[openstack-dev] [Neutron] DHCP address being SNAT by L3 agent

Xuhan Peng pengxuhan at gmail.com
Tue Apr 8 07:58:52 UTC 2014


Hi Neutron stackers,

I have a question about how to fix the problem of DHCP port address being
SNAT by L3 agent.

I have my neutron DHCP agent and L3 agent running on the same network node,
and I disabled namespace usage in both agent configuration. I have one
router created with one external network and one internal network attached.

After enabling the security group settings, I found that VMs on the compute
node cannot get DHCP messages from dnsmasq on the DHCP port of the network node.

After further investigation by tcpdump of the packets from the network node DHCP
port, I figured the source IP in the DHCP message sent from the DHCP port
has been SNAT'ed into the external gateway IP address by the L3 agent.
Therefore, the security group rule to allow DHCP sent from the internal DHCP
address doesn't work anymore.

Chain neutron-vpn-agen-snat (1 references)
target     prot opt source               destination
neutron-vpn-agen-float-snat  all  --  anywhere             anywhere
SNAT       all  --  10.1.1.0/24          anywhere             to:192.168.1.113

DHCP port address 10.1.1.2 is in the CIDR of the source IPs being SNAT'ed. This
only happens when the DHCP agent and L3 agent are on the same node and they both
have namespaces disabled.


To fix this, I think we can either:

1. Add a RETURN rule before the SNAT rule for the DHCP port so the SNAT won't
be applied to the DHCP port.

2. Break the source CIDR of the SNAT rule into IP ranges to exclude the DHCP
address.

What's your opinion on this?

Xuhan
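The following is an added example, not code from the post or from Neutron, that models the SNAT chain shown above and both proposed fixes as a small rule walker, so the effect on the DHCP port address can be checked before touching a real node. The rule model, the function names and the rendering of rules as `iptables` commands are assumptions of this example; the subnet, DHCP address, gateway address and chain name are the values from the post, and the jump to the float-snat chain is left out because it does not touch the DHCP address.

```python
import ipaddress

# Values taken from the post: the internal subnet the L3 agent SNATs, the
# DHCP port address inside it, the external gateway used as SNAT source,
# and the chain name from the iptables listing.
INTERNAL_CIDR = "10.1.1.0/24"
DHCP_PORT_IP = "10.1.1.2"
EXTERNAL_GW_IP = "192.168.1.113"
SNAT_CHAIN = "neutron-vpn-agen-snat"

# Simplified rule model (an assumption of this example, not Neutron's code):
# target is "SNAT" or "RETURN"; src is an ip_network, a (first, last) address
# range, or None for "anywhere"; "to" is the SNAT source address.


def chain_as_observed(cidr, gw):
    """The chain from the post: every source in the subnet is SNATed."""
    return [{"target": "SNAT", "src": ipaddress.ip_network(cidr), "to": gw}]


def chain_with_return(cidr, dhcp_ip, gw):
    """Option 1: a RETURN for the DHCP port placed before the SNAT rule."""
    skip = {"target": "RETURN", "src": ipaddress.ip_network(dhcp_ip), "to": None}
    return [skip] + chain_as_observed(cidr, gw)


def chain_with_split_ranges(cidr, dhcp_ip, gw):
    """Option 2: replace the CIDR match with the ranges around the DHCP address."""
    net = ipaddress.ip_network(cidr)
    dhcp = ipaddress.ip_address(dhcp_ip)
    rules = []
    if net.network_address < dhcp:
        rules.append({"target": "SNAT", "src": (net.network_address, dhcp - 1), "to": gw})
    if dhcp < net.broadcast_address:
        rules.append({"target": "SNAT", "src": (dhcp + 1, net.broadcast_address), "to": gw})
    return rules


def _matches(src_spec, addr):
    if src_spec is None:
        return True
    if isinstance(src_spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in src_spec
    first, last = src_spec
    return first <= addr <= last


def resolve(rules, src_ip):
    """Walk the chain in order, as netfilter does, and return the SNAT source a
    packet from src_ip would get, or None if it leaves the chain untranslated."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if _matches(rule["src"], addr):
            if rule["target"] == "RETURN":
                return None
            if rule["target"] == "SNAT":
                return rule["to"]
    return None


def render(rules, chain=SNAT_CHAIN):
    """Emit equivalent iptables commands, appended in order to the chain."""
    lines = []
    for rule in rules:
        spec = rule["src"]
        if spec is None:
            match = ""
        elif isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            match = f" -s {spec}"
        else:
            match = f" -m iprange --src-range {spec[0]}-{spec[1]}"
        if rule["target"] == "SNAT":
            lines.append(f"iptables -t nat -A {chain}{match} -j SNAT --to-source {rule['to']}")
        else:
            lines.append(f"iptables -t nat -A {chain}{match} -j RETURN")
    return lines


if __name__ == "__main__":
    variants = [
        ("observed", chain_as_observed(INTERNAL_CIDR, EXTERNAL_GW_IP)),
        ("option 1", chain_with_return(INTERNAL_CIDR, DHCP_PORT_IP, EXTERNAL_GW_IP)),
        ("option 2", chain_with_split_ranges(INTERNAL_CIDR, DHCP_PORT_IP, EXTERNAL_GW_IP)),
    ]
    for name, chain in variants:
        print(f"== {name}: DHCP port -> {resolve(chain, DHCP_PORT_IP)}, "
              f"VM 10.1.1.50 -> {resolve(chain, '10.1.1.50')}")
        for line in render(chain):
            print("  " + line)
```

In both fixes the order of rules is what matters: the RETURN in option 1 only helps if it sits before the SNAT rule, and option 2 keeps working only as long as the DHCP port keeps the address the ranges were computed around, so either rule set has to be regenerated whenever the DHCP port address changes.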