summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
AgeCommit message (Collapse)AuthorFilesLines
2020-10-14nat: Fix ICMP bypass session creationVladimir Isaev1-0/+6
After get_icmp_o2i_ed_key() bihash key may include IP protocol and addresses from inner ICMP packet. It is OK for session lookup, but we should not create a session on ICMP error message receiving. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a
2020-10-12nat: set fib index for bypass sessionVladimir Isaev2-1/+2
Bihash key already contains rx_fib_index for lookup but fib value for session itself is set to 0. In the result bihash is allocated with key with fib index set, but free function is looking for key with fib index set to zero. It leads to use-after-free because session itself is removed from pool but bihash is not because of key mismatch. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: I8ac5a41b0a5a32b1baab9e9d757141d5b24b7798
2020-10-09nat: ipfix logging separation & refactorFilip Varga14-263/+240
Type: refactor Change-Id: I8785e4987e4f60361072440d0c3c6954c9c12394 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-08nat: use proper type for countersKlement Sekera1-2/+2
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I330822c5d675cdfa57ab75ceb0223f11e0ebb7d2
2020-10-07misc: Purge unused pg includesNeale Ranns4-4/+0
Type: style Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I26a19e42076e031ec5399d5ca05cb49fd6fbe1cd
2020-10-07nat: move nat64 to a subfeatureFilip Varga21-2636/+3607
Type: refactor Change-Id: I3b9e17164647d2019b1f40cffeed63393345219e Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-07nat: det44 plugin fix style and api cleanupFilip Varga3-18/+22
Type: refactor Change-Id: I3c5ca31de8046b82fb3d3f364ba88370fe51ef02 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-10-02nat: add dummy nat_ha_resync() to avoid missing symbol errorsDamjan Marion1-0/+7
Type: fix Change-Id: I288e93da192cf48b3d774e36584d471d4daa2727 Signed-off-by: Damjan Marion <damarion@cisco.com>
2020-09-16api: clean up use of deprecated flagOle Troan1-11/+11
The syntax of the deprecated flag has evolved. Clean up usage to be "option deprecated;". Type: fix Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: If2b639f275eb8db58b36c457f9245fe35a4d8cb1
2020-09-14nat: delay datastructure allocation until configuredOle Troan2-18/+33
The dslite plugin would on plugin load initialize large bihash datastructures. Postpone until configured. Type: improvement Change-Id: Ie790ab8c5fc39fac18153acd54dcd051805e763a Signed-off-by: Ole Troan <ot@cisco.com>
2020-09-11nat: Fix next feature for ED with multiple workersVladimir Isaev3-2/+25
Multiple (> 1) workers leads to handoff node being enabled. This node pops next feature index to nat.arc_next to make sure that packet will be pushed to the next feature in the arc. But node nat44-ed-in2out-output also pops next feature and changes arc_next. So actual next feature will be skipped in that case. It leads to all nat44-ed-in2out packets being dropped if we have multiple workers (handoff node enabled). To resolve this a new node was added (nat-pre-in2out-output) to fill arc_next in single worker case and multiple worker case is already handled by handoff node. Type: fix Signed-off-by: Vladimir Isaev <visaev@netgate.com> Change-Id: I9dfba68f00164d2d5ab867224871811bef4411ed
2020-09-11nat: endian mismatchFilip Varga1-7/+13
Type: fix Change-Id: Icf6ce0ddb5fe9d078503e9d9ff7e7b26423f53f8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-09-02nat: twice-nat static mapping pool addressFilip Varga10-95/+354
Let twice-nat static mapping pick specific address from the twice-nat pool. Type: improvement Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-09-01ip: fix ip zero checksum verificationBenoît Ganne1-1/+1
In one's complement, there are two representations of zero: the all zero and the all one bit values, often referred to as +0 and -0. See RFC 1624 section 3 for more details. This used to be taken care of in ip4_header_checksum(), but it is no longer the case. The check ip->checksum == ip4_header_checksum (ip) is no longer correct in the -0 case. Always use ip4_header_checksum_is_valid() instead (which behaves correctly since 9a79a1ab931c3b5a7ae07d6f0fcfef7c4368a2c4). Type: fix Fixes: e5f0050c7a5d411f96af6401797529d58825e2af Change-Id: Iacc6b60645a834287b085aecb9e3fdb4554cf0cf Signed-off-by: Benoît Ganne <bganne@cisco.com>
2020-08-31nat: fix type in api messageKlement Sekera4-2/+204
