summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat.c
AgeCommit message (Collapse)AuthorFilesLines
2021-02-24nat: Final NAT44 EI/ED split patchFilip Varga1-4246/+0
This patch achieves complete separation of endpoint-dependent and endpoint-independent IPv4 NAT features. Some common stuff is also moved to NAT library. Type: refactor Change-Id: I52468b7e2b5ac28958a2baf8e2ea01787322e801 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-02-10nat: fix EI hairpinning thread safetyKlement Sekera1-0/+18
Avoid doing inter-thread reads without locks by doing a handoff before destination address rewrite. Destination address is read from a session which is possibly owned by a different thread. By splitting the work in two parts with a handoff in the middle, we can do both in a thread safe way. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I1c50d188393a610f5564fa230c75771a8065f273
2021-02-09nat: bump default max translations to 63KKlement Sekera1-1/+1
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ibea7ec844d1d910e8a3235e11154b1ecea8302ac
2021-02-05nat: configurable handoff frame queue sizeElias Rudberg1-4/+18
Make number of worker handoff frame queue elements configurable as a set nat frame-queue-nelts command. The default value is 64 which is the same value that was previously hard-coded. The idea is that allowing larger values can be useful in some cases, to avoid congestion drops. Also add nat_set_fq_options API support and a corresponding test case. Type: improvement Change-Id: I5c321eb2d7997f76fac2703d9c4a5b2516375db3 Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
2021-02-04nat: reduce number of hash tables for EI NATKlement Sekera1-27/+25
Making code more simple and storing thread index along with session index as a preparation step for fixing thread safety patches. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib0c531e9f1f64b1f1ee912d4a83279200638e931
2021-01-18nat: deal with flows instead of sessionsKlement Sekera1-177/+425
This change introduces flow concept to endpoint-dependent NAT. Instead of having a session and a plethora of special cases in code for e.g. hairpinning, twice-nat and others, figure all this out and store it in flow logic. Every flow has a match and a rewrite part. This unifies all the NAT packet processing cases into one - match a flow and rewrite the packet based on that flow. It also provides a cure for hairpinning dilemma where one part of the flow is on one worker and another on a different one. These cases are also sped up by not requiring destination adress lookup every single time to be able to rewrite source nat as this is now part of flow rewrite logic. Type: improvement Change-Id: Ib60c992e16792ea4d4129bc10202ebb99a73b5be Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-01-11nat: refactor and split fo EI/ED features p.2Filip Varga1-256/+270
Patch n. 2 aimed at moving EI features out of NAT44 plugin & split of EI/ED functions. Type: refactor Change-Id: Ida20c1c084449b146344b6c3d8442f49efb6f3fa Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-01-05nat: refactor and split fo EI/ED featuresFilip Varga1-829/+17
This patch is aimed at moving EI features out of NAT44 plugin & split of EI/ED functions. Type: refactor Change-Id: I63cf70a264ed2512708fe92665d64f04690783d0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-12-16nat: refactor & MW support for NAT testsFilip Varga1-6/+3
Split ED and EI nat44 test cases. Added multi worker support for ED test cases. Type: refactor Change-Id: Ibcc2f62b94cacff69ed35c5d914b55f9fdbcf882 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-12-15nat: set out2in-dpo during plugin enablingAlexander Chernavin1-0/+1
Type: fix Change-Id: Ie41e2fb9393bf63099519150bb158b830d2c0d87 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-12-14misc: refactor clib_bitmap_foreach macroDamjan Marion1-7/+7
Type: refactor Change-Id: I077110e1a422722e20aa546a6f3224c06ab0cde5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-14misc: move to new pool_foreach macrosDamjan Marion1-77/+77
Type: refactor Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-03nat: fix forwarding handoff workaroundFilip Varga1-0/+1
A special case when out2in packet needs to be handoffed to other worker thread. We are not able to determine which thread they belong to in the first processing of nat handoff node. These packets needs to go through out2in slowpath before we are able to tell where to handoff them. Type: fix Ticket: VPP-1941 Change-Id: I7173bda970ce6a91d81f48fc72aa2457586a076f Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-26nat: fix testsFilip Varga1-0/+2
Fixed nat_ha and ipfix tests. Removed obsolete tests and moved extended tests to standard tests. Type: fix Change-Id: I2d7f4c4fa4c52a4aa10d70c956e085a0fe00b911 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-13nat: cleanup & reorganizationFilip Varga1-6/+3
Fixed compatibility issue between nat ei and nat ed modes. Moved nat syslogging to nat librarry. Deprecating apis that will be integrated in upcoming candidate configuration patch. Type: refactor Change-Id: I334b1b05b81b74667c5c76a05f768442e0dcf7e8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-13nat: api,cli and test update & cleanupFilip Varga1-294/+249
Cleanup of print functions in api file, splitting functionality of cleanup callbacks for ED and EI NAT. Updating and fixing API & CLI calls. Type: refactor Change-Id: I7a9dc4c8b1d2ca29db4754be7dfa4f698942127a Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-03nat: bihash: fix buckets calc and remove mem paramKlement Sekera1-46/+25
Calculate bihash buckets as n_elts / 2.5 rounded to closest pow2 per Damjan's recommendation. Remove memory configuration parameters because bihash init ignores them anyway as it resides in main heap now. Type: improvement Change-Id: I189f463f3c4640106cce4f12d3c5a62969276a82 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-10-28misc: Break the big IP header files to improve compile timeNeale Ranns1-0/+1
Type: refactor Signed-off-by: Neale Ranns <neale.ranns@cisco.com> Change-Id: Id1801519638a9b97175847d7ed58824fb83433d6
2020-10-26nat: nat44 cli command fixFilip Varga1-2/+1
Type: fix Change-Id: I4aa0dac544582703316cbcfabe67bcb7dc24d4f7 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-23nat: nat44 enable/disable dynamic configFilip Varga1-357/+530
This patch changes initialization and configuration of NAT plugin. Instead of allocating data structures at vpp plugin initialization phase allocation and configuration happens after calling enable API or CLI call. This reduces base VPP memory footprint and also enables dynamic reconfiguration of the NAT plugin. Type: improvement Change-Id: I42c069ee19a0311d043ac1f3f230d87bc8d2680f Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-16nat: error in input parameter of init_nat_kDengfeng Liu1-1/+1
Type: fix Signed-off-by: Dengfeng Liu <liudf0716@gmail.com> Change-Id: I3e7ee771d0cf5b7b1b9fbbc833776d523dfa9f09
2020-10-12nat: set fib index for bypass sessionVladimir Isaev1-0/+1
Bihash key already contains rx_fib_index for lookup but fib value for session itself is set to 0. In the result bihash is allocated with key with fib index set, but free function is looking for key with fib index set to zero. It leads to use-after-free because session itself is removed from pool but bihash is not because of key mismatch. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: I8ac5a41b0a5a32b1baab9e9d757141d5b24b7798
2020-10-09nat: ipfix logging separation & refactorFilip Varga1-19/+19
Type: refactor Change-Id: I8785e4987e4f60361072440d0c3c6954c9c12394 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-07nat: move nat64 to a subfeatureFilip Varga1-27/+0
Type: refactor Change-Id: I3b9e17164647d2019b1f40cffeed63393345219e Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-09-11nat: Fix next feature for ED with multiple workersVladimir Isaev1-1/+8
Multiple (> 1) workers leads to handoff node being enabled. This node pops next feature index to nat.arc_next to make sure that packet will be pushed to the next feature in the arc. But node nat44-ed-in2out-output also pops next feature and changes arc_next. So actual next feature will be skipped in that case. It leads to all nat44-ed-in2out packets being dropped if we have multiple workers (handoff node enabled). To resolve this a new node was added (nat-pre-in2out-output) to fill arc_next in single worker case and multiple worker case is already handled by handoff node. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: I9dfba68f00164d2d5ab867224871811bef4411ed
2020-09-02nat: twice-nat static mapping pool addressFilip Varga1-20/+41
Let twice-nat static mapping pick specific address from the twice-nat pool. Type: improvement Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-20nat: fixed cli nat summary and nat limitFilip Varga1-19/+58
Type: fix Change-Id: I78017b02015116f93b579c7381119f618351c98d Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-17nat: sessions get expired when fib table removedFilip Varga1-1/+96
fib table removal would leave lingering sessions in vpp this patch is aimed at solving this issue by grouping sessions by source and destionation fib. if one of the fibs gets removed this grouping is tagged as expired and session won't be passed to non existing fib table Ticket: VPPSUPP-93 Type: improvement Change-Id: I45b1205a8b58d91f174e6feb862554ec2f6cffad Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-13nat: move deterministic nat to det44 sub featureFilip Varga1-122/+60
Type: refactor Change-Id: I0bb203102a0e13dd7448e2125925ab356bbd7937 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-13nat: remove non-error error countersKlement Sekera1-0/+67
Some statistics counters were implemented as error counters. Move them to stat segment, where they belong. Type: improvement Change-Id: I5600bec1b4e0496282297374ec1e79d909cdaf8a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-07-23nat: fix port number selectionElias Rudberg1-2/+2
Change the port number selection for new NAT sessions so that it matches how the thread index is calculated from the port number for out2in packets. Before this change there was a problem when the largest port number in the range was used, that resulted in the wrong thread index being selected when out2in packets arrive for that session. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I936c389eb0d5df6168e18e5e44754de1cdad6ad1 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-07-02nat: nat66 to pluginOle Troan1-8/+0
Type: refactor Change-Id: I8c1f0c02a4522c1f9e461ddadd59938579ec00c6 Signed-off-by: Ole Troan <ot@cisco.com>
2020-06-16nat: improve outside port selection & perfKlement Sekera1-8/+0
Prefer using source port form packet as outside port if possible. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5c25f6a42386f38c9a6cc95bd7dda9f090b49817
2020-06-11nat: properly scale out2in-ed hash on initKlement Sekera1-1/+3
Type: fix Fixes: a1018c166a468f7692ab621c743503914266f508 Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I86592f73a60fd146d3764e474f975881e940c244
2020-06-11nat: simplify bihash buckets/mem configKlement Sekera1-18/+78
Derive reasonable values from max translations/max users. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I41a96ab63ab138b4160cd60bd6df24fc73791c86
2020-06-08nat: more long read after short write optimizationKlement Sekera1-310/+215
Replace whitespread (mis)use of snat_session_key_t by proper function arguments where applicable and inline functions to calculate hash keys instead of using structs for that. Make all hash tables use same network byte order port so that there is no longer a discrepancy between static mappings using host byte order while in2out/out2in tables using network byte order. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I80786d2f947c67824c101a13bb608f1fe1080f34
2020-06-04nat: fixed input validationFilip Varga1-9/+0
Ticket: VPP-1887 Type: fix Change-Id: I341ac7b455926a106d736f4de6771aae655db82e Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-15misc: removed executable bits from source filesRay Kinsella1-0/+0
Identified and removed executable bit from source files in the tree. find . -perm 755 -name *.[ch] -exec chmod a-x {} \; Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I00710d59fcc46ce5be5233109af4c8077daff74b
2020-05-14nat: remove unused codeKlement Sekera1-2/+0
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I95286d6723fd1860bf6bb0e81c474d732ab25121
2020-05-14nat: ED: store both thread&session idx in hashKlement Sekera1-85/+123
By storing thread and session index in hash table we are able to skip multiple hash lookups in multi-worker scenario, which were used for handoff before. Also, by storing sesion index in vnet_buffer2, we can avoid repeating the lookup after handoff. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I406fb12f4e2dd8f4a5ca5d83d59dbc37e1af9abf
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera1-71/+34
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-13nat: perf improvement - replace branchy codeKlement Sekera1-47/+47
Use a lookup table instead. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
2020-05-13nat: handoff next node feature fixFilip Varga1-15/+9
Type: fix Change-Id: I14e323e7bb1db7a3d40668212535c07504374e59 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-08nat: fix per thread data vlib_main_t usage take 2Ole Troan1-18/+4
The original fix access vlib_main before these was initialized. Removed cached vlib_mains structure. Type: fix Fixes: 9bb09afb56b1aa787ca574cc732085272059fd5f Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I686bab9220e27891f66bf60489c1602855786aa8 Signed-off-by: Ole Troan <ot@cisco.com>
2020-05-07nat: remove duplicate line of codeKlement Sekera1-1/+0
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I3c914d5c457df40205280ac589a2d353261343d5
2020-05-07nat: fix per thread data vlib_main_t usageFilip Varga1-10/+21
Type: fix Change-Id: If6784c9eb278f525e05304d10fd1a00641faaaf0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-06nat: enable force session cleanupFilip Varga1-44/+71
Force session cleanup drops NAT db. Also fixing user specific cli/api calls. Type: improvement Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-04nat: per vrf session limitsFilip Varga1-1/+22
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-27nat: improve perf - long read after short writeKlement Sekera1-111/+134
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idbbad246161d28f595c25e10d7282c8b33fa9876
2020-04-24nat: ignore user hash in ED NATKlement Sekera1-175/+159
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>