When a nat rule is configured in stateless mode there is a 1:1 mapping between external_ip and logical_ip. Do not modify dst/src ips in S_ROUTER_IN_UNSNAT/S_ROUTER_OUT_UNDNAT stages for stateless nat entries since they will be properly modified in S_ROUTER_IN_DNAT/S_ROUTER_OUT_SNAT stages. This path will allow respecting allowed_ext_ips for stateless nat rules.
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2066990 Signed-off-by: Lorenzo Bianconi <[email protected]> --- Changes since v1: - rebase on top of ovn master - improve ip parsing --- northd/northd.c | 26 ++++++++++++++++++++------ tests/ovn-northd.at | 4 ++-- tests/ovn.at | 4 ++-- 3 files changed, 24 insertions(+), 10 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index a56666297..c61e8a526 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -12032,6 +12032,23 @@ build_gateway_redirect_flows_for_lrouter( ds_cstr(match), ds_cstr(actions), stage_hint); } + + for (int i = 0; i < od->n_nat_entries; i++) { + const struct ovn_nat *nat = &od->nat_entries[i]; + + if (!lrouter_nat_is_stateless(nat->nb) || + strcmp(nat->nb->type, "dnat_and_snat")) { + continue; + } + + ds_clear(match); + ds_put_format(match, "ip && ip%s.dst == %s", + nat_entry_is_v6(nat) ? "6" : "4", + nat->nb->external_ip); + ovn_lflow_add(lflows, od, S_ROUTER_IN_GW_REDIRECT, 100, + ds_cstr(match), "drop;"); + } + /* Packets are allowed by default. */ ovn_lflow_add(lflows, od, S_ROUTER_IN_GW_REDIRECT, 0, "1", "next;"); } @@ -12781,8 +12798,7 @@ build_lrouter_in_unsnat_flow(struct hmap *lflows, struct ovn_datapath *od, ds_put_format(match, "ip && ip%s.dst == %s", is_v6 ? "6" : "4", nat->external_ip); if (!strcmp(nat->type, "dnat_and_snat") && stateless) { - ds_put_format(actions, "ip%s.dst=%s; next;", - is_v6 ? "6" : "4", nat->logical_ip); + ds_put_format(actions, "next;"); } else { ds_put_cstr(actions, "ct_snat;"); } @@ -12807,8 +12823,7 @@ build_lrouter_in_unsnat_flow(struct hmap *lflows, struct ovn_datapath *od, } if (!strcmp(nat->type, "dnat_and_snat") && stateless) { - ds_put_format(actions, "ip%s.dst=%s; next;", - is_v6 ? "6" : "4", nat->logical_ip); + ds_put_format(actions, "next;"); } else { ds_put_cstr(actions, "ct_snat_in_czone;"); } @@ -12963,8 +12978,7 @@ build_lrouter_out_undnat_flow(struct hmap *lflows, struct ovn_datapath *od, if (!strcmp(nat->type, "dnat_and_snat") && lrouter_nat_is_stateless(nat)) { - ds_put_format(actions, "ip%s.src=%s; next;", - is_v6 ? "6" : "4", nat->external_ip); + ds_put_format(actions, "next;"); } else { ds_put_format(actions, od->is_gw_router ? "ct_dnat;" : "ct_dnat_in_czone;"); diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 69ad85533..91cd8ee40 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -895,7 +895,7 @@ ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1 echo echo "IPv4: stateless" ovn-nbctl --wait=sb --stateless lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11 -check_flow_match_sets 2 0 0 2 2 0 0 +check_flow_match_sets 2 0 0 1 1 0 0 ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1 echo @@ -907,7 +907,7 @@ ovn-nbctl lr-nat-del R1 dnat_and_snat fd01::1 echo echo "IPv6: stateless" ovn-nbctl --wait=sb --stateless lr-nat-add R1 dnat_and_snat fd01::1 fd11::2 -check_flow_match_sets 2 0 0 0 0 2 2 +check_flow_match_sets 2 0 0 0 0 1 1 AT_CLEANUP ]) diff --git a/tests/ovn.at b/tests/ovn.at index 799a6aabd..256b73495 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -22038,8 +22038,8 @@ AT_CHECK([for regex in ct_snat ct_dnat ip4.dst= ip4.src=; do grep -c "$regex" sbflows; done], [0], [0 0 -2 -2 +1 +1 ]) echo "----------- Post Traffic hv1 dump -----------" -- 2.35.3 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
