From: Ankur Sharma <ankur.sharma@nutanix.com>
To: ovs-dev@openvswitch.org
Subject: [ovs-dev] [PATCH v2 0/2] ALLOW Stateless NAT operations
Date: Fri, 4 Oct 2019 20:13:45 +0000
Message-ID: <1570220071-16483-1-git-send-email-ankur.sharma@nutanix.com>

NAT implementation in OVN uses connection tracker to replace source and dest IPs. This implementation works fine and is the right approach for cases where external IPs are shared (i.e. SNAT) or where we replace IP only when relevant flow is there (i.e. DNAT).

However, it opens the possibility of a DoS attack, where an attacker can easily simulate multiple 5 tuples, to consume the connection tracker entries in an OVN chassis. This way they can easily attain the CT limit, thereby impacting the usage of it by other features like valid NAT, ACL etc. This attack is even worse when external IP is a public IP, i.e. internet routable IP.

In this patch we are introducing an option with NAT table entry. Option "is_stateless=true" indicates that NAT implementation should not be using CT, i.e. it should not use ct_snat/dnat actions. Instead of ct_* actions, we will use ip4.src/dst OVN actions, which will replace source and destination IPs, while recalculating the checksums.

This option is applicable only for the NAT rules which can be 1:1 mapped between inner and external IPs, i.e. dnat_and_snat rule.

Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>

Ankur Sharma (2):
  OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
  OVN: Use ipv4.src and ipv4.dst actions for NAT rules

 northd/ovn-northd.8.xml   | 34 +++++++++++++++----
 northd/ovn-northd.c       | 86 ++++++++++++++++++++++++++++++++++++++++++-----
 ovn-nb.ovsschema          |  6 ++--
 ovn-nb.xml                |  5 +++
 tests/ovn-nbctl.at        | 29 ++++++++++++++++
 tests/ovn-northd.at       | 50 +++++++++++++++++++++++++++
 utilities/ovn-nbctl.8.xml | 12 ++++++-
 utilities/ovn-nbctl.c     | 30 ++++++++++++++++-
 8 files changed, 232 insertions(+), 20 deletions(-)
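The cover letter argues two things: a CT-backed NAT spends one conntrack entry per new 5-tuple and so has a capacity that many distinct flows can exhaust, while a 1:1 dnat_and_snat mapping needs no per-flow state at all, only an address rewrite plus checksum recalculation. The following Python model, added here as an illustration and not code from the OVN series or its authors, makes both points concrete. It is built on constructed assumptions: a conntrack table is modelled as a dict keyed by the 5-tuple with a fixed capacity, and the effect of the ip4.src/ip4.dst actions is modelled as rewriting the address fields of a 20-byte IPv4 header and recomputing the RFC 1071 header checksum. Class and function names, the addresses (TEST-NET ranges) and the limits are all constructed for the example.

```python
"""
Added example (not part of the OVN patch series): a minimal model of the
difference between CT-backed NAT and a stateless 1:1 dnat_and_snat rewrite.
Names, addresses and limits are constructed for illustration.
"""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071). Over a header whose
    checksum field is already filled in, the result is 0 if the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (IHL=5, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_checksum_ok(hdr: bytes) -> bool:
    ihl = (hdr[0] & 0x0F) * 4
    return ipv4_checksum(hdr[:ihl]) == 0


def rewrite_addresses(hdr: bytes, src: str = None, dst: str = None) -> bytes:
    """Stateless rewrite: replace src and/or dst and recompute the header
    checksum. This is the work an ip4.src / ip4.dst style action has to do;
    no per-flow table is consulted, so nothing is allocated per packet."""
    ihl = (hdr[0] & 0x0F) * 4
    head = bytearray(hdr[:ihl])
    if src is not None:
        head[12:16] = ipaddress.IPv4Address(src).packed
    if dst is not None:
        head[16:20] = ipaddress.IPv4Address(dst).packed
    head[10:12] = b"\x00\x00"
    head[10:12] = struct.pack("!H", ipv4_checksum(bytes(head)))
    return bytes(head) + hdr[ihl:]


class StatelessOneToOneNat:
    """Model of dnat_and_snat with is_stateless=true: one fixed
    external <-> logical pair, so the rewrite needs no lookup state."""

    def __init__(self, external_ip: str, logical_ip: str):
        self.external_ip, self.logical_ip = external_ip, logical_ip

    def inbound(self, hdr: bytes) -> bytes:   # arriving at external_ip
        return rewrite_addresses(hdr, dst=self.logical_ip)

    def outbound(self, hdr: bytes) -> bytes:  # leaving logical_ip
        return rewrite_addresses(hdr, src=self.external_ip)


class ConntrackNat:
    """Model of CT-backed NAT: each new 5-tuple takes a table entry until
    the (constructed) ct_limit is reached; further new flows are dropped."""

    def __init__(self, external_ip: str, logical_ip: str, ct_limit: int):
        self.external_ip, self.logical_ip, self.ct_limit = external_ip, logical_ip, ct_limit
        self.table = {}
        self.dropped = 0

    def inbound(self, hdr: bytes, sport: int, dport: int):
        key = (hdr[12:16], hdr[16:20], hdr[9], sport, dport)   # the 5-tuple
        if key not in self.table:
            if len(self.table) >= self.ct_limit:
                self.dropped += 1           # table full: the new flow gets no entry
                return None
            self.table[key] = self.logical_ip
        return rewrite_addresses(hdr, dst=self.table[key])


def compare_under_new_flows(n_flows: int, ct_limit: int):
    """Feed n_flows distinct inbound 5-tuples through both models.
    Returns (ct_entries_used, ct_dropped, stateless_rewritten_ok)."""
    external, logical = "203.0.113.10", "10.0.0.10"   # constructed addresses
    ct = ConntrackNat(external, logical, ct_limit)
    sl = StatelessOneToOneNat(external, logical)
    stateless_ok = 0
    base = int(ipaddress.IPv4Address("198.51.100.0"))
    for i in range(n_flows):
        src = str(ipaddress.IPv4Address(base + (i % 256)))
        hdr = build_ipv4_header(src, external, proto=6)
        ct.inbound(hdr, sport=1024 + i, dport=443)
        out = sl.inbound(hdr)
        if header_checksum_ok(out) and out[16:20] == ipaddress.IPv4Address(logical).packed:
            stateless_ok += 1
    return len(ct.table), ct.dropped, stateless_ok


if __name__ == "__main__":
    print(compare_under_new_flows(1000, 100))  # -> (100, 900, 1000)
```

The model shows why the option is restricted to dnat_and_snat: the stateless class can only exist because the external and logical addresses are a fixed pair, so the reverse direction is derivable from the packet alone. A shared external IP (SNAT) needs the table to know which internal host a return packet belongs to, which is exactly the state that makes the CT path exhaustible.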