Stateful NAT with Open vSwitch LinuxCon 2015, Seale Thomas Graf Kernel & Open vSwitch Team Noiro Networks (Cisco)
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Stateful NAT with Open vSwitchLinuxCon 2015, Seattle
Thomas Graf Kernel & Open vSwitch Team Noiro Networks (Cisco)
Agenda
● What is Open vSwitch● Stateful NAT options for Open vSwitch● Demo● Q&A
Open vSwitch Connects
VM
Host
NIC
Cont
aine
r Tunnel
CloudyStuff
● Highly scaleable multi layer virtual switch for hypervisors
– Apache License (User Space), GPL (Kernel)● Extensive flow table programming capabilities
– OpenFlow 1.0 – 1.5 (some partial)– Vendor extensions
● Designed to manage overlay networks
– VXLAN (+ extensions), GRE, Geneve, LISP, STT, VLAN, ...● Remote management protocol (OVSDB)● Monitoring capabilities
Open vSwitch in a Nutshell
NAT Dependency:Connection Tracking
● We are adding the ability to use the conntrack module from Linux
– Stateful tracking of flows
– Supports ALGs to punch holes for related “data” channels
● FTP, TFTP, SIP● Implement a distributed firewall with enforcement at the edge
– Better performance
– Better visibility
● Introduce new OpenFlow extensions:
– Action to send to conntrack
– Match fields on state of connection
● Have prototype working. Expect to ship as part of OVS in next release.
Netfilter Conntrack Integration
OVS Flow Table
NetfilterConnection Tracker
CTTable
Userspace Netlink API
Create & UpdateCT entries
Connection State (conn_state=)
conntrack()
Recirculation
1
2
3
4
Zone 1
Connection Tracking Zones
OVS Flow Table
CTTable
Zone 2
CTTable
NetfilterConnection Tracker
● Route packets through separate NAT network namespace● Utilize Netfilter chains to perform NAT● Pro: Working now● Con: Requires linear Netfilter chain traversal
NAT with Open vSwitch
The Now
● Native OpenFlow NAT action● Pro: Fast, clean & available to orchestration tools● Con: Tricky to get right
The Future
Possible Future 1:Native stateful NAT
OVS Flow Table
NetfilterConnection Tracker CT
Table
Create & UpdateCT entries
conntrack()
Recirculation
1
2
3
4
NetfilterNAT
nat()
Possible Future 2:Customizable NAT through eBPF
OVS Flow Table
NetfilterConnection Tracker CT
Table
Create & UpdateCT entries
conntrack()
Recirculation
1
2
3
4
BPF progperforming NAT
bpf()
What is available now:NAT with Netfilter
OVS Flow Table
NetfilterConnection Tracker CT
Table
Create & UpdateCT entries
conntrack()
Final L2/L3 decision
1
2
3
Namespace w/-j SNAT / -j DNAT
output() tointernal port
5
4
Routing:ip rule add iif nat-gw lookup 100ip route add 1.1.1.1/32 dev nat-gwip route add default \ via 1.1.1.1 table 100
Demo
Related Documents
