[ovs-discuss] Openvswitch linux nat issue (ver 2.7.0 and linux 4.9.x)

akshay6 agarwal akshayagarwal2014 at gmail.com
Fri May 26 15:10:41 UTC 2017


Hi Aaron

I tried the first approach and it is not working.
I am able to receive the packet from the LAN on veth1 but no further.
So it seems iptables is not being applied within netns "test".

Please advise

Thanks

On Thu, May 25, 2017 at 10:43 PM, akshay6 agarwal <
akshayagarwal2014 at gmail.com> wrote:

> Hi Aaron
>
> Thanks
> I see there are 2 approaches as mentioned by you
>
> 1. Regarding the first, I assume you mean creating another netns and creating
> peers between ethwan1 and veth1.
> Say we have another netns lying outside ovs whose one interface (say veth1,
> lying inside netns test) is linked to the ovs internal wan interface (say
> ethwan1):
>
>
> ip link add ethwan1 type veth peer name veth1
> ip link set veth1 netns test
>
> And I assume in this test netns, I need to add my physical wan interface,
> say eth2, too:
> ip link set eth2 netns test
> So we have 2 interfaces present in netns *test*, one of which (veth1) is
> connected to ovs ethwan1.
> And then I need to apply iptables between veth1 and eth2 using
> #sudo ip netns exec myns1 iptables ...
> Correct?
> Please explain this part even if it is complicated. Also I assume veth1
> and ethwan1 should be on the same subnet.
>
> 2. Regarding the second approach, I am not able to find proper ovs
> natting commands/docs for the same except some explanation:
> http://openvswitch.org/support/ovscon2014/17/1030-conntrack_nat.pdf
>
> In my scenario I want to achieve natting using ovs, having the lan interface as
> 10.10.10.0/24 (and one virtual lan interface as ethlan)
> and a single wan interface as 11.11.11.11/32 (and a single wan virtual
> interface as ethwan1).
> Both of the interfaces lie on ovs and traffic from host PCs (multiple
> machines) needs to be natted via ovs.
> Can you let me know the specific command? In a way, my objective is to
> achieve Dynamic NAT/PAT using ovs openflow commands.
>
>
> Thanks
>
>
> On Thu, May 25, 2017 at 8:33 PM, Aaron Conole <aconole at redhat.com> wrote:
>
>> akshay6 agarwal <akshayagarwal2014 at gmail.com> writes:
>>
>> > Hi All
>> >
>> > My objective is to use fast failover using linux nat in OVS, but before
>> > implementing that I am stuck on a NAT (iptables) issue.
>> >
>> > I have one ovs bridge with 2 lan interfaces (1 virtual interface
>> > (ethlan) and one physical interface (eth1.4)).
>> > Also added 2 wan virtual interfaces to the ovs bridge (ethwan1 and ethwan2).
>> >
>> > Below is the bridge configuration:
>> >
>> > LAN SIDE:
>> > ovs-vsctl add-port base ethlan tag=10 -- set interface ethlan type=internal
>> > ovs-vsctl add-port base eth1.4 tag=10  (Actual physical lan interface)
>> >
>> > WAN1 SIDE:
>> >
>> > ovs-vsctl add-port base ethwan1 tag=20 -- set interface ethwan1 type=internal
>> >
>> > WAN2 SIDE:
>> >
>> > ovs-vsctl add-port base ethwan2 tag=30 -- set interface ethwan2 type=internal
>> >
>> > IP addresses:
>> > ethlan -> 192.168.10.2
>> > ethwan1 -> 192.168.10.4
>> > eth2->10.1.10.2/24
>> > eth3->10.1.20.2/24
>> >
>> > I have 2 wan physical interfaces, i.e. eth2 and eth3. Both of these
>> > interfaces are lying outside the ovs.
>> >
>> > My linux nat iptables from ethwan1 to eth2 are not working. I am able
>> > to receive the packet from eth1.4 to ethwan1 but not further.
>>
>> While Open vSwitch plugs into the netfilter framework, it does NOT plug
>> into xtables.  This means that the iptables commands are not (as a rule)
>> executed as part of the datapath.  You *can* create a hybrid setup where
>> you have a virtual port (tap/tun devices or veth pairs connected to
>> separate bridge or netns) which can be used to attach xtables
>> processing.  IMO, that is significantly more complication than you want
>> in your life.
>>
>> Using just openvswitch, you can set up the requisite conntrack actions to
>> commit and add any additional nat actions you would desire.  Open
>> vSwitch *is* integrated with generic netfilter, so all of the classic
>> netfilter helpers are accessible, and conntrack tools will work just
>> fine.
>>
>> > I am using below iptables:
>> >
>> > # /sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
>> > # /sbin/iptables -A FORWARD -i eth2 -o ethwan1 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> > # /sbin/iptables -A FORWARD -i ethwan1 -o eth2 -j ACCEPT
>> >
>> > I am using below openflows:
>> >
>> > 1. ovs-ofctl -O OpenFlow13 add-flow base cookie=50000,priority=50000,actions=NORMAL
>> >
>> > -> To forward traffic from ethlan to ethwan1
>> > 2. ovs-ofctl -O OpenFlow13 add-flow base cookie=50001,priority=50001,ip,in_port=1,actions=output:2
>> >
>> > Please advise
>>
>> Your normal flow processing won't work here.
>>
>> Please refer to the Open vSwitch conntrack and nat documentation.
>>
>> > Thanks
>> > Akshay
>>
>
>
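Aaron's second suggestion in the quoted reply, source NAT done entirely with OVS conntrack actions rather than iptables MASQUERADE (which OVS never sees), is shown below as an added example; it is not code from the thread or from the Open vSwitch project. It assumes the layout the thread describes: bridge `base`, OpenFlow port 1 on the LAN side and port 2 on `ethwan1`, LAN subnet 10.10.10.0/24 and public address 11.11.11.11, all overridable through environment variables. The `ovs_snat_flows` function only emits the flow specs, so the rule set can be reviewed without OVS installed; `apply_snat_flows` prints the `ovs-ofctl` commands in its default dry-run mode and runs them when `DRY_RUN=0`. The `nat(src=...)` action needs kernel-side OVS NAT support, which the 4.9 kernel and OVS 2.7 named in the subject have.

```shell
#!/bin/sh
# Added example (not from the thread): source NAT / PAT done with OVS conntrack
# actions instead of iptables MASQUERADE, which OVS bypasses.
# Assumed layout (hypothetical, matching the thread's description):
#   bridge "base", OpenFlow port 1 = LAN side, port 2 = ethwan1,
#   LAN 10.10.10.0/24, public address 11.11.11.11.
set -e

BRIDGE="${BRIDGE:-base}"
LAN_PORT="${LAN_PORT:-1}"
WAN_PORT="${WAN_PORT:-2}"
LAN_NET="${LAN_NET:-10.10.10.0/24}"
NAT_IP="${NAT_IP:-11.11.11.11}"

# Emit the flow specs one per line, so they can be reviewed or tested
# without an OVS installation.
ovs_snat_flows() {
    lan_port=$1; wan_port=$2; lan_net=$3; nat_ip=$4
    # Untracked IP packets go through conntrack first; "nat" here reverses
    # the translation for replies of committed connections, then the packet
    # is recirculated to table 1 with its ct_state populated.
    echo "table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1,nat)"
    # ARP must still be forwarded or nothing will resolve its next hop.
    echo "table=0,priority=10,arp,actions=NORMAL"
    # New LAN->WAN connection: commit it and rewrite the source address.
    # Conntrack picks a free source port when two hosts collide (PAT).
    echo "table=1,priority=100,ip,in_port=${lan_port},ct_state=+trk+new,nw_src=${lan_net},actions=ct(commit,nat(src=${nat_ip})),output:${wan_port}"
    # Established LAN->WAN packets were already translated in table 0.
    echo "table=1,priority=100,ip,in_port=${lan_port},ct_state=+trk+est,actions=output:${wan_port}"
    # Replies from the WAN: only packets that belong to a committed connection
    # are let back in, the equivalent of the FORWARD RELATED,ESTABLISHED rule.
    echo "table=1,priority=100,ip,in_port=${wan_port},ct_state=+trk+est,actions=output:${lan_port}"
    # Unsolicited inbound traffic on the WAN side is dropped.
    echo "table=1,priority=50,ip,in_port=${wan_port},actions=drop"
}

# Apply with ovs-ofctl when DRY_RUN=0; otherwise print the commands that would run.
apply_snat_flows() {
    ovs_snat_flows "$LAN_PORT" "$WAN_PORT" "$LAN_NET" "$NAT_IP" |
    while IFS= read -r flow; do
        if [ "${DRY_RUN:-1}" = "0" ]; then
            ovs-ofctl -O OpenFlow13 add-flow "$BRIDGE" "$flow"
        else
            echo "ovs-ofctl -O OpenFlow13 add-flow $BRIDGE \"$flow\""
        fi
    done
}

apply_snat_flows
```

Before applying, clear the `priority=50000,actions=NORMAL` catch-all from the thread (`ovs-ofctl del-flows base`), since a NORMAL flow at a higher priority would bypass the conntrack tables entirely. After a LAN host opens a connection, `ovs-ofctl dump-flows base` should show packet counters climbing on the `+trk+new` and `+trk+est` flows, and because OVS shares the generic netfilter conntrack table, `conntrack -L` on the host shows the translated entry.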