diff --git a/neutron/agent/l3/dvr_snat_ns.py b/neutron/agent/l3/dvr_snat_ns.py
index d09041764e8..a8761bcb9a8 100644
--- a/neutron/agent/l3/dvr_snat_ns.py
+++ b/neutron/agent/l3/dvr_snat_ns.py
@@ -30,9 +30,9 @@ class SnatNamespace(namespaces.Namespace):
 def create(self):
 super(SnatNamespace, self).create()
- # This might be an HA router namespaces and it should not have
- # ip_nonlocal_bind enabled
- ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 0)
+ # Set nonlocal_bind to 1 to allow setup applications in HA mode
+ # for example ipsec from VPNaaS
+ ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 1)
 # Set nf_conntrack_tcp_loose to 0 to ensure mid-stream
 # TCP conversations aren't taken over by SNAT
 cmd = ['net.netfilter.nf_conntrack_tcp_loose=0']
diff --git a/neutron/agent/l3/ha_router.py b/neutron/agent/l3/ha_router.py
index 222e1d1df36..40ddf7e6b24 100644
--- a/neutron/agent/l3/ha_router.py
+++ b/neutron/agent/l3/ha_router.py
@@ -51,9 +51,13 @@ THROTTLER_MULTIPLIER = 1.5
 class HaRouterNamespace(namespaces.RouterNamespace):
 """Namespace for HA router.
- This namespace sets the ip_nonlocal_bind to 0 for HA router namespaces.
- It does so to prevent sending gratuitous ARPs for interfaces that got VIP
- removed in the middle of processing.
+ This namespace sets the ip_nonlocal_bind to 1 for HA router namespaces.
+ It allows to setup applications on both routers simulteniously like
+ ipsec from VPNaaS which speed up theirs failover. And let failover work
+ for VPNaaS even when python is down.
+ It is safe to set ip_nonlocal_bind to 1 as we use keepalived > 1.2.20
+ and we do not set GARP from python code anymore. More details may be
+ found in related bug #1639315.
 It also disables ipv6 forwarding by default. Forwarding will be enabled during router configuration processing only for the primary node. It has to be disabled on all other nodes to avoid sending MLD packets
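Review bot: The new `ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 1)` runs for every SNAT namespace, while the replaced comment shows the setting was only relevant when the namespace "might be an HA router" and the new comment justifies it only for "HA mode". ip_nonlocal_bind=1 lets any process in the namespace bind and source traffic from addresses the namespace does not currently own, so the relaxation should either be gated on the router's HA flag, if SnatNamespace has access to it (not visible in this hunk), or the comment should say that it is intentionally unconditional and why. Suggested wording: `# ip_nonlocal_bind=1 for every SNAT namespace (HA or not): lets HA-mode services such as VPNaaS ipsec bind the VIP on the backup node; GARP for the VIP is keepalived's job, not this agent's`. The body of create() continues past the end of the hunk.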
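Review bot: The new docstring declares the setting "safe" because "we use keepalived > 1.2.20", but nothing in the hunk checks or enforces that version, so the safety argument rests on a deployment assumption, and the hazard the removed text described (gratuitous ARPs for a VIP that was removed mid-processing) is dropped entirely. Keep the hazard and state the dependency as an operator requirement, e.g. `Requires keepalived > 1.2.20, which owns GARP for the VIP; with an older keepalived a backup node with ip_nonlocal_bind=1 may advertise a VIP it no longer holds.` Also fix the wording: `simulteniously` → `simultaneously`, `speed up theirs failover` → `speeds up their failover`, `And let failover work` → `and lets failover work`. The HaRouterNamespace class body continues past the end of the hunk.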
@@ -61,8 +65,8 @@ class HaRouterNamespace(namespaces.RouterNamespace):
 """
 def create(self):
 super(HaRouterNamespace, self).create(ipv6_forwarding=False)
- # HA router namespaces should not have ip_nonlocal_bind enabled
- ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 0)
+ # HA router namespaces should have ip_nonlocal_bind enabled
+ ip_lib.set_ip_nonlocal_bind_for_namespace(self.name, 1)
 # Linux should not automatically assign link-local addr for HA routers
 # They are managed by keepalived
 ip_wrapper = ip_lib.IPWrapper(namespace=self.name)
diff --git a/neutron/tests/functional/agent/l3/test_dvr_router.py b/neutron/tests/functional/agent/l3/test_dvr_router.py
index 2573687f2be..ed99da0b22b 100644
--- a/neutron/tests/functional/agent/l3/test_dvr_router.py
+++ b/neutron/tests/functional/agent/l3/test_dvr_router.py
@@ -2228,7 +2228,7 @@ class TestDvrRouter(DvrRouterTestFramework, framework.L3AgentTestFramework):
 # here.
 src_machine.assert_no_ping(machine_diff_scope.ip)
- def test_dvr_snat_namespace_has_ip_nonlocal_bind_disabled(self):
+ def test_dvr_snat_namespace_has_ip_nonlocal_bind_enabled(self):
 self.agent.conf.agent_mode = 'dvr_snat'
 router_info = self.generate_dvr_router_info(
 enable_ha=True, enable_snat=True)
@@ -2243,7 +2243,7 @@ class TestDvrRouter(DvrRouterTestFramework, framework.L3AgentTestFramework):
 "This kernel doesn't support %s in network namespaces." % (
 ip_lib.IP_NONLOCAL_BIND))
 raise
- self.assertEqual(0, ip_nonlocal_bind_value)
+ self.assertEqual(1, ip_nonlocal_bind_value)
 def test_dvr_router_fip_namespace_routes(self):
 """Test to validate the floatingip namespace subnets routes."""
diff --git a/neutron/tests/functional/agent/l3/test_ha_router.py b/neutron/tests/functional/agent/l3/test_ha_router.py
index 710025c7f2c..3dc31878879 100644
--- a/neutron/tests/functional/agent/l3/test_ha_router.py
+++ b/neutron/tests/functional/agent/l3/test_ha_router.py
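Review bot: The added comment `# HA router namespaces should have ip_nonlocal_bind enabled` only restates the call beneath it and loses the "why" that the removed comment and the old docstring carried. A reader of create() should see the security trade-off at the point where the sysctl is relaxed, e.g. `# ip_nonlocal_bind=1 lets HA-mode services (e.g. VPNaaS ipsec) bind the VIP on the backup node before failover; GARP for the VIP is keepalived's job, see class docstring`. create() continues past the end of the hunk.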
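Review bot: The renamed `test_dvr_snat_namespace_has_ip_nonlocal_bind_enabled` still only builds the router with `enable_ha=True`, so the dvr_snat path for a non-HA router has no coverage for the new value, even though the dvr_snat_ns.py hunk above appears to set ip_nonlocal_bind=1 regardless of HA. Add a sibling test with `enable_ha=False, enable_snat=True` that asserts whichever value is intended for non-HA SNAT namespaces, so a later decision to gate the sysctl on HA is pinned either way. The test body continues in the next hunk.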
@@ -337,7 +337,7 @@ class L3HATestCase(framework.L3AgentTestFramework):
 self.agent._process_updated_router(router1.router)
 self.wait_until_ha_router_has_state(router1, 'primary')
- def test_ha_router_namespace_has_ip_nonlocal_bind_disabled(self):
+ def test_ha_router_namespace_has_ip_nonlocal_bind_enabled(self):
 router_info = self.generate_router_info(enable_ha=True)
 router = self.manage_router(self.agent, router_info)
 try:
@@ -350,7 +350,7 @@ class L3HATestCase(framework.L3AgentTestFramework):
 "This kernel doesn't support %s in network namespaces." % (
 ip_lib.IP_NONLOCAL_BIND))
 raise
- self.assertEqual(0, ip_nonlocal_bind_value)
+ self.assertEqual(1, ip_nonlocal_bind_value)
 @testtools.skipUnless(netutils.is_ipv6_enabled(), "IPv6 is not enabled")
 def test_ha_router_addr_gen_mode(self):