summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
AgeCommit message (Collapse)AuthorFilesLines
2018-09-26NAT44: endpoint-dependent mode session timeout improvement (VPP-1423)Matus Fabian2-0/+28
Change-Id: Ib62e503f4eb5d72431288de32f417a4553df4e0c Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-25NAT44: fix nat44_o2i_ed_is_idle_session_cb (VPP-1424)Matus Fabian2-4/+1
Change-Id: I47e1fc789ddf3dbfdf9768b99d5c3a8804d6b750 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-24NAT44: endpoint-dependent mode session timeout improvement (VPP-1423)Matus Fabian4-27/+63
Change-Id: I630f3da1ea4e6e50a50f1352c097becef1efe3c0 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-24Trivial: Clean up some typos.Paul Vinciguerra1-3/+3
Change-Id: I085615fde1f966490f30ed5d32017b8b088cfd59 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2018-09-21NAT: Refactoring / Housekeeping (VPP-1415)Matus Fabian19-10848/+11482
Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-20NAT44 virtual fragmentation reassembly for endpoint-dependent mode (VPP-1325)Juraj Sloboda6-147/+1296
Change-Id: I36ece2ef2eaef9fa559d69ec7f7f07e7c16a7a9d Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-09-19nat: free port_bitmapdongjuan1-0/+7
Change-Id: Ied0fc50f1afb0f7fc563784544699726a6d03380 Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
2018-09-13NAT: TCP MSS clampingMatus Fabian9-0/+236
NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation. If the negotiated MSS value is greater than the configured value it is changed to the configured value. If the negotiated MSS value is smaller than the configured value it remains unchanged. Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-11nat: fix busy ports of each threaddongjuan1-4/+15
which can create dead loop in nat_alloc_addr_and_port_default function Change-Id: I468c25ce0f0a0b3f881de564623dea208b2ca700 Signed-off-by: dongjuan <dong.juan1@zte.com.cn>
2018-09-06NAT: fix maximum out of order fragments (VPP-1399)Matus Fabian6-8/+38
All fragments should be dropped when max_frag is 1 and 2 non-initial fragments are received before first fragment. Change-Id: Id0c968f45629698e347e8226c5926f27b48b82d6 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-04NAT: add support for configurable port range (VPP-1346)Matus Fabian5-3/+310
Change-Id: I6882b6daa05db866fe6e78a62b380ec331507f74 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-09-03NAT44: client-IP based session affinity for load-balancing (VPP-1297)Matus Fabian10-40/+524
Enable client-IP based session affinity per LB NAT rule with specific timeout. Change-Id: I9aade152e330218d21dfda99cc5e984d769ab806 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27NAT44: fix nat44_ed_not_translate_output_feature for multiple VRF (VPP-1404)Matus Fabian1-9/+15
Change-Id: I44acc5aeff59dc25d18369e29618bbe39d30a1b3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27cmake: Fix plugins .h includesMohsin Kazmi1-0/+4
Change-Id: I90600d000afb02e8969f3c01bcf9e4b5c10a7d39 Signed-off-by: Mohsin Kazmi <sykazmi@cisco.com>
2018-08-27NAT44: add support for session timeout (VPP-1272)Matus Fabian13-534/+684
NAT44 (vanilla/simple and endpoint-dependent mode) now lazily delete expired sessions. When inserting to session lookup hash and bucket is full, expired session is overwritten. Change-Id: Ib1b34959f60f0ca4f5b13525b1d41dd2f992288d Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-27cmake: add missing vat pluginsDamjan Marion1-0/+3
Change-Id: Ib61f0299c17c0f021408ab0a44c5b54f55f8a8ec Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-25cmake: improve add_vpp_plugin macroDamjan Marion1-2/+5
Change-Id: Iffd5c45ab242a919592a1f686f7f880936b68a1a Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-22NAT: update nat_show_config_reply API (VPP-1403)Matus Fabian3-1/+36
Change-Id: I85383e428cb54c4c09ab387811dd6390f7c61d97 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-17CMake as an alternative to autotools (experimental)Damjan Marion1-0/+41
Change-Id: Ibc59323e849810531dd0963e85493efad3b86857 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-08-16VPP-1386: fix wrong ip address of hash key for creating user in unknown protocolshubing guo1-1/+1
Change-Id: I6239e930a8805207f8e42d15e8b17d444047e3f3 Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
2018-08-15Remove client_index field from replies in APIOndrej Fabry1-1/+0
- replies should not need to contain client_index since it is used to identify sender of requests to VPP Change-Id: Iece3853b3f020054ee1652b149d0cf8d9580db4e Signed-off-by: Ondrej Fabry <ofabry@cisco.com>
2018-08-15NAT44: fix next_src_nat (VPP-1384)Matus Fabian1-6/+7
Use rx_fib_index instead of sm->inside_fib_index for session lookup key. Change-Id: I2d6cce5b9376fa8ac4d75a9bbfa8498be0fd1493 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-15VPP-1387:foreach outside address vector to find correct index when free ↵shubing guo3-21/+16
outside address and port Change-Id: Ie5452350a8ebe2c1b62085fcab50dbc0138d3ae2 Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
2018-08-15NAT44: fix bug in snat_interface_add_del (VPP-1380)Matus Fabian1-4/+4
Should not enable nat44-hairpinning node in deterministic mode Change-Id: I5790323a6842ee71a62c6c91c49166a2839eac12 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-15NAT64: fix TCP session expire (VPP-1390)Matus Fabian2-7/+20
Add missing call of nat64_tcp_session_set_state to set TCP session state. Change-Id: Ifd297ea3ffe20870e1e34a95449b5c9404ec13eb Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-11VPP-1381: Fix the incorrect if condition when delete session for static mappingshubing guo1-2/+2
-- The session should not be deleted when either ip address or port doesn't same with static mapping. Change-Id: I09ab7379947654d2780a8c40c5340ce430541b12 Signed-off-by: shubing guo <guo.shubing@zte.com.cn>
2018-08-09NAT44: delete user with zero sessions (VPP-1282)Matus Fabian5-20/+52
Change-Id: I756e3ad3de9ffe1494221ef95c1943c8591f8f50 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-08-02NAT44: LB NAT - local backends in multiple VRFs (VPP-1345)Matus Fabian5-34/+37
Add support for local backends in multiple VRFs for load-balancing NAT rules. Change-Id: I64e6818bd67a7e69985003498cf1f16f7200c334 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-23NAT44: fix forwarding feature bug (VPP-1349)Matus Fabian1-3/+3
Change-Id: I5009fcfde5c627d59dea3edda15486b9392134a2 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-20NAT44: in+out interface in STN setup improvement (VPP-1344)Matus Fabian1-8/+26
Change-Id: Iad7e0337a577ef8a0dfb7bde1968cc115d176043 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-19Remove unused argument to vlib_feature_nextDamjan Marion1-16/+8
Change-Id: Ieb8b53977fc8484c19780941e232ee072b667de3 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-13The gateway IP should be 172.16.2.1shenJibiao1-1/+1
Change-Id: I28d05a04abd11f630035d34ce573016c77ffab53 Signed-off-by: shenJibiao <shenjibiao@corp.netease.com>
2018-07-11avoid using thread local storage for thread indexDamjan Marion9-22/+22
It is cheaper to get thread index from vlib_main_t if available... Change-Id: I4582e160d06d9d7fccdc54271912f0635da79b50 Signed-off-by: Damjan Marion <damarion@cisco.com>
2018-07-10NAT44: multiple outside FIB tables (VPP-1314)Matus Fabian4-41/+178
Change-Id: I56eb15f8fd2d3049845287dc3df7870582764f8b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-07-10Do not translate packets destined for NAT64 inside interface (VPP-1331)Juraj Sloboda1-0/+29
Change-Id: Ieb8020f57ed5ad20daf552cd62ae3fdd8c573926 Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
2018-06-26NAT44: fix nat44_ed_not_translate_output_feature (VPP-1329)Matus Fabian1-0/+5
Change-Id: Iddb0b848c53da03116524e203c7112c82b401ac5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-16NAT44: fix coverityMatus Fabian1-1/+1
Change-Id: Ib1e4563dbc027571c77497e5c190201713adc72b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-15NAT44: endpoint dependent mode (VPP-1273)Matus Fabian7-1453/+3450
To enable NAT plugin endpoint dependent mode add following to statrup config: nat { endpoint-dependent } Enable endpoint dependent filtering and mapping for all sessions. Move some existing functionality such as service load balancing, twice nat, out2in-only static mappings and unknown protocol dynamic translations, which use endpoint dependent lookup hash tables before. Basically split to vanilla NAT44 and extra features NAT44. Change-Id: I3925eb5ddcc8f1ec4cf6af4e2a618a7ec7aa9735 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-06-11Fix multiple NAT translation with interface address as externalAlexander Chernavin1-4/+4
Change-Id: Idd65c6d0489bf83984a2c34d22d3f94000fc7018 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2018-05-28NAT44: code cleanup and refactor (VPP-1285)Matus Fabian17-463/+631
Change-Id: I088163f10ae5515d7a9115781cc13ef563fafed5 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-27VPP-1294: add missing feature arc constraintDave Barach1-1/+2
the ip4-dhcp-client-detect feature MUST run prior to nat44-out2in, or inbound dhcp broadcast packets will be dropped. Certain dhcp servers answer lease renewal dhcp-request packets with broadcast dhcp-acks, leading to unrecoverable lease loss. In detail, this constraint: VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), }; doesn't get the job done: ip4-unicast: [17] nat44-out2in [23] ip4-dhcp-client-detect [26] ip4-not-enabled Add a proper constraint: VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", "ip4-dhcp-client-detect"), }; and the interface feature order is OK, at least in this regard: ip4-unicast: [17] ip4-dhcp-client-detect [18] nat44-out2in [26] ip4-not-enabled We need to carefully audit (especially) the ip4-unicast feature arc, which has [gasp] 37 features on it! Change-Id: I5e749ead7ab2a25d80839a331de6261e112977ad Signed-off-by: Dave Barach <dave@barachs.net>
2018-05-17NAT44: nat44_del_session and nat44_user_session_details API update (VPP-1271)Matus Fabian7-90/+246
Change-Id: I484d79000c1bbd87ff83847cf567bf3414a719d3 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-14NAT44: delete closed TCP session (VPP-1274)Matus Fabian3-22/+68
Change-Id: Id25b447bddccb7b321123e4abc4134e7261a0807 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-13Improve ipfix template packet rewrite constructionDave Barach1-9/+27
Instead of repeatedly cutting, pasting, and hacking to create a new callback, use vnet_flow_rewrite_generic_callback(). Add three arguments to the flow rewrite callback: (in) pointer to an array of report elements, (in) length of array, (out) pointer to the stream index Change existing code prototypes. Code owners encouraged to evaluate whether they can use the generic callback or not, at leisure. /* ipfix field definitions for a particular report */ typedef struct { u32 info_element; u32 size; } ipfix_report_element_t; Best generated like so: _(sourceIPv4Address, 4) \ _(destinationIPv4Address, 4) \ _(sourceTransportPort, 2) \ _(destinationTransportPort, 2) \ _(protocolIdentifier, 1) \ _(flowStartMicroseconds, 8) \ _(flowEndMicroseconds, 8) static ipfix_report_element_t simple_report_elements[] = { foreach_simple_report_ipfix_element }; ... /* Set up the ipfix report */ memset (&a, 0, sizeof (a)); a.is_add = 1 /* to enable the report */ ; a.domain_id = 1 /* pick a domain ID */ ; a.src_port = UDP_DST_PORT_ipfix /* src port for reports */ ; a.rewrite_callback = vnet_flow_rewrite_generic_callback; a.report_elements = simple_report_elements; a.n_report_elements = ARRAY_LEN (simple_report_elements); a.stream_indexp = &jim->stream_index; a.flow_data_callback = simple_flow_data_callback; /* Create the report */ rv = vnet_flow_report_add_del (frm, &a, &template_id); if (rv) return rv; ... Change-Id: If6131e6821d3a37a29269c0d58040cdf18ff05e4 Signed-off-by: Dave Barach <dave@barachs.net>
2018-05-10NAT44: sessions counters per user fix (VPP-1270)Matus Fabian1-6/+6
Change-Id: I6306b81e0e1c3e1c591f929a76bb265c1c1d0859 Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-08NAT44: TCP connection close detection (VPP-1266)Matus Fabian7-13/+131
Change-Id: Iba1cc1179ee80478e29888790a6476571d1904dc Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-04Flow: Rename IPFIX exporter.Ole Troan1-1/+1
Change-Id: I9363cf54b73f7cfd8622af6f1cb250438ea0d3b6 Signed-off-by: Ole Troan <ot@cisco.com>
2018-05-03NAT: fix bin API dump of static mappings.Milan Lenco1-2/+5
Static mappings with equal local and external IPs but different ports were dumped as identity mappings. Change-Id: Ifea7cef5b78aea4c2eb31cf1620185eeef2681e5 Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>
2018-05-03NAT44: fix VAT nat44_user_session_detailsMatus Fabian1-4/+5
Change-Id: If379247f0574fbfcca39e752684bf6c81b95187b Signed-off-by: Matus Fabian <matfabia@cisco.com>
2018-05-03NAT44 segv on unknown proto on inside interfaceMatthew Smith1-22/+25
When a packet with an unknown proto arrives on an inside interface and there are no existing sessions for the source address, a segv occurs. snat_in2out_unknown_proto() finds the head of the sessions dlist, fetches the address of the next element using head->next, and then dereferences the next element. On the first packet received from a source address, head->next is ~0, so this results in a segv. Check that the session list is not empty before trying to traverse it. Also removed unnecessary lookup against tsm->user_hash. Prior call to nat_user_get_or_create() already performed that lookup and added a user if one didn't exist. Change-Id: If73e79aa2f8e3962ab7b876ecf55aea40d7a5472 Signed-off-by: Matthew Smith <mgsmith@netgate.com>