Public bug reported:

Description
===========
The use case is to have multiple external gateways: one for the public network for instances to reach the internet, and the second is the routed network. The expectation is for instances to be reachable in both the "internal" routed network as well as through the public floating IP. Thus, src_nat needs to be disabled for "internal" and enabled for "public" networks, while both of them are added as external_gateways to the router.

Exactly this scenario is showcased in the API reference:
https://docs.openstack.org/api-ref/network/v2/index.html#add-external-gateways-to-router

You can see there an example of a router `external_gateways` update to enable_snat for a specific one.

However, while such a request is accepted by Neutron, it's never processed as expected, as the value of enable_snat is taken only for the "first" external gateway and applied for all the rest.

Environment
===========
Ubuntu 24.04
OVN: 25.03
OVS: 3.5.0
Neutron: 26.0.1.dev4
neutron-lib: 3.18.2

How to reproduce
================
    openstack network create public --provider-network-type vlan --provider-physical-network vlan --provider-segment 10 --share --external
    openstack subnet create --network public --subnet-range 172.29.248.0/22
    openstack network create intenral-link --provider-network-type vlan --provider-physical-network physnet1 --provider-segment 190 --share --external
    openstack subnet create --network intenral-link intenral-link --subnet-range 192.168.0.0/24
    openstack router create --external-gateway public --external-gateway intenral-link internal
    openstack network create private
    openstack subnet create --network private private --subnet-range 10.0.0.0/24
    openstack router add subnet internal private

    curl -H "X-Auth-Token: $token" \
      http://172.29.236.101:9696/v2.0/routers/ee37797b-961c-4645-85c2-55f74031500f/update_external_gateways \
      -X PUT -H "Content-Type: application/json" \
      -d '{"router": {"external_gateways": [
            {"enable_snat": false, "network_id": "ab79f236-d790-4d9e-a863-22ee57eb873a",
             "external_fixed_ips": [{"subnet_id": "db07cec8-f238-4a45-8442-6eae4867ecb0", "ip_address": "192.168.0.53"}]},
            {"enable_snat": true, "network_id": "bc638fd7-b1de-47e1-8ace-23fce8bad0c9",
             "external_fixed_ips": [{"ip_address": "172.29.249.137", "subnet_id": "cbefd7b0-cc15-4ca2-8bac-0d50ccd14e31"}]}
          ]}}' | jq

    ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f

- returns an empty result.

Change the curl request for the first network to `"enable_snat": true` and for the second one to `"enable_snat": false`.

    ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f

- will show snat for both, which is just wrong:

    # ovn-nbctl lr-nat-list neutron-ee37797b-961c-4645-85c2-55f74031500f
    TYPE    GATEWAY_PORT    MATCH    EXTERNAL_IP       EXTERNAL_PORT    LOGICAL_IP     EXTERNAL_MAC    LOGICAL_PORT
    snat                             172.29.249.137                     10.0.0.0/24
    snat                             192.168.0.53                       10.0.0.0/24

Full paste: https://paste.openstack.org/show/bQtuZPAmwDlqVu6noiNY/

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2106776

Title:
  Unable to enable/disable src_nat per external gateway

Status in neutron:
  New
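An added example, not part of the bug report and not Neutron or OVN code: a Python check that compares the per-gateway `enable_snat` values requested in the `external_gateways` body with the `snat` rows reported by `ovn-nbctl lr-nat-list`, flagging SNAT present on a gateway that asked for none and SNAT missing where it was requested. The sample output is constructed from the addresses in the report; the function names, the fixed column width of the sample and the default used when `enable_snat` is omitted are assumptions.

```python
# Added example, not Neutron or OVN code. Function names are hypothetical.
COLS = ["TYPE", "GATEWAY_PORT", "MATCH", "EXTERNAL_IP", "EXTERNAL_PORT",
        "LOGICAL_IP", "EXTERNAL_MAC", "LOGICAL_PORT"]

def _line(*cells, width=18):
    """Build one fixed-width line for the constructed sample (width assumed)."""
    return "".join(c.ljust(width) for c in cells).rstrip()

# Constructed sample: the two snat rows from the report's second scenario.
SAMPLE_NAT = "\n".join([
    _line(*COLS),
    _line("snat", "", "", "172.29.249.137", "", "10.0.0.0/24"),
    _line("snat", "", "", "192.168.0.53", "", "10.0.0.0/24"),
])

def parse_lr_nat_list(text):
    """Parse `ovn-nbctl lr-nat-list` output by header column offsets, so the
    empty GATEWAY_PORT/MATCH/EXTERNAL_PORT columns do not shift later fields."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return []  # empty result: the router has no NAT rules
    starts = [lines[0].index(c) for c in COLS]
    ends = starts[1:] + [None]
    return [{c: row[s:e].strip() for c, s, e in zip(COLS, starts, ends)}
            for row in lines[1:]]

def gateways(internal_snat, public_snat):
    """The report's two external gateways with the requested enable_snat."""
    return [
        {"enable_snat": internal_snat,
         "external_fixed_ips": [{"ip_address": "192.168.0.53"}]},
        {"enable_snat": public_snat,
         "external_fixed_ips": [{"ip_address": "172.29.249.137"}]},
    ]

def audit_snat(external_gateways, nat_rows):
    """Return SNAT rules that contradict the requested per-gateway setting."""
    wanted = {ip["ip_address"] for gw in external_gateways
              if gw.get("enable_snat", True)  # assumed default when omitted
              for ip in gw["external_fixed_ips"]}
    actual = {r["EXTERNAL_IP"] for r in nat_rows if r["TYPE"] == "snat"}
    return {"unexpected_snat": sorted(actual - wanted),
            "missing_snat": sorted(wanted - actual)}

if __name__ == "__main__":
    print(audit_snat(gateways(False, True), parse_lr_nat_list("")))
    print(audit_snat(gateways(True, False), parse_lr_nat_list(SAMPLE_NAT)))
```

Run against a live router, the same audit takes the `external_gateways` list from the router's API representation and the text from `ovn-nbctl lr-nat-list neutron-<router-id>`; a non-empty `unexpected_snat` means traffic towards that gateway's network is being source-translated although the request disabled it.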

