summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat44-ed
AgeCommit message (Collapse)AuthorFilesLines
2023-09-13nat: fix nat44_ed set_session_limit crashVladislav Grishenko1-8/+4
Setting session limit should return error for unknown fib. Optimize max_translations_per_fib expanding and drop unnecessary trailing fib entry. Type: fix Change-Id: Ie7d2b363ade48f53598faa617a49cce7b2db6400 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2023-09-06nat: improve nat44-ed outside address distributionVladislav Grishenko1-1/+3
Use client address hash to pick the first outside address instead of just address high octet, becasue it may denegerate into stable 10/172/192, depending on nat address count. Fix outside address distribution test to acually test the distribution, not the algo, so previous distribution will fail with 65 nat addresses and 100 clients: FAIL: Outside address distribution based on source address Traceback (most recent call last): File ".../test/test_nat44_ed.py", line 2048, in test_outside_address_distribution msg="Bad outside address distribution") AssertionError: 156.25 not less than 0.33 : Bad outside address distribution Type: improvement Change-Id: I604b1294422f20d211db5614c47559557a78a193 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2023-08-26nat: nat44-ed bug fixWei Li1-3/+4
fix lb static mapping "nat44_ed_sm_o2i_add" laddr and lport Type: fix Signed-off-by: Wei Li <realbaseball2008@gmail.com> Change-Id: I249a00919e8154d92cbce03f6db196c13612948f
2023-08-26nat: nat44-ed cli bug fixWei Li1-1/+5
lport and eport in Cli "nat44 add load-balancing static mapping" should hton() Type: fix Signed-off-by: Wei Li <realbaseball2008@gmail.com> Change-Id: I2eadb7e341efb70cc406e10b3b189e5ebff09ff4
2023-08-18nat: documention fixSteven Luong1-4/+4
s/nat44 enable sessions/nat44 plugin enable sessions/ Type: docs Change-Id: I93dbd161f085bff5b98df50cd29c9bedf5038307 Signed-off-by: Steven Luong <sluong@cisco.com>
2023-07-21vcl: ldp support SO_ORIGINAL_DSTqinyang1-0/+42
Type: improvement Support SO_ORIGINAL_DST socket option to get original dst_ip4 and dst_port if nat44 rule enabled. Change-Id: If00e00d03e48f3b78a23a68f1b078954d79dd0f7 Signed-off-by: qinyang <qiny@yusur.tech>
2023-06-02api: nat44_ed - Mark old message versions as deprecatedOndrej Fabry1-0/+10
List of changed messages: - nat44_add_del_static_mapping - nat44_user_session_dump - nat44_user_session_details - nat44_user_session_v2_dump - nat44_user_session_v2_details This change is part of VPP API cleanup initiative. Type: fix Signed-off-by: Ondrej Fabry <ofabry@cisco.com> Change-Id: I317ae93a0e763c3759a8c24fd550e1c97f6f4987
2023-04-13nat: distribute nat44-ed in2out sessions by rx vrfVladislav Grishenko1-1/+3
Nat in2out sessions are distributing among workers by client addresses. In case there's multiple client vrfs with very similar client addresses (usually from rfc1918), session distribution/load can be unfair just due similar hash. Let's take dynamic client fib_index into account, it'll affect external port range only, outside address picking has own address-based hash therefore not affected. Type: improvement Change-Id: I56ab2e1ce8dd27f2b1f9e7f22839ccf7774bfb82 Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2023-04-13nat: fix the wrong unformat typeTed Chen1-1/+1
The unformat type for "%d" should be u32 or int. Type: fix Signed-off-by: Ted Chen <znscnchen@gmail.com> Change-Id: I2483df6259ed8d3c7648c8db6345e5063ac8b57e
2023-04-13nat: adding a new api nat44_ed_vrf_tables_v2_dumpDaniel Béreš2-0/+76
Adding api nat44_ed_vrf_tables_v2_dump which may replace nat44_ed_vrf_tables_dump in the future. - fixing endianess Type: improvement Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech> Change-Id: I40d09ea3252589bdcb61db9f1629dacd87f69978
2023-03-31nat: fix nat44 vrf handlersDaniel Béreš1-2/+2
Change of enums used in REPLY_MACRO() to appropriate one for handlers: -vl_api_nat44_ed_add_del_vrf_table_t_handler -vl_api_nat44_ed_add_del_vrf_route_t_handler Type: fix Change-Id: I58e97817b1678da7c025c0d03a8b938a4e0f7b6c Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
2023-02-03nat: fix accidental o2i deletion/reuseDmitry Valter1-0/+6
