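This article describes how the VPP NAT plugin forwards packets in the two NAT44-ED configuration scenarios, pre-routing NAT and post-routing NAT, and how the configurations differ. The basic network setup for both modes is as follows:
First, both pre-routing and post-routing NAT require the NAT feature to be enabled and a NAT address pool to be configured. The commands are:
nat44 enable # enable the NAT feature
# The NAT address pool uses the address of the specified interface; an explicit address pool can also be configured, to be looked at later.
nat44 add interface address GigabitEthernet2/2/0
The pre-routing NAT configuration command is:
set interface nat44 in GigabitEthernet2/4/0 out GigabitEthernet2/2/0
Ping 114.114.114.114 from the PC and trace the forwarding path through the NAT module:
### Request packet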
06:53:44:636511: dpdk-input
GigabitEthernet2/4/0 rx queue 0
buffer 0x9a52f: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23494c40
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x35c4 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x749f id 7
06:53:44:636559: ethernet-input
frame: flags 0x3, hw-if-index 3, sw-if-index 3
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
06:53:44:636584: ip4-input-no-checksum
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x35c4 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x749f id 7
06:53:44:636601: ip4-sv-reassembly-feature
[not-fragmented]
06:53:44:636615: nat-pre-in2out
in2out next_index 2 arc_next_index 10
06:53:44:636629: nat44-ed-in2out
NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 3, next index 10, session 1, translation result 'success' via i2of
i2of match: saddr 172.169.1.2 sport 7 daddr 114.114.114.114 dport 7 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.84 daddr 114.114.114.114 icmp-id 64233 txfib 0
o2if match: saddr 114.114.114.114 sport 64233 daddr 192.168.1.84 dport 64233 proto ICMP fib_idx 0 rewrite: daddr 172.169.1.2 icmp-id 7 txfib 0
search key local 172.169.1.2:7 remote 114.114.114.114:7 proto ICMP fib 0 thread-index 32767 session-index 4159776952
06:53:44:636661: ip4-lookup
fib 0 dpo-idx 1 flow hash: 0x00000000
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x2173 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x79bc id 64233
06:53:44:636679: ip4-rewrite
tx_sw_if_index 1 dpo-idx 1 : ipv4 via 192.168.1.1 GigabitEthernet2/2/0: mtu:9000 next:3 flags:[] 446a2ebdb5be000c29076fa40800 flow hash: 0x00000000
00000000: 446a2ebdb5be000c29076fa4080045000054725540003f012273c0a801547272
00000020: 7272080079bcfae90024ce34c8610000000020cc0d00000000001011
06:53:44:636693: GigabitEthernet2/2/0-output
GigabitEthernet2/2/0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x2273 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x79bc id 64233
06:53:44:636708: GigabitEthernet2/2/0-tx
GigabitEthernet2/2/0 tx queue 0
buffer 0x9a52f: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct natted l2-hdr-offset 0 l3-hdr-offset 14
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23494c40
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x2273 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x79bc id 64233
## Reply packet
06:53:44:662713: dpdk-input
GigabitEthernet2/2/0 rx queue 0
buffer 0x95cf1: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x1
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 0, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23773cc0
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 44:6a:2e:bd:b5:be -> 00:0c:29:07:6f:a4
ICMP: 114.114.114.114 -> 192.168.1.84
tos 0x04, ttl 79, length 84, checksum 0x17f3 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x81bc id 64233
06:53:44:662760: ethernet-input
frame: flags 0x3, hw-if-index 1, sw-if-index 1
IP4: 44:6a:2e:bd:b5:be -> 00:0c:29:07:6f:a4
06:53:44:662785: ip4-input-no-checksum
ICMP: 114.114.114.114 -> 192.168.1.84
tos 0x04, ttl 79, length 84, checksum 0x17f3 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x81bc id 64233
06:53:44:662802: ip4-sv-reassembly-feature
[not-fragmented]
06:53:44:662816: nat-pre-out2in
out2in next_index 6 arc_next_index 10
06:53:44:662829: nat44-ed-out2in
NAT44_OUT2IN_ED_FAST_PATH: sw_if_index 1, next index 10, session 1, translation result 'success' via o2if
i2of match: saddr 172.169.1.2 sport 7 daddr 114.114.114.114 dport 7 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.84 daddr 114.114.114.114 icmp-id 64233 txfib 0
o2if match: saddr 114.114.114.114 sport 64233 daddr 192.168.1.84 dport 64233 proto ICMP fib_idx 0 rewrite: daddr 172.169.1.2 icmp-id 7 txfib 0
search key local 114.114.114.114:64233 remote 192.168.1.84:64233 proto ICMP fib 0 thread-index 32767 session-index 4159776952
no reason for slow path
06:53:44:662860: ip4-lookup
fib 0 dpo-idx 6 flow hash: 0x00000000
ICMP: 114.114.114.114 -> 172.169.1.2
tos 0x04, ttl 79, length 84, checksum 0x2c44 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x7c9f id 7
06:53:44:662879: ip4-rewrite
tx_sw_if_index 3 dpo-idx 6 : ipv4 via 172.169.1.2 GigabitEthernet2/4/0: mtu:9000 next:4 flags:[] 000c29076fc2000c29076fb80800 flow hash: 0x00000000
00000000: 000c29076fc2000c29076fb8080045040054acd100004e012d4472727272aca9
00000020: 010200007c9f00070024ce34c8610000000020cc0d00000000001011
06:53:44:662892: GigabitEthernet2/4/0-output
GigabitEthernet2/4/0
IP4: 00:0c:29:07:6f:b8 -> 00:0c:29:07:6f:c2
ICMP: 114.114.114.114 -> 172.169.1.2
tos 0x04, ttl 78, length 84, checksum 0x2d44 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x7c9f id 7
06:53:44:662908: GigabitEthernet2/4/0-tx
GigabitEthernet2/4/0 tx queue 0
buffer 0x95cf1: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x1
ext-hdr-valid
l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14
PKT MBUF: port 0, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23773cc0
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:b8 -> 00:0c:29:07:6f:c2
ICMP: 114.114.114.114 -> 172.169.1.2
tos 0x04, ttl 78, length 84, checksum 0x2d44 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x7c9f id 7
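The post-routing NAT configuration command is:
set interface nat44 out GigabitEthernet2/2/0 output-feature
Pinging 114.114.114.114 from the PC gives the trace below. Only the in2out flow is shown here, because the out2in flow is the same in both modes.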
08:16:37:742858: dpdk-input
GigabitEthernet2/4/0 rx queue 0
buffer 0x98690: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x2341a480
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x894f dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0x9700 id 9
08:16:37:742930: ethernet-input
frame: flags 0x3, hw-if-index 3, sw-if-index 3
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
08:16:37:742954: ip4-input-no-checksum
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x894f dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0x9700 id 9
08:16:37:742971: ip4-lookup
fib 0 dpo-idx 1 flow hash: 0x00000000
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x894f dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0x9700 id 9
08:16:37:742992: ip4-rewrite
tx_sw_if_index 1 dpo-idx 1 : ipv4 via 192.168.1.1 GigabitEthernet2/2/0: mtu:9000 next:3 flags:[features ] 446a2ebdb5be000c29076fa40800 flow hash: 0x00000000
00000000: 446a2ebdb5be000c29076fa40800450000541eca40003f018a4faca901027272
00000020: 727208009700000903923b48c861000000008ce70e00000000001011
08:16:37:743008: ip4-sv-reassembly-output-feature
[not-fragmented]
08:16:37:743022: nat-pre-in2out-output
in2out next_index 4 arc_next_index 11
08:16:37:743035: nat44-ed-in2out-output
NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 3, next index 11, session 5, translation result 'success' via i2of
i2of match: saddr 172.169.1.2 sport 9 daddr 114.114.114.114 dport 9 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.84 daddr 114.114.114.114 icmp-id 51846 txfib 0
o2if match: saddr 114.114.114.114 sport 51846 daddr 192.168.1.84 dport 51846 proto ICMP fib_idx 0 rewrite: daddr 172.169.1.2 icmp-id 9 txfib 0
search key local 172.169.1.2:9 remote 114.114.114.114:9 proto ICMP fib 0 thread-index 32767 session-index 4159776952
08:16:37:743080: GigabitEthernet2/2/0-output
GigabitEthernet2/2/0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x75fe dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0xcc82 id 51846
08:16:37:743093: GigabitEthernet2/2/0-tx
GigabitEthernet2/2/0 tx queue 0
buffer 0x98690: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct natted l2-hdr-offset 0 l3-hdr-offset 14
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x2341a480
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x75fe dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0xcc82 id 51846
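From the traces above, the forwarding flow of NAT44-ED mode can be summarized in the following diagram:
When reading the code, the nodes attached to the interface for post-routing NAT are as follows:
#show interface feat GigabitEthernet2/2/0
ip4-output: # in2out direction
ip4-sv-reassembly-output-feature
nat-pre-in2out-output
ip4-unicast: # out2in direction
ip4-sv-reassembly-feature
nat-pre-out2in
Two things can be learned from this:
1. The NAT module enables pseudo-reassembly (the ip4-sv-reassembly features) by default. Was this also the case in older versions?
2. nat-pre-out2in and nat-pre-in2out-output are the entry points of NAT processing. The nat44-ed-out2in and nat44-ed-in2out nodes in the diagram above do not appear in the feature list; the NAT plugin handles the attachment of its nodes very cleverly. By default, all of its nodes, including the NAT entry nodes, are siblings of a single node, nat-default, and within each node's processing the next node is selected by the processing logic.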
DBGvpp# show node nat-default
node nat-default, type internal, state active, index 90
node function variants:
Name Priority Active Description
default 0 yes default
next nodes:
next-index node-index Node Vectors
0 674 error-drop 0
1 617 ip4-icmp-error 0
2 89 nat44-ed-in2out 0
3 87 nat44-ed-in2out-slowpath 0
4 88 nat44-ed-in2out-output 0
5 86 nat44-ed-in2out-output-slowpat 0
6 83 nat44-ed-out2in 0
7 82 nat44-ed-out2in-slowpath 0
8 80 nat44-in2out-worker-handoff 0
9 78 nat44-out2in-worker-handoff 0
10 613 ip4-lookup 0
11 672 interface-output 0
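An added example, not code from the original article or from the VPP project: a small Python parser that resolves the next_index / arc_next_index values printed by the nat-pre-* nodes against the nat-default next-node table above, and reports whether translation happened before or after ip4-lookup. The function name analyze and the condensed sample traces are assumptions made for illustration.

```python
import re

# next-index -> node, copied from the `show node nat-default` output above
NAT_DEFAULT_NEXT = {
    0: "error-drop", 1: "ip4-icmp-error", 2: "nat44-ed-in2out",
    3: "nat44-ed-in2out-slowpath", 4: "nat44-ed-in2out-output",
    5: "nat44-ed-in2out-output-slowpat", 6: "nat44-ed-out2in",
    7: "nat44-ed-out2in-slowpath", 8: "nat44-in2out-worker-handoff",
    9: "nat44-out2in-worker-handoff", 10: "ip4-lookup", 11: "interface-output",
}
NODE_RE = re.compile(r"^\d+:\d+:\d+:\d+: (\S+)$")   # "06:53:44:636615: nat-pre-in2out"
NEXT_RE = re.compile(r"^(?:in2out|out2in) next_index (\d+) arc_next_index (\d+)$")

def analyze(trace):
    """Return (node path, nat-pre hops resolved via nat-default, NAT placement)."""
    path, hops = [], []
    for line in map(str.strip, trace.splitlines()):
        if m := NODE_RE.match(line):
            path.append(m.group(1))
        elif (m := NEXT_RE.match(line)) and path:
            nxt, arc = (NAT_DEFAULT_NEXT.get(int(g), "unknown") for g in m.groups())
            hops.append((path[-1], nxt, arc))
    nat = next((i for i, n in enumerate(path) if n.startswith("nat44-ed-")), None)
    if nat is None:
        placement = "no NAT node"
    elif "ip4-lookup" in path[:nat]:
        placement = "post-routing"   # translated on the ip4-output arc
    else:
        placement = "pre-routing"    # translated before the FIB lookup
    return path, hops, placement

# Condensed from the two request traces above: node lines and nat-pre lines only
PRE_ROUTING = """\
06:53:44:636601: ip4-sv-reassembly-feature
06:53:44:636615: nat-pre-in2out
  in2out next_index 2 arc_next_index 10
06:53:44:636629: nat44-ed-in2out
06:53:44:636661: ip4-lookup
06:53:44:636679: ip4-rewrite
"""
POST_ROUTING = """\
08:16:37:742971: ip4-lookup
08:16:37:742992: ip4-rewrite
08:16:37:743008: ip4-sv-reassembly-output-feature
08:16:37:743022: nat-pre-in2out-output
  in2out next_index 4 arc_next_index 11
08:16:37:743035: nat44-ed-in2out-output
"""
for name, t in (("pre", PRE_ROUTING), ("post", POST_ROUTING)):
    print(name, *analyze(t)[1:])
```

Running it on a full `show trace` capture works the same way, since lines that are neither node headers nor nat-pre next-index lines are ignored.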
This article is shared from the WeChat official account DPDK VPP源码分析.