[UPG-NAT] Controlled CG-NAT #122
Conversation
upf/pfcp.c
Outdated
| length -= 2; | ||
|
|
||
| if (length < 2) | ||
| return PFCP_CAUSE_INVALID_LENGTH; | ||
|
|
There was a problem hiding this comment.
teh length check is already covered by line 4766
upf/pfcp.c
Outdated
| pfcp_bbf_up_function_features_t *n = | ||
| va_arg (*args, pfcp_bbf_up_function_features_t *); | ||
|
|
||
| s = format (s, "NAT:%u", (*n & BBF_UP_NAT)); |
There was a problem hiding this comment.
| s = format (s, "NAT:%u", (*n & BBF_UP_NAT)); | |
| s = format (s, "NAT:%u", !!(*n & BBF_UP_NAT)); |
upf/pfcp.c
Outdated
| { | ||
| u64 *v = p; | ||
|
|
||
| if (length % 2 != 0 || length < 2) |
There was a problem hiding this comment.
minimum length of this IE is 4 bytes
There was a problem hiding this comment.
check line updated
upf/pfcp.c
Outdated
| put_u16_little (*vec, *v); | ||
| put_u16_little (*vec, *v >> 16); |
There was a problem hiding this comment.
| put_u16_little (*vec, *v); | |
| put_u16_little (*vec, *v >> 16); | |
| put_u32_little (*vec, *v); |
There was a problem hiding this comment.
oh, missed this. thanks
upf/pfcp.c
Outdated
| if (ISSET_BIT(*v, IP_VERSION_4)) | ||
| s = format (s, "IPv4"); | ||
| else | ||
| s = format (s, "IPv6"); |
There was a problem hiding this comment.
both flags can be set (v4 and v6)
| { | ||
| if (!(vec_is_equal (np->network_instance, ue_p->nwi_name))) | ||
| continue; | ||
| pfcp_bbf_nat_port_block_t *block; |
There was a problem hiding this comment.
local variable definition should not follow code
There was a problem hiding this comment.
Sorry, missed this here but fixed for stable branch.
upf/upf_pfcp_api.c
Outdated
| do | ||
| { | ||
| err = | ||
| upf_nat_create_binding (user_ip, addr->ext_addr, port_start, port_end, | ||
| np->vrf_id); | ||
| if (!err) | ||
| { | ||
| addr->used_blocks += 1; | ||
| sx->nat_addr = addr; | ||
| created_binding->block = vec_dup (np->name); | ||
| created_binding->outside_addr.as_u32 = addr->ext_addr.as_u32; | ||
| created_binding->port_range.start_port = port_start; | ||
| created_binding->port_range.end_port = port_end; | ||
| SET_BIT (created_binding->grp.fields, | ||
| TP_CREATED_BINDING_NAT_PORT_BLOCK); | ||
| SET_BIT (created_binding->grp.fields, | ||
| TP_CREATED_BINDING_NAT_OUTSIDE_ADDRESS); | ||
| SET_BIT (created_binding->grp.fields, | ||
| TP_CREATED_BINDING_NAT_EXTERNAL_PORT_RANGE); | ||
| return 0; | ||
| } | ||
| port_start += np->port_block_size; | ||
| port_end = port_start + np->port_block_size; | ||
| } | ||
| while (port_end < np->max_port); |
There was a problem hiding this comment.
I hate this trial and error approach to finding a suitable block
There was a problem hiding this comment.
I've removed this try-err thing out from UPG code and make logic for finding port block inside NAT code.
NAT plugin in full of such constructions in terms of port selection. Now its a part of binding validation procedure.
upf/upf_pfcp.c
Outdated
|
|
||
| ASSERT (ap->used_blocks > 0); | ||
|
|
||
| ap->used_blocks -= 1; |
| @@ -359,7 +367,6 @@ def associate(self): | |||
| IE_NodeId(id_type="FQDN", id="ergw") | |||
| ]), PFCPAssociationSetupResponse) | |||
| self.assertEqual(CauseValues[resp[IE_Cause].cause], "Request accepted") | |||
| self.assertIn(b"vpp", resp[IE_EnterpriseSpecific].data) | |||
There was a problem hiding this comment.
Is this change somehow related to this PR? This is actually a problem (#104), as the build id should contain upg not vpp, but I thought of fixing it separately and not by removing this check, but rather by fixing the id itself and replacing vpp with upg here
There was a problem hiding this comment.
