.. contents:: Table of Contents
https://git.opendaylight.org/gerrit/#/q/topic:snat_conntrack
The OVS conntrack based SNAT implements Source Network Address Translation using OpenFlow rules by
leveraging the OVS-netfilter integration.
Today SNAT is done in OpenDaylight netvirt by punting to the controller, which then installs
the rules for inbound and outbound NAPT. This causes significant delay, because the first packet of
every new connection needs to go through the controller. The number of flows grows linearly with the
number of VMs. Also, the current implementation does not support ICMP.
The following use case will be realized by the implementation:

External Network Access

SNAT enables a VM in a tenant network to access the external network without using a floating IP. It
uses NAPT to share the external IP address across the multiple VMs behind the same router.
The proposed implementation uses the Linux netfilter framework to do the NAPT (Network Address Port
Translation) and to track connections. The first packet of a flow will be committed to
netfilter for translation along with the external IP. Subsequent packets will use the netfilter
entry for inbound and outbound translation. The router ID will be used as the zone ID in
netfilter; each zone tracks its connections in its own table. The rest of the implementation for
selecting the designated NAPT switch and the non-designated switches will remain the same. The pipeline
changes will happen in the designated switch. With this implementation we will be able to do
translation for ICMP as well.
The OpenFlow plugin needs to support a new set of actions for conntrack based NAPT. This shall be
added in the Nicira extension of the OpenFlow plugin.
The new implementation will not re-install the existing NAT entries on the new NAPT switch during
fail-over. Also, this spec does not cover the use case of having multiple external subnets in the same
The OVS based NAPT flows will replace the controller based NAPT flows. The changes are limited
to the designated switch for the router. The NAPT INBOUND table is changed from table 44 to table 43
for both implementations. Below is the illustration for a flat external network.
Table 26 (PSNAT Table) => submits the packet to netfilter to check whether it belongs to an existing
connection, then resubmits the packet to table 46.

Table 44 => The metadata will be swapped here to that of the external network and the packet will

Table 46 (NAPT OUTBOUND TABLE) => if the connection is established, which indicates the
translation is already done, the packet is forwarded to table 44.
If it is a new connection, the connection will be committed to netfilter and this entry will be
used for NAPT. The translated packet will be resubmitted to table 44.

Table 47 (NAPT FIB TABLE) => The translated packet will be sent to the egress group.
::

    table=26, priority=5,ip,metadata=0x222e2/0xfffffffe actions=ct(table=46,zone=5003,nat)
    table=44, priority=5,ct_state=+snat,ip,metadata=0x222e2/0xfffffffe,nw_src=192.168.111.21 actions=write_metadata:0x222e0/0xfffffffe,goto_table:47
    table=46, priority=6,ct_state=+snat,ip actions=resubmit(,44)
    table=46, priority=5,ct_state=+new+trk,ip,metadata=0x222e2/0xfffffffe actions=ct(commit,table=44,zone=5003,nat(src=192.168.111.21))
    table=47, priority=6,ct_state=+snat,ip,nw_src=192.168.111.21 actions=group:200003
Table 43 (NAPT INBOUND Table) => submits the packet to netfilter to check for an existing
connection. The packet will be submitted back to table 44.

Table 44 => The metadata will be swapped here to that of the internal network and the packet will

Table 47 (NAPT FIB TABLE) => The translated packet will be sent to table 43 for writing the
appropriate metadata and will be submitted back to table 21.
::

    table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=192.168.111.21 actions=resubmit(,43)
    table=43, priority=10,ip actions=ct(table=44,zone=5003,nat)
    table=44, priority=5,ct_state=+dnat,ip,metadata=0x222e0/0xfffffffe actions=write_metadata:0x222e2/0xfffffffe,goto_table:47
    table=47, priority=5,ct_state=+dnat,ip actions=resubmit(,21)
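The script below is an added example, not part of this spec or of the netvirt code: it parses an ovs-ofctl style flow dump, built here from the outbound and inbound flows illustrated above, and checks that a designated NAPT switch carries the conntrack SNAT pipeline for a router with the expected netfilter zone and NAT source. The zone 5003, the external IP 192.168.111.21 and the table numbers come from the illustration; the function names are the example's own.

```python
import re
# Flow dump constructed from the outbound and inbound illustrations in this spec.
SAMPLE_FLOWS = """\
table=26, priority=5,ip,metadata=0x222e2/0xfffffffe actions=ct(table=46,zone=5003,nat)
table=44, priority=5,ct_state=+snat,ip,metadata=0x222e2/0xfffffffe,nw_src=192.168.111.21 actions=write_metadata:0x222e0/0xfffffffe,goto_table:47
table=46, priority=6,ct_state=+snat,ip actions=resubmit(,44)
table=46, priority=5,ct_state=+new+trk,ip,metadata=0x222e2/0xfffffffe actions=ct(commit,table=44,zone=5003,nat(src=192.168.111.21))
table=47, priority=6,ct_state=+snat,ip,nw_src=192.168.111.21 actions=group:200003
table=21, priority=42,ip,metadata=0x222e0/0xfffffffe,nw_dst=192.168.111.21 actions=resubmit(,43)
table=43, priority=10,ip actions=ct(table=44,zone=5003,nat)
table=44, priority=5,ct_state=+dnat,ip,metadata=0x222e0/0xfffffffe actions=write_metadata:0x222e2/0xfffffffe,goto_table:47
table=47, priority=5,ct_state=+dnat,ip actions=resubmit(,21)
"""

FLOW_RE = re.compile(r"table=(\d+),\s*priority=(\d+),(.*?)\s+actions=(.*)")

def parse_flows(text):
    """Parse dump lines into dicts (table, priority, match, actions); other lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            table, prio, match, actions = m.groups()
            flows.append({"table": int(table), "priority": int(prio),
                          "match": match, "actions": actions})
    return flows

def ct_zones(flows):
    """Conntrack zones referenced by ct(...) actions in the dump."""
    return {int(z) for f in flows for z in re.findall(r"\bzone=(\d+)", f["actions"])}

def check_napt_switch(text, router_zone, external_ip):
    """Return findings for one router's conntrack SNAT pipeline; an empty list means it looks right."""
    flows = parse_flows(text)
    findings = []
    zones = ct_zones(flows)
    if zones != {router_zone}:  # the router id must be the only zone in use on this pipeline
        findings.append(f"unexpected ct zones {sorted(zones)}, expected only {router_zone}")
    commits = [f for f in flows if f["table"] == 46 and "ct(commit" in f["actions"]]
    if not commits:
        findings.append("no ct(commit,...) flow in table 46 (NAPT OUTBOUND)")
    for f in commits:
        if f"nat(src={external_ip})" not in f["actions"]:
            findings.append(f"table 46 commit uses another NAT source: {f['actions']}")
        if "+new" not in f["match"]:  # only new connections should be committed with a NAT source
            findings.append("table 46 commit flow is not restricted to ct_state=+new")
    for table in (26, 43):  # PSNAT and NAPT INBOUND must send packets through ct()
        if not any(f["table"] == table and "ct(" in f["actions"] for f in flows):
            findings.append(f"table {table} does not submit packets to conntrack")
    return findings
```

Feed it the output of ``ovs-ofctl -O OpenFlow13 dump-flows`` from the designated switch, with the router's zone and external IP taken from the router configuration, to confirm the expected flows are present after a change.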
The nicira-action.yang and the openflowplugin-extension-nicira-action.yang need to be updated
with the nat action. The action structure shall be:
::

    typedef nx-action-nat-range-present {
        type enumeration {
            enum NX_NAT_RANGE_IPV4_MIN {
                description "IPV4 minimum value is present";
            }
            enum NX_NAT_RANGE_IPV4_MAX {
                description "IPV4 maximum value is present";
            }
            enum NX_NAT_RANGE_IPV6_MIN {
                description "IPV6 minimum value is present in range";
            }
            enum NX_NAT_RANGE_IPV6_MAX {
                description "IPV6 maximum value is present in range";
            }
            enum NX_NAT_RANGE_PROTO_MIN {
                description "Port minimum value is present in range";
            }
            enum NX_NAT_RANGE_PROTO_MAX {
                description "Port maximum value is present in range";
            }
        }
    }

    typedef nx-action-nat-flags {
        type enumeration {
            enum NX_NAT_F_SRC {
                description "Source nat is selected, mutually exclusive with NX_NAT_F_DST";
            }
            enum NX_NAT_F_DST {
                description "Destination nat is selected";
            }
            enum NX_NAT_F_PERSISTENT {
                description "Persistent flag is selected";
            }
            enum NX_NAT_F_PROTO_HASH {
                description "Hash mode is selected for port mapping, mutually exclusive with NX_NAT_F_PROTO_RANDOM";
            }
            enum NX_NAT_F_PROTO_RANDOM {
                description "Port mapping will be randomized";
            }
        }
    }

    grouping ofj-nx-action-conntrack-grouping {
        container nx-action-conntrack {
            leaf conntrack-zone {
                type uint16;
            }
            leaf experimenter-id {
                type oft:experimenter-id;
            }
        }
    }

    grouping ofpact-actions {
        description
            "Actions to be performed with conntrack.";
        choice ofpact-actions {
            case nx-action-nat-case {
                container nx-action-nat {
                    leaf ip-address-min {
                        type inet:ip-address;
                    }
                    leaf ip-address-max {
                        type inet:ip-address;
                    }
                }
            }
        }
    }
The proposed change requires the NAT service to provide a configuration knob to switch between the
controller based and the conntrack based implementation. A new configuration file shall be added for this.
Clustering considerations
-------------------------
Other Infra considerations
--------------------------
The implementation requires OVS 2.6 with the kernel module installed. OVS currently does not support
SNAT connection tracking for the DPDK datapath; it will be supported in a future release.
Security considerations
-----------------------
Scale and Performance Impact
----------------------------
The new SNAT implementation is expected to improve performance compared to the existing
one and will reduce the number of flows in the OVS pipeline.
An alternative implementation with X NAPT switches was discussed; it will not be a part of this
document but will be considered as a further enhancement.
Create External Network
-----------------------
Create an external flat network and subnet::

    neutron net-create ext1 --router:external --provider:physical_network public --provider:network_type flat
    neutron subnet-create --allocation-pool start=<start-ip>,end=<end-ip> --gateway=<gw-ip> --disable-dhcp --name subext1 ext1 <subnet-cidr>
Create Internal Network
-----------------------
Create an internal network and subnet::

    neutron net-create vx-net1 --provider:network_type vxlan
    neutron subnet-create vx-net1 <subnet-cidr> --name vx-subnet1
Create a router and add an interface to the internal network. Set the external network as the router gateway::

    neutron router-create router1
    neutron router-interface-add router1 vx-subnet1
    neutron router-gateway-set router1 ext1
    nova boot --poll --flavor m1.tiny --image $(nova image-list | grep 'uec\s' | awk '{print $2}' | tail -1) --nic net-id=$(neutron net-list | grep -w vx-net1 | awk '{print $2}') vmvx2
odl-netvirt-openstack
Aswin Suryanarayanan <asuryana@redhat.com>
https://trello.com/c/DMLsrLfq/9-snat-decentralized-ovs-nat-based
* Write a framework which can support multiple modes of NAT implementation.
* Add support in the OpenFlow plugin for conntrack nat actions.
* Add support in genius for conntrack nat actions.
* Add a config parameter to select between controller based and conntrack based SNAT.
* Add the flow programming for SNAT in netvirt.
* Write unit tests for conntrack based SNAT.
Unit tests need to be added for the new SNAT mode. They shall use the component tests framework.

Integration tests need to be added for the conntrack SNAT flows.

Run the CSIT with conntrack based SNAT configured.

Necessary documentation will be added on how to use this feature.