author    Gurucharan Shetty <guru@ovn.org>  2016-05-10 18:59:01 -0700
committer Gurucharan Shetty <guru@ovn.org>  2016-06-21 11:45:56 -0700
commit    de2975479605ad91c3d26678b491ea40f24c239f (patch)
tree      78ce71f35b2a0e00b1c875a015aa38574e0c2ccc /ovn/ovn-nb.ovsschema
parent    a1361a6ed65fc39c52cfd4418f154d1c9abcb3f8 (diff)
ovn: DNAT and SNAT on a gateway router.
For traffic from physical space to virtual space we need DNAT. The DNAT happens in the gateway router and reaches the logical port. The return traffic should be unDNATed.

Traffic originating in virtual space heading to physical space should be SNATed. The return traffic is unSNATted.

East-west traffic with the public destination IP address needs a DNAT. This traffic is punted to the l3 gateway where DNAT takes place. This traffic is also SNATed and eventually loops back to its destination. The SNAT is needed because we need the reverse traffic to go back to the l3 gateway and not short-circuit directly to the source.

This commit introduces 4 new logical actions.
1. ct_snat: To send the packet through SNAT zone to unSNAT packets.
2. ct_snat(IP): To SNAT to the provided IP address.
3. ct_dnat: To send the packet through DNAT zone to unDNAT packets.
4. ct_dnat(IP): To DNAT to the provided IP.

This commit only provides the ability to do IP based NAT. This will eventually be enhanced to do PORT based NAT too.

Command hints:

Consider a distributed router "R1" that has switch foo (192.168.1.0/24) with a lport foo1 (192.168.1.2) and bar (192.168.2.0/24) with lport bar1 (192.168.2.2) connected to it. You connect "R1" to a gateway router "R2" via a switch "join" in (20.0.0.0/24) network. R2 has a switch "alice" (172.16.1.0/24) connected to it (to simulate external network).

case: Add pure DNAT (north-south)

Add a DNAT rule in R2:

    ovn-nbctl -- --id=@nat create nat type="dnat" logical_ip=192.168.1.2 \
        external_ip=30.0.0.2 -- add logical_router R2 nat @nat

Now alice1 should be able to ping 192.168.1.2 via 30.0.0.2.

case2: Add pure SNAT (south-north)

Add a SNAT rule in R2:

    ovn-nbctl -- --id=@nat create nat type="snat" logical_ip=192.168.2.2 \
        external_ip=30.0.0.1 -- add logical_router R2 nat @nat

(You need a static route in R1 to send packets destined to outside world to go through R2. The logical_ip can be a subnet.)

When bar1 pings alice1, alice1 receives traffic from 30.0.0.1

case3: SNAT and DNAT (east-west traffic)

When bar1 pings 30.0.0.2, the traffic jumps to the gateway router and loops back to foo1 with a source ip address of 30.0.0.1

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Flavio Fernandes <flavio@flaviof.com>
Diffstat (limited to 'ovn/ovn-nb.ovsschema')
-rw-r--r--  ovn/ovn-nb.ovsschema  | 19
1 files changed, 17 insertions, 2 deletions
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index 95eb4f7ee..58f04b2f5 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_Northbound",
- "version": "3.0.0",
- "cksum": "1808140260 5339",
+ "version": "3.1.0",
+ "cksum": "1426508118 6135",
"tables": {
"Logical_Switch": {
"columns": {
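Review bot: the "cksum" value in this hunk is bound to the exact bytes of the finished schema file, so it has to be regenerated (ovsdb-tool schema-cksum ovn/ovn-nb.ovsschema) after any further edit to the file, including whitespace changes in the NAT table added further down; a stale checksum is rejected at load time. The step from 3.0.0 to 3.1.0 is the appropriate minor-version bump for a purely additive change (one new column, one new table).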
@@ -78,6 +78,11 @@
"max": "unlimited"}},
"default_gw": {"type": {"key": "string", "min": 0, "max": 1}},
"enabled": {"type": {"key": "boolean", "min": 0, "max": 1}},
+ "nat": {"type": {"key": {"type": "uuid",
+ "refTable": "NAT",
+ "refType": "strong"},
+ "min": 0,
+ "max": "unlimited"}},
"options": {
"type": {"key": "string",
"value": "string",
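Review bot: the new "nat" column is a strong reference into a table whose rows are not roots (the NAT table below carries "isRoot": false), so a NAT row exists only while some Logical_Router references it: it must be created and added to the router in the same transaction, exactly as the commit message's `ovn-nbctl -- --id=@nat create nat ... -- add logical_router R2 nat @nat` does, and it is garbage-collected as soon as it is removed from the set or the router is deleted. That lifetime rule is worth stating in the ovn-nb.xml documentation for this column, which this schema-only view does not show.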
@@ -104,6 +109,16 @@
"ip_prefix": {"type": "string"},
"nexthop": {"type": "string"},
"output_port": {"type": {"key": "string", "min": 0, "max": 1}}},
+ "isRoot": false},
+ "NAT": {
+ "columns": {
+ "external_ip": {"type": "string"},
+ "logical_ip": {"type": "string"},
+ "type": {"type": {"key": {"type": "string",
+ "enum": ["set", ["dnat",
+ "snat",
+ "dnat_and_snat"
+ ]]}}}},
"isRoot": false}
}
}
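Review bot: "external_ip" and "logical_ip" are unconstrained strings and the table declares no "indexes", so the schema itself accepts malformed addresses, a subnet in logical_ip for "dnat" (the commit message permits a subnet only for the SNAT case), and two rules on one router with the same external_ip; a table-level index could not express per-router uniqueness anyway, so that validation has to live in ovn-northd and should be spelled out in the column documentation. The enum also admits "dnat_and_snat", which none of the commit message's three cases describes; its semantics, and whether logical_ip may be a subnet for it, need documenting alongside "dnat" and "snat".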