In general, association setup response checks should be enhanced with:
- proper build ID check
- BBF UserPlane Features checks
I think it's worth a separate review
|
LGTM |
upf/upf.c
Outdated
| np = pool_elt_at_index (gtm->nat_pools, p[0]); | ||
|
|
||
| return np; |
There was a problem hiding this comment.
| np = pool_elt_at_index (gtm->nat_pools, p[0]); | |
| return np; | |
| return pool_elt_at_index (gtm->nat_pools, p[0]); |
upf/upf.c
Outdated
| { | ||
| u32 i = 0; | ||
|
|
||
| vec_reset_length (np->addresses); |
There was a problem hiding this comment.
to avoid unnecessary fragmentation, you could used vec_validate to make sure the vector is large enough to hold all entries before going into the loop.
upf/upf_cli.c
Outdated
| { | ||
| .path = "upf nat pool", | ||
| .short_help = | ||
| "upf nat pool nwi <nwi-name> start <ip4-addr> end <ip4-addr> min_port <min-port> max_port <max-port> block_size <port-block-size> vrf <vrf-id> name <name> [del]", |
There was a problem hiding this comment.
A NWI currently uniquely identifies a VRF, it the extra VRF really needed or different from the NWI VRF?
There was a problem hiding this comment.
We are operating nwi name w/o nwi lookup itself. I will add TODO in a code, but removing vrf out will create a cascade of changes to charts.
There was a problem hiding this comment.
"because something somewhere else would need to be redone" is not an argument for leaving this code in a inconsistent state. A TODO for this is only acceptable if it is followed up with some urgency.
There was a problem hiding this comment.
VRF removed as redundant CLI argument
| { | ||
| if (!(vec_is_equal (np->network_instance, ue_p->nwi_name))) | ||
| continue; | ||
| pfcp_bbf_nat_port_block_t *block; |
NAT plugin dedicated changes. ED NAT address and port selection done based on bindings created by UPG plugin.
Fixed PFCP IE ordering for BBF/TP messages. Fixed minor issues in UPG NAT processing.
Also populate Reencode PFCP test .txt files with missing TP IEs.
|
LGTM from my side |
upf/upf.c
Outdated
| return VNET_API_ERROR_NO_SUCH_ENTRY; | ||
|
|
||
| nat_pool = pool_elt_at_index (gtm->nat_pools, p[0]); | ||
| //TBD: nat pool cleanup upf_delete_nat_addresses(nat_pool); |
There was a problem hiding this comment.
removing a NAT pool that used entries would crash at some, right?
upf/upf_cli.c
Outdated
| { | ||
| .path = "upf nat pool", | ||
| .short_help = | ||
| "upf nat pool nwi <nwi-name> start <ip4-addr> end <ip4-addr> min_port <min-port> max_port <max-port> block_size <port-block-size> vrf <vrf-id> name <name> [del]", |
There was a problem hiding this comment.
"because something somewhere else would need to be redone" is not an argument for leaving this code in a inconsistent state. A TODO for this is only acceptable if it is followed up with some urgency.
sergeymatov
force-pushed
the
exp/cg-nat
branch
4 times, most recently
from
d81f68c
to
169da0c
Compare
upf/upf_cli.c
Outdated
| // something like this). To avoid this, two strings could be picked | ||
| // in single unformat call. Probably Address Sanitaizer should be | ||
| // used to identify problems with unformatting input line | ||
| else if (unformat (line_input, "nwi %_%v%_ name %_%v%_", &nwi_s, &name)) |
There was a problem hiding this comment.
it seems that "%s" does not suffer from this problem. It would therefore be possible to scan the names as string and then convert them to vectors.
That would IMHO be a better workaround.
There was a problem hiding this comment.
Looking at the full function also makes me wonder if the fact that name is not initialized to zero might play a role in the problem.
There was a problem hiding this comment.
Initiation of name vectors to 0 resolves the issue, so I've removed W/A.
Thanks for good notice
Changes: - Remove redundant vrf_id from "upf nat pool" cli from code and upf scapy tests. - Free nat addresses vector on nat pool deletion. - Code optimization and cleanup.
In order to allow UPG perform CG-NAT function following changes has been introduced:
To UPG:
To NAT plugin: