summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat44-ei
AgeCommit message (Collapse)AuthorFilesLines
2022-08-19nat: simplify per-protocol code by using an arrayJon Loeliger3-243/+157
rather than using obfuscated macro hacery, simplify the per-protocol data management by directly using an array of NAT protocol types. Type: refactor Signed-off-by: Jon Loeliger <jdl@netgate.com> Change-Id: I6fe987556ac9f402f8d490da0740e2b91440304c
2022-08-18nat: Replace port refcounts with simple bitvectorsJon Loeliger2-17/+80
Previously, each address maintained an array of 32-bit reference counts for each of 65K possible ports for each of 4 NAT protocols. Totalling 1MB per address. Wow. A close read of the code shows that an "is used" check precedes each attempted reference count increment. That means the refcount never actually gets above 1. That in turn means algorithmically, a bit vector is sufficient. And one need not be allocated for more than the highest validated port referenced. These changes introduce a dynamically sized bit vector replacing the reference counts, for a maximum of 32K if all 4 protocols use port 65535. In fact, protocol OTHER is never used, so at most 24K will be used, and none of it will be "statically" allocated per address. Type: fix Fixes: 85bee7548bc5a360851d92807dae6d4159b68314 Change-Id: I7fd70050e7bf4871692a862231f8f38cf0158132 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2022-08-16nat: fix potential out-of-bound worker array indexJing Peng1-16/+16
In several NAT submodules, the number of available ports (0xffff - 1024) may not be divisible by the number of workers, so port_per_thread is determined by integer division, which is the floor of the quotient. Later when a worker index is needed, dividing the port with port_per_thread may yield an out-of-bound array index into the workers array. As an example, assume 2 workers are configured, then port_per_thread will be (0xffff - 1024) / 2, which is 32255. When we compute a worker index with port 0xffff, we get (0xffff - 1024) / 32255, which is 2, but since we only have 2 workers, only 0 and 1 are valid indices. This patch fixes the problem by adding a modulo at the end of the division. Type: fix Signed-off-by: Jing Peng <pj.hades@gmail.com> Change-Id: Ieae3d5faf716410422610484a68222f1c957f3f8
2022-05-31nat: disable nat44-ei-in2out-output ttl checkAlexander Skorichenko1-3/+3
Type: fix A packet passing through nat44-ei-in2out-output, has its ttl value validated in earlier nodes. "ip4-input" node checks ttl for locally generated packets. "ip4-rewrite" node validates ttl in forwarded packets. Thus for example, the ED counterpart disables ttl checks in its "nat44-ed-in2out-output" node. This patch updates nat44 EI conditions for ttl checks to those currently used in nat44 ED case, meaning no extra ttl validation for in2out when output-feature is enabled. Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: Idd15d7c9a746b60c0a6dac5537d00ef10c257fdc
2022-04-18nat: fix deleting nat ei out interface featureAlexander Skorichenko1-2/+2
Type: fix Set is_add function argument to 0 when deleting interface role. Change-Id: I6ca88d6511e1c88285e51b3750eb501fde2b341b Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
2022-04-05nat: nat44 cli bug fixFilip Varga1-8/+8
Two similar CLI paths "nat44" and "nat44 add interface address" caused unexpected behavior. If "nat44 add interface address" command would fail the vlib cli processing function would call "nat44" handler. This would also clean any previously set errors from the first command and basically return same error returned by "nat44" handler for every failed command that starts with the same path string. Fixes nat44-ed and nat44-ei plugin. Change-Id: I1aac85c8ae2932da582a2b78243521d1bf8a0653 Ticket: VPP-2021 Type: fix Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-02-03ip nat: use ip rx sw_if_index in ip-local arc startFlorin Coras1-7/+31
This also changes the behavior of the nat44-ei hairpinning feature. Rather then enabling the feature on every nat interface, it is enabled only on local0. Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4e16a83c9e328aa75fc61df508b620ef743ca775
2022-02-01nat: nat44-ei hairpinning code cleanupFilip Varga6-1545/+673
Removing obsolete unused nat44-ei nodes and functions. Type: refactor Change-Id: I1e03e283091c3c0d92908d04037cba00a348351a Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-26api: add helper macros for native endianMohsin Kazmi1-5/+1
Type: improvement Change-Id: Ifa074dfd337f9cd68858468d34abf641fe7f247f Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-11-11nat: nat44-ei/ed nat objects cleanup improvementsFilip Varga4-124/+240
