summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/out2in.c
AgeCommit message (Collapse)AuthorFilesLines
2018-04-19Add special Twice-NAT feature (VPP-1221)Juraj Sloboda1-2/+7
When enabled then Twice-NAT is applied only when source IP equals destination IP after DNAT Change-Id: I58a9d1d222b2a10c83eafffb2107f32c1b4aa3a8 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-04-18NAT44: recycle old sessions for forwarding bypass (VPP-1240)Matus Fabian1-10/+54
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-04-12Handle DHCP replies with NAT44 forwarding enabledMatthew Smith1-48/+57
When NAT44 forwarding is disabled, if a DHCP server-to- client packet arrives on an outside interface, it is handled correctly by setting the next node to the next feature on the ip4-unicast feature arc, where it can be processed. When NAT44 forwarding is enabled, if a DHCP server-to- client packet arrives, it is not handled any differently than other packets and ends up going to ip4-lookup which results in the packet being dropped. Move the check for DHCP server-to-client packets outside of the block that is executed if forwarding is disabled so DHCP replies will be processed in either case. Change-Id: Ia795cce3fd459f3252c2c17d53bb88ceaeaafca4 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-04-11NAT44: fix setting of flag SNAT_SESSION_FLAG_LOAD_BALANCING (VPP-1235)Matus Fabian1-10/+11
Change-Id: Ieeafb41d10959700bfd434cd455800af31944150 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-24User session counters stay <= per-user limitMatthew Smith1-3/+3
When a user session is allocated/reused, only increase one of the session counters for that user if the counters are below the per-user limit. THis addresses a SEGV that arises after the following sequence of events: - an outside interface IP address is put in a pool - a user exceeds the number of per-user translations by an amount greater than the number of per-user translations (nsessions + nstaticsessions > 100 + 100) - the outside interface IP address is deleted and then added again (observed when using DHCP client, likely happens if address changed via CLI, API also) - the user sends more packets that should be translated When nsessions is > the per-user limit, nat_session_alloc_or_recycle() reclaims the oldest existing user session. When an outside address is deleted, the corresponding user sessions are deleted. If the counters were far above the per-user limit, the deletions wouldn't result in the counters dropping back below the limit. So no session could be reclaimed -> SEGV. Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-23NAT44: fix ICMP checksum update crash (VPP-1205)Matus Fabian1-0/+3
Change-Id: I3e4bbfe205c86cb0839dd5c542f083dbe6bea881 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-22NAT44: interface output feature and dst NAT (VPP-1200)Matus Fabian1-1/+51
Do not translate packet which go out via nat44-in2out-output and was tranlated in nat44-out2in before. On way back forward packet to nat44-in2out node. Change-Id: I934d69856f0178c86ff879bc691c9e074b8485c8 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-05NAT44 - unknown protocols work with forwardingMatthew Smith1-6/+9
If forwarding is enabled, inbound packets on an outside interface should not be dropped and instead pass on to the FIB lookup. This works for TCP and UDP but not other IP protocols. Enable it for unknown protocols. Change-Id: I1da84b5633a36b3e5e64079754db2fcc50f29819 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-02NAT44: interface output feature and service host direct access (VPP-1176)Matus Fabian1-4/+54
forwarding mode: session initiaded from service host - translate session initiaded from remote host - do not translate Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-02-14NAT44 out2in DHCP client next nodeMatthew Smith1-8/+24
Call vnet_feature_next() for DHCP replies instead of using default ip4-lookup. This allows DHCP replies to reach an outside interface if it's configured as a DHCP client. Change-Id: Icce1cd68b21256fcd6b1fad6792c06578b0e4e36 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-01-26NAT44: fix ICMP error translation for endpoint dependent sessions (VPP-1150)Matus Fabian1-2/+75
Change-Id: I85c799f28c4246884107e569a36482af10d9be9d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-20Translate matching packets using NAT (VPP-1069)Juraj Sloboda1-48/+74
Add API function which enables forwarding of packets not matching existing translation or static mapping instead of dropping them. When forwarding is enabled matching packets will be translated while non-matching packets will be forwarded without translation. Change-Id: Ic13040cbad16d3a1ecdc3e02a497171bef6aa413 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-12-19NAT: Twice NAT44 (VPP-969)Matus Fabian1-193/+117
Translation of both source and destination addresses and ports for 1:1 NAT session initiated from outside network (ExternalIP K8 use case). Change-Id: Ic0000497cf71619aac996d6d580844f0ea0edc14 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-13NAT64: multi-thread support (VPP-891)Matus Fabian1-0/+1
Change-Id: Iebf859b6d86482e4465423bad598eecf87e53ec4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-07SNAT: IP fragmentation (VPP-890)Matus Fabian1-2/+334
Translation of fragmented packets. Change-Id: I9b1f2e9433ce273638080f32c2d3bff39c49899d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-09NAT: fixed ICMP broken translation for GRE tunnel interface (VPP-1008)Matus Fabian1-10/+7
Change-Id: Ie3245b96c511cc30915e70e8c881f445291a38c2 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-09-26NAT: remove worker_by_in lookup hash table (VPP-992)Matus Fabian1-4/+0
Change-Id: I3873d3e411bf93cac82e73a0b8e3b22563aaf217 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-09-25NAT: session number limitation to avoid running out of memory crash (VPP-984)Matus Fabian1-21/+56
Change-Id: I7f18f8c4ba609d96950dc1f833feb967d4a099b7 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-09-20NAT: move session and user lookup tables to per thread data (VPP-986)Matus Fabian1-12/+20
Change-Id: I41a51bb36e31e05c76fef0b34fe006afbee27729 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-09-15Modify return value of snat_out2in_lb(VPP-985)dongjuan1-5/+6
in order to trace session_index Change-Id: I4433155fbe21635f8a997523e2c7900c6a7569af Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
2017-09-06NAT: Destination NAT44 with load-balancing (VPP-954)Matus Fabian1-11/+194
added load-balancing static mappings with unequal load support Change-Id: Ie505e41f24d46f812b94dd28bdafe3dc170a6060 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-08-23NAT: Rename snat plugin to nat (VPP-955)Matus Fabian1-0/+2294
Change-Id: I30a7e3da7a4efc6038a91e27b48045d4b07e2764 Signed-off-by: Matus Fabian <matfabia@cisco.com>