13
Stateful NAT with Open vSwitch LinuxCon 2015, Seale Thomas Graf Kernel & Open vSwitch Team Noiro Networks (Cisco)

LinuxCon 2015 Stateful NAT with OVS

Embed Size (px)

Citation preview

Page 1: LinuxCon 2015 Stateful NAT with OVS

Stateful NAT with Open vSwitchLinuxCon 2015, Seattle

Thomas Graf Kernel & Open vSwitch Team Noiro Networks (Cisco)

Page 2: LinuxCon 2015 Stateful NAT with OVS

Agenda

● What is Open vSwitch● Stateful NAT options for Open vSwitch● Demo● Q&A

Page 3: LinuxCon 2015 Stateful NAT with OVS

Open vSwitch Connects

VM

Host

NIC

Cont

aine

r Tunnel

CloudyStuff

Page 4: LinuxCon 2015 Stateful NAT with OVS

● Highly scaleable multi layer virtual switch for hypervisors

– Apache License (User Space), GPL (Kernel)● Extensive flow table programming capabilities

– OpenFlow 1.0 – 1.5 (some partial)– Vendor extensions

● Designed to manage overlay networks

– VXLAN (+ extensions), GRE, Geneve, LISP, STT, VLAN, ...● Remote management protocol (OVSDB)● Monitoring capabilities

Open vSwitch in a Nutshell

Page 5: LinuxCon 2015 Stateful NAT with OVS

NAT Dependency:Connection Tracking

● We are adding the ability to use the conntrack module from Linux

– Stateful tracking of flows

– Supports ALGs to punch holes for related “data” channels

● FTP, TFTP, SIP● Implement a distributed firewall with enforcement at the edge

– Better performance

– Better visibility

● Introduce new OpenFlow extensions:

– Action to send to conntrack

– Match fields on state of connection

● Have prototype working. Expect to ship as part of OVS in next release.

Page 6: LinuxCon 2015 Stateful NAT with OVS

Netfilter Conntrack Integration

OVS Flow Table

NetfilterConnection Tracker

CTTable

Userspace Netlink API

Create & UpdateCT entries

Connection State (conn_state=)

conntrack()

Recirculation

1

2

3

4

Page 7: LinuxCon 2015 Stateful NAT with OVS

Zone 1

Connection Tracking Zones

OVS Flow Table

CTTable

Zone 2

CTTable

NetfilterConnection Tracker

Page 8: LinuxCon 2015 Stateful NAT with OVS

● Route packets through separate NAT network namespace● Utilize Netfilter chains to perform NAT● Pro: Working now● Con: Requires linear Netfilter chain traversal

NAT with Open vSwitch

The Now

● Native OpenFlow NAT action● Pro: Fast, clean & available to orchestration tools● Con: Tricky to get right

The Future

Page 9: LinuxCon 2015 Stateful NAT with OVS

Possible Future 1:Native stateful NAT

OVS Flow Table

NetfilterConnection Tracker CT

Table

Create & UpdateCT entries

conntrack()

Recirculation

1

2

3

4

NetfilterNAT

nat()

Page 10: LinuxCon 2015 Stateful NAT with OVS

Possible Future 2:Customizable NAT through eBPF

OVS Flow Table

NetfilterConnection Tracker CT

Table

Create & UpdateCT entries

conntrack()

Recirculation

1

2

3

4

BPF progperforming NAT

bpf()

Page 11: LinuxCon 2015 Stateful NAT with OVS

What is available now:NAT with Netfilter

OVS Flow Table

NetfilterConnection Tracker CT

Table

Create & UpdateCT entries

conntrack()

Final L2/L3 decision

1

2

3

Namespace w/-j SNAT / -j DNAT

output() tointernal port

5

4

Routing:ip rule add iif nat-gw lookup 100ip route add 1.1.1.1/32 dev nat-gwip route add default \ via 1.1.1.1 table 100

Page 12: LinuxCon 2015 Stateful NAT with OVS

Demo

Page 13: LinuxCon 2015 Stateful NAT with OVS

Q&A

Contact:● E-Mail: [email protected]● Twitter: @tgraf__

mailto:[email protected]

Presentation LinuxCon Europe 2012 lmr

Presentation LinuxCon Europe 2012 lmr

Documents
LinuxCon Keynote

LinuxCon Keynote

Technology
Presentazione Ovs

Presentazione Ovs

Business
ovsgroup.comovsgroup.com/wp-content/uploads/2012/10/OVS-Framework-Technolo… · (9 ovs gÊoup technology presentation ovs@ framework architecture components reports & charts maps

ovsgroup.comovsgroup.com/wp-content/uploads/2012/10/OVS-Framework-Technolo… · (9 ovs gÊoup technology presentation ovs@ framework architecture components reports & charts maps

