Based on my test, *it seems that nat44 assume that there is only one OUT vrf* ,
so given that loop1 in vrf1 and loop2 in vrf2,
I found that "set interface nat44 out loop1" would cause nat out2in always
works in vrf1 (not the default vrf0, but the previous set vrf1),
and later "set interface nat44 out loop2" would assume that loop2 is in
vrf2(which is not), so out2in failed on loop2,
complains that "NAT44_OUT2IN: sw_if_index 18, next index 0, session index -1".
So when I try "set interface ip table loop2 vrf1", the out2in works properly.
I've ran nat plugin test which cover tenants test, and the test case show that
the assumption exist,
and multiple tenants should be configured with different private networks.
SCRIPT: sw_interface_add_del_address sw_if_index 1 172.16.1.1/24 del
SCRIPT: sw_interface_add_del_address sw_if_index 2 172.16.2.1/24 del
SCRIPT: ip_table_add_del add table 1
SCRIPT: ip_table_add_del add table 2
SCRIPT: sw_interface_set_table sw_if_index 1 vrf 1
SCRIPT: sw_interface_set_table sw_if_index 2 vrf 2
SCRIPT: sw_interface_add_del_address sw_if_index 1 172.16.1.1/24
SCRIPT: sw_interface_add_del_address sw_if_index 2 172.16.2.1/24
Here may be the question:
*Is there an assumption that there should only have ONE OUT VRF in nat plugin?
Can nat plugin works with multiple in/out interfaces for multiple tenants?
* It don't make any sense about this multiple tenants nat behavior.
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#14611): https://lists.fd.io/g/vpp-dev/message/14611
Mute This Topic: https://lists.fd.io/mt/57703484/21656
Mute #nat: https://lists.fd.io/mk?hashtag=nat&subid=1480452
Mute #nsh: https://lists.fd.io/mk?hashtag=nsh&subid=1480452
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
