Re: [ovs-discuss] external port range on internal logical ip seems weird

2020-04-22 Thread Flavio Fernandes
[inline]

On Tue, Apr 21, 2020 at 10:44 PM Ankur Sharma 
wrote:

> Hi Flavio,
>
> Glad to see your feedback, please find my replies inline.
>

[flaviof] Heh, my pleasure, really.


>
> Regards,
> Ankur
>
> --
> *From:* Flavio Fernandes 
> *Sent:* Tuesday, April 21, 2020 6:59 AM
> *To:* Ankur Sharma 
> *Cc:* Numan Siddique ; Mark Michelson <
> mmich...@redhat.com>; Terry Wilson ;
> ovs-discuss@openvswitch.org 
> *Subject:* external port range on internal logical ip seems weird
>
> [cc Numan, Mark, Terry, ovs-discuss]
>
> Hi Ankur,
>
> I'm taking a deeper look at the changes for external port range [0] and
> scratching
> my head a little bit about a particular behavior.
>
> Let me start by mentioning a basic setup I'm using:
>
> 1 internal switch with 1 logical port to represent a vm (10.0.0.3/24)
>
> 1 public switch (172.16.0.0/24)
>
> 1 rtr that connects both logical switches (10.0.0.1, 172.16.0.100)
> 1 snat_and_dnat rule for translating the ip, using port range
>
> NOTE: The exact script is in this gist [1].
> ovn-nbctl lsp-add sw0 sw0-port1
> ovn-nbctl ls-add public
> ...
> ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:03 10.0.0.3"
> ovn-nbctl lr-add lr0
> ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
> ...
> ovn-nbctl lrp-add lr0 lr0-public 00:00:20:20:12:13 172.16.0.100/24
> ...
> ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 172.16.0.110 10.0.0.3
> sw0-port1 30:54:00:00:00:03 8080-8082
>
> And this is what the logical flow looks like regarding NAT:
> [root@ovn-central /]# ovn-sbctl dump-flows lr0 | grep -i -e 'ct_' -e
> 'nat'
>   table=5 (lr_in_unsnat   ), priority=100  , match=(ip && ip4.dst ==
> 172.16.0.110 && inport == "lr0-public"), action=(ct_snat;)
>   table=5 (lr_in_unsnat   ), priority=0, match=(1), action=(next;)
>   table=6 (lr_in_dnat ), priority=100  , match=(ip && ip4.dst ==
> 172.16.0.110 && inport == "lr0-public"),
> action=(ct_dnat(10.0.0.3,8080-8082);)
>   table=6 (lr_in_dnat ), priority=0, match=(1), action=(next;)
>   table=0 (lr_out_undnat  ), priority=100  , match=(ip && ip4.src ==
> 10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03;
> ct_dnat;)
>   table=0 (lr_out_undnat  ), priority=0, match=(1), action=(next;)
>   table=1 (lr_out_snat), priority=120  , match=(nd_ns),
> action=(next;)
>   table=1 (lr_out_snat), priority=33   , match=(ip && ip4.src ==
> 10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03;
> ct_snat(172.16.0.110,8080-8082);)
>   table=1 (lr_out_snat), priority=0, match=(1), action=(next;)
>   table=2 (lr_out_egr_loop), priority=100  , match=(ip4.dst ==
> 172.16.0.110 && outport == "lr0-public" &&
> is_chassis_resident("sw0-port1")), action=(clone { ct_clear; inport =
> outport; outport = ""; flags = 0; flags.loopback = 1; reg0 = 0; reg1 = 0;
> reg2 = 0; reg3 = 0; reg4 = 0; reg5 = 0; reg6 = 0; reg7 = 0; reg8 = 0; reg9
> = 0; reg9[0] = 1; next(pipeline=ingress, table=0); };)
>
> Out of that:
> [root@ovn-central /]# ovn-sbctl dump-flows lr0 | grep 8080
>   table=6 (lr_in_dnat ), priority=100  , match=(ip && ip4.dst ==
> 172.16.0.110 && inport == "lr0-public"),
> action=(ct_dnat(10.0.0.3,8080-8082);)
>   table=1 (lr_out_snat), priority=33   , match=(ip && ip4.src ==
> 10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03;
> ct_snat(172.16.0.110,8080-8082);)
>
> The rule "ct_dnat(10.0.0.3,8080-8082)" -- line 40 in gist [1] --  seems
> wrong to me because external port range should, as the name suggests, be
> only applied to the external ip[2]. Am I missing something? That particular
> code lives here [3][4].
>
> What do you think? Maybe we also need "internal_port_range" semantics?
>
> [ANKUR]: Idea behind port range is to specify the range for port address
> translation (PAT). Netfilter allows specification for translating port also,
> whil

Re: [ovs-discuss] external port range on internal logical ip seems weird

2020-04-21 Thread Ankur Sharma
Hi Flavio,

Glad to see your feedback, please find my replies inline.

Regards,
Ankur


From: Flavio Fernandes 
Sent: Tuesday, April 21, 2020 6:59 AM
To: Ankur Sharma 
Cc: Numan Siddique ; Mark Michelson ; 
Terry Wilson ; ovs-discuss@openvswitch.org 

Subject: external port range on internal logical ip seems weird

[cc Numan, Mark, Terry, ovs-discuss]

Hi Ankur,

I'm taking a deeper look at the changes for external port range [0] and 
scratching
my head a little bit about a particular behavior.

Let me start by mentioning a basic setup I'm using:

1 internal switch with 1 logical port to represent a vm (10.0.0.3/24)
1 public switch (172.16.0.0/24)
1 rtr that connects both logical switches (10.0.0.1, 172.16.0.100)
1 snat_and_dnat rule for translating the ip, using port range

NOTE: The exact script is in this gist [1].
ovn-nbctl lsp-add sw0 sw0-port1
ovn-nbctl ls-add public
...
ovn-nbctl lsp-set-addresses sw0-port1 "50:54:00:00:00:03 10.0.0.3"
ovn-nbctl lr-add lr0
ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
...
ovn-nbctl lrp-add lr0 lr0-public 00:00:20:20:12:13 172.16.0.100/24
...
ovn-nbctl --portrange lr-nat-add lr0 dnat_and_snat 172.16.0.110 10.0.0.3 
sw0-port1 30:54:00:00:00:03 8080-8082

And this is what the logical flow looks like regarding NAT:
[root@ovn-central /]# ovn-sbctl dump-flows lr0 | grep -i -e 'ct_' -e 'nat'
  table=5 (lr_in_unsnat   ), priority=100  , match=(ip && ip4.dst == 
172.16.0.110 && inport == "lr0-public"), action=(ct_snat;)
  table=5 (lr_in_unsnat   ), priority=0, match=(1), action=(next;)
  table=6 (lr_in_dnat ), priority=100  , match=(ip && ip4.dst == 
172.16.0.110 && inport == "lr0-public"), action=(ct_dnat(10.0.0.3,8080-8082);)
  table=6 (lr_in_dnat ), priority=0, match=(1), action=(next;)
  table=0 (lr_out_undnat  ), priority=100  , match=(ip && ip4.src == 
10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03; 
ct_dnat;)
  table=0 (lr_out_undnat  ), priority=0, match=(1), action=(next;)
  table=1 (lr_out_snat), priority=120  , match=(nd_ns), action=(next;)
  table=1 (lr_out_snat), priority=33   , match=(ip && ip4.src == 
10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03; 
ct_snat(172.16.0.110,8080-8082);)
  table=1 (lr_out_snat), priority=0, match=(1), action=(next;)
  table=2 (lr_out_egr_loop), priority=100  , match=(ip4.dst == 172.16.0.110 
&& outport == "lr0-public" && is_chassis_resident("sw0-port1")), action=(clone 
{ ct_clear; inport = outport; outport = ""; flags = 0; flags.loopback = 1; reg0 
= 0; reg1 = 0; reg2 = 0; reg3 = 0; reg4 = 0; reg5 = 0; reg6 = 0; reg7 = 0; reg8 
= 0; reg9 = 0; reg9[0] = 1; next(pipeline=ingress, table=0); };)

Out of that:
[root@ovn-central /]# ovn-sbctl dump-flows lr0 | grep 8080
  table=6 (lr_in_dnat ), priority=100  , match=(ip && ip4.dst == 
172.16.0.110 && inport == "lr0-public"), action=(ct_dnat(10.0.0.3,8080-8082);)
  table=1 (lr_out_snat), priority=33   , match=(ip && ip4.src == 
10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03; 
ct_snat(172.16.0.110,8080-8082);)

The rule "ct_dnat(10.0.0.3,8080-8082)" -- line 40 in gist [1] --  seems wrong 
to me because external port range should, as the name suggests, be only applied 
to the external ip[2]. Am I missing something? That particular code lives here 
[3][4].

What do you think? Maybe we also need "internal_port_range" semantics?

[ANKUR]: Idea behind port range is to specify the range for port address 
translation (PAT). Netfilter allows specification for translating port also, 
while doing (src/dest) IP translation. Now, this PAT happens in either 
direction (based on SNAT or DNAT) and probably that's the reason the phrase 
"external" is causing confusion. We don't need separate semantics, we can just 
move to a generic semantics from "external_port_range" to "port_range".

Not
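The question in this thread is which address a `--portrange` ends up attached to in the generated logical flows. The script below is an added example, written for this page and not code from the OVN project or from either poster. It parses `ovn-sbctl dump-flows` output of the shape quoted above (the sample is constructed from the flow lines in the thread), pulls out every `ct_dnat`/`ct_snat` action together with the address and port range it carries, and lists the ones whose range is applied to an address other than the external NAT IP. The function names, the record layout and the `EXTERNAL_IP` constant (taken from the thread's `lr-nat-add` command) are the example's own assumptions.

```python
import re

# Constructed sample: the NAT-related logical flows that `ovn-sbctl dump-flows lr0`
# printed in the thread, one flow per line, with the column padding ovn-sbctl emits.
SAMPLE_FLOWS = """\
  table=5 (lr_in_unsnat   ), priority=100  , match=(ip && ip4.dst == 172.16.0.110 && inport == "lr0-public"), action=(ct_snat;)
  table=5 (lr_in_unsnat   ), priority=0, match=(1), action=(next;)
  table=6 (lr_in_dnat     ), priority=100  , match=(ip && ip4.dst == 172.16.0.110 && inport == "lr0-public"), action=(ct_dnat(10.0.0.3,8080-8082);)
  table=0 (lr_out_undnat  ), priority=100  , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03; ct_dnat;)
  table=1 (lr_out_snat    ), priority=33   , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public"), action=(eth.src = 30:54:00:00:00:03; ct_snat(172.16.0.110,8080-8082);)
"""

# External address from the thread's `lr-nat-add lr0 dnat_and_snat 172.16.0.110 10.0.0.3 ...`
EXTERNAL_IP = "172.16.0.110"

# One dump-flows line: table=N (stage), priority=P, match=(...), action=(...)
FLOW_RE = re.compile(
    r"table=(?P<table>\d+)\s+\((?P<stage>\w+)\s*\),\s*priority=(?P<prio>\d+)\s*,"
    r"\s*match=\((?P<match>.*)\),\s*action=\((?P<action>.*)\)$"
)

# A ct_dnat/ct_snat action, bare ("ct_snat;") or with address and optional port range
# ("ct_dnat(10.0.0.3,8080-8082);").  ct_dnat rewrites the destination, ct_snat the source.
CT_RE = re.compile(
    r"\b(?P<verb>ct_dnat|ct_snat)"
    r"(?:\((?P<ip>[0-9.]+)(?:,(?P<lo>\d+)-(?P<hi>\d+))?\))?;"
)


def parse_nat_flows(dump):
    """Return one record per ct_dnat/ct_snat occurrence found in dump-flows text.

    Lines that are not logical flows (datapath headers, pipeline banners) and flows
    whose action carries no ct_* verb are skipped.
    """
    records = []
    for raw in dump.splitlines():
        m = FLOW_RE.match(raw.strip())
        if not m:
            continue
        for ct in CT_RE.finditer(m["action"]):
            records.append({
                "table": int(m["table"]),
                "stage": m["stage"],
                "priority": int(m["prio"]),
                "match": m["match"],
                "verb": ct["verb"],
                "ip": ct["ip"],                       # None for a bare ct_dnat;/ct_snat;
                "ports": (int(ct["lo"]), int(ct["hi"])) if ct["lo"] else None,
            })
    return records


def port_ranged_targets(records):
    """Map each address that receives a port range onto the (verb, (lo, hi)) pairs doing so."""
    targets = {}
    for r in records:
        if r["ports"]:
            targets.setdefault(r["ip"], []).append((r["verb"], r["ports"]))
    return targets


def internal_ip_gets_port_range(records, external_ip):
    """Records whose port range is applied to an address other than the external NAT IP.

    For the thread's setup this is exactly the lr_in_dnat flow with
    ct_dnat(10.0.0.3,8080-8082): the range is attached to the internal address.
    """
    return [r for r in records if r["ports"] and r["ip"] != external_ip]


if __name__ == "__main__":
    recs = parse_nat_flows(SAMPLE_FLOWS)
    for ip, uses in sorted(port_ranged_targets(recs).items()):
        print(f"{ip}: {uses}")
    for r in internal_ip_gets_port_range(recs, EXTERNAL_IP):
        print(f"{r['stage']} (table {r['table']}): {r['verb']} applies ports "
              f"{r['ports'][0]}-{r['ports'][1]} to {r['ip']}, which is not {EXTERNAL_IP}")
```

Run it against a live `ovn-sbctl dump-flows <router>` piped in as `SAMPLE_FLOWS` to see which addresses a `--portrange` is bound to on a real deployment; the `match` field is kept in each record so the inport/outport restriction of each NAT flow can be checked alongside the address.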