northd: Explicitly handle SNAT for ICMP need frag.
Considering following topology:

    client - sw0 - lrp0 - lr - lrp1 - sw1 - server

    sw0 in subnet 192.168.0.0/24
    sw1 in subnet 172.168.0.0/24
    SNAT configured for client
    gateway_mtu=1400 configured for lrp0

If we send UDP traffic from client to server and server responds with packet bigger than 1400 the following sequence will happen:

1) Packet is coming into lr via lrp1
2) unSNAT
3) Routing, the outport will be set to lrp0
4) Check for packet larger will fail
5) We will generate ICMP need frag

However, the last step is wrong from the server perspective. The ICMP message will have IP source address = lrp1 IP address. Which means that SNAT won't happen because the source is not within the sw0 subnet, but the inner packet has sw0 subnet address, because it was unSNATted. This results in server ignoring the ICMP message because server never sent any packet to the sw0 subnet.

In order to prevent this issue perform SNAT for the ICMP packet. Because the packet is related to already existing connection we just need to perform ct_commit_nat(snat) action. This is achieved with addition of the following flow for "lr_in_larger_pkts" stage (the flow for IPv6 is the in regard to the addition):

    match=(inport == "INPORT" && outport == "OUTPORT" && ip4 &&
           REGBIT_PKT_LARGER && REGBIT_EGRESS_LOOPBACK == 0 &&
           ct.trk && ct.rpl && ct.dnat),
    action=(icmp4_error {
                flags.icmp_snat = 1;
                REGBIT_EGRESS_LOOPBACK = 1;
                REGBIT_PKT_LARGER = 0;
                eth.dst = ETH_DST;
                ip4.dst = ip4.src;
                ip4.src = IP_SRC;
                ip.ttl = 255;
                icmp4.type = 3; /* Destination Unreachable. */
                icmp4.code = 4; /* Frag Needed and DF was Set. */
                icmp4.frag_mtu = 1500;
                next(pipeline=ingress, table=0);
            };)

Also, add flow to "lr_out_post_snat" stage:

    match=(icmp && flags.icmp_snat == 1), action=(ct_commit_nat(snat);)

Partially revert 0e49f49 ("northd: Allow need frag to be SNATed") which attempted to fix the same issue in a wrong way.

Also add feature flag for the updated ct_commit_nat action. In case there is an update of northd to newer version before all controllers are updated.

Fixes: 0e49f49 ("northd: Allow need frag to be SNATed")
Reported-at: https://issues.redhat.com/browse/FDP-134
Reported-at: https://issues.redhat.com/browse/FDP-159
Signed-off-by: Ales Musil <amusil@redhat.com>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
(cherry picked from commit 43f741c)
Showing 10 changed files with 218 additions and 125 deletions.
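The sequence the commit message describes, as an added example that is not OVN code: a toy Python model of lr's reply path with one SNAT mapping, showing why the server discards the need-frag message while its embedded header still carries the unSNATted client address, and why it accepts it once the related ICMP message is SNATed. The host addresses, the lrp1 address and the SNAT address are constructed, and the model translates only the embedded header, which is the part the server matches against its own flows.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Topology from the commit message; host addresses are constructed.
CLIENT = "192.168.0.10"    # on sw0 (192.168.0.0/24)
SERVER = "172.168.0.20"    # on sw1 (172.168.0.0/24)
LRP1 = "172.168.0.1"       # lr port towards sw1 (constructed)
SNAT_IP = "172.168.0.100"  # address sw0 hosts are SNATed to (constructed)
LRP0_MTU = 1400            # gateway_mtu configured on lrp0
SW0 = ipaddress.ip_network("192.168.0.0/24")
SNAT_MAP = {CLIENT: SNAT_IP}  # conntrack: client's UDP flow was SNATed on egress

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    size: int = 0
    inner: Optional["Packet"] = None  # embedded header of an ICMP error

def unsnat(pkt: Packet) -> Packet:
    # Step 2: a reply addressed to the SNAT address is mapped back to the client.
    for private, public in SNAT_MAP.items():
        if pkt.dst == public:
            return replace(pkt, dst=private)
    return pkt

def snat_related_icmp(icmp: Packet) -> Packet:
    # Models ct_commit_nat(snat) on the related ICMP error: the embedded
    # header is translated back so the server sees the addresses it used.
    inner = icmp.inner
    return replace(icmp, inner=replace(inner, dst=SNAT_MAP.get(inner.dst, inner.dst)))

def router_reply_path(pkt: Packet, snat_icmp: bool) -> Optional[Packet]:
    # Steps 1-5 for a server->client reply entering lr via lrp1; returns the
    # ICMP need-frag error lr emits, or None if the packet fits on lrp0.
    pkt = unsnat(pkt)
    if ipaddress.ip_address(pkt.dst) not in SW0 or pkt.size <= LRP0_MTU:  # steps 3-4
        return None
    icmp = Packet(src=LRP1, dst=pkt.src, inner=pkt)  # step 5: source is lrp1's address
    return snat_related_icmp(icmp) if snat_icmp else icmp

def server_accepts_need_frag(icmp: Packet, server_flows: set) -> bool:
    # A host only honours an ICMP error whose embedded header matches a flow it sent.
    return (icmp.inner.src, icmp.inner.dst) in server_flows

def demo(snat_icmp: bool) -> bool:
    server_flows = {(SERVER, SNAT_IP)}  # the server only ever talked to SNAT_IP
    icmp = router_reply_path(Packet(src=SERVER, dst=SNAT_IP, size=1500), snat_icmp)
    return icmp is not None and server_accepts_need_frag(icmp, server_flows)
```

`demo(False)` reproduces the reported behaviour (the server ignores the message) and `demo(True)` the behaviour after the fix.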