Hi Matus,

We were looking to modify the flow so that the south->north path looks
like ip4-input-no-checksum -> ip4-policer-classify -> nat44-in2out ->
ip4-lookup and the north->south path should be ip4-input-no-checksum ->
nat44-in2out -> ip4-policer-classify -> ip4-lookup.

With your suggested modifications we were able to get the desired flow
for south->north path, but with a small change, by putting
"nat44-out2in" in .runs_after. The code looks like:

.runs_before = VNET_FEATURES ("ipsec-input-ip4","nat44-in2out"),
.runs_after = VNET_FEATURES ("nat44-out2in"),

But in north->south direction ip4-policer-classify node is being skipped.

Also I did not fully understand this statement: "It would be possible
to add  additional static graph arc from nat node to
ip4-policer-classify and decide on per-packet basis where to send
packet since you don't know at compile time whether policer is
configured on interface.".


Thanks and Regards,

Raj

On Mon, Jan 21, 2019 at 6:04 PM Matus Fabian -X (matfabia - PANTHEON
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> Hi,
>
> You can use ip4-policer-classify before NAT node. Add nat44-in2out or
> nat44-out2in to the ip4_policer_classify runs_before list:
>
> VNET_FEATURE_INIT (ip4_policer_classify, static) =
> {
>   .arc_name = "ip4-unicast",
>   .node_name = "ip4-policer-classify",
>   .runs_before = VNET_FEATURES ("ipsec4-input-feature", "nat44-in2out",
>                                 "nat44-out2in"),
> };
>
> NAT code can't continue in feature arc using vnet_feature_next in some cases.
> It would be possible to add additional static graph arc from nat node to
> ip4-policer-classify and decide on per-packet basis where to send packet
> since you don't know at compile time whether policer is configured on
> interface.
>
> Matus
>
>
> -----Original Message-----
> From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Raj
> Sent: Monday, January 21, 2019 1:00 PM
> To: vpp-dev@lists.fd.io
> Subject: [vpp-dev] Configuring NAT and Policing together
>
> Hello all,
>
> I am trying to configure NAT and VPP run together, but it's not working.
>
> My configuration is as follows:
>
> version: vpp v18.10-release built by root on 41f0552eeae3
>
> Interfaces:
>
> GigabitEthernet1/0/0 (up):
>   L3 100.69.1.1/24
>   L3 2001:xxx:xxx:600::1/56
> GigabitEthernet1/0/1 (up):
>   L3 xxx.79.223.14/29
>   L3 2001:xxx:xxx:10d::600/64
>
> Policer config with default route:
>
> configure policer name policy1 cir 500 eir 0 cb 5000 eb 15000 rate kbps round closest type 1r3c conform-action transmit exceed-action mark-and-transmit AF22 violate-action drop
> configure policer name policy2 cir 750 eir 0 cb 7500 eb 20000 rate kbps round closest type 1r3c conform-action transmit exceed-action mark-and-transmit AF22 violate-action drop
> classify table mask l3 ip4 src
> classify table mask l3 ip4 dst
> classify session policer-hit-next policy1 exceed-color table-index 0 match l3 ip4 src 100.69.1.4
> classify session policer-hit-next policy2 exceed-color table-index 1 match l3 ip4 dst 100.69.1.4
> set policer classify interface GigabitEthernet1/0/0 ip4-table 0
> set policer classify interface GigabitEthernet1/0/1 ip4-table 1
> ip route add 0.0.0.0/0 via xxx.79.223.9 GigabitEthernet1/0/1
> ip route add ::/0 via 2001:xxx:xxxx:10d::1 GigabitEthernet1/0/1
>
> At this point, if I do a wget at 100.69.1.4 to download from xxx.79.223.9, 
> the speed is about 1mbps, but ranging from about 1.5mbps to 831kbps
>
> /dev/null               14%[===>                          ]  75.30M  1.18Mb/s
>
> The packet trace shows:
>
> 100.69.1.4 -> xxx.79.223.9
>
> 01:10:21:269382: dpdk-input
>   GigabitEthernet1/0/0 rx queue 0
> 01:10:21:269383: ip4-input-no-checksum
> 01:10:21:269384: ip4-policer-classify
> 01:10:21:269384: ip4-lookup
> 01:10:21:269384: ip4-rewrite
> 01:10:21:269384: GigabitEthernet1/0/1-output
> 01:10:21:269385: GigabitEthernet1/0/1-tx
>
>
> xxx.79.223.9 -> 100.69.1.4
>
> 01:10:21:268964: dpdk-input
>   GigabitEthernet1/0/1 rx queue 0
> 01:10:21:268970: ip4-input-no-checksum
> 01:10:21:268973: ip4-policer-classify
> 01:10:21:268974: ip4-lookup
> 01:10:21:268975: ip4-rewrite
> 01:10:21:268976: GigabitEthernet1/0/0-output
> 01:10:21:268976: GigabitEthernet1/0/0-tx
>
> Now adding NAT using the commands:
>
> nat44 add interface address GigabitEthernet1/0/1
> set interface nat44 in GigabitEthernet1/0/0 out GigabitEthernet1/0/1
>
> Policer stops working at this point.
>
> Traces show:
>
> 100.69.1.4 -> xxx.79.223.9
>
> 01:23:19:656284: dpdk-input
>   GigabitEthernet1/0/0 rx queue 0
> 01:23:19:656285: ip4-input-no-checksum
> 01:23:19:656285: nat44-in2out
> 01:23:19:656285: ip4-lookup
> 01:23:19:656286: ip4-rewrite
> 01:23:19:656286: GigabitEthernet1/0/1-output
> 01:23:19:656286: GigabitEthernet1/0/1-tx
>
> xxx.79.223.9 -> xxx.79.223.14
>
> 01:23:19:656289: dpdk-input
>   GigabitEthernet1/0/1 rx queue 0
> 01:23:19:656290: ip4-input-no-checksum
> 01:23:19:656290: nat44-out2in
> 01:23:19:656290: ip4-lookup
> 01:23:19:656290: ip4-rewrite
> 01:23:19:656290: GigabitEthernet1/0/0-output
> 01:23:19:656291: GigabitEthernet1/0/0-tx
>
>
> The traces show that when NAT is enabled, policer nodes are not getting 
> traversed.
>
> Ideally 100.69.1.4 -> xxx.79.223.9 should have ip4-input-no-checksum
> -> ip4-policer-classify -> nat44-in2out -> ip4-lookup and xxx.79.223.9
> -> 100.69.1.4 should have ip4-input-no-checksum -> nat44-in2out ->
> ip4-policer-classify -> ip4-lookup
>
> Is such a configuration possible? How can I configure VPP for it? Is there 
> any incompatibility between NAT and Policer?
>
>
> Thanks and Regards,
>
> Raj
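The feature-arc behaviour the thread is debating, as an added model written for this note (not VPP's own code): it takes the two constraint sets quoted above (Raj's `.runs_before`/`.runs_after` pair and Matus' `runs_before`-only suggestion), orders the ip4-unicast arc by topological sort, and then walks the arc for each direction. It assumes, following Matus' remark, that the NAT nodes leave the arc without calling vnet_feature_next, which is what makes a policer ordered after nat44-out2in unreachable.

```python
# Added example (not VPP code): model of ip4-unicast feature-arc ordering
# reproducing why ip4-policer-classify is skipped north->south. Assumes
# ordering = topological sort of runs_before/runs_after, and (per Matus'
# remark) NAT nodes leave the arc without vnet_feature_next.
ARC_EXIT = {"nat44-in2out", "nat44-out2in"}   # modelling assumption

# Raj's constraint set and Matus' suggested one, as quoted in the thread.
RAJ = {"ip4-policer-classify": {
    "runs_before": ["ipsec-input-ip4", "nat44-in2out"],
    "runs_after": ["nat44-out2in"]}}
MATUS = {"ip4-policer-classify": {
    "runs_before": ["ipsec4-input-feature", "nat44-in2out", "nat44-out2in"]}}


def arc_order(features):
    """Kahn's algorithm over the constraints; ties broken alphabetically."""
    edges, names = set(), set(features)
    for n, c in features.items():
        for b in c.get("runs_before", ()):
            edges.add((n, b)); names.add(b)      # n runs before b
        for a in c.get("runs_after", ()):
            edges.add((a, n)); names.add(a)      # a runs before n
    indeg = {n: 0 for n in names}
    for _, dst in edges:
        indeg[dst] += 1
    order, ready = [], sorted(n for n in names if indeg[n] == 0)
    while ready:
        n = ready.pop(0)
        order.append(n)
        for src, dst in edges:
            if src == n:
                indeg[dst] -= 1
                if indeg[dst] == 0:
                    ready.append(dst)
        ready.sort()
    if len(order) != len(names):
        raise ValueError("runs_before/runs_after constraints form a cycle")
    return order


def walk(order, enabled):
    """Nodes traversed on an interface where `enabled` features are on."""
    visited = []
    for n in order:
        if n in enabled:
            visited.append(n)
            if n in ARC_EXIT:          # NAT node goes straight to ip4-lookup
                break
    return visited
```

With Raj's constraints the arc order is nat44-out2in, ip4-policer-classify, ipsec-input-ip4, nat44-in2out, so the south->north walk visits the policer but the north->south walk stops at nat44-out2in; with Matus' constraints the policer is visited in both directions, at the cost of running before NAT on the north->south path.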
View/Reply Online (#11967): https://lists.fd.io/g/vpp-dev/message/11967