This series adds NAT support to openvswitch kernel module. A few changes are needed to the netfilter code to facilitate this (patches 1-2/7). Patches 3-6 make the openvswitch kernel module ready for the patch 7 that adds the NAT support by calling into netfilter NAT code from the openvswitch conntrack action. This version addresses all the comments received on prior versions and rebases to current nf-next. The OVS master now has the corresponding OVS userspace support to use and test the NAT features. Below if a walk through of a simple use case. In this case ports 1 and 2 are in different namespaces. The OpenFlow table below only allows IPv4 connections initiated from port 1, and applies source NAT to those connections: in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat) in_port=2,ct_state=+est,ct_zone=1,ip,action=1 This flow table matches all IPv4 traffic from port 1, runs them through conntrack in zone 1 and NATs them. The NAT is initialized to do source IP mapping to the given range for the first packet of each connection, after which the new connection is committed (confirmed). For further packets of already tracked connections NAT is done according to the connection state and the commit is a no-op. Each packet that is not flagged as a drop by the CT action is forwarded to port 2. The CT action does an implicit fragmentation reassembly, so that only complete packets are run through conntrack. Reassembled packets are re-fragmented on output. The IPv4 traffic coming from port 2 is first matched for the non-tracked state (-trk), which means that the packet has not been through a CT action yet. Such traffic is run trough the conntrack in zone 1 and all packets associated with a NATted connection are NATted also in the return direction. After the packet has been through conntrack it is recirculated back to OpenFlow table 0 (which is the default table, so all the rules above are in table 0). The CT action changes the 'trk' flag to being set, so the packets after recirculation no longer match the second rule. The third rule then matches the recirculated packets that were marked as established by conntrack (+est), and the packet is output on port 1. Matching on ct_zone is not strictly needed, but in this test case it verifies that the ct_zone key attribute is properly set by the conntrack action. A full test case requires rules for ARP handling not shown here. The flow table above is an OpenFlow table, and the rules therein are translated to kernel flow entries on-demand by ovs-vswitchd. Jarno Rajahalme (7): netfilter: Remove IP_CT_NEW_REPLY definition. netfilter: Allow calling into nat helper without skb_dst. openvswitch: Update the CT state key only after nf_conntrack_in(). openvswitch: Find existing conntrack entry after upcall. openvswitch: Handle NF_REPEAT in conntrack action. openvswitch: Delay conntrack helper call for new connections. openvswitch: Interface with NAT. include/uapi/linux/netfilter/nf_conntrack_common.h | 12 +- include/uapi/linux/openvswitch.h | 47 ++ net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 30 +- net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 30 +- net/openvswitch/conntrack.c | 646 +++++++++++++++++++-- net/openvswitch/conntrack.h | 3 +- 6 files changed, 682 insertions(+), 86 deletions(-) -- 2.1.4 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
