summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/nat_api.c
AgeCommit message (Collapse)AuthorFilesLines
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera1-1/+2
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-13nat: perf improvement - replace branchy codeKlement Sekera1-16/+16
Use a lookup table instead. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
2020-05-04nat: per vrf session limitsFilip Varga1-0/+28
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-24nat: ignore user hash in ED NATKlement Sekera1-23/+46
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-16nat: scavenging functionality removedFilip Varga1-25/+0
Type: refactor Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-08nat: use correct data types for memory sizesKlement Sekera1-6/+6
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Id2d181385f109163d4c806eecda166c2087c4b92
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-5/+3
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-02-20nat: user deletion function & extra metricsFilip Varga1-0/+25
Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ia5dbfe864c18e953ff49147a9a4684d2ca14b96e
2020-02-07nat: api & cli command for forcing session cleanupFilip Varga1-0/+26
Ticket: VPP-1836 Type: feature Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I8f7fc011bac435445a8916a4948d130ca9162f67
2020-02-05nat: move dslite to separate sub-pluginOle Troan1-232/+2
Type: refactor Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7 Signed-off-by: Ole Troan <ot@cisco.com>
2020-01-03nat: use SVRKlement Sekera1-154/+0
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-09-03api: enforce vla is last and fixed string typeOle Troan1-114/+33
Enforce that variable length fields are the last element of API messages. Add a 'fixed' version of string type, since dealing with multiple variable length strings turned out too painful for the C language bindings. The string type is now: { string name[64]; // NUL terminated C-string. Essentially decays to u8 name[64] string name[]; // Variable length string with embedded len field (vl_api_string_t) }; The latter notation could be made available to other types as well. e.g. { vl_api_address_t addresses[]; } instead of { u32 n_addr; vl_api_address_t addresses[n_addr]; }; Type: fix Change-Id: I18fa17ef47227633752ab50453e8d20a652a9f9b Signed-off-by: Ole Troan <ot@cisco.com>
2019-08-22nat: handoff traffic matching for dynamic NATFilip Varga1-1/+1
Type: feature Change-Id: I5c5af6f9acb340cc674323305104b8ce23e6d21d Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-08-20vppapigen: remove support for legacy typedefsPaul Vinciguerra1-1/+0
vppapigen has remapped legacy to typedefs behind the scenes for some time now. - update .api files to use new style typedefs. - issue error on 'typeonly define' in .api files - remove unneeded macros redefining vl_noop_handler Type: refactor Change-Id: I7a8c4a6dafacee6a131f95cd0e9b03a8c60dea8b Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-07-31nat: elog rewrite for multi-worker supportFilip Varga1-0/+28
Type: fix Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2019-07-12nat: fix net44 lb static APIBenoît Ganne1-1/+1
tag should be added at the end of the reply message instead of overwriting the original data. Type: fix Fixed: dd1e3e780c Change-Id: I4b31cf3a4a41b49ea9039a9398114dbf49a53e57 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2019-06-26api: refactor format_vl_api_prefix_t return keysPaul Vinciguerra1-3/+3
format_vl_api_prefix_t returns a dict with keys 'address' and 'address_length', but other format_vl_api_prefix functions return a dict with 'prefix', and 'len'. Refactor all format_vl_api_prefix_t to return consistent keys 'address' and 'len'. Type: refactor Change-Id: I5f9558fc2da8742a303266e011102f5b2db80aad Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-06-26api: Remove the inlines file and replace with library functionsNeale Ranns1-1/+0
using inlines exposes the users to the internal data types used by VPP, namely vec.h. This file does not compile with a C++ compiler. Type: feature Change-Id: I1544fdd9eae998309f865df61df78571bdb96903 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-06-18api: string type to convert to vectorOle Troan1-0/+1
Previous use of strndup() required user to remember to call free(). Now return a vector pointing directly to the API message string. Of course user must remember to copy the string out if lifetime is longer than API message lifetime. Change-Id: Ib5e2b3d52d258e1a42ea9ea9a9e04abbe360e2bf Type: fix Signed-off-by: Ole Troan <ot@cisco.com>
2019-05-09NAT: VPP-1665 coverity scan issue fixFilip Varga1-2/+9
Change-Id: I092a9f8237a895f907590772f2ea213a86502fb4 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-04-24NAT: VPP-1531 api cleanup & updateFilip Varga1-141/+272
Change-Id: I2492400a67b39a3adbc24ab7cf1ba17a409e95a8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-04-23Revert "NAT: VPP-1531 api cleanup & update"Ole Trøan1-268/+141
This reverts commit bed1421b9f1b3643d93384084972337b596aec73. /vpp/master3/src/plugins/nat/nat_api.c: In function ‘send_nat_worker_details’: /vpp/master3/src/vppinfra/clib.h:62:33: error: division ‘sizeof (u8 * {aka unsigned char *}) / sizeof (u8 {aka unsigned char})’ does not compute the number of array elements [-Werror=sizeof-pointer-div] #define ARRAY_LEN(x) (sizeof (x)/sizeof (x[0])) ^ /vpp/master3/src/plugins/nat/nat_api.c:205:43: note: in expansion of macro ‘ARRAY_LEN’ rmp = vl_msg_api_alloc (sizeof (*rmp) + ARRAY_LEN (w->name) - 1); ^~~~~~~~~ Change-Id: Ie82672c145fb2f6580827f95e535435307bc7a23 Signed-off-by: Ole Troan <ot@cisco.com>
2019-04-23NAT: VPP-1531 api cleanup & updateFilip Varga1-141/+268
Change-Id: I519d7efc8ee3c86381d96be2e2a46017cd948895 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-04-10API: Fix shared memory only action handlers.Ole Troan1-11/+11
