From: Florian Westphal <fw@strlen.de>
To: Thomas Graf <tgraf@suug.ch>
Cc: Florian Westphal <fw@strlen.de>,
	Jarno Rajahalme <jrajahalme@nicira.com>,
	netdev@vger.kernel.org, dev@openvswitch.org
Subject: Re: [RFC PATCH 5/5] openvswitch: Interface with NAT.
Date: Wed, 21 Oct 2015 16:42:12 +0200
Message-ID: <20151021144212.GB31323@breakpoint.cc>
In-Reply-To: <20151021113054.GB17991@pox.localdomain>

Thomas Graf <tgraf@suug.ch> wrote:
> On 10/21/15 at 11:34am, Florian Westphal wrote:
> > Jarno Rajahalme <jrajahalme@nicira.com> wrote:
> > >  #define OVS_CS_F_REPLY_DIR         0x08 /* Flow is in the reply direction. */
> > >  #define OVS_CS_F_INVALID           0x10 /* Could not track connection. */
> > >  #define OVS_CS_F_TRACKED           0x20 /* Conntrack has occurred. */
> > > +#define OVS_CS_F_SRC_NAT           0x40 /* Packet's source address/port was
> > > +					   mangled by NAT. */
> > > +#define OVS_CS_F_DST_NAT           0x80 /* Packet's destination address/port
> > > +					   was mangled by NAT. */
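Review bot: The comments on OVS_CS_F_SRC_NAT and OVS_CS_F_DST_NAT do not say how the bits behave for a packet that also has OVS_CS_F_REPLY_DIR set, where the reverse translation rewrites the opposite address/port from the one the NAT rule named. State in each comment whether the flag describes what was changed on this packet or the type of NAT applied to the connection. The wrapped trailing comments would also be easier to read as a block comment on the line above each define.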
> > 
> > I'm blind -- how does ovs deal with change of output device and the
> > ether dst mac as result of a l3 dst translation?
> 
> I assume you are referring to rewriting of L2 and the forwarding decision
> after NAT. As NAT is performed in combination with conntrack, the packet
> is recirculated and hits the flow table again after NAT. That 2nd
> stage flow must take care of performing L3 by rewriting L2, decrementing
> TTL, etc.
>
> Is this what you are referring to?

Yes, exactly, thanks for answering my question.

[ in classic bridge netfilter this requires route lookup & neigh stunts
  to deal with the consequences of dnat, i.e.

- route says dst is reachable via some other interface not part of
bridge
- route says that dst is localhost
- route says it's on same bridge, but neigh has no idea what the new
dst mac address is, etc.

I was kinda disappointed to not see similar tur^W hacks ;)
