2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 * @file NAT plugin global declarations
18 #ifndef __included_nat_h__
19 #define __included_nat_h__
21 #include <vnet/vnet.h>
22 #include <vnet/ip/ip.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/ip/icmp46_packet.h>
25 #include <vnet/api_errno.h>
26 #include <vppinfra/elog.h>
27 #include <vppinfra/bihash_8_8.h>
28 #include <vppinfra/bihash_16_8.h>
29 #include <vppinfra/dlist.h>
30 #include <vppinfra/error.h>
31 #include <vlibapi/api.h>
34 /* default session timeouts */
35 #define SNAT_UDP_TIMEOUT 300
36 #define SNAT_TCP_TRANSITORY_TIMEOUT 240
37 #define SNAT_TCP_ESTABLISHED_TIMEOUT 7440
38 #define SNAT_ICMP_TIMEOUT 60
40 /* number of worker handoff frame queue elements */
41 #define NAT_FQ_NELTS 64
43 /* NAT buffer flags */
44 #define SNAT_FLAG_HAIRPINNING (1 << 0)
46 /* session key (4-tuple) */
55 u16 protocol:3, fib_index:13;
61 /* endpoint-dependent session key (6-tuple) */
70 u32 proto:8, fib_index:24;
78 /* deterministic session outside key */
85 ip4_address_t ext_host_addr;
93 /* user (internal host) key */
112 } nat44_reass_trace_t;
114 /* NAT API Configuration flags */
115 #define foreach_nat_config_flag \
116 _(0x01, IS_TWICE_NAT) \
117 _(0x02, IS_SELF_TWICE_NAT) \
118 _(0x04, IS_OUT2IN_ONLY) \
119 _(0x08, IS_ADDR_ONLY) \
120 _(0x10, IS_OUTSIDE) \
123 _(0x80, IS_EXT_HOST_VALID) \
125 typedef enum nat_config_flags_t_
127 #define _(n,f) NAT_API_##f = n,
128 foreach_nat_config_flag
130 } nat_config_flags_t;
132 /* External address and port allocation modes */
133 #define foreach_nat_addr_and_port_alloc_alg \
134 _(0, DEFAULT, "default") \
135 _(1, MAPE, "map-e") \
136 _(2, RANGE, "port-range")
140 #define _(v, N, s) NAT_ADDR_AND_PORT_ALLOC_ALG_##N = v,
141 foreach_nat_addr_and_port_alloc_alg
143 } nat_addr_and_port_alloc_alg_t;
146 /* Supported L4 protocols */
147 #define foreach_snat_protocol \
148 _(UDP, 0, udp, "udp") \
149 _(TCP, 1, tcp, "tcp") \
150 _(ICMP, 2, icmp, "icmp")
154 #define _(N, i, n, s) SNAT_PROTOCOL_##N = i,
155 foreach_snat_protocol
161 #define foreach_snat_session_state \
162 _(0, UNKNOWN, "unknown") \
163 _(1, UDP_ACTIVE, "udp-active") \
164 _(2, TCP_SYN_SENT, "tcp-syn-sent") \
165 _(3, TCP_ESTABLISHED, "tcp-established") \
166 _(4, TCP_FIN_WAIT, "tcp-fin-wait") \
167 _(5, TCP_CLOSE_WAIT, "tcp-close-wait") \
168 _(6, TCP_CLOSING, "tcp-closing") \
169 _(7, TCP_LAST_ACK, "tcp-last-ack") \
170 _(8, TCP_CLOSED, "tcp-closed") \
171 _(9, ICMP_ACTIVE, "icmp-active")
175 #define _(v, N, s) SNAT_SESSION_##N = v,
176 foreach_snat_session_state
178 } snat_session_state_t;
180 /* Endpoint dependent TCP session state */
181 #define NAT44_SES_I2O_FIN 1
182 #define NAT44_SES_O2I_FIN 2
183 #define NAT44_SES_I2O_FIN_ACK 4
184 #define NAT44_SES_O2I_FIN_ACK 8
185 #define NAT44_SES_I2O_SYN 16
186 #define NAT44_SES_O2I_SYN 32
187 #define NAT44_SES_RST 64
190 #define SNAT_SESSION_FLAG_STATIC_MAPPING 1
191 #define SNAT_SESSION_FLAG_UNKNOWN_PROTO 2
192 #define SNAT_SESSION_FLAG_LOAD_BALANCING 4
193 #define SNAT_SESSION_FLAG_TWICE_NAT 8
194 #define SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT 16
195 #define SNAT_SESSION_FLAG_FWD_BYPASS 32
196 #define SNAT_SESSION_FLAG_AFFINITY 64
197 #define SNAT_SESSION_FLAG_OUTPUT_FEATURE 128
199 /* NAT interface flags */
200 #define NAT_INTERFACE_FLAG_IS_INSIDE 1
201 #define NAT_INTERFACE_FLAG_IS_OUTSIDE 2
203 /* Static mapping flags */
204 #define NAT_STATIC_MAPPING_FLAG_ADDR_ONLY 1
205 #define NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY 2
206 #define NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT 4
207 #define NAT_STATIC_MAPPING_FLAG_LB 8
210 typedef CLIB_PACKED(struct
