2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vpp/app/version.h>
20 #include <vnet/vnet.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ip/ip4.h>
23 #include <vnet/ip/ip_table.h>
24 #include <vnet/ip/reass/ip4_sv_reass.h>
25 #include <vnet/fib/fib_table.h>
26 #include <vnet/fib/ip4_fib.h>
27 #include <vnet/plugin/plugin.h>
28 #include <vppinfra/bihash_16_8.h>
30 #include <nat/lib/log.h>
31 #include <nat/lib/nat_syslog.h>
32 #include <nat/lib/nat_inlines.h>
33 #include <nat/lib/ipfix_logging.h>
35 #include <nat/nat44-ed/nat44_ed.h>
36 #include <nat/nat44-ed/nat44_ed_affinity.h>
37 #include <nat/nat44-ed/nat44_ed_inlines.h>
39 #include <vpp/stats/stat_segment.h>
41 snat_main_t snat_main;
43 static_always_inline void nat_validate_interface_counters (snat_main_t *sm,
46 #define skip_if_disabled() \
49 snat_main_t *sm = &snat_main; \
50 if (PREDICT_FALSE (!sm->enabled)) \
55 #define fail_if_enabled() \
58 snat_main_t *sm = &snat_main; \
59 if (PREDICT_FALSE (sm->enabled)) \
61 nat_log_err ("plugin enabled"); \
67 #define fail_if_disabled() \
70 snat_main_t *sm = &snat_main; \
71 if (PREDICT_FALSE (!sm->enabled)) \
73 nat_log_err ("plugin disabled"); \
79 /* Hook up input features */
80 VNET_FEATURE_INIT (nat_pre_in2out, static) = {
81 .arc_name = "ip4-unicast",
82 .node_name = "nat-pre-in2out",
83 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
84 "ip4-sv-reassembly-feature"),
86 VNET_FEATURE_INIT (nat_pre_out2in, static) = {
87 .arc_name = "ip4-unicast",
88 .node_name = "nat-pre-out2in",
89 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
90 "ip4-dhcp-client-detect",
91 "ip4-sv-reassembly-feature"),
93 VNET_FEATURE_INIT (snat_in2out_worker_handoff, static) = {
94 .arc_name = "ip4-unicast",
95 .node_name = "nat44-in2out-worker-handoff",
96 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
98 VNET_FEATURE_INIT (snat_out2in_worker_handoff, static) = {
99 .arc_name = "ip4-unicast",
100 .node_name = "nat44-out2in-worker-handoff",
101 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
102 "ip4-dhcp-client-detect"),
104 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
105 .arc_name = "ip4-unicast",
106 .node_name = "nat44-in2out",
107 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
109 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
110 .arc_name = "ip4-unicast",
111 .node_name = "nat44-out2in",
112 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
113 "ip4-dhcp-client-detect"),
115 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
116 .arc_name = "ip4-unicast",
117 .node_name = "nat44-ed-in2out",
118 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
120 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
121 .arc_name = "ip4-unicast",
122 .node_name = "nat44-ed-out2in",
123 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
124 "ip4-dhcp-client-detect"),
126 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
127 .arc_name = "ip4-unicast",
128 .node_name = "nat44-ed-classify",
129 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
131 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
132 .arc_name = "ip4-unicast",
133 .node_name = "nat44-handoff-classify",
134 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
136 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
137 .arc_name = "ip4-unicast",
138 .node_name = "nat44-in2out-fast",
139 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
141 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
142 .arc_name = "ip4-unicast",
143 .node_name = "nat44-out2in-fast",
144 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
145 "ip4-dhcp-client-detect"),
148 /* Hook up output features */
149 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
150 .arc_name = "ip4-output",
151 .node_name = "nat44-in2out-output",
152 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
153 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
155 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
156 .arc_name = "ip4-output",
157 .node_name = "nat44-in2out-output-worker-handoff",
158 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
159 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
161 VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {
162 .arc_name = "ip4-output",
163 .node_name = "nat-pre-in2out-output",
164 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
165 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
167 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
168 .arc_name = "ip4-output",
169 .node_name = "nat44-ed-in2out-output",
170 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
171 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
174 VLIB_PLUGIN_REGISTER () = {
175 .version = VPP_BUILD_VER,
176 .description = "Network Address Translation (NAT)",
179 static void nat44_ed_db_init (u32 translations, u32 translation_buckets);
181 static void nat44_ed_db_free ();
183 u32 nat_calc_bihash_buckets (u32 n_elts);
186 format_session_kvp (u8 * s, va_list * args)
188 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
190 s = format (s, "%U thread-index %llu session-index %llu", format_snat_key,
191 v->key, nat_value_get_thread_index (v),
192 nat_value_get_session_index (v));
198 format_static_mapping_kvp (u8 * s, va_list * args)
200 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
202 s = format (s, "%U static-mapping-index %llu",
203 format_snat_key, v->key, v->value);
209 format_ed_session_kvp (u8 * s, va_list * args)
211 clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *);
215 ip4_address_t l_addr, r_addr;
218 split_ed_kv (v, &l_addr, &r_addr, &proto, &fib_index, &l_port, &r_port);
220 "local %U:%d remote %U:%d proto %U fib %d thread-index %u "
222 format_ip4_address, &l_addr, clib_net_to_host_u16 (l_port),
223 format_ip4_address, &r_addr, clib_net_to_host_u16 (r_port),
224 format_ip_protocol, proto, fib_index,
225 ed_value_get_thread_index (v), ed_value_get_session_index (v));
231 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index,
234 per_vrf_sessions_unregister_session (s, thread_index);
236 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 0))
237 nat_elog_warn (sm, "flow hash del failed");
239 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 0))
240 nat_elog_warn (sm, "flow hash del failed");
242 if (is_fwd_bypass_session (s))
247 if (is_affinity_sessions (s))
248 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
249 s->nat_proto, s->out2in.port);
252 nat_syslog_nat44_sdel (
253 0, s->in2out.fib_index, &s->in2out.addr, s->in2out.port,
254 &s->ext_host_nat_addr, s->ext_host_nat_port, &s->out2in.addr,
255 s->out2in.port, &s->ext_host_addr, s->ext_host_port, s->nat_proto,
256 is_twice_nat_session (s));
258 if (snat_is_unk_proto_session (s))
264 nat_ipfix_logging_nat44_ses_delete (thread_index,
265 s->in2out.addr.as_u32,
266 s->out2in.addr.as_u32,
270 s->in2out.fib_index);
273 /* Twice NAT address and port for external host */
274 if (is_twice_nat_session (s))
276 snat_free_outside_address_and_port (sm->twice_nat_addresses,
278 &s->ext_host_nat_addr,
279 s->ext_host_nat_port, s->nat_proto);
282 if (snat_is_session_static (s))
285 snat_free_outside_address_and_port (sm->addresses, thread_index,
286 &s->out2in.addr, s->out2in.port,
291 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
294 snat_main_t *sm = &snat_main;
295 fib_prefix_t prefix = {
297 .fp_proto = FIB_PROTOCOL_IP4,
299 .ip4.as_u32 = addr->as_u32,
302 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
305 fib_table_entry_update_one_path (fib_index,
308 (FIB_ENTRY_FLAG_CONNECTED |
309 FIB_ENTRY_FLAG_LOCAL |
310 FIB_ENTRY_FLAG_EXCLUSIVE),
314 ~0, 1, NULL, FIB_ROUTE_PATH_FLAG_NONE);
316 fib_table_entry_delete (fib_index, &prefix, sm->fib_src_low);
320 snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id,
325 vlib_thread_main_t *tm = vlib_get_thread_main ();
327 /* Check if address already exists */
328 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
330 if (ap->addr.as_u32 == addr->as_u32)
332 nat_log_err ("address exist");
333 return VNET_API_ERROR_VALUE_EXIST;
338 vec_add2 (sm->twice_nat_addresses, ap, 1);
340 vec_add2 (sm->addresses, ap, 1);
345 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
350 #define _(N, i, n, s) \
351 clib_memset(ap->busy_##n##_port_refcounts, 0, sizeof(ap->busy_##n##_port_refcounts));\
352 ap->busy_##n##_ports = 0; \
353 ap->busy_##n##_ports_per_thread = 0;\
354 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
361 /* Add external address to FIB */
362 pool_foreach (i, sm->interfaces)
364 if (nat_interface_is_inside (i))
367 snat_add_del_addr_to_fib (addr, 32, i->sw_if_index, 1);
370 pool_foreach (i, sm->output_feature_interfaces)
372 if (nat_interface_is_inside (i))
375 snat_add_del_addr_to_fib (addr, 32, i->sw_if_index, 1);
383 is_snat_address_used_in_static_mapping (snat_main_t * sm, ip4_address_t addr)
385 snat_static_mapping_t *m;
386 pool_foreach (m, sm->static_mappings)
388 if (is_addr_only_static_mapping (m) ||
389 is_out2in_only_static_mapping (m) ||
390 is_identity_static_mapping (m))
392 if (m->external_addr.as_u32 == addr.as_u32)
400 snat_add_static_mapping_when_resolved (snat_main_t *sm, ip4_address_t l_addr,
401 u16 l_port, u32 sw_if_index, u16 e_port,
402 u32 vrf_id, nat_protocol_t proto,
403 int addr_only, u8 *tag, int twice_nat,
404 int out2in_only, int identity_nat,
405 ip4_address_t pool_addr, int exact)
407 snat_static_map_resolve_t *rp;
409 vec_add2 (sm->to_resolve, rp, 1);
410 rp->l_addr.as_u32 = l_addr.as_u32;
412 rp->sw_if_index = sw_if_index;
416 rp->addr_only = addr_only;
417 rp->twice_nat = twice_nat;
418 rp->out2in_only = out2in_only;
419 rp->identity_nat = identity_nat;
420 rp->tag = vec_dup (tag);
421 rp->pool_addr = pool_addr;
426 get_thread_idx_by_port (u16 e_port)
428 snat_main_t *sm = &snat_main;
429 u32 thread_idx = sm->num_workers;
430 if (sm->num_workers > 1)
433 sm->first_worker_index +
434 sm->workers[(e_port - 1024) / sm->port_per_thread];
440 nat_ed_static_mapping_del_sessions (snat_main_t * sm,
441 snat_main_per_thread_data_t * tsm,
442 ip4_address_t l_addr,
445 u32 fib_index, int addr_only,
446 ip4_address_t e_addr, u16 e_port)
449 u32 *indexes_to_free = NULL;
450 pool_foreach (s, tsm->sessions) {
451 if (s->in2out.fib_index != fib_index ||
452 s->in2out.addr.as_u32 != l_addr.as_u32)
458 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
459 s->out2in.port != e_port ||
460 s->in2out.port != l_port ||
461 s->nat_proto != protocol)
465 if (is_lb_session (s))
467 if (!snat_is_session_static (s))
