2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_dpo.h>
24 #include <nat/nat_ipfix_logging.h>
25 #include <nat/nat_det.h>
26 #include <nat/nat64.h>
27 #include <nat/nat66.h>
28 #include <nat/nat_inlines.h>
29 #include <nat/nat44/inlines.h>
30 #include <nat/nat_affinity.h>
31 #include <nat/nat_syslog.h>
32 #include <nat/nat_ha.h>
33 #include <vnet/fib/fib_table.h>
34 #include <vnet/fib/ip4_fib.h>
35 #include <vnet/ip/reass/ip4_sv_reass.h>
36 #include <vppinfra/bihash_16_8.h>
37 #include <nat/nat44/ed_inlines.h>
39 #include <vpp/app/version.h>
41 snat_main_t snat_main;
43 fib_source_t nat_fib_src_hi;
44 fib_source_t nat_fib_src_low;
47 /* Hook up input features */
48 VNET_FEATURE_INIT (nat_pre_in2out, static) = {
49 .arc_name = "ip4-unicast",
50 .node_name = "nat-pre-in2out",
51 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
52 "ip4-sv-reassembly-feature"),
54 VNET_FEATURE_INIT (nat_pre_out2in, static) = {
55 .arc_name = "ip4-unicast",
56 .node_name = "nat-pre-out2in",
57 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
58 "ip4-dhcp-client-detect",
59 "ip4-sv-reassembly-feature"),
61 VNET_FEATURE_INIT (snat_in2out_worker_handoff, static) = {
62 .arc_name = "ip4-unicast",
63 .node_name = "nat44-in2out-worker-handoff",
64 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
66 VNET_FEATURE_INIT (snat_out2in_worker_handoff, static) = {
67 .arc_name = "ip4-unicast",
68 .node_name = "nat44-out2in-worker-handoff",
69 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
70 "ip4-dhcp-client-detect"),
72 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
73 .arc_name = "ip4-unicast",
74 .node_name = "nat44-in2out",
75 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
77 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
78 .arc_name = "ip4-unicast",
79 .node_name = "nat44-out2in",
80 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
81 "ip4-dhcp-client-detect"),
83 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
84 .arc_name = "ip4-unicast",
85 .node_name = "nat44-classify",
86 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
88 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
89 .arc_name = "ip4-unicast",
90 .node_name = "nat44-det-in2out",
91 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
93 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
94 .arc_name = "ip4-unicast",
95 .node_name = "nat44-det-out2in",
96 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
97 "ip4-dhcp-client-detect"),
99 VNET_FEATURE_INIT (ip4_nat_det_classify, static) = {
100 .arc_name = "ip4-unicast",
101 .node_name = "nat44-det-classify",
102 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
104 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
105 .arc_name = "ip4-unicast",
106 .node_name = "nat44-ed-in2out",
107 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
109 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
110 .arc_name = "ip4-unicast",
111 .node_name = "nat44-ed-out2in",
112 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
113 "ip4-dhcp-client-detect"),
115 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
116 .arc_name = "ip4-unicast",
117 .node_name = "nat44-ed-classify",
118 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
120 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
121 .arc_name = "ip4-unicast",
122 .node_name = "nat44-handoff-classify",
123 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
125 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
126 .arc_name = "ip4-unicast",
127 .node_name = "nat44-in2out-fast",
128 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
130 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
131 .arc_name = "ip4-unicast",
132 .node_name = "nat44-out2in-fast",
133 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
134 "ip4-dhcp-client-detect"),
136 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
137 .arc_name = "ip4-unicast",
138 .node_name = "nat44-hairpin-dst",
139 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
141 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = {
142 .arc_name = "ip4-unicast",
143 .node_name = "nat44-ed-hairpin-dst",
144 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
147 /* Hook up output features */
148 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
149 .arc_name = "ip4-output",
150 .node_name = "nat44-in2out-output",
151 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
153 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
154 .arc_name = "ip4-output",
155 .node_name = "nat44-in2out-output-worker-handoff",
156 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
158 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
159 .arc_name = "ip4-output",
160 .node_name = "nat44-hairpin-src",
161 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
163 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
164 .arc_name = "ip4-output",
165 .node_name = "nat44-ed-in2out-output",
166 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
167 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
169 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = {
170 .arc_name = "ip4-output",
171 .node_name = "nat44-ed-hairpin-src",
172 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
173 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
176 /* Hook up ip4-local features */
177 VNET_FEATURE_INIT (ip4_nat_hairpinning, static) =
179 .arc_name = "ip4-local",
180 .node_name = "nat44-hairpinning",
181 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
183 VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) =
185 .arc_name = "ip4-local",
186 .node_name = "nat44-ed-hairpinning",
187 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
191 VLIB_PLUGIN_REGISTER () = {
192 .version = VPP_BUILD_VER,
193 .description = "Network Address Translation (NAT)",
198 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index,
201 snat_session_key_t key;
202 clib_bihash_kv_8_8_t kv;
205 ip4_address_t *l_addr, *r_addr;
207 clib_bihash_kv_16_8_t ed_kv;
208 snat_main_per_thread_data_t *tsm =
209 vec_elt_at_index (sm->per_thread_data, thread_index);
211 if (is_fwd_bypass_session (s))
213 if (snat_is_unk_proto_session (s))
215 make_ed_kv (&s->in2out.addr, &s->ext_host_addr, s->in2out.port, 0,
216 0, 0, ~0, ~0, &ed_kv);
220 l_port = s->in2out.port;
221 r_port = s->ext_host_port;
222 l_addr = &s->in2out.addr;
223 r_addr = &s->ext_host_addr;
224 proto = nat_proto_to_ip_proto (s->in2out.protocol);
225 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0,
228 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
229 nat_elog_warn ("in2out_ed key del failed");
233 /* session lookup tables */
234 if (is_ed_session (s))
236 if (is_affinity_sessions (s))
237 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
238 s->in2out.protocol, s->out2in.port);
239 l_addr = &s->out2in.addr;
240 r_addr = &s->ext_host_addr;
241 fib_index = s->out2in.fib_index;
242 if (snat_is_unk_proto_session (s))
244 proto = s->in2out.port;
250 proto = nat_proto_to_ip_proto (s->in2out.protocol);
251 l_port = s->out2in.port;
252 r_port = s->ext_host_port;
254 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0, ~0,
256 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0))
257 nat_elog_warn ("out2in_ed key del failed");
258 l_addr = &s->in2out.addr;
259 fib_index = s->in2out.fib_index;
260 if (!snat_is_unk_proto_session (s))
261 l_port = s->in2out.port;
262 if (is_twice_nat_session (s))
264 r_addr = &s->ext_host_nat_addr;
265 r_port = s->ext_host_nat_port;
267 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0, ~0,
269 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
270 nat_elog_warn ("in2out_ed key del failed");
273 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
274 &s->in2out.addr, s->in2out.port,
275 &s->ext_host_nat_addr, s->ext_host_nat_port,
276 &s->out2in.addr, s->out2in.port,
277 &s->ext_host_addr, s->ext_host_port,
278 s->in2out.protocol, is_twice_nat_session (s));
282 kv.key = s->in2out.as_u64;
283 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0))
284 nat_elog_warn ("in2out key del failed");
285 kv.key = s->out2in.as_u64;
286 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0))
287 nat_elog_warn ("out2in key del failed");
290 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
291 &s->in2out.addr, s->in2out.port,
292 &s->out2in.addr, s->out2in.port,
296 if (snat_is_unk_proto_session (s))
302 snat_ipfix_logging_nat44_ses_delete (thread_index,
303 s->in2out.addr.as_u32,
304 s->out2in.addr.as_u32,
308 s->in2out.fib_index);
310 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
311 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
315 /* Twice NAT address and port for external host */
316 if (is_twice_nat_session (s))
318 key.protocol = s->in2out.protocol;
319 key.port = s->ext_host_nat_port;
320 key.addr.as_u32 = s->ext_host_nat_addr.as_u32;
321 snat_free_outside_address_and_port (sm->twice_nat_addresses,
325 if (snat_is_session_static (s))
328 snat_free_outside_address_and_port (sm->addresses, thread_index,
333 nat44_set_session_limit (u32 session_limit, u32 vrf_id)
335 snat_main_t *sm = &snat_main;
336 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
337 u32 len = vec_len (sm->max_translations_per_fib);
339 if (len <= fib_index)
341 vec_validate (sm->max_translations_per_fib, fib_index + 1);
343 for (; len < vec_len (sm->max_translations_per_fib); len++)
344 sm->max_translations_per_fib[len] = sm->max_translations;
347 sm->max_translations_per_fib[fib_index] = session_limit;
352 nat44_free_session_data (snat_main_t * sm, snat_session_t * s,
353 u32 thread_index, u8 is_ha)
355 snat_session_key_t key;
358 ip4_address_t *l_addr, *r_addr;
360 clib_bihash_kv_16_8_t ed_kv;
361 snat_main_per_thread_data_t *tsm =
362 vec_elt_at_index (sm->per_thread_data, thread_index);
364 if (is_fwd_bypass_session (s))
366 if (snat_is_unk_proto_session (s))
368 proto = s->in2out.port;
374 proto = nat_proto_to_ip_proto (s->in2out.protocol);
375 l_port = s->in2out.port;
376 r_port = s->ext_host_port;
379 l_addr = &s->in2out.addr;
380 r_addr = &s->ext_host_addr;
382 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0, ~0,
386 (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)))
387 nat_elog_warn ("in2out_ed key del failed");
391 /* session lookup tables */
392 if (is_affinity_sessions (s))
393 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
394 s->in2out.protocol, s->out2in.port);
395 l_addr = &s->out2in.addr;
396 r_addr = &s->ext_host_addr;
397 fib_index = s->out2in.fib_index;
398 if (snat_is_unk_proto_session (s))
400 proto = s->in2out.port;
406 proto = nat_proto_to_ip_proto (s->in2out.protocol);
407 l_port = s->out2in.port;
408 r_port = s->ext_host_port;
410 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0, ~0,
413 if (PREDICT_FALSE (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0)))
414 nat_elog_warn ("out2in_ed key del failed");
416 l_addr = &s->in2out.addr;
417 fib_index = s->in2out.fib_index;
419 if (!snat_is_unk_proto_session (s))
420 l_port = s->in2out.port;
422 if (is_twice_nat_session (s))
424 r_addr = &s->ext_host_nat_addr;
425 r_port = s->ext_host_nat_port;
427 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0, ~0,
430 if (PREDICT_FALSE (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)))
431 nat_elog_warn ("in2out_ed key del failed");
435 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
436 &s->in2out.addr, s->in2out.port,
437 &s->ext_host_nat_addr, s->ext_host_nat_port,
438 &s->out2in.addr, s->out2in.port,
439 &s->ext_host_addr, s->ext_host_port,
440 s->in2out.protocol, is_twice_nat_session (s));
443 if (snat_is_unk_proto_session (s))
448 snat_ipfix_logging_nat44_ses_delete (thread_index,
449 s->in2out.addr.as_u32,
450 s->out2in.addr.as_u32,
454 s->in2out.fib_index);
455 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
456 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
460 /* Twice NAT address and port for external host */
461 if (is_twice_nat_session (s))
463 key.protocol = s->in2out.protocol;
464 key.port = s->ext_host_nat_port;
465 key.addr.as_u32 = s->ext_host_nat_addr.as_u32;
466 snat_free_outside_address_and_port (sm->twice_nat_addresses,
470 if (snat_is_session_static (s))
473 snat_free_outside_address_and_port (sm->addresses, thread_index,
479 nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, u32 fib_index,
483 snat_user_key_t user_key;
484 clib_bihash_kv_8_8_t kv, value;
485 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
486 dlist_elt_t *per_user_list_head_elt;
488 user_key.addr.as_u32 = addr->as_u32;
489 user_key.fib_index = fib_index;
490 kv.key = user_key.as_u64;
492 /* Ever heard of the "user" = src ip4 address before? */
493 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
495 /* no, make a new one */
496 pool_get (tsm->users, u);
497 clib_memset (u, 0, sizeof (*u));
499 u->addr.as_u32 = addr->as_u32;
500 u->fib_index = fib_index;
502 pool_get (tsm->list_pool, per_user_list_head_elt);
504 u->sessions_per_user_list_head_index = per_user_list_head_elt -
507 clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index);
509 kv.value = u - tsm->users;
512 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
514 nat_elog_warn ("user_hash key add failed");
515 nat44_delete_user_with_no_session (sm, u, thread_index);
519 vlib_set_simple_counter (&sm->total_users, thread_index, 0,
520 pool_elts (tsm->users));
524 u = pool_elt_at_index (tsm->users, value.value);
531 nat_session_alloc_or_recycle (snat_main_t * sm, snat_user_t * u,
