2 * nat44_ei.c - nat44 endpoint dependent plugin
4 * Copyright (c) 2020 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 * License for the specific language governing permissions and limitations
18 #include <vnet/plugin/plugin.h>
19 #include <vpp/app/version.h>
21 #include <vnet/vnet.h>
22 #include <vnet/ip/ip.h>
23 #include <vnet/ip/ip4.h>
24 #include <vnet/ip/ip_table.h>
25 #include <vnet/ip/reass/ip4_sv_reass.h>
26 #include <vnet/fib/fib_table.h>
27 #include <vnet/fib/ip4_fib.h>
28 #include <vnet/plugin/plugin.h>
31 #include <nat/lib/log.h>
32 #include <nat/lib/nat_syslog.h>
33 #include <nat/lib/nat_inlines.h>
34 #include <nat/lib/ipfix_logging.h>
36 #include <nat/nat44-ei/nat44_ei_dpo.h>
37 #include <nat/nat44-ei/nat44_ei_inlines.h>
38 #include <nat/nat44-ei/nat44_ei.h>
40 nat44_ei_main_t nat44_ei_main;
42 extern vlib_node_registration_t nat44_ei_hairpinning_node;
43 extern vlib_node_registration_t nat44_ei_hairpin_dst_node;
44 extern vlib_node_registration_t
45 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node;
46 extern vlib_node_registration_t
47 nat44_ei_in2out_hairpinning_finish_interface_output_node;
49 #define skip_if_disabled() \
52 nat44_ei_main_t *nm = &nat44_ei_main; \
53 if (PREDICT_FALSE (!nm->enabled)) \
58 #define fail_if_enabled() \
61 nat44_ei_main_t *nm = &nat44_ei_main; \
62 if (PREDICT_FALSE (nm->enabled)) \
64 nat44_ei_log_err ("plugin enabled"); \
70 #define fail_if_disabled() \
73 nat44_ei_main_t *nm = &nat44_ei_main; \
74 if (PREDICT_FALSE (!nm->enabled)) \
76 nat44_ei_log_err ("plugin disabled"); \
82 /* Hook up input features */
83 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
84 .arc_name = "ip4-unicast",
85 .node_name = "nat44-ei-classify",
86 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
87 "ip4-sv-reassembly-feature"),
89 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
90 .arc_name = "ip4-unicast",
91 .node_name = "nat44-ei-handoff-classify",
92 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
93 "ip4-sv-reassembly-feature"),
95 VNET_FEATURE_INIT (ip4_nat44_ei_in2out, static) = {
96 .arc_name = "ip4-unicast",
97 .node_name = "nat44-ei-in2out",
98 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
99 "ip4-sv-reassembly-feature"),
101 VNET_FEATURE_INIT (ip4_nat44_ei_out2in, static) = {
102 .arc_name = "ip4-unicast",
103 .node_name = "nat44-ei-out2in",
104 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
105 "ip4-sv-reassembly-feature",
106 "ip4-dhcp-client-detect"),
108 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output, static) = {
109 .arc_name = "ip4-output",
110 .node_name = "nat44-ei-in2out-output",
111 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
112 "ip4-sv-reassembly-output-feature"),
114 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_fast, static) = {
115 .arc_name = "ip4-unicast",
116 .node_name = "nat44-ei-in2out-fast",
117 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
118 "ip4-sv-reassembly-feature"),
120 VNET_FEATURE_INIT (ip4_nat44_ei_out2in_fast, static) = {
121 .arc_name = "ip4-unicast",
122 .node_name = "nat44-ei-out2in-fast",
123 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
124 "ip4-sv-reassembly-feature",
125 "ip4-dhcp-client-detect"),
127 VNET_FEATURE_INIT (ip4_nat44_ei_hairpin_dst, static) = {
128 .arc_name = "ip4-unicast",
129 .node_name = "nat44-ei-hairpin-dst",
130 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
131 "ip4-sv-reassembly-feature"),
133 VNET_FEATURE_INIT (ip4_nat44_ei_hairpin_src, static) = {
134 .arc_name = "ip4-output",
135 .node_name = "nat44-ei-hairpin-src",
136 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
137 "ip4-sv-reassembly-output-feature"),
139 VNET_FEATURE_INIT (ip4_nat44_ei_hairpinning, static) = {
140 .arc_name = "ip4-local",
141 .node_name = "nat44-ei-hairpinning",
142 .runs_before = VNET_FEATURES ("ip4-local-end-of-arc"),
144 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_worker_handoff, static) = {
145 .arc_name = "ip4-unicast",
146 .node_name = "nat44-ei-in2out-worker-handoff",
147 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
149 VNET_FEATURE_INIT (ip4_nat44_ei_out2in_worker_handoff, static) = {
150 .arc_name = "ip4-unicast",
151 .node_name = "nat44-ei-out2in-worker-handoff",
152 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
153 "ip4-dhcp-client-detect"),
155 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output_worker_handoff, static) = {
156 .arc_name = "ip4-output",
157 .node_name = "nat44-ei-in2out-output-worker-handoff",
158 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
159 "ip4-sv-reassembly-output-feature"),
162 VLIB_PLUGIN_REGISTER () = {
163 .version = VPP_BUILD_VER,
164 .description = "IPv4 Endpoint-Independent NAT (NAT44 EI)",
167 #define foreach_nat44_ei_classify_error \
168 _ (NEXT_IN2OUT, "next in2out") \
169 _ (NEXT_OUT2IN, "next out2in") \
170 _ (FRAG_CACHED, "fragment cached")
174 #define _(sym, str) NAT44_EI_CLASSIFY_ERROR_##sym,
175 foreach_nat44_ei_classify_error
177 NAT44_EI_CLASSIFY_N_ERROR,
178 } nat44_ei_classify_error_t;
180 static char *nat44_ei_classify_error_strings[] = {
181 #define _(sym, string) string,
182 foreach_nat44_ei_classify_error
188 NAT44_EI_CLASSIFY_NEXT_IN2OUT,
189 NAT44_EI_CLASSIFY_NEXT_OUT2IN,
190 NAT44_EI_CLASSIFY_NEXT_DROP,
191 NAT44_EI_CLASSIFY_N_NEXT,
192 } nat44_ei_classify_next_t;
198 } nat44_ei_classify_trace_t;
200 void nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len,
201 u32 sw_if_index, int is_add);
203 static void nat44_ei_worker_db_free (nat44_ei_main_per_thread_data_t *tnm);
205 static int nat44_ei_add_static_mapping_internal (
206 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
207 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags,
208 ip4_address_t pool_addr, u8 *tag);
210 static int nat44_ei_del_static_mapping_internal (
211 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
212 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags);
215 format_nat44_ei_classify_trace (u8 *s, va_list *args)
217 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
218 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
219 nat44_ei_classify_trace_t *t = va_arg (*args, nat44_ei_classify_trace_t *);
223 s = format (s, "nat44-ei-classify: fragment cached");
226 next = t->next_in2out ? "nat44-ei-in2out" : "nat44-ei-out2in";
227 s = format (s, "nat44-ei-classify: next %s", next);
233 static void nat44_ei_db_init (u32 translations, u32 translation_buckets,
236 static void nat44_ei_ip4_add_del_interface_address_cb (
237 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
238 u32 address_length, u32 if_address_index, u32 is_delete);
240 static void nat44_ei_ip4_add_del_addr_only_sm_cb (
241 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
242 u32 address_length, u32 if_address_index, u32 is_delete);
244 static void nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque,
245 u32 sw_if_index, u32 new_fib_index,
249 nat44_ei_set_node_indexes (nat44_ei_main_t *nm, vlib_main_t *vm)
252 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-out2in");
253 nm->out2in_node_index = node->index;
254 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out");
255 nm->in2out_node_index = node->index;
256 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out-output");
257 nm->in2out_output_node_index = node->index;
261 nat44_ei_set_workers (uword *bitmap)
263 nat44_ei_main_t *nm = &nat44_ei_main;
266 if (nm->num_workers < 2)
267 return VNET_API_ERROR_FEATURE_DISABLED;
269 if (clib_bitmap_last_set (bitmap) >= nm->num_workers)
270 return VNET_API_ERROR_INVALID_WORKER;
272 vec_free (nm->workers);
273 clib_bitmap_foreach (i, bitmap)
275 vec_add1 (nm->workers, i);
276 nm->per_thread_data[nm->first_worker_index + i].snat_thread_index = j;
277 nm->per_thread_data[nm->first_worker_index + i].thread_index = i;
281 nm->port_per_thread = (0xffff - 1024) / _vec_len (nm->workers);
286 #define nat_validate_simple_counter(c, i) \
289 vlib_validate_simple_counter (&c, i); \
290 vlib_zero_simple_counter (&c, i); \
294 #define nat_init_simple_counter(c, n, sn) \
298 c.stat_segment_name = sn; \
299 nat_validate_simple_counter (c, 0); \
303 static_always_inline void
304 nat_validate_interface_counters (nat44_ei_main_t *nm, u32 sw_if_index)
307 nat_validate_simple_counter (nm->counters.fastpath.in2out.x, sw_if_index); \
308 nat_validate_simple_counter (nm->counters.fastpath.out2in.x, sw_if_index); \
309 nat_validate_simple_counter (nm->counters.slowpath.in2out.x, sw_if_index); \
310 nat_validate_simple_counter (nm->counters.slowpath.out2in.x, sw_if_index);
313 nat_validate_simple_counter (nm->counters.hairpinning, sw_if_index);
317 nat44_ei_add_del_addr_to_fib_foreach_out_if (ip4_address_t *addr, u8 is_add)
319 nat44_ei_main_t *nm = &nat44_ei_main;
320 nat44_ei_interface_t *i;
322 pool_foreach (i, nm->interfaces)
324 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
326 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
329 pool_foreach (i, nm->output_feature_interfaces)
331 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
333 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
338 static_always_inline void
339 nat44_ei_add_del_addr_to_fib_foreach_addr (u32 sw_if_index, u8 is_add)
341 nat44_ei_main_t *nm = &nat44_ei_main;
342 nat44_ei_address_t *ap;
344 vec_foreach (ap, nm->addresses)
346 nat44_ei_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, is_add);
350 static_always_inline void
351 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (u32 sw_if_index, u8 is_add)
353 nat44_ei_main_t *nm = &nat44_ei_main;
354 nat44_ei_static_mapping_t *m;
356 pool_foreach (m, nm->static_mappings)
358 if (is_sm_addr_only (m->flags) &&
