[ovs-discuss] [ovn] Unexpected snat for tcp connection initiated from physical to logical network

Yousong Zhou yszhou4tech at gmail.com
Thu Jun 14 11:57:47 UTC 2018


Hi, I encountered the said situation when playing with those functions
provided by ovn.  The logical traffic path is basically like the
following

  [ls0p0] - ls0 - lr0 - ls_transit - lg0 - ls_localnet - [veth0]

where

 - ls0p0 has ip 192.168.2.2/24
 - lg0 port connecting to ls_localnet has ip 192.168.5.1/24
 - veth0 has ip 192.168.5.2/24 and its peer added as port to ls_localnet

Then I have

 - snat logical_ip=192.168.2.0/24 external_ip=192.168.5.1 attached to lg0
 - on chassis where veth0 resides: ip route add 192.168.2.0/24 via 192.168.5.1 dev veth0

When issuing "curl http://192.168.2.2:8000" from veth0, I got
connection resets.  The tcpdump shows that the 3-way conn setup and
http request psh packets went as expected.  The issue happens when
192.168.2.2 tried to send back ACK where it was un-snated to
192.168.5.1.  From that moment on, tcp rst was exchanged with nat in
place.

This is unexpected since I thought the snat action only takes effect
on connections initiated from inside the logical network, plus the
fact that the conntrack event happens suddenly after connection was up
instead of the normal transition of new,syn_sent,etc.

The Open vSwitch version is 2.9.2.  The host where 192.168.5.2 runs

Here are the tcpdump and "conntrack -E" logs on the event

19:34:40.141129 IP 192.168.5.2.42278 > 192.168.2.2.8000: Flags [S], seq 160641838, win 29200, options [mss 1460,sackOK,TS val 1891801109 ecr 0,nop,wscale 9], length 0
19:34:40.145115 IP 192.168.2.2.8000 > 192.168.5.2.42278: Flags [S.], seq 1269471447, ack 160641839, win 27800, options [mss 1402,sackOK,TS val 723784877 ecr 1891801109,nop,wscale 7], length 0
19:34:40.145172 IP 192.168.5.2.42278 > 192.168.2.2.8000: Flags [.], ack 1269471448, win 58, options [nop,nop,TS val 1891801110 ecr 723784877], length 0
19:34:40.145247 IP 192.168.5.2.42278 > 192.168.2.2.8000: Flags [P.], seq 160641839:160641919, ack 1269471448, win 58, options [nop,nop,TS val 1891801110 ecr 723784877], length 80
19:34:40.145608 IP 192.168.5.1.8000 > 192.168.5.2.42278: Flags [.], ack 160641919, win 218, options [nop,nop,TS val 723784879 ecr 1891801110], length 0
19:34:40.145645 IP 192.168.5.2.42278 > 192.168.5.1.8000: Flags [R], seq 160641919, win 0, length 0
19:34:40.354084 IP 192.168.5.2.42278 > 192.168.2.2.8000: Flags [P.], seq 160641839:160641919, ack 1269471448, win 58, options [nop,nop,TS val 1891801163 ecr 723784877], length 80
19:34:40.354776 IP 192.168.2.2.8000 > 192.168.5.2.42278: Flags [R], seq 1269471448, win 0, length 0

    [NEW] tcp      6 120 SYN_SENT src=192.168.5.2 dst=192.168.2.2 sport=42278 dport=8000 [UNREPLIED] src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278
 [UPDATE] tcp      6 60 SYN_RECV src=192.168.5.2 dst=192.168.2.2 sport=42278 dport=8000 src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278
 [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.5.2 dst=192.168.2.2 sport=42278 dport=8000 src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278 [ASSURED]
    [NEW] tcp      6 300 ESTABLISHED src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278 [UNREPLIED] src=192.168.5.2 dst=192.168.5.1 sport=42278 dport=8000 zone=6
    [NEW] tcp      6 300 ESTABLISHED src=192.168.5.1 dst=192.168.5.2 sport=8000 dport=42278 [UNREPLIED] src=192.168.5.2 dst=192.168.5.1 sport=42278 dport=8000
[DESTROY] tcp      6 src=192.168.5.1 dst=192.168.5.2 sport=8000 dport=42278 [UNREPLIED] src=192.168.5.2 dst=192.168.5.1 sport=42278 dport=8000
[DESTROY] tcp      6 src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278 [UNREPLIED] src=192.168.5.2 dst=192.168.5.1 sport=42278 dport=8000 zone=6
 [UPDATE] tcp      6 10 CLOSE src=192.168.5.2 dst=192.168.2.2 sport=42278 dport=8000 src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278 [ASSURED]
[DESTROY] tcp      6 src=192.168.5.2 dst=192.168.2.2 sport=42278 dport=8000 src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278 [ASSURED]


                yousong
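
Added example, not part of the original post and not OVN or conntrack code: a small Python parser for "conntrack -E" output that flags TCP entries created as [NEW] in a state other than SYN_SENT, and reports whether the reply tuple was rewritten and whether the entry mirrors a flow that was already tracked. The function names are illustrative; the sample is a subset of the events in the post, rejoined onto single lines.

```python
import re

# Subset of the events from the post, rejoined onto single lines.
EVENTS = """\
[NEW] tcp 6 120 SYN_SENT src=192.168.5.2 dst=192.168.2.2 sport=42278 dport=8000 [UNREPLIED] src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278
[UPDATE] tcp 6 432000 ESTABLISHED src=192.168.5.2 dst=192.168.2.2 sport=42278 dport=8000 src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278 [ASSURED]
[NEW] tcp 6 300 ESTABLISHED src=192.168.2.2 dst=192.168.5.2 sport=8000 dport=42278 [UNREPLIED] src=192.168.5.2 dst=192.168.5.1 sport=42278 dport=8000 zone=6
[NEW] tcp 6 300 ESTABLISHED src=192.168.5.1 dst=192.168.5.2 sport=8000 dport=42278 [UNREPLIED] src=192.168.5.2 dst=192.168.5.1 sport=42278 dport=8000
"""

FIELD = re.compile(r"\b(src|dst|sport|dport|zone)=(\S+)")
# "[EVENT] proto protonum [timeout] [STATE]"; DESTROY lines carry no state.
HEAD = re.compile(r"\[(NEW|UPDATE|DESTROY)\]\s+(\w+)\s+\d+(?:\s+\d+)?(?:\s+([A-Z_]+))?")

def parse(line):
    """Return (event, state, zone, original_tuple, reply_tuple) or None."""
    head = HEAD.search(line)
    if not head:
        return None
    pairs = FIELD.findall(line)
    addr = [v for k, v in pairs if k != "zone"]
    if len(addr) != 8:          # need src/dst/sport/dport for both directions
        return None
    zone = next((v for k, v in pairs if k == "zone"), None)  # None: no zone= printed
    return head.group(1), head.group(3), zone, tuple(addr[:4]), tuple(addr[4:])

def mirror(t):
    """Tuple a reply would carry if no address or port were rewritten."""
    src, dst, sport, dport = t
    return (dst, src, dport, sport)

def midstream_entries(text):
    """Flag [NEW] entries that did not start from a SYN."""
    tracked, findings = set(), []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        event, state, zone, orig, reply = rec
        if event == "NEW" and state not in (None, "SYN_SENT"):
            findings.append({
                "zone": zone, "orig": orig,
                "nat": reply != mirror(orig),               # reply tuple rewritten
                "reply_of_tracked": mirror(orig) in tracked,  # reverse of a known flow
            })
        if event != "DESTROY":
            tracked.add(orig)
    return findings
```

On the sample this returns two findings: the zone=6 entry, which has a rewritten reply tuple and mirrors the connection opened from 192.168.5.2, and the entry without a zone field, which has neither property.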

