Age | Commit message (Collapse) | Author | Files | Lines |
|
Make number of worker handoff frame queue elements configurable as
a set nat frame-queue-nelts command. The default value is 64 which
is the same value that was previously hard-coded. The idea is that
allowing larger values can be useful in some cases, to avoid
congestion drops. Also add nat_set_fq_options API support and a
corresponding test case.
Type: improvement
Change-Id: I5c321eb2d7997f76fac2703d9c4a5b2516375db3
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
|
|
This change introduces flow concept to endpoint-dependent NAT. Instead
of having a session and a plethora of special cases in code for e.g.
hairpinning, twice-nat and others, figure all this out and store it in
flow logic. Every flow has a match and a rewrite part. This unifies all
the NAT packet processing cases into one - match a flow and rewrite the
packet based on that flow. It also provides a cure for hairpinning
dilemma where one part of the flow is on one worker and another on
a different one. These cases are also sped up by not requiring
destination adress lookup every single time to be able to rewrite source
nat as this is now part of flow rewrite logic.
Type: improvement
Change-Id: Ib60c992e16792ea4d4129bc10202ebb99a73b5be
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Split ED and EI nat44 test cases. Added multi worker
support for ED test cases.
Type: refactor
Change-Id: Ibcc2f62b94cacff69ed35c5d914b55f9fdbcf882
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Fix in nat44 hairpinning code to check if anything was actually
changed in the snat_hairpinning() routine, and return 0 if nothing
changed. This helps avoid an infinite loop repeating the three
nodes nat44-hairpinning-->ip4-lookup-->ip4-local in case there
was no change. Also add a corresponding test case.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I95f48476bd002ac4c6789afe504681f1963e5d38
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
|
|
Add a condition where a TCP session in transitory timeout is kept
instead of being erroneously deleted.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ic625c8c88cc8864293ebd57b0321505652af9380
|
|
Fixed nat_ha and ipfix tests. Removed obsolete tests
and moved extended tests to standard tests.
Type: fix
Change-Id: I2d7f4c4fa4c52a4aa10d70c956e085a0fe00b911
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Fixed compatibility issue between
nat ei and nat ed modes. Moved nat
syslogging to nat librarry. Deprecating
apis that will be integrated in upcoming
candidate configuration patch.
Type: refactor
Change-Id: I334b1b05b81b74667c5c76a05f768442e0dcf7e8
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Calculate bihash buckets as n_elts / 2.5 rounded to closest pow2
per Damjan's recommendation. Remove memory configuration parameters
because bihash init ignores them anyway as it resides in main heap now.
Type: improvement
Change-Id: I189f463f3c4640106cce4f12d3c5a62969276a82
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
This patch changes initialization and configuration of NAT
plugin. Instead of allocating data structures at vpp plugin
initialization phase allocation and configuration happens
after calling enable API or CLI call. This reduces base VPP
memory footprint and also enables dynamic reconfiguration
of the NAT plugin.
Type: improvement
Change-Id: I42c069ee19a0311d043ac1f3f230d87bc8d2680f
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: refactor
Change-Id: I8785e4987e4f60361072440d0c3c6954c9c12394
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: refactor
Change-Id: I3b9e17164647d2019b1f40cffeed63393345219e
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Translation memory size is internally a uword, but in api it was u32,
resulting in the returned value being 0 all the time.
Fix the "incorrect" API reply to return a u32 capped to 0xffffffff if
the u64 is larger than that, introduce the message with
the correct type, deprecate the message with the incorrect type.
Also, while we are updating the message definition,
add the max translations / max users per worker thread
into the new message.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I92e38a6a2bcb70fc8d1b129bbe416bf7f9e54280
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
fib table removal would leave lingering sessions in vpp
this patch is aimed at solving this issue by grouping
sessions by source and destionation fib. if one of the
fibs gets removed this grouping is tagged as expired
and session won't be passed to non existing fib table
Ticket: VPPSUPP-93
Type: improvement
Change-Id: I45b1205a8b58d91f174e6feb862554ec2f6cffad
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: refactor
Change-Id: I0bb203102a0e13dd7448e2125925ab356bbd7937
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Some statistics counters were implemented as error counters. Move them
to stat segment, where they belong.
Type: improvement
Change-Id: I5600bec1b4e0496282297374ec1e79d909cdaf8a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: refactor
Change-Id: I8c1f0c02a4522c1f9e461ddadd59938579ec00c6
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I04952865b7e2b447763d0b67d120c3d933177646
|
|
Prefer using source port form packet as outside port if possible.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I5c25f6a42386f38c9a6cc95bd7dda9f090b49817
|
|
Derive reasonable values from max translations/max users.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I41a96ab63ab138b4160cd60bd6df24fc73791c86
|
|
Parallel merges introduced two test clasess with a same name. Rename
latter, so that former is seen (and run) by test runner again.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I47772b41bb940bfdda4536cdd1f9b5e3768ca18b
|
|
Since the removal of "users" concept in ED-NAT nat44_user_dump API
returns empty array. This brings back previous behaviour at
a considerable runtime cost until a better API is introduced.
Type: improvement
Change-Id: I5a45923cfeb6b8ebe6fc906601264d6567386991
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Change-Id: Ife726d2f6baaa3516c209011183f39670cf6a55d
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
This fixes a situation where long-lived inactive session blocks LRU
list. Solution is to have multiple LRU lists based on session type.
This helps because session timeout is same for all sessions of same
type.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
|
|
Use a lookup table instead.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
|
|
Force session cleanup drops NAT db.
Also fixing user specific cli/api calls.
Type: improvement
Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: improvement
Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
The api no longer requires packed ip addresses.
