[ovs-dev] [PATCH 2/3] ovn: Ability to skip some IP addresses for SNAT.
Manoj Sharma
manoj.sharma at nutanix.com
Mon Jun 19 19:16:33 UTC 2017
Hi Guru,
It looked very useful patch. Do you plan to commit it into main?
Was there any reason to not merge it so far?
Regards
- Manoj
On 11/3/16, 3:46 AM, "dev on behalf of Gurucharan Shetty" <dev-bounces at openvswitch.org on behalf of guru at ovn.org> wrote:
>We currently have the ability to add a large network to
>match on the source IP address of a packet and then SNAT
>it to a external_ip. For e.g. one could add a SNAT rule
>that SNATs all packets with source IP address of
>"0.0.0.0/0" to 10.1.1.10.
>
>It is useful to make a small subnet to pass-through without
>any SNAT done on it. For e.g a subnet that is routable in
>the external network. This commit adds a "nosnat" option
>to the NAT table.
>
>Signed-off-by: Gurucharan Shetty <guru at ovn.org>
>---
> ovn/northd/ovn-northd.8.xml | 8 ++++++++
> ovn/northd/ovn-northd.c | 38 ++++++++++++++++++++++++++++----------
> ovn/ovn-nb.ovsschema | 5 +++--
> ovn/ovn-nb.xml | 7 +++++++
> tests/system-ovn.at | 17 +++++++++++++++++
> 5 files changed, 63 insertions(+), 12 deletions(-)
>
>diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
>index df53d4c..b406db6 100644
>--- a/ovn/northd/ovn-northd.8.xml
>+++ b/ovn/northd/ovn-northd.8.xml
>@@ -1434,6 +1434,14 @@ arp {
> <li>
> <p>
> For each configuration in the OVN Northbound database, that asks
>+ NOT to change the source IP address of a packet with address
>+ <var>A</var> or NOT to change the source IP address of a packet that
>+ belongs to network <var>A</var>, a priority-100 flow with a match of
>+ <code>ip && ip4.src == <var>A</var></code> and an action of
>+ <code>next;</code>.
>+ </p>
>+ <p>
>+ For each configuration in the OVN Northbound database, that asks
> to change the source IP address of a packet from an IP address of
> <var>A</var> or to change the source IP address of a packet that
> belongs to network <var>A</var> to <var>B</var>, a flow matches
>diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
>index 07c7b2d..86504aa 100644
>--- a/ovn/northd/ovn-northd.c
>+++ b/ovn/northd/ovn-northd.c
>@@ -3680,6 +3680,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
>
> nat = op->od->nbr->nat[i];
>
>+ if (!strcmp(nat->type, "nosnat")) {
>+ continue;
>+ }
>+
> ovs_be32 ip;
> if (!ip_parse(nat->external_ip, &ip) || !ip) {
> static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);
>@@ -3920,19 +3924,24 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
>
> ovs_be32 ip, mask;
>
>- char *error = ip_parse_masked(nat->external_ip, &ip, &mask);
>- if (error || mask != OVS_BE32_MAX) {
>- static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1);
>- VLOG_WARN_RL(&rl, "bad external ip %s for nat",
>- nat->external_ip);
>- free(error);
>- continue;
>+ if (strcmp(nat->type, "nosnat")) {
>+ /* "nosnat" cases do not have a 'external_ip'. Every other
>+ * case should have a valid 'external_ip'. */
>+ char *error = ip_parse_masked(nat->external_ip, &ip, &mask);
>+ if (error || mask != OVS_BE32_MAX) {
>+ static struct vlog_rate_limit rl
>+ = VLOG_RATE_LIMIT_INIT(5, 1);
>+ VLOG_WARN_RL(&rl, "bad external ip %s for nat",
>+ nat->external_ip);
>+ free(error);
>+ continue;
>+ }
> }
>
> /* Check the validity of nat->logical_ip. 'logical_ip' can
>- * be a subnet when the type is "snat". */
