neutron

Add port forwarding from gateway to internal hosts

Registered by Jianing Yang on 2013-10-17

This BP virtually intends to implement a DNAT on routers. It enables outside to access internal hosts via different port on gateway IP.

Blueprint information

Status:: Complete

Approver:: None

Priority:: Undefined

Drafter:: Jianing Yang

Direction:: Needs approval

Assignee:: Jianing Yang

Definition:: Obsolete

Series goal:: None

Implementation:: Needs Code Review

Milestone target:: next

Started by: Jianing Yang on 2013-11-13

Completed by: Armando Migliaccio on 2015-12-08

Related branches

Related bugs

Sprints

Whiteboard

Dec-07-2015(armax): If someone is interested in pursuing it, this must be re-submitted according to guidelines defined in [1].

[1] http://docs.openstack.org/developer/neutron/policies/blueprints.html

---------------

4-Mar (markmcclain): Deferring to Juno

*Use Case

When users are lack of public ip addresses. This can help users to access their VMs by port forwarding SSH port to some other port on the l3 router.

*Implementation Method

Basically, It can be done by inserting iptables rules into qrouter's netns. Rules will be inserted into
neutron-l3-agent-snat / neutron-l3-agent-PREROUTING chain of the nat table. For instance,

ip netns exec qrouter-xxx iptables -t nat -A quantum-l3-agent-PREROUTING -p tcp/udp -d gateway_ip -j DNAT --to ip:port
ip netns exec qrouter-xxx iptables -t nat -A quantum-l3-agent-snat -p tcp/udp -s ip --sport port -j SNAT --to gateway_ip

*DB Model Spec

* router_id :: String(36), foreign ref to router.id
* protocol :: String(3), tcp/udp
* inside_addr :: String(15), ip address of the dest host in a private network
* inside_port :: Integer, port number of the dest host
* outside_port :: Integer, port number on the l3 router

note(jianingy): outside_addr is not required anymore as it can be derived from external gateway

*API Spec

Use have to submit a complete list of port forwarding rules by the following request,

POST /v2.0/routers/<router-uuid>
Accept: application/json

{
    "router": {
"portforwardings": [{
     "outside_port": "2222",
     "inside_addr": "10.0.0.3",
     "inside_port": "22",
     "protocol": "tcp"
}]
    }
}

*CLI Spec
* portforwarding-list
* portforwarding-create --rule outside_addr=x,outside_ip=p,inside_addr=y,inside_port=q
* portforwarding-delete --rule outside_addr=x,outside_ip=p,inside_addr=y,inside_port=q

*Additions

[liyingjun] Seems like this is duplicated with https://blueprints.launchpad.net/neutron/+spec/access-vms-via-port-mapping

Is it possible to add a scheduler to auto select the router? in that case we don't need to specify the router_id when creating new port forwarding

[jianingy] for now, I think we can focus on the basic functionalities. I think we could propose another BP to improve this one later.

[gongysh] the idea from liyingjun to auto select router is reasonable.

Gerrit topic: https://review.openstack.org/#q,topic:bp/router-port-forwarding,n,z

Addressed by: https://review.openstack.org/60512
Implement basic functionalities for port forwarding

Addressed by: https://review.openstack.org/167165
Initial commit of the specs of a port-forwarding extension for the neutron router.

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Alexander Volkov

Bao Nguyen

Carl Baldwin

Chen Xin Jiang

Daniel Aquino

Davide Michelino

Dong Liu

fangzhen

Ihar Hrachyshka

Liyingjun

Marco Alfano

Pellaeon Lin

Roberto Vela

Sean M. Collins

Sylvain Afchain

yong sheng gong

Yves-Gwenael Bourhis