[ovs-discuss] Conntrack and unexpected change in source IP

Thiago Santos thiago at mode.net
Tue May 7 19:05:43 UTC 2019


I've been using OVS Conntrack integration for Source NAT and setting the
Destination IP directly but this is having the side effect of overwriting
the Conntrack set SNAT IP. I simplified my rules to look like this to
reproduce the problem:

cookie=0x0, duration=90070.633s, table=0, n_packets=32266,
n_bytes=48644792, idle_age=1716, hard_age=65534,
ip,in_port=1,nw_dst= actions=ct(table=1,zone=2,nat)
cookie=0x0, duration=89993.501s, table=1, n_packets=32266,
n_bytes=48644792, idle_age=1716, hard_age=65534,
cookie=0x0, duration=1757.194s, table=2, n_packets=0, n_bytes=0,
idle_age=1757, priority=601,ip,nw_src= actions=drop
cookie=0x0, duration=1808.236s, table=2, n_packets=5361, n_bytes=8105832,
idle_age=1716, priority=600,ip actions=mod_nw_dst:,output:2

If I change the last 2 rules priorities so that they are in reverse order,
it seems to work.

ovs-appctl dpctl/dump-flows shows me this:
recirc_id(0x2),ct_state(+new+trk),eth(),eth_type(0x0800),ipv4(src=,dst=,frag=no), packets:59, bytes:89208,
used:0.168s, actions:ct(commit,zone=2,nat(src=,set(ipv4(src=,dst=,4

So it looks like it is doing a set on the source IP because of the matching
on source IP of the 3rd rule above. Is there a way around this or am I
doing something wrong?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20190507/8325d2f5/attachment.html>

More information about the discuss mailing list