path: root/src/plugins/nat/in2out.c
Age | Commit message | Author | Files | Lines
2020-03-13 | nat: timed out session scavenging upgrade | Filip Varga | 1 file | -3/+0
  Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes an issue with lingering sessions in the session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes a security issue that would allow an attacker to reuse a timed out session in both directions (in2out/out2in).
  Type: improvement
  Signed-off-by: Filip Varga <fivarga@cisco.com>
  Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-01-21 | nat: fix dhcp client on outside interface with output feature | Alexander Chernavin | 1 file | -9/+9
  There was an attempt to fix this problem in the commit: d3b8c861a44e70c197ab721fa3ce7f38bbeab7fd
  But checking the LOCALLY_ORIGINATED flag didn't work because this flag gets reset before it can reach the NAT nodes.
  With this commit, replace the check for the LOCALLY_ORIGINATED flag with a check to see if the packet is a DHCP broadcast.
  Type: fix
  Change-Id: I069c08a785b5988b10192f528e4f9c4c7cc2f8a3
  Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-01-17 | nat: refactor of port/address allocation functions | Filip Varga | 1 file | -2/+2
  Change-Id: Ie2a3c0f44322dd8415603b7ce51bb72d72769c95
  Ticket: VPP-1815
  Type: refactor
  Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-01-03 | nat: use SVR | Klement Sekera | 1 file | -501/+202
  Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes.
  Type: refactor
  Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6
  Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-12 | nat: session cleanup fix | Filip Varga | 1 file | -0/+4
  Ticket: VPP-1795
  Type: fix
  Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd
  Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-27 | nat: fix dhcp client on outside interface with output feature | Alexander Chernavin | 1 file | -0/+37
  When a DHCP client is configured on a NAT outside interface with output feature enabled, DHCP packets will reach the NAT in2out-output node and will be dropped with "out of ports" reason. With this commit, allow locally originated DHCP packets to be sent from a NAT outside interface with output feature enabled.
  Type: fix
  Change-Id: I47d76b22587f2bf0c7b0b9dfda41c89f8f61d0b4
  Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2019-11-05 | nat: NAT udp counter & unit test fixes | Filip Varga | 1 file | -1/+1
  Ticket: VPP-1798
  Type: fix
  Change-Id: I42f02d5824575720e95b9fc99cfa864252221a82
  Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-05 | nat: respect udp checksum | Filip Varga | 1 file | -36/+74
  Type: fix
  Change-Id: I732be02d2e2b854eb589c3fa10f980ef2dbe8dfc
  Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-04 | nat: revert respect udp checksum | Ole Troan | 1 file | -74/+36
  This reverts commit 0d75f783644a24b219ed79d9f9c17387783f67ca.
  Type: fix
  Signed-off-by: Ole Troan <ot@cisco.com>
  Change-Id: Iaf33301201897e6646eba2b4157e2a45f5fd30f2
2019-10-28 | nat: respect udp checksum | Filip Varga | 1 file | -36/+74
  Type: fix
  Change-Id: I73895fa0101bd50483160c8dc6faac2c67513077
  Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-07-31 | nat: elog rewrite for multi-worker support | Filip Varga | 1 file | -8/+8
  Type: fix
  Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560
  Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2019-02-27 | NAT44: active-passive HA (VPP-1571) | Matus Fabian | 1 file | -10/+21
  session synchronization so that we can build a plain active-passive HA NAT pair
  Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-18 | NAT: fix: multiple definition of nat64_cleaner_process_event_e | Neale Ranns | 1 file | -1/+1
  Change-Id: Idcff6108f4f965344afce9ff614018239819dc95
  Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18 | NAT: VPP-1552 code migration from old multiarch scheme | Filip Varga | 1 file | -56/+31
  Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28
  Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-01-21 | NAT: VPP-1537 IPFIX per worker processing | Filip Varga | 1 file | -4/+6
  Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681
  Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-12-14 | NAT: counters (VPP-1484) | Matus Fabian | 1 file | -14/+54
  Change-Id: I5d1852a09712adfe7547c200d161539736aca6f5
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-29 | NAT: syslog - sessions logging (VPP-1139) | Matus Fabian | 1 file | -0/+11
  Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-14 | Remove c-11 memcpy checks from perf-critical code | Dave Barach | 1 file | -6/+5
  Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1
  Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-19 | NAT44: fix ICMP virtual fragmentation reassembly (VPP-1466) | Matus Fabian | 1 file | -6/+42
  Change-Id: I8006bca02948d9121f474a3d14f0576747bb3c51
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-08 | NAT44: do not create session record for identity mapping (VPP-1439) | Matus Fabian | 1 file | -6/+35
  Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-02 | Update code to compute checksum for buffer chains | Juraj Sloboda | 1 file | -3/+5
  Compute ICMP checksum for buffer chains
  Fix checksum function for buffer chains
  Change-Id: I39b845b94a63c3ab5fc9f6f9ab36cadbc67c104f
  Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-21 | NAT: Refactoring / Housekeeping (VPP-1415) | Matus Fabian | 1 file | -4969/+1110
  Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-20 | NAT44 virtual fragmentation reassembly for endpoint-dependent mode (VPP-1325) | Juraj Sloboda | 1 file | -101/+610
  Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d
  Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-13 | NAT: TCP MSS clamping | Matus Fabian | 1 file | -0/+11
  NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation. If the negotiated MSS value is greater than the configured value it is changed to the configured value. If the negotiated MSS value is smaller than the configured value it remains unchanged.
  Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-06 | NAT: fix maximum out of order fragments (VPP-1399) | Matus Fabian | 1 file | -1/+1
  All fragments should be dropped when max_frag is 1 and 2 non-initial fragments are received before the first fragment.
  Change-Id: Id0c968f45629698e347e8226c5926f27b48b82d6
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03 | NAT44: client-IP based session affinity for load-balancing (VPP-1297) | Matus Fabian | 1 file | -10/+10
  Enable client-IP based session affinity per LB NAT rule with specific timeout.
  Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27 | NAT44: fix nat44_ed_not_translate_output_feature for multiple VRF (VPP-1404) | Matus Fabian | 1 file | -9/+15
  Change-Id: I44acc5aeff59dc25d18369e29618bbe39d30a1b3
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27 | NAT44: add support for session timeout (VPP-1272) | Matus Fabian | 1 file | -33/+184
  NAT44 (vanilla/simple and endpoint-dependent mode) now lazily deletes expired sessions. When inserting into the session lookup hash and the bucket is full, an expired session is overwritten.
  Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-09 | NAT44: delete user with zero sessions (VPP-1282) | Matus Fabian | 1 file | -8/+11
  Change-Id: I756e3ad3de9ffe1494221ef95c1943c8591f8f50
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-11 | avoid using thread local storage for thread index | Damjan Marion | 1 file | -5/+5
  It is cheaper to get thread index from vlib_main_t if available...
  Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50
  Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-10 | NAT44: multiple outside FIB tables (VPP-1314) | Matus Fabian | 1 file | -31/+129
  Change-Id: I56eb15f8fd2d3049845287dc3df7870582764f8b
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-26 | NAT44: fix nat44_ed_not_translate_output_feature (VPP-1329) | Matus Fabian | 1 file | -0/+5
  Change-Id: Iddb0b848c53da03116524e203c7112c82b401ac5
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-16 | NAT44: fix coverity | Matus Fabian | 1 file | -1/+1
  Change-Id: Ib1e4563dbc027571c77497e5c190201713adc72b
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-15 | NAT44: endpoint dependent mode (VPP-1273) | Matus Fabian | 1 file | -649/+1634
  To enable NAT plugin endpoint dependent mode add the following to the startup config:
  nat { endpoint-dependent }
  Enable endpoint dependent filtering and mapping for all sessions. Move some existing functionality such as service load balancing, twice nat, out2in-only static mappings and unknown protocol dynamic translations, which used endpoint dependent lookup hash tables before. Basically split into vanilla NAT44 and extra features NAT44.
  Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-28 | NAT44: code cleanup and refactor (VPP-1285) | Matus Fabian | 1 file | -84/+83
  Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-17 | NAT44: nat44_del_session and nat44_user_session_details API update (VPP-1271) | Matus Fabian | 1 file | -15/+11
  Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-14 | NAT44: delete closed TCP session (VPP-1274) | Matus Fabian | 1 file | -14/+23
  Change-Id: Id25b447bddccb7b321123e4abc4134e7261a0807
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-08 | NAT44: TCP connection close detection (VPP-1266) | Matus Fabian | 1 file | -1/+19
  Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-03 | NAT44 segv on unknown proto on inside interface | Matthew Smith | 1 file | -22/+25
  When a packet with an unknown proto arrives on an inside interface and there are no existing sessions for the source address, a segv occurs. snat_in2out_unknown_proto() finds the head of the sessions dlist, fetches the address of the next element using head->next, and then dereferences the next element. On the first packet received from a source address, head->next is ~0, so this results in a segv.
  Check that the session list is not empty before trying to traverse it.
  Also removed unnecessary lookup against tsm->user_hash. Prior call to nat_user_get_or_create() already performed that lookup and added a user if one didn't exist.
  Change-Id: If73e79aa2f8e3962ab7b876ecf55aea40d7a5472
  Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-04-19 | Add special Twice-NAT feature (VPP-1221) | Juraj Sloboda | 1 file | -0/+2
  When enabled, Twice-NAT is applied only when the source IP equals the destination IP after DNAT.
  Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8
  Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-18 | NAT44: recycle old sessions for forwarding bypass (VPP-1240) | Matus Fabian | 1 file | -7/+22
  Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-11 | NAT44: fix setting of flag SNAT_SESSION_FLAG_LOAD_BALANCING (VPP-1235) | Matus Fabian | 1 file | -9/+11
  Change-Id: Ieeafb41d10959700bfd434cd455800af31944150
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-24 | User session counters stay <= per-user limit | Matthew Smith | 1 file | -14/+7
  When a user session is allocated/reused, only increase one of the session counters for that user if the counters are below the per-user limit.
  This addresses a SEGV that arises after the following sequence of events:
  - an outside interface IP address is put in a pool
  - a user exceeds the number of per-user translations by an amount greater than the number of per-user translations (nsessions + nstaticsessions > 100 + 100)
  - the outside interface IP address is deleted and then added again (observed when using DHCP client, likely happens if address changed via CLI, API also)
  - the user sends more packets that should be translated
  When nsessions is > the per-user limit, nat_session_alloc_or_recycle() reclaims the oldest existing user session. When an outside address is deleted, the corresponding user sessions are deleted. If the counters were far above the per-user limit, the deletions wouldn't result in the counters dropping back below the limit. So no session could be reclaimed -> SEGV.
  Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12
  Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-23 | NAT44: fix ICMP checksum update crash (VPP-1205) | Matus Fabian | 1 file | -0/+3
  Change-Id: I3e4bbfe205c86cb0839dd5c542f083dbe6bea881
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-22 | NAT44: interface output feature and dst NAT (VPP-1200) | Matus Fabian | 1 file | -6/+27
  Do not translate packets which go out via nat44-in2out-output and were translated in nat44-out2in before. On the way back, forward the packet to the nat44-in2out node.
  Change-Id: I934d69856f0178c86ff879bc691c9e074b8485c8
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-12 | NAT44: fix nat_not_translate_output_feature in dual loop (VPP-1194) | Matus Fabian | 1 file | -2/+2
  Change-Id: Icb858414145db0e5fef495e155903b3b935e50ba
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-12 | NAT44: fix nat_not_translate_output_feature for ICMP (VPP-1191) | Matus Fabian | 1 file | -8/+7
  Change-Id: I1552e1418b704fdf1f1fa2c0174313b9b82a37a3
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-06 | when lb tcp in2out flow, | ahdj007 | 1 file | -0/+1
  in2out and out2in protocols are not the same
  Change-Id: I4ce680ad1f088cb079e1f2aeb15ca59225fca0d1
  Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
2018-03-02 | NAT44: interface output feature and service host direct access (VPP-1176) | Matus Fabian | 1 file | -2/+63
  forwarding mode:
  session initiated from service host - translate
  session initiated from remote host - do not translate
  Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32
  Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31 | NAT44: in2out output feature skip translation for already translated packets (VPP-1156) | Matus Fabian | 1 file | -14/+73
  Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249
  Signed-off-by: Matus Fabian <matfabia@cisco.com>