Hi Numan,

Thanks for applying the patches. Sure, I have sent out the NEW entry changes.

Just noticed that Acked-by is missing in the commits.

Regards,
Ankur

From: Numan Siddique <num...@ovn.org>
Sent: Friday, November 1, 2019 9:51 AM
To: Ankur Sharma <ankur.sha...@nutanix.com>
Cc: ovs-dev@openvswitch.org
Subject: Re: [ovs-dev] [PATCH v4 0/2] ALLOW Stateless NAT operations

On Fri, Nov 1, 2019, 2:57 PM Numan Siddique <num...@ovn.org> wrote:

On Fri, Nov 1, 2019 at 6:58 AM Ankur Sharma <ankur.sha...@nutanix.com> wrote:
>
> NAT implementation in OVN uses connection tracker to replace
> source and dest ips. This implementation works fine and
> is the right approach for cases where external ips are shared
> (i.e. SNAT) or where we replace ip only when relevant flow is there
> (i.e. DNAT).
>
> However, it opens the possibility of DoS attack, where attacker
> can easily simulate multiple 5 tuples, to consume the connection
> tracker entry in an OVN chassis. This way they can easily attain
> the CT limit, thereby impacting the usage of it by other features
> like valid NAT, ACL etc.
>
> This attack is even worse, when external ip is a public ip,
> i.e. internet routable ip.
>
> In this patch we are introducing an option with NAT table entry.
> Option "stateless=true" indicates that NAT implementation
> should not be using CT, i.e. it should not use ct_snat/dnat actions.
>
> Instead of ct_* actions, we will use ip4.src/dst OVN actions, which
> will replace source and destination ips, while recalculating the
> checksums.
>
> This option is applicable only for the NAT rules which can be
> 1:1 mapped between inner and external ips, i.e. dnat_and_snat rule.
>
> Signed-off-by: Ankur Sharma <ankur.sha...@nutanix.com>

Thanks. I applied this series to master. Can you please submit a follow up patch to add a news entry?

Numan

> Ankur Sharma (2):
>   OVN: ADD nbctl cli to mark a dnat_and_snat rule as stateless
>   OVN: Use ip4.src and ip4.dst actions for NAT rules
>
>  northd/ovn-northd.8.xml   |  33 ++++-
>  northd/ovn-northd.c       |  84 +++++++++++--
>  ovn-nb.ovsschema          |   6 +-
>  ovn-nb.xml                |   5 +
>  tests/ovn-nbctl.at        |  37 ++++++
>  tests/ovn-northd.at       |  95 ++++++++++++++
>  tests/ovn.at              | 311 ++++++++++++++++++++++++++++++++++++++++++++++
>  utilities/ovn-nbctl.8.xml |  12 +-
>  utilities/ovn-nbctl.c     |  30 ++++-
>  9 files changed, 594 insertions(+), 19 deletions(-)
>
> --
> 1.8.3.1
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
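Added example, not part of this thread or of the OVN patches themselves: a small model of the stateless dnat_and_snat rewrite the cover letter describes, where a 1:1 rule is applied by rewriting ip4.src or ip4.dst and recomputing the IPv4 header checksum, with no ct_snat/ct_dnat and therefore no connection-tracker entry per 5-tuple. The rule dictionary, its field names, the sample addresses and the stateless_nat helper are assumptions constructed for illustration, and only the IP header checksum is handled here (transport-layer checksums over the pseudo-header would need the same treatment).

```python
import ipaddress
import struct

# Constructed sample rule, modelled on the dnat_and_snat row the patch extends
# with stateless=true (field names here are an assumption for illustration).
RULE = {"type": "dnat_and_snat", "stateless": True,
        "logical_ip": "10.0.0.2", "external_ip": "198.51.100.10"}


def ipv4_checksum(header: bytes) -> int:
    # RFC 791 header checksum: one's-complement sum of 16-bit words, folded,
    # then complemented. Over a header carrying a correct checksum it yields 0.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    # Minimal 20-byte header with a valid checksum (constructed test traffic).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def header_checksum_ok(pkt: bytes) -> bool:
    return ipv4_checksum(pkt[:20]) == 0


def stateless_nat(pkt: bytes, rule: dict, direction: str) -> bytes:
    # Stateless path: no ct_snat/ct_dnat, so no CT entry is created per 5-tuple.
    # Only a 1:1 (dnat_and_snat) rule can be applied without state, because the
    # reverse mapping is fixed and needs no per-flow lookup.
    if rule["type"] != "dnat_and_snat" or not rule.get("stateless"):
        raise ValueError("stateless rewrite is only valid for dnat_and_snat rules")
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if direction == "egress" and str(src) == rule["logical_ip"]:
        src = ipaddress.IPv4Address(rule["external_ip"])   # ip4.src = external ip
    elif direction == "ingress" and str(dst) == rule["external_ip"]:
        dst = ipaddress.IPv4Address(rule["logical_ip"])    # ip4.dst = logical ip
    else:
        return pkt                                         # rule does not match
    # Rewrite the addresses, zero the checksum field and recompute it.
    hdr = pkt[:10] + b"\x00\x00" + src.packed + dst.packed
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


if __name__ == "__main__":
    out = stateless_nat(build_ipv4("10.0.0.2", "203.0.113.7"), RULE, "egress")
    print(ipaddress.IPv4Address(out[12:16]), header_checksum_ok(out))
```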