[vpp-dev] VPP 18.04 release day is tomorrow!

2018-04-24 Thread Chris Luke
All,

Release day is upon us. The tentative plan is that tomorrow morning, around 
07:00 US Eastern time I'll declare the stable branch closed to new patches. If 
you have critical fixes for stable, that is your deadline to get them in for 
the release.

Thanks,
Chris.


Re: [vpp-dev] question about set ip arp

2018-04-24 Thread xyxue
Hi Neale,

After merging the patch, the configuration time of 100k cost 7+ mins.

The most time-consuming part is 'fib_node_list_walk'. The stack info is shown 
below:
0x7717d0eb in round_pow2 (x=44, pow2=8) at 
/home/vpp/build-data/../src/vppinfra/clib.h:277
277 {
(gdb) bt
#0  0x7717d0eb in round_pow2 (x=44, pow2=8) at 
/home/vpp/build-data/../src/vppinfra/clib.h:277
#1  0x7717d19c in vec_aligned_header_bytes (header_bytes=40, align=8) 
at /home/vpp/build-data/../src/vppinfra/vec_bootstrap.h:112
#2  0x7717d1e8 in vec_aligned_header (v=0x7fffba3af5a0, 
header_bytes=40, align=8) at 
/home/vpp/build-data/../src/vppinfra/vec_bootstrap.h:118
#3  0x7717de8a in pool_header (v=0x7fffba3af5a0) at 
/home/vpp/build-data/../src/vppinfra/pool.h:79
#4  0x7717dfd2 in fib_node_list_elt_get (fi=13419) at 
/home/vpp/build-data/../src/vnet/fib/fib_node_list.c:80
#5  0x7717f34b in fib_node_list_walk (list=26, fn=0x7718c56c 
, args=0x7fffb6cc5240)
at /home/vpp/build-data/../src/vnet/fib/fib_node_list.c:382
#6  0x7718c647 in fib_entry_cover_walk (cover=0x7fffb7d46eb8, 
walk=0x7718c65d , args=0xccbc)
at /home/vpp/build-data/../src/vnet/fib/fib_entry_cover.c:104
#7  0x7718c74a in fib_entry_cover_change_notify (cover_index=0, 
covered=52412) at /home/vpp/build-data/../src/vnet/fib/fib_entry_cover.c:158
#8  0x77172655 in fib_table_post_insert_actions 
(fib_table=0x7fffb6b409c0, prefix=0x7fffb6cc5490, fib_entry_index=52412)
at /home/vpp/build-data/../src/vnet/fib/fib_table.c:193
#9  0x77172772 in fib_table_entry_insert (fib_table=0x7fffb6b409c0, 
prefix=0x7fffb6cc5490, fib_entry_index=52412) at 
/home/vpp/build-data/../src/vnet/fib/fib_table.c:230
#10 0x771732da in fib_table_entry_path_add2 (fib_index=0, 
prefix=0x7fffb6cc5490, source=FIB_SOURCE_ADJ, flags=FIB_ENTRY_FLAG_ATTACHED, 
rpath=0x7fffb74ebf74)
at /home/vpp/build-data/../src/vnet/fib/fib_table.c:601
#11 0x771731a0 in fib_table_entry_path_add (fib_index=0, 
prefix=0x7fffb6cc5490, source=FIB_SOURCE_ADJ, flags=FIB_ENTRY_FLAG_ATTACHED, 
next_hop_proto=DPO_PROTO_IP4, 
next_hop=0x7fffb6cc5494, next_hop_sw_if_index=1, 
next_hop_fib_index=4294967295, next_hop_weight=1, next_hop_labels=0x0, 
path_flags=FIB_ROUTE_PATH_FLAG_NONE)
at /home/vpp/build-data/../src/vnet/fib/fib_table.c:569
#12 0x76cb1d4f in arp_adj_fib_add (e=0x7fffb9040ad4, fib_index=0) at 
/home/vpp/build-data/../src/vnet/ethernet/arp.c:550
#13 0x76cb249e in vnet_arp_set_ip4_over_ethernet_internal 
(vnm=0x7763cfc0 , args=0x7fffb6cc5790) at 
/home/vpp/build-data/../src/vnet/ethernet/arp.c:618
#14 0x76cb7d74 in set_ip4_over_ethernet_rpc_callback (a=0x7fffb6cc5790) 
at /home/vpp/build-data/../src/vnet/ethernet/arp.c:1989
#15 0x779472ce in vl_api_rpc_call_main_thread_inline (fp=0x76cb7c63 
, data=0x7fffb6cc5790 "\001", 
data_length=28, force_rpc=0 '\000')
at /home/vpp/build-data/../src/vlibmemory/memory_vlib.c:2061
#16 0x77947421 in vl_api_rpc_call_main_thread (fp=0x76cb7c63 
, data=0x7fffb6cc5790 "\001", 
data_length=28)
at /home/vpp/build-data/../src/vlibmemory/memory_vlib.c:2107
#17 0x76cb8421 in vnet_arp_set_ip4_over_ethernet (vnm=0x7763cfc0 
, sw_if_index=1, a_arg=0x7fffb6cc5890, is_static=0, 
is_no_fib_entry=0)
at /home/vpp/build-data/../src/vnet/ethernet/arp.c:2074


