On 26 April 2018 at 06:41, Wei-Yu Chen <[email protected]> wrote:
> Hello all, > > Recently, I’m trying on SNAT with OVS, I tried to apply all possible flows > to OVS, but SNAT still don’t work, so I post this message for asking your > help. > > In my experiment environment, I used Ubuntu 16.04 with kernel version > 4.10.0–28-generic, and OVS’s version 2.9.0. > > I have a VM in my PC, connected VM and OVS with a Linux bridge, as > following illustrated: > > +———————————–+ > | | > | +——+ +—–+ | > | +–+ br +———+ OVS | | > | | +——+ vnet2+—+-+ | > | | | | > | +–+——+ | | > | | VM | | | > | |10.1.1.2 | | | > | +———+ +—+—-+ | > | Ubuntu 16.04 | enp2s0 | | > +————————+——–+-+ > > And OVS have 2 IP addresses, 10.1.1.1/24 and an public IP > address(140.113.x.x) original enp2s0 have. I attached vnet2 and enp2s0 on > my OVS. > > I referred many posts and wrote following script: > > #!/bin/sh > IN="vnet2" > OUT="enp2s0" > > flow1="in_port=$IN,ip,actions=ct(commit,zone=1,nat(src=10.1.1.1)),$OUT" > flow2="in_port=$OUT,ip,ct_state=-trk,actions=ct(zone=1,nat)" > flow3="in_port=$OUT,ip,ct_state=+trk,ct_zone=1,actions=$IN" > > # Add Flows > sudo ovs-ofctl add-flow $BR $flow1 > sudo ovs-ofctl add-flow $BR $flow2 > sudo ovs-ofctl add-flow $BR $flow3 > > But I found ICMP echo to Google DNS from VM (nw_src=10.1.1.2, > nw_dst=8.8.8.8), when it passed to enp2s0, only source IP address changed > to 10.1.1.1, but source MAC address keep same as VM’s MAC, and destination > MAC address keep same as OVS’s MAC address. (VM’s default gateway is > 10.1.1.1/24, OVS’s vnet2 interface). > You need to change the MAC addresses too. > Tcpdump’s log: > > 10.1.1.1 > 8.8.8.8: ICMP echo request, id 725, seq 1, length 64 > 21:12:09.413082 52:54:00:fd:d6:ce > 70:4d:7b:6e:16:e0, ethertype IPv4 > (0x0800), length 98: (tos 0x0, ttl 64, id 41649, offset 0, flags [DF], proto > ICMP (1), length 84) > > I also tried to find reason by conntrack tool, but it shows only 10.1.1.2 > have a NEW connection to 8.8.8.8 but didn’t get any reply. > > I can’t figure out why OVS’s SNAT didn’t work, do my flows have wrong? Any > suggestion and idea is appreciated, Thanks very much. > > P.s. Attachment is illustration snapshot, if illustrate broken in mail > viewer, please take a look on the attachment. > > > > --- > Best Regards, > > Wei-Yu Chen > Wireless Internet Laboratory > Department of Computer Science > National Chiao Tung University > > > _______________________________________________ > discuss mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss > >
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
