[openstack-dev] [neutron] route metrics inside VR
Volodymyr Litovka
doka.ua at gmx.com
Fri Mar 9 15:30:46 UTC 2018
Dear colleagues,
for some reasons (see the explanation below), I'm trying to deploy the
following network configuration:
                   Network
+-------------------------------------------+
  Subnet-1                        Subnet-2
+---+----+--+                   +----+------+
    |    |        +----+             |
    |    |        |    |             |
    |    +--------+ VR +-------------+
    |             |    |
 +--+-+           +----+
 |    |
 | VM |
 |    |
 +----+
where VR is Neutron's virtual router, connected to two subnets, which
belong to the same network:
Subnet-1 is the "LAN" interface (25.0.0.1/8) connected to qr-64c53cf8-d9
Subnet-2 is the external gateway (51.x.x.x) connected to qg-16bdddb1-d5 with
SNAT enabled
The reason why I'm trying to use this configuration is pretty simple -
it allows switching the VM between different address scopes (e.g. "grey"
and "white") while preserving the port/MAC (which is created in the
"Network" and remains there while I'm switching the VM between different
subnets).
Such a configuration produces the following list of commands when creating the VR:
14:45:18.043 Running command: ['ip', 'netns', 'exec', 'qrouter-UUID',
'ip', '-4', 'addr', 'add', '25.0.0.1/8', 'scope', 'global', 'dev',
'qr-64c53cf8-d9', 'brd', '25.255.255.255']
14:45:19.815 Running command: ['ip', 'netns', 'exec', 'qrouter-UUID',
'ip', '-4', 'addr', 'add', '51.x.x.x/24', 'scope', 'global', 'dev',
'qg-16bdddb1-d5', 'brd', '51.x.x.255']
14:45:20.283 Running command: ['ip', 'netns', 'exec', 'qrouter-UUID',
'ip', '-4', 'route', 'replace', '25.0.0.0/8', 'dev', 'qg-16bdddb1-d5',
'scope', 'link']
14:45:20.919 Running command: ['ip', 'netns', 'exec', 'qrouter-UUID',
'ip', '-4', 'route', 'replace', 'default', 'via', '51.x.x.254', 'dev',
'qg-16bdddb1-d5']
Since 25/8 is an extra subnet of "Network", Neutron installs this entry
(by using 'ip route replace') despite the fact that there should be
a connected route (via qr-64c53cf8-d9).
Due to the current implementation, all traffic from the VR to the directly connected
"subnet-1" goes over "subnet-2" (through NAT) and, thus, the VM in Subnet-1
can't access the VR - it "pings" the local address (25.0.0.1) while replies
return from another (NAT) address.
Can this behaviour be safely changed by using "ip route add
[...] metric <LOWER>" instead of "ip route replace"?
Thank you.
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
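
The following is an added example, not part of the original post and not Neutron or kernel code: a small Python model of the router namespace's IPv4 table that replays the logged commands and compares 'ip route replace' with 'ip route add ... metric'. Assumptions: routes are unique per (prefix, metric), lookup prefers the longest prefix and then the numerically lowest metric, 203.0.113.0/24 is a constructed stand-in for the elided 51.x.x.x/24, and metric 100 is an arbitrary value that is less preferred than the connected route's 0.

```python
import ipaddress

class RouteTable:
    """Simplified model (an assumption, not kernel code) of one IPv4 table:
    at most one route per (prefix, metric) pair."""

    def __init__(self):
        self.routes = {}  # (network, metric) -> output device

    def add(self, prefix, dev, metric=0):
        # 'ip route add': fails if this prefix/metric pair is already present
        key = (ipaddress.ip_network(prefix), metric)
        if key in self.routes:
            raise FileExistsError(f"{prefix} metric {metric}")
        self.routes[key] = dev

    def replace(self, prefix, dev, metric=0):
        # 'ip route replace': overwrites the entry with the same prefix/metric
        self.routes[(ipaddress.ip_network(prefix), metric)] = dev

    def lookup(self, dst):
        # Longest prefix wins; for the same prefix the lowest metric wins
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, -metric, dev)
                for (net, metric), dev in self.routes.items() if addr in net]
        return max(hits)[2] if hits else None

QR, QG = "qr-64c53cf8-d9", "qg-16bdddb1-d5"  # interface names from the post

def build_router(extra_subnet_metric=None):
    rt = RouteTable()
    # Connected routes that follow from the two 'ip addr add' commands.
    # 203.0.113.0/24 is a constructed stand-in for the elided 51.x.x.x/24.
    rt.add("25.0.0.0/8", QR)
    rt.add("203.0.113.0/24", QG)
    if extra_subnet_metric is None:
        rt.replace("25.0.0.0/8", QG)  # what the log in the post shows
    else:
        rt.add("25.0.0.0/8", QG, metric=extra_subnet_metric)  # proposed variant
    rt.replace("0.0.0.0/0", QG)  # default route via the external gateway
    return rt

if __name__ == "__main__":
    print("replace:   ", build_router().lookup("25.0.0.5"))
    print("add metric:", build_router(100).lookup("25.0.0.5"))
```

In this model the replace variant sends traffic for 25.0.0.5 out of the gateway interface, while the metric variant keeps the connected route on the qr- interface as the preferred path.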