summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat.h
AgeCommit message (Collapse)AuthorFilesLines
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera1-18/+10
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-13nat: perf improvement - replace branchy codeKlement Sekera1-24/+11
Use a lookup table instead. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
2020-05-13nat: handoff next node feature fixFilip Varga1-2/+3
Type: fix Change-Id: I14e323e7bb1db7a3d40668212535c07504374e59 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-08docs: fix merge damage in nat.hDave Wallace1-4/+0
Type: fix Fixes: b5a575b09 Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I22d35159a923075243df9760f1a74e2ca74e30e1
2020-05-08nat: fix per thread data vlib_main_t usage take 2Ole Troan1-3/+0
The original fix access vlib_main before these was initialized. Removed cached vlib_mains structure. Type: fix Fixes: 9bb09afb56b1aa787ca574cc732085272059fd5f Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I686bab9220e27891f66bf60489c1602855786aa8 Signed-off-by: Ole Troan <ot@cisco.com>
2020-05-07nat: fix per thread data vlib_main_t usageFilip Varga1-32/+34
Type: fix Change-Id: If6784c9eb278f525e05304d10fd1a00641faaaf0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-06docs: clean up make docs jobPaul Vinciguerra1-9/+23
Type: docs Change-Id: I9b5e5137eb4c1e89f6e8d7a278cd11a0fd496471 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-06nat: enable force session cleanupFilip Varga1-1/+15
Force session cleanup drops NAT db. Also fixing user specific cli/api calls. Type: improvement Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-04nat: per vrf session limitsFilip Varga1-0/+13
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-28nat: remove unused codeKlement Sekera1-9/+0
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I0f82d937b4829e5a7f074d4d566fa49319a11716
2020-04-27nat: improve perf - long read after short writeKlement Sekera1-17/+0
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idbbad246161d28f595c25e10d7282c8b33fa9876
2020-04-24nat: ignore user hash in ED NATKlement Sekera1-3/+2
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-24nat: make usage of vnet_buffer2 transparentKlement Sekera1-8/+0
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I50df248afb3f6b46c49e6695b3f124cfd584f016
2020-04-24nat: ED: reduce number of hash tables usedKlement Sekera1-23/+2
Use out2in_ed hash table for port overloading tracking instead of global table. This reduces number of hash insertions in slowpath. Type: improvement Change-Id: Iad4e897d52033beb7f6d76a7ddb596eef586c6cb Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-20nat: remove unused codeKlement Sekera1-14/+0
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: If5c00faa309cf3e1ea8bdf8b23250041f6a499c4
2020-04-16nat: scavenging functionality removedFilip Varga1-13/+0
Type: refactor Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-08nat: use correct data types for memory sizesKlement Sekera1-2/+2
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Id2d181385f109163d4c806eecda166c2087c4b92
2020-04-08nat: ED: global session LRU listKlement Sekera1-0/+8
Maintain a global session LRU allowing reuse of expired session instead of relying on a scavenging mechanism to periodically walk sessions. Whenever a new session is being allocated in slow path, also attempt to free an expired session from global LRU list. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
2020-04-07nat: ED: port re-use algorithmKlement Sekera1-1/+25
Type: fix Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-07nat: don't drop packet for expired sessionKlement Sekera1-2/+0
If session is expired, the packet which we just received might be a one, which legitimely creates a new session, process it in slow path instead to decide the outcome. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I45628f52d37ae9dee5e8aa58171ff0b86f91f5dd
2020-03-26nat: transitory timeout for TCP CLOSED stateKlement Sekera1-9/+3
Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857. This patch implements this functionality for endpoint-dependent NAT. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-25nat: fix error countersKlement Sekera1-0/+6
Type: fix Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-3/+28
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-03-11nat: dslite plugin separationFilip Varga1-1/+0
Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I81546423200cc7f8a06b527dac8ead191a9e0519
2020-02-20nat: avoid running pointless session cleanupsKlement Sekera1-0/+3
Save the next session timeout when sweeping sessions for cleanup so that we can avoid unnecessary runs of the sweeping algorithm. Type: fix Change-Id: I736d00f2dfe242af10f963fbe34b11128f8b0613 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-02-05nat: move dslite to separate sub-pluginOle Troan1-5/+0
Type: refactor Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7 Signed-off-by: Ole Troan <ot@cisco.com>
