Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No need to process snat lflows in lr_out_snat if reply packet has been matched in lr_out_undnat #116

Open
shylou opened this issue Feb 25, 2022 · 0 comments
Open

No need to process snat lflows in lr_out_snat if reply packet has been matched in lr_out_undnat #116

shylou opened this issue Feb 25, 2022 · 0 comments

Comments

@shylou
Copy link
Contributor

shylou commented Feb 25, 2022

We test dnat_and_snat for logical ip could not work If we has config snat for 0.0.0.0/0.
like this:

table=0 (lr_out_undnat ), priority=100 , match=(ip && ip4.src == 192.168.119.69 && outport == "lrp-b9553715-858b-44f2-8514-75bd2118962d" && is_chassis_resident("cr-lrp-b9553715-858b-44f2-8514-75bd2118962d")), action=(ct_dnat;)
table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
table=1 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 192.168.119.69 && outport == "lrp-b9553715-858b-44f2-8514-75bd2118962d" && is_chassis_resident("cr-lrp-b9553715-858b-44f2-8514-75bd2118962d")), action=(ct_snat(172.16.10.133);)
table=1 (lr_out_snat ), priority=129 , match=(ip && ip4.src == 0.0.0.0/0 && outport == "lrp-b9553715-858b-44f2-8514-75bd2118962d" && is_chassis_resident("cr-lrp-b9553715-858b-44f2-8514-75bd2118962d")), action=(ct_snat(172.16.10.252);)

I think there is no need to process snat lflows in lr_out_snat if the packet has been matched ct_dnat. We can fix it that add one lflow for external ip of dnat_and_snat and pass it use next action like this:

table=0 (lr_out_undnat ), priority=100 , match=(ip && ip4.src == 192.168.119.69 && outport == "lrp-b9553715-858b-44f2-8514-75bd2118962d" && is_chassis_resident("cr-lrp-b9553715-858b-44f2-8514-75bd2118962d")), action=(ct_dnat;)
table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
table=1 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 172.16.10.133 && outport == "lrp-b9553715-858b-44f2-8514-75bd2118962d" && is_chassis_resident("cr-lrp-b9553715-858b-44f2-8514-75bd2118962d")), action=(next;)
table=1 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 192.168.119.69 && outport == "lrp-b9553715-858b-44f2-8514-75bd2118962d" && is_chassis_resident("cr-lrp-b9553715-858b-44f2-8514-75bd2118962d")), action=(ct_snat(172.16.10.133);)
table=1 (lr_out_snat ), priority=129 , match=(ip && ip4.src == 0.0.0.0/0 && outport == "lrp-b9553715-858b-44f2-8514-75bd2118962d" && is_chassis_resident("cr-lrp-b9553715-858b-44f2-8514-75bd2118962d")), action=(ct_snat(172.16.10.252);)

Any one has other opinions?
@shylou shylou changed the title No need to process snat lflows in lr_out_snat if packet has been matched in lr_out_undnat No need to process snat lflows in lr_out_snat if reply packet has been matched in lr_out_undnat Feb 25, 2022
This was referenced Mar 26, 2022
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@shylou