LinuxCon 2015 Stateful NAT with OVS

As containers are deployed as part of multi-tenant clusters, virtual multi-layer switches become essential to interconnect containers while providing isolation guarantees. Assigning tenants their own private networks requires stateful network address translation (NAT), implemented in a scalable architecture, to expose containers to public networks. Virtual switches integrated into the Linux kernel have so far not supported stateful NAT. This presentation introduces a new virtual NAT service, deployable as a container and built from existing kernel functionality such as network namespaces, routing rules and Netfilter, that provides NAT services to existing virtual switches such as Open vSwitch and the Linux bridge, and also to the core L3 layer of Linux.

Slide 1: Stateful NAT with Open vSwitch
LinuxCon 2015, Seattle
Thomas Graf, Kernel & Open vSwitch Team, Noiro Networks (Cisco)

Slide 2: Agenda
● What is Open vSwitch
● Stateful NAT options for Open vSwitch
● Demo
● Q&A

Slide 3: Open vSwitch Connects
(diagram labels: VM, Host, NIC, Container, Tunnel, Cloudy Stuff)

Slide 4: Open vSwitch in a Nutshell
● Highly scalable multi-layer virtual switch for hypervisors
  – Apache License (user space), GPL (kernel)
● Extensive flow table programming capabilities
  – OpenFlow 1.0 – 1.5 (some partial)
  – Vendor extensions
● Designed to manage overlay networks
  – VXLAN (+ extensions), GRE, Geneve, LISP, STT, VLAN, ...
● Remote management protocol (OVSDB)
● Monitoring capabilities

Slide 5: NAT Dependency: Connection Tracking
● We are adding the ability to use the conntrack module from Linux
  – Stateful tracking of flows
  – Supports ALGs to punch holes for related "data" channels
    ● FTP, TFTP, SIP
● Implement a distributed firewall with enforcement at the edge
  – Better performance
  – Better visibility
● Introduce new OpenFlow extensions:
  – Action to send to conntrack
  – Match fields on state of connection
● Have prototype working. Expect to ship as part of OVS in next release.

Slide 6: Netfilter Conntrack Integration
(diagram, steps 1–4: the conntrack() action hands the packet from the OVS Flow Table to the Netfilter Connection Tracker, which creates and updates CT Table entries and is also reachable through the Userspace Netlink API; the Connection State (conn_state=) comes back with the packet, which is then recirculated through the OVS Flow Table)
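The conntrack action and state matching that slides 5 and 6 describe, as an added example (not from the slides): an edge-firewall flow table for a single VM port. The slides name the prototype conntrack() action and conn_state= match; the flows below use ct() and ct_state, the names the feature shipped under in OVS 2.5. Bridge br0, OpenFlow port 1 (the VM), port 2 (the uplink) and the table numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: the edge-firewall flow table that slides
# 5 and 6 describe (send to conntrack, recirculate, match on connection state)
# for one VM port. The slides use the prototype names conntrack() and
# conn_state=; these flows use ct() and ct_state, the names OVS 2.5 shipped.
# Assumed: bridge br0, OpenFlow port 1 = VM, port 2 = uplink, tables 0 and 1.
set -eu
BRIDGE=br0

# ct_flows prints the table so it can be reviewed or diffed before loading.
# Table 0: anything not yet tracked is sent to conntrack and recirculated
# into table 1 with ct_state filled in.
# Table 1: the VM may open connections (committed, with the FTP ALG so the
# related data channel is allowed); the uplink only gets replies and related
# flows; invalid and unsolicited inbound packets are dropped.
ct_flows() {
    cat <<'EOF'
table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)
table=0,priority=10,arp,actions=normal
table=1,priority=100,ip,ct_state=+trk+new,in_port=1,actions=ct(commit,alg=ftp),output:2
table=1,priority=100,ip,ct_state=+trk+est,in_port=1,actions=output:2
table=1,priority=100,ip,ct_state=+trk+est,in_port=2,actions=output:1
table=1,priority=100,ip,ct_state=+trk+rel,in_port=2,actions=ct(commit),output:1
table=1,priority=50,ip,ct_state=+trk+new,in_port=2,actions=drop
table=1,priority=10,ip,ct_state=+trk+inv,actions=drop
EOF
}

# load_flows replaces the bridge's flow table with the one above.
load_flows() {
    ct_flows | ovs-ofctl replace-flows "$BRIDGE" -
}

if [ "${1:-}" = load ]; then load_flows; fi
```

Run it as `sh ct_firewall.sh load` on a host with the bridge present; without an argument it only defines the functions.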
Slide 7: Connection Tracking Zones
(diagram: the OVS Flow Table talks to the Netfilter Connection Tracker, which keeps a separate CT Table per zone, here Zone 1 and Zone 2)

Slide 8: NAT with Open vSwitch
The Now
● Route packets through separate NAT network namespace
● Utilize Netfilter chains to perform NAT
● Pro: Working now
● Con: Requires linear Netfilter chain traversal
The Future
● Native OpenFlow NAT action
● Pro: Fast, clean & available to orchestration tools
● Con: Tricky to get right

Slide 9: Possible Future 1: Native stateful NAT
(diagram, steps 1–4 as on slide 6: conntrack(), Create & Update CT entries, Recirculation, plus Netfilter NAT invoked through a nat() action)

Slide 10: Possible Future 2: Customizable NAT through eBPF
(diagram, same pipeline as slide 9, with a BPF program performing NAT invoked through a bpf() action)

Slide 11: What is available now: NAT with Netfilter
(diagram, steps 1–5: conntrack() with Create & Update CT entries, Final L2/L3 decision, output() to internal port, Namespace w/ -j SNAT / -j DNAT)
Routing:
  ip rule add iif nat-gw lookup 100
  ip route add 1.1.1.1/32 dev nat-gw
  ip route add default via 1.1.1.1 table 100
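One way to build the "available now" setup of slide 11, as an added example that is not the author's demo script: an OVS internal port left in the host, a second internal port moved into a NAT namespace, the slide's three routing commands, and iptables SNAT with conntrack-state filtering inside the namespace. Only nat-gw, 1.1.1.1, table 100 and the routing commands come from the slide; bridge br0, namespace natns, port nat-in, the addresses 1.1.1.2, 203.0.113.10 and 10.0.0.0/8, the MAC 02:00:00:00:00:01 and the namespace's uplink are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: the "NAT with Netfilter" path of slide 11.
# From the slide: internal port nat-gw, next hop 1.1.1.1, table 100 and the three
# routing commands. Assumed: bridge br0, namespace natns, its port nat-in, the
# addresses 1.1.1.2, 203.0.113.10 and 10.0.0.0/8, the MAC 02:00:00:00:00:01 and
# an uplink interface that already exists inside the namespace.
set -eu
BRIDGE=br0
NS=natns
HOST_IF=nat-gw              # OVS internal port that stays in the host (slide: iif nat-gw)
HOST_MAC=02:00:00:00:00:01  # fixed so the flow table can address the host stack
HOST_ADDR=1.1.1.2           # host side of the /24 shared with the namespace
NS_IF=nat-in                # OVS internal port moved into the NAT namespace
NS_ADDR=1.1.1.1             # namespace side, next hop of table 100 (slide)
TABLE=100
TENANT_NET=10.0.0.0/8
PUB_ADDR=203.0.113.10       # SNAT source address (TEST-NET-3)
# run: execute the command, or only print it when DRY_RUN=1 so the sequence
# can be reviewed (or tested) without CAP_NET_ADMIN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
setup_nat_ns() {
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$HOST_IF" -- set interface "$HOST_IF" type=internal
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$NS_IF" -- set interface "$NS_IF" type=internal
    run ip link set "$HOST_IF" address "$HOST_MAC"
    run ip addr add "$HOST_ADDR/24" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns add "$NS"
    run ip link set "$NS_IF" netns "$NS"
    run ip netns exec "$NS" ip addr add "$NS_ADDR/24" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    # Host routing as on the slide: what the flow table output()s to nat-gw
    # re-enters the host stack, hits table 100 and is handed to the namespace.
    run sysctl -qw net.ipv4.ip_forward=1
    run ip rule add iif "$HOST_IF" lookup "$TABLE"
    run ip route add "$NS_ADDR/32" dev "$HOST_IF"
    run ip route add default via "$NS_ADDR" table "$TABLE"
    # Netfilter in the namespace does the stateful work: SNAT out, only tracked
    # replies in; replies go to tenants straight across the bridge via nat-in.
    run ip netns exec "$NS" sysctl -qw net.ipv4.ip_forward=1
    run ip netns exec "$NS" ip route add "$TENANT_NET" dev "$NS_IF"
    run ip netns exec "$NS" iptables -t nat -A POSTROUTING -s "$TENANT_NET" -j SNAT --to-source "$PUB_ADDR"
    run ip netns exec "$NS" iptables -P FORWARD DROP
    run ip netns exec "$NS" iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip netns exec "$NS" iptables -A FORWARD -s "$TENANT_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Flow table: tenant IP traffic is addressed to the host stack and output() to the internal port.
    run ovs-ofctl add-flow "$BRIDGE" "priority=10,ip,nw_src=$TENANT_NET,actions=mod_dl_dst:$HOST_MAC,output:$HOST_IF"
}
if [ "${1:-}" = run ]; then setup_nat_ns; fi
```

`DRY_RUN=1 sh nat_ns.sh run` prints the full command sequence for review; without DRY_RUN it needs root on a host with OVS and iptables installed.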
Slide 12: Demo

Slide 13: Q&A
Contact:
● E-Mail: tgraf@suug.ch
● Twitter: @tgraf__