Centralized SNAT

Source NAT, or SNAT for short, is the method of changing the source address of a packet as it leaves the interface of a router. When a Neutron router is allocated an IP address from an external network using the router-gateway-set command, the IP is used in source NAT operations. The source IP of traffic from virtual machine instances to external networks will be translated as the router's address when the instances do not have 1-to-1 floating IPs configured. All routers in Neutron, whether they are standalone, HA, or distributed, support SNAT.

Note

As of the Kilo release of OpenStack, routers that handle SNAT are centralized on a single node and are not highly available. As a workaround, multiple nodes may be configured in dvr_snat mode.

Reviewing the topology

In this demonstration, the following provider and tenant networks are created:

Figure 9.20

Using the --distributed=true option, a distributed virtual router is created:

Figure 9.21

In this environment, the L3 agent on the controller is in dvr_snat mode and serves as the centralized SNAT node. Attaching the router to the TENANT_NET tenant network results in the router being scheduled to the controller node:

Figure 9.22

When an instance is spun up in the tenant network, the router is also scheduled to the respective compute node:

Figure 9.23

At this point, both the controller node and compute node each have a qrouter namespace that corresponds to the MyRouter-DVR router. Attaching the router to the external network using the router-gateway-set command results in the creation of a snat namespace on the controller node. Now, on the controller node, two namespaces exist for the same router—snat and qrouter:

Figure 9.24

This configuration can be represented by the following diagram:

Figure 9.25

The qrouter namespace on the controller node is identical to the qrouter namespace on the compute node and is used to service DHCP, load balancer, and other traffic that traverses this host. The snat namespace is for the centralized SNAT service.

Within the qrouter namespace, observe the following interfaces—lo (loopback) and qr:

Figure 9.26

Unlike the qrouter namespace of a legacy router, there is no qg interface even though the router is attached to the external network.

However, take a look inside the snat namespace:

Figure 9.27

Inside the snat namespace, you will find the qg interface that is used to handle outgoing traffic from virtual machine instances. In addition to the qg interface, there is now a new interface with the prefix sg. A virtual router will have a qr interface and a new sg interface for every internal network it is connected to. The sg interfaces are used as an extra hop when traffic is source NAT'd, and this will be explained in further detail in the following sections.

Using the routing policy database

When a virtual machine instance without a floating IP sends traffic destined to an external network, such as the Internet, it hits the local qrouter namespace on the compute node and is routed to the snat namespace on the centralized network node. To accomplish this task, special routing rules are put in place within the qrouter namespaces.

Linux offers a routing policy database made up of multiple routing tables and rules that allow for intelligent routing based on destination and source addresses, IP protocols, ports, and more. There are source routing rules for every subnet that a virtual router is attached to.

In this demonstration, the router is attached to a single tenant network: 10.30.0.0/24. Take a look at the main routing table within the qrouter namespace on compute01:

Figure 9.28

Note that there is no default route in the main routing table.

On the compute node, use the ip rule command from within the qrouter namespace to list additional routing tables and rules created by the Neutron agent:

Figure 9.29

The table numbered 169738241 is created by Neutron. The additional routing table is consulted and a default route is found:

Figure 9.30

From this output, we can see that 10.30.0.4 is the default gateway address and corresponds to the sg interface within the snat namespace on the centralized node. When traffic reaches the snat namespace, the source NAT is performed and the traffic is routed out of the qg interface.
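As an added example (not from the book), the following Python script reproduces the lookup the kernel performs inside the qrouter namespace, walking the rules in priority order and then doing a longest-prefix match in the selected table, against constructed ip rule and ip route output modelled on Figures 9.28 to 9.30. The qr interface name, the 10.30.0.1 router address, and the note that the Kilo agent derives the table number from that address are assumptions, not taken from the page.

```python
import ipaddress
import re

# Constructed sample output (not captured from the book's environment), modelled on
# Figures 9.28-9.30: the main table has no default route; Neutron's own table does.
IP_RULE_OUTPUT = """\
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
169738241:      from 10.30.0.0/24 lookup 169738241
"""
IP_ROUTE_OUTPUT = {  # keyed by table name/number, as "ip route show table X" would print
    "local": "",
    "main": "10.30.0.0/24 dev qr-7a1b2c3d proto kernel scope link src 10.30.0.1\n",
    "default": "",
    "169738241": "default via 10.30.0.4 dev qr-7a1b2c3d\n",
}

def snat_table_id(router_port_ip):
    """Assumed Kilo agent behaviour (not stated on the page): the table and rule
    number is the integer value of the router's qr address on that subnet."""
    return int(ipaddress.ip_address(router_port_ip))

def parse_rules(text):
    """Return (priority, source selector or None for 'all', table) in lookup order."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"(\d+):\s+from (\S+) lookup (\S+)", line)
        if m:
            src = None if m.group(2) == "all" else ipaddress.ip_network(m.group(2), strict=False)
            rules.append((int(m.group(1)), src, m.group(3)))
    return sorted(rules)  # lower priority number is evaluated first

def parse_routes(text):
    """Return (prefix, via, dev) tuples, most specific prefix first."""
    routes = []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        prefix = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((prefix, via, dev))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

def lookup(src, dst, rules_text=IP_RULE_OUTPUT, tables=IP_ROUTE_OUTPUT):
    """Resolve a packet the way the RPDB does; None means 'Network is unreachable'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in parse_rules(rules_text):
        if selector is not None and src not in selector:
            continue  # rule does not apply to this source address
        for prefix, via, dev in parse_routes(tables.get(table, "")):
            if dst in prefix:
                return {"table": table, "via": via, "dev": dev}
    return None
```

Traffic from a VM on 10.30.0.0/24 to 8.8.8.8 falls through the main table and is sent to 10.30.0.4 (the sg address) by table 169738241, while a packet to a neighbour on the same subnet stays in main.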

Tracing a packet through the SNAT namespace

In the following example, the green VM sends traffic to 8.8.8.8, a Google DNS server, as shown in the following diagram:

Figure 9.31

Source MAC | Destination MAC | Source IP | Destination IP
---------- | --------------- | --------- | --------------
Green VM | Green router interface (qr1) | Green VM | 8.8.8.8 (Google DNS)

When traffic arrives at the local qrouter namespace, the main routing table is consulted. The destination IP, 8.8.8.8, does not match any directly connected subnet and a default route does not exist. Secondary routing tables are then consulted, where a match is found based on the source interface. The router then routes the traffic from the green VM to the green interface of the SNAT namespace, sg1, through the east-west routing mechanisms covered earlier in this chapter:

Figure 9.32

Source MAC | Destination MAC | Source IP | Destination IP
---------- | --------------- | --------- | --------------
Green router interface (qr1) | Green SNAT interface (sg1) | Green VM | 8.8.8.8 (Google DNS)

When traffic enters the snat namespace, it is routed out the qg interface. The iptables SNAT rules within the namespace rewrite the source IP to the address of the qg interface, and the frame leaves with the MAC address of qg as its source, so that return traffic is routed back properly:

Figure 9.33

Source MAC | Destination MAC | Source IP | Destination IP
---------- | --------------- | --------- | --------------
External SNAT interface (qg) | Physical default gateway | External SNAT interface (qg) | 8.8.8.8 (Google DNS)

When the remote destination responds, a combination of flow rules on the centralized network node and compute node ensures that the response is routed back to the green VM with the proper IP and MAC addresses in place.
