
Bug 1986337

Summary: [RFE] To allow NAT registers type "dnat_and_snat" with CIDR instead of IP address
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Rodolfo Alonso <ralonsoh>
Component: ovn2.13
Assignee: OVN Team <ovnteam>
Status: CLOSED DEFERRED
QA Contact: Jianlin Shi <jishi>
Severity: high
Priority: high
Version: FDP 21.K
CC: ctrautma, froyo, jiji, mmichels, ralongi
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-04-24 15:08:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1970907

Description Rodolfo Alonso 2021-07-27 10:04:53 UTC
This RFE is related to https://bugzilla.redhat.com/show_bug.cgi?id=1970907.

Description
-----------
The aim of this proposal is to have allowed address pairs [1][2] in Neutron, but instead of using IP addresses (/32), using CIDRs. That will allow defining VIPs within a range instead of one single IP address. In [3] the customer describes what they really wanted:
- Create two VM ports and a VIP port.
- Assign a CIDR to both VM ports as allowed address pairs.
- Create a FIP per port.
--> any traffic coming to the VIP FIP should be redirected to any of the VMs.


Current behaviour
-----------------
This is my understanding of the current implementation, which could be wrong. Please correct me if so.

As I described in [4], when a FIP is created in Neutron, a NAT register of type "dnat_and_snat" is created. That will NAT any traffic, in both directions, from the FIP to the fixed IP, which is a logical switch port. This LSP has its Neutron port equivalent.

When the LSP is marked as virtual, two new rules are set in OVS, in table 21. Those OF rules will send any GARP coming from the fixed IP (internal IP) to a controller. This controller will match the port, the MAC address and the fixed IP address. That will happen when, in a VM port, the fixed IP is set manually (when I say manually I mean not by OpenStack). This is the fixed VIP.

The LSP is marked as virtual because (1) it is not bound and (2) another bound port receives its own IP address as an allowed address pair.


Proposal
--------
What I'm proposing here is to be able to have NAT registers of type "dnat_and_snat" with CIDRs instead of IP addresses. That will allow matching any GARP from this CIDR (as we do now with IPs) and matching this port, MAC and IP address.

That implies Neutron is capable of, when a CIDR is set as an allowed address pair of a port, finding the same CIDR set on any other unbound port and marking it as virtual. The LSP holds in "addresses" the [MAC, IP address] tuple, but in "external_ids:neutron:cidrs" the Neutron CIDR is stored. That could be used in OVN to set the NAT register "ip_address" field.


[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/networking_guide/sec-allowed-address-pairs
[2] https://docs.openstack.org/developer/dragonflow/specs/allowed_address_pairs.html
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1970907#c3
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1970907#c5
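The two matching rules the proposal describes (find the unbound port that shares a bound port's allowed-address-pair CIDR and mark it virtual; accept a GARP for the VIP only from a port allowed for that CIDR and MAC), as an added example that is not part of the bug report or of OVN/Neutron code. The LSP record layout, the exact-network equality rule and the sample ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class LSP:
    """Constructed stand-in for an OVN logical switch port (layout assumed)."""
    name: str
    mac: str
    ip: str                      # fixed IP from the LSP "addresses" column
    bound: bool                  # True when a chassis has bound the port
    cidrs: list = field(default_factory=list)   # external_ids:neutron:cidrs
    allowed_address_pairs: list = field(default_factory=list)  # (mac, cidr)

def find_virtual_ports(ports):
    """Unbound LSPs whose Neutron CIDR appears, as an identical network, as an
    allowed address pair on some bound LSP.  Identical networks, not mere
    overlap: a bound port allowed 10.0.0.0/24 must not capture a VIP port
    registered as 10.0.0.64/28 (or the other way round)."""
    bound_aaps = {ipaddress.ip_network(c)
                  for p in ports if p.bound
                  for _mac, c in p.allowed_address_pairs}
    return {p.name for p in ports
            if not p.bound
            and any(ipaddress.ip_network(c) in bound_aaps for c in p.cidrs)}

def garp_claims_vip(garp_src_ip, garp_src_mac, nat_cidr, sender):
    """Would a GARP seen on `sender` move the VIP to it?  Generalises the
    current per-IP check: the sender must be bound, the GARP source IP must
    fall inside the NAT register's CIDR, and the sender must hold an allowed
    address pair for exactly that CIDR with the GARP's source MAC."""
    net = ipaddress.ip_network(nat_cidr)
    if not sender.bound or ipaddress.ip_address(garp_src_ip) not in net:
        return False
    return any(mac.lower() == garp_src_mac.lower()
               and ipaddress.ip_network(c) == net
               for mac, c in sender.allowed_address_pairs)

# Constructed sample: two bound VM ports share the VIP range 10.0.0.64/28 as an
# allowed address pair; the VIP port is unbound and carries the same CIDR.
VIP_CIDR = "10.0.0.64/28"
PORTS = [
    LSP("vm1", "fa:16:3e:00:00:01", "10.0.0.11", True,
        allowed_address_pairs=[("fa:16:3e:00:00:01", VIP_CIDR)]),
    LSP("vm2", "fa:16:3e:00:00:02", "10.0.0.12", True,
        allowed_address_pairs=[("fa:16:3e:00:00:02", VIP_CIDR)]),
    LSP("vip", "fa:16:3e:00:00:70", "10.0.0.70", False, cidrs=[VIP_CIDR]),
    LSP("other", "fa:16:3e:00:00:03", "10.0.0.13", True),  # no pair: must not claim
]
```

Requiring the GARP sender's allowed address pair to equal the NAT CIDR, rather than merely overlap it, keeps the anti-spoofing exception exactly as wide as what was configured on the port.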