From 56c492aa0502751de2dd9d890096a82c5f04776d Mon Sep 17 00:00:00 2001
From: Klement Sekera <ksekera@cisco.com>
Date: Mon, 10 Jan 2022 21:57:27 +0000
Subject: nat: TCP state tracking based on RFC 7857/RFC 6146

Implement proper state machine based on above RFCs. ACKs to SYNs/FINs
are no longer required/tracked. This is more friendly to peers and
accounts for lost packets and retransmits.

This change also means that all traffic is translated and forwarded
while in transitory timeout, which helps delivering e.g. retransmitted
FINs, FINACKs and other messages.

Also support reopening a session in transitory timeout after seeing both
FINs by seeing both SYNs again. This helps quick connection
reestablishment if the peers want to.

Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Signed-off-by: Miklos Tirpak <miklos.tirpak@gmail.com>
Change-Id: Ibf521c79463472db97e593bfa02b32b4a06dfd2a
---
 src/plugins/nat/nat44-ed/nat44_ed.c | 47 +++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

(limited to 'src/plugins/nat/nat44-ed/nat44_ed.c')

diff --git a/src/plugins/nat/nat44-ed/nat44_ed.c b/src/plugins/nat/nat44-ed/nat44_ed.c
index d3ef3d54f89..e389a81aab1 100644
--- a/src/plugins/nat/nat44-ed/nat44_ed.c
+++ b/src/plugins/nat/nat44-ed/nat44_ed.c
@@ -2390,6 +2390,8 @@ nat44_plugin_enable (nat44_config_t c)
 
   nat44_ed_db_init (sm->max_translations_per_thread, sm->translation_buckets);
 
+  nat44_ed_init_tcp_state_stable (sm);
+
   nat_affinity_enable ();
 
   nat_reset_timeouts (&sm->timeouts);
@@ -4066,6 +4068,51 @@ nat_syslog_nat44_sdel (u32 ssubix, u32 sfibix, ip4_address_t *isaddr,
 			 is_twicenat);
 }
 
+u8 *
+format_nat44_ed_tcp_state (u8 *s, va_list *args)
+{
+  nat44_ed_tcp_state_e e = va_arg (*args, nat44_ed_tcp_state_e);
+  switch (e)
+    {
+    case NAT44_ED_TCP_STATE_CLOSED:
+      s = format (s, "closed");
+      break;
+    case NAT44_ED_TCP_STATE_SYN_I2O:
+      s = format (s, "SYN seen in in2out direction");
+      break;
+    case NAT44_ED_TCP_STATE_SYN_O2I:
+      s = format (s, "SYN seen in out2in direction");
+      break;
+    case NAT44_ED_TCP_STATE_ESTABLISHED:
+      s = format (s, "SYN seen in both directions/established");
+      break;
+    case NAT44_ED_TCP_STATE_FIN_I2O:
+      s = format (s, "FIN seen in in2out direction");
+      break;
+    case NAT44_ED_TCP_STATE_FIN_O2I:
+      s = format (s, "FIN seen in out2in direction");
+      break;
+    case NAT44_ED_TCP_STATE_RST_TRANS:
+      s = format (s, "RST seen/transitory timeout");
+      break;
+    case NAT44_ED_TCP_STATE_FIN_TRANS:
+      s = format (s, "FIN seen in both directions/transitory timeout");
+      break;
+    case NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_O2I:
+      s = format (s, "FIN seen in both directions/transitory timeout/session "
+		     "reopening in out2in direction");
+      break;
+    case NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_I2O:
+      s = format (s, "FIN seen in both directions/transitory timeout/session "
+		     "reopening in in2out direction");
+      break;
+    case NAT44_ED_TCP_N_STATE:
+      s = format (s, "BUG! unexpected N_STATE! BUG!");
+      break;
+    }
+  return s;
+}
+
 /*
  * fd.io coding-style-patch-verification: ON
  *
-- 
cgit 1.2.3-korg