[ovs-dev] OVS/OVN: conntrack nat

Chandra Vejendla chandra.vejendla at gmail.com
Thu Jan 28 23:27:49 UTC 2016


Hi Jarno,

On my simple OVS setup I set up flows to do DNAT with recirculation and the
flows match on the DNAT IP.

I tried to do the same on my OVN setup, but the flows don't match the DNAT
IP. The flows below try to match the DST NAT IP network and accordingly
route the packet, but the flows are matching on the original DST IP of the
packet.

Is there something I am missing here?

 cookie=0x0, duration=419.960s, table=16, n_packets=10, n_bytes=980,
idle_age=374, priority=60,reg6=0x1,ip,metadata=0x3,dl_dst=fa:16:3e:25:26:49
actions=ct(commit,table=17,nat(dst=10.0.0.99))

 cookie=0x0, duration=559.343s, table=17, n_packets=17, n_bytes=1533,
idle_age=374, priority=0,metadata=0x3 actions=resubmit(,18)

 cookie=0x0, duration=559.343s, table=18, n_packets=10, n_bytes=980,
idle_age=374, priority=24,ip,metadata=0x3,nw_dst=172.16.0.0/24
actions=dec_ttl(),move:NXM_OF_IP_DST[]->NXM_NX_REG0[],resubmit(,19)

 cookie=0x0, duration=557.831s, table=18, n_packets=0, n_bytes=98,
idle_age=534, priority=24,ip,metadata=0x3,nw_dst=10.0.0.0/24
actions=dec_ttl(),move:NXM_OF_IP_DST[]->NXM_NX_REG0[],resubmit(,19)


Thanks,
Chandra

On Wed, Jan 27, 2016 at 11:34 AM, Jarno Rajahalme <jarno at ovn.org> wrote:

>
> On Jan 26, 2016, at 10:25 PM, Chandra Vejendla <chandra.vejendla at gmail.com>
> wrote:
>
> Hi Jarno,
>
> We are trying to install openflow rules to get floating-ips working in OVN
> and have a question about DNAT action.
>
> When a DNAT action is committed, at what stage is the packet's DIP actually
> modified? If there are rules in the pipeline after the DNAT action that try
> to match on the new DNAT address, those rules don't seem to match the
> packet.
>
>
> Any CT/NAT modifications are done only when the CT action is executed by
> the datapath. If the rest of the OpenFlow pipeline needs to match on those
> changed fields, you will need to recirculate instead of resubmit. That is
> done by adding a “table=1” parameter to the CT action.
>
>   Jarno
>
> In a simple setup with the following rules, the packets always match the 3rd
> rule. Is there a way to match on the DNAT IP after a DNAT action is
> committed?
>
> cookie=0x0, duration=726.320s, table=0, n_packets=2, n_bytes=196,
> idle_age=613, ip,in_port=1
> actions=ct(commit,zone=1,nat(dst=10.1.1.2)),resubmit(,1)
> cookie=0x0, duration=674.391s, table=1, n_packets=0, n_bytes=0,
> idle_age=674, priority=100,ip,nw_dst=10.1.1.2 actions=output:2
> cookie=0x0, duration=664.212s, table=1, n_packets=2, n_bytes=196,
> idle_age=613, priority=50,ip,nw_dst=10.1.1.64 actions=output:2
>
> The use case we are trying to solve is to be able to look at the DNAT IP
> of a packet from a public network -> a floating IP and accordingly route
> the packet based on the virtual network the DNAT IP belongs to.
>
> Thanks,
> Chandra
>
>
>
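
Added example, not part of the original messages and not OVS code: a small Python lint over ovs-ofctl-style flow lines that flags ct() actions doing NAT without a table= parameter and lists the resubmit targets that match on nw_src/nw_dst, the situation the quoted reply describes. The sample flows are the ones quoted in the thread with counters stripped; the function names are hypothetical.

```python
import re

# Flows quoted in the thread, counters stripped; the last one is the OVN flow.
FLOWS = """\
table=0, ip,in_port=1 actions=ct(commit,zone=1,nat(dst=10.1.1.2)),resubmit(,1)
table=1, priority=100,ip,nw_dst=10.1.1.2 actions=output:2
table=1, priority=50,ip,nw_dst=10.1.1.64 actions=output:2
table=16, priority=60,ip,metadata=0x3 actions=ct(commit,table=17,nat(dst=10.0.0.99))
"""

def ct_calls(actions):
    """Yield the top-level argument list of each ct(...) in an action string."""
    for m in re.finditer(r"(?<![\w.])ct\(", actions):
        depth, args, cur = 1, [], ""
        for ch in actions[m.end():]:
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
            if ch == "," and depth == 1:
                args.append(cur)
                cur = ""
            else:
                cur += ch
        yield args + [cur]

def parse(dump):
    """Return (table, match, actions) for every flow line; table defaults to 0."""
    flows = []
    for line in dump.splitlines():
        if "actions=" in line:
            match, actions = line.split("actions=", 1)
            m = re.search(r"\btable=(\d+)", match)
            flows.append((int(m.group(1)) if m else 0, match, actions))
    return flows

def nat_without_recirc(dump):
    """Return (table, [resubmit targets matching on nw_src/nw_dst]) for each
    ct() that NATs without table=, i.e. without recirculation."""
    flows, findings = parse(dump), []
    for table, _, actions in flows:
        for args in ct_calls(actions):
            if not any(a.startswith("nat") for a in args):
                continue
            if any(a.startswith("table=") for a in args):
                continue  # recirculates, as the quoted reply recommends
            targets = {int(t) for t in re.findall(r"resubmit\([^,)]*,(\d+)\)", actions)}
            stale = sorted({t for t, match, _ in flows
                            if t in targets and re.search(r"\bnw_(src|dst)=", match)})
            findings.append((table, stale))
    return findings

if __name__ == "__main__":
    print(nat_without_recirc(FLOWS))
```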


