[ovs-dev] [PATCH 2/3] ovn: Ability to skip some IP addresses for SNAT.

Guru Shetty guru at ovn.org
Mon Jun 19 20:04:44 UTC 2017


On 19 June 2017 at 12:16, Manoj Sharma <manoj.sharma at nutanix.com> wrote:

> Hi Guru,
>
> It looked very useful patch. Do you plan to commit it into main?
> Was there any reason to not merge it so far?
>

Is there a use case for which you want to use it? What is the use case?
This is an old patch and if you think it is useful, please consider
spending some time rebasing it to the current master and running all the
system tests to make sure that it does not introduce any regression.


>
>
> Regards
> - Manoj
>
>
> On 11/3/16, 3:46 AM, "dev on behalf of Gurucharan Shetty" <
> dev-bounces at openvswitch.org on behalf of guru at ovn.org> wrote:
>
> >We currently have the ability to add a large network to
> >match on the source IP address of a packet and then SNAT
> >it to a external_ip.  For e.g. one could add a SNAT rule
> >that SNATs all packets with source IP address of
> >"0.0.0.0/0" to 10.1.1.10.
> >
> >It is useful to make a small subnet to pass-through without
> >any SNAT done on it. For e.g a subnet that is routable in
> >the external network. This commit adds a "nosnat" option
> >to the NAT table.
> >
> >Signed-off-by: Gurucharan Shetty <guru at ovn.org>
> >---
> > ovn/northd/ovn-northd.8.xml |  8 ++++++++
> > ovn/northd/ovn-northd.c     | 38 ++++++++++++++++++++++++++++----------
> > ovn/ovn-nb.ovsschema        |  5 +++--
> > ovn/ovn-nb.xml              |  7 +++++++
> > tests/system-ovn.at         | 17 +++++++++++++++++
> > 5 files changed, 63 insertions(+), 12 deletions(-)
> >
> >diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> >index df53d4c..b406db6 100644
> >--- a/ovn/northd/ovn-northd.8.xml
> >+++ b/ovn/northd/ovn-northd.8.xml
> >@@ -1434,6 +1434,14 @@ arp {
> >       <li>
> >         <p>
> >           For each configuration in the OVN Northbound database, that
> asks
> >+          NOT to change the source IP address of a packet with address
> >+          <var>A</var> or NOT to change the source IP address of a
> packet that
> >+          belongs to network <var>A</var>, a priority-100 flow with a
> match of
> >+          <code>ip &amp;&amp; ip4.src == <var>A</var></code> and an
> action of
> >+          <code>next;</code>.
> >+        </p>
> >+        <p>
> >+          For each configuration in the OVN Northbound database, that
> asks
> >           to change the source IP address of a packet from an IP address
> of
> >           <var>A</var> or to change the source IP address of a packet
> that
> >           belongs to network <var>A</var> to <var>B</var>, a flow matches
> >diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> >index 07c7b2d..86504aa 100644
> >--- a/ovn/northd/ovn-northd.c
> >+++ b/ovn/northd/ovn-northd.c
> >@@ -3680,6 +3680,10 @@ build_lrouter_flows(struct hmap *datapaths, struct
> hmap *ports,
> >
> >             nat = op->od->nbr->nat[i];
> >
> >+            if (!strcmp(nat->type, "nosnat")) {
> >+                continue;
> >+            }
> >+
> >             ovs_be32 ip;
> >             if (!ip_parse(nat->external_ip, &ip) || !ip) {
> >                 static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 1);
> >@@ -3920,19 +3924,24 @@ build_lrouter_flows(struct hmap *datapaths,
> struct hmap *ports,
> >
> >             ovs_be32 ip, mask;
> >
> >-            char *error = ip_parse_masked(nat->external_ip, &ip, &mask);
> >-            if (error || mask != OVS_BE32_MAX) {
> >-                static struct vlog_rate_limit rl =
> VLOG_RATE_LIMIT_INIT(5, 1);
> >-                VLOG_WARN_RL(&rl, "bad external ip %s for nat",
> >-                             nat->external_ip);
> >-                free(error);
> >-                continue;
> >+            if (strcmp(nat->type, "nosnat")) {
> >+                /* "nosnat" cases do not have a 'external_ip'.  Every
> other
> >+                 * case should have a valid 'external_ip'. */
> >+                char *error = ip_parse_masked(nat->external_ip, &ip,
> &mask);
> >+                if (error || mask != OVS_BE32_MAX) {
> >+                    static struct vlog_rate_limit rl
> >+                            = VLOG_RATE_LIMIT_INIT(5, 1);
> >+                    VLOG_WARN_RL(&rl, "bad external ip %s for nat",
> >+                                 nat->external_ip);
> >+                    free(error);
> >+                    continue;
> >+                }
> >             }
> >
> >             /* Check the validity of nat->logical_ip. 'logical_ip' can
> >-             * be a subnet when the type is "snat". */
> >-            error = ip_parse_masked(nat->logical_ip, &ip, &mask);
> >-            if (!strcmp(nat->type, "snat")) {
> >+             * be a subnet when the type is "snat" or "nosnat". */
> >+            char *error = ip_parse_masked(nat->logical_ip, &ip, &mask);
> >+            if (!strcmp(nat->type, "snat") || !strcmp(nat->type,
> "nosnat")) {
> >                 if (error) {
> >                     static struct vlog_rate_limit rl =
> >                         VLOG_RATE_LIMIT_INIT(5, 1);
> >@@ -3987,6 +3996,15 @@ build_lrouter_flows(struct hmap *datapaths, struct
> hmap *ports,
> >                               ds_cstr(&match), ds_cstr(&actions));
> >             }
> >
> >+            /* Egress SNAT table: Skip packets that have a specific
> 'nosnat'
> >+             * rule. */
> >+            if (!strcmp(nat->type, "nosnat")) {
> >+                ds_clear(&match);
> >+                ds_put_format(&match, "ip && ip4.src == %s",
> nat->logical_ip);
> >+                ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 100,
> >+                              ds_cstr(&match), "next;");
> >+            }
> >+
> >             /* Egress SNAT table: Packets enter the egress pipeline with
> >              * source ip address that needs to be SNATted to a external
> ip
> >              * address. */
> >diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
> >index 65f2d7c..8cfc8a6 100644
> >--- a/ovn/ovn-nb.ovsschema
> >+++ b/ovn/ovn-nb.ovsschema
> >@@ -1,7 +1,7 @@
> > {
> >     "name": "OVN_Northbound",
> >-    "version": "5.4.1",
> >-    "cksum": "3773248894 11490",
> >+    "version": "5.4.2",
> >+    "cksum": "3390487716 11561",
> >     "tables": {
> >         "NB_Global": {
> >             "columns": {
> >@@ -210,6 +210,7 @@
> >                 "type": {"type": {"key": {"type": "string",
> >                                            "enum": ["set", ["dnat",
> >                                                              "snat",
> >+                                                             "nosnat",
> >
> "dnat_and_snat"
> >                                                                ]]}}}},
> >             "isRoot": false},
> >diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
> >index 7626551..e16e1c2 100644
> >--- a/ovn/ovn-nb.xml
> >+++ b/ovn/ovn-nb.xml
> >@@ -1155,6 +1155,13 @@
> >           <ref column="external_ip"/>.
> >         </li>
> >         <li>
> >+          When <ref column="type"/> is <code>nosnat</code>, IP packets
> >+          with their source IP address that either matches the IP address
> >+          in <ref column="logical_ip"/> or is in the network provided by
> >+          <ref column="logical_ip"/> is not SNATed and is allowed to
> >+          pass-through.
> >+        </li>
> >+        <li>
> >           When <ref column="type"/> is <code>dnat_and_snat</code>, the
> >           externally visible IP address <ref column="external_ip"/> is
> >           DNATted to the IP address <ref column="logical_ip"/> in the
> >diff --git a/tests/system-ovn.at b/tests/system-ovn.at
> >index 21226d9..d627f76 100644
> >--- a/tests/system-ovn.at
> >+++ b/tests/system-ovn.at
> >@@ -263,6 +263,23 @@ sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
> > icmp,orig=(src=192.168.1.2,dst=172.16.1.2,id=<cleared>,
> type=8,code=0),reply=(src=172.16.1.2,dst=172.16.1.1,id=<
> cleared>,type=0,code=0),zone=<cleared>
> > ])
> >
> >+ovs-appctl dpctl/flush-conntrack
> >+
> >+# Add a "nosnat" rule.
> >+ovn-nbctl -- --id=@nat create nat type="nosnat" logical_ip=
> 192.168.1.0/24 \
> >+     -- add logical_router R2 nat @nat
> >+
> >+# South-North NOSNAT: 'foo1' pings 'alice1'. 'alice1' receives traffic
> >+# from 192.168.1.2 (i.e without NAT)
> >+NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 172.16.1.2 |
> FORMAT_PING], \
> >+[0], [dnl
> >+3 packets transmitted, 3 received, 0% packet loss, time 0ms
> >+])
> >+
> >+# We verify that SNAT did not happen via 'dump-conntrack' command.
> >+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.1.1)], [0],
> [dnl
> >+])
> >+
> > OVS_APP_EXIT_AND_WAIT([ovn-controller])
> >
> > as ovn-sb
> >--
> >1.9.1
> >
> >_______________________________________________
> >dev mailing list
> >dev at openvswitch.org
> >http://openvswitch.org/mailman/listinfo/dev
>


More information about the dev mailing list