532 u32 thread_index, f64 now)
535 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
536 u32 oldest_per_user_translation_list_index, session_index;
537 dlist_elt_t *oldest_per_user_translation_list_elt;
538 dlist_elt_t *per_user_translation_list_elt;
540 /* Over quota? Recycle the least recently used translation */
541 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
543 oldest_per_user_translation_list_index =
544 clib_dlist_remove_head (tsm->list_pool,
545 u->sessions_per_user_list_head_index);
547 ASSERT (oldest_per_user_translation_list_index != ~0);
549 /* Add it back to the end of the LRU list */
550 clib_dlist_addtail (tsm->list_pool,
551 u->sessions_per_user_list_head_index,
552 oldest_per_user_translation_list_index);
553 /* Get the list element */
554 oldest_per_user_translation_list_elt =
555 pool_elt_at_index (tsm->list_pool,
556 oldest_per_user_translation_list_index);
558 /* Get the session index from the list element */
559 session_index = oldest_per_user_translation_list_elt->value;
561 /* Get the session */
562 s = pool_elt_at_index (tsm->sessions, session_index);
563 nat_free_session_data (sm, s, thread_index, 0);
564 if (snat_is_session_static (s))
565 u->nstaticsessions--;
572 s->ext_host_addr.as_u32 = 0;
573 s->ext_host_port = 0;
574 s->ext_host_nat_addr.as_u32 = 0;
575 s->ext_host_nat_port = 0;
579 pool_get (tsm->sessions, s);
580 clib_memset (s, 0, sizeof (*s));
582 /* Create list elts */
583 pool_get (tsm->list_pool, per_user_translation_list_elt);
584 clib_dlist_init (tsm->list_pool,
585 per_user_translation_list_elt - tsm->list_pool);
587 per_user_translation_list_elt->value = s - tsm->sessions;
588 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
589 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
591 clib_dlist_addtail (tsm->list_pool,
592 s->per_user_list_head_index,
593 per_user_translation_list_elt - tsm->list_pool);
595 s->user_index = u - tsm->users;
596 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
597 pool_elts (tsm->sessions));
600 s->ha_last_refreshed = now;
606 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
609 fib_prefix_t prefix = {
611 .fp_proto = FIB_PROTOCOL_IP4,
613 .ip4.as_u32 = addr->as_u32,
616 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
619 fib_table_entry_update_one_path (fib_index,
622 (FIB_ENTRY_FLAG_CONNECTED |
623 FIB_ENTRY_FLAG_LOCAL |
624 FIB_ENTRY_FLAG_EXCLUSIVE),
628 ~0, 1, NULL, FIB_ROUTE_PATH_FLAG_NONE);
630 fib_table_entry_delete (fib_index, &prefix, nat_fib_src_low);
634 snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id,
639 vlib_thread_main_t *tm = vlib_get_thread_main ();
641 if (twice_nat && !sm->endpoint_dependent)
642 return VNET_API_ERROR_FEATURE_DISABLED;
644 /* Check if address already exists */
646 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
648 if (ap->addr.as_u32 == addr->as_u32)
649 return VNET_API_ERROR_VALUE_EXIST;
654 vec_add2 (sm->twice_nat_addresses, ap, 1);
656 vec_add2 (sm->addresses, ap, 1);
661 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
665 #define _(N, i, n, s) \
666 clib_memset(ap->busy_##n##_port_refcounts, 0, sizeof(ap->busy_##n##_port_refcounts));\
667 ap->busy_##n##_ports = 0; \
668 ap->busy_##n##_ports_per_thread = 0;\
669 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
675 /* Add external address to FIB */
677 pool_foreach (i, sm->interfaces,
679 if (nat_interface_is_inside(i) || sm->out2in_dpo)
682 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
685 pool_foreach (i, sm->output_feature_interfaces,
687 if (nat_interface_is_inside(i) || sm->out2in_dpo)
690 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
699 is_snat_address_used_in_static_mapping (snat_main_t * sm, ip4_address_t addr)
701 snat_static_mapping_t *m;
703 pool_foreach (m, sm->static_mappings,
705 if (is_addr_only_static_mapping (m) ||
706 is_out2in_only_static_mapping (m) ||
707 is_identity_static_mapping (m))
709 if (m->external_addr.as_u32 == addr.as_u32)
718 snat_add_static_mapping_when_resolved (snat_main_t * sm,
719 ip4_address_t l_addr,
724 nat_protocol_t proto,
725 int addr_only, int is_add, u8 * tag,
726 int twice_nat, int out2in_only,
729 snat_static_map_resolve_t *rp;
731 vec_add2 (sm->to_resolve, rp, 1);
732 rp->l_addr.as_u32 = l_addr.as_u32;
734 rp->sw_if_index = sw_if_index;
738 rp->addr_only = addr_only;
740 rp->twice_nat = twice_nat;
741 rp->out2in_only = out2in_only;
742 rp->identity_nat = identity_nat;
743 rp->tag = vec_dup (tag);
747 get_thread_idx_by_port (u16 e_port)
749 snat_main_t *sm = &snat_main;
750 u32 thread_idx = sm->num_workers;
751 if (sm->num_workers > 1)
754 sm->first_worker_index +
755 sm->workers[(e_port - 1024) / sm->port_per_thread];
761 snat_static_mapping_del_sessions (snat_main_t * sm,
762 snat_main_per_thread_data_t * tsm,
763 snat_user_key_t u_key, int addr_only,
764 ip4_address_t e_addr, u16 e_port)
766 clib_bihash_kv_8_8_t kv, value;
767 kv.key = u_key.as_u64;
769 dlist_elt_t *head, *elt;
772 u32 elt_index, head_index, ses_index;
773 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
775 user_index = value.value;
776 u = pool_elt_at_index (tsm->users, user_index);
777 if (u->nstaticsessions)
779 head_index = u->sessions_per_user_list_head_index;
780 head = pool_elt_at_index (tsm->list_pool, head_index);
781 elt_index = head->next;
782 elt = pool_elt_at_index (tsm->list_pool, elt_index);
783 ses_index = elt->value;
784 while (ses_index != ~0)
786 s = pool_elt_at_index (tsm->sessions, ses_index);
787 elt = pool_elt_at_index (tsm->list_pool, elt->next);
788 ses_index = elt->value;
792 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
793 (clib_net_to_host_u16 (s->out2in.port) != e_port))
797 if (is_lb_session (s))
800 if (!snat_is_session_static (s))
803 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
804 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
814 snat_ed_static_mapping_del_sessions (snat_main_t * sm,
815 snat_main_per_thread_data_t * tsm,
816 ip4_address_t l_addr,
819 u32 fib_index, int addr_only,
820 ip4_address_t e_addr, u16 e_port)
823 u32 *indexes_to_free = NULL;
825 pool_foreach (s, tsm->sessions, {
826 if (s->in2out.fib_index != fib_index ||
827 s->in2out.addr.as_u32 != l_addr.as_u32)
833 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
834 (clib_net_to_host_u16 (s->out2in.port) != e_port) ||
835 clib_net_to_host_u16 (s->in2out.port) != l_port ||
836 s->in2out.protocol != protocol)
840 if (is_lb_session (s))
842 if (!snat_is_session_static (s))
844 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
845 vec_add1 (indexes_to_free, s - tsm->sessions);
851 vec_foreach (ses_index, indexes_to_free)
853 s = pool_elt_at_index (tsm->sessions, *ses_index);
854 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
856 vec_free (indexes_to_free);
860 snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
861 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
862 u32 sw_if_index, nat_protocol_t proto, int is_add,
863 twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag,
866 snat_main_t *sm = &snat_main;
867 snat_static_mapping_t *m;
868 snat_session_key_t m_key;
869 clib_bihash_kv_8_8_t kv, value;
870 snat_address_t *a = 0;
872 snat_interface_t *interface;
874 snat_main_per_thread_data_t *tsm;
875 snat_user_key_t u_key;
877 dlist_elt_t *head, *elt;
878 u32 elt_index, head_index;
882 snat_static_map_resolve_t *rp, *rp_match = 0;
883 nat44_lb_addr_port_t *local;
886 if (!sm->endpoint_dependent)
888 if (twice_nat || out2in_only)
889 return VNET_API_ERROR_FEATURE_DISABLED;
892 /* If the external address is a specific interface address */
893 if (sw_if_index != ~0)
895 ip4_address_t *first_int_addr;
897 for (i = 0; i < vec_len (sm->to_resolve); i++)
899 rp = sm->to_resolve + i;
900 if (rp->sw_if_index != sw_if_index ||
901 rp->l_addr.as_u32 != l_addr.as_u32 ||
902 rp->vrf_id != vrf_id || rp->addr_only != addr_only)
907 if ((rp->l_port != l_port && rp->e_port != e_port)
908 || rp->proto != proto)
916 /* Might be already set... */
917 first_int_addr = ip4_interface_first_address
918 (sm->ip4_main, sw_if_index, 0 /* just want the address */ );
923 return VNET_API_ERROR_VALUE_EXIST;
925 snat_add_static_mapping_when_resolved
926 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
927 addr_only, is_add, tag, twice_nat, out2in_only, identity_nat);
929 /* DHCP resolution required? */
930 if (first_int_addr == 0)
936 e_addr.as_u32 = first_int_addr->as_u32;
937 /* Identity mapping? */
938 if (l_addr.as_u32 == 0)
939 l_addr.as_u32 = e_addr.as_u32;
945 return VNET_API_ERROR_NO_SUCH_ENTRY;
947 vec_del1 (sm->to_resolve, i);
951 e_addr.as_u32 = first_int_addr->as_u32;
952 /* Identity mapping? */
953 if (l_addr.as_u32 == 0)
954 l_addr.as_u32 = e_addr.as_u32;
962 m_key.port = addr_only ? 0 : e_port;
963 m_key.protocol = addr_only ? 0 : proto;
965 kv.key = m_key.as_u64;
966 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
969 m = pool_elt_at_index (sm->static_mappings, value.value);
975 if (is_identity_static_mapping (m))
978 pool_foreach (local, m->locals,
980 if (local->vrf_id == vrf_id)
981 return VNET_API_ERROR_VALUE_EXIST;
984 pool_get (m->locals, local);
985 local->vrf_id = vrf_id;
987 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
989 m_key.addr = m->local_addr;
990 m_key.port = m->local_port;
991 m_key.protocol = m->proto;
992 m_key.fib_index = local->fib_index;
993 kv.key = m_key.as_u64;
994 kv.value = m - sm->static_mappings;
995 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
999 return VNET_API_ERROR_VALUE_EXIST;
1002 if (twice_nat && addr_only)
1003 return VNET_API_ERROR_UNSUPPORTED;
1005 /* Convert VRF id to FIB index */
1008 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1010 /* If not specified use inside VRF id from SNAT plugin startup config */
1013 fib_index = sm->inside_fib_index;
1014 vrf_id = sm->inside_vrf_id;
1015 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1018 if (!(out2in_only || identity_nat))
1020 m_key.addr = l_addr;
1021 m_key.port = addr_only ? 0 : l_port;
1022 m_key.protocol = addr_only ? 0 : proto;
1023 m_key.fib_index = fib_index;
1024 kv.key = m_key.as_u64;
1025 if (!clib_bihash_search_8_8
1026 (&sm->static_mapping_by_local, &kv, &value))
1027 return VNET_API_ERROR_VALUE_EXIST;
1030 /* Find external address in allocated addresses and reserve port for
1031 address and port pair mapping when dynamic translations enabled */
1032 if (!(addr_only || sm->static_mapping_only || out2in_only))
1034 for (i = 0; i < vec_len (sm->addresses); i++)
1036 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1038 a = sm->addresses + i;
1039 /* External port must be unused */
1042 #define _(N, j, n, s) \
1043 case NAT_PROTOCOL_##N: \
1044 if (a->busy_##n##_port_refcounts[e_port]) \
1045 return VNET_API_ERROR_INVALID_VALUE; \
1046 ++a->busy_##n##_port_refcounts[e_port]; \
1047 if (e_port > 1024) \
1049 a->busy_##n##_ports++; \
1050 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1053 foreach_nat_protocol
1056 nat_elog_info ("unknown protocol");
1057 return VNET_API_ERROR_INVALID_VALUE_2;
1062 /* External address must be allocated */
1063 if (!a && (l_addr.as_u32 != e_addr.as_u32))
1065 if (sw_if_index != ~0)
1067 for (i = 0; i < vec_len (sm->to_resolve); i++)
1069 rp = sm->to_resolve + i;
1072 if (rp->sw_if_index != sw_if_index &&
1073 rp->l_addr.as_u32 != l_addr.as_u32 &&
1074 rp->vrf_id != vrf_id && rp->l_port != l_port &&
1075 rp->e_port != e_port && rp->proto != proto)
1078 vec_del1 (sm->to_resolve, i);
1082 return VNET_API_ERROR_NO_SUCH_ENTRY;
1086 pool_get (sm->static_mappings, m);
1087 clib_memset (m, 0, sizeof (*m));
1088 m->tag = vec_dup (tag);
1089 m->local_addr = l_addr;
1090 m->external_addr = e_addr;
1091 m->twice_nat = twice_nat;
1093 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1095 m->flags |= NAT_STATIC_MAPPING_FLAG_ADDR_ONLY;
1098 m->flags |= NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT;
1099 pool_get (m->locals, local);
1100 local->vrf_id = vrf_id;
1101 local->fib_index = fib_index;
1106 m->fib_index = fib_index;
1110 m->local_port = l_port;
1111 m->external_port = e_port;
1115 if (sm->num_workers > 1)
1118 .src_address = m->local_addr,
1120 vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index, 0));
1121 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1124 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1126 m_key.addr = m->local_addr;
1127 m_key.port = m->local_port;
1128 m_key.protocol = m->proto;
1129 m_key.fib_index = fib_index;
1130 kv.key = m_key.as_u64;
1131 kv.value = m - sm->static_mappings;
1133 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1135 m_key.addr = m->external_addr;
1136 m_key.port = m->external_port;
1137 m_key.fib_index = 0;
1138 kv.key = m_key.as_u64;
1139 kv.value = m - sm->static_mappings;
1140 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1);
1142 /* Delete dynamic sessions matching local address (+ local port) */
1143 if (!(sm->static_mapping_only))
1145 u_key.addr = m->local_addr;
1146 u_key.fib_index = m->fib_index;
1147 kv.key = u_key.as_u64;
1148 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1150 user_index = value.value;
1151 u = pool_elt_at_index (tsm->users, user_index);
1154 head_index = u->sessions_per_user_list_head_index;
1155 head = pool_elt_at_index (tsm->list_pool, head_index);
1156 elt_index = head->next;
1157 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1158 ses_index = elt->value;
1159 while (ses_index != ~0)
1161 s = pool_elt_at_index (tsm->sessions, ses_index);
1162 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1163 ses_index = elt->value;
1165 if (snat_is_session_static (s))
1169 && (clib_net_to_host_u16 (s->in2out.port) !=
1173 nat_free_session_data (sm, s,
1174 tsm - sm->per_thread_data, 0);
1175 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1177 if (!addr_only && !sm->endpoint_dependent)
1188 if (sw_if_index != ~0)
1191 return VNET_API_ERROR_NO_SUCH_ENTRY;
1197 vrf_id = sm->inside_vrf_id;
1200 pool_foreach (local, m->locals,
1202 if (local->vrf_id == vrf_id)
1203 find = local - m->locals;
1207 return VNET_API_ERROR_NO_SUCH_ENTRY;
1209 local = pool_elt_at_index (m->locals, find);
1210 fib_index = local->fib_index;
1211 pool_put (m->locals, local);
1214 fib_index = m->fib_index;
1216 /* Free external address port */
1217 if (!(addr_only || sm->static_mapping_only || out2in_only))
1219 for (i = 0; i < vec_len (sm->addresses); i++)
1221 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1223 a = sm->addresses + i;
1226 #define _(N, j, n, s) \
1227 case NAT_PROTOCOL_##N: \
1228 --a->busy_##n##_port_refcounts[e_port]; \
1229 if (e_port > 1024) \
1231 a->busy_##n##_ports--; \
1232 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1235 foreach_nat_protocol
1238 nat_elog_info ("unknown protocol");
1239 return VNET_API_ERROR_INVALID_VALUE_2;
1246 if (sm->num_workers > 1)
1247 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1249 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1251 m_key.addr = m->local_addr;
1252 m_key.port = m->local_port;
1253 m_key.protocol = m->proto;
1254 m_key.fib_index = fib_index;
1255 kv.key = m_key.as_u64;
1257 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0);
1259 /* Delete session(s) for static mapping if exist */
1260 if (!(sm->static_mapping_only) ||
1261 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
1263 if (sm->endpoint_dependent)
1265 snat_ed_static_mapping_del_sessions (sm, tsm, m->local_addr,
1266 m->local_port, m->proto,
1267 fib_index, addr_only,
1272 u_key.addr = m->local_addr;
1273 u_key.fib_index = fib_index;
1274 kv.key = u_key.as_u64;
1275 snat_static_mapping_del_sessions (sm, tsm, u_key, addr_only,
1280 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1281 if (pool_elts (m->locals))
1284 m_key.addr = m->external_addr;
1285 m_key.port = m->external_port;
1286 m_key.fib_index = 0;
1287 kv.key = m_key.as_u64;
1288 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0);
1291 vec_free (m->workers);
1292 /* Delete static mapping from pool */
1293 pool_put (sm->static_mappings, m);
1296 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
1299 /* Add/delete external address to FIB */
1301 pool_foreach (interface, sm->interfaces,
1303 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1306 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1309 pool_foreach (interface, sm->output_feature_interfaces,
1311 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1314 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1323 nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1324 nat_protocol_t proto,
1325 nat44_lb_addr_port_t * locals, u8 is_add,
1326 twice_nat_type_t twice_nat, u8 out2in_only,
1327 u8 * tag, u32 affinity)
1329 snat_main_t *sm = &snat_main;
1330 snat_static_mapping_t *m;
1331 snat_session_key_t m_key;
1332 clib_bihash_kv_8_8_t kv, value;
1333 snat_address_t *a = 0;
1335 nat44_lb_addr_port_t *local;
1336 snat_main_per_thread_data_t *tsm;
1340 if (!sm->endpoint_dependent)
1341 return VNET_API_ERROR_FEATURE_DISABLED;
1343 m_key.addr = e_addr;
1344 m_key.port = e_port;
1345 m_key.protocol = proto;
1346 m_key.fib_index = 0;
1347 kv.key = m_key.as_u64;
1348 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1351 m = pool_elt_at_index (sm->static_mappings, value.value);
1356 return VNET_API_ERROR_VALUE_EXIST;
1358 if (vec_len (locals) < 2)
1359 return VNET_API_ERROR_INVALID_VALUE;
1361 /* Find external address in allocated addresses and reserve port for
1362 address and port pair mapping when dynamic translations enabled */
1363 if (!(sm->static_mapping_only || out2in_only))
1365 for (i = 0; i < vec_len (sm->addresses); i++)
1367 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1369 a = sm->addresses + i;
1370 /* External port must be unused */
1373 #define _(N, j, n, s) \
1374 case NAT_PROTOCOL_##N: \
1375 if (a->busy_##n##_port_refcounts[e_port]) \
1376 return VNET_API_ERROR_INVALID_VALUE; \
1377 ++a->busy_##n##_port_refcounts[e_port]; \
1378 if (e_port > 1024) \
1380 a->busy_##n##_ports++; \
1381 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1384 foreach_nat_protocol
1387 nat_elog_info ("unknown protocol");
1388 return VNET_API_ERROR_INVALID_VALUE_2;
1393 /* External address must be allocated */
1395 return VNET_API_ERROR_NO_SUCH_ENTRY;
1398 pool_get (sm->static_mappings, m);
1399 clib_memset (m, 0, sizeof (*m));
1400 m->tag = vec_dup (tag);
1401 m->external_addr = e_addr;
1402 m->external_port = e_port;
1404 m->twice_nat = twice_nat;
1405 m->flags |= NAT_STATIC_MAPPING_FLAG_LB;
1407 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1408 m->affinity = affinity;
1411 m->affinity_per_service_list_head_index =
1412 nat_affinity_get_per_service_list_head_index ();
1414 m->affinity_per_service_list_head_index = ~0;
1416 m_key.addr = m->external_addr;
1417 m_key.port = m->external_port;
1418 m_key.protocol = m->proto;
1419 m_key.fib_index = 0;
1420 kv.key = m_key.as_u64;
1421 kv.value = m - sm->static_mappings;
1422 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1))
1424 nat_elog_err ("static_mapping_by_external key add failed");
1425 return VNET_API_ERROR_UNSPECIFIED;
1428 m_key.fib_index = m->fib_index;
1429 for (i = 0; i < vec_len (locals); i++)
1431 locals[i].fib_index =
1432 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1435 m_key.addr = locals[i].addr;
1436 m_key.fib_index = locals[i].fib_index;
1439 m_key.port = locals[i].port;
1440 kv.key = m_key.as_u64;
1441 kv.value = m - sm->static_mappings;
1442 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1444 locals[i].prefix = (i == 0) ? locals[i].probability :
1445 (locals[i - 1].prefix + locals[i].probability);
1446 pool_get (m->locals, local);
1448 if (sm->num_workers > 1)
1451 .src_address = locals[i].addr,
1454 clib_bitmap_set (bitmap,
1455 sm->worker_in2out_cb (&ip, m->fib_index, 0),
1460 /* Assign workers */
1461 if (sm->num_workers > 1)
1464 clib_bitmap_foreach (i, bitmap,
1466 vec_add1(m->workers, i);
1474 return VNET_API_ERROR_NO_SUCH_ENTRY;
1476 if (!is_lb_static_mapping (m))
1477 return VNET_API_ERROR_INVALID_VALUE;
1479 /* Free external address port */
1480 if (!(sm->static_mapping_only || out2in_only))
1482 for (i = 0; i < vec_len (sm->addresses); i++)
1484 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1486 a = sm->addresses + i;
1489 #define _(N, j, n, s) \
1490 case NAT_PROTOCOL_##N: \
1491 --a->busy_##n##_port_refcounts[e_port]; \
1492 if (e_port > 1024) \
1494 a->busy_##n##_ports--; \
1495 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1498 foreach_nat_protocol
1501 nat_elog_info ("unknown protocol");
1502 return VNET_API_ERROR_INVALID_VALUE_2;
1509 m_key.addr = m->external_addr;
1510 m_key.port = m->external_port;
1511 m_key.protocol = m->proto;
1512 m_key.fib_index = 0;
1513 kv.key = m_key.as_u64;
1514 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0))
1516 nat_elog_err ("static_mapping_by_external key del failed");
1517 return VNET_API_ERROR_UNSPECIFIED;
1521 pool_foreach (local, m->locals,
1523 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4,
1525 m_key.addr = local->addr;
1528 m_key.port = local->port;
1529 m_key.fib_index = local->fib_index;
1530 kv.key = m_key.as_u64;
1531 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
1533 nat_elog_err ("static_mapping_by_local key del failed");
1534 return VNET_API_ERROR_UNSPECIFIED;
1538 if (sm->num_workers > 1)
1541 .src_address = local->addr,
1543 tsm = vec_elt_at_index (sm->per_thread_data,
1544 sm->worker_in2out_cb (&ip, m->fib_index, 0));
1547 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1549 /* Delete sessions */
1550 pool_foreach (s, tsm->sessions, {
1551 if (!(is_lb_session (s)))
1554 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1555 (clib_net_to_host_u16 (s->in2out.port) != local->port))
1558 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1559 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1564 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1565 pool_free (m->locals);
1567 vec_free (m->workers);
1569 pool_put (sm->static_mappings, m);
1576 nat44_lb_static_mapping_add_del_local (ip4_address_t e_addr, u16 e_port,
1577 ip4_address_t l_addr, u16 l_port,
1578 nat_protocol_t proto, u32 vrf_id,
1579 u8 probability, u8 is_add)
1581 snat_main_t *sm = &snat_main;
1582 snat_static_mapping_t *m = 0;
1583 snat_session_key_t m_key;
1584 clib_bihash_kv_8_8_t kv, value;
1585 nat44_lb_addr_port_t *local, *prev_local, *match_local = 0;
1586 snat_main_per_thread_data_t *tsm;
1592 if (!sm->endpoint_dependent)
1593 return VNET_API_ERROR_FEATURE_DISABLED;
1595 m_key.addr = e_addr;
1596 m_key.port = e_port;
1597 m_key.protocol = proto;
1598 m_key.fib_index = 0;
1599 kv.key = m_key.as_u64;
1600 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1601 m = pool_elt_at_index (sm->static_mappings, value.value);
1604 return VNET_API_ERROR_NO_SUCH_ENTRY;
1606 if (!is_lb_static_mapping (m))
1607 return VNET_API_ERROR_INVALID_VALUE;
1610 pool_foreach (local, m->locals,
1612 if ((local->addr.as_u32 == l_addr.as_u32) && (local->port == l_port) &&
1613 (local->vrf_id == vrf_id))
1615 match_local = local;
1624 return VNET_API_ERROR_VALUE_EXIST;
1626 pool_get (m->locals, local);
1627 clib_memset (local, 0, sizeof (*local));
1628 local->addr.as_u32 = l_addr.as_u32;
1629 local->port = l_port;
1630 local->probability = probability;
1631 local->vrf_id = vrf_id;
1633 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1636 if (!is_out2in_only_static_mapping (m))
1638 m_key.addr = l_addr;
1639 m_key.port = l_port;
1640 m_key.fib_index = local->fib_index;
1641 kv.key = m_key.as_u64;
1642 kv.value = m - sm->static_mappings;
1643 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1))
1644 nat_elog_err ("static_mapping_by_local key add failed");
1650 return VNET_API_ERROR_NO_SUCH_ENTRY;
1652 if (pool_elts (m->locals) < 3)
1653 return VNET_API_ERROR_UNSPECIFIED;
1655 fib_table_unlock (match_local->fib_index, FIB_PROTOCOL_IP4,
1658 if (!is_out2in_only_static_mapping (m))
1660 m_key.addr = l_addr;
1661 m_key.port = l_port;
1662 m_key.fib_index = match_local->fib_index;
1663 kv.key = m_key.as_u64;
1664 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0))
1665 nat_elog_err ("static_mapping_by_local key del failed");
1668 if (sm->num_workers > 1)
1671 .src_address = local->addr,
1673 tsm = vec_elt_at_index (sm->per_thread_data,
1674 sm->worker_in2out_cb (&ip, m->fib_index,
1678 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1680 /* Delete sessions */
1682 pool_foreach (s, tsm->sessions, {
1683 if (!(is_lb_session (s)))
1686 if ((s->in2out.addr.as_u32 != match_local->addr.as_u32) ||
1687 (clib_net_to_host_u16 (s->in2out.port) != match_local->port))
1690 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1691 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1695 pool_put (m->locals, match_local);
1698 vec_free (m->workers);
1701 pool_foreach (local, m->locals,
1703 vec_add1 (locals, local - m->locals);
1704 if (sm->num_workers > 1)
1707 ip.src_address.as_u32 = local->addr.as_u32,
1708 bitmap = clib_bitmap_set (bitmap,
1709 sm->worker_in2out_cb (&ip, local->fib_index, 0),
1715 ASSERT (vec_len (locals) > 1);
1717 local = pool_elt_at_index (m->locals, locals[0]);
1718 local->prefix = local->probability;
1719 for (i = 1; i < vec_len (locals); i++)
1721 local = pool_elt_at_index (m->locals, locals[i]);
1722 prev_local = pool_elt_at_index (m->locals, locals[i - 1]);
1723 local->prefix = local->probability + prev_local->prefix;
1726 /* Assign workers */
1727 if (sm->num_workers > 1)
1730 clib_bitmap_foreach (i, bitmap, ({ vec_add1(m->workers, i); }));
1738 snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
1741 snat_address_t *a = 0;
1742 snat_session_t *ses;
1743 u32 *ses_to_be_removed = 0, *ses_index;
1744 snat_main_per_thread_data_t *tsm;
1745 snat_static_mapping_t *m;
1746 snat_interface_t *interface;
1748 snat_address_t *addresses =
1749 twice_nat ? sm->twice_nat_addresses : sm->addresses;
1751 /* Find SNAT address */
1752 for (i = 0; i < vec_len (addresses); i++)
1754 if (addresses[i].addr.as_u32 == addr.as_u32)
1761 return VNET_API_ERROR_NO_SUCH_ENTRY;
1766 pool_foreach (m, sm->static_mappings,
1768 if (m->external_addr.as_u32 == addr.as_u32)
1769 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1770 m->local_port, m->external_port,
1771 m->vrf_id, is_addr_only_static_mapping(m), ~0,
1772 m->proto, 0, m->twice_nat,
1773 is_out2in_only_static_mapping(m), m->tag, is_identity_static_mapping(m));
1779 /* Check if address is used in some static mapping */
1780 if (is_snat_address_used_in_static_mapping (sm, addr))
1782 nat_elog_notice ("address used in static mapping");
1783 return VNET_API_ERROR_UNSPECIFIED;
1787 if (a->fib_index != ~0)
1788 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1790 /* Delete sessions using address */
1791 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1794 vec_foreach (tsm, sm->per_thread_data)
1796 pool_foreach (ses, tsm->sessions, ({
1797 if (ses->out2in.addr.as_u32 == addr.as_u32)
1799 nat_free_session_data (sm, ses, tsm - sm->per_thread_data, 0);
1800 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1804 if (sm->endpoint_dependent){
1805 vec_foreach (ses_index, ses_to_be_removed)
1807 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1808 nat_ed_session_delete (sm, ses, tsm - sm->per_thread_data, 1);
1811 vec_foreach (ses_index, ses_to_be_removed)
1813 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1814 nat44_delete_session (sm, ses, tsm - sm->per_thread_data);
1818 vec_free (ses_to_be_removed);
1823 #define _(N, i, n, s) \
1824 vec_free (a->busy_##n##_ports_per_thread);
1825 foreach_nat_protocol
1829 vec_del1 (sm->twice_nat_addresses, i);
1833 vec_del1 (sm->addresses, i);
1835 /* Delete external address from FIB */
1837 pool_foreach (interface, sm->interfaces,
1839 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1842 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1845 pool_foreach (interface, sm->output_feature_interfaces,
1847 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1850 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1859 snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
1861 snat_main_t *sm = &snat_main;
1862 snat_interface_t *i;
1863 const char *feature_name, *del_feature_name;
1865 snat_static_mapping_t *m;
1867 nat_outside_fib_t *outside_fib;
1868 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1871 if (sm->out2in_dpo && !is_inside)
1872 return VNET_API_ERROR_UNSUPPORTED;
1875 pool_foreach (i, sm->output_feature_interfaces,
1877 if (i->sw_if_index == sw_if_index)
1878 return VNET_API_ERROR_VALUE_EXIST;
1882 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1883 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
1886 if (sm->num_workers > 1 && !sm->deterministic)
1888 is_inside ? "nat44-in2out-worker-handoff" :
1889 "nat44-out2in-worker-handoff";
1890 else if (sm->deterministic)
1891 feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in";
1892 else if (sm->endpoint_dependent)
1894 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1897 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
1900 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1901 sm->fq_in2out_index =
1902 vlib_frame_queue_main_init (sm->in2out_node_index, NAT_FQ_NELTS);
1904 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1905 sm->fq_out2in_index =
1906 vlib_frame_queue_main_init (sm->out2in_node_index, NAT_FQ_NELTS);
1911 vec_foreach (outside_fib, sm->outside_fibs)
1913 if (outside_fib->fib_index == fib_index)
1917 outside_fib->refcount--;
1918 if (!outside_fib->refcount)
1919 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1922 outside_fib->refcount++;
1929 vec_add2 (sm->outside_fibs, outside_fib, 1);
1930 outside_fib->refcount = 1;
1931 outside_fib->fib_index = fib_index;
1936 pool_foreach (i, sm->interfaces,
1938 if (i->sw_if_index == sw_if_index)
1942 if (nat_interface_is_inside(i) && nat_interface_is_outside(i))
1945 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1947 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1949 if (sm->num_workers > 1 && !sm->deterministic)
1951 del_feature_name = "nat44-handoff-classify";
1952 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1953 "nat44-out2in-worker-handoff";
1955 else if (sm->deterministic)
1957 del_feature_name = "nat44-det-classify";
1958 feature_name = !is_inside ? "nat44-det-in2out" :
1961 else if (sm->endpoint_dependent)
1963 del_feature_name = "nat44-ed-classify";
1964 feature_name = !is_inside ? "nat-pre-in2out" :
1969 del_feature_name = "nat44-classify";
1970 feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1973 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1976 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1977 sw_if_index, 0, 0, 0);
1978 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1979 sw_if_index, 1, 0, 0);
1982 if (sm->endpoint_dependent)
1983 vnet_feature_enable_disable ("ip4-local",
1984 "nat44-ed-hairpinning",
1985 sw_if_index, 1, 0, 0);
1986 else if (!sm->deterministic)
1987 vnet_feature_enable_disable ("ip4-local",
1988 "nat44-hairpinning",
1989 sw_if_index, 1, 0, 0);
1994 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1997 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1998 sw_if_index, 0, 0, 0);
1999 pool_put (sm->interfaces, i);
2002 if (sm->endpoint_dependent)
2003 vnet_feature_enable_disable ("ip4-local",
2004 "nat44-ed-hairpinning",
2005 sw_if_index, 0, 0, 0);
2006 else if (!sm->deterministic)
2007 vnet_feature_enable_disable ("ip4-local",
2008 "nat44-hairpinning",
2009 sw_if_index, 0, 0, 0);
2015 if ((nat_interface_is_inside(i) && is_inside) ||
2016 (nat_interface_is_outside(i) && !is_inside))
2019 if (sm->num_workers > 1 && !sm->deterministic)
2021 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
2022 "nat44-out2in-worker-handoff";
2023 feature_name = "nat44-handoff-classify";
2025 else if (sm->deterministic)
2027 del_feature_name = !is_inside ? "nat44-det-in2out" :
2029 feature_name = "nat44-det-classify";
2031 else if (sm->endpoint_dependent)
2033 del_feature_name = !is_inside ? "nat-pre-in2out" :
2036 feature_name = "nat44-ed-classify";
2040 del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
2041 feature_name = "nat44-classify";
2044 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
2047 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
2048 sw_if_index, 0, 0, 0);
2049 vnet_feature_enable_disable ("ip4-unicast", feature_name,
2050 sw_if_index, 1, 0, 0);
2053 if (sm->endpoint_dependent)
2054 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
2055 sw_if_index, 0, 0, 0);
2056 else if (!sm->deterministic)
2057 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
2058 sw_if_index, 0, 0, 0);
2069 return VNET_API_ERROR_NO_SUCH_ENTRY;
2071 pool_get (sm->interfaces, i);
2072 i->sw_if_index = sw_if_index;
2074 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0,
2077 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
2081 if (is_inside && !sm->out2in_dpo)
2083 if (sm->endpoint_dependent)
2084 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
2085 sw_if_index, 1, 0, 0);
2086 else if (!sm->deterministic)
2087 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
2088 sw_if_index, 1, 0, 0);
2094 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2098 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2100 /* Add/delete external addresses to FIB */
2103 vec_foreach (ap, sm->addresses)
2104 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
2106 pool_foreach (m, sm->static_mappings,
2108 if (!(is_addr_only_static_mapping(m)) || (m->local_addr.as_u32 == m->external_addr.as_u32))
2111 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
2114 pool_foreach (dm, sm->det_maps,
2116 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
2124 snat_interface_add_del_output_feature (u32 sw_if_index,
2125 u8 is_inside, int is_del)
2127 snat_main_t *sm = &snat_main;
2128 snat_interface_t *i;
2130 snat_static_mapping_t *m;
2131 nat_outside_fib_t *outside_fib;
2132 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2136 if (sm->deterministic ||
2137 (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)))
2138 return VNET_API_ERROR_UNSUPPORTED;
2141 pool_foreach (i, sm->interfaces,
2143 if (i->sw_if_index == sw_if_index)
2144 return VNET_API_ERROR_VALUE_EXIST;
2151 vec_foreach (outside_fib, sm->outside_fibs)
2153 if (outside_fib->fib_index == fib_index)
2157 outside_fib->refcount--;
2158 if (!outside_fib->refcount)
2159 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2162 outside_fib->refcount++;
2169 vec_add2 (sm->outside_fibs, outside_fib, 1);
2170 outside_fib->refcount = 1;
2171 outside_fib->fib_index = fib_index;
2178 if (sm->endpoint_dependent)
2181 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2185 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2189 vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst",
2190 sw_if_index, !is_del, 0, 0);
2191 vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src",
2192 sw_if_index, !is_del, 0, 0);
2197 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2201 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2205 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
2206 sw_if_index, !is_del, 0, 0);
2207 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
2208 sw_if_index, !is_del, 0, 0);
2213 if (sm->num_workers > 1)
2215 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2219 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, !is_del);
2222 vnet_feature_enable_disable ("ip4-unicast",
2223 "nat44-out2in-worker-handoff",
2224 sw_if_index, !is_del, 0, 0);
2225 vnet_feature_enable_disable ("ip4-output",
2226 "nat44-in2out-output-worker-handoff",
2227 sw_if_index, !is_del, 0, 0);
2231 if (sm->endpoint_dependent)
2234 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2238 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2242 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
2243 sw_if_index, !is_del, 0, 0);
2244 vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output",
2245 sw_if_index, !is_del, 0, 0);
2250 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2254 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2258 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in",
2259 sw_if_index, !is_del, 0, 0);
2260 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
2261 sw_if_index, !is_del, 0, 0);
2266 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
2267 sm->fq_in2out_output_index =
2268 vlib_frame_queue_main_init (sm->in2out_output_node_index, 0);
2270 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
2271 sm->fq_out2in_index =
2272 vlib_frame_queue_main_init (sm->out2in_node_index, 0);
2275 pool_foreach (i, sm->output_feature_interfaces,
2277 if (i->sw_if_index == sw_if_index)
2280 pool_put (sm->output_feature_interfaces, i);
2282 return VNET_API_ERROR_VALUE_EXIST;
2290 return VNET_API_ERROR_NO_SUCH_ENTRY;
2292 pool_get (sm->output_feature_interfaces, i);
2293 i->sw_if_index = sw_if_index;
2296 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2298 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2300 /* Add/delete external addresses to FIB */
2306 vec_foreach (ap, sm->addresses)
2307 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
2309 pool_foreach (m, sm->static_mappings,
2311 if (!((is_addr_only_static_mapping(m))) || (m->local_addr.as_u32 == m->external_addr.as_u32))
2314 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
2322 snat_set_workers (uword * bitmap)
2324 snat_main_t *sm = &snat_main;
2327 if (sm->num_workers < 2)
2328 return VNET_API_ERROR_FEATURE_DISABLED;
2330 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
2331 return VNET_API_ERROR_INVALID_WORKER;
2333 vec_free (sm->workers);
2335 clib_bitmap_foreach (i, bitmap,
2337 vec_add1(sm->workers, i);
2338 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
2339 sm->per_thread_data[sm->first_worker_index + i].thread_index = i;
2344 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
2350 snat_update_outside_fib (u32 sw_if_index, u32 new_fib_index,
2353 snat_main_t *sm = &snat_main;
2354 nat_outside_fib_t *outside_fib;
2355 snat_interface_t *i;
2359 if (new_fib_index == old_fib_index)
2362 if (!vec_len (sm->outside_fibs))
2366 pool_foreach (i, sm->interfaces,
2368 if (i->sw_if_index == sw_if_index)
2370 if (!(nat_interface_is_outside (i)))
2376 pool_foreach (i, sm->output_feature_interfaces,
2378 if (i->sw_if_index == sw_if_index)
2380 if (!(nat_interface_is_outside (i)))
2390 vec_foreach (outside_fib, sm->outside_fibs)
2392 if (outside_fib->fib_index == old_fib_index)
2394 outside_fib->refcount--;
2395 if (!outside_fib->refcount)
2396 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2401 vec_foreach (outside_fib, sm->outside_fibs)
2403 if (outside_fib->fib_index == new_fib_index)
2405 outside_fib->refcount++;
2413 vec_add2 (sm->outside_fibs, outside_fib, 1);
2414 outside_fib->refcount = 1;
2415 outside_fib->fib_index = new_fib_index;
2420 snat_ip4_table_bind (ip4_main_t * im,
2422 u32 sw_if_index, u32 new_fib_index, u32 old_fib_index)
2424 snat_update_outside_fib (sw_if_index, new_fib_index, old_fib_index);
2428 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
2431 ip4_address_t * address,
2433 u32 if_address_index, u32 is_delete);
2436 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
2439 ip4_address_t * address,
2441 u32 if_address_index, u32 is_delete);
2444 nat_alloc_addr_and_port_default (snat_address_t * addresses,
2447 snat_session_key_t * k,
2448 u16 port_per_thread, u32 snat_thread_index);
2451 test_ed_make_split ()
2453 ip4_address_t l_addr;
2454 l_addr.as_u8[0] = 1;
2455 l_addr.as_u8[1] = 1;
2456 l_addr.as_u8[2] = 1;
2457 l_addr.as_u8[3] = 1;
2458 ip4_address_t r_addr;
2459 r_addr.as_u8[0] = 2;
2460 r_addr.as_u8[1] = 2;
2461 r_addr.as_u8[2] = 2;
2462 r_addr.as_u8[3] = 2;
2466 u32 fib_index = 9000001;
2467 u32 thread_index = 3000000001;
2468 u32 session_index = 3000000221;
2469 clib_bihash_kv_16_8_t kv;
2470 make_ed_kv (&l_addr, &r_addr, proto, fib_index, l_port, r_port,
2471 thread_index, session_index, &kv);
2472 ip4_address_t l_addr2;
2473 ip4_address_t r_addr2;
2474 clib_memset (&l_addr2, 0, sizeof (l_addr2));
2475 clib_memset (&r_addr2, 0, sizeof (r_addr2));
2480 split_ed_kv (&kv, &l_addr2, &r_addr2, &proto2, &fib_index2, &l_port2,
2482 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2483 ASSERT (r_addr.as_u32 == r_addr2.as_u32);
2484 ASSERT (l_port == l_port2);
2485 ASSERT (r_port == r_port2);
2486 ASSERT (proto == proto2);
2487 ASSERT (fib_index == fib_index2);
2488 ASSERT (thread_index == ed_value_get_thread_index (&kv));
