[ovs-dev] OVS/OVN: conntrack nat

Jarno Rajahalme jarno at ovn.org
Wed Jan 27 19:34:13 UTC 2016


> On Jan 26, 2016, at 10:25 PM, Chandra Vejendla <chandra.vejendla at gmail.com> wrote:
> 
> Hi Jarno,
> 
> We are trying to install openflow rules to get floating-ips working in OVN and have a question about DNAT action. 
> 
> When a DNAT action is committed, at what stage is the packet's DIP actually modified? If there are rules in the pipeline after the DNAT action that try to match on the new DNAT address, those rules don't seem to match the packet.
> 

Any CT/NAT modifications are done only when the CT action is executed by the datapath. If the rest of the OpenFlow pipeline needs to match on those changed fields, you will need to recirculate instead of resubmit. That is done by adding a “table=1” parameter to the CT action.

  Jarno

> In a simple setup with the following rules, the packets always match the 3rd rule. Is there a way to match on the DNAT IP after a DNAT action is committed?
> 
> cookie=0x0, duration=726.320s, table=0, n_packets=2, n_bytes=196, idle_age=613, ip,in_port=1 actions=ct(commit,zone=1,nat(dst=10.1.1.2)),resubmit(,1)
> cookie=0x0, duration=674.391s, table=1, n_packets=0, n_bytes=0, idle_age=674, priority=100,ip,nw_dst=10.1.1.2 actions=output:2
> cookie=0x0, duration=664.212s, table=1, n_packets=2, n_bytes=196, idle_age=613, priority=50,ip,nw_dst=10.1.1.64 actions=output:2
> 
> The use case we are trying to solve is to be able to look at the DNAT IP of a packet from a public network -> a floating IP and accordingly route the packet based on the virtual network the DNAT IP belongs to.
> 
> Thanks,
> Chandra
> 
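
Added example, not part of the original thread: a small Python check that parses ovs-ofctl dump-flows output and reports ct() actions that carry nat but no table=, followed by a resubmit into a table that matches on the translated address, which is the situation described above. The function names and RECIRC_FLOWS (the first flow rewritten with table=1 inside ct()) are assumptions made for illustration.

```python
import re

# The three flows quoted in the thread, and (constructed here) the same table 0
# flow with table=1 inside ct() instead of a trailing resubmit(,1).
THREAD_FLOWS = [
    "cookie=0x0, duration=726.320s, table=0, n_packets=2, n_bytes=196, idle_age=613, ip,in_port=1 actions=ct(commit,zone=1,nat(dst=10.1.1.2)),resubmit(,1)",
    "cookie=0x0, duration=674.391s, table=1, n_packets=0, n_bytes=0, idle_age=674, priority=100,ip,nw_dst=10.1.1.2 actions=output:2",
    "cookie=0x0, duration=664.212s, table=1, n_packets=2, n_bytes=196, idle_age=613, priority=50,ip,nw_dst=10.1.1.64 actions=output:2",
]
RECIRC_FLOWS = ["table=0, ip,in_port=1 actions=ct(commit,zone=1,nat(dst=10.1.1.2),table=1)"] + THREAD_FLOWS[1:]

def split_top(text):
    """Split on commas that sit outside any parentheses."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return parts + [cur.strip()] if cur.strip() else parts

def parse(line):
    match, actions = line.split(" actions=", 1)
    fields = [f.strip() for f in match.split(",") if f.strip()]
    table = next((int(f[6:]) for f in fields if f.startswith("table=")), 0)
    return table, fields, split_top(actions)

def pre_nat_matches(lines):
    """Return (ct table, resubmit table, match field) where the match sees the pre-NAT header."""
    flows = [parse(l) for l in lines]
    findings = []
    for table, _, actions in flows:
        for i, act in enumerate(actions):
            if not act.startswith("ct("):
                continue
            args = split_top(act[3:-1])
            nat = next((a for a in args if a.startswith("nat")), None)
            if nat is None or any(a.startswith("table=") for a in args):
                continue  # no NAT, or ct() recirculates and later tables see the new header
            dirs = re.findall(r"\b(src|dst)=", nat) or ["src", "dst"]
            for later in actions[i + 1:]:
                m = re.fullmatch(r"resubmit\([^,]*,(\d+)\)", later)
                for t, fields, _ in (flows if m else []):
                    hit = [f for f in fields for d in dirs if re.match(rf"(nw|ip)_{d}=", f)]
                    if t == int(m.group(1)) and hit:
                        findings.append((table, t, hit[0]))
    return findings
```

On the thread's flows this reports both table 1 nw_dst matches as evaluated against the untranslated destination; on the table=1 variant it reports nothing.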



