[ovs-discuss] Source NAT with OpenVSwitch failed

Wei-Yu Chen aweimeow.tw at gmail.com
Thu May 3 03:52:04 UTC 2018


Hi Guru,

Thanks for your reply, but I’m not sure what the MAC address of the gateway is.
Shouldn’t this be done automatically by the OVS NAT function?



---
Best Regards,

Wei-Yu Chen
Wireless Internet Laboratory
Department of Computer Science
National Chiao Tung University

On 30 April 2018 at 11:49:29 PM, Guru Shetty (guru at ovn.org) wrote:



On 26 April 2018 at 06:41, Wei-Yu Chen <aweimeow.tw at gmail.com> wrote:

> Hello all,
>
> Recently, I have been trying SNAT with OVS. I tried to apply all possible
> flows to OVS, but SNAT still doesn’t work, so I am posting this message to
> ask for your help.
>
> In my experiment environment, I used Ubuntu 16.04 with kernel version
> 4.10.0-28-generic, and OVS version 2.9.0.
>
> I have a VM on my PC, and connected the VM and OVS with a Linux bridge, as
> illustrated below:
>
> +-----------------------------------+
> |                                   |
> |    +------+         +-----+       |
> | +--+  br  +---------+ OVS |       |
> | |  +------+   vnet2 +--+--+       |
> | |                      |          |
> | +--+------+            |          |
> | |   VM    |            |          |
> | |10.1.1.2 |            |          |
> | +---------+        +---+----+     |
> |   Ubuntu 16.04     | enp2s0 |     |
> +--------------------+--------+-----+
>
> And OVS has 2 IP addresses, 10.1.1.1/24 and a public IP
> address (140.113.x.x) that enp2s0 originally had. I attached vnet2 and
> enp2s0 to my OVS.
>
> I referred to many posts and wrote the following script:
>
> #!/bin/sh
> BR="BRIDGE_NAME"  # placeholder: the bridge name is not given in this post
> IN="vnet2"
> OUT="enp2s0"
>
> flow1="in_port=$IN,ip,actions=ct(commit,zone=1,nat(src=10.1.1.1)),$OUT"
> flow2="in_port=$OUT,ip,ct_state=-trk,actions=ct(zone=1,nat)"
> flow3="in_port=$OUT,ip,ct_state=+trk,ct_zone=1,actions=$IN"
>
> # Add Flows
> sudo ovs-ofctl add-flow "$BR" "$flow1"
> sudo ovs-ofctl add-flow "$BR" "$flow2"
> sudo ovs-ofctl add-flow "$BR" "$flow3"
>
> But I found that for an ICMP echo to Google DNS from the VM (nw_src=10.1.1.2,
> nw_dst=8.8.8.8), when it passed to enp2s0, only the source IP address changed
> to 10.1.1.1, but the source MAC address stayed the same as the VM’s MAC, and
> the destination MAC address stayed the same as OVS’s MAC address. (The VM’s
> default gateway is 10.1.1.1/24, OVS’s vnet2 interface.)
>
You need to change the MAC addresses too.



> Tcpdump’s log:
>
> 21:12:09.413082 52:54:00:fd:d6:ce > 70:4d:7b:6e:16:e0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 41649, offset 0, flags [DF], proto ICMP (1), length 84)
>     10.1.1.1 > 8.8.8.8: ICMP echo request, id 725, seq 1, length 64
>
> I also tried to find the reason with the conntrack tool, but it shows only
> that 10.1.1.2 has a NEW connection to 8.8.8.8 but didn’t get any reply.
>
> I can’t figure out why OVS’s SNAT didn’t work. Are my flows wrong? Any
> suggestions and ideas are appreciated. Thanks very much.
>
> P.S. The attachment is a snapshot of the illustration; if the illustration
> is broken in your mail viewer, please take a look at the attachment.
>
>
> ---
> Best Regards,
>
> Wei-Yu Chen
> Wireless Internet Laboratory
> Department of Computer Science
> National Chiao Tung University
>
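Guru's point in the thread above, as an added example that is not part of the original messages: the ct(nat) action rewrites IP addresses and ports only, so the flows have to set the Ethernet addresses themselves. The gateway MAC is a placeholder, `table=0` in the second flow and the function names are assumptions of this example, and the other two MACs are taken from the tcpdump line in the post.

```shell
#!/bin/sh
# Added example. Values marked "from the post" come from the thread;
# everything else is a labelled placeholder or assumption.
OVS_MAC="70:4d:7b:6e:16:e0"   # from the post: OVS's MAC in the tcpdump line
VM_MAC="52:54:00:fd:d6:ce"    # from the post: the VM's MAC in the tcpdump line
GW_MAC="02:00:00:00:00:01"    # placeholder: the next-hop MAC is not given in the post

# Print the three SNAT flows with Ethernet rewrites added around ct(nat).
snat_flows() {  # args: in_port out_port nat_ip
    printf 'in_port=%s,ip,actions=ct(commit,zone=1,nat(src=%s)),mod_dl_src:%s,mod_dl_dst:%s,output:%s\n' \
        "$1" "$3" "$OVS_MAC" "$GW_MAC" "$2"
    # Assumption: table=0 recirculates the reply so the +trk flow can match it.
    printf 'in_port=%s,ip,ct_state=-trk,actions=ct(table=0,zone=1,nat)\n' "$2"
    printf 'in_port=%s,ip,ct_state=+trk,ct_zone=1,actions=mod_dl_src:%s,mod_dl_dst:%s,output:%s\n' \
        "$2" "$OVS_MAC" "$VM_MAC" "$1"
}

# Extract "src dst" MAC addresses from one `tcpdump -e` header line.
frame_macs() {
    printf '%s\n' "$1" |
        awk '$3 == ">" { sub(/,$/, "", $4); print tolower($2), tolower($4) }'
}

# Succeed only if the frame leaves with OVS's MAC as source and the
# next hop's MAC as destination.
check_egress() {  # args: tcpdump_header_line
    set -- $(frame_macs "$1")
    [ "$1" = "$OVS_MAC" ] && [ "$2" = "$GW_MAC" ]
}

# Header line from the post (frame as seen on enp2s0 before any MAC rewrite).
BEFORE='21:12:09.413082 52:54:00:fd:d6:ce > 70:4d:7b:6e:16:e0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 41649, offset 0, flags [DF], proto ICMP (1), length 84)'
# Constructed line: what the same frame would look like after the rewrite.
AFTER="21:12:09.413082 $OVS_MAC > $GW_MAC, ethertype IPv4 (0x0800), length 98:"

snat_flows vnet2 enp2s0 10.1.1.1
check_egress "$BEFORE" || echo "posted frame: Ethernet header not rewritten"
check_egress "$AFTER" && echo "constructed frame: Ethernet header rewritten"
```

Each printed flow can be passed to `ovs-ofctl add-flow` as in the posted script once `GW_MAC` is replaced with the real next-hop address.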