X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Fnat.c;h=896fe5fd59e6a9ef357702389545b21a6a509419;hb=ab7a805fbb99661b2c125268aa9d7b96c435c1d1;hp=612085fc1323d177dd6d1f574a8fefd0c8b7472a;hpb=41fef50d5db5e7deb3cfd901c3108abbc4406813;p=vpp.git diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c index 612085fc132..896fe5fd59e 100644 --- a/src/plugins/nat/nat.c +++ b/src/plugins/nat/nat.c @@ -23,6 +23,8 @@ #include #include #include +#include +#include #include #include @@ -42,6 +44,11 @@ VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .node_name = "nat44-out2in", .runs_before = VNET_FEATURES ("ip4-lookup"), }; +VNET_FEATURE_INIT (ip4_nat_classify, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-classify", + .runs_before = VNET_FEATURES ("ip4-lookup"), +}; VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-det-in2out", @@ -52,6 +59,11 @@ VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = { .node_name = "nat44-det-out2in", .runs_before = VNET_FEATURES ("ip4-lookup"), }; +VNET_FEATURE_INIT (ip4_nat_det_classify, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-det-classify", + .runs_before = VNET_FEATURES ("ip4-lookup"), +}; VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-in2out-worker-handoff", @@ -62,6 +74,11 @@ VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = { .node_name = "nat44-out2in-worker-handoff", .runs_before = VNET_FEATURES ("ip4-lookup"), }; +VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-handoff-classify", + .runs_before = VNET_FEATURES ("ip4-lookup"), +}; VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-in2out-fast", @@ -95,6 +112,14 @@ VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = { .runs_before = VNET_FEATURES ("interface-output"), }; +/* Hook up ip4-local features */ +VNET_FEATURE_INIT (ip4_nat_hairpinning, static) = +{ + .arc_name = "ip4-local", + .node_name = "nat44-hairpinning", + .runs_before = VNET_FEATURES("ip4-local-end-of-arc"), +}; + /* *INDENT-OFF* */ VLIB_PLUGIN_REGISTER () = { @@ -103,6 +128,159 @@ VLIB_PLUGIN_REGISTER () = { }; /* *INDENT-ON* */ +vlib_node_registration_t nat44_classify_node; +vlib_node_registration_t nat44_det_classify_node; +vlib_node_registration_t nat44_handoff_classify_node; + +typedef enum { + NAT44_CLASSIFY_NEXT_IN2OUT, + NAT44_CLASSIFY_NEXT_OUT2IN, + NAT44_CLASSIFY_N_NEXT, +} nat44_classify_next_t; + +static inline uword +nat44_classify_node_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + u32 n_left_from, * from, * to_next; + nat44_classify_next_t next_index; + snat_main_t *sm = &snat_main; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, + to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT; + ip4_header_t *ip0; + snat_address_t *ap; + snat_session_key_t m_key0; + clib_bihash_kv_8_8_t kv0, value0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + ip0 = vlib_buffer_get_current (b0); + + vec_foreach (ap, sm->addresses) + { + if (ip0->dst_address.as_u32 == ap->addr.as_u32) + { + next0 = NAT44_CLASSIFY_NEXT_OUT2IN; + break; + } + } + + if (PREDICT_FALSE (pool_elts (sm->static_mappings))) + { + m_key0.addr = ip0->dst_address; + m_key0.port = 0; + m_key0.protocol = 0; + m_key0.fib_index = sm->outside_fib_index; + kv0.key = m_key0.as_u64; + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv0, &value0)) + { + next0 = NAT44_CLASSIFY_NEXT_OUT2IN; + } + } + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + return frame->n_vectors; +} + +static uword +nat44_classify_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_classify_node_fn_inline (vm, node, frame); +}; + +VLIB_REGISTER_NODE (nat44_classify_node) = { + .function = nat44_classify_node_fn, + .name = "nat44-classify", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_next_nodes = NAT44_CLASSIFY_N_NEXT, + .next_nodes = { + [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out", + [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in", + }, +}; + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node, + nat44_classify_node_fn); + +static uword +nat44_det_classify_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_classify_node_fn_inline (vm, node, frame); +}; + +VLIB_REGISTER_NODE (nat44_det_classify_node) = { + .function = nat44_det_classify_node_fn, + .name = "nat44-det-classify", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_next_nodes = NAT44_CLASSIFY_N_NEXT, + .next_nodes = { + [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out", + [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in", + }, +}; + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_det_classify_node, + nat44_det_classify_node_fn); + +static uword +nat44_handoff_classify_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_classify_node_fn_inline (vm, node, frame); +}; + +VLIB_REGISTER_NODE (nat44_handoff_classify_node) = { + .function = nat44_handoff_classify_node_fn, + .name = "nat44-handoff-classify", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_next_nodes = NAT44_CLASSIFY_N_NEXT, + .next_nodes = { + [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff", + [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff", + }, +}; + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_handoff_classify_node, + nat44_handoff_classify_node_fn); + /** * @brief Add/del NAT address to FIB. * @@ -182,7 +360,7 @@ void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id) /* Add external address to FIB */ pool_foreach (i, sm->interfaces, ({ - if (i->is_inside) + if (nat_interface_is_inside(i)) continue; snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1); @@ -190,7 +368,7 @@ void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id) })); pool_foreach (i, sm->output_feature_interfaces, ({ - if (i->is_inside) + if (nat_interface_is_inside(i)) continue; snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1); @@ -390,28 +568,12 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, kv.value = m - sm->static_mappings; clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1); - /* Assign worker */ if (sm->workers) { - snat_user_key_t w_key0; - - w_key0.addr = m->local_addr; - w_key0.fib_index = m->fib_index; - kv.key = w_key0.as_u64; - - if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value)) - { - kv.value = sm->first_worker_index + - sm->workers[sm->next_worker++ % vec_len (sm->workers)]; - - clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv, 1); - } - else - { - kv.value = value.value; - } - - m->worker_index = kv.value; + ip4_header_t ip = { + .src_address = m->local_addr, + }; + m->worker_index = sm->worker_in2out_cb (&ip, m->fib_index); } } else @@ -478,8 +640,8 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, u_key.addr = m->local_addr; u_key.fib_index = m->fib_index; kv.key = u_key.as_u64; - if (!clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value)) - tsm = vec_elt_at_index (sm->per_thread_data, value.value); + if (sm->num_workers > 1) + tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index); else tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) @@ -571,13 +733,13 @@ delete: pool_put (sm->static_mappings, m); } - if (!addr_only) + if (!addr_only || (l_addr.as_u32 == e_addr.as_u32)) return 0; /* Add/delete external address to FIB */ pool_foreach (interface, sm->interfaces, ({ - if (interface->is_inside) + if (nat_interface_is_inside(interface)) continue; snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add); @@ -585,7 +747,7 @@ delete: })); pool_foreach (interface, sm->output_feature_interfaces, ({ - if (interface->is_inside) + if (nat_interface_is_inside(interface)) continue; snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add); @@ -607,7 +769,6 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, snat_address_t *a = 0; int i; nat44_lb_addr_port_t *local; - snat_user_key_t w_key0; u32 worker_index = 0; snat_main_per_thread_data_t *tsm; @@ -694,16 +855,8 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, /* Assign worker */ if (sm->workers) { - w_key0.addr = locals[0].addr; - w_key0.fib_index = fib_index; - kv.key = w_key0.as_u64; - - if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value)) - worker_index = sm->first_worker_index + - sm->workers[sm->next_worker++ % vec_len (sm->workers)]; - else - worker_index = value.value; - + worker_index = sm->first_worker_index + + sm->workers[sm->next_worker++ % vec_len (sm->workers)]; tsm = vec_elt_at_index (sm->per_thread_data, worker_index); m->worker_index = worker_index; } @@ -730,6 +883,7 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, locals[i].prefix = (i == 0) ? locals[i].probability :\ (locals[i - 1].prefix + locals[i].probability); vec_add1 (m->locals, locals[i]); + m_key.port = clib_host_to_net_u16 (locals[i].port); kv.key = m_key.as_u64; kv.value = ~0ULL; @@ -738,19 +892,6 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, clib_warning ("in2out key add failed"); return VNET_API_ERROR_UNSPECIFIED; } - /* Assign worker */ - if (sm->workers) - { - w_key0.addr = locals[i].addr; - w_key0.fib_index = fib_index; - kv.key = w_key0.as_u64; - kv.value = worker_index; - if (clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv, 1)) - { - clib_warning ("worker-by-in key add failed"); - return VNET_API_ERROR_UNSPECIFIED; - } - } } } else @@ -801,6 +942,7 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, clib_warning ("static_mapping_by_external key del failed"); return VNET_API_ERROR_UNSPECIFIED; } + m_key.port = clib_host_to_net_u16 (m->external_port); kv.key = m_key.as_u64; if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0)) @@ -820,6 +962,7 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, clib_warning ("static_mapping_by_local key del failed"); return VNET_API_ERROR_UNSPECIFIED; } + m_key.port = clib_host_to_net_u16 (local->port); kv.key = m_key.as_u64; if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0)) @@ -957,7 +1100,7 @@ int snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm) /* Delete external address from FIB */ pool_foreach (interface, sm->interfaces, ({ - if (interface->is_inside) + if (nat_interface_is_inside(interface)) continue; snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0); @@ -965,7 +1108,7 @@ int snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm) })); pool_foreach (interface, sm->output_feature_interfaces, ({ - if (interface->is_inside) + if (nat_interface_is_inside(interface)) continue; snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0); @@ -979,7 +1122,7 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) { snat_main_t *sm = &snat_main; snat_interface_t *i; - const char * feature_name; + const char * feature_name, *del_feature_name; snat_address_t * ap; snat_static_mapping_t * m; snat_det_map_t * dm; @@ -996,9 +1139,6 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) feature_name = is_inside ? "nat44-in2out" : "nat44-out2in"; } - vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, - !is_del, 0, 0); - if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1) sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, 0); @@ -1010,9 +1150,63 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) if (i->sw_if_index == sw_if_index) { if (is_del) - pool_put (sm->interfaces, i); + { + if (nat_interface_is_inside(i) && nat_interface_is_outside(i)) + { + if (is_inside) + i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE; + else + i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE; + + if (sm->num_workers > 1 && !sm->deterministic) + del_feature_name = "nat44-handoff-classify"; + else if (sm->deterministic) + del_feature_name = "nat44-det-classify"; + else + del_feature_name = "nat44-classify"; + + vnet_feature_enable_disable ("ip4-unicast", del_feature_name, + sw_if_index, 0, 0, 0); + vnet_feature_enable_disable ("ip4-unicast", feature_name, + sw_if_index, 1, 0, 0); + } + else + { + vnet_feature_enable_disable ("ip4-unicast", feature_name, + sw_if_index, 0, 0, 0); + pool_put (sm->interfaces, i); + } + } else - return VNET_API_ERROR_VALUE_EXIST; + { + if ((nat_interface_is_inside(i) && is_inside) || + (nat_interface_is_outside(i) && !is_inside)) + return 0; + + if (sm->num_workers > 1 && !sm->deterministic) + { + del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" : + "nat44-out2in-worker-handoff"; + feature_name = "nat44-handoff-classify"; + } + else if (sm->deterministic) + { + del_feature_name = !is_inside ? "nat44-det-in2out" : + "nat44-det-out2in"; + feature_name = "nat44-det-classify"; + } + else + { + del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in"; + feature_name = "nat44-classify"; + } + + vnet_feature_enable_disable ("ip4-unicast", del_feature_name, + sw_if_index, 0, 0, 0); + vnet_feature_enable_disable ("ip4-unicast", feature_name, + sw_if_index, 1, 0, 0); + goto set_flags; + } goto fib; } @@ -1023,19 +1217,30 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) pool_get (sm->interfaces, i); i->sw_if_index = sw_if_index; - i->is_inside = is_inside; + i->flags = 0; + vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); + +set_flags: + if (is_inside) + i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE; + else + i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE; /* Add/delete external addresses to FIB */ fib: if (is_inside) - return 0; + { + vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", + sw_if_index, !is_del, 0, 0); + return 0; + } vec_foreach (ap, sm->addresses) snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del); pool_foreach (m, sm->static_mappings, ({ - if (!(m->addr_only)) + if (!(m->addr_only) || (m->local_addr.as_u32 == m->external_addr.as_u32)) continue; snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del); @@ -1113,7 +1318,11 @@ fq: pool_get (sm->output_feature_interfaces, i); i->sw_if_index = sw_if_index; - i->is_inside = is_inside; + i->flags = 0; + if (is_inside) + i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE; + else + i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE; /* Add/delete external addresses to FIB */ fib: @@ -1169,6 +1378,16 @@ snat_ip4_add_del_interface_address_cb (ip4_main_t * im, u32 if_address_index, u32 is_delete); +static int +nat_alloc_addr_and_port_default (snat_address_t * addresses, + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u32 * address_indexp, + u8 vrf_mode, + u16 port_per_thread, + u32 snat_thread_index); + static clib_error_t * snat_init (vlib_main_t * vm) { snat_main_t * sm = &snat_main; @@ -1199,6 +1418,7 @@ static clib_error_t * snat_init (vlib_main_t * vm) sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT; sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT; sm->icmp_timeout = SNAT_ICMP_TIMEOUT; + sm->alloc_addr_and_port = nat_alloc_addr_and_port_default; p = hash_get_mem (tm->thread_registrations_by_name, "workers"); if (p) @@ -1239,14 +1459,20 @@ static clib_error_t * snat_init (vlib_main_t * vm) /* Init IPFIX logging */ snat_ipfix_logging_init(vm); + /* Init NAT64 */ error = nat64_init(vm); + if (error) + return error; - return error; + dslite_init(vm); + + /* Init virtual fragmenentation reassembly */ + return nat_reass_init(vm); } VLIB_INIT_FUNCTION (snat_init); -void snat_free_outside_address_and_port (snat_main_t * sm, +void snat_free_outside_address_and_port (snat_address_t * addresses, u32 thread_index, snat_session_key_t * k, u32 address_index) @@ -1254,9 +1480,9 @@ void snat_free_outside_address_and_port (snat_main_t * sm, snat_address_t *a; u16 port_host_byte_order = clib_net_to_host_u16 (k->port); - ASSERT (address_index < vec_len (sm->addresses)); + ASSERT (address_index < vec_len (addresses)); - a = sm->addresses + address_index; + a = addresses + address_index; switch (k->protocol) { @@ -1365,38 +1591,60 @@ int snat_static_mapping_match (snat_main_t * sm, } static_always_inline u16 -snat_random_port (snat_main_t * sm, u16 min, u16 max) +snat_random_port (u16 min, u16 max) { + snat_main_t *sm = &snat_main; return min + random_u32 (&sm->random_seed) / (random_u32_max() / (max - min + 1) + 1); } -int snat_alloc_outside_address_and_port (snat_main_t * sm, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp) +int +snat_alloc_outside_address_and_port (snat_address_t * addresses, + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u32 * address_indexp, + u8 vrf_mode, + u16 port_per_thread, + u32 snat_thread_index) +{ + snat_main_t *sm = &snat_main; + + return sm->alloc_addr_and_port(addresses, fib_index, thread_index, k, + address_indexp, vrf_mode, port_per_thread, + snat_thread_index); +} + +static int +nat_alloc_addr_and_port_default (snat_address_t * addresses, + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u32 * address_indexp, + u8 vrf_mode, + u16 port_per_thread, + u32 snat_thread_index) { int i; snat_address_t *a; u32 portnum; - for (i = 0; i < vec_len (sm->addresses); i++) + for (i = 0; i < vec_len (addresses); i++) { - a = sm->addresses + i; - if (sm->vrf_mode && a->fib_index != ~0 && a->fib_index != fib_index) + a = addresses + i; + if (vrf_mode && a->fib_index != ~0 && a->fib_index != fib_index) continue; switch (k->protocol) { #define _(N, j, n, s) \ case SNAT_PROTOCOL_##N: \ - if (a->busy_##n##_ports_per_thread[thread_index] < sm->port_per_thread) \ + if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \ { \ while (1) \ { \ - portnum = (sm->port_per_thread * \ - sm->per_thread_data[thread_index].snat_thread_index) + \ - snat_random_port(sm, 1, sm->port_per_thread) + 1024; \ + portnum = (port_per_thread * \ + snat_thread_index) + \ + snat_random_port(1, port_per_thread) + 1024; \ if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \ continue; \ clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \ @@ -1422,6 +1670,59 @@ int snat_alloc_outside_address_and_port (snat_main_t * sm, return 1; } +static int +nat_alloc_addr_and_port_mape (snat_address_t * addresses, + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u32 * address_indexp, + u8 vrf_mode, + u16 port_per_thread, + u32 snat_thread_index) +{ + snat_main_t *sm = &snat_main; + snat_address_t *a = addresses; + u16 m, ports, portnum, A, j; + m = 16 - (sm->psid_offset + sm->psid_length); + ports = (1 << (16 - sm->psid_length)) - (1 << m); + + if (!vec_len (addresses)) + goto exhausted; + + switch (k->protocol) + { +#define _(N, i, n, s) \ + case SNAT_PROTOCOL_##N: \ + if (a->busy_##n##_ports < ports) \ + { \ + while (1) \ + { \ + A = snat_random_port(1, pow2_mask(sm->psid_offset)); \ + j = snat_random_port(0, pow2_mask(m)); \ + portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \ + if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \ + continue; \ + clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \ + a->busy_##n##_ports++; \ + k->addr = a->addr; \ + k->port = clib_host_to_net_u16 (portnum); \ + *address_indexp = i; \ + return 0; \ + } \ + } \ + break; + foreach_snat_protocol +#undef _ + default: + clib_warning("unknown protocol"); + return 1; + } + +exhausted: + /* Totally out of translations to use... */ + snat_ipfix_logging_addresses_exhausted(0); + return 1; +} static clib_error_t * add_address_command_fn (vlib_main_t * vm, @@ -1689,7 +1990,7 @@ add_static_mapping_command_fn (vlib_main_t * vm, u32 sw_if_index = ~0; vnet_main_t * vnm = vnet_get_main(); int rv; - snat_protocol_t proto; + snat_protocol_t proto = ~0; u8 proto_set = 0; /* Get a line of input. */ @@ -1788,6 +2089,100 @@ VLIB_CLI_COMMAND (add_static_mapping_command, static) = { "nat44 add static mapping tcp|udp|icmp local [] external [] [vrf ] [del]", }; +static clib_error_t * +add_identity_mapping_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + clib_error_t * error = 0; + ip4_address_t addr; + u32 port = 0, vrf_id = ~0; + int is_add = 1; + int addr_only = 1; + u32 sw_if_index = ~0; + vnet_main_t * vnm = vnet_get_main(); + int rv; + snat_protocol_t proto; + + addr.as_u32 = 0; + + /* Get a line of input. */ + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "%U", unformat_ip4_address, &addr)) + ; + else if (unformat (line_input, "external %U", + unformat_vnet_sw_interface, vnm, &sw_if_index)) + ; + else if (unformat (line_input, "vrf %u", &vrf_id)) + ; + else if (unformat (line_input, "%U %u", unformat_snat_protocol, &proto, + &port)) + addr_only = 0; + else if (unformat (line_input, "del")) + is_add = 0; + else + { + error = clib_error_return (0, "unknown input: '%U'", + format_unformat_error, line_input); + goto done; + } + } + + rv = snat_add_static_mapping(addr, addr, (u16) port, (u16) port, + vrf_id, addr_only, sw_if_index, proto, is_add); + + switch (rv) + { + case VNET_API_ERROR_INVALID_VALUE: + error = clib_error_return (0, "External port already in use."); + goto done; + case VNET_API_ERROR_NO_SUCH_ENTRY: + if (is_add) + error = clib_error_return (0, "External addres must be allocated."); + else + error = clib_error_return (0, "Mapping not exist."); + goto done; + case VNET_API_ERROR_NO_SUCH_FIB: + error = clib_error_return (0, "No such VRF id."); + goto done; + case VNET_API_ERROR_VALUE_EXIST: + error = clib_error_return (0, "Mapping already exist."); + goto done; + default: + break; + } + +done: + unformat_free (line_input); + + return error; +} + +/*? + * @cliexpar + * @cliexstart{snat add identity mapping} + * Identity mapping translate an IP address to itself. + * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol + * use: + * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303 + * To create identity mapping for address 10.0.0.3 use: + * vpp# nat44 add identity mapping 10.0.0.3 + * To create identity mapping for DHCP addressed interface use: + * vpp# nat44 add identity mapping GigabitEthernet0/a/0 tcp 3606 + * @cliexend +?*/ +VLIB_CLI_COMMAND (add_identity_mapping_command, static) = { + .path = "nat44 add identity mapping", + .function = add_identity_mapping_command_fn, + .short_help = "nat44 add identity mapping | " + "[ ] [vrf ] [del]", +}; + static clib_error_t * add_lb_static_mapping_command_fn (vlib_main_t * vm, unformat_input_t * input, @@ -2017,32 +2412,17 @@ static u32 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0) { snat_main_t *sm = &snat_main; - snat_user_key_t key0; - clib_bihash_kv_8_8_t kv0, value0; u32 next_worker_index = 0; + u32 hash; - key0.addr = ip0->src_address; - key0.fib_index = rx_fib_index0; - - kv0.key = key0.as_u64; - - /* Ever heard of of the "user" before? */ - if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv0, &value0)) - { - /* No, assign next available worker (RR) */ - next_worker_index = sm->first_worker_index; - if (vec_len (sm->workers)) - { - next_worker_index += - sm->workers[sm->next_worker++ % _vec_len (sm->workers)]; - } + next_worker_index = sm->first_worker_index; + hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) + + (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >>24); - /* add non-traslated packets worker lookup */ - kv0.value = next_worker_index; - clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv0, 1); - } + if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers)))) + next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)]; else - next_worker_index = value0.value; + next_worker_index += sm->workers[hash % _vec_len (sm->workers)]; return next_worker_index; } @@ -2265,9 +2645,6 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) user_memory_size); } - clib_bihash_init_8_8 (&sm->worker_by_in, "worker-by-in", user_buckets, - user_memory_size); - clib_bihash_init_16_8 (&sm->in2out_ed, "in2out-ed", translation_buckets, translation_memory_size); @@ -2527,7 +2904,9 @@ show_snat_command_fn (vlib_main_t * vm, ({ vlib_cli_output (vm, "%U %s", format_vnet_sw_interface_name, vnm, vnet_get_sw_interface (vnm, i->sw_if_index), - i->is_inside ? "in" : "out"); + (nat_interface_is_inside(i) && + nat_interface_is_outside(i)) ? "in out" : + (nat_interface_is_inside(i) ? "in" : "out")); })); pool_foreach (i, sm->output_feature_interfaces, @@ -2535,7 +2914,9 @@ show_snat_command_fn (vlib_main_t * vm, vlib_cli_output (vm, "%U output-feature %s", format_vnet_sw_interface_name, vnm, vnet_get_sw_interface (vnm, i->sw_if_index), - i->is_inside ? "in" : "out"); + (nat_interface_is_inside(i) && + nat_interface_is_outside(i)) ? "in out" : + (nat_interface_is_inside(i) ? "in" : "out")); })); if (vec_len (sm->auto_add_sw_if_indices)) @@ -2648,8 +3029,6 @@ show_snat_command_fn (vlib_main_t * vm, verbose - 1); vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->out2in_ed, verbose - 1); - vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->worker_by_in, - verbose - 1); vec_foreach_index (j, sm->per_thread_data) { tsm = vec_elt_at_index (sm->per_thread_data, j); @@ -2691,6 +3070,7 @@ show_snat_command_fn (vlib_main_t * vm, } } } + return 0; } @@ -2713,6 +3093,7 @@ snat_ip4_add_del_interface_address_cb (ip4_main_t * im, snat_main_t *sm = &snat_main; snat_static_map_resolve_t *rp; u32 *indices_to_delete = 0; + ip4_address_t l_addr; int i, j; int rv; @@ -2735,8 +3116,13 @@ snat_ip4_add_del_interface_address_cb (ip4_main_t * im, /* On this interface? */ if (rp->sw_if_index == sw_if_index) { + /* Indetity mapping? */ + if (rp->l_addr.as_u32 == 0) + l_addr.as_u32 = address[0].as_u32; + else + l_addr.as_u32 = rp->l_addr.as_u32; /* Add the static mapping */ - rv = snat_add_static_mapping (rp->l_addr, + rv = snat_add_static_mapping (l_addr, address[0], rp->l_port, rp->e_port, @@ -2746,7 +3132,7 @@ snat_ip4_add_del_interface_address_cb (ip4_main_t * im, rp->proto, rp->is_add); if (rv) - clib_warning ("snat_add_static_mapping returned %d", + clib_warning ("snat_add_static_mapping returned %d", rv); vec_add1 (indices_to_delete, j); } @@ -2884,6 +3270,165 @@ VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = { .function = snat_add_interface_address_command_fn, }; +int +nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, + snat_protocol_t proto, u32 vrf_id, int is_in) +{ + snat_main_per_thread_data_t *tsm; + clib_bihash_kv_8_8_t kv, value; + ip4_header_t ip; + u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id); + snat_session_key_t key; + snat_session_t *s; + clib_bihash_8_8_t *t; + snat_user_key_t u_key; + snat_user_t *u; + + ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32; + if (sm->num_workers) + tsm = + vec_elt_at_index (sm->per_thread_data, + sm->worker_in2out_cb (&ip, fib_index)); + else + tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); + + key.addr.as_u32 = addr->as_u32; + key.port = clib_host_to_net_u16 (port); + key.protocol = proto; + key.fib_index = fib_index; + kv.key = key.as_u64; + t = is_in ? &tsm->in2out : &tsm->out2in; + if (!clib_bihash_search_8_8 (t, &kv, &value)) + { + s = pool_elt_at_index (tsm->sessions, value.value); + kv.key = s->in2out.as_u64; + clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0); + kv.key = s->out2in.as_u64; + clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0); + u_key.addr = s->in2out.addr; + u_key.fib_index = s->in2out.fib_index; + kv.key = u_key.as_u64; + if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) + { + u = pool_elt_at_index (tsm->users, value.value); + u->nsessions--; + } + clib_dlist_remove (tsm->list_pool, s->per_user_index); + pool_put (tsm->sessions, s); + return 0; + } + + return VNET_API_ERROR_NO_SUCH_ENTRY; +} + +static clib_error_t * +nat44_del_session_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + snat_main_t *sm = &snat_main; + unformat_input_t _line_input, *line_input = &_line_input; + int is_in = 0; + clib_error_t *error = 0; + ip4_address_t addr; + u32 port = 0, vrf_id = sm->outside_vrf_id; + snat_protocol_t proto; + int rv; + + /* Get a line of input. */ + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port, + unformat_snat_protocol, &proto)) + ; + else if (unformat (line_input, "in")) + { + is_in = 1; + vrf_id = sm->inside_vrf_id; + } + else if (unformat (line_input, "vrf %u", &vrf_id)) + ; + else + { + error = clib_error_return (0, "unknown input '%U'", + format_unformat_error, line_input); + goto done; + } + } + + rv = nat44_del_session(sm, &addr, port, proto, vrf_id, is_in); + + switch (rv) + { + case 0: + break; + + default: + error = clib_error_return (0, "nat44_del_session returned %d", rv); + goto done; + } + +done: + unformat_free (line_input); + + return error; +} + +VLIB_CLI_COMMAND (nat44_del_session_command, static) = { + .path = "nat44 del session", + .short_help = "nat44 del session in|out : tcp|udp|icmp [vrf ]", + .function = nat44_del_session_command_fn, +}; + +static clib_error_t * +nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + snat_main_t *sm = &snat_main; + unformat_input_t _line_input, *line_input = &_line_input; + clib_error_t *error = 0; + u32 psid, psid_offset, psid_length; + + /* Get a line of input. */ + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "default")) + sm->alloc_addr_and_port = nat_alloc_addr_and_port_default; + else if (unformat (line_input, "map-e psid %d psid-offset %d psid-len %d", + &psid, &psid_offset, &psid_length)) + { + sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape; + sm->psid = (u16) psid; + sm->psid_offset = (u16) psid_offset; + sm->psid_length = (u16) psid_length; + } + else + { + error = clib_error_return (0, "unknown input '%U'", + format_unformat_error, line_input); + goto done; + } + } + +done: + unformat_free (line_input); + + return error; +}; + +VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = { + .path = "nat44 addr-port-assignment-alg", + .short_help = "nat44 addr-port-assignment-alg []", + .function = nat44_set_alloc_addr_and_port_alg_command_fn, +}; + static clib_error_t * snat_det_map_command_fn (vlib_main_t * vm, unformat_input_t * input, @@ -3151,7 +3696,7 @@ snat_det_close_session_out_fn (vlib_main_t *vm, snat_main_t *sm = &snat_main; unformat_input_t _line_input, *line_input = &_line_input; ip4_address_t out_addr, ext_addr, in_addr; - u16 out_port, ext_port; + u32 out_port, ext_port; snat_det_map_t * dm; snat_det_session_t * ses; snat_det_out_key_t key; @@ -3182,10 +3727,10 @@ snat_det_close_session_out_fn (vlib_main_t *vm, vlib_cli_output (vm, "no match"); else { - snat_det_reverse(dm, &ext_addr, out_port, &in_addr); + snat_det_reverse(dm, &ext_addr, (u16)out_port, &in_addr); key.ext_host_addr = out_addr; - key.ext_host_port = ntohs(ext_port); - key.out_port = ntohs(out_port); + key.ext_host_port = ntohs((u16)ext_port); + key.out_port = ntohs((u16)out_port); ses = snat_det_get_ses_by_out(dm, &out_addr, key.as_u64); if (!ses) vlib_cli_output (vm, "no match"); @@ -3222,7 +3767,7 @@ snat_det_close_session_in_fn (vlib_main_t *vm, snat_main_t *sm = &snat_main; unformat_input_t _line_input, *line_input = &_line_input; ip4_address_t in_addr, ext_addr; - u16 in_port, ext_port; + u32 in_port, ext_port; snat_det_map_t * dm; snat_det_session_t * ses; snat_det_out_key_t key; @@ -3254,8 +3799,8 @@ snat_det_close_session_in_fn (vlib_main_t *vm, else { key.ext_host_addr = ext_addr; - key.ext_host_port = ntohs (ext_port); - ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs(in_port), key); + key.ext_host_port = ntohs ((u16)ext_port); + ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs((u16)in_port), key); if (!ses) vlib_cli_output (vm, "no match"); else