[ovs-dev] [PATCH v2] conntrack: fix src port selection for DNAT case
Paolo Valerio
pvalerio at redhat.com
Tue Aug 31 14:25:10 UTC 2021
Hello,
wenxu at ucloud.cn writes:
> From: wenxu <wenxu at ucloud.cn>
>
> For DNAT case the src port should never modified.
>
> Fixes: 61e48c2d1db2 ("conntrack: Handle SNAT with all-zero IP address")
> Signed-off-by: wenxu <wenxu at ucloud.cn>
> ---
> lib/conntrack.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/lib/conntrack.c b/lib/conntrack.c
> index 551c206..4566f65 100644
> --- a/lib/conntrack.c
> +++ b/lib/conntrack.c
> @@ -2258,11 +2258,13 @@ set_sport_range(struct nat_action_info_t *ni, const struct conn_key *k,
> uint32_t hash, uint16_t *curr, uint16_t *min,
> uint16_t *max)
> {
> - if (((ni->nat_action & NAT_ACTION_SNAT_ALL) == NAT_ACTION_SRC) ||
> - ((ni->nat_action & NAT_ACTION_DST))) {
the purpose here was to have a more consistent behavior between
datapaths, allowing, only in case of collision, something like this:
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=10000,dport=80),reply=(src=10.1.1.2,dst=10.1.1.1,sport=80,dport=10000),protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.1.1.1,dst=192.168.2.100,sport=10000,dport=80),reply=(src=10.1.1.2,dst=10.1.1.1,sport=80,dport=10001),protoinfo=(state=ESTABLISHED)
originating both connections from 10.1.1.1 using the same source port.
The kernel datapath does the same:
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=10000,dport=80),reply=(src=10.1.1.2,dst=10.1.1.1,sport=80,dport=10000),protoinfo=(state=ESTABLISHED)
tcp,orig=(src=10.1.1.1,dst=192.168.2.100,sport=10000,dport=80),reply=(src=10.1.1.2,dst=10.1.1.1,sport=80,dport=49264),protoinfo=(state=ESTABLISHED)
but picking a random port.
Changing this wouldn't allow the second entry to get created:
ovs-vswitchd[434250]: ovs|00051|conntrack|WARN|Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and/or zone partitioning.
is it something we want?
> + if ((ni->nat_action & NAT_ACTION_SNAT_ALL) == NAT_ACTION_SRC) {
> *curr = ntohs(k->src.port);
> *min = MIN_NAT_EPHEMERAL_PORT;
> *max = MAX_NAT_EPHEMERAL_PORT;
> + } else if (ni->nat_action & NAT_ACTION_DST) {
> + *curr = ntohs(k->src.port);
> + *min = *max = *curr;
> } else {
> *min = ni->min_port;
> *max = ni->max_port;
> --
> 1.8.3.1
More information about the dev
mailing list