On 22 June 2016 at 10:15, Chandra Sekhar Vejendla <[email protected]> wrote:
> > Hi Guru, > > I am fine with the changes. You can go ahead and apply them. > Thank you, applied! > > Thanks, > Chandra > > Guru Shetty <[email protected]> wrote on 06/22/2016 09:39:17 AM: > > > From: Guru Shetty <[email protected]> > > To: Chandra Sekhar Vejendla/San Jose/IBM@IBMUS > > Cc: ovs dev <[email protected]> > > Date: 06/22/2016 09:39 AM > > Subject: Re: [ovs-dev] [PATCH] ovn: Allow IP packets destined to > > router ip for SNAT > > > > On 21 June 2016 at 18:36, Chandra S Vejendla <[email protected]> > wrote: > > By default all the ip traffic destined to router ip is dropped in > > lr_in_ip_input stage. When the router ip is used as snat ip, allow > > reverse snat traffic destined to the router ip. > > > > Signed-off-by: Chandra Sekhar Vejendla <[email protected]> > > > > Thank you for the fix! This needs an update to ovn-northd.8.xml. If > > you are happy with the following incremental which does that (and > > also adds your name to AUTHORS and makes a couple of stylistic > > changes), I will apply it. > > > > diff --git a/AUTHORS b/AUTHORS > > index e2ac267..c39fdd3 100644 > > --- a/AUTHORS > > +++ b/AUTHORS > > @@ -39,6 +39,7 @@ Bruce Davie [email protected] > > Bryan Phillippe [email protected] > > Carlo Andreotti [email protected] > > Casey Barker [email protected] > > +Chandra Sekhar Vejendla [email protected] > > Christoph Jaeger [email protected] > > Chris Wright [email protected] > > Chuck Short [email protected] > > diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml > > index 22edba9..6d52f7e 100644 > > --- a/ovn/northd/ovn-northd.8.xml > > +++ b/ovn/northd/ovn-northd.8.xml 
> > @@ -631,7 +631,10 @@ output; > > handled by one of the flows above, which amounts to ICMP (other > than > > echo requests) and fragments with nonzero offsets. For > > each IP address > > <var>A</var> owned by the router, a priority-60 flow matches > > - <code>ip4.dst == <var>A</var></code> and drops the traffic. > > + <code>ip4.dst == <var>A</var></code> and drops the traffic. An > > + exception is made and the above flow is not added if the router > > + port's own IP address is used to SNAT packets passing through > that > > + router. > > </li> > > </ul> > > > > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > > index 6ff303e..1599e18 100644 > > --- a/ovn/northd/ovn-northd.c > > +++ b/ovn/northd/ovn-northd.c > > @@ -2047,9 +2047,9 @@ build_lrouter_flows(struct hmap *datapaths, > > struct hmap *ports, > > } > > > > /* Drop IP traffic to this router, unless the router ip is used > as > > - * snat ip. */ > > + * SNAT ip. */ > > bool snat_ip_is_router_ip = false; > > - for (int i = 0; i < op->od->nbr->n_nat && ! > > snat_ip_is_router_ip; i++) { > > + for (int i = 0; i < op->od->nbr->n_nat; i++) { > > const struct nbrec_nat *nat; > > ovs_be32 ip; > > > > @@ -2057,14 +2057,17 @@ build_lrouter_flows(struct hmap *datapaths, > > struct hmap *ports, > > if (strcmp(nat->type, "snat")) { > > continue; > > } > > + > > if (!ip_parse(nat->external_ip, &ip) || !ip) { > > static struct vlog_rate_limit rl = > > VLOG_RATE_LIMIT_INIT(5, 1); > > VLOG_WARN_RL(&rl, "bad ip address %s in snat > configuration " > > "for router %s", nat->external_ip, op->key); > > continue; > > } > > + > > if (ip == op->ip) { > > snat_ip_is_router_ip = true; > > + break; > > } > > } > > > > > > --- > > ovn/northd/ovn-northd.c | 33 ++++++++++++++++++++++++++++----- > > 1 file changed, 28 insertions(+), 5 deletions(-) > > > > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > > index 17713ec..6ff303e 100644 > > --- a/ovn/northd/ovn-northd.c > > +++ b/ovn/northd/ovn-northd.c 
> > @@ -2046,11 +2046,34 @@ build_lrouter_flows(struct hmap *datapaths, > > struct hmap *ports, > > free(actions); > > } > > > > - /* Drop IP traffic to this router. */ > > - match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip)); > > - ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60, > > - match, "drop;"); > > - free(match); > > + /* Drop IP traffic to this router, unless the router ip is used > as > > + * snat ip. */ > > + bool snat_ip_is_router_ip = false; > > + for (int i = 0; i < op->od->nbr->n_nat && ! > > snat_ip_is_router_ip; i++) { > > + const struct nbrec_nat *nat; > > + ovs_be32 ip; > > + > > + nat = op->od->nbr->nat[i]; > > + if (strcmp(nat->type, "snat")) { > > + continue; > > + } > > + if (!ip_parse(nat->external_ip, &ip) || !ip) { > > + static struct vlog_rate_limit rl = > > VLOG_RATE_LIMIT_INIT(5, 1); > > + VLOG_WARN_RL(&rl, "bad ip address %s in snat > configuration " > > + "for router %s", nat->external_ip, op->key); > > + continue; > > + } > > + if (ip == op->ip) { > > + snat_ip_is_router_ip = true; > > + } > > + } > > + > > + if (!snat_ip_is_router_ip) { > > + match = xasprintf("ip4.dst == "IP_FMT, IP_ARGS(op->ip)); > > + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 60, > match, > > + "drop;"); > > + free(match); > > + } > > } > > > > /* NAT in Gateway routers. */ > > -- > > 2.6.1 > > > > _______________________________________________ > > dev mailing list > > [email protected] > > http://openvswitch.org/mailman/listinfo/dev > _______________________________________________ > dev mailing list > [email protected] > http://openvswitch.org/mailman/listinfo/dev > _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
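Review bot: In the ovn-northd.8.xml hunk (@@ -631,7 +631,10), the added sentence says "the above flow is not added" but leaves out what then happens to packets with ip4.dst == A, and "used to SNAT packets" is looser than what the code checks. Suggest stating that in this case traffic to A is not dropped in this stage and continues through the router pipeline, and that the condition is a NAT entry of type "snat" whose external_ip equals the router port's address, matching the `strcmp(nat->type, "snat")` and `ip == op->ip` tests in ovn-northd.c.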
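Review bot: In the ovn-northd.c hunk at @@ -2046,11 +2046,34, the `if (!snat_ip_is_router_ip)` guard leaves out the priority-60 `ip4.dst == <router ip>` drop flow entirely, so as soon as one snat entry uses the router IP, every IP packet addressed to the router that earlier flows do not handle gets past S_ROUTER_IN_IP_INPUT, not only the reverse SNAT traffic the commit message describes. Suggest saying so in the comment above the loop and confirming that traffic to the router IP which is not reverse SNAT traffic is still dropped at a later stage. The diffstat lists only ovn/northd/ovn-northd.c, so neither branch is covered by a test; a case with and without an snat external_ip equal to the router IP would protect the default drop from regressing.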
