Re: [openstack-dev] Fwd: [Neutron][DVR]Neutron distributed SNAT

2015-02-18 Thread Kevin Benton
If I understand correctly, for southbound traffic there would be hair-pinning via the L3 agent that the upstream router happened to pick out of the ECMP group since it doesn't know where the hypervisors are. On the other hand northbound traffic could egress directly (assuming an L3 agent is

Re: [openstack-dev] Fwd: [Neutron][DVR]Neutron distributed SNAT

2015-02-18 Thread Angus Lees
On Mon Feb 16 2015 at 9:37:22 PM Kevin Benton blak...@gmail.com wrote: It's basically very much like floating IPs, only you're handing out a sub-slice of a floating-IP to each machine - if you like. This requires participation of the upstream router (L4 policy routing pointing to next hops

Re: [openstack-dev] Fwd: [Neutron][DVR]Neutron distributed SNAT

2015-02-16 Thread Assaf Muller
- Original Message -
Has there been any work to use conntrack synchronization similar to L3 HA in DVR so failover is fast on the SNAT node?
https://review.openstack.org/#/c/139686/
https://review.openstack.org/#/c/143169/
These changes have taken a back seat to improving the DVR

Re: [openstack-dev] Fwd: [Neutron][DVR]Neutron distributed SNAT

2015-02-16 Thread Kevin Benton
Or a pool of SNAT addresses ~= to the size of the hypervisor count. This had originally come up as an option in the early DVR discussions. IIRC it was going to be a tunable parameter since it results in a tradeoff between spent public addresses and distributed-ness. However, due to time

Re: [openstack-dev] Fwd: [Neutron][DVR]Neutron distributed SNAT

2015-02-16 Thread Robert Collins
On 16 February 2015 at 21:29, Angus Lees g...@inodes.org wrote: Conntrack synchronisation gets us HA on the SNAT node, but that's a long way from distributed SNAT. Distributed SNAT (in at least one implementation) needs a way to allocate unique [IP + ephemeral port ranges] to hypervisors, and

Re: [openstack-dev] Fwd: [Neutron][DVR]Neutron distributed SNAT

2015-02-16 Thread Angus Lees
Conntrack synchronisation gets us HA on the SNAT node, but that's a long way from distributed SNAT. Distributed SNAT (in at least one implementation) needs a way to allocate unique [IP + ephemeral port ranges] to hypervisors, and then some sort of layer4 loadbalancer capable of forwarding the

Re: [openstack-dev] Fwd: [Neutron][DVR]Neutron distributed SNAT

2015-02-15 Thread Kevin Benton
Has there been any work to use conntrack synchronization similar to L3 HA in DVR so failover is fast on the SNAT node?
On Sat, Feb 14, 2015 at 1:31 PM, Carl Baldwin c...@ecbaldwin.net wrote:
On Feb 10, 2015 2:36 AM, Wilence Yao wilence@gmail.com wrote:
Hi all, After OpenStack