summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat.c
AgeCommit message (Collapse)AuthorFilesLines
2020-04-08nat: ED: global session LRU listKlement Sekera1-3/+50
Maintain a global session LRU allowing reuse of expired session instead of relying on a scavenging mechanism to periodically walk sessions. Whenever a new session is being allocated in slow path, also attempt to free an expired session from global LRU list. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
2020-04-08nat: preallocate poolsKlement Sekera1-0/+3
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I1be559a98f74c28a9c83fe320c8ce02459793e66
2020-04-07nat: ED: port re-use algorithmKlement Sekera1-22/+43
Type: fix Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-03-26nat: transitory timeout for TCP CLOSED stateKlement Sekera1-1/+2
Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857. This patch implements this functionality for endpoint-dependent NAT. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-25nat: fix error countersKlement Sekera1-1/+5
Type: fix Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-03-13nat: in2out/out2in handoff node index bugfixElias Rudberg1-2/+2
This fixes a bug in the initialization of handoff_out2in_index and handoff_in2out_index where the node index for out2in was set to the in2out node, and vice versa. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I983ddd3b3cec06f4cb3fb95b2a9cda4ab6d1270f
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-50/+164
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-02-20nat: avoid running pointless session cleanupsKlement Sekera1-0/+1
Save the next session timeout when sweeping sessions for cleanup so that we can avoid unnecessary runs of the sweeping algorithm. Type: fix Change-Id: I736d00f2dfe242af10f963fbe34b11128f8b0613 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-02-05nat: move dslite to separate sub-pluginOle Troan1-15/+3
Type: refactor Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7 Signed-off-by: Ole Troan <ot@cisco.com>
2020-01-24nat: in2out-output nodes work with acl reflectMatthew Smith1-2/+4
Type: feature The current feature ordering of NAT44 nodes with respect to the ACL plugin's IPv4 input/output features is: ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes ACL rules with action permit+reflect can keep track of outbound flows and allow the replies inbound without an explicit inbound rule. If ACL permit+reflect rules are configured on an interface that also has NAT44 configured with output-feature/postrouting translation of outbound packets, the ACL rules cannot allow inbound packets. The ACL state that was stored on the outbound flow contains the IP addresses of the original packet, prior to translation. The inbound packets are being evaluated by the ACL node using the translated addresses. The order of processing inbound needs to be the opposite of what it was outbound for this to work. Change the NAT44 features on ip4-output so that they run before outbound ACL nodes. This matches the existing behavior of the NAT44 nodes which rewrite source addresses as an input feature instead of an output feature. This was only done for endpoint dependent mode because the regular endpoint independent in2out-output node currently selects an explicit next node rather than using the next node on the feature arc. Unit test added to configure both NAT and an ACL and ensure that out2in packets matching an in2out flow are permitted by the ACL and translated by NAT. Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-01-03nat: use SVRKlement Sekera1-90/+94
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-12nat: session cleanup fixFilip Varga1-22/+46
Ticket: VPP-1795 Type: fix Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-12-10api: multiple connections per processDave Barach1-1/+1
Type: feature Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I2272521d6e69edcd385ef684af6dd4eea5eaa953
2019-12-04fib: Decouple source from priority and behaviourNeale Ranns1-17/+27
Type: feature the fib_source_t enum alone no longer defines the priority and behaviour, instead each source must be allocated these attributes. This allows the creation of other sources by the plugins (and soon over the API). Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I890ee820fbc16079ee417ea1fbc163192806e853
2019-11-19nat: respect arc features (multi worker)Filip Varga1-24/+95
Type: fix Ticket: VPP-1747 Change-Id: If282aae3e584d7017c200f897b99c8a37eb1b2e5 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-09-23nat: fix update of outside fibs (output-feature)Dmitry Vakhrushev1-0/+10
NAT hasn't worked when NAT interfaces wasn't in default VRF (fib_index = 0). This issue has been occurred with interfaces with output-feature in endpoint-dependent mode. Update VAT commands: - update nat44_add_del_address_range - add nat44_interface_add_del_output_feature Ticket: VPP-1732 Type: fix Change-Id: Iddea15dde4b948f159a0056d48c55bd917037fd1 Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
2019-08-22nat: handoff traffic matching for dynamic NATFilip Varga1-21/+198
Type: feature Change-Id: I5c5af6f9acb340cc674323305104b8ce23e6d21d Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-08-01nat: handoff rewrite & fixes for multi-workerFilip Varga1-22/+36
Type: fix Change-Id: Ib9164d8f6c681e8900e645306f3a2dc0ac0e40a8 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2019-07-31nat: elog rewrite for multi-worker supportFilip Varga1-31/+33
Type: fix Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2019-07-23nat: fixed handoff in2out lookup of static mappings by external addressFilip Varga1-2/+2
Type: fix Change-Id: Ie5befde2f23caffb033b3b9f35ac1535c1224925 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-06-12NAT: interface fib fix (VPP-1691)Filip Varga1-8/+16
Change-Id: I2d1e2addb2e440c23c255ac7709169f7909cb0be Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-05-23Fix vpp crash bug while deleting dhcp clientjackiechen19851-0/+1
We must do lock fib while vrf id ~0, otherwise it crashes while unlocking fib. Change-Id: Iec9754ccd67634a132bc5384a4f796d4a65943ae Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
2019-05-03plugins: clean up plugin descriptionsDave Wallace1-1/+1
- Make plugin descriptions more consistent so the output of "show plugin" can be used in the wiki. Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2019-04-26nat: fix ED mode unknown proto session managementMatthew Smith1-3/+12
In endpoint dependent mode, when a session at the head of a user LRU is reused, if the IP protocol for that session was unknown (any other than tcp, udp, or icmp), the attempt to delete the session mapping from the in2out bihash was not using the same key that was used when the mapping was added. This would cause the deletion of the mapping to fail. If packets arrive later which match the original session, the search for the session key would succeed when it should have failed and the session, which is now associated with a different pair of endpoints, may end up being updated when it should not be. Update the key generation when reallocating an existing session to do the right thing if the session is for an unknown protocol. Also update format_nat_session() for unknown protocols so that 'vppctl show nat44 session detail' will display the protocol correctly. In endpoint dependent mode, the IP protocol is stored in the port field on a session if the protocol is unknown. The value is stored in host byte order, but the format function was swapping the bytes before writing the protocol. Change-Id: I9e8daadd4569cb2610532dab4e4f41d1567cf3d1 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-04-26nat: prevent creation when-resolved static mappings on errorsAlexander Chernavin1-1/+1
When you create two identical NAT44 static mappings using interface name as external address and only local or ext port is different, VALUE_EXIST will be raised but when-resolved static mapping will remain. vpp# nat44 add static mapping tcp local 10.128.0.129 443 external GigabitEthernet0/8/0 8443 vpp# nat44 add static mapping tcp local 10.128.0.129 80 external GigabitEthernet0/8/0 8443 nat44 add static mapping: Mapping already exist. vpp# show nat44 static mappings NAT44 static mappings: tcp local 10.128.0.129:443 external 2.2.2.2:8443 vrf 0 tcp local 10.128.0.129:443 external GigabitEthernet0/8/0:8443 vrf -1 tcp local 10.128.0.129:80 external GigabitEthernet0/8/0:8443 vrf -1 With this commit, when-resolved static mapping is not created if the translation only differs in local or ext port. Change-Id: Ifc960b9dc1371caa2a8d3206a80a0ffd10d293e4 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2019-04-09nat: initialize fq_in2out_output_indexMatthew Smith1-0/+1
When using the output feature ('postrouting') outbound translation, no packets are passed when using worker threads. The frame queue for in2out packets to be handed off between threads is never allocated. This is because that allocation only happens if the value of fq_in2out_output_index == ~0, but fq_in2out_output_index is never initialized prior to checking that. Initialize fq_in2out_output_index to ~0 so a frame queue will be allocated when there are worker threads. Change-Id: I0836685eb611348643c11ac7e4d0cab935a29384 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-02-27NAT44: active-passive HA (VPP-1571)Matus Fabian1-28/+411
