Age | Commit message (Collapse) | Author | Files | Lines |
|
Drop pycodestyle for code style checking in favor of black. Black is
much faster, stable PEP8 compliant code style checker offering also
automatic formatting. It aims to be very stable and produce smallest
diffs. It's used by many small and big projects.
Running checkstyle with black takes a few seconds with a terse output.
Thus, test-checkstyle-diff is no longer necessary.
Expand scope of checkstyle to all python files in the repo, replacing
test-checkstyle with checkstyle-python.
Also, fixstyle-python is now available for automatic style formatting.
Note: python virtualenv has been consolidated in test/Makefile,
test/requirements*.txt which will eventually be moved to a central
location. This is required to simply the automated generation of
docker executor images in the CI.
Type: improvement
Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Replace code with branchless code.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ic38a20ad33483c1c26f90a927f8b963b0ead4a87
|
|
The RFC7857 state machine introduced in 56c492a is a trade-off.
It tries to retain sessions as much as possible and also offers
some protection against spurious RST by re-establishing sessions if data
is received after the RST. From experience in the wild, this algorithm is
a little too liberal, as it leaves too many spurious established sessions
in the session table.
E.g. a oberserved pattern is:
client server
<- FIN, ACK
ACK ->
ACK ->
RST, ACK ->
With the current state machine this would leave the session in established state.
These proposed changes do:
- require 3-way handshake to establish session.
(current requires only to see SYNs from both sides)
- RST will move session to transitory without recovery if data is sent after
- Only a single FIN is needed to move to transitory
Fixes: 56c492aa0502751de2dd9d890096a82c5f04776d
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I92e593e00b2efe48d04997642d85bd59e0eaa2ea
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Set is_add function argument to 0 when deleting interface role.
Change-Id: I6ca88d6511e1c88285e51b3750eb501fde2b341b
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
|
|
Two similar CLI paths "nat44" and "nat44 add interface address"
caused unexpected behavior. If "nat44 add interface address"
command would fail the vlib cli processing function would
call "nat44" handler. This would also clean any previously
set errors from the first command and basically return
same error returned by "nat44" handler for every failed
command that starts with the same path string.
Fixes nat44-ed and nat44-ei plugin.
Change-Id: I1aac85c8ae2932da582a2b78243521d1bf8a0653
Ticket: VPP-2021
Type: fix
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
This patch affects how destination fib is choosen during session
creation. Default behavior of choosing fib based on output
interfaces is kept.
Configuration gives you the ability to change default behavior
to direct or restrict traffic between different FIB tables.
NAT specific VRF routing options:
a) keeping communication in the same VRF
b) option to add multiple destination VRFs
c) option to control the resolution order of destination VRFs
TX FIB resolution is based on looking up RX FIB entry in NATs
VRF table and picking the first FIB that resolves
destination address.
Ticket: VPP-2009
Type: improvement
Change-Id: If500c48d7ce3466533ad9581c0847870788fc4fb
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Set deprecated option on unsupported API calls.
Cleaned up API calls with deprecated option. Removed
in progress option from long term used API calls.
Removed obsolete/unused nodes, functions, variables.
Fixed set frame queue nelts function. Calling API
would incorrectly not fail even though frame queue nelts
can only be set before first call nat44_plugin_enable.
Moved all formatting functions to _format.c file.
Type: refactor
Change-Id: I3ca16e0568f8d7eee3a27c3620ca36164833a7e4
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
This allows specifying both c string and vector for node name
and removes need for crafting temporary string.
Type: improvement
Change-Id: I0b016cd70aeda0f68eb6f9171c5152f303be7369
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Add missing translation of ICMP inner IP layer.
Change responsible test so that it actually tests something.
Type: fix
Fixes: 4881cb4c6f
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: Id3a6f12a7308d81b1cdf9815f857221fab2f24d9
|
|
Type: refactor
Change-Id: Ifd533a095d979dc55bfbe5fac7e0b7510a4d900c
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
TCP/UDP packets which are dropped are not counted towards TCP/UDP
counters. Apply same behaviour to ICMP packets.
Type: improvement
Signed-off-by: Klement Sekera <klement.sekera@gmail.com>
Change-Id: I487fa7135ac8e49431a621fac213638d2dab31c8
|
|
Type: refactor
IP4 does not depend on TCP (it's the other way around).
This upside down dependency leads to some nasty circular includes when trying to use ip46_address.h in interface.h
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I4a1bd21543b08b9c1cf1e5563da738414734a878
|
|
This also changes the behavior of the nat44-ei hairpinning feature.
Rather then enabling the feature on every nat interface, it is enabled
only on local0.
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: I4e16a83c9e328aa75fc61df508b620ef743ca775
|
|
We invoke nat_affinity_enable for nat44_plugin_enable.
We need to invoke nat_affinity_disable for nat44_plugin_disable
to free the memory for bihash.
Type: fix
Fixes: I2743f7b1104b627bcc5ef937e3a50655313a26ea
Signed-off-by: Steven Luong <sluong@cisco.com>
Change-Id: I9adeb3225136e3fff853c2d5b8f9a30e98ddcf4c
|
|
Removing obsolete unused nat44-ei nodes and functions.
Type: refactor
Change-Id: I1e03e283091c3c0d92908d04037cba00a348351a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Implement proper state machine based on above RFCs. ACKs to SYNs/FINs
are no longer required/tracked. This is more friendly to peers and
accounts for lost packets and retransmits.
This change also means that all traffic is translated and forwarded
while in transitory timeout, which helps delivering e.g. retransmitted
FINs, FINACKs and other messages.
Also support reopening a session in transitory timeout after seeing both
FINs by seeing both SYNs again. This helps quick connection
reestablishment if the peers want to.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com>
Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
|
|
Change [1] put static mappings in flow hash. This change also broke
relationship between nat pool addresses and static mappings. Port and
address are no longer reserved in nat pool address records for a new
static mapping.
Because of this change both nat objects and their configuration can
function independently. This change also removed already broken logic of
having static-mapping-only configuration.
In this patch i have cleaned up and removed unnecessary logic for static
mapping configuration functions, address configuration functions,
interface configuraiton functions and all callback functions used for
resolving interface address bound records.
No more viable configuration option static-mapping-only is also removed
because there is no more option to run traffic through vpp for static
mappings without having flow hash table allocated. Instead user is now
able to create static mapping records without using nat pool addresses.
Fixed and improved management of required fib entries (ensuring VPP will
reply to ARP for all external addresses on outside interfaces) through
holding a refcount for their creation and removal.
[1] https://gerrit.fd.io/r/c/vpp/+/34077
Type: improvement
Change-Id: Ic16deefbede833d574c2a5972155c9afa5bc62ce
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
This patch improves algorithm responsible for choosing nat pool address
during dynamic session creation.
Patch synchronizes nat pool address attributes with vpp interfaces doing
so gives nat option to determine correct nat pool address when creating
dynamic session.
Improvements:
* match dst address subnet and src fib with nat pool address
* for output-feature also fallback match of tx_sw_if_index with nat
pool address
Type: improvement
Change-Id: I594638bc76fc1153f582add376838b4b72ff573a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: improvement
Change-Id: Ifa074dfd337f9cd68858468d34abf641fe7f247f
Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
|
|
Modify the ipfix_exporter to use ip_address instead of the ipv4 specific
version. Modify the current code so that it writes into the v4 specific
part of the address, i.e. we are not yet fully supporting IPv6. For the
exporter configured via the original API (the one that is always in slot0)
we will not support IPv6 addresses.
Type: improvement
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: Ic9854ac62aaee76a7a55a958234c456fd9828c4c
|
|
When a new flow-report is created the caller provides 2 callback functions.
These functions both take a pointer to the exporter, plus a pointer to the
source and dest address. However the pointers to the address are not adding
any value as these are always set to the src/dest addresses of the exporter
(which is already being passed). Remove these parameters and leave the
callback functions to get the addresses out of the exporter.
Type: improvement
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I36dec394f30e85cdca120dd8706b5d90f5e07c48
|
|
Pass an ipfix_exporter to this function so that callers can choose which
exporter they are modifying.
Type: improvement
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: Ice0ed19a57baf15b1dc85cd27fe01913e36d7f4f
|
|
Pull out the fields in flow_report_main_t that are specific to a single
exporter and move them into a new structure that represents an exporter.
Add a pool of exporters to flow_report_main_t and do a pool_get() to get
the entry at index 0, so that the existing users of the code need only
change the path at which they access the old fields and have no need to
make further code changes. In functions that were accessing the fields
that now make up the ipfix_exporter create a local var that points to the
first (always valid) exporter and use this as the base for the fields
rather than finding them from flow_report_main.
This is in preparation for supporting multiple flow_exporters.
Note that at the moment the code supports multiple 'streams' for a given
exporter, where each stream has its own source port, domain id and template
space. But all streams within an exporter have the same destination address,
so this is not the same as multiple exporters.
Type: refactor
Signed-off-by: Paul Atkins <patkins@graphiant.com>
Change-Id: I49f5c7fb9e901773351d31dc8a59178c37e99301
|
|
The problem was reproducible only with icmp packet type
when det44 in, out interfaces were swapped.
Dst addr was unknown but packet has been forwarded.
Type: fix
Ticket: VPP-1958
Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
Change-Id: Ie446cf2ac866955cc668fe2848f954a2ef92e3fa
|
|
det44 plugin process node would only run once on
the first plugin enable call. this patch ads
the required calls into while loop in the
process node funciton.
Type: fix
Change-Id: I38c94b29fd1e2c842a1330e8628e3019f23f2b69
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Add a new cmake option VPP_BUILD_TESTS_WITH_COVERAGE to enable
building unittests with clang code coverage.
Type: improvement
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I9cbe9e3031afdcd03bc8f9203d662b91677724ab
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Improvements:
* Changed plugin disable call behavior from freeing data types
to calling appropriate nat plugin object delete calls for
pool addresses, mappings and interfaces.
* Added wrapper nat44_ei/ed_add_del_static_mapping function to
handle switch bound static mappings. This would also fix ip assignment
callback add/del bound static mapping issue preventing creation of the
mapping.
Fixes:
* Fixed lingering object issue: some nat intertwined objects would
not free each other if not correctly deleted in proper order.
* Fixed incorect order of FIB unlocks for pool addresses causing
syslog messages to use deleted FIBs in multiple VRF configuration.
* Fixed incorrect value testing of flags instead of vrf_id for
multiple vrf configuration static mapping.
Type: improvement
Change-Id: I2743f7b1104b627bcc5ef937e3a50655313a26ea
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Fixed bad use of macros for autoendian API calls
and updated tests for the new API. Removed sw_if_index
check macro because of ntol conversion. Changed
REPLY_MACRO to REPLY_MACRO_END to fix ntohl conversions.
Type: fix
Change-Id: I878a07b3f80fe03179feab60f0abc662f408a2c8
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
- move existing ethernet hash functions to hash infra (no l4
awareness)
- refactor code to use hash infra and add apis to request l4 aware
hashing functions
- hashing functions per interface
- code cleanup
Type: improvement
Signed-off-by: Florin Coras <fcoras@cisco.com>
Change-Id: Ia9f44db98d83f0f027aeb37718585a2e10ffd2c6
|
|
Fix coverity warning by initialising proto variable to a dummy value.
This value is never used because consuming function uses this parameter
value only if is_addr_only flag is not set and this flag is always set
if proto value is not provided by user.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I041bc821a392f0746ef9f07f9b259d62884305b7
|
|
nat44-ed core configuration improvements & fixes [0-5] adjusted
for nat44-ei plugin.
Improvements:
* repeating code converted to functions
* simplified functions used for pool address, static mapping
and interface configuration.
Clean up:
* remove obsolete code and logic persisted after plugin
separation from old SNAT plugin.
Fixes:
* [0] return correct API behavior changed in [5]
Type: improvement
[0] https://gerrit.fd.io/r/c/vpp/+/33622
[1] https://gerrit.fd.io/r/c/vpp/+/33431
[2] https://gerrit.fd.io/r/c/vpp/+/33337
[3] https://gerrit.fd.io/r/c/vpp/+/33249
[4] https://gerrit.fd.io/r/c/vpp/+/32796
[5] https://gerrit.fd.io/r/c/vpp/+/32951
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: Ie197faa576cb49acb3d218f14e00cb7d13ad9342
|
|
This patch fixes issue with NAT_API_IS_TWICE_NAT and
NAT_API_IS_ADDR_ONLY flags. Because of control plane
code change - move from boolean parameters to flags
in https://gerrit.fd.io/r/c/vpp/+/32796 patch these
api flags weren't correctly set.
Type: fix
Change-Id: Ieec5fe6bdcca314da027f2d23e3a24f174391a6f
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Put static mappings in flow hash, drop existing hash tables used for
static mappings. Drop refcount variables and use hash table as a single
point of truth. Allow creating a static mapping conflicting with dynamic
mapping, which will take precedence after dynamic mapping is freed, so
that the existing flow can finish transferring data.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Idfde8efabc09971be38921d4b0ca5ccf4e9fe412
|
|
Type: improvement
Change-Id: I7e821cce1feae229e1be4baeed249b9cca658135
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Fix coverity warning by initialising proto variable to a dummy value.
This value is never used because consuming function uses this
parameter value only if is_addr_only flag is not set and this flag is
always set if proto value is not provided by user.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I9b5e8c08346bea1e2b460bb09e962c4b8d3b6947
|
|
Adding a nat44 static mapping during startup on a DHCP interface leads
to a segv via this path:
- dhcp_client_acquire_address
- ip4_add_del_interface_address
- ip4_add_del_interface_address_internal
- nat44_ed_add_del_interface_address_cb
- nat44_ed_add_static_mapping
- ip4_interface_first_address
Type: fix
Signed-off-by: Joshua Roys <roysjosh@gmail.com>
Change-Id: I38dac8a096b052550f2b87b4e13a950d2cd868b0
|
|
This reverts commit 69b7599e4b061a8996205f0304232ede84cb70d4.
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: If531b122ae5a9f91c2fe6eaa0da69922a91f16d3
|
|
Put static mappings in flow hash, drop existing hash tables used for
static mappings. Drop refcount variables and use hash table as a single
point of truth. Allow creating a static mapping conflicting with dynamic
mapping, which will take precedence after dynamic mapping is freed, so
that the existing flow can finish transferring data.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ieeba691d83a83887d0a0baccd5f3832f66126096
|
|
Backward compatibility fix returns erroneous behavior that lets user
add internally unused inside interface for the purpose
of complying with the old add/dump/details API behavior.
Change introduced in https://gerrit.fd.io/r/c/vpp/+/32951 removed
extra inside interface that wasn't required or any how used by the
output feature. This patch also changed outside interface flags to
inside & outside. This fix returns the old behavior by imitating
the old behavior through dummy registratoin data.
Added new API calls nat44_ed_add_del_output_interface
and nat44_ed_output_interface_get/details as a
replacement of old API's. New API introduces
simplified and cleaner way of configuring outside
feature without requirement of config flags.
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I7a170f7325727c04da5e2e3ffbe3f02179531284
|
|
Type: improvement
Change-Id: I9a4303030b9657c28bbd73168def72c7daa13483
Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
|
|
Type: improvement
Currently, NAT44-ED users sessions details are returned for both active
and timed out NAT sessions. It may confuse users that expect to see only
active sessions in the response and make them think that timeouts for
NAT sessions do not work.
With this change, introduce an indicator of timing out for NAT sessions
returned in NAT44-ED user session details.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib4d689f77cec4b0b0cc8484019e13733cc8bdc0d
|
|
Improving session filtering capabilities of
show nat44 sessions CLI command for EI and ED NAT
plugins. Adding filtering options: saddr, sport,
daddr, dport, proto for both i2o and o2i flows.
Type: improvement
Change-Id: I70bc94a2e922cddf9451eb7dcbf4a7be21ebf0df
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Change-Id: I35db6763f3c5bd73169a222a4a93a917e8f468e6
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
This reverts commit f059a3452c285ec57a75c7b1ede5052244be4e5d, which broke the build.
https://s3-logs.fd.io/logs/production/vex-yul-rot-jenkins-1/vpp-merge-master-debian10-x86_64/1344/console.log.gz
Change-Id: I16fece8128fa9973495c587d105a8db57738e8f2
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Type: improvement
Currently, NAT44-ED users sessions details are returned for both active
and timed out NAT sessions. It may confuse users that expect to see only
active sessions in the response and make them think that timeouts for
NAT sessions do not work.
With this change, introduce an indicator of timing out for NAT sessions
returned in NAT44-ED user session details.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib81ed90369d4b495117538f521e5112e289cf7e6
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4f7b3d5354a7658d7271c28444f2f4641f05b28b
|
|
Fixed FIB entry per interface, pool and
static mapping registrations in NAT control plane.
Improved FIB configuration handling in NAT -
added functions to generalize handling of FIB & NAT,
cleaned up interface callback functions. Changed "is_"
macros to inline functions for easier debugging.
Type: improvement
Change-Id: I68a17761a975dd819139ae94e52a8a85d3f27ffc
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
With endpoint dependent NAT44, When there are multiple workers we look
for a flow which matches the packet in order to figure out which worker
should handle the packet. If the packet is an ICMP error, it may be
associated with an existing flow by inspecting the L3/L4 headers that
are included in the message payload.
This was not being done for in2out packets in
nat44_ed_get_in2out_worker_index(), so some packets which were related
to an open session were not being associated with that session and were
being passed to a different thread than the one where the session was
created. Later on, when the packet was processed by the fast path in2out
node, the L3/L4 headers in the payload are inspected and the fast path
node finds the existing session. Since that session is owned by a
different thread than the one the packet is being processed by, the
in2out fast path node can potentially access the wrong session and/or
memory adjacent to the session pool. This can cause a SEGV.
Make nat44_ed_get_in2out_worker_index() look at the inner headers when
processing an ICMP error. THis is already done in
nat44_ed_get_out2in_worker_index() and in the fast path in2out node.
Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
The NAT plugin stores packet counters and a counter represents a vector
indexed by interface index. When an interface is assigned a NAT role,
the counters are validated to be long enough for the given interface
index.
When a packet traverses NAT in2out and output feature is disabled, the
appropriate counters are updated by the RX interface index. In this
case, translation happens on the inside interface and its index was
ensured to be valid in all of the counters during NAT role assignment.
When a packet traverses NAT in2out and output feature is enabled, the
appropriate counters are updated by the RX interface index too. In this
case, translation happens on the outside interface and the packet could
be received on any interface, even with no NAT role assigned. If that's
the case and its index is greater than the greatest index validated in
the counters, a new counter value will be written to memory that does
not belong to the counter. As a result, a crash will occur at some
point.
With this change, use TX interface index to update the counters when
output feature is enabled. TX interface is an actual interface where
translation happens and its index is always valid in the counters.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
|
|
Refactoring and cleaning up address allocation functions &
ip table update callbacks.
Type: refactor
Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b
Signed-off-by: Filip Varga <fivarga@cisco.com>
|