212 /* Outside network key */
213 snat_session_key_t out2in;
215 /* Inside network key */
216 snat_session_key_t in2out;
221 /* Per-user translations */
223 u32 per_user_list_head_index;
225 /* Last heard timer */
228 /* Last HA refresh */
229 f64 ha_last_refreshed;
235 /* External host address and port */
236 ip4_address_t ext_host_addr;
239 /* External host address and port after translation */
240 ip4_address_t ext_host_nat_addr;
241 u16 ext_host_nat_port;
243 /* TCP session state */
258 u32 sessions_per_user_list_head_index;
268 #define _(N, i, n, s) \
269 u16 busy_##n##_ports; \
270 u16 * busy_##n##_ports_per_thread; \
271 uword * busy_##n##_port_bitmap;
272 foreach_snat_protocol
285 /* Inside network port */
287 /* Outside network address and port */
288 snat_det_out_key_t out;
293 } snat_det_session_t;
297 /* inside IP address range */
298 ip4_address_t in_addr;
300 /* outside IP address range */
301 ip4_address_t out_addr;
303 /* inside IP addresses / outside IP addresses */
305 /* number of ports available to internal host */
307 /* session counter */
309 /* vector of sessions */
310 snat_det_session_t *sessions;
315 /* backend IP address */
317 /* backend port number */
319 /* probability of the backend to be randomly matched */
322 /* backend FIB table */
325 } nat44_lb_addr_port_t;
329 /* twice-nat disabled */
331 /* twice-nat enabled */
333 /* twice-nat only when src IP equals dst IP after translation */
339 /* no load-balancing */
343 /* load-balancing with affinity */
349 /* local IP address */
350 ip4_address_t local_addr;
351 /* external IP address */
352 ip4_address_t external_addr;
358 twice_nat_type_t twice_nat;
359 /* local FIB table */
363 snat_protocol_t proto;
364 /* 0 = disabled, otherwise client IP affinity sticky time in seconds */
366 /* worker threads used by backends/local host */
368 /* opaque string tag */
370 /* backends for load-balancing mode */
371 nat44_lb_addr_port_t *locals;
372 /* affinity per service lis */
373 u32 affinity_per_service_list_head_index;
376 } snat_static_mapping_t;
386 ip4_address_t l_addr;
391 snat_protocol_t proto;
399 } snat_static_map_resolve_t;
403 /* Main lookup tables */
404 clib_bihash_8_8_t out2in;
405 clib_bihash_8_8_t in2out;
407 /* Endpoint dependent sessions lookup tables */
408 clib_bihash_16_8_t out2in_ed;
409 clib_bihash_16_8_t in2out_ed;
411 /* Find-a-user => src address lookup */
412 clib_bihash_8_8_t user_hash;
418 snat_session_t *sessions;
420 /* Pool of doubly-linked list elements */
421 dlist_elt_t *list_pool;
423 /* NAT thread index */
424 u32 snat_thread_index;
425 } snat_main_per_thread_data_t;
429 /* ICMP session match function */
430 typedef u32 (snat_icmp_match_function_t) (struct snat_main_s * sm,
431 vlib_node_runtime_t * node,
434 ip4_header_t * ip0, u8 * p_proto,
435 snat_session_key_t * p_value,
436 u8 * p_dont_translate, void *d,
439 /* Return worker thread index for given packet */
440 typedef u32 (snat_get_worker_function_t) (ip4_header_t * ip,
443 /* NAT address and port allacotaion function */
444 typedef int (nat_alloc_out_addr_and_port_function_t) (snat_address_t *
448 snat_session_key_t * k,
450 u32 snat_thread_index);
452 typedef struct snat_main_s
454 /* ICMP session match functions */
455 snat_icmp_match_function_t *icmp_match_in2out_cb;
456 snat_icmp_match_function_t *icmp_match_out2in_cb;
458 /* Thread settings */
460 u32 first_worker_index;
462 snat_get_worker_function_t *worker_in2out_cb;
463 snat_get_worker_function_t *worker_out2in_cb;
467 /* Per thread data */
468 snat_main_per_thread_data_t *per_thread_data;
470 /* Find a static mapping by local */
471 clib_bihash_8_8_t static_mapping_by_local;
473 /* Find a static mapping by external */
474 clib_bihash_8_8_t static_mapping_by_external;
476 /* Static mapping pool */
477 snat_static_mapping_t *static_mappings;
480 snat_interface_t *interfaces;
481 snat_interface_t *output_feature_interfaces;
483 /* Vector of outside addresses */
484 snat_address_t *addresses;
485 /* Address and port allocation function */
486 nat_alloc_out_addr_and_port_function_t *alloc_addr_and_port;
487 /* Address and port allocation type */
488 nat_addr_and_port_alloc_alg_t addr_and_port_alloc_alg;
489 /* Port set parameters (MAP-E) */
493 /* Port range parameters */
497 /* vector of outside fibs */
498 nat_outside_fib_t *outside_fibs;
500 /* Vector of twice NAT addresses for extenal hosts */
501 snat_address_t *twice_nat_addresses;
503 /* sw_if_indices whose intfc addresses should be auto-added */
504 u32 *auto_add_sw_if_indices;
505 u32 *auto_add_sw_if_indices_twice_nat;
507 /* vector of interface address static mappings to resolve. */
508 snat_static_map_resolve_t *to_resolve;
510 /* Randomize port allocation order */
513 /* Worker handoff frame-queue index */
515 u32 fq_in2out_output_index;
519 u32 error_node_index;
521 u32 in2out_node_index;
522 u32 in2out_output_node_index;
523 u32 in2out_fast_node_index;
524 u32 in2out_slowpath_node_index;
525 u32 in2out_slowpath_output_node_index;
526 u32 in2out_reass_node_index;
527 u32 ed_in2out_node_index;
528 u32 ed_in2out_slowpath_node_index;
529 u32 ed_in2out_reass_node_index;
530 u32 out2in_node_index;
531 u32 out2in_fast_node_index;
532 u32 out2in_reass_node_index;
533 u32 ed_out2in_node_index;
534 u32 ed_out2in_slowpath_node_index;
535 u32 ed_out2in_reass_node_index;
536 u32 det_in2out_node_index;
537 u32 det_out2in_node_index;
539 u32 hairpinning_node_index;
540 u32 hairpin_dst_node_index;
541 u32 hairpin_src_node_index;
542 u32 ed_hairpinning_node_index;
543 u32 ed_hairpin_dst_node_index;
544 u32 ed_hairpin_src_node_index;
547 /* Deterministic NAT mappings */
548 snat_det_map_t *det_maps;
550 /* If forwarding is enabled */
551 u8 forwarding_enabled;
553 /* Config parameters */
554 u8 static_mapping_only;
555 u8 static_mapping_connection_tracking;
558 u8 endpoint_dependent;
559 u32 translation_buckets;
560 u32 translation_memory_size;
561 u32 max_translations;
563 u32 user_memory_size;
564 u32 max_translations_per_user;
566 u32 outside_fib_index;
568 u32 inside_fib_index;
570 /* values of various timeouts */
572 u32 tcp_established_timeout;
573 u32 tcp_transitory_timeout;
576 /* TCP MSS clamping */
580 /* counters/gauges */
581 vlib_simple_counter_main_t total_users;
582 vlib_simple_counter_main_t total_sessions;
584 /* API message ID base */
588 vlib_log_class_t log_class;
593 vlib_main_t *vlib_main;
594 vnet_main_t *vnet_main;
595 ip4_main_t *ip4_main;
596 ip_lookup_main_t *ip4_lookup_main;
597 api_main_t *api_main;
604 } nat44_is_idle_session_ctx_t;
608 u32 cached_sw_if_index;
609 u32 cached_ip4_address;
612 extern snat_main_t snat_main;
613 extern vlib_node_registration_t snat_in2out_node;
614 extern vlib_node_registration_t snat_in2out_output_node;
615 extern vlib_node_registration_t snat_out2in_node;
616 extern vlib_node_registration_t snat_in2out_fast_node;
617 extern vlib_node_registration_t snat_out2in_fast_node;
618 extern vlib_node_registration_t snat_in2out_worker_handoff_node;
619 extern vlib_node_registration_t snat_in2out_output_worker_handoff_node;
620 extern vlib_node_registration_t snat_out2in_worker_handoff_node;
621 extern vlib_node_registration_t snat_det_in2out_node;
622 extern vlib_node_registration_t snat_det_out2in_node;
623 extern vlib_node_registration_t snat_hairpin_dst_node;
624 extern vlib_node_registration_t snat_hairpin_src_node;
625 extern vlib_node_registration_t nat44_ed_in2out_node;
626 extern vlib_node_registration_t nat44_ed_in2out_output_node;
627 extern vlib_node_registration_t nat44_ed_out2in_node;
628 extern vlib_node_registration_t nat44_ed_hairpin_dst_node;
629 extern vlib_node_registration_t nat44_ed_hairpin_src_node;
630 extern vlib_node_registration_t nat44_ed_in2out_worker_handoff_node;
631 extern vlib_node_registration_t nat44_ed_in2out_output_worker_handoff_node;
632 extern vlib_node_registration_t nat44_ed_out2in_worker_handoff_node;
634 /* format functions */
635 format_function_t format_snat_user;
636 format_function_t format_snat_static_mapping;
637 format_function_t format_snat_static_map_to_resolve;
638 format_function_t format_snat_session;
639 format_function_t format_det_map_ses;
640 format_function_t format_snat_key;
641 format_function_t format_static_mapping_key;
642 format_function_t format_snat_protocol;
643 format_function_t format_nat_addr_and_port_alloc_alg;
644 format_function_t format_nat44_reass_trace;
645 /* unformat functions */
646 unformat_function_t unformat_snat_protocol;
648 /** \brief Check if SNAT session is created from static mapping.
649 @param s SNAT session
650 @return 1 if SNAT session is created from static mapping otherwise 0
652 #define snat_is_session_static(s) (s->flags & SNAT_SESSION_FLAG_STATIC_MAPPING)
654 /** \brief Check if SNAT session for unknown protocol.
655 @param s SNAT session
656 @return 1 if SNAT session for unknown protocol otherwise 0
658 #define snat_is_unk_proto_session(s) (s->flags & SNAT_SESSION_FLAG_UNKNOWN_PROTO)
660 /** \brief Check if NAT session is twice NAT.
662 @return 1 if NAT session is twice NAT
664 #define is_twice_nat_session(s) (s->flags & SNAT_SESSION_FLAG_TWICE_NAT)
666 /** \brief Check if NAT session is load-balancing.
668 @return 1 if NAT session is load-balancing
670 #define is_lb_session(s) (s->flags & SNAT_SESSION_FLAG_LOAD_BALANCING)
672 /** \brief Check if NAT session is forwarding bypass.
674 @return 1 if NAT session is load-balancing
676 #define is_fwd_bypass_session(s) (s->flags & SNAT_SESSION_FLAG_FWD_BYPASS)
678 /** \brief Check if NAT session is endpoint dependent.
680 @return 1 if NAT session is endpoint dependent
682 #define is_ed_session(s) (s->flags & SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT)
684 /** \brief Check if NAT session has affinity record.
686 @return 1 if NAT session has affinity record
688 #define is_affinity_sessions(s) (s->flags & SNAT_SESSION_FLAG_AFFINITY)
690 /** \brief Check if NAT interface is inside.
691 @param i NAT interfce
692 @return 1 if inside interface
694 #define nat_interface_is_inside(i) i->flags & NAT_INTERFACE_FLAG_IS_INSIDE
696 /** \brief Check if NAT interface is outside.
697 @param i NAT interfce
698 @return 1 if outside interface
700 #define nat_interface_is_outside(i) i->flags & NAT_INTERFACE_FLAG_IS_OUTSIDE
702 /** \brief Check if NAT44 endpoint-dependent TCP session is closed.
704 @return 1 if session is closed
706 #define nat44_is_ses_closed(s) s->state == 0xf
708 /** \brief Check if NAT static mapping is address only (1:1NAT).
709 @param sm NAT static mapping
710 @return 1 if 1:1NAT, 0 if 1:1NAPT
712 #define is_addr_only_static_mapping(sm) (sm->flags & NAT_STATIC_MAPPING_FLAG_ADDR_ONLY)
714 /** \brief Check if NAT static mapping match only out2in direction.
715 @param sm NAT static mapping
716 @return 1 if rule match only out2in direction
718 #define is_out2in_only_static_mapping(sm) (sm->flags & NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY)
720 /** \brief Check if NAT static mapping is identity NAT.
721 @param sm NAT static mapping
722 @return 1 if identity NAT
724 #define is_identity_static_mapping(sm) (sm->flags & NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT)
726 /** \brief Check if NAT static mapping is load-balancing.
727 @param sm NAT static mapping
728 @return 1 if load-balancing
730 #define is_lb_static_mapping(sm) (sm->flags & NAT_STATIC_MAPPING_FLAG_LB)
732 /** \brief Check if client initiating TCP connection (received SYN from client)
734 @return 1 if client initiating TCP connection
736 #define tcp_is_init(t) ((t->flags & TCP_FLAG_SYN) && !(t->flags & TCP_FLAG_ACK))
739 #define nat_log_err(...) \
740 vlib_log(VLIB_LOG_LEVEL_ERR, snat_main.log_class, __VA_ARGS__)
741 #define nat_log_warn(...) \
742 vlib_log(VLIB_LOG_LEVEL_WARNING, snat_main.log_class, __VA_ARGS__)
743 #define nat_log_notice(...) \
744 vlib_log(VLIB_LOG_LEVEL_NOTICE, snat_main.log_class, __VA_ARGS__)
745 #define nat_log_info(...) \
746 vlib_log(VLIB_LOG_LEVEL_INFO, snat_main.log_class, __VA_ARGS__)
747 #define nat_log_debug(...)\
748 vlib_log(VLIB_LOG_LEVEL_DEBUG, snat_main.log_class, __VA_ARGS__)
750 /* NAT API Logging Levels */
751 #define foreach_nat_log_level \
754 _(0x02, LOG_WARNING) \
755 _(0x03, LOG_NOTICE) \
759 typedef enum nat_log_level_t_
761 #define _(n,f) SNAT_##f = n,
762 foreach_nat_log_level
766 #define nat_elog(_level, _str) \
769 snat_main_t *sm = &snat_main; \
770 if (PREDICT_FALSE (sm->log_level >= _level)) \
772 ELOG_TYPE_DECLARE (e) = \
774 .format = "nat-msg" _str, \
777 ELOG_DATA (&sm->vlib_main->elog_main, e); \
781 #define nat_elog_addr(_level, _str, _addr) \
784 if (PREDICT_FALSE (sm->log_level >= _level)) \
786 ELOG_TYPE_DECLARE (e) = \
788 .format = "nat-msg " _str " %d.%d.%d.%d", \
789 .format_args = "i1i1i1i1", \
798 ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
799 ed->oct4 = _addr >> 24; \
800 ed->oct3 = _addr >> 16; \
801 ed->oct2 = _addr >> 8; \
806 #define nat_elog_X1(_level, _fmt, _arg, _val1) \
809 snat_main_t *sm = &snat_main; \
810 if (PREDICT_FALSE (sm->log_level >= _level)) \
812 ELOG_TYPE_DECLARE (e) = \
814 .format = "nat-msg " _fmt, \
815 .format_args = _arg, \
819 typeof (_val1) val1; \
821 ed = ELOG_DATA (&sm->vlib_main->elog_main, e); \
826 #define nat_elog_notice(nat_elog_str) \
827 nat_elog(SNAT_LOG_INFO, "[notice] " nat_elog_str)
828 #define nat_elog_warn(nat_elog_str) \
829 nat_elog(SNAT_LOG_WARNING, "[warning] " nat_elog_str)
830 #define nat_elog_err(nat_elog_str) \
831 nat_elog(SNAT_LOG_ERROR, "[error] " nat_elog_str)
832 #define nat_elog_debug(nat_elog_str) \
833 nat_elog(SNAT_LOG_DEBUG, "[debug] " nat_elog_str)
834 #define nat_elog_info(nat_elog_str) \
835 nat_elog(SNAT_LOG_INFO, "[info] " nat_elog_str)
837 #define nat_elog_notice_X1(nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1) \
838 nat_elog_X1(SNAT_LOG_NOTICE, "[notice] " nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1)
839 #define nat_elog_warn_X1(nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1) \
840 nat_elog_X1(SNAT_LOG_WARNING, "[warning] " nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1)
841 #define nat_elog_err_X1(nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1) \
842 nat_elog_X1(SNAT_LOG_ERROR, "[error] " nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1)
843 #define nat_elog_debug_X1(nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1) \
844 nat_elog_X1(SNAT_LOG_DEBUG, "[debug] " nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1)
845 #define nat_elog_info_X1(nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1) \
846 nat_elog_X1(SNAT_LOG_INFO, "[info] " nat_elog_fmt_str, nat_elog_fmt_arg, nat_elog_val1)
848 /* ICMP session match functions */
849 u32 icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
850 u32 thread_index, vlib_buffer_t * b0,
851 ip4_header_t * ip0, u8 * p_proto,
852 snat_session_key_t * p_value,
853 u8 * p_dont_translate, void *d, void *e);
854 u32 icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node,
855 u32 thread_index, vlib_buffer_t * b0,
856 ip4_header_t * ip0, u8 * p_proto,
857 snat_session_key_t * p_value,
858 u8 * p_dont_translate, void *d, void *e);
859 u32 icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
860 u32 thread_index, vlib_buffer_t * b0,
861 ip4_header_t * ip0, u8 * p_proto,
862 snat_session_key_t * p_value,
863 u8 * p_dont_translate, void *d, void *e);
864 u32 icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
865 u32 thread_index, vlib_buffer_t * b0,
866 ip4_header_t * ip0, u8 * p_proto,
867 snat_session_key_t * p_value,
868 u8 * p_dont_translate, void *d, void *e);
870 /* ICMP deterministic NAT session match functions */
871 u32 icmp_match_out2in_det (snat_main_t * sm, vlib_node_runtime_t * node,
872 u32 thread_index, vlib_buffer_t * b0,
873 ip4_header_t * ip0, u8 * p_proto,
874 snat_session_key_t * p_value,
875 u8 * p_dont_translate, void *d, void *e);
876 u32 icmp_match_in2out_det (snat_main_t * sm, vlib_node_runtime_t * node,
877 u32 thread_index, vlib_buffer_t * b0,
878 ip4_header_t * ip0, u8 * p_proto,
879 snat_session_key_t * p_value,
880 u8 * p_dont_translate, void *d, void *e);
882 /* ICMP endpoint-dependent session match functions */
883 u32 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
884 u32 thread_index, vlib_buffer_t * b0,
885 ip4_header_t * ip0, u8 * p_proto,
886 snat_session_key_t * p_value,
887 u8 * p_dont_translate, void *d, void *e);
888 u32 icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
889 u32 thread_index, vlib_buffer_t * b0,
890 ip4_header_t * ip0, u8 * p_proto,
891 snat_session_key_t * p_value,
892 u8 * p_dont_translate, void *d, void *e);
894 u32 icmp_in2out (snat_main_t * sm, vlib_buffer_t * b0, ip4_header_t * ip0,
895 icmp46_header_t * icmp0, u32 sw_if_index0, u32 rx_fib_index0,
896 vlib_node_runtime_t * node, u32 next0, u32 thread_index,
899 u32 icmp_out2in (snat_main_t * sm, vlib_buffer_t * b0, ip4_header_t * ip0,
900 icmp46_header_t * icmp0, u32 sw_if_index0, u32 rx_fib_index0,
901 vlib_node_runtime_t * node, u32 next0, u32 thread_index,
904 /* hairpinning functions */
905 u32 snat_icmp_hairpinning (snat_main_t * sm, vlib_buffer_t * b0,
906 ip4_header_t * ip0, icmp46_header_t * icmp0,
908 void nat_hairpinning_sm_unknown_proto (snat_main_t * sm, vlib_buffer_t * b,
910 void nat44_ed_hairpinning_unknown_proto (snat_main_t * sm, vlib_buffer_t * b,
912 int snat_hairpinning (snat_main_t * sm, vlib_buffer_t * b0,
913 ip4_header_t * ip0, udp_header_t * udp0,
914 tcp_header_t * tcp0, u32 proto0, int is_ed);
915 void nat44_reass_hairpinning (snat_main_t * sm, vlib_buffer_t * b0,
916 ip4_header_t * ip0, u16 sport, u16 dport,
917 u32 proto0, int is_ed);
919 /* Call back functions for clib_bihash_add_or_overwrite_stale */
920 int nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg);
921 int nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg);
922 int nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg);
923 int nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg);
926 * @brief Increment IPv4 address
928 void increment_v4_address (ip4_address_t * a);
931 * @brief Add external address to NAT44 pool
933 * @param addr IPv4 address
934 * @param vrf_id VRF id of tenant, ~0 means independent of VRF
935 * @param twice_nat 1 if twice NAT address
937 * @return 0 on success, non-zero value otherwise
939 int snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id,
943 * @brief Delete external address from NAT44 pool
945 * @param addr IPv4 address
946 * @param delete_sm 1 if delete static mapping using address
947 * @param twice_nat 1 if twice NAT address
949 * @return 0 on success, non-zero value otherwise
951 int snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
955 * @brief Add/delete external address to FIB DPO (out2in DPO mode)
957 * @param addr IPv4 address
958 * @param is_add 1 = add, 0 = delete
960 * @return 0 on success, non-zero value otherwise
962 void nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add);
965 * @brief Add/delete NAT44 static mapping
967 * @param l_addr local IPv4 address
968 * @param e_addr external IPv4 address
969 * @param l_port local port number
970 * @param e_port external port number
971 * @param vrf_id local VRF ID
972 * @param addr_only 1 = 1:1NAT, 0 = 1:1NAPT
973 * @param sw_if_index use interface address as external IPv4 address
974 * @param proto L4 protocol
975 * @param is_add 1 = add, 0 = delete
976 * @param twice_nat twice-nat mode
977 * @param out2in_only if 1 rule match only out2in direction
978 * @param tag opaque string tag
979 * @param identity_nat identity NAT
981 * @return 0 on success, non-zero value otherwise
983 int snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
984 u16 l_port, u16 e_port, u32 vrf_id,
985 int addr_only, u32 sw_if_index,
986 snat_protocol_t proto, int is_add,
987 twice_nat_type_t twice_nat, u8 out2in_only,
988 u8 * tag, u8 identity_nat);
991 * @brief Add/delete static mapping with load-balancing (multiple backends)
993 * @param e_addr external IPv4 address
994 * @param e_port external port number
995 * @param proto L4 protocol
996 * @param locals list of local backends
997 * @param is_add 1 = add, 0 = delete
998 * @param twice_nat twice-nat mode
999 * @param out2in_only if 1 rule match only out2in direction
1000 * @param tag opaque string tag
1001 * @param affinity 0 = disabled, otherwise client IP affinity sticky time
1003 * @return 0 on success, non-zero value otherwise
1005 int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1006 snat_protocol_t proto,
1007 nat44_lb_addr_port_t * locals, u8 is_add,
1008 twice_nat_type_t twice_nat,
1009 u8 out2in_only, u8 * tag, u32 affinity);
1011 int nat44_lb_static_mapping_add_del_local (ip4_address_t e_addr, u16 e_port,
1012 ip4_address_t l_addr, u16 l_port,
1013 snat_protocol_t proto, u32 vrf_id,
1014 u8 probability, u8 is_add);
1016 clib_error_t *snat_api_init (vlib_main_t * vm, snat_main_t * sm);
1019 * @brief Set NAT plugin workers
1021 * @param bitmap NAT workers bitmap
1023 * @return 0 on success, non-zero value otherwise
1025 int snat_set_workers (uword * bitmap);
1028 * @brief Enable/disable NAT44 feature on the interface
1030 * @param sw_if_index software index of the interface
1031 * @param is_inside 1 = inside, 0 = outside
1032 * @param is_del 1 = delete, 0 = add
1034 * @return 0 on success, non-zero value otherwise
1036 int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del);
1039 * @brief Enable/disable NAT44 output feature on the interface (postrouting NAT)
1041 * @param sw_if_index software index of the interface
1042 * @param is_inside 1 = inside, 0 = outside
1043 * @param is_del 1 = delete, 0 = add
1045 * @return 0 on success, non-zero value otherwise
1047 int snat_interface_add_del_output_feature (u32 sw_if_index, u8 is_inside,
1051 * @brief Add/delete NAT44 pool address from specific interfce
1053 * @param sw_if_index software index of the interface
1054 * @param is_del 1 = delete, 0 = add
1055 * @param twice_nat 1 = twice NAT address for extenal hosts
1057 * @return 0 on success, non-zero value otherwise
1059 int snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del,
1063 * @brief Delete NAT44 session
1065 * @param addr IPv4 address
1066 * @param port L4 port number
1067 * @param proto L4 protocol
1068 * @param vrf_id VRF ID
1069 * @param is_in 1 = inside network address and port pair, 0 = outside
1071 * @return 0 on success, non-zero value otherwise
1073 int nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
1074 snat_protocol_t proto, u32 vrf_id, int is_in);
1077 * @brief Delete NAT44 endpoint-dependent session
1079 * @param addr IPv4 address
1080 * @param port L4 port number
1081 * @param proto L4 protocol
1082 * @param vrf_id VRF ID
1083 * @param is_in 1 = inside network address and port pair, 0 = outside
1085 * @return 0 on success, non-zero value otherwise
1087 int nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port,
1088 ip4_address_t * eh_addr, u16 eh_port, u8 proto,
1089 u32 vrf_id, int is_in);
1092 * @brief Free NAT44 session data (lookup keys, external addrres port)
1094 * @param s NAT session
1095 * @param thread_index thread index
1096 * @param is_ha is HA event
1098 void nat_free_session_data (snat_main_t * sm, snat_session_t * s,
1099 u32 thread_index, u8 is_ha);
1102 * @brief Find or create NAT user
1104 * @param addr IPv4 address
1105 * @param fib_index FIB table index
1106 * @param thread_index thread index
1108 * @return NAT user data structure on success otherwise zero value
1110 snat_user_t *nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr,
1111 u32 fib_index, u32 thread_index);
1114 * @brief Allocate new NAT session or recycle last used
1117 * @param thread_index thread index
1119 * @return session data structure on success otherwise zero value
1121 snat_session_t *nat_session_alloc_or_recycle (snat_main_t * sm,
1123 u32 thread_index, f64 now);
1126 * @brief Allocate NAT endpoint-dependent session
1129 * @param thread_index thread index
1131 * @return session data structure on success otherwise zero value
1133 snat_session_t *nat_ed_session_alloc (snat_main_t * sm, snat_user_t * u,
1134 u32 thread_index, f64 now);
1137 * @brief Set address and port assignment algorithm for MAP-E CE
1139 * @param psid Port Set Identifier value
1140 * @param psid_offset number of offset bits
1141 * @param psid_length length of PSID
1143 void nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset,
1147 * @brief Set address and port assignment algorithm for port range
1149 * @param start_port beginning of the port range
1150 * @param end_port end of the port range
1152 void nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port);
1155 * @brief Set address and port assignment algorithm to default/standard
1157 void nat_set_alloc_addr_and_port_default (void);
1160 * @brief Free outside address and port pair
1162 * @param addresses vector of outside addresses
1163 * @param thread_index thread index
1164 * @param k address, port and protocol
1166 void snat_free_outside_address_and_port (snat_address_t * addresses,
1168 snat_session_key_t * k);
1171 * @brief Alloc outside address and port
1173 * @param addresses vector of outside addresses
1174 * @param fib_index FIB table index
1175 * @param thread_index thread index
1176 * @param k allocated address and port pair
1177 * @param port_per_thread number of ports per threead
1178 * @param snat_thread_index NAT thread index
1180 * @return 0 on success, non-zero value otherwise
1182 int snat_alloc_outside_address_and_port (snat_address_t * addresses,
1185 snat_session_key_t * k,
1186 u16 port_per_thread,
1187 u32 snat_thread_index);
1190 * @brief Match NAT44 static mapping.
1192 * @param match address and port to match
1193 * @param mapping external/local address and port of the matched mapping
1194 * @param by_external if 0 match by local address otherwise match by external
1196 * @param is_addr_only 1 if matched mapping is address only
1197 * @param twice_nat matched mapping is twice NAT type
1198 * @param lb 1 if matched mapping is load-balanced
1199 * @param ext_host_addr external host address
1201 * @returns 0 if match found otherwise 1.
1203 int snat_static_mapping_match (snat_main_t * sm,
1204 snat_session_key_t match,
1205 snat_session_key_t * mapping,
1208 twice_nat_type_t * twice_nat,
1210 ip4_address_t * ext_host_addr,
1211 u8 * is_identity_nat);
1214 * @brief Add/del NAT address to FIB.
1216 * Add the external NAT address to the FIB as receive entries. This ensures
1217 * that VPP will reply to ARP for this address and we don't need to enable
1218 * proxy ARP on the outside interface.
1220 * @param addr IPv4 address
1221 * @param plen address prefix length
1222 * @param sw_if_index software index of the outside interface
1223 * @param is_add 0 = delete, 1 = add.
1225 void snat_add_del_addr_to_fib (ip4_address_t * addr,
1226 u8 p_len, u32 sw_if_index, int is_add);
1229 * Why is this here? Because we don't need to touch this layer to
1230 * simply reply to an icmp. We need to change id to a unique
1231 * value to NAT an echo request/reply.
1238 } icmp_echo_header_t;
1242 u16 src_port, dst_port;
1245 #endif /* __included_nat_h__ */
1248 * fd.io coding-style-patch-verification: ON
1251 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob