actions: Use random port selection for SNAT with external_port_range.

This is to avoid unexpected behavior changes due to the underlying datapath (e.g., kernel) changing defaults. If we don't explicitly request a port selection algorithm, OVS leaves it up to the datapath to decide how to do the port selection. Currently that means that source port allocation is not random if the original source port fits in the requested range. Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2024-January/410847.html Reported-at: https://issues.redhat.com/browse/FDP-301 Fixes: 60bdc8e ("NAT: Provide port range in input") Signed-off-by: Dumitru Ceara <[email protected]>
dceara · Jan 22, 2024 · 71c1e2f · 71c1e2f
1 parent e3b798b
commit 71c1e2f
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/lib/actions.c b/lib/actions.c
@@ -1133,6 +1133,16 @@ encode_ct_nat(const struct ovnact_ct_nat *cn,
     if (cn->port_range.exists) {
        nat->range.proto.min = cn->port_range.port_lo;
        nat->range.proto.max = cn->port_range.port_hi;
+
+       /* Explicitly set the port selection algorithm to "random".  Otherwise
+        * it's up to the datapath to choose how to select the port and that
+        * might create unexpected behavior changes when the datapath defaults
+        * change.
+        *
+        * NOTE: for the userspace datapath the "random" function doesn't
+        * really generate random ports, it uses "hash" under the hood:
+        * https://issues.redhat.com/browse/FDP-269. */
+       nat->flags |= NX_NAT_F_PROTO_RANDOM;
     }
 
     ofpacts->header = ofpbuf_push_uninit(ofpacts, nat_offset);