aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
AgeCommit message (Collapse)AuthorFilesLines
2018-03-28NAT44: fix nat44_user_session_dump and nat44_del_session crash with one ↵Matus Fabian2-2/+2
worker (VPP-1213) Change-Id: I8e0c7ed2ff462b9ab59c233f56be262ec03c29ff Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-26NAT44: interface output feature and dst NAT (VPP-1200)Matus Fabian2-7/+78
Do not translate packet which go out via nat44-in2out-output and was tranlated in nat44-out2in before. On way back forward packet to nat44-in2out node. Change-Id: I934d69856f0178c86ff879bc691c9e074b8485c8 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit 4d023c8c930b2a4220998d4c211d751e33324faa)
2018-03-26NAT44: interface output feature and service host direct access (VPP-1176)Matus Fabian2-6/+117
forwarding mode: session initiaded from service host - translate session initiaded from remote host - do not translate Change-Id: I0e3733361de4b85068b9be02f953154a478ce8cc Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-26User session counters stay <= per-user limitMatthew Smith3-22/+28
When a user session is allocated/reused, only increase one of the session counters for that user if the counters are below the per-user limit. THis addresses a SEGV that arises after the following sequence of events: - an outside interface IP address is put in a pool - a user exceeds the number of per-user translations by an amount greater than the number of per-user translations (nsessions + nstaticsessions > 100 + 100) - the outside interface IP address is deleted and then added again (observed when using DHCP client, likely happens if address changed via CLI, API also) - the user sends more packets that should be translated When nsessions is > the per-user limit, nat_session_alloc_or_recycle() reclaims the oldest existing user session. When an outside address is deleted, the corresponding user sessions are deleted. If the counters were far above the per-user limit, the deletions wouldn't result in the counters dropping back below the limit. So no session could be reclaimed -> SEGV. Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2018-03-23NAT44: fix ICMP checksum update crash (VPP-1205)Matus Fabian2-0/+6
Change-Id: I3e4bbfe205c86cb0839dd5c542f083dbe6bea881 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit 3f2dd30b0bf7cf3d82c720d5065178c1fa628c6b)
2018-03-23NAT44: fix nat_not_translate_output_feature in dual loop (VPP-1194)Matus Fabian1-2/+2
Change-Id: Icb858414145db0e5fef495e155903b3b935e50ba Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit 3c2a416c42a0481698735a0b1e355bfb7a702882)
2018-03-23NAT44: fix removal of LB static mappings with same local address and port ↵Matus Fabian1-5/+35
pair (VPP-1199) Change-Id: Iad8c626e83bbc58d5c85b6736f5a3dd5bc9ceafb Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit e877d68407d316adb64baa855985b746dcb2e102)
2018-03-21Revert "NAT44: interface output feature and service host direct access ↵Matus Fabian2-117/+6
(VPP-1176)" This reverts commit d30c94afe4e67298b3da6fd839e0210844cf45a5. Change-Id: Ic076f6c116e1d816c492eb8e03e50cf95cedae77 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-14NAT44 - unknown protocols work with forwardingMatthew Smith1-6/+9
If forwarding is enabled, inbound packets on an outside interface should not be dropped and instead pass on to the FIB lookup. This works for TCP and UDP but not other IP protocols. Enable it for unknown protocols. Change-Id: I1da84b5633a36b3e5e64079754db2fcc50f29819 Signed-off-by: Matthew Smith <mgsmith@netgate.com> (cherry picked from commit 03f942a1cc4de3963507fc7075d91aff0cae7d58)
2018-03-14NAT44: interface output feature and service host direct access (VPP-1176)Matus Fabian2-6/+117
forwarding mode: session initiaded from service host - translate session initiaded from remote host - do not translate Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit 204591d1bd754f6086edcf8b27a95beab929a78f)
2018-03-14NAT44: fix nat_not_translate_output_feature for ICMP (VPP-1191)Matus Fabian1-8/+7
Change-Id: I1552e1418b704fdf1f1fa2c0174313b9b82a37a3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-03-14when lb tcp in2out flow,ahdj0071-0/+1
in2out and out2in protocol are not same Change-Id: I4ce680ad1f088cb079e1f2aeb15ca59225fca0d1 Signed-off-by: ahdj007 <dong.juan1@zte.com.cn> (cherry picked from commit 9691cf2d082727fb2f88e85050068dc6fd761bcd)
2018-03-14when exceed max reass,ahdj0071-6/+12
frag packet can't get reass. adding bihash,it can rewrite new hash value. so need to delete hash after compare hash value. Change-Id: I83b5c47890110e9a598b78cfbe8fcd27bbe291bb Signed-off-by: ahdj007 <dong.juan1@zte.com.cn> (cherry picked from commit 5e85c54d229e443d30dabe9bca39625587add8a5)
2018-03-14NAT44: allow to configure one interface only as output or input feature ↵Matus Fabian1-0/+12
(VPP-1192) following is not possible: set interface nat44 out GigabitEthernet0/3/0 output-feature set interface nat44 out GigabitEthernet0/3/0 Change-Id: I1592cc18390881fda66f98316700886b8f5295f0 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit e4e34c23fe7050c26967997fdb8f555c51fd3961)
2018-03-09reass frag_n should to be inited to 0ahdj0071-0/+1
Change-Id: I8a4a7a85e86acbfe411e6dfa22e3976d7d4c903b Signed-off-by: ahdj007 <dong.juan1@zte.com.cn> (cherry picked from commit 9f06d0eccf06b82b42cc55f02c37cbed9e1aab83)
2018-02-27NAT: replace format_vnet_sw_interface_name with format_vnet_sw_if_index_name ↵Matus Fabian2-39/+32
(VPP-1149) Change-Id: I860468bdc21c6ee07f63c8854592c46ca631ebc2 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-02-27NAT44: in2out output feature skip translation for already translated packets ↵Matus Fabian2-15/+74
(VPP-1156) Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit f7ad5cbe819533523169e8a88876b94b9f38789c)
2018-02-27NAT44: fix ICMP error translation for endpoint dependent sessions (VPP-1150)Matus Fabian2-4/+150
Change-Id: Iae15d15b470bdde759d08201de9d6dc5afef0ee9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-02-26NAT44: run NAT nodes after ACL (VPP-1160)Matus Fabian1-15/+15
NAT input features run after acl-plugin-in-ip4-fa NAT output features run after acl-plugin-out-ip4-fa Change-Id: I1e4487a0d6fdb99a90b8db640d9ad0e0eb7347a5 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit 16f0546cadb1248f9dce99788ecc50cc2668c7e4)
2018-02-05NAT64: Run nat64-expire-worker-walk only when NAT64 is configured (VPP-1162)Matus Fabian2-4/+48
Change-Id: Ic5e8d74bf5ac84cce5661de44778c89541c67636 Signed-off-by: Matus Fabian <matfabia@cisco.com> (cherry picked from commit e71eb5922a293eca36dbd323970741daaca3c5c7)
2018-01-08NAT: fixed get_worker_out2in bug (VPP-1116)Matus Fabian2-4/+12
Change-Id: I5e080d69f28661cc0b1846885d5001526b54fbd9 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-01-03NAT64: free port when dynamic BIB deleted (VPP-1107)v18.04-rc0Matus Fabian6-39/+46
Change-Id: Id897ed61a26a4069678ed4ddac1ba28bf32809c3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-21VPP-1109 Fix loop for some CLI (code review)Swarup Nayak1-0/+1
Change-Id: I518387ab479bee4778d45a33c95f7b0f72aa1b72 Signed-off-by: Swarup Nayak <swarupnpvt@gmail.com>
2017-12-20Translate matching packets using NAT (VPP-1069)Juraj Sloboda6-48/+238
Add API function which enables forwarding of packets not matching existing translation or static mapping instead of dropping them. When forwarding is enabled matching packets will be translated while non-matching packets will be forwarded without translation. Change-Id: Ic13040cbad16d3a1ecdc3e02a497171bef6aa413 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-12-19NAT: Twice NAT44 (VPP-969)Matus Fabian6-783/+821
Translation of both source and destination addresses and ports for 1:1 NAT session initiated from outside network (ExternalIP K8 use case). Change-Id: Ic0000497cf71619aac996d6d580844f0ea0edc14 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-18NAT: Add performance testing TRex scripts and config (VPP-832)Matus Fabian13-0/+426
Change-Id: I149a20f183b836db4c32fb4e4a8438b3a14c1c26 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-18Fix nat44 identity mappingDave Barach1-0/+5
Set l_addr to the interface address if the interface address is known when the identity mapping is created. Change-Id: I61af0f5248c9d86d23a24457b342b2e1fb4ac726 Signed-off-by: Dave Barach <dave@barachs.net>
2017-12-14NAT64: fix coverity (VPP-1032)Matus Fabian2-0/+4
CIDs 180713 and 180714 Change-Id: Ia4856d1a62f176e99983f8c82eaa09d5df9d4ca5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-13NAT64: multi-thread support (VPP-891)Matus Fabian15-505/+1263
Change-Id: Iebf859b6d86482e4465423bad598eecf87e53ec4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-13NAT: DS-Lite AFTR tunnel endpoint address respond to ICMPv6 echo request ↵Matus Fabian1-3/+8
(VPP-1090) Change-Id: I361c043979274eac1aefcd95abdf1624a3ef2756 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-12-11call unformat_free in some flow, remove unnecessary callsSwarup Nayak1-8/+0
Change-Id: I565277eafbce3d4f59a7f0d497fca1c4fed3cfc8 Signed-off-by: Swarup Nayak <swarupnpvt@gmail.com>
2017-11-30NAT44: identity NAT (VPP-1073)Matus Fabian3-7/+301
Identity mapping translate an IP address to itself. Change-Id: Icc0ca5102d32547a4b0c75720b5f5bf41ed69c71 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-30Fix variable mismatchJuraj Sloboda1-1/+1
Change-Id: Iae2f9f9652cecdf7e754700b2fe107ad61ff8ff9 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2017-11-29NAT: Remove old SNAT API (VPP-1070)Matus Fabian3-2114/+221
Change-Id: I3d936d456ee27b2e0857843295efb60a9f2d0be7 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-13NAT: Buufer overflow for memcpy()Ole Troan1-3/+2
Change-Id: I11d1f9507d429ad8b25e9873272ede231623e622 Signed-off-by: Ole Troan <ot@cisco.com>
2017-11-09Port restricted NAT44 (VPP-1048)Matus Fabian2-8/+149
For the MAP-E CE limit port choice based on PSID CLI: nat44 addr-port-assignment-alg map-e psid <n> psid-offset <n> psid-len <n> Change-Id: Iecceee61fca372cb5790c16993a82fbdc9930f0f Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-08NAT64 to use IPv4 address from interface (VPP-1051)Matus Fabian5-0/+217
Change-Id: I326429c31dea6958a342ee152ef86cb975f4b12c Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-07SNAT: IP fragmentation (VPP-890)Matus Fabian12-33/+2998
Translation of fragmented packets. Change-Id: I9b1f2e9433ce273638080f32c2d3bff39c49899d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-07NAT: DS-Lite (VPP-1040)Matus Fabian12-23/+1630
Dual-Stack Lite enables a broadband service provider to share IPv4 addresses among customers by combining two well-known technologies: IPv4-in-IPv6 and NAT. Change-Id: I039740f8548c623cd1ac89b8ecda1a6cc4aafb9c Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-11-03NAT64: Input feature arc on virtual interface via interface RX DPO.Ole Troan1-2/+44
Change-Id: If2048c7d72048679bc5d0412f3fae109926f759e Signed-off-by: Ole Troan <ot@cisco.com>
2017-11-01nat plugin - fix test logicGabriel Ganne1-1/+1
warning found by clang: warning: logical not is only applied to the left hand side of this bitwise operator [-Wlogical-not-parentheses] Change-Id: I964651a4444b11da145edc329da83675cd830f78 Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
2017-10-26NAT: delete session API/CLI (VPP-1041)Matus Fabian4-0/+172
Administratively delete NAT44 session for specific inside/outside addresses and port pair. Change-Id: If5ab500ac3592c7153d6d8f2cc0297df7309fbc3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-25One armed NAT (VPP-1035)Matus Fabian8-33/+289
Use a single physical interface in order to accomplish NAT44/NAT64. Change-Id: I0c8138953a7a4075df306172e125abad771315e4 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-14NAT: fix delete of sessions for 1:1 NAT if 1 worker (VPP-1023)Matus Fabian1-1/+1
Change-Id: I2446c646de7f227f9438dd7ef93a455ba5af0102 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-09vppapigen: support per-file (major,minor,patch) version stampsDave Barach1-0/+3
Add one of these statements to foo.api: vl_api_version 1.2.3 to generate a version tuple stanza in foo.api.h: /****** Version tuple *****/ vl_api_version_tuple(foo, 1, 2, 3) Change-Id: Ic514439e4677999daa8463a94f948f76b132ff15 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Ole Troan <ot@cisco.com>
2017-10-09NAT: hairpinning rework (VPP-1003)Matus Fabian2-14/+114
Change-Id: I7c6911cd6ac366fe62675fd0ff8b0246a25ea1db Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-09NAT: fixed ICMP broken translation for GRE tunnel interface (VPP-1008)Matus Fabian3-31/+27
Change-Id: Ie3245b96c511cc30915e70e8c881f445291a38c2 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-10-03Repair vlib API socket serverDave Barach2-2/+2
- Teach vpp_api_test to send/receive API messages over sockets - Add memfd-based shared memory - Add api messages to create memfd-based shared memory segments - vpp_api_test supports both socket and shared memory segment connections - vpp_api_test pivot from socket to shared memory API messaging - add socket client support to libvlibclient.so - dead client reaper sends ping messages, container-friendly - dead client reaper falls back to kill (<pid>, 0) live checking if e.g. a python app goes silent for tens of seconds - handle ping messages in python client support code - teach show api ring about pairwise shared-memory segments - fix ip probing of already resolved destinations (VPP-998) We'll need this work to implement proper host-stack client isolation Change-Id: Ic23b65f75c854d0393d9a2e9d6b122a9551be769 Signed-off-by: Dave Barach <dave@barachs.net> Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Signed-off-by: Florin Coras <fcoras@cisco.com>
2017-09-26NAT: remove worker_by_in lookup hash table (VPP-992)Matus Fabian4-97/+30
Change-Id: I3873d3e411bf93cac82e73a0b8e3b22563aaf217 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2017-09-26Memory overwritten when using unformat %u (VPP-987)Aequitas3-19/+19
Change-Id: I7d8f807fb502d61688aa1dee25fa4edcbeb32f41 Signed-off-by: Aequitas <wang.junqi@zte.com.cn>