[ovs-dev] [PATCH ovn v4 2/2] ovn-trace: correctly handle ct_dnat(IP) action

Mark Gray mark.d.gray at redhat.com
Fri Jun 11 14:10:48 UTC 2021


ovn-trace does not set the translated IP address for ct_dnat()
actions when tracing. This causes the trace to end prematurely.

This can be tested with the following or an equivalent for IPv6:

ovn-nbctl ls-add sw0
ovn-nbctl lsp-add sw0 sw0-port1
ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2"

ovn-nbctl ls-add sw1
ovn-nbctl lsp-add sw1 sw1-port1
ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2"

ovn-nbctl lr-add lr0
ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24
ovn-nbctl lsp-add sw0 lrp0-attachment
ovn-nbctl lsp-set-type lrp0-attachment router
ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24 -- lrp-set-gateway-chassis lrp1 chassis-1
ovn-nbctl lsp-add sw1 lrp1-attachment
ovn-nbctl lsp-set-type lrp1-attachment router
ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1

ovn-nbctl lr-nat-add lr0 dnat 42.42.42.42 192.168.0.2

ovs-vsctl add-port br-int p1 -- \
    set Interface p1 external_ids:iface-id=sw0-port1
ovs-vsctl add-port br-int p2 -- \
    set Interface p2 external_ids:iface-id=sw1-port1

ovn-trace  'inport == "sw1-port1" && eth.src == 50:54:00:00:00:03 && eth.dst == 00:00:00:00:ff:02 && ip4.dst == 42.42.42.42 && ip4.src == 11.0.0.2 && ip.ttl == 64'

Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Dumitru Ceara <dceara at redhat.com>
---

Notes:
    v2: fix whitespace and add unit tests, move ovn-trace tests to dedicated file
    v3: Move ovn-trace tests back to original file
    v4: Split out whitepace patch
        add Dumitru's ack
        add trailing whitespace
        add check for 'ovn-nbctl' commands

 tests/ovn-northd.at   | 78 +++++++++++++++++++++++++++++++++++++++++++
 utilities/ovn-trace.c | 10 ++++++
 2 files changed, 88 insertions(+)

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index aae85e3bf657..7f54ce91e6ab 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -3644,3 +3644,81 @@ check ovn-nbctl --wait=sb sync
 OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
 AT_CLEANUP
 ])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn -- trace with IPv4 dnat])
+AT_KEYWORDS([dnat])
+ovn_start
+
+check ovn-nbctl ls-add sw0
+check ovn-nbctl lsp-add sw0 sw0-port1
+check ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 192.168.0.2"
+
+check ovn-nbctl ls-add sw1
+check ovn-nbctl lsp-add sw1 sw1-port1
+check ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 11.0.0.2"
+
+check ovn-nbctl lr-add lr0
+check ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 192.168.0.1/24
+check ovn-nbctl lsp-add sw0 lrp0-attachment
+check ovn-nbctl lsp-set-type lrp0-attachment router
+check ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
+check ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
+check ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 11.0.0.1/24 -- lrp-set-gateway-chassis lrp1 chassis-1
+check ovn-nbctl lsp-add sw1 lrp1-attachment
+check ovn-nbctl lsp-set-type lrp1-attachment router
+check ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
+check ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1
+
+check ovn-nbctl lr-nat-add lr0 dnat 42.42.42.42 192.168.0.2
+check ovn-nbctl --wait=sb sync
+
+AT_CHECK([ovn-trace --minimal 'inport == "sw1-port1" && eth.src == 50:54:00:00:00:03 && eth.dst == 00:00:00:00:ff:02 && ip4.dst == 42.42.42.42 && ip4.src == 11.0.0.2 && ip.ttl == 64' | grep "output(\"sw0-port1\")"], [0], [ignore])
+
+dnl If we remove the DNAT entry we will be unable to trace to the DNAT address
+check ovn-nbctl lr-nat-del lr0 dnat 42.42.42.42
+check ovn-nbctl --wait=sb sync
+
+AT_CHECK([ovn-trace --minimal 'inport == "sw1-port1" && eth.src == 50:54:00:00:00:03 && eth.dst == 00:00:00:00:ff:02 && ip4.dst == 42.42.42.42 && ip4.src == 11.0.0.2 && ip.ttl == 64' | grep "output(\"sw0-port1\")"], [1], [ignore])
+
+AT_CLEANUP
+])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([ovn -- trace with IPv6 dnat])
+AT_KEYWORDS([dnat])
+ovn_start
+
+check ovn-nbctl ls-add sw0
+check ovn-nbctl lsp-add sw0 sw0-port1
+check ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:01 fd68::2"
+
+check ovn-nbctl ls-add sw1
+check ovn-nbctl lsp-add sw1 sw1-port1
+check ovn-nbctl lsp-set-addresses sw1-port1 "50:54:00:00:00:03 fd11::2"
+
+check ovn-nbctl lr-add lr0
+check ovn-nbctl lrp-add lr0 lrp0 00:00:00:00:ff:01 fd68::1/64
+check ovn-nbctl lsp-add sw0 lrp0-attachment
+check ovn-nbctl lsp-set-type lrp0-attachment router
+check ovn-nbctl lsp-set-addresses lrp0-attachment 00:00:00:00:ff:01
+check ovn-nbctl lsp-set-options lrp0-attachment router-port=lrp0
+check ovn-nbctl lrp-add lr0 lrp1 00:00:00:00:ff:02 fd11::1/64 -- lrp-set-gateway-chassis lrp1 chassis-1
+check ovn-nbctl lsp-add sw1 lrp1-attachment
+check ovn-nbctl lsp-set-type lrp1-attachment router
+check ovn-nbctl lsp-set-addresses lrp1-attachment 00:00:00:00:ff:02
+check ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1
+
+check ovn-nbctl lr-nat-add lr0 dnat fd42::42 fd68::2
+check ovn-nbctl --wait=sb sync
+
+AT_CHECK([ovn-trace --minimal 'inport == "sw1-port1" && eth.src == 50:54:00:00:00:03 && eth.dst == 00:00:00:00:ff:02 && ip6.dst == fd42::42 && ip6.src == fd11::2 && ip.ttl == 64' | grep "output(\"sw0-port1\")"], [0], [ignore])
+
+dnl If we remove the DNAT entry we will be unable to trace to the DNAT address
+check ovn-nbctl lr-nat-del lr0 dnat fd42::42
+check ovn-nbctl --wait=sb sync
+
+AT_CHECK([ovn-trace --minimal 'inport == "sw1-port1" && eth.src == 50:54:00:00:00:03 && eth.dst == 00:00:00:00:ff:02 && ip6.dst == fd42::42 && ip6.src == fd11::2 && ip.ttl == 64' | grep "output(\"sw0-port1\")"], [1], [ignore])
+
+AT_CLEANUP
+])
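Review bot: Both negative checks (the `[1]` AT_CHECKs that follow `lr-nat-del`, IPv4 and IPv6) pipe `ovn-trace` into `grep`, so the status being tested is grep's alone. If ovn-trace exits with an error or prints nothing, grep still returns 1 and the check passes without a trace having run. Splitting the step keeps the two outcomes apart: `AT_CHECK([ovn-trace --minimal '...' > trace], [0])` followed by `AT_CHECK([grep "output(\"sw0-port1\")" trace], [1])`. This assumes ovn-trace exits 0 for a trace that ends without delivery, which should be confirmed before changing the test.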
diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c
index 3b26b5af1d69..49463c5c2652 100644
--- a/utilities/ovn-trace.c
+++ b/utilities/ovn-trace.c
@@ -2297,10 +2297,20 @@ execute_ct_nat(const struct ovnact_ct_nat *ct_nat,
         if (ct_nat->family == AF_INET) {
             ds_put_format(&s, "(ip4.%s="IP_FMT")", direction,
                           IP_ARGS(ct_nat->ipv4));
+            if (is_dst) {
+                ct_flow.nw_dst = ct_nat->ipv4;
+            } else {
+                ct_flow.nw_src = ct_nat->ipv4;
+            }
         } else {
             ds_put_format(&s, "(ip6.%s=", direction);
             ipv6_format_addr(&ct_nat->ipv6, &s);
             ds_put_char(&s, ')');
+            if (is_dst) {
+                ct_flow.ipv6_dst = ct_nat->ipv6;
+            } else {
+                ct_flow.ipv6_src = ct_nat->ipv6;
+            }
         }
 
         uint8_t state = is_dst ? CS_DST_NAT : CS_SRC_NAT;
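Review bot: The `else` arms of the two new `if (is_dst)` blocks also rewrite `ct_flow.nw_src` and `ct_flow.ipv6_src`, so the traced result for ct_snat(IP) changes as well, yet the commit message and both new tests cover only DNAT. Operators rely on ovn-trace output to reason about reachability through NAT and ACL stages, so the source-address rewrite deserves its own test case (for example one built on `lr-nat-add lr0 snat`) or at least a mention in the commit message. A short comment above the first assignment would also help, e.g. `/* Apply the translated address to the traced flow so later lookups see the post-NAT packet. */`. `ct_flow` and the condition guarding this block are declared outside the hunk, so how the rewritten flow is used afterwards cannot be confirmed from here.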
-- 
2.27.0


