path: root/src/plugins/nat
Age  Commit message  (Author, Files, Lines)
2021-09-09  nat: nat44-ed add session timing out indicator in api  (Alexander Chernavin, 2 files, -1/+150)
    Type: improvement
    Currently, NAT44-ED user session details are returned for both active and timed out NAT sessions. It may confuse users that expect to see only active sessions in the response and make them think that timeouts for NAT sessions do not work.
    With this change, introduce an indicator of timing out for NAT sessions returned in NAT44-ED user session details.
    Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
    Change-Id: Ib81ed90369d4b495117538f521e5112e289cf7e6
2021-09-08  nat: remove unused parameters and use correct parameter types  (Klement Sekera, 2 files, -20/+15)
    Type: improvement
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: I4f7b3d5354a7658d7271c28444f2f4641f05b28b
2021-09-02  nat: NAT44 ED improvements and fixes  (Filip Varga, 8 files, -392/+353)
    Fixed FIB entry per interface, pool and static mapping registrations in NAT control plane. Improved FIB configuration handling in NAT - added functions to generalize handling of FIB & NAT, cleaned up interface callback functions. Changed "is_" macros to inline functions for easier debugging.
    Type: improvement
    Change-Id: I68a17761a975dd819139ae94e52a8a85d3f27ffc
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-19  nat: handle ED in2out ICMP errors with workers  (Matthew Smith, 1 file, -0/+22)
    Type: fix
    With endpoint dependent NAT44, when there are multiple workers we look for a flow which matches the packet in order to figure out which worker should handle the packet. If the packet is an ICMP error, it may be associated with an existing flow by inspecting the L3/L4 headers that are included in the message payload.
    This was not being done for in2out packets in nat44_ed_get_in2out_worker_index(), so some packets which were related to an open session were not being associated with that session and were being passed to a different thread than the one where the session was created. Later on, when the packet was processed by the fast path in2out node, the L3/L4 headers in the payload are inspected and the fast path node finds the existing session. Since that session is owned by a different thread than the one the packet is being processed by, the in2out fast path node can potentially access the wrong session and/or memory adjacent to the session pool. This can cause a SEGV.
    Make nat44_ed_get_in2out_worker_index() look at the inner headers when processing an ICMP error. This is already done in nat44_ed_get_out2in_worker_index() and in the fast path in2out node.
    Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-08-17  nat: fix counters increment for output feature  (Alexander Chernavin, 3 files, -68/+93)
    Type: fix
    The NAT plugin stores packet counters and a counter represents a vector indexed by interface index. When an interface is assigned a NAT role, the counters are validated to be long enough for the given interface index.
    When a packet traverses NAT in2out and output feature is disabled, the appropriate counters are updated by the RX interface index. In this case, translation happens on the inside interface and its index was ensured to be valid in all of the counters during NAT role assignment.
    When a packet traverses NAT in2out and output feature is enabled, the appropriate counters are updated by the RX interface index too. In this case, translation happens on the outside interface and the packet could be received on any interface, even with no NAT role assigned. If that's the case and its index is greater than the greatest index validated in the counters, a new counter value will be written to memory that does not belong to the counter. As a result, a crash will occur at some point.
    With this change, use TX interface index to update the counters when output feature is enabled. TX interface is an actual interface where translation happens and its index is always valid in the counters.
    Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
    Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
2021-08-12  nat: NAT44ED configuration refactor  (Filip Varga, 4 files, -378/+365)
    Refactoring and cleaning up address allocation functions & ip table update callbacks.
    Type: refactor
    Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-08-12  nat: correct pool ops when disable nat44 plugin  (Alexander Skorichenko, 1 file, -10/+10)
    Type: fix
    Replace vec ops with pool ops when iterating over pool of interfaces in plugin_disable() functions. With this change plugin disabling function and interface role disabling functions iterate over identical sets of registered interfaces, preventing 'interface couldn't be found' errors.
    Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
    Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
2021-08-05  nat: nat44-ed disable protection for api/cli  (Filip Varga, 4 files, -60/+67)
    Return unsupported error if user calls one of the configuration functions that can run only after nat44-ed plugin is enabled via appropriate api/cli call.
    Type: fix
    Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-07-29  nat: fix ICMP checksum validation  (Klement Sekera, 1 file, -9/+9)
    Handle case where extra data is present in buffer which is not part of IP/ICMP headers.
    Type: fix
    Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76
    Change-Id: Icfef811470056d38c60fc45cc302139ed7594385
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-22  nat: nat44-ed configuration refactor & cleanup  (Filip Varga, 9 files, -896/+1195)
    Refactoring static mapping configuration functions based on feature type.
    Type: refactor
    Signed-off-by: Filip Varga <fivarga@cisco.com>
    Change-Id: I007d9b0e9717ced613fbcef2b11b6853f479be1e
2021-07-19  nat: harden ICMP handling  (Klement Sekera, 4 files, -49/+110)
    Verify that headers are not truncated and that checksums are valid. Correct checksum computation in translation code.
    Type: fix
    Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-07-15  misc: replace CLIB_PREFETCH with clib_prefetch_{load,store}  (Damjan Marion, 9 files, -20/+20)
    Type: refactor
    Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-07-15  nat: nat44-ed sm fix  (Filip Varga, 1 file, -15/+13)
    Fixing nat44-ed identity map in2out communication. TCP packets would get dropped because of the order of testing TCP state.
    Type: fix
    Change-Id: Ib11e7e75c66945224fecc0bb311733672e315c7d
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-07-14  nat: refactoring NAT44ED cfg functions  (Filip Varga, 4 files, -344/+500)
    Refactored & fixed NAT44ED configuration functions used for handling interfaces and nodes.
    Type: refactor
    Signed-off-by: Filip Varga <fivarga@cisco.com>
    Change-Id: I6fbbb7f0fe35d572675997745d53290152987424
2021-06-23  nat: ICMP handling fixes  (Klement Sekera, 4 files, -24/+110)
    If ICMP comes from a router on path, source address must not be rewritten in o2i path to avoid getting wrong checksum. Fix ICMP checksum computations.
    Type: fix
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: I035debccf966d7dbd63c364cb1e43380d641f708
2021-06-22  nat: don't drop packet with ttl=1 if output feature  (Klement Sekera, 1 file, -2/+2)
    TTL was already decremented in ip4-rewrite so it's okay if it's 1.
    Type: fix
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
2021-06-16  nat: test all intf addrs in is_interface_addr()  (Alexander Chernavin, 4 files, -20/+42)
    Type: fix
    Currently, is_interface_addr() tests if a given IPv4 address belongs to an interface by a given sw_if_index. However, there are several issues:
      * only the first found address on the interface is actually tested,
      * sw_if_index is always cached even if the interface hasn't been assigned any addresses yet.
    With this change, is_interface_addr() tests all IPv4 addresses on an interface by a given sw_if_index and caches sw_if_index only if there are addresses present.
    Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
    Change-Id: If1acc4a534647a5f0ce8e9b565b867c92a016dc3
2021-06-16  nat: fix crash when translate unknown proto packets  (Alexander Chernavin, 2 files, -4/+5)
    Type: fix
    Currently, there might be a crash in NAT ED mode:
      * if a session for an unknown proto packet cannot be created in2out,
      * if a session for an unknown proto packet cannot be found out2in.
    With this change, translate packets only if a session is given in NAT ED mode.
    Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
    Change-Id: Iafb332db1ae9a3e76435964ad636037d1b8a51e8
2021-05-31  nat: fix broken nat44-ed cli  (Ruslan Babayev, 2 files, -10/+1)
    snat_set_frame_queue_nelts has been replaced with nat44_ed_set_frame_queue_nelts.
    Type: fix
    Signed-off-by: Ruslan Babayev <ruslan@babayev.com>
    Change-Id: I8d970be71376fdbb2bfd383d4d5824a8def93bb3
2021-05-26  nat: add thread index assertions  (Klement Sekera, 4 files, -0/+11)
    Add extra assertions to debug build.
    Type: improvement
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: Ib20130365e8f9dbb556fcbb4321dd184c7eff603
2021-05-25  nat: report correct EI per-user session limit  (Matthew Smith, 2 files, -3/+5)
    Type: fix
    When enabling the endpoint independent NAT44 plugin, user_sessions determines the maximum number of translations that can be active for a single inside address. If 0 is passed in, a default value is used but 0 is still stored in the field that is used to populate reply messages to nat44_ei_show_running_config.
    At the time of enabling the plugin, if user_sessions is 0, update the field which is used by nat44_ei_show_running_config to contain the default per-user limit which gets used by the EI nodes.
    Change-Id: I6b060d85bcd42d91db879b95a8b07c6844bcd2a5
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-05-21  nat: add maximum configured sessions to stat segment  (Ole Troan, 2 files, -0/+11)
    Add /nat44-ed/max-cfg-sessions gauge. Reflects the configured value for configured sessions (per thread).
    Type: improvement
    Signed-off-by: Ole Troan <ot@cisco.com>
    Change-Id: I618c8aa0daab0981399cfe9273d191fa1990ef60
    Signed-off-by: Ole Troan <ot@cisco.com>
2021-05-14  vlib: pass node runtime to vlib_buffer_enqueue_to_thread()  (Damjan Marion, 6 files, -15/+12)
    Mechanical change for patch following this one...
    Type: improvement
    Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-05-13  tests: move test source to vpp/test  (Dave Wallace, 8 files, -11555/+0)
    - Generate copyright year and version instead of using hard-coded data
    Type: refactor
    Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
    Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
2021-05-06  vlib: rename vl_counter_t to vlib_error_desc_t  (Ole Troan, 1 file, -1/+1)
    Type: improvement
    Signed-off-by: Ole Troan <ot@cisco.com>
    Change-Id: I368b0410db2d633d3c52199c840e24d21952c1b4
2021-05-06  pnat: coverity errors  (Ole Troan, 4 files, -5/+13)
    Type: fix
    Signed-off-by: Ole Troan <ot@cisco.com>
    Change-Id: Ic38cfbdcab86172bad6ec6cb4c66c83f8deed64f
    Signed-off-by: Ole Troan <ot@cisco.com>
2021-05-05  nat: cli commands parsing fix  (Filip Varga, 2 files, -235/+200)
    Newline gets ignored when parsing configuration file.
    Type: fix
    Signed-off-by: Filip Varga <fivarga@cisco.com>
    Change-Id: Ib4f86177150dfe3bc085231a9268cf730490ea81
2021-05-05  nat: fixing cfg file parsing cli issues  (Filip Varga, 4 files, -93/+92)
    Type: fix
    Change-Id: I35012bb2f7af1996c954641af40f3223bc7f37e4
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-05-01  vlib: refactor trajectory trace debug feature  (Benoît Ganne, 2 files, -8/+0)
    trajectory trace has been broken for a while because we used to save the buffer trajectory in a vector pointed to in opaque2. This does not work well when opaque2 is copied (e.g. because of a clone) as 2 buffers end up sharing the same vector.
    This dedicates a full cacheline in the buffer metadata instead when trajectory is compiled in. No dynamic allocation, no sharing, no tears.
    Type: refactor
    Change-Id: I6a028ca1b48d38f393a36979e5e452c2dd48ad3f
    Signed-off-by: Benoît Ganne <bganne@cisco.com>
2021-04-28  nat: fix byte order on ipfix message fields  (Matthew Smith, 4 files, -7/+10)
    Type: fix
    The code for quota exceeded events is a u32 and was being copied into ipfix packets in host byte order. Same for the limit field. Swap the order before copying into packet buffer.
    This change was applied once before but had to be reverted. This was because between the time the change was uploaded/reviewed and the time it was merged, a different patch was merged which activated a NAT ipfix unit test that had formerly only been run as part of the extended tests. The test was expecting the values to be in host byte order so it failed with this patch applied. This time around, that test has also been updated to expect network byte order.
    Change-Id: If5413b1f806d664f6786e56ba13c3eee573c26d2
    Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2021-04-23  nat: correct detection of icmp bypass presence  (Klement Sekera, 1 file, -2/+2)
    Type: fix
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: Iead167e7497e0779c440f7fb243014a06ae2b452
2021-04-21  nat: fix multi worker scenarios  (Klement Sekera, 3 files, -48/+161)
    Properly select worker from hash table in out2in direction, increase number of worker threads in MW test to 4 to test these cases.
    Type: fix
    Change-Id: I76eda5761ff497b85b031dd913a64b7fcb53b33a
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-04-20  nat: fixing cli bug for nat44-ei and nat44-ed  (Filip Varga, 2 files, -2/+2)
    Removing obsolete optional parameters.
    Type: fix
    Change-Id: I135eb4767979ab81636da16e91752a2ad80e0a45
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-04-20  nat: nat44-ed i2o & o2i trace fix  (Filip Varga, 2 files, -8/+10)
    If cache is used then we don't print the session index in trace.
    Type: fix
    Change-Id: Ib965cd8632b5217f8b2dd8b6cc6af3286c747582
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-04-14  nat: test dynamic translation between two vrfs  (Filip Varga, 1 file, -3/+41)
    Adding test for NAT44-ED subplugin.
    Type: test
    Change-Id: I10ce3d3ca8cb976ee9879efe77cb600df0102147
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-04-06  tests: remove wrappers  (Klement Sekera, 1 file, -75/+53)
    Improve the code by removing another kind of wrappers.
    Type: improvement
    Change-Id: I5292ef6c1761e3c6c2edd15f2aa625dac26c3732
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-04-01  nat: fix ordering of feature nodes  (Klement Sekera, 1 file, -2/+4)
    Fix ordering of feature nodes so that ACL runs after NAT in in2out direction so it can properly track stuff like ports after NAT rewrite.
    Type: fix
    Change-Id: I2c689b64765628e9bc77108914f74c6c801d8ce2
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-31  nat: enable multiworker tests  (Klement Sekera, 1 file, -2/+0)
    Type: fix
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: I4a5d52d54aa2748008e896888bfeabb18a1088bb
2021-03-31  nat: fix test for multi-worker scenario  (Klement Sekera, 1 file, -3/+16)
    Type: fix
    Change-Id: I170f9d8c685f59b7ccf6f9ee7fdc1dcdf2a54fe1
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-31  nat: correct thread index usage  (Klement Sekera, 3 files, -12/+15)
    Use actual thread index from hash table instead of doing calculation. Calculated index might be different and could lead to crash.
    Type: fix
    Change-Id: Iede9a67fbe541cb44eccd0d6ddf4e2c51eb35423
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-31  nat: avoid creating negative zero checksum  (Klement Sekera, 1 file, -1/+3)
    Type: fix
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: Ibbb72e77c751b7e775620cfb160b52ceff2da86b
2021-03-31  nat: NAT44-ED unused value removal  (Filip Varga, 1 file, -4/+1)
    Type: fix
    Coverity scan issue fix.
    Change-Id: I9036fade15fd381da9c1e6b575f250fdcb21f876
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-03-31  nat: NAT66 plugin enable&disable calls update  (Filip Varga, 6 files, -93/+258)
    Type: improvement
    Adding support for enable&disable calls (dynamic plugin configuration). API (nat66_plugin_enable_disable) and CLI (nat66 plugin enable/nat66 plugin disable) with support for outside_vrf id configuration.
    Change-Id: I5637ff1621d6662adc3b7c6f7f8176d84a4b492b
    Signed-off-by: Filip Varga <fivarga@cisco.com>
2021-03-30  nat: fix HA multi-worker issues  (Klement Sekera, 6 files, -154/+176)
    Use correct vlib_main() in various code parts. Fix tests.
    Type: fix
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
    Change-Id: Ia379f3b686599532dedaafad2278c4097a3f03f3
2021-03-26  vlib: split vlib_main_t into global and per-thread  (Damjan Marion, 1 file, -11/+0)
    Type: refactor
    Change-Id: I8b273bc3bf16aa360f031f1b2692f766e5fc4613
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-03-26  vlib: introduce vlib_get_main_by_index(), vlib_get_n_threads()  (Damjan Marion, 4 files, -18/+18)
    Type: improvement
    Change-Id: If3da7d4338470912f37ff1794620418d928fb77f
    Signed-off-by: Damjan Marion <damarion@cisco.com>
2021-03-25  nat: allocate enough space for full port usage  (Klement Sekera, 1 file, -1/+1)
    Type: fix
    Change-Id: I068bfeaf22b9e6cce967c27acdd46d4b8541bdf8
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-25  nat: fix bihash kvp print  (Klement Sekera, 1 file, -2/+3)
    Type: fix
    Change-Id: I392d348b1a38affac8761b0614b117cd991958d7
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-25  nat: prevent usage of ED nodes in EI code  (Klement Sekera, 2 files, -44/+118)
    Type: fix
    Change-Id: I84d511c30eb5878a1867f5e9d2207a39d4f0926c
    Signed-off-by: Klement Sekera <ksekera@cisco.com>
2021-03-25  nat: fix vnet_feature_next in source hairpinning  (Klement Sekera, 1 file, -3/+11)
    Avoid erroneous double vnet_feature_next if routing buffer manually.
    Type: fix
    Change-Id: I3f56c12bf57f59a1e5ddad63a2565fa195934cf6
    Signed-off-by: Klement Sekera <ksekera@cisco.com>