2489 ASSERT (session_index == ed_value_get_session_index (&kv));
2492 static clib_error_t *
2493 snat_init (vlib_main_t * vm)
2495 snat_main_t *sm = &snat_main;
2496 clib_error_t *error = 0;
2497 ip4_main_t *im = &ip4_main;
2498 ip_lookup_main_t *lm = &im->lookup_main;
2500 vlib_thread_registration_t *tr;
2501 vlib_thread_main_t *tm = vlib_get_thread_main ();
2504 ip4_add_del_interface_address_callback_t cb4;
2507 sm->vnet_main = vnet_get_main ();
2509 sm->ip4_lookup_main = lm;
2510 sm->api_main = vlibapi_get_main ();
2511 sm->first_worker_index = 0;
2512 sm->num_workers = 0;
2514 sm->port_per_thread = 0xffff - 1024;
2515 sm->fq_in2out_index = ~0;
2516 sm->fq_in2out_output_index = ~0;
2517 sm->fq_out2in_index = ~0;
2519 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
2520 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
2521 sm->forwarding_enabled = 0;
2522 sm->log_class = vlib_log_register_class ("nat", 0);
2523 sm->log_level = SNAT_LOG_ERROR;
2524 sm->mss_clamping = 0;
2526 node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
2527 sm->error_node_index = node->index;
2529 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-in2out");
2530 sm->pre_in2out_node_index = node->index;
2531 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-out2in");
2532 sm->pre_out2in_node_index = node->index;
2534 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-in2out");
2535 sm->pre_in2out_node_index = node->index;
2537 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-out2in");
2538 sm->pre_out2in_node_index = node->index;
2540 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out");
2541 sm->in2out_node_index = node->index;
2542 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output");
2543 sm->in2out_output_node_index = node->index;
2544 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-fast");
2545 sm->in2out_fast_node_index = node->index;
2546 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-slowpath");
2547 sm->in2out_slowpath_node_index = node->index;
2548 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output-slowpath");
2549 sm->in2out_slowpath_output_node_index = node->index;
2551 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
2552 sm->ed_in2out_node_index = node->index;
2553 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-slowpath");
2554 sm->ed_in2out_slowpath_node_index = node->index;
2556 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in");
2557 sm->out2in_node_index = node->index;
2558 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in-fast");
2559 sm->out2in_fast_node_index = node->index;
2561 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
2562 sm->ed_out2in_node_index = node->index;
2563 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in-slowpath");
2564 sm->ed_out2in_slowpath_node_index = node->index;
2566 node = vlib_get_node_by_name (vm, (u8 *) "nat44-det-in2out");
2567 sm->det_in2out_node_index = node->index;
2568 node = vlib_get_node_by_name (vm, (u8 *) "nat44-det-out2in");
2569 sm->det_out2in_node_index = node->index;
2571 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpinning");
2572 sm->hairpinning_node_index = node->index;
2573 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-dst");
2574 sm->hairpin_dst_node_index = node->index;
2575 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-src");
2576 sm->hairpin_src_node_index = node->index;
2577 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpinning");
2578 sm->ed_hairpinning_node_index = node->index;
2579 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-dst");
2580 sm->ed_hairpin_dst_node_index = node->index;
2581 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-src");
2582 sm->ed_hairpin_src_node_index = node->index;
2584 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
2587 tr = (vlib_thread_registration_t *) p[0];
2590 sm->num_workers = tr->count;
2591 sm->first_worker_index = tr->first_index;
2595 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
2597 /* Use all available workers by default */
2598 if (sm->num_workers > 1)
2600 for (i = 0; i < sm->num_workers; i++)
2601 bitmap = clib_bitmap_set (bitmap, i, 1);
2602 snat_set_workers (bitmap);
2603 clib_bitmap_free (bitmap);
2607 sm->per_thread_data[0].snat_thread_index = 0;
2610 error = snat_api_init (vm, sm);
2614 /* Set up the interface address add/del callback */
2615 cb4.function = snat_ip4_add_del_interface_address_cb;
2616 cb4.function_opaque = 0;
2618 vec_add1 (im->add_del_interface_address_callbacks, cb4);
2620 cb4.function = nat_ip4_add_del_addr_only_sm_cb;
2621 cb4.function_opaque = 0;
2623 vec_add1 (im->add_del_interface_address_callbacks, cb4);
2625 nat_dpo_module_init ();
2628 sm->total_users.name = "total-users";
2629 sm->total_users.stat_segment_name = "/nat44/total-users";
2630 vlib_validate_simple_counter (&sm->total_users, 0);
2631 vlib_zero_simple_counter (&sm->total_users, 0);
2632 sm->total_sessions.name = "total-sessions";
2633 sm->total_sessions.stat_segment_name = "/nat44/total-sessions";
2634 vlib_validate_simple_counter (&sm->total_sessions, 0);
2635 vlib_zero_simple_counter (&sm->total_sessions, 0);
2637 /* Init IPFIX logging */
2638 snat_ipfix_logging_init (vm);
2641 error = nat64_init (vm);
2647 ip4_table_bind_callback_t cbt4 = {
2648 .function = snat_ip4_table_bind,
2650 vec_add1 (ip4_main.table_bind_callbacks, cbt4);
2652 nat_fib_src_hi = fib_source_allocate ("nat-hi",
2653 FIB_SOURCE_PRIORITY_HI,
2654 FIB_SOURCE_BH_SIMPLE);
2655 nat_fib_src_low = fib_source_allocate ("nat-low",
2656 FIB_SOURCE_PRIORITY_LOW,
2657 FIB_SOURCE_BH_SIMPLE);
2659 test_ed_make_split ();
2663 VLIB_INIT_FUNCTION (snat_init);
2666 snat_free_outside_address_and_port (snat_address_t * addresses,
2667 u32 thread_index, snat_session_key_t * k)
2671 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
2673 for (address_index = 0; address_index < vec_len (addresses);
2676 if (addresses[address_index].addr.as_u32 == k->addr.as_u32)
2680 ASSERT (address_index < vec_len (addresses));
2682 a = addresses + address_index;
2684 switch (k->protocol)
2686 #define _(N, i, n, s) \
2687 case NAT_PROTOCOL_##N: \
2688 ASSERT (a->busy_##n##_port_refcounts[port_host_byte_order] >= 1); \
2689 --a->busy_##n##_port_refcounts[port_host_byte_order]; \
2690 a->busy_##n##_ports--; \
2691 a->busy_##n##_ports_per_thread[thread_index]--; \
2693 foreach_nat_protocol
2696 nat_elog_info ("unknown protocol");
2702 nat_set_outside_address_and_port (snat_address_t * addresses,
2703 u32 thread_index, snat_session_key_t * k)
2705 snat_address_t *a = 0;
2707 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
2709 for (address_index = 0; address_index < vec_len (addresses);
2712 if (addresses[address_index].addr.as_u32 != k->addr.as_u32)
2715 a = addresses + address_index;
2716 switch (k->protocol)
2718 #define _(N, j, n, s) \
2719 case NAT_PROTOCOL_##N: \
2720 if (a->busy_##n##_port_refcounts[port_host_byte_order]) \
2721 return VNET_API_ERROR_INSTANCE_IN_USE; \
2722 ++a->busy_##n##_port_refcounts[port_host_byte_order]; \
2723 a->busy_##n##_ports_per_thread[thread_index]++; \
2724 a->busy_##n##_ports++; \
2726 foreach_nat_protocol
2729 nat_elog_info ("unknown protocol");
2734 return VNET_API_ERROR_NO_SUCH_ENTRY;
2738 snat_static_mapping_match (snat_main_t * sm,
2739 snat_session_key_t match,
2740 snat_session_key_t * mapping,
2743 twice_nat_type_t * twice_nat,
2744 lb_nat_type_t * lb, ip4_address_t * ext_host_addr,
2745 u8 * is_identity_nat)
2747 clib_bihash_kv_8_8_t kv, value;
2748 snat_static_mapping_t *m;
2749 snat_session_key_t m_key;
2750 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
2751 u32 rand, lo = 0, hi, mid, *tmp = 0, i;
2753 nat44_lb_addr_port_t *local;
2755 m_key.fib_index = match.fib_index;
2758 mapping_hash = &sm->static_mapping_by_external;
2759 m_key.fib_index = 0;
2762 m_key.addr = match.addr;
2763 m_key.port = clib_net_to_host_u16 (match.port);
2764 m_key.protocol = match.protocol;
2766 kv.key = m_key.as_u64;
2768 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2770 /* Try address only mapping */
2773 kv.key = m_key.as_u64;
2774 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2778 m = pool_elt_at_index (sm->static_mappings, value.value);
2782 if (is_lb_static_mapping (m))
2784 if (PREDICT_FALSE (lb != 0))
2785 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
2786 if (m->affinity && !nat_affinity_find_and_lock (ext_host_addr[0],
2792 local = pool_elt_at_index (m->locals, backend_index);
2793 mapping->addr = local->addr;
2794 mapping->port = clib_host_to_net_u16 (local->port);
2795 mapping->fib_index = local->fib_index;
2798 // pick locals matching this worker
2799 if (PREDICT_FALSE (sm->num_workers > 1))
2801 u32 thread_index = vlib_get_thread_index ();
2803 pool_foreach_index (i, m->locals,
2805 local = pool_elt_at_index (m->locals, i);
2808 .src_address = local->addr,
2811 if (sm->worker_in2out_cb (&ip, m->fib_index, 0) ==
2818 ASSERT (vec_len (tmp) != 0);
2823 pool_foreach_index (i, m->locals,
2829 hi = vec_len (tmp) - 1;
2830 local = pool_elt_at_index (m->locals, tmp[hi]);
2831 rand = 1 + (random_u32 (&sm->random_seed) % local->prefix);
2834 mid = ((hi - lo) >> 1) + lo;
2835 local = pool_elt_at_index (m->locals, tmp[mid]);
2836 (rand > local->prefix) ? (lo = mid + 1) : (hi = mid);
2838 local = pool_elt_at_index (m->locals, tmp[lo]);
2839 if (!(local->prefix >= rand))
2841 mapping->addr = local->addr;
2842 mapping->port = clib_host_to_net_u16 (local->port);
2843 mapping->fib_index = local->fib_index;
2846 if (nat_affinity_create_and_lock (ext_host_addr[0], match.addr,
2847 match.protocol, match.port,
2848 tmp[lo], m->affinity,
2849 m->affinity_per_service_list_head_index))
2850 nat_elog_info ("create affinity record failed");
2856 if (PREDICT_FALSE (lb != 0))
2858 mapping->fib_index = m->fib_index;
2859 mapping->addr = m->local_addr;
2860 /* Address only mapping doesn't change port */
2861 mapping->port = is_addr_only_static_mapping (m) ? match.port
2862 : clib_host_to_net_u16 (m->local_port);
2864 mapping->protocol = m->proto;
2868 mapping->addr = m->external_addr;
2869 /* Address only mapping doesn't change port */
2870 mapping->port = is_addr_only_static_mapping (m) ? match.port
2871 : clib_host_to_net_u16 (m->external_port);
2872 mapping->fib_index = sm->outside_fib_index;
2876 if (PREDICT_FALSE (is_addr_only != 0))
2877 *is_addr_only = is_addr_only_static_mapping (m);
2879 if (PREDICT_FALSE (twice_nat != 0))
2880 *twice_nat = m->twice_nat;
2882 if (PREDICT_FALSE (is_identity_nat != 0))
2883 *is_identity_nat = is_identity_static_mapping (m);
2888 static_always_inline u16
2889 snat_random_port (u16 min, u16 max)
2891 snat_main_t *sm = &snat_main;
2892 return min + random_u32 (&sm->random_seed) /
2893 (random_u32_max () / (max - min + 1) + 1);
2897 snat_alloc_outside_address_and_port (snat_address_t * addresses,
2900 snat_session_key_t * k,
2901 u16 port_per_thread,
2902 u32 snat_thread_index)
2904 snat_main_t *sm = &snat_main;
2906 return sm->alloc_addr_and_port (addresses, fib_index, thread_index, k,
2907 port_per_thread, snat_thread_index);
2911 nat_alloc_addr_and_port_default (snat_address_t * addresses,
2914 snat_session_key_t * k,
2915 u16 port_per_thread, u32 snat_thread_index)
2918 snat_address_t *a, *ga = 0;
2921 for (i = 0; i < vec_len (addresses); i++)
2924 switch (k->protocol)
2926 #define _(N, j, n, s) \
2927 case NAT_PROTOCOL_##N: \
2928 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
2930 if (a->fib_index == fib_index) \
2934 portnum = (port_per_thread * \
2935 snat_thread_index) + \
2936 snat_random_port(1, port_per_thread) + 1024; \
2937 if (a->busy_##n##_port_refcounts[portnum]) \
2939 --a->busy_##n##_port_refcounts[portnum]; \
2940 a->busy_##n##_ports_per_thread[thread_index]++; \
2941 a->busy_##n##_ports++; \
2942 k->addr = a->addr; \
2943 k->port = clib_host_to_net_u16(portnum); \
2947 else if (a->fib_index == ~0) \
2953 foreach_nat_protocol
2956 nat_elog_info ("unknown protocol");
2965 switch (k->protocol)
2967 #define _(N, j, n, s) \
2968 case NAT_PROTOCOL_##N: \
2971 portnum = (port_per_thread * \
2972 snat_thread_index) + \
2973 snat_random_port(1, port_per_thread) + 1024; \
2974 if (a->busy_##n##_port_refcounts[portnum]) \
2976 ++a->busy_##n##_port_refcounts[portnum]; \
2977 a->busy_##n##_ports_per_thread[thread_index]++; \
2978 a->busy_##n##_ports++; \
2979 k->addr = a->addr; \
2980 k->port = clib_host_to_net_u16(portnum); \
2984 foreach_nat_protocol
2987 nat_elog_info ("unknown protocol");
2992 /* Totally out of translations to use... */
2993 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
2998 nat_alloc_addr_and_port_mape (snat_address_t * addresses,
3001 snat_session_key_t * k,
3002 u16 port_per_thread, u32 snat_thread_index)
3004 snat_main_t *sm = &snat_main;
3005 snat_address_t *a = addresses;
3006 u16 m, ports, portnum, A, j;
3007 m = 16 - (sm->psid_offset + sm->psid_length);
3008 ports = (1 << (16 - sm->psid_length)) - (1 << m);
3010 if (!vec_len (addresses))
3013 switch (k->protocol)
3015 #define _(N, i, n, s) \
3016 case NAT_PROTOCOL_##N: \
3017 if (a->busy_##n##_ports < ports) \
3021 A = snat_random_port(1, pow2_mask(sm->psid_offset)); \
3022 j = snat_random_port(0, pow2_mask(m)); \
3023 portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \
3024 if (a->busy_##n##_port_refcounts[portnum]) \
3026 ++a->busy_##n##_port_refcounts[portnum]; \
3027 a->busy_##n##_ports++; \
3028 k->addr = a->addr; \
3029 k->port = clib_host_to_net_u16 (portnum); \
3034 foreach_nat_protocol
3037 nat_elog_info ("unknown protocol");
3042 /* Totally out of translations to use... */
3043 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
3048 nat_alloc_addr_and_port_range (snat_address_t * addresses,
3051 snat_session_key_t * k,
3052 u16 port_per_thread, u32 snat_thread_index)
3054 snat_main_t *sm = &snat_main;
3055 snat_address_t *a = addresses;
3058 ports = sm->end_port - sm->start_port + 1;
3060 if (!vec_len (addresses))
3063 switch (k->protocol)
3065 #define _(N, i, n, s) \
3066 case NAT_PROTOCOL_##N: \
3067 if (a->busy_##n##_ports < ports) \
3071 portnum = snat_random_port(sm->start_port, sm->end_port); \
3072 if (a->busy_##n##_port_refcounts[portnum]) \
3074 ++a->busy_##n##_port_refcounts[portnum]; \
3075 a->busy_##n##_ports++; \
3076 k->addr = a->addr; \
3077 k->port = clib_host_to_net_u16 (portnum); \
3082 foreach_nat_protocol
3085 nat_elog_info ("unknown protocol");
3090 /* Totally out of translations to use... */
3091 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
3096 nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add)
3098 dpo_id_t dpo_v4 = DPO_INVALID;
3099 fib_prefix_t pfx = {
3100 .fp_proto = FIB_PROTOCOL_IP4,
3102 .fp_addr.ip4.as_u32 = addr.as_u32,
3107 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
3108 fib_table_entry_special_dpo_add (0, &pfx, nat_fib_src_hi,
3109 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
3110 dpo_reset (&dpo_v4);
3114 fib_table_entry_special_remove (0, &pfx, nat_fib_src_hi);
3119 format_session_kvp (u8 * s, va_list * args)
3121 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3122 snat_session_key_t k;
3126 s = format (s, "%U session-index %llu", format_snat_key, &k, v->value);
3132 format_static_mapping_kvp (u8 * s, va_list * args)
3134 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3135 snat_session_key_t k;
3139 s = format (s, "%U static-mapping-index %llu",
3140 format_static_mapping_key, &k, v->value);
3146 format_user_kvp (u8 * s, va_list * args)
3148 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3153 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
3154 k.fib_index, v->value);
3160 format_ed_session_kvp (u8 * s, va_list * args)
3162 clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *);
3166 ip4_address_t l_addr, r_addr;
3169 split_ed_kv (v, &l_addr, &r_addr, &proto, &fib_index, &l_port, &r_port);
3172 "local %U:%d remote %U:%d proto %U fib %d thread-index %u session-index %u",
3173 format_ip4_address, &l_addr, clib_net_to_host_u16 (l_port),
3174 format_ip4_address, &r_addr, clib_net_to_host_u16 (r_port),
3175 format_ip_protocol, proto, fib_index,
3176 ed_value_get_session_index (v), ed_value_get_thread_index (v));
3182 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0,
3185 snat_main_t *sm = &snat_main;
3186 u32 next_worker_index = 0;
3189 next_worker_index = sm->first_worker_index;
3190 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
3191 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
3193 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
3194 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
3196 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
3198 return next_worker_index;
3202 snat_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip0,
3203 u32 rx_fib_index0, u8 is_output)
3205 snat_main_t *sm = &snat_main;
3208 snat_session_key_t m_key;
3209 clib_bihash_kv_8_8_t kv, value;
3210 snat_static_mapping_t *m;
3212 u32 next_worker_index = 0;
3214 /* first try static mappings without port */
3215 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3217 m_key.addr = ip0->dst_address;
3220 m_key.fib_index = rx_fib_index0;
3221 kv.key = m_key.as_u64;
3222 if (!clib_bihash_search_8_8
3223 (&sm->static_mapping_by_external, &kv, &value))
3225 m = pool_elt_at_index (sm->static_mappings, value.value);
3226 return m->workers[0];
3230 proto = ip_proto_to_nat_proto (ip0->protocol);
3231 udp = ip4_next_header (ip0);
3232 port = udp->dst_port;
3234 /* unknown protocol */
3235 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
3237 /* use current thread */
3238 return vlib_get_thread_index ();
3241 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
3243 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3244 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3245 if (!icmp_type_is_error_message
3246 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
3247 port = vnet_buffer (b)->ip.reass.l4_src_port;
3250 /* if error message, then it's not fragmented and we can access it */
3251 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3252 proto = ip_proto_to_nat_proto (inner_ip->protocol);
3253 void *l4_header = ip4_next_header (inner_ip);
3256 case NAT_PROTOCOL_ICMP:
3257 icmp = (icmp46_header_t *) l4_header;
3258 echo = (icmp_echo_header_t *) (icmp + 1);
3259 port = echo->identifier;
3261 case NAT_PROTOCOL_UDP:
3262 case NAT_PROTOCOL_TCP:
3263 port = ((tcp_udp_header_t *) l4_header)->src_port;
3266 return vlib_get_thread_index ();
3271 /* try static mappings with port */
3272 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3274 m_key.addr = ip0->dst_address;
3275 m_key.port = clib_net_to_host_u16 (port);
3276 m_key.protocol = proto;
3277 m_key.fib_index = rx_fib_index0;
3278 kv.key = m_key.as_u64;
3279 if (!clib_bihash_search_8_8
3280 (&sm->static_mapping_by_external, &kv, &value))
3282 m = pool_elt_at_index (sm->static_mappings, value.value);
3283 return m->workers[0];
3287 /* worker by outside port */
3288 next_worker_index = sm->first_worker_index;
3289 next_worker_index +=
3290 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3291 return next_worker_index;
3295 nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 rx_fib_index,
3298 snat_main_t *sm = &snat_main;
3299 u32 next_worker_index = sm->first_worker_index;
3302 clib_bihash_kv_16_8_t kv16, value16;
3303 snat_main_per_thread_data_t *tsm;
3306 if (PREDICT_FALSE (is_output))
3308 u32 fib_index = sm->outside_fib_index;
3309 nat_outside_fib_t *outside_fib;
3310 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3311 fib_prefix_t pfx = {
3312 .fp_proto = FIB_PROTOCOL_IP4,
3315 .ip4.as_u32 = ip->dst_address.as_u32,
3320 udp = ip4_next_header (ip);
3322 switch (vec_len (sm->outside_fibs))
3325 fib_index = sm->outside_fib_index;
3328 fib_index = sm->outside_fibs[0].fib_index;
3332 vec_foreach (outside_fib, sm->outside_fibs)
3334 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
3335 if (FIB_NODE_INDEX_INVALID != fei)
3337 if (fib_entry_get_resolving_interface (fei) != ~0)
3339 fib_index = outside_fib->fib_index;
3348 make_ed_kv (&ip->src_address, &ip->dst_address,
3349 ip->protocol, fib_index, udp->src_port, udp->dst_port,
3352 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&sm->out2in_ed,
3356 vec_elt_at_index (sm->per_thread_data,
3357 ed_value_get_thread_index (&value16));
3358 next_worker_index += tsm->thread_index;
3360 nat_elog_debug_handoff ("HANDOFF IN2OUT-OUTPUT-FEATURE (session)",
3361 next_worker_index, fib_index,
3362 clib_net_to_host_u32 (ip->
3363 src_address.as_u32),
3364 clib_net_to_host_u32 (ip->
3365 dst_address.as_u32));
3367 return next_worker_index;
3371 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3372 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3374 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
3375 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
3377 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
3379 if (PREDICT_TRUE (!is_output))
3381 nat_elog_debug_handoff ("HANDOFF IN2OUT",
3382 next_worker_index, rx_fib_index,
3383 clib_net_to_host_u32 (ip->src_address.as_u32),
3384 clib_net_to_host_u32 (ip->dst_address.as_u32));
3388 nat_elog_debug_handoff ("HANDOFF IN2OUT-OUTPUT-FEATURE",
3389 next_worker_index, rx_fib_index,
3390 clib_net_to_host_u32 (ip->src_address.as_u32),
3391 clib_net_to_host_u32 (ip->dst_address.as_u32));
3394 return next_worker_index;
3398 nat44_ed_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip,
3399 u32 rx_fib_index, u8 is_output)
3401 snat_main_t *sm = &snat_main;
3402 clib_bihash_kv_8_8_t kv, value;
3403 clib_bihash_kv_16_8_t kv16, value16;
3404 snat_main_per_thread_data_t *tsm;
3406 u32 proto, next_worker_index = 0;
3409 snat_static_mapping_t *m;
3412 proto = ip_proto_to_nat_proto (ip->protocol);
3414 if (PREDICT_TRUE (proto == NAT_PROTOCOL_UDP || proto == NAT_PROTOCOL_TCP))
3416 udp = ip4_next_header (ip);
3418 make_ed_kv (&ip->dst_address, &ip->src_address,
3419 ip->protocol, rx_fib_index, udp->dst_port, udp->src_port,
3422 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&sm->out2in_ed,
3426 vec_elt_at_index (sm->per_thread_data,
3427 ed_value_get_thread_index (&value16));
3428 vnet_buffer2 (b)->nat.ed_out2in_nat_session_index =
3429 ed_value_get_session_index (&value16);
3430 next_worker_index = sm->first_worker_index + tsm->thread_index;
3431 nat_elog_debug_handoff ("HANDOFF OUT2IN (session)",
3432 next_worker_index, rx_fib_index,
3433 clib_net_to_host_u32 (ip->
3434 src_address.as_u32),
3435 clib_net_to_host_u32 (ip->
3436 dst_address.as_u32));
3437 return next_worker_index;
3440 else if (proto == NAT_PROTOCOL_ICMP)
3442 if (!get_icmp_o2i_ed_key (b, ip, rx_fib_index, ~0, ~0, 0, 0, 0, &kv16))
3444 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&sm->out2in_ed,
3448 vec_elt_at_index (sm->per_thread_data,
3449 ed_value_get_thread_index (&value16));
3450 next_worker_index = sm->first_worker_index + tsm->thread_index;
3451 nat_elog_debug_handoff ("HANDOFF OUT2IN (session)",
3452 next_worker_index, rx_fib_index,
3453 clib_net_to_host_u32 (ip->
3454 src_address.as_u32),
3455 clib_net_to_host_u32 (ip->
3456 dst_address.as_u32));
3457 return next_worker_index;
3462 /* first try static mappings without port */
3463 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3465 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
3466 if (!clib_bihash_search_8_8
3467 (&sm->static_mapping_by_external, &kv, &value))
3469 m = pool_elt_at_index (sm->static_mappings, value.value);
3470 next_worker_index = m->workers[0];
3475 /* unknown protocol */
3476 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
3478 /* use current thread */
3479 next_worker_index = vlib_get_thread_index ();
3483 udp = ip4_next_header (ip);
3484 port = udp->dst_port;
3486 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
3488 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3489 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3490 if (!icmp_type_is_error_message
3491 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
3492 port = vnet_buffer (b)->ip.reass.l4_src_port;
3495 /* if error message, then it's not fragmented and we can access it */
3496 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3497 proto = ip_proto_to_nat_proto (inner_ip->protocol);
3498 void *l4_header = ip4_next_header (inner_ip);
3501 case NAT_PROTOCOL_ICMP:
3502 icmp = (icmp46_header_t *) l4_header;
3503 echo = (icmp_echo_header_t *) (icmp + 1);
3504 port = echo->identifier;
3506 case NAT_PROTOCOL_UDP:
3507 case NAT_PROTOCOL_TCP:
3508 port = ((tcp_udp_header_t *) l4_header)->src_port;
3511 next_worker_index = vlib_get_thread_index ();
3517 /* try static mappings with port */
3518 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3520 make_sm_kv (&kv, &ip->dst_address, proto, 0,
3521 clib_net_to_host_u16 (port));
3522 if (!clib_bihash_search_8_8
3523 (&sm->static_mapping_by_external, &kv, &value))
3525 m = pool_elt_at_index (sm->static_mappings, value.value);
3526 if (!is_lb_static_mapping (m))
3528 next_worker_index = m->workers[0];
3532 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3533 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3535 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
3537 m->workers[hash & (_vec_len (m->workers) - 1)];
3539 next_worker_index = m->workers[hash % _vec_len (m->workers)];
3544 /* worker by outside port */
3545 next_worker_index = sm->first_worker_index;
3546 next_worker_index +=
3547 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3550 nat_elog_debug_handoff ("HANDOFF OUT2IN", next_worker_index, rx_fib_index,
3551 clib_net_to_host_u32 (ip->src_address.as_u32),
3552 clib_net_to_host_u32 (ip->dst_address.as_u32));
3553 return next_worker_index;
3557 nat_ha_sadd_cb (ip4_address_t * in_addr, u16 in_port,
3558 ip4_address_t * out_addr, u16 out_port,
3559 ip4_address_t * eh_addr, u16 eh_port,
3560 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
3561 u32 fib_index, u16 flags, u32 thread_index)
3563 snat_main_t *sm = &snat_main;
3564 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
3565 snat_session_key_t key;
3568 clib_bihash_kv_8_8_t kv;
3569 vlib_main_t *vm = vlib_get_main ();
3570 f64 now = vlib_time_now (vm);
3571 nat_outside_fib_t *outside_fib;
3572 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3573 fib_prefix_t pfx = {
3574 .fp_proto = FIB_PROTOCOL_IP4,
3577 .ip4.as_u32 = eh_addr->as_u32,
3581 key.addr.as_u32 = out_addr->as_u32;
3582 key.port = out_port;
3583 key.protocol = proto;
3585 if (!(flags & SNAT_SESSION_FLAG_STATIC_MAPPING))
3587 if (nat_set_outside_address_and_port
3588 (sm->addresses, thread_index, &key))
3592 u = nat_user_get_or_create (sm, in_addr, fib_index, thread_index);
3596 s = nat_session_alloc_or_recycle (sm, u, thread_index, now);
3600 if (sm->endpoint_dependent)
3602 nat_ed_lru_insert (tsm, s, now, proto);
3605 s->last_heard = now;
3607 s->ext_host_addr.as_u32 = eh_addr->as_u32;
3608 s->ext_host_port = eh_port;
3609 user_session_increment (sm, u, snat_is_session_static (s));
3610 switch (vec_len (sm->outside_fibs))
3613 key.fib_index = sm->outside_fib_index;
3616 key.fib_index = sm->outside_fibs[0].fib_index;
3620 vec_foreach (outside_fib, sm->outside_fibs)
3622 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
3623 if (FIB_NODE_INDEX_INVALID != fei)
3625 if (fib_entry_get_resolving_interface (fei) != ~0)
3627 key.fib_index = outside_fib->fib_index;
3636 kv.key = key.as_u64;
3637 kv.value = s - tsm->sessions;
3638 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 1))
3639 nat_elog_warn ("out2in key add failed");
3641 key.addr.as_u32 = in_addr->as_u32;
3643 key.fib_index = fib_index;
3645 kv.key = key.as_u64;
3646 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 1))
3647 nat_elog_warn ("in2out key add failed");
3651 nat_ha_sdel_cb (ip4_address_t * out_addr, u16 out_port,
3652 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
3655 snat_main_t *sm = &snat_main;
3656 snat_session_key_t key;
3657 clib_bihash_kv_8_8_t kv, value;
3660 snat_main_per_thread_data_t *tsm;
3662 if (sm->num_workers > 1)
3664 sm->first_worker_index +
3665 (sm->workers[(clib_net_to_host_u16 (out_port) -
3666 1024) / sm->port_per_thread]);
3668 thread_index = sm->num_workers;
3669 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3671 key.addr.as_u32 = out_addr->as_u32;
3672 key.port = out_port;
3673 key.protocol = proto;
3674 key.fib_index = fib_index;
3675 kv.key = key.as_u64;
3676 if (clib_bihash_search_8_8 (&tsm->out2in, &kv, &value))
3679 s = pool_elt_at_index (tsm->sessions, value.value);
3680 nat_free_session_data (sm, s, thread_index, 1);
3681 nat44_delete_session (sm, s, thread_index);
3685 nat_ha_sref_cb (ip4_address_t * out_addr, u16 out_port,
3686 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
3687 u32 total_pkts, u64 total_bytes, u32 thread_index)
3689 snat_main_t *sm = &snat_main;
3690 snat_session_key_t key;
3691 clib_bihash_kv_8_8_t kv, value;
3693 snat_main_per_thread_data_t *tsm;
3695 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3697 key.addr.as_u32 = out_addr->as_u32;
3698 key.port = out_port;
3699 key.protocol = proto;
3700 key.fib_index = fib_index;
3701 kv.key = key.as_u64;
3702 if (clib_bihash_search_8_8 (&tsm->out2in, &kv, &value))
3705 s = pool_elt_at_index (tsm->sessions, value.value);
3706 s->total_pkts = total_pkts;
3707 s->total_bytes = total_bytes;
3711 nat_ha_sadd_ed_cb (ip4_address_t * in_addr, u16 in_port,
3712 ip4_address_t * out_addr, u16 out_port,
3713 ip4_address_t * eh_addr, u16 eh_port,
3714 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
3715 u32 fib_index, u16 flags, u32 thread_index)
3717 snat_main_t *sm = &snat_main;
3718 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
3719 snat_session_key_t key;
3721 clib_bihash_kv_16_8_t kv;
3722 vlib_main_t *vm = vlib_get_main ();
3723 f64 now = vlib_time_now (vm);
3724 nat_outside_fib_t *outside_fib;
3725 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3726 fib_prefix_t pfx = {
3727 .fp_proto = FIB_PROTOCOL_IP4,
3730 .ip4.as_u32 = eh_addr->as_u32,
3734 key.addr.as_u32 = out_addr->as_u32;
3735 key.port = out_port;
3736 key.protocol = proto;
3738 if (!(flags & SNAT_SESSION_FLAG_STATIC_MAPPING))
3740 if (nat_set_outside_address_and_port
3741 (sm->addresses, thread_index, &key))
3745 key.addr.as_u32 = ehn_addr->as_u32;
3746 key.port = ehn_port;
3747 if (flags & SNAT_SESSION_FLAG_TWICE_NAT)
3749 if (nat_set_outside_address_and_port
3750 (sm->twice_nat_addresses, thread_index, &key))
3754 s = nat_ed_session_alloc (sm, thread_index, now, proto);
3758 s->last_heard = now;
3760 s->ext_host_nat_addr.as_u32 = s->ext_host_addr.as_u32 = eh_addr->as_u32;
3761 s->ext_host_nat_port = s->ext_host_port = eh_port;
3762 if (is_twice_nat_session (s))
3764 s->ext_host_nat_addr.as_u32 = ehn_addr->as_u32;
3765 s->ext_host_nat_port = ehn_port;
3767 switch (vec_len (sm->outside_fibs))
3770 key.fib_index = sm->outside_fib_index;
3773 key.fib_index = sm->outside_fibs[0].fib_index;
3777 vec_foreach (outside_fib, sm->outside_fibs)
3779 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
3780 if (FIB_NODE_INDEX_INVALID != fei)
3782 if (fib_entry_get_resolving_interface (fei) != ~0)
3784 key.fib_index = outside_fib->fib_index;
3792 key.addr.as_u32 = out_addr->as_u32;
3793 key.port = out_port;
3795 kv.value = s - tsm->sessions;
3797 key.addr.as_u32 = in_addr->as_u32;
3799 key.fib_index = fib_index;
3802 make_ed_kv (in_addr, &s->ext_host_nat_addr,
3803 nat_proto_to_ip_proto (proto), fib_index, in_port,
3804 s->ext_host_nat_port, thread_index, s - tsm->sessions, &kv);
3805 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
3806 nat_elog_warn ("in2out key add failed");
3808 make_ed_kv (out_addr, eh_addr, nat_proto_to_ip_proto (proto),
3809 s->out2in.fib_index, out_port, eh_port, thread_index,
3810 s - tsm->sessions, &kv);
3811 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &kv, 1))
3812 nat_elog_warn ("out2in key add failed");
3816 nat_ha_sdel_ed_cb (ip4_address_t * out_addr, u16 out_port,
3817 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
3818 u32 fib_index, u32 ti)
3820 snat_main_t *sm = &snat_main;
3821 clib_bihash_kv_16_8_t kv, value;
3824 snat_main_per_thread_data_t *tsm;
3826 if (sm->num_workers > 1)
3828 sm->first_worker_index +
3829 (sm->workers[(clib_net_to_host_u16 (out_port) -
3830 1024) / sm->port_per_thread]);
3832 thread_index = sm->num_workers;
3833 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3835 make_ed_kv (out_addr, eh_addr, proto, fib_index, out_port, eh_port, ~0, ~0,
3837 if (clib_bihash_search_16_8 (&sm->out2in_ed, &kv, &value))
3840 s = pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value));
3841 nat_free_session_data (sm, s, thread_index, 1);
3842 nat44_delete_session (sm, s, thread_index);
3846 nat_ha_sref_ed_cb (ip4_address_t * out_addr, u16 out_port,
3847 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
3848 u32 fib_index, u32 total_pkts, u64 total_bytes,
3851 snat_main_t *sm = &snat_main;
3852 clib_bihash_kv_16_8_t kv, value;
3854 snat_main_per_thread_data_t *tsm;
3856 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3858 make_ed_kv (out_addr, eh_addr, proto, fib_index, out_port, eh_port, ~0, ~0,
3860 if (clib_bihash_search_16_8 (&sm->out2in_ed, &kv, &value))
3863 s = pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value));
3864 s->total_pkts = total_pkts;
3865 s->total_bytes = total_bytes;
3869 nat44_db_init (snat_main_per_thread_data_t * tsm)
3871 snat_main_t *sm = &snat_main;
3873 pool_alloc (tsm->sessions, sm->max_translations);
3874 pool_alloc (tsm->lru_pool, sm->max_translations);
3878 pool_get (tsm->lru_pool, head);
3879 tsm->tcp_trans_lru_head_index = head - tsm->lru_pool;
3880 clib_dlist_init (tsm->lru_pool, tsm->tcp_trans_lru_head_index);
3882 pool_get (tsm->lru_pool, head);
3883 tsm->tcp_estab_lru_head_index = head - tsm->lru_pool;
3884 clib_dlist_init (tsm->lru_pool, tsm->tcp_estab_lru_head_index);
3886 pool_get (tsm->lru_pool, head);
3887 tsm->udp_lru_head_index = head - tsm->lru_pool;
3888 clib_dlist_init (tsm->lru_pool, tsm->udp_lru_head_index);
3890 pool_get (tsm->lru_pool, head);
3891 tsm->icmp_lru_head_index = head - tsm->lru_pool;
3892 clib_dlist_init (tsm->lru_pool, tsm->icmp_lru_head_index);
3894 pool_get (tsm->lru_pool, head);
3895 tsm->unk_proto_lru_head_index = head - tsm->lru_pool;
3896 clib_dlist_init (tsm->lru_pool, tsm->unk_proto_lru_head_index);
3898 if (sm->endpoint_dependent)
3900 clib_bihash_init_16_8 (&tsm->in2out_ed, "in2out-ed",
3901 sm->translation_buckets,
3902 sm->translation_memory_size);
3903 clib_bihash_set_kvp_format_fn_16_8 (&tsm->in2out_ed,
3904 format_ed_session_kvp);
3908 clib_bihash_init_8_8 (&tsm->in2out, "in2out",
3909 sm->translation_buckets,
3910 sm->translation_memory_size);
3911 clib_bihash_set_kvp_format_fn_8_8 (&tsm->in2out, format_session_kvp);
3912 clib_bihash_init_8_8 (&tsm->out2in, "out2in",
3913 sm->translation_buckets,
3914 sm->translation_memory_size);
3915 clib_bihash_set_kvp_format_fn_8_8 (&tsm->out2in, format_session_kvp);
3918 // TODO: resolve static mappings (put only to !ED)
3919 pool_alloc (tsm->list_pool, sm->max_translations);
3920 clib_bihash_init_8_8 (&tsm->user_hash, "users", sm->user_buckets,
3921 sm->user_memory_size);
3922 clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash, format_user_kvp);
3926 nat44_db_free (snat_main_per_thread_data_t * tsm)
3928 snat_main_t *sm = &snat_main;
3930 pool_free (tsm->sessions);
3931 pool_free (tsm->lru_pool);
3933 if (sm->endpoint_dependent)
3935 clib_bihash_free_16_8 (&tsm->in2out_ed);
3939 clib_bihash_free_8_8 (&tsm->in2out);
3940 clib_bihash_free_8_8 (&tsm->out2in);
3943 // TODO: resolve static mappings (put only to !ED)
3944 pool_free (tsm->users);
3945 pool_free (tsm->list_pool);
3946 clib_bihash_free_8_8 (&tsm->user_hash);
3950 nat44_sessions_clear ()
3952 snat_main_t *sm = &snat_main;
3953 snat_main_per_thread_data_t *tsm;
3955 if (sm->endpoint_dependent)
3957 clib_bihash_free_16_8 (&sm->out2in_ed);
3958 clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed",
3959 clib_max (1, sm->num_workers) *
3960 sm->translation_buckets,
3961 clib_max (1, sm->num_workers) *
3962 sm->translation_memory_size);
3963 clib_bihash_set_kvp_format_fn_16_8 (&sm->out2in_ed,
3964 format_ed_session_kvp);
3968 vec_foreach (tsm, sm->per_thread_data)
3972 nat44_db_free (tsm);
3973 nat44_db_init (tsm);
3975 ti = tsm->snat_thread_index;
3976 vlib_set_simple_counter (&sm->total_users, ti, 0, 0);
3977 vlib_set_simple_counter (&sm->total_sessions, ti, 0, 0);
3982 static clib_error_t *
3983 snat_config (vlib_main_t * vm, unformat_input_t * input)
3985 snat_main_t *sm = &snat_main;
3986 nat66_main_t *nm = &nat66_main;
3987 snat_main_per_thread_data_t *tsm;
3989 u32 static_mapping_buckets = 1024;
3990 uword static_mapping_memory_size = 64 << 20;
3992 u32 nat64_bib_buckets = 1024;
3993 u32 nat64_bib_memory_size = 128 << 20;
3995 u32 nat64_st_buckets = 2048;
3996 uword nat64_st_memory_size = 256 << 20;
3998 u32 user_buckets = 128;
3999 uword user_memory_size = 64 << 20;
4000 u32 translation_buckets = 1024;
4001 uword translation_memory_size = 128 << 20;
4003 u32 max_translations_per_user = ~0;
4005 u32 outside_vrf_id = 0;
4006 u32 outside_ip6_vrf_id = 0;
4007 u32 inside_vrf_id = 0;
4008 u8 static_mapping_only = 0;
4009 u8 static_mapping_connection_tracking = 0;
4011 u32 udp_timeout = SNAT_UDP_TIMEOUT;
4012 u32 icmp_timeout = SNAT_ICMP_TIMEOUT;
4013 u32 tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
4014 u32 tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
4016 sm->deterministic = 0;
4018 sm->endpoint_dependent = 0;
4020 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
4023 (input, "translation hash buckets %d", &translation_buckets))
4025 else if (unformat (input, "udp timeout %d", &udp_timeout))
4027 else if (unformat (input, "icmp timeout %d", &icmp_timeout))
4029 else if (unformat (input, "tcp transitory timeout %d",
4030 &tcp_transitory_timeout));
4031 else if (unformat (input, "tcp established timeout %d",
4032 &tcp_established_timeout));
4033 else if (unformat (input, "translation hash memory %d",
4034 &translation_memory_size));
4035 else if (unformat (input, "user hash buckets %d", &user_buckets))
4037 else if (unformat (input, "user hash memory %d", &user_memory_size))
4039 else if (unformat (input, "max translations per user %d",
4040 &max_translations_per_user))
4042 else if (unformat (input, "outside VRF id %d", &outside_vrf_id))
4044 else if (unformat (input, "outside ip6 VRF id %d", &outside_ip6_vrf_id))
4046 else if (unformat (input, "inside VRF id %d", &inside_vrf_id))
4048 else if (unformat (input, "static mapping only"))
4050 static_mapping_only = 1;
4051 if (unformat (input, "connection tracking"))
4052 static_mapping_connection_tracking = 1;
4054 else if (unformat (input, "deterministic"))
4055 sm->deterministic = 1;
4056 else if (unformat (input, "nat64 bib hash buckets %d",
4057 &nat64_bib_buckets))
4059 else if (unformat (input, "nat64 bib hash memory %d",
4060 &nat64_bib_memory_size))
4063 if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets))
4065 else if (unformat (input, "nat64 st hash memory %d",
4066 &nat64_st_memory_size))
4068 else if (unformat (input, "out2in dpo"))
4070 else if (unformat (input, "endpoint-dependent"))
4071 sm->endpoint_dependent = 1;
4073 return clib_error_return (0, "unknown input '%U'",
4074 format_unformat_error, input);
4077 if (sm->deterministic && sm->endpoint_dependent)
4078 return clib_error_return (0,
4079 "deterministic and endpoint-dependent modes are mutually exclusive");
4081 if (static_mapping_only && (sm->deterministic || sm->endpoint_dependent))
4082 return clib_error_return (0,
4083 "static mapping only mode available only for simple nat");
4085 if (sm->out2in_dpo && (sm->deterministic || sm->endpoint_dependent))
4086 return clib_error_return (0,
4087 "out2in dpo mode available only for simple nat");
4089 /* optionally configurable timeouts for testing purposes */
4090 sm->udp_timeout = udp_timeout;
4091 sm->tcp_transitory_timeout = tcp_transitory_timeout;
4092 sm->tcp_established_timeout = tcp_established_timeout;
4093 sm->icmp_timeout = icmp_timeout;
4095 sm->user_buckets = user_buckets;
4096 sm->user_memory_size = user_memory_size;
4098 sm->translation_buckets = translation_buckets;
4099 sm->translation_memory_size = translation_memory_size;
4100 /* do not exceed load factor 10 */
4101 sm->max_translations = 10 * translation_buckets;
4102 vec_add1 (sm->max_translations_per_fib, sm->max_translations);
4104 sm->max_translations_per_user = max_translations_per_user == ~0 ?
