[ovs-dev] [PATCH] ovn: Allow IP packets destined to router ip for SNAT

Chandra Sekhar Vejendla csvejend at us.ibm.com
Wed Jun 22 17:15:38 UTC 2016


Hi Guru,

I am fine with the changes. You can go ahead and apply them.

Thanks,
Chandra

Guru Shetty <guru at ovn.org> wrote on 06/22/2016 09:39:17 AM:

> From: Guru Shetty <guru at ovn.org>
> To: Chandra Sekhar Vejendla/San Jose/IBM at IBMUS
> Cc: ovs dev <dev at openvswitch.org>
> Date: 06/22/2016 09:39 AM
> Subject: Re: [ovs-dev] [PATCH] ovn: Allow IP packets destined to
> router ip for SNAT
>
> On 21 June 2016 at 18:36, Chandra S Vejendla <csvejend at us.ibm.com> wrote:
> By default all the ip traffic destined to router ip is dropped in
> lr_in_ip_input stage. When the router ip is used as snat ip, allow
> reverse snat traffic destined to the router ip.
>
> Signed-off-by: Chandra Sekhar Vejendla <csvejend at us.ibm.com>
>
> Thank you for the fix! This needs an update to ovn-northd.8.xml. If
> you are happy with the following incremental which does that (and
> also adds your name to AUTHORS and makes a couple of stylistic
> changes), I will apply it.
>
> diff --git a/AUTHORS b/AUTHORS
> index e2ac267..c39fdd3 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -39,6 +39,7 @@ Bruce Davie             bsd at nicira.com
>  Bryan Phillippe         bp at toroki.com
>  Carlo Andreotti         c.andreotti at m3s.it
>  Casey Barker            crbarker at google.com
> +Chandra Sekhar Vejendla csvejend at us.ibm.com
>  Christoph Jaeger        cj at linux.com
>  Chris Wright            chrisw at sous-sol.org
>  Chuck Short             zulcss at ubuntu.com
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index 22edba9..6d52f7e 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -631,7 +631,10 @@ output;
>          handled by one of the flows above, which amounts to ICMP (other
than
>          echo requests) and fragments with nonzero offsets.  For
> each IP address
>          <var>A</var> owned by the router, a priority-60 flow matches
> -        <code>ip4.dst == <var>A</var></code> and drops the traffic.
> +        <code>ip4.dst == <var>A</var></code> and drops the traffic.  An
> +        exception is made and the above flow is not added if the router
> +        port's own IP address is used to SNAT packets passing through
that
> +        router.
>        </li>
>      </ul>
>
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 6ff303e..1599e18 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -2047,9 +2047,9 @@ build_lrouter_flows(struct hmap *datapaths,
> struct hmap *ports,
>          }
>
>          /* Drop IP traffic to this router, unless the router ip is used
as
> -         * snat ip. */
> +         * SNAT ip. */
>          bool snat_ip_is_router_ip = false;
> -        for (int i = 0; i < op->od->nbr->n_nat && !
> snat_ip_is_router_ip; i++) {
> +        for (int i = 0; i < op->od->nbr->n_nat; i++) {
>              const struct nbrec_nat *nat;
>              ovs_be32 ip;
>
> @@ -2057,14 +2057,17 @@ build_lrouter_flows(struct hmap *datapaths,
> struct hmap *ports,
>              if (strcmp(nat->type, "snat")) {
>                  continue;
>              }
> +
>              if (!ip_parse(nat->external_ip, &ip) || !ip) {
>                  static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 1);
>                  VLOG_WARN_RL(&rl, "bad ip address %s in snat
configuration "
>                           "for router %s", nat->external_ip, op->key);
>                  continue;
>              }
> +
>              if (ip == op->ip) {
>                  snat_ip_is_router_ip = true;
> +                break;
>              }
>          }
>
>
> ---
>  ovn/northd/ovn-northd.c | 33 ++++++++++++++++++++++++++++-----
>  1 file changed, 28 insertions(+), 5 deletions(-)
>
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 17713ec..6ff303e 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -2046,11 +2046,34 @@ build_lrouter_flows(struct hmap *datapaths,
> struct hmap *ports,
>              free(actions);
>          }
>
> -        /* Drop IP traffic to this router. */
> -        match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip));
> -        ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60,
> -                      match, "drop;");
> -        free(match);
> +        /* Drop IP traffic to this router, unless the router ip is used
as
> +         * snat ip. */
> +        bool snat_ip_is_router_ip = false;
> +        for (int i = 0; i < op->od->nbr->n_nat && !
> snat_ip_is_router_ip; i++) {
> +            const struct nbrec_nat *nat;
> +            ovs_be32 ip;
> +
> +            nat = op->od->nbr->nat[i];
> +            if (strcmp(nat->type, "snat")) {
> +                continue;
> +            }
> +            if (!ip_parse(nat->external_ip, &ip) || !ip) {
> +                static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 1);
> +                VLOG_WARN_RL(&rl, "bad ip address %s in snat
configuration "
> +                         "for router %s", nat->external_ip, op->key);
> +                continue;
> +            }
> +            if (ip == op->ip) {
> +                snat_ip_is_router_ip = true;
> +            }
> +        }
> +
> +        if (!snat_ip_is_router_ip) {
> +            match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip));
> +            ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60,
match,
> +                          "drop;");
> +            free(match);
> +        }
>      }
>
>      /* NAT in Gateway routers. */
> --
> 2.6.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev



More information about the dev mailing list