Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: improvement
Support SO_ORIGINAL_DST socket option to get original dst_ip4 and dst_port if nat44 rule enabled.
Change-Id: If00e00d03e48f3b78a23a68f1b078954d79dd0f7
Signed-off-by: qinyang <qiny@yusur.tech>
|
|
List of changed messages:
- nat44_add_del_static_mapping
- nat44_user_session_dump
- nat44_user_session_details
- nat44_user_session_v2_dump
- nat44_user_session_v2_details
This change is part of VPP API cleanup initiative.
Type: fix
Signed-off-by: Ondrej Fabry <ofabry@cisco.com>
Change-Id: I317ae93a0e763c3759a8c24fd550e1c97f6f4987
|
|
Nat in2out sessions are distributing among workers by client
addresses. In case there's multiple client vrfs with very
similar client addresses (usually from rfc1918), session
distribution/load can be unfair just due similar hash.
Let's take dynamic client fib_index into account, it'll affect
external port range only, outside address picking has own
address-based hash therefore not affected.
Type: improvement
Change-Id: I56ab2e1ce8dd27f2b1f9e7f22839ccf7774bfb82
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
The unformat type for "%d" should be u32 or int.
Type: fix
Signed-off-by: Ted Chen <znscnchen@gmail.com>
Change-Id: I2483df6259ed8d3c7648c8db6345e5063ac8b57e
|
|
Adding api nat44_ed_vrf_tables_v2_dump which may replace
nat44_ed_vrf_tables_dump in the future.
- fixing endianess
Type: improvement
Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
Change-Id: I40d09ea3252589bdcb61db9f1629dacd87f69978
|
|
Change of enums used in REPLY_MACRO() to appropriate one
for handlers:
-vl_api_nat44_ed_add_del_vrf_table_t_handler
-vl_api_nat44_ed_add_del_vrf_route_t_handler
Type: fix
Change-Id: I58e97817b1678da7c025c0d03a8b938a4e0f7b6c
Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
|
|
Nat session is allocated before the port allocation. During port allocation
candidate address+port are set to o2i 6-tuple and tested against the flow hash.
If insertion fails, the port is busy and rejected. When all N attempts are
unsuccessful, "out-of-ports" error is recorded and the session is to be
deleted.
During session deletion o2i and i2o tuples are deleted from the flow hash.
In case of "out-of-ports" i2o tuple is not valid, however o2i is and it refers
to **some other** session that's known to be allocated.
By backing match tuple up session should be invalidated well enough not to
collide with any valid one.
Type: fix
Signed-off-by: Dmitry Valter <d-valter@yandex-team.ru>
Change-Id: Id30be6f26ecce7a5a63135fb971bb65ce318af82
|
|
Type: fix
Change-Id: Ifc709b6e7217a893d13aee6d3019e699637366ef
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
Change-Id: I2a96ab0dafe4db796704341c325c43a6960be312
|
|
fix memory leak and refactor nat44-ed db init/free through.
how to reproduce memory leak: input "set nat44 session limit
50000 vrf 1" repeatedly.
Program received signal SIGABRT, Aborted.
