
T6412: CGNAT fix allocation calculation for verify #3585

Merged
merged 1 commit into from
Jun 6, 2024

Conversation

sever-sever
Member

Change Summary

Fix external address/port allocation for CGN.
It fixes cases where external addresses/ports can be allocated again to another user.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

cgnat

Proposed changes

How to test

VyOS configuration:

set nat cgnat pool external ext-01 external-port-range '1024-65535'
set nat cgnat pool external ext-01 per-user-limit port '12096'
set nat cgnat pool external ext-01 range 192.168.122.121/32
set nat cgnat pool external ext-01 range 192.168.122.222/32
set nat cgnat pool external ext-01 range 192.168.122.223/32
set nat cgnat pool internal int-01 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int-01'
set nat cgnat rule 10 translation pool 'ext-01'

Before the fix, the commit succeeds without raising ConfigError:

commit
vyos@r4# run show nat cgnat allocation 
Internal IP    External IP      Port range
-------------  ---------------  ------------
100.64.0.0     192.168.122.121  1024-13119    <=== First correct allocation
100.64.0.1     192.168.122.121  13120-25215
100.64.0.2     192.168.122.121  25216-37311
100.64.0.3     192.168.122.121  37312-49407
100.64.0.4     192.168.122.121  49408-61503
100.64.0.5     192.168.122.222  1024-13119
100.64.0.6     192.168.122.222  13120-25215
100.64.0.7     192.168.122.222  25216-37311
100.64.0.8     192.168.122.222  37312-49407
100.64.0.9     192.168.122.222  49408-61503
100.64.0.10    192.168.122.223  1024-13119
100.64.0.11    192.168.122.223  13120-25215
100.64.0.12    192.168.122.223  25216-37311
100.64.0.13    192.168.122.223  37312-49407
100.64.0.14    192.168.122.223  49408-61503
100.64.0.15    192.168.122.121  1024-13119    <=== UNEXPECTED entry
[edit]
vyos@r4#

After the fix, we see the expected ConfigError raised for the specified translation rule:

vyos@r4# commit
[ nat cgnat ]
Rule "10" does not have enough ports available for the specified
parameters

[[nat cgnat]] failed
Commit failed
[edit]
vyos@r4# 

vyos@r4# set nat cgnat pool external ext-01 per-user-limit port '10752'
[edit]
vyos@r4# commit
run[edit]
vyos@r4# run show nat cgnat allocation 
Internal IP    External IP      Port range
-------------  ---------------  ------------
100.64.0.0     192.168.122.121  1024-11775
100.64.0.1     192.168.122.121  11776-22527
100.64.0.2     192.168.122.121  22528-33279
100.64.0.3     192.168.122.121  33280-44031
100.64.0.4     192.168.122.121  44032-54783
100.64.0.5     192.168.122.121  54784-65535
100.64.0.6     192.168.122.222  1024-11775
100.64.0.7     192.168.122.222  11776-22527
100.64.0.8     192.168.122.222  22528-33279
100.64.0.9     192.168.122.222  33280-44031
100.64.0.10    192.168.122.222  44032-54783
100.64.0.11    192.168.122.222  54784-65535
100.64.0.12    192.168.122.223  1024-11775
100.64.0.13    192.168.122.223  11776-22527
100.64.0.14    192.168.122.223  22528-33279
100.64.0.15    192.168.122.223  33280-44031
[edit]
vyos@r4# 
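The arithmetic behind the two outputs above, as an added Python model written for this page (not VyOS's own allocator): the pool is 3 external addresses with 64512 usable ports each, so a 12096-port per-user block yields only 5 blocks per address and 15 slots for 16 internal hosts, while 10752 yields 6 blocks per address and 18 slots. The `verify=False` wrap-around that reproduces the pre-fix "UNEXPECTED entry" is an assumed reconstruction of the old behaviour, and `find_collisions` is a helper added here to show why reissuing a slot matters: two subscribers behind the same external IP and port block cannot be distinguished in flow logs or by the remote peer.

```python
import ipaddress
from collections import defaultdict

def slot_capacity(external_addrs, port_range, per_user_ports):
    """Subscribers the external pool can hold without reusing a port block."""
    first, last = port_range
    users_per_ext = (last - first + 1) // per_user_ports  # whole blocks only
    return users_per_ext * len(external_addrs)

def allocate_cgnat(internal_prefix, external_addrs, port_range,
                   per_user_ports, verify=True):
    """Map every host of internal_prefix to (internal, external, first, last).

    verify=True models the post-fix check: refuse the rule when the pool
    cannot hold every internal host.  verify=False models the pre-fix table
    in the PR by assuming the slot index wraps around (hypothetical
    reconstruction, not VyOS code), so host 16 lands on slot 0 again.
    """
    first, last = port_range
    users_per_ext = (last - first + 1) // per_user_ports
    hosts = list(ipaddress.ip_network(internal_prefix))  # /28 -> 16 hosts
    capacity = slot_capacity(external_addrs, port_range, per_user_ports)
    if capacity == 0:
        raise ValueError("per-user port block is larger than the port range")
    if verify and len(hosts) > capacity:
        raise ValueError(f"rule does not have enough ports available: "
                         f"{len(hosts)} hosts but only {capacity} slots")
    table = []
    for idx, host in enumerate(hosts):
        slot = idx % capacity                      # wrap-around only matters pre-fix
        ext = external_addrs[slot // users_per_ext]
        start = first + (slot % users_per_ext) * per_user_ports
        table.append((str(host), ext, start, start + per_user_ports - 1))
    return table

def find_collisions(table):
    """Groups of internal hosts sharing one (external IP, port block)."""
    owners = defaultdict(list)
    for internal, ext, start, _ in table:
        owners[(ext, start)].append(internal)
    return [tuple(v) for v in owners.values() if len(v) > 1]

# Constructed inputs, copied from the PR's test configuration.
EXT_POOL = ["192.168.122.121", "192.168.122.222", "192.168.122.223"]
PORTS = (1024, 65535)
```

Running `allocate_cgnat("100.64.0.0/28", EXT_POOL, PORTS, 12096, verify=False)` reproduces the pre-fix table including the duplicate for 100.64.0.15, and the same call with `verify=True` raises, matching the ConfigError shown above.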

Smoketest result

vyos@r4:~$ /usr/libexec/vyos/tests/smoke/cli/test_cgnat.py
test_cgnat (__main__.TestCGNAT.test_cgnat) ... ok
test_cgnat_sequence (__main__.TestCGNAT.test_cgnat_sequence) ... ok

----------------------------------------------------------------------
Ran 2 tests in 27.227s

OK
vyos@r4:~$ 

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

Fix external address/port allocation for CGN.
It fixes some cases where external address/ports can be allocated again
to another user.
@sever-sever sever-sever merged commit 7a0d80e into vyos:current Jun 6, 2024
9 checks passed