T7181: VPP add initial source NAT implentation

[sever-sever]

Change Summary

Add initial source NAT implementation

set vpp nat44 source inbound-interface 'eth2'
set vpp nat44 source outbound-interface 'eth1'
set vpp nat44 source translation address '192.0.2.1-192.0.2.2'

Add initial simple implementation of the source NAT In the future, we'll extend it to the rules if it is possible to do via VPP API

https://github.com/FDio/vpp/blob/stable/2410/src/plugins/nat/nat44-ed/nat44_ed.api

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Code style update (formatting, renaming)
• Refactoring (no functional changes)
• Other (please describe):

Related Task(s)

• https://vyos.dev/T7181

Related PR(s)

Proposed changes

How to test

set interfaces ethernet eth1 address '192.0.2.1/30'
set interfaces ethernet eth2 address '100.64.0.1/24'

set vpp settings lcp ignore-kernel-routes
set vpp settings interface eth1 driver 'dpdk'
set vpp settings interface eth2 driver 'dpdk'
set vpp settings unix poll-sleep-usec '123'

set vpp nat44 source inbound-interface 'eth2'
set vpp nat44 source outbound-interface 'eth1'
set vpp nat44 source translation address '192.168.122.21-192.168.122.22'

Check VPP

vyos@r14# sudo vppctl show nat44 sum
max translations per thread: 64512 fib 0
icmp LRU min session timeout 1754 (now 1695)
total sessions: 1 (timed out: 0)
tcp sessions:
    total: 0 (timed out: 0)
        established: 0 (timed out: 0)
        transitory: 0 (timed out: 0)
udp sessions:
    total: 0 (timed out: 0)
icmp sessions:
    total: 1 (timed out: 0)
other sessions:
    total: 0 (timed out: 0)
[edit]
vyos@r14# 
[edit]
vyos@r14# 
[edit]
vyos@r14# sudo vppctl show nat44 interfaces
NAT44 interfaces:
 eth1 output-feature in out
[edit]
vyos@r14# 
[edit]
vyos@r14# 
[edit]
vyos@r14# sudo vppctl show nat44 addr
NAT44 pool addresses:
192.168.122.21
  tenant VRF: 0
192.168.122.22
  tenant VRF: 0
NAT44 twice-nat pool addresses:
[edit]
vyos@r14# 
[edit]
vyos@r14# 
[edit]
vyos@r14# sudo vppctl show nat44 sessions
NAT44 ED sessions:
-------- thread 0 vpp_main: 1 sessions --------
    i2o 192.0.2.1 proto ICMP port 3924 fib 0
    o2i 192.168.122.21 proto ICMP port 3924 fib 0
       external host 192.0.2.2:3924
       i2o flow: match: saddr 192.0.2.1 sport 3924 daddr 192.0.2.2 dport 3924 proto ICMP fib_idx 0 rewrite: saddr 192.168.122.21 daddr 192.0.2.2 icmp-id 3924 txfib 0 
       o2i flow: match: saddr 192.0.2.2 sport 3924 daddr 192.168.122.21 dport 3924 proto ICMP fib_idx 0 rewrite: saddr 192.0.2.2 daddr 192.0.2.1 icmp-id 3924 txfib 0 
       index 0
       last heard 1726.25
       timeout in 59.45
       total pkts 268, total bytes 26264
       dynamic translation

[edit]
vyos@r14# 

Some real sessions:

vpp# show nat44 sessions 
NAT44 ED sessions:
-------- thread 0 vpp_main: 81 sessions --------
    i2o 100.64.0.10 proto UDP port 53871 fib 0
    o2i 192.168.122.22 proto UDP port 53871 fib 0
       external host 1.1.1.1:53
       i2o flow: match: saddr 100.64.0.10 sport 53871 daddr 1.1.1.1 dport 53 proto UDP fib_idx 0 rewrite: saddr 192.168.122.22 sport 53871 daddr 1.1.1.1 dport 53 txfib 0 
       o2i flow: match: saddr 1.1.1.1 sport 53 daddr 192.168.122.22 dport 53871 proto UDP fib_idx 0 rewrite: saddr 1.1.1.1 daddr 100.64.0.10 dport 53871 txfib 0 
       index 0
       last heard 106.68
       timeout in 266.56
       total pkts 2, total bytes 200
       dynamic translation

    i2o 192.168.122.14 proto UDP port 37208 fib 0
    o2i 192.168.122.22 proto UDP port 37208 fib 0
       external host 34.206.168.146:123
       i2o flow: match: saddr 192.168.122.14 sport 37208 daddr 34.206.168.146 dport 123 proto UDP fib_idx 0 rewrite: saddr 192.168.122.22 sport 37208 daddr 34.206.168.146 dport 123 txfib 0 
       o2i flow: match: saddr 34.206.168.146 sport 123 daddr 192.168.122.22 dport 37208 proto UDP fib_idx 0 rewrite: saddr 34.206.168.146 daddr 192.168.122.14 dport 37208 txfib 0 
       index 1
       last heard 24.26
       timeout in 184.14
       total pkts 2, total bytes 166
       dynamic translation

    i2o 100.64.0.10 proto UDP port 36670 fib 0
    o2i 192.168.122.22 proto UDP port 36670 fib 0
       external host 1.1.1.1:53
       i2o flow: match: saddr 100.64.0.10 sport 36670 daddr 1.1.1.1 dport 53 proto UDP fib_idx 0 rewrite: saddr 192.168.122.22 sport 36670 daddr 1.1.1.1 dport 53 txfib 0 
       o2i flow: match: saddr 1.1.1.1 sport 53 daddr 192.168.122.22 dport 36670 proto UDP fib_idx 0 rewrite: saddr 1.1.1.1 daddr 100.64.0.10 dport 36670 txfib 0 
       index 2
       last heard 121.71
       timeout in 281.59
       total pkts 2, total bytes 200
       dynamic translation
                                                                               
    i2o 100.64.0.10 proto UDP port 48524 fib 0
    o2i 192.168.122.22 proto UDP port 48524 fib 0
       external host 1.1.1.1:53
       i2o flow: match: saddr 100.64.0.10 sport 48524 daddr 1.1.1.1 dport 53 proto UDP fib_idx 0 rewrite: saddr 192.168.122.22 sport 48524 daddr 1.1.1.1 dport 53 txfib 0 
       o2i flow: match: saddr 1.1.1.1 sport 53 daddr 192.168.122.22 dport 48524 proto UDP fib_idx 0 rewrite: saddr 1.1.1.1 daddr 100.64.0.10 dport 48524 txfib 0 
       index 3
       last heard 65.47
       timeout in 225.36
       total pkts 2, total bytes 140
       dynamic translation

    i2o 100.64.0.10 proto UDP port 54071 fib 0
    o2i 192.168.122.22 proto UDP port 54071 fib 0
       external host 1.1.1.1:53
       i2o flow: match: saddr 100.64.0.10 sport 54071 daddr 1.1.1.1 dport 53 proto UDP fib_idx 0 rewrite: saddr 192.168.122.22 sport 54071 daddr 1.1.1.1 dport 53 txfib 0 
       o2i flow: match: saddr 1.1.1.1 sport 53 daddr 192.168.122.22 dport 54071 
proto UDP fib_idx 0 rewrite: saddr 1.1.1.1 daddr 100.64.0.10 dport 54071 txfib 0 
       index 4
       last heard 65.58
       timeout in 225.47
       total pkts 4, total bytes 292
       dynamic translation

Checklist:

• I have read the CONTRIBUTING document
• I have linked this PR to one or more Phabricator Task(s)
• My commit headlines contain a valid Task id
• My change requires a change to the documentation
• I have updated the documentation accordingly

[dmbaturin]

I think it's a good start but we should think how we will extend that syntax when we add more options. My particular concern is how do we plan to go about identity mapping. We should design the CLI now to ensure that those things can be added without config syntax changes and migration scripts.

[dmbaturin]

What's the default value for the number of sessions per thread? The docs use examples like nat44 plugin enable sessions 10000. Is the default unlimited?

[sever-sever]

I cant find default value, what I saw some calculations here FDio/vpp@5f694d1

vpp# show nat44 summary 
max translations per thread: 64512 fib 0
transitory tcp LRU min session timeout 1376 (now 1136)
udp LRU min session timeout 1007 (now 1136)
icmp LRU min session timeout 1196 (now 1136)
total sessions: 6 (timed out: 1)
tcp sessions:
    total: 1 (timed out: 0)
        established: 0 (timed out: 0)
        transitory: 1 (timed out: 0)
udp sessions:
    total: 4 (timed out: 1)
icmp sessions:
    total: 1 (timed out: 0)
other sessions:
    total: 0 (timed out: 0)
vpp# 

[dmbaturin]

There are examples in the dynamic NAT section like nat44 add address 10.0.1.1 where it's using a single external address. In other places the "address pool" is an interface name.

It can also take options such as tenant-vrf or twice-nat.

Expanding a leaf node to support those things will require an incompatible change and a migration script, so I think we should make a plan for extending it right away.

The translation-pool option certainly shouldn't be a leaf node. We should likely have mutually-exclusive sub-nodes there like range, address, and interface. Ideally, they should be grouped under a node, although I'm not sure what we might call that node... external?

[sever-sever]

Changed translation-pool to translation address x.x.x.x

set vpp nat44 source translation address '192.0.2.1'

possible usage with a range

set vpp nat44 source translation address '192.0.2.1-192.0.2.2'

[sever-sever]

PoC works; it is necessary to think about CLI style and possible configuration options based on the VPP API.
It will be in draft state until we decide what and how to do with it. This PR is a good start to show what can be done with minimal settings. Feel free to claim it if you want to proceed with it.

We can talk about any ideas about this stuff here.