[MidoNet-dev] Should all packets traversing a connection-tracking rule be connection tracked?

Dave Cahill dcahill at midokura.com
Fri Feb 1 01:38:44 UTC 2013


I'm not sure if this is expected behavior or not, so sending to the dev
list rather than GitHub. I can work around it by arranging my Rules and
Chains differently, but wanted to check if it's expected.

Scenario (simplified)
-------------------------------------------------
Chain has one Rule, which consists of: {matchForwardFlow(true),
srcIp=SOME_STATIC_IP}

A packet arrives at the chain with srcIP=SOME_EXTERNAL_IP and
dstIP=ANOTHER_STATIC_IP

Observed behavior
---------------------------------
Clearly, the rule will evaluate to false for this packet (srcIP doesn't
match).

However, evaluating the matchForwardFlow condition has the side effect of
causing the connection to be tracked.

Expected behavior
------------------------------------
When Midolman sees that srcIP doesn't match, I expected it to continue to
the next Rule in the Chain without connection tracking the flow.

Why is this an issue?
--------------------------------------------
Performance: We hit Cassandra when that may not be necessary for this flow
Side-effects: For example, a flow could be set as a forward when it is
actually a return flow, causing issues later

Logs
--------------
In the snippet below, Sim #35 is following a packet from 192.168.1.140 to
192.168.27.127.

18:43:03.932 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1]
Coordinator - Sim #:35 Simulating packet with match InputPortNumber :
2;InputPortUUID : 04481527-3070-460b-893c-8099dae4dd39;EthernetSource :
02:45:61:f8:68:77;EthernetDestination : 02:9c:0c:c0:72:cc;EtherType :
2048;NetworkSource : 192.168.1.140;NetworkDestination :
192.168.27.127;NetworkProtocol : 6;NetworkTTL : 62;FragmentType :
None;TransportSource : 51113;TransportDestination : 8000;, device
221aedcb-a7f9-4772-828b-0bae48d763a3

Here we can see the packet traverse a rule intended for
nwSrcIp=172.16.0.216 and go to Cassandra for connection tracking.

18:43:03.943 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] Chain -
Sim #:35 Process rule ForwardNatRule [condition=Condition
[matchForwardFlow=true,outPortIds={49e90d35-5752-469b-9381-f074f1148a0c,},nwSrcIp=172.16.0.216,],
action=ACCEPT, chainId=5b7cdfde-dff7-4ee8-a98f-5b71f026b1ef, position=1,
dnat=false, floatingIp=true, floatingIpAddr=192.168.27.127,
targets={NatTarget [nwStart=192.168.27.127, nwEnd=192.168.27.127,
tpStart=0, tpEnd=0], }]
18:43:03.978 DEBUG [] HThriftClient -  Transport open status true for
client CassandraClient<127.0.0.1:9160-2>
18:43:03.978 DEBUG [] HThriftClient -  keyspace reseting from null to
midolmanj
18:43:04.136 DEBUG [] HThriftClient -  Transport open status true for
client CassandraClient<127.0.0.1:9160-2>
18:43:04.136 DEBUG [] ConcurrentHClientPool -  Status of releaseClient
CassandraClient<127.0.0.1:9160-2> to queue: true

18:43:04.137 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1]
PacketContext - PacketContext isForwardFlow conntrack lookup -
key:192.168.1.140|51113|192.168.27.127|8000|6|d7c5e6a3-e2f4-426b-b728-b7ce6a0448e5,value:null
18:43:04.137 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] Chain -
Sim #:35 Process rule ForwardNatRule [condition=Condition
[outPortIds={49e90d35-5752-469b-9381-f074f1148a0c,},], action=ACCEPT,
chainId=5b7cdfde-dff7-4ee8-a98f-5b71f026b1ef, position=2, dnat=false,
floatingIp=false, targets={NatTarget [nwStart=192.168.27.141,
nwEnd=192.168.27.141, tpStart=1, tpEnd=65535], }]
18:43:04.137 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] Chain -
Sim #:35 Process rule ForwardNatRule [condition=Condition
[nwSrcIp=192.0.2.19,], action=ACCEPT,
chainId=5b7cdfde-dff7-4ee8-a98f-5b71f026b1ef, position=3, dnat=false,
floatingIp=true, floatingIpAddr=172.16.0.1, targets={NatTarget
[nwStart=172.16.0.1, nwEnd=172.16.0.1, tpStart=0, tpEnd=0], }]
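The two evaluation orders described above (consult the connection table whenever a rule carries matchForwardFlow, versus check the stateless fields first and only consult the table when they already match) can be modelled in a few lines. This is an added, constructed example and not Midolman code: the Packet, Rule, ConntrackStore and matcher functions are stand-ins, the chain and packet are reconstructed from the log excerpt (outPortIds and NAT targets are left out), and the rule in direction_demo is hypothetical. It shows that both orders reach the same rule for the packet in the log, that only the eager order performs a store lookup, and how an entry written by a rule that did not match can later flip the forward/return classification of a connection that was initiated on a path not passing through this chain.

```python
"""Toy model of chain/rule evaluation with a connection-tracking side effect.

Constructed example, not Midolman code: it contrasts an evaluator that
consults the connection table whenever a rule carries matchForwardFlow
("eager") with one that checks the stateless fields first and only consults
the table when they already match ("lazy").
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


@dataclass
class ConntrackStore:
    """Stand-in for the Cassandra-backed connection table."""
    entries: Dict[tuple, str] = field(default_factory=dict)
    lookups: int = 0

    def is_forward_flow(self, pkt: Packet) -> bool:
        self.lookups += 1  # each call stands for one round trip to the store
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.entries:
            return False  # the other direction is known: this is the return flow
        self.entries.setdefault(key, "forward")  # first sighting: record as forward
        return True


@dataclass(frozen=True)
class Rule:
    position: int
    nw_src_ip: Optional[str] = None   # None means "any source"
    match_forward_flow: bool = False  # outPortIds and NAT targets are omitted


Matcher = Callable[[Rule, Packet, ConntrackStore], bool]


def matches_eager(rule: Rule, pkt: Packet, ct: ConntrackStore) -> bool:
    """Evaluate the conntrack predicate whenever the rule carries it."""
    forward_ok = ct.is_forward_flow(pkt) if rule.match_forward_flow else True
    src_ok = rule.nw_src_ip is None or pkt.src_ip == rule.nw_src_ip
    return forward_ok and src_ok


def matches_lazy(rule: Rule, pkt: Packet, ct: ConntrackStore) -> bool:
    """Check stateless fields first; touch the store only if they matched."""
    if rule.nw_src_ip is not None and pkt.src_ip != rule.nw_src_ip:
        return False
    return ct.is_forward_flow(pkt) if rule.match_forward_flow else True


def run_chain(chain: List[Rule], pkt: Packet, matcher: Matcher,
              ct: ConntrackStore) -> Optional[int]:
    """Return the position of the first matching rule (None if none match)."""
    for rule in chain:
        if matcher(rule, pkt, ct):
            return rule.position
    return None


# Chain and packet reconstructed from the log excerpt (constructed sample input).
CHAIN = [
    Rule(position=1, nw_src_ip="172.16.0.216", match_forward_flow=True),
    Rule(position=2),  # only outPortIds in the log; modelled as "match all"
    Rule(position=3, nw_src_ip="192.0.2.19"),
]
FORWARD_PKT = Packet("192.168.1.140", 51113, "192.168.27.127", 8000, 6)
RETURN_PKT = Packet("192.168.27.127", 8000, "192.168.1.140", 51113, 6)


def simulate(matcher: Matcher) -> Tuple[Optional[int], int, int]:
    """(matched rule position, store lookups, conntrack entries written)."""
    ct = ConntrackStore()
    pos = run_chain(CHAIN, FORWARD_PKT, matcher, ct)
    return pos, ct.lookups, len(ct.entries)


def direction_demo(matcher: Matcher) -> bool:
    """The reply direction of a connection initiated elsewhere is the first
    packet this chain sees, under a rule whose source filter it fails; then
    the real forward packet arrives at a hypothetical rule (not from the log)
    that should match only forward flows. True iff that rule still matches."""
    ct = ConntrackStore()
    filter_rule = Rule(position=1, nw_src_ip="172.16.0.216", match_forward_flow=True)
    run_chain([filter_rule], RETURN_PKT, matcher, ct)
    fwd_rule = Rule(position=1, nw_src_ip="192.168.1.140", match_forward_flow=True)
    return run_chain([fwd_rule], FORWARD_PKT, matcher, ct) == 1


if __name__ == "__main__":
    for name, m in (("eager", matches_eager), ("lazy", matches_lazy)):
        print(name, simulate(m), "forward still forward:", direction_demo(m))
```

Both evaluators pick rule 2 for the logged packet, but the eager one performs a lookup and writes an entry while evaluating rule 1, which the packet cannot match on nwSrcIp. In direction_demo the stray entry written for the reply-direction packet makes the later, genuine forward packet look like a return flow, so a rule that should match it no longer does; with the lazy order the store is never touched by a rule whose stateless fields fail.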