Age | Commit message (Collapse) | Author | Files | Lines |
|
Do not translate packet which go out via nat44-in2out-output and was tranlated
in nat44-out2in before. On way back forward packet to nat44-in2out node.
Change-Id: I934d69856f0178c86ff879bc691c9e074b8485c8
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit 4d023c8c930b2a4220998d4c211d751e33324faa)
|
|
forwarding mode:
session initiaded from service host - translate
session initiaded from remote host - do not translate
Change-Id: I0e3733361de4b85068b9be02f953154a478ce8cc
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
When a user session is allocated/reused, only increase
one of the session counters for that user if the counters
are below the per-user limit.
THis addresses a SEGV that arises after the following
sequence of events:
- an outside interface IP address is put in a pool
- a user exceeds the number of per-user translations by
an amount greater than the number of per-user translations
(nsessions + nstaticsessions > 100 + 100)
- the outside interface IP address is deleted and then added
again (observed when using DHCP client, likely happens if
address changed via CLI, API also)
- the user sends more packets that should be translated
When nsessions is > the per-user limit,
nat_session_alloc_or_recycle() reclaims the oldest existing
user session. When an outside address is deleted, the
corresponding user sessions are deleted. If the counters were
far above the per-user limit, the deletions wouldn't result
in the counters dropping back below the limit. So no session
could be reclaimed -> SEGV.
Change-Id: I940bafba0fd5385a563e2ce87534688eb9469f12
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
Change-Id: I3e4bbfe205c86cb0839dd5c542f083dbe6bea881
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit 3f2dd30b0bf7cf3d82c720d5065178c1fa628c6b)
|
|
Change-Id: Icb858414145db0e5fef495e155903b3b935e50ba
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit 3c2a416c42a0481698735a0b1e355bfb7a702882)
|
|
pair (VPP-1199)
Change-Id: Iad8c626e83bbc58d5c85b6736f5a3dd5bc9ceafb
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit e877d68407d316adb64baa855985b746dcb2e102)
|
|
Change-Id: Iaf959d7636907cec54d83b3f14244153fbf19fa2
Signed-off-by: Dave Barach <dbarach@cisco.com>
|
|
(VPP-1176)"
This reverts commit d30c94afe4e67298b3da6fd839e0210844cf45a5.
Change-Id: Ic076f6c116e1d816c492eb8e03e50cf95cedae77
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
If forwarding is enabled, inbound packets on an outside
interface should not be dropped and instead pass on to
the FIB lookup. This works for TCP and UDP but not other
IP protocols. Enable it for unknown protocols.
Change-Id: I1da84b5633a36b3e5e64079754db2fcc50f29819
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
(cherry picked from commit 03f942a1cc4de3963507fc7075d91aff0cae7d58)
|
|
forwarding mode:
session initiaded from service host - translate
session initiaded from remote host - do not translate
Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit 204591d1bd754f6086edcf8b27a95beab929a78f)
|
|
Change-Id: I1552e1418b704fdf1f1fa2c0174313b9b82a37a3
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
in2out and out2in protocol are not same
Change-Id: I4ce680ad1f088cb079e1f2aeb15ca59225fca0d1
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
(cherry picked from commit 9691cf2d082727fb2f88e85050068dc6fd761bcd)
|
|
frag packet can't get reass.
adding bihash,it can rewrite new hash value.
so need to delete hash after compare hash value.
Change-Id: I83b5c47890110e9a598b78cfbe8fcd27bbe291bb
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
(cherry picked from commit 5e85c54d229e443d30dabe9bca39625587add8a5)
|
|
(VPP-1192)
following is not possible:
set interface nat44 out GigabitEthernet0/3/0 output-feature
set interface nat44 out GigabitEthernet0/3/0
Change-Id: I1592cc18390881fda66f98316700886b8f5295f0
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit e4e34c23fe7050c26967997fdb8f555c51fd3961)
|
|
Change-Id: I8a4a7a85e86acbfe411e6dfa22e3976d7d4c903b
Signed-off-by: ahdj007 <dong.juan1@zte.com.cn>
(cherry picked from commit 9f06d0eccf06b82b42cc55f02c37cbed9e1aab83)
|
|
interface reconnect.
Change-Id: Ifc7eb2494a22c334d8899422545fca1a4bba4d05
Signed-off-by: Chun Li <chunl2@cisco.com>
|
|
(VPP-1149)
Change-Id: I860468bdc21c6ee07f63c8854592c46ca631ebc2
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
(VPP-1156)
Change-Id: I5395245c9e49f741a949ada1f725c34f9379c249
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit f7ad5cbe819533523169e8a88876b94b9f38789c)
|
|
Change-Id: Iae15d15b470bdde759d08201de9d6dc5afef0ee9
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
NAT input features run after acl-plugin-in-ip4-fa
NAT output features run after acl-plugin-out-ip4-fa
Change-Id: I1e4487a0d6fdb99a90b8db640d9ad0e0eb7347a5
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit 16f0546cadb1248f9dce99788ecc50cc2668c7e4)
|
|
Change-Id: Ic5e8d74bf5ac84cce5661de44778c89541c67636
Signed-off-by: Matus Fabian <matfabia@cisco.com>
(cherry picked from commit e71eb5922a293eca36dbd323970741daaca3c5c7)
|
|
Modify interface creation to allow creation of tunnel interfaces
without dedicated per tunnel output and tx nodes which are not
used for most tunnel types. Also changed interface-output node
function vnet_per_buffer_interface_output() so it does not rely
on hw_if_index as the next node index which is not flexible nor
efficient for large scale tunnel interfaces.
The improvenemts are done for VXLAN, VXLAN-GPE, GENEVE and GTPU
tunnels. GRE tunnel is still using per tunnel output nodes which
will be changed in a separate patch with other GRE enhencements.
Change-Id: I4123c01c0d2ead814417a867adb8c8a407e4df55
Signed-off-by: John Lo <loj@cisco.com>
(cherry picked from commit e5453d0fa29f39a7f78a7e22815566a7f4c9e5ef)
|
|
a crash on debug image (VPP-1151)
In debug image, there is extra code to validate the buffer when it is
freed. It uses the hash table to lookup the buffer index with spinlock
to prevent contention. However, there is one spinlock for each worker
thread. So allocating the buffer on thread-x and freeing the same buffer
on thread-y causes the validation to fail on thread-y. The fix is to
have only one spinlock, stored in vlib_global_main.
Change-Id: Ic383846cefe84a3e262255afcf82276742f0f62e
Signed-off-by: Steven <sluong@cisco.com>
|
|
Change-Id: I5415c002a431d84372f56d4a77dc2aabd6ef55f7
Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
|
|
Change-Id: I6eef2ca258ff5b4aa9b21b98543d814633e295af
Signed-off-by: Radu Nicolau <radu.nicolau@intel.com>
|
|
Change-Id: I3ce014da7b514aa766a90cacddd76cd2247406a8
Signed-off-by: Billy McFall <bmcfall@redhat.com>
|
|
Change-Id: I6ae99c00e76058654f2c5e71377e9fd1bd13b47b
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
|
|
Change-Id: I5e080d69f28661cc0b1846885d5001526b54fbd9
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Move the functions hash_set_key_copy() and hash_unset_key_free()
which are dupilicated in various tunnel support code modules to
hash.h as hash_set_mem_alloc() and hash_unset_mem_free() to be
used by all.
Change-Id: I40723cabe29072ab7feb1804c221f28606d8e4fe
Signed-off-by: John Lo <loj@cisco.com>
(cherry picked from commit e6bfeab1c352ae73a19361c038e2a06a58c035db)
|
|
Change-Id: Id897ed61a26a4069678ed4ddac1ba28bf32809c3
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I518387ab479bee4778d45a33c95f7b0f72aa1b72
Signed-off-by: Swarup Nayak <swarupnpvt@gmail.com>
|
|
IP table mapping is set using 'set int ip table X Y"
Change-Id: I2adec40015f9281c9b00c55506000b322f42d91a
Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
|
|
format from hex representation
Even though the trace now prints the hex as well as human readable format for acl plugin,
it can be handy to have a separate function which allows to decode the hex. So add this debug CLI.
Change-Id: I1db133a043374817ea9e94ae3736b8a98630669d
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
L2 Emulation is a feautre that is applied to L2 ports to 'extract'
IP packets from the L2 path and inject them into the L3 path (i.e.
into the appropriate ip[4|6]_input node).
L3 routes in the table_id for that interface should then be configured
as DVR routes, therefore the forwarded packet has the L2 header
preserved and togehter the L3 routed system behaves like an L2 bridge.
Change-Id: I8effd7e2f4c67ee277b73c7bc79aa3e5a3e34d03
Signed-off-by: Neale Ranns <nranns@cisco.com>
|
|
* NAT46: fix test cleanup, missing del keyword
* NAT66: fix kube-proxy vip, is ipv6
* add some missing kp_put_writer_lock
* wipe flowtable after each unit test
* Add new cli api: "test kube-proxy flowtable flush" to flushes everything
* Call this new cli function after the end of each kube-proxy unit test.
* same as commit b3d1b203579226ca5136b9d6a2744577d07cfcc6 for the lb plugin
Change-Id: I4146f44841328ec96eb66729e3bae3d40f33e4aa
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Add API function which enables forwarding of packets not matching
existing translation or static mapping instead of dropping them.
When forwarding is enabled matching packets will be translated
while non-matching packets will be forwarded without translation.
Change-Id: Ic13040cbad16d3a1ecdc3e02a497171bef6aa413
Signed-off-by: Juraj Sloboda <jsloboda@cisco.com>
|
|
Translation of both source and destination addresses and ports for 1:1 NAT
session initiated from outside network (ExternalIP K8 use case).
Change-Id: Ic0000497cf71619aac996d6d580844f0ea0edc14
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: I149a20f183b836db4c32fb4e4a8438b3a14c1c26
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Set l_addr to the interface address if the interface address is known
when the identity mapping is created.
Change-Id: I61af0f5248c9d86d23a24457b342b2e1fb4ac726
Signed-off-by: Dave Barach <dave@barachs.net>
|
|
This plugin provides kube-proxy data plane on user space,
which is used to replace linux kernal's kube-proxy based on iptables.
The idea is largely inspired from VPP LB plugin.
Currently, kube-proxy plugin supports three service types:
1) Cluster IP plus Port: support any protocols, including TCP, UDP.
2) Node IP plus Node Port: currently only support UDP.
3) External Load Balancer.
Please refer to kp_plugin_doc.md for details.
Change-Id: I36690e417dd26ad5ec1bd77c7ea4b8100416cac6
Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
|
|
This allows arm platforms to also take advantage of crc32 hardware
acceleration.
* add a wrapper for crc32_u64. It's the only one really used. Using it
instead of a call to clib_crc32c() eases building symmetrical hash
functions.
* replace #ifdef on SSE4 by a test on clib_crc32c_uses_intrinsics.
Note: keep the test on i386
* fix typo in lb test log
Change-Id: I03a0897b70f6c1717e6901d93cf0fe024d5facb5
Signed-off-by: Gabriel Ganne <gabriel.ganne@enea.com>
|
|
Change-Id: I1699e440052faa317b06d46692e8656a41d21bfe
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Change-Id: Ib4012ff598698924484525932d041988cc4c63f6
Signed-off-by: Damjan Marion <damarion@cisco.com>
|
|
Elastic Network Adapter PMD for newer AWS instance types
Change-Id: Ic7f6ac4a261ccc7af3ffb2ed8950274532e3feae
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
|
|
CIDs 180713 and 180714
Change-Id: Ia4856d1a62f176e99983f8c82eaa09d5df9d4ca5
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
Change-Id: Iebf859b6d86482e4465423bad598eecf87e53ec4
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
(VPP-1090)
Change-Id: I361c043979274eac1aefcd95abdf1624a3ef2756
Signed-off-by: Matus Fabian <matfabia@cisco.com>
|
|
macip_acl_add_replace on an existing MACIP ACL
The classifier tables layout might (and most always will) change during the MACIP ACL modification.
Furthermore, vnet_set_input_acl_intfc() is quite a picky creature - it quietly does nothing
if there is an existing inacl applied, even if the number is different, so a simple "reapply"
does not work. So, cleanly remove inacl, then reapply when the new tables are ready.
Also, fix the testcase which was supposed to test this exact behavior.
Thanks to Jon Loeliger for spotting this issue.
Change-Id: I7e4bd8023d9de7e914448bb4466c1b0ef6940f58
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
|
|
Change-Id: I565277eafbce3d4f59a7f0d497fca1c4fed3cfc8
Signed-off-by: Swarup Nayak <swarupnpvt@gmail.com>
|
|
Also fixes old ixge driver, so it works with recent physmem changes and
vfio.
Change-Id: Id4be74b34daed47cd281a77eec43d6692340d882
Signed-off-by: Damjan Marion <damarion@cisco.com>
|