#include <vppinfra/error.h>
#include <vlibapi/api.h>
#include <vlib/log.h>
+#include <vppinfra/bihash_16_8.h>
/* default session timeouts */
#define SNAT_UDP_TIMEOUT 300
_(OUT_OF_PORTS, "out of ports") \
_(BAD_ICMP_TYPE, "unsupported ICMP type") \
_(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
+_(MAX_USER_SESS_EXCEEDED, "max user sessions exceeded") \
_(DROP_FRAGMENT, "drop fragment") \
_(MAX_REASS, "maximum reassemblies exceeded") \
_(MAX_FRAG, "maximum fragments per reassembly exceeded")\
+_(CANNOT_CREATE_USER, "cannot create NAT user") \
_(NON_SYN, "non-SYN packet try to create session") \
_(TCP_PACKETS, "TCP packets") \
+_(TCP_CLOSED, "drops due to TCP in transitory timeout") \
_(UDP_PACKETS, "UDP packets") \
_(ICMP_PACKETS, "ICMP packets") \
_(OTHER_PACKETS, "other protocol packets") \
_(BAD_ICMP_TYPE, "unsupported ICMP type") \
_(NO_TRANSLATION, "no translation") \
_(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
+_(MAX_USER_SESS_EXCEEDED, "max user sessions exceeded") \
_(DROP_FRAGMENT, "drop fragment") \
_(MAX_REASS, "maximum reassemblies exceeded") \
_(MAX_FRAG, "maximum fragments per reassembly exceeded")\
+_(CANNOT_CREATE_USER, "cannot create NAT user") \
_(NON_SYN, "non-SYN packet try to create session") \
_(TCP_PACKETS, "TCP packets") \
+_(TCP_CLOSED, "drops due to TCP in transitory timeout") \
_(UDP_PACKETS, "UDP packets") \
_(ICMP_PACKETS, "ICMP packets") \
_(OTHER_PACKETS, "other protocol packets") \
u32 per_user_index;
u32 per_user_list_head_index;
+ /* index in global LRU list */
+ u32 global_lru_index;
+ f64 last_lru_update;
+
/* Last heard timer */
f64 last_heard;
u8 state;
u32 i2o_fin_seq;
u32 o2i_fin_seq;
+ u32 tcp_close_timestamp;
/* user index */
u32 user_index;
u32 sessions_per_user_list_head_index;
u32 nsessions;
u32 nstaticsessions;
+ /* discovered minimum session timeout time */
+ u64 min_session_timeout;
} snat_user_t;
typedef struct
#define _(N, i, n, s) \
u16 busy_##n##_ports; \
u16 * busy_##n##_ports_per_thread; \
- uword * busy_##n##_port_bitmap;
+ u32 busy_##n##_port_refcounts[65535];
foreach_snat_protocol
#undef _
/* *INDENT-ON* */
/* Pool of doubly-linked list elements */
dlist_elt_t *list_pool;
+ /* LRU session list - head is stale, tail is fresh */
+ dlist_elt_t *global_lru_pool;
+ u32 global_lru_head_index;
+
/* NAT thread index */
u32 snat_thread_index;
/* discovered minimum session timeout time */
u64 min_session_timeout;
+
+ /* session scavenging */
+ u32 cleared;
+ u32 cleanup_runs;
+ f64 cleanup_timeout;
+
} snat_main_per_thread_data_t;
struct snat_main_s;
u16 port_per_thread,
u32 snat_thread_index);
+typedef struct ed_bihash_key_s
+{
+ u32 src_address;
+ u32 dst_address;
+ u16 src_port;
+ u16 dst_port;
+ u8 protocol;
+} ed_bihash_key_t;
+
+typedef struct ed_bihash_kv_s
+{
+ union
+ {
+ ed_bihash_key_t k;
+ clib_bihash_kv_16_8_t kv;
+ };
+} ed_bihash_kv_t;
+
+STATIC_ASSERT (STRUCT_SIZE_OF (ed_bihash_kv_t, k) <=
+ STRUCT_SIZE_OF (ed_bihash_kv_t, kv.key),
+ "ed key needs to fit in bihash key");
+
typedef struct snat_main_s
{
/* ICMP session match functions */
u8 out2in_dpo;
u8 endpoint_dependent;
u32 translation_buckets;
- u32 translation_memory_size;
+ uword translation_memory_size;
u32 max_translations;
u32 user_buckets;
- u32 user_memory_size;
+ uword user_memory_size;
u32 max_translations_per_user;
u32 outside_vrf_id;
u32 outside_fib_index;
u32 inside_fib_index;
/* values of various timeouts */
+
+ // min timeout of all proto timeouts
+ u32 min_timeout;
+ // proto timeouts
u32 udp_timeout;
- u32 icmp_timeout;
u32 tcp_transitory_timeout;
u32 tcp_established_timeout;
+ u32 icmp_timeout;
/* TCP MSS clamping */
u16 mss_clamping;
ip4_main_t *ip4_main;
ip_lookup_main_t *ip4_lookup_main;
api_main_t *api_main;
+
+ clib_bihash_16_8_t ed_ext_ports;
} snat_main_t;
typedef struct
extern vlib_node_registration_t snat_in2out_node;
extern vlib_node_registration_t snat_in2out_output_node;
extern vlib_node_registration_t snat_out2in_node;
-extern vlib_node_registration_t snat_in2out_fast_node;
-extern vlib_node_registration_t snat_out2in_fast_node;
extern vlib_node_registration_t snat_in2out_worker_handoff_node;
extern vlib_node_registration_t snat_in2out_output_worker_handoff_node;
extern vlib_node_registration_t snat_out2in_worker_handoff_node;
extern vlib_node_registration_t snat_det_in2out_node;
extern vlib_node_registration_t snat_det_out2in_node;
-extern vlib_node_registration_t snat_hairpin_dst_node;
-extern vlib_node_registration_t snat_hairpin_src_node;
extern vlib_node_registration_t nat44_ed_in2out_node;
extern vlib_node_registration_t nat44_ed_in2out_output_node;
extern vlib_node_registration_t nat44_ed_out2in_node;
-extern vlib_node_registration_t nat44_ed_hairpin_dst_node;
-extern vlib_node_registration_t nat44_ed_hairpin_src_node;
-extern vlib_node_registration_t nat44_ed_in2out_worker_handoff_node;
-extern vlib_node_registration_t nat44_ed_in2out_output_worker_handoff_node;
-extern vlib_node_registration_t nat44_ed_out2in_worker_handoff_node;
extern fib_source_t nat_fib_src_hi;
extern fib_source_t nat_fib_src_low;
/* format functions */
format_function_t format_snat_user;
+format_function_t format_snat_user_v2;
format_function_t format_snat_static_mapping;
format_function_t format_snat_static_map_to_resolve;
format_function_t format_snat_session;
void nat_free_session_data (snat_main_t * sm, snat_session_t * s,
u32 thread_index, u8 is_ha);
+/**
+ * @brief Free NAT44 ED session data (lookup keys, external addrres port)
+ *
+ * @param s NAT session
+ * @param thread_index thread index
+ * @param is_ha is HA event
+ */
+void
+nat44_free_session_data (snat_main_t * sm, snat_session_t * s,
+ u32 thread_index, u8 is_ha);
/**
* @brief Find or create NAT user
*
*
* @return NAT user data structure on success otherwise zero value
*/
-snat_user_t *nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr,
- u32 fib_index, u32 thread_index);
+snat_user_t *nat_user_get_or_create (snat_main_t * sm,
+ ip4_address_t * addr, u32 fib_index,
+ u32 thread_index);
/**
* @brief Allocate new NAT session or recycle last used
} tcp_udp_header_t;
#endif /* __included_nat_h__ */
-
/*
* fd.io coding-style-patch-verification: ON
*