[ovs-dev] [PATCH v2] ipf: fix only nat the first fragment in the reass process
Aaron Conole
aconole at redhat.com
Thu Aug 12 16:17:59 UTC 2021
wenxu at ucloud.cn writes:
> From: wenxu <wenxu at ucloud.cn>
>
> The ipf collect original fragment packets and reass a new pkt
> to do the conntrack logic. After finsh the conntrack things
> copy the ct meta info to each orignal packet and modify the
> l4 header in the first fragment. It should modify the ip src/
> dst info for all the fragments.
>
> Signed-off-by: wenxu <wenxu at ucloud.cn>
> Co-authored-by: luke.li <luke.li at ucloud.cn>
> Signed-off-by: luke.li <luke.li at ucloud.cn>
> ---
Acked-by: Aaron Conole <aconole at redhat.com>
Thanks for the fix. I see it can work for any l3 protocol.
Based on the comments you supplied, I wrote the following test case. It
can either be folded in by you (or Ilya on apply), or I can submit as a
separate patch (in case you are worried about having my sign-off /
coauthor on this patch).
When testing 'make check-system-userspace' before this patch, I see a
failure and get the following tcpdump logged:
12:15:31 aconole at RHTPC1VM0NT {master} ~/git/ovs$ sudo tcpdump -r tests/system-userspace-testsuite.dir/078/p1.pcap
reading from file tests/system-userspace-testsuite.dir/078/p1.pcap, link-type EN10MB (Ethernet), snapshot length 262144
dropped privs to tcpdump
12:07:21.364925 ARP, Request who-has 10.2.1.2 tell 10.2.1.1, length 28
12:07:21.364928 ARP, Reply 10.2.1.2 is-at e6:45:4a:80:7c:61 (oui Unknown), length 28
12:07:21.365095 IP 10.1.1.1 > 10.1.1.2: ICMP echo request, id 40165, seq 1, length 1480
12:07:21.365099 IP 10.2.1.1 > 10.1.1.2: icmp
12:07:21.365101 IP 10.2.1.1 > 10.1.1.2: icmp
12:07:21.365102 IP 10.2.1.1 > 10.1.1.2: icmp
We see the first frag correct, but subsequent frags are broken.
This test worked both for userspace and kernel datapath on my local
system.
---
tests/system-traffic.at | 46 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index f400cfabc9..feb335c783 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -3305,6 +3305,52 @@ NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
+AT_SETUP([conntrack - IPv4 Fragmentation + nat])
+AT_SKIP_IF([test $HAVE_TCPDUMP = no])
+CHECK_CONNTRACK()
+
+OVS_TRAFFIC_VSWITCHD_START(
+ [set-fail-mode br0 secure -- ])
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.2.1.1/24")
+NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+# create a dummy route for NAT
+ADD_VETH(p2, at_ns1, br0, "10.2.1.2/24")
+NS_CHECK_EXEC([at_ns0], [ip route add 10.1.1.0/24 via 10.2.1.2])
+NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 nud permanent lladdr 80:88:88:88:88:88 dev p1])
+
+# disable iptables from getting in the way
+NS_EXEC([at_ns1], [iptables --flush])
+
+# solely for debugging when things go wrong
+NS_EXEC([at_ns0], [tcpdump -i p0 -w p0.pcap -xx >tcpdump.out &])
+NS_EXEC([at_ns1], [tcpdump -i p1 -w p1.pcap -xx >tcpdump.out &])
+NS_EXEC([at_ns1], [tcpdump -i p2 -w p2.pcap -xx >tcpdump2.out &])
+
+AT_DATA([flows.txt], [dnl
+table=0,arp,actions=normal
+table=0,ct_state=-trk,ip,in_port=ovs-p0, actions=ct(table=1, nat)
+table=0,ct_state=-trk,ip,in_port=ovs-p1, actions=ct(table=1, nat)
+table=1,ct_state=+trk+new,ip,in_port=ovs-p0, actions=ct(commit, nat(src=10.1.1.1)),ovs-p1
+table=1,ct_state=+trk+est,ip,in_port=ovs-p0, actions=ovs-p1
+table=1,ct_state=+trk+est,ip,in_port=ovs-p1, actions=ovs-p0
+])
+
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+
+#check connectivity
+NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 -M dont -s 4500 | FORMAT_PING], [0], [dnl
+1 packets transmitted, 1 received, 0% packet loss, time 0ms
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+
AT_SETUP([conntrack - resubmit to ct multiple times])
CHECK_CONNTRACK()
--
2.31.1
More information about the dev
mailing list