There is another physical port bridged to loop1, which is on the 192.168.15.0/24
network.
The packets coming inside the GRE tunnel are for the 192.168.15.0/24 network.

Also, I just want to understand why SNAT is blocked when forwarding is
enabled?
Someone might have a requirement to SNAT first and then forward.

When I comment out the code as below, SNAT and GRE both work, but I don't know
how it will impact the rest of the code/functionality.

static inline int
snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
                    u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
                    u32 rx_fib_index0, u32 thread_index)
{
  udp_header_t *udp0 = ip4_next_header (ip0);
  snat_session_key_t key0, sm0;
  clib_bihash_kv_8_8_t kv0, value0;

  key0.addr = ip0->dst_address;
  key0.port = udp0->dst_port;
  key0.protocol = proto0;
  key0.fib_index = sm->outside_fib_index;
  kv0.key = key0.as_u64;

  /* NAT packet aimed at external address if */
  /* has active sessions */
  if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
                              &kv0, &value0))
    {
      /* or is static mappings */
      if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
        return 0;
    }
  else
    return 0;

/*
  if (sm->forwarding_enabled)
    return 1;
*/

  return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
                                  rx_fib_index0);
}



-Shahid.




On Thu, Apr 11, 2019 at 12:44 PM Ole Troan <otr...@employees.org> wrote:

> Shahid,
>
> Right, so the GRE packets shouldn’t go through the NAT at all.
> Is the GRE tunnel itself marked as inside?
>
> I should have thought this was supported with
> https://jira.fd.io/browse/VPP-447
> Let me see if I can reproduce.
>
> Best regards,
> Ole
>
> > On 10 Apr 2019, at 12:55, Shahid Khan <shahidnasimk...@gmail.com> wrote:
> >
> > Hi Ole,
> >
> > We have a bridge (loop0) with a private IP, say 192.168.100.2/24.
> > A TAP is also connected to this bridge, and the other end of the TAP is on the host side.
> >
> > We have one physical interface connected to another bridge (loop1) with an outside network IP of, say, 192.168.10.1/24,
> > and a GRE tunnel is created having source as 192.168.10.1.
> >
> > The host has a requirement to initiate sessions (TCP/UDP) to the outside network, so we have applied NAT as below.
> >
> > nat44 add interface address loop1
> > set interface nat44 in loop0 out loop1
> >
> > With this, the host can initiate sessions with the outside network and SNAT works fine.
> >
> > But GRE does not work. We looked into the traces and found that packets coming to GRE tunnels are getting dropped, with the trace showing "unknown protocol".
> >
> > If we enable forwarding, then GRE packets are forwarded to the destination, but now the host is not able to initiate sessions to the outside network because SNAT stops.
> >
> > -Shahid.
> >
> >
> >
> >
> >
> >
> > On Wed, Apr 10, 2019 at 2:33 PM Ole Troan <otr...@employees.org> wrote:
> > Hi Shahid,
> >
> > What are you trying to achieve?
> > https://wiki.fd.io/view/VPP/NAT#Enable_or_disable_forwarding
> >
> > You do not typically enable the “forwarding” feature.
> >
> > Cheers,
> > Ole
> >
> > > On 8 Apr 2019, at 07:52, Shahid Khan <shahidnasimk...@gmail.com> wrote:
> > >
> > > Can someone look into the below query?
> > >
> > > -Shahid.
> > >
> > > On Wed, Apr 3, 2019 at 12:56 PM Shahid Khan via Lists.Fd.Io <shahidnasimkhan=gmail....@lists.fd.io> wrote:
> > > Hi,
> > >
> > > Can someone help us with the below query?
> > >
> > > -Shahid.
> > >
> > > On Mon, Apr 1, 2019 at 11:45 AM Shahid Khan via Lists.Fd.Io <shahidnasimkhan=gmail....@lists.fd.io> wrote:
> > >
> > > I have the following query related to SNAT on VPP Release 19.0.1.02.
> > >
> > > The following is the code from vpp/src/plugins/nat/in2out.c:
> > >
> > > static inline int
> > > snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
> > >                     u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
> > >                     u32 rx_fib_index0, u32 thread_index)
> > > {
> > >   udp_header_t *udp0 = ip4_next_header (ip0);
> > >   snat_session_key_t key0, sm0;
> > >   clib_bihash_kv_8_8_t kv0, value0;
> > >
> > >   key0.addr = ip0->dst_address;
> > >   key0.port = udp0->dst_port;
> > >   key0.protocol = proto0;
> > >   key0.fib_index = sm->outside_fib_index;
> > >   kv0.key = key0.as_u64;
> > >
> > >   /* NAT packet aimed at external address if */
> > >   /* has active sessions */
> > >   if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
> > >                               &kv0, &value0))
> > >     {
> > >       /* or is static mappings */
> > >       if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
> > >         return 0;
> > >     }
> > >   else
> > >     return 0;
> > >
> > >   if (sm->forwarding_enabled)
> > >     return 1;
> > >
> > >
> > >   return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
> > >                                   rx_fib_index0);
> > > }
> > >
> > > I want to understand why the above highlighted condition is there in the code.
> > >
> > > This is causing SNAT to stop working the moment we enable forwarding.
> > > What will be the impact if we comment out this condition?
> > >
> > > -Shahid.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-
> > > Links: You receive all messages sent to this group.
> > >
> > > View/Reply Online (#12680):
> https://lists.fd.io/g/vpp-dev/message/12680
> > > Mute This Topic: https://lists.fd.io/mt/30851776/1713129
> > > Group Owner: vpp-dev+ow...@lists.fd.io
> > > Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [
> shahidnasimk...@gmail.com]
> > > -=-=-=-=-=-=-=-=-=-=-=-
> >
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#12759): https://lists.fd.io/g/vpp-dev/message/12759
Mute This Topic: https://lists.fd.io/mt/30851776/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub  [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