Translation memory size is internally a uword, but in api it was u32, resulting in the returned value being 0 all the time. Fix the "incorrect" API reply to return a u32 capped to 0xffffffff if the u64 is larger than that, introduce the message with the correct type, deprecate the message with the incorrect type. Also, while we are updating the message definition, add the max translations / max users per worker thread into the new message. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I92e38a6a2bcb70fc8d1b129bbe416bf7f9e54280 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2020-08-20nat: fixed cli nat summary and nat limitFilip Varga3-50/+109
Type: fix Change-Id: I78017b02015116f93b579c7381119f618351c98d Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-19nat: session cli command fixFilip Varga1-3/+11
Type: fix Change-Id: I57ae649d1b26d5bea2df89c209f257372e565b49 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-17nat: det: replace speculative buffer enqueue modelKlement Sekera2-948/+897
Replace speculative buffer enqueue coding model with vlib_get_buffers(...)/vlib_buffer_enqueue_to_next(...). Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib5a32d60592fb17ed0ba1ac074047e39780f74be
2020-08-17nat: sessions get expired when fib table removedFilip Varga7-9/+348
fib table removal would leave lingering sessions in vpp this patch is aimed at solving this issue by grouping sessions by source and destionation fib. if one of the fibs gets removed this grouping is tagged as expired and session won't be passed to non existing fib table Ticket: VPPSUPP-93 Type: improvement Change-Id: I45b1205a8b58d91f174e6feb862554ec2f6cffad Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-13nat: move deterministic nat to det44 sub featureFilip Varga27-3108/+4484
Type: refactor Change-Id: I0bb203102a0e13dd7448e2125925ab356bbd7937 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-08-13nat: remove non-error error countersKlement Sekera16-507/+585
Some statistics counters were implemented as error counters. Move them to stat segment, where they belong. Type: improvement Change-Id: I5600bec1b4e0496282297374ec1e79d909cdaf8a Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-08-06misc: harmonize namesDave Barach2-9/+10
Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ibad744788e200ce012ad88ff59c2c34920742454
2020-07-28nat: limit resource consumption when out of portsKlement Sekera1-2/+7
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I83f44711264376389989152666f3c71216146bdd
2020-07-23nat: fix port number selectionElias Rudberg2-6/+6
Change the port number selection for new NAT sessions so that it matches how the thread index is calculated from the port number for out2in packets. Before this change there was a problem when the largest port number in the range was used, that resulted in the wrong thread index being selected when out2in packets arrive for that session. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I936c389eb0d5df6168e18e5e44754de1cdad6ad1 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-07-15nat: add prefetching to in2out_ed/out2in_edKlement Sekera2-2/+27
This saves about 20 clocks/packet in both code paths. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ib559c74bf8168e3ddd764d51b7e5bcd2a557f591
2020-07-02nat: nat66 to pluginOle Troan14-480/+607
Type: refactor Change-Id: I8c1f0c02a4522c1f9e461ddadd59938579ec00c6 Signed-off-by: Ole Troan <ot@cisco.com>
2020-06-27nat: replace speculative buffer enqueue modelKlement Sekera5-2278/+2107
Replace speculative buffer enqueue coding model with vlib_get_buffers(...)/vlib_buffer_enqueue_to_next(...). Type: improvement Change-Id: I7dbfac2234a7bd754c599857eb1d5b601da5bc7c Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-06-25nat: avoid division by zeroKlement Sekera1-1/+8
Return error instead of dividing by zero. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9f6a942e87ab87e8f1921e744ec1add45884e74a
2020-06-24nat: deterministic: disallow invalid configKlement Sekera2-5/+20
Prevent overflow if input network prefix is too small and crash on packet #1 due to vector not being allocated/initialized. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I3494cc62ce889df48cc59cc9340b5dd70338c3a8
2020-06-23nat: fix broken testKlement Sekera1-2/+14
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I04952865b7e2b447763d0b67d120c3d933177646
2020-06-22nat: set buf error if can't create userKlement Sekera4-27/+9
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I747d78966a7296dcbae54d54b0c165d407c8863d
2020-06-19nat: remove unused codeKlement Sekera2-47/+0
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Icc55276c8a4c256049718610cb131a34dc8d0a80
2020-06-17nat: print hash table parameters in CLIKlement Sekera1-2/+13
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Id6ab7e2ca965e860ea3f96145a888e0f3ccf9778
2020-06-17nat: add more trex test scriptsKlement Sekera3-0/+206
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia824d663c86d6a7c9bafe0206e9a93f93884739d
2020-06-16nat: improve outside port selection & perfKlement Sekera4-87/+110
Prefer using source port form packet as outside port if possible. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5c25f6a42386f38c9a6cc95bd7dda9f090b49817
2020-06-11nat: properly scale out2in-ed hash on initKlement Sekera1-1/+3
Type: fix Fixes: a1018c166a468f7692ab621c743503914266f508 Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I86592f73a60fd146d3764e474f975881e940c244
2020-06-11nat: simplify bihash buckets/mem configKlement Sekera8-31/+95
Derive reasonable values from max translations/max users. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I41a96ab63ab138b4160cd60bd6df24fc73791c86
2020-06-10nat: optimize prefetchingKlement Sekera6-18/+18
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Iea1748e8e39d213fcb3f3b52379bd37a6dd6aa3d
2020-06-08nat: more long read after short write optimizationKlement Sekera15-1060/+1051
Replace whitespread (mis)use of snat_session_key_t by proper function arguments where applicable and inline functions to calculate hash keys instead of using structs for that. Make all hash tables use same network byte order port so that there is no longer a discrepancy between static mappings using host byte order while in2out/out2in tables using network byte order. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I80786d2f947c67824c101a13bb608f1fe1080f34
2020-06-04nat: fix coverity warningKlement Sekera1-1/+1
Type: fix Change-Id: I0e87021b11009a955f5839bdb68af897145816c1 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-06-04nat: fixed input validationFilip Varga7-21/+22
Ticket: VPP-1887 Type: fix Change-Id: I341ac7b455926a106d736f4de6771aae655db82e Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-06-04nat: add tracing for nat44-hairpinningKlement Sekera3-15/+84
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ife437f959e29d3de88bd7ee77221ada86fb03e80
2020-06-03nat: refactor mss_clamping to not depend on snat_main_tOle Troan9-68/+83
Type: refactor Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I1110e425859a4f1f07952c91b50f263cb7323836
2020-06-01nat: update ip4-udp src port for checksum == 0 pktsDave Barach1-3/+6
Otherwise, the out2in path will discard return-path traffic with probability 1.0. Type: fix Fixes: gerrit 23963 / f126e746fc01c75bc99329d10ce9127b26b23814 Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I621ed99329c04ef358035747dde599c0016b58f5
2020-05-27nat: fix regarding vm arg for vlib_time_now callElias Rudberg1-1/+2
Change in snat_ipfix_header_create() to use thread-specific vlib_main_t *vm pointer to avoid problems with different threads accessing the same vlib_main_t data structure. This avoids assertion failure when vlib_time_now() is called with a vm corresponding to a different thread. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I2096c1debb5688d3b97e5ed9a0ea78d94053d8b7
2020-05-22nat: fix dslite session port allocationVladimir Ratnikov1-4/+4
Fix allocation of port per dslite session. After each session is created per protocol, when new one should be created with new port, instead it's trying to create with the same port and while(1) loop is executed forever and VPP does not response Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: Ic91b8b07253498ef9846ca60bcd4c4c76a5fac91
2020-05-22nat: output fib index fixFilip Varga1-69/+47
Type: fix Change-Id: I7cb7e3716aee865b12235865009e39ed6ad16680 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-15misc: removed executable bits from source filesRay Kinsella4-0/+0
Identified and removed executable bit from source files in the tree. find . -perm 755 -name *.[ch] -exec chmod a-x {} \; Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I00710d59fcc46ce5be5233109af4c8077daff74b
2020-05-14nat: unhide testsKlement Sekera1-5/+5
Parallel merges introduced two test clasess with a same name. Rename latter, so that former is seen (and run) by test runner again. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I47772b41bb940bfdda4536cdd1f9b5e3768ca18b
2020-05-14nat: "users" dump for ED-NATKlement Sekera3-0/+170
Since the removal of "users" concept in ED-NAT nat44_user_dump API returns empty array. This brings back previous behaviour at a considerable runtime cost until a better API is introduced. Type: improvement Change-Id: I5a45923cfeb6b8ebe6fc906601264d6567386991 Signed-off-by: Klement Sekera <ksekera@cisco.com>