summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/test
AgeCommit message (Collapse)AuthorFilesLines
2021-02-05nat: configurable handoff frame queue sizeElias Rudberg1-0/+27
Make number of worker handoff frame queue elements configurable as a set nat frame-queue-nelts command. The default value is 64 which is the same value that was previously hard-coded. The idea is that allowing larger values can be useful in some cases, to avoid congestion drops. Also add nat_set_fq_options API support and a corresponding test case. Type: improvement Change-Id: I5c321eb2d7997f76fac2703d9c4a5b2516375db3 Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
2021-01-18nat: deal with flows instead of sessionsKlement Sekera1-4/+4
This change introduces flow concept to endpoint-dependent NAT. Instead of having a session and a plethora of special cases in code for e.g. hairpinning, twice-nat and others, figure all this out and store it in flow logic. Every flow has a match and a rewrite part. This unifies all the NAT packet processing cases into one - match a flow and rewrite the packet based on that flow. It also provides a cure for hairpinning dilemma where one part of the flow is on one worker and another on a different one. These cases are also sped up by not requiring destination adress lookup every single time to be able to rewrite source nat as this is now part of flow rewrite logic. Type: improvement Change-Id: Ib60c992e16792ea4d4129bc10202ebb99a73b5be Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-12-16nat: refactor & MW support for NAT testsFilip Varga2-3592/+3659
Split ED and EI nat44 test cases. Added multi worker support for ED test cases. Type: refactor Change-Id: Ibcc2f62b94cacff69ed35c5d914b55f9fdbcf882 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-12-08nat: avoid hairpinning infinite loop problemElias Rudberg1-0/+88
Fix in nat44 hairpinning code to check if anything was actually changed in the snat_hairpinning() routine, and return 0 if nothing changed. This helps avoid an infinite loop repeating the three nodes nat44-hairpinning-->ip4-lookup-->ip4-local in case there was no change. Also add a corresponding test case. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I95f48476bd002ac4c6789afe504681f1963e5d38 Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
2020-12-03nat: fix incorrect session removal caseKlement Sekera1-2/+35
Add a condition where a TCP session in transitory timeout is kept instead of being erroneously deleted. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ic625c8c88cc8864293ebd57b0321505652af9380
2020-11-26nat: fix testsFilip Varga1-106/+10
Fixed nat_ha and ipfix tests. Removed obsolete tests and moved extended tests to standard tests. Type: fix Change-Id: I2d7f4c4fa4c52a4aa10d70c956e085a0fe00b911 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-13nat: cleanup & reorganizationFilip Varga1-0/+0
Fixed compatibility issue between nat ei and nat ed modes. Moved nat syslogging to nat librarry. Deprecating apis that will be integrated in upcoming candidate configuration patch. Type: refactor Change-Id: I334b1b05b81b74667c5c76a05f768442e0dcf7e8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-03nat: bihash: fix buckets calc and remove mem paramKlement Sekera1-16/+0
Calculate bihash buckets as n_elts / 2.5 rounded to closest pow2 per Damjan's recommendation. Remove memory configuration parameters because bihash init ignores them anyway as it resides in main heap now. Type: improvement Change-Id: I189f463f3c4640106cce4f12d3c5a62969276a82 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-10-23nat: nat44 enable/disable dynamic configFilip Varga1-157/+74
This patch changes initialization and configuration of NAT plugin. Instead of allocating data structures at vpp plugin initialization phase allocation and configuration happens after calling enable API or CLI call. This reduces base VPP memory footprint and also enables dynamic reconfiguration of the NAT plugin. Type: improvement Change-Id: I42c069ee19a0311d043ac1f3f230d87bc8d2680f Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-09nat: ipfix logging separation & refactorFilip Varga1-11/+0
Type: refactor Change-Id: I8785e4987e4f60361072440d0c3c6954c9c12394 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-07nat: move nat64 to a subfeatureFilip Varga2-1549/+1946
Type: refactor Change-Id: I3b9e17164647d2019b1f40cffeed63393345219e Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-31nat: fix type in api messageKlement Sekera1-0/+43
Translation memory size is internally a uword, but in api it was u32, resulting in the returned value being 0 all the time. Fix the "incorrect" API reply to return a u32 capped to 0xffffffff if the u64 is larger than that, introduce the message with the correct type, deprecate the message with the incorrect type. Also, while we are updating the message definition, add the max translations / max users per worker thread into the new message. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I92e38a6a2bcb70fc8d1b129bbe416bf7f9e54280 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2020-08-17nat: sessions get expired when fib table removedFilip Varga1-4/+6
