path: root/src/plugins/nat/nat44-ed/tcp_conn_track.rst
blob: faf0dec8b06a94676dab7d2460f3e01fa41cd505 (plain)
NAT44ED TCP connection tracking
===============================

TCP connection tracking in endpoint-dependent NAT is based on RFC 7857
and RFC 6146, which RFC 7857 references.

See RFC 7857 for the original graph. Our graph is slightly different: it
allows creation of a new session while an old session is in transitory
timeout after FIN packets have been seen from both sides.

After discussion on vpp-dev and with Andrew Yourtschenko we agreed that
it is friendly behaviour to allow creating a new session while the old
one is closed and in transitory timeout. The alternative would mean VPP
insisting that a connection with a given 5-tuple cannot be created while
an old one with that 5-tuple has finished and is timing out. There is no
apparent reason why our change would break anything, and we agreed that
it could only help users.

::

                      +------------transitory timeout----------------+
                      |                                              |
                      |                           +-------------+    |
                      |       session created---->+    CLOSED   |    |
                      |                           +-------------+    |
                      |                             |         |      |
    +-----+           |                            SYN       SYN     |
    |     v           v                           IN2OUT   OUT2IN    |
    | +->session removed                            |         |      |
    | |  ^ ^    ^  ^  ^                             v         v      |
    | |  | |    |  |  |                         +-------+ +-------+  |
    | |  | |    |  |  +----transitory timeout---+SYN_I2O| |SYN_O2I+--+
    | |  | |    |  |              +---------+   |-------| |-------|
    | |  | |    |  +-transitory---+RST_TRANS|       |         |
    | |  | |    |      timeout    +---------+      SYN       SYN
    | |  | |    |                   |    ^       OUT2IN     IN2OUT
    | |  | |    |                   |    |          |         |
    | |  | |    |                   |    |          v         v
    | |  | |    |                   |    |         +-----------+
    | |  | |    |                   |    +--RST----+ESTABLISHED+<-SYN IN2OUT-+
    | |  | |    |                   |              +-----------+             |
    | |  | |    |                   +---data pkt-----^ | | |   ^             |
    | |  | |    |                                      | | |   |             |
    | |  | |    +----established timeout---------------+ | |   |             |
    | |  | |                                             | |   |             |
    | |  | |                    +-----FIN IN2OUT---------+ |   |             |
    | |  | |                    v                          |   |             |
    | |  | |                +-------+     +--FIN OUT2IN----+   |             |
    | |  | +--established---+FIN_I2O|     |                    |             |
    | |  |      timeout     +-------+     v       +-SYN OUT2IN-+             |
    | |  |                      |     +-------+   |                          |
    | |  +----established-------------+FIN_O2I| +--------------+             |
    | |         timeout         |     +-------+ |REOPEN_SYN_I2O| +--------------+
    | |                         |         |     +--------------+ |REOPEN_SYN_O2I|
    | |                        FIN       FIN             ^  |    +--------------+
    | |                      OUT2IN     IN2OUT           |  |           ^  |
    | |                         |         |              |  |           |  |
    | |                         v         v              |  |           |  |
    | |                       +-------------+            |  |           |  |
    | +--transitory timeout---+  FIN_TRANS  +-SYN IN2OUT-+  |           |  |
    |                         +-------------+               |           |  |
    |                                |                      |           |  |
    |                                +--------SYN OUT2IN----|-----------+  |
    |                                                       v              |
    +------------------transitory timeout-------------------+<-------------+
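The graph above, encoded as a transition table in C so the reopen path can
be exercised. This is an added example written for this page and is not
the nat44-ed plugin's own code: the state and event names are taken from
the diagram, while the type and function names (``tcp_state_t``,
``tcp_event_t``, ``tcp_next_state``, ``tcp_run``) and the event traces are
constructed here. One assumption is made that the diagram does not state:
an event with no arrow out of the current state leaves the state unchanged.

```c
/* Added example: table-driven encoding of the NAT44-ED TCP state graph.
 * Not the plugin's code; everything except the diagram's state and event
 * names is invented for this illustration. */
#include <stdio.h>

typedef enum {
  ST_NONE = 0, /* table filler: no arrow for this event, keep current state */
  ST_CLOSED, ST_SYN_I2O, ST_SYN_O2I, ST_ESTABLISHED, ST_RST_TRANS,
  ST_FIN_I2O, ST_FIN_O2I, ST_FIN_TRANS, ST_REOPEN_SYN_I2O, ST_REOPEN_SYN_O2I,
  ST_REMOVED, /* terminal: "session removed" in the diagram */
  ST_N_STATES
} tcp_state_t;

typedef enum {
  EV_SYN_I2O,        /* SYN IN2OUT */
  EV_SYN_O2I,        /* SYN OUT2IN */
  EV_FIN_I2O,        /* FIN IN2OUT */
  EV_FIN_O2I,        /* FIN OUT2IN */
  EV_RST,            /* RST seen in ESTABLISHED */
  EV_DATA,           /* "data pkt" after an RST */
  EV_TRANSITORY_TO,  /* transitory timeout fired */
  EV_ESTABLISHED_TO, /* established timeout fired */
  EV_N_EVENTS
} tcp_event_t;

/* One row per state; entries left at ST_NONE mean "no arrow, stay put".
 * The ST_REMOVED row is all ST_NONE: once removed, nothing moves the session. */
static const tcp_state_t next_state[ST_N_STATES][EV_N_EVENTS] = {
  [ST_CLOSED]      = { [EV_SYN_I2O] = ST_SYN_I2O, [EV_SYN_O2I] = ST_SYN_O2I },
  [ST_SYN_I2O]     = { [EV_SYN_O2I] = ST_ESTABLISHED, [EV_TRANSITORY_TO] = ST_REMOVED },
  [ST_SYN_O2I]     = { [EV_SYN_I2O] = ST_ESTABLISHED, [EV_TRANSITORY_TO] = ST_REMOVED },
  [ST_ESTABLISHED] = { [EV_RST] = ST_RST_TRANS, [EV_FIN_I2O] = ST_FIN_I2O,
                       [EV_FIN_O2I] = ST_FIN_O2I, [EV_ESTABLISHED_TO] = ST_REMOVED },
  [ST_RST_TRANS]   = { [EV_DATA] = ST_ESTABLISHED, [EV_TRANSITORY_TO] = ST_REMOVED },
  [ST_FIN_I2O]     = { [EV_FIN_O2I] = ST_FIN_TRANS, [EV_ESTABLISHED_TO] = ST_REMOVED },
  [ST_FIN_O2I]     = { [EV_FIN_I2O] = ST_FIN_TRANS, [EV_ESTABLISHED_TO] = ST_REMOVED },
  /* The difference from RFC 7857 discussed above: a SYN seen while the
   * closed session is still in transitory timeout starts a reopen. */
  [ST_FIN_TRANS]   = { [EV_SYN_I2O] = ST_REOPEN_SYN_I2O, [EV_SYN_O2I] = ST_REOPEN_SYN_O2I,
                       [EV_TRANSITORY_TO] = ST_REMOVED },
  [ST_REOPEN_SYN_I2O] = { [EV_SYN_O2I] = ST_ESTABLISHED, [EV_TRANSITORY_TO] = ST_REMOVED },
  [ST_REOPEN_SYN_O2I] = { [EV_SYN_I2O] = ST_ESTABLISHED, [EV_TRANSITORY_TO] = ST_REMOVED },
};

/* Apply one event to a session state and return the new state. */
tcp_state_t
tcp_next_state (tcp_state_t s, tcp_event_t ev)
{
  if (s == ST_NONE || (unsigned) s >= ST_N_STATES || (unsigned) ev >= EV_N_EVENTS)
    return s; /* out-of-range input: refuse to transition */
  tcp_state_t n = next_state[s][ev];
  return n == ST_NONE ? s : n; /* assumption: no arrow means stay */
}

/* Walk a trace of events starting from a freshly created session (CLOSED). */
tcp_state_t
tcp_run (const tcp_event_t *evs, int n)
{
  tcp_state_t s = ST_CLOSED;
  for (int i = 0; i < n; i++)
    s = tcp_next_state (s, evs[i]);
  return s;
}

/* Constructed event traces for the demonstration (not captured traffic). */
static const tcp_event_t trace_open[] = { EV_SYN_I2O, EV_SYN_O2I };
static const tcp_event_t trace_close[] = { EV_SYN_I2O, EV_SYN_O2I, EV_FIN_I2O, EV_FIN_O2I };
static const tcp_event_t trace_reopen[] = { EV_SYN_I2O, EV_SYN_O2I, EV_FIN_I2O, EV_FIN_O2I,
                                            EV_SYN_O2I, EV_SYN_I2O };
static const tcp_event_t trace_expire[] = { EV_SYN_I2O, EV_SYN_O2I, EV_FIN_I2O, EV_FIN_O2I,
                                            EV_TRANSITORY_TO };
static const tcp_event_t trace_rst[] = { EV_SYN_I2O, EV_SYN_O2I, EV_RST, EV_DATA };
#define N_EVS(a) ((int) (sizeof (a) / sizeof (a)[0]))

static const char *state_names[ST_N_STATES] = {
  "NONE", "CLOSED", "SYN_I2O", "SYN_O2I", "ESTABLISHED", "RST_TRANS", "FIN_I2O",
  "FIN_O2I", "FIN_TRANS", "REOPEN_SYN_I2O", "REOPEN_SYN_O2I", "session removed",
};

int
main (void)
{
  printf ("open   -> %s\n", state_names[tcp_run (trace_open, N_EVS (trace_open))]);
  printf ("close  -> %s\n", state_names[tcp_run (trace_close, N_EVS (trace_close))]);
  printf ("reopen -> %s\n", state_names[tcp_run (trace_reopen, N_EVS (trace_reopen))]);
  printf ("expire -> %s\n", state_names[tcp_run (trace_expire, N_EVS (trace_expire))]);
  printf ("rst    -> %s\n", state_names[tcp_run (trace_rst, N_EVS (trace_rst))]);
  return 0;
}
```

The ``trace_reopen`` walk is the behaviour discussed above: after FINs in
both directions the session sits in FIN_TRANS, and a new SYN moves it into
a REOPEN state rather than being ignored, so the same 5-tuple reaches
ESTABLISHED again before the transitory timeout would have removed the old
session. ``trace_expire`` shows the other outcome, where the timeout fires
first and the session is removed.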