aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
AgeCommit message (Collapse)AuthorFilesLines
2022-05-10tests: replace pycodestyle with blackKlement Sekera14-229/+315
Drop pycodestyle for code style checking in favor of black. Black is much faster, stable PEP8 compliant code style checker offering also automatic formatting. It aims to be very stable and produce smallest diffs. It's used by many small and big projects. Running checkstyle with black takes a few seconds with a terse output. Thus, test-checkstyle-diff is no longer necessary. Expand scope of checkstyle to all python files in the repo, replacing test-checkstyle with checkstyle-python. Also, fixstyle-python is now available for automatic style formatting. Note: python virtualenv has been consolidated in test/Makefile, test/requirements*.txt which will eventually be moved to a central location. This is required to simply the automated generation of docker executor images in the CI. Type: improvement Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8 Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
2022-05-10nat: improve icmp type detection performanceKlement Sekera1-12/+10
Replace code with branchless code. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ic38a20ad33483c1c26f90a927f8b963b0ead4a87
2022-04-21nat: tweak rfc7857 tcp connection trackingOle Troan4-292/+61
The RFC7857 state machine introduced in 56c492a is a trade-off. It tries to retain sessions as much as possible and also offers some protection against spurious RST by re-establishing sessions if data is received after the RST. From experience in the wild, this algorithm is a little too liberal, as it leaves too many spurious established sessions in the session table. E.g. a oberserved pattern is: client server <- FIN, ACK ACK -> ACK -> RST, ACK -> With the current state machine this would leave the session in established state. These proposed changes do: - require 3-way handshake to establish session. (current requires only to see SYNs from both sides) - RST will move session to transitory without recovery if data is sent after - Only a single FIN is needed to move to transitory Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea Signed-off-by: Ole Troan <ot@cisco.com>
2022-04-18nat: fix deleting nat ei out interface featureAlexander Skorichenko1-2/+2
Type: fix Set is_add function argument to 0 when deleting interface role. Change-Id: I6ca88d6511e1c88285e51b3750eb501fde2b341b Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
2022-04-05nat: nat44 cli bug fixFilip Varga5-42/+38
Two similar CLI paths "nat44" and "nat44 add interface address" caused unexpected behavior. If "nat44 add interface address" command would fail the vlib cli processing function would call "nat44" handler. This would also clean any previously set errors from the first command and basically return same error returned by "nat44" handler for every failed command that starts with the same path string. Fixes nat44-ed and nat44-ei plugin. Change-Id: I1aac85c8ae2932da582a2b78243521d1bf8a0653 Ticket: VPP-2021 Type: fix Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-04-01nat: VRF routing & FIB improvementsFilip Varga8-281/+727
This patch affects how destination fib is choosen during session creation. Default behavior of choosing fib based on output interfaces is kept. Configuration gives you the ability to change default behavior to direct or restrict traffic between different FIB tables. NAT specific VRF routing options: a) keeping communication in the same VRF b) option to add multiple destination VRFs c) option to control the resolution order of destination VRFs TX FIB resolution is based on looking up RX FIB entry in NATs VRF table and picking the first FIB that resolves destination address. Ticket: VPP-2009 Type: improvement Change-Id: If500c48d7ce3466533ad9581c0847870788fc4fb Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-04-01nat: nat44-ed cleanup & fixesFilip Varga7-1303/+645
Set deprecated option on unsupported API calls. Cleaned up API calls with deprecated option. Removed in progress option from long term used API calls. Removed obsolete/unused nodes, functions, variables. Fixed set frame queue nelts function. Calling API would incorrectly not fail even though frame queue nelts can only be set before first call nat44_plugin_enable. Moved all formatting functions to _format.c file. Type: refactor Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4 Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-03-23vppinfra: change vlib_register_node so it takes format string for node nameDamjan Marion1-1/+2
