From patchwork Thu Apr  2 05:33:59 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Sharma <svc.mail.git@nutanix.com>
X-Patchwork-Id: 1265430
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized)
	smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133;
	helo=hemlock.osuosl.org;
	envelope-from=ovs-dev-bounces@openvswitch.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=nutanix.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=nutanix.com header.i=@nutanix.com
	header.a=rsa-sha256 header.s=proofpoint20171006
	header.b=w9CHeLCX; dkim-atps=neutral
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 48tBZv1Wfvz9sR4
	for <incoming@patchwork.ozlabs.org>;
	Thu,  2 Apr 2020 16:34:30 +1100 (AEDT)
Received: from localhost (localhost [127.0.0.1])
	by hemlock.osuosl.org (Postfix) with ESMTP id 568A788193;
	Thu,  2 Apr 2020 05:34:27 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Dn0+ic1W+PUk; Thu,  2 Apr 2020 05:34:24 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by hemlock.osuosl.org (Postfix) with ESMTP id 31D9F87ECD;
	Thu,  2 Apr 2020 05:34:24 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id 1770DC1AE2;
	Thu,  2 Apr 2020 05:34:24 +0000 (UTC)
X-Original-To: ovs-dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138])
	by lists.linuxfoundation.org (Postfix) with ESMTP id 57107C07FF
	for <ovs-dev@openvswitch.org>; Thu,  2 Apr 2020 05:34:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by whitealder.osuosl.org (Postfix) with ESMTP id 5372D86C0E
	for <ovs-dev@openvswitch.org>; Thu,  2 Apr 2020 05:34:22 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from whitealder.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Oa+f8uRpsLiE for <ovs-dev@openvswitch.org>;
	Thu,  2 Apr 2020 05:34:21 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mx0a-002c1b01.pphosted.com (mx0a-002c1b01.pphosted.com
	[148.163.151.68])
	by whitealder.osuosl.org (Postfix) with ESMTPS id CE35086BB9
	for <ovs-dev@openvswitch.org>; Thu,  2 Apr 2020 05:34:20 +0000 (UTC)
Received: from pps.filterd (m0127839.ppops.net [127.0.0.1])
	by mx0a-002c1b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
	0325U0Yd005597
	for <ovs-dev@openvswitch.org>; Wed, 1 Apr 2020 22:34:19 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com;
	h=from : to : cc :
	subject : date : message-id : in-reply-to : references : content-type
	: mime-version; s=proofpoint20171006;
	bh=mInqV/r8yRhnKQeFoVSQurZfhybPgu6IWN21Vr7kmYg=;
	b=w9CHeLCXQnq30+EnoHKdjvo8nBlDRqbGaOdq8EKrQUMRUJ2ZYmZuDhvl7oonj24U3Wbg
	hkPNMbC44E3ghqBw9lOHIFXn8WC4VXIzDMVz8hsfKwo76ort2kczzNU449j3ihTw4JCm
	9wucwUKP9yDjVEbb4qSK8e933cQitcddjzULOqpSlE3ZfY+O5nRcb1GP9QO6ob93WWaL
	YbWhdV8x/qs8W79Kw26yqmGwAY507L2YijhplrGv3TZG4cvcgY4orkWWjysED8/Aq/K5
	dBj9ANe+iwxXM4v+K2/VPm3+wEirxA8wYxK7I40V6DriTbybrCGN8Du+iCVG3HwTNYSf
	3w==
Received: from nam10-bn7-obe.outbound.protection.outlook.com
	(mail-bn7nam10lp2101.outbound.protection.outlook.com [104.47.70.101])
	by mx0a-002c1b01.pphosted.com with ESMTP id 302ss3gpt6-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NOT)
	for <ovs-dev@openvswitch.org>; Wed, 01 Apr 2020 22:34:19 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
	b=hyjONPvS9i7hFhQ/G4+c4cb6Dtiqh2DouEn1O1tvQkXeX/AZErvvvDEzVyspckQOzL0mEtO6oYCzAd3OKk/RmO+uhuInO48X1Hypcb8L76+lE5A5lo7YFzxpOQRqAtiT7UldYj7GUSa2aThgwES8epHzfkn8OST/A/0KVkWOYx7DBA4ht3iT+xUbenE5V119qCJxxCaiaaA9sNMXsJ6R9i80AJqzEgOXS5CP70VVEFEDFun5FVgrts1ySUD3y2X/etDejiZ45F05fuU872zQnzdd5akq4DPOMz1FjsBCZ1oeE+41spLiyOMsgSmSbDbz5ZEucBvTIJwtJVmwmnH0fA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
	s=arcselector9901;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
	bh=mInqV/r8yRhnKQeFoVSQurZfhybPgu6IWN21Vr7kmYg=;
	b=ViWdbJNvH89Mah+GGgidSSE9rKZzZSdwTI3JWJJ2mOA5eDOnh22EPy31wh2D5v23GK5mwkqDypcgpK1J1m2i55V2BjhKrSFh8Xjix0tOBWYda0OVycM5s9pGeqcRJkPIC9VysFTa3bRusXZ/D24AN5R7zquYQp+WOMiSc7PWXBLhNzejGhfdTRLg7nAMAu1IC/ySCDGlIneRYTWRNe5e88viUqIlxVVxMRIGsGIJvBOVxYNTHx733vP/svszV+jnE+TzbKsqp2UgdbAsWhr/LffdiVrDBl9nQqQLfU5P45K559gErPLla8VDZ35a/mDhVjlSWK4oZI10OCIygkyzWQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
	smtp.mailfrom=nutanix.com;
	dmarc=pass action=none header.from=nutanix.com;
	dkim=pass header.d=nutanix.com; arc=none
Received: from BL0PR02MB3714.namprd02.prod.outlook.com (2603:10b6:207:44::16)
	by BL0PR02MB5588.namprd02.prod.outlook.com (2603:10b6:208:8a::20)
	with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20;
	Thu, 2 Apr 2020 05:34:18 +0000
Received: from BL0PR02MB3714.namprd02.prod.outlook.com
	([fe80::c43f:ba9f:6c04:d0fb]) by
	BL0PR02MB3714.namprd02.prod.outlook.com
	([fe80::c43f:ba9f:6c04:d0fb%7]) with mapi id 15.20.2878.016;
	Thu, 2 Apr 2020 05:34:18 +0000
From: Ankur Sharma <svc.mail.git@nutanix.com>
To: ovs-dev@openvswitch.org
Date: Wed,  1 Apr 2020 22:33:59 -0700
Message-Id: <1585805640-94503-2-git-send-email-svc.mail.git@nutanix.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1585805640-94503-1-git-send-email-svc.mail.git@nutanix.com>
References: <1585805640-94503-1-git-send-email-svc.mail.git@nutanix.com>
X-ClientProxiedBy: BYAPR01CA0034.prod.exchangelabs.com (2603:10b6:a02:80::47)
	To BL0PR02MB3714.namprd02.prod.outlook.com
	(2603:10b6:207:44::16)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from northd.localdomain (192.146.154.98) by
	BYAPR01CA0034.prod.exchangelabs.com (2603:10b6:a02:80::47) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
	15.20.2878.15 via Frontend Transport; Thu, 2 Apr 2020 05:34:17 +0000
X-Mailer: git-send-email 1.8.3.1
X-Originating-IP: [192.146.154.98]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 4def4caf-45fa-48b3-0c9d-08d7d6c77cc2
X-MS-TrafficTypeDiagnostic: BL0PR02MB5588:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
 <BL0PR02MB558878A61E674226F3BAD221D1C60@BL0PR02MB5588.namprd02.prod.outlook.com>
x-proofpoint-crosstenant: true
X-MS-Oob-TLC-OOBClassifiers: OLM:1443;
X-Forefront-PRVS: 0361212EA8
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
	IPV:NLI; SFV:NSPM; H:BL0PR02MB3714.namprd02.prod.outlook.com; PTR:;
	CAT:NONE; SFTY:;
	SFS:(10019020)(366004)(39860400002)(396003)(376002)(346002)(136003)(6512007)(2616005)(8676002)(956004)(186003)(16526019)(26005)(36756003)(5660300002)(6486002)(52116002)(478600001)(66476007)(6506007)(2906002)(107886003)(81166006)(81156014)(316002)(6666004)(54906003)(66946007)(66556008)(4326008)(8936002)(6916009)(66574012)(86362001);
	DIR:OUT; SFP:1102;
Received-SPF: None (protection.outlook.com: nutanix.com does not designate
	permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 XVKVAHSMW2qlflSouAyCB+dnCR7uiZeNqKOM7uIGONUTQ2tqxg2TMdE2JtZCQYxEz0vmh5ZterjhS7xjb/SOTUVFCYhoGN2dZqPKPB9HVdlDl5I8o3qpweEXjKOXSbRHeQyahpOiUryAzJisZLVR15Fuhl8A2oAjh2E+qjSJRdSxP/Itw8YYZd7Sa9b/jBy4fq6SSdHUn76F6WJCWXkKmLCcYC+XJnex+ZESHpxEFxCBP1Pvu/wxkDvQh9+VhCdmpi2W571vuLIbJd9bunYAAjebBuEj35p4e/7cblp52UpU6nZV1tyLxk5DXKeVaYh8+3otq0lKB3U3wmkJAebPp6FEl4mwJGCrgMuIb8RqqNeycLye3wGAcRvnDlr8A5iIetydHwmiWic6odr7xvHL5tYJqR/2enETkqNpjGm7KebognMzPrqKnyCsYNKIvJQD
X-MS-Exchange-AntiSpam-MessageData: 
 7Db37U4WIkK0syXmV+LAUGeW9NQg/djZognuWFNyceoUWeSjnfY6ytpmV5h7gcxu/i7vtQhd46VJaATSbq59IZcuZEcDMxPb5Y4ZAqYFdC+neUm90ZqjLRHZA1OnrPEZO0yaU8Esqu1V1VGYMd23fQ==
X-OriginatorOrg: nutanix.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 4def4caf-45fa-48b3-0c9d-08d7d6c77cc2
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Apr 2020 05:34:17.8840
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: bb047546-786f-4de1-bd75-24e5b6f79043
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 BOvGgwCv+VnqI0I9+meC4BJsG42Vx7h/iENqbpl3DEyd4XWxSWpdI7ZrAhvH2l1UIedhQdsVptQ+yyDJxcO/kmEVmGtG1qxoVOtzpx1q7QA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR02MB5588
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138,
	18.0.676 definitions=2020-04-01_04:2020-03-31,
	2020-04-01 signatures=0
X-Proofpoint-Spam-Reason: safe
Cc: Ankur Sharma <svc.mail.git@nutanix.com>
Subject: [ovs-dev] [PATCH v3 1/2 ovn] NAT: Provide port range in input
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

This patch enhances the NB OVSSCHEMA to
add an additional comuln in NAT table.

external_port_range: Specifies the range of port numbers
                     to translate source port to.

Changes also add corresponding ovn-nbctl cli.

Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>
---
 ovn-nb.ovsschema      |   5 ++-
 ovn-nb.xml            |  23 +++++++++++
 tests/ovn-nbctl.at    |  46 +++++++++++++++++++++
 utilities/ovn-nbctl.c | 108 +++++++++++++++++++++++++++++++++++++++++++++-----
 4 files changed, 169 insertions(+), 13 deletions(-)

diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
index ea6f4e3..affa0ce 100644
--- a/ovn-nb.ovsschema
+++ b/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Northbound",
-    "version": "5.20.1",
-    "cksum": "721375950 25251",
+    "version": "5.20.2",
+    "cksum": "623498453 25310",
     "tables": {
         "NB_Global": {
             "columns": {
@@ -379,6 +379,7 @@
                 "external_ip": {"type": "string"},
                 "external_mac": {"type": {"key": "string",
                                           "min": 0, "max": 1}},
+                "external_port_range": {"type": "string"},
                 "logical_ip": {"type": "string"},
                 "logical_port": {"type": {"key": "string",
                                           "min": 0, "max": 1}},
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 541ec20..61c1ae8 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -2552,6 +2552,29 @@
       </p>
     </column>
 
+    <column name="external_port_range">
+      <p>
+        L4 source port range
+      </p>
+
+      <p>
+        Range of port, from which a port number will be picked that will
+        replace the source port of to be NATed packet. This is basically
+        PAT (port address translation).
+      </p>
+
+      <p>
+        Value of the column is in the format, port_lo-port_hi.
+        For example:
+        external_port_range : "1-30000"
+      </p>
+
+      <p>
+        Valid range of ports is 1-65535.
+      </p>
+
+    </column>
+
     <column name="logical_ip">
       An IPv4 network (e.g 192.168.1.0/24) or an IPv4 address.
     </column>
diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index fcb6ad7..39189fd 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -604,6 +604,52 @@ snat             fd01::1            fd11::/64
 ])
 
 AT_CHECK([ovn-nbctl lr-nat-del lr0])
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 snat 40.0.0.3 192.168.1.6 1-3000])
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat 40.0.0.4 192.168.1.7 1-3000])
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat 40.0.0.5 192.168.1.10 1])
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.5 192.168.1.8 1-3000])
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 lp0 00:00:00:04:05:06 1-3000])
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 lp0 1-3000], [1], [],
+[ovn-nbctl: lr-nat-add with logical_port must also specify external_mac.
+])
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 00:00:00:04:05:06 1-3000], [1], [],
+[ovn-nbctl: lr-nat-add with logical_port must also specify external_mac.
+])
+
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.7 192.168.1.10 1-], [1], [],
+[ovn-nbctl: invalid port range 1-.
+])
+
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 -300], [1], [],
+[ovn-nbctl: invalid port range -300.
+])
+
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 500-300], [1], [],
+[ovn-nbctl: invalid port range 500-300.
+])
+
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 a-300], [1], [],
+[ovn-nbctl: invalid port range a-300.
+])
+
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 100-b], [1], [],
+[ovn-nbctl: invalid port range 100-b.
+])
+
+AT_CHECK([ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 40.0.0.6 192.168.1.9 0-10], [1], [],
+[ovn-nbctl: invalid port range 0-10.
+])
+
+AT_CHECK([ovn-nbctl lr-nat-list lr0], [0], [dnl
+TYPE             EXTERNAL_IP        LOGICAL_IP            EXTERNAL_MAC         LOGICAL_PORT
+dnat             40.0.0.4           192.168.1.7
+dnat             40.0.0.5           192.168.1.10
+dnat_and_snat    40.0.0.5           192.168.1.8
+dnat_and_snat    40.0.0.6           192.168.1.9           00:00:00:04:05:06    lp0
+snat             40.0.0.3           192.168.1.6
+])
+
+AT_CHECK([ovn-nbctl lr-nat-del lr0])
 AT_CHECK([ovn-nbctl lr-nat-list lr0], [0], [])
 AT_CHECK([ovn-nbctl lr-nat-del lr0])
 AT_CHECK([ovn-nbctl lr-nat-del lr0 dnat])])
diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c
index 59abe00..ab37b49 100644
--- a/utilities/ovn-nbctl.c
+++ b/utilities/ovn-nbctl.c
@@ -702,7 +702,8 @@ Policy commands:\n\
 \n\
 NAT commands:\n\
   [--stateless]\n\
-  lr-nat-add ROUTER TYPE EXTERNAL_IP LOGICAL_IP [LOGICAL_PORT EXTERNAL_MAC]\n\
+  [--portrange]\n\
+  lr-nat-add ROUTER TYPE EXTERNAL_IP LOGICAL_IP [LOGICAL_PORT EXTERNAL_MAC] [EXTERNAL_PORT_RANGE]\n\
                             add a NAT to ROUTER\n\
   lr-nat-del ROUTER [TYPE [IP]]\n\
                             remove NATs from ROUTER\n\
@@ -3963,6 +3964,56 @@ out:
     free(nexthop);
 }
 
+static bool
+is_valid_port_range(const char *port_range)
+{
+    int range_lo_int, range_hi_int;
+    bool ret = false;
+
+    if (!port_range) {
+        return false;
+    }
+
+    char *save_ptr = NULL;
+    char *tokstr = xstrdup(port_range);
+    char *range_lo = strtok_r(tokstr, "-", &save_ptr);
+    if (!range_lo) {
+        goto done;
+    }
+    range_lo_int = strtol(range_lo, NULL, 10);
+    if (errno == EINVAL || range_lo_int <= 0) {
+        goto done;
+    }
+
+    if (!strchr(port_range, '-')) {
+        ret = true;
+        goto done;
+    }
+
+    char *range_hi = strtok_r(NULL, "", &save_ptr);
+    if (!range_hi) {
+        goto done;
+    }
+    range_hi_int = strtol(range_hi, NULL, 10);
+    if (errno == EINVAL) {
+        goto done;
+    }
+
+    if (range_lo_int >= range_hi_int) {
+        goto done;
+    }
+
+    if (range_lo_int <= 0 || range_hi_int > 65535) {
+        goto done;
+    }
+
+    ret = true;
+
+done:
+    free(tokstr);
+    return ret;
+}
+
 static void
 nbctl_lr_nat_add(struct ctl_context *ctx)
 {
@@ -3971,6 +4022,7 @@ nbctl_lr_nat_add(struct ctl_context *ctx)
     const char *external_ip = ctx->argv[3];
     const char *logical_ip = ctx->argv[4];
     char *new_logical_ip = NULL;
+    bool is_portrange = shash_find(&ctx->options, "--portrange") != NULL;
 
     char *error = lr_by_name_or_uuid(ctx, ctx->argv[1], true, &lr);
     if (error) {
@@ -4034,14 +4086,25 @@ nbctl_lr_nat_add(struct ctl_context *ctx)
         }
     }
 
