Reviewed:  https://review.opendev.org/c/openstack/neutron/+/788485
Committed: https://opendev.org/openstack/neutron/commit/ddc8e625f714aebd65a454f23fedc6d9a9320e89
Submitter: "Zuul (22348)"
Branch:    master

commit ddc8e625f714aebd65a454f23fedc6d9a9320e89
Author: Lucas Alvares Gomes <[email protected]>
Date:   Wed Apr 28 13:41:15 2021 +0100

    [OVN] Fix: Disabling snat after it was enabled

    This patch removes a conditional check in the update_router() method
    which was verifying if snat was enabled in order to update the nat
    rules.

    This check does not make sense in the update method as if snat was
    disabled we should still call update_nat_rules() which will then
    remove the NAT entry from the OVN NB DB.

    Change-Id: Ice20d22365acaf33ee211b1e38b7d0bc151c1ba8
    Closes-Bug: #1922089
    Signed-off-by: Lucas Alvares Gomes <[email protected]>

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1922089

Title:
  [ovn] enable_snat cannot be disabled once enabled

Status in neutron:
  Fix Released
Status in neutron package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  Using Openstack focal/ussuri - ovn version 20.03.1-0ubuntu1.2 and
  neutron 2:16.2.0-0ubuntu2.

  If "enable_snat" is enabled on an external gateway on a router, it's
  not possible to disable it without completely removing said gateway
  from the router.

  For example :
  I have a subnet called subnet_axino_test - 10.0.100.0/24
  I run the following :

    $ openstack router create router_axino_test
    $ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test
    $ openstack router add subnet router_axino_test subnet_axino_test

  And so on OVN, I get nothing :

    $ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24

  Now, I enable SNAT :

    $ openstack router set --enable-snat --external-gateway net_stg-external router_axino_test

  This correctly adds an OVN SNAT entry as follows :

    $ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
    _uuid               : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
    external_ids        : {}
    external_ip         : "A.B.C.D"
    external_mac        : []
    logical_ip          : "10.131.100.0/24"
    logical_port        : []
    options             : {}
    type                : snat

  Now, I remove SNAT from the router :

    $ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

  I confirm this :

    $ openstack router show router_axino_test | grep enable_snat
    | external_gateway_info   | {"network_id": "4fb8304e-7adb-4cc3-bae5-deb968263eb0", "external_fixed_ips": [{"subnet_id": "60000d47-1e44-41af-8f64-dd802d5c3ddc", "ip_address": "A.B.C.D"}], "enable_snat": false} |

  Above, you can see that "enable_snat" is "false". So I would expect
  OVN to _not_ have a NAT entry. Yet, it does :

    $ sudo ovn-nbctl list NAT |grep -B5 -A4 10.131.100.0/24
    _uuid               : a65cc4b8-14ae-4ce4-b274-10eefdcc51dc
    external_ids        : {}
    external_ip         : "162.213.34.141"
    external_mac        : []
    logical_ip          : "10.131.100.0/24"
    logical_port        : []
    options             : {}
    type                : snat

  The only way to remove SNAT is to completely remove the external
  gateway from the router, and to re-add it with SNAT disabled :

    $ openstack router unset --external-gateway router_axino_test
    $ openstack router set --disable-snat --external-gateway net_stg-external router_axino_test

  Note that this requires removing all the floating IPs from VMs behind
  this router, which obviously makes them unreachable - which is less
  than ideal in production.

  Thanks
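
An audit for the state described in this report, as an added example that is not part of the bug report or the Neutron patch: it flags snat rows that survive on a router whose enable_snat is false. The sample data, the function names and the rule of matching a NAT row to a router by its gateway IP are assumptions made here.

```python
import json

# Constructed sample data, not taken from the bug report: text shaped like
# `ovn-nbctl list NAT` output (trimmed to four columns) and router records.
NAT_OUTPUT = '''\
_uuid               : 11111111-1111-1111-1111-111111111111
external_ip         : "203.0.113.10"
logical_ip          : "10.131.100.0/24"
type                : snat

_uuid               : 22222222-2222-2222-2222-222222222222
external_ip         : "203.0.113.20"
logical_ip          : "10.131.200.0/24"
type                : snat
'''
ROUTERS = json.loads('''[
 {"name": "router_a", "external_gateway_info": {"enable_snat": false,
   "external_fixed_ips": [{"ip_address": "203.0.113.10"}]}},
 {"name": "router_b", "external_gateway_info": {"enable_snat": true,
   "external_fixed_ips": [{"ip_address": "203.0.113.20"}]}}
]''')

def parse_nat(text):
    """Split record-style output into one dict per NAT row."""
    rows = []
    for block in text.strip().split("\n\n"):
        row = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            row[key.strip()] = value.strip().strip('"')
        rows.append(row)
    return rows

def stale_snat(routers, nat_rows):
    """Find snat rows still using the gateway IP of a router whose
    enable_snat is false; returns (router, NAT uuid, logical_ip)."""
    findings = []
    for router in routers:
        gw = router.get("external_gateway_info") or {}
        if gw.get("enable_snat", True):
            continue  # SNAT is meant to be on, so the row is expected
        gw_ips = {ip["ip_address"] for ip in gw.get("external_fixed_ips", [])}
        for row in nat_rows:
            if row.get("type") == "snat" and row.get("external_ip") in gw_ips:
                findings.append((router["name"], row["_uuid"], row["logical_ip"]))
    return findings

for finding in stale_snat(ROUTERS, parse_nat(NAT_OUTPUT)):
    print("stale SNAT: router=%s nat=%s logical_ip=%s" % finding)
```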

