Age | Commit message (Collapse) | Author | Files | Lines |
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I2a70db3a25450e014adaed84989f4da9bb77b14d
|
|
This fixes a situation where long-lived inactive session blocks LRU
list. Solution is to have multiple LRU lists based on session type.
This helps because session timeout is same for all sessions of same
type.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I5e54b2aab73b23911d6518d42e8c3f166c69a38c
|
|
Use a lookup table instead.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ia8461099828bb8824bf016201f135e6b69c444d1
|
|
Type: fix
Change-Id: I14e323e7bb1db7a3d40668212535c07504374e59
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Fixes: b5a575b09
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
Change-Id: I22d35159a923075243df9760f1a74e2ca74e30e1
|
|
The original fix access vlib_main before these was initialized.
Removed cached vlib_mains structure.
Type: fix
Fixes: 9bb09afb56b1aa787ca574cc732085272059fd5f
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: I686bab9220e27891f66bf60489c1602855786aa8
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I3c914d5c457df40205280ac589a2d353261343d5
|
|
Type: fix
Change-Id: If6784c9eb278f525e05304d10fd1a00641faaaf0
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: docs
Change-Id: I9b5e5137eb4c1e89f6e8d7a278cd11a0fd496471
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Use thread-specific vlib_main_t *vm pointers to avoid problems
with different threads accessing the same vlib_main_t data
structure. This avoids crashing when ipfix logging is enabled
and several threads are used.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: Ic1d3d335919d7666ead14be1153eb8c8c07b7356
|
|
Force session cleanup drops NAT db.
Also fixing user specific cli/api calls.
Type: improvement
Change-Id: Ia3e25fcf07fe5fb9a83d55c03fe90aca727b41ac
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I609fef6f96c6a3fc85a4dc07e75244b0e1ba9239
|
|
Type: refactor
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I33b2b38961b200dc3297b82124a7107b9ecbd0de
|
|
Type: improvement
Change-Id: I170256ab47978db34fb0ff6808d9cd54ab872410
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
The api no longer requires packed ip addresses.
Type: test
Change-Id: If67365d86b7c3189f871a58234e99f9c8f875371
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: refactor
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I0f82d937b4829e5a7f074d4d566fa49319a11716
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Idbbad246161d28f595c25e10d7282c8b33fa9876
|
|
With port overloading, port is no longer a scarce resource and there
is no need to limit connections per internal IP. This saves one hash
insert in slow path.
Type: improvement
Change-Id: I8a7a9713ac855fa99fa1617ec684f757cf6e09ae
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I50df248afb3f6b46c49e6695b3f124cfd584f016
|
|
Use out2in_ed hash table for port overloading tracking instead of
global table. This reduces number of hash insertions in slowpath.
Type: improvement
Change-Id: Iad4e897d52033beb7f6d76a7ddb596eef586c6cb
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: fix
Fixes: b86437b79b82493c2e9728929df417f55b153824
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I2c833928dcdceb4d23dfc161bcc3358272076980
|
|
Add a suitable ASSERT in the bihash template in case this happens again.
Type: fix
Signed-off-by: Dave Barach <dave@barachs.net>
Change-Id: Ib370d4238f6bae2995bc30fd17fad5c41053c3d1
|
|
Previously dslite was moved to separate plugin folder
and CE mode was removed. But it still needed.
This patch adds CE option to separate config entry
Type: feature
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: If153ae08fa385ba5a6605cb412e49bbb4d1db46c
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: If5c00faa309cf3e1ea8bdf8b23250041f6a499c4
|
|
Type: refactor
Change-Id: I9f743ba2818e1b1c5004c3575925cc7b479948d8
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Id2d181385f109163d4c806eecda166c2087c4b92
|
|
Maintain a global session LRU allowing reuse of expired session instead
of relying on a scavenging mechanism to periodically walk sessions.
Whenever a new session is being allocated in slow path, also attempt to
free an expired session from global LRU list.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I9edde9ec138de67c9a4888e915b0490ec16415fa
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I1be559a98f74c28a9c83fe320c8ce02459793e66
|
|
Type: fix
Change-Id: I11440c855eb35d2a6095dfe135e4ab5090f11ff3
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
If session is expired, the packet which we just received might be a one,
which legitimely creates a new session, process it in slow path instead
to decide the outcome.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I45628f52d37ae9dee5e8aa58171ff0b86f91f5dd
|
|
An unknown proto packet can be processed as UDP with destination port
rewriting which breaks the original packet.
With this commit, stop processing unknown proto packets after
nat44_ed_out2in_unknown_proto() execution.
Type: fix
Change-Id: Iea93faf3c282f542d5ee7120c15e1027c1e4abc9
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: I09fa6c1b6917936351bd376b56c414ce24488095
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
This reverts commit aad1ee149403994194cf37cef4530b042ba7df3a.
Reason for revert: Verify failure. Doesn't build.
Type: fix
Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Use consistent API types.
Type: fix
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
Change-Id: If90d753f129312400c4c3669bb86289d0c3e0d99
Signed-off-by: Jakub Grajciar <jgrajcia@cisco.com>
|
|
Wait transitory timeout seconds before moving internal state of TCP
session to CLOSED state per RFC 7857. This patch implements this
functionality for endpoint-dependent NAT.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I4491d831cd9edf63fae520a516cdbe590bac85db
|
|
Type: fix
Change-Id: I021b1427362f4bdba1c0ebc9863c9143dd6b3cb7
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I5ec761bfcdc13a8238b83ff46c2f1c53ec0e79d8
|
|
This fixes a bug in the initialization of handoff_out2in_index and
handoff_in2out_index where the node index for out2in was set to the
in2out node, and vice versa.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I983ddd3b3cec06f4cb3fb95b2a9cda4ab6d1270f
|
|
Patch changes the behavior of session scavenging and fixes multiple
nat issues. Allows proper session clearing and removes issue with lingering sessions
in session db. Patch also updates and fixes CLI/API calls for better readability
of session state metrics. Fixes security issue that would allow attacker to
reuse timed out session in both directions (in2out/out2in).
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I78897585a2a57291fad5db6d457941aa0a0457bd
|
|
Type: refactor
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I81546423200cc7f8a06b527dac8ead191a9e0519
|
|
Type: improvement
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: Ia5dbfe864c18e953ff49147a9a4684d2ca14b96e
|
|
Save the next session timeout when sweeping sessions for cleanup so that
we can avoid unnecessary runs of the sweeping algorithm.
Type: fix
Change-Id: I736d00f2dfe242af10f963fbe34b11128f8b0613
Signed-off-by: Klement Sekera <ksekera@cisco.com>
|
|
Type: improvement
Change-Id: I07c7e1c154583906ac9af958f22ed9a1be382f4a
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
Ticket: VPP-1836
Type: feature
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: I8f7fc011bac435445a8916a4948d130ca9162f67
|
|
Type: refactor
Change-Id: If3d9f16f3a06c10b354f1eef674e8db5f3c44de7
Signed-off-by: Ole Troan <ot@cisco.com>
|
|
Type: fix
Change-Id: I75b20db66fb58e1724a212253c51315836079f4b
Signed-off-by: Filip Varga <fivarga@cisco.com>
|
|
See: https://docs.fd.io/vpp/19.08/nat_ha_doc.html
Type: docs
Change-Id: I43ecf1dfb6976ebafee04d820f0e1b07393a0b93
Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
|
|
Type: feature
The current feature ordering of NAT44 nodes with respect to the
ACL plugin's IPv4 input/output features is:
ip4-output: acl-plugin-out-ip4-fa runs before any NAT44 nodes
ip4-unicast: acl-plugin-in-ip4-fa runs before any NAT44 nodes
ACL rules with action permit+reflect can keep track of outbound
flows and allow the replies inbound without an explicit inbound rule.
If ACL permit+reflect rules are configured on an interface that also
has NAT44 configured with output-feature/postrouting translation of
outbound packets, the ACL rules cannot allow inbound packets. The
ACL state that was stored on the outbound flow contains the IP
addresses of the original packet, prior to translation. The inbound
packets are being evaluated by the ACL node using the translated
addresses.
The order of processing inbound needs to be the opposite of what it
was outbound for this to work. Change the NAT44 features on
ip4-output so that they run before outbound ACL nodes. This matches
the existing behavior of the NAT44 nodes which rewrite
source addresses as an input feature instead of an output feature.
This was only done for endpoint dependent mode because the regular
endpoint independent in2out-output node currently selects an
explicit next node rather than using the next node on the feature
arc.
Unit test added to configure both NAT and an ACL and ensure that
out2in packets matching an in2out flow are permitted by the ACL
and translated by NAT.
Change-Id: Ibd679c28b64c3fc3cc8c0606ea93123e384e839f
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
There was an attempt to fix this problem in the commit:
d3b8c861a44e70c197ab721fa3ce7f38bbeab7fd
But checking the LOCALLY_ORIGINATED flag didn't work because this flag
gets reset before it can reach the NAT nodes.
With this commit, replace the check for the LOCALLY_ORIGINATED flag
with a check to see if the packet is a DHCP broadcast.
Type: fix
Change-Id: I069c08a785b5988b10192f528e4f9c4c7cc2f8a3
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
|
|
Type: fix
Ticket: VPP-1817
Signed-off-by: Filip Varga <fivarga@cisco.com>
Change-Id: Id4d694ce636b0a213e65ce27c32a8150df9af0f8
|