Changes in swss-utilities submodule to support NAT feature. #645
Conversation
|
|
| """Add Static NAT-related configutation""" | ||
|
|
||
| # Verify the ip address format | ||
| if is_valid_ipv4_address(local_ip) is False: |
There was a problem hiding this comment.
The function is_valid_ipv4_address rejects if the ip is reserved IP address. Will this block use of some private ip ranges as local ip address ?
There was a problem hiding this comment.
@arlakshm No, It won't block the private ip addresses. Function "is_reserved()" will check for IETF reserved ip addresses (Ex. 240.0.0.0/4). For private address checking, "is_private()" function is used.
Signed-off-by: akhilesh.samineni@broadcom.com
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
AkhileshSamineni
force-pushed
the
nat_changes_in_sonic
branch
from
fe51425
to
a3273d5
Compare
config/nat.py
Outdated
| if 'SNAT_ENTRIES' in counter_entry: | ||
| snat_entries = counter_entry['SNAT_ENTRIES'] | ||
|
|
||
| if int(snat_entries) >= 1024: |
There was a problem hiding this comment.
This limit of 1k entries is for SNAT or DNAT or overall static nat entry limit ?
Is this a Software limit or hardware limit ?
There was a problem hiding this comment.
1K is hardware limitation only, Both SNAT and DNAT limits the entries to 1k.
Single Static NAT entry creates a SNAT and DNAT entry is hardware.
There was a problem hiding this comment.
Do we have a way to query this limit from HW?
There was a problem hiding this comment.
Yes, Added "MAX_ENTRIES" in counter_db which will be queried from HW at natorch code.
| """Enbale the NAT feature """ | ||
| config_db = ConfigDBConnector() | ||
| config_db.connect() | ||
| config_db.mod_entry("NAT_GLOBAL", "Values", {"admin_mode": "enabled"}) |
There was a problem hiding this comment.
When NAT is enabled but no timeout is configured, what will be the default timeout value ?
There was a problem hiding this comment.
For NAT entries, the default timeout is 600 seconds.
For NAPT entries, the default tcp timeout is 86400 seconds and udp timeout is 300 seconds.
When NAT is enabled, default timeouts are set in NatMgr code if timeouts are not configured before NAT enabled.
config/nat.py
Outdated
| from swsssdk import ConfigDBConnector | ||
| from swsssdk import SonicV2Connector | ||
|
|
||
| TABLE_NAME_SEPARATOR = '|' |
There was a problem hiding this comment.
I think TABLE_NAME_SEPERATOR should be defined somewhere in swsssdk
There was a problem hiding this comment.
Yes, TABLE_NAME_SEPERATOR is defined in ConfigDBConnector from swsssdk.
Not using the TABLE_NAME_SEPERATOR, removed this variable.
config/nat.py
Outdated
| ip = ipaddress.IPv4Address(address) | ||
| if (ip.is_reserved) or (ip.is_multicast) or (ip.is_loopback) or (address in invalid_list): | ||
| return False | ||
| except: |
There was a problem hiding this comment.
Only IPv4Address creation can throw here, could you be more specific in except statement?
There was a problem hiding this comment.
Added "AddressValueError" exception here.
config/nat.py
Outdated
| return False | ||
| try: | ||
| netaddr.IPNetwork(val) | ||
| except: |
There was a problem hiding this comment.
It will be good to be more specific in except
There was a problem hiding this comment.
Not needed this function, removed it.
config/nat.py
Outdated
| except ValueError: | ||
| return False | ||
|
|
||
| if ((port_address < 1) or (port_address > 65535)): |
There was a problem hiding this comment.
if port_address not in xrange(1, 65535):looks more python-way
config/nat.py
Outdated
| @@ -0,0 +1,1104 @@ | |||
| #!/usr/bin/env python -u | |||
There was a problem hiding this comment.
Why '-u' flag is needed ?
There was a problem hiding this comment.
Not needed actually, removed it.
| elif interface_name.startswith("Vlan"): | ||
| interface_dict = config_db.get_table('VLAN') | ||
| elif interface_name.startswith("Loopback"): | ||
| return True |
There was a problem hiding this comment.
Don't we need to check LOOPBACK_INTERFACE table?
There was a problem hiding this comment.
In this function, checking for PORT, VLAN, PORTCHANNEL tables and for Loopback we don't have a LOOPBACK table, so returning True for it.
The verification of INTERFACE tables like LOOPBACK_INTERFACE tables are happens at add_interface(..) and remove_interface(..) functions.
config/nat.py
Outdated
| if 'SNAT_ENTRIES' in counter_entry: | ||
| snat_entries = counter_entry['SNAT_ENTRIES'] | ||
|
|
||
| if int(snat_entries) >= 1024: |
There was a problem hiding this comment.
Do we have a way to query this limit from HW?
| import subprocess | ||
|
|
||
| def main(): | ||
| ctdumpcmd = 'conntrack -L -j > /host/warmboot/nat/nat_entries.dump' |
There was a problem hiding this comment.
'conntrack -L -j' output may have a lot of entries. I'm looking at https://github.com/Azure/sonic-buildimage/pull/3494/files#diff-dc200de8bc4641995c83a89e61e3c32cR51 where it is parsed using a complex regular expressions during warm start.
My concern is that parsing that output during system start can consume a lot of cpu in case of huge amount of entries. Did you test this part and impact on system warm reboot?
Right now sonic seems to have performance degradation comparing to 201811 release during system warm start causing LAG/BGP flapping on some platforms.
IMO, dumping this output in a fast-loadable format (like json) during warm start is preferred.
There was a problem hiding this comment.
This option can be explored. We can do it in a separate PR ?
scripts/fast-reboot
Outdated
| # Kill nat docker after saving the conntrack table | ||
| debug "Stopping nat ..." | ||
| /usr/bin/dump_nat_entries.py | ||
| docker kill nat > /dev/null |
There was a problem hiding this comment.
To avoid systemd restart the service automatically after kill you should add 'systemctl stop nat'
scripts/fast-reboot
Outdated
| @@ -410,6 +410,12 @@ docker exec -i bgp pkill -9 zebra | |||
| docker exec -i bgp pkill -9 bgpd || [ $? == 1 ] | |||
| debug "Stopped bgp ..." | |||
|
|
|||
| # Kill nat docker after saving the conntrack table | |||
| debug "Stopping nat ..." | |||
| /usr/bin/dump_nat_entries.py | |||
There was a problem hiding this comment.
Any reason to put this after stopping radv, bgp ? If we stop before it will have no impact on bgp restart timeout
There was a problem hiding this comment.
No specific reason. moved it to before radv.
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
@stepanblyschak |
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
|
Retest this please. |
3 similar comments
|
Retest this please. |
|
Retest this please. |
|
Retest this please. |
|
retest this please |
Signed-off-by: akhilesh.samineni@broadcom.com
Signed-off-by: akhilesh.samineni@broadcom.com
Added new commands to supports NAT feature
Config Commands:
config nat add static basic {global-ip} {local-ip} -nat_type {snat/dnat} -twice_nat_id {value}
config nat remove static basic {global-ip} {local-ip}
config nat add static {tcp | udp} {global-ip} {global-port} {local-ip} {local-port} -nat_type {snat | dnat} -twice_nat_id {value}
config nat remove static {tcp | udp} {global-ip} {global-port} {local-ip} {local-port}
config nat remove static all
config nat add pool {pool-name} {global-ip-range} {global-port-range}
config nat remove pool {pool-name}
config nat remove pools
config nat add binding {binding-name} {pool-name} {acl-name} -nat_type {snat | dnat} -twice_nat_id {value}
config nat remove binding {binding-name}
config nat remove bindings
config nat add interface {interface-name} {-nat_zone {zone-value}}
config nat remove interface {interface-name}
config nat remove interfaces
config nat set timeout {secs}
config nat reset timeout
config nat feature {enable | disable}
config nat set udp-timeout {secs}
config nat reset udp-timeout
config nat set tcp-timeout {secs}
config nat reset tcp-timeout
Show Commands:
show nat translations
show nat statistics
show nat config static
show nat config pool
show nat config bindings
show nat config globalvalues
show nat config zones
show nat translations count
show nat config
Clear Commands:
sonic-clear nat translations
sonic-clear nat statistics
Link to NAT HLD : https://github.com/kirankella/SONiC/blob/nat_doc_changes/doc/nat/nat_design_spec.md
Signed-off-by: akhilesh.samineni@broadcom.com