@@ -70,6 +70,7 @@ enum mff_log_flags_bits {
MLF_LOOKUP_FDB_BIT = 8,
MLF_SKIP_SNAT_FOR_LB_BIT = 9,
MLF_LOCALPORT_BIT = 10,
+ MLF_USE_SNAT_ZONE = 11,
};
/* MFF_LOG_FLAGS_REG flag assignments */
@@ -125,6 +125,10 @@ ovn_init_symtab(struct shash *symtab)
MLF_SKIP_SNAT_FOR_LB_BIT);
expr_symtab_add_subfield(symtab, "flags.skip_snat_for_lb", NULL,
flags_str);
+ snprintf(flags_str, sizeof flags_str, "flags[%d]",
+ MLF_USE_SNAT_ZONE);
+ expr_symtab_add_subfield(symtab, "flags.use_snat_zone", NULL,
+ flags_str);
/* Connection tracking state. */
expr_symtab_add_field_scoped(symtab, "ct_mark", MFF_CT_MARK, NULL, false,
@@ -159,11 +159,14 @@ enum ovn_stage {
PIPELINE_STAGE(ROUTER, IN, ARP_REQUEST, 18, "lr_in_arp_request") \
\
/* Logical router egress stages. */ \
- PIPELINE_STAGE(ROUTER, OUT, UNDNAT, 0, "lr_out_undnat") \
- PIPELINE_STAGE(ROUTER, OUT, POST_UNDNAT, 1, "lr_out_post_undnat") \
- PIPELINE_STAGE(ROUTER, OUT, SNAT, 2, "lr_out_snat") \
- PIPELINE_STAGE(ROUTER, OUT, EGR_LOOP, 3, "lr_out_egr_loop") \
- PIPELINE_STAGE(ROUTER, OUT, DELIVERY, 4, "lr_out_delivery")
+ PIPELINE_STAGE(ROUTER, OUT, CHECK_DNAT_LOCAL, 0, \
+ "lr_out_chk_dnat_local") \
+ PIPELINE_STAGE(ROUTER, OUT, UNDNAT, 1, "lr_out_undnat") \
+ PIPELINE_STAGE(ROUTER, OUT, POST_UNDNAT, 2, "lr_out_post_undnat") \
+ PIPELINE_STAGE(ROUTER, OUT, SNAT, 3, "lr_out_snat") \
+ PIPELINE_STAGE(ROUTER, OUT, POST_SNAT, 4, "lr_out_post_snat") \
+ PIPELINE_STAGE(ROUTER, OUT, EGR_LOOP, 5, "lr_out_egr_loop") \
+ PIPELINE_STAGE(ROUTER, OUT, DELIVERY, 6, "lr_out_delivery")
#define PIPELINE_STAGE(DP_TYPE, PIPELINE, STAGE, TABLE, NAME) \
S_##DP_TYPE##_##PIPELINE##_##STAGE \
@@ -210,6 +213,7 @@ enum ovn_stage {
#define REGBIT_PKT_LARGER "reg9[1]"
#define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[2]"
#define REGBIT_LOOKUP_NEIGHBOR_IP_RESULT "reg9[3]"
+#define REGBIT_DST_NAT_IP_LOCAL "reg9[4]"
/* Register to store the eth address associated to a router port for packets
* received in S_ROUTER_IN_ADMISSION.
@@ -9446,9 +9450,10 @@ build_lrouter_nat_flows_for_lb(struct ovn_lb_vip *lb_vip,
undnat_match_p, est_actions,
&lb->nlb->header_);
} else {
- ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 120,
- undnat_match_p, "ct_dnat;",
- &lb->nlb->header_);
+ ovn_lflow_add_with_hint(
+ lflows, od, S_ROUTER_OUT_UNDNAT, 120, undnat_match_p,
+ od->is_gw_router ? "ct_dnat;" : "ct_dnat_in_czone;",
+ &lb->nlb->header_);
}
free(undnat_match_p);
next:
@@ -9743,7 +9748,7 @@ lrouter_nat_add_ext_ip_match(struct ovn_datapath *od,
uint16_t priority;
/* Priority of logical flows corresponding to exempted_ext_ips is
- * +1 of the corresponding regulr NAT rule.
+ * +2 of the corresponding regular NAT rule.
* For example, if we have following NAT rule and we associate
* exempted external ips to it:
* "ovn-nbctl lr-nat-add router dnat_and_snat 10.15.24.139 50.0.0.11"
@@ -9751,17 +9756,17 @@ lrouter_nat_add_ext_ip_match(struct ovn_datapath *od,
* And now we associate exempted external ip address set to it.
* Now corresponding to above rule we will have following logical
* flows:
- * lr_out_snat...priority=162, match=(..ip4.dst == $exempt_range),
+ * lr_out_snat...priority=163, match=(..ip4.dst == $exempt_range),
* action=(next;)
* lr_out_snat...priority=161, match=(..), action=(ct_snat(....);)
*
*/
if (is_src) {
/* S_ROUTER_IN_DNAT uses priority 100 */
- priority = 100 + 1;
+ priority = 100 + 2;
} else {
/* S_ROUTER_OUT_SNAT uses priority (mask + 1 + 128 + 1) */
- priority = count_1bits(ntohl(mask)) + 2;
+ priority = count_1bits(ntohl(mask)) + 3;
if (!od->is_gw_router) {
priority += 128;
@@ -12121,9 +12126,9 @@ build_lrouter_in_unsnat_flow(struct hmap *lflows, struct ovn_datapath *od,
/* Traffic received on l3dgw_port is subject to NAT. */
ds_clear(match);
ds_clear(actions);
- ds_put_format(match, "ip && ip%s.dst == %s && inport == %s",
- is_v6 ? "6" : "4", nat->external_ip,
- od->l3dgw_ports[0]->json_key);
+ ds_put_format(match, "ip && ip%s.dst == %s && inport == %s && "
+ "flags.loopback == 0", is_v6 ? "6" : "4",
+ nat->external_ip, od->l3dgw_ports[0]->json_key);
if (!distributed && od->n_l3dgw_ports) {
/* Flows for NAT rules that are centralized are only
* programmed on the gateway chassis. */
@@ -12135,12 +12140,31 @@ build_lrouter_in_unsnat_flow(struct hmap *lflows, struct ovn_datapath *od,
ds_put_format(actions, "ip%s.dst=%s; next;",
is_v6 ? "6" : "4", nat->logical_ip);
} else {
- ds_put_cstr(actions, "ct_snat;");
+ ds_put_cstr(actions, "ct_snat_in_czone;");
}
ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_UNSNAT,
100, ds_cstr(match), ds_cstr(actions),
&nat->header_);
+
+ if (!stateless) {
+ ds_clear(match);
+ ds_clear(actions);
+ ds_put_format(match, "ip && ip%s.dst == %s && inport == %s && "
+ "flags.loopback == 1 && flags.use_snat_zone == 1",
+ is_v6 ? "6" : "4", nat->external_ip,
+ od->l3dgw_ports[0]->json_key);
+ if (!distributed && od->n_l3dgw_ports) {
+ /* Flows for NAT rules that are centralized are only
+ * programmed on the gateway chassis. */
+ ds_put_format(match, " && is_chassis_resident(%s)",
+ od->l3dgw_ports[0]->cr_port->json_key);
+ }
+ ds_put_cstr(actions, "ct_snat;");
+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_UNSNAT,
+ 100, ds_cstr(match), ds_cstr(actions),
+ &nat->header_);
+ }
}
}
@@ -12217,7 +12241,7 @@ build_lrouter_in_dnat_flow(struct hmap *lflows, struct ovn_datapath *od,
ds_put_format(actions, "ip%s.dst=%s; next;",
is_v6 ? "6" : "4", nat->logical_ip);
} else {
- ds_put_format(actions, "ct_dnat(%s", nat->logical_ip);
+ ds_put_format(actions, "ct_dnat_in_czone(%s", nat->logical_ip);
if (nat->external_port_range[0]) {
ds_put_format(actions, ",%s", nat->external_port_range);
}
@@ -12270,7 +12294,8 @@ build_lrouter_out_undnat_flow(struct hmap *lflows, struct ovn_datapath *od,
ds_put_format(actions, "ip%s.src=%s; next;",
is_v6 ? "6" : "4", nat->external_ip);
} else {
- ds_put_format(actions, "ct_dnat;");
+ ds_put_format(actions,
+ od->is_gw_router ? "ct_dnat;" : "ct_dnat_in_czone;");
}
ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
@@ -12278,6 +12303,36 @@ build_lrouter_out_undnat_flow(struct hmap *lflows, struct ovn_datapath *od,
&nat->header_);
}
+static void
+build_lrouter_out_is_dnat_local(struct hmap *lflows, struct ovn_datapath *od,
+ const struct nbrec_nat *nat, struct ds *match,
+ struct ds *actions, bool distributed,
+ bool is_v6)
+{
+ /* Note that this only applies for NAT on a distributed router.
