Age | Commit message (Collapse) | Author | Files | Lines |
|
We must do lock fib while vrf id ~0, otherwise it crashes while unlocking fib.
Change-Id: Iec9754ccd67634a132bc5384a4f796d4a65943ae
Signed-off-by: jackiechen1985 <xiaobo.chen@tieto.com>
|
|
- Make plugin descriptions more consistent
so the output of "show plugin" can be
used in the wiki.
Change-Id: I4c6feb11e7dcc5a4cf0848eed37f1d3b035c7dda
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
In endpoint dependent mode, when a session at the head of a user
LRU is reused, if the IP protocol for that session was unknown (any
other than tcp, udp, or icmp), the attempt to delete the session
mapping from the in2out bihash was not using the same key that was
used when the mapping was added. This would cause the deletion of
the mapping to fail. If packets arrive later which match the original
session, the search for the session key would succeed when it should
have failed and the session, which is now associated with a different
pair of endpoints, may end up being updated when it should not be.
Update the key generation when reallocating an existing session to
do the right thing if the session is for an unknown protocol.
Also update format_nat_session() for unknown protocols so that
'vppctl show nat44 session detail' will display the protocol
correctly. In endpoint dependent mode, the IP protocol is stored in
the port field on a session if the protocol is unknown. The value
is stored in host byte order, but the format function was swapping
the bytes before writing the protocol.
Change-Id: I9e8daadd4569cb2610532dab4e4f41d1567cf3d1
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
When you create two identical NAT44 static mappings using interface
name as external address and only local or ext port is different,
VALUE_EXIST will be raised but when-resolved static mapping will
remain.
vpp# nat44 add static mapping tcp local 10.128.0.129 443 external GigabitEthernet0/8/0 8443
vpp# nat44 add static mapping tcp local 10.128.0.129 80 external GigabitEthernet0/8/0 8443
nat44 add static mapping: Mapping already exist.
vpp# show nat44 static mappings
NAT44 static mappings:
tcp local 10.128.0.129:443 external 2.2.2.2:8443 vrf 0
tcp local 10.128.0.129:443 external GigabitEthernet0/8/0:8443 vrf -1
tcp local 10.128.0.129:80 external GigabitEthernet0/8/0:8443 vrf -1
With this commit, when-resolved static mapping is not created if the
translation only differs in local or ext port.
Change-Id: Ifc960b9dc1371caa2a8d3206a80a0ffd10d293e4
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
When using the output feature ('postrouting') outbound translation,
no packets are passed when using worker threads. The frame queue for
in2out packets to be handed off between threads is never allocated.
This is because that allocation only happens if the value of
fq_in2out_output_index == ~0, but fq_in2out_output_index is never
initialized prior to checking that.
Initialize fq_in2out_output_index to ~0 so a frame queue will be
allocated when there are worker threads.
Change-Id: I0836685eb611348643c11ac7e4d0cab935a29384
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
session synchronization so that we can build a plain active-passive HA NAT pair
Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Change-Id: I9c562f8e3407ca60a4412a162015fa505b7590b6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Outside FIB index doesn't change in this case. We register
callback for changing of outside FIB if table binding is changed
on an interface.
Change-Id: I1ebbd7c3c547fc999089db07abd2019734395a6e
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
|
|
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Fixed NAT issues with dropping reverse packets in case NAT worked
in 'endpoint-dependent' mode and outside interface has FIB different
from 0 when the output-feature is set.
In this case, the out2in_ed dynamic hash key was not being created
correctly.
Change-Id: I6362967f4b09a375a4606eedaa8e264795b25453
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
|
|
Change-Id: I0ee80c7bec59d3e9c69e92e6cf0af1a6864a4ec4
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I41a82e21571d5c64d01af72cd88c3983afac26ed
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I5419e06592b0402e911e132796368800321f355a
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Iab506f127136c94a641df31ded108016de26260b
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
pool (VPP-1485)
Change-Id: Iaa404361eac2a6612dcdaba3f73bae41a35c5446
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: Ic4affc54d15d08b9b730f6ec6146ee053b28b4b6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I630f3da1ea4e6e50a50f1352c097becef1efe3c0
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Change-Id: Ied0fc50f1afb0f7fc563784544699726a6d03380
Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
|
|
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation.
If the negotiated MSS value is greater than the configured value it is changed
to the configured value. If the negotiated MSS value is smaller than the
configured value it remains unchanged.
Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
which can create dead loop in
nat_alloc_addr_and_port_default function
Change-Id: I468c25ce0f0a0b3f881de564623dea208b2ca700
Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
|
|
Change-Id: I6882b6daa05db866fe6e78a62b380ec331507f74
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Enable client-IP based session affinity per LB NAT rule with specific timeout.
Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired
sessions. When inserting to session lookup hash and bucket is full, expired
session is overwritten.
Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I85383e428cb54c4c09ab387811dd6390f7c61d97
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
outside address and port
Change-Id: Ie5452350a8ebe2c1b62085fcab50dbc0138d3ae2
Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
|
|
Should not enable nat44-hairpinning node in deterministic mode
Change-Id: I5790323a6842ee71a62c6c91c49166a2839eac12
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
-- The session should not be deleted when either ip address or port doesn't same with static mapping.
Change-Id: I09ab7379947654d2780a8c40c5340ce430541b12
Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
|
|
Change-Id: I756e3ad3de9ffe1494221ef95c1943c8591f8f50
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Add support for local backends in multiple VRFs for load-balancing NAT rules.
Change-Id: I64e6818bd67a7e69985003498cf1f16f7200c334
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Iad7e0337a577ef8a0dfb7bde1968cc115d176043
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I56eb15f8fd2d3049845287dc3df7870582764f8b
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
To enable NAT plugin endpoint dependent mode add following to statrup config:
nat { endpoint-dependent }
Enable endpoint dependent filtering and mapping for all sessions.
Move some existing functionality such as service load balancing, twice nat,
out2in-only static mappings and unknown protocol dynamic translations, which
use endpoint dependent lookup hash tables before. Basically split to vanilla
NAT44 and extra features NAT44.
Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Idd65c6d0489bf83984a2c34d22d3f94000fc7018
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
the ip4-dhcp-client-detect feature MUST run prior to nat44-out2in, or
inbound dhcp broadcast packets will be dropped. Certain dhcp servers
answer lease renewal dhcp-request packets with broadcast dhcp-acks, leading
to unrecoverable lease loss.
In detail, this constraint:
VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-out2in",
.runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
};
doesn't get the job done:
ip4-unicast:
[17] nat44-out2in
[23] ip4-dhcp-client-detect
[26] ip4-not-enabled
Add a proper constraint:
VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-out2in",
.runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
"ip4-dhcp-client-detect"),
};
and the interface feature order is OK, at least in this regard:
ip4-unicast:
[17] ip4-dhcp-client-detect
[18] nat44-out2in
[26] ip4-not-enabled
We need to carefully audit (especially) the ip4-unicast feature arc,
which has [gasp] 37 features on it!
Change-Id: I5e749ead7ab2a25d80839a331de6261e112977ad
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I6306b81e0e1c3e1c591f929a76bb265c1c1d0859
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Icd42abf4e35db550df496592cffce655f1987d68
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I228728bacfca6056dc409a96de1bffb9cadcd3e6
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
When enabled then Twice-NAT is applied only when
source IP equals destination IP after DNAT
Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Id5a2a90d81cc9cb87cb6fb89ac2f4ca3cbcb51e2
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|