2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
22 #include <snat/snat.h>
23 #include <snat/snat_ipfix_logging.h>
24 #include <snat/snat_det.h>
25 #include <vnet/fib/fib_table.h>
26 #include <vnet/fib/ip4_fib.h>
28 #include <vpp/app/version.h>
30 snat_main_t snat_main;
33 /* Hook up input features */
34 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
35 .arc_name = "ip4-unicast",
36 .node_name = "snat-in2out",
37 .runs_before = VNET_FEATURES ("snat-out2in"),
39 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
40 .arc_name = "ip4-unicast",
41 .node_name = "snat-out2in",
42 .runs_before = VNET_FEATURES ("ip4-lookup"),
44 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
45 .arc_name = "ip4-unicast",
46 .node_name = "snat-det-in2out",
47 .runs_before = VNET_FEATURES ("snat-det-out2in"),
49 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
50 .arc_name = "ip4-unicast",
51 .node_name = "snat-det-out2in",
52 .runs_before = VNET_FEATURES ("ip4-lookup"),
54 VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = {
55 .arc_name = "ip4-unicast",
56 .node_name = "snat-in2out-worker-handoff",
57 .runs_before = VNET_FEATURES ("snat-out2in-worker-handoff"),
59 VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = {
60 .arc_name = "ip4-unicast",
61 .node_name = "snat-out2in-worker-handoff",
62 .runs_before = VNET_FEATURES ("ip4-lookup"),
64 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
65 .arc_name = "ip4-unicast",
66 .node_name = "snat-in2out-fast",
67 .runs_before = VNET_FEATURES ("snat-out2in-fast"),
69 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
70 .arc_name = "ip4-unicast",
71 .node_name = "snat-out2in-fast",
72 .runs_before = VNET_FEATURES ("ip4-lookup"),
76 VLIB_PLUGIN_REGISTER () = {
77 .version = VPP_BUILD_VER,
78 .description = "Network Address Translation",
83 * @brief Add/del NAT address to FIB.
85 * Add the external NAT address to the FIB as receive entries. This ensures
86 * that VPP will reply to ARP for this address and we don't need to enable
87 * proxy ARP on the outside interface.
89 * @param addr IPv4 address.
90 * @param plen address prefix length
91 * @param sw_if_index Interface.
92 * @param is_add If 0 delete, otherwise add.
95 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
98 fib_prefix_t prefix = {
100 .fp_proto = FIB_PROTOCOL_IP4,
102 .ip4.as_u32 = addr->as_u32,
105 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index(sw_if_index);
108 fib_table_entry_update_one_path(fib_index,
110 FIB_SOURCE_PLUGIN_HI,
111 (FIB_ENTRY_FLAG_CONNECTED |
112 FIB_ENTRY_FLAG_LOCAL |
113 FIB_ENTRY_FLAG_EXCLUSIVE),
120 FIB_ROUTE_PATH_FLAG_NONE);
122 fib_table_entry_delete(fib_index,
124 FIB_SOURCE_PLUGIN_HI);
127 void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id)
135 /* Check if address already exists */
136 vec_foreach (ap, sm->addresses)
138 if (ap->addr.as_u32 == addr->as_u32)
142 vec_add2 (sm->addresses, ap, 1);
144 ap->fib_index = ip4_fib_index_from_table_id(vrf_id);
145 #define _(N, i, n, s) \
146 clib_bitmap_alloc (ap->busy_##n##_port_bitmap, 65535);
147 foreach_snat_protocol
150 /* Add external address to FIB */
151 pool_foreach (i, sm->interfaces,
156 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
161 static int is_snat_address_used_in_static_mapping (snat_main_t *sm,
164 snat_static_mapping_t *m;
165 pool_foreach (m, sm->static_mappings,
167 if (m->external_addr.as_u32 == addr.as_u32)
174 void increment_v4_address (ip4_address_t * a)
178 v = clib_net_to_host_u32(a->as_u32) + 1;
179 a->as_u32 = clib_host_to_net_u32(v);
183 snat_add_static_mapping_when_resolved (snat_main_t * sm,
184 ip4_address_t l_addr,
189 snat_protocol_t proto,
193 snat_static_map_resolve_t *rp;
195 vec_add2 (sm->to_resolve, rp, 1);
196 rp->l_addr.as_u32 = l_addr.as_u32;
198 rp->sw_if_index = sw_if_index;
202 rp->addr_only = addr_only;
207 * @brief Add static mapping.
209 * Create static mapping between local addr+port and external addr+port.
211 * @param l_addr Local IPv4 address.
212 * @param e_addr External IPv4 address.
213 * @param l_port Local port number.
214 * @param e_port External port number.
215 * @param vrf_id VRF ID.
216 * @param addr_only If 0 address port and pair mapping, otherwise address only.
217 * @param sw_if_index External port instead of specific IP address.
218 * @param is_add If 0 delete static mapping, otherwise add.
222 int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr,
223 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
224 u32 sw_if_index, snat_protocol_t proto, int is_add)
226 snat_main_t * sm = &snat_main;
227 snat_static_mapping_t *m;
228 snat_session_key_t m_key;
229 clib_bihash_kv_8_8_t kv, value;
230 snat_address_t *a = 0;
233 snat_interface_t *interface;
236 /* If the external address is a specific interface address */
237 if (sw_if_index != ~0)
239 ip4_address_t * first_int_addr;
241 /* Might be already set... */
242 first_int_addr = ip4_interface_first_address
243 (sm->ip4_main, sw_if_index, 0 /* just want the address*/);
245 /* DHCP resolution required? */
246 if (first_int_addr == 0)
248 snat_add_static_mapping_when_resolved
249 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
254 e_addr.as_u32 = first_int_addr->as_u32;
258 m_key.port = addr_only ? 0 : e_port;
259 m_key.protocol = addr_only ? 0 : proto;
260 m_key.fib_index = sm->outside_fib_index;
261 kv.key = m_key.as_u64;
262 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
265 m = pool_elt_at_index (sm->static_mappings, value.value);
270 return VNET_API_ERROR_VALUE_EXIST;
272 /* Convert VRF id to FIB index */
275 p = hash_get (sm->ip4_main->fib_index_by_table_id, vrf_id);
277 return VNET_API_ERROR_NO_SUCH_FIB;
280 /* If not specified use inside VRF id from SNAT plugin startup config */
283 fib_index = sm->inside_fib_index;
284 vrf_id = sm->inside_vrf_id;
287 /* Find external address in allocated addresses and reserve port for
288 address and port pair mapping when dynamic translations enabled */
289 if (!addr_only && !(sm->static_mapping_only))
291 for (i = 0; i < vec_len (sm->addresses); i++)
293 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
295 a = sm->addresses + i;
296 /* External port must be unused */
299 #define _(N, j, n, s) \
300 case SNAT_PROTOCOL_##N: \
301 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
302 return VNET_API_ERROR_INVALID_VALUE; \
303 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
305 a->busy_##n##_ports++; \
307 foreach_snat_protocol
310 clib_warning("unknown_protocol");
311 return VNET_API_ERROR_INVALID_VALUE_2;
316 /* External address must be allocated */
318 return VNET_API_ERROR_NO_SUCH_ENTRY;
321 pool_get (sm->static_mappings, m);
322 memset (m, 0, sizeof (*m));
323 m->local_addr = l_addr;
324 m->external_addr = e_addr;
325 m->addr_only = addr_only;
327 m->fib_index = fib_index;
330 m->local_port = l_port;
331 m->external_port = e_port;
335 m_key.addr = m->local_addr;
336 m_key.port = m->local_port;
337 m_key.protocol = m->proto;
338 m_key.fib_index = m->fib_index;
339 kv.key = m_key.as_u64;
340 kv.value = m - sm->static_mappings;
341 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
343 m_key.addr = m->external_addr;
344 m_key.port = m->external_port;
345 m_key.fib_index = sm->outside_fib_index;
346 kv.key = m_key.as_u64;
347 kv.value = m - sm->static_mappings;
348 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1);
353 snat_user_key_t w_key0;
354 snat_worker_key_t w_key1;
356 w_key0.addr = m->local_addr;
357 w_key0.fib_index = m->fib_index;