fib table removal would leave lingering sessions in vpp this patch is aimed at solving this issue by grouping sessions by source and destionation fib. if one of the fibs gets removed this grouping is tagged as expired and session won't be passed to non existing fib table Ticket: VPPSUPP-93 Type: improvement Change-Id: I45b1205a8b58d91f174e6feb862554ec2f6cffad Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-13nat: move deterministic nat to det44 sub featureFilip Varga2-619/+682
Type: refactor Change-Id: I0bb203102a0e13dd7448e2125925ab356bbd7937 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-13nat: remove non-error error countersKlement Sekera1-145/+133
Some statistics counters were implemented as error counters. Move them to stat segment, where they belong. Type: improvement Change-Id: I5600bec1b4e0496282297374ec1e79d909cdaf8a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-07-02nat: nat66 to pluginOle Troan2-153/+196
Type: refactor Change-Id: I8c1f0c02a4522c1f9e461ddadd59938579ec00c6 Signed-off-by: Ole Troan <ot@cisco.com>
2020-06-23nat: fix broken testKlement Sekera1-2/+14
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I04952865b7e2b447763d0b67d120c3d933177646
2020-06-16nat: improve outside port selection & perfKlement Sekera1-50/+64
Prefer using source port form packet as outside port if possible. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5c25f6a42386f38c9a6cc95bd7dda9f090b49817
2020-06-11nat: simplify bihash buckets/mem configKlement Sekera1-5/+4
Derive reasonable values from max translations/max users. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I41a96ab63ab138b4160cd60bd6df24fc73791c86
2020-05-14nat: unhide testsKlement Sekera1-5/+5
Parallel merges introduced two test clasess with a same name. Rename latter, so that former is seen (and run) by test runner again. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I47772b41bb940bfdda4536cdd1f9b5e3768ca18b
2020-05-14nat: "users" dump for ED-NATKlement Sekera1-0/+105
Since the removal of "users" concept in ED-NAT nat44_user_dump API returns empty array. This brings back previous behaviour at a considerable runtime cost until a better API is introduced. Type: improvement Change-Id: I5a45923cfeb6b8ebe6fc906601264d6567386991 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-05-14nat: fix segv if out of ports in ed modeAlexander Chernavin1-0/+47
Type: fix Change-Id: Ife726d2f6baaa3516c209011183f39670cf6a55d Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera1-0/+105
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-13nat: perf improvement - replace branchy codeKlement Sekera1-1/+1
Use a lookup table instead. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
2020-05-06nat: enable force session cleanupFilip Varga1-0/+69
Force session cleanup drops NAT db. Also fixing user specific cli/api calls. Type: improvement Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-04nat: per vrf session limitsFilip Varga1-22/+150
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-03tests: vpp_interface remove deprecated packed propertiesPaul Vinciguerra1-12/+14
The api no longer requires packed ip addresses. Type: test Change-Id: If67365d86b7c3189f871a58234e99f9c8f875371 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-24nat: ignore user hash in ED NATKlement Sekera1-11/+0
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-24nat: fix extended unit testsKlement Sekera1-2/+2
Type: fix Fixes: b86437b79b82493c2e9728929df417f55b153824 Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I2c833928dcdceb4d23dfc161bcc3358272076980
2020-04-21nat: dslite ce mode in separate config entryVladimir Ratnikov1-4/+5
Previously dslite was moved to separate plugin folder and CE mode was removed. But it still needed. This patch adds CE option to separate config entry Type: feature Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: If153ae08fa385ba5a6605cb412e49bbb4d1db46c
2020-04-20nat: remove unused codeKlement Sekera1-41/+3
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: If5c00faa309cf3e1ea8bdf8b23250041f6a499c4
2020-04-16nat: scavenging functionality removedFilip Varga1-94/+0
Type: refactor Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-03-27acl: API cleanupJakub Grajciar1-51/+14
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26acl: revert acl: api cleanupOle Trøan1-14/+51
This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a. Reason for revert: Verify failure. Doesn't build. Type: fix Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee Signed-off-by: Ole Troan <ot@cisco.com>
2020-03-26acl: API cleanupJakub Grajciar1-51/+14
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26nat: transitory timeout for TCP CLOSED stateKlement Sekera1-66/+183
Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857. This patch implements this functionality for endpoint-dependent NAT. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-15nat: test cleanupKlement Sekera1-291/+261
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5ec761bfcdc13a8238b83ff46c2f1c53ec0e79d8
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-73/+0
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-02-05nat: move dslite to separate sub-pluginOle Troan2-305/+338
Type: refactor Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7 Signed-off-by: Ole Troan <ot@cisco.com>
2020-01-24nat: in2out-output nodes work with acl reflectMatthew Smith1-0/+103
