2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_dpo.h>
24 #include <nat/lib/ipfix_logging.h>
25 #include <nat/nat_inlines.h>
26 #include <nat/nat44/inlines.h>
27 #include <nat/nat_affinity.h>
28 #include <nat/nat_syslog.h>
29 #include <nat/nat_ha.h>
30 #include <vnet/fib/fib_table.h>
31 #include <vnet/fib/ip4_fib.h>
32 #include <vnet/ip/reass/ip4_sv_reass.h>
33 #include <vppinfra/bihash_16_8.h>
34 #include <nat/nat44/ed_inlines.h>
35 #include <vnet/ip/ip_table.h>
37 #include <vpp/app/version.h>
39 snat_main_t snat_main;
41 fib_source_t nat_fib_src_hi;
42 fib_source_t nat_fib_src_low;
45 /* Hook up input features */
46 VNET_FEATURE_INIT (nat_pre_in2out, static) = {
47 .arc_name = "ip4-unicast",
48 .node_name = "nat-pre-in2out",
49 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
50 "ip4-sv-reassembly-feature"),
52 VNET_FEATURE_INIT (nat_pre_out2in, static) = {
53 .arc_name = "ip4-unicast",
54 .node_name = "nat-pre-out2in",
55 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
56 "ip4-dhcp-client-detect",
57 "ip4-sv-reassembly-feature"),
59 VNET_FEATURE_INIT (snat_in2out_worker_handoff, static) = {
60 .arc_name = "ip4-unicast",
61 .node_name = "nat44-in2out-worker-handoff",
62 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
64 VNET_FEATURE_INIT (snat_out2in_worker_handoff, static) = {
65 .arc_name = "ip4-unicast",
66 .node_name = "nat44-out2in-worker-handoff",
67 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
68 "ip4-dhcp-client-detect"),
70 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
71 .arc_name = "ip4-unicast",
72 .node_name = "nat44-in2out",
73 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
75 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
76 .arc_name = "ip4-unicast",
77 .node_name = "nat44-out2in",
78 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
79 "ip4-dhcp-client-detect"),
81 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
82 .arc_name = "ip4-unicast",
83 .node_name = "nat44-classify",
84 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
86 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
87 .arc_name = "ip4-unicast",
88 .node_name = "nat44-ed-in2out",
89 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
91 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
92 .arc_name = "ip4-unicast",
93 .node_name = "nat44-ed-out2in",
94 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
95 "ip4-dhcp-client-detect"),
97 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
98 .arc_name = "ip4-unicast",
99 .node_name = "nat44-ed-classify",
100 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
102 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
103 .arc_name = "ip4-unicast",
104 .node_name = "nat44-handoff-classify",
105 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
107 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
108 .arc_name = "ip4-unicast",
109 .node_name = "nat44-in2out-fast",
110 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
112 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
113 .arc_name = "ip4-unicast",
114 .node_name = "nat44-out2in-fast",
115 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
116 "ip4-dhcp-client-detect"),
118 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
119 .arc_name = "ip4-unicast",
120 .node_name = "nat44-hairpin-dst",
121 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
123 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = {
124 .arc_name = "ip4-unicast",
125 .node_name = "nat44-ed-hairpin-dst",
126 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
129 /* Hook up output features */
130 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
131 .arc_name = "ip4-output",
132 .node_name = "nat44-in2out-output",
133 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
135 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
136 .arc_name = "ip4-output",
137 .node_name = "nat44-in2out-output-worker-handoff",
138 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
140 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
141 .arc_name = "ip4-output",
142 .node_name = "nat44-hairpin-src",
143 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
145 VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {
146 .arc_name = "ip4-output",
147 .node_name = "nat-pre-in2out-output",
148 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
149 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
151 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
152 .arc_name = "ip4-output",
153 .node_name = "nat44-ed-in2out-output",
154 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
155 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
157 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = {
158 .arc_name = "ip4-output",
159 .node_name = "nat44-ed-hairpin-src",
160 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
161 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
164 /* Hook up ip4-local features */
165 VNET_FEATURE_INIT (ip4_nat_hairpinning, static) =
167 .arc_name = "ip4-local",
168 .node_name = "nat44-hairpinning",
169 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
171 VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) =
173 .arc_name = "ip4-local",
174 .node_name = "nat44-ed-hairpinning",
175 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
179 VLIB_PLUGIN_REGISTER () = {
180 .version = VPP_BUILD_VER,
181 .description = "Network Address Translation (NAT)",
186 nat44_ed_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip,
187 u32 rx_fib_index, u8 is_output);
190 nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 rx_fib_index,
194 snat_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip0,
195 u32 rx_fib_index0, u8 is_output);
198 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0,
201 static u32 nat_calc_bihash_buckets (u32 n_elts);
203 u8 *format_static_mapping_kvp (u8 * s, va_list * args);
205 u8 *format_ed_session_kvp (u8 * s, va_list * args);
208 nat_ha_sadd_cb (ip4_address_t * in_addr, u16 in_port,
209 ip4_address_t * out_addr, u16 out_port,
210 ip4_address_t * eh_addr, u16 eh_port,
211 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
212 u32 fib_index, u16 flags, u32 thread_index);
215 nat_ha_sdel_cb (ip4_address_t * out_addr, u16 out_port,
216 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
220 nat_ha_sref_cb (ip4_address_t * out_addr, u16 out_port,
221 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
222 u32 total_pkts, u64 total_bytes, u32 thread_index);
225 nat_ha_sadd_ed_cb (ip4_address_t * in_addr, u16 in_port,
226 ip4_address_t * out_addr, u16 out_port,
227 ip4_address_t * eh_addr, u16 eh_port,
228 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
229 u32 fib_index, u16 flags, u32 thread_index);
232 nat_ha_sdel_ed_cb (ip4_address_t * out_addr, u16 out_port,
233 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
234 u32 fib_index, u32 ti);
237 nat_ha_sdel_ed_cb (ip4_address_t * out_addr, u16 out_port,
238 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
239 u32 fib_index, u32 ti);
242 nat_ha_sref_ed_cb (ip4_address_t * out_addr, u16 out_port,
243 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
244 u32 fib_index, u32 total_pkts, u64 total_bytes,
248 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index,
251 clib_bihash_kv_8_8_t kv;
254 ip4_address_t *l_addr, *r_addr;
256 clib_bihash_kv_16_8_t ed_kv;
257 snat_main_per_thread_data_t *tsm =
258 vec_elt_at_index (sm->per_thread_data, thread_index);
260 if (is_ed_session (s))
262 per_vrf_sessions_unregister_session (s, thread_index);
265 if (is_fwd_bypass_session (s))
267 if (snat_is_unk_proto_session (s))
269 init_ed_k (&ed_kv, s->in2out.addr, 0, s->ext_host_addr, 0, 0,
274 l_port = s->in2out.port;
275 r_port = s->ext_host_port;
276 l_addr = &s->in2out.addr;
277 r_addr = &s->ext_host_addr;
278 proto = nat_proto_to_ip_proto (s->nat_proto);
279 fib_index = s->in2out.fib_index;
280 init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index,
283 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
284 nat_elog_warn ("in2out_ed key del failed");
288 /* session lookup tables */
289 if (is_ed_session (s))
291 if (is_affinity_sessions (s))
292 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
293 s->nat_proto, s->out2in.port);
294 l_addr = &s->out2in.addr;
295 r_addr = &s->ext_host_addr;
296 fib_index = s->out2in.fib_index;
297 if (snat_is_unk_proto_session (s))
299 proto = s->in2out.port;
305 proto = nat_proto_to_ip_proto (s->nat_proto);
306 l_port = s->out2in.port;
307 r_port = s->ext_host_port;
309 init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index, proto);
310 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0))
311 nat_elog_warn ("out2in_ed key del failed");
312 l_addr = &s->in2out.addr;
313 fib_index = s->in2out.fib_index;
314 if (!snat_is_unk_proto_session (s))
315 l_port = s->in2out.port;
316 if (is_twice_nat_session (s))
318 r_addr = &s->ext_host_nat_addr;
319 r_port = s->ext_host_nat_port;
321 init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index, proto);
322 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
323 nat_elog_warn ("in2out_ed key del failed");
326 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
327 &s->in2out.addr, s->in2out.port,
328 &s->ext_host_nat_addr, s->ext_host_nat_port,
329 &s->out2in.addr, s->out2in.port,
330 &s->ext_host_addr, s->ext_host_port,
331 s->nat_proto, is_twice_nat_session (s));
335 init_nat_i2o_k (&kv, s);
336 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0))
337 nat_elog_warn ("in2out key del failed");
338 init_nat_o2i_k (&kv, s);
339 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0))
340 nat_elog_warn ("out2in key del failed");
343 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
344 &s->in2out.addr, s->in2out.port,
345 &s->out2in.addr, s->out2in.port,
349 if (snat_is_unk_proto_session (s))
355 nat_ipfix_logging_nat44_ses_delete (thread_index,
356 s->in2out.addr.as_u32,
357 s->out2in.addr.as_u32,
361 s->in2out.fib_index);
363 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
364 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
368 /* Twice NAT address and port for external host */
369 if (is_twice_nat_session (s))
371 snat_free_outside_address_and_port (sm->twice_nat_addresses,
373 &s->ext_host_nat_addr,
374 s->ext_host_nat_port, s->nat_proto);
377 if (snat_is_session_static (s))
380 snat_free_outside_address_and_port (sm->addresses, thread_index,
381 &s->out2in.addr, s->out2in.port,
386 nat44_free_session_data (snat_main_t * sm, snat_session_t * s,
387 u32 thread_index, u8 is_ha)
391 ip4_address_t *l_addr, *r_addr;
393 clib_bihash_kv_16_8_t ed_kv;
394 snat_main_per_thread_data_t *tsm =
395 vec_elt_at_index (sm->per_thread_data, thread_index);
397 if (is_fwd_bypass_session (s))
399 if (snat_is_unk_proto_session (s))
401 proto = s->in2out.port;
407 proto = nat_proto_to_ip_proto (s->nat_proto);
408 l_port = s->in2out.port;
409 r_port = s->ext_host_port;
412 l_addr = &s->in2out.addr;
413 r_addr = &s->ext_host_addr;
415 init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index, proto);
418 (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)))
419 nat_elog_warn ("in2out_ed key del failed");
423 /* session lookup tables */
424 if (is_affinity_sessions (s))
425 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
426 s->nat_proto, s->out2in.port);
427 l_addr = &s->out2in.addr;
428 r_addr = &s->ext_host_addr;
429 fib_index = s->out2in.fib_index;
430 if (snat_is_unk_proto_session (s))
432 proto = s->in2out.port;
438 proto = nat_proto_to_ip_proto (s->nat_proto);
439 l_port = s->out2in.port;
440 r_port = s->ext_host_port;
442 init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index, proto);
444 if (PREDICT_FALSE (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0)))
445 nat_elog_warn ("out2in_ed key del failed");
447 l_addr = &s->in2out.addr;
448 fib_index = s->in2out.fib_index;
450 if (!snat_is_unk_proto_session (s))
451 l_port = s->in2out.port;
453 if (is_twice_nat_session (s))
455 r_addr = &s->ext_host_nat_addr;
456 r_port = s->ext_host_nat_port;
458 init_ed_k (&ed_kv, *l_addr, l_port, *r_addr, r_port, fib_index, proto);
460 if (PREDICT_FALSE (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)))
461 nat_elog_warn ("in2out_ed key del failed");
465 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
466 &s->in2out.addr, s->in2out.port,
467 &s->ext_host_nat_addr, s->ext_host_nat_port,
468 &s->out2in.addr, s->out2in.port,
469 &s->ext_host_addr, s->ext_host_port,
470 s->nat_proto, is_twice_nat_session (s));
473 if (snat_is_unk_proto_session (s))
478 nat_ipfix_logging_nat44_ses_delete (thread_index,
479 s->in2out.addr.as_u32,
480 s->out2in.addr.as_u32,
484 s->in2out.fib_index);
485 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
486 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
490 /* Twice NAT address and port for external host */
491 if (is_twice_nat_session (s))
493 snat_free_outside_address_and_port (sm->twice_nat_addresses,
495 &s->ext_host_nat_addr,
496 s->ext_host_nat_port, s->nat_proto);
499 if (snat_is_session_static (s))
502 snat_free_outside_address_and_port (sm->addresses, thread_index,
503 &s->out2in.addr, s->out2in.port,
509 nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, u32 fib_index,
513 snat_user_key_t user_key;
514 clib_bihash_kv_8_8_t kv, value;
515 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
516 dlist_elt_t *per_user_list_head_elt;
518 user_key.addr.as_u32 = addr->as_u32;
519 user_key.fib_index = fib_index;
520 kv.key = user_key.as_u64;
522 /* Ever heard of the "user" = src ip4 address before? */
523 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
525 if (pool_elts (tsm->users) >= sm->max_users_per_thread)
527 vlib_increment_simple_counter (&sm->user_limit_reached,
