Hi,

You can use ip4-policer-classify before the NAT node. Add nat44-in2out or
nat44-out2in to the ip4_policer_classify runs_before list:

VNET_FEATURE_INIT (ip4_policer_classify, static) =
{
  .arc_name = "ip4-unicast",
  .node_name = "ip4-policer-classify",
  .runs_before = VNET_FEATURES ("ipsec4-input-feature", "nat44-in2out", "nat44-out2in"),
};

NAT code can't continue in the feature arc using vnet_feature_next in some cases.
It would be possible to add an additional static graph arc from the NAT node to
ip4-policer-classify and decide on a per-packet basis where to send the packet, since
you don't know at compile time whether a policer is configured on the interface.

Matus

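Added example (not from the thread or from VPP itself): a small checker that parses per-packet "show trace" output in the format Raj pasted and reports whether ip4-policer-classify was skipped, ran after the nat44 node, or ran before it as Matus's runs_before change is meant to produce. The trace text, node names and status strings are constructed here for illustration.

```python
import re
from typing import List

# Constructed sample in the format VPP's "show trace" prints and that Raj pasted:
# "HH:MM:SS:usec: node-name" lines, with indented detail lines beneath some nodes.
TRACE_NAT_ONLY = """\
01:23:19:656284: dpdk-input
  GigabitEthernet1/0/0 rx queue 0
01:23:19:656285: ip4-input-no-checksum
01:23:19:656285: nat44-in2out
01:23:19:656285: ip4-lookup
01:23:19:656286: ip4-rewrite
01:23:19:656286: GigabitEthernet1/0/1-output
01:23:19:656286: GigabitEthernet1/0/1-tx
"""
# The same packet once ip4-policer-classify is placed before nat44-in2out.
TRACE_FIXED = TRACE_NAT_ONLY.replace(
    "01:23:19:656285: nat44-in2out\n",
    "01:23:19:656285: ip4-policer-classify\n01:23:19:656285: nat44-in2out\n")

NAT_NODES = ("nat44-in2out", "nat44-out2in")
POLICER = "ip4-policer-classify"
NODE_LINE = re.compile(r"^\d\d:\d\d:\d\d:\d{6}: (\S+)")

def node_path(trace: str) -> List[str]:
    """Ordered list of graph nodes one packet visited; detail lines are ignored."""
    matches = (NODE_LINE.match(line) for line in trace.splitlines())
    return [m.group(1) for m in matches if m]

def diagnose(trace: str) -> str:
    """Classify one per-packet trace against the ordering from the reply above:
    the policer node must appear before whichever nat44 node is on the arc."""
    path = node_path(trace)
    nat = [n for n in path if n in NAT_NODES]
    if not nat:
        return "no-nat-node"
    if POLICER not in path:
        return "policer-skipped"        # Raj's symptom: policer never traversed
    if path.index(POLICER) < path.index(nat[0]):
        return "ok"
    return "policer-after-nat"          # policer ran, but on the already-NATed packet

def diagnose_all(show_trace: str) -> List[str]:
    """Run diagnose() over every blank-line-separated packet block in a trace dump,
    skipping blocks (e.g. direction headers) that contain no node lines."""
    blocks = re.split(r"\n\s*\n", show_trace.strip())
    return [diagnose(b) for b in blocks if node_path(b)]
```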

-----Original Message-----
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Raj
Sent: Monday, January 21, 2019 1:00 PM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Configuring NAT and Policing together

Hello all,

I am trying to configure NAT and VPP to run together, but it's not working.

My configuration is as follows:

version: vpp v18.10-release built by root on 41f0552eeae3

Interfaces:

GigabitEthernet1/0/0 (up):
  L3 100.69.1.1/24
  L3 2001:xxx:xxx:600::1/56
GigabitEthernet1/0/1 (up):
  L3 xxx.79.223.14/29
  L3 2001:xxx:xxx:10d::600/64

Policer config with default route:

configure policer name policy1 cir 500 eir 0 cb 5000 eb 15000 rate kbps round closest type 1r3c conform-action transmit exceed-action mark-and-transmit AF22 violate-action drop
configure policer name policy2 cir 750 eir 0 cb 7500 eb 20000 rate kbps round closest type 1r3c conform-action transmit exceed-action mark-and-transmit AF22 violate-action drop
classify table mask l3 ip4 src
classify table mask l3 ip4 dst
classify session policer-hit-next policy1 exceed-color table-index 0 match l3 ip4 src 100.69.1.4
classify session policer-hit-next policy2 exceed-color table-index 1 match l3 ip4 dst 100.69.1.4
set policer classify interface GigabitEthernet1/0/0 ip4-table 0
set policer classify interface GigabitEthernet1/0/1 ip4-table 1
ip route add 0.0.0.0/0 via xxx.79.223.9 GigabitEthernet1/0/1
ip route add ::/0 via 2001:xxx:xxxx:10d::1 GigabitEthernet1/0/1

At this point, if I do a wget at 100.69.1.4 to download from xxx.79.223.9, the
speed is about 1mbps, but ranging from about 1.5mbps to 831kbps.

/dev/null               14%[===>                          ]  75.30M  1.18Mb/s

The packet traces show:

100.69.1.4 -> xxx.79.223.9

01:10:21:269382: dpdk-input
  GigabitEthernet1/0/0 rx queue 0
01:10:21:269383: ip4-input-no-checksum
01:10:21:269384: ip4-policer-classify
01:10:21:269384: ip4-lookup
01:10:21:269384: ip4-rewrite
01:10:21:269384: GigabitEthernet1/0/1-output
01:10:21:269385: GigabitEthernet1/0/1-tx


xxx.79.223.9 -> 100.69.1.4

01:10:21:268964: dpdk-input
  GigabitEthernet1/0/1 rx queue 0
01:10:21:268970: ip4-input-no-checksum
01:10:21:268973: ip4-policer-classify
01:10:21:268974: ip4-lookup
01:10:21:268975: ip4-rewrite
01:10:21:268976: GigabitEthernet1/0/0-output
01:10:21:268976: GigabitEthernet1/0/0-tx

Now adding NAT using the commands:

nat44 add interface address GigabitEthernet1/0/1
set interface nat44 in GigabitEthernet1/0/0 out GigabitEthernet1/0/1

Policer stops working at this point.

Traces show:

100.69.1.4 -> xxx.79.223.9

01:23:19:656284: dpdk-input
  GigabitEthernet1/0/0 rx queue 0
01:23:19:656285: ip4-input-no-checksum
01:23:19:656285: nat44-in2out
01:23:19:656285: ip4-lookup
01:23:19:656286: ip4-rewrite
01:23:19:656286: GigabitEthernet1/0/1-output
01:23:19:656286: GigabitEthernet1/0/1-tx

xxx.79.223.9 -> xxx.79.223.14

01:23:19:656289: dpdk-input
  GigabitEthernet1/0/1 rx queue 0
01:23:19:656290: ip4-input-no-checksum
01:23:19:656290: nat44-out2in
01:23:19:656290: ip4-lookup
01:23:19:656290: ip4-rewrite
01:23:19:656290: GigabitEthernet1/0/0-output
01:23:19:656291: GigabitEthernet1/0/0-tx


The traces show that when NAT is enabled, policer nodes are not getting 
traversed.

Ideally 100.69.1.4 -> xxx.79.223.9 should have ip4-input-no-checksum
-> ip4-policer-classify -> nat44-in2out -> ip4-lookup and xxx.79.223.9
-> 100.69.1.4 should have ip4-input-no-checksum -> nat44-in2out ->
ip4-policer-classify -> ip4-lookup

Is such a configuration possible? How can I configure VPP for it? Is there any 
incompatibility between NAT and Policer?


Thanks and Regards,

Raj