469 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
470 vec_add1 (indexes_to_free, s - tsm->sessions);
475 vec_foreach (ses_index, indexes_to_free)
477 s = pool_elt_at_index (tsm->sessions, *ses_index);
478 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
480 vec_free (indexes_to_free);
484 snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
485 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
486 u32 sw_if_index, nat_protocol_t proto, int is_add,
487 twice_nat_type_t twice_nat, u8 out2in_only, u8 *tag,
488 u8 identity_nat, ip4_address_t pool_addr, int exact)
490 snat_main_t *sm = &snat_main;
491 snat_static_mapping_t *m;
492 clib_bihash_kv_8_8_t kv, value;
493 snat_address_t *a = 0;
495 snat_interface_t *interface;
496 snat_main_per_thread_data_t *tsm;
497 snat_static_map_resolve_t *rp, *rp_match = 0;
498 nat44_lb_addr_port_t *local;
502 /* If the external address is a specific interface address */
503 if (sw_if_index != ~0)
505 ip4_address_t *first_int_addr;
507 for (i = 0; i < vec_len (sm->to_resolve); i++)
509 rp = sm->to_resolve + i;
510 if (rp->sw_if_index != sw_if_index ||
511 rp->l_addr.as_u32 != l_addr.as_u32 ||
512 rp->vrf_id != vrf_id || rp->addr_only != addr_only)
517 if ((rp->l_port != l_port && rp->e_port != e_port)
518 || rp->proto != proto)
526 /* Might be already set... */
527 first_int_addr = ip4_interface_first_address
528 (sm->ip4_main, sw_if_index, 0 /* just want the address */ );
533 return VNET_API_ERROR_VALUE_EXIST;
535 snat_add_static_mapping_when_resolved (
536 sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto, addr_only,
537 tag, twice_nat, out2in_only, identity_nat, pool_addr, exact);
539 /* DHCP resolution required? */
540 if (first_int_addr == 0)
546 e_addr.as_u32 = first_int_addr->as_u32;
547 /* Identity mapping? */
548 if (l_addr.as_u32 == 0)
549 l_addr.as_u32 = e_addr.as_u32;
555 return VNET_API_ERROR_NO_SUCH_ENTRY;
557 vec_del1 (sm->to_resolve, i);
561 e_addr.as_u32 = first_int_addr->as_u32;
562 /* Identity mapping? */
563 if (l_addr.as_u32 == 0)
564 l_addr.as_u32 = e_addr.as_u32;
571 init_nat_k (&kv, e_addr, addr_only ? 0 : e_port, 0, addr_only ? 0 : proto);
572 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
575 m = pool_elt_at_index (sm->static_mappings, value.value);
581 if (is_identity_static_mapping (m))
583 pool_foreach (local, m->locals)
585 if (local->vrf_id == vrf_id)
586 return VNET_API_ERROR_VALUE_EXIST;
588 pool_get (m->locals, local);
589 local->vrf_id = vrf_id;
591 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
593 init_nat_kv (&kv, m->local_addr, m->local_port, local->fib_index,
594 m->proto, 0, m - sm->static_mappings);
595 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
599 return VNET_API_ERROR_VALUE_EXIST;
602 if (twice_nat && addr_only)
603 return VNET_API_ERROR_UNSUPPORTED;
605 /* Convert VRF id to FIB index */
608 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
610 /* If not specified use inside VRF id from SNAT plugin startup config */
613 fib_index = sm->inside_fib_index;
614 vrf_id = sm->inside_vrf_id;
615 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
618 if (!(out2in_only || identity_nat))
620 init_nat_k (&kv, l_addr, addr_only ? 0 : l_port, fib_index,
621 addr_only ? 0 : proto);
622 if (!clib_bihash_search_8_8
623 (&sm->static_mapping_by_local, &kv, &value))
624 return VNET_API_ERROR_VALUE_EXIST;
627 /* Find external address in allocated addresses and reserve port for
628 address and port pair mapping when dynamic translations enabled */
629 if (!(addr_only || sm->static_mapping_only || out2in_only))
631 for (i = 0; i < vec_len (sm->addresses); i++)
633 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
635 a = sm->addresses + i;
636 /* External port must be unused */
639 #define _(N, j, n, s) \
640 case NAT_PROTOCOL_##N: \
641 if (a->busy_##n##_port_refcounts[e_port]) \
642 return VNET_API_ERROR_INVALID_VALUE; \
643 ++a->busy_##n##_port_refcounts[e_port]; \
646 a->busy_##n##_ports++; \
647 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
652 default : nat_elog_info (sm, "unknown protocol");
653 return VNET_API_ERROR_INVALID_VALUE_2;
658 /* External address must be allocated */
659 if (!a && (l_addr.as_u32 != e_addr.as_u32))
661 if (sw_if_index != ~0)
663 for (i = 0; i < vec_len (sm->to_resolve); i++)
665 rp = sm->to_resolve + i;
668 if (rp->sw_if_index != sw_if_index &&
669 rp->l_addr.as_u32 != l_addr.as_u32 &&
670 rp->vrf_id != vrf_id && rp->l_port != l_port &&
671 rp->e_port != e_port && rp->proto != proto)
674 vec_del1 (sm->to_resolve, i);
678 return VNET_API_ERROR_NO_SUCH_ENTRY;
682 pool_get (sm->static_mappings, m);
683 clib_memset (m, 0, sizeof (*m));
684 m->tag = vec_dup (tag);
685 m->local_addr = l_addr;
686 m->external_addr = e_addr;
687 m->twice_nat = twice_nat;
689 if (twice_nat == TWICE_NAT && exact)
691 m->flags |= NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS;
692 m->pool_addr = pool_addr;
696 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
698 m->flags |= NAT_STATIC_MAPPING_FLAG_ADDR_ONLY;
701 m->flags |= NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT;
702 pool_get (m->locals, local);
703 local->vrf_id = vrf_id;
704 local->fib_index = fib_index;
709 m->fib_index = fib_index;
713 m->local_port = l_port;
714 m->external_port = e_port;
718 if (sm->num_workers > 1)
721 .src_address = m->local_addr,
723 vec_add1 (m->workers, nat44_ed_get_in2out_worker_index (
724 0, &ip, m->fib_index, 0));
725 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
728 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
732 init_nat_kv (&kv, m->local_addr, m->local_port, fib_index, m->proto,
733 0, m - sm->static_mappings);
734 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
737 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto, 0,
738 m - sm->static_mappings);
739 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1);
745 if (sw_if_index != ~0)
748 return VNET_API_ERROR_NO_SUCH_ENTRY;
754 vrf_id = sm->inside_vrf_id;
756 pool_foreach (local, m->locals)
758 if (local->vrf_id == vrf_id)
759 find = local - m->locals;
762 return VNET_API_ERROR_NO_SUCH_ENTRY;
764 local = pool_elt_at_index (m->locals, find);
765 fib_index = local->fib_index;
766 pool_put (m->locals, local);
769 fib_index = m->fib_index;
771 /* Free external address port */
772 if (!(addr_only || sm->static_mapping_only || out2in_only))
774 for (i = 0; i < vec_len (sm->addresses); i++)
776 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
778 a = sm->addresses + i;
781 #define _(N, j, n, s) \
782 case NAT_PROTOCOL_##N: \
783 --a->busy_##n##_port_refcounts[e_port]; \
786 a->busy_##n##_ports--; \
787 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
792 default : nat_elog_info (sm, "unknown protocol");
793 return VNET_API_ERROR_INVALID_VALUE_2;
800 if (sm->num_workers > 1)
801 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
803 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
805 init_nat_k (&kv, m->local_addr, m->local_port, fib_index, m->proto);
807 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0);
809 /* Delete session(s) for static mapping if exist */
810 if (!(sm->static_mapping_only) ||
811 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
813 nat_ed_static_mapping_del_sessions (
814 sm, tsm, m->local_addr, m->local_port, m->proto, fib_index,
815 addr_only, e_addr, e_port);
818 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
819 if (pool_elts (m->locals))
822 init_nat_k (&kv, m->external_addr, m->external_port, 0, m->proto);
823 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0);
826 vec_free (m->workers);
827 /* Delete static mapping from pool */
828 pool_put (sm->static_mappings, m);
831 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
834 /* Add/delete external address to FIB */
835 pool_foreach (interface, sm->interfaces)
837 if (nat_interface_is_inside (interface))
840 snat_add_del_addr_to_fib (&e_addr, 32, interface->sw_if_index, is_add);
843 pool_foreach (interface, sm->output_feature_interfaces)
845 if (nat_interface_is_inside (interface))
848 snat_add_del_addr_to_fib (&e_addr, 32, interface->sw_if_index, is_add);
856 nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
857 nat_protocol_t proto,
858 nat44_lb_addr_port_t * locals, u8 is_add,
859 twice_nat_type_t twice_nat, u8 out2in_only,
860 u8 * tag, u32 affinity)
862 snat_main_t *sm = &snat_main;
863 snat_static_mapping_t *m;
864 clib_bihash_kv_8_8_t kv, value;
865 snat_address_t *a = 0;
867 nat44_lb_addr_port_t *local;
868 snat_main_per_thread_data_t *tsm;
872 init_nat_k (&kv, e_addr, e_port, 0, proto);
873 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
876 m = pool_elt_at_index (sm->static_mappings, value.value);
881 return VNET_API_ERROR_VALUE_EXIST;
883 if (vec_len (locals) < 2)
884 return VNET_API_ERROR_INVALID_VALUE;
886 /* Find external address in allocated addresses and reserve port for
887 address and port pair mapping when dynamic translations enabled */
888 if (!(sm->static_mapping_only || out2in_only))
890 for (i = 0; i < vec_len (sm->addresses); i++)
892 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
894 a = sm->addresses + i;
895 /* External port must be unused */
898 #define _(N, j, n, s) \
899 case NAT_PROTOCOL_##N: \
900 if (a->busy_##n##_port_refcounts[e_port]) \
901 return VNET_API_ERROR_INVALID_VALUE; \
902 ++a->busy_##n##_port_refcounts[e_port]; \
905 a->busy_##n##_ports++; \
906 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
911 default : nat_elog_info (sm, "unknown protocol");
912 return VNET_API_ERROR_INVALID_VALUE_2;
917 /* External address must be allocated */
919 return VNET_API_ERROR_NO_SUCH_ENTRY;
922 pool_get (sm->static_mappings, m);
923 clib_memset (m, 0, sizeof (*m));
924 m->tag = vec_dup (tag);
925 m->external_addr = e_addr;
926 m->external_port = e_port;
928 m->twice_nat = twice_nat;
929 m->flags |= NAT_STATIC_MAPPING_FLAG_LB;
931 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
932 m->affinity = affinity;
935 m->affinity_per_service_list_head_index =
936 nat_affinity_get_per_service_list_head_index ();
938 m->affinity_per_service_list_head_index = ~0;
940 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto, 0,
941 m - sm->static_mappings);
942 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1))
944 nat_elog_err (sm, "static_mapping_by_external key add failed");
945 return VNET_API_ERROR_UNSPECIFIED;
948 for (i = 0; i < vec_len (locals); i++)
950 locals[i].fib_index =
951 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
956 init_nat_kv (&kv, locals[i].addr, locals[i].port,
