aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/test
AgeCommit message (Collapse)AuthorFilesLines
2020-03-13nat: timed out session scavenging upgradeFilip Varga1-73/+0
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-02-05nat: move dslite to separate sub-pluginOle Troan2-305/+338
Type: refactor Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7 Signed-off-by: Ole Troan <ot@cisco.com>
2020-01-24nat: in2out-output nodes work with acl reflectMatthew Smith1-0/+103
Type: feature The current feature ordering of NAT44 nodes with respect to the ACL plugin's IPv4 input/output features is: ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes ACL rules with action permit+reflect can keep track of outbound flows and allow the replies inbound without an explicit inbound rule. If ACL permit+reflect rules are configured on an interface that also has NAT44 configured with output-feature/postrouting translation of outbound packets, the ACL rules cannot allow inbound packets. The ACL state that was stored on the outbound flow contains the IP addresses of the original packet, prior to translation. The inbound packets are being evaluated by the ACL node using the translated addresses. The order of processing inbound needs to be the opposite of what it was outbound for this to work. Change the NAT44 features on ip4-output so that they run before outbound ACL nodes. This matches the existing behavior of the NAT44 nodes which rewrite source addresses as an input feature instead of an output feature. This was only done for endpoint dependent mode because the regular endpoint independent in2out-output node currently selects an explicit next node rather than using the next node on the feature arc. Unit test added to configure both NAT and an ACL and ensure that out2in packets matching an in2out flow are permitted by the ACL and translated by NAT. Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-01-03nat: use SVRKlement Sekera1-182/+6
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2019-12-12nat: session cleanup fixFilip Varga1-55/+95
Ticket: VPP-1795 Type: fix Change-Id: Ib3b5742119d7013c293a11eb3dd1aadf46b422dd Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-11-26fib: Table ReplaceNeale Ranns1-13/+16
Type: feature from the API doc, a table replace is: " The use-case is that, for some unspecified reason, the control plane has a very different set of entries it wants in the table than VPP currently has. The CP would thus like to 'replace' VPP's current table only by specifying what the new set of entries shall be, i.e. it is not going to delete anything that already eixts. the CP delcartes the start of this procedure with this begin_replace API Call, and when it has populated all the entries it wants, it calls the below end_replace API. From this point on it is of coursce free to add and delete entries as usual. The underlying mechanism by which VPP implements this replace is purposefully left unspecified. " In the FIB, the algorithm is implemented using mark and sweep. Algorithm goes: 1) replace_begin: this marks all the entries in that table as 'stale' 2) download all the entries that should be in this table - this clears the stale flag on those entries 3) signal the table converged: ip_table_replace_end - this removes all entries that are still stale this procedure can be used when an agent first connects to VPP, as an alternative to dump and diff state reconciliation. Change-Id: I168edec10cf7670866076b129ebfe6149ea8222e Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-15tests: Remove the unrequired VPP IP address/prefix class wrappersNeale Ranns1-13/+7
Type: refactor Change-Id: I204f3f8eebc5f5d5a377e91262f91c615fd00168 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-11-05misc: Fix python scripts shebang lineRenato Botelho do Couto2-2/+2
Type: fix Since CentOS 8, RPM build script doesn't accept '#!/usr/bin/env python' as a valid shebang line. It requires scripts to explicitly chose between python2 or python3. Change all to use python3 as suggested by Paul Vinciguerra. Depends-On: https://gerrit.fd.io/r/23170 Signed-off-by: Renato Botelho do Couto <renato@netgate.com> Change-Id: Ie72af9f60fd0609e07f05b70f8d96e738b2754d1
2019-11-05nat: NAT udp counter & unit test fixesFilip Varga1-16/+16
Ticket: VPP-1798 Type: fix Change-Id: I42f02d5824575720e95b9fc99cfa864252221a82 Signed-off-by: Filip Varga <fivarga@cisco.com>
2019-10-22ip: ipfix-export API updateJakub Grajciar1-80/+76
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I5b03e5de111c3a3b8da4e9f02cba0aa99e3ee9f3
2019-10-17nat: tests support python3Ole Troan1-10/+9
Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ie15ea8f01846f87cb65e90e8762dc941441fc176
2019-09-23nat: fix update of outside fibs (output-feature)Dmitry Vakhrushev1-1/+120
NAT hasn't worked when NAT interfaces wasn't in default VRF (fib_index = 0). This issue has been occurred with interfaces with output-feature in endpoint-dependent mode. Update VAT commands: - update nat44_add_del_address_range - add nat44_interface_add_del_output_feature Ticket: VPP-1732 Type: fix Change-Id: Iddea15dde4b948f159a0056d48c55bd917037fd1 Signed-off-by: Dmitry Vakhrushev <dmitry@netgate.com>
2019-09-03api: enforce vla is last and fixed string typeOle Troan1-1/+1
Enforce that variable length fields are the last element of API messages. Add a 'fixed' version of string type, since dealing with multiple variable length strings turned out too painful for the C language bindings. The string type is now: { string name[64]; // NUL terminated C-string. Essentially decays to u8 name[64] string name[]; // Variable length string with embedded len field (vl_api_string_t) }; The latter notation could be made available to other types as well. e.g. { vl_api_address_t addresses[]; } instead of { u32 n_addr; vl_api_address_t addresses[n_addr]; }; Type: fix Change-Id: I18fa17ef47227633752ab50453e8d20a652a9f9b Signed-off-by: Ole Troan <ot@cisco.com>
2019-08-22tests: move plugin tests to src/plugins/*/testDave Wallace2-0/+9846
- Relocate plugin tests for 'make test' into src/plugins/*/test so that plugin test cases are co-located with the plugin source code. Type: refactor Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I503e6a43528e14981799b735fa65674155713f67 Signed-off-by: Dave Wallace <dwallacelf@gmail.com>