From patchwork Fri May 31 03:18:50 2019
X-Patchwork-Submitter: solomon
X-Patchwork-Id: 1108005
To: Darrell Ball , ovs dev
From: solomon Message-ID: <86efbfc0-77a9-c1b5-f956-84bd334da70c@gmail.com> Date: Fri, 31 May 2019 11:18:50 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.0 MIME-Version: 1.0 Content-Language: en-US X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [PATCH v2]conntrack: ignore port for ICMP/ICMPv6 NAT. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org ICMP/ICMPv6 fails, if the src/dst port is set in a common NAT rule. like this: actions=ct(nat(dst=172.16.1.100:5000),commit,table=40) Fixes: 4cd0481c9e8b ("conntrack: Fix wasted work for ICMP NAT.") CC: Darrell Ball Signed-off-by: solomon Signed-off-by: Darrell Ball --- lib/conntrack.c | 8 +++++-- tests/system-traffic.at | 51 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 2 deletions(-) diff --git a/lib/conntrack.c b/lib/conntrack.c index d7d48a43a..9d6b8a358 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -2039,10 +2039,14 @@ nat_select_range_tuple(struct conntrack *ct, const struct conn *conn, while (true) { if (conn->nat_info->nat_action & NAT_ACTION_SRC) { nat_conn->rev_key.dst.addr = ct_addr; - nat_conn->rev_key.dst.port = htons(port); + if (pat_enabled) { + nat_conn->rev_key.dst.port = htons(port); + } } else { nat_conn->rev_key.src.addr = ct_addr; - nat_conn->rev_key.src.port = htons(port); + if (pat_enabled) { + nat_conn->rev_key.src.port = htons(port); + } } uint32_t conn_hash = conn_key_hash(&nat_conn->rev_key, diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 79d12fecd..7cf7d9392 100644 
--- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -3994,6 +3994,57 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - SNAT with port range using ICMP]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from +ns1->ns0. +AT_DATA([flows.txt], [dnl +in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:20000)),2 +in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat) +in_port=2,ct_state=+trk,ct_zone=1,action=1 +dnl +dnl ARP +priority=100 arp arp_op=1 +action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10 +priority=10 arp action=normal +priority=0,action=drop +dnl +dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0 +table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] +table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]] +dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. +dnl TPA IP in reg2. +dnl Swaps the fields of the ARP message to turn a query to a response. +table=10 priority=100 arp xreg0=0 action=normal +table=10 +priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]] +table=10 priority=0 action=drop +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl ICMP requests from p0->p1 should work fine. 
+NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl +1 packets transmitted, 1 received, 0% packet loss, time 0ms +]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e +'s/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=,type=0,code=0),zone=1 +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_SETUP([conntrack - SNAT with port range with exhaustion]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT()
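Review bot: in the lib/conntrack.c hunk, the `if (pat_enabled)` guard only skips the port write, so when `pat_enabled` is false every iteration of the enclosing `while (true)` loop that advances `port` produces the same `rev_key`; the hunk does not show how the loop terminates in that case, so it is worth confirming that it exits after the address attempts rather than walking the whole port range with an unchanged key. In the same case the port field of `nat_conn->rev_key` is left at whatever value it held before the loop, which is correct only if the caller already set it to what the reverse key needs for ICMP/ICMPv6; a one-line comment at the guard, for example `/* ICMP/ICMPv6 have no port; keep the value copied from the original key. */`, would make that dependency explicit. `pat_enabled` is not defined anywhere in the hunk and the diffstat (6 insertions, 2 deletions) matches the visible lines, so the change relies on an existing definition earlier in `nat_select_range_tuple()`; the guard could also be hoisted so the `NAT_ACTION_SRC` and else branches do not each repeat it.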
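Review bot: the new test's title, `conntrack - SNAT with port range using ICMP`, does not match what its flow configures: `nat(src=10.1.1.240-10.1.1.255:20000)` is an address range with one fixed port, so a name such as `SNAT with address range and port using ICMP` would describe the case actually exercised, namely that the port part of the spec is ignored for ICMP. Two smaller points in the same hunk: the `dnl` comment `Only allow nd, return traffic from ns1->ns0` reads as if carried over from an IPv6 test and should say `arp` for this IPv4 flow set; and the commit message motivates the fix with a DNAT rule (`nat(dst=172.16.1.100:5000)`) while the test covers SNAT only, so a matching DNAT check, or an ICMPv6 variant, would cover the other half of the subject line.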