0x00007ff4b3cc5337 in raise () from /lib64/libc.so.6
(gdb) bt
0 0x00007ff4b3cc5337 in raise () from /lib64/libc.so.6
1 0x00007ff4b3cc6a28 in abort () from /lib64/libc.so.6
2 0x00000000004079db in os_panic () at /usr/src/debug/vpp-23.02/src/vpp/vnet/main.c:417
3 0x00007ff4b43e784f in os_out_of_memory ()
at /usr/src/debug/vpp-23.02/src/vppinfra/unix-misc.c:221
4 0x00007ff4b43a71aa in clib_mem_heap_alloc_inline (heap=0x0, size=27263040, align=64,
os_out_of_memory_on_failure=1) at /usr/src/debug/vpp-23.02/src/vppinfra/mem_dlmalloc.c:613
5 0x00007ff4b43a7256 in clib_mem_alloc_aligned (size=27263040, align=64)
at /usr/src/debug/vpp-23.02/src/vppinfra/mem_dlmalloc.c:635
6 0x00007ff4b522fafa in alloc_aligned_16_8 (h=0x7ff46a7815b8 <snat_main+408>, nbytes=27262976)
at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:59
7 0x00007ff4b522fd12 in clib_bihash_instantiate_16_8 (h=0x7ff46a7815b8 <snat_main+408>)
at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:163
8 0x00007ff4b5230037 in clib_bihash_init2_16_8 (a=0x7ff465f36870)
at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:245
9 0x00007ff4b52300ac in clib_bihash_init_16_8 (h=0x7ff46a7815b8 <snat_main+408>,
name=0x7ff46a754871 "ed-flow-hash", nbuckets=262144, memory_size=0)
at /usr/src/debug/vpp-23.02/src/vppinfra/bihash_template.c:260
10 0x00007ff46a7013e8 in reinit_ed_flow_hash ()
at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed.c:3264
11 0x00007ff46a7014fd in nat44_ed_sessions_clear ()
at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed.c:3299
12 0x00007ff46a701044 in nat44_update_session_limit (session_limit=70000, vrf_id=1)
at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed.c:3225
13 0x00007ff46a73d3d1 in nat44_set_session_limit_command_fn (vm=0x7ff473c8f740,
input=0x7ff465f36ef0, cmd=0x7ff474c5ce48)
at /usr/src/debug/vpp-23.02/src/plugins/nat/nat44-ed/nat44_ed_cli.c:1638
14 0x00007ff4b5d56527 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740,
cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=97)
at /usr/src/debug/vpp-23.02/src/vlib/cli.c:650
15 0x00007ff4b5d562c3 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740,
cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=98)
at /usr/src/debug/vpp-23.02/src/vlib/cli.c:607
16 0x00007ff4b5d562c3 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740,
cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=21)
at /usr/src/debug/vpp-23.02/src/vlib/cli.c:607
17 0x00007ff4b5d562c3 in vlib_cli_dispatch_sub_commands (vm=0x7ff473c8f740,
cm=0x4273f0 <vlib_global_main+48>, input=0x7ff465f36ef0, parent_command_index=0)
at /usr/src/debug/vpp-23.02/src/vlib/cli.c:607
18 0x00007ff4b5d569cb in vlib_cli_input (vm=0x7ff473c8f740, input=0x7ff465f36ef0,
function=0x7ff4b5dc2406 <unix_vlib_cli_output>, function_arg=0)
---Type <return> to continue, or q <return> to quit---
at /usr/src/debug/vpp-23.02/src/vlib/cli.c:753
19 0x00007ff4b5dc7b0c in unix_cli_process_input (cm=0x7ff4b5e4ae00 <unix_cli_main>,
cli_file_index=0) at /usr/src/debug/vpp-23.02/src/vlib/unix/cli.c:2616
20 0x00007ff4b5dc825a in unix_cli_process (vm=0x7ff473c8f740, rt=0x7ff4797a5280, f=0x0)
at /usr/src/debug/vpp-23.02/src/vlib/unix/cli.c:2745
21 0x00007ff4b5d80a25 in vlib_process_bootstrap (_a=140687718901968)
at /usr/src/debug/vpp-23.02/src/vlib/main.c:1221
22 0x00007ff4b439e298 in clib_calljmp () at /usr/src/debug/vpp-23.02/src/vppinfra/longjmp.S:123
23 0x00007ff4698268a0 in ?? ()
24 0x00007ff4b5d80b4e in vlib_process_startup (vm=0x7ff4b43a77a3 <clib_mem_size+24>,
p=0x7ff4698268d0, f=0x7ff474b1e580) at /usr/src/debug/vpp-23.02/src/vlib/main.c:1246
25 0x00007ff4b5dbdbe6 in vec_max_bytes (v=0x8)
at /usr/src/debug/vpp-23.02/src/vppinfra/vec_bootstrap.h:161
26 0x00007ff474b1e598 in ?? ()
27 0x0000000000000004 in ?? ()
28 0x00000000000000ff in ?? ()
29 0x00007ff469826980 in ?? ()
30 0x00007ff4b5dbddcb in _vec_set_len (
v=<error reading variable: Cannot access memory at address 0xfffffffffffffff5>,
len=<error reading variable: Cannot access memory at address 0xffffffffffffffed>,
elt_sz=<error reading variable: Cannot access memory at address 0xffffffffffffffe5>)
at /usr/src/debug/vpp-23.02/src/vppinfra/vec_bootstrap.h:196
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
Type: fix
Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
Change-Id: I52a7d229c95e4ab30f7f2cfe574440aa37bed6a2
|
|
After deleting a sw interface with nat44 features, the next created
sw interface will get the same sw_index reused and therefore will
erroneously have the same nat features enabled.
