[openstack-dev] [neutron][dvr] Wasting so many external network IPs in DVR mode?

Carl Baldwin carl at ecbaldwin.net
Wed Jun 1 16:18:29 UTC 2016

On Wed, Jun 1, 2016 at 9:48 AM, zhi <changzhi1990 at gmail.com> wrote:
> hi, all
>     I have some questions about north/south traffic in DVR mode.
>     As we all know, packets will be sent to the instance's default gateway (qr
> interface) when an instance wants to communicate with the external network.
> Next, these packets will be sent from the rfp interface (qrouter interface) to
> the fpr interface (fip namespace) after NAT by iptables rules in the qrouter
> namespace. Finally, packets will be forwarded by the fg interface which exists
> in the fip namespace.
>     I was so confused by the "fg" interface.
>     The device owner of the "fg" interface is "network:floatingip_agent_gateway"
> in Neutron. It is a special port which is allocated from the external network.
> I think, in this way, we have to waste many IP addresses from the external
> network. Because we need a dedicated router IP per compute node, don't we?

Yes, this is correct.  We have a simple spec [1] in review to solve
this problem in Newton.  It will still require the same fg ports but
will allow you to pull the IP addresses for these ports from a private
address space so that your public IPs are not wasted on them.

>     In DVR mode, why don't we use a "qg" interface in the qrouter namespace? Just
> like in the "Legacy L3 agent mode"!  We can also set up "qg" interfaces and "qr"
> interfaces in qrouter namespaces in DVR mode.

The main reason behind putting the routers behind the fip namespace
was the number of mac addresses that you would need.  Each port needs
a unique mac address and some calculations showed that in some large
environments, the number of mac addresses flying around could stretch
the limits of mac address tables in switches and routers and cause
degraded performance.

Another thing is that it was not trivial to create a port without a
permanent IP address to host floating ips which can come and go at any
time.  It is also nice to have a permanent IP address on each port to
allow debugging.  A number of ideas were thrown around for how to
accomplish this but none ever came to fruition.  The spec I mentioned
[1] will help with this by allowing a permanent IP for each port from
a private pool of plentiful IP addresses to avoid wasting the public

>     Maybe my thought was wrong, but I want to know what we can benefit from
> the "fip" namespace and the reason why we do not use "qg" interfaces in DVR
> mode just like in Legacy L3 agent mode.
>     Hope for your reply.  ;-)

Glad to help,

[1] https://review.openstack.org/#/c/300207/
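To put a number on the waste zhi describes, here is an added Python example (not code from this thread or from Neutron itself) that audits the ports of an external network by device_owner. The port dicts are constructed sample data in the shape of the Neutron ports API; the three device_owner strings are the real Neutron values, while the public/private subnet split models what the spec in [1] proposes, namely that fg ports served from a private range stop consuming public addresses. The subnet values, network name and port ids are assumptions for the example.

```python
"""Audit which consumers hold the public IPs of a Neutron external network.

Added example with constructed sample data; not taken from a real cloud.
"""
import ipaddress

# Real Neutron device_owner values for the port types discussed above.
FG_OWNER = "network:floatingip_agent_gateway"   # DVR fg port, one per compute node
QG_OWNER = "network:router_gateway"              # router gateway (qg) port
FIP_OWNER = "network:floatingip"                 # tenant floating IP

# Assumed layout: the external network has a public /24 and, as the spec
# proposes for fg ports, a separate private range that is not public.
PUBLIC_SUBNET = ipaddress.ip_network("203.0.113.0/24")


def _port(pid, owner, addr, network="ext-net"):
    """Build a port dict with just the fields the audit reads (sample only)."""
    return {"id": pid, "device_owner": owner, "network_id": network,
            "fixed_ips": [{"ip_address": addr}]}


# Constructed sample: 4 compute nodes (4 fg ports), two of which still hold
# public IPs; one qg port for centralized SNAT; 3 floating IPs; one DHCP port.
SAMPLE_PORTS = [
    _port("fg-node1", FG_OWNER, "203.0.113.10"),
    _port("fg-node2", FG_OWNER, "203.0.113.11"),
    _port("fg-node3", FG_OWNER, "192.168.250.3"),   # private range, as per the spec
    _port("fg-node4", FG_OWNER, "192.168.250.4"),
    _port("qg-snat", QG_OWNER, "203.0.113.2"),
    _port("fip-a", FIP_OWNER, "203.0.113.100"),
    _port("fip-b", FIP_OWNER, "203.0.113.101"),
    _port("fip-c", FIP_OWNER, "203.0.113.102"),
    _port("dhcp-1", "network:dhcp", "203.0.113.3"),  # counted under other_public
]


def audit(ports, public_subnet):
    """Count fixed IPs on the external network by consumer.

    fg ports are split by whether their address comes from the public
    subnet or from a private range; every other port counts only when its
    address is public.  Returns the per-consumer counts plus 'public_used',
    the total number of public addresses consumed.
    """
    counts = {"fg_public": 0, "fg_private": 0, "qg_public": 0,
              "fip_public": 0, "other_public": 0}
    for port in ports:
        owner = port.get("device_owner", "")
        for fixed in port.get("fixed_ips", []):
            public = ipaddress.ip_address(fixed["ip_address"]) in public_subnet
            if owner == FG_OWNER:
                counts["fg_public" if public else "fg_private"] += 1
            elif public:
                key = {QG_OWNER: "qg_public", FIP_OWNER: "fip_public"}
                counts[key.get(owner, "other_public")] += 1
    counts["public_used"] = sum(v for k, v in counts.items() if k.endswith("_public"))
    return counts


def fg_ports_by_network(ports):
    """Number of fg ports per external network: one per compute node that
    hosts a fip namespace for that network, which is the per-node cost."""
    per_net = {}
    for port in ports:
        if port.get("device_owner") == FG_OWNER:
            net = port["network_id"]
            per_net[net] = per_net.get(net, 0) + 1
    return per_net


if __name__ == "__main__":
    result = audit(SAMPLE_PORTS, PUBLIC_SUBNET)
    for key, value in result.items():
        print(f"{key:13s} {value}")
    print("fg ports per network:", fg_ports_by_network(SAMPLE_PORTS))
```

In the sample, two of the seven public addresses in use go to fg ports that carry no tenant traffic of their own; the two fg ports already moved to the private range cost nothing from the public pool, which is exactly the saving the spec is after. Against a real deployment you would feed `audit` the port list of the external network as returned by the Neutron ports API instead of `SAMPLE_PORTS`.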
