aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/out2in.c
AgeCommit message (Collapse)AuthorFilesLines
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-3/+0
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-01-17nat: refactor of port/address allocation functionsFilip Varga1-2/+2
Change-Id: Ie2a3c0f44322dd8415603b7ce51bb72d72769c95 Ticket: VPP-1815 Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-01-03nat: use SVRKlement Sekera1-506/+185
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-12nat: session cleanup fixFilip Varga1-0/+4
Ticket: VPP-1795 Type: fix Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-05nat: respect udp checksumFilip Varga1-38/+74
Type: fix Change-Id: I732be02d2e2b854eb589c3fa10f980ef2dbe8dfc Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-04nat: revert respect udp checksumOle Troan1-74/+34
This reverts commit 0d75f783644a24b219ed79d9f9c17387783f67ca. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Iaf33301201897e6646eba2b4157e2a45f5fd30f2
2019-11-04nat: revert fix dual-loop tcp checksum botchOle Troan1-17/+9
This reverts commit 9654a37fac7fe2b425576eb0237b8d24ae44e1b1. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I93ed5a48303421de43f5494c11db2be9a3c8ce57
2019-11-04nat: fix dual-loop tcp checksum botchDave Barach1-9/+17
Type: fix Fixes: 22921 Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I4fecce96d027c0ee1797d9d84cfab94b1ecdc02b
2019-10-28nat: respect udp checksumFilip Varga1-34/+74
Type: fix Change-Id: I73895fa0101bd50483160c8dc6faac2c67513077 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-07-31nat: elog rewrite for multi-worker supportFilip Varga1-8/+8
Type: fix Change-Id: I04f136a04bc022d223e4bcb5c59920bd1f1fd560 Signed-off-by: Filip Varga <filipvarga89@gmail.com>
2019-02-27NAT44: active-passive HA (VPP-1571)Matus Fabian1-10/+21
session synchronization so that we can build a plain active-passive HA NAT pair Change-Id: I21db200491081ca46b7af3e82afc677c1985abf4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2019-02-18NAT: fix: multiple definition of nat64_cleaner_process_event_eNeale Ranns1-1/+1
Change-Id: Idcff6108f4f965344afce9ff614018239819dc95 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-02-18NAT: VPP-1552 code migration from old multiarch schemeFilip Varga1-34/+26
Change-Id: I88f3df8aaa521e7707ef3335acdbf1ab41e7ee28 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-01-21NAT: VPP-1537 IPFIX per worker processingFilip Varga1-3/+5
Change-Id: I428bd25a513eb9fe65bea56572fea8cab7c51681 Signed-off-by: Filip Varga <fivarga@cisco.com>
2018-12-14NAT: counters (VPP-1484)Matus Fabian1-13/+53
Change-Id: I5d1852a09712adfe7547c200d161539736aca6f5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-29NAT: syslog - sessions logging (VPP-1139)Matus Fabian1-0/+11
Change-Id: I6e0b7cf37c1a9ac66f8ac011db29504e57844ee9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-20NAT44: fix virtual fragmentation reassembly in forwarding mode (VPP-1501)Matus Fabian1-0/+8
Change-Id: Id86d8aa8753b9b2ff4c709b11e3901ba8d552918 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-11-14Remove c-11 memcpy checks from perf-critical codeDave Barach1-6/+5
Change-Id: Id4f37f5d4a03160572954a416efa1ef9b3d79ad1 Signed-off-by: Dave Barach <dave@barachs.net>
2018-10-19NAT44: fix ICMP virtual fragmentation reassembly (VPP-1466)Matus Fabian1-18/+40
Change-Id: I8006bca02948d9121f474a3d14f0576747bb3c51 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-08NAT44: do not create session record for identity mapping (VPP-1439)Matus Fabian1-7/+32
Change-Id: I39a3146a4e4ba8eadf50af7113b9ae6b1c1d688f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-10-02Update code to compute checksum for buffer chainsJuraj Sloboda1-3/+5
Compute ICMP checksum for buffer chains Fix checksum function for buffer chains Change-Id: I39b845b94a63c3ab5fc9f6f9ab36cadbc67c104f Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-21NAT: Refactoring / Housekeeping (VPP-1415)Matus Fabian1-3646/+1067
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-20NAT44 virtual fragmentation reassembly for endpoint-dependent mode (VPP-1325)Juraj Sloboda1-16/+389
Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-06NAT: fix maximum out of order fragments (VPP-1399)Matus Fabian1-1/+1
All fragments should be dropped when max_frag is 1 and 2 non-initial fragments are received before first fragment. Change-Id: Id0c968f45629698e347e8226c5926f27b48b82d6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03NAT44: client-IP based session affinity for load-balancing (VPP-1297)Matus Fabian1-18/+23
Enable client-IP based session affinity per LB NAT rule with specific timeout. Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27NAT44: add support for session timeout (VPP-1272)Matus Fabian1-34/+183
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired sessions. When inserting to session lookup hash and bucket is full, expired session is overwritten. Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-16VPP-1386: fix wrong ip address of hash key for creating user in unknown protocolshubing guo1-1/+1
Change-Id: I6239e930a8805207f8e42d15e8b17d444047e3f3 Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
2018-08-15NAT44: fix next_src_nat (VPP-1384)Matus Fabian1-6/+7
Use rx_fib_index instead of sm->inside_fib_index for session lookup key. Change-Id: I2d6cce5b9376fa8ac4d75a9bbfa8498be0fd1493 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-09NAT44: delete user with zero sessions (VPP-1282)Matus Fabian1-0/+4
Change-Id: I756e3ad3de9ffe1494221ef95c1943c8591f8f50 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-23NAT44: fix forwarding feature bug (VPP-1349)Matus Fabian1-3/+3
Change-Id: I5009fcfde5c627d59dea3edda15486b9392134a2 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-19Remove unused argument to vlib_feature_nextDamjan Marion1-16/+8
Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-11avoid using thread local storage for thread indexDamjan Marion1-5/+5
