2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_dpo.h>
24 #include <nat/nat_ipfix_logging.h>
25 #include <nat/nat_det.h>
26 #include <nat/nat64.h>
27 #include <nat/nat66.h>
28 #include <nat/dslite.h>
29 #include <nat/nat_reass.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat_affinity.h>
32 #include <vnet/fib/fib_table.h>
33 #include <vnet/fib/ip4_fib.h>
35 #include <vpp/app/version.h>
37 snat_main_t snat_main;
41 /* Hook up input features */
42 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
43 .arc_name = "ip4-unicast",
44 .node_name = "nat44-in2out",
45 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
47 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
48 .arc_name = "ip4-unicast",
49 .node_name = "nat44-out2in",
50 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
51 "ip4-dhcp-client-detect"),
53 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
54 .arc_name = "ip4-unicast",
55 .node_name = "nat44-classify",
56 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
58 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
59 .arc_name = "ip4-unicast",
60 .node_name = "nat44-det-in2out",
61 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
63 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
64 .arc_name = "ip4-unicast",
65 .node_name = "nat44-det-out2in",
66 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
67 "ip4-dhcp-client-detect"),
69 VNET_FEATURE_INIT (ip4_nat_det_classify, static) = {
70 .arc_name = "ip4-unicast",
71 .node_name = "nat44-det-classify",
72 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
74 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
75 .arc_name = "ip4-unicast",
76 .node_name = "nat44-ed-in2out",
77 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
79 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
80 .arc_name = "ip4-unicast",
81 .node_name = "nat44-ed-out2in",
82 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
83 "ip4-dhcp-client-detect"),
85 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
86 .arc_name = "ip4-unicast",
87 .node_name = "nat44-ed-classify",
88 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
90 VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = {
91 .arc_name = "ip4-unicast",
92 .node_name = "nat44-in2out-worker-handoff",
93 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
95 VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = {
96 .arc_name = "ip4-unicast",
97 .node_name = "nat44-out2in-worker-handoff",
98 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
99 "ip4-dhcp-client-detect"),
101 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
102 .arc_name = "ip4-unicast",
103 .node_name = "nat44-handoff-classify",
104 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
106 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
107 .arc_name = "ip4-unicast",
108 .node_name = "nat44-in2out-fast",
109 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
111 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
112 .arc_name = "ip4-unicast",
113 .node_name = "nat44-out2in-fast",
114 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
115 "ip4-dhcp-client-detect"),
117 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
118 .arc_name = "ip4-unicast",
119 .node_name = "nat44-hairpin-dst",
120 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
122 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = {
123 .arc_name = "ip4-unicast",
124 .node_name = "nat44-ed-hairpin-dst",
125 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
128 /* Hook up output features */
129 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
130 .arc_name = "ip4-output",
131 .node_name = "nat44-in2out-output",
132 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
134 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
135 .arc_name = "ip4-output",
136 .node_name = "nat44-in2out-output-worker-handoff",
137 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
139 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
140 .arc_name = "ip4-output",
141 .node_name = "nat44-hairpin-src",
142 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
144 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
145 .arc_name = "ip4-output",
146 .node_name = "nat44-ed-in2out-output",
147 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
149 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = {
150 .arc_name = "ip4-output",
151 .node_name = "nat44-ed-hairpin-src",
152 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
155 /* Hook up ip4-local features */
156 VNET_FEATURE_INIT (ip4_nat_hairpinning, static) =
158 .arc_name = "ip4-local",
159 .node_name = "nat44-hairpinning",
160 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
162 VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) =
164 .arc_name = "ip4-local",
165 .node_name = "nat44-ed-hairpinning",
166 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
170 VLIB_PLUGIN_REGISTER () = {
171 .version = VPP_BUILD_VER,
172 .description = "Network Address Translation",
177 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index)
179 snat_session_key_t key;
180 clib_bihash_kv_8_8_t kv;
181 nat_ed_ses_key_t ed_key;
182 clib_bihash_kv_16_8_t ed_kv;
183 snat_main_per_thread_data_t *tsm =
184 vec_elt_at_index (sm->per_thread_data, thread_index);
186 if (is_fwd_bypass_session (s))
188 ed_key.l_addr = s->in2out.addr;
189 ed_key.r_addr = s->ext_host_addr;
190 ed_key.l_port = s->in2out.port;
191 ed_key.r_port = s->ext_host_port;
192 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
193 ed_key.fib_index = 0;
194 ed_kv.key[0] = ed_key.as_u64[0];
195 ed_kv.key[1] = ed_key.as_u64[1];
196 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
197 nat_log_warn ("in2out_ed key del failed");
201 /* session lookup tables */
202 if (is_ed_session (s))
204 if (is_affinity_sessions (s))
205 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
206 s->in2out.protocol, s->out2in.port);
207 ed_key.l_addr = s->out2in.addr;
208 ed_key.r_addr = s->ext_host_addr;
209 ed_key.fib_index = s->out2in.fib_index;
210 if (snat_is_unk_proto_session (s))
212 ed_key.proto = s->in2out.port;
218 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
219 ed_key.l_port = s->out2in.port;
220 ed_key.r_port = s->ext_host_port;
222 ed_kv.key[0] = ed_key.as_u64[0];
223 ed_kv.key[1] = ed_key.as_u64[1];
224 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0))
225 nat_log_warn ("out2in_ed key del failed");
226 ed_key.l_addr = s->in2out.addr;
227 ed_key.fib_index = s->in2out.fib_index;
228 if (!snat_is_unk_proto_session (s))
229 ed_key.l_port = s->in2out.port;
230 if (is_twice_nat_session (s))
232 ed_key.r_addr = s->ext_host_nat_addr;
233 ed_key.r_port = s->ext_host_nat_port;
235 ed_kv.key[0] = ed_key.as_u64[0];
236 ed_kv.key[1] = ed_key.as_u64[1];
237 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
238 nat_log_warn ("in2out_ed key del failed");
242 kv.key = s->in2out.as_u64;
243 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0))
244 nat_log_warn ("in2out key del failed");
245 kv.key = s->out2in.as_u64;
246 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0))
247 nat_log_warn ("out2in key del failed");
250 if (snat_is_unk_proto_session (s))
254 snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32,
255 s->out2in.addr.as_u32,
258 s->out2in.port, s->in2out.fib_index);
260 /* Twice NAT address and port for external host */
261 if (is_twice_nat_session (s))
263 key.protocol = s->in2out.protocol;
264 key.port = s->ext_host_nat_port;
265 key.addr.as_u32 = s->ext_host_nat_addr.as_u32;
266 snat_free_outside_address_and_port (sm->twice_nat_addresses,
270 if (snat_is_session_static (s))
273 snat_free_outside_address_and_port (sm->addresses, thread_index,
278 nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, u32 fib_index,
282 snat_user_key_t user_key;
283 clib_bihash_kv_8_8_t kv, value;
284 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
285 dlist_elt_t *per_user_list_head_elt;
287 user_key.addr.as_u32 = addr->as_u32;
288 user_key.fib_index = fib_index;
289 kv.key = user_key.as_u64;
291 /* Ever heard of the "user" = src ip4 address before? */
292 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
294 /* no, make a new one */
295 pool_get (tsm->users, u);
296 memset (u, 0, sizeof (*u));
297 u->addr.as_u32 = addr->as_u32;
298 u->fib_index = fib_index;
300 pool_get (tsm->list_pool, per_user_list_head_elt);
302 u->sessions_per_user_list_head_index = per_user_list_head_elt -
305 clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index);
307 kv.value = u - tsm->users;
310 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
311 nat_log_warn ("user_hash keay add failed");
315 u = pool_elt_at_index (tsm->users, value.value);
322 nat_session_alloc_or_recycle (snat_main_t * sm, snat_user_t * u,
326 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
327 u32 oldest_per_user_translation_list_index, session_index;
328 dlist_elt_t *oldest_per_user_translation_list_elt;
329 dlist_elt_t *per_user_translation_list_elt;
331 /* Over quota? Recycle the least recently used translation */
332 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
334 oldest_per_user_translation_list_index =
335 clib_dlist_remove_head (tsm->list_pool,
336 u->sessions_per_user_list_head_index);
338 ASSERT (oldest_per_user_translation_list_index != ~0);
340 /* Add it back to the end of the LRU list */
341 clib_dlist_addtail (tsm->list_pool,
342 u->sessions_per_user_list_head_index,
343 oldest_per_user_translation_list_index);
344 /* Get the list element */
345 oldest_per_user_translation_list_elt =
346 pool_elt_at_index (tsm->list_pool,
347 oldest_per_user_translation_list_index);
349 /* Get the session index from the list element */
350 session_index = oldest_per_user_translation_list_elt->value;
352 /* Get the session */
353 s = pool_elt_at_index (tsm->sessions, session_index);
354 nat_free_session_data (sm, s, thread_index);
355 if (snat_is_session_static (s))
356 u->nstaticsessions--;
363 s->ext_host_addr.as_u32 = 0;
364 s->ext_host_port = 0;
365 s->ext_host_nat_addr.as_u32 = 0;
366 s->ext_host_nat_port = 0;
370 pool_get (tsm->sessions, s);
371 memset (s, 0, sizeof (*s));
373 /* Create list elts */
374 pool_get (tsm->list_pool, per_user_translation_list_elt);
375 clib_dlist_init (tsm->list_pool,
376 per_user_translation_list_elt - tsm->list_pool);
378 per_user_translation_list_elt->value = s - tsm->sessions;
379 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
380 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
382 clib_dlist_addtail (tsm->list_pool,
383 s->per_user_list_head_index,
384 per_user_translation_list_elt - tsm->list_pool);
391 nat_ed_session_alloc (snat_main_t * sm, snat_user_t * u, u32 thread_index,
395 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
396 dlist_elt_t *per_user_translation_list_elt, *oldest_elt;
398 u64 sess_timeout_time;
400 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
403 clib_dlist_remove_head (tsm->list_pool,
404 u->sessions_per_user_list_head_index);
405 oldest_elt = pool_elt_at_index (tsm->list_pool, oldest_index);
406 s = pool_elt_at_index (tsm->sessions, oldest_elt->value);
408 s->last_heard + (f64) nat44_session_get_timeout (sm, s);
409 if (now >= sess_timeout_time)
411 clib_dlist_addtail (tsm->list_pool,
412 u->sessions_per_user_list_head_index,
414 nat_free_session_data (sm, s, thread_index);
415 if (snat_is_session_static (s))
416 u->nstaticsessions--;
423 s->ext_host_addr.as_u32 = 0;
424 s->ext_host_port = 0;
425 s->ext_host_nat_addr.as_u32 = 0;
426 s->ext_host_nat_port = 0;
430 clib_dlist_addhead (tsm->list_pool,
431 u->sessions_per_user_list_head_index,
433 nat_log_warn ("max translations per user %U", format_ip4_address,
435 snat_ipfix_logging_max_entries_per_user
436 (sm->max_translations_per_user, u->addr.as_u32);
442 pool_get (tsm->sessions, s);
443 memset (s, 0, sizeof (*s));
445 /* Create list elts */
446 pool_get (tsm->list_pool, per_user_translation_list_elt);
447 clib_dlist_init (tsm->list_pool,
448 per_user_translation_list_elt - tsm->list_pool);
450 per_user_translation_list_elt->value = s - tsm->sessions;
451 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
452 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
454 clib_dlist_addtail (tsm->list_pool,
455 s->per_user_list_head_index,
456 per_user_translation_list_elt - tsm->list_pool);
462 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
465 fib_prefix_t prefix = {
467 .fp_proto = FIB_PROTOCOL_IP4,
469 .ip4.as_u32 = addr->as_u32,
472 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
475 fib_table_entry_update_one_path (fib_index,
477 FIB_SOURCE_PLUGIN_LOW,
478 (FIB_ENTRY_FLAG_CONNECTED |
479 FIB_ENTRY_FLAG_LOCAL |
480 FIB_ENTRY_FLAG_EXCLUSIVE),
484 ~0, 1, NULL, FIB_ROUTE_PATH_FLAG_NONE);
486 fib_table_entry_delete (fib_index, &prefix, FIB_SOURCE_PLUGIN_LOW);
490 snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id,
495 vlib_thread_main_t *tm = vlib_get_thread_main ();
497 if (twice_nat && !sm->endpoint_dependent)
498 return VNET_API_ERROR_FEATURE_DISABLED;
500 /* Check if address already exists */
502 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
504 if (ap->addr.as_u32 == addr->as_u32)
505 return VNET_API_ERROR_VALUE_EXIST;
510 vec_add2 (sm->twice_nat_addresses, ap, 1);
512 vec_add2 (sm->addresses, ap, 1);
517 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
518 FIB_SOURCE_PLUGIN_LOW);
521 #define _(N, i, n, s) \
522 clib_bitmap_alloc (ap->busy_##n##_port_bitmap, 65535); \
523 ap->busy_##n##_ports = 0; \
524 ap->busy_##n##_ports_per_thread = 0;\
525 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
526 foreach_snat_protocol
531 /* Add external address to FIB */
533 pool_foreach (i, sm->interfaces,
535 if (nat_interface_is_inside(i) || sm->out2in_dpo)
538 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
541 pool_foreach (i, sm->output_feature_interfaces,
543 if (nat_interface_is_inside(i) || sm->out2in_dpo)
546 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
555 is_snat_address_used_in_static_mapping (snat_main_t * sm, ip4_address_t addr)
557 snat_static_mapping_t *m;
559 pool_foreach (m, sm->static_mappings,
561 if (m->external_addr.as_u32 == addr.as_u32)
570 increment_v4_address (ip4_address_t * a)
574 v = clib_net_to_host_u32 (a->as_u32) + 1;
575 a->as_u32 = clib_host_to_net_u32 (v);
579 snat_add_static_mapping_when_resolved (snat_main_t * sm,
580 ip4_address_t l_addr,
585 snat_protocol_t proto,
586 int addr_only, int is_add, u8 * tag,
587 int twice_nat, int out2in_only,
590 snat_static_map_resolve_t *rp;
592 vec_add2 (sm->to_resolve, rp, 1);
593 rp->l_addr.as_u32 = l_addr.as_u32;
595 rp->sw_if_index = sw_if_index;
599 rp->addr_only = addr_only;
601 rp->twice_nat = twice_nat;
602 rp->out2in_only = out2in_only;
603 rp->identity_nat = identity_nat;
604 rp->tag = vec_dup (tag);
608 get_thread_idx_by_port (u16 e_port)
610 snat_main_t *sm = &snat_main;
611 u32 thread_idx = sm->num_workers;
612 if (sm->num_workers > 1)
615 sm->first_worker_index +
616 sm->workers[(e_port - 1024) / sm->port_per_thread];
622 snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
623 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
624 u32 sw_if_index, snat_protocol_t proto, int is_add,
625 twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag,
628 snat_main_t *sm = &snat_main;
629 snat_static_mapping_t *m;
630 snat_session_key_t m_key;
631 clib_bihash_kv_8_8_t kv, value;
632 snat_address_t *a = 0;
635 snat_interface_t *interface;
637 snat_main_per_thread_data_t *tsm;
638 snat_user_key_t u_key;
640 dlist_elt_t *head, *elt;
641 u32 elt_index, head_index;
645 snat_static_map_resolve_t *rp, *rp_match = 0;
647 if (!sm->endpoint_dependent)
649 if (twice_nat || out2in_only)
650 return VNET_API_ERROR_FEATURE_DISABLED;
653 /* If the external address is a specific interface address */
654 if (sw_if_index != ~0)
656 ip4_address_t *first_int_addr;
658 for (i = 0; i < vec_len (sm->to_resolve); i++)
660 rp = sm->to_resolve + i;
661 if (rp->sw_if_index != sw_if_index ||
662 rp->l_addr.as_u32 != l_addr.as_u32 ||
663 rp->vrf_id != vrf_id || rp->addr_only != addr_only)
668 if (rp->l_port != l_port || rp->e_port != e_port
669 || rp->proto != proto)
677 /* Might be already set... */
678 first_int_addr = ip4_interface_first_address
679 (sm->ip4_main, sw_if_index, 0 /* just want the address */ );
684 return VNET_API_ERROR_VALUE_EXIST;
686 snat_add_static_mapping_when_resolved
687 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
688 addr_only, is_add, tag, twice_nat, out2in_only, identity_nat);
690 /* DHCP resolution required? */
691 if (first_int_addr == 0)
697 e_addr.as_u32 = first_int_addr->as_u32;
698 /* Identity mapping? */
699 if (l_addr.as_u32 == 0)
700 l_addr.as_u32 = e_addr.as_u32;
706 return VNET_API_ERROR_NO_SUCH_ENTRY;
708 vec_del1 (sm->to_resolve, i);
712 e_addr.as_u32 = first_int_addr->as_u32;
713 /* Identity mapping? */
714 if (l_addr.as_u32 == 0)
715 l_addr.as_u32 = e_addr.as_u32;
723 m_key.port = addr_only ? 0 : e_port;
724 m_key.protocol = addr_only ? 0 : proto;
726 kv.key = m_key.as_u64;
727 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
730 m = pool_elt_at_index (sm->static_mappings, value.value);
735 return VNET_API_ERROR_VALUE_EXIST;
737 if (twice_nat && addr_only)
738 return VNET_API_ERROR_UNSUPPORTED;
740 /* Convert VRF id to FIB index */
743 p = hash_get (sm->ip4_main->fib_index_by_table_id, vrf_id);
745 return VNET_API_ERROR_NO_SUCH_FIB;
748 /* If not specified use inside VRF id from SNAT plugin startup config */
751 fib_index = sm->inside_fib_index;
752 vrf_id = sm->inside_vrf_id;
758 m_key.port = addr_only ? 0 : l_port;
759 m_key.protocol = addr_only ? 0 : proto;
760 m_key.fib_index = fib_index;
761 kv.key = m_key.as_u64;
762 if (!clib_bihash_search_8_8
763 (&sm->static_mapping_by_local, &kv, &value))
764 return VNET_API_ERROR_VALUE_EXIST;
767 /* Find external address in allocated addresses and reserve port for
768 address and port pair mapping when dynamic translations enabled */
769 if (!(addr_only || sm->static_mapping_only || out2in_only))
771 for (i = 0; i < vec_len (sm->addresses); i++)
773 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
775 a = sm->addresses + i;
776 /* External port must be unused */
779 #define _(N, j, n, s) \
780 case SNAT_PROTOCOL_##N: \
781 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
782 return VNET_API_ERROR_INVALID_VALUE; \
783 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
786 a->busy_##n##_ports++; \
787 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
790 foreach_snat_protocol
793 nat_log_info ("unknown protocol");
794 return VNET_API_ERROR_INVALID_VALUE_2;
799 /* External address must be allocated */
800 if (!a && (l_addr.as_u32 != e_addr.as_u32))
802 if (sw_if_index != ~0)
804 for (i = 0; i < vec_len (sm->to_resolve); i++)
806 rp = sm->to_resolve + i;
809 if (rp->sw_if_index != sw_if_index &&
810 rp->l_addr.as_u32 != l_addr.as_u32 &&
811 rp->vrf_id != vrf_id && rp->l_port != l_port &&
812 rp->e_port != e_port && rp->proto != proto)
815 vec_del1 (sm->to_resolve, i);
819 return VNET_API_ERROR_NO_SUCH_ENTRY;
823 pool_get (sm->static_mappings, m);
824 memset (m, 0, sizeof (*m));
825 m->tag = vec_dup (tag);
826 m->local_addr = l_addr;
827 m->external_addr = e_addr;
829 m->fib_index = fib_index;
830 m->twice_nat = twice_nat;
832 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
834 m->flags |= NAT_STATIC_MAPPING_FLAG_ADDR_ONLY;
836 m->flags |= NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT;
839 m->local_port = l_port;
840 m->external_port = e_port;
844 if (sm->num_workers > 1)
847 .src_address = m->local_addr,
849 vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index));
850 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
853 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
855 m_key.addr = m->local_addr;
856 m_key.port = m->local_port;
857 m_key.protocol = m->proto;
858 m_key.fib_index = m->fib_index;
859 kv.key = m_key.as_u64;
860 kv.value = m - sm->static_mappings;
862 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
864 m_key.addr = m->external_addr;
865 m_key.port = m->external_port;
867 kv.key = m_key.as_u64;
868 kv.value = m - sm->static_mappings;
869 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1);
871 /* Delete dynamic sessions matching local address (+ local port) */
872 if (!(sm->static_mapping_only))
874 u_key.addr = m->local_addr;
875 u_key.fib_index = m->fib_index;
876 kv.key = u_key.as_u64;
877 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
879 user_index = value.value;
880 u = pool_elt_at_index (tsm->users, user_index);
883 head_index = u->sessions_per_user_list_head_index;
884 head = pool_elt_at_index (tsm->list_pool, head_index);
885 elt_index = head->next;
886 elt = pool_elt_at_index (tsm->list_pool, elt_index);
887 ses_index = elt->value;
888 while (ses_index != ~0)
890 s = pool_elt_at_index (tsm->sessions, ses_index);
891 elt = pool_elt_at_index (tsm->list_pool, elt->next);
892 ses_index = elt->value;
894 if (snat_is_session_static (s))
898 && (clib_net_to_host_u16 (s->in2out.port) !=
902 nat_free_session_data (sm, s,
903 tsm - sm->per_thread_data);
904 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
906 if (!addr_only && !sm->endpoint_dependent)
917 if (sw_if_index != ~0)
920 return VNET_API_ERROR_NO_SUCH_ENTRY;
923 /* Free external address port */
924 if (!(addr_only || sm->static_mapping_only || out2in_only))
926 for (i = 0; i < vec_len (sm->addresses); i++)
928 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
930 a = sm->addresses + i;
933 #define _(N, j, n, s) \
934 case SNAT_PROTOCOL_##N: \
935 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
938 a->busy_##n##_ports--; \
939 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
942 foreach_snat_protocol
945 nat_log_info ("unknown protocol");
946 return VNET_API_ERROR_INVALID_VALUE_2;
953 if (sm->num_workers > 1)
954 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
956 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
958 m_key.addr = m->local_addr;
959 m_key.port = m->local_port;
960 m_key.protocol = m->proto;
961 m_key.fib_index = m->fib_index;
962 kv.key = m_key.as_u64;
964 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0);
966 m_key.addr = m->external_addr;
967 m_key.port = m->external_port;
969 kv.key = m_key.as_u64;
970 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0);
972 /* Delete session(s) for static mapping if exist */
973 if (!(sm->static_mapping_only) ||
974 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
976 u_key.addr = m->local_addr;
977 u_key.fib_index = m->fib_index;
978 kv.key = u_key.as_u64;
979 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
981 user_index = value.value;
982 u = pool_elt_at_index (tsm->users, user_index);
983 if (u->nstaticsessions)
985 head_index = u->sessions_per_user_list_head_index;
986 head = pool_elt_at_index (tsm->list_pool, head_index);
987 elt_index = head->next;
988 elt = pool_elt_at_index (tsm->list_pool, elt_index);
989 ses_index = elt->value;
990 while (ses_index != ~0)
992 s = pool_elt_at_index (tsm->sessions, ses_index);
993 elt = pool_elt_at_index (tsm->list_pool, elt->next);
994 ses_index = elt->value;
998 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
999 (clib_net_to_host_u16 (s->out2in.port) !=
1004 if (is_lb_session (s))
1007 if (!snat_is_session_static (s))
1010 nat_free_session_data (sm, s,
1011 tsm - sm->per_thread_data);
1012 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1014 if (!addr_only && !sm->endpoint_dependent)
1022 vec_free (m->workers);
1023 /* Delete static mapping from pool */
1024 pool_put (sm->static_mappings, m);
1027 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
1030 /* Add/delete external address to FIB */
1032 pool_foreach (interface, sm->interfaces,
1034 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1037 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1040 pool_foreach (interface, sm->output_feature_interfaces,
1042 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1045 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1054 nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1055 snat_protocol_t proto,
1056 nat44_lb_addr_port_t * locals, u8 is_add,
1057 twice_nat_type_t twice_nat, u8 out2in_only,
1058 u8 * tag, u32 affinity)
1060 snat_main_t *sm = &snat_main;
1061 snat_static_mapping_t *m;
1062 snat_session_key_t m_key;
1063 clib_bihash_kv_8_8_t kv, value;
1064 snat_address_t *a = 0;
1066 nat44_lb_addr_port_t *local;
1067 u32 elt_index, head_index, ses_index;
1068 snat_main_per_thread_data_t *tsm;
1069 snat_user_key_t u_key;
1072 dlist_elt_t *head, *elt;
1075 if (!sm->endpoint_dependent)
1076 return VNET_API_ERROR_FEATURE_DISABLED;
1078 m_key.addr = e_addr;
1079 m_key.port = e_port;
1080 m_key.protocol = proto;
1081 m_key.fib_index = 0;
1082 kv.key = m_key.as_u64;
1083 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1086 m = pool_elt_at_index (sm->static_mappings, value.value);
1091 return VNET_API_ERROR_VALUE_EXIST;
1093 if (vec_len (locals) < 2)
1094 return VNET_API_ERROR_INVALID_VALUE;
1096 /* Find external address in allocated addresses and reserve port for
1097 address and port pair mapping when dynamic translations enabled */
1098 if (!(sm->static_mapping_only || out2in_only))
1100 for (i = 0; i < vec_len (sm->addresses); i++)
1102 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1104 a = sm->addresses + i;
1105 /* External port must be unused */
1108 #define _(N, j, n, s) \
1109 case SNAT_PROTOCOL_##N: \
1110 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
1111 return VNET_API_ERROR_INVALID_VALUE; \
1112 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
1113 if (e_port > 1024) \
1115 a->busy_##n##_ports++; \
1116 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1119 foreach_snat_protocol
1122 nat_log_info ("unknown protocol");
1123 return VNET_API_ERROR_INVALID_VALUE_2;
1128 /* External address must be allocated */
1130 return VNET_API_ERROR_NO_SUCH_ENTRY;
1133 pool_get (sm->static_mappings, m);
1134 memset (m, 0, sizeof (*m));
1135 m->tag = vec_dup (tag);
1136 m->external_addr = e_addr;
1137 m->external_port = e_port;
1139 m->twice_nat = twice_nat;
1141 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1142 m->affinity = affinity;
1145 m->affinity_per_service_list_head_index =
1146 nat_affinity_get_per_service_list_head_index ();
1148 m->affinity_per_service_list_head_index = ~0;
1150 m_key.addr = m->external_addr;
1151 m_key.port = m->external_port;
1152 m_key.protocol = m->proto;
1153 m_key.fib_index = 0;
1154 kv.key = m_key.as_u64;
1155 kv.value = m - sm->static_mappings;
1156 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1))
1158 nat_log_err ("static_mapping_by_external key add failed");
1159 return VNET_API_ERROR_UNSPECIFIED;
1162 m_key.fib_index = m->fib_index;
1163 for (i = 0; i < vec_len (locals); i++)
1165 locals[i].fib_index =
1166 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1168 FIB_SOURCE_PLUGIN_LOW);
1169 m_key.addr = locals[i].addr;
1170 m_key.fib_index = locals[i].fib_index;
1173 m_key.port = locals[i].port;
1174 kv.key = m_key.as_u64;
1175 kv.value = m - sm->static_mappings;
1176 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1178 locals[i].prefix = (i == 0) ? locals[i].probability :
1179 (locals[i - 1].prefix + locals[i].probability);
1180 vec_add1 (m->locals, locals[i]);
1181 if (sm->num_workers > 1)
1184 .src_address = locals[i].addr,
1187 clib_bitmap_set (bitmap,
1188 sm->worker_in2out_cb (&ip, m->fib_index), 1);
1192 /* Assign workers */
1193 if (sm->num_workers > 1)
1196 clib_bitmap_foreach (i, bitmap,
1198 vec_add1(m->workers, i);
1206 return VNET_API_ERROR_NO_SUCH_ENTRY;
1208 /* Free external address port */
1209 if (!(sm->static_mapping_only || out2in_only))
1211 for (i = 0; i < vec_len (sm->addresses); i++)
1213 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1215 a = sm->addresses + i;
1218 #define _(N, j, n, s) \
1219 case SNAT_PROTOCOL_##N: \
1220 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
1221 if (e_port > 1024) \
1223 a->busy_##n##_ports--; \
1224 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1227 foreach_snat_protocol
1230 nat_log_info ("unknown protocol");
1231 return VNET_API_ERROR_INVALID_VALUE_2;
1238 m_key.addr = m->external_addr;
1239 m_key.port = m->external_port;
1240 m_key.protocol = m->proto;
1241 m_key.fib_index = 0;
1242 kv.key = m_key.as_u64;
1243 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0))
1245 nat_log_err ("static_mapping_by_external key del failed");
1246 return VNET_API_ERROR_UNSPECIFIED;
1250 vec_foreach (local, m->locals)
1252 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4,
1253 FIB_SOURCE_PLUGIN_LOW);
1254 m_key.addr = local->addr;
1257 m_key.port = local->port;
1258 m_key.fib_index = local->fib_index;
1259 kv.key = m_key.as_u64;
1260 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
1262 nat_log_err ("static_mapping_by_local key del failed");
1263 return VNET_API_ERROR_UNSPECIFIED;
1267 if (sm->num_workers > 1)
1270 .src_address = local->addr,
1272 tsm = vec_elt_at_index (sm->per_thread_data,
1273 sm->worker_in2out_cb (&ip, m->fib_index));
1276 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1278 /* Delete sessions */
1279 u_key.addr = local->addr;
1280 u_key.fib_index = m->fib_index;
1281 kv.key = u_key.as_u64;
1282 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1284 u = pool_elt_at_index (tsm->users, value.value);
1285 if (u->nstaticsessions)
1287 head_index = u->sessions_per_user_list_head_index;
1288 head = pool_elt_at_index (tsm->list_pool, head_index);
1289 elt_index = head->next;
1290 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1291 ses_index = elt->value;
1292 while (ses_index != ~0)
1294 s = pool_elt_at_index (tsm->sessions, ses_index);
1295 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1296 ses_index = elt->value;
1298 if (!(is_lb_session (s)))
1301 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1302 (clib_net_to_host_u16 (s->in2out.port) != local->port))
1305 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
1306 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1313 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1314 vec_free (m->locals);
1316 vec_free (m->workers);
1318 pool_put (sm->static_mappings, m);
1325 snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
1328 snat_address_t *a = 0;
1329 snat_session_t *ses;
1330 u32 *ses_to_be_removed = 0, *ses_index;
1331 snat_main_per_thread_data_t *tsm;
1332 snat_static_mapping_t *m;
1333 snat_interface_t *interface;
1335 snat_address_t *addresses =
1336 twice_nat ? sm->twice_nat_addresses : sm->addresses;
1338 /* Find SNAT address */
1339 for (i = 0; i < vec_len (addresses); i++)
1341 if (addresses[i].addr.as_u32 == addr.as_u32)
1348 return VNET_API_ERROR_NO_SUCH_ENTRY;
1353 pool_foreach (m, sm->static_mappings,
1355 if (m->external_addr.as_u32 == addr.as_u32)
1356 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1357 m->local_port, m->external_port,
1358 m->vrf_id, is_addr_only_static_mapping(m), ~0,
1359 m->proto, 0, m->twice_nat,
1360 is_out2in_only_static_mapping(m), m->tag, is_identity_static_mapping(m));
1366 /* Check if address is used in some static mapping */
1367 if (is_snat_address_used_in_static_mapping (sm, addr))
1369 nat_log_notice ("address used in static mapping");
1370 return VNET_API_ERROR_UNSPECIFIED;
1374 if (a->fib_index != ~0)
1375 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_LOW);
1377 /* Delete sessions using address */
1378 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1381 vec_foreach (tsm, sm->per_thread_data)
1383 pool_foreach (ses, tsm->sessions, ({
1384 if (ses->out2in.addr.as_u32 == addr.as_u32)
1386 nat_free_session_data (sm, ses, tsm - sm->per_thread_data);
1387 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1391 vec_foreach (ses_index, ses_to_be_removed)
1393 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1394 nat44_delete_session (sm, ses, tsm - sm->per_thread_data);
1397 vec_free (ses_to_be_removed);
1402 #define _(N, i, n, s) \
1403 clib_bitmap_free (a->busy_##n##_port_bitmap); \
1404 vec_free (a->busy_##n##_ports_per_thread);
1405 foreach_snat_protocol
1409 vec_del1 (sm->twice_nat_addresses, i);
1413 vec_del1 (sm->addresses, i);
1415 /* Delete external address from FIB */
1417 pool_foreach (interface, sm->interfaces,
1419 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1422 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1425 pool_foreach (interface, sm->output_feature_interfaces,
1427 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1430 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1439 snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
1441 snat_main_t *sm = &snat_main;
1442 snat_interface_t *i;
1443 const char *feature_name, *del_feature_name;
1445 snat_static_mapping_t *m;
1447 nat_outside_fib_t *outside_fib;
1448 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1451 if (sm->out2in_dpo && !is_inside)
1452 return VNET_API_ERROR_UNSUPPORTED;
1455 pool_foreach (i, sm->output_feature_interfaces,
1457 if (i->sw_if_index == sw_if_index)
1458 return VNET_API_ERROR_VALUE_EXIST;
1462 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1463 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
1466 if (sm->num_workers > 1 && !sm->deterministic)
1468 is_inside ? "nat44-in2out-worker-handoff" :
1469 "nat44-out2in-worker-handoff";
1470 else if (sm->deterministic)
1471 feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in";
1472 else if (sm->endpoint_dependent)
1473 feature_name = is_inside ? "nat44-ed-in2out" : "nat44-ed-out2in";
1475 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
1478 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1479 sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index,
1482 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1483 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index,
1489 vec_foreach (outside_fib, sm->outside_fibs)
1491 if (outside_fib->fib_index == fib_index)
1495 outside_fib->refcount--;
1496 if (!outside_fib->refcount)
1497 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1500 outside_fib->refcount++;
1507 vec_add2 (sm->outside_fibs, outside_fib, 1);
1508 outside_fib->refcount = 1;
1509 outside_fib->fib_index = fib_index;
1514 pool_foreach (i, sm->interfaces,
1516 if (i->sw_if_index == sw_if_index)
1520 if (nat_interface_is_inside(i) && nat_interface_is_outside(i))
1523 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1525 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1527 if (sm->num_workers > 1 && !sm->deterministic)
1529 del_feature_name = "nat44-handoff-classify";
1530 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1531 "nat44-out2in-worker-handoff";
1533 else if (sm->deterministic)
1535 del_feature_name = "nat44-det-classify";
1536 feature_name = !is_inside ? "nat44-det-in2out" :
1539 else if (sm->endpoint_dependent)
1541 del_feature_name = "nat44-ed-classify";
1542 feature_name = !is_inside ? "nat44-ed-in2out" :
1547 del_feature_name = "nat44-classify";
1548 feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1551 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1552 sw_if_index, 0, 0, 0);
1553 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1554 sw_if_index, 1, 0, 0);
1557 if (sm->endpoint_dependent)
1558 vnet_feature_enable_disable ("ip4-local",
1559 "nat44-ed-hairpinning",
1560 sw_if_index, 1, 0, 0);
1561 else if (!sm->deterministic)
1562 vnet_feature_enable_disable ("ip4-local",
1563 "nat44-hairpinning",
1564 sw_if_index, 1, 0, 0);
1569 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1570 sw_if_index, 0, 0, 0);
1571 pool_put (sm->interfaces, i);
1574 if (sm->endpoint_dependent)
1575 vnet_feature_enable_disable ("ip4-local",
1576 "nat44-ed-hairpinning",
1577 sw_if_index, 0, 0, 0);
1578 else if (!sm->deterministic)
1579 vnet_feature_enable_disable ("ip4-local",
1580 "nat44-hairpinning",
1581 sw_if_index, 0, 0, 0);
1587 if ((nat_interface_is_inside(i) && is_inside) ||
1588 (nat_interface_is_outside(i) && !is_inside))
1591 if (sm->num_workers > 1 && !sm->deterministic)
1593 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1594 "nat44-out2in-worker-handoff";
1595 feature_name = "nat44-handoff-classify";
1597 else if (sm->deterministic)
1599 del_feature_name = !is_inside ? "nat44-det-in2out" :
1601 feature_name = "nat44-det-classify";
1603 else if (sm->endpoint_dependent)
1605 del_feature_name = !is_inside ? "nat44-ed-in2out" :
1607 feature_name = "nat44-ed-classify";
1611 del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1612 feature_name = "nat44-classify";
1615 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1616 sw_if_index, 0, 0, 0);
1617 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1618 sw_if_index, 1, 0, 0);
1621 if (sm->endpoint_dependent)
1622 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
1623 sw_if_index, 0, 0, 0);
1624 else if (!sm->deterministic)
1625 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
1626 sw_if_index, 0, 0, 0);
1637 return VNET_API_ERROR_NO_SUCH_ENTRY;
1639 pool_get (sm->interfaces, i);
1640 i->sw_if_index = sw_if_index;
1642 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0,
1645 if (is_inside && !sm->out2in_dpo)
1647 if (sm->endpoint_dependent)
1648 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
1649 sw_if_index, 1, 0, 0);
1650 else if (!sm->deterministic)
1651 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
1652 sw_if_index, 1, 0, 0);
1658 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1662 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1664 /* Add/delete external addresses to FIB */
1667 vec_foreach (ap, sm->addresses)
1668 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1670 pool_foreach (m, sm->static_mappings,
1672 if (!(is_addr_only_static_mapping(m)) || (m->local_addr.as_u32 == m->external_addr.as_u32))
1675 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1678 pool_foreach (dm, sm->det_maps,
1680 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
1688 snat_interface_add_del_output_feature (u32 sw_if_index,
1689 u8 is_inside, int is_del)
1691 snat_main_t *sm = &snat_main;
1692 snat_interface_t *i;
1694 snat_static_mapping_t *m;
1696 if (sm->deterministic ||
1697 (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)))
1698 return VNET_API_ERROR_UNSUPPORTED;
1701 pool_foreach (i, sm->interfaces,
1703 if (i->sw_if_index == sw_if_index)
1704 return VNET_API_ERROR_VALUE_EXIST;
1710 if (sm->endpoint_dependent)
1712 vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst",
1713 sw_if_index, !is_del, 0, 0);
1714 vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src",
1715 sw_if_index, !is_del, 0, 0);
1719 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
1720 sw_if_index, !is_del, 0, 0);
1721 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
1722 sw_if_index, !is_del, 0, 0);
1727 if (sm->num_workers > 1)
1729 vnet_feature_enable_disable ("ip4-unicast",
1730 "nat44-out2in-worker-handoff",
1731 sw_if_index, !is_del, 0, 0);
1732 vnet_feature_enable_disable ("ip4-output",
1733 "nat44-in2out-output-worker-handoff",
1734 sw_if_index, !is_del, 0, 0);
1738 if (sm->endpoint_dependent)
1740 vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-out2in",
1741 sw_if_index, !is_del, 0, 0);
1742 vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output",
1743 sw_if_index, !is_del, 0, 0);
1747 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in",
1748 sw_if_index, !is_del, 0, 0);
1749 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
1750 sw_if_index, !is_del, 0, 0);
1755 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
1756 sm->fq_in2out_output_index =
1757 vlib_frame_queue_main_init (sm->in2out_output_node_index, 0);
1759 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
1760 sm->fq_out2in_index =
1761 vlib_frame_queue_main_init (sm->out2in_node_index, 0);
1764 pool_foreach (i, sm->output_feature_interfaces,
1766 if (i->sw_if_index == sw_if_index)
1769 pool_put (sm->output_feature_interfaces, i);
1771 return VNET_API_ERROR_VALUE_EXIST;
1779 return VNET_API_ERROR_NO_SUCH_ENTRY;
1781 pool_get (sm->output_feature_interfaces, i);
1782 i->sw_if_index = sw_if_index;
1785 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1787 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1789 /* Add/delete external addresses to FIB */
1795 vec_foreach (ap, sm->addresses)
1796 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1798 pool_foreach (m, sm->static_mappings,
1800 if (!((is_addr_only_static_mapping(m))) || (m->local_addr.as_u32 == m->external_addr.as_u32))
1803 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1811 snat_set_workers (uword * bitmap)
1813 snat_main_t *sm = &snat_main;
1816 if (sm->num_workers < 2)
1817 return VNET_API_ERROR_FEATURE_DISABLED;
1819 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
1820 return VNET_API_ERROR_INVALID_WORKER;
1822 vec_free (sm->workers);
1824 clib_bitmap_foreach (i, bitmap,
1826 vec_add1(sm->workers, i);
1827 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
1832 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
1833 sm->num_snat_thread = _vec_len (sm->workers);
1840 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
1843 ip4_address_t * address,
1845 u32 if_address_index, u32 is_delete);
1848 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
1851 ip4_address_t * address,
1853 u32 if_address_index, u32 is_delete);
1856 nat_alloc_addr_and_port_default (snat_address_t * addresses,
1859 snat_session_key_t * k,
1860 u16 port_per_thread, u32 snat_thread_index);
1862 static clib_error_t *
1863 snat_init (vlib_main_t * vm)
1865 snat_main_t *sm = &snat_main;
1866 clib_error_t *error = 0;
1867 ip4_main_t *im = &ip4_main;
1868 ip_lookup_main_t *lm = &im->lookup_main;
1870 vlib_thread_registration_t *tr;
1871 vlib_thread_main_t *tm = vlib_get_thread_main ();
1874 ip4_add_del_interface_address_callback_t cb4;
1875 vlib_node_t *error_drop_node;
1878 sm->vnet_main = vnet_get_main ();
1880 sm->ip4_lookup_main = lm;
1881 sm->api_main = &api_main;
1882 sm->first_worker_index = 0;
1883 sm->num_workers = 0;
1884 sm->num_snat_thread = 1;
1886 sm->port_per_thread = 0xffff - 1024;
1887 sm->fq_in2out_index = ~0;
1888 sm->fq_out2in_index = ~0;
1889 sm->udp_timeout = SNAT_UDP_TIMEOUT;
1890 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
1891 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
1892 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
1893 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
1894 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
1895 sm->forwarding_enabled = 0;
1896 sm->log_class = vlib_log_register_class ("nat", 0);
1897 error_drop_node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
1898 sm->error_node_index = error_drop_node->index;
1899 sm->mss_clamping = 0;
1901 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
1904 tr = (vlib_thread_registration_t *) p[0];
1907 sm->num_workers = tr->count;
1908 sm->first_worker_index = tr->first_index;
1912 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
1914 /* Use all available workers by default */
1915 if (sm->num_workers > 1)
1917 for (i = 0; i < sm->num_workers; i++)
1918 bitmap = clib_bitmap_set (bitmap, i, 1);
1919 snat_set_workers (bitmap);
1920 clib_bitmap_free (bitmap);
1924 sm->per_thread_data[0].snat_thread_index = 0;
1927 error = snat_api_init (vm, sm);
1931 /* Set up the interface address add/del callback */
1932 cb4.function = snat_ip4_add_del_interface_address_cb;
1933 cb4.function_opaque = 0;
1935 vec_add1 (im->add_del_interface_address_callbacks, cb4);
1937 cb4.function = nat_ip4_add_del_addr_only_sm_cb;
1938 cb4.function_opaque = 0;
1940 vec_add1 (im->add_del_interface_address_callbacks, cb4);
1942 nat_dpo_module_init ();
1944 /* Init IPFIX logging */
1945 snat_ipfix_logging_init (vm);
1948 error = nat64_init (vm);
1956 /* Init virtual fragmenentation reassembly */
1957 return nat_reass_init (vm);
1960 VLIB_INIT_FUNCTION (snat_init);
1963 snat_free_outside_address_and_port (snat_address_t * addresses,
1964 u32 thread_index, snat_session_key_t * k)
1968 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
1970 for (address_index = 0; address_index < vec_len (addresses);
1973 if (addresses[address_index].addr.as_u32 == k->addr.as_u32)
1977 ASSERT (address_index < vec_len (addresses));
1979 a = addresses + address_index;
1981 switch (k->protocol)
1983 #define _(N, i, n, s) \
1984 case SNAT_PROTOCOL_##N: \
1985 ASSERT (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
1986 port_host_byte_order) == 1); \
1987 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
1988 port_host_byte_order, 0); \
1989 a->busy_##n##_ports--; \
1990 a->busy_##n##_ports_per_thread[thread_index]--; \
1992 foreach_snat_protocol
1995 nat_log_info ("unknown protocol");
2001 snat_static_mapping_match (snat_main_t * sm,
2002 snat_session_key_t match,
2003 snat_session_key_t * mapping,
2006 twice_nat_type_t * twice_nat,
2007 lb_nat_type_t * lb, ip4_address_t * ext_host_addr,
2008 u8 * is_identity_nat)
2010 clib_bihash_kv_8_8_t kv, value;
2011 snat_static_mapping_t *m;
2012 snat_session_key_t m_key;
2013 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
2014 u32 rand, lo = 0, hi, mid;
2017 m_key.fib_index = match.fib_index;
2020 mapping_hash = &sm->static_mapping_by_external;
2021 m_key.fib_index = 0;
2024 m_key.addr = match.addr;
2025 m_key.port = clib_net_to_host_u16 (match.port);
2026 m_key.protocol = match.protocol;
2028 kv.key = m_key.as_u64;
2030 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2032 /* Try address only mapping */
2035 kv.key = m_key.as_u64;
2036 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2040 m = pool_elt_at_index (sm->static_mappings, value.value);
2044 if (vec_len (m->locals))
2046 if (PREDICT_FALSE (lb != 0))
2047 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
2050 if (nat_affinity_find_and_lock (ext_host_addr[0], match.addr,
2051 match.protocol, match.port,
2055 mapping->addr = m->locals[backend_index].addr;
2057 clib_host_to_net_u16 (m->locals[backend_index].port);
2058 mapping->fib_index = m->locals[backend_index].fib_index;
2062 hi = vec_len (m->locals) - 1;
2063 rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix);
2066 mid = ((hi - lo) >> 1) + lo;
2067 (rand > m->locals[mid].prefix) ? (lo = mid + 1) : (hi = mid);
2069 if (!(m->locals[lo].prefix >= rand))
2071 if (PREDICT_FALSE (sm->num_workers > 1))
2074 .src_address = m->locals[lo].addr,
2076 if (sm->worker_in2out_cb (&ip, m->fib_index) !=
2077 vlib_get_thread_index ())
2080 mapping->addr = m->locals[lo].addr;
2081 mapping->port = clib_host_to_net_u16 (m->locals[lo].port);
2082 mapping->fib_index = m->locals[lo].fib_index;
2085 if (nat_affinity_create_and_lock (ext_host_addr[0], match.addr,
2086 match.protocol, match.port,
2088 m->affinity_per_service_list_head_index))
2089 nat_log_info ("create affinity record failed");
2094 if (PREDICT_FALSE (lb != 0))
2096 mapping->fib_index = m->fib_index;
2097 mapping->addr = m->local_addr;
2098 /* Address only mapping doesn't change port */
2099 mapping->port = is_addr_only_static_mapping (m) ? match.port
2100 : clib_host_to_net_u16 (m->local_port);
2102 mapping->protocol = m->proto;
2106 mapping->addr = m->external_addr;
2107 /* Address only mapping doesn't change port */
2108 mapping->port = is_addr_only_static_mapping (m) ? match.port
2109 : clib_host_to_net_u16 (m->external_port);
2110 mapping->fib_index = sm->outside_fib_index;
2114 if (PREDICT_FALSE (is_addr_only != 0))
2115 *is_addr_only = is_addr_only_static_mapping (m);
2117 if (PREDICT_FALSE (twice_nat != 0))
2118 *twice_nat = m->twice_nat;
2120 if (PREDICT_FALSE (is_identity_nat != 0))
2121 *is_identity_nat = is_identity_static_mapping (m);
2126 static_always_inline u16
2127 snat_random_port (u16 min, u16 max)
2129 snat_main_t *sm = &snat_main;
2130 return min + random_u32 (&sm->random_seed) /
2131 (random_u32_max () / (max - min + 1) + 1);
2135 snat_alloc_outside_address_and_port (snat_address_t * addresses,
2138 snat_session_key_t * k,
2139 u16 port_per_thread,
2140 u32 snat_thread_index)
2142 snat_main_t *sm = &snat_main;
2144 return sm->alloc_addr_and_port (addresses, fib_index, thread_index, k,
2145 port_per_thread, snat_thread_index);
2149 nat_alloc_addr_and_port_default (snat_address_t * addresses,
2152 snat_session_key_t * k,
2153 u16 port_per_thread, u32 snat_thread_index)
2156 snat_address_t *a, *ga = 0;
2159 for (i = 0; i < vec_len (addresses); i++)
2162 switch (k->protocol)
2164 #define _(N, j, n, s) \
2165 case SNAT_PROTOCOL_##N: \
2166 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
2168 if (a->fib_index == fib_index) \
2172 portnum = (port_per_thread * \
2173 snat_thread_index) + \
2174 snat_random_port(1, port_per_thread) + 1024; \
2175 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2177 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2178 a->busy_##n##_ports_per_thread[thread_index]++; \
2179 a->busy_##n##_ports++; \
2180 k->addr = a->addr; \
2181 k->port = clib_host_to_net_u16(portnum); \
2185 else if (a->fib_index == ~0) \
2191 foreach_snat_protocol
2194 nat_log_info ("unknown protocol");
2203 switch (k->protocol)
2205 #define _(N, j, n, s) \
2206 case SNAT_PROTOCOL_##N: \
2209 portnum = (port_per_thread * \
2210 snat_thread_index) + \
2211 snat_random_port(1, port_per_thread) + 1024; \
2212 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2214 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2215 a->busy_##n##_ports_per_thread[thread_index]++; \
2216 a->busy_##n##_ports++; \
2217 k->addr = a->addr; \
2218 k->port = clib_host_to_net_u16(portnum); \
2222 foreach_snat_protocol
2225 nat_log_info ("unknown protocol");
2230 /* Totally out of translations to use... */
2231 snat_ipfix_logging_addresses_exhausted (0);
2236 nat_alloc_addr_and_port_mape (snat_address_t * addresses,
2239 snat_session_key_t * k,
2240 u16 port_per_thread, u32 snat_thread_index)
2242 snat_main_t *sm = &snat_main;
2243 snat_address_t *a = addresses;
2244 u16 m, ports, portnum, A, j;
2245 m = 16 - (sm->psid_offset + sm->psid_length);
2246 ports = (1 << (16 - sm->psid_length)) - (1 << m);
2248 if (!vec_len (addresses))
2251 switch (k->protocol)
2253 #define _(N, i, n, s) \
2254 case SNAT_PROTOCOL_##N: \
2255 if (a->busy_##n##_ports < ports) \
2259 A = snat_random_port(1, pow2_mask(sm->psid_offset)); \
2260 j = snat_random_port(0, pow2_mask(m)); \
2261 portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \
2262 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2264 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2265 a->busy_##n##_ports++; \
2266 k->addr = a->addr; \
2267 k->port = clib_host_to_net_u16 (portnum); \
2272 foreach_snat_protocol
2275 nat_log_info ("unknown protocol");
2280 /* Totally out of translations to use... */
2281 snat_ipfix_logging_addresses_exhausted (0);
2286 nat_alloc_addr_and_port_range (snat_address_t * addresses,
2289 snat_session_key_t * k,
2290 u16 port_per_thread, u32 snat_thread_index)
2292 snat_main_t *sm = &snat_main;
2293 snat_address_t *a = addresses;
2296 ports = sm->end_port - sm->start_port + 1;
2298 if (!vec_len (addresses))
2301 switch (k->protocol)
2303 #define _(N, i, n, s) \
2304 case SNAT_PROTOCOL_##N: \
2305 if (a->busy_##n##_ports < ports) \
2309 portnum = snat_random_port(sm->start_port, sm->end_port); \
2310 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2312 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2313 a->busy_##n##_ports++; \
2314 k->addr = a->addr; \
2315 k->port = clib_host_to_net_u16 (portnum); \
2320 foreach_snat_protocol
2323 nat_log_info ("unknown protocol");
2328 /* Totally out of translations to use... */
2329 snat_ipfix_logging_addresses_exhausted (0);
2334 nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add)
2336 dpo_id_t dpo_v4 = DPO_INVALID;
2337 fib_prefix_t pfx = {
2338 .fp_proto = FIB_PROTOCOL_IP4,
2340 .fp_addr.ip4.as_u32 = addr.as_u32,
2345 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
2346 fib_table_entry_special_dpo_add (0, &pfx, FIB_SOURCE_PLUGIN_HI,
2347 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
2348 dpo_reset (&dpo_v4);
2352 fib_table_entry_special_remove (0, &pfx, FIB_SOURCE_PLUGIN_HI);
2357 format_session_kvp (u8 * s, va_list * args)
2359 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2360 snat_session_key_t k;
2364 s = format (s, "%U session-index %llu", format_snat_key, &k, v->value);
2370 format_static_mapping_kvp (u8 * s, va_list * args)
2372 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2373 snat_session_key_t k;
2377 s = format (s, "%U static-mapping-index %llu",
2378 format_static_mapping_key, &k, v->value);
2384 format_user_kvp (u8 * s, va_list * args)
2386 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2391 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
2392 k.fib_index, v->value);
2398 format_ed_session_kvp (u8 * s, va_list * args)
2400 clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *);
2403 k.as_u64[0] = v->key[0];
2404 k.as_u64[1] = v->key[1];
2407 format (s, "local %U:%d remote %U:%d proto %U fib %d session-index %llu",
2408 format_ip4_address, &k.l_addr, clib_net_to_host_u16 (k.l_port),
2409 format_ip4_address, &k.r_addr, clib_net_to_host_u16 (k.r_port),
2410 format_ip_protocol, k.proto, k.fib_index, v->value);
2416 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2418 snat_main_t *sm = &snat_main;
2419 u32 next_worker_index = 0;
2422 next_worker_index = sm->first_worker_index;
2423 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
2424 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
2426 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
2427 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
2429 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
2431 return next_worker_index;
2435 snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2437 snat_main_t *sm = &snat_main;
2440 snat_session_key_t m_key;
2441 clib_bihash_kv_8_8_t kv, value;
2442 snat_static_mapping_t *m;
2444 u32 next_worker_index = 0;
2446 /* first try static mappings without port */
2447 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2449 m_key.addr = ip0->dst_address;
2452 m_key.fib_index = rx_fib_index0;
2453 kv.key = m_key.as_u64;
2454 if (!clib_bihash_search_8_8
2455 (&sm->static_mapping_by_external, &kv, &value))
2457 m = pool_elt_at_index (sm->static_mappings, value.value);
2458 return m->workers[0];
2462 proto = ip_proto_to_snat_proto (ip0->protocol);
2463 udp = ip4_next_header (ip0);
2464 port = udp->dst_port;
2466 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
2468 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
2469 return vlib_get_thread_index ();
2471 if (PREDICT_TRUE (!ip4_is_first_fragment (ip0)))
2473 nat_reass_ip4_t *reass;
2475 reass = nat_ip4_reass_find (ip0->src_address, ip0->dst_address,
2476 ip0->fragment_id, ip0->protocol);
2478 if (reass && (reass->thread_index != (u32) ~ 0))
2479 return reass->thread_index;
2481 return vlib_get_thread_index ();
2485 /* unknown protocol */
2486 if (PREDICT_FALSE (proto == ~0))
2488 /* use current thread */
2489 return vlib_get_thread_index ();
2492 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
2494 icmp46_header_t *icmp = (icmp46_header_t *) udp;
2495 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
2496 if (!icmp_is_error_message (icmp))
2497 port = echo->identifier;
2500 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
2501 proto = ip_proto_to_snat_proto (inner_ip->protocol);
2502 void *l4_header = ip4_next_header (inner_ip);
2505 case SNAT_PROTOCOL_ICMP:
2506 icmp = (icmp46_header_t *) l4_header;
2507 echo = (icmp_echo_header_t *) (icmp + 1);
2508 port = echo->identifier;
2510 case SNAT_PROTOCOL_UDP:
2511 case SNAT_PROTOCOL_TCP:
2512 port = ((tcp_udp_header_t *) l4_header)->src_port;
2515 return vlib_get_thread_index ();
2520 /* try static mappings with port */
2521 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2523 m_key.addr = ip0->dst_address;
2524 m_key.port = clib_net_to_host_u16 (port);
2525 m_key.protocol = proto;
2526 m_key.fib_index = rx_fib_index0;
2527 kv.key = m_key.as_u64;
2528 if (!clib_bihash_search_8_8
2529 (&sm->static_mapping_by_external, &kv, &value))
2531 m = pool_elt_at_index (sm->static_mappings, value.value);
2532 return m->workers[0];
2536 /* worker by outside port */
2537 next_worker_index = sm->first_worker_index;
2538 next_worker_index +=
2539 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
2540 return next_worker_index;
2544 nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index)
2546 snat_main_t *sm = &snat_main;
2547 clib_bihash_kv_8_8_t kv, value;
2548 u32 proto, next_worker_index = 0;
2551 snat_static_mapping_t *m;
2554 /* first try static mappings without port */
2555 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2557 make_sm_kv (&kv, &ip->dst_address, 0, rx_fib_index, 0);
2558 if (!clib_bihash_search_8_8
2559 (&sm->static_mapping_by_external, &kv, &value))
2561 m = pool_elt_at_index (sm->static_mappings, value.value);
2562 return m->workers[0];
2566 proto = ip_proto_to_snat_proto (ip->protocol);
2568 /* unknown protocol */
2569 if (PREDICT_FALSE (proto == ~0))
2571 /* use current thread */
2572 return vlib_get_thread_index ();
2575 udp = ip4_next_header (ip);
2576 port = udp->dst_port;
2578 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
2580 icmp46_header_t *icmp = (icmp46_header_t *) udp;
2581 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
2582 if (!icmp_is_error_message (icmp))
2583 port = echo->identifier;
2586 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
2587 proto = ip_proto_to_snat_proto (inner_ip->protocol);
2588 void *l4_header = ip4_next_header (inner_ip);
2591 case SNAT_PROTOCOL_ICMP:
2592 icmp = (icmp46_header_t *) l4_header;
2593 echo = (icmp_echo_header_t *) (icmp + 1);
2594 port = echo->identifier;
2596 case SNAT_PROTOCOL_UDP:
2597 case SNAT_PROTOCOL_TCP:
2598 port = ((tcp_udp_header_t *) l4_header)->src_port;
2601 return vlib_get_thread_index ();
2606 /* try static mappings with port */
2607 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2609 make_sm_kv (&kv, &ip->dst_address, proto, rx_fib_index,
2610 clib_net_to_host_u16 (port));
2611 if (!clib_bihash_search_8_8
2612 (&sm->static_mapping_by_external, &kv, &value))
2614 m = pool_elt_at_index (sm->static_mappings, value.value);
2615 if (!vec_len (m->locals))
2616 return m->workers[0];
2618 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
2619 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
2621 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
2622 return m->workers[hash & (_vec_len (m->workers) - 1)];
2624 return m->workers[hash % _vec_len (m->workers)];
2628 /* worker by outside port */
2629 next_worker_index = sm->first_worker_index;
2630 next_worker_index +=
2631 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
2633 return next_worker_index;
2636 static clib_error_t *
2637 snat_config (vlib_main_t * vm, unformat_input_t * input)
2639 snat_main_t *sm = &snat_main;
2640 nat66_main_t *nm = &nat66_main;
2641 u32 translation_buckets = 1024;
2642 u32 translation_memory_size = 128 << 20;
2643 u32 user_buckets = 128;
2644 u32 user_memory_size = 64 << 20;
2645 u32 max_translations_per_user = 100;
2646 u32 outside_vrf_id = 0;
2647 u32 outside_ip6_vrf_id = 0;
2648 u32 inside_vrf_id = 0;
2649 u32 static_mapping_buckets = 1024;
2650 u32 static_mapping_memory_size = 64 << 20;
2651 u32 nat64_bib_buckets = 1024;
2652 u32 nat64_bib_memory_size = 128 << 20;
2653 u32 nat64_st_buckets = 2048;
2654 u32 nat64_st_memory_size = 256 << 20;
2655 u8 static_mapping_only = 0;
2656 u8 static_mapping_connection_tracking = 0;
2657 snat_main_per_thread_data_t *tsm;
2658 dslite_main_t *dm = &dslite_main;
2660 sm->deterministic = 0;
2662 sm->endpoint_dependent = 0;
2664 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
2667 (input, "translation hash buckets %d", &translation_buckets))
2669 else if (unformat (input, "translation hash memory %d",
2670 &translation_memory_size));
2671 else if (unformat (input, "user hash buckets %d", &user_buckets))
2673 else if (unformat (input, "user hash memory %d", &user_memory_size))
2675 else if (unformat (input, "max translations per user %d",
2676 &max_translations_per_user))
2678 else if (unformat (input, "outside VRF id %d", &outside_vrf_id))
2680 else if (unformat (input, "outside ip6 VRF id %d", &outside_ip6_vrf_id))
2682 else if (unformat (input, "inside VRF id %d", &inside_vrf_id))
2684 else if (unformat (input, "static mapping only"))
2686 static_mapping_only = 1;
2687 if (unformat (input, "connection tracking"))
2688 static_mapping_connection_tracking = 1;
2690 else if (unformat (input, "deterministic"))
2691 sm->deterministic = 1;
2692 else if (unformat (input, "nat64 bib hash buckets %d",
2693 &nat64_bib_buckets))
2695 else if (unformat (input, "nat64 bib hash memory %d",
2696 &nat64_bib_memory_size))
2699 if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets))
2701 else if (unformat (input, "nat64 st hash memory %d",
2702 &nat64_st_memory_size))
2704 else if (unformat (input, "out2in dpo"))
2706 else if (unformat (input, "dslite ce"))
2707 dslite_set_ce (dm, 1);
2708 else if (unformat (input, "endpoint-dependent"))
2709 sm->endpoint_dependent = 1;
2711 return clib_error_return (0, "unknown input '%U'",
2712 format_unformat_error, input);
2715 if (sm->deterministic && sm->endpoint_dependent)
2716 return clib_error_return (0,
2717 "deterministic and endpoint-dependent modes are mutually exclusive");
2719 if (static_mapping_only && (sm->deterministic || sm->endpoint_dependent))
2720 return clib_error_return (0,
2721 "static mapping only mode available only for simple nat");
2723 if (sm->out2in_dpo && (sm->deterministic || sm->endpoint_dependent))
2724 return clib_error_return (0,
2725 "out2in dpo mode available only for simple nat");
2727 /* for show commands, etc. */
2728 sm->translation_buckets = translation_buckets;
2729 sm->translation_memory_size = translation_memory_size;
2730 /* do not exceed load factor 10 */
2731 sm->max_translations = 10 * translation_buckets;
2732 sm->user_buckets = user_buckets;
2733 sm->user_memory_size = user_memory_size;
2734 sm->max_translations_per_user = max_translations_per_user;
2735 sm->outside_vrf_id = outside_vrf_id;
2736 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
2738 FIB_SOURCE_PLUGIN_HI);
2739 nm->outside_vrf_id = outside_ip6_vrf_id;
2740 nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6,
2742 FIB_SOURCE_PLUGIN_HI);
2743 sm->inside_vrf_id = inside_vrf_id;
2744 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
2746 FIB_SOURCE_PLUGIN_HI);
2747 sm->static_mapping_only = static_mapping_only;
2748 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
2750 nat64_set_hash (nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets,
2751 nat64_st_memory_size);
2753 if (sm->deterministic)
2755 sm->in2out_node_index = snat_det_in2out_node.index;
2756 sm->in2out_output_node_index = ~0;
2757 sm->out2in_node_index = snat_det_out2in_node.index;
2758 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
2759 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
2763 if (sm->endpoint_dependent)
2765 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
2766 sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb;
2767 sm->in2out_node_index = nat44_ed_in2out_node.index;
2768 sm->in2out_output_node_index = nat44_ed_in2out_output_node.index;
2769 sm->out2in_node_index = nat44_ed_out2in_node.index;
2770 sm->icmp_match_in2out_cb = icmp_match_in2out_ed;
2771 sm->icmp_match_out2in_cb = icmp_match_out2in_ed;
2772 nat_affinity_init (vm);
2776 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
2777 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
2778 sm->in2out_node_index = snat_in2out_node.index;
2779 sm->in2out_output_node_index = snat_in2out_output_node.index;
2780 sm->out2in_node_index = snat_out2in_node.index;
2781 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
2782 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
2784 if (!static_mapping_only ||
2785 (static_mapping_only && static_mapping_connection_tracking))
2788 vec_foreach (tsm, sm->per_thread_data)
2790 if (sm->endpoint_dependent)
2792 clib_bihash_init_16_8 (&tsm->in2out_ed, "in2out-ed",
2793 translation_buckets,
2794 translation_memory_size);
2795 clib_bihash_set_kvp_format_fn_16_8 (&tsm->in2out_ed,
2796 format_ed_session_kvp);
2798 clib_bihash_init_16_8 (&tsm->out2in_ed, "out2in-ed",
2799 translation_buckets,
2800 translation_memory_size);
2801 clib_bihash_set_kvp_format_fn_16_8 (&tsm->out2in_ed,
2802 format_ed_session_kvp);
2806 clib_bihash_init_8_8 (&tsm->in2out, "in2out",
2807 translation_buckets,
2808 translation_memory_size);
2809 clib_bihash_set_kvp_format_fn_8_8 (&tsm->in2out,
2810 format_session_kvp);
2812 clib_bihash_init_8_8 (&tsm->out2in, "out2in",
2813 translation_buckets,
2814 translation_memory_size);
2815 clib_bihash_set_kvp_format_fn_8_8 (&tsm->out2in,
2816 format_session_kvp);
2819 clib_bihash_init_8_8 (&tsm->user_hash, "users", user_buckets,
2821 clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash,
2829 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
2830 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
2832 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
2833 "static_mapping_by_local", static_mapping_buckets,
2834 static_mapping_memory_size);
2835 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local,
2836 format_static_mapping_kvp);
2838 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
2839 "static_mapping_by_external",
2840 static_mapping_buckets,
2841 static_mapping_memory_size);
2842 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external,
2843 format_static_mapping_kvp);
2849 VLIB_CONFIG_FUNCTION (snat_config, "nat");
2852 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
2855 ip4_address_t * address,
2857 u32 if_address_index, u32 is_delete)
2859 snat_main_t *sm = &snat_main;
2860 snat_static_map_resolve_t *rp;
2861 snat_static_mapping_t *m;
2862 snat_session_key_t m_key;
2863 clib_bihash_kv_8_8_t kv, value;
2865 ip4_address_t l_addr;
2867 for (i = 0; i < vec_len (sm->to_resolve); i++)
2869 rp = sm->to_resolve + i;
2870 if (rp->addr_only == 0)
2872 if (rp->sw_if_index == sw_if_index)
2879 m_key.addr.as_u32 = address->as_u32;
2880 m_key.port = rp->addr_only ? 0 : rp->e_port;
2881 m_key.protocol = rp->addr_only ? 0 : rp->proto;
2882 m_key.fib_index = sm->outside_fib_index;
2883 kv.key = m_key.as_u64;
2884 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
2887 m = pool_elt_at_index (sm->static_mappings, value.value);
2891 /* Don't trip over lease renewal, static config */
2901 /* Indetity mapping? */
2902 if (rp->l_addr.as_u32 == 0)
2903 l_addr.as_u32 = address[0].as_u32;
2905 l_addr.as_u32 = rp->l_addr.as_u32;
2906 /* Add the static mapping */
2907 rv = snat_add_static_mapping (l_addr,
2912 rp->addr_only, ~0 /* sw_if_index */ ,
2913 rp->proto, !is_delete, rp->twice_nat,
2914 rp->out2in_only, rp->tag, rp->identity_nat);
2916 nat_log_notice ("snat_add_static_mapping returned %d", rv);
2920 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
2923 ip4_address_t * address,
2925 u32 if_address_index, u32 is_delete)
2927 snat_main_t *sm = &snat_main;
2928 snat_static_map_resolve_t *rp;
2929 ip4_address_t l_addr;
2933 snat_address_t *addresses = sm->addresses;
2935 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices); i++)
2937 if (sw_if_index == sm->auto_add_sw_if_indices[i])
2941 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices_twice_nat); i++)
2944 addresses = sm->twice_nat_addresses;
2945 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
2954 /* Don't trip over lease renewal, static config */
2955 for (j = 0; j < vec_len (addresses); j++)
2956 if (addresses[j].addr.as_u32 == address->as_u32)
2959 (void) snat_add_address (sm, address, ~0, twice_nat);
2960 /* Scan static map resolution vector */
2961 for (j = 0; j < vec_len (sm->to_resolve); j++)
2963 rp = sm->to_resolve + j;
2966 /* On this interface? */
2967 if (rp->sw_if_index == sw_if_index)
2969 /* Indetity mapping? */
2970 if (rp->l_addr.as_u32 == 0)
2971 l_addr.as_u32 = address[0].as_u32;
2973 l_addr.as_u32 = rp->l_addr.as_u32;
2974 /* Add the static mapping */
2975 rv = snat_add_static_mapping (l_addr,
2981 ~0 /* sw_if_index */ ,
2983 rp->is_add, rp->twice_nat,
2984 rp->out2in_only, rp->tag,
2987 nat_log_notice ("snat_add_static_mapping returned %d", rv);
2994 (void) snat_del_address (sm, address[0], 1, twice_nat);
3001 snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del,
3004 ip4_main_t *ip4_main = sm->ip4_main;
3005 ip4_address_t *first_int_addr;
3006 snat_static_map_resolve_t *rp;
3007 u32 *indices_to_delete = 0;
3009 u32 *auto_add_sw_if_indices =
3011 auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
3013 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0 /* just want the address */
3016 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3018 if (auto_add_sw_if_indices[i] == sw_if_index)
3022 /* if have address remove it */
3024 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
3027 for (j = 0; j < vec_len (sm->to_resolve); j++)
3029 rp = sm->to_resolve + j;
3030 if (rp->sw_if_index == sw_if_index)
3031 vec_add1 (indices_to_delete, j);
3033 if (vec_len (indices_to_delete))
3035 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
3036 vec_del1 (sm->to_resolve, j);
3037 vec_free (indices_to_delete);
3041 vec_del1 (sm->auto_add_sw_if_indices_twice_nat, i);
3043 vec_del1 (sm->auto_add_sw_if_indices, i);
3046 return VNET_API_ERROR_VALUE_EXIST;
3053 return VNET_API_ERROR_NO_SUCH_ENTRY;
3055 /* add to the auto-address list */
3057 vec_add1 (sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
3059 vec_add1 (sm->auto_add_sw_if_indices, sw_if_index);
3061 /* If the address is already bound - or static - add it now */
3063 (void) snat_add_address (sm, first_int_addr, ~0, twice_nat);
3069 nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
3070 snat_protocol_t proto, u32 vrf_id, int is_in)
3072 snat_main_per_thread_data_t *tsm;
3073 clib_bihash_kv_8_8_t kv, value;
3075 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3076 snat_session_key_t key;
3078 clib_bihash_8_8_t *t;
3080 if (sm->endpoint_dependent)
3081 return VNET_API_ERROR_UNSUPPORTED;
3083 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3084 if (sm->num_workers > 1)
3086 vec_elt_at_index (sm->per_thread_data,
3087 sm->worker_in2out_cb (&ip, fib_index));
3089 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3091 key.addr.as_u32 = addr->as_u32;
3092 key.port = clib_host_to_net_u16 (port);
3093 key.protocol = proto;
3094 key.fib_index = fib_index;
3095 kv.key = key.as_u64;
3096 t = is_in ? &tsm->in2out : &tsm->out2in;
3097 if (!clib_bihash_search_8_8 (t, &kv, &value))
3099 if (pool_is_free_index (tsm->sessions, value.value))
3100 return VNET_API_ERROR_UNSPECIFIED;
3102 s = pool_elt_at_index (tsm->sessions, value.value);
3103 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
3104 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
3108 return VNET_API_ERROR_NO_SUCH_ENTRY;
3112 nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
3113 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
3114 u32 vrf_id, int is_in)
3117 clib_bihash_16_8_t *t;
3118 nat_ed_ses_key_t key;
3119 clib_bihash_kv_16_8_t kv, value;
3120 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3122 snat_main_per_thread_data_t *tsm;
3124 if (!sm->endpoint_dependent)
3125 return VNET_API_ERROR_FEATURE_DISABLED;
3127 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3128 if (sm->num_workers > 1)
3130 vec_elt_at_index (sm->per_thread_data,
3131 sm->worker_in2out_cb (&ip, fib_index));
3133 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3135 t = is_in ? &tsm->in2out_ed : &tsm->out2in_ed;
3136 key.l_addr.as_u32 = addr->as_u32;
3137 key.r_addr.as_u32 = eh_addr->as_u32;
3138 key.l_port = clib_host_to_net_u16 (port);
3139 key.r_port = clib_host_to_net_u16 (eh_port);
3141 key.fib_index = fib_index;
3142 kv.key[0] = key.as_u64[0];
3143 kv.key[1] = key.as_u64[1];
3144 if (clib_bihash_search_16_8 (t, &kv, &value))
3145 return VNET_API_ERROR_NO_SUCH_ENTRY;
3147 if (pool_is_free_index (tsm->sessions, value.value))
3148 return VNET_API_ERROR_UNSPECIFIED;
3149 s = pool_elt_at_index (tsm->sessions, value.value);
3150 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
3151 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
3156 nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, u16 psid_length)
3158 snat_main_t *sm = &snat_main;
3160 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE;
3161 sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
3163 sm->psid_offset = psid_offset;
3164 sm->psid_length = psid_length;
3168 nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port)
3170 snat_main_t *sm = &snat_main;
3172 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE;
3173 sm->alloc_addr_and_port = nat_alloc_addr_and_port_range;
3174 sm->start_port = start_port;
3175 sm->end_port = end_port;
3179 nat_set_alloc_addr_and_port_default (void)
3181 snat_main_t *sm = &snat_main;
3183 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
3184 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
3188 * fd.io coding-style-patch-verification: ON
3191 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob