On Fri, Nov 1, 2019, 2:57 PM Numan Siddique <num...@ovn.org> wrote:

> On Fri, Nov 1, 2019 at 6:58 AM Ankur Sharma <ankur.sha...@nutanix.com> wrote:
> >
> > NAT implementation in OVN uses connection tracker to replace
> > source and dest ips. This implementation works fine and
> > is the right approach for cases where external ips are shared
> > (i.e. SNAT) or where we replace ip only when relevant flow is there
> > (i.e. DNAT).
> >
> > However, it opens the possibility of a DoS attack, where an attacker
> > can easily simulate multiple 5 tuples, to consume the connection
> > tracker entries in an OVN chassis. This way they can easily attain
> > the CT limit, thereby impacting the usage of it by other features
> > like valid NAT, ACL etc.
> >
> > This attack is even worse when the external ip is a public ip,
> > i.e. internet routable ip.
> >
> > In this patch we are introducing an option with NAT table entry.
> > Option "stateless=true" indicates that NAT implementation
> > should not be using CT, i.e. it should not use ct_snat/dnat actions.
> >
> > Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
> > will replace source and destination ips, while recalculating the
> > checksums.
> >
> > This option is applicable only for the NAT rules which can be
> > 1:1 mapped between inner and external ips, i.e. dnat_and_snat rule.
> >
> > Signed-off-by: Ankur Sharma <ankur.sha...@nutanix.com>
>
> Thanks.
>
> I applied this series to master.

Can you please submit a follow-up patch to add a news entry?

Numan

> Numan
>
> >
> > Ankur Sharma (2):
> >   OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
> >   OVN: Use ip4.src and ip4.dst actions for NAT rules
> >
> >  northd/ovn-northd.8.xml   |  33 ++++-
> >  northd/ovn-northd.c       |  84 +++++++++++-
> >  ovn-nb.ovsschema          |   6 +-
> >  ovn-nb.xml                |   5 +
> >  tests/ovn-nbctl.at        |  37 ++++++
> >  tests/ovn-northd.at       |  95 ++++++++++++++
> >  tests/ovn.at              | 311 ++++++++++++++++++++++++++++++++++++++++++++++
> >  utilities/ovn-nbctl.8.xml |  12 +-
> >  utilities/ovn-nbctl.c     |  30 ++++-
> >  9 files changed, 594 insertions(+), 19 deletions(-)
> >
> > --
> > 1.8.3.1
> >
> > _______________________________________________
> > dev mailing list
> > d...@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
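The cover letter above contrasts two ways of translating a dnat_and_snat rule: a ct_dnat/ct_snat path that allocates a conntrack entry per 5-tuple out of a chassis-wide CT table, and the stateless path that simply sets ip4.src/ip4.dst and recomputes the checksums. The following is an added illustration written for this thread, not OVN or OVS code: it models both paths in Python on constructed IPv4/TCP packets. The checksum routines, the packet builder, the addresses (203.0.113.10 as external ip, 10.0.0.5 as logical ip, 198.51.100.7 as a remote peer), the tiny CT limit and the `CtNat`/`StatelessDnatAndSnat` classes are all assumptions made here to show why the stateless rewrite consumes no per-flow state while remaining correct (both IPv4 header and TCP pseudo-header checksums stay valid).

```python
import socket
import struct
from typing import Optional


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def _pseudo_header(ip: bytes, l4_len: int) -> bytes:
    # src, dst, zero, protocol, L4 length: the TCP checksum covers the addresses,
    # which is why an address rewrite must touch the L4 checksum as well.
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, ip[9], l4_len)


def rewrite_ipv4(pkt: bytes, src: Optional[str] = None, dst: Optional[str] = None) -> bytes:
    """Model of the ip4.src / ip4.dst actions: set the address field(s), then
    recompute the IPv4 header checksum and the TCP checksum. No flow state is kept."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, l4 = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if src:
        ip[12:16] = socket.inet_aton(src)
    if dst:
        ip[16:20] = socket.inet_aton(dst)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    if ip[9] == 6 and len(l4) >= 20:  # TCP: pseudo-header now holds the new addresses
        l4[16:18] = b"\x00\x00"
        c = checksum(_pseudo_header(ip, len(l4)) + bytes(l4))
        l4[16:18] = struct.pack("!H", c or 0xFFFF)  # TCP transmits 0xFFFF in place of 0
    return bytes(ip + l4)


def build_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: IPv4 header (no options) + 20-byte TCP SYN, both checksums valid."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return rewrite_ipv4(ip + tcp)  # a rewrite with no changes just fills in the checksums


def checksums_valid(pkt: bytes) -> bool:
    """Receiver-side check: with a correct checksum the one's-complement sum is 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, l4 = pkt[:ihl], pkt[ihl:]
    return (ones_complement_sum(ip) == 0xFFFF
            and ones_complement_sum(_pseudo_header(ip, len(l4)) + l4) == 0xFFFF)


def five_tuple(pkt: bytes) -> tuple:
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[12:16], pkt[16:20], pkt[9], sport, dport)


class CtNat:
    """Stateful model (hypothetical): ct_dnat creates one conntrack entry per 5-tuple,
    and the CT table limit is shared with ACLs and every other NAT rule on the chassis."""

    def __init__(self, external_ip: str, logical_ip: str, ct_limit: int):
        self.external_ip, self.logical_ip, self.ct_limit = external_ip, logical_ip, ct_limit
        self.ct = {}  # 5-tuple -> translated destination

    def ingress(self, pkt: bytes) -> Optional[bytes]:
        key = five_tuple(pkt)
        if key not in self.ct:
            if len(self.ct) >= self.ct_limit:
                return None  # table exhausted: new flows (for any feature) are dropped
            self.ct[key] = self.logical_ip
        return rewrite_ipv4(pkt, dst=self.ct[key])


class StatelessDnatAndSnat:
    """stateless=true model (hypothetical): the 1:1 external<->logical mapping translates
    each packet on its own, so no CT entry is ever allocated."""

    def __init__(self, external_ip: str, logical_ip: str):
        self.external_ip, self.logical_ip = external_ip, logical_ip

    def ingress(self, pkt: bytes) -> bytes:  # dnat: external ip -> logical ip
        if pkt[16:20] != socket.inet_aton(self.external_ip):
            return pkt
        return rewrite_ipv4(pkt, dst=self.logical_ip)

    def egress(self, pkt: bytes) -> bytes:  # snat: logical ip -> external ip
        if pkt[12:16] != socket.inet_aton(self.logical_ip):
            return pkt
        return rewrite_ipv4(pkt, src=self.external_ip)


def compare(n_flows: int, ct_limit: int) -> dict:
    """Push n_flows distinct (constructed) 5-tuples through both models and report the
    CT entries consumed and the new flows the CT model had to drop."""
    ct = CtNat("203.0.113.10", "10.0.0.5", ct_limit)
    sl = StatelessDnatAndSnat("203.0.113.10", "10.0.0.5")
    ct_dropped = 0
    for i in range(n_flows):
        pkt = build_packet("198.51.100.7", "203.0.113.10", 40000 + i, 443)
        if ct.ingress(pkt) is None:
            ct_dropped += 1
        inbound = sl.ingress(pkt)
        reply = sl.egress(build_packet("10.0.0.5", "198.51.100.7", 443, 40000 + i))
        assert inbound[16:20] == socket.inet_aton("10.0.0.5") and checksums_valid(inbound)
        assert reply[12:16] == socket.inet_aton("203.0.113.10") and checksums_valid(reply)
    return {"ct_entries": len(ct.ct), "ct_dropped": ct_dropped, "stateless_entries": 0}


if __name__ == "__main__":
    print(compare(n_flows=5, ct_limit=3))
```

The point the model makes visible is the one in the cover letter: with the stateful path, every distinct 5-tuple aimed at the external ip costs a CT entry until the shared limit is reached, after which unrelated CT users (ACLs, other NAT rules) lose capacity too; with a 1:1 dnat_and_snat mapping the translation needs no memory of the flow, so the rewrite is constant-state and the only work per packet is the address swap plus checksum recomputation. The model recomputes both checksums from scratch for clarity; a datapath would normally apply an incremental update (RFC 1624), which gives the same result.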