-    const char *logical_port;
-    const char *external_mac;
+    const char *logical_port = NULL;
+    const char *external_mac = NULL;
+    const char *port_range = NULL;
+
     if (ctx->argc == 6) {
-        ctl_error(ctx, "lr-nat-add with logical_port "
-                  "must also specify external_mac.");
-        free(new_logical_ip);
-        return;
-    } else if (ctx->argc == 7) {
+        if (!is_portrange) {
+            ctl_error(ctx, "lr-nat-add with logical_port "
+                      "must also specify external_mac.");
+            free(new_logical_ip);
+            return;
+        }
+        port_range = ctx->argv[5];
+        if (!is_valid_port_range(port_range)) {
+            ctl_error(ctx, "invalid port range %s.", port_range);
+            free(new_logical_ip);
+            return;
+        }
+
+    } else if (ctx->argc >= 7) {
         if (strcmp(nat_type, "dnat_and_snat")) {
             ctl_error(ctx, "logical_port and external_mac are only valid when "
                       "type is \"dnat_and_snat\".");
@@ -4049,6 +4112,13 @@ nbctl_lr_nat_add(struct ctl_context *ctx)
             return;
         }
 
+        if (ctx->argc == 7 && is_portrange) {
+            ctl_error(ctx, "lr-nat-add with logical_port "
+                      "must also specify external_mac.");
+            free(new_logical_ip);
+            return;
+        }
+
         logical_port = ctx->argv[5];
         const struct nbrec_logical_switch_port *lsp;
         error = lsp_by_name_or_uuid(ctx, logical_port, true, &lsp);
@@ -4065,7 +4135,18 @@ nbctl_lr_nat_add(struct ctl_context *ctx)
             free(new_logical_ip);
             return;
         }
+
+        if (ctx->argc > 7) {
+            port_range = ctx->argv[7];
+            if (!is_valid_port_range(port_range)) {
+                ctl_error(ctx, "invalid port range %s.", port_range);
+                free(new_logical_ip);
+                return;
+            }
+        }
+
     } else {
+        port_range = NULL;
         logical_port = NULL;
         external_mac = NULL;
     }
@@ -4137,6 +4218,10 @@ nbctl_lr_nat_add(struct ctl_context *ctx)
         nbrec_nat_set_external_mac(nat, external_mac);
     }
 
+    if (port_range) {
+        nbrec_nat_set_external_port_range(nat, port_range);
+    }
+
     smap_add(&nat_options, "stateless", stateless ? "true":"false");
     nbrec_nat_set_options(nat, &nat_options);
 
@@ -6133,9 +6218,10 @@ static const struct ctl_command_syntax nbctl_commands[] = {
        "", RO },
 
     /* NAT commands. */
-    { "lr-nat-add", 4, 6,
-      "ROUTER TYPE EXTERNAL_IP LOGICAL_IP [LOGICAL_PORT EXTERNAL_MAC]", NULL,
-      nbctl_lr_nat_add, NULL, "--may-exist,--stateless", RW },
+    { "lr-nat-add", 4, 7,
+      "ROUTER TYPE EXTERNAL_IP LOGICAL_IP"
+      "[LOGICAL_PORT EXTERNAL_MAC] [EXTERNAL_PORT_RANGE]", NULL,
+      nbctl_lr_nat_add, NULL, "--may-exist,--stateless,--portrange", RW },
     { "lr-nat-del", 1, 3, "ROUTER [TYPE [IP]]", NULL,
         nbctl_lr_nat_del, NULL, "--if-exists", RW },
     { "lr-nat-list", 1, 1, "ROUTER", NULL, nbctl_lr_nat_list, NULL, "", RO },

