2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vpp/app/version.h>
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/ip/ip_table.h>
22 #include <vnet/ip/reass/ip4_sv_reass.h>
23 #include <vnet/fib/fib_table.h>
24 #include <vnet/fib/ip4_fib.h>
25 #include <vnet/plugin/plugin.h>
26 #include <vppinfra/bihash_16_8.h>
28 #include <nat/lib/log.h>
29 #include <nat/lib/nat_inlines.h>
30 #include <nat/lib/ipfix_logging.h>
31 #include <vnet/syslog/syslog.h>
32 #include <nat/lib/nat_syslog_constants.h>
33 #include <nat/lib/nat_syslog.h>
35 #include <nat/nat44-ed/nat44_ed.h>
36 #include <nat/nat44-ed/nat44_ed_affinity.h>
37 #include <nat/nat44-ed/nat44_ed_inlines.h>
39 #include <vlib/stats/stats.h>
41 snat_main_t snat_main;
43 static_always_inline void nat_validate_interface_counters (snat_main_t *sm,
46 #define skip_if_disabled() \
49 snat_main_t *sm = &snat_main; \
50 if (PREDICT_FALSE (!sm->enabled)) \
55 #define fail_if_enabled() \
58 snat_main_t *sm = &snat_main; \
59 if (PREDICT_FALSE (sm->enabled)) \
61 nat_log_err ("plugin enabled"); \
67 #define fail_if_disabled() \
70 snat_main_t *sm = &snat_main; \
71 if (PREDICT_FALSE (!sm->enabled)) \
73 nat_log_err ("plugin disabled"); \
79 VNET_FEATURE_INIT (nat_pre_in2out, static) = {
80 .arc_name = "ip4-unicast",
81 .node_name = "nat-pre-in2out",
82 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
83 "ip4-sv-reassembly-feature"),
85 VNET_FEATURE_INIT (nat_pre_out2in, static) = {
86 .arc_name = "ip4-unicast",
87 .node_name = "nat-pre-out2in",
88 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
89 "ip4-dhcp-client-detect",
90 "ip4-sv-reassembly-feature"),
92 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
93 .arc_name = "ip4-unicast",
94 .node_name = "nat44-ed-classify",
95 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
96 "ip4-sv-reassembly-feature"),
98 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
99 .arc_name = "ip4-unicast",
100 .node_name = "nat44-handoff-classify",
101 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
102 "ip4-sv-reassembly-feature"),
104 VNET_FEATURE_INIT (snat_in2out_worker_handoff, static) = {
105 .arc_name = "ip4-unicast",
106 .node_name = "nat44-in2out-worker-handoff",
107 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
109 VNET_FEATURE_INIT (snat_out2in_worker_handoff, static) = {
110 .arc_name = "ip4-unicast",
111 .node_name = "nat44-out2in-worker-handoff",
112 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
113 "ip4-dhcp-client-detect"),
115 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
116 .arc_name = "ip4-unicast",
117 .node_name = "nat44-ed-in2out",
118 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
120 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
121 .arc_name = "ip4-unicast",
122 .node_name = "nat44-ed-out2in",
123 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
124 "ip4-dhcp-client-detect"),
126 VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {
127 .arc_name = "ip4-output",
128 .node_name = "nat-pre-in2out-output",
129 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
130 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
132 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
133 .arc_name = "ip4-output",
134 .node_name = "nat44-in2out-output-worker-handoff",
135 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
136 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
138 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
139 .arc_name = "ip4-output",
140 .node_name = "nat44-ed-in2out-output",
141 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
142 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
145 VLIB_PLUGIN_REGISTER () = {
146 .version = VPP_BUILD_VER,
147 .description = "Network Address Translation (NAT)",
150 static void nat44_ed_db_init (u32 translations, u32 translation_buckets);
151 static void nat44_ed_worker_db_free (snat_main_per_thread_data_t *tsm);
153 static int nat44_ed_add_static_mapping_internal (
154 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
155 ip_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags,
156 ip4_address_t pool_addr, u8 *tag);
157 static int nat44_ed_del_static_mapping_internal (ip4_address_t l_addr,
158 ip4_address_t e_addr,
159 u16 l_port, u16 e_port,
161 u32 vrf_id, u32 flags);
163 u32 nat_calc_bihash_buckets (u32 n_elts);
165 static_always_inline int
166 nat44_ed_sm_i2o_add (snat_main_t *sm, snat_static_mapping_t *m,
167 ip4_address_t addr, u16 port, u32 fib_index, u8 proto)
169 ASSERT (!pool_is_free (sm->static_mappings, m));
170 clib_bihash_kv_16_8_t kv;
171 nat44_ed_sm_init_i2o_kv (&kv, addr.as_u32, port, fib_index, proto,
172 m - sm->static_mappings);
173 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 1 /*is_add*/);
176 static_always_inline int
177 nat44_ed_sm_i2o_del (snat_main_t *sm, ip4_address_t addr, u16 port,
178 u32 fib_index, u8 proto)
180 clib_bihash_kv_16_8_t kv;
181 nat44_ed_sm_init_i2o_k (&kv, addr.as_u32, port, fib_index, proto);
182 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 0 /*is_add*/);
185 static_always_inline int
186 nat44_ed_sm_o2i_add (snat_main_t *sm, snat_static_mapping_t *m,
187 ip4_address_t addr, u16 port, u32 fib_index, u8 proto)
189 ASSERT (!pool_is_free (sm->static_mappings, m));
190 clib_bihash_kv_16_8_t kv;
191 nat44_ed_sm_init_o2i_kv (&kv, addr.as_u32, port, fib_index, proto,
192 m - sm->static_mappings);
193 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 1 /*is_add*/);
196 static_always_inline int
197 nat44_ed_sm_o2i_del (snat_main_t *sm, ip4_address_t addr, u16 port,
198 u32 fib_index, u8 proto)
200 clib_bihash_kv_16_8_t kv;
201 nat44_ed_sm_init_o2i_k (&kv, addr.as_u32, port, fib_index, proto);
202 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 0 /*is_add*/);
206 nat44_ed_free_session_data (snat_main_t *sm, snat_session_t *s,
207 u32 thread_index, u8 is_ha)
209 per_vrf_sessions_unregister_session (s, thread_index);
211 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 0))
212 nat_elog_warn (sm, "flow hash del failed");
214 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 0))
215 nat_elog_warn (sm, "flow hash del failed");
217 if (na44_ed_is_fwd_bypass_session (s))
222 if (nat44_ed_is_affinity_session (s))
223 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr, s->proto,
227 nat_syslog_nat44_sdel (0, s->in2out.fib_index, &s->in2out.addr,
228 s->in2out.port, &s->ext_host_nat_addr,
229 s->ext_host_nat_port, &s->out2in.addr,
230 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
231 s->proto, nat44_ed_is_twice_nat_session (s));
236 nat_ipfix_logging_nat44_ses_delete (
237 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32, s->proto,
238 s->in2out.port, s->out2in.port, s->in2out.fib_index);
242 static ip_interface_address_t *
243 nat44_ed_get_ip_interface_address (u32 sw_if_index, ip4_address_t addr)
245 snat_main_t *sm = &snat_main;
247 ip_lookup_main_t *lm = &sm->ip4_main->lookup_main;
248 ip_interface_address_t *ia;
251 foreach_ip_interface_address (
252 lm, ia, sw_if_index, 1, ({
253 ip4a = ip_interface_address_get_address (lm, ia);
254 nat_log_debug ("sw_if_idx: %u addr: %U ? %U", sw_if_index,
255 format_ip4_address, ip4a, format_ip4_address, &addr);
256 if (ip4a->as_u32 == addr.as_u32)
265 nat44_ed_resolve_nat_addr_len (snat_address_t *ap,
266 snat_interface_t *interfaces)
268 ip_interface_address_t *ia;
272 pool_foreach (i, interfaces)
274 if (!nat44_ed_is_interface_outside (i))
279 fib_index = ip4_fib_table_get_index_for_sw_if_index (i->sw_if_index);
280 if (fib_index != ap->fib_index)
285 if ((ia = nat44_ed_get_ip_interface_address (i->sw_if_index, ap->addr)))
287 ap->addr_len = ia->address_length;
288 ap->sw_if_index = i->sw_if_index;
289 ap->net.as_u32 = (ap->addr.as_u32 >> (32 - ap->addr_len))
290 << (32 - ap->addr_len);
292 nat_log_debug ("pool addr %U binds to -> sw_if_idx: %u net: %U/%u",
293 format_ip4_address, &ap->addr, ap->sw_if_index,
294 format_ip4_address, &ap->net, ap->addr_len);
302 nat44_ed_update_outside_if_addresses (snat_address_t *ap)
304 snat_main_t *sm = &snat_main;
306 if (!nat44_ed_resolve_nat_addr_len (ap, sm->interfaces))
311 if (!nat44_ed_resolve_nat_addr_len (ap, sm->output_feature_interfaces))
318 nat44_ed_bind_if_addr_to_nat_addr (u32 sw_if_index)
320 snat_main_t *sm = &snat_main;
321 ip_interface_address_t *ia;
324 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
326 vec_foreach (ap, sm->addresses)
328 if (fib_index != ap->fib_index)
333 if ((ia = nat44_ed_get_ip_interface_address (sw_if_index, ap->addr)))
335 ap->addr_len = ia->address_length;
336 ap->sw_if_index = sw_if_index;
337 ap->net.as_u32 = (ap->addr.as_u32 >> (32 - ap->addr_len))
338 << (32 - ap->addr_len);
340 nat_log_debug ("pool addr %U binds to -> sw_if_idx: %u net: %U/%u",
341 format_ip4_address, &ap->addr, ap->sw_if_index,
342 format_ip4_address, &ap->net, ap->addr_len);
348 static_always_inline snat_fib_entry_reg_t *
349 nat44_ed_get_fib_entry_reg (ip4_address_t addr, u32 sw_if_index, int *out_idx)
351 snat_main_t *sm = &snat_main;
352 snat_fib_entry_reg_t *fe;
355 for (i = 0; i < vec_len (sm->fib_entry_reg); i++)
357 fe = sm->fib_entry_reg + i;
358 if ((addr.as_u32 == fe->addr.as_u32) && (sw_if_index == fe->sw_if_index))
371 nat44_ed_add_fib_entry_reg (ip4_address_t addr, u32 sw_if_index)
373 // Add the external NAT address to the FIB as receive entries. This ensures
374 // that VPP will reply to ARP for this address and we don't need to enable
375 // proxy ARP on the outside interface.
