2 * nat44_ei.c - nat44 endpoint dependent plugin
4 * Copyright (c) 2020 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 * License for the specific language governing permissions and limitations
18 #include <vnet/plugin/plugin.h>
19 #include <vpp/app/version.h>
21 #include <vnet/vnet.h>
22 #include <vnet/ip/ip.h>
23 #include <vnet/ip/ip4.h>
24 #include <vnet/ip/ip_table.h>
25 #include <vnet/ip/reass/ip4_sv_reass.h>
26 #include <vnet/fib/fib_table.h>
27 #include <vnet/fib/ip4_fib.h>
28 #include <vnet/plugin/plugin.h>
31 #include <nat/lib/log.h>
32 #include <nat/lib/nat_syslog.h>
33 #include <nat/lib/nat_inlines.h>
34 #include <nat/lib/ipfix_logging.h>
36 #include <nat/nat44-ei/nat44_ei_dpo.h>
37 #include <nat/nat44-ei/nat44_ei_inlines.h>
38 #include <nat/nat44-ei/nat44_ei.h>
40 nat44_ei_main_t nat44_ei_main;
42 extern vlib_node_registration_t nat44_ei_hairpinning_node;
43 extern vlib_node_registration_t
44 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node;
45 extern vlib_node_registration_t
46 nat44_ei_in2out_hairpinning_finish_interface_output_node;
48 #define skip_if_disabled() \
51 nat44_ei_main_t *nm = &nat44_ei_main; \
52 if (PREDICT_FALSE (!nm->enabled)) \
57 #define fail_if_enabled() \
60 nat44_ei_main_t *nm = &nat44_ei_main; \
61 if (PREDICT_FALSE (nm->enabled)) \
63 nat44_ei_log_err ("plugin enabled"); \
69 #define fail_if_disabled() \
72 nat44_ei_main_t *nm = &nat44_ei_main; \
73 if (PREDICT_FALSE (!nm->enabled)) \
75 nat44_ei_log_err ("plugin disabled"); \
81 /* Hook up input features */
82 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
83 .arc_name = "ip4-unicast",
84 .node_name = "nat44-ei-classify",
85 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
86 "ip4-sv-reassembly-feature"),
88 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
89 .arc_name = "ip4-unicast",
90 .node_name = "nat44-ei-handoff-classify",
91 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
92 "ip4-sv-reassembly-feature"),
94 VNET_FEATURE_INIT (ip4_nat44_ei_in2out, static) = {
95 .arc_name = "ip4-unicast",
96 .node_name = "nat44-ei-in2out",
97 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
98 "ip4-sv-reassembly-feature"),
100 VNET_FEATURE_INIT (ip4_nat44_ei_out2in, static) = {
101 .arc_name = "ip4-unicast",
102 .node_name = "nat44-ei-out2in",
103 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
104 "ip4-sv-reassembly-feature",
105 "ip4-dhcp-client-detect"),
107 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output, static) = {
108 .arc_name = "ip4-output",
109 .node_name = "nat44-ei-in2out-output",
110 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
111 "ip4-sv-reassembly-output-feature"),
113 VNET_FEATURE_INIT (ip4_nat44_ei_hairpinning, static) = {
114 .arc_name = "ip4-local",
115 .node_name = "nat44-ei-hairpinning",
116 .runs_before = VNET_FEATURES ("ip4-local-end-of-arc"),
118 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_worker_handoff, static) = {
119 .arc_name = "ip4-unicast",
120 .node_name = "nat44-ei-in2out-worker-handoff",
121 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
123 VNET_FEATURE_INIT (ip4_nat44_ei_out2in_worker_handoff, static) = {
124 .arc_name = "ip4-unicast",
125 .node_name = "nat44-ei-out2in-worker-handoff",
126 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
127 "ip4-dhcp-client-detect"),
129 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output_worker_handoff, static) = {
130 .arc_name = "ip4-output",
131 .node_name = "nat44-ei-in2out-output-worker-handoff",
132 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
133 "ip4-sv-reassembly-output-feature"),
136 VLIB_PLUGIN_REGISTER () = {
137 .version = VPP_BUILD_VER,
138 .description = "IPv4 Endpoint-Independent NAT (NAT44 EI)",
141 #define foreach_nat44_ei_classify_error \
142 _ (NEXT_IN2OUT, "next in2out") \
143 _ (NEXT_OUT2IN, "next out2in") \
144 _ (FRAG_CACHED, "fragment cached")
148 #define _(sym, str) NAT44_EI_CLASSIFY_ERROR_##sym,
149 foreach_nat44_ei_classify_error
151 NAT44_EI_CLASSIFY_N_ERROR,
152 } nat44_ei_classify_error_t;
154 static char *nat44_ei_classify_error_strings[] = {
155 #define _(sym, string) string,
156 foreach_nat44_ei_classify_error
162 NAT44_EI_CLASSIFY_NEXT_IN2OUT,
163 NAT44_EI_CLASSIFY_NEXT_OUT2IN,
164 NAT44_EI_CLASSIFY_NEXT_DROP,
165 NAT44_EI_CLASSIFY_N_NEXT,
166 } nat44_ei_classify_next_t;
172 } nat44_ei_classify_trace_t;
174 void nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len,
175 u32 sw_if_index, int is_add);
177 static void nat44_ei_worker_db_free (nat44_ei_main_per_thread_data_t *tnm);
179 static int nat44_ei_add_static_mapping_internal (
180 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
181 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags,
182 ip4_address_t pool_addr, u8 *tag);
184 static int nat44_ei_del_static_mapping_internal (
185 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
186 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags);
189 nat44_ei_port_get (nat44_ei_address_t *a, u8 proto, u16 port)
191 nat44_ei_main_t *nm = &nat44_ei_main;
193 #define _(N, i, n, s) \
194 case NAT_PROTOCOL_##N: \
195 a->busy_##n##_port_bitmap = \
196 clib_bitmap_set (a->busy_##n##_port_bitmap, port, 1); \
201 foreach_nat_protocol;
203 nat_elog_info (nm, "unknown protocol");
210 nat44_ei_port_put (nat44_ei_address_t *a, u8 proto, u16 port)
212 nat44_ei_main_t *nm = &nat44_ei_main;
214 #define _(N, i, n, s) \
215 case NAT_PROTOCOL_##N: \
216 a->busy_##n##_port_bitmap = \
217 clib_bitmap_set (a->busy_##n##_port_bitmap, port, 0); \
222 foreach_nat_protocol;
224 nat_elog_info (nm, "unknown protocol");
231 nat44_ei_port_is_used (nat44_ei_address_t *a, u8 proto, u16 port)
233 nat44_ei_main_t *nm = &nat44_ei_main;
235 #define _(N, i, n, s) \
236 case NAT_PROTOCOL_##N: \
237 return clib_bitmap_get (a->busy_##n##_port_bitmap, port);
241 foreach_nat_protocol;
243 nat_elog_info (nm, "unknown protocol");
252 format_nat44_ei_classify_trace (u8 *s, va_list *args)
254 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
255 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
256 nat44_ei_classify_trace_t *t = va_arg (*args, nat44_ei_classify_trace_t *);
260 s = format (s, "nat44-ei-classify: fragment cached");
263 next = t->next_in2out ? "nat44-ei-in2out" : "nat44-ei-out2in";
264 s = format (s, "nat44-ei-classify: next %s", next);
270 static void nat44_ei_db_init (u32 translations, u32 translation_buckets,
273 static void nat44_ei_ip4_add_del_interface_address_cb (
274 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
275 u32 address_length, u32 if_address_index, u32 is_delete);
277 static void nat44_ei_ip4_add_del_addr_only_sm_cb (
278 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
279 u32 address_length, u32 if_address_index, u32 is_delete);
281 static void nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque,
282 u32 sw_if_index, u32 new_fib_index,
286 nat44_ei_set_node_indexes (nat44_ei_main_t *nm, vlib_main_t *vm)
289 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-out2in");
290 nm->out2in_node_index = node->index;
291 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out");
292 nm->in2out_node_index = node->index;
293 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out-output");
294 nm->in2out_output_node_index = node->index;
298 nat44_ei_set_workers (uword *bitmap)
300 nat44_ei_main_t *nm = &nat44_ei_main;
303 if (nm->num_workers < 2)
304 return VNET_API_ERROR_FEATURE_DISABLED;
306 if (clib_bitmap_last_set (bitmap) >= nm->num_workers)
307 return VNET_API_ERROR_INVALID_WORKER;
309 vec_free (nm->workers);
310 clib_bitmap_foreach (i, bitmap)
312 vec_add1 (nm->workers, i);
313 nm->per_thread_data[nm->first_worker_index + i].snat_thread_index = j;
314 nm->per_thread_data[nm->first_worker_index + i].thread_index = i;
318 nm->port_per_thread = (0xffff - 1024) / _vec_len (nm->workers);
323 #define nat_validate_simple_counter(c, i) \
326 vlib_validate_simple_counter (&c, i); \
327 vlib_zero_simple_counter (&c, i); \
331 #define nat_init_simple_counter(c, n, sn) \
335 c.stat_segment_name = sn; \
336 nat_validate_simple_counter (c, 0); \
340 static_always_inline void
341 nat_validate_interface_counters (nat44_ei_main_t *nm, u32 sw_if_index)
344 nat_validate_simple_counter (nm->counters.fastpath.in2out.x, sw_if_index); \
345 nat_validate_simple_counter (nm->counters.fastpath.out2in.x, sw_if_index); \
346 nat_validate_simple_counter (nm->counters.slowpath.in2out.x, sw_if_index); \
347 nat_validate_simple_counter (nm->counters.slowpath.out2in.x, sw_if_index);
350 nat_validate_simple_counter (nm->counters.hairpinning, sw_if_index);
354 nat44_ei_add_del_addr_to_fib_foreach_out_if (ip4_address_t *addr, u8 is_add)
356 nat44_ei_main_t *nm = &nat44_ei_main;
357 nat44_ei_interface_t *i;
359 pool_foreach (i, nm->interfaces)
361 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
363 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
366 pool_foreach (i, nm->output_feature_interfaces)
368 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
370 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
375 static_always_inline void
376 nat44_ei_add_del_addr_to_fib_foreach_addr (u32 sw_if_index, u8 is_add)
378 nat44_ei_main_t *nm = &nat44_ei_main;
379 nat44_ei_address_t *ap;
381 vec_foreach (ap, nm->addresses)
383 nat44_ei_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, is_add);
387 static_always_inline void
388 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (u32 sw_if_index, u8 is_add)
390 nat44_ei_main_t *nm = &nat44_ei_main;
391 nat44_ei_static_mapping_t *m;
393 pool_foreach (m, nm->static_mappings)
395 if (is_sm_addr_only (m->flags) &&
396 !(m->local_addr.as_u32 == m->external_addr.as_u32))