957 locals[i].fib_index, m->proto, 0,
958 m - sm->static_mappings);
959 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
961 locals[i].prefix = (i == 0) ? locals[i].probability :
962 (locals[i - 1].prefix + locals[i].probability);
963 pool_get (m->locals, local);
965 if (sm->num_workers > 1)
968 .src_address = locals[i].addr,
970 bitmap = clib_bitmap_set (
972 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0), 1);
977 if (sm->num_workers > 1)
979 clib_bitmap_foreach (i, bitmap)
981 vec_add1(m->workers, i);
988 return VNET_API_ERROR_NO_SUCH_ENTRY;
990 if (!is_lb_static_mapping (m))
991 return VNET_API_ERROR_INVALID_VALUE;
993 /* Free external address port */
994 if (!(sm->static_mapping_only || out2in_only))
996 for (i = 0; i < vec_len (sm->addresses); i++)
998 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1000 a = sm->addresses + i;
1003 #define _(N, j, n, s) \
1004 case NAT_PROTOCOL_##N: \
1005 --a->busy_##n##_port_refcounts[e_port]; \
1006 if (e_port > 1024) \
1008 a->busy_##n##_ports--; \
1009 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1012 foreach_nat_protocol
1014 default : nat_elog_info (sm, "unknown protocol");
1015 return VNET_API_ERROR_INVALID_VALUE_2;
1022 init_nat_k (&kv, m->external_addr, m->external_port, 0, m->proto);
1023 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0))
1025 nat_elog_err (sm, "static_mapping_by_external key del failed");
1026 return VNET_API_ERROR_UNSPECIFIED;
1029 pool_foreach (local, m->locals)
1031 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4,
1035 init_nat_k (&kv, local->addr, local->port, local->fib_index,
1037 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv,
1040 nat_elog_err (sm, "static_mapping_by_local key del failed");
1041 return VNET_API_ERROR_UNSPECIFIED;
1045 if (sm->num_workers > 1)
1048 .src_address = local->addr,
1050 tsm = vec_elt_at_index (
1051 sm->per_thread_data,
1052 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0));
1055 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1057 /* Delete sessions */
1058 pool_foreach (s, tsm->sessions)
1060 if (!(is_lb_session (s)))
1063 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1064 s->in2out.port != local->port)
1067 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1068 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1072 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1073 pool_free (m->locals);
1075 vec_free (m->workers);
1077 pool_put (sm->static_mappings, m);
1084 nat44_lb_static_mapping_add_del_local (ip4_address_t e_addr, u16 e_port,
1085 ip4_address_t l_addr, u16 l_port,
1086 nat_protocol_t proto, u32 vrf_id,
1087 u8 probability, u8 is_add)
1089 snat_main_t *sm = &snat_main;
1090 snat_static_mapping_t *m = 0;
1091 clib_bihash_kv_8_8_t kv, value;
1092 nat44_lb_addr_port_t *local, *prev_local, *match_local = 0;
1093 snat_main_per_thread_data_t *tsm;
1099 init_nat_k (&kv, e_addr, e_port, 0, proto);
1100 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1101 m = pool_elt_at_index (sm->static_mappings, value.value);
1104 return VNET_API_ERROR_NO_SUCH_ENTRY;
1106 if (!is_lb_static_mapping (m))
1107 return VNET_API_ERROR_INVALID_VALUE;
1109 pool_foreach (local, m->locals)
1111 if ((local->addr.as_u32 == l_addr.as_u32) && (local->port == l_port) &&
1112 (local->vrf_id == vrf_id))
1114 match_local = local;
1122 return VNET_API_ERROR_VALUE_EXIST;
1124 pool_get (m->locals, local);
1125 clib_memset (local, 0, sizeof (*local));
1126 local->addr.as_u32 = l_addr.as_u32;
1127 local->port = l_port;
1128 local->probability = probability;
1129 local->vrf_id = vrf_id;
1131 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1134 if (!is_out2in_only_static_mapping (m))
1136 init_nat_kv (&kv, l_addr, l_port, local->fib_index, proto, 0,
1137 m - sm->static_mappings);
1138 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1))
1139 nat_elog_err (sm, "static_mapping_by_local key add failed");
1145 return VNET_API_ERROR_NO_SUCH_ENTRY;
1147 if (pool_elts (m->locals) < 3)
1148 return VNET_API_ERROR_UNSPECIFIED;
1150 fib_table_unlock (match_local->fib_index, FIB_PROTOCOL_IP4,
1153 if (!is_out2in_only_static_mapping (m))
1155 init_nat_k (&kv, l_addr, l_port, match_local->fib_index, proto);
1156 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0))
1157 nat_elog_err (sm, "static_mapping_by_local key del failed");
1160 if (sm->num_workers > 1)
1163 .src_address = local->addr,
1165 tsm = vec_elt_at_index (
1166 sm->per_thread_data,
1167 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0));
1170 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1172 /* Delete sessions */
1173 pool_foreach (s, tsm->sessions) {
1174 if (!(is_lb_session (s)))
1177 if ((s->in2out.addr.as_u32 != match_local->addr.as_u32) ||
1178 s->in2out.port != match_local->port)
1181 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1182 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1185 pool_put (m->locals, match_local);
1188 vec_free (m->workers);
1190 pool_foreach (local, m->locals)
1192 vec_add1 (locals, local - m->locals);
1193 if (sm->num_workers > 1)
1196 ip.src_address.as_u32 = local->addr.as_u32,
1197 bitmap = clib_bitmap_set (
1199 nat44_ed_get_in2out_worker_index (0, &ip, local->fib_index, 0), 1);
1203 ASSERT (vec_len (locals) > 1);
1205 local = pool_elt_at_index (m->locals, locals[0]);
1206 local->prefix = local->probability;
1207 for (i = 1; i < vec_len (locals); i++)
1209 local = pool_elt_at_index (m->locals, locals[i]);
1210 prev_local = pool_elt_at_index (m->locals, locals[i - 1]);
1211 local->prefix = local->probability + prev_local->prefix;
1214 /* Assign workers */
1215 if (sm->num_workers > 1)
1217 clib_bitmap_foreach (i, bitmap) { vec_add1(m->workers, i); }
1224 snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
1227 snat_address_t *a = 0;
1228 snat_session_t *ses;
1229 u32 *ses_to_be_removed = 0, *ses_index;
1230 snat_main_per_thread_data_t *tsm;
1231 snat_static_mapping_t *m;
1232 snat_interface_t *interface;
1234 snat_address_t *addresses =
1235 twice_nat ? sm->twice_nat_addresses : sm->addresses;
1237 /* Find SNAT address */
1238 for (i = 0; i < vec_len (addresses); i++)
1240 if (addresses[i].addr.as_u32 == addr.as_u32)
1248 nat_log_err ("no such address");
1249 return VNET_API_ERROR_NO_SUCH_ENTRY;
1254 ip4_address_t pool_addr = { 0 };
1255 pool_foreach (m, sm->static_mappings)
1257 if (m->external_addr.as_u32 == addr.as_u32)
1258 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1259 m->local_port, m->external_port,
1261 is_addr_only_static_mapping(m), ~0,
1262 m->proto, 0 /* is_add */,
1264 is_out2in_only_static_mapping(m),
1266 is_identity_static_mapping(m),
1272 /* Check if address is used in some static mapping */
1273 if (is_snat_address_used_in_static_mapping (sm, addr))
1275 nat_log_err ("address used in static mapping");
1276 return VNET_API_ERROR_UNSPECIFIED;
1280 if (a->fib_index != ~0)
1281 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
1283 /* Delete sessions using address */
1284 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1286 vec_foreach (tsm, sm->per_thread_data)
1288 pool_foreach (ses, tsm->sessions) {
1289 if (ses->out2in.addr.as_u32 == addr.as_u32)
1291 nat_free_session_data (sm, ses, tsm - sm->per_thread_data, 0);
1292 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1296 vec_foreach (ses_index, ses_to_be_removed)
1298 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1299 nat_ed_session_delete (sm, ses, tsm - sm->per_thread_data, 1);
1302 vec_free (ses_to_be_removed);
1306 #define _(N, i, n, s) \
1307 vec_free (a->busy_##n##_ports_per_thread);
1308 foreach_nat_protocol
1313 vec_del1 (sm->twice_nat_addresses, i);
1316 else vec_del1 (sm->addresses, i);
1318 /* Delete external address from FIB */
1319 pool_foreach (interface, sm->interfaces)
1321 if (nat_interface_is_inside (interface))
1324 snat_add_del_addr_to_fib (&addr, 32, interface->sw_if_index, 0);
1327 pool_foreach (interface, sm->output_feature_interfaces)
1329 if (nat_interface_is_inside (interface))
1332 snat_add_del_addr_to_fib (&addr, 32, interface->sw_if_index, 0);
1340 expire_per_vrf_sessions (u32 fib_index)
1342 per_vrf_sessions_t *per_vrf_sessions;
1343 snat_main_per_thread_data_t *tsm;
1344 snat_main_t *sm = &snat_main;
1346 vec_foreach (tsm, sm->per_thread_data)
1348 vec_foreach (per_vrf_sessions, tsm->per_vrf_sessions_vec)
1350 if ((per_vrf_sessions->rx_fib_index == fib_index) ||
1351 (per_vrf_sessions->tx_fib_index == fib_index))
1353 per_vrf_sessions->expired = 1;
1360 update_per_vrf_sessions_vec (u32 fib_index, int is_del)
1362 snat_main_t *sm = &snat_main;
1365 // we don't care if it is outside/inside fib
1366 // we just care about their ref_count
1367 // if it reaches 0 sessions should expire
1368 // because the fib isn't valid for NAT anymore
1370 vec_foreach (fib, sm->fibs)
1372 if (fib->fib_index == fib_index)
1377 if (!fib->ref_count)
1379 vec_del1 (sm->fibs, fib - sm->fibs);
1380 expire_per_vrf_sessions (fib_index);
1390 vec_add2 (sm->fibs, fib, 1);
1392 fib->fib_index = fib_index;
1396 static_always_inline nat_outside_fib_t *
1397 nat44_ed_get_outside_fib (nat_outside_fib_t *outside_fibs, u32 fib_index)
1399 nat_outside_fib_t *f;
1400 vec_foreach (f, outside_fibs)
1402 if (f->fib_index == fib_index)
1410 static_always_inline snat_interface_t *
1411 nat44_ed_get_interface (snat_interface_t *interfaces, u32 sw_if_index)
1413 snat_interface_t *i;
1414 pool_foreach (i, interfaces)
1416 if (i->sw_if_index == sw_if_index)
1425 nat44_ed_add_interface (u32 sw_if_index, u8 is_inside)
1427 const char *del_feature_name, *feature_name;
1428 snat_main_t *sm = &snat_main;
1430 nat_outside_fib_t *outside_fib;
1431 snat_static_mapping_t *m;
1432 snat_interface_t *i;
1439 nat_log_err ("nat44 is disabled");
1440 return VNET_API_ERROR_UNSUPPORTED;
1443 if (nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index))
1445 nat_log_err ("error interface already configured");
1446 return VNET_API_ERROR_VALUE_EXIST;
1449 i = nat44_ed_get_interface (sm->interfaces, sw_if_index);
1452 if ((nat_interface_is_inside (i) && is_inside) ||
1453 (nat_interface_is_outside (i) && !is_inside))
1457 if (sm->num_workers > 1)
1459 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1460 "nat44-out2in-worker-handoff";
1461 feature_name = "nat44-handoff-classify";
1465 del_feature_name = !is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1467 feature_name = "nat44-ed-classify";
1470 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1473 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1474 sw_if_index, 0, 0, 0);