Type: fix
Change-Id: I1d84f842ab7ab2a757668ae1a111efe67e1e924d
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
NAT44 enable/disable return status was used
instead of appropriate VNET_API_ERROR_ code.
Type: fix
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
Change-Id: If944866bf3061afdc91284c0ad475135e529bdc4
|
|
Type: fix
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
Change-Id: I1f5069df2dc743ecd1269e947dd375cb1b84970f
|
|
Each NAT44 ED session has a per_vrf_sessions_index referencing
an element in the thread-local vector per_vrf_sessions_vec.
However this index can be possibly invalidated by vec_del1() in
per_vrf_sessions_cleanup(), before a session is registered.
Such a stale index can cause an assertion failure in function
per_vrf_sessions_is_expired() when we use it to locate the
per_vrf_sessions object.
A possible sequence to reproduce is:
1. Create two NAT44 ED sessions s1, s2 so that two per_vrf_sessions are created:
index 0: between VRF pair 10 and 11 (expired=0, ses_count=1)
index 1: between VRF pair 20 and 21 (expired=0, ses_count=1)
For the sessions we have:
s1->per_vrf_sessions_index == 0
s2->per_vrf_sessions_index == 1
2. Delete the first session via CLI, now the two per_vrf_sessions become:
index 0: between VRF pair 10 and 11 (expired=0, ses_count=0)
index 1: between VRF pair 20 and 21 (expired=0, ses_count=1)
For the sessions we have:
s2->per_vrf_sessions_index == 1
3. Delete the VRF 11:
index 0: between VRF pair 10 and 11 (expired=1, ses_count=0)
index 1: between VRF pair 20 and 21 (expired=0, ses_count=1)
For the sessions we have:
s2->per_vrf_sessions_index == 1
4. Create a new session s3 between VRF pair 20 and 21 so that the first
per_vrf_sessions will be deleted:
index 0: between VRF pair 20 and 21 (expired=0, ses_count=2)
For the sessions we have:
s2->per_vrf_sessions_index == 1
s3->per_vrf_sessions_index == 0
Here, note that the actual index of per_vrf_session is changed due
to vec_del1(). The new session is added after the cleanup so it gets
the correct index. But the index held by the existing session is not
updated.
5. Trigger the fast path of the session s2. To achieve this, session
s2 could be created in step 1 by
ping -i20 -Iiface_in_vrf_10 1.1.1.1
and steps 2-4 should then be performed within the 20-second interval.
This patch fixes this by changing per_vrf_sessions_vec to a pool so
that indicies are kept intact.
Type: fix
Signed-off-by: Jing Peng <jing@meter.com>
Change-Id: I4c08f9bfd50134bcb5f08e50ad61af2bddbcb645
|
|
fix byte order error about the struct snat_address_t's member net.
for example configurations:
set interface ip table loop1 1
set interface ip addr loop1 10.10.10.2/24
nat44 add address 10.10.10.2 tenant-vrf 1
the snat address's net should be "as_u8 = {0xa, 0xa, 0xa, 0x0}",
but now it's "as_u8 = {0x0, 0xa, 0xa, 0x2}" because of missing
transition of byte order about the member net of snat_address_t.