398 nat44_ei_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index,
405 nat44_ei_is_address_used_in_static_mapping (ip4_address_t addr)
407 nat44_ei_main_t *nm = &nat44_ei_main;
408 nat44_ei_static_mapping_t *m;
409 pool_foreach (m, nm->static_mappings)
411 if (is_sm_addr_only (m->flags) || is_sm_identity_nat (m->flags))
415 if (m->external_addr.as_u32 == addr.as_u32)
424 nat44_ei_init (vlib_main_t *vm)
426 nat44_ei_main_t *nm = &nat44_ei_main;
427 vlib_thread_main_t *tm = vlib_get_thread_main ();
428 vlib_thread_registration_t *tr;
429 ip4_add_del_interface_address_callback_t cbi = { 0 };
430 ip4_table_bind_callback_t cbt = { 0 };
431 u32 i, num_threads = 0;
432 uword *p, *bitmap = 0;
434 clib_memset (nm, 0, sizeof (*nm));
437 nm->vnet_main = vnet_get_main ();
439 nm->ip4_main = &ip4_main;
440 nm->api_main = vlibapi_get_main ();
441 nm->ip4_lookup_main = &ip4_main.lookup_main;
444 nm->fq_out2in_index = ~0;
445 nm->fq_in2out_index = ~0;
446 nm->fq_in2out_output_index = ~0;
448 nm->log_level = NAT_LOG_ERROR;
450 nat44_ei_set_node_indexes (nm, vm);
451 nm->log_class = vlib_log_register_class ("nat44-ei", 0);
453 nat_init_simple_counter (nm->total_users, "total-users",
454 "/nat44-ei/total-users");
455 nat_init_simple_counter (nm->total_sessions, "total-sessions",
456 "/nat44-ei/total-sessions");
457 nat_init_simple_counter (nm->user_limit_reached, "user-limit-reached",
458 "/nat44-ei/user-limit-reached");
461 nat_init_simple_counter (nm->counters.fastpath.in2out.x, #x, \
462 "/nat44-ei/in2out/fastpath/" #x); \
463 nat_init_simple_counter (nm->counters.fastpath.out2in.x, #x, \
464 "/nat44-ei/out2in/fastpath/" #x); \
465 nat_init_simple_counter (nm->counters.slowpath.in2out.x, #x, \
466 "/nat44-ei/in2out/slowpath/" #x); \
467 nat_init_simple_counter (nm->counters.slowpath.out2in.x, #x, \
468 "/nat44-ei/out2in/slowpath/" #x);
471 nat_init_simple_counter (nm->counters.hairpinning, "hairpinning",
472 "/nat44-ei/hairpinning");
474 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
477 tr = (vlib_thread_registration_t *) p[0];
480 nm->num_workers = tr->count;
481 nm->first_worker_index = tr->first_index;
484 num_threads = tm->n_vlib_mains - 1;
485 nm->port_per_thread = 0xffff - 1024;
486 vec_validate (nm->per_thread_data, num_threads);
488 /* Use all available workers by default */
489 if (nm->num_workers > 1)
491 for (i = 0; i < nm->num_workers; i++)
492 bitmap = clib_bitmap_set (bitmap, i, 1);
493 nat44_ei_set_workers (bitmap);
494 clib_bitmap_free (bitmap);
498 nm->per_thread_data[0].snat_thread_index = 0;
501 /* callbacks to call when interface address changes. */
502 cbi.function = nat44_ei_ip4_add_del_interface_address_cb;
503 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
504 cbi.function = nat44_ei_ip4_add_del_addr_only_sm_cb;
505 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
507 /* callbacks to call when interface to table biding changes */
508 cbt.function = nat44_ei_update_outside_fib;
509 vec_add1 (nm->ip4_main->table_bind_callbacks, cbt);
511 nm->fib_src_low = fib_source_allocate (
512 "nat44-ei-low", FIB_SOURCE_PRIORITY_LOW, FIB_SOURCE_BH_SIMPLE);
513 nm->fib_src_hi = fib_source_allocate ("nat44-ei-hi", FIB_SOURCE_PRIORITY_HI,
514 FIB_SOURCE_BH_SIMPLE);
516 // used only by out2in-dpo feature
517 nat_dpo_module_init ();
518 nat_ha_init (vm, nm->num_workers, num_threads);
520 nm->hairpinning_fq_index =
521 vlib_frame_queue_main_init (nat44_ei_hairpinning_node.index, 0);
522 nm->in2out_hairpinning_finish_ip4_lookup_node_fq_index =
523 vlib_frame_queue_main_init (
524 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node.index, 0);
525 nm->in2out_hairpinning_finish_interface_output_node_fq_index =
526 vlib_frame_queue_main_init (
527 nat44_ei_in2out_hairpinning_finish_interface_output_node.index, 0);
528 return nat44_ei_api_hookup (vm);
531 VLIB_INIT_FUNCTION (nat44_ei_init);
534 nat44_ei_plugin_enable (nat44_ei_config_t c)
536 nat44_ei_main_t *nm = &nat44_ei_main;
544 c.sessions = 10 * 1024;
546 if (!c.user_sessions)
547 c.user_sessions = c.sessions;
551 if (!nm->frame_queue_nelts)
552 nm->frame_queue_nelts = NAT_FQ_NELTS_DEFAULT;
554 nm->translations = c.sessions;
555 nm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
556 nm->user_buckets = nat_calc_bihash_buckets (c.users);
558 nm->pat = (!c.static_mapping_only ||
559 (c.static_mapping_only && c.connection_tracking));
561 nm->static_mapping_only = c.static_mapping_only;
562 nm->static_mapping_connection_tracking = c.connection_tracking;
563 nm->out2in_dpo = c.out2in_dpo;
564 nm->forwarding_enabled = 0;
565 nm->mss_clamping = 0;
567 nm->max_users_per_thread = c.users;
568 nm->max_translations_per_thread = c.sessions;
569 nm->max_translations_per_user = c.user_sessions;
571 nm->inside_vrf_id = c.inside_vrf;
572 nm->inside_fib_index = fib_table_find_or_create_and_lock (
573 FIB_PROTOCOL_IP4, c.inside_vrf, nm->fib_src_hi);
575 nm->outside_vrf_id = c.outside_vrf;
576 nm->outside_fib_index = fib_table_find_or_create_and_lock (
577 FIB_PROTOCOL_IP4, c.outside_vrf, nm->fib_src_hi);
579 nat_reset_timeouts (&nm->timeouts);
580 nat44_ei_db_init (nm->translations, nm->translation_buckets,
582 nat44_ei_set_alloc_default ();
584 vlib_zero_simple_counter (&nm->total_users, 0);
585 vlib_zero_simple_counter (&nm->total_sessions, 0);
586 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
588 if (nm->num_workers > 1)
590 if (nm->fq_in2out_index == ~0)
592 nm->fq_in2out_index = vlib_frame_queue_main_init (
593 nm->in2out_node_index, nm->frame_queue_nelts);
595 if (nm->fq_out2in_index == ~0)
597 nm->fq_out2in_index = vlib_frame_queue_main_init (
598 nm->out2in_node_index, nm->frame_queue_nelts);
600 if (nm->fq_in2out_output_index == ~0)
602 nm->fq_in2out_output_index = vlib_frame_queue_main_init (
603 nm->in2out_output_node_index, nm->frame_queue_nelts);
613 static_always_inline nat44_ei_outside_fib_t *
614 nat44_ei_get_outside_fib (nat44_ei_outside_fib_t *outside_fibs, u32 fib_index)
616 nat44_ei_outside_fib_t *f;
617 vec_foreach (f, outside_fibs)
619 if (f->fib_index == fib_index)
627 static_always_inline nat44_ei_interface_t *
628 nat44_ei_get_interface (nat44_ei_interface_t *interfaces, u32 sw_if_index)
630 nat44_ei_interface_t *i;
631 pool_foreach (i, interfaces)
633 if (i->sw_if_index == sw_if_index)
641 static_always_inline int
642 nat44_ei_hairpinning_enable (u8 is_enable)
644 nat44_ei_main_t *nm = &nat44_ei_main;
645 u32 sw_if_index = 0; // local0
649 nm->hairpin_reg += 1;
650 if (1 == nm->hairpin_reg)
652 return vnet_feature_enable_disable (
653 "ip4-local", "nat44-ei-hairpinning", sw_if_index, is_enable, 0, 0);
658 if (0 == nm->hairpin_reg)
661 nm->hairpin_reg -= 1;
662 if (0 == nm->hairpin_reg)
664 return vnet_feature_enable_disable (
665 "ip4-local", "nat44-ei-hairpinning", sw_if_index, is_enable, 0, 0);
673 nat44_ei_add_interface (u32 sw_if_index, u8 is_inside)
675 const char *feature_name, *del_feature_name;
676 nat44_ei_main_t *nm = &nat44_ei_main;
678 nat44_ei_outside_fib_t *outside_fib;
679 nat44_ei_interface_t *i;
685 if (nm->out2in_dpo && !is_inside)
687 nat44_ei_log_err ("error unsupported");
688 return VNET_API_ERROR_UNSUPPORTED;
691 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
693 nat44_ei_log_err ("error interface already configured");
694 return VNET_API_ERROR_VALUE_EXIST;
697 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
700 if ((nat44_ei_interface_is_inside (i) && is_inside) ||
701 (nat44_ei_interface_is_outside (i) && !is_inside))
705 if (nm->num_workers > 1)
707 del_feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
708 "nat44-ei-out2in-worker-handoff";
709 feature_name = "nat44-ei-handoff-classify";
714 !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
716 feature_name = "nat44-ei-classify";
719 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
724 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
725 sw_if_index, 0, 0, 0);
730 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
731 sw_if_index, 1, 0, 0);
738 rv = nat44_ei_hairpinning_enable (0);
747 if (nm->num_workers > 1)
749 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
750 "nat44-ei-out2in-worker-handoff";
754 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
756 nat_validate_interface_counters (nm, sw_if_index);
758 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
763 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
764 sw_if_index, 1, 0, 0);
769 if (is_inside && !nm->out2in_dpo)
771 rv = nat44_ei_hairpinning_enable (1);
778 pool_get (nm->interfaces, i);
779 i->sw_if_index = sw_if_index;
784 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
788 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
790 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
793 outside_fib->refcount++;
797 vec_add2 (nm->outside_fibs, outside_fib, 1);
798 outside_fib->fib_index = fib_index;
799 outside_fib->refcount = 1;
802 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
803 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
807 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
814 nat44_ei_del_interface (u32 sw_if_index, u8 is_inside)
816 const char *feature_name, *del_feature_name;
817 nat44_ei_main_t *nm = &nat44_ei_main;
819 nat44_ei_outside_fib_t *outside_fib;
820 nat44_ei_interface_t *i;
826 if (nm->out2in_dpo && !is_inside)
828 nat44_ei_log_err ("error unsupported");
829 return VNET_API_ERROR_UNSUPPORTED;
832 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
835 nat44_ei_log_err ("error interface couldn't be found");
836 return VNET_API_ERROR_NO_SUCH_ENTRY;
839 if (nat44_ei_interface_is_inside (i) && nat44_ei_interface_is_outside (i))
841 if (nm->num_workers > 1)
843 del_feature_name = "nat44-ei-handoff-classify";
