summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat44
AgeCommit message (Collapse)AuthorFilesLines
2021-02-24nat: Final NAT44 EI/ED split patchFilip Varga2-405/+0
This patch achieves complete separation of endpoint-dependent and endpoint-independent IPv4 NAT features. Some common stuff is also moved to NAT library. Type: refactor Change-Id: I52468b7e2b5ac28958a2baf8e2ea01787322e801 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-01-18nat: deal with flows instead of sessionsKlement Sekera1-5/+111
This change introduces flow concept to endpoint-dependent NAT. Instead of having a session and a plethora of special cases in code for e.g. hairpinning, twice-nat and others, figure all this out and store it in flow logic. Every flow has a match and a rewrite part. This unifies all the NAT packet processing cases into one - match a flow and rewrite the packet based on that flow. It also provides a cure for hairpinning dilemma where one part of the flow is on one worker and another on a different one. These cases are also sped up by not requiring destination adress lookup every single time to be able to rewrite source nat as this is now part of flow rewrite logic. Type: improvement Change-Id: Ib60c992e16792ea4d4129bc10202ebb99a73b5be Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-01-05nat: refactor and split fo EI/ED featuresFilip Varga1-9/+0
This patch is aimed at moving EI features out of NAT44 plugin & split of EI/ED functions. Type: refactor Change-Id: I63cf70a264ed2512708fe92665d64f04690783d0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-13nat: api,cli and test update & cleanupFilip Varga1-73/+0
Cleanup of print functions in api file, splitting functionality of cleanup callbacks for ED and EI NAT. Updating and fixing API & CLI calls. Type: refactor Change-Id: I7a9dc4c8b1d2ca29db4754be7dfa4f698942127a Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-05nat: remove unused codeKlement Sekera1-22/+0
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ibbdfb0a2d1ff64044a0f6b2443b526bd1cf12f93
2020-08-17nat: sessions get expired when fib table removedFilip Varga1-0/+111
fib table removal would leave lingering sessions in vpp this patch is aimed at solving this issue by grouping sessions by source and destionation fib. if one of the fibs gets removed this grouping is tagged as expired and session won't be passed to non existing fib table Ticket: VPPSUPP-93 Type: improvement Change-Id: I45b1205a8b58d91f174e6feb862554ec2f6cffad Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-13nat: move deterministic nat to det44 sub featureFilip Varga1-1/+1
Type: refactor Change-Id: I0bb203102a0e13dd7448e2125925ab356bbd7937 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-06-11nat: simplify bihash buckets/mem configKlement Sekera1-1/+1
Derive reasonable values from max translations/max users. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I41a96ab63ab138b4160cd60bd6df24fc73791c86
2020-05-14nat: ED: store both thread&session idx in hashKlement Sekera1-22/+0
By storing thread and session index in hash table we are able to skip multiple hash lookups in multi-worker scenario, which were used for handoff before. Also, by storing sesion index in vnet_buffer2, we can avoid repeating the lookup after handoff. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I406fb12f4e2dd8f4a5ca5d83d59dbc37e1af9abf
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera2-14/+145
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-06nat: enable force session cleanupFilip Varga1-0/+25
Force session cleanup drops NAT db. Also fixing user specific cli/api calls. Type: improvement Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-05nat: remove unused codeKlement Sekera1-27/+0
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I33b2b38961b200dc3297b82124a7107b9ecbd0de
2020-05-04nat: per vrf session limitsFilip Varga1-0/+11
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-24nat: ignore user hash in ED NATKlement Sekera1-8/+14
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-16nat: scavenging functionality removedFilip Varga1-170/+0
Type: refactor Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-08nat: ED: global session LRU listKlement Sekera1-0/+10
Maintain a global session LRU allowing reuse of expired session instead of relying on a scavenging mechanism to periodically walk sessions. Whenever a new session is being allocated in slow path, also attempt to free an expired session from global LRU list. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
2020-03-26nat: transitory timeout for TCP CLOSED stateKlement Sekera1-1/+7
Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857. This patch implements this functionality for endpoint-dependent NAT. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-69/+149
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-02-20nat: user deletion function & extra metricsFilip Varga1-0/+68
Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ia5dbfe864c18e953ff49147a9a4684d2ca14b96e
2020-02-20nat: avoid running pointless session cleanupsKlement Sekera1-11/+29
Save the next session timeout when sweeping sessions for cleanup so that we can avoid unnecessary runs of the sweeping algorithm. Type: fix Change-Id: I736d00f2dfe242af10f963fbe34b11128f8b0613 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-02-07nat: api & cli command for forcing session cleanupFilip Varga1-0/+37
Ticket: VPP-1836 Type: feature Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I8f7fc011bac435445a8916a4948d130ca9162f67
2020-01-17nat: refactor of port/address allocation functionsFilip Varga1-0/+119
Change-Id: Ie2a3c0f44322dd8415603b7ce51bb72d72769c95 Ticket: VPP-1815 Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com>