(gdb) p/x *snat_main->addresses
$3 = {addr = {data = {0xa, 0xa, 0xa, 0x2}, data_u32 = 0x20a0a0a,
as_u8 = {0xa, 0xa, 0xa, 0x2}, as_u16 = {0xa0a, 0x20a},
as_u32 = 0x20a0a0a}, net = {data = {0x0, 0xa, 0xa, 0x2},
data_u32 = 0x20a0a00, as_u8 = {0x0, 0xa, 0xa, 0x2},
as_u16 = {0xa00, 0x20a}, as_u32 = 0x20a0a00},
sw_if_index = 0x3, fib_index = 0x1,addr_len = 0x18}
(gdb)
Type: fix
Signed-off-by: Huawei LI <lihuawei_zzu@163.com>
Change-Id: I4f25f0639ae90a7f2e8715b44f825571283d994d
|
|
Type: refactor
1) Removed deprecated API.
- These specific APIs do not have repleacement
because features that they controled
aren't part of current NAT44-ED
implementation anymore.
2) Removed unused typedef of port allocation funciton.
- Missed left over removed.
Change-Id: Ib3f763449065eda7cdcb2c6565a9cae51baf23d6
Signed-off-by: Filip Varga <filipvarga89@gmail.com>
|
|
Type: improvement
Change-Id: I3fbbda0378b72843ecd39a7e8592dedc9757793a
Signed-off-by: Damjan Marion <dmarion@me.com>
|
|
existing details report the last_heard as the seconds since VPP
started, this is not very useful, so report additionaly
time_since_last_heard in seconds between VPP time and
last_heard.
Change-Id: Ifd34b1449e57919242b1f0e22156d3590af3c738
Type: improvement
Signed-off-by: Dave Cornejo <dcornejo@netgate.com>
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
|
|
Type: docs
Change-Id: Icfa2bdc9367f8438b53da7c89caec263ed6ab056
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
The number of available dynamic ports is set to (0xffff - 1024) =
64511, which is not divisable by the pow2 number of workers - the
only integer divisors are 31 and 2081.
So, total dynamic port range of all workers will be less than it:
1 wrk: n = (port_per_thread = 64511/1)*1 = 64511 + 1025 = 65536
2 wrk: n = (port_per_thread = 64511/2)*2 = 64510 + 1025 = 65535
4 wrk: n = (port_per_thread = 64511/4)*4 = 64508 + 1025 = 65533
8 wrk: n = (port_per_thread = 64511/8)*8 = 64504 + 1025 = 65529
...
As seen, with multiple workers there are unused trailing ports for every
nat pool address and that is the reason of out-of-bound index in the
worker array on out2in path due (port - 1024) / port_per_thread math.
This was fixed in 5c9f9968de63fa627b4a72b344df36cdc686d18a, so packets
to unused ports will go to existing worker and dropped there.
Per RFC 6335 https://www.rfc-editor.org/rfc/rfc6335#section-6:
6. Port Number Ranges
o the System Ports, also known as the Well Known Ports, from 0-1023
(assigned by IANA)
o the User Ports, also known as the Registered Ports, from 1024-
49151 (assigned by IANA)
o the Dynamic Ports, also known as the Private or Ephemeral Ports,
from 49152-65535 (never assigned)
According that let's allocate dynamic ports from 1024 and have full port
range with a wide range of the workers number - 64 integer divisors in
total, including pow2 ones:
1 wrk: n = (port_per_thread = 64512/1)*1 = 64512 + 1024 = 65536
2 wrk: n = (port_per_thread = 64512/2)*2 = 64512 + 1024 = 65536
3 wrk: n = (port_per_thread = 64512/3)*3 = 64512 + 1024 = 65536
4 wrk: n = (port_per_thread = 64512/4)*4 = 64512 + 1024 = 65536
5 wrk: n = (port_per_thread = 64512/5)*5 = 64510 + 1024 = 65534
6 wrk: n = (port_per_thread = 64512/6)*6 = 64512 + 1024 = 65536
7 wrk: n = (port_per_thread = 64512/7)*7 = 64512 + 1024 = 65536
8 wrk: n = (port_per_thread = 64512/8)*8 = 64512 + 1024 = 65536
...