Nat session is allocated before the port allocation. During port allocation candidate address+port are set to o2i 6-tuple and tested against the flow hash. If insertion fails, the port is busy and rejected. When all N attempts are unsuccessful, "out-of-ports" error is recorded and the session is to be deleted. During session deletion o2i and i2o tuples are deleted from the flow hash. In case of "out-of-ports" i2o tuple is not valid, however o2i is and it refers to **some other** session that's known to be allocated. By backing match tuple up session should be invalidated well enough not to collide with any valid one. Type: fix Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru> Change-Id: Id30be6f26ecce7a5a63135fb971bb65ce318af82
2023-01-11nat: do not use nat session object after deletionBenoît Ganne2-0/+10
Type: fix Change-Id: Ifc709b6e7217a893d13aee6d3019e699637366ef Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-12-19nat: fix incorrect using about sw_if_index in nat44-ed static mapping v2 api.Huawei LI1-1/+1
Type: fix Signed-off-by: Huawei LI <lihuawei_zzu@163.com> Change-Id: I2a96ab0dafe4db796704341c325c43a6960be312
2022-12-19nat: fix memory leak and refactor nat44-ed db init/free.Huawei LI1-22/+31
fix memory leak and refactor nat44-ed db init/free through. how to reproduce memory leak: input "set nat44 session limit 50000 vrf 1" repeatedly. Program received signal SIGABRT, Aborted. 0x00007ff4b3cc5337 in raise () from /lib64/libc.so.6 (gdb) bt 0 0x00007ff4b3cc5337 in raise () from /lib64/libc.so.6 1 0x00007ff4b3cc6a28 in abort () from /lib64/libc.so.6 2 0x00000000004079db in os_panic () at /usr/src/debug/vpp-23.02/src/vpp/vnet/main.c:417 3 0x00007ff4b43e784f in os_out_of_memory () at /usr/src/debug/vpp-23.02/src/vppinfra/unix-misc.c:221 4 0x00007ff4b43a71aa in clib_mem_heap_alloc_inline (heap=0x0, size=27263040, align=64, os_out_of_memory_on_failure=1) at /usr/src/debug/vpp-23.02/src/vppinfra/mem_dlmalloc.c:613 5 0x00007ff4b43a7256 in clib_mem_alloc_aligned (size=27263040, align=64) at /usr/src/debug/vpp-23.02/src/vppinfra/mem_dlmalloc.c:635 6 0x00007ff4b522fafa in alloc_aligned_16_8 (h=0x7ff46a7815b8 <snat_main+408>, nbytes=27262976) at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:59 7 0x00007ff4b522fd12 in clib_bihash_instantiate_16_8 (h=0x7ff46a7815b8 <snat_main+408>) at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:163 8 0x00007ff4b5230037 in clib_bihash_init2_16_8 (a=0x7ff465f36870) at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:245 9 0x00007ff4b52300ac in clib_bihash_init_16_8 (h=0x7ff46a7815b8 <snat_main+408>, name=0x7ff46a754871 "ed-flow-hash", nbuckets=262144, memory_size=0) at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:260 10 0x00007ff46a7013e8 in reinit_ed_flow_hash () at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed.c:3264 11 0x00007ff46a7014fd in nat44_ed_sessions_clear () at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed.c:3299 12 0x00007ff46a701044 in nat44_update_session_limit (session_limit=70000, vrf_id=1) at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed.c:3225 13 0x00007ff46a73d3d1 in nat44_set_session_limit_command_fn (vm=0x7ff473c8f740, input=0x7ff465f36ef0, cmd=0x7ff474c5ce48) at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed_cli.c:1638 14 0x00007ff4b5d56527 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740, cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=97) at /usr/src/debug/vpp-23.02/src/vlib/cli.c:650 15 0x00007ff4b5d562c3 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740, cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=98) at /usr/src/debug/vpp-23.02/src/vlib/cli.c:607 16 0x00007ff4b5d562c3 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740, cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=21) at /usr/src/debug/vpp-23.02/src/vlib/cli.c:607 17 0x00007ff4b5d562c3 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740, cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=0) at /usr/src/debug/vpp-23.02/src/vlib/cli.c:607 18 0x00007ff4b5d569cb in vlib_cli_input (vm=0x7ff473c8f740, input=0x7ff465f36ef0, function=0x7ff4b5dc2406 <unix_vlib_cli_output>, function_arg=0) ---Type <return> to continue, or q <return> to quit--- at /usr/src/debug/vpp-23.02/src/vlib/cli.c:753 19 0x00007ff4b5dc7b0c in unix_cli_process_input (cm=0x7ff4b5e4ae00 <unix_cli_main>, cli_file_index=0) at /usr/src/debug/vpp-23.02/src/vlib/unix/cli.c:2616 20 0x00007ff4b5dc825a in unix_cli_process (vm=0x7ff473c8f740, rt=0x7ff4797a5280, f=0x0) at /usr/src/debug/vpp-23.02/src/vlib/unix/cli.c:2745 21 0x00007ff4b5d80a25 in vlib_process_bootstrap (_a=140687718901968) at /usr/src/debug/vpp-23.02/src/vlib/main.c:1221 22 0x00007ff4b439e298 in clib_calljmp () at /usr/src/debug/vpp-23.02/src/vppinfra/longjmp.S:123 23 0x00007ff4698268a0 in ?? () 24 0x00007ff4b5d80b4e in vlib_process_startup (vm=0x7ff4b43a77a3 <clib_mem_size+24>, p=0x7ff4698268d0, f=0x7ff474b1e580) at /usr/src/debug/vpp-23.02/src/vlib/main.c:1246 25 0x00007ff4b5dbdbe6 in vec_max_bytes (v=0x8) at /usr/src/debug/vpp-23.02/src/vppinfra/vec_bootstrap.h:161 26 0x00007ff474b1e598 in ?? () 27 0x0000000000000004 in ?? () 28 0x00000000000000ff in ?? () 29 0x00007ff469826980 in ?? () 30 0x00007ff4b5dbddcb in _vec_set_len ( v=<error reading variable: Cannot access memory at address 0xfffffffffffffff5>, len=<error reading variable: Cannot access memory at address 0xffffffffffffffed>, elt_sz=<error reading variable: Cannot access memory at address 0xffffffffffffffe5>) at /usr/src/debug/vpp-23.02/src/vppinfra/vec_bootstrap.h:196 Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb) Type: fix Signed-off-by: Huawei LI <lihuawei_zzu@163.com> Change-Id: I52a7d229c95e4ab30f7f2cfe574440aa37bed6a2
2022-12-15nat: disable nat44-ed/ei features on interface deletionVladislav Grishenko1-0/+49
After deleting a sw interface with nat44 features, the next created sw interface will get the same sw_index reused and therefore will erroneously have the same nat features enabled. Type: fix Change-Id: I1d84f842ab7ab2a757668ae1a111efe67e1e924d Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-12-09nat: fixed return values of enable/disable callFilip Varga1-6/+6
NAT44 enable/disable return status was used instead of appropriate VNET_API_ERROR_ code. Type: fix Signed-off-by: Filip Varga <filipvarga89@gmail.com> Change-Id: If944866bf3061afdc91284c0ad475135e529bdc4
2022-11-07nat: fix per-vrf session bookkeepingJing Peng3-34/+26
Each NAT44 ED session has a per_vrf_sessions_index referencing an element in the thread-local vector per_vrf_sessions_vec. However this index can be possibly invalidated by vec_del1() in per_vrf_sessions_cleanup(), before a session is registered. Such a stale index can cause an assertion failure in function per_vrf_sessions_is_expired() when we use it to locate the per_vrf_sessions object. A possible sequence to reproduce is: 1. Create two NAT44 ED sessions s1, s2 so that two per_vrf_sessions are created: index 0: between VRF pair 10 and 11 (expired=0, ses_count=1) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s1->per_vrf_sessions_index == 0 s2->per_vrf_sessions_index == 1 2. Delete the first session via CLI, now the two per_vrf_sessions become: index 0: between VRF pair 10 and 11 (expired=0, ses_count=0) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s2->per_vrf_sessions_index == 1 3. Delete the VRF 11: index 0: between VRF pair 10 and 11 (expired=1, ses_count=0) index 1: between VRF pair 20 and 21 (expired=0, ses_count=1) For the sessions we have: s2->per_vrf_sessions_index == 1 4. Create a new session s3 between VRF pair 20 and 21 so that the first per_vrf_sessions will be deleted: index 0: between VRF pair 20 and 21 (expired=0, ses_count=2) For the sessions we have: s2->per_vrf_sessions_index == 1 s3->per_vrf_sessions_index == 0 Here, note that the actual index of per_vrf_session is changed due to vec_del1(). The new session is added after the cleanup so it gets the correct index. But the index held by the existing session is not updated. 5. Trigger the fast path of the session s2. To achieve this, session s2 could be created in step 1 by ping -i20 -Iiface_in_vrf_10 1.1.1.1 and steps 2-4 should then be performed within the 20-second interval. This patch fixes this by changing per_vrf_sessions_vec to a pool so that indicies are kept intact. Type: fix Signed-off-by: Jing Peng <jing@meter.com> Change-Id: I4c08f9bfd50134bcb5f08e50ad61af2bddbcb645
2022-11-07nat: fix byte order error.Huawei LI1-6/+4
fix byte order error about the struct snat_address_t's member net. for example configurations: set interface ip table loop1 1 set interface ip addr loop1 10.10.10.2/24 nat44 add address 10.10.10.2 tenant-vrf 1 the snat address's net should be "as_u8 = {0xa, 0xa, 0xa, 0x0}", but now it's "as_u8 = {0x0, 0xa, 0xa, 0x2}" because of missing transition of byte order about the member net of snat_address_t. (gdb) p/x *snat_main->addresses $3 = {addr = {data = {0xa, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a0a, as_u8 = {0xa, 0xa, 0xa, 0x2}, as_u16 = {0xa0a, 0x20a}, as_u32 = 0x20a0a0a}, net = {data = {0x0, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a00, as_u8 = {0x0, 0xa, 0xa, 0x2}, as_u16 = {0xa00, 0x20a}, as_u32 = 0x20a0a00}, sw_if_index = 0x3, fib_index = 0x1,addr_len = 0x18} (gdb) Type: fix Signed-off-by: Huawei LI <lihuawei_zzu@163.com> Change-Id: I4f25f0639ae90a7f2e8715b44f825571283d994d
2022-11-04nat: cleanup of deprecated featuresFilip Varga3-296/+0
Type: refactor 1) Removed deprecated API. - These specific APIs do not have repleacement because features that they controled aren't part of current NAT44-ED implementation anymore. 2) Removed unused typedef of port allocation funciton. - Missed left over removed. Change-Id: Ib3f763449065eda7cdcb2c6565a9cae51baf23d6 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2022-10-11nat: report time between current vpp time and last_heardDave Cornejo2-0/+137
existing details report the last_heard as the seconds since VPP started, this is not very useful, so report additionaly time_since_last_heard in seconds between VPP time and last_heard. Change-Id: Ifd34b1449e57919242b1f0e22156d3590af3c738 Type: improvement Signed-off-by: Dave Cornejo <dcornejo@netgate.com> Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
2022-09-20nat: adding docs for nat44-ed sub pluginFilip Varga1-0/+729
Type: docs Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056 Signed-off-by: Filip Varga <fivarga@cisco.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-09-15nat: fix nat44-ed port range with multiple workersVladislav Grishenko4-8/+15
The number of available dynamic ports is set to (0xffff - 1024) = 64511, which is not divisable by the pow2 number of workers - the only integer divisors are 31 and 2081. So, total dynamic port range of all workers will be less than it: 1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536 2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535 4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533 8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529 ... As seen, with multiple workers there are unused trailing ports for every nat pool address and that is the reason of out-of-bound index in the worker array on out2in path due (port - 1024) / port_per_thread math. This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets to unused ports will go to existing worker and dropped there. Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6: 6. Port Number Ranges o the System Ports, also known as the Well Known Ports, from 0-1023 (assigned by IANA) o the User Ports, also known as the Registered Ports, from 1024- 49151 (assigned by IANA) o the Dynamic Ports, also known as the Private or Ephemeral Ports, from 49152-65535 (never assigned) According that let's allocate dynamic ports from 1024 and have full port range with a wide range of the workers number - 64 integer divisors in total, including pow2 ones: 1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536 2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536 3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536 4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536 5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534 6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536 7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536 8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536 ... Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required when the numbers of workers is not the integer divisor of 64512. Type: fix Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
2022-09-09nat: fix nat44-ed-in2out fast path next nodeJing Peng1-1/+1
When a session is found expired, the next node of in2out fast path should be in2out slow path instead of out2in slow path. Type: fix Signed-off-by: Jing Peng <jing@meter.com> Change-Id: If1dd920502089c25b33bea5434823b0496a44499
