[ovs-discuss] Openvswitch linux nat issue (ver 2.7.0 and linux 4.9.x)
akshayagarwal2014 at gmail.com
Fri May 26 15:10:41 UTC 2017
I tried the first approach and it is not working.
I am able to receive the packet from LAN to veth1 but no further.
So it seems iptables is not being applied within netns "test".
On Thu, May 25, 2017 at 10:43 PM, akshay6 agarwal <
akshayagarwal2014 at gmail.com> wrote:
> Hi Aaron
> I see there are 2 approaches as mentioned by you
> 1. Regarding the first, I assume you mean creating another netns and creating
> peers between ethwan1 and veth1
> Say we have another netns lying outside ovs whose one interface (say veth1
> lying inside netns test) is linked to ovs internal wan interface(say
> ip link add ethwan1 type veth peer name veth1
> ip link set veth1 netns test
> And I assume in this test netns, I need to add my physical wan interface
> say eth2 too
> ip link set eth2 netns test
> So we have 2 interfaces present in netns *test*, one of which (veth1) is
> connected to ovs ethwan1.
> And then I need to apply iptables between veth1 and eth2 using
> #sudo ip netns exec myns1 iptables ...
> Please explain this part even if it is complicated. Also I assume veth1
> and ethwan1 should be on same subnet
> 2. Regarding the second approach, I am not able to find proper ovs
> natting commands/docs for the same except some explanation
> In my scenario I want to achieve natting using ovs having a lan interface as
> 10.10.10.0/24 (and one virtual lan interface as ethlan)
> and a single wan interface as 188.8.131.52/32 (and a single wan virtual
> interface as ethwan1)
> Both of the interfaces lie on ovs and traffic from host pc( multiple
> machines) needs to be natted via ovs
> Can you let me know the specific command. In a way, my objective is to
> achieve Dynamic NAT/PAT using ovs openflow commands?
> On Thu, May 25, 2017 at 8:33 PM, Aaron Conole <aconole at redhat.com> wrote:
>> akshay6 agarwal <akshayagarwal2014 at gmail.com> writes:
>> > Hi All
>> > My objective is to use fast failover using linux nat in OVS but before
>> implementing that I am stuck on a NAT
>> > (iptables) issue.
>> > I have one ovs bridge with 2 lan interfaces (1 virtual interface
>> (ethlan) and one physical interface (eth1.4))
>> > Also added 2 wan virtual interfaces to ovs bridge(ethwan1 and ethwan2)
>> > Below is the bridge configuration:
>> > LAN SIDE:
>> > ovs-vsctl add-port base ethlan tag=10 -- set interface ethlan
>> > ovs-vsctl add-port base eth1.4 tag=10 (Actual physical lan interface)
>> > WAN1 SIDE:
>> > ovs-vsctl add-port base ethwan1 tag=20 -- set interface ethwan1
>> > WAN2 SIDE:
>> > ovs-vsctl add-port base ethwan2 tag=30 -- set interface ethwan2
>> > IP addresses:
>> > ethlan -> 192.168.10.2
>> > ethwan1 -> 192.168.10.4
>> > eth2->10.1.10.2/24
>> > eth3->10.1.20.2/24
>> > I have 2 wan physical interfaces i.e. eth2 and eth3. Both of these
>> interfaces are lying outside the ovs
>> > My linux nat iptables from ethwan1 to eth2 are not working. I am able
>> to receive the packet from eth1.4
>> > to ethwan1 but not further.
>> While Open vSwitch plugs into the netfilter framework, it does NOT plug
>> into xtables. This means that the iptables commands are not (as a rule)
>> executed as part of the datapath. You *can* create a hybrid setup where
>> you have a virtual port (tap/tun devices or veth pairs connected to
>> separate bridge or netns) which can be used to attach xtables
>> processing. IMO, that is significantly more complication than you want
>> in your life.
>> Using just openvswitch, you can set up the requisite conntrack actions to
>> commit and add any additional nat actions you would desire. Open
>> vSwitch *is* integrated with generic netfilter, so all of the classic
>> netfilter helpers are accessible, and conntrack tools will work just
>> > I am using below iptables:
>> > # /sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
>> > # /sbin/iptables -A FORWARD -i eth2 -o ethwan1 -m state --state
>> RELATED,ESTABLISHED -j ACCEPT
>> > # /sbin/iptables -A FORWARD -i ethwan1 -o eth2 -j ACCEPT
>> > I am using below openflows:
>> > 1. ovs-ofctl -O OpenFlow13 add-flow base cookie=50000,priority=50000,ac
>> > ->To forward traffic from ethlan to ethwan1
>> > 2. ovs-ofctl -O OpenFlow13 add-flow base cookie=50001,priority=50001,ip
>> > Please advise
>> Your normal flow processing won't work here.
>> Please refer to the Open vSwitch conntrack and nat documentation.
>> > Thanks
>> > Akshay
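Aaron's reply points at the OVS conntrack and NAT actions rather than iptables. Below is an added example, not code from this thread or from the Open vSwitch project, of a flow set that does dynamic source NAT/PAT from the LAN subnet in the question to its single WAN address, using the bridge and port names from the thread and assuming both ports sit on that bridge as the question states; the two-table layout, the port range and the helper functions are assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Open vSwitch project.
# Source NAT / PAT done by OVS itself through the conntrack "ct" action,
# the route Aaron's reply points to instead of iptables.
# From the thread: bridge "base", LAN port "ethlan", WAN port "ethwan1",
# LAN subnet 10.10.10.0/24, single public address 188.8.131.52.
# Assumed: the two-table layout, the PAT port range 1024-65535, and a kernel
# openvswitch module with conntrack NAT support (OVS 2.6+ on Linux 4.6+;
# the thread's OVS 2.7 on 4.9.x qualifies).
OVS_BRIDGE="${OVS_BRIDGE:-base}"

# Print the flow set for one LAN port, one WAN port, the LAN subnet and the
# public address.  Table 0 sends every untracked IP packet through conntrack;
# the bare "nat" there applies an existing mapping, which is what un-NATs
# replies arriving from the WAN.  Table 1 then decides on ct_state:
#   new from LAN  -> commit with a source-NAT mapping, output to WAN
#   est from LAN  -> already translated by table 0, output to WAN
#   est from WAN  -> already un-NATed by table 0, output to LAN
#   new from WAN  -> drop (the thread's iptables FORWARD rules only let
#                    RELATED,ESTABLISHED traffic back in from eth2)
ovs_nat_flows() {
    lan=$1 wan=$2 lan_net=$3 wan_ip=$4
    cat <<EOF
table=0,priority=100,arp,actions=NORMAL
table=0,priority=50,ip,ct_state=-trk,actions=ct(table=1,nat)
table=1,priority=100,ip,in_port=$lan,nw_src=$lan_net,ct_state=+trk+new,actions=ct(commit,nat(src=$wan_ip:1024-65535)),output:$wan
table=1,priority=100,ip,in_port=$lan,ct_state=+trk+est,actions=output:$wan
table=1,priority=100,ip,in_port=$wan,ct_state=+trk+est,actions=output:$lan
table=1,priority=50,ip,in_port=$wan,ct_state=+trk+new,actions=drop
table=1,priority=10,actions=drop
EOF
}

# Push the flow set to the bridge; ovs-ofctl reads the flows from stdin ("-").
apply_ovs_nat_flows() {
    command -v ovs-ofctl >/dev/null 2>&1 || { echo "ovs-ofctl not found" >&2; return 1; }
    ovs_nat_flows "$@" | ovs-ofctl -O OpenFlow13 add-flows "$OVS_BRIDGE" -
}

# Dry run: print the flows that would be installed.  To install them:
#   apply_ovs_nat_flows ethlan ethwan1 10.10.10.0/24 188.8.131.52
# and inspect the resulting mappings with "ovs-appctl dpctl/dump-conntrack".
ovs_nat_flows ethlan ethwan1 10.10.10.0/24 188.8.131.52
```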