Modulo from 5c9f9968de63fa627b4a72b344df36cdc686d18a is still required
when the numbers of workers is not the integer divisor of 64512.
Type: fix
Fixes: 5c9f9968de63fa627b4a72b344df36cdc686d18a
Change-Id: I9edaea07e58ff4888812b0d86cbf41a3784b189e
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
|
|
When a session is found expired, the next node of in2out fast path
should be in2out slow path instead of out2in slow path.
Type: fix
Signed-off-by: Jing Peng <jing@meter.com>
Change-Id: If1dd920502089c25b33bea5434823b0496a44499
|
|
Zero-initialize a variable.
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: Iccf2eb4bf26755d6cd93fc70df3c5481d69ce7eb
|
|
Zero-initialize the variable
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Change-Id: I4ee127ac3e2a3beffa11bbc96db1f3254b3f7c5d
|
|
In case of a bad packet, the bihash kv is not initialized before being
copied in the trace. Make sure it is initialized to 0.
Type: fix
Change-Id: I22fcfe99f3586d0fa128493059547a56557b8fb5
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
rather than using obfuscated macro hacery, simplify
the per-protocol data management by directly using
an array of NAT protocol types.
Type: refactor
Signed-off-by: Jon Loeliger <jdl@netgate.com>
Change-Id: I6fe987556ac9f402f8d490da0740e2b91440304c
|
|
Previously, each address maintained an array of 32-bit
reference counts for each of 65K possible ports for each
of 4 NAT protocols. Totalling 1MB per address. Wow.
A close read of the code shows that an "is used" check
precedes each attempted reference count increment.
That means the refcount never actually gets above 1.
That in turn means algorithmically, a bit vector is
sufficient. And one need not be allocated for more
than the highest validated port referenced.
These changes introduce a dynamically sized bit vector
replacing the reference counts, for a maximum of 32K
if all 4 protocols use port 65535. In fact, protocol
OTHER is never used, so at most 24K will be used, and
none of it will be "statically" allocated per address.
Type: fix
Fixes: 85bee7548bc5a360851d92807dae6d4159b68314
Change-Id: I7fd70050e7bf4871692a862231f8f38cf0158132
Signed-off-by: Jon Loeliger <jdl@netgate.com>
|
|
In several NAT submodules, the number of available ports (0xffff - 1024)
may not be divisible by the number of workers, so port_per_thread is
determined by integer division, which is the floor of the quotient.
Later when a worker index is needed, dividing the port with port_per_thread
may yield an out-of-bound array index into the workers array.
As an example, assume 2 workers are configured, then port_per_thread
will be (0xffff - 1024) / 2, which is 32255. When we compute a worker
index with port 0xffff, we get (0xffff - 1024) / 32255, which is 2,
but since we only have 2 workers, only 0 and 1 are valid indices.
This patch fixes the problem by adding a modulo at the end of the division.
Type: fix
Signed-off-by: Jing Peng <pj.hades@gmail.com>
Change-Id: Ieae3d5faf716410422610484a68222f1c957f3f8
|
|
Type: fix
A packet passing through nat44-ei-in2out-output,
has its ttl value validated in earlier nodes.
"ip4-input" node checks ttl for locally generated packets.
"ip4-rewrite" node validates ttl in forwarded packets.
Thus for example, the ED counterpart disables ttl checks
in its "nat44-ed-in2out-output" node.
This patch updates nat44 EI conditions for ttl checks to
those currently used in nat44 ED case, meaning no extra ttl
validation for in2out when output-feature is enabled.
