Hi: I'm trying to do full-NAT with ovs 2.6, I want to translate packets from global network into private network.
(global-ip:port -> 100.2.5.8:2489) <=> (10.0.1.20:X -> 10.0.1.5:9468)

To achieve it, I have set up three ct(nat) actions: first a bare nat to look up the conntrack table, then one for dnat and one for snat:

    table=0,tcp,in_port=5 actions=ct(table=10,zone=1,nat)
    table=10,ct_state=+new,ct_zone=1,tcp,nw_dst=100.2.5.8,tp_dst=2489 actions=ct(commit,table=15,zone=1,nat(dst=10.0.1.5:9468))
    table=15,ct_zone=1 actions=ct(commit,table=20,zone=1,nat(src=10.0.1.20))
    table=20,output:2

But only the first packet is successfully translated; all following packets are not translated by snat, only dnat is applied:

    IP 10.0.1.20.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...
    IP 169.254.174.222.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...
    IP 169.254.174.222.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...
    IP 169.254.174.222.42510 > 10.0.1.5.9468: Flags [S], seq 133205195, ...

And there are two conntrack entries:

    tcp, orig=(src=169.254.174.222,dst=100.2.5.8,sport=42510,dport=2489), reply=(src=10.0.1.5,dst=169.254.174.222,sport=9468,dport=42510), zone=1,protoinfo=(state=SYN_SENT)
    tcp, orig=(src=169.254.174.222,dst=10.0.1.5,sport=42510,dport=9468), reply=(src=10.0.1.5,dst=10.0.1.20,sport=9468,dport=42510), zone=1,protoinfo=(state=SYN_SENT)

From my experience with iptables and conntrack, there should be only one conntrack entry, like this:

    tcp, orig=(src=169.254.174.222,dst=100.2.5.8,sport=42510,dport=2489), reply=(src=10.0.1.5,dst=10.0.1.20,sport=9468,dport=42510), zone=1,protoinfo=(state=SYN_SENT)

Using current ovs, is there any way to achieve full-NAT?
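A check for the symptom described above, added here as an example and not code from the post or from Open vSwitch: it parses conntrack entries in the dump-line format quoted in the message (the two quoted lines are embedded as constructed sample input; the format is assumed to match what the post shows), flags pairs in the same zone where one entry's original tuple is exactly the other entry's post-NAT forward tuple, and reports the single merged entry one would expect for the connection.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two conntrack entries quoted in the post, one per line.
SAMPLE_DUMP = """\
tcp, orig=(src=169.254.174.222,dst=100.2.5.8,sport=42510,dport=2489), reply=(src=10.0.1.5,dst=169.254.174.222,sport=9468,dport=42510), zone=1,protoinfo=(state=SYN_SENT)
tcp, orig=(src=169.254.174.222,dst=10.0.1.5,sport=42510,dport=9468), reply=(src=10.0.1.5,dst=10.0.1.20,sport=9468,dport=42510), zone=1,protoinfo=(state=SYN_SENT)
"""

TUPLE_RE = r"\(src=([^,]+),dst=([^,]+),sport=(\d+),dport=(\d+)\)"
ENTRY_RE = re.compile(r"^(\w+), orig=" + TUPLE_RE + r", reply=" + TUPLE_RE + r"(?:.*?zone=(\d+))?")

@dataclass(frozen=True)
class Entry:
    proto: str
    zone: int
    orig: tuple   # (src, sport, dst, dport) of the untranslated forward packet
    reply: tuple  # (src, sport, dst, dport) of the reply packet as conntrack expects it

def parse_dump(text):
    """Parse dump-conntrack style lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        g = m.groups()
        orig = (g[1], int(g[3]), g[2], int(g[4]))
        reply = (g[5], int(g[7]), g[6], int(g[8]))
        entries.append(Entry(g[0], int(g[9] or 0), orig, reply))
    return entries

def forward_after_nat(e):
    # The forward tuple after this entry's translation is the inverse of its reply tuple.
    rs, rsp, rd, rdp = e.reply
    return (rd, rdp, rs, rsp)

def find_split_nat(entries):
    """Return (first, second, merged) for every pair in the same zone where the second
    entry's original tuple equals the first entry's post-NAT forward tuple, i.e. the
    connection was committed twice and its NAT is split across two entries."""
    by_key = {(e.zone, e.proto, e.orig): e for e in entries}
    results = []
    for first in entries:
        second = by_key.get((first.zone, first.proto, forward_after_nat(first)))
        if second is not None and second is not first:
            results.append((first, second, Entry(first.proto, first.zone, first.orig, second.reply)))
    return results

def format_entry(e):
    osrc, osp, odst, odp = e.orig
    rsrc, rsp, rdst, rdp = e.reply
    return (f"{e.proto}, orig=(src={osrc},dst={odst},sport={osp},dport={odp}), "
            f"reply=(src={rsrc},dst={rdst},sport={rsp},dport={rdp}), zone={e.zone}")

if __name__ == "__main__":
    for first, second, merged in find_split_nat(parse_dump(SAMPLE_DUMP)):
        print("split NAT chain detected; expected single entry:\n  " + format_entry(merged))
```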