From patchwork Thu Apr  2 05:34:00 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ankur Sharma <svc.mail.git@nutanix.com>
X-Patchwork-Id: 1265431
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized)
	smtp.mailfrom=openvswitch.org (client-ip=140.211.166.133;
	helo=hemlock.osuosl.org;
	envelope-from=ovs-dev-bounces@openvswitch.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=nutanix.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=nutanix.com header.i=@nutanix.com
	header.a=rsa-sha256 header.s=proofpoint20171006
	header.b=xtGxYvRa; dkim-atps=neutral
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 48tBZv3zwKz9sRN
	for <incoming@patchwork.ozlabs.org>;
	Thu,  2 Apr 2020 16:34:31 +1100 (AEDT)
Received: from localhost (localhost [127.0.0.1])
	by hemlock.osuosl.org (Postfix) with ESMTP id B989988246;
	Thu,  2 Apr 2020 05:34:29 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id VTNcT2eWAM2z; Thu,  2 Apr 2020 05:34:27 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by hemlock.osuosl.org (Postfix) with ESMTP id D1D81880C7;
	Thu,  2 Apr 2020 05:34:26 +0000 (UTC)
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id BACE1C1D89;
	Thu,  2 Apr 2020 05:34:26 +0000 (UTC)
X-Original-To: ovs-dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133])
	by lists.linuxfoundation.org (Postfix) with ESMTP id 66388C1AE2
	for <ovs-dev@openvswitch.org>; Thu,  2 Apr 2020 05:34:25 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by hemlock.osuosl.org (Postfix) with ESMTP id 55EFA87EBB
	for <ovs-dev@openvswitch.org>; Thu,  2 Apr 2020 05:34:25 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from hemlock.osuosl.org ([127.0.0.1])
	by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id UaI8oAAGbDBj for <ovs-dev@openvswitch.org>;
	Thu,  2 Apr 2020 05:34:22 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mx0a-002c1b01.pphosted.com (mx0a-002c1b01.pphosted.com
	[148.163.151.68])
	by hemlock.osuosl.org (Postfix) with ESMTPS id 7B42D87EA9
	for <ovs-dev@openvswitch.org>; Thu,  2 Apr 2020 05:34:22 +0000 (UTC)
Received: from pps.filterd (m0127839.ppops.net [127.0.0.1])
	by mx0a-002c1b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id
	0325U0Ye005597
	for <ovs-dev@openvswitch.org>; Wed, 1 Apr 2020 22:34:21 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nutanix.com;
	h=from : to : cc :
	subject : date : message-id : in-reply-to : references : content-type
	: mime-version; s=proofpoint20171006;
	bh=s9banIcb7LQkTEG3GhAjdIL90b4YgfE/6KVnyywO9W8=;
	b=xtGxYvRaiZ/brsH/e5h568bMGXltQETfXesKwUZZGbz6f4/9IBbMs8/crNB33M9q/ryu
	5fYwlopwNUpzj+7uRAVgsx0YV0YBpHI13CMUjZUs76hXM4tl6DBVyCYUQuqOL2QDD2yZ
	OqGlNTdlJYpRBhD1wSjGBKEbEXH5vPW8ZwxipazFQyisdtymk4Qf5B+05x6cVuigbtf1
	RmW7pdld2C57PwZMPTiJ2x/GUUOoQRIUoBaB+xCNWCudtkwSCOjf2eWDOst0N7gn7pic
	wuODpB6CYayfwTvFa/BRJCPMTC6if00epSDY2Yc29MblrB9739GkeddijpMFuS6mmL8W
	sw==
Received: from nam10-bn7-obe.outbound.protection.outlook.com
	(mail-bn7nam10lp2100.outbound.protection.outlook.com [104.47.70.100])
	by mx0a-002c1b01.pphosted.com with ESMTP id 302ss3gpt8-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NOT)
	for <ovs-dev@openvswitch.org>; Wed, 01 Apr 2020 22:34:21 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
	b=HlIelsye6ReYC4gc0nLJisbs8arWz/nUHsxvcDExjyjQitpSk0Xn8+qINdvBBgwRq6n/QoL8dpy7+te07yypKweeySKapk5Bzqn04Ob1Z8oA4j9vhqGvVwyEqIp3NlFdhYxf9gdV6BkyPupBFRRioFyZiKUzzXMRt3QPGHDbH4meI+QdmKBRda2LQ91it6kurTAfiWb0diGXzVIPfDY+bamGtgTI2sSQKXDGF7Zn9K08S0j3ngqxxL0p01tvL3g6emJ1MT5Zq2nGKzYj0N4wqG0qouizO1mupItUTF/kJCYy4BH/qKcvcUTF4Ra65Y/XJlWxhm4B0iZGstoFgjlI8Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
	s=arcselector9901;
	h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
	bh=s9banIcb7LQkTEG3GhAjdIL90b4YgfE/6KVnyywO9W8=;
	b=JH6h4JtLkc+5wQ8vsHn8vJgatdfS07oA2ZJlaU8wnIdf+Cf/sCV+z44qbxinJhm02wMAQ78uf0fru8TDrc8D42P52ygD6R7KAHn3MLpTXd0CuKIc90EmCL/7+W4mJWeVdAPXsbbicb6iqJCEuyQHuKybMNONWhyOALRD2+IRDIWCPAOpAPEGy7vfMprLb5i5hPI/GdoaiVxX4cJiKCi2/cytxxWP9CHLENKclUSRgK/h2k+YQKmxfbQ8Jahlkv5UDz11PkSrVtEglrZSqJ/rIdEfgtp6j31Sl8/eGIgc7wUfiX0+xcV3Nz+Beg4gPgVqAj3oEdB3Rs5ARwnVkT9ZHw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
	smtp.mailfrom=nutanix.com;
	dmarc=pass action=none header.from=nutanix.com;
	dkim=pass header.d=nutanix.com; arc=none
Received: from BL0PR02MB3714.namprd02.prod.outlook.com (2603:10b6:207:44::16)
	by BL0PR02MB5588.namprd02.prod.outlook.com (2603:10b6:208:8a::20)
	with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20;
	Thu, 2 Apr 2020 05:34:19 +0000
Received: from BL0PR02MB3714.namprd02.prod.outlook.com
	([fe80::c43f:ba9f:6c04:d0fb]) by
	BL0PR02MB3714.namprd02.prod.outlook.com
	([fe80::c43f:ba9f:6c04:d0fb%7]) with mapi id 15.20.2878.016;
	Thu, 2 Apr 2020 05:34:19 +0000
From: Ankur Sharma <svc.mail.git@nutanix.com>
To: ovs-dev@openvswitch.org
Date: Wed,  1 Apr 2020 22:34:00 -0700
Message-Id: <1585805640-94503-3-git-send-email-svc.mail.git@nutanix.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1585805640-94503-1-git-send-email-svc.mail.git@nutanix.com>
References: <1585805640-94503-1-git-send-email-svc.mail.git@nutanix.com>
X-ClientProxiedBy: BYAPR01CA0034.prod.exchangelabs.com (2603:10b6:a02:80::47)
	To BL0PR02MB3714.namprd02.prod.outlook.com
	(2603:10b6:207:44::16)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from northd.localdomain (192.146.154.98) by
	BYAPR01CA0034.prod.exchangelabs.com (2603:10b6:a02:80::47) with
	Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
	15.20.2878.15 via Frontend Transport; Thu, 2 Apr 2020 05:34:18 +0000
X-Mailer: git-send-email 1.8.3.1
X-Originating-IP: [192.146.154.98]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 281ccb36-d351-4103-86c2-08d7d6c77dab
X-MS-TrafficTypeDiagnostic: BL0PR02MB5588:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: 
 <BL0PR02MB5588AF72B49FF283325C994CD1C60@BL0PR02MB5588.namprd02.prod.outlook.com>
x-proofpoint-crosstenant: true
X-MS-Oob-TLC-OOBClassifiers: OLM:197;
X-Forefront-PRVS: 0361212EA8
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
	IPV:NLI; SFV:NSPM; H:BL0PR02MB3714.namprd02.prod.outlook.com; PTR:;
	CAT:NONE; SFTY:;
	SFS:(10019020)(366004)(39860400002)(396003)(376002)(346002)(136003)(6512007)(2616005)(8676002)(956004)(186003)(16526019)(26005)(36756003)(5660300002)(6486002)(52116002)(478600001)(66476007)(6506007)(2906002)(107886003)(81166006)(81156014)(316002)(6666004)(54906003)(66946007)(66556008)(4326008)(8936002)(30864003)(6916009)(66574012)(86362001);
	DIR:OUT; SFP:1102;
Received-SPF: None (protection.outlook.com: nutanix.com does not designate
	permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 mn9OCIhznA7B6ZjVTOp34sMr70jHRkUXxAFTrbnjh7KNdzOPF20QcMYJBmr5i71lfQe3cklbLkL/8RjfX396zf+uCkXfESDfJ736QElnCQoJbbYHS4X7ts+6c2BN/lX9AkS5WogDLKLvZDR+d5aZuofsR2eyYJB77YesTosve6xNa/am6ybLZcujEYRNWAMMLfJzSAej0M7qRGNeY3q47v2SxTEh0+Lvy2uD0l7cIN+qlpcM755XTwSlj86NiGu8QbUQ+nDstODw5vg7mCVDDAL1WksFAXH+DuRS1otGt8QQTmv/ft5rba8D86vPD8tdriVaPTh4WCxmiGQ/M2SMbEoLIvJj+kN+GaSTBe5r3+AeKlucDpi4FjKaZHt8R/c6tFIg3N5/dMGWa93aHd6QU4PfYiRTScX5oYw3oAxRCT+uhOfd9QCJ62Fa35lU0k2K
X-MS-Exchange-AntiSpam-MessageData: 
 hHlsVRn0clE1iUbiUgcOR6xWWx5oc27p0aUeky+5+3kThOxelnPbkbEhSA6cluiJ70OxrO8lOp7aF9Dq3C9ZklgKiZ1wGtAHEpB7dFmLnqCM5euYH/mZX6bCNEA1HEfZjQLAnTHOeQ+4Zqh79oVDkg==
X-OriginatorOrg: nutanix.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 281ccb36-d351-4103-86c2-08d7d6c77dab
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Apr 2020 05:34:19.4112
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: bb047546-786f-4de1-bd75-24e5b6f79043
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 ZXAwa+f2RnEaR5PIJcgPwStCdTlq6iEr12hm/yFOUxCAtcpjIRiqBvt/q43Rj2jE/sYpb51KLHeYI4Q5kcBbRJUAHffKa+wGx0pILeQp4AA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR02MB5588
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.138,
	18.0.676 definitions=2020-04-01_04:2020-03-31,
	2020-04-01 signatures=0
X-Proofpoint-Spam-Reason: safe
Cc: Ankur Sharma <svc.mail.git@nutanix.com>
Subject: [ovs-dev] [PATCH v3 2/2 ovn] NAT: Northd and parser changes to
	support port range
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

This patch has northd changes to put
port range in the logical flow based on configuration.

Port range is NOT applicable for stateless dnat_and_snat
rules.

Changes to parse the logical flow, which specifies port_range
for ct_nat action.

Example logical flow:
ct_snat(10.15.24.135,1-30000)

Signed-off-by: Ankur Sharma <ankur.sharma@nutanix.com>
---
 include/ovn/actions.h |  7 ++++++
 include/ovn/lex.h     |  1 +
 lib/actions.c         | 48 ++++++++++++++++++++++++++++++++++++++
 lib/lex.c             |  5 +++-
 northd/ovn-northd.c   | 31 +++++++++++++++++++++----
 tests/ovn-northd.at   | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/ovn.at          | 34 +++++++++++++++++++++++----
 7 files changed, 180 insertions(+), 10 deletions(-)

diff --git a/include/ovn/actions.h b/include/ovn/actions.h
index 9b01492..2cec369 100644
--- a/include/ovn/actions.h
+++ b/include/ovn/actions.h
@@ -233,6 +233,13 @@ struct ovnact_ct_nat {
         struct in6_addr ipv6;
         ovs_be32 ipv4;
     };
+
+    struct {
+       bool exists;
+       uint16_t port_lo;
+       uint16_t port_hi;
+    } port_range;
+
     uint8_t ltable;             /* Logical table ID of next table. */
 };
 
diff --git a/include/ovn/lex.h b/include/ovn/lex.h
index 8d55857..1da6ccc 100644
--- a/include/ovn/lex.h
+++ b/include/ovn/lex.h
@@ -63,6 +63,7 @@ enum lex_type {
     LEX_T_EXCHANGE,             /* <-> */
     LEX_T_DECREMENT,            /* -- */
     LEX_T_COLON,                /* : */
+    LEX_T_HYPHEN,               /* - */
 };
 
 /* Subtype for LEX_T_INTEGER and LEX_T_MASKED_INTEGER tokens.
diff --git a/lib/actions.c b/lib/actions.c
index 6351db7..5d9d93b 100644
--- a/lib/actions.c
+++ b/lib/actions.c
@@ -770,6 +770,38 @@ parse_ct_nat(struct action_context *ctx, const char *name,
         }
         lexer_get(ctx->lexer);
 
