[ovs-discuss] OpenvSwitch SNAT doesn't work for "ping" on Windows

Tue Feb 25 01:17:45 UTC 2020

Hi Alin,

Yes, we find this issue when testing with Windows native 'ping'. So you mean the bug is introduced by Windows `ping` utility but not by Windows system design. Could you help suggest some third party `ping` utilities we could use on Windows?

Thanks,
Wenying

-----Original Message-----
From: Alin Serdean <aserdean at cloudbasesolutions.com> 
Sent: 2020年2月25日 0:04
To: Wenying Dong <wenyingd at vmware.com>; bugs at openvswitch.org
Cc: Jinjun Gao <jinjung at vmware.com>; Anand Kumar <kumaranand at vmware.com>; Rui Cao <rcao at vmware.com>; Vicky Liu <vickyl at vmware.com>
Subject: RE: OpenvSwitch SNAT doesn't work for "ping" on Windows

> -----Original Message-----
> From: Wenying Dong <wenyingd at vmware.com>
> Sent: Monday, February 17, 2020 10:08 AM
> To: bugs at openvswitch.org
> Cc: Jinjun Gao <jinjung at vmware.com>; Anand Kumar 
> <kumaranand at vmware.com>; Alin Serdean 
> <aserdean at cloudbasesolutions.com>; Rui Cao <rcao at vmware.com>; Vicky 
> Liu <vickyl at vmware.com>
> Subject: OpenvSwitch SNAT doesn't work for "ping" on Windows
> 
> Hi,
> 
> 
> 
> We are running OVS on Windows to provide networking for containers. We 
> expect OVS could do SNAT for the traffic which is sent from containers 
> to an external address. But during the test, we found that the SNAT 
> corresponding OpenFlow entries don't work if we "ping" external 
> address, and the container could not get reply packets.
> 
> 
> 
> Using OVS conntrack commands, we found that there were datapath flows 
> for the ICMP packets, and the key of the connection was a tuple of 
> (sIP, dIP, ICMP type, ICMP code, and identifier). We have also dump 
> the packets with wireshark, and found that the "ping" packets from 
> both containers and the hypervisor host were using a fixed identifier 
> "256", which might cause OVS to forward the reply packets by mistake.
> 
> 
> 
> Could you help fix this issue?
> 
> 
> 
> Thanks,
> 
> Wenying

Hi Wenying,

Is this isolated for ICMP?

One of the issues that I found during testing was that the native Windows `ping` utility does not change the ICMP ID/SEQ.
For reference:
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FPing_(networking_utility)%23Echo_request&data=02%7C01%7Cwenyingd%40vmware.com%7Ceb4502417d2543c9afe808d7b943228e%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637181570309694384&sdata=HceXT2V1zkDzE97F0F81iPixe2jNJiNOfhSTxWlYy90%3D&reserved=0
Can you try using a different ping utility?

Alin.