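learning: The two NAT-ED configuration modes
Time: 2023-06-13 09:16:29
This article describes how the forwarding flow and the configuration differ between the two NAT44-ed configuration scenarios of the VPP nat plugin: NAT before routing and NAT after routing. The basic network topology for both modes is as follows:
NAT44-ed: NAT before routing
Whether NAT is done before or after routing, the NAT feature must first be enabled and a NAT address pool configured. The commands are: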
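nat44 enable # enable the NAT feature
# The NAT address pool uses the address of the specified interface; an explicit address pool can also be configured, to be studied later.
nat44 add interface address GigabitEthernet2/2/0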
The command that configures NAT before routing is:
set interface nat44 in GigabitEthernet2/4/0 out GigabitEthernet2/2/0
Ping 114.114.114.114 from the PC and look at the forwarding flow through the nat module:
### Request packet
06:53:44:636511: dpdk-input
GigabitEthernet2/4/0 rx queue 0
buffer 0x9a52f: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23494c40
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x35c4 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x749f id 7
06:53:44:636559: ethernet-input
frame: flags 0x3, hw-if-index 3, sw-if-index 3
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
06:53:44:636584: ip4-input-no-checksum
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x35c4 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x749f id 7
06:53:44:636601: ip4-sv-reassembly-feature
[not-fragmented]
06:53:44:636615: nat-pre-in2out
in2out next_index 2 arc_next_index 10
06:53:44:636629: nat44-ed-in2out
NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 3, next index 10, session 1, translation result 'success' via i2of
i2of match: saddr 172.169.1.2 sport 7 daddr 114.114.114.114 dport 7 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.84 daddr 114.114.114.114 icmp-id 64233 txfib 0
o2if match: saddr 114.114.114.114 sport 64233 daddr 192.168.1.84 dport 64233 proto ICMP fib_idx 0 rewrite: daddr 172.169.1.2 icmp-id 7 txfib 0
search key local 172.169.1.2:7 remote 114.114.114.114:7 proto ICMP fib 0 thread-index 32767 session-index 4159776952
06:53:44:636661: ip4-lookup
fib 0 dpo-idx 1 flow hash: 0x00000000
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x2173 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x79bc id 64233
06:53:44:636679: ip4-rewrite
tx_sw_if_index 1 dpo-idx 1 : ipv4 via 192.168.1.1 GigabitEthernet2/2/0: mtu:9000 next:3 flags:[] 446a2ebdb5be000c29076fa40800 flow hash: 0x00000000
00000000: 446a2ebdb5be000c29076fa4080045000054725540003f012273c0a801547272
00000020: 7272080079bcfae90024ce34c8610000000020cc0d00000000001011
06:53:44:636693: GigabitEthernet2/2/0-output
GigabitEthernet2/2/0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x2273 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x79bc id 64233
06:53:44:636708: GigabitEthernet2/2/0-tx
GigabitEthernet2/2/0 tx queue 0
buffer 0x9a52f: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct natted l2-hdr-offset 0 l3-hdr-offset 14
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23494c40
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x2273 dscp CS0 ecn NON_ECN
fragment id 0x7255, flags DONT_FRAGMENT
ICMP echo_request checksum 0x79bc id 64233
## Reply packet
06:53:44:662713: dpdk-input
GigabitEthernet2/2/0 rx queue 0
buffer 0x95cf1: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x1
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 0, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23773cc0
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 44:6a:2e:bd:b5:be -> 00:0c:29:07:6f:a4
ICMP: 114.114.114.114 -> 192.168.1.84
tos 0x04, ttl 79, length 84, checksum 0x17f3 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x81bc id 64233
06:53:44:662760: ethernet-input
frame: flags 0x3, hw-if-index 1, sw-if-index 1
IP4: 44:6a:2e:bd:b5:be -> 00:0c:29:07:6f:a4
06:53:44:662785: ip4-input-no-checksum
ICMP: 114.114.114.114 -> 192.168.1.84
tos 0x04, ttl 79, length 84, checksum 0x17f3 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x81bc id 64233
06:53:44:662802: ip4-sv-reassembly-feature
[not-fragmented]
06:53:44:662816: nat-pre-out2in
out2in next_index 6 arc_next_index 10
06:53:44:662829: nat44-ed-out2in
NAT44_OUT2IN_ED_FAST_PATH: sw_if_index 1, next index 10, session 1, translation result 'success' via o2if
i2of match: saddr 172.169.1.2 sport 7 daddr 114.114.114.114 dport 7 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.84 daddr 114.114.114.114 icmp-id 64233 txfib 0
o2if match: saddr 114.114.114.114 sport 64233 daddr 192.168.1.84 dport 64233 proto ICMP fib_idx 0 rewrite: daddr 172.169.1.2 icmp-id 7 txfib 0
search key local 114.114.114.114:64233 remote 192.168.1.84:64233 proto ICMP fib 0 thread-index 32767 session-index 4159776952
no reason for slow path
06:53:44:662860: ip4-lookup
fib 0 dpo-idx 6 flow hash: 0x00000000
ICMP: 114.114.114.114 -> 172.169.1.2
tos 0x04, ttl 79, length 84, checksum 0x2c44 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x7c9f id 7
06:53:44:662879: ip4-rewrite
tx_sw_if_index 3 dpo-idx 6 : ipv4 via 172.169.1.2 GigabitEthernet2/4/0: mtu:9000 next:4 flags:[] 000c29076fc2000c29076fb80800 flow hash: 0x00000000
00000000: 000c29076fc2000c29076fb8080045040054acd100004e012d4472727272aca9
00000020: 010200007c9f00070024ce34c8610000000020cc0d00000000001011
06:53:44:662892: GigabitEthernet2/4/0-output
GigabitEthernet2/4/0
IP4: 00:0c:29:07:6f:b8 -> 00:0c:29:07:6f:c2
ICMP: 114.114.114.114 -> 172.169.1.2
tos 0x04, ttl 78, length 84, checksum 0x2d44 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x7c9f id 7
06:53:44:662908: GigabitEthernet2/4/0-tx
GigabitEthernet2/4/0 tx queue 0
buffer 0x95cf1: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x1
ext-hdr-valid
l4-cksum-computed l4-cksum-correct l2-hdr-offset 0 l3-hdr-offset 14
PKT MBUF: port 0, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x23773cc0
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:b8 -> 00:0c:29:07:6f:c2
ICMP: 114.114.114.114 -> 172.169.1.2
tos 0x04, ttl 78, length 84, checksum 0x2d44 dscp unknown ecn NON_ECN
fragment id 0xacd1
ICMP echo_reply checksum 0x7c9f id 7
NAT44-ed: NAT after routing
The command that configures NAT after routing is:
set interface nat44 out GigabitEthernet2/2/0 output-feature
Ping 114.114.114.114 from the PC; the trace is shown below. Only the in2out flow is pasted here, because the out2in flow is the same.
08:16:37:742858: dpdk-input
GigabitEthernet2/4/0 rx queue 0
buffer 0x98690: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x2341a480
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x894f dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0x9700 id 9
08:16:37:742930: ethernet-input
frame: flags 0x3, hw-if-index 3, sw-if-index 3
IP4: 00:0c:29:07:6f:c2 -> 00:0c:29:07:6f:b8
08:16:37:742954: ip4-input-no-checksum
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x894f dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0x9700 id 9
08:16:37:742971: ip4-lookup
fib 0 dpo-idx 1 flow hash: 0x00000000
ICMP: 172.169.1.2 -> 114.114.114.114
tos 0x00, ttl 64, length 84, checksum 0x894f dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0x9700 id 9
08:16:37:742992: ip4-rewrite
tx_sw_if_index 1 dpo-idx 1 : ipv4 via 192.168.1.1 GigabitEthernet2/2/0: mtu:9000 next:3 flags:[features ] 446a2ebdb5be000c29076fa40800
flow hash: 0x00000000
00000000: 446a2ebdb5be000c29076fa40800450000541eca40003f018a4faca901027272
00000020: 727208009700000903923b48c861000000008ce70e00000000001011
08:16:37:743008: ip4-sv-reassembly-output-feature
[not-fragmented]
08:16:37:743022: nat-pre-in2out-output
in2out next_index 4 arc_next_index 11
08:16:37:743035: nat44-ed-in2out-output
NAT44_IN2OUT_ED_FAST_PATH: sw_if_index 3, next index 11, session 5, translation result 'success' via i2of
i2of match: saddr 172.169.1.2 sport 9 daddr 114.114.114.114 dport 9 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.84 daddr 114.114.114.114 icmp-id 51846 txfib 0
o2if match: saddr 114.114.114.114 sport 51846 daddr 192.168.1.84 dport 51846 proto ICMP fib_idx 0 rewrite: daddr 172.169.1.2 icmp-id 9 txfib 0
search key local 172.169.1.2:9 remote 114.114.114.114:9 proto ICMP fib 0 thread-index 32767 session-index 4159776952
08:16:37:743080: GigabitEthernet2/2/0-output
GigabitEthernet2/2/0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x75fe dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0xcc82 id 51846
08:16:37:743093: GigabitEthernet2/2/0-tx
GigabitEthernet2/2/0 tx queue 0
buffer 0x98690: current data 0, length 98, buffer-pool 0, ref-count 1, totlen-nifb 0, trace handle 0x0
ext-hdr-valid
l4-cksum-computed l4-cksum-correct natted l2-hdr-offset 0 l3-hdr-offset 14
PKT MBUF: port 2, nb_segs 1, pkt_len 98
buf_len 2176, data_len 98, ol_flags 0x0, data_off 128, phys_addr 0x2341a480
packet_type 0x0 l2_len 0 l3_len 0 outer_l2_len 0 outer_l3_len 0
rss 0x0 fdir.hi 0x0 fdir.lo 0x0
IP4: 00:0c:29:07:6f:a4 -> 44:6a:2e:bd:b5:be
ICMP: 192.168.1.84 -> 114.114.114.114
tos 0x00, ttl 63, length 84, checksum 0x75fe dscp CS0 ecn NON_ECN
fragment id 0x1eca, flags DONT_FRAGMENT
ICMP echo_request checksum 0xcc82 id 51846
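The difference between the two request traces can be checked mechanically. The following Python sketch is an added example, not code from the original post or from VPP: it extracts the node path from trace output, reports whether the nat44-ed node ran before or after ip4-lookup, and returns the source address printed at a given node. The sample traces are constructed excerpts of the two traces above, and the function names are illustrative.

```python
import re

NODE_RE = re.compile(r"^\s*\d{2}:\d{2}:\d{2}:\d+: (\S+)\s*$")  # "06:53:44:636661: ip4-lookup"
FLOW_RE = re.compile(r"^\s*\w+: (\d+(?:\.\d+){3}) -> \d+(?:\.\d+){3}\s*$")  # "ICMP: a -> b"

def parse_trace(text):
    """Return [(node, source IP printed at that node or None)] in visiting order."""
    hops = []
    for line in text.splitlines():
        if m := NODE_RE.match(line):
            hops.append([m.group(1), None])
        elif hops and (m := FLOW_RE.match(line)):
            hops[-1][1] = m.group(1)
    return [tuple(h) for h in hops]

def nat_placement(hops):
    """For an in2out trace: did the nat44-ed node run before or after ip4-lookup?"""
    path = [node for node, _ in hops]
    nat = next((i for i, n in enumerate(path) if n.startswith("nat44-ed-")), None)
    if nat is None or "ip4-lookup" not in path:
        return "no-nat"
    return "pre-routing" if nat < path.index("ip4-lookup") else "post-routing"

def source_at(hops, name):
    """Source address printed at node `name` (None if absent or no packet line)."""
    return next((src for node, src in hops if node == name), None)

# Constructed excerpts: node headers and address lines taken from the two request traces above.
PRE = """06:53:44:636584: ip4-input-no-checksum
  ICMP: 172.169.1.2 -> 114.114.114.114
06:53:44:636615: nat-pre-in2out
06:53:44:636629: nat44-ed-in2out
06:53:44:636661: ip4-lookup
  ICMP: 192.168.1.84 -> 114.114.114.114
06:53:44:636693: GigabitEthernet2/2/0-output
  ICMP: 192.168.1.84 -> 114.114.114.114"""
POST = """08:16:37:742954: ip4-input-no-checksum
  ICMP: 172.169.1.2 -> 114.114.114.114
08:16:37:742971: ip4-lookup
  ICMP: 172.169.1.2 -> 114.114.114.114
08:16:37:743022: nat-pre-in2out-output
08:16:37:743035: nat44-ed-in2out-output
08:16:37:743080: GigabitEthernet2/2/0-output
  ICMP: 192.168.1.84 -> 114.114.114.114"""

if __name__ == "__main__":
    for label, text in (("pre", PRE), ("post", POST)):
        hops = parse_trace(text)
        print(label, nat_placement(hops), source_at(hops, "ip4-lookup"))
```

With NAT before routing, ip4-lookup already sees the translated source 192.168.1.84, while with the output-feature configuration it still sees 172.169.1.2; in both cases the packet leaves GigabitEthernet2/2/0 with 192.168.1.84.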
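Forwarding flow diagram summary
Based on the traces above, the forwarding flow of nat44-ed mode is summarized in the following diagram:
In practice, when reading the code, the nodes attached for NAT after routing are as follows: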
#show interface feat GigabitEthernet2/2/0
ip4-output: # in2out direction
ip4-sv-reassembly-output-feature
nat-pre-in2out-output
ip4-unicast: # out2in direction
ip4-sv-reassembly-feature
nat-pre-out2in
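We can learn two things from this:
1. The nat module enables pseudo-reassembly (the ip4-sv-reassembly nodes) by default. -- Was this also the case in older versions?
2. nat-pre-out2in and nat-pre-in2out-output are the entry points of nat module processing. The nat44-ed-out2in and nat44-ed-in2out nodes in the diagram above do not appear among the features. The way node attachment is handled in NAT processing is very clever: by default every node, including the nat module's entry nodes, is a sibling of a single node, nat-default, and in the processing flow of these other nodes the next node is specified by the processing logic.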
DBGvpp# show node nat-default
node nat-default, type internal, state active, index 90
node function variants:
Name Priority Active Description
default 0 yes default
next nodes:
next-index node-index Node Vectors
0 674 error-drop 0
1 617 ip4-icmp-error 0
2 89 nat44-ed-in2out 0
3 87 nat44-ed-in2out-slowpath 0
4 88 nat44-ed-in2out-output 0
5 86 nat44-ed-in2out-output-slowpat 0
6 83 nat44-ed-out2in 0
7 82 nat44-ed-out2in-slowpath 0
8 80 nat44-in2out-worker-handoff 0
9 78 nat44-out2in-worker-handoff 0
10 613 ip4-lookup 0
11 672 interface-output 0
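The next_index and arc_next_index values printed by the nat-pre-* nodes in the traces can be read against this table. The following Python sketch is an added example, not code from the original post or from VPP: it assumes those two trace values are positions in the nat-default next-node table, resolves them, and compares the result with the node that was actually traced next. The sample data is a constructed excerpt of the output on this page, and the function names are illustrative.

```python
import re

ROW_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\S+)\s+\d+\s*$")      # next-index node-index name vectors
NODE_RE = re.compile(r"^\s*\d{2}:\d{2}:\d{2}:\d+: (\S+)\s*$")   # trace node header
PRE_RE = re.compile(r"^\s*(?:in2out|out2in) next_index (\d+) arc_next_index (\d+)")

def next_nodes(show_node_text):
    """Map next-index -> node name from the rows of `show node nat-default`."""
    return {int(m.group(1)): m.group(2)
            for line in show_node_text.splitlines() if (m := ROW_RE.match(line))}

def check_dispatch(trace_text, table):
    """For each nat-pre-* hop: (pre node, node named by next_index,
    node actually traced next, node named by arc_next_index)."""
    lines = trace_text.splitlines()
    nodes = [(i, m.group(1)) for i, l in enumerate(lines) if (m := NODE_RE.match(l))]
    out = []
    for k, (i, name) in enumerate(nodes):
        m = PRE_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if not (name.startswith("nat-pre-") and m):
            continue
        actual = nodes[k + 1][1] if k + 1 < len(nodes) else None
        out.append((name, table.get(int(m.group(1))), actual, table.get(int(m.group(2)))))
    return out

# Constructed excerpts of the `show node nat-default` rows and trace lines shown on this page.
SHOW = """next-index node-index Node Vectors
2 89 nat44-ed-in2out 0
4 88 nat44-ed-in2out-output 0
6 83 nat44-ed-out2in 0
10 613 ip4-lookup 0
11 672 interface-output 0"""
TRACE = """06:53:44:636615: nat-pre-in2out
  in2out next_index 2 arc_next_index 10
06:53:44:636629: nat44-ed-in2out
06:53:44:662816: nat-pre-out2in
  out2in next_index 6 arc_next_index 10
06:53:44:662829: nat44-ed-out2in
08:16:37:743022: nat-pre-in2out-output
  in2out next_index 4 arc_next_index 11
08:16:37:743035: nat44-ed-in2out-output"""

if __name__ == "__main__":
    for row in check_dispatch(TRACE, next_nodes(SHOW)):
        print(row)
```

For all three entry nodes the node named by next_index is the node traced next, and arc_next_index names ip4-lookup for the ip4-unicast arc and interface-output for the ip4-output arc.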