[LXD] Floating IP addresses

stgraber · August 9, 2021, 2:21pm

tomp:

lxc network forward add <network> <listen_address> [<default_target_address>]
lxc network forward port add <network> <listen_address> <target_address> <protocol> <port range>[,<port range>]
lxc network forward port remove <network> <listen_address> <target_address> <protocol> <port range>[,<port range>]
lxc network <network> forward delete <listen_address>
lxc network <network> forward show <listen_address>
lxc network <network> forward edit <listen_address>
lxc network <network> forward list

The command structure looks wrong here.
It should be:

lxc network forward <action> <network> ...
lxc network forward port <action> <network> <listen_address> ...

tomp · August 9, 2021, 3:01pm

Yep thats a copy/paste error, fixed.

tomp · August 9, 2021, 3:34pm

Fixed.

tomp · August 9, 2021, 3:34pm

Yes indeed, fixed.

tomp · August 9, 2021, 3:36pm

I agree except potentially with the many:many port range option.

It may be that the user wants something like:

listen ports: 80-81
target ports: 90-91

As long as there is a 1:1 mapping between each of the listen and target ports, then it could be valid. This is similar to what the proxy device does. It also makes the listen and target port ordering important when they are specified by the user.

I’m happy ofc to make the target port a single port only, if you don’t think that scenario should be supported.

tomp · August 9, 2021, 4:13pm

@stgraber I think this rationale for using ipv{n}.nat.address on ovn networks may have an issue. This is because unlike bridge networks that share a common router (the host itself), ovn networks each have their own virtual router.

This presents two issues:

Any SNAT we perform for outbound traffic from the network’s virtual router onto the uplink network will require the virtual router to respond to ARP/NDP neighbour requests for that IP so that return packets can make it back.
By extension of 1. this means that we cannot share SNAT addresses between multiple ovn networks (as you cannot have multiple ARP/NDP neighbour responders for the same IP on different virtual routers).

So I wonder what the original intention of this feature was, over, just changing the ovn networks volatile.network.ipv{n}.address which would both change the virtual router’s IP and the SNAT source address?

stgraber · August 9, 2021, 4:23pm

Ah yeah, I guess we can allow port ranges in that case so long as they’re both the same size. This is a case where we’ll need to expand them for the bridged case as there’s no way to do that with netfilter ranges I believe.

tomp · August 9, 2021, 4:24pm

Yep thats what the proxy does right now for all combinations, and what we’re going to look at optimising for the other scenarios in

github.com/lxc/lxd

Proxy device with NAT enabled has a single firewall rule per port

opened 08:33PM - 02 Aug 21 UTC

morphis

Bug

# Required information * Distribution: Ubuntu * Distribution version: 20.0…4 * The output of "lxc info" or if that fails: * Kernel version: 5.8.0-1037-oracle #38~20.04.1-Ubuntu * LXC version: * LXD version: 4.0.7 * Storage backend in use: zfs # Issue description Adding the following proxy device to a container causes one iptables rule in the nat table to be generated per port: ``` turn: connect: udp:240.39.0.109:60000-60100 listen: udp:10.0.0.39:60000-60100 nat: "true" type: proxy ``` ``` $ sudo iptables -S -t nat ... -A POSTROUTING -s 240.39.0.109/32 -d 240.39.0.109/32 -p udp -m udp --dport 60100 -m comment --comment "generated for LXD container juju-111acc-1 (turn)" -j MASQUERADE .... -A POSTROUTING -s 240.39.0.109/32 -d 240.39.0.109/32 -p udp -m udp --dport 60000 -m comment --comment "generated for LXD container juju-111acc-1 (turn)" -j MASQUERADE ``` # Steps to reproduce See above # Information to attach - [ ] Any relevant kernel output (`dmesg`) - [ ] Container log (`lxc info NAME --show-log`) - [ ] Container configuration (`lxc config show NAME --expanded`) - [ ] Main daemon log (at /var/log/lxd/lxd.log or /var/snap/lxd/common/lxd/logs/lxd.log) - [ ] Output of the client with --debug - [ ] Output of the daemon with --debug (alternatively output of `lxc monitor` while reproducing the issue)

stgraber · August 9, 2021, 4:25pm

volatile.network.ipv{n}.address only lets you set it to something on the uplink subnet, my interest is in being able to set it to an external address.

tomp · August 9, 2021, 4:30pm

OK, cool, so it’ll still be a per-network address (i.e it cannot be shared across multiple networks).

