Allow overriding the external address (NAT) for OVN NICs
Is there an existing issue for this?
- [x] There is no existing issue for this feature
What are you currently unable to do
Currently if an instance is the target of a network forward, it will interact using that address for any connection coming through the forward.
However connections established from the instance will still go through the normal private address and NAT on the OVN network.
That's not necessarily wrong in all cases, but it also makes sense to have a way to allow the instance to use the address from one of its network forwards as its default external address.
What do you think would need to be added
My thought is to add two options:
- ipv4.address.external
- ipv6.address.external
Both as NIC options. They would need a bit of validation, basically ensuring that the address selected is that of one of the network forwards on the network.
When doing that, we'd then inject a SNAT rule into OVN so that all new traffic coming out of the instance will be NATed to the selected address rather than whatever the network would normally do.
Would this also solve the double NAT issue mentioned here https://discuss.linuxcontainers.org/t/stuck-on-simple-ovn-setup/23247/3?
Nope, that's completely unrelated.
There is no double NAT issue, the double NAT only happens because you're setting a private NAT-ed network as the uplink. For proper OVN operation, the uplink should be an external shared subnet that all servers have an interface on (dedicated or VLAN) and on which an existing gateway is available and a range of IP addresses have been reserved for Incus to assign to OVN routers.
Using a bridge like incusbr0 as the uplink works fine for development and testing, but it is not a proper production environment for OVN as it's not a shared subnet meaning that when one of the OVN chassis goes down, the traffic will now exit through one of the other servers, being NATed to a completely different address and breaking all existing connections.
Hello, I'm a student at UT in Professor Chidambaram's Virtualization course. Could me and my partner be assigned this issue?
Done. I'll need your partner to comment in here so I can assign them too.
Hello, I'm @OGCbn's partner
My partner and I are writing to ask if our thought process is correct.
- Introduce new NIC config options: in file internal/server/device/nic_ovn.go, update validateConfig by adding the two new entries
- Validate the new configs: in the same file, create a new helper method that checks whether the IP belongs to a forward on the same network
- Inject the SNAT rule: in the same file, create a new helper method that will replace the SNAT address with the necessary one
Any guidance would be greatly appreciated.
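The validation and SNAT step sketched in the original request and in the plan above, as an added example that is not Incus code: a standalone Go check that a candidate `ipv4.address.external` / `ipv6.address.external` value parses as a plain address of the right family and is the listen address of one of the network's forwards, followed by the `ovn-nbctl lr-nat-add` arguments for the matching SNAT rule. The `Forward` struct, the router name and the sample addresses are constructed for the example; Incus's own `validateConfig` helper and OVN client wrappers are not used here.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Forward models the one field of a network forward this check needs: its
// listen address on the uplink. Constructed for this example, not Incus's type.
type Forward struct {
	ListenAddress string
}

// ExternalAddressError reports why a requested external address was rejected.
type ExternalAddressError struct {
	Key    string
	Value  string
	Reason string
}

func (e *ExternalAddressError) Error() string {
	return fmt.Sprintf("%s=%q: %s", e.Key, e.Value, e.Reason)
}

// validateExternalAddress checks that the value given for
// ipv4.address.external / ipv6.address.external is a single IP address of the
// family the key implies and that it equals the listen address of a forward on
// the NIC's network. Without this check a NIC could claim any uplink address
// as its SNAT source. Returns the canonical address on success.
func validateExternalAddress(key string, value string, forwards []Forward) (netip.Addr, error) {
	addr, err := netip.ParseAddr(strings.TrimSpace(value))
	if err != nil {
		return netip.Addr{}, &ExternalAddressError{key, value, "not a single IP address"}
	}
	if addr.Zone() != "" {
		return netip.Addr{}, &ExternalAddressError{key, value, "zone suffix not allowed"}
	}

	switch key {
	case "ipv4.address.external":
		if !addr.Is4() {
			return netip.Addr{}, &ExternalAddressError{key, value, "must be an IPv4 address"}
		}
	case "ipv6.address.external":
		if !addr.Is6() || addr.Is4In6() {
			return netip.Addr{}, &ExternalAddressError{key, value, "must be an IPv6 address"}
		}
	default:
		return netip.Addr{}, &ExternalAddressError{key, value, "unknown config key"}
	}

	for _, fwd := range forwards {
		listen, err := netip.ParseAddr(fwd.ListenAddress)
		if err != nil {
			continue // malformed forward entries never match
		}
		if listen == addr {
			return addr, nil
		}
	}
	return netip.Addr{}, &ExternalAddressError{key, value, "not the listen address of any network forward on this network"}
}

// snatRuleArgs builds the ovn-nbctl arguments that add a source NAT rule on the
// network's logical router so new connections from the instance's internal
// address leave with the chosen external address. OVN's syntax is
// "lr-nat-add ROUTER TYPE EXTERNAL_IP LOGICAL_IP"; the router name is an
// assumed example value, not how Incus names its routers.
func snatRuleArgs(router string, external netip.Addr, internal netip.Addr) []string {
	return []string{"lr-nat-add", router, "snat", external.String(), internal.String()}
}

func main() {
	// Constructed sample: the network has one IPv4 and one IPv6 forward.
	forwards := []Forward{{ListenAddress: "198.51.100.10"}, {ListenAddress: "2001:db8::10"}}
	instanceAddr := netip.MustParseAddr("10.10.10.5") // constructed internal address

	cases := []struct{ key, value string }{
		{"ipv4.address.external", "198.51.100.10"},   // valid
		{"ipv4.address.external", "198.51.100.99"},   // no forward listens here
		{"ipv4.address.external", "2001:db8::10"},    // wrong family for the key
		{"ipv4.address.external", "198.51.100.0/24"}, // a prefix, not an address
		{"ipv6.address.external", "2001:db8::10"},    // valid
	}
	for _, c := range cases {
		addr, err := validateExternalAddress(c.key, c.value, forwards)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted: ovn-nbctl", strings.Join(snatRuleArgs("example-lr", addr, instanceAddr), " "))
	}
}
```

The family check matters because the two keys are validated separately: an IPv6 listen address must not be accepted under `ipv4.address.external`, or the SNAT rule would pair an IPv4 logical address with an IPv6 external one. Comparing `netip.Addr` values rather than strings also makes the match immune to formatting differences such as uppercase hex or `::` compression in the forward's stored address.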
Yep, the approach sounds good to me!