1475 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1480 if (sm->num_workers > 1)
1482 feature_name = is_inside ? "nat44-in2out-worker-handoff" :
1483 "nat44-out2in-worker-handoff";
1487 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1490 nat_validate_interface_counters (sm, sw_if_index);
1491 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1494 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1497 pool_get (sm->interfaces, i);
1498 i->sw_if_index = sw_if_index;
1503 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1505 update_per_vrf_sessions_vec (fib_index, 0 /*is_del*/);
1509 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1511 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1514 outside_fib->refcount++;
1518 vec_add2 (sm->outside_fibs, outside_fib, 1);
1519 outside_fib->fib_index = fib_index;
1520 outside_fib->refcount = 1;
1523 vec_foreach (ap, sm->addresses)
1525 snat_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, 1);
1527 pool_foreach (m, sm->static_mappings)
1529 if (!(is_addr_only_static_mapping (m)) ||
1530 (m->local_addr.as_u32 == m->external_addr.as_u32))
1534 snat_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index, 1);
1539 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1546 nat44_ed_del_interface (u32 sw_if_index, u8 is_inside)
1548 const char *del_feature_name, *feature_name;
1549 snat_main_t *sm = &snat_main;
1551 nat_outside_fib_t *outside_fib;
1552 snat_static_mapping_t *m;
1553 snat_interface_t *i;
1560 nat_log_err ("nat44 is disabled");
1561 return VNET_API_ERROR_UNSUPPORTED;
1564 i = nat44_ed_get_interface (sm->interfaces, sw_if_index);
1567 nat_log_err ("error interface couldn't be found");
1568 return VNET_API_ERROR_NO_SUCH_ENTRY;
1571 if (nat_interface_is_inside (i) && nat_interface_is_outside (i))
1573 if (sm->num_workers > 1)
1575 del_feature_name = "nat44-handoff-classify";
1576 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1577 "nat44-out2in-worker-handoff";
1581 del_feature_name = "nat44-ed-classify";
1582 feature_name = !is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1585 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1590 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1591 sw_if_index, 0, 0, 0);
1592 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1597 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1601 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1606 if (sm->num_workers > 1)
1608 feature_name = is_inside ? "nat44-in2out-worker-handoff" :
1609 "nat44-out2in-worker-handoff";
1613 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1616 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1621 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 0,
1625 pool_put (sm->interfaces, i);
1629 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1631 update_per_vrf_sessions_vec (fib_index, 1 /*is_del*/);
1635 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1638 outside_fib->refcount--;
1639 if (!outside_fib->refcount)
1641 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1645 vec_foreach (ap, sm->addresses)
1647 snat_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, 0);
1650 pool_foreach (m, sm->static_mappings)
1652 if (!(is_addr_only_static_mapping (m)) ||
1653 (m->local_addr.as_u32 == m->external_addr.as_u32))
1657 snat_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index, 0);
1665 nat44_ed_add_output_interface (u32 sw_if_index)
1667 snat_main_t *sm = &snat_main;
1669 nat_outside_fib_t *outside_fib;
1670 snat_static_mapping_t *m;
1671 snat_interface_t *i;
1678 nat_log_err ("nat44 is disabled");
1679 return VNET_API_ERROR_UNSUPPORTED;
1682 if (nat44_ed_get_interface (sm->interfaces, sw_if_index))
1684 nat_log_err ("error interface already configured");
1685 return VNET_API_ERROR_VALUE_EXIST;
1688 if (nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index))
1690 nat_log_err ("error interface already configured");
1691 return VNET_API_ERROR_VALUE_EXIST;
1694 if (sm->num_workers > 1)
1696 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1702 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
1708 vnet_feature_enable_disable (
1709 "ip4-unicast", "nat44-out2in-worker-handoff", sw_if_index, 1, 0, 0);
1710 vnet_feature_enable_disable ("ip4-output",
1711 "nat44-in2out-output-worker-handoff",
1712 sw_if_index, 1, 0, 0);
1716 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1722 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
1728 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
1729 sw_if_index, 1, 0, 0);
1730 vnet_feature_enable_disable ("ip4-output", "nat-pre-in2out-output",
1731 sw_if_index, 1, 0, 0);
1734 nat_validate_interface_counters (sm, sw_if_index);
1736 pool_get (sm->output_feature_interfaces, i);
1737 i->sw_if_index = sw_if_index;
1739 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1740 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1743 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1744 update_per_vrf_sessions_vec (fib_index, 0 /*is_del*/);
1746 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1749 outside_fib->refcount++;
1753 vec_add2 (sm->outside_fibs, outside_fib, 1);
1754 outside_fib->fib_index = fib_index;
1755 outside_fib->refcount = 1;
1758 vec_foreach (ap, sm->addresses)
1760 snat_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, 1);
1763 pool_foreach (m, sm->static_mappings)
1765 if (!((is_addr_only_static_mapping (m))) ||
1766 (m->local_addr.as_u32 == m->external_addr.as_u32))
1770 snat_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index, 1);
1777 nat44_ed_del_output_interface (u32 sw_if_index)
1779 snat_main_t *sm = &snat_main;
1781 nat_outside_fib_t *outside_fib;
1782 snat_static_mapping_t *m;
1783 snat_interface_t *i;
1790 nat_log_err ("nat44 is disabled");
1791 return VNET_API_ERROR_UNSUPPORTED;
1794 i = nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index);
1797 nat_log_err ("error interface couldn't be found");
1798 return VNET_API_ERROR_NO_SUCH_ENTRY;
1801 if (sm->num_workers > 1)
1803 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1809 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1815 vnet_feature_enable_disable (
1816 "ip4-unicast", "nat44-out2in-worker-handoff", sw_if_index, 0, 0, 0);
1817 vnet_feature_enable_disable ("ip4-output",
1818 "nat44-in2out-output-worker-handoff",
1819 sw_if_index, 0, 0, 0);
1823 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1829 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1835 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
1836 sw_if_index, 0, 0, 0);
1837 vnet_feature_enable_disable ("ip4-output", "nat-pre-in2out-output",
1838 sw_if_index, 0, 0, 0);
1842 pool_put (sm->output_feature_interfaces, i);
1845 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1846 update_per_vrf_sessions_vec (fib_index, 1 /*is_del*/);
1848 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1851 outside_fib->refcount--;
1852 if (!outside_fib->refcount)
1854 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1858 vec_foreach (ap, sm->addresses)
1860 snat_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, 0);
1863 pool_foreach (m, sm->static_mappings)
1865 if (!((is_addr_only_static_mapping (m))) ||
1866 (m->local_addr.as_u32 == m->external_addr.as_u32))
1870 snat_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index, 0);
1877 snat_set_workers (uword * bitmap)
1879 snat_main_t *sm = &snat_main;
1882 if (sm->num_workers < 2)
1883 return VNET_API_ERROR_FEATURE_DISABLED;
1885 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
1886 return VNET_API_ERROR_INVALID_WORKER;
1888 vec_free (sm->workers);
1889 clib_bitmap_foreach (i, bitmap)
1891 vec_add1(sm->workers, i);
1892 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
1893 sm->per_thread_data[sm->first_worker_index + i].thread_index = i;
1897 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
1903 nat44_ed_set_frame_queue_nelts (u32 frame_queue_nelts)
1906 snat_main_t *sm = &snat_main;
1907 sm->frame_queue_nelts = frame_queue_nelts;
1912 snat_update_outside_fib (ip4_main_t * im, uword opaque,
1913 u32 sw_if_index, u32 new_fib_index,
1916 snat_main_t *sm = &snat_main;
1917 nat_outside_fib_t *outside_fib;
1918 snat_interface_t *i;
1922 if (!sm->enabled || (new_fib_index == old_fib_index)
1923 || (!vec_len (sm->outside_fibs)))
1928 pool_foreach (i, sm->interfaces)
1930 if (i->sw_if_index == sw_if_index)
1932 if (!(nat_interface_is_outside (i)))
1938 pool_foreach (i, sm->output_feature_interfaces)
1940 if (i->sw_if_index == sw_if_index)
1942 if (!(nat_interface_is_outside (i)))
1951 vec_foreach (outside_fib, sm->outside_fibs)
1953 if (outside_fib->fib_index == old_fib_index)
1955 outside_fib->refcount--;
1956 if (!outside_fib->refcount)
1957 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1962 vec_foreach (outside_fib, sm->outside_fibs)
1964 if (outside_fib->fib_index == new_fib_index)
1966 outside_fib->refcount++;
1974 vec_add2 (sm->outside_fibs, outside_fib, 1);
1975 outside_fib->refcount = 1;
1976 outside_fib->fib_index = new_fib_index;
1981 snat_update_outside_fib (ip4_main_t * im, uword opaque,
1982 u32 sw_if_index, u32 new_fib_index,
1986 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
1989 ip4_address_t * address,
1991 u32 if_address_index, u32 is_delete);
1994 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
1997 ip4_address_t * address,
1999 u32 if_address_index, u32 is_delete);
2002 test_key_calc_split ()
2004 ip4_address_t l_addr;
2005 l_addr.as_u8[0] = 1;
2006 l_addr.as_u8[1] = 1;
2007 l_addr.as_u8[2] = 1;
2008 l_addr.as_u8[3] = 1;
2009 ip4_address_t r_addr;
2010 r_addr.as_u8[0] = 2;
2011 r_addr.as_u8[1] = 2;
2012 r_addr.as_u8[2] = 2;
2013 r_addr.as_u8[3] = 2;
2017 u32 fib_index = 9000001;
2018 u32 thread_index = 3000000001;
2019 u32 session_index = 3000000221;
2020 clib_bihash_kv_16_8_t kv;
2021 init_ed_kv (&kv, l_addr, l_port, r_addr, r_port, fib_index, proto,
2022 thread_index, session_index);
2023 ip4_address_t l_addr2;
2024 ip4_address_t r_addr2;
2025 clib_memset (&l_addr2, 0, sizeof (l_addr2));
2026 clib_memset (&r_addr2, 0, sizeof (r_addr2));
2031 split_ed_kv (&kv, &l_addr2, &r_addr2, &proto2, &fib_index2, &l_port2,
2033 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2034 ASSERT (r_addr.as_u32 == r_addr2.as_u32);
2035 ASSERT (l_port == l_port2);
2036 ASSERT (r_port == r_port2);
2037 ASSERT (proto == proto2);
2038 ASSERT (fib_index == fib_index2);
2039 ASSERT (thread_index == ed_value_get_thread_index (&kv));
