The max_frag value is applied when fragments arrive out of order (non-initial fragments arrive before the first fragment, which contains the L4 header): fragments are stored and wait for the first fragment (max_frag is the limit on the number of stored fragments). Fragments are dropped in the nat44-in2out-reass or nat44-out2in-reass node. Whether fragments are dropped depends on order. All fragments should be dropped when max_frag is 1 and 2 non-initial fragments are received before the first fragment. After a brief look into the code I see that this is not the current behaviour and only the second fragment is dropped, so I think some improvements should be made in the future.
Matus

From: Jon Loeliger <j...@netgate.com>
Sent: Wednesday, August 15, 2018 4:06 PM
To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] NAT Fragment Reassembly

On Wed, Aug 15, 2018 at 8:50 AM, Jon Loeliger <j...@netgate.com> wrote:

On Wed, Aug 15, 2018 at 12:49 AM, Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:

Hi Jon,

NAT plugin does virtual fragment reassembly – it enables to translate non-initial fragments without L4 header otherwise NAT is unable to gather port information from the non-initial fragment, packet is still broken into several fragments after NAT translation.

Matus

Thanks, Matus!

I'm trying to understand how part of the NAT virtual reassembly works still. When and how does the drop_frag count come into play? For example, if an original packet was broken into 3 fragments, and drop_frag was 1 or 2,

Naturally, I meant the "max_frag" values here.

should all three fragments get dropped? And are they dropped on ingress or egress? Is there a packet trace flow where I can see them being dropped?

I ask because it looks to me like these fragments are only sometimes dropped when the drop_frag value is exceeded, and it also requires the

And "max_frag" there too.

ip_reassembly_enable_disable to be "on" too.

I've been doing a "trace add dpdk-input 500", sending my example packets that need fragmentation, NAT-ing them, and then filtering the trace buffer. What is the right node to use in the "filter" here?

Thanks,
jdl
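The following is an added example, not part of the thread and not VPP source: a simplified model of one virtual-reassembly entry that counts drops for a given arrival order under the two behaviours discussed above (only the fragment over max_frag is dropped, versus the whole packet being dropped). All names and the sample offsets are hypothetical.

```c
#include <stdio.h>

/* Simplified model of one NAT virtual-reassembly entry.
 * Hypothetical names throughout; this is not VPP code. */
enum policy { DROP_OVERFLOW_ONLY, DROP_WHOLE_PACKET };

/* have_first: L4 header seen; stored: fragments held; poisoned: limit hit */
struct reass { int have_first, stored, poisoned; };

/* Handle one fragment (offset 0 = first fragment).
 * Returns how many fragments this arrival causes to be dropped. */
static int frag_in(struct reass *r, int offset, int max_frag, enum policy p)
{
    if (r->poisoned)
        return 1;                 /* rest of the packet is discarded */
    if (offset == 0) {            /* ports known: held fragments go out */
        r->have_first = 1;
        r->stored = 0;
        return 0;
    }
    if (r->have_first)
        return 0;                 /* in order: translated immediately */
    if (r->stored < max_frag) {   /* out of order: hold the fragment */
        r->stored++;
        return 0;
    }
    if (p == DROP_OVERFLOW_ONLY)
        return 1;                 /* only the fragment over the limit */
    int n = r->stored + 1;        /* held fragments plus this one */
    r->stored = 0;
    r->poisoned = 1;
    return n;
}

/* Feed fragment offsets in arrival order; returns total dropped. */
int dropped_count(const int *offs, int n, int max_frag, enum policy p)
{
    struct reass r = {0, 0, 0};
    int dropped = 0;
    for (int i = 0; i < n; i++)
        dropped += frag_in(&r, offs[i], max_frag, p);
    return dropped;
}

int main(void)
{
    const int ooo[] = {1480, 2960, 0};  /* constructed: first fragment last */
    printf("overflow-only: %d\n", dropped_count(ooo, 3, 1, DROP_OVERFLOW_ONLY));
    printf("whole-packet:  %d\n", dropped_count(ooo, 3, 1, DROP_WHOLE_PACKET));
    return 0;
}
```

With the same three fragments delivered in order, or with max_frag raised to 2, the model drops nothing, which is why a trace can show drops only for some arrival orders.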