[ovs-dev] [PATCH v4 0/2] ALLOW Stateless NAT operations
Ankur Sharma
ankur.sharma at nutanix.com
Fri Nov 1 20:31:53 UTC 2019
Hi Numan,
Thanks for applying the patches.
Sure, I have sent out the NEW entry changes.
Just noticed that Acked-by is missing in the commits.
Regards,
Ankur
From: Numan Siddique <numans at ovn.org>
Sent: Friday, November 1, 2019 9:51 AM
To: Ankur Sharma <ankur.sharma at nutanix.com>
Cc: ovs-dev at openvswitch.org
Subject: Re: [ovs-dev] [PATCH v4 0/2] ALLOW Stateless NAT operations
On Fri, Nov 1, 2019, 2:57 PM Numan Siddique <numans at ovn.org<mailto:numans at ovn.org>> wrote:
On Fri, Nov 1, 2019 at 6:58 AM Ankur Sharma <ankur.sharma at nutanix.com<mailto:ankur.sharma at nutanix.com>> wrote:
>
> NAT implementation in OVN uses connection tracker to replace
> source and dest ips. This implementation works fine and
> is the right approach for cases where external ips are shared
> (i.e. SNAT) or where we replace ip only when relevant flow is there
> (i.e. DNAT).
>
> However, it opens the possibility of Dos Attack, where attacker
> can easily simluate multiple 5 tuples, to consume the connection
> tracker entry in an OVN chassis. This way they can easily attain
> the CT limit, there by impacting the usage of it by other features
> like valid NAT, ACL etc.
>
> This attack is even worse, when external ip is a public ip,
> i.e internet routable ip.
>
> In this patch we are introducing an option with NAT table entry.
> Option "stateless=true" indicates that NAT implmentation
> should not be using CT, i.e it should not use ct_snat/dnat actions.
>
> Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
> will replace source and destination ips, while recalculating the
> checksums.
>
> This option is applicable only for the NAT rules which can be
> 1:1 mapped between inner and external ips, i.e dnat_and_snat rule.
>
> Signed-off-by: Ankur Sharma <ankur.sharma at nutanix.com<mailto:ankur.sharma at nutanix.com>>
Thanks.
I applied this series to master.
Can you please submit a follow up patch to add a news entry ?
Numan
Numan
>
> Ankur Sharma (2):
> OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
> OVN: Use ip4.src and ip4.dst actions for NAT rules
>
> northd/ovn-northd.8.xml | 33 ++++-
> northd/ovn-northd.c | 84 +++++++++++--
> ovn-nb.ovsschema | 6 +-
> ovn-nb.xml | 5 +
> tests/ovn-nbctl.at [ovn-nbctl.at]<https://urldefense.proofpoint.com/v2/url?u=http-3A__ovn-2Dnbctl.at&d=DwMFaQ&c=s883GpUCOChKOHiocYtGcg&r=mZwX9gFQgeJHzTg-68aCJgsODyUEVsHGFOfL90J6MJY&m=YZ-yzLqDHYdnZtQchAxjJnIcVdF_Zeb0nIZ0cN4nB9Y&s=aO9sOuPuIT1Xl5-wYLhphXDat0tkD05LaGTeGNaXXX0&e=> | 37 ++++++
> tests/ovn-northd.at [ovn-northd.at]<https://urldefense.proofpoint.com/v2/url?u=http-3A__ovn-2Dnorthd.at&d=DwMFaQ&c=s883GpUCOChKOHiocYtGcg&r=mZwX9gFQgeJHzTg-68aCJgsODyUEVsHGFOfL90J6MJY&m=YZ-yzLqDHYdnZtQchAxjJnIcVdF_Zeb0nIZ0cN4nB9Y&s=c5IfQw6bObiRN2TI_tcwttyxMPgFJVkwU_BSwrDEZeY&e=> | 95 ++++++++++++++
> tests/ovn.at [ovn.at]<https://urldefense.proofpoint.com/v2/url?u=http-3A__ovn.at&d=DwMFaQ&c=s883GpUCOChKOHiocYtGcg&r=mZwX9gFQgeJHzTg-68aCJgsODyUEVsHGFOfL90J6MJY&m=YZ-yzLqDHYdnZtQchAxjJnIcVdF_Zeb0nIZ0cN4nB9Y&s=o-ecwOgnFjLzExHLICefl-LCZVesnIOoDi_d6xRcmHM&e=> | 311 ++++++++++++++++++++++++++++++++++++++++++++++
> utilities/ovn-nbctl.8.xml | 12 +-
> utilities/ovn-nbctl.c | 30 ++++-
> 9 files changed, 594 insertions(+), 19 deletions(-)
>
> --
> 1.8.3.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org<mailto:dev at openvswitch.org>
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev [mail.openvswitch.org]<https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwMFaQ&c=s883GpUCOChKOHiocYtGcg&r=mZwX9gFQgeJHzTg-68aCJgsODyUEVsHGFOfL90J6MJY&m=YZ-yzLqDHYdnZtQchAxjJnIcVdF_Zeb0nIZ0cN4nB9Y&s=vPxNiy5LZtA6jq5RYig_EKbeOkUkV-LHoB9P9o6zrvk&e=>
More information about the dev
mailing list