2040 ASSERT (session_index == ed_value_get_session_index (&kv));
2044 nat_protocol_t proto3 = ~0;
2045 u64 key = calc_nat_key (l_addr, l_port, fib_index, proto);
2046 split_nat_key (key, &l_addr2, &l_port2, &fib_index2, &proto3);
2047 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2048 ASSERT (l_port == l_port2);
2049 ASSERT (proto == proto3);
2050 ASSERT (fib_index == fib_index2);
2053 static clib_error_t *
2054 nat_ip_table_add_del (vnet_main_t * vnm, u32 table_id, u32 is_add)
2059 fib_index = ip4_fib_index_from_table_id (table_id);
2060 if (fib_index != ~0)
2062 expire_per_vrf_sessions (fib_index);
2068 VNET_IP_TABLE_ADD_DEL_FUNCTION (nat_ip_table_add_del);
2071 nat44_set_node_indexes (snat_main_t * sm, vlib_main_t * vm)
2075 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
2076 sm->out2in_node_index = node->index;
2078 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
2079 sm->in2out_node_index = node->index;
2081 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-output");
2082 sm->in2out_output_node_index = node->index;
2085 #define nat_validate_simple_counter(c, i) \
2088 vlib_validate_simple_counter (&c, i); \
2089 vlib_zero_simple_counter (&c, i); \
2093 #define nat_init_simple_counter(c, n, sn) \
2097 c.stat_segment_name = sn; \
2098 nat_validate_simple_counter (c, 0); \
2102 static_always_inline void
2103 nat_validate_interface_counters (snat_main_t *sm, u32 sw_if_index)
2106 nat_validate_simple_counter (sm->counters.fastpath.in2out.x, sw_if_index); \
2107 nat_validate_simple_counter (sm->counters.fastpath.out2in.x, sw_if_index); \
2108 nat_validate_simple_counter (sm->counters.slowpath.in2out.x, sw_if_index); \
2109 nat_validate_simple_counter (sm->counters.slowpath.out2in.x, sw_if_index);
2110 foreach_nat_counter;
2112 nat_validate_simple_counter (sm->counters.hairpinning, sw_if_index);
2115 static clib_error_t *
2116 nat_init (vlib_main_t * vm)
2118 snat_main_t *sm = &snat_main;
2119 vlib_thread_main_t *tm = vlib_get_thread_main ();
2120 vlib_thread_registration_t *tr;
2121 ip4_add_del_interface_address_callback_t cbi = { 0 };
2122 ip4_table_bind_callback_t cbt = { 0 };
2123 u32 i, num_threads = 0;
2124 uword *p, *bitmap = 0;
2126 clib_memset (sm, 0, sizeof (*sm));
2129 sm->vnet_main = vnet_get_main ();
2131 sm->ip4_main = &ip4_main;
2132 sm->api_main = vlibapi_get_main ();
2133 sm->ip4_lookup_main = &ip4_main.lookup_main;
2135 // frame queue indices used for handoff
2136 sm->fq_out2in_index = ~0;
2137 sm->fq_in2out_index = ~0;
2138 sm->fq_in2out_output_index = ~0;
2140 sm->log_level = NAT_LOG_ERROR;
2142 nat44_set_node_indexes (sm, vm);
2144 sm->log_class = vlib_log_register_class ("nat", 0);
2145 nat_ipfix_logging_init (vm);
2147 nat_init_simple_counter (sm->total_sessions, "total-sessions",
2148 "/nat44-ed/total-sessions");
2149 sm->max_cfg_sessions_gauge = stat_segment_new_entry (
2150 (u8 *) "/nat44-ed/max-cfg-sessions", STAT_DIR_TYPE_SCALAR_INDEX);
2153 nat_init_simple_counter (sm->counters.fastpath.in2out.x, #x, \
2154 "/nat44-ed/in2out/fastpath/" #x); \
2155 nat_init_simple_counter (sm->counters.fastpath.out2in.x, #x, \
2156 "/nat44-ed/out2in/fastpath/" #x); \
2157 nat_init_simple_counter (sm->counters.slowpath.in2out.x, #x, \
2158 "/nat44-ed/in2out/slowpath/" #x); \
2159 nat_init_simple_counter (sm->counters.slowpath.out2in.x, #x, \
2160 "/nat44-ed/out2in/slowpath/" #x);
2161 foreach_nat_counter;
2163 nat_init_simple_counter (sm->counters.hairpinning, "hairpinning",
2164 "/nat44-ed/hairpinning");
2166 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
2169 tr = (vlib_thread_registration_t *) p[0];
2172 sm->num_workers = tr->count;
2173 sm->first_worker_index = tr->first_index;
2176 num_threads = tm->n_vlib_mains - 1;
2177 sm->port_per_thread = 0xffff - 1024;
2178 vec_validate (sm->per_thread_data, num_threads);
2180 /* Use all available workers by default */
2181 if (sm->num_workers > 1)
2183 for (i = 0; i < sm->num_workers; i++)
2184 bitmap = clib_bitmap_set (bitmap, i, 1);
2185 snat_set_workers (bitmap);
2186 clib_bitmap_free (bitmap);
2190 sm->per_thread_data[0].snat_thread_index = 0;
2193 /* callbacks to call when interface address changes. */
2194 cbi.function = snat_ip4_add_del_interface_address_cb;
2195 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2196 cbi.function = nat_ip4_add_del_addr_only_sm_cb;
2197 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2199 /* callbacks to call when interface to table biding changes */
2200 cbt.function = snat_update_outside_fib;
2201 vec_add1 (sm->ip4_main->table_bind_callbacks, cbt);
2204 fib_source_allocate ("nat-low", FIB_SOURCE_PRIORITY_LOW,
2205 FIB_SOURCE_BH_SIMPLE);
2207 fib_source_allocate ("nat-hi", FIB_SOURCE_PRIORITY_HI,
2208 FIB_SOURCE_BH_SIMPLE);
2210 nat_affinity_init (vm);
2211 test_key_calc_split ();
2213 return nat44_api_hookup (vm);
2216 VLIB_INIT_FUNCTION (nat_init);
2219 nat44_plugin_enable (nat44_config_t c)
2221 snat_main_t *sm = &snat_main;
2225 if (c.static_mapping_only && !c.connection_tracking)
2227 nat_log_err ("unsupported combination of configuration");
2231 sm->static_mapping_only = c.static_mapping_only;
2232 sm->static_mapping_connection_tracking = c.connection_tracking;
2234 sm->forwarding_enabled = 0;
2235 sm->mss_clamping = 0;
2236 sm->pat = (!c.static_mapping_only ||
2237 (c.static_mapping_only && c.connection_tracking));
2240 c.sessions = 63 * 1024;
2242 sm->max_translations_per_thread = c.sessions;
2243 stat_segment_set_state_counter (sm->max_cfg_sessions_gauge,
2244 sm->max_translations_per_thread);
2245 sm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
2247 vec_add1 (sm->max_translations_per_fib, sm->max_translations_per_thread);
2249 sm->inside_vrf_id = c.inside_vrf;
2250 sm->inside_fib_index =
2251 fib_table_find_or_create_and_lock
2252 (FIB_PROTOCOL_IP4, c.inside_vrf, sm->fib_src_hi);
2254 sm->outside_vrf_id = c.outside_vrf;
2255 sm->outside_fib_index = fib_table_find_or_create_and_lock (
2256 FIB_PROTOCOL_IP4, c.outside_vrf, sm->fib_src_hi);
2258 nat44_ed_db_init (sm->max_translations_per_thread, sm->translation_buckets);
2260 nat_affinity_enable ();
2262 nat_reset_timeouts (&sm->timeouts);
2264 vlib_zero_simple_counter (&sm->total_sessions, 0);
2266 if (!sm->frame_queue_nelts)
2268 sm->frame_queue_nelts = NAT_FQ_NELTS_DEFAULT;
2271 if (sm->num_workers > 1)
2273 if (sm->fq_in2out_index == ~0)
2275 sm->fq_in2out_index = vlib_frame_queue_main_init (
2276 sm->in2out_node_index, sm->frame_queue_nelts);
2278 if (sm->fq_out2in_index == ~0)
2280 sm->fq_out2in_index = vlib_frame_queue_main_init (
2281 sm->out2in_node_index, sm->frame_queue_nelts);
2283 if (sm->fq_in2out_output_index == ~0)
2285 sm->fq_in2out_output_index = vlib_frame_queue_main_init (
2286 sm->in2out_output_node_index, sm->frame_queue_nelts);
2297 nat44_addresses_free (snat_address_t ** addresses)
2300 vec_foreach (ap, *addresses)
2302 #define _(N, i, n, s) \
2303 vec_free (ap->busy_##n##_ports_per_thread);
2304 foreach_nat_protocol
2307 vec_free (*addresses);
2312 nat44_plugin_disable ()
2314 snat_main_t *sm = &snat_main;
2315 snat_interface_t *i, *pool;
2318 fail_if_disabled ();
2320 pool = pool_dup (sm->interfaces);
2321 pool_foreach (i, pool)
2323 if (nat_interface_is_inside (i))
2325 error = nat44_ed_del_interface (i->sw_if_index, 1);
2327 if (nat_interface_is_outside (i))
2329 error = nat44_ed_del_interface (i->sw_if_index, 0);
2333 nat_log_err ("error occurred while removing interface %u",
2337 pool_free (sm->interfaces);
2341 pool = pool_dup (sm->output_feature_interfaces);
2342 pool_foreach (i, pool)
2344 error = nat44_ed_del_output_interface (i->sw_if_index);
2347 nat_log_err ("error occurred while removing interface %u",
2351 pool_free (sm->output_feature_interfaces);
2353 sm->output_feature_interfaces = 0;
2355 vec_free (sm->max_translations_per_fib);
2357 nat44_ed_db_free ();
2359 nat44_addresses_free (&sm->addresses);
2360 nat44_addresses_free (&sm->twice_nat_addresses);
2362 vec_free (sm->to_resolve);
2363 vec_free (sm->auto_add_sw_if_indices);
2364 vec_free (sm->auto_add_sw_if_indices_twice_nat);
2367 sm->auto_add_sw_if_indices = 0;
2368 sm->auto_add_sw_if_indices_twice_nat = 0;
2370 sm->forwarding_enabled = 0;
2373 clib_memset (&sm->rconfig, 0, sizeof (sm->rconfig));
2379 nat44_ed_forwarding_enable_disable (u8 is_enable)
2381 snat_main_per_thread_data_t *tsm;
2382 snat_main_t *sm = &snat_main;
2385 u32 *ses_to_be_removed = 0, *ses_index;
2387 sm->forwarding_enabled = is_enable != 0;
2392 vec_foreach (tsm, sm->per_thread_data)
2394 pool_foreach (s, tsm->sessions)
2396 if (is_fwd_bypass_session (s))
2398 vec_add1 (ses_to_be_removed, s - tsm->sessions);
2401 vec_foreach (ses_index, ses_to_be_removed)
2403 s = pool_elt_at_index (tsm->sessions, ses_index[0]);
2404 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
2405 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
2408 vec_free (ses_to_be_removed);
2413 snat_free_outside_address_and_port (snat_address_t *addresses,
2414 u32 thread_index, ip4_address_t *addr,
2415 u16 port, nat_protocol_t protocol)
2417 snat_main_t *sm = &snat_main;
2420 u16 port_host_byte_order = clib_net_to_host_u16 (port);
2422 for (address_index = 0; address_index < vec_len (addresses);
2425 if (addresses[address_index].addr.as_u32 == addr->as_u32)
2429 ASSERT (address_index < vec_len (addresses));
2431 a = addresses + address_index;
2435 #define _(N, i, n, s) \
2436 case NAT_PROTOCOL_##N: \
2437 ASSERT (a->busy_##n##_port_refcounts[port_host_byte_order] >= 1); \
2438 --a->busy_##n##_port_refcounts[port_host_byte_order]; \
2439 a->busy_##n##_ports--; \
2440 a->busy_##n##_ports_per_thread[thread_index]--; \
2442 foreach_nat_protocol
2444 default : nat_elog_info (sm, "unknown protocol");
2450 nat_set_outside_address_and_port (snat_address_t *addresses, u32 thread_index,
2451 ip4_address_t addr, u16 port,
2452 nat_protocol_t protocol)
2454 snat_main_t *sm = &snat_main;
2455 snat_address_t *a = 0;
2457 u16 port_host_byte_order = clib_net_to_host_u16 (port);
2459 for (address_index = 0; address_index < vec_len (addresses);
2462 if (addresses[address_index].addr.as_u32 != addr.as_u32)
2465 a = addresses + address_index;
2468 #define _(N, j, n, s) \
2469 case NAT_PROTOCOL_##N: \
2470 if (a->busy_##n##_port_refcounts[port_host_byte_order]) \
2471 return VNET_API_ERROR_INSTANCE_IN_USE; \
2472 ++a->busy_##n##_port_refcounts[port_host_byte_order]; \
2473 a->busy_##n##_ports_per_thread[thread_index]++; \
2474 a->busy_##n##_ports++; \
2476 foreach_nat_protocol
2478 default : nat_elog_info (sm, "unknown protocol");
2483 return VNET_API_ERROR_NO_SUCH_ENTRY;