844 feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
845 "nat44-ei-out2in-worker-handoff";
849 del_feature_name = "nat44-ei-classify";
850 feature_name = !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
853 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
858 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
859 sw_if_index, 0, 0, 0);
864 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
865 sw_if_index, 1, 0, 0);
872 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
876 rv = nat44_ei_hairpinning_enable (1);
881 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
886 if (nm->num_workers > 1)
888 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
889 "nat44-ei-out2in-worker-handoff";
893 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
896 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
901 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
902 sw_if_index, 0, 0, 0);
909 rv = nat44_ei_hairpinning_enable (0);
917 pool_put (nm->interfaces, i);
923 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
924 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
927 outside_fib->refcount--;
928 if (!outside_fib->refcount)
930 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
934 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 0);
935 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 0);
942 nat44_ei_add_output_interface (u32 sw_if_index)
944 nat44_ei_main_t *nm = &nat44_ei_main;
946 nat44_ei_outside_fib_t *outside_fib;
947 nat44_ei_interface_t *i;
953 if (nat44_ei_get_interface (nm->interfaces, sw_if_index))
955 nat44_ei_log_err ("error interface already configured");
956 return VNET_API_ERROR_VALUE_EXIST;
959 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
961 nat44_ei_log_err ("error interface already configured");
962 return VNET_API_ERROR_VALUE_EXIST;
965 if (nm->num_workers > 1)
967 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
972 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
977 rv = vnet_feature_enable_disable (
978 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 1, 0, 0);
983 rv = vnet_feature_enable_disable (
984 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 1,
993 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
998 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
1003 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
1004 sw_if_index, 1, 0, 0);
1009 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
1010 sw_if_index, 1, 0, 0);
1017 nat_validate_interface_counters (nm, sw_if_index);
1019 pool_get (nm->output_feature_interfaces, i);
1020 i->sw_if_index = sw_if_index;
1022 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
1023 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
1026 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1027 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
1030 outside_fib->refcount++;
1034 vec_add2 (nm->outside_fibs, outside_fib, 1);
1035 outside_fib->fib_index = fib_index;
1036 outside_fib->refcount = 1;
1039 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
1040 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
1046 nat44_ei_del_output_interface (u32 sw_if_index)
1048 nat44_ei_main_t *nm = &nat44_ei_main;
1050 nat44_ei_outside_fib_t *outside_fib;
1051 nat44_ei_interface_t *i;
1055 fail_if_disabled ();
1057 i = nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index);
1060 nat44_ei_log_err ("error interface couldn't be found");
1061 return VNET_API_ERROR_NO_SUCH_ENTRY;
1064 if (nm->num_workers > 1)
1066 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1071 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1076 rv = vnet_feature_enable_disable (
1077 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 0, 0, 0);
1082 rv = vnet_feature_enable_disable (
1083 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 0,
1092 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1097 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1102 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
1103 sw_if_index, 0, 0, 0);
1108 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
1109 sw_if_index, 0, 0, 0);
1116 pool_put (nm->output_feature_interfaces, i);
1119 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1120 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
1123 outside_fib->refcount--;
1124 if (!outside_fib->refcount)
1126 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
1130 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 0);
1131 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 0);
1137 nat44_ei_add_del_output_interface (u32 sw_if_index, int is_del)
1141 return nat44_ei_del_output_interface (sw_if_index);
1145 return nat44_ei_add_output_interface (sw_if_index);
1150 nat44_ei_del_addresses ()
1152 nat44_ei_main_t *nm = &nat44_ei_main;
1153 nat44_ei_address_t *a, *vec;
1156 vec = vec_dup (nm->addresses);
1157 vec_foreach (a, vec)
1159 error = nat44_ei_del_address (a->addr, 0);
1163 nat44_ei_log_err ("error occurred while removing adderess");
1167 vec_free (nm->addresses);
1170 vec_free (nm->auto_add_sw_if_indices);
1171 nm->auto_add_sw_if_indices = 0;
1176 nat44_ei_del_interfaces ()
1178 nat44_ei_main_t *nm = &nat44_ei_main;
1179 nat44_ei_interface_t *i, *pool;
1182 pool = pool_dup (nm->interfaces);
1183 pool_foreach (i, pool)
1185 if (nat44_ei_interface_is_inside (i))
1187 error = nat44_ei_del_interface (i->sw_if_index, 1);
1189 if (nat44_ei_interface_is_outside (i))
1191 error = nat44_ei_del_interface (i->sw_if_index, 0);
1196 nat44_ei_log_err ("error occurred while removing interface");
1200 pool_free (nm->interfaces);
1206 nat44_ei_del_output_interfaces ()
1208 nat44_ei_main_t *nm = &nat44_ei_main;
1209 nat44_ei_interface_t *i, *pool;
1212 pool = pool_dup (nm->output_feature_interfaces);
1213 pool_foreach (i, pool)
1215 error = nat44_ei_del_output_interface (i->sw_if_index);
1218 nat44_ei_log_err ("error occurred while removing output interface");
1222 pool_free (nm->output_feature_interfaces);
1223 nm->output_feature_interfaces = 0;
1228 nat44_ei_del_static_mappings ()
1230 nat44_ei_main_t *nm = &nat44_ei_main;
1231 nat44_ei_static_mapping_t *m, *pool;
1234 pool = pool_dup (nm->static_mappings);
1235 pool_foreach (m, pool)
1237 error = nat44_ei_del_static_mapping_internal (
1238 m->local_addr, m->external_addr, m->local_port, m->external_port,
1239 m->proto, m->vrf_id, ~0, m->flags);
1242 nat44_ei_log_err ("error occurred while removing mapping");
1246 pool_free (nm->static_mappings);
1247 nm->static_mappings = 0;
1249 vec_free (nm->to_resolve);
1252 clib_bihash_free_8_8 (&nm->static_mapping_by_local);
1253 clib_bihash_free_8_8 (&nm->static_mapping_by_external);
1259 nat44_ei_plugin_disable ()
1261 nat44_ei_main_t *nm = &nat44_ei_main;
1262 nat44_ei_main_per_thread_data_t *tnm;
1267 rc = nat44_ei_del_static_mappings ();
1271 rc = nat44_ei_del_addresses ();
1275 rc = nat44_ei_del_interfaces ();
1279 rc = nat44_ei_del_output_interfaces ();
1285 clib_bihash_free_8_8 (&nm->in2out);
1286 clib_bihash_free_8_8 (&nm->out2in);
1288 vec_foreach (tnm, nm->per_thread_data)
1290 nat44_ei_worker_db_free (tnm);
1294 clib_memset (&nm->rconfig, 0, sizeof (nm->rconfig));
1296 nm->forwarding_enabled = 0;
1303 nat44_ei_set_outside_address_and_port (nat44_ei_address_t *addresses,
1304 u32 thread_index, ip4_address_t addr,
1305 u16 port, nat_protocol_t protocol)
1307 nat44_ei_main_t *nm = &nat44_ei_main;
1308 nat44_ei_address_t *a = 0;
1310 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1312 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1314 if (addresses[address_index].addr.as_u32 != addr.as_u32)
1317 a = addresses + address_index;
1320 #define _(N, j, n, s) \
1321 case NAT_PROTOCOL_##N: \
1322 if (nat44_ei_port_is_used (a, NAT_PROTOCOL_##N, port_host_byte_order)) \
1323 return VNET_API_ERROR_INSTANCE_IN_USE; \
1324 nat44_ei_port_get (a, NAT_PROTOCOL_##N, port_host_byte_order); \
1325 a->busy_##n##_ports_per_thread[thread_index]++; \
1326 a->busy_##n##_ports++; \
1328 foreach_nat_protocol
1330 default : nat_elog_info (nm, "unknown protocol");
1335 return VNET_API_ERROR_NO_SUCH_ENTRY;
1339 nat44_ei_add_del_address_dpo (ip4_address_t addr, u8 is_add)
1341 nat44_ei_main_t *nm = &nat44_ei_main;
1342 dpo_id_t dpo_v4 = DPO_INVALID;
1343 fib_prefix_t pfx = {
1344 .fp_proto = FIB_PROTOCOL_IP4,
1346 .fp_addr.ip4.as_u32 = addr.as_u32,
1351 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
1352 fib_table_entry_special_dpo_add (0, &pfx, nm->fib_src_hi,
1353 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
1354 dpo_reset (&dpo_v4);
1358 fib_table_entry_special_remove (0, &pfx, nm->fib_src_hi);
1363 nat44_ei_free_outside_address_and_port (nat44_ei_address_t *addresses,
1364 u32 thread_index, ip4_address_t *addr,
1365 u16 port, nat_protocol_t protocol)
1367 nat44_ei_main_t *nm = &nat44_ei_main;
1368 nat44_ei_address_t *a;
1370 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1372 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1374 if (addresses[address_index].addr.as_u32 == addr->as_u32)
1378 ASSERT (address_index < vec_len (addresses));
1380 a = addresses + address_index;
1384 #define _(N, i, n, s) \
1385 case NAT_PROTOCOL_##N: \
1387 nat44_ei_port_is_used (a, NAT_PROTOCOL_##N, port_host_byte_order)); \
1388 nat44_ei_port_put (a, NAT_PROTOCOL_##N, port_host_byte_order); \
1389 a->busy_##n##_ports--; \
1390 a->busy_##n##_ports_per_thread[thread_index]--; \
1392 foreach_nat_protocol
1394 default : nat_elog_info (nm, "unknown protocol");
1400 nat44_ei_free_session_data_v2 (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1401 u32 thread_index, u8 is_ha)
1403 clib_bihash_kv_8_8_t kv;
1405 /* session lookup tables */
1406 init_nat_i2o_k (&kv, s);
1407 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1408 nat_elog_warn (nm, "in2out key del failed");
1409 init_nat_o2i_k (&kv, s);
1410 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1411 nat_elog_warn (nm, "out2in key del failed");
1414 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1415 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
1416 s->out2in.port, s->nat_proto);
1418 if (nat44_ei_is_unk_proto_session (s))
1424 nat_ipfix_logging_nat44_ses_delete (
1425 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1426 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1427 s->in2out.fib_index);
1429 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1430 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1434 if (nat44_ei_is_session_static (s))
1437 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1438 &s->out2in.addr, s->out2in.port,
1443 nat44_ei_user_get_or_create (nat44_ei_main_t *nm, ip4_address_t *addr,
1444 u32 fib_index, u32 thread_index)
1446 nat44_ei_user_t *u = 0;
1447 nat44_ei_user_key_t user_key;
1448 clib_bihash_kv_8_8_t kv, value;
1449 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1450 dlist_elt_t *per_user_list_head_elt;
1452 user_key.addr.as_u32 = addr->as_u32;
1453 user_key.fib_index = fib_index;
1454 kv.key = user_key.as_u64;
1456 /* Ever heard of the "user" = src ip4 address before? */
1457 if (clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1459 if (pool_elts (tnm->users) >= nm->max_users_per_thread)
1461 vlib_increment_simple_counter (&nm->user_limit_reached, thread_index,
1463 nat_elog_warn (nm, "maximum user limit reached");
1466 /* no, make a new one */
1467 pool_get (tnm->users, u);
1468 clib_memset (u, 0, sizeof (*u));
1470 u->addr.as_u32 = addr->as_u32;
1471 u->fib_index = fib_index;
1473 pool_get (tnm->list_pool, per_user_list_head_elt);
1475 u->sessions_per_user_list_head_index =
1476 per_user_list_head_elt - tnm->list_pool;
1478 clib_dlist_init (tnm->list_pool, u->sessions_per_user_list_head_index);
1480 kv.value = u - tnm->users;
1483 if (clib_bihash_add_del_8_8 (&tnm->user_hash, &kv, 1))
1485 nat_elog_warn (nm, "user_hash key add failed");
1486 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
1490 vlib_set_simple_counter (&nm->total_users, thread_index, 0,
1491 pool_elts (tnm->users));
1495 u = pool_elt_at_index (tnm->users, value.value);
1501 nat44_ei_session_t *
1502 nat44_ei_session_alloc_or_recycle (nat44_ei_main_t *nm, nat44_ei_user_t *u,
1503 u32 thread_index, f64 now)
1505 nat44_ei_session_t *s;
1506 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1507 u32 oldest_per_user_translation_list_index, session_index;
1508 dlist_elt_t *oldest_per_user_translation_list_elt;
1509 dlist_elt_t *per_user_translation_list_elt;
1511 /* Over quota? Recycle the least recently used translation */
1512 if ((u->nsessions + u->nstaticsessions) >= nm->max_translations_per_user)
1514 oldest_per_user_translation_list_index = clib_dlist_remove_head (
1515 tnm->list_pool, u->sessions_per_user_list_head_index);
1517 ASSERT (oldest_per_user_translation_list_index != ~0);
1519 /* Add it back to the end of the LRU list */
1520 clib_dlist_addtail (tnm->list_pool, u->sessions_per_user_list_head_index,
1521 oldest_per_user_translation_list_index);
1522 /* Get the list element */
1523 oldest_per_user_translation_list_elt = pool_elt_at_index (
1524 tnm->list_pool, oldest_per_user_translation_list_index);
1526 /* Get the session index from the list element */
1527 session_index = oldest_per_user_translation_list_elt->value;
1529 /* Get the session */
1530 s = pool_elt_at_index (tnm->sessions, session_index);
1532 nat44_ei_free_session_data_v2 (nm, s, thread_index, 0);
1533 if (nat44_ei_is_session_static (s))
1534 u->nstaticsessions--;
1541 s->ext_host_addr.as_u32 = 0;
1542 s->ext_host_port = 0;
1543 s->ext_host_nat_addr.as_u32 = 0;
1544 s->ext_host_nat_port = 0;
1548 pool_get (tnm->sessions, s);
1549 clib_memset (s, 0, sizeof (*s));
1551 /* Create list elts */
1552 pool_get (tnm->list_pool, per_user_translation_list_elt);
1553 clib_dlist_init (tnm->list_pool,
1554 per_user_translation_list_elt - tnm->list_pool);
1556 per_user_translation_list_elt->value = s - tnm->sessions;
1557 s->per_user_index = per_user_translation_list_elt - tnm->list_pool;
1558 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
1560 clib_dlist_addtail (tnm->list_pool, s->per_user_list_head_index,
1561 per_user_translation_list_elt - tnm->list_pool);
1563 s->user_index = u - tnm->users;
1564 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
1565 pool_elts (tnm->sessions));
1568 s->ha_last_refreshed = now;
1574 nat44_ei_free_session_data (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1575 u32 thread_index, u8 is_ha)
1577 clib_bihash_kv_8_8_t kv;
1579 init_nat_i2o_k (&kv, s);
1580 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1581 nat_elog_warn (nm, "in2out key del failed");
1583 init_nat_o2i_k (&kv, s);
1584 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1585 nat_elog_warn (nm, "out2in key del failed");
1589 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1590 &s->in2out.addr, s->in2out.port,
1591 &s->out2in.addr, s->out2in.port, s->nat_proto);
1593 nat_ipfix_logging_nat44_ses_delete (
1594 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1595 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1596 s->in2out.fib_index);
1598 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1599 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1603 if (nat44_ei_is_session_static (s))
1606 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1607 &s->out2in.addr, s->out2in.port,
1611 static_always_inline void
1612 nat44_ei_user_del_sessions (nat44_ei_user_t *u, u32 thread_index)
1615 nat44_ei_session_t *s;
1617 nat44_ei_main_t *nm = &nat44_ei_main;
1618 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1622 pool_elt_at_index (tnm->list_pool, u->sessions_per_user_list_head_index);
1623 // get first element
1624 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1626 while (elt->value != ~0)
1628 s = pool_elt_at_index (tnm->sessions, elt->value);
1629 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1631 nat44_ei_free_session_data (nm, s, thread_index, 0);
1632 nat44_ei_delete_session (nm, s, thread_index);
1637 nat44_ei_user_del (ip4_address_t *addr, u32 fib_index)
1641 nat44_ei_main_t *nm = &nat44_ei_main;
1642 nat44_ei_main_per_thread_data_t *tnm;
1644 nat44_ei_user_key_t user_key;
1645 clib_bihash_kv_8_8_t kv, value;
1647 user_key.addr.as_u32 = addr->as_u32;
1648 user_key.fib_index = fib_index;
1649 kv.key = user_key.as_u64;
1651 if (nm->num_workers > 1)
1653 vec_foreach (tnm, nm->per_thread_data)
1655 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1657 nat44_ei_user_del_sessions (
1658 pool_elt_at_index (tnm->users, value.value),
1667 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
1668 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1670 nat44_ei_user_del_sessions (
1671 pool_elt_at_index (tnm->users, value.value), tnm->thread_index);
1679 nat44_ei_static_mapping_del_sessions (nat44_ei_main_t *nm,
1680 nat44_ei_main_per_thread_data_t *tnm,
1681 nat44_ei_user_key_t u_key, int addr_only,
1682 ip4_address_t e_addr, u16 e_port)
1684 clib_bihash_kv_8_8_t kv, value;
1685 kv.key = u_key.as_u64;
1687 dlist_elt_t *head, *elt;
1689 nat44_ei_session_t *s;
1690 u32 elt_index, head_index, ses_index;
1692 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1694 user_index = value.value;
1695 u = pool_elt_at_index (tnm->users, user_index);
1696 if (u->nstaticsessions)
1698 head_index = u->sessions_per_user_list_head_index;
1699 head = pool_elt_at_index (tnm->list_pool, head_index);
1700 elt_index = head->next;
1701 elt = pool_elt_at_index (tnm->list_pool, elt_index);
1702 ses_index = elt->value;
1703 while (ses_index != ~0)
1705 s = pool_elt_at_index (tnm->sessions, ses_index);
1706 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1707 ses_index = elt->value;
1711 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
1712 (s->out2in.port != e_port))
1716 if (!nat44_ei_is_session_static (s))
1719 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
1721 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
1731 nat44_ei_get_in2out_worker_index (ip4_header_t *ip0, u32 rx_fib_index0,
1734 nat44_ei_main_t *nm = &nat44_ei_main;
1735 u32 next_worker_index = 0;
1738 next_worker_index = nm->first_worker_index;
1739 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
1740 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
1742 if (PREDICT_TRUE (is_pow2 (_vec_len (nm->workers))))
1743 next_worker_index += nm->workers[hash & (_vec_len (nm->workers) - 1)];
1745 next_worker_index += nm->workers[hash % _vec_len (nm->workers)];
1747 return next_worker_index;
1751 nat44_ei_get_thread_idx_by_port (u16 e_port)
1753 nat44_ei_main_t *nm = &nat44_ei_main;
1754 u32 thread_idx = nm->num_workers;
1755 if (nm->num_workers > 1)
1757 thread_idx = nm->first_worker_index +
1758 nm->workers[(e_port - 1024) / nm->port_per_thread %
1759 _vec_len (nm->workers)];
1765 nat44_ei_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip0,
1766 u32 rx_fib_index0, u8 is_output)
1768 nat44_ei_main_t *nm = &nat44_ei_main;
1771 clib_bihash_kv_8_8_t kv, value;
1772 nat44_ei_static_mapping_t *m;
1774 u32 next_worker_index = 0;
1776 /* first try static mappings without port */
1777 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1779 init_nat_k (&kv, ip0->dst_address, 0, rx_fib_index0, 0);
1780 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1783 m = pool_elt_at_index (nm->static_mappings, value.value);
1784 return m->workers[0];
1788 proto = ip_proto_to_nat_proto (ip0->protocol);
1789 udp = ip4_next_header (ip0);
1790 port = vnet_buffer (b)->ip.reass.l4_dst_port;
1792 /* unknown protocol */
1793 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
1795 /* use current thread */
1796 return vlib_get_thread_index ();
1799 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
1801 icmp46_header_t *icmp = (icmp46_header_t *) udp;
1802 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
1803 if (!icmp_type_is_error_message (
1804 vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
1805 port = vnet_buffer (b)->ip.reass.l4_src_port;
1808 /* if error message, then it's not fragmented and we can access it */
1809 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
1810 proto = ip_proto_to_nat_proto (inner_ip->protocol);
1811 void *l4_header = ip4_next_header (inner_ip);
1814 case NAT_PROTOCOL_ICMP:
1815 icmp = (icmp46_header_t *) l4_header;
1816 echo = (icmp_echo_header_t *) (icmp + 1);
1817 port = echo->identifier;
1819 case NAT_PROTOCOL_UDP:
1820 case NAT_PROTOCOL_TCP:
1821 port = ((tcp_udp_header_t *) l4_header)->src_port;
1824 return vlib_get_thread_index ();
1829 /* try static mappings with port */
1830 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1832 init_nat_k (&kv, ip0->dst_address, port, rx_fib_index0, proto);
1833 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1836 m = pool_elt_at_index (nm->static_mappings, value.value);
1837 return m->workers[0];
1841 /* worker by outside port */
1843 nat44_ei_get_thread_idx_by_port (clib_net_to_host_u16 (port));
1844 return next_worker_index;
1848 nat44_ei_alloc_default_cb (nat44_ei_address_t *addresses, u32 fib_index,
1849 u32 thread_index, nat_protocol_t proto,
1850 ip4_address_t s_addr, ip4_address_t *addr,
1851 u16 *port, u16 port_per_thread,
1852 u32 snat_thread_index)
1854 nat44_ei_main_t *nm = &nat44_ei_main;
1855 nat44_ei_address_t *a, *ga = 0;
1859 if (vec_len (addresses) > 0)
1862 int s_addr_offset = s_addr.as_u32 % vec_len (addresses);
1864 for (i = s_addr_offset; i < vec_len (addresses); ++i)
1869 #define _(N, j, n, s) \
1870 case NAT_PROTOCOL_##N: \
1871 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
1873 if (a->fib_index == fib_index) \
1877 portnum = (port_per_thread * snat_thread_index) + \
1878 nat_random_port (&nm->random_seed, 0, \
1879 port_per_thread - 1) + \
1881 if (nat44_ei_port_is_used (a, NAT_PROTOCOL_##N, portnum)) \
1883 nat44_ei_port_get (a, NAT_PROTOCOL_##N, portnum); \
1884 a->busy_##n##_ports_per_thread[thread_index]++; \
1885 a->busy_##n##_ports++; \
1887 *port = clib_host_to_net_u16 (portnum); \
1891 else if (a->fib_index == ~0) \
1897 foreach_nat_protocol;
1899 nat_elog_info (nm, "unknown protocol");
1904 for (i = 0; i < s_addr_offset; ++i)
1909 foreach_nat_protocol;
1911 nat_elog_info (nm, "unknown protocol");
1918 // fake fib index to reuse macro
1922 foreach_nat_protocol;
1923 default : nat_elog_info (nm, "unknown protocol");
1931 /* Totally out of translations to use... */
1932 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1937 nat44_ei_alloc_range_cb (nat44_ei_address_t *addresses, u32 fib_index,
1938 u32 thread_index, nat_protocol_t proto,
1939 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1940 u16 port_per_thread, u32 snat_thread_index)
1942 nat44_ei_main_t *nm = &nat44_ei_main;
1943 nat44_ei_address_t *a = addresses;
1946 ports = nm->end_port - nm->start_port + 1;
1948 if (!vec_len (addresses))
1953 #define _(N, i, n, s) \
1954 case NAT_PROTOCOL_##N: \
1955 if (a->busy_##n##_ports < ports) \
1959 portnum = nat_random_port (&nm->random_seed, nm->start_port, \
1961 if (nat44_ei_port_is_used (a, NAT_PROTOCOL_##N, portnum)) \
1963 nat44_ei_port_get (a, NAT_PROTOCOL_##N, portnum); \
1964 a->busy_##n##_ports++; \
1966 *port = clib_host_to_net_u16 (portnum); \
1971 foreach_nat_protocol
1973 default : nat_elog_info (nm, "unknown protocol");
1978 /* Totally out of translations to use... */
1979 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1984 nat44_ei_alloc_mape_cb (nat44_ei_address_t *addresses, u32 fib_index,
1985 u32 thread_index, nat_protocol_t proto,
1986 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1987 u16 port_per_thread, u32 snat_thread_index)
1989 nat44_ei_main_t *nm = &nat44_ei_main;
1990 nat44_ei_address_t *a = addresses;
1991 u16 m, ports, portnum, A, j;
1992 m = 16 - (nm->psid_offset + nm->psid_length);
1993 ports = (1 << (16 - nm->psid_length)) - (1 << m);
1995 if (!vec_len (addresses))
2000 #define _(N, i, n, s) \
2001 case NAT_PROTOCOL_##N: \
2002 if (a->busy_##n##_ports < ports) \
2006 A = nat_random_port (&nm->random_seed, 1, \
2007 pow2_mask (nm->psid_offset)); \
2008 j = nat_random_port (&nm->random_seed, 0, pow2_mask (m)); \
2009 portnum = A | (nm->psid << nm->psid_offset) | (j << (16 - m)); \
2010 if (nat44_ei_port_is_used (a, NAT_PROTOCOL_##N, portnum)) \
2012 nat44_ei_port_get (a, NAT_PROTOCOL_##N, portnum); \
2013 a->busy_##n##_ports++; \
2015 *port = clib_host_to_net_u16 (portnum); \
2020 foreach_nat_protocol
2022 default : nat_elog_info (nm, "unknown protocol");
2027 /* Totally out of translations to use... */
2028 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
2033 nat44_ei_set_alloc_default ()
2035 nat44_ei_main_t *nm = &nat44_ei_main;
2037 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
2038 nm->alloc_addr_and_port = nat44_ei_alloc_default_cb;
2042 nat44_ei_set_alloc_range (u16 start_port, u16 end_port)
2044 nat44_ei_main_t *nm = &nat44_ei_main;
2046 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_RANGE;
2047 nm->alloc_addr_and_port = nat44_ei_alloc_range_cb;
2048 nm->start_port = start_port;
2049 nm->end_port = end_port;
2053 nat44_ei_set_alloc_mape (u16 psid, u16 psid_offset, u16 psid_length)
2055 nat44_ei_main_t *nm = &nat44_ei_main;
2057 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_MAPE;
2058 nm->alloc_addr_and_port = nat44_ei_alloc_mape_cb;
2060 nm->psid_offset = psid_offset;
2061 nm->psid_length = psid_length;
2065 nat44_ei_delete_session (nat44_ei_main_t *nm, nat44_ei_session_t *ses,
2068 nat44_ei_main_per_thread_data_t *tnm =
2069 vec_elt_at_index (nm->per_thread_data, thread_index);
2070 clib_bihash_kv_8_8_t kv, value;
2072 const nat44_ei_user_key_t u_key = { .addr = ses->in2out.addr,
2073 .fib_index = ses->in2out.fib_index };
2074 const u8 u_static = nat44_ei_is_session_static (ses);
2076 clib_dlist_remove (tnm->list_pool, ses->per_user_index);
2077 pool_put_index (tnm->list_pool, ses->per_user_index);
2079 pool_put (tnm->sessions, ses);
2080 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
2081 pool_elts (tnm->sessions));
2083 kv.key = u_key.as_u64;
2084 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
2086 u = pool_elt_at_index (tnm->users, value.value);
2088 u->nstaticsessions--;
2092 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
2097 nat44_ei_del_session (nat44_ei_main_t *nm, ip4_address_t *addr, u16 port,
2098 nat_protocol_t proto, u32 vrf_id, int is_in)
2100 nat44_ei_main_per_thread_data_t *tnm;
2101 clib_bihash_kv_8_8_t kv, value;
2103 nat44_ei_session_t *s;
2104 clib_bihash_8_8_t *t;
2106 fail_if_disabled ();
2108 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
2109 init_nat_k (&kv, *addr, port, fib_index, proto);
2110 t = is_in ? &nm->in2out : &nm->out2in;
2111 if (!clib_bihash_search_8_8 (t, &kv, &value))
2113 // this is called from API/CLI, so the world is stopped here
2114 // it's safe to manipulate arbitrary per-thread data
2115 u32 thread_index = nat_value_get_thread_index (&value);
2116 tnm = vec_elt_at_index (nm->per_thread_data, thread_index);
2117 u32 session_index = nat_value_get_session_index (&value);
2118 if (pool_is_free_index (tnm->sessions, session_index))
2119 return VNET_API_ERROR_UNSPECIFIED;
2121 s = pool_elt_at_index (tnm->sessions, session_index);
2122 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data, 0);
2123 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
2127 return VNET_API_ERROR_NO_SUCH_ENTRY;
2131 nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len, u32 sw_if_index,
2134 nat44_ei_main_t *nm = &nat44_ei_main;
2135 fib_prefix_t prefix = {
2137 .fp_proto = FIB_PROTOCOL_IP4,
2139 .ip4.as_u32 = addr->as_u32,
2142 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
2146 fib_table_entry_update_one_path (fib_index, &prefix, nm->fib_src_low,
2147 (FIB_ENTRY_FLAG_CONNECTED |
2148 FIB_ENTRY_FLAG_LOCAL |
2149 FIB_ENTRY_FLAG_EXCLUSIVE),
2150 DPO_PROTO_IP4, NULL, sw_if_index, ~0, 1,
2151 NULL, FIB_ROUTE_PATH_FLAG_NONE);
2155 fib_table_entry_delete (fib_index, &prefix, nm->fib_src_low);
2160 nat44_ei_reserve_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2162 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2163 nat44_ei_main_t *nm = &nat44_ei_main;
2164 nat44_ei_address_t *a = 0;
2167 for (i = 0; i < vec_len (nm->addresses); i++)
2169 a = nm->addresses + i;
2171 if (a->addr.as_u32 != addr.as_u32)
2176 #define _(N, j, n, s) \
2177 case NAT_PROTOCOL_##N: \
2178 if (nat44_ei_port_is_used (a, NAT_PROTOCOL_##N, port)) \
2180 nat44_ei_port_get (a, NAT_PROTOCOL_##N, port); \
2183 a->busy_##n##_ports++; \
2184 a->busy_##n##_ports_per_thread[ti]++; \
2187 foreach_nat_protocol
2189 default : nat_elog_info (nm, "unknown protocol");
2201 nat44_ei_free_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2203 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2204 nat44_ei_main_t *nm = &nat44_ei_main;
2205 nat44_ei_address_t *a = 0;
2208 for (i = 0; i < vec_len (nm->addresses); i++)
2210 a = nm->addresses + i;
2212 if (a->addr.as_u32 != addr.as_u32)
2217 #define _(N, j, n, s) \
2218 case NAT_PROTOCOL_##N: \
2219 nat44_ei_port_put (a, NAT_PROTOCOL_##N, port); \
2222 a->busy_##n##_ports--; \
2223 a->busy_##n##_ports_per_thread[ti]--; \
2226 foreach_nat_protocol
2228 default : nat_elog_info (nm, "unknown protocol");
2240 nat44_ei_add_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2241 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2242 u32 flags, ip4_address_t pool_addr, u8 *tag)
2244 nat44_ei_static_map_resolve_t *rp;
2245 nat44_ei_main_t *nm = &nat44_ei_main;
2247 vec_add2 (nm->to_resolve, rp, 1);
2248 rp->l_addr.as_u32 = l_addr.as_u32;
2249 rp->l_port = l_port;
2250 rp->e_port = e_port;
2251 rp->sw_if_index = sw_if_index;
2252 rp->vrf_id = vrf_id;
2255 rp->pool_addr = pool_addr;
2256 rp->tag = vec_dup (tag);
2260 nat44_ei_get_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2261 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2262 u32 flags, int *out)
2264 nat44_ei_static_map_resolve_t *rp;
2265 nat44_ei_main_t *nm = &nat44_ei_main;
2268 for (i = 0; i < vec_len (nm->to_resolve); i++)
2270 rp = nm->to_resolve + i;
2272 if (rp->sw_if_index == sw_if_index && rp->vrf_id == vrf_id)
2274 if (is_sm_identity_nat (rp->flags) && is_sm_identity_nat (flags))
2276 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2278 if (rp->e_port != e_port || rp->proto != proto)
2284 else if (rp->l_addr.as_u32 == l_addr.as_u32)
2286 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2288 if (rp->l_port != l_port || rp->e_port != e_port ||
2310 nat44_ei_del_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2311 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2314 nat44_ei_main_t *nm = &nat44_ei_main;
2316 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2317 sw_if_index, flags, &i))
2319 vec_del1 (nm->to_resolve, i);
2326 delete_matching_dynamic_sessions (const nat44_ei_static_mapping_t *m,
2329 nat44_ei_main_t *nm = &nat44_ei_main;
2330 clib_bihash_kv_8_8_t kv, value;
2331 nat44_ei_session_t *s;
2332 nat44_ei_user_key_t u_key;
2334 nat44_ei_main_per_thread_data_t *tnm;
2335 dlist_elt_t *head, *elt;
2336 u32 elt_index, head_index;
2340 if (nm->static_mapping_only)
2343 tnm = vec_elt_at_index (nm->per_thread_data, worker_index);
2345 u_key.addr = m->local_addr;
2346 u_key.fib_index = m->fib_index;
2347 kv.key = u_key.as_u64;
2348 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
2350 user_index = value.value;
2351 u = pool_elt_at_index (tnm->users, user_index);
2354 head_index = u->sessions_per_user_list_head_index;
2355 head = pool_elt_at_index (tnm->list_pool, head_index);
2356 elt_index = head->next;
2357 elt = pool_elt_at_index (tnm->list_pool, elt_index);
2358 ses_index = elt->value;
2359 while (ses_index != ~0)
2361 s = pool_elt_at_index (tnm->sessions, ses_index);
2362 elt = pool_elt_at_index (tnm->list_pool, elt->next);
2363 ses_index = elt->value;
2365 if (nat44_ei_is_session_static (s))
2368 if (!is_sm_addr_only (m->flags) &&
2369 s->in2out.port != m->local_port)
2372 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
2374 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
2376 if (!is_sm_addr_only (m->flags))
2384 nat44_ei_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2385 u16 l_port, u16 e_port, nat_protocol_t proto,
2386 u32 vrf_id, u32 sw_if_index, u32 flags,
2387 ip4_address_t pool_addr, u8 *tag)
2390 nat44_ei_main_t *nm = &nat44_ei_main;
2392 if (is_sm_switch_address (flags))
2394 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2395 sw_if_index, flags, 0))
2397 return VNET_API_ERROR_VALUE_EXIST;
2400 nat44_ei_add_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2401 sw_if_index, flags, pool_addr, tag);
2403 ip4_address_t *first_int_addr =
2404 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2405 if (!first_int_addr)
2407 // dhcp resolution required
2411 e_addr.as_u32 = first_int_addr->as_u32;
2414 return nat44_ei_add_static_mapping_internal (l_addr, e_addr, l_port, e_port,
2415 proto, vrf_id, sw_if_index,
2416 flags, pool_addr, tag);
2420 nat44_ei_del_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2421 u16 l_port, u16 e_port, nat_protocol_t proto,
2422 u32 vrf_id, u32 sw_if_index, u32 flags)
2424 nat44_ei_main_t *nm = &nat44_ei_main;
2426 if (is_sm_switch_address (flags))
2429 if (nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2430 sw_if_index, flags))
2432 return VNET_API_ERROR_NO_SUCH_ENTRY;
2435 ip4_address_t *first_int_addr =
2436 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2437 if (!first_int_addr)
2439 // dhcp resolution required
2443 e_addr.as_u32 = first_int_addr->as_u32;
2446 return nat44_ei_del_static_mapping_internal (
2447 l_addr, e_addr, l_port, e_port, proto, vrf_id, sw_if_index, flags);
2451 nat44_ei_add_static_mapping_internal (ip4_address_t l_addr,
2452 ip4_address_t e_addr, u16 l_port,
2453 u16 e_port, nat_protocol_t proto,
2454 u32 vrf_id, u32 sw_if_index, u32 flags,
2455 ip4_address_t pool_addr, u8 *tag)
2457 nat44_ei_main_t *nm = &nat44_ei_main;
2458 clib_bihash_kv_8_8_t kv, value;
2459 nat44_ei_lb_addr_port_t *local;
2460 nat44_ei_static_mapping_t *m;
2464 fail_if_disabled ();
2466 if (is_sm_addr_only (flags))
2468 e_port = l_port = proto = 0;
2471 if (is_sm_identity_nat (flags))
2474 l_addr.as_u32 = e_addr.as_u32;
2478 init_nat_k (&kv, e_addr, e_port, 0, proto);
2480 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2482 m = pool_elt_at_index (nm->static_mappings, value.value);
2483 if (!is_sm_identity_nat (m->flags))
2485 return VNET_API_ERROR_VALUE_EXIST;
2489 // adding local identity nat record for different vrf table
2490 pool_foreach (local, m->locals)
2492 if (local->vrf_id == vrf_id)
2494 return VNET_API_ERROR_VALUE_EXIST;
2498 pool_get (m->locals, local);
2500 local->vrf_id = vrf_id;
2501 local->fib_index = fib_table_find_or_create_and_lock (
2502 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
2504 init_nat_kv (&kv, m->local_addr, m->local_port, local->fib_index,
2505 m->proto, 0, m - nm->static_mappings);
2506 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2513 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
2518 // fallback to default vrf
2519 vrf_id = nm->inside_vrf_id;
2520 fib_index = nm->inside_fib_index;
2521 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2524 if (!is_sm_identity_nat (flags))
2526 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2527 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2529 return VNET_API_ERROR_VALUE_EXIST;
2533 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2535 if (nat44_ei_reserve_port (e_addr, e_port, proto))
2537 // remove resolve record
2538 if ((is_sm_switch_address (flags)) && !is_sm_identity_nat (flags))
2540 nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto,
2541 vrf_id, sw_if_index, flags);
2543 return VNET_API_ERROR_NO_SUCH_ENTRY;
2547 pool_get (nm->static_mappings, m);
2548 clib_memset (m, 0, sizeof (*m));
2551 m->local_addr = l_addr;
2552 m->external_addr = e_addr;
2554 m->tag = vec_dup (tag);
2556 if (!is_sm_addr_only (flags))
2558 m->local_port = l_port;
2559 m->external_port = e_port;
2563 if (is_sm_identity_nat (flags))
2565 pool_get (m->locals, local);
2567 local->vrf_id = vrf_id;
2568 local->fib_index = fib_index;
2573 m->fib_index = fib_index;
2576 init_nat_kv (&kv, m->local_addr, m->local_port, fib_index, m->proto, 0,
2577 m - nm->static_mappings);
2578 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2580 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto, 0,
2581 m - nm->static_mappings);
2582 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 1);
2584 if (nm->num_workers > 1)
2586 // store worker index for this record
2588 .src_address = m->local_addr,
2590 worker_index = nat44_ei_get_in2out_worker_index (&ip, m->fib_index, 0);
2591 vec_add1 (m->workers, worker_index);
2595 worker_index = nm->num_workers;
2597 delete_matching_dynamic_sessions (m, worker_index);
2599 if (is_sm_addr_only (flags))
2601 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 1);
2608 nat44_ei_del_static_mapping_internal (ip4_address_t l_addr,
2609 ip4_address_t e_addr, u16 l_port,
2610 u16 e_port, nat_protocol_t proto,
2611 u32 vrf_id, u32 sw_if_index, u32 flags)
2613 nat44_ei_main_per_thread_data_t *tnm;
2614 nat44_ei_main_t *nm = &nat44_ei_main;
2615 clib_bihash_kv_8_8_t kv, value;
2616 nat44_ei_lb_addr_port_t *local;
2617 nat44_ei_static_mapping_t *m;
2619 nat44_ei_user_key_t u_key;
2621 fail_if_disabled ();
2623 if (is_sm_addr_only (flags))
2625 e_port = l_port = proto = 0;
2628 if (is_sm_identity_nat (flags))
2631 l_addr.as_u32 = e_addr.as_u32;
2635 init_nat_k (&kv, e_addr, e_port, 0, proto);
2637 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2639 if (is_sm_switch_address (flags))
2643 return VNET_API_ERROR_NO_SUCH_ENTRY;
2646 m = pool_elt_at_index (nm->static_mappings, value.value);
2648 if (is_sm_identity_nat (flags))
2654 vrf_id = nm->inside_vrf_id;
2657 pool_foreach (local, m->locals)
2659 if (local->vrf_id == vrf_id)
2661 local = pool_elt_at_index (m->locals, local - m->locals);
2662 fib_index = local->fib_index;
2663 pool_put (m->locals, local);
2669 return VNET_API_ERROR_NO_SUCH_ENTRY;
2674 fib_index = m->fib_index;
2677 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2679 if (nat44_ei_free_port (e_addr, e_port, proto))
2681 return VNET_API_ERROR_INVALID_VALUE;
2685 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2686 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 0);
2688 if (!nm->static_mapping_only || nm->static_mapping_connection_tracking)
2690 // delete sessions for static mapping
2691 if (nm->num_workers > 1)
2692 tnm = vec_elt_at_index (nm->per_thread_data, m->workers[0]);
2694 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
2696 u_key.addr = m->local_addr;
2697 u_key.fib_index = fib_index;
2698 kv.key = u_key.as_u64;
2699 nat44_ei_static_mapping_del_sessions (
2700 nm, tnm, u_key, is_sm_addr_only (flags), e_addr, e_port);
2703 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2705 if (!pool_elts (m->locals))
2707 // this is last record remove all required stuff
2709 init_nat_k (&kv, e_addr, e_port, 0, proto);
2710 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 0);
2713 vec_free (m->workers);
2714 pool_put (nm->static_mappings, m);
2716 if (is_sm_addr_only (flags) && !is_sm_identity_nat (flags))
2718 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 0);
2726 nat44_ei_static_mapping_match (ip4_address_t match_addr, u16 match_port,
2727 u32 match_fib_index,
2728 nat_protocol_t match_protocol,
2729 ip4_address_t *mapping_addr, u16 *mapping_port,
2730 u32 *mapping_fib_index, u8 by_external,
2731 u8 *is_addr_only, u8 *is_identity_nat)
2733 nat44_ei_main_t *nm = &nat44_ei_main;
2734 clib_bihash_kv_8_8_t kv, value;
2735 nat44_ei_static_mapping_t *m;
2740 init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
2741 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2744 /* Try address only mapping */
2745 init_nat_k (&kv, match_addr, 0, 0, 0);
2746 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2750 m = pool_elt_at_index (nm->static_mappings, value.value);
2752 *mapping_fib_index = m->fib_index;
2753 *mapping_addr = m->local_addr;
2754 port = m->local_port;
2758 init_nat_k (&kv, match_addr, match_port, match_fib_index,
2760 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2762 /* Try address only mapping */
2763 init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
2764 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv,
2768 m = pool_elt_at_index (nm->static_mappings, value.value);
2770 *mapping_fib_index = nm->outside_fib_index;
2771 *mapping_addr = m->external_addr;
2772 port = m->external_port;
2775 /* Address only mapping doesn't change port */
2776 if (is_sm_addr_only (m->flags))
2777 *mapping_port = match_port;
2779 *mapping_port = port;
2781 if (PREDICT_FALSE (is_addr_only != 0))
2782 *is_addr_only = is_sm_addr_only (m->flags);
2784 if (PREDICT_FALSE (is_identity_nat != 0))
2785 *is_identity_nat = is_sm_identity_nat (m->flags);
2791 nat44_ei_worker_db_free (nat44_ei_main_per_thread_data_t *tnm)
2793 pool_free (tnm->list_pool);
2794 pool_free (tnm->lru_pool);
2795 pool_free (tnm->sessions);
2796 pool_free (tnm->users);
2798 clib_bihash_free_8_8 (&tnm->user_hash);
2802 format_nat44_ei_key (u8 *s, va_list *args)
2804 u64 key = va_arg (*args, u64);
2808 nat_protocol_t protocol;
2811 split_nat_key (key, &addr, &port, &fib_index, &protocol);
2813 s = format (s, "%U proto %U port %d fib %d", format_ip4_address, &addr,
2814 format_nat_protocol, protocol, clib_net_to_host_u16 (port),
2820 format_nat44_ei_user_kvp (u8 *s, va_list *args)
2822 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2823 nat44_ei_user_key_t k;
2827 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
2828 k.fib_index, v->value);
2834 format_nat44_ei_session_kvp (u8 *s, va_list *args)
2836 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2838 s = format (s, "%U thread-index %llu session-index %llu",
2839 format_nat44_ei_key, v->key, nat_value_get_thread_index (v),
2840 nat_value_get_session_index (v));
2846 format_nat44_ei_static_mapping_kvp (u8 *s, va_list *args)
2848 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2850 s = format (s, "%U static-mapping-index %llu", format_nat44_ei_key, v->key,
2857 nat44_ei_worker_db_init (nat44_ei_main_per_thread_data_t *tnm,
2858 u32 translations, u32 translation_buckets,
2863 pool_alloc (tnm->list_pool, translations);
2864 pool_alloc (tnm->lru_pool, translations);
2865 pool_alloc (tnm->sessions, translations);
2867 clib_bihash_init_8_8 (&tnm->user_hash, "users", user_buckets, 0);
2869 clib_bihash_set_kvp_format_fn_8_8 (&tnm->user_hash,
2870 format_nat44_ei_user_kvp);
2872 pool_get (tnm->lru_pool, head);
2873 tnm->tcp_trans_lru_head_index = head - tnm->lru_pool;
2874 clib_dlist_init (tnm->lru_pool, tnm->tcp_trans_lru_head_index);
2876 pool_get (tnm->lru_pool, head);
2877 tnm->tcp_estab_lru_head_index = head - tnm->lru_pool;
2878 clib_dlist_init (tnm->lru_pool, tnm->tcp_estab_lru_head_index);
2880 pool_get (tnm->lru_pool, head);
2881 tnm->udp_lru_head_index = head - tnm->lru_pool;
2882 clib_dlist_init (tnm->lru_pool, tnm->udp_lru_head_index);
2884 pool_get (tnm->lru_pool, head);
2885 tnm->icmp_lru_head_index = head - tnm->lru_pool;
2886 clib_dlist_init (tnm->lru_pool, tnm->icmp_lru_head_index);
2888 pool_get (tnm->lru_pool, head);
2889 tnm->unk_proto_lru_head_index = head - tnm->lru_pool;
2890 clib_dlist_init (tnm->lru_pool, tnm->unk_proto_lru_head_index);
2894 nat44_ei_db_init (u32 translations, u32 translation_buckets, u32 user_buckets)
2896 nat44_ei_main_t *nm = &nat44_ei_main;
2897 nat44_ei_main_per_thread_data_t *tnm;
2899 u32 static_mapping_buckets = 1024;
2900 u32 static_mapping_memory_size = 64 << 20;
2902 clib_bihash_init_8_8 (&nm->static_mapping_by_local,
2903 "static_mapping_by_local", static_mapping_buckets,
2904 static_mapping_memory_size);
2905 clib_bihash_init_8_8 (&nm->static_mapping_by_external,
2906 "static_mapping_by_external", static_mapping_buckets,
2907 static_mapping_memory_size);
2908 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_local,
2909 format_nat44_ei_static_mapping_kvp);
2910 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_external,
2911 format_nat44_ei_static_mapping_kvp);
2915 clib_bihash_init_8_8 (&nm->in2out, "in2out", translation_buckets, 0);
2916 clib_bihash_init_8_8 (&nm->out2in, "out2in", translation_buckets, 0);
2917 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2918 format_nat44_ei_session_kvp);
2919 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2920 format_nat44_ei_session_kvp);
2921 vec_foreach (tnm, nm->per_thread_data)
2923 nat44_ei_worker_db_init (tnm, translations, translation_buckets,
2930 nat44_ei_sessions_clear ()
2932 nat44_ei_main_t *nm = &nat44_ei_main;
2933 nat44_ei_main_per_thread_data_t *tnm;
2937 clib_bihash_free_8_8 (&nm->in2out);
2938 clib_bihash_free_8_8 (&nm->out2in);
2939 clib_bihash_init_8_8 (&nm->in2out, "in2out", nm->translation_buckets, 0);
2940 clib_bihash_init_8_8 (&nm->out2in, "out2in", nm->translation_buckets, 0);
2941 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2942 format_nat44_ei_session_kvp);
2943 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2944 format_nat44_ei_session_kvp);
2945 vec_foreach (tnm, nm->per_thread_data)
2947 nat44_ei_worker_db_free (tnm);
2948 nat44_ei_worker_db_init (tnm, nm->translations,
2949 nm->translation_buckets, nm->user_buckets);
2953 vlib_zero_simple_counter (&nm->total_users, 0);
2954 vlib_zero_simple_counter (&nm->total_sessions, 0);
2955 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
2959 nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque, u32 sw_if_index,
2960 u32 new_fib_index, u32 old_fib_index)
2962 nat44_ei_main_t *nm = &nat44_ei_main;
2963 nat44_ei_outside_fib_t *outside_fib;
2964 nat44_ei_interface_t *i;
2968 if (!nm->enabled || (new_fib_index == old_fib_index) ||
2969 (!vec_len (nm->outside_fibs)))
2974 pool_foreach (i, nm->interfaces)
2976 if (i->sw_if_index == sw_if_index)
2978 if (!(nat44_ei_interface_is_outside (i)))
2984 pool_foreach (i, nm->output_feature_interfaces)
2986 if (i->sw_if_index == sw_if_index)
2988 if (!(nat44_ei_interface_is_outside (i)))
2997 vec_foreach (outside_fib, nm->outside_fibs)
2999 if (outside_fib->fib_index == old_fib_index)
3001 outside_fib->refcount--;
3002 if (!outside_fib->refcount)
3003 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
3008 vec_foreach (outside_fib, nm->outside_fibs)
3010 if (outside_fib->fib_index == new_fib_index)
3012 outside_fib->refcount++;
3020 vec_add2 (nm->outside_fibs, outside_fib, 1);
3021 outside_fib->refcount = 1;
3022 outside_fib->fib_index = new_fib_index;
3027 nat44_ei_add_address (ip4_address_t *addr, u32 vrf_id)
3029 nat44_ei_main_t *nm = &nat44_ei_main;
3030 vlib_thread_main_t *tm = vlib_get_thread_main ();
3031 nat44_ei_address_t *ap;
3033 fail_if_disabled ();
3035 /* Check if address already exists */
3036 vec_foreach (ap, nm->addresses)
3038 if (ap->addr.as_u32 == addr->as_u32)
3040 nat44_ei_log_err ("address exist");
3041 return VNET_API_ERROR_VALUE_EXIST;
3045 vec_add2 (nm->addresses, ap, 1);
3052 ap->fib_index = fib_table_find_or_create_and_lock (
3053 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
3056 #define _(N, i, n, s) \
3057 ap->busy_##n##_port_bitmap = 0; \
3058 ap->busy_##n##_ports = 0; \
3059 ap->busy_##n##_ports_per_thread = 0; \
3060 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, \
3061 tm->n_vlib_mains - 1, 0);
3062 foreach_nat_protocol
3065 nat44_ei_add_del_addr_to_fib_foreach_out_if (addr, 1);
3071 nat44_ei_del_address (ip4_address_t addr, u8 delete_sm)
3073 nat44_ei_main_t *nm = &nat44_ei_main;
3074 nat44_ei_address_t *a = 0;
3075 nat44_ei_session_t *ses;
3076 u32 *ses_to_be_removed = 0, *ses_index;
3077 nat44_ei_main_per_thread_data_t *tnm;
3078 nat44_ei_static_mapping_t *m;
3081 fail_if_disabled ();
3083 /* Find SNAT address */
3084 for (j = 0; j < vec_len (nm->addresses); j++)
3086 if (nm->addresses[j].addr.as_u32 == addr.as_u32)
3088 a = nm->addresses + j;
3094 nat44_ei_log_err ("no such address");
3095 return VNET_API_ERROR_NO_SUCH_ENTRY;
3100 pool_foreach (m, nm->static_mappings)
3102 if (m->external_addr.as_u32 == addr.as_u32)
3103 nat44_ei_del_static_mapping_internal (
3104 m->local_addr, m->external_addr, m->local_port, m->external_port,
3105 m->proto, m->vrf_id, ~0, m->flags);
3110 /* Check if address is used in some static mapping */
3111 if (nat44_ei_is_address_used_in_static_mapping (addr))
3113 nat44_ei_log_err ("address used in static mapping");
3114 return VNET_API_ERROR_UNSPECIFIED;
3118 /* Delete sessions using address */
3119 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
3121 vec_foreach (tnm, nm->per_thread_data)
3123 pool_foreach (ses, tnm->sessions)
3125 if (ses->out2in.addr.as_u32 == addr.as_u32)
3127 nat44_ei_free_session_data (nm, ses,
3128 tnm - nm->per_thread_data, 0);
3129 vec_add1 (ses_to_be_removed, ses - tnm->sessions);
3132 vec_foreach (ses_index, ses_to_be_removed)
3134 ses = pool_elt_at_index (tnm->sessions, ses_index[0]);
3135 nat44_ei_delete_session (nm, ses, tnm - nm->per_thread_data);
3137 vec_free (ses_to_be_removed);
3141 nat44_ei_add_del_addr_to_fib_foreach_out_if (&addr, 0);
3143 if (a->fib_index != ~0)
3145 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
3148 #define _(N, i, n, s) vec_free (a->busy_##n##_ports_per_thread);
3149 foreach_nat_protocol
3152 vec_del1 (nm->addresses, j);
3157 nat44_ei_add_interface_address (u32 sw_if_index)
3159 nat44_ei_main_t *nm = &nat44_ei_main;
3160 ip4_main_t *ip4_main = nm->ip4_main;
3161 ip4_address_t *first_int_addr;
3162 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3165 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3167 if (auto_add_sw_if_indices[i] == sw_if_index)
3169 return VNET_API_ERROR_VALUE_EXIST;
3173 /* add to the auto-address list */
3174 vec_add1 (nm->auto_add_sw_if_indices, sw_if_index);
3176 // if the address is already bound - or static - add it now
3177 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3180 (void) nat44_ei_add_address (first_int_addr, ~0);
3187 nat44_ei_del_interface_address (u32 sw_if_index)
3189 nat44_ei_main_t *nm = &nat44_ei_main;
3190 ip4_main_t *ip4_main = nm->ip4_main;
3191 ip4_address_t *first_int_addr;
3192 nat44_ei_static_map_resolve_t *rp;
3193 u32 *indices_to_delete = 0;
3195 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3197 fail_if_disabled ();
3199 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3201 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3203 if (auto_add_sw_if_indices[i] == sw_if_index)
3206 ip4_interface_first_address (ip4_main, sw_if_index, 0);
3209 (void) nat44_ei_del_address (first_int_addr[0], 1);
3213 for (j = 0; j < vec_len (nm->to_resolve); j++)
3215 rp = nm->to_resolve + j;
3216 if (rp->sw_if_index == sw_if_index)
3218 vec_add1 (indices_to_delete, j);
3221 if (vec_len (indices_to_delete))
3223 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
3225 vec_del1 (nm->to_resolve, j);
3227 vec_free (indices_to_delete);
3231 vec_del1 (nm->auto_add_sw_if_indices, i);
3235 return VNET_API_ERROR_NO_SUCH_ENTRY;
3238 static_always_inline int
3239 is_sw_if_index_reg_for_auto_resolve (u32 *sw_if_indices, u32 sw_if_index)
3242 vec_foreach (i, sw_if_indices)
3244 if (*i == sw_if_index)
3253 nat44_ei_ip4_add_del_interface_address_cb (ip4_main_t *im, uword opaque,
3255 ip4_address_t *address,
3257 u32 if_address_index, u32 is_delete)
3259 nat44_ei_main_t *nm = &nat44_ei_main;
3260 nat44_ei_static_map_resolve_t *rp;
3261 nat44_ei_address_t *addresses = nm->addresses;
3269 if (!is_sw_if_index_reg_for_auto_resolve (nm->auto_add_sw_if_indices,
3277 /* Don't trip over lease renewal, static config */
3278 for (i = 0; i < vec_len (addresses); i++)
3280 if (addresses[i].addr.as_u32 == address->as_u32)
3286 (void) nat44_ei_add_address (address, ~0);
3288 /* Scan static map resolution vector */
3289 for (i = 0; i < vec_len (nm->to_resolve); i++)
3291 rp = nm->to_resolve + i;
3292 if (is_sm_addr_only (rp->flags))
3296 /* On this interface? */
3297 if (rp->sw_if_index == sw_if_index)
3299 rv = nat44_ei_add_static_mapping_internal (
3300 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3301 rp->vrf_id, ~0, rp->flags, rp->pool_addr, rp->tag);
3304 nat_elog_notice_X1 (
3305 nm, "add_static_mapping_internal returned %d", "i4", rv);
3312 // remove all static mapping records
3313 (void) nat44_ei_del_address (address[0], 1);
3318 nat44_ei_set_frame_queue_nelts (u32 frame_queue_nelts)
3321 nat44_ei_main_t *nm = &nat44_ei_main;
3322 nm->frame_queue_nelts = frame_queue_nelts;
3327 nat44_ei_ip4_add_del_addr_only_sm_cb (ip4_main_t *im, uword opaque,
3328 u32 sw_if_index, ip4_address_t *address,
3329 u32 address_length, u32 if_address_index,
3332 nat44_ei_main_t *nm = &nat44_ei_main;
3333 nat44_ei_static_map_resolve_t *rp;
3334 nat44_ei_static_mapping_t *m;
3335 clib_bihash_kv_8_8_t kv, value;
3336 int i, rv = 0, match = 0;
3343 for (i = 0; i < vec_len (nm->to_resolve); i++)
3345 rp = nm->to_resolve + i;
3347 if (is_sm_addr_only (rp->flags) && rp->sw_if_index == sw_if_index)
3359 init_nat_k (&kv, *address, is_sm_addr_only (rp->flags) ? 0 : rp->e_port,
3360 nm->outside_fib_index,
3361 is_sm_addr_only (rp->flags) ? 0 : rp->proto);
3362 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
3365 m = pool_elt_at_index (nm->static_mappings, value.value);
3371 rv = nat44_ei_del_static_mapping_internal (
3372 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto, rp->vrf_id,
3376 nat_elog_notice_X1 (nm, "nat44_ei_del_static_mapping returned %d",
3384 rv = nat44_ei_add_static_mapping_internal (
3385 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto, rp->vrf_id,
3386 ~0, rp->flags, rp->pool_addr, rp->tag);
3390 nat_elog_notice_X1 (nm, "nat44_ei_add_static_mapping returned %d",
3396 static_always_inline uword
3397 nat44_ei_classify_inline_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
3398 vlib_frame_t *frame)
3400 u32 n_left_from, *from, *to_next;
3401 nat44_ei_classify_next_t next_index;
3402 nat44_ei_main_t *nm = &nat44_ei_main;
3403 nat44_ei_static_mapping_t *m;
3404 u32 next_in2out = 0, next_out2in = 0;
3406 from = vlib_frame_vector_args (frame);
3407 n_left_from = frame->n_vectors;
3408 next_index = node->cached_next_index;
3410 while (n_left_from > 0)
3414 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
3416 while (n_left_from > 0 && n_left_to_next > 0)
3420 u32 next0 = NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3422 nat44_ei_address_t *ap;
3423 clib_bihash_kv_8_8_t kv0, value0;
3425 /* speculatively enqueue b0 to the current next frame */
3431 n_left_to_next -= 1;
3433 b0 = vlib_get_buffer (vm, bi0);
3434 ip0 = vlib_buffer_get_current (b0);
3436 vec_foreach (ap, nm->addresses)
3438 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
3440 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3445 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
3447 init_nat_k (&kv0, ip0->dst_address, 0, 0, 0);
3448 /* try to classify the fragment based on IP header alone */
3449 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3452 m = pool_elt_at_index (nm->static_mappings, value0.value);
3453 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3454 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3457 init_nat_k (&kv0, ip0->dst_address,
3458 vnet_buffer (b0)->ip.reass.l4_dst_port, 0,
3459 ip_proto_to_nat_proto (ip0->protocol));
3460 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3463 m = pool_elt_at_index (nm->static_mappings, value0.value);
3464 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3465 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3470 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
3471 (b0->flags & VLIB_BUFFER_IS_TRACED)))
3473 nat44_ei_classify_trace_t *t =
3474 vlib_add_trace (vm, node, b0, sizeof (*t));
3476 t->next_in2out = next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
3479 next_in2out += next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3480 next_out2in += next0 == NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3482 /* verify speculative enqueue, maybe switch current next frame */
3483 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
3484 n_left_to_next, bi0, next0);
3487 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3490 vlib_node_increment_counter (
3491 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
3492 vlib_node_increment_counter (
3493 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
3494 return frame->n_vectors;
3497 VLIB_NODE_FN (nat44_ei_classify_node)
3498 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3500 return nat44_ei_classify_inline_fn (vm, node, frame);
3503 VLIB_REGISTER_NODE (nat44_ei_classify_node) = {
3504 .name = "nat44-ei-classify",
3505 .vector_size = sizeof (u32),
3506 .format_trace = format_nat44_ei_classify_trace,
3507 .type = VLIB_NODE_TYPE_INTERNAL,
3508 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3509 .error_strings = nat44_ei_classify_error_strings,
3510 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3512 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out",
3513 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in",
3514 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3518 VLIB_NODE_FN (nat44_ei_handoff_classify_node)
3519 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3521 return nat44_ei_classify_inline_fn (vm, node, frame);
3524 VLIB_REGISTER_NODE (nat44_ei_handoff_classify_node) = {
3525 .name = "nat44-ei-handoff-classify",
3526 .vector_size = sizeof (u32),
3527 .format_trace = format_nat44_ei_classify_trace,
3528 .type = VLIB_NODE_TYPE_INTERNAL,
3529 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3530 .error_strings = nat44_ei_classify_error_strings,
3531 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3533 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out-worker-handoff",
3534 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in-worker-handoff",
3535 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3540 * fd.io coding-style-patch-verification: ON
3543 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob