[ovs-dev] [PATCH v4 0/2] ALLOW Stateless NAT operations

Ankur Sharma ankur.sharma at nutanix.com
Fri Nov 1 20:31:53 UTC 2019


Hi Numan,

Thanks for applying the patches.
Sure, I have sent out the NEW entry changes.

Just noticed that Acked-by is missing in the commits.

Regards,
Ankur

From: Numan Siddique <numans at ovn.org>
Sent: Friday, November 1, 2019 9:51 AM
To: Ankur Sharma <ankur.sharma at nutanix.com>
Cc: ovs-dev at openvswitch.org
Subject: Re: [ovs-dev] [PATCH v4 0/2] ALLOW Stateless NAT operations


On Fri, Nov 1, 2019, 2:57 PM Numan Siddique <numans at ovn.org> wrote:
On Fri, Nov 1, 2019 at 6:58 AM Ankur Sharma <ankur.sharma at nutanix.com> wrote:
>
> NAT implementation in OVN uses connection tracker to replace
> source and dest ips. This implementation works fine and
> is the right approach for cases where external ips are shared
> (i.e. SNAT) or where we replace ip only when relevant flow is there
> (i.e. DNAT).
>
> However, it opens the possibility of DoS attack, where attacker
> can easily simulate multiple 5 tuples, to consume the connection
> tracker entry in an OVN chassis. This way they can easily attain
> the CT limit, thereby impacting the usage of it by other features
> like valid NAT, ACL etc.
>
> This attack is even worse, when external ip is a public ip,
> i.e. internet routable ip.
>
> In this patch we are introducing an option with NAT table entry.
> Option "stateless=true" indicates that NAT implementation
> should not be using CT, i.e. it should not use ct_snat/dnat actions.
>
> Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
> will replace source and destination ips, while recalculating the
> checksums.
>
> This option is applicable only for the NAT rules which can be
> 1:1 mapped between inner and external ips, i.e. dnat_and_snat rule.
>
> Signed-off-by: Ankur Sharma <ankur.sharma at nutanix.com>

Thanks.

I applied this series to master.

Can you please submit a follow-up patch to add a news entry?

Numan


>
> Ankur Sharma (2):
>   OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
>   OVN: Use ip4.src and ip4.dst actions for NAT rules
>
>  northd/ovn-northd.8.xml   |  33 ++++-
>  northd/ovn-northd.c       |  84 +++++++++++--
>  ovn-nb.ovsschema          |   6 +-
>  ovn-nb.xml                |   5 +
>  tests/ovn-nbctl.at        |  37 ++++++
>  tests/ovn-northd.at       |  95 ++++++++++++++
>  tests/ovn.at              | 311 ++++++++++++++++++++++++++++++++++++++++++++++
>  utilities/ovn-nbctl.8.xml |  12 +-
>  utilities/ovn-nbctl.c     |  30 ++++-
>  9 files changed, 594 insertions(+), 19 deletions(-)
>
> --
> 1.8.3.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
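As an added illustration of the two points made in the cover letter above (one CT entry consumed per 5-tuple, and stateless 1:1 rewriting of ip4.src/ip4.dst with the checksum recomputed), here is example Python that is not OVN's code: a toy bounded connection tracker that fills up under a port-varying flood, next to a stateless dnat_and_snat rewrite that touches only the IPv4 header and keeps no per-flow state. The CT limit, the addresses and the packet bytes are constructed for the example. A real datapath also has to fix the TCP/UDP checksum, whose pseudo-header covers the addresses; that step is left out here.

```python
"""Added example (not OVN code): stateful NAT needs a CT entry per 5-tuple
and can be exhausted; a 1:1 stateless rewrite needs no table at all.
All limits, addresses and packet bytes below are constructed."""
import ipaddress
import struct
from typing import NamedTuple


class FiveTuple(NamedTuple):
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


class ConnTracker:
    """Toy CT table: one entry per 5-tuple, bounded like a real zone."""

    def __init__(self, limit: int):
        self.limit = limit
        self.table = {}  # FiveTuple -> external ip

    def ct_snat(self, ft: FiveTuple, external_ip: str) -> bool:
        """Admit the flow if it is known or the table still has room."""
        if ft in self.table:
            return True
        if len(self.table) >= self.limit:
            return False  # table full: new flow cannot be NATed
        self.table[ft] = external_ip
        return True


def flood_ct(limit: int, attacker_flows: int) -> dict:
    """Attacker varies only the source port; each variant costs one entry.
    Returns the table size and whether a later legitimate flow was admitted."""
    ct = ConnTracker(limit)
    for port in range(attacker_flows):  # constructed attacker traffic
        ct.ct_snat(FiveTuple(6, "203.0.113.9", 1024 + port, "192.0.2.10", 80), "192.0.2.10")
    victim = FiveTuple(6, "198.51.100.7", 40000, "192.0.2.10", 80)
    return {"entries": len(ct.table), "victim_admitted": ct.ct_snat(victim, "192.0.2.10")}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 20) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_valid(header: bytes) -> bool:
    return ipv4_checksum(header) == 0


def stateless_rewrite(header: bytes, new_src: str = None, new_dst: str = None) -> bytes:
    """What an ip4.src / ip4.dst style action does: overwrite the address
    fields and recompute the header checksum. No table is read or written."""
    hdr = bytearray(header)
    if new_src:
        hdr[12:16] = ipaddress.IPv4Address(new_src).packed
    if new_dst:
        hdr[16:20] = ipaddress.IPv4Address(new_dst).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def apply_dnat_and_snat(header: bytes, inner_ip: str, external_ip: str) -> bytes:
    """1:1 dnat_and_snat without CT. Outbound (src == inner) is SNATed to the
    external ip; inbound (dst == external) is DNATed to the inner ip. Both
    directions work from the rule alone because the mapping is bijective."""
    src = str(ipaddress.IPv4Address(header[12:16]))
    dst = str(ipaddress.IPv4Address(header[16:20]))
    if src == inner_ip:
        return stateless_rewrite(header, new_src=external_ip)
    if dst == external_ip:
        return stateless_rewrite(header, new_dst=inner_ip)
    return header
```

Running `flood_ct(1000, 1000)` fills the toy table and the following legitimate flow is refused, which is the exhaustion the cover letter describes; `apply_dnat_and_snat` handles the same packets with nothing to exhaust, but only because the rule is a strict 1:1 mapping, which is why the option is limited to dnat_and_snat.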