It is cheaper to get thread index from vlib_main_t if available... Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-10NAT44: multiple outside FIB tables (VPP-1314)Matus Fabian1-2/+2
Change-Id: I56eb15f8fd2d3049845287dc3df7870582764f8b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-15NAT44: endpoint dependent mode (VPP-1273)Matus Fabian1-571/+1343
To enable NAT plugin endpoint dependent mode add following to statrup config: nat { endpoint-dependent } Enable endpoint dependent filtering and mapping for all sessions. Move some existing functionality such as service load balancing, twice nat, out2in-only static mappings and unknown protocol dynamic translations, which use endpoint dependent lookup hash tables before. Basically split to vanilla NAT44 and extra features NAT44. Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-28NAT44: code cleanup and refactor (VPP-1285)Matus Fabian1-107/+108
Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-17NAT44: nat44_del_session and nat44_user_session_details API update (VPP-1271)Matus Fabian1-10/+6
Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-14NAT44: delete closed TCP session (VPP-1274)Matus Fabian1-8/+14
Change-Id: Id25b447bddccb7b321123e4abc4134e7261a0807 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-08NAT44: TCP connection close detection (VPP-1266)Matus Fabian1-0/+10
Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-19Add special Twice-NAT feature (VPP-1221)Juraj Sloboda1-2/+7
When enabled then Twice-NAT is applied only when source IP equals destination IP after DNAT Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-18NAT44: recycle old sessions for forwarding bypass (VPP-1240)Matus Fabian1-10/+54
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-12Handle DHCP replies with NAT44 forwarding enabledMatthew Smith1-48/+57
When NAT44 forwarding is disabled, if a DHCP server-to- client packet arrives on an outside interface, it is handled correctly by setting the next node to the next feature on the ip4-unicast feature arc, where it can be processed. When NAT44 forwarding is enabled, if a DHCP server-to- client packet arrives, it is not handled any differently than other packets and ends up going to ip4-lookup which results in the packet being dropped. Move the check for DHCP server-to-client packets outside of the block that is executed if forwarding is disabled so DHCP replies will be processed in either case. Change-Id: Ia795cce3fd459f3252c2c17d53bb88ceaeaafca4 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-04-11NAT44: fix setting of flag SNAT_SESSION_FLAG_LOAD_BALANCING (VPP-1235)Matus Fabian1-10/+11
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-24User session counters stay <= per-user limitMatthew Smith1-3/+3
When a user session is allocated/reused, only increase one of the session counters for that user if the counters are below the per-user limit. THis addresses a SEGV that arises after the following sequence of events: - an outside interface IP address is put in a pool - a user exceeds the number of per-user translations by an amount greater than the number of per-user translations (nsessions + nstaticsessions > 100 + 100) - the outside interface IP address is deleted and then added again (observed when using DHCP client, likely happens if address changed via CLI, API also) - the user sends more packets that should be translated When nsessions is > the per-user limit, nat_session_alloc_or_recycle() reclaims the oldest existing user session. When an outside address is deleted, the corresponding user sessions are deleted. If the counters were far above the per-user limit, the deletions wouldn't result in the counters dropping back below the limit. So no session could be reclaimed -> SEGV. Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-23NAT44: fix ICMP checksum update crash (VPP-1205)Matus Fabian1-0/+3
Change-Id: I3e4bbfe205c86cb0839dd5c542f083dbe6bea881 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-22NAT44: interface output feature and dst NAT (VPP-1200)Matus Fabian1-1/+51
Do not translate packet which go out via nat44-in2out-output and was tranlated in nat44-out2in before. On way back forward packet to nat44-in2out node. Change-Id: I934d69856f0178c86ff879bc691c9e074b8485c8 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-05NAT44 - unknown protocols work with forwardingMatthew Smith1-6/+9
If forwarding is enabled, inbound packets on an outside interface should not be dropped and instead pass on to the FIB lookup. This works for TCP and UDP but not other IP protocols. Enable it for unknown protocols. Change-Id: I1da84b5633a36b3e5e64079754db2fcc50f29819 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-02NAT44: interface output feature and service host direct access (VPP-1176)Matus Fabian1-4/+54
forwarding mode: session initiaded from service host - translate session initiaded from remote host - do not translate Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-02-14NAT44 out2in DHCP client next nodeMatthew Smith1-8/+24
Call vnet_feature_next() for DHCP replies instead of using default ip4-lookup. This allows DHCP replies to reach an outside interface if it's configured as a DHCP client. Change-Id: Icce1cd68b21256fcd6b1fad6792c06578b0e4e36 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-01-26NAT44: fix ICMP error translation for endpoint dependent sessions (VPP-1150)Matus Fabian1-2/+75
Change-Id: I85c799f28c4246884107e569a36482af10d9be9d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-20Translate matching packets using NAT (VPP-1069)Juraj Sloboda1-48/+74
Add API function which enables forwarding of packets not matching existing translation or static mapping instead of dropping them. When forwarding is enabled matching packets will be translated while non-matching packets will be forwarded without translation. Change-Id: Ic13040cbad16d3a1ecdc3e02a497171bef6aa413 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>