Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: refactor
Change-Id: I0bb203102a0e13dd7448e2125925ab356bbd7937
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Some statistics counters were implemented as error counters. Move them
to stat segment, where they belong.
Type: improvement
Change-Id: I5600bec1b4e0496282297374ec1e79d909cdaf8a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Change the port number selection for new NAT sessions so that it
matches how the thread index is calculated from the port number for
out2in packets. Before this change there was a problem when the
largest port number in the range was used, that resulted in the wrong
thread index being selected when out2in packets arrive for that
session.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I936c389eb0d5df6168e18e5e44754de1cdad6ad1
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: refactor
Change-Id: I8c1f0c02a4522c1f9e461ddadd59938579ec00c6
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Prefer using source port form packet as outside port if possible.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I5c25f6a42386f38c9a6cc95bd7dda9f090b49817
|
|
Type: fix
Fixes: a1018c166a468f7692ab621c743503914266f508
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I86592f73a60fd146d3764e474f975881e940c244
|
|
Derive reasonable values from max translations/max users.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I41a96ab63ab138b4160cd60bd6df24fc73791c86
|
|
Replace whitespread (mis)use of snat_session_key_t by proper function
arguments where applicable and inline functions to calculate hash keys
instead of using structs for that. Make all hash tables use same network
byte order port so that there is no longer a discrepancy between static
mappings using host byte order while in2out/out2in tables using network
byte order.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I80786d2f947c67824c101a13bb608f1fe1080f34
|
|
Ticket: VPP-1887
Type: fix
Change-Id: I341ac7b455926a106d736f4de6771aae655db82e
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Identified and removed executable bit from source files in the tree.
find . -perm 755 -name *.[ch] -exec chmod a-x {} \;
Type: improvement
Signed-off-by: Ray Kinsella <mdr@ashroe.eu>
Change-Id: I00710d59fcc46ce5be5233109af4c8077daff74b
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I95286d6723fd1860bf6bb0e81c474d732ab25121
|
|
By storing thread and session index in hash table we are able to skip
multiple hash lookups in multi-worker scenario, which were used for
handoff before. Also, by storing sesion index in vnet_buffer2, we can
avoid repeating the lookup after handoff.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I406fb12f4e2dd8f4a5ca5d83d59dbc37e1af9abf
|
|
This fixes a situation where long-lived inactive session blocks LRU
list. Solution is to have multiple LRU lists based on session type.
This helps because session timeout is same for all sessions of same
type.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
|
|
Use a lookup table instead.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
|
|
Type: fix
Change-Id: I14e323e7bb1db7a3d40668212535c07504374e59
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
The original fix access vlib_main before these was initialized.
Removed cached vlib_mains structure.
Type: fix
Fixes: 9bb09afb56b1aa787ca574cc732085272059fd5f
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I686bab9220e27891f66bf60489c1602855786aa8
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I3c914d5c457df40205280ac589a2d353261343d5
|
|
Type: fix
Change-Id: If6784c9eb278f525e05304d10fd1a00641faaaf0
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Force session cleanup drops NAT db.
Also fixing user specific cli/api calls.
Type: improvement
Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: improvement
Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Idbbad246161d28f595c25e10d7282c8b33fa9876
|
|
With port overloading, port is no longer a scarce resource and there
is no need to limit connections per internal IP. This saves one hash
insert in slow path.
Type: improvement
Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Use out2in_ed hash table for port overloading tracking instead of
global table. This reduces number of hash insertions in slowpath.
Type: improvement
Change-Id: Iad4e897d52033beb7f6d76a7ddb596eef586c6cb
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Add a suitable ASSERT in the bihash template in case this happens again.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ib370d4238f6bae2995bc30fd17fad5c41053c3d1
|
|
Type: refactor
Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Id2d181385f109163d4c806eecda166c2087c4b92
|
|
Maintain a global session LRU allowing reuse of expired session instead
of relying on a scavenging mechanism to periodically walk sessions.
Whenever a new session is being allocated in slow path, also attempt to
free an expired session from global LRU list.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I1be559a98f74c28a9c83fe320c8ce02459793e66
|
|
Type: fix
Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Wait transitory timeout seconds before moving internal state of TCP
session to CLOSED state per RFC 7857. This patch implements this
functionality for endpoint-dependent NAT.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
|
|
Type: fix
Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This fixes a bug in the initialization of handoff_out2in_index and
handoff_in2out_index where the node index for out2in was set to the
in2out node, and vice versa.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I983ddd3b3cec06f4cb3fb95b2a9cda4ab6d1270f
|
|
Patch changes the behavior of session scavenging and fixes multiple
nat issues. Allows proper session clearing and removes issue with lingering sessions
in session db. Patch also updates and fixes CLI/API calls for better readability
of session state metrics. Fixes security issue that would allow attacker to
reuse timed out session in both directions (in2out/out2in).
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
|
|
Save the next session timeout when sweeping sessions for cleanup so that
we can avoid unnecessary runs of the sweeping algorithm.
Type: fix
Change-Id: I736d00f2dfe242af10f963fbe34b11128f8b0613
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: refactor
Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: feature
The current feature ordering of NAT44 nodes with respect to the
ACL plugin's IPv4 input/output features is:
ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes
ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes
ACL rules with action permit+reflect can keep track of outbound
flows and allow the replies inbound without an explicit inbound rule.
If ACL permit+reflect rules are configured on an interface that also
has NAT44 configured with output-feature/postrouting translation of
outbound packets, the ACL rules cannot allow inbound packets. The
ACL state that was stored on the outbound flow contains the IP
addresses of the original packet, prior to translation. The inbound
packets are being evaluated by the ACL node using the translated
addresses.
The order of processing inbound needs to be the opposite of what it
was outbound for this to work. Change the NAT44 features on
ip4-output so that they run before outbound ACL nodes. This matches
the existing behavior of the NAT44 nodes which rewrite
source addresses as an input feature instead of an output feature.
This was only done for endpoint dependent mode because the regular
endpoint independent in2out-output node currently selects an
explicit next node rather than using the next node on the feature
arc.
Unit test added to configure both NAT and an ACL and ensure that
out2in packets matching an in2out flow are permitted by the ACL
and translated by NAT.
Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Remove NAT's implementation of shallow virtual reassembly with
corresponding CLIs, APIs & tests. Replace with standalone shallow
virtual reassembly provided by ipX-sv-reass* nodes.
Type: refactor
Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Ticket: VPP-1795
Type: fix
Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: feature
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2272521d6e69edcd385ef684af6dd4eea5eaa953
|
|
Type: feature
the fib_source_t enum alone no longer defines the priority and
behaviour, instead each source must be allocated these attributes.
This allows the creation of other sources by the plugins (and
soon over the API).
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I890ee820fbc16079ee417ea1fbc163192806e853
|
|
Type: fix
Ticket: VPP-1747
Change-Id: If282aae3e584d7017c200f897b99c8a37eb1b2e5
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
NAT hasn't worked when NAT interfaces wasn't in
default VRF (fib_index = 0). This issue has been occurred with
interfaces with output-feature in endpoint-dependent mode.
Update VAT commands:
- update nat44_add_del_address_range
- add nat44_interface_add_del_output_feature
Ticket: VPP-1732
Type: fix
Change-Id: Iddea15dde4b948f159a0056d48c55bd917037fd1
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
|
|
Type: feature
Change-Id: I5c5af6f9acb340cc674323305104b8ce23e6d21d
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Change-Id: Ib9164d8f6c681e8900e645306f3a2dc0ac0e40a8
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
|
|
Type: fix
Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
|
|
Type: fix
Change-Id: Ie5befde2f23caffb033b3b9f35ac1535c1224925
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Change-Id: I2d1e2addb2e440c23c255ac7709169f7909cb0be
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
We must do lock fib while vrf id ~0, otherwise it crashes while unlocking fib.
Change-Id: Iec9754ccd67634a132bc5384a4f796d4a65943ae
Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
|
|
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
In endpoint dependent mode, when a session at the head of a user
LRU is reused, if the IP protocol for that session was unknown (any
other than tcp, udp, or icmp), the attempt to delete the session
mapping from the in2out bihash was not using the same key that was
used when the mapping was added. This would cause the deletion of
the mapping to fail. If packets arrive later which match the original
session, the search for the session key would succeed when it should
have failed and the session, which is now associated with a different
pair of endpoints, may end up being updated when it should not be.
Update the key generation when reallocating an existing session to
do the right thing if the session is for an unknown protocol.
Also update format_nat_session() for unknown protocols so that
'vppctl show nat44 session detail' will display the protocol
correctly. In endpoint dependent mode, the IP protocol is stored in
the port field on a session if the protocol is unknown. The value
is stored in host byte order, but the format function was swapping
the bytes before writing the protocol.
Change-Id: I9e8daadd4569cb2610532dab4e4f41d1567cf3d1
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|