2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vpp/app/version.h>
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/ip/ip_table.h>
22 #include <vnet/ip/reass/ip4_sv_reass.h>
23 #include <vnet/fib/fib_table.h>
24 #include <vnet/fib/ip4_fib.h>
25 #include <vnet/plugin/plugin.h>
26 #include <vppinfra/bihash_16_8.h>
28 #include <nat/lib/log.h>
29 #include <nat/lib/nat_inlines.h>
30 #include <nat/lib/ipfix_logging.h>
31 #include <vnet/syslog/syslog.h>
32 #include <nat/lib/nat_syslog_constants.h>
33 #include <nat/lib/nat_syslog.h>
35 #include <nat/nat44-ed/nat44_ed.h>
36 #include <nat/nat44-ed/nat44_ed_affinity.h>
37 #include <nat/nat44-ed/nat44_ed_inlines.h>
39 #include <vlib/stats/stats.h>
41 snat_main_t snat_main;
43 static_always_inline void nat_validate_interface_counters (snat_main_t *sm,
46 #define skip_if_disabled() \
49 snat_main_t *sm = &snat_main; \
50 if (PREDICT_FALSE (!sm->enabled)) \
55 #define fail_if_enabled() \
58 snat_main_t *sm = &snat_main; \
59 if (PREDICT_FALSE (sm->enabled)) \
61 nat_log_err ("plugin enabled"); \
67 #define fail_if_disabled() \
70 snat_main_t *sm = &snat_main; \
71 if (PREDICT_FALSE (!sm->enabled)) \
73 nat_log_err ("plugin disabled"); \
79 VNET_FEATURE_INIT (nat_pre_in2out, static) = {
80 .arc_name = "ip4-unicast",
81 .node_name = "nat-pre-in2out",
82 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
83 "ip4-sv-reassembly-feature"),
85 VNET_FEATURE_INIT (nat_pre_out2in, static) = {
86 .arc_name = "ip4-unicast",
87 .node_name = "nat-pre-out2in",
88 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
89 "ip4-dhcp-client-detect",
90 "ip4-sv-reassembly-feature"),
92 VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
93 .arc_name = "ip4-unicast",
94 .node_name = "nat44-ed-classify",
95 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
96 "ip4-sv-reassembly-feature"),
98 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
99 .arc_name = "ip4-unicast",
100 .node_name = "nat44-handoff-classify",
101 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
102 "ip4-sv-reassembly-feature"),
104 VNET_FEATURE_INIT (snat_in2out_worker_handoff, static) = {
105 .arc_name = "ip4-unicast",
106 .node_name = "nat44-in2out-worker-handoff",
107 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
109 VNET_FEATURE_INIT (snat_out2in_worker_handoff, static) = {
110 .arc_name = "ip4-unicast",
111 .node_name = "nat44-out2in-worker-handoff",
112 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
113 "ip4-dhcp-client-detect"),
115 VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
116 .arc_name = "ip4-unicast",
117 .node_name = "nat44-ed-in2out",
118 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
120 VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
121 .arc_name = "ip4-unicast",
122 .node_name = "nat44-ed-out2in",
123 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
124 "ip4-dhcp-client-detect"),
126 VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {
127 .arc_name = "ip4-output",
128 .node_name = "nat-pre-in2out-output",
129 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
130 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
132 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
133 .arc_name = "ip4-output",
134 .node_name = "nat44-in2out-output-worker-handoff",
135 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
136 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
138 VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
139 .arc_name = "ip4-output",
140 .node_name = "nat44-ed-in2out-output",
141 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
142 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
145 VLIB_PLUGIN_REGISTER () = {
146 .version = VPP_BUILD_VER,
147 .description = "Network Address Translation (NAT)",
150 static void nat44_ed_db_init (u32 translations, u32 translation_buckets);
151 static void nat44_ed_worker_db_free (snat_main_per_thread_data_t *tsm);
153 static int nat44_ed_add_static_mapping_internal (
154 ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port,
155 ip_protocol_t proto, u32 vrf_id, u32 sw_if_index, u32 flags,
156 ip4_address_t pool_addr, u8 *tag);
157 static int nat44_ed_del_static_mapping_internal (ip4_address_t l_addr,
158 ip4_address_t e_addr,
159 u16 l_port, u16 e_port,
161 u32 vrf_id, u32 flags);
163 u32 nat_calc_bihash_buckets (u32 n_elts);
165 static_always_inline int
166 nat44_ed_sm_i2o_add (snat_main_t *sm, snat_static_mapping_t *m,
167 ip4_address_t addr, u16 port, u32 fib_index, u8 proto)
169 ASSERT (!pool_is_free (sm->static_mappings, m));
170 clib_bihash_kv_16_8_t kv;
171 nat44_ed_sm_init_i2o_kv (&kv, addr.as_u32, port, fib_index, proto,
172 m - sm->static_mappings);
173 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 1 /*is_add*/);
176 static_always_inline int
177 nat44_ed_sm_i2o_del (snat_main_t *sm, ip4_address_t addr, u16 port,
178 u32 fib_index, u8 proto)
180 clib_bihash_kv_16_8_t kv;
181 nat44_ed_sm_init_i2o_k (&kv, addr.as_u32, port, fib_index, proto);
182 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 0 /*is_add*/);
185 static_always_inline int
186 nat44_ed_sm_o2i_add (snat_main_t *sm, snat_static_mapping_t *m,
187 ip4_address_t addr, u16 port, u32 fib_index, u8 proto)
189 ASSERT (!pool_is_free (sm->static_mappings, m));
190 clib_bihash_kv_16_8_t kv;
191 nat44_ed_sm_init_o2i_kv (&kv, addr.as_u32, port, fib_index, proto,
192 m - sm->static_mappings);
193 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 1 /*is_add*/);
196 static_always_inline int
197 nat44_ed_sm_o2i_del (snat_main_t *sm, ip4_address_t addr, u16 port,
198 u32 fib_index, u8 proto)
200 clib_bihash_kv_16_8_t kv;
201 nat44_ed_sm_init_o2i_k (&kv, addr.as_u32, port, fib_index, proto);
202 return clib_bihash_add_del_16_8 (&sm->flow_hash, &kv, 0 /*is_add*/);
206 nat44_ed_free_session_data (snat_main_t *sm, snat_session_t *s,
207 u32 thread_index, u8 is_ha)
209 per_vrf_sessions_unregister_session (s, thread_index);
211 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 0))
212 nat_elog_warn (sm, "flow hash del failed");
214 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 0))
215 nat_elog_warn (sm, "flow hash del failed");
217 if (na44_ed_is_fwd_bypass_session (s))
222 if (nat44_ed_is_affinity_session (s))
223 nat_affinity_unlock (s->ext_host_addr, s->out2in.addr, s->proto,
227 nat_syslog_nat44_sdel (0, s->in2out.fib_index, &s->in2out.addr,
228 s->in2out.port, &s->ext_host_nat_addr,
229 s->ext_host_nat_port, &s->out2in.addr,
230 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
231 s->proto, nat44_ed_is_twice_nat_session (s));
236 nat_ipfix_logging_nat44_ses_delete (
237 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32, s->proto,
238 s->in2out.port, s->out2in.port, s->in2out.fib_index);
242 static ip_interface_address_t *
243 nat44_ed_get_ip_interface_address (u32 sw_if_index, ip4_address_t addr)
245 snat_main_t *sm = &snat_main;
247 ip_lookup_main_t *lm = &sm->ip4_main->lookup_main;
248 ip_interface_address_t *ia;
251 foreach_ip_interface_address (
252 lm, ia, sw_if_index, 1, ({
253 ip4a = ip_interface_address_get_address (lm, ia);
254 nat_log_debug ("sw_if_idx: %u addr: %U ? %U", sw_if_index,
255 format_ip4_address, ip4a, format_ip4_address, &addr);
256 if (ip4a->as_u32 == addr.as_u32)
265 nat44_ed_resolve_nat_addr_len (snat_address_t *ap,
266 snat_interface_t *interfaces)
268 ip_interface_address_t *ia;
272 pool_foreach (i, interfaces)
274 if (!nat44_ed_is_interface_outside (i))
279 fib_index = ip4_fib_table_get_index_for_sw_if_index (i->sw_if_index);
280 if (fib_index != ap->fib_index)
285 if ((ia = nat44_ed_get_ip_interface_address (i->sw_if_index, ap->addr)))
287 ap->addr_len = ia->address_length;
288 ap->sw_if_index = i->sw_if_index;
289 ap->net.as_u32 = (ap->addr.as_u32 >> (32 - ap->addr_len))
290 << (32 - ap->addr_len);
292 nat_log_debug ("pool addr %U binds to -> sw_if_idx: %u net: %U/%u",
293 format_ip4_address, &ap->addr, ap->sw_if_index,
294 format_ip4_address, &ap->net, ap->addr_len);
302 nat44_ed_update_outside_if_addresses (snat_address_t *ap)
304 snat_main_t *sm = &snat_main;
306 if (!nat44_ed_resolve_nat_addr_len (ap, sm->interfaces))
311 if (!nat44_ed_resolve_nat_addr_len (ap, sm->output_feature_interfaces))
318 nat44_ed_bind_if_addr_to_nat_addr (u32 sw_if_index)
320 snat_main_t *sm = &snat_main;
321 ip_interface_address_t *ia;
324 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
326 vec_foreach (ap, sm->addresses)
328 if (fib_index != ap->fib_index)
333 if ((ia = nat44_ed_get_ip_interface_address (sw_if_index, ap->addr)))
335 ap->addr_len = ia->address_length;
336 ap->sw_if_index = sw_if_index;
337 ap->net.as_u32 = (ap->addr.as_u32 >> (32 - ap->addr_len))
338 << (32 - ap->addr_len);
340 nat_log_debug ("pool addr %U binds to -> sw_if_idx: %u net: %U/%u",
341 format_ip4_address, &ap->addr, ap->sw_if_index,
342 format_ip4_address, &ap->net, ap->addr_len);
348 static_always_inline snat_fib_entry_reg_t *
349 nat44_ed_get_fib_entry_reg (ip4_address_t addr, u32 sw_if_index, int *out_idx)
351 snat_main_t *sm = &snat_main;
352 snat_fib_entry_reg_t *fe;
355 for (i = 0; i < vec_len (sm->fib_entry_reg); i++)
357 fe = sm->fib_entry_reg + i;
358 if ((addr.as_u32 == fe->addr.as_u32) && (sw_if_index == fe->sw_if_index))
371 nat44_ed_add_fib_entry_reg (ip4_address_t addr, u32 sw_if_index)
373 // Add the external NAT address to the FIB as receive entries. This ensures
374 // that VPP will reply to ARP for this address and we don't need to enable
375 // proxy ARP on the outside interface.
