SNAT
简介
目的:修改数据包中源地址。
vpp实现流程:获取数据包IP头,修改源IP地址,依据相加取反计算IP校验和,更新校验;修改为vpp中in2out的port,依据相加取反计算TCP/UDP校验和,更新校验。
网络拓扑
配置方法
1.宿主机
ip link add name vpp1out type veth peer name vpp1host
ip addr show vpp1host
ip link set dev vpp1host up
ip link set dev vpp1out up
ip addr add 192.168.10.2/24 dev vpp1host
ip addr show vpp1host
2.VPP
set int ip address eth0 192.168.1.2/24
set interface promiscuous on eth0
set interface state eth0 up
create host-interface name vpp1out
set int state host-vpp1out up
set int ip address host-vpp1out 192.168.10.1/24
show int address
nat44 add int address host-vpp1out
set int nat44 in eth0 out host-vpp1outDNAT
简介
目的:修改数据包中目的地址。
配置方法
1.宿主机
ip link add name vpp1out type veth peer name vpp1host
ip addr show vpp1host
ip link set dev vpp1host up
ip link set dev vpp1out up
ip addr add 192.168.10.2/24 dev vpp1host
ip addr show vpp1host
2.VPP
set int ip address eth0 192.168.1.2/24
set interface state eth0 up
create host-interface name vpp1out
set int state host-vpp1out up
set int ip address host-vpp1out 192.168.10.1/24
show int address
nat44 add static mapping tcp local 192.168.10.2 external eth0
set int nat44 out eth0## node节点(snat) ##
### 1.feature类注册(arc) ###
文件:ip4_forward.c
VNET_FEATURE_ARC_INIT (ip4_unicast, static) =
{
.arc_name = "ip4-unicast", /*arc 类 名字*/
.start_nodes = VNET_FEATURES ("ip4-input", "ip4-input-no-checksum"), /*开始node*/
.end_node = "ip4-lookup",/*结束node*/
.arc_index_ptr = &ip4_main.lookup_main.ucast_feature_arc_index,
};
这个宏里的构造函数(在源码里找到这个宏的全部代码)会在main执行前执行,大体意思就是初始化ip4-unicast(单播)类的feature并添加到vnet_feature_main_t feature_main->next_feature的链表上
文件:ip4_input.c
VLIB_REGISTER_NODE (ip4_input_node) = {
.function = ip4_input,
.name = "ip4-input",
.vector_size = sizeof (u32),
.n_errors = IP4_N_ERROR,
.error_strings = ip4_error_strings,
.n_next_nodes = IP4_INPUT_N_NEXT,
.next_nodes = {
[IP4_INPUT_NEXT_DROP] = "error-drop",
[IP4_INPUT_NEXT_PUNT] = "error-punt",
[IP4_INPUT_NEXT_LOOKUP] = "ip4-lookup",
[IP4_INPUT_NEXT_LOOKUP_MULTICAST] = "ip4-lookup-multicast",
[IP4_INPUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
},
.format_buffer = format_ip4_header,
.format_trace = format_ip4_input_trace,
};
节点通过函数 .function执行决定下一个节点是.next_nodes中的哪一个,然后通过名字关联下一个节点。当处理流程到ip4-input节点时执行ip4_input函数:ip4_input->ip4_input_inline->vnet_feature_arc_start (arc0, sw_if_index0, &next0, p0);vnet_feature_arc_start函数从ip4-input所在的ip4-unicast类feature里找到优先级最高的feature 节点并执行。
### 2.node节点注册 ###
文件:out2in.c
VLIB_REGISTER_NODE (snat_out2in_node) = {
.function = snat_out2in_node_fn,
.name = "snat-out2in",
.vector_size = sizeof (u32),
.format_trace = format_snat_out2in_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
.n_errors = ARRAY_LEN(snat_out2in_error_strings),
.error_strings = snat_out2in_error_strings,
.runtime_data_bytes = sizeof (snat_runtime_t),
.n_next_nodes = SNAT_OUT2IN_N_NEXT,
/* edit / add dispositions here */
.next_nodes = {
[SNAT_OUT2IN_NEXT_DROP] = "error-drop",
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
},
};
这个只是将节点注册到vpp的节点管理链表里,并不会产生关联关系。
### 3.node与feature关联 ###
文件:snat.c
VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "snat-out2in",
.runs_before = VNET_FEATURES ("ip4-lookup"),
};
VNET_FEATURE_INIT的执行会将snat-out2in节点添加到ip4-unicast类的feature链表里,.runs_before指定snat-out2in在ip4-lookup前执行,这个关联就是在给节点设置优先级,排在越前越先执行
### 4.feature生效 ###
feature节点真正生效还需要在指定端口(网络接口)上使能;
vnet_feature_enable_disable (arc_name, feature_name, sw_if_index, !is_del, 0, 0)函数就是在指定 sw_if_index端口上添加arc_name feature类的feature_name feature节点。
snat里,假设使能索引是1的端口:
vnet_feature_enable_disable ("ip4-unicast", "snat-out2in", 1, !is_del, 0, 0)的意思就是在端口1上的ip4-unicast feature类里添加feature节点snat-out2in。
到现在为止,一个feature节点才正式注册成功。
扫一扫
1671
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
