Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Hi car1, In the link: https://docs.google.com/document/d/1jCmraZGirmXq5V1MtRqhjdZCbUfiwBhRkUjDXGt5QUQ/edit, there is some words like When the node is being scheduled to host the SNAT, a new namespace and internal IP address will be assigned to host the SNAT service. Any nova instance VM that is connected to the router will have this new SNAT IP as its external gateway address. Can nova VM see this secondary IP? I think that even in the node hosting SNAT, IR still exists. So VM at this node will also see IP of the IR interface, and send packet to IR first, next the IR will redirect the traffic to SNAT in the same node (but in different namespace). Is that right? ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Wuhongning, The code for forwarding traffic from a DVR serviced node to the default snat gw node is now included in the latest L-3 agent patch posted at (https://review.openstack.org/89413). It utilizes a combination of ip rules and ip routes to implement policy based routing for snat traffic. Carl's description is a very good representation of what it implements. Additional information is also available at (https://docs.google.com/document/d/1jCmraZGirmXq5V1MtRqhjdZCbUfiwBhRkUjDXGt5QUQ/edit) thanks, -Rajeev. -Original Message- From: Narasimhan, Vivekanandan Sent: Thursday, May 22, 2014 10:04 PM To: OpenStack Development Mailing List (not for usage questions) Cc: Grover, Rajeev; Smith, Michael (HPN RD) Subject: RE: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Thanks Carl, for pitching in for us. As Carl said, this is the last detail that is being worked out. Wuhogning, I am requesting Rajeev and Mike(CC'ed) who are working in DVR SNAT to post the document into to the blueprint link here, so that you can take a look. https://blueprints.launchpad.net/neutron/+spec/neutron-ovs-dvr - Thanks, Vivek -Original Message- From: Carl Baldwin [mailto:c...@ecbaldwin.net] Sent: Friday, May 23, 2014 3:57 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I found this message in my backlog from when I was at the summit. Sorry for the delay in responding. The default SNAT or dynamic SNAT use case is one of the last details being worked in the DVR subteam. That may be why you do not see any code around this in the patches that have been submitted. Outbound traffic that will use this SNAT address will first enter the IR on the compute host. In the IR, it will not match against any of the static SNAT addresses for floating IPs. At that point the packet will be redirected to another port belonging to the central component of the DVR. This port has an IP address different from the default gateway address (e.g. 192.168.1.2 instead of 192.168.1.1). At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic. Once the packet hits the central component of the DVR on the network node it will be processed very much like default SNAT traffic is processed in the current Neutron implementation. Another interconnect subnet should not be needed here and would be overkill. I hope this helps. Let me know if you have any questions. Carl On Fri, May 16, 2014 at 1:57 AM, Wuhongning wuhongn...@huawei.com wrote: Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route node-for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
sorry it's very strange that I can't receive any mail with [neutron] tag, but [nova] is ok. So I just find reply thread from archives. So, will this additional port and vxlan tunnel be the same concept I've mentioned as interconnect network? It should works, but bring another question: if CN has no vxlan provider network configed in neutron.conf(only vlan provider is used), will it mean that I can't use DVR snat? Also, another gw ip is occupied, it seems a little strange for user. Here is another idea: can we let the central NN snat use DVR logical mac? Then we can config each CN router's next hop to NN snat out from the device where it received packet, with next hop ip can also be the gw interface ip(no need for second ip), if we delete all gw interface ip from all DVR router's local table. I've done test in sles sp2, and it works! = Vivek, CN to NN Vxlan tunnel is something user/customer configured ? Or DVR is mandating this VxLan tunnel to reach from NN from CN ? Means the packets are encapsulated over network even they are not mandated to do so ? Then there should be standard if something is getting done like this. Thanks regards, Keshava.A -Original Message- From: Narasimhan, Vivekanandan Sent: Friday, May 23, 2014 2:49 AM To: A, Keshava; OpenStack Development Mailing List (not for usage questions); Carl Baldwin Cc: Grover, Rajeev Subject: RE: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Keshava, Tunneled over to network node means: OVS VXLAN Tunnel will be established between compute node and network node and packets will flow through that OVS VXLAN Tunnel. NAT'ing and tunneling are not related here. NAT'ing happens in network node. Packets that need to reach the external network will be tunneled to NN where SNAT'ing puts them onto external network. -- Thanks, Vivek -Original Message- From: A, Keshava Sent: Friday, May 23, 2014 1:11 PM To: OpenStack Development Mailing List (not for usage questions); Carl Baldwin Cc: Narasimhan, Vivekanandan; Grover, Rajeev; A, Keshava Subject: RE: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I have one basic question, what is this tunneled over to network node means ? ( At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic.) What kind of tunnel between Compute to Network Node during SNAT ? Why tunneling will happen during NAT ? Thanks regards, Keshava.A -Original Message- From: Carl Baldwin [mailto:carl at ecbaldwin.nethttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev] Sent: Thursday, May 22, 2014 3:27 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I found this message in my backlog from when I was at the summit. Sorry for the delay in responding. The default SNAT or dynamic SNAT use case is one of the last details being worked in the DVR subteam. That may be why you do not see any code around this in the patches that have been submitted. Outbound traffic that will use this SNAT address will first enter the IR on the compute host. In the IR, it will not match against any of the static SNAT addresses for floating IPs. At that point the packet will be redirected to another port belonging to the central component of the DVR. This port has an IP address different from the default gateway address (e.g. 192.168.1.2 instead of 192.168.1.1). At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic. Once the packet hits the central component of the DVR on the network node it will be processed very much like default SNAT traffic is processed in the current Neutron implementation. Another interconnect subnet should not be needed here and would be overkill. I hope this helps. Let me know if you have any questions. Carl On Fri, May 16, 2014 at 1:57 AM, Wuhongning wuhongning at huawei.comhttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev wrote: Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route node-for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Hi, I have one basic question, what is this tunneled over to network node means ? ( At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic.) What kind of tunnel between Compute to Network Node during SNAT ? Why tunneling will happen during NAT ? Thanks regards, Keshava.A -Original Message- From: Carl Baldwin [mailto:c...@ecbaldwin.net] Sent: Thursday, May 22, 2014 3:27 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I found this message in my backlog from when I was at the summit. Sorry for the delay in responding. The default SNAT or dynamic SNAT use case is one of the last details being worked in the DVR subteam. That may be why you do not see any code around this in the patches that have been submitted. Outbound traffic that will use this SNAT address will first enter the IR on the compute host. In the IR, it will not match against any of the static SNAT addresses for floating IPs. At that point the packet will be redirected to another port belonging to the central component of the DVR. This port has an IP address different from the default gateway address (e.g. 192.168.1.2 instead of 192.168.1.1). At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic. Once the packet hits the central component of the DVR on the network node it will be processed very much like default SNAT traffic is processed in the current Neutron implementation. Another interconnect subnet should not be needed here and would be overkill. I hope this helps. Let me know if you have any questions. Carl On Fri, May 16, 2014 at 1:57 AM, Wuhongning wuhongn...@huawei.com wrote: Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route node-for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Keshava, Tunneled over to network node means: OVS VXLAN Tunnel will be established between compute node and network node and packets will flow through that OVS VXLAN Tunnel. NAT'ing and tunneling are not related here. NAT'ing happens in network node. Packets that need to reach the external network will be tunneled to NN where SNAT'ing puts them onto external network. -- Thanks, Vivek -Original Message- From: A, Keshava Sent: Friday, May 23, 2014 1:11 PM To: OpenStack Development Mailing List (not for usage questions); Carl Baldwin Cc: Narasimhan, Vivekanandan; Grover, Rajeev; A, Keshava Subject: RE: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I have one basic question, what is this tunneled over to network node means ? ( At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic.) What kind of tunnel between Compute to Network Node during SNAT ? Why tunneling will happen during NAT ? Thanks regards, Keshava.A -Original Message- From: Carl Baldwin [mailto:c...@ecbaldwin.net] Sent: Thursday, May 22, 2014 3:27 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I found this message in my backlog from when I was at the summit. Sorry for the delay in responding. The default SNAT or dynamic SNAT use case is one of the last details being worked in the DVR subteam. That may be why you do not see any code around this in the patches that have been submitted. Outbound traffic that will use this SNAT address will first enter the IR on the compute host. In the IR, it will not match against any of the static SNAT addresses for floating IPs. At that point the packet will be redirected to another port belonging to the central component of the DVR. This port has an IP address different from the default gateway address (e.g. 192.168.1.2 instead of 192.168.1.1). At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic. Once the packet hits the central component of the DVR on the network node it will be processed very much like default SNAT traffic is processed in the current Neutron implementation. Another interconnect subnet should not be needed here and would be overkill. I hope this helps. Let me know if you have any questions. Carl On Fri, May 16, 2014 at 1:57 AM, Wuhongning wuhongn...@huawei.com wrote: Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route node-for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Vivek, CN to NN Vxlan tunnel is something user/customer configured ? Or DVR is mandating this VxLan tunnel to reach from NN from CN ? Means the packets are encapsulated over network even they are not mandated to do so ? Then there should be standard if something is getting done like this. Thanks regards, Keshava.A -Original Message- From: Narasimhan, Vivekanandan Sent: Friday, May 23, 2014 2:49 AM To: A, Keshava; OpenStack Development Mailing List (not for usage questions); Carl Baldwin Cc: Grover, Rajeev Subject: RE: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Keshava, Tunneled over to network node means: OVS VXLAN Tunnel will be established between compute node and network node and packets will flow through that OVS VXLAN Tunnel. NAT'ing and tunneling are not related here. NAT'ing happens in network node. Packets that need to reach the external network will be tunneled to NN where SNAT'ing puts them onto external network. -- Thanks, Vivek -Original Message- From: A, Keshava Sent: Friday, May 23, 2014 1:11 PM To: OpenStack Development Mailing List (not for usage questions); Carl Baldwin Cc: Narasimhan, Vivekanandan; Grover, Rajeev; A, Keshava Subject: RE: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I have one basic question, what is this tunneled over to network node means ? ( At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic.) What kind of tunnel between Compute to Network Node during SNAT ? Why tunneling will happen during NAT ? Thanks regards, Keshava.A -Original Message- From: Carl Baldwin [mailto:c...@ecbaldwin.net] Sent: Thursday, May 22, 2014 3:27 PM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I found this message in my backlog from when I was at the summit. Sorry for the delay in responding. The default SNAT or dynamic SNAT use case is one of the last details being worked in the DVR subteam. That may be why you do not see any code around this in the patches that have been submitted. Outbound traffic that will use this SNAT address will first enter the IR on the compute host. In the IR, it will not match against any of the static SNAT addresses for floating IPs. At that point the packet will be redirected to another port belonging to the central component of the DVR. This port has an IP address different from the default gateway address (e.g. 192.168.1.2 instead of 192.168.1.1). At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic. Once the packet hits the central component of the DVR on the network node it will be processed very much like default SNAT traffic is processed in the current Neutron implementation. Another interconnect subnet should not be needed here and would be overkill. I hope this helps. Let me know if you have any questions. Carl On Fri, May 16, 2014 at 1:57 AM, Wuhongning wuhongn...@huawei.com wrote: Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route node-for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Hi, I found this message in my backlog from when I was at the summit. Sorry for the delay in responding. The default SNAT or dynamic SNAT use case is one of the last details being worked in the DVR subteam. That may be why you do not see any code around this in the patches that have been submitted. Outbound traffic that will use this SNAT address will first enter the IR on the compute host. In the IR, it will not match against any of the static SNAT addresses for floating IPs. At that point the packet will be redirected to another port belonging to the central component of the DVR. This port has an IP address different from the default gateway address (e.g. 192.168.1.2 instead of 192.168.1.1). At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic. Once the packet hits the central component of the DVR on the network node it will be processed very much like default SNAT traffic is processed in the current Neutron implementation. Another interconnect subnet should not be needed here and would be overkill. I hope this helps. Let me know if you have any questions. Carl On Fri, May 16, 2014 at 1:57 AM, Wuhongning wuhongn...@huawei.com wrote: Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Thanks Carl, for pitching in for us. As Carl said, this is the last detail that is being worked out. Wuhogning, I am requesting Rajeev and Mike(CC'ed) who are working in DVR SNAT to post the document into to the blueprint link here, so that you can take a look. https://blueprints.launchpad.net/neutron/+spec/neutron-ovs-dvr - Thanks, Vivek -Original Message- From: Carl Baldwin [mailto:c...@ecbaldwin.net] Sent: Friday, May 23, 2014 3:57 AM To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [Neutron] Default routes to SNAT gateway in DVR Hi, I found this message in my backlog from when I was at the summit. Sorry for the delay in responding. The default SNAT or dynamic SNAT use case is one of the last details being worked in the DVR subteam. That may be why you do not see any code around this in the patches that have been submitted. Outbound traffic that will use this SNAT address will first enter the IR on the compute host. In the IR, it will not match against any of the static SNAT addresses for floating IPs. At that point the packet will be redirected to another port belonging to the central component of the DVR. This port has an IP address different from the default gateway address (e.g. 192.168.1.2 instead of 192.168.1.1). At this point, the packet will go back out to br-int and but tunneled over to the network node just like any other intra-network traffic. Once the packet hits the central component of the DVR on the network node it will be processed very much like default SNAT traffic is processed in the current Neutron implementation. Another interconnect subnet should not be needed here and would be overkill. I hope this helps. Let me know if you have any questions. Carl On Fri, May 16, 2014 at 1:57 AM, Wuhongning wuhongn...@huawei.com wrote: Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] [Neutron] Default routes to SNAT gateway in DVR
Hi DVRers, I didn't see any detail documents or source code on how to deal with routing packet from DVR node to SNAT gw node. If the routing table see a outside ip, it should be matched with a default route, so for the next hop, which interface will it select? Maybe another standalone interconnect subnet per DVR is needed, which connect each DVR node and optionally, the SNAT gw node. For packets from dvr node-snat node, the interconnect subnet act as the default route for this host, and the next hop will be the snat node. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
