[ovs-dev] [PATCH v1 0/3] ALLOW Stateless NAT operations
ankur.sharma at nutanix.com
Fri Oct 4 01:55:36 UTC 2019
NAT implementation in OVN uses the connection tracker to replace
source and dest IPs. This implementation works fine and
is the right approach for cases where external IPs are shared
(i.e. SNAT) or where we replace the IP only when the relevant flow is there.

However, it opens the possibility of a DoS attack, where an attacker
can easily simulate multiple 5-tuples to consume the connection
tracker entries in an OVN chassis. This way they can easily attain
the CT limit, thereby impacting the usage of it by other features
like valid NAT, ACL etc.

This attack is even worse when the external IP is a public IP,
i.e. an internet-routable IP.

In this patch we are introducing an option with the NAT table entry.
Option "is_stateless=true" indicates that the NAT implementation
should not be using CT, i.e. it should not use ct_snat/dnat actions.
We introduce new OVN actions which will replace source and destination
IPs, while recalculating the checksums.

This option is applicable only for the NAT rules which can be
1:1 mapped between inner and external IPs, i.e. the dnat_and_snat rule.
Signed-off-by: Ankur Sharma <ankur.sharma at nutanix.com>
Ankur Sharma (3):
OVN: ADD new ovn actions to replace source and destination ip
OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
OVN: Use replace_src_ip and replace_dst_ip for NAT rules
include/ovn/actions.h | 10 ++++-
lib/actions.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++
northd/ovn-northd.8.xml | 34 +++++++++++----
northd/ovn-northd.c | 86 ++++++++++++++++++++++++++++++++++----
ovn-nb.ovsschema | 6 ++-
ovn-nb.xml | 5 +++
tests/ovn-nbctl.at | 29 +++++++++++++
tests/ovn-northd.at | 35 ++++++++++++++++
tests/ovn.at | 26 ++++++++++++
utilities/ovn-nbctl.8.xml | 12 +++++-
utilities/ovn-nbctl.c | 30 +++++++++++++-
utilities/ovn-trace.c | 6 +++
12 files changed, 361 insertions(+), 21 deletions(-)
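Added example, not code from this patch series or from OVN: the packet-level operation the cover letter describes for the new replace_src_ip/replace_dst_ip actions, i.e. a 1:1 IPv4 address rewrite with no conntrack entry, fixing the IP header checksum and the TCP/UDP checksum incrementally (RFC 1624) instead of recomputing them. The function names, the constructed sample packet and addresses, and the choice to leave a zero (disabled) UDP checksum untouched are assumptions of this example, not details of the OVN implementation.

```c
#include <stdint.h>
#include <stddef.h>
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }
/* Ones' complement sum of big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; len -= 2, p += 2) sum += get16(p);
    return len ? sum + (uint32_t)(p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }
/* Incremental update, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), for a 32-bit field m -> m'. */
static uint16_t csum_replace32(uint16_t hc, uint32_t m, uint32_t m2)
{
    uint32_t sum = (uint16_t)~hc;
    sum += (uint16_t)~(m >> 16) + (uint16_t)~(m & 0xffff) + (m2 >> 16) + (m2 & 0xffff);
    return (uint16_t)~csum_fold(sum);
}
/* True if the IPv4 header checksum and the TCP/UDP checksum (pseudo-header: src, dst, proto, L4 length) both verify. */
int checksums_ok(const uint8_t *pkt, size_t len)
{
    size_t ihl = (pkt[0] & 0x0f) * 4;
    uint32_t ph = csum_add(0, pkt + 12, 8) + pkt[9] + (uint32_t)(len - ihl);
    return csum_fold(csum_add(0, pkt, ihl)) == 0xffff
        && csum_fold(csum_add(ph, pkt + ihl, len - ihl)) == 0xffff;
}
/* Rewrite the source (is_src != 0) or destination address in place, fixing both checksums incrementally; -1 if not plain IPv4 over TCP/UDP. */
int rewrite_ipv4_addr(uint8_t *pkt, size_t len, int is_src, uint32_t new_addr)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || (pkt[9] != 6 && pkt[9] != 17)) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4, l4_off = ihl + (pkt[9] == 6 ? 16 : 6); /* TCP/UDP checksum field */
    if (ihl < 20 || len < l4_off + 2) return -1;
    uint8_t *addr = pkt + (is_src ? 12 : 16); uint32_t old_addr = get32(addr);
    put16(pkt + 10, csum_replace32(get16(pkt + 10), old_addr, new_addr));
    if (pkt[9] == 6 || get16(pkt + l4_off) != 0)  /* UDP checksum 0 means "none": leave it alone */
        put16(pkt + l4_off, csum_replace32(get16(pkt + l4_off), old_addr, new_addr));
    put16(addr, new_addr >> 16); put16(addr + 2, new_addr & 0xffff);
    return 0;
}
/* Constructed sample (not a capture): IPv4/TCP SYN 10.0.0.5 -> 192.168.1.10 with valid checksums.
 * DNAT the destination to 10.0.0.9 (a 1:1 mapping, as dnat_and_snat would), verify both checksums,
 * and return the new IP and TCP checksums packed as (ip << 16) | tcp, or -1 on failure. */
int demo_dnat(void)
{
    uint8_t pkt[40] = { 0x45,0,0,0x28, 0,1,0,0, 0x40,6,0xaf,0x18, 10,0,0,5, 192,168,1,10,
                        0x30,0x39,0,0x50, 0,0,0,1, 0,0,0,0, 0x50,2,0xff,0xff, 0xb3,0xa1,0,0 };
    if (rewrite_ipv4_addr(pkt, sizeof pkt, 0, 0x0a000009) || get32(pkt + 16) != 0x0a000009
        || !checksums_ok(pkt, sizeof pkt)) return -1;
    return (int)(((uint32_t)get16(pkt + 10) << 16) | get16(pkt + 36));
}
```

The returned checksums match a from-scratch recomputation (0x66c2 for the IP header, 0x6b4b for TCP), which is what makes the rewrite safe to do per packet with no per-flow state.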