NAT plugin changes the MSS value in TCP SYN packets to avoid fragmentation.
If the negotiated MSS value is greater than the configured value it is changed
to the configured value. If the negotiated MSS value is smaller than the
configured value it remains unchanged.
Change-Id: Ic3c4f94a2f1b76e2bf79f50f3ad36a4097f3f188
Signed-off-by: Matus Fabian <matfabia@cisco.com>
sum0 =
ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
length);
+ mss_clamping (&snat_main, tcp0, &sum0);
tcp0->checksum = ip_csum_fold (sum0);
}
else
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */,
length /* changed member */);
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
}
else
sum1 = ip_csum_update (sum1, old_port1, new_port1,
ip4_header_t /* cheat */,
length /* changed member */);
+ mss_clamping (sm, tcp1, &sum1);
tcp1->checksum = ip_csum_fold(sum1);
}
else
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */,
length /* changed member */);
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
}
else
tcp0->dst_port = s0->ext_host_port;
ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
}
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
if (nat44_set_tcp_session_state_i2o (sm, s0, tcp0, thread_index))
goto trace00;
ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
}
tcp1->checksum = ip_csum_fold(sum1);
+ mss_clamping (sm, tcp1, &sum1);
if (nat44_set_tcp_session_state_i2o (sm, s1, tcp1, thread_index))
goto trace01;
}
tcp0->dst_port = s0->ext_host_port;
ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
}
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
if (nat44_set_tcp_session_state_i2o (sm, s0, tcp0, thread_index))
goto trace0;
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */,
length /* changed member */);
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
}
else
sum1 = ip_csum_update (sum1, old_port1, new_port1,
ip4_header_t /* cheat */,
length /* changed member */);
+ mss_clamping (sm, tcp1, &sum1);
tcp1->checksum = ip_csum_fold(sum1);
}
else
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */,
length /* changed member */);
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
}
else
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */,
length /* changed member */);
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
}
else
sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
ip4_header_t,
dst_address /* changed member */);
+ mss_clamping (sm, tcp0, &sum0);
tcp0->checksum = ip_csum_fold(sum0);
}
}
u16 end_port;
};
+/** \brief Set TCP MSS rewriting configuration
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param mss_value - MSS value to be used for MSS rewriting
+ @param enable - disable(0)/enable(1) MSS rewriting feature
+*/
+autoreply define nat_set_mss_clamping {
+ u32 client_index;
+ u32 context;
+ u16 mss_value;
+ u8 enable;
+};
+
+/** \brief Get TCP MSS rewriting configuration
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+*/
+define nat_get_mss_clamping {
+ u32 client_index;
+ u32 context;
+};
+
+/** \brief Get TCP MSS rewriting configuration reply
+ @param context - sender context, to match reply w/ request
+ @param retval - return code
+ @param mss_value - MSS value to be used for MSS rewriting
+ @param enable - disable(0)/enable(1) MSS rewriting feature
+*/
+define nat_get_mss_clamping_reply {
+ u32 context;
+ i32 retval;
+ u16 mss_value;
+ u8 enable;
+};
+
/*
* NAT44 APIs
*/
sm->log_class = vlib_log_register_class ("nat", 0);
error_drop_node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
sm->error_node_index = error_drop_node->index;
+ sm->mss_clamping = 0;
p = hash_get_mem (tm->thread_registrations_by_name, "workers");
if (p)
u32 tcp_transitory_timeout;
u32 icmp_timeout;
+ /* TCP MSS clamping */
+ u16 mss_clamping;
+ u16 mss_value_net;
+
/* API message ID base */
u16 msg_id_base;
return 0;
}
+static clib_error_t *
+nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ snat_main_t *sm = &snat_main;
+ clib_error_t *error = 0;
+ u32 mss;
+
+ /* Get a line of input. */
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "disable"))
+ sm->mss_clamping = 0;
+ else if (unformat (line_input, "%d", &mss))
+ {
+ sm->mss_clamping = (u16) mss;
+ sm->mss_value_net = clib_host_to_net_u16 (sm->mss_clamping);
+ }
+ else
+ {
+ error = clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input);
+ goto done;
+ }
+ }
+
+done:
+ unformat_free (line_input);
+
+ return error;
+}
+
+static clib_error_t *
+nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ snat_main_t *sm = &snat_main;
+
+ if (sm->mss_clamping)
+ vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
+ else
+ vlib_cli_output (vm, "mss-clamping disabled");
+
+ return 0;
+}
+
static clib_error_t *
add_address_command_fn (vlib_main_t * vm,
unformat_input_t * input, vlib_cli_command_t * cmd)
.function = nat44_show_alloc_addr_and_port_alg_command_fn,
};
+/*?
+ * @cliexpar
+ * @cliexstart{nat mss-clamping}
+ * Set TCP MSS rewriting configuration
+ * To enable TCP MSS rewriting use:
+ * vpp# nat mss-clamping 1452
+ * To disbale TCP MSS rewriting use:
+ * vpp# nat mss-clamping disable
+?*/
+VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
+ .path = "nat mss-clamping",
+ .short_help = "nat mss-clamping <mss-value>|disable",
+ .function = nat_set_mss_clamping_command_fn,
+};
+
+/*?
+ * @cliexpar
+ * @cliexstart{nat mss-clamping}
+ * Show TCP MSS rewriting configuration
+?*/
+VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
+ .path = "show nat mss-clamping",
+ .short_help = "show nat mss-clamping",
+ .function = nat_show_mss_clamping_command_fn,
+};
+
/*?
* @cliexpar
* @cliexstart{show nat44 hash tables}
checksum = &tcp->checksum;
csum = ip_csum_sub_even (*checksum, sport);
csum = ip_csum_add_even (csum, udp->src_port);
+ mss_clamping (nm->sm, tcp, &csum);
*checksum = ip_csum_fold (csum);
}
FINISH;
}
+static void
+vl_api_nat_set_mss_clamping_t_handler (vl_api_nat_set_mss_clamping_t * mp)
+{
+ snat_main_t *sm = &snat_main;
+ vl_api_nat_set_mss_clamping_reply_t *rmp;
+ int rv = 0;
+
+ if (mp->enable)
+ {
+ sm->mss_clamping = ntohs (mp->mss_value);
+ sm->mss_value_net = mp->mss_value;
+ }
+ else
+ sm->mss_clamping = 0;
+
+ REPLY_MACRO (VL_API_NAT_SET_MSS_CLAMPING_REPLY);
+}
+
+static void *
+vl_api_nat_set_mss_clamping_t_print (vl_api_nat_set_mss_clamping_t * mp,
+ void *handle)
+{
+ u8 *s;
+
+ s = format (0, "SCRIPT: nat_set_mss_clamping enable %d mss_value %d\n",
+ mp->enable, ntohs (mp->mss_value));
+
+ FINISH;
+}
+
+static void
+vl_api_nat_get_mss_clamping_t_handler (vl_api_nat_get_mss_clamping_t * mp)
+{
+ snat_main_t *sm = &snat_main;
+ vl_api_nat_get_mss_clamping_reply_t *rmp;
+ int rv = 0;
+
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_NAT_GET_MSS_CLAMPING_REPLY,
+ ({
+ rmp->enable = sm->mss_clamping ? 1 : 0;
+ rmp->mss_value = htons (sm->mss_clamping);
+ }))
+ /* *INDENT-ON* */
+}
+
+static void *
+vl_api_nat_get_mss_clamping_t_print (vl_api_nat_get_mss_clamping_t * mp,
+ void *handle)
+{
+ u8 *s;
+
+ s = format (0, "SCRIPT: nat_get_mss_clamping");
+
+ FINISH;
+}
+
/*************/
/*** NAT44 ***/
/*************/
_(NAT_GET_TIMEOUTS, nat_get_timeouts) \
_(NAT_SET_ADDR_AND_PORT_ALLOC_ALG, nat_set_addr_and_port_alloc_alg) \
_(NAT_GET_ADDR_AND_PORT_ALLOC_ALG, nat_get_addr_and_port_alloc_alg) \
+_(NAT_SET_MSS_CLAMPING, nat_set_mss_clamping) \
+_(NAT_GET_MSS_CLAMPING, nat_get_mss_clamping) \
_(NAT44_ADD_DEL_ADDRESS_RANGE, nat44_add_del_address_range) \
_(NAT44_INTERFACE_ADD_DEL_FEATURE, nat44_interface_add_del_feature) \
_(NAT44_ADD_DEL_STATIC_MAPPING, nat44_add_del_static_mapping) \
kv->value = ~0ULL;
}
+always_inline void
+mss_clamping (snat_main_t * sm, tcp_header_t * tcp, ip_csum_t * sum)
+{
+ u8 *data;
+ u8 opt_len, opts_len, kind;
+ u16 mss;
+
+ if (!(sm->mss_clamping && tcp_syn (tcp)))
+ return;
+
+ opts_len = (tcp_doff (tcp) << 2) - sizeof (tcp_header_t);
+ data = (u8 *) (tcp + 1);
+ for (; opts_len > 0; opts_len -= opt_len, data += opt_len)