529 nat_elog_warn ("maximum user limit reached");
532 /* no, make a new one */
533 pool_get (tsm->users, u);
534 clib_memset (u, 0, sizeof (*u));
536 u->addr.as_u32 = addr->as_u32;
537 u->fib_index = fib_index;
539 pool_get (tsm->list_pool, per_user_list_head_elt);
541 u->sessions_per_user_list_head_index = per_user_list_head_elt -
544 clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index);
546 kv.value = u - tsm->users;
549 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
551 nat_elog_warn ("user_hash key add failed");
552 nat44_delete_user_with_no_session (sm, u, thread_index);
556 vlib_set_simple_counter (&sm->total_users, thread_index, 0,
557 pool_elts (tsm->users));
561 u = pool_elt_at_index (tsm->users, value.value);
568 nat_session_alloc_or_recycle (snat_main_t * sm, snat_user_t * u,
569 u32 thread_index, f64 now)
572 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
573 u32 oldest_per_user_translation_list_index, session_index;
574 dlist_elt_t *oldest_per_user_translation_list_elt;
575 dlist_elt_t *per_user_translation_list_elt;
577 /* Over quota? Recycle the least recently used translation */
578 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
580 oldest_per_user_translation_list_index =
581 clib_dlist_remove_head (tsm->list_pool,
582 u->sessions_per_user_list_head_index);
584 ASSERT (oldest_per_user_translation_list_index != ~0);
586 /* Add it back to the end of the LRU list */
587 clib_dlist_addtail (tsm->list_pool,
588 u->sessions_per_user_list_head_index,
589 oldest_per_user_translation_list_index);
590 /* Get the list element */
591 oldest_per_user_translation_list_elt =
592 pool_elt_at_index (tsm->list_pool,
593 oldest_per_user_translation_list_index);
595 /* Get the session index from the list element */
596 session_index = oldest_per_user_translation_list_elt->value;
598 /* Get the session */
599 s = pool_elt_at_index (tsm->sessions, session_index);
600 nat_free_session_data (sm, s, thread_index, 0);
601 if (snat_is_session_static (s))
602 u->nstaticsessions--;
609 s->ext_host_addr.as_u32 = 0;
610 s->ext_host_port = 0;
611 s->ext_host_nat_addr.as_u32 = 0;
612 s->ext_host_nat_port = 0;
616 pool_get (tsm->sessions, s);
617 clib_memset (s, 0, sizeof (*s));
619 /* Create list elts */
620 pool_get (tsm->list_pool, per_user_translation_list_elt);
621 clib_dlist_init (tsm->list_pool,
622 per_user_translation_list_elt - tsm->list_pool);
624 per_user_translation_list_elt->value = s - tsm->sessions;
625 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
626 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
628 clib_dlist_addtail (tsm->list_pool,
629 s->per_user_list_head_index,
630 per_user_translation_list_elt - tsm->list_pool);
632 s->user_index = u - tsm->users;
633 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
634 pool_elts (tsm->sessions));
637 s->ha_last_refreshed = now;
643 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
646 fib_prefix_t prefix = {
648 .fp_proto = FIB_PROTOCOL_IP4,
650 .ip4.as_u32 = addr->as_u32,
653 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
656 fib_table_entry_update_one_path (fib_index,
659 (FIB_ENTRY_FLAG_CONNECTED |
660 FIB_ENTRY_FLAG_LOCAL |
661 FIB_ENTRY_FLAG_EXCLUSIVE),
665 ~0, 1, NULL, FIB_ROUTE_PATH_FLAG_NONE);
667 fib_table_entry_delete (fib_index, &prefix, nat_fib_src_low);
671 snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id,
676 vlib_thread_main_t *tm = vlib_get_thread_main ();
678 if (twice_nat && !sm->endpoint_dependent)
680 nat_log_err ("unsupported");
681 return VNET_API_ERROR_UNSUPPORTED;
684 /* Check if address already exists */
686 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
688 if (ap->addr.as_u32 == addr->as_u32)
690 nat_log_err ("address exist");
691 return VNET_API_ERROR_VALUE_EXIST;
697 vec_add2 (sm->twice_nat_addresses, ap, 1);
699 vec_add2 (sm->addresses, ap, 1);
704 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
710 #define _(N, i, n, s) \
711 clib_memset(ap->busy_##n##_port_refcounts, 0, sizeof(ap->busy_##n##_port_refcounts));\
712 ap->busy_##n##_ports = 0; \
713 ap->busy_##n##_ports_per_thread = 0;\
714 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
722 /* Add external address to FIB */
724 pool_foreach (i, sm->interfaces,
726 if (nat_interface_is_inside(i) || sm->out2in_dpo)
729 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
732 pool_foreach (i, sm->output_feature_interfaces,
734 if (nat_interface_is_inside(i) || sm->out2in_dpo)
737 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
746 is_snat_address_used_in_static_mapping (snat_main_t * sm, ip4_address_t addr)
748 snat_static_mapping_t *m;
750 pool_foreach (m, sm->static_mappings,
752 if (is_addr_only_static_mapping (m) ||
753 is_out2in_only_static_mapping (m) ||
754 is_identity_static_mapping (m))
756 if (m->external_addr.as_u32 == addr.as_u32)
765 snat_add_static_mapping_when_resolved (snat_main_t * sm,
766 ip4_address_t l_addr,
771 nat_protocol_t proto,
772 int addr_only, int is_add, u8 * tag,
773 int twice_nat, int out2in_only,
775 ip4_address_t pool_addr, int exact)
777 snat_static_map_resolve_t *rp;
779 vec_add2 (sm->to_resolve, rp, 1);
780 rp->l_addr.as_u32 = l_addr.as_u32;
782 rp->sw_if_index = sw_if_index;
786 rp->addr_only = addr_only;
788 rp->twice_nat = twice_nat;
789 rp->out2in_only = out2in_only;
790 rp->identity_nat = identity_nat;
791 rp->tag = vec_dup (tag);
792 rp->pool_addr = pool_addr;
797 get_thread_idx_by_port (u16 e_port)
799 snat_main_t *sm = &snat_main;
800 u32 thread_idx = sm->num_workers;
801 if (sm->num_workers > 1)
804 sm->first_worker_index +
805 sm->workers[(e_port - 1024) / sm->port_per_thread];
811 snat_static_mapping_del_sessions (snat_main_t * sm,
812 snat_main_per_thread_data_t * tsm,
813 snat_user_key_t u_key, int addr_only,
814 ip4_address_t e_addr, u16 e_port)
816 clib_bihash_kv_8_8_t kv, value;
817 kv.key = u_key.as_u64;
819 dlist_elt_t *head, *elt;
822 u32 elt_index, head_index, ses_index;
823 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
825 user_index = value.value;
826 u = pool_elt_at_index (tsm->users, user_index);
827 if (u->nstaticsessions)
829 head_index = u->sessions_per_user_list_head_index;
830 head = pool_elt_at_index (tsm->list_pool, head_index);
831 elt_index = head->next;
832 elt = pool_elt_at_index (tsm->list_pool, elt_index);
833 ses_index = elt->value;
834 while (ses_index != ~0)
836 s = pool_elt_at_index (tsm->sessions, ses_index);
837 elt = pool_elt_at_index (tsm->list_pool, elt->next);
838 ses_index = elt->value;
842 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
843 (s->out2in.port != e_port))
847 if (is_lb_session (s))
850 if (!snat_is_session_static (s))
853 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
854 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
864 snat_ed_static_mapping_del_sessions (snat_main_t * sm,
865 snat_main_per_thread_data_t * tsm,
866 ip4_address_t l_addr,
869 u32 fib_index, int addr_only,
870 ip4_address_t e_addr, u16 e_port)
873 u32 *indexes_to_free = NULL;
875 pool_foreach (s, tsm->sessions, {
876 if (s->in2out.fib_index != fib_index ||
877 s->in2out.addr.as_u32 != l_addr.as_u32)
883 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
884 s->out2in.port != e_port ||
885 s->in2out.port != l_port ||
886 s->nat_proto != protocol)
890 if (is_lb_session (s))
892 if (!snat_is_session_static (s))
894 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
895 vec_add1 (indexes_to_free, s - tsm->sessions);
901 vec_foreach (ses_index, indexes_to_free)
903 s = pool_elt_at_index (tsm->sessions, *ses_index);
904 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
906 vec_free (indexes_to_free);
910 snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
911 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
912 u32 sw_if_index, nat_protocol_t proto, int is_add,
913 twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag,
914 u8 identity_nat, ip4_address_t pool_addr, int exact)
916 snat_main_t *sm = &snat_main;
917 snat_static_mapping_t *m;
918 clib_bihash_kv_8_8_t kv, value;
919 snat_address_t *a = 0;
921 snat_interface_t *interface;
923 snat_main_per_thread_data_t *tsm;
924 snat_user_key_t u_key;
926 dlist_elt_t *head, *elt;
927 u32 elt_index, head_index;
931 snat_static_map_resolve_t *rp, *rp_match = 0;
932 nat44_lb_addr_port_t *local;
935 if (!sm->endpoint_dependent)
937 if (twice_nat || out2in_only)
938 return VNET_API_ERROR_FEATURE_DISABLED;
941 /* If the external address is a specific interface address */
942 if (sw_if_index != ~0)
944 ip4_address_t *first_int_addr;
946 for (i = 0; i < vec_len (sm->to_resolve); i++)
948 rp = sm->to_resolve + i;
949 if (rp->sw_if_index != sw_if_index ||
950 rp->l_addr.as_u32 != l_addr.as_u32 ||
951 rp->vrf_id != vrf_id || rp->addr_only != addr_only)
956 if ((rp->l_port != l_port && rp->e_port != e_port)
957 || rp->proto != proto)
965 /* Might be already set... */
966 first_int_addr = ip4_interface_first_address
967 (sm->ip4_main, sw_if_index, 0 /* just want the address */ );
972 return VNET_API_ERROR_VALUE_EXIST;
974 snat_add_static_mapping_when_resolved
975 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
976 addr_only, is_add, tag, twice_nat, out2in_only,
977 identity_nat, pool_addr, exact);
979 /* DHCP resolution required? */
980 if (first_int_addr == 0)
986 e_addr.as_u32 = first_int_addr->as_u32;
987 /* Identity mapping? */
988 if (l_addr.as_u32 == 0)
989 l_addr.as_u32 = e_addr.as_u32;
995 return VNET_API_ERROR_NO_SUCH_ENTRY;
997 vec_del1 (sm->to_resolve, i);
1001 e_addr.as_u32 = first_int_addr->as_u32;
1002 /* Identity mapping? */
1003 if (l_addr.as_u32 == 0)
1004 l_addr.as_u32 = e_addr.as_u32;
1011 init_nat_k (&kv, e_addr, addr_only ? 0 : e_port, 0, addr_only ? 0 : proto);
1012 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1015 m = pool_elt_at_index (sm->static_mappings, value.value);
1021 if (is_identity_static_mapping (m))
1024 pool_foreach (local, m->locals,
1026 if (local->vrf_id == vrf_id)
1027 return VNET_API_ERROR_VALUE_EXIST;
1030 pool_get (m->locals, local);
1031 local->vrf_id = vrf_id;
1033 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1035 init_nat_kv (&kv, m->local_addr, m->local_port,
1036 local->fib_index, m->proto,
1037 m - sm->static_mappings);
1038 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1042 return VNET_API_ERROR_VALUE_EXIST;
1045 if (twice_nat && addr_only)
1046 return VNET_API_ERROR_UNSUPPORTED;
1048 /* Convert VRF id to FIB index */
1051 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1053 /* If not specified use inside VRF id from SNAT plugin startup config */
1056 fib_index = sm->inside_fib_index;
1057 vrf_id = sm->inside_vrf_id;
1058 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1061 if (!(out2in_only || identity_nat))
1063 init_nat_k (&kv, l_addr, addr_only ? 0 : l_port, fib_index,
1064 addr_only ? 0 : proto);
1065 if (!clib_bihash_search_8_8
1066 (&sm->static_mapping_by_local, &kv, &value))
1067 return VNET_API_ERROR_VALUE_EXIST;
1070 /* Find external address in allocated addresses and reserve port for
1071 address and port pair mapping when dynamic translations enabled */
1072 if (!(addr_only || sm->static_mapping_only || out2in_only))
1074 for (i = 0; i < vec_len (sm->addresses); i++)
1076 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1078 a = sm->addresses + i;
1079 /* External port must be unused */
1082 #define _(N, j, n, s) \
1083 case NAT_PROTOCOL_##N: \
1084 if (a->busy_##n##_port_refcounts[e_port]) \
1085 return VNET_API_ERROR_INVALID_VALUE; \
1086 ++a->busy_##n##_port_refcounts[e_port]; \
1087 if (e_port > 1024) \
1089 a->busy_##n##_ports++; \
1090 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1093 foreach_nat_protocol
1096 nat_elog_info ("unknown protocol");
1097 return VNET_API_ERROR_INVALID_VALUE_2;
1102 /* External address must be allocated */
1103 if (!a && (l_addr.as_u32 != e_addr.as_u32))
1105 if (sw_if_index != ~0)
1107 for (i = 0; i < vec_len (sm->to_resolve); i++)
1109 rp = sm->to_resolve + i;
1112 if (rp->sw_if_index != sw_if_index &&
1113 rp->l_addr.as_u32 != l_addr.as_u32 &&
1114 rp->vrf_id != vrf_id && rp->l_port != l_port &&
1115 rp->e_port != e_port && rp->proto != proto)
1118 vec_del1 (sm->to_resolve, i);
1122 return VNET_API_ERROR_NO_SUCH_ENTRY;
1126 pool_get (sm->static_mappings, m);
1127 clib_memset (m, 0, sizeof (*m));
1128 m->tag = vec_dup (tag);
1129 m->local_addr = l_addr;
1130 m->external_addr = e_addr;
1131 m->twice_nat = twice_nat;
1133 if (twice_nat == TWICE_NAT && exact)
1135 m->flags |= NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS;
1136 m->pool_addr = pool_addr;
1140 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1142 m->flags |= NAT_STATIC_MAPPING_FLAG_ADDR_ONLY;
1145 m->flags |= NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT;
1146 pool_get (m->locals, local);
1147 local->vrf_id = vrf_id;
1148 local->fib_index = fib_index;
1153 m->fib_index = fib_index;
1157 m->local_port = l_port;
1158 m->external_port = e_port;
1162 if (sm->num_workers > 1)
1165 .src_address = m->local_addr,
1167 vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index, 0));
1168 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1171 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1173 init_nat_kv (&kv, m->local_addr, m->local_port, fib_index, m->proto,
1174 m - sm->static_mappings);
1176 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1178 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto,
1179 m - sm->static_mappings);
1180 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1);
1182 /* Delete dynamic sessions matching local address (+ local port) */
1183 if (!(sm->static_mapping_only))
1185 u_key.addr = m->local_addr;
1186 u_key.fib_index = m->fib_index;
1187 kv.key = u_key.as_u64;
1188 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1190 user_index = value.value;
1191 u = pool_elt_at_index (tsm->users, user_index);
1194 head_index = u->sessions_per_user_list_head_index;
1195 head = pool_elt_at_index (tsm->list_pool, head_index);
1196 elt_index = head->next;
1197 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1198 ses_index = elt->value;
1199 while (ses_index != ~0)
1201 s = pool_elt_at_index (tsm->sessions, ses_index);
1202 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1203 ses_index = elt->value;
1205 if (snat_is_session_static (s))
1208 if (!addr_only && s->in2out.port != m->local_port)
1211 nat_free_session_data (sm, s,
1212 tsm - sm->per_thread_data, 0);
1213 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1215 if (!addr_only && !sm->endpoint_dependent)
1226 if (sw_if_index != ~0)
1229 return VNET_API_ERROR_NO_SUCH_ENTRY;
1235 vrf_id = sm->inside_vrf_id;
1238 pool_foreach (local, m->locals,
1240 if (local->vrf_id == vrf_id)
1241 find = local - m->locals;
1245 return VNET_API_ERROR_NO_SUCH_ENTRY;
1247 local = pool_elt_at_index (m->locals, find);
1248 fib_index = local->fib_index;
1249 pool_put (m->locals, local);
1252 fib_index = m->fib_index;
1254 /* Free external address port */
1255 if (!(addr_only || sm->static_mapping_only || out2in_only))
1257 for (i = 0; i < vec_len (sm->addresses); i++)
1259 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1261 a = sm->addresses + i;
1264 #define _(N, j, n, s) \
1265 case NAT_PROTOCOL_##N: \
1266 --a->busy_##n##_port_refcounts[e_port]; \
1267 if (e_port > 1024) \
1269 a->busy_##n##_ports--; \
1270 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1273 foreach_nat_protocol
1276 nat_elog_info ("unknown protocol");
1277 return VNET_API_ERROR_INVALID_VALUE_2;
1284 if (sm->num_workers > 1)
1285 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1287 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1289 init_nat_k (&kv, m->local_addr, m->local_port, fib_index, m->proto);
1291 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0);
1293 /* Delete session(s) for static mapping if exist */
1294 if (!(sm->static_mapping_only) ||
1295 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
1297 if (sm->endpoint_dependent)
1299 snat_ed_static_mapping_del_sessions (sm, tsm, m->local_addr,
1300 m->local_port, m->proto,
1301 fib_index, addr_only,
1306 u_key.addr = m->local_addr;
1307 u_key.fib_index = fib_index;
1308 kv.key = u_key.as_u64;
1309 snat_static_mapping_del_sessions (sm, tsm, u_key, addr_only,
1314 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1315 if (pool_elts (m->locals))
1318 init_nat_k (&kv, m->external_addr, m->external_port, 0, m->proto);
1319 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0);
1322 vec_free (m->workers);
1323 /* Delete static mapping from pool */
1324 pool_put (sm->static_mappings, m);
1327 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
1330 /* Add/delete external address to FIB */
1332 pool_foreach (interface, sm->interfaces,
1334 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1337 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1340 pool_foreach (interface, sm->output_feature_interfaces,
1342 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1345 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1354 nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1355 nat_protocol_t proto,
1356 nat44_lb_addr_port_t * locals, u8 is_add,
1357 twice_nat_type_t twice_nat, u8 out2in_only,
1358 u8 * tag, u32 affinity)
1360 snat_main_t *sm = &snat_main;
1361 snat_static_mapping_t *m;
1362 clib_bihash_kv_8_8_t kv, value;
1363 snat_address_t *a = 0;
1365 nat44_lb_addr_port_t *local;
1366 snat_main_per_thread_data_t *tsm;
1370 if (!sm->endpoint_dependent)
1371 return VNET_API_ERROR_FEATURE_DISABLED;
1373 init_nat_k (&kv, e_addr, e_port, 0, proto);
1374 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1377 m = pool_elt_at_index (sm->static_mappings, value.value);
1382 return VNET_API_ERROR_VALUE_EXIST;
1384 if (vec_len (locals) < 2)
1385 return VNET_API_ERROR_INVALID_VALUE;
1387 /* Find external address in allocated addresses and reserve port for
1388 address and port pair mapping when dynamic translations enabled */
1389 if (!(sm->static_mapping_only || out2in_only))
1391 for (i = 0; i < vec_len (sm->addresses); i++)
1393 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1395 a = sm->addresses + i;
1396 /* External port must be unused */
1399 #define _(N, j, n, s) \
1400 case NAT_PROTOCOL_##N: \
1401 if (a->busy_##n##_port_refcounts[e_port]) \
1402 return VNET_API_ERROR_INVALID_VALUE; \
1403 ++a->busy_##n##_port_refcounts[e_port]; \
1404 if (e_port > 1024) \
1406 a->busy_##n##_ports++; \
1407 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1410 foreach_nat_protocol
1413 nat_elog_info ("unknown protocol");
1414 return VNET_API_ERROR_INVALID_VALUE_2;
1419 /* External address must be allocated */
1421 return VNET_API_ERROR_NO_SUCH_ENTRY;
1424 pool_get (sm->static_mappings, m);
1425 clib_memset (m, 0, sizeof (*m));
1426 m->tag = vec_dup (tag);
1427 m->external_addr = e_addr;
1428 m->external_port = e_port;
1430 m->twice_nat = twice_nat;
1431 m->flags |= NAT_STATIC_MAPPING_FLAG_LB;
1433 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1434 m->affinity = affinity;
1437 m->affinity_per_service_list_head_index =
1438 nat_affinity_get_per_service_list_head_index ();
1440 m->affinity_per_service_list_head_index = ~0;
1442 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto,
1443 m - sm->static_mappings);
1444 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1))
1446 nat_elog_err ("static_mapping_by_external key add failed");
1447 return VNET_API_ERROR_UNSPECIFIED;
1450 for (i = 0; i < vec_len (locals); i++)
1452 locals[i].fib_index =
1453 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1458 init_nat_kv (&kv, locals[i].addr, locals[i].port,
1459 locals[i].fib_index, m->proto,
1460 m - sm->static_mappings);
1461 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1463 locals[i].prefix = (i == 0) ? locals[i].probability :
1464 (locals[i - 1].prefix + locals[i].probability);
1465 pool_get (m->locals, local);
1467 if (sm->num_workers > 1)
1470 .src_address = locals[i].addr,
1473 clib_bitmap_set (bitmap,
1474 sm->worker_in2out_cb (&ip, m->fib_index, 0),
1479 /* Assign workers */
1480 if (sm->num_workers > 1)
1483 clib_bitmap_foreach (i, bitmap,
1485 vec_add1(m->workers, i);
1493 return VNET_API_ERROR_NO_SUCH_ENTRY;
1495 if (!is_lb_static_mapping (m))
1496 return VNET_API_ERROR_INVALID_VALUE;
1498 /* Free external address port */
1499 if (!(sm->static_mapping_only || out2in_only))
1501 for (i = 0; i < vec_len (sm->addresses); i++)
1503 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1505 a = sm->addresses + i;
1508 #define _(N, j, n, s) \
1509 case NAT_PROTOCOL_##N: \
1510 --a->busy_##n##_port_refcounts[e_port]; \
1511 if (e_port > 1024) \
1513 a->busy_##n##_ports--; \
1514 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1517 foreach_nat_protocol
1520 nat_elog_info ("unknown protocol");
1521 return VNET_API_ERROR_INVALID_VALUE_2;
1528 init_nat_k (&kv, m->external_addr, m->external_port, 0, m->proto);
1529 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0))
1531 nat_elog_err ("static_mapping_by_external key del failed");
1532 return VNET_API_ERROR_UNSPECIFIED;
1536 pool_foreach (local, m->locals,
1538 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4,
1542 init_nat_k(& kv, local->addr, local->port, local->fib_index, m->proto);
1543 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
1545 nat_elog_err ("static_mapping_by_local key del failed");
1546 return VNET_API_ERROR_UNSPECIFIED;
1550 if (sm->num_workers > 1)
1553 .src_address = local->addr,
1555 tsm = vec_elt_at_index (sm->per_thread_data,
1556 sm->worker_in2out_cb (&ip, m->fib_index, 0));
1559 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1561 /* Delete sessions */
1562 pool_foreach (s, tsm->sessions, {
1563 if (!(is_lb_session (s)))
1566 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1567 s->in2out.port != local->port)
1570 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1571 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1576 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1577 pool_free (m->locals);
1579 vec_free (m->workers);
1581 pool_put (sm->static_mappings, m);
1588 nat44_lb_static_mapping_add_del_local (ip4_address_t e_addr, u16 e_port,
1589 ip4_address_t l_addr, u16 l_port,
1590 nat_protocol_t proto, u32 vrf_id,
1591 u8 probability, u8 is_add)
1593 snat_main_t *sm = &snat_main;
1594 snat_static_mapping_t *m = 0;
1595 clib_bihash_kv_8_8_t kv, value;
1596 nat44_lb_addr_port_t *local, *prev_local, *match_local = 0;
1597 snat_main_per_thread_data_t *tsm;
1603 if (!sm->endpoint_dependent)
1604 return VNET_API_ERROR_FEATURE_DISABLED;
1606 init_nat_k (&kv, e_addr, e_port, 0, proto);
1607 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1608 m = pool_elt_at_index (sm->static_mappings, value.value);
1611 return VNET_API_ERROR_NO_SUCH_ENTRY;
1613 if (!is_lb_static_mapping (m))
1614 return VNET_API_ERROR_INVALID_VALUE;
1617 pool_foreach (local, m->locals,
1619 if ((local->addr.as_u32 == l_addr.as_u32) && (local->port == l_port) &&
1620 (local->vrf_id == vrf_id))
1622 match_local = local;
1631 return VNET_API_ERROR_VALUE_EXIST;
1633 pool_get (m->locals, local);
1634 clib_memset (local, 0, sizeof (*local));
1635 local->addr.as_u32 = l_addr.as_u32;
1636 local->port = l_port;
1637 local->probability = probability;
1638 local->vrf_id = vrf_id;
1640 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1643 if (!is_out2in_only_static_mapping (m))
1645 init_nat_kv (&kv, l_addr, l_port, local->fib_index, proto,
1646 m - sm->static_mappings);
1647 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1))
1648 nat_elog_err ("static_mapping_by_local key add failed");
1654 return VNET_API_ERROR_NO_SUCH_ENTRY;
1656 if (pool_elts (m->locals) < 3)
1657 return VNET_API_ERROR_UNSPECIFIED;
1659 fib_table_unlock (match_local->fib_index, FIB_PROTOCOL_IP4,
1662 if (!is_out2in_only_static_mapping (m))
1664 init_nat_k (&kv, l_addr, l_port, match_local->fib_index, proto);
1665 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0))
1666 nat_elog_err ("static_mapping_by_local key del failed");
1669 if (sm->num_workers > 1)
1672 .src_address = local->addr,
1674 tsm = vec_elt_at_index (sm->per_thread_data,
1675 sm->worker_in2out_cb (&ip, m->fib_index,
1679 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1681 /* Delete sessions */
1683 pool_foreach (s, tsm->sessions, {
1684 if (!(is_lb_session (s)))
1687 if ((s->in2out.addr.as_u32 != match_local->addr.as_u32) ||
1688 s->in2out.port != match_local->port)
1691 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1692 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1696 pool_put (m->locals, match_local);
1699 vec_free (m->workers);
1702 pool_foreach (local, m->locals,
1704 vec_add1 (locals, local - m->locals);
1705 if (sm->num_workers > 1)
1708 ip.src_address.as_u32 = local->addr.as_u32,
1709 bitmap = clib_bitmap_set (bitmap,
1710 sm->worker_in2out_cb (&ip, local->fib_index, 0),
1716 ASSERT (vec_len (locals) > 1);
1718 local = pool_elt_at_index (m->locals, locals[0]);
1719 local->prefix = local->probability;
1720 for (i = 1; i < vec_len (locals); i++)
1722 local = pool_elt_at_index (m->locals, locals[i]);
1723 prev_local = pool_elt_at_index (m->locals, locals[i - 1]);
1724 local->prefix = local->probability + prev_local->prefix;
1727 /* Assign workers */
1728 if (sm->num_workers > 1)
1731 clib_bitmap_foreach (i, bitmap, ({ vec_add1(m->workers, i); }));
1739 snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
1742 snat_address_t *a = 0;
1743 snat_session_t *ses;
1744 u32 *ses_to_be_removed = 0, *ses_index;
1745 snat_main_per_thread_data_t *tsm;
1746 snat_static_mapping_t *m;
1747 snat_interface_t *interface;
1749 snat_address_t *addresses =
1750 twice_nat ? sm->twice_nat_addresses : sm->addresses;
1752 /* Find SNAT address */
1753 for (i = 0; i < vec_len (addresses); i++)
1755 if (addresses[i].addr.as_u32 == addr.as_u32)
1763 nat_log_err ("no such address");
1764 return VNET_API_ERROR_NO_SUCH_ENTRY;
1769 ip4_address_t pool_addr = { 0 };
1771 pool_foreach (m, sm->static_mappings,
1773 if (m->external_addr.as_u32 == addr.as_u32)
1774 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1775 m->local_port, m->external_port,
1777 is_addr_only_static_mapping(m), ~0,
1778 m->proto, 0 /* is_add */,
1780 is_out2in_only_static_mapping(m),
1782 is_identity_static_mapping(m),
1789 /* Check if address is used in some static mapping */
1790 if (is_snat_address_used_in_static_mapping (sm, addr))
1792 nat_log_err ("address used in static mapping");
1793 return VNET_API_ERROR_UNSPECIFIED;
1797 if (a->fib_index != ~0)
1798 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1800 /* Delete sessions using address */
1801 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1804 vec_foreach (tsm, sm->per_thread_data)
1806 pool_foreach (ses, tsm->sessions, ({
1807 if (ses->out2in.addr.as_u32 == addr.as_u32)
1809 nat_free_session_data (sm, ses, tsm - sm->per_thread_data, 0);
1810 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1814 if (sm->endpoint_dependent){
1815 vec_foreach (ses_index, ses_to_be_removed)
1817 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1818 nat_ed_session_delete (sm, ses, tsm - sm->per_thread_data, 1);
1821 vec_foreach (ses_index, ses_to_be_removed)
1823 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1824 nat44_delete_session (sm, ses, tsm - sm->per_thread_data);
1828 vec_free (ses_to_be_removed);
1833 #define _(N, i, n, s) \
1834 vec_free (a->busy_##n##_ports_per_thread);
1835 foreach_nat_protocol
1839 vec_del1 (sm->twice_nat_addresses, i);
1843 vec_del1 (sm->addresses, i);
1845 /* Delete external address from FIB */
1847 pool_foreach (interface, sm->interfaces,
1849 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1852 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1855 pool_foreach (interface, sm->output_feature_interfaces,
1857 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1860 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1869 nat_validate_counters (snat_main_t * sm, u32 sw_if_index)
1872 vlib_validate_simple_counter (&sm->counters.fastpath.in2out.x, \
1874 vlib_zero_simple_counter (&sm->counters.fastpath.in2out.x, sw_if_index); \
1875 vlib_validate_simple_counter (&sm->counters.fastpath.out2in.x, \
1877 vlib_zero_simple_counter (&sm->counters.fastpath.out2in.x, sw_if_index); \
1878 vlib_validate_simple_counter (&sm->counters.slowpath.in2out.x, \
1880 vlib_zero_simple_counter (&sm->counters.slowpath.in2out.x, sw_if_index); \
1881 vlib_validate_simple_counter (&sm->counters.slowpath.out2in.x, \
1883 vlib_zero_simple_counter (&sm->counters.slowpath.out2in.x, sw_if_index); \
1884 vlib_validate_simple_counter (&sm->counters.fastpath.in2out_ed.x, \
1886 vlib_zero_simple_counter (&sm->counters.fastpath.in2out_ed.x, sw_if_index); \
1887 vlib_validate_simple_counter (&sm->counters.fastpath.out2in_ed.x, \
1889 vlib_zero_simple_counter (&sm->counters.fastpath.out2in_ed.x, sw_if_index); \
1890 vlib_validate_simple_counter (&sm->counters.slowpath.in2out_ed.x, \
1892 vlib_zero_simple_counter (&sm->counters.slowpath.in2out_ed.x, sw_if_index); \
1893 vlib_validate_simple_counter (&sm->counters.slowpath.out2in_ed.x, \
1895 vlib_zero_simple_counter (&sm->counters.slowpath.out2in_ed.x, sw_if_index);
1896 foreach_nat_counter;
1898 vlib_validate_simple_counter (&sm->counters.hairpinning, sw_if_index);
1899 vlib_zero_simple_counter (&sm->counters.hairpinning, sw_if_index);
1903 expire_per_vrf_sessions (u32 fib_index)
1905 per_vrf_sessions_t *per_vrf_sessions;
1906 snat_main_per_thread_data_t *tsm;
1907 snat_main_t *sm = &snat_main;
1910 vec_foreach (tsm, sm->per_thread_data)
1912 vec_foreach (per_vrf_sessions, tsm->per_vrf_sessions_vec)
1914 if ((per_vrf_sessions->rx_fib_index == fib_index) ||
1915 (per_vrf_sessions->tx_fib_index == fib_index))
1917 per_vrf_sessions->expired = 1;
1925 update_per_vrf_sessions_vec (u32 fib_index, int is_del)
1927 snat_main_t *sm = &snat_main;
1930 // we don't care if it is outside/inside fib
1931 // we just care about their ref_count
1932 // if it reaches 0 sessions should expire
1933 // because the fib isn't valid for NAT anymore
1935 vec_foreach (fib, sm->fibs)
1937 if (fib->fib_index == fib_index)
1942 if (!fib->ref_count)
1944 vec_del1 (sm->fibs, fib - sm->fibs);
1945 expire_per_vrf_sessions (fib_index);
1955 vec_add2 (sm->fibs, fib, 1);
1957 fib->fib_index = fib_index;
1962 snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
1964 snat_main_t *sm = &snat_main;
1965 snat_interface_t *i;
1966 const char *feature_name, *del_feature_name;
1968 snat_static_mapping_t *m;
1969 nat_outside_fib_t *outside_fib;
1970 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1975 nat_log_err ("nat44 is disabled");
1976 return VNET_API_ERROR_UNSUPPORTED;
1979 if (sm->out2in_dpo && !is_inside)
1981 nat_log_err ("error unsupported");
1982 return VNET_API_ERROR_UNSUPPORTED;
1986 pool_foreach (i, sm->output_feature_interfaces,
1988 if (i->sw_if_index == sw_if_index)
1990 nat_log_err ("error interface already configured");
1991 return VNET_API_ERROR_VALUE_EXIST;
1996 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1997 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
2000 if (sm->num_workers > 1)
2002 is_inside ? "nat44-in2out-worker-handoff" :
2003 "nat44-out2in-worker-handoff";
2004 else if (sm->endpoint_dependent)
2006 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
2009 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
2012 if (sm->fq_in2out_index == ~0 && sm->num_workers > 1)
2013 sm->fq_in2out_index =
2014 vlib_frame_queue_main_init (sm->in2out_node_index, NAT_FQ_NELTS);
2016 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
2017 sm->fq_out2in_index =
2018 vlib_frame_queue_main_init (sm->out2in_node_index, NAT_FQ_NELTS);
2020 if (sm->endpoint_dependent)
2021 update_per_vrf_sessions_vec (fib_index, is_del);
2026 vec_foreach (outside_fib, sm->outside_fibs)
2028 if (outside_fib->fib_index == fib_index)
2032 outside_fib->refcount--;
2033 if (!outside_fib->refcount)
2034 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2037 outside_fib->refcount++;
2044 vec_add2 (sm->outside_fibs, outside_fib, 1);
2045 outside_fib->refcount = 1;
2046 outside_fib->fib_index = fib_index;
2052 pool_foreach (i, sm->interfaces,
2054 if (i->sw_if_index == sw_if_index)
2058 if (nat_interface_is_inside(i) && nat_interface_is_outside(i))
2061 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
2063 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
2065 if (sm->num_workers > 1)
2067 del_feature_name = "nat44-handoff-classify";
2068 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
2069 "nat44-out2in-worker-handoff";
2071 else if (sm->endpoint_dependent)
2073 del_feature_name = "nat44-ed-classify";
2074 feature_name = !is_inside ? "nat-pre-in2out" :
2079 del_feature_name = "nat44-classify";
2080 feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
2083 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
2086 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
2087 sw_if_index, 0, 0, 0);
2088 vnet_feature_enable_disable ("ip4-unicast", feature_name,
2089 sw_if_index, 1, 0, 0);
2092 if (sm->endpoint_dependent)
2093 vnet_feature_enable_disable ("ip4-local",
2094 "nat44-ed-hairpinning",
2095 sw_if_index, 1, 0, 0);
2097 vnet_feature_enable_disable ("ip4-local",
2098 "nat44-hairpinning",
2099 sw_if_index, 1, 0, 0);
2104 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
2107 vnet_feature_enable_disable ("ip4-unicast", feature_name,
2108 sw_if_index, 0, 0, 0);
2109 pool_put (sm->interfaces, i);
2112 if (sm->endpoint_dependent)
2113 vnet_feature_enable_disable ("ip4-local",
2114 "nat44-ed-hairpinning",
2115 sw_if_index, 0, 0, 0);
2117 vnet_feature_enable_disable ("ip4-local",
2118 "nat44-hairpinning",
2119 sw_if_index, 0, 0, 0);
2125 if ((nat_interface_is_inside(i) && is_inside) ||
2126 (nat_interface_is_outside(i) && !is_inside))
2129 if (sm->num_workers > 1)
2131 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
2132 "nat44-out2in-worker-handoff";
2133 feature_name = "nat44-handoff-classify";
2135 else if (sm->endpoint_dependent)
2137 del_feature_name = !is_inside ? "nat-pre-in2out" :
2140 feature_name = "nat44-ed-classify";
2144 del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
2145 feature_name = "nat44-classify";
2148 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
2151 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
2152 sw_if_index, 0, 0, 0);
2153 vnet_feature_enable_disable ("ip4-unicast", feature_name,
2154 sw_if_index, 1, 0, 0);
2157 if (sm->endpoint_dependent)
2158 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
2159 sw_if_index, 0, 0, 0);
2161 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
2162 sw_if_index, 0, 0, 0);
2174 nat_log_err ("error interface couldn't be found");
2175 return VNET_API_ERROR_NO_SUCH_ENTRY;
2178 pool_get (sm->interfaces, i);
2179 i->sw_if_index = sw_if_index;
2181 nat_validate_counters (sm, sw_if_index);
2183 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0,
2186 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
2190 if (is_inside && !sm->out2in_dpo)
2192 if (sm->endpoint_dependent)
2193 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
2194 sw_if_index, 1, 0, 0);
2196 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
2197 sw_if_index, 1, 0, 0);
2203 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2207 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2209 /* Add/delete external addresses to FIB */
2212 vec_foreach (ap, sm->addresses)
2213 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
2215 pool_foreach (m, sm->static_mappings,
2217 if (!(is_addr_only_static_mapping(m)) || (m->local_addr.as_u32 == m->external_addr.as_u32))
2220 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
2228 snat_interface_add_del_output_feature (u32 sw_if_index,
2229 u8 is_inside, int is_del)
2231 snat_main_t *sm = &snat_main;
2232 snat_interface_t *i;
2234 snat_static_mapping_t *m;
2235 nat_outside_fib_t *outside_fib;
2236 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2241 nat_log_err ("nat44 is disabled");
2242 return VNET_API_ERROR_UNSUPPORTED;
2245 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
2247 nat_log_err ("error unsupported");
2248 return VNET_API_ERROR_UNSUPPORTED;
2252 pool_foreach (i, sm->interfaces,
2254 if (i->sw_if_index == sw_if_index)
2256 nat_log_err ("error interface already configured");
2257 return VNET_API_ERROR_VALUE_EXIST;
2262 if (sm->endpoint_dependent)
2263 update_per_vrf_sessions_vec (fib_index, is_del);
2268 vec_foreach (outside_fib, sm->outside_fibs)
2270 if (outside_fib->fib_index == fib_index)
2274 outside_fib->refcount--;
2275 if (!outside_fib->refcount)
2276 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2279 outside_fib->refcount++;
2286 vec_add2 (sm->outside_fibs, outside_fib, 1);
2287 outside_fib->refcount = 1;
2288 outside_fib->fib_index = fib_index;
2295 if (sm->endpoint_dependent)
2298 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2302 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2306 vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst",
2307 sw_if_index, !is_del, 0, 0);
2308 vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src",
2309 sw_if_index, !is_del, 0, 0);
2314 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2318 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2322 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
2323 sw_if_index, !is_del, 0, 0);
2324 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
2325 sw_if_index, !is_del, 0, 0);
2330 if (sm->num_workers > 1)
2332 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2336 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, !is_del);
2339 vnet_feature_enable_disable ("ip4-unicast",
2340 "nat44-out2in-worker-handoff",
2341 sw_if_index, !is_del, 0, 0);
2342 vnet_feature_enable_disable ("ip4-output",
2343 "nat44-in2out-output-worker-handoff",
2344 sw_if_index, !is_del, 0, 0);
2348 if (sm->endpoint_dependent)
2351 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2355 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2359 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
2360 sw_if_index, !is_del, 0, 0);
2361 vnet_feature_enable_disable ("ip4-output", "nat-pre-in2out-output",
2362 sw_if_index, !is_del, 0, 0);
2367 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2371 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2375 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in",
2376 sw_if_index, !is_del, 0, 0);
2377 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
2378 sw_if_index, !is_del, 0, 0);
2383 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
2384 sm->fq_in2out_output_index =
2385 vlib_frame_queue_main_init (sm->in2out_output_node_index, 0);
2387 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
2388 sm->fq_out2in_index =
2389 vlib_frame_queue_main_init (sm->out2in_node_index, 0);
2392 pool_foreach (i, sm->output_feature_interfaces,
2394 if (i->sw_if_index == sw_if_index)
2397 pool_put (sm->output_feature_interfaces, i);
2399 return VNET_API_ERROR_VALUE_EXIST;
2408 nat_log_err ("error interface couldn't be found");
2409 return VNET_API_ERROR_NO_SUCH_ENTRY;
2412 pool_get (sm->output_feature_interfaces, i);
2413 i->sw_if_index = sw_if_index;
2415 nat_validate_counters (sm, sw_if_index);
2417 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2419 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2421 /* Add/delete external addresses to FIB */
2427 vec_foreach (ap, sm->addresses)
2428 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
2430 pool_foreach (m, sm->static_mappings,
2432 if (!((is_addr_only_static_mapping(m))) || (m->local_addr.as_u32 == m->external_addr.as_u32))
2435 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
2443 snat_set_workers (uword * bitmap)
2445 snat_main_t *sm = &snat_main;
2448 if (sm->num_workers < 2)
2449 return VNET_API_ERROR_FEATURE_DISABLED;
2451 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
2452 return VNET_API_ERROR_INVALID_WORKER;
2454 vec_free (sm->workers);
2456 clib_bitmap_foreach (i, bitmap,
2458 vec_add1(sm->workers, i);
2459 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
2460 sm->per_thread_data[sm->first_worker_index + i].thread_index = i;
2465 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
2471 snat_update_outside_fib (ip4_main_t * im, uword opaque,
2472 u32 sw_if_index, u32 new_fib_index,
2475 snat_main_t *sm = &snat_main;
2476 nat_outside_fib_t *outside_fib;
2477 snat_interface_t *i;
2481 if (!sm->enabled || (new_fib_index == old_fib_index)
2482 || (!vec_len (sm->outside_fibs)))
2488 pool_foreach (i, sm->interfaces,
2490 if (i->sw_if_index == sw_if_index)
2492 if (!(nat_interface_is_outside (i)))
2498 pool_foreach (i, sm->output_feature_interfaces,
2500 if (i->sw_if_index == sw_if_index)
2502 if (!(nat_interface_is_outside (i)))
2512 vec_foreach (outside_fib, sm->outside_fibs)
2514 if (outside_fib->fib_index == old_fib_index)
2516 outside_fib->refcount--;
2517 if (!outside_fib->refcount)
2518 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2523 vec_foreach (outside_fib, sm->outside_fibs)
2525 if (outside_fib->fib_index == new_fib_index)
2527 outside_fib->refcount++;
2535 vec_add2 (sm->outside_fibs, outside_fib, 1);
2536 outside_fib->refcount = 1;
2537 outside_fib->fib_index = new_fib_index;
2542 snat_update_outside_fib (ip4_main_t * im, uword opaque,
2543 u32 sw_if_index, u32 new_fib_index,
2547 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
2550 ip4_address_t * address,
2552 u32 if_address_index, u32 is_delete);
2555 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
2558 ip4_address_t * address,
2560 u32 if_address_index, u32 is_delete);
2563 nat_alloc_addr_and_port_default (snat_address_t * addresses, u32 fib_index,
2564 u32 thread_index, nat_protocol_t proto,
2565 ip4_address_t * addr, u16 * port,
2566 u16 port_per_thread, u32 snat_thread_index);
2569 test_key_calc_split ()
2571 ip4_address_t l_addr;
2572 l_addr.as_u8[0] = 1;
2573 l_addr.as_u8[1] = 1;
2574 l_addr.as_u8[2] = 1;
2575 l_addr.as_u8[3] = 1;
2576 ip4_address_t r_addr;
2577 r_addr.as_u8[0] = 2;
2578 r_addr.as_u8[1] = 2;
2579 r_addr.as_u8[2] = 2;
2580 r_addr.as_u8[3] = 2;
2584 u32 fib_index = 9000001;
2585 u32 thread_index = 3000000001;
2586 u32 session_index = 3000000221;
2587 clib_bihash_kv_16_8_t kv;
2588 init_ed_kv (&kv, l_addr, l_port, r_addr, r_port, fib_index, proto,
2589 thread_index, session_index);
2590 ip4_address_t l_addr2;
2591 ip4_address_t r_addr2;
2592 clib_memset (&l_addr2, 0, sizeof (l_addr2));
2593 clib_memset (&r_addr2, 0, sizeof (r_addr2));
2598 split_ed_kv (&kv, &l_addr2, &r_addr2, &proto2, &fib_index2, &l_port2,
2600 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2601 ASSERT (r_addr.as_u32 == r_addr2.as_u32);
2602 ASSERT (l_port == l_port2);
2603 ASSERT (r_port == r_port2);
2604 ASSERT (proto == proto2);
2605 ASSERT (fib_index == fib_index2);
2606 ASSERT (thread_index == ed_value_get_thread_index (&kv));
2607 ASSERT (session_index == ed_value_get_session_index (&kv));
2611 nat_protocol_t proto3 = ~0;
2612 u64 key = calc_nat_key (l_addr, l_port, fib_index, proto);
2613 split_nat_key (key, &l_addr2, &l_port2, &fib_index2, &proto3);
2614 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2615 ASSERT (l_port == l_port2);
2616 ASSERT (proto == proto3);
2617 ASSERT (fib_index == fib_index2);
2620 static clib_error_t *
2621 nat_ip_table_add_del (vnet_main_t * vnm, u32 table_id, u32 is_add)
2623 snat_main_t *sm = &snat_main;
2626 if (sm->endpoint_dependent)
2628 // TODO: consider removing all NAT interfaces
2632 fib_index = ip4_fib_index_from_table_id (table_id);
2633 if (fib_index != ~0)
2634 expire_per_vrf_sessions (fib_index);
2640 VNET_IP_TABLE_ADD_DEL_FUNCTION (nat_ip_table_add_del);
2643 nat44_set_node_indexes (snat_main_t * sm, vlib_main_t * vm)
2647 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in");
2648 sm->ei_out2in_node_index = node->index;
2649 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out");
2650 sm->ei_in2out_node_index = node->index;
2651 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output");
2652 sm->ei_in2out_output_node_index = node->index;
2654 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
2655 sm->ed_out2in_node_index = node->index;
2656 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
2657 sm->ed_in2out_node_index = node->index;
2658 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-output");
2659 sm->ed_in2out_output_node_index = node->index;
2661 node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
2662 sm->error_node_index = node->index;
2663 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-in2out");
2664 sm->pre_in2out_node_index = node->index;
2665 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-out2in");
2666 sm->pre_out2in_node_index = node->index;
2667 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-in2out");
2668 sm->pre_in2out_node_index = node->index;
2669 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-out2in");
2670 sm->pre_out2in_node_index = node->index;
2671 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-fast");
2672 sm->in2out_fast_node_index = node->index;
2673 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-slowpath");
2674 sm->in2out_slowpath_node_index = node->index;
2675 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output-slowpath");
2676 sm->in2out_slowpath_output_node_index = node->index;
2677 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-slowpath");
2678 sm->ed_in2out_slowpath_node_index = node->index;
2679 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in-fast");
2680 sm->out2in_fast_node_index = node->index;
2681 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in-slowpath");
2682 sm->ed_out2in_slowpath_node_index = node->index;
2683 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpinning");
2684 sm->hairpinning_node_index = node->index;
2685 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-dst");
2686 sm->hairpin_dst_node_index = node->index;
2687 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-src");
2688 sm->hairpin_src_node_index = node->index;
2689 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpinning");
2690 sm->ed_hairpinning_node_index = node->index;
2691 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-dst");
2692 sm->ed_hairpin_dst_node_index = node->index;
2693 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-src");
2694 sm->ed_hairpin_src_node_index = node->index;
2697 #define nat_init_simple_counter(c, n, sn) \
2701 c.stat_segment_name = sn; \
2702 vlib_validate_simple_counter (&c, 0); \
2703 vlib_zero_simple_counter (&c, 0); \
2706 static clib_error_t *
2707 nat_init (vlib_main_t * vm)
2709 snat_main_t *sm = &snat_main;
2710 clib_error_t *error = 0;
2711 vlib_thread_main_t *tm = vlib_get_thread_main ();
2712 vlib_thread_registration_t *tr;
2713 ip4_add_del_interface_address_callback_t cbi = { 0 };
2714 ip4_table_bind_callback_t cbt = { 0 };
2715 u32 i, num_threads = 0;
2716 uword *p, *bitmap = 0;
2718 clib_memset (sm, 0, sizeof (*sm));
2721 sm->vnet_main = vnet_get_main ();
2723 sm->ip4_main = &ip4_main;
2724 sm->api_main = vlibapi_get_main ();
2725 sm->ip4_lookup_main = &ip4_main.lookup_main;
2727 // frame queue indices used for handoff
2728 sm->fq_out2in_index = ~0;
2729 sm->fq_in2out_index = ~0;
2730 sm->fq_in2out_output_index = ~0;
2732 sm->log_level = SNAT_LOG_ERROR;
2734 nat44_set_node_indexes (sm, vm);
2735 sm->log_class = vlib_log_register_class ("nat", 0);
2736 nat_ipfix_logging_init (vm);
2738 nat_init_simple_counter (sm->total_users, "total-users",
2739 "/nat44/total-users");
2740 nat_init_simple_counter (sm->total_sessions, "total-sessions",
2741 "/nat44/total-sessions");
2742 nat_init_simple_counter (sm->user_limit_reached, "user-limit-reached",
2743 "/nat44/user-limit-reached");
2746 sm->counters.fastpath.in2out.x.name = #x; \
2747 sm->counters.fastpath.in2out.x.stat_segment_name = \
2748 "/nat44/in2out/fastpath/" #x; \
2749 sm->counters.slowpath.in2out.x.name = #x; \
2750 sm->counters.slowpath.in2out.x.stat_segment_name = \
2751 "/nat44/in2out/slowpath/" #x; \
2752 sm->counters.fastpath.out2in.x.name = #x; \
2753 sm->counters.fastpath.out2in.x.stat_segment_name = \
2754 "/nat44/out2in/fastpath/" #x; \
2755 sm->counters.slowpath.out2in.x.name = #x; \
2756 sm->counters.slowpath.out2in.x.stat_segment_name = \
2757 "/nat44/out2in/slowpath/" #x; \
2758 sm->counters.fastpath.in2out_ed.x.name = #x; \
2759 sm->counters.fastpath.in2out_ed.x.stat_segment_name = \
2760 "/nat44/ed/in2out/fastpath/" #x; \
2761 sm->counters.slowpath.in2out_ed.x.name = #x; \
2762 sm->counters.slowpath.in2out_ed.x.stat_segment_name = \
2763 "/nat44/ed/in2out/slowpath/" #x; \
2764 sm->counters.fastpath.out2in_ed.x.name = #x; \
2765 sm->counters.fastpath.out2in_ed.x.stat_segment_name = \
2766 "/nat44/ed/out2in/fastpath/" #x; \
2767 sm->counters.slowpath.out2in_ed.x.name = #x; \
2768 sm->counters.slowpath.out2in_ed.x.stat_segment_name = \
2769 "/nat44/ed/out2in/slowpath/" #x;
2770 foreach_nat_counter;
2772 sm->counters.hairpinning.name = "hairpinning";
2773 sm->counters.hairpinning.stat_segment_name = "/nat44/hairpinning";
2775 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
2778 tr = (vlib_thread_registration_t *) p[0];
2781 sm->num_workers = tr->count;
2782 sm->first_worker_index = tr->first_index;
2785 num_threads = tm->n_vlib_mains - 1;
2786 sm->port_per_thread = 0xffff - 1024;
2787 vec_validate (sm->per_thread_data, num_threads);
2789 /* Use all available workers by default */
2790 if (sm->num_workers > 1)
2793 for (i = 0; i < sm->num_workers; i++)
2794 bitmap = clib_bitmap_set (bitmap, i, 1);
2795 snat_set_workers (bitmap);
2796 clib_bitmap_free (bitmap);
2799 sm->per_thread_data[0].snat_thread_index = 0;
2801 /* callbacks to call when interface address changes. */
2802 cbi.function = snat_ip4_add_del_interface_address_cb;
2803 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2804 cbi.function = nat_ip4_add_del_addr_only_sm_cb;
2805 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2807 /* callbacks to call when interface to table biding changes */
2808 cbt.function = snat_update_outside_fib;
2809 vec_add1 (sm->ip4_main->table_bind_callbacks, cbt);
2811 // TODO: is it possible to move it into snat_main ?
2813 fib_source_allocate ("nat-low", FIB_SOURCE_PRIORITY_LOW,
2814 FIB_SOURCE_BH_SIMPLE);
2816 fib_source_allocate ("nat-hi", FIB_SOURCE_PRIORITY_HI,
2817 FIB_SOURCE_BH_SIMPLE);
2819 /* used only by out2in-dpo feature */
2820 nat_dpo_module_init ();
2822 nat_affinity_init (vm);
2823 nat_ha_init (vm, sm->num_workers, num_threads);
2825 test_key_calc_split ();
2826 error = snat_api_init (vm, sm);
2830 VLIB_INIT_FUNCTION (nat_init);
2833 nat44_plugin_enable (nat44_config_t c)
2835 snat_main_t *sm = &snat_main;
2836 u32 static_mapping_buckets = 1024;
2837 u32 static_mapping_memory_size = 64 << 20;
2841 nat_log_err ("nat44 is enabled");
2845 // c.static_mapping_only + c.connection_tracking
2846 // - supported in NAT EI & NAT ED
2847 // c.out2in_dpo, c.static_mapping_only
2848 // - supported in NAT EI
2850 if (c.endpoint_dependent)
2852 if ((c.static_mapping_only && !c.connection_tracking) || c.out2in_dpo)
2854 nat_log_err ("unsupported combination of configuration");
2857 if (c.users || c.user_sessions)
2859 nat_log_err ("unsupported combination of configuration");
2864 // reset to defaults:
2865 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
2866 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
2868 sm->udp_timeout = SNAT_UDP_TIMEOUT;
2869 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
2870 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
2871 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
2873 // nat44 feature configuration
2874 sm->endpoint_dependent = c.endpoint_dependent;
2875 sm->static_mapping_only = c.static_mapping_only;
2876 sm->static_mapping_connection_tracking = c.connection_tracking;
2877 sm->forwarding_enabled = 0;
2878 sm->mss_clamping = 0;
2884 sm->max_users_per_thread = c.users;
2885 sm->user_buckets = nat_calc_bihash_buckets (c.users);
2889 // default value based on legacy setting of load factor 10 * default
2890 // translation buckets 1024
2891 c.sessions = 10 * 1024;
2893 sm->max_translations_per_thread = c.sessions;
2894 sm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
2896 vec_add1 (sm->max_translations_per_fib, sm->max_translations_per_thread);
2897 sm->max_translations_per_user
2898 = c.user_sessions ? c.user_sessions : sm->max_translations_per_thread;
2900 sm->outside_vrf_id = c.outside_vrf;
2901 sm->outside_fib_index =
2902 fib_table_find_or_create_and_lock
2903 (FIB_PROTOCOL_IP4, c.outside_vrf, nat_fib_src_hi);
2905 sm->inside_vrf_id = c.inside_vrf;
2906 sm->inside_fib_index =
2907 fib_table_find_or_create_and_lock
2908 (FIB_PROTOCOL_IP4, c.inside_vrf, nat_fib_src_hi);
2910 if (c.endpoint_dependent)
2912 sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb;
2913 sm->worker_in2out_cb = nat44_ed_get_worker_in2out_cb;
2914 sm->out2in_node_index = sm->ed_out2in_node_index;
2915 sm->in2out_node_index = sm->ed_in2out_node_index;
2916 sm->in2out_output_node_index = sm->ed_in2out_output_node_index;
2917 sm->icmp_match_out2in_cb = icmp_match_out2in_ed;
2918 sm->icmp_match_in2out_cb = icmp_match_in2out_ed;
2920 clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed",
2921 sm->translation_buckets, 0);
2922 clib_bihash_set_kvp_format_fn_16_8 (&sm->out2in_ed,
2923 format_ed_session_kvp);
2926 nat_affinity_enable ();
2928 nat_ha_enable (nat_ha_sadd_ed_cb, nat_ha_sdel_ed_cb, nat_ha_sref_ed_cb);
2932 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
2933 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
2934 sm->out2in_node_index = sm->ei_out2in_node_index;
2935 sm->in2out_node_index = sm->ei_in2out_node_index;
2936 sm->in2out_output_node_index = sm->ei_in2out_output_node_index;
2937 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
2938 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
2940 nat_ha_enable (nat_ha_sadd_cb, nat_ha_sdel_cb, nat_ha_sref_cb);
2943 // c.static_mapping & c.connection_tracking require
2945 if (!c.static_mapping_only
2946 || (c.static_mapping_only && c.connection_tracking))
2948 snat_main_per_thread_data_t *tsm;
2950 vec_foreach (tsm, sm->per_thread_data)
2952 nat44_db_init (tsm);
2958 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
2959 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
2962 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
2963 "static_mapping_by_local", static_mapping_buckets,
2964 static_mapping_memory_size);
2965 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local,
2966 format_static_mapping_kvp);
2968 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
2969 "static_mapping_by_external",
2970 static_mapping_buckets, static_mapping_memory_size);
2971 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external,
2972 format_static_mapping_kvp);
2974 // last: reset counters
2975 vlib_zero_simple_counter (&sm->total_users, 0);
2976 vlib_zero_simple_counter (&sm->total_sessions, 0);
2977 vlib_zero_simple_counter (&sm->user_limit_reached, 0);
2981 nat_log_info ("nat44 enable");
2987 nat44_addresses_free (snat_address_t ** addresses)
2991 vec_foreach (ap, *addresses)