+        if (lexer_match(ctx->lexer, LEX_T_COMMA)) {
+
+           if (ctx->lexer->token.type != LEX_T_INTEGER ||
+               ctx->lexer->token.format != LEX_F_DECIMAL) {
+              lexer_syntax_error(ctx->lexer, "expecting Integer for port "
+                                 "range");
+           }
+
+           cn->port_range.port_lo = ntohll(ctx->lexer->token.value.integer);
+           lexer_get(ctx->lexer);
+
+           if (lexer_match(ctx->lexer, LEX_T_HYPHEN)) {
+
+               if (ctx->lexer->token.type != LEX_T_INTEGER) {
+                   lexer_syntax_error(ctx->lexer, "expecting Integer for port "
+                                      "range");
+               }
+               cn->port_range.port_hi = ntohll(
+                                        ctx->lexer->token.value.integer);
+
+               if (cn->port_range.port_hi <= cn->port_range.port_lo) {
+                   lexer_syntax_error(ctx->lexer, "range high should be "
+                                      "greater than range lo");
+               }
+               lexer_get(ctx->lexer);
+           } else {
+               cn->port_range.port_hi = 0;
+           }
+
+           cn->port_range.exists = true;
+        }
+
         if (!lexer_force_match(ctx->lexer, LEX_T_RPAREN)) {
             return;
         }
@@ -799,6 +831,17 @@ format_ct_nat(const struct ovnact_ct_nat *cn, const char *name, struct ds *s)
         ipv6_format_addr(&cn->ipv6, s);
         ds_put_char(s, ')');
     }
+
+    if (cn->port_range.exists) {
+        ds_chomp(s, ')');
+        ds_put_format(s, ",%d", cn->port_range.port_lo);
+
+        if (cn->port_range.port_hi) {
+            ds_put_format(s, "-%d", cn->port_range.port_hi);
+        }
+        ds_put_char(s, ')');
+    }
+
     ds_put_char(s, ';');
 }
 
@@ -861,6 +904,11 @@ encode_ct_nat(const struct ovnact_ct_nat *cn,
         }
     }
 
+    if (cn->port_range.exists) {
+       nat->range.proto.min = cn->port_range.port_lo;
+       nat->range.proto.max = cn->port_range.port_hi;
+    }
+
     ofpacts->header = ofpbuf_push_uninit(ofpacts, nat_offset);
     ct = ofpacts->header;
     if (cn->family == AF_INET || cn->family == AF_INET6) {
diff --git a/lib/lex.c b/lib/lex.c
index 7a2ab41..94f6c77 100644
--- a/lib/lex.c
+++ b/lib/lex.c
@@ -301,6 +301,9 @@ lex_token_format(const struct lex_token *token, struct ds *s)
     case LEX_T_COLON:
         ds_put_char(s, ':');
         break;
+    case LEX_T_HYPHEN:
+        ds_put_char(s, '-');
+        break;
     default:
         OVS_NOT_REACHED();
     }
@@ -757,7 +760,7 @@ next:
             token->type = LEX_T_DECREMENT;
             p++;
         } else {
-            lex_error(token, "`-' is only valid as part of `--'.");
+           token->type = LEX_T_HYPHEN;
         }
         break;
 
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 0762781..71d420d 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -8849,7 +8849,13 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
                                       is_v6 ? "6" : "4", nat->logical_ip);
                     } else {
                         ds_put_format(&actions, "flags.loopback = 1; "
-                                      "ct_dnat(%s);", nat->logical_ip);
+                                      "ct_dnat(%s", nat->logical_ip);
+
+                        if (strlen(nat->external_port_range)) {
+                            ds_put_format(&actions, ",%s",
+                                          nat->external_port_range);
+                        }
+                        ds_put_format(&actions, ");");
                     }
 
                     ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
@@ -8877,8 +8883,12 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
                         ds_put_format(&actions, "ip%s.dst=%s; next;",
                                       is_v6 ? "6" : "4", nat->logical_ip);
                     } else {
-                        ds_put_format(&actions, "ct_dnat(%s);",
-                                      nat->logical_ip);
+                        ds_put_format(&actions, "ct_dnat(%s", nat->logical_ip);
+                        if (strlen(nat->external_port_range)) {
+                            ds_put_format(&actions, ",%s",
+                                          nat->external_port_range);
+                        }
+                        ds_put_format(&actions, ");");
                     }
 
                     ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_DNAT, 100,
@@ -8982,8 +8992,14 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
                         ds_put_format(&actions, "ip%s.src=%s; next;",
                                       is_v6 ? "6" : "4", nat->external_ip);
                     } else {
-                        ds_put_format(&actions, "ct_snat(%s);",
+                        ds_put_format(&actions, "ct_snat(%s",
                                       nat->external_ip);
+
+                        if (strlen(nat->external_port_range)) {
+                            ds_put_format(&actions, ",%s",
+                                          nat->external_port_range);
+                        }
+                        ds_put_format(&actions, ");");
                     }
 
                     /* The priority here is calculated such that the
@@ -9020,8 +9036,13 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
                         ds_put_format(&actions, "ip%s.src=%s; next;",
                                       is_v6 ? "6" : "4", nat->external_ip);
                     } else {
-                        ds_put_format(&actions, "ct_snat(%s);",
+                        ds_put_format(&actions, "ct_snat(%s",
                                       nat->external_ip);
+                        if (strlen(nat->external_port_range)) {
+                            ds_put_format(&actions, ",%s",
+                                          nat->external_port_range);
+                        }
+                        ds_put_format(&actions, ");");
                     }
 
                     /* The priority here is calculated such that the
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index d127152..8cc3f70 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -1074,6 +1074,70 @@ AT_CHECK([ovn-sbctl dump-flows R1 | grep ip6.src=| wc -l], [0], [2
 
