summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/in2out_ed.c
AgeCommit message (Collapse)AuthorFilesLines
2020-07-28nat: limit resource consumption when out of portsKlement Sekera1-2/+7
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I83f44711264376389989152666f3c71216146bdd
2020-07-23nat: fix port number selectionElias Rudberg1-4/+4
Change the port number selection for new NAT sessions so that it matches how the thread index is calculated from the port number for out2in packets. Before this change there was a problem when the largest port number in the range was used, that resulted in the wrong thread index being selected when out2in packets arrive for that session. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I936c389eb0d5df6168e18e5e44754de1cdad6ad1 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-07-15nat: add prefetching to in2out_ed/out2in_edKlement Sekera1-1/+13
This saves about 20 clocks/packet in both code paths. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib559c74bf8168e3ddd764d51b7e5bcd2a557f591
2020-06-27nat: replace speculative buffer enqueue modelKlement Sekera1-427/+394
Replace speculative buffer enqueue coding model with vlib_get_buffers(...)/vlib_buffer_enqueue_to_next(...). Type: improvement Change-Id: I7dbfac2234a7bd754c599857eb1d5b601da5bc7c Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-06-22nat: set buf error if can't create userKlement Sekera1-13/+3
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I747d78966a7296dcbae54d54b0c165d407c8863d
2020-06-16nat: improve outside port selection & perfKlement Sekera1-29/+31
Prefer using source port form packet as outside port if possible. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5c25f6a42386f38c9a6cc95bd7dda9f090b49817
2020-06-11nat: simplify bihash buckets/mem configKlement Sekera1-2/+4
Derive reasonable values from max translations/max users. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I41a96ab63ab138b4160cd60bd6df24fc73791c86
2020-06-08nat: more long read after short write optimizationKlement Sekera1-129/+133
Replace whitespread (mis)use of snat_session_key_t by proper function arguments where applicable and inline functions to calculate hash keys instead of using structs for that. Make all hash tables use same network byte order port so that there is no longer a discrepancy between static mappings using host byte order while in2out/out2in tables using network byte order. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I80786d2f947c67824c101a13bb608f1fe1080f34
2020-06-04nat: fixed input validationFilip Varga1-1/+0
Ticket: VPP-1887 Type: fix Change-Id: I341ac7b455926a106d736f4de6771aae655db82e Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-06-03nat: refactor mss_clamping to not depend on snat_main_tOle Troan1-2/+3
Type: refactor Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I1110e425859a4f1f07952c91b50f263cb7323836
2020-05-22nat: output fib index fixFilip Varga1-69/+47
Type: fix Change-Id: I7cb7e3716aee865b12235865009e39ed6ad16680 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-14nat: ED: store both thread&session idx in hashKlement Sekera1-36/+58
By storing thread and session index in hash table we are able to skip multiple hash lookups in multi-worker scenario, which were used for handoff before. Also, by storing sesion index in vnet_buffer2, we can avoid repeating the lookup after handoff. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I406fb12f4e2dd8f4a5ca5d83d59dbc37e1af9abf
2020-05-14nat: fix segv if out of ports in ed modeAlexander Chernavin1-1/+0
Type: fix Change-Id: Ife726d2f6baaa3516c209011183f39670cf6a55d Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera1-12/+13
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-13nat: perf improvement - replace branchy codeKlement Sekera1-21/+21
Use a lookup table instead. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
2020-05-13nat: handoff next node feature fixFilip Varga1-1/+2
Type: fix Change-Id: I14e323e7bb1db7a3d40668212535c07504374e59 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-08nat: fix per thread data vlib_main_t usage take 2Ole Troan1-3/+5
The original fix access vlib_main before these was initialized. Removed cached vlib_mains structure. Type: fix Fixes: 9bb09afb56b1aa787ca574cc732085272059fd5f Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I686bab9220e27891f66bf60489c1602855786aa8 Signed-off-by: Ole Troan <ot@cisco.com>
2020-05-07nat: fix per thread data vlib_main_t usageFilip Varga1-2/+3
Type: fix Change-Id: If6784c9eb278f525e05304d10fd1a00641faaaf0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-06nat: fix coverity warningKlement Sekera1-19/+5
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I609fef6f96c6a3fc85a4dc07e75244b0e1ba9239
2020-05-04nat: per vrf session limitsFilip Varga1-2/+6
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-27nat: improve perf - long read after short writeKlement Sekera1-99/+105
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idbbad246161d28f595c25e10d7282c8b33fa9876
2020-04-24nat: ignore user hash in ED NATKlement Sekera1-81/+23
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-24nat: make usage of vnet_buffer2 transparentKlement Sekera1-5/+5
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I50df248afb3f6b46c49e6695b3f124cfd584f016
2020-04-24nat: ED: reduce number of hash tables usedKlement Sekera1-127/+174
Use out2in_ed hash table for port overloading tracking instead of global table. This reduces number of hash insertions in slowpath. Type: improvement Change-Id: Iad4e897d52033beb7f6d76a7ddb596eef586c6cb Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-16nat: scavenging functionality removedFilip Varga1-20/+7
Type: refactor Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-08nat: ED: global session LRU listKlement Sekera1-5/+1
Maintain a global session LRU allowing reuse of expired session instead of relying on a scavenging mechanism to periodically walk sessions. Whenever a new session is being allocated in slow path, also attempt to free an expired session from global LRU list. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
2020-04-07nat: ED: port re-use algorithmKlement Sekera1-8/+108
Type: fix Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-07nat: don't drop packet for expired sessionKlement Sekera1-2/+2
If session is expired, the packet which we just received might be a one, which legitimely creates a new session, process it in slow path instead to decide the outcome. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I45628f52d37ae9dee5e8aa58171ff0b86f91f5dd
2020-03-26nat: transitory timeout for TCP CLOSED stateKlement Sekera1-10/+36
Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857. This patch implements this functionality for endpoint-dependent NAT. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-25nat: fix error countersKlement Sekera1-0/+5
Type: fix Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-13/+42
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-02-20nat: nat44 split slow and fast pathFilip Varga1-513/+170
Type: improvement Change-Id: I07c7e1c154583906ac9af958f22ed9a1be382f4a Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-01-21nat: fix dhcp client on outside interface with output featureAlexander Chernavin1-9/+9
There was an attempt to fix this problem in the commit: d3b8c861a44e70c197ab721fa3ce7f38bbeab7fd But checking the LOCALLY_ORIGINATED flag didn't work because this flag gets reset before it can reach the NAT nodes. With this commit, replace the check for the LOCALLY_ORIGINATED flag with a check to see if the packet is a DHCP broadcast. Type: fix Change-Id: I069c08a785b5988b10192f528e4f9c4c7cc2f8a3 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-01-17nat: refactor of port/address allocation functionsFilip Varga1-3/+3
Change-Id: Ie2a3c0f44322dd8415603b7ce51bb72d72769c95 Ticket: VPP-1815 Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-01-03nat: use SVRKlement Sekera1-599/+212
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-12nat: session cleanup fixFilip Varga1-0/+3
Ticket: VPP-1795 Type: fix Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-27nat: fix dhcp client on outside interface with output featureAlexander Chernavin1-0/+49
When a DHCP client is configured on a NAT outside interface with output feature enabled, DHCP packets will reach the NAT in2out-output node and will be dropped with "out of ports" reason. With this commit, allow locally originated DHCP packets to be sent from a NAT outside interface with output feature enabled. Type: fix Change-Id: I47d76b22587f2bf0c7b0b9dfda41c89f8f61d0b4 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2019-11-19nat: respect arc features (multi worker)Filip Varga1-191/+189
Type: fix Ticket: VPP-1747 Change-Id: If282aae3e584d7017c200f897b99c8a37eb1b2e5 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-05nat: NAT udp counter & unit test fixesFilip Varga1-1/+1
Ticket: VPP-1798 Type: fix Change-Id: I42f02d5824575720e95b9fc99cfa864252221a82 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-05nat: respect udp checksumFilip Varga1-22/+98
Type: fix Change-Id: I732be02d2e2b854eb589c3fa10f980ef2dbe8dfc Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-04nat: revert respect udp checksumOle Troan1-98/+22
This reverts commit 0d75f783644a24b219ed79d9f9c17387783f67ca. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Iaf33301201897e6646eba2b4157e2a45f5fd30f2
2019-10-28nat: respect udp checksumFilip Varga1-22/+98
Type: fix Change-Id: I73895fa0101bd50483160c8dc6faac2c67513077 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-08-22nat: handoff traffic matching for dynamic NATFilip Varga1-78/+2
Type: feature Change-Id: I5c5af6f9acb340cc674323305104b8ce23e6d21d Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-07-31nat: elog rewrite for multi-worker supportFilip Varga1-16/+14
Type: fix Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2019-02-27NAT44: active-passive HA (VPP-1571)Matus Fabian1-11/+25
session synchronization so that we can build a plain active-passive HA NAT pair Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-18NAT: VPP-1552 code migration from old multiarch schemeFilip Varga1-58/+27
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-01-21NAT: VPP-1537 IPFIX per worker processingFilip Varga1-5/+7
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681 Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-12-14NAT: counters (VPP-1484)Matus Fabian1-14/+56
Change-Id: I5d1852a09712adfe7547c200d161539736aca6f5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-29NAT: syslog - sessions logging (VPP-1139)Matus Fabian1-0/+16
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-23NAT44: improve expired sessions reuse (VPP-1503)Matus Fabian1-34/+17
Change-Id: Iab506f127136c94a641df31ded108016de26260b Signed-off-by: Matus Fabian <matfabia@cisco.com>