summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat44-ed
AgeCommit message (Collapse)AuthorFilesLines
2021-07-22nat: nat44-ed configuration refactor & cleanupFilip Varga9-896/+1195
Refactoring static mapping configuration functions based on feature type. Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I007d9b0e9717ced613fbcef2b11b6853f479be1e
2021-07-19nat: harden ICMP handlingKlement Sekera4-49/+110
Verify that headers are not truncated and that checksums are valid. Correct checksum computation in translation code. Type: fix Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-15misc: replace CLIB_PREFETCH with clib_prefetch_{load,store}Damjan Marion4-8/+8
Type: refactor Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-07-15nat: nat44-ed sm fixFilip Varga1-15/+13
Fixing nat44-ed identity map in2out communication. TCP packets would get dropped because of the order of testing TCP state. Type: fix Change-Id: Ib11e7e75c66945224fecc0bb311733672e315c7d Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-07-14nat: refactoring NAT44ED cfg functionsFilip Varga4-344/+500
Refactored & fixed NAT44ED configuration functions used for handling interfaces and nodes. Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I6fbbb7f0fe35d572675997745d53290152987424
2021-06-23nat: ICMP handling fixesKlement Sekera4-24/+110
If ICMP comes from a router on path, source address must not be rewritten in o2i path to avoid getting wrong checksum. Fix ICMP checksum computations. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I035debccf966d7dbd63c364cb1e43380d641f708
2021-06-22nat: don't drop packet with ttl=1 if output featureKlement Sekera1-2/+2
TTL was already decremented in ip4-rewrite so it's okay if it's 1. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
2021-06-16nat: test all intf addrs in is_interface_addr()Alexander Chernavin2-10/+21
Type: fix Currently, is_interface_addr() tests if a given IPv4 address belongs to an interface by a given sw_if_index. However, there are several issues: * only the first found address on the interface is actually tested, * sw_if_index is always cached even if the interface hasn't been assigned any addresses yet. With this change, is_interface_addr() tests all IPv4 addresses on an interface by a given sw_if_index and caches sw_if_index only if there are addresses present. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: If1acc4a534647a5f0ce8e9b565b867c92a016dc3
2021-06-16nat: fix crash when translate unknown proto packetsAlexander Chernavin2-4/+5
Type: fix Currently, there might be a crash in NAT ED mode: * if a session for an unknown proto packet cannot be created in2out, * if a session for an unknown proto packet cannot be found out2in. With this change, translate packets only if a session is given in NAT ED mode. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Iafb332db1ae9a3e76435964ad636037d1b8a51e8
2021-05-31nat: fix broken nat44-ed cliRuslan Babayev2-10/+1
snat_set_frame_queue_nelts has been replaced with nat44_ed_set_frame_queue_nelts. Type: fix Signed-off-by: Ruslan Babayev <ruslan@babayev.com> Change-Id: I8d970be71376fdbb2bfd383d4d5824a8def93bb3
2021-05-26nat: add thread index assertionsKlement Sekera4-0/+11
Add extra assertions to debug build. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib20130365e8f9dbb556fcbb4321dd184c7eff603
2021-05-21nat: add maximum configured sessions to stat segmentOle Troan2-0/+11
Add /nat44-ed/max-cfg-sessions gauge. Reflects the configured value for configured sessions (per thread). Type: improvement Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I618c8aa0daab0981399cfe9273d191fa1990ef60 Signed-off-by: Ole Troan <ot@cisco.com>
2021-05-14vlib: pass node runtime to vlib_buffer_enqueue_to_thread()Damjan Marion1-2/+2
Mechanical change for patch following this one... Type: improvement Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-05nat: cli commands parsing fixFilip Varga1-114/+101
Newline get's ignored when parsing configuration file. Type: fix Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ib4f86177150dfe3bc085231a9268cf730490ea81
2021-04-28nat: fix byte order on ipfix message fieldsMatthew Smith1-1/+1
Type: fix The code for quota exceeded events is a u32 and was being copied into ipfix packets in host byte order. Same for the limit field. Swap the order before copying into packet buffer. This change was applied once before but had to be reverted. This was because between the time the change was uploaded/reviewed and the time it was merged, a different patch was merged which activated a NAT ipfix unit test that had formerly only been run as part of the extended tests. The test was expecting the values to be in host byte order so it failed with this patch applied. This time around, that test has also been updated to expect network byte order. Change-Id: If5413b1f806d664f6786e56ba13c3eee573c26d2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-04-23nat: correct detection of icmp bypass presenceKlement Sekera1-2/+2