Improvements: * Changed plugin disable call behavior from freeing data types to calling appropriate nat plugin object delete calls for pool addresses, mappings and interfaces. * Added wrapper nat44_ei/ed_add_del_static_mapping function to handle switch bound static mappings. This would also fix ip assignment callback add/del bound static mapping issue preventing creation of the mapping. Fixes: * Fixed lingering object issue: some nat intertwined objects would not free each other if not correctly deleted in proper order. * Fixed incorect order of FIB unlocks for pool addresses causing syslog messages to use deleted FIBs in multiple VRF configuration. * Fixed incorrect value testing of flags instead of vrf_id for multiple vrf configuration static mapping. Type: improvement Change-Id: I2743f7b1104b627bcc5ef937e3a50655313a26ea Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-10nat: api autoendian fixFilip Varga4-52/+77
Fixed bad use of macros for autoendian API calls and updated tests for the new API. Removed sw_if_index check macro because of ntol conversion. Changed REPLY_MACRO to REPLY_MACRO_END to fix ntohl conversions. Type: fix Change-Id: I878a07b3f80fe03179feab60f0abc662f408a2c8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-10-31interface: handoff refactor and optimizationsFlorin Coras1-1/+0
- move existing ethernet hash functions to hash infra (no l4 awareness) - refactor code to use hash infra and add apis to request l4 aware hashing functions - hashing functions per interface - code cleanup Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia9f44db98d83f0f027aeb37718585a2e10ffd2c6
2021-10-30nat: fix coverity warningKlement Sekera1-1/+1
Fix coverity warning by initialising proto variable to a dummy value. This value is never used because consuming function uses this parameter value only if is_addr_only flag is not set and this flag is always set if proto value is not provided by user. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I041bc821a392f0746ef9f07f9b259d62884305b7
2021-10-20nat: nat44-ei configuration improvementsFilip Varga6-1027/+1574
nat44-ed core configuration improvements & fixes [0-5] adjusted for nat44-ei plugin. Improvements: * repeating code converted to functions * simplified functions used for pool address, static mapping and interface configuration. Clean up: * remove obsolete code and logic persisted after plugin separation from old SNAT plugin. Fixes: * [0] return correct API behavior changed in [5] Type: improvement [0] https://gerrit.fd.io/r/c/vpp/+/33622 [1] https://gerrit.fd.io/r/c/vpp/+/33431 [2] https://gerrit.fd.io/r/c/vpp/+/33337 [3] https://gerrit.fd.io/r/c/vpp/+/33249 [4] https://gerrit.fd.io/r/c/vpp/+/32796 [5] https://gerrit.fd.io/r/c/vpp/+/32951 Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ie197faa576cb49acb3d218f14e00cb7d13ad9342
2021-10-14nat: static mappings in flow hashKlement Sekera5-24/+44
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
2021-10-13docs: convert plugins doc md->rstNathan Skrzypczak2-70/+88
Type: improvement Change-Id: I7e821cce1feae229e1be4baeed249b9cca658135 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-12Revert "nat: static mappings in flow hash"Ole Troan5-44/+24
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
2021-10-12nat: static mappings in flow hashKlement Sekera5-24/+44
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
2021-09-30nat: doc nitfixesNathan Skrzypczak2-3/+3
Type: improvement Change-Id: I9a4303030b9657c28bbd73168def72c7daa13483 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-09-28nat: NAT44 ED & EI session filtering CLIJúlius Milan1-1/+8
Improving session filtering capabilities of show nat44 sessions CLI command for EI and ED NAT plugins. Adding filtering options: saddr, sport, daddr, dport, proto for both i2o and o2i flows. Type: improvement Change-Id: I70bc94a2e922cddf9451eb7dcbf4a7be21ebf0df Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin2-43/+59
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-12nat: correct pool ops when disable nat44 pluginAlexander Skorichenko1-10/+10
Type: fix Replace vec ops with pool ops when iterating over pool of interfaces in plugin_disable() functions. With this change plugin disabling function and interface role disabling functions iterate over identical sets of registered interfaces, preventing 'interface couldn't be found' errors. Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com> Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
2021-07-15misc: replace CLIB_PREFETCH with clib_prefetch_{load,store}Damjan Marion3-8/+8
Type: refactor Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-06-16nat: test all intf addrs in is_interface_addr()Alexander Chernavin2-10/+21