Documents
OpenZFS at LinuxCon

OpenZFS at LinuxCon

Technology
OVS v OVS-DPDK

OVS v OVS-DPDK

Engineering
Apache CloudStack at LinuxCon Japan

Apache CloudStack at LinuxCon Japan

Technology
Apache Deltacloud (Linuxcon 2010)

Apache Deltacloud (Linuxcon 2010)

Technology
Farblegende der Biotope - · PDF file281803 281804 281808 281809 281810 281907 281814 281913 281914 281818 281920 281921 o ovs fwr ff fwr ovw ba/ hber ff ovs ovs ovw ovp ovs hb ovs

Farblegende der Biotope - · PDF file281803 281804 281808 281809 281810 281907 281814 281913 281914 281818 281920 281921 o ovs fwr ff fwr ovw ba/ hber ff ovs ovs ovw ovp ovs hb ovs

Documents
Offer versus Serve (OVS) 1. No OVS for Breakfast As always, OVS is optional for all grade groups No OVS means students must take all planned menu

Offer versus Serve (OVS) 1. No OVS for Breakfast As always, OVS is optional for all grade groups No OVS means students must take all planned menu

Documents
Linux 2.4 stateful firewall designcarfield.com.hk/document/security/Linux+Stateful+Firewall.pdf · Linux 2.4 stateful firewall design ... Defining rules 6 4. Stateful firewalls 8

Linux 2.4 stateful firewall designcarfield.com.hk/document/security/Linux+Stateful+Firewall.pdf · Linux 2.4 stateful firewall design ... Defining rules 6 4. Stateful firewalls 8

Documents
Xen Project Update LinuxCon Brazil

Xen Project Update LinuxCon Brazil

Technology
OVS-NFV Tutorial

OVS-NFV Tutorial

Technology
Stateful Firewalls

Stateful Firewalls

Documents
LinuxCon Introduction to CloudStack

LinuxCon Introduction to CloudStack

Documents
D2W Stateful Controllers

D2W Stateful Controllers

Technology
OVS Debugging 110414

OVS Debugging 110414

Documents
OVS Strategy Update 20Apr - ovscorporate.it · 2017 OVS Strategy Update OVS today: the environment OVS is competing in a market characterized by the following main aspects: a) Market

OVS Strategy Update 20Apr - ovscorporate.it · 2017 OVS Strategy Update OVS today: the environment OVS is competing in a market characterized by the following main aspects: a) Market

Documents
2015 FOSDEM - OVS Stateful Services

2015 FOSDEM - OVS Stateful Services

Technology
Building ovs

Building ovs

Engineering
ODP Presentation LinuxCon NA 2014

ODP Presentation LinuxCon NA 2014

Documents
LinuxCon Europe

LinuxCon Europe

Documents
Report of linuxcon japan 2013

Report of linuxcon japan 2013

Technology
Catalogo OVS Kids

Catalogo OVS Kids

Documents
Stateful Distributed Dataflow Graphs - SICSictlabs-summer-school.sics.se/2015/slides/stateful...Peter R. Pietzuch prp@doc.ic.ac.uk Stateful Distributed Dataflow Graphs: Imperative

Stateful Distributed Dataflow Graphs - SICSictlabs-summer-school.sics.se/2015/slides/stateful...Peter R. Pietzuch [email protected] Stateful Distributed Dataflow Graphs: Imperative

Documents
LinuxCon Europe 2013

LinuxCon Europe 2013

Technology
The Stateful ElePHPant

The Stateful ElePHPant

Technology
NAME SYNOPSIS DESCRIPTIONopenvswitch.org/support/dist-docs/ovs-ofctl.8.pdf · ovs−ofctl(8) OpenvSwitch Manual ovs−ofctl(8) NAME ovs−ofctl − administer OpenFlowswitches SYNOPSIS

NAME SYNOPSIS DESCRIPTIONopenvswitch.org/support/dist-docs/ovs-ofctl.8.pdf · ovs−ofctl(8) OpenvSwitch Manual ovs−ofctl(8) NAME ovs−ofctl − administer OpenFlowswitches SYNOPSIS

Documents
Stateful Connection Tracking & Stateful NAT - Open …openvswitch.org/support/ovscon2014/17/1030-conntrack_nat.pdfStateful Connection Tracking & Stateful NAT Justin Pettit VMware Thomas

Stateful Connection Tracking & Stateful NAT - Open …openvswitch.org/support/ovscon2014/17/1030-conntrack_nat.pdfStateful Connection Tracking & Stateful NAT Justin Pettit VMware Thomas

Documents
Dream product LinuxCon Europe Europe

Dream product LinuxCon Europe Europe

Education