Type: feature The current feature ordering of NAT44 nodes with respect to the ACL plugin's IPv4 input/output features is: ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes ACL rules with action permit+reflect can keep track of outbound flows and allow the replies inbound without an explicit inbound rule. If ACL permit+reflect rules are configured on an interface that also has NAT44 configured with output-feature/postrouting translation of outbound packets, the ACL rules cannot allow inbound packets. The ACL state that was stored on the outbound flow contains the IP addresses of the original packet, prior to translation. The inbound packets are being evaluated by the ACL node using the translated addresses. The order of processing inbound needs to be the opposite of what it was outbound for this to work. Change the NAT44 features on ip4-output so that they run before outbound ACL nodes. This matches the existing behavior of the NAT44 nodes which rewrite source addresses as an input feature instead of an output feature. This was only done for endpoint dependent mode because the regular endpoint independent in2out-output node currently selects an explicit next node rather than using the next node on the feature arc. Unit test added to configure both NAT and an ACL and ensure that out2in packets matching an in2out flow are permitted by the ACL and translated by NAT. Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-01-03nat: use SVRKlement Sekera1-182/+6
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-12nat: session cleanup fixFilip Varga1-55/+95
Ticket: VPP-1795 Type: fix Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-26fib: Table ReplaceNeale Ranns1-13/+16
Type: feature from the API doc, a table replace is: " The use-case is that, for some unspecified reason, the control plane has a very different set of entries it wants in the table than VPP currently has. The CP would thus like to 'replace' VPP's current table only by specifying what the new set of entries shall be, i.e. it is not going to delete anything that already eixts. the CP delcartes the start of this procedure with this begin_replace API Call, and when it has populated all the entries it wants, it calls the below end_replace API. From this point on it is of coursce free to add and delete entries as usual. The underlying mechanism by which VPP implements this replace is purposefully left unspecified. " In the FIB, the algorithm is implemented using mark and sweep. Algorithm goes: 1) replace_begin: this marks all the entries in that table as 'stale' 2) download all the entries that should be in this table - this clears the stale flag on those entries 3) signal the table converged: ip_table_replace_end - this removes all entries that are still stale this procedure can be used when an agent first connects to VPP, as an alternative to dump and diff state reconciliation. Change-Id: I168edec10cf7670866076b129ebfe6149ea8222e Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-15tests: Remove the unrequired VPP IP address/prefix class wrappersNeale Ranns1-13/+7
Type: refactor Change-Id: I204f3f8eebc5f5d5a377e91262f91c615fd00168 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-05misc: Fix python scripts shebang lineRenato Botelho do Couto2-2/+2
Type: fix Since CentOS 8, RPM build script doesn't accept '#!/usr/bin/env python' as a valid shebang line. It requires scripts to explicitly chose between python2 or python3. Change all to use python3 as suggested by Paul Vinciguerra. Depends-On: https://gerrit.fd.io/r/23170 Signed-off-by: Renato Botelho do Couto <renato@netgate.com> Change-Id: Ie72af9f60fd0609e07f05b70f8d96e738b2754d1
2019-11-05nat: NAT udp counter & unit test fixesFilip Varga1-16/+16
Ticket: VPP-1798 Type: fix Change-Id: I42f02d5824575720e95b9fc99cfa864252221a82 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-10-22ip: ipfix-export API updateJakub Grajciar1-80/+76
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I5b03e5de111c3a3b8da4e9f02cba0aa99e3ee9f3
2019-10-17nat: tests support python3Ole Troan1-10/+9
Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ie15ea8f01846f87cb65e90e8762dc941441fc176
2019-09-23nat: fix update of outside fibs (output-feature)Dmitry Vakhrushev1-1/+120
NAT hasn't worked when NAT interfaces wasn't in default VRF (fib_index = 0). This issue has been occurred with interfaces with output-feature in endpoint-dependent mode. Update VAT commands: - update nat44_add_del_address_range - add nat44_interface_add_del_output_feature Ticket: VPP-1732 Type: fix Change-Id: Iddea15dde4b948f159a0056d48c55bd917037fd1 Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
2019-09-03api: enforce vla is last and fixed string typeOle Troan1-1/+1
Enforce that variable length fields are the last element of API messages. Add a 'fixed' version of string type, since dealing with multiple variable length strings turned out too painful for the C language bindings. The string type is now: { string name[64]; // NUL terminated C-string. Essentially decays to u8 name[64] string name[]; // Variable length string with embedded len field (vl_api_string_t) }; The latter notation could be made available to other types as well. e.g. { vl_api_address_t addresses[]; } instead of { u32 n_addr; vl_api_address_t addresses[n_addr]; }; Type: fix Change-Id: I18fa17ef47227633752ab50453e8d20a652a9f9b Signed-off-by: Ole Troan <ot@cisco.com>