diff mbox series

[ovs-dev,ovn,v1] NAT: port range cannot be stateless

Message ID 20200422100746.31008-1-flavio@flaviof.com
State Changes Requested
Headers show
Series [ovs-dev,ovn,v1] NAT: port range cannot be stateless | expand

Commit Message

Flaviof April 22, 2020, 10:07 a.m. UTC 
Minor change to ovn-nbctl to prevent users from attempting
to use port range and stateless together. That is so
because port range uses conntrack to set the source port.

Signed-off-by: Flavio Fernandes <flavio@flaviof.com>
---
 tests/ovn-nbctl.at    | 4 ++++
 utilities/ovn-nbctl.c | 6 ++++++
 2 files changed, 10 insertions(+)

Comments

Ankur Sharma April 22, 2020, 7:25 p.m. UTC | #1 
Hi Flavio,

Changes look fine to me.

Acked-by: Ankur Sharma<ankur.sharma@nutanix.com>

Regards,
Ankur
Numan Siddique April 27, 2020, 9:24 a.m. UTC | #2 
On Thu, Apr 23, 2020 at 12:55 AM Ankur Sharma <ankur.sharma@nutanix.com> wrote:
>
> Hi Flavio,
>
> Changes look fine to me.
>
> Acked-by: Ankur Sharma<ankur.sharma@nutanix.com>
>
> Regards,
> Ankur
> ________________________________
> From: dev <ovs-dev-bounces@openvswitch.org> on behalf of Flavio Fernandes <flavio@flaviof.com>
> Sent: Wednesday, April 22, 2020 3:07 AM
> To: dev@openvswitch.org <dev@openvswitch.org>
> Subject: [ovs-dev] [PATCH ovn v1] NAT: port range cannot be stateless
>
> Minor change to ovn-nbctl to prevent users from attempting
> to use port range and stateless together. That is so
> because port range uses conntrack to set the source port.
>
> Signed-off-by: Flavio Fernandes <flavio@flaviof.com>

Hi Flavio,

The test case "144: ovn -- check portrange dnat, snat and
dnat_and_snat rules" is failing for me
with this patch.

Here's the output of test suite log

****
...
  table=3 (lr_out_delivery    ), priority=100  , match=(outport ==
"R1-S1"), action=(output;)
ovn-northd.at:1127: waiting until test 3 = `ovn-sbctl dump-flows R1 |
grep lr_in_unsnat | \
wc -l`...
ovn-northd.at:1127: wait failed after 30 seconds
../../tests/ovs-macros.at:220: hard failure
144. ovn-northd.at:1077: 144. ovn -- check portrange dnat, snat and
dnat_and_snat rules (ovn-northd.at:1077): FAILED (ovs-macros.at:220)

*****

Thanks
Numan

> ---
>  tests/ovn-nbctl.at    | 4 ++++
>  utilities/ovn-nbctl.c | 6 ++++++
>  2 files changed, 10 insertions(+)
>
> diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
> index 66fbcc748..637d88fcd 100644
> --- a/tests/ovn-nbctl.at
> +++ b/tests/ovn-nbctl.at
> @@ -652,6 +652,10 @@ AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.
>  [ovn-nbctl: invalid port range 0-10.
>  ])
>
> +AT_CHECK([ovn-nbctl --stateless --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.5 192.168.1.8 6], [1], [],
> +[ovn-nbctl: --stateless and --portrange may not be used together
> +])
> +
>  AT_CHECK([ovn-nbctl show lr0 | grep -c 'external port(s): "1-3000"'], [0], [dnl
>  3
>  ])
> diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c
> index cb46d3aa5..95eb54bf3 100644
> --- a/utilities/ovn-nbctl.c
> +++ b/utilities/ovn-nbctl.c
> @@ -4167,6 +4167,12 @@ nbctl_lr_nat_add(struct ctl_context *ctx)
>          ctl_error(ctx, "stateless is not applicable to dnat or snat types");
>          return;
>      }
> +    /* Port range needs conntrack, so it can't be stateless. */
> +    if (stateless && is_portrange) {
> +        ctl_error(ctx, "--stateless and --portrange may not be used "
> +                  "together");
> +        return;
> +    }
>
>      int is_snat = !strcmp("snat", nat_type);
>      for (size_t i = 0; i < lr->n_nat; i++) {
> --
> 2.17.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwICAg&c=s883GpUCOChKOHiocYtGcg&r=mZwX9gFQgeJHzTg-68aCJgsODyUEVsHGFOfL90J6MJY&m=xNkp1l1aS0wzzCO0Cl0IOWE8eoCoKlh0eQyn2TTeoQM&s=pKYanI7NOuKdC1X_F_QrPy9JKQexeG6q7boRHJWpv8c&e=
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
diff mbox series

Patch

diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 66fbcc748..637d88fcd 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -652,6 +652,10 @@  AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.
 [ovn-nbctl: invalid port range 0-10.
 ])
 
+AT_CHECK([ovn-nbctl --stateless --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.5 192.168.1.8 6], [1], [],
+[ovn-nbctl: --stateless and --portrange may not be used together
+])
+
 AT_CHECK([ovn-nbctl show lr0 | grep -c 'external port(s): "1-3000"'], [0], [dnl
 3
 ])
diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c
index cb46d3aa5..95eb54bf3 100644
--- a/utilities/ovn-nbctl.c
+++ b/utilities/ovn-nbctl.c
@@ -4167,6 +4167,12 @@  nbctl_lr_nat_add(struct ctl_context *ctx)
         ctl_error(ctx, "stateless is not applicable to dnat or snat types");
         return;
     }
+    /* Port range needs conntrack, so it can't be stateless. */
+    if (stateless && is_portrange) {
+        ctl_error(ctx, "--stateless and --portrange may not be used "
+                  "together");
+        return;
+    }
 
     int is_snat = !strcmp("snat", nat_type);
     for (size_t i = 0; i < lr->n_nat; i++) {