summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
AgeCommit message (Collapse)AuthorFilesLines
2020-06-01nat: update ip4-udp src port for checksum == 0 pktsDave Barach1-3/+6
Otherwise, the out2in path will discard return-path traffic with probability 1.0. Type: fix Fixes: gerrit 23963 / f126e746fc01c75bc99329d10ce9127b26b23814 Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: I621ed99329c04ef358035747dde599c0016b58f5
2020-05-27nat: fix regarding vm arg for vlib_time_now callElias Rudberg1-1/+2
Change in snat_ipfix_header_create() to use thread-specific vlib_main_t *vm pointer to avoid problems with different threads accessing the same vlib_main_t data structure. This avoids assertion failure when vlib_time_now() is called with a vm corresponding to a different thread. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I2096c1debb5688d3b97e5ed9a0ea78d94053d8b7
2020-05-22nat: fix dslite session port allocationVladimir Ratnikov1-4/+4
Fix allocation of port per dslite session. After each session is created per protocol, when new one should be created with new port, instead it's trying to create with the same port and while(1) loop is executed forever and VPP does not response Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: Ic91b8b07253498ef9846ca60bcd4c4c76a5fac91
2020-05-22nat: output fib index fixFilip Varga1-69/+47
Type: fix Change-Id: I7cb7e3716aee865b12235865009e39ed6ad16680 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-15misc: removed executable bits from source filesRay Kinsella4-0/+0
Identified and removed executable bit from source files in the tree. find . -perm 755 -name *.[ch] -exec chmod a-x {} \; Type: improvement Signed-off-by: Ray Kinsella <mdr@ashroe.eu> Change-Id: I00710d59fcc46ce5be5233109af4c8077daff74b
2020-05-14nat: unhide testsKlement Sekera1-5/+5
Parallel merges introduced two test clasess with a same name. Rename latter, so that former is seen (and run) by test runner again. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I47772b41bb940bfdda4536cdd1f9b5e3768ca18b
2020-05-14nat: "users" dump for ED-NATKlement Sekera3-0/+170
Since the removal of "users" concept in ED-NAT nat44_user_dump API returns empty array. This brings back previous behaviour at a considerable runtime cost until a better API is introduced. Type: improvement Change-Id: I5a45923cfeb6b8ebe6fc906601264d6567386991 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-05-14nat: remove unused codeKlement Sekera2-3/+0
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I95286d6723fd1860bf6bb0e81c474d732ab25121
2020-05-14nat: ED: store both thread&session idx in hashKlement Sekera9-197/+315
By storing thread and session index in hash table we are able to skip multiple hash lookups in multi-worker scenario, which were used for handoff before. Also, by storing sesion index in vnet_buffer2, we can avoid repeating the lookup after handoff. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I406fb12f4e2dd8f4a5ca5d83d59dbc37e1af9abf
2020-05-14nat: fix segv if out of ports in ed modeAlexander Chernavin2-1/+47
Type: fix Change-Id: Ife726d2f6baaa3516c209011183f39670cf6a55d Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-05-13nat: fix broken buildKlement Sekera1-1/+1
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I2a70db3a25450e014adaed84989f4da9bb77b14d
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera10-161/+391
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-13nat: perf improvement - replace branchy codeKlement Sekera32-451/+401
Use a lookup table instead. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
2020-05-13nat: handoff next node feature fixFilip Varga7-47/+159
Type: fix Change-Id: I14e323e7bb1db7a3d40668212535c07504374e59 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-08docs: fix merge damage in nat.hDave Wallace1-4/+0
Type: fix Fixes: b5a575b09 Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I22d35159a923075243df9760f1a74e2ca74e30e1
2020-05-08nat: fix per thread data vlib_main_t usage take 2Ole Troan7-42/+32
The original fix access vlib_main before these was initialized. Removed cached vlib_mains structure. Type: fix Fixes: 9bb09afb56b1aa787ca574cc732085272059fd5f Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I686bab9220e27891f66bf60489c1602855786aa8 Signed-off-by: Ole Troan <ot@cisco.com>
2020-05-07nat: remove duplicate line of codeKlement Sekera1-1/+0
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I3c914d5c457df40205280ac589a2d353261343d5
2020-05-07nat: fix per thread data vlib_main_t usageFilip Varga9-75/+97
Type: fix Change-Id: If6784c9eb278f525e05304d10fd1a00641faaaf0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-06docs: clean up make docs jobPaul Vinciguerra5-9/+29
Type: docs Change-Id: I9b5e5137eb4c1e89f6e8d7a278cd11a0fd496471 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-06nat: ipfix logging vlib_mains[thread_index] bugfixElias Rudberg1-16/+16
Use thread-specific vlib_main_t *vm pointers to avoid problems with different threads accessing the same vlib_main_t data structure. This avoids crashing when ipfix logging is enabled and several threads are used. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: Ic1d3d335919d7666ead14be1153eb8c8c07b7356
2020-05-06nat: enable force session cleanupFilip Varga6-142/+236
Force session cleanup drops NAT db. Also fixing user specific cli/api calls. Type: improvement Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-06nat: fix coverity warningKlement Sekera1-19/+5
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I609fef6f96c6a3fc85a4dc07e75244b0e1ba9239
2020-05-05nat: remove unused codeKlement Sekera1-27/+0