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
Change-Id: Idd15d7c9a746b60c0a6dac5537d00ef10c257fdc
|
|
- add pnat_binding_add_v2 which explicitly requires match mask to
set to PNAT_PROTO if we want to match on IP Protocol
- fix pnat_binding_add backward compatibility i.e. no need to set
match mast to PNAT_PROTO
Type: improvement
Signed-off-by: Fahad Naeem <fahadnaeemkhan@gmail.com>
Change-Id: I5a23244be55b7d4c10552c555881527a4b2f325f
|
|
Drop pycodestyle for code style checking in favor of black. Black is
much faster, stable PEP8 compliant code style checker offering also
automatic formatting. It aims to be very stable and produce smallest
diffs. It's used by many small and big projects.
Running checkstyle with black takes a few seconds with a terse output.
Thus, test-checkstyle-diff is no longer necessary.
Expand scope of checkstyle to all python files in the repo, replacing
test-checkstyle with checkstyle-python.
Also, fixstyle-python is now available for automatic style formatting.
Note: python virtualenv has been consolidated in test/Makefile,
test/requirements*.txt which will eventually be moved to a central
location. This is required to simply the automated generation of
docker executor images in the CI.
Type: improvement
Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Replace code with branchless code.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ic38a20ad33483c1c26f90a927f8b963b0ead4a87
|
|
The RFC7857 state machine introduced in 56c492a is a trade-off.
It tries to retain sessions as much as possible and also offers
some protection against spurious RST by re-establishing sessions if data
is received after the RST. From experience in the wild, this algorithm is
a little too liberal, as it leaves too many spurious established sessions
in the session table.
E.g. a oberserved pattern is:
client server
<- FIN, ACK
ACK ->
ACK ->
RST, ACK ->
With the current state machine this would leave the session in established state.
These proposed changes do:
- require 3-way handshake to establish session.
(current requires only to see SYNs from both sides)
- RST will move session to transitory without recovery if data is sent after
- Only a single FIN is needed to move to transitory
Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Set is_add function argument to 0 when deleting interface role.
Change-Id: I6ca88d6511e1c88285e51b3750eb501fde2b341b
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
|
|
Two similar CLI paths "nat44" and "nat44 add interface address"
caused unexpected behavior. If "nat44 add interface address"
command would fail the vlib cli processing function would
call "nat44" handler. This would also clean any previously
set errors from the first command and basically return
same error returned by "nat44" handler for every failed
command that starts with the same path string.
Fixes nat44-ed and nat44-ei plugin.
Change-Id: I1aac85c8ae2932da582a2b78243521d1bf8a0653
Ticket: VPP-2021
Type: fix
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
This patch affects how destination fib is choosen during session
creation. Default behavior of choosing fib based on output
interfaces is kept.
Configuration gives you the ability to change default behavior
to direct or restrict traffic between different FIB tables.
NAT specific VRF routing options:
a) keeping communication in the same VRF
b) option to add multiple destination VRFs
c) option to control the resolution order of destination VRFs
TX FIB resolution is based on looking up RX FIB entry in NATs
VRF table and picking the first FIB that resolves
destination address.
Ticket: VPP-2009
Type: improvement
Change-Id: If500c48d7ce3466533ad9581c0847870788fc4fb
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Set deprecated option on unsupported API calls.
Cleaned up API calls with deprecated option. Removed
in progress option from long term used API calls.
Removed obsolete/unused nodes, functions, variables.
Fixed set frame queue nelts function. Calling API
would incorrectly not fail even though frame queue nelts
can only be set before first call nat44_plugin_enable.
Moved all formatting functions to _format.c file.
Type: refactor
Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
This allows specifying both c string and vector for node name
and removes need for crafting temporary string.
Type: improvement
Change-Id: I0b016cd70aeda0f68eb6f9171c5152f303be7369
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Add missing translation of ICMP inner IP layer.
Change responsible test so that it actually tests something.
