Re: [openstack-dev] [Neutron] Assigning a floating IP to an internal network

2014-01-30 Thread Ofer Barkai
Hi all,

During the implementation of:
https://blueprints.launchpad.net/neutron/+spec/floating-ip-extra-route

Which suggests allowing assignment of a floating IP to an internal address
not directly connected to the router, if there is a route configured on
the router to the internal address.

In: https://review.openstack.org/55987

There seem to be 2 possible approaches for finding an appropriate
router for a floating IP assignment, while considering extra routes:

1. Use the first router that has a route matching the internal address
which is the target of the floating IP.

2. Use the first router that has a matching route, _and_ verify that
there exists a path of connected devices to the network object to
which the internal address belongs.

The first approach solves the simple case of a gateway on a compute
host that protects an internal network (which is the motivation for
this enhancement).

However, if the same (or overlapping) addresses are assigned to
different internal networks, there is a risk that the first approach
might find the wrong router.

Still, the second approach might force many DB lookups to trace the path from
the router to the internal network. This overhead might not be
desirable if the use case does not (at least, initially) appear in the
real world.

Patch set 6 presents the first, lightweight approach, and Patch set 5
presents the second, more accurate approach.

I would appreciate the opportunity to get more points of view on this subject.

Thanks,

-Ofer
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
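
The two router-selection approaches described in the message above, as an added example that is not part of the original post or of the Neutron patch under review. The topology, names (`ROUTERS`, `DEVICES`, `first_match`, `first_match_with_path`) and addresses are constructed for illustration and do not reflect Neutron's data model; the point is the overlapping-address case where the first approach binds the floating IP to another network's router.

```python
import ipaddress
from collections import deque

# Constructed topology: two isolated networks reuse 10.1.0.0/24 behind
# their own gateway instances, and each external router has an extra route.
ROUTERS = {
    "router-a": {"subnets": {"net-a-front"}, "routes": [("10.1.0.0/24", "192.168.0.5")]},
    "router-b": {"subnets": {"net-b-front"}, "routes": [("10.1.0.0/24", "192.168.0.5")]},
}
# Hypothetical multi-homed devices (gateway instances) and the networks they join.
DEVICES = {
    "gw-a": {"net-a-front", "net-a-internal"},
    "gw-b": {"net-b-front", "net-b-internal"},
}

def matching_routers(ip):
    """Routers with an extra route whose destination covers the address."""
    addr = ipaddress.ip_address(ip)
    return [name for name, r in ROUTERS.items()
            if any(addr in ipaddress.ip_network(dest) for dest, _ in r["routes"])]

def first_match(ip):
    """Approach 1: take the first router with a matching route."""
    found = matching_routers(ip)
    return found[0] if found else None

def reaches(router, target_net):
    """Breadth-first walk over networks joined by devices.
    Each hop stands in for the DB lookups the message is concerned about."""
    seen = set(ROUTERS[router]["subnets"])
    queue = deque(seen)
    while queue:
        net = queue.popleft()
        if net == target_net:
            return True
        for nets in DEVICES.values():
            if net in nets:
                for nxt in nets - seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False

def first_match_with_path(ip, target_net):
    """Approach 2: matching route AND a connected path to the target network."""
    for name in matching_routers(ip):
        if reaches(name, target_net):
            return name
    return None
```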


[openstack-dev] [Neutron] Assigning a floating IP to an internal network

2013-12-09 Thread Ofer Barkai
Hi all,

The extra route extension allows setting up a hierarchical network
topology where there is a compute instance or an internal router that
separates an internal network from an external router. Traffic can be
routed by using extra routes on the external router; however, it is not
possible to assign floating IPs to an instance on the internal network.
This is because there is code that validates reachability from the
external router to the internal network that does not take into account
the availability of extra routes.

The described setup is important to users who wish to place a
custom gateway that provides VPN, firewall or other functionality
to a publicly accessible network behind the gateway.

There is a bug opened about this issue:

https://bugs.launchpad.net/neutron/+bug/1250105

There is a patch set for review:

https://review.openstack.org/55987

It was suggested that this may be considered as new functionality as
opposed to fixing a flaw, and should be proposed as a blueprint and
discussed on the dev mailing list.

A blueprint is available for discussion:

https://blueprints.launchpad.net/neutron/+spec/floating-ip-extra-route

Thanks,

-Ofer Barkai