Re: [vpp-dev] clearing sessions when application exits #vppcom #vpp-hoststack

2020-09-30 Thread Florin Coras
Hi Tahir, 

If a vcl app/worker is not closed cleanly, it won’t detach from vpp. In vpp 
20.05, the binary api infra will detect that vcl's binary api client crashed, 
and cleanup the stale app state, but only after about 30s. In 21.01 (master 
latest) after this [1] vcl can be configured to use the session layer’s app 
socket api. With this, the session layer in vpp detects socket close events 
(e.g., app crashes) and cleans up stale app state. 

More comments inline. 

[1] https://gerrit.fd.io/r/c/vpp/+/28717 

> On Sep 30, 2020, at 12:06 PM, tahir.a.sangli...@gmail.com wrote:
> 
> we are using vcl library to send/receive, if the application aborts or kill 
> signal is sent to the application, vcl sessions are still in listening mode 
> even after the thread containing the vcl sessions is closed.
>
> we have a process monitor which monitors our application running/not and 
> immediately reloads the application
>
> while booting up the next time, because the previous session with the same (IP+port) 
> will not be closed, when trying to open up a new session again 
> I am getting a connection refused error
>
> below is the list of calls made
> vppcom_app_create - in main thread
> In receiver thread

This is probably an issue. VCL workers are not thread safe and their data 
structures should only be accessed by threads that have __vcl_worker_index (TLS 
variable) set to the index of the worker. If this can’t be ensured, consider 
using VLS (vcl_locked). Otherwise, two threads competing for a single worker’s 
message queue (blocking calls/epoll) could result in undefined behavior. 

> vppcom_worker_register -> vppcom_session_create -> 
> vppcom_session_attr(VPPCOM_ATTR_SET_CONNECTED) -> vppcom_session_bind -> 
> vppcom_session_listen
>
> while exiting thread calling vppcom_session_close -> vppcom_worker_unregister

Note that sharing of vcl sessions between workers is also not supported (again, 
vls may solve this). vppcom_worker_unregister should cleanup associated 
listener state in vpp as long as the worker is the owner of the listener. That 
is, if the listener was registered by one vcl worker but a different worker is 
later unregistered, it will have no effect on the listener state in vpp.

Regards,
Florin

>
> getting error while calling vppcom_session_listen
> vnet[12346]: session_mq_listen_handler:66: listen returned: -16
> general protection fault ip:7f351eb202d8 sp:7f33b9ffae20 error:0 in 
> libvppcom.so.20.05[7f351eb03000+2f000]
> general protection fault ip:7f351eb202d8 sp:7f33b97f9e20 error:0
> session listen failed errno=-111
> 
> Kindly let me know if there's some other configuration that I could use.
> 
> vcl.conf
> vcl {
>   rx-fifo-size 400
>   tx-fifo-size 400
>   app-scope-local
>   app-scope-global
>   api-socket-name /tmp/vpp-api.sock
>   app-timeout 2
>   session-timeout 2
> }
> 
> regards
> Tahir
> 
> 
> 


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#17623): https://lists.fd.io/g/vpp-dev/message/17623
Mute This Topic: https://lists.fd.io/mt/77224682/21656
Mute #vpp-hoststack:https://lists.fd.io/g/vpp-dev/mutehashtag/vpp-hoststack
Mute #vppcom:https://lists.fd.io/g/vpp-dev/mutehashtag/vppcom
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[vpp-dev] clearing sessions when application exits #vppcom #vpp-hoststack

2020-09-30 Thread tahir . a . sanglikar
we are using vcl library to send/receive, if the application aborts or kill 
signal is sent to the application, vcl sessions are still in listening mode
even after the thread containing the vcl sessions is closed.

we have a process monitor which monitors our application running/not and 
immediately reloads the application

while booting up the next time, because the previous session with the same (IP+port) 
will not be closed, when trying to open up a new session again
I am getting a connection refused error

below is the list of calls made
vppcom_app_create - in main thread
In receiver thread
vppcom_worker_register -> vppcom_session_create -> 
vppcom_session_attr(VPPCOM_ATTR_SET_CONNECTED) -> vppcom_session_bind -> 
vppcom_session_listen

while exiting thread calling vppcom_session_close -> vppcom_worker_unregister

getting error while calling vppcom_session_listen
vnet[12346]: session_mq_listen_handler:66: listen returned: -16
general protection fault ip:7f351eb202d8 sp:7f33b9ffae20 error:0 in 
libvppcom.so.20.05[7f351eb03000+2f000]
general protection fault ip:7f351eb202d8 sp:7f33b97f9e20 error:0
session listen failed errno=-111

Kindly let me know if there's some other configuration that I could use.

vcl.conf
vcl {
rx-fifo-size 400
tx-fifo-size 400
app-scope-local
app-scope-global
api-socket-name /tmp/vpp-api.sock
app-timeout 2
session-timeout 2
}

regards
Tahir

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17622): https://lists.fd.io/g/vpp-dev/message/17622
-=-=-=-=-=-=-=-=-=-=-=-



[vpp-dev] Stable/2009 branch is *CLOSED* due to release ceremonies...

2020-09-30 Thread Andrew Yourtchenko
Dear VPP committers,

I am shortly starting the release process for 20.09.

Please don’t merge any new patches to VPP stable/2009 branch until I reply to 
this mail, reopening the branch or until you see the announcement of the 
release being available.

Thanks! 

--a /* your friendly 20.09 release manager */
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17621): https://lists.fd.io/g/vpp-dev/message/17621
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] vnet buffer leaking on 20.09RC2?

2020-09-30 Thread Damjan Marion via lists.fd.io


> On 30.09.2020., at 03:49, Chan Wai  wrote:
> 
> Hi, vpp-dev,
> I am using vpp 20.09RC2. When I bring up the interface, the vnet buffers 
> dramatically decrease.
> Is this a memory leak?
>  
> DBGvpp# show version
> vpp v20.09-rc2~0-ga87deb77d built by ubuntu on ubuntu-740-1 at 
> 2020-09-30T01:45:40
>  
> DBGvpp# show dpdk version
> DPDK Version: DPDK 20.08.0
> DPDK EAL init args:   -c 552 -n 4 --in-memory --file-prefix vpp -w 
> :65:00.0 --master-lcore 1
>  
> DBGvpp# show buffers
> Pool Name        Index  NUMA  Size  Data Size  Total  Avail  Cached   Used
> default-numa-0       0     0  2496       2048  16800  16800       0      0
>  
> DBGvpp# show interface
>               Name                Idx  State  MTU (L3/IP4/IP6/MPLS)  Counter  Count
> TwentyFiveGigabitEthernet65/0/0     1  down   9000/0/0/0
> local0                              0  down      0/0/0/0
>  
> DBGvpp# set interface state TwentyFiveGigabitEthernet65/0/0 up
>  
> DBGvpp# show buffers
> Pool Name        Index  NUMA  Size  Data Size  Total  Avail  Cached   Used
> default-numa-0       0     0  2496       2048  16800    384       0  16416

There is not enough information to help you here. This can be a valid state if 
you are using a larger number of RX queues and/or bigger ring sizes…

— 
Damjan
-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17620): https://lists.fd.io/g/vpp-dev/message/17620
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] bihash change

2020-09-30 Thread Damjan Marion via lists.fd.io


> On 30.09.2020., at 17:29, Jon Loeliger via lists.fd.io wrote:
> 
> On Wed, Sep 30, 2020 at 8:11 AM Damjan Marion via lists.fd.io wrote:
> 
> Just a heads-up on under-the-hood change[1] which is merged few minutes ago 
> and which affects all features that use bihash.
> Now, bihash is allocating memory from the (main) heap, instead of mmap()-ing 
> it’s own alloc arena.
> 
> [ ...] 
> Damjan
> 
> Damjan,
> 
> Does this include the bihash and heap use within the Classifier code as well?
> Or just the templated bihash from the library?

no, no changes for classifier….


-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17619): https://lists.fd.io/g/vpp-dev/message/17619
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] Support for localsid behaviors (T.Insert, T.Encaps, H.Insert and H.Encaps)

2020-09-30 Thread Pablo via lists.fd.io
Hi Chinmaya,

Not sure I understand what you want to achieve.
The SR policy is set to one of either H.Insert or H.Encaps. Any packet steered 
into that policy will use that behavior. Same applies for the relevant 
BindingSID.
If you want to get both H.Insert and H.Encaps for the same SR Policy, then you 
would need to have two policies.

Thanks,
Pablo.

From: vpp-dev@lists.fd.io  On Behalf Of Chinmaya Aggarwal
Sent: Wednesday, 30 September 2020 7:15
To: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Support for localsid behaviors (T.Insert, T.Encaps, 
H.Insert and H.Encaps)

On Tue, Sep 29, 2020 at 07:29 AM, Pablo wrote:
Yes, those are supported.
Hi Pablo,
What we infer of the documentation link that you shared is that we can 
configure encap or inline at per policy level. But, H.Insert and H.Encaps are 
headend node behaviour. So how are these two related?

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17618): https://lists.fd.io/g/vpp-dev/message/17618
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] bihash change

2020-09-30 Thread Jon Loeliger via lists.fd.io
On Wed, Sep 30, 2020 at 8:11 AM Damjan Marion via lists.fd.io  wrote:

>
> Just a heads-up on under-the-hood change[1] which is merged few minutes
> ago and which affects all features that use bihash.
> Now, bihash is allocating memory from the (main) heap, instead of
> mmap()-ing it’s own alloc arena.
>
> [ ...]
> Damjan
>

Damjan,

Does this include the bihash and heap use within the Classifier code as
well?
Or just the templated bihash from the library?

Thanks,
jdl

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17617): https://lists.fd.io/g/vpp-dev/message/17617
-=-=-=-=-=-=-=-=-=-=-=-



[vpp-dev] bihash change

2020-09-30 Thread Damjan Marion via lists.fd.io

Guys,

Just a heads-up on an under-the-hood change[1] which was merged a few minutes ago and 
which affects all features that use bihash.

Now, bihash is allocating memory from the (main) heap, instead of mmap()-ing 
its own alloc arena.

There are several benefits of that approach:
 - smaller memory footprint
 - ability to use hugepages without dedicating them to a specific feature
 - smaller coredump files
 
Size of each table is now limited by heap size, and not by the value provided 
during the table initialisation.
In some cases increasing heap size may be needed, and if performance matters 
putting the main heap into hugepages may also be a good idea, as all bihash 
tables will now immediately benefit from it.

i.e. startup.conf example:

memory {
main-heap-size 2G
main-heap-page-size 1G
}

If anybody notices some issues, please let us know.

— 
Damjan


[1] https://gerrit.fd.io/r/c/vpp/+/29099



-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17616): https://lists.fd.io/g/vpp-dev/message/17616
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Date Huang
Hi Filip

Thanks for discussing with me.

Ok now i understand where you are trying to get. At this point this kind of 
matching is not supported. At this point you can either get match combination 
of external-host external-host-port && external external-port in out2in-only 
twice-nat scenario. I will try to look into it and do some testing of the 
configuration. At the moment though we are in a situation of simplifying NAT 
because of its complexity. That means separating features into sub plugins. We 
were though working on policy based matching for NAT; this is on hold right now.

Do you have any advice for me?
I'm not expert on VPP.

"Policy based matching for NAT" sounds like what I need.
Do you have some plan or schedule that we can follow up?
If we can do some help for that feature.

By the way, does VPP have feature roadmap?


Thanks and appreciate

Regards,
Date


Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Filip Varga via lists.fd.io
Hi Date,

Ok now i understand where you are trying to get. At this point this kind of 
matching is not supported. At this point you can either get match combination 
of external-host external-host-port && external external-port in out2in-only 
twice-nat scenario. I will try to look into it and do some testing of the 
configuration. At the moment though we are in a situation of simplifying NAT 
because of its complexity. That means separating features into sub plugins. We 
were though working on policy based matching for NAT; this is on hold right now.

Best regards,
Filip Varga


Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Date Huang
Continued from previous mail

For example this rule
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 
external-host X.X.X.X 1234

  1.  check if match source IP and Port in packet with rule "external-host 
X.X.X.X 1234"
  2.  check if match dst IP and Port in packet "external Y.Y.Y.Y 8080"
  3.  If 1 & 2 match success, do NAT translate dst IP and Port to "local 
Z.Z.Z.Z 5566"
  4.  If no match, do nothing.

Regards,
Date


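The four-step matching Date lays out above (match the packet source against external-host ip[/port], match the destination against external ip/port, rewrite the destination to local, otherwise do nothing), as an added example in Python. This is not VPP code and not from anyone in the thread: it only models the schematic `external-host (<ip>|all) [<port>]` syntax Date proposed, which does not exist in nat44. The parser, the rule-ordering helper and the documentation addresses used below are all constructed for this example.

```python
"""Added example, not VPP code: a model of the schematic
'nat44 add static mapping ... external-host (<ip>|all) [<port>]' syntax
proposed in the thread, applied to out2in packets in Date's four steps.
Addresses in the demo are constructed documentation addresses."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" | "udp" | "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class StaticMapping:
    proto: str
    local: Tuple[str, int]                    # INSIDE HOST ip, port
    external: Tuple[str, int]                 # NAT ADDRESS ip, port
    external_host_ip: Optional[str] = None    # None == "all" (don't care)
    external_host_port: Optional[int] = None  # None == any source port
    out2in_only: bool = False

    def specificity(self) -> int:
        """How many source fields the rule constrains (0 = catch-all)."""
        return int(self.external_host_ip is not None) + int(self.external_host_port is not None)

    def matches(self, pkt: Packet) -> bool:
        # step 2: dst ip/port must be the external (NAT ADDRESS) ip/port
        if pkt.proto != self.proto or (pkt.dst_ip, pkt.dst_port) != self.external:
            return False
        # step 1: src must equal external-host ip[/port] whenever those are given
        if self.external_host_ip is not None and pkt.src_ip != self.external_host_ip:
            return False
        if self.external_host_port is not None and pkt.src_port != self.external_host_port:
            return False
        return True


def parse_mapping(cli: str) -> StaticMapping:
    """Parse one line of the schematic (proposed, not existing) syntax:
    nat44 add static mapping tcp|udp|icmp local <ip> <port> external <ip> <port>
      [external-host (<ip>|all) [<port>]] [vrf <id>] [twice-nat] [out2in-only] [del]"""
    toks = cli.split()
    if len(toks) < 5 or toks[:4] != ["nat44", "add", "static", "mapping"] \
            or toks[4] not in ("tcp", "udp", "icmp"):
        raise ValueError("not a nat44 static mapping line")
    proto, i = toks[4], 5
    local = external = None
    host_ip = host_port = None
    out2in_only = False
    while i < len(toks):
        t = toks[i]
        if t in ("local", "external"):
            pair = (toks[i + 1], int(toks[i + 2]))
            if t == "local":
                local = pair
            else:
                external = pair
            i += 3
        elif t == "external-host":
            host_ip = None if toks[i + 1] == "all" else toks[i + 1]
            i += 2
            if i < len(toks) and toks[i].isdigit():  # optional source port
                host_port = int(toks[i])
                i += 1
        elif t == "vrf":
            i += 2  # accepted, not modelled here
        elif t in ("twice-nat", "out2in-only", "del"):
            out2in_only = out2in_only or t == "out2in-only"  # other flags accepted, not modelled
            i += 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    if local is None or external is None:
        raise ValueError("local and external are both required")
    return StaticMapping(proto, local, external, host_ip, host_port, out2in_only)


def order_most_specific_first(rules: List[StaticMapping]) -> List[StaticMapping]:
    """A catch-all (external-host all) consulted before a host-specific rule for
    the same external ip/port would win for every outside host, so put the most
    constrained rules first (stable sort keeps the rest in the given order)."""
    return sorted(rules, key=lambda r: r.specificity(), reverse=True)


def out2in(rules: List[StaticMapping], pkt: Packet) -> Optional[Packet]:
    """Steps 3/4: first matching rule rewrites dst to the local host; None = do nothing."""
    for r in rules:
        if r.matches(pkt):
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, r.local[0], r.local[1])
    return None


if __name__ == "__main__":
    rules = order_most_specific_first([
        parse_mapping("nat44 add static mapping tcp local 10.0.0.9 80 external 203.0.113.10 8080 external-host all"),
        parse_mapping("nat44 add static mapping tcp local 10.0.0.5 5566 external 203.0.113.10 8080 external-host 198.51.100.7 1234"),
    ])
    for src in (("198.51.100.7", 1234), ("198.51.100.7", 4321), ("198.51.100.8", 1234)):
        print(src, "->", out2in(rules, Packet("tcp", src[0], src[1], "203.0.113.10", 8080)))
```

Two points the demo makes concrete: a rule with external-host all (or, in today's nat44, a static mapping that keys only on external ip/port) hands the inside host to every outside host, which is the exposure Date is trying to close; and when a catch-all and a host-specific rule share the same external ip/port, lookup order decides which local host receives the traffic, so the rules are sorted most-specific-first before lookup.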

[vpp-dev] vnet buffer leaking on 20.09RC2?

2020-09-30 Thread Chan Wai
Hi, vpp-dev,
I am using vpp 20.09RC2. When I bring up the interface, the vnet buffers 
dramatically decrease.
Is this a memory leak?

DBGvpp# show version
vpp v20.09-rc2~0-ga87deb77d built by ubuntu on ubuntu-740-1 at 
2020-09-30T01:45:40

DBGvpp# show dpdk version
DPDK Version: DPDK 20.08.0
DPDK EAL init args:   -c 552 -n 4 --in-memory --file-prefix vpp -w 
:65:00.0 --master-lcore 1

DBGvpp# show buffers
Pool Name        Index  NUMA  Size  Data Size  Total  Avail  Cached   Used
default-numa-0       0     0  2496       2048  16800  16800       0      0

DBGvpp# show interface
              Name                Idx  State  MTU (L3/IP4/IP6/MPLS)  Counter  Count
TwentyFiveGigabitEthernet65/0/0     1  down   9000/0/0/0
local0                              0  down      0/0/0/0

DBGvpp# set interface state TwentyFiveGigabitEthernet65/0/0 up

DBGvpp# show buffers
Pool Name        Index  NUMA  Size  Data Size  Total  Avail  Cached   Used
default-numa-0       0     0  2496       2048  16800    384       0  16416

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#17613): https://lists.fd.io/g/vpp-dev/message/17613
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Date Huang
Hi Filip

(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

  *   outside host address should be uniquely matched to the NAT rule for the 
(NAT ADDRESS) to (INSIDE HOST) translation ?

Yes
Other OUTSIDE HOSTs will not be matched to this NAT rule and will not perform 
NAT to translate.

If below

Rules: (using VPP debug CLI-like, schematic command, not existing)
and we can specify only external-host(outside host)=X.X.X.X will match this 
function.
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 
external-host X.X.X.X

Action:

(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

(OUTSIDE HOST) X2.X2.X2.X2 :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 (DO NOTHING)

Rules:
or we can specify external-host ip and port
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 
external-host X.X.X.X 1234

Action:

(OUTSIDE HOST) X.X.X.X :1234 -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to 
(OUTSIDE HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

(OUTSIDE HOST) X.X.X.X :(other port) -> (NAT ADDRESS)Y.Y.Y.Y:8080 (DO NOTHING)

(OUTSIDE HOST) X2.X2.X2.X2 :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 (DO NOTHING)

It will be a little bit like this:
nat44 add static mapping tcp|udp|icmp local <ip> [<port>] external 
(<ip>|<interface>) [<port>] [external-host (<ip>|all) [<port>]] [vrf 
<id>] [twice-nat] [out2in-only] [del]

to assign source ip and port (or "external-host" used in session tables) to 
the static NAT rule directly.

Have you also tried twice-nat out2in-only ? I think there should be this 
feature if ofc. i correctly understand what you are trying to accomplish.

twice-nat didn't meet my requirement.
I want to keep source ip and port
but I want to add more match entries to the NAT rule: source ip, source port, dst 
ip, dst port match this rule, and then perform this rule. (source ip and source 
port can be "don't care" attributes)
For now, I only saw match "dst ip and port" and then perform NAT rule to 
translate.

Thanks and appreciate

Regards,
Date




From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
Sent: 30 September 2020, 06:52 PM
To: 黃 宇強 ; Nathan Skrzypczak 
Cc: vpp-dev 
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Date,

Just to verify you want something like this ?

(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

  *   outside host address should be uniquely matched to the NAT rule for the 
(NAT ADDRESS) to (INSIDE HOST) translation ?

Have you also tried twice-nat out2in-only ? I think there should be this 
feature if ofc. i correctly understand what you are trying to accomplish.

Best regards,
Filip Varga

From: 黃 宇強 
Sent: Wednesday, September 30, 2020 12:48 PM
To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) ; 
Nathan Skrzypczak 
Cc: vpp-dev 
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High

Hi Filip

We already used ED mode to re-use the 8080 port

But we still cannot limit this rule only to a specific source IP.
Do you have any idea or advice for this?

Thanks and appreciate

Regards,
Date

From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
Sent: 30 September 2020, 06:41 PM
To: Date Huang ; Nathan Skrzypczak 
Cc: vpp-dev 
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Date,

I would suggest looking into ED NAT out2in only translations.

Just to point out

(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

Let’s go with NAT in VPP

set interface nat44 in LAN out WAN
nat44 add address (NAT ADDRESS)
nat44 add static mapping tcp local (INSIDE HOST) (INSIDE PORT) external (NAT 
ADDRESS) 8080 out2in-only .

ED - endpoint dependent NAT will let you reuse the 8080 port for other connections.

Best regards,
Filip Varga

From: vpp-dev@lists.fd.io On Behalf Of Date Huang
Sent: Wednesday, September 30, 2020 9:55 AM
To: Nathan Skrzypczak 
Cc: vpp-dev 
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High

Hi Nathan

[sorry send this mail again, I found that I didn't cc vpp-dev mailing list]

so glad to see your reply.

My English is poor, so if there is some confusing term, please tell me.
I will try my best to describe it with some graph.

Just to be sure to understand your use case, you want to have the following 
translations happening :

*  X.X.X.X :* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566

* (not X.X.X.X):* -> 

Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Filip Varga via lists.fd.io
Hi Date,

Just to verify, you want something like this?

(OUTSIDE HOST) X.X.X.X:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566

  *   the outside host address should be uniquely matched to the NAT rule for the 
(NAT ADDRESS) to (INSIDE HOST) translation?

Have you also tried twice-nat out2in-only? I think there should be this 
feature, if of course I correctly understand what you are trying to accomplish.

Best regards,
Filip Varga

Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Date Huang
Hi Filip

We already use ED mode to re-use the 8080 port.

But we still cannot limit this rule to a specific source IP only.
Do you have any idea or advice for this?

Thanks and appreciate
Regards,
Date


Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Filip Varga via lists.fd.io
Hi Date,

I would suggest looking into ED NAT out2in-only translations.

Just to point out:
(OUTSIDE HOST) X.X.X.X:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566

Let’s go with NAT in VPP:

set interface nat44 in LAN out WAN
nat44 add address (NAT ADDRESS)
nat44 add static mapping tcp local (INSIDE HOST) (INSIDE PORT) external (NAT 
ADDRESS) 8080 out2in-only

ED (endpoint-dependent) NAT will let you reuse the 8080 port for other connections.

Best regards,
Filip Varga


Re: [vpp-dev] VPP Deterministic NAT Same in/out Interface Not Matching Session

2020-09-30 Thread Filip Varga via lists.fd.io
Hi Joshua,

Try to run your setup on the master branch with the recent changes. A few weeks 
ago I moved the deterministic feature out of the snat plugin. Now the 
deterministic feature runs in its own separate plugin. Please check the det44 
sub-plugin. If you have any issues, feel free to write me back.

Best regards,
Filip Varga

From: vpp-dev@lists.fd.io  On Behalf Of Joshua Moore
Sent: Tuesday, September 29, 2020 11:38 PM
To: Joshua Moore 
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] VPP Deterministic NAT Same in/out Interface Not Matching 
Session
Importance: High

Yep, it definitely looks like this is unsupported. I moved to separate in/out 
interfaces and packets started flowing appropriately.



On Tue, Sep 29, 2020 at 2:35 PM Joshua Moore via lists.fd.io 
<jcm...@lists.fd.io> wrote:
Hello,

Do we know if the same in/out interface for NAT in deterministic mode is 
supported in VPP? I am seeing a strange behavior where return traffic is not 
matching the session. For example, see the session below, where a DNS request 
is initially captured outbound to 8.8.8.8: 
http://jcm.me/session.txt

As you can see, this is recorded as 1.1.1.0:2325 for the outside translated 
IP/port:

in 100.65.0.2:35573 out 1.1.1.0:2325 external host 8.8.8.8:53 state: udp-active expire: 869

When the reply comes back from 8.8.8.8 to 1.1.1.0:2325, though, the packet is 
dropped. I captured this in the trace: http://jcm.me/trace.txt

The only thing I can think of here that may be a little odd with my setup is 
that I am using the same interface for inside and outside. See my VPP config 
below:
jmoore@test:~$ cat /etc/vpp/setup.gate
set interface ip address loop0 1.1.1.1/29
set interface state loop0 up
set interface ip address GigabitEthernet3/0/0 172.16.30.250/24
set int nat44 in GigabitEthernet3/0/0 out GigabitEthernet3/0/0
nat44 deterministic add in 100.65.0.0/22 out 1.1.1.0/29
set interface state GigabitEthernet3/0/0 up
ip route add 0.0.0.0/0 via 172.16.30.1

Any reason that the trace is showing the below?
00:09:23:047897: drop
  nat44-det-in2out: No translation



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#17606): https://lists.fd.io/g/vpp-dev/message/17606
Mute This Topic: https://lists.fd.io/mt/77203973/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Date Huang
Hi Nathan

[sorry for sending this mail again, I found that I didn't cc the vpp-dev 
mailing list]

So glad to see your reply.
My English is poor, so if there is some confusing term, please tell me.
I will try my best to describe it with some graphs.

Just to be sure I understand your use case, you want to have the following 
translations happening:
*  X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
* (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234
Do you also need other NATing to happen (e.g. deterministic / source NATing)?
Also, are you in a home-gateway scenario, a.k.a. do you have inside & outside 
interfaces respectively
for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W, or should those be reachable from all 
interfaces?
If I used netfilter/iptables to explain, it would be more like this:
iptables -t nat -D PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT 
--to-destination Z.Z.Z.Z:5566
When a (not X.X.X.X) source IP comes in, don't do any DNAT for it.
Only do DNAT for src_IP=X.X.X.X.
I also need this for LAN devices to get out:
"iptables -t nat -A POSTROUTING -o WAN_INTERFACE -j MASQUERADE"

I only have two interfaces (named LAN, WAN).
X.X.X.X, X2.X2.X2.X2 will be device IPs outside, on the WAN side.
Y.Y.Y.Y will be WAN's IP.
Z.Z.Z.Z and W.W.W.W will be devices inside the LAN.

And I want to re-use "--dport 8080".

Detail:
1. First I want to translate Y.Y.Y.Y:8080, mapping it to Z.Z.Z.Z:5566, if the 
source IP is X.X.X.X.
Set up a Static NAT rule "match source ip=X.X.X.X and translate dst ip and port 
from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`"
*  X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 (same 
as your description)
*  (not X.X.X.X):* -> Y.Y.Y.Y:8080: NAT will not do anything.

2. X.X.X.X establishes a connection to Z.Z.Z.Z:5566 with TCP; VPP will keep the 
session in the session tables
and record the translated rule "Y.Y.Y.Y:8080 -> Z.Z.Z.Z:5566" and "source IP 
needs to be X.X.X.X:port_xx".
So even if there is no rule, VPP will use the session to determine the 
translation rule first, before searching the Static NAT rules.
The TCP connection will not be closed or denied by the NAT function.

3. Remove the Static NAT rule after establishing the connection.
Remove the Static NAT rule "match source ip=X.X.X.X and translate dst ip and port 
from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`"
The TCP connection still needs to be kept.
X.X.X.X:port_xx can still connect to Z.Z.Z.Z:5566 (same established connection).

4. I want to translate Y.Y.Y.Y:8080, mapping it to W.W.W.W:1234, if the source 
IP is X2.X2.X2.X2.
Set up a Static NAT rule "match source ip=X2.X2.X2.X2 and translate dst ip and 
port from `Y.Y.Y.Y:8080` to `W.W.W.W:1234`"
*  X2.X2.X2.X2:* -> Y.Y.Y.Y:8080 translated to X2.X2.X2.X2:* -> 
W.W.W.W:1234 (port overloading via conntrack if netfilter)
*  X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 
(X can still connect to Z, even though there is no Static NAT rule, if the 
session is kept; this translation rule will be stored in the session, not in a 
Static NAT rule, until the TCP connection times out)
*  (not X.X.X.X) or (not X2.X2.X2.X2):* -> Y.Y.Y.Y:8080: NAT will not do anything.

5. X2.X2.X2.X2 establishes a connection to W.W.W.W:1234 with TCP; VPP will keep 
the session in the session tables
and record the translated rule "Y.Y.Y.Y:8080 -> W.W.W.W:1234" and "source IP 
needs to be X2.X2.X2.X2:port_xx2".
So even if there is no rule, VPP will use the session to determine the 
translation rule first, before searching the Static NAT rules.
The TCP connection will not be closed or denied by the NAT function.

6. And so on.

---

For now, we can only do this in NAT ED mode:
(any ip):* -> Y.Y.Y.Y:8080 translated to (any ip):* -> W.W.W.W:1234 (we cannot 
limit the NAT translation to a specific source IP and deny other source IPs, 
which is a security issue).

Thanks, and I appreciate your reply.
Regards,
Date


Re: [vpp-dev] vnet buffer leaking on 20.09RC2?

2020-09-30 Thread Benoit Ganne (bganne) via lists.fd.io
Hi,

Yes, VPP defaults to 1024 descriptors per RX and per TX queue for DPDK interfaces.
By default, the number of txq is determined by the number of threads (main 
thread + worker threads).
So if you have 1 interface, 16 rxq and 16 workers, you will allocate 1024 * (16 
+ (1 + 16)) = 33792 buffers for the interface.
You can tweak those parameters (number of descriptors per queue, total number 
of buffers, etc.); see [1] and [2].

Best
Ben

[1] 
https://fd.io/docs/vpp/master/gettingstarted/users/configuring/startup.html#the-dpdk-section
[2] 
https://fd.io/docs/vpp/master/gettingstarted/users/configuring/startup.html#the-buffers-section

> -Original Message-
> From: vpp-dev@lists.fd.io  On Behalf Of
> chanwai1...@gmail.com
> Sent: mercredi 30 septembre 2020 05:06
> To: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] vnet buffer leaking on 20.09RC2?
> 
> #9  0x7fff6da8fae4 in ice_alloc_rx_queue_mbufs (rxq=0x7fe2406de580) at
> /home/ubuntu/vpp/build-root/build-vpp_debug-native/external/dpdk-
> 20.08/drivers/net/ice/ice_rxtx.c:193
> #10 0x7fff6da9fa4b in ice_rx_queue_start (dev=0x7fff7146dec0
> , rx_queue_id=5) at /home/ubuntu/vpp/build-root/build-
> vpp_debug-native/external/dpdk-20.08/drivers/net/ice/ice_rxtx.c:391
> #11 0x7fff6da6b5b2 in ice_dev_start (dev=0x7fff7146dec0
> ) at /home/ubuntu/vpp/build-root/build-vpp_debug-
> native/external/dpdk-20.08/drivers/net/ice/ice_ethdev.c:3324
> #12 0x7fff6c6318c2 in rte_eth_dev_start (port_id=0) at
> /home/ubuntu/vpp/build-root/build-vpp_debug-native/external/dpdk-
> 20.08/lib/librte_ethdev/rte_ethdev.c:1636
> #13 0x7fff707a82c2 in dpdk_device_start (xd=0x7fff78ebe700) at
> /home/ubuntu/vpp/src/plugins/dpdk/device/common.c:173
> 
> It seems that the ice driver will reserve 1024 buffers per rx queue.
> Let me try to do some more tests to check whether vlib_buffer_alloc will fail
> when there are enough buffers.




Re: [vpp-dev] Static NAT rule only match specific source ip or port

2020-09-30 Thread Nathan Skrzypczak
Hi Date,

Sorry for the late reply,
I'm not sure this will be supported by the existing NAT plugin, but it might
be doable with a few additions.

Just to be sure I understand your use case, you want the following
translations to happen:
* X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
* (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234

Do you also need other NATing to happen (e.g. deterministic / source NATing)?
Also, are you in a home-gateway scenario, a.k.a. do you have inside & outside
interfaces respectively for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W, or should those be
reachable from all interfaces?

Best,
-Nathan

On Mon, 28 Sep 2020 at 08:36, Date Huang  wrote:

> Hi all
>
> Is it possible to create a static NAT rule that matches source IP or source
> port, like the iptables command below?
> iptables -t nat -D PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j
> DNAT --to-destination Z.Z.Z.Z:5566
> For security reasons, we want to allow only X.X.X.X to access port 8080.
> But we still need to reuse port 8080 in ED mode.
> 1. create rule A for port 8080 mapping to Z.Z.Z.Z:5566 and establish a
> connection
> 2. after it is established, delete rule A; the connection needs to be kept.
> 3. and only allow X.X.X.X to access rule A
> 4. create rule B for port 8080 mapping to W.W.W.W:1234 and establish a
> connection
> 5. after it is established, delete rule B; both connections need to be kept.
>
> Thanks a lot
> Regards,
> Date
>

View/Reply Online (#17602): https://lists.fd.io/g/vpp-dev/message/17602



Re: [vpp-dev] Endpoint-Independent Mapping on Determinate NAT

2020-09-30 Thread Milan Lenco
Hi Joshua,


This is currently not supported by the deterministic NAT in VPP. Not sure 
if/when this will be added, so in the meantime you might want to consider 
customizing the plugin for yourself.

Start from the snat_det_find_ses_by_in() function, where the session entry 
matching is done and where the endpoint IP+port is also compared:

https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blob;f=src/plugins/nat/det44/det44.h;h=3ddba6d140596aa6db875aa13a4dd414d6f6b49e;hb=refs/heads/master#l376


Please note however that the implementation of the det44 plugin is rather limited. 
As you will notice, the session entry matching is done with for loops, 
giving it linear complexity. Also, it is not possible to customize the 
(external IP, ports) distribution across internal IPs - it is always done 
evenly (i.e. no per-subscriber limits). A dynamic port range (for when the 
static port range runs out) is also not supported, etc.


Regards,

Milan



From: vpp-dev@lists.fd.io  on behalf of Joshua Moore 

Sent: Wednesday, 30 September 2020 3:33
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Endpoint-Independent Mapping on Determinate NAT

Hello,

I have a need to relax the session lookup criteria on out2in packet processing 
with NAT44 determinate mode. The behavior I am looking for is so that as long 
as there is an initial session for a given destination IP:port then any return 
packet to the translated port should be allowed regardless of the source IP. 
Essentially, if I open a session from 100.65.0.2 to 
2.2.2.2:3074 and VPP creates a translation entry then the 
out2in processing should allow any n:3074 source IP and not restrict the 
translation to return packets only allowed from 2.2.2.2.

It looks like this may have been possible with the below feature but it's not 
available in determinate mode:
https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding

Are there any thoughts on this? Any suggestions on where I could perhaps 
compile my own version that allows endpoint-independent mapping?



Thanks!


--Josh

View/Reply Online (#17601): https://lists.fd.io/g/vpp-dev/message/17601



Re: [vpp-dev] Endpoint-Independent Mapping on Determinate NAT

2020-09-30 Thread Joshua Moore
Just to clarify, the filtering behavior I’m looking for is often known as “full 
cone” or “pure cone” NAT.

> On Sep 29, 2020, at 6:33 PM, Joshua Moore  wrote:
> 
> 
> Hello,
> 
> I have a need to relax the session lookup criteria on out2in packet 
> processing with NAT44 determinate mode. The behavior I am looking for is so 
> that as long as there is an initial session for a given destination IP:port 
> then any return packet to the translated port should be allowed regardless of 
> the source IP. Essentially, if I open a session from 100.65.0.2 to 
> 2.2.2.2:3074 and VPP creates a translation entry then the out2in processing 
> should allow any n:3074 source IP and not restrict the translation to return 
> packets only allowed from 2.2.2.2.
> 
> It looks like this may have been possible with the below feature but it's not 
> available in determinate mode:
> https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
> 
> Are there any thoughts on this? Any suggestions on where I could perhaps 
> compile my own version that allows endpoint-independent mapping?
> 
> 
> 
> Thanks!
> 
> 
> --Josh

View/Reply Online (#17600): https://lists.fd.io/g/vpp-dev/message/17600
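An added example, not code from VPP or the det44 plugin, illustrating both the lookup Milan points at in snat_det_find_ses_by_in() and the "full cone" filtering Josh describes: the same linear scan over a session table, once comparing the recorded external peer (what det44 does today) and once matching on the translated port alone (endpoint-independent). The addresses and the session are constructed from Josh's 100.65.0.2 -> 2.2.2.2:3074 scenario; the function names, the flat table and the IP4 macro are this example's own, and real det44 first derives the inside host from the outside port arithmetically before scanning that subscriber's sessions.

```c
/* Added example, not VPP/det44 code: a toy out2in session lookup in its
 * endpoint-dependent form (det44 today) next to the endpoint-independent
 * ("full cone") form. One flat session table; hosts and ports constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a host-order IPv4 address from a dotted quad. */
#define IP4(a, b, c, d) \
  ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

typedef struct {
  uint32_t in_addr;  /* inside host */
  uint16_t in_port;  /* inside source port */
  uint16_t out_port; /* port allocated on the NAT's outside address */
  uint32_t ext_addr; /* external peer the session was opened towards */
  uint16_t ext_port;
  uint8_t in_use;
} det_session_t;

#define MAX_SESSIONS 8
static det_session_t sessions[MAX_SESSIONS];

void det_sessions_reset(void) { memset(sessions, 0, sizeof(sessions)); }

/* in2out: record the mapping together with the peer it was opened to.
 * Returns the session index, or -1 when the table is full. */
int det_session_create(uint32_t in_addr, uint16_t in_port, uint16_t out_port,
                       uint32_t ext_addr, uint16_t ext_port) {
  for (int i = 0; i < MAX_SESSIONS; i++) {
    if (!sessions[i].in_use) {
      sessions[i] = (det_session_t){in_addr, in_port, out_port,
                                    ext_addr, ext_port, 1};
      return i;
    }
  }
  return -1;
}

/* Endpoint-dependent out2in lookup: a packet from src_addr:src_port aimed at
 * translated port dst_port only matches the session opened towards exactly
 * that peer. Linear in the number of sessions, like det44's for loop. */
int det_find_ses_by_out_edm(uint32_t src_addr, uint16_t src_port,
                            uint16_t dst_port) {
  for (int i = 0; i < MAX_SESSIONS; i++) {
    const det_session_t *s = &sessions[i];
    if (s->in_use && s->out_port == dst_port &&
        s->ext_addr == src_addr && s->ext_port == src_port)
      return i;
  }
  return -1;
}

/* Endpoint-independent ("full cone") out2in lookup: once an inside host has
 * opened the translated port, any external source reaches it. The peer check
 * is dropped, so the port is exposed to unsolicited traffic from the whole
 * outside network; that is the security trade-off of full cone NAT. */
int det_find_ses_by_out_eim(uint32_t src_addr, uint16_t src_port,
                            uint16_t dst_port) {
  (void)src_addr; /* deliberately ignored */
  (void)src_port;
  for (int i = 0; i < MAX_SESSIONS; i++) {
    const det_session_t *s = &sessions[i];
    if (s->in_use && s->out_port == dst_port)
      return i;
  }
  return -1;
}

int main(void) {
  det_sessions_reset();
  /* Constructed: 100.65.0.2 opens a session to 2.2.2.2:3074, translated port 3074. */
  det_session_create(IP4(100, 65, 0, 2), 50000, 3074, IP4(2, 2, 2, 2), 3074);

  printf("reply from 2.2.2.2:3074  edm=%d eim=%d\n",
         det_find_ses_by_out_edm(IP4(2, 2, 2, 2), 3074, 3074),
         det_find_ses_by_out_eim(IP4(2, 2, 2, 2), 3074, 3074));
  printf("packet from 3.3.3.3:3074 edm=%d eim=%d\n",
         det_find_ses_by_out_edm(IP4(3, 3, 3, 3), 3074, 3074),
         det_find_ses_by_out_eim(IP4(3, 3, 3, 3), 3074, 3074));
  printf("packet to port 4000      edm=%d eim=%d\n",
         det_find_ses_by_out_edm(IP4(2, 2, 2, 2), 3074, 4000),
         det_find_ses_by_out_eim(IP4(2, 2, 2, 2), 3074, 4000));
  return 0;
}
```

The only difference between the two lookups is the two peer comparisons, which is also where a customised snat_det_find_ses_by_in() would change; the cost is that the relaxed form accepts a packet from 3.3.3.3 that the inside host never spoke to, so anything listening behind the translated port had better cope with unsolicited input.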