376 snat_main_t *sm = &snat_main;
377 snat_fib_entry_reg_t *fe;
379 if (!(fe = nat44_ed_get_fib_entry_reg (addr, sw_if_index, 0)))
381 fib_prefix_t prefix = {
383 .fp_proto = FIB_PROTOCOL_IP4,
385 .ip4.as_u32 = addr.as_u32,
388 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
389 fib_table_entry_update_one_path (fib_index, &prefix, sm->fib_src_low,
390 (FIB_ENTRY_FLAG_CONNECTED |
391 FIB_ENTRY_FLAG_LOCAL |
392 FIB_ENTRY_FLAG_EXCLUSIVE),
393 DPO_PROTO_IP4, NULL, sw_if_index, ~0, 1,
394 NULL, FIB_ROUTE_PATH_FLAG_NONE);
396 vec_add2 (sm->fib_entry_reg, fe, 1);
397 clib_memset (fe, 0, sizeof (*fe));
398 fe->addr.as_u32 = addr.as_u32;
399 fe->sw_if_index = sw_if_index;
405 nat44_ed_del_fib_entry_reg (ip4_address_t addr, u32 sw_if_index)
407 snat_main_t *sm = &snat_main;
408 snat_fib_entry_reg_t *fe;
411 if ((fe = nat44_ed_get_fib_entry_reg (addr, sw_if_index, &i)))
416 fib_prefix_t prefix = {
418 .fp_proto = FIB_PROTOCOL_IP4,
420 .ip4.as_u32 = addr.as_u32,
424 ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
425 fib_table_entry_delete (fib_index, &prefix, sm->fib_src_low);
426 vec_del1 (sm->fib_entry_reg, i);
432 nat44_ed_add_del_interface_fib_reg_entries (ip4_address_t addr, u8 is_add)
434 snat_main_t *sm = &snat_main;
437 pool_foreach (i, sm->interfaces)
439 if (nat44_ed_is_interface_outside (i))
443 nat44_ed_add_fib_entry_reg (addr, i->sw_if_index);
447 nat44_ed_del_fib_entry_reg (addr, i->sw_if_index);
451 pool_foreach (i, sm->output_feature_interfaces)
453 if (nat44_ed_is_interface_outside (i))
457 nat44_ed_add_fib_entry_reg (addr, i->sw_if_index);
461 nat44_ed_del_fib_entry_reg (addr, i->sw_if_index);
467 static_always_inline void
468 nat44_ed_add_del_nat_addr_fib_reg_entries (u32 sw_if_index, u8 is_add)
470 snat_main_t *sm = &snat_main;
473 vec_foreach (ap, sm->addresses)
477 nat44_ed_add_fib_entry_reg (ap->addr, sw_if_index);
481 nat44_ed_del_fib_entry_reg (ap->addr, sw_if_index);
486 static_always_inline void
487 nat44_ed_add_del_sm_fib_reg_entries (u32 sw_if_index, u8 is_add)
489 snat_main_t *sm = &snat_main;
490 snat_static_mapping_t *m;
492 pool_foreach (m, sm->static_mappings)
496 nat44_ed_add_fib_entry_reg (m->external_addr, sw_if_index);
500 nat44_ed_del_fib_entry_reg (m->external_addr, sw_if_index);
506 nat44_ed_add_address (ip4_address_t *addr, u32 vrf_id, u8 twice_nat)
508 snat_main_t *sm = &snat_main;
509 snat_address_t *ap, *addresses;
511 addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses;
515 return VNET_API_ERROR_UNSUPPORTED;
518 // check if address already exists
519 vec_foreach (ap, addresses)
521 if (ap->addr.as_u32 == addr->as_u32)
523 nat_log_err ("address exist");
524 return VNET_API_ERROR_VALUE_EXIST;
530 vec_add2 (sm->twice_nat_addresses, ap, 1);
534 vec_add2 (sm->addresses, ap, 1);
543 ap->fib_index = fib_table_find_or_create_and_lock (
544 FIB_PROTOCOL_IP4, vrf_id, sm->fib_src_low);
549 // if we don't have enabled interface we don't add address
551 nat44_ed_add_del_interface_fib_reg_entries (*addr, 1);
552 nat44_ed_update_outside_if_addresses (ap);
558 nat44_ed_del_address (ip4_address_t addr, u8 twice_nat)
560 snat_main_t *sm = &snat_main;
561 snat_address_t *a = 0, *addresses;
563 u32 *ses_to_be_removed = 0, *ses_index;
564 snat_main_per_thread_data_t *tsm;
567 addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses;
569 for (j = 0; j < vec_len (addresses); j++)
571 if (addresses[j].addr.as_u32 == addr.as_u32)
579 nat_log_err ("no such address");
580 return VNET_API_ERROR_NO_SUCH_ENTRY;
583 // delete dynamic sessions only
584 vec_foreach (tsm, sm->per_thread_data)
586 pool_foreach (ses, tsm->sessions)
588 if (ses->flags & SNAT_SESSION_FLAG_STATIC_MAPPING)
592 if (ses->out2in.addr.as_u32 == addr.as_u32)
594 nat44_ed_free_session_data (sm, ses, tsm - sm->per_thread_data,
596 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
599 vec_foreach (ses_index, ses_to_be_removed)
601 ses = pool_elt_at_index (tsm->sessions, ses_index[0]);
602 nat_ed_session_delete (sm, ses, tsm - sm->per_thread_data, 1);
604 vec_free (ses_to_be_removed);
609 nat44_ed_add_del_interface_fib_reg_entries (addr, 0);
612 if (a->fib_index != ~0)
614 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
619 vec_del1 (sm->addresses, j);
623 vec_del1 (sm->twice_nat_addresses, j);
630 get_thread_idx_by_port (u16 e_port)
632 snat_main_t *sm = &snat_main;
633 u32 thread_idx = sm->num_workers;
634 if (sm->num_workers > 1)
637 sm->first_worker_index +
638 sm->workers[(e_port - 1024) / sm->port_per_thread];
644 nat_ed_static_mapping_del_sessions (snat_main_t * sm,
645 snat_main_per_thread_data_t * tsm,
646 ip4_address_t l_addr,
649 u32 fib_index, int addr_only,
650 ip4_address_t e_addr, u16 e_port)
653 u32 *indexes_to_free = NULL;
654 pool_foreach (s, tsm->sessions) {
655 if (s->in2out.fib_index != fib_index ||
656 s->in2out.addr.as_u32 != l_addr.as_u32)
662 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
663 s->out2in.port != e_port || s->in2out.port != l_port ||
664 s->proto != protocol)
668 if (nat44_ed_is_lb_session (s))
670 if (!nat44_ed_is_session_static (s))
672 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
673 vec_add1 (indexes_to_free, s - tsm->sessions);
678 vec_foreach (ses_index, indexes_to_free)
680 s = pool_elt_at_index (tsm->sessions, *ses_index);
681 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
683 vec_free (indexes_to_free);
686 static_always_inline snat_static_mapping_t *
687 nat44_ed_sm_lookup (snat_main_t *sm, clib_bihash_kv_16_8_t *kv)
689 clib_bihash_kv_16_8_t v;
690 int rc = clib_bihash_search_16_8 (&sm->flow_hash, kv, &v);
693 ASSERT (0 == ed_value_get_thread_index (&v));
694 return pool_elt_at_index (sm->static_mappings,
695 ed_value_get_session_index (&v));
700 snat_static_mapping_t *
701 nat44_ed_sm_o2i_lookup (snat_main_t *sm, ip4_address_t addr, u16 port,
702 u32 fib_index, u8 proto)
704 clib_bihash_kv_16_8_t kv;
705 nat44_ed_sm_init_o2i_k (&kv, addr.as_u32, port, fib_index, proto);
706 return nat44_ed_sm_lookup (sm, &kv);
709 snat_static_mapping_t *
710 nat44_ed_sm_i2o_lookup (snat_main_t *sm, ip4_address_t addr, u16 port,
711 u32 fib_index, u8 proto)
713 clib_bihash_kv_16_8_t kv;
714 nat44_ed_sm_init_i2o_k (&kv, addr.as_u32, port, fib_index, proto);
715 return nat44_ed_sm_lookup (sm, &kv);
718 static snat_static_mapping_resolve_t *
719 nat44_ed_get_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
720 ip_protocol_t proto, u32 vrf_id, u32 sw_if_index,
721 u32 flags, int *out_idx)
723 snat_static_mapping_resolve_t *rp;
724 snat_main_t *sm = &snat_main;
727 for (i = 0; i < vec_len (sm->sm_to_resolve); i++)
729 rp = sm->sm_to_resolve + i;
731 if (rp->sw_if_index == sw_if_index && rp->vrf_id == vrf_id)
733 if (is_sm_identity_nat (rp->flags) && is_sm_identity_nat (flags))
735 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
737 if (rp->e_port != e_port || rp->proto != proto)
743 else if (rp->l_addr.as_u32 == l_addr.as_u32)
745 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
747 if (rp->l_port != l_port || rp->e_port != e_port ||
769 nat44_ed_del_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
770 ip_protocol_t proto, u32 vrf_id, u32 sw_if_index,
773 snat_main_t *sm = &snat_main;
775 if (nat44_ed_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
776 sw_if_index, flags, &i))
778 vec_del1 (sm->sm_to_resolve, i);
784 static_always_inline int
785 nat44_ed_validate_sm_input (u32 flags)
787 // identity nat can be initiated only from inside interface
788 if (is_sm_identity_nat (flags) && is_sm_out2in_only (flags))
790 return VNET_API_ERROR_UNSUPPORTED;
793 if (is_sm_twice_nat (flags) || is_sm_self_twice_nat (flags))
795 if (is_sm_addr_only (flags) || is_sm_identity_nat (flags))
797 return VNET_API_ERROR_UNSUPPORTED;
804 nat44_ed_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
805 u16 l_port, u16 e_port, ip_protocol_t proto,
806 u32 vrf_id, u32 sw_if_index, u32 flags,
807 ip4_address_t pool_addr, u8 *tag)
809 snat_static_mapping_resolve_t *rp;
810 snat_main_t *sm = &snat_main;
815 return VNET_API_ERROR_UNSUPPORTED;
818 rv = nat44_ed_validate_sm_input (flags);
824 // interface bound mapping
825 if (is_sm_switch_address (flags))
827 if (nat44_ed_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
828 sw_if_index, flags, 0))
830 return VNET_API_ERROR_VALUE_EXIST;
833 vec_add2 (sm->sm_to_resolve, rp, 1);
834 rp->l_addr.as_u32 = l_addr.as_u32;
837 rp->sw_if_index = sw_if_index;
841 rp->pool_addr = pool_addr;
842 rp->tag = vec_dup (tag);
845 ip4_address_t *first_int_addr =
846 ip4_interface_first_address (sm->ip4_main, sw_if_index, 0);
852 e_addr.as_u32 = first_int_addr->as_u32;
856 rv = nat44_ed_add_static_mapping_internal (l_addr, e_addr, l_port, e_port,
857 proto, vrf_id, sw_if_index, flags,
859 if ((0 != rv) && is_sm_switch_address (flags))
861 nat44_ed_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
869 nat44_ed_del_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
870 u16 l_port, u16 e_port, ip_protocol_t proto,
871 u32 vrf_id, u32 sw_if_index, u32 flags)
873 snat_main_t *sm = &snat_main;
878 return VNET_API_ERROR_UNSUPPORTED;
881 rv = nat44_ed_validate_sm_input (flags);
887 // interface bound mapping
888 if (is_sm_switch_address (flags))
890 if (nat44_ed_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
893 return VNET_API_ERROR_NO_SUCH_ENTRY;
896 ip4_address_t *first_int_addr =
897 ip4_interface_first_address (sm->ip4_main, sw_if_index, 0);
900 // dhcp resolution required
904 e_addr.as_u32 = first_int_addr->as_u32;
907 return nat44_ed_del_static_mapping_internal (l_addr, e_addr, l_port, e_port,
908 proto, vrf_id, flags);
912 nat44_ed_add_static_mapping_internal (ip4_address_t l_addr,
913 ip4_address_t e_addr, u16 l_port,
914 u16 e_port, ip_protocol_t proto,
915 u32 vrf_id, u32 sw_if_index, u32 flags,
916 ip4_address_t pool_addr, u8 *tag)
918 snat_main_t *sm = &snat_main;
919 nat44_lb_addr_port_t *local;
920 snat_static_mapping_t *m;
923 if (is_sm_addr_only (flags))
925 e_port = l_port = proto = 0;
928 if (is_sm_identity_nat (flags))
931 l_addr.as_u32 = e_addr.as_u32;
934 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
938 // adding local identity nat record for different vrf table
940 if (!is_sm_identity_nat (m->flags))
942 return VNET_API_ERROR_VALUE_EXIST;
945 pool_foreach (local, m->locals)
947 if (local->vrf_id == vrf_id)
949 return VNET_API_ERROR_VALUE_EXIST;
953 pool_get (m->locals, local);
955 local->vrf_id = vrf_id;
956 local->fib_index = fib_table_find_or_create_and_lock (
957 FIB_PROTOCOL_IP4, vrf_id, sm->fib_src_low);
959 nat44_ed_sm_i2o_add (sm, m, m->local_addr, m->local_port,
960 local->fib_index, m->proto);
967 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
972 // fallback to default vrf
973 vrf_id = sm->inside_vrf_id;
974 fib_index = sm->inside_fib_index;
975 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
978 // test if local mapping record doesn't exist
979 // identity nat supports multiple records in local mapping
980 if (!(is_sm_out2in_only (flags) || is_sm_identity_nat (flags)))
982 if (nat44_ed_sm_i2o_lookup (sm, l_addr, l_port, fib_index, proto))
984 return VNET_API_ERROR_VALUE_EXIST;
988 pool_get (sm->static_mappings, m);
989 clib_memset (m, 0, sizeof (*m));
992 m->local_addr = l_addr;
993 m->external_addr = e_addr;
995 m->pool_addr = pool_addr;
996 m->tag = vec_dup (tag);
998 if (!is_sm_addr_only (flags))
1000 m->local_port = l_port;
1001 m->external_port = e_port;
1005 if (is_sm_identity_nat (flags))
1007 pool_get (m->locals, local);
1009 local->vrf_id = vrf_id;
1010 local->fib_index = fib_index;
1015 m->fib_index = fib_index;
1018 if (!is_sm_out2in_only (flags))
1020 nat44_ed_sm_i2o_add (sm, m, m->local_addr, m->local_port, fib_index,
1024 nat44_ed_sm_o2i_add (sm, m, m->external_addr, m->external_port, 0, m->proto);
1026 if (sm->num_workers > 1)
1028 // store worker index for this record
1030 .src_address = m->local_addr,
1034 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0);
1035 vec_add1 (m->workers, worker_index);
1038 nat44_ed_add_del_interface_fib_reg_entries (e_addr, 1);
1044 nat44_ed_del_static_mapping_internal (ip4_address_t l_addr,
1045 ip4_address_t e_addr, u16 l_port,
1046 u16 e_port, ip_protocol_t proto,
1047 u32 vrf_id, u32 flags)
1049 snat_main_per_thread_data_t *tsm;
1050 snat_main_t *sm = &snat_main;
1052 nat44_lb_addr_port_t *local;
1053 snat_static_mapping_t *m;
1056 if (is_sm_addr_only (flags))
1058 e_port = l_port = proto = 0;
1061 if (is_sm_identity_nat (flags))
1064 l_addr.as_u32 = e_addr.as_u32;
1068 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1071 return VNET_API_ERROR_NO_SUCH_ENTRY;
1074 if (is_sm_identity_nat (flags))
1080 vrf_id = sm->inside_vrf_id;
1083 pool_foreach (local, m->locals)
1085 if (local->vrf_id == vrf_id)
1087 local = pool_elt_at_index (m->locals, local - m->locals);
1088 fib_index = local->fib_index;
1089 pool_put (m->locals, local);
1096 return VNET_API_ERROR_NO_SUCH_ENTRY;
1101 fib_index = m->fib_index;
1104 if (!is_sm_out2in_only (flags))
1106 nat44_ed_sm_i2o_del (sm, l_addr, l_port, fib_index, proto);
1109 // delete sessions for static mapping
1110 if (sm->num_workers > 1)
1112 tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]);
1116 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1119 nat_ed_static_mapping_del_sessions (sm, tsm, m->local_addr, m->local_port,
1120 m->proto, fib_index,
1121 is_sm_addr_only (flags), e_addr, e_port);
1123 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
1125 if (!pool_elts (m->locals))
1127 // this is last record remove all required stuff
1129 nat44_ed_sm_o2i_del (sm, e_addr, e_port, 0, proto);
1132 vec_free (m->workers);
1133 pool_put (sm->static_mappings, m);
1135 nat44_ed_add_del_interface_fib_reg_entries (e_addr, 0);
1142 nat44_ed_add_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1143 ip_protocol_t proto,
1144 nat44_lb_addr_port_t *locals, u32 flags,
1145 u8 *tag, u32 affinity)
1147 snat_main_t *sm = &snat_main;
1148 snat_static_mapping_t *m;
1149 snat_address_t *a = 0;
1151 nat44_lb_addr_port_t *local;
1159 return VNET_API_ERROR_UNSUPPORTED;
1162 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1166 return VNET_API_ERROR_VALUE_EXIST;
1169 if (vec_len (locals) < 2)
1171 return VNET_API_ERROR_INVALID_VALUE;
1174 if (!is_sm_out2in_only (flags))
1176 /* Find external address in allocated addresses and reserve port for
1177 address and port pair mapping when dynamic translations enabled */
1178 for (i = 0; i < vec_len (sm->addresses); i++)
1180 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1182 /* External port must be unused */
1183 a = sm->addresses + i;
1184 if (nat44_ed_sm_o2i_lookup (sm, a->addr, e_port, 0, proto))
1186 return VNET_API_ERROR_VALUE_EXIST;
1191 // external address must be allocated
1194 return VNET_API_ERROR_NO_SUCH_ENTRY;
1198 pool_get (sm->static_mappings, m);
1199 clib_memset (m, 0, sizeof (*m));
1200 m->tag = vec_dup (tag);
1201 m->external_addr = e_addr;
1202 m->external_port = e_port;
1203 m->affinity = affinity;
1207 m->flags |= NAT_SM_FLAG_LB;
1210 m->affinity_per_service_list_head_index =
1211 nat_affinity_get_per_service_list_head_index ();
1213 m->affinity_per_service_list_head_index = ~0;
1215 if (nat44_ed_sm_o2i_add (sm, m, m->external_addr, m->external_port, 0,
1218 nat_log_err ("sm o2i key add failed");
1219 return VNET_API_ERROR_UNSPECIFIED;
1222 for (i = 0; i < vec_len (locals); i++)
1224 locals[i].fib_index = fib_table_find_or_create_and_lock (
1225 FIB_PROTOCOL_IP4, locals[i].vrf_id, sm->fib_src_low);
1226 if (!is_sm_out2in_only (flags))
1228 if (nat44_ed_sm_o2i_add (sm, m, e_addr, e_port, 0, proto))
1230 nat_log_err ("sm o2i key add failed");
1231 rc = VNET_API_ERROR_UNSPECIFIED;
1232 // here we continue with add operation so that it can be safely
1233 // reversed in delete path - otherwise we'd have to track what
1234 // we've done and deal with partial cleanups and since bihash
1235 // adds are (extremely improbable) the only points of failure,
1236 // it's easier to just do it this way
1239 locals[i].prefix = (i == 0) ?
1240 locals[i].probability :
1241 (locals[i - 1].prefix + locals[i].probability);
1242 pool_get (m->locals, local);
1244 if (sm->num_workers > 1)
1247 .src_address = locals[i].addr,
1249 bitmap = clib_bitmap_set (
1250 bitmap, nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0),
1255 /* Assign workers */
1256 if (sm->num_workers > 1)
1258 clib_bitmap_foreach (i, bitmap)
1260 vec_add1 (m->workers, i);
1268 nat44_ed_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
1269 ip_protocol_t proto, u32 flags)
1271 snat_main_t *sm = &snat_main;
1272 snat_static_mapping_t *m;
1274 nat44_lb_addr_port_t *local;
1275 snat_main_per_thread_data_t *tsm;
1280 return VNET_API_ERROR_UNSUPPORTED;
1283 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1285 return VNET_API_ERROR_NO_SUCH_ENTRY;
1287 if (!is_sm_lb (m->flags))
1288 return VNET_API_ERROR_INVALID_VALUE;
1290 if (nat44_ed_sm_o2i_del (sm, m->external_addr, m->external_port, 0,
1293 nat_log_err ("sm o2i key del failed");
1294 return VNET_API_ERROR_UNSPECIFIED;
1297 pool_foreach (local, m->locals)
1299 fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
1300 if (!is_sm_out2in_only (flags))
1302 if (nat44_ed_sm_i2o_del (sm, local->addr, local->port,
1303 local->fib_index, m->proto))
1305 nat_log_err ("sm i2o key del failed");
1306 return VNET_API_ERROR_UNSPECIFIED;
1310 if (sm->num_workers > 1)
1313 .src_address = local->addr,
1315 tsm = vec_elt_at_index (
1316 sm->per_thread_data,
1317 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0));
1320 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1322 /* Delete sessions */
1323 pool_foreach (s, tsm->sessions)
1325 if (!(nat44_ed_is_lb_session (s)))
1328 if ((s->in2out.addr.as_u32 != local->addr.as_u32) ||
1329 s->in2out.port != local->port)
1332 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1333 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1339 nat_affinity_flush_service (m->affinity_per_service_list_head_index);
1342 pool_free (m->locals);
1344 vec_free (m->workers);
1345 pool_put (sm->static_mappings, m);
1351 nat44_ed_add_del_lb_static_mapping_local (ip4_address_t e_addr, u16 e_port,
1352 ip4_address_t l_addr, u16 l_port,
1353 ip_protocol_t proto, u32 vrf_id,
1354 u8 probability, u8 is_add)
1356 snat_main_t *sm = &snat_main;
1357 snat_static_mapping_t *m = 0;
1358 nat44_lb_addr_port_t *local, *prev_local, *match_local = 0;
1359 snat_main_per_thread_data_t *tsm;
1367 return VNET_API_ERROR_UNSUPPORTED;
1370 m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
1374 return VNET_API_ERROR_NO_SUCH_ENTRY;
1377 if (!is_sm_lb (m->flags))
1379 return VNET_API_ERROR_INVALID_VALUE;
1382 pool_foreach (local, m->locals)
1384 if ((local->addr.as_u32 == l_addr.as_u32) && (local->port == l_port) &&
1385 (local->vrf_id == vrf_id))
1387 match_local = local;
1396 return VNET_API_ERROR_VALUE_EXIST;
1399 pool_get (m->locals, local);
1400 clib_memset (local, 0, sizeof (*local));
1401 local->addr.as_u32 = l_addr.as_u32;
1402 local->port = l_port;
1403 local->probability = probability;
1404 local->vrf_id = vrf_id;
1406 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
1409 if (!is_sm_out2in_only (m->flags))
1411 if (nat44_ed_sm_i2o_add (sm, m, l_addr, l_port, local->fib_index,
1414 nat_log_err ("sm i2o key add failed");
1415 pool_put (m->locals, local);
1416 return VNET_API_ERROR_UNSPECIFIED;
1423 return VNET_API_ERROR_NO_SUCH_ENTRY;
1425 if (pool_elts (m->locals) < 3)
1426 return VNET_API_ERROR_UNSPECIFIED;
1428 fib_table_unlock (match_local->fib_index, FIB_PROTOCOL_IP4,
1431 if (!is_sm_out2in_only (m->flags))
1433 if (nat44_ed_sm_i2o_del (sm, l_addr, l_port, match_local->fib_index,
1435 nat_log_err ("sm i2o key del failed");
1438 if (sm->num_workers > 1)
1441 .src_address = local->addr,
1443 tsm = vec_elt_at_index (
1444 sm->per_thread_data,
1445 nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index, 0));
1448 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1450 /* Delete sessions */
1451 pool_foreach (s, tsm->sessions) {
1452 if (!(nat44_ed_is_lb_session (s)))
1455 if ((s->in2out.addr.as_u32 != match_local->addr.as_u32) ||
1456 s->in2out.port != match_local->port)
1459 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
1460 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
1463 pool_put (m->locals, match_local);
1466 vec_free (m->workers);
1468 pool_foreach (local, m->locals)
1470 vec_add1 (locals, local - m->locals);
1471 if (sm->num_workers > 1)
1474 ip.src_address.as_u32 = local->addr.as_u32,
1475 bitmap = clib_bitmap_set (
1477 nat44_ed_get_in2out_worker_index (0, &ip, local->fib_index, 0), 1);
1481 ASSERT (vec_len (locals) > 1);
1483 local = pool_elt_at_index (m->locals, locals[0]);
1484 local->prefix = local->probability;
1485 for (i = 1; i < vec_len (locals); i++)
1487 local = pool_elt_at_index (m->locals, locals[i]);
1488 prev_local = pool_elt_at_index (m->locals, locals[i - 1]);
1489 local->prefix = local->probability + prev_local->prefix;
1492 /* Assign workers */
1493 if (sm->num_workers > 1)
1495 clib_bitmap_foreach (i, bitmap) { vec_add1(m->workers, i); }
1502 expire_per_vrf_sessions (u32 fib_index)
1504 per_vrf_sessions_t *per_vrf_sessions;
1505 snat_main_per_thread_data_t *tsm;
1506 snat_main_t *sm = &snat_main;
1508 vec_foreach (tsm, sm->per_thread_data)
1510 vec_foreach (per_vrf_sessions, tsm->per_vrf_sessions_vec)
1512 if ((per_vrf_sessions->rx_fib_index == fib_index) ||
1513 (per_vrf_sessions->tx_fib_index == fib_index))
1515 per_vrf_sessions->expired = 1;
1522 update_per_vrf_sessions_vec (u32 fib_index, int is_del)
1524 snat_main_t *sm = &snat_main;