+ */
+ if (!od->n_l3dgw_ports) {
+ return;
+ }
+
+ ds_clear(match);
+ ds_put_format(match, "ip && ip%s.dst == %s && ",
+ is_v6 ? "6" : "4", nat->external_ip);
+ if (distributed) {
+ ds_put_format(match, "is_chassis_resident(\"%s\")", nat->logical_port);
+ } else {
+ ds_put_format(match, "is_chassis_resident(%s)",
+ od->l3dgw_ports[0]->cr_port->json_key);
+ }
+
+ ds_clear(actions);
+ ds_put_cstr(actions, REGBIT_DST_NAT_IP_LOCAL" = 1; next;");
+
+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_CHECK_DNAT_LOCAL,
+ 50, ds_cstr(match), ds_cstr(actions),
+ &nat->header_);
+}
+
static void
build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
const struct nbrec_nat *nat, struct ds *match,
@@ -12331,12 +12386,18 @@ build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
ds_put_format(match, "ip && ip%s.src == %s && outport == %s",
is_v6 ? "6" : "4", nat->logical_ip,
od->l3dgw_ports[0]->json_key);
- if (!distributed && od->n_l3dgw_ports) {
- /* Flows for NAT rules that are centralized are only
- * programmed on the gateway chassis. */
- priority += 128;
- ds_put_format(match, " && is_chassis_resident(%s)",
- od->l3dgw_ports[0]->cr_port->json_key);
+ if (od->n_l3dgw_ports) {
+ if (distributed) {
+ ovs_assert(nat->logical_port);
+ ds_put_format(match, " && is_chassis_resident(\"%s\")",
+ nat->logical_port);
+ } else {
+ /* Flows for NAT rules that are centralized are only
+ * programmed on the gateway chassis. */
+ priority += 128;
+ ds_put_format(match, " && is_chassis_resident(%s)",
+ od->l3dgw_ports[0]->cr_port->json_key);
+ }
}
ds_clear(actions);
@@ -12354,7 +12415,7 @@ build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
ds_put_format(actions, "ip%s.src=%s; next;",
is_v6 ? "6" : "4", nat->external_ip);
} else {
- ds_put_format(actions, "ct_snat(%s",
+ ds_put_format(actions, "ct_snat_in_czone(%s",
nat->external_ip);
if (nat->external_port_range[0]) {
ds_put_format(actions, ",%s", nat->external_port_range);
@@ -12368,6 +12429,24 @@ build_lrouter_out_snat_flow(struct hmap *lflows, struct ovn_datapath *od,
ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
priority, ds_cstr(match),
ds_cstr(actions), &nat->header_);
+
+ if (!stateless) {
+ ds_put_cstr(match, " && "REGBIT_DST_NAT_IP_LOCAL" == 1");
+ ds_clear(actions);
+ if (distributed) {
+ ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
+ ETH_ADDR_ARGS(mac));
+ }
+ ds_put_format(actions, REGBIT_DST_NAT_IP_LOCAL" = 0; ct_snat(%s",
+ nat->external_ip);
+ if (nat->external_port_range[0]) {
+ ds_put_format(actions, ",%s", nat->external_port_range);
+ }
+ ds_put_format(actions, ");");
+ ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_SNAT,
+ priority + 1, ds_cstr(match),
+ ds_cstr(actions), &nat->header_);
+ }
}
}
@@ -12596,10 +12675,13 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
/* Packets are allowed by default. */
ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_IN_UNSNAT, 0, "1", "next;");
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_CHECK_DNAT_LOCAL, 0, "1",
+ REGBIT_DST_NAT_IP_LOCAL" = 0; next;");
ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_UNDNAT, 0, "1", "next;");
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_SNAT, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", "next;");
@@ -12612,8 +12694,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
* not committed, it would produce ongoing datapath flows with the ct.new
* flag set. Some NICs are unable to offload these flows.
*/
- if ((od->is_gw_router || od->n_l3dgw_ports) &&
- (od->nbr->n_nat || od->has_lb_vip)) {
+ if (od->is_gw_router && (od->nbr->n_nat || od->has_lb_vip)) {
ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 50,
"ip", "flags.loopback = 1; ct_dnat;");
ovn_lflow_add(lflows, od, S_ROUTER_OUT_POST_UNDNAT, 50,
@@ -12686,6 +12767,10 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
}
}
+ /* S_ROUTER_OUT_DNAT_LOCAL */
+ build_lrouter_out_is_dnat_local(lflows, od, nat, match, actions,
+ distributed, is_v6);
+
/* S_ROUTER_OUT_UNDNAT */
build_lrouter_out_undnat_flow(lflows, od, nat, match, actions, distributed,
mac, is_v6);
@@ -12759,7 +12844,8 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
"clone { ct_clear; "
"inport = outport; outport = \"\"; "
"eth.dst <-> eth.src; "
- "flags = 0; flags.loopback = 1; ");
+ "flags = 0; flags.loopback = 1; "
+ "flags.use_snat_zone = "REGBIT_DST_NAT_IP_LOCAL"; ");
for (int j = 0; j < MFF_N_LOG_REGS; j++) {
ds_put_format(actions, "reg%d = 0; ", j);
}
@@ -2876,23 +2876,65 @@ icmp6 {
<p>
For each configuration in the OVN Northbound database, that asks
to change the source IP address of a packet from <var>A</var> to
- <var>B</var>, a priority-100 flow matches <code>ip &&
- ip4.dst == <var>B</var> && inport == <var>GW</var></code> or
- <code>ip &&
- ip6.dst == <var>B</var> && inport == <var>GW</var></code>
- where <var>GW</var> is the logical router gateway port, with an
- action <code>ct_snat;</code>. If the NAT rule is of type
- dnat_and_snat and has <code>stateless=true</code> in the
- options, then the action would be <code>ip4/6.dst=
- (<var>B</var>)</code>.