>- error = ip_parse_masked(nat->logical_ip, &ip, &mask);
>- if (!strcmp(nat->type, "snat")) {
>+ * be a subnet when the type is "snat" or "nosnat". */
>+ char *error = ip_parse_masked(nat->logical_ip, &ip, &mask);
>+ if (!strcmp(nat->type, "snat") || !strcmp(nat->type, "nosnat")) {
> if (error) {
> static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 1);
>@@ -3987,6 +3996,15 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
> ds_cstr(&match), ds_cstr(&actions));
> }
>
>+ /* Egress SNAT table: Skip packets that have a specific 'nosnat'
>+ * rule. */
>+ if (!strcmp(nat->type, "nosnat")) {
>+ ds_clear(&match);
>+ ds_put_format(&match, "ip && ip4.src == %s", nat->logical_ip);
>+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 100,
>+ ds_cstr(&match), "next;");
>+ }
>+
> /* Egress SNAT table: Packets enter the egress pipeline with
> * source ip address that needs to be SNATted to a external ip
> * address. */
>diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
>index 65f2d7c..8cfc8a6 100644
>--- a/ovn/ovn-nb.ovsschema
>+++ b/ovn/ovn-nb.ovsschema
>@@ -1,7 +1,7 @@
> {
> "name": "OVN_Northbound",
>- "version": "5.4.1",
>- "cksum": "3773248894 11490",
>+ "version": "5.4.2",
>+ "cksum": "3390487716 11561",
> "tables": {
> "NB_Global": {
> "columns": {
>@@ -210,6 +210,7 @@
> "type": {"type": {"key": {"type": "string",
> "enum": ["set", ["dnat",
> "snat",
>+ "nosnat",
> "dnat_and_snat"
> ]]}}}},
> "isRoot": false},
>diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
>index 7626551..e16e1c2 100644
>--- a/ovn/ovn-nb.xml
>+++ b/ovn/ovn-nb.xml
>@@ -1155,6 +1155,13 @@
> <ref column="external_ip"/>.
> </li>
> <li>
>+ When <ref column="type"/> is <code>nosnat</code>, IP packets
>+ with their source IP address that either matches the IP address
>+ in <ref column="logical_ip"/> or is in the network provided by
>+ <ref column="logical_ip"/> is not SNATed and is allowed to
>+ pass-through.
>+ </li>
>+ <li>
> When <ref column="type"/> is <code>dnat_and_snat</code>, the
> externally visible IP address <ref column="external_ip"/> is
> DNATted to the IP address <ref column="logical_ip"/> in the
>diff --git a/tests/system-ovn.at b/tests/system-ovn.at
>index 21226d9..d627f76 100644
>--- a/tests/system-ovn.at
>+++ b/tests/system-ovn.at
>@@ -263,6 +263,23 @@ sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
> icmp,orig=(src=192.168.1.2,dst=172.16.1.2,id=<cleared>,type=8,code=0),reply=(src=172.16.1.2,dst=172.16.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
> ])
>
>+ovs-appctl dpctl/flush-conntrack
>+
>+# Add a "nosnat" rule.
>+ovn-nbctl -- --id=@nat create nat type="nosnat" logical_ip=192.168.1.0/24 \
>+ -- add logical_router R2 nat @nat
>+
>+# South-North NOSNAT: 'foo1' pings 'alice1'. 'alice1' receives traffic
>+# from 192.168.1.2 (i.e without NAT)
>+NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 172.16.1.2 | FORMAT_PING], \
>+[0], [dnl
>+3 packets transmitted, 3 received, 0% packet loss, time 0ms
>+])
>+
>+# We verify that SNAT did not happen via 'dump-conntrack' command.
>+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.1.1)], [0], [dnl
>+])
>+
> OVS_APP_EXIT_AND_WAIT([ovn-controller])
>
> as ovn-sb
>--
>1.9.1
>
>_______________________________________________
>dev mailing list
>dev at openvswitch.org
>http://openvswitch.org/mailman/listinfo/dev
More information about the dev
mailing list