358 kv.key = w_key0.as_u64;
360 if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value))
362 kv.value = sm->first_worker_index +
363 sm->workers[sm->next_worker++ % vec_len (sm->workers)];
365 clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv, 1);
369 kv.value = value.value;
372 w_key1.addr = m->external_addr;
373 w_key1.port = clib_host_to_net_u16 (m->external_port);
374 w_key1.fib_index = sm->outside_fib_index;
375 kv.key = w_key1.as_u64;
376 clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv, 1);
382 return VNET_API_ERROR_NO_SUCH_ENTRY;
384 /* Free external address port */
385 if (!addr_only && !(sm->static_mapping_only))
387 for (i = 0; i < vec_len (sm->addresses); i++)
389 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
391 a = sm->addresses + i;
394 #define _(N, j, n, s) \
395 case SNAT_PROTOCOL_##N: \
396 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
398 a->busy_##n##_ports--; \
400 foreach_snat_protocol
403 clib_warning("unknown_protocol");
404 return VNET_API_ERROR_INVALID_VALUE_2;
411 m_key.addr = m->local_addr;
412 m_key.port = m->local_port;
413 m_key.protocol = m->proto;
414 m_key.fib_index = m->fib_index;
415 kv.key = m_key.as_u64;
416 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0);
418 m_key.addr = m->external_addr;
419 m_key.port = m->external_port;
420 m_key.fib_index = sm->outside_fib_index;
421 kv.key = m_key.as_u64;
422 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0);
424 /* Delete session(s) for static mapping if exist */
425 if (!(sm->static_mapping_only) ||
426 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
428 snat_user_key_t u_key;
430 dlist_elt_t * head, * elt;
431 u32 elt_index, head_index, del_elt_index;
435 snat_main_per_thread_data_t *tsm;
437 u_key.addr = m->local_addr;
438 u_key.fib_index = m->fib_index;
439 kv.key = u_key.as_u64;
440 if (!clib_bihash_search_8_8 (&sm->user_hash, &kv, &value))
442 user_index = value.value;
443 if (!clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value))
444 tsm = vec_elt_at_index (sm->per_thread_data, value.value);
446 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
447 u = pool_elt_at_index (tsm->users, user_index);
448 if (u->nstaticsessions)
450 head_index = u->sessions_per_user_list_head_index;
451 head = pool_elt_at_index (tsm->list_pool, head_index);
452 elt_index = head->next;
453 elt = pool_elt_at_index (tsm->list_pool, elt_index);
454 ses_index = elt->value;
455 while (ses_index != ~0)
457 s = pool_elt_at_index (tsm->sessions, ses_index);
458 del_elt_index = elt_index;
459 elt_index = elt->next;
460 elt = pool_elt_at_index (tsm->list_pool, elt_index);
461 ses_index = elt->value;
465 if ((s->out2in.addr.as_u32 != e_addr.as_u32) &&
466 (clib_net_to_host_u16 (s->out2in.port) != e_port))
471 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
472 s->out2in.addr.as_u32,
476 s->in2out.fib_index);
478 value.key = s->in2out.as_u64;
479 clib_bihash_add_del_8_8 (&sm->in2out, &value, 0);
480 value.key = s->out2in.as_u64;
481 clib_bihash_add_del_8_8 (&sm->out2in, &value, 0);
482 pool_put (tsm->sessions, s);
484 clib_dlist_remove (tsm->list_pool, del_elt_index);
485 pool_put_index (tsm->list_pool, del_elt_index);
486 u->nstaticsessions--;
493 pool_put (tsm->users, u);
494 clib_bihash_add_del_8_8 (&sm->user_hash, &kv, 0);
500 /* Delete static mapping from pool */
501 pool_put (sm->static_mappings, m);
507 /* Add/delete external address to FIB */
508 pool_foreach (interface, sm->interfaces,
510 if (interface->is_inside)
513 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
520 int snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm)
522 snat_address_t *a = 0;
524 u32 *ses_to_be_removed = 0, *ses_index;
525 clib_bihash_kv_8_8_t kv, value;
526 snat_user_key_t user_key;
528 snat_main_per_thread_data_t *tsm;
529 snat_static_mapping_t *m;
530 snat_interface_t *interface;
533 /* Find SNAT address */
534 for (i=0; i < vec_len (sm->addresses); i++)
536 if (sm->addresses[i].addr.as_u32 == addr.as_u32)
538 a = sm->addresses + i;
543 return VNET_API_ERROR_NO_SUCH_ENTRY;
547 pool_foreach (m, sm->static_mappings,
549 if (m->external_addr.as_u32 == addr.as_u32)
550 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
551 m->local_port, m->external_port,
552 m->vrf_id, m->addr_only, ~0,
558 /* Check if address is used in some static mapping */
559 if (is_snat_address_used_in_static_mapping(sm, addr))
561 clib_warning ("address used in static mapping");
562 return VNET_API_ERROR_UNSPECIFIED;
566 /* Delete sessions using address */
567 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
569 vec_foreach (tsm, sm->per_thread_data)
571 pool_foreach (ses, tsm->sessions, ({
572 if (ses->out2in.addr.as_u32 == addr.as_u32)
575 snat_ipfix_logging_nat44_ses_delete(ses->in2out.addr.as_u32,
576 ses->out2in.addr.as_u32,
577 ses->in2out.protocol,
580 ses->in2out.fib_index);
581 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
582 kv.key = ses->in2out.as_u64;
583 clib_bihash_add_del_8_8 (&sm->in2out, &kv, 0);
584 kv.key = ses->out2in.as_u64;
585 clib_bihash_add_del_8_8 (&sm->out2in, &kv, 0);
586 clib_dlist_remove (tsm->list_pool, ses->per_user_index);
587 user_key.addr = ses->in2out.addr;
588 user_key.fib_index = ses->in2out.fib_index;
589 kv.key = user_key.as_u64;
590 if (!clib_bihash_search_8_8 (&sm->user_hash, &kv, &value))
592 u = pool_elt_at_index (tsm->users, value.value);
598 vec_foreach (ses_index, ses_to_be_removed)
599 pool_put_index (tsm->sessions, ses_index[0]);
601 vec_free (ses_to_be_removed);
605 vec_del1 (sm->addresses, i);
607 /* Delete external address from FIB */
608 pool_foreach (interface, sm->interfaces,
610 if (interface->is_inside)
613 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
620 int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
622 snat_main_t *sm = &snat_main;
624 const char * feature_name;
626 snat_static_mapping_t * m;
629 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
630 feature_name = is_inside ? "snat-in2out-fast" : "snat-out2in-fast";
633 if (sm->num_workers > 1 && !sm->deterministic)
634 feature_name = is_inside ? "snat-in2out-worker-handoff" : "snat-out2in-worker-handoff";
635 else if (sm->deterministic)
636 feature_name = is_inside ? "snat-det-in2out" : "snat-det-out2in";
638 feature_name = is_inside ? "snat-in2out" : "snat-out2in";
641 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index,
644 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
645 sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, 0);
647 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
648 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0);
650 pool_foreach (i, sm->interfaces,
652 if (i->sw_if_index == sw_if_index)
655 pool_put (sm->interfaces, i);
657 return VNET_API_ERROR_VALUE_EXIST;
664 return VNET_API_ERROR_NO_SUCH_ENTRY;
666 pool_get (sm->interfaces, i);
667 i->sw_if_index = sw_if_index;
668 i->is_inside = is_inside;
670 /* Add/delete external addresses to FIB */
675 vec_foreach (ap, sm->addresses)
676 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
678 pool_foreach (m, sm->static_mappings,
683 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
686 pool_foreach (dm, sm->det_maps,
688 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
694 int snat_set_workers (uword * bitmap)
696 snat_main_t *sm = &snat_main;
699 if (sm->num_workers < 2)
700 return VNET_API_ERROR_FEATURE_DISABLED;
702 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
703 return VNET_API_ERROR_INVALID_WORKER;
705 vec_free (sm->workers);
706 clib_bitmap_foreach (i, bitmap,
708 vec_add1(sm->workers, i);
716 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
719 ip4_address_t * address,
721 u32 if_address_index,
724 static clib_error_t * snat_init (vlib_main_t * vm)
726 snat_main_t * sm = &snat_main;
727 clib_error_t * error = 0;
728 ip4_main_t * im = &ip4_main;
729 ip_lookup_main_t * lm = &im->lookup_main;
731 vlib_thread_registration_t *tr;
732 vlib_thread_main_t *tm = vlib_get_thread_main ();
735 ip4_add_del_interface_address_callback_t cb4;
738 sm->vnet_main = vnet_get_main();
740 sm->ip4_lookup_main = lm;
741 sm->api_main = &api_main;
742 sm->first_worker_index = 0;
746 sm->fq_in2out_index = ~0;
747 sm->fq_out2in_index = ~0;
748 sm->udp_timeout = SNAT_UDP_TIMEOUT;
749 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
750 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
751 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
753 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
756 tr = (vlib_thread_registration_t *) p[0];
759 sm->num_workers = tr->count;
760 sm->first_worker_index = tr->first_index;
764 /* Use all available workers by default */
765 if (sm->num_workers > 1)
767 for (i=0; i < sm->num_workers; i++)
768 bitmap = clib_bitmap_set (bitmap, i, 1);
769 snat_set_workers(bitmap);
770 clib_bitmap_free (bitmap);
773 error = snat_api_init(vm, sm);
775 /* Set up the interface address add/del callback */
776 cb4.function = snat_ip4_add_del_interface_address_cb;
777 cb4.function_opaque = 0;
779 vec_add1 (im->add_del_interface_address_callbacks, cb4);
781 /* Init IPFIX logging */
782 snat_ipfix_logging_init(vm);
787 VLIB_INIT_FUNCTION (snat_init);
789 void snat_free_outside_address_and_port (snat_main_t * sm,
790 snat_session_key_t * k,
794 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
796 ASSERT (address_index < vec_len (sm->addresses));
798 a = sm->addresses + address_index;
802 #define _(N, i, n, s) \
803 case SNAT_PROTOCOL_##N: \
804 ASSERT (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
805 port_host_byte_order) == 1); \
806 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
807 port_host_byte_order, 0); \
808 a->busy_##n##_ports--; \
810 foreach_snat_protocol
813 clib_warning("unknown_protocol");
819 * @brief Match SNAT static mapping.
821 * @param sm SNAT main.
822 * @param match Address and port to match.
823 * @param mapping External or local address and port of the matched mapping.
824 * @param by_external If 0 match by local address otherwise match by external
826 * @param is_addr_only If matched mapping is address only
828 * @returns 0 if match found otherwise 1.
830 int snat_static_mapping_match (snat_main_t * sm,
831 snat_session_key_t match,
832 snat_session_key_t * mapping,
836 clib_bihash_kv_8_8_t kv, value;
837 snat_static_mapping_t *m;
838 snat_session_key_t m_key;
839 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
842 mapping_hash = &sm->static_mapping_by_external;
844 m_key.addr = match.addr;
845 m_key.port = clib_net_to_host_u16 (match.port);
846 m_key.protocol = match.protocol;
847 m_key.fib_index = match.fib_index;
849 kv.key = m_key.as_u64;
851 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
853 /* Try address only mapping */
856 kv.key = m_key.as_u64;
857 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
861 m = pool_elt_at_index (sm->static_mappings, value.value);
865 mapping->addr = m->local_addr;
866 /* Address only mapping doesn't change port */
867 mapping->port = m->addr_only ? match.port
868 : clib_host_to_net_u16 (m->local_port);
869 mapping->fib_index = m->fib_index;
873 mapping->addr = m->external_addr;
874 /* Address only mapping doesn't change port */
875 mapping->port = m->addr_only ? match.port
876 : clib_host_to_net_u16 (m->external_port);
877 mapping->fib_index = sm->outside_fib_index;
880 if (PREDICT_FALSE(is_addr_only != 0))
881 *is_addr_only = m->addr_only;
886 int snat_alloc_outside_address_and_port (snat_main_t * sm,
888 snat_session_key_t * k,
889 u32 * address_indexp)
895 for (i = 0; i < vec_len (sm->addresses); i++)
897 a = sm->addresses + i;
898 if (sm->vrf_mode && a->fib_index != ~0 && a->fib_index != fib_index)
902 #define _(N, j, n, s) \
903 case SNAT_PROTOCOL_##N: \
904 if (a->busy_##n##_ports < (65535-1024)) \
908 portnum = random_u32 (&sm->random_seed); \
910 if (portnum < 1024) \
912 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
914 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
915 a->busy_##n##_ports++; \
917 k->port = clib_host_to_net_u16(portnum); \
918 *address_indexp = i; \
923 foreach_snat_protocol
926 clib_warning("unknown protocol");
931 /* Totally out of translations to use... */
932 snat_ipfix_logging_addresses_exhausted(0);
937 static clib_error_t *
938 add_address_command_fn (vlib_main_t * vm,
939 unformat_input_t * input,
940 vlib_cli_command_t * cmd)
942 unformat_input_t _line_input, *line_input = &_line_input;
943 snat_main_t * sm = &snat_main;
944 ip4_address_t start_addr, end_addr, this_addr;
945 u32 start_host_order, end_host_order;
950 clib_error_t *error = 0;
952 /* Get a line of input. */
953 if (!unformat_user (input, unformat_line_input, line_input))
956 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
958 if (unformat (line_input, "%U - %U",
959 unformat_ip4_address, &start_addr,
960 unformat_ip4_address, &end_addr))
962 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
964 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
965 end_addr = start_addr;
966 else if (unformat (line_input, "del"))
970 error = clib_error_return (0, "unknown input '%U'",
971 format_unformat_error, line_input);
976 if (sm->static_mapping_only)
978 error = clib_error_return (0, "static mapping only mode");
982 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
983 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
985 if (end_host_order < start_host_order)
987 error = clib_error_return (0, "end address less than start address");
991 count = (end_host_order - start_host_order) + 1;
994 clib_warning ("%U - %U, %d addresses...",
995 format_ip4_address, &start_addr,
996 format_ip4_address, &end_addr,
999 this_addr = start_addr;
1001 for (i = 0; i < count; i++)
1004 snat_add_address (sm, &this_addr, vrf_id);
1006 rv = snat_del_address (sm, this_addr, 0);
1010 case VNET_API_ERROR_NO_SUCH_ENTRY:
1011 error = clib_error_return (0, "S-NAT address not exist.");
1013 case VNET_API_ERROR_UNSPECIFIED:
1014 error = clib_error_return (0, "S-NAT address used in static mapping.");
1020 increment_v4_address (&this_addr);
1024 unformat_free (line_input);
1029 VLIB_CLI_COMMAND (add_address_command, static) = {
1030 .path = "snat add address",
1031 .short_help = "snat add addresses <ip4-range-start> [- <ip4-range-end>] "
1032 "[tenant-vrf <vrf-id>] [del]",
1033 .function = add_address_command_fn,
1036 static clib_error_t *
1037 snat_feature_command_fn (vlib_main_t * vm,
1038 unformat_input_t * input,
1039 vlib_cli_command_t * cmd)
1041 unformat_input_t _line_input, *line_input = &_line_input;
1042 vnet_main_t * vnm = vnet_get_main();
1043 clib_error_t * error = 0;
1045 u32 * inside_sw_if_indices = 0;
1046 u32 * outside_sw_if_indices = 0;
1052 /* Get a line of input. */
1053 if (!unformat_user (input, unformat_line_input, line_input))
1056 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1058 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
1060 vec_add1 (inside_sw_if_indices, sw_if_index);
1061 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
1063 vec_add1 (outside_sw_if_indices, sw_if_index);
1064 else if (unformat (line_input, "del"))
1068 error = clib_error_return (0, "unknown input '%U'",
1069 format_unformat_error, line_input);
1074 if (vec_len (inside_sw_if_indices))
1076 for (i = 0; i < vec_len(inside_sw_if_indices); i++)
1078 sw_if_index = inside_sw_if_indices[i];
1079 snat_interface_add_del (sw_if_index, 1, is_del);
1083 if (vec_len (outside_sw_if_indices))
1085 for (i = 0; i < vec_len(outside_sw_if_indices); i++)
1087 sw_if_index = outside_sw_if_indices[i];
1088 snat_interface_add_del (sw_if_index, 0, is_del);
1093 unformat_free (line_input);
1094 vec_free (inside_sw_if_indices);
1095 vec_free (outside_sw_if_indices);
1100 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
1101 .path = "set interface snat",
1102 .function = snat_feature_command_fn,
1103 .short_help = "set interface snat in <intfc> out <intfc> [del]",
1107 unformat_snat_protocol (unformat_input_t * input, va_list * args)
1109 u32 *r = va_arg (*args, u32 *);
1112 #define _(N, i, n, s) else if (unformat (input, s)) *r = SNAT_PROTOCOL_##N;
1113 foreach_snat_protocol
1121 format_snat_protocol (u8 * s, va_list * args)
1123 u32 i = va_arg (*args, u32);
1128 #define _(N, j, n, str) case SNAT_PROTOCOL_##N: t = (u8 *) str; break;
1129 foreach_snat_protocol
1132 s = format (s, "unknown");
1134 s = format (s, "%s", t);
1138 static clib_error_t *
1139 add_static_mapping_command_fn (vlib_main_t * vm,
1140 unformat_input_t * input,
1141 vlib_cli_command_t * cmd)
1143 unformat_input_t _line_input, *line_input = &_line_input;
1144 clib_error_t * error = 0;
1145 ip4_address_t l_addr, e_addr;
1146 u32 l_port = 0, e_port = 0, vrf_id = ~0;
1149 u32 sw_if_index = ~0;
1150 vnet_main_t * vnm = vnet_get_main();
1152 snat_protocol_t proto;
1155 /* Get a line of input. */
1156 if (!unformat_user (input, unformat_line_input, line_input))
1159 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1161 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
1164 else if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
1166 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
1169 else if (unformat (line_input, "external %U", unformat_ip4_address,
1172 else if (unformat (line_input, "external %U %u",
1173 unformat_vnet_sw_interface, vnm, &sw_if_index,
1177 else if (unformat (line_input, "external %U",
1178 unformat_vnet_sw_interface, vnm, &sw_if_index))
1180 else if (unformat (line_input, "vrf %u", &vrf_id))
1182 else if (unformat (line_input, "%U", unformat_snat_protocol, &proto))
1184 else if (unformat (line_input, "del"))
1188 error = clib_error_return (0, "unknown input: '%U'",
1189 format_unformat_error, line_input);
1194 if (!addr_only && !proto_set)
1196 error = clib_error_return (0, "missing protocol");
1200 rv = snat_add_static_mapping(l_addr, e_addr, (u16) l_port, (u16) e_port,
1201 vrf_id, addr_only, sw_if_index, proto, is_add);
1205 case VNET_API_ERROR_INVALID_VALUE:
1206 error = clib_error_return (0, "External port already in use.");
1208 case VNET_API_ERROR_NO_SUCH_ENTRY:
1210 error = clib_error_return (0, "External addres must be allocated.");
1212 error = clib_error_return (0, "Mapping not exist.");
1214 case VNET_API_ERROR_NO_SUCH_FIB:
1215 error = clib_error_return (0, "No such VRF id.");
1217 case VNET_API_ERROR_VALUE_EXIST:
1218 error = clib_error_return (0, "Mapping already exist.");
1225 unformat_free (line_input);
1232 * @cliexstart{snat add static mapping}
1233 * Static mapping allows hosts on the external network to initiate connection
1234 * to to the local network host.
1235 * To create static mapping between local host address 10.0.0.3 port 6303 and
1236 * external address 4.4.4.4 port 3606 for TCP protocol use:
1237 * vpp# snat add static mapping local tcp 10.0.0.3 6303 external 4.4.4.4 3606
1238 * If not runnig "static mapping only" S-NAT plugin mode use before:
1239 * vpp# snat add address 4.4.4.4
1240 * To create static mapping between local and external address use:
1241 * vpp# snat add static mapping local 10.0.0.3 external 4.4.4.4
1244 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
1245 .path = "snat add static mapping",
1246 .function = add_static_mapping_command_fn,
1248 "snat add static mapping local tcp|udp|icmp <addr> [<port>] external <addr> [<port>] [vrf <table-id>] [del]",
1251 static clib_error_t *
1252 set_workers_command_fn (vlib_main_t * vm,
1253 unformat_input_t * input,
1254 vlib_cli_command_t * cmd)
1256 unformat_input_t _line_input, *line_input = &_line_input;
1259 clib_error_t *error = 0;
1261 /* Get a line of input. */
1262 if (!unformat_user (input, unformat_line_input, line_input))
1265 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1267 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
1271 error = clib_error_return (0, "unknown input '%U'",
1272 format_unformat_error, line_input);
1279 error = clib_error_return (0, "List of workers must be specified.");
1283 rv = snat_set_workers(bitmap);
1285 clib_bitmap_free (bitmap);
1289 case VNET_API_ERROR_INVALID_WORKER:
1290 error = clib_error_return (0, "Invalid worker(s).");
1292 case VNET_API_ERROR_FEATURE_DISABLED:
1293 error = clib_error_return (0,
1294 "Supported only if 2 or more workes available.");
1301 unformat_free (line_input);
1308 * @cliexstart{set snat workers}
1309 * Set SNAT workers if 2 or more workers available, use:
1310 * vpp# set snat workers 0-2,5
1313 VLIB_CLI_COMMAND (set_workers_command, static) = {
1314 .path = "set snat workers",
1315 .function = set_workers_command_fn,
1317 "set snat workers <workers-list>",
1320 static clib_error_t *
1321 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
1322 unformat_input_t * input,
1323 vlib_cli_command_t * cmd)
1325 unformat_input_t _line_input, *line_input = &_line_input;
1330 clib_error_t *error = 0;
1332 /* Get a line of input. */
1333 if (!unformat_user (input, unformat_line_input, line_input))
1336 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1338 if (unformat (line_input, "domain %d", &domain_id))
1340 else if (unformat (line_input, "src-port %d", &src_port))
1342 else if (unformat (line_input, "disable"))
1346 error = clib_error_return (0, "unknown input '%U'",
1347 format_unformat_error, line_input);
1352 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
1356 error = clib_error_return (0, "ipfix logging enable failed");
1361 unformat_free (line_input);
1368 * @cliexstart{snat ipfix logging}
1369 * To enable SNAT IPFIX logging use:
1370 * vpp# snat ipfix logging
1371 * To set IPFIX exporter use:
1372 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
1375 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
1376 .path = "snat ipfix logging",
1377 .function = snat_ipfix_logging_enable_disable_command_fn,
1378 .short_help = "snat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
1382 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0)
1384 snat_main_t *sm = &snat_main;
1385 snat_user_key_t key0;
1386 clib_bihash_kv_8_8_t kv0, value0;
1387 u32 next_worker_index = 0;
1389 key0.addr = ip0->src_address;
1390 key0.fib_index = rx_fib_index0;
1392 kv0.key = key0.as_u64;
1394 /* Ever heard of of the "user" before? */
1395 if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv0, &value0))
1397 /* No, assign next available worker (RR) */
1398 next_worker_index = sm->first_worker_index;
1399 if (vec_len (sm->workers))
1401 next_worker_index +=
1402 sm->workers[sm->next_worker++ % _vec_len (sm->workers)];
1405 /* add non-traslated packets worker lookup */
1406 kv0.value = next_worker_index;
1407 clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv0, 1);
1410 next_worker_index = value0.value;
1412 return next_worker_index;
1416 snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0)
1418 snat_main_t *sm = &snat_main;
1419 snat_worker_key_t key0;
1420 clib_bihash_kv_8_8_t kv0, value0;
1421 udp_header_t * udp0;
1422 u32 next_worker_index = 0;
1424 udp0 = ip4_next_header (ip0);
1426 key0.addr = ip0->dst_address;
1427 key0.port = udp0->dst_port;
1428 key0.fib_index = rx_fib_index0;
1430 if (PREDICT_FALSE(ip0->protocol == IP_PROTOCOL_ICMP))
1432 icmp46_header_t * icmp0 = (icmp46_header_t *) udp0;
1433 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
1434 key0.port = echo0->identifier;
1437 kv0.key = key0.as_u64;
1439 /* Ever heard of of the "user" before? */
1440 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
1443 kv0.key = key0.as_u64;
1445 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
1447 /* No, assign next available worker (RR) */
1448 next_worker_index = sm->first_worker_index;
1449 if (vec_len (sm->workers))
1451 next_worker_index +=
1452 sm->workers[sm->next_worker++ % _vec_len (sm->workers)];
1457 /* Static mapping without port */
1458 next_worker_index = value0.value;
1461 /* Add to translated packets worker lookup */
1462 kv0.value = next_worker_index;
1463 clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv0, 1);
1466 next_worker_index = value0.value;
1468 return next_worker_index;
1471 static clib_error_t *
1472 snat_config (vlib_main_t * vm, unformat_input_t * input)
1474 snat_main_t * sm = &snat_main;
1475 u32 translation_buckets = 1024;
1476 u32 translation_memory_size = 128<<20;
1477 u32 user_buckets = 128;
1478 u32 user_memory_size = 64<<20;
1479 u32 max_translations_per_user = 100;
1480 u32 outside_vrf_id = 0;
1481 u32 inside_vrf_id = 0;
1482 u32 static_mapping_buckets = 1024;
1483 u32 static_mapping_memory_size = 64<<20;
1484 u8 static_mapping_only = 0;
1485 u8 static_mapping_connection_tracking = 0;
1486 vlib_thread_main_t *tm = vlib_get_thread_main ();
1488 sm->deterministic = 0;
1490 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1492 if (unformat (input, "translation hash buckets %d", &translation_buckets))
1494 else if (unformat (input, "translation hash memory %d",
1495 &translation_memory_size));
1496 else if (unformat (input, "user hash buckets %d", &user_buckets))
1498 else if (unformat (input, "user hash memory %d",
1501 else if (unformat (input, "max translations per user %d",
1502 &max_translations_per_user))
1504 else if (unformat (input, "outside VRF id %d",
1507 else if (unformat (input, "inside VRF id %d",
1510 else if (unformat (input, "static mapping only"))
1512 static_mapping_only = 1;
1513 if (unformat (input, "connection tracking"))
1514 static_mapping_connection_tracking = 1;
1516 else if (unformat (input, "deterministic"))
1517 sm->deterministic = 1;
1519 return clib_error_return (0, "unknown input '%U'",
1520 format_unformat_error, input);
1523 /* for show commands, etc. */
1524 sm->translation_buckets = translation_buckets;
1525 sm->translation_memory_size = translation_memory_size;
1526 sm->user_buckets = user_buckets;
1527 sm->user_memory_size = user_memory_size;
1528 sm->max_translations_per_user = max_translations_per_user;
1529 sm->outside_vrf_id = outside_vrf_id;
1530 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1532 sm->inside_vrf_id = inside_vrf_id;
1533 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1535 sm->static_mapping_only = static_mapping_only;
1536 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
1538 if (sm->deterministic)
1540 sm->in2out_node_index = snat_det_in2out_node.index;
1541 sm->out2in_node_index = snat_det_out2in_node.index;
1542 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
1543 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
1547 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
1548 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
1549 sm->in2out_node_index = snat_in2out_node.index;
1550 sm->out2in_node_index = snat_out2in_node.index;
1551 if (!static_mapping_only ||
1552 (static_mapping_only && static_mapping_connection_tracking))
1554 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
1555 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
1557 clib_bihash_init_8_8 (&sm->worker_by_in, "worker-by-in", user_buckets,
1560 clib_bihash_init_8_8 (&sm->worker_by_out, "worker-by-out", user_buckets,
1563 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
1565 clib_bihash_init_8_8 (&sm->in2out, "in2out", translation_buckets,
1566 translation_memory_size);
1568 clib_bihash_init_8_8 (&sm->out2in, "out2in", translation_buckets,
1569 translation_memory_size);
1571 clib_bihash_init_8_8 (&sm->user_hash, "users", user_buckets,
1576 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
1577 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
1579 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
1580 "static_mapping_by_local", static_mapping_buckets,
1581 static_mapping_memory_size);
1583 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
1584 "static_mapping_by_external", static_mapping_buckets,
1585 static_mapping_memory_size);
1591 VLIB_CONFIG_FUNCTION (snat_config, "snat");
1593 u8 * format_snat_session_state (u8 * s, va_list * args)
1595 u32 i = va_arg (*args, u32);
1600 #define _(v, N, str) case SNAT_SESSION_##N: t = (u8 *) str; break;
1601 foreach_snat_session_state
1604 t = format (t, "unknown");
1606 s = format (s, "%s", t);
1610 u8 * format_snat_key (u8 * s, va_list * args)
1612 snat_session_key_t * key = va_arg (*args, snat_session_key_t *);
1613 char * protocol_string = "unknown";
1614 static char *protocol_strings[] = {
1620 if (key->protocol < ARRAY_LEN(protocol_strings))
1621 protocol_string = protocol_strings[key->protocol];
1623 s = format (s, "%U proto %s port %d fib %d",
1624 format_ip4_address, &key->addr, protocol_string,
1625 clib_net_to_host_u16 (key->port), key->fib_index);
1629 u8 * format_snat_session (u8 * s, va_list * args)
1631 snat_main_t * sm __attribute__((unused)) = va_arg (*args, snat_main_t *);
1632 snat_session_t * sess = va_arg (*args, snat_session_t *);
1634 s = format (s, " i2o %U\n", format_snat_key, &sess->in2out);
1635 s = format (s, " o2i %U\n", format_snat_key, &sess->out2in);
1636 s = format (s, " last heard %.2f\n", sess->last_heard);
1637 s = format (s, " total pkts %d, total bytes %lld\n",
1638 sess->total_pkts, sess->total_bytes);
1639 if (snat_is_session_static (sess))
1640 s = format (s, " static translation\n");
1642 s = format (s, " dynamic translation\n");
1647 u8 * format_snat_user (u8 * s, va_list * args)
1649 snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *);
1650 snat_user_t * u = va_arg (*args, snat_user_t *);
1651 int verbose = va_arg (*args, int);
1652 dlist_elt_t * head, * elt;
1653 u32 elt_index, head_index;
1655 snat_session_t * sess;
1657 s = format (s, "%U: %d dynamic translations, %d static translations\n",
1658 format_ip4_address, &u->addr, u->nsessions, u->nstaticsessions);
1663 if (u->nsessions || u->nstaticsessions)
1665 head_index = u->sessions_per_user_list_head_index;
1666 head = pool_elt_at_index (sm->list_pool, head_index);
1668 elt_index = head->next;
1669 elt = pool_elt_at_index (sm->list_pool, elt_index);
1670 session_index = elt->value;
1672 while (session_index != ~0)
1674 sess = pool_elt_at_index (sm->sessions, session_index);
1676 s = format (s, " %U\n", format_snat_session, sm, sess);
1678 elt_index = elt->next;
1679 elt = pool_elt_at_index (sm->list_pool, elt_index);
1680 session_index = elt->value;
1687 u8 * format_snat_static_mapping (u8 * s, va_list * args)
1689 snat_static_mapping_t *m = va_arg (*args, snat_static_mapping_t *);
1692 s = format (s, "local %U external %U vrf %d",
1693 format_ip4_address, &m->local_addr,
1694 format_ip4_address, &m->external_addr,
1697 s = format (s, "%U local %U:%d external %U:%d vrf %d",
1698 format_snat_protocol, m->proto,
1699 format_ip4_address, &m->local_addr, m->local_port,
1700 format_ip4_address, &m->external_addr, m->external_port,
1706 u8 * format_snat_static_map_to_resolve (u8 * s, va_list * args)
1708 snat_static_map_resolve_t *m = va_arg (*args, snat_static_map_resolve_t *);
1709 vnet_main_t *vnm = vnet_get_main();
1712 s = format (s, "local %U external %U vrf %d",
1713 format_ip4_address, &m->l_addr,
1714 format_vnet_sw_interface_name, vnm,
1715 vnet_get_sw_interface (vnm, m->sw_if_index),
1718 s = format (s, "%U local %U:%d external %U:%d vrf %d",
1719 format_snat_protocol, m->proto,
1720 format_ip4_address, &m->l_addr, m->l_port,
1721 format_vnet_sw_interface_name, vnm,
1722 vnet_get_sw_interface (vnm, m->sw_if_index), m->e_port,
1728 u8 * format_det_map_ses (u8 * s, va_list * args)
1730 snat_det_map_t * det_map = va_arg (*args, snat_det_map_t *);
1731 ip4_address_t in_addr, out_addr;
1732 u32 in_offset, out_offset;
1733 snat_det_session_t * ses = va_arg (*args, snat_det_session_t *);
1734 u32 * i = va_arg (*args, u32 *);
1736 u32 user_index = *i / SNAT_DET_SES_PER_USER;
1737 in_addr.as_u32 = clib_host_to_net_u32 (
1738 clib_net_to_host_u32(det_map->in_addr.as_u32) + user_index);
1739 in_offset = clib_net_to_host_u32(in_addr.as_u32) -
1740 clib_net_to_host_u32(det_map->in_addr.as_u32);
1741 out_offset = in_offset / det_map->sharing_ratio;
1742 out_addr.as_u32 = clib_host_to_net_u32(
1743 clib_net_to_host_u32(det_map->out_addr.as_u32) + out_offset);
1744 s = format (s, "in %U:%d out %U:%d external host %U:%d state: %U expire: %d\n",
1745 format_ip4_address, &in_addr,
1746 clib_net_to_host_u16 (ses->in_port),
1747 format_ip4_address, &out_addr,
1748 clib_net_to_host_u16 (ses->out.out_port),
1749 format_ip4_address, &ses->out.ext_host_addr,
1750 clib_net_to_host_u16 (ses->out.ext_host_port),
1751 format_snat_session_state, ses->state,
1757 static clib_error_t *
1758 show_snat_command_fn (vlib_main_t * vm,
1759 unformat_input_t * input,
1760 vlib_cli_command_t * cmd)
1763 snat_main_t * sm = &snat_main;
1765 snat_static_mapping_t *m;
1766 snat_interface_t *i;
1767 snat_address_t * ap;
1768 vnet_main_t *vnm = vnet_get_main();
1769 snat_main_per_thread_data_t *tsm;
1770 u32 users_num = 0, sessions_num = 0, *worker, *sw_if_index;
1772 snat_static_map_resolve_t *rp;
1773 snat_det_map_t * dm;
1774 snat_det_session_t * ses;
1776 if (unformat (input, "detail"))
1778 else if (unformat (input, "verbose"))
1781 if (sm->static_mapping_only)
1783 if (sm->static_mapping_connection_tracking)
1784 vlib_cli_output (vm, "SNAT mode: static mapping only connection "
1787 vlib_cli_output (vm, "SNAT mode: static mapping only");
1789 else if (sm->deterministic)
1791 vlib_cli_output (vm, "SNAT mode: deterministic mapping");
1795 vlib_cli_output (vm, "SNAT mode: dynamic translations enabled");
1800 pool_foreach (i, sm->interfaces,
1802 vlib_cli_output (vm, "%U %s", format_vnet_sw_interface_name, vnm,
1803 vnet_get_sw_interface (vnm, i->sw_if_index),
1804 i->is_inside ? "in" : "out");
1807 if (vec_len (sm->auto_add_sw_if_indices))
1809 vlib_cli_output (vm, "SNAT pool addresses interfaces:");
1810 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1812 vlib_cli_output (vm, "%U", format_vnet_sw_interface_name, vnm,
1813 vnet_get_sw_interface (vnm, *sw_if_index));
1817 vec_foreach (ap, sm->addresses)
1819 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
1820 if (ap->fib_index != ~0)
1821 vlib_cli_output (vm, " tenant VRF: %u",
1822 ip4_fib_get(ap->fib_index)->table_id);
1824 vlib_cli_output (vm, " tenant VRF independent");
1825 #define _(N, i, n, s) \
1826 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
1827 foreach_snat_protocol
1832 if (sm->num_workers > 1)
1834 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
1837 vec_foreach (worker, sm->workers)
1839 vlib_worker_thread_t *w =
1840 vlib_worker_threads + *worker + sm->first_worker_index;
1841 vlib_cli_output (vm, " %s", w->name);
1846 if (sm->deterministic)
1848 vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
1849 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1850 sm->tcp_established_timeout);
1851 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1852 sm->tcp_transitory_timeout);
1853 vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
1854 vlib_cli_output (vm, "%d deterministic mappings",
1855 pool_elts (sm->det_maps));
1858 pool_foreach (dm, sm->det_maps,
1860 vlib_cli_output (vm, "in %U/%d out %U/%d\n",
1861 format_ip4_address, &dm->in_addr, dm->in_plen,
1862 format_ip4_address, &dm->out_addr, dm->out_plen);
1863 vlib_cli_output (vm, " outside address sharing ratio: %d\n",
1865 vlib_cli_output (vm, " number of ports per inside host: %d\n",
1866 dm->ports_per_host);
1867 vlib_cli_output (vm, " sessions number: %d\n", dm->ses_num);
1870 vec_foreach_index (j, dm->sessions)
1872 ses = vec_elt_at_index (dm->sessions, j);
1874 vlib_cli_output (vm, " %U", format_det_map_ses, dm, ses,
1883 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1885 vlib_cli_output (vm, "%d static mappings",
1886 pool_elts (sm->static_mappings));
1890 pool_foreach (m, sm->static_mappings,
1892 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
1898 vec_foreach (tsm, sm->per_thread_data)
1900 users_num += pool_elts (tsm->users);
1901 sessions_num += pool_elts (tsm->sessions);
1904 vlib_cli_output (vm, "%d users, %d outside addresses, %d active sessions,"
1905 " %d static mappings",
1907 vec_len (sm->addresses),
1909 pool_elts (sm->static_mappings));
1913 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->in2out,
1915 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->out2in,
1917 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->worker_by_in,
1919 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->worker_by_out,
1921 vec_foreach_index (j, sm->per_thread_data)
1923 tsm = vec_elt_at_index (sm->per_thread_data, j);
1925 if (pool_elts (tsm->users) == 0)
1928 vlib_worker_thread_t *w = vlib_worker_threads + j;
1929 vlib_cli_output (vm, "Thread %d (%s at lcore %u):", j, w->name,
1931 vlib_cli_output (vm, " %d list pool elements",
1932 pool_elts (tsm->list_pool));
1934 pool_foreach (u, tsm->users,
1936 vlib_cli_output (vm, " %U", format_snat_user, tsm, u,
1941 if (pool_elts (sm->static_mappings))
1943 vlib_cli_output (vm, "static mappings:");
1944 pool_foreach (m, sm->static_mappings,
1946 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
1948 for (j = 0; j < vec_len (sm->to_resolve); j++)
1950 rp = sm->to_resolve + j;
1951 vlib_cli_output (vm, "%U",
1952 format_snat_static_map_to_resolve, rp);
1961 VLIB_CLI_COMMAND (show_snat_command, static) = {
1962 .path = "show snat",
1963 .short_help = "show snat",
1964 .function = show_snat_command_fn,
1969 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
1972 ip4_address_t * address,
1974 u32 if_address_index,
1977 snat_main_t *sm = &snat_main;
1978 snat_static_map_resolve_t *rp;
1979 u32 *indices_to_delete = 0;
1983 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++)
1985 if (sw_if_index == sm->auto_add_sw_if_indices[i])
1989 /* Don't trip over lease renewal, static config */
1990 for (j = 0; j < vec_len(sm->addresses); j++)
1991 if (sm->addresses[j].addr.as_u32 == address->as_u32)
1994 snat_add_address (sm, address, ~0);
1995 /* Scan static map resolution vector */
1996 for (j = 0; j < vec_len (sm->to_resolve); j++)
1998 rp = sm->to_resolve + j;
1999 /* On this interface? */
2000 if (rp->sw_if_index == sw_if_index)
2002 /* Add the static mapping */
2003 rv = snat_add_static_mapping (rp->l_addr,
2009 ~0 /* sw_if_index */,
2013 clib_warning ("snat_add_static_mapping returned %d",
2015 vec_add1 (indices_to_delete, j);
2018 /* If we resolved any of the outstanding static mappings */
2019 if (vec_len(indices_to_delete))
2022 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
2023 vec_delete(sm->to_resolve, 1, j);
2024 vec_free(indices_to_delete);
2030 (void) snat_del_address(sm, address[0], 1);
2038 int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del)
2040 ip4_main_t * ip4_main = sm->ip4_main;
2041 ip4_address_t * first_int_addr;
2042 snat_static_map_resolve_t *rp;
2043 u32 *indices_to_delete = 0;
2046 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index,
2047 0 /* just want the address*/);
2049 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++)
2051 if (sm->auto_add_sw_if_indices[i] == sw_if_index)
2055 /* if have address remove it */
2057 (void) snat_del_address (sm, first_int_addr[0], 1);
2060 for (j = 0; j < vec_len (sm->to_resolve); j++)
2062 rp = sm->to_resolve + j;
2063 if (rp->sw_if_index == sw_if_index)
2064 vec_add1 (indices_to_delete, j);
2066 if (vec_len(indices_to_delete))
2068 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
2069 vec_del1(sm->to_resolve, j);
2070 vec_free(indices_to_delete);
2073 vec_del1(sm->auto_add_sw_if_indices, i);
2076 return VNET_API_ERROR_VALUE_EXIST;
2083 return VNET_API_ERROR_NO_SUCH_ENTRY;
2085 /* add to the auto-address list */
2086 vec_add1(sm->auto_add_sw_if_indices, sw_if_index);
2088 /* If the address is already bound - or static - add it now */
2090 snat_add_address (sm, first_int_addr, ~0);
2095 static clib_error_t *
2096 snat_add_interface_address_command_fn (vlib_main_t * vm,
2097 unformat_input_t * input,
2098 vlib_cli_command_t * cmd)
2100 snat_main_t *sm = &snat_main;
2101 unformat_input_t _line_input, *line_input = &_line_input;
2105 clib_error_t *error = 0;
2107 /* Get a line of input. */
2108 if (!unformat_user (input, unformat_line_input, line_input))
2111 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2113 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
2114 sm->vnet_main, &sw_if_index))
2116 else if (unformat (line_input, "del"))
2120 error = clib_error_return (0, "unknown input '%U'",
2121 format_unformat_error, line_input);
2126 rv = snat_add_interface_address (sm, sw_if_index, is_del);
2134 error = clib_error_return (0, "snat_add_interface_address returned %d",
2140 unformat_free (line_input);
2145 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2146 .path = "snat add interface address",
2147 .short_help = "snat add interface address <interface> [del]",
2148 .function = snat_add_interface_address_command_fn,
2151 static clib_error_t *
2152 snat_det_map_command_fn (vlib_main_t * vm,
2153 unformat_input_t * input,
2154 vlib_cli_command_t * cmd)
2156 snat_main_t *sm = &snat_main;
2157 unformat_input_t _line_input, *line_input = &_line_input;
2158 ip4_address_t in_addr, out_addr;
2159 u32 in_plen, out_plen;
2161 clib_error_t *error = 0;
2163 /* Get a line of input. */
2164 if (!unformat_user (input, unformat_line_input, line_input))
2167 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2169 if (unformat (line_input, "in %U/%u", unformat_ip4_address, &in_addr, &in_plen))
2171 else if (unformat (line_input, "out %U/%u", unformat_ip4_address, &out_addr, &out_plen))
2173 else if (unformat (line_input, "del"))
2177 error = clib_error_return (0, "unknown input '%U'",
2178 format_unformat_error, line_input);
2183 unformat_free (line_input);
2185 rv = snat_det_add_map(sm, &in_addr, (u8) in_plen, &out_addr, (u8)out_plen,
2190 error = clib_error_return (0, "snat_det_add_map return %d", rv);
2195 unformat_free (line_input);
2202 * @cliexstart{snat deterministic add}
2203 * Create bijective mapping of inside address to outside address and port range
2204 * pairs, with the purpose of enabling deterministic NAT to reduce logging in
2206 * To create deterministic mapping between inside network 10.0.0.0/18 and
2207 * outside network 1.1.1.0/30 use:
2208 * # vpp# snat deterministic add in 10.0.0.0/18 out 1.1.1.0/30
2211 VLIB_CLI_COMMAND (snat_det_map_command, static) = {
2212 .path = "snat deterministic add",
2213 .short_help = "snat deterministic add in <addr>/<plen> out <addr>/<plen> [del]",
2214 .function = snat_det_map_command_fn,
2217 static clib_error_t *
2218 snat_det_forward_command_fn (vlib_main_t * vm,
2219 unformat_input_t * input,
2220 vlib_cli_command_t * cmd)
2222 snat_main_t *sm = &snat_main;
2223 unformat_input_t _line_input, *line_input = &_line_input;
2224 ip4_address_t in_addr, out_addr;
2226 snat_det_map_t * dm;
2227 clib_error_t *error = 0;
2229 /* Get a line of input. */
2230 if (!unformat_user (input, unformat_line_input, line_input))
2233 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2235 if (unformat (line_input, "%U", unformat_ip4_address, &in_addr))
2239 error = clib_error_return (0, "unknown input '%U'",
2240 format_unformat_error, line_input);
2245 unformat_free (line_input);
2247 dm = snat_det_map_by_user(sm, &in_addr);
2249 vlib_cli_output (vm, "no match");
2252 snat_det_forward (dm, &in_addr, &out_addr, &lo_port);
2253 vlib_cli_output (vm, "%U:<%d-%d>", format_ip4_address, &out_addr,
2254 lo_port, lo_port + dm->ports_per_host - 1);
2258 unformat_free (line_input);
2265 * @cliexstart{snat deterministic forward}
2266 * Return outside address and port range from inside address for deterministic
2268 * To obtain outside address and port of inside host use:
2269 * vpp# snat deterministic forward 10.0.0.2
2270 * 1.1.1.0:<1054-1068>
2273 VLIB_CLI_COMMAND (snat_det_forward_command, static) = {
2274 .path = "snat deterministic forward",
2275 .short_help = "snat deterministic forward <addr>",
2276 .function = snat_det_forward_command_fn,
2279 static clib_error_t *
2280 snat_det_reverse_command_fn (vlib_main_t * vm,
2281 unformat_input_t * input,
2282 vlib_cli_command_t * cmd)
2284 snat_main_t *sm = &snat_main;
2285 unformat_input_t _line_input, *line_input = &_line_input;
2286 ip4_address_t in_addr, out_addr;
2288 snat_det_map_t * dm;
2289 clib_error_t *error = 0;
2291 /* Get a line of input. */
2292 if (!unformat_user (input, unformat_line_input, line_input))
2295 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2297 if (unformat (line_input, "%U:%d", unformat_ip4_address, &out_addr, &out_port))
2301 error = clib_error_return (0, "unknown input '%U'",
2302 format_unformat_error, line_input);
2306 unformat_free (line_input);
2308 if (out_port < 1024 || out_port > 65535)
2310 error = clib_error_return (0, "wrong port, must be <1024-65535>");
2314 dm = snat_det_map_by_out(sm, &out_addr);
2316 vlib_cli_output (vm, "no match");
2319 snat_det_reverse (dm, &out_addr, (u16) out_port, &in_addr);
2320 vlib_cli_output (vm, "%U", format_ip4_address, &in_addr);
2324 unformat_free (line_input);
2331 * @cliexstart{snat deterministic reverse}
2332 * Return inside address from outside address and port for deterministic NAT.
2333 * To obtain inside host address from outside address and port use:
2334 * #vpp snat deterministic reverse 1.1.1.1:1276
2338 VLIB_CLI_COMMAND (snat_det_reverse_command, static) = {
2339 .path = "snat deterministic reverse",
2340 .short_help = "snat deterministic reverse <addr>:<port>",
2341 .function = snat_det_reverse_command_fn,
2344 static clib_error_t *
2345 set_timeout_command_fn (vlib_main_t * vm,
2346 unformat_input_t * input,
2347 vlib_cli_command_t * cmd)
2349 snat_main_t *sm = &snat_main;
2350 unformat_input_t _line_input, *line_input = &_line_input;
2351 clib_error_t *error = 0;
2353 /* Get a line of input. */
2354 if (!unformat_user (input, unformat_line_input, line_input))
2357 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2359 if (unformat (line_input, "udp %u", &sm->udp_timeout))
2361 else if (unformat (line_input, "tcp-established %u",
2362 &sm->tcp_established_timeout))
2364 else if (unformat (line_input, "tcp-transitory %u",
2365 &sm->tcp_transitory_timeout))
2367 else if (unformat (line_input, "icmp %u", &sm->icmp_timeout))
2369 else if (unformat (line_input, "reset"))
2371 sm->udp_timeout = SNAT_UDP_TIMEOUT;
2372 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
2373 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
2374 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
2378 error = clib_error_return (0, "unknown input '%U'",
2379 format_unformat_error, line_input);
2384 unformat_free (line_input);
2387 unformat_free (line_input);
2394 * @cliexstart{set snat deterministic timeout}
2395 * Set values of timeouts for deterministic NAT (in seconds), use:
2396 * vpp# set snat deterministic timeout udp 120 tcp-established 7500
2397 * tcp-transitory 250 icmp 90
2398 * To reset default values use:
2399 * vpp# set snat deterministic timeout reset
2402 VLIB_CLI_COMMAND (set_timeout_command, static) = {
2403 .path = "set snat deterministic timeout",
2404 .function = set_timeout_command_fn,
2406 "set snat deterministic timeout [udp <sec> | tcp-established <sec> "
2407 "tcp-transitory <sec> | icmp <sec> | reset]",
2410 static clib_error_t *
2411 snat_det_close_session_out_fn (vlib_main_t *vm,
2412 unformat_input_t * input,
2413 vlib_cli_command_t * cmd)
2415 snat_main_t *sm = &snat_main;
2416 unformat_input_t _line_input, *line_input = &_line_input;
2417 ip4_address_t out_addr, ext_addr, in_addr;
2418 u16 out_port, ext_port;
2419 snat_det_map_t * dm;
2420 snat_det_session_t * ses;
2421 snat_det_out_key_t key;
2422 clib_error_t *error = 0;
2424 /* Get a line of input. */
2425 if (!unformat_user (input, unformat_line_input, line_input))
2428 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2430 if (unformat (line_input, "%U:%d %U:%d",
2431 unformat_ip4_address, &out_addr, &out_port,
2432 unformat_ip4_address, &ext_addr, &ext_port))
2436 error = clib_error_return (0, "unknown input '%U'",
2437 format_unformat_error, line_input);
2442 unformat_free (line_input);
2444 dm = snat_det_map_by_out(sm, &out_addr);
2446 vlib_cli_output (vm, "no match");
2449 snat_det_reverse(dm, &ext_addr, out_port, &in_addr);
2450 key.ext_host_addr = out_addr;
2451 key.ext_host_port = ntohs(ext_port);
2452 key.out_port = ntohs(out_port);
2453 ses = snat_det_get_ses_by_out(dm, &out_addr, key.as_u64);
2455 vlib_cli_output (vm, "no match");
2457 snat_det_ses_close(dm, ses);
2461 unformat_free (line_input);
2468 * @cliexstart{snat deterministic close session out}
2469 * Close session using outside ip address and port
2470 * and external ip address and port, use:
2471 * vpp# snat deterministic close session out 1.1.1.1:1276 2.2.2.2:2387
2474 VLIB_CLI_COMMAND (snat_det_close_sesion_out_command, static) = {
2475 .path = "snat deterministic close session out",
2476 .short_help = "snat deterministic close session out "
2477 "<out_addr>:<out_port> <ext_addr>:<ext_port>",
2478 .function = snat_det_close_session_out_fn,
2481 static clib_error_t *
2482 snat_det_close_session_in_fn (vlib_main_t *vm,
2483 unformat_input_t * input,
2484 vlib_cli_command_t * cmd)
2486 snat_main_t *sm = &snat_main;
2487 unformat_input_t _line_input, *line_input = &_line_input;
2488 ip4_address_t in_addr, ext_addr;
2489 u16 in_port, ext_port;
2490 snat_det_map_t * dm;
2491 snat_det_session_t * ses;
2492 snat_det_out_key_t key;
2493 clib_error_t *error = 0;
2495 /* Get a line of input. */
2496 if (!unformat_user (input, unformat_line_input, line_input))
2499 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2501 if (unformat (line_input, "%U:%d %U:%d",
2502 unformat_ip4_address, &in_addr, &in_port,
2503 unformat_ip4_address, &ext_addr, &ext_port))
2507 error = clib_error_return (0, "unknown input '%U'",
2508 format_unformat_error, line_input);
2513 unformat_free (line_input);
2515 dm = snat_det_map_by_user (sm, &in_addr);
2517 vlib_cli_output (vm, "no match");
2520 key.ext_host_addr = ext_addr;
2521 key.ext_host_port = ntohs (ext_port);
2522 ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs(in_port), key);
2524 vlib_cli_output (vm, "no match");
2526 snat_det_ses_close(dm, ses);
2530 unformat_free(line_input);
2537 * @cliexstart{snat deterministic close_session_in}
2538 * Close session using inside ip address and port
2539 * and external ip address and port, use:
2540 * vpp# snat deterministic close session in 3.3.3.3:3487 2.2.2.2:2387
2543 VLIB_CLI_COMMAND (snat_det_close_session_in_command, static) = {
2544 .path = "snat deterministic close session in",
2545 .short_help = "snat deterministic close session in "
2546 "<in_addr>:<in_port> <ext_addr>:<ext_port>",
2547 .function = snat_det_close_session_in_fn,
Code Review / vpp.git / blob