+ <var>B</var>, two priority-100 flows are added.
</p>
<p>
If the NAT rule cannot be handled in a distributed manner, then
- the priority-100 flow above is only programmed on the
+ the below priority-100 flows are only programmed on the
gateway chassis.
</p>
+ <ul>
+ <li>
+ <p>
+ The first flow matches <code>ip &&
+ ip4.dst == <var>B</var> && inport == <var>GW</var>
+ && flags.loopback == 0</code> or
+ <code>ip &&
+ ip6.dst == <var>B</var> && inport == <var>GW</var>
+ && flags.loopback == 0</code>
+ where <var>GW</var> is the logical router gateway port, with an
+ action <code>ct_snat_in_czone;</code> to unSNAT in the common
+ zone. If the NAT rule is of type dnat_and_snat and has
+ <code>stateless=true</code> in the options, then the action
+ would be <code>ip4/6.dst=(<var>B</var>)</code>.
+ </p>
+
+ <p>
+ If the NAT entry is of type <code>snat</code>, then there is an
+ additional match <code>is_chassis_resident(<var>cr-GW</var>)
+ </code> where <var>cr-GW</var> is the chassis resident port of
+ <var>GW</var>.
+ </p>
+ </li>
+
+ <li>
+ <p>
+ The second flow matches <code>ip &&
+ ip4.dst == <var>B</var> && inport == <var>GW</var>
+ && flags.loopback == 1 &&
+ flags.use_snat_zone == 1</code> or
+ <code>ip &&
+ ip6.dst == <var>B</var> && inport == <var>GW</var>
+ && flags.loopback == 0 &&
+ flags.use_snat_zone == 1</code>
+ where <var>GW</var> is the logical router gateway port, with an
+ action <code>ct_snat;</code> to unSNAT in the snat zone. If the
+ NAT rule is of type dnat_and_snat and has
+ <code>stateless=true</code> in the options, then the action
+ would be <code>ip4/6.dst=(<var>B</var>)</code>.
+ </p>
+
+ <p>
+ If the NAT entry is of type <code>snat</code>, then there is an
+ additional match <code>is_chassis_resident(<var>cr-GW</var>)
+ </code> where <var>cr-GW</var> is the chassis resident port of
+ <var>GW</var>.
+ </p>
+ </li>
+ </ul>
+
<p>
A priority-0 logical flow with match <code>1</code> has actions
<code>next;</code>.
@@ -4028,7 +4070,43 @@ nd_ns {
</li>
</ul>
- <h3>Egress Table 0: UNDNAT</h3>
+ <h3>Egress Table 0: Check DNAT local </h3>
+
+ <p>
+ This table checks if the packet needs to be DNATed in the router ingress
+ table <code>lr_out_dnat</code> after it is SNATed and looped back
+ to the ingress pipeline. This check is done only for routers configured
+ with distributed gateway ports and NAT entries. This check is done
+ so that SNAT and DNAT is done in different zones instead of a common
+ zone.
+ </p>
+
+ <ul>
+ <li>
+ <p>
+ For each NAT rule in the OVN Northbound database on a
+ distributed router, a priority-50 logical flow with match
+ <code>ip4.dst == <var>E</var> &&
+ is_chassis_resident(<var>P</var>)</code>, where <var>E</var> is the
+ external IP address specified in the NAT rule, <var>GW</var>
+ is the logical router distributed gateway port. For dnat_and_snat
+ NAT rule, <var>P</var> is the logical port specified in the NAT rule.
+ If <ref column="logical_port"
+ table="NAT" db="OVN_Northbound"/> column of
+ <ref table="NAT" db="OVN_Northbound"/> table is NOT set, then
+ <var>P</var> is the <code>chassisredirect port</code> of
+ <var>GW</var> with the actions:
+ <code>REGBIT_DST_NAT_IP_LOCAL = 1; next; </code>
+ </p>
+ </li>
+
+ <li>
+ A priority-0 logical flow with match <code>1</code> has actions
+ <code>REGBIT_DST_NAT_IP_LOCAL = 0; next;</code>.
+ </li>
+ </ul>
+
+ <h3>Egress Table 1: UNDNAT</h3>
<p>
This is for already established connections' reverse traffic.
@@ -4037,6 +4115,23 @@ nd_ns {
is unDNATed here.
</p>
+ <ul>
+ <li>
+ A priority-0 logical flow with match <code>1</code> has actions
+ <code>next;</code>.
+ </li>
+ </ul>
+
+ <h3>Egress Table 1: UNDNAT on Gateway Routers</h3>
+
+ <ul>
+ <li>
+ For all IP packets, a priority-50 flow with an action
+ <code>flags.loopback = 1; ct_dnat;</code>.
+ </li>
+ </ul>
+
+ <h3>Egress Table 1: UNDNAT on Distributed Routers</h3>
<ul>
<li>
<p>
@@ -4047,9 +4142,9 @@ nd_ns {
gateway chassis that matches
<code>ip && ip4.src == <var>B</var> &&
outport == <var>GW</var></code>, where <var>GW</var> is the logical
- router gateway port with an action <code>ct_dnat;</code>. If the
- backend IPv4 address <var>B</var> is also configured with L4 port
- <var>PORT</var> of protocol <var>P</var>, then the
+ router gateway port with an action <code>ct_dnat_in_czone;</code>.
+ If the backend IPv4 address <var>B</var> is also configured with
+ L4 port <var>PORT</var> of protocol <var>P</var>, then the
match also includes <code>P.src</code> == <var>PORT</var>. These
flows are not added for load balancers with IPv6 <var>VIPs</var>.
</p>
@@ -4069,7 +4164,7 @@ nd_ns {
matches <code>ip && ip4.src == <var>B</var>
&& outport == <var>GW</var></code>, where <var>GW</var>
is the logical router gateway port, with an action
- <code>ct_dnat;</code>. If the NAT rule is of type
+ <code>ct_dnat_in_czone;</code>. If the NAT rule is of type
dnat_and_snat and has <code>stateless=true</code> in the
options, then the action would be <code>ip4/6.src=
(<var>B</var>)</code>.
@@ -4078,7 +4173,7 @@ nd_ns {
<p>
If the NAT rule cannot be handled in a distributed manner, then
the priority-100 flow above is only programmed on the
- gateway chassis.
+ gateway chassis with the action <code>ct_dnat_in_czone</code>.
</p>
<p>
@@ -4091,26 +4186,17 @@ nd_ns {
</p>
</li>
- <li>
- For all IP packets, a priority-50 flow with an action
- <code>flags.loopback = 1; ct_dnat;</code>.
- </li>
-
- <li>
- A priority-0 logical flow with match <code>1</code> has actions
- <code>next;</code>.
- </li>
</ul>
- <h3>Egress Table 1: Post UNDNAT</h3>
+ <h3>Egress Table 2: Post UNDNAT</h3>
<p>
<ul>
<li>
A priority-50 logical flow is added that commits any untracked flows
- from the previous table <code>lr_out_undnat</code>. This flow
- matches on <code>ct.new && ip</code> with action
- <code>ct_commit { } ; next; </code>.
+ from the previous table <code>lr_out_undnat</code> for Gateway
+ routers. This flow matches on <code>ct.new && ip</code>
+ with action <code>ct_commit { } ; next; </code>.