+ {
+ kind = data[0];
+
+ if (kind == TCP_OPTION_EOL)
+ break;
+ else if (kind == TCP_OPTION_NOOP)
+ {
+ opt_len = 1;
+ continue;
+ }
+ else
+ {
+ if (opts_len < 2)
+ return;
+ opt_len = data[1];
+
+ if (opt_len < 2 || opt_len > opts_len)
+ return;
+ }
+
+ if (kind == TCP_OPTION_MSS)
+ {
+ mss = *(u16 *) (data + 2);
+ if (clib_net_to_host_u16 (mss) > sm->mss_clamping)
+ {
+ *sum =
+ ip_csum_update (*sum, mss, sm->mss_value_net, ip4_header_t,
+ length);
+ clib_memcpy (data + 2, &sm->mss_value_net, 2);
+ }
+ return;
+ }
+ }
+}
+
#endif /* __included_nat_inlines_h__ */
/*
self.verify_no_nat44_user()
self.vapi.nat_set_timeouts()
self.vapi.nat_set_addr_and_port_alloc_alg()
+ self.vapi.nat_set_mss_clamping()
def nat44_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
local_port=0, external_port=0, vrf_id=0,
# sourceIPv4Address
self.assertEqual(src_addr, record[8])
+ def verify_mss_value(self, pkt, mss):
+ """
+ Verify TCP MSS value
+
+ :param pkt:
+ :param mss:
+ """
+ if not pkt.haslayer(IP) or not pkt.haslayer(TCP):
+ raise TypeError("Not a TCP/IP packet")
+
+ for option in pkt[TCP].options:
+ if option[0] == 'MSS':
+ self.assertEqual(option[1], mss)
+ self.assert_tcp_checksum_valid(pkt)
+
class TestNAT44(MethodHolder):
""" NAT44 Test Cases """
nsessions = nsessions + user.nsessions
self.assertLess(nsessions, 2 * max_sessions)
+ def test_mss_clamping(self):
+ """ TCP MSS clamping """
+ self.nat44_add_address(self.nat_addr)
+ self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index)
+ self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index,
+ is_inside=0)
+
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=self.tcp_port_in, dport=self.tcp_external_port,
+ flags="S", options=[('MSS', 1400)]))
+
+ self.vapi.nat_set_mss_clamping(enable=1, mss_value=1000)
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ # Negotiated MSS value greater than configured - changed
+ self.verify_mss_value(capture[0], 1000)
+
+ self.vapi.nat_set_mss_clamping(enable=0)
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ # MSS clamping disabled - negotiated MSS unchanged
+ self.verify_mss_value(capture[0], 1400)
+
+ self.vapi.nat_set_mss_clamping(enable=1, mss_value=1500)
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ # Negotiated MSS value smaller than configured - unchanged
+ self.verify_mss_value(capture[0], 1400)
+
def tearDown(self):
super(TestNAT44, self).tearDown()
if not self.vpp_dead:
"""Get address and port assignment algorithm"""
return self.api(self.papi.nat_get_addr_and_port_alloc_alg, {})
+ def nat_set_mss_clamping(self, enable=0, mss_value=1500):
+ """Set TCP MSS rewriting configuration
+
+ :param enable: disable(0)/enable(1) MSS rewriting feature
+ :param mss_value: MSS value to be used for MSS rewriting
+ """
+ return self.api(
+ self.papi.nat_set_mss_clamping,
+ {'enable': enable, 'mss_value': mss_value})
+
+ def nat_get_mss_clamping(self):
+ """Get TCP MSS rewriting configuration"""
+ return self.api(self.papi.nat_get_mss_clamping, {})
+
def nat_det_close_session_out(
self,
out_addr,