Re: [vpp-dev] nat44-out2in no translation with multiple tenants #nat #nsh
Seems that the suspected issue exists, and "Multiple outside interfaces" ( https://wiki.fd.io/view/VPP/NAT ) has not yet been implemented and is left suspended. Can any of the devs confirm this, please?

View/Reply Online (#14614): https://lists.fd.io/g/vpp-dev/message/14614
Re: [vpp-dev] nat44-out2in no translation with multiple tenants #nat #nsh
Based on my test, *it seems that nat44 assumes that there is only one OUT vrf*, so given that loop1 is in vrf1 and loop2 is in vrf2, I found that "set interface nat44 out loop1" would cause nat out2in to always work in vrf1 (not the default vrf0, but the previously set vrf1), and later "set interface nat44 out loop2" would assume that loop2 is in vrf2 (which it is not), so out2in failed on loop2, complaining that "NAT44_OUT2IN: sw_if_index 18, next index 0, session index -1". So when I try "set interface ip table loop2 vrf1", the out2in works properly.

I've run the nat plugin test which covers the tenants test, and the test case shows that the assumption exists, and multiple tenants should be configured with different private networks.

SCRIPT: sw_interface_add_del_address sw_if_index 1 172.16.1.1/24 del
SCRIPT: sw_interface_add_del_address sw_if_index 2 172.16.2.1/24 del
SCRIPT: ip_table_add_del add table 1
SCRIPT: ip_table_add_del add table 2
SCRIPT: sw_interface_set_table sw_if_index 1 vrf 1
SCRIPT: sw_interface_set_table sw_if_index 2 vrf 2
SCRIPT: sw_interface_add_del_address sw_if_index 1 172.16.1.1/24
SCRIPT: sw_interface_add_del_address sw_if_index 2 172.16.2.1/24

Here may be the question: *Is there an assumption that there should be only ONE OUT VRF in the nat plugin? Can the nat plugin work with multiple in/out interfaces for multiple tenants?* This multiple tenants nat behavior doesn't make any sense.

View/Reply Online (#14611): https://lists.fd.io/g/vpp-dev/message/14611
[vpp-dev] nat44-out2in no translation with multiple tenants #nat #nsh
Hi all,

I'm testing multiple tenants using nat44-snat, and it turns out tenants might be mixed. Assuming two tenants 200 (fib index 1) and 100 (fib index 2):

vpp# show ip fib table 100
ipv4-VRF:100, fib_index:2, flow hash:[src dst sport dport proto ] locks:[src:CLI:7, src:plugin-low:1, src:adjacency:3, ]

creating nsh decapsulation tep (nsp: 14000, nsi: 255):

[VPP] create nsh map nsp 14000 nsi 255 mapped-nsp 14000 mapped-nsi 255 nsh_action pop encap-none 2 0
[VPP] set interface ip table nsh_tunnel6 100
[VPP] set interface nat44 out nsh_tunnel6

this nsh_tunnel6's sw_if_index is 18:

vpp# show interface nsh_tunnel6
              Name               Idx    State  MTU (L3/IP4/IP6/MPLS)     Counter          Count
nsh_tunnel6                       18     up          0/0/0/0             drops               59
                                                                         ip4                 59
vpp#

but all this turns out with snat out2in going into the wrong vrf:

00:00:29:028228: vxlan4-gpe-input
  VXLAN-GPE: tunnel 0 next 5 error 0
00:00:29:028229: nsh-input
  nsh ver 0 ttl 3 len 6 (24 bytes) md_type 1 next_protocol 3
  service path 14000 service index 255
  c1 0 c2 0 c3 0 c4 0
00:00:29:028230: ethernet-input
  IP4: ec:f4:bb:c4:ae:80 -> 52:54:00:00:02:00
00:00:29:028230: ip4-input
  ICMP: 10.255.1.200 -> 10.255.1.211
    tos 0x00, ttl 64, length 84, checksum 0x5c1a
    fragment id 0x04f7
  ICMP echo_reply checksum 0x31cb
*# HERE, it complains that no session is found when this packet is decapsulated from nsh_tunnel6.*
00:00:29:028231: nat44-out2in
  NAT44_OUT2IN: sw_if_index 18, next index 0, session index -1
00:00:29:028233: error-drop
  rx:nsh_tunnel6
00:00:29:028234: drop
  nat44-out2in: no translation

and also, the nat44 detail looks weird: i2o works in vrf100-fib2, this is expected, but *out2in works in vrf200-fib1*.

vpp# show nat44 sessions detail
NAT44 sessions:
  thread 0 vpp_main: 1 sessions
  192.168.1.1: 1 dynamic translations, 0 static translations
    i2o 192.168.1.1 proto icmp port 24403 fib 2
    o2i 10.255.1.211 proto icmp port 16253 fib 1
       index 0
       last heard 90.61
       total pkts 85, total bytes 7140
       dynamic translation
vpp#

To the best of my knowledge, nsh_tunnel6 was set into vrf100, and decapsulated into fib2, so out2in should also go into fib2 here. I can't figure out what causes o2i to go into fib1 instead.

Any suggestion would be helpful. Thanks.

View/Reply Online (#14599): https://lists.fd.io/g/vpp-dev/message/14599
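
A diagnostic sketch for the symptom in the original post, added here as an example (not code from the thread or from VPP): it parses the quoted `show nat44 sessions detail` output and models out2in as a lookup keyed on address, protocol, port and the fib index of the receiving interface. That key layout, the function names and the interface-to-fib map are assumptions for illustration; the sample text is reconstructed from the post.

```python
import re

# Constructed sample: the session dump quoted in the post, one field per line.
SESSIONS = """\
NAT44 sessions:
  thread 0 vpp_main: 1 sessions
  192.168.1.1: 1 dynamic translations, 0 static translations
    i2o 192.168.1.1 proto icmp port 24403 fib 2
    o2i 10.255.1.211 proto icmp port 16253 fib 1
       index 0
       total pkts 85, total bytes 7140
"""

# Assumed input: outside interface -> fib index of its IP table
# (nsh_tunnel6 is in table 100, fib_index 2, per the post).
OUTSIDE_FIB = {"nsh_tunnel6": 2}

KEY_RE = re.compile(
    r"\b(i2o|o2i)\s+(\S+)\s+proto\s+(\S+)\s+port\s+(\d+)\s+fib\s+(\d+)")

def parse_sessions(text):
    """Pair each i2o key with the o2i key that follows it."""
    sessions, pending = [], None
    for m in KEY_RE.finditer(text):
        direction, addr, proto, port, fib = m.groups()
        key = (addr, proto, int(port), int(fib))
        if direction == "i2o":
            pending = key
        elif pending is not None:
            sessions.append({"i2o": pending, "o2i": key})
            pending = None
    return sessions

def unreachable_sessions(sessions, outside_fib):
    """Sessions whose o2i fib is not the fib of any outside interface,
    so no return packet can ever match them in this model."""
    rx_fibs = set(outside_fib.values())
    return [s for s in sessions if s["o2i"][3] not in rx_fibs]

def out2in_lookup(sessions, rx_if, outside_fib, dst, proto, port):
    """Assumed model of the lookup: exact match on
    (dst addr, proto, port, fib of rx interface); -1 means a miss."""
    wanted = (dst, proto, port, outside_fib[rx_if])
    for index, s in enumerate(sessions):
        if s["o2i"] == wanted:
            return index
    return -1

if __name__ == "__main__":
    parsed = parse_sessions(SESSIONS)
    print("unreachable:", unreachable_sessions(parsed, OUTSIDE_FIB))
    print("session index:", out2in_lookup(
        parsed, "nsh_tunnel6", OUTSIDE_FIB, "10.255.1.211", "icmp", 16253))
```

With the post's values the lookup returns -1, matching the traced "session index -1"; the same packet received in fib 1 would match the session.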