2 * det44.h - deterministic NAT definitions
4 * Copyright (c) 2020 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
20 * @brief Deterministic NAT (CGN) definitions
23 #ifndef __included_det44_h__
24 #define __included_det44_h__
26 #include <vnet/vnet.h>
27 #include <vnet/ip/ip.h>
28 #include <vnet/ethernet/ethernet.h>
29 #include <vnet/ip/icmp46_packet.h>
30 #include <vnet/api_errno.h>
31 #include <vnet/fib/fib_source.h>
32 #include <vppinfra/dlist.h>
33 #include <vppinfra/error.h>
34 #include <vlibapi/api.h>
36 #include <vnet/fib/fib_table.h>
37 #include <vnet/fib/ip4_fib.h>
38 #include <vnet/ip/reass/ip4_sv_reass.h>
40 #include <nat/lib/lib.h>
41 #include <nat/lib/inlines.h>
44 #define foreach_det44_session_state \
45 _(0, UNKNOWN, "unknown") \
46 _(1, UDP_ACTIVE, "udp-active") \
47 _(2, TCP_SYN_SENT, "tcp-syn-sent") \
48 _(3, TCP_ESTABLISHED, "tcp-established") \
49 _(4, TCP_FIN_WAIT, "tcp-fin-wait") \
50 _(5, TCP_CLOSE_WAIT, "tcp-close-wait") \
51 _(6, TCP_CLOSING, "tcp-closing") \
52 _(7, TCP_LAST_ACK, "tcp-last-ack") \
53 _(8, TCP_CLOSED, "tcp-closed") \
54 _(9, ICMP_ACTIVE, "icmp-active")
58 #define _(v, N, s) DET44_SESSION_##N = v,
59 foreach_det44_session_state
61 } det44_session_state_t;
63 #define DET44_SES_PER_USER 1000
73 u16 src_port, dst_port;
78 u32 cached_sw_if_index;
79 u32 cached_ip4_address;
82 typedef struct nat_timeouts_s
96 /* deterministic session outside key */
103 ip4_address_t ext_host_addr;
109 } snat_det_out_key_t;
113 /* Inside network port */
115 /* Outside network address and port */
116 snat_det_out_key_t out;
121 } snat_det_session_t;
125 /* inside IP address range */
126 ip4_address_t in_addr;
128 /* outside IP address range */
129 ip4_address_t out_addr;
131 /* inside IP addresses / outside IP addresses */
133 /* number of ports available to internal host */
135 /* session counter */
137 /* vector of sessions */
138 snat_det_session_t *sessions;
159 typedef struct det44_main_s
161 det44_config_t config;
163 u32 outside_fib_index;
164 u32 inside_fib_index;
166 /* Vector of outside fibs */
167 det44_fib_t *outside_fibs;
169 fib_source_t fib_src_hi;
170 fib_source_t fib_src_low;
172 u32 out2in_node_index;
173 u32 in2out_node_index;
175 /* Deterministic NAT mappings */
176 snat_det_map_t *det_maps;
178 /* TCP MSS clamping */
181 /* Protocol timeouts */
182 nat_timeouts_t timeouts;
184 /* Expire walk process node index */
185 u32 expire_walk_node_index;
189 /* API message ID base */
193 vlib_log_class_t log_class;
195 det44_interface_t *interfaces;
198 ip4_main_t *ip4_main;
200 vnet_main_t *vnet_main;
204 extern det44_main_t det44_main;
207 #define det44_log_err(...) \
208 vlib_log(VLIB_LOG_LEVEL_ERR, det44_main.log_class, __VA_ARGS__)
209 #define det44_log_warn(...) \
210 vlib_log(VLIB_LOG_LEVEL_WARNING, det44_main.log_class, __VA_ARGS__)
211 #define det44_log_notice(...) \
212 vlib_log(VLIB_LOG_LEVEL_NOTICE, det44_main.log_class, __VA_ARGS__)
213 #define det44_log_info(...) \
214 vlib_log(VLIB_LOG_LEVEL_INFO, det44_main.log_class, __VA_ARGS__)
215 #define det44_log_debug(...)\
216 vlib_log(VLIB_LOG_LEVEL_DEBUG, det44_main.log_class, __VA_ARGS__)
218 /* Deterministic NAT interface flags */
219 #define DET44_INTERFACE_FLAG_IS_INSIDE 1
220 #define DET44_INTERFACE_FLAG_IS_OUTSIDE 2
222 /** \brief Check if Deterministic NAT interface is inside.
