Bug 1986337 - [RFE] To allow NAT registers type "dnat_and_snat" with CIDR instead of IP address
Summary: [RFE] To allow NAT registers type "dnat_and_snat" with CIDR instead of IP add...
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: ovn2.13
Version: FDP 21.K
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: OVN Team
QA Contact: Jianlin Shi
URL:
Whiteboard:
Depends On:
Blocks: 1970907
Reported: 2021-07-27 10:04 UTC by Rodolfo Alonso
Modified: 2023-04-24 15:08 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-24 15:08:36 UTC
Target Upstream Version:
Embargoed:




Links: Red Hat Issue Tracker FD-1446 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2021-09-24 14:02:33 UTC)

Description Rodolfo Alonso 2021-07-27 10:04:53 UTC
This RFE is related to https://bugzilla.redhat.com/show_bug.cgi?id=1970907.

Description
-----------
The aim of this proposal is to have allowed address pairs [1][2] in Neutron, but instead of using IP addresses (/32), using CIDRs. That will allow defining VIPs within a range instead of a single IP address. In [3] the customer describes what they really wanted:
- Create two VM ports and a VIP port.
- Assign a CIDR to both VM ports as allowed address pairs.
- Create a FIP per port.
--> any traffic coming to the VIP FIP should be redirected to any of the VMs.


Current behaviour
-----------------
This is my understanding of the current implementation, which could be wrong. Please correct me in that case.

As I described in [4], when a FIP is created in Neutron, a NAT register of type "dnat_and_snat" is created. That will NAT any traffic, in both directions, from the FIP to the fixed IP, which is a logical switch port. This LSP has its Neutron port equivalent.

When the LSP is marked as virtual, two new rules are set in OVS, in table 21. Those OF rules will send any GARP coming from the fixed IP (internal IP) to a controller. This controller will match the port, the MAC address and the fixed IP address. That will happen when in a VM port, the fixed IP is set manually (when I say manually I mean not OpenStack). This is the fixed VIP.

The LSP is marked as virtual because (1) it is not bound and (2) another bound port receives its own IP address as an allowed address pair.


Proposal
--------
What I'm proposing here is to be able to have NAT registers of type "dnat_and_snat" with CIDRs instead of IP addresses. That will allow matching any GARP from this CIDR (as we do now with IPs) and matching this port, MAC and IP address.

That implies Neutron is capable of, when a CIDR is set as an allowed address pair of a port, finding the same CIDR set on any other unbound port and marking it as virtual. The LSP holds the [MAC, IP address] tuple in "addresses", but the Neutron CIDR is stored in "external_ids:neutron:cidrs". That could be used in OVN to set the NAT register "ip_address" field.



[1]https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/networking_guide/sec-allowed-address-pairs
[2]https://docs.openstack.org/developer/dragonflow/specs/allowed_address_pairs.html
[3]https://bugzilla.redhat.com/show_bug.cgi?id=1970907#c3
[4]https://bugzilla.redhat.com/show_bug.cgi?id=1970907#c5
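The matching the RFE describes, as an added example that is not part of the bug report and not OVN or Neutron code: the GARP check on a NAT logical IP (exact /32 today, a CIDR as proposed) and the Neutron-side selection of the unbound port to mark virtual and of the bound ports that carry the CIDR as an allowed address pair. The Port fields and the sample ports are assumptions constructed for the example.

```python
# Added example (not from the bug report or from OVN/Neutron code): models the
# matching the RFE describes. The current virtual-port GARP match works on the
# single /32 logical IP of a dnat_and_snat NAT record; the proposal is to match
# on a CIDR, so a GARP from any address in the range can claim the VIP port.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Port:
    """Simplified Neutron port / OVN LSP (field names are assumptions)."""
    name: str
    fixed_ip: str
    bound: bool
    allowed_address_pairs: list = field(default_factory=list)  # Neutron AAPs
    cidrs: list = field(default_factory=list)  # LSP external_ids:neutron:cidrs

def garp_matches(nat_logical_ip: str, garp_src_ip: str) -> bool:
    """True if the GARP source lies in the NAT logical_ip. A /32 (or bare IP)
    reproduces today's exact match; a wider prefix is the proposed behaviour."""
    net = ipaddress.ip_network(nat_logical_ip, strict=False)
    return ipaddress.ip_address(garp_src_ip) in net

def virtual_port_candidates(ports, aap_cidr: str) -> list:
    """Unbound ports whose stored CIDR equals the allowed-address-pair CIDR set
    on some bound port; the RFE says Neutron would mark these LSPs virtual."""
    want = ipaddress.ip_network(aap_cidr, strict=False)
    return [p.name for p in ports if not p.bound
            and any(ipaddress.ip_network(c, strict=False) == want for c in p.cidrs)]

def virtual_parents(ports, vip_cidr: str) -> list:
    """Bound ports carrying the VIP CIDR as an allowed address pair; only a GARP
    from one of these should be accepted to bind the virtual port."""
    want = ipaddress.ip_network(vip_cidr, strict=False)
    return [p.name for p in ports if p.bound
            and any(ipaddress.ip_network(c, strict=False) == want
                    for c in p.allowed_address_pairs)]

# Constructed sample: two bound VMs sharing a /24 as AAP, one unbound VIP port.
SAMPLE_PORTS = [
    Port("vm1", "10.0.0.5", True, allowed_address_pairs=["10.0.0.0/24"]),
    Port("vm2", "10.0.0.6", True, allowed_address_pairs=["10.0.0.0/24"]),
    Port("vip", "10.0.0.10", False, cidrs=["10.0.0.0/24"]),
    Port("other", "10.0.1.10", False, cidrs=["10.0.1.0/24"]),
]

if __name__ == "__main__":
    print(virtual_port_candidates(SAMPLE_PORTS, "10.0.0.0/24"))  # ['vip']
    print(virtual_parents(SAMPLE_PORTS, "10.0.0.0/24"))          # ['vm1', 'vm2']
    print(garp_matches("10.0.0.10/32", "10.0.0.11"))             # False (today)
    print(garp_matches("10.0.0.0/24", "10.0.0.11"))              # True (proposed)
```

Restricting accepted GARPs to the virtual-parents set matters more with a CIDR than with a /32, since any port on the segment could otherwise announce an address in the range.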