Type: fix
Fixes: 4881cb4c6f
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Id3a6f12a7308d81b1cdf9815f857221fab2f24d9
|
|
Type: refactor
Change-Id: Ifd533a095d979dc55bfbe5fac7e0b7510a4d900c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
TCP/UDP packets which are dropped are not counted towards TCP/UDP
counters. Apply same behaviour to ICMP packets.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I487fa7135ac8e49431a621fac213638d2dab31c8
|
|
Type: refactor
IP4 does not depend on TCP (it's the other way around).
This upside down dependency leads to some nasty circular includes when trying to use ip46_address.h in interface.h
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a1bd21543b08b9c1cf1e5563da738414734a878
|
|
This also changes the behavior of the nat44-ei hairpinning feature.
Rather then enabling the feature on every nat interface, it is enabled
only on local0.
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4e16a83c9e328aa75fc61df508b620ef743ca775
|
|
We invoke nat_affinity_enable for nat44_plugin_enable.
We need to invoke nat_affinity_disable for nat44_plugin_disable
to free the memory for bihash.
Type: fix
Fixes: I2743f7b1104b627bcc5ef937e3a50655313a26ea
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I9adeb3225136e3fff853c2d5b8f9a30e98ddcf4c
|
|
Removing obsolete unused nat44-ei nodes and functions.
Type: refactor
Change-Id: I1e03e283091c3c0d92908d04037cba00a348351a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Implement proper state machine based on above RFCs. ACKs to SYNs/FINs
are no longer required/tracked. This is more friendly to peers and
accounts for lost packets and retransmits.
This change also means that all traffic is translated and forwarded
while in transitory timeout, which helps delivering e.g. retransmitted
FINs, FINACKs and other messages.
Also support reopening a session in transitory timeout after seeing both
FINs by seeing both SYNs again. This helps quick connection
reestablishment if the peers want to.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com>
Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
|
|
Change [1] put static mappings in flow hash. This change also broke
relationship between nat pool addresses and static mappings. Port and
address are no longer reserved in nat pool address records for a new
static mapping.
Because of this change both nat objects and their configuration can
function independently. This change also removed already broken logic of
having static-mapping-only configuration.
In this patch i have cleaned up and removed unnecessary logic for static
mapping configuration functions, address configuration functions,
interface configuraiton functions and all callback functions used for
resolving interface address bound records.
No more viable configuration option static-mapping-only is also removed
because there is no more option to run traffic through vpp for static
mappings without having flow hash table allocated. Instead user is now
able to create static mapping records without using nat pool addresses.
Fixed and improved management of required fib entries (ensuring VPP will
reply to ARP for all external addresses on outside interfaces) through
holding a refcount for their creation and removal.
[1] https://gerrit.fd.io/r/c/vpp/+/34077
Type: improvement
Change-Id: Ic16deefbede833d574c2a5972155c9afa5bc62ce
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
This patch improves algorithm responsible for choosing nat pool address
during dynamic session creation.
Patch synchronizes nat pool address attributes with vpp interfaces doing
so gives nat option to determine correct nat pool address when creating
dynamic session.
Improvements:
* match dst address subnet and src fib with nat pool address
* for output-feature also fallback match of tx_sw_if_index with nat
pool address
Type: improvement
Change-Id: I594638bc76fc1153f582add376838b4b72ff573a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: improvement
Change-Id: Ifa074dfd337f9cd68858468d34abf641fe7f247f
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Modify the ipfix_exporter to use ip_address instead of the ipv4 specific
version. Modify the current code so that it writes into the v4 specific
part of the address, i.e. we are not yet fully supporting IPv6. For the
exporter configured via the original API (the one that is always in slot0)
we will not support IPv6 addresses.
Type: improvement
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: Ic9854ac62aaee76a7a55a958234c456fd9828c4c
|
|
When a new flow-report is created the caller provides 2 callback functions.
These functions both take a pointer to the exporter, plus a pointer to the
source and dest address. However the pointers to the address are not adding
any value as these are always set to the src/dest addresses of the exporter
(which is already being passed). Remove these parameters and leave the
callback functions to get the addresses out of the exporter.
Type: improvement
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I36dec394f30e85cdca120dd8706b5d90f5e07c48
|