2487 snat_static_mapping_match (vlib_main_t *vm, snat_main_t *sm,
2488 ip4_address_t match_addr, u16 match_port,
2489 u32 match_fib_index, nat_protocol_t match_protocol,
2490 ip4_address_t *mapping_addr, u16 *mapping_port,
2491 u32 *mapping_fib_index, u8 by_external,
2492 u8 *is_addr_only, twice_nat_type_t *twice_nat,
2493 lb_nat_type_t *lb, ip4_address_t *ext_host_addr,
2494 u8 *is_identity_nat, snat_static_mapping_t **out)
2496 clib_bihash_kv_8_8_t kv, value;
2497 clib_bihash_8_8_t *mapping_hash;
2498 snat_static_mapping_t *m;
2499 u32 rand, lo = 0, hi, mid, *tmp = 0, i;
2500 nat44_lb_addr_port_t *local;
2505 mapping_hash = &sm->static_mapping_by_local;
2506 init_nat_k (&kv, match_addr, match_port, match_fib_index,
2508 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2510 /* Try address only mapping */
2511 init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
2512 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2518 mapping_hash = &sm->static_mapping_by_external;
2519 init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
2520 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2522 /* Try address only mapping */
2523 init_nat_k (&kv, match_addr, 0, 0, 0);
2524 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2529 m = pool_elt_at_index (sm->static_mappings, value.value);
2533 if (is_lb_static_mapping (m))
2535 if (PREDICT_FALSE (lb != 0))
2536 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
2537 if (m->affinity && !nat_affinity_find_and_lock (
2538 vm, ext_host_addr[0], match_addr,
2539 match_protocol, match_port, &backend_index))
2541 local = pool_elt_at_index (m->locals, backend_index);
2542 *mapping_addr = local->addr;
2543 *mapping_port = local->port;
2544 *mapping_fib_index = local->fib_index;
2547 // pick locals matching this worker
2548 if (PREDICT_FALSE (sm->num_workers > 1))
2550 u32 thread_index = vlib_get_thread_index ();
2551 pool_foreach_index (i, m->locals)
2553 local = pool_elt_at_index (m->locals, i);
2556 .src_address = local->addr,
2559 if (nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index,
2565 ASSERT (vec_len (tmp) != 0);
2569 pool_foreach_index (i, m->locals)
2574 hi = vec_len (tmp) - 1;
2575 local = pool_elt_at_index (m->locals, tmp[hi]);
2576 rand = 1 + (random_u32 (&sm->random_seed) % local->prefix);
2579 mid = ((hi - lo) >> 1) + lo;
2580 local = pool_elt_at_index (m->locals, tmp[mid]);
2581 (rand > local->prefix) ? (lo = mid + 1) : (hi = mid);
2583 local = pool_elt_at_index (m->locals, tmp[lo]);
2584 if (!(local->prefix >= rand))
2586 *mapping_addr = local->addr;
2587 *mapping_port = local->port;
2588 *mapping_fib_index = local->fib_index;
2591 if (nat_affinity_create_and_lock (ext_host_addr[0], match_addr,
2592 match_protocol, match_port,
2593 tmp[lo], m->affinity,
2594 m->affinity_per_service_list_head_index))
2595 nat_elog_info (sm, "create affinity record failed");
2601 if (PREDICT_FALSE (lb != 0))
2603 *mapping_fib_index = m->fib_index;
2604 *mapping_addr = m->local_addr;
2605 /* Address only mapping doesn't change port */
2606 *mapping_port = is_addr_only_static_mapping (m) ? match_port
2612 *mapping_addr = m->external_addr;
2613 /* Address only mapping doesn't change port */
2614 *mapping_port = is_addr_only_static_mapping (m) ? match_port
2616 *mapping_fib_index = sm->outside_fib_index;
2620 if (PREDICT_FALSE (is_addr_only != 0))
2621 *is_addr_only = is_addr_only_static_mapping (m);
2623 if (PREDICT_FALSE (twice_nat != 0))
2624 *twice_nat = m->twice_nat;
2626 if (PREDICT_FALSE (is_identity_nat != 0))
2627 *is_identity_nat = is_identity_static_mapping (m);
2636 nat44_ed_get_in2out_worker_index (vlib_buffer_t *b, ip4_header_t *ip,
2637 u32 rx_fib_index, u8 is_output)
2639 snat_main_t *sm = &snat_main;
2640 u32 next_worker_index = sm->first_worker_index;
2643 clib_bihash_kv_16_8_t kv16, value16;
2645 u32 fib_index = rx_fib_index;
2648 if (PREDICT_FALSE (is_output))
2650 fib_index = sm->outside_fib_index;
2651 nat_outside_fib_t *outside_fib;
2652 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
2653 fib_prefix_t pfx = {
2654 .fp_proto = FIB_PROTOCOL_IP4,
2657 .ip4.as_u32 = ip->dst_address.as_u32,
2661 switch (vec_len (sm->outside_fibs))
2664 fib_index = sm->outside_fib_index;
2667 fib_index = sm->outside_fibs[0].fib_index;
2670 vec_foreach (outside_fib, sm->outside_fibs)
2672 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
2673 if (FIB_NODE_INDEX_INVALID != fei)
2675 if (fib_entry_get_resolving_interface (fei) != ~0)
2677 fib_index = outside_fib->fib_index;
2686 init_ed_k (&kv16, ip->src_address, vnet_buffer (b)->ip.reass.l4_src_port,
2687 ip->dst_address, vnet_buffer (b)->ip.reass.l4_dst_port,
2688 fib_index, ip->protocol);
2690 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2692 next_worker_index = ed_value_get_thread_index (&value16);
2693 vnet_buffer2 (b)->nat.cached_session_index =
2694 ed_value_get_session_index (&value16);
2699 init_ed_k (&kv16, ip->dst_address, vnet_buffer (b)->ip.reass.l4_dst_port,
2700 ip->src_address, vnet_buffer (b)->ip.reass.l4_src_port,
2701 rx_fib_index, ip->protocol);
2702 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2704 next_worker_index = ed_value_get_thread_index (&value16);
2705 vnet_buffer2 (b)->nat.cached_dst_nat_session_index =
2706 ed_value_get_session_index (&value16);
2711 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
2712 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
2714 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
2715 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
2717 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
2720 if (PREDICT_TRUE (!is_output))
2722 nat_elog_debug_handoff (sm, "HANDOFF IN2OUT", next_worker_index,
2724 clib_net_to_host_u32 (ip->src_address.as_u32),
2725 clib_net_to_host_u32 (ip->dst_address.as_u32));
2729 nat_elog_debug_handoff (sm, "HANDOFF IN2OUT-OUTPUT-FEATURE",
2730 next_worker_index, rx_fib_index,
2731 clib_net_to_host_u32 (ip->src_address.as_u32),
2732 clib_net_to_host_u32 (ip->dst_address.as_u32));
2735 return next_worker_index;
2739 nat44_ed_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip,
2740 u32 rx_fib_index, u8 is_output)
2742 snat_main_t *sm = &snat_main;
2743 clib_bihash_kv_8_8_t kv, value;
2744 clib_bihash_kv_16_8_t kv16, value16;
2746 u32 proto, next_worker_index = 0;
2748 snat_static_mapping_t *m;
2751 proto = ip_proto_to_nat_proto (ip->protocol);
2753 if (PREDICT_FALSE (proto == NAT_PROTOCOL_ICMP))
2755 ip4_address_t lookup_saddr, lookup_daddr;
2756 u16 lookup_sport, lookup_dport;
2758 if (!nat_get_icmp_session_lookup_values (
2759 b, ip, &lookup_saddr, &lookup_sport, &lookup_daddr, &lookup_dport,
2762 init_ed_k (&kv16, lookup_saddr, lookup_sport, lookup_daddr,
2763 lookup_dport, rx_fib_index, lookup_protocol);
2765 !clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16)))
2767 next_worker_index = ed_value_get_thread_index (&value16);
2768 nat_elog_debug_handoff (
2769 sm, "HANDOFF OUT2IN (session)", next_worker_index,
2770 rx_fib_index, clib_net_to_host_u32 (ip->src_address.as_u32),
2771 clib_net_to_host_u32 (ip->dst_address.as_u32));
2772 return next_worker_index;
2777 init_ed_k (&kv16, ip->src_address, vnet_buffer (b)->ip.reass.l4_src_port,
2778 ip->dst_address, vnet_buffer (b)->ip.reass.l4_dst_port,
2779 rx_fib_index, ip->protocol);
2782 !clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16)))
2784 vnet_buffer2 (b)->nat.cached_session_index =
2785 ed_value_get_session_index (&value16);
2786 next_worker_index = ed_value_get_thread_index (&value16);
2787 nat_elog_debug_handoff (sm, "HANDOFF OUT2IN (session)",
2788 next_worker_index, rx_fib_index,
2789 clib_net_to_host_u32 (ip->src_address.as_u32),
2790 clib_net_to_host_u32 (ip->dst_address.as_u32));
2791 return next_worker_index;
2794 /* first try static mappings without port */
2795 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2797 init_nat_k (&kv, ip->dst_address, 0, 0, 0);
2798 if (!clib_bihash_search_8_8
2799 (&sm->static_mapping_by_external, &kv, &value))
2801 m = pool_elt_at_index (sm->static_mappings, value.value);
2802 next_worker_index = m->workers[0];
2807 /* unknown protocol */
2808 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
2810 /* use current thread */
2811 next_worker_index = vlib_get_thread_index ();
2815 port = vnet_buffer (b)->ip.reass.l4_dst_port;
2817 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
2819 udp_header_t *udp = ip4_next_header (ip);
2820 icmp46_header_t *icmp = (icmp46_header_t *) udp;
2821 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
2822 if (!icmp_type_is_error_message
2823 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
2824 port = vnet_buffer (b)->ip.reass.l4_src_port;
2827 /* if error message, then it's not fragmented and we can access it */
2828 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
2829 proto = ip_proto_to_nat_proto (inner_ip->protocol);
2830 void *l4_header = ip4_next_header (inner_ip);
2833 case NAT_PROTOCOL_ICMP:
2834 icmp = (icmp46_header_t *) l4_header;
2835 echo = (icmp_echo_header_t *) (icmp + 1);
2836 port = echo->identifier;
2838 case NAT_PROTOCOL_UDP:
2839 case NAT_PROTOCOL_TCP:
2840 port = ((tcp_udp_header_t *) l4_header)->src_port;
2843 next_worker_index = vlib_get_thread_index ();
2849 /* try static mappings with port */
2850 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2852 init_nat_k (&kv, ip->dst_address, port, 0, proto);
2853 if (!clib_bihash_search_8_8
2854 (&sm->static_mapping_by_external, &kv, &value))
2856 m = pool_elt_at_index (sm->static_mappings, value.value);
2857 if (!is_lb_static_mapping (m))
2859 next_worker_index = m->workers[0];
2863 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
2864 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
2866 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
2868 m->workers[hash & (_vec_len (m->workers) - 1)];
2870 next_worker_index = m->workers[hash % _vec_len (m->workers)];
2875 /* worker by outside port */
2876 next_worker_index = sm->first_worker_index;
2877 next_worker_index +=
2878 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
2881 nat_elog_debug_handoff (sm, "HANDOFF OUT2IN", next_worker_index,
2883 clib_net_to_host_u32 (ip->src_address.as_u32),
2884 clib_net_to_host_u32 (ip->dst_address.as_u32));
2885 return next_worker_index;
2889 nat44_get_max_session_limit ()
2891 snat_main_t *sm = &snat_main;
2892 u32 max_limit = 0, len = 0;
2894 for (; len < vec_len (sm->max_translations_per_fib); len++)
2896 if (max_limit < sm->max_translations_per_fib[len])
2897 max_limit = sm->max_translations_per_fib[len];
2903 nat44_set_session_limit (u32 session_limit, u32 vrf_id)
2905 snat_main_t *sm = &snat_main;
2906 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
2907 u32 len = vec_len (sm->max_translations_per_fib);
2909 if (len <= fib_index)
2911 vec_validate (sm->max_translations_per_fib, fib_index + 1);
2913 for (; len < vec_len (sm->max_translations_per_fib); len++)
2914 sm->max_translations_per_fib[len] = sm->max_translations_per_thread;
2917 sm->max_translations_per_fib[fib_index] = session_limit;
2922 nat44_update_session_limit (u32 session_limit, u32 vrf_id)
2924 snat_main_t *sm = &snat_main;
2926 if (nat44_set_session_limit (session_limit, vrf_id))
2928 sm->max_translations_per_thread = nat44_get_max_session_limit ();
2930 stat_segment_set_state_counter (sm->max_cfg_sessions_gauge,
2931 sm->max_translations_per_thread);
2933 sm->translation_buckets =
2934 nat_calc_bihash_buckets (sm->max_translations_per_thread);
2936 nat44_ed_sessions_clear ();
2941 nat44_ed_worker_db_init (snat_main_per_thread_data_t *tsm, u32 translations,
2942 u32 translation_buckets)
2946 pool_alloc (tsm->sessions, translations);
2947 pool_alloc (tsm->lru_pool, translations);
2949 pool_get (tsm->lru_pool, head);
2950 tsm->tcp_trans_lru_head_index = head - tsm->lru_pool;
2951 clib_dlist_init (tsm->lru_pool, tsm->tcp_trans_lru_head_index);
2953 pool_get (tsm->lru_pool, head);
2954 tsm->tcp_estab_lru_head_index = head - tsm->lru_pool;
2955 clib_dlist_init (tsm->lru_pool, tsm->tcp_estab_lru_head_index);
2957 pool_get (tsm->lru_pool, head);
2958 tsm->udp_lru_head_index = head - tsm->lru_pool;
2959 clib_dlist_init (tsm->lru_pool, tsm->udp_lru_head_index);
2961 pool_get (tsm->lru_pool, head);
2962 tsm->icmp_lru_head_index = head - tsm->lru_pool;
2963 clib_dlist_init (tsm->lru_pool, tsm->icmp_lru_head_index);
2965 pool_get (tsm->lru_pool, head);
2966 tsm->unk_proto_lru_head_index = head - tsm->lru_pool;
2967 clib_dlist_init (tsm->lru_pool, tsm->unk_proto_lru_head_index);
2971 reinit_ed_flow_hash ()
2973 snat_main_t *sm = &snat_main;
2974 // we expect 2 flows per session, so multiply translation_buckets by 2
2975 clib_bihash_init_16_8 (
2976 &sm->flow_hash, "ed-flow-hash",
2977 clib_max (1, sm->num_workers) * 2 * sm->translation_buckets, 0);
2978 clib_bihash_set_kvp_format_fn_16_8 (&sm->flow_hash, format_ed_session_kvp);
2982 nat44_ed_db_init (u32 translations, u32 translation_buckets)
2984 snat_main_t *sm = &snat_main;
2985 snat_main_per_thread_data_t *tsm;
2986 u32 static_mapping_buckets = 1024;
2987 u32 static_mapping_memory_size = 64 << 20;
2989 reinit_ed_flow_hash ();
2991 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
2992 "static_mapping_by_local", static_mapping_buckets,
2993 static_mapping_memory_size);
2994 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local,
2995 format_static_mapping_kvp);
2997 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
2998 "static_mapping_by_external", static_mapping_buckets,
2999 static_mapping_memory_size);
3000 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external,
3001 format_static_mapping_kvp);
3005 vec_foreach (tsm, sm->per_thread_data)
3007 nat44_ed_worker_db_init (tsm, sm->max_translations_per_thread,
3008 sm->translation_buckets);
3014 nat44_ed_worker_db_free (snat_main_per_thread_data_t *tsm)
3016 pool_free (tsm->lru_pool);
3017 pool_free (tsm->sessions);
3018 vec_free (tsm->per_vrf_sessions_vec);
3024 snat_main_t *sm = &snat_main;
3025 snat_main_per_thread_data_t *tsm;
3027 pool_free (sm->static_mappings);
3028 clib_bihash_free_16_8 (&sm->flow_hash);
3029 clib_bihash_free_8_8 (&sm->static_mapping_by_local);
3030 clib_bihash_free_8_8 (&sm->static_mapping_by_external);
3034 vec_foreach (tsm, sm->per_thread_data)
3036 nat44_ed_worker_db_free (tsm);
3042 nat44_ed_sessions_clear ()
3044 snat_main_t *sm = &snat_main;
3045 snat_main_per_thread_data_t *tsm;
3047 reinit_ed_flow_hash ();
3051 vec_foreach (tsm, sm->per_thread_data)
3054 nat44_ed_worker_db_free (tsm);
3055 nat44_ed_worker_db_init (tsm, sm->max_translations_per_thread,
3056 sm->translation_buckets);
3059 vlib_zero_simple_counter (&sm->total_sessions, 0);
3063 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
3066 ip4_address_t * address,
3068 u32 if_address_index, u32 is_delete)
3070 snat_main_t *sm = &snat_main;
3071 snat_static_map_resolve_t *rp;
3072 snat_static_mapping_t *m;
3073 clib_bihash_kv_8_8_t kv, value;
3075 ip4_address_t l_addr;
3080 for (i = 0; i < vec_len (sm->to_resolve); i++)
3082 rp = sm->to_resolve + i;
3083 if (rp->addr_only == 0)
3085 if (rp->sw_if_index == sw_if_index)
3092 init_nat_k (&kv, *address, rp->addr_only ? 0 : rp->e_port,
3093 sm->outside_fib_index, rp->addr_only ? 0 : rp->proto);
3094 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3097 m = pool_elt_at_index (sm->static_mappings, value.value);
3101 /* Don't trip over lease renewal, static config */
3111 /* Indetity mapping? */
3112 if (rp->l_addr.as_u32 == 0)
3113 l_addr.as_u32 = address[0].as_u32;
3115 l_addr.as_u32 = rp->l_addr.as_u32;
3116 /* Add the static mapping */
3117 rv = snat_add_static_mapping (l_addr,
3122 rp->addr_only, ~0 /* sw_if_index */ ,
3123 rp->proto, !is_delete, rp->twice_nat,
3124 rp->out2in_only, rp->tag, rp->identity_nat,
3125 rp->pool_addr, rp->exact);
3127 nat_elog_notice_X1 (sm, "snat_add_static_mapping returned %d", "i4", rv);
3131 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
3134 ip4_address_t * address,
3136 u32 if_address_index, u32 is_delete)
3138 snat_main_t *sm = &snat_main;
3139 snat_static_map_resolve_t *rp;
3140 ip4_address_t l_addr;
3144 snat_address_t *addresses = sm->addresses;
3149 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices); i++)
3151 if (sw_if_index == sm->auto_add_sw_if_indices[i])
3155 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices_twice_nat); i++)
3158 addresses = sm->twice_nat_addresses;
3159 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
3168 /* Don't trip over lease renewal, static config */
3169 for (j = 0; j < vec_len (addresses); j++)
3170 if (addresses[j].addr.as_u32 == address->as_u32)
3173 (void) snat_add_address (sm, address, ~0, twice_nat);
3174 /* Scan static map resolution vector */
3175 for (j = 0; j < vec_len (sm->to_resolve); j++)
3177 rp = sm->to_resolve + j;
3180 /* On this interface? */
3181 if (rp->sw_if_index == sw_if_index)
3183 /* Indetity mapping? */
3184 if (rp->l_addr.as_u32 == 0)
3185 l_addr.as_u32 = address[0].as_u32;
3187 l_addr.as_u32 = rp->l_addr.as_u32;
3188 /* Add the static mapping */
3189 rv = snat_add_static_mapping (
3190 l_addr, address[0], rp->l_port, rp->e_port, rp->vrf_id,
3191 rp->addr_only, ~0 /* sw_if_index */, rp->proto, 1,
3192 rp->twice_nat, rp->out2in_only, rp->tag, rp->identity_nat,
3193 rp->pool_addr, rp->exact);
3195 nat_elog_notice_X1 (sm, "snat_add_static_mapping returned %d",
3203 (void) snat_del_address (sm, address[0], 1, twice_nat);
3209 snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del,
3212 ip4_main_t *ip4_main = sm->ip4_main;
3213 ip4_address_t *first_int_addr;
3214 snat_static_map_resolve_t *rp;
3215 u32 *indices_to_delete = 0;
3217 u32 *auto_add_sw_if_indices =
3219 auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
3221 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0 /* just want the address */
3224 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3226 if (auto_add_sw_if_indices[i] == sw_if_index)
3230 /* if have address remove it */
3232 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
3235 for (j = 0; j < vec_len (sm->to_resolve); j++)
3237 rp = sm->to_resolve + j;
3238 if (rp->sw_if_index == sw_if_index)
3239 vec_add1 (indices_to_delete, j);
3241 if (vec_len (indices_to_delete))
3243 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
3244 vec_del1 (sm->to_resolve, j);
3245 vec_free (indices_to_delete);
3249 vec_del1 (sm->auto_add_sw_if_indices_twice_nat, i);
3251 vec_del1 (sm->auto_add_sw_if_indices, i);
3254 return VNET_API_ERROR_VALUE_EXIST;
3261 return VNET_API_ERROR_NO_SUCH_ENTRY;
3263 /* add to the auto-address list */
3265 vec_add1 (sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
3267 vec_add1 (sm->auto_add_sw_if_indices, sw_if_index);
3269 /* If the address is already bound - or static - add it now */
3271 (void) snat_add_address (sm, first_int_addr, ~0, twice_nat);
3277 nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
3278 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
3279 u32 vrf_id, int is_in)
3282 clib_bihash_kv_16_8_t kv, value;
3283 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3285 snat_main_per_thread_data_t *tsm;
3287 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3288 if (sm->num_workers > 1)
3289 tsm = vec_elt_at_index (
3290 sm->per_thread_data,
3291 nat44_ed_get_in2out_worker_index (0, &ip, fib_index, 0));
3293 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3295 init_ed_k (&kv, *addr, port, *eh_addr, eh_port, fib_index, proto);
3296 if (clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
3298 return VNET_API_ERROR_NO_SUCH_ENTRY;
3301 if (pool_is_free_index (tsm->sessions, ed_value_get_session_index (&value)))
3302 return VNET_API_ERROR_UNSPECIFIED;
3303 s = pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value));
3304 nat_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
3305 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
3309 VLIB_NODE_FN (nat_default_node) (vlib_main_t * vm,
3310 vlib_node_runtime_t * node,
3311 vlib_frame_t * frame)
3316 VLIB_REGISTER_NODE (nat_default_node) = {
3317 .name = "nat-default",
3318 .vector_size = sizeof (u32),
3320 .type = VLIB_NODE_TYPE_INTERNAL,
3322 .n_next_nodes = NAT_N_NEXT,
3324 [NAT_NEXT_DROP] = "error-drop",
3325 [NAT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3326 [NAT_NEXT_IN2OUT_ED_FAST_PATH] = "nat44-ed-in2out",
3327 [NAT_NEXT_IN2OUT_ED_SLOW_PATH] = "nat44-ed-in2out-slowpath",
3328 [NAT_NEXT_IN2OUT_ED_OUTPUT_FAST_PATH] = "nat44-ed-in2out-output",
3329 [NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
3330 [NAT_NEXT_OUT2IN_ED_FAST_PATH] = "nat44-ed-out2in",
3331 [NAT_NEXT_OUT2IN_ED_SLOW_PATH] = "nat44-ed-out2in-slowpath",
3332 [NAT_NEXT_IN2OUT_CLASSIFY] = "nat44-in2out-worker-handoff",
3333 [NAT_NEXT_OUT2IN_CLASSIFY] = "nat44-out2in-worker-handoff",
3338 nat_6t_l3_l4_csum_calc (nat_6t_flow_t *f)
3340 f->l3_csum_delta = 0;
3341 f->l4_csum_delta = 0;
3342 if (f->ops & NAT_FLOW_OP_SADDR_REWRITE &&
3343 f->rewrite.saddr.as_u32 != f->match.saddr.as_u32)
3346 ip_csum_add_even (f->l3_csum_delta, f->rewrite.saddr.as_u32);
3348 ip_csum_sub_even (f->l3_csum_delta, f->match.saddr.as_u32);
3352 f->rewrite.saddr.as_u32 = f->match.saddr.as_u32;
3354 if (f->ops & NAT_FLOW_OP_DADDR_REWRITE &&
3355 f->rewrite.daddr.as_u32 != f->match.daddr.as_u32)
3358 ip_csum_add_even (f->l3_csum_delta, f->rewrite.daddr.as_u32);
3360 ip_csum_sub_even (f->l3_csum_delta, f->match.daddr.as_u32);
3364 f->rewrite.daddr.as_u32 = f->match.daddr.as_u32;
3366 if (f->ops & NAT_FLOW_OP_SPORT_REWRITE && f->rewrite.sport != f->match.sport)
3368 f->l4_csum_delta = ip_csum_add_even (f->l4_csum_delta, f->rewrite.sport);
3369 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.sport);
3373 f->rewrite.sport = f->match.sport;
3375 if (f->ops & NAT_FLOW_OP_DPORT_REWRITE && f->rewrite.dport != f->match.dport)
3377 f->l4_csum_delta = ip_csum_add_even (f->l4_csum_delta, f->rewrite.dport);
3378 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.dport);
3382 f->rewrite.dport = f->match.dport;
3384 if (f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE &&
3385 f->rewrite.icmp_id != f->match.sport)
3388 ip_csum_add_even (f->l4_csum_delta, f->rewrite.icmp_id);
3389 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.sport);
3393 f->rewrite.icmp_id = f->match.sport;
3395 if (f->ops & NAT_FLOW_OP_TXFIB_REWRITE)
3400 f->rewrite.fib_index = f->match.fib_index;
3404 static_always_inline int nat_6t_flow_icmp_translate (snat_main_t *sm,
3409 static_always_inline void
3410 nat_6t_flow_ip4_translate (snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
3411 nat_6t_flow_t *f, nat_protocol_t proto,
3412 int is_icmp_inner_ip4, int skip_saddr_rewrite)
3414 udp_header_t *udp = ip4_next_header (ip);
3415 tcp_header_t *tcp = (tcp_header_t *) udp;
3417 if ((NAT_PROTOCOL_TCP == proto || NAT_PROTOCOL_UDP == proto) &&
3418 !vnet_buffer (b)->ip.reass.is_non_first_fragment)
3420 if (!is_icmp_inner_ip4)
3422 ip->src_address = f->rewrite.saddr;
3423 ip->dst_address = f->rewrite.daddr;
3424 udp->src_port = f->rewrite.sport;
3425 udp->dst_port = f->rewrite.dport;
3428 { // icmp inner ip4 - reversed saddr/daddr
3429 ip->src_address = f->rewrite.daddr;
3430 ip->dst_address = f->rewrite.saddr;
3431 udp->src_port = f->rewrite.dport;
3432 udp->dst_port = f->rewrite.sport;
3435 if (NAT_PROTOCOL_TCP == proto)
3437 ip_csum_t tcp_sum = tcp->checksum;
3438 tcp_sum = ip_csum_sub_even (tcp_sum, f->l3_csum_delta);
3439 tcp_sum = ip_csum_sub_even (tcp_sum, f->l4_csum_delta);
3440 mss_clamping (sm->mss_clamping, tcp, &tcp_sum);
3441 tcp->checksum = ip_csum_fold (tcp_sum);
3443 else if (proto == NAT_PROTOCOL_UDP && udp->checksum)
3445 ip_csum_t udp_sum = udp->checksum;
3446 udp_sum = ip_csum_sub_even (udp_sum, f->l3_csum_delta);
3447 udp_sum = ip_csum_sub_even (udp_sum, f->l4_csum_delta);
3448 udp->checksum = ip_csum_fold (udp_sum);
3453 if (!is_icmp_inner_ip4)
3455 if (!skip_saddr_rewrite)
3457 ip->src_address = f->rewrite.saddr;
3459 ip->dst_address = f->rewrite.daddr;
3462 { // icmp inner ip4 - reversed saddr/daddr
3463 ip->src_address = f->rewrite.daddr;
3464 ip->dst_address = f->rewrite.saddr;
3468 if (skip_saddr_rewrite)
3470 ip->checksum = ip4_header_checksum (ip);
3474 ip_csum_t ip_sum = ip->checksum;
3475 ip_sum = ip_csum_sub_even (ip_sum, f->l3_csum_delta);
3476 ip->checksum = ip_csum_fold (ip_sum);
3478 if (0xffff == ip->checksum)
3480 ASSERT (ip4_header_checksum_is_valid (ip));
3483 static_always_inline int
3484 nat_6t_flow_icmp_translate (snat_main_t *sm, vlib_buffer_t *b,
3485 ip4_header_t *ip, nat_6t_flow_t *f)
3487 if (IP_PROTOCOL_ICMP != ip->protocol)
3488 return NAT_ED_TRNSL_ERR_TRANSLATION_FAILED;
3490 icmp46_header_t *icmp = ip4_next_header (ip);
3491 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3493 if ((!vnet_buffer (b)->ip.reass.is_non_first_fragment))
3495 if (icmp->checksum == 0)
3496 icmp->checksum = 0xffff;
3498 if (!icmp_type_is_error_message (icmp->type))
3500 if ((f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE) &&
3501 (f->rewrite.icmp_id != echo->identifier))
3503 ip_csum_t sum = icmp->checksum;
3504 sum = ip_csum_update (sum, echo->identifier, f->rewrite.icmp_id,
3506 identifier /* changed member */);
3507 echo->identifier = f->rewrite.icmp_id;
3508 icmp->checksum = ip_csum_fold (sum);
3513 // errors are not fragmented
3514 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3516 if (!ip4_header_checksum_is_valid (inner_ip))
3518 return NAT_ED_TRNSL_ERR_TRANSLATION_FAILED;
3521 nat_protocol_t inner_proto =
3522 ip_proto_to_nat_proto (inner_ip->protocol);
3524 ip_csum_t old_icmp_sum = icmp->checksum;
3525 ip_csum_t old_inner_ip_sum = inner_ip->checksum;
3526 ip_csum_t old_udp_sum;
3527 ip_csum_t old_tcp_sum;
3528 ip_csum_t new_icmp_sum;
3532 switch (inner_proto)
3534 case NAT_PROTOCOL_UDP:
3535 udp = (udp_header_t *) (inner_ip + 1);
3536 old_udp_sum = udp->checksum;
3537 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3538 1 /* is_icmp_inner_ip4 */,
3539 0 /* skip_saddr_rewrite */);
3540 new_icmp_sum = ip_csum_sub_even (old_icmp_sum, f->l3_csum_delta);
3541 new_icmp_sum = ip_csum_sub_even (new_icmp_sum, f->l4_csum_delta);
3543 ip_csum_update (new_icmp_sum, old_inner_ip_sum,
3544 inner_ip->checksum, ip4_header_t, checksum);
3546 ip_csum_update (new_icmp_sum, old_udp_sum, udp->checksum,
3547 udp_header_t, checksum);
3548 new_icmp_sum = ip_csum_fold (new_icmp_sum);
3549 if (0xffff == new_icmp_sum)
3551 icmp->checksum = new_icmp_sum;
3553 case NAT_PROTOCOL_TCP:
3554 tcp = (tcp_header_t *) (inner_ip + 1);
3555 old_tcp_sum = tcp->checksum;
3556 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3557 1 /* is_icmp_inner_ip4 */,
3558 0 /* skip_saddr_rewrite */);
3559 new_icmp_sum = ip_csum_sub_even (old_icmp_sum, f->l3_csum_delta);
3560 new_icmp_sum = ip_csum_sub_even (new_icmp_sum, f->l4_csum_delta);
3562 ip_csum_update (new_icmp_sum, old_inner_ip_sum,
3563 inner_ip->checksum, ip4_header_t, checksum);
3565 ip_csum_update (new_icmp_sum, old_tcp_sum, tcp->checksum,
3566 tcp_header_t, checksum);
3567 new_icmp_sum = ip_csum_fold (new_icmp_sum);
3568 if (0xffff == new_icmp_sum)
3570 icmp->checksum = new_icmp_sum;
3572 case NAT_PROTOCOL_ICMP:
3573 if (f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE)
3575 icmp46_header_t *inner_icmp = ip4_next_header (inner_ip);
3576 icmp_echo_header_t *inner_echo =
3577 (icmp_echo_header_t *) (inner_icmp + 1);
3578 if (f->rewrite.icmp_id != inner_echo->identifier)
3580 ip_csum_t sum = icmp->checksum;
3581 sum = ip_csum_update (
3582 sum, inner_echo->identifier, f->rewrite.icmp_id,
3583 icmp_echo_header_t, identifier /* changed member */);
3584 icmp->checksum = ip_csum_fold (sum);
3585 ip_csum_t inner_sum = inner_icmp->checksum;
3586 inner_sum = ip_csum_update (
3587 sum, inner_echo->identifier, f->rewrite.icmp_id,
3588 icmp_echo_header_t, identifier /* changed member */);
3589 inner_icmp->checksum = ip_csum_fold (inner_sum);
3590 inner_echo->identifier = f->rewrite.icmp_id;
3595 clib_warning ("unexpected NAT protocol value `%d'", inner_proto);
3596 return NAT_ED_TRNSL_ERR_TRANSLATION_FAILED;
3601 return NAT_ED_TRNSL_ERR_SUCCESS;
3604 static_always_inline nat_translation_error_e
3605 nat_6t_flow_buf_translate (snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
3606 nat_6t_flow_t *f, nat_protocol_t proto,
3607 int is_output_feature, int is_i2o)
3609 if (!is_output_feature && f->ops & NAT_FLOW_OP_TXFIB_REWRITE)
3611 vnet_buffer (b)->sw_if_index[VLIB_TX] = f->rewrite.fib_index;
3614 if (NAT_PROTOCOL_ICMP == proto)
3616 if (ip->src_address.as_u32 != f->rewrite.saddr.as_u32)
3618 // packet is returned from a router, not from destination
3619 // skip source address rewrite if in o2i path
3620 nat_6t_flow_ip4_translate (sm, b, ip, f, proto,
3621 0 /* is_icmp_inner_ip4 */,
3622 !is_i2o /* skip_saddr_rewrite */);
3626 nat_6t_flow_ip4_translate (sm, b, ip, f, proto,
3627 0 /* is_icmp_inner_ip4 */,
3628 0 /* skip_saddr_rewrite */);
3630 return nat_6t_flow_icmp_translate (sm, b, ip, f);
3633 nat_6t_flow_ip4_translate (sm, b, ip, f, proto, 0 /* is_icmp_inner_ip4 */,
3634 0 /* skip_saddr_rewrite */);
3636 return NAT_ED_TRNSL_ERR_SUCCESS;
3639 nat_translation_error_e
3640 nat_6t_flow_buf_translate_i2o (snat_main_t *sm, vlib_buffer_t *b,
3641 ip4_header_t *ip, nat_6t_flow_t *f,
3642 nat_protocol_t proto, int is_output_feature)
3644 return nat_6t_flow_buf_translate (sm, b, ip, f, proto, is_output_feature,
3648 nat_translation_error_e
3649 nat_6t_flow_buf_translate_o2i (snat_main_t *sm, vlib_buffer_t *b,
3650 ip4_header_t *ip, nat_6t_flow_t *f,
3651 nat_protocol_t proto, int is_output_feature)
3653 return nat_6t_flow_buf_translate (sm, b, ip, f, proto, is_output_feature,
3658 format_nat_6t (u8 *s, va_list *args)
3660 nat_6t_t *t = va_arg (*args, nat_6t_t *);
3662 s = format (s, "saddr %U sport %u daddr %U dport %u proto %U fib_idx %u",
3663 format_ip4_address, t->saddr.as_u8,
3664 clib_net_to_host_u16 (t->sport), format_ip4_address,
3665 t->daddr.as_u8, clib_net_to_host_u16 (t->dport),
3666 format_ip_protocol, t->proto, t->fib_index);
3671 format_nat_ed_translation_error (u8 *s, va_list *args)
3673 nat_translation_error_e e = va_arg (*args, nat_translation_error_e);
3677 case NAT_ED_TRNSL_ERR_SUCCESS:
3678 s = format (s, "success");
3680 case NAT_ED_TRNSL_ERR_TRANSLATION_FAILED:
3681 s = format (s, "translation-failed");
3683 case NAT_ED_TRNSL_ERR_FLOW_MISMATCH:
3684 s = format (s, "flow-mismatch");
3691 format_nat_6t_flow (u8 *s, va_list *args)
3693 nat_6t_flow_t *f = va_arg (*args, nat_6t_flow_t *);
3695 s = format (s, "match: %U ", format_nat_6t, &f->match);
3697 if (f->ops & NAT_FLOW_OP_SADDR_REWRITE)
3699 s = format (s, "rewrite: saddr %U ", format_ip4_address,
3700 f->rewrite.saddr.as_u8);
3703 if (f->ops & NAT_FLOW_OP_SPORT_REWRITE)
3707 s = format (s, "rewrite: ");
3710 s = format (s, "sport %u ", clib_net_to_host_u16 (f->rewrite.sport));
3712 if (f->ops & NAT_FLOW_OP_DADDR_REWRITE)
3716 s = format (s, "rewrite: ");
3719 s = format (s, "daddr %U ", format_ip4_address, f->rewrite.daddr.as_u8);
3721 if (f->ops & NAT_FLOW_OP_DPORT_REWRITE)
3725 s = format (s, "rewrite: ");
3728 s = format (s, "dport %u ", clib_net_to_host_u16 (f->rewrite.dport));
3730 if (f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE)
3734 s = format (s, "rewrite: ");
3737 s = format (s, "icmp-id %u ", clib_net_to_host_u16 (f->rewrite.icmp_id));
3739 if (f->ops & NAT_FLOW_OP_TXFIB_REWRITE)
3743 s = format (s, "rewrite: ");
3746 s = format (s, "txfib %u ", f->rewrite.fib_index);
3752 * fd.io coding-style-patch-verification: ON
3755 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob