LinuxCon 2015: Stateful NAT with OVS

Post on 16-Apr-2017


TRANSCRIPT

Stateful NAT with Open vSwitch
LinuxCon 2015, Seattle

Thomas Graf, Kernel & Open vSwitch Team, Noiro Networks (Cisco)

Agenda

● What is Open vSwitch
● Stateful NAT options for Open vSwitch
● Demo
● Q&A

Open vSwitch Connects (diagram: VM, Host, NIC, Container, Tunnel, Cloudy Stuff)

● Highly scalable multi-layer virtual switch for hypervisors
  – Apache License (user space), GPL (kernel)
● Extensive flow table programming capabilities
  – OpenFlow 1.0 – 1.5 (some partial)
  – Vendor extensions
● Designed to manage overlay networks
  – VXLAN (+ extensions), GRE, Geneve, LISP, STT, VLAN, ...
● Remote management protocol (OVSDB)
● Monitoring capabilities

Open vSwitch in a Nutshell

NAT Dependency: Connection Tracking

● We are adding the ability to use the conntrack module from Linux
  – Stateful tracking of flows
  – Supports ALGs to punch holes for related “data” channels
    ● FTP, TFTP, SIP
● Implement a distributed firewall with enforcement at the edge
  – Better performance
  – Better visibility
● Introduce new OpenFlow extensions:
  – Action to send to conntrack
  – Match fields on state of connection
● Have prototype working. Expect to ship as part of OVS in next release.
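As an added example (not part of the slides, and not the speaker's prototype), here is the "distributed firewall with enforcement at the edge" that the conntrack integration enables, expressed as OpenFlow rules: an untracked packet is handed to the Netfilter tracker, the tracker creates or updates its CT entry, and the packet is recirculated into the flow table carrying its connection state, where only established, related, or locally initiated connections are forwarded. The syntax used is the one that later shipped in Open vSwitch 2.5 (the ct() action and the ct_state field), not the prototype names on the slide (conntrack(), conn_state=). The bridge name, port numbers and conntrack zone are my assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a stateful "allow outbound, drop
# unsolicited inbound" firewall on top of the OVS conntrack integration.
# Pipeline per packet: hits table 0 untracked -> ct() sends it to the
# Netfilter tracker (in zone $zone) -> CT entry created/updated ->
# recirculated into table 0 with ct_state set -> policy rules apply.
# Assumptions (mine): bridge br0, port 1 = VM/container side (trusted),
# port 2 = uplink (untrusted), conntrack zone 1.

# Emit the flow set. $1 = trusted port, $2 = uplink port, $3 = CT zone.
# Rules, top to bottom:
#  - untracked IP packets go to conntrack and re-enter table 0 (recirculation)
#  - new connections from the trusted side are committed to the CT table
#    and forwarded; their established replies flow both ways
#  - ALG-related channels (e.g. FTP data) from the uplink are allowed (+rel)
#  - new connections arriving from the uplink are dropped
#  - packets conntrack flags as invalid are dropped
#  - ARP uses the normal L2 pipeline; everything else is dropped
ct_firewall_flows() {
    vm="$1"; up="$2"; zone="$3"
    cat <<EOF
table=0,priority=100,ip,ct_state=-trk,actions=ct(zone=$zone,table=0)
table=0,priority=60,ip,ct_state=+trk+inv,actions=drop
table=0,priority=50,ip,ct_state=+trk+new,in_port=$vm,actions=ct(commit,zone=$zone),output:$up
table=0,priority=50,ip,ct_state=+trk+est,in_port=$vm,actions=output:$up
table=0,priority=50,ip,ct_state=+trk+est,in_port=$up,actions=output:$vm
table=0,priority=50,ip,ct_state=+trk+rel,in_port=$up,actions=output:$vm
table=0,priority=50,ip,ct_state=+trk+new,in_port=$up,actions=drop
table=0,priority=10,arp,actions=normal
table=0,priority=0,actions=drop
EOF
}

# Load the flow set into a bridge (needs a running OVS and root).
apply_ct_firewall() {
    br="$1"; shift
    ct_firewall_flows "$@" | ovs-ofctl add-flows "$br" -
}

# Usage: CT_APPLY=1 sh ct-firewall.sh   (prints nothing, applies to br0)
#        sh ct-firewall.sh && ct_firewall_flows 1 2 1   (just show the flows)
if [ "${CT_APPLY:-0}" = 1 ]; then
    apply_ct_firewall br0 1 2 1
fi
```

The -trk rule must have the highest priority so that the first pass always reaches conntrack; after recirculation the +trk rules see the state, so a SYN arriving from the uplink is dropped while a SYN from the VM side is committed and its replies come back as +est.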

Netfilter Conntrack Integration (diagram, steps 1–4: OVS Flow Table → conntrack() → Netfilter Connection Tracker / CT Table, which creates & updates CT entries and is also reachable from user space via the Netlink API → recirculation back into the flow table carrying the connection state (conn_state=))

Connection Tracking Zones (diagram: OVS Flow Table; the Netfilter Connection Tracker keeps a separate CT Table per zone, Zone 1 and Zone 2)

NAT with Open vSwitch

The Now
● Route packets through separate NAT network namespace
● Utilize Netfilter chains to perform NAT
● Pro: Working now
● Con: Requires linear Netfilter chain traversal

The Future
● Native OpenFlow NAT action
● Pro: Fast, clean & available to orchestration tools
● Con: Tricky to get right

Possible Future 1: Native stateful NAT (diagram: the conntrack pipeline above, steps 1–4 with conntrack() and recirculation, plus a Netfilter NAT block invoked with a nat() action)

Possible Future 2: Customizable NAT through eBPF (diagram: the same pipeline, with a BPF program performing NAT invoked with a bpf() action)

What is available now: NAT with Netfilter (diagram: OVS Flow Table → conntrack() → Netfilter Connection Tracker / CT Table, steps 1–3; output() to an internal port in a namespace with -j SNAT / -j DNAT, step 4; the packet returns to the flow table for the final L2/L3 decision, step 5)

Routing:
  ip rule add iif nat-gw lookup 100
  ip route add 1.1.1.1/32 dev nat-gw
  ip route add default via 1.1.1.1 table 100
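As an added example (not from the slides), the following script wires up the "NAT with Netfilter" design the talk says is available now, which is also what "The Now" bullets describe: route packets through a separate NAT network namespace and let Netfilter chains perform the NAT. OVS outputs the flow to an internal port that lives in its own namespace; iptables in that namespace applies SNAT/DNAT, and policy routing hairpins the packet back out the same port, where the OVS flow table makes the final L2/L3 decision. The three ip rule / ip route commands are the ones on the slide; the namespace and port names, addresses, the SNAT rule, the OVS steering flows and the dry-run wrapper are my assumptions about how the pieces fit together, not the speaker's configuration.

```shell
#!/bin/sh
# Added example, not from the slides: NAT namespace wiring for the
# "NAT with Netfilter" design. Needs root and a running OVS to apply;
# with DRY_RUN=1 the commands are only printed.

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 namespace, $2 OVS internal port (slide: nat-gw), $3 next hop on the
# OVS side (slide: 1.1.1.1), $4 address to SNAT to (assumed), $5 bridge.
setup_nat_namespace() {
    ns="$1"; port="$2"; gw="$3"; nat_ip="$4"; br="$5"

    # Internal port on the bridge, moved into the NAT namespace (assumed).
    run ovs-vsctl add-port "$br" "$port" -- set interface "$port" type=internal
    run ip netns add "$ns"
    run ip link set "$port" netns "$ns"
    run ip netns exec "$ns" ip link set "$port" up
    run ip netns exec "$ns" ip addr add "$nat_ip/32" dev "$port"
    run ip netns exec "$ns" sysctl -w net.ipv4.ip_forward=1

    # Routing from the slide: anything arriving on nat-gw consults table
    # 100, whose default route sends it straight back out through nat-gw.
    # The next hop must be resolvable on nat-gw (an ARP responder on the
    # OVS side or a static neighbour entry; not shown on the slide).
    run ip netns exec "$ns" ip rule add iif "$port" lookup 100
    run ip netns exec "$ns" ip route add "$gw/32" dev "$port"
    run ip netns exec "$ns" ip route add default via "$gw" table 100

    # Netfilter NAT chain: rewrite the source on the way out (assumed rule).
    # An inbound port forward would be a -j DNAT rule in PREROUTING.
    run ip netns exec "$ns" iptables -t nat -A POSTROUTING -o "$port" \
        -j SNAT --to-source "$nat_ip"
}

# OVS side (assumed): steer traffic from the VM port $1 and the uplink $2
# through the NAT port $3. What comes back from the NAT port has already
# been rewritten, so it gets the final L2/L3 decision; the normal L2
# pipeline stands in for whatever that decision is in a real deployment.
nat_steering_flows() {
    vm="$1"; up="$2"; natport="$3"
    cat <<EOF
table=0,priority=50,ip,in_port=$vm,actions=output:$natport
table=0,priority=50,ip,in_port=$up,actions=output:$natport
table=0,priority=50,ip,in_port=$natport,actions=normal
table=0,priority=0,actions=normal
EOF
}

apply_nat() {
    setup_nat_namespace nat-ns nat-gw 1.1.1.1 203.0.113.10 br0
    nat_steering_flows 1 2 nat-gw | run ovs-ofctl add-flows br0 -
}

# Usage: DRY_RUN=1 NAT_APPLY=1 sh nat-netfilter.sh   (drop DRY_RUN to apply)
if [ "${NAT_APPLY:-0}" = 1 ]; then
    apply_nat
fi
```

Every packet takes two trips through the OVS flow table (out to the internal port and back), plus a full Netfilter chain traversal inside the namespace; that round trip is the "linear Netfilter chain traversal" cost the slide lists as the con of this approach. If the hairpinned packets never come back, check the reverse-path filter setting on the port inside the namespace.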

Demo

Q&A

Contact:
● E-Mail: tgraf@suug.ch
● Twitter: @tgraf__