376 snat_main_t *sm = &snat_main;
377 snat_fib_entry_reg_t *fe;
379 if (!(fe = nat44_ed_get_fib_entry_reg (addr, sw_if_index, 0)))
381 fib_prefix_t prefix = {
383 .fp_proto = FIB_PROTOCOL_IP4,
385 .ip4.as_u32 = addr.as_u32,
388 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
389 fib_table_entry_update_one_path (fib_index, &prefix, sm->fib_src_low,
390 (FIB_ENTRY_FLAG_CONNECTED |
391 FIB_ENTRY_FLAG_LOCAL |
392 FIB_ENTRY_FLAG_EXCLUSIVE),
393 DPO_PROTO_IP4, NULL, sw_if_index, ~0, 1,
394 NULL, FIB_ROUTE_PATH_FLAG_NONE);
396 vec_add2 (sm->fib_entry_reg, fe, 1);
397 clib_memset (fe, 0, sizeof (*fe));
398 fe->addr.as_u32 = addr.as_u32;
399 fe->sw_if_index = sw_if_index;
405 nat44_ed_del_fib_entry_reg (ip4_address_t addr, u32 sw_if_index)
407 snat_main_t *sm = &snat_main;
408 snat_fib_entry_reg_t *fe;
411 if ((fe = nat44_ed_get_fib_entry_reg (addr, sw_if_index, &i)))
416 fib_prefix_t prefix = {
418 .fp_proto = FIB_PROTOCOL_IP4,
420 .ip4.as_u32 = addr.as_u32,
424 ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
425 fib_table_entry_delete (fib_index, &prefix, sm->fib_src_low);
426 vec_del1 (sm->fib_entry_reg, i);
432 nat44_ed_add_del_interface_fib_reg_entries (ip4_address_t addr, u8 is_add)
434 snat_main_t *sm = &snat_main;
437 pool_foreach (i, sm->interfaces)
439 if (nat44_ed_is_interface_outside (i))
443 nat44_ed_add_fib_entry_reg (addr, i->sw_if_index);
447 nat44_ed_del_fib_entry_reg (addr, i->sw_if_index);
451 pool_foreach (i, sm->output_feature_interfaces)
453 if (nat44_ed_is_interface_outside (i))
457 nat44_ed_add_fib_entry_reg (addr, i->sw_if_index);
461 nat44_ed_del_fib_entry_reg (addr, i->sw_if_index);
467 static_always_inline void
468 nat44_ed_add_del_nat_addr_fib_reg_entries (u32 sw_if_index, u8 is_add)
470 snat_main_t *sm = &snat_main;
473 vec_foreach (ap, sm->addresses)
477 nat44_ed_add_fib_entry_reg (ap->addr, sw_if_index);
481 nat44_ed_del_fib_entry_reg (ap->addr, sw_if_index);
486 static_always_inline void
487 nat44_ed_add_del_sm_fib_reg_entries (u32 sw_if_index, u8 is_add)
489 snat_main_t *sm = &snat_main;
490 snat_static_mapping_t *m;
492 pool_foreach (m, sm->static_mappings)
496 nat44_ed_add_fib_entry_reg (m->external_addr, sw_if_index);
500 nat44_ed_del_fib_entry_reg (m->external_addr, sw_if_index);
506 nat44_ed_add_address (ip4_address_t *addr, u32 vrf_id, u8 twice_nat)
508 snat_main_t *sm = &snat_main;
509 snat_address_t *ap, *addresses;
511 addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses;
515 return VNET_API_ERROR_UNSUPPORTED;
518 // check if address already exists
519 vec_foreach (ap, addresses)
521 if (ap->addr.as_u32 == addr->as_u32)
523 nat_log_err ("address exist");
524 return VNET_API_ERROR_VALUE_EXIST;
530 vec_add2 (sm->twice_nat_addresses, ap, 1);
534 vec_add2 (sm->addresses, ap, 1);
543 ap->fib_index = fib_table_find_or_create_and_lock (
544 FIB_PROTOCOL_IP4, vrf_id, sm->fib_src_low);
549 // if we don't have enabled interface we don't add address
551 nat44_ed_add_del_interface_fib_reg_entries (*addr, 1);
552 nat44_ed_update_outside_if_addresses (ap);
558 nat44_ed_del_address (ip4_address_t addr, u8 twice_nat)
560 snat_main_t *sm = &snat_main;
561 snat_address_t *a = 0, *addresses;
563 u32 *ses_to_be_removed = 0, *ses_index;
564 snat_main_per_thread_data_t *tsm;
567 addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses;
569 for (j = 0; j < vec_len (addresses); j++)
571 if (addresses[j].addr.as_u32 == addr.as_u32)
579 nat_log_err ("no such address");
580 return VNET_API_ERROR_NO_SUCH_ENTRY;
583 // delete dynamic sessions only
584 vec_foreach (tsm, sm->per_thread_data)
586 pool_foreach (ses, tsm->sessions)
588 if (ses->flags & SNAT_SESSION_FLAG_STATIC_MAPPING)
592 if (ses->out2in.addr.as_u32 == addr.as_u32)
594 nat44_ed_free_session_data (sm, ses, tsm - sm->per_thread_data,
596 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
599 vec_foreach (ses_index, ses_to_be_removed)
601 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
602 nat_ed_session_delete (sm, ses, tsm - sm->per_thread_data, 1);
604 vec_free (ses_to_be_removed);
609 nat44_ed_add_del_interface_fib_reg_entries (addr, 0);
612 if (a->fib_index != ~0)
614 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
619 vec_del1 (sm->addresses, j);
623 vec_del1 (sm->twice_nat_addresses, j);
630 nat44_ed_get_vrf_table (u32 table_vrf_id)
632 snat_main_t *sm = &snat_main;
635 pool_foreach (t, sm->vrf_tables)
637 if (table_vrf_id == t->table_vrf_id)
646 nat44_ed_get_vrf_route (vrf_table_t *t, u32 vrf_id)
650 pool_foreach (r, t->routes)
652 if (vrf_id == r->vrf_id)
661 nat44_ed_add_del_vrf_table (u32 table_vrf_id, bool is_add)
663 snat_main_t *sm = &snat_main;
667 t = nat44_ed_get_vrf_table (table_vrf_id);
672 return VNET_API_ERROR_VALUE_EXIST;
674 pool_foreach (r, t->routes)
676 fib_table_unlock (r->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
678 fib_table_unlock (t->table_fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
680 pool_free (t->routes);
681 pool_put (sm->vrf_tables, t);
687 return VNET_API_ERROR_NO_SUCH_ENTRY;
689 pool_get (sm->vrf_tables, t);
690 clib_memset (t, 0, sizeof (*t));
691 t->table_vrf_id = table_vrf_id;
692 t->table_fib_index = fib_table_find_or_create_and_lock (
693 FIB_PROTOCOL_IP4, table_vrf_id, sm->fib_src_low);
700 nat44_ed_del_vrf_tables ()
702 snat_main_t *sm = &snat_main;
706 pool_foreach (t, sm->vrf_tables)
708 pool_foreach (r, t->routes)
710 fib_table_unlock (r->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
712 fib_table_unlock (t->table_fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
713 pool_free (t->routes);
715 pool_free (sm->vrf_tables);
719 nat44_ed_add_del_vrf_route (u32 table_vrf_id, u32 vrf_id, bool is_add)
721 snat_main_t *sm = &snat_main;
725 t = nat44_ed_get_vrf_table (table_vrf_id);
728 return VNET_API_ERROR_NO_SUCH_ENTRY;
731 r = nat44_ed_get_vrf_route (t, vrf_id);
736 return VNET_API_ERROR_VALUE_EXIST;
738 fib_table_unlock (r->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
739 pool_put (t->routes, r);
745 return VNET_API_ERROR_NO_SUCH_ENTRY;
747 pool_get (t->routes, r);
748 clib_memset (r, 0, sizeof (*r));
750 r->fib_index = fib_table_find_or_create_and_lock (
751 FIB_PROTOCOL_IP4, vrf_id, sm->fib_src_low);
758 get_thread_idx_by_port (u16 e_port)
760 snat_main_t *sm = &snat_main;
761 u32 thread_idx = sm->num_workers;
762 if (sm->num_workers > 1)
765 sm->first_worker_index +
766 sm->workers[(e_port - 1024) / sm->port_per_thread];
772 nat_ed_static_mapping_del_sessions (snat_main_t * sm,
773 snat_main_per_thread_data_t * tsm,
774 ip4_address_t l_addr,
777 u32 fib_index, int addr_only,
778 ip4_address_t e_addr, u16 e_port)
781 u32 *indexes_to_free = NULL;
782 pool_foreach (s, tsm->sessions) {
783 if (s->in2out.fib_index != fib_index ||
784 s->in2out.addr.as_u32 != l_addr.as_u32)
790 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
791 s->out2in.port != e_port || s->in2out.port != l_port ||
792 s->proto != protocol)
796 if (nat44_ed_is_lb_session (s))
798 if (!nat44_ed_is_session_static (s))
800 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
801 vec_add1 (indexes_to_free, s - tsm->sessions);
806 vec_foreach (ses_index, indexes_to_free)
808 s = pool_elt_at_index (tsm->sessions, *ses_index);
809 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
811 vec_free (indexes_to_free);
814 static_always_inline snat_static_mapping_t *
815 nat44_ed_sm_lookup (snat_main_t *sm, clib_bihash_kv_16_8_t *kv)
817 clib_bihash_kv_16_8_t v;
818 int rc = clib_bihash_search_16_8 (&sm->flow_hash, kv, &v);
821 ASSERT (0 == ed_value_get_thread_index (&v));
822 return pool_elt_at_index (sm->static_mappings,
823 ed_value_get_session_index (&v));
828 snat_static_mapping_t *
829 nat44_ed_sm_o2i_lookup (snat_main_t *sm, ip4_address_t addr, u16 port,
830 u32 fib_index, u8 proto)
832 clib_bihash_kv_16_8_t kv;
833 nat44_ed_sm_init_o2i_k (&kv, addr.as_u32, port, fib_index, proto);
834 return nat44_ed_sm_lookup (sm, &kv);
837 snat_static_mapping_t *
838 nat44_ed_sm_i2o_lookup (snat_main_t *sm, ip4_address_t addr, u16 port,
839 u32 fib_index, u8 proto)
841 clib_bihash_kv_16_8_t kv;
842 nat44_ed_sm_init_i2o_k (&kv, addr.as_u32, port, fib_index, proto);
843 return nat44_ed_sm_lookup (sm, &kv);
846 static snat_static_mapping_resolve_t *
847 nat44_ed_get_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
848 ip_protocol_t proto, u32 vrf_id, u32 sw_if_index,
849 u32 flags, int *out_idx)
851 snat_static_mapping_resolve_t *rp;
852 snat_main_t *sm = &snat_main;
855 for (i = 0; i < vec_len (sm->sm_to_resolve); i++)
857 rp = sm->sm_to_resolve + i;
859 if (rp->sw_if_index == sw_if_index && rp->vrf_id == vrf_id)
861 if (is_sm_identity_nat (rp->flags) && is_sm_identity_nat (flags))
863 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
865 if (rp->e_port != e_port || rp->proto != proto)
871 else if (rp->l_addr.as_u32 == l_addr.as_u32)
873 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
875 if (rp->l_port != l_port || rp->e_port != e_port ||
897 nat44_ed_del_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
898 ip_protocol_t proto, u32 vrf_id, u32 sw_if_index,
901 snat_main_t *sm = &snat_main;
903 if (nat44_ed_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
904 sw_if_index, flags, &i))
906 vec_del1 (sm->sm_to_resolve, i);
912 static_always_inline int
913 nat44_ed_validate_sm_input (u32 flags)
915 // identity nat can be initiated only from inside interface
916 if (is_sm_identity_nat (flags) && is_sm_out2in_only (flags))
918 return VNET_API_ERROR_UNSUPPORTED;
921 if (is_sm_twice_nat (flags) || is_sm_self_twice_nat (flags))
923 if (is_sm_addr_only (flags) || is_sm_identity_nat (flags))
925 return VNET_API_ERROR_UNSUPPORTED;
932 nat44_ed_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
933 u16 l_port, u16 e_port, ip_protocol_t proto,
934 u32 vrf_id, u32 sw_if_index, u32 flags,
935 ip4_address_t pool_addr, u8 *tag)
937 snat_static_mapping_resolve_t *rp;
938 snat_main_t *sm = &snat_main;
943 return VNET_API_ERROR_UNSUPPORTED;
946 rv = nat44_ed_validate_sm_input (flags);
952 // interface bound mapping
953 if (is_sm_switch_address (flags))
955 if (nat44_ed_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
956 sw_if_index, flags, 0))
958 return VNET_API_ERROR_VALUE_EXIST;
961 vec_add2 (sm->sm_to_resolve, rp, 1);
962 rp->l_addr.as_u32 = l_addr.as_u32;
965 rp->sw_if_index = sw_if_index;
969 rp->pool_addr = pool_addr;
970 rp->tag = vec_dup (tag);
973 ip4_address_t *first_int_addr =
974 ip4_interface_first_address (sm->ip4_main, sw_if_index, 0);
980 e_addr.as_u32 = first_int_addr->as_u32;
984 rv = nat44_ed_add_static_mapping_internal (l_addr, e_addr, l_port, e_port,
985 proto, vrf_id, sw_if_index, flags,
987 if ((0 != rv) && is_sm_switch_address (flags))
989 nat44_ed_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
997 nat44_ed_del_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
998 u16 l_port, u16 e_port, ip_protocol_t proto,
999 u32 vrf_id, u32 sw_if_index, u32 flags)
1001 snat_main_t *sm = &snat_main;
1006 return VNET_API_ERROR_UNSUPPORTED;
1009 rv = nat44_ed_validate_sm_input (flags);
1015 // interface bound mapping