2022-08-31nat: fix coverity 249194Andrew Yourtchenko1-1/+1
Zero-initialize a variable. Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: Iccf2eb4bf26755d6cd93fc70df3c5481d69ce7eb
2022-08-31nat: fix coverity 249178Andrew Yourtchenko1-1/+1
Zero-initialize the variable Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Change-Id: I4ee127ac3e2a3beffa11bbc96db1f3254b3f7c5d
2022-08-29nat: fix coverity 249202Benoît Ganne1-2/+2
In case of a bad packet, the bihash kv is not initialized before being copied in the trace. Make sure it is initialized to 0. Type: fix Change-Id: I22fcfe99f3586d0fa128493059547a56557b8fb5 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2022-08-16nat: fix potential out-of-bound worker array indexJing Peng1-6/+4
In several NAT submodules, the number of available ports (0xffff - 1024) may not be divisible by the number of workers, so port_per_thread is determined by integer division, which is the floor of the quotient. Later when a worker index is needed, dividing the port with port_per_thread may yield an out-of-bound array index into the workers array. As an example, assume 2 workers are configured, then port_per_thread will be (0xffff - 1024) / 2, which is 32255. When we compute a worker index with port 0xffff, we get (0xffff - 1024) / 32255, which is 2, but since we only have 2 workers, only 0 and 1 are valid indices. This patch fixes the problem by adding a modulo at the end of the division. Type: fix Signed-off-by: Jing Peng <pj.hades@gmail.com> Change-Id: Ieae3d5faf716410422610484a68222f1c957f3f8
2022-04-21nat: tweak rfc7857 tcp connection trackingOle Troan4-292/+61
The RFC7857 state machine introduced in 56c492a is a trade-off. It tries to retain sessions as much as possible and also offers some protection against spurious RST by re-establishing sessions if data is received after the RST. From experience in the wild, this algorithm is a little too liberal, as it leaves too many spurious established sessions in the session table. E.g. a oberserved pattern is: client server <- FIN, ACK ACK -> ACK -> RST, ACK -> With the current state machine this would leave the session in established state. These proposed changes do: - require 3-way handshake to establish session. (current requires only to see SYNs from both sides) - RST will move session to transitory without recovery if data is sent after - Only a single FIN is needed to move to transitory Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea Signed-off-by: Ole Troan <ot@cisco.com>
2022-04-05nat: nat44 cli bug fixFilip Varga4-34/+30
Two similar CLI paths "nat44" and "nat44 add interface address" caused unexpected behavior. If "nat44 add interface address" command would fail the vlib cli processing function would call "nat44" handler. This would also clean any previously set errors from the first command and basically return same error returned by "nat44" handler for every failed command that starts with the same path string. Fixes nat44-ed and nat44-ei plugin. Change-Id: I1aac85c8ae2932da582a2b78243521d1bf8a0653 Ticket: VPP-2021 Type: fix Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-04-01nat: VRF routing & FIB improvementsFilip Varga8-281/+727
This patch affects how destination fib is choosen during session creation. Default behavior of choosing fib based on output interfaces is kept. Configuration gives you the ability to change default behavior to direct or restrict traffic between different FIB tables. NAT specific VRF routing options: a) keeping communication in the same VRF b) option to add multiple destination VRFs c) option to control the resolution order of destination VRFs TX FIB resolution is based on looking up RX FIB entry in NATs VRF table and picking the first FIB that resolves destination address. Ticket: VPP-2009 Type: improvement Change-Id: If500c48d7ce3466533ad9581c0847870788fc4fb Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-04-01nat: nat44-ed cleanup & fixesFilip Varga6-1303/+634
Set deprecated option on unsupported API calls. Cleaned up API calls with deprecated option. Removed in progress option from long term used API calls. Removed obsolete/unused nodes, functions, variables. Fixed set frame queue nelts function. Calling API would incorrectly not fail even though frame queue nelts can only be set before first call nat44_plugin_enable. Moved all formatting functions to _format.c file. Type: refactor Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4 Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-03-17nat: fix ICMP error translationKlement Sekera1-0/+3
Add missing translation of ICMP inner IP layer. Change responsible test so that it actually tests something. Type: fix Fixes: 4881cb4c6f Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Id3a6f12a7308d81b1cdf9815f857221fab2f24d9
2022-03-09stats: refactorDamjan Marion1-7/+7
Type: refactor Change-Id: Ifd533a095d979dc55bfbe5fac7e0b7510a4d900c Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-02-21nat: make tcp/udp/icmp packet counters consistentKlement Sekera2-4/+12
TCP/UDP packets which are dropped are not counted towards TCP/UDP counters. Apply same behaviour to ICMP packets. Type: improvement Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I487fa7135ac8e49431a621fac213638d2dab31c8
2022-02-01nat: memory leak on nat44_plugin_disableSteven Luong1-0/+2
We invoke nat_affinity_enable for nat44_plugin_enable. We need to invoke nat_affinity_disable for nat44_plugin_disable to free the memory for bihash. Type: fix Fixes: I2743f7b1104b627bcc5ef937e3a50655313a26ea Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I9adeb3225136e3fff853c2d5b8f9a30e98ddcf4c
2022-01-24nat: TCP state tracking based on RFC 7857/RFC 6146Klement Sekera9-318/+588
Implement proper state machine based on above RFCs. ACKs to SYNs/FINs are no longer required/tracked. This is more friendly to peers and accounts for lost packets and retransmits. This change also means that all traffic is translated and forwarded while in transitory timeout, which helps delivering e.g. retransmitted FINs, FINACKs and other messages. Also support reopening a session in transitory timeout after seeing both FINs by seeing both SYNs again. This helps quick connection reestablishment if the peers want to. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com> Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
2022-01-04nat: remove nat44-ed relation between SM and addrFilip Varga6-555/+436
Change [1] put static mappings in flow hash. This change also broke relationship between nat pool addresses and static mappings. Port and address are no longer reserved in nat pool address records for a new static mapping. Because of this change both nat objects and their configuration can function independently. This change also removed already broken logic of having static-mapping-only configuration. In this patch i have cleaned up and removed unnecessary logic for static mapping configuration functions, address configuration functions, interface configuraiton functions and all callback functions used for resolving interface address bound records. No more viable configuration option static-mapping-only is also removed because there is no more option to run traffic through vpp for static mappings without having flow hash table allocated. Instead user is now able to create static mapping records without using nat pool addresses. Fixed and improved management of required fib entries (ensuring VPP will reply to ARP for all external addresses on outside interfaces) through holding a refcount for their creation and removal. [1] https://gerrit.fd.io/r/c/vpp/+/34077 Type: improvement Change-Id: Ic16deefbede833d574c2a5972155c9afa5bc62ce Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-01-04nat: nat44-ed pool address allocation improvementFilip Varga4-58/+289
This patch improves algorithm responsible for choosing nat pool address during dynamic session creation. Patch synchronizes nat pool address attributes with vpp interfaces doing so gives nat option to determine correct nat pool address when creating dynamic session. Improvements: * match dst address subnet and src fib with nat pool address * for output-feature also fallback match of tx_sw_if_index with nat pool address Type: improvement Change-Id: I594638bc76fc1153f582add376838b4b72ff573a Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-26api: add helper macros for native endianMohsin Kazmi1-5/+1
Type: improvement Change-Id: Ifa074dfd337f9cd68858468d34abf641fe7f247f Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-11-11nat: nat44-ei/ed nat objects cleanup improvementsFilip Varga1-135/+249
Improvements: * Changed plugin disable call behavior from freeing data types to calling appropriate nat plugin object delete calls for pool addresses, mappings and interfaces. * Added wrapper nat44_ei/ed_add_del_static_mapping function to handle switch bound static mappings. This would also fix ip assignment callback add/del bound static mapping issue preventing creation of the mapping. Fixes: * Fixed lingering object issue: some nat intertwined objects would not free each other if not correctly deleted in proper order. * Fixed incorect order of FIB unlocks for pool addresses causing syslog messages to use deleted FIBs in multiple VRF configuration. * Fixed incorrect value testing of flags instead of vrf_id for multiple vrf configuration static mapping. Type: improvement Change-Id: I2743f7b1104b627bcc5ef937e3a50655313a26ea Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-10nat: api autoendian fixFilip Varga1-8/+9
Fixed bad use of macros for autoendian API calls and updated tests for the new API. Removed sw_if_index check macro because of ntol conversion. Changed REPLY_MACRO to REPLY_MACRO_END to fix ntohl conversions. Type: fix Change-Id: I878a07b3f80fe03179feab60f0abc662f408a2c8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-10-31interface: handoff refactor and optimizationsFlorin Coras1-1/+0
- move existing ethernet hash functions to hash infra (no l4 awareness) - refactor code to use hash infra and add apis to request l4 aware hashing functions - hashing functions per interface - code cleanup Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia9f44db98d83f0f027aeb37718585a2e10ffd2c6
2021-10-20nat: NAT44-ED api fix and improvementFilip Varga4-16/+14
This patch fixes issue with NAT_API_IS_TWICE_NAT and NAT_API_IS_ADDR_ONLY flags. Because of control plane code change - move from boolean parameters to flags in https://gerrit.fd.io/r/c/vpp/+/32796 patch these api flags weren't correctly set. Type: fix Change-Id: Ieec5fe6bdcca314da027f2d23e3a24f174391a6f Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-10-14nat: static mappings in flow hashKlement Sekera10-1213/+878
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
2021-10-13nat: fix coverity warningKlement Sekera1-1/+1
Fix coverity warning by initialising proto variable to a dummy value. This value is never used because consuming function uses this parameter value only if is_addr_only flag is not set and this flag is always set if proto value is not provided by user. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9b5e8c08346bea1e2b460bb09e962c4b8d3b6947
2021-10-13nat: fix static mapping segvJoshua Roys1-1/+1
Adding a nat44 static mapping during startup on a DHCP interface leads to a segv via this path: - dhcp_client_acquire_address - ip4_add_del_interface_address - ip4_add_del_interface_address_internal - nat44_ed_add_del_interface_address_cb - nat44_ed_add_static_mapping - ip4_interface_first_address Type: fix Signed-off-by: Joshua Roys <roysjosh@gmail.com> Change-Id: I38dac8a096b052550f2b87b4e13a950d2cd868b0
2021-10-12Revert "nat: static mappings in flow hash"Ole Troan10-850/+1195
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
2021-10-12nat: static mappings in flow hashKlement Sekera10-1195/+850
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
2021-10-05nat: NAT44 ED api fix and improvementFilip Varga3-14/+178
Backward compatibility fix returns erroneous behavior that lets user add internally unused inside interface for the purpose of complying with the old add/dump/details API behavior. Change introduced in https://gerrit.fd.io/r/c/vpp/+/32951 removed extra inside interface that wasn't required or any how used by the output feature. This patch also changed outside interface flags to inside & outside. This fix returns the old behavior by imitating the old behavior through dummy registratoin data. Added new API calls nat44_ed_add_del_output_interface and nat44_ed_output_interface_get/details as a replacement of old API's. New API introduces simplified and cleaner way of configuring outside feature without requirement of config flags. Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I7a170f7325727c04da5e2e3ffbe3f02179531284