VPP配置SNAT,内网接口GigabitEthernet2/0/0,外网接口GigabitEthernet3/0/0,NAT之后的地址为GigabitEthernet3/0/0接口的地址。
vpp# set interface state GigabitEthernet2/0/0 up
vpp# set interface state GigabitEthernet3/0/0 up
vpp#
vpp# set interface ip address GigabitEthernet2/0/0 30.1.1.1/24
vpp# set interface ip address GigabitEthernet3/0/0 192.168.1.203/24
vpp#
vpp# nat44 plugin enable
vpp# set interface nat44 in GigabitEthernet2/0/0 out GigabitEthernet3/0/0
vpp# nat44 add interface address GigabitEthernet3/0/0
NAT44-ED插件使用的feature和node节点如下。
ip4-output:ip4-sv-reassembly-output-feature nat44-ed-in2out-output nat44-in2out-output-worker-handoff nat-pre-in2out-output ip4-unicast:ip4-sv-reassembly-feature nat44-ed-out2innat44-ed-in2outnat44-out2in-worker-handoff nat44-in2out-worker-handoff nat44-handoff-classify nat44-ed-classifynat-pre-out2in nat-pre-in2out
nat44-ed处理节点流程如下。VPP配置了多个worker线程的话,需要nat44-in2out-worker-handoff和nat44-out2in-worker-handoff节点;否则,使用nat-pre-in2out和nat-pre-out2in节点。
|-----------------------|| ip4-input-no-checksum ||-----------------------|||---------------------------| GigabitEthernet3/0/0 |-----------------------------|| ip4-sv-reassembly-feature |-------------------------------| nat44-out2in-worker-handoff | | | | / nat-pre-out2in ||---------------------------| |-----------------------------|
GigabitEthernet2/0/0 | ||-----------------------------| |-----------------|| nat44-in2out-worker-handoff | | nat44-ed-out2in || / nat-pre-in2out | | ||-----------------------------| |-----------------|| ||-------------------| nonexist |----------------------------| || nat44-ed-in2out |-----------| nat44-ed-in2out-slowpath | ||-------------------| |----------------------------| |
existing session | | || | ||----------------| | || ip4-lookup |--------------------------|------------------------||----------------|
一. 报文重组功能
IP报文分片之后,仅在第一个分片中可见4层的端口号信息,对于后续分片由于没有端口号,将不能进行NAT操作,所以需要IP报文重组功能。在ARC集合ip4-unicast中,nat-pre-in2out和nat-pre-out2in都是位于ip4-sv-reassembly-feature之后,报文先经过重组处理。
VNET_FEATURE_INIT (nat_pre_in2out, static) = {.arc_name = "ip4-unicast",.node_name = "nat-pre-in2out",.runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (nat_pre_out2in, static) = {.arc_name = "ip4-unicast",.node_name = "nat-pre-out2in",.runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-dhcp-client-detect","ip4-sv-reassembly-feature"),
};
节点nat_pre_nat的下一个节点索引默认为NAT_NEXT_IN2OUT_ED_FAST_PATH,对应于节点nat44-ed-in2out。
VLIB_NODE_FN (nat_pre_in2out_node)(vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
{return nat_pre_node_fn_inline (vm, node, frame,NAT_NEXT_IN2OUT_ED_FAST_PATH);
}
在函数nat_pre_node_fn_inline中,主要的工作就是记录ARC集合的下一个节点索引,记录在报文接口的nat.arc_next中,以便在NAT44模块处理完成之后,继续ARC集中的处理流程。通常情况下一个feature为ip4-lookup。
static inline uword
nat_pre_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,vlib_frame_t *frame, u32 def_next)
{while (n_left_from > 0) {vlib_buffer_t *b0;b0 = *b;b++;next0 = def_next;vnet_feature_next (&arc_next0, b0);vnet_buffer2 (b0)->nat.arc_next = arc_next0;n_left_from--;next[0] = next0;next++;}
二. NAT44模块使能
对应命令nat44 plugin enable。如果VPP配置的worker线程数量大于1,需要创建frame_queue队列,在worker线程之间传递报文,保证同一个会话流在同一个worker上处理,避免使用锁。内网接口和外网接口分别注册fq_in2out_index和fq_out2in_index为索引的队列,对应node节点nat44-ed-in2out和nat44-ed-out2in。
int nat44_plugin_enable (nat44_config_t c)
{snat_main_t *sm = &snat_main;if (sm->num_workers > 1) { vlib_main_t *vm = vlib_get_main ();vlib_node_t *node;if (sm->fq_in2out_index == ~0) { node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");sm->fq_in2out_index = vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);} if (sm->fq_out2in_index == ~0) { node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");sm->fq_out2in_index = vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);}
三. NAT44接口
