On Mon, Jan 10, 2022 at 5:32 AM Mark Michelson <mmich...@redhat.com> wrote:
>
> On 1/7/22 09:26, Abhiram Sangana wrote:
> > Hi Mark,
> >
> > Thanks for looking into this patch.
> >
> >> On 5 Jan 2022, at 22:01, Mark Michelson <mmich...@redhat.com> wrote:
> >>
> >> Hi,
> >>
> >> I haven't done a full review of this patch, but I have noticed a
> >> problem pretty early on when I started looking.
> >>
> >> The new ip_in_lrp_networks() function that is added here is intended
> >> to determine which l3dgw port to use for a particular NAT external address.
> >> The problem is that there are configurations, especially from OpenStack,
> >> where this will cause problems.
> >>
> >> In current OpenStack configurations, they might set up a router with a
> >> gateway port that serves the 10.0.0.0/8 network. But they might set up a
> >> DNAT with external address 192.168.0.1 on that router. They expect that
> >> traffic sent to 192.168.0.1 will be NATted correctly on that router, even
> >> though the router port network does not include that IP address.
> >
> > Yeah, this makes sense. I was thinking about this case for Load
> > balancer rules but it's true for DNAT in general.
> >
> >> If you run `make check-system-userspace` with your series, you'll find
> >> that the "Floating IP outside router subnet IPv4" test fails.
> >>
> >> How could this be fixed?
> >>
> >> One idea is to configure the external port explicitly either on the
> >> NAT itself or on the router. This way, even if the IP address is outside
> >> the subnet of the DGP, you can still know which DGP is the "correct" one.
> >>
> >> Another idea would be to differentiate behavior between SNAT and DNAT.
> >> For DNAT, you could treat all DGPs as equals, so it doesn't matter on which
> >> DGP the traffic is received, it will get translated properly. For SNAT or
> >> DNAT-and-SNAT, you'd probably need to explicitly specify which DGP to use,
> >> though.
> >
> > I was thinking of the second approach for Load balancer rules. I could
> > do the same for DNAT rules. The first approach gives more control but
> > expects the user to configure correctly. Which approach would you suggest?
>
> I think the second approach should be good as well.
>

Sorry for my ~late response.
For the second approach, I wonder if there would be scale problems: when
there are many DGPs, all DNAT external IPs need to be advertised (GARP)
from all DGPs. Would it be better to allow the configuration to specify
which DGP to use for DNAT (and for all the NAT types), and only if it is
not specified, then advertise on all DGPs as the default behavior?

Thanks,
Han

> >
> > Thanks,
> > Abhiram
> >
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
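The DGP-selection policy the thread converges on (explicit port if configured; otherwise the port whose network contains the external IP; otherwise, for DNAT, all DGPs, while SNAT with several DGPs must be configured explicitly), plus Han's GARP scale concern, as a standalone model. This is an added example, not OVN's ip_in_lrp_networks() or any ovn-northd code; the DGP names, the `gateway_port` knob and the sample router are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample router (not from the OVN test suite): two distributed
# gateway ports (DGPs), each with its configured networks (address/prefix).
SAMPLE_DGPS: Dict[str, List[str]] = {
    "lr0-dgp1": ["10.0.0.1/8"],
    "lr0-dgp2": ["172.16.0.1/16", "2001:db8:1::1/64"],
}


def ip_in_lrp_networks(ip: str, networks: List[str]) -> bool:
    """Return True if `ip` lies inside any of the port's configured networks."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        iface = ipaddress.ip_interface(net)
        if addr.version == iface.version and addr in iface.network:
            return True
    return False


def select_dgps(nat_type: str, external_ip: str, dgps: Dict[str, List[str]],
                gateway_port: Optional[str] = None) -> List[str]:
    """Pick the DGP(s) a NAT rule is bound to and advertised (GARP) from.

    Policy modelled on the thread (hypothetical `gateway_port` knob assumed):
      1. An explicitly configured gateway_port wins; it must be a DGP of the router.
      2. Otherwise the DGP(s) whose networks contain external_ip.
      3. Otherwise (external IP outside every DGP subnet, the OpenStack
         floating-IP case):
         - dnat: all DGPs are treated as equals, so the IP goes to all of them;
         - snat / dnat_and_snat: a single DGP is unambiguous, several are not,
           so the user has to configure the port explicitly.
    """
    if nat_type not in ("dnat", "snat", "dnat_and_snat"):
        raise ValueError(f"unknown NAT type {nat_type!r}")
    if not dgps:
        raise ValueError("router has no distributed gateway port")

    if gateway_port is not None:
        if gateway_port not in dgps:
            raise ValueError(f"gateway_port {gateway_port!r} is not a DGP of this router")
        return [gateway_port]

    matching = [name for name, nets in dgps.items()
                if ip_in_lrp_networks(external_ip, nets)]
    if matching:
        return matching

    if nat_type == "dnat" or len(dgps) == 1:
        return list(dgps)
    raise ValueError(
        f"{nat_type} external ip {external_ip} is outside every DGP network and "
        f"the router has {len(dgps)} DGPs; set gateway_port explicitly")


def garp_targets(nats: List[dict], dgps: Dict[str, List[str]]) -> Set[Tuple[str, str]]:
    """Return the (dgp, external_ip) pairs that would need to be advertised.

    With the all-DGPs default, N out-of-subnet DNAT IPs on M DGPs cost N*M
    advertisements; binding each NAT to one port brings that down to N.
    """
    targets: Set[Tuple[str, str]] = set()
    for nat in nats:
        for dgp in select_dgps(nat["type"], nat["external_ip"], dgps,
                               nat.get("gateway_port")):
            targets.add((dgp, nat["external_ip"]))
    return targets


if __name__ == "__main__":
    # The case from the thread: 192.168.0.1 DNAT on a router whose DGP serves 10.0.0.0/8.
    print(select_dgps("dnat", "192.168.0.1", SAMPLE_DGPS))
    floating = [{"type": "dnat", "external_ip": f"192.168.0.{i}"} for i in range(1, 4)]
    print(len(garp_targets(floating, SAMPLE_DGPS)), "advertisements with the all-DGPs default")
    pinned = [dict(n, gateway_port="lr0-dgp1") for n in floating]
    print(len(garp_targets(pinned, SAMPLE_DGPS)), "advertisements when pinned to one DGP")
```

The error path in step 3 is the point to keep: silently picking the first DGP for an out-of-subnet SNAT would make the chosen source address depend on port ordering, which is exactly the ambiguity the explicit-port option is meant to remove.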
