Hi Guru, It looked very useful patch. Do you plan to commit it into main? Was there any reason to not merge it so far?
Regards - Manoj On 11/3/16, 3:46 AM, "dev on behalf of Gurucharan Shetty" <[email protected] on behalf of [email protected]> wrote: >We currently have the ability to add a large network to >match on the source IP address of a packet and then SNAT >it to a external_ip. For e.g. one could add a SNAT rule >that SNATs all packets with source IP address of >"0.0.0.0/0" to 10.1.1.10. > >It is useful to make a small subnet to pass-through without >any SNAT done on it. For e.g a subnet that is routable in >the external network. This commit adds a "nosnat" option >to the NAT table. > >Signed-off-by: Gurucharan Shetty <[email protected]> >--- > ovn/northd/ovn-northd.8.xml | 8 ++++++++ > ovn/northd/ovn-northd.c | 38 ++++++++++++++++++++++++++++---------- > ovn/ovn-nb.ovsschema | 5 +++-- > ovn/ovn-nb.xml | 7 +++++++ > tests/system-ovn.at | 17 +++++++++++++++++ > 5 files changed, 63 insertions(+), 12 deletions(-) > >diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml >index df53d4c..b406db6 100644 >--- a/ovn/northd/ovn-northd.8.xml >+++ b/ovn/northd/ovn-northd.8.xml >@@ -1434,6 +1434,14 @@ arp { > <li> > <p> > For each configuration in the OVN Northbound database, that asks >+ NOT to change the source IP address of a packet with address >+ <var>A</var> or NOT to change the source IP address of a packet that >+ belongs to network <var>A</var>, a priority-100 flow with a match of >+ <code>ip && ip4.src == <var>A</var></code> and an action of >+ <code>next;</code>. >+ </p> >+ <p> >+ For each configuration in the OVN Northbound database, that asks > to change the source IP address of a packet from an IP address of > <var>A</var> or to change the source IP address of a packet that > belongs to network <var>A</var> to <var>B</var>, a flow matches >diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c >index 07c7b2d..86504aa 100644 >--- a/ovn/northd/ovn-northd.c >+++ b/ovn/northd/ovn-northd.c >@@ -3680,6 +3680,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap >*ports, > > nat = op->od->nbr->nat[i]; > >+ if (!strcmp(nat->type, "nosnat")) { >+ continue; >+ } >+ > ovs_be32 ip; > if (!ip_parse(nat->external_ip, &ip) || !ip) { > static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); >@@ -3920,19 +3924,24 @@ build_lrouter_flows(struct hmap *datapaths, struct >hmap *ports, > > ovs_be32 ip, mask; > >- char *error = ip_parse_masked(nat->external_ip, &ip, &mask); >- if (error || mask != OVS_BE32_MAX) { >- static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); >- VLOG_WARN_RL(&rl, "bad external ip %s for nat", >- nat->external_ip); >- free(error); >- continue; >+ if (strcmp(nat->type, "nosnat")) { >+ /* "nosnat" cases do not have a 'external_ip'. Every other >+ * case should have a valid 'external_ip'. */ >+ char *error = ip_parse_masked(nat->external_ip, &ip, &mask); >+ if (error || mask != OVS_BE32_MAX) { >+ static struct vlog_rate_limit rl >+ = VLOG_RATE_LIMIT_INIT(5, 1); >+ VLOG_WARN_RL(&rl, "bad external ip %s for nat", >+ nat->external_ip); >+ free(error); >+ continue; >+ } > } > > /* Check the validity of nat->logical_ip. 'logical_ip' can >- * be a subnet when the type is "snat". */ >- error = ip_parse_masked(nat->logical_ip, &ip, &mask); >- if (!strcmp(nat->type, "snat")) { >+ * be a subnet when the type is "snat" or "nosnat". */ >+ char *error = ip_parse_masked(nat->logical_ip, &ip, &mask); >+ if (!strcmp(nat->type, "snat") || !strcmp(nat->type, "nosnat")) { > if (error) { > static struct vlog_rate_limit rl = > VLOG_RATE_LIMIT_INIT(5, 1); >@@ -3987,6 +3996,15 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap >*ports, > ds_cstr(&match), ds_cstr(&actions)); > } > >+ /* Egress SNAT table: Skip packets that have a specific 'nosnat' >+ * rule. */ >+ if (!strcmp(nat->type, "nosnat")) { >+ ds_clear(&match); >+ ds_put_format(&match, "ip && ip4.src == %s", nat->logical_ip); >+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 100, >+ ds_cstr(&match), "next;"); >+ } >+ > /* Egress SNAT table: Packets enter the egress pipeline with > * source ip address that needs to be SNATted to a external ip > * address. */ >diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema >index 65f2d7c..8cfc8a6 100644 >--- a/ovn/ovn-nb.ovsschema >+++ b/ovn/ovn-nb.ovsschema >@@ -1,7 +1,7 @@ > { > "name": "OVN_Northbound", >- "version": "5.4.1", >- "cksum": "3773248894 11490", >+ "version": "5.4.2", >+ "cksum": "3390487716 11561", > "tables": { > "NB_Global": { > "columns": { >@@ -210,6 +210,7 @@ > "type": {"type": {"key": {"type": "string", > "enum": ["set", ["dnat", > "snat", >+ "nosnat", > "dnat_and_snat" > ]]}}}}, > "isRoot": false}, >diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml >index 7626551..e16e1c2 100644 >--- a/ovn/ovn-nb.xml >+++ b/ovn/ovn-nb.xml >@@ -1155,6 +1155,13 @@ > <ref column="external_ip"/>. > </li> > <li> >+ When <ref column="type"/> is <code>nosnat</code>, IP packets >+ with their source IP address that either matches the IP address >+ in <ref column="logical_ip"/> or is in the network provided by >+ <ref column="logical_ip"/> is not SNATed and is allowed to >+ pass-through. >+ </li> >+ <li> > When <ref column="type"/> is <code>dnat_and_snat</code>, the > externally visible IP address <ref column="external_ip"/> is > DNATted to the IP address <ref column="logical_ip"/> in the >diff --git a/tests/system-ovn.at b/tests/system-ovn.at >index 21226d9..d627f76 100644 >--- a/tests/system-ovn.at >+++ b/tests/system-ovn.at >@@ -263,6 +263,23 @@ sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl > icmp,orig=(src=192.168.1.2,dst=172.16.1.2,id=<cleared>,type=8,code=0),reply=(src=172.16.1.2,dst=172.16.1.1,id=<cleared>,type=0,code=0),zone=<cleared> > ]) > >+ovs-appctl dpctl/flush-conntrack >+ >+# Add a "nosnat" rule. >+ovn-nbctl -- --id=@nat create nat type="nosnat" logical_ip=192.168.1.0/24 \ >+ -- add logical_router R2 nat @nat >+ >+# South-North NOSNAT: 'foo1' pings 'alice1'. 'alice1' receives traffic >+# from 192.168.1.2 (i.e without NAT) >+NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 172.16.1.2 | FORMAT_PING], \ >+[0], [dnl >+3 packets transmitted, 3 received, 0% packet loss, time 0ms >+]) >+ >+# We verify that SNAT did not happen via 'dump-conntrack' command. >+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.1.1)], [0], [dnl >+]) >+ > OVS_APP_EXIT_AND_WAIT([ovn-controller]) > > as ovn-sb >-- >1.9.1 > >_______________________________________________ >dev mailing list >[email protected] >http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