session synchronization so that we can build a plain active-passive HA NAT pair Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-18NAT: VPP-1552 code migration from old multiarch schemeFilip Varga1-4/+57
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-02-18NAT44: fix snat_get_worker_out2in_cb (VPP-1536)Matus Fabian1-9/+36
Change-Id: I9c562f8e3407ca60a4412a162015fa505b7590b6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-01-28Fix issues with order of NAT commands before set VRF table on an interfaceDmitry Vakhrushev1-2/+66
Outside FIB index doesn't change in this case. We register callback for changing of outside FIB if table binding is changed on an interface. Change-Id: I1ebbd7c3c547fc999089db07abd2019734395a6e Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
2019-01-21NAT: VPP-1537 IPFIX per worker processingFilip Varga1-5/+6
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-01-16NAT: Fixed issues with dropping reverse packets with output-feature.Dmitry Vakhrushev1-0/+32
Fixed NAT issues with dropping reverse packets in case NAT worked in 'endpoint-dependent' mode and outside interface has FIB different from 0 when the output-feature is set. In this case, the out2in_ed dynamic hash key was not being created correctly. Change-Id: I6362967f4b09a375a4606eedaa8e264795b25453 Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
2018-12-21NAT: fix coverity error 190176 (VPP-1474)Matus Fabian1-0/+2
Change-Id: I0ee80c7bec59d3e9c69e92e6cf0af1a6864a4ec4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-12-20NAT: total users and sessions gauges (VPP-1484)Matus Fabian1-0/+18
Change-Id: I41a82e21571d5c64d01af72cd88c3983afac26ed Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-12-18NAT44: nat44_add_del_lb_static_mapping enhancements (VPP-1514)Matus Fabian1-40/+233
Change-Id: I5419e06592b0402e911e132796368800321f355a Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-29NAT: syslog - sessions logging (VPP-1139)Matus Fabian1-0/+15
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-23NAT44: improve expired sessions reuse (VPP-1503)Matus Fabian1-45/+48
Change-Id: Iab506f127136c94a641df31ded108016de26260b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-07NAT44: fix undesired dependency between static mapping and address from the ↵Matus Fabian1-0/+7
pool (VPP-1485) Change-Id: Iaa404361eac2a6612dcdaba3f73bae41a35c5446 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-23c11 safe string handling supportDave Barach1-5/+5
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-12NAT44: identity NAT fix (VPP-1441)Matus Fabian1-23/+82
Change-Id: Ic4affc54d15d08b9b730f6ec6146ee053b28b4b6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-08NAT44: do not create session record for identity mapping (VPP-1439)Matus Fabian1-40/+34
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-24NAT44: endpoint-dependent mode session timeout improvement (VPP-1423)Matus Fabian1-21/+57
Change-Id: I630f3da1ea4e6e50a50f1352c097becef1efe3c0 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-21NAT: Refactoring / Housekeeping (VPP-1415)Matus Fabian1-1711/+990
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-20NAT44 virtual fragmentation reassembly for endpoint-dependent mode (VPP-1325)Juraj Sloboda1-25/+240
Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-19nat: free port_bitmapdongjuan1-0/+7
Change-Id: Ied0fc50f1afb0f7fc563784544699726a6d03380 Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
2018-09-13NAT: TCP MSS clampingMatus Fabian1-0/+1
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation. If the negotiated MSS value is greater than the configured value it is changed to the configured value. If the negotiated MSS value is smaller than the configured value it remains unchanged. Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-11nat: fix busy ports of each threaddongjuan1-4/+15
which can create dead loop in nat_alloc_addr_and_port_default function Change-Id: I468c25ce0f0a0b3f881de564623dea208b2ca700 Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
2018-09-04NAT: add support for configurable port range (VPP-1346)Matus Fabian1-0/+84
Change-Id: I6882b6daa05db866fe6e78a62b380ec331507f74 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03NAT44: client-IP based session affinity for load-balancing (VPP-1297)Matus Fabian1-6/+41
Enable client-IP based session affinity per LB NAT rule with specific timeout. Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27NAT44: add support for session timeout (VPP-1272)Matus Fabian1-3/+49
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired sessions. When inserting to session lookup hash and bucket is full, expired session is overwritten. Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d Signed-off-by: Matus Fabian <matfabia@cisco.com>