1016 if (is_sm_switch_address (flags))
1018 if (nat44_ed_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
1019 sw_if_index, flags))
1021 return VNET_API_ERROR_NO_SUCH_ENTRY;
1024 ip4_address_t *first_int_addr =
1025 ip4_interface_first_address (sm->ip4_main, sw_if_index, 0);
1026 if (!first_int_addr)
1028 // dhcp resolution required
1032 e_addr.as_u32 = first_int_addr->as_u32;
1035 return nat44_ed_del_static_mapping_internal (l_addr, e_addr, l_port, e_port,
1036 proto, vrf_id, flags);
1040 nat44_ed_add_static_mapping_internal (ip4_address_t l_addr,
1041 ip4_address_t e_addr, u16 l_port,
1042 u16 e_port, ip_protocol_t proto,
1043 u32 vrf_id, u32 sw_if_index, u32 flags,
1044 ip4_address_t pool_addr, u8 *tag)
1046 snat_main_t *sm = &snat_main;
1047 nat44_lb_addr_port_t *local;
1048 snat_static_mapping_t *m;
1051 if (is_sm_addr_only (flags))
1053 e_port = l_port = proto = 0;
1056 if (is_sm_identity_nat (flags))
1059 l_addr.as_u32 = e_addr.as_u32;
1062 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1066 // adding local identity nat record for different vrf table
1068 if (!is_sm_identity_nat (m->flags))
1070 return VNET_API_ERROR_VALUE_EXIST;
1073 pool_foreach (local, m->locals)
1075 if (local->vrf_id == vrf_id)
1077 return VNET_API_ERROR_VALUE_EXIST;
1081 pool_get (m->locals, local);
1083 local->vrf_id = vrf_id;
1084 local->fib_index = fib_table_find_or_create_and_lock (
1085 FIB_PROTOCOL_IP4, vrf_id, sm->fib_src_low);
1087 nat44_ed_sm_i2o_add (sm, m, m->local_addr, m->local_port,
1088 local->fib_index, m->proto);
1095 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1100 // fallback to default vrf
1101 vrf_id = sm->inside_vrf_id;
1102 fib_index = sm->inside_fib_index;
1103 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
1106 // test if local mapping record doesn't exist
1107 // identity nat supports multiple records in local mapping
1108 if (!(is_sm_out2in_only (flags) || is_sm_identity_nat (flags)))
1110 if (nat44_ed_sm_i2o_lookup (sm, l_addr, l_port, fib_index, proto))
1112 return VNET_API_ERROR_VALUE_EXIST;
1116 pool_get (sm->static_mappings, m);
1117 clib_memset (m, 0, sizeof (*m));
1120 m->local_addr = l_addr;
1121 m->external_addr = e_addr;
1123 m->pool_addr = pool_addr;
1124 m->tag = vec_dup (tag);
1126 if (!is_sm_addr_only (flags))
1128 m->local_port = l_port;
1129 m->external_port = e_port;
1133 if (is_sm_identity_nat (flags))
1135 pool_get (m->locals, local);
1137 local->vrf_id = vrf_id;
1138 local->fib_index = fib_index;
1143 m->fib_index = fib_index;
1146 if (!is_sm_out2in_only (flags))
1148 nat44_ed_sm_i2o_add (sm, m, m->local_addr, m->local_port, fib_index,
1152 nat44_ed_sm_o2i_add (sm, m, m->external_addr, m->external_port, 0, m->proto);
1154 if (sm->num_workers > 1)
1156 // store worker index for this record
1158 .src_address = m->local_addr,
1162 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0);
1163 vec_add1 (m->workers, worker_index);
1166 nat44_ed_add_del_interface_fib_reg_entries (e_addr, 1);
1172 nat44_ed_del_static_mapping_internal (ip4_address_t l_addr,
1173 ip4_address_t e_addr, u16 l_port,
1174 u16 e_port, ip_protocol_t proto,
1175 u32 vrf_id, u32 flags)
1177 snat_main_per_thread_data_t *tsm;
1178 snat_main_t *sm = &snat_main;
1180 nat44_lb_addr_port_t *local;
1181 snat_static_mapping_t *m;
1184 if (is_sm_addr_only (flags))
1186 e_port = l_port = proto = 0;
1189 if (is_sm_identity_nat (flags))
1192 l_addr.as_u32 = e_addr.as_u32;
1196 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1199 return VNET_API_ERROR_NO_SUCH_ENTRY;
1202 if (is_sm_identity_nat (flags))
1208 vrf_id = sm->inside_vrf_id;
1211 pool_foreach (local, m->locals)
1213 if (local->vrf_id == vrf_id)
1215 local = pool_elt_at_index (m->locals, local - m->locals);
1216 fib_index = local->fib_index;
1217 pool_put (m->locals, local);
1224 return VNET_API_ERROR_NO_SUCH_ENTRY;
1229 fib_index = m->fib_index;
1232 if (!is_sm_out2in_only (flags))
1234 nat44_ed_sm_i2o_del (sm, l_addr, l_port, fib_index, proto);
1237 // delete sessions for static mapping
1238 if (sm->num_workers > 1)
1240 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1244 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1247 nat_ed_static_mapping_del_sessions (sm, tsm, m->local_addr, m->local_port,
1248 m->proto, fib_index,
1249 is_sm_addr_only (flags), e_addr, e_port);
1251 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
1253 if (!pool_elts (m->locals))
1255 // this is last record remove all required stuff
1257 nat44_ed_sm_o2i_del (sm, e_addr, e_port, 0, proto);
1260 vec_free (m->workers);
1261 pool_put (sm->static_mappings, m);
1263 nat44_ed_add_del_interface_fib_reg_entries (e_addr, 0);
1270 nat44_ed_add_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1271 ip_protocol_t proto,
1272 nat44_lb_addr_port_t *locals, u32 flags,
1273 u8 *tag, u32 affinity)
1275 snat_main_t *sm = &snat_main;
1276 snat_static_mapping_t *m;
1277 snat_address_t *a = 0;
1279 nat44_lb_addr_port_t *local;
1287 return VNET_API_ERROR_UNSUPPORTED;
1290 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1294 return VNET_API_ERROR_VALUE_EXIST;
1297 if (vec_len (locals) < 2)
1299 return VNET_API_ERROR_INVALID_VALUE;
1302 if (!is_sm_out2in_only (flags))
1304 /* Find external address in allocated addresses and reserve port for
1305 address and port pair mapping when dynamic translations enabled */
1306 for (i = 0; i < vec_len (sm->addresses); i++)
1308 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1310 /* External port must be unused */
1311 a = sm->addresses + i;
1312 if (nat44_ed_sm_o2i_lookup (sm, a->addr, e_port, 0, proto))
1314 return VNET_API_ERROR_VALUE_EXIST;
1319 // external address must be allocated
1322 return VNET_API_ERROR_NO_SUCH_ENTRY;
1326 pool_get (sm->static_mappings, m);
1327 clib_memset (m, 0, sizeof (*m));
1328 m->tag = vec_dup (tag);
1329 m->external_addr = e_addr;
1330 m->external_port = e_port;
1331 m->affinity = affinity;
1335 m->flags |= NAT_SM_FLAG_LB;
1338 m->affinity_per_service_list_head_index =
1339 nat_affinity_get_per_service_list_head_index ();
1341 m->affinity_per_service_list_head_index = ~0;
1343 if (nat44_ed_sm_o2i_add (sm, m, m->external_addr, m->external_port, 0,
1346 nat_log_err ("sm o2i key add failed");
1347 return VNET_API_ERROR_UNSPECIFIED;
1350 for (i = 0; i < vec_len (locals); i++)
1352 locals[i].fib_index = fib_table_find_or_create_and_lock (
1353 FIB_PROTOCOL_IP4, locals[i].vrf_id, sm->fib_src_low);
1354 if (!is_sm_out2in_only (flags))
1356 if (nat44_ed_sm_o2i_add (sm, m, e_addr, e_port, 0, proto))
1358 nat_log_err ("sm o2i key add failed");
1359 rc = VNET_API_ERROR_UNSPECIFIED;
1360 // here we continue with add operation so that it can be safely
1361 // reversed in delete path - otherwise we'd have to track what
1362 // we've done and deal with partial cleanups and since bihash
1363 // adds are (extremely improbable) the only points of failure,
1364 // it's easier to just do it this way
1367 locals[i].prefix = (i == 0) ?
1368 locals[i].probability :
1369 (locals[i - 1].prefix + locals[i].probability);
1370 pool_get (m->locals, local);
1372 if (sm->num_workers > 1)
1375 .src_address = locals[i].addr,
1377 bitmap = clib_bitmap_set (
1378 bitmap, nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0),
1383 /* Assign workers */
1384 if (sm->num_workers > 1)
1386 clib_bitmap_foreach (i, bitmap)
1388 vec_add1 (m->workers, i);
1396 nat44_ed_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1397 ip_protocol_t proto, u32 flags)
1399 snat_main_t *sm = &snat_main;
1400 snat_static_mapping_t *m;
1402 nat44_lb_addr_port_t *local;
1403 snat_main_per_thread_data_t *tsm;
1408 return VNET_API_ERROR_UNSUPPORTED;
1411 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1413 return VNET_API_ERROR_NO_SUCH_ENTRY;
1415 if (!is_sm_lb (m->flags))
1416 return VNET_API_ERROR_INVALID_VALUE;
1418 if (nat44_ed_sm_o2i_del (sm, m->external_addr, m->external_port, 0,
1421 nat_log_err ("sm o2i key del failed");
1422 return VNET_API_ERROR_UNSPECIFIED;
1425 pool_foreach (local, m->locals)
1427 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
1428 if (!is_sm_out2in_only (flags))
1430 if (nat44_ed_sm_i2o_del (sm, local->addr, local->port,
1431 local->fib_index, m->proto))
1433 nat_log_err ("sm i2o key del failed");
1434 return VNET_API_ERROR_UNSPECIFIED;
1438 if (sm->num_workers > 1)
1441 .src_address = local->addr,
1443 tsm = vec_elt_at_index (
1444 sm->per_thread_data,
1445 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0));
1448 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1450 /* Delete sessions */
1451 pool_foreach (s, tsm->sessions)
1453 if (!(nat44_ed_is_lb_session (s)))
1456 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1457 s->in2out.port != local->port)
1460 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1461 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1467 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1470 pool_free (m->locals);
1472 vec_free (m->workers);
1473 pool_put (sm->static_mappings, m);
1479 nat44_ed_add_del_lb_static_mapping_local (ip4_address_t e_addr, u16 e_port,
1480 ip4_address_t l_addr, u16 l_port,
1481 ip_protocol_t proto, u32 vrf_id,
1482 u8 probability, u8 is_add)
1484 snat_main_t *sm = &snat_main;
1485 snat_static_mapping_t *m = 0;
1486 nat44_lb_addr_port_t *local, *prev_local, *match_local = 0;
1487 snat_main_per_thread_data_t *tsm;
1495 return VNET_API_ERROR_UNSUPPORTED;
1498 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1502 return VNET_API_ERROR_NO_SUCH_ENTRY;
1505 if (!is_sm_lb (m->flags))
1507 return VNET_API_ERROR_INVALID_VALUE;
1510 pool_foreach (local, m->locals)
1512 if ((local->addr.as_u32 == l_addr.as_u32) && (local->port == l_port) &&
1513 (local->vrf_id == vrf_id))
1515 match_local = local;
1524 return VNET_API_ERROR_VALUE_EXIST;
1527 pool_get (m->locals, local);
1528 clib_memset (local, 0, sizeof (*local));
1529 local->addr.as_u32 = l_addr.as_u32;
1530 local->port = l_port;
1531 local->probability = probability;
1532 local->vrf_id = vrf_id;
1534 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1537 if (!is_sm_out2in_only (m->flags))
1539 if (nat44_ed_sm_i2o_add (sm, m, l_addr, l_port, local->fib_index,
1542 nat_log_err ("sm i2o key add failed");
1543 pool_put (m->locals, local);
1544 return VNET_API_ERROR_UNSPECIFIED;
1551 return VNET_API_ERROR_NO_SUCH_ENTRY;
1553 if (pool_elts (m->locals) < 3)
1554 return VNET_API_ERROR_UNSPECIFIED;
1556 fib_table_unlock (match_local->fib_index, FIB_PROTOCOL_IP4,
1559 if (!is_sm_out2in_only (m->flags))
1561 if (nat44_ed_sm_i2o_del (sm, l_addr, l_port, match_local->fib_index,
1563 nat_log_err ("sm i2o key del failed");
1566 if (sm->num_workers > 1)
1569 .src_address = local->addr,
1571 tsm = vec_elt_at_index (
1572 sm->per_thread_data,
1573 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0));
1576 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1578 /* Delete sessions */
1579 pool_foreach (s, tsm->sessions) {
1580 if (!(nat44_ed_is_lb_session (s)))
1583 if ((s->in2out.addr.as_u32 != match_local->addr.as_u32) ||
1584 s->in2out.port != match_local->port)
