author | Filip Varga <fivarga@cisco.com> | 2020-02-25 14:31:33 +0100 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2020-03-13 11:17:13 +0000 |
commit | a73f2d6f53c224668bd6bbea1a980ee4313c794f (patch) | |
tree | c40965985639940beb294e8688aedbe30e47a548 /src/plugins/nat/nat.h | |
parent | c27b43673237c3971c1c170646b531728e0d8eb1 (diff) |
nat: timed out session scavenging upgrade
Patch changes the behavior of session scavenging and fixes multiple
nat issues. Allows proper session clearing and removes issue with lingering sessions
in session db. Patch also updates and fixes CLI/API calls for better readability
of session state metrics. Fixes a security issue that would allow an attacker to
reuse a timed-out session in both directions (in2out/out2in).
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
Diffstat (limited to 'src/plugins/nat/nat.h')
-rw-r--r-- | src/plugins/nat/nat.h | 31 |
1 files changed, 28 insertions, 3 deletions
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h index 9bcce9d43cc..647bec0cd07 100644 --- a/src/plugins/nat/nat.h +++ b/src/plugins/nat/nat.h @@ -349,6 +349,8 @@ typedef struct u32 sessions_per_user_list_head_index; u32 nsessions; u32 nstaticsessions; + /* discovered minimum session timeout time */ + u64 min_session_timeout; } snat_user_t; typedef struct @@ -519,6 +521,12 @@ typedef struct /* discovered minimum session timeout time */ u64 min_session_timeout; + + /* session scavenging */ + u32 cleared; + u32 cleanup_runs; + f64 cleanup_timeout; + } snat_main_per_thread_data_t; struct snat_main_s; @@ -676,10 +684,14 @@ typedef struct snat_main_s u32 inside_fib_index; /* values of various timeouts */ + + // min timeout of all proto timeouts + u32 min_timeout; + // proto timeouts u32 udp_timeout; - u32 icmp_timeout; u32 tcp_transitory_timeout; u32 tcp_established_timeout; + u32 icmp_timeout; /* TCP MSS clamping */ u16 mss_clamping; @@ -703,6 +715,7 @@ typedef struct snat_main_s ip4_main_t *ip4_main; ip_lookup_main_t *ip4_lookup_main; api_main_t *api_main; + } snat_main_t; typedef struct @@ -750,6 +763,7 @@ extern fib_source_t nat_fib_src_low; /* format functions */ format_function_t format_snat_user; +format_function_t format_snat_user_v2; format_function_t format_snat_static_mapping; format_function_t format_snat_static_map_to_resolve; format_function_t format_snat_session; @@ -1294,6 +1308,16 @@ void nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index, u8 is_ha); /** + * @brief Free NAT44 ED session data (lookup keys, external addrres port) + * + * @param s NAT session + * @param thread_index thread index + * @param is_ha is HA event + */ +void +nat44_free_session_data (snat_main_t * sm, snat_session_t * s, + u32 thread_index, u8 is_ha); +/** * @brief Find or create NAT user * * @param addr IPv4 address 
@@ -1302,8 +1326,9 @@ void nat_free_session_data (snat_main_t * sm, snat_session_t * s, * * @return NAT user data structure on success otherwise zero value */ -snat_user_t *nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, - u32 fib_index, u32 thread_index); +snat_user_t *nat_user_get_or_create (snat_main_t * sm, + ip4_address_t * addr, u32 fib_index, + u32 thread_index); /** * @brief Allocate new NAT session or recycle last used |
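Review bot: The `min_session_timeout` field added to `snat_user_t` in the -349 hunk carries the same one-line comment as the per-thread field of that name, and neither says whether the value is an absolute timestamp or a duration, nor in which unit, while the new `min_timeout` in `snat_main_t` (-676 hunk) is a u32 under a different name for what reads as a related quantity; suggest `/* earliest timeout among this user's sessions, in <UNIT-TO-FILL-IN> */` on the user field and, on `min_timeout`, a comment stating the invariant it must hold, e.g. `/* must equal the smallest of the proto timeouts below; recompute whenever any of them changes */`, since a stale minimum would presumably let the scavenger leave already-expired sessions in place, which is the very condition the commit message says it fixes. The move of `icmp_timeout` behind `tcp_established_timeout` in the same hunk is not explained by the commit message; if the order matters (for instance because the fields are walked positionally somewhere), a comment should say so, otherwise it is churn in a header. In the -1294 hunk the new Doxygen block for `nat44_free_session_data` lacks `@param sm` for its first parameter and has the typo `addrres` in `external addrres port`.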