4105 sm->max_translations : max_translations_per_user;
4107 sm->outside_vrf_id = outside_vrf_id;
4108 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
4111 nm->outside_vrf_id = outside_ip6_vrf_id;
4112 nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6,
4115 sm->inside_vrf_id = inside_vrf_id;
4116 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
4119 sm->static_mapping_only = static_mapping_only;
4120 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
4122 nat64_set_hash (nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets,
4123 nat64_st_memory_size);
4125 if (sm->deterministic)
4127 sm->in2out_node_index = snat_det_in2out_node.index;
4128 sm->in2out_output_node_index = ~0;
4129 sm->out2in_node_index = snat_det_out2in_node.index;
4130 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
4131 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
4135 if (sm->endpoint_dependent)
4137 sm->worker_in2out_cb = nat44_ed_get_worker_in2out_cb;
4138 sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb;
4140 sm->in2out_node_index = nat44_ed_in2out_node.index;
4141 sm->in2out_output_node_index = nat44_ed_in2out_output_node.index;
4142 sm->out2in_node_index = nat44_ed_out2in_node.index;
4144 sm->icmp_match_in2out_cb = icmp_match_in2out_ed;
4145 sm->icmp_match_out2in_cb = icmp_match_out2in_ed;
4146 nat_affinity_init (vm);
4147 nat_ha_init (vm, nat_ha_sadd_ed_cb, nat_ha_sdel_ed_cb,
4149 clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed",
4150 translation_buckets,
4151 translation_memory_size);
4152 clib_bihash_set_kvp_format_fn_16_8 (&sm->out2in_ed,
4153 format_ed_session_kvp);
4157 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
4158 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
4160 sm->in2out_node_index = snat_in2out_node.index;
4161 sm->in2out_output_node_index = snat_in2out_output_node.index;
4162 sm->out2in_node_index = snat_out2in_node.index;
4164 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
4165 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
4166 nat_ha_init (vm, nat_ha_sadd_cb, nat_ha_sdel_cb, nat_ha_sref_cb);
4168 if (!static_mapping_only ||
4169 (static_mapping_only && static_mapping_connection_tracking))
4172 vec_foreach (tsm, sm->per_thread_data)
4174 nat44_db_init (tsm);
4180 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
4181 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
4183 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
4184 "static_mapping_by_local", static_mapping_buckets,
4185 static_mapping_memory_size);
4186 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local,
4187 format_static_mapping_kvp);
4189 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
4190 "static_mapping_by_external",
4191 static_mapping_buckets,
4192 static_mapping_memory_size);
4193 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external,
4194 format_static_mapping_kvp);
4200 VLIB_CONFIG_FUNCTION (snat_config, "nat");
4203 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
4206 ip4_address_t * address,
4208 u32 if_address_index, u32 is_delete)
4210 snat_main_t *sm = &snat_main;
4211 snat_static_map_resolve_t *rp;
4212 snat_static_mapping_t *m;
4213 snat_session_key_t m_key;
4214 clib_bihash_kv_8_8_t kv, value;
4216 ip4_address_t l_addr;
4218 for (i = 0; i < vec_len (sm->to_resolve); i++)
4220 rp = sm->to_resolve + i;
4221 if (rp->addr_only == 0)
4223 if (rp->sw_if_index == sw_if_index)
4230 m_key.addr.as_u32 = address->as_u32;
4231 m_key.port = rp->addr_only ? 0 : rp->e_port;
4232 m_key.protocol = rp->addr_only ? 0 : rp->proto;
4233 m_key.fib_index = sm->outside_fib_index;
4234 kv.key = m_key.as_u64;
4235 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
4238 m = pool_elt_at_index (sm->static_mappings, value.value);
4242 /* Don't trip over lease renewal, static config */
4252 /* Indetity mapping? */
4253 if (rp->l_addr.as_u32 == 0)
4254 l_addr.as_u32 = address[0].as_u32;
4256 l_addr.as_u32 = rp->l_addr.as_u32;
4257 /* Add the static mapping */
4258 rv = snat_add_static_mapping (l_addr,
4263 rp->addr_only, ~0 /* sw_if_index */ ,
4264 rp->proto, !is_delete, rp->twice_nat,
4265 rp->out2in_only, rp->tag, rp->identity_nat);
4267 nat_elog_notice_X1 ("snat_add_static_mapping returned %d", "i4", rv);
4271 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
4274 ip4_address_t * address,
4276 u32 if_address_index, u32 is_delete)
4278 snat_main_t *sm = &snat_main;
4279 snat_static_map_resolve_t *rp;
4280 ip4_address_t l_addr;
4284 snat_address_t *addresses = sm->addresses;
4286 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices); i++)
4288 if (sw_if_index == sm->auto_add_sw_if_indices[i])
4292 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices_twice_nat); i++)
4295 addresses = sm->twice_nat_addresses;
4296 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
4305 /* Don't trip over lease renewal, static config */
4306 for (j = 0; j < vec_len (addresses); j++)
4307 if (addresses[j].addr.as_u32 == address->as_u32)
4310 (void) snat_add_address (sm, address, ~0, twice_nat);
4311 /* Scan static map resolution vector */
4312 for (j = 0; j < vec_len (sm->to_resolve); j++)
4314 rp = sm->to_resolve + j;
4317 /* On this interface? */
4318 if (rp->sw_if_index == sw_if_index)
4320 /* Indetity mapping? */
4321 if (rp->l_addr.as_u32 == 0)
4322 l_addr.as_u32 = address[0].as_u32;
4324 l_addr.as_u32 = rp->l_addr.as_u32;
4325 /* Add the static mapping */
4326 rv = snat_add_static_mapping (l_addr,
4332 ~0 /* sw_if_index */ ,
4334 rp->is_add, rp->twice_nat,
4335 rp->out2in_only, rp->tag,
4338 nat_elog_notice_X1 ("snat_add_static_mapping returned %d",
4346 (void) snat_del_address (sm, address[0], 1, twice_nat);
4353 snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del,
4356 ip4_main_t *ip4_main = sm->ip4_main;
4357 ip4_address_t *first_int_addr;
4358 snat_static_map_resolve_t *rp;
4359 u32 *indices_to_delete = 0;
4361 u32 *auto_add_sw_if_indices =
4363 auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
4365 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0 /* just want the address */
4368 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
4370 if (auto_add_sw_if_indices[i] == sw_if_index)
4374 /* if have address remove it */
4376 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
4379 for (j = 0; j < vec_len (sm->to_resolve); j++)
4381 rp = sm->to_resolve + j;
4382 if (rp->sw_if_index == sw_if_index)
4383 vec_add1 (indices_to_delete, j);
4385 if (vec_len (indices_to_delete))
4387 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
4388 vec_del1 (sm->to_resolve, j);
4389 vec_free (indices_to_delete);
4393 vec_del1 (sm->auto_add_sw_if_indices_twice_nat, i);
4395 vec_del1 (sm->auto_add_sw_if_indices, i);
4398 return VNET_API_ERROR_VALUE_EXIST;
4405 return VNET_API_ERROR_NO_SUCH_ENTRY;
4407 /* add to the auto-address list */
4409 vec_add1 (sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
4411 vec_add1 (sm->auto_add_sw_if_indices, sw_if_index);
4413 /* If the address is already bound - or static - add it now */
4415 (void) snat_add_address (sm, first_int_addr, ~0, twice_nat);
4421 nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
4422 nat_protocol_t proto, u32 vrf_id, int is_in)
4424 snat_main_per_thread_data_t *tsm;
4425 clib_bihash_kv_8_8_t kv, value;
4427 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
4428 snat_session_key_t key;
4430 clib_bihash_8_8_t *t;
4432 if (sm->endpoint_dependent)
4433 return VNET_API_ERROR_UNSUPPORTED;
4435 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
4436 if (sm->num_workers > 1)
4438 vec_elt_at_index (sm->per_thread_data,
4439 sm->worker_in2out_cb (&ip, fib_index, 0));
4441 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
4443 key.addr.as_u32 = addr->as_u32;
4444 key.port = clib_host_to_net_u16 (port);
4445 key.protocol = proto;
4446 key.fib_index = fib_index;
4447 kv.key = key.as_u64;
4448 t = is_in ? &tsm->in2out : &tsm->out2in;
4449 if (!clib_bihash_search_8_8 (t, &kv, &value))
4451 if (pool_is_free_index (tsm->sessions, value.value))
4452 return VNET_API_ERROR_UNSPECIFIED;
4454 s = pool_elt_at_index (tsm->sessions, value.value);
4455 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
4456 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
4460 return VNET_API_ERROR_NO_SUCH_ENTRY;
4464 nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
4465 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
4466 u32 vrf_id, int is_in)
4469 clib_bihash_16_8_t *t;
4470 clib_bihash_kv_16_8_t kv, value;
4471 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
4473 snat_main_per_thread_data_t *tsm;
4475 if (!sm->endpoint_dependent)
4476 return VNET_API_ERROR_FEATURE_DISABLED;
4478 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
4479 if (sm->num_workers > 1)
4481 vec_elt_at_index (sm->per_thread_data,
4482 sm->worker_in2out_cb (&ip, fib_index, 0));
4484 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
4486 t = is_in ? &tsm->in2out_ed : &sm->out2in_ed;
4487 make_ed_kv (addr, eh_addr, proto, fib_index, clib_host_to_net_u16 (port),
4488 clib_host_to_net_u16 (eh_port), ~0, ~0, &kv);
4489 if (clib_bihash_search_16_8 (t, &kv, &value))
4491 return VNET_API_ERROR_NO_SUCH_ENTRY;
4494 if (pool_is_free_index (tsm->sessions, value.value))
4495 return VNET_API_ERROR_UNSPECIFIED;
4496 s = pool_elt_at_index (tsm->sessions, value.value);
4497 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
4498 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
4503 nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, u16 psid_length)
4505 snat_main_t *sm = &snat_main;
4507 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE;
4508 sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
4510 sm->psid_offset = psid_offset;
4511 sm->psid_length = psid_length;
4515 nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port)
4517 snat_main_t *sm = &snat_main;
4519 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE;
4520 sm->alloc_addr_and_port = nat_alloc_addr_and_port_range;
4521 sm->start_port = start_port;
4522 sm->end_port = end_port;
4526 nat_set_alloc_addr_and_port_default (void)
4528 snat_main_t *sm = &snat_main;
4530 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
4531 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
4534 VLIB_NODE_FN (nat_default_node) (vlib_main_t * vm,
4535 vlib_node_runtime_t * node,
4536 vlib_frame_t * frame)
4542 VLIB_REGISTER_NODE (nat_default_node) = {
4543 .name = "nat-default",
4544 .vector_size = sizeof (u32),
4546 .type = VLIB_NODE_TYPE_INTERNAL,
4548 .n_next_nodes = NAT_N_NEXT,
4550 [NAT_NEXT_DROP] = "error-drop",
4551 [NAT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
4552 [NAT_NEXT_IN2OUT_ED_FAST_PATH] = "nat44-ed-in2out",
4553 [NAT_NEXT_IN2OUT_ED_SLOW_PATH] = "nat44-ed-in2out-slowpath",
4554 [NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
4555 [NAT_NEXT_OUT2IN_ED_FAST_PATH] = "nat44-ed-out2in",
4556 [NAT_NEXT_OUT2IN_ED_SLOW_PATH] = "nat44-ed-out2in-slowpath",
4557 [NAT_NEXT_IN2OUT_CLASSIFY] = "nat44-in2out-worker-handoff",
4558 [NAT_NEXT_OUT2IN_CLASSIFY] = "nat44-out2in-worker-handoff",
4564 * fd.io coding-style-patch-verification: ON
4567 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob