[ovs-git] [openvswitch/ovs] d072d2: ofproto-dpif-trace: Improve NAT tracing.

Dumitru Ceara noreply at github.com
Tue Jun 16 22:08:06 UTC 2020


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: d072d2de011b5874e16a0fe81953c2448658746a
      https://github.com/openvswitch/ovs/commit/d072d2de011b5874e16a0fe81953c2448658746a
  Author: Dumitru Ceara <dceara at redhat.com>
  Date:   2020-06-16 (Tue, 16 Jun 2020)

  Changed paths:
    M ofproto/ofproto-dpif-trace.c
    M ofproto/ofproto-dpif-trace.h
    M ofproto/ofproto-dpif-xlate.c
    M tests/ofproto-dpif.at

  Log Message:
  -----------
  ofproto-dpif-trace: Improve NAT tracing.

When ofproto/trace detects a recirc action it resumes execution at the
specified next table. However, if the ct action performs SNAT/DNAT,
e.g., ct(commit,nat(src=1.1.1.1:4000),table=42), the src/dst IPs and
ports in the oftrace_recirc_node->flow field are not updated. This leads
to misleading outputs from ofproto/trace as real packets would actually
first get NATed and might match different flows when recirculated.

Assume the first IP/port from the NAT src/dst action will be used by
conntrack for the translation and update the oftrace_recirc_node->flow
accordingly. This is not entirely correct as conntrack might choose a
different IP/port but the result is more realistic than before.

This fix covers new connections. However, for reply traffic that executes
actions of the form ct(nat, table=42) we still don't update the flow as
we don't have any information about conntrack state when tracing.

Also move the oftrace_recirc_node processing out of ofproto_trace()
and to its own function, ofproto_trace_recirc_node() for better
readability.

Signed-off-by: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
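
The effect described in the log message, as an added Python model that is not part of the commit and is not OVS code: the flow handed to the next table is rewritten with the first IP/port of the NAT range, which can change which rule it matches. The dict-based flow, the table 42 rules, the sample packet and all function names are constructed for illustration, and only IPv4 `nat(src=...)`/`nat(dst=...)` specs are handled.

```python
import re

NAT_RE = re.compile(r"nat\((src|dst)=([^,)]+)")   # nat(src=IP[-IP][:PORT[-PORT]])
TABLE_RE = re.compile(r"table=(\d+)")

def first_nat_endpoint(spec):
    """Return (ip, port) for the first address and port of a NAT range."""
    addr, _, ports = spec.partition(":")
    ip = addr.split("-")[0]
    port = int(ports.split("-")[0]) if ports else None
    return ip, port

def recirc_flow(flow, ct_action, apply_nat=True):
    """Return (next_table, flow) that tracing resumes with after ct_action."""
    out = dict(flow)
    table = int(TABLE_RE.search(ct_action).group(1))
    m = NAT_RE.search(ct_action)
    # A bare "nat" (reply traffic) carries no range, so the flow stays as-is:
    # the translation depends on conntrack state the trace does not have.
    if apply_nat and m:
        kind, spec = m.groups()
        ip, port = first_nat_endpoint(spec)
        out["nw_" + kind] = ip
        if port is not None:
            out["tp_" + kind] = port
    return table, out

def lookup(rules, flow):
    """First rule whose match fields all equal the flow's fields wins."""
    for match, verdict in rules:
        if all(flow.get(k) == v for k, v in match.items()):
            return verdict
    return "drop"

# Constructed sample data: table 42 only forwards the translated source.
TABLES = {42: [({"nw_src": "1.1.1.1", "tp_src": 4000}, "output:2"),
               ({}, "drop")]}
PKT = {"nw_src": "10.0.0.5", "nw_dst": "8.8.8.8", "tp_src": 33333, "tp_dst": 53}
ACTION = "ct(commit,nat(src=1.1.1.1:4000),table=42)"

def trace(flow, ct_action, apply_nat):
    table, resumed = recirc_flow(flow, ct_action, apply_nat)
    return lookup(TABLES[table], resumed)

if __name__ == "__main__":
    print("flow not updated:", trace(PKT, ACTION, apply_nat=False))
    print("flow updated:    ", trace(PKT, ACTION, apply_nat=True))
```
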



