aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
AgeCommit message (Collapse)AuthorFilesLines
2020-05-13nat: fix broken buildKlement Sekera1-1/+1
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I2a70db3a25450e014adaed84989f4da9bb77b14d
2020-05-13nat: fix LRU blocked by inactive sessionKlement Sekera10-161/+391
This fixes a situation where long-lived inactive session blocks LRU list. Solution is to have multiple LRU lists based on session type. This helps because session timeout is same for all sessions of same type. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
2020-05-13nat: perf improvement - replace branchy codeKlement Sekera32-451/+401
Use a lookup table instead. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
2020-05-13nat: handoff next node feature fixFilip Varga7-47/+159
Type: fix Change-Id: I14e323e7bb1db7a3d40668212535c07504374e59 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-08docs: fix merge damage in nat.hDave Wallace1-4/+0
Type: fix Fixes: b5a575b09 Signed-off-by: Dave Wallace <dwallacelf@gmail.com> Change-Id: I22d35159a923075243df9760f1a74e2ca74e30e1
2020-05-08nat: fix per thread data vlib_main_t usage take 2Ole Troan7-42/+32
The original fix access vlib_main before these was initialized. Removed cached vlib_mains structure. Type: fix Fixes: 9bb09afb56b1aa787ca574cc732085272059fd5f Signed-off-by: Ole Troan <ot@cisco.com> Change-Id: I686bab9220e27891f66bf60489c1602855786aa8 Signed-off-by: Ole Troan <ot@cisco.com>
2020-05-07nat: remove duplicate line of codeKlement Sekera1-1/+0
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I3c914d5c457df40205280ac589a2d353261343d5
2020-05-07nat: fix per thread data vlib_main_t usageFilip Varga9-75/+97
Type: fix Change-Id: If6784c9eb278f525e05304d10fd1a00641faaaf0 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-06docs: clean up make docs jobPaul Vinciguerra5-9/+29
Type: docs Change-Id: I9b5e5137eb4c1e89f6e8d7a278cd11a0fd496471 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-05-06nat: ipfix logging vlib_mains[thread_index] bugfixElias Rudberg1-16/+16
Use thread-specific vlib_main_t *vm pointers to avoid problems with different threads accessing the same vlib_main_t data structure. This avoids crashing when ipfix logging is enabled and several threads are used. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: Ic1d3d335919d7666ead14be1153eb8c8c07b7356
2020-05-06nat: enable force session cleanupFilip Varga6-142/+236
Force session cleanup drops NAT db. Also fixing user specific cli/api calls. Type: improvement Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-06nat: fix coverity warningKlement Sekera1-19/+5
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I609fef6f96c6a3fc85a4dc07e75244b0e1ba9239
2020-05-05nat: remove unused codeKlement Sekera1-27/+0
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I33b2b38961b200dc3297b82124a7107b9ecbd0de
2020-05-04nat: per vrf session limitsFilip Varga9-29/+310
Type: improvement Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-05-03tests: vpp_interface remove deprecated packed propertiesPaul Vinciguerra1-12/+14
The api no longer requires packed ip addresses. Type: test Change-Id: If67365d86b7c3189f871a58234e99f9c8f875371 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-04-28nat: remove unused codeKlement Sekera1-9/+0
Type: refactor Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I0f82d937b4829e5a7f074d4d566fa49319a11716
2020-04-27nat: improve perf - long read after short writeKlement Sekera7-363/+424
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Idbbad246161d28f595c25e10d7282c8b33fa9876
2020-04-24nat: ignore user hash in ED NATKlement Sekera8-362/+273
With port overloading, port is no longer a scarce resource and there is no need to limit connections per internal IP. This saves one hash insert in slow path. Type: improvement Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-24nat: make usage of vnet_buffer2 transparentKlement Sekera5-21/+13
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I50df248afb3f6b46c49e6695b3f124cfd584f016
2020-04-24nat: ED: reduce number of hash tables usedKlement Sekera5-212/+210
Use out2in_ed hash table for port overloading tracking instead of global table. This reduces number of hash insertions in slowpath. Type: improvement Change-Id: Iad4e897d52033beb7f6d76a7ddb596eef586c6cb Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-24nat: fix extended unit testsKlement Sekera1-2/+2
Type: fix Fixes: b86437b79b82493c2e9728929df417f55b153824 Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I2c833928dcdceb4d23dfc161bcc3358272076980
2020-04-23nat: add/del ed_ext_ports only if the table is instantiatedDave Barach1-4/+6
Add a suitable ASSERT in the bihash template in case this happens again. Type: fix Signed-off-by: Dave Barach <dave@barachs.net> Change-Id: Ib370d4238f6bae2995bc30fd17fad5c41053c3d1
2020-04-21nat: dslite ce mode in separate config entryVladimir Ratnikov2-4/+20
Previously dslite was moved to separate plugin folder and CE mode was removed. But it still needed. This patch adds CE option to separate config entry Type: feature Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: If153ae08fa385ba5a6605cb412e49bbb4d1db46c
2020-04-20nat: remove unused codeKlement Sekera5-484/+3
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: If5c00faa309cf3e1ea8bdf8b23250041f6a499c4
2020-04-16nat: scavenging functionality removedFilip Varga7-392/+9
Type: refactor Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8 Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-04-08nat: use correct data types for memory sizesKlement Sekera8-25/+25
Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: Id2d181385f109163d4c806eecda166c2087c4b92
2020-04-08nat: ED: global session LRU listKlement Sekera6-19/+110
Maintain a global session LRU allowing reuse of expired session instead of relying on a scavenging mechanism to periodically walk sessions. Whenever a new session is being allocated in slow path, also attempt to free an expired session from global LRU list. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
2020-04-08nat: preallocate poolsKlement Sekera1-0/+3
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I1be559a98f74c28a9c83fe320c8ce02459793e66
2020-04-07nat: ED: port re-use algorithmKlement Sekera6-45/+196
Type: fix Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-04-07nat: don't drop packet for expired sessionKlement Sekera3-6/+4
If session is expired, the packet which we just received might be a one, which legitimely creates a new session, process it in slow path instead to decide the outcome. Type: fix Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I45628f52d37ae9dee5e8aa58171ff0b86f91f5dd
2020-03-31nat: fix unknown proto translation out2in_edAlexander Chernavin1-2/+2
An unknown proto packet can be processed as UDP with destination port rewriting which breaks the original packet. With this commit, stop processing unknown proto packets after nat44_ed_out2in_unknown_proto() execution. Type: fix Change-Id: Iea93faf3c282f542d5ee7120c15e1027c1e4abc9 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-03-27acl: API cleanupJakub Grajciar1-51/+14
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26acl: revert acl: api cleanupOle Trøan1-14/+51
This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a. Reason for revert: Verify failure. Doesn't build. Type: fix Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee Signed-off-by: Ole Troan <ot@cisco.com>
2020-03-26acl: API cleanupJakub Grajciar1-51/+14
Use consistent API types. Type: fix Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com> Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99 Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
2020-03-26nat: transitory timeout for TCP CLOSED stateKlement Sekera9-118/+329
Wait transitory timeout seconds before moving internal state of TCP session to CLOSED state per RFC 7857. This patch implements this functionality for endpoint-dependent NAT. Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
2020-03-25nat: fix error countersKlement Sekera4-1/+21
Type: fix Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-03-15nat: test cleanupKlement Sekera1-291/+261
Type: improvement Signed-off-by: Klement Sekera <ksekera@cisco.com> Change-Id: I5ec761bfcdc13a8238b83ff46c2f1c53ec0e79d8
2020-03-13nat: in2out/out2in handoff node index bugfixElias Rudberg1-2/+2
This fixes a bug in the initialization of handoff_out2in_index and handoff_in2out_index where the node index for out2in was set to the in2out node, and vice versa. Type: fix Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net> Change-Id: I983ddd3b3cec06f4cb3fb95b2a9cda4ab6d1270f
2020-03-13nat: timed out session scavenging upgradeFilip Varga11-293/+615
Patch changes the behavior of session scavenging and fixes multiple nat issues. Allows proper session clearing and removes issue with lingering sessions in session db. Patch also updates and fixes CLI/API calls for better readability of session state metrics. Fixes security issue that would allow attacker to reuse timed out session in both directions (in2out/out2in). Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
2020-03-11nat: dslite plugin separationFilip Varga15-84/+213
Type: refactor Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I81546423200cc7f8a06b527dac8ead191a9e0519
2020-02-20nat: user deletion function & extra metricsFilip Varga4-0/+272
Type: improvement Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Ia5dbfe864c18e953ff49147a9a4684d2ca14b96e
2020-02-20nat: avoid running pointless session cleanupsKlement Sekera3-11/+33
Save the next session timeout when sweeping sessions for cleanup so that we can avoid unnecessary runs of the sweeping algorithm. Type: fix Change-Id: I736d00f2dfe242af10f963fbe34b11128f8b0613 Signed-off-by: Klement Sekera <ksekera@cisco.com>
2020-02-20nat: nat44 split slow and fast pathFilip Varga2-1080/+339
Type: improvement Change-Id: I07c7e1c154583906ac9af958f22ed9a1be382f4a Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-02-07nat: api & cli command for forcing session cleanupFilip Varga4-0/+98
Ticket: VPP-1836 Type: feature Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: I8f7fc011bac435445a8916a4948d130ca9162f67
2020-02-05nat: move dslite to separate sub-pluginOle Troan19-763/+775
Type: refactor Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7 Signed-off-by: Ole Troan <ot@cisco.com>
2020-02-04nat: pool allocation function fixFilip Varga1-1/+1
Type: fix Change-Id: I75b20db66fb58e1724a212253c51315836079f4b Signed-off-by: Filip Varga <fivarga@cisco.com>
2020-01-27docs nat: fix nat-ha ascii artPaul Vinciguerra1-0/+2
See: https://docs.fd.io/vpp/19.08/nat_ha_doc.html Type: docs Change-Id: I43ecf1dfb6976ebafee04d820f0e1b07393a0b93 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2020-01-24nat: in2out-output nodes work with acl reflectMatthew Smith2-2/+107
Type: feature The current feature ordering of NAT44 nodes with respect to the ACL plugin's IPv4 input/output features is: ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes ACL rules with action permit+reflect can keep track of outbound flows and allow the replies inbound without an explicit inbound rule. If ACL permit+reflect rules are configured on an interface that also has NAT44 configured with output-feature/postrouting translation of outbound packets, the ACL rules cannot allow inbound packets. The ACL state that was stored on the outbound flow contains the IP addresses of the original packet, prior to translation. The inbound packets are being evaluated by the ACL node using the translated addresses. The order of processing inbound needs to be the opposite of what it was outbound for this to work. Change the NAT44 features on ip4-output so that they run before outbound ACL nodes. This matches the existing behavior of the NAT44 nodes which rewrite source addresses as an input feature instead of an output feature. This was only done for endpoint dependent mode because the regular endpoint independent in2out-output node currently selects an explicit next node rather than using the next node on the feature arc. Unit test added to configure both NAT and an ACL and ensure that out2in packets matching an in2out flow are permitted by the ACL and translated by NAT. Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2020-01-21nat: fix dhcp client on outside interface with output featureAlexander Chernavin2-18/+18
There was an attempt to fix this problem in the commit: d3b8c861a44e70c197ab721fa3ce7f38bbeab7fd But checking the LOCALLY_ORIGINATED flag didn't work because this flag gets reset before it can reach the NAT nodes. With this commit, replace the check for the LOCALLY_ORIGINATED flag with a check to see if the packet is a DHCP broadcast. Type: fix Change-Id: I069c08a785b5988b10192f528e4f9c4c7cc2f8a3 Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
2020-01-21nat: removed obsolete fragmentation codeFilip Varga1-84/+16
Type: fix Ticket: VPP-1817 Signed-off-by: Filip Varga <fivarga@cisco.com> Change-Id: Id4d694ce636b0a213e65ce27c32a8150df9af0f8