[ovs-discuss] OpenvSwitch SNAT doesn't work for "ping" on Windows
Alin Serdean
aserdean at cloudbasesolutions.com
Mon Feb 24 16:03:47 UTC 2020
> -----Original Message-----
> From: Wenying Dong <wenyingd at vmware.com>
> Sent: Monday, February 17, 2020 10:08 AM
> To: bugs at openvswitch.org
> Cc: Jinjun Gao <jinjung at vmware.com>; Anand Kumar
> <kumaranand at vmware.com>; Alin Serdean
> <aserdean at cloudbasesolutions.com>; Rui Cao <rcao at vmware.com>; Vicky Liu
> <vickyl at vmware.com>
> Subject: OpenvSwitch SNAT doesn't work for "ping" on Windows
>
> Hi,
>
>
>
> We are running OVS on Windows to provide networking for containers. We
> expect OVS could do SNAT for the traffic which is sent from containers to an
> external address. But during the test, we found that the SNAT corresponding
> OpenFlow entries don't work if we "ping" external address, and the container
> could not get reply packets.
>
>
>
> Using OVS conntrack commands, we found that there were datapath flows for
> the ICMP packets, and the key of the connection was a tuple of (sIP, dIP, ICMP
> type, ICMP code, and identifier). We have also dump the packets with wireshark,
> and found that the "ping" packets from both containers and the hypervisor host
> were using a fixed identifier "256", which might cause OVS to forward the reply
> packets by mistake.
>
>
>
> Could you help fix this issue?
>
>
>
> Thanks,
>
> Wenying
Hi Wenying,
Is this isolated for ICMP?
One of the issues that I found during testing was that the native Windows `ping` utility
does not change the ICMP ID/SEQ.
For reference:
https://en.wikipedia.org/wiki/Ping_(networking_utility)#Echo_request
Can you try using a different ping utility?
Alin.
More information about the discuss
mailing list