[ovs-dev] [PATCH] ovn: Allow IP packets destined to router ip for SNAT
Chandra Sekhar Vejendla
csvejend at us.ibm.com
Wed Jun 22 17:15:38 UTC 2016
Hi Guru,
I am fine with the changes. You can go ahead and apply them.
Thanks,
Chandra
Guru Shetty <guru at ovn.org> wrote on 06/22/2016 09:39:17 AM:
> From: Guru Shetty <guru at ovn.org>
> To: Chandra Sekhar Vejendla/San Jose/IBM at IBMUS
> Cc: ovs dev <dev at openvswitch.org>
> Date: 06/22/2016 09:39 AM
> Subject: Re: [ovs-dev] [PATCH] ovn: Allow IP packets destined to
> router ip for SNAT
>
> On 21 June 2016 at 18:36, Chandra S Vejendla <csvejend at us.ibm.com> wrote:
> By default all the ip traffic destined to router ip is dropped in
> lr_in_ip_input stage. When the router ip is used as snat ip, allow
> reverse snat traffic destined to the router ip.
>
> Signed-off-by: Chandra Sekhar Vejendla <csvejend at us.ibm.com>
>
> Thank you for the fix! This needs an update to ovn-northd.8.xml. If
> you are happy with the following incremental which does that (and
> also adds your name to AUTHORS and makes a couple of stylistic
> changes), I will apply it.
>
> diff --git a/AUTHORS b/AUTHORS
> index e2ac267..c39fdd3 100644
> --- a/AUTHORS
> +++ b/AUTHORS
> @@ -39,6 +39,7 @@ Bruce Davie bsd at nicira.com
> Bryan Phillippe bp at toroki.com
> Carlo Andreotti c.andreotti at m3s.it
> Casey Barker crbarker at google.com
> +Chandra Sekhar Vejendla csvejend at us.ibm.com
> Christoph Jaeger cj at linux.com
> Chris Wright chrisw at sous-sol.org
> Chuck Short zulcss at ubuntu.com
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index 22edba9..6d52f7e 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -631,7 +631,10 @@ output;
> handled by one of the flows above, which amounts to ICMP (other
than
> echo requests) and fragments with nonzero offsets. For
> each IP address
> <var>A</var> owned by the router, a priority-60 flow matches
> - <code>ip4.dst == <var>A</var></code> and drops the traffic.
> + <code>ip4.dst == <var>A</var></code> and drops the traffic. An
> + exception is made and the above flow is not added if the router
> + port's own IP address is used to SNAT packets passing through
that
> + router.
> </li>
> </ul>
>
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 6ff303e..1599e18 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -2047,9 +2047,9 @@ build_lrouter_flows(struct hmap *datapaths,
> struct hmap *ports,
> }
>
> /* Drop IP traffic to this router, unless the router ip is used
as
> - * snat ip. */
> + * SNAT ip. */
> bool snat_ip_is_router_ip = false;
> - for (int i = 0; i < op->od->nbr->n_nat && !
> snat_ip_is_router_ip; i++) {
> + for (int i = 0; i < op->od->nbr->n_nat; i++) {
> const struct nbrec_nat *nat;
> ovs_be32 ip;
>
> @@ -2057,14 +2057,17 @@ build_lrouter_flows(struct hmap *datapaths,
> struct hmap *ports,
> if (strcmp(nat->type, "snat")) {
> continue;
> }
> +
> if (!ip_parse(nat->external_ip, &ip) || !ip) {
> static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 1);
> VLOG_WARN_RL(&rl, "bad ip address %s in snat
configuration "
> "for router %s", nat->external_ip, op->key);
> continue;
> }
> +
> if (ip == op->ip) {
> snat_ip_is_router_ip = true;
> + break;
> }
> }
>
>
> ---
> ovn/northd/ovn-northd.c | 33 ++++++++++++++++++++++++++++-----
> 1 file changed, 28 insertions(+), 5 deletions(-)
>
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 17713ec..6ff303e 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -2046,11 +2046,34 @@ build_lrouter_flows(struct hmap *datapaths,
> struct hmap *ports,
> free(actions);
> }
>
> - /* Drop IP traffic to this router. */
> - match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip));
> - ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60,
> - match, "drop;");
> - free(match);
> + /* Drop IP traffic to this router, unless the router ip is used
as
> + * snat ip. */
> + bool snat_ip_is_router_ip = false;
> + for (int i = 0; i < op->od->nbr->n_nat && !
> snat_ip_is_router_ip; i++) {
> + const struct nbrec_nat *nat;
> + ovs_be32 ip;
> +
> + nat = op->od->nbr->nat[i];
> + if (strcmp(nat->type, "snat")) {
> + continue;
> + }
> + if (!ip_parse(nat->external_ip, &ip) || !ip) {
> + static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 1);
> + VLOG_WARN_RL(&rl, "bad ip address %s in snat
configuration "
> + "for router %s", nat->external_ip, op->key);
> + continue;
> + }
> + if (ip == op->ip) {
> + snat_ip_is_router_ip = true;
> + }
> + }
> +
> + if (!snat_ip_is_router_ip) {
> + match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip));
> + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60,
match,
> + "drop;");
> + free(match);
> + }
> }
>
> /* NAT in Gateway routers. */
> --
> 2.6.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
More information about the dev
mailing list