* as if there were no free ports available to conserve resources */
#define ED_PORT_ALLOC_ATTEMPTS (10)
+/* system ports range is 0-1023, first user port is 1024 per
+ * https://www.rfc-editor.org/rfc/rfc6335#section-6
+ */
+#define ED_USER_PORT_OFFSET 1024
+
/* NAT buffer flags */
#define SNAT_FLAG_HAIRPINNING (1 << 0)
typedef enum
{
- NAT44_ED_TCP_FLAG_NONE = 0,
- NAT44_ED_TCP_FLAG_FIN,
+ NAT44_ED_TCP_FLAG_FIN = 0,
NAT44_ED_TCP_FLAG_SYN,
- NAT44_ED_TCP_FLAG_SYNFIN,
NAT44_ED_TCP_FLAG_RST,
- NAT44_ED_TCP_FLAG_FINRST,
- NAT44_ED_TCP_FLAG_SYNRST,
- NAT44_ED_TCP_FLAG_SYNFINRST,
+ NAT44_ED_TCP_FLAG_ACK,
NAT44_ED_TCP_N_FLAG,
} nat44_ed_tcp_flag_e;
typedef enum
{
NAT44_ED_TCP_STATE_CLOSED = 0,
- NAT44_ED_TCP_STATE_SYN_I2O,
- NAT44_ED_TCP_STATE_SYN_O2I,
NAT44_ED_TCP_STATE_ESTABLISHED,
- NAT44_ED_TCP_STATE_FIN_I2O,
- NAT44_ED_TCP_STATE_FIN_O2I,
- NAT44_ED_TCP_STATE_RST_TRANS,
- NAT44_ED_TCP_STATE_FIN_TRANS,
- NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_I2O,
- NAT44_ED_TCP_STATE_FIN_REOPEN_SYN_O2I,
+ NAT44_ED_TCP_STATE_CLOSING,
NAT44_ED_TCP_N_STATE,
} nat44_ed_tcp_state_e;
u16 ext_host_nat_port;
/* TCP session state */
+ u8 tcp_flags[NAT44_ED_N_DIR];
nat44_ed_tcp_state_e tcp_state;
/* per vrf sessions index */
u32 addr_len;
} snat_address_t;
-typedef struct
-{
- u32 fib_index;
- u32 ref_count;
-} nat_fib_t;
-
-typedef struct
-{
- u32 fib_index;
- u32 refcount;
-} nat_outside_fib_t;
-
typedef struct
{
/* backend IP address */
u32 nat44_ed_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip,
u32 rx_fib_index, u8 is_output);
-/* Return worker thread index for given packet */
-/* NAT address and port allocation function */
-typedef int (nat_alloc_out_addr_and_port_function_t) (
- snat_address_t *addresses, u32 fib_index, u32 thread_index,
- ip_protocol_t proto, ip4_address_t *addr, u16 *port, u16 port_per_thread,
- u32 snat_thread_index);
+typedef struct nat_fib_s
+{
+ u32 fib_index;
+ u32 ref_count;
+} nat_fib_t;
+
+typedef struct vrf_route_s
+{
+ u32 vrf_id;
+ u32 fib_index;
+} vrf_route_t;
+
+typedef struct vrf_table_s
+{
+ u32 table_vrf_id;
+ u32 table_fib_index;
+ vrf_route_t *routes;
+} vrf_table_t;
typedef struct snat_main_s
{
/* Endpoint dependent lookup table */
clib_bihash_16_8_t flow_hash;
+ // vector of fibs
+ nat_fib_t *fibs;
+
+ u32 inside_vrf_id;
+ u32 inside_fib_index;
+
+ u32 outside_vrf_id;
+ u32 outside_fib_index;
+
+ // vector of outside fibs
+ nat_fib_t *outside_fibs;
+
+ // VRF routing table for dynamic sessions
+ vrf_table_t *vrf_tables;
+
/* Interface pool */
snat_interface_t *interfaces;
snat_interface_t *output_feature_interfaces;
/* first interface address should be auto-added */
snat_address_resolve_t *addr_to_resolve;
- /* vector of fibs */
- nat_fib_t *fibs;
-
- /* vector of outside fibs */
- nat_outside_fib_t *outside_fibs;
-
/* vector of fib entries */
snat_fib_entry_reg_t *fib_entry_reg;
u32 max_translations_per_thread;
u32 *max_translations_per_fib;
- u32 outside_vrf_id;
- u32 outside_fib_index;
- u32 inside_vrf_id;
- u32 inside_fib_index;
-
nat_timeouts_t timeouts;
/* TCP MSS clamping */
/* nat44 plugin enabled */
u8 enabled;
- vnet_main_t *vnet_main;
-
/* TCP session state machine table:
* first dimension is possible states
* second dimension is direction (in2out/out2in)
int nat44_ed_add_interface_address (u32 sw_if_index, u8 twice_nat);
int nat44_ed_del_interface_address (u32 sw_if_index, u8 twice_nat);
+int nat44_ed_add_del_vrf_table (u32 table_vrf_id, bool is_add);
+int nat44_ed_add_del_vrf_route (u32 table_vrf_id, u32 vrf_id, bool is_add);
+void nat44_ed_del_vrf_tables ();
+
int nat44_ed_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
u16 l_port, u16 e_port, ip_protocol_t proto,
u32 vrf_id, u32 sw_if_index, u32 flags,
void expire_per_vrf_sessions (u32 fib_index);
-/**
- * @brief Match NAT44 static mapping.
- *
- * @param key address and port to match
- * @param addr external/local address of the matched mapping
- * @param port port of the matched mapping
- * @param fib_index fib index of the matched mapping
- * @param by_external if 0 match by local address otherwise match by external
- * address
- * @param is_addr_only 1 if matched mapping is address only
- * @param twice_nat matched mapping is twice NAT type
- * @param lb 1 if matched mapping is load-balanced
- * @param ext_host_addr external host address
- * @param is_identity_nat 1 if indentity mapping
- * @param out if !=0 set to pointer of the mapping structure
- *
- * @returns 0 if match found otherwise 1.
- */
-int snat_static_mapping_match (
- vlib_main_t *vm, snat_main_t *sm, ip4_address_t match_addr, u16 match_port,
- u32 match_fib_index, ip_protocol_t match_protocol,
- ip4_address_t *mapping_addr, u16 *mapping_port, u32 *mapping_fib_index,
- int by_external, u8 *is_addr_only, twice_nat_type_t *twice_nat,
- lb_nat_type_t *lb, ip4_address_t *ext_host_addr, u8 *is_identity_nat,
- snat_static_mapping_t **out);
+int snat_static_mapping_match (vlib_main_t *vm, ip4_address_t match_addr,
+ u16 match_port, u32 match_fib_index,
+ ip_protocol_t match_protocol,
+ ip4_address_t *mapping_addr, u16 *mapping_port,
+ u32 *mapping_fib_index, int by_external,
+ u8 *is_addr_only, twice_nat_type_t *twice_nat,
+ lb_nat_type_t *lb, ip4_address_t *ext_host_addr,
+ u8 *is_identity_nat,
+ snat_static_mapping_t **out);
u32 get_thread_idx_by_port (u16 e_port);