223 @param i Deterministic NAT interface
224 @return 1 if inside interface
226 #define det44_interface_is_inside(i) i->flags & DET44_INTERFACE_FLAG_IS_INSIDE
228 /** \brief Check if Deterministic NAT interface is outside.
229 @param i Deterministic NAT interface
230 @return 1 if outside interface
232 #define det44_interface_is_outside(i) i->flags & DET44_INTERFACE_FLAG_IS_OUTSIDE
234 static_always_inline u8
237 det44_main_t *dm = &det44_main;
241 extern vlib_node_registration_t det44_in2out_node;
242 extern vlib_node_registration_t det44_out2in_node;
244 int det44_plugin_enable ();
245 int det44_plugin_disable ();
247 int det44_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del);
249 int det44_set_timeouts (nat_timeouts_t * timeouts);
250 nat_timeouts_t det44_get_timeouts ();
251 void det44_reset_timeouts ();
253 /* format functions */
254 format_function_t format_det_map_ses;
256 int snat_det_add_map (ip4_address_t * in_addr, u8 in_plen,
257 ip4_address_t * out_addr, u8 out_plen, int is_add);
259 /* icmp session match functions */
260 u32 icmp_match_out2in_det (vlib_node_runtime_t * node,
261 u32 thread_index, vlib_buffer_t * b0,
262 ip4_header_t * ip0, ip4_address_t * addr,
263 u16 * port, u32 * fib_index,
264 nat_protocol_t * proto, void *d, void *e,
265 u8 * dont_translate);
266 u32 icmp_match_in2out_det (vlib_node_runtime_t * node,
267 u32 thread_index, vlib_buffer_t * b0,
268 ip4_header_t * ip0, ip4_address_t * addr,
269 u16 * port, u32 * fib_index,
270 nat_protocol_t * proto, void *d, void *e,
271 u8 * dont_translate);
272 u32 det44_icmp_in2out (vlib_buffer_t * b0, ip4_header_t * ip0,
273 icmp46_header_t * icmp0, u32 sw_if_index0,
274 u32 rx_fib_index0, vlib_node_runtime_t * node,
275 u32 next0, u32 thread_index, void *d, void *e);
276 u32 det44_icmp_out2in (vlib_buffer_t * b0, ip4_header_t * ip0,
277 icmp46_header_t * icmp0, u32 sw_if_index0,
278 u32 rx_fib_index0, vlib_node_runtime_t * node,
279 u32 next0, u32 thread_index, void *d, void *e);
281 static_always_inline int
282 is_addr_in_net (ip4_address_t * addr, ip4_address_t * net, u8 plen)
284 if (net->as_u32 == (addr->as_u32 & ip4_main.fib_masks[plen]))
289 static_always_inline snat_det_map_t *
290 snat_det_map_by_user (ip4_address_t * user_addr)
292 det44_main_t *dm = &det44_main;
295 pool_foreach (mp, dm->det_maps,
297 if (is_addr_in_net(user_addr, &mp->in_addr, mp->in_plen))
304 static_always_inline snat_det_map_t *
305 snat_det_map_by_out (ip4_address_t * out_addr)
307 det44_main_t *dm = &det44_main;
310 pool_foreach (mp, dm->det_maps,
312 if (is_addr_in_net(out_addr, &mp->out_addr, mp->out_plen))
319 static_always_inline void
320 snat_det_forward (snat_det_map_t * dm, ip4_address_t * in_addr,
321 ip4_address_t * out_addr, u16 * lo_port)
323 u32 in_offset, out_offset;
325 in_offset = clib_net_to_host_u32 (in_addr->as_u32) -
326 clib_net_to_host_u32 (dm->in_addr.as_u32);
