X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Fnat.c;h=cdf05fd351a66dac602dd360169cbfe3c9df8b70;hb=c6c0d2a0;hp=68b43c05ea1cf9f3e701e68d78218e9895690294;hpb=ebdf190a9c4a514329de7e5e9b9178c3af055122;p=vpp.git diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c index 68b43c05ea1..cdf05fd351a 100755 --- a/src/plugins/nat/nat.c +++ b/src/plugins/nat/nat.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -44,7 +45,8 @@ VNET_FEATURE_INIT (ip4_snat_in2out, static) = { VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_nat_classify, static) = { .arc_name = "ip4-unicast", @@ -59,13 +61,30 @@ VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = { VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-det-out2in", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_nat_det_classify, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-det-classify", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-in2out", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), +}; +VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-out2in", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), +}; +VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-classify", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), +}; VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-in2out-worker-handoff", @@ -74,7 +93,8 @@ VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = { VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in-worker-handoff", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = { .arc_name = "ip4-unicast", @@ -89,13 +109,19 @@ VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = { VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in-fast", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-hairpin-dst", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-hairpin-dst", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), +}; /* Hook up output features */ VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = { @@ -113,6 +139,16 @@ VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = { .node_name = "nat44-hairpin-src", .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = { + .arc_name = "ip4-output", + .node_name = "nat44-ed-in2out-output", + .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"), +}; +VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = { + .arc_name = "ip4-output", + .node_name = "nat44-ed-hairpin-src", + .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"), +}; /* Hook up ip4-local features */ VNET_FEATURE_INIT (ip4_nat_hairpinning, static) = @@ -121,6 +157,12 @@ VNET_FEATURE_INIT (ip4_nat_hairpinning, static) = .node_name = "nat44-hairpinning", .runs_before = VNET_FEATURES("ip4-local-end-of-arc"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) = +{ + .arc_name = "ip4-local", + .node_name = "nat44-ed-hairpinning", + .runs_before = VNET_FEATURES("ip4-local-end-of-arc"), +}; /* *INDENT-OFF* */ @@ -131,6 +173,7 @@ VLIB_PLUGIN_REGISTER () = { /* *INDENT-ON* */ vlib_node_registration_t nat44_classify_node; +vlib_node_registration_t nat44_ed_classify_node; vlib_node_registration_t nat44_det_classify_node; vlib_node_registration_t nat44_handoff_classify_node; @@ -162,13 +205,12 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) ed_key.fib_index = 0; ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &ed_kv, 0) && - s->state != SNAT_SESSION_TCP_CLOSED) - clib_warning ("in2out_ed key del failed"); + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)) + nat_log_warn ("in2out_ed key del failed"); return; } - /* Endpoint dependent session lookup tables */ + /* session lookup tables */ if (is_ed_session (s)) { ed_key.l_addr = s->out2in.addr; @@ -188,9 +230,8 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) } ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0) && - s->state != SNAT_SESSION_TCP_CLOSED) - clib_warning ("out2in_ed key del failed"); + if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0)) + nat_log_warn ("out2in_ed key del failed"); ed_key.l_addr = s->in2out.addr; ed_key.fib_index = s->in2out.fib_index; @@ -203,9 +244,17 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) } ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &ed_kv, 0) && - s->state != SNAT_SESSION_TCP_CLOSED) - clib_warning ("in2out_ed key del failed"); + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)) + nat_log_warn ("in2out_ed key del failed"); + } + else + { + kv.key = s->in2out.as_u64; + if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0)) + nat_log_warn ("in2out key del failed"); + kv.key = s->out2in.as_u64; + if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0)) + nat_log_warn ("out2in key del failed"); } if (snat_is_unk_proto_session (s)) @@ -220,7 +269,7 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) s->in2out.fib_index); /* Twice NAT address and port for external host */ - if (is_twice_nat_session (s) && s->state != SNAT_SESSION_TCP_CLOSED) + if (is_twice_nat_session (s)) { for (i = 0; i < vec_len (sm->twice_nat_addresses); i++) { @@ -236,23 +285,10 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) } } - if (is_ed_session (s)) - return; - - /* Session lookup tables */ - kv.key = s->in2out.as_u64; - if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0) && - s->state != SNAT_SESSION_TCP_CLOSED) - clib_warning ("in2out key del failed"); - kv.key = s->out2in.as_u64; - if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0) && - s->state != SNAT_SESSION_TCP_CLOSED) - clib_warning ("out2in key del failed"); - if (snat_is_session_static (s)) return; - if (s->outside_address_index != ~0 && s->state != SNAT_SESSION_TCP_CLOSED) + if (s->outside_address_index != ~0) snat_free_outside_address_and_port (sm->addresses, thread_index, &s->out2in, s->outside_address_index); } @@ -291,7 +327,7 @@ nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index, /* add user */ if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1)) - clib_warning ("user_hash keay add failed"); + nat_log_warn ("user_hash keay add failed"); } else { @@ -334,6 +370,10 @@ nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index) /* Get the session */ s = pool_elt_at_index (tsm->sessions, session_index); nat_free_session_data (sm, s, thread_index); + if (snat_is_session_static(s)) + u->nstaticsessions--; + else + u->nsessions--; s->outside_address_index = ~0; s->flags = 0; s->total_bytes = 0; @@ -367,15 +407,36 @@ nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index) return s; } +typedef struct { + u8 next_in2out; +} nat44_classify_trace_t; + +static u8 * format_nat44_classify_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *); + char *next; + + next = t->next_in2out ? "nat44-in2out" : "nat44-out2in"; + + s = format (s, "nat44-classify: next %s", next); + + return s; +} + static inline uword nat44_classify_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_frame_t * frame, + int is_ed) { u32 n_left_from, * from, * to_next; nat44_classify_next_t next_index; snat_main_t *sm = &snat_main; snat_static_mapping_t *m; + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; @@ -392,11 +453,13 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, { u32 bi0; vlib_buffer_t *b0; - u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT; + u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT, sw_if_index0, rx_fib_index0; ip4_header_t *ip0; snat_address_t *ap; snat_session_key_t m_key0; clib_bihash_kv_8_8_t kv0, value0; + clib_bihash_kv_16_8_t ed_kv0, ed_value0; + udp_header_t *udp0; /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; @@ -408,6 +471,20 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, b0 = vlib_get_buffer (vm, bi0); ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + + if (is_ed) + { + sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + make_ed_kv (&ed_kv0, &ip0->src_address, &ip0->dst_address, + ip0->protocol, rx_fib_index0, udp0->src_port, + udp0->dst_port); + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0, &ed_value0)) + goto enqueue0; + } vec_foreach (ap, sm->addresses) { @@ -423,7 +500,7 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, m_key0.addr = ip0->dst_address; m_key0.port = 0; m_key0.protocol = 0; - m_key0.fib_index = sm->outside_fib_index; + m_key0.fib_index = 0; kv0.key = m_key0.as_u64; if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv0, &value0)) { @@ -432,7 +509,6 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, next0 = NAT44_CLASSIFY_NEXT_OUT2IN; goto enqueue0; } - udp_header_t * udp0 = ip4_next_header (ip0); m_key0.port = clib_net_to_host_u16 (udp0->dst_port); m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol); kv0.key = m_key0.as_u64; @@ -445,6 +521,14 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, } enqueue0: + if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_classify_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 1 : 0; + } + /* verify speculative enqueue, maybe switch current next frame */ vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, @@ -462,13 +546,14 @@ nat44_classify_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return nat44_classify_node_fn_inline (vm, node, frame); + return nat44_classify_node_fn_inline (vm, node, frame, 0); }; VLIB_REGISTER_NODE (nat44_classify_node) = { .function = nat44_classify_node_fn, .name = "nat44-classify", .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, .type = VLIB_NODE_TYPE_INTERNAL, .n_next_nodes = NAT44_CLASSIFY_N_NEXT, .next_nodes = { @@ -479,19 +564,43 @@ VLIB_REGISTER_NODE (nat44_classify_node) = { VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node, nat44_classify_node_fn); +static uword +nat44_ed_classify_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_classify_node_fn_inline (vm, node, frame, 1); +}; + +VLIB_REGISTER_NODE (nat44_ed_classify_node) = { + .function = nat44_ed_classify_node_fn, + .name = "nat44-ed-classify", + .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_next_nodes = NAT44_CLASSIFY_N_NEXT, + .next_nodes = { + [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-ed-in2out", + [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-ed-out2in", + }, +}; + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_classify_node, + nat44_ed_classify_node_fn); static uword nat44_det_classify_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return nat44_classify_node_fn_inline (vm, node, frame); + return nat44_classify_node_fn_inline (vm, node, frame, 0); }; VLIB_REGISTER_NODE (nat44_det_classify_node) = { .function = nat44_det_classify_node_fn, .name = "nat44-det-classify", .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, .type = VLIB_NODE_TYPE_INTERNAL, .n_next_nodes = NAT44_CLASSIFY_N_NEXT, .next_nodes = { @@ -508,13 +617,14 @@ nat44_handoff_classify_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return nat44_classify_node_fn_inline (vm, node, frame); + return nat44_classify_node_fn_inline (vm, node, frame, 0); }; VLIB_REGISTER_NODE (nat44_handoff_classify_node) = { .function = nat44_handoff_classify_node_fn, .name = "nat44-handoff-classify", .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, .type = VLIB_NODE_TYPE_INTERNAL, .n_next_nodes = NAT44_CLASSIFY_N_NEXT, .next_nodes = { @@ -571,18 +681,21 @@ snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index, FIB_SOURCE_PLUGIN_LOW); } -void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, +int snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, u8 twice_nat) { snat_address_t * ap; snat_interface_t *i; vlib_thread_main_t *tm = vlib_get_thread_main (); + if (twice_nat && !sm->endpoint_dependent) + return VNET_API_ERROR_FEATURE_DISABLED; + /* Check if address already exists */ vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses) { if (ap->addr.as_u32 == addr->as_u32) - return; + return VNET_API_ERROR_VALUE_EXIST; } if (twice_nat) @@ -605,7 +718,7 @@ void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, #undef _ if (twice_nat) - return; + return 0; /* Add external address to FIB */ pool_foreach (i, sm->interfaces, @@ -624,6 +737,8 @@ void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1); break; })); + + return 0; } static int is_snat_address_used_in_static_mapping (snat_main_t *sm, @@ -721,6 +836,12 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, snat_session_t * s; snat_static_map_resolve_t *rp, *rp_match = 0; + if (!sm->endpoint_dependent) + { + if (twice_nat || out2in_only) + return VNET_API_ERROR_FEATURE_DISABLED; + } + /* If the external address is a specific interface address */ if (sw_if_index != ~0) { @@ -729,14 +850,14 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, for (i = 0; i < vec_len (sm->to_resolve); i++) { rp = sm->to_resolve + i; - if (rp->sw_if_index != sw_if_index && - rp->l_addr.as_u32 != l_addr.as_u32 && - rp->vrf_id != vrf_id && rp->addr_only != addr_only) + if (rp->sw_if_index != sw_if_index || + rp->l_addr.as_u32 != l_addr.as_u32 || + rp->vrf_id != vrf_id || rp->addr_only != addr_only) continue; if (!addr_only) { - if (rp->l_port != l_port && rp->e_port != e_port && rp->proto != proto) + if (rp->l_port != l_port || rp->e_port != e_port || rp->proto != proto) continue; } @@ -792,7 +913,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, m_key.addr = e_addr; m_key.port = addr_only ? 0 : e_port; m_key.protocol = addr_only ? 0 : proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) m = 0; @@ -859,7 +980,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -906,13 +1027,13 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, m->proto = proto; } - if (sm->workers) + if (sm->num_workers > 1) { ip4_header_t ip = { .src_address = m->local_addr, }; - m->worker_index = sm->worker_in2out_cb (&ip, m->fib_index); - tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index); + vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index)); + tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); } else tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); @@ -925,29 +1046,13 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, kv.value = m - sm->static_mappings; if (!out2in_only) clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (l_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1)) - clib_warning ("in2out key add failed"); - } m_key.addr = m->external_addr; m_key.port = m->external_port; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; kv.value = m - sm->static_mappings; clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (e_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1)) - clib_warning ("out2in key add failed"); - } /* Delete dynamic sessions matching local address (+ local port) */ if (!(sm->static_mapping_only)) @@ -975,18 +1080,11 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, if (snat_is_session_static (s)) continue; - if (!addr_only) - { - if ((s->out2in.addr.as_u32 != e_addr.as_u32) && - (clib_net_to_host_u16 (s->out2in.port) != e_port)) - continue; - } + if (!addr_only && (clib_net_to_host_u16 (s->in2out.port) != m->local_port)) + continue; nat_free_session_data (sm, s, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put_index (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); - u->nsessions--; + nat44_delete_session (sm, s, tsm - sm->per_thread_data); if (!addr_only) break; @@ -1027,7 +1125,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -1036,7 +1134,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, } if (sm->num_workers > 1) - tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index); + tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); else tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); @@ -1047,28 +1145,12 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, kv.key = m_key.as_u64; if (!out2in_only) clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (m->local_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0)) - clib_warning ("in2out key del failed"); - } m_key.addr = m->external_addr; m_key.port = m->external_port; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (m->external_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0)) - clib_warning ("in2out key del failed"); - } /* Delete session(s) for static mapping if exist */ if (!(sm->static_mapping_only) || @@ -1104,16 +1186,16 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, if (is_lb_session (s)) continue; + if (!snat_is_session_static (s)) + continue; + nat_free_session_data (sm, s, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put_index (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); - u->nstaticsessions--; + nat44_delete_session (sm, s, tsm - sm->per_thread_data); if (!addr_only) break; } - if (addr_only && (u->nstaticsessions == 0)) + if (addr_only && (u->nstaticsessions == 0) && (u->nsessions == 0)) { pool_put (tsm->users, u); clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 0); @@ -1123,6 +1205,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, } vec_free (m->tag); + vec_free (m->workers); /* Delete static mapping from pool */ pool_put (sm->static_mappings, m); } @@ -1151,35 +1234,8 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, return 0; } -static int lb_local_exists (nat44_lb_addr_port_t * local, - ip4_address_t * e_addr, u16 e_port) -{ - snat_main_t *sm = &snat_main; - snat_static_mapping_t *m; - nat44_lb_addr_port_t *ap; - - /* *INDENT-OFF* */ - pool_foreach (m, sm->static_mappings, - ({ - if (vec_len(m->locals)) - { - if (m->external_port == e_port && m->external_addr.as_u32 == e_addr->as_u32) - continue; - - vec_foreach (ap, m->locals) - { - if (ap->port == local->port && ap->addr.as_u32 == local->addr.as_u32) - return 1; - } - } - })); - /* *INDENT-ON* */ - - return 0; -} - int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, - snat_protocol_t proto, u32 vrf_id, + snat_protocol_t proto, nat44_lb_addr_port_t *locals, u8 is_add, twice_nat_type_t twice_nat, u8 out2in_only, u8 *tag) @@ -1188,21 +1244,24 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, snat_static_mapping_t *m; snat_session_key_t m_key; clib_bihash_kv_8_8_t kv, value; - u32 fib_index; snat_address_t *a = 0; int i; nat44_lb_addr_port_t *local; - u32 worker_index = 0, elt_index, head_index, ses_index; + u32 elt_index, head_index, ses_index; snat_main_per_thread_data_t *tsm; snat_user_key_t u_key; snat_user_t *u; snat_session_t * s; dlist_elt_t * head, * elt; + uword *bitmap = 0; + + if (!sm->endpoint_dependent) + return VNET_API_ERROR_FEATURE_DISABLED; m_key.addr = e_addr; m_key.port = e_port; m_key.protocol = proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) m = 0; @@ -1217,10 +1276,6 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, if (vec_len (locals) < 2) return VNET_API_ERROR_INVALID_VALUE; - fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, - vrf_id, - FIB_SOURCE_PLUGIN_LOW); - /* Find external address in allocated addresses and reserve port for address and port pair mapping when dynamic translations enabled */ if (!(sm->static_mapping_only || out2in_only)) @@ -1247,7 +1302,7 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -1263,8 +1318,6 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, m->tag = vec_dup (tag); m->external_addr = e_addr; m->addr_only = 0; - m->vrf_id = vrf_id; - m->fib_index = fib_index; m->external_port = e_port; m->proto = proto; m->twice_nat = twice_nat; @@ -1273,39 +1326,22 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, m_key.addr = m->external_addr; m_key.port = m->external_port; m_key.protocol = m->proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; kv.value = m - sm->static_mappings; if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1)) { - clib_warning ("static_mapping_by_external key add failed"); - return VNET_API_ERROR_UNSPECIFIED; - } - - /* Assign worker */ - if (sm->workers) - { - worker_index = sm->first_worker_index + - sm->workers[sm->next_worker++ % vec_len (sm->workers)]; - tsm = vec_elt_at_index (sm->per_thread_data, worker_index); - m->worker_index = worker_index; - } - else - tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); - - m_key.port = clib_host_to_net_u16 (m->external_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1)) - { - clib_warning ("out2in key add failed"); + nat_log_err ("static_mapping_by_external key add failed"); return VNET_API_ERROR_UNSPECIFIED; } m_key.fib_index = m->fib_index; for (i = 0; i < vec_len (locals); i++) { + locals[i].fib_index = fib_table_find_or_create_and_lock ( + FIB_PROTOCOL_IP4, locals[i].vrf_id, FIB_SOURCE_PLUGIN_LOW); m_key.addr = locals[i].addr; + m_key.fib_index = locals[i].fib_index; if (!out2in_only) { m_key.port = locals[i].port; @@ -1316,24 +1352,30 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, locals[i].prefix = (i == 0) ? locals[i].probability :\ (locals[i - 1].prefix + locals[i].probability); vec_add1 (m->locals, locals[i]); - - m_key.port = clib_host_to_net_u16 (locals[i].port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1)) + if (sm->num_workers > 1) { - clib_warning ("in2out key add failed"); - return VNET_API_ERROR_UNSPECIFIED; + ip4_header_t ip = { + .src_address = locals[i].addr, + }; + bitmap = clib_bitmap_set ( + bitmap, sm->worker_in2out_cb (&ip, m->fib_index), 1); } } + + /* Assign workers */ + if (sm->num_workers > 1) + { + clib_bitmap_foreach (i, bitmap, + ({ + vec_add1(m->workers, i); + })); + } } else { if (!m) return VNET_API_ERROR_NO_SUCH_ENTRY; - fib_table_unlock (m->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_LOW); - /* Free external address port */ if (!(sm->static_mapping_only || out2in_only)) { @@ -1356,7 +1398,7 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -1364,51 +1406,45 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, } } - tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index); m_key.addr = m->external_addr; m_key.port = m->external_port; m_key.protocol = m->proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0)) { - clib_warning ("static_mapping_by_external key del failed"); - return VNET_API_ERROR_UNSPECIFIED; - } - - m_key.port = clib_host_to_net_u16 (m->external_port); - kv.key = m_key.as_u64; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0)) - { - clib_warning ("outi2in key del failed"); + nat_log_err ("static_mapping_by_external key del failed"); return VNET_API_ERROR_UNSPECIFIED; } vec_foreach (local, m->locals) { + fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4, + FIB_SOURCE_PLUGIN_LOW); m_key.addr = local->addr; if (!out2in_only) { m_key.port = local->port; - m_key.fib_index = m->fib_index; + m_key.fib_index = local->fib_index; kv.key = m_key.as_u64; if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0)) { - clib_warning ("static_mapping_by_local key del failed"); + nat_log_err ("static_mapping_by_local key del failed"); return VNET_API_ERROR_UNSPECIFIED; } } - if (!lb_local_exists(local, &e_addr, e_port)) + if (sm->num_workers > 1) { - m_key.port = clib_host_to_net_u16 (local->port); - kv.key = m_key.as_u64; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0)) - { - clib_warning ("in2out key del failed"); - return VNET_API_ERROR_UNSPECIFIED; - } + ip4_header_t ip = { + .src_address = local->addr, + }; + tsm = vec_elt_at_index (sm->per_thread_data, + sm->worker_in2out_cb (&ip, m->fib_index)); } + else + tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); + /* Delete sessions */ u_key.addr = local->addr; u_key.fib_index = m->fib_index; @@ -1437,16 +1473,14 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, continue; nat_free_session_data (sm, s, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put_index (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); - u->nstaticsessions--; + nat44_delete_session (sm, s, tsm - sm->per_thread_data); } } } } vec_free(m->locals); vec_free(m->tag); + vec_free(m->workers); pool_put (sm->static_mappings, m); } @@ -1461,9 +1495,6 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, snat_address_t *a = 0; snat_session_t *ses; u32 *ses_to_be_removed = 0, *ses_index; - clib_bihash_kv_8_8_t kv, value; - snat_user_key_t user_key; - snat_user_t *u; snat_main_per_thread_data_t *tsm; snat_static_mapping_t *m; snat_interface_t *interface; @@ -1499,7 +1530,7 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, /* Check if address is used in some static mapping */ if (is_snat_address_used_in_static_mapping(sm, addr)) { - clib_warning ("address used in static mapping"); + nat_log_notice ("address used in static mapping"); return VNET_API_ERROR_UNSPECIFIED; } } @@ -1518,22 +1549,15 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, { ses->outside_address_index = ~0; nat_free_session_data (sm, ses, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, ses->per_user_index); - pool_put_index (tsm->list_pool, ses->per_user_index); vec_add1 (ses_to_be_removed, ses - tsm->sessions); - user_key.addr = ses->in2out.addr; - user_key.fib_index = ses->in2out.fib_index; - kv.key = user_key.as_u64; - if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) - { - u = pool_elt_at_index (tsm->users, value.value); - u->nsessions--; - } } })); vec_foreach (ses_index, ses_to_be_removed) - pool_put_index (tsm->sessions, ses_index[0]); + { + ses = pool_elt_at_index (tsm->sessions, ses_index[0]); + nat44_delete_session (sm, ses, tsm - sm->per_thread_data); + } vec_free (ses_to_be_removed); } @@ -1576,6 +1600,9 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) snat_address_t * ap; snat_static_mapping_t * m; snat_det_map_t * dm; + nat_outside_fib_t *outside_fib; + u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index); if (sm->out2in_dpo && !is_inside) return VNET_API_ERROR_UNSUPPORTED; @@ -1594,16 +1621,45 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) feature_name = is_inside ? "nat44-in2out-worker-handoff" : "nat44-out2in-worker-handoff"; else if (sm->deterministic) feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in"; + else if (sm->endpoint_dependent) + feature_name = is_inside ? "nat44-ed-in2out" : "nat44-ed-out2in"; else feature_name = is_inside ? "nat44-in2out" : "nat44-out2in"; } if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1) - sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, 0); + sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, + NAT_FQ_NELTS); if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1) - sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0); + sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, + NAT_FQ_NELTS); + if (!is_inside) + { + vec_foreach (outside_fib, sm->outside_fibs) + { + if (outside_fib->fib_index == fib_index) + { + if (is_del) + { + outside_fib->refcount--; + if (!outside_fib->refcount) + vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs); + } + else + outside_fib->refcount++; + goto feature_set; + } + } + if (!is_del) + { + vec_add2 (sm->outside_fibs, outside_fib, 1); + outside_fib->refcount = 1; + outside_fib->fib_index = fib_index; + } + } +feature_set: pool_foreach (i, sm->interfaces, ({ if (i->sw_if_index == sw_if_index) @@ -1629,6 +1685,12 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) feature_name = !is_inside ? "nat44-det-in2out" : "nat44-det-out2in"; } + else if (sm->endpoint_dependent) + { + del_feature_name = "nat44-ed-classify"; + feature_name = !is_inside ? "nat44-ed-in2out" : + "nat44-ed-out2in"; + } else { del_feature_name = "nat44-classify"; @@ -1640,8 +1702,16 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); if (!is_inside) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 1, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", + "nat44-ed-hairpinning", + sw_if_index, 1, 0, 0); + else + vnet_feature_enable_disable ("ip4-local", + "nat44-hairpinning", + sw_if_index, 1, 0, 0); + } } else { @@ -1649,8 +1719,16 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) sw_if_index, 0, 0, 0); pool_put (sm->interfaces, i); if (is_inside) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 0, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", + "nat44-ed-hairpinning", + sw_if_index, 0, 0, 0); + else + vnet_feature_enable_disable ("ip4-local", + "nat44-hairpinning", + sw_if_index, 0, 0, 0); + } } } else @@ -1671,6 +1749,12 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) "nat44-det-out2in"; feature_name = "nat44-det-classify"; } + else if (sm->endpoint_dependent) + { + del_feature_name = !is_inside ? "nat44-ed-in2out" : + "nat44-ed-out2in"; + feature_name = "nat44-ed-classify"; + } else { del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in"; @@ -1682,8 +1766,14 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); if (!is_inside) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 0, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning", + sw_if_index, 0, 0, 0); + else + vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", + sw_if_index, 0, 0, 0); + } goto set_flags; } @@ -1700,8 +1790,14 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); if (is_inside && !sm->out2in_dpo) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 1, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning", + sw_if_index, 1, 0, 0); + else + vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", + sw_if_index, 1, 0, 0); + } set_flags: if (is_inside) @@ -1754,16 +1850,27 @@ int snat_interface_add_del_output_feature (u32 sw_if_index, if (is_inside) { - vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst", - sw_if_index, !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src", - sw_if_index, !is_del, 0, 0); + if (sm->endpoint_dependent) + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src", + sw_if_index, !is_del, 0, 0); + } + else + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src", + sw_if_index, !is_del, 0, 0); + } goto fq; } if (sm->num_workers > 1) { - vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in-worker-handoff", + vnet_feature_enable_disable ("ip4-unicast", + "nat44-out2in-worker-handoff", sw_if_index, !is_del, 0, 0); vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output-worker-handoff", @@ -1771,10 +1878,20 @@ int snat_interface_add_del_output_feature (u32 sw_if_index, } else { - vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", sw_if_index, - !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output", - sw_if_index, !is_del, 0, 0); + if (sm->endpoint_dependent) + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-out2in", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output", + sw_if_index, !is_del, 0, 0); + } + else + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output", + sw_if_index, !is_del, 0, 0); + } } fq: @@ -1893,6 +2010,7 @@ static clib_error_t * snat_init (vlib_main_t * vm) uword *bitmap = 0; u32 i; ip4_add_del_interface_address_callback_t cb4; + vlib_node_t * error_drop_node; sm->vlib_main = vm; sm->vnet_main = vnet_get_main(); @@ -1900,7 +2018,6 @@ static clib_error_t * snat_init (vlib_main_t * vm) sm->ip4_lookup_main = lm; sm->api_main = &api_main; sm->first_worker_index = 0; - sm->next_worker = 0; sm->num_workers = 0; sm->num_snat_thread = 1; sm->workers = 0; @@ -1913,6 +2030,9 @@ static clib_error_t * snat_init (vlib_main_t * vm) sm->icmp_timeout = SNAT_ICMP_TIMEOUT; sm->alloc_addr_and_port = nat_alloc_addr_and_port_default; sm->forwarding_enabled = 0; + sm->log_class = vlib_log_register_class ("nat", 0); + error_drop_node = vlib_get_node_by_name (vm, (u8 *) "error-drop"); + sm->error_node_index = error_drop_node->index; p = hash_get_mem (tm->thread_registrations_by_name, "workers"); if (p) @@ -2001,7 +2121,7 @@ void snat_free_outside_address_and_port (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return; } } @@ -2034,13 +2154,16 @@ int snat_static_mapping_match (snat_main_t * sm, clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local; u32 rand, lo = 0, hi, mid; + m_key.fib_index = match.fib_index; if (by_external) - mapping_hash = &sm->static_mapping_by_external; + { + mapping_hash = &sm->static_mapping_by_external; + m_key.fib_index = 0; + } m_key.addr = match.addr; m_key.port = clib_net_to_host_u16 (match.port); m_key.protocol = match.protocol; - m_key.fib_index = match.fib_index; kv.key = m_key.as_u64; @@ -2060,6 +2183,7 @@ int snat_static_mapping_match (snat_main_t * sm, { if (vec_len (m->locals)) { +get_local: hi = vec_len (m->locals) - 1; rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix); while (lo < hi) @@ -2069,17 +2193,26 @@ int snat_static_mapping_match (snat_main_t * sm, } if (!(m->locals[lo].prefix >= rand)) return 1; + if (PREDICT_FALSE (sm->num_workers > 1)) + { + ip4_header_t ip = { + .src_address = m->locals[lo].addr, + }; + if (sm->worker_in2out_cb (&ip, m->fib_index) != vlib_get_thread_index ()) + goto get_local; + } mapping->addr = m->locals[lo].addr; mapping->port = clib_host_to_net_u16 (m->locals[lo].port); + mapping->fib_index = m->locals[lo].fib_index; } else { + mapping->fib_index = m->fib_index; mapping->addr = m->local_addr; /* Address only mapping doesn't change port */ mapping->port = m->addr_only ? match.port : clib_host_to_net_u16 (m->local_port); } - mapping->fib_index = m->fib_index; mapping->protocol = m->proto; } else @@ -2177,7 +2310,7 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning("unknown protocol"); + nat_log_info ("unknown protocol"); return 1; } @@ -2209,7 +2342,7 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning ("unknown protocol"); + nat_log_info ("unknown protocol"); return 1; } } @@ -2262,7 +2395,7 @@ nat_alloc_addr_and_port_mape (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning("unknown protocol"); + nat_log_info ("unknown protocol"); return 1; } @@ -2328,6 +2461,65 @@ format_snat_protocol (u8 * s, va_list * args) return s; } +u8 * format_snat_key (u8 * s, va_list * args); + +u8 * +format_session_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *); + snat_session_key_t k; + + k.as_u64 = v->key; + + s = format (s, "%U session-index %llu", format_snat_key, &k, v->value); + + return s; +} + +u8 * +format_static_mapping_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *); + snat_session_key_t k; + + k.as_u64 = v->key; + + s = format (s, "%U static-mapping-index %llu", format_snat_key, &k, v->value); + + return s; +} + +u8 * +format_user_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *); + snat_user_key_t k; + + k.as_u64 = v->key; + + s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr, + k.fib_index, v->value); + + return s; +} + +u8 * +format_ed_session_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *); + nat_ed_ses_key_t k; + + k.as_u64[0] = v->key[0]; + k.as_u64[1] = v->key[1]; + + s = format (s, "local %U:%d remote %U:%d proto %U fib %d session-index %llu", + format_ip4_address, &k.l_addr, clib_net_to_host_u16 (k.l_port), + format_ip4_address, &k.r_addr, clib_net_to_host_u16 (k.r_port), + format_ip_protocol, k.proto, k.fib_index, v->value); + + return s; +} + static u32 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0) { @@ -2356,11 +2548,6 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) snat_session_key_t m_key; clib_bihash_kv_8_8_t kv, value; snat_static_mapping_t *m; - nat_ed_ses_key_t key; - clib_bihash_kv_16_8_t s_kv, s_value; - snat_main_per_thread_data_t *tsm; - snat_session_t *s; - int i; u32 proto; u32 next_worker_index = 0; @@ -2375,7 +2562,7 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) { m = pool_elt_at_index (sm->static_mappings, value.value); - return m->worker_index; + return m->workers[0]; } } @@ -2405,32 +2592,7 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) /* unknown protocol */ if (PREDICT_FALSE (proto == ~0)) { - key.l_addr = ip0->dst_address; - key.r_addr = ip0->src_address; - key.fib_index = rx_fib_index0; - key.proto = ip0->protocol; - key.r_port = 0; - key.l_port = 0; - s_kv.key[0] = key.as_u64[0]; - s_kv.key[1] = key.as_u64[1]; - - if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value)) - { - for (i = 0; i < _vec_len (sm->per_thread_data); i++) - { - tsm = vec_elt_at_index (sm->per_thread_data, i); - if (!pool_is_free_index(tsm->sessions, s_value.value)) - { - s = pool_elt_at_index (tsm->sessions, s_value.value); - if (s->out2in.addr.as_u32 == ip0->dst_address.as_u32 && - s->out2in.port == ip0->protocol && - snat_is_unk_proto_session (s)) - return i; - } - } - } - - /* if no session use current thread */ + /* use current thread */ return vlib_get_thread_index (); } @@ -2473,7 +2635,97 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) { m = pool_elt_at_index (sm->static_mappings, value.value); - return m->worker_index; + return m->workers[0]; + } + } + + /* worker by outside port */ + next_worker_index = sm->first_worker_index; + next_worker_index += + sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread]; + return next_worker_index; +} + +static u32 +nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index) +{ + snat_main_t *sm = &snat_main; + clib_bihash_kv_8_8_t kv, value; + u32 proto, next_worker_index = 0; + udp_header_t *udp; + u16 port; + snat_static_mapping_t *m; + u32 hash; + + /* first try static mappings without port */ + if (PREDICT_FALSE (pool_elts (sm->static_mappings))) + { + make_sm_kv (&kv, &ip->dst_address, 0, rx_fib_index, 0); + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + return m->workers[0]; + } + } + + proto = ip_proto_to_snat_proto (ip->protocol); + + /* unknown protocol */ + if (PREDICT_FALSE (proto == ~0)) + { + /* use current thread */ + return vlib_get_thread_index (); + } + + udp = ip4_next_header (ip); + port = udp->dst_port; + + if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP)) + { + icmp46_header_t * icmp = (icmp46_header_t *) udp; + icmp_echo_header_t *echo = (icmp_echo_header_t *)(icmp + 1); + if (!icmp_is_error_message (icmp)) + port = echo->identifier; + else + { + ip4_header_t *inner_ip = (ip4_header_t *)(echo + 1); + proto = ip_proto_to_snat_proto (inner_ip->protocol); + void *l4_header = ip4_next_header (inner_ip); + switch (proto) + { + case SNAT_PROTOCOL_ICMP: + icmp = (icmp46_header_t*)l4_header; + echo = (icmp_echo_header_t *)(icmp + 1); + port = echo->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + port = ((tcp_udp_header_t*)l4_header)->src_port; + break; + default: + return vlib_get_thread_index (); + } + } + } + + /* try static mappings with port */ + if (PREDICT_FALSE (pool_elts (sm->static_mappings))) + { + make_sm_kv (&kv, &ip->dst_address, proto, rx_fib_index, + clib_net_to_host_u16 (port)); + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + if (!vec_len(m->locals)) + return m->workers[0]; + + hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) + + (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >>24); + + if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers)))) + return m->workers[hash & (_vec_len (m->workers) - 1)]; + else + return m->workers[hash % _vec_len (m->workers)]; } } @@ -2481,6 +2733,7 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) next_worker_index = sm->first_worker_index; next_worker_index += sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread]; + return next_worker_index; } @@ -2510,6 +2763,7 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) sm->deterministic = 0; sm->out2in_dpo = 0; + sm->endpoint_dependent = 0; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { @@ -2557,6 +2811,8 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) sm->out2in_dpo = 1; else if (unformat (input, "dslite ce")) dslite_set_ce(dm, 1); + else if (unformat (input, "endpoint-dependent")) + sm->endpoint_dependent = 1; else return clib_error_return (0, "unknown input '%U'", format_unformat_error, input); @@ -2598,34 +2854,66 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) } else { - sm->worker_in2out_cb = snat_get_worker_in2out_cb; - sm->worker_out2in_cb = snat_get_worker_out2in_cb; - sm->in2out_node_index = snat_in2out_node.index; - sm->in2out_output_node_index = snat_in2out_output_node.index; - sm->out2in_node_index = snat_out2in_node.index; - if (!static_mapping_only || - (static_mapping_only && static_mapping_connection_tracking)) + if (sm->endpoint_dependent) + { + sm->worker_in2out_cb = snat_get_worker_in2out_cb; + sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb; + sm->in2out_node_index = nat44_ed_in2out_node.index; + sm->in2out_output_node_index = nat44_ed_in2out_output_node.index; + sm->out2in_node_index = nat44_ed_out2in_node.index; + sm->icmp_match_in2out_cb = icmp_match_in2out_ed; + sm->icmp_match_out2in_cb = icmp_match_out2in_ed; + } + else { + sm->worker_in2out_cb = snat_get_worker_in2out_cb; + sm->worker_out2in_cb = snat_get_worker_out2in_cb; + sm->in2out_node_index = snat_in2out_node.index; + sm->in2out_output_node_index = snat_in2out_output_node.index; + sm->out2in_node_index = snat_out2in_node.index; sm->icmp_match_in2out_cb = icmp_match_in2out_slow; sm->icmp_match_out2in_cb = icmp_match_out2in_slow; - + } + if (!static_mapping_only || + (static_mapping_only && static_mapping_connection_tracking)) + { vec_foreach (tsm, sm->per_thread_data) { - clib_bihash_init_8_8 (&tsm->in2out, "in2out", translation_buckets, - translation_memory_size); - - clib_bihash_init_8_8 (&tsm->out2in, "out2in", translation_buckets, - translation_memory_size); + if (sm->endpoint_dependent) + { + clib_bihash_init_16_8 (&tsm->in2out_ed, "in2out-ed", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_16_8 (&tsm->in2out_ed, + format_ed_session_kvp); + + clib_bihash_init_16_8 (&tsm->out2in_ed, "out2in-ed", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_16_8 (&tsm->out2in_ed, + format_ed_session_kvp); + } + else + { + clib_bihash_init_8_8 (&tsm->in2out, "in2out", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&tsm->in2out, + format_session_kvp); + + clib_bihash_init_8_8 (&tsm->out2in, "out2in", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&tsm->out2in, + format_session_kvp); + } clib_bihash_init_8_8 (&tsm->user_hash, "users", user_buckets, user_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash, + format_user_kvp); } - clib_bihash_init_16_8 (&sm->in2out_ed, "in2out-ed", - translation_buckets, translation_memory_size); - - clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed", - translation_buckets, translation_memory_size); } else { @@ -2635,10 +2923,14 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) clib_bihash_init_8_8 (&sm->static_mapping_by_local, "static_mapping_by_local", static_mapping_buckets, static_mapping_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local, + format_static_mapping_kvp); clib_bihash_init_8_8 (&sm->static_mapping_by_external, "static_mapping_by_external", static_mapping_buckets, static_mapping_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external, + format_static_mapping_kvp); } return 0; @@ -2676,7 +2968,7 @@ u8 * format_snat_key (u8 * s, va_list * args) u8 * format_snat_session (u8 * s, va_list * args) { - snat_main_t * sm __attribute__((unused)) = va_arg (*args, snat_main_t *); + snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *); snat_session_t * sess = va_arg (*args, snat_session_t *); if (snat_is_unk_proto_session (sess)) @@ -2695,34 +2987,35 @@ u8 * format_snat_session (u8 * s, va_list * args) s = format (s, " i2o %U\n", format_snat_key, &sess->in2out); s = format (s, " o2i %U\n", format_snat_key, &sess->out2in); } - if (is_twice_nat_session (sess)) - { - s = format (s, " external host o2i %U:%d i2o %U:%d\n", - format_ip4_address, &sess->ext_host_addr, - clib_net_to_host_u16 (sess->ext_host_port), - format_ip4_address, &sess->ext_host_nat_addr, - clib_net_to_host_u16 (sess->ext_host_nat_port)); - } - else + if (is_ed_session (sess) || is_fwd_bypass_session (sess)) { - if (sess->ext_host_addr.as_u32) - s = format (s, " external host %U:%u\n", + if (is_twice_nat_session (sess)) + { + s = format (s, " external host o2i %U:%d i2o %U:%d\n", format_ip4_address, &sess->ext_host_addr, - clib_net_to_host_u16 (sess->ext_host_port)); + clib_net_to_host_u16 (sess->ext_host_port), + format_ip4_address, &sess->ext_host_nat_addr, + clib_net_to_host_u16 (sess->ext_host_nat_port)); + } + else + { + if (sess->ext_host_addr.as_u32) + s = format (s, " external host %U:%u\n", + format_ip4_address, &sess->ext_host_addr, + clib_net_to_host_u16 (sess->ext_host_port)); + } } + s = format (s, " index %llu\n", sess - sm->sessions); s = format (s, " last heard %.2f\n", sess->last_heard); s = format (s, " total pkts %d, total bytes %lld\n", sess->total_pkts, sess->total_bytes); - if (sess->in2out.protocol == SNAT_PROTOCOL_TCP) - { - s = format (s, " state %s\n", - sess->state == SNAT_SESSION_TCP_CLOSED ? "closed" : "open"); - } if (snat_is_session_static (sess)) s = format (s, " static translation\n"); else s = format (s, " dynamic translation\n"); - if (sess->flags & SNAT_SESSION_FLAG_LOAD_BALANCING) + if (is_fwd_bypass_session (sess)) + s = format (s, " forwarding-bypass\n"); + if (is_lb_session (sess)) s = format (s, " load-balancing\n"); if (is_twice_nat_session (sess)) s = format (s, " twice-nat\n"); @@ -2787,17 +3080,16 @@ u8 * format_snat_static_mapping (u8 * s, va_list * args) { if (vec_len (m->locals)) { - s = format (s, "%U vrf %d external %U:%d %s %s", + s = format (s, "%U external %U:%d %s %s", format_snat_protocol, m->proto, - m->vrf_id, format_ip4_address, &m->external_addr, m->external_port, m->twice_nat == TWICE_NAT ? "twice-nat" : m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", m->out2in_only ? "out2in-only" : ""); vec_foreach (local, m->locals) - s = format (s, "\n local %U:%d probability %d\%", + s = format (s, "\n local %U:%d vrf %d probability %d\%", format_ip4_address, &local->addr, local->port, - local->probability); + local->vrf_id, local->probability); } else s = format (s, "%U local %U:%d external %U:%d vrf %d %s %s", @@ -2929,7 +3221,7 @@ match: !is_delete, 0, 0, rp->tag); if (rv) - clib_warning ("snat_add_static_mapping returned %d", rv); + nat_log_notice ("snat_add_static_mapping returned %d", rv); } static void @@ -2973,7 +3265,7 @@ match: if (addresses[j].addr.as_u32 == address->as_u32) return; - snat_add_address (sm, address, ~0, twice_nat); + (void) snat_add_address (sm, address, ~0, twice_nat); /* Scan static map resolution vector */ for (j = 0; j < vec_len (sm->to_resolve); j++) { @@ -3000,8 +3292,7 @@ match: rp->is_add, 0, 0, rp->tag); if (rv) - clib_warning ("snat_add_static_mapping returned %d", - rv); + nat_log_notice ("snat_add_static_mapping returned %d", rv); } } return; @@ -3075,7 +3366,7 @@ int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del, /* If the address is already bound - or static - add it now */ if (first_int_addr) - snat_add_address (sm, first_int_addr, ~0, twice_nat); + (void) snat_add_address (sm, first_int_addr, ~0, twice_nat); return 0; } @@ -3091,8 +3382,9 @@ nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, snat_session_key_t key; snat_session_t *s; clib_bihash_8_8_t *t; - snat_user_key_t u_key; - snat_user_t *u; + + if (sm->endpoint_dependent) + return VNET_API_ERROR_UNSUPPORTED; ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32; if (sm->num_workers > 1) @@ -3110,27 +3402,62 @@ nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, t = is_in ? &tsm->in2out : &tsm->out2in; if (!clib_bihash_search_8_8 (t, &kv, &value)) { + if (pool_is_free_index (tsm->sessions, value.value)) + return VNET_API_ERROR_UNSPECIFIED; + s = pool_elt_at_index (tsm->sessions, value.value); - kv.key = s->in2out.as_u64; - clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0); - kv.key = s->out2in.as_u64; - clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0); - u_key.addr = s->in2out.addr; - u_key.fib_index = s->in2out.fib_index; - kv.key = u_key.as_u64; - if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) - { - u = pool_elt_at_index (tsm->users, value.value); - u->nsessions--; - } - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); + nat_free_session_data (sm, s, tsm - sm->per_thread_data); + nat44_delete_session (sm, s, tsm - sm->per_thread_data); return 0; } return VNET_API_ERROR_NO_SUCH_ENTRY; } +int +nat44_del_ed_session (snat_main_t *sm, ip4_address_t *addr, u16 port, + ip4_address_t *eh_addr, u16 eh_port, u8 proto, + u32 vrf_id, int is_in) +{ + ip4_header_t ip; + clib_bihash_16_8_t *t; + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv, value; + u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id); + snat_session_t *s; + snat_main_per_thread_data_t *tsm; + + if (!sm->endpoint_dependent) + return VNET_API_ERROR_FEATURE_DISABLED; + + ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32; + if (sm->num_workers > 1) + tsm = + vec_elt_at_index (sm->per_thread_data, + sm->worker_in2out_cb (&ip, fib_index)); + else + tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); + + t = is_in ? &tsm->in2out_ed : &tsm->out2in_ed; + key.l_addr.as_u32 = addr->as_u32; + key.r_addr.as_u32 = eh_addr->as_u32; + key.l_port = clib_host_to_net_u16 (port); + key.r_port = clib_host_to_net_u16 (eh_port); + key.proto = proto; + key.fib_index = clib_host_to_net_u32 (fib_index); + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + if (clib_bihash_search_16_8 (t, &kv, &value)) + return VNET_API_ERROR_NO_SUCH_ENTRY; + + if (pool_is_free_index (tsm->sessions, value.value)) + return VNET_API_ERROR_UNSPECIFIED; + s = pool_elt_at_index (tsm->sessions, value.value); + nat_free_session_data (sm, s, tsm - sm->per_thread_data); + nat44_delete_session (sm, s, tsm - sm->per_thread_data); + return 0; +} + void nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, u16 psid_length) {