Age | Commit message (Collapse) | Author | Files | Lines |
|
Maintain a global session LRU allowing reuse of expired session instead
of relying on a scavenging mechanism to periodically walk sessions.
Whenever a new session is being allocated in slow path, also attempt to
free an expired session from global LRU list.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I1be559a98f74c28a9c83fe320c8ce02459793e66
|
|
Type: fix
Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Wait transitory timeout seconds before moving internal state of TCP
session to CLOSED state per RFC 7857. This patch implements this
functionality for endpoint-dependent NAT.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
|
|
Type: fix
Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This fixes a bug in the initialization of handoff_out2in_index and
handoff_in2out_index where the node index for out2in was set to the
in2out node, and vice versa.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I983ddd3b3cec06f4cb3fb95b2a9cda4ab6d1270f
|
|
Patch changes the behavior of session scavenging and fixes multiple
nat issues. Allows proper session clearing and removes issue with lingering sessions
in session db. Patch also updates and fixes CLI/API calls for better readability
of session state metrics. Fixes security issue that would allow attacker to
reuse timed out session in both directions (in2out/out2in).
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
|
|
Save the next session timeout when sweeping sessions for cleanup so that
we can avoid unnecessary runs of the sweeping algorithm.
Type: fix
Change-Id: I736d00f2dfe242af10f963fbe34b11128f8b0613
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: refactor
Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: feature
The current feature ordering of NAT44 nodes with respect to the
ACL plugin's IPv4 input/output features is:
ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes
ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes
ACL rules with action permit+reflect can keep track of outbound
flows and allow the replies inbound without an explicit inbound rule.
If ACL permit+reflect rules are configured on an interface that also
has NAT44 configured with output-feature/postrouting translation of
outbound packets, the ACL rules cannot allow inbound packets. The
ACL state that was stored on the outbound flow contains the IP
addresses of the original packet, prior to translation. The inbound
packets are being evaluated by the ACL node using the translated
addresses.
The order of processing inbound needs to be the opposite of what it
was outbound for this to work. Change the NAT44 features on
ip4-output so that they run before outbound ACL nodes. This matches
the existing behavior of the NAT44 nodes which rewrite
source addresses as an input feature instead of an output feature.
This was only done for endpoint dependent mode because the regular
endpoint independent in2out-output node currently selects an
explicit next node rather than using the next node on the feature
arc.
Unit test added to configure both NAT and an ACL and ensure that
out2in packets matching an in2out flow are permitted by the ACL
and translated by NAT.
Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Remove NAT's implementation of shallow virtual reassembly with
corresponding CLIs, APIs & tests. Replace with standalone shallow
virtual reassembly provided by ipX-sv-reass* nodes.
Type: refactor
Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Ticket: VPP-1795
Type: fix
Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: feature
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: I2272521d6e69edcd385ef684af6dd4eea5eaa953
|
|
Type: feature
the fib_source_t enum alone no longer defines the priority and
behaviour, instead each source must be allocated these attributes.
This allows the creation of other sources by the plugins (and
soon over the API).
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I890ee820fbc16079ee417ea1fbc163192806e853
|
|
Type: fix
Ticket: VPP-1747
Change-Id: If282aae3e584d7017c200f897b99c8a37eb1b2e5
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
NAT hasn't worked when NAT interfaces wasn't in
default VRF (fib_index = 0). This issue has been occurred with
interfaces with output-feature in endpoint-dependent mode.
Update VAT commands:
- update nat44_add_del_address_range
- add nat44_interface_add_del_output_feature
Ticket: VPP-1732
Type: fix
Change-Id: Iddea15dde4b948f159a0056d48c55bd917037fd1
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
|
|
Type: feature
Change-Id: I5c5af6f9acb340cc674323305104b8ce23e6d21d
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Change-Id: Ib9164d8f6c681e8900e645306f3a2dc0ac0e40a8
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
|
|
Type: fix
Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
|
|
Type: fix
Change-Id: Ie5befde2f23caffb033b3b9f35ac1535c1224925
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Change-Id: I2d1e2addb2e440c23c255ac7709169f7909cb0be
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
We must do lock fib while vrf id ~0, otherwise it crashes while unlocking fib.
Change-Id: Iec9754ccd67634a132bc5384a4f796d4a65943ae
Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
|
|
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
In endpoint dependent mode, when a session at the head of a user
LRU is reused, if the IP protocol for that session was unknown (any
other than tcp, udp, or icmp), the attempt to delete the session
mapping from the in2out bihash was not using the same key that was
used when the mapping was added. This would cause the deletion of
the mapping to fail. If packets arrive later which match the original
session, the search for the session key would succeed when it should
have failed and the session, which is now associated with a different
pair of endpoints, may end up being updated when it should not be.
Update the key generation when reallocating an existing session to
do the right thing if the session is for an unknown protocol.
Also update format_nat_session() for unknown protocols so that
'vppctl show nat44 session detail' will display the protocol
correctly. In endpoint dependent mode, the IP protocol is stored in
the port field on a session if the protocol is unknown. The value
is stored in host byte order, but the format function was swapping
the bytes before writing the protocol.
Change-Id: I9e8daadd4569cb2610532dab4e4f41d1567cf3d1
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
When you create two identical NAT44 static mappings using interface
name as external address and only local or ext port is different,
VALUE_EXIST will be raised but when-resolved static mapping will
remain.
vpp# nat44 add static mapping tcp local 10.128.0.129 443 external GigabitEthernet0/8/0 8443
vpp# nat44 add static mapping tcp local 10.128.0.129 80 external GigabitEthernet0/8/0 8443
nat44 add static mapping: Mapping already exist.
vpp# show nat44 static mappings
NAT44 static mappings:
tcp local 10.128.0.129:443 external 2.2.2.2:8443 vrf 0
tcp local 10.128.0.129:443 external GigabitEthernet0/8/0:8443 vrf -1
tcp local 10.128.0.129:80 external GigabitEthernet0/8/0:8443 vrf -1
With this commit, when-resolved static mapping is not created if the
translation only differs in local or ext port.
Change-Id: Ifc960b9dc1371caa2a8d3206a80a0ffd10d293e4
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
When using the output feature ('postrouting') outbound translation,
no packets are passed when using worker threads. The frame queue for
in2out packets to be handed off between threads is never allocated.
This is because that allocation only happens if the value of
fq_in2out_output_index == ~0, but fq_in2out_output_index is never
initialized prior to checking that.
Initialize fq_in2out_output_index to ~0 so a frame queue will be
allocated when there are worker threads.
Change-Id: I0836685eb611348643c11ac7e4d0cab935a29384
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
session synchronization so that we can build a plain active-passive HA NAT pair
Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Change-Id: I9c562f8e3407ca60a4412a162015fa505b7590b6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Outside FIB index doesn't change in this case. We register
callback for changing of outside FIB if table binding is changed
on an interface.
Change-Id: I1ebbd7c3c547fc999089db07abd2019734395a6e
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
|
|
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Fixed NAT issues with dropping reverse packets in case NAT worked
in 'endpoint-dependent' mode and outside interface has FIB different
from 0 when the output-feature is set.
In this case, the out2in_ed dynamic hash key was not being created
correctly.
Change-Id: I6362967f4b09a375a4606eedaa8e264795b25453
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
|
|
Change-Id: I0ee80c7bec59d3e9c69e92e6cf0af1a6864a4ec4
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I41a82e21571d5c64d01af72cd88c3983afac26ed
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I5419e06592b0402e911e132796368800321f355a
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Iab506f127136c94a641df31ded108016de26260b
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
pool (VPP-1485)
Change-Id: Iaa404361eac2a6612dcdaba3f73bae41a35c5446
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: Ic4affc54d15d08b9b730f6ec6146ee053b28b4b6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I630f3da1ea4e6e50a50f1352c097becef1efe3c0
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Change-Id: Ied0fc50f1afb0f7fc563784544699726a6d03380
Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
|
|
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation.
If the negotiated MSS value is greater than the configured value it is changed
to the configured value. If the negotiated MSS value is smaller than the
configured value it remains unchanged.
Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
which can create dead loop in
nat_alloc_addr_and_port_default function
Change-Id: I468c25ce0f0a0b3f881de564623dea208b2ca700
Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
|
|
Change-Id: I6882b6daa05db866fe6e78a62b380ec331507f74
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Enable client-IP based session affinity per LB NAT rule with specific timeout.
Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired
sessions. When inserting to session lookup hash and bucket is full, expired
session is overwritten.
Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|