Add support for port forwarding with masquerading (stateful NAT) #1262
+1,221
−84
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
qmonnet
changed the title
Differentiate between 2 cases when logging: - no flow entry is found in table for a given key - did not build a flow key (because of the type of packet) Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Add srcVpcd to FlowTuple so that it gets displayed/logged too. The flowTuple type could be used as the single input to the lookup function. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Make it such that no string needs to be created. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Flow-filter should be the first stage so that other stages can use the flow-info. Up until now, the flow-filter couldn't because it preceeded the flow-lookup stage. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Augment FlowInfoLocked to include a VpcDiscriminant so that we can determine the dst VPC from a flow entry as a fallback. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Rename the type (NF) so that it is clear its purpose. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
If, in the flow filter, the destination vpc (discriminant) cannot be determined for a packet, try to discover it from the flow-info attached to the packet. Ofc, the correctness of this depends on whether we store a flow-entry for the corresponding flow and what information we keep there. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Quentin Monnet <qmo@qmon.net> Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
qmonnet
force-pushed
the
pr/fredi/nat_use_cases
branch
from
50d68da to
5b0b995
Compare
Member
|
Note that I rebased the base branch on |
Also, extend the metadata to 32 bits and the Display impl. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Extend the enum with PortForwarding. The expectation is that from the API, we'll be explicitly told about port forwarding. As a result, the contents of the flow-filter will include that infor- mation which will allow us to annotate the packet accordingly to steer the packet through the PortForwarder. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Do not unnecessarily propagate src/dst vpc discriminants. The stateful NAT NF requires packets to have been annotated with both of them, but it only needs them if there is no session. Instead of always retrieving them and passing them along, keep the check that they are present, but just retrieve them from the packet given that we need to pass a reference to it to modify it. Also, given that the flow-filter is the one responsible for determining src & dst vpcd, and annotating that nat is needed, the stateful nat function should never get a packet without those annotations. Therefore, add a debug assert to the existing check. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Extend FlowInfoLocked object with optional state for port forwarding. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Implement TryFrom/From methods for [Tcp|Udp]ProtoKey from port tuples. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
The port-forwarding table is the table that keeps the rules to perform port-forwarding (and address translation) in the datapath. The table is wrapped in a PortFwTableRw object that allows repla- cing it depending on the configuration. A single type is used to both read and replace. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Implement Display for port forwarding table, key and entries. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
This avoids polluting the datapath with error checking and makes sense from a practical standpoint. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
The PortFwState is the custom state associated to a flow entry used to perform src ip/port translation on the reverse path of a port-forwarded flow. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Adds functions to nat source IPs and ports or destination IPs and ports. The functions are specific for port-forwrading since they expect packets to be IP and contain either TCP or UDP payloads. The functions return true if the packet could be updated and false otherwise. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Make FlowInfo::update_status() infallible as it always returns Ok(). Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Fredi-raspall
force-pushed
the
pr/fredi/port-forwarding
branch
3 times, most recently
from
4764633 to
7087c7c
Compare
qmonnet
force-pushed
the
pr/fredi/nat_use_cases
branch
2 times, most recently
from
c7b016c to
0ade936
Compare
Adds functions to: - retrieve port-forwarding state associated to a packet. - create entry on reverse path with port-forwarding state. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
This NF will attempt to perform port-forwarding for all packets. This behavior needs to be changed depending on what the flow-filter does for those packets. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Udp::empty() sets the length of the UDP header to the minimum. This avoids panics when printing test packets since the previous method does not set the length. This will be fixed in another PR. Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
Fredi-raspall
force-pushed
the
pr/fredi/port-forwarding
branch
from
7087c7c to
d46f0ac
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This goes on top of #1257