From patchwork Fri Oct 4 20:13:48 2019
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Date: Fri, 4 Oct 2019 20:13:48 +0000
Message-ID: <1570220071-16483-2-git-send-email-ankur.sharma@nutanix.com>
References: <1570220071-16483-1-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1570220071-16483-1-git-send-email-ankur.sharma@nutanix.com>
Subject: [ovs-dev] [PATCH v2 1/2 ovn] OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless

Adding ovn-nbctl to mark a dnat_and_snat rule as stateless. This configuration will be added to the "options" column of the NAT table.
Signed-off-by: Ankur Sharma --- ovn-nb.ovsschema | 6 ++++-- ovn-nb.xml | 5 +++++ tests/ovn-nbctl.at | 29 +++++++++++++++++++++++++++++ utilities/ovn-nbctl.8.xml | 12 +++++++++++- utilities/ovn-nbctl.c | 30 +++++++++++++++++++++++++++++- 5 files changed, 78 insertions(+), 4 deletions(-) diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index 2c87cbb..084305b 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "5.16.0", - "cksum": "923459061 23095", + "version": "5.17.0", + "cksum": "1128988054 23237", "tables": { "NB_Global": { "columns": { @@ -345,6 +345,8 @@ "snat", "dnat_and_snat" ]]}}}, + "options": {"type": {"key": "string", "value": "string", + "min": 0, "max": "unlimited"}}, "external_ids": { "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}, diff --git a/ovn-nb.xml b/ovn-nb.xml index b41b579..a1ebe05 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -2254,6 +2254,11 @@

+ + Indicates if a dnat_and_snat rule should lead to connection + tracking state or not. + + See External IDs at the beginning of this document. diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 01091dd..4ebc1bb 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at @@ -516,6 +516,31 @@ dnat_and_snat 30.0.0.2 192.168.1.3 snat 30.0.0.1 192.168.1.0/24 ]) +AT_CHECK([ovn-nbctl --bare --columns=options list nat | grep is_stateless=true| wc -l], [0], +[0 +]) +AT_CHECK([ovn-nbctl --stateless lr-nat-add lr0 dnat_and_snat 40.0.0.2 192.168.1.4]) +AT_CHECK([ovn-nbctl --bare --columns=options list nat | grep is_stateless=true| wc -l], [0], +[1 +]) +AT_CHECK([ovn-nbctl --stateless lr-nat-add lr0 dnat 40.0.0.2 192.168.1.4], [1], [], +[ovn-nbctl: is_stateless is not applicable to dnat or snat types +]) +AT_CHECK([ovn-nbctl --stateless lr-nat-add lr0 snat 40.0.0.2 192.168.1.4], [1], [], +[ovn-nbctl: is_stateless is not applicable to dnat or snat types +]) +AT_CHECK([ovn-nbctl lr-nat-add lr0 snat 40.0.0.2 192.168.1.5], [1], [], +[ovn-nbctl: 40.0.0.2, 192.168.1.5: External ip cannot be shared across stateless and stateful NATs +]) +AT_CHECK([ovn-nbctl lr-nat-add lr0 dnat 40.0.0.2 192.168.1.5], [1], [], +[ovn-nbctl: 40.0.0.2, 192.168.1.5: External ip cannot be shared across stateless and stateful NATs +]) + +AT_CHECK([ovn-nbctl lr-nat-add lr0 snat 40.0.0.3 192.168.1.6]) +AT_CHECK([ovn-nbctl --stateless lr-nat-add lr0 dnat_and_snat 40.0.0.3 192.168.1.7], [1], [], +[ovn-nbctl: 40.0.0.3, 192.168.1.7: External ip cannot be shared across stateless and stateful NATs +]) + dnl Deletes the NATs AT_CHECK([ovn-nbctl lr-nat-del lr0 dnat_and_snat 30.0.0.3], [1], [], [ovn-nbctl: no matching NAT with the type (dnat_and_snat) and external_ip (30.0.0.3) 
@@ -533,14 +558,18 @@ AT_CHECK([ovn-nbctl lr-nat-list lr0], [0], [dnl TYPE EXTERNAL_IP LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT dnat 30.0.0.1 192.168.1.2 dnat_and_snat 30.0.0.2 192.168.1.3 +dnat_and_snat 40.0.0.2 192.168.1.4 snat 30.0.0.1 192.168.1.0/24 +snat 40.0.0.3 192.168.1.6 ]) AT_CHECK([ovn-nbctl lr-nat-del lr0 dnat]) AT_CHECK([ovn-nbctl lr-nat-list lr0], [0], [dnl TYPE EXTERNAL_IP LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT dnat_and_snat 30.0.0.2 192.168.1.3 +dnat_and_snat 40.0.0.2 192.168.1.4 snat 30.0.0.1 192.168.1.0/24 +snat 40.0.0.3 192.168.1.6 ]) AT_CHECK([ovn-nbctl lr-nat-del lr0]) diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml index fd75c0e..2161d8c 100644 --- a/utilities/ovn-nbctl.8.xml +++ b/utilities/ovn-nbctl.8.xml @@ -665,7 +665,7 @@

NAT Commands

-
[--may-exist] lr-nat-add router type external_ip logical_ip [logical_port external_mac]
+
[--may-exist] [--stateless]lr-nat-add router type external_ip logical_ip [logical_port external_mac]

Adds the specified NAT to router. @@ -681,8 +681,18 @@ The logical_port is the name of an existing logical switch port where the logical_ip resides. The external_mac is an Ethernet address. + The --stateless

+ When --stateless is specified then it implies that + we will be not use connection tracker, i.e internal ip and external + ip are 1:1 mapped. This implies that --stateless is + applicable only to dnat_and_snat type NAT rules. + An external ip with --stateless NAT cannot be shared + with any other NAT rule. +

+ +

When type is dnat, the externally visible IP address external_ip is DNATted to the IP address logical_ip in the logical space. diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index a89a9cb..7a3ac6e 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -691,6 +691,7 @@ Policy commands:\n\ lr-policy-list ROUTER print policies for ROUTER\n\ \n\ NAT commands:\n\ + [--stateless]\n\ lr-nat-add ROUTER TYPE EXTERNAL_IP LOGICAL_IP [LOGICAL_PORT EXTERNAL_MAC]\n\ add a NAT to ROUTER\n\ lr-nat-del ROUTER [TYPE [IP]]\n\ @@ -3926,6 +3927,13 @@ nbctl_lr_nat_add(struct ctl_context *ctx) } bool may_exist = shash_find(&ctx->options, "--may-exist") != NULL; + bool is_stateless = shash_find(&ctx->options, "--stateless") != NULL; + + if (strcmp(nat_type, "dnat_and_snat") && is_stateless) { + ctl_error(ctx, "is_stateless is not applicable to dnat or snat types"); + return; + } + int is_snat = !strcmp("snat", nat_type); for (size_t i = 0; i < lr->n_nat; i++) { const struct nbrec_nat *nat = lr->nat[i]; @@ -3957,10 +3965,25 @@ nbctl_lr_nat_add(struct ctl_context *ctx) return; } } + + } + if (!strcmp(nat_type, "dnat_and_snat") || + !strcmp(nat->type, "dnat_and_snat")) { + + if (!strcmp(nat->external_ip, external_ip)) { + struct smap nat_options = SMAP_INITIALIZER(&nat_options); + if (!strcmp(smap_get(&nat->options, "is_stateless"), + "true") || is_stateless) { + ctl_error(ctx, "%s, %s: External ip cannot be shared " + "across stateless and stateful NATs", + external_ip, new_logical_ip); + } + } } } /* Create the NAT. */ + struct smap nat_options = SMAP_INITIALIZER(&nat_options); struct nbrec_nat *nat = nbrec_nat_insert(ctx->txn); nbrec_nat_set_type(nat, nat_type); nbrec_nat_set_external_ip(nat, external_ip); 
@@ -3969,7 +3992,12 @@ nbctl_lr_nat_add(struct ctl_context *ctx) nbrec_nat_set_logical_port(nat, logical_port); nbrec_nat_set_external_mac(nat, external_mac); } + + smap_add(&nat_options, "is_stateless", is_stateless ? "true":"false"); + nbrec_nat_set_options(nat, &nat_options); + free(new_logical_ip); + smap_destroy(&nat_options); /* Insert the NAT into the logical router. */ nbrec_logical_router_verify_nat(lr); 
@@ -5689,7 +5717,7 @@ static const struct ctl_command_syntax nbctl_commands[] = { /* NAT commands. */ { "lr-nat-add", 4, 6, "ROUTER TYPE EXTERNAL_IP LOGICAL_IP [LOGICAL_PORT EXTERNAL_MAC]", NULL, - nbctl_lr_nat_add, NULL, "--may-exist", RW }, + nbctl_lr_nat_add, NULL, "--may-exist,--stateless", RW }, { "lr-nat-del", 1, 3, "ROUTER [TYPE [IP]]", NULL, nbctl_lr_nat_del, NULL, "--if-exists", RW }, { "lr-nat-list", 1, 1, "ROUTER", NULL, nbctl_lr_nat_list, NULL, "", RO },
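Review bot: the new column description in the ovn-nb.xml hunk ("Indicates if a dnat_and_snat rule should lead to connection tracking state or not") never names the key or its values, even though the column is a generic options map. State that the key is is_stateless with values true/false, that it only applies to rules of type dnat_and_snat, and that the external IP of a stateless rule cannot be shared with any other NAT rule, so that readers of the schema documentation and northbound clients other than ovn-nbctl know what is written and what is checked.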
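Review bot: in the utilities/ovn-nbctl.8.xml hunk the synopsis reads "[--stateless]lr-nat-add" with no space before the command name, and the new paragraph has grammar problems ("we will be not use connection tracker, i.e internal ip"). Suggested wording: "When --stateless is specified, the connection tracker is not used and the logical IP and external IP are mapped 1:1. This is only applicable to dnat_and_snat rules, and the external IP of a stateless rule cannot be shared with any other NAT rule." Since the point of the flag is to skip conntrack, also say explicitly that traffic matched by such a rule creates no connection-tracking state, which matters to anyone relying on ct state later in the pipeline.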
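Review bot: in the @@ -3957,10 +3965,25 @@ hunk of utilities/ovn-nbctl.c, smap_get(&nat->options, "is_stateless") returns NULL for any existing NAT row without that key (every row created before this schema change, or by a client other than ovn-nbctl), and the result goes straight into strcmp, so lr-nat-add will crash on a router that already has such rules. Use smap_get_bool(&nat->options, "is_stateless", false) instead; the lrouter_nat_is_stateless() helper added in patch 2/2 already does the NULL check. In the same block, ctl_error() is not followed by return, so the function falls through and still inserts the NAT after reporting the error, whereas the other error paths in this function return. The "struct smap nat_options = SMAP_INITIALIZER(&nat_options);" declared inside that if is unused (the real one is declared later, just before nbrec_nat_insert) and should be dropped. Finally, the condition is also true when both rules are stateless, in which case the message "cannot be shared across stateless and stateful NATs" is misleading; the man page wording ("cannot be shared with any other NAT rule") would fit both cases.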
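Review bot: in the @@ -3969,7 +3992,12 @@ hunk, is_stateless is written as "true" or "false" on every new rule, including the snat and dnat rules for which the flag was just rejected; consider only adding the key when it is true, so that rows created by ovn-nbctl and rows created by other clients (which will have no key at all) are treated the same by readers, and the test's grep for is_stateless=true stays meaningful.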
From: Ankur Sharma
To: "ovs-dev@openvswitch.org"
Date: Fri, 4 Oct 2019 20:13:50 +0000
Message-ID: <1570220071-16483-3-git-send-email-ankur.sharma@nutanix.com>
References: <1570220071-16483-1-git-send-email-ankur.sharma@nutanix.com>
In-Reply-To: <1570220071-16483-1-git-send-email-ankur.sharma@nutanix.com>
Subject: [ovs-dev] [PATCH v2 2/2 ovn] OVN: Use ipv4.src and ipv4.dst actions for NAT rules

For dnat_and_snat rules which are meant to be stateless, instead of using ct_snat/dnat OVN actions, we will use ipv4.src/ipv4.dst.
These actions will do 1:1 mapping of inner ip to external ip, while recalculating the checksums.
Signed-off-by: Ankur Sharma --- northd/ovn-northd.8.xml | 34 +++++++++++++++---- northd/ovn-northd.c | 86 +++++++++++++++++++++++++++++++++++++++++++------ tests/ovn-northd.at | 50 ++++++++++++++++++++++++++++ 3 files changed, 154 insertions(+), 16 deletions(-) diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 0f4f1c1..7d5d102 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -1718,7 +1718,9 @@ icmp6 { to change the source IP address of a packet from A to B, a priority-90 flow matches ip && ip4.dst == B with an action - ct_snat; . + ct_snat; . If the NAT rule is of type dnat_and_snat + and has is_stateless=true in the options, then the action + would be replace_dst_ip(B).

@@ -1738,7 +1740,10 @@ icmp6 { B, a priority-100 flow matches ip && ip4.dst == B && inport == GW, where GW is the logical router gateway port, with an - action ct_snat;. + action ct_snat;. If the NAT rule is of type + dnat_and_snat and has is_stateless=true in the + options, then the action would be replace_dst_ip + (B).

@@ -1858,7 +1863,10 @@ icmp6 { Gateway router is configured to force SNAT any DNATed packet, the above action will be replaced by flags.force_snat_for_dnat = 1; flags.loopback = 1; - ct_dnat(B);. + ct_dnat(B);. If the NAT rule is of type + dnat_and_snat and has is_stateless=true in the + options, then the action would be replace_dst_ip + (B).

  • @@ -1890,7 +1898,10 @@ icmp6 { B, a priority-100 flow matches ip && ip4.dst == B && inport == GW, where GW is the logical router gateway port, with an - action ct_dnat(B);. + action ct_dnat(B);. If the NAT rule is of + type dnat_and_snat and has is_stateless=true in the + options, then the action would be replace_dst_ip + (B).

    @@ -2553,7 +2564,10 @@ nd_ns { matches ip && ip4.src == B && outport == GW, where GW is the logical router gateway port, with an action - ct_dnat;. + ct_dnat;. If the NAT rule is of type + dnat_and_snat and has is_stateless=true in the + options, then the action would be replace_src_ip + (B).

    @@ -2611,7 +2625,10 @@ nd_ns { ip && ip4.src == A with an action ct_snat(B);. The priority of the flow is calculated based on the mask of A, with matches - having larger masks getting higher priorities. + having larger masks getting higher priorities. If the NAT rule is + of type dnat_and_snat and has is_stateless=true in the + options, then the action would be replace_src_ip + (B).

    A priority-0 logical flow with match 1 has actions @@ -2634,7 +2651,10 @@ nd_ns { logical router gateway port, with an action ct_snat(B);. The priority of the flow is calculated based on the mask of A, with matches - having larger masks getting higher priorities. + having larger masks getting higher priorities. If the NAT rule + is of type dnat_and_snat and has is_stateless=true + in the options, then the action would be replace_src_ip + (B).

    diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index f393ceb..4036392 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6314,6 +6314,18 @@ copy_ra_to_sb(struct ovn_port *op, const char *address_mode) smap_destroy(&options); } +static inline bool +lrouter_nat_is_stateless(const struct nbrec_nat *nat) +{ + const char *is_stateless = smap_get(&nat->options, "is_stateless"); + + if (is_stateless && !strcmp(is_stateless, "true")) { + return true; + } + + return false; +} + static void build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, struct hmap *lflows, struct shash *meter_groups) @@ -7052,6 +7064,7 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, nat = od->nbr->nat[i]; ovs_be32 ip, mask; + bool is_stateless = lrouter_nat_is_stateless(nat); char *error = ip_parse_masked(nat->external_ip, &ip, &mask); if (error || mask != OVS_BE32_MAX) { @@ -7117,15 +7130,26 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, if (!od->l3dgw_port) { /* Gateway router. */ ds_clear(&match); + ds_clear(&actions); ds_put_format(&match, "ip && ip4.dst == %s", nat->external_ip); + + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { + ds_put_format(&actions, "ip4.dst=%s; next;", + nat->logical_ip); + } else { + ds_put_cstr(&actions, "ct_snat;"); + } + ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 90, - ds_cstr(&match), "ct_snat;"); + ds_cstr(&match), ds_cstr(&actions)); } else { /* Distributed router. */ /* Traffic received on l3dgw_port is subject to NAT. */ ds_clear(&match); + ds_clear(&actions); + ds_put_format(&match, "ip && ip4.dst == %s" " && inport == %s", nat->external_ip, 
@@ -7136,8 +7160,16 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_put_format(&match, " && is_chassis_resident(%s)", od->l3redirect_port->json_key); } + + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { + ds_put_format(&actions, "ip4.dst=%s; next;", + nat->logical_ip); + } else { + ds_put_cstr(&actions, "ct_snat;"); + } + ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 100, - ds_cstr(&match), "ct_snat;"); + ds_cstr(&match), ds_cstr(&actions)); /* Traffic received on other router ports must be * redirected to the central instance of the l3dgw_port @@ -7172,8 +7204,16 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_put_format(&actions, "flags.force_snat_for_dnat = 1; "); } - ds_put_format(&actions, "flags.loopback = 1; ct_dnat(%s);", - nat->logical_ip); + + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { + ds_put_format(&actions, "flags.loopback = 1; " + "ip4.dst=%s; next;", + nat->logical_ip); + } else { + ds_put_format(&actions, "flags.loopback = 1; ct_dnat(%s);", + nat->logical_ip); + } + ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 100, ds_cstr(&match), ds_cstr(&actions)); } else { @@ -7192,8 +7232,15 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, od->l3redirect_port->json_key); } ds_clear(&actions); - ds_put_format(&actions, "ct_dnat(%s);", - nat->logical_ip); + + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { + ds_put_format(&actions, "ip4.dst=%s; next;", + nat->logical_ip); + } else { + ds_put_format(&actions, "ct_dnat(%s);", + nat->logical_ip); + } + ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 100, ds_cstr(&match), ds_cstr(&actions)); 
@@ -7235,7 +7282,14 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_put_format(&actions, "eth.src = "ETH_ADDR_FMT"; ", ETH_ADDR_ARGS(mac)); } - ds_put_format(&actions, "ct_dnat;"); + + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { + ds_put_format(&actions, "ip4.src=%s; next;", + nat->external_ip); + } else { + ds_put_format(&actions, "ct_dnat;"); + } + ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 100, ds_cstr(&match), ds_cstr(&actions)); } @@ -7251,7 +7305,14 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_put_format(&match, "ip && ip4.src == %s", nat->logical_ip); ds_clear(&actions); - ds_put_format(&actions, "ct_snat(%s);", nat->external_ip); + + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { + ds_put_format(&actions, "ip4.src=%s; next;", + nat->external_ip); + } else { + ds_put_format(&actions, "ct_snat(%s);", + nat->external_ip); + } /* The priority here is calculated such that the * nat->logical_ip with the longest mask gets a higher @@ -7280,7 +7341,14 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_put_format(&actions, "eth.src = "ETH_ADDR_FMT"; ", ETH_ADDR_ARGS(mac)); } - ds_put_format(&actions, "ct_snat(%s);", nat->external_ip); + + if (!strcmp(nat->type, "dnat_and_snat") && is_stateless) { + ds_put_format(&actions, "ip4.src=%s; next;", + nat->external_ip); + } else { + ds_put_format(&actions, "ct_snat(%s);", + nat->external_ip); + } /* The priority here is calculated such that the * nat->logical_ip with the longest mask gets a higher diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 42033d5..64511a9 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -966,3 +966,53 @@ OVS_WAIT_UNTIL([ovn-sbctl get Port_Binding ${uuid} options:redirect-type], [0], ]) AT_CLEANUP + +AT_SETUP([ovn -- check stateless dnat_and_snat rule]) +AT_SKIP_IF([test $HAVE_PYTHON = no]) +ovn_start + +ovn-sbctl chassis-add gw1 geneve 127.0.0.1 + +ovn-nbctl lr-add R1 +ovn-nbctl lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24 + +ovn-nbctl ls-add S1 +ovn-nbctl lsp-add S1 S1-R1 +ovn-nbctl lsp-set-type S1-R1 router +ovn-nbctl lsp-set-addresses S1-R1 router +ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1 + +ovn-nbctl lrp-set-gateway-chassis R1-S1 gw1 + +uuid=`ovn-sbctl --columns=_uuid --bare find Port_Binding logical_port=cr-R1-S1` +echo "CR-LRP UUID is: " $uuid + +ovn-nbctl lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11 +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_snat | wc -l], [0], [2 +]) + +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_dnat | wc -l], [0], [2 +]) + +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.dst=| wc -l], [0], [0 +]) + +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.src=| wc -l], [0], [0 +]) + +ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1 + +ovn-nbctl --stateless lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11 +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_snat | wc -l], [0], [0 +]) + +AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_dnat | wc -l], [0], [0 +]) + +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.dst=| wc -l], [0], [2 +]) + +AT_CHECK([ovn-sbctl dump-flows R1 | grep ip4.src=| wc -l], [0], [2 +]) + +AT_CLEANUP
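Review bot: the northd/ovn-northd.8.xml hunks (starting at @@ -1718,7 +1718,9 @@ and repeated for the other six stages) describe the stateless action as replace_dst_ip(B) / replace_src_ip(B), but the ovn-northd.c hunks emit "ip4.dst=B; next;" and "ip4.src=B; next;" and no replace_*_ip action exists anywhere in this series; document the action that is actually generated (and note that the logical field is ip4.dst/ip4.src, not ipv4.dst/ipv4.src as in the subject line). The documentation should also say that in the stateless case no conntrack entry is created, since that, rather than the spelling of the action, is what changes for anyone relying on ct state later in the pipeline.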
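Review bot: the guard "if (!strcmp(nat->type, "dnat_and_snat") && is_stateless)" is repeated verbatim in all seven action-building hunks of northd/ovn-northd.c (from @@ -7117,15 +7130,26 @@ onwards). Since lrouter_nat_is_stateless() already reads the option, fold the type check into it, or compute one flag where is_stateless is set in @@ -7052,6 +7064,7 @@, so that a row with is_stateless=true but type snat or dnat is handled in exactly one place in northd rather than relying on the ovn-nbctl-side rejection, which other northbound clients writing the NAT table do not go through.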
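Review bot: in the tests/ovn-northd.at hunk, the "uuid=`ovn-sbctl ... find Port_Binding logical_port=cr-R1-S1`" line and the following echo are leftovers (uuid is used only in the echo), and the stateless assertions merely count lines matching "ip4.dst=" / "ip4.src=" without checking the addresses. Grep for the full actions, "ip4.dst=50.0.0.11" and "ip4.src=172.16.1.1", so the test verifies the direction of the 1:1 mapping and not just that some rewrite was emitted.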