2020-01-03nat: use SVRKlement Sekera1-13/+15
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-12nat: session cleanup fixFilip Varga1-2/+2
Ticket: VPP-1795 Type: fix Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-12-04fib: Decouple source from priority and behaviourNeale Ranns1-0/+4
Type: feature the fib_source_t enum alone no longer defines the priority and behaviour, instead each source must be allocated these attributes. This allows the creation of other sources by the plugins (and soon over the API). Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I890ee820fbc16079ee417ea1fbc163192806e853
2019-11-19nat: respect arc features (multi worker)Filip Varga1-0/+54
Type: fix Ticket: VPP-1747 Change-Id: If282aae3e584d7017c200f897b99c8a37eb1b2e5 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-08-22nat: handoff traffic matching for dynamic NATFilip Varga1-2/+139
Type: feature Change-Id: I5c5af6f9acb340cc674323305104b8ce23e6d21d Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-07-31nat: elog rewrite for multi-worker supportFilip Varga1-0/+101
Type: fix Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2019-04-24NAT: VPP-1531 api cleanup & updateFilip Varga1-0/+18
Change-Id: I2492400a67b39a3adbc24ab7cf1ba17a409e95a8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-04-23Revert "NAT: VPP-1531 api cleanup & update"Ole Trøan1-18/+0
This reverts commit bed1421b9f1b3643d93384084972337b596aec73. /vpp/master3/src/plugins/nat/nat_api.c: In function ‘send_nat_worker_details’: /vpp/master3/src/vppinfra/clib.h:62:33: error: division ‘sizeof (u8 * {aka unsigned char *}) / sizeof (u8 {aka unsigned char})’ does not compute the number of array elements [-Werror=sizeof-pointer-div] #define ARRAY_LEN(x) (sizeof (x)/sizeof (x[0])) ^ /vpp/master3/src/plugins/nat/nat_api.c:205:43: note: in expansion of macro ‘ARRAY_LEN’ rmp = vl_msg_api_alloc (sizeof (*rmp) + ARRAY_LEN (w->name) - 1); ^~~~~~~~~ Change-Id: Ie82672c145fb2f6580827f95e535435307bc7a23 Signed-off-by: Ole Troan <ot@cisco.com>
2019-04-23NAT: VPP-1531 api cleanup & updateFilip Varga1-0/+18
Change-Id: I519d7efc8ee3c86381d96be2e2a46017cd948895 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-03-28Typos. A bunch of typos I've been collecting.Paul Vinciguerra1-3/+3
Change-Id: I53ab8d17914e6563110354e4052109ac02bf8f3b Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-02-27NAT44: active-passive HA (VPP-1571)Matus Fabian1-3/+6
session synchronization so that we can build a plain active-passive HA NAT pair Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-18NAT: VPP-1552 code migration from old multiarch schemeFilip Varga1-2/+25
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28 Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-12-20NAT: total users and sessions gauges (VPP-1484)Matus Fabian1-0/+4
Change-Id: I41a82e21571d5c64d01af72cd88c3983afac26ed Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-12-18NAT44: nat44_add_del_lb_static_mapping enhancements (VPP-1514)Matus Fabian1-0/+5
Change-Id: I5419e06592b0402e911e132796368800321f355a Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-29NAT: syslog - sessions logging (VPP-1139)Matus Fabian1-0/+3
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-22NAT44: Apply transitory timeout on TCP RST (VPP-1494)Matus Fabian1-0/+1
RFC7857 section 2.2. Change-Id: I031af5fe379b72262e83fd8565c34fa1b772f2c8 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-19NAT44: fix bug in TCP close with output-feature interface (VPP-1493)Matus Fabian1-0/+7
Change-Id: If8c883d6b1ee58de9a03012d3567ec82211a0225 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-12NAT44: identity NAT fix (VPP-1441)Matus Fabian1-0/+7
Change-Id: Ic4affc54d15d08b9b730f6ec6146ee053b28b4b6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-08NAT44: do not create session record for identity mapping (VPP-1439)Matus Fabian1-18/+44
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-24NAT44: endpoint-dependent mode session timeout improvement (VPP-1423)Matus Fabian1-1/+1
Change-Id: I630f3da1ea4e6e50a50f1352c097becef1efe3c0 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-21NAT: Refactoring / Housekeeping (VPP-1415)Matus Fabian1-220/+592
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-13NAT: TCP MSS clampingMatus Fabian1-0/+4
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation. If the negotiated MSS value is greater than the configured value it is changed to the configured value. If the negotiated MSS value is smaller than the configured value it remains unchanged. Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-04NAT: add support for configurable port range (VPP-1346)Matus Fabian1-0/+19
Change-Id: I6882b6daa05db866fe6e78a62b380ec331507f74 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03NAT44: client-IP based session affinity for load-balancing (VPP-1297)Matus Fabian1-2/+18
Enable client-IP based session affinity per LB NAT rule with specific timeout. Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806 Signed-off-by: Matus Fabian <matfabia@cisco.com>