Make number of worker handoff frame queue elements configurable as
a set nat frame-queue-nelts command. The default value is 64 which
is the same value that was previously hard-coded. The idea is that
allowing larger values can be useful in some cases, to avoid
congestion drops. Also add nat_set_fq_options API support and a
corresponding test case.
Type: improvement
Change-Id: I5c321eb2d7997f76fac2703d9c4a5b2516375db3
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Making code more simple and storing thread index along with session
index as a preparation step for fixing thread safety patches.
Type: improvement
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ib0c531e9f1f64b1f1ee912d4a83279200638e931
This change introduces flow concept to endpoint-dependent NAT. Instead
of having a session and a plethora of special cases in code for e.g.
hairpinning, twice-nat and others, figure all this out and store it in
flow logic. Every flow has a match and a rewrite part. This unifies all
the NAT packet processing cases into one - match a flow and rewrite the
packet based on that flow. It also provides a cure for hairpinning
dilemma where one part of the flow is on one worker and another on
a different one. These cases are also sped up by not requiring
destination adress lookup every single time to be able to rewrite source
nat as this is now part of flow rewrite logic.
Type: improvement
Change-Id: Ib60c992e16792ea4d4129bc10202ebb99a73b5be
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Patch n. 2 aimed at moving EI features out of
NAT44 plugin & split of EI/ED functions.
Type: refactor
Change-Id: Ida20c1c084449b146344b6c3d8442f49efb6f3fa
Signed-off-by: Filip Varga <fivarga@cisco.com>
This patch is aimed at moving EI features out of NAT44
plugin & split of EI/ED functions.
Type: refactor
Change-Id: I63cf70a264ed2512708fe92665d64f04690783d0
Signed-off-by: Filip Varga <fivarga@cisco.com>
Split ED and EI nat44 test cases. Added multi worker
support for ED test cases.
Type: refactor
Change-Id: Ibcc2f62b94cacff69ed35c5d914b55f9fdbcf882
Signed-off-by: Filip Varga <fivarga@cisco.com>
- reduces number of instructions generated 4 times compared to old code
- adds pool_foreach2 which is more friendly to clang-format
Type: improvement
Change-Id: I51e9c7fb09655c60d883987dadf5b2666c12b3f7
Signed-off-by: Damjan Marion <damarion@cisco.com>
This reverts commit bfba2d5553.
Reason for revert: breaks test test_nat44.TestNAT44.test_ipfix_max_sessions
Change-Id: I6eed4d02835ab792e7e3491fc14240cc88a86710
Type: fix
Signed-off-by: Damjan Marion <damarion@cisco.com>
Type: fix
The code for quota exceeded events is a u32 and was being copied
into ipfix packets in host byte order. Same for the limit field.
Swap the order before copying into packet buffer.
Change-Id: I881766e1c52acc9bebde38d85228fa492214ee21
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Fix in nat44 hairpinning code to check if anything was actually
changed in the snat_hairpinning() routine, and return 0 if nothing
changed. This helps avoid an infinite loop repeating the three
nodes nat44-hairpinning-->ip4-lookup-->ip4-local in case there
was no change. Also add a corresponding test case.
Type: fix
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
Change-Id: I95f48476bd002ac4c6789afe504681f1963e5d38
Signed-off-by: Elias Rudberg <elias.rudberg@bahnhof.net>
A special case when out2in packet needs to
be handoffed to other worker thread. We are
not able to determine which thread they belong
to in the first processing of nat handoff node.
These packets needs to go through out2in slowpath
before we are able to tell where to handoff them.
Type: fix
Ticket: VPP-1941
Change-Id: I7173bda970ce6a91d81f48fc72aa2457586a076f
Signed-off-by: Filip Varga <fivarga@cisco.com>
Add a condition where a TCP session in transitory timeout is kept
instead of being erroneously deleted.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: Ic625c8c88cc8864293ebd57b0321505652af9380
Using vlib_main of another thread is prohibited.
Type: fix
Change-Id: I9a85a5fee5c6665d423b4306faf3b3f2c5e22f99
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Fixed nat_ha and ipfix tests. Removed obsolete tests
and moved extended tests to standard tests.
Type: fix
Change-Id: I2d7f4c4fa4c52a4aa10d70c956e085a0fe00b911
Signed-off-by: Filip Varga <fivarga@cisco.com>
Fixed compatibility issue between
nat ei and nat ed modes. Moved nat
syslogging to nat librarry. Deprecating
apis that will be integrated in upcoming
candidate configuration patch.
Type: refactor
Change-Id: I334b1b05b81b74667c5c76a05f768442e0dcf7e8
Signed-off-by: Filip Varga <fivarga@cisco.com>
Cleanup of print functions in api file,
splitting functionality of cleanup callbacks for ED
and EI NAT. Updating and fixing API & CLI calls.
Type: refactor
Change-Id: I7a9dc4c8b1d2ca29db4754be7dfa4f698942127a
Signed-off-by: Filip Varga <fivarga@cisco.com>
Type: fix
IPfix messages about NAT44 session create/delete were being populated
with the FIB table index instead of the table ID. The table ID is the
correct identifier to report externally (NAT64 IPfix messages for BIB
and session create/delete use table ID, as does NAT syslogging). Convert
the table index to an ID before adding it to the IPfix NAT44 session
create/delete message data.
Change-Id: I0166384752b17ff3a8c55aa19fa2af7a8140791e
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Calculate bihash buckets as n_elts / 2.5 rounded to closest pow2
per Damjan's recommendation. Remove memory configuration parameters
because bihash init ignores them anyway as it resides in main heap now.
Type: improvement
Change-Id: I189f463f3c4640106cce4f12d3c5a62969276a82
Signed-off-by: Klement Sekera <ksekera@cisco.com>
- we should not copy and iterate over the pool underlying vector, as
slots can be freed (ie in the freelist).
- delete interface instead of adding them again
- fix the log message
Type: fix
Change-Id: If0a7a2f475b4f40793eb29ea80a9d29fe5d1bcb9
Signed-off-by: Benoît Ganne <bganne@cisco.com>
This patch changes initialization and configuration of NAT
plugin. Instead of allocating data structures at vpp plugin
initialization phase allocation and configuration happens
after calling enable API or CLI call. This reduces base VPP
memory footprint and also enables dynamic reconfiguration
of the NAT plugin.
Type: improvement
Change-Id: I42c069ee19a0311d043ac1f3f230d87bc8d2680f
Signed-off-by: Filip Varga <fivarga@cisco.com>
After get_icmp_o2i_ed_key() bihash key may include
IP protocol and addresses from inner ICMP packet.
It is OK for session lookup, but we should not create
a session on ICMP error message receiving.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: Ic93272ebe90d2288a975265439f9e079eb28936a
Bihash key already contains rx_fib_index for lookup
but fib value for session itself is set to 0.
In the result bihash is allocated with key with fib index
set, but free function is looking for key with fib index set
to zero. It leads to use-after-free because session itself is
removed from pool but bihash is not because of key mismatch.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I8ac5a41b0a5a32b1baab9e9d757141d5b24b7798
The syntax of the deprecated flag has evolved.
Clean up usage to be "option deprecated;".
Type: fix
Signed-off-by: Ole Troan <ot@cisco.com>
Change-Id: If2b639f275eb8db58b36c457f9245fe35a4d8cb1
The dslite plugin would on plugin load initialize large bihash datastructures.
Postpone until configured.
Type: improvement
Change-Id: Ie790ab8c5fc39fac18153acd54dcd051805e763a
Signed-off-by: Ole Troan <ot@cisco.com>
Multiple (> 1) workers leads to handoff node being enabled.
This node pops next feature index to nat.arc_next to make sure
that packet will be pushed to the next feature in the arc.
But node nat44-ed-in2out-output also pops next feature and changes
arc_next. So actual next feature will be skipped in that case.
It leads to all nat44-ed-in2out packets being dropped if we have
multiple workers (handoff node enabled).
To resolve this a new node was added (nat-pre-in2out-output) to fill
arc_next in single worker case and multiple worker case is already
handled by handoff node.
Type: fix
Signed-off-by: Vladimir Isaev <visaev@netgate.com>
Change-Id: I9dfba68f00164d2d5ab867224871811bef4411ed
Let twice-nat static mapping pick specific
address from the twice-nat pool.
Type: improvement
Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1
Signed-off-by: Filip Varga <fivarga@cisco.com>
In one's complement, there are two representations of zero: the all
zero and the all one bit values, often referred to as +0 and -0. See
RFC 1624 section 3 for more details.
This used to be taken care of in ip4_header_checksum(), but it is no
longer the case. The check ip->checksum == ip4_header_checksum (ip) is
no longer correct in the -0 case.
Always use ip4_header_checksum_is_valid() instead (which behaves
correctly since 9a79a1ab93).
Type: fix
Fixes: e5f0050c7a
Change-Id: Iacc6b60645a834287b085aecb9e3fdb4554cf0cf
Signed-off-by: Benoît Ganne <bganne@cisco.com>
Translation memory size is internally a uword, but in api it was u32,
resulting in the returned value being 0 all the time.
Fix the "incorrect" API reply to return a u32 capped to 0xffffffff if
the u64 is larger than that, introduce the message with
the correct type, deprecate the message with the incorrect type.
Also, while we are updating the message definition,
add the max translations / max users per worker thread
into the new message.
Type: fix
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Change-Id: I92e38a6a2bcb70fc8d1b129bbe416bf7f9e54280
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Ole Troan