summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/in2out.c
AgeCommit message (Collapse)AuthorFilesLines
2019-02-27NAT44: active-passive HA (VPP-1571)Matus Fabian1-10/+21
session synchronization so that we can build a plain active-passive HA NAT pair Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-18NAT: fix: multiple definition of nat64_cleaner_process_event_eNeale Ranns1-1/+1
Change-Id: Idcff6108f4f965344afce9ff614018239819dc95 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18NAT: VPP-1552 code migration from old multiarch schemeFilip Varga1-56/+31
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-01-21NAT: VPP-1537 IPFIX per worker processingFilip Varga1-4/+6
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681 Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-12-14NAT: counters (VPP-1484)Matus Fabian1-14/+54
Change-Id: I5d1852a09712adfe7547c200d161539736aca6f5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-29NAT: syslog - sessions logging (VPP-1139)Matus Fabian1-0/+11
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-14Remove c-11 memcpy checks from perf-critical codeDave Barach1-6/+5
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-19NAT44: fix ICMP virtual fragmentation reassembly (VPP-1466)Matus Fabian1-6/+42
Change-Id: I8006bca02948d9121f474a3d14f0576747bb3c51 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-08NAT44: do not create session record for identity mapping (VPP-1439)Matus Fabian1-6/+35
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-02Update code to compute checksum for buffer chainsJuraj Sloboda1-3/+5
Compute ICMP checksum for buffer chains Fix checksum function for buffer chains Change-Id: I39b845b94a63c3ab5fc9f6f9ab36cadbc67c104f Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-21NAT: Refactoring / Housekeeping (VPP-1415)Matus Fabian1-4969/+1110
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-20NAT44 virtual fragmentation reassembly for endpoint-dependent mode (VPP-1325)Juraj Sloboda1-101/+610
Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-13NAT: TCP MSS clampingMatus Fabian1-0/+11
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation. If the negotiated MSS value is greater than the configured value it is changed to the configured value. If the negotiated MSS value is smaller than the configured value it remains unchanged. Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-06NAT: fix maximum out of order fragments (VPP-1399)Matus Fabian1-1/+1
All fragments should be dropped when max_frag is 1 and 2 non-initial fragments are received before first fragment. Change-Id: Id0c968f45629698e347e8226c5926f27b48b82d6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03NAT44: client-IP based session affinity for load-balancing (VPP-1297)Matus Fabian1-10/+10
Enable client-IP based session affinity per LB NAT rule with specific timeout. Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27NAT44: fix nat44_ed_not_translate_output_feature for multiple VRF (VPP-1404)Matus Fabian1-9/+15
Change-Id: I44acc5aeff59dc25d18369e29618bbe39d30a1b3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27NAT44: add support for session timeout (VPP-1272)Matus Fabian1-33/+184
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired sessions. When inserting to session lookup hash and bucket is full, expired session is overwritten. Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-09NAT44: delete user with zero sessions (VPP-1282)Matus Fabian1-8/+11
Change-Id: I756e3ad3de9ffe1494221ef95c1943c8591f8f50 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-11avoid using thread local storage for thread indexDamjan Marion1-5/+5
It is cheaper to get thread index from vlib_main_t if available... Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-10NAT44: multiple outside FIB tables (VPP-1314)Matus Fabian1-31/+129
Change-Id: I56eb15f8fd2d3049845287dc3df7870582764f8b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-26NAT44: fix nat44_ed_not_translate_output_feature (VPP-1329)Matus Fabian1-0/+5
Change-Id: Iddb0b848c53da03116524e203c7112c82b401ac5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-16NAT44: fix coverityMatus Fabian1-1/+1
Change-Id: Ib1e4563dbc027571c77497e5c190201713adc72b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-15NAT44: endpoint dependent mode (VPP-1273)Matus Fabian1-649/+1634
To enable NAT plugin endpoint dependent mode add following to statrup config: nat { endpoint-dependent } Enable endpoint dependent filtering and mapping for all sessions. Move some existing functionality such as service load balancing, twice nat, out2in-only static mappings and unknown protocol dynamic translations, which use endpoint dependent lookup hash tables before. Basically split to vanilla NAT44 and extra features NAT44. Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-28NAT44: code cleanup and refactor (VPP-1285)Matus Fabian1-84/+83
Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-17NAT44: nat44_del_session and nat44_user_session_details API update (VPP-1271)Matus Fabian1-15/+11
Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-14NAT44: delete closed TCP session (VPP-1274)Matus Fabian1-14/+23
Change-Id: Id25b447bddccb7b321123e4abc4134e7261a0807 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-08NAT44: TCP connection close detection (VPP-1266)Matus Fabian1-1/+19
Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-03NAT44 segv on unknown proto on inside interfaceMatthew Smith1-22/+25
When a packet with an unknown proto arrives on an inside interface and there are no existing sessions for the source address, a segv occurs. snat_in2out_unknown_proto() finds the head of the sessions dlist, fetches the address of the next element using head->next, and then dereferences the next element. On the first packet received from a source address, head->next is ~0, so this results in a segv. Check that the session list is not empty before trying to traverse it. Also removed unnecessary lookup against tsm->user_hash. Prior call to nat_user_get_or_create() already performed that lookup and added a user if one didn't exist. Change-Id: If73e79aa2f8e3962ab7b876ecf55aea40d7a5472 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-04-19Add special Twice-NAT feature (VPP-1221)Juraj Sloboda1-0/+2
