Message ID | 20200422100746.31008-1-flavio@flaviof.com |
---|---|
State | Changes Requested |
Headers | show |
Series | [ovs-dev,ovn,v1] NAT: port range cannot be stateless | expand |
Hi Flavio,
Changes look fine to me.
Acked-by: Ankur Sharma<ankur.sharma@nutanix.com>
Regards,
Ankur
On Thu, Apr 23, 2020 at 12:55 AM Ankur Sharma <ankur.sharma@nutanix.com> wrote: > > Hi Flavio, > > Changes look fine to me. > > Acked-by: Ankur Sharma<ankur.sharma@nutanix.com> > > Regards, > Ankur > ________________________________ > From: dev <ovs-dev-bounces@openvswitch.org> on behalf of Flavio Fernandes <flavio@flaviof.com> > Sent: Wednesday, April 22, 2020 3:07 AM > To: dev@openvswitch.org <dev@openvswitch.org> > Subject: [ovs-dev] [PATCH ovn v1] NAT: port range cannot be stateless > > Minor change to ovn-nbctl to prevent users from attempting > to use port range and stateless together. That is so > because port range uses conntrack to set the source port. > > Signed-off-by: Flavio Fernandes <flavio@flaviof.com> Hi Flavio, The test case "144: ovn -- check portrange dnat, snat and dnat_and_snat rules" is failing for me with this patch. Here's the output of test suite log **** ... table=3 (lr_out_delivery ), priority=100 , match=(outport == "R1-S1"), action=(output;) ovn-northd.at:1127: waiting until test 3 = `ovn-sbctl dump-flows R1 | grep lr_in_unsnat | \ wc -l`... ovn-northd.at:1127: wait failed after 30 seconds ../../tests/ovs-macros.at:220: hard failure 144. ovn-northd.at:1077: 144. ovn -- check portrange dnat, snat and dnat_and_snat rules (ovn-northd.at:1077): FAILED (ovs-macros.at:220) ***** Thanks Numan > --- > tests/ovn-nbctl.at | 4 ++++ > utilities/ovn-nbctl.c | 6 ++++++ > 2 files changed, 10 insertions(+) > > diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at > index 66fbcc748..637d88fcd 100644 > --- a/tests/ovn-nbctl.at > +++ b/tests/ovn-nbctl.at > @@ -652,6 +652,10 @@ AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1. > [ovn-nbctl: invalid port range 0-10. > ]) > > +AT_CHECK([ovn-nbctl --stateless --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.5 192.168.1.8 6], [1], [], > +[ovn-nbctl: --stateless and --portrange may not be used together > +]) > + > AT_CHECK([ovn-nbctl show lr0 | grep -c 'external port(s): "1-3000"'], [0], [dnl > 3 > ]) > diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c > index cb46d3aa5..95eb54bf3 100644 > --- a/utilities/ovn-nbctl.c > +++ b/utilities/ovn-nbctl.c > @@ -4167,6 +4167,12 @@ nbctl_lr_nat_add(struct ctl_context *ctx) > ctl_error(ctx, "stateless is not applicable to dnat or snat types"); > return; > } > + /* Port range needs conntrack, so it can't be stateless. */ > + if (stateless && is_portrange) { > + ctl_error(ctx, "--stateless and --portrange may not be used " > + "together"); > + return; > + } > > int is_snat = !strcmp("snat", nat_type); > for (size_t i = 0; i < lr->n_nat; i++) { > -- > 2.17.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=s883GpUCOChKOHiocYtGcg&r=mZwX9gFQgeJHzTg-68aCJgsODyUEVsHGFOfL90J6MJY&m=xNkp1l1aS0wzzCO0Cl0IOWE8eoCoKlh0eQyn2TTeoQM&s=pKYanI7NOuKdC1X_F_QrPy9JKQexeG6q7boRHJWpv8c&e= > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 66fbcc748..637d88fcd 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -652,6 +652,10 @@ AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1. [ovn-nbctl: invalid port range 0-10. ]) +AT_CHECK([ovn-nbctl --stateless --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.5 192.168.1.8 6], [1], [], +[ovn-nbctl: --stateless and --portrange may not be used together +]) + AT_CHECK([ovn-nbctl show lr0 | grep -c 'external port(s): "1-3000"'], [0], [dnl 3 ]) diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index cb46d3aa5..95eb54bf3 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -4167,6 +4167,12 @@ nbctl_lr_nat_add(struct ctl_context *ctx) ctl_error(ctx, "stateless is not applicable to dnat or snat types"); return; } + /* Port range needs conntrack, so it can't be stateless. */ + if (stateless && is_portrange) { + ctl_error(ctx, "--stateless and --portrange may not be used " + "together"); + return; + } int is_snat = !strcmp("snat", nat_type); for (size_t i = 0; i < lr->n_nat; i++) {
Minor change to ovn-nbctl to prevent users from attempting to use port range and stateless together. That is so because port range uses conntrack to set the source port. Signed-off-by: Flavio Fernandes <flavio@flaviof.com> --- tests/ovn-nbctl.at | 4 ++++ utilities/ovn-nbctl.c | 6 ++++++ 2 files changed, 10 insertions(+)