Thanks,
Xyxue

From: Neale Ranns (nranns)
Date: 2018-04-23 20:36
To: 薛欣颖; vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] question about set ip arp
Hi Xyxue,
 
Can you please test to see if the situation improves with:
  https://gerrit.fd.io/r/#/c/12012/
 
thanks,
neale
 
From:  on behalf of xyxue 
Date: Friday, 20 April 2018 at 11:31
To: "vpp-dev@lists.fd.io" 
Subject: [vpp-dev] question about set ip arp
 
 
Hi guys,

I'm testing 'set ip arp'. When I don't configure the param 'no-fib-entry', 
the configuration time of 100k cost 19+ mins. When I configure the param 
'no-fib-entry' the time is 9 s.
Can I use 'set ip arp ... + no-fib-entry and ip route add' to achieve the same 
goal as 'set ip arp without no-fib-entry'?
The most time-consuming part is 'clib_bihash_foreach_key_value_pair_24_8'. 
The stack info is shown below:
0 clib_bihash_foreach_key_value_pair_24_8 (h=0x7fffb5d4c840, 
callback=0x7719c98d , arg=0x7fffb5d33dc0) 
at /home/vpp/build-data/../src/vppinfra/bihash_template.c:589 
#1 0x7719cafd in adj_nbr_walk_nh4 (sw_if_index=1, addr=0x7fffb5d4c0f8, 
cb=0x76cacb17 , ctx=0x7fffb5d4c0f4) 
at /home/vpp/build-data/../src/vnet/adj/adj_nbr.c:642 
#2 0x76cacd64 in arp_update_adjacency (vnm=0x7763a540 , 
sw_if_index=1, ai=1) at /home/vpp/build-data/../src/vnet/ethernet/arp.c:466 
#3 0x76cbb6fe in ethernet_update_adjacency (vnm=0x7763a540 
, sw_if_index=1, ai=1) at 
/home/vpp/build-data/../src/vnet/ethernet/interface.c:208 
#4 0x771aca55 in vnet_update_adjacency_for_sw_interface 
(vnm=0x7ff

Re: [vpp-dev] segfault due to movaps unaligned access

2018-04-24 Thread Florin Coras
Hi Radu, 

Making the crypto_worker_main_t a full cache line in size (see patch [1]) seems 
to solve the issue. Could you confirm?

Florin

[1] https://gerrit.fd.io/r/#/c/12086/ 

> On Apr 24, 2018, at 9:23 AM, Radu Nicolau  wrote:
> 
> Hello all,
>
> We’re seeing a weird issue, that is a segfault that looks to be caused by a 
> movaps instruction that is trying to access an address that is not 16 byte 
> aligned.
> The call originates from a vec_validate_init_empty_aligned that has the 
> argument aligned to 16 bytes.
> I have seen something like this in the past, we couldn’t find a root cause 
> and considered it a GCC bug (version 5 then), but now it pops up again on 
> version 7, so probably it isn’t.
> Any idea? A snapshot of the gdb screen below.
>
> gcc (Ubuntu 7.2.0-8ubuntu3.2) 7.2.0
> https://postimg.cc/image/9jy4p38at/ 
>
> thanks and I will appreciate any help,
> Radu
> 



[vpp-dev] segfault due to movaps unaligned access

2018-04-24 Thread Radu Nicolau
Hello all,

We're seeing a weird issue, that is a segfault that looks to be caused by a 
movaps instruction that is trying to access an address that is not 16 byte 
aligned.
The call originates from a vec_validate_init_empty_aligned that has the 
argument aligned to 16 bytes.
I have seen something like this in the past, we couldn't find a root cause and 
considered it a GCC bug (version 5 then), but now it pops up again on version 
7, so probably it isn't.
Any idea? A snapshot of the gdb screen below.

gcc (Ubuntu 7.2.0-8ubuntu3.2) 7.2.0
https://postimg.cc/image/9jy4p38at/

thanks and I will appreciate any help,
Radu


[vpp-dev] vnet_feature_init:70: Unknown feature arc 'my_policer'

2018-04-24 Thread Sara Gittlin
Hello all,

I get this run time error message.
I have 3 plugins: my_policer, my_forwarder4 and my_forwarder6.
The policer sets the next node to be forwarder4 or 6.
I **did not** get this error message when I only have **2 plugins**,
policer and forwarder.

The policer VNET_FEATURE_INIT macro is set to:
VNET_FEATURE_INIT (my_policer, static) =
{
  .arc_name = "device-input",
  .node_name = "my_policer",
  .runs_before = VNET_FEATURES ("ethernet-input"),
};
Also the my-forwarders are set the same:
VNET_FEATURE_INIT (my_forwarder4, static) =
{
  .arc_name = "device-input",
  .node_name = "my_forwarder4",
  .runs_before = VNET_FEATURES ("ethernet-input"),
};
Thank you
-Sara


Re: [vpp-dev] #vpp CGNAT implementation in VPP

2018-04-24 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco)
You can use vat console

Matus

From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 12:52 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 

Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks.

I don't know if it is a bug or for some other reason, my setup works better when 
I add both deterministic and non-deterministic commands to get deterministic 
mapping. When I used only deterministic commands, I got some issues with 
reverse NAT translations. In particular, those internal addresses mapped with 
the first outside address established sessions while all other addresses did 
not function properly. Adding non-deterministic commands fixed the problem 
somehow.

About the API calls, do I need to build and run a .c program as documented 
here or is there a more 
simple approach like vat# console for this purpose?

On Tue, Apr 24, 2018 at 3:20 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

You can’t use deterministic and non-deterministic NAT commands at the same time.
When you want to store active deterministic sessions somewhere you can use API 
nat_det_session_dump (https://wiki.fd.io/view/VPP/NAT#API_2), just call this 
API periodically.

Matus


From: Hamid Rasool 
<14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 11:56 AM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks Matus.

I was using namespaces to generate internal addresses and after verifying, the 
address range was indeed deterministic.

To partially solve my logging issue, when you add the commands for 
deterministic and non-deterministic at the same time (start address-end address 
according to the outside address pool), I get back details of the current 
sessions through 'show nat44 deterministic sessions' commands. This command 
only shows the active sessions. Is there any way to make this mapping 
persistent/store these results in a file/database?

Regards.

On Tue, Apr 24, 2018 at 1:17 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Are the internal addresses you used sequential or randomly selected from the 
internal network range?
Deterministic NAT uses sequential outside address and port range assignment 
(first block of external address goes to first address from inside network 
range, second block of external address goes to second address and so on). 
There is also a CLI where you can obtain the outside address and port range for 
a specific inside host “nat44 deterministic forward ” and also a CLI to 
obtain the inside host address from a specific outside address and port pair 
“nat44 deterministic reverse :”
Example:
DBGvpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.1/30
DBGvpp# nat44 deterministic forward 10.0.55.6
1.1.1.3:<27994-28008>
DBGvpp# nat44 deterministic forward 10.0.55.7
1.1.1.3:<28009-28023>
DBGvpp# nat44 deterministic forward 10.0.55.8
1.1.1.3:<28024-28038>
DBGvpp# nat44 deterministic reverse 1.1.1.1:1276
10.0.16.16


Matus


From: Hamid Rasool 
<14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 9:44 AM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi again,

I have run into some issues while performing deterministic CG-NAT. You guys 
told that we do not require logging in this because we are sure that clients 
will get deterministic outside addresses according to ratio. However, I set the 
mappings ratio as 16 and have created sessions using 16 different inside 
addresses. In case of deterministic, they should all map to a single outside 
address and then the 17th different inside address should be attached to a 
different outside address. This is not the case for me as 10 sessions are going 
to 1st address and other 6 are mapped to second one.

There is currently no way to track this other than tcpdump. In the normal 
nat44, there is a show nat44 addresses which gives some idea about the 
mappings, but the show nat44 deterministic mappings (in stable/1804) only 
provides the ratio and number of ports calculated which is not too helpful.

Looking for better ideas to track these addresses or make them truly 
deterministic. Thanks.

On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Src address is mandatory parameter

Matus

From: Hamid Rasool 
<14mseesras...@seecs.edu.pk>
Sent: Mon

Re: [vpp-dev] #vpp CGNAT implementation in VPP

2018-04-24 Thread Hamid via Lists.Fd.Io
Thanks.

I don't know if it is a bug or for some other reason, my setup works better
when I add both deterministic and non-deterministic commands to get
deterministic mapping. When I used only deterministic commands, I got some
issues with reverse NAT translations. In particular, those internal
addresses mapped with the first outside address established sessions while
all other addresses did not function properly. Adding non-deterministic
commands fixed the problem somehow.

About the API calls, do I need to build and run a .c program as documented
here  or is there a more
simple approach like vat# console for this purpose?

On Tue, Apr 24, 2018 at 3:20 PM, Matus Fabian -X (matfabia - PANTHEON
TECHNOLOGIES at Cisco)  wrote:

> Hi,
>
>
>
> You can’t use deterministic and non-deterministic NAT commands at the same
> time.
>
> When you want to store active deterministic sessions somewhere you can use
> API nat_det_session_dump (https://wiki.fd.io/view/VPP/NAT#API_2), just
> call this API periodically.
>
>
>
> Matus
>
>
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Tuesday, April 24, 2018 11:56 AM
>
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Thanks Matus.
>
>
>
> I was using namespaces to generate internal addresses and after verifying,
> the address range was indeed deterministic.
>
>
>
> To partially solve my logging issue, when you add the commands for
> deterministic and non-deterministic at the same time (start address-end
> address according to the outside address pool), I get back details of the
> current sessions through 'show nat44 deterministic sessions' commands. This
> command only shows the active sessions. Is there any way to make this
> mapping persistent/store these results in a file/database?
>
>
>
> Regards.
>
>
>
> On Tue, Apr 24, 2018 at 1:17 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco)  wrote:
>
> Hi,
>
>
>
> Are the internal addresses you used sequential or randomly selected from
> the internal network range?
>
> Deterministic NAT uses sequential outside address and port range assignment
> (first block of external address goes to first address from inside network
> range, second block of external address goes to second address and so on).
> There is also a CLI where you can obtain the outside address and port range
> for a specific inside host “nat44 deterministic forward ” and also a CLI to
> obtain the inside host address from a specific outside address and port pair
> “nat44 deterministic reverse :”
>
> Example:
>
> DBGvpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.1/30
>
> DBGvpp# nat44 deterministic forward 10.0.55.6
>
> 1.1.1.3:<27994-28008>
>
> DBGvpp# nat44 deterministic forward 10.0.55.7
>
> 1.1.1.3:<28009-28023>
>
> DBGvpp# nat44 deterministic forward 10.0.55.8
>
> 1.1.1.3:<28024-28038>
>
> DBGvpp# nat44 deterministic reverse 1.1.1.1:1276
>
> 10.0.16.16
>
>
>
>
>
> Matus
>
>
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Tuesday, April 24, 2018 9:44 AM
>
>
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Hi again,
>
>
>
> I have run into some issues while performing deterministic CG-NAT. You
> guys told that we do not require logging in this because we are sure that
> clients will get deterministic outside addresses according to ratio.
> However, I set the mappings ratio as 16 and have created sessions using 16
> different inside addresses. In case of deterministic, they should all map
> to a single outside address and then the 17th different inside address
> should be attached to a different outside address. This is not the case for
> me as 10 sessions are going to 1st address and other 6 are mapped to second
> one.
>
>
>
> There is currently no way to track this other than tcpdump. In the normal
> nat44, there is a show nat44 addresses which gives some idea about the
> mappings, but the show nat44 deterministic mappings (in stable/1804) only
> provides the ratio and number of ports calculated which is not too helpful.
>
>
>
> Looking for better ideas to track these addresses or make them truly
> deterministic. Thanks.
>
>
>
> On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco)  wrote:
>
> Src address is mandatory parameter
>
>
>
> Matus
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Monday, April 23, 2018 7:31 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Is the src  necessary in the netflow export collector command?
> I have ping connectivity with the collector but still I am unable to get
> any flow

Re: [vpp-dev] #vpp CGNAT implementation in VPP

2018-04-24 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco)
Hi,

You can’t use deterministic and non-deterministic NAT commands at the same time.
When you want to store active deterministic sessions somewhere you can use API 
nat_det_session_dump (https://wiki.fd.io/view/VPP/NAT#API_2), just call this 
API periodically.

Matus


From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 11:56 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 

Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Thanks Matus.

I was using namespaces to generate internal addresses and after verifying, the 
address range was indeed deterministic.

To partially solve my logging issue, when you add the commands for 
deterministic and non-deterministic at the same time (start address-end address 
according to the outside address pool), I get back details of the current 
sessions through 'show nat44 deterministic sessions' commands. This command 
only shows the active sessions. Is there any way to make this mapping 
persistent/store these results in a file/database?

Regards.

On Tue, Apr 24, 2018 at 1:17 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Hi,

Are the internal addresses you used sequential or randomly selected from the 
internal network range?
Deterministic NAT uses sequential outside address and port range assignment 
(first block of external address goes to first address from inside network 
range, second block of external address goes to second address and so on). 
There is also a CLI where you can obtain the outside address and port range for 
a specific inside host “nat44 deterministic forward ” and also a CLI to 
obtain the inside host address from a specific outside address and port pair 
“nat44 deterministic reverse :”
Example:
DBGvpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.1/30
DBGvpp# nat44 deterministic forward 10.0.55.6
1.1.1.3:<27994-28008>
DBGvpp# nat44 deterministic forward 10.0.55.7
1.1.1.3:<28009-28023>
DBGvpp# nat44 deterministic forward 10.0.55.8
1.1.1.3:<28024-28038>
DBGvpp# nat44 deterministic reverse 1.1.1.1:1276
10.0.16.16


Matus


From: Hamid Rasool 
<14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 9:44 AM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi again,

I have run into some issues while performing deterministic CG-NAT. You guys 
told that we do not require logging in this because we are sure that clients 
will get deterministic outside addresses according to ratio. However, I set the 
mappings ratio as 16 and have created sessions using 16 different inside 
addresses. In case of deterministic, they should all map to a single outside 
address and then the 17th different inside address should be attached to a 
different outside address. This is not the case for me as 10 sessions are going 
to 1st address and other 6 are mapped to second one.

There is currently no way to track this other than tcpdump. In the normal 
nat44, there is a show nat44 addresses which gives some idea about the 
mappings, but the show nat44 deterministic mappings (in stable/1804) only 
provides the ratio and number of ports calculated which is not too helpful.

Looking for better ideas to track these addresses or make them truly 
deterministic. Thanks.

On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Src address is mandatory parameter

Matus

From: Hamid Rasool 
<14mseesras...@seecs.edu.pk>
Sent: Monday, April 23, 2018 7:31 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Is the src  necessary in the netflow export collector command? I 
have ping connectivity with the collector but still I am unable to get any 
flows are visible.
It is a bit odd because I only want to verify the inside address:inside port 
and outside address:outside port and for that you need an extra setup.

Thanks.

On Mon, Apr 16, 2018 at 6:49 PM, Hamid Rasool 
<14mseesras...@seecs.edu.pk> wrote:
No luck with the tcpdump (it only shows the broadcast routing protocol messages 
from a virtual router interface that it is connected with; my test bed topology 
has multiple hosts) during ipfix flush command either.

Are there any logs for ipfix / NAT translation logs stored on the local machine 
where vpp is running? So far the only way you can obtain the translated ports 
currently is by running tcpdump on the vpp machine outbound interface but they 
are not viable to maintain logging. I have tried r

Re: [vpp-dev] #vpp CGNAT implementation in VPP

2018-04-24 Thread Hamid via Lists.Fd.Io
Thanks Matus.

I was using namespaces to generate internal addresses and after verifying,
the address range was indeed deterministic.

To partially solve my logging issue, when you add the commands for
deterministic and non-deterministic at the same time (start address-end
address according to the outside address pool), I get back details of the
current sessions through 'show nat44 deterministic sessions' commands. This
command only shows the active sessions. Is there any way to make this
mapping persistent/store these results in a file/database?

Regards.

On Tue, Apr 24, 2018 at 1:17 PM, Matus Fabian -X (matfabia - PANTHEON
TECHNOLOGIES at Cisco)  wrote:

> Hi,
>
>
>
> Are the internal addresses you used sequential or randomly selected from
> the internal network range?
>
> Deterministic NAT uses sequential outside address and port range assignment
> (first block of external address goes to first address from inside network
> range, second block of external address goes to second address and so on).
> There is also a CLI where you can obtain the outside address and port range
> for a specific inside host “nat44 deterministic forward ” and also a CLI to
> obtain the inside host address from a specific outside address and port pair
> “nat44 deterministic reverse :”
>
> Example:
>
> DBGvpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.1/30
>
> DBGvpp# nat44 deterministic forward 10.0.55.6
>
> 1.1.1.3:<27994-28008>
>
> DBGvpp# nat44 deterministic forward 10.0.55.7
>
> 1.1.1.3:<28009-28023>
>
> DBGvpp# nat44 deterministic forward 10.0.55.8
>
> 1.1.1.3:<28024-28038>
>
> DBGvpp# nat44 deterministic reverse 1.1.1.1:1276
>
> 10.0.16.16
>
>
>
>
>
> Matus
>
>
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Tuesday, April 24, 2018 9:44 AM
>
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Hi again,
>
>
>
> I have run into some issues while performing deterministic CG-NAT. You
> guys told that we do not require logging in this because we are sure that
> clients will get deterministic outside addresses according to ratio.
> However, I set the mappings ratio as 16 and have created sessions using 16
> different inside addresses. In case of deterministic, they should all map
> to a single outside address and then the 17th different inside address
> should be attached to a different outside address. This is not the case for
> me as 10 sessions are going to 1st address and other 6 are mapped to second
> one.
>
>
>
> There is currently no way to track this other than tcpdump. In the normal
> nat44, there is a show nat44 addresses which gives some idea about the
> mappings, but the show nat44 deterministic mappings (in stable/1804) only
> provides the ratio and number of ports calculated which is not too helpful.
>
>
>
> Looking for better ideas to track these addresses or make them truly
> deterministic. Thanks.
>
>
>
> On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco)  wrote:
>
> Src address is mandatory parameter
>
>
>
> Matus
>
>
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Monday, April 23, 2018 7:31 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
>
>
> Is the src  necessary in the netflow export collector command?
> I have ping connectivity with the collector but still I am unable to get
> any flows are visible.
>
> It is a bit odd because I only want to verify the inside address:inside
> port and outside address:outside port and for that you need an extra setup.
>
>
>
> Thanks.
>
>
>
> On Mon, Apr 16, 2018 at 6:49 PM, Hamid Rasool <14mseesras...@seecs.edu.pk>
> wrote:
>
> No luck with the tcpdump (it only shows the broadcast routing protocol
> messages from a virtual router interface that it is connected with; my test
> bed topology has multiple hosts) during ipfix flush command either.
>
>
>
> Are there any logs for ipfix / NAT translation logs stored on the local
> machine where vpp is running? So far the only way you can obtain the
> translated ports currently is by running tcpdump on the vpp machine
> outbound interface but they are not viable to maintain logging. I have
> tried running tcpdump on the vpp machine on the interface which is used to
> check ping connectivity with the collector machine and have still not
> observed anything relevant.
>
>
>
> Thanks.
>
>
>
> On Mon, Apr 16, 2018 at 3:52 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco)  wrote:
>
> This should send some IPfix NAT44 session create events. Do you observe
> any traffic in tcpdump at the collector machine when use “ipfix flush”?
> This command should at least send IPfix templates.
>
>
>
> Matus
>
>
>
>
>
> *From:* vpp-dev@lists.fd.io  *On Behalf Of *Hamid
> via Lists.Fd.Io
> *Sent:* Monday

Re: [vpp-dev] #vpp CGNAT implementation in VPP

2018-04-24 Thread Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES@Cisco)
Hi,

Are the internal addresses you used sequential or randomly selected from the 
internal network range?
Deterministic NAT uses sequential outside address and port range assignment 
(first block of external address goes to first address from inside network 
range, second block of external address goes to second address and so on). 
There is also a CLI where you can obtain the outside address and port range for 
a specific inside host “nat44 deterministic forward ” and also a CLI to 
obtain the inside host address from a specific outside address and port pair 
“nat44 deterministic reverse :”
Example:
DBGvpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.1/30
DBGvpp# nat44 deterministic forward 10.0.55.6
1.1.1.3:<27994-28008>
DBGvpp# nat44 deterministic forward 10.0.55.7
1.1.1.3:<28009-28023>
DBGvpp# nat44 deterministic forward 10.0.55.8
1.1.1.3:<28024-28038>
DBGvpp# nat44 deterministic reverse 1.1.1.1:1276
10.0.16.16


Matus


From: Hamid Rasool <14mseesras...@seecs.edu.pk>
Sent: Tuesday, April 24, 2018 9:44 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 

Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Hi again,

I have run into some issues while performing deterministic CG-NAT. You guys 
told that we do not require logging in this because we are sure that clients 
will get deterministic outside addresses according to ratio. However, I set the 
mappings ratio as 16 and have created sessions using 16 different inside 
addresses. In case of deterministic, they should all map to a single outside 
address and then the 17th different inside address should be attached to a 
different outside address. This is not the case for me as 10 sessions are going 
to 1st address and other 6 are mapped to second one.

There is currently no way to track this other than tcpdump. In the normal 
nat44, there is a show nat44 addresses which gives some idea about the 
mappings, but the show nat44 deterministic mappings (in stable/1804) only 
provides the ratio and number of ports calculated which is not too helpful.

Looking for better ideas to track these addresses or make them truly 
deterministic. Thanks.

On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
Src address is mandatory parameter

Matus

From: Hamid Rasool 
<14mseesras...@seecs.edu.pk>
Sent: Monday, April 23, 2018 7:31 AM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Is the src  necessary in the netflow export collector command? I 
have ping connectivity with the collector but still I am unable to get any 
flows are visible.
It is a bit odd because I only want to verify the inside address:inside port 
and outside address:outside port and for that you need an extra setup.

Thanks.

On Mon, Apr 16, 2018 at 6:49 PM, Hamid Rasool 
<14mseesras...@seecs.edu.pk> wrote:
No luck with the tcpdump (it only shows the broadcast routing protocol messages 
from a virtual router interface that it is connected with; my test bed topology 
has multiple hosts) during ipfix flush command either.

Are there any logs for ipfix / NAT translation logs stored on the local machine 
where vpp is running? So far the only way you can obtain the translated ports 
currently is by running tcpdump on the vpp machine outbound interface but they 
are not viable to maintain logging. I have tried running tcpdump on the vpp 
machine on the interface which is used to check ping connectivity with the 
collector machine and have still not observed anything relevant.

Thanks.

On Mon, Apr 16, 2018 at 3:52 PM, Matus Fabian -X (matfabia - PANTHEON 
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
This should send some IPfix NAT44 session create events. Do you observe any 
traffic in tcpdump at the collector machine when use “ipfix flush”? This 
command should at least send IPfix templates.

Matus


From: vpp-dev@lists.fd.io 
<vpp-dev@lists.fd.io> On Behalf Of Hamid via 
Lists.Fd.Io
Sent: Monday, April 16, 2018 12:17 PM

To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
<matfa...@cisco.com>
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] #vpp CGNAT implementation in VPP

Currently I have just 1 client connected.

vpp# show nat44 sessions
NAT44 sessions:
  100.64.0.1: 100 dynamic translations, 0 static translations


Here are all of the VPP commands used (involve a few TAP and bvi interfaces):
Is there a command history option in vpp cli?
loopback create
set int l2 bridge loop0 1 bvi
set int ip address loop0 192.168.10.1/24
set int state loop0 up

tap connect lstack address 192.168.10.2/24
set int l2 bri

Re: [vpp-dev] VLAN to VLAN

2018-04-24 Thread Andrew Yourtchenko
Carlito,

Seems like my mail didn’t make it to the list...

Your release doesn’t have yet the support for subinterfaces.

Do “make test TEST=acl_plugin_macip” and the very scenario you are setting up 
is the first unit test in the supported version, so you can compare the logs.

I suggest giving a whirl to a 18.04rc2, since the release will be out in just a 
couple of days.

--a

> On 24 Apr 2018, at 04:02, carlito nueno  wrote:
> 
> any suggestions?
> 
> Thanks
> 


Re: [vpp-dev] #vpp CGNAT implementation in VPP

2018-04-24 Thread Hamid via Lists.Fd.Io
Hi again,

I have run into some issues while performing deterministic CG-NAT. You guys
said that we do not require logging in this because we are sure that
clients will get deterministic outside addresses according to ratio.
However, I set the mappings ratio as 16 and have created sessions using 16
different inside addresses. In case of deterministic, they should all map
to a single outside address and then the 17th different inside address
should be attached to a different outside address. This is not the case for
me as 10 sessions are going to 1st address and other 6 are mapped to second
one.

There is currently no way to track this other than tcpdump. In the normal
nat44, there is a show nat44 addresses which gives some idea about the
mappings, but the show nat44 deterministic mappings (in stable/1804) only
provides the ratio and number of ports calculated which is not too helpful.

Looking for better ideas to track these addresses or make them truly
deterministic. Thanks.

On Mon, Apr 23, 2018 at 10:47 AM, Matus Fabian -X (matfabia - PANTHEON
TECHNOLOGIES at Cisco)  wrote:

> Src address is mandatory parameter
>
> Matus
>
> *From:* Hamid Rasool <14mseesras...@seecs.edu.pk>
> *Sent:* Monday, April 23, 2018 7:31 AM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <
> matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Is the src  necessary in the netflow export collector command?
> I have ping connectivity with the collector but I am still unable to see
> any flows.
>
> It is a bit odd because I only want to verify the inside address:inside
> port and outside address:outside port and for that you need an extra setup.
>
> Thanks.
>
> On Mon, Apr 16, 2018 at 6:49 PM, Hamid Rasool <14mseesras...@seecs.edu.pk>
> wrote:
>
> No luck with the tcpdump (it only shows the broadcast routing protocol
> messages from a virtual router interface that it is connected with; my test
> bed topology has multiple hosts) during ipfix flush command either.
>
> Are there any ipfix / NAT translation logs stored on the local
> machine where vpp is running? So far the only way you can obtain the
> translated ports currently is by running tcpdump on the vpp machine
> outbound interface but they are not viable to maintain logging. I have
> tried running tcpdump on the vpp machine on the interface which is used to
> check ping connectivity with the collector machine and have still not
> observed anything relevant.
>
> Thanks.
>
> On Mon, Apr 16, 2018 at 3:52 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco)  wrote:
>
> This should send some IPfix NAT44 session create events. Do you observe
> any traffic in tcpdump at the collector machine when you use “ipfix flush”?
> This command should at least send IPfix templates.
>
> Matus
>
> *From:* vpp-dev@lists.fd.io  *On Behalf Of *Hamid via Lists.Fd.Io
> *Sent:* Monday, April 16, 2018 12:17 PM
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
> *Cc:* vpp-dev@lists.fd.io
> *Subject:* Re: [vpp-dev] #vpp CGNAT implementation in VPP
>
> Currently I have just 1 client connected.
>
> vpp# show nat44 sessions
> NAT44 sessions:
>   100.64.0.1: 100 dynamic translations, 0 static translations
>
> Here are all of the VPP commands used (involve a few TAP and bvi
> interfaces):
> Is there a command history option in vpp cli?
>
> loopback create
> set int l2 bridge loop0 1 bvi
> set int ip address loop0 192.168.10.1/24
> set int state loop0 up
>
> tap connect lstack address 192.168.10.2/24
> set int l2 bridge tapcli-0 1
> set int state tapcli-0 up
>
> loopback create
> set int l2 bridge loop1 2 bvi
> set int ip address loop1 192.168.100.1/24
> set int state loop1 up
>
> tap connect lstack1 address 192.168.100.2/24
> set int l2 bridge tapcli-1 2
> set int state tapcli-1 up
>
> nat44 add interface address loop0
> set interface nat44 in loop1 out loop0
> nat44 add address 192.168.10.20 - 192.168.10.30
>
> set int l2 bridge GigabitEthernet0/3/0 1
> set int state GigabitEthernet0/3/0 up
>
> ip route add 100.64.0.0/24 via 192.168.100.2
> ip route add 0.0.0.0/0 via 192.168.10.3
>
> set ipfix exporter collector 192.168.4.3 port 2055 src 192.168.10.1
> nat ipfix logging
>
> On Mon, Apr 16, 2018 at 3:07 PM, Matus Fabian -X (matfabia - PANTHEON
> TECHNOLOGIES at Cisco)  wrote:
>
> How many NAT session client create? IPfix should send at least templates
> each 20 seconds if there is no data. You can manually send cached IPfix
> data and templates by “ipfix flush”. Could you please provide your VPP
> config (all used CLI config commands)? There are a couple of NAT IPfix tests
> and all pass.
>
> Matus
>
> *From:* Hamid Rasool 
> *Sent:* Monday, April 16, 2018 11:09 AM
>
>
> *To:* Matus Fabian -X (matfabia - PANTHEON TECHNOL