Message ID | 1570154179-14525-1-git-send-email-ankur.sharma@nutanix.com |
---|---|
From | Ankur Sharma <ankur.sharma@nutanix.com> |
To | ovs-dev@openvswitch.org |
Date | Fri, 4 Oct 2019 01:55:36 +0000 |
Subject | [ovs-dev] [PATCH v1 0/3] ALLOW Stateless NAT operations |
Series | ALLOW Stateless NAT operations |
NAT implementation in OVN uses the connection tracker to replace source and destination IPs. This implementation works fine and is the right approach for cases where external IPs are shared (i.e. SNAT) or where we replace the IP only when the relevant flow is there (i.e. DNAT).

However, it opens the possibility of a DoS attack, where an attacker can easily simulate multiple 5-tuples to consume the connection tracker entries in an OVN chassis. This way they can easily attain the CT limit, thereby impacting the usage of it by other features like valid NAT, ACL etc. This attack is even worse when the external IP is a public IP, i.e. an internet-routable IP.

In this patch we are introducing an option with the NAT table entry. Option "is_stateless=true" indicates that the NAT implementation should not be using CT, i.e. it should not use ct_snat/dnat actions. We introduce new OVN actions which will replace source and destination IPs, while recalculating the checksums.

This option is applicable only for the NAT rules which can be 1:1 mapped between inner and external IPs, i.e. the dnat_and_snat rule.

Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>

Ankur Sharma (3):
  OVN: ADD new ovn actions to replace source and destination ip
  OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
  OVN: Use replace_src_ip and replace_dst_ip for NAT rules

 include/ovn/actions.h     |  10 ++++-
 lib/actions.c             | 103 ++++++++++++++++++++++++++++++++++++++++++++++
 northd/ovn-northd.8.xml   |  34 +++++++++++----
 northd/ovn-northd.c       |  86 ++++++++++++++++++++++++++++++++++----
 ovn-nb.ovsschema          |   6 ++-
 ovn-nb.xml                |   5 +++
 tests/ovn-nbctl.at        |  29 +++++++++++++
 tests/ovn-northd.at       |  35 ++++++++++++++++
 tests/ovn.at              |  26 ++++++++++++
 utilities/ovn-nbctl.8.xml |  12 +++++-
 utilities/ovn-nbctl.c     |  30 +++++++++++++-
 utilities/ovn-trace.c     |   6 +++
 12 files changed, 361 insertions(+), 21 deletions(-)