Diffstat (limited to 'src/plugins/nat')
-rw-r--r-- | src/plugins/nat/nat.h | 14 | ||||
-rw-r--r-- | src/plugins/nat/nat44_hairpinning.c | 113 | ||||
-rwxr-xr-x | src/plugins/nat/nat_ipfix_logging.c | 310 | ||||
-rw-r--r-- | src/plugins/nat/nat_ipfix_logging.h | 6 | ||||
-rw-r--r-- | src/plugins/nat/test/test_nat.py | 44 |
5 files changed, 3 insertions, 484 deletions
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h index 46f8b44dc11..be82ced4318 100644 --- a/src/plugins/nat/nat.h +++ b/src/plugins/nat/nat.h @@ -142,13 +142,6 @@ typedef struct }; } snat_user_key_t; -typedef struct -{ - u32 sw_if_index; - u32 next_index; - u8 cached; -} nat44_reass_trace_t; - /* NAT API Configuration flags */ #define foreach_nat_config_flag \ _(0x01, IS_TWICE_NAT) \ @@ -223,8 +216,6 @@ _(BAD_ICMP_TYPE, "unsupported ICMP type") \ _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \ _(MAX_USER_SESS_EXCEEDED, "max user sessions exceeded") \ _(DROP_FRAGMENT, "drop fragment") \ -_(MAX_REASS, "maximum reassemblies exceeded") \ -_(MAX_FRAG, "maximum fragments per reassembly exceeded")\ _(CANNOT_CREATE_USER, "cannot create NAT user") \ _(NON_SYN, "non-SYN packet try to create session") \ _(TCP_PACKETS, "TCP packets") \ @@ -253,8 +244,6 @@ _(NO_TRANSLATION, "no translation") \ _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \ _(MAX_USER_SESS_EXCEEDED, "max user sessions exceeded") \ _(DROP_FRAGMENT, "drop fragment") \ -_(MAX_REASS, "maximum reassemblies exceeded") \ -_(MAX_FRAG, "maximum fragments per reassembly exceeded")\ _(CANNOT_CREATE_USER, "cannot create NAT user") \ _(NON_SYN, "non-SYN packet try to create session") \ _(TCP_PACKETS, "TCP packets") \ @@ -1143,9 +1132,6 @@ void nat44_ed_hairpinning_unknown_proto (snat_main_t * sm, vlib_buffer_t * b, int snat_hairpinning (snat_main_t * sm, vlib_buffer_t * b0, ip4_header_t * ip0, udp_header_t * udp0, tcp_header_t * tcp0, u32 proto0, int is_ed); -void nat44_reass_hairpinning (snat_main_t * sm, vlib_buffer_t * b0, - ip4_header_t * ip0, u16 sport, u16 dport, - u32 proto0, int is_ed); /* Call back functions for clib_bihash_add_or_overwrite_stale */ int nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg); diff --git a/src/plugins/nat/nat44_hairpinning.c b/src/plugins/nat/nat44_hairpinning.c index 69a19b80645..c0b84127741 100644 --- a/src/plugins/nat/nat44_hairpinning.c 
+++ b/src/plugins/nat/nat44_hairpinning.c 
@@ -424,119 +424,6 @@ nat44_ed_hairpinning_unknown_proto (snat_main_t * sm, } #endif -#ifndef CLIB_MARCH_VARIANT -void -nat44_reass_hairpinning (snat_main_t * sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - u16 sport, u16 dport, u32 proto0, int is_ed) -{ - snat_session_key_t key0, sm0; - snat_session_t *s0; - clib_bihash_kv_8_8_t kv0, value0; - ip_csum_t sum0; - u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si; - u16 new_dst_port0, old_dst_port0; - udp_header_t *udp0; - tcp_header_t *tcp0; - int rv; - - key0.addr = ip0->dst_address; - key0.port = dport; - key0.protocol = proto0; - key0.fib_index = sm->outside_fib_index; - kv0.key = key0.as_u64; - - udp0 = ip4_next_header (ip0); - - /* Check if destination is static mappings */ - if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0)) - { - new_dst_addr0 = sm0.addr.as_u32; - new_dst_port0 = sm0.port; - vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index; - } - /* or active sessions */ - else - { - if (sm->num_workers > 1) - ti = - (clib_net_to_host_u16 (udp0->dst_port) - - 1024) / sm->port_per_thread; - else - ti = sm->num_workers; - - if (is_ed) - { - clib_bihash_kv_16_8_t ed_kv, ed_value; - make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address, - ip0->protocol, sm->outside_fib_index, udp0->dst_port, - udp0->src_port); - rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed, - &ed_kv, &ed_value); - si = ed_value.value; - } - else - { - rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, - &value0); - si = value0.value; - } - if (!rv) - { - s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); - new_dst_addr0 = s0->in2out.addr.as_u32; - new_dst_port0 = s0->in2out.port; - vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - } - } - - /* Destination is behind the same NAT, use internal address and port */ - if (new_dst_addr0) - { - old_dst_addr0 = ip0->dst_address.as_u32; - ip0->dst_address.as_u32 = new_dst_addr0; - sum0 = ip0->checksum; - sum0 = 
ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - ip0->checksum = ip_csum_fold (sum0); - - old_dst_port0 = dport; - if (PREDICT_TRUE (new_dst_port0 != old_dst_port0 && - ip4_is_first_fragment (ip0))) - { - if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) - { - tcp0 = ip4_next_header (ip0); - tcp0->dst = new_dst_port0; - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0, - ip4_header_t /* cheat */ , length); - tcp0->checksum = ip_csum_fold (sum0); - } - else - { - udp0->dst_port = new_dst_port0; - udp0->checksum = 0; - } - } - else - { - if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) - { - tcp0 = ip4_next_header (ip0); - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - tcp0->checksum = ip_csum_fold (sum0); - } - } - } -} -#endif - static inline uword nat44_hairpinning_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node, diff --git a/src/plugins/nat/nat_ipfix_logging.c b/src/plugins/nat/nat_ipfix_logging.c index c24c2372b54..55f516e640c 100755 --- a/src/plugins/nat/nat_ipfix_logging.c +++ b/src/plugins/nat/nat_ipfix_logging.c @@ -219,20 +219,6 @@ snat_template_rewrite (flow_report_main_t * frm, update_template_id(&silm->max_bibs_template_id, fr->template_id); } - else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY) - { - field_count = MAX_FRAGMENTS_FIELD_COUNT; - - update_template_id(&silm->max_frags_ip4_template_id, - fr->template_id); - } - else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6) - { - field_count = MAX_FRAGMENTS_FIELD_COUNT; - - update_template_id(&silm->max_frags_ip6_template_id, - fr->template_id); - } } /* allocate rewrite space */ 
@@ -377,36 +363,6 @@ snat_template_rewrite (flow_report_main_t * frm, f->e_id_length = ipfix_e_id_length (0, maxBIBEntries, 4); f++; } - else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY) - { - f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds, - 8); - f++; - f->e_id_length = ipfix_e_id_length (0, natEvent, 1); - f++; - f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4); - f++; - f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly, - 4); - f++; - f->e_id_length = ipfix_e_id_length (0, sourceIPv4Address, 4); - f++; - } - else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6) - { - f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds, - 8); - f++; - f->e_id_length = ipfix_e_id_length (0, natEvent, 1); - f++; - f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4); - f++; - f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly, - 4); - f++; - f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16); - f++; - } } /* Back to the template packet... */ 
@@ -499,34 +455,6 @@ nat_template_rewrite_max_bibs (flow_report_main_t * frm, } u8 * -nat_template_rewrite_max_frags_ip4 (flow_report_main_t * frm, - flow_report_t * fr, - ip4_address_t * collector_address, - ip4_address_t * src_address, - u16 collector_port, - ipfix_report_element_t *elts, - u32 n_elts, u32 *stream_index) -{ - return snat_template_rewrite (frm, fr, collector_address, src_address, - collector_port, QUOTA_EXCEEDED, - MAX_FRAGMENTS_PENDING_REASSEMBLY); -} - -u8 * -nat_template_rewrite_max_frags_ip6 (flow_report_main_t * frm, - flow_report_t * fr, - ip4_address_t * collector_address, - ip4_address_t * src_address, - u16 collector_port, - ipfix_report_element_t *elts, - u32 n_elts, u32 *stream_index) -{ - return snat_template_rewrite (frm, fr, collector_address, src_address, - collector_port, QUOTA_EXCEEDED, - MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6); -} - -u8 * nat_template_rewrite_nat64_bib (flow_report_main_t * frm, flow_report_t * fr, ip4_address_t * collector_address, 
@@ -1100,190 +1028,6 @@ nat_ipfix_logging_max_bib (u32 thread_index, u32 limit, int do_flush) } static void -nat_ipfix_logging_max_frag_ip4 (u32 thread_index, - u32 limit, u32 src, int do_flush) -{ - snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main; - snat_ipfix_per_thread_data_t *sitd = &silm->per_thread_data[thread_index]; - flow_report_main_t *frm = &flow_report_main; - vlib_frame_t *f; - vlib_buffer_t *b0 = 0; - u32 bi0 = ~0; - u32 offset; - vlib_main_t *vm = frm->vlib_main; - u64 now; - u8 nat_event = QUOTA_EXCEEDED; - u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY; - u16 template_id; - - now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3); - now += silm->milisecond_time_0; - - b0 = sitd->max_frags_ip4_buffer; - - if (PREDICT_FALSE (b0 == 0)) - { - if (do_flush) - return; - - if (vlib_buffer_alloc (vm, &bi0, 1) != 1) - { - nat_elog_err ("can't allocate buffer for NAT IPFIX event"); - return; - } - - b0 = sitd->max_frags_ip4_buffer = vlib_get_buffer (vm, bi0); - VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0); - offset = 0; - } - else - { - bi0 = vlib_get_buffer_index (vm, b0); - offset = sitd->max_frags_ip4_next_record_offset; - } - - f = sitd->max_frags_ip4_frame; - if (PREDICT_FALSE (f == 0)) - { - u32 *to_next; - f = vlib_get_frame_to_node (vm, ip4_lookup_node.index); - sitd->max_frags_ip4_frame = f; - to_next = vlib_frame_vector_args (f); - to_next[0] = bi0; - f->n_vectors = 1; - } - - if (PREDICT_FALSE (offset == 0)) - snat_ipfix_header_create (frm, b0, &offset); - - if (PREDICT_TRUE (do_flush == 0)) - { - u64 time_stamp = clib_host_to_net_u64 (now); - clib_memcpy_fast (b0->data + offset, &time_stamp, sizeof (time_stamp)); - offset += sizeof (time_stamp); - - clib_memcpy_fast (b0->data + offset, &nat_event, sizeof (nat_event)); - offset += sizeof (nat_event); - - clib_memcpy_fast (b0->data + offset, "a_event, sizeof (quota_event)); - offset += sizeof (quota_event); - - clib_memcpy_fast (b0->data + offset, &limit, sizeof (limit)); - offset += 
sizeof (limit); - - clib_memcpy_fast (b0->data + offset, &src, sizeof (src)); - offset += sizeof (src); - - b0->current_length += MAX_FRAGMENTS_IP4_LEN; - } - - if (PREDICT_FALSE - (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu)) - { - template_id = clib_atomic_fetch_or ( - &silm->max_frags_ip4_template_id, - 0); - snat_ipfix_send (frm, f, b0, template_id); - sitd->max_frags_ip4_frame = 0; - sitd->max_frags_ip4_buffer = 0; - offset = 0; - } - sitd->max_frags_ip4_next_record_offset = offset; -} - -static void -nat_ipfix_logging_max_frag_ip6 (u32 thread_index, - u32 limit, ip6_address_t * src, int do_flush) -{ - snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main; - snat_ipfix_per_thread_data_t *sitd = &silm->per_thread_data[thread_index]; - flow_report_main_t *frm = &flow_report_main; - vlib_frame_t *f; - vlib_buffer_t *b0 = 0; - u32 bi0 = ~0; - u32 offset; - vlib_main_t *vm = frm->vlib_main; - u64 now; - u8 nat_event = QUOTA_EXCEEDED; - u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY; - u16 template_id; - - now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3); - now += silm->milisecond_time_0; - - b0 = sitd->max_frags_ip6_buffer; - - if (PREDICT_FALSE (b0 == 0)) - { - if (do_flush) - return; - - if (vlib_buffer_alloc (vm, &bi0, 1) != 1) - { - nat_elog_err ("can't allocate buffer for NAT IPFIX event"); - return; - } - - b0 = sitd->max_frags_ip6_buffer = vlib_get_buffer (vm, bi0); - VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0); - offset = 0; - } - else - { - bi0 = vlib_get_buffer_index (vm, b0); - offset = sitd->max_frags_ip6_next_record_offset; - } - - f = sitd->max_frags_ip6_frame; - if (PREDICT_FALSE (f == 0)) - { - u32 *to_next; - f = vlib_get_frame_to_node (vm, ip4_lookup_node.index); - sitd->max_frags_ip6_frame = f; - to_next = vlib_frame_vector_args (f); - to_next[0] = bi0; - f->n_vectors = 1; - } - - if (PREDICT_FALSE (offset == 0)) - snat_ipfix_header_create (frm, b0, &offset); - - if (PREDICT_TRUE (do_flush == 0)) - { - u64 time_stamp = 
clib_host_to_net_u64 (now); - clib_memcpy_fast (b0->data + offset, &time_stamp, sizeof (time_stamp)); - offset += sizeof (time_stamp); - - clib_memcpy_fast (b0->data + offset, &nat_event, sizeof (nat_event)); - offset += sizeof (nat_event); - - clib_memcpy_fast (b0->data + offset, "a_event, sizeof (quota_event)); - offset += sizeof (quota_event); - - clib_memcpy_fast (b0->data + offset, &limit, sizeof (limit)); - offset += sizeof (limit); - - clib_memcpy_fast (b0->data + offset, src, sizeof (ip6_address_t)); - offset += sizeof (ip6_address_t); - - b0->current_length += MAX_FRAGMENTS_IP6_LEN; - } - - if (PREDICT_FALSE - (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu)) - { - template_id = clib_atomic_fetch_or ( - &silm->max_frags_ip6_template_id, - 0); - snat_ipfix_send (frm, f, b0, template_id); - sitd->max_frags_ip6_frame = 0; - sitd->max_frags_ip6_buffer = 0; - offset = 0; - } - sitd->max_frags_ip6_next_record_offset = offset; -} - -static void nat_ipfix_logging_nat64_bibe (u32 thread_index, u8 nat_event, ip6_address_t * src_ip, u32 nat_src_ip, u8 proto, u16 src_port, u16 nat_src_port, @@ -1510,8 +1254,6 @@ snat_ipfix_flush (u32 thread_index) snat_ipfix_logging_max_entries_per_usr (thread_index, 0, 0, do_flush); nat_ipfix_logging_max_ses (thread_index, 0, do_flush); nat_ipfix_logging_max_bib (thread_index, 0, do_flush); - nat_ipfix_logging_max_frag_ip4 (thread_index, 0, 0, do_flush); - nat_ipfix_logging_max_frag_ip6 (thread_index, 0, 0, do_flush); nat_ipfix_logging_nat64_bibe (thread_index, 0, 0, 0, 0, 0, 0, 0, do_flush); nat_ipfix_logging_nat64_ses (thread_index, 
@@ -1677,40 +1419,6 @@ nat_ipfix_logging_max_bibs (u32 thread_index, u32 limit) } /** - * @brief Generate maximum IPv4 fragments pending reassembly exceeded event - * - * @param thread_index thread index - * @param limit configured limit - * @param src source IPv4 address - */ -void -nat_ipfix_logging_max_fragments_ip4 (u32 thread_index, - u32 limit, ip4_address_t * src) -{ - //TODO: This event SHOULD be rate limited - skip_if_disabled (); - - nat_ipfix_logging_max_frag_ip4 (thread_index, limit, src->as_u32, 0); -} - -/** - * @brief Generate maximum IPv6 fragments pending reassembly exceeded event - * - * @param thread_index thread index - * @param limit configured limit - * @param src source IPv6 address - */ -void -nat_ipfix_logging_max_fragments_ip6 (u32 thread_index, - u32 limit, ip6_address_t * src) -{ - //TODO: This event SHOULD be rate limited - skip_if_disabled (); - - nat_ipfix_logging_max_frag_ip6 (thread_index, limit, src, 0); -} - -/** * @brief Generate NAT64 BIB create and delete events * * @param thread_index thread index @@ -1868,24 +1576,6 @@ snat_ipfix_logging_enable_disable (int enable, u32 domain_id, u16 src_port) return -1; } - a.rewrite_callback = nat_template_rewrite_max_frags_ip4; - - rv = vnet_flow_report_add_del (frm, &a, NULL); - if (rv) - { - nat_elog_warn_X1 ("vnet_flow_report_add_del returned %d", "i4", rv); - return -1; - } - - a.rewrite_callback = nat_template_rewrite_max_frags_ip6; - - rv = vnet_flow_report_add_del (frm, &a, NULL); - if (rv) - { - nat_elog_warn_X1 ("vnet_flow_report_add_del returned %d", "i4", rv); - return -1; - } - a.rewrite_callback = nat_template_rewrite_nat64_bib; rv = vnet_flow_report_add_del (frm, &a, NULL); diff --git a/src/plugins/nat/nat_ipfix_logging.h b/src/plugins/nat/nat_ipfix_logging.h index a5cdb1a3c1a..7b5049e0545 100644 --- a/src/plugins/nat/nat_ipfix_logging.h +++ b/src/plugins/nat/nat_ipfix_logging.h 
@@ -35,8 +35,6 @@ typedef enum { MAX_SESSION_ENTRIES = 1, MAX_BIB_ENTRIES = 2, MAX_ENTRIES_PER_USER = 3, - MAX_FRAGMENTS_PENDING_REASSEMBLY = 5, - MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6, } quota_exceed_event_t; typedef struct { @@ -128,10 +126,6 @@ void snat_ipfix_logging_max_entries_per_user(u32 thread_index, u32 limit, u32 src_ip); void nat_ipfix_logging_max_sessions(u32 thread_index, u32 limit); void nat_ipfix_logging_max_bibs(u32 thread_index, u32 limit); -void nat_ipfix_logging_max_fragments_ip4(u32 thread_index, - u32 limit, ip4_address_t * src); -void nat_ipfix_logging_max_fragments_ip6(u32 thread_index, - u32 limit, ip6_address_t * src); void nat_ipfix_logging_nat64_session(u32 thread_index, ip6_address_t * src_ip, ip4_address_t * nat_src_ip, u8 proto, diff --git a/src/plugins/nat/test/test_nat.py b/src/plugins/nat/test/test_nat.py index e267c4ef2bc..07c0e0c23bc 100644 --- a/src/plugins/nat/test/test_nat.py +++ b/src/plugins/nat/test/test_nat.py 
@@ -929,44 +929,6 @@ class MethodHolder(VppTestCase): # maxBIBEntries self.assertEqual(struct.pack("I", limit), record[472]) - def verify_ipfix_max_fragments_ip6(self, data, limit, src_addr): - """ - Verify IPFIX maximum IPv6 fragments pending reassembly exceeded event - - :param data: Decoded IPFIX data records - :param limit: Number of maximum fragments pending reassembly - :param src_addr: IPv6 source address - """ - self.assertEqual(1, len(data)) - record = data[0] - # natEvent - self.assertEqual(scapy.compat.orb(record[230]), 13) - # natQuotaExceededEvent - self.assertEqual(struct.pack("I", 5), record[466]) - # maxFragmentsPendingReassembly - self.assertEqual(struct.pack("I", limit), record[475]) - # sourceIPv6Address - self.assertEqual(src_addr, record[27]) - - def verify_ipfix_max_fragments_ip4(self, data, limit, src_addr): - """ - Verify IPFIX maximum IPv4 fragments pending reassembly exceeded event - - :param data: Decoded IPFIX data records - :param limit: Number of maximum fragments pending reassembly - :param src_addr: IPv4 source address - """ - self.assertEqual(1, len(data)) - record = data[0] - # natEvent - self.assertEqual(scapy.compat.orb(record[230]), 13) - # natQuotaExceededEvent - self.assertEqual(struct.pack("I", 5), record[466]) - # maxFragmentsPendingReassembly - self.assertEqual(struct.pack("I", limit), record[475]) - # sourceIPv4Address - self.assertEqual(src_addr, record[8]) - def verify_ipfix_bib(self, data, is_create, src_addr): """ Verify IPFIX NAT64 BIB create and delete events @@ -2703,7 +2665,7 @@ class TestNAT44(MethodHolder): self.verify_capture_out(capture) self.nat44_add_address(self.nat_addr, is_add=0) self.vapi.ipfix_flush() - capture = self.pg3.get_capture(9) + capture = self.pg3.get_capture(7) ipfix = IPFIXDecoder() # first load template for p in capture: 
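Review bot: The expected packet count in `capture = self.pg3.get_capture(7)` is an unexplained literal that encodes how many IPFIX template and data packets the plugin emits per flush, so the next template added or removed will break the assertion with no hint as to why; the same applies to the hunks at 2748 (7) and 8907 (8). The drop from 9 to 7 here appears to match the two max_frags templates whose `vnet_flow_report_add_del` registrations this commit removes from `snat_ipfix_logging_enable_disable` — worth confirming against the remaining registrations. A short comment on each changed line, e.g. `# one packet per registered IPFIX template plus the data records; adjust when templates change`, or a single named constant shared by the three tests, would make that dependency explicit. The enclosing test methods begin outside the hunk.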
@@ -2748,7 +2710,7 @@ class TestNAT44(MethodHolder): self.pg1.assert_nothing_captured() sleep(1) self.vapi.ipfix_flush() - capture = self.pg3.get_capture(9) + capture = self.pg3.get_capture(7) ipfix = IPFIXDecoder() # first load template for p in capture: @@ -8907,7 +8869,7 @@ class TestNAT64(MethodHolder): p = self.pg1.get_capture(1) self.tcp_port_out = p[0][TCP].sport self.vapi.ipfix_flush() - capture = self.pg3.get_capture(10) + capture = self.pg3.get_capture(8) ipfix = IPFIXDecoder() # first load template for p in capture: |