[ovs-discuss] Openvswitch linux nat issue (ver 2.7.0 and linux 4.9.x)

Aaron Conole aconole at redhat.com
Thu May 25 15:03:39 UTC 2017

akshay6 agarwal <akshayagarwal2014 at gmail.com> writes:

> Hi All
> My objective is to use fast failover using linux nat in OVS but before implementing that I am stuck in NAT
> (ip tables) issue.
> I have one ovs bridge with 2 lan interfaces (1 virtual interface (ethlan) and one physical interface (eth1.4))
> Also added 2 wan virtual interfaces to ovs bridge(ethwan1 and ethwan2)
> Below is the bridge configuration:
> ovs-vsctl add-port base ethlan tag=10 -- set interface ethlan type=internal
> ovs-vsctl add-port base eth1.4 tag=10  (Actual physical lan interface)
> ovs-vsctl add-port base ethwan1 tag=20 -- set interface ethwan1 type=internal
> ovs-vsctl add-port base ethwan2 tag=30 -- set interface ethwan2 type=internal
> IP addresses:
> ethlan ->
> ethwan1 ->
> eth2->
> eth3->
> I have 2 wan physical interfaces i.e. eth2 and eth3. Both of these interfaces are lying outside the ovs
> My linux nat iptables from ethwan1 to eth2 are not working. I am able to receive the packet from eth1.4
> to ethwan1 but not further.

While Open vSwitch plugs into the netfilter framework, it does NOT plug
into xtables.  This means that the iptables commands are not (as a rule)
executed as part of the datapath.  You *can* create a hybrid setup where
you have a virtual port (tap/tun devices or veth pairs connected to
separate bridge or netns) which can be used to attach xtables
processing.  IMO, that is significantly more complication than you want
in your life.

Using just openvswitch, you can set up the requisite conntrack actions to
commit and add any additional nat actions you would desire.  Open
vSwitch *is* integrated with generic netfilter, so all of the classic
netfilter helpers are accessible, and conntrack tools will work just

> I am using below iptables:
> # /sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> # /sbin/iptables -A FORWARD -i eth2 -o ethwan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> # /sbin/iptables -A FORWARD -i ethwan1 -o eth2 -j ACCEPT
> I am using below openflows:
> 1. ovs-ofctl -O OpenFlow13 add-flow base cookie=50000,priority=50000,actions=NORMAL
> ->To forward traffic from ethlan to ethwan1
> 2. ovs-ofctl -O OpenFlow13 add-flow base cookie=50001,priority=50001,ip,in_port=1,actions=output:2
> Please advise

Your normal flow processing won't work here.

Please refer to the Open vSwitch conntrack and nat documentation.

> Thanks
> Akshay
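Added example, not part of the thread or of the Open vSwitch project: the flow table that does with OVS ct()/nat() actions what the poster's iptables MASQUERADE rule was meant to do, following the conntrack and NAT documentation the reply points to. It assumes (not stated in the thread) that the LAN side is OpenFlow port 1 and the WAN uplink is OpenFlow port 2 on the same bridge, since OVS can only NAT traffic that actually traverses its datapath, and 203.0.113.10 is a constructed placeholder for the source NAT address. Untracked IP is sent to conntrack in table 0; table 1 commits new LAN-originated connections with source NAT, applies the stored translation to established traffic in both directions, and drops new connections arriving from the WAN side and invalid state; table 2 forwards.

```shell
#!/bin/sh
# Added example (not from the thread): OVS-native source NAT built from
# ct()/nat() actions, replacing the iptables MASQUERADE the poster tried.
#
# Assumptions (hypothetical, not from the original post):
#   - LAN side is OpenFlow port 1, WAN uplink is OpenFlow port 2, same bridge.
#   - 203.0.113.10 is a constructed placeholder for the WAN address to SNAT to.

BRIDGE="${BRIDGE:-base}"
LAN_PORT=1
WAN_PORT=2
SNAT_ADDR="203.0.113.10"   # constructed placeholder

# Print one flow per line.  Table 0 hands untracked IP to conntrack; table 1
# decides on connection state and applies NAT; table 2 forwards.
nat_flows() {
    cat <<EOF
table=0,priority=100,arp,actions=NORMAL
table=0,priority=50,ip,ct_state=-trk,actions=ct(table=1)
table=1,priority=50,ip,in_port=${LAN_PORT},ct_state=+trk+new,actions=ct(commit,nat(src=${SNAT_ADDR}),table=2)
table=1,priority=50,ip,in_port=${LAN_PORT},ct_state=+trk+est,actions=ct(nat,table=2)
table=1,priority=50,ip,in_port=${WAN_PORT},ct_state=+trk+est,actions=ct(nat,table=2)
table=1,priority=40,ip,in_port=${WAN_PORT},ct_state=+trk+new,actions=drop
table=1,priority=10,ip,ct_state=+trk+inv,actions=drop
table=2,priority=50,ip,in_port=${LAN_PORT},actions=output:${WAN_PORT}
table=2,priority=50,ip,in_port=${WAN_PORT},actions=output:${LAN_PORT}
EOF
}

# Number of flows that commit a new connection with source NAT (exactly one:
# only the first packet of a LAN-originated connection creates the mapping).
count_snat_commits() {
    nat_flows | grep -c 'ct(commit,nat(src='
}

# Apply the flows with ovs-ofctl when it is installed; otherwise print the
# commands so the table can be reviewed on a machine without OVS.
apply_flows() {
    nat_flows | while IFS= read -r flow; do
        if command -v ovs-ofctl >/dev/null 2>&1; then
            ovs-ofctl -O OpenFlow13 add-flow "$BRIDGE" "$flow"
        else
            printf 'ovs-ofctl -O OpenFlow13 add-flow %s "%s"\n' "$BRIDGE" "$flow"
        fi
    done
}

# Usage: sh ovs-snat.sh apply   (run without "apply" to do nothing but define functions)
if [ "${1:-}" = "apply" ]; then
    apply_flows
fi
```

Run with `apply` on the OVS host to install the flows, or without ovs-ofctl present to see the commands that would be issued. Return traffic from the WAN is only forwarded once conntrack has matched it to a committed connection (`+trk+est`), which is the role the poster's `RELATED,ESTABLISHED` FORWARD rule played in iptables; `ovs-appctl dpctl/dump-conntrack` will show the resulting NAT entries.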
