Natmgrd changes in sonic-swss sub module to support NAT feature. #1059
rlhui merged 12 commits into sonic-net:master from
816a7e2 to 45e30bf
cfgmgr/intfmgr.cpp
| { | ||
| FieldValueTuple t("nat_zone", nat_zone); | ||
| fvVector.push_back(t); | ||
| m_appIntfTableProducer.set(alias, fvVector); |
set is at the end of outer if (!is_lo)
This set is specific to nat_zone only, so using a new "fvVector" variable for it.
After resolving merge conflicts, doing the set at the end of the outer if (!is_lo).
cfgmgr/natmgr.cpp
| m_cfgNatPoolTable(cfgDb, CFG_NAT_POOL_TABLE_NAME), | ||
| m_cfgNatBindingsTable(cfgDb, CFG_NAT_BINDINGS_TABLE_NAME), | ||
| m_cfgNatGlobalTable(cfgDb, CFG_NAT_GLOBAL_TABLE_NAME), | ||
| m_cfgInterfaceTable(cfgDb, CFG_INTF_TABLE_NAME), |
intfmgr is responsible for that table
I have removed these lines, but NatMgr is also a consumer of the Interface Tables, to get the configured nat_zone value on every interface, which will be used as a mark value (zone + 1) in iptables rules.
cfgmgr/natmgr.cpp
| m_cfgLagInterfaceTable(cfgDb, CFG_LAG_INTF_TABLE_NAME), | ||
| m_cfgVlanInterfaceTable(cfgDb, CFG_VLAN_INTF_TABLE_NAME), | ||
| m_cfgLoopbackInterfaceTable(cfgDb, CFG_LOOPBACK_INTERFACE_TABLE_NAME), | ||
| m_cfgNatAclTable(cfgDb, CFG_ACL_TABLE_NAME), | ||
| m_cfgNatAclRuleTable(cfgDb, CFG_ACL_RULE_TABLE_NAME), |
Each table has a single manager that should handle it, and these tables don't belong to the NAT manager.
I have removed these lines, but NatMgr is also a consumer of the Interface Tables, to get the configured nat_zone value on every interface, which will be used as a mark value (zone + 1) in iptables rules and in ACL tables as well.
| /* Clean the NAT iptables */ | ||
| std::string res; | ||
| const std::string cmds = std::string("") + IPTABLES_CMD + " -F -t nat "; |
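Review bot: `-F -t nat` flushes every chain of the nat table, not only the rules natmgr owns, so any nat rules another component on the switch has programmed are silently dropped each time natmgrd starts or restarts; flushing a chain dedicated to this feature, or deleting only the rules natmgr itself added, limits the blast radius of a daemon restart. Minor: `std::string("") + IPTABLES_CMD` can simply be `std::string(IPTABLES_CMD)`.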
Why clear iptables before start?
Before the NAT application starts, wanted to clear any stale nat iptables rules.
| } | ||
| /* To check the give global_ip is withing the Prefix subnet or not */ | ||
| bool NatMgr::isGlobalIpMatching(const string &prefix, const string &global_ip) |
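Review bot: the comment on the new helper has two typos ("give", "withing"); suggest `/* Check whether the given global_ip is within the prefix subnet */`. A name such as isIpInPrefix would also describe the check more directly than isGlobalIpMatching.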
This would fit as a method in IpPrefix class
Yes, will move it to IpPrefix class in next patch.
| char ipAddr[INET_ADDRSTRLEN]; | ||
| std::vector<swss::FieldValueTuple> values; | ||
| if (!port_range.empty() and (port_range != "NULL")) |
First check if not NULL?
No. When a pool is created with only an IP address, the "nat_port" value is set to the "NULL" string, like below:
root@sonic:/home/admin# config nat add pool p1 65.55.42.5
root@sonic:/home/admin# redis-cli -n 4
127.0.0.1:6379[4]> keys NA
1) "NAT_POOL|p1"
127.0.0.1:6379[4]> hgetall NAT_POOL|p1
1) "nat_port"
2) "NULL"
3) "nat_ip"
4) "65.55.42.5"
127.0.0.1:6379[4]> exit
root@sonic:/home/admin#
| ipv4_addr_low = ntohl(ipv4_addr_low); | ||
| } | ||
| for (ip = ipv4_addr_low; ip <= ipv4_addr_high; ip++) |
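Review bot: if `ip` is a 32-bit unsigned, as the ntohl() result above suggests, `ip <= ipv4_addr_high` can never become false when ipv4_addr_high is 0xFFFFFFFF, because ip wraps to 0 after the last increment and the loop never terminates; iterate with a 64-bit counter or break when ip == ipv4_addr_high. Also, since every address in the range gets its own table write, a wide nat_ip range turns into a very large number of DB entries, so a bound on the range size (or a range-based representation) is worth considering.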
Why set like this and not as a range?
Here m_appNaptPoolIpTable is used by the NatSyncd code to know whether the packet notified by the conntrack table is NAPT'ed or NAT'ed.
For example, create a NAT pool to do NAPT like "config nat add pool p1 65.55.42.5 100-200".
If a packet comes to the CPU with Src IP 12.0.0.1 and Src port 100, it gets SNAPT'ed to Src IP 65.55.42.5 and Src port 100; the kernel picks "100" as it is available from the pool.
So the kernel doesn't set any separate flags in the conntrack entry if it is NAPT'ed. Only the SNAT/DNAT flags are set in the conntrack entry that is notified to natsyncd.
When the translated port number is the same, natsyncd will not be able to say if it is NAT'ed or NAPT'ed. So the NaptPoolIpTable is added for every IP address in the pool to help natsyncd pick the conntrack notifications as NAPT and add them as NAPT entries in the APP_DB.
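A worked model of the reasoning in the comment above, added here as an example and not code from sonic-swss. It parses a NAT_POOL entry (field names nat_ip and nat_port as in the redis-cli output shown in this thread, "NULL" meaning no port range), expands the pool into the per-address table natmgr populates, and then labels a constructed conntrack notification NAT or NAPT by membership of the translated address in that table. The struct and function names (NatPool, ConntrackEvent, expandPoolIps, classifyEvent) and the simplified event model are assumptions for the example; the range loop uses a 64-bit counter so a range ending at 255.255.255.255 terminates.

```cpp
// Added example, not sonic-swss code: why natmgr writes one NAPT-pool-IP
// table entry per pool address, and how a natsyncd-style consumer uses it.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <cstdint>
#include <set>
#include <string>
#include <vector>

// Simplified view of a CONFIG_DB NAT_POOL entry (struct is an assumption;
// field names follow the redis-cli output in the thread).
struct NatPool {
    std::string nat_ip;    // "a.b.c.d" or "a.b.c.d-e.f.g.h"
    std::string nat_port;  // "NULL" (no ports) or "low-high"
};

// A pool carries ports only when nat_port is present and not the "NULL" sentinel.
bool isNaptPool(const NatPool &p) {
    return !p.nat_port.empty() && p.nat_port != "NULL";
}

// Dotted quad -> host-order address; false on malformed input.
static bool ipv4ToHost(const std::string &s, uint32_t &out) {
    in_addr a{};
    if (inet_pton(AF_INET, s.c_str(), &a) != 1) return false;
    out = ntohl(a.s_addr);
    return true;
}

static std::string hostToIpv4(uint32_t ip) {
    in_addr a{};
    a.s_addr = htonl(ip);
    char buf[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &a, buf, sizeof(buf));
    return std::string(buf);
}

// Expand nat_ip into every address of the range. The loop counter is 64-bit
// so a range ending at 255.255.255.255 terminates instead of wrapping.
std::vector<std::string> expandPoolIps(const std::string &nat_ip) {
    std::vector<std::string> out;
    std::string lowS = nat_ip, highS = nat_ip;
    std::string::size_type dash = nat_ip.find('-');
    if (dash != std::string::npos) {
        lowS = nat_ip.substr(0, dash);
        highS = nat_ip.substr(dash + 1);
    }
    uint32_t low = 0, high = 0;
    if (!ipv4ToHost(lowS, low) || !ipv4ToHost(highS, high) || low > high) return out;
    for (uint64_t ip = low; ip <= high; ++ip) {
        out.push_back(hostToIpv4(static_cast<uint32_t>(ip)));
    }
    return out;
}

// Equivalent of the per-IP NAPT pool table: every address of every NAPT pool.
std::set<std::string> buildNaptPoolIpTable(const std::vector<NatPool> &pools) {
    std::set<std::string> table;
    for (const NatPool &p : pools) {
        if (!isNaptPool(p)) continue;
        for (const std::string &ip : expandPoolIps(p.nat_ip)) table.insert(ip);
    }
    return table;
}

// Constructed stand-in for a conntrack notification: the kernel only flags
// SNAT/DNAT; it does not say whether the port was translated as well.
struct ConntrackEvent {
    bool natFlagged;           // SNAT or DNAT flag present
    std::string translatedIp;  // address after translation
    uint16_t translatedPort;   // port after translation (may equal the original)
};

// Label the entry as the comment describes: membership of the translated
// address in a NAPT pool decides NAPT vs NAT, whatever the port value is.
std::string classifyEvent(const ConntrackEvent &e, const std::set<std::string> &naptIps) {
    if (!e.natFlagged) return "not-nat";
    return naptIps.count(e.translatedIp) ? "NAPT" : "NAT";
}

int main() {
    std::vector<NatPool> pools = {{"65.55.42.5", "100-200"}, {"65.55.42.6", "NULL"}};
    std::set<std::string> table = buildNaptPoolIpTable(pools);
    // Port 100 -> 100 gives no hint; only the pool table distinguishes these two.
    ConntrackEvent napt{true, "65.55.42.5", 100};
    ConntrackEvent nat{true, "65.55.42.6", 100};
    return (classifyEvent(napt, table) == "NAPT" && classifyEvent(nat, table) == "NAT") ? 0 : 1;
}
```

The two events in main() carry the same translated port, which is exactly the case the comment describes: nothing in the notification itself separates them, and the classification comes entirely from the pool table.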
marian-pritsak left a comment
The PR is very substantial. Can you please split it by the daemon it is related to? I think it won't break it.
@marian-pritsak Yes right, created PRs for orchagent (#1125) and natsyncd (#1126).
arlakshm left a comment
Are these pytest changes present in PR 1125? I could not find them. Kindly confirm.
Added pytest changes in PR 1125.
- Added natmgr and natorch changes.
- Added nat Zone related changes.
- Added Warm reboot changes.
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
7d2c620 to 3fcfea3
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
Retest this please.
retest this please.
Retest this please.
Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com
…#1059) Filter fdb was wiping out IPv4 entries when both IPv4 and IPv6 are associated with VLan interface. The reason is IPv6 network was overwriting IPv4 network. This pr add support to filter both IPv4 and IPv6 addresses signed-off-by: Tamer Ahmed <tamer.ahmed@microsoft.com>
The previous regex can only match one device, so the original MACsec devices cannot be cleaned up by config reload.
…c-net#1059 Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com
Added natmgr and intfmgr changes.
Link to NAT HLD : https://github.com/Azure/SONiC/blob/master/doc/nat/nat_design_spec.md
Depends on:
sonic-swss : #1126 and #1125
sonic-swss-common : sonic-net/sonic-swss-common#304
sonic-linux-kernel : sonic-net/sonic-linux-kernel#100
sonic-sairedis : sonic-net/sonic-sairedis#519
Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com