Type: fix Currently, is_interface_addr() tests if a given IPv4 address belongs to an interface by a given sw_if_index. However, there are several issues: * only the first found address on the interface is actually tested, * sw_if_index is always cached even if the interface hasn't been assigned any addresses yet. With this change, is_interface_addr() tests all IPv4 addresses on an interface by a given sw_if_index and caches sw_if_index only if there are addresses present. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: If1acc4a534647a5f0ce8e9b565b867c92a016dc3
2021-05-25nat: report correct EI per-user session limitMatthew Smith2-3/+5
Type: fix When enabling the endpoint independent NAT44 plugin, user_sessions determines the maximum number of translations that can be active for a single inside address. If 0 is passed in, a default value is used but 0 is still stored in the field that is used to populate reply messages to nat44_ei_show_running_config, At the time of enabling the plugin, if user_sessions is 0, update the field which is used by nat44_ei_show_running_config to contain the default per-user limit which gets used by the EI nodes. Change-Id: I6b060d85bcd42d91db879b95a8b07c6844bcd2a5 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-05-14vlib: pass node runtime to vlib_buffer_enqueue_to_thread()Damjan Marion3-7/+6
Mechanical change for patch following this one... Type: improvement Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-05nat: cli commands parsing fixFilip Varga1-121/+99
Newline get's ignored when parsing configuration file. Type: fix Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ib4f86177150dfe3bc085231a9268cf730490ea81
2021-05-01vlib: refactor trajectory trace debug featureBenoît Ganne1-1/+0
trajectory trace has been broken for a while because we used to save the buffer trajectory in a vector pointed to in opaque2. This does not work well when opaque2 is copied (eg. because of a clone) as 2 buffers end up sharing the same vector. This dedicates a full cacheline in the buffer metadata instead when trajectory is compiled in. No dynamic allocation, no sharing, no tears. Type: refactor Change-Id: I6a028ca1b48d38f393a36979e5e452c2dd48ad3f Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-04-28nat: fix byte order on ipfix message fieldsMatthew Smith1-1/+1
Type: fix The code for quota exceeded events is a u32 and was being copied into ipfix packets in host byte order. Same for the limit field. Swap the order before copying into packet buffer. This change was applied once before but had to be reverted. This was because between the time the change was uploaded/reviewed and the time it was merged, a different patch was merged which activated a NAT ipfix unit test that had formerly only been run as part of the extended tests. The test was expecting the values to be in host byte order so it failed with this patch applied. This time around, that test has also been updated to expect network byte order. Change-Id: If5413b1f806d664f6786e56ba13c3eee573c26d2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-04-20nat: fixing cli bug for nat44-ei and nat44-edFilip Varga1-1/+1
Removing obsolete optional parameters. Type: fix Change-Id: I135eb4767979ab81636da16e91752a2ad80e0a45 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-03-31nat: correct thread index usageKlement Sekera3-12/+15
Use actual thread index from hash table instead of doing calculation. Calculated index might be different and could lead to crash. Type: fix Change-Id: Iede9a67fbe541cb44eccd0d6ddf4e2c51eb35423 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-30nat: fix HA multi-worker issuesKlement Sekera5-62/+57
Use correct vlib_main() in various code parts. Fix tests. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia379f3b686599532dedaafad2278c4097a3f03f3
2021-03-26vlib: introduce vlib_get_main_by_index(), vlib_get_n_threads()Damjan Marion1-4/+4
Type: improvement Change-Id: If3da7d4338470912f37ff1794620418d928fb77f Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-03-25nat: allocate enough space for full port usageKlement Sekera1-1/+1
Type: fix Change-Id: I068bfeaf22b9e6cce967c27acdd46d4b8541bdf8 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-25nat: fix bihash kvp printKlement Sekera1-2/+3
Type: fix Change-Id: I392d348b1a38affac8761b0614b117cd991958d7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-25nat: prevent usage of ED nodes in EI codeKlement Sekera1-40/+111
Type: fix Change-Id: I84d511c30eb5878a1867f5e9d2207a39d4f0926c Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-25nat: fix vnet_feature_next in source hairpinningKlement Sekera1-3/+11
Avoid erroneous double vnet_feature_next if routing buffer manually. Type: fix Change-Id: I3f56c12bf57f59a1e5ddad63a2565fa195934cf6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-15nat: get rid of worker selection callbacksKlement Sekera4-29/+28
Make code easier to read and debug. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib52a4cdd3bcdcc475053aa32af3964c00859e1cd
2021-03-07nat: fix worker selectionKlement Sekera1-1/+1
Use correct ports from SVR. Perform lookup of existing session for all cases to pick any created bypasses and derive correct thread indexes. Type: fix Change-Id: I1e3814c9e13cd4d9b8d65f514f7e9ab42df3c22e Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-01nat: pick outside addr based on local addrKlement Sekera3-36/+40
Use outside addresses more evenly by using local address to pick from pool of addresses. This ensures stability from POV of remote host - an internal host always gets translated using the same outside address, so it doesn't appear to be "hopping". Also, this avoids all hosts being translated using the first address, which helps avoid needless recaptchas and the like. Exact assignment depends on internal ordering of addresses - local address is used to pick an offset into internal vector. If that address cannot be used, a linear search is performed as a fallback mechanism to find a possible translation. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I7ccb1da1dda5537f5d30d2f4cb48024f4b51c1a4
2021-02-24nat: Final NAT44 EI/ED split patchFilip Varga15-1337/+9111
This patch achieves complete separation of endpoint-dependent and endpoint-independent IPv4 NAT features. Some common stuff is also moved to NAT library. Type: refactor Change-Id: I52468b7e2b5ac28958a2baf8e2ea01787322e801 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-02-10nat: fix EI hairpinning thread safetyKlement Sekera1-24/+242
Avoid doing inter-thread reads without locks by doing a handoff before destination address rewrite. Destination address is read from a session which is possibly owned by a different thread. By splitting the work in two parts with a handoff in the middle, we can do both in a thread safe way. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I1c50d188393a610f5564fa230c75771a8065f273
2021-02-09nat: improve type safety and remove unused paramKlement Sekera2-51/+51
Type: improvement Change-Id: I456f9b14e6a4eb46c9c49f6e09acccae530e4ebc Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-02-05nat: configurable handoff frame queue sizeElias Rudberg1-0/+3
Make number of worker handoff frame queue elements configurable as a set nat frame-queue-nelts command. The default value is 64 which is the same value that was previously hard-coded. The idea is that allowing larger values can be useful in some cases, to avoid congestion drops. Also add nat_set_fq_options API support and a corresponding test case. Type: improvement Change-Id: I5c321eb2d7997f76fac2703d9c4a5b2516375db3 Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
2021-02-04nat: reduce number of hash tables for EI NATKlement Sekera4-81/+73
Making code more simple and storing thread index along with session index as a preparation step for fixing thread safety patches. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib0c531e9f1f64b1f1ee912d4a83279200638e931
2021-01-18nat: deal with flows instead of sessionsKlement Sekera2-5/+5
This change introduces flow concept to endpoint-dependent NAT. Instead of having a session and a plethora of special cases in code for e.g. hairpinning, twice-nat and others, figure all this out and store it in flow logic. Every flow has a match and a rewrite part. This unifies all the NAT packet processing cases into one - match a flow and rewrite the packet based on that flow. It also provides a cure for hairpinning dilemma where one part of the flow is on one worker and another on a different one. These cases are also sped up by not requiring destination adress lookup every single time to be able to rewrite source nat as this is now part of flow rewrite logic. Type: improvement Change-Id: Ib60c992e16792ea4d4129bc10202ebb99a73b5be Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-01-11nat: refactor and split fo EI/ED features p.2Filip Varga4-43/+917
Patch n. 2 aimed at moving EI features out of NAT44 plugin & split of EI/ED functions. Type: refactor Change-Id: Ida20c1c084449b146344b6c3d8442f49efb6f3fa Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-01-05nat: refactor and split fo EI/ED featuresFilip Varga8-0/+5783
This patch is aimed at moving EI features out of NAT44 plugin & split of EI/ED functions. Type: refactor Change-Id: I63cf70a264ed2512708fe92665d64f04690783d0 Signed-off-by: Filip Varga <fivarga@cisco.com>