summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
AgeCommit message (Collapse)AuthorFilesLines
2021-03-01nat: pick outside addr based on local addrKlement Sekera6-107/+215
Use outside addresses more evenly by using local address to pick from pool of addresses. This ensures stability from POV of remote host - an internal host always gets translated using the same outside address, so it doesn't appear to be "hopping". Also, this avoids all hosts being translated using the first address, which helps avoid needless recaptchas and the like. Exact assignment depends on internal ordering of addresses - local address is used to pick an offset into internal vector. If that address cannot be used, a linear search is performed as a fallback mechanism to find a possible translation. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I7ccb1da1dda5537f5d30d2f4cb48024f4b51c1a4
2021-02-26nat: optimize flow matching in ED NATKlement Sekera5-81/+87
This saves 6 clocks in nat44-ed-in2out node. (112->106 per packet) Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I48e757e7f4b6b0d250a432a4659fe6955fc52a07
2021-02-26nat: NAT44ED fail if using old plugin optionFilip Varga3-448/+496
Fail if obsolete flag is used. Type: fix Change-Id: Id7000de9c82fa2c22692104b2fc1d463e5961f39 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-02-24nat: Final NAT44 EI/ED split patchFilip Varga44-5781/+10760
This patch achieves complete separation of endpoint-dependent and endpoint-independent IPv4 NAT features. Some common stuff is also moved to NAT library. Type: refactor Change-Id: I52468b7e2b5ac28958a2baf8e2ea01787322e801 Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-02-24docs: move pnat doc link into dev doc sectionDave Wallace1-1/+1
- "PNAT: 1:1 match and rewrite programmable NAT" link was hanging out on the top level of the doc tree. Move it to VPP->Developer Documentation. Type: fix Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: Iadb7d3463567a2414eece68db0a3743237ab26f9
2021-02-18tests: re-enable NAT44ED tests for multiworkerAndrew Yourtchenko1-1/+0
Re-enable the test for 2-worker config test Change-Id: Ie108c5d244c6704ffa152177ca77f6b6055fe38e Type: test Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-02-13nat: pnat only use save_rewrite_length on output pathOle Troan1-3/+2
Don't expect save_rewrite_length to be set correctly on RX path. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ieee40d119213f617c3d836181e5879f084b74548 Signed-off-by: Ole Troan <ot@cisco.com>
2021-02-11tests: tag the tests that do not work with multi-worker configurationAndrew Yourtchenko4-0/+9
If the multi-worker default VPP configuration is triggered by setting VPP_WORKER_CONFIG="workers 2", some of the tests fail for various reasons. It's a substantial number, so this change marks all of the testsets that have this issue, such that they can be addressed later independently. Type: test Change-Id: I4f77196499edef3300afe7eabef9cbff91f794d3 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2021-02-10nat: fix EI hairpinning thread safetyKlement Sekera6-64/+810
Avoid doing inter-thread reads without locks by doing a handoff before destination address rewrite. Destination address is read from a session which is possibly owned by a different thread. By splitting the work in two parts with a handoff in the middle, we can do both in a thread safe way. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I1c50d188393a610f5564fa230c75771a8065f273
2021-02-09nat: bump default max translations to 63KKlement Sekera1-1/+1
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ibea7ec844d1d910e8a3235e11154b1ecea8302ac
2021-02-09nat: deny adding intf addr if static-mapping-onlyAlexander Chernavin1-0/+8
If static-mapping-only is enabled, NAT pool cannot be configured, only static mappings. There're two ways to add addresses to the NAT pool: by address range, or by first found address from an interface. NAT44_ADD_DEL_ADDRESS_RANGE already tests if dynamic mappings are available but NAT44_ADD_DEL_INTERFACE_ADDR doesn't. If static-mapping-only is enabled, adding addresses by range is rejected but by interface not. With this change, if static-mapping-only is enabled, do not allow to add addresses to the NAT pool both ways. Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: Ifc055ea9a71a5e579388833a2990aef21bf7ed29
2021-02-09nat: fix coverity errorsOle Troan3-7/+6
Including a general missing free in fromjson autogenerated code. Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I9ab2b0193135e2fb3d62d51b3c114df56969e341 Signed-off-by: Ole Troan <ot@cisco.com>
2021-02-09nat: improve type safety and remove unused paramKlement Sekera3-96/+76
Type: improvement Change-Id: I456f9b14e6a4eb46c9c49f6e09acccae530e4ebc Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-02-08misc: support api generated dependency for multiarch sourceOle Troan2-0/+5
Fix dependency issues where multi-arch file is using API generated file. Type: improvement Change-Id: I5d4af7a630529bc138c35841723e38938f36d963 Signed-off-by: Ole Troan <ot@cisco.com>
2021-02-05nat: 1:1 policy NATOle Troan14-0/+2437
A NAT sub-plugin doing statically configured match/rewrite on IP4 input or output. It's stateless (no connection tracking). Currently it supports rewriting of SA, DA and TCP/UDP ports. It should be simple to add new rewrites if required. API: pnat_binding_add, pnat_binding_del, pnat_bindings_get, pnat_interfaces_get CLI: set pnat translation interface <name> match <5-tuple> rewrite <5-tuple> {in|out} [del] show pnat translations show pnat interfaces Trying a new C based unit testing scheme. Where the graph node is tested in isolation. See pnat/pnat_test.c. Also added new cmake targets to generate coverage directly. E.g.: make test_pnat-ccov-report File '/vpp/sdnat/src/plugins/nat/pnat/pnat.c': Name Regions Miss Cover Lines Miss Cover ------------------------------------------------------------------------------------ pnat_interface_by_sw_if_index 39 8 79.49% 13 0 100.00% pnat_instructions_from_mask 9 0 100.00% 13 0 100.00% pnat_binding_add 64 8 87.50% 31 2 93.55% pnat_flow_lookup 4 4 0.00% 10 10 0.00% pnat_binding_attach 104 75 27.88% 33 6 81.82% pnat_binding_detach 30 5 83.33% 23 2 91.30% pnat_binding_del 97 33 65.98% 17 3 82.35% pnat.c:pnat_calc_key_from_5tuple 9 1 88.89% 14 1 92.86% pnat.c:pnat_interface_check_mask 10 2 80.00% 11 2 81.82% pnat.c:pnat_enable 5 0 100.00% 11 0 100.00% pnat.c:pnat_enable_interface 107 26 75.70% 60 15 75.00% pnat.c:pnat_disable_interface 91 30 67.03% 32 7 78.12% pnat.c:pnat_disable 7 2 71.43% 13 7 46.15% ------------------------------------------------------------------------------------ TOTAL 576 194 66.32% 281 55 80.43% File '/vpp/sdnat/src/plugins/nat/pnat/pnat_node.h': Name Regions Miss Cover Lines Miss Cover ------------------------------------------------------------------------------------ pnat_test.c:pnat_node_inline 67 11 83.58% 115 1 99.13% pnat_test.c:pnat_calc_key 9 2 77.78% 14 2 85.71% pnat_test.c:pnat_rewrite_ip4 55 11 80.00% 60 12 80.00% pnat_test.c:format_pnat_trace 1 1 0.00% 12 12 0.00% pnat_node.c:pnat_node_inline 63 63 0.00% 115 115 0.00% pnat_node.c:pnat_calc_key 9 9 0.00% 14 14 0.00% pnat_node.c:pnat_rewrite_ip4 55 55 0.00% 60 60 0.00% pnat_node.c:format_pnat_trace 5 5 0.00% 12 12 0.00% ------------------------------------------------------------------------------------ TOTAL 264 157 40.53% 402 228 43.28% Type: feature Change-Id: I9c897f833603054a8303e7369ebff6512517c9e0 Signed-off-by: Ole Troan <ot@cisco.com>
2021-02-05nat: configurable handoff frame queue sizeElias Rudberg7-6/+171
Make number of worker handoff frame queue elements configurable as a set nat frame-queue-nelts command. The default value is 64 which is the same value that was previously hard-coded. The idea is that allowing larger values can be useful in some cases, to avoid congestion drops. Also add nat_set_fq_options API support and a corresponding test case. Type: improvement Change-Id: I5c321eb2d7997f76fac2703d9c4a5b2516375db3 Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
2021-02-04nat: reduce number of hash tables for EI NATKlement Sekera9-141/+141
Making code more simple and storing thread index along with session index as a preparation step for fixing thread safety patches. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib0c531e9f1f64b1f1ee912d4a83279200638e931
2021-01-18nat: deal with flows instead of sessionsKlement Sekera14-1960/+1860
This change introduces flow concept to endpoint-dependent NAT. Instead of having a session and a plethora of special cases in code for e.g. hairpinning, twice-nat and others, figure all this out and store it in flow logic. Every flow has a match and a rewrite part. This unifies all the NAT packet processing cases into one - match a flow and rewrite the packet based on that flow. It also provides a cure for hairpinning dilemma where one part of the flow is on one worker and another on a different one. These cases are also sped up by not requiring destination adress lookup every single time to be able to rewrite source nat as this is now part of flow rewrite logic. Type: improvement Change-Id: Ib60c992e16792ea4d4129bc10202ebb99a73b5be Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-01-11nat: refactor and split fo EI/ED features p.2Filip Varga8-351/+1216
Patch n. 2 aimed at moving EI features out of NAT44 plugin & split of EI/ED functions. Type: refactor Change-Id: Ida20c1c084449b146344b6c3d8442f49efb6f3fa Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-01-05nat: refactor and split fo EI/ED featuresFilip Varga17-1026/+999
This patch is aimed at moving EI features out of NAT44 plugin & split of EI/ED functions. Type: refactor Change-Id: I63cf70a264ed2512708fe92665d64f04690783d0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-12-16nat: refactor & MW support for NAT testsFilip Varga3-3598/+3662
Split ED and EI nat44 test cases. Added multi worker support for ED test cases. Type: refactor Change-Id: Ibcc2f62b94cacff69ed35c5d914b55f9fdbcf882 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-12-15nat: set out2in-dpo during plugin enablingAlexander Chernavin1-0/+1
Type: fix Change-Id: Ie41e2fb9393bf63099519150bb158b830d2c0d87 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-12-14misc: refactor clib_bitmap_foreach macroDamjan Marion2-10/+10
Type: refactor Change-Id: I077110e1a422722e20aa546a6f3224c06ab0cde5 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-14misc: move to new pool_foreach macrosDamjan Marion18-241/+241
Type: refactor Change-Id: Ie67dc579e88132ddb1ee4a34cb69f96920101772 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-14vppinfra: simpler and faster pool_foreachDamjan Marion1-1/+1
- reduces number of instructions generated 4 times compared to old code - adds pool_foreach2 which is more friendly to clang-format Type: improvement Change-Id: I51e9c7fb09655c60d883987dadf5b2666c12b3f7 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-13nat: revert 'fix byte order on ipfix message fields'Damjan Marion1-6/+3
This reverts commit bfba2d555331ce67f707e608877e96dbd2aacd80. Reason for revert: breaks test test_nat44.TestNAT44.test_ipfix_max_sessions Change-Id: I6eed4d02835ab792e7e3491fc14240cc88a86710 Type: fix Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-12-11nat: fix byte order on ipfix message fieldsMatthew Smith1-3/+6
Type: fix The code for quota exceeded events is a u32 and was being copied into ipfix packets in host byte order. Same for the limit field. Swap the order before copying into packet buffer. Change-Id: I881766e1c52acc9bebde38d85228fa492214ee21 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-12-08nat: avoid hairpinning infinite loop problemElias Rudberg2-0/+100
Fix in nat44 hairpinning code to check if anything was actually changed in the snat_hairpinning() routine, and return 0 if nothing changed. This helps avoid an infinite loop repeating the three nodes nat44-hairpinning-->ip4-lookup-->ip4-local in case there was no change. Also add a corresponding test case. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I95f48476bd002ac4c6789afe504681f1963e5d38 Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
2020-12-07tests: py2 cleanup - remove subclassing of objectPaul Vinciguerra12-12/+12
Type: refactor Change-Id: I9096e3b473110350e1e8e5936e3c4c164f8969a7 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-12-03nat: fix forwarding handoff workaroundFilip Varga5-28/+168
A special case when out2in packet needs to be handoffed to other worker thread. We are not able to determine which thread they belong to in the first processing of nat handoff node. These packets needs to go through out2in slowpath before we are able to tell where to handoff them. Type: fix Ticket: VPP-1941 Change-Id: I7173bda970ce6a91d81f48fc72aa2457586a076f Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-12-03nat: fix incorrect session removal caseKlement Sekera3-10/+43
Add a condition where a TCP session in transitory timeout is kept instead of being erroneously deleted. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ic625c8c88cc8864293ebd57b0321505652af9380
2020-12-02nat: use correct per-thread vlib_mainBenoît Ganne1-8/+8
Using vlib_main of another thread is prohibited. Type: fix Change-Id: I9a85a5fee5c6665d423b4306faf3b3f2c5e22f99 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-11-26nat: fix testsFilip Varga5-110/+42
Fixed nat_ha and ipfix tests. Removed obsolete tests and moved extended tests to standard tests. Type: fix Change-Id: I2d7f4c4fa4c52a4aa10d70c956e085a0fe00b911 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-25api: vat2 and json autogeneration for api messagesOle Troan2-5/+2
VAT2: A completely auto-generated replacement of VAT. Reads input message in JSON from stdin and outputs received messages in JSON. A VAT2 plugin is automatically built for a .api file. There no longer a need for a separate _test.c. Example: vat2 show_version {} { "_msgname": "show_version_reply", "retval": 0, "program": "vpe", "version": "21.01-rc0~411-gf6eb348a6", "build_date": "2020-11-19T09:49:25", "build_directory": "/vpp/autogen3" } vat2 sw_interface_dump '{"sw_if_index": -1, "name_filter_valid": 0, "name_filter": ""}' [{ "_msgname": "sw_interface_details", "sw_if_index": 0, "sup_sw_if_index": 0, "l2_address": "00:00:00:00:00:00", "flags": "Invalid ENUM", "type": "IF_API_TYPE_HARDWARE", "link_duplex": "LINK_DUPLEX_API_UNKNOWN", "link_speed": 0, "link_mtu": 0, "mtu": [0, 0, 0, 0], "sub_id": 0, "sub_number_of_tags": 0, "sub_outer_vlan_id": 0, "sub_inner_vlan_id": 0, "sub_if_flags": "Invalid ENUM", "vtr_op": 0, "vtr_push_dot1q": 0, "vtr_tag1": 0, "vtr_tag2": 0, "outer_tag": 0, "b_dmac": "00:00:00:00:00:00", "b_smac": "00:00:00:00:00:00", "b_vlanid": 0, "i_sid": 0, "interface_name": "local0", "interface_dev_type": "local", "tag": "" }] This is the first phase and vat2 is not integrated in packaging yet. Type: feature Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: Ib45ddeafb180ea7da8c5dc274a9274d7a4edc876 Signed-off-by: Ole Troan <ot@cisco.com>
2020-11-13nat: cleanup & reorganizationFilip Varga22-125/+122
Fixed compatibility issue between nat ei and nat ed modes. Moved nat syslogging to nat librarry. Deprecating apis that will be integrated in upcoming candidate configuration patch. Type: refactor Change-Id: I334b1b05b81b74667c5c76a05f768442e0dcf7e8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-13nat: api,cli and test update & cleanupFilip Varga10-2241/+429
Cleanup of print functions in api file, splitting functionality of cleanup callbacks for ED and EI NAT. Updating and fixing API & CLI calls. Type: refactor Change-Id: I7a9dc4c8b1d2ca29db4754be7dfa4f698942127a Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-11-12nat: use table ID for nat44 ipfix session eventsMatthew Smith2-7/+10
Type: fix IPfix messages about NAT44 session create/delete were being populated with the FIB table index instead of the table ID. The table ID is the correct identifier to report externally (NAT64 IPfix messages for BIB and session create/delete use table ID, as does NAT syslogging). Convert the table index to an ID before adding it to the IPfix NAT44 session create/delete message data. Change-Id: I0166384752b17ff3a8c55aa19fa2af7a8140791e Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-11-05nat: fix hairpinning traceKlement Sekera1-3/+3
Type: fix Fixes: 17a8ab6857f023bc1436d84808acc58dd614203e Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I597d08d1d2457116e6856fa40cd65987e13a28d4
2020-11-05nat: remove unnecessary codeKlement Sekera3-28/+24
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I478f5dcbf7595c62611d25a40aa356d8ce09d216
2020-11-05nat: fix byte order of vrf_id in loggingAlexander Chernavin1-0/+3
Type: fix Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I9930a2a90caa78e848fe657ab2da863467be41ea
2020-11-05nat: remove unused codeKlement Sekera1-22/+0
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ibbdfb0a2d1ff64044a0f6b2443b526bd1cf12f93
2020-11-03nat: bihash: fix buckets calc and remove mem paramKlement Sekera5-92/+33
Calculate bihash buckets as n_elts / 2.5 rounded to closest pow2 per Damjan's recommendation. Remove memory configuration parameters because bihash init ignores them anyway as it resides in main heap now. Type: improvement Change-Id: I189f463f3c4640106cce4f12d3c5a62969276a82 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-11-02nat: fix nat64 disableBenoît Ganne1-5/+10
- we should not copy and iterate over the pool underlying vector, as slots can be freed (ie in the freelist). - delete interface instead of adding them again - fix the log message Type: fix Change-Id: If0a7a2f475b4f40793eb29ea80a9d29fe5d1bcb9 Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-10-28misc: Break the big IP header files to improve compile timeNeale Ranns1-0/+1
Type: refactor Signed-off-by: Neale Ranns <neale.ranns@cisco.com> Change-Id: Id1801519638a9b97175847d7ed58824fb83433d6
2020-10-26nat: nat44 cli command fixFilip Varga2-11/+10
Type: fix Change-Id: I4aa0dac544582703316cbcfabe67bcb7dc24d4f7 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-23nat: nat44 enable/disable dynamic configFilip Varga10-554/+992
This patch changes initialization and configuration of NAT plugin. Instead of allocating data structures at vpp plugin initialization phase allocation and configuration happens after calling enable API or CLI call. This reduces base VPP memory footprint and also enables dynamic reconfiguration of the NAT plugin. Type: improvement Change-Id: I42c069ee19a0311d043ac1f3f230d87bc8d2680f Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-21misc: minimize dependencies on udp.hFlorin Coras8-6/+10
Type: improvement Signed-off-by: Florin Coras <fcoras@cisco.com> Change-Id: Id13f33843b230a1d169560742c4f7b2dc17d8718
2020-10-16nat: error in input parameter of init_nat_kDengfeng Liu1-1/+1
Type: fix Signed-off-by: Dengfeng Liu <liudf0716@gmail.com> Change-Id: I3e7ee771d0cf5b7b1b9fbbc833776d523dfa9f09
2020-10-14nat: Fix ICMP bypass session creationVladimir Isaev1-0/+6
After get_icmp_o2i_ed_key() bihash key may include IP protocol and addresses from inner ICMP packet. It is OK for session lookup, but we should not create a session on ICMP error message receiving. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a
2020-10-12nat: set fib index for bypass sessionVladimir Isaev2-1/+2
Bihash key already contains rx_fib_index for lookup but fib value for session itself is set to 0. In the result bihash is allocated with key with fib index set, but free function is looking for key with fib index set to zero. It leads to use-after-free because session itself is removed from pool but bihash is not because of key mismatch. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: I8ac5a41b0a5a32b1baab9e9d757141d5b24b7798