[ovs-discuss] Source NAT with OpenVSwitch failed

Wei-Yu Chen aweimeow.tw at gmail.com
Thu Apr 26 13:41:53 UTC 2018


Hello all,

Recently, I've been trying SNAT with OVS. I tried to apply all possible flows
to OVS, but SNAT still doesn't work, so I'm posting this message to ask for
your help.

In my experiment environment, I used Ubuntu 16.04 with kernel version
4.10.0-28-generic, and OVS version 2.9.0.

I have a VM on my PC, and connected the VM and OVS with a Linux bridge, as
illustrated below:

+------------------------------------------+
|                                          |
|        +------+          +-----+         |
|   +----+  br  +----------+ OVS |         |
|   |    +------+    vnet2 +--+--+         |
|   |                         |            |
|   |    +----------+         |            |
|   +----+    VM    |         |            |
|        | 10.1.1.2 |         |            |
|        +----------+      +--+-----+      |
|  Ubuntu 16.04            | enp2s0 |      |
+--------------------------+--------+------+

The OVS has 2 IP addresses: 10.1.1.1/24 and the public IP address
(140.113.x.x) that enp2s0 originally had. I attached vnet2 and enp2s0 to
my OVS.

I referred to many posts and wrote the following script:

#!/bin/sh
IN="vnet2"           # VM-facing port
OUT="enp2s0"         # uplink port
BR="<bridge-name>"   # bridge name; not given in the original message, placeholder

# flow1: new traffic from the VM is committed to conntrack zone 1, SNATed to 10.1.1.1 and sent out the uplink
flow1="in_port=$IN,ip,actions=ct(commit,zone=1,nat(src=10.1.1.1)),$OUT"
# flow2: untracked traffic arriving on the uplink goes through conntrack zone 1 with NAT
flow2="in_port=$OUT,ip,ct_state=-trk,actions=ct(zone=1,nat)"
# flow3: tracked traffic from the uplink in zone 1 goes to the VM
flow3="in_port=$OUT,ip,ct_state=+trk,ct_zone=1,actions=$IN"

# Add Flows
sudo ovs-ofctl add-flow "$BR" "$flow1"
sudo ovs-ofctl add-flow "$BR" "$flow2"
sudo ovs-ofctl add-flow "$BR" "$flow3"

But I found that for an ICMP echo to Google DNS from the VM (nw_src=10.1.1.2,
nw_dst=8.8.8.8), when it passed to enp2s0, only the source IP address changed
to 10.1.1.1, while the source MAC address stayed the same as the VM's MAC and
the destination MAC address stayed the same as OVS's MAC address. (The VM's
default gateway is 10.1.1.1/24, OVS's vnet2 interface.)

tcpdump's log:

21:12:09.413082 52:54:00:fd:d6:ce > 70:4d:7b:6e:16:e0, ethertype IPv4
(0x0800), length 98: (tos 0x0, ttl 64, id 41649, offset 0, flags [DF],
proto ICMP (1), length 84)
    10.1.1.1 > 8.8.8.8: ICMP echo request, id 725, seq 1, length 64

I also tried to find the reason with the conntrack tool, but it only shows
that 10.1.1.2 has a NEW connection to 8.8.8.8 that didn't get any reply.

I can't figure out why OVS's SNAT didn't work. Are my flows wrong? Any
suggestions and ideas are appreciated. Thanks very much.

P.S. The attachment is a snapshot of the illustration; if the illustration is
broken in your mail viewer, please take a look at the attachment.



---
Best Regards,

Wei-Yu Chen
Wireless Internet Laboratory
Department of Computer Science
National Chiao Tung University
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20180426/8490ef2a/attachment.html>
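The following script is an added example, not part of the message above and not code from the OVS project. It generates a complete SNAT flow set for the topology the message describes and shows how the two halves of the problem fit together: the ct() action only rewrites the IP (and transport) header, so the Ethernet source and destination addresses of the egress frame have to be set explicitly with mod_dl_src/mod_dl_dst, and ct() only yields ct_state values for matching if the packet is re-injected with table=. Every address, MAC and the bridge name are placeholder assumptions (the port names vnet2 and enp2s0 are taken from the message; the ARP rule assumes the 10.1.1.1 gateway address lives on the bridge's own internal port). Table 1 ends in a drop, so an unsolicited new connection arriving on the uplink never reaches the VM; only replies to connections the VM committed are un-NATed and forwarded.

```shell
#!/bin/sh
# Added example (not from the original message): generate, apply and inspect an
# OVS SNAT flow set that rewrites the Ethernet headers as well as the IP header.
# Every address, MAC and the bridge name below is a placeholder assumption.

BR="${BR:-br-ovs}"                        # assumed bridge name
IN="${IN:-vnet2}"                         # VM-facing port (from the message)
OUT="${OUT:-enp2s0}"                      # uplink port (from the message)
SNAT_IP="${SNAT_IP:-192.0.2.10}"          # placeholder public address (TEST-NET-1)
OUT_MAC="${OUT_MAC:-02:00:00:00:00:01}"   # placeholder MAC of the uplink port
GW_MAC="${GW_MAC:-02:00:00:00:00:02}"     # placeholder MAC of the upstream router
LAN_MAC="${LAN_MAC:-02:00:00:00:00:03}"   # placeholder MAC of the 10.1.1.1 gateway port
VM_MAC="${VM_MAC:-52:54:00:00:00:04}"     # placeholder MAC of the VM

# Print the flow set, one flow per line, in ovs-ofctl add-flows syntax.
# Table 0: every untracked IP packet is sent through conntrack zone 1 with
#          "nat", which applies an existing binding (forward or reverse)
#          and re-injects the packet into table 1 with ct_state set.
# Table 1: new connections from the VM are committed with a source NAT
#          binding; established traffic is forwarded; everything else drops.
snat_flows() {
    cat <<EOF
table=0,priority=100,in_port=$IN,ip,ct_state=-trk,actions=ct(table=1,zone=1,nat)
table=0,priority=100,in_port=$OUT,ip,ct_state=-trk,actions=ct(table=1,zone=1,nat)
table=0,priority=50,arp,actions=NORMAL
table=0,priority=0,actions=drop
table=1,priority=100,in_port=$IN,ip,ct_state=+trk+new,actions=ct(commit,zone=1,nat(src=$SNAT_IP)),mod_dl_src:$OUT_MAC,mod_dl_dst:$GW_MAC,output:$OUT
table=1,priority=100,in_port=$IN,ip,ct_state=+trk+est,actions=mod_dl_src:$OUT_MAC,mod_dl_dst:$GW_MAC,output:$OUT
table=1,priority=100,in_port=$OUT,ip,ct_state=+trk+est,actions=mod_dl_src:$LAN_MAC,mod_dl_dst:$VM_MAC,output:$IN
table=1,priority=0,actions=drop
EOF
}

# Number of flows in the generated set (sanity check before applying).
flow_count() {
    snat_flows | grep -c ''
}

# Install the set atomically, replacing whatever the bridge currently holds.
apply_flows() {
    snat_flows | ovs-ofctl --bundle replace-flows "$BR" -
}

# Inspect what actually happened: per-flow packet counters show which table-1
# rule a packet hit, and the conntrack dump shows the NAT binding (or its absence).
show_state() {
    ovs-ofctl dump-flows "$BR"
    ovs-appctl dpctl/dump-conntrack
}

case "${1:-print}" in
    apply) apply_flows ;;
    show)  show_state ;;
    *)     snat_flows ;;   # default: dry run, just print the flow set
esac
```

Run it with no argument to review the generated flows, with `apply` (as root, with BR and the MAC/IP variables exported for the real environment) to install them, and with `show` afterwards to compare the table-1 counters against the conntrack table: a commit on the +new rule with no matching +est hits on the uplink side is the same symptom the message describes, and the conntrack dump then tells you whether the reply ever reached the bridge.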