2993 #define _(N, i, n, s) \
2994 vec_free (ap->busy_##n##_ports_per_thread);
2995 foreach_nat_protocol
2999 vec_free (*addresses);
3004 nat44_plugin_disable ()
3006 snat_main_t *sm = &snat_main;
3007 snat_interface_t *i, *vec;
3012 nat_log_err ("nat44 is disabled");
3016 // first unregister all nodes from interfaces
3017 vec = vec_dup (sm->interfaces);
3019 vec_foreach (i, vec)
3021 if (nat_interface_is_inside(i))
3022 error = snat_interface_add_del (i->sw_if_index, 1, 1);
3023 if (nat_interface_is_outside(i))
3024 error = snat_interface_add_del (i->sw_if_index, 0, 1);
3028 nat_log_err ("error occurred while removing interface %u",
3036 vec = vec_dup (sm->output_feature_interfaces);
3038 vec_foreach (i, vec)
3040 if (nat_interface_is_inside(i))
3041 error = snat_interface_add_del_output_feature (i->sw_if_index, 1, 1);
3042 if (nat_interface_is_outside(i))
3043 error = snat_interface_add_del_output_feature (i->sw_if_index, 0, 1);
3047 nat_log_err ("error occurred while removing interface %u",
3053 sm->output_feature_interfaces = 0;
3055 vec_free (sm->max_translations_per_fib);
3057 if (sm->endpoint_dependent)
3059 nat_affinity_disable ();
3060 clib_bihash_free_16_8 (&sm->out2in_ed);
3063 clib_bihash_free_8_8 (&sm->static_mapping_by_local);
3064 clib_bihash_free_8_8 (&sm->static_mapping_by_external);
3066 if (!sm->static_mapping_only ||
3067 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
3069 snat_main_per_thread_data_t *tsm;
3071 vec_foreach (tsm, sm->per_thread_data)
3073 nat44_db_free (tsm);
3078 pool_free (sm->static_mappings);
3080 nat44_addresses_free (&sm->addresses);
3081 nat44_addresses_free (&sm->twice_nat_addresses);
3084 vec_free (sm->to_resolve);
3085 vec_free (sm->auto_add_sw_if_indices);
3086 vec_free (sm->auto_add_sw_if_indices_twice_nat);
3089 sm->auto_add_sw_if_indices = 0;
3090 sm->auto_add_sw_if_indices_twice_nat = 0;
3092 sm->forwarding_enabled = 0;
3100 snat_free_outside_address_and_port (snat_address_t * addresses,
3102 ip4_address_t * addr,
3103 u16 port, nat_protocol_t protocol)
3107 u16 port_host_byte_order = clib_net_to_host_u16 (port);
3109 for (address_index = 0; address_index < vec_len (addresses);
3112 if (addresses[address_index].addr.as_u32 == addr->as_u32)
3116 ASSERT (address_index < vec_len (addresses));
3118 a = addresses + address_index;
3122 #define _(N, i, n, s) \
3123 case NAT_PROTOCOL_##N: \
3124 ASSERT (a->busy_##n##_port_refcounts[port_host_byte_order] >= 1); \
3125 --a->busy_##n##_port_refcounts[port_host_byte_order]; \
3126 a->busy_##n##_ports--; \
3127 a->busy_##n##_ports_per_thread[thread_index]--; \
3129 foreach_nat_protocol
3132 nat_elog_info ("unknown protocol");
3138 nat_set_outside_address_and_port (snat_address_t * addresses,
3139 u32 thread_index, ip4_address_t addr,
3140 u16 port, nat_protocol_t protocol)
3142 snat_address_t *a = 0;
3144 u16 port_host_byte_order = clib_net_to_host_u16 (port);
3146 for (address_index = 0; address_index < vec_len (addresses);
3149 if (addresses[address_index].addr.as_u32 != addr.as_u32)
3152 a = addresses + address_index;
3155 #define _(N, j, n, s) \
3156 case NAT_PROTOCOL_##N: \
3157 if (a->busy_##n##_port_refcounts[port_host_byte_order]) \
3158 return VNET_API_ERROR_INSTANCE_IN_USE; \
3159 ++a->busy_##n##_port_refcounts[port_host_byte_order]; \
3160 a->busy_##n##_ports_per_thread[thread_index]++; \
3161 a->busy_##n##_ports++; \
3163 foreach_nat_protocol
3166 nat_elog_info ("unknown protocol");
3171 return VNET_API_ERROR_NO_SUCH_ENTRY;
3175 snat_static_mapping_match (snat_main_t * sm,
3176 ip4_address_t match_addr,
3178 u32 match_fib_index,
3179 nat_protocol_t match_protocol,
3180 ip4_address_t * mapping_addr,
3182 u32 * mapping_fib_index,
3185 twice_nat_type_t * twice_nat,
3186 lb_nat_type_t * lb, ip4_address_t * ext_host_addr,
3187 u8 * is_identity_nat, snat_static_mapping_t ** out)
3189 clib_bihash_kv_8_8_t kv, value;
3190 clib_bihash_8_8_t *mapping_hash;
3191 snat_static_mapping_t *m;
3192 u32 rand, lo = 0, hi, mid, *tmp = 0, i;
3193 nat44_lb_addr_port_t *local;
3198 mapping_hash = &sm->static_mapping_by_local;
3199 init_nat_k (&kv, match_addr, match_port, match_fib_index,
3201 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
3203 /* Try address only mapping */
3204 init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
3205 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
3211 mapping_hash = &sm->static_mapping_by_external;
3212 init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
3213 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
3215 /* Try address only mapping */
3216 init_nat_k (&kv, match_addr, 0, 0, 0);
3217 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
3222 m = pool_elt_at_index (sm->static_mappings, value.value);
3226 if (is_lb_static_mapping (m))
3228 if (PREDICT_FALSE (lb != 0))
3229 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
3230 if (m->affinity && !nat_affinity_find_and_lock (ext_host_addr[0],
3236 local = pool_elt_at_index (m->locals, backend_index);
3237 *mapping_addr = local->addr;
3238 *mapping_port = local->port;
3239 *mapping_fib_index = local->fib_index;
3242 // pick locals matching this worker
3243 if (PREDICT_FALSE (sm->num_workers > 1))
3245 u32 thread_index = vlib_get_thread_index ();
3247 pool_foreach_index (i, m->locals,
3249 local = pool_elt_at_index (m->locals, i);
3252 .src_address = local->addr,
3255 if (sm->worker_in2out_cb (&ip, m->fib_index, 0) ==
3262 ASSERT (vec_len (tmp) != 0);
3267 pool_foreach_index (i, m->locals,
3273 hi = vec_len (tmp) - 1;
3274 local = pool_elt_at_index (m->locals, tmp[hi]);
3275 rand = 1 + (random_u32 (&sm->random_seed) % local->prefix);
3278 mid = ((hi - lo) >> 1) + lo;
3279 local = pool_elt_at_index (m->locals, tmp[mid]);
3280 (rand > local->prefix) ? (lo = mid + 1) : (hi = mid);
3282 local = pool_elt_at_index (m->locals, tmp[lo]);
3283 if (!(local->prefix >= rand))
3285 *mapping_addr = local->addr;
3286 *mapping_port = local->port;
3287 *mapping_fib_index = local->fib_index;
3290 if (nat_affinity_create_and_lock (ext_host_addr[0], match_addr,
3291 match_protocol, match_port,
3292 tmp[lo], m->affinity,
3293 m->affinity_per_service_list_head_index))
3294 nat_elog_info ("create affinity record failed");
3300 if (PREDICT_FALSE (lb != 0))
3302 *mapping_fib_index = m->fib_index;
3303 *mapping_addr = m->local_addr;
3304 /* Address only mapping doesn't change port */
3305 *mapping_port = is_addr_only_static_mapping (m) ? match_port
3311 *mapping_addr = m->external_addr;
3312 /* Address only mapping doesn't change port */
3313 *mapping_port = is_addr_only_static_mapping (m) ? match_port
3315 *mapping_fib_index = sm->outside_fib_index;
3319 if (PREDICT_FALSE (is_addr_only != 0))
3320 *is_addr_only = is_addr_only_static_mapping (m);
3322 if (PREDICT_FALSE (twice_nat != 0))
3323 *twice_nat = m->twice_nat;
3325 if (PREDICT_FALSE (is_identity_nat != 0))
3326 *is_identity_nat = is_identity_static_mapping (m);
3335 snat_alloc_outside_address_and_port (snat_address_t * addresses,
3338 nat_protocol_t proto,
3339 ip4_address_t * addr,
3341 u16 port_per_thread,
3342 u32 snat_thread_index)
3344 snat_main_t *sm = &snat_main;
3346 return sm->alloc_addr_and_port (addresses, fib_index, thread_index, proto,
3347 addr, port, port_per_thread,
3352 nat_alloc_addr_and_port_default (snat_address_t * addresses,
3355 nat_protocol_t proto,
3356 ip4_address_t * addr,
3358 u16 port_per_thread, u32 snat_thread_index)
3361 snat_address_t *a, *ga = 0;
3364 for (i = 0; i < vec_len (addresses); i++)
3369 #define _(N, j, n, s) \
3370 case NAT_PROTOCOL_##N: \
3371 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
3373 if (a->fib_index == fib_index) \
3377 portnum = (port_per_thread * \
3378 snat_thread_index) + \
3379 snat_random_port(0, port_per_thread - 1) + 1024; \
3380 if (a->busy_##n##_port_refcounts[portnum]) \
3382 --a->busy_##n##_port_refcounts[portnum]; \
3383 a->busy_##n##_ports_per_thread[thread_index]++; \
3384 a->busy_##n##_ports++; \
3386 *port = clib_host_to_net_u16(portnum); \
3390 else if (a->fib_index == ~0) \
3396 foreach_nat_protocol
3399 nat_elog_info ("unknown protocol");
3410 #define _(N, j, n, s) \
3411 case NAT_PROTOCOL_##N: \
3414 portnum = (port_per_thread * \
3415 snat_thread_index) + \
3416 snat_random_port(0, port_per_thread - 1) + 1024; \
3417 if (a->busy_##n##_port_refcounts[portnum]) \
3419 ++a->busy_##n##_port_refcounts[portnum]; \
3420 a->busy_##n##_ports_per_thread[thread_index]++; \
3421 a->busy_##n##_ports++; \
3423 *port = clib_host_to_net_u16(portnum); \
3427 foreach_nat_protocol
3430 nat_elog_info ("unknown protocol");
3435 /* Totally out of translations to use... */
3436 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
3441 nat_alloc_addr_and_port_mape (snat_address_t * addresses, u32 fib_index,
3442 u32 thread_index, nat_protocol_t proto,
3443 ip4_address_t * addr, u16 * port,
3444 u16 port_per_thread, u32 snat_thread_index)
3446 snat_main_t *sm = &snat_main;
3447 snat_address_t *a = addresses;
3448 u16 m, ports, portnum, A, j;
3449 m = 16 - (sm->psid_offset + sm->psid_length);
3450 ports = (1 << (16 - sm->psid_length)) - (1 << m);
3452 if (!vec_len (addresses))
3457 #define _(N, i, n, s) \
3458 case NAT_PROTOCOL_##N: \
3459 if (a->busy_##n##_ports < ports) \
3463 A = snat_random_port(1, pow2_mask(sm->psid_offset)); \
3464 j = snat_random_port(0, pow2_mask(m)); \
3465 portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \
3466 if (a->busy_##n##_port_refcounts[portnum]) \
3468 ++a->busy_##n##_port_refcounts[portnum]; \
3469 a->busy_##n##_ports++; \
3471 *port = clib_host_to_net_u16 (portnum); \
3476 foreach_nat_protocol
3479 nat_elog_info ("unknown protocol");
3484 /* Totally out of translations to use... */
3485 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
3490 nat_alloc_addr_and_port_range (snat_address_t * addresses, u32 fib_index,
3491 u32 thread_index, nat_protocol_t proto,
3492 ip4_address_t * addr, u16 * port,
3493 u16 port_per_thread, u32 snat_thread_index)
3495 snat_main_t *sm = &snat_main;
3496 snat_address_t *a = addresses;
3499 ports = sm->end_port - sm->start_port + 1;
3501 if (!vec_len (addresses))
3506 #define _(N, i, n, s) \
3507 case NAT_PROTOCOL_##N: \
3508 if (a->busy_##n##_ports < ports) \
3512 portnum = snat_random_port(sm->start_port, sm->end_port); \
3513 if (a->busy_##n##_port_refcounts[portnum]) \
3515 ++a->busy_##n##_port_refcounts[portnum]; \
3516 a->busy_##n##_ports++; \
3518 *port = clib_host_to_net_u16 (portnum); \
3523 foreach_nat_protocol
3526 nat_elog_info ("unknown protocol");
3531 /* Totally out of translations to use... */
3532 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
3537 nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add)
3539 dpo_id_t dpo_v4 = DPO_INVALID;
3540 fib_prefix_t pfx = {
3541 .fp_proto = FIB_PROTOCOL_IP4,
3543 .fp_addr.ip4.as_u32 = addr.as_u32,
3548 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
3549 fib_table_entry_special_dpo_add (0, &pfx, nat_fib_src_hi,
3550 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
3551 dpo_reset (&dpo_v4);
3555 fib_table_entry_special_remove (0, &pfx, nat_fib_src_hi);
3560 format_session_kvp (u8 * s, va_list * args)
3562 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3564 s = format (s, "%U session-index %llu", format_snat_key, v->key, v->value);
3570 format_static_mapping_kvp (u8 * s, va_list * args)
3572 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3574 s = format (s, "%U static-mapping-index %llu",
3575 format_snat_key, v->key, v->value);
3581 format_user_kvp (u8 * s, va_list * args)
3583 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3588 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
3589 k.fib_index, v->value);
3595 format_ed_session_kvp (u8 * s, va_list * args)
3597 clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *);
3601 ip4_address_t l_addr, r_addr;
3604 split_ed_kv (v, &l_addr, &r_addr, &proto, &fib_index, &l_port, &r_port);
3607 "local %U:%d remote %U:%d proto %U fib %d thread-index %u session-index %u",
3608 format_ip4_address, &l_addr, clib_net_to_host_u16 (l_port),
3609 format_ip4_address, &r_addr, clib_net_to_host_u16 (r_port),
3610 format_ip_protocol, proto, fib_index,
3611 ed_value_get_session_index (v), ed_value_get_thread_index (v));
3617 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0,
3620 snat_main_t *sm = &snat_main;
3621 u32 next_worker_index = 0;
3624 next_worker_index = sm->first_worker_index;
3625 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
3626 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
3628 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
3629 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
3631 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
3633 return next_worker_index;
3637 snat_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip0,
3638 u32 rx_fib_index0, u8 is_output)
3640 snat_main_t *sm = &snat_main;
3643 clib_bihash_kv_8_8_t kv, value;
3644 snat_static_mapping_t *m;
3646 u32 next_worker_index = 0;
3648 /* first try static mappings without port */
3649 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3651 init_nat_k (&kv, ip0->dst_address, 0, rx_fib_index0, 0);
3652 if (!clib_bihash_search_8_8
3653 (&sm->static_mapping_by_external, &kv, &value))
3655 m = pool_elt_at_index (sm->static_mappings, value.value);
3656 return m->workers[0];
3660 proto = ip_proto_to_nat_proto (ip0->protocol);
3661 udp = ip4_next_header (ip0);
3662 port = udp->dst_port;
3664 /* unknown protocol */
3665 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
3667 /* use current thread */
3668 return vlib_get_thread_index ();
3671 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
3673 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3674 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3675 if (!icmp_type_is_error_message
3676 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
3677 port = vnet_buffer (b)->ip.reass.l4_src_port;
3680 /* if error message, then it's not fragmented and we can access it */
3681 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3682 proto = ip_proto_to_nat_proto (inner_ip->protocol);
3683 void *l4_header = ip4_next_header (inner_ip);
3686 case NAT_PROTOCOL_ICMP:
3687 icmp = (icmp46_header_t *) l4_header;
3688 echo = (icmp_echo_header_t *) (icmp + 1);
3689 port = echo->identifier;
3691 case NAT_PROTOCOL_UDP:
3692 case NAT_PROTOCOL_TCP:
3693 port = ((tcp_udp_header_t *) l4_header)->src_port;
3696 return vlib_get_thread_index ();
3701 /* try static mappings with port */
3702 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3704 init_nat_k (&kv, ip0->dst_address, port, rx_fib_index0, proto);
3705 if (!clib_bihash_search_8_8
3706 (&sm->static_mapping_by_external, &kv, &value))
3708 m = pool_elt_at_index (sm->static_mappings, value.value);
3709 return m->workers[0];
3713 /* worker by outside port */
3714 next_worker_index = sm->first_worker_index;
3715 next_worker_index +=
3716 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3717 return next_worker_index;
3721 nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 rx_fib_index,
3724 snat_main_t *sm = &snat_main;
3725 u32 next_worker_index = sm->first_worker_index;
3728 clib_bihash_kv_16_8_t kv16, value16;
3729 snat_main_per_thread_data_t *tsm;
3732 if (PREDICT_FALSE (is_output))
3734 u32 fib_index = sm->outside_fib_index;
3735 nat_outside_fib_t *outside_fib;
3736 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3737 fib_prefix_t pfx = {
3738 .fp_proto = FIB_PROTOCOL_IP4,
3741 .ip4.as_u32 = ip->dst_address.as_u32,
3746 udp = ip4_next_header (ip);
3748 switch (vec_len (sm->outside_fibs))
3751 fib_index = sm->outside_fib_index;
3754 fib_index = sm->outside_fibs[0].fib_index;
3758 vec_foreach (outside_fib, sm->outside_fibs)
3760 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
3761 if (FIB_NODE_INDEX_INVALID != fei)
3763 if (fib_entry_get_resolving_interface (fei) != ~0)
3765 fib_index = outside_fib->fib_index;
3774 init_ed_k (&kv16, ip->src_address, udp->src_port, ip->dst_address,
3775 udp->dst_port, fib_index, ip->protocol);
3777 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&sm->out2in_ed,
3781 vec_elt_at_index (sm->per_thread_data,
3782 ed_value_get_thread_index (&value16));
3783 next_worker_index += tsm->thread_index;
3785 nat_elog_debug_handoff ("HANDOFF IN2OUT-OUTPUT-FEATURE (session)",
3786 next_worker_index, fib_index,
3787 clib_net_to_host_u32 (ip->
3788 src_address.as_u32),
3789 clib_net_to_host_u32 (ip->
3790 dst_address.as_u32));
3792 return next_worker_index;
3796 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3797 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3799 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
3800 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
3802 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
3804 if (PREDICT_TRUE (!is_output))
3806 nat_elog_debug_handoff ("HANDOFF IN2OUT",
3807 next_worker_index, rx_fib_index,
3808 clib_net_to_host_u32 (ip->src_address.as_u32),
3809 clib_net_to_host_u32 (ip->dst_address.as_u32));
3813 nat_elog_debug_handoff ("HANDOFF IN2OUT-OUTPUT-FEATURE",
3814 next_worker_index, rx_fib_index,
3815 clib_net_to_host_u32 (ip->src_address.as_u32),
3816 clib_net_to_host_u32 (ip->dst_address.as_u32));
3819 return next_worker_index;
3823 nat44_ed_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip,
3824 u32 rx_fib_index, u8 is_output)
3826 snat_main_t *sm = &snat_main;
3827 clib_bihash_kv_8_8_t kv, value;
3828 clib_bihash_kv_16_8_t kv16, value16;
3829 snat_main_per_thread_data_t *tsm;
3831 u32 proto, next_worker_index = 0;
3834 snat_static_mapping_t *m;
3837 proto = ip_proto_to_nat_proto (ip->protocol);
3839 if (PREDICT_TRUE (proto == NAT_PROTOCOL_UDP || proto == NAT_PROTOCOL_TCP))
3841 udp = ip4_next_header (ip);
3843 init_ed_k (&kv16, ip->dst_address, udp->dst_port, ip->src_address,
3844 udp->src_port, rx_fib_index, ip->protocol);
3846 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&sm->out2in_ed,
3850 vec_elt_at_index (sm->per_thread_data,
3851 ed_value_get_thread_index (&value16));
3852 vnet_buffer2 (b)->nat.ed_out2in_nat_session_index =
3853 ed_value_get_session_index (&value16);
3854 next_worker_index = sm->first_worker_index + tsm->thread_index;
3855 nat_elog_debug_handoff ("HANDOFF OUT2IN (session)",
3856 next_worker_index, rx_fib_index,
3857 clib_net_to_host_u32 (ip->
3858 src_address.as_u32),
3859 clib_net_to_host_u32 (ip->
3860 dst_address.as_u32));
3861 return next_worker_index;
3864 else if (proto == NAT_PROTOCOL_ICMP)
3866 if (!get_icmp_o2i_ed_key (b, ip, rx_fib_index, ~0, ~0, 0, 0, 0, &kv16))
3868 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&sm->out2in_ed,
3872 vec_elt_at_index (sm->per_thread_data,
3873 ed_value_get_thread_index (&value16));
3874 next_worker_index = sm->first_worker_index + tsm->thread_index;
3875 nat_elog_debug_handoff ("HANDOFF OUT2IN (session)",
3876 next_worker_index, rx_fib_index,
3877 clib_net_to_host_u32 (ip->
3878 src_address.as_u32),
3879 clib_net_to_host_u32 (ip->
3880 dst_address.as_u32));
3881 return next_worker_index;
3886 /* first try static mappings without port */
3887 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3889 init_nat_k (&kv, ip->dst_address, 0, 0, 0);
3890 if (!clib_bihash_search_8_8
3891 (&sm->static_mapping_by_external, &kv, &value))
3893 m = pool_elt_at_index (sm->static_mappings, value.value);
3894 next_worker_index = m->workers[0];
3899 /* unknown protocol */
3900 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
3902 /* use current thread */
3903 next_worker_index = vlib_get_thread_index ();
3907 udp = ip4_next_header (ip);
3908 port = udp->dst_port;
3910 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
3912 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3913 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3914 if (!icmp_type_is_error_message
3915 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
3916 port = vnet_buffer (b)->ip.reass.l4_src_port;
3919 /* if error message, then it's not fragmented and we can access it */
3920 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3921 proto = ip_proto_to_nat_proto (inner_ip->protocol);
3922 void *l4_header = ip4_next_header (inner_ip);
3925 case NAT_PROTOCOL_ICMP:
3926 icmp = (icmp46_header_t *) l4_header;
3927 echo = (icmp_echo_header_t *) (icmp + 1);
3928 port = echo->identifier;
3930 case NAT_PROTOCOL_UDP:
3931 case NAT_PROTOCOL_TCP:
3932 port = ((tcp_udp_header_t *) l4_header)->src_port;
3935 next_worker_index = vlib_get_thread_index ();
3941 /* try static mappings with port */
3942 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3944 init_nat_k (&kv, ip->dst_address, port, 0, proto);
3945 if (!clib_bihash_search_8_8
3946 (&sm->static_mapping_by_external, &kv, &value))
3948 m = pool_elt_at_index (sm->static_mappings, value.value);
3949 if (!is_lb_static_mapping (m))
3951 next_worker_index = m->workers[0];
3955 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3956 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3958 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
3960 m->workers[hash & (_vec_len (m->workers) - 1)];
3962 next_worker_index = m->workers[hash % _vec_len (m->workers)];
3967 /* worker by outside port */
3968 next_worker_index = sm->first_worker_index;
3969 next_worker_index +=
3970 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3973 nat_elog_debug_handoff ("HANDOFF OUT2IN", next_worker_index, rx_fib_index,
3974 clib_net_to_host_u32 (ip->src_address.as_u32),
3975 clib_net_to_host_u32 (ip->dst_address.as_u32));
3976 return next_worker_index;
3980 nat_ha_sadd_cb (ip4_address_t * in_addr, u16 in_port,
3981 ip4_address_t * out_addr, u16 out_port,
3982 ip4_address_t * eh_addr, u16 eh_port,
3983 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
3984 u32 fib_index, u16 flags, u32 thread_index)
3986 snat_main_t *sm = &snat_main;
3987 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
3990 clib_bihash_kv_8_8_t kv;
3991 vlib_main_t *vm = vlib_get_main ();
3992 f64 now = vlib_time_now (vm);
3993 nat_outside_fib_t *outside_fib;
3994 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3995 fib_prefix_t pfx = {
3996 .fp_proto = FIB_PROTOCOL_IP4,
3999 .ip4.as_u32 = eh_addr->as_u32,
4003 if (!(flags & SNAT_SESSION_FLAG_STATIC_MAPPING))
4005 if (nat_set_outside_address_and_port
4006 (sm->addresses, thread_index, *out_addr, out_port, proto))
4010 u = nat_user_get_or_create (sm, in_addr, fib_index, thread_index);
4014 s = nat_session_alloc_or_recycle (sm, u, thread_index, now);
4018 if (sm->endpoint_dependent)
4020 nat_ed_lru_insert (tsm, s, now, nat_proto_to_ip_proto (proto));
4023 s->out2in.addr.as_u32 = out_addr->as_u32;
4024 s->out2in.port = out_port;
4025 s->nat_proto = proto;
4026 s->last_heard = now;
4028 s->ext_host_addr.as_u32 = eh_addr->as_u32;
4029 s->ext_host_port = eh_port;
4030 user_session_increment (sm, u, snat_is_session_static (s));
4031 switch (vec_len (sm->outside_fibs))
4034 s->out2in.fib_index = sm->outside_fib_index;
4037 s->out2in.fib_index = sm->outside_fibs[0].fib_index;
4041 vec_foreach (outside_fib, sm->outside_fibs)
4043 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
4044 if (FIB_NODE_INDEX_INVALID != fei)
4046 if (fib_entry_get_resolving_interface (fei) != ~0)
4048 s->out2in.fib_index = outside_fib->fib_index;
4056 init_nat_o2i_kv (&kv, s, s - tsm->sessions);
4057 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 1))
4058 nat_elog_warn ("out2in key add failed");
4060 s->in2out.addr.as_u32 = in_addr->as_u32;
4061 s->in2out.port = in_port;
4062 s->in2out.fib_index = fib_index;
4063 init_nat_i2o_kv (&kv, s, s - tsm->sessions);
4064 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 1))
4065 nat_elog_warn ("in2out key add failed");
4069 nat_ha_sdel_cb (ip4_address_t * out_addr, u16 out_port,
4070 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
4073 snat_main_t *sm = &snat_main;
4074 clib_bihash_kv_8_8_t kv, value;
4077 snat_main_per_thread_data_t *tsm;
4079 if (sm->num_workers > 1)
4081 sm->first_worker_index +
4082 (sm->workers[(clib_net_to_host_u16 (out_port) -
4083 1024) / sm->port_per_thread]);
4085 thread_index = sm->num_workers;
4086 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
4088 init_nat_k (&kv, *out_addr, out_port, fib_index, proto);
4089 if (clib_bihash_search_8_8 (&tsm->out2in, &kv, &value))
4092 s = pool_elt_at_index (tsm->sessions, value.value);
4093 nat_free_session_data (sm, s, thread_index, 1);
4094 nat44_delete_session (sm, s, thread_index);
4098 nat_ha_sref_cb (ip4_address_t * out_addr, u16 out_port,
4099 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
4100 u32 total_pkts, u64 total_bytes, u32 thread_index)
4102 snat_main_t *sm = &snat_main;
4103 clib_bihash_kv_8_8_t kv, value;
4105 snat_main_per_thread_data_t *tsm;
4107 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
4109 init_nat_k (&kv, *out_addr, out_port, fib_index, proto);
4110 if (clib_bihash_search_8_8 (&tsm->out2in, &kv, &value))
4113 s = pool_elt_at_index (tsm->sessions, value.value);
4114 s->total_pkts = total_pkts;
4115 s->total_bytes = total_bytes;
4119 nat_ha_sadd_ed_cb (ip4_address_t * in_addr, u16 in_port,
4120 ip4_address_t * out_addr, u16 out_port,
4121 ip4_address_t * eh_addr, u16 eh_port,
4122 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
4123 u32 fib_index, u16 flags, u32 thread_index)
4125 snat_main_t *sm = &snat_main;
4126 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
4128 clib_bihash_kv_16_8_t kv;
4129 vlib_main_t *vm = vlib_get_main ();
4130 f64 now = vlib_time_now (vm);
4131 nat_outside_fib_t *outside_fib;
4132 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
4133 fib_prefix_t pfx = {
4134 .fp_proto = FIB_PROTOCOL_IP4,
4137 .ip4.as_u32 = eh_addr->as_u32,
4142 if (!(flags & SNAT_SESSION_FLAG_STATIC_MAPPING))
4144 if (nat_set_outside_address_and_port
4145 (sm->addresses, thread_index, *out_addr, out_port, proto))
4149 if (flags & SNAT_SESSION_FLAG_TWICE_NAT)
4151 if (nat_set_outside_address_and_port
4152 (sm->addresses, thread_index, *ehn_addr, ehn_port, proto))
4156 s = nat_ed_session_alloc (sm, thread_index, now, proto);
4160 s->last_heard = now;
4162 s->ext_host_nat_addr.as_u32 = s->ext_host_addr.as_u32 = eh_addr->as_u32;
4163 s->ext_host_nat_port = s->ext_host_port = eh_port;
4164 if (is_twice_nat_session (s))
4166 s->ext_host_nat_addr.as_u32 = ehn_addr->as_u32;
4167 s->ext_host_nat_port = ehn_port;
4169 switch (vec_len (sm->outside_fibs))
4172 s->out2in.fib_index = sm->outside_fib_index;
4175 s->out2in.fib_index = sm->outside_fibs[0].fib_index;
4179 vec_foreach (outside_fib, sm->outside_fibs)
4181 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
4182 if (FIB_NODE_INDEX_INVALID != fei)
4184 if (fib_entry_get_resolving_interface (fei) != ~0)
4186 s->out2in.fib_index = outside_fib->fib_index;
4194 s->nat_proto = proto;
4195 s->out2in.addr.as_u32 = out_addr->as_u32;
4196 s->out2in.port = out_port;
4198 s->in2out.addr.as_u32 = in_addr->as_u32;
4199 s->in2out.port = in_port;
4200 s->in2out.fib_index = fib_index;
4202 init_ed_kv (&kv, *in_addr, in_port, s->ext_host_nat_addr,
4203 s->ext_host_nat_port, fib_index, nat_proto_to_ip_proto (proto),
4204 thread_index, s - tsm->sessions);
4205 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
4206 nat_elog_warn ("in2out key add failed");
4208 init_ed_kv (&kv, *out_addr, out_port, *eh_addr, eh_port,
4209 s->out2in.fib_index, nat_proto_to_ip_proto (proto),
4210 thread_index, s - tsm->sessions);
4211 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &kv, 1))
4212 nat_elog_warn ("out2in key add failed");
4216 nat_ha_sdel_ed_cb (ip4_address_t * out_addr, u16 out_port,
4217 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
4218 u32 fib_index, u32 ti)
4220 snat_main_t *sm = &snat_main;
4221 clib_bihash_kv_16_8_t kv, value;
4224 snat_main_per_thread_data_t *tsm;
4226 if (sm->num_workers > 1)
4228 sm->first_worker_index +
4229 (sm->workers[(clib_net_to_host_u16 (out_port) -
4230 1024) / sm->port_per_thread]);
4232 thread_index = sm->num_workers;
4233 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
4235 init_ed_k (&kv, *out_addr, out_port, *eh_addr, eh_port, fib_index, proto);
4236 if (clib_bihash_search_16_8 (&sm->out2in_ed, &kv, &value))
4239 s = pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value));
4240 nat_free_session_data (sm, s, thread_index, 1);
4241 nat44_delete_session (sm, s, thread_index);
4245 nat_ha_sref_ed_cb (ip4_address_t * out_addr, u16 out_port,
4246 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
4247 u32 fib_index, u32 total_pkts, u64 total_bytes,
4250 snat_main_t *sm = &snat_main;
4251 clib_bihash_kv_16_8_t kv, value;
4253 snat_main_per_thread_data_t *tsm;
4255 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
4257 init_ed_k (&kv, *out_addr, out_port, *eh_addr, eh_port, fib_index, proto);
4258 if (clib_bihash_search_16_8 (&sm->out2in_ed, &kv, &value))
4261 s = pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value));
4262 s->total_pkts = total_pkts;
4263 s->total_bytes = total_bytes;
4267 nat_calc_bihash_buckets (u32 n_elts)
4269 n_elts = n_elts / 2.5;
4271 while (lower_pow2 * 2 < n_elts)
4273 lower_pow2 = 2 * lower_pow2;
4275 u64 upper_pow2 = 2 * lower_pow2;
4276 if ((upper_pow2 - n_elts) < (n_elts - lower_pow2))
4278 if (upper_pow2 <= UINT32_MAX)
4287 nat44_get_max_session_limit ()
4289 snat_main_t *sm = &snat_main;
4290 u32 max_limit = 0, len = 0;
4292 for (; len < vec_len (sm->max_translations_per_fib); len++)
4294 if (max_limit < sm->max_translations_per_fib[len])
4295 max_limit = sm->max_translations_per_fib[len];
4301 nat44_set_session_limit (u32 session_limit, u32 vrf_id)
4303 snat_main_t *sm = &snat_main;
4304 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
4305 u32 len = vec_len (sm->max_translations_per_fib);
4307 if (len <= fib_index)
4309 vec_validate (sm->max_translations_per_fib, fib_index + 1);
4311 for (; len < vec_len (sm->max_translations_per_fib); len++)
4312 sm->max_translations_per_fib[len] = sm->max_translations_per_thread;
4315 sm->max_translations_per_fib[fib_index] = session_limit;
4320 nat44_update_session_limit (u32 session_limit, u32 vrf_id)
4322 snat_main_t *sm = &snat_main;
4324 if (nat44_set_session_limit (session_limit, vrf_id))
4326 sm->max_translations_per_thread = nat44_get_max_session_limit ();
4328 sm->translation_buckets =
4329 nat_calc_bihash_buckets (sm->max_translations_per_thread);
4331 nat44_sessions_clear ();
4336 nat44_db_init (snat_main_per_thread_data_t * tsm)
4338 snat_main_t *sm = &snat_main;
4340 pool_alloc (tsm->sessions, sm->max_translations_per_thread);
4341 pool_alloc (tsm->lru_pool, sm->max_translations_per_thread);
4345 pool_get (tsm->lru_pool, head);
4346 tsm->tcp_trans_lru_head_index = head - tsm->lru_pool;
4347 clib_dlist_init (tsm->lru_pool, tsm->tcp_trans_lru_head_index);
4349 pool_get (tsm->lru_pool, head);
4350 tsm->tcp_estab_lru_head_index = head - tsm->lru_pool;
4351 clib_dlist_init (tsm->lru_pool, tsm->tcp_estab_lru_head_index);
4353 pool_get (tsm->lru_pool, head);
4354 tsm->udp_lru_head_index = head - tsm->lru_pool;
4355 clib_dlist_init (tsm->lru_pool, tsm->udp_lru_head_index);
4357 pool_get (tsm->lru_pool, head);
4358 tsm->icmp_lru_head_index = head - tsm->lru_pool;
4359 clib_dlist_init (tsm->lru_pool, tsm->icmp_lru_head_index);
4361 pool_get (tsm->lru_pool, head);
4362 tsm->unk_proto_lru_head_index = head - tsm->lru_pool;
4363 clib_dlist_init (tsm->lru_pool, tsm->unk_proto_lru_head_index);
4365 if (sm->endpoint_dependent)
4367 clib_bihash_init_16_8 (&tsm->in2out_ed, "in2out-ed",
4368 sm->translation_buckets, 0);
4369 clib_bihash_set_kvp_format_fn_16_8 (&tsm->in2out_ed,
4370 format_ed_session_kvp);
4375 clib_bihash_init_8_8 (&tsm->in2out, "in2out", sm->translation_buckets,
4377 clib_bihash_set_kvp_format_fn_8_8 (&tsm->in2out, format_session_kvp);
4378 clib_bihash_init_8_8 (&tsm->out2in, "out2in", sm->translation_buckets,
4380 clib_bihash_set_kvp_format_fn_8_8 (&tsm->out2in, format_session_kvp);
4383 // TODO: ED nat is not using these
4384 // before removal large refactor required
4385 pool_alloc (tsm->list_pool, sm->max_translations_per_thread);
4386 clib_bihash_init_8_8 (&tsm->user_hash, "users", sm->user_buckets, 0);
4387 clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash, format_user_kvp);
4391 nat44_db_free (snat_main_per_thread_data_t * tsm)
4393 snat_main_t *sm = &snat_main;
4395 pool_free (tsm->sessions);
4396 pool_free (tsm->lru_pool);
4398 if (sm->endpoint_dependent)
4400 clib_bihash_free_16_8 (&tsm->in2out_ed);
4401 vec_free (tsm->per_vrf_sessions_vec);
4405 clib_bihash_free_8_8 (&tsm->in2out);
4406 clib_bihash_free_8_8 (&tsm->out2in);
4409 // TODO: resolve static mappings (put only to !ED)
4410 pool_free (tsm->users);
4411 pool_free (tsm->list_pool);
4412 clib_bihash_free_8_8 (&tsm->user_hash);
4416 nat44_sessions_clear ()
4418 snat_main_t *sm = &snat_main;
4419 snat_main_per_thread_data_t *tsm;
4421 if (sm->endpoint_dependent)
4423 clib_bihash_free_16_8 (&sm->out2in_ed);
4424 clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed",
4427 sm->translation_buckets, 0);
4428 clib_bihash_set_kvp_format_fn_16_8 (&sm->out2in_ed,
4429 format_ed_session_kvp);
4433 vec_foreach (tsm, sm->per_thread_data)
4437 nat44_db_free (tsm);
4438 nat44_db_init (tsm);
4440 ti = tsm->snat_thread_index;
4441 vlib_set_simple_counter (&sm->total_users, ti, 0, 0);
4442 vlib_set_simple_counter (&sm->total_sessions, ti, 0, 0);
4448 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
4451 ip4_address_t * address,
4453 u32 if_address_index, u32 is_delete)
4455 snat_main_t *sm = &snat_main;
4456 snat_static_map_resolve_t *rp;
4457 snat_static_mapping_t *m;
4458 clib_bihash_kv_8_8_t kv, value;
4460 ip4_address_t l_addr;
4465 for (i = 0; i < vec_len (sm->to_resolve); i++)
4467 rp = sm->to_resolve + i;
4468 if (rp->addr_only == 0)
4470 if (rp->sw_if_index == sw_if_index)
4477 init_nat_k (&kv, *address, rp->addr_only ? 0 : rp->e_port,
4478 sm->outside_fib_index, rp->addr_only ? 0 : rp->proto);
4479 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
4482 m = pool_elt_at_index (sm->static_mappings, value.value);
4486 /* Don't trip over lease renewal, static config */
4496 /* Indetity mapping? */
4497 if (rp->l_addr.as_u32 == 0)
4498 l_addr.as_u32 = address[0].as_u32;
4500 l_addr.as_u32 = rp->l_addr.as_u32;
4501 /* Add the static mapping */
4502 rv = snat_add_static_mapping (l_addr,
4507 rp->addr_only, ~0 /* sw_if_index */ ,
4508 rp->proto, !is_delete, rp->twice_nat,
4509 rp->out2in_only, rp->tag, rp->identity_nat,
4510 rp->pool_addr, rp->exact);
4512 nat_elog_notice_X1 ("snat_add_static_mapping returned %d", "i4", rv);
4516 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
4519 ip4_address_t * address,
4521 u32 if_address_index, u32 is_delete)
4523 snat_main_t *sm = &snat_main;
4524 snat_static_map_resolve_t *rp;
4525 ip4_address_t l_addr;
4529 snat_address_t *addresses = sm->addresses;
4534 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices); i++)
4536 if (sw_if_index == sm->auto_add_sw_if_indices[i])
4540 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices_twice_nat); i++)
4543 addresses = sm->twice_nat_addresses;
4544 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
4553 /* Don't trip over lease renewal, static config */
4554 for (j = 0; j < vec_len (addresses); j++)
4555 if (addresses[j].addr.as_u32 == address->as_u32)
4558 (void) snat_add_address (sm, address, ~0, twice_nat);
4559 /* Scan static map resolution vector */
4560 for (j = 0; j < vec_len (sm->to_resolve); j++)
4562 rp = sm->to_resolve + j;
4565 /* On this interface? */
4566 if (rp->sw_if_index == sw_if_index)
4568 /* Indetity mapping? */
4569 if (rp->l_addr.as_u32 == 0)
4570 l_addr.as_u32 = address[0].as_u32;
4572 l_addr.as_u32 = rp->l_addr.as_u32;
4573 /* Add the static mapping */
4574 rv = snat_add_static_mapping (l_addr,
4580 ~0 /* sw_if_index */ ,
4582 rp->is_add, rp->twice_nat,
4583 rp->out2in_only, rp->tag,
4585 rp->pool_addr, rp->exact);
4587 nat_elog_notice_X1 ("snat_add_static_mapping returned %d",
4595 (void) snat_del_address (sm, address[0], 1, twice_nat);
4602 snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del,
4605 ip4_main_t *ip4_main = sm->ip4_main;
4606 ip4_address_t *first_int_addr;
4607 snat_static_map_resolve_t *rp;
4608 u32 *indices_to_delete = 0;
4610 u32 *auto_add_sw_if_indices =
4612 auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
4614 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0 /* just want the address */
4617 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
4619 if (auto_add_sw_if_indices[i] == sw_if_index)
4623 /* if have address remove it */
4625 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
4628 for (j = 0; j < vec_len (sm->to_resolve); j++)
4630 rp = sm->to_resolve + j;
4631 if (rp->sw_if_index == sw_if_index)
4632 vec_add1 (indices_to_delete, j);
4634 if (vec_len (indices_to_delete))
4636 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
4637 vec_del1 (sm->to_resolve, j);
4638 vec_free (indices_to_delete);
4642 vec_del1 (sm->auto_add_sw_if_indices_twice_nat, i);
4644 vec_del1 (sm->auto_add_sw_if_indices, i);
4647 return VNET_API_ERROR_VALUE_EXIST;
4654 return VNET_API_ERROR_NO_SUCH_ENTRY;
4656 /* add to the auto-address list */
4658 vec_add1 (sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
4660 vec_add1 (sm->auto_add_sw_if_indices, sw_if_index);
4662 /* If the address is already bound - or static - add it now */
4664 (void) snat_add_address (sm, first_int_addr, ~0, twice_nat);
4670 nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
4671 nat_protocol_t proto, u32 vrf_id, int is_in)
4673 snat_main_per_thread_data_t *tsm;
4674 clib_bihash_kv_8_8_t kv, value;
4676 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
4678 clib_bihash_8_8_t *t;
4680 if (sm->endpoint_dependent)
4681 return VNET_API_ERROR_UNSUPPORTED;
4683 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
4684 if (sm->num_workers > 1)
4686 vec_elt_at_index (sm->per_thread_data,
4687 sm->worker_in2out_cb (&ip, fib_index, 0));
4689 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
4691 init_nat_k (&kv, *addr, port, fib_index, proto);
4692 t = is_in ? &tsm->in2out : &tsm->out2in;
4693 if (!clib_bihash_search_8_8 (t, &kv, &value))
4695 if (pool_is_free_index (tsm->sessions, value.value))
4696 return VNET_API_ERROR_UNSPECIFIED;
4698 s = pool_elt_at_index (tsm->sessions, value.value);
4699 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
4700 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
4704 return VNET_API_ERROR_NO_SUCH_ENTRY;
4708 nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
4709 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
4710 u32 vrf_id, int is_in)
4713 clib_bihash_16_8_t *t;
4714 clib_bihash_kv_16_8_t kv, value;
4715 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
4717 snat_main_per_thread_data_t *tsm;
4719 if (!sm->endpoint_dependent)
4720 return VNET_API_ERROR_FEATURE_DISABLED;
4722 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
4723 if (sm->num_workers > 1)
4725 vec_elt_at_index (sm->per_thread_data,
4726 sm->worker_in2out_cb (&ip, fib_index, 0));
4728 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
4730 t = is_in ? &tsm->in2out_ed : &sm->out2in_ed;
4731 init_ed_k (&kv, *addr, port, *eh_addr, eh_port, fib_index, proto);
4732 if (clib_bihash_search_16_8 (t, &kv, &value))
4734 return VNET_API_ERROR_NO_SUCH_ENTRY;
4737 if (pool_is_free_index (tsm->sessions, value.value))
4738 return VNET_API_ERROR_UNSPECIFIED;
4739 s = pool_elt_at_index (tsm->sessions, value.value);
4740 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
4741 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
4746 nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, u16 psid_length)
4748 snat_main_t *sm = &snat_main;
4750 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE;
4751 sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
4753 sm->psid_offset = psid_offset;
4754 sm->psid_length = psid_length;
4758 nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port)
4760 snat_main_t *sm = &snat_main;
4762 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE;
4763 sm->alloc_addr_and_port = nat_alloc_addr_and_port_range;
4764 sm->start_port = start_port;
4765 sm->end_port = end_port;
4769 nat_set_alloc_addr_and_port_default (void)
4771 snat_main_t *sm = &snat_main;
4773 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
4774 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
4777 VLIB_NODE_FN (nat_default_node) (vlib_main_t * vm,
4778 vlib_node_runtime_t * node,
4779 vlib_frame_t * frame)
4785 VLIB_REGISTER_NODE (nat_default_node) = {
4786 .name = "nat-default",
4787 .vector_size = sizeof (u32),
4789 .type = VLIB_NODE_TYPE_INTERNAL,
4791 .n_next_nodes = NAT_N_NEXT,
4793 [NAT_NEXT_DROP] = "error-drop",
4794 [NAT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
4795 [NAT_NEXT_IN2OUT_ED_FAST_PATH] = "nat44-ed-in2out",
4796 [NAT_NEXT_IN2OUT_ED_SLOW_PATH] = "nat44-ed-in2out-slowpath",
4797 [NAT_NEXT_IN2OUT_ED_OUTPUT_FAST_PATH] = "nat44-ed-in2out-output",
4798 [NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
4799 [NAT_NEXT_OUT2IN_ED_FAST_PATH] = "nat44-ed-out2in",
4800 [NAT_NEXT_OUT2IN_ED_SLOW_PATH] = "nat44-ed-out2in-slowpath",
4801 [NAT_NEXT_IN2OUT_CLASSIFY] = "nat44-in2out-worker-handoff",
4802 [NAT_NEXT_OUT2IN_CLASSIFY] = "nat44-out2in-worker-handoff",
4808 * fd.io coding-style-patch-verification: ON
4811 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob