2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_dpo.h>
24 #include <nat/nat_ipfix_logging.h>
25 #include <nat/nat_det.h>
26 #include <nat/nat64.h>
27 #include <nat/nat66.h>
28 #include <nat/nat_inlines.h>
29 #include <nat/nat44/inlines.h>
30 #include <nat/nat_affinity.h>
31 #include <nat/nat_syslog.h>
32 #include <nat/nat_ha.h>
33 #include <vnet/fib/fib_table.h>
34 #include <vnet/fib/ip4_fib.h>
35 #include <vnet/ip/reass/ip4_sv_reass.h>
36 #include <vppinfra/bihash_16_8.h>
38 #include <vpp/app/version.h>
40 snat_main_t snat_main;
42 fib_source_t nat_fib_src_hi;
43 fib_source_t nat_fib_src_low;
46 /* Hook up input features */
47 VNET_FEATURE_INIT (nat_pre_in2out, static) = {
48 .arc_name = "ip4-unicast",
49 .node_name = "nat-pre-in2out",
50 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
51 "ip4-sv-reassembly-feature"),
53 VNET_FEATURE_INIT (nat_pre_out2in, static) = {
54 .arc_name = "ip4-unicast",
55 .node_name = "nat-pre-out2in",
56 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
57 "ip4-dhcp-client-detect",
58 "ip4-sv-reassembly-feature"),
60 VNET_FEATURE_INIT (snat_in2out_worker_handoff, static) = {
61 .arc_name = "ip4-unicast",
62 .node_name = "nat44-in2out-worker-handoff",
63 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
65 VNET_FEATURE_INIT (snat_out2in_worker_handoff, static) = {
66 .arc_name = "ip4-unicast",
67 .node_name = "nat44-out2in-worker-handoff",
68 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
69 "ip4-dhcp-client-detect"),
71 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
72 .arc_name = "ip4-unicast",
73 .node_name = "nat44-in2out",
74 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
76 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
77 .arc_name = "ip4-unicast",
78 .node_name = "nat44-out2in",
79 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
80 "ip4-dhcp-client-detect"),
82 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
83 .arc_name = "ip4-unicast",
84 .node_name = "nat44-classify",
85 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
87 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
88 .arc_name = "ip4-unicast",
89 .node_name = "nat44-det-in2out",
90 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
92 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
93 .arc_name = "ip4-unicast",
94 .node_name = "nat44-det-out2in",
95 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
96 "ip4-dhcp-client-detect"),
98 VNET_FEATURE_INIT (ip4_nat_det_classify, static) = {
99 .arc_name = "ip4-unicast",
100 .node_name = "nat44-det-classify",
101 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
103 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
104 .arc_name = "ip4-unicast",
105 .node_name = "nat44-ed-in2out",
106 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
108 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
109 .arc_name = "ip4-unicast",
110 .node_name = "nat44-ed-out2in",
111 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
112 "ip4-dhcp-client-detect"),
114 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
115 .arc_name = "ip4-unicast",
116 .node_name = "nat44-ed-classify",
117 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
119 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
120 .arc_name = "ip4-unicast",
121 .node_name = "nat44-handoff-classify",
122 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
124 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
125 .arc_name = "ip4-unicast",
126 .node_name = "nat44-in2out-fast",
127 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
129 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
130 .arc_name = "ip4-unicast",
131 .node_name = "nat44-out2in-fast",
132 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
133 "ip4-dhcp-client-detect"),
135 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
136 .arc_name = "ip4-unicast",
137 .node_name = "nat44-hairpin-dst",
138 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
140 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = {
141 .arc_name = "ip4-unicast",
142 .node_name = "nat44-ed-hairpin-dst",
143 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
146 /* Hook up output features */
147 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
148 .arc_name = "ip4-output",
149 .node_name = "nat44-in2out-output",
150 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
152 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
153 .arc_name = "ip4-output",
154 .node_name = "nat44-in2out-output-worker-handoff",
155 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
157 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
158 .arc_name = "ip4-output",
159 .node_name = "nat44-hairpin-src",
160 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
162 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
163 .arc_name = "ip4-output",
164 .node_name = "nat44-ed-in2out-output",
165 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
166 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
168 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = {
169 .arc_name = "ip4-output",
170 .node_name = "nat44-ed-hairpin-src",
171 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
172 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
175 /* Hook up ip4-local features */
176 VNET_FEATURE_INIT (ip4_nat_hairpinning, static) =
178 .arc_name = "ip4-local",
179 .node_name = "nat44-hairpinning",
180 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
182 VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) =
184 .arc_name = "ip4-local",
185 .node_name = "nat44-ed-hairpinning",
186 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
190 VLIB_PLUGIN_REGISTER () = {
191 .version = VPP_BUILD_VER,
192 .description = "Network Address Translation (NAT)",
197 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index,
200 snat_session_key_t key;
201 clib_bihash_kv_8_8_t kv;
204 ip4_address_t *l_addr, *r_addr;
206 clib_bihash_kv_16_8_t ed_kv;
207 snat_main_per_thread_data_t *tsm =
208 vec_elt_at_index (sm->per_thread_data, thread_index);
210 if (is_fwd_bypass_session (s))
212 if (snat_is_unk_proto_session (s))
214 make_ed_kv (&s->in2out.addr, &s->ext_host_addr, s->in2out.port, 0,
215 0, 0, ~0ULL, &ed_kv);
219 proto = snat_proto_to_ip_proto (s->in2out.protocol);
220 l_port = s->in2out.port;
221 r_port = s->ext_host_port;
222 l_addr = &s->in2out.addr;
223 r_addr = &s->ext_host_addr;
224 proto = snat_proto_to_ip_proto (s->in2out.protocol);
225 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
228 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
229 nat_elog_warn ("in2out_ed key del failed");
233 /* session lookup tables */
234 if (is_ed_session (s))
236 if (is_affinity_sessions (s))
237 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
238 s->in2out.protocol, s->out2in.port);
239 l_addr = &s->out2in.addr;
240 r_addr = &s->ext_host_addr;
241 fib_index = s->out2in.fib_index;
242 if (snat_is_unk_proto_session (s))
244 proto = s->in2out.port;
250 proto = snat_proto_to_ip_proto (s->in2out.protocol);
251 l_port = s->out2in.port;
252 r_port = s->ext_host_port;
254 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
256 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0))
257 nat_elog_warn ("out2in_ed key del failed");
258 l_addr = &s->in2out.addr;
259 fib_index = s->in2out.fib_index;
260 if (!snat_is_unk_proto_session (s))
261 l_port = s->in2out.port;
262 if (is_twice_nat_session (s))
264 r_addr = &s->ext_host_nat_addr;
265 r_port = s->ext_host_nat_port;
267 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
269 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
270 nat_elog_warn ("in2out_ed key del failed");
273 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
274 &s->in2out.addr, s->in2out.port,
275 &s->ext_host_nat_addr, s->ext_host_nat_port,
276 &s->out2in.addr, s->out2in.port,
277 &s->ext_host_addr, s->ext_host_port,
278 s->in2out.protocol, is_twice_nat_session (s));
282 kv.key = s->in2out.as_u64;
283 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0))
284 nat_elog_warn ("in2out key del failed");
285 kv.key = s->out2in.as_u64;
286 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0))
287 nat_elog_warn ("out2in key del failed");
290 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
291 &s->in2out.addr, s->in2out.port,
292 &s->out2in.addr, s->out2in.port,
296 if (snat_is_unk_proto_session (s))
302 snat_ipfix_logging_nat44_ses_delete (thread_index,
303 s->in2out.addr.as_u32,
304 s->out2in.addr.as_u32,
308 s->in2out.fib_index);
310 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
311 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
315 /* Twice NAT address and port for external host */
316 if (is_twice_nat_session (s))
318 key.protocol = s->in2out.protocol;
319 key.port = s->ext_host_nat_port;
320 key.addr.as_u32 = s->ext_host_nat_addr.as_u32;
321 snat_free_outside_address_and_port (sm->twice_nat_addresses,
325 if (snat_is_session_static (s))
328 snat_free_outside_address_and_port (sm->addresses, thread_index,
333 nat44_free_session_data (snat_main_t * sm, snat_session_t * s,
334 u32 thread_index, u8 is_ha)
336 snat_session_key_t key;
339 ip4_address_t *l_addr, *r_addr;
341 clib_bihash_kv_16_8_t ed_kv;
342 snat_main_per_thread_data_t *tsm =
343 vec_elt_at_index (sm->per_thread_data, thread_index);
345 if (is_fwd_bypass_session (s))
347 if (snat_is_unk_proto_session (s))
349 proto = s->in2out.port;
355 proto = snat_proto_to_ip_proto (s->in2out.protocol);
356 l_port = s->in2out.port;
357 r_port = s->ext_host_port;
360 l_addr = &s->in2out.addr;
361 r_addr = &s->ext_host_addr;
363 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
367 (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)))
368 nat_elog_warn ("in2out_ed key del failed");
372 /* session lookup tables */
373 if (is_affinity_sessions (s))
374 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
375 s->in2out.protocol, s->out2in.port);
376 l_addr = &s->out2in.addr;
377 r_addr = &s->ext_host_addr;
378 fib_index = s->out2in.fib_index;
379 if (snat_is_unk_proto_session (s))
381 proto = s->in2out.port;
387 proto = snat_proto_to_ip_proto (s->in2out.protocol);
388 l_port = s->out2in.port;
389 r_port = s->ext_host_port;
391 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
394 if (PREDICT_FALSE (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0)))
395 nat_elog_warn ("out2in_ed key del failed");
397 l_addr = &s->in2out.addr;
398 fib_index = s->in2out.fib_index;
400 if (!snat_is_unk_proto_session (s))
401 l_port = s->in2out.port;
403 if (is_twice_nat_session (s))
405 r_addr = &s->ext_host_nat_addr;
406 r_port = s->ext_host_nat_port;
408 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
411 if (PREDICT_FALSE (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)))
412 nat_elog_warn ("in2out_ed key del failed");
416 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
417 &s->in2out.addr, s->in2out.port,
418 &s->ext_host_nat_addr, s->ext_host_nat_port,
419 &s->out2in.addr, s->out2in.port,
420 &s->ext_host_addr, s->ext_host_port,
421 s->in2out.protocol, is_twice_nat_session (s));
424 if (snat_is_unk_proto_session (s))
430 snat_ipfix_logging_nat44_ses_delete (thread_index,
431 s->in2out.addr.as_u32,
432 s->out2in.addr.as_u32,
436 s->in2out.fib_index);
437 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
438 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
442 /* Twice NAT address and port for external host */
443 if (is_twice_nat_session (s))
445 key.protocol = s->in2out.protocol;
446 key.port = s->ext_host_nat_port;
447 key.addr.as_u32 = s->ext_host_nat_addr.as_u32;
448 snat_free_outside_address_and_port (sm->twice_nat_addresses,
452 if (snat_is_session_static (s))
455 // should be called for every dynamic session
456 snat_free_outside_address_and_port (sm->addresses, thread_index,
462 nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, u32 fib_index,
466 snat_user_key_t user_key;
467 clib_bihash_kv_8_8_t kv, value;
468 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
469 dlist_elt_t *per_user_list_head_elt;
471 user_key.addr.as_u32 = addr->as_u32;
472 user_key.fib_index = fib_index;
473 kv.key = user_key.as_u64;
475 /* Ever heard of the "user" = src ip4 address before? */
476 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
478 /* no, make a new one */
479 pool_get (tsm->users, u);
480 clib_memset (u, 0, sizeof (*u));
482 u->addr.as_u32 = addr->as_u32;
483 u->fib_index = fib_index;
485 pool_get (tsm->list_pool, per_user_list_head_elt);
487 u->sessions_per_user_list_head_index = per_user_list_head_elt -
490 clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index);
492 kv.value = u - tsm->users;
495 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
497 nat_elog_warn ("user_hash key add failed");
498 nat44_delete_user_with_no_session (sm, u, thread_index);
502 vlib_set_simple_counter (&sm->total_users, thread_index, 0,
503 pool_elts (tsm->users));
507 u = pool_elt_at_index (tsm->users, value.value);
514 nat_session_alloc_or_recycle (snat_main_t * sm, snat_user_t * u,
515 u32 thread_index, f64 now)
518 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
519 u32 oldest_per_user_translation_list_index, session_index;
520 dlist_elt_t *oldest_per_user_translation_list_elt;
521 dlist_elt_t *per_user_translation_list_elt;
523 /* Over quota? Recycle the least recently used translation */
524 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
526 oldest_per_user_translation_list_index =
527 clib_dlist_remove_head (tsm->list_pool,
528 u->sessions_per_user_list_head_index);
530 ASSERT (oldest_per_user_translation_list_index != ~0);
532 /* Add it back to the end of the LRU list */
533 clib_dlist_addtail (tsm->list_pool,
534 u->sessions_per_user_list_head_index,
535 oldest_per_user_translation_list_index);
536 /* Get the list element */
537 oldest_per_user_translation_list_elt =
538 pool_elt_at_index (tsm->list_pool,
539 oldest_per_user_translation_list_index);
541 /* Get the session index from the list element */
542 session_index = oldest_per_user_translation_list_elt->value;
544 /* Get the session */
545 s = pool_elt_at_index (tsm->sessions, session_index);
546 nat_free_session_data (sm, s, thread_index, 0);
547 if (snat_is_session_static (s))
548 u->nstaticsessions--;
555 s->ext_host_addr.as_u32 = 0;
556 s->ext_host_port = 0;
557 s->ext_host_nat_addr.as_u32 = 0;
558 s->ext_host_nat_port = 0;
562 pool_get (tsm->sessions, s);
563 clib_memset (s, 0, sizeof (*s));
565 /* Create list elts */
566 pool_get (tsm->list_pool, per_user_translation_list_elt);
567 clib_dlist_init (tsm->list_pool,
568 per_user_translation_list_elt - tsm->list_pool);
570 per_user_translation_list_elt->value = s - tsm->sessions;
571 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
572 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
574 clib_dlist_addtail (tsm->list_pool,
575 s->per_user_list_head_index,
576 per_user_translation_list_elt - tsm->list_pool);
578 dlist_elt_t *global_lru_list_elt;
579 pool_get (tsm->global_lru_pool, global_lru_list_elt);
580 global_lru_list_elt->value = s - tsm->sessions;
581 s->global_lru_index = global_lru_list_elt - tsm->global_lru_pool;
582 clib_dlist_addtail (tsm->global_lru_pool, tsm->global_lru_head_index,
583 s->global_lru_index);
584 s->last_lru_update = now;
586 s->user_index = u - tsm->users;
587 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
588 pool_elts (tsm->sessions));
591 s->ha_last_refreshed = now;
597 nat_global_lru_free_one (snat_main_t * sm, int thread_index, f64 now)
599 snat_session_t *s = NULL;
600 dlist_elt_t *oldest_elt;
601 u64 sess_timeout_time;
603 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
604 oldest_index = clib_dlist_remove_head (tsm->global_lru_pool,
605 tsm->global_lru_head_index);
606 if (~0 != oldest_index)
608 oldest_elt = pool_elt_at_index (tsm->global_lru_pool, oldest_index);
609 s = pool_elt_at_index (tsm->sessions, oldest_elt->value);
612 s->last_heard + (f64) nat44_session_get_timeout (sm, s);
613 if (now >= sess_timeout_time
614 || (s->tcp_close_timestamp && now >= s->tcp_close_timestamp))
616 nat_free_session_data (sm, s, thread_index, 0);
617 nat44_ed_delete_session (sm, s, thread_index, 0);
622 clib_dlist_addhead (tsm->global_lru_pool,
623 tsm->global_lru_head_index, oldest_index);
630 nat_ed_session_alloc (snat_main_t * sm, u32 thread_index, f64 now)
633 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
635 nat_global_lru_free_one (sm, thread_index, now);
637 pool_get (tsm->sessions, s);
638 clib_memset (s, 0, sizeof (*s));
640 nat44_global_lru_insert (tsm, s, now);
642 s->ha_last_refreshed = now;
643 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
644 pool_elts (tsm->sessions));
649 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
652 fib_prefix_t prefix = {
654 .fp_proto = FIB_PROTOCOL_IP4,
656 .ip4.as_u32 = addr->as_u32,
659 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
662 fib_table_entry_update_one_path (fib_index,
665 (FIB_ENTRY_FLAG_CONNECTED |
666 FIB_ENTRY_FLAG_LOCAL |
667 FIB_ENTRY_FLAG_EXCLUSIVE),
671 ~0, 1, NULL, FIB_ROUTE_PATH_FLAG_NONE);
673 fib_table_entry_delete (fib_index, &prefix, nat_fib_src_low);
677 snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id,
682 vlib_thread_main_t *tm = vlib_get_thread_main ();
684 if (twice_nat && !sm->endpoint_dependent)
685 return VNET_API_ERROR_FEATURE_DISABLED;
687 /* Check if address already exists */
689 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
691 if (ap->addr.as_u32 == addr->as_u32)
692 return VNET_API_ERROR_VALUE_EXIST;
697 vec_add2 (sm->twice_nat_addresses, ap, 1);
699 vec_add2 (sm->addresses, ap, 1);
704 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
708 #define _(N, i, n, s) \
709 clib_memset(ap->busy_##n##_port_refcounts, 0, sizeof(ap->busy_##n##_port_refcounts));\
710 ap->busy_##n##_ports = 0; \
711 ap->busy_##n##_ports_per_thread = 0;\
712 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
713 foreach_snat_protocol
718 /* Add external address to FIB */
720 pool_foreach (i, sm->interfaces,
722 if (nat_interface_is_inside(i) || sm->out2in_dpo)
725 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
728 pool_foreach (i, sm->output_feature_interfaces,
730 if (nat_interface_is_inside(i) || sm->out2in_dpo)
733 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
742 is_snat_address_used_in_static_mapping (snat_main_t * sm, ip4_address_t addr)
744 snat_static_mapping_t *m;
746 pool_foreach (m, sm->static_mappings,
748 if (is_addr_only_static_mapping (m) ||
749 is_out2in_only_static_mapping (m) ||
750 is_identity_static_mapping (m))
752 if (m->external_addr.as_u32 == addr.as_u32)
761 snat_add_static_mapping_when_resolved (snat_main_t * sm,
762 ip4_address_t l_addr,
767 snat_protocol_t proto,
768 int addr_only, int is_add, u8 * tag,
769 int twice_nat, int out2in_only,
772 snat_static_map_resolve_t *rp;
774 vec_add2 (sm->to_resolve, rp, 1);
775 rp->l_addr.as_u32 = l_addr.as_u32;
777 rp->sw_if_index = sw_if_index;
781 rp->addr_only = addr_only;
783 rp->twice_nat = twice_nat;
784 rp->out2in_only = out2in_only;
785 rp->identity_nat = identity_nat;
786 rp->tag = vec_dup (tag);
790 get_thread_idx_by_port (u16 e_port)
792 snat_main_t *sm = &snat_main;
793 u32 thread_idx = sm->num_workers;
794 if (sm->num_workers > 1)
797 sm->first_worker_index +
798 sm->workers[(e_port - 1024) / sm->port_per_thread];
804 snat_static_mapping_del_sessions (snat_main_t * sm,
805 snat_main_per_thread_data_t * tsm,
806 snat_user_key_t u_key, int addr_only,
807 ip4_address_t e_addr, u16 e_port)
809 clib_bihash_kv_8_8_t kv, value;
810 kv.key = u_key.as_u64;
812 dlist_elt_t *head, *elt;
815 u32 elt_index, head_index, ses_index;
816 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
818 user_index = value.value;
819 u = pool_elt_at_index (tsm->users, user_index);
820 if (u->nstaticsessions)
822 head_index = u->sessions_per_user_list_head_index;
823 head = pool_elt_at_index (tsm->list_pool, head_index);
824 elt_index = head->next;
825 elt = pool_elt_at_index (tsm->list_pool, elt_index);
826 ses_index = elt->value;
827 while (ses_index != ~0)
829 s = pool_elt_at_index (tsm->sessions, ses_index);
830 elt = pool_elt_at_index (tsm->list_pool, elt->next);
831 ses_index = elt->value;
835 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
836 (clib_net_to_host_u16 (s->out2in.port) != e_port))
840 if (is_lb_session (s))
843 if (!snat_is_session_static (s))
846 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
847 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
857 snat_ed_static_mapping_del_sessions (snat_main_t * sm,
858 snat_main_per_thread_data_t * tsm,
859 ip4_address_t l_addr,
862 u32 fib_index, int addr_only,
863 ip4_address_t e_addr, u16 e_port)
866 u32 *indexes_to_free = NULL;
868 pool_foreach (s, tsm->sessions, {
869 if (s->in2out.fib_index != fib_index ||
870 s->in2out.addr.as_u32 != l_addr.as_u32)
876 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
877 (clib_net_to_host_u16 (s->out2in.port) != e_port) ||
878 clib_net_to_host_u16 (s->in2out.port) != l_port ||
879 s->in2out.protocol != protocol)
883 if (is_lb_session (s))
885 if (!snat_is_session_static (s))
887 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
888 vec_add1 (indexes_to_free, s - tsm->sessions);
894 vec_foreach (ses_index, indexes_to_free)
896 s = pool_elt_at_index (tsm->sessions, *ses_index);
897 nat44_ed_delete_session (sm, s, tsm - sm->per_thread_data, 1);
899 vec_free (indexes_to_free);
903 snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
904 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
905 u32 sw_if_index, snat_protocol_t proto, int is_add,
906 twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag,
909 snat_main_t *sm = &snat_main;
910 snat_static_mapping_t *m;
911 snat_session_key_t m_key;
912 clib_bihash_kv_8_8_t kv, value;
913 snat_address_t *a = 0;
915 snat_interface_t *interface;
917 snat_main_per_thread_data_t *tsm;
918 snat_user_key_t u_key;
920 dlist_elt_t *head, *elt;
921 u32 elt_index, head_index;
925 snat_static_map_resolve_t *rp, *rp_match = 0;
926 nat44_lb_addr_port_t *local;
929 if (!sm->endpoint_dependent)
931 if (twice_nat || out2in_only)
932 return VNET_API_ERROR_FEATURE_DISABLED;
935 /* If the external address is a specific interface address */
936 if (sw_if_index != ~0)
938 ip4_address_t *first_int_addr;
940 for (i = 0; i < vec_len (sm->to_resolve); i++)
942 rp = sm->to_resolve + i;
943 if (rp->sw_if_index != sw_if_index ||
944 rp->l_addr.as_u32 != l_addr.as_u32 ||
945 rp->vrf_id != vrf_id || rp->addr_only != addr_only)
950 if ((rp->l_port != l_port && rp->e_port != e_port)
951 || rp->proto != proto)
959 /* Might be already set... */
960 first_int_addr = ip4_interface_first_address
961 (sm->ip4_main, sw_if_index, 0 /* just want the address */ );
966 return VNET_API_ERROR_VALUE_EXIST;
968 snat_add_static_mapping_when_resolved
969 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
970 addr_only, is_add, tag, twice_nat, out2in_only, identity_nat);
972 /* DHCP resolution required? */
973 if (first_int_addr == 0)
979 e_addr.as_u32 = first_int_addr->as_u32;
980 /* Identity mapping? */
981 if (l_addr.as_u32 == 0)
982 l_addr.as_u32 = e_addr.as_u32;
988 return VNET_API_ERROR_NO_SUCH_ENTRY;
990 vec_del1 (sm->to_resolve, i);
994 e_addr.as_u32 = first_int_addr->as_u32;
995 /* Identity mapping? */
996 if (l_addr.as_u32 == 0)
997 l_addr.as_u32 = e_addr.as_u32;
1004 m_key.addr = e_addr;
1005 m_key.port = addr_only ? 0 : e_port;
1006 m_key.protocol = addr_only ? 0 : proto;
1007 m_key.fib_index = 0;
1008 kv.key = m_key.as_u64;
1009 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1012 m = pool_elt_at_index (sm->static_mappings, value.value);
1018 if (is_identity_static_mapping (m))
1021 pool_foreach (local, m->locals,
1023 if (local->vrf_id == vrf_id)
1024 return VNET_API_ERROR_VALUE_EXIST;
1027 pool_get (m->locals, local);
1028 local->vrf_id = vrf_id;
1030 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1032 m_key.addr = m->local_addr;
1033 m_key.port = m->local_port;
1034 m_key.protocol = m->proto;
1035 m_key.fib_index = local->fib_index;
1036 kv.key = m_key.as_u64;
1037 kv.value = m - sm->static_mappings;
1038 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1042 return VNET_API_ERROR_VALUE_EXIST;
1045 if (twice_nat && addr_only)
1046 return VNET_API_ERROR_UNSUPPORTED;
1048 /* Convert VRF id to FIB index */
1051 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1053 /* If not specified use inside VRF id from SNAT plugin startup config */
1056 fib_index = sm->inside_fib_index;
1057 vrf_id = sm->inside_vrf_id;
1058 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1061 if (!(out2in_only || identity_nat))
1063 m_key.addr = l_addr;
1064 m_key.port = addr_only ? 0 : l_port;
1065 m_key.protocol = addr_only ? 0 : proto;
1066 m_key.fib_index = fib_index;
1067 kv.key = m_key.as_u64;
1068 if (!clib_bihash_search_8_8
1069 (&sm->static_mapping_by_local, &kv, &value))
1070 return VNET_API_ERROR_VALUE_EXIST;
1073 /* Find external address in allocated addresses and reserve port for
1074 address and port pair mapping when dynamic translations enabled */
1075 if (!(addr_only || sm->static_mapping_only || out2in_only))
1077 for (i = 0; i < vec_len (sm->addresses); i++)
1079 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1081 a = sm->addresses + i;
1082 /* External port must be unused */
1085 #define _(N, j, n, s) \
1086 case SNAT_PROTOCOL_##N: \
1087 if (a->busy_##n##_port_refcounts[e_port]) \
1088 return VNET_API_ERROR_INVALID_VALUE; \
1089 ++a->busy_##n##_port_refcounts[e_port]; \
1090 if (e_port > 1024) \
1092 a->busy_##n##_ports++; \
1093 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1096 foreach_snat_protocol
1099 nat_elog_info ("unknown protocol");
1100 return VNET_API_ERROR_INVALID_VALUE_2;
1105 /* External address must be allocated */
1106 if (!a && (l_addr.as_u32 != e_addr.as_u32))
1108 if (sw_if_index != ~0)
1110 for (i = 0; i < vec_len (sm->to_resolve); i++)
1112 rp = sm->to_resolve + i;
1115 if (rp->sw_if_index != sw_if_index &&
1116 rp->l_addr.as_u32 != l_addr.as_u32 &&
1117 rp->vrf_id != vrf_id && rp->l_port != l_port &&
1118 rp->e_port != e_port && rp->proto != proto)
1121 vec_del1 (sm->to_resolve, i);
1125 return VNET_API_ERROR_NO_SUCH_ENTRY;
1129 pool_get (sm->static_mappings, m);
1130 clib_memset (m, 0, sizeof (*m));
1131 m->tag = vec_dup (tag);
1132 m->local_addr = l_addr;
1133 m->external_addr = e_addr;
1134 m->twice_nat = twice_nat;
1136 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1138 m->flags |= NAT_STATIC_MAPPING_FLAG_ADDR_ONLY;
1141 m->flags |= NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT;
1142 pool_get (m->locals, local);
1143 local->vrf_id = vrf_id;
1144 local->fib_index = fib_index;
1149 m->fib_index = fib_index;
1153 m->local_port = l_port;
1154 m->external_port = e_port;
1158 if (sm->num_workers > 1)
1161 .src_address = m->local_addr,
1163 vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index, 0));
1164 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1167 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1169 m_key.addr = m->local_addr;
1170 m_key.port = m->local_port;
1171 m_key.protocol = m->proto;
1172 m_key.fib_index = fib_index;
1173 kv.key = m_key.as_u64;
1174 kv.value = m - sm->static_mappings;
1176 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1178 m_key.addr = m->external_addr;
1179 m_key.port = m->external_port;
1180 m_key.fib_index = 0;
1181 kv.key = m_key.as_u64;
1182 kv.value = m - sm->static_mappings;
1183 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1);
1185 /* Delete dynamic sessions matching local address (+ local port) */
1186 if (!(sm->static_mapping_only))
1188 u_key.addr = m->local_addr;
1189 u_key.fib_index = m->fib_index;
1190 kv.key = u_key.as_u64;
1191 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1193 user_index = value.value;
1194 u = pool_elt_at_index (tsm->users, user_index);
1197 head_index = u->sessions_per_user_list_head_index;
1198 head = pool_elt_at_index (tsm->list_pool, head_index);
1199 elt_index = head->next;
1200 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1201 ses_index = elt->value;
1202 while (ses_index != ~0)
1204 s = pool_elt_at_index (tsm->sessions, ses_index);
1205 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1206 ses_index = elt->value;
1208 if (snat_is_session_static (s))
1212 && (clib_net_to_host_u16 (s->in2out.port) !=
1216 nat_free_session_data (sm, s,
1217 tsm - sm->per_thread_data, 0);
1218 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1220 if (!addr_only && !sm->endpoint_dependent)
1231 if (sw_if_index != ~0)
1234 return VNET_API_ERROR_NO_SUCH_ENTRY;
1240 vrf_id = sm->inside_vrf_id;
1243 pool_foreach (local, m->locals,
1245 if (local->vrf_id == vrf_id)
1246 find = local - m->locals;
1250 return VNET_API_ERROR_NO_SUCH_ENTRY;
1252 local = pool_elt_at_index (m->locals, find);
1253 fib_index = local->fib_index;
1254 pool_put (m->locals, local);
1257 fib_index = m->fib_index;
1259 /* Free external address port */
1260 if (!(addr_only || sm->static_mapping_only || out2in_only))
1262 for (i = 0; i < vec_len (sm->addresses); i++)
1264 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1266 a = sm->addresses + i;
1269 #define _(N, j, n, s) \
1270 case SNAT_PROTOCOL_##N: \
1271 --a->busy_##n##_port_refcounts[e_port]; \
1272 if (e_port > 1024) \
1274 a->busy_##n##_ports--; \
1275 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1278 foreach_snat_protocol
1281 nat_elog_info ("unknown protocol");
1282 return VNET_API_ERROR_INVALID_VALUE_2;
1289 if (sm->num_workers > 1)
1290 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1292 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1294 m_key.addr = m->local_addr;
1295 m_key.port = m->local_port;
1296 m_key.protocol = m->proto;
1297 m_key.fib_index = fib_index;
1298 kv.key = m_key.as_u64;
1300 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0);
1302 /* Delete session(s) for static mapping if exist */
1303 if (!(sm->static_mapping_only) ||
1304 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
1306 if (sm->endpoint_dependent)
1308 snat_ed_static_mapping_del_sessions (sm, tsm, m->local_addr,
1309 m->local_port, m->proto,
1310 fib_index, addr_only,
1315 u_key.addr = m->local_addr;
1316 u_key.fib_index = fib_index;
1317 kv.key = u_key.as_u64;
1318 snat_static_mapping_del_sessions (sm, tsm, u_key, addr_only,
1323 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1324 if (pool_elts (m->locals))
1327 m_key.addr = m->external_addr;
1328 m_key.port = m->external_port;
1329 m_key.fib_index = 0;
1330 kv.key = m_key.as_u64;
1331 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0);
1334 vec_free (m->workers);
1335 /* Delete static mapping from pool */
1336 pool_put (sm->static_mappings, m);
1339 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
1342 /* Add/delete external address to FIB */
1344 pool_foreach (interface, sm->interfaces,
1346 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1349 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1352 pool_foreach (interface, sm->output_feature_interfaces,
1354 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1357 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1366 nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1367 snat_protocol_t proto,
1368 nat44_lb_addr_port_t * locals, u8 is_add,
1369 twice_nat_type_t twice_nat, u8 out2in_only,
1370 u8 * tag, u32 affinity)
1372 snat_main_t *sm = &snat_main;
1373 snat_static_mapping_t *m;
1374 snat_session_key_t m_key;
1375 clib_bihash_kv_8_8_t kv, value;
1376 snat_address_t *a = 0;
1378 nat44_lb_addr_port_t *local;
1379 snat_main_per_thread_data_t *tsm;
1383 if (!sm->endpoint_dependent)
1384 return VNET_API_ERROR_FEATURE_DISABLED;
1386 m_key.addr = e_addr;
1387 m_key.port = e_port;
1388 m_key.protocol = proto;
1389 m_key.fib_index = 0;
1390 kv.key = m_key.as_u64;
1391 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1394 m = pool_elt_at_index (sm->static_mappings, value.value);
1399 return VNET_API_ERROR_VALUE_EXIST;
1401 if (vec_len (locals) < 2)
1402 return VNET_API_ERROR_INVALID_VALUE;
1404 /* Find external address in allocated addresses and reserve port for
1405 address and port pair mapping when dynamic translations enabled */
1406 if (!(sm->static_mapping_only || out2in_only))
1408 for (i = 0; i < vec_len (sm->addresses); i++)
1410 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1412 a = sm->addresses + i;
1413 /* External port must be unused */
1416 #define _(N, j, n, s) \
1417 case SNAT_PROTOCOL_##N: \
1418 if (a->busy_##n##_port_refcounts[e_port]) \
1419 return VNET_API_ERROR_INVALID_VALUE; \
1420 ++a->busy_##n##_port_refcounts[e_port]; \
1421 if (e_port > 1024) \
1423 a->busy_##n##_ports++; \
1424 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1427 foreach_snat_protocol
1430 nat_elog_info ("unknown protocol");
1431 return VNET_API_ERROR_INVALID_VALUE_2;
1436 /* External address must be allocated */
1438 return VNET_API_ERROR_NO_SUCH_ENTRY;
1441 pool_get (sm->static_mappings, m);
1442 clib_memset (m, 0, sizeof (*m));
1443 m->tag = vec_dup (tag);
1444 m->external_addr = e_addr;
1445 m->external_port = e_port;
1447 m->twice_nat = twice_nat;
1448 m->flags |= NAT_STATIC_MAPPING_FLAG_LB;
1450 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1451 m->affinity = affinity;
1454 m->affinity_per_service_list_head_index =
1455 nat_affinity_get_per_service_list_head_index ();
1457 m->affinity_per_service_list_head_index = ~0;
1459 m_key.addr = m->external_addr;
1460 m_key.port = m->external_port;
1461 m_key.protocol = m->proto;
1462 m_key.fib_index = 0;
1463 kv.key = m_key.as_u64;
1464 kv.value = m - sm->static_mappings;
1465 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1))
1467 nat_elog_err ("static_mapping_by_external key add failed");
1468 return VNET_API_ERROR_UNSPECIFIED;
1471 m_key.fib_index = m->fib_index;
1472 for (i = 0; i < vec_len (locals); i++)
1474 locals[i].fib_index =
1475 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1478 m_key.addr = locals[i].addr;
1479 m_key.fib_index = locals[i].fib_index;
1482 m_key.port = locals[i].port;
1483 kv.key = m_key.as_u64;
1484 kv.value = m - sm->static_mappings;
1485 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1487 locals[i].prefix = (i == 0) ? locals[i].probability :
1488 (locals[i - 1].prefix + locals[i].probability);
1489 pool_get (m->locals, local);
1491 if (sm->num_workers > 1)
1494 .src_address = locals[i].addr,
1497 clib_bitmap_set (bitmap,
1498 sm->worker_in2out_cb (&ip, m->fib_index, 0),
1503 /* Assign workers */
1504 if (sm->num_workers > 1)
1507 clib_bitmap_foreach (i, bitmap,
1509 vec_add1(m->workers, i);
1517 return VNET_API_ERROR_NO_SUCH_ENTRY;
1519 if (!is_lb_static_mapping (m))
1520 return VNET_API_ERROR_INVALID_VALUE;
1522 /* Free external address port */
1523 if (!(sm->static_mapping_only || out2in_only))
1525 for (i = 0; i < vec_len (sm->addresses); i++)
1527 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1529 a = sm->addresses + i;
1532 #define _(N, j, n, s) \
1533 case SNAT_PROTOCOL_##N: \
1534 --a->busy_##n##_port_refcounts[e_port]; \
1535 if (e_port > 1024) \
1537 a->busy_##n##_ports--; \
1538 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1541 foreach_snat_protocol
1544 nat_elog_info ("unknown protocol");
1545 return VNET_API_ERROR_INVALID_VALUE_2;
1552 m_key.addr = m->external_addr;
1553 m_key.port = m->external_port;
1554 m_key.protocol = m->proto;
1555 m_key.fib_index = 0;
1556 kv.key = m_key.as_u64;
1557 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0))
1559 nat_elog_err ("static_mapping_by_external key del failed");
1560 return VNET_API_ERROR_UNSPECIFIED;
1564 pool_foreach (local, m->locals,
1566 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4,
1568 m_key.addr = local->addr;
1571 m_key.port = local->port;
1572 m_key.fib_index = local->fib_index;
1573 kv.key = m_key.as_u64;
1574 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
1576 nat_elog_err ("static_mapping_by_local key del failed");
1577 return VNET_API_ERROR_UNSPECIFIED;
1581 if (sm->num_workers > 1)
1584 .src_address = local->addr,
1586 tsm = vec_elt_at_index (sm->per_thread_data,
1587 sm->worker_in2out_cb (&ip, m->fib_index, 0));
1590 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1592 /* Delete sessions */
1593 pool_foreach (s, tsm->sessions, {
1594 if (!(is_lb_session (s)))
1597 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1598 (clib_net_to_host_u16 (s->in2out.port) != local->port))
1601 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1602 nat44_ed_delete_session (sm, s, tsm - sm->per_thread_data, 1);
1607 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1608 pool_free (m->locals);
1610 vec_free (m->workers);
1612 pool_put (sm->static_mappings, m);
1619 nat44_lb_static_mapping_add_del_local (ip4_address_t e_addr, u16 e_port,
1620 ip4_address_t l_addr, u16 l_port,
1621 snat_protocol_t proto, u32 vrf_id,
1622 u8 probability, u8 is_add)
1624 snat_main_t *sm = &snat_main;
1625 snat_static_mapping_t *m = 0;
1626 snat_session_key_t m_key;
1627 clib_bihash_kv_8_8_t kv, value;
1628 nat44_lb_addr_port_t *local, *prev_local, *match_local = 0;
1629 snat_main_per_thread_data_t *tsm;
1635 if (!sm->endpoint_dependent)
1636 return VNET_API_ERROR_FEATURE_DISABLED;
1638 m_key.addr = e_addr;
1639 m_key.port = e_port;
1640 m_key.protocol = proto;
1641 m_key.fib_index = 0;
1642 kv.key = m_key.as_u64;
1643 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1644 m = pool_elt_at_index (sm->static_mappings, value.value);
1647 return VNET_API_ERROR_NO_SUCH_ENTRY;
1649 if (!is_lb_static_mapping (m))
1650 return VNET_API_ERROR_INVALID_VALUE;
1653 pool_foreach (local, m->locals,
1655 if ((local->addr.as_u32 == l_addr.as_u32) && (local->port == l_port) &&
1656 (local->vrf_id == vrf_id))
1658 match_local = local;
1667 return VNET_API_ERROR_VALUE_EXIST;
1669 pool_get (m->locals, local);
1670 clib_memset (local, 0, sizeof (*local));
1671 local->addr.as_u32 = l_addr.as_u32;
1672 local->port = l_port;
1673 local->probability = probability;
1674 local->vrf_id = vrf_id;
1676 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1679 if (!is_out2in_only_static_mapping (m))
1681 m_key.addr = l_addr;
1682 m_key.port = l_port;
1683 m_key.fib_index = local->fib_index;
1684 kv.key = m_key.as_u64;
1685 kv.value = m - sm->static_mappings;
1686 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1))
1687 nat_elog_err ("static_mapping_by_local key add failed");
1693 return VNET_API_ERROR_NO_SUCH_ENTRY;
1695 if (pool_elts (m->locals) < 3)
1696 return VNET_API_ERROR_UNSPECIFIED;
1698 fib_table_unlock (match_local->fib_index, FIB_PROTOCOL_IP4,
1701 if (!is_out2in_only_static_mapping (m))
1703 m_key.addr = l_addr;
1704 m_key.port = l_port;
1705 m_key.fib_index = match_local->fib_index;
1706 kv.key = m_key.as_u64;
1707 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0))
1708 nat_elog_err ("static_mapping_by_local key del failed");
1711 if (sm->num_workers > 1)
1714 .src_address = local->addr,
1716 tsm = vec_elt_at_index (sm->per_thread_data,
1717 sm->worker_in2out_cb (&ip, m->fib_index,
1721 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1723 /* Delete sessions */
1725 pool_foreach (s, tsm->sessions, {
1726 if (!(is_lb_session (s)))
1729 if ((s->in2out.addr.as_u32 != match_local->addr.as_u32) ||
1730 (clib_net_to_host_u16 (s->in2out.port) != match_local->port))
1733 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1734 nat44_ed_delete_session (sm, s, tsm - sm->per_thread_data, 1);
1738 pool_put (m->locals, match_local);
1741 vec_free (m->workers);
1744 pool_foreach (local, m->locals,
1746 vec_add1 (locals, local - m->locals);
1747 if (sm->num_workers > 1)
1750 ip.src_address.as_u32 = local->addr.as_u32,
1751 bitmap = clib_bitmap_set (bitmap,
1752 sm->worker_in2out_cb (&ip, local->fib_index, 0),
1758 ASSERT (vec_len (locals) > 1);
1760 local = pool_elt_at_index (m->locals, locals[0]);
1761 local->prefix = local->probability;
1762 for (i = 1; i < vec_len (locals); i++)
1764 local = pool_elt_at_index (m->locals, locals[i]);
1765 prev_local = pool_elt_at_index (m->locals, locals[i - 1]);
1766 local->prefix = local->probability + prev_local->prefix;
1769 /* Assign workers */
1770 if (sm->num_workers > 1)
1773 clib_bitmap_foreach (i, bitmap, ({ vec_add1(m->workers, i); }));
1781 snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
1784 snat_address_t *a = 0;
1785 snat_session_t *ses;
1786 u32 *ses_to_be_removed = 0, *ses_index;
1787 snat_main_per_thread_data_t *tsm;
1788 snat_static_mapping_t *m;
1789 snat_interface_t *interface;
1791 snat_address_t *addresses =
1792 twice_nat ? sm->twice_nat_addresses : sm->addresses;
1794 /* Find SNAT address */
1795 for (i = 0; i < vec_len (addresses); i++)
1797 if (addresses[i].addr.as_u32 == addr.as_u32)
1804 return VNET_API_ERROR_NO_SUCH_ENTRY;
1809 pool_foreach (m, sm->static_mappings,
1811 if (m->external_addr.as_u32 == addr.as_u32)
1812 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1813 m->local_port, m->external_port,
1814 m->vrf_id, is_addr_only_static_mapping(m), ~0,
1815 m->proto, 0, m->twice_nat,
1816 is_out2in_only_static_mapping(m), m->tag, is_identity_static_mapping(m));
1822 /* Check if address is used in some static mapping */
1823 if (is_snat_address_used_in_static_mapping (sm, addr))
1825 nat_elog_notice ("address used in static mapping");
1826 return VNET_API_ERROR_UNSPECIFIED;
1830 if (a->fib_index != ~0)
1831 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, nat_fib_src_low);
1833 /* Delete sessions using address */
1834 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1837 vec_foreach (tsm, sm->per_thread_data)
1839 pool_foreach (ses, tsm->sessions, ({
1840 if (ses->out2in.addr.as_u32 == addr.as_u32)
1842 nat_free_session_data (sm, ses, tsm - sm->per_thread_data, 0);
1843 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1847 if (sm->endpoint_dependent){
1848 vec_foreach (ses_index, ses_to_be_removed)
1850 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1851 nat44_ed_delete_session (sm, ses, tsm - sm->per_thread_data, 1);
1854 vec_foreach (ses_index, ses_to_be_removed)
1856 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1857 nat44_delete_session (sm, ses, tsm - sm->per_thread_data);
1861 vec_free (ses_to_be_removed);
1866 #define _(N, i, n, s) \
1867 vec_free (a->busy_##n##_ports_per_thread);
1868 foreach_snat_protocol
1872 vec_del1 (sm->twice_nat_addresses, i);
1876 vec_del1 (sm->addresses, i);
1878 /* Delete external address from FIB */
1880 pool_foreach (interface, sm->interfaces,
1882 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1885 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1888 pool_foreach (interface, sm->output_feature_interfaces,
1890 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1893 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1902 snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
1904 snat_main_t *sm = &snat_main;
1905 snat_interface_t *i;
1906 const char *feature_name, *del_feature_name;
1908 snat_static_mapping_t *m;
1910 nat_outside_fib_t *outside_fib;
1911 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1914 if (sm->out2in_dpo && !is_inside)
1915 return VNET_API_ERROR_UNSUPPORTED;
1918 pool_foreach (i, sm->output_feature_interfaces,
1920 if (i->sw_if_index == sw_if_index)
1921 return VNET_API_ERROR_VALUE_EXIST;
1925 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1926 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
1929 if (sm->num_workers > 1 && !sm->deterministic)
1931 is_inside ? "nat44-in2out-worker-handoff" :
1932 "nat44-out2in-worker-handoff";
1933 else if (sm->deterministic)
1934 feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in";
1935 else if (sm->endpoint_dependent)
1937 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1940 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
1943 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1944 sm->fq_in2out_index =
1945 vlib_frame_queue_main_init (sm->handoff_in2out_index, NAT_FQ_NELTS);
1947 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1948 sm->fq_out2in_index =
1949 vlib_frame_queue_main_init (sm->handoff_out2in_index, NAT_FQ_NELTS);
1954 vec_foreach (outside_fib, sm->outside_fibs)
1956 if (outside_fib->fib_index == fib_index)
1960 outside_fib->refcount--;
1961 if (!outside_fib->refcount)
1962 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1965 outside_fib->refcount++;
1972 vec_add2 (sm->outside_fibs, outside_fib, 1);
1973 outside_fib->refcount = 1;
1974 outside_fib->fib_index = fib_index;
1979 pool_foreach (i, sm->interfaces,
1981 if (i->sw_if_index == sw_if_index)
1985 if (nat_interface_is_inside(i) && nat_interface_is_outside(i))
1988 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1990 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1992 if (sm->num_workers > 1 && !sm->deterministic)
1994 del_feature_name = "nat44-handoff-classify";
1995 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1996 "nat44-out2in-worker-handoff";
1998 else if (sm->deterministic)
2000 del_feature_name = "nat44-det-classify";
2001 feature_name = !is_inside ? "nat44-det-in2out" :
2004 else if (sm->endpoint_dependent)
2006 del_feature_name = "nat44-ed-classify";
2007 feature_name = !is_inside ? "nat-pre-in2out" :
2012 del_feature_name = "nat44-classify";
2013 feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
2016 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
2019 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
2020 sw_if_index, 0, 0, 0);
2021 vnet_feature_enable_disable ("ip4-unicast", feature_name,
2022 sw_if_index, 1, 0, 0);
2025 if (sm->endpoint_dependent)
2026 vnet_feature_enable_disable ("ip4-local",
2027 "nat44-ed-hairpinning",
2028 sw_if_index, 1, 0, 0);
2029 else if (!sm->deterministic)
2030 vnet_feature_enable_disable ("ip4-local",
2031 "nat44-hairpinning",
2032 sw_if_index, 1, 0, 0);
2037 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
2040 vnet_feature_enable_disable ("ip4-unicast", feature_name,
2041 sw_if_index, 0, 0, 0);
2042 pool_put (sm->interfaces, i);
2045 if (sm->endpoint_dependent)
2046 vnet_feature_enable_disable ("ip4-local",
2047 "nat44-ed-hairpinning",
2048 sw_if_index, 0, 0, 0);
2049 else if (!sm->deterministic)
2050 vnet_feature_enable_disable ("ip4-local",
2051 "nat44-hairpinning",
2052 sw_if_index, 0, 0, 0);
2058 if ((nat_interface_is_inside(i) && is_inside) ||
2059 (nat_interface_is_outside(i) && !is_inside))
2062 if (sm->num_workers > 1 && !sm->deterministic)
2064 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
2065 "nat44-out2in-worker-handoff";
2066 feature_name = "nat44-handoff-classify";
2068 else if (sm->deterministic)
2070 del_feature_name = !is_inside ? "nat44-det-in2out" :
2072 feature_name = "nat44-det-classify";
2074 else if (sm->endpoint_dependent)
2076 del_feature_name = !is_inside ? "nat-pre-in2out" :
2079 feature_name = "nat44-ed-classify";
2083 del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
2084 feature_name = "nat44-classify";
2087 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
2090 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
2091 sw_if_index, 0, 0, 0);
2092 vnet_feature_enable_disable ("ip4-unicast", feature_name,
2093 sw_if_index, 1, 0, 0);
2096 if (sm->endpoint_dependent)
2097 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
2098 sw_if_index, 0, 0, 0);
2099 else if (!sm->deterministic)
2100 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
2101 sw_if_index, 0, 0, 0);
2112 return VNET_API_ERROR_NO_SUCH_ENTRY;
2114 pool_get (sm->interfaces, i);
2115 i->sw_if_index = sw_if_index;
2117 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0,
2120 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
2124 if (is_inside && !sm->out2in_dpo)
2126 if (sm->endpoint_dependent)
2127 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
2128 sw_if_index, 1, 0, 0);
2129 else if (!sm->deterministic)
2130 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
2131 sw_if_index, 1, 0, 0);
2137 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2141 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2143 /* Add/delete external addresses to FIB */
2146 vec_foreach (ap, sm->addresses)
2147 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
2149 pool_foreach (m, sm->static_mappings,
2151 if (!(is_addr_only_static_mapping(m)) || (m->local_addr.as_u32 == m->external_addr.as_u32))
2154 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
2157 pool_foreach (dm, sm->det_maps,
2159 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
2167 snat_interface_add_del_output_feature (u32 sw_if_index,
2168 u8 is_inside, int is_del)
2170 snat_main_t *sm = &snat_main;
2171 snat_interface_t *i;
2173 snat_static_mapping_t *m;
2174 nat_outside_fib_t *outside_fib;
2175 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2179 if (sm->deterministic ||
2180 (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)))
2181 return VNET_API_ERROR_UNSUPPORTED;
2184 pool_foreach (i, sm->interfaces,
2186 if (i->sw_if_index == sw_if_index)
2187 return VNET_API_ERROR_VALUE_EXIST;
2194 vec_foreach (outside_fib, sm->outside_fibs)
2196 if (outside_fib->fib_index == fib_index)
2200 outside_fib->refcount--;
2201 if (!outside_fib->refcount)
2202 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2205 outside_fib->refcount++;
2212 vec_add2 (sm->outside_fibs, outside_fib, 1);
2213 outside_fib->refcount = 1;
2214 outside_fib->fib_index = fib_index;
2221 if (sm->endpoint_dependent)
2224 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2228 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2232 vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst",
2233 sw_if_index, !is_del, 0, 0);
2234 vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src",
2235 sw_if_index, !is_del, 0, 0);
2240 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2244 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2248 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
2249 sw_if_index, !is_del, 0, 0);
2250 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
2251 sw_if_index, !is_del, 0, 0);
2256 if (sm->num_workers > 1)
2258 int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2262 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, !is_del);
2265 vnet_feature_enable_disable ("ip4-unicast",
2266 "nat44-out2in-worker-handoff",
2267 sw_if_index, !is_del, 0, 0);
2268 vnet_feature_enable_disable ("ip4-output",
2269 "nat44-in2out-output-worker-handoff",
2270 sw_if_index, !is_del, 0, 0);
2274 if (sm->endpoint_dependent)
2277 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2281 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2285 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
2286 sw_if_index, !is_del, 0, 0);
2287 vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output",
2288 sw_if_index, !is_del, 0, 0);
2293 ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
2297 ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
2301 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in",
2302 sw_if_index, !is_del, 0, 0);
2303 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
2304 sw_if_index, !is_del, 0, 0);
2309 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
2310 sm->fq_in2out_output_index =
2311 vlib_frame_queue_main_init (sm->handoff_in2out_output_index, 0);
2313 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
2314 sm->fq_out2in_index =
2315 vlib_frame_queue_main_init (sm->handoff_out2in_index, 0);
2318 pool_foreach (i, sm->output_feature_interfaces,
2320 if (i->sw_if_index == sw_if_index)
2323 pool_put (sm->output_feature_interfaces, i);
2325 return VNET_API_ERROR_VALUE_EXIST;
2333 return VNET_API_ERROR_NO_SUCH_ENTRY;
2335 pool_get (sm->output_feature_interfaces, i);
2336 i->sw_if_index = sw_if_index;
2339 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2341 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2343 /* Add/delete external addresses to FIB */
2349 vec_foreach (ap, sm->addresses)
2350 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
2352 pool_foreach (m, sm->static_mappings,
2354 if (!((is_addr_only_static_mapping(m))) || (m->local_addr.as_u32 == m->external_addr.as_u32))
2357 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
2365 snat_set_workers (uword * bitmap)
2367 snat_main_t *sm = &snat_main;
2370 if (sm->num_workers < 2)
2371 return VNET_API_ERROR_FEATURE_DISABLED;
2373 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
2374 return VNET_API_ERROR_INVALID_WORKER;
2376 vec_free (sm->workers);
2378 clib_bitmap_foreach (i, bitmap,
2380 vec_add1(sm->workers, i);
2381 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
2382 sm->per_thread_data[sm->first_worker_index + i].thread_index = i;
2387 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
2388 sm->num_snat_thread = _vec_len (sm->workers);
2394 snat_update_outside_fib (u32 sw_if_index, u32 new_fib_index,
2397 snat_main_t *sm = &snat_main;
2398 nat_outside_fib_t *outside_fib;
2399 snat_interface_t *i;
2403 if (new_fib_index == old_fib_index)
2406 if (!vec_len (sm->outside_fibs))
2410 pool_foreach (i, sm->interfaces,
2412 if (i->sw_if_index == sw_if_index)
2414 if (!(nat_interface_is_outside (i)))
2420 pool_foreach (i, sm->output_feature_interfaces,
2422 if (i->sw_if_index == sw_if_index)
2424 if (!(nat_interface_is_outside (i)))
2434 vec_foreach (outside_fib, sm->outside_fibs)
2436 if (outside_fib->fib_index == old_fib_index)
2438 outside_fib->refcount--;
2439 if (!outside_fib->refcount)
2440 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2445 vec_foreach (outside_fib, sm->outside_fibs)
2447 if (outside_fib->fib_index == new_fib_index)
2449 outside_fib->refcount++;
2457 vec_add2 (sm->outside_fibs, outside_fib, 1);
2458 outside_fib->refcount = 1;
2459 outside_fib->fib_index = new_fib_index;
2464 snat_ip4_table_bind (ip4_main_t * im,
2466 u32 sw_if_index, u32 new_fib_index, u32 old_fib_index)
2468 snat_update_outside_fib (sw_if_index, new_fib_index, old_fib_index);
2472 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
2475 ip4_address_t * address,
2477 u32 if_address_index, u32 is_delete);
2480 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
2483 ip4_address_t * address,
2485 u32 if_address_index, u32 is_delete);
2488 nat_alloc_addr_and_port_default (snat_address_t * addresses,
2491 snat_session_key_t * k,
2492 u16 port_per_thread, u32 snat_thread_index);
2495 test_ed_make_split ()
2497 ip4_address_t l_addr;
2498 l_addr.as_u8[0] = 1;
2499 l_addr.as_u8[1] = 1;
2500 l_addr.as_u8[2] = 1;
2501 l_addr.as_u8[3] = 1;
2502 ip4_address_t r_addr;
2503 r_addr.as_u8[0] = 2;
2504 r_addr.as_u8[1] = 2;
2505 r_addr.as_u8[2] = 2;
2506 r_addr.as_u8[3] = 2;
2510 u32 fib_index = 9000001;
2512 clib_bihash_kv_16_8_t kv;
2513 make_ed_kv (&l_addr, &r_addr, proto, fib_index, l_port, r_port, value, &kv);
2514 ip4_address_t l_addr2;
2515 ip4_address_t r_addr2;
2516 clib_memset (&l_addr2, 0, sizeof (l_addr2));
2517 clib_memset (&r_addr2, 0, sizeof (r_addr2));
2522 split_ed_kv (&kv, &l_addr2, &r_addr2, &proto2, &fib_index2, &l_port2,
2524 u64 value2 = kv.value;
2525 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2526 ASSERT (r_addr.as_u32 == r_addr2.as_u32);
2527 ASSERT (l_port == l_port2);
2528 ASSERT (r_port == r_port2);
2529 ASSERT (proto == proto2);
2530 ASSERT (fib_index == fib_index2);
2531 ASSERT (value == value2);
2534 static clib_error_t *
2535 snat_init (vlib_main_t * vm)
2537 snat_main_t *sm = &snat_main;
2538 clib_error_t *error = 0;
2539 ip4_main_t *im = &ip4_main;
2540 ip_lookup_main_t *lm = &im->lookup_main;
2542 vlib_thread_registration_t *tr;
2543 vlib_thread_main_t *tm = vlib_get_thread_main ();
2546 ip4_add_del_interface_address_callback_t cb4;
2550 sm->vnet_main = vnet_get_main ();
2552 sm->ip4_lookup_main = lm;
2553 sm->api_main = vlibapi_get_main ();
2554 sm->first_worker_index = 0;
2555 sm->num_workers = 0;
2556 sm->num_snat_thread = 1;
2558 sm->port_per_thread = 0xffff - 1024;
2559 sm->fq_in2out_index = ~0;
2560 sm->fq_in2out_output_index = ~0;
2561 sm->fq_out2in_index = ~0;
2563 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
2564 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
2565 sm->forwarding_enabled = 0;
2566 sm->log_class = vlib_log_register_class ("nat", 0);
2567 sm->log_level = SNAT_LOG_ERROR;
2568 sm->mss_clamping = 0;
2570 node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
2571 sm->error_node_index = node->index;
2573 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-in2out");
2574 sm->pre_in2out_node_index = node->index;
2575 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-out2in");
2576 sm->pre_out2in_node_index = node->index;
2578 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-in2out");
2579 sm->pre_in2out_node_index = node->index;
2581 node = vlib_get_node_by_name (vm, (u8 *) "nat-pre-out2in");
2582 sm->pre_out2in_node_index = node->index;
2584 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out");
2585 sm->in2out_node_index = node->index;
2586 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output");
2587 sm->in2out_output_node_index = node->index;
2588 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-fast");
2589 sm->in2out_fast_node_index = node->index;
2590 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-slowpath");
2591 sm->in2out_slowpath_node_index = node->index;
2592 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output-slowpath");
2593 sm->in2out_slowpath_output_node_index = node->index;
2595 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
2596 sm->ed_in2out_node_index = node->index;
2597 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-slowpath");
2598 sm->ed_in2out_slowpath_node_index = node->index;
2600 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in");
2601 sm->out2in_node_index = node->index;
2602 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in-fast");
2603 sm->out2in_fast_node_index = node->index;
2605 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
2606 sm->ed_out2in_node_index = node->index;
2607 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in-slowpath");
2608 sm->ed_out2in_slowpath_node_index = node->index;
2610 node = vlib_get_node_by_name (vm, (u8 *) "nat44-det-in2out");
2611 sm->det_in2out_node_index = node->index;
2612 node = vlib_get_node_by_name (vm, (u8 *) "nat44-det-out2in");
2613 sm->det_out2in_node_index = node->index;
2615 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpinning");
2616 sm->hairpinning_node_index = node->index;
2617 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-dst");
2618 sm->hairpin_dst_node_index = node->index;
2619 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-src");
2620 sm->hairpin_src_node_index = node->index;
2621 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpinning");
2622 sm->ed_hairpinning_node_index = node->index;
2623 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-dst");
2624 sm->ed_hairpin_dst_node_index = node->index;
2625 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-src");
2626 sm->ed_hairpin_src_node_index = node->index;
2628 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
2631 tr = (vlib_thread_registration_t *) p[0];
2634 sm->num_workers = tr->count;
2635 sm->first_worker_index = tr->first_index;
2639 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
2641 /* Use all available workers by default */
2642 if (sm->num_workers > 1)
2644 for (i = 0; i < sm->num_workers; i++)
2645 bitmap = clib_bitmap_set (bitmap, i, 1);
2646 snat_set_workers (bitmap);
2647 clib_bitmap_free (bitmap);
2651 sm->per_thread_data[0].snat_thread_index = 0;
2654 error = snat_api_init (vm, sm);
2658 /* Set up the interface address add/del callback */
2659 cb4.function = snat_ip4_add_del_interface_address_cb;
2660 cb4.function_opaque = 0;
2662 vec_add1 (im->add_del_interface_address_callbacks, cb4);
2664 cb4.function = nat_ip4_add_del_addr_only_sm_cb;
2665 cb4.function_opaque = 0;
2667 vec_add1 (im->add_del_interface_address_callbacks, cb4);
2669 nat_dpo_module_init ();
2672 sm->total_users.name = "total-users";
2673 sm->total_users.stat_segment_name = "/nat44/total-users";
2674 vlib_validate_simple_counter (&sm->total_users, 0);
2675 vlib_zero_simple_counter (&sm->total_users, 0);
2676 sm->total_sessions.name = "total-sessions";
2677 sm->total_sessions.stat_segment_name = "/nat44/total-sessions";
2678 vlib_validate_simple_counter (&sm->total_sessions, 0);
2679 vlib_zero_simple_counter (&sm->total_sessions, 0);
2681 /* Init IPFIX logging */
2682 snat_ipfix_logging_init (vm);
2685 error = nat64_init (vm);
2691 ip4_table_bind_callback_t cbt4 = {
2692 .function = snat_ip4_table_bind,
2694 vec_add1 (ip4_main.table_bind_callbacks, cbt4);
2696 nat_fib_src_hi = fib_source_allocate ("nat-hi",
2697 FIB_SOURCE_PRIORITY_HI,
2698 FIB_SOURCE_BH_SIMPLE);
2699 nat_fib_src_low = fib_source_allocate ("nat-low",
2700 FIB_SOURCE_PRIORITY_LOW,
2701 FIB_SOURCE_BH_SIMPLE);
2703 test_ed_make_split ();
2707 VLIB_INIT_FUNCTION (snat_init);
2710 snat_free_outside_address_and_port (snat_address_t * addresses,
2711 u32 thread_index, snat_session_key_t * k)
2715 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
2717 for (address_index = 0; address_index < vec_len (addresses);
2720 if (addresses[address_index].addr.as_u32 == k->addr.as_u32)
2724 ASSERT (address_index < vec_len (addresses));
2726 a = addresses + address_index;
2728 switch (k->protocol)
2730 #define _(N, i, n, s) \
2731 case SNAT_PROTOCOL_##N: \
2732 ASSERT (a->busy_##n##_port_refcounts[port_host_byte_order] >= 1); \
2733 --a->busy_##n##_port_refcounts[port_host_byte_order]; \
2734 a->busy_##n##_ports--; \
2735 a->busy_##n##_ports_per_thread[thread_index]--; \
2737 foreach_snat_protocol
2740 nat_elog_info ("unknown protocol");
2746 nat_set_outside_address_and_port (snat_address_t * addresses,
2747 u32 thread_index, snat_session_key_t * k)
2749 snat_address_t *a = 0;
2751 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
2753 for (address_index = 0; address_index < vec_len (addresses);
2756 if (addresses[address_index].addr.as_u32 != k->addr.as_u32)
2759 a = addresses + address_index;
2760 switch (k->protocol)
2762 #define _(N, j, n, s) \
2763 case SNAT_PROTOCOL_##N: \
2764 if (a->busy_##n##_port_refcounts[port_host_byte_order]) \
2765 return VNET_API_ERROR_INSTANCE_IN_USE; \
2766 ++a->busy_##n##_port_refcounts[port_host_byte_order]; \
2767 a->busy_##n##_ports_per_thread[thread_index]++; \
2768 a->busy_##n##_ports++; \
2770 foreach_snat_protocol
2773 nat_elog_info ("unknown protocol");
2778 return VNET_API_ERROR_NO_SUCH_ENTRY;
2782 snat_static_mapping_match (snat_main_t * sm,
2783 snat_session_key_t match,
2784 snat_session_key_t * mapping,
2787 twice_nat_type_t * twice_nat,
2788 lb_nat_type_t * lb, ip4_address_t * ext_host_addr,
2789 u8 * is_identity_nat)
2791 clib_bihash_kv_8_8_t kv, value;
2792 snat_static_mapping_t *m;
2793 snat_session_key_t m_key;
2794 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
2795 u32 rand, lo = 0, hi, mid, *tmp = 0, i;
2797 nat44_lb_addr_port_t *local;
2799 m_key.fib_index = match.fib_index;
2802 mapping_hash = &sm->static_mapping_by_external;
2803 m_key.fib_index = 0;
2806 m_key.addr = match.addr;
2807 m_key.port = clib_net_to_host_u16 (match.port);
2808 m_key.protocol = match.protocol;
2810 kv.key = m_key.as_u64;
2812 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2814 /* Try address only mapping */
2817 kv.key = m_key.as_u64;
2818 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2822 m = pool_elt_at_index (sm->static_mappings, value.value);
2826 if (is_lb_static_mapping (m))
2828 if (PREDICT_FALSE (lb != 0))
2829 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
2830 if (m->affinity && !nat_affinity_find_and_lock (ext_host_addr[0],
2836 local = pool_elt_at_index (m->locals, backend_index);
2837 mapping->addr = local->addr;
2838 mapping->port = clib_host_to_net_u16 (local->port);
2839 mapping->fib_index = local->fib_index;
2842 // pick locals matching this worker
2843 if (PREDICT_FALSE (sm->num_workers > 1))
2845 u32 thread_index = vlib_get_thread_index ();
2847 pool_foreach_index (i, m->locals,
2849 local = pool_elt_at_index (m->locals, i);
2852 .src_address = local->addr,
2855 if (sm->worker_in2out_cb (&ip, m->fib_index, 0) ==
2862 ASSERT (vec_len (tmp) != 0);
2867 pool_foreach_index (i, m->locals,
2873 hi = vec_len (tmp) - 1;
2874 local = pool_elt_at_index (m->locals, tmp[hi]);
2875 rand = 1 + (random_u32 (&sm->random_seed) % local->prefix);
2878 mid = ((hi - lo) >> 1) + lo;
2879 local = pool_elt_at_index (m->locals, tmp[mid]);
2880 (rand > local->prefix) ? (lo = mid + 1) : (hi = mid);
2882 local = pool_elt_at_index (m->locals, tmp[lo]);
2883 if (!(local->prefix >= rand))
2885 mapping->addr = local->addr;
2886 mapping->port = clib_host_to_net_u16 (local->port);
2887 mapping->fib_index = local->fib_index;
2890 if (nat_affinity_create_and_lock (ext_host_addr[0], match.addr,
2891 match.protocol, match.port,
2892 tmp[lo], m->affinity,
2893 m->affinity_per_service_list_head_index))
2894 nat_elog_info ("create affinity record failed");
2900 if (PREDICT_FALSE (lb != 0))
2902 mapping->fib_index = m->fib_index;
2903 mapping->addr = m->local_addr;
2904 /* Address only mapping doesn't change port */
2905 mapping->port = is_addr_only_static_mapping (m) ? match.port
2906 : clib_host_to_net_u16 (m->local_port);
2908 mapping->protocol = m->proto;
2912 mapping->addr = m->external_addr;
2913 /* Address only mapping doesn't change port */
2914 mapping->port = is_addr_only_static_mapping (m) ? match.port
2915 : clib_host_to_net_u16 (m->external_port);
2916 mapping->fib_index = sm->outside_fib_index;
2920 if (PREDICT_FALSE (is_addr_only != 0))
2921 *is_addr_only = is_addr_only_static_mapping (m);
2923 if (PREDICT_FALSE (twice_nat != 0))
2924 *twice_nat = m->twice_nat;
2926 if (PREDICT_FALSE (is_identity_nat != 0))
2927 *is_identity_nat = is_identity_static_mapping (m);
2932 static_always_inline u16
2933 snat_random_port (u16 min, u16 max)
2935 snat_main_t *sm = &snat_main;
2936 return min + random_u32 (&sm->random_seed) /
2937 (random_u32_max () / (max - min + 1) + 1);
2941 snat_alloc_outside_address_and_port (snat_address_t * addresses,
2944 snat_session_key_t * k,
2945 u16 port_per_thread,
2946 u32 snat_thread_index)
2948 snat_main_t *sm = &snat_main;
2950 return sm->alloc_addr_and_port (addresses, fib_index, thread_index, k,
2951 port_per_thread, snat_thread_index);
2955 nat_alloc_addr_and_port_default (snat_address_t * addresses,
2958 snat_session_key_t * k,
2959 u16 port_per_thread, u32 snat_thread_index)
2962 snat_address_t *a, *ga = 0;
2965 for (i = 0; i < vec_len (addresses); i++)
2968 switch (k->protocol)
2970 #define _(N, j, n, s) \
2971 case SNAT_PROTOCOL_##N: \
2972 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
2974 if (a->fib_index == fib_index) \
2978 portnum = (port_per_thread * \
2979 snat_thread_index) + \
2980 snat_random_port(1, port_per_thread) + 1024; \
2981 if (a->busy_##n##_port_refcounts[portnum]) \
2983 --a->busy_##n##_port_refcounts[portnum]; \
2984 a->busy_##n##_ports_per_thread[thread_index]++; \
2985 a->busy_##n##_ports++; \
2986 k->addr = a->addr; \
2987 k->port = clib_host_to_net_u16(portnum); \
2991 else if (a->fib_index == ~0) \
2997 foreach_snat_protocol
3000 nat_elog_info ("unknown protocol");
3009 switch (k->protocol)
3011 #define _(N, j, n, s) \
3012 case SNAT_PROTOCOL_##N: \
3015 portnum = (port_per_thread * \
3016 snat_thread_index) + \
3017 snat_random_port(1, port_per_thread) + 1024; \
3018 if (a->busy_##n##_port_refcounts[portnum]) \
3020 ++a->busy_##n##_port_refcounts[portnum]; \
3021 a->busy_##n##_ports_per_thread[thread_index]++; \
3022 a->busy_##n##_ports++; \
3023 k->addr = a->addr; \
3024 k->port = clib_host_to_net_u16(portnum); \
3028 foreach_snat_protocol
3031 nat_elog_info ("unknown protocol");
3036 /* Totally out of translations to use... */
3037 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
3042 nat_alloc_addr_and_port_mape (snat_address_t * addresses,
3045 snat_session_key_t * k,
3046 u16 port_per_thread, u32 snat_thread_index)
3048 snat_main_t *sm = &snat_main;
3049 snat_address_t *a = addresses;
3050 u16 m, ports, portnum, A, j;
3051 m = 16 - (sm->psid_offset + sm->psid_length);
3052 ports = (1 << (16 - sm->psid_length)) - (1 << m);
3054 if (!vec_len (addresses))
3057 switch (k->protocol)
3059 #define _(N, i, n, s) \
3060 case SNAT_PROTOCOL_##N: \
3061 if (a->busy_##n##_ports < ports) \
3065 A = snat_random_port(1, pow2_mask(sm->psid_offset)); \
3066 j = snat_random_port(0, pow2_mask(m)); \
3067 portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \
3068 if (a->busy_##n##_port_refcounts[portnum]) \
3070 ++a->busy_##n##_port_refcounts[portnum]; \
3071 a->busy_##n##_ports++; \
3072 k->addr = a->addr; \
3073 k->port = clib_host_to_net_u16 (portnum); \
3078 foreach_snat_protocol
3081 nat_elog_info ("unknown protocol");
3086 /* Totally out of translations to use... */
3087 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
3092 nat_alloc_addr_and_port_range (snat_address_t * addresses,
3095 snat_session_key_t * k,
3096 u16 port_per_thread, u32 snat_thread_index)
3098 snat_main_t *sm = &snat_main;
3099 snat_address_t *a = addresses;
3102 ports = sm->end_port - sm->start_port + 1;
3104 if (!vec_len (addresses))
3107 switch (k->protocol)
3109 #define _(N, i, n, s) \
3110 case SNAT_PROTOCOL_##N: \
3111 if (a->busy_##n##_ports < ports) \
3115 portnum = snat_random_port(sm->start_port, sm->end_port); \
3116 if (a->busy_##n##_port_refcounts[portnum]) \
3118 ++a->busy_##n##_port_refcounts[portnum]; \
3119 a->busy_##n##_ports++; \
3120 k->addr = a->addr; \
3121 k->port = clib_host_to_net_u16 (portnum); \
3126 foreach_snat_protocol
3129 nat_elog_info ("unknown protocol");
3134 /* Totally out of translations to use... */
3135 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
3140 nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add)
3142 dpo_id_t dpo_v4 = DPO_INVALID;
3143 fib_prefix_t pfx = {
3144 .fp_proto = FIB_PROTOCOL_IP4,
3146 .fp_addr.ip4.as_u32 = addr.as_u32,
3151 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
3152 fib_table_entry_special_dpo_add (0, &pfx, nat_fib_src_hi,
3153 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
3154 dpo_reset (&dpo_v4);
3158 fib_table_entry_special_remove (0, &pfx, nat_fib_src_hi);
3163 format_session_kvp (u8 * s, va_list * args)
3165 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3166 snat_session_key_t k;
3170 s = format (s, "%U session-index %llu", format_snat_key, &k, v->value);
3176 format_static_mapping_kvp (u8 * s, va_list * args)
3178 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3179 snat_session_key_t k;
3183 s = format (s, "%U static-mapping-index %llu",
3184 format_static_mapping_key, &k, v->value);
3190 format_user_kvp (u8 * s, va_list * args)
3192 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
3197 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
3198 k.fib_index, v->value);
3204 format_ed_session_kvp (u8 * s, va_list * args)
3206 clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *);
3210 ip4_address_t l_addr, r_addr;
3213 split_ed_kv (v, &l_addr, &r_addr, &proto, &fib_index, &l_port, &r_port);
3215 format (s, "local %U:%d remote %U:%d proto %U fib %d session-index %llu",
3216 format_ip4_address, &l_addr, clib_net_to_host_u16 (l_port),
3217 format_ip4_address, &r_addr, clib_net_to_host_u16 (r_port),
3218 format_ip_protocol, proto, fib_index, v->value);
3224 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0,
3227 snat_main_t *sm = &snat_main;
3228 u32 next_worker_index = 0;
3231 next_worker_index = sm->first_worker_index;
3232 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
3233 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
3235 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
3236 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
3238 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
3240 return next_worker_index;
3244 snat_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip0,
3245 u32 rx_fib_index0, u8 is_output)
3247 snat_main_t *sm = &snat_main;
3250 snat_session_key_t m_key;
3251 clib_bihash_kv_8_8_t kv, value;
3252 snat_static_mapping_t *m;
3254 u32 next_worker_index = 0;
3256 /* first try static mappings without port */
3257 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3259 m_key.addr = ip0->dst_address;
3262 m_key.fib_index = rx_fib_index0;
3263 kv.key = m_key.as_u64;
3264 if (!clib_bihash_search_8_8
3265 (&sm->static_mapping_by_external, &kv, &value))
3267 m = pool_elt_at_index (sm->static_mappings, value.value);
3268 return m->workers[0];
3272 proto = ip_proto_to_snat_proto (ip0->protocol);
3273 udp = ip4_next_header (ip0);
3274 port = udp->dst_port;
3276 /* unknown protocol */
3277 if (PREDICT_FALSE (proto == ~0))
3279 /* use current thread */
3280 return vlib_get_thread_index ();
3283 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
3285 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3286 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3287 if (!icmp_type_is_error_message
3288 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
3289 port = vnet_buffer (b)->ip.reass.l4_src_port;
3292 /* if error message, then it's not fragmented and we can access it */
3293 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3294 proto = ip_proto_to_snat_proto (inner_ip->protocol);
3295 void *l4_header = ip4_next_header (inner_ip);
3298 case SNAT_PROTOCOL_ICMP:
3299 icmp = (icmp46_header_t *) l4_header;
3300 echo = (icmp_echo_header_t *) (icmp + 1);
3301 port = echo->identifier;
3303 case SNAT_PROTOCOL_UDP:
3304 case SNAT_PROTOCOL_TCP:
3305 port = ((tcp_udp_header_t *) l4_header)->src_port;
3308 return vlib_get_thread_index ();
3313 /* try static mappings with port */
3314 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3316 m_key.addr = ip0->dst_address;
3317 m_key.port = clib_net_to_host_u16 (port);
3318 m_key.protocol = proto;
3319 m_key.fib_index = rx_fib_index0;
3320 kv.key = m_key.as_u64;
3321 if (!clib_bihash_search_8_8
3322 (&sm->static_mapping_by_external, &kv, &value))
3324 m = pool_elt_at_index (sm->static_mappings, value.value);
3325 return m->workers[0];
3329 /* worker by outside port */
3330 next_worker_index = sm->first_worker_index;
3331 next_worker_index +=
3332 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3333 return next_worker_index;
3337 nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 rx_fib_index,
3340 snat_main_t *sm = &snat_main;
3341 u32 next_worker_index = sm->first_worker_index;
3344 clib_bihash_kv_16_8_t kv16, value16;
3345 snat_main_per_thread_data_t *tsm;
3348 if (PREDICT_FALSE (is_output))
3350 u32 fib_index = sm->outside_fib_index;
3351 nat_outside_fib_t *outside_fib;
3352 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3353 fib_prefix_t pfx = {
3354 .fp_proto = FIB_PROTOCOL_IP4,
3357 .ip4.as_u32 = ip->dst_address.as_u32,
3362 udp = ip4_next_header (ip);
3364 switch (vec_len (sm->outside_fibs))
3367 fib_index = sm->outside_fib_index;
3370 fib_index = sm->outside_fibs[0].fib_index;
3374 vec_foreach (outside_fib, sm->outside_fibs)
3376 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
3377 if (FIB_NODE_INDEX_INVALID != fei)
3379 if (fib_entry_get_resolving_interface (fei) != ~0)
3381 fib_index = outside_fib->fib_index;
3390 make_ed_kv (&ip->src_address, &ip->dst_address,
3391 ip->protocol, fib_index, udp->src_port, udp->dst_port,
3395 vec_foreach (tsm, sm->per_thread_data)
3397 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&tsm->out2in_ed,
3400 next_worker_index += tsm->thread_index;
3402 nat_elog_debug_handoff (
3403 "HANDOFF IN2OUT-OUTPUT-FEATURE (session)",
3404 next_worker_index, fib_index,
3405 clib_net_to_host_u32 (ip->src_address.as_u32),
3406 clib_net_to_host_u32 (ip->dst_address.as_u32));
3408 return next_worker_index;
3414 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3415 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3417 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
3418 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
3420 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
3422 if (PREDICT_TRUE (!is_output))
3424 nat_elog_debug_handoff ("HANDOFF IN2OUT",
3425 next_worker_index, rx_fib_index,
3426 clib_net_to_host_u32 (ip->src_address.as_u32),
3427 clib_net_to_host_u32 (ip->dst_address.as_u32));
3431 nat_elog_debug_handoff ("HANDOFF IN2OUT-OUTPUT-FEATURE",
3432 next_worker_index, rx_fib_index,
3433 clib_net_to_host_u32 (ip->src_address.as_u32),
3434 clib_net_to_host_u32 (ip->dst_address.as_u32));
3437 return next_worker_index;
3441 nat44_ed_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip,
3442 u32 rx_fib_index, u8 is_output)
3444 snat_main_t *sm = &snat_main;
3445 clib_bihash_kv_8_8_t kv, value;
3446 clib_bihash_kv_16_8_t kv16, value16;
3447 snat_main_per_thread_data_t *tsm;
3449 u32 proto, next_worker_index = 0;
3452 snat_static_mapping_t *m;
3455 proto = ip_proto_to_snat_proto (ip->protocol);
3457 if (PREDICT_TRUE (proto == SNAT_PROTOCOL_UDP || proto == SNAT_PROTOCOL_TCP))
3459 udp = ip4_next_header (ip);
3461 make_ed_kv (&ip->dst_address, &ip->src_address,
3462 ip->protocol, rx_fib_index, udp->dst_port, udp->src_port,
3466 vec_foreach (tsm, sm->per_thread_data)
3468 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&tsm->out2in_ed,
3471 next_worker_index = sm->first_worker_index + tsm->thread_index;
3472 nat_elog_debug_handoff ("HANDOFF OUT2IN (session)",
3473 next_worker_index, rx_fib_index,
3474 clib_net_to_host_u32 (ip->src_address.as_u32),
3475 clib_net_to_host_u32 (ip->dst_address.as_u32));
3476 return next_worker_index;
3481 else if (proto == SNAT_PROTOCOL_ICMP)
3483 if (!get_icmp_o2i_ed_key (b, ip, rx_fib_index, ~0ULL, 0, 0, 0, &kv16))
3486 vec_foreach (tsm, sm->per_thread_data)
3488 if (PREDICT_TRUE (!clib_bihash_search_16_8 (&tsm->out2in_ed,
3491 next_worker_index = sm->first_worker_index +
3493 nat_elog_debug_handoff ("HANDOFF OUT2IN (session)",
3494 next_worker_index, rx_fib_index,
3495 clib_net_to_host_u32 (ip->src_address.as_u32),
3496 clib_net_to_host_u32 (ip->dst_address.as_u32));
3497 return next_worker_index;
3504 /* first try static mappings without port */
3505 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3507 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
3508 if (!clib_bihash_search_8_8
3509 (&sm->static_mapping_by_external, &kv, &value))
3511 m = pool_elt_at_index (sm->static_mappings, value.value);
3512 next_worker_index = m->workers[0];
3517 /* unknown protocol */
3518 if (PREDICT_FALSE (proto == ~0))
3520 /* use current thread */
3521 next_worker_index = vlib_get_thread_index ();
3525 udp = ip4_next_header (ip);
3526 port = udp->dst_port;
3528 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
3530 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3531 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3532 if (!icmp_type_is_error_message
3533 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
3534 port = vnet_buffer (b)->ip.reass.l4_src_port;
3537 /* if error message, then it's not fragmented and we can access it */
3538 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3539 proto = ip_proto_to_snat_proto (inner_ip->protocol);
3540 void *l4_header = ip4_next_header (inner_ip);
3543 case SNAT_PROTOCOL_ICMP:
3544 icmp = (icmp46_header_t *) l4_header;
3545 echo = (icmp_echo_header_t *) (icmp + 1);
3546 port = echo->identifier;
3548 case SNAT_PROTOCOL_UDP:
3549 case SNAT_PROTOCOL_TCP:
3550 port = ((tcp_udp_header_t *) l4_header)->src_port;
3553 next_worker_index = vlib_get_thread_index ();
3559 /* try static mappings with port */
3560 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3562 make_sm_kv (&kv, &ip->dst_address, proto, 0,
3563 clib_net_to_host_u16 (port));
3564 if (!clib_bihash_search_8_8
3565 (&sm->static_mapping_by_external, &kv, &value))
3567 m = pool_elt_at_index (sm->static_mappings, value.value);
3568 if (!is_lb_static_mapping (m))
3570 next_worker_index = m->workers[0];
3574 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3575 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3577 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
3579 m->workers[hash & (_vec_len (m->workers) - 1)];
3581 next_worker_index = m->workers[hash % _vec_len (m->workers)];
3586 /* worker by outside port */
3587 next_worker_index = sm->first_worker_index;
3588 next_worker_index +=
3589 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3592 nat_elog_debug_handoff ("HANDOFF OUT2IN", next_worker_index, rx_fib_index,
3593 clib_net_to_host_u32 (ip->src_address.as_u32),
3594 clib_net_to_host_u32 (ip->dst_address.as_u32));
3595 return next_worker_index;
3599 nat_ha_sadd_cb (ip4_address_t * in_addr, u16 in_port,
3600 ip4_address_t * out_addr, u16 out_port,
3601 ip4_address_t * eh_addr, u16 eh_port,
3602 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
3603 u32 fib_index, u16 flags, u32 thread_index)
3605 snat_main_t *sm = &snat_main;
3606 snat_session_key_t key;
3609 clib_bihash_kv_8_8_t kv;
3610 f64 now = vlib_time_now (sm->vlib_main);
3611 nat_outside_fib_t *outside_fib;
3612 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3613 snat_main_per_thread_data_t *tsm;
3614 fib_prefix_t pfx = {
3615 .fp_proto = FIB_PROTOCOL_IP4,
3618 .ip4.as_u32 = eh_addr->as_u32,
3622 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3624 key.addr.as_u32 = out_addr->as_u32;
3625 key.port = out_port;
3626 key.protocol = proto;
3628 if (!(flags & SNAT_SESSION_FLAG_STATIC_MAPPING))
3630 if (nat_set_outside_address_and_port
3631 (sm->addresses, thread_index, &key))
3635 u = nat_user_get_or_create (sm, in_addr, fib_index, thread_index);
3639 s = nat_session_alloc_or_recycle (sm, u, thread_index, now);
3643 s->last_heard = now;
3645 s->ext_host_addr.as_u32 = eh_addr->as_u32;
3646 s->ext_host_port = eh_port;
3647 user_session_increment (sm, u, snat_is_session_static (s));
3648 switch (vec_len (sm->outside_fibs))
3651 key.fib_index = sm->outside_fib_index;
3654 key.fib_index = sm->outside_fibs[0].fib_index;
3658 vec_foreach (outside_fib, sm->outside_fibs)
3660 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
3661 if (FIB_NODE_INDEX_INVALID != fei)
3663 if (fib_entry_get_resolving_interface (fei) != ~0)
3665 key.fib_index = outside_fib->fib_index;
3674 kv.key = key.as_u64;
3675 kv.value = s - tsm->sessions;
3676 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 1))
3677 nat_elog_warn ("out2in key add failed");
3679 key.addr.as_u32 = in_addr->as_u32;
3681 key.fib_index = fib_index;
3683 kv.key = key.as_u64;
3684 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 1))
3685 nat_elog_warn ("in2out key add failed");
3689 nat_ha_sdel_cb (ip4_address_t * out_addr, u16 out_port,
3690 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
3693 snat_main_t *sm = &snat_main;
3694 snat_session_key_t key;
3695 clib_bihash_kv_8_8_t kv, value;
3698 snat_main_per_thread_data_t *tsm;
3700 if (sm->num_workers > 1)
3702 sm->first_worker_index +
3703 (sm->workers[(clib_net_to_host_u16 (out_port) -
3704 1024) / sm->port_per_thread]);
3706 thread_index = sm->num_workers;
3707 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3709 key.addr.as_u32 = out_addr->as_u32;
3710 key.port = out_port;
3711 key.protocol = proto;
3712 key.fib_index = fib_index;
3713 kv.key = key.as_u64;
3714 if (clib_bihash_search_8_8 (&tsm->out2in, &kv, &value))
3717 s = pool_elt_at_index (tsm->sessions, value.value);
3718 nat_free_session_data (sm, s, thread_index, 1);
3719 nat44_delete_session (sm, s, thread_index);
3723 nat_ha_sref_cb (ip4_address_t * out_addr, u16 out_port,
3724 ip4_address_t * eh_addr, u16 eh_port, u8 proto, u32 fib_index,
3725 u32 total_pkts, u64 total_bytes, u32 thread_index)
3727 snat_main_t *sm = &snat_main;
3728 snat_session_key_t key;
3729 clib_bihash_kv_8_8_t kv, value;
3731 snat_main_per_thread_data_t *tsm;
3733 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3735 key.addr.as_u32 = out_addr->as_u32;
3736 key.port = out_port;
3737 key.protocol = proto;
3738 key.fib_index = fib_index;
3739 kv.key = key.as_u64;
3740 if (clib_bihash_search_8_8 (&tsm->out2in, &kv, &value))
3743 s = pool_elt_at_index (tsm->sessions, value.value);
3744 s->total_pkts = total_pkts;
3745 s->total_bytes = total_bytes;
3749 nat_ha_sadd_ed_cb (ip4_address_t * in_addr, u16 in_port,
3750 ip4_address_t * out_addr, u16 out_port,
3751 ip4_address_t * eh_addr, u16 eh_port,
3752 ip4_address_t * ehn_addr, u16 ehn_port, u8 proto,
3753 u32 fib_index, u16 flags, u32 thread_index)
3755 snat_main_t *sm = &snat_main;
3756 snat_session_key_t key;
3758 clib_bihash_kv_16_8_t kv;
3759 f64 now = vlib_time_now (sm->vlib_main);
3760 nat_outside_fib_t *outside_fib;
3761 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
3762 snat_main_per_thread_data_t *tsm;
3763 fib_prefix_t pfx = {
3764 .fp_proto = FIB_PROTOCOL_IP4,
3767 .ip4.as_u32 = eh_addr->as_u32,
3771 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3773 key.addr.as_u32 = out_addr->as_u32;
3774 key.port = out_port;
3775 key.protocol = proto;
3777 if (!(flags & SNAT_SESSION_FLAG_STATIC_MAPPING))
3779 if (nat_set_outside_address_and_port
3780 (sm->addresses, thread_index, &key))
3784 key.addr.as_u32 = ehn_addr->as_u32;
3785 key.port = ehn_port;
3786 if (flags & SNAT_SESSION_FLAG_TWICE_NAT)
3788 if (nat_set_outside_address_and_port
3789 (sm->twice_nat_addresses, thread_index, &key))
3793 s = nat_ed_session_alloc (sm, thread_index, now);
3797 s->last_heard = now;
3799 s->ext_host_nat_addr.as_u32 = s->ext_host_addr.as_u32 = eh_addr->as_u32;
3800 s->ext_host_nat_port = s->ext_host_port = eh_port;
3801 if (is_twice_nat_session (s))
3803 s->ext_host_nat_addr.as_u32 = ehn_addr->as_u32;
3804 s->ext_host_nat_port = ehn_port;
3806 switch (vec_len (sm->outside_fibs))
3809 key.fib_index = sm->outside_fib_index;
3812 key.fib_index = sm->outside_fibs[0].fib_index;
3816 vec_foreach (outside_fib, sm->outside_fibs)
3818 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
3819 if (FIB_NODE_INDEX_INVALID != fei)
3821 if (fib_entry_get_resolving_interface (fei) != ~0)
3823 key.fib_index = outside_fib->fib_index;
3831 key.addr.as_u32 = out_addr->as_u32;
3832 key.port = out_port;
3834 kv.value = s - tsm->sessions;
3836 key.addr.as_u32 = in_addr->as_u32;
3838 key.fib_index = fib_index;
3841 make_ed_kv (in_addr, &s->ext_host_nat_addr,
3842 snat_proto_to_ip_proto (proto), fib_index, in_port,
3843 s->ext_host_nat_port, s - tsm->sessions, &kv);
3844 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
3845 nat_elog_warn ("in2out key add failed");
3847 make_ed_kv (out_addr, eh_addr, snat_proto_to_ip_proto (proto),
3848 s->out2in.fib_index, out_port, eh_port, s - tsm->sessions, &kv);
3849 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 1))
3850 nat_elog_warn ("out2in key add failed");
3854 nat_ha_sdel_ed_cb (ip4_address_t * out_addr, u16 out_port,
3855 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
3856 u32 fib_index, u32 ti)
3858 snat_main_t *sm = &snat_main;
3859 clib_bihash_kv_16_8_t kv, value;
3862 snat_main_per_thread_data_t *tsm;
3864 if (sm->num_workers > 1)
3866 sm->first_worker_index +
3867 (sm->workers[(clib_net_to_host_u16 (out_port) -
3868 1024) / sm->port_per_thread]);
3870 thread_index = sm->num_workers;
3871 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3873 make_ed_kv (out_addr, eh_addr, proto, fib_index, out_port, eh_port, ~0ULL,
3875 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
3878 s = pool_elt_at_index (tsm->sessions, value.value);
3879 nat_free_session_data (sm, s, thread_index, 1);
3880 nat44_delete_session (sm, s, thread_index);
3884 nat_ha_sref_ed_cb (ip4_address_t * out_addr, u16 out_port,
3885 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
3886 u32 fib_index, u32 total_pkts, u64 total_bytes,
3889 snat_main_t *sm = &snat_main;
3890 clib_bihash_kv_16_8_t kv, value;
3892 snat_main_per_thread_data_t *tsm;
3894 tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
3896 make_ed_kv (out_addr, eh_addr, proto, fib_index, out_port, eh_port, ~0ULL,
3898 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
3901 s = pool_elt_at_index (tsm->sessions, value.value);
3902 s->total_pkts = total_pkts;
3903 s->total_bytes = total_bytes;
3906 static clib_error_t *
3907 snat_config (vlib_main_t * vm, unformat_input_t * input)
3909 snat_main_t *sm = &snat_main;
3910 nat66_main_t *nm = &nat66_main;
3911 //dslite_main_t *dm = &dslite_main;
3912 snat_main_per_thread_data_t *tsm;
3914 u32 static_mapping_buckets = 1024;
3915 uword static_mapping_memory_size = 64 << 20;
3917 u32 nat64_bib_buckets = 1024;
3918 u32 nat64_bib_memory_size = 128 << 20;
3920 u32 nat64_st_buckets = 2048;
3921 uword nat64_st_memory_size = 256 << 20;
3923 u32 user_buckets = 128;
3924 uword user_memory_size = 64 << 20;
3925 u32 translation_buckets = 1024;
3926 uword translation_memory_size = 128 << 20;
3928 u32 max_translations_per_user = ~0;
3930 u32 outside_vrf_id = 0;
3931 u32 outside_ip6_vrf_id = 0;
3932 u32 inside_vrf_id = 0;
3933 u8 static_mapping_only = 0;
3934 u8 static_mapping_connection_tracking = 0;
3936 // configurable timeouts
3937 u32 udp_timeout = SNAT_UDP_TIMEOUT;
3938 u32 icmp_timeout = SNAT_ICMP_TIMEOUT;
3939 u32 tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
3940 u32 tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
3942 sm->deterministic = 0;
3944 sm->endpoint_dependent = 0;
3946 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
3949 (input, "translation hash buckets %d", &translation_buckets))
3951 else if (unformat (input, "udp timeout %d", &udp_timeout))
3953 else if (unformat (input, "icmp timeout %d", &icmp_timeout))
3955 else if (unformat (input, "tcp transitory timeout %d",
3956 &tcp_transitory_timeout));
3957 else if (unformat (input, "tcp established timeout %d",
3958 &tcp_established_timeout));
3959 else if (unformat (input, "translation hash memory %d",
3960 &translation_memory_size));
3961 else if (unformat (input, "user hash buckets %d", &user_buckets))
3963 else if (unformat (input, "user hash memory %d", &user_memory_size))
3965 else if (unformat (input, "max translations per user %d",
3966 &max_translations_per_user))
3968 else if (unformat (input, "outside VRF id %d", &outside_vrf_id))
3970 else if (unformat (input, "outside ip6 VRF id %d", &outside_ip6_vrf_id))
3972 else if (unformat (input, "inside VRF id %d", &inside_vrf_id))
3974 else if (unformat (input, "static mapping only"))
3976 static_mapping_only = 1;
3977 if (unformat (input, "connection tracking"))
3978 static_mapping_connection_tracking = 1;
3980 else if (unformat (input, "deterministic"))
3981 sm->deterministic = 1;
3982 else if (unformat (input, "nat64 bib hash buckets %d",
3983 &nat64_bib_buckets))
3985 else if (unformat (input, "nat64 bib hash memory %d",
3986 &nat64_bib_memory_size))
3989 if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets))
3991 else if (unformat (input, "nat64 st hash memory %d",
3992 &nat64_st_memory_size))
3994 else if (unformat (input, "out2in dpo"))
3996 //else if (unformat (input, "dslite ce"))
3997 //dslite_set_ce (dm, 1);
3998 else if (unformat (input, "endpoint-dependent"))
3999 sm->endpoint_dependent = 1;
4001 return clib_error_return (0, "unknown input '%U'",
4002 format_unformat_error, input);
4005 if (sm->deterministic && sm->endpoint_dependent)
4006 return clib_error_return (0,
4007 "deterministic and endpoint-dependent modes are mutually exclusive");
4009 if (static_mapping_only && (sm->deterministic || sm->endpoint_dependent))
4010 return clib_error_return (0,
4011 "static mapping only mode available only for simple nat");
4013 if (sm->out2in_dpo && (sm->deterministic || sm->endpoint_dependent))
4014 return clib_error_return (0,
4015 "out2in dpo mode available only for simple nat");
4017 /* optionally configurable timeouts for testing purposes */
4018 sm->udp_timeout = udp_timeout;
4019 sm->tcp_transitory_timeout = tcp_transitory_timeout;
4020 sm->tcp_established_timeout = tcp_established_timeout;
4021 sm->icmp_timeout = icmp_timeout;
4023 sm->user_buckets = user_buckets;
4024 sm->user_memory_size = user_memory_size;
4026 sm->translation_buckets = translation_buckets;
4027 sm->translation_memory_size = translation_memory_size;
4029 /* do not exceed load factor 10 */
4030 sm->max_translations = 10 * translation_buckets;
4031 sm->max_translations_per_user = max_translations_per_user == ~0 ?
4032 sm->max_translations : max_translations_per_user;
4034 sm->outside_vrf_id = outside_vrf_id;
4035 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
4038 nm->outside_vrf_id = outside_ip6_vrf_id;
4039 nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6,
4042 sm->inside_vrf_id = inside_vrf_id;
4043 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
4046 sm->static_mapping_only = static_mapping_only;
4047 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
4049 nat64_set_hash (nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets,
4050 nat64_st_memory_size);
4052 if (sm->deterministic)
4054 sm->in2out_node_index = snat_det_in2out_node.index;
4055 sm->in2out_output_node_index = ~0;
4056 sm->out2in_node_index = snat_det_out2in_node.index;
4057 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
4058 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
4062 if (sm->endpoint_dependent)
4064 sm->worker_in2out_cb = nat44_ed_get_worker_in2out_cb;
4065 sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb;
4067 sm->handoff_out2in_index = nat_pre_out2in_node.index;
4068 sm->handoff_in2out_index = nat_pre_in2out_node.index;
4069 sm->handoff_in2out_output_index = nat44_ed_in2out_output_node.index;
4071 sm->in2out_node_index = nat44_ed_in2out_node.index;
4072 sm->in2out_output_node_index = nat44_ed_in2out_output_node.index;
4073 sm->out2in_node_index = nat44_ed_out2in_node.index;
4075 sm->icmp_match_in2out_cb = icmp_match_in2out_ed;
4076 sm->icmp_match_out2in_cb = icmp_match_out2in_ed;
4077 nat_affinity_init (vm);
4078 nat_ha_init (vm, nat_ha_sadd_ed_cb, nat_ha_sdel_ed_cb,
4083 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
4084 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
4086 sm->handoff_out2in_index = snat_out2in_node.index;
4087 sm->handoff_in2out_index = snat_in2out_node.index;
4088 sm->handoff_in2out_output_index = snat_in2out_output_node.index;
4090 sm->in2out_node_index = snat_in2out_node.index;
4091 sm->in2out_output_node_index = snat_in2out_output_node.index;
4092 sm->out2in_node_index = snat_out2in_node.index;
4093 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
4094 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
4095 nat_ha_init (vm, nat_ha_sadd_cb, nat_ha_sdel_cb, nat_ha_sref_cb);
4097 if (!static_mapping_only ||
4098 (static_mapping_only && static_mapping_connection_tracking))
4101 vec_foreach (tsm, sm->per_thread_data)
4103 pool_alloc (tsm->sessions, sm->max_translations);
4104 pool_alloc (tsm->list_pool, sm->max_translations);
4105 pool_alloc (tsm->global_lru_pool, sm->max_translations);
4108 pool_get (tsm->global_lru_pool, head);
4109 tsm->global_lru_head_index = head - tsm->global_lru_pool;
4110 clib_dlist_init (tsm->global_lru_pool,
4111 tsm->global_lru_head_index);
4113 if (sm->endpoint_dependent)
4115 clib_bihash_init_16_8 (&tsm->in2out_ed, "in2out-ed",
4116 translation_buckets,
4117 translation_memory_size);
4118 clib_bihash_set_kvp_format_fn_16_8 (&tsm->in2out_ed,
4119 format_ed_session_kvp);
4121 clib_bihash_init_16_8 (&tsm->out2in_ed, "out2in-ed",
4122 translation_buckets,
4123 translation_memory_size);
4124 clib_bihash_set_kvp_format_fn_16_8 (&tsm->out2in_ed,
4125 format_ed_session_kvp);
4129 clib_bihash_init_8_8 (&tsm->in2out, "in2out",
4130 translation_buckets,
4131 translation_memory_size);
4132 clib_bihash_set_kvp_format_fn_8_8 (&tsm->in2out,
4133 format_session_kvp);
4135 clib_bihash_init_8_8 (&tsm->out2in, "out2in",
4136 translation_buckets,
4137 translation_memory_size);
4138 clib_bihash_set_kvp_format_fn_8_8 (&tsm->out2in,
4139 format_session_kvp);
4142 clib_bihash_init_8_8 (&tsm->user_hash, "users", user_buckets,
4144 clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash,
4152 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
4153 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
4155 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
4156 "static_mapping_by_local", static_mapping_buckets,
4157 static_mapping_memory_size);
4158 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local,
4159 format_static_mapping_kvp);
4161 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
4162 "static_mapping_by_external",
4163 static_mapping_buckets,
4164 static_mapping_memory_size);
4165 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external,
4166 format_static_mapping_kvp);
4172 VLIB_CONFIG_FUNCTION (snat_config, "nat");
4175 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
4178 ip4_address_t * address,
4180 u32 if_address_index, u32 is_delete)
4182 snat_main_t *sm = &snat_main;
4183 snat_static_map_resolve_t *rp;
4184 snat_static_mapping_t *m;
4185 snat_session_key_t m_key;
4186 clib_bihash_kv_8_8_t kv, value;
4188 ip4_address_t l_addr;
4190 for (i = 0; i < vec_len (sm->to_resolve); i++)
4192 rp = sm->to_resolve + i;
4193 if (rp->addr_only == 0)
4195 if (rp->sw_if_index == sw_if_index)
4202 m_key.addr.as_u32 = address->as_u32;
4203 m_key.port = rp->addr_only ? 0 : rp->e_port;
4204 m_key.protocol = rp->addr_only ? 0 : rp->proto;
4205 m_key.fib_index = sm->outside_fib_index;
4206 kv.key = m_key.as_u64;
4207 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
4210 m = pool_elt_at_index (sm->static_mappings, value.value);
4214 /* Don't trip over lease renewal, static config */
4224 /* Indetity mapping? */
4225 if (rp->l_addr.as_u32 == 0)
4226 l_addr.as_u32 = address[0].as_u32;
4228 l_addr.as_u32 = rp->l_addr.as_u32;
4229 /* Add the static mapping */
4230 rv = snat_add_static_mapping (l_addr,
4235 rp->addr_only, ~0 /* sw_if_index */ ,
4236 rp->proto, !is_delete, rp->twice_nat,
4237 rp->out2in_only, rp->tag, rp->identity_nat);
4239 nat_elog_notice_X1 ("snat_add_static_mapping returned %d", "i4", rv);
4243 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
4246 ip4_address_t * address,
4248 u32 if_address_index, u32 is_delete)
4250 snat_main_t *sm = &snat_main;
4251 snat_static_map_resolve_t *rp;
4252 ip4_address_t l_addr;
4256 snat_address_t *addresses = sm->addresses;
4258 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices); i++)
4260 if (sw_if_index == sm->auto_add_sw_if_indices[i])
4264 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices_twice_nat); i++)
4267 addresses = sm->twice_nat_addresses;
4268 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
4277 /* Don't trip over lease renewal, static config */
4278 for (j = 0; j < vec_len (addresses); j++)
4279 if (addresses[j].addr.as_u32 == address->as_u32)
4282 (void) snat_add_address (sm, address, ~0, twice_nat);
4283 /* Scan static map resolution vector */
4284 for (j = 0; j < vec_len (sm->to_resolve); j++)
4286 rp = sm->to_resolve + j;
4289 /* On this interface? */
4290 if (rp->sw_if_index == sw_if_index)
4292 /* Indetity mapping? */
4293 if (rp->l_addr.as_u32 == 0)
4294 l_addr.as_u32 = address[0].as_u32;
4296 l_addr.as_u32 = rp->l_addr.as_u32;
4297 /* Add the static mapping */
4298 rv = snat_add_static_mapping (l_addr,
4304 ~0 /* sw_if_index */ ,
4306 rp->is_add, rp->twice_nat,
4307 rp->out2in_only, rp->tag,
4310 nat_elog_notice_X1 ("snat_add_static_mapping returned %d",
4318 (void) snat_del_address (sm, address[0], 1, twice_nat);
4325 snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del,
4328 ip4_main_t *ip4_main = sm->ip4_main;
4329 ip4_address_t *first_int_addr;
4330 snat_static_map_resolve_t *rp;
4331 u32 *indices_to_delete = 0;
4333 u32 *auto_add_sw_if_indices =
4335 auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
4337 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0 /* just want the address */
4340 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
4342 if (auto_add_sw_if_indices[i] == sw_if_index)
4346 /* if have address remove it */
4348 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
4351 for (j = 0; j < vec_len (sm->to_resolve); j++)
4353 rp = sm->to_resolve + j;
4354 if (rp->sw_if_index == sw_if_index)
4355 vec_add1 (indices_to_delete, j);
4357 if (vec_len (indices_to_delete))
4359 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
4360 vec_del1 (sm->to_resolve, j);
4361 vec_free (indices_to_delete);
4365 vec_del1 (sm->auto_add_sw_if_indices_twice_nat, i);
4367 vec_del1 (sm->auto_add_sw_if_indices, i);
4370 return VNET_API_ERROR_VALUE_EXIST;
4377 return VNET_API_ERROR_NO_SUCH_ENTRY;
4379 /* add to the auto-address list */
4381 vec_add1 (sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
4383 vec_add1 (sm->auto_add_sw_if_indices, sw_if_index);
4385 /* If the address is already bound - or static - add it now */
4387 (void) snat_add_address (sm, first_int_addr, ~0, twice_nat);
4393 nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
4394 snat_protocol_t proto, u32 vrf_id, int is_in)
4396 snat_main_per_thread_data_t *tsm;
4397 clib_bihash_kv_8_8_t kv, value;
4399 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
4400 snat_session_key_t key;
4402 clib_bihash_8_8_t *t;
4404 if (sm->endpoint_dependent)
4405 return VNET_API_ERROR_UNSUPPORTED;
4407 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
4408 if (sm->num_workers > 1)
4410 vec_elt_at_index (sm->per_thread_data,
4411 sm->worker_in2out_cb (&ip, fib_index, 0));
4413 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
4415 key.addr.as_u32 = addr->as_u32;
4416 key.port = clib_host_to_net_u16 (port);
4417 key.protocol = proto;
4418 key.fib_index = fib_index;
4419 kv.key = key.as_u64;
4420 t = is_in ? &tsm->in2out : &tsm->out2in;
4421 if (!clib_bihash_search_8_8 (t, &kv, &value))
4423 if (pool_is_free_index (tsm->sessions, value.value))
4424 return VNET_API_ERROR_UNSPECIFIED;
4426 s = pool_elt_at_index (tsm->sessions, value.value);
4427 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
4428 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
4432 return VNET_API_ERROR_NO_SUCH_ENTRY;
4436 nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
4437 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
4438 u32 vrf_id, int is_in)
4441 clib_bihash_16_8_t *t;
4442 clib_bihash_kv_16_8_t kv, value;
4443 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
4445 snat_main_per_thread_data_t *tsm;
4447 if (!sm->endpoint_dependent)
4448 return VNET_API_ERROR_FEATURE_DISABLED;
4450 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
4451 if (sm->num_workers > 1)
4453 vec_elt_at_index (sm->per_thread_data,
4454 sm->worker_in2out_cb (&ip, fib_index, 0));
4456 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
4458 t = is_in ? &tsm->in2out_ed : &tsm->out2in_ed;
4459 make_ed_kv (addr, eh_addr, proto, fib_index, clib_host_to_net_u16 (port),
4460 clib_host_to_net_u16 (eh_port), ~0ULL, &kv);
4461 if (clib_bihash_search_16_8 (t, &kv, &value))
4463 return VNET_API_ERROR_NO_SUCH_ENTRY;
4466 if (pool_is_free_index (tsm->sessions, value.value))
4467 return VNET_API_ERROR_UNSPECIFIED;
4468 s = pool_elt_at_index (tsm->sessions, value.value);
4469 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
4470 nat44_ed_delete_session (sm, s, tsm - sm->per_thread_data, 1);
4475 nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, u16 psid_length)
4477 snat_main_t *sm = &snat_main;
4479 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE;
4480 sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
4482 sm->psid_offset = psid_offset;
4483 sm->psid_length = psid_length;
4487 nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port)
4489 snat_main_t *sm = &snat_main;
4491 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE;
4492 sm->alloc_addr_and_port = nat_alloc_addr_and_port_range;
4493 sm->start_port = start_port;
4494 sm->end_port = end_port;
4498 nat_set_alloc_addr_and_port_default (void)
4500 snat_main_t *sm = &snat_main;
4502 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
4503 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
4506 VLIB_NODE_FN (nat_default_node) (vlib_main_t * vm,
4507 vlib_node_runtime_t * node,
4508 vlib_frame_t * frame)
4514 VLIB_REGISTER_NODE (nat_default_node) = {
4515 .name = "nat-default",
4516 .vector_size = sizeof (u32),
4518 .type = VLIB_NODE_TYPE_INTERNAL,
4520 .n_next_nodes = NAT_N_NEXT,
4522 [NAT_NEXT_DROP] = "error-drop",
4523 [NAT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
4524 [NAT_NEXT_IN2OUT_PRE] = "nat-pre-in2out",
4525 [NAT_NEXT_OUT2IN_PRE] = "nat-pre-out2in",
4526 [NAT_NEXT_IN2OUT_ED_FAST_PATH] = "nat44-ed-in2out",
4527 [NAT_NEXT_IN2OUT_ED_SLOW_PATH] = "nat44-ed-in2out-slowpath",
4528 [NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
4529 [NAT_NEXT_OUT2IN_ED_FAST_PATH] = "nat44-ed-out2in",
4530 [NAT_NEXT_OUT2IN_ED_SLOW_PATH] = "nat44-ed-out2in-slowpath",
4536 * fd.io coding-style-patch-verification: ON
4539 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob