Shahid,

Right, so the GRE packets shouldn’t go through the NAT at all. Is the GRE tunnel itself marked as inside?
I should have thought this was supported with https://jira.fd.io/browse/VPP-447

Let me see if I can reproduce.

Best regards,
Ole

> On 10 Apr 2019, at 12:55, Shahid Khan <shahidnasimk...@gmail.com> wrote:
>
> Hi Ole,
>
> we have a bridge(loop0) with a private ip say 192.168.100.2/24.
> a TAP is also connected to this bridge and other end of TAP is on host side.
>
> we have one physical interface connected to another bridge (loop1) with
> outside network ip of say 192.168.10.1/24
> and a GRE tunnel is created having source as 192.168.10.1.
>
> Host has requirement to initiate sessions(tcp/udp) to outside network. so we
> have applied NAT as below.
>
> nat44 add interface address loop1
> set interface nat44 in loop0 out loop1
>
> with this host can initiate session with outside network and SNAT works fine.
>
> But GRE does not work. we looked into traces and found that packet coming to
> GRE tunnels are getting dropped with trace showing "unknown protocol".
>
> if we enable forwarding then GRE packets are getting forwarded to destination
> but now host is not able to initiate session to outside network because SNAT
> stops
>
> -Shahid.
>
> On Wed, Apr 10, 2019 at 2:33 PM Ole Troan <otr...@employees.org> wrote:
> Hi Shahid,
>
> What are you trying to achieve?
> https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
>
> You do not typically enable the “forwarding” feature.
>
> Cheers,
> Ole
>
> > On 8 Apr 2019, at 07:52, Shahid Khan <shahidnasimk...@gmail.com> wrote:
> >
> > can someone look into below query ?
> >
> > -Shahid.
> >
> > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io
> > <shahidnasimkhan=gmail....@lists.fd.io> wrote:
> > Hi,
> >
> > can someone help us on below query ?
> >
> > -Shahid.
> >
> > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io
> > <shahidnasimkhan=gmail....@lists.fd.io> wrote:
> >
> > I have following query related to SNAT on VPP Release 19.0.1.02
> >
> > following is the code from vpp/src/plugins/nat/in2out.c
> >
> > static inline int
> > snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
> >                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
> >                     u32 rx_fib_index0, u32 thread_index)
> > {
> >   udp_header_t *udp0 = ip4_next_header (ip0);
> >   snat_session_key_t key0, sm0;
> >   clib_bihash_kv_8_8_t kv0, value0;
> >
> >   key0.addr = ip0->dst_address;
> >   key0.port = udp0->dst_port;
> >   key0.protocol = proto0;
> >   key0.fib_index = sm->outside_fib_index;
> >   kv0.key = key0.as_u64;
> >
> >   /* NAT packet aimed at external address if */
> >   /* has active sessions */
> >   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
> >                               &kv0,
> >                               &value0))
> >     {
> >       /* or is static mappings */
> >       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
> >         return 0;
> >     }
> >   else
> >     return 0;
> >
> >   if (sm->forwarding_enabled)
> >     return 1;
> >
> >   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
> >                                   rx_fib_index0);
> > }
> >
> > want to understand why above highlighted condition is there in code ?
> >
> > this is causing SNAT to stop working the moment we enable forwarding.
> > what will be impact we comment this condition ?
> >
> > -Shahid.
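
Added example, not part of the thread and not VPP code: a stand-alone C model of the branch order in the quoted snat_not_translate(), tabulating the result for each lookup outcome with forwarding off and on. The two lookups and snat_not_translate_fast() are replaced by plain parameters; assumed here is that both lookups return 0 on a hit and that a return of 1 means the packet is left untranslated.

```c
#include <stdbool.h>
#include <stdio.h>

/* Return values follow the quoted function: 0 = carry on into NAT,
   1 = leave the packet untranslated. */
enum { PROCEED_TO_NAT = 0, SKIP_NAT = 1 };

/* Model of the branch order in the quoted snat_not_translate().
   Parameters replace calls whose bodies are not on the page (assumptions):
     session_found - out2in hash lookup for the destination hit
     static_match  - destination matched a static mapping
     fast_result   - value snat_not_translate_fast() would have returned */
static int
model_not_translate (bool session_found, bool static_match,
                     bool forwarding_enabled, int fast_result)
{
  if (!session_found)
    {
      if (static_match)
        return PROCEED_TO_NAT;
    }
  else
    return PROCEED_TO_NAT;

  if (forwarding_enabled)
    return SKIP_NAT;            /* fast_result is never consulted */

  return fast_result;
}

int
main (void)
{
  /* Constructed case list: every lookup outcome, forwarding off and on,
     with the fast check assumed to answer "translate" (0). */
  printf ("session static fwd -> result\n");
  for (int s = 0; s < 2; s++)
    for (int m = 0; m < 2; m++)
      for (int f = 0; f < 2; f++)
        printf ("%7d %6d %3d -> %s\n", s, m, f,
                model_not_translate (s, m, f, 0) ? "skip NAT" : "NAT");
  return 0;
}
```

The only row that changes when forwarding is switched on is the one with no session and no static mapping for the destination, which is the case of a host opening a new connection to the outside network and matches the symptom reported in the thread.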