设置接口的inside/outside属性。首先,判断如果接口已经在nat44的接口中,并且接口的inside/outside属性没有改变,结束处理。
int nat44_ed_add_interface (u32 sw_if_index, u8 is_inside)
{snat_main_t *sm = &snat_main;nat_fib_t *outside_fib;snat_interface_t *i;i = nat44_ed_get_interface (sm->interfaces, sw_if_index);if (i){if ((nat44_ed_is_interface_inside (i) && is_inside) ||(nat44_ed_is_interface_outside (i) && !is_inside))return 0;
否则,这里是要修改接口的inside/outside属性,分两种情况。第一,worker线程数量大于1,接口从inside修改为outside,需要删除nat44-in2out-worker-handoff;否则,删除nat44-out2in-worker-handoff。
第二,worker线程小于等于1,接口从inside修改为outside,需要删除nat-pre-in2out,否则,删除nat-pre-out2in。
最后,开启ip4-sv-reassembly-feature,如果已经开启,增加引用计数。并且,删除记录下来的接口旧的feature,使能新的feature。以上提到的这些feature都位于ARC集合ip4-unicast。
if (sm->num_workers > 1) {del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :"nat44-out2in-worker-handoff";feature_name = "nat44-handoff-classify";} else {del_feature_name = !is_inside ? "nat-pre-in2out" : "nat-pre-out2in";feature_name = "nat44-ed-classify";}rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);if (rv)return rv;vnet_feature_enable_disable ("ip4-unicast", del_feature_name, sw_if_index, 0, 0, 0);vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0);}
以下处理nat44模块中从未添加过此接口的情况。在worker线程数量大于1时,对于inside接口,使能nat44-in2out-worker-handoff;对于outside接口,使能nat44-out2in-worker-handoff。
使能报文重组feature:ip4-sv-reassembly-feature。将接口添加到nat44模块的接口池中(sm->interfaces)。
else {if (sm->num_workers > 1)feature_name = is_inside ? "nat44-in2out-worker-handoff" : "nat44-out2in-worker-handoff";elsefeature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";nat_validate_interface_counters (sm, sw_if_index);rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);if (rv) return rv;vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0);pool_get (sm->interfaces, i);i->sw_if_index = sw_if_index;i->flags = 0;}
如下命令显示nat44模块的接口池内容:
vpp# show nat44 interfaces
NAT44 interfaces:GigabitEthernet2/0/0 inGigabitEthernet3/0/0 out
四. nat44添加地址
分配snat_address_resolve_t地址结构,记录接口索引等。
int
nat44_ed_add_interface_address (u32 sw_if_index, u8 twice_nat)
{ snat_main_t *sm = &snat_main;ip4_main_t *ip4_main = sm->ip4_main;ip4_address_t *first_int_addr;snat_address_resolve_t *ap;vec_add2 (sm->addr_to_resolve, ap, 1);ap->sw_if_index = sw_if_index;ap->is_twice_nat = twice_nat;ap->is_resolved = 0;
获取接口的首个IP地址,添加到nat44的地址池中。添加成功之后,设置is_resolved为真。
first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);if (first_int_addr) {rv = nat44_ed_add_address (first_int_addr, ~0, twice_nat);if (0 != rv) {nat44_ed_del_addr_resolve_record (sw_if_index, twice_nat);return rv;}ap->is_resolved = 1;}
这里不涉及两次NAT的情况,twice_nat为false。添加的地址保存在nat44模块的addresses地址向量中,先检测其中是否已有此地址,避免重复添加。
int
nat44_ed_add_address (ip4_address_t *addr, u32 vrf_id, u8 twice_nat)
{snat_main_t *sm = &snat_main;snat_address_t *ap, *addresses;addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses;// check if address already existsvec_foreach (ap, addresses) {if (ap->addr.as_u32 == addr->as_u32) {nat_log_err ("address exist");return VNET_API_ERROR_VALUE_EXIST;}}
在addresses向量中分配新成员,填入新地址。
if (twice_nat)vec_add2 (sm->twice_nat_addresses, ap, 1);elsevec_add2 (sm->addresses, ap, 1);ap->addr_len = ~0;ap->fib_index = ~0;ap->addr = *addr;
五. 节点流程
测试VPP配置了2个worker线程。如下,thread2在inside接口GigabitEthernet2/0/0接收到ICMP请求报文,不是IP分片,节点nat44-in2out-worker-handoff通过处理,将报文handoff到thread1。
------------------- Start of thread 2 vpp_wk_1 -------------------
Packet 2
00:06:05:665438: dpdk-inputGigabitEthernet2/0/0 rx queue 1ICMP: 30.1.1.2 -> 192.168.12.254ICMP echo_request checksum 0x4bde id 1
00:06:05:665440: ethernet-inputIP4: 50:7b:9d:c7:03:73 -> 00:60:e0:65:b5:c7
00:06:05:665440: ip4-input-no-checksumICMP: 30.1.1.2 -> 192.168.12.254ICMP echo_request checksum 0x4bde id 1
00:06:05:665441: ip4-sv-reassembly-feature[not-fragmented]
00:06:05:665441: nat44-in2out-worker-handofffragment id 0x3b72NAT44_IN2OUT_WORKER_HANDOFF : next-worker 1 trace index 1
以上通过frame-queue:fq_in2out_index,将报文handoff到了thread1的nat44-ed-in2out节点。对于第一个报文,session并不存在,需要进入慢速节点处理:nat44-ed-in2out-slowpath。
------------------- Start of thread 1 vpp_wk_0 -------------------
Packet 2
00:06:05:665444: handoff_traceHANDED-OFF: from thread 2 trace index 1
00:06:05:665444: nat44-ed-in2outNAT44_IN2OUT_ED_FAST_PATH: sw_if_index 5, next index 3search key local 30.1.1.2:1 remote 192.168.12.254:1 proto ICMP fib 0 thread-index 0 session-index 0
00:06:05:665447: nat44-ed-in2out-slowpathNAT44_IN2OUT_ED_SLOW_PATH: sw_if_index 5, next index 10, session 4, translation result 'success' via i2ofi2of match: saddr 30.1.1.2 sport 1 daddr 192.168.12.254 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.12.12 daddr 192.168.12.254 icmp-id 28931 txfib 0o2if match: saddr 192.168.12.254 sport 28931 daddr 192.168.12.12 dport 28931 p
roto ICMP fib_idx 0 rewrite: daddr 30.1.1.2 icmp-id 1 txfib 0
00:06:05:665453: ip4-lookupfib 0 dpo-idx 3 flow hash: 0x00000000ICMP: 192.168.12.12 -> 192.168.12.254
另外,对于由外到内的报文,即由GigabitEthernet3/0/0接口接收的报文。节点nat44-out2in-worker-handoff匹配到session,并且session位于thread1,即当前的thread,不需要handoff处理;也不需要进入慢速路径节点nat44-ed-out2in-slowpath。
------------------- Start of thread 1 vpp_wk_0 -------------------
Packet 14
00:06:10:263962: ip4-input-no-checksumICMP: 192.168.12.254 -> 192.168.12.12ICMP echo_reply checksum 0xe2da id 28931
00:06:10:263962: ip4-sv-reassembly-feature[not-fragmented]
00:06:10:263963: nat44-out2in-worker-handoffNAT44_OUT2IN_WORKER_HANDOFF : next-worker 1 trace index 13
00:06:10:263965: nat44-ed-out2inNAT44_OUT2IN_ED_FAST_PATH: sw_if_index 6, next index 10, session 4, translation result 'success' via o2ifi2of match: saddr 30.1.1.2 sport 1 daddr 192.168.12.254 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.12.12 daddr 192.168.12.254 icmp-id 28931 txfib 0o2if match: saddr 192.168.12.254 sport 28931 daddr 192.168.12.12 dport 28931 p
roto ICMP fib_idx 0 rewrite: daddr 30.1.1.2 icmp-id 1 txfib 0search key local 192.168.12.254:28931 remote 192.168.12.12:28931 proto ICMP fib 0 thread-index 0 session-index 0no reason for slow path
00:06:10:263966: ip4-lookupfib 0 dpo-idx 4 flow hash: 0x00000000ICMP: 192.168.12.254 -> 30.1.1.2ICMP echo_reply checksum 0x53dd id 1
00:06:10:263967: ip4-rewritetx_sw_if_index 5 dpo-idx 4 : ipv4 via 30.1.1.2 GigabitEthernet2/0/0: mtu:9000 next:3 flags:[] 507b9dc703730060e065b5c70800 flow hash: 0x0000000000000000: 507b9dc703730060e065b5c708004500003cb15400003f01ddc3c0a80cfe1e0100000020: 0102000053dd0001017e6162636465666768696a6b6c6d6e6f707172
00:06:10:263968: GigabitEthernet2/0/0-output
对于由GigabitEthernet2/0/0接口接收的第二个icmp请求报文,由于session已经存在,也不再需要进入慢速路径节点。由于报文被网卡送到了thread2线程,这里显示为handoff之后的处理。
------------------- Start of thread 1 vpp_wk_0 -------------------
Packet 13
00:06:10:263324: handoff_traceHANDED-OFF: from thread 2 trace index 5
00:06:10:263324: nat44-ed-in2outNAT44_IN2OUT_ED_FAST_PATH: sw_if_index 5, next index 10, session 4, translation result 'success' via i2ofi2of match: saddr 30.1.1.2 sport 1 daddr 192.168.12.254 dport 1 proto ICMP fib
_idx 0 rewrite: saddr 192.168.12.12 daddr 192.168.12.254 icmp-id 28931 txfib 0o2if match: saddr 192.168.12.254 sport 28931 daddr 192.168.12.12 dport 28931 proto ICMP fib_idx 0 rewrite: daddr 30.1.1.2 icmp-id 1 txfib 0lookup skipped - cached session index used
00:06:10:263327: ip4-lookupfib 0 dpo-idx 6 flow hash: 0x00000000ICMP: 192.168.12.12 -> 192.168.12.254ICMP echo_request checksum 0xdada id 28931
)
:LCR 174. 寻找二叉搜索树中的目标节点)
)
,Javaee项目,springboot vue前后端分离项目。)
理论综合试卷)
![[SS]语义分割_转置卷积](http://pic.xiahunao.cn/[SS]语义分割_转置卷积)
![[娱乐]索尼电视安装Kodi](http://pic.xiahunao.cn/[娱乐]索尼电视安装Kodi)