We currently customize the Neutron python code to support our current ingress/egress NAT model, inherited from the old nova-network days.
With every openstack upgrade we need to forward-port these patches, which is error-prone and is not a proper long-term solution.
@JHedden suggested we should use address scopes instead, which seems to be the proper openstack neutron mechanism to handle this situation.
Things to take into account:
- preserving the same routing_source_ip address
- preserving a dmz_cidr-similar mechanism
Related docs:
- our current Neutron setup, ingress & egress: https://wikitech.wikimedia.org/wiki/Portal:Cloud_VPS/Admin/Neutron#Ingress_&_Egress
- openstack address scopes: https://docs.openstack.org/neutron/pike/admin/config-address-scopes.html and https://specs.openstack.org/openstack/neutron-specs/specs/liberty/address-scopes.html
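As an added illustration (not code from the task or from Neutron), a small Python model of the two behaviours that have to line up during the migration: the legacy nova-network rule (SNAT everything to routing_source_ip unless the destination is inside dmz_cidr) and the Neutron address-scope rule (no SNAT between subnets whose pools share an address scope, SNAT to the router gateway otherwise). The scope layout, CIDRs and addresses are constructed; the router's external gateway is pinned to the old routing_source_ip so the second requirement on the list is met.

```python
import ipaddress

# Constructed sample values; the real routing_source_ip and dmz_cidr are not on the page.
ROUTING_SOURCE_IP = "203.0.113.10"
DMZ_CIDRS = ["10.64.0.0/12", "172.16.0.0/21"]  # hypothetical dmz_cidr list

# Hypothetical address-scope layout: each subnet belongs to a subnet pool that
# carries an address scope; same scope on both ends means "routed, no SNAT".
SUBNET_SCOPES = {
    "172.16.0.0/21": "wmcs",       # VM network, pool in scope "wmcs"
    "10.64.0.0/12": "wmcs",        # service network that used to be listed in dmz_cidr
    "198.51.100.0/24": "public",   # external network behind the router gateway
}

def legacy_egress_source(src, dst):
    """nova-network style: SNAT to routing_source_ip unless dst is inside dmz_cidr."""
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in ipaddress.ip_network(c) for c in DMZ_CIDRS):
        return src  # routed, the VM's fixed IP is visible to the destination
    return ROUTING_SOURCE_IP

def scope_of(ip):
    """Address scope of the subnet containing ip, or None if no known subnet matches."""
    addr = ipaddress.ip_address(ip)
    for cidr, scope in SUBNET_SCOPES.items():
        if addr in ipaddress.ip_network(cidr):
            return scope
    return None

def scoped_egress_source(src, dst, gateway_ip=ROUTING_SOURCE_IP):
    """Address-scope model: same scope -> routed unchanged, otherwise SNAT to the
    router's external gateway IP (pinned here to the old routing_source_ip)."""
    s, d = scope_of(src), scope_of(dst)
    if s is not None and s == d:
        return src
    return gateway_ip

def policies_agree(flows):
    """True when both models choose the same source address for every (src, dst) flow."""
    return all(legacy_egress_source(s, d) == scoped_egress_source(s, d) for s, d in flows)

SAMPLE_FLOWS = [  # constructed flows covering the cases that matter for the migration
    ("172.16.1.5", "10.64.4.2"),     # VM -> internal service: dmz_cidr / same scope, no NAT
    ("172.16.1.5", "172.16.2.9"),    # VM -> VM: same scope, no NAT
    ("172.16.1.5", "8.8.8.8"),       # VM -> internet: SNAT to routing_source_ip
    ("172.16.1.5", "198.51.100.7"),  # VM -> "public" scope: SNAT
]
```

Running `policies_agree(SAMPLE_FLOWS)` returns True for this layout; a flow for which the two functions disagree points at a subnet that needs its pool moved into (or out of) the shared scope before the custom patches can be dropped.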