But I think due to the need for the virtual router to respond to ARP/NDP neighbour requests for that address (which would then suggest its already in the uplink’s subnet anyway) should we then restrict this setting to only being used when the uplink network’s ovn.ingress_mode is routed?

We’ll also need to get the BGP advertiser to advertise that address as should be routed towards that router.

stgraber · August 9, 2021, 5:01pm

Yeah, I think that’s fine.

tomp · August 9, 2021, 5:07pm

Thanks. I’ve clarified the rationale around that and added a statement about that requirement.

stgraber · August 9, 2021, 5:27pm

@tomp reviewed and approved!

tomp · August 11, 2021, 12:06pm

The PR that adds SNAT support for ovn networks is here:

github.com/lxc/lxd

Network: Add source NAT address support

lxc:master ← tomponline:tp-network-ovn-snat

opened 04:38PM - 10 Aug 21 UTC

tomponline

+209 -95

Adds support for specifying an outbound external NAT address for `ovn` networks …using `ipv4.nat.address` and `ipv6.nat.address`. The specified address must be within one of the uplink network's `ipv{n}.routes` and not overlap with an external subnet in use by another OVN network on the same uplink (either the network itself or one of the NICs connected to it). NICs connected to the same OVN network may have externally routed subnet(s) that overlap with the network's `ipv{n}.nat.address`. Because the NAT addresses will be by definition outside of the uplink's own subnet, it is required that routes are added on the uplink that forward the desired addresses to the OVN network's external router IP (`volatile.network.ipv{n}.address`), either manually or via a route advert mechanism such as BGP.

And the associated tests here:

tomp · August 11, 2021, 12:40pm

I’ve removed the per-driver API extensions for this feature and gone with a single API extension so it can also be referenced in the shared API struct docs.

tomp · August 11, 2021, 1:22pm

@stgraber I was thinking about the CLI command structure more, and I believe there is a small problem with the current proposal.

We state in the API struct definitions that effectively you cannot create an “empty” forward, i.e a listen address with no default target and no port specifications.

// Target address to forward all unmatched ports to (optional if Ports not-empty)
// Example: 198.51.100.1

However in the commands the default_target_address is (correctly) optional, but adding port specifications requires a separate command.

lxc network forward add <network> <listen_address> [<default_target_address>]
lxc network forward port add <network> <listen_address> <target_address> <protocol> <port range>[,<port range>]

Allowing me to run just:

lxc network forward add <network> <listen_address>

And with no port specifications, this will either always fail or allow an empty forward to be created, and based on the current API spec it will always fails.

So we either need to allow an empty forward to be created, or make a small change to the forward add command to allow one or more port specifications (using a similar argument style as the proxy device uses) to be added:

i.e:

<type>:<listen_port>[-<listen_port>][,<listen_port>]:<addr>:<target_port>[-<target_port>][,<target_port>]

lxc network forward add <network> <listen_address> [<default_target_address>] [ports...]

Which would then look something like this (default target only):

lxc network forward add ovn0 10.0.0.1 192.168.1.1

or with a default target and multiple port specifications:

lxc network forward add ovn0 10.0.0.1 192.168.1.1 tcp:80,81,90-91:192.168.1.2:90,91-94 udp:53:192.168.1.3:53

or with just port specifications and not default target:

lxc network forward add ovn0 10.0.0.1 tcp:80,81,90-91:192.168.1.2:90,91-94 udp:53:192.168.1.3:53

This would then prevent running the command without any target specifications like:

lxc network forward add ovn0 10.0.0.1

stgraber · August 11, 2021, 3:00pm

I feel like allowing for an empty forward is likely best here.
It will also effectively allow you to “reserve” an address, making it unusable by instances, so this feels like a good side benefit

tomp · August 12, 2021, 3:18pm

@stgraber should lxc network forward add be infact lxc network forward create to keep with convention as we’re creating a resource.

And only lxc network forward port add should be “add” as its adding a port to and existing resource?

As we have lxc network <network> forward delete but conventially “delete” is paired with “create” and “remove” paired with “add”.

stgraber · August 12, 2021, 3:53pm

yes, create/delete for forward add/remove for port.

tomp · August 12, 2021, 4:16pm

Thanks, I’ve also made some changes to the CLI part of the spec as it was not providing support for custom target ports.