[ovs-discuss] Full-NAT (DNAT+SNAT) support

Zang MingJie zealot0630 at gmail.com
Fri Dec 9 11:21:15 UTC 2016


Hi:

I'm trying to do full-NAT with ovs 2.6; I want to translate packets from 
the global network into the private network.

(global-ip:port -> 100.2.5.8:2489) <=> (10.0.1.20:X -> 10.0.1.5:9468)

To achieve it, I have set up three ct(nat) actions: first a bare nat to 
look up the conntrack table, then one for dnat and one for snat:

table=0,tcp,in_port=5 actions=ct(table=10,zone=1,nat)
table=10,ct_state=+new,ct_zone=1,tcp,nw_dst=100.2.5.8,tp_dst=2489 actions=ct(commit,table=15,zone=1,nat(dst=10.0.1.5:9468))
table=15,ct_zone=1 actions=ct(commit,table=20,zone=1,nat(src=10.0.1.20))
table=20,output:2

But only the first packet is successfully translated; all following 
packets are not translated by snat, only dnat is applied:

IP 10.0.1.20.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...
IP 169.254.174.222.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...
IP 169.254.174.222.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...
IP 169.254.174.222.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...

And there are two conntrack entries:

tcp,
orig=(src=169.254.174.222,dst=100.2.5.8,sport=42510,dport=2489),
reply=(src=10.0.1.5,dst=169.254.174.222,sport=9468,dport=42510),
zone=1,protoinfo=(state=SYN_SENT)

tcp,
orig=(src=169.254.174.222,dst=10.0.1.5,sport=42510,dport=9468),
reply=(src=10.0.1.5,dst=10.0.1.20,sport=9468,dport=42510),
zone=1,protoinfo=(state=SYN_SENT)

From my experience with iptables and conntrack, there should be only one 
conntrack entry, like this:

tcp,
orig=(src=169.254.174.222,dst=100.2.5.8,sport=42510,dport=2489),
reply=(src=10.0.1.5,dst=10.0.1.20,sport=9468,dport=42510),
zone=1,protoinfo=(state=SYN_SENT)

Using the current ovs, is there any way to achieve full-NAT?
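The conntrack entries quoted in the post show the diagnosis directly: an entry records a translation as an asymmetry between its orig and reply tuples (reply src differing from orig dst means DNAT, reply dst differing from orig src means SNAT), so the two entries above are one DNAT-only half and one SNAT-only half of what iptables would record as a single full-NAT entry. The script below is an added example, not code from the post or from Open vSwitch. It parses dump-conntrack style entries in the format shown above (the sample dump is constructed from the post's two entries plus one untranslated connection for contrast), classifies each entry, and pairs a DNAT-only entry with the SNAT-only entry that a second conntrack lookup on the already-DNATed tuple would create in the same zone, then prints the single entry a full NAT would have produced. The pairing rule and the tolerance for wrapped lines are assumptions made for this example.

```python
"""Classify OVS conntrack entries by the translation they record and spot a
DNAT/SNAT pair that should have been a single full-NAT entry.

Added example, not code from the original post or from Open vSwitch.
Assumes "proto,orig=(...),reply=(...),zone=N,..." entries as printed by
ovs-appctl dpctl/dump-conntrack; entries may be wrapped across lines with a
blank line between them, as in the post.
"""
import re

# Constructed sample: the two entries quoted in the post, plus one plain TCP
# connection without any translation for contrast.
SAMPLE_DUMP = """\
tcp,
orig=(src=169.254.174.222,dst=100.2.5.8,sport=42510,dport=2489),
reply=(src=10.0.1.5,dst=169.254.174.222,sport=9468,dport=42510),
zone=1,protoinfo=(state=SYN_SENT)

tcp,
orig=(src=169.254.174.222,dst=10.0.1.5,sport=42510,dport=9468),
reply=(src=10.0.1.5,dst=10.0.1.20,sport=9468,dport=42510),
zone=1,protoinfo=(state=SYN_SENT)

tcp,orig=(src=10.0.1.7,dst=10.0.1.5,sport=5000,dport=22),reply=(src=10.0.1.5,dst=10.0.1.7,sport=22,dport=5000),zone=1,protoinfo=(state=ESTABLISHED)
"""

TUPLE_RE = re.compile(r"(orig|reply)=\(([^)]*)\)")


def parse_tuple(body):
    """'src=A,dst=B,sport=P,dport=Q' -> {'src': (A, P), 'dst': (B, Q)}.
    Ports default to 0 for protocols without them (e.g. icmp)."""
    f = dict(kv.split("=", 1) for kv in body.split(","))
    return {"src": (f["src"], int(f.get("sport", 0))),
            "dst": (f["dst"], int(f.get("dport", 0)))}


def parse_dump(text):
    """Split a dump into entries (blank-line separated, possibly wrapped)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        flat = "".join(line.strip() for line in block.splitlines())
        tuples = dict(TUPLE_RE.findall(flat))
        if "orig" not in tuples or "reply" not in tuples:
            raise ValueError("entry without orig/reply tuple: " + flat)
        zone = re.search(r"\bzone=(\d+)", flat)
        entries.append({
            "proto": flat.split(",", 1)[0],
            "orig": parse_tuple(tuples["orig"]),
            "reply": parse_tuple(tuples["reply"]),
            "zone": int(zone.group(1)) if zone else 0,
        })
    return entries


def nat_kind(e):
    """Infer the recorded translation from the orig/reply asymmetry."""
    # DNAT: the server answers from an address other than the one the client sent to.
    dnat = e["reply"]["src"] != e["orig"]["dst"]
    # SNAT: the reply is addressed to something other than the original source.
    snat = e["reply"]["dst"] != e["orig"]["src"]
    return {(True, True): "full-nat", (True, False): "dnat",
            (False, True): "snat"}.get((dnat, snat), "none")


def find_split_translations(entries):
    """Pair each DNAT-only entry with a SNAT-only entry in the same zone whose
    orig tuple is the DNAT entry's post-translation tuple (same original
    source, destination equal to the DNAT entry's reply source). Assumed
    heuristic: this is the signature of a second ct lookup on a tuple that
    an earlier commit already rewrote."""
    pairs = []
    for d in entries:
        if nat_kind(d) != "dnat":
            continue
        for s in entries:
            if (nat_kind(s) == "snat" and s["zone"] == d["zone"]
                    and s["orig"]["src"] == d["orig"]["src"]
                    and s["orig"]["dst"] == d["reply"]["src"]):
                pairs.append((d, s))
    return pairs


def merge_halves(dnat_entry, snat_entry):
    """The single entry an iptables-style full NAT would have recorded."""
    return {"proto": dnat_entry["proto"], "zone": dnat_entry["zone"],
            "orig": dnat_entry["orig"], "reply": snat_entry["reply"]}


def format_entry(e):
    o, r = e["orig"], e["reply"]
    return ("%s,orig=(src=%s,dst=%s,sport=%d,dport=%d),"
            "reply=(src=%s,dst=%s,sport=%d,dport=%d),zone=%d"
            % (e["proto"], o["src"][0], o["dst"][0], o["src"][1], o["dst"][1],
               r["src"][0], r["dst"][0], r["src"][1], r["dst"][1], e["zone"]))


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    for e in entries:
        print("%-8s %s" % (nat_kind(e), format_entry(e)))
    for d, s in find_split_translations(entries):
        print("expected single entry:", format_entry(merge_halves(d, s)))
```

Run against the entries from the post, the first is reported as dnat, the second as snat, and the merged result is exactly the one full-nat entry the post says should exist. Feeding it a real dump after a configuration change is a quick way to confirm whether a connection has been committed once with both translations or twice with one each.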