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Iead167e7497e0779c440f7fb243014a06ae2b452
2021-04-21nat: fix multi worker scenariosKlement Sekera2-28/+56
Properly select worker from hash table in out2in direction, increase number of worker threads in MW test to 4 to test these cases. Type: fix Change-Id: I76eda5761ff497b85b031dd913a64b7fcb53b33a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-04-20nat: fixing cli bug for nat44-ei and nat44-edFilip Varga1-1/+1
Removing obsolete optional parameters. Type: fix Change-Id: I135eb4767979ab81636da16e91752a2ad80e0a45 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-04-20nat: nat44-ed i2o & o2i trace fixFilip Varga2-8/+10
If cache used than we don't print in trace session index. Type: fix Change-Id: Ib965cd8632b5217f8b2dd8b6cc6af3286c747582 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-04-01nat: fix ordering of feature nodesKlement Sekera1-2/+4
Fix ordering of feature nodes so that ACL runs after NAT in in2out direction so it can properly track stuff like ports after NAT rewrite. Type: fix Change-Id: I2c689b64765628e9bc77108914f74c6c801d8ce2 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-31nat: avoid creating negative zero checksumKlement Sekera1-1/+3
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ibbb72e77c751b7e775620cfb160b52ceff2da86b
2021-03-31nat: NAT44-ED unused value removalFilip Varga1-4/+1
Type: fix Coverity scan issue fix. Change-Id: I9036fade15fd381da9c1e6b575f250fdcb21f876 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-03-15nat: get rid of worker selection callbacksKlement Sekera4-52/+49
Make code easier to read and debug. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib52a4cdd3bcdcc475053aa32af3964c00859e1cd
2021-03-09nat: fix dst nat thread issuesKlement Sekera2-118/+108
Make sure packet lands on the right thread for dst nat case. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I0ec4e4c2bb3fa80ff73fac588c36d36420ba68fa
2021-03-07nat: replace main vlib with per-thread vlibKlement Sekera6-67/+53
Fix incorrect vlib main usage. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ic5304ca844f1b27756818eb6995b1d9c08412674
2021-03-07nat: fix worker selectionKlement Sekera6-88/+72
Use correct ports from SVR. Perform lookup of existing session for all cases to pick any created bypasses and derive correct thread indexes. Type: fix Change-Id: I1e3814c9e13cd4d9b8d65f514f7e9ab42df3c22e Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-06nat: use correct node indexes for queuesKlement Sekera1-2/+2
Type: fix Change-Id: I30b847acc4653fea9d609fc0d5875c3fda0824ef Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-01nat: avoid crash if plugin not enabledKlement Sekera1-18/+21
Avoid crash if nat pool not allocated when issuing "show nat44 summary". Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I55661cf699bab04f4673e9d471fe12486e972067
2021-03-01nat: pick outside addr based on local addrKlement Sekera1-71/+92
Use outside addresses more evenly by using local address to pick from pool of addresses. This ensures stability from POV of remote host - an internal host always gets translated using the same outside address, so it doesn't appear to be "hopping". Also, this avoids all hosts being translated using the first address, which helps avoid needless recaptchas and the like. Exact assignment depends on internal ordering of addresses - local address is used to pick an offset into internal vector. If that address cannot be used, a linear search is performed as a fallback mechanism to find a possible translation. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I7ccb1da1dda5537f5d30d2f4cb48024f4b51c1a4
2021-02-26nat: optimize flow matching in ED NATKlement Sekera5-81/+87
This saves 6 clocks in nat44-ed-in2out node. (112->106 per packet) Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I48e757e7f4b6b0d250a432a4659fe6955fc52a07
2021-02-26nat: NAT44ED fail if using old plugin optionFilip Varga2-446/+494
Fail if obsolete flag is used. Type: fix Change-Id: Id7000de9c82fa2c22692104b2fc1d463e5961f39 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-02-24nat: Final NAT44 EI/ED split patchFilip Varga13-0/+14891
This patch achieves complete separation of endpoint-dependent and endpoint-independent IPv4 NAT features. Some common stuff is also moved to NAT library. Type: refactor Change-Id: I52468b7e2b5ac28958a2baf8e2ea01787322e801 Signed-off-by: Filip Varga <fivarga@cisco.com>