[MidoNet-dev] Should all packets traversing a connection-tracking rule be connection tracked?

Pino de Candia gdecandia at midokura.com
Fri Feb 1 11:28:14 UTC 2013


Hi Dave,

On Friday, February 1, 2013 at 2:38 AM, Dave Cahill wrote:

> I'm not sure if this is expected behavior or not, so sending to the dev list rather than GitHub. I can work around it by arranging my Rules and Chains differently, but wanted to check if it's expected.
> 
> Scenario (simplified)
> -------------------------------------------------
> Chain has one Rule, which consists of: {matchForwardFlow(true), srcIp=SOME_STATIC_IP}
> 
> A packet arrives to the chain with srcIP=SOME_EXTERNAL_IP and dstIP=ANOTHER_STATIC_IP
> 
> Observed behavior
> ---------------------------------
> Clearly, the rule will evaluate to false for this packet (srcIP doesn't match). 
> 
> However, evaluating the matchForwardFlow condition has the side effect of causing the connection to be tracked.
> 
> Expected behavior
> ------------------------------------
> When Midolman sees that srcIP doesn't match, I expected it to continue to the next Rule in the Chain without connection tracking the flow.
> 
> 
> 

Hi Dave,

After thinking about it and chatting with the team, I agree with you. I'm going to move this discussion to GH - I'd like to follow up by talking about what we can do for Caddo/Chamicuro (no API changes, consider it a bug) and Diyari (API changes).

thanks,
Pino 
> 
> Why is this an issue?
> --------------------------------------------
> Performance: We hit Cassandra when that may not be necessary for this flow
> Side-effects: For example, a flow could be set as a forward when it is actually a return flow, causing issues later
> 
> Logs
> --------------
> In the snippet below, Sim #35 is following a packet from 192.168.1.140 to 192.168.27.127.
> 
> 18:43:03.932 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] Coordinator - Sim #:35 Simulating packet with match InputPortNumber : 2;InputPortUUID : 04481527-3070-460b-893c-8099dae4dd39;EthernetSource : 02:45:61:f8:68:77;EthernetDestination : 02:9c:0c:c0:72:cc;EtherType : 2048;NetworkSource : 192.168.1.140;NetworkDestination : 192.168.27.127;NetworkProtocol : 6;NetworkTTL : 62;FragmentType : None;TransportSource : 51113;TransportDestination : 8000;, device 221aedcb-a7f9-4772-828b-0bae48d763a3 
> 
> Here we can see the packet traverse a rule intended for nwSrcIp=172.16.0.216 and go to Cassandra for connection tracking.
> 
> 18:43:03.943 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] Chain - Sim #:35 Process rule ForwardNatRule [condition=Condition [matchForwardFlow=true,outPortIds={49e90d35-5752-469b-9381-f074f1148a0c,},nwSrcIp=172.16.0.216,], action=ACCEPT, chainId=5b7cdfde-dff7-4ee8-a98f-5b71f026b1ef, position=1, dnat=false, floatingIp=true, floatingIpAddr=192.168.27.127, targets={NatTarget [nwStart=192.168.27.127, nwEnd=192.168.27.127, tpStart=0, tpEnd=0], }] 
> 18:43:03.978 DEBUG [] HThriftClient -  Transport open status true for client CassandraClient<127.0.0.1:9160-2>
> 18:43:03.978 DEBUG [] HThriftClient -  keyspace reseting from null to midolmanj
> 18:43:04.136 DEBUG [] HThriftClient -  Transport open status true for client CassandraClient<127.0.0.1:9160-2>
> 18:43:04.136 DEBUG [] ConcurrentHClientPool -  Status of releaseClient CassandraClient<127.0.0.1:9160-2> to queue: true                                         
> 18:43:04.137 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] PacketContext - PacketContext isForwardFlow conntrack lookup - key:192.168.1.140|51113|192.168.27.127|8000|6|d7c5e6a3-e2f4-426b-b728-b7ce6a0448e5,value:null
> 18:43:04.137 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] Chain - Sim #:35 Process rule ForwardNatRule [condition=Condition [outPortIds={49e90d35-5752-469b-9381-f074f1148a0c,},], action=ACCEPT, chainId=5b7cdfde-dff7-4ee8-a98f-5b71f026b1ef, position=2, dnat=false, floatingIp=false, targets={NatTarget [nwStart=192.168.27.141, nwEnd=192.168.27.141, tpStart=1, tpEnd=65535], }]
> 18:43:04.137 DEBUG [MidolmanActors-akka.actor.default-dispatcher-1] Chain - Sim #:35 Process rule ForwardNatRule [condition=Condition [nwSrcIp=192.0.2.19,], action=ACCEPT, chainId=5b7cdfde-dff7-4ee8-a98f-5b71f026b1ef, position=3, dnat=false, floatingIp=true, floatingIpAddr=172.16.0.1, targets={NatTarget [nwStart=172.16.0.1, nwEnd=172.16.0.1, tpStart=0, tpEnd=0], }]
> 

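The evaluation-order question raised in the thread, as an added example that is not part of the original message and not Midolman's own code: a small Python model of a Chain of Rules whose Condition can carry a stateless field (nwSrcIp) and the stateful matchForwardFlow check. It compares the observed behaviour (the conntrack lookup runs whenever the rule has matchForwardFlow, even if nwSrcIp already failed) against the expected behaviour (stateless fields first, conntrack only if they pass). The class names, the in-memory `ConntrackStore` standing in for Cassandra, the `device` argument and the rule "an unknown flow is treated as a new forward flow and remembered" are all modelling assumptions, not MidoNet's data model; the packet and rule addresses are taken from the log snippet in the thread.

```python
"""Constructed model of chain evaluation with a connection-tracking side effect.

Not Midolman code. Models two ways of evaluating a Condition that combines
stateless fields with matchForwardFlow, against an in-memory conntrack store.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int = 6  # TCP, as in the NetworkProtocol : 6 match in the log


class ConntrackStore:
    """Stand-in for the Cassandra-backed conntrack table (assumption: it counts
    lookups and remembers flows it has been asked about)."""

    def __init__(self) -> None:
        self.lookups = 0
        self.entries: dict = {}

    @staticmethod
    def _key(src_ip, src_port, dst_ip, dst_port, proto, device):
        return (src_ip, src_port, dst_ip, dst_port, proto, device)

    def is_forward_flow(self, pkt: Packet, device: str) -> bool:
        """Modelled lookup: if the reverse direction is known this is a return
        flow; otherwise the flow is treated as forward and recorded. Recording
        on lookup is the side effect the thread complains about."""
        self.lookups += 1
        reverse = self._key(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto, device)
        if reverse in self.entries:
            return False
        forward = self._key(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto, device)
        self.entries.setdefault(forward, "forward")
        return True


@dataclass
class Condition:
    nw_src_ip: Optional[str] = None          # stateless, cheap
    match_forward_flow: Optional[bool] = None  # stateful, hits the store


@dataclass
class Rule:
    condition: Condition
    action: str = "ACCEPT"


def matches_eager(rule: Rule, pkt: Packet, store: ConntrackStore, device: str) -> bool:
    """Observed behaviour: every field is evaluated, so the conntrack lookup
    happens even though nwSrcIp has already ruled the packet out."""
    c = rule.condition
    results = []
    if c.match_forward_flow is not None:
        results.append(store.is_forward_flow(pkt, device) == c.match_forward_flow)
    if c.nw_src_ip is not None:
        results.append(pkt.src_ip == c.nw_src_ip)
    return all(results)


def matches_lazy(rule: Rule, pkt: Packet, store: ConntrackStore, device: str) -> bool:
    """Expected behaviour: stateless fields short-circuit; the store is only
    consulted when they all match."""
    c = rule.condition
    if c.nw_src_ip is not None and pkt.src_ip != c.nw_src_ip:
        return False
    if c.match_forward_flow is not None:
        return store.is_forward_flow(pkt, device) == c.match_forward_flow
    return True


def process_chain(rules, pkt, store, device, matcher):
    """Return (position, action) of the first matching rule, or (None, 'CONTINUE')."""
    for pos, rule in enumerate(rules, start=1):
        if matcher(rule, pkt, store, device):
            return pos, rule.action
    return None, "CONTINUE"


def demo() -> dict:
    """Run the packet from the log through a chain shaped like the one in the log.
    Returns {mode: (matched_position, action, store_lookups, entries_written)}."""
    pkt = Packet("192.168.1.140", "192.168.27.127", 51113, 8000)
    chain = [
        Rule(Condition(nw_src_ip="172.16.0.216", match_forward_flow=True)),  # position=1
        Rule(Condition()),  # position=2; port-based conditions omitted in this model
    ]
    out = {}
    for name, matcher in (("eager", matches_eager), ("lazy", matches_lazy)):
        store = ConntrackStore()
        pos, action = process_chain(chain, pkt, store, "router-1", matcher)
        out[name] = (pos, action, store.lookups, len(store.entries))
    return out


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, "-> matched rule %s, %s, %d conntrack lookups, %d entries written" % result)
```

Both orders reach the same rule (position 2) with the same action; the difference is that the eager order costs one store round trip and leaves a conntrack entry behind for a flow that rule 1 never applied to, while the lazy order touches the store zero times.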