[ovs-discuss] OpenvSwitch SNAT doesn't work for "ping" on Windows
Wenying Dong
wenyingd at vmware.com
Tue Feb 25 01:17:45 UTC 2020
Hi Alin,
Yes, we find this issue when testing with the Windows native 'ping'. So you mean the bug is introduced by the Windows `ping` utility but not by the Windows system design. Could you help suggest some third-party `ping` utilities we could use on Windows?
Thanks,
Wenying
-----Original Message-----
From: Alin Serdean <aserdean at cloudbasesolutions.com>
Sent: February 25, 2020 0:04
To: Wenying Dong <wenyingd at vmware.com>; bugs at openvswitch.org
Cc: Jinjun Gao <jinjung at vmware.com>; Anand Kumar <kumaranand at vmware.com>; Rui Cao <rcao at vmware.com>; Vicky Liu <vickyl at vmware.com>
Subject: RE: OpenvSwitch SNAT doesn't work for "ping" on Windows
> -----Original Message-----
> From: Wenying Dong <wenyingd at vmware.com>
> Sent: Monday, February 17, 2020 10:08 AM
> To: bugs at openvswitch.org
> Cc: Jinjun Gao <jinjung at vmware.com>; Anand Kumar
> <kumaranand at vmware.com>; Alin Serdean
> <aserdean at cloudbasesolutions.com>; Rui Cao <rcao at vmware.com>; Vicky
> Liu <vickyl at vmware.com>
> Subject: OpenvSwitch SNAT doesn't work for "ping" on Windows
>
> Hi,
>
> We are running OVS on Windows to provide networking for containers. We
> expect OVS could do SNAT for the traffic which is sent from containers
> to an external address. But during the test, we found that the SNAT
> corresponding OpenFlow entries don't work if we "ping" an external
> address, and the container could not get reply packets.
>
> Using OVS conntrack commands, we found that there were datapath flows
> for the ICMP packets, and the key of the connection was a tuple of
> (sIP, dIP, ICMP type, ICMP code, and identifier). We have also dumped
> the packets with Wireshark, and found that the "ping" packets from
> both containers and the hypervisor host were using a fixed identifier
> "256", which might cause OVS to forward the reply packets by mistake.
>
> Could you help fix this issue?
>
> Thanks,
>
> Wenying
Hi Wenying,
Is this isolated for ICMP?
One of the issues that I found during testing was that the native Windows `ping` utility does not change the ICMP ID/SEQ.
For reference:
https://en.wikipedia.org/wiki/Ping_(networking_utility)#Echo_request
Can you try using a different ping utility?
Alin.
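
The collision described in this thread, as an added example that is not part of the original messages and is not OVS code: a simplified tracker keyed on (sIP, dIP, ICMP type, ICMP code, identifier) shows why two senders using the fixed identifier 256 become indistinguishable after SNAT. The `SnatTracker` class, the addresses, and the identifier-remapping mode (one possible mitigation, not something the thread says OVS does) are assumptions for illustration.

```python
# Simplified model of ICMP echo tracking behind SNAT (illustration, not OVS code).
from typing import Dict, Optional, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0
Key = Tuple[str, str, int, int, int]  # (sIP, dIP, ICMP type, ICMP code, identifier)

class SnatTracker:
    def __init__(self, snat_ip: str, remap_ids: bool) -> None:
        self.snat_ip = snat_ip
        self.remap_ids = remap_ids
        self.forward: Dict[Key, int] = {}            # request key -> identifier on the wire
        self.reply: Dict[Key, Tuple[str, int]] = {}  # expected reply key -> (inner IP, inner id)
        self.collisions = 0

    def _reply_key(self, dst: str, wire_id: int) -> Key:
        return (dst, self.snat_ip, ECHO_REPLY, 0, wire_id)

    def outbound(self, src: str, dst: str, icmp_id: int) -> int:
        """Track an echo request and return the identifier sent after SNAT."""
        fwd = (src, dst, ECHO_REQUEST, 0, icmp_id)
        if fwd in self.forward:
            return self.forward[fwd]
        wire_id = icmp_id
        while self._reply_key(dst, wire_id) in self.reply:
            if not self.remap_ids:
                self.collisions += 1  # reply tuple already owned by another sender
                return wire_id
            wire_id = (wire_id + 1) & 0xFFFF  # model assumes a free identifier exists
        self.reply[self._reply_key(dst, wire_id)] = (src, icmp_id)
        self.forward[fwd] = wire_id
        return wire_id

    def inbound(self, src: str, wire_id: int) -> Optional[Tuple[str, int]]:
        """Return (inner IP, inner id) that an echo reply from src is delivered to."""
        return self.reply.get(self._reply_key(src, wire_id))

def demo(remap_ids: bool):
    # Constructed sample: two containers ping one target with the fixed identifier 256.
    nat = SnatTracker("192.0.2.1", remap_ids)
    target = "198.51.100.7"
    wire_ids = [nat.outbound(c, target, 256) for c in ("10.0.0.2", "10.0.0.3")]
    owners = [nat.inbound(target, i) for i in wire_ids]
    return wire_ids, owners, nat.collisions

if __name__ == "__main__":
    print(demo(False), demo(True))
```

Without remapping, both replies resolve to the first container, so the second one never sees its echo reply; with remapping, each reply maps back to its own sender.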