Commit 8aa7b526 authored by Dumitru Ceara, committed by Jakub Kicinski

openvswitch: handle DNAT tuple collision

With multiple DNAT rules it's possible that after destination
translation the resulting tuples collide.

For example, two openvswitch flows:
nw_dst=10.0.0.10,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
nw_dst=10.0.0.20,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))

Assuming two TCP clients initiating the following connections:
10.0.0.10:5000->10.0.0.10:10
10.0.0.10:5000->10.0.0.20:10

Both tuples would translate to 10.0.0.10:5000->20.0.0.1:20 causing
nf_conntrack_confirm() to fail because of tuple collision.

Netfilter handles this case by allocating a null binding for SNAT at
egress by default.  Perform the same operation in openvswitch for DNAT
if no explicit SNAT is requested by the user and allocate a null binding
for SNAT for packets in the "original" direction.

Reported-at: https://bugzilla.redhat.com/1877128


Suggested-by: Florian Westphal <fw@strlen.de>
Fixes: 05752523 ("openvswitch: Interface with NAT.")
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent d42ee76e
+13 −9
@@ -905,8 +905,8 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,
	}
	err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);

	if (err == NF_ACCEPT &&
	    ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
	if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) {
		if (ct->status & IPS_SRC_NAT) {
			if (maniptype == NF_NAT_MANIP_SRC)
				maniptype = NF_NAT_MANIP_DST;
			else
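Review bot: The new outer test `err == NF_ACCEPT && ct->status & IPS_DST_NAT` lets this block run for any connection with the DNAT status bit set, not only those with both NAT bits, and nothing in the code says why. A short comment above it naming the tuple collision from the commit message would keep the reason next to the code. Parenthesizing `(ct->status & IPS_DST_NAT)` and the nested `(ct->status & IPS_SRC_NAT)` would also make the precedence against `&&` explicit.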
@@ -914,6 +914,10 @@ static int ovs_ct_nat(struct net *net, struct sw_flow_key *key,

			err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
						 maniptype);
		} else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
			err = ovs_ct_nat_execute(skb, ct, ctinfo, NULL,
						 NF_NAT_MANIP_SRC);
		}
	}

	/* Mark NAT done if successful and update the flow key. */
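Review bot: The added `else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)` branch passes `NULL` as the range to `ovs_ct_nat_execute()`, while the other calls visible here pass `&info->range`, so it is worth confirming that the callee accepts a NULL range on every path and adding a comment that NULL here means "allocate a null SNAT binding". The result is also assigned to `err`, so a failed null binding turns an already accepted DNAT into a failure before the "Mark NAT done" step; if that is intended, the comment should say so. The commit message scopes this to the case where no explicit SNAT is requested by the user, but the branch keys on `ct->status & IPS_SRC_NAT` being clear, so a note on how those two conditions relate would help.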