359 !(m->local_addr.as_u32 == m->external_addr.as_u32))
361 nat44_ei_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index,
368 nat44_ei_is_address_used_in_static_mapping (ip4_address_t addr)
370 nat44_ei_main_t *nm = &nat44_ei_main;
371 nat44_ei_static_mapping_t *m;
372 pool_foreach (m, nm->static_mappings)
374 if (is_sm_addr_only (m->flags) || is_sm_identity_nat (m->flags))
378 if (m->external_addr.as_u32 == addr.as_u32)
387 nat44_ei_init (vlib_main_t *vm)
389 nat44_ei_main_t *nm = &nat44_ei_main;
390 vlib_thread_main_t *tm = vlib_get_thread_main ();
391 vlib_thread_registration_t *tr;
392 ip4_add_del_interface_address_callback_t cbi = { 0 };
393 ip4_table_bind_callback_t cbt = { 0 };
394 u32 i, num_threads = 0;
395 uword *p, *bitmap = 0;
397 clib_memset (nm, 0, sizeof (*nm));
400 nm->vnet_main = vnet_get_main ();
402 nm->ip4_main = &ip4_main;
403 nm->api_main = vlibapi_get_main ();
404 nm->ip4_lookup_main = &ip4_main.lookup_main;
407 nm->fq_out2in_index = ~0;
408 nm->fq_in2out_index = ~0;
409 nm->fq_in2out_output_index = ~0;
411 nm->log_level = NAT_LOG_ERROR;
413 nat44_ei_set_node_indexes (nm, vm);
414 nm->log_class = vlib_log_register_class ("nat44-ei", 0);
416 nat_init_simple_counter (nm->total_users, "total-users",
417 "/nat44-ei/total-users");
418 nat_init_simple_counter (nm->total_sessions, "total-sessions",
419 "/nat44-ei/total-sessions");
420 nat_init_simple_counter (nm->user_limit_reached, "user-limit-reached",
421 "/nat44-ei/user-limit-reached");
424 nat_init_simple_counter (nm->counters.fastpath.in2out.x, #x, \
425 "/nat44-ei/in2out/fastpath/" #x); \
426 nat_init_simple_counter (nm->counters.fastpath.out2in.x, #x, \
427 "/nat44-ei/out2in/fastpath/" #x); \
428 nat_init_simple_counter (nm->counters.slowpath.in2out.x, #x, \
429 "/nat44-ei/in2out/slowpath/" #x); \
430 nat_init_simple_counter (nm->counters.slowpath.out2in.x, #x, \
431 "/nat44-ei/out2in/slowpath/" #x);
434 nat_init_simple_counter (nm->counters.hairpinning, "hairpinning",
435 "/nat44-ei/hairpinning");
437 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
440 tr = (vlib_thread_registration_t *) p[0];
443 nm->num_workers = tr->count;
444 nm->first_worker_index = tr->first_index;
447 num_threads = tm->n_vlib_mains - 1;
448 nm->port_per_thread = 0xffff - 1024;
449 vec_validate (nm->per_thread_data, num_threads);
451 /* Use all available workers by default */
452 if (nm->num_workers > 1)
454 for (i = 0; i < nm->num_workers; i++)
455 bitmap = clib_bitmap_set (bitmap, i, 1);
456 nat44_ei_set_workers (bitmap);
457 clib_bitmap_free (bitmap);
461 nm->per_thread_data[0].snat_thread_index = 0;
464 /* callbacks to call when interface address changes. */
465 cbi.function = nat44_ei_ip4_add_del_interface_address_cb;
466 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
467 cbi.function = nat44_ei_ip4_add_del_addr_only_sm_cb;
468 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
470 /* callbacks to call when interface to table biding changes */
471 cbt.function = nat44_ei_update_outside_fib;
472 vec_add1 (nm->ip4_main->table_bind_callbacks, cbt);
474 nm->fib_src_low = fib_source_allocate (
475 "nat44-ei-low", FIB_SOURCE_PRIORITY_LOW, FIB_SOURCE_BH_SIMPLE);
476 nm->fib_src_hi = fib_source_allocate ("nat44-ei-hi", FIB_SOURCE_PRIORITY_HI,
477 FIB_SOURCE_BH_SIMPLE);
479 // used only by out2in-dpo feature
480 nat_dpo_module_init ();
481 nat_ha_init (vm, nm->num_workers, num_threads);
483 nm->hairpinning_fq_index =
484 vlib_frame_queue_main_init (nat44_ei_hairpinning_node.index, 0);
485 nm->hairpin_dst_fq_index =
486 vlib_frame_queue_main_init (nat44_ei_hairpin_dst_node.index, 0);
487 nm->in2out_hairpinning_finish_ip4_lookup_node_fq_index =
488 vlib_frame_queue_main_init (
489 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node.index, 0);
490 nm->in2out_hairpinning_finish_interface_output_node_fq_index =
491 vlib_frame_queue_main_init (
492 nat44_ei_in2out_hairpinning_finish_interface_output_node.index, 0);
493 return nat44_ei_api_hookup (vm);
496 VLIB_INIT_FUNCTION (nat44_ei_init);
499 nat44_ei_plugin_enable (nat44_ei_config_t c)
501 nat44_ei_main_t *nm = &nat44_ei_main;
509 c.sessions = 10 * 1024;
511 if (!c.user_sessions)
512 c.user_sessions = c.sessions;
516 if (!nm->frame_queue_nelts)
517 nm->frame_queue_nelts = NAT_FQ_NELTS_DEFAULT;
519 nm->translations = c.sessions;
520 nm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
521 nm->user_buckets = nat_calc_bihash_buckets (c.users);
523 nm->pat = (!c.static_mapping_only ||
524 (c.static_mapping_only && c.connection_tracking));
526 nm->static_mapping_only = c.static_mapping_only;
527 nm->static_mapping_connection_tracking = c.connection_tracking;
528 nm->out2in_dpo = c.out2in_dpo;
529 nm->forwarding_enabled = 0;
530 nm->mss_clamping = 0;
532 nm->max_users_per_thread = c.users;
533 nm->max_translations_per_thread = c.sessions;
534 nm->max_translations_per_user = c.user_sessions;
536 nm->inside_vrf_id = c.inside_vrf;
537 nm->inside_fib_index = fib_table_find_or_create_and_lock (
538 FIB_PROTOCOL_IP4, c.inside_vrf, nm->fib_src_hi);
540 nm->outside_vrf_id = c.outside_vrf;
541 nm->outside_fib_index = fib_table_find_or_create_and_lock (
542 FIB_PROTOCOL_IP4, c.outside_vrf, nm->fib_src_hi);
544 nat_reset_timeouts (&nm->timeouts);
545 nat44_ei_db_init (nm->translations, nm->translation_buckets,
547 nat44_ei_set_alloc_default ();
549 // TODO: zero simple counter for all counters missing
551 vlib_zero_simple_counter (&nm->total_users, 0);
552 vlib_zero_simple_counter (&nm->total_sessions, 0);
553 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
555 if (nm->num_workers > 1)
557 if (nm->fq_in2out_index == ~0)
559 nm->fq_in2out_index = vlib_frame_queue_main_init (
560 nm->in2out_node_index, nm->frame_queue_nelts);
562 if (nm->fq_out2in_index == ~0)
564 nm->fq_out2in_index = vlib_frame_queue_main_init (
565 nm->out2in_node_index, nm->frame_queue_nelts);
567 if (nm->fq_in2out_output_index == ~0)
569 nm->fq_in2out_output_index = vlib_frame_queue_main_init (
570 nm->in2out_output_node_index, nm->frame_queue_nelts);
580 static_always_inline nat44_ei_outside_fib_t *
581 nat44_ei_get_outside_fib (nat44_ei_outside_fib_t *outside_fibs, u32 fib_index)
583 nat44_ei_outside_fib_t *f;
584 vec_foreach (f, outside_fibs)
586 if (f->fib_index == fib_index)
594 static_always_inline nat44_ei_interface_t *
595 nat44_ei_get_interface (nat44_ei_interface_t *interfaces, u32 sw_if_index)
597 nat44_ei_interface_t *i;
598 pool_foreach (i, interfaces)
600 if (i->sw_if_index == sw_if_index)
609 nat44_ei_add_interface (u32 sw_if_index, u8 is_inside)
611 const char *feature_name, *del_feature_name;
612 nat44_ei_main_t *nm = &nat44_ei_main;
614 nat44_ei_outside_fib_t *outside_fib;
615 nat44_ei_interface_t *i;
621 if (nm->out2in_dpo && !is_inside)
623 nat44_ei_log_err ("error unsupported");
624 return VNET_API_ERROR_UNSUPPORTED;
627 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
629 nat44_ei_log_err ("error interface already configured");
630 return VNET_API_ERROR_VALUE_EXIST;
633 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
636 if ((nat44_ei_interface_is_inside (i) && is_inside) ||
637 (nat44_ei_interface_is_outside (i) && !is_inside))
641 if (nm->num_workers > 1)
643 del_feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
644 "nat44-ei-out2in-worker-handoff";
645 feature_name = "nat44-ei-handoff-classify";
650 !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
652 feature_name = "nat44-ei-classify";
655 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
660 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
661 sw_if_index, 0, 0, 0);
666 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
667 sw_if_index, 1, 0, 0);
674 rv = vnet_feature_enable_disable (
675 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 0, 0, 0);
684 if (nm->num_workers > 1)
686 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
687 "nat44-ei-out2in-worker-handoff";
691 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
693 nat_validate_interface_counters (nm, sw_if_index);
695 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
700 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
701 sw_if_index, 1, 0, 0);
706 if (is_inside && !nm->out2in_dpo)
708 rv = vnet_feature_enable_disable (
709 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 1, 0, 0);
716 pool_get (nm->interfaces, i);
717 i->sw_if_index = sw_if_index;
722 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
726 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
728 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
731 outside_fib->refcount++;
735 vec_add2 (nm->outside_fibs, outside_fib, 1);
736 outside_fib->fib_index = fib_index;
737 outside_fib->refcount = 1;
740 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
741 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
745 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
752 nat44_ei_del_interface (u32 sw_if_index, u8 is_inside)
754 const char *feature_name, *del_feature_name;
755 nat44_ei_main_t *nm = &nat44_ei_main;
757 nat44_ei_outside_fib_t *outside_fib;
758 nat44_ei_interface_t *i;
764 if (nm->out2in_dpo && !is_inside)
766 nat44_ei_log_err ("error unsupported");
767 return VNET_API_ERROR_UNSUPPORTED;
770 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
773 nat44_ei_log_err ("error interface couldn't be found");
774 return VNET_API_ERROR_NO_SUCH_ENTRY;
777 if (nat44_ei_interface_is_inside (i) && nat44_ei_interface_is_outside (i))
779 if (nm->num_workers > 1)
781 del_feature_name = "nat44-ei-handoff-classify";
782 feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
783 "nat44-ei-out2in-worker-handoff";
787 del_feature_name = "nat44-ei-classify";
788 feature_name = !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
791 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
796 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
797 sw_if_index, 0, 0, 0);
802 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
803 sw_if_index, 1, 0, 0);
810 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
814 rv = vnet_feature_enable_disable (
815 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 1, 0, 0);
820 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
825 if (nm->num_workers > 1)
827 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
828 "nat44-ei-out2in-worker-handoff";
832 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
835 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
840 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
841 sw_if_index, 0, 0, 0);
848 rv = vnet_feature_enable_disable (
849 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 0, 0, 0);
857 pool_put (nm->interfaces, i);
863 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
864 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
867 outside_fib->refcount--;
868 if (!outside_fib->refcount)
870 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
874 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 0);
875 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 0);
882 nat44_ei_add_output_interface (u32 sw_if_index)
884 nat44_ei_main_t *nm = &nat44_ei_main;
886 nat44_ei_outside_fib_t *outside_fib;
887 nat44_ei_interface_t *i;
893 if (nat44_ei_get_interface (nm->interfaces, sw_if_index))
895 nat44_ei_log_err ("error interface already configured");
896 return VNET_API_ERROR_VALUE_EXIST;
899 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
901 nat44_ei_log_err ("error interface already configured");
902 return VNET_API_ERROR_VALUE_EXIST;
905 if (nm->num_workers > 1)
907 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
912 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
917 rv = vnet_feature_enable_disable (
918 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 1, 0, 0);
923 rv = vnet_feature_enable_disable (
924 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 1,
933 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
938 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
943 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
944 sw_if_index, 1, 0, 0);
949 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
950 sw_if_index, 1, 0, 0);
957 nat_validate_interface_counters (nm, sw_if_index);
959 pool_get (nm->output_feature_interfaces, i);
960 i->sw_if_index = sw_if_index;
962 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
963 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
966 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
967 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
970 outside_fib->refcount++;
974 vec_add2 (nm->outside_fibs, outside_fib, 1);
975 outside_fib->fib_index = fib_index;
976 outside_fib->refcount = 1;
979 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
980 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
986 nat44_ei_del_output_interface (u32 sw_if_index)
988 nat44_ei_main_t *nm = &nat44_ei_main;
990 nat44_ei_outside_fib_t *outside_fib;
991 nat44_ei_interface_t *i;
997 i = nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index);
1000 nat44_ei_log_err ("error interface couldn't be found");
1001 return VNET_API_ERROR_NO_SUCH_ENTRY;
1004 if (nm->num_workers > 1)
1006 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1011 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1016 rv = vnet_feature_enable_disable (
1017 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 0, 0, 0);
1022 rv = vnet_feature_enable_disable (
1023 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 0,
1032 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1037 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1042 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
1043 sw_if_index, 0, 0, 0);
1048 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
1049 sw_if_index, 0, 0, 0);
1056 pool_put (nm->output_feature_interfaces, i);
1059 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1060 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
1063 outside_fib->refcount--;
1064 if (!outside_fib->refcount)
1066 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
1070 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
1071 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
1077 nat44_ei_add_del_output_interface (u32 sw_if_index, int is_del)
1081 return nat44_ei_del_output_interface (sw_if_index);
1085 return nat44_ei_add_output_interface (sw_if_index);
1090 nat44_ei_del_addresses ()
1092 nat44_ei_main_t *nm = &nat44_ei_main;
1093 nat44_ei_address_t *a, *vec;
1096 vec = vec_dup (nm->addresses);
1097 vec_foreach (a, vec)
1099 error = nat44_ei_del_address (a->addr, 0);
1103 nat44_ei_log_err ("error occurred while removing adderess");
1107 vec_free (nm->addresses);
1110 vec_free (nm->auto_add_sw_if_indices);
1111 nm->auto_add_sw_if_indices = 0;
1116 nat44_ei_del_interfaces ()
1118 nat44_ei_main_t *nm = &nat44_ei_main;
1119 nat44_ei_interface_t *i, *pool;
1122 pool = pool_dup (nm->interfaces);
1123 pool_foreach (i, pool)
1125 if (nat44_ei_interface_is_inside (i))
1127 error = nat44_ei_del_interface (i->sw_if_index, 1);
1129 if (nat44_ei_interface_is_outside (i))
1131 error = nat44_ei_del_interface (i->sw_if_index, 0);
1136 nat44_ei_log_err ("error occurred while removing interface");
1140 pool_free (nm->interfaces);
1146 nat44_ei_del_output_interfaces ()
1148 nat44_ei_main_t *nm = &nat44_ei_main;
1149 nat44_ei_interface_t *i, *pool;
1152 pool = pool_dup (nm->output_feature_interfaces);
1153 pool_foreach (i, pool)
1155 error = nat44_ei_del_output_interface (i->sw_if_index);
1158 nat44_ei_log_err ("error occurred while removing output interface");
1162 pool_free (nm->output_feature_interfaces);
1163 nm->output_feature_interfaces = 0;
1168 nat44_ei_del_static_mappings ()
1170 nat44_ei_main_t *nm = &nat44_ei_main;
1171 nat44_ei_static_mapping_t *m, *pool;
1174 pool = pool_dup (nm->static_mappings);
1175 pool_foreach (m, pool)
1177 error = nat44_ei_del_static_mapping_internal (
1178 m->local_addr, m->external_addr, m->local_port, m->external_port,
1179 m->proto, m->vrf_id, ~0, m->flags);
1182 nat44_ei_log_err ("error occurred while removing mapping");
1186 pool_free (nm->static_mappings);
1187 nm->static_mappings = 0;
1189 vec_free (nm->to_resolve);
1192 clib_bihash_free_8_8 (&nm->static_mapping_by_local);
1193 clib_bihash_free_8_8 (&nm->static_mapping_by_external);
1199 nat44_ei_plugin_disable ()
1201 nat44_ei_main_t *nm = &nat44_ei_main;
1202 nat44_ei_main_per_thread_data_t *tnm;
1207 rc = nat44_ei_del_static_mappings ();
1211 rc = nat44_ei_del_addresses ();
1215 rc = nat44_ei_del_interfaces ();
1219 rc = nat44_ei_del_output_interfaces ();
1225 clib_bihash_free_8_8 (&nm->in2out);
1226 clib_bihash_free_8_8 (&nm->out2in);
1228 vec_foreach (tnm, nm->per_thread_data)
1230 nat44_ei_worker_db_free (tnm);
1234 clib_memset (&nm->rconfig, 0, sizeof (nm->rconfig));
1236 nm->forwarding_enabled = 0;
1243 nat44_ei_set_outside_address_and_port (nat44_ei_address_t *addresses,
1244 u32 thread_index, ip4_address_t addr,
1245 u16 port, nat_protocol_t protocol)
1247 nat44_ei_main_t *nm = &nat44_ei_main;
1248 nat44_ei_address_t *a = 0;
1250 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1252 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1254 if (addresses[address_index].addr.as_u32 != addr.as_u32)
1257 a = addresses + address_index;
1260 #define _(N, j, n, s) \
1261 case NAT_PROTOCOL_##N: \
1262 if (a->busy_##n##_port_refcounts[port_host_byte_order]) \
1263 return VNET_API_ERROR_INSTANCE_IN_USE; \
1264 ++a->busy_##n##_port_refcounts[port_host_byte_order]; \
1265 a->busy_##n##_ports_per_thread[thread_index]++; \
1266 a->busy_##n##_ports++; \
1268 foreach_nat_protocol
1270 default : nat_elog_info (nm, "unknown protocol");
1275 return VNET_API_ERROR_NO_SUCH_ENTRY;
1279 nat44_ei_add_del_address_dpo (ip4_address_t addr, u8 is_add)
1281 nat44_ei_main_t *nm = &nat44_ei_main;
1282 dpo_id_t dpo_v4 = DPO_INVALID;
1283 fib_prefix_t pfx = {
1284 .fp_proto = FIB_PROTOCOL_IP4,
1286 .fp_addr.ip4.as_u32 = addr.as_u32,
1291 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
1292 fib_table_entry_special_dpo_add (0, &pfx, nm->fib_src_hi,
1293 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
1294 dpo_reset (&dpo_v4);
1298 fib_table_entry_special_remove (0, &pfx, nm->fib_src_hi);
1303 nat44_ei_free_outside_address_and_port (nat44_ei_address_t *addresses,
1304 u32 thread_index, ip4_address_t *addr,
1305 u16 port, nat_protocol_t protocol)
1307 nat44_ei_main_t *nm = &nat44_ei_main;
1308 nat44_ei_address_t *a;
1310 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1312 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1314 if (addresses[address_index].addr.as_u32 == addr->as_u32)
1318 ASSERT (address_index < vec_len (addresses));
1320 a = addresses + address_index;
1324 #define _(N, i, n, s) \
1325 case NAT_PROTOCOL_##N: \
1326 ASSERT (a->busy_##n##_port_refcounts[port_host_byte_order] >= 1); \
1327 --a->busy_##n##_port_refcounts[port_host_byte_order]; \
1328 a->busy_##n##_ports--; \
1329 a->busy_##n##_ports_per_thread[thread_index]--; \
1331 foreach_nat_protocol
1333 default : nat_elog_info (nm, "unknown protocol");
1339 nat44_ei_free_session_data_v2 (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1340 u32 thread_index, u8 is_ha)
1342 clib_bihash_kv_8_8_t kv;
1344 /* session lookup tables */
1345 init_nat_i2o_k (&kv, s);
1346 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1347 nat_elog_warn (nm, "in2out key del failed");
1348 init_nat_o2i_k (&kv, s);
1349 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1350 nat_elog_warn (nm, "out2in key del failed");
1353 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1354 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
1355 s->out2in.port, s->nat_proto);
1357 if (nat44_ei_is_unk_proto_session (s))
1363 nat_ipfix_logging_nat44_ses_delete (
1364 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1365 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1366 s->in2out.fib_index);
1368 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1369 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1373 if (nat44_ei_is_session_static (s))
1376 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1377 &s->out2in.addr, s->out2in.port,
1382 nat44_ei_user_get_or_create (nat44_ei_main_t *nm, ip4_address_t *addr,
1383 u32 fib_index, u32 thread_index)
1385 nat44_ei_user_t *u = 0;
1386 nat44_ei_user_key_t user_key;
1387 clib_bihash_kv_8_8_t kv, value;
1388 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1389 dlist_elt_t *per_user_list_head_elt;
1391 user_key.addr.as_u32 = addr->as_u32;
1392 user_key.fib_index = fib_index;
1393 kv.key = user_key.as_u64;
1395 /* Ever heard of the "user" = src ip4 address before? */
1396 if (clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1398 if (pool_elts (tnm->users) >= nm->max_users_per_thread)
1400 vlib_increment_simple_counter (&nm->user_limit_reached, thread_index,
1402 nat_elog_warn (nm, "maximum user limit reached");
1405 /* no, make a new one */
1406 pool_get (tnm->users, u);
1407 clib_memset (u, 0, sizeof (*u));
1409 u->addr.as_u32 = addr->as_u32;
1410 u->fib_index = fib_index;
1412 pool_get (tnm->list_pool, per_user_list_head_elt);
1414 u->sessions_per_user_list_head_index =
1415 per_user_list_head_elt - tnm->list_pool;
1417 clib_dlist_init (tnm->list_pool, u->sessions_per_user_list_head_index);
1419 kv.value = u - tnm->users;
1422 if (clib_bihash_add_del_8_8 (&tnm->user_hash, &kv, 1))
1424 nat_elog_warn (nm, "user_hash key add failed");
1425 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
1429 vlib_set_simple_counter (&nm->total_users, thread_index, 0,
1430 pool_elts (tnm->users));
1434 u = pool_elt_at_index (tnm->users, value.value);
1440 nat44_ei_session_t *
1441 nat44_ei_session_alloc_or_recycle (nat44_ei_main_t *nm, nat44_ei_user_t *u,
1442 u32 thread_index, f64 now)
1444 nat44_ei_session_t *s;
1445 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1446 u32 oldest_per_user_translation_list_index, session_index;
1447 dlist_elt_t *oldest_per_user_translation_list_elt;
1448 dlist_elt_t *per_user_translation_list_elt;
1450 /* Over quota? Recycle the least recently used translation */
1451 if ((u->nsessions + u->nstaticsessions) >= nm->max_translations_per_user)
1453 oldest_per_user_translation_list_index = clib_dlist_remove_head (
1454 tnm->list_pool, u->sessions_per_user_list_head_index);
1456 ASSERT (oldest_per_user_translation_list_index != ~0);
1458 /* Add it back to the end of the LRU list */
1459 clib_dlist_addtail (tnm->list_pool, u->sessions_per_user_list_head_index,
1460 oldest_per_user_translation_list_index);
1461 /* Get the list element */
1462 oldest_per_user_translation_list_elt = pool_elt_at_index (
1463 tnm->list_pool, oldest_per_user_translation_list_index);
1465 /* Get the session index from the list element */
1466 session_index = oldest_per_user_translation_list_elt->value;
1468 /* Get the session */
1469 s = pool_elt_at_index (tnm->sessions, session_index);
1471 nat44_ei_free_session_data_v2 (nm, s, thread_index, 0);
1472 if (nat44_ei_is_session_static (s))
1473 u->nstaticsessions--;
1480 s->ext_host_addr.as_u32 = 0;
1481 s->ext_host_port = 0;
1482 s->ext_host_nat_addr.as_u32 = 0;
1483 s->ext_host_nat_port = 0;
1487 pool_get (tnm->sessions, s);
1488 clib_memset (s, 0, sizeof (*s));
1490 /* Create list elts */
1491 pool_get (tnm->list_pool, per_user_translation_list_elt);
1492 clib_dlist_init (tnm->list_pool,
1493 per_user_translation_list_elt - tnm->list_pool);
1495 per_user_translation_list_elt->value = s - tnm->sessions;
1496 s->per_user_index = per_user_translation_list_elt - tnm->list_pool;
1497 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
1499 clib_dlist_addtail (tnm->list_pool, s->per_user_list_head_index,
1500 per_user_translation_list_elt - tnm->list_pool);
1502 s->user_index = u - tnm->users;
1503 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
1504 pool_elts (tnm->sessions));
1507 s->ha_last_refreshed = now;
1513 nat44_ei_free_session_data (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1514 u32 thread_index, u8 is_ha)
1516 clib_bihash_kv_8_8_t kv;
1518 init_nat_i2o_k (&kv, s);
1519 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1520 nat_elog_warn (nm, "in2out key del failed");
1522 init_nat_o2i_k (&kv, s);
1523 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1524 nat_elog_warn (nm, "out2in key del failed");
1528 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1529 &s->in2out.addr, s->in2out.port,
1530 &s->out2in.addr, s->out2in.port, s->nat_proto);
1532 nat_ipfix_logging_nat44_ses_delete (
1533 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1534 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1535 s->in2out.fib_index);
1537 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1538 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1542 if (nat44_ei_is_session_static (s))
1545 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1546 &s->out2in.addr, s->out2in.port,
1550 static_always_inline void
1551 nat44_ei_user_del_sessions (nat44_ei_user_t *u, u32 thread_index)
1554 nat44_ei_session_t *s;
1556 nat44_ei_main_t *nm = &nat44_ei_main;
1557 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1561 pool_elt_at_index (tnm->list_pool, u->sessions_per_user_list_head_index);
1562 // get first element
1563 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1565 while (elt->value != ~0)
1567 s = pool_elt_at_index (tnm->sessions, elt->value);
1568 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1570 nat44_ei_free_session_data (nm, s, thread_index, 0);
1571 nat44_ei_delete_session (nm, s, thread_index);
1576 nat44_ei_user_del (ip4_address_t *addr, u32 fib_index)
1580 nat44_ei_main_t *nm = &nat44_ei_main;
1581 nat44_ei_main_per_thread_data_t *tnm;
1583 nat44_ei_user_key_t user_key;
1584 clib_bihash_kv_8_8_t kv, value;
1586 user_key.addr.as_u32 = addr->as_u32;
1587 user_key.fib_index = fib_index;
1588 kv.key = user_key.as_u64;
1590 if (nm->num_workers > 1)
1592 vec_foreach (tnm, nm->per_thread_data)
1594 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1596 nat44_ei_user_del_sessions (
1597 pool_elt_at_index (tnm->users, value.value),
1606 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
1607 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1609 nat44_ei_user_del_sessions (
1610 pool_elt_at_index (tnm->users, value.value), tnm->thread_index);
1618 nat44_ei_static_mapping_del_sessions (nat44_ei_main_t *nm,
1619 nat44_ei_main_per_thread_data_t *tnm,
1620 nat44_ei_user_key_t u_key, int addr_only,
1621 ip4_address_t e_addr, u16 e_port)
1623 clib_bihash_kv_8_8_t kv, value;
1624 kv.key = u_key.as_u64;
1626 dlist_elt_t *head, *elt;
1628 nat44_ei_session_t *s;
1629 u32 elt_index, head_index, ses_index;
1631 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1633 user_index = value.value;
1634 u = pool_elt_at_index (tnm->users, user_index);
1635 if (u->nstaticsessions)
1637 head_index = u->sessions_per_user_list_head_index;
1638 head = pool_elt_at_index (tnm->list_pool, head_index);
1639 elt_index = head->next;
1640 elt = pool_elt_at_index (tnm->list_pool, elt_index);
1641 ses_index = elt->value;
1642 while (ses_index != ~0)
1644 s = pool_elt_at_index (tnm->sessions, ses_index);
1645 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1646 ses_index = elt->value;
1650 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
1651 (s->out2in.port != e_port))
1655 if (!nat44_ei_is_session_static (s))
1658 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
1660 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
1670 nat44_ei_get_in2out_worker_index (ip4_header_t *ip0, u32 rx_fib_index0,
1673 nat44_ei_main_t *nm = &nat44_ei_main;
1674 u32 next_worker_index = 0;
1677 next_worker_index = nm->first_worker_index;
1678 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
1679 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
1681 if (PREDICT_TRUE (is_pow2 (_vec_len (nm->workers))))
1682 next_worker_index += nm->workers[hash & (_vec_len (nm->workers) - 1)];
1684 next_worker_index += nm->workers[hash % _vec_len (nm->workers)];
1686 return next_worker_index;
1690 nat44_ei_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip0,
1691 u32 rx_fib_index0, u8 is_output)
1693 nat44_ei_main_t *nm = &nat44_ei_main;
1696 clib_bihash_kv_8_8_t kv, value;
1697 nat44_ei_static_mapping_t *m;
1699 u32 next_worker_index = 0;
1701 /* first try static mappings without port */
1702 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1704 init_nat_k (&kv, ip0->dst_address, 0, rx_fib_index0, 0);
1705 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1708 m = pool_elt_at_index (nm->static_mappings, value.value);
1709 return m->workers[0];
1713 proto = ip_proto_to_nat_proto (ip0->protocol);
1714 udp = ip4_next_header (ip0);
1715 port = vnet_buffer (b)->ip.reass.l4_dst_port;
1717 /* unknown protocol */
1718 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
1720 /* use current thread */
1721 return vlib_get_thread_index ();
1724 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
1726 icmp46_header_t *icmp = (icmp46_header_t *) udp;
1727 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
1728 if (!icmp_type_is_error_message (
1729 vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
1730 port = vnet_buffer (b)->ip.reass.l4_src_port;
1733 /* if error message, then it's not fragmented and we can access it */
1734 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
1735 proto = ip_proto_to_nat_proto (inner_ip->protocol);
1736 void *l4_header = ip4_next_header (inner_ip);
1739 case NAT_PROTOCOL_ICMP:
1740 icmp = (icmp46_header_t *) l4_header;
1741 echo = (icmp_echo_header_t *) (icmp + 1);
1742 port = echo->identifier;
1744 case NAT_PROTOCOL_UDP:
1745 case NAT_PROTOCOL_TCP:
1746 port = ((tcp_udp_header_t *) l4_header)->src_port;
1749 return vlib_get_thread_index ();
1754 /* try static mappings with port */
1755 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1757 init_nat_k (&kv, ip0->dst_address, port, rx_fib_index0, proto);
1758 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1761 m = pool_elt_at_index (nm->static_mappings, value.value);
1762 return m->workers[0];
1766 /* worker by outside port */
1767 next_worker_index = nm->first_worker_index;
1768 next_worker_index +=
1769 nm->workers[(clib_net_to_host_u16 (port) - 1024) / nm->port_per_thread];
1770 return next_worker_index;
1774 nat44_ei_alloc_default_cb (nat44_ei_address_t *addresses, u32 fib_index,
1775 u32 thread_index, nat_protocol_t proto,
1776 ip4_address_t s_addr, ip4_address_t *addr,
1777 u16 *port, u16 port_per_thread,
1778 u32 snat_thread_index)
1780 nat44_ei_main_t *nm = &nat44_ei_main;
1781 nat44_ei_address_t *a, *ga = 0;
1785 if (vec_len (addresses) > 0)
1788 int s_addr_offset = s_addr.as_u32 % vec_len (addresses);
1790 for (i = s_addr_offset; i < vec_len (addresses); ++i)
1795 #define _(N, j, n, s) \
1796 case NAT_PROTOCOL_##N: \
1797 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
1799 if (a->fib_index == fib_index) \
1803 portnum = (port_per_thread * snat_thread_index) + \
1804 nat_random_port (&nm->random_seed, 0, \
1805 port_per_thread - 1) + \
1807 if (a->busy_##n##_port_refcounts[portnum]) \
1809 --a->busy_##n##_port_refcounts[portnum]; \
1810 a->busy_##n##_ports_per_thread[thread_index]++; \
1811 a->busy_##n##_ports++; \
1813 *port = clib_host_to_net_u16 (portnum); \
1817 else if (a->fib_index == ~0) \
1823 foreach_nat_protocol;
1825 nat_elog_info (nm, "unknown protocol");
1830 for (i = 0; i < s_addr_offset; ++i)
1835 foreach_nat_protocol;
1837 nat_elog_info (nm, "unknown protocol");
1844 // fake fib index to reuse macro
1848 foreach_nat_protocol;
1849 default : nat_elog_info (nm, "unknown protocol");
1857 /* Totally out of translations to use... */
1858 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1863 nat44_ei_alloc_range_cb (nat44_ei_address_t *addresses, u32 fib_index,
1864 u32 thread_index, nat_protocol_t proto,
1865 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1866 u16 port_per_thread, u32 snat_thread_index)
1868 nat44_ei_main_t *nm = &nat44_ei_main;
1869 nat44_ei_address_t *a = addresses;
1872 ports = nm->end_port - nm->start_port + 1;
1874 if (!vec_len (addresses))
1879 #define _(N, i, n, s) \
1880 case NAT_PROTOCOL_##N: \
1881 if (a->busy_##n##_ports < ports) \
1885 portnum = nat_random_port (&nm->random_seed, nm->start_port, \
1887 if (a->busy_##n##_port_refcounts[portnum]) \
1889 ++a->busy_##n##_port_refcounts[portnum]; \
1890 a->busy_##n##_ports++; \
1892 *port = clib_host_to_net_u16 (portnum); \
1897 foreach_nat_protocol
1899 default : nat_elog_info (nm, "unknown protocol");
1904 /* Totally out of translations to use... */
1905 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1910 nat44_ei_alloc_mape_cb (nat44_ei_address_t *addresses, u32 fib_index,
1911 u32 thread_index, nat_protocol_t proto,
1912 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1913 u16 port_per_thread, u32 snat_thread_index)
1915 nat44_ei_main_t *nm = &nat44_ei_main;
1916 nat44_ei_address_t *a = addresses;
1917 u16 m, ports, portnum, A, j;
1918 m = 16 - (nm->psid_offset + nm->psid_length);
1919 ports = (1 << (16 - nm->psid_length)) - (1 << m);
1921 if (!vec_len (addresses))
1926 #define _(N, i, n, s) \
1927 case NAT_PROTOCOL_##N: \
1928 if (a->busy_##n##_ports < ports) \
1932 A = nat_random_port (&nm->random_seed, 1, \
1933 pow2_mask (nm->psid_offset)); \
1934 j = nat_random_port (&nm->random_seed, 0, pow2_mask (m)); \
1935 portnum = A | (nm->psid << nm->psid_offset) | (j << (16 - m)); \
1936 if (a->busy_##n##_port_refcounts[portnum]) \
1938 ++a->busy_##n##_port_refcounts[portnum]; \
1939 a->busy_##n##_ports++; \
1941 *port = clib_host_to_net_u16 (portnum); \
1946 foreach_nat_protocol
1948 default : nat_elog_info (nm, "unknown protocol");
1953 /* Totally out of translations to use... */
1954 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1959 nat44_ei_set_alloc_default ()
1961 nat44_ei_main_t *nm = &nat44_ei_main;
1963 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
1964 nm->alloc_addr_and_port = nat44_ei_alloc_default_cb;
1968 nat44_ei_set_alloc_range (u16 start_port, u16 end_port)
1970 nat44_ei_main_t *nm = &nat44_ei_main;
1972 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_RANGE;
1973 nm->alloc_addr_and_port = nat44_ei_alloc_range_cb;
1974 nm->start_port = start_port;
1975 nm->end_port = end_port;
1979 nat44_ei_set_alloc_mape (u16 psid, u16 psid_offset, u16 psid_length)
1981 nat44_ei_main_t *nm = &nat44_ei_main;
1983 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_MAPE;
1984 nm->alloc_addr_and_port = nat44_ei_alloc_mape_cb;
1986 nm->psid_offset = psid_offset;
1987 nm->psid_length = psid_length;
1991 nat44_ei_delete_session (nat44_ei_main_t *nm, nat44_ei_session_t *ses,
1994 nat44_ei_main_per_thread_data_t *tnm =
1995 vec_elt_at_index (nm->per_thread_data, thread_index);
1996 clib_bihash_kv_8_8_t kv, value;
1998 const nat44_ei_user_key_t u_key = { .addr = ses->in2out.addr,
1999 .fib_index = ses->in2out.fib_index };
2000 const u8 u_static = nat44_ei_is_session_static (ses);
2002 clib_dlist_remove (tnm->list_pool, ses->per_user_index);
2003 pool_put_index (tnm->list_pool, ses->per_user_index);
2005 pool_put (tnm->sessions, ses);
2006 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
2007 pool_elts (tnm->sessions));
2009 kv.key = u_key.as_u64;
2010 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
2012 u = pool_elt_at_index (tnm->users, value.value);
2014 u->nstaticsessions--;
2018 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
2023 nat44_ei_del_session (nat44_ei_main_t *nm, ip4_address_t *addr, u16 port,
2024 nat_protocol_t proto, u32 vrf_id, int is_in)
2026 nat44_ei_main_per_thread_data_t *tnm;
2027 clib_bihash_kv_8_8_t kv, value;
2029 nat44_ei_session_t *s;
2030 clib_bihash_8_8_t *t;
2032 fail_if_disabled ();
2034 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
2035 init_nat_k (&kv, *addr, port, fib_index, proto);
2036 t = is_in ? &nm->in2out : &nm->out2in;
2037 if (!clib_bihash_search_8_8 (t, &kv, &value))
2039 // this is called from API/CLI, so the world is stopped here
2040 // it's safe to manipulate arbitrary per-thread data
2041 u32 thread_index = nat_value_get_thread_index (&value);
2042 tnm = vec_elt_at_index (nm->per_thread_data, thread_index);
2043 u32 session_index = nat_value_get_session_index (&value);
2044 if (pool_is_free_index (tnm->sessions, session_index))
2045 return VNET_API_ERROR_UNSPECIFIED;
2047 s = pool_elt_at_index (tnm->sessions, session_index);
2048 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data, 0);
2049 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
2053 return VNET_API_ERROR_NO_SUCH_ENTRY;
2057 nat44_ei_get_thread_idx_by_port (u16 e_port)
2059 nat44_ei_main_t *nm = &nat44_ei_main;
2060 u32 thread_idx = nm->num_workers;
2061 if (nm->num_workers > 1)
2063 thread_idx = nm->first_worker_index +
2064 nm->workers[(e_port - 1024) / nm->port_per_thread];
2070 nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len, u32 sw_if_index,
2073 nat44_ei_main_t *nm = &nat44_ei_main;
2074 fib_prefix_t prefix = {
2076 .fp_proto = FIB_PROTOCOL_IP4,
2078 .ip4.as_u32 = addr->as_u32,
2081 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
2085 fib_table_entry_update_one_path (fib_index, &prefix, nm->fib_src_low,
2086 (FIB_ENTRY_FLAG_CONNECTED |
2087 FIB_ENTRY_FLAG_LOCAL |
2088 FIB_ENTRY_FLAG_EXCLUSIVE),
2089 DPO_PROTO_IP4, NULL, sw_if_index, ~0, 1,
2090 NULL, FIB_ROUTE_PATH_FLAG_NONE);
2094 fib_table_entry_delete (fib_index, &prefix, nm->fib_src_low);
2099 nat44_ei_reserve_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2101 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2102 nat44_ei_main_t *nm = &nat44_ei_main;
2103 nat44_ei_address_t *a = 0;
2106 for (i = 0; i < vec_len (nm->addresses); i++)
2108 a = nm->addresses + i;
2110 if (a->addr.as_u32 != addr.as_u32)
2115 #define _(N, j, n, s) \
2116 case NAT_PROTOCOL_##N: \
2117 if (a->busy_##n##_port_refcounts[port]) \
2119 ++a->busy_##n##_port_refcounts[port]; \
2122 a->busy_##n##_ports++; \
2123 a->busy_##n##_ports_per_thread[ti]++; \
2126 foreach_nat_protocol
2128 default : nat_elog_info (nm, "unknown protocol");
2140 nat44_ei_free_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2142 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2143 nat44_ei_main_t *nm = &nat44_ei_main;
2144 nat44_ei_address_t *a = 0;
2147 for (i = 0; i < vec_len (nm->addresses); i++)
2149 a = nm->addresses + i;
2151 if (a->addr.as_u32 != addr.as_u32)
2156 #define _(N, j, n, s) \
2157 case NAT_PROTOCOL_##N: \
2158 --a->busy_##n##_port_refcounts[port]; \
2161 a->busy_##n##_ports--; \
2162 a->busy_##n##_ports_per_thread[ti]--; \
2165 foreach_nat_protocol
2167 default : nat_elog_info (nm, "unknown protocol");
2179 nat44_ei_add_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2180 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2181 u32 flags, ip4_address_t pool_addr, u8 *tag)
2183 nat44_ei_static_map_resolve_t *rp;
2184 nat44_ei_main_t *nm = &nat44_ei_main;
2186 vec_add2 (nm->to_resolve, rp, 1);
2187 rp->l_addr.as_u32 = l_addr.as_u32;
2188 rp->l_port = l_port;
2189 rp->e_port = e_port;
2190 rp->sw_if_index = sw_if_index;
2191 rp->vrf_id = vrf_id;
2194 rp->pool_addr = pool_addr;
2195 rp->tag = vec_dup (tag);
2199 nat44_ei_get_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2200 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2201 u32 flags, int *out)
2203 nat44_ei_static_map_resolve_t *rp;
2204 nat44_ei_main_t *nm = &nat44_ei_main;
2207 for (i = 0; i < vec_len (nm->to_resolve); i++)
2209 rp = nm->to_resolve + i;
2211 if (rp->sw_if_index == sw_if_index && rp->vrf_id == vrf_id)
2213 if (is_sm_identity_nat (rp->flags) && is_sm_identity_nat (flags))
2215 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2217 if (rp->e_port != e_port || rp->proto != proto)
2223 else if (rp->l_addr.as_u32 == l_addr.as_u32)
2225 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2227 if (rp->l_port != l_port || rp->e_port != e_port ||
2249 nat44_ei_del_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2250 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2253 nat44_ei_main_t *nm = &nat44_ei_main;
2255 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2256 sw_if_index, flags, &i))
2258 vec_del1 (nm->to_resolve, i);
2265 delete_matching_dynamic_sessions (const nat44_ei_static_mapping_t *m,
2268 nat44_ei_main_t *nm = &nat44_ei_main;
2269 clib_bihash_kv_8_8_t kv, value;
2270 nat44_ei_session_t *s;
2271 nat44_ei_user_key_t u_key;
2273 nat44_ei_main_per_thread_data_t *tnm;
2274 dlist_elt_t *head, *elt;
2275 u32 elt_index, head_index;
2279 if (nm->static_mapping_only)
2282 tnm = vec_elt_at_index (nm->per_thread_data, worker_index);
2284 u_key.addr = m->local_addr;
2285 u_key.fib_index = m->fib_index;
2286 kv.key = u_key.as_u64;
2287 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
2289 user_index = value.value;
2290 u = pool_elt_at_index (tnm->users, user_index);
2293 head_index = u->sessions_per_user_list_head_index;
2294 head = pool_elt_at_index (tnm->list_pool, head_index);
2295 elt_index = head->next;
2296 elt = pool_elt_at_index (tnm->list_pool, elt_index);
2297 ses_index = elt->value;
2298 while (ses_index != ~0)
2300 s = pool_elt_at_index (tnm->sessions, ses_index);
2301 elt = pool_elt_at_index (tnm->list_pool, elt->next);
2302 ses_index = elt->value;
2304 if (nat44_ei_is_session_static (s))
2307 if (!is_sm_addr_only (m->flags) &&
2308 s->in2out.port != m->local_port)
2311 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
2313 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
2315 if (!is_sm_addr_only (m->flags))
2323 nat44_ei_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2324 u16 l_port, u16 e_port, nat_protocol_t proto,
2325 u32 vrf_id, u32 sw_if_index, u32 flags,
2326 ip4_address_t pool_addr, u8 *tag)
2329 nat44_ei_main_t *nm = &nat44_ei_main;
2331 if (is_sm_switch_address (flags))
2333 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2334 sw_if_index, flags, 0))
2336 return VNET_API_ERROR_VALUE_EXIST;
2339 nat44_ei_add_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2340 sw_if_index, flags, pool_addr, tag);
2342 ip4_address_t *first_int_addr =
2343 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2344 if (!first_int_addr)
2346 // dhcp resolution required
2350 e_addr.as_u32 = first_int_addr->as_u32;
2353 return nat44_ei_add_static_mapping_internal (l_addr, e_addr, l_port, e_port,
2354 proto, vrf_id, sw_if_index,
2355 flags, pool_addr, tag);
2359 nat44_ei_del_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2360 u16 l_port, u16 e_port, nat_protocol_t proto,
2361 u32 vrf_id, u32 sw_if_index, u32 flags)
2363 nat44_ei_main_t *nm = &nat44_ei_main;
2365 if (is_sm_switch_address (flags))
2368 if (nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2369 sw_if_index, flags))
2371 return VNET_API_ERROR_NO_SUCH_ENTRY;
2374 ip4_address_t *first_int_addr =
2375 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2376 if (!first_int_addr)
2378 // dhcp resolution required
2382 e_addr.as_u32 = first_int_addr->as_u32;
2385 return nat44_ei_del_static_mapping_internal (
2386 l_addr, e_addr, l_port, e_port, proto, vrf_id, sw_if_index, flags);
2390 nat44_ei_add_static_mapping_internal (ip4_address_t l_addr,
2391 ip4_address_t e_addr, u16 l_port,
2392 u16 e_port, nat_protocol_t proto,
2393 u32 vrf_id, u32 sw_if_index, u32 flags,
2394 ip4_address_t pool_addr, u8 *tag)
2396 nat44_ei_main_t *nm = &nat44_ei_main;
2397 clib_bihash_kv_8_8_t kv, value;
2398 nat44_ei_lb_addr_port_t *local;
2399 nat44_ei_static_mapping_t *m;
2403 fail_if_disabled ();
2405 if (is_sm_addr_only (flags))
2407 e_port = l_port = proto = 0;
2410 if (is_sm_identity_nat (flags))
2413 l_addr.as_u32 = e_addr.as_u32;
2417 init_nat_k (&kv, e_addr, e_port, 0, proto);
2419 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2421 m = pool_elt_at_index (nm->static_mappings, value.value);
2422 if (!is_sm_identity_nat (m->flags))
2424 return VNET_API_ERROR_VALUE_EXIST;
2428 // adding local identity nat record for different vrf table
2429 pool_foreach (local, m->locals)
2431 if (local->vrf_id == vrf_id)
2433 return VNET_API_ERROR_VALUE_EXIST;
2437 pool_get (m->locals, local);
2439 local->vrf_id = vrf_id;
2440 local->fib_index = fib_table_find_or_create_and_lock (
2441 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
2443 init_nat_kv (&kv, m->local_addr, m->local_port, local->fib_index,
2444 m->proto, 0, m - nm->static_mappings);
2445 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2452 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
2457 // fallback to default vrf
2458 vrf_id = nm->inside_vrf_id;
2459 fib_index = nm->inside_fib_index;
2460 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2463 if (!is_sm_identity_nat (flags))
2465 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2466 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2468 return VNET_API_ERROR_VALUE_EXIST;
2472 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2474 if (nat44_ei_reserve_port (e_addr, e_port, proto))
2476 // remove resolve record
2477 if ((is_sm_switch_address (flags)) && !is_sm_identity_nat (flags))
2479 nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto,
2480 vrf_id, sw_if_index, flags);
2482 return VNET_API_ERROR_NO_SUCH_ENTRY;
2486 pool_get (nm->static_mappings, m);
2487 clib_memset (m, 0, sizeof (*m));
2490 m->local_addr = l_addr;
2491 m->external_addr = e_addr;
2493 m->tag = vec_dup (tag);
2495 if (!is_sm_addr_only (flags))
2497 m->local_port = l_port;
2498 m->external_port = e_port;
2502 if (is_sm_identity_nat (flags))
2504 pool_get (m->locals, local);
2506 local->vrf_id = vrf_id;
2507 local->fib_index = fib_index;
2512 m->fib_index = fib_index;
2515 init_nat_kv (&kv, m->local_addr, m->local_port, fib_index, m->proto, 0,
2516 m - nm->static_mappings);
2517 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2519 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto, 0,
2520 m - nm->static_mappings);
2521 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 1);
2523 if (nm->num_workers > 1)
2525 // store worker index for this record
2527 .src_address = m->local_addr,
2529 worker_index = nat44_ei_get_in2out_worker_index (&ip, m->fib_index, 0);
2530 vec_add1 (m->workers, worker_index);
2534 worker_index = nm->num_workers;
2536 delete_matching_dynamic_sessions (m, worker_index);
2538 if (is_sm_addr_only (flags))
2540 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 1);
2547 nat44_ei_del_static_mapping_internal (ip4_address_t l_addr,
2548 ip4_address_t e_addr, u16 l_port,
2549 u16 e_port, nat_protocol_t proto,
2550 u32 vrf_id, u32 sw_if_index, u32 flags)
2552 nat44_ei_main_per_thread_data_t *tnm;
2553 nat44_ei_main_t *nm = &nat44_ei_main;
2554 clib_bihash_kv_8_8_t kv, value;
2555 nat44_ei_lb_addr_port_t *local;
2556 nat44_ei_static_mapping_t *m;
2558 nat44_ei_user_key_t u_key;
2560 fail_if_disabled ();
2562 if (is_sm_addr_only (flags))
2564 e_port = l_port = proto = 0;
2567 if (is_sm_identity_nat (flags))
2570 l_addr.as_u32 = e_addr.as_u32;
2574 init_nat_k (&kv, e_addr, e_port, 0, proto);
2576 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2578 if (is_sm_switch_address (flags))
2582 return VNET_API_ERROR_NO_SUCH_ENTRY;
2585 m = pool_elt_at_index (nm->static_mappings, value.value);
2587 if (is_sm_identity_nat (flags))
2593 vrf_id = nm->inside_vrf_id;
2596 pool_foreach (local, m->locals)
2598 if (local->vrf_id == vrf_id)
2600 local = pool_elt_at_index (m->locals, local - m->locals);
2601 fib_index = local->fib_index;
2602 pool_put (m->locals, local);
2608 return VNET_API_ERROR_NO_SUCH_ENTRY;
2613 fib_index = m->fib_index;
2616 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2618 if (nat44_ei_free_port (e_addr, e_port, proto))
2620 return VNET_API_ERROR_INVALID_VALUE;
2624 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2625 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 0);
2627 if (!nm->static_mapping_only || nm->static_mapping_connection_tracking)
2629 // delete sessions for static mapping
2630 if (nm->num_workers > 1)
2631 tnm = vec_elt_at_index (nm->per_thread_data, m->workers[0]);
2633 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
2635 u_key.addr = m->local_addr;
2636 u_key.fib_index = fib_index;
2637 kv.key = u_key.as_u64;
2638 nat44_ei_static_mapping_del_sessions (
2639 nm, tnm, u_key, is_sm_addr_only (flags), e_addr, e_port);
2642 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2644 if (!pool_elts (m->locals))
2646 // this is last record remove all required stuff
2648 init_nat_k (&kv, e_addr, e_port, 0, proto);
2649 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 0);
2652 vec_free (m->workers);
2653 pool_put (nm->static_mappings, m);
2655 if (is_sm_addr_only (flags) && !is_sm_identity_nat (flags))
2657 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 0);
2665 nat44_ei_static_mapping_match (ip4_address_t match_addr, u16 match_port,
2666 u32 match_fib_index,
2667 nat_protocol_t match_protocol,
2668 ip4_address_t *mapping_addr, u16 *mapping_port,
2669 u32 *mapping_fib_index, u8 by_external,
2670 u8 *is_addr_only, u8 *is_identity_nat)
2672 nat44_ei_main_t *nm = &nat44_ei_main;
2673 clib_bihash_kv_8_8_t kv, value;
2674 nat44_ei_static_mapping_t *m;
2679 init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
2680 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2683 /* Try address only mapping */
2684 init_nat_k (&kv, match_addr, 0, 0, 0);
2685 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2689 m = pool_elt_at_index (nm->static_mappings, value.value);
2691 *mapping_fib_index = m->fib_index;
2692 *mapping_addr = m->local_addr;
2693 port = m->local_port;
2697 init_nat_k (&kv, match_addr, match_port, match_fib_index,
2699 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2701 /* Try address only mapping */
2702 init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
2703 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv,
2707 m = pool_elt_at_index (nm->static_mappings, value.value);
2709 *mapping_fib_index = nm->outside_fib_index;
2710 *mapping_addr = m->external_addr;
2711 port = m->external_port;
2714 /* Address only mapping doesn't change port */
2715 if (is_sm_addr_only (m->flags))
2716 *mapping_port = match_port;
2718 *mapping_port = port;
2720 if (PREDICT_FALSE (is_addr_only != 0))
2721 *is_addr_only = is_sm_addr_only (m->flags);
2723 if (PREDICT_FALSE (is_identity_nat != 0))
2724 *is_identity_nat = is_sm_identity_nat (m->flags);
2730 nat44_ei_worker_db_free (nat44_ei_main_per_thread_data_t *tnm)
2732 pool_free (tnm->list_pool);
2733 pool_free (tnm->lru_pool);
2734 pool_free (tnm->sessions);
2735 pool_free (tnm->users);
2737 clib_bihash_free_8_8 (&tnm->user_hash);
2741 format_nat44_ei_key (u8 *s, va_list *args)
2743 u64 key = va_arg (*args, u64);
2747 nat_protocol_t protocol;
2750 split_nat_key (key, &addr, &port, &fib_index, &protocol);
2752 s = format (s, "%U proto %U port %d fib %d", format_ip4_address, &addr,
2753 format_nat_protocol, protocol, clib_net_to_host_u16 (port),
2759 format_nat44_ei_user_kvp (u8 *s, va_list *args)
2761 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2762 nat44_ei_user_key_t k;
2766 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
2767 k.fib_index, v->value);
2773 format_nat44_ei_session_kvp (u8 *s, va_list *args)
2775 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2777 s = format (s, "%U thread-index %llu session-index %llu",
2778 format_nat44_ei_key, v->key, nat_value_get_thread_index (v),
2779 nat_value_get_session_index (v));
2785 format_nat44_ei_static_mapping_kvp (u8 *s, va_list *args)
2787 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2789 s = format (s, "%U static-mapping-index %llu", format_nat44_ei_key, v->key,
2796 nat44_ei_worker_db_init (nat44_ei_main_per_thread_data_t *tnm,
2797 u32 translations, u32 translation_buckets,
2802 pool_alloc (tnm->list_pool, translations);
2803 pool_alloc (tnm->lru_pool, translations);
2804 pool_alloc (tnm->sessions, translations);
2806 clib_bihash_init_8_8 (&tnm->user_hash, "users", user_buckets, 0);
2808 clib_bihash_set_kvp_format_fn_8_8 (&tnm->user_hash,
2809 format_nat44_ei_user_kvp);
2811 pool_get (tnm->lru_pool, head);
2812 tnm->tcp_trans_lru_head_index = head - tnm->lru_pool;
2813 clib_dlist_init (tnm->lru_pool, tnm->tcp_trans_lru_head_index);
2815 pool_get (tnm->lru_pool, head);
2816 tnm->tcp_estab_lru_head_index = head - tnm->lru_pool;
2817 clib_dlist_init (tnm->lru_pool, tnm->tcp_estab_lru_head_index);
2819 pool_get (tnm->lru_pool, head);
2820 tnm->udp_lru_head_index = head - tnm->lru_pool;
2821 clib_dlist_init (tnm->lru_pool, tnm->udp_lru_head_index);
2823 pool_get (tnm->lru_pool, head);
2824 tnm->icmp_lru_head_index = head - tnm->lru_pool;
2825 clib_dlist_init (tnm->lru_pool, tnm->icmp_lru_head_index);
2827 pool_get (tnm->lru_pool, head);
2828 tnm->unk_proto_lru_head_index = head - tnm->lru_pool;
2829 clib_dlist_init (tnm->lru_pool, tnm->unk_proto_lru_head_index);
2833 nat44_ei_db_init (u32 translations, u32 translation_buckets, u32 user_buckets)
2835 nat44_ei_main_t *nm = &nat44_ei_main;
2836 nat44_ei_main_per_thread_data_t *tnm;
2838 u32 static_mapping_buckets = 1024;
2839 u32 static_mapping_memory_size = 64 << 20;
2841 clib_bihash_init_8_8 (&nm->static_mapping_by_local,
2842 "static_mapping_by_local", static_mapping_buckets,
2843 static_mapping_memory_size);
2844 clib_bihash_init_8_8 (&nm->static_mapping_by_external,
2845 "static_mapping_by_external", static_mapping_buckets,
2846 static_mapping_memory_size);
2847 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_local,
2848 format_nat44_ei_static_mapping_kvp);
2849 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_external,
2850 format_nat44_ei_static_mapping_kvp);
2854 clib_bihash_init_8_8 (&nm->in2out, "in2out", translation_buckets, 0);
2855 clib_bihash_init_8_8 (&nm->out2in, "out2in", translation_buckets, 0);
2856 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2857 format_nat44_ei_session_kvp);
2858 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2859 format_nat44_ei_session_kvp);
2860 vec_foreach (tnm, nm->per_thread_data)
2862 nat44_ei_worker_db_init (tnm, translations, translation_buckets,
2869 nat44_ei_sessions_clear ()
2871 nat44_ei_main_t *nm = &nat44_ei_main;
2872 nat44_ei_main_per_thread_data_t *tnm;
2876 clib_bihash_free_8_8 (&nm->in2out);
2877 clib_bihash_free_8_8 (&nm->out2in);
2878 clib_bihash_init_8_8 (&nm->in2out, "in2out", nm->translation_buckets, 0);
2879 clib_bihash_init_8_8 (&nm->out2in, "out2in", nm->translation_buckets, 0);
2880 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2881 format_nat44_ei_session_kvp);
2882 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2883 format_nat44_ei_session_kvp);
2884 vec_foreach (tnm, nm->per_thread_data)
2886 nat44_ei_worker_db_free (tnm);
2887 nat44_ei_worker_db_init (tnm, nm->translations,
2888 nm->translation_buckets, nm->user_buckets);
2892 vlib_zero_simple_counter (&nm->total_users, 0);
2893 vlib_zero_simple_counter (&nm->total_sessions, 0);
2894 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
2898 nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque, u32 sw_if_index,
2899 u32 new_fib_index, u32 old_fib_index)
2901 nat44_ei_main_t *nm = &nat44_ei_main;
2902 nat44_ei_outside_fib_t *outside_fib;
2903 nat44_ei_interface_t *i;
2907 if (!nm->enabled || (new_fib_index == old_fib_index) ||
2908 (!vec_len (nm->outside_fibs)))
2913 pool_foreach (i, nm->interfaces)
2915 if (i->sw_if_index == sw_if_index)
2917 if (!(nat44_ei_interface_is_outside (i)))
2923 pool_foreach (i, nm->output_feature_interfaces)
2925 if (i->sw_if_index == sw_if_index)
2927 if (!(nat44_ei_interface_is_outside (i)))
2936 vec_foreach (outside_fib, nm->outside_fibs)
2938 if (outside_fib->fib_index == old_fib_index)
2940 outside_fib->refcount--;
2941 if (!outside_fib->refcount)
2942 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
2947 vec_foreach (outside_fib, nm->outside_fibs)
2949 if (outside_fib->fib_index == new_fib_index)
2951 outside_fib->refcount++;
2959 vec_add2 (nm->outside_fibs, outside_fib, 1);
2960 outside_fib->refcount = 1;
2961 outside_fib->fib_index = new_fib_index;
2966 nat44_ei_add_address (ip4_address_t *addr, u32 vrf_id)
2968 nat44_ei_main_t *nm = &nat44_ei_main;
2969 vlib_thread_main_t *tm = vlib_get_thread_main ();
2970 nat44_ei_address_t *ap;
2972 fail_if_disabled ();
2974 /* Check if address already exists */
2975 vec_foreach (ap, nm->addresses)
2977 if (ap->addr.as_u32 == addr->as_u32)
2979 nat44_ei_log_err ("address exist");
2980 return VNET_API_ERROR_VALUE_EXIST;
2984 vec_add2 (nm->addresses, ap, 1);
2991 ap->fib_index = fib_table_find_or_create_and_lock (
2992 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
2995 #define _(N, i, n, s) \
2996 clib_memset (ap->busy_##n##_port_refcounts, 0, \
2997 sizeof (ap->busy_##n##_port_refcounts)); \
2998 ap->busy_##n##_ports = 0; \
2999 ap->busy_##n##_ports_per_thread = 0; \
3000 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, \
3001 tm->n_vlib_mains - 1, 0);
3002 foreach_nat_protocol
3005 nat44_ei_add_del_addr_to_fib_foreach_out_if (addr, 1);
3011 nat44_ei_del_address (ip4_address_t addr, u8 delete_sm)
3013 nat44_ei_main_t *nm = &nat44_ei_main;
3014 nat44_ei_address_t *a = 0;
3015 nat44_ei_session_t *ses;
3016 u32 *ses_to_be_removed = 0, *ses_index;
3017 nat44_ei_main_per_thread_data_t *tnm;
3018 nat44_ei_static_mapping_t *m;
3021 fail_if_disabled ();
3023 /* Find SNAT address */
3024 for (j = 0; j < vec_len (nm->addresses); j++)
3026 if (nm->addresses[j].addr.as_u32 == addr.as_u32)
3028 a = nm->addresses + j;
3034 nat44_ei_log_err ("no such address");
3035 return VNET_API_ERROR_NO_SUCH_ENTRY;
3040 pool_foreach (m, nm->static_mappings)
3042 if (m->external_addr.as_u32 == addr.as_u32)
3043 nat44_ei_del_static_mapping_internal (
3044 m->local_addr, m->external_addr, m->local_port, m->external_port,
3045 m->proto, m->vrf_id, ~0, m->flags);
3050 /* Check if address is used in some static mapping */
3051 if (nat44_ei_is_address_used_in_static_mapping (addr))
3053 nat44_ei_log_err ("address used in static mapping");
3054 return VNET_API_ERROR_UNSPECIFIED;
3058 /* Delete sessions using address */
3059 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
3061 vec_foreach (tnm, nm->per_thread_data)
3063 pool_foreach (ses, tnm->sessions)
3065 if (ses->out2in.addr.as_u32 == addr.as_u32)
3067 nat44_ei_free_session_data (nm, ses,
3068 tnm - nm->per_thread_data, 0);
3069 vec_add1 (ses_to_be_removed, ses - tnm->sessions);
3072 vec_foreach (ses_index, ses_to_be_removed)
3074 ses = pool_elt_at_index (tnm->sessions, ses_index[0]);
3075 nat44_ei_delete_session (nm, ses, tnm - nm->per_thread_data);
3077 vec_free (ses_to_be_removed);
3081 nat44_ei_add_del_addr_to_fib_foreach_out_if (&addr, 0);
3083 if (a->fib_index != ~0)
3085 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
3088 #define _(N, i, n, s) vec_free (a->busy_##n##_ports_per_thread);
3089 foreach_nat_protocol
3092 vec_del1 (nm->addresses, j);
3097 nat44_ei_add_interface_address (u32 sw_if_index)
3099 nat44_ei_main_t *nm = &nat44_ei_main;
3100 ip4_main_t *ip4_main = nm->ip4_main;
3101 ip4_address_t *first_int_addr;
3102 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3105 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3107 if (auto_add_sw_if_indices[i] == sw_if_index)
3109 return VNET_API_ERROR_VALUE_EXIST;
3113 /* add to the auto-address list */
3114 vec_add1 (nm->auto_add_sw_if_indices, sw_if_index);
3116 // if the address is already bound - or static - add it now
3117 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3120 (void) nat44_ei_add_address (first_int_addr, ~0);
3127 nat44_ei_del_interface_address (u32 sw_if_index)
3129 nat44_ei_main_t *nm = &nat44_ei_main;
3130 ip4_main_t *ip4_main = nm->ip4_main;
3131 ip4_address_t *first_int_addr;
3132 nat44_ei_static_map_resolve_t *rp;
3133 u32 *indices_to_delete = 0;
3135 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3137 fail_if_disabled ();
3139 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3141 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3143 if (auto_add_sw_if_indices[i] == sw_if_index)
3146 ip4_interface_first_address (ip4_main, sw_if_index, 0);
3149 (void) nat44_ei_del_address (first_int_addr[0], 1);
3153 for (j = 0; j < vec_len (nm->to_resolve); j++)
3155 rp = nm->to_resolve + j;
3156 if (rp->sw_if_index == sw_if_index)
3158 vec_add1 (indices_to_delete, j);
3161 if (vec_len (indices_to_delete))
3163 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
3165 vec_del1 (nm->to_resolve, j);
3167 vec_free (indices_to_delete);
3171 vec_del1 (nm->auto_add_sw_if_indices, i);
3175 return VNET_API_ERROR_NO_SUCH_ENTRY;
3178 static_always_inline int
3179 is_sw_if_index_reg_for_auto_resolve (u32 *sw_if_indices, u32 sw_if_index)
3182 vec_foreach (i, sw_if_indices)
3184 if (*i == sw_if_index)
3193 nat44_ei_ip4_add_del_interface_address_cb (ip4_main_t *im, uword opaque,
3195 ip4_address_t *address,
3197 u32 if_address_index, u32 is_delete)
3199 nat44_ei_main_t *nm = &nat44_ei_main;
3200 nat44_ei_static_map_resolve_t *rp;
3201 nat44_ei_address_t *addresses = nm->addresses;
3209 if (!is_sw_if_index_reg_for_auto_resolve (nm->auto_add_sw_if_indices,
3217 /* Don't trip over lease renewal, static config */
3218 for (i = 0; i < vec_len (addresses); i++)
3220 if (addresses[i].addr.as_u32 == address->as_u32)
3226 (void) nat44_ei_add_address (address, ~0);
3228 /* Scan static map resolution vector */
3229 for (i = 0; i < vec_len (nm->to_resolve); i++)
3231 rp = nm->to_resolve + i;
3232 if (is_sm_addr_only (rp->flags))
3236 /* On this interface? */
3237 if (rp->sw_if_index == sw_if_index)
3239 rv = nat44_ei_add_static_mapping_internal (
3240 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3241 rp->vrf_id, ~0, rp->flags, rp->pool_addr, rp->tag);
3244 nat_elog_notice_X1 (
3245 nm, "add_static_mapping_internal returned %d", "i4", rv);
3252 // remove all static mapping records
3253 (void) nat44_ei_del_address (address[0], 1);
3258 nat44_ei_set_frame_queue_nelts (u32 frame_queue_nelts)
3261 nat44_ei_main_t *nm = &nat44_ei_main;
3262 nm->frame_queue_nelts = frame_queue_nelts;
3267 nat44_ei_ip4_add_del_addr_only_sm_cb (ip4_main_t *im, uword opaque,
3268 u32 sw_if_index, ip4_address_t *address,
3269 u32 address_length, u32 if_address_index,
3272 nat44_ei_main_t *nm = &nat44_ei_main;
3273 nat44_ei_static_map_resolve_t *rp;
3274 nat44_ei_static_mapping_t *m;
3275 clib_bihash_kv_8_8_t kv, value;
3276 int i, rv = 0, match = 0;
3283 for (i = 0; i < vec_len (nm->to_resolve); i++)
3285 rp = nm->to_resolve + i;
3287 if (is_sm_addr_only (rp->flags) && rp->sw_if_index == sw_if_index)
3299 init_nat_k (&kv, *address, is_sm_addr_only (rp->flags) ? 0 : rp->e_port,
3300 nm->outside_fib_index,
3301 is_sm_addr_only (rp->flags) ? 0 : rp->proto);
3302 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
3305 m = pool_elt_at_index (nm->static_mappings, value.value);
3311 rv = nat44_ei_del_static_mapping_internal (
3312 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto, rp->vrf_id,
3316 nat_elog_notice_X1 (nm, "nat44_ei_del_static_mapping returned %d",
3324 rv = nat44_ei_add_static_mapping_internal (
3325 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto, rp->vrf_id,
3326 ~0, rp->flags, rp->pool_addr, rp->tag);
3330 nat_elog_notice_X1 (nm, "nat44_ei_add_static_mapping returned %d",
3336 static_always_inline uword
3337 nat44_ei_classify_inline_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
3338 vlib_frame_t *frame)
3340 u32 n_left_from, *from, *to_next;
3341 nat44_ei_classify_next_t next_index;
3342 nat44_ei_main_t *nm = &nat44_ei_main;
3343 nat44_ei_static_mapping_t *m;
3344 u32 next_in2out = 0, next_out2in = 0;
3346 from = vlib_frame_vector_args (frame);
3347 n_left_from = frame->n_vectors;
3348 next_index = node->cached_next_index;
3350 while (n_left_from > 0)
3354 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
3356 while (n_left_from > 0 && n_left_to_next > 0)
3360 u32 next0 = NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3362 nat44_ei_address_t *ap;
3363 clib_bihash_kv_8_8_t kv0, value0;
3365 /* speculatively enqueue b0 to the current next frame */
3371 n_left_to_next -= 1;
3373 b0 = vlib_get_buffer (vm, bi0);
3374 ip0 = vlib_buffer_get_current (b0);
3376 vec_foreach (ap, nm->addresses)
3378 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
3380 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3385 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
3387 init_nat_k (&kv0, ip0->dst_address, 0, 0, 0);
3388 /* try to classify the fragment based on IP header alone */
3389 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3392 m = pool_elt_at_index (nm->static_mappings, value0.value);
3393 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3394 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3397 init_nat_k (&kv0, ip0->dst_address,
3398 vnet_buffer (b0)->ip.reass.l4_dst_port, 0,
3399 ip_proto_to_nat_proto (ip0->protocol));
3400 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3403 m = pool_elt_at_index (nm->static_mappings, value0.value);
3404 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3405 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3410 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
3411 (b0->flags & VLIB_BUFFER_IS_TRACED)))
3413 nat44_ei_classify_trace_t *t =
3414 vlib_add_trace (vm, node, b0, sizeof (*t));
3416 t->next_in2out = next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
3419 next_in2out += next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3420 next_out2in += next0 == NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3422 /* verify speculative enqueue, maybe switch current next frame */
3423 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
3424 n_left_to_next, bi0, next0);
3427 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3430 vlib_node_increment_counter (
3431 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
3432 vlib_node_increment_counter (
3433 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
3434 return frame->n_vectors;
3437 VLIB_NODE_FN (nat44_ei_classify_node)
3438 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3440 return nat44_ei_classify_inline_fn (vm, node, frame);
3443 VLIB_REGISTER_NODE (nat44_ei_classify_node) = {
3444 .name = "nat44-ei-classify",
3445 .vector_size = sizeof (u32),
3446 .format_trace = format_nat44_ei_classify_trace,
3447 .type = VLIB_NODE_TYPE_INTERNAL,
3448 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3449 .error_strings = nat44_ei_classify_error_strings,
3450 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3452 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out",
3453 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in",
3454 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3458 VLIB_NODE_FN (nat44_ei_handoff_classify_node)
3459 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3461 return nat44_ei_classify_inline_fn (vm, node, frame);
3464 VLIB_REGISTER_NODE (nat44_ei_handoff_classify_node) = {
3465 .name = "nat44-ei-handoff-classify",
3466 .vector_size = sizeof (u32),
3467 .format_trace = format_nat44_ei_classify_trace,
3468 .type = VLIB_NODE_TYPE_INTERNAL,
3469 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3470 .error_strings = nat44_ei_classify_error_strings,
3471 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3473 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out-worker-handoff",
3474 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in-worker-handoff",
3475 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3480 * fd.io coding-style-patch-verification: ON
3483 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob