Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1651647

Summary: [RHOSP 12][DVR] Neutron doesn't configure multiple external subnets for one network properly
Product: Red Hat OpenStack Reporter: Alex Stupnikov <astupnik>
Component: openstack-neutronAssignee: Slawek Kaplonski <skaplons>
Status: CLOSED EOL QA Contact: Roee Agiman <ragiman>
Severity: high Docs Contact:
Priority: unspecified    
Version: 12.0 (Pike)CC: amuller, bhaley, chrisw, nyechiel
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1651936 (view as bug list) Environment:
Last Closed: 2018-12-17 15:16:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1651936    

Description Alex Stupnikov 2018-11-20 13:42:08 UTC 
Description of problem:

It is possible to create two subnets for single external network and it looks like we support such kind of setup. However, it doesn't work properly: every DVR will have a single on-link route for ONLY ONE external subnet and will not have on-link route for another one.

As a result, there are two scenarios when routing doesn't work as it should:

- two instances with FIPs from different external subnets will have asymmetric traffic flows: if there is an on-link route for DST packet, it will be routed directly to another DVR. If not, packet will be routed to external router. As a result, if there is a stateful firewall on external router, this communication will be blocked.
- two instances with FIPs from the same external subnet could have suboptimal traffic flows if there are no on-link routes for this subnet. As a result, traffic will always go through external router, which could cause issues if router has protection against such kind of flows.

Here is an example output of routing table in fip-* namespace on compute node where single external network has two subnets: 10.0.0.0/24 and 10.0.1.0/24:

default via 10.0.0.1 dev fg-83ec5f16-be table 2852022899 
10.0.0.0/24 dev fg-83ec5f16-be proto kernel scope link src 10.0.0.225 
10.0.0.218 via 169.254.106.114 dev fpr-789f245b-1 
10.0.0.219 via 169.254.106.114 dev fpr-789f245b-1 
10.0.1.15 via 169.254.106.114 dev fpr-789f245b-1

As we can see, there are host routes for local FIPs, a single on-link route for 10.0.0.0/24 subnet and default route.


Additional information:

An upstream bug for legacy routers [1] was solved long time ago.

[1] https://bugs.launchpad.net/neutron/+bug/1312467