Type: test
Change-Id: If67365d86b7c3189f871a58234e99f9c8f875371
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
With port overloading, port is no longer a scarce resource and there
is no need to limit connections per internal IP. This saves one hash
insert in slow path.
Type: improvement
Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Fixes: b86437b79b82493c2e9728929df417f55b153824
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I2c833928dcdceb4d23dfc161bcc3358272076980
|
|
Previously dslite was moved to separate plugin folder
and CE mode was removed. But it still needed.
This patch adds CE option to separate config entry
Type: feature
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: If153ae08fa385ba5a6605cb412e49bbb4d1db46c
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: If5c00faa309cf3e1ea8bdf8b23250041f6a499c4
|
|
Type: refactor
Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a.
Reason for revert: Verify failure. Doesn't build.
Type: fix
Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Wait transitory timeout seconds before moving internal state of TCP
session to CLOSED state per RFC 7857. This patch implements this
functionality for endpoint-dependent NAT.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I5ec761bfcdc13a8238b83ff46c2f1c53ec0e79d8
|
|
Patch changes the behavior of session scavenging and fixes multiple
nat issues. Allows proper session clearing and removes issue with lingering sessions
in session db. Patch also updates and fixes CLI/API calls for better readability
of session state metrics. Fixes security issue that would allow attacker to
reuse timed out session in both directions (in2out/out2in).
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
|
|
Type: refactor
Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: feature
The current feature ordering of NAT44 nodes with respect to the
ACL plugin's IPv4 input/output features is:
ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes
ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes
ACL rules with action permit+reflect can keep track of outbound
flows and allow the replies inbound without an explicit inbound rule.
If ACL permit+reflect rules are configured on an interface that also
has NAT44 configured with output-feature/postrouting translation of
outbound packets, the ACL rules cannot allow inbound packets. The
ACL state that was stored on the outbound flow contains the IP
addresses of the original packet, prior to translation. The inbound
packets are being evaluated by the ACL node using the translated
addresses.
The order of processing inbound needs to be the opposite of what it
was outbound for this to work. Change the NAT44 features on
ip4-output so that they run before outbound ACL nodes. This matches
the existing behavior of the NAT44 nodes which rewrite
source addresses as an input feature instead of an output feature.
This was only done for endpoint dependent mode because the regular
endpoint independent in2out-output node currently selects an
explicit next node rather than using the next node on the feature
arc.
Unit test added to configure both NAT and an ACL and ensure that
out2in packets matching an in2out flow are permitted by the ACL
and translated by NAT.
Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Remove NAT's implementation of shallow virtual reassembly with
corresponding CLIs, APIs & tests. Replace with standalone shallow
virtual reassembly provided by ipX-sv-reass* nodes.
Type: refactor
Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Ticket: VPP-1795
Type: fix
Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: feature
from the API doc, a table replace is:
"
The use-case is that, for some unspecified reason, the control plane
has a very different set of entries it wants in the table than VPP
currently has. The CP would thus like to 'replace' VPP's current table
only by specifying what the new set of entries shall be, i.e. it is not
going to delete anything that already eixts.
the CP delcartes the start of this procedure with this begin_replace
API Call, and when it has populated all the entries it wants, it calls
the below end_replace API. From this point on it is of coursce free
to add and delete entries as usual.
The underlying mechanism by which VPP implements this replace is
purposefully left unspecified.
"
In the FIB, the algorithm is implemented using mark and sweep.
Algorithm goes:
1) replace_begin: this marks all the entries in that table as 'stale'
2) download all the entries that should be in this table
- this clears the stale flag on those entries
3) signal the table converged: ip_table_replace_end
- this removes all entries that are still stale
this procedure can be used when an agent first connects to VPP,
as an alternative to dump and diff state reconciliation.
Change-Id: I168edec10cf7670866076b129ebfe6149ea8222e
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: refactor
Change-Id: I204f3f8eebc5f5d5a377e91262f91c615fd00168
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
Type: fix
Since CentOS 8, RPM build script doesn't accept '#!/usr/bin/env python'
as a valid shebang line. It requires scripts to explicitly chose
between python2 or python3.
Change all to use python3 as suggested by Paul Vinciguerra.
Depends-On: https://gerrit.fd.io/r/23170
Signed-off-by: Renato Botelho do Couto <renato@netgate.com>
Change-Id: Ie72af9f60fd0609e07f05b70f8d96e738b2754d1
|
|
Ticket: VPP-1798
Type: fix
Change-Id: I42f02d5824575720e95b9fc99cfa864252221a82
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I5b03e5de111c3a3b8da4e9f02cba0aa99e3ee9f3
|
|
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ie15ea8f01846f87cb65e90e8762dc941441fc176
|
|
NAT hasn't worked when NAT interfaces wasn't in
default VRF (fib_index = 0). This issue has been occurred with
interfaces with output-feature in endpoint-dependent mode.
Update VAT commands:
- update nat44_add_del_address_range
- add nat44_interface_add_del_output_feature
Ticket: VPP-1732
Type: fix
Change-Id: Iddea15dde4b948f159a0056d48c55bd917037fd1
Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
|
|
Enforce that variable length fields are the last element of API messages.
Add a 'fixed' version of string type, since dealing with
multiple variable length strings turned out too painful
for the C language bindings.
The string type is now:
{
string name[64]; // NUL terminated C-string. Essentially decays to u8 name[64]
string name[]; // Variable length string with embedded len field (vl_api_string_t)
};
The latter notation could be made available to other types as well.
e.g.
{
vl_api_address_t addresses[];
}
instead of
{
u32 n_addr;
vl_api_address_t addresses[n_addr];
};
Type: fix
Change-Id: I18fa17ef47227633752ab50453e8d20a652a9f9b
Signed-off-by: Ole Troan <ot@cisco.com>
|