From patchwork Thu Nov 3 10:46:45 2016
X-Patchwork-Submitter: Gurucharan Shetty
X-Patchwork-Id: 691014
From: Gurucharan Shetty
To: dev@openvswitch.org
Date: Thu, 3 Nov 2016 03:46:45 -0700
Subject: [ovs-dev] [PATCH 2/3] ovn: Ability to skip some IP addresses for SNAT.
Message-Id: <1478170006-15289-2-git-send-email-guru@ovn.org>
In-Reply-To: <1478170006-15289-1-git-send-email-guru@ovn.org>
References: <1478170006-15289-1-git-send-email-guru@ovn.org>

We currently have the ability to add a large network to match on the
source IP address of a packet and then SNAT it to an external_ip.
For example, one could add a SNAT rule that SNATs all packets with a
source IP address of "0.0.0.0/0" to 10.1.1.10.

It is useful to let a small subnet pass through without any SNAT
done on it, e.g. a subnet that is routable in the external network.

This commit adds a "nosnat" option to the NAT table.

Signed-off-by: Gurucharan Shetty
---
 ovn/northd/ovn-northd.8.xml |  8 ++++++++
 ovn/northd/ovn-northd.c     | 38 ++++++++++++++++++++++++++++----------
 ovn/ovn-nb.ovsschema        |  5 +++--
 ovn/ovn-nb.xml              |  7 +++++++
 tests/system-ovn.at         | 17 +++++++++++++++++
 5 files changed, 63 insertions(+), 12 deletions(-)
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index df53d4c..b406db6 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -1434,6 +1434,14 @@ arp {
  • For each configuration in the OVN Northbound database, that asks + NOT to change the source IP address of a packet with address + A or NOT to change the source IP address of a packet that + belongs to network A, a priority-100 flow with a match of + ip && ip4.src == A and an action of + next;. +

    +

    + For each configuration in the OVN Northbound database, that asks to change the source IP address of a packet from an IP address of A or to change the source IP address of a packet that belongs to network A to B, a flow matches diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 07c7b2d..86504aa 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -3680,6 +3680,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, nat = op->od->nbr->nat[i]; + if (!strcmp(nat->type, "nosnat")) { + continue; + } + ovs_be32 ip; if (!ip_parse(nat->external_ip, &ip) || !ip) { static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); @@ -3920,19 +3924,24 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ovs_be32 ip, mask; - char *error = ip_parse_masked(nat->external_ip, &ip, &mask); - if (error || mask != OVS_BE32_MAX) { - static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); - VLOG_WARN_RL(&rl, "bad external ip %s for nat", - nat->external_ip); - free(error); - continue; + if (strcmp(nat->type, "nosnat")) { + /* "nosnat" cases do not have a 'external_ip'. Every other + * case should have a valid 'external_ip'. */ + char *error = ip_parse_masked(nat->external_ip, &ip, &mask); + if (error || mask != OVS_BE32_MAX) { + static struct vlog_rate_limit rl + = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "bad external ip %s for nat", + nat->external_ip); + free(error); + continue; + } } /* Check the validity of nat->logical_ip. 'logical_ip' can - * be a subnet when the type is "snat". */ - error = ip_parse_masked(nat->logical_ip, &ip, &mask); - if (!strcmp(nat->type, "snat")) { + * be a subnet when the type is "snat" or "nosnat". */ + char *error = ip_parse_masked(nat->logical_ip, &ip, &mask); + if (!strcmp(nat->type, "snat") || !strcmp(nat->type, "nosnat")) { if (error) { static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); 
@@ -3987,6 +3996,15 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_cstr(&match), ds_cstr(&actions)); } + /* Egress SNAT table: Skip packets that have a specific 'nosnat' + * rule. */ + if (!strcmp(nat->type, "nosnat")) { + ds_clear(&match); + ds_put_format(&match, "ip && ip4.src == %s", nat->logical_ip); + ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 100, + ds_cstr(&match), "next;"); + } + /* Egress SNAT table: Packets enter the egress pipeline with * source ip address that needs to be SNATted to a external ip * address. */ diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema index 65f2d7c..8cfc8a6 100644 --- a/ovn/ovn-nb.ovsschema +++ b/ovn/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "5.4.1", - "cksum": "3773248894 11490", + "version": "5.4.2", + "cksum": "3390487716 11561", "tables": { "NB_Global": { "columns": { @@ -210,6 +210,7 @@ "type": {"type": {"key": {"type": "string", "enum": ["set", ["dnat", "snat", + "nosnat", "dnat_and_snat" ]]}}}}, "isRoot": false}, diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 7626551..e16e1c2 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -1155,6 +1155,13 @@ .

  • + When is nosnat, IP packets + with their source IP address that either matches the IP address + in or is in the network provided by + is not SNATed and is allowed to + pass-through. +
  • +
  • When is dnat_and_snat, the externally visible IP address is DNATted to the IP address in the diff --git a/tests/system-ovn.at b/tests/system-ovn.at index 21226d9..d627f76 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -263,6 +263,23 @@ sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl icmp,orig=(src=192.168.1.2,dst=172.16.1.2,id=,type=8,code=0),reply=(src=172.16.1.2,dst=172.16.1.1,id=,type=0,code=0),zone= ]) +ovs-appctl dpctl/flush-conntrack + +# Add a "nosnat" rule. +ovn-nbctl -- --id=@nat create nat type="nosnat" logical_ip=192.168.1.0/24 \ + -- add logical_router R2 nat @nat + +# South-North NOSNAT: 'foo1' pings 'alice1'. 'alice1' receives traffic +# from 192.168.1.2 (i.e without NAT) +NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 172.16.1.2 | FORMAT_PING], \ +[0], [dnl +3 packets transmitted, 3 received, 0% packet loss, time 0ms +]) + +# We verify that SNAT did not happen via 'dump-conntrack' command. +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.1.1)], [0], [dnl +]) + OVS_APP_EXIT_AND_WAIT([ovn-controller]) as ovn-sb
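Review bot: in the ovn-northd.c hunk at @@ -3680, the early `continue` for "nosnat" skips the `ip_parse(nat->external_ip, &ip)` check without saying why; a one-line comment like the one in the later hunk ("nosnat" rows carry no external_ip, so there is nothing to parse or to answer ARP for) would keep the two skips consistent and stop a future reader from "fixing" it back.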
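Review bot: in the ovn-northd.c hunk at @@ -3920, `char *error` is now declared twice, once inside the `if (strcmp(nat->type, "nosnat"))` guard and again after it for the logical_ip parse; a single declaration before the guard, reused for both `ip_parse_masked` calls, reads more simply and avoids the shadow-looking pattern. The new comment should also read "an 'external_ip'" rather than "a 'external_ip'".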
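Review bot: in the ovn-northd.c hunk at @@ -3987, the new "nosnat" block adds its priority-100 `next;` flow and then falls through into the "Egress SNAT table" code below it; add a `continue` after `ovn_lflow_add(...)`, or confirm that the following block is guarded on `nat->type` (that guard is outside the shown context), so a nosnat entry can never also produce an SNAT flow. The literal 100 also deserves a comment stating that it must stay above the priority of every SNAT flow installed in S_ROUTER_OUT_SNAT, because the exemption only works if it matches first.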
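Review bot: in the ovn-nb.xml hunk at @@ -1155, the new bullet documents the type but nothing says what `external_ip` means for a nosnat row; the ovn-northd.c comment states that nosnat cases do not have an external_ip, so the column documentation (and the schema, if the column is required) should say the value is unused for nosnat. Grammar in the bullet: "IP packets ... is not SNATed and is allowed to pass-through" should be "are not SNATed and are allowed to pass through".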
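Review bot: in the tests/system-ovn.at hunk at @@ -263, the only assertion after the ping is that `FORMAT_CT(172.16.1.1)` prints nothing, which would also hold if no conntrack entry were created at all; the comment claims 'alice1' receives traffic from 192.168.1.2, so a positive check (an `AT_CHECK` on `dpctl/dump-conntrack | FORMAT_CT(192.168.1.2)` expecting an icmp entry with orig src=192.168.1.2, if this path still commits to conntrack) would pin that down. The `ovs-appctl dpctl/flush-conntrack` before the ping is essential for the negative check and should be kept.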