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I33b2b38961b200dc3297b82124a7107b9ecbd0de
2020-05-04nat: per vrf session limitsFilip Varga9-29/+310
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-03tests: vpp_interface remove deprecated packed propertiesPaul Vinciguerra1-12/+14
The api no longer requires packed ip addresses. Type: test Change-Id: If67365d86b7c3189f871a58234e99f9c8f875371 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-28nat: remove unused codeKlement Sekera1-9/+0
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I0f82d937b4829e5a7f074d4d566fa49319a11716
2020-04-27nat: improve perf - long read after short writeKlement Sekera7-363/+424
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idbbad246161d28f595c25e10d7282c8b33fa9876
2020-04-24nat: ignore user hash in ED NATKlement Sekera8-362/+273
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-24nat: make usage of vnet_buffer2 transparentKlement Sekera5-21/+13
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I50df248afb3f6b46c49e6695b3f124cfd584f016
2020-04-24nat: ED: reduce number of hash tables usedKlement Sekera5-212/+210
Use out2in_ed hash table for port overloading tracking instead of global table. This reduces number of hash insertions in slowpath. Type: improvement Change-Id: Iad4e897d52033beb7f6d76a7ddb596eef586c6cb Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-24nat: fix extended unit testsKlement Sekera1-2/+2
Type: fix Fixes: b86437b79b82493c2e9728929df417f55b153824 Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I2c833928dcdceb4d23dfc161bcc3358272076980
2020-04-23nat: add/del ed_ext_ports only if the table is instantiatedDave Barach1-4/+6
Add a suitable ASSERT in the bihash template in case this happens again. Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ib370d4238f6bae2995bc30fd17fad5c41053c3d1
2020-04-21nat: dslite ce mode in separate config entryVladimir Ratnikov2-4/+20
Previously dslite was moved to separate plugin folder and CE mode was removed. But it still needed. This patch adds CE option to separate config entry Type: feature Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: If153ae08fa385ba5a6605cb412e49bbb4d1db46c
2020-04-20nat: remove unused codeKlement Sekera5-484/+3
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: If5c00faa309cf3e1ea8bdf8b23250041f6a499c4
2020-04-16nat: scavenging functionality removedFilip Varga7-392/+9
Type: refactor Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-08nat: use correct data types for memory sizesKlement Sekera8-25/+25
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Id2d181385f109163d4c806eecda166c2087c4b92
2020-04-08nat: ED: global session LRU listKlement Sekera6-19/+110
Maintain a global session LRU allowing reuse of expired session instead of relying on a scavenging mechanism to periodically walk sessions. Whenever a new session is being allocated in slow path, also attempt to free an expired session from global LRU list. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
2020-04-08nat: preallocate poolsKlement Sekera1-0/+3
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I1be559a98f74c28a9c83fe320c8ce02459793e66
2020-04-07nat: ED: port re-use algorithmKlement Sekera6-45/+196
Type: fix Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-07nat: don't drop packet for expired sessionKlement Sekera3-6/+4
If session is expired, the packet which we just received might be a one, which legitimely creates a new session, process it in slow path instead to decide the outcome. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I45628f52d37ae9dee5e8aa58171ff0b86f91f5dd
2020-03-31nat: fix unknown proto translation out2in_edAlexander Chernavin1-2/+2
An unknown proto packet can be processed as UDP with destination port rewriting which breaks the original packet. With this commit, stop processing unknown proto packets after nat44_ed_out2in_unknown_proto() execution. Type: fix Change-Id: Iea93faf3c282f542d5ee7120c15e1027c1e4abc9 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-27acl: API cleanupJakub Grajciar1-51/+14
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26acl: revert acl: api cleanupOle Trøan1-14/+51
This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a. Reason for revert: Verify failure. Doesn't build. Type: fix Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee Signed-off-by: Ole Troan <ot@cisco.com>
2020-03-26acl: API cleanupJakub Grajciar1-51/+14
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26nat: transitory timeout for TCP CLOSED stateKlement Sekera9-118/+329
Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857. This patch implements this functionality for endpoint-dependent NAT. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-25nat: fix error countersKlement Sekera4-1/+21
Type: fix Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-03-15nat: test cleanupKlement Sekera1-291/+261
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5ec761bfcdc13a8238b83ff46c2f1c53ec0e79d8
2020-03-13nat: in2out/out2in handoff node index bugfixElias Rudberg1-2/+2
This fixes a bug in the initialization of handoff_out2in_index and handoff_in2out_index where the node index for out2in was set to the in2out node, and vice versa. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I983ddd3b3cec06f4cb3fb95b2a9cda4ab6d1270f
2020-03-13nat: timed out session scavenging upgradeFilip Varga11-293/+615
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-03-11nat: dslite plugin separationFilip Varga15-84/+213
Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I81546423200cc7f8a06b527dac8ead191a9e0519