1587 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1588 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1591 pool_put (m->locals, match_local);
1594 vec_free (m->workers);
1596 pool_foreach (local, m->locals)
1598 vec_add1 (locals, local - m->locals);
1599 if (sm->num_workers > 1)
1602 ip.src_address.as_u32 = local->addr.as_u32,
1603 bitmap = clib_bitmap_set (
1605 nat44_ed_get_in2out_worker_index (0, &ip, local->fib_index, 0), 1);
1609 ASSERT (vec_len (locals) > 1);
1611 local = pool_elt_at_index (m->locals, locals[0]);
1612 local->prefix = local->probability;
1613 for (i = 1; i < vec_len (locals); i++)
1615 local = pool_elt_at_index (m->locals, locals[i]);
1616 prev_local = pool_elt_at_index (m->locals, locals[i - 1]);
1617 local->prefix = local->probability + prev_local->prefix;
1620 /* Assign workers */
1621 if (sm->num_workers > 1)
1623 clib_bitmap_foreach (i, bitmap) { vec_add1(m->workers, i); }
1630 expire_per_vrf_sessions (u32 fib_index)
1632 per_vrf_sessions_t *per_vrf_sessions;
1633 snat_main_per_thread_data_t *tsm;
1634 snat_main_t *sm = &snat_main;
1636 vec_foreach (tsm, sm->per_thread_data)
1638 vec_foreach (per_vrf_sessions, tsm->per_vrf_sessions_vec)
1640 if ((per_vrf_sessions->rx_fib_index == fib_index) ||
1641 (per_vrf_sessions->tx_fib_index == fib_index))
1643 per_vrf_sessions->expired = 1;
1650 update_per_vrf_sessions_vec (u32 fib_index, int is_del)
1652 snat_main_t *sm = &snat_main;
1655 // we don't care if it is outside/inside fib
1656 // we just care about their ref_count
1657 // if it reaches 0 sessions should expire
1658 // because the fib isn't valid for NAT anymore
1660 vec_foreach (fib, sm->fibs)
1662 if (fib->fib_index == fib_index)
1667 if (!fib->ref_count)
1669 vec_del1 (sm->fibs, fib - sm->fibs);
1670 expire_per_vrf_sessions (fib_index);
1680 vec_add2 (sm->fibs, fib, 1);
1682 fib->fib_index = fib_index;
1686 static_always_inline nat_fib_t *
1687 nat44_ed_get_outside_fib (nat_fib_t *outside_fibs, u32 fib_index)
1690 vec_foreach (f, outside_fibs)
1692 if (f->fib_index == fib_index)
1700 static_always_inline snat_interface_t *
1701 nat44_ed_get_interface (snat_interface_t *interfaces, u32 sw_if_index)
1703 snat_interface_t *i;
1704 pool_foreach (i, interfaces)
1706 if (i->sw_if_index == sw_if_index)
1715 nat44_ed_add_interface (u32 sw_if_index, u8 is_inside)
1717 const char *del_feature_name, *feature_name;
1718 snat_main_t *sm = &snat_main;
1720 nat_fib_t *outside_fib;
1721 snat_interface_t *i;
1727 nat_log_err ("nat44 is disabled");
1728 return VNET_API_ERROR_UNSUPPORTED;
1731 if (nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index))
1733 nat_log_err ("error interface already configured");
1734 return VNET_API_ERROR_VALUE_EXIST;
1737 i = nat44_ed_get_interface (sm->interfaces, sw_if_index);
1740 if ((nat44_ed_is_interface_inside (i) && is_inside) ||
1741 (nat44_ed_is_interface_outside (i) && !is_inside))
1745 if (sm->num_workers > 1)
1747 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1748 "nat44-out2in-worker-handoff";
1749 feature_name = "nat44-handoff-classify";
1753 del_feature_name = !is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1755 feature_name = "nat44-ed-classify";
1758 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1761 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1762 sw_if_index, 0, 0, 0);
1763 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1768 if (sm->num_workers > 1)
1770 feature_name = is_inside ? "nat44-in2out-worker-handoff" :
1771 "nat44-out2in-worker-handoff";
1775 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1778 nat_validate_interface_counters (sm, sw_if_index);
1779 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1782 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1785 pool_get (sm->interfaces, i);
1786 i->sw_if_index = sw_if_index;
1791 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1793 update_per_vrf_sessions_vec (fib_index, 0 /*is_del*/);
1797 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1799 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1802 outside_fib->ref_count++;
1806 vec_add2 (sm->outside_fibs, outside_fib, 1);
1807 outside_fib->fib_index = fib_index;
1808 outside_fib->ref_count = 1;
1811 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 1);
1812 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 1);
1814 nat44_ed_bind_if_addr_to_nat_addr (sw_if_index);
1818 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1825 nat44_ed_del_interface (u32 sw_if_index, u8 is_inside)
1827 const char *del_feature_name, *feature_name;
1828 snat_main_t *sm = &snat_main;
1830 nat_fib_t *outside_fib;
1831 snat_interface_t *i;
1837 nat_log_err ("nat44 is disabled");
1838 return VNET_API_ERROR_UNSUPPORTED;
1841 i = nat44_ed_get_interface (sm->interfaces, sw_if_index);
1844 nat_log_err ("error interface couldn't be found");
1845 return VNET_API_ERROR_NO_SUCH_ENTRY;
1848 if (nat44_ed_is_interface_inside (i) && nat44_ed_is_interface_outside (i))
1850 if (sm->num_workers > 1)
1852 del_feature_name = "nat44-handoff-classify";
1853 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1854 "nat44-out2in-worker-handoff";
1858 del_feature_name = "nat44-ed-classify";
1859 feature_name = !is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1862 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1867 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1868 sw_if_index, 0, 0, 0);
1869 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1874 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1878 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1883 if (sm->num_workers > 1)
1885 feature_name = is_inside ? "nat44-in2out-worker-handoff" :
1886 "nat44-out2in-worker-handoff";
1890 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1893 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1898 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 0,
1902 pool_put (sm->interfaces, i);
1906 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1908 update_per_vrf_sessions_vec (fib_index, 1 /*is_del*/);
1912 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1915 outside_fib->ref_count--;
1916 if (!outside_fib->ref_count)
1918 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1922 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 0);
1923 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 0);
1930 nat44_ed_add_output_interface (u32 sw_if_index)
1932 snat_main_t *sm = &snat_main;
1934 nat_fib_t *outside_fib;
1935 snat_interface_t *i;
1941 nat_log_err ("nat44 is disabled");
1942 return VNET_API_ERROR_UNSUPPORTED;
1945 if (nat44_ed_get_interface (sm->interfaces, sw_if_index))
1947 nat_log_err ("error interface already configured");
1948 return VNET_API_ERROR_VALUE_EXIST;
1951 if (nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index))
1953 nat_log_err ("error interface already configured");
1954 return VNET_API_ERROR_VALUE_EXIST;
1957 if (sm->num_workers > 1)
1959 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1965 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
1971 vnet_feature_enable_disable (
1972 "ip4-unicast", "nat44-out2in-worker-handoff", sw_if_index, 1, 0, 0);
1973 vnet_feature_enable_disable ("ip4-output",
1974 "nat44-in2out-output-worker-handoff",
1975 sw_if_index, 1, 0, 0);
1979 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1985 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
1991 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
1992 sw_if_index, 1, 0, 0);
1993 vnet_feature_enable_disable ("ip4-output", "nat-pre-in2out-output",
1994 sw_if_index, 1, 0, 0);
1997 nat_validate_interface_counters (sm, sw_if_index);
1999 pool_get (sm->output_feature_interfaces, i);
2000 i->sw_if_index = sw_if_index;
2002 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2003 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2006 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
2007 update_per_vrf_sessions_vec (fib_index, 0 /*is_del*/);
2009 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
2012 outside_fib->ref_count++;
2016 vec_add2 (sm->outside_fibs, outside_fib, 1);
2017 outside_fib->fib_index = fib_index;
2018 outside_fib->ref_count = 1;
2021 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 1);
2022 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 1);
2024 nat44_ed_bind_if_addr_to_nat_addr (sw_if_index);
2030 nat44_ed_del_output_interface (u32 sw_if_index)
2032 snat_main_t *sm = &snat_main;
2034 nat_fib_t *outside_fib;
2035 snat_interface_t *i;
2041 nat_log_err ("nat44 is disabled");
2042 return VNET_API_ERROR_UNSUPPORTED;
2045 i = nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index);
2048 nat_log_err ("error interface couldn't be found");
2049 return VNET_API_ERROR_NO_SUCH_ENTRY;
2052 if (sm->num_workers > 1)
2054 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
2060 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
2066 vnet_feature_enable_disable (
2067 "ip4-unicast", "nat44-out2in-worker-handoff", sw_if_index, 0, 0, 0);
2068 vnet_feature_enable_disable ("ip4-output",
2069 "nat44-in2out-output-worker-handoff",
2070 sw_if_index, 0, 0, 0);
2074 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
2080 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
2086 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
2087 sw_if_index, 0, 0, 0);
2088 vnet_feature_enable_disable ("ip4-output", "nat-pre-in2out-output",
2089 sw_if_index, 0, 0, 0);
2093 pool_put (sm->output_feature_interfaces, i);
2096 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
2097 update_per_vrf_sessions_vec (fib_index, 1 /*is_del*/);
2099 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
2102 outside_fib->ref_count--;
2103 if (!outside_fib->ref_count)
2105 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2109 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 0);
2110 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 0);
2116 snat_set_workers (uword * bitmap)
2118 snat_main_t *sm = &snat_main;
2121 if (sm->num_workers < 2)
2122 return VNET_API_ERROR_FEATURE_DISABLED;
2124 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
2125 return VNET_API_ERROR_INVALID_WORKER;
2127 vec_free (sm->workers);
2128 clib_bitmap_foreach (i, bitmap)
2130 vec_add1(sm->workers, i);
2131 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
2132 sm->per_thread_data[sm->first_worker_index + i].thread_index = i;
2136 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
2142 nat44_ed_set_frame_queue_nelts (u32 frame_queue_nelts)
2145 snat_main_t *sm = &snat_main;
2147 if ((sm->fq_in2out_index != ~0) || (sm->fq_out2in_index != ~0) ||
2148 (sm->fq_in2out_output_index != ~0))
2150 // frame queu nelts can be set only before first
2151 // call to nat44_plugin_enable after that it
2152 // doesn't make sense
2153 nat_log_err ("Frame queue was already initialized. "
2154 "Change is not possible");
2158 sm->frame_queue_nelts = frame_queue_nelts;
2163 nat44_ed_update_outside_fib_cb (ip4_main_t *im, uword opaque, u32 sw_if_index,
2164 u32 new_fib_index, u32 old_fib_index)
2166 snat_main_t *sm = &snat_main;
2167 nat_fib_t *outside_fib;
2168 snat_interface_t *i;
2172 if (!sm->enabled || (new_fib_index == old_fib_index)
2173 || (!vec_len (sm->outside_fibs)))
2178 pool_foreach (i, sm->interfaces)
2180 if (i->sw_if_index == sw_if_index)
2182 if (!(nat44_ed_is_interface_outside (i)))
2188 pool_foreach (i, sm->output_feature_interfaces)
2190 if (i->sw_if_index == sw_if_index)
2192 if (!(nat44_ed_is_interface_outside (i)))
2201 vec_foreach (outside_fib, sm->outside_fibs)
2203 if (outside_fib->fib_index == old_fib_index)
2205 outside_fib->ref_count--;
2206 if (!outside_fib->ref_count)
2207 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2212 vec_foreach (outside_fib, sm->outside_fibs)
2214 if (outside_fib->fib_index == new_fib_index)
2216 outside_fib->ref_count++;
2224 vec_add2 (sm->outside_fibs, outside_fib, 1);
2225 outside_fib->ref_count = 1;
2226 outside_fib->fib_index = new_fib_index;
2230 static void nat44_ed_update_outside_fib_cb (ip4_main_t *im, uword opaque,
2231 u32 sw_if_index, u32 new_fib_index,
2234 static void nat44_ed_add_del_interface_address_cb (
2235 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
2236 u32 address_length, u32 if_address_index, u32 is_delete);
2238 static void nat44_ed_add_del_static_mapping_cb (
2239 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
2240 u32 address_length, u32 if_address_index, u32 is_delete);
2243 test_key_calc_split ()
2245 ip4_address_t l_addr;
2246 l_addr.as_u8[0] = 1;
2247 l_addr.as_u8[1] = 1;
2248 l_addr.as_u8[2] = 1;
2249 l_addr.as_u8[3] = 1;
2250 ip4_address_t r_addr;
2251 r_addr.as_u8[0] = 2;
2252 r_addr.as_u8[1] = 2;
2253 r_addr.as_u8[2] = 2;
2254 r_addr.as_u8[3] = 2;
2258 u32 fib_index = 9000001;
2259 u32 thread_index = 3000000001;
2260 u32 session_index = 3000000221;
2261 clib_bihash_kv_16_8_t kv;
2262 init_ed_kv (&kv, l_addr.as_u32, l_port, r_addr.as_u32, r_port, fib_index,
2263 proto, thread_index, session_index);
2264 ip4_address_t l_addr2;
2265 ip4_address_t r_addr2;
2266 clib_memset (&l_addr2, 0, sizeof (l_addr2));
2267 clib_memset (&r_addr2, 0, sizeof (r_addr2));
2272 split_ed_kv (&kv, &l_addr2, &r_addr2, &proto2, &fib_index2, &l_port2,
2274 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2275 ASSERT (r_addr.as_u32 == r_addr2.as_u32);
2276 ASSERT (l_port == l_port2);
2277 ASSERT (r_port == r_port2);
2278 ASSERT (proto == proto2);
2279 ASSERT (fib_index == fib_index2);
2280 ASSERT (thread_index == ed_value_get_thread_index (&kv));
2281 ASSERT (session_index == ed_value_get_session_index (&kv));
2284 static clib_error_t *
2285 nat_ip_table_add_del (vnet_main_t * vnm, u32 table_id, u32 is_add)
2290 fib_index = ip4_fib_index_from_table_id (table_id);
2291 if (fib_index != ~0)
2293 expire_per_vrf_sessions (fib_index);
2299 VNET_IP_TABLE_ADD_DEL_FUNCTION (nat_ip_table_add_del);
2301 #define nat_validate_simple_counter(c, i) \
2304 vlib_validate_simple_counter (&c, i); \
2305 vlib_zero_simple_counter (&c, i); \
2309 #define nat_init_simple_counter(c, n, sn) \
2313 c.stat_segment_name = sn; \
2314 nat_validate_simple_counter (c, 0); \
2318 static_always_inline void
2319 nat_validate_interface_counters (snat_main_t *sm, u32 sw_if_index)
2322 nat_validate_simple_counter (sm->counters.fastpath.in2out.x, sw_if_index); \
2323 nat_validate_simple_counter (sm->counters.fastpath.out2in.x, sw_if_index); \
2324 nat_validate_simple_counter (sm->counters.slowpath.in2out.x, sw_if_index); \
2325 nat_validate_simple_counter (sm->counters.slowpath.out2in.x, sw_if_index);
2326 foreach_nat_counter;
2328 nat_validate_simple_counter (sm->counters.hairpinning, sw_if_index);
2331 static clib_error_t *
2332 nat_init (vlib_main_t * vm)
2334 snat_main_t *sm = &snat_main;
2335 vlib_thread_main_t *tm = vlib_get_thread_main ();
2336 vlib_thread_registration_t *tr;
2337 ip4_add_del_interface_address_callback_t cbi = { 0 };
2338 ip4_table_bind_callback_t cbt = { 0 };
2339 u32 i, num_threads = 0;
2340 uword *p, *bitmap = 0;
2342 clib_memset (sm, 0, sizeof (*sm));
2345 sm->ip4_main = &ip4_main;
2347 // frame queue indices used for handoff
2348 sm->fq_out2in_index = ~0;
2349 sm->fq_in2out_index = ~0;
2350 sm->fq_in2out_output_index = ~0;
2352 sm->log_level = NAT_LOG_ERROR;
2354 sm->log_class = vlib_log_register_class ("nat", 0);
2355 nat_ipfix_logging_init (vm);
2357 nat_init_simple_counter (sm->total_sessions, "total-sessions",
2358 "/nat44-ed/total-sessions");
2359 sm->max_cfg_sessions_gauge =
2360 vlib_stats_add_gauge ("/nat44-ed/max-cfg-sessions");
2363 nat_init_simple_counter (sm->counters.fastpath.in2out.x, #x, \
2364 "/nat44-ed/in2out/fastpath/" #x); \
2365 nat_init_simple_counter (sm->counters.fastpath.out2in.x, #x, \
2366 "/nat44-ed/out2in/fastpath/" #x); \
2367 nat_init_simple_counter (sm->counters.slowpath.in2out.x, #x, \
2368 "/nat44-ed/in2out/slowpath/" #x); \
2369 nat_init_simple_counter (sm->counters.slowpath.out2in.x, #x, \
2370 "/nat44-ed/out2in/slowpath/" #x);
2371 foreach_nat_counter;
2373 nat_init_simple_counter (sm->counters.hairpinning, "hairpinning",
2374 "/nat44-ed/hairpinning");
2376 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
2379 tr = (vlib_thread_registration_t *) p[0];
2382 sm->num_workers = tr->count;
2383 sm->first_worker_index = tr->first_index;
2386 num_threads = tm->n_vlib_mains - 1;
2387 sm->port_per_thread = 0xffff - 1024;
2388 vec_validate (sm->per_thread_data, num_threads);
2390 /* Use all available workers by default */
2391 if (sm->num_workers > 1)
2393 for (i = 0; i < sm->num_workers; i++)
2394 bitmap = clib_bitmap_set (bitmap, i, 1);
2395 snat_set_workers (bitmap);
2396 clib_bitmap_free (bitmap);
2400 sm->per_thread_data[0].snat_thread_index = 0;
2403 /* callbacks to call when interface address changes. */
2404 cbi.function = nat44_ed_add_del_interface_address_cb;
2405 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2406 cbi.function = nat44_ed_add_del_static_mapping_cb;
2407 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2409 /* callbacks to call when interface to table biding changes */
2410 cbt.function = nat44_ed_update_outside_fib_cb;
2411 vec_add1 (sm->ip4_main->table_bind_callbacks, cbt);
2414 fib_source_allocate ("nat-low", FIB_SOURCE_PRIORITY_LOW,
2415 FIB_SOURCE_BH_SIMPLE);
2417 fib_source_allocate ("nat-hi", FIB_SOURCE_PRIORITY_HI,
2418 FIB_SOURCE_BH_SIMPLE);
2420 nat_affinity_init (vm);
2421 test_key_calc_split ();
2423 return nat44_api_hookup (vm);
2426 VLIB_INIT_FUNCTION (nat_init);
2429 nat44_plugin_enable (nat44_config_t c)
2431 snat_main_t *sm = &snat_main;
2435 sm->forwarding_enabled = 0;
2436 sm->mss_clamping = 0;
2439 c.sessions = 63 * 1024;
2441 sm->max_translations_per_thread = c.sessions;
2442 vlib_stats_set_gauge (sm->max_cfg_sessions_gauge,
2443 sm->max_translations_per_thread);
2444 sm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
2446 vec_add1 (sm->max_translations_per_fib, sm->max_translations_per_thread);
2448 sm->inside_vrf_id = c.inside_vrf;
2449 sm->inside_fib_index =
2450 fib_table_find_or_create_and_lock
2451 (FIB_PROTOCOL_IP4, c.inside_vrf, sm->fib_src_hi);
2453 sm->outside_vrf_id = c.outside_vrf;
2454 sm->outside_fib_index = fib_table_find_or_create_and_lock (
2455 FIB_PROTOCOL_IP4, c.outside_vrf, sm->fib_src_hi);
2457 nat44_ed_db_init (sm->max_translations_per_thread, sm->translation_buckets);
2459 nat_affinity_enable ();
2461 nat_reset_timeouts (&sm->timeouts);
2463 vlib_zero_simple_counter (&sm->total_sessions, 0);
2465 if (!sm->frame_queue_nelts)
2467 sm->frame_queue_nelts = NAT_FQ_NELTS_DEFAULT;
2470 if (sm->num_workers > 1)
2472 vlib_main_t *vm = vlib_get_main ();
2475 if (sm->fq_in2out_index == ~0)
2477 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
2478 sm->fq_in2out_index =
2479 vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);
2481 if (sm->fq_out2in_index == ~0)
2483 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
2484 sm->fq_out2in_index =
2485 vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);
2487 if (sm->fq_in2out_output_index == ~0)
2489 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-output");
2490 sm->fq_in2out_output_index =
2491 vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);
2502 nat44_ed_del_addresses ()
2504 snat_main_t *sm = &snat_main;
2505 snat_address_t *a, *vec;
2508 vec = vec_dup (sm->addresses);
2509 vec_foreach (a, vec)
2511 error = nat44_ed_del_address (a->addr, 0);
2514 nat_log_err ("error occurred while removing adderess");
2518 vec_free (sm->addresses);
2521 vec = vec_dup (sm->twice_nat_addresses);
2522 vec_foreach (a, vec)
2524 error = nat44_ed_del_address (a->addr, 1);
2527 nat_log_err ("error occurred while removing adderess");
2531 vec_free (sm->twice_nat_addresses);
2532 sm->twice_nat_addresses = 0;
2534 vec_free (sm->addr_to_resolve);
2535 sm->addr_to_resolve = 0;
2541 nat44_ed_del_interfaces ()
2543 snat_main_t *sm = &snat_main;
2544 snat_interface_t *i, *pool;
2547 pool = pool_dup (sm->interfaces);
2548 pool_foreach (i, pool)
2550 if (nat44_ed_is_interface_inside (i))
2552 error = nat44_ed_del_interface (i->sw_if_index, 1);
2554 if (nat44_ed_is_interface_outside (i))
2556 error = nat44_ed_del_interface (i->sw_if_index, 0);
2561 nat_log_err ("error occurred while removing interface");
2565 pool_free (sm->interfaces);
2571 nat44_ed_del_output_interfaces ()
2573 snat_main_t *sm = &snat_main;
2574 snat_interface_t *i, *pool;
2577 pool = pool_dup (sm->output_feature_interfaces);
2578 pool_foreach (i, pool)
2580 error = nat44_ed_del_output_interface (i->sw_if_index);
2583 nat_log_err ("error occurred while removing output interface");
2587 pool_free (sm->output_feature_interfaces);
2588 sm->output_feature_interfaces = 0;
2593 nat44_ed_del_static_mappings ()
2595 snat_main_t *sm = &snat_main;
2596 snat_static_mapping_t *m, *pool;
2599 pool = pool_dup (sm->static_mappings);
2600 pool_foreach (m, pool)
2602 error = nat44_ed_del_static_mapping_internal (
2603 m->local_addr, m->external_addr, m->local_port, m->external_port,
2604 m->proto, m->vrf_id, m->flags);
2607 nat_log_err ("error occurred while removing mapping");
2611 pool_free (sm->static_mappings);
2612 sm->static_mappings = 0;
2614 vec_free (sm->sm_to_resolve);
2615 sm->sm_to_resolve = 0;
2621 nat44_plugin_disable ()
2623 snat_main_per_thread_data_t *tsm;
2624 snat_main_t *sm = &snat_main;
2627 fail_if_disabled ();
2629 rc = nat44_ed_del_static_mappings ();
2633 rc = nat44_ed_del_addresses ();
2637 rc = nat44_ed_del_interfaces ();
2641 rc = nat44_ed_del_output_interfaces ();
2645 nat44_ed_del_vrf_tables ();
2647 vec_free (sm->max_translations_per_fib);
2648 sm->max_translations_per_fib = 0;
2650 clib_bihash_free_16_8 (&sm->flow_hash);
2652 vec_foreach (tsm, sm->per_thread_data)
2654 nat44_ed_worker_db_free (tsm);
2657 clib_memset (&sm->rconfig, 0, sizeof (sm->rconfig));
2659 nat_affinity_disable ();
2661 sm->forwarding_enabled = 0;
2668 nat44_ed_forwarding_enable_disable (u8 is_enable)
2670 snat_main_per_thread_data_t *tsm;
2671 snat_main_t *sm = &snat_main;
2674 u32 *ses_to_be_removed = 0, *ses_index;
2676 sm->forwarding_enabled = is_enable != 0;
2678 if (!sm->enabled || is_enable)
2683 vec_foreach (tsm, sm->per_thread_data)
2685 pool_foreach (s, tsm->sessions)
2687 if (na44_ed_is_fwd_bypass_session (s))
2689 vec_add1 (ses_to_be_removed, s - tsm->sessions);
2692 vec_foreach (ses_index, ses_to_be_removed)
2694 s = pool_elt_at_index (tsm->sessions, ses_index[0]);
2695 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
2696 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
2699 vec_free (ses_to_be_removed);
2703 static_always_inline snat_static_mapping_t *
2704 nat44_ed_sm_match (snat_main_t *sm, ip4_address_t match_addr, u16 match_port,
2705 u32 match_fib_index, ip_protocol_t match_protocol,
2708 snat_static_mapping_t *m;
2711 m = nat44_ed_sm_i2o_lookup (sm, match_addr, match_port, match_fib_index,
2716 // try address only mapping
2717 m = nat44_ed_sm_i2o_lookup (sm, match_addr, 0, match_fib_index, 0);
2721 // default static mapping fib index (based on configuration)
2722 if (sm->inside_fib_index != match_fib_index)
2724 m = nat44_ed_sm_i2o_lookup (sm, match_addr, match_port,
2725 sm->inside_fib_index, match_protocol);
2729 // try address only mapping
2730 m = nat44_ed_sm_i2o_lookup (sm, match_addr, 0, sm->inside_fib_index,
2735 // TODO: this specific use case may be deprecated (needs testing)
2736 if (sm->outside_fib_index != match_fib_index)
2738 m = nat44_ed_sm_i2o_lookup (sm, match_addr, match_port,
2739 sm->outside_fib_index, match_protocol);
2743 // try address only mapping
2744 m = nat44_ed_sm_i2o_lookup (sm, match_addr, 0, sm->outside_fib_index,
2753 nat44_ed_sm_o2i_lookup (sm, match_addr, match_port, 0, match_protocol);
2757 // try address only mapping
2758 m = nat44_ed_sm_o2i_lookup (sm, match_addr, 0, 0, 0);
2766 snat_static_mapping_match (vlib_main_t *vm, ip4_address_t match_addr,
2767 u16 match_port, u32 match_fib_index,
2768 ip_protocol_t match_protocol,
2769 ip4_address_t *mapping_addr, u16 *mapping_port,
2770 u32 *mapping_fib_index, int by_external,
2771 u8 *is_addr_only, twice_nat_type_t *twice_nat,
2772 lb_nat_type_t *lb, ip4_address_t *ext_host_addr,
2773 u8 *is_identity_nat, snat_static_mapping_t **out)
2775 snat_main_t *sm = &snat_main;
2776 snat_static_mapping_t *m;
2777 u32 rand, lo = 0, hi, mid, *tmp = 0, i;
2778 nat44_lb_addr_port_t *local;
2781 m = nat44_ed_sm_match (sm, match_addr, match_port, match_fib_index,
2782 match_protocol, by_external);
2790 if (is_sm_lb (m->flags))
2792 if (PREDICT_FALSE (lb != 0))
2793 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
2794 if (m->affinity && !nat_affinity_find_and_lock (
2795 vm, ext_host_addr[0], match_addr,
2796 match_protocol, match_port, &backend_index))
2798 local = pool_elt_at_index (m->locals, backend_index);
2799 *mapping_addr = local->addr;
2800 *mapping_port = local->port;
2801 *mapping_fib_index = local->fib_index;
2804 // pick locals matching this worker
2805 if (PREDICT_FALSE (sm->num_workers > 1))
2807 u32 thread_index = vlib_get_thread_index ();
2808 pool_foreach_index (i, m->locals)
2810 local = pool_elt_at_index (m->locals, i);
2813 .src_address = local->addr,
2816 if (nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index,
2822 ASSERT (vec_len (tmp) != 0);
2826 pool_foreach_index (i, m->locals)
2831 hi = vec_len (tmp) - 1;
2832 local = pool_elt_at_index (m->locals, tmp[hi]);
2833 rand = 1 + (random_u32 (&sm->random_seed) % local->prefix);
2836 mid = ((hi - lo) >> 1) + lo;
2837 local = pool_elt_at_index (m->locals, tmp[mid]);
2838 (rand > local->prefix) ? (lo = mid + 1) : (hi = mid);
2840 local = pool_elt_at_index (m->locals, tmp[lo]);
2841 if (!(local->prefix >= rand))
2843 *mapping_addr = local->addr;
2844 *mapping_port = local->port;
2845 *mapping_fib_index = local->fib_index;
2848 if (nat_affinity_create_and_lock (ext_host_addr[0], match_addr,
2849 match_protocol, match_port,
2850 tmp[lo], m->affinity,
2851 m->affinity_per_service_list_head_index))
2852 nat_elog_info (sm, "create affinity record failed");
2858 if (PREDICT_FALSE (lb != 0))
2860 *mapping_fib_index = m->fib_index;
2861 *mapping_addr = m->local_addr;
2862 /* Address only mapping doesn't change port */
2864 is_sm_addr_only (m->flags) ? match_port : m->local_port;
2869 *mapping_addr = m->external_addr;
2870 /* Address only mapping doesn't change port */
2872 is_sm_addr_only (m->flags) ? match_port : m->external_port;
2873 *mapping_fib_index = sm->outside_fib_index;
2877 if (PREDICT_FALSE (is_addr_only != 0))
2878 *is_addr_only = is_sm_addr_only (m->flags);
2880 if (PREDICT_FALSE (twice_nat != 0))
2882 *twice_nat = TWICE_NAT_DISABLED;
2884 if (is_sm_twice_nat (m->flags))
2886 *twice_nat = TWICE_NAT;
2888 else if (is_sm_self_twice_nat (m->flags))
2890 *twice_nat = TWICE_NAT_SELF;
2894 if (PREDICT_FALSE (is_identity_nat != 0))
2895 *is_identity_nat = is_sm_identity_nat (m->flags);
2904 nat44_ed_get_in2out_worker_index (vlib_buffer_t *b, ip4_header_t *ip,
2905 u32 rx_fib_index, u8 is_output)
2907 snat_main_t *sm = &snat_main;
2908 u32 next_worker_index = sm->first_worker_index;
2911 clib_bihash_kv_16_8_t kv16, value16;
2913 u32 fib_index = rx_fib_index;
2916 if (PREDICT_FALSE (is_output))
2918 fib_index = sm->outside_fib_index;
2919 nat_fib_t *outside_fib;
2920 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
2921 fib_prefix_t pfx = {
2922 .fp_proto = FIB_PROTOCOL_IP4,
2925 .ip4.as_u32 = ip->dst_address.as_u32,
2929 switch (vec_len (sm->outside_fibs))
2932 fib_index = sm->outside_fib_index;
2935 fib_index = sm->outside_fibs[0].fib_index;
2938 vec_foreach (outside_fib, sm->outside_fibs)
2940 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
2941 if (FIB_NODE_INDEX_INVALID != fei)
2943 if (fib_entry_get_resolving_interface (fei) != ~0)
2945 fib_index = outside_fib->fib_index;
2954 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
2956 ip4_address_t lookup_saddr, lookup_daddr;
2957 u16 lookup_sport, lookup_dport;
2960 if (!nat_get_icmp_session_lookup_values (
2961 b, ip, &lookup_saddr, &lookup_sport, &lookup_daddr,
2962 &lookup_dport, &lookup_protocol))
2964 init_ed_k (&kv16, lookup_saddr.as_u32, lookup_sport,
2965 lookup_daddr.as_u32, lookup_dport, rx_fib_index,
2967 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2969 next_worker_index = ed_value_get_thread_index (&value16);
2970 vnet_buffer2 (b)->nat.cached_session_index =
2971 ed_value_get_session_index (&value16);
2977 init_ed_k (&kv16, ip->src_address.as_u32,
2978 vnet_buffer (b)->ip.reass.l4_src_port, ip->dst_address.as_u32,
2979 vnet_buffer (b)->ip.reass.l4_dst_port, fib_index,
2982 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2984 next_worker_index = ed_value_get_thread_index (&value16);
2985 vnet_buffer2 (b)->nat.cached_session_index =
2986 ed_value_get_session_index (&value16);
2991 init_ed_k (&kv16, ip->dst_address.as_u32,
2992 vnet_buffer (b)->ip.reass.l4_dst_port, ip->src_address.as_u32,
2993 vnet_buffer (b)->ip.reass.l4_src_port, rx_fib_index,
2995 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2997 next_worker_index = ed_value_get_thread_index (&value16);
2998 vnet_buffer2 (b)->nat.cached_dst_nat_session_index =
2999 ed_value_get_session_index (&value16);
3004 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3005 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3007 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
3008 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
3010 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
3013 if (PREDICT_TRUE (!is_output))
3015 nat_elog_debug_handoff (sm, "HANDOFF IN2OUT", next_worker_index,
3017 clib_net_to_host_u32 (ip->src_address.as_u32),
3018 clib_net_to_host_u32 (ip->dst_address.as_u32));
3022 nat_elog_debug_handoff (sm, "HANDOFF IN2OUT-OUTPUT-FEATURE",
3023 next_worker_index, rx_fib_index,
3024 clib_net_to_host_u32 (ip->src_address.as_u32),
3025 clib_net_to_host_u32 (ip->dst_address.as_u32));
3028 return next_worker_index;
3032 nat44_ed_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip,
3033 u32 rx_fib_index, u8 is_output)
3035 snat_main_t *sm = &snat_main;
3036 clib_bihash_kv_16_8_t kv16, value16;
3038 u8 proto, next_worker_index = 0;
3040 snat_static_mapping_t *m;
3043 proto = ip->protocol;
3045 if (PREDICT_FALSE (IP_PROTOCOL_ICMP == proto))
3047 ip4_address_t lookup_saddr, lookup_daddr;
3048 u16 lookup_sport, lookup_dport;
3050 if (!nat_get_icmp_session_lookup_values (
3051 b, ip, &lookup_saddr, &lookup_sport, &lookup_daddr, &lookup_dport,
3054 init_ed_k (&kv16, lookup_saddr.as_u32, lookup_sport,
3055 lookup_daddr.as_u32, lookup_dport, rx_fib_index,
3058 !clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16)))
3060 next_worker_index = ed_value_get_thread_index (&value16);
3061 nat_elog_debug_handoff (
3062 sm, "HANDOFF OUT2IN (session)", next_worker_index,
3063 rx_fib_index, clib_net_to_host_u32 (ip->src_address.as_u32),
3064 clib_net_to_host_u32 (ip->dst_address.as_u32));
3065 return next_worker_index;
3070 init_ed_k (&kv16, ip->src_address.as_u32,
3071 vnet_buffer (b)->ip.reass.l4_src_port, ip->dst_address.as_u32,
3072 vnet_buffer (b)->ip.reass.l4_dst_port, rx_fib_index,
3076 !clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16)))
3078 vnet_buffer2 (b)->nat.cached_session_index =
3079 ed_value_get_session_index (&value16);
3080 next_worker_index = ed_value_get_thread_index (&value16);
3081 nat_elog_debug_handoff (sm, "HANDOFF OUT2IN (session)",
3082 next_worker_index, rx_fib_index,
3083 clib_net_to_host_u32 (ip->src_address.as_u32),
3084 clib_net_to_host_u32 (ip->dst_address.as_u32));
3085 return next_worker_index;
3088 /* first try static mappings without port */
3089 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3091 m = nat44_ed_sm_o2i_lookup (sm, ip->dst_address, 0, 0, proto);
3095 next_worker_index = m->workers[0];
3101 /* unknown protocol */
3102 if (PREDICT_FALSE (nat44_ed_is_unk_proto (proto)))
3104 /* use current thread */
3105 next_worker_index = vlib_get_thread_index ();
3109 port = vnet_buffer (b)->ip.reass.l4_dst_port;
3111 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
3113 udp_header_t *udp = ip4_next_header (ip);
3114 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3115 nat_icmp_echo_header_t *echo = (nat_icmp_echo_header_t *) (icmp + 1);
3116 if (!icmp_type_is_error_message
3117 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
3118 port = vnet_buffer (b)->ip.reass.l4_src_port;
3121 /* if error message, then it's not fragmented and we can access it */
3122 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3123 proto = inner_ip->protocol;
3124 void *l4_header = ip4_next_header (inner_ip);
3127 case IP_PROTOCOL_ICMP:
3128 icmp = (icmp46_header_t *) l4_header;
3129 echo = (nat_icmp_echo_header_t *) (icmp + 1);
3130 port = echo->identifier;
3132 case IP_PROTOCOL_UDP:
3134 case IP_PROTOCOL_TCP:
3135 port = ((nat_tcp_udp_header_t *) l4_header)->src_port;
3138 next_worker_index = vlib_get_thread_index ();
3144 /* try static mappings with port */
3145 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3147 m = nat44_ed_sm_o2i_lookup (sm, ip->dst_address, port, 0, proto);
3150 if (!is_sm_lb (m->flags))
3152 next_worker_index = m->workers[0];
3156 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3157 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3159 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
3161 m->workers[hash & (_vec_len (m->workers) - 1)];
3163 next_worker_index = m->workers[hash % _vec_len (m->workers)];
3168 /* worker by outside port */
3169 next_worker_index = sm->first_worker_index;
3170 next_worker_index +=
3171 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3174 nat_elog_debug_handoff (sm, "HANDOFF OUT2IN", next_worker_index,
3176 clib_net_to_host_u32 (ip->src_address.as_u32),
3177 clib_net_to_host_u32 (ip->dst_address.as_u32));
3178 return next_worker_index;
3182 nat44_get_max_session_limit ()
3184 snat_main_t *sm = &snat_main;
3185 u32 max_limit = 0, len = 0;
3187 for (; len < vec_len (sm->max_translations_per_fib); len++)
3189 if (max_limit < sm->max_translations_per_fib[len])
3190 max_limit = sm->max_translations_per_fib[len];
3196 nat44_set_session_limit (u32 session_limit, u32 vrf_id)
3198 snat_main_t *sm = &snat_main;
3199 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3200 u32 len = vec_len (sm->max_translations_per_fib);
3202 if (len <= fib_index)
3204 vec_validate (sm->max_translations_per_fib, fib_index + 1);
3206 for (; len < vec_len (sm->max_translations_per_fib); len++)
3207 sm->max_translations_per_fib[len] = sm->max_translations_per_thread;
3210 sm->max_translations_per_fib[fib_index] = session_limit;
3215 nat44_update_session_limit (u32 session_limit, u32 vrf_id)
3217 snat_main_t *sm = &snat_main;
3219 if (nat44_set_session_limit (session_limit, vrf_id))
3221 sm->max_translations_per_thread = nat44_get_max_session_limit ();
3223 vlib_stats_set_gauge (sm->max_cfg_sessions_gauge,
3224 sm->max_translations_per_thread);
3226 sm->translation_buckets =
3227 nat_calc_bihash_buckets (sm->max_translations_per_thread);
3229 nat44_ed_sessions_clear ();
3234 nat44_ed_worker_db_init (snat_main_per_thread_data_t *tsm, u32 translations,
3235 u32 translation_buckets)
3239 pool_alloc (tsm->sessions, translations);
3240 pool_alloc (tsm->lru_pool, translations);
3242 pool_get (tsm->lru_pool, head);
3243 tsm->tcp_trans_lru_head_index = head - tsm->lru_pool;
3244 clib_dlist_init (tsm->lru_pool, tsm->tcp_trans_lru_head_index);
3246 pool_get (tsm->lru_pool, head);
3247 tsm->tcp_estab_lru_head_index = head - tsm->lru_pool;
3248 clib_dlist_init (tsm->lru_pool, tsm->tcp_estab_lru_head_index);
3250 pool_get (tsm->lru_pool, head);
3251 tsm->udp_lru_head_index = head - tsm->lru_pool;
3252 clib_dlist_init (tsm->lru_pool, tsm->udp_lru_head_index);
3254 pool_get (tsm->lru_pool, head);
3255 tsm->icmp_lru_head_index = head - tsm->lru_pool;
3256 clib_dlist_init (tsm->lru_pool, tsm->icmp_lru_head_index);
3258 pool_get (tsm->lru_pool, head);
3259 tsm->unk_proto_lru_head_index = head - tsm->lru_pool;
3260 clib_dlist_init (tsm->lru_pool, tsm->unk_proto_lru_head_index);
3264 reinit_ed_flow_hash ()
3266 snat_main_t *sm = &snat_main;
3267 // we expect 2 flows per session, so multiply translation_buckets by 2
3268 clib_bihash_init_16_8 (
3269 &sm->flow_hash, "ed-flow-hash",
3270 clib_max (1, sm->num_workers) * 2 * sm->translation_buckets, 0);
3271 clib_bihash_set_kvp_format_fn_16_8 (&sm->flow_hash, format_ed_session_kvp);
3275 nat44_ed_db_init (u32 translations, u32 translation_buckets)
3277 snat_main_t *sm = &snat_main;
3278 snat_main_per_thread_data_t *tsm;
3280 reinit_ed_flow_hash ();
3282 vec_foreach (tsm, sm->per_thread_data)
3284 nat44_ed_worker_db_init (tsm, sm->max_translations_per_thread,
3285 sm->translation_buckets);
3290 nat44_ed_worker_db_free (snat_main_per_thread_data_t *tsm)
3292 pool_free (tsm->lru_pool);
3293 pool_free (tsm->sessions);
3294 vec_free (tsm->per_vrf_sessions_vec);
3298 nat44_ed_sessions_clear ()
3300 snat_main_t *sm = &snat_main;
3301 snat_main_per_thread_data_t *tsm;
3303 reinit_ed_flow_hash ();
3305 vec_foreach (tsm, sm->per_thread_data)
3307 nat44_ed_worker_db_free (tsm);
3308 nat44_ed_worker_db_init (tsm, sm->max_translations_per_thread,
3309 sm->translation_buckets);
3311 vlib_zero_simple_counter (&sm->total_sessions, 0);
3315 nat44_ed_add_del_static_mapping_cb (ip4_main_t *im, uword opaque,
3316 u32 sw_if_index, ip4_address_t *address,
3317 u32 address_length, u32 if_address_index,
3320 snat_static_mapping_resolve_t *rp;
3321 snat_main_t *sm = &snat_main;
3329 vec_foreach (rp, sm->sm_to_resolve)
3331 if (sw_if_index == rp->sw_if_index)
3335 if (rp->is_resolved)
3337 rv = nat44_ed_del_static_mapping_internal (
3338 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3339 rp->vrf_id, rp->flags);
3342 nat_log_err ("ed del static mapping failed");
3346 rp->is_resolved = 0;
3352 if (!rp->is_resolved)
3354 rv = nat44_ed_add_static_mapping_internal (
3355 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3356 rp->vrf_id, ~0, rp->flags, rp->pool_addr, rp->tag);
3359 nat_log_err ("ed add static mapping failed");
3363 rp->is_resolved = 1;
3372 nat44_ed_get_addr_resolve_record (u32 sw_if_index, u8 twice_nat, int *out)
3374 snat_main_t *sm = &snat_main;
3375 snat_address_resolve_t *rp;
3378 for (i = 0; i < vec_len (sm->addr_to_resolve); i++)
3380 rp = sm->addr_to_resolve + i;
3382 if ((rp->sw_if_index == sw_if_index) && (rp->is_twice_nat == twice_nat))
3394 nat44_ed_del_addr_resolve_record (u32 sw_if_index, u8 twice_nat)
3396 snat_main_t *sm = &snat_main;
3398 if (!nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, &i))
3400 vec_del1 (sm->addr_to_resolve, i);
3407 nat44_ed_add_del_interface_address_cb (ip4_main_t *im, uword opaque,
3408 u32 sw_if_index, ip4_address_t *address,
3410 u32 if_address_index, u32 is_delete)
3412 snat_main_t *sm = &snat_main;
3413 snat_address_resolve_t *arp;
3423 if (nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, &i))
3426 if (nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, &i))
3429 ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
3430 vec_foreach (ap, sm->addresses)
3432 if ((fib_index == ap->fib_index) &&
3433 (address->as_u32 == ap->addr.as_u32))
3437 ap->addr_len = address_length;
3438 ap->sw_if_index = sw_if_index;
3439 ap->net.as_u32 = (ap->addr.as_u32 >> (32 - ap->addr_len))
3440 << (32 - ap->addr_len);
3443 "pool addr %U binds to -> sw_if_idx: %u net: %U/%u",
3444 format_ip4_address, &ap->addr, ap->sw_if_index,
3445 format_ip4_address, &ap->net, ap->addr_len);
3458 arp = sm->addr_to_resolve + i;
3462 if (arp->is_resolved)
3467 rv = nat44_ed_add_address (address, ~0, arp->is_twice_nat);
3470 arp->is_resolved = 1;
3475 if (!arp->is_resolved)
3480 rv = nat44_ed_del_address (address[0], arp->is_twice_nat);
3483 arp->is_resolved = 0;
3489 nat44_ed_add_interface_address (u32 sw_if_index, u8 twice_nat)
3491 snat_main_t *sm = &snat_main;
3492 ip4_main_t *ip4_main = sm->ip4_main;
3493 ip4_address_t *first_int_addr;
3494 snat_address_resolve_t *ap;
3499 nat_log_err ("nat44 is disabled");
3500 return VNET_API_ERROR_UNSUPPORTED;
3503 if (!nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, 0))
3505 return VNET_API_ERROR_VALUE_EXIST;
3508 vec_add2 (sm->addr_to_resolve, ap, 1);
3509 ap->sw_if_index = sw_if_index;
3510 ap->is_twice_nat = twice_nat;
3511 ap->is_resolved = 0;
3513 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3516 rv = nat44_ed_add_address (first_int_addr, ~0, twice_nat);
3519 nat44_ed_del_addr_resolve_record (sw_if_index, twice_nat);
3522 ap->is_resolved = 1;
3529 nat44_ed_del_interface_address (u32 sw_if_index, u8 twice_nat)
3531 snat_main_t *sm = &snat_main;
3532 ip4_main_t *ip4_main = sm->ip4_main;
3533 ip4_address_t *first_int_addr;
3537 nat_log_err ("nat44 is disabled");
3538 return VNET_API_ERROR_UNSUPPORTED;
3541 if (nat44_ed_del_addr_resolve_record (sw_if_index, twice_nat))
3543 return VNET_API_ERROR_NO_SUCH_ENTRY;
3546 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3549 return nat44_ed_del_address (first_int_addr[0], twice_nat);
3556 nat44_ed_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port,
3557 ip4_address_t *eh_addr, u16 eh_port, u8 proto,
3558 u32 vrf_id, int is_in)
3561 clib_bihash_kv_16_8_t kv, value;
3564 snat_main_per_thread_data_t *tsm;
3568 return VNET_API_ERROR_UNSUPPORTED;
3571 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3572 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3573 if (sm->num_workers > 1)
3574 tsm = vec_elt_at_index (
3575 sm->per_thread_data,
3576 nat44_ed_get_in2out_worker_index (0, &ip, fib_index, 0));
3578 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3580 init_ed_k (&kv, addr->as_u32, port, eh_addr->as_u32, eh_port, fib_index,
3582 if (clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
3584 return VNET_API_ERROR_NO_SUCH_ENTRY;
3587 if (pool_is_free_index (tsm->sessions, ed_value_get_session_index (&value)))
3588 return VNET_API_ERROR_UNSPECIFIED;
3589 s = pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value));
3590 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
3591 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
3595 VLIB_NODE_FN (nat_default_node) (vlib_main_t * vm,
3596 vlib_node_runtime_t * node,
3597 vlib_frame_t * frame)
3602 VLIB_REGISTER_NODE (nat_default_node) = {
3603 .name = "nat-default",
3604 .vector_size = sizeof (u32),
3606 .type = VLIB_NODE_TYPE_INTERNAL,
3608 .n_next_nodes = NAT_N_NEXT,
3610 [NAT_NEXT_DROP] = "error-drop",
3611 [NAT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3612 [NAT_NEXT_IN2OUT_ED_FAST_PATH] = "nat44-ed-in2out",
3613 [NAT_NEXT_IN2OUT_ED_SLOW_PATH] = "nat44-ed-in2out-slowpath",
3614 [NAT_NEXT_IN2OUT_ED_OUTPUT_FAST_PATH] = "nat44-ed-in2out-output",
3615 [NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
3616 [NAT_NEXT_OUT2IN_ED_FAST_PATH] = "nat44-ed-out2in",
3617 [NAT_NEXT_OUT2IN_ED_SLOW_PATH] = "nat44-ed-out2in-slowpath",
3618 [NAT_NEXT_IN2OUT_CLASSIFY] = "nat44-in2out-worker-handoff",
3619 [NAT_NEXT_OUT2IN_CLASSIFY] = "nat44-out2in-worker-handoff",
3624 nat_6t_l3_l4_csum_calc (nat_6t_flow_t *f)
3626 f->l3_csum_delta = 0;
3627 f->l4_csum_delta = 0;
3628 if (f->ops & NAT_FLOW_OP_SADDR_REWRITE &&
3629 f->rewrite.saddr.as_u32 != f->match.saddr.as_u32)
3632 ip_csum_add_even (f->l3_csum_delta, f->rewrite.saddr.as_u32);
3634 ip_csum_sub_even (f->l3_csum_delta, f->match.saddr.as_u32);
3638 f->rewrite.saddr.as_u32 = f->match.saddr.as_u32;
3640 if (f->ops & NAT_FLOW_OP_DADDR_REWRITE &&
3641 f->rewrite.daddr.as_u32 != f->match.daddr.as_u32)
3644 ip_csum_add_even (f->l3_csum_delta, f->rewrite.daddr.as_u32);
3646 ip_csum_sub_even (f->l3_csum_delta, f->match.daddr.as_u32);
3650 f->rewrite.daddr.as_u32 = f->match.daddr.as_u32;
3652 if (f->ops & NAT_FLOW_OP_SPORT_REWRITE && f->rewrite.sport != f->match.sport)
3654 f->l4_csum_delta = ip_csum_add_even (f->l4_csum_delta, f->rewrite.sport);
3655 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.sport);
3659 f->rewrite.sport = f->match.sport;
3661 if (f->ops & NAT_FLOW_OP_DPORT_REWRITE && f->rewrite.dport != f->match.dport)
3663 f->l4_csum_delta = ip_csum_add_even (f->l4_csum_delta, f->rewrite.dport);
3664 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.dport);
3668 f->rewrite.dport = f->match.dport;
3670 if (f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE &&
3671 f->rewrite.icmp_id != f->match.sport)
3674 ip_csum_add_even (f->l4_csum_delta, f->rewrite.icmp_id);
3675 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.sport);
3679 f->rewrite.icmp_id = f->match.sport;
3681 if (f->ops & NAT_FLOW_OP_TXFIB_REWRITE)
3686 f->rewrite.fib_index = f->match.fib_index;
3690 static_always_inline int
3691 nat_6t_flow_icmp_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
3692 ip4_header_t *ip, nat_6t_flow_t *f);
3694 static_always_inline void
3695 nat_6t_flow_ip4_translate (snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
3696 nat_6t_flow_t *f, ip_protocol_t proto,
3697 int is_icmp_inner_ip4, int skip_saddr_rewrite)
3699 udp_header_t *udp = ip4_next_header (ip);
3700 tcp_header_t *tcp = (tcp_header_t *) udp;
3702 if ((IP_PROTOCOL_TCP == proto || IP_PROTOCOL_UDP == proto) &&
3703 !vnet_buffer (b)->ip.reass.is_non_first_fragment)
3705 if (!is_icmp_inner_ip4)
3707 ip->src_address = f->rewrite.saddr;
3708 ip->dst_address = f->rewrite.daddr;
3709 udp->src_port = f->rewrite.sport;
3710 udp->dst_port = f->rewrite.dport;
3713 { // icmp inner ip4 - reversed saddr/daddr
3714 ip->src_address = f->rewrite.daddr;
3715 ip->dst_address = f->rewrite.saddr;
3716 udp->src_port = f->rewrite.dport;
3717 udp->dst_port = f->rewrite.sport;
3720 if (IP_PROTOCOL_TCP == proto)
3722 ip_csum_t tcp_sum = tcp->checksum;
3723 tcp_sum = ip_csum_sub_even (tcp_sum, f->l3_csum_delta);
3724 tcp_sum = ip_csum_sub_even (tcp_sum, f->l4_csum_delta);
3725 mss_clamping (sm->mss_clamping, tcp, &tcp_sum);
3726 tcp->checksum = ip_csum_fold (tcp_sum);
3728 else if (IP_PROTOCOL_UDP == proto && udp->checksum)
3730 ip_csum_t udp_sum = udp->checksum;
3731 udp_sum = ip_csum_sub_even (udp_sum, f->l3_csum_delta);
3732 udp_sum = ip_csum_sub_even (udp_sum, f->l4_csum_delta);
3733 udp->checksum = ip_csum_fold (udp_sum);
3738 if (!is_icmp_inner_ip4)
3740 if (!skip_saddr_rewrite)
3742 ip->src_address = f->rewrite.saddr;
3744 ip->dst_address = f->rewrite.daddr;
3747 { // icmp inner ip4 - reversed saddr/daddr
3748 ip->src_address = f->rewrite.daddr;
3749 ip->dst_address = f->rewrite.saddr;
3753 if (skip_saddr_rewrite)
3755 ip->checksum = ip4_header_checksum (ip);
3759 ip_csum_t ip_sum = ip->checksum;
3760 ip_sum = ip_csum_sub_even (ip_sum, f->l3_csum_delta);
3761 ip->checksum = ip_csum_fold (ip_sum);
3763 if (0xffff == ip->checksum)
3765 ASSERT (ip4_header_checksum_is_valid (ip));
3768 static_always_inline int
3769 it_fits (vlib_main_t *vm, vlib_buffer_t *b, void *object, size_t size)
3771 int result = ((u8 *) object + size <=
3772 (u8 *) vlib_buffer_get_current (b) + b->current_length) &&
3773 vlib_object_within_buffer_data (vm, b, object, size);
3777 static_always_inline int
3778 nat_6t_flow_icmp_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
3779 ip4_header_t *ip, nat_6t_flow_t *f)
3781 if (IP_PROTOCOL_ICMP != ip->protocol)
3782 return NAT_ED_TRNSL_ERR_TRANSLATION_FAILED;
3784 icmp46_header_t *icmp = ip4_next_header (ip);
3785 nat_icmp_echo_header_t *echo = (nat_icmp_echo_header_t *) (icmp + 1);
3787 if ((!vnet_buffer (b)->ip.reass.is_non_first_fragment))
3789 if (!it_fits (vm, b, icmp, sizeof (*icmp)))
3791 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3794 if (!icmp_type_is_error_message (icmp->type))
3796 if ((f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE) &&
3797 (f->rewrite.icmp_id != echo->identifier))
3799 ip_csum_t sum = icmp->checksum;
3800 sum = ip_csum_update (sum, echo->identifier, f->rewrite.icmp_id,
3801 nat_icmp_echo_header_t,
3802 identifier /* changed member */);
3803 echo->identifier = f->rewrite.icmp_id;
3804 icmp->checksum = ip_csum_fold (sum);
3809 ip_csum_t sum = ip_incremental_checksum (
3811 clib_net_to_host_u16 (ip->length) - ip4_header_bytes (ip));
3812 sum = (u16) ~ip_csum_fold (sum);
3815 return NAT_ED_TRNSL_ERR_INVALID_CSUM;
3818 // errors are not fragmented
3819 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3821 if (!ip4_header_checksum_is_valid (inner_ip))
3823 return NAT_ED_TRNSL_ERR_INNER_IP_CORRUPT;
3826 ip_protocol_t inner_proto = inner_ip->protocol;
3828 ip_csum_t old_icmp_sum = icmp->checksum;
3829 ip_csum_t old_inner_ip_sum = inner_ip->checksum;
3830 ip_csum_t old_udp_sum;
3831 ip_csum_t old_tcp_sum;
3832 ip_csum_t new_icmp_sum;
3836 switch (inner_proto)
3838 case IP_PROTOCOL_UDP:
3839 udp = (udp_header_t *) (inner_ip + 1);
3840 if (!it_fits (vm, b, udp, sizeof (*udp)))
3842 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3844 old_udp_sum = udp->checksum;
3845 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3846 1 /* is_icmp_inner_ip4 */,
3847 0 /* skip_saddr_rewrite */);
3848 new_icmp_sum = ip_csum_sub_even (old_icmp_sum, f->l3_csum_delta);
3849 new_icmp_sum = ip_csum_sub_even (new_icmp_sum, f->l4_csum_delta);
3851 ip_csum_update (new_icmp_sum, old_inner_ip_sum,
3852 inner_ip->checksum, ip4_header_t, checksum);
3854 ip_csum_update (new_icmp_sum, old_udp_sum, udp->checksum,
3855 udp_header_t, checksum);
3856 new_icmp_sum = ip_csum_fold (new_icmp_sum);
3857 icmp->checksum = new_icmp_sum;
3859 case IP_PROTOCOL_TCP:
3860 tcp = (tcp_header_t *) (inner_ip + 1);
3861 if (!it_fits (vm, b, tcp, sizeof (*tcp)))
3863 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3865 old_tcp_sum = tcp->checksum;
3866 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3867 1 /* is_icmp_inner_ip4 */,
3868 0 /* skip_saddr_rewrite */);
3869 new_icmp_sum = ip_csum_sub_even (old_icmp_sum, f->l3_csum_delta);
3870 new_icmp_sum = ip_csum_sub_even (new_icmp_sum, f->l4_csum_delta);
3872 ip_csum_update (new_icmp_sum, old_inner_ip_sum,
3873 inner_ip->checksum, ip4_header_t, checksum);
3875 ip_csum_update (new_icmp_sum, old_tcp_sum, tcp->checksum,
3876 tcp_header_t, checksum);
3877 new_icmp_sum = ip_csum_fold (new_icmp_sum);
3878 icmp->checksum = new_icmp_sum;
3880 case IP_PROTOCOL_ICMP:
3881 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3882 1 /* is_icmp_inner_ip4 */,
3883 0 /* skip_saddr_rewrite */);
3884 if (f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE)
3886 icmp46_header_t *inner_icmp = ip4_next_header (inner_ip);
3887 if (!it_fits (vm, b, inner_icmp, sizeof (*inner_icmp)))
3889 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3891 nat_icmp_echo_header_t *inner_echo =
3892 (nat_icmp_echo_header_t *) (inner_icmp + 1);
3893 if (f->rewrite.icmp_id != inner_echo->identifier)
3895 ip_csum_t sum = icmp->checksum;
3896 sum = ip_csum_update (sum, inner_echo->identifier,
3898 nat_icmp_echo_header_t,
3899 identifier /* changed member */);
3900 icmp->checksum = ip_csum_fold (sum);
3901 ip_csum_t inner_sum = inner_icmp->checksum;
3902 inner_sum = ip_csum_update (
3903 sum, inner_echo->identifier, f->rewrite.icmp_id,
3904 nat_icmp_echo_header_t,
3905 identifier /* changed member */);
3906 inner_icmp->checksum = ip_csum_fold (inner_sum);
3907 inner_echo->identifier = f->rewrite.icmp_id;
3912 clib_warning ("unexpected NAT protocol value `%d'", inner_proto);
3913 return NAT_ED_TRNSL_ERR_TRANSLATION_FAILED;
3918 return NAT_ED_TRNSL_ERR_SUCCESS;
3921 static_always_inline nat_translation_error_e
3922 nat_6t_flow_buf_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
3923 ip4_header_t *ip, nat_6t_flow_t *f,
3924 ip_protocol_t proto, int is_output_feature,
3927 if (!is_output_feature && f->ops & NAT_FLOW_OP_TXFIB_REWRITE)
3929 vnet_buffer (b)->sw_if_index[VLIB_TX] = f->rewrite.fib_index;
3932 if (IP_PROTOCOL_ICMP == proto)
3934 if (ip->src_address.as_u32 != f->rewrite.saddr.as_u32)
3936 // packet is returned from a router, not from destination
3937 // skip source address rewrite if in o2i path
3938 nat_6t_flow_ip4_translate (sm, b, ip, f, proto,
3939 0 /* is_icmp_inner_ip4 */,
3940 !is_i2o /* skip_saddr_rewrite */);
3944 nat_6t_flow_ip4_translate (sm, b, ip, f, proto,
3945 0 /* is_icmp_inner_ip4 */,
3946 0 /* skip_saddr_rewrite */);
3948 return nat_6t_flow_icmp_translate (vm, sm, b, ip, f);
3951 nat_6t_flow_ip4_translate (sm, b, ip, f, proto, 0 /* is_icmp_inner_ip4 */,
3952 0 /* skip_saddr_rewrite */);
3954 return NAT_ED_TRNSL_ERR_SUCCESS;
3957 nat_translation_error_e
3958 nat_6t_flow_buf_translate_i2o (vlib_main_t *vm, snat_main_t *sm,
3959 vlib_buffer_t *b, ip4_header_t *ip,
3960 nat_6t_flow_t *f, ip_protocol_t proto,
3961 int is_output_feature)
3963 return nat_6t_flow_buf_translate (vm, sm, b, ip, f, proto, is_output_feature,
3967 nat_translation_error_e
3968 nat_6t_flow_buf_translate_o2i (vlib_main_t *vm, snat_main_t *sm,
3969 vlib_buffer_t *b, ip4_header_t *ip,
3970 nat_6t_flow_t *f, ip_protocol_t proto,
3971 int is_output_feature)
3973 return nat_6t_flow_buf_translate (vm, sm, b, ip, f, proto, is_output_feature,
3977 static_always_inline void
3978 nat_syslog_nat44_sess (u32 ssubix, u32 sfibix, ip4_address_t *isaddr,
3979 u16 isport, ip4_address_t *xsaddr, u16 xsport,
3980 ip4_address_t *idaddr, u16 idport,
3981 ip4_address_t *xdaddr, u16 xdport, u8 proto, u8 is_add,
3984 syslog_msg_t syslog_msg;
3987 if (!syslog_is_enabled ())
3990 if (syslog_severity_filter_block (SADD_SDEL_SEVERITY))
3993 fib = fib_table_get (sfibix, FIB_PROTOCOL_IP4);
3995 syslog_msg_init (&syslog_msg, NAT_FACILITY, SADD_SDEL_SEVERITY, NAT_APPNAME,
3996 is_add ? SADD_MSGID : SDEL_MSGID);
3998 syslog_msg_sd_init (&syslog_msg, NSESS_SDID);
3999 syslog_msg_add_sd_param (&syslog_msg, SSUBIX_SDPARAM_NAME, "%d", ssubix);
4000 syslog_msg_add_sd_param (&syslog_msg, SVLAN_SDPARAM_NAME, "%d",
4002 syslog_msg_add_sd_param (&syslog_msg, IATYP_SDPARAM_NAME, IATYP_IPV4);
4003 syslog_msg_add_sd_param (&syslog_msg, ISADDR_SDPARAM_NAME, "%U",
4004 format_ip4_address, isaddr);
4005 syslog_msg_add_sd_param (&syslog_msg, ISPORT_SDPARAM_NAME, "%d",
4006 clib_net_to_host_u16 (isport));
4007 syslog_msg_add_sd_param (&syslog_msg, XATYP_SDPARAM_NAME, IATYP_IPV4);
4008 syslog_msg_add_sd_param (&syslog_msg, XSADDR_SDPARAM_NAME, "%U",
4009 format_ip4_address, xsaddr);
4010 syslog_msg_add_sd_param (&syslog_msg, XSPORT_SDPARAM_NAME, "%d",
4011 clib_net_to_host_u16 (xsport));
4012 syslog_msg_add_sd_param (&syslog_msg, PROTO_SDPARAM_NAME, "%d", proto);
4013 syslog_msg_add_sd_param (&syslog_msg, XDADDR_SDPARAM_NAME, "%U",
4014 format_ip4_address, xdaddr);
4015 syslog_msg_add_sd_param (&syslog_msg, XDPORT_SDPARAM_NAME, "%d",
4016 clib_net_to_host_u16 (xdport));
4019 syslog_msg_add_sd_param (&syslog_msg, IDADDR_SDPARAM_NAME, "%U",
4020 format_ip4_address, idaddr);
4021 syslog_msg_add_sd_param (&syslog_msg, IDPORT_SDPARAM_NAME, "%d",
4022 clib_net_to_host_u16 (idport));
4025 syslog_msg_send (&syslog_msg);
4029 nat_syslog_nat44_sadd (u32 ssubix, u32 sfibix, ip4_address_t *isaddr,
4030 u16 isport, ip4_address_t *idaddr, u16 idport,
4031 ip4_address_t *xsaddr, u16 xsport,
4032 ip4_address_t *xdaddr, u16 xdport, u8 proto,
4035 nat_syslog_nat44_sess (ssubix, sfibix, isaddr, isport, xsaddr, xsport,
4036 idaddr, idport, xdaddr, xdport, proto, 1,
4041 nat_syslog_nat44_sdel (u32 ssubix, u32 sfibix, ip4_address_t *isaddr,
4042 u16 isport, ip4_address_t *idaddr, u16 idport,
4043 ip4_address_t *xsaddr, u16 xsport,
4044 ip4_address_t *xdaddr, u16 xdport, u8 proto,
4047 nat_syslog_nat44_sess (ssubix, sfibix, isaddr, isport, xsaddr, xsport,
4048 idaddr, idport, xdaddr, xdport, proto, 0,
4053 * fd.io coding-style-patch-verification: ON
4056 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob