Re: [vpp-dev] Configuring NAT and Policing together

Raj Wed, 23 Jan 2019 06:05:44 -0800

Hi Matus,

Thanks for the code fragment it helped me get a better understanding
of what I have to do, and have modified the code. But occasionally VPP
hits an ASSERT at:


DBGvpp# 0: /vpp/src/vlib/node_funcs.h:296
(vlib_node_runtime_get_next_frame) assertion `next_index <
n->n_next_nodes' fails
Aborted

The approach I had followed was to get the index of policer classify
node and setting that as the next node of 'nat44-out2in'
,'nat44-out2in-reass' and 'nat44-out2in-fast'.

This is the partial diff of how we got the index of
ip4-policer-classify and setting the next node. (full diff is
attached).

--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -1110,6 +1113,15 @@ snat_out2in_node_fn (vlib_main_t * vm,

          proto0 = ip_proto_to_snat_proto (ip0->protocol);

+          ip4_policer_classify_node =
+            vlib_get_node_by_name (vm, (u8 *) "ip4-policer-classify");
+          if (ip4_policer_classify_node)
+            {
+              next0 = SNAT_OUT2IN_NEXT_POLICER_CLASSIFY;
+              vlib_node_add_next (vm, ip4_policer_classify_node->index,
+                                  next0);
+            }
+
          if (PREDICT_FALSE (proto0 == ~0))
            {
              if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))

I hope the approach followed is the correct one, but I could not
figure out why the ASSERT is happening.

Thanks and Regards,

Raj


On Tue, Jan 22, 2019 at 8:10 PM Matus Fabian -X (matfabia - PANTHEON
TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
>
> nat44-out2in node:
> u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
> <...>
> vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, 
> n_left_to_next, bi0, next0);
>
> whatever you specify in VNET_FEATURE_INIT runs_before is ignored for 
> nat44-out2in, normally when you want continue to nex node in feature arc you 
> use vnet_feature_next(), but this is not possible in NAT (nat44-out2in is not 
> always configured as interface feature, e.g. worker handoff in case of 
> multithreading or combined in-out NAT interface).
>
> Matus
>
> -----Original Message-----
> From: Raj <rajlistu...@gmail.com>
> Sent: Tuesday, January 22, 2019 3:22 PM
> To: Matus Fabian -X (matfabia - PANTHEON TECHNOLOGIES at Cisco) 
> <matfa...@cisco.com>
> Cc: vpp-dev@lists.fd.io
> Subject: Re: [vpp-dev] Configuring NAT and Policing together
>
> On Tue, Jan 22, 2019 at 7:44 PM Matus Fabian -X (matfabia - PANTHEON 
> TECHNOLOGIES at Cisco) <matfa...@cisco.com> wrote:
> > I don't think it is working way you wanted since nat44-out2in goes directly 
> > to ip4-lookup instead of continue in feature arc to ip4-policer-classify.
>
> Yes, you were right. My conclusion was premature. I still do not quite 
> understand VNET_FEATURE_INIT to route the traffic the way I want. A sample 
> code fragment would be very helpful.
>
> Thanks and Regards,
>
> Raj

diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c
index 8c013d9b..401bcacc 100755
--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -34,6 +34,7 @@
 #include <vppinfra/error.h>
 #include <vppinfra/elog.h>
 
+
 typedef struct
 {
   u32 sw_if_index;
@@ -103,6 +104,7 @@ typedef enum
   SNAT_OUT2IN_NEXT_LOOKUP,
   SNAT_OUT2IN_NEXT_ICMP_ERROR,
   SNAT_OUT2IN_NEXT_REASS,
+  SNAT_OUT2IN_NEXT_POLICER_CLASSIFY,
   SNAT_OUT2IN_N_NEXT,
 } snat_out2in_next_t;
 
@@ -1086,6 +1088,7 @@ snat_out2in_node_fn (vlib_main_t * vm,
          snat_session_t *s0 = 0;
          clib_bihash_kv_8_8_t kv0, value0;
          u8 identity_nat0;
+          vlib_node_t *ip4_policer_classify_node = NULL;
 
          /* speculatively enqueue b0 to the current next frame */
          bi0 = from[0];
@@ -1110,6 +1113,15 @@ snat_out2in_node_fn (vlib_main_t * vm,
 
          proto0 = ip_proto_to_snat_proto (ip0->protocol);
 
+          ip4_policer_classify_node = 
+            vlib_get_node_by_name (vm, (u8 *) "ip4-policer-classify");
+          if (ip4_policer_classify_node)
+            {
+              next0 = SNAT_OUT2IN_NEXT_POLICER_CLASSIFY;
+              vlib_node_add_next (vm, ip4_policer_classify_node->index,
+                                  next0);
+            }
+
          if (PREDICT_FALSE (proto0 == ~0))
            {
              if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
@@ -1295,6 +1307,7 @@ VLIB_REGISTER_NODE (snat_out2in_node) = {
     [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
     [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
     [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+    [SNAT_OUT2IN_NEXT_POLICER_CLASSIFY] = "ip4-policer-classify",
   },
 };
 /* *INDENT-ON* */
@@ -1343,6 +1356,8 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm,
          u16 old_port0, new_port0;
          ip_csum_t sum0;
          u8 identity_nat0;
+          vlib_node_t *ip4_policer_classify_node = NULL;
+
 
          /* speculatively enqueue b0 to the current next frame */
          bi0 = from[0];
@@ -1360,6 +1375,15 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm,
            fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
                                                 sw_if_index0);
 
+          ip4_policer_classify_node =
+            vlib_get_node_by_name (vm, (u8 *) "ip4-policer-classify");
+          if (ip4_policer_classify_node)
+            {
+              next0 = SNAT_OUT2IN_NEXT_POLICER_CLASSIFY;
+              vlib_node_add_next (vm, ip4_policer_classify_node->index,
+                                  next0);
+            }
+
          if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
            {
              next0 = SNAT_OUT2IN_NEXT_DROP;
@@ -1628,6 +1652,7 @@ VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
     [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
     [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
     [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+    [SNAT_OUT2IN_NEXT_POLICER_CLASSIFY] = "ip4-policer-classify",
   },
 };
 /* *INDENT-ON* */
@@ -1670,6 +1695,8 @@ snat_out2in_fast_node_fn (vlib_main_t * vm,
          snat_session_key_t key0, sm0;
          u32 proto0;
          u32 rx_fib_index0;
+          vlib_node_t *ip4_policer_classify_node = NULL;
+
 
          /* speculatively enqueue b0 to the current next frame */
          bi0 = from[0];
@@ -1692,6 +1719,15 @@ snat_out2in_fast_node_fn (vlib_main_t * vm,
 
          vnet_feature_next (&next0, b0);
 
+          ip4_policer_classify_node =
+            vlib_get_node_by_name (vm, (u8 *) "ip4-policer-classify");
+          if (ip4_policer_classify_node)
+            {
+              next0 = SNAT_OUT2IN_NEXT_POLICER_CLASSIFY;
+              vlib_node_add_next (vm, ip4_policer_classify_node->index,
+                                  next0);
+            }
+
          if (PREDICT_FALSE (ip0->ttl == 1))
            {
              vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
@@ -1822,6 +1858,7 @@ VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
     [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
     [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
     [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+    [SNAT_OUT2IN_NEXT_POLICER_CLASSIFY] = "ip4-policer-classify",
   },
 };
 /* *INDENT-ON* */

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#11980): https://lists.fd.io/g/vpp-dev/message/11980
Mute This Topic: https://lists.fd.io/mt/29379239/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [vpp-dev] Configuring NAT and Policing together

Reply via email to