sonic-net / sonic-swss

SONiC Switch State Service (SwSS)
https://azure.github.io/SONiC

[NAT] Twice NAT/NAPT is applied even when only the destination IP address matches #1350

Open shihhsien-wang opened 4 years ago

shihhsien-wang commented 4 years ago

Description

It should receive a packet whose source and destination IP addresses both match the twice NAT/NAPT configuration, and then twice NAT/NAPT is applied to the packet. In our test, not only are the packets whose source and destination IP addresses both match the configuration NAT translated, but also the packets whose destination IP address alone matches the configuration are NAT translated.

Steps to reproduce the issue:

Configuration:

config nat feature enable
config nat add interface Ethernet0 -nat_zone 1
config nat add interface Ethernet4 -nat_zone 2

config interface ip add Ethernet0 172.10.0.3/16
config interface ip add Ethernet4 172.27.0.3/16
ip route add 192.169.0.0/16 via 172.27.0.5
ip neigh add 172.10.0.101 lladdr 00:11:11:00:00:01 dev Ethernet0
ip neigh add 172.27.0.5 lladdr 00:11:11:00:00:09 dev Ethernet4

config nat add static basic 172.10.0.101 172.27.0.101 -nat_type snat -twice_nat_id 1
config nat add static basic 172.10.0.102 192.169.0.102 -nat_type dnat -twice_nat_id 1

Topology:

+-----+       +----------------+       +-----+
| PC1 | +---> |     Device     | +---> | PC2 |
+-----+       +----------------+       +-----+
            Ethernet0    Ethernet4

Packets injected from PC1:

  1. Packet A: source IP address = 192.169.0.102, destination IP address = 172.27.0.101
  2. Packet B: source IP address = 192.169.0.103, destination IP address = 172.27.0.101
  3. Packet C: source IP address = 192.169.0.102, destination IP address = 172.27.0.103

Describe the results you received:

Packets received at PC2:

  1. Packet A: source IP address = 172.10.0.102 (NATed), destination IP address = 172.10.0.101 (NATed)
  2. Packet B: source IP address = 172.10.0.102 (NATed), destination IP address = 172.10.0.101 (NATed)
  3. Packet C: not present.

Both packet A and packet B, which have the same destination IP address but different source IP addresses, are NAT translated into the same source and destination IP addresses.

Describe the results you expected:

  1. Packet A: passed.
  2. Packet B: failed. According to our NAT configuration, packet B should not be NAT translated.
  3. Packet C: passed.

Additional information you deem important (e.g. issue happens only occasionally):

Note: another case (dynamic SNAT and static SNAT in the same 'twice_nat_id' group) has the same problem.

**Output of `show version`:**

admin@sonic:~$ show version

SONiC Software Version: SONiC.master.346-8ea03eed
Distribution: Debian 10.4
Kernel: 4.19.0-9-2-amd64
Build commit: 8ea03eed
Build date: Sun Jul 12 18:10:30 UTC 2020
Built by: johnar@jenkins-worker-4

Platform: x86_64-accton_as7712_32x-r0
HwSKU: Accton-AS7712-32X
ASIC: broadcom
Serial Number: 771232X1909084
Uptime: 03:35:01 up 2 min,  1 user,  load average: 3.42, 1.40, 0.52

Docker images:
REPOSITORY                    TAG                   IMAGE ID            SIZE
docker-teamd                  latest                5bdc27151693        380MB
docker-teamd                  master.346-8ea03eed   5bdc27151693        380MB
docker-router-advertiser      latest                f6374644f094        350MB
docker-router-advertiser      master.346-8ea03eed   f6374644f094        350MB
docker-lldp                   latest                e05765635c6a        377MB
docker-lldp                   master.346-8ea03eed   e05765635c6a        377MB
docker-dhcp-relay             latest                a608b2765e7e        357MB
docker-dhcp-relay             master.346-8ea03eed   a608b2765e7e        357MB
docker-database               latest                9980932086f5        350MB
docker-database               master.346-8ea03eed   9980932086f5        350MB
docker-orchagent              latest                f6a438e40754        393MB
docker-orchagent              master.346-8ea03eed   f6a438e40754        393MB
docker-sonic-telemetry        latest                46aad5a40cf9        414MB
docker-sonic-telemetry        master.346-8ea03eed   46aad5a40cf9        414MB
docker-sonic-mgmt-framework   latest                153f5b212b31        473MB
docker-sonic-mgmt-framework   master.346-8ea03eed   153f5b212b31        473MB
docker-sflow                  latest                accd44e81959        383MB
docker-sflow                  master.346-8ea03eed   accd44e81959        383MB
docker-snmp                   latest                f7f8604477ca        390MB
docker-snmp                   master.346-8ea03eed   f7f8604477ca        390MB
docker-syncd-brcm             latest                36db5c9c35f6        442MB
docker-syncd-brcm             master.346-8ea03eed   36db5c9c35f6        442MB
docker-platform-monitor       latest                0b6901e8073f        358MB
docker-platform-monitor       master.346-8ea03eed   0b6901e8073f        358MB
docker-nat                    latest                3636bd7994a4        317MB
docker-nat                    master.346-8ea03eed   3636bd7994a4        317MB
docker-fpm-frr                latest                628c62893a8e        335MB
docker-fpm-frr                master.346-8ea03eed   628c62893a8e        335MB

ben-gale commented 4 years ago

Please add "nat" label

arlakshm commented 4 years ago

@AkhileshSamineni, please update the analysis here.

santoshdoke commented 4 years ago

Hi,

The native NAT tables on Broadcom silicon match only the destination IP address OR the source IP address, but not both. These NAT lookup tables do not provide a means to match both destination IP and source IP (in the case of twice NAT).

So, the current behavior is expected and is a limitation. There is an alternative to use ACL rules (instead of native NAT lookups) to achieve twice NAT, but that is not preferred as it impacts other ACL-based applications.
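As an added illustration (not code from the issue or from SONiC), the following Python models the two matching rules under discussion: the twice NAT semantics the reporter expected, where source and destination must both match entries sharing a twice_nat_id, and the destination-only lookup santoshdoke describes, which reproduces the results received at PC2. The entries and packets are the ones given in the issue; the class and function names are this example's own, the two positional arguments of `config nat add static basic` are labelled global_ip and local_ip in that order, and the reverse (PC2 to PC1) direction is assumed to be the exact inverse mapping. `over_translated` lists the flows a destination-only lookup rewrites without a source match, which is the check a tester would run over a capture to confirm the behaviour on a given ASIC.

```python
"""Model of twice NAT matching for the static entries in this issue.

Two lookup models are compared: the correct one (source AND destination must
both match entries sharing a twice_nat_id) and a destination-only lookup that
reproduces the behaviour reported on the switch. Entries and packets are taken
from the issue text; names and the reverse-direction mapping are this
example's own assumptions, not SONiC's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Pkt = Tuple[str, str]  # (source IP, destination IP)


@dataclass(frozen=True)
class StaticNat:
    global_ip: str      # first positional argument of `config nat add static basic`
    local_ip: str       # second positional argument
    nat_type: str       # "snat" or "dnat"
    twice_nat_id: int   # entries sharing an id form one twice NAT pair


# The two entries from the issue's configuration.
ENTRIES: List[StaticNat] = [
    StaticNat("172.10.0.101", "172.27.0.101", "snat", 1),
    StaticNat("172.10.0.102", "192.169.0.102", "dnat", 1),
]


def twice_nat_pairs(entries: List[StaticNat]) -> List[Tuple[StaticNat, StaticNat]]:
    """Group entries into (snat, dnat) pairs keyed by twice_nat_id."""
    by_id: Dict[int, Dict[str, StaticNat]] = {}
    for e in entries:
        by_id.setdefault(e.twice_nat_id, {})[e.nat_type] = e
    return [(p["snat"], p["dnat"]) for p in by_id.values()
            if "snat" in p and "dnat" in p]


def translate_twice_nat(pkt: Pkt, entries: List[StaticNat]) -> Optional[Pkt]:
    """Correct semantics: both addresses must match the same pair.

    Forward (PC1 -> PC2, the direction tested in the issue): src must equal
    the dnat entry's local_ip and dst the snat entry's local_ip; both are
    rewritten to the global_ip side. Reverse is assumed to be the inverse.
    Returns the rewritten (src, dst) or None when the packet is untouched.
    """
    src, dst = pkt
    for snat, dnat in twice_nat_pairs(entries):
        if src == dnat.local_ip and dst == snat.local_ip:        # forward
            return (dnat.global_ip, snat.global_ip)
        if src == snat.global_ip and dst == dnat.global_ip:      # reverse
            return (snat.local_ip, dnat.local_ip)
    return None


def translate_dst_only(pkt: Pkt, entries: List[StaticNat]) -> Optional[Pkt]:
    """Observed behaviour: the lookup is keyed on the destination alone.

    Once the destination hits, the paired source rewrite is applied whatever
    the real source address was, which is what packet B in the issue shows.
    """
    src, dst = pkt
    for snat, dnat in twice_nat_pairs(entries):
        if dst == snat.local_ip:                                  # forward
            return (dnat.global_ip, snat.global_ip)
        if dst == dnat.global_ip:                                 # reverse
            return (snat.local_ip, dnat.local_ip)
    return None


def over_translated(packets: List[Pkt], entries: List[StaticNat]) -> List[Pkt]:
    """Packets a destination-only lookup rewrites although twice NAT should not.

    Run over the packets injected in a test (or parsed from a capture) to
    list the flows that were translated without a matching source address.
    """
    return [p for p in packets
            if translate_twice_nat(p, entries) is None
            and translate_dst_only(p, entries) is not None]


# The three packets injected from PC1 in the issue.
PACKETS: List[Pkt] = [
    ("192.169.0.102", "172.27.0.101"),  # A: both addresses match -> translated
    ("192.169.0.103", "172.27.0.101"),  # B: only destination matches
    ("192.169.0.102", "172.27.0.103"),  # C: only source matches
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, "twice NAT:", translate_twice_nat(p, ENTRIES),
              "dst-only:", translate_dst_only(p, ENTRIES))
    print("over-translated:", over_translated(PACKETS, ENTRIES))
```

With the issue's three packets, the twice NAT model rewrites only packet A, while the destination-only model rewrites A and B identically and leaves C alone, matching the results table above; `over_translated` returns packet B, which is the flow that exposes the limitation.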