2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_dpo.h>
24 #include <nat/nat_ipfix_logging.h>
25 #include <nat/nat_det.h>
26 #include <nat/nat64.h>
27 #include <nat/nat66.h>
28 #include <nat/dslite.h>
29 #include <nat/nat_reass.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat_affinity.h>
32 #include <nat/nat_syslog.h>
33 #include <vnet/fib/fib_table.h>
34 #include <vnet/fib/ip4_fib.h>
36 #include <vpp/app/version.h>
38 snat_main_t snat_main;
42 /* Hook up input features */
43 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
44 .arc_name = "ip4-unicast",
45 .node_name = "nat44-in2out",
46 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
48 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
49 .arc_name = "ip4-unicast",
50 .node_name = "nat44-out2in",
51 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
52 "ip4-dhcp-client-detect"),
54 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
55 .arc_name = "ip4-unicast",
56 .node_name = "nat44-classify",
57 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
59 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
60 .arc_name = "ip4-unicast",
61 .node_name = "nat44-det-in2out",
62 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
64 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
65 .arc_name = "ip4-unicast",
66 .node_name = "nat44-det-out2in",
67 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
68 "ip4-dhcp-client-detect"),
70 VNET_FEATURE_INIT (ip4_nat_det_classify, static) = {
71 .arc_name = "ip4-unicast",
72 .node_name = "nat44-det-classify",
73 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
75 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
76 .arc_name = "ip4-unicast",
77 .node_name = "nat44-ed-in2out",
78 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
80 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
81 .arc_name = "ip4-unicast",
82 .node_name = "nat44-ed-out2in",
83 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
84 "ip4-dhcp-client-detect"),
86 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
87 .arc_name = "ip4-unicast",
88 .node_name = "nat44-ed-classify",
89 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
91 VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = {
92 .arc_name = "ip4-unicast",
93 .node_name = "nat44-in2out-worker-handoff",
94 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
96 VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = {
97 .arc_name = "ip4-unicast",
98 .node_name = "nat44-out2in-worker-handoff",
99 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
100 "ip4-dhcp-client-detect"),
102 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
103 .arc_name = "ip4-unicast",
104 .node_name = "nat44-handoff-classify",
105 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
107 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
108 .arc_name = "ip4-unicast",
109 .node_name = "nat44-in2out-fast",
110 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
112 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
113 .arc_name = "ip4-unicast",
114 .node_name = "nat44-out2in-fast",
115 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
116 "ip4-dhcp-client-detect"),
118 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
119 .arc_name = "ip4-unicast",
120 .node_name = "nat44-hairpin-dst",
121 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
123 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = {
124 .arc_name = "ip4-unicast",
125 .node_name = "nat44-ed-hairpin-dst",
126 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
129 /* Hook up output features */
130 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
131 .arc_name = "ip4-output",
132 .node_name = "nat44-in2out-output",
133 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
135 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
136 .arc_name = "ip4-output",
137 .node_name = "nat44-in2out-output-worker-handoff",
138 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
140 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
141 .arc_name = "ip4-output",
142 .node_name = "nat44-hairpin-src",
143 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
145 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
146 .arc_name = "ip4-output",
147 .node_name = "nat44-ed-in2out-output",
148 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
150 VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = {
151 .arc_name = "ip4-output",
152 .node_name = "nat44-ed-hairpin-src",
153 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
156 /* Hook up ip4-local features */
157 VNET_FEATURE_INIT (ip4_nat_hairpinning, static) =
159 .arc_name = "ip4-local",
160 .node_name = "nat44-hairpinning",
161 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
163 VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) =
165 .arc_name = "ip4-local",
166 .node_name = "nat44-ed-hairpinning",
167 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
171 VLIB_PLUGIN_REGISTER () = {
172 .version = VPP_BUILD_VER,
173 .description = "Network Address Translation",
178 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index)
180 snat_session_key_t key;
181 clib_bihash_kv_8_8_t kv;
182 nat_ed_ses_key_t ed_key;
183 clib_bihash_kv_16_8_t ed_kv;
184 snat_main_per_thread_data_t *tsm =
185 vec_elt_at_index (sm->per_thread_data, thread_index);
187 if (is_fwd_bypass_session (s))
189 ed_key.l_addr = s->in2out.addr;
190 ed_key.r_addr = s->ext_host_addr;
191 ed_key.l_port = s->in2out.port;
192 ed_key.r_port = s->ext_host_port;
193 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
194 ed_key.fib_index = 0;
195 ed_kv.key[0] = ed_key.as_u64[0];
196 ed_kv.key[1] = ed_key.as_u64[1];
197 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
198 nat_log_warn ("in2out_ed key del failed");
202 /* session lookup tables */
203 if (is_ed_session (s))
205 if (is_affinity_sessions (s))
206 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr,
207 s->in2out.protocol, s->out2in.port);
208 ed_key.l_addr = s->out2in.addr;
209 ed_key.r_addr = s->ext_host_addr;
210 ed_key.fib_index = s->out2in.fib_index;
211 if (snat_is_unk_proto_session (s))
213 ed_key.proto = s->in2out.port;
219 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
220 ed_key.l_port = s->out2in.port;
221 ed_key.r_port = s->ext_host_port;
223 ed_kv.key[0] = ed_key.as_u64[0];
224 ed_kv.key[1] = ed_key.as_u64[1];
225 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0))
226 nat_log_warn ("out2in_ed key del failed");
227 ed_key.l_addr = s->in2out.addr;
228 ed_key.fib_index = s->in2out.fib_index;
229 if (!snat_is_unk_proto_session (s))
230 ed_key.l_port = s->in2out.port;
231 if (is_twice_nat_session (s))
233 ed_key.r_addr = s->ext_host_nat_addr;
234 ed_key.r_port = s->ext_host_nat_port;
236 ed_kv.key[0] = ed_key.as_u64[0];
237 ed_kv.key[1] = ed_key.as_u64[1];
238 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
239 nat_log_warn ("in2out_ed key del failed");
241 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
242 &s->in2out.addr, s->in2out.port,
243 &s->ext_host_nat_addr, s->ext_host_nat_port,
244 &s->out2in.addr, s->out2in.port,
245 &s->ext_host_addr, s->ext_host_port,
246 s->in2out.protocol, is_twice_nat_session (s));
250 kv.key = s->in2out.as_u64;
251 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0))
252 nat_log_warn ("in2out key del failed");
253 kv.key = s->out2in.as_u64;
254 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0))
255 nat_log_warn ("out2in key del failed");
257 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
258 &s->in2out.addr, s->in2out.port,
259 &s->out2in.addr, s->out2in.port,
263 if (snat_is_unk_proto_session (s))
267 snat_ipfix_logging_nat44_ses_delete (thread_index,
268 s->in2out.addr.as_u32,
269 s->out2in.addr.as_u32,
272 s->out2in.port, s->in2out.fib_index);
274 /* Twice NAT address and port for external host */
275 if (is_twice_nat_session (s))
277 key.protocol = s->in2out.protocol;
278 key.port = s->ext_host_nat_port;
279 key.addr.as_u32 = s->ext_host_nat_addr.as_u32;
280 snat_free_outside_address_and_port (sm->twice_nat_addresses,
284 if (snat_is_session_static (s))
287 snat_free_outside_address_and_port (sm->addresses, thread_index,
292 nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, u32 fib_index,
296 snat_user_key_t user_key;
297 clib_bihash_kv_8_8_t kv, value;
298 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
299 dlist_elt_t *per_user_list_head_elt;
301 user_key.addr.as_u32 = addr->as_u32;
302 user_key.fib_index = fib_index;
303 kv.key = user_key.as_u64;
305 /* Ever heard of the "user" = src ip4 address before? */
306 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
308 /* no, make a new one */
309 pool_get (tsm->users, u);
310 clib_memset (u, 0, sizeof (*u));
311 u->addr.as_u32 = addr->as_u32;
312 u->fib_index = fib_index;
314 pool_get (tsm->list_pool, per_user_list_head_elt);
316 u->sessions_per_user_list_head_index = per_user_list_head_elt -
319 clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index);
321 kv.value = u - tsm->users;
324 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
325 nat_log_warn ("user_hash keay add failed");
327 vlib_set_simple_counter (&sm->total_users, thread_index, 0,
328 pool_elts (tsm->users));
332 u = pool_elt_at_index (tsm->users, value.value);
339 nat_session_alloc_or_recycle (snat_main_t * sm, snat_user_t * u,
343 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
344 u32 oldest_per_user_translation_list_index, session_index;
345 dlist_elt_t *oldest_per_user_translation_list_elt;
346 dlist_elt_t *per_user_translation_list_elt;
348 /* Over quota? Recycle the least recently used translation */
349 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
351 oldest_per_user_translation_list_index =
352 clib_dlist_remove_head (tsm->list_pool,
353 u->sessions_per_user_list_head_index);
355 ASSERT (oldest_per_user_translation_list_index != ~0);
357 /* Add it back to the end of the LRU list */
358 clib_dlist_addtail (tsm->list_pool,
359 u->sessions_per_user_list_head_index,
360 oldest_per_user_translation_list_index);
361 /* Get the list element */
362 oldest_per_user_translation_list_elt =
363 pool_elt_at_index (tsm->list_pool,
364 oldest_per_user_translation_list_index);
366 /* Get the session index from the list element */
367 session_index = oldest_per_user_translation_list_elt->value;
369 /* Get the session */
370 s = pool_elt_at_index (tsm->sessions, session_index);
371 nat_free_session_data (sm, s, thread_index);
372 if (snat_is_session_static (s))
373 u->nstaticsessions--;
380 s->ext_host_addr.as_u32 = 0;
381 s->ext_host_port = 0;
382 s->ext_host_nat_addr.as_u32 = 0;
383 s->ext_host_nat_port = 0;
387 pool_get (tsm->sessions, s);
388 clib_memset (s, 0, sizeof (*s));
390 /* Create list elts */
391 pool_get (tsm->list_pool, per_user_translation_list_elt);
392 clib_dlist_init (tsm->list_pool,
393 per_user_translation_list_elt - tsm->list_pool);
395 per_user_translation_list_elt->value = s - tsm->sessions;
396 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
397 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
399 clib_dlist_addtail (tsm->list_pool,
400 s->per_user_list_head_index,
401 per_user_translation_list_elt - tsm->list_pool);
403 s->user_index = u - tsm->users;
404 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
405 pool_elts (tsm->sessions));
412 nat_ed_session_alloc (snat_main_t * sm, snat_user_t * u, u32 thread_index,
416 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
417 dlist_elt_t *per_user_translation_list_elt, *oldest_elt;
419 u64 sess_timeout_time;
421 if (PREDICT_FALSE (!(u->nsessions) && !(u->nstaticsessions)))
425 clib_dlist_remove_head (tsm->list_pool,
426 u->sessions_per_user_list_head_index);
427 oldest_elt = pool_elt_at_index (tsm->list_pool, oldest_index);
428 s = pool_elt_at_index (tsm->sessions, oldest_elt->value);
429 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
430 if (now >= sess_timeout_time)
432 clib_dlist_addtail (tsm->list_pool,
433 u->sessions_per_user_list_head_index, oldest_index);
434 nat_free_session_data (sm, s, thread_index);
435 if (snat_is_session_static (s))
436 u->nstaticsessions--;
443 s->ext_host_addr.as_u32 = 0;
444 s->ext_host_port = 0;
445 s->ext_host_nat_addr.as_u32 = 0;
446 s->ext_host_nat_port = 0;
450 clib_dlist_addhead (tsm->list_pool,
451 u->sessions_per_user_list_head_index, oldest_index);
452 if ((u->nsessions + u->nstaticsessions) >=
453 sm->max_translations_per_user)
455 nat_log_warn ("max translations per user %U", format_ip4_address,
457 snat_ipfix_logging_max_entries_per_user
458 (thread_index, sm->max_translations_per_user, u->addr.as_u32);
464 pool_get (tsm->sessions, s);
465 clib_memset (s, 0, sizeof (*s));
467 /* Create list elts */
468 pool_get (tsm->list_pool, per_user_translation_list_elt);
469 clib_dlist_init (tsm->list_pool,
470 per_user_translation_list_elt - tsm->list_pool);
472 per_user_translation_list_elt->value = s - tsm->sessions;
473 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
474 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
476 clib_dlist_addtail (tsm->list_pool,
477 s->per_user_list_head_index,
478 per_user_translation_list_elt - tsm->list_pool);
481 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
482 pool_elts (tsm->sessions));
489 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
492 fib_prefix_t prefix = {
494 .fp_proto = FIB_PROTOCOL_IP4,
496 .ip4.as_u32 = addr->as_u32,
499 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
502 fib_table_entry_update_one_path (fib_index,
504 FIB_SOURCE_PLUGIN_LOW,
505 (FIB_ENTRY_FLAG_CONNECTED |
506 FIB_ENTRY_FLAG_LOCAL |
507 FIB_ENTRY_FLAG_EXCLUSIVE),
511 ~0, 1, NULL, FIB_ROUTE_PATH_FLAG_NONE);
513 fib_table_entry_delete (fib_index, &prefix, FIB_SOURCE_PLUGIN_LOW);
517 snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id,
522 vlib_thread_main_t *tm = vlib_get_thread_main ();
524 if (twice_nat && !sm->endpoint_dependent)
525 return VNET_API_ERROR_FEATURE_DISABLED;
527 /* Check if address already exists */
529 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
531 if (ap->addr.as_u32 == addr->as_u32)
532 return VNET_API_ERROR_VALUE_EXIST;
537 vec_add2 (sm->twice_nat_addresses, ap, 1);
539 vec_add2 (sm->addresses, ap, 1);
544 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
545 FIB_SOURCE_PLUGIN_LOW);
548 #define _(N, i, n, s) \
549 clib_bitmap_alloc (ap->busy_##n##_port_bitmap, 65535); \
550 ap->busy_##n##_ports = 0; \
551 ap->busy_##n##_ports_per_thread = 0;\
552 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
553 foreach_snat_protocol
558 /* Add external address to FIB */
560 pool_foreach (i, sm->interfaces,
562 if (nat_interface_is_inside(i) || sm->out2in_dpo)
565 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
568 pool_foreach (i, sm->output_feature_interfaces,
570 if (nat_interface_is_inside(i) || sm->out2in_dpo)
573 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
582 is_snat_address_used_in_static_mapping (snat_main_t * sm, ip4_address_t addr)
584 snat_static_mapping_t *m;
586 pool_foreach (m, sm->static_mappings,
588 if (is_addr_only_static_mapping (m) ||
589 is_out2in_only_static_mapping (m) ||
590 is_identity_static_mapping (m))
592 if (m->external_addr.as_u32 == addr.as_u32)
601 increment_v4_address (ip4_address_t * a)
605 v = clib_net_to_host_u32 (a->as_u32) + 1;
606 a->as_u32 = clib_host_to_net_u32 (v);
610 snat_add_static_mapping_when_resolved (snat_main_t * sm,
611 ip4_address_t l_addr,
616 snat_protocol_t proto,
617 int addr_only, int is_add, u8 * tag,
618 int twice_nat, int out2in_only,
621 snat_static_map_resolve_t *rp;
623 vec_add2 (sm->to_resolve, rp, 1);
624 rp->l_addr.as_u32 = l_addr.as_u32;
626 rp->sw_if_index = sw_if_index;
630 rp->addr_only = addr_only;
632 rp->twice_nat = twice_nat;
633 rp->out2in_only = out2in_only;
634 rp->identity_nat = identity_nat;
635 rp->tag = vec_dup (tag);
639 get_thread_idx_by_port (u16 e_port)
641 snat_main_t *sm = &snat_main;
642 u32 thread_idx = sm->num_workers;
643 if (sm->num_workers > 1)
646 sm->first_worker_index +
647 sm->workers[(e_port - 1024) / sm->port_per_thread];
653 snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
654 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
655 u32 sw_if_index, snat_protocol_t proto, int is_add,
656 twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag,
659 snat_main_t *sm = &snat_main;
660 snat_static_mapping_t *m;
661 snat_session_key_t m_key;
662 clib_bihash_kv_8_8_t kv, value;
663 snat_address_t *a = 0;
665 snat_interface_t *interface;
667 snat_main_per_thread_data_t *tsm;
668 snat_user_key_t u_key;
670 dlist_elt_t *head, *elt;
671 u32 elt_index, head_index;
675 snat_static_map_resolve_t *rp, *rp_match = 0;
676 nat44_lb_addr_port_t *local;
679 if (!sm->endpoint_dependent)
681 if (twice_nat || out2in_only)
682 return VNET_API_ERROR_FEATURE_DISABLED;
685 /* If the external address is a specific interface address */
686 if (sw_if_index != ~0)
688 ip4_address_t *first_int_addr;
690 for (i = 0; i < vec_len (sm->to_resolve); i++)
692 rp = sm->to_resolve + i;
693 if (rp->sw_if_index != sw_if_index ||
694 rp->l_addr.as_u32 != l_addr.as_u32 ||
695 rp->vrf_id != vrf_id || rp->addr_only != addr_only)
700 if (rp->l_port != l_port || rp->e_port != e_port
701 || rp->proto != proto)
709 /* Might be already set... */
710 first_int_addr = ip4_interface_first_address
711 (sm->ip4_main, sw_if_index, 0 /* just want the address */ );
716 return VNET_API_ERROR_VALUE_EXIST;
718 snat_add_static_mapping_when_resolved
719 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
720 addr_only, is_add, tag, twice_nat, out2in_only, identity_nat);
722 /* DHCP resolution required? */
723 if (first_int_addr == 0)
729 e_addr.as_u32 = first_int_addr->as_u32;
730 /* Identity mapping? */
731 if (l_addr.as_u32 == 0)
732 l_addr.as_u32 = e_addr.as_u32;
738 return VNET_API_ERROR_NO_SUCH_ENTRY;
740 vec_del1 (sm->to_resolve, i);
744 e_addr.as_u32 = first_int_addr->as_u32;
745 /* Identity mapping? */
746 if (l_addr.as_u32 == 0)
747 l_addr.as_u32 = e_addr.as_u32;
755 m_key.port = addr_only ? 0 : e_port;
756 m_key.protocol = addr_only ? 0 : proto;
758 kv.key = m_key.as_u64;
759 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
762 m = pool_elt_at_index (sm->static_mappings, value.value);
768 if (is_identity_static_mapping (m))
771 pool_foreach (local, m->locals,
773 if (local->vrf_id == vrf_id)
774 return VNET_API_ERROR_VALUE_EXIST;
777 pool_get (m->locals, local);
778 local->vrf_id = vrf_id;
780 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
781 FIB_SOURCE_PLUGIN_LOW);
782 m_key.addr = m->local_addr;
783 m_key.port = m->local_port;
784 m_key.protocol = m->proto;
785 m_key.fib_index = local->fib_index;
786 kv.key = m_key.as_u64;
787 kv.value = m - sm->static_mappings;
788 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
792 return VNET_API_ERROR_VALUE_EXIST;
795 if (twice_nat && addr_only)
796 return VNET_API_ERROR_UNSUPPORTED;
798 /* Convert VRF id to FIB index */
801 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
802 FIB_SOURCE_PLUGIN_LOW);
803 /* If not specified use inside VRF id from SNAT plugin startup config */
806 fib_index = sm->inside_fib_index;
807 vrf_id = sm->inside_vrf_id;
810 if (!(out2in_only || identity_nat))
813 m_key.port = addr_only ? 0 : l_port;
814 m_key.protocol = addr_only ? 0 : proto;
815 m_key.fib_index = fib_index;
816 kv.key = m_key.as_u64;
817 if (!clib_bihash_search_8_8
818 (&sm->static_mapping_by_local, &kv, &value))
819 return VNET_API_ERROR_VALUE_EXIST;
822 /* Find external address in allocated addresses and reserve port for
823 address and port pair mapping when dynamic translations enabled */
824 if (!(addr_only || sm->static_mapping_only || out2in_only))
826 for (i = 0; i < vec_len (sm->addresses); i++)
828 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
830 a = sm->addresses + i;
831 /* External port must be unused */
834 #define _(N, j, n, s) \
835 case SNAT_PROTOCOL_##N: \
836 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
837 return VNET_API_ERROR_INVALID_VALUE; \
838 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
841 a->busy_##n##_ports++; \
842 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
845 foreach_snat_protocol
848 nat_log_info ("unknown protocol");
849 return VNET_API_ERROR_INVALID_VALUE_2;
854 /* External address must be allocated */
855 if (!a && (l_addr.as_u32 != e_addr.as_u32))
857 if (sw_if_index != ~0)
859 for (i = 0; i < vec_len (sm->to_resolve); i++)
861 rp = sm->to_resolve + i;
864 if (rp->sw_if_index != sw_if_index &&
865 rp->l_addr.as_u32 != l_addr.as_u32 &&
866 rp->vrf_id != vrf_id && rp->l_port != l_port &&
867 rp->e_port != e_port && rp->proto != proto)
870 vec_del1 (sm->to_resolve, i);
874 return VNET_API_ERROR_NO_SUCH_ENTRY;
878 pool_get (sm->static_mappings, m);
879 clib_memset (m, 0, sizeof (*m));
880 m->tag = vec_dup (tag);
881 m->local_addr = l_addr;
882 m->external_addr = e_addr;
883 m->twice_nat = twice_nat;
885 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
887 m->flags |= NAT_STATIC_MAPPING_FLAG_ADDR_ONLY;
890 m->flags |= NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT;
891 pool_get (m->locals, local);
892 local->vrf_id = vrf_id;
893 local->fib_index = fib_index;
898 m->fib_index = fib_index;
902 m->local_port = l_port;
903 m->external_port = e_port;
907 if (sm->num_workers > 1)
910 .src_address = m->local_addr,
912 vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index));
913 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
916 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
918 m_key.addr = m->local_addr;
919 m_key.port = m->local_port;
920 m_key.protocol = m->proto;
921 m_key.fib_index = fib_index;
922 kv.key = m_key.as_u64;
923 kv.value = m - sm->static_mappings;
925 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
927 m_key.addr = m->external_addr;
928 m_key.port = m->external_port;
930 kv.key = m_key.as_u64;
931 kv.value = m - sm->static_mappings;
932 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1);
934 /* Delete dynamic sessions matching local address (+ local port) */
935 if (!(sm->static_mapping_only))
937 u_key.addr = m->local_addr;
938 u_key.fib_index = m->fib_index;
939 kv.key = u_key.as_u64;
940 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
942 user_index = value.value;
943 u = pool_elt_at_index (tsm->users, user_index);
946 head_index = u->sessions_per_user_list_head_index;
947 head = pool_elt_at_index (tsm->list_pool, head_index);
948 elt_index = head->next;
949 elt = pool_elt_at_index (tsm->list_pool, elt_index);
950 ses_index = elt->value;
951 while (ses_index != ~0)
953 s = pool_elt_at_index (tsm->sessions, ses_index);
954 elt = pool_elt_at_index (tsm->list_pool, elt->next);
955 ses_index = elt->value;
957 if (snat_is_session_static (s))
961 && (clib_net_to_host_u16 (s->in2out.port) !=
965 nat_free_session_data (sm, s,
966 tsm - sm->per_thread_data);
967 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
969 if (!addr_only && !sm->endpoint_dependent)
980 if (sw_if_index != ~0)
983 return VNET_API_ERROR_NO_SUCH_ENTRY;
989 vrf_id = sm->inside_vrf_id;
992 pool_foreach (local, m->locals,
994 if (local->vrf_id == vrf_id)
995 find = local - m->locals;
999 return VNET_API_ERROR_NO_SUCH_ENTRY;
1001 local = pool_elt_at_index (m->locals, find);
1002 fib_index = local->fib_index;
1003 pool_put (m->locals, local);
1006 fib_index = m->fib_index;
1008 /* Free external address port */
1009 if (!(addr_only || sm->static_mapping_only || out2in_only))
1011 for (i = 0; i < vec_len (sm->addresses); i++)
1013 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1015 a = sm->addresses + i;
1018 #define _(N, j, n, s) \
1019 case SNAT_PROTOCOL_##N: \
1020 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
1021 if (e_port > 1024) \
1023 a->busy_##n##_ports--; \
1024 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1027 foreach_snat_protocol
1030 nat_log_info ("unknown protocol");
1031 return VNET_API_ERROR_INVALID_VALUE_2;
1038 if (sm->num_workers > 1)
1039 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1041 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1043 m_key.addr = m->local_addr;
1044 m_key.port = m->local_port;
1045 m_key.protocol = m->proto;
1046 m_key.fib_index = fib_index;
1047 kv.key = m_key.as_u64;
1049 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0);
1051 /* Delete session(s) for static mapping if exist */
1052 if (!(sm->static_mapping_only) ||
1053 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
1055 u_key.addr = m->local_addr;
1056 u_key.fib_index = fib_index;
1057 kv.key = u_key.as_u64;
1058 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1060 user_index = value.value;
1061 u = pool_elt_at_index (tsm->users, user_index);
1062 if (u->nstaticsessions)
1064 head_index = u->sessions_per_user_list_head_index;
1065 head = pool_elt_at_index (tsm->list_pool, head_index);
1066 elt_index = head->next;
1067 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1068 ses_index = elt->value;
1069 while (ses_index != ~0)
1071 s = pool_elt_at_index (tsm->sessions, ses_index);
1072 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1073 ses_index = elt->value;
1077 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
1078 (clib_net_to_host_u16 (s->out2in.port) !=
1083 if (is_lb_session (s))
1086 if (!snat_is_session_static (s))
1089 nat_free_session_data (sm, s,
1090 tsm - sm->per_thread_data);
1091 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1093 if (!addr_only && !sm->endpoint_dependent)
1100 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_LOW);
1101 if (pool_elts (m->locals))
1104 m_key.addr = m->external_addr;
1105 m_key.port = m->external_port;
1106 m_key.fib_index = 0;
1107 kv.key = m_key.as_u64;
1108 clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0);
1111 vec_free (m->workers);
1112 /* Delete static mapping from pool */
1113 pool_put (sm->static_mappings, m);
1116 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
1119 /* Add/delete external address to FIB */
1121 pool_foreach (interface, sm->interfaces,
1123 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1126 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1129 pool_foreach (interface, sm->output_feature_interfaces,
1131 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1134 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
1143 nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1144 snat_protocol_t proto,
1145 nat44_lb_addr_port_t * locals, u8 is_add,
1146 twice_nat_type_t twice_nat, u8 out2in_only,
1147 u8 * tag, u32 affinity)
1149 snat_main_t *sm = &snat_main;
1150 snat_static_mapping_t *m;
1151 snat_session_key_t m_key;
1152 clib_bihash_kv_8_8_t kv, value;
1153 snat_address_t *a = 0;
1155 nat44_lb_addr_port_t *local;
1156 u32 elt_index, head_index, ses_index;
1157 snat_main_per_thread_data_t *tsm;
1158 snat_user_key_t u_key;
1161 dlist_elt_t *head, *elt;
1164 if (!sm->endpoint_dependent)
1165 return VNET_API_ERROR_FEATURE_DISABLED;
1167 m_key.addr = e_addr;
1168 m_key.port = e_port;
1169 m_key.protocol = proto;
1170 m_key.fib_index = 0;
1171 kv.key = m_key.as_u64;
1172 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1175 m = pool_elt_at_index (sm->static_mappings, value.value);
1180 return VNET_API_ERROR_VALUE_EXIST;
1182 if (vec_len (locals) < 2)
1183 return VNET_API_ERROR_INVALID_VALUE;
1185 /* Find external address in allocated addresses and reserve port for
1186 address and port pair mapping when dynamic translations enabled */
1187 if (!(sm->static_mapping_only || out2in_only))
1189 for (i = 0; i < vec_len (sm->addresses); i++)
1191 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1193 a = sm->addresses + i;
1194 /* External port must be unused */
1197 #define _(N, j, n, s) \
1198 case SNAT_PROTOCOL_##N: \
1199 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
1200 return VNET_API_ERROR_INVALID_VALUE; \
1201 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
1202 if (e_port > 1024) \
1204 a->busy_##n##_ports++; \
1205 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \
1208 foreach_snat_protocol
1211 nat_log_info ("unknown protocol");
1212 return VNET_API_ERROR_INVALID_VALUE_2;
1217 /* External address must be allocated */
1219 return VNET_API_ERROR_NO_SUCH_ENTRY;
1222 pool_get (sm->static_mappings, m);
1223 clib_memset (m, 0, sizeof (*m));
1224 m->tag = vec_dup (tag);
1225 m->external_addr = e_addr;
1226 m->external_port = e_port;
1228 m->twice_nat = twice_nat;
1229 m->flags |= NAT_STATIC_MAPPING_FLAG_LB;
1231 m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
1232 m->affinity = affinity;
1235 m->affinity_per_service_list_head_index =
1236 nat_affinity_get_per_service_list_head_index ();
1238 m->affinity_per_service_list_head_index = ~0;
1240 m_key.addr = m->external_addr;
1241 m_key.port = m->external_port;
1242 m_key.protocol = m->proto;
1243 m_key.fib_index = 0;
1244 kv.key = m_key.as_u64;
1245 kv.value = m - sm->static_mappings;
1246 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1))
1248 nat_log_err ("static_mapping_by_external key add failed");
1249 return VNET_API_ERROR_UNSPECIFIED;
1252 m_key.fib_index = m->fib_index;
1253 for (i = 0; i < vec_len (locals); i++)
1255 locals[i].fib_index =
1256 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1258 FIB_SOURCE_PLUGIN_LOW);
1259 m_key.addr = locals[i].addr;
1260 m_key.fib_index = locals[i].fib_index;
1263 m_key.port = locals[i].port;
1264 kv.key = m_key.as_u64;
1265 kv.value = m - sm->static_mappings;
1266 clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1);
1268 locals[i].prefix = (i == 0) ? locals[i].probability :
1269 (locals[i - 1].prefix + locals[i].probability);
1270 pool_get (m->locals, local);
1272 if (sm->num_workers > 1)
1275 .src_address = locals[i].addr,
1278 clib_bitmap_set (bitmap,
1279 sm->worker_in2out_cb (&ip, m->fib_index), 1);
1283 /* Assign workers */
1284 if (sm->num_workers > 1)
1287 clib_bitmap_foreach (i, bitmap,
1289 vec_add1(m->workers, i);
1297 return VNET_API_ERROR_NO_SUCH_ENTRY;
1299 if (!is_lb_static_mapping (m))
1300 return VNET_API_ERROR_INVALID_VALUE;
1302 /* Free external address port */
1303 if (!(sm->static_mapping_only || out2in_only))
1305 for (i = 0; i < vec_len (sm->addresses); i++)
1307 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1309 a = sm->addresses + i;
1312 #define _(N, j, n, s) \
1313 case SNAT_PROTOCOL_##N: \
1314 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
1315 if (e_port > 1024) \
1317 a->busy_##n##_ports--; \
1318 a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \
1321 foreach_snat_protocol
1324 nat_log_info ("unknown protocol");
1325 return VNET_API_ERROR_INVALID_VALUE_2;
1332 m_key.addr = m->external_addr;
1333 m_key.port = m->external_port;
1334 m_key.protocol = m->proto;
1335 m_key.fib_index = 0;
1336 kv.key = m_key.as_u64;
1337 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0))
1339 nat_log_err ("static_mapping_by_external key del failed");
1340 return VNET_API_ERROR_UNSPECIFIED;
1344 pool_foreach (local, m->locals,
1346 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4,
1347 FIB_SOURCE_PLUGIN_LOW);
1348 m_key.addr = local->addr;
1351 m_key.port = local->port;
1352 m_key.fib_index = local->fib_index;
1353 kv.key = m_key.as_u64;
1354 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
1356 nat_log_err ("static_mapping_by_local key del failed");
1357 return VNET_API_ERROR_UNSPECIFIED;
1361 if (sm->num_workers > 1)
1364 .src_address = local->addr,
1366 tsm = vec_elt_at_index (sm->per_thread_data,
1367 sm->worker_in2out_cb (&ip, m->fib_index));
1370 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1372 /* Delete sessions */
1373 u_key.addr = local->addr;
1374 u_key.fib_index = local->fib_index;
1375 kv.key = u_key.as_u64;
1376 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1378 u = pool_elt_at_index (tsm->users, value.value);
1379 if (u->nstaticsessions)
1381 head_index = u->sessions_per_user_list_head_index;
1382 head = pool_elt_at_index (tsm->list_pool, head_index);
1383 elt_index = head->next;
1384 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1385 ses_index = elt->value;
1386 while (ses_index != ~0)
1388 s = pool_elt_at_index (tsm->sessions, ses_index);
