summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat.c
AgeCommit message (Collapse)AuthorFilesLines
2018-06-15NAT44: endpoint dependent mode (VPP-1273)Matus Fabian1-217/+382
To enable NAT plugin endpoint dependent mode add following to statrup config: nat { endpoint-dependent } Enable endpoint dependent filtering and mapping for all sessions. Move some existing functionality such as service load balancing, twice nat, out2in-only static mappings and unknown protocol dynamic translations, which use endpoint dependent lookup hash tables before. Basically split to vanilla NAT44 and extra features NAT44. Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-11Fix multiple NAT translation with interface address as externalAlexander Chernavin1-4/+4
Change-Id: Idd65c6d0489bf83984a2c34d22d3f94000fc7018 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2018-05-28NAT44: code cleanup and refactor (VPP-1285)Matus Fabian1-83/+152
Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-27VPP-1294: add missing feature arc constraintDave Barach1-1/+2
the ip4-dhcp-client-detect feature MUST run prior to nat44-out2in, or inbound dhcp broadcast packets will be dropped. Certain dhcp servers answer lease renewal dhcp-request packets with broadcast dhcp-acks, leading to unrecoverable lease loss. In detail, this constraint: VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), }; doesn't get the job done: ip4-unicast: [17] nat44-out2in [23] ip4-dhcp-client-detect [26] ip4-not-enabled Add a proper constraint: VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", "ip4-dhcp-client-detect"), }; and the interface feature order is OK, at least in this regard: ip4-unicast: [17] ip4-dhcp-client-detect [18] nat44-out2in [26] ip4-not-enabled We need to carefully audit (especially) the ip4-unicast feature arc, which has [gasp] 37 features on it! Change-Id: I5e749ead7ab2a25d80839a331de6261e112977ad Signed-off-by: Dave Barach <dave@barachs.net>
2018-05-17NAT44: nat44_del_session and nat44_user_session_details API update (VPP-1271)Matus Fabian1-34/+81
Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-10NAT44: sessions counters per user fix (VPP-1270)Matus Fabian1-6/+6
Change-Id: I6306b81e0e1c3e1c591f929a76bb265c1c1d0859 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-08NAT44: TCP connection close detection (VPP-1266)Matus Fabian1-9/+25
Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-26NAT44: disable nat44-hairpinning feature for in-out interface (VPP-1255)Matus Fabian1-10/+20
Change-Id: Icd42abf4e35db550df496592cffce655f1987d68 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-24NAT44: one-armed NAT and identity mapping (VPP-1212)Matus Fabian1-3/+10
Change-Id: I228728bacfca6056dc409a96de1bffb9cadcd3e6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-19Add special Twice-NAT feature (VPP-1221)Juraj Sloboda1-7/+18
When enabled then Twice-NAT is applied only when source IP equals destination IP after DNAT Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-18NAT44: recycle old sessions for forwarding bypass (VPP-1240)Matus Fabian1-0/+15
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-13NAT66: Do not translate if packet not aimed at outside interfaceJuraj Sloboda1-0/+9
Change-Id: Id5a2a90d81cc9cb87cb6fb89ac2f4ca3cbcb51e2 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-11NAT44: fix setting of flag SNAT_SESSION_FLAG_LOAD_BALANCING (VPP-1235)Matus Fabian1-4/+12
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-10when deleting l3 static mapping with addr_only,ahdj0071-1/+4
lb session with the same user maybe deleted. Change-Id: Ie58579cf4f8babb594f3c44aa185720134c58c3d Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
2018-04-09NAT44: don't add static mapping to resolution vector if failed (VPP-1225)Matus Fabian1-3/+27
Change-Id: I71660eb327124179ff200763c4743cc81dc6e1c6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-04NAT added FIB entries have a preference lower than API/CLINeale Ranns1-6/+6
Change-Id: Ia99490180683e8649784f7d9d18c509c3ca78438 Signed-off-by: Neale Ranns <nranns@cisco.com>
