[ovs-dev] [PATCH 3/3] ovn-northd: SNAT in either direction of gateway router.

Guru Shetty guru.ovn at gmail.com
Fri Nov 4 01:06:12 UTC 2016 


> On Nov 3, 2016, at 4:34 PM, Mickey Spiegel <mickeys.dev at gmail.com> wrote:
> 
> Interesting problem. See comments inline.
> 
>> On Thu, Nov 3, 2016 at 3:46 AM, Gurucharan Shetty <guru at ovn.org> wrote:
>> 
>> When multiple gateway routers exist, a packet can
>> enter any gateway router. Once the packet reaches its
>> destination, its reverse direction should be via the
>> same gateway router.  This is achieved by doing a SNAT
>> of the packet in the inward direction (towards logical space)
>> with a IP address of the gateway router such that packet travels back
>> to the same gateway router.
>> 
>> The above means that you can have SNAT rules in the NB
>> database for both directions.  For e.g. if the logical
>> ip address are of the range 192.168.1.0/24, you will have
>> one SNAT rule to transform packet from 192.168.1.0/24 to
>> an external_ip and another SNAT rule to transform
>> "0.0.0.0/0" (all external initiated traffic) to a gateway_ip.
>> 
>> For a particular connection, we should do SNAT in only one
>> direction.
> 
> 
> In certain deployment scenarios, including the one you have
> mentioned, this might work. However, I wonder if this is really
> addressing the root of the problem, or latching on to a symptom
> specific to this deployment scenario.
> 
> It seems to me that the root of the problem has to do with
> three issues:
> 1. SNAT (and DNAT) rules should not apply to ct.rpl traffic,
>   instead only UNSNAT (and UNDNAT) rules should apply.
>   Conntrack can tell which traffic is reply traffic, but this would
>   require going through conntrack with recirc prior to SNAT.

Correct

> 2. If a stateful action such as DNAT or LB is taken on a
>   gateway router, such that it is necessary for the reverse
>   packet flow to come back to the same gateway router,
>   then there should be an SNAT action coupled with the
>   DNAT or LB action. If we could implement such composite
>   actions, then there would be no need for a general purpose
>   SNAT 0.0.0.0/0 catch all. Perhaps instead of SNAT
>   0.0.0.0/0, DNAT or LB could set a flag that indicates that
>   SNAT should be applied?

That is one option. But I could not think of a nice way to express it in nb database. The other option is to set it as an option in the gateway router itself.

> 3. Currently your gateway router has no sense of direction.
>   NAT rules are applied on all interfaces. In the scenario
>   described above, you really want the 192.168.1.0/24 SNAT
>   rule to apply to outward connections, while you want the
>   0.0.0.0/0 SNAT rule to apply to inward connections. Since
>   the gateway router has no sense of direction, both rules
>   are applied in both directions. Is there a way to introduce
>   a sense of direction to a gateway router?

It complicates deployment a bit. But can be given more thought.

> 
> And to do that in the pipeline, we check whether a packet
>> has already been SNATted and if it has a transformation, we should not
>> do it again.
> 
> I think this is a roundabout way of implementing 1 above. If all
> gateway router traffic is subject to SNAT, then reply traffic will
> always hit UNSNAT and so avoid the SNAT stage.

Right.

> 
> The question is whether a solution that requires all traffic to
> be subject to SNAT is acceptable, for deployment scenarios
> where SNAT rules have coarse enough IP address prefixes
> to catch traffic in both directions?

I did not understand the above point. Can you elaborate a bit.

> 
> Mickey
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev

More information about the dev mailing list