327 out_offset = in_offset / dm->sharing_ratio;
329 clib_host_to_net_u32 (clib_net_to_host_u32 (dm->out_addr.as_u32) +
331 *lo_port = 1024 + dm->ports_per_host * (in_offset % dm->sharing_ratio);
334 static_always_inline void
335 snat_det_reverse (snat_det_map_t * dm, ip4_address_t * out_addr, u16 out_port,
336 ip4_address_t * in_addr)
338 u32 in_offset1, in_offset2, out_offset;
340 out_offset = clib_net_to_host_u32 (out_addr->as_u32) -
341 clib_net_to_host_u32 (dm->out_addr.as_u32);
342 in_offset1 = out_offset * dm->sharing_ratio;
343 in_offset2 = (out_port - 1024) / dm->ports_per_host;
345 clib_host_to_net_u32 (clib_net_to_host_u32 (dm->in_addr.as_u32) +
346 in_offset1 + in_offset2);
349 static_always_inline u32
350 snat_det_user_ses_offset (ip4_address_t * addr, u8 plen)
352 return (clib_net_to_host_u32 (addr->as_u32) & pow2_mask (32 - plen)) *
356 static_always_inline snat_det_session_t *
357 snat_det_get_ses_by_out (snat_det_map_t * dm, ip4_address_t * in_addr,
363 user_offset = snat_det_user_ses_offset (in_addr, dm->in_plen);
364 for (i = 0; i < DET44_SES_PER_USER; i++)
366 if (dm->sessions[i + user_offset].out.as_u64 == out_key)
367 return &dm->sessions[i + user_offset];
373 static_always_inline snat_det_session_t *
374 snat_det_find_ses_by_in (snat_det_map_t * dm, ip4_address_t * in_addr,
375 u16 in_port, snat_det_out_key_t out_key)
377 snat_det_session_t *ses;
381 user_offset = snat_det_user_ses_offset (in_addr, dm->in_plen);
382 for (i = 0; i < DET44_SES_PER_USER; i++)
384 ses = &dm->sessions[i + user_offset];
385 if (ses->in_port == in_port &&
386 ses->out.ext_host_addr.as_u32 == out_key.ext_host_addr.as_u32 &&
387 ses->out.ext_host_port == out_key.ext_host_port)
388 return &dm->sessions[i + user_offset];
394 static_always_inline snat_det_session_t *
395 snat_det_ses_create (u32 thread_index, snat_det_map_t * dm,
396 ip4_address_t * in_addr, u16 in_port,
397 snat_det_out_key_t * out)
402 user_offset = snat_det_user_ses_offset (in_addr, dm->in_plen);
404 for (i = 0; i < DET44_SES_PER_USER; i++)
406 if (!dm->sessions[i + user_offset].in_port)
408 if (clib_atomic_bool_cmp_and_swap
409 (&dm->sessions[i + user_offset].in_port, 0, in_port))
411 dm->sessions[i + user_offset].out.as_u64 = out->as_u64;
412 dm->sessions[i + user_offset].state = DET44_SESSION_UNKNOWN;
413 dm->sessions[i + user_offset].expire = 0;
414 clib_atomic_add_fetch (&dm->ses_num, 1);
415 return &dm->sessions[i + user_offset];
421 /*snat_ipfix_logging_max_entries_per_user (thread_index,
427 static_always_inline void
428 snat_det_ses_close (snat_det_map_t * dm, snat_det_session_t * ses)
430 if (clib_atomic_bool_cmp_and_swap (&ses->in_port, ses->in_port, 0))
433 clib_atomic_add_fetch (&dm->ses_num, -1);
437 clib_error_t *det44_api_hookup (vlib_main_t * vm);
439 #endif /* __included_det44_h__ */
442 * fd.io coding-style-patch-verification: ON
445 * eval: (c-set-style "gnu")