Stateful NAT with Open vSwitch
LinuxCon 2015, Seattle
Thomas Graf
Kernel & Open vSwitch Team
Noiro Networks (Cisco)
Agenda
● What is Open vSwitch
● Stateful NAT options for Open vSwitch
● Demo
● Q&A
Open vSwitch Connects
(Diagram: VM, host, NIC, container, tunnel and "cloudy stuff" all attached to Open vSwitch.)
Open vSwitch in a Nutshell
● Highly scalable multi-layer virtual switch for hypervisors
– Apache License (user space), GPL (kernel)
● Extensive flow table programming capabilities
– OpenFlow 1.0 – 1.5 (some partial)
– Vendor extensions
● Designed to manage overlay networks
– VXLAN (+ extensions), GRE, Geneve, LISP, STT, VLAN, ...
● Remote management protocol (OVSDB)
● Monitoring capabilities
NAT Dependency: Connection Tracking
● We are adding the ability to use the conntrack module from Linux
– Stateful tracking of flows
– Supports ALGs to punch holes for related “data” channels
● FTP, TFTP, SIP
● Implement a distributed firewall with enforcement at the edge
– Better performance
– Better visibility
● Introduce new OpenFlow extensions:
– Action to send to conntrack
– Match fields on state of connection
● Have prototype working. Expect to ship as part of OVS in next release.
Netfilter Conntrack Integration
(Diagram: the OVS flow table invokes conntrack(); the Netfilter connection tracker creates and updates entries in the CT table, which is also reachable through the userspace Netlink API; the packet is recirculated into the flow table carrying its connection state (conn_state=). Four numbered steps.)
Connection Tracking Zones
(Diagram: one OVS flow table using the Netfilter connection tracker with two separate CT tables, Zone 1 and Zone 2.)
NAT with Open vSwitch
The Now
● Route packets through a separate NAT network namespace
● Utilize Netfilter chains to perform NAT
● Pro: Working now
● Con: Requires linear Netfilter chain traversal
The Future
● Native OpenFlow NAT action
● Pro: Fast, clean & available to orchestration tools
● Con: Tricky to get right
Possible Future 1: Native stateful NAT
(Diagram: as in the conntrack integration, the flow table invokes conntrack(), CT entries are created and updated, and the packet is recirculated; a nat() action hands the packet to Netfilter NAT. Four numbered steps.)
Possible Future 2: Customizable NAT through eBPF
(Diagram: the same conntrack() and recirculation path; a bpf() action invokes a BPF program performing NAT. Four numbered steps.)
What is available now: NAT with Netfilter
(Diagram: the OVS flow table invokes conntrack(), which creates and updates CT entries in the Netfilter connection tracker; output() sends the packet to an internal port in a namespace with -j SNAT / -j DNAT; the packet comes back to the flow table for the final L2/L3 decision. Five numbered steps.)
Routing:
ip rule add iif nat-gw lookup 100
ip route add 1.1.1.1/32 dev nat-gw
ip route add default via 1.1.1.1 table 100
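As an added example (not code from the slides or from the OVS project), the script below wires up the namespace-based NAT path the slide describes, reusing the slide's three routing commands. Bridge name, OpenFlow port numbers, subnet, public address and the MAC of the 1.1.1.1 hairpin next hop are constructed; the flows use the ct()/ct_state syntax that shipped in OVS 2.5 rather than the prototype names conntrack()/conn_state= on the slides.

```shell
#!/bin/sh
# Added example, not from the slides: build the "NAT with Netfilter" path, a
# one-armed NAT namespace hanging off an OVS bridge through an internal port.
# Constructed values: bridge br0, inside ofport 1, internal port nat-gw on ofport 2,
# namespace "nat", inside subnet 10.0.0.0/24 and public address 203.0.113.10.
# 1.1.1.1 is the dummy hairpin next hop from the slide; its MAC is made up so
# the namespace can resolve it without ARP.
set -eu
BRIDGE=${BRIDGE:-br0}; NS=${NS:-nat}; PORT=${PORT:-nat-gw}
INSIDE_OFPORT=${INSIDE_OFPORT:-1}; NAT_OFPORT=${NAT_OFPORT:-2}
INSIDE_NET=${INSIDE_NET:-10.0.0.0/24}; SNAT_TO=${SNAT_TO:-203.0.113.10}
HAIRPIN=1.1.1.1; HAIRPIN_MAC=02:00:00:00:00:01

# run: execute the command, or only print it when DRY_RUN=1 (review without root/OVS)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
nsexec() { run ip netns exec "$NS" "$@"; }

setup_nat_namespace() {
    run ovs-vsctl --may-exist add-port "$BRIDGE" "$PORT" -- set interface "$PORT" type=internal
    run ip netns add "$NS"
    run ip link set "$PORT" netns "$NS"
    nsexec ip link set "$PORT" up
    nsexec ip neigh add "$HAIRPIN" lladdr "$HAIRPIN_MAC" dev "$PORT" nud permanent
    # Routing from the slide: anything entering on nat-gw is looked up in table 100,
    # whose default route sends it straight back out of nat-gw via the dummy next hop.
    nsexec ip rule add iif "$PORT" lookup 100
    nsexec ip route add "$HAIRPIN/32" dev "$PORT"
    nsexec ip route add default via "$HAIRPIN" table 100
    # The namespace forwards in and out of the same interface, so rp_filter must be off.
    nsexec sysctl -qw net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=0
    # Netfilter does the stateful NAT (the slide's -j SNAT; -j DNAT in PREROUTING works the same way).
    nsexec iptables -t nat -A POSTROUTING -o "$PORT" -s "$INSIDE_NET" -j SNAT --to-source "$SNAT_TO"
}

# Flows: send inside traffic to conntrack, commit new connections, hand tracked
# packets to the NAT port; what comes back from nat-gw gets the final L2/L3
# decision (NORMAL here; a deployment would rewrite the hairpin MAC first).
install_flows() {
    run ovs-ofctl add-flow "$BRIDGE" "table=0,priority=100,ip,in_port=$INSIDE_OFPORT,actions=ct(table=1)"
    run ovs-ofctl add-flow "$BRIDGE" "table=1,priority=100,ip,ct_state=+trk+new,actions=ct(commit),output:$NAT_OFPORT"
    run ovs-ofctl add-flow "$BRIDGE" "table=1,priority=100,ip,ct_state=+trk+est,actions=output:$NAT_OFPORT"
    run ovs-ofctl add-flow "$BRIDGE" "table=0,priority=100,in_port=$NAT_OFPORT,actions=NORMAL"
}

case "${1:-}" in apply) setup_nat_namespace; install_flows ;; esac
```

Run with `DRY_RUN=1 sh nat-ns.sh apply` to review the generated commands before applying them as root on a host with OVS installed.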
Demo
Q&A
Contact:
● E-Mail: tgraf@suug.ch
● Twitter: @tgraf__
