Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: improvement
Currently, NAT44-ED users sessions details are returned for both active
and timed out NAT sessions. It may confuse users that expect to see only
active sessions in the response and make them think that timeouts for
NAT sessions do not work.
With this change, introduce an indicator of timing out for NAT sessions
returned in NAT44-ED user session details.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Ib81ed90369d4b495117538f521e5112e289cf7e6
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4f7b3d5354a7658d7271c28444f2f4641f05b28b
|
|
Fixed FIB entry per interface, pool and
static mapping registrations in NAT control plane.
Improved FIB configuration handling in NAT -
added functions to generalize handling of FIB & NAT,
cleaned up interface callback functions. Changed "is_"
macros to inline functions for easier debugging.
Type: improvement
Change-Id: I68a17761a975dd819139ae94e52a8a85d3f27ffc
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
With endpoint dependent NAT44, When there are multiple workers we look
for a flow which matches the packet in order to figure out which worker
should handle the packet. If the packet is an ICMP error, it may be
associated with an existing flow by inspecting the L3/L4 headers that
are included in the message payload.
This was not being done for in2out packets in
nat44_ed_get_in2out_worker_index(), so some packets which were related
to an open session were not being associated with that session and were
being passed to a different thread than the one where the session was
created. Later on, when the packet was processed by the fast path in2out
node, the L3/L4 headers in the payload are inspected and the fast path
node finds the existing session. Since that session is owned by a
different thread than the one the packet is being processed by, the
in2out fast path node can potentially access the wrong session and/or
memory adjacent to the session pool. This can cause a SEGV.
Make nat44_ed_get_in2out_worker_index() look at the inner headers when
processing an ICMP error. THis is already done in
nat44_ed_get_out2in_worker_index() and in the fast path in2out node.
Change-Id: Icdc1abebcbce452ee7be7cb23fc563e09bf575f2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
The NAT plugin stores packet counters and a counter represents a vector
indexed by interface index. When an interface is assigned a NAT role,
the counters are validated to be long enough for the given interface
index.
When a packet traverses NAT in2out and output feature is disabled, the
appropriate counters are updated by the RX interface index. In this
case, translation happens on the inside interface and its index was
ensured to be valid in all of the counters during NAT role assignment.
When a packet traverses NAT in2out and output feature is enabled, the
appropriate counters are updated by the RX interface index too. In this
case, translation happens on the outside interface and the packet could
be received on any interface, even with no NAT role assigned. If that's
the case and its index is greater than the greatest index validated in
the counters, a new counter value will be written to memory that does
not belong to the counter. As a result, a crash will occur at some
point.
With this change, use TX interface index to update the counters when
output feature is enabled. TX interface is an actual interface where
translation happens and its index is always valid in the counters.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: I53a52af949fe96419e1b5fef4134ab4062198f51
|
|
Refactoring and cleaning up address allocation functions &
ip table update callbacks.
Type: refactor
Change-Id: I9a11700a5f335b64d0d84e04d8e16d040624e01b
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Replace vec ops with pool ops when iterating over pool of
interfaces in plugin_disable() functions.
With this change plugin disabling function and interface role
disabling functions iterate over identical sets of registered
interfaces, preventing 'interface couldn't be found' errors.
Signed-off-by: Alexander Skorichenko <askorichenko@netgate.com>
Change-Id: I4e191bcc5322ff1f9f7730c6fda5e6af86a8eec9
|
|
Return unsupported error if user calls one
of the configuration functions that can
run only after nat44-ed plugin is
enabled via appropriate api/cli
call.
Type: fix
Change-Id: I0d4ab0684ba5ae23fc2ecc668554a34537c2904a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Handle case where extra data is present in buffer which is not part of
IP/ICMP headers.
Type: fix
Fixes: 05b5a5b3b4b04823776feed6403b5a99b2e06d76
Change-Id: Icfef811470056d38c60fc45cc302139ed7594385
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Refactoring static mapping configuration
functions based on feature type.
Type: refactor
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I007d9b0e9717ced613fbcef2b11b6853f479be1e
|
|
Verify that headers are not truncated and that checksums are valid.
Correct checksum computation in translation code.
Type: fix
Change-Id: I6acfcec4661411f83c86b15aafac90cd4538c0b5
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: refactor
Change-Id: Id10cbf52e8f2dd809080a228d8fa282308be84ac
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Fixing nat44-ed identity map in2out communication.
TCP packets would get dropped because of the order
of testing TCP state.
Type: fix
Change-Id: Ib11e7e75c66945224fecc0bb311733672e315c7d
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Refactored & fixed NAT44ED configuration
functions used for handling interfaces and
nodes.
Type: refactor
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I6fbbb7f0fe35d572675997745d53290152987424
|
|
If ICMP comes from a router on path, source address must not be
rewritten in o2i path to avoid getting wrong checksum.
Fix ICMP checksum computations.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I035debccf966d7dbd63c364cb1e43380d641f708
|
|
TTL was already decremented in ip4-rewrite so it's okay if it's 1.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I587dc343737c15247eb62837a06d5e44c0d11acc
|
|
Type: fix
Currently, is_interface_addr() tests if a given IPv4 address belongs to
an interface by a given sw_if_index. However, there are several issues:
* only the first found address on the interface is actually tested,
* sw_if_index is always cached even if the interface hasn't been
assigned any addresses yet.
With this change, is_interface_addr() tests all IPv4 addresses on an
interface by a given sw_if_index and caches sw_if_index only if there
are addresses present.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: If1acc4a534647a5f0ce8e9b565b867c92a016dc3
|
|
Type: fix
Currently, there might be a crash in NAT ED mode:
* if a session for an unknown proto packet cannot be created in2out,
* if a session for an unknown proto packet cannot be found out2in.
With this change, translate packets only if a session is given in NAT
ED mode.
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
Change-Id: Iafb332db1ae9a3e76435964ad636037d1b8a51e8
|
|
snat_set_frame_queue_nelts has been replaced with
nat44_ed_set_frame_queue_nelts.
Type: fix
Signed-off-by: Ruslan Babayev <ruslan@babayev.com>
Change-Id: I8d970be71376fdbb2bfd383d4d5824a8def93bb3
|
|
Add extra assertions to debug build.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ib20130365e8f9dbb556fcbb4321dd184c7eff603
|
|
Type: fix
When enabling the endpoint independent NAT44 plugin, user_sessions
determines the maximum number of translations that can be active for
a single inside address. If 0 is passed in, a default value is used
but 0 is still stored in the field that is used to populate reply
messages to nat44_ei_show_running_config,
At the time of enabling the plugin, if user_sessions is 0, update the
field which is used by nat44_ei_show_running_config to contain the
default per-user limit which gets used by the EI nodes.
Change-Id: I6b060d85bcd42d91db879b95a8b07c6844bcd2a5
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Add /nat44-ed/max-cfg-sessions gauge.
Reflects the configured value for configured sessions (per thread).
Type: improvement
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I618c8aa0daab0981399cfe9273d191fa1990ef60
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Mechanical change for patch following this one...
Type: improvement
Change-Id: Iee12f3a8851f35569e6c039494a94fc36e83d20f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
- Generate copyright year and version
instead of using hard-coded data
Type: refactor
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I6058f5025323b3aa483f5df4a2c4371e27b5914e
|
|
Type: improvement
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I368b0410db2d633d3c52199c840e24d21952c1b4
|
|
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: Ic38cfbdcab86172bad6ec6cb4c66c83f8deed64f
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Newline get's ignored when parsing configuration file.
Type: fix
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: Ib4f86177150dfe3bc085231a9268cf730490ea81
|
|
Type: fix
Change-Id: I35012bb2f7af1996c954641af40f3223bc7f37e4
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
trajectory trace has been broken for a while because we used to save the
buffer trajectory in a vector pointed to in opaque2. This does not work
well when opaque2 is copied (eg. because of a clone) as 2 buffers end up
sharing the same vector.
This dedicates a full cacheline in the buffer metadata instead when
trajectory is compiled in. No dynamic allocation, no sharing, no tears.
Type: refactor
Change-Id: I6a028ca1b48d38f393a36979e5e452c2dd48ad3f
Signed-off-by: Benoît Ganne <bganne@cisco.com>
|
|
Type: fix
The code for quota exceeded events is a u32 and was being copied
into ipfix packets in host byte order. Same for the limit field.
Swap the order before copying into packet buffer.
This change was applied once before but had to be reverted. This was
because between the time the change was uploaded/reviewed and the
time it was merged, a different patch was merged which activated a
NAT ipfix unit test that had formerly only been run as part of the
extended tests. The test was expecting the values to be in host byte
order so it failed with this patch applied. This time around, that
test has also been updated to expect network byte order.
Change-Id: If5413b1f806d664f6786e56ba13c3eee573c26d2
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Iead167e7497e0779c440f7fb243014a06ae2b452
|
|
Properly select worker from hash table in out2in direction, increase
number of worker threads in MW test to 4 to test these cases.
Type: fix
Change-Id: I76eda5761ff497b85b031dd913a64b7fcb53b33a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Removing obsolete optional parameters.
Type: fix
Change-Id: I135eb4767979ab81636da16e91752a2ad80e0a45
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
If cache used than we don't print in trace session index.
Type: fix
Change-Id: Ib965cd8632b5217f8b2dd8b6cc6af3286c747582
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Adding test for NAT44-ED subplugin.
Type: test
Change-Id: I10ce3d3ca8cb976ee9879efe77cb600df0102147
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Improve the code by removing another kind of wrappers.
Type: improvement
Change-Id: I5292ef6c1761e3c6c2edd15f2aa625dac26c3732
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Fix ordering of feature nodes so that ACL runs after NAT in in2out
direction so it can properly track stuff like ports after NAT rewrite.
Type: fix
Change-Id: I2c689b64765628e9bc77108914f74c6c801d8ce2
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4a5d52d54aa2748008e896888bfeabb18a1088bb
|
|
Type: fix
Change-Id: I170f9d8c685f59b7ccf6f9ee7fdc1dcdf2a54fe1
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Use actual thread index from hash table instead of doing calculation.
Calculated index might be different and could lead to crash.
Type: fix
Change-Id: Iede9a67fbe541cb44eccd0d6ddf4e2c51eb35423
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ibbb72e77c751b7e775620cfb160b52ceff2da86b
|
|
Type: fix
Coverity scan issue fix.
Change-Id: I9036fade15fd381da9c1e6b575f250fdcb21f876
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: improvement
Adding support for enable&disable calls
(dynamic plugin configuration).
API (nat66_plugin_enable_disable) and
CLI (nat66 plugin enable/nat66 plugin disable) with support for
outside_vrf id configuration.
Change-Id: I5637ff1621d6662adc3b7c6f7f8176d84a4b492b
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Use correct vlib_main() in various code parts. Fix tests.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ia379f3b686599532dedaafad2278c4097a3f03f3
|
|
Type: refactor
Change-Id: I8b273bc3bf16aa360f031f1b2692f766e5fc4613
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: improvement
Change-Id: If3da7d4338470912f37ff1794620418d928fb77f
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Type: fix
Change-Id: I068bfeaf22b9e6cce967c27acdd46d4b8541bdf8
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Change-Id: I392d348b1a38affac8761b0614b117cd991958d7
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Change-Id: I84d511c30eb5878a1867f5e9d2207a39d4f0926c
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Avoid erroneous double vnet_feature_next if routing buffer manually.
Type: fix
Change-Id: I3f56c12bf57f59a1e5ddad63a2565fa195934cf6
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|