 AT_CLEANUP
 
+AT_SETUP([ovn -- check portrange dnat, snat and dnat_and_snat rules])
+ovn_start
+
+ovn-sbctl chassis-add gw1 geneve 127.0.0.1
+
+ovn-nbctl lr-add R1
+ovn-nbctl lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24
+
+ovn-nbctl ls-add S1
+ovn-nbctl lsp-add S1 S1-R1
+ovn-nbctl lsp-set-type S1-R1 router
+ovn-nbctl lsp-set-addresses S1-R1 router
+ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1
+
+ovn-nbctl lrp-set-gateway-chassis R1-S1 gw1
+
+uuid=`ovn-sbctl --columns=_uuid --bare find Port_Binding logical_port=cr-R1-S1`
+echo "CR-LRP UUID is: " $uuid
+
+# IPV4
+ovn-nbctl --portrange lr-nat-add R1 dnat_and_snat  172.16.1.1 50.0.0.11 1-3000
+
+OVS_WAIT_UNTIL([test 2 = `ovn-sbctl dump-flows R1 | grep lr_in_unsnat | \
+wc -l`])
+
+AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_snat | grep 3000 | wc -l], [0], [1
+])
+
+AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_dnat | grep 3000 | wc -l], [0], [1
+])
+
+
+ovn-nbctl lr-nat-del R1 dnat_and_snat  172.16.1.1
+
+ovn-nbctl --portrange lr-nat-add R1 snat  172.16.1.1 50.0.0.11 1-3000
+
+OVS_WAIT_UNTIL([test 2 = `ovn-sbctl dump-flows R1 | grep lr_in_unsnat | \
+wc -l`])
+
+AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_snat | grep 3000 | wc -l], [0], [1
+])
+
+AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_dnat | grep 3000 | wc -l], [0], [0
+])
+
+ovn-nbctl lr-nat-del R1 snat  172.16.1.1
+
+ovn-nbctl --portrange --stateless lr-nat-add R1 dnat_and_snat  172.16.1.2 50.0.0.12 1-3000
+ovn-sbctl dump-flows R1
+
+OVS_WAIT_UNTIL([test 3 = `ovn-sbctl dump-flows R1 | grep lr_in_unsnat | \
+wc -l`])
+
+AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_snat | grep 3000 | grep 172.16.1.2 | wc -l], [0], [0
+])
+
+AT_CHECK([ovn-sbctl dump-flows R1 | grep ct_dnat | grep 3000 | grep 172.16.1.2 | wc -l], [0], [0
+])
+
+
+ovn-nbctl lr-nat-del R1 dnat_and_snat  172.16.1.1
+
+AT_CLEANUP
+
 AT_SETUP([ovn -- check Load balancer health check and Service Monitor sync])
 AT_SKIP_IF([test $HAVE_PYTHON = no])
 ovn_start
diff --git a/tests/ovn.at b/tests/ovn.at
index 0135838..314be47 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -136,7 +136,6 @@ fe:x => error("Invalid numeric constant.")
 (){}[[]]==!=<<=>>=!&&||..,;=<->--: => ( ) { } [[ ]] == != < <= > >= ! && || .. , ; = <-> -- :
 & => error("`&' is only valid as part of `&&'.")
 | => error("`|' is only valid as part of `||'.")
-- => error("`-' is only valid as part of `--'.")
 
 ^ => error("Invalid character `^' in input.")
 ])
@@ -1049,15 +1048,29 @@ ct_dnat(192.168.1.2);
 ct_dnat(fd11::2);
     encodes as ct(commit,table=19,zone=NXM_NX_REG11[0..15],nat(dst=fd11::2))
     has prereqs ip
+ct_dnat(192.168.1.2, 1-3000);
+    formats as ct_dnat(192.168.1.2,1-3000);
+    encodes as ct(commit,table=19,zone=NXM_NX_REG11[0..15],nat(dst=192.168.1.2:1-3000))
+    has prereqs ip
 
 ct_dnat(192.168.1.2, 192.168.1.3);
-    Syntax error at `,' expecting `)'.
+    Syntax error at `192.168.1.3' expecting Integer for port range.
 ct_dnat(foo);
     Syntax error at `foo' expecting IPv4 or IPv6 address.
 ct_dnat(foo, bar);
     Syntax error at `foo' expecting IPv4 or IPv6 address.
 ct_dnat();
     Syntax error at `)' expecting IPv4 or IPv6 address.
+ct_dnat(192.168.1.2, foo);
+    Syntax error at `foo' expecting Integer for port range.
+ct_dnat(192.168.1.2, 1000-foo);
+    Syntax error at `foo' expecting Integer for port range.
+ct_dnat(192.168.1.2, 1000);
+    formats as ct_dnat(192.168.1.2,1000);
+    encodes as ct(commit,table=19,zone=NXM_NX_REG11[0..15],nat(dst=192.168.1.2:1000))
+    has prereqs ip
+ct_dnat(192.168.1.2, 1000-100);
+    Syntax error at `100' range high should be greater than range lo.
 
 # ct_snat
 ct_snat;
@@ -1069,16 +1082,29 @@ ct_snat(192.168.1.2);
 ct_snat(fd11::2);
     encodes as ct(commit,table=19,zone=NXM_NX_REG12[0..15],nat(src=fd11::2))
     has prereqs ip
+ct_snat(192.168.1.2, 1-3000);
+    formats as ct_snat(192.168.1.2,1-3000);
+    encodes as ct(commit,table=19,zone=NXM_NX_REG12[0..15],nat(src=192.168.1.2:1-3000))
+    has prereqs ip
 
 ct_snat(192.168.1.2, 192.168.1.3);
-    Syntax error at `,' expecting `)'.
+    Syntax error at `192.168.1.3' expecting Integer for port range.
 ct_snat(foo);
     Syntax error at `foo' expecting IPv4 or IPv6 address.
 ct_snat(foo, bar);
     Syntax error at `foo' expecting IPv4 or IPv6 address.
 ct_snat();
     Syntax error at `)' expecting IPv4 or IPv6 address.
-
+ct_snat(192.168.1.2, foo);
+    Syntax error at `foo' expecting Integer for port range.
+ct_snat(192.168.1.2, 1000-foo);
+    Syntax error at `foo' expecting Integer for port range.
+ct_snat(192.168.1.2, 1000);
+    formats as ct_snat(192.168.1.2,1000);
+    encodes as ct(commit,table=19,zone=NXM_NX_REG12[0..15],nat(src=192.168.1.2:1000))
+    has prereqs ip
+ct_snat(192.168.1.2, 1000-100);
+    Syntax error at `100' range high should be greater than range lo.
 # ct_clear
 ct_clear;
     encodes as ct_clear