Some API action handlers called vl_msg_ai_send_shmem() directly. That breaks Unix domain socket API transport. A couple (bond / vhost) also tried to send a sw_interface_event directly, but did not send the message to all that had registred interest. That scheme never worked correctly. Refactored and improved the interface event code. Change-Id: Idb90edfd8703c6ae593b36b4eeb4d3ed7da5c808 Signed-off-by: Ole Troan <ot@cisco.com>
2019-02-27NAT44: active-passive HA (VPP-1571)Matus Fabian1-1/+205
session synchronization so that we can build a plain active-passive HA NAT pair Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-26DSLITE: Fix dslite_get_b4_addr_reply message type.Jon Loeliger1-1/+1
Fix what appears to be a cut-n-past error. Change-Id: I71ee32c1b0d2dc38ed3df4bd24ec4248005a6008 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2019-01-22NAT: ipfix call optimizationFilip Varga1-2/+1
Change-Id: I84dfdbb727fb765fcaa7fb0099cbdd7ef7dbcc10 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-01-21NAT: VPP-1537 IPFIX per worker processingFilip Varga1-1/+2
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681 Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-12-18NAT44: nat44_add_del_lb_static_mapping enhancements (VPP-1514)Matus Fabian1-9/+67
Change-Id: I5419e06592b0402e911e132796368800321f355a Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-23c11 safe string handling supportDave Barach1-28/+28
Change-Id: Ied34720ca5a6e6e717eea4e86003e854031b6eab Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-12NAT44: identity NAT fix (VPP-1441)Matus Fabian1-8/+11
Change-Id: Ic4affc54d15d08b9b730f6ec6146ee053b28b4b6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-08NAT44: do not create session record for identity mapping (VPP-1439)Matus Fabian1-14/+11
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-01thread: Add show threads apiMohsin Kazmi1-1/+1
Change-Id: I3124238ab4d43bcef5590bad33a4ff0b5d8b7d15 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-09-13NAT: TCP MSS clampingMatus Fabian1-0/+59
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation. If the negotiated MSS value is greater than the configured value it is changed to the configured value. If the negotiated MSS value is smaller than the configured value it remains unchanged. Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-04NAT: add support for configurable port range (VPP-1346)Matus Fabian1-2/+93
Change-Id: I6882b6daa05db866fe6e78a62b380ec331507f74 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03NAT44: client-IP based session affinity for load-balancing (VPP-1297)Matus Fabian1-1/+2
Enable client-IP based session affinity per LB NAT rule with specific timeout. Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27NAT44: add support for session timeout (VPP-1272)Matus Fabian1-142/+70
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired sessions. When inserting to session lookup hash and bucket is full, expired session is overwritten. Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-22NAT: update nat_show_config_reply API (VPP-1403)Matus Fabian1-0/+9
Change-Id: I85383e428cb54c4c09ab387811dd6390f7c61d97 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-09NAT44: delete user with zero sessions (VPP-1282)Matus Fabian1-2/+6
Change-Id: I756e3ad3de9ffe1494221ef95c1943c8591f8f50 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-02NAT44: LB NAT - local backends in multiple VRFs (VPP-1345)Matus Fabian1-5/+5
Add support for local backends in multiple VRFs for load-balancing NAT rules. Change-Id: I64e6818bd67a7e69985003498cf1f16f7200c334 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-15NAT44: endpoint dependent mode (VPP-1273)Matus Fabian1-1/+1
To enable NAT plugin endpoint dependent mode add following to statrup config: nat { endpoint-dependent } Enable endpoint dependent filtering and mapping for all sessions. Move some existing functionality such as service load balancing, twice nat, out2in-only static mappings and unknown protocol dynamic translations, which use endpoint dependent lookup hash tables before. Basically split to vanilla NAT44 and extra features NAT44. Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-28NAT44: code cleanup and refactor (VPP-1285)Matus Fabian1-1/+2
Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-17NAT44: nat44_del_session and nat44_user_session_details API update (VPP-1271)Matus Fabian1-8/+60
Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-08NAT44: TCP connection close detection (VPP-1266)Matus Fabian1-0/+2
Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-03NAT: fix bin API dump of static mappings.Milan Lenco1-2/+5
Static mappings with equal local and external IPs but different ports were dumped as identity mappings. Change-Id: Ifea7cef5b78aea4c2eb31cf1620185eeef2681e5 Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>
2018-04-19Add special Twice-NAT feature (VPP-1221)Juraj Sloboda1-4/+20
When enabled then Twice-NAT is applied only when source IP equals destination IP after DNAT Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-12NAT: disable CLI/API not supported in active mode (VPP-1234)Juraj Sloboda1-3/+136
When in deterministic mode disable nondeterministic CLI/API. When not in deterministic mode disable deterministic CLI/API. Change-Id: Ibf485c14612297e51d3815a6fde541542c8fe7ab Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-05DSLite: Implement new API call DSLITE_ADDRESS_DUMP.Jon Loeliger1-0/+49
Change-Id: I92ca28d3007f7ea43cd3e8b20659e400dfa6c75c Signed-off-by: Jon Loeliger <jdl@netgate.com>
2018-03-28NAT44: fix nat44_user_session_dump and nat44_del_session crash with one ↵Matus Fabian1-1/+1
worker (VPP-1213) Change-Id: I8e0c7ed2ff462b9ab59c233f56be262ec03c29ff Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-31NAT66 1:1 mapping (VPP-1108)Matus Fabian1-1/+192
Support the 1:1 translation of source address for IPv6 Change-Id: I934d18e5ec508bf7422d796ee5f172b79c048011 Signed-off-by: Matus Fabian <matfabia@cisco.com>