This allows specifying both c string and vector for node name and removes need for crafting temporary string. Type: improvement Change-Id: I0b016cd70aeda0f68eb6f9171c5152f303be7369 Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-03-17nat: fix ICMP error translationKlement Sekera1-0/+3
Add missing translation of ICMP inner IP layer. Change responsible test so that it actually tests something. Type: fix Fixes: 4881cb4c6f Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: Id3a6f12a7308d81b1cdf9815f857221fab2f24d9
2022-03-09stats: refactorDamjan Marion2-13/+7
Type: refactor Change-Id: Ifd533a095d979dc55bfbe5fac7e0b7510a4d900c Signed-off-by: Damjan Marion <damarion@cisco.com>
2022-02-21nat: make tcp/udp/icmp packet counters consistentKlement Sekera2-4/+12
TCP/UDP packets which are dropped are not counted towards TCP/UDP counters. Apply same behaviour to ICMP packets. Type: improvement Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Change-Id: I487fa7135ac8e49431a621fac213638d2dab31c8
2022-02-15tcp: Do not include the tcp_packet.h file in the ip4_packet.hNeale Ranns2-0/+2
Type: refactor IP4 does not depend on TCP (it's the other way around). This upside down dependency leads to some nasty circular includes when trying to use ip46_address.h in interface.h Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I4a1bd21543b08b9c1cf1e5563da738414734a878
2022-02-03ip nat: use ip rx sw_if_index in ip-local arc startFlorin Coras1-7/+31
This also changes the behavior of the nat44-ei hairpinning feature. Rather then enabling the feature on every nat interface, it is enabled only on local0. Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: I4e16a83c9e328aa75fc61df508b620ef743ca775
2022-02-01nat: memory leak on nat44_plugin_disableSteven Luong1-0/+2
We invoke nat_affinity_enable for nat44_plugin_enable. We need to invoke nat_affinity_disable for nat44_plugin_disable to free the memory for bihash. Type: fix Fixes: I2743f7b1104b627bcc5ef937e3a50655313a26ea Signed-off-by: Steven Luong <sluong@cisco.com> Change-Id: I9adeb3225136e3fff853c2d5b8f9a30e98ddcf4c
2022-02-01nat: nat44-ei hairpinning code cleanupFilip Varga7-1547/+673
Removing obsolete unused nat44-ei nodes and functions. Type: refactor Change-Id: I1e03e283091c3c0d92908d04037cba00a348351a Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-01-24nat: TCP state tracking based on RFC 7857/RFC 6146Klement Sekera10-332/+589
Implement proper state machine based on above RFCs. ACKs to SYNs/FINs are no longer required/tracked. This is more friendly to peers and accounts for lost packets and retransmits. This change also means that all traffic is translated and forwarded while in transitory timeout, which helps delivering e.g. retransmitted FINs, FINACKs and other messages. Also support reopening a session in transitory timeout after seeing both FINs by seeing both SYNs again. This helps quick connection reestablishment if the peers want to. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com> Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
2022-01-04nat: remove nat44-ed relation between SM and addrFilip Varga6-555/+436
Change [1] put static mappings in flow hash. This change also broke relationship between nat pool addresses and static mappings. Port and address are no longer reserved in nat pool address records for a new static mapping. Because of this change both nat objects and their configuration can function independently. This change also removed already broken logic of having static-mapping-only configuration. In this patch i have cleaned up and removed unnecessary logic for static mapping configuration functions, address configuration functions, interface configuraiton functions and all callback functions used for resolving interface address bound records. No more viable configuration option static-mapping-only is also removed because there is no more option to run traffic through vpp for static mappings without having flow hash table allocated. Instead user is now able to create static mapping records without using nat pool addresses. Fixed and improved management of required fib entries (ensuring VPP will reply to ARP for all external addresses on outside interfaces) through holding a refcount for their creation and removal. [1] https://gerrit.fd.io/r/c/vpp/+/34077 Type: improvement Change-Id: Ic16deefbede833d574c2a5972155c9afa5bc62ce Signed-off-by: Filip Varga <fivarga@cisco.com>
2022-01-04nat: nat44-ed pool address allocation improvementFilip Varga4-58/+289
This patch improves algorithm responsible for choosing nat pool address during dynamic session creation. Patch synchronizes nat pool address attributes with vpp interfaces doing so gives nat option to determine correct nat pool address when creating dynamic session. Improvements: * match dst address subnet and src fib with nat pool address * for output-feature also fallback match of tx_sw_if_index with nat pool address Type: improvement Change-Id: I594638bc76fc1153f582add376838b4b72ff573a Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-26api: add helper macros for native endianMohsin Kazmi3-20/+4
Type: improvement Change-Id: Ifa074dfd337f9cd68858468d34abf641fe7f247f Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2021-11-22ipfix-export: Change exp to use ip_addressPaul Atkins1-4/+4
Modify the ipfix_exporter to use ip_address instead of the ipv4 specific version. Modify the current code so that it writes into the v4 specific part of the address, i.e. we are not yet fully supporting IPv6. For the exporter configured via the original API (the one that is always in slot0) we will not support IPv6 addresses. Type: improvement Signed-off-by: Paul Atkins <patkins@graphiant.com> Change-Id: Ic9854ac62aaee76a7a55a958234c456fd9828c4c
2021-11-22ipfix-export: refactor params to the callback fnsPaul Atkins1-31/+16
When a new flow-report is created the caller provides 2 callback functions. These functions both take a pointer to the exporter, plus a pointer to the source and dest address. However the pointers to the address are not adding any value as these are always set to the src/dest addresses of the exporter (which is already being passed). Remove these parameters and leave the callback functions to get the addresses out of the exporter. Type: improvement Signed-off-by: Paul Atkins <patkins@graphiant.com> Change-Id: I36dec394f30e85cdca120dd8706b5d90f5e07c48
2021-11-22ipfix-export: pass an exp to flow_report_add_delPaul Atkins1-83/+69
Pass an ipfix_exporter to this function so that callers can choose which exporter they are modifying. Type: improvement Signed-off-by: Paul Atkins <patkins@graphiant.com> Change-Id: Ice0ed19a57baf15b1dc85cd27fe01913e36d7f4f
2021-11-22ipfix-export: refactor fields in flow_report_mainPaul Atkins1-23/+30
Pull out the fields in flow_report_main_t that are specific to a single exporter and move them into a new structure that represents an exporter. Add a pool of exporters to flow_report_main_t and do a pool_get() to get the entry at index 0, so that the existing users of the code need only change the path at which they access the old fields and have no need to make further code changes. In functions that were accessing the fields that now make up the ipfix_exporter create a local var that points to the first (always valid) exporter and use this as the base for the fields rather than finding them from flow_report_main. This is in preparation for supporting multiple flow_exporters. Note that at the moment the code supports multiple 'streams' for a given exporter, where each stream has its own source port, domain id and template space. But all streams within an exporter have the same destination address, so this is not the same as multiple exporters. Type: refactor Signed-off-by: Paul Atkins <patkins@graphiant.com> Change-Id: I49f5c7fb9e901773351d31dc8a59178c37e99301
2021-11-17nat: VPP crashes when route is not reachableDaniel Béreš1-0/+3
The problem was reproducible only with icmp packet type when det44 in, out interfaces were swapped. Dst addr was unknown but packet has been forwarded. Type: fix Ticket: VPP-1958 Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech> Change-Id: Ie446cf2ac866955cc668fe2848f954a2ef92e3fa
2021-11-17nat: det44 plugin session scavenging fixFilip Varga1-15/+27
det44 plugin process node would only run once on the first plugin enable call. this patch ads the required calls into while loop in the process node funciton. Type: fix Change-Id: I38c94b29fd1e2c842a1330e8628e3019f23f2b69 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-11tests: make code coverage for unit tests optionalOle Troan1-1/+1
Add a new cmake option VPP_BUILD_TESTS_WITH_COVERAGE to enable building unittests with clang code coverage. Type: improvement Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I9cbe9e3031afdcd03bc8f9203d662b91677724ab Signed-off-by: Ole Troan <ot@cisco.com>
2021-11-11nat: nat44-ei/ed nat objects cleanup improvementsFilip Varga5-259/+489
Improvements: * Changed plugin disable call behavior from freeing data types to calling appropriate nat plugin object delete calls for pool addresses, mappings and interfaces. * Added wrapper nat44_ei/ed_add_del_static_mapping function to handle switch bound static mappings. This would also fix ip assignment callback add/del bound static mapping issue preventing creation of the mapping. Fixes: * Fixed lingering object issue: some nat intertwined objects would not free each other if not correctly deleted in proper order. * Fixed incorect order of FIB unlocks for pool addresses causing syslog messages to use deleted FIBs in multiple VRF configuration. * Fixed incorrect value testing of flags instead of vrf_id for multiple vrf configuration static mapping. Type: improvement Change-Id: I2743f7b1104b627bcc5ef937e3a50655313a26ea Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-11-10nat: api autoendian fixFilip Varga5-60/+86
Fixed bad use of macros for autoendian API calls and updated tests for the new API. Removed sw_if_index check macro because of ntol conversion. Changed REPLY_MACRO to REPLY_MACRO_END to fix ntohl conversions. Type: fix Change-Id: I878a07b3f80fe03179feab60f0abc662f408a2c8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-10-31interface: handoff refactor and optimizationsFlorin Coras2-2/+0
- move existing ethernet hash functions to hash infra (no l4 awareness) - refactor code to use hash infra and add apis to request l4 aware hashing functions - hashing functions per interface - code cleanup Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Ia9f44db98d83f0f027aeb37718585a2e10ffd2c6
2021-10-30nat: fix coverity warningKlement Sekera1-1/+1
Fix coverity warning by initialising proto variable to a dummy value. This value is never used because consuming function uses this parameter value only if is_addr_only flag is not set and this flag is always set if proto value is not provided by user. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I041bc821a392f0746ef9f07f9b259d62884305b7
2021-10-20nat: nat44-ei configuration improvementsFilip Varga6-1027/+1574
nat44-ed core configuration improvements & fixes [0-5] adjusted for nat44-ei plugin. Improvements: * repeating code converted to functions * simplified functions used for pool address, static mapping and interface configuration. Clean up: * remove obsolete code and logic persisted after plugin separation from old SNAT plugin. Fixes: * [0] return correct API behavior changed in [5] Type: improvement [0] https://gerrit.fd.io/r/c/vpp/+/33622 [1] https://gerrit.fd.io/r/c/vpp/+/33431 [2] https://gerrit.fd.io/r/c/vpp/+/33337 [3] https://gerrit.fd.io/r/c/vpp/+/33249 [4] https://gerrit.fd.io/r/c/vpp/+/32796 [5] https://gerrit.fd.io/r/c/vpp/+/32951 Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ie197faa576cb49acb3d218f14e00cb7d13ad9342
2021-10-20nat: NAT44-ED api fix and improvementFilip Varga4-16/+14
This patch fixes issue with NAT_API_IS_TWICE_NAT and NAT_API_IS_ADDR_ONLY flags. Because of control plane code change - move from boolean parameters to flags in https://gerrit.fd.io/r/c/vpp/+/32796 patch these api flags weren't correctly set. Type: fix Change-Id: Ieec5fe6bdcca314da027f2d23e3a24f174391a6f Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-10-14nat: static mappings in flow hashKlement Sekera27-1475/+1086
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
2021-10-13docs: convert plugins doc md->rstNathan Skrzypczak6-180/+224
Type: improvement Change-Id: I7e821cce1feae229e1be4baeed249b9cca658135 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-10-13nat: fix coverity warningKlement Sekera1-1/+1
Fix coverity warning by initialising proto variable to a dummy value. This value is never used because consuming function uses this parameter value only if is_addr_only flag is not set and this flag is always set if proto value is not provided by user. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9b5e8c08346bea1e2b460bb09e962c4b8d3b6947
2021-10-13nat: fix static mapping segvJoshua Roys1-1/+1
Adding a nat44 static mapping during startup on a DHCP interface leads to a segv via this path: - dhcp_client_acquire_address - ip4_add_del_interface_address - ip4_add_del_interface_address_internal - nat44_ed_add_del_interface_address_cb - nat44_ed_add_static_mapping - ip4_interface_first_address Type: fix Signed-off-by: Joshua Roys <roysjosh@gmail.com> Change-Id: I38dac8a096b052550f2b87b4e13a950d2cd868b0
2021-10-12Revert "nat: static mappings in flow hash"Ole Troan27-1058/+1457
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
2021-10-12nat: static mappings in flow hashKlement Sekera27-1457/+1058
Put static mappings in flow hash, drop existing hash tables used for static mappings. Drop refcount variables and use hash table as a single point of truth. Allow creating a static mapping conflicting with dynamic mapping, which will take precedence after dynamic mapping is freed, so that the existing flow can finish transferring data. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
2021-10-05nat: NAT44 ED api fix and improvementFilip Varga3-14/+178
Backward compatibility fix returns erroneous behavior that lets user add internally unused inside interface for the purpose of complying with the old add/dump/details API behavior. Change introduced in https://gerrit.fd.io/r/c/vpp/+/32951 removed extra inside interface that wasn't required or any how used by the output feature. This patch also changed outside interface flags to inside & outside. This fix returns the old behavior by imitating the old behavior through dummy registratoin data. Added new API calls nat44_ed_add_del_output_interface and nat44_ed_output_interface_get/details as a replacement of old API's. New API introduces simplified and cleaner way of configuring outside feature without requirement of config flags. Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I7a170f7325727c04da5e2e3ffbe3f02179531284
2021-09-30nat: doc nitfixesNathan Skrzypczak5-8/+8
Type: improvement Change-Id: I9a4303030b9657c28bbd73168def72c7daa13483 Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
2021-09-29nat: nat44-ed add session timing out indicator in api (2)Alexander Chernavin2-1/+146
Type: improvement Currently, NAT44-ED users sessions details are returned for both active and timed out NAT sessions. It may confuse users that expect to see only active sessions in the response and make them think that timeouts for NAT sessions do not work. With this change, introduce an indicator of timing out for NAT sessions returned in NAT44-ED user session details. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib4d689f77cec4b0b0cc8484019e13733cc8bdc0d
2021-09-28nat: NAT44 ED & EI session filtering CLIJúlius Milan2-15/+103
Improving session filtering capabilities of show nat44 sessions CLI command for EI and ED NAT plugins. Adding filtering options: saddr, sport, daddr, dport, proto for both i2o and o2i flows. Type: improvement Change-Id: I70bc94a2e922cddf9451eb7dcbf4a7be21ebf0df Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-09-21pnat: fix the version of the PNAT plugin from the hardcoded 0.0.1Andrew Yourtchenko1-1/+2
Type: fix Change-Id: I35db6763f3c5bd73169a222a4a93a917e8f468e6 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Signed-off-by: Ole Troan <ot@cisco.com>
2021-09-09nat: Revert "nat: nat44-ed add session timing out indicator in api"Andrew Yourtchenko2-150/+1
This reverts commit f059a3452c285ec57a75c7b1ede5052244be4e5d, which broke the build. https://s3-logs.fd.io/logs/production/vex-yul-rot-jenkins-1/vpp-merge-master-debian10-x86_64/1344/console.log.gz Change-Id: I16fece8128fa9973495c587d105a8db57738e8f2 Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-09-09nat: nat44-ed add session timing out indicator in apiAlexander Chernavin2-1/+150
Type: improvement Currently, NAT44-ED users sessions details are returned for both active and timed out NAT sessions. It may confuse users that expect to see only active sessions in the response and make them think that timeouts for NAT sessions do not work. With this change, introduce an indicator of timing out for NAT sessions returned in NAT44-ED user session details. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ib81ed90369d4b495117538f521e5112e289cf7e6
2021-09-08nat: remove unusued parameters and use correct parameter typesKlement Sekera2-20/+15
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4f7b3d5354a7658d7271c28444f2f4641f05b28b
2021-09-02nat: NAT44 ED improvements and fixesFilip Varga8-392/+353
Fixed FIB entry per interface, pool and static mapping registrations in NAT control plane. Improved FIB configuration handling in NAT - added functions to generalize handling of FIB & NAT, cleaned up interface callback functions. Changed "is_" macros to inline functions for easier debugging. Type: improvement Change-Id: I68a17761a975dd819139ae94e52a8a85d3f27ffc Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-19nat: handle ED in2out ICMP errors with workersMatthew Smith1-0/+22
Type: fix With endpoint dependent NAT44, When there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload. This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV. Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. THis is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node. Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-17nat: fix counters increment for output featureAlexander Chernavin3-68/+93
Type: fix The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index. When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment. When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point. With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-12nat: NAT44ED configuration refactorFilip Varga4-378/+365
Refactoring and cleaning up address allocation functions & ip table update callbacks. Type: refactor Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b Signed-off-by: Filip Varga <fivarga@cisco.com>