Fast-path

The behavior of the fast-path network stack can be customized globally, and per VRF.

If there is no configuration value in a VRF, the global configuration applies. The VRF configuration overrides the system one.

ALG

ALGs allow specific applications to work through CG-NAT or fp-firewall.

The following configuration activates the DNS ALG, and sets its session timeout to 1000.

vsr running config# / system network-stack fast-path alg dns session-timeout 1000

The configuration can be overridden at the VRF level. The following configuration sets the DNS session-timeout to 500 in the test VRF, while the other VRFs keep the value of 1000 defined previously.

vsr running config# / vrf main network-stack fast-path alg dns session-timeout 500

To display the ALG configuration:

vsr> show state / vrf main network-stack fast-path alg
alg dns
    port 53
    session-timeout 500
    ..

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute nodefault / vrf main network-stack fast-path alg
<config xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <network-stack xmlns="urn:6wind:vrouter/system">
      <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack">
        <alg>
          <name>dns</name>
          <session-timeout>500</session-timeout>
        </alg>
      </fast-path>
    </network-stack>
  </vrf>
</config>

Note

In previous versions, dns-udp was the default value. This is no longer the case. Therefore, you may need to configure it in its new path: / system network-stack fast-path alg dns.

Conntracks

Conntrack timeouts can be set for each protocol. UDP, ICMP and GRE protocols only handle basic conntrack states (new, established, closed), whereas TCP offers more granularity.

The following configuration sets the timeout of the TCP established state to 100:

vsr running config# / system network-stack fast-path conntrack timeouts tcp established 100

The following configuration disables the conntrack tcp-window-check behavior:

vsr running config# / system network-stack fast-path conntrack behavior tcp-window-check enabled false

To fragment NAT64 packets according to the MTU of the output interface:

vsr running config# / system network-stack fast-path conntrack nat64 mtu lowest-ipv6 0

The same configuration can be made using this NETCONF XML configuration:

vsr> show config xml absolute nodefault / system network-stack fast-path conntrack
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <network-stack>
      <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack">
        <conntrack>
          <behavior>
            <tcp-options>tcp-window-check</tcp-options>
            <enabled>false</enabled>
          </behavior>
          <timeouts>
            <tcp>
              <state>established</state>
              <timeout>100</timeout>
            </tcp>
          </timeouts>
          <nat64>
            <mtu>
              <option>lowest-ipv6</option>
              <value>0</value>
            </mtu>
          </nat64>
        </conntrack>
      </fast-path>
    </network-stack>
  </system>
</config>
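
An export like the one above can be checked during a configuration review. The following Python script is an added example, not part of the product documentation: it parses XML shaped like the export shown and reports conntrack behaviors that are explicitly disabled, along with the configured TCP timeouts. The function names and the approved_disabled parameter are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sys": "urn:6wind:vrouter/system",
      "fp": "urn:6wind:vrouter/fast-path-network-stack"}
CT_PATH = "sys:system/sys:network-stack/fp:fast-path/fp:conntrack"

# Constructed sample, shaped like the conntrack export shown above.
SAMPLE = """<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <network-stack>
      <fast-path xmlns="urn:6wind:vrouter/fast-path-network-stack">
        <conntrack>
          <behavior>
            <tcp-options>tcp-window-check</tcp-options>
            <enabled>false</enabled>
          </behavior>
          <timeouts>
            <tcp>
              <state>established</state>
              <timeout>100</timeout>
            </tcp>
          </timeouts>
        </conntrack>
      </fast-path>
    </network-stack>
  </system>
</config>"""

def text(node, tag):
    """Stripped text of a child element, or '' when the child is absent."""
    return (node.findtext(tag, default="", namespaces=NS) or "").strip()

def audit_conntrack(xml_text, approved_disabled=()):
    """Return (unapproved disabled behaviors, {tcp state: timeout})."""
    ct = ET.fromstring(xml_text).find(CT_PATH, NS)
    findings, timeouts = [], {}
    if ct is None:  # no conntrack subtree in this export
        return findings, timeouts
    # Only the <tcp-options> key shown on this page is handled.
    for b in ct.findall("fp:behavior", NS):
        name = text(b, "fp:tcp-options")
        if text(b, "fp:enabled") == "false" and name not in approved_disabled:
            findings.append(name)
    for t in ct.findall("fp:timeouts/fp:tcp", NS):
        timeouts[text(t, "fp:state")] = int(text(t, "fp:timeout"))
    return findings, timeouts

if __name__ == "__main__":
    print(audit_conntrack(SAMPLE))
```

Because the export is produced with nodefault, a behavior left at its default does not appear in the XML and is therefore not reported.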

See also

The command reference for details.