Re: [vpp-dev] do not SNAT if forwarding enabled

2019-11-14 Thread carlito nueno
Hi all,

Anyone get this working? When I enable nat44 forwarding, all NAT
translations stop working.

example - 110.21.22.12 is the IP address of my wan0.

I have:
set interface nat44 in loop0 out wan0

Without forwarding:
vpp# sh nat44 sessions
NAT44 sessions:
 thread 0 vpp_main: 2240 sessions 
  10.1.3.138: 1540 dynamic translations, 0 static translations
  10.1.3.135: 36 dynamic translations, 0 static translations
  10.1.3.125: 524 dynamic translations, 0 static translations
  10.1.1.2: 108 dynamic translations, 0 static translations
  10.1.3.174: 5 dynamic translations, 0 static translations
  10.1.3.169: 15 dynamic translations, 0 static translations
  10.1.3.62: 10 dynamic translations, 0 static translations
  10.1.2.203: 2 dynamic translations, 0 static translations

With forwarding:
vpp# sh nat44 sessions
NAT44 sessions:
 thread 0 vpp_main: 19 sessions 
  110.21.22.12: 19 dynamic translations, 0 static translations

Thanks

On Mon, Apr 15, 2019 at 1:29 AM Shahid Khan 
wrote:

> Hi Ole,
>
> any finding on it ? are u able to reproduce it ?
>
> -Shahid.
>
>
>
> On Thu, Apr 11, 2019 at 1:32 PM Shahid Khan via Lists.Fd.Io
>  wrote:
>
>> There is another physical port bridged to loop1 which is on
>> 192.168.15.0/24 network.
>> the packets coming inside GRE tunnel are for 192.168.15.0/24
>> network.
>>
>> also just want to understand  why SNAT is blocked when forwarding is
>> enabled ?
>> someone might have a requirement to SNAT first and then do forward.
>>
>> when i comment the code as below, SNAT and GRE both works. but i don't
>> know how it will impact rest of code/functionality.
>>
>> static inline int
>> snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>>                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>>                     u32 rx_fib_index0, u32 thread_index)
>> {
>>   udp_header_t *udp0 = ip4_next_header (ip0);
>>   snat_session_key_t key0, sm0;
>>   clib_bihash_kv_8_8_t kv0, value0;
>>
>>   key0.addr = ip0->dst_address;
>>   key0.port = udp0->dst_port;
>>   key0.protocol = proto0;
>>   key0.fib_index = sm->outside_fib_index;
>>   kv0.key = key0.as_u64;
>>
>>   /* NAT packet aimed at external address if */
>>   /* has active sessions */
>>   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>>                               &kv0, &value0))
>>     {
>>       /* or is static mappings */
>>       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>>         return 0;
>>     }
>>   else
>>     return 0;
>>
>>   /*
>>   if (sm->forwarding_enabled)
>>     return 1;
>>   */
>>
>>   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
>>                                   rx_fib_index0);
>> }
>>
>>
>>
>> -Shahid.
>>
>>
>>
>>
>> On Thu, Apr 11, 2019 at 12:44 PM Ole Troan  wrote:
>>
>>> Shahid,
>>>
>>> Right, so the GRE packets shouldn’t go through the NAT at all.
>>> Is the GRE tunnel itself marked as inside?
>>>
>>> I should have thought this was supported with
>>> https://jira.fd.io/browse/VPP-447
>>> Let me see if I can reproduce.
>>>
>>> Best regards,
>>> Ole
>>>
>>> > On 10 Apr 2019, at 12:55, Shahid Khan 
>>> wrote:
>>> >
>>> > Hi Ole,
>>> >
>>> > we have a bridge(loop0) with a private ip say 192.168.100.2/24.
>>> > a TAP is also connected to this bridge and other end of TAP is on host
>>> side.
>>> >
>>> > we have one physical interface connected to another bridge (loop1)
>>> with outside network ip of say 192.168.10.1/24
>>> > and a GRE tunnel is created having source as 192.168.10.1.
>>> >
>>> > Host has requirement to initiate sessions(tcp/udp) to outside network.
>>> so we have applied NAT as below.
>>> >
>>> > nat44 add interface address loop1
>>> > set interface nat44 in loop0 out loop1
>>> >
>>> > with this host can initiate session with outside network and SNAT
>>> works fine.
>>> >
>>> > But GRE does not work. we looked into traces and found that packet
>>> > coming to GRE tunnels are getting dropped with trace showing "unknown
>>> > protocol".
>>> >
>>> > if we enable forwarding then GRE packets are getting forwarded to
>>> destination but now host is not able to initiate session to outside network
>>> because SNAT stops
>>> >
>>> > -Shahid.
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > On Wed, Apr 10, 2019 at 2:33 PM Ole Troan 
>>> wrote:
>>> > Hi Shahid,
>>> >
>>> > What are you trying to achieve?
>>> > https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
>>> >
>>> > You do not typically enable the “forwarding” feature.
>>> >
>>> > Cheers,
>>> > Ole
>>> >
>>> > > On 8 Apr 2019, at 07:52, Shahid Khan 
>>> wrote:
>>> > >
>>> > > can someone look into below query ?
>>> > >
>>> > > -Shahid.
>>> > >
>>> > > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io
>>>  wrote:
>>> > > Hi,
>>> > >
>>> > > can someone help us on below query ?
>>> > >
>>> > > -Shahid.
>>> > >
>>> > > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io
>>>  wrote:
>>> > >
>>> > > I have 
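
Added example (not part of the original thread and not VPP project code): a small parser for the two `sh nat44 sessions` summaries in the 2019-11-14 message above, flagging the reported symptom where no inside host holds a translation any more. The inside prefix 10.1.0.0/16 and all function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Line formats as they appear in the `sh nat44 sessions` output quoted in the
# message above; other VPP releases may print this differently (assumption).
THREAD_RE = re.compile(r"^\s*thread\s+(\d+)\s+\S+:\s+(\d+)\s+sessions")
USER_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):\s+(\d+)\s+dynamic translations,"
    r"\s+(\d+)\s+static translations"
)

# Outputs copied from the message above.
WITHOUT_FORWARDING = """\
NAT44 sessions:
 thread 0 vpp_main: 2240 sessions
  10.1.3.138: 1540 dynamic translations, 0 static translations
  10.1.3.135: 36 dynamic translations, 0 static translations
  10.1.3.125: 524 dynamic translations, 0 static translations
  10.1.1.2: 108 dynamic translations, 0 static translations
  10.1.3.174: 5 dynamic translations, 0 static translations
  10.1.3.169: 15 dynamic translations, 0 static translations
  10.1.3.62: 10 dynamic translations, 0 static translations
  10.1.2.203: 2 dynamic translations, 0 static translations
"""

WITH_FORWARDING = """\
NAT44 sessions:
 thread 0 vpp_main: 19 sessions
  110.21.22.12: 19 dynamic translations, 0 static translations
"""


def parse_nat44_sessions(text):
    """Parse the summary into per-thread session counts and per-user counters."""
    threads, users = {}, {}
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if m:
            threads[int(m.group(1))] = int(m.group(2))
            continue
        m = USER_RE.match(line)
        if m:
            ip = ipaddress.ip_address(m.group(1))
            dyn, sta = int(m.group(2)), int(m.group(3))
            # The same user can appear under several worker threads: add up.
            prev_dyn, prev_sta = users.get(ip, (0, 0))
            users[ip] = (prev_dyn + dyn, prev_sta + sta)
    return {"threads": threads, "users": users}


def inside_translation_summary(text, inside_net, outside_addr):
    """Summarise who owns the translations.

    inside_net   -- prefix of the hosts behind the NAT (assumed by the caller)
    outside_addr -- address of the outside (WAN) interface
    """
    parsed = parse_nat44_sessions(text)
    net = ipaddress.ip_network(inside_net)
    wan = ipaddress.ip_address(outside_addr)

    inside_dyn = {ip: dyn for ip, (dyn, _sta) in parsed["users"].items()
                  if ip in net}
    total_sessions = sum(parsed["threads"].values())
    inside_dynamic = sum(inside_dyn.values())
    return {
        "total_sessions": total_sessions,
        "inside_users": len(inside_dyn),
        "inside_dynamic": inside_dynamic,
        "wan_dynamic": parsed["users"].get(wan, (0, 0))[0],
        # Symptom from the thread: sessions exist, but none belongs to an
        # inside host, so inside traffic is no longer being source-NATed.
        "no_inside_translations": total_sessions > 0 and inside_dynamic == 0,
    }


if __name__ == "__main__":
    for label, text in (("without forwarding", WITHOUT_FORWARDING),
                        ("with forwarding", WITH_FORWARDING)):
        print(label, inside_translation_summary(text, "10.1.0.0/16",
                                                "110.21.22.12"))
```
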

Re: [vpp-dev] do not SNAT if forwarding enabled

2019-04-15 Thread Shahid Khan
Hi Ole,

any finding on it ? are u able to reproduce it ?

-Shahid.



On Thu, Apr 11, 2019 at 1:32 PM Shahid Khan via Lists.Fd.Io
 wrote:

> There is another physical port bridged to loop1 which is on
> 192.168.15.0/24 network.
> the packets coming inside GRE tunnel are for 192.168.15.0/24
> network.
>
> also just want to understand  why SNAT is blocked when forwarding is
> enabled ?
> someone might have a requirement to SNAT first and then do forward.
>
> when i comment the code as below, SNAT and GRE both works. but i don't
> know how it will impact rest of code/functionality.
>
> static inline int
> snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>                     u32 rx_fib_index0, u32 thread_index)
> {
>   udp_header_t *udp0 = ip4_next_header (ip0);
>   snat_session_key_t key0, sm0;
>   clib_bihash_kv_8_8_t kv0, value0;
>
>   key0.addr = ip0->dst_address;
>   key0.port = udp0->dst_port;
>   key0.protocol = proto0;
>   key0.fib_index = sm->outside_fib_index;
>   kv0.key = key0.as_u64;
>
>   /* NAT packet aimed at external address if */
>   /* has active sessions */
>   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>                               &kv0, &value0))
>     {
>       /* or is static mappings */
>       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>         return 0;
>     }
>   else
>     return 0;
>
>   /*
>   if (sm->forwarding_enabled)
>     return 1;
>   */
>
>   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
>                                   rx_fib_index0);
> }
>
>
>
> -Shahid.
>
>
>
>
> On Thu, Apr 11, 2019 at 12:44 PM Ole Troan  wrote:
>
>> Shahid,
>>
>> Right, so the GRE packets shouldn’t go through the NAT at all.
>> Is the GRE tunnel itself marked as inside?
>>
>> I should have thought this was supported with
>> https://jira.fd.io/browse/VPP-447
>> Let me see if I can reproduce.
>>
>> Best regards,
>> Ole
>>
>> > On 10 Apr 2019, at 12:55, Shahid Khan 
>> wrote:
>> >
>> > Hi Ole,
>> >
>> > we have a bridge(loop0) with a private ip say 192.168.100.2/24.
>> > a TAP is also connected to this bridge and other end of TAP is on host
>> side.
>> >
>> > we have one physical interface connected to another bridge (loop1) with
>> outside network ip of say 192.168.10.1/24
>> > and a GRE tunnel is created having source as 192.168.10.1.
>> >
>> > Host has requirement to initiate sessions(tcp/udp) to outside network.
>> so we have applied NAT as below.
>> >
>> > nat44 add interface address loop1
>> > set interface nat44 in loop0 out loop1
>> >
>> > with this host can initiate session with outside network and SNAT works
>> fine.
>> >
>> > But GRE does not work. we looked into traces and found that packet
>> > coming to GRE tunnels are getting dropped with trace showing "unknown
>> > protocol".
>> >
>> > if we enable forwarding then GRE packets are getting forwarded to
>> destination but now host is not able to initiate session to outside network
>> because SNAT stops
>> >
>> > -Shahid.
>> >
>> >
>> >
>> >
>> >
>> >
>> > On Wed, Apr 10, 2019 at 2:33 PM Ole Troan  wrote:
>> > Hi Shahid,
>> >
>> > What are you trying to achieve?
>> > https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
>> >
>> > You do not typically enable the “forwarding” feature.
>> >
>> > Cheers,
>> > Ole
>> >
>> > > On 8 Apr 2019, at 07:52, Shahid Khan 
>> wrote:
>> > >
>> > > can someone look into below query ?
>> > >
>> > > -Shahid.
>> > >
>> > > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io
>>  wrote:
>> > > Hi,
>> > >
>> > > can someone help us on below query ?
>> > >
>> > > -Shahid.
>> > >
>> > > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io
>>  wrote:
>> > >
>> > > I have following query related to SNAT on VPP Release 19.0.1.02
>> > >
>> > > following is the code from vpp/src/plugins/nat/in2out.c
>> > >
>> > > static inline int
>> > > snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>> > >                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>> > >                     u32 rx_fib_index0, u32 thread_index)
>> > > {
>> > >   udp_header_t *udp0 = ip4_next_header (ip0);
>> > >   snat_session_key_t key0, sm0;
>> > >   clib_bihash_kv_8_8_t kv0, value0;
>> > >
>> > >   key0.addr = ip0->dst_address;
>> > >   key0.port = udp0->dst_port;
>> > >   key0.protocol = proto0;
>> > >   key0.fib_index = sm->outside_fib_index;
>> > >   kv0.key = key0.as_u64;
>> > >
>> > >   /* NAT packet aimed at external address if */
>> > >   /* has active sessions */
>> > >   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>> > >                               &kv0, &value0))
>> > >     {
>> > >       /* or is static mappings */
>> > >       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>> > >         return 0;
>> > >     }
>> > >   else
>> > >     return 0;
>> > >
>> > >   if (sm->forwarding_enabled)
>> > > 

Re: [vpp-dev] do not SNAT if forwarding enabled

2019-04-11 Thread Shahid Khan
There is another physical port bridged to loop1 which is on 192.168.15.0/24
network.
the packets coming inside GRE tunnel are for 192.168.15.0/24 network.

also just want to understand  why SNAT is blocked when forwarding is
enabled ?
someone might have a requirement to SNAT first and then do forward.

when i comment the code as below, SNAT and GRE both works. but i don't know
how it will impact rest of code/functionality.

static inline int
snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
                    u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
                    u32 rx_fib_index0, u32 thread_index)
{
  udp_header_t *udp0 = ip4_next_header (ip0);
  snat_session_key_t key0, sm0;
  clib_bihash_kv_8_8_t kv0, value0;

  key0.addr = ip0->dst_address;
  key0.port = udp0->dst_port;
  key0.protocol = proto0;
  key0.fib_index = sm->outside_fib_index;
  kv0.key = key0.as_u64;

  /* NAT packet aimed at external address if */
  /* has active sessions */
  if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
                              &kv0, &value0))
    {
      /* or is static mappings */
      if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
        return 0;
    }
  else
    return 0;

  /*
  if (sm->forwarding_enabled)
    return 1;
  */

  return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
                                  rx_fib_index0);
}



-Shahid.




On Thu, Apr 11, 2019 at 12:44 PM Ole Troan  wrote:

> Shahid,
>
> Right, so the GRE packets shouldn’t go through the NAT at all.
> Is the GRE tunnel itself marked as inside?
>
> I should have thought this was supported with
> https://jira.fd.io/browse/VPP-447
> Let me see if I can reproduce.
>
> Best regards,
> Ole
>
> > On 10 Apr 2019, at 12:55, Shahid Khan  wrote:
> >
> > Hi Ole,
> >
> > we have a bridge(loop0) with a private ip say 192.168.100.2/24.
> > a TAP is also connected to this bridge and other end of TAP is on host
> side.
> >
> > we have one physical interface connected to another bridge (loop1) with
> outside network ip of say 192.168.10.1/24
> > and a GRE tunnel is created having source as 192.168.10.1.
> >
> > Host has requirement to initiate sessions(tcp/udp) to outside network.
> so we have applied NAT as below.
> >
> > nat44 add interface address loop1
> > set interface nat44 in loop0 out loop1
> >
> > with this host can initiate session with outside network and SNAT works
> fine.
> >
> > But GRE does not work. we looked into traces and found that packet
> > coming to GRE tunnels are getting dropped with trace showing "unknown
> > protocol".
> >
> > if we enable forwarding then GRE packets are getting forwarded to
> destination but now host is not able to initiate session to outside network
> because SNAT stops
> >
> > -Shahid.
> >
> >
> >
> >
> >
> >
> > On Wed, Apr 10, 2019 at 2:33 PM Ole Troan  wrote:
> > Hi Shahid,
> >
> > What are you trying to achieve?
> > https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
> >
> > You do not typically enable the “forwarding” feature.
> >
> > Cheers,
> > Ole
> >
> > > On 8 Apr 2019, at 07:52, Shahid Khan 
> wrote:
> > >
> > > can someone look into below query ?
> > >
> > > -Shahid.
> > >
> > > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io
>  wrote:
> > > Hi,
> > >
> > > can someone help us on below query ?
> > >
> > > -Shahid.
> > >
> > > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io
>  wrote:
> > >
> > > I have following query related to SNAT on VPP Release 19.0.1.02
> > >
> > > following is the code from vpp/src/plugins/nat/in2out.c
> > >
> > > > static inline int
> > > > snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
> > > >                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
> > > >                     u32 rx_fib_index0, u32 thread_index)
> > > > {
> > > >   udp_header_t *udp0 = ip4_next_header (ip0);
> > > >   snat_session_key_t key0, sm0;
> > > >   clib_bihash_kv_8_8_t kv0, value0;
> > > >
> > > >   key0.addr = ip0->dst_address;
> > > >   key0.port = udp0->dst_port;
> > > >   key0.protocol = proto0;
> > > >   key0.fib_index = sm->outside_fib_index;
> > > >   kv0.key = key0.as_u64;
> > > >
> > > >   /* NAT packet aimed at external address if */
> > > >   /* has active sessions */
> > > >   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
> > > >                               &kv0, &value0))
> > > >     {
> > > >       /* or is static mappings */
> > > >       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
> > > >         return 0;
> > > >     }
> > > >   else
> > > >     return 0;
> > > >
> > > >   if (sm->forwarding_enabled)
> > > >     return 1;
> > > >
> > > >   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
> > > >                                   rx_fib_index0);
> > > > }
> > >
> > > want to understand why above highlighted condition is there in code ?
> > >
> > > this  is causing SNAT to stop working the moment we enable forwarding.
> > > what will be impact 

Re: [vpp-dev] do not SNAT if forwarding enabled

2019-04-11 Thread Ole Troan
Shahid,

Right, so the GRE packets shouldn’t go through the NAT at all.
Is the GRE tunnel itself marked as inside?

I should have thought this was supported with https://jira.fd.io/browse/VPP-447
Let me see if I can reproduce.

Best regards,
Ole

> On 10 Apr 2019, at 12:55, Shahid Khan  wrote:
> 
> Hi Ole,
> 
> we have a bridge(loop0) with a private ip say 192.168.100.2/24. 
> a TAP is also connected to this bridge and other end of TAP is on host side.
> 
> we have one physical interface connected to another bridge (loop1) with 
> outside network ip of say 192.168.10.1/24
> and a GRE tunnel is created having source as 192.168.10.1.
> 
> Host has requirement to initiate sessions(tcp/udp) to outside network. so we 
> have applied NAT as below.
> 
> nat44 add interface address loop1
> set interface nat44 in loop0 out loop1
> 
> with this host can initiate session with outside network and SNAT works fine.
> 
> But GRE does not work. we looked into traces and found that packet coming to
> GRE tunnels are getting dropped with trace showing "unknown protocol".
> 
> if we enable forwarding then GRE packets are getting forwarded to destination 
> but now host is not able to initiate session to outside network because SNAT 
> stops
> 
> -Shahid.
> 
> 
> 
> 
> 
> 
> On Wed, Apr 10, 2019 at 2:33 PM Ole Troan  wrote:
> Hi Shahid,
> 
> What are you trying to achieve?
> https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
> 
> You do not typically enable the “forwarding” feature.
> 
> Cheers,
> Ole
> 
> > On 8 Apr 2019, at 07:52, Shahid Khan  wrote:
> > 
> > can someone look into below query ?
> > 
> > -Shahid.
> > 
> > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io 
> >  wrote:
> > Hi,
> > 
> > can someone help us on below query ?
> > 
> > -Shahid.
> > 
> > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io 
> >  wrote:
> > 
> > I have following query related to SNAT on VPP Release 19.0.1.02
> > 
> > following is the code from vpp/src/plugins/nat/in2out.c
> > 
> > static inline int
> > snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
> >                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
> >                     u32 rx_fib_index0, u32 thread_index)
> > {
> >   udp_header_t *udp0 = ip4_next_header (ip0);
> >   snat_session_key_t key0, sm0;
> >   clib_bihash_kv_8_8_t kv0, value0;
> >
> >   key0.addr = ip0->dst_address;
> >   key0.port = udp0->dst_port;
> >   key0.protocol = proto0;
> >   key0.fib_index = sm->outside_fib_index;
> >   kv0.key = key0.as_u64;
> >
> >   /* NAT packet aimed at external address if */
> >   /* has active sessions */
> >   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
> >                               &kv0, &value0))
> >     {
> >       /* or is static mappings */
> >       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
> >         return 0;
> >     }
> >   else
> >     return 0;
> >
> >   if (sm->forwarding_enabled)
> >     return 1;
> >
> >   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
> >                                   rx_fib_index0);
> > }
> > 
> > want to understand why above highlighted condition is there in code ?
> > 
> > this  is causing SNAT to stop working the moment we enable forwarding.
> > what will be impact we comment this condition ?
> > 
> > -Shahid.
> > 
> > 
> > 
> > 
> > 
> > 
> > 

Re: [vpp-dev] do not SNAT if forwarding enabled

2019-04-10 Thread Shahid Khan
Hi Ole,

we have a bridge(loop0) with a private ip say 192.168.100.2/24.
a TAP is also connected to this bridge and other end of TAP is on host side.

we have one physical interface connected to another bridge (loop1) with
outside network ip of say 192.168.10.1/24
and a GRE tunnel is created having source as 192.168.10.1.

Host has requirement to initiate sessions(tcp/udp) to outside network. so
we have applied NAT as below.

nat44 add interface address loop1

set interface nat44 in loop0 out loop1

with this host can initiate session with outside network and SNAT works
fine.

But GRE does not work. we looked into traces and found that packet coming
to GRE tunnels are getting dropped with trace showing "unknown protocol".

if we enable forwarding then GRE packets are getting forwarded to
destination but now host is not able to initiate session to outside network
because SNAT stops

-Shahid.






On Wed, Apr 10, 2019 at 2:33 PM Ole Troan  wrote:

> Hi Shahid,
>
> What are you trying to achieve?
> https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
>
> You do not typically enable the “forwarding” feature.
>
> Cheers,
> Ole
>
> > On 8 Apr 2019, at 07:52, Shahid Khan  wrote:
> >
> > can someone look into below query ?
> >
> > -Shahid.
> >
> > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io
>  wrote:
> > Hi,
> >
> > can someone help us on below query ?
> >
> > -Shahid.
> >
> > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io
>  wrote:
> >
> > I have following query related to SNAT on VPP Release 19.0.1.02
> >
> > following is the code from vpp/src/plugins/nat/in2out.c
> >
> > static inline int
> > snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
> >                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
> >                     u32 rx_fib_index0, u32 thread_index)
> > {
> >   udp_header_t *udp0 = ip4_next_header (ip0);
> >   snat_session_key_t key0, sm0;
> >   clib_bihash_kv_8_8_t kv0, value0;
> >
> >   key0.addr = ip0->dst_address;
> >   key0.port = udp0->dst_port;
> >   key0.protocol = proto0;
> >   key0.fib_index = sm->outside_fib_index;
> >   kv0.key = key0.as_u64;
> >
> >   /* NAT packet aimed at external address if */
> >   /* has active sessions */
> >   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
> >                               &kv0, &value0))
> >     {
> >       /* or is static mappings */
> >       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
> >         return 0;
> >     }
> >   else
> >     return 0;
> >
> >   if (sm->forwarding_enabled)
> >     return 1;
> >
> >   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
> >                                   rx_fib_index0);
> > }
> >
> > want to understand why above highlighted condition is there in code ?
> >
> > this  is causing SNAT to stop working the moment we enable forwarding.
> > what will be impact we comment this condition ?
> >
> > -Shahid.
> >
> >
> >
> >
> >
> >
> >

View/Reply Online (#12743): https://lists.fd.io/g/vpp-dev/message/12743


Re: [vpp-dev] do not SNAT if forwarding enabled

2019-04-10 Thread Ole Troan
Hi Shahid,

What are you trying to achieve?
https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding

You do not typically enable the “forwarding” feature.

Cheers,
Ole

> On 8 Apr 2019, at 07:52, Shahid Khan  wrote:
> 
> can someone look into below query ?
> 
> -Shahid.
> 
> On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io 
>  wrote:
> Hi,
> 
> can someone help us on below query ?
> 
> -Shahid.
> 
> On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io 
>  wrote:
> 
> I have following query related to SNAT on VPP Release 19.0.1.02
> 
> following is the code from vpp/src/plugins/nat/in2out.c
> 
> static inline int
> snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>                     u32 rx_fib_index0, u32 thread_index)
> {
>   udp_header_t *udp0 = ip4_next_header (ip0);
>   snat_session_key_t key0, sm0;
>   clib_bihash_kv_8_8_t kv0, value0;
>
>   key0.addr = ip0->dst_address;
>   key0.port = udp0->dst_port;
>   key0.protocol = proto0;
>   key0.fib_index = sm->outside_fib_index;
>   kv0.key = key0.as_u64;
>
>   /* NAT packet aimed at external address if */
>   /* has active sessions */
>   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>                               &kv0, &value0))
>     {
>       /* or is static mappings */
>       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>         return 0;
>     }
>   else
>     return 0;
>
>   if (sm->forwarding_enabled)
>     return 1;
>
>   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
>                                   rx_fib_index0);
> }
> 
> want to understand why above highlighted condition is there in code ?
> 
> this  is causing SNAT to stop working the moment we enable forwarding.
> what will be impact we comment this condition ?
> 
> -Shahid.
> 
> 
> 
> 
> 
> 
> 

View/Reply Online (#12741): https://lists.fd.io/g/vpp-dev/message/12741


Re: [vpp-dev] do not SNAT if forwarding enabled

2019-04-07 Thread Shahid Khan
can someone look into below query ?

-Shahid.

On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io
 wrote:

> Hi,
>
> can someone help us on below query ?
>
> -Shahid.
>
> On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io
>  wrote:
>
>>
>> I have following query related to SNAT on VPP Release 19.0.1.02
>>
>> following is the code from vpp/src/plugins/nat/in2out.c
>>
>> static inline int
>> snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>>                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>>                     u32 rx_fib_index0, u32 thread_index)
>> {
>>   udp_header_t *udp0 = ip4_next_header (ip0);
>>   snat_session_key_t key0, sm0;
>>   clib_bihash_kv_8_8_t kv0, value0;
>>
>>   key0.addr = ip0->dst_address;
>>   key0.port = udp0->dst_port;
>>   key0.protocol = proto0;
>>   key0.fib_index = sm->outside_fib_index;
>>   kv0.key = key0.as_u64;
>>
>>   /* NAT packet aimed at external address if */
>>   /* has active sessions */
>>   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>>                               &kv0, &value0))
>>     {
>>       /* or is static mappings */
>>       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>>         return 0;
>>     }
>>   else
>>     return 0;
>>
>>   if (sm->forwarding_enabled)
>>     return 1;
>>
>>   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
>>                                   rx_fib_index0);
>> }
>>
>> want to understand why above highlighted condition is there in code ?
>>
>> this  is causing SNAT to stop working the moment we enable forwarding.
>> what will be impact we comment this condition ?
>>
>> -Shahid.
>>
>>
>>
>>
>>
>>
>>

View/Reply Online (#12723): https://lists.fd.io/g/vpp-dev/message/12723


Re: [vpp-dev] do not SNAT if forwarding enabled

2019-04-03 Thread Shahid Khan
Hi,

can someone help us on below query ?

-Shahid.

On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io
 wrote:

>
> I have following query related to SNAT on VPP Release 19.0.1.02
>
> following is the code from vpp/src/plugins/nat/in2out.c
>
> static inline int
> snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
>                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
>                     u32 rx_fib_index0, u32 thread_index)
> {
>   udp_header_t *udp0 = ip4_next_header (ip0);
>   snat_session_key_t key0, sm0;
>   clib_bihash_kv_8_8_t kv0, value0;
>
>   key0.addr = ip0->dst_address;
>   key0.port = udp0->dst_port;
>   key0.protocol = proto0;
>   key0.fib_index = sm->outside_fib_index;
>   kv0.key = key0.as_u64;
>
>   /* NAT packet aimed at external address if */
>   /* has active sessions */
>   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
>                               &kv0, &value0))
>     {
>       /* or is static mappings */
>       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
>         return 0;
>     }
>   else
>     return 0;
>
>   if (sm->forwarding_enabled)
>     return 1;
>
>   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
>                                   rx_fib_index0);
> }
>
> want to understand why above highlighted condition is there in code ?
>
> this  is causing SNAT to stop working the moment we enable forwarding.
> what will be impact we comment this condition ?
>
> -Shahid.
>
>
>
>
>
>
>

View/Reply Online (#12691): https://lists.fd.io/g/vpp-dev/message/12691


[vpp-dev] do not SNAT if forwarding enabled

2019-04-01 Thread Shahid Khan
I have following query related to SNAT on VPP Release 19.0.1.02

following is the code from vpp/src/plugins/nat/in2out.c

static inline int
snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
                    u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
                    u32 rx_fib_index0, u32 thread_index)
{
  udp_header_t *udp0 = ip4_next_header (ip0);
  snat_session_key_t key0, sm0;
  clib_bihash_kv_8_8_t kv0, value0;

  key0.addr = ip0->dst_address;
  key0.port = udp0->dst_port;
  key0.protocol = proto0;
  key0.fib_index = sm->outside_fib_index;
  kv0.key = key0.as_u64;

  /* NAT packet aimed at external address if */
  /* has active sessions */
  if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
                              &kv0, &value0))
    {
      /* or is static mappings */
      if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
        return 0;
    }
  else
    return 0;

  if (sm->forwarding_enabled)
    return 1;

  return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
                                  rx_fib_index0);
}

want to understand why above highlighted condition is there in code ?

this  is causing SNAT to stop working the moment we enable forwarding.
what will be impact we comment this condition ?

-Shahid.

View/Reply Online (#12680): https://lists.fd.io/g/vpp-dev/message/12680