2 *------------------------------------------------------------------
3 * cnat_db.h - translation database definitions
5 * Copyright (c) 2007-2013 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
24 #include "cnat_ports.h"
25 #include "index_list.h"
27 #define VRF_NAME_LEN_STORED 12
29 typedef struct _cnat_svi_params_entry {
41 u32 vrf_override_id; /* tbl_id for override vrf */
44 } cnat_svi_params_entry;
46 typedef struct _cnat_ingress_vrfid_name_entry {
48 u16 ref_count; /*no# of serviceApps under a single vrf*/
49 u8 vrf_name[VRF_NAME_LEN_STORED];
51 } cnat_ingress_vrfid_name_entry;
52 #define HASH_ENHANCE 4
54 #define CNAT_DB_SIZE (PLATFORM_MAX_NAT_ENTRIES / PLATFORM_CNAT_INSTS)
55 #define CNAT_MAIN_HASH_SIZE (HASH_ENHANCE * PLATFORM_CNAT_MAIN_PRELIM_HASH_SIZE)
56 #define CNAT_MAIN_HASH_MASK (CNAT_MAIN_HASH_SIZE-1)
58 #define CNAT_USER_DB_SIZE (PLATFORM_MAX_USER_ENTRIES / PLATFORM_CNAT_INSTS)
59 #define CNAT_USER_HASH_SIZE (HASH_ENHANCE * PLATFORM_CNAT_USER_PRELIM_HASH_SIZE)
60 #define CNAT_USER_HASH_MASK (CNAT_USER_HASH_SIZE-1)
62 #define CNAT_SESSION_DB_SIZE (PLATFORM_MAX_NAT_ENTRIES / PLATFORM_CNAT_INSTS)
63 #define CNAT_SESSION_HASH_SIZE (HASH_ENHANCE * PLATFORM_CNAT_MAIN_PRELIM_HASH_SIZE)
64 #define CNAT_SESSION_HASH_MASK (CNAT_SESSION_HASH_SIZE-1)
67 #define CNAT_MAX_SESSIONS_PER_BIB 0xFFFF
69 #define NUM_BITS_IN_UWORD (8*sizeof(uword))
71 /* No. of per ip/port config will be limited to 1024 */
72 #define CNAT_TIMEOUT_HASH_SIZE 1024
73 #define CNAT_TIMEOUT_HASH_MASK (CNAT_TIMEOUT_HASH_SIZE - 1)
74 #define CNAT_TIMEOUT_FULL_MASK 0xFFFFFFFFFFFFFFFF
75 #define CNAT_TIMEOUT_IPPROT_MASK PLATFORM_CNAT_TIMEOUT_IPPROT_MASK
76 #define CNAT_TIMEOUT_PORTPROT_MASK PLATFORM_CNAT_TIMEOUT_PORTPROT_MASK
82 * The key structure. All fields are in NETWORK byte order!
87 u16 vrf; //bit0-12:vrf, bit13:unused, bit14-15:protocol
90 /* bit14-15:protocol in cnat_db_key_t */
91 #define CNAT_INVALID_PROTO 0x0000
92 #define CNAT_PPTP 0x0000
93 #define CNAT_UDP 0x4000
94 #define CNAT_TCP 0x8000
95 #define CNAT_ICMP 0xc000
96 #define CNAT_VRF_MASK 0x3fff
97 #define CNAT_PRO_MASK 0xc000
98 #define CNAT_PRO_SHIFT 14
101 * Maximum number of VRF entries supported
103 #define CNAT_MAX_VRFMAP_ENTRIES (CNAT_VRF_MASK + 1)
105 * for hashing purposes, fetch the key in one instr.
115 } cnat_db_key_bucket_t;
124 cnat_db_key_bucket_t ck;
129 } dslite_db_key_bucket_t;
132 /* Per port/ip timeout related strucutres */
133 extern index_slist_t *cnat_timeout_hash;
136 cnat_key_t timeout_key;
141 cnat_timeout_t t_key;
142 index_slist_t t_hash;
143 } cnat_timeout_db_entry_t;
145 extern cnat_timeout_db_entry_t *cnat_timeout_db;
148 * Main translation database entries. Currently 0x5A = 90 bytes in length.
149 * Given 20,000,000 entries, it saves nearly 1gb of SDRAM to pack the entries
150 * and pay the extra prefetch. So, that's what we do.
155 index_slist_t out2in_hash; /* hash-and-chain, x2 */
156 index_slist_t in2out_hash;
159 u16 flags; /* Always need flags... */
160 #define CNAT_DB_FLAG_PORT_PAIR (1<<0)
161 #define CNAT_DB_FLAG_TCP_ACTIVE (1<<1)
162 #define CNAT_DB_FLAG_ENTRY_FREE (1<<2)
163 #define CNAT_DB_FLAG_UDP_ACTIVE (1<<3)
164 #define CNAT_DB_FLAG_STATIC_PORT (1<<4)
165 /* This alg entry is set for FTP data connection */
166 #define CNAT_DB_FLAG_ALG_ENTRY (1<<5)
168 /* Will be set for TCP connection with destination port - 1723
169 * note - here CNAT_DB_FLAG_TCP_ACTIVE is also set */
170 #define CNAT_DB_FLAG_PPTP_TUNNEL_INIT (1<<6)
171 #define CNAT_DB_FLAG_PPTP_TUNNEL_ACTIVE (1<<7)
173 /* for PPTP GRE packtes */
174 #define CNAT_DB_FLAG_PPTP_GRE_ENTRY (1<<8)
176 /* for PCP support */
177 #define CNAT_DB_FLAG_PCPI (1<<9)
178 #define CNAT_DB_FLAG_PCPE (1<<10)
179 #define CNAT_PCP_FLAG (CNAT_DB_FLAG_PCPI | CNAT_DB_FLAG_PCPE)
181 #define CNAT_TAC_SEQ_MISMATCH (1<<11)
182 /* This alg entry is set for ftp control connection */
183 #define CNAT_DB_FLAG_ALG_CTRL_FLOW (1<<12)
185 /* This is for marking the state where connection is closing */
186 #define CNAT_DB_FLAG_TCP_CLOSING (1<<13)
188 #define CNAT_DB_DSLITE_FLAG (1<<14)
189 #define CNAT_DB_NAT64_FLAG (1<<15)
192 u16 vrfmap_index; /* index of vrfmap */
195 u32 user_index; /* index of user that owns this entry */
198 cnat_key_t out2in_key; /* network-to-user, outside-to-inside key */
201 cnat_key_t in2out_key; /* user-to-network, inside-to-outside key */
204 index_dlist_t user_ports; /* per-user translation list */
207 u32 out2in_pkts; /* pkt counters */
213 u32 entry_expires; /* timestamp used to expire translations */
216 union { /* used by FTP ALG, pkt len delta due to FTP PORT cmd */
218 i8 alg_dlt[2]; /* two delta values, 0 for previous, 1 for current */
219 u16 il; /* Used to indicate if interleaved mode is used
220 in case of RTSP ALG */
229 u32 tcp_seq_num; /* last tcp (FTP) seq # that has pkt len change due to PORT */
230 u32 pcp_lifetime; /* peer and map life time value sent in reply*/
233 /* This is for TCP seq check */
234 struct tcp_seq_chk_t {
239 /* used for pptp alg entries
240 1. only tunnel : prev and next = 0xFFFFFFFF
241 2. first gre entry : prev = tunnel db, next = next gre db
242 3. last gre entry : prev = previous gre/tunnel db, next= 0xFFFFFFFF;
244 *while adding gre entry- updated at the begining of head
245 *while deleting gre entry - hash look up will be done and prev and next are adjusted
246 * while deleting need not traverse throufgh the list, as done in index_dlist_remelem
249 index_dlist_t pptp_list;
254 u32 dst_ipv4; /* pointer to ipv4 dst list, used in evil mode */
260 u16 dslite_nat44_inst_id;
263 u32 session_head_index;
277 /* Sizeof cnat_main_db_entry_t = 0x54 */
278 } cnat_main_db_entry_t;
281 * 1. The size of this structure should be same as that of
282 * nat64_bib_user_entry_t
283 * 2. Do not alter the position of first four fields
287 index_slist_t user_hash; /* hash 'n chain bucket chain */
290 u16 ntranslations; /* translations hold by this user */
293 u8 icmp_msg_count; /* use to rate limit imcp send to this user */
296 u8 flags; /* To identfiy whether it is NAT64 or NAT44 etc */
297 #define CNAT_USER_DB_NAT44_FLAG 0
298 #define CNAT_USER_DB_NAT64_FLAG 1
299 #define CNAT_USER_DB_DSLITE_FLAG 2
300 #define CNAT_USER_DB_PORT_LIMIT_EXCEEDED 0X80
303 u32 translation_list_head_index;
306 u32 portmap_index; /* index of bound port-map */
309 cnat_key_t key; /* For dslite this should store IPv6 address */
310 u32 ipv6[4]; // B4 ipv6 address
317 /* 0x28 same as nat64_user_db */
318 #ifndef NO_BULK_LOGGING
319 /* Now adding 8 more bytes for bulk allocation.. This makes it
320 * 0x30 (48). Added the same to nat64_bib_user_entry_t make the
321 * the sizes equal. For nat64 stful, we may support bulk allocation
324 /* Indicates the currently used bulk port range */
325 i16 bulk_port_range_cache[BULK_RANGE_CACHE_SIZE];
326 #endif /* #ifndef NO_BULK_LOGGING */
327 } cnat_user_db_entry_t;
330 * cnat_session_entry_t
331 * This structure represents the cnat session table. It maintains the
332 * information about the destination of a given translation (main db)
333 * There would be entry here only if packets are send to more than 1 destn
334 * from the same source.
339 index_slist_t cnat_session_hash;
342 u32 main_db_index; /* would point to v4 src transport address */
345 cnat_key_t v4_dest_key;
348 u16 flags; /* Same as cnat_main_db_t */
356 index_dlist_t main_list;
359 union { /* alg same as cnat_main_db_t */
384 } cnat_session_entry_t;
389 * out2in and in2out hash bucket arrays are simply arrays of index_slist_t's
393 CNAT_DB_CREATE_DEFAULT=0, /* honor cnat_main_db_max_ports_per_user */
394 CNAT_DB_CREATE_OVERRIDE, /* just do it. */
395 } cnat_db_create_policy_t;
398 cnat_key_t in2out_key;
399 cnat_key_t out2in_key;
400 u32 dst_ipv4; /* evil for mode only */
402 cnat_portmap_t *portmap;
404 cnat_main_db_entry_t *db;
405 cnat_db_create_policy_t policy;
406 port_pair_t pair_of_ports;
407 } cnat_db_create_args_t;
409 extern cnat_main_db_entry_t *cnat_main_db;
410 extern cnat_user_db_entry_t *cnat_user_db;
411 extern cnat_session_entry_t *cnat_session_db;
414 #define S_WA 1 /* waiting for address pool */
415 #define S_WO 2 /* waiting for outside vrf */
416 #define S_RUN 3 /* got everything */
417 #define S_DEL 4 /* just delete */
419 #define INVALID_UIDX 0xffff /*invalid svi app uidb index */
420 #define INVALID_VRFID 0xffffffff /*invalid vrf id */
424 u16 tcp_mss; //tcp max segment size for this inside vrf */
426 u16 i_vrf; //inside SVI uidx
427 u16 o_vrf; //outside SVI uidx
428 u32 i_vrf_id; //inside vrf id
429 u32 o_vrf_id; //outside vrf id
430 cnat_portmap_v2_t *portmap_list;
431 u32 nfv9_logging_index;
432 u32 syslog_logging_index;
434 #ifndef NO_BULK_LOGGING
435 bulk_alloc_size_t bulk_size;
436 #endif /* #ifndef NO_BULK_LOGGING */
440 u8 nf_logging_policy;
441 u8 syslog_logging_policy;
445 u8 tcp_seq_check_enable;
447 u32 tcp_seq_user_window;
453 * When creating cnat_vrfmap entry, ensure that any already
454 * configured logging info is taken into account
456 #define CNAT_SET_VRFMAP_NFV9_LOGGING_INDEX(logging_index, i_vrf) \
458 cnat_nfv9_logging_info_t *my_nfv9_logging_info = 0; \
459 pool_foreach (my_nfv9_logging_info, cnat_nfv9_logging_info, ({ \
460 if (my_nfv9_logging_info->i_vrf == i_vrf) { \
461 logging_index = my_nfv9_logging_info - cnat_nfv9_logging_info; \
470 * spp_ctx_alloc() call failed
472 u64 nfv9_logging_context_creation_fail_count;
475 * Cannot send the existing logging pkt, so cannot create
476 * any additional packets for logging purposes
478 u64 nfv9_logging_context_creation_deferred_count;
481 * Cannot send the existing logging pkt due to cnat_rewrite_output
482 * superframe being full.
484 u64 nfv9_downstream_constipation_count;
487 * buffer for spp_ctx_alloc() call failed
489 u64 nfv9_logging_context_buffer_allocation_fail_count;
491 } cnat_global_counters_t;
494 extern cnat_global_counters_t cnat_global_counters;
496 extern u16 *cnat_portmap_indices_by_vrf;
497 extern cnat_vrfmap_t *cnat_portmap_by_vrf;
498 extern cnat_portmap_t **cnat_portmaps;
499 extern u16 **cnat_portmaps_inuse;
501 extern cnat_vrfmap_t *cnat_map_by_vrf;
504 * Special define to indicate that the VRF map index entry is empty
506 #define VRF_MAP_ENTRY_EMPTY 0xffff
507 extern u16 vrf_map_array[CNAT_MAX_VRFMAP_ENTRIES];
509 extern cnat_svi_params_entry svi_params_array[CNAT_MAX_VRFMAP_ENTRIES];
510 extern cnat_ingress_vrfid_name_entry vrfid_name_map[MAX_VRFID];
512 extern index_slist_t *cnat_out2in_hash;
513 extern index_slist_t *cnat_in2out_hash;
514 extern index_slist_t *cnat_user_hash;
515 extern index_slist_t *cnat_session_hash;
529 cnat_icmp_msg_t gen_icmp_msg;
531 } cnat_gen_icmp_info;
533 typedef cnat_vrfmap_t nat64_vrfmap_t;
534 typedef cnat_portmap_v2_t nat64_portmap_v2_t;
536 #define CNAT_V4_GET_HASH(key64, hash, mask) \
538 b = c = 0x9e3779b97f4a7c13LL; \
539 /* Jenkins hash, arbitrarily use c as the "answer" */ \
540 hash_mix64(a, b, c); \
543 #define CNAT_V4_GET_SESSION_HASH(main_index, in_addr, port, vrf, hash, mask) \
544 a = main_index ^ in_addr ^ port ^ vrf; \
545 b = c = 0x9e3779b9; \
546 /* Jenkins hash, arbitrarily use c as the "answer" */ \
547 hash_mix32(a, b, c); \
550 #define CNAT_V4_GET_FRAG_HASH(key64, key32, hash, mask) \
553 c = 0x9e3779b97f4a7c13LL; \
554 hash_mix64(a, b, c); \
557 #define CNAT_DB_UPDATE_IN2OUT_TIMER \
558 db->entry_expires = cnat_current_time; \
561 #define CNAT_DB_TIMEOUT_RST(db) \
562 if(PREDICT_TRUE(db->entry_expires != 0 )) \
563 db->entry_expires = cnat_current_time;
565 #define DEBUG_I2O_DROP(debug_flag) \
566 if (debug_i_flag & debug_flag) { \
567 cnat_db_debug_i2o_drop(&ki); \
571 cnat_main_db_entry_t *cnat_main_db_create (cnat_db_create_args_t *a);
572 void cnat_main_db_entry_delete(cnat_main_db_entry_t *ep);
574 void cnat_delete_main_db_entry(cnat_main_db_entry_t *ep);
575 void cnat_delete_main_db_entry_v2(cnat_main_db_entry_t *ep);
578 cnat_main_db_entry_t*
579 cnat_get_main_db_entry(cnat_db_key_bucket_t *ki,
580 port_pair_t port_type,
582 cnat_user_db_entry_t ** user_db_entry);
584 cnat_main_db_entry_t*
585 cnat_get_main_db_entry_v2(cnat_db_key_bucket_t *ki,
586 port_pair_t port_pair_type,
587 port_type_t port_type,
588 cnat_gen_icmp_info *info,
589 cnat_key_t *dest_info);
591 cnat_main_db_entry_t*
592 cnat_create_static_main_db_entry_v2(cnat_db_key_bucket_t *ki,
593 cnat_db_key_bucket_t *ko,
594 cnat_vrfmap_t *my_vrfmap,
595 cnat_gen_icmp_info *info);
597 cnat_main_db_entry_t*
598 cnat_create_main_db_entry_and_hash(cnat_db_key_bucket_t *ki,
599 cnat_db_key_bucket_t *ko,
600 cnat_user_db_entry_t *udb);
602 cnat_user_db_entry_t*
603 cnat_user_db_create_entry(cnat_db_key_bucket_t *uki,
606 cnat_user_db_entry_t*
607 cnat_user_db_lookup_entry(cnat_db_key_bucket_t *uki);
609 cnat_main_db_entry_t*
610 cnat_main_db_lookup_entry(cnat_db_key_bucket_t *ki);
612 cnat_main_db_entry_t*
613 cnat_main_db_lookup_entry_out2in (cnat_db_key_bucket_t *ko);
615 void cnat_main_db_entry_dump (cnat_main_db_entry_t *db);
616 void cnat_db_in2out_hash_delete (cnat_main_db_entry_t *ep, cnat_user_db_entry_t *up);
617 void cnat_db_out2in_hash_delete (cnat_main_db_entry_t *ep);
618 void cnat_user_db_delete (cnat_user_db_entry_t *up);
619 void cnat_db_debug_i2o_drop(cnat_db_key_bucket_t *ki);
622 * Function to dump the Hash Table that maps if_num to uidb_index
624 extern void cnat_if_num_hash_table_dump(void);
626 #define MAIN_DB_TYPE 0
627 #define SESSION_DB_TYPE 1
628 u16 query_and_update_db_timeout(void *db, u8 db_type);
630 u16 cnat_timeout_db_create (cnat_timeout_t t_entry);
631 void cnat_timeout_db_delete(cnat_key_t t_key);
633 cnat_session_entry_t *
634 cnat_create_session_db_entry(cnat_key_t *ko,
635 cnat_main_db_entry_t *bdb, u8 log);
637 void cnat_dest_update_main2session(cnat_main_db_entry_t *mdb,
638 cnat_session_entry_t *sdb);
640 cnat_session_entry_t *cnat_handle_1to2_session(
641 cnat_main_db_entry_t *mdb,
642 cnat_key_t *dest_info);
644 void cnat_add_dest_n_log(
645 cnat_main_db_entry_t *mdb,
646 cnat_key_t *dest_info);
648 cnat_session_entry_t *
649 cnat_session_db_lookup_entry(cnat_key_t *ko,u32 main_db_index);
651 cnat_session_entry_t *
652 cnat_session_db_edm_lookup_entry(cnat_key_t *ko,
653 u32 session_head_index,
659 u32 active_translations;
660 u32 num_dynamic_translations;
661 u32 num_static_translations;
662 u64 in2out_drops_port_limit_exceeded;
663 u64 in2out_drops_system_limit_reached;
664 u64 in2out_drops_resource_depletion;
665 u64 no_translation_entry_drops;
668 u64 drops_sessiondb_limit_exceeded;
669 } nat44_dslite_common_stats_t;
672 u32 translation_delete_count;
673 u32 translation_create_count;
674 u32 out2in_forwarding_count;
675 } nat44_dslite_global_stats_t;
678 u64 v4_to_v6_tcp_seq_mismatch_drop_count;
679 u64 v4_to_v6_tcp_seq_mismatch_count;
680 u64 v4_to_v6_out2in_session_create_count;
681 u64 v4_to_v6_end_point_filter_drop_count;
682 } nat44_counters_stats_t;
684 #define NAT44_STATS 0
685 #define DSLITE_STATS 1
686 extern nat44_dslite_common_stats_t nat44_dslite_common_stats[255]; /* 0 is for nat44 */
687 extern nat44_dslite_global_stats_t nat44_dslite_global_stats[2]; /* 0 for nat44 and 1 for dslite */
688 extern nat44_counters_stats_t nat44_counters_stats[CNAT_MAX_VRFMAP_ENTRIES];/*For displaying show cgn <cgn-name> inside-vrf <vrf-name> counters */
690 #define NAT44_COMMON_STATS nat44_dslite_common_stats[NAT44_RESERVED_INST_ID]
691 #define NAT44_GLOBAL_STATS nat44_dslite_global_stats[NAT44_STATS]
692 #define DSLITE_GLOBAL_STATS nat44_dslite_global_stats[DSLITE_STATS]
693 #define SESSION_LOG_ENABLE 1
694 #define ALG_ENABLED_DB(db) \
695 ((db->flags & CNAT_PCP_FLAG) || \
696 (db->flags & CNAT_DB_FLAG_ALG_CTRL_FLOW) || \
697 (db->flags & (CNAT_DB_FLAG_PPTP_TUNNEL_INIT | \
698 CNAT_DB_FLAG_PPTP_TUNNEL_ACTIVE)))
701 #endif /* __CNAT_DB_H__ */