Hi,

I will look into it.

Best regards,
Filip

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Dengfeng Liu
Sent: Thursday, September 24, 2020 11:44 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] nat44 static mapping does not work in endpoint-dependent 
mode and workers > 1
Importance: High

Dear all,

It seems that nat44 static mapping feature does not work in ed mode and workers 
>1.

my setup is :

vpp  20.09

startup.conf
unix {
    interactive
        nodaemon
        cli-listen  /run/vpp/cli.sock
        cli-no-pager
        poll-sleep-usec 100
}
api-trace {
        on
}
api-segment {
        gid vpp
}
socksvr {
        default
}
cpu {
    main-core 1
    corelist-workers 2,3
}
dpdk {
        uio-driver vfio-pci
        dev 0000:02:05.0 { name G0}
}
nat {
        endpoint-dependent
}

vpp config:
set int state G0 up
create tap id 1
set int state tap1 up
set int ip addr tap1 1.1.1.1/24
set dhcp client intfc G0

set int nat44 out G0 output-feature
nat44 add int address G0
nat44 forwarding enable

nat44 add static map tcp local 1.1.1.2 80 external 192.168.1.155 80

after config, show all information
DBGvpp# sh int addr
G0 (up):
  L3 192.168.1.155/24
local0 (dn):
tap1 (up):
  L3 1.1.1.1/24
DBGvpp# sh nat44 int
interfaces  interface
DBGvpp# sh nat44 interfaces
NAT44 interfaces:
 G0 output-feature out
DBGvpp# sh nat44 addresses
NAT44 pool addresses:
192.168.1.155
  tenant VRF independent
  0 busy other ports
  0 busy udp ports
  1 busy tcp ports
  0 busy icmp ports
NAT44 twice-nat pool addresses:
DBGvpp# sh nat44 static mappings
NAT44 static mappings:
 tcp local 1.1.1.2:80 external 192.168.1.155:80 vrf 0

When an HTTP client starts a request, device 1.1.1.2 receives the TCP SYN and 
responds with SYN+ACK, but the SYN+ACK is dropped by vpp with the reason 
"non-SYN packet try to create session".
I read the code and found that node nat44-in2out-output-worker-handoff should 
use snat_static_mapping_match to check whether the packet belongs to a static 
mapping; otherwise it picks the wrong thread_index, and when the packet is then 
processed in node nat44-ed-in2out-output-slowpath it raises the error 
"non-SYN packet try to create session".
The following patch fixes the above bug. If anybody finds a problem with the 
patch or has a better idea, please let me know, thanks.
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index 15c767c..f4147f2 100644
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -1599,8 +1599,8 @@ nat44_lb_static_mapping_add_del_local (ip4_address_t 
e_addr, u16 e_port,
      .src_address = local->addr,
    };
    tsm = vec_elt_at_index (sm->per_thread_data,
-   sm->worker_in2out_cb (&ip, m->fib_index,
- 0));
+   sm->worker_in2out_cb (&ip,
+ m->fib_index, 0));
  }
       else
  tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
@@ -3254,8 +3254,8 @@ format_ed_session_kvp (u8 * s, va_list * args)
 }

 static u32
-snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0,
-    u8 is_output)
+snat_get_worker_in2out_cb (ip4_header_t * ip0,
+    u32 rx_fib_index0, u8 is_output)
 {
   snat_main_t *sm = &snat_main;
   u32 next_worker_index = 0;
@@ -3358,8 +3358,8 @@ snat_get_worker_out2in_cb (vlib_buffer_t * b, 
ip4_header_t * ip0,
 }

 static u32
-nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 rx_fib_index,
-        u8 is_output)
+nat44_ed_get_worker_in2out_cb (ip4_header_t * ip,
+        u32 rx_fib_index, u8 is_output)
 {
   snat_main_t *sm = &snat_main;
   u32 next_worker_index = sm->first_worker_index;
@@ -3383,8 +3383,6 @@ nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 
rx_fib_index,
  ,
       };

-      udp = ip4_next_header (ip);
-
       switch (vec_len (sm->outside_fibs))
  {
  case 0:
@@ -3411,8 +3409,27 @@ nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 
rx_fib_index,
    break;
  }

-      init_ed_k (&kv16, ip->src_address, udp->src_port, ip->dst_address,
-  udp->dst_port, fib_index, ip->protocol);
+      udp = ip4_next_header (ip);
+
+      ip4_address_t sm_addr;
+      u16 sm_port;
+      u32 sm_fib_index;
+      u32 nat_proto = ip_proto_to_nat_proto (ip->protocol);
+      u16 sport = udp->src_port;
+      u16 dport = udp->dst_port;
+      if (snat_static_mapping_match
+   (sm, ip->src_address, sport, rx_fib_index, nat_proto,
+    &sm_addr, &sm_port, &sm_fib_index, 0, 0, 0, 0, 0, 0, 0))
+ {
+
+   init_ed_k (&kv16, ip->src_address, sport, ip->dst_address,
+      dport, fib_index, ip->protocol);
+ }
+      else
+ {
+   init_ed_k (&kv16, sm_addr, sm_port, ip->dst_address, dport,
+      sm_fib_index, ip->protocol);
+ }

       if (PREDICT_TRUE (!clib_bihash_search_16_8 (&sm->out2in_ed,
    &kv16, &value16)))
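Review bot: The `if` around `snat_static_mapping_match` reads backwards: the branch taken on a non-zero return builds the key from the packet's own addresses, while the `else` branch consumes `sm_addr`, `sm_port` and `sm_fib_index`, so those three uninitialised locals are safe only if a zero return means "mapping found" and the callee fills all of them. I would test `!snat_static_mapping_match (...)` with the mapped-key branch first and add a comment such as `/* returns 0 on match; sm_* are valid only then */`, plus a short comment naming what the seven trailing `0` arguments disable. The mapped branch also uses `sm_fib_index` instead of the `fib_index` the `switch` above has just resolved; if that is intended it deserves a comment. `sport` and `dport` are read through `udp` whatever `ip->protocol` is, and no protocol or fragment check is visible in the hunk, so confirm the enclosing code guarantees an L4 header before these values drive the static-mapping lookup and the worker choice. The function body starts and ends outside this hunk.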
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index 8eef1e4..205947f 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -300,9 +300,8 @@ create_session_for_static_mapping_ed (snat_main_t * sm,
        o2i_fib_index, ip->protocol, thread_index, s - tsm->sessions);
   ctx.now = now;
   ctx.thread_index = thread_index;
-  if (clib_bihash_add_or_overwrite_stale_16_8 (&sm->out2in_ed, &kv,
-        nat44_o2i_ed_is_idle_session_cb,
-        &ctx))
+  if (clib_bihash_add_or_overwrite_stale_16_8
+      (&sm->out2in_ed, &kv, nat44_o2i_ed_is_idle_session_cb, &ctx))
     nat_elog_notice ("out2in-ed key add failed");

   if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
@@ -487,7 +486,7 @@ create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, 
ip4_header_t * ip,
       s->in2out.port = s->out2in.port;
       s->in2out.fib_index = s->out2in.fib_index;

-      kv.value = s - tsm->sessions;
+      kv.value = (u64) thread_index << 32 | (s - tsm->sessions);
       if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
  nat_elog_notice ("in2out_ed key add failed");

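Review bot: `kv.value = (u64) thread_index << 32 | (s - tsm->sessions);` ORs a signed pointer difference into the value unmasked, so an index that does not fit in 32 bits (or a negative difference) would overwrite the upper half that presumably carries the thread index for later lookups. Parenthesise and narrow it explicitly, `kv.value = ((u64) thread_index << 32) | (u32) (s - tsm->sessions);`, or reuse whatever helper packs the value elsewhere in this file: the call ending at the top of the previous hunk already passes `thread_index, s - tsm->sessions` as separate arguments. The mail text does not mention this encoding change, so a one-line comment on the value layout (thread index in the upper 32 bits, session index in the lower) would help the next reader. create_bypass_for_fwd continues outside the hunk.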