1389 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1390 ses_index = elt->value;
1392 if (!(is_lb_session (s)))
1395 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1396 (clib_net_to_host_u16 (s->in2out.port) != local->port))
1399 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
1400 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1407 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1408 pool_free (m->locals);
1410 vec_free (m->workers);
1412 pool_put (sm->static_mappings, m);
1419 nat44_lb_static_mapping_add_del_local (ip4_address_t e_addr, u16 e_port,
1420 ip4_address_t l_addr, u16 l_port,
1421 snat_protocol_t proto, u32 vrf_id,
1422 u8 probability, u8 is_add)
1424 snat_main_t *sm = &snat_main;
1425 snat_static_mapping_t *m = 0;
1426 snat_session_key_t m_key;
1427 clib_bihash_kv_8_8_t kv, value;
1428 nat44_lb_addr_port_t *local, *prev_local, *match_local = 0;
1429 snat_main_per_thread_data_t *tsm;
1430 snat_user_key_t u_key;
1433 dlist_elt_t *head, *elt;
1434 u32 elt_index, head_index, ses_index, *locals = 0;
1438 if (!sm->endpoint_dependent)
1439 return VNET_API_ERROR_FEATURE_DISABLED;
1441 m_key.addr = e_addr;
1442 m_key.port = e_port;
1443 m_key.protocol = proto;
1444 m_key.fib_index = 0;
1445 kv.key = m_key.as_u64;
1446 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1447 m = pool_elt_at_index (sm->static_mappings, value.value);
1450 return VNET_API_ERROR_NO_SUCH_ENTRY;
1452 if (!is_lb_static_mapping (m))
1453 return VNET_API_ERROR_INVALID_VALUE;
1456 pool_foreach (local, m->locals,
1458 if ((local->addr.as_u32 == l_addr.as_u32) && (local->port == l_port) &&
1459 (local->vrf_id == vrf_id))
1461 match_local = local;
1470 return VNET_API_ERROR_VALUE_EXIST;
1472 pool_get (m->locals, local);
1473 clib_memset (local, 0, sizeof (*local));
1474 local->addr.as_u32 = l_addr.as_u32;
1475 local->port = l_port;
1476 local->probability = probability;
1477 local->vrf_id = vrf_id;
1479 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1480 FIB_SOURCE_PLUGIN_LOW);
1482 if (!is_out2in_only_static_mapping (m))
1484 m_key.addr = l_addr;
1485 m_key.port = l_port;
1486 m_key.fib_index = local->fib_index;
1487 kv.key = m_key.as_u64;
1488 kv.value = m - sm->static_mappings;
1489 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1))
1490 nat_log_err ("static_mapping_by_local key add failed");
1496 return VNET_API_ERROR_NO_SUCH_ENTRY;
1498 if (pool_elts (m->locals) < 3)
1499 return VNET_API_ERROR_UNSPECIFIED;
1501 fib_table_unlock (match_local->fib_index, FIB_PROTOCOL_IP4,
1502 FIB_SOURCE_PLUGIN_LOW);
1504 if (!is_out2in_only_static_mapping (m))
1506 m_key.addr = l_addr;
1507 m_key.port = l_port;
1508 m_key.fib_index = match_local->fib_index;
1509 kv.key = m_key.as_u64;
1510 if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0))
1511 nat_log_err ("static_mapping_by_local key del failed");
1514 if (sm->num_workers > 1)
1517 .src_address = local->addr,
1519 tsm = vec_elt_at_index (sm->per_thread_data,
1520 sm->worker_in2out_cb (&ip, m->fib_index));
1523 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1525 /* Delete sessions */
1526 u_key.addr = match_local->addr;
1527 u_key.fib_index = match_local->fib_index;
1528 kv.key = u_key.as_u64;
1529 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1531 u = pool_elt_at_index (tsm->users, value.value);
1532 if (u->nstaticsessions)
1534 head_index = u->sessions_per_user_list_head_index;
1535 head = pool_elt_at_index (tsm->list_pool, head_index);
1536 elt_index = head->next;
1537 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1538 ses_index = elt->value;
1539 while (ses_index != ~0)
1541 s = pool_elt_at_index (tsm->sessions, ses_index);
1542 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1543 ses_index = elt->value;
1545 if (!(is_lb_session (s)))
1548 if ((s->in2out.addr.as_u32 != match_local->addr.as_u32) ||
1549 (clib_net_to_host_u16 (s->in2out.port) !=
1553 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
1554 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
1559 pool_put (m->locals, match_local);
1562 vec_free (m->workers);
1565 pool_foreach (local, m->locals,
1567 vec_add1 (locals, local - m->locals);
1568 if (sm->num_workers > 1)
1571 ip.src_address.as_u32 = local->addr.as_u32,
1572 bitmap = clib_bitmap_set (bitmap,
1573 sm->worker_in2out_cb (&ip, local->fib_index),
1579 ASSERT (vec_len (locals) > 1);
1581 local = pool_elt_at_index (m->locals, locals[0]);
1582 local->prefix = local->probability;
1583 for (i = 1; i < vec_len (locals); i++)
1585 local = pool_elt_at_index (m->locals, locals[i]);
1586 prev_local = pool_elt_at_index (m->locals, locals[i - 1]);
1587 local->prefix = local->probability + prev_local->prefix;
1590 /* Assign workers */
1591 if (sm->num_workers > 1)
1594 clib_bitmap_foreach (i, bitmap, ({ vec_add1(m->workers, i); }));
1602 snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
1605 snat_address_t *a = 0;
1606 snat_session_t *ses;
1607 u32 *ses_to_be_removed = 0, *ses_index;
1608 snat_main_per_thread_data_t *tsm;
1609 snat_static_mapping_t *m;
1610 snat_interface_t *interface;
1612 snat_address_t *addresses =
1613 twice_nat ? sm->twice_nat_addresses : sm->addresses;
1615 /* Find SNAT address */
1616 for (i = 0; i < vec_len (addresses); i++)
1618 if (addresses[i].addr.as_u32 == addr.as_u32)
1625 return VNET_API_ERROR_NO_SUCH_ENTRY;
1630 pool_foreach (m, sm->static_mappings,
1632 if (m->external_addr.as_u32 == addr.as_u32)
1633 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1634 m->local_port, m->external_port,
1635 m->vrf_id, is_addr_only_static_mapping(m), ~0,
1636 m->proto, 0, m->twice_nat,
1637 is_out2in_only_static_mapping(m), m->tag, is_identity_static_mapping(m));
1643 /* Check if address is used in some static mapping */
1644 if (is_snat_address_used_in_static_mapping (sm, addr))
1646 nat_log_notice ("address used in static mapping");
1647 return VNET_API_ERROR_UNSPECIFIED;
1651 if (a->fib_index != ~0)
1652 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_LOW);
1654 /* Delete sessions using address */
1655 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1658 vec_foreach (tsm, sm->per_thread_data)
1660 pool_foreach (ses, tsm->sessions, ({
1661 if (ses->out2in.addr.as_u32 == addr.as_u32)
1663 nat_free_session_data (sm, ses, tsm - sm->per_thread_data);
1664 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1668 vec_foreach (ses_index, ses_to_be_removed)
1670 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
1671 nat44_delete_session (sm, ses, tsm - sm->per_thread_data);
1674 vec_free (ses_to_be_removed);
1679 #define _(N, i, n, s) \
1680 clib_bitmap_free (a->busy_##n##_port_bitmap); \
1681 vec_free (a->busy_##n##_ports_per_thread);
1682 foreach_snat_protocol
1686 vec_del1 (sm->twice_nat_addresses, i);
1690 vec_del1 (sm->addresses, i);
1692 /* Delete external address from FIB */
1694 pool_foreach (interface, sm->interfaces,
1696 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1699 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1702 pool_foreach (interface, sm->output_feature_interfaces,
1704 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1707 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1716 snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
1718 snat_main_t *sm = &snat_main;
1719 snat_interface_t *i;
1720 const char *feature_name, *del_feature_name;
1722 snat_static_mapping_t *m;
1724 nat_outside_fib_t *outside_fib;
1725 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1728 if (sm->out2in_dpo && !is_inside)
1729 return VNET_API_ERROR_UNSUPPORTED;
1732 pool_foreach (i, sm->output_feature_interfaces,
1734 if (i->sw_if_index == sw_if_index)
1735 return VNET_API_ERROR_VALUE_EXIST;
1739 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1740 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
1743 if (sm->num_workers > 1 && !sm->deterministic)
1745 is_inside ? "nat44-in2out-worker-handoff" :
1746 "nat44-out2in-worker-handoff";
1747 else if (sm->deterministic)
1748 feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in";
1749 else if (sm->endpoint_dependent)
1750 feature_name = is_inside ? "nat44-ed-in2out" : "nat44-ed-out2in";
1752 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
1755 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1756 sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index,
1759 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1760 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index,
1766 vec_foreach (outside_fib, sm->outside_fibs)
1768 if (outside_fib->fib_index == fib_index)
1772 outside_fib->refcount--;
1773 if (!outside_fib->refcount)
1774 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1777 outside_fib->refcount++;
1784 vec_add2 (sm->outside_fibs, outside_fib, 1);
1785 outside_fib->refcount = 1;
1786 outside_fib->fib_index = fib_index;
1791 pool_foreach (i, sm->interfaces,
1793 if (i->sw_if_index == sw_if_index)
1797 if (nat_interface_is_inside(i) && nat_interface_is_outside(i))
1800 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1802 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1804 if (sm->num_workers > 1 && !sm->deterministic)
1806 del_feature_name = "nat44-handoff-classify";
1807 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1808 "nat44-out2in-worker-handoff";
1810 else if (sm->deterministic)
1812 del_feature_name = "nat44-det-classify";
1813 feature_name = !is_inside ? "nat44-det-in2out" :
1816 else if (sm->endpoint_dependent)
1818 del_feature_name = "nat44-ed-classify";
1819 feature_name = !is_inside ? "nat44-ed-in2out" :
1824 del_feature_name = "nat44-classify";
1825 feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1828 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1829 sw_if_index, 0, 0, 0);
1830 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1831 sw_if_index, 1, 0, 0);
1834 if (sm->endpoint_dependent)
1835 vnet_feature_enable_disable ("ip4-local",
1836 "nat44-ed-hairpinning",
1837 sw_if_index, 1, 0, 0);
1838 else if (!sm->deterministic)
1839 vnet_feature_enable_disable ("ip4-local",
1840 "nat44-hairpinning",
1841 sw_if_index, 1, 0, 0);
1846 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1847 sw_if_index, 0, 0, 0);
1848 pool_put (sm->interfaces, i);
1851 if (sm->endpoint_dependent)
1852 vnet_feature_enable_disable ("ip4-local",
1853 "nat44-ed-hairpinning",
1854 sw_if_index, 0, 0, 0);
1855 else if (!sm->deterministic)
1856 vnet_feature_enable_disable ("ip4-local",
1857 "nat44-hairpinning",
1858 sw_if_index, 0, 0, 0);
1864 if ((nat_interface_is_inside(i) && is_inside) ||
1865 (nat_interface_is_outside(i) && !is_inside))
1868 if (sm->num_workers > 1 && !sm->deterministic)
1870 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1871 "nat44-out2in-worker-handoff";