</li>
<li>
@@ -4121,7 +4207,7 @@ nd_ns {
</ul>
</p>
- <h3>Egress Table 2: SNAT</h3>
+ <h3>Egress Table 3: SNAT</h3>
<p>
Packets that are configured to be SNATed get their source IP address
@@ -4137,7 +4223,7 @@ nd_ns {
</li>
</ul>
- <p>Egress Table 2: SNAT on Gateway Routers</p>
+ <p>Egress Table 3: SNAT on Gateway Routers</p>
<ul>
<li>
@@ -4236,7 +4322,7 @@ nd_ns {
</li>
</ul>
- <p>Egress Table 2: SNAT on Distributed Routers</p>
+ <p>Egress Table 3: SNAT on Distributed Routers</p>
<ul>
<li>
@@ -4244,28 +4330,46 @@ nd_ns {
For each configuration in the OVN Northbound database, that asks
to change the source IP address of a packet from an IP address of
<var>A</var> or to change the source IP address of a packet that
- belongs to network <var>A</var> to <var>B</var>, a flow matches
- <code>ip && ip4.src == <var>A</var> &&
- outport == <var>GW</var></code>, where <var>GW</var> is the
- logical router gateway port, with an action
- <code>ct_snat(<var>B</var>);</code>. The priority of the flow
- is calculated based on the mask of <var>A</var>, with matches
- having larger masks getting higher priorities. If the NAT rule
- is of type dnat_and_snat and has <code>stateless=true</code>
- in the options, then the action would be <code>ip4/6.src=
- (<var>B</var>)</code>.
+ belongs to network <var>A</var> to <var>B</var>, two flows are
+ added. The priority of these flows are calculated based on the
+ mask of <var>A</var>, with matches having larger masks getting
+ higher priorities.
</p>
<p>
If the NAT rule cannot be handled in a distributed manner, then
- the flow above is only programmed on the
- gateway chassis increasing flow priority by 128 in
- order to be run first
+ the below flows are only programmed on the gateway chassis increasing
+ flow priority by 128 in order to be run first.
</p>
+ <ul>
+ <li>
+ The first flow is added with the match
+ <code>ip && ip4.src == <var>A</var> &&
+ outport == <var>GW</var></code>, where <var>GW</var> is the
+ logical router gateway port, with an action
+ <code>ct_snat_in_czone(<var>B</var>);</code> to SNATed in the
+ common zone. If the NAT rule is of type dnat_and_snat and has
+ <code>stateless=true</code> in the options, then the action
+ would be <code>ip4/6.src=(<var>B</var>)</code>.
+ </li>
+
+ <li>
+ The second flow is added with the match
+ <code>ip && ip4.src == <var>A</var> &&
+ outport == <var>GW</var> &&
+ REGBIT_DST_NAT_IP_LOCAL == 0</code>, where <var>GW</var> is the
+ logical router gateway port, with an action
+ <code>ct_snat(<var>B</var>);</code> to SNAT in the snat zone.
+ If the NAT rule is of type dnat_and_snat and has
+ <code>stateless=true</code> in the options, then the action would
+ be <code>ip4/6.src=(<var>B</var>)</code>.
+ </li>
+ </ul>
+
<p>
If the NAT rule can be handled in a distributed manner, then
- there is an additional action
+ there is an additional action (for both the flows)
<code>eth.src = <var>EA</var>;</code>, where <var>EA</var>
is the ethernet address associated with the IP address
<var>A</var> in the NAT rule. This allows upstream MAC
@@ -4296,7 +4400,7 @@ nd_ns {
</li>
</ul>
- <h3>Egress Table 3: Egress Loopback</h3>
+ <h3>Egress Table 4: Egress Loopback</h3>
<p>
For distributed logical routers where one of the logical router
@@ -4341,6 +4445,7 @@ clone {
outport = "";
flags = 0;
flags.loopback = 1;
+ flags.use_snat_zone = REGBIT_DST_NAT_IP_LOCAL;
reg0 = 0;
reg1 = 0;
...
@@ -4365,7 +4470,7 @@ clone {
</li>
</ul>
- <h3>Egress Table 4: Delivery</h3>
+ <h3>Egress Table 5: Delivery</h3>
<p>
Packets that reach this table are ready for delivery. It contains:
@@ -877,25 +877,25 @@ check_flow_match_sets() {
echo
echo "IPv4: stateful"
ovn-nbctl --wait=sb lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11
-check_flow_match_sets 2 2 3 0 0 0 0
+check_flow_match_sets 3 4 2 0 0 0 0
ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1
echo
echo "IPv4: stateless"
ovn-nbctl --wait=sb --stateless lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11
-check_flow_match_sets 2 0 1 2 2 0 0
+check_flow_match_sets 2 0 0 2 2 0 0
ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1
echo
echo "IPv6: stateful"
ovn-nbctl --wait=sb lr-nat-add R1 dnat_and_snat fd01::1 fd11::2
-check_flow_match_sets 2 2 3 0 0 0 0
+check_flow_match_sets 3 4 2 0 0 0 0
ovn-nbctl lr-nat-del R1 dnat_and_snat fd01::1
echo
echo "IPv6: stateless"
ovn-nbctl --wait=sb --stateless lr-nat-add R1 dnat_and_snat fd01::1 fd11::2
-check_flow_match_sets 2 0 1 0 0 2 2
+check_flow_match_sets 2 0 0 0 0 2 2
AT_CLEANUP
])
@@ -924,9 +924,9 @@ echo "CR-LRP UUID is: " $uuid
ovn-nbctl --portrange lr-nat-add R1 dnat_and_snat 172.16.1.1 50.0.0.11 1-3000
AT_CAPTURE_FILE([sbflows])
-OVS_WAIT_UNTIL([ovn-sbctl dump-flows R1 > sbflows && test 2 = `grep -c lr_in_unsnat sbflows`])
+OVS_WAIT_UNTIL([ovn-sbctl dump-flows R1 > sbflows && test 3 = `grep -c lr_in_unsnat sbflows`])
AT_CHECK([grep -c 'ct_snat.*3000' sbflows && grep -c 'ct_dnat.*3000' sbflows],
- [0], [1
+ [0], [2
1
])
@@ -934,9 +934,9 @@ ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1
ovn-nbctl --wait=sb --portrange lr-nat-add R1 snat 172.16.1.1 50.0.0.11 1-3000
AT_CAPTURE_FILE([sbflows2])
-OVS_WAIT_UNTIL([ovn-sbctl dump-flows R1 > sbflows2 && test 2 = `grep -c lr_in_unsnat sbflows`])
+OVS_WAIT_UNTIL([ovn-sbctl dump-flows R1 > sbflows2 && test 3 = `grep -c lr_in_unsnat sbflows`])
AT_CHECK([grep -c 'ct_snat.*3000' sbflows2 && grep -c 'ct_dnat.*3000' sbflows2],
- [1], [1
+ [1], [2
0
])
@@ -944,7 +944,7 @@ ovn-nbctl lr-nat-del R1 snat 172.16.1.1
ovn-nbctl --wait=sb --portrange --stateless lr-nat-add R1 dnat_and_snat 172.16.1.2 50.0.0.12 1-3000
AT_CAPTURE_FILE([sbflows3])
-OVS_WAIT_UNTIL([ovn-sbctl dump-flows R1 > sbflows3 && test 3 = `grep -c lr_in_unsnat sbflows3`])
+OVS_WAIT_UNTIL([ovn-sbctl dump-flows R1 > sbflows3 && test 4 = `grep -c lr_in_unsnat sbflows3`])
AT_CHECK([grep 'ct_[s]dnat.*172\.16\.1\.2.*3000' sbflows3], [1])
ovn-nbctl lr-nat-del R1 dnat_and_snat 172.16.1.1
@@ -1008,17 +1008,20 @@ AT_CAPTURE_FILE([drflows])
ovn-sbctl dump-flows CR > crflows
AT_CAPTURE_FILE([crflows])
-AT_CHECK([
- grep -c lr_out_snat drflows
- grep -c lr_out_snat crflows
- grep lr_out_snat drflows | grep "ip4.src == 50.0.0.11" | grep -c "ip4.dst == $allowed_range"
- grep lr_out_snat crflows | grep "ip4.src == 50.0.0.11" | grep -c "ip4.dst == $allowed_range"], [0], [dnl
-3
-3
-1
-1
+AT_CHECK([grep -e "lr_out_snat" drflows | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=161 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $allowed_range), action=(ct_snat_in_czone(172.16.1.1);)
+ table=??(lr_out_snat ), priority=162 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $allowed_range && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.16.1.1);)
+])
+
+AT_CHECK([grep -e "lr_out_snat" crflows | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $allowed_range), action=(ct_snat(172.16.1.1);)
])
+
# SNAT with DISALLOWED_IPs
check ovn-nbctl lr-nat-del DR snat 50.0.0.11
check ovn-nbctl lr-nat-del CR snat 50.0.0.11
@@ -1036,19 +1039,19 @@ AT_CAPTURE_FILE([drflows2])
ovn-sbctl dump-flows CR > crflows2
AT_CAPTURE_FILE([crflows2])
-AT_CHECK([
- grep -c lr_out_snat drflows2
- grep -c lr_out_snat crflows2
- grep lr_out_snat drflows2 | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $disallowed_range" | grep -c "priority=162"
- grep lr_out_snat drflows2 | grep "ip4.src == 50.0.0.11" | grep -c "priority=161"
- grep lr_out_snat crflows2 | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $disallowed_range" | grep -c "priority=34"
- grep lr_out_snat crflows2 | grep "ip4.src == 50.0.0.11" | grep -c "priority=33"], [0], [dnl
-4
-4
-1
-1
-1
-1
+AT_CHECK([grep -e "lr_out_snat" drflows2 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=161 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1")), action=(ct_snat_in_czone(172.16.1.1);)
+ table=??(lr_out_snat ), priority=162 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.16.1.1);)
+ table=??(lr_out_snat ), priority=163 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $disallowed_range), action=(next;)
+])
+
+AT_CHECK([grep -e "lr_out_snat" crflows2 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11), action=(ct_snat(172.16.1.1);)
+ table=??(lr_out_snat ), priority=35 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $disallowed_range), action=(next;)
])
# Stateful FIP with ALLOWED_IPs
@@ -1059,25 +1062,24 @@ check ovn-nbctl lr-nat-add DR dnat_and_snat 172.16.1.2 50.0.0.11
check ovn-nbctl lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11
check ovn-nbctl lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 allowed_range
-check ovn-nbctl lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 allowed_range
+check ovn-nbctl --wait=sb lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 allowed_range
-ovn-nbctl show DR
-ovn-sbctl dump-flows DR
-ovn-nbctl show CR
-ovn-sbctl dump-flows CR
-
-OVS_WAIT_UNTIL([test 3 = `ovn-sbctl dump-flows DR | grep lr_out_snat | \
-wc -l`])
-OVS_WAIT_UNTIL([test 3 = `ovn-sbctl dump-flows CR | grep lr_out_snat | \
-wc -l`])
+ovn-sbctl dump-flows DR > drflows3
+AT_CAPTURE_FILE([drflows2])
+ovn-sbctl dump-flows CR > crflows3
+AT_CAPTURE_FILE([crflows2])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $allowed_range" | wc -l], [0], [1
+AT_CHECK([grep -e "lr_out_snat" drflows3 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=161 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $allowed_range), action=(ct_snat_in_czone(172.16.1.2);)
+ table=??(lr_out_snat ), priority=162 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $allowed_range && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.16.1.2);)
])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $allowed_range" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $allowed_range" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $allowed_range" | wc -l], [0], [1
+
+AT_CHECK([grep -e "lr_out_snat" crflows3 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $allowed_range), action=(ct_snat(172.16.1.2);)
])
# Stateful FIP with DISALLOWED_IPs
@@ -1088,26 +1090,26 @@ ovn-nbctl lr-nat-add DR dnat_and_snat 172.16.1.2 50.0.0.11
ovn-nbctl lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11
ovn-nbctl --is-exempted lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 disallowed_range
-ovn-nbctl --is-exempted lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 disallowed_range
+check ovn-nbctl --wait=sb --is-exempted lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 disallowed_range
-ovn-nbctl show DR
-ovn-sbctl dump-flows DR
-ovn-nbctl show CR
-ovn-sbctl dump-flows CR
-
-OVS_WAIT_UNTIL([test 4 = `ovn-sbctl dump-flows DR | grep lr_out_snat | \
-wc -l`])
-OVS_WAIT_UNTIL([test 4 = `ovn-sbctl dump-flows CR | grep lr_out_snat | \
-wc -l`])
+ovn-sbctl dump-flows DR > drflows4
+AT_CAPTURE_FILE([drflows2])
+ovn-sbctl dump-flows CR > crflows4
+AT_CAPTURE_FILE([crflows2])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $disallowed_range" | grep "priority=162" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $disallowed_range" | grep "priority=101" | wc -l], [0], [1
+AT_CHECK([grep -e "lr_out_snat" drflows4 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=161 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1")), action=(ct_snat_in_czone(172.16.1.2);)
+ table=??(lr_out_snat ), priority=162 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.16.1.2);)
+ table=??(lr_out_snat ), priority=163 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $disallowed_range), action=(next;)
])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $disallowed_range" | grep "priority=34" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $disallowed_range" | grep "priority=101" | wc -l], [0], [1
+AT_CHECK([grep -e "lr_out_snat" crflows4 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11), action=(ct_snat(172.16.1.2);)
+ table=??(lr_out_snat ), priority=35 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $disallowed_range), action=(next;)
])
# Stateless FIP with DISALLOWED_IPs
@@ -1120,24 +1122,21 @@ ovn-nbctl --stateless lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11
ovn-nbctl lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 allowed_range
ovn-nbctl lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 allowed_range
-ovn-nbctl show DR
-ovn-sbctl dump-flows DR
-
-ovn-nbctl show CR
-ovn-sbctl dump-flows CR
-
-OVS_WAIT_UNTIL([test 3 = `ovn-sbctl dump-flows DR | grep lr_out_snat | \
-wc -l`])
-OVS_WAIT_UNTIL([test 3 = `ovn-sbctl dump-flows CR | grep lr_out_snat | \
-wc -l`])
+ovn-sbctl dump-flows DR > drflows5
+AT_CAPTURE_FILE([drflows2])
+ovn-sbctl dump-flows CR > crflows5
+AT_CAPTURE_FILE([crflows2])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $allowed_range" | wc -l], [0], [1
+AT_CHECK([grep -e "lr_out_snat" drflows5 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=161 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $allowed_range), action=(ip4.src=172.16.1.2; next;)
])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $allowed_range" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $allowed_range" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $allowed_range" | wc -l], [0], [1
+
+AT_CHECK([grep -e "lr_out_snat" crflows5 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $allowed_range), action=(ip4.src=172.16.1.2; next;)
])
# Stateful FIP with DISALLOWED_IPs
@@ -1150,23 +1149,25 @@ ovn-nbctl --stateless lr-nat-add CR dnat_and_snat 172.16.1.2 50.0.0.11
ovn-nbctl --is-exempted lr-nat-update-ext-ip DR dnat_and_snat 172.16.1.2 disallowed_range
ovn-nbctl --is-exempted lr-nat-update-ext-ip CR dnat_and_snat 172.16.1.2 disallowed_range
-ovn-nbctl show DR
-ovn-sbctl dump-flows DR
-ovn-nbctl show CR
-ovn-sbctl dump-flows CR
+ovn-nbctl --wait=sb sync
-OVS_WAIT_UNTIL([test 4 = `ovn-sbctl dump-flows DR | grep lr_out_snat | \
-wc -l`])
-OVS_WAIT_UNTIL([test 4 = `ovn-sbctl dump-flows CR | grep lr_out_snat | \
-wc -l`])
+ovn-sbctl dump-flows DR > drflows6
+AT_CAPTURE_FILE([drflows2])
+ovn-sbctl dump-flows CR > crflows6
+AT_CAPTURE_FILE([crflows2])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $disallowed_range" | grep "priority=162" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows DR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $disallowed_range" | grep "priority=101" | wc -l], [0], [1
+AT_CHECK([grep -e "lr_out_snat" drflows6 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=161 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1")), action=(ip4.src=172.16.1.2; next;)
+ table=??(lr_out_snat ), priority=163 , match=(ip && ip4.src == 50.0.0.11 && outport == "DR-S1" && is_chassis_resident("cr-DR-S1") && ip4.dst == $disallowed_range), action=(next;)
])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_out_snat | grep "ip4.src == 50.0.0.11" | grep "ip4.dst == $disallowed_range" | grep "priority=34" | wc -l], [0], [1
-])
-AT_CHECK([ovn-sbctl dump-flows CR | grep lr_in_dnat | grep "ip4.dst == 172.16.1.2" | grep "ip4.src == $disallowed_range" | grep "priority=101" | wc -l], [0], [1
+
+AT_CHECK([grep -e "lr_out_snat" crflows6 | sed 's/table=../table=??/' | sort], [0], [dnl
+ table=??(lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=??(lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=??(lr_out_snat ), priority=33 , match=(ip && ip4.src == 50.0.0.11), action=(ip4.src=172.16.1.2; next;)
+ table=??(lr_out_snat ), priority=35 , match=(ip && ip4.src == 50.0.0.11 && ip4.dst == $disallowed_range), action=(next;)
])
AT_CLEANUP
@@ -3475,14 +3476,14 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(ct_lb(backends=10.0.0.40:8080);)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="20.0.0.4 aef0::4"
@@ -3511,21 +3512,21 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip4), action=(ct_snat(20.0.0.4);)
- table=2 (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip6), action=(ct_snat(aef0::4);)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip4), action=(ct_snat(20.0.0.4);)
+ table=? (lr_out_snat ), priority=100 , match=(flags.force_snat_for_lb == 1 && ip6), action=(ct_snat(aef0::4);)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
check ovn-nbctl --wait=sb set logical_router lr0 options:lb_force_snat_ip="router_ip"
@@ -3557,22 +3558,22 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.100);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.100);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
check ovn-nbctl --wait=sb remove logical_router lr0 options chassis
@@ -3584,9 +3585,9 @@ AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
table=4 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
])
check ovn-nbctl set logical_router lr0 options:chassis=ch1
@@ -3617,23 +3618,23 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.100);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-sw1"), action=(ct_snat(bef0::1);)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.100);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw1"), action=(ct_snat(20.0.0.1);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-sw1"), action=(ct_snat(bef0::1);)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
check ovn-nbctl --wait=sb lb-add lb2 10.0.0.20:80 10.0.0.40:8080
@@ -3661,18 +3662,18 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.20 && tcp && reg9[[16..31]] == 80), action=(flags.skip_snat_for_lb = 1; ct_lb(backends=10.0.0.40:8080);)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=120 , match=(flags.skip_snat_for_lb == 1 && ip), action=(next;)
+AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=120 , match=(flags.skip_snat_for_lb == 1 && ip), action=(next;)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
AT_CLEANUP
@@ -4176,6 +4177,8 @@ check ovn-nbctl lsp-set-options lrp1-attachment router-port=lrp1
check ovn-nbctl lr-nat-add lr0 dnat 42.42.42.42 192.168.0.2
check ovn-nbctl --wait=sb sync
+ovn-trace --minimal 'inport == "sw1-port1" && eth.src == 50:54:00:00:00:03 && eth.dst == 00:00:00:00:ff:02 && ip4.dst == 42.42.42.42 && ip4.src == 11.0.0.2 && ip.ttl == 64'
+
AT_CHECK([ovn-trace --minimal 'inport == "sw1-port1" && eth.src == 50:54:00:00:00:03 && eth.dst == 00:00:00:00:ff:02 && ip4.dst == 42.42.42.42 && ip4.src == 11.0.0.2 && ip.ttl == 64' | grep "output(\"sw0-port1\")"], [0], [ignore])
dnl If we remove the DNAT entry we will be unable to trace to the DNAT address
@@ -4555,17 +4558,17 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
])
# Create few dnat_and_snat entries
@@ -4591,17 +4594,21 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+])
+
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
])
ovn-sbctl chassis-add gw1 geneve 127.0.0.1
@@ -4622,9 +4629,12 @@ AT_CAPTURE_FILE([lr0flows])
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
table=4 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.10 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
- table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
- table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.30 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.10 && inport == "lr0-public" && flags.loopback == 0 && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.10 && inport == "lr0-public" && flags.loopback == 1 && flags.use_snat_zone == 1 && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && flags.loopback == 0 && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && flags.loopback == 1 && flags.use_snat_zone == 1 && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.30 && inport == "lr0-public" && flags.loopback == 0 && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.30 && inport == "lr0-public" && flags.loopback == 1 && flags.use_snat_zone == 1 && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
])
AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0], [dnl
@@ -4633,26 +4643,34 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0], [dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat(10.0.0.3);)
+ table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone(10.0.0.3);)
+])
+
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
+ table=? (lr_out_chk_dnat_local), priority=50 , match=(ip && ip4.dst == 172.168.0.10 && is_chassis_resident("cr-lr0-public")), action=(reg9[[4]] = 1; next;)
+ table=? (lr_out_chk_dnat_local), priority=50 , match=(ip && ip4.dst == 172.168.0.20 && is_chassis_resident("cr-lr0-public")), action=(reg9[[4]] = 1; next;)
+ table=? (lr_out_chk_dnat_local), priority=50 , match=(ip && ip4.dst == 172.168.0.30 && is_chassis_resident("cr-lr0-public")), action=(reg9[[4]] = 1; next;)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=100 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- table=2 (lr_out_snat ), priority=153 , match=(ip && ip4.src == 10.0.0.0/24 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.10 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat(172.168.0.30);)
- table=2 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat(172.168.0.20);)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=153 , match=(ip && ip4.src == 10.0.0.0/24 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone(172.168.0.10);)
+ table=? (lr_out_snat ), priority=154 , match=(ip && ip4.src == 10.0.0.0/24 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.10 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone(172.168.0.30);)
+ table=? (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone(172.168.0.20);)
+ table=? (lr_out_snat ), priority=162 , match=(ip && ip4.src == 10.0.0.10 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.168.0.30);)
+ table=? (lr_out_snat ), priority=162 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.168.0.20);)
])
# Associate load balancer to lr0
@@ -4673,9 +4691,12 @@ AT_CAPTURE_FILE([lr0flows])
AT_CHECK([grep "lr_in_unsnat" lr0flows | sort], [0], [dnl
table=4 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
- table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.10 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
- table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
- table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.30 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.10 && inport == "lr0-public" && flags.loopback == 0 && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.10 && inport == "lr0-public" && flags.loopback == 1 && flags.use_snat_zone == 1 && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && flags.loopback == 0 && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && flags.loopback == 1 && flags.use_snat_zone == 1 && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.30 && inport == "lr0-public" && flags.loopback == 0 && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone;)
+ table=4 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.30 && inport == "lr0-public" && flags.loopback == 1 && flags.use_snat_zone == 1 && is_chassis_resident("cr-lr0-public")), action=(ct_snat;)
])
AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0], [dnl
@@ -4688,7 +4709,7 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0], [dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat(10.0.0.3);)
+ table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone(10.0.0.3);)
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 172.168.0.200 && ct_label.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 172.168.0.200 && is_chassis_resident("cr-lr0-public")), action=(ct_lb(backends=10.0.0.80,10.0.0.81);)
table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 && tcp && reg9[[16..31]] == 80 && ct_label.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
@@ -4699,27 +4720,35 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60 && is_chassis_resident("cr-lr0-public")), action=(ct_lb(backends=10.0.0.50:6062,10.0.0.60:6062);)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=100 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat;)
- table=0 (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.4 && tcp.src == 8080)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat;)
- table=0 (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.50 && tcp.src == 82) || (ip4.src == 10.0.0.60 && tcp.src == 82)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat;)
- table=0 (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.50 && udp.src == 6062) || (ip4.src == 10.0.0.60 && udp.src == 6062)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat;)
- table=0 (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.80) || (ip4.src == 10.0.0.81)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
+ table=? (lr_out_chk_dnat_local), priority=50 , match=(ip && ip4.dst == 172.168.0.10 && is_chassis_resident("cr-lr0-public")), action=(reg9[[4]] = 1; next;)
+ table=? (lr_out_chk_dnat_local), priority=50 , match=(ip && ip4.dst == 172.168.0.20 && is_chassis_resident("cr-lr0-public")), action=(reg9[[4]] = 1; next;)
+ table=? (lr_out_chk_dnat_local), priority=50 , match=(ip && ip4.dst == 172.168.0.30 && is_chassis_resident("cr-lr0-public")), action=(reg9[[4]] = 1; next;)
+])
+
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=100 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone;)
+ table=? (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.4 && tcp.src == 8080)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone;)
+ table=? (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.50 && tcp.src == 82) || (ip4.src == 10.0.0.60 && tcp.src == 82)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone;)
+ table=? (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.50 && udp.src == 6062) || (ip4.src == 10.0.0.60 && udp.src == 6062)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone;)
+ table=? (lr_out_undnat ), priority=120 , match=(ip4 && ((ip4.src == 10.0.0.80) || (ip4.src == 10.0.0.81)) && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- table=2 (lr_out_snat ), priority=153 , match=(ip && ip4.src == 10.0.0.0/24 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.10 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat(172.168.0.30);)
- table=2 (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat(172.168.0.20);)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=153 , match=(ip && ip4.src == 10.0.0.0/24 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone(172.168.0.10);)
+ table=? (lr_out_snat ), priority=154 , match=(ip && ip4.src == 10.0.0.0/24 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.10 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone(172.168.0.30);)
+ table=? (lr_out_snat ), priority=161 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_snat_in_czone(172.168.0.20);)
+ table=? (lr_out_snat ), priority=162 , match=(ip && ip4.src == 10.0.0.10 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.168.0.30);)
+ table=? (lr_out_snat ), priority=162 , match=(ip && ip4.src == 10.0.0.3 && outport == "lr0-public" && is_chassis_resident("cr-lr0-public") && reg9[[4]] == 1), action=(reg9[[4]] = 0; ct_snat(172.168.0.20);)
])
# Make the logical router as Gateway router
@@ -4759,22 +4788,26 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), action=(ct_lb(backends=10.0.0.50:6062,10.0.0.60:6062);)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- table=2 (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+])
+
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
])
# Set lb force snat logical router.
@@ -4814,24 +4847,28 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.50:6062,10.0.0.60:6062);)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
+])
+
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- table=2 (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
])
# Add a LB VIP same as router ip.
@@ -4875,24 +4912,28 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.50:6062,10.0.0.60:6062);)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- table=2 (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+])
+
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
])
# Add IPv6 router port and LB.
@@ -4949,26 +4990,30 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip6 && xxreg0 == def0::2 && tcp && reg9[[16..31]] == 8000), action=(flags.force_snat_for_lb = 1; ct_lb(backends=[[aef0::2]]:80,[[aef0::3]]:80);)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
+])
+
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-public"), action=(ct_snat(def0::10);)
- table=2 (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-sw0"), action=(ct_snat(aef0::1);)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
- table=2 (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
- table=2 (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-public"), action=(ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip4 && outport == "lr0-sw0"), action=(ct_snat(10.0.0.1);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-public"), action=(ct_snat(def0::10);)
+ table=? (lr_out_snat ), priority=110 , match=(flags.force_snat_for_lb == 1 && ip6 && outport == "lr0-sw0"), action=(ct_snat(aef0::1);)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+ table=? (lr_out_snat ), priority=25 , match=(ip && ip4.src == 10.0.0.0/24), action=(ct_snat(172.168.0.10);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.10), action=(ct_snat(172.168.0.30);)
+ table=? (lr_out_snat ), priority=33 , match=(ip && ip4.src == 10.0.0.3), action=(ct_snat(172.168.0.20);)
])
check ovn-nbctl lrp-del lr0-sw0
@@ -5003,19 +5048,23 @@ AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210 && udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1; ct_lb(backends=10.0.0.50:6062,10.0.0.60:6062);)
])
-AT_CHECK([grep "lr_out_undnat" lr0flows | sort], [0], [dnl
- table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
- table=0 (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
+AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[[4]] = 0; next;)
+])
+
+AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_undnat ), priority=50 , match=(ip), action=(flags.loopback = 1; ct_dnat;)
])
-AT_CHECK([grep "lr_out_post_undnat" lr0flows | sort], [0], [dnl
- table=1 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
- table=1 (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
+AT_CHECK([grep "lr_out_post_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_post_undnat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_post_undnat ), priority=50 , match=(ip && ct.new), action=(ct_commit { } ; next; )
])
-AT_CHECK([grep "lr_out_snat" lr0flows | sort], [0], [dnl
- table=2 (lr_out_snat ), priority=0 , match=(1), action=(next;)
- table=2 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
+AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
+ table=? (lr_out_snat ), priority=0 , match=(1), action=(next;)
+ table=? (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;)
])
AT_CLEANUP
@@ -21564,7 +21564,7 @@ AT_CAPTURE_FILE([sbflows])
AT_CHECK([for regex in ct_snat ct_dnat ip4.dst= ip4.src=; do
grep -c "$regex" sbflows;
done], [0], [0
-1
+0
2
2
])
@@ -2224,7 +2224,7 @@ ovn-nbctl set load_balancer $uuid vips:'"30.0.0.2:8000"'='"192.168.1.2:80,192.16
ovn-nbctl list load_balancer
ovn-sbctl dump-flows R2
-OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=42 | \
+OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=43 | \
grep 'nat(src=20.0.0.2)'])
dnl Test load-balancing that includes L4 ports in NAT.
@@ -2262,7 +2262,7 @@ ovn-nbctl set load_balancer $uuid vips:'"30.0.0.2:8000"'='"192.168.1.2:80,192.16
ovn-nbctl list load_balancer
ovn-sbctl dump-flows R2
-OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=42 | \
+OVS_WAIT_UNTIL([ovs-ofctl -O OpenFlow13 dump-flows br-int table=43 | \
grep 'nat(src=20.0.0.2)'])
rm -f wget*.log
@@ -3861,11 +3861,9 @@ NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 192.168.2.2 | FORMAT_PING], \
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
-# We verify that the connection is tracked but not NATted. This is due to the
-# unDNAT table in the egress router pipeline
+# We verify that the connection is not tracked.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.2.2) | \
sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
-icmp,orig=(src=192.168.1.2,dst=192.168.2.2,id=<cleared>,type=8,code=0),reply=(src=192.168.2.2,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
@@ -3875,11 +3873,9 @@ NS_CHECK_EXEC([foo2], [ping -q -c 3 -i 0.3 -w 2 192.168.2.2 | FORMAT_PING], \
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
-# We verify that the connection is tracked but not NATted. This is due to the
-# unDNAT table in the egress router pipeline
+# We verify that the connection is not tracked.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.2.2) | \
sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
-icmp,orig=(src=192.168.1.3,dst=192.168.2.2,id=<cleared>,type=8,code=0),reply=(src=192.168.2.2,dst=192.168.1.3,id=<cleared>,type=0,code=0),zone=<cleared>
])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
@@ -3889,14 +3885,13 @@ NS_CHECK_EXEC([bar1], [ping -q -c 3 -i 0.3 -w 2 192.168.1.3 | FORMAT_PING], \
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
-# We verify that the connection is tracked but not NATted. This is due to the
-# unDNAT table in the egress router pipeline
+# We verify that the connection is not tracked.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.168.2.2) | \
sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
-icmp,orig=(src=192.168.2.2,dst=192.168.1.3,id=<cleared>,type=8,code=0),reply=(src=192.168.1.3,dst=192.168.2.2,id=<cleared>,type=0,code=0),zone=<cleared>
])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
# East-West NAT: 'foo1' pings 'bar1' using 172.16.1.4.
NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 172.16.1.4 | FORMAT_PING], \
[0], [dnl
@@ -3909,7 +3904,6 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.1.4) | \
sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
icmp,orig=(src=172.16.1.1,dst=172.16.1.4,id=<cleared>,type=8,code=0),reply=(src=192.168.2.2,dst=172.16.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
icmp,orig=(src=192.168.1.2,dst=172.16.1.4,id=<cleared>,type=8,code=0),reply=(src=172.16.1.4,dst=172.16.1.1,id=<cleared>,type=0,code=0),zone=<cleared>
-icmp,orig=(src=192.168.1.2,dst=172.16.1.4,id=<cleared>,type=8,code=0),reply=(src=172.16.1.4,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
@@ -4055,13 +4049,6 @@ NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 fd12::2 | FORMAT_PING], \
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
-# We verify that the connection is tracked but not NATted. This is due to the
-# unDNAT table in the egress router pipeline
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd12::2) | \
-sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
-icmpv6,orig=(src=fd11::2,dst=fd12::2,id=<cleared>,type=128,code=0),reply=(src=fd12::2,dst=fd11::2,id=<cleared>,type=129,code=0),zone=<cleared>
-])
-
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
# East-West No NAT: 'foo2' pings 'bar1' using fd12::2.
NS_CHECK_EXEC([foo2], [ping -q -c 3 -i 0.3 -w 2 fd12::2 | FORMAT_PING], \
@@ -4069,13 +4056,6 @@ NS_CHECK_EXEC([foo2], [ping -q -c 3 -i 0.3 -w 2 fd12::2 | FORMAT_PING], \
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
-# We verify that the connection is tracked but not NATted. This is due to the
-# unDNAT table in the egress router pipeline
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd12::2) | \
-sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
-icmpv6,orig=(src=fd11::3,dst=fd12::2,id=<cleared>,type=128,code=0),reply=(src=fd12::2,dst=fd11::3,id=<cleared>,type=129,code=0),zone=<cleared>
-])
-
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
# East-West No NAT: 'bar1' pings 'foo2' using fd11::3.
NS_CHECK_EXEC([bar1], [ping -q -c 3 -i 0.3 -w 2 fd11::3 | FORMAT_PING], \
@@ -4083,13 +4063,6 @@ NS_CHECK_EXEC([bar1], [ping -q -c 3 -i 0.3 -w 2 fd11::3 | FORMAT_PING], \
3 packets transmitted, 3 received, 0% packet loss, time 0ms
])
-# We verify that the connection is tracked but not NATted. This is due to the
-# unDNAT table in the egress router pipeline
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd12::2) | \
-sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
-icmpv6,orig=(src=fd12::2,dst=fd11::3,id=<cleared>,type=128,code=0),reply=(src=fd11::3,dst=fd12::2,id=<cleared>,type=129,code=0),zone=<cleared>
-])
-
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
# East-West NAT: 'foo1' pings 'bar1' using fd20::4.
NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 fd20::4 | FORMAT_PING], \
@@ -4101,7 +4074,6 @@ NS_CHECK_EXEC([foo1], [ping -q -c 3 -i 0.3 -w 2 fd20::4 | FORMAT_PING], \
# Then DNAT of 'bar1' address happens (listed first below).
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd20::4) | \
sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
-icmpv6,orig=(src=fd11::2,dst=fd20::4,id=<cleared>,type=128,code=0),reply=(src=fd20::4,dst=fd11::2,id=<cleared>,type=129,code=0),zone=<cleared>
icmpv6,orig=(src=fd11::2,dst=fd20::4,id=<cleared>,type=128,code=0),reply=(src=fd20::4,dst=fd20::1,id=<cleared>,type=129,code=0),zone=<cleared>
icmpv6,orig=(src=fd20::1,dst=fd20::4,id=<cleared>,type=128,code=0),reply=(src=fd12::2,dst=fd20::1,id=<cleared>,type=129,code=0),zone=<cleared>
])
@@ -6037,7 +6009,6 @@ NS_CHECK_EXEC([sw01-x], [ping -q -c 3 -i 0.3 -w 2 172.16.1.100 | FORMAT_PING], \
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.1.100) | \
sed -e 's/zone=[[0-9]]*/zone=<cleared>/'], [0], [dnl
icmp,orig=(src=192.168.1.2,dst=172.16.1.100,id=<cleared>,type=8,code=0),reply=(src=172.16.1.100,dst=172.16.1.20,id=<cleared>,type=0,code=0),zone=<cleared>
-icmp,orig=(src=192.168.1.2,dst=172.16.1.100,id=<cleared>,type=8,code=0),reply=(src=172.16.1.100,dst=192.168.1.2,id=<cleared>,type=0,code=0),zone=<cleared>
])
OVS_APP_EXIT_AND_WAIT([ovn-controller])