2018-04-04NAT44: prohibit multiple static mappings for a single local address (VPP-1224)Matus Fabian1-0/+11
Change-Id: I32b30210c2f1aec10a1b614d04f427662326a3d2 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-04NAT44: fix static mapping for DHCP addressed interface deleting (VPP-1223)Matus Fabian1-4/+92
Change-Id: Ifb4d23059b7989c32a52eaf0c25c275b35e83010 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-28NAT44: make 1:1NAT for DHCP addressed interface persistentMatus Fabian1-22/+53
Static mapping is not deleted from resolution vector after address is set on interface. Change-Id: Ib7c45ca2e307123d101248c5a1b17d130ac32cd0 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-28NAT44: fix nat44_user_session_dump and nat44_del_session crash with one ↵Matus Fabian1-1/+1
worker (VPP-1213) Change-Id: I8e0c7ed2ff462b9ab59c233f56be262ec03c29ff Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-21NAT44: fix removal of LB static mappings with same local address and port ↵Matus Fabian1-5/+35
pair (VPP-1199) Change-Id: Iad8c626e83bbc58d5c85b6736f5a3dd5bc9ceafb Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-07NAT44: allow to configure one interface only as output or input feature ↵Matus Fabian1-0/+12
(VPP-1192) following is not possible: set interface nat44 out GigabitEthernet0/3/0 output-feature set interface nat44 out GigabitEthernet0/3/0 Change-Id: I1592cc18390881fda66f98316700886b8f5295f0 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-02-14NAT44: run NAT nodes after ACL (VPP-1160)Matus Fabian1-15/+15
NAT input features run after acl-plugin-in-ip4-fa NAT output features run after acl-plugin-out-ip4-fa Change-Id: I1e4487a0d6fdb99a90b8db640d9ad0e0eb7347a5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT66 1:1 mapping (VPP-1108)Matus Fabian1-0/+3
Support the 1:1 translation of source address for IPv6 Change-Id: I934d18e5ec508bf7422d796ee5f172b79c048011 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT44: in2out output feature skip translation for already translated packets ↵Matus Fabian1-1/+1
(VPP-1156) Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT44: Delete dynamic sessions matching new 1:1NAT (VPP-1158)Matus Fabian1-8/+52
Change-Id: Ib99b597502b8335e57ecfa122b12e2e5aa45ee1a Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-30NAT: replace format_vnet_sw_interface_name with format_vnet_sw_if_index_name ↵Matus Fabian1-5/+3
(VPP-1149) Avoid crash when interface was deleted. Change-Id: I2ac3031c13ca5ad3360495e1c4cb90b0002be5ff Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-25NAT44: add opaque string tag to static mapping APIs (VPP-1147)Matus Fabian1-6/+14
Change-Id: I620e2081285ca8ac5c2da8efc12fe6f540ea4fd1 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-25NAT: nat.c refactor (split out CLI) (VPP-1140)Matus Fabian1-1546/+9
Moved CLI from nat.c to nat44_cli.c Split "show nat44" to: show nat44 addresses show nat44 interfaces show nat44 static mappings show nat44 interface address show nat44 sessions detail show nat44 deterministic mappings show nat44 deterministic timeouts show nat44 deterministic sessions show nat workers Change-Id: I2d1be8941dd0e4a9e037f4a4d2cd192389beb8ed Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-24NAT44: asymmetrical static mapping and one-armed NAT (VPP-1138)Matus Fabian1-1/+10
One-armed NAT should work for asymmetrical static mappings without adding external address to the NAT44 pool. Change-Id: Ie886b75b55c3b552d1029a50bd967625fde80f09 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-23NAT44: Fix interface feature removal.Milan Lenco1-3/+14
Change-Id: Ie7cd809f30decc36cb8e1f4d8acc4b41f17cd390 Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>
2018-01-22NAT44: asymmetrical static mapping rule (VPP-1135)Matus Fabian1-18/+28
add option to NAT44 static mapping API/CLI to make rule asymmetrical (rule match only out2in direction) Change-Id: If262a3ff375a24d3059f0de1f1ac387a4fe09475 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-11NAT44: asymmetrical load balancing static mapping rule (VPP-1132)Matus Fabian1-15/+25
Add option to NAT44 load balancing static mapping API/CLI to make rule asymmetrical (rule match only in out2in direction). Change-Id: I325ecef5591e4bf44ce4469a24d44fe56c3bb2e9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-11Add basic support for DS-Lite CE (VPP-1059)Juraj Sloboda1-0/+3
Change-Id: Ifcca60da3f77c0a4959f98b3365c846badbdc2d0 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-01-08NAT: fixed get_worker_out2in bug (VPP-1116)Matus Fabian1-2/+6
Change-Id: I5e080d69f28661cc0b1846885d5001526b54fbd9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-05Add support for 464XLAT NAT44 mode (VPP-1045)Juraj Sloboda1-7/+42
Change-Id: I24e7a26972bbbfcea100292b212b29ae7a349335 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-12-21VPP-1109 Fix loop for some CLI (code review)Swarup Nayak1-0/+1
Change-Id: I518387ab479bee4778d45a33c95f7b0f72aa1b72 Signed-off-by: Swarup Nayak <swarupnpvt@gmail.com>
2017-12-20Translate matching packets using NAT (VPP-1069)Juraj Sloboda1-0/+68
Add API function which enables forwarding of packets not matching existing translation or static mapping instead of dropping them. When forwarding is enabled matching packets will be translated while non-matching packets will be forwarded without translation. Change-Id: Ic13040cbad16d3a1ecdc3e02a497171bef6aa413 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-12-19NAT: Twice NAT44 (VPP-969)Matus Fabian1-192/+508
Translation of both source and destination addresses and ports for 1:1 NAT session initiated from outside network (ExternalIP K8 use case). Change-Id: Ic0000497cf71619aac996d6d580844f0ea0edc14 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-18Fix nat44 identity mappingDave Barach1-0/+5
Set l_addr to the interface address if the interface address is known when the identity mapping is created. Change-Id: I61af0f5248c9d86d23a24457b342b2e1fb4ac726 Signed-off-by: Dave Barach <dave@barachs.net>
2017-12-13NAT64: multi-thread support (VPP-891)Matus Fabian1-27/+95
Change-Id: Iebf859b6d86482e4465423bad598eecf87e53ec4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-11call unformat_free in some flow, remove unnecessary callsSwarup Nayak1-8/+0
Change-Id: I565277eafbce3d4f59a7f0d497fca1c4fed3cfc8 Signed-off-by: Swarup Nayak <swarupnpvt@gmail.com>
2017-11-30NAT44: identity NAT (VPP-1073)Matus Fabian1-5/+105
Identity mapping translate an IP address to itself. Change-Id: Icc0ca5102d32547a4b0c75720b5f5bf41ed69c71 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-09Port restricted NAT44 (VPP-1048)Matus Fabian1-8/+136
For the MAP-E CE limit port choice based on PSID CLI: nat44 addr-port-assignment-alg map-e psid <n> psid-offset <n> psid-len <n> Change-Id: Iecceee61fca372cb5790c16993a82fbdc9930f0f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-07SNAT: IP fragmentation (VPP-890)Matus Fabian1-1/+7
Translation of fragmented packets. Change-Id: I9b1f2e9433ce273638080f32c2d3bff39c49899d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-07NAT: DS-Lite (VPP-1040)Matus Fabian1-13/+20
Dual-Stack Lite enables a broadband service provider to share IPv4 addresses among customers by combining two well-known technologies: IPv4-in-IPv6 and NAT. Change-Id: I039740f8548c623cd1ac89b8ecda1a6cc4aafb9c Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-26NAT: delete session API/CLI (VPP-1041)Matus Fabian1-0/+113
Administratively delete NAT44 session for specific inside/outside addresses and port pair. Change-Id: If5ab500ac3592c7153d6d8f2cc0297df7309fbc3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-25One armed NAT (VPP-1035)Matus Fabian1-16/+250
Use a single physical interface in order to accomplish NAT44/NAT64. Change-Id: I0c8138953a7a4075df306172e125abad771315e4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-14NAT: fix delete of sessions for 1:1 NAT if 1 worker (VPP-1023)Matus Fabian1-1/+1
Change-Id: I2446c646de7f227f9438dd7ef93a455ba5af0102 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-09NAT: hairpinning rework (VPP-1003)Matus Fabian1-1/+13
Change-Id: I7c6911cd6ac366fe62675fd0ff8b0246a25ea1db Signed-off-by: Matus Fabian <matfabia@cisco.com>