1872 feature_name = "nat44-handoff-classify";
1874 else if (sm->deterministic)
1876 del_feature_name = !is_inside ? "nat44-det-in2out" :
1878 feature_name = "nat44-det-classify";
1880 else if (sm->endpoint_dependent)
1882 del_feature_name = !is_inside ? "nat44-ed-in2out" :
1884 feature_name = "nat44-ed-classify";
1888 del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1889 feature_name = "nat44-classify";
1892 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1893 sw_if_index, 0, 0, 0);
1894 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1895 sw_if_index, 1, 0, 0);
1898 if (sm->endpoint_dependent)
1899 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
1900 sw_if_index, 0, 0, 0);
1901 else if (!sm->deterministic)
1902 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
1903 sw_if_index, 0, 0, 0);
1914 return VNET_API_ERROR_NO_SUCH_ENTRY;
1916 pool_get (sm->interfaces, i);
1917 i->sw_if_index = sw_if_index;
1919 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0,
1922 if (is_inside && !sm->out2in_dpo)
1924 if (sm->endpoint_dependent)
1925 vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning",
1926 sw_if_index, 1, 0, 0);
1927 else if (!sm->deterministic)
1928 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
1929 sw_if_index, 1, 0, 0);
1935 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1939 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1941 /* Add/delete external addresses to FIB */
1944 vec_foreach (ap, sm->addresses)
1945 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1947 pool_foreach (m, sm->static_mappings,
1949 if (!(is_addr_only_static_mapping(m)) || (m->local_addr.as_u32 == m->external_addr.as_u32))
1952 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1955 pool_foreach (dm, sm->det_maps,
1957 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
1965 snat_interface_add_del_output_feature (u32 sw_if_index,
1966 u8 is_inside, int is_del)
1968 snat_main_t *sm = &snat_main;
1969 snat_interface_t *i;
1971 snat_static_mapping_t *m;
1972 nat_outside_fib_t *outside_fib;
1973 u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1977 if (sm->deterministic ||
1978 (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)))
1979 return VNET_API_ERROR_UNSUPPORTED;
1982 pool_foreach (i, sm->interfaces,
1984 if (i->sw_if_index == sw_if_index)
1985 return VNET_API_ERROR_VALUE_EXIST;
1992 vec_foreach (outside_fib, sm->outside_fibs)
1994 if (outside_fib->fib_index == fib_index)
1998 outside_fib->refcount--;
1999 if (!outside_fib->refcount)
2000 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2003 outside_fib->refcount++;
2010 vec_add2 (sm->outside_fibs, outside_fib, 1);
2011 outside_fib->refcount = 1;
2012 outside_fib->fib_index = fib_index;
2019 if (sm->endpoint_dependent)
2021 vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst",
2022 sw_if_index, !is_del, 0, 0);
2023 vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src",
2024 sw_if_index, !is_del, 0, 0);
2028 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
2029 sw_if_index, !is_del, 0, 0);
2030 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
2031 sw_if_index, !is_del, 0, 0);
2036 if (sm->num_workers > 1)
2038 vnet_feature_enable_disable ("ip4-unicast",
2039 "nat44-out2in-worker-handoff",
2040 sw_if_index, !is_del, 0, 0);
2041 vnet_feature_enable_disable ("ip4-output",
2042 "nat44-in2out-output-worker-handoff",
2043 sw_if_index, !is_del, 0, 0);
2047 if (sm->endpoint_dependent)
2049 vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-out2in",
2050 sw_if_index, !is_del, 0, 0);
2051 vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output",
2052 sw_if_index, !is_del, 0, 0);
2056 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in",
2057 sw_if_index, !is_del, 0, 0);
2058 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
2059 sw_if_index, !is_del, 0, 0);
2064 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
2065 sm->fq_in2out_output_index =
2066 vlib_frame_queue_main_init (sm->in2out_output_node_index, 0);
2068 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
2069 sm->fq_out2in_index =
2070 vlib_frame_queue_main_init (sm->out2in_node_index, 0);
2073 pool_foreach (i, sm->output_feature_interfaces,
2075 if (i->sw_if_index == sw_if_index)
2078 pool_put (sm->output_feature_interfaces, i);
2080 return VNET_API_ERROR_VALUE_EXIST;
2088 return VNET_API_ERROR_NO_SUCH_ENTRY;
2090 pool_get (sm->output_feature_interfaces, i);
2091 i->sw_if_index = sw_if_index;
2094 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
2096 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
2098 /* Add/delete external addresses to FIB */
2104 vec_foreach (ap, sm->addresses)
2105 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
2107 pool_foreach (m, sm->static_mappings,
2109 if (!((is_addr_only_static_mapping(m))) || (m->local_addr.as_u32 == m->external_addr.as_u32))
2112 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
2120 snat_set_workers (uword * bitmap)
2122 snat_main_t *sm = &snat_main;
2125 if (sm->num_workers < 2)
2126 return VNET_API_ERROR_FEATURE_DISABLED;
2128 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
2129 return VNET_API_ERROR_INVALID_WORKER;
2131 vec_free (sm->workers);
2133 clib_bitmap_foreach (i, bitmap,
2135 vec_add1(sm->workers, i);
2136 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
2141 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
2142 sm->num_snat_thread = _vec_len (sm->workers);
2148 snat_update_outside_fib (u32 sw_if_index, u32 new_fib_index,
2151 snat_main_t *sm = &snat_main;
2152 nat_outside_fib_t *outside_fib;
2153 snat_interface_t *i;
2156 if (new_fib_index == old_fib_index)
2159 if (!vec_len (sm->outside_fibs))
2162 pool_foreach (i, sm->interfaces, (
2164 if (i->sw_if_index == sw_if_index)
2166 if (!(nat_interface_is_outside (i)))
2170 vec_foreach (outside_fib, sm->outside_fibs)
2172 if (outside_fib->fib_index == old_fib_index)
2174 outside_fib->refcount--;
2175 if (!outside_fib->refcount)
2176 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2181 vec_foreach (outside_fib, sm->outside_fibs)
2183 if (outside_fib->fib_index == new_fib_index)
2185 outside_fib->refcount++;
2193 vec_add2 (sm->outside_fibs, outside_fib, 1);
2194 outside_fib->refcount = 1;
2195 outside_fib->fib_index = new_fib_index;
2200 snat_ip4_table_bind (ip4_main_t * im,
2202 u32 sw_if_index, u32 new_fib_index, u32 old_fib_index)
2204 snat_update_outside_fib (sw_if_index, new_fib_index, old_fib_index);
2208 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
2211 ip4_address_t * address,
2213 u32 if_address_index, u32 is_delete);
2216 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
2219 ip4_address_t * address,
2221 u32 if_address_index, u32 is_delete);
2224 nat_alloc_addr_and_port_default (snat_address_t * addresses,
2227 snat_session_key_t * k,
2228 u16 port_per_thread, u32 snat_thread_index);
2230 static clib_error_t *
2231 snat_init (vlib_main_t * vm)
2233 snat_main_t *sm = &snat_main;
2234 clib_error_t *error = 0;
2235 ip4_main_t *im = &ip4_main;
2236 ip_lookup_main_t *lm = &im->lookup_main;
2238 vlib_thread_registration_t *tr;
2239 vlib_thread_main_t *tm = vlib_get_thread_main ();
2242 ip4_add_del_interface_address_callback_t cb4;
2246 sm->vnet_main = vnet_get_main ();
2248 sm->ip4_lookup_main = lm;
2249 sm->api_main = &api_main;
2250 sm->first_worker_index = 0;
2251 sm->num_workers = 0;
2252 sm->num_snat_thread = 1;
2254 sm->port_per_thread = 0xffff - 1024;
2255 sm->fq_in2out_index = ~0;
2256 sm->fq_out2in_index = ~0;
2257 sm->udp_timeout = SNAT_UDP_TIMEOUT;
2258 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
2259 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
2260 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
2261 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
2262 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
2263 sm->forwarding_enabled = 0;
2264 sm->log_class = vlib_log_register_class ("nat", 0);
2265 sm->mss_clamping = 0;
2267 node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
2268 sm->error_node_index = node->index;
2270 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out");
2271 sm->in2out_node_index = node->index;
2272 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output");
2273 sm->in2out_output_node_index = node->index;
2274 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-fast");
2275 sm->in2out_fast_node_index = node->index;
2276 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-slowpath");
2277 sm->in2out_slowpath_node_index = node->index;
2278 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output-slowpath");
2279 sm->in2out_slowpath_output_node_index = node->index;
2280 node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-reass");
2281 sm->in2out_reass_node_index = node->index;
2283 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
2284 sm->ed_in2out_node_index = node->index;
2285 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-slowpath");
2286 sm->ed_in2out_slowpath_node_index = node->index;
2287 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-reass");
2288 sm->ed_in2out_reass_node_index = node->index;
2290 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in");
2291 sm->out2in_node_index = node->index;
2292 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in-fast");
2293 sm->out2in_fast_node_index = node->index;
2294 node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in-reass");
2295 sm->out2in_reass_node_index = node->index;
2297 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
2298 sm->ed_out2in_node_index = node->index;
2299 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in-slowpath");
2300 sm->ed_out2in_slowpath_node_index = node->index;
2301 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in-reass");
2302 sm->ed_out2in_reass_node_index = node->index;
2304 node = vlib_get_node_by_name (vm, (u8 *) "nat44-det-in2out");
2305 sm->det_in2out_node_index = node->index;
2306 node = vlib_get_node_by_name (vm, (u8 *) "nat44-det-out2in");
2307 sm->det_out2in_node_index = node->index;
2309 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpinning");
2310 sm->hairpinning_node_index = node->index;
2311 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-dst");
2312 sm->hairpin_dst_node_index = node->index;
2313 node = vlib_get_node_by_name (vm, (u8 *) "nat44-hairpin-src");
2314 sm->hairpin_src_node_index = node->index;
2315 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpinning");
2316 sm->ed_hairpinning_node_index = node->index;
2317 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-dst");
2318 sm->ed_hairpin_dst_node_index = node->index;
2319 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-hairpin-src");
2320 sm->ed_hairpin_src_node_index = node->index;
2322 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
2325 tr = (vlib_thread_registration_t *) p[0];
2328 sm->num_workers = tr->count;
2329 sm->first_worker_index = tr->first_index;
2333 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
2335 /* Use all available workers by default */
2336 if (sm->num_workers > 1)
2338 for (i = 0; i < sm->num_workers; i++)
2339 bitmap = clib_bitmap_set (bitmap, i, 1);
2340 snat_set_workers (bitmap);
2341 clib_bitmap_free (bitmap);
2345 sm->per_thread_data[0].snat_thread_index = 0;
2348 error = snat_api_init (vm, sm);
2352 /* Set up the interface address add/del callback */
2353 cb4.function = snat_ip4_add_del_interface_address_cb;
2354 cb4.function_opaque = 0;
2356 vec_add1 (im->add_del_interface_address_callbacks, cb4);
2358 cb4.function = nat_ip4_add_del_addr_only_sm_cb;
2359 cb4.function_opaque = 0;
2361 vec_add1 (im->add_del_interface_address_callbacks, cb4);
2363 nat_dpo_module_init ();
2366 sm->total_users.name = "total-users";
2367 sm->total_users.stat_segment_name = "/nat44/total-users";
2368 vlib_validate_simple_counter (&sm->total_users, 0);
2369 vlib_zero_simple_counter (&sm->total_users, 0);
2370 sm->total_sessions.name = "total-sessions";
2371 sm->total_sessions.stat_segment_name = "/nat44/total-sessions";
2372 vlib_validate_simple_counter (&sm->total_sessions, 0);
2373 vlib_zero_simple_counter (&sm->total_sessions, 0);
2375 /* Init IPFIX logging */
2376 snat_ipfix_logging_init (vm);
2379 error = nat64_init (vm);
2387 ip4_table_bind_callback_t cbt4 = {
2388 .function = snat_ip4_table_bind,
2390 vec_add1 (ip4_main.table_bind_callbacks, cbt4);
2392 /* Init virtual fragmenentation reassembly */
2393 return nat_reass_init (vm);
2396 VLIB_INIT_FUNCTION (snat_init);
2399 snat_free_outside_address_and_port (snat_address_t * addresses,
2400 u32 thread_index, snat_session_key_t * k)
2404 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
2406 for (address_index = 0; address_index < vec_len (addresses);
2409 if (addresses[address_index].addr.as_u32 == k->addr.as_u32)
2413 ASSERT (address_index < vec_len (addresses));
2415 a = addresses + address_index;
2417 switch (k->protocol)
2419 #define _(N, i, n, s) \
2420 case SNAT_PROTOCOL_##N: \
2421 ASSERT (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
2422 port_host_byte_order) == 1); \
2423 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
2424 port_host_byte_order, 0); \
2425 a->busy_##n##_ports--; \
2426 a->busy_##n##_ports_per_thread[thread_index]--; \
2428 foreach_snat_protocol
2431 nat_log_info ("unknown protocol");
2437 snat_static_mapping_match (snat_main_t * sm,
2438 snat_session_key_t match,
2439 snat_session_key_t * mapping,
2442 twice_nat_type_t * twice_nat,
2443 lb_nat_type_t * lb, ip4_address_t * ext_host_addr,
2444 u8 * is_identity_nat)
2446 clib_bihash_kv_8_8_t kv, value;
2447 snat_static_mapping_t *m;
2448 snat_session_key_t m_key;
2449 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
2450 u32 rand, lo = 0, hi, mid, *tmp = 0, i;
2452 nat44_lb_addr_port_t *local;
2454 m_key.fib_index = match.fib_index;
2457 mapping_hash = &sm->static_mapping_by_external;
2458 m_key.fib_index = 0;
2461 m_key.addr = match.addr;
2462 m_key.port = clib_net_to_host_u16 (match.port);
2463 m_key.protocol = match.protocol;
2465 kv.key = m_key.as_u64;
2467 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2469 /* Try address only mapping */
2472 kv.key = m_key.as_u64;
2473 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
2477 m = pool_elt_at_index (sm->static_mappings, value.value);
2481 if (is_lb_static_mapping (m))
2483 if (PREDICT_FALSE (lb != 0))
2484 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
2487 if (nat_affinity_find_and_lock (ext_host_addr[0], match.addr,
2488 match.protocol, match.port,
2492 local = pool_elt_at_index (m->locals, backend_index);
2493 mapping->addr = local->addr;
2494 mapping->port = clib_host_to_net_u16 (local->port);
2495 mapping->fib_index = local->fib_index;
2500 pool_foreach_index (i, m->locals,
2505 hi = vec_len (tmp) - 1;
2506 local = pool_elt_at_index (m->locals, tmp[hi]);
2507 rand = 1 + (random_u32 (&sm->random_seed) % local->prefix);
2510 mid = ((hi - lo) >> 1) + lo;
2511 local = pool_elt_at_index (m->locals, tmp[mid]);
2512 (rand > local->prefix) ? (lo = mid + 1) : (hi = mid);
2514 local = pool_elt_at_index (m->locals, tmp[lo]);
2515 if (!(local->prefix >= rand))
2517 if (PREDICT_FALSE (sm->num_workers > 1))
2520 .src_address = local->addr,
2522 if (sm->worker_in2out_cb (&ip, m->fib_index) !=
2523 vlib_get_thread_index ())
2526 mapping->addr = local->addr;
2527 mapping->port = clib_host_to_net_u16 (local->port);
2528 mapping->fib_index = local->fib_index;
2531 if (nat_affinity_create_and_lock (ext_host_addr[0], match.addr,
2532 match.protocol, match.port,
2533 tmp[lo], m->affinity,
2534 m->affinity_per_service_list_head_index))
2535 nat_log_info ("create affinity record failed");
2541 if (PREDICT_FALSE (lb != 0))
2543 mapping->fib_index = m->fib_index;
2544 mapping->addr = m->local_addr;
2545 /* Address only mapping doesn't change port */
2546 mapping->port = is_addr_only_static_mapping (m) ? match.port
2547 : clib_host_to_net_u16 (m->local_port);
2549 mapping->protocol = m->proto;
2553 mapping->addr = m->external_addr;
2554 /* Address only mapping doesn't change port */
2555 mapping->port = is_addr_only_static_mapping (m) ? match.port
2556 : clib_host_to_net_u16 (m->external_port);
2557 mapping->fib_index = sm->outside_fib_index;
2561 if (PREDICT_FALSE (is_addr_only != 0))
2562 *is_addr_only = is_addr_only_static_mapping (m);
2564 if (PREDICT_FALSE (twice_nat != 0))
2565 *twice_nat = m->twice_nat;
2567 if (PREDICT_FALSE (is_identity_nat != 0))
2568 *is_identity_nat = is_identity_static_mapping (m);
2573 static_always_inline u16
2574 snat_random_port (u16 min, u16 max)
2576 snat_main_t *sm = &snat_main;
2577 return min + random_u32 (&sm->random_seed) /
2578 (random_u32_max () / (max - min + 1) + 1);
2582 snat_alloc_outside_address_and_port (snat_address_t * addresses,
2585 snat_session_key_t * k,
2586 u16 port_per_thread,
2587 u32 snat_thread_index)
2589 snat_main_t *sm = &snat_main;
2591 return sm->alloc_addr_and_port (addresses, fib_index, thread_index, k,
2592 port_per_thread, snat_thread_index);
2596 nat_alloc_addr_and_port_default (snat_address_t * addresses,
2599 snat_session_key_t * k,
2600 u16 port_per_thread, u32 snat_thread_index)
2603 snat_address_t *a, *ga = 0;
2606 for (i = 0; i < vec_len (addresses); i++)
2609 switch (k->protocol)
2611 #define _(N, j, n, s) \
2612 case SNAT_PROTOCOL_##N: \
2613 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
2615 if (a->fib_index == fib_index) \
2619 portnum = (port_per_thread * \
2620 snat_thread_index) + \
2621 snat_random_port(1, port_per_thread) + 1024; \
2622 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2624 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2625 a->busy_##n##_ports_per_thread[thread_index]++; \
2626 a->busy_##n##_ports++; \
2627 k->addr = a->addr; \
2628 k->port = clib_host_to_net_u16(portnum); \
2632 else if (a->fib_index == ~0) \
2638 foreach_snat_protocol
2641 nat_log_info ("unknown protocol");
2650 switch (k->protocol)
2652 #define _(N, j, n, s) \
2653 case SNAT_PROTOCOL_##N: \
2656 portnum = (port_per_thread * \
2657 snat_thread_index) + \
2658 snat_random_port(1, port_per_thread) + 1024; \
2659 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2661 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2662 a->busy_##n##_ports_per_thread[thread_index]++; \
2663 a->busy_##n##_ports++; \
2664 k->addr = a->addr; \
2665 k->port = clib_host_to_net_u16(portnum); \
2669 foreach_snat_protocol
2672 nat_log_info ("unknown protocol");
2677 /* Totally out of translations to use... */
2678 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
2683 nat_alloc_addr_and_port_mape (snat_address_t * addresses,
2686 snat_session_key_t * k,
2687 u16 port_per_thread, u32 snat_thread_index)
2689 snat_main_t *sm = &snat_main;
2690 snat_address_t *a = addresses;
2691 u16 m, ports, portnum, A, j;
2692 m = 16 - (sm->psid_offset + sm->psid_length);
2693 ports = (1 << (16 - sm->psid_length)) - (1 << m);
2695 if (!vec_len (addresses))
2698 switch (k->protocol)
2700 #define _(N, i, n, s) \
2701 case SNAT_PROTOCOL_##N: \
2702 if (a->busy_##n##_ports < ports) \
2706 A = snat_random_port(1, pow2_mask(sm->psid_offset)); \
2707 j = snat_random_port(0, pow2_mask(m)); \
2708 portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \
2709 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2711 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2712 a->busy_##n##_ports++; \
2713 k->addr = a->addr; \
2714 k->port = clib_host_to_net_u16 (portnum); \
2719 foreach_snat_protocol
2722 nat_log_info ("unknown protocol");
2727 /* Totally out of translations to use... */
2728 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
2733 nat_alloc_addr_and_port_range (snat_address_t * addresses,
2736 snat_session_key_t * k,
2737 u16 port_per_thread, u32 snat_thread_index)
2739 snat_main_t *sm = &snat_main;
2740 snat_address_t *a = addresses;
2743 ports = sm->end_port - sm->start_port + 1;
2745 if (!vec_len (addresses))
2748 switch (k->protocol)
2750 #define _(N, i, n, s) \
2751 case SNAT_PROTOCOL_##N: \
2752 if (a->busy_##n##_ports < ports) \
2756 portnum = snat_random_port(sm->start_port, sm->end_port); \
2757 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
2759 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
2760 a->busy_##n##_ports++; \
2761 k->addr = a->addr; \
2762 k->port = clib_host_to_net_u16 (portnum); \
2767 foreach_snat_protocol
2770 nat_log_info ("unknown protocol");
2775 /* Totally out of translations to use... */
2776 snat_ipfix_logging_addresses_exhausted (thread_index, 0);
2781 nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add)
2783 dpo_id_t dpo_v4 = DPO_INVALID;
2784 fib_prefix_t pfx = {
2785 .fp_proto = FIB_PROTOCOL_IP4,
2787 .fp_addr.ip4.as_u32 = addr.as_u32,
2792 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
2793 fib_table_entry_special_dpo_add (0, &pfx, FIB_SOURCE_PLUGIN_HI,
2794 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
2795 dpo_reset (&dpo_v4);
2799 fib_table_entry_special_remove (0, &pfx, FIB_SOURCE_PLUGIN_HI);
2804 format_session_kvp (u8 * s, va_list * args)
2806 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2807 snat_session_key_t k;
2811 s = format (s, "%U session-index %llu", format_snat_key, &k, v->value);
2817 format_static_mapping_kvp (u8 * s, va_list * args)
2819 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2820 snat_session_key_t k;
2824 s = format (s, "%U static-mapping-index %llu",
2825 format_static_mapping_key, &k, v->value);
2831 format_user_kvp (u8 * s, va_list * args)
2833 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2838 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
2839 k.fib_index, v->value);
2845 format_ed_session_kvp (u8 * s, va_list * args)
2847 clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *);
2850 k.as_u64[0] = v->key[0];
2851 k.as_u64[1] = v->key[1];
2854 format (s, "local %U:%d remote %U:%d proto %U fib %d session-index %llu",
2855 format_ip4_address, &k.l_addr, clib_net_to_host_u16 (k.l_port),
2856 format_ip4_address, &k.r_addr, clib_net_to_host_u16 (k.r_port),
2857 format_ip_protocol, k.proto, k.fib_index, v->value);
2863 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2865 snat_main_t *sm = &snat_main;
2866 u32 next_worker_index = 0;
2869 next_worker_index = sm->first_worker_index;
2870 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
2871 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
2873 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
2874 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
2876 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
2878 return next_worker_index;
2882 snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2884 snat_main_t *sm = &snat_main;
2887 snat_session_key_t m_key;
2888 clib_bihash_kv_8_8_t kv, value;
2889 snat_static_mapping_t *m;
2891 u32 next_worker_index = 0;
2893 /* first try static mappings without port */
2894 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2896 m_key.addr = ip0->dst_address;
2899 m_key.fib_index = rx_fib_index0;
2900 kv.key = m_key.as_u64;
2901 if (!clib_bihash_search_8_8
2902 (&sm->static_mapping_by_external, &kv, &value))
2904 m = pool_elt_at_index (sm->static_mappings, value.value);
2905 return m->workers[0];
2909 proto = ip_proto_to_snat_proto (ip0->protocol);
2910 udp = ip4_next_header (ip0);
2911 port = udp->dst_port;
2913 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
2915 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
2916 return vlib_get_thread_index ();
2918 nat_reass_ip4_t *reass;
2919 reass = nat_ip4_reass_find (ip0->src_address, ip0->dst_address,
2920 ip0->fragment_id, ip0->protocol);
2922 if (reass && (reass->thread_index != (u32) ~ 0))
2923 return reass->thread_index;
2925 if (ip4_is_first_fragment (ip0))
2928 nat_ip4_reass_create (ip0->src_address, ip0->dst_address,
2929 ip0->fragment_id, ip0->protocol);
2933 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2935 m_key.addr = ip0->dst_address;
2936 m_key.port = clib_net_to_host_u16 (port);
2937 m_key.protocol = proto;
2938 m_key.fib_index = rx_fib_index0;
2939 kv.key = m_key.as_u64;
2940 if (!clib_bihash_search_8_8
2941 (&sm->static_mapping_by_external, &kv, &value))
2943 m = pool_elt_at_index (sm->static_mappings, value.value);
2944 reass->thread_index = m->workers[0];
2945 return reass->thread_index;
2948 reass->thread_index = sm->first_worker_index;
2949 reass->thread_index +=
2950 sm->workers[(clib_net_to_host_u16 (port) - 1024) /
2951 sm->port_per_thread];
2952 return reass->thread_index;
2955 return vlib_get_thread_index ();
2959 /* unknown protocol */
2960 if (PREDICT_FALSE (proto == ~0))
2962 /* use current thread */
2963 return vlib_get_thread_index ();
2966 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
2968 icmp46_header_t *icmp = (icmp46_header_t *) udp;
2969 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
2970 if (!icmp_is_error_message (icmp))
2971 port = echo->identifier;
2974 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
2975 proto = ip_proto_to_snat_proto (inner_ip->protocol);
2976 void *l4_header = ip4_next_header (inner_ip);
2979 case SNAT_PROTOCOL_ICMP:
2980 icmp = (icmp46_header_t *) l4_header;
2981 echo = (icmp_echo_header_t *) (icmp + 1);
2982 port = echo->identifier;
2984 case SNAT_PROTOCOL_UDP:
2985 case SNAT_PROTOCOL_TCP:
2986 port = ((tcp_udp_header_t *) l4_header)->src_port;
2989 return vlib_get_thread_index ();
2994 /* try static mappings with port */
2995 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2997 m_key.addr = ip0->dst_address;
2998 m_key.port = clib_net_to_host_u16 (port);
2999 m_key.protocol = proto;
3000 m_key.fib_index = rx_fib_index0;
3001 kv.key = m_key.as_u64;
3002 if (!clib_bihash_search_8_8
3003 (&sm->static_mapping_by_external, &kv, &value))
3005 m = pool_elt_at_index (sm->static_mappings, value.value);
3006 return m->workers[0];
3010 /* worker by outside port */
3011 next_worker_index = sm->first_worker_index;
3012 next_worker_index +=
3013 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3014 return next_worker_index;
3018 nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index)
3020 snat_main_t *sm = &snat_main;
3021 clib_bihash_kv_8_8_t kv, value;
3022 u32 proto, next_worker_index = 0;
3025 snat_static_mapping_t *m;
3028 /* first try static mappings without port */
3029 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3031 make_sm_kv (&kv, &ip->dst_address, 0, rx_fib_index, 0);
3032 if (!clib_bihash_search_8_8
3033 (&sm->static_mapping_by_external, &kv, &value))
3035 m = pool_elt_at_index (sm->static_mappings, value.value);
3036 return m->workers[0];
3040 proto = ip_proto_to_snat_proto (ip->protocol);
3042 /* unknown protocol */
3043 if (PREDICT_FALSE (proto == ~0))
3045 /* use current thread */
3046 return vlib_get_thread_index ();
3049 udp = ip4_next_header (ip);
3050 port = udp->dst_port;
3052 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
3054 icmp46_header_t *icmp = (icmp46_header_t *) udp;
3055 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
3056 if (!icmp_is_error_message (icmp))
3057 port = echo->identifier;
3060 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3061 proto = ip_proto_to_snat_proto (inner_ip->protocol);
3062 void *l4_header = ip4_next_header (inner_ip);
3065 case SNAT_PROTOCOL_ICMP:
3066 icmp = (icmp46_header_t *) l4_header;
3067 echo = (icmp_echo_header_t *) (icmp + 1);
3068 port = echo->identifier;
3070 case SNAT_PROTOCOL_UDP:
3071 case SNAT_PROTOCOL_TCP:
3072 port = ((tcp_udp_header_t *) l4_header)->src_port;
3075 return vlib_get_thread_index ();
3080 /* try static mappings with port */
3081 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3083 make_sm_kv (&kv, &ip->dst_address, proto, rx_fib_index,
3084 clib_net_to_host_u16 (port));
3085 if (!clib_bihash_search_8_8
3086 (&sm->static_mapping_by_external, &kv, &value))
3088 m = pool_elt_at_index (sm->static_mappings, value.value);
3089 if (!is_lb_static_mapping (m))
3090 return m->workers[0];
3092 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3093 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3095 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
3096 return m->workers[hash & (_vec_len (m->workers) - 1)];
3098 return m->workers[hash % _vec_len (m->workers)];
3102 /* worker by outside port */
3103 next_worker_index = sm->first_worker_index;
3104 next_worker_index +=
3105 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3107 return next_worker_index;
3110 static clib_error_t *
3111 snat_config (vlib_main_t * vm, unformat_input_t * input)
3113 snat_main_t *sm = &snat_main;
3114 nat66_main_t *nm = &nat66_main;
3115 u32 translation_buckets = 1024;
3116 u32 translation_memory_size = 128 << 20;
3117 u32 user_buckets = 128;
3118 u32 user_memory_size = 64 << 20;
3119 u32 max_translations_per_user = 100;
3120 u32 outside_vrf_id = 0;
3121 u32 outside_ip6_vrf_id = 0;
3122 u32 inside_vrf_id = 0;
3123 u32 static_mapping_buckets = 1024;
3124 u32 static_mapping_memory_size = 64 << 20;
3125 u32 nat64_bib_buckets = 1024;
3126 u32 nat64_bib_memory_size = 128 << 20;
3127 u32 nat64_st_buckets = 2048;
3128 u32 nat64_st_memory_size = 256 << 20;
3129 u8 static_mapping_only = 0;
3130 u8 static_mapping_connection_tracking = 0;
3131 snat_main_per_thread_data_t *tsm;
3132 dslite_main_t *dm = &dslite_main;
3134 sm->deterministic = 0;
3136 sm->endpoint_dependent = 0;
3138 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
3141 (input, "translation hash buckets %d", &translation_buckets))
3143 else if (unformat (input, "translation hash memory %d",
3144 &translation_memory_size));
3145 else if (unformat (input, "user hash buckets %d", &user_buckets))
3147 else if (unformat (input, "user hash memory %d", &user_memory_size))
3149 else if (unformat (input, "max translations per user %d",
3150 &max_translations_per_user))
3152 else if (unformat (input, "outside VRF id %d", &outside_vrf_id))
3154 else if (unformat (input, "outside ip6 VRF id %d", &outside_ip6_vrf_id))
3156 else if (unformat (input, "inside VRF id %d", &inside_vrf_id))
3158 else if (unformat (input, "static mapping only"))
3160 static_mapping_only = 1;
3161 if (unformat (input, "connection tracking"))
3162 static_mapping_connection_tracking = 1;
3164 else if (unformat (input, "deterministic"))
3165 sm->deterministic = 1;
3166 else if (unformat (input, "nat64 bib hash buckets %d",
3167 &nat64_bib_buckets))
3169 else if (unformat (input, "nat64 bib hash memory %d",
3170 &nat64_bib_memory_size))
3173 if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets))
3175 else if (unformat (input, "nat64 st hash memory %d",
3176 &nat64_st_memory_size))
3178 else if (unformat (input, "out2in dpo"))
3180 else if (unformat (input, "dslite ce"))
3181 dslite_set_ce (dm, 1);
3182 else if (unformat (input, "endpoint-dependent"))
3183 sm->endpoint_dependent = 1;
3185 return clib_error_return (0, "unknown input '%U'",
3186 format_unformat_error, input);
3189 if (sm->deterministic && sm->endpoint_dependent)
3190 return clib_error_return (0,
3191 "deterministic and endpoint-dependent modes are mutually exclusive");
3193 if (static_mapping_only && (sm->deterministic || sm->endpoint_dependent))
3194 return clib_error_return (0,
3195 "static mapping only mode available only for simple nat");
3197 if (sm->out2in_dpo && (sm->deterministic || sm->endpoint_dependent))
3198 return clib_error_return (0,
3199 "out2in dpo mode available only for simple nat");
3201 /* for show commands, etc. */
3202 sm->translation_buckets = translation_buckets;
3203 sm->translation_memory_size = translation_memory_size;
3204 /* do not exceed load factor 10 */
3205 sm->max_translations = 10 * translation_buckets;
3206 sm->user_buckets = user_buckets;
3207 sm->user_memory_size = user_memory_size;
3208 sm->max_translations_per_user = max_translations_per_user;
3209 sm->outside_vrf_id = outside_vrf_id;
3210 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
3212 FIB_SOURCE_PLUGIN_HI);
3213 nm->outside_vrf_id = outside_ip6_vrf_id;
3214 nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6,
3216 FIB_SOURCE_PLUGIN_HI);
3217 sm->inside_vrf_id = inside_vrf_id;
3218 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
3220 FIB_SOURCE_PLUGIN_HI);
3221 sm->static_mapping_only = static_mapping_only;
3222 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
3224 nat64_set_hash (nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets,
3225 nat64_st_memory_size);
3227 if (sm->deterministic)
3229 sm->in2out_node_index = snat_det_in2out_node.index;
3230 sm->in2out_output_node_index = ~0;
3231 sm->out2in_node_index = snat_det_out2in_node.index;
3232 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
3233 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
3237 if (sm->endpoint_dependent)
3239 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
3240 sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb;
3241 sm->in2out_node_index = nat44_ed_in2out_node.index;
3242 sm->in2out_output_node_index = nat44_ed_in2out_output_node.index;
3243 sm->out2in_node_index = nat44_ed_out2in_node.index;
3244 sm->icmp_match_in2out_cb = icmp_match_in2out_ed;
3245 sm->icmp_match_out2in_cb = icmp_match_out2in_ed;
3246 nat_affinity_init (vm);
3250 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
3251 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
3252 sm->in2out_node_index = snat_in2out_node.index;
3253 sm->in2out_output_node_index = snat_in2out_output_node.index;
3254 sm->out2in_node_index = snat_out2in_node.index;
3255 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
3256 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
3258 if (!static_mapping_only ||
3259 (static_mapping_only && static_mapping_connection_tracking))
3262 vec_foreach (tsm, sm->per_thread_data)
3264 if (sm->endpoint_dependent)
3266 clib_bihash_init_16_8 (&tsm->in2out_ed, "in2out-ed",
3267 translation_buckets,
3268 translation_memory_size);
3269 clib_bihash_set_kvp_format_fn_16_8 (&tsm->in2out_ed,
3270 format_ed_session_kvp);
3272 clib_bihash_init_16_8 (&tsm->out2in_ed, "out2in-ed",
3273 translation_buckets,
3274 translation_memory_size);
3275 clib_bihash_set_kvp_format_fn_16_8 (&tsm->out2in_ed,
3276 format_ed_session_kvp);
3280 clib_bihash_init_8_8 (&tsm->in2out, "in2out",
3281 translation_buckets,
3282 translation_memory_size);
3283 clib_bihash_set_kvp_format_fn_8_8 (&tsm->in2out,
3284 format_session_kvp);
3286 clib_bihash_init_8_8 (&tsm->out2in, "out2in",
3287 translation_buckets,
3288 translation_memory_size);
3289 clib_bihash_set_kvp_format_fn_8_8 (&tsm->out2in,
3290 format_session_kvp);
3293 clib_bihash_init_8_8 (&tsm->user_hash, "users", user_buckets,
3295 clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash,
3303 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
3304 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
3306 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
3307 "static_mapping_by_local", static_mapping_buckets,
3308 static_mapping_memory_size);
3309 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local,
3310 format_static_mapping_kvp);
3312 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
3313 "static_mapping_by_external",
3314 static_mapping_buckets,
3315 static_mapping_memory_size);
3316 clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external,
3317 format_static_mapping_kvp);
3323 VLIB_CONFIG_FUNCTION (snat_config, "nat");
3326 nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im,
3329 ip4_address_t * address,
3331 u32 if_address_index, u32 is_delete)
3333 snat_main_t *sm = &snat_main;
3334 snat_static_map_resolve_t *rp;
3335 snat_static_mapping_t *m;
3336 snat_session_key_t m_key;
3337 clib_bihash_kv_8_8_t kv, value;
3339 ip4_address_t l_addr;
3341 for (i = 0; i < vec_len (sm->to_resolve); i++)
3343 rp = sm->to_resolve + i;
3344 if (rp->addr_only == 0)
3346 if (rp->sw_if_index == sw_if_index)
3353 m_key.addr.as_u32 = address->as_u32;
3354 m_key.port = rp->addr_only ? 0 : rp->e_port;
3355 m_key.protocol = rp->addr_only ? 0 : rp->proto;
3356 m_key.fib_index = sm->outside_fib_index;
3357 kv.key = m_key.as_u64;
3358 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3361 m = pool_elt_at_index (sm->static_mappings, value.value);
3365 /* Don't trip over lease renewal, static config */
3375 /* Indetity mapping? */
3376 if (rp->l_addr.as_u32 == 0)
3377 l_addr.as_u32 = address[0].as_u32;
3379 l_addr.as_u32 = rp->l_addr.as_u32;
3380 /* Add the static mapping */
3381 rv = snat_add_static_mapping (l_addr,
3386 rp->addr_only, ~0 /* sw_if_index */ ,
3387 rp->proto, !is_delete, rp->twice_nat,
3388 rp->out2in_only, rp->tag, rp->identity_nat);
3390 nat_log_notice ("snat_add_static_mapping returned %d", rv);
3394 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
3397 ip4_address_t * address,
3399 u32 if_address_index, u32 is_delete)
3401 snat_main_t *sm = &snat_main;
3402 snat_static_map_resolve_t *rp;
3403 ip4_address_t l_addr;
3407 snat_address_t *addresses = sm->addresses;
3409 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices); i++)
3411 if (sw_if_index == sm->auto_add_sw_if_indices[i])
3415 for (i = 0; i < vec_len (sm->auto_add_sw_if_indices_twice_nat); i++)
3418 addresses = sm->twice_nat_addresses;
3419 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
3428 /* Don't trip over lease renewal, static config */
3429 for (j = 0; j < vec_len (addresses); j++)
3430 if (addresses[j].addr.as_u32 == address->as_u32)
3433 (void) snat_add_address (sm, address, ~0, twice_nat);
3434 /* Scan static map resolution vector */
3435 for (j = 0; j < vec_len (sm->to_resolve); j++)
3437 rp = sm->to_resolve + j;
3440 /* On this interface? */
3441 if (rp->sw_if_index == sw_if_index)
3443 /* Indetity mapping? */
3444 if (rp->l_addr.as_u32 == 0)
3445 l_addr.as_u32 = address[0].as_u32;
3447 l_addr.as_u32 = rp->l_addr.as_u32;
3448 /* Add the static mapping */
3449 rv = snat_add_static_mapping (l_addr,
3455 ~0 /* sw_if_index */ ,
3457 rp->is_add, rp->twice_nat,
3458 rp->out2in_only, rp->tag,
3461 nat_log_notice ("snat_add_static_mapping returned %d", rv);
3468 (void) snat_del_address (sm, address[0], 1, twice_nat);
3475 snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del,
3478 ip4_main_t *ip4_main = sm->ip4_main;
3479 ip4_address_t *first_int_addr;
3480 snat_static_map_resolve_t *rp;
3481 u32 *indices_to_delete = 0;
3483 u32 *auto_add_sw_if_indices =
3485 auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
3487 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0 /* just want the address */
3490 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3492 if (auto_add_sw_if_indices[i] == sw_if_index)
3496 /* if have address remove it */
3498 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
3501 for (j = 0; j < vec_len (sm->to_resolve); j++)
3503 rp = sm->to_resolve + j;
3504 if (rp->sw_if_index == sw_if_index)
3505 vec_add1 (indices_to_delete, j);
3507 if (vec_len (indices_to_delete))
3509 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
3510 vec_del1 (sm->to_resolve, j);
3511 vec_free (indices_to_delete);
3515 vec_del1 (sm->auto_add_sw_if_indices_twice_nat, i);
3517 vec_del1 (sm->auto_add_sw_if_indices, i);
3520 return VNET_API_ERROR_VALUE_EXIST;
3527 return VNET_API_ERROR_NO_SUCH_ENTRY;
3529 /* add to the auto-address list */
3531 vec_add1 (sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
3533 vec_add1 (sm->auto_add_sw_if_indices, sw_if_index);
3535 /* If the address is already bound - or static - add it now */
3537 (void) snat_add_address (sm, first_int_addr, ~0, twice_nat);
3543 nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
3544 snat_protocol_t proto, u32 vrf_id, int is_in)
3546 snat_main_per_thread_data_t *tsm;
3547 clib_bihash_kv_8_8_t kv, value;
3549 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3550 snat_session_key_t key;
3552 clib_bihash_8_8_t *t;
3554 if (sm->endpoint_dependent)
3555 return VNET_API_ERROR_UNSUPPORTED;
3557 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3558 if (sm->num_workers > 1)
3560 vec_elt_at_index (sm->per_thread_data,
3561 sm->worker_in2out_cb (&ip, fib_index));
3563 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3565 key.addr.as_u32 = addr->as_u32;
3566 key.port = clib_host_to_net_u16 (port);
3567 key.protocol = proto;
3568 key.fib_index = fib_index;
3569 kv.key = key.as_u64;
3570 t = is_in ? &tsm->in2out : &tsm->out2in;
3571 if (!clib_bihash_search_8_8 (t, &kv, &value))
3573 if (pool_is_free_index (tsm->sessions, value.value))
3574 return VNET_API_ERROR_UNSPECIFIED;
3576 s = pool_elt_at_index (tsm->sessions, value.value);
3577 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
3578 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
3582 return VNET_API_ERROR_NO_SUCH_ENTRY;
3586 nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
3587 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
3588 u32 vrf_id, int is_in)
3591 clib_bihash_16_8_t *t;
3592 nat_ed_ses_key_t key;
3593 clib_bihash_kv_16_8_t kv, value;
3594 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3596 snat_main_per_thread_data_t *tsm;
3598 if (!sm->endpoint_dependent)
3599 return VNET_API_ERROR_FEATURE_DISABLED;
3601 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3602 if (sm->num_workers > 1)
3604 vec_elt_at_index (sm->per_thread_data,
3605 sm->worker_in2out_cb (&ip, fib_index));
3607 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3609 t = is_in ? &tsm->in2out_ed : &tsm->out2in_ed;
3610 key.l_addr.as_u32 = addr->as_u32;
3611 key.r_addr.as_u32 = eh_addr->as_u32;
3612 key.l_port = clib_host_to_net_u16 (port);
3613 key.r_port = clib_host_to_net_u16 (eh_port);
3615 key.fib_index = fib_index;
3616 kv.key[0] = key.as_u64[0];
3617 kv.key[1] = key.as_u64[1];
3618 if (clib_bihash_search_16_8 (t, &kv, &value))
3619 return VNET_API_ERROR_NO_SUCH_ENTRY;
3621 if (pool_is_free_index (tsm->sessions, value.value))
3622 return VNET_API_ERROR_UNSPECIFIED;
3623 s = pool_elt_at_index (tsm->sessions, value.value);
3624 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
3625 nat44_delete_session (sm, s, tsm - sm->per_thread_data);
3630 nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, u16 psid_length)
3632 snat_main_t *sm = &snat_main;
3634 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE;
3635 sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
3637 sm->psid_offset = psid_offset;
3638 sm->psid_length = psid_length;
3642 nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port)
3644 snat_main_t *sm = &snat_main;
3646 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE;
3647 sm->alloc_addr_and_port = nat_alloc_addr_and_port_range;
3648 sm->start_port = start_port;
3649 sm->end_port = end_port;
3653 nat_set_alloc_addr_and_port_default (void)
3655 snat_main_t *sm = &snat_main;
3657 sm->addr_and_port_alloc_alg = NAT_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
3658 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
3662 * fd.io coding-style-patch-verification: ON
3665 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob