<div dir="ltr"><span style="font-size:12.8px">Hi Aaron</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">I tried the first approach and it is not working.</div><div style="font-size:12.8px"><div>i am able to receive the packet from LAN to veth1 but no more further</div><div>So it seems iptables not applying within netns "test"</div></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Please advise</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Thanks</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 25, 2017 at 10:43 PM, akshay6 agarwal <span dir="ltr"><<a href="mailto:akshayagarwal2014@gmail.com" target="_blank">akshayagarwal2014@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi Aaron</div><div><br></div><div>Thanks</div><div>I see there are 2 approaches as mentioned by you</div><div> </div><div>1. Regarding the first I assume u mean creating another netns and creating peers between ethwan1 and veth1</div><div>Say we have another netns lying outside ovs whose one interface (say veth1 lying inside netns test) is linked to ovs internal wan interface(say ethwan1)</div><div><br></div><div><br></div><div>ip link add ethwan1 type veth peer name veth1</div><div>ip link set veth1 netns test</div><div><br></div><div>And I assume in this test netns, I need to add my physical wan interface say eth2 too </div><div>ip link set eth2 netns test</div><div>So we have 2 interfaces present in netns <b>test</b> , one of which (veth1) is connected to ovs ethwan1.</div><div>And then I need to apply iptables between veth1 and eth2 using </div><div>#sudo ip netns exec myns1 iptables ... </div><div>Correct?</div><div>Please explain this part even if it is complicated .Also I assume veth1 and ethwan1 should be on same subnet</div><div><br></div><div>2. Regarding the second approach , I am not able to find proper ovs natting commands/docs for the same except some explanation<br></div><div><a href="http://openvswitch.org/support/ovscon2014/17/1030-conntrack_nat.pdf" target="_blank">http://openvswitch.org/<wbr>support/ovscon2014/17/1030-<wbr>conntrack_nat.pdf</a></div><div><br></div><div>In my scenario I want to achieve natting using ovs having lan interface as <a href="http://10.10.10.0/24" target="_blank">10.10.10.0/24</a> ( and one virtual lan interface as ethlan)</div><div>and single wan interface as <a href="http://11.11.11.11/32.(" target="_blank">11.11.11.11/32.(</a> and single wan virtual interface as ethwan1)</div><div>Both of the interfaces lie on ovs and traffic from host pc( multiple machines) needs to be natted via ovs</div><div>Can you let me know the specific command . In a way ,my objective is to achieve Dynamic NAT/PAT using ovs openflow commands?</div><div><br></div><div><br></div><div>Thanks</div><div><div class="h5"><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, May 25, 2017 at 8:33 PM, Aaron Conole <span dir="ltr"><<a href="mailto:aconole@redhat.com" target="_blank">aconole@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>akshay6 agarwal <<a href="mailto:akshayagarwal2014@gmail.com" target="_blank">akshayagarwal2014@gmail.com</a>> writes:<br>
<br>
> Hi All<br>
><br>
> My objective is to use fast failover using linux nat in OVS but before implementing that I am stuck in NAT<br>
> (ip tables) issue.<br>
><br>
> I have one ovs bridge with 2 lan interface ( 1 virtual interface (ethlan)and one physical interface(eth1.4))<br>
> Also added 2 wan virtual interfaces to ovs bridge(ethwan1 and ethwan2)<br>
><br>
> Below is the bridge configuration:<br>
><br>
> LAN SIDE:<br>
> ovs-vsctl add-port base ethlan tag=10 -- set interface ethlan type=internal<br>
> ovs-vsctl add-port base eth1.4 tag=10 (Actual physical lan interface)<br>
><br>
> WAN1 SIDE:<br>
><br>
> ovs-vsctl add-port base ethwan1 tag=20 -- set interface ethwan1 type=internal<br>
><br>
> WAN2 SIDE:<br>
><br>
> ovs-vsctl add-port base ethwan2 tag=30 -- set interface ethwan2 type=internal<br>
><br>
> IP addresss:<br>
> ethlan -> 192.168.10.2<br>
> ethwan1 -> 192.168.10.4<br>
> eth2-><a href="http://10.1.10.2/24" rel="noreferrer" target="_blank">10.1.10.2/24</a><br>
> eth3-><a href="http://10.1.20.2/24" rel="noreferrer" target="_blank">10.1.20.2/24</a><br>
><br>
> I have 2 wan physical interfaces i.e. eth2 and eth3. Both of these interfaces are lying outside the ovs<br>
><br>
> My linux nat iptables from ethwan1 to eth2 are not working .I am able to receive the packet from eth1.4<br>
> to ethwan1 but not further.<br>
<br>
</span>While Open vSwitch plugs into the netfilter framework, it does NOT plug<br>
into xtables. This means that the iptables commands are not (as a rule)<br>
executed as part of the datapath. You *can* create a hybrid setup where<br>
you have a virtual port (tap/tun devices or veth pairs connected to<br>
separate bridge or netns) which can be used to attach xtables<br>
processing. IMO, that is significantly more complication than you want<br>
in your life.<br>
<br>
Using just openvswitch, you can setup the requisite conntrack actions to<br>
commit and add any additional nat actions you would desire. Open<br>
vSwitch *is* integrated with generic netfilter, so all of the classic<br>
netfilter helpers are accessible, and conntrack tools will work just<br>
fine.<br>
<span><br>
> I am using below iptables:<br>
><br>
> # /sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE<br>
> # /sbin/iptables -A FORWARD -i eth2 -o ethwan1 -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
> # /sbin/iptables -A FORWARD -i ethwan1 -o eth2 -j ACCEPT<br>
><br>
> I am using below openflows:<br>
><br>
> 1. ovs-ofctl -O OpenFlow13 add-flow base cookie=50000,priority=50000,ac<wbr>tions=NORMAL<br>
><br>
> ->To forward traffic from ethlan to ethwan1<br>
> 2.ovs-ofctl -O OpenFlow13 add-flow base cookie=50001,priority=50001,ip<wbr>,in_port=1,actions=output:2<br>
><br>
> Please advise<br>
<br>
</span>Your normal flow processing won't work here.<br>
<br>
Please refer to the Open vSwitch conntrack and nat documentation.<br>
<br>
> Thanks<br>
> Akshay<br>
</blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>