[ovs-git] [openvswitch/ovs] de2975: ovn: DNAT and SNAT on a gateway router.

GitHub noreply at github.com
Tue Jun 21 18:48:39 UTC 2016 

  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: de2975479605ad91c3d26678b491ea40f24c239f
      https://github.com/openvswitch/ovs/commit/de2975479605ad91c3d26678b491ea40f24c239f
  Author: Gurucharan Shetty <guru at ovn.org>
  Date:   2016-06-21 (Tue, 21 Jun 2016)

  Changed paths:
    M ovn/lib/actions.c
    M ovn/northd/ovn-northd.8.xml
    M ovn/northd/ovn-northd.c
    M ovn/ovn-nb.ovsschema
    M ovn/ovn-nb.xml
    M ovn/ovn-sb.xml
    M ovn/utilities/ovn-nbctl.c
    M tests/ovn.at

  Log Message:
  -----------
  ovn: DNAT and SNAT on a gateway router.

For traffic from physical space to virtual space we need DNAT.
The DNAT happens in the gateway router and reaches the logical
port. The return traffic should be unDNATed.

Traffic originating in virtual space heading to physical space
should be SNATed. The return traffic is unSNATted.

East-west traffic with the public destination IP address needs
a DNAT. This traffic is punted to the l3 gateway where DNAT
takes place. This traffic is also SNATed and eventually loops back to
its destination. The SNAT is needed because we need the reverse traffic
to go back to the l3 gateway and not short-circuit directly to the source.

This commit introduces 4 new logical actions.
1. ct_snat: To send the packet through SNAT zone to unSNAT packets.
2. ct_snat(IP): To SNAT to the provided IP address.
3. ct_dnat: To send the packet throgh DNAT zone to unDNAT packets.
4. ct_dnat(IP): To DNAT to the provided IP.

This commit only provides the ability to do IP based NAT. This will
eventually be enhanced to do PORT based NAT too.

Command hints:

Consider a distributed router "R1" that has switch foo (192.168.1.0/24)
with a lport foo1 (192.168.1.2) and bar (192.168.2.0/24) with lport bar1
(192.168.2.2) connected to it. You connect "R1" to
a gateway router "R2" via a switch "join" in (20.0.0.0/24) network.

R2 has a switch "alice" (172.16.1.0/24) connected to it (to simulate
external network).

case: Add pure DNAT (north-south)

Add a DNAT rule in R2:
ovn-nbctl -- --id=@nat create nat type="dnat" logical_ip=192.168.1.2 \
external_ip=30.0.0.2 -- add logical_router R2 nat @nat

Now alice1 should be able to ping 192.168.1.2 via 30.0.0.2.

case2 : Add pure SNAT (south-north)

Add a SNAT rule in R2:

ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=192.168.2.2 \
external_ip=30.0.0.1 -- add logical_router R2 nat @nat

(You need a static route in R1 to send packets destined to outside
world to go through R2. The logical_ip can be a subnet.)

When bar1 pings alice1, alice1 receives traffic from 30.0.0.1

case3 : SNAT and DNAT (east-west traffic)

When bar1 pings 30.0.0.2, the traffic jumps to the gateway router
and loops back to foo1 with a source ip address of 30.0.0.1

Signed-off-by: Gurucharan Shetty <guru at ovn.org>
Acked-by: Flavio Fernandes <flavio at flaviof.com>

More information about the git mailing list