| Message ID | b90cdfce-35d1-4111-af88-86e9f564453a@redhat.com |
|---|---|
| State | Not Applicable |
| Headers | show
Return-Path: <ovs-dev-bounces@openvswitch.org> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=NMev46Jv; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TDCzN33wBz1yPV for <incoming@patchwork.ozlabs.org>; Tue, 16 Jan 2024 00:44:00 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 4BBD7416C7; Mon, 15 Jan 2024 13:43:57 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 4BBD7416C7 Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=NMev46Jv X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mAXu3YsIJ7l4; Mon, 15 Jan 2024 13:43:56 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp2.osuosl.org (Postfix) with ESMTPS id EDD604045C; Mon, 15 Jan 2024 13:43:54 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org EDD604045C Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id A8C11C0077; Mon, 15 Jan 2024 13:43:54 +0000 (UTC) X-Original-To: ovs-dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id AF113C0037 for <ovs-dev@openvswitch.org>; Mon, 15 Jan 2024 13:43:52 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 84EA08140F for <ovs-dev@openvswitch.org>; Mon, 15 Jan 2024 13:43:52 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 84EA08140F Authentication-Results: smtp1.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=NMev46Jv X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CfzOCFtZlceJ for <ovs-dev@openvswitch.org>; Mon, 15 Jan 2024 13:43:51 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by smtp1.osuosl.org (Postfix) with ESMTPS id 8AF76813E9 for <ovs-dev@openvswitch.org>; Mon, 15 Jan 2024 13:43:51 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 8AF76813E9 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1705326230; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=irvnzrj+kmuOCEV2ESKQMELgX8DuidfHAFHgcnZTbOI=; b=NMev46JvqSa3khUnWgrGR7PG2LeSWjmxNmjoSPmB2gk8TiLYls0fo9mmSuomSVHBZdO9iB LpUSoIzD2x/gjTKvodJNBnJgtob8S3QfsGpCgl7KH4H+NniMQ42+2oK7JO4jn7oMyz8m+E SIfnvdm48at8PpHsqs8glgyugSwNNzA= Received: from mail-qt1-f200.google.com (mail-qt1-f200.google.com [209.85.160.200]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-662-2U3CFL6JOhic7HtfUuwR9w-1; Mon, 15 Jan 2024 08:43:49 -0500 X-MC-Unique: 2U3CFL6JOhic7HtfUuwR9w-1 Received: by mail-qt1-f200.google.com with SMTP id d75a77b69052e-429f3c43c66so7723241cf.1 for <ovs-dev@openvswitch.org>; Mon, 15 Jan 2024 05:43:49 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705326229; x=1705931029; h=content-transfer-encoding:subject:cc:to:from:content-language :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=irvnzrj+kmuOCEV2ESKQMELgX8DuidfHAFHgcnZTbOI=; b=pWi3vw9DYCIv3ZhGRF2MKyYGi8dKh1sP5fScOeZ28Wk3zndG2Mv8OHq2hcXYsfiE7U 4pp6A0ZkbKOViR5XYkliOJ27Xi1BDbJQxM84zNujAtyeEeQHL1U7tTEV90WEJjSsmgHm M20rpNP1x1leCPfn1eapTWGYxUicj6nFBKmXztkfGQubD6Cl127MOKxUjapx6fyBF9ir 0270KUNZw9NZe04D0pfOQHD4G85fD1l9ors9VBnSRbIyuG0dvMRZnrfi1WQs3tGWlApy FYP0SrD51XNS/Byj03Piqo2f11V1EUVr1M0WrSCU4c0PsWM7H3yk1xlIREuCXTiG21Je euAg== X-Gm-Message-State: AOJu0YwPeSHA8AVjZ3lOF6af4dMO+g2coux9dyO1bzDia3KB6G97jolU TiNU5nQ3ho1FRnclah1bC8U7sgUteQB2mAHp3i9POJxw3LDsJC8HOmXaHfrrpPNiocVmA8UilyM raqqveIbHQKDj2UXBaZvXyVMrCg== X-Received: by 2002:a05:622a:1181:b0:429:fcb2:bd9c with SMTP id m1-20020a05622a118100b00429fcb2bd9cmr440346qtk.27.1705326228784; Mon, 15 Jan 2024 05:43:48 -0800 (PST) X-Google-Smtp-Source: AGHT+IFyrlBuo6T1d/O8B+FFhjjMduDZeEADkP0MRH895a6Uf2Qi01kn28vsz9xOgj9g8dmkOJuP2g== X-Received: by 2002:a05:622a:1181:b0:429:fcb2:bd9c with SMTP id m1-20020a05622a118100b00429fcb2bd9cmr440335qtk.27.1705326228464; Mon, 15 Jan 2024 05:43:48 -0800 (PST) Received: from [192.168.178.112] (82-75-96-200.cable.dynamic.v4.ziggo.nl. [82.75.96.200]) by smtp.gmail.com with ESMTPSA id cq11-20020a05622a424b00b00427f5c73636sm3888970qtb.27.2024.01.15.05.43.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 15 Jan 2024 05:43:47 -0800 (PST) Message-ID: <b90cdfce-35d1-4111-af88-86e9f564453a@redhat.com> Date: Mon, 15 Jan 2024 14:43:45 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird From: Dumitru Ceara <dceara@redhat.com> To: ankur.sharma@nutanix.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Cc: ovs-dev <ovs-dev@openvswitch.org>, Tim Rozet <trozet@redhat.com> Subject: [ovs-dev] OVN SNAT external_port_range randomized source port question X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: <ovs-dev.openvswitch.org> List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>, <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe> List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/> List-Post: <mailto:ovs-dev@openvswitch.org> List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help> List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>, <mailto:ovs-dev-request@openvswitch.org?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" <ovs-dev-bounces@openvswitch.org> |
| Series |
[ovs-dev] OVN SNAT external_port_range randomized source port question
|
expand
|
| Context | Check | Description |
|---|---|---|
| ovsrobot/intel-ovs-compilation | fail | test: fail |
| ovsrobot/apply-robot | fail | apply and check: fail |
diff --git a/lib/actions.c b/lib/actions.c index 38cf4642d6..d719dccdf2 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -1133,6 +1133,7 @@ encode_ct_nat(const struct ovnact_ct_nat *cn, if (cn->port_range.exists) { nat->range.proto.min = cn->port_range.port_lo; nat->range.proto.max = cn->port_range.port_hi; + nat->flags |= NX_NAT_F_PROTO_RANDOM; } ofpacts->header = ofpbuf_push_uninit(ofpacts, nat_offset);
Hi Ankur, Tim (in cc) pointed me to at what I think to be a bug in the way OVN's external_port_range option on SNAT works. I see you're the original author so I wanted to check whether my understanding is correct: https://github.com/ovn-org/ovn/commit/60bdc8ea78d With the following configuration: ovn-nbctl --portrange lr-nat-add rtr snat 66.66.66.66 42.42.42.0/24 10000-20000 When client initiates a connection from behind the SNAT, e.g.: 43.43.43.2:40000 -> 42.42.42.2:8080 this get's SNATed to: 66.66.66.66:X -> 42.42.42.2:80 with X being a random value in the 10000-20000 range. Until here the behavior is as expected. Now, if we change the client and initiate connections with a source port that's already in the desired range, e.g.: 43.43.43.2:15000 -> 42.42.42.2:8080 then PAT doesn't happen anymore and only the source IP gets translated: 66.66.66.66:15000 -> 42.42.42.2:80 Checking why that happens I see it's because of the way OVN configures the SNAT openflow. The openflow action is: ct(commit,table=46,zone=NXM_NX_REG12[0..15],nat(src=66.66.66.66:10000-20000)) This leaves the nat flags set to default (0) which AFAICT, with the kernel datapath, eventually ends up translating to NF_NAT_RANGE_PROTO_RANDOM: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/netfilter/nf_nat.h#L10 With this, conntrack will not do PAT unless needed. However, checking the ovs-actions manual: "ports The L4 port or range port1-port2 from which the translated port should be selected. When a port range is specified, fallback to ephemeral ports does not happen, else, it will. The port number selection can be informed by the optional random and hash flags described below. The userspace datapath only supports the hash behavior" If we explicitly request random hashing then the datapath will use NF_NAT_RANGE_PROTO_RANDOM_FULLY and always perform PAT. The OVN patch is trivial but I'd like to confirm with you that this is also desired behavior in your use cases. Something like this works just fine for my scenario: --- Regards, Dumitru