2 * Copyright (c) 2020 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vnet/ip/ip.h>
17 #include <cnat/cnat_snat.h>
18 #include <cnat/cnat_translation.h>
20 cnat_snat_policy_main_t cnat_snat_policy_main;
23 cnat_set_snat_policy (cnat_snat_policy_t fp)
25 cnat_snat_policy_main.snat_policy = fp;
29 cnat_snat_policy_cmd (vlib_main_t *vm, unformat_input_t *input,
30 vlib_cli_command_t *cmd)
32 cnat_snat_policy_t fp = NULL;
34 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
36 if (unformat (input, "none"))
39 return clib_error_return (0, "unknown input '%U'",
40 format_unformat_error, input);
43 cnat_set_snat_policy (fp);
47 VLIB_CLI_COMMAND (cnat_snat_policy_command, static) = {
48 .path = "cnat set snat policy",
49 .short_help = "cnat set snat policy {none,k8s}",
50 .function = cnat_snat_policy_cmd,
54 show_cnat_snat_policy_cmd (vlib_main_t *vm, unformat_input_t *input,
55 vlib_cli_command_t *cmd)
57 u8 *s = format (NULL, "snat policy: ");
58 if (cnat_snat_policy_main.snat_policy == NULL)
59 s = format (s, "none");
61 s = format (s, "unknown (%x)", cnat_snat_policy_main.snat_policy);
63 vlib_cli_output (vm, (char *) s);
67 VLIB_CLI_COMMAND (show_cnat_snat_policy_command, static) = {
68 .path = "show cnat snat policy",
69 .short_help = "show cnat snat policy",
70 .function = show_cnat_snat_policy_cmd,
74 cnat_compute_prefix_lengths_in_search_order (cnat_snat_pfx_table_t *
75 table, ip_address_family_t af)
78 vec_reset_length (table->meta[af].prefix_lengths_in_search_order);
79 /* Note: bitmap reversed so this is in fact a longest prefix match */
80 clib_bitmap_foreach (i, table->meta[af].non_empty_dst_address_length_bitmap)
82 int dst_address_length = 128 - i;
83 vec_add1 (table->meta[af].prefix_lengths_in_search_order, dst_address_length);
88 cnat_add_snat_prefix (ip_prefix_t * pfx)
90 /* All packets destined to this prefix won't be source-NAT-ed */
91 cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
92 clib_bihash_kv_24_8_t kv;
94 u64 af = ip_prefix_version (pfx);;
96 mask = &table->ip_masks[pfx->len];
99 kv.key[0] = (u64) ip_prefix_v4 (pfx).as_u32 & mask->as_u64[0];
104 kv.key[0] = ip_prefix_v6 (pfx).as_u64[0] & mask->as_u64[0];
105 kv.key[1] = ip_prefix_v6 (pfx).as_u64[1] & mask->as_u64[1];
107 kv.key[2] = ((u64) af << 32) | pfx->len;
108 clib_bihash_add_del_24_8 (&table->ip_hash, &kv, 1 /* is_add */ );
110 table->meta[af].dst_address_length_refcounts[pfx->len]++;
111 table->meta[af].non_empty_dst_address_length_bitmap =
112 clib_bitmap_set (table->meta[af].non_empty_dst_address_length_bitmap,
114 cnat_compute_prefix_lengths_in_search_order (table, af);
119 cnat_del_snat_prefix (ip_prefix_t * pfx)
121 cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
122 clib_bihash_kv_24_8_t kv, val;
124 u64 af = ip_prefix_version (pfx);;
126 mask = &table->ip_masks[pfx->len];
129 kv.key[0] = (u64) ip_prefix_v4 (pfx).as_u32 & mask->as_u64[0];
134 kv.key[0] = ip_prefix_v6 (pfx).as_u64[0] & mask->as_u64[0];
135 kv.key[1] = ip_prefix_v6 (pfx).as_u64[1] & mask->as_u64[1];
137 kv.key[2] = ((u64) af << 32) | pfx->len;
139 if (clib_bihash_search_24_8 (&table->ip_hash, &kv, &val))
143 clib_bihash_add_del_24_8 (&table->ip_hash, &kv, 0 /* is_add */ );
144 /* refcount accounting */
145 ASSERT (table->meta[af].dst_address_length_refcounts[pfx->len] > 0);
146 if (--table->meta[af].dst_address_length_refcounts[pfx->len] == 0)
148 table->meta[af].non_empty_dst_address_length_bitmap =
149 clib_bitmap_set (table->meta[af].non_empty_dst_address_length_bitmap,
151 cnat_compute_prefix_lengths_in_search_order (table, af);
157 cnat_search_snat_prefix (ip46_address_t * addr, ip_address_family_t af)
159 /* Returns 0 if addr matches any of the listed prefixes */
160 cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
161 clib_bihash_kv_24_8_t kv, val;
163 n_p = vec_len (table->meta[af].prefix_lengths_in_search_order);
166 kv.key[0] = addr->ip4.as_u32;
171 kv.key[0] = addr->as_u64[0];
172 kv.key[1] = addr->as_u64[1];
176 * start search from a mask length same length or shorter.
177 * we don't want matches longer than the mask passed
182 int dst_address_length =
183 table->meta[af].prefix_lengths_in_search_order[i];
184 ip6_address_t *mask = &table->ip_masks[dst_address_length];
186 ASSERT (dst_address_length >= 0 && dst_address_length <= 128);
187 /* As lengths are decreasing, masks are increasingly specific. */
188 kv.key[0] &= mask->as_u64[0];
189 kv.key[1] &= mask->as_u64[1];
190 kv.key[2] = ((u64) af << 32) | dst_address_length;
191 rv = clib_bihash_search_inline_2_24_8 (&table->ip_hash, &kv, &val);
199 format_cnat_snat_prefix (u8 * s, va_list * args)
201 clib_bihash_kv_24_8_t *kv = va_arg (*args, clib_bihash_kv_24_8_t *);
202 CLIB_UNUSED (int verbose) = va_arg (*args, int);
203 u32 af = kv->key[2] >> 32;
204 u32 len = kv->key[2] & 0xffffffff;
206 s = format (s, "%U/%d", format_ip4_address, &kv->key[0], len);
208 s = format (s, "%U/%d", format_ip6_address, &kv->key[0], len);
213 cnat_set_snat (ip4_address_t * ip4, ip6_address_t * ip6, u32 sw_if_index)
217 cnat_translation_unwatch_addr (INDEX_INVALID, CNAT_RESOLV_ADDR_SNAT);
219 ip_address_set (&cnat_main.snat_ip4.ce_ip, ip4, AF_IP4);
220 ip_address_set (&cnat_main.snat_ip6.ce_ip, ip6, AF_IP6);
221 cnat_main.snat_ip4.ce_sw_if_index = sw_if_index;
222 cnat_main.snat_ip6.ce_sw_if_index = sw_if_index;
224 cnat_resolve_ep (&cnat_main.snat_ip4);
225 cnat_resolve_ep (&cnat_main.snat_ip6);
226 cnat_translation_watch_addr (INDEX_INVALID, 0, &cnat_main.snat_ip4,
227 CNAT_RESOLV_ADDR_SNAT);
228 cnat_translation_watch_addr (INDEX_INVALID, 0, &cnat_main.snat_ip6,
229 CNAT_RESOLV_ADDR_SNAT);
232 static clib_error_t *
233 cnat_set_snat_cli (vlib_main_t * vm,
234 unformat_input_t * input, vlib_cli_command_t * cmd)
236 unformat_input_t _line_input, *line_input = &_line_input;
237 vnet_main_t *vnm = vnet_get_main ();
238 ip4_address_t ip4 = { {0} };
239 ip6_address_t ip6 = { {0} };
241 u32 sw_if_index = INDEX_INVALID;
245 /* Get a line of input. */
246 if (!unformat_user (input, unformat_line_input, line_input))
249 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
251 if (unformat_user (line_input, unformat_ip4_address, &ip4))
253 else if (unformat_user (line_input, unformat_ip6_address, &ip6))
255 else if (unformat_user (line_input, unformat_vnet_sw_interface,
260 e = clib_error_return (0, "unknown input '%U'",
261 format_unformat_error, input);
266 cnat_set_snat (&ip4, &ip6, sw_if_index);
269 unformat_free (line_input);
274 VLIB_CLI_COMMAND (cnat_set_snat_command, static) =
276 .path = "cnat snat with",
277 .short_help = "cnat snat with [<ip4-address>][<ip6-address>][sw_if_index]",
278 .function = cnat_set_snat_cli,
281 static clib_error_t *
282 cnat_snat_exclude (vlib_main_t * vm,
283 unformat_input_t * input, vlib_cli_command_t * cmd)
289 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
291 if (unformat (input, "%U", unformat_ip_prefix, &pfx))
293 else if (unformat (input, "del"))
296 return (clib_error_return (0, "unknown input '%U'",
297 format_unformat_error, input));
301 rv = cnat_add_snat_prefix (&pfx);
303 rv = cnat_del_snat_prefix (&pfx);
307 return (clib_error_return (0, "error %d", rv, input));
313 VLIB_CLI_COMMAND (cnat_snat_exclude_command, static) =
315 .path = "cnat snat exclude",
316 .short_help = "cnat snat exclude [ip]",
317 .function = cnat_snat_exclude,
320 static clib_error_t *
321 cnat_show_snat (vlib_main_t * vm,
322 unformat_input_t * input, vlib_cli_command_t * cmd)
324 cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
325 vlib_cli_output (vm, "Source NAT\nip4: %U\nip6: %U\n",
326 format_cnat_endpoint, &cnat_main.snat_ip4,
327 format_cnat_endpoint, &cnat_main.snat_ip6);
328 vlib_cli_output (vm, "Prefixes:\n%U\n",
329 format_bihash_24_8, &table->ip_hash, 1);
333 VLIB_CLI_COMMAND (cnat_show_snat_command, static) =
335 .path = "show cnat snat",
336 .short_help = "show cnat snat",
337 .function = cnat_show_snat,
340 static clib_error_t *
341 cnat_snat_init (vlib_main_t * vm)
343 cnat_main_t *cm = &cnat_main;
344 cnat_snat_pfx_table_t *table = &cm->snat_pfx_table;
346 for (i = 0; i < ARRAY_LEN (table->ip_masks); i++)
353 for (j = 0; j < i0; j++)
354 table->ip_masks[i].as_u32[j] = ~0;
357 table->ip_masks[i].as_u32[i0] =
358 clib_host_to_net_u32 (pow2_mask (i1) << (32 - i1));
360 clib_bihash_init_24_8 (&table->ip_hash, "snat prefixes",
361 cm->snat_hash_buckets, cm->snat_hash_memory);
362 clib_bihash_set_kvp_format_fn_24_8 (&table->ip_hash,
363 format_cnat_snat_prefix);
368 VLIB_INIT_FUNCTION (cnat_snat_init);
372 * fd.io coding-style-patch-verification: ON
375 * eval: (c-set-style "gnu")