dbf53b7bbf
When ovn_router_indirect_snat = True, ml2/ovn will set a catch-all snat rule for each external ip, instead of a snat rule per attached subnet. NB: This option is global to cluster and cannot be controlled per project or per router. NB2: this patch assumes that 0.0.0.0/0 snat rules are properly handled by OVN. Some (e.g. 22.03 and 24.03) OVN versions may have this scenario broken. See: https://issues.redhat.com/browse/FDP-744 for details. -- A long time ago, nested SNAT behavior was unconditionally enabled for ml2/ovs, see: https://bugs.launchpad.net/neutron/+bug/1386041 Since this behavior has potential security implications, and since it may not be desired in all environments, a new flag is introduced. Since OVN was deployed without nested SNAT enabled in multiple environments, the flag is set to False by default (meaning: no nested SNAT). In theory, instead of a config option, neutron could introduce a new API to allow users to control the behavior per router. This would require more work though. This granular API is left out of the patch. Interested parties are welcome to start a discussion about adding the new API as a new neutron extension to routers. -- Before this patch, there was an alternative implementation proposed that was not relying on 0.0.0.0/0 snat behavior implemented properly in OVN. The implementation was abandoned because it introduced non-negligible complexity in the neutron code and the OVN NB database. See: https://review.opendev.org/c/openstack/neutron/+/907504 -- Closes-Bug: #2051935 Co-Authored-By: Brian Haley <haleyb.dev@gmail.com> Change-Id: I28fae44edc122fae389916e25b3321550de001fd
OpenStack Neutron
Neutron is an OpenStack project to provide "network connectivity as a service" between interface devices (e.g., vNICs) managed by other OpenStack services (e.g., Nova).
To learn more about neutron:
- Documentation: https://docs.openstack.org/neutron/latest/
- Features: https://specs.openstack.org/openstack/neutron-specs
- Defects: https://launchpad.net/neutron
- Release notes: https://docs.openstack.org/releasenotes/neutron/index.html
- Source: https://opendev.org/openstack/neutron
If you would like to contribute to Neutron, please read the file CONTRIBUTING.rst or see the Neutron contributor guide:
https://docs.openstack.org/neutron/latest/contributor/contributing.html
Get in touch via email. Use [Neutron] in your subject.