Commit Graph

16 Commits

Author SHA1 Message Date
Alin Jerpelea
67d02a45eb net: migrate to SPDX identifier
Most tools used for compliance and SBOM generation use SPDX identifiers
This change brings us a step closer to an easy SBOM generation.

Signed-off-by: Alin Jerpelea <alin.jerpelea@sony.com>
2024-09-12 01:08:11 +08:00
Zhe Weng
b0cf0acc66 net/nat: Add foreach interface for entries
Prepare for netlink conntrack dump of entries.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2024-04-18 13:03:59 +08:00
Zhe Weng
17584eaa4f net/nat: Rename struct ipv*_nat_entry to ipv*_nat_entry_t
I found `struct ipv*_nat_entry` is missing `_s` suffix, but the name is too long in some cases, so maybe `ipv*_nat_entry_t` could be better.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2024-04-12 14:39:01 +02:00
Zhe Weng
f3b34c84c2 net/nat: Support IPv6 Masquerading (NAT66)
Notes:
1. This version of NAT66 is a stateful one like NAT44, corresponding to Linux's MASQUERADE target of ip6tables.  We can support stateless NAT66 & NPTv6 later by slightly modify the address & port selection logic (maybe just match the rules and skip the entry find).
2. We're using same flag `IFF_NAT` for both NAT44 & NAT66 to make control easier.  Which means, if we enable NAT, both NAT44 & NAT66 will be enabled.  If we don't want one of them, we can just disable that one in Kconfig.
3. Maybe we can accelerate the checksum adjustment by pre-calculate a difference of checksum, and apply it to each packet, instead of calling `net_chksum_adjust` each time.  Just a thought, maybe do it later.
4. IP fragment segments on NAT66 connections are not supported yet.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2024-04-11 22:23:29 +08:00
Zhe Weng
f2ff5cee03 net/nat: Make some IPv4 NAT functions as common
To prepare for future IPv6 NAT functions.
- Rename common ipv4_nat_xxx to nat_xxx
- Move some common definitions into header

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2024-04-11 22:23:29 +08:00
Zhe Weng
a1a09f271f net/nat: Support Symmetric NAT
The symmetric NAT limits one external port to be used with only one peer ip:port.

Note:
1. To avoid using too much #ifdef, we're always passing peer_ip and peer_port as arguments, but won't use them under full cone NAT, let the compiler optimize them.
2. We need to find port binding without peer ip:port, so don't add peer ip:port into hash key.
3. Symmetric NAT needs to *select another external port if a port is used by any other NAT entry*, this behavior is exactly same as Full Cone NAT, so we don't need to change anything related to `ipv4_nat_port_inuse`.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2024-04-07 23:57:55 +08:00
Zhe Weng
cb958e5d69 net/nat: Clear entries when NAT will be disabled
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-12-24 12:05:20 +08:00
Zhe Weng
902a6dcad2 net/nat: Support isolation between multiple WAN devices by saving external ip
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-12-24 12:05:20 +08:00
Zhe Weng
a9da1fff28 net/nat: Add auto reclaim logic for NAT entries.
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-12-22 20:20:12 +08:00
Zhe Weng
879c337e30 net/nat: Use hashtable to optimize performance
Performance tested on simulator:

Before optimization:      -25% bandwidth @2k entries, -64% @10k entries
hashtable size=  2(1bit): -24% bandwidth @2k entries, -65% @10k entries
hashtable size=  4(2bits):-15% bandwidth @2k entries, -51% @10k entries
hashtable size= 32(5bits): -3% bandwidth @2k entries, -14% @10k entries
hashtable size=256(8bits): -1% bandwidth @2k entries,  -3% @10k entries

Note: Tested on worst performance, the earliest entry will be the worst.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-12-22 20:20:12 +08:00
Zhe Weng
f416fd86bb net/ipfwd: Support ICMP error reply when forwarding IPv4
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-12-02 15:26:45 +08:00
Zhe Weng
9aefd6717c net/nat: Add support for ICMP Error Message
Support DEST_UNREACHABLE, TIME_EXCEEDED and PARAMETER_PROBLEM ICMP types in NAT.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-12-01 22:45:22 +08:00
Zhe Weng
f498102512 net: select NAT external port by tcp_selectport for TCP
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-11-11 14:36:55 +08:00
Zhe Weng
8239ddeef4 net/nat: Add TCP entry expiration logic
Add TCP entry expiration logic for NAT, with entries changed from sq to dq for fast removal.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-11-11 14:36:55 +08:00
Zhe Weng
0a4e01d712 net: verify NAT port usage in tcp_selectport
Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-11-11 14:36:55 +08:00
Zhe Weng
b595430578 net: add basic NAT workflow
Add basic functions for NAT (NAPT), remaining some logic unimplemented (UDP, ICMP, port assignment, etc). NAT for TCP can work now (unless port conflicts).
Outbound: LAN ->  Forward  ->  NAT(only if targeting at WAN)  -> WAN
Inbound:  WAN ->  NAT(only from WAN, change dest) -> Forward  -> LAN

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
2022-11-11 14:36:55 +08:00