Hello all,

Recently I have been trying SNAT with OVS. I tried to apply all possible
flows to OVS, but SNAT still doesn't work, so I am posting this message to
ask for your help.

In my experiment environment, I used Ubuntu 16.04 with kernel version
4.10.0-28-generic, and OVS version 2.9.0.

I have a VM on my PC, and I connected the VM and OVS with a Linux bridge,
as illustrated below:

+-----------------------------------+
|                                   |
|     +------+           +-----+    |
|  +--+  br  +-----------+ OVS |    |
|  |  +------+     vnet2 +--+--+    |
|  |                        |       |
|  +--+------+              |       |
|  |   VM    |              |       |
|  |10.1.1.2 |              |       |
|  +---------+          +---+----+  |
|   Ubuntu 16.04        | enp2s0 |  |
+-----------------------+--------+--+

OVS has 2 IP addresses, 10.1.1.1/24 and a public IP address (140.113.x.x)
that enp2s0 originally had. I attached vnet2 and enp2s0 to my OVS.

I referred to many posts and wrote the following script:

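#!/bin/sh
# OVS bridge name; it was never set in the original script, so require it
# from the environment, e.g. BR=<bridge> ./script.sh
: "${BR:?set BR to the name of the OVS bridge}"
IN="vnet2"
OUT="enp2s0"

# From the VM port: commit in conntrack zone 1 with SNAT to 10.1.1.1, then output
flow1="in_port=$IN,ip,actions=ct(commit,zone=1,nat(src=10.1.1.1)),$OUT"
# From the uplink, untracked: pass through conntrack zone 1 with NAT
flow2="in_port=$OUT,ip,ct_state=-trk,actions=ct(zone=1,nat)"
# From the uplink, tracked in zone 1: output to the VM port
flow3="in_port=$OUT,ip,ct_state=+trk,ct_zone=1,actions=$IN"

# Add Flows
sudo ovs-ofctl add-flow "$BR" "$flow1"
sudo ovs-ofctl add-flow "$BR" "$flow2"
sudo ovs-ofctl add-flow "$BR" "$flow3"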

But I found that for an ICMP echo to Google DNS from the VM
(nw_src=10.1.1.2, nw_dst=8.8.8.8), when it passed to enp2s0, only the
source IP address changed to 10.1.1.1, but the source MAC address stayed
the same as the VM's MAC, and the destination MAC address stayed the same
as OVS's MAC address. (The VM's default gateway is 10.1.1.1/24, OVS's vnet2
interface.)

Tcpdump’s log:

    10.1.1.1 > 8.8.8.8: ICMP echo request, id 725, seq 1, length 64
21:12:09.413082 52:54:00:fd:d6:ce > 70:4d:7b:6e:16:e0, ethertype IPv4
(0x0800), length 98: (tos 0x0, ttl 64, id 41649, offset 0, flags [DF],
proto ICMP (1), length 84)

I also tried to find the reason with the conntrack tool, but it shows only
that 10.1.1.2 has a NEW connection to 8.8.8.8 but didn't get any reply.

I can't figure out why OVS's SNAT didn't work. Is something wrong with my
flows? Any suggestions and ideas are appreciated. Thanks very much.

P.S. The attachment is a snapshot of the illustration; if the illustration
is broken in your mail viewer, please take a look at the attachment.



---
Best Regards,

Wei-Yu Chen
Wireless Internet Laboratory
Department of Computer Science
National Chiao Tung University
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
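
Added example (not part of the original post, and not Open vSwitch project code): a small check over `tcpdump -e -n -v` text from the uplink that flags the symptoms described above, namely frames whose Ethernet addresses are unchanged after NAT or whose source address is still in the private subnet. The function names, the second sample frame, the gateway MAC 02:00:00:00:00:01 and 192.0.2.10 (standing in for the public address) are constructed; capture lines are assumed to be unwrapped, one header line plus one indented IP line per packet.

```shell
#!/bin/sh
# check_uplink_frames HOST_MAC PRIVATE_PREFIX < tcpdump-output
# HOST_MAC:       MAC of the OVS host on the uplink (70:4d:7b:6e:16:e0 in the post)
# PRIVATE_PREFIX: textual prefix of the inside subnet, e.g. "10.1.1."
check_uplink_frames() {
    awk -v host_mac="$1" -v priv="$2" '
    # Link-level header: "<time> <src mac> > <dst mac>, ethertype IPv4 ..."
    $3 == ">" && /ethertype IPv4/ {
        src_mac = $2
        dst_mac = $4; sub(/,$/, "", dst_mac)
        next
    }
    # Indented IP line: "<src ip> > <dst ip>: ICMP echo request, ..."
    src_mac != "" && $2 == ">" {
        src_ip = $1
        dst_ip = $3; sub(/:$/, "", dst_ip)
        verdict = ""
        # A frame leaving the uplink should be sourced from the host MAC
        if (src_mac != host_mac) verdict = verdict " src-mac-not-rewritten"
        # A frame still addressed to the host itself was never forwarded at L2
        if (dst_mac == host_mac) verdict = verdict " dst-mac-is-host"
        # A private source address cannot receive replies from the Internet
        if (index(src_ip, priv) == 1) verdict = verdict " private-src-ip"
        if (verdict == "") verdict = " ok"
        printf "%s > %s:%s\n", src_ip, dst_ip, verdict
        src_mac = ""
    }'
}

# Constructed sample: frame 1 uses the values quoted in the post, frame 2 is
# a made-up frame showing what a fully translated packet would look like.
sample_capture() {
    cat <<'EOF'
21:12:09.413082 52:54:00:fd:d6:ce > 70:4d:7b:6e:16:e0, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 41649, offset 0, flags [DF], proto ICMP (1), length 84)
    10.1.1.1 > 8.8.8.8: ICMP echo request, id 725, seq 1, length 64
21:12:10.000000 70:4d:7b:6e:16:e0 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 63, id 41650, offset 0, flags [DF], proto ICMP (1), length 84)
    192.0.2.10 > 8.8.8.8: ICMP echo request, id 725, seq 2, length 64
EOF
}

sample_capture | check_uplink_frames 70:4d:7b:6e:16:e0 10.1.1.
```

The conntrack `nat` action only translates IP addresses and ports, so the Ethernet header leaves the switch exactly as it arrived unless a flow rewrites it explicitly.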
