summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat.c
AgeCommit message (Collapse)AuthorFilesLines
2019-04-09nat: initialize fq_in2out_output_indexMatthew Smith1-0/+1
When using the output feature ('postrouting') outbound translation, no packets are passed when using worker threads. The frame queue for in2out packets to be handed off between threads is never allocated. This is because that allocation only happens if the value of fq_in2out_output_index == ~0, but fq_in2out_output_index is never initialized prior to checking that. Initialize fq_in2out_output_index to ~0 so a frame queue will be allocated when there are worker threads. Change-Id: I0836685eb611348643c11ac7e4d0cab935a29384 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-02-27NAT44: active-passive HA (VPP-1571)Matus Fabian1-28/+411
session synchronization so that we can build a plain active-passive HA NAT pair Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-18NAT: VPP-1552 code migration from old multiarch schemeFilip Varga1-4/+57
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-02-18NAT44: fix snat_get_worker_out2in_cb (VPP-1536)Matus Fabian1-9/+36
Change-Id: I9c562f8e3407ca60a4412a162015fa505b7590b6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-01-28Fix issues with order of NAT commands before set VRF table on an interfaceDmitry Vakhrushev1-2/+66
Outside FIB index doesn't change in this case. We register callback for changing of outside FIB if table binding is changed on an interface. Change-Id: I1ebbd7c3c547fc999089db07abd2019734395a6e Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
2019-01-21NAT: VPP-1537 IPFIX per worker processingFilip Varga1-5/+6
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-01-16NAT: Fixed issues with dropping reverse packets with output-feature.Dmitry Vakhrushev1-0/+32
Fixed NAT issues with dropping reverse packets in case NAT worked in 'endpoint-dependent' mode and outside interface has FIB different from 0 when the output-feature is set. In this case, the out2in_ed dynamic hash key was not being created correctly. Change-Id: I6362967f4b09a375a4606eedaa8e264795b25453 Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
2018-12-21NAT: fix coverity error 190176 (VPP-1474)Matus Fabian1-0/+2
Change-Id: I0ee80c7bec59d3e9c69e92e6cf0af1a6864a4ec4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-12-20NAT: total users and sessions gauges (VPP-1484)Matus Fabian1-0/+18
Change-Id: I41a82e21571d5c64d01af72cd88c3983afac26ed Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-12-18NAT44: nat44_add_del_lb_static_mapping enhancements (VPP-1514)Matus Fabian1-40/+233
Change-Id: I5419e06592b0402e911e132796368800321f355a Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-29NAT: syslog - sessions logging (VPP-1139)Matus Fabian1-0/+15
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-23NAT44: improve expired sessions reuse (VPP-1503)Matus Fabian1-45/+48
Change-Id: Iab506f127136c94a641df31ded108016de26260b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-07NAT44: fix undesired dependency between static mapping and address from the ↵Matus Fabian1-0/+7
pool (VPP-1485) Change-Id: Iaa404361eac2a6612dcdaba3f73bae41a35c5446 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-23c11 safe string handling supportDave Barach1-5/+5
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-12NAT44: identity NAT fix (VPP-1441)Matus Fabian1-23/+82
Change-Id: Ic4affc54d15d08b9b730f6ec6146ee053b28b4b6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-08NAT44: do not create session record for identity mapping (VPP-1439)Matus Fabian1-40/+34
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-24NAT44: endpoint-dependent mode session timeout improvement (VPP-1423)Matus Fabian1-21/+57
Change-Id: I630f3da1ea4e6e50a50f1352c097becef1efe3c0 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-21NAT: Refactoring / Housekeeping (VPP-1415)Matus Fabian1-1711/+990
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-20NAT44 virtual fragmentation reassembly for endpoint-dependent mode (VPP-1325)Juraj Sloboda1-25/+240
Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-19nat: free port_bitmapdongjuan1-0/+7
Change-Id: Ied0fc50f1afb0f7fc563784544699726a6d03380 Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
2018-09-13NAT: TCP MSS clampingMatus Fabian1-0/+1
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation. If the negotiated MSS value is greater than the configured value it is changed to the configured value. If the negotiated MSS value is smaller than the configured value it remains unchanged. Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-11nat: fix busy ports of each threaddongjuan1-4/+15
which can create dead loop in nat_alloc_addr_and_port_default function Change-Id: I468c25ce0f0a0b3f881de564623dea208b2ca700 Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
2018-09-04NAT: add support for configurable port range (VPP-1346)Matus Fabian1-0/+84
Change-Id: I6882b6daa05db866fe6e78a62b380ec331507f74 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03NAT44: client-IP based session affinity for load-balancing (VPP-1297)Matus Fabian1-6/+41
Enable client-IP based session affinity per LB NAT rule with specific timeout. Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27NAT44: add support for session timeout (VPP-1272)Matus Fabian1-3/+49
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired sessions. When inserting to session lookup hash and bucket is full, expired session is overwritten. Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-22NAT: update nat_show_config_reply API (VPP-1403)Matus Fabian1-0/+12
Change-Id: I85383e428cb54c4c09ab387811dd6390f7c61d97 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-15VPP-1387:foreach outside address vector to find correct index when free ↵shubing guo1-17/+14
outside address and port Change-Id: Ie5452350a8ebe2c1b62085fcab50dbc0138d3ae2 Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
2018-08-15NAT44: fix bug in snat_interface_add_del (VPP-1380)Matus Fabian1-4/+4
Should not enable nat44-hairpinning node in deterministic mode Change-Id: I5790323a6842ee71a62c6c91c49166a2839eac12 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-11VPP-1381: Fix the incorrect if condition when delete session for static mappingshubing guo1-2/+2
-- The session should not be deleted when either ip address or port doesn't same with static mapping. Change-Id: I09ab7379947654d2780a8c40c5340ce430541b12 Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
2018-08-09NAT44: delete user with zero sessions (VPP-1282)Matus Fabian1-7/+4
Change-Id: I756e3ad3de9ffe1494221ef95c1943c8591f8f50 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-02NAT44: LB NAT - local backends in multiple VRFs (VPP-1345)Matus Fabian1-16/+12
Add support for local backends in multiple VRFs for load-balancing NAT rules. Change-Id: I64e6818bd67a7e69985003498cf1f16f7200c334 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-20NAT44: in+out interface in STN setup improvement (VPP-1344)Matus Fabian1-8/+26
Change-Id: Iad7e0337a577ef8a0dfb7bde1968cc115d176043 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-10NAT44: multiple outside FIB tables (VPP-1314)Matus Fabian1-8/+39
Change-Id: I56eb15f8fd2d3049845287dc3df7870582764f8b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-15NAT44: endpoint dependent mode (VPP-1273)Matus Fabian1-217/+382
To enable NAT plugin endpoint dependent mode add following to statrup config: nat { endpoint-dependent } Enable endpoint dependent filtering and mapping for all sessions. Move some existing functionality such as service load balancing, twice nat, out2in-only static mappings and unknown protocol dynamic translations, which use endpoint dependent lookup hash tables before. Basically split to vanilla NAT44 and extra features NAT44. Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-11Fix multiple NAT translation with interface address as externalAlexander Chernavin1-4/+4
Change-Id: Idd65c6d0489bf83984a2c34d22d3f94000fc7018 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2018-05-28NAT44: code cleanup and refactor (VPP-1285)Matus Fabian1-83/+152
Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-27VPP-1294: add missing feature arc constraintDave Barach1-1/+2
the ip4-dhcp-client-detect feature MUST run prior to nat44-out2in, or inbound dhcp broadcast packets will be dropped. Certain dhcp servers answer lease renewal dhcp-request packets with broadcast dhcp-acks, leading to unrecoverable lease loss. In detail, this constraint: VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), }; doesn't get the job done: ip4-unicast: [17] nat44-out2in [23] ip4-dhcp-client-detect [26] ip4-not-enabled Add a proper constraint: VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", "ip4-dhcp-client-detect"), }; and the interface feature order is OK, at least in this regard: ip4-unicast: [17] ip4-dhcp-client-detect [18] nat44-out2in [26] ip4-not-enabled We need to carefully audit (especially) the ip4-unicast feature arc, which has [gasp] 37 features on it! Change-Id: I5e749ead7ab2a25d80839a331de6261e112977ad Signed-off-by: Dave Barach <dave@barachs.net>
2018-05-17NAT44: nat44_del_session and nat44_user_session_details API update (VPP-1271)Matus Fabian1-34/+81
Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-10NAT44: sessions counters per user fix (VPP-1270)Matus Fabian1-6/+6
Change-Id: I6306b81e0e1c3e1c591f929a76bb265c1c1d0859 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-08NAT44: TCP connection close detection (VPP-1266)Matus Fabian1-9/+25
Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-26NAT44: disable nat44-hairpinning feature for in-out interface (VPP-1255)Matus Fabian1-10/+20
Change-Id: Icd42abf4e35db550df496592cffce655f1987d68 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-24NAT44: one-armed NAT and identity mapping (VPP-1212)Matus Fabian1-3/+10
Change-Id: I228728bacfca6056dc409a96de1bffb9cadcd3e6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-19Add special Twice-NAT feature (VPP-1221)Juraj Sloboda1-7/+18
When enabled then Twice-NAT is applied only when source IP equals destination IP after DNAT Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-18NAT44: recycle old sessions for forwarding bypass (VPP-1240)Matus Fabian1-0/+15
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-13NAT66: Do not translate if packet not aimed at outside interfaceJuraj Sloboda1-0/+9
Change-Id: Id5a2a90d81cc9cb87cb6fb89ac2f4ca3cbcb51e2 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-11NAT44: fix setting of flag SNAT_SESSION_FLAG_LOAD_BALANCING (VPP-1235)Matus Fabian1-4/+12
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-10when deleting l3 static mapping with addr_only,ahdj0071-1/+4
lb session with the same user maybe deleted. Change-Id: Ie58579cf4f8babb594f3c44aa185720134c58c3d Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
2018-04-09NAT44: don't add static mapping to resolution vector if failed (VPP-1225)Matus Fabian1-3/+27
Change-Id: I71660eb327124179ff200763c4743cc81dc6e1c6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-04NAT added FIB entries have a preference lower than API/CLINeale Ranns1-6/+6
Change-Id: Ia99490180683e8649784f7d9d18c509c3ca78438 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-04-04NAT44: prohibit multiple static mappings for a single local address (VPP-1224)Matus Fabian1-0/+11
Change-Id: I32b30210c2f1aec10a1b614d04f427662326a3d2 Signed-off-by: Matus Fabian <matfabia@cisco.com>