When enabled then Twice-NAT is applied only when source IP equals destination IP after DNAT Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-18NAT44: recycle old sessions for forwarding bypass (VPP-1240)Matus Fabian1-7/+22
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-11NAT44: fix setting of flag SNAT_SESSION_FLAG_LOAD_BALANCING (VPP-1235)Matus Fabian1-9/+11
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-24User session counters stay <= per-user limitMatthew Smith1-14/+7
When a user session is allocated/reused, only increase one of the session counters for that user if the counters are below the per-user limit. THis addresses a SEGV that arises after the following sequence of events: - an outside interface IP address is put in a pool - a user exceeds the number of per-user translations by an amount greater than the number of per-user translations (nsessions + nstaticsessions > 100 + 100) - the outside interface IP address is deleted and then added again (observed when using DHCP client, likely happens if address changed via CLI, API also) - the user sends more packets that should be translated When nsessions is > the per-user limit, nat_session_alloc_or_recycle() reclaims the oldest existing user session. When an outside address is deleted, the corresponding user sessions are deleted. If the counters were far above the per-user limit, the deletions wouldn't result in the counters dropping back below the limit. So no session could be reclaimed -> SEGV. Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-23NAT44: fix ICMP checksum update crash (VPP-1205)Matus Fabian1-0/+3
Change-Id: I3e4bbfe205c86cb0839dd5c542f083dbe6bea881 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-22NAT44: interface output feature and dst NAT (VPP-1200)Matus Fabian1-6/+27
Do not translate packet which go out via nat44-in2out-output and was tranlated in nat44-out2in before. On way back forward packet to nat44-in2out node. Change-Id: I934d69856f0178c86ff879bc691c9e074b8485c8 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-12NAT44: fix nat_not_translate_output_feature in dual loop (VPP-1194)Matus Fabian1-2/+2
Change-Id: Icb858414145db0e5fef495e155903b3b935e50ba Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-12NAT44: fix nat_not_translate_output_feature for ICMP (VPP-1191)Matus Fabian1-8/+7
Change-Id: I1552e1418b704fdf1f1fa2c0174313b9b82a37a3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-06when lb tcp in2out flow,ahdj0071-0/+1
in2out and out2in protocol are not same Change-Id: I4ce680ad1f088cb079e1f2aeb15ca59225fca0d1 Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
2018-03-02NAT44: interface output feature and service host direct access (VPP-1176)Matus Fabian1-2/+63
forwarding mode: session initiaded from service host - translate session initiaded from remote host - do not translate Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT44: in2out output feature skip translation for already translated packets ↵Matus Fabian1-14/+73
(VPP-1156) Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-26NAT44: fix ICMP error translation for endpoint dependent sessions (VPP-1150)Matus Fabian1-2/+75
Change-Id: I85c799f28c4246884107e569a36482af10d9be9d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-11NAT44: asymmetrical load balancing static mapping rule (VPP-1132)Matus Fabian1-3/+3
Add option to NAT44 load balancing static mapping API/CLI to make rule asymmetrical (rule match only in out2in direction). Change-Id: I325ecef5591e4bf44ce4469a24d44fe56c3bb2e9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-08NAT64: IPFix (VPP-1106)Matus Fabian1-9/+13
Change-Id: Ib90dc5613c9fdac0344b3bd7f163e2f7163c64d8 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-05Add support for 464XLAT NAT44 mode (VPP-1045)Juraj Sloboda1-0/+3
Change-Id: I24e7a26972bbbfcea100292b212b29ae7a349335 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-12-20Translate matching packets using NAT (VPP-1069)Juraj Sloboda1-0/+3
Add API function which enables forwarding of packets not matching existing translation or static mapping instead of dropping them. When forwarding is enabled matching packets will be translated while non-matching packets will be forwarded without translation. Change-Id: Ic13040cbad16d3a1ecdc3e02a497171bef6aa413 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-12-19NAT: Twice NAT44 (VPP-969)Matus Fabian1-373/+102
Translation of both source and destination addresses and ports for 1:1 NAT session initiated from outside network (ExternalIP K8 use case). Change-Id: Ic0000497cf71619aac996d6d580844f0ea0edc14 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-13NAT64: multi-thread support (VPP-891)Matus Fabian1-2/+2
Change-Id: Iebf859b6d86482e4465423bad598eecf87e53ec4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-30Fix variable mismatchJuraj Sloboda1-1/+1
Change-Id: Iae2f9f9652cecdf7e754700b2fe107ad61ff8ff9 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-11-07SNAT: IP fragmentation (VPP-890)Matus Fabian1-1/+416
Translation of fragmented packets. Change-Id: I9b1f2e9433ce273638080f32c2d3bff39c49899d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-07NAT: DS-Lite (VPP-1040)Matus Fabian1-6/+12
Dual-Stack Lite enables a broadband service provider to share IPv4 addresses among customers by combining two well-known technologies: IPv4-in-IPv6 and NAT. Change-Id: I039740f8548c623cd1ac89b8ecda1a6cc4aafb9c Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-25One armed NAT (VPP-1035)Matus Fabian1-2/+2
Use a single physical interface in order to accomplish NAT44/NAT64. Change-Id: I0c8138953a7a4075df306172e125abad771315e4 Signed-off-by: Matus Fabian <matfabia@cisco.com>