1527 // we don't care if it is outside/inside fib
1528 // we just care about their ref_count
1529 // if it reaches 0 sessions should expire
1530 // because the fib isn't valid for NAT anymore
1532 vec_foreach (fib, sm->fibs)
1534 if (fib->fib_index == fib_index)
1539 if (!fib->ref_count)
1541 vec_del1 (sm->fibs, fib - sm->fibs);
1542 expire_per_vrf_sessions (fib_index);
1552 vec_add2 (sm->fibs, fib, 1);
1554 fib->fib_index = fib_index;
1558 static_always_inline nat_outside_fib_t *
1559 nat44_ed_get_outside_fib (nat_outside_fib_t *outside_fibs, u32 fib_index)
1561 nat_outside_fib_t *f;
1562 vec_foreach (f, outside_fibs)
1564 if (f->fib_index == fib_index)
1572 static_always_inline snat_interface_t *
1573 nat44_ed_get_interface (snat_interface_t *interfaces, u32 sw_if_index)
1575 snat_interface_t *i;
1576 pool_foreach (i, interfaces)
1578 if (i->sw_if_index == sw_if_index)
1587 nat44_ed_add_interface (u32 sw_if_index, u8 is_inside)
1589 const char *del_feature_name, *feature_name;
1590 snat_main_t *sm = &snat_main;
1592 nat_outside_fib_t *outside_fib;
1593 snat_interface_t *i;
1599 nat_log_err ("nat44 is disabled");
1600 return VNET_API_ERROR_UNSUPPORTED;
1603 if (nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index))
1605 nat_log_err ("error interface already configured");
1606 return VNET_API_ERROR_VALUE_EXIST;
1609 i = nat44_ed_get_interface (sm->interfaces, sw_if_index);
1612 if ((nat44_ed_is_interface_inside (i) && is_inside) ||
1613 (nat44_ed_is_interface_outside (i) && !is_inside))
1617 if (sm->num_workers > 1)
1619 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1620 "nat44-out2in-worker-handoff";
1621 feature_name = "nat44-handoff-classify";
1625 del_feature_name = !is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1627 feature_name = "nat44-ed-classify";
1630 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1633 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1634 sw_if_index, 0, 0, 0);
1635 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1640 if (sm->num_workers > 1)
1642 feature_name = is_inside ? "nat44-in2out-worker-handoff" :
1643 "nat44-out2in-worker-handoff";
1647 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1650 nat_validate_interface_counters (sm, sw_if_index);
1651 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1654 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1657 pool_get (sm->interfaces, i);
1658 i->sw_if_index = sw_if_index;
1663 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1665 update_per_vrf_sessions_vec (fib_index, 0 /*is_del*/);
1669 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1671 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1674 outside_fib->refcount++;
1678 vec_add2 (sm->outside_fibs, outside_fib, 1);
1679 outside_fib->fib_index = fib_index;
1680 outside_fib->refcount = 1;
1683 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 1);
1684 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 1);
1686 nat44_ed_bind_if_addr_to_nat_addr (sw_if_index);
1690 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1697 nat44_ed_del_interface (u32 sw_if_index, u8 is_inside)
1699 const char *del_feature_name, *feature_name;
1700 snat_main_t *sm = &snat_main;
1702 nat_outside_fib_t *outside_fib;
1703 snat_interface_t *i;
1709 nat_log_err ("nat44 is disabled");
1710 return VNET_API_ERROR_UNSUPPORTED;
1713 i = nat44_ed_get_interface (sm->interfaces, sw_if_index);
1716 nat_log_err ("error interface couldn't be found");
1717 return VNET_API_ERROR_NO_SUCH_ENTRY;
1720 if (nat44_ed_is_interface_inside (i) && nat44_ed_is_interface_outside (i))
1722 if (sm->num_workers > 1)
1724 del_feature_name = "nat44-handoff-classify";
1725 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1726 "nat44-out2in-worker-handoff";
1730 del_feature_name = "nat44-ed-classify";
1731 feature_name = !is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1734 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1739 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1740 sw_if_index, 0, 0, 0);
1741 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1,
1746 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1750 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1755 if (sm->num_workers > 1)
1757 feature_name = is_inside ? "nat44-in2out-worker-handoff" :
1758 "nat44-out2in-worker-handoff";
1762 feature_name = is_inside ? "nat-pre-in2out" : "nat-pre-out2in";
1765 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1770 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 0,
1774 pool_put (sm->interfaces, i);
1778 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1780 update_per_vrf_sessions_vec (fib_index, 1 /*is_del*/);
1784 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1787 outside_fib->refcount--;
1788 if (!outside_fib->refcount)
1790 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1794 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 0);
1795 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 0);
1802 nat44_ed_add_output_interface (u32 sw_if_index)
1804 snat_main_t *sm = &snat_main;
1806 nat_outside_fib_t *outside_fib;
1807 snat_interface_t *i;
1813 nat_log_err ("nat44 is disabled");
1814 return VNET_API_ERROR_UNSUPPORTED;
1817 if (nat44_ed_get_interface (sm->interfaces, sw_if_index))
1819 nat_log_err ("error interface already configured");
1820 return VNET_API_ERROR_VALUE_EXIST;
1823 if (nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index))
1825 nat_log_err ("error interface already configured");
1826 return VNET_API_ERROR_VALUE_EXIST;
1829 if (sm->num_workers > 1)
1831 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1837 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
1843 vnet_feature_enable_disable (
1844 "ip4-unicast", "nat44-out2in-worker-handoff", sw_if_index, 1, 0, 0);
1845 vnet_feature_enable_disable ("ip4-output",
1846 "nat44-in2out-output-worker-handoff",
1847 sw_if_index, 1, 0, 0);
1851 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
1857 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
1863 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
1864 sw_if_index, 1, 0, 0);
1865 vnet_feature_enable_disable ("ip4-output", "nat-pre-in2out-output",
1866 sw_if_index, 1, 0, 0);
1869 nat_validate_interface_counters (sm, sw_if_index);
1871 pool_get (sm->output_feature_interfaces, i);
1872 i->sw_if_index = sw_if_index;
1874 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1875 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1878 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1879 update_per_vrf_sessions_vec (fib_index, 0 /*is_del*/);
1881 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1884 outside_fib->refcount++;
1888 vec_add2 (sm->outside_fibs, outside_fib, 1);
1889 outside_fib->fib_index = fib_index;
1890 outside_fib->refcount = 1;
1893 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 1);
1894 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 1);
1896 nat44_ed_bind_if_addr_to_nat_addr (sw_if_index);
1902 nat44_ed_del_output_interface (u32 sw_if_index)
1904 snat_main_t *sm = &snat_main;
1906 nat_outside_fib_t *outside_fib;
1907 snat_interface_t *i;
1913 nat_log_err ("nat44 is disabled");
1914 return VNET_API_ERROR_UNSUPPORTED;
1917 i = nat44_ed_get_interface (sm->output_feature_interfaces, sw_if_index);
1920 nat_log_err ("error interface couldn't be found");
1921 return VNET_API_ERROR_NO_SUCH_ENTRY;
1924 if (sm->num_workers > 1)
1926 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1932 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1938 vnet_feature_enable_disable (
1939 "ip4-unicast", "nat44-out2in-worker-handoff", sw_if_index, 0, 0, 0);
1940 vnet_feature_enable_disable ("ip4-output",
1941 "nat44-in2out-output-worker-handoff",
1942 sw_if_index, 0, 0, 0);
1946 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1952 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1958 vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
1959 sw_if_index, 0, 0, 0);
1960 vnet_feature_enable_disable ("ip4-output", "nat-pre-in2out-output",
1961 sw_if_index, 0, 0, 0);
1965 pool_put (sm->output_feature_interfaces, i);
1968 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1969 update_per_vrf_sessions_vec (fib_index, 1 /*is_del*/);
1971 outside_fib = nat44_ed_get_outside_fib (sm->outside_fibs, fib_index);
1974 outside_fib->refcount--;
1975 if (!outside_fib->refcount)
1977 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
1981 nat44_ed_add_del_nat_addr_fib_reg_entries (sw_if_index, 0);
1982 nat44_ed_add_del_sm_fib_reg_entries (sw_if_index, 0);
1988 snat_set_workers (uword * bitmap)
1990 snat_main_t *sm = &snat_main;
1993 if (sm->num_workers < 2)
1994 return VNET_API_ERROR_FEATURE_DISABLED;
1996 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
1997 return VNET_API_ERROR_INVALID_WORKER;
1999 vec_free (sm->workers);
2000 clib_bitmap_foreach (i, bitmap)
2002 vec_add1(sm->workers, i);
2003 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
2004 sm->per_thread_data[sm->first_worker_index + i].thread_index = i;
2008 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
2014 nat44_ed_set_frame_queue_nelts (u32 frame_queue_nelts)
2017 snat_main_t *sm = &snat_main;
2019 if ((sm->fq_in2out_index != ~0) || (sm->fq_out2in_index != ~0) ||
2020 (sm->fq_in2out_output_index != ~0))
2022 // frame queu nelts can be set only before first
2023 // call to nat44_plugin_enable after that it
2024 // doesn't make sense
2025 nat_log_err ("Frame queue was already initialized. "
2026 "Change is not possible");
2030 sm->frame_queue_nelts = frame_queue_nelts;
2035 nat44_ed_update_outside_fib_cb (ip4_main_t *im, uword opaque, u32 sw_if_index,
2036 u32 new_fib_index, u32 old_fib_index)
2038 snat_main_t *sm = &snat_main;
2039 nat_outside_fib_t *outside_fib;
2040 snat_interface_t *i;
2044 if (!sm->enabled || (new_fib_index == old_fib_index)
2045 || (!vec_len (sm->outside_fibs)))
2050 pool_foreach (i, sm->interfaces)
2052 if (i->sw_if_index == sw_if_index)
2054 if (!(nat44_ed_is_interface_outside (i)))
2060 pool_foreach (i, sm->output_feature_interfaces)
2062 if (i->sw_if_index == sw_if_index)
2064 if (!(nat44_ed_is_interface_outside (i)))
2073 vec_foreach (outside_fib, sm->outside_fibs)
2075 if (outside_fib->fib_index == old_fib_index)
2077 outside_fib->refcount--;
2078 if (!outside_fib->refcount)
2079 vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs);
2084 vec_foreach (outside_fib, sm->outside_fibs)
2086 if (outside_fib->fib_index == new_fib_index)
2088 outside_fib->refcount++;
2096 vec_add2 (sm->outside_fibs, outside_fib, 1);
2097 outside_fib->refcount = 1;
2098 outside_fib->fib_index = new_fib_index;
2102 static void nat44_ed_update_outside_fib_cb (ip4_main_t *im, uword opaque,
2103 u32 sw_if_index, u32 new_fib_index,
2106 static void nat44_ed_add_del_interface_address_cb (
2107 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
2108 u32 address_length, u32 if_address_index, u32 is_delete);
2110 static void nat44_ed_add_del_static_mapping_cb (
2111 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
2112 u32 address_length, u32 if_address_index, u32 is_delete);
2115 test_key_calc_split ()
2117 ip4_address_t l_addr;
2118 l_addr.as_u8[0] = 1;
2119 l_addr.as_u8[1] = 1;
2120 l_addr.as_u8[2] = 1;
2121 l_addr.as_u8[3] = 1;
2122 ip4_address_t r_addr;
2123 r_addr.as_u8[0] = 2;
2124 r_addr.as_u8[1] = 2;
2125 r_addr.as_u8[2] = 2;
2126 r_addr.as_u8[3] = 2;
2130 u32 fib_index = 9000001;
2131 u32 thread_index = 3000000001;
2132 u32 session_index = 3000000221;
2133 clib_bihash_kv_16_8_t kv;
2134 init_ed_kv (&kv, l_addr.as_u32, l_port, r_addr.as_u32, r_port, fib_index,
2135 proto, thread_index, session_index);
2136 ip4_address_t l_addr2;
2137 ip4_address_t r_addr2;
2138 clib_memset (&l_addr2, 0, sizeof (l_addr2));
2139 clib_memset (&r_addr2, 0, sizeof (r_addr2));
2144 split_ed_kv (&kv, &l_addr2, &r_addr2, &proto2, &fib_index2, &l_port2,
2146 ASSERT (l_addr.as_u32 == l_addr2.as_u32);
2147 ASSERT (r_addr.as_u32 == r_addr2.as_u32);
2148 ASSERT (l_port == l_port2);
2149 ASSERT (r_port == r_port2);
2150 ASSERT (proto == proto2);
2151 ASSERT (fib_index == fib_index2);
2152 ASSERT (thread_index == ed_value_get_thread_index (&kv));
2153 ASSERT (session_index == ed_value_get_session_index (&kv));
2156 static clib_error_t *
2157 nat_ip_table_add_del (vnet_main_t * vnm, u32 table_id, u32 is_add)
2162 fib_index = ip4_fib_index_from_table_id (table_id);
2163 if (fib_index != ~0)
2165 expire_per_vrf_sessions (fib_index);
2171 VNET_IP_TABLE_ADD_DEL_FUNCTION (nat_ip_table_add_del);
2173 #define nat_validate_simple_counter(c, i) \
2176 vlib_validate_simple_counter (&c, i); \
2177 vlib_zero_simple_counter (&c, i); \
2181 #define nat_init_simple_counter(c, n, sn) \
2185 c.stat_segment_name = sn; \
2186 nat_validate_simple_counter (c, 0); \
2190 static_always_inline void
2191 nat_validate_interface_counters (snat_main_t *sm, u32 sw_if_index)
2194 nat_validate_simple_counter (sm->counters.fastpath.in2out.x, sw_if_index); \
2195 nat_validate_simple_counter (sm->counters.fastpath.out2in.x, sw_if_index); \
2196 nat_validate_simple_counter (sm->counters.slowpath.in2out.x, sw_if_index); \
2197 nat_validate_simple_counter (sm->counters.slowpath.out2in.x, sw_if_index);
2198 foreach_nat_counter;
2200 nat_validate_simple_counter (sm->counters.hairpinning, sw_if_index);
2203 static clib_error_t *
2204 nat_init (vlib_main_t * vm)
2206 snat_main_t *sm = &snat_main;
2207 vlib_thread_main_t *tm = vlib_get_thread_main ();
2208 vlib_thread_registration_t *tr;
2209 ip4_add_del_interface_address_callback_t cbi = { 0 };
2210 ip4_table_bind_callback_t cbt = { 0 };
2211 u32 i, num_threads = 0;
2212 uword *p, *bitmap = 0;
2214 clib_memset (sm, 0, sizeof (*sm));
2217 sm->vnet_main = vnet_get_main ();
2219 sm->ip4_main = &ip4_main;
2221 // frame queue indices used for handoff
2222 sm->fq_out2in_index = ~0;
2223 sm->fq_in2out_index = ~0;
2224 sm->fq_in2out_output_index = ~0;
2226 sm->log_level = NAT_LOG_ERROR;
2228 sm->log_class = vlib_log_register_class ("nat", 0);
2229 nat_ipfix_logging_init (vm);
2231 nat_init_simple_counter (sm->total_sessions, "total-sessions",
2232 "/nat44-ed/total-sessions");
2233 sm->max_cfg_sessions_gauge =
2234 vlib_stats_add_gauge ("/nat44-ed/max-cfg-sessions");
2237 nat_init_simple_counter (sm->counters.fastpath.in2out.x, #x, \
2238 "/nat44-ed/in2out/fastpath/" #x); \
2239 nat_init_simple_counter (sm->counters.fastpath.out2in.x, #x, \
2240 "/nat44-ed/out2in/fastpath/" #x); \
2241 nat_init_simple_counter (sm->counters.slowpath.in2out.x, #x, \
2242 "/nat44-ed/in2out/slowpath/" #x); \
2243 nat_init_simple_counter (sm->counters.slowpath.out2in.x, #x, \
2244 "/nat44-ed/out2in/slowpath/" #x);
2245 foreach_nat_counter;
2247 nat_init_simple_counter (sm->counters.hairpinning, "hairpinning",
2248 "/nat44-ed/hairpinning");
2250 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
2253 tr = (vlib_thread_registration_t *) p[0];
2256 sm->num_workers = tr->count;
2257 sm->first_worker_index = tr->first_index;
2260 num_threads = tm->n_vlib_mains - 1;
2261 sm->port_per_thread = 0xffff - 1024;
2262 vec_validate (sm->per_thread_data, num_threads);
2264 /* Use all available workers by default */
2265 if (sm->num_workers > 1)
2267 for (i = 0; i < sm->num_workers; i++)
2268 bitmap = clib_bitmap_set (bitmap, i, 1);
2269 snat_set_workers (bitmap);
2270 clib_bitmap_free (bitmap);
2274 sm->per_thread_data[0].snat_thread_index = 0;
2277 /* callbacks to call when interface address changes. */
2278 cbi.function = nat44_ed_add_del_interface_address_cb;
2279 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2280 cbi.function = nat44_ed_add_del_static_mapping_cb;
2281 vec_add1 (sm->ip4_main->add_del_interface_address_callbacks, cbi);
2283 /* callbacks to call when interface to table biding changes */
2284 cbt.function = nat44_ed_update_outside_fib_cb;
2285 vec_add1 (sm->ip4_main->table_bind_callbacks, cbt);
2288 fib_source_allocate ("nat-low", FIB_SOURCE_PRIORITY_LOW,
2289 FIB_SOURCE_BH_SIMPLE);
2291 fib_source_allocate ("nat-hi", FIB_SOURCE_PRIORITY_HI,
2292 FIB_SOURCE_BH_SIMPLE);
2294 nat_affinity_init (vm);
2295 test_key_calc_split ();
2297 return nat44_api_hookup (vm);
2300 VLIB_INIT_FUNCTION (nat_init);
2303 nat44_plugin_enable (nat44_config_t c)
2305 snat_main_t *sm = &snat_main;
2309 sm->forwarding_enabled = 0;
2310 sm->mss_clamping = 0;
2313 c.sessions = 63 * 1024;
2315 sm->max_translations_per_thread = c.sessions;
2316 vlib_stats_set_gauge (sm->max_cfg_sessions_gauge,
2317 sm->max_translations_per_thread);
2318 sm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
2320 vec_add1 (sm->max_translations_per_fib, sm->max_translations_per_thread);
2322 sm->inside_vrf_id = c.inside_vrf;
2323 sm->inside_fib_index =
2324 fib_table_find_or_create_and_lock
2325 (FIB_PROTOCOL_IP4, c.inside_vrf, sm->fib_src_hi);
2327 sm->outside_vrf_id = c.outside_vrf;
2328 sm->outside_fib_index = fib_table_find_or_create_and_lock (
2329 FIB_PROTOCOL_IP4, c.outside_vrf, sm->fib_src_hi);
2331 nat44_ed_db_init (sm->max_translations_per_thread, sm->translation_buckets);
2333 nat44_ed_init_tcp_state_stable (sm);
2335 nat_affinity_enable ();
2337 nat_reset_timeouts (&sm->timeouts);
2339 vlib_zero_simple_counter (&sm->total_sessions, 0);
2341 if (!sm->frame_queue_nelts)
2343 sm->frame_queue_nelts = NAT_FQ_NELTS_DEFAULT;
2346 if (sm->num_workers > 1)
2348 vlib_main_t *vm = vlib_get_main ();
2351 if (sm->fq_in2out_index == ~0)
2353 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
2354 sm->fq_in2out_index =
2355 vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);
2357 if (sm->fq_out2in_index == ~0)
2359 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
2360 sm->fq_out2in_index =
2361 vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);
2363 if (sm->fq_in2out_output_index == ~0)
2365 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-output");
2366 sm->fq_in2out_output_index =
2367 vlib_frame_queue_main_init (node->index, sm->frame_queue_nelts);
2378 nat44_ed_del_addresses ()
2380 snat_main_t *sm = &snat_main;
2381 snat_address_t *a, *vec;
2384 vec = vec_dup (sm->addresses);
2385 vec_foreach (a, vec)
2387 error = nat44_ed_del_address (a->addr, 0);
2390 nat_log_err ("error occurred while removing adderess");
2394 vec_free (sm->addresses);
2397 vec = vec_dup (sm->twice_nat_addresses);
2398 vec_foreach (a, vec)
2400 error = nat44_ed_del_address (a->addr, 1);
2403 nat_log_err ("error occurred while removing adderess");
2407 vec_free (sm->twice_nat_addresses);
2408 sm->twice_nat_addresses = 0;
2410 vec_free (sm->addr_to_resolve);
2411 sm->addr_to_resolve = 0;
2417 nat44_ed_del_interfaces ()
2419 snat_main_t *sm = &snat_main;
2420 snat_interface_t *i, *pool;
2423 pool = pool_dup (sm->interfaces);
2424 pool_foreach (i, pool)
2426 if (nat44_ed_is_interface_inside (i))
2428 error = nat44_ed_del_interface (i->sw_if_index, 1);
2430 if (nat44_ed_is_interface_outside (i))
2432 error = nat44_ed_del_interface (i->sw_if_index, 0);
2437 nat_log_err ("error occurred while removing interface");
2441 pool_free (sm->interfaces);
2447 nat44_ed_del_output_interfaces ()
2449 snat_main_t *sm = &snat_main;
2450 snat_interface_t *i, *pool;
2453 pool = pool_dup (sm->output_feature_interfaces);
2454 pool_foreach (i, pool)
2456 error = nat44_ed_del_output_interface (i->sw_if_index);
2459 nat_log_err ("error occurred while removing output interface");
2463 pool_free (sm->output_feature_interfaces);
2464 sm->output_feature_interfaces = 0;
2469 nat44_ed_del_static_mappings ()
2471 snat_main_t *sm = &snat_main;
2472 snat_static_mapping_t *m, *pool;
2475 pool = pool_dup (sm->static_mappings);
2476 pool_foreach (m, pool)
2478 error = nat44_ed_del_static_mapping_internal (
2479 m->local_addr, m->external_addr, m->local_port, m->external_port,
2480 m->proto, m->vrf_id, m->flags);
2483 nat_log_err ("error occurred while removing mapping");
2487 pool_free (sm->static_mappings);
2488 sm->static_mappings = 0;
2490 vec_free (sm->sm_to_resolve);
2491 sm->sm_to_resolve = 0;
2497 nat44_plugin_disable ()
2499 snat_main_per_thread_data_t *tsm;
2500 snat_main_t *sm = &snat_main;
2503 fail_if_disabled ();
2505 rc = nat44_ed_del_static_mappings ();
2509 rc = nat44_ed_del_addresses ();
2513 rc = nat44_ed_del_interfaces ();
2517 rc = nat44_ed_del_output_interfaces ();
2521 vec_free (sm->max_translations_per_fib);
2522 sm->max_translations_per_fib = 0;
2524 clib_bihash_free_16_8 (&sm->flow_hash);
2526 vec_foreach (tsm, sm->per_thread_data)
2528 nat44_ed_worker_db_free (tsm);
2531 clib_memset (&sm->rconfig, 0, sizeof (sm->rconfig));
2533 nat_affinity_disable ();
2535 sm->forwarding_enabled = 0;
2542 nat44_ed_forwarding_enable_disable (u8 is_enable)
2544 snat_main_per_thread_data_t *tsm;
2545 snat_main_t *sm = &snat_main;
2548 u32 *ses_to_be_removed = 0, *ses_index;
2550 sm->forwarding_enabled = is_enable != 0;
2552 if (!sm->enabled || is_enable)
2557 vec_foreach (tsm, sm->per_thread_data)
2559 pool_foreach (s, tsm->sessions)
2561 if (na44_ed_is_fwd_bypass_session (s))
2563 vec_add1 (ses_to_be_removed, s - tsm->sessions);
2566 vec_foreach (ses_index, ses_to_be_removed)
2568 s = pool_elt_at_index (tsm->sessions, ses_index[0]);
2569 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
2570 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
2573 vec_free (ses_to_be_removed);
2577 static_always_inline snat_static_mapping_t *
2578 nat44_ed_sm_match (snat_main_t *sm, ip4_address_t match_addr, u16 match_port,
2579 u32 match_fib_index, ip_protocol_t match_protocol,
2582 snat_static_mapping_t *m;
2585 m = nat44_ed_sm_i2o_lookup (sm, match_addr, match_port, match_fib_index,
2590 /* Try address only mapping */
2591 m = nat44_ed_sm_i2o_lookup (sm, match_addr, 0, match_fib_index, 0);
2595 if (sm->inside_fib_index != match_fib_index)
2597 m = nat44_ed_sm_i2o_lookup (sm, match_addr, match_port,
2598 sm->inside_fib_index, match_protocol);
2602 /* Try address only mapping */
2603 m = nat44_ed_sm_i2o_lookup (sm, match_addr, 0, sm->inside_fib_index,
2608 if (sm->outside_fib_index != match_fib_index)
2610 m = nat44_ed_sm_i2o_lookup (sm, match_addr, match_port,
2611 sm->outside_fib_index, match_protocol);
2615 /* Try address only mapping */
2616 m = nat44_ed_sm_i2o_lookup (sm, match_addr, 0, sm->outside_fib_index,
2625 nat44_ed_sm_o2i_lookup (sm, match_addr, match_port, 0, match_protocol);
2629 /* Try address only mapping */
2630 m = nat44_ed_sm_o2i_lookup (sm, match_addr, 0, 0, 0);
2638 snat_static_mapping_match (vlib_main_t *vm, snat_main_t *sm,
2639 ip4_address_t match_addr, u16 match_port,
2640 u32 match_fib_index, ip_protocol_t match_protocol,
2641 ip4_address_t *mapping_addr, u16 *mapping_port,
2642 u32 *mapping_fib_index, int by_external,
2643 u8 *is_addr_only, twice_nat_type_t *twice_nat,
2644 lb_nat_type_t *lb, ip4_address_t *ext_host_addr,
2645 u8 *is_identity_nat, snat_static_mapping_t **out)
2647 snat_static_mapping_t *m;
2648 u32 rand, lo = 0, hi, mid, *tmp = 0, i;
2649 nat44_lb_addr_port_t *local;
2652 m = nat44_ed_sm_match (sm, match_addr, match_port, match_fib_index,
2653 match_protocol, by_external);
2661 if (is_sm_lb (m->flags))
2663 if (PREDICT_FALSE (lb != 0))
2664 *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT;
2665 if (m->affinity && !nat_affinity_find_and_lock (
2666 vm, ext_host_addr[0], match_addr,
2667 match_protocol, match_port, &backend_index))
2669 local = pool_elt_at_index (m->locals, backend_index);
2670 *mapping_addr = local->addr;
2671 *mapping_port = local->port;
2672 *mapping_fib_index = local->fib_index;
2675 // pick locals matching this worker
2676 if (PREDICT_FALSE (sm->num_workers > 1))
2678 u32 thread_index = vlib_get_thread_index ();
2679 pool_foreach_index (i, m->locals)
2681 local = pool_elt_at_index (m->locals, i);
2684 .src_address = local->addr,
2687 if (nat44_ed_get_in2out_worker_index (0, &ip, m->fib_index,
2693 ASSERT (vec_len (tmp) != 0);
2697 pool_foreach_index (i, m->locals)
2702 hi = vec_len (tmp) - 1;
2703 local = pool_elt_at_index (m->locals, tmp[hi]);
2704 rand = 1 + (random_u32 (&sm->random_seed) % local->prefix);
2707 mid = ((hi - lo) >> 1) + lo;
2708 local = pool_elt_at_index (m->locals, tmp[mid]);
2709 (rand > local->prefix) ? (lo = mid + 1) : (hi = mid);
2711 local = pool_elt_at_index (m->locals, tmp[lo]);
2712 if (!(local->prefix >= rand))
2714 *mapping_addr = local->addr;
2715 *mapping_port = local->port;
2716 *mapping_fib_index = local->fib_index;
2719 if (nat_affinity_create_and_lock (ext_host_addr[0], match_addr,
2720 match_protocol, match_port,
2721 tmp[lo], m->affinity,
2722 m->affinity_per_service_list_head_index))
2723 nat_elog_info (sm, "create affinity record failed");
2729 if (PREDICT_FALSE (lb != 0))
2731 *mapping_fib_index = m->fib_index;
2732 *mapping_addr = m->local_addr;
2733 /* Address only mapping doesn't change port */
2735 is_sm_addr_only (m->flags) ? match_port : m->local_port;
2740 *mapping_addr = m->external_addr;
2741 /* Address only mapping doesn't change port */
2743 is_sm_addr_only (m->flags) ? match_port : m->external_port;
2744 *mapping_fib_index = sm->outside_fib_index;
2748 if (PREDICT_FALSE (is_addr_only != 0))
2749 *is_addr_only = is_sm_addr_only (m->flags);
2751 if (PREDICT_FALSE (twice_nat != 0))
2753 *twice_nat = TWICE_NAT_DISABLED;
2755 if (is_sm_twice_nat (m->flags))
2757 *twice_nat = TWICE_NAT;
2759 else if (is_sm_self_twice_nat (m->flags))
2761 *twice_nat = TWICE_NAT_SELF;
2765 if (PREDICT_FALSE (is_identity_nat != 0))
2766 *is_identity_nat = is_sm_identity_nat (m->flags);
2775 nat44_ed_get_in2out_worker_index (vlib_buffer_t *b, ip4_header_t *ip,
2776 u32 rx_fib_index, u8 is_output)
2778 snat_main_t *sm = &snat_main;
2779 u32 next_worker_index = sm->first_worker_index;
2782 clib_bihash_kv_16_8_t kv16, value16;
2784 u32 fib_index = rx_fib_index;
2787 if (PREDICT_FALSE (is_output))
2789 fib_index = sm->outside_fib_index;
2790 nat_outside_fib_t *outside_fib;
2791 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
2792 fib_prefix_t pfx = {
2793 .fp_proto = FIB_PROTOCOL_IP4,
2796 .ip4.as_u32 = ip->dst_address.as_u32,
2800 switch (vec_len (sm->outside_fibs))
2803 fib_index = sm->outside_fib_index;
2806 fib_index = sm->outside_fibs[0].fib_index;
2809 vec_foreach (outside_fib, sm->outside_fibs)
2811 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
2812 if (FIB_NODE_INDEX_INVALID != fei)
2814 if (fib_entry_get_resolving_interface (fei) != ~0)
2816 fib_index = outside_fib->fib_index;
2825 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
2827 ip4_address_t lookup_saddr, lookup_daddr;
2828 u16 lookup_sport, lookup_dport;
2831 if (!nat_get_icmp_session_lookup_values (
2832 b, ip, &lookup_saddr, &lookup_sport, &lookup_daddr,
2833 &lookup_dport, &lookup_protocol))
2835 init_ed_k (&kv16, lookup_saddr.as_u32, lookup_sport,
2836 lookup_daddr.as_u32, lookup_dport, rx_fib_index,
2838 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2840 next_worker_index = ed_value_get_thread_index (&value16);
2841 vnet_buffer2 (b)->nat.cached_session_index =
2842 ed_value_get_session_index (&value16);
2848 init_ed_k (&kv16, ip->src_address.as_u32,
2849 vnet_buffer (b)->ip.reass.l4_src_port, ip->dst_address.as_u32,
2850 vnet_buffer (b)->ip.reass.l4_dst_port, fib_index,
2853 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2855 next_worker_index = ed_value_get_thread_index (&value16);
2856 vnet_buffer2 (b)->nat.cached_session_index =
2857 ed_value_get_session_index (&value16);
2862 init_ed_k (&kv16, ip->dst_address.as_u32,
2863 vnet_buffer (b)->ip.reass.l4_dst_port, ip->src_address.as_u32,
2864 vnet_buffer (b)->ip.reass.l4_src_port, rx_fib_index,
2866 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16))
2868 next_worker_index = ed_value_get_thread_index (&value16);
2869 vnet_buffer2 (b)->nat.cached_dst_nat_session_index =
2870 ed_value_get_session_index (&value16);
2875 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
2876 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
2878 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
2879 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
2881 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
2884 if (PREDICT_TRUE (!is_output))
2886 nat_elog_debug_handoff (sm, "HANDOFF IN2OUT", next_worker_index,
2888 clib_net_to_host_u32 (ip->src_address.as_u32),
2889 clib_net_to_host_u32 (ip->dst_address.as_u32));
2893 nat_elog_debug_handoff (sm, "HANDOFF IN2OUT-OUTPUT-FEATURE",
2894 next_worker_index, rx_fib_index,
2895 clib_net_to_host_u32 (ip->src_address.as_u32),
2896 clib_net_to_host_u32 (ip->dst_address.as_u32));
2899 return next_worker_index;
2903 nat44_ed_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip,
2904 u32 rx_fib_index, u8 is_output)
2906 snat_main_t *sm = &snat_main;
2907 clib_bihash_kv_16_8_t kv16, value16;
2909 u8 proto, next_worker_index = 0;
2911 snat_static_mapping_t *m;
2914 proto = ip->protocol;
2916 if (PREDICT_FALSE (IP_PROTOCOL_ICMP == proto))
2918 ip4_address_t lookup_saddr, lookup_daddr;
2919 u16 lookup_sport, lookup_dport;
2921 if (!nat_get_icmp_session_lookup_values (
2922 b, ip, &lookup_saddr, &lookup_sport, &lookup_daddr, &lookup_dport,
2925 init_ed_k (&kv16, lookup_saddr.as_u32, lookup_sport,
2926 lookup_daddr.as_u32, lookup_dport, rx_fib_index,
2929 !clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16)))
2931 next_worker_index = ed_value_get_thread_index (&value16);
2932 nat_elog_debug_handoff (
2933 sm, "HANDOFF OUT2IN (session)", next_worker_index,
2934 rx_fib_index, clib_net_to_host_u32 (ip->src_address.as_u32),
2935 clib_net_to_host_u32 (ip->dst_address.as_u32));
2936 return next_worker_index;
2941 init_ed_k (&kv16, ip->src_address.as_u32,
2942 vnet_buffer (b)->ip.reass.l4_src_port, ip->dst_address.as_u32,
2943 vnet_buffer (b)->ip.reass.l4_dst_port, rx_fib_index,
2947 !clib_bihash_search_16_8 (&sm->flow_hash, &kv16, &value16)))
2949 vnet_buffer2 (b)->nat.cached_session_index =
2950 ed_value_get_session_index (&value16);
2951 next_worker_index = ed_value_get_thread_index (&value16);
2952 nat_elog_debug_handoff (sm, "HANDOFF OUT2IN (session)",
2953 next_worker_index, rx_fib_index,
2954 clib_net_to_host_u32 (ip->src_address.as_u32),
2955 clib_net_to_host_u32 (ip->dst_address.as_u32));
2956 return next_worker_index;
2959 /* first try static mappings without port */
2960 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2962 m = nat44_ed_sm_o2i_lookup (sm, ip->dst_address, 0, 0, proto);
2966 next_worker_index = m->workers[0];
2972 /* unknown protocol */
2973 if (PREDICT_FALSE (nat44_ed_is_unk_proto (proto)))
2975 /* use current thread */
2976 next_worker_index = vlib_get_thread_index ();
2980 port = vnet_buffer (b)->ip.reass.l4_dst_port;
2982 if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP))
2984 udp_header_t *udp = ip4_next_header (ip);
2985 icmp46_header_t *icmp = (icmp46_header_t *) udp;
2986 nat_icmp_echo_header_t *echo = (nat_icmp_echo_header_t *) (icmp + 1);
2987 if (!icmp_type_is_error_message
2988 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
2989 port = vnet_buffer (b)->ip.reass.l4_src_port;
2992 /* if error message, then it's not fragmented and we can access it */
2993 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
2994 proto = inner_ip->protocol;
2995 void *l4_header = ip4_next_header (inner_ip);
2998 case IP_PROTOCOL_ICMP:
2999 icmp = (icmp46_header_t *) l4_header;
3000 echo = (nat_icmp_echo_header_t *) (icmp + 1);
3001 port = echo->identifier;
3003 case IP_PROTOCOL_UDP:
3005 case IP_PROTOCOL_TCP:
3006 port = ((nat_tcp_udp_header_t *) l4_header)->src_port;
3009 next_worker_index = vlib_get_thread_index ();
3015 /* try static mappings with port */
3016 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
3018 m = nat44_ed_sm_o2i_lookup (sm, ip->dst_address, port, 0, proto);
3021 if (!is_sm_lb (m->flags))
3023 next_worker_index = m->workers[0];
3027 hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) +
3028 (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24);
3030 if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers))))
3032 m->workers[hash & (_vec_len (m->workers) - 1)];
3034 next_worker_index = m->workers[hash % _vec_len (m->workers)];
3039 /* worker by outside port */
3040 next_worker_index = sm->first_worker_index;
3041 next_worker_index +=
3042 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
3045 nat_elog_debug_handoff (sm, "HANDOFF OUT2IN", next_worker_index,
3047 clib_net_to_host_u32 (ip->src_address.as_u32),
3048 clib_net_to_host_u32 (ip->dst_address.as_u32));
3049 return next_worker_index;
3053 nat44_get_max_session_limit ()
3055 snat_main_t *sm = &snat_main;
3056 u32 max_limit = 0, len = 0;
3058 for (; len < vec_len (sm->max_translations_per_fib); len++)
3060 if (max_limit < sm->max_translations_per_fib[len])
3061 max_limit = sm->max_translations_per_fib[len];
3067 nat44_set_session_limit (u32 session_limit, u32 vrf_id)
3069 snat_main_t *sm = &snat_main;
3070 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3071 u32 len = vec_len (sm->max_translations_per_fib);
3073 if (len <= fib_index)
3075 vec_validate (sm->max_translations_per_fib, fib_index + 1);
3077 for (; len < vec_len (sm->max_translations_per_fib); len++)
3078 sm->max_translations_per_fib[len] = sm->max_translations_per_thread;
3081 sm->max_translations_per_fib[fib_index] = session_limit;
3086 nat44_update_session_limit (u32 session_limit, u32 vrf_id)
3088 snat_main_t *sm = &snat_main;
3090 if (nat44_set_session_limit (session_limit, vrf_id))
3092 sm->max_translations_per_thread = nat44_get_max_session_limit ();
3094 vlib_stats_set_gauge (sm->max_cfg_sessions_gauge,
3095 sm->max_translations_per_thread);
3097 sm->translation_buckets =
3098 nat_calc_bihash_buckets (sm->max_translations_per_thread);
3100 nat44_ed_sessions_clear ();
3105 nat44_ed_worker_db_init (snat_main_per_thread_data_t *tsm, u32 translations,
3106 u32 translation_buckets)
3110 pool_alloc (tsm->sessions, translations);
3111 pool_alloc (tsm->lru_pool, translations);
3113 pool_get (tsm->lru_pool, head);
3114 tsm->tcp_trans_lru_head_index = head - tsm->lru_pool;
3115 clib_dlist_init (tsm->lru_pool, tsm->tcp_trans_lru_head_index);
3117 pool_get (tsm->lru_pool, head);
3118 tsm->tcp_estab_lru_head_index = head - tsm->lru_pool;
3119 clib_dlist_init (tsm->lru_pool, tsm->tcp_estab_lru_head_index);
3121 pool_get (tsm->lru_pool, head);
3122 tsm->udp_lru_head_index = head - tsm->lru_pool;
3123 clib_dlist_init (tsm->lru_pool, tsm->udp_lru_head_index);
3125 pool_get (tsm->lru_pool, head);
3126 tsm->icmp_lru_head_index = head - tsm->lru_pool;
3127 clib_dlist_init (tsm->lru_pool, tsm->icmp_lru_head_index);
3129 pool_get (tsm->lru_pool, head);
3130 tsm->unk_proto_lru_head_index = head - tsm->lru_pool;
3131 clib_dlist_init (tsm->lru_pool, tsm->unk_proto_lru_head_index);
3135 reinit_ed_flow_hash ()
3137 snat_main_t *sm = &snat_main;
3138 // we expect 2 flows per session, so multiply translation_buckets by 2
3139 clib_bihash_init_16_8 (
3140 &sm->flow_hash, "ed-flow-hash",
3141 clib_max (1, sm->num_workers) * 2 * sm->translation_buckets, 0);
3142 clib_bihash_set_kvp_format_fn_16_8 (&sm->flow_hash, format_ed_session_kvp);
3146 nat44_ed_db_init (u32 translations, u32 translation_buckets)
3148 snat_main_t *sm = &snat_main;
3149 snat_main_per_thread_data_t *tsm;
3151 reinit_ed_flow_hash ();
3153 vec_foreach (tsm, sm->per_thread_data)
3155 nat44_ed_worker_db_init (tsm, sm->max_translations_per_thread,
3156 sm->translation_buckets);
3161 nat44_ed_worker_db_free (snat_main_per_thread_data_t *tsm)
3163 pool_free (tsm->lru_pool);
3164 pool_free (tsm->sessions);
3165 vec_free (tsm->per_vrf_sessions_vec);
3169 nat44_ed_sessions_clear ()
3171 snat_main_t *sm = &snat_main;
3172 snat_main_per_thread_data_t *tsm;
3174 reinit_ed_flow_hash ();
3176 vec_foreach (tsm, sm->per_thread_data)
3178 nat44_ed_worker_db_free (tsm);
3179 nat44_ed_worker_db_init (tsm, sm->max_translations_per_thread,
3180 sm->translation_buckets);
3182 vlib_zero_simple_counter (&sm->total_sessions, 0);
3186 nat44_ed_add_del_static_mapping_cb (ip4_main_t *im, uword opaque,
3187 u32 sw_if_index, ip4_address_t *address,
3188 u32 address_length, u32 if_address_index,
3191 snat_static_mapping_resolve_t *rp;
3192 snat_main_t *sm = &snat_main;
3200 vec_foreach (rp, sm->sm_to_resolve)
3202 if (sw_if_index == rp->sw_if_index)
3206 if (rp->is_resolved)
3208 rv = nat44_ed_del_static_mapping_internal (
3209 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3210 rp->vrf_id, rp->flags);
3213 nat_log_err ("ed del static mapping failed");
3217 rp->is_resolved = 0;
3223 if (!rp->is_resolved)
3225 rv = nat44_ed_add_static_mapping_internal (
3226 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3227 rp->vrf_id, ~0, rp->flags, rp->pool_addr, rp->tag);
3230 nat_log_err ("ed add static mapping failed");
3234 rp->is_resolved = 1;
3243 nat44_ed_get_addr_resolve_record (u32 sw_if_index, u8 twice_nat, int *out)
3245 snat_main_t *sm = &snat_main;
3246 snat_address_resolve_t *rp;
3249 for (i = 0; i < vec_len (sm->addr_to_resolve); i++)
3251 rp = sm->addr_to_resolve + i;
3253 if ((rp->sw_if_index == sw_if_index) && (rp->is_twice_nat == twice_nat))
3265 nat44_ed_del_addr_resolve_record (u32 sw_if_index, u8 twice_nat)
3267 snat_main_t *sm = &snat_main;
3269 if (!nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, &i))
3271 vec_del1 (sm->addr_to_resolve, i);
3278 nat44_ed_add_del_interface_address_cb (ip4_main_t *im, uword opaque,
3279 u32 sw_if_index, ip4_address_t *address,
3281 u32 if_address_index, u32 is_delete)
3283 snat_main_t *sm = &snat_main;
3284 snat_address_resolve_t *arp;
3294 if (nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, &i))
3297 if (nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, &i))
3300 ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
3301 vec_foreach (ap, sm->addresses)
3303 if ((fib_index == ap->fib_index) &&
3304 (address->as_u32 == ap->addr.as_u32))
3308 ap->addr_len = address_length;
3309 ap->sw_if_index = sw_if_index;
3310 ap->net.as_u32 = (ap->addr.as_u32 >> (32 - ap->addr_len))
3311 << (32 - ap->addr_len);
3314 "pool addr %U binds to -> sw_if_idx: %u net: %U/%u",
3315 format_ip4_address, &ap->addr, ap->sw_if_index,
3316 format_ip4_address, &ap->net, ap->addr_len);
3329 arp = sm->addr_to_resolve + i;
3333 if (arp->is_resolved)
3338 rv = nat44_ed_add_address (address, ~0, arp->is_twice_nat);
3341 arp->is_resolved = 1;
3346 if (!arp->is_resolved)
3351 rv = nat44_ed_del_address (address[0], arp->is_twice_nat);
3354 arp->is_resolved = 0;
3360 nat44_ed_add_interface_address (u32 sw_if_index, u8 twice_nat)
3362 snat_main_t *sm = &snat_main;
3363 ip4_main_t *ip4_main = sm->ip4_main;
3364 ip4_address_t *first_int_addr;
3365 snat_address_resolve_t *ap;
3370 return VNET_API_ERROR_UNSUPPORTED;
3373 if (!nat44_ed_get_addr_resolve_record (sw_if_index, twice_nat, 0))
3375 return VNET_API_ERROR_VALUE_EXIST;
3378 vec_add2 (sm->addr_to_resolve, ap, 1);
3379 ap->sw_if_index = sw_if_index;
3380 ap->is_twice_nat = twice_nat;
3381 ap->is_resolved = 0;
3383 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3386 rv = nat44_ed_add_address (first_int_addr, ~0, twice_nat);
3389 nat44_ed_del_addr_resolve_record (sw_if_index, twice_nat);
3392 ap->is_resolved = 1;
3399 nat44_ed_del_interface_address (u32 sw_if_index, u8 twice_nat)
3401 snat_main_t *sm = &snat_main;
3402 ip4_main_t *ip4_main = sm->ip4_main;
3403 ip4_address_t *first_int_addr;
3407 return VNET_API_ERROR_UNSUPPORTED;
3410 if (nat44_ed_del_addr_resolve_record (sw_if_index, twice_nat))
3412 return VNET_API_ERROR_NO_SUCH_ENTRY;
3415 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3418 return nat44_ed_del_address (first_int_addr[0], twice_nat);
3425 nat44_ed_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port,
3426 ip4_address_t *eh_addr, u16 eh_port, u8 proto,
3427 u32 vrf_id, int is_in)
3430 clib_bihash_kv_16_8_t kv, value;
3433 snat_main_per_thread_data_t *tsm;
3437 return VNET_API_ERROR_UNSUPPORTED;
3440 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3441 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3442 if (sm->num_workers > 1)
3443 tsm = vec_elt_at_index (
3444 sm->per_thread_data,
3445 nat44_ed_get_in2out_worker_index (0, &ip, fib_index, 0));
3447 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3449 init_ed_k (&kv, addr->as_u32, port, eh_addr->as_u32, eh_port, fib_index,
3451 if (clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
3453 return VNET_API_ERROR_NO_SUCH_ENTRY;
3456 if (pool_is_free_index (tsm->sessions, ed_value_get_session_index (&value)))
3457 return VNET_API_ERROR_UNSPECIFIED;
3458 s = pool_elt_at_index (tsm->sessions, ed_value_get_session_index (&value));
3459 nat44_ed_free_session_data (sm, s, tsm - sm->per_thread_data, 0);
3460 nat_ed_session_delete (sm, s, tsm - sm->per_thread_data, 1);
3464 VLIB_NODE_FN (nat_default_node) (vlib_main_t * vm,
3465 vlib_node_runtime_t * node,
3466 vlib_frame_t * frame)
3471 VLIB_REGISTER_NODE (nat_default_node) = {
3472 .name = "nat-default",
3473 .vector_size = sizeof (u32),
3475 .type = VLIB_NODE_TYPE_INTERNAL,
3477 .n_next_nodes = NAT_N_NEXT,
3479 [NAT_NEXT_DROP] = "error-drop",
3480 [NAT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3481 [NAT_NEXT_IN2OUT_ED_FAST_PATH] = "nat44-ed-in2out",
3482 [NAT_NEXT_IN2OUT_ED_SLOW_PATH] = "nat44-ed-in2out-slowpath",
3483 [NAT_NEXT_IN2OUT_ED_OUTPUT_FAST_PATH] = "nat44-ed-in2out-output",
3484 [NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
3485 [NAT_NEXT_OUT2IN_ED_FAST_PATH] = "nat44-ed-out2in",
3486 [NAT_NEXT_OUT2IN_ED_SLOW_PATH] = "nat44-ed-out2in-slowpath",
3487 [NAT_NEXT_IN2OUT_CLASSIFY] = "nat44-in2out-worker-handoff",
3488 [NAT_NEXT_OUT2IN_CLASSIFY] = "nat44-out2in-worker-handoff",
3493 nat_6t_l3_l4_csum_calc (nat_6t_flow_t *f)
3495 f->l3_csum_delta = 0;
3496 f->l4_csum_delta = 0;
3497 if (f->ops & NAT_FLOW_OP_SADDR_REWRITE &&
3498 f->rewrite.saddr.as_u32 != f->match.saddr.as_u32)
3501 ip_csum_add_even (f->l3_csum_delta, f->rewrite.saddr.as_u32);
3503 ip_csum_sub_even (f->l3_csum_delta, f->match.saddr.as_u32);
3507 f->rewrite.saddr.as_u32 = f->match.saddr.as_u32;
3509 if (f->ops & NAT_FLOW_OP_DADDR_REWRITE &&
3510 f->rewrite.daddr.as_u32 != f->match.daddr.as_u32)
3513 ip_csum_add_even (f->l3_csum_delta, f->rewrite.daddr.as_u32);
3515 ip_csum_sub_even (f->l3_csum_delta, f->match.daddr.as_u32);
3519 f->rewrite.daddr.as_u32 = f->match.daddr.as_u32;
3521 if (f->ops & NAT_FLOW_OP_SPORT_REWRITE && f->rewrite.sport != f->match.sport)
3523 f->l4_csum_delta = ip_csum_add_even (f->l4_csum_delta, f->rewrite.sport);
3524 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.sport);
3528 f->rewrite.sport = f->match.sport;
3530 if (f->ops & NAT_FLOW_OP_DPORT_REWRITE && f->rewrite.dport != f->match.dport)
3532 f->l4_csum_delta = ip_csum_add_even (f->l4_csum_delta, f->rewrite.dport);
3533 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.dport);
3537 f->rewrite.dport = f->match.dport;
3539 if (f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE &&
3540 f->rewrite.icmp_id != f->match.sport)
3543 ip_csum_add_even (f->l4_csum_delta, f->rewrite.icmp_id);
3544 f->l4_csum_delta = ip_csum_sub_even (f->l4_csum_delta, f->match.sport);
3548 f->rewrite.icmp_id = f->match.sport;
3550 if (f->ops & NAT_FLOW_OP_TXFIB_REWRITE)
3555 f->rewrite.fib_index = f->match.fib_index;
3559 static_always_inline int
3560 nat_6t_flow_icmp_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
3561 ip4_header_t *ip, nat_6t_flow_t *f);
3563 static_always_inline void
3564 nat_6t_flow_ip4_translate (snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
3565 nat_6t_flow_t *f, ip_protocol_t proto,
3566 int is_icmp_inner_ip4, int skip_saddr_rewrite)
3568 udp_header_t *udp = ip4_next_header (ip);
3569 tcp_header_t *tcp = (tcp_header_t *) udp;
3571 if ((IP_PROTOCOL_TCP == proto || IP_PROTOCOL_UDP == proto) &&
3572 !vnet_buffer (b)->ip.reass.is_non_first_fragment)
3574 if (!is_icmp_inner_ip4)
3576 ip->src_address = f->rewrite.saddr;
3577 ip->dst_address = f->rewrite.daddr;
3578 udp->src_port = f->rewrite.sport;
3579 udp->dst_port = f->rewrite.dport;
3582 { // icmp inner ip4 - reversed saddr/daddr
3583 ip->src_address = f->rewrite.daddr;
3584 ip->dst_address = f->rewrite.saddr;
3585 udp->src_port = f->rewrite.dport;
3586 udp->dst_port = f->rewrite.sport;
3589 if (IP_PROTOCOL_TCP == proto)
3591 ip_csum_t tcp_sum = tcp->checksum;
3592 tcp_sum = ip_csum_sub_even (tcp_sum, f->l3_csum_delta);
3593 tcp_sum = ip_csum_sub_even (tcp_sum, f->l4_csum_delta);
3594 mss_clamping (sm->mss_clamping, tcp, &tcp_sum);
3595 tcp->checksum = ip_csum_fold (tcp_sum);
3597 else if (IP_PROTOCOL_UDP == proto && udp->checksum)
3599 ip_csum_t udp_sum = udp->checksum;
3600 udp_sum = ip_csum_sub_even (udp_sum, f->l3_csum_delta);
3601 udp_sum = ip_csum_sub_even (udp_sum, f->l4_csum_delta);
3602 udp->checksum = ip_csum_fold (udp_sum);
3607 if (!is_icmp_inner_ip4)
3609 if (!skip_saddr_rewrite)
3611 ip->src_address = f->rewrite.saddr;
3613 ip->dst_address = f->rewrite.daddr;
3616 { // icmp inner ip4 - reversed saddr/daddr
3617 ip->src_address = f->rewrite.daddr;
3618 ip->dst_address = f->rewrite.saddr;
3622 if (skip_saddr_rewrite)
3624 ip->checksum = ip4_header_checksum (ip);
3628 ip_csum_t ip_sum = ip->checksum;
3629 ip_sum = ip_csum_sub_even (ip_sum, f->l3_csum_delta);
3630 ip->checksum = ip_csum_fold (ip_sum);
3632 if (0xffff == ip->checksum)
3634 ASSERT (ip4_header_checksum_is_valid (ip));
3637 static_always_inline int
3638 it_fits (vlib_main_t *vm, vlib_buffer_t *b, void *object, size_t size)
3640 int result = ((u8 *) object + size <=
3641 (u8 *) vlib_buffer_get_current (b) + b->current_length) &&
3642 vlib_object_within_buffer_data (vm, b, object, size);
3646 static_always_inline int
3647 nat_6t_flow_icmp_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
3648 ip4_header_t *ip, nat_6t_flow_t *f)
3650 if (IP_PROTOCOL_ICMP != ip->protocol)
3651 return NAT_ED_TRNSL_ERR_TRANSLATION_FAILED;
3653 icmp46_header_t *icmp = ip4_next_header (ip);
3654 nat_icmp_echo_header_t *echo = (nat_icmp_echo_header_t *) (icmp + 1);
3656 if ((!vnet_buffer (b)->ip.reass.is_non_first_fragment))
3658 if (!it_fits (vm, b, icmp, sizeof (*icmp)))
3660 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3663 if (!icmp_type_is_error_message (icmp->type))
3665 if ((f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE) &&
3666 (f->rewrite.icmp_id != echo->identifier))
3668 ip_csum_t sum = icmp->checksum;
3669 sum = ip_csum_update (sum, echo->identifier, f->rewrite.icmp_id,
3670 nat_icmp_echo_header_t,
3671 identifier /* changed member */);
3672 echo->identifier = f->rewrite.icmp_id;
3673 icmp->checksum = ip_csum_fold (sum);
3678 ip_csum_t sum = ip_incremental_checksum (
3680 clib_net_to_host_u16 (ip->length) - ip4_header_bytes (ip));
3681 sum = (u16) ~ip_csum_fold (sum);
3684 return NAT_ED_TRNSL_ERR_INVALID_CSUM;
3687 // errors are not fragmented
3688 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
3690 if (!ip4_header_checksum_is_valid (inner_ip))
3692 return NAT_ED_TRNSL_ERR_INNER_IP_CORRUPT;
3695 ip_protocol_t inner_proto = inner_ip->protocol;
3697 ip_csum_t old_icmp_sum = icmp->checksum;
3698 ip_csum_t old_inner_ip_sum = inner_ip->checksum;
3699 ip_csum_t old_udp_sum;
3700 ip_csum_t old_tcp_sum;
3701 ip_csum_t new_icmp_sum;
3705 switch (inner_proto)
3707 case IP_PROTOCOL_UDP:
3708 udp = (udp_header_t *) (inner_ip + 1);
3709 if (!it_fits (vm, b, udp, sizeof (*udp)))
3711 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3713 old_udp_sum = udp->checksum;
3714 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3715 1 /* is_icmp_inner_ip4 */,
3716 0 /* skip_saddr_rewrite */);
3717 new_icmp_sum = ip_csum_sub_even (old_icmp_sum, f->l3_csum_delta);
3718 new_icmp_sum = ip_csum_sub_even (new_icmp_sum, f->l4_csum_delta);
3720 ip_csum_update (new_icmp_sum, old_inner_ip_sum,
3721 inner_ip->checksum, ip4_header_t, checksum);
3723 ip_csum_update (new_icmp_sum, old_udp_sum, udp->checksum,
3724 udp_header_t, checksum);
3725 new_icmp_sum = ip_csum_fold (new_icmp_sum);
3726 icmp->checksum = new_icmp_sum;
3728 case IP_PROTOCOL_TCP:
3729 tcp = (tcp_header_t *) (inner_ip + 1);
3730 if (!it_fits (vm, b, tcp, sizeof (*tcp)))
3732 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3734 old_tcp_sum = tcp->checksum;
3735 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3736 1 /* is_icmp_inner_ip4 */,
3737 0 /* skip_saddr_rewrite */);
3738 new_icmp_sum = ip_csum_sub_even (old_icmp_sum, f->l3_csum_delta);
3739 new_icmp_sum = ip_csum_sub_even (new_icmp_sum, f->l4_csum_delta);
3741 ip_csum_update (new_icmp_sum, old_inner_ip_sum,
3742 inner_ip->checksum, ip4_header_t, checksum);
3744 ip_csum_update (new_icmp_sum, old_tcp_sum, tcp->checksum,
3745 tcp_header_t, checksum);
3746 new_icmp_sum = ip_csum_fold (new_icmp_sum);
3747 icmp->checksum = new_icmp_sum;
3749 case IP_PROTOCOL_ICMP:
3750 nat_6t_flow_ip4_translate (sm, b, inner_ip, f, inner_proto,
3751 1 /* is_icmp_inner_ip4 */,
3752 0 /* skip_saddr_rewrite */);
3753 if (f->ops & NAT_FLOW_OP_ICMP_ID_REWRITE)
3755 icmp46_header_t *inner_icmp = ip4_next_header (inner_ip);
3756 if (!it_fits (vm, b, inner_icmp, sizeof (*inner_icmp)))
3758 return NAT_ED_TRNSL_ERR_PACKET_TRUNCATED;
3760 nat_icmp_echo_header_t *inner_echo =
3761 (nat_icmp_echo_header_t *) (inner_icmp + 1);
3762 if (f->rewrite.icmp_id != inner_echo->identifier)
3764 ip_csum_t sum = icmp->checksum;
3765 sum = ip_csum_update (sum, inner_echo->identifier,
3767 nat_icmp_echo_header_t,
3768 identifier /* changed member */);
3769 icmp->checksum = ip_csum_fold (sum);
3770 ip_csum_t inner_sum = inner_icmp->checksum;
3771 inner_sum = ip_csum_update (
3772 sum, inner_echo->identifier, f->rewrite.icmp_id,
3773 nat_icmp_echo_header_t,
3774 identifier /* changed member */);
3775 inner_icmp->checksum = ip_csum_fold (inner_sum);
3776 inner_echo->identifier = f->rewrite.icmp_id;
3781 clib_warning ("unexpected NAT protocol value `%d'", inner_proto);
3782 return NAT_ED_TRNSL_ERR_TRANSLATION_FAILED;
3787 return NAT_ED_TRNSL_ERR_SUCCESS;
3790 static_always_inline nat_translation_error_e
3791 nat_6t_flow_buf_translate (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
3792 ip4_header_t *ip, nat_6t_flow_t *f,
3793 ip_protocol_t proto, int is_output_feature,
3796 if (!is_output_feature && f->ops & NAT_FLOW_OP_TXFIB_REWRITE)
3798 vnet_buffer (b)->sw_if_index[VLIB_TX] = f->rewrite.fib_index;
3801 if (IP_PROTOCOL_ICMP == proto)
3803 if (ip->src_address.as_u32 != f->rewrite.saddr.as_u32)
3805 // packet is returned from a router, not from destination
3806 // skip source address rewrite if in o2i path
3807 nat_6t_flow_ip4_translate (sm, b, ip, f, proto,
3808 0 /* is_icmp_inner_ip4 */,
3809 !is_i2o /* skip_saddr_rewrite */);
3813 nat_6t_flow_ip4_translate (sm, b, ip, f, proto,
3814 0 /* is_icmp_inner_ip4 */,
3815 0 /* skip_saddr_rewrite */);
3817 return nat_6t_flow_icmp_translate (vm, sm, b, ip, f);
3820 nat_6t_flow_ip4_translate (sm, b, ip, f, proto, 0 /* is_icmp_inner_ip4 */,
3821 0 /* skip_saddr_rewrite */);
3823 return NAT_ED_TRNSL_ERR_SUCCESS;
3826 nat_translation_error_e
3827 nat_6t_flow_buf_translate_i2o (vlib_main_t *vm, snat_main_t *sm,
3828 vlib_buffer_t *b, ip4_header_t *ip,
3829 nat_6t_flow_t *f, ip_protocol_t proto,
3830 int is_output_feature)
3832 return nat_6t_flow_buf_translate (vm, sm, b, ip, f, proto, is_output_feature,
3836 nat_translation_error_e
3837 nat_6t_flow_buf_translate_o2i (vlib_main_t *vm, snat_main_t *sm,
3838 vlib_buffer_t *b, ip4_header_t *ip,
3839 nat_6t_flow_t *f, ip_protocol_t proto,
3840 int is_output_feature)
3842 return nat_6t_flow_buf_translate (vm, sm, b, ip, f, proto, is_output_feature,
3846 static_always_inline void
3847 nat_syslog_nat44_sess (u32 ssubix, u32 sfibix, ip4_address_t *isaddr,
3848 u16 isport, ip4_address_t *xsaddr, u16 xsport,
3849 ip4_address_t *idaddr, u16 idport,
3850 ip4_address_t *xdaddr, u16 xdport, u8 proto, u8 is_add,
3853 syslog_msg_t syslog_msg;
3856 if (!syslog_is_enabled ())
3859 if (syslog_severity_filter_block (SADD_SDEL_SEVERITY))
3862 fib = fib_table_get (sfibix, FIB_PROTOCOL_IP4);
3864 syslog_msg_init (&syslog_msg, NAT_FACILITY, SADD_SDEL_SEVERITY, NAT_APPNAME,
3865 is_add ? SADD_MSGID : SDEL_MSGID);
3867 syslog_msg_sd_init (&syslog_msg, NSESS_SDID);
3868 syslog_msg_add_sd_param (&syslog_msg, SSUBIX_SDPARAM_NAME, "%d", ssubix);
3869 syslog_msg_add_sd_param (&syslog_msg, SVLAN_SDPARAM_NAME, "%d",
3871 syslog_msg_add_sd_param (&syslog_msg, IATYP_SDPARAM_NAME, IATYP_IPV4);
3872 syslog_msg_add_sd_param (&syslog_msg, ISADDR_SDPARAM_NAME, "%U",
3873 format_ip4_address, isaddr);
3874 syslog_msg_add_sd_param (&syslog_msg, ISPORT_SDPARAM_NAME, "%d",
3875 clib_net_to_host_u16 (isport));
3876 syslog_msg_add_sd_param (&syslog_msg, XATYP_SDPARAM_NAME, IATYP_IPV4);
3877 syslog_msg_add_sd_param (&syslog_msg, XSADDR_SDPARAM_NAME, "%U",
3878 format_ip4_address, xsaddr);
3879 syslog_msg_add_sd_param (&syslog_msg, XSPORT_SDPARAM_NAME, "%d",
3880 clib_net_to_host_u16 (xsport));
3881 syslog_msg_add_sd_param (&syslog_msg, PROTO_SDPARAM_NAME, "%d", proto);
3882 syslog_msg_add_sd_param (&syslog_msg, XDADDR_SDPARAM_NAME, "%U",
3883 format_ip4_address, xdaddr);
3884 syslog_msg_add_sd_param (&syslog_msg, XDPORT_SDPARAM_NAME, "%d",
3885 clib_net_to_host_u16 (xdport));
3888 syslog_msg_add_sd_param (&syslog_msg, IDADDR_SDPARAM_NAME, "%U",
3889 format_ip4_address, idaddr);
3890 syslog_msg_add_sd_param (&syslog_msg, IDPORT_SDPARAM_NAME, "%d",
3891 clib_net_to_host_u16 (idport));
3894 syslog_msg_send (&syslog_msg);
3898 nat_syslog_nat44_sadd (u32 ssubix, u32 sfibix, ip4_address_t *isaddr,
3899 u16 isport, ip4_address_t *idaddr, u16 idport,
3900 ip4_address_t *xsaddr, u16 xsport,
3901 ip4_address_t *xdaddr, u16 xdport, u8 proto,
3904 nat_syslog_nat44_sess (ssubix, sfibix, isaddr, isport, xsaddr, xsport,
3905 idaddr, idport, xdaddr, xdport, proto, 1,
3910 nat_syslog_nat44_sdel (u32 ssubix, u32 sfibix, ip4_address_t *isaddr,
3911 u16 isport, ip4_address_t *idaddr, u16 idport,
3912 ip4_address_t *xsaddr, u16 xsport,
3913 ip4_address_t *xdaddr, u16 xdport, u8 proto,
3916 nat_syslog_nat44_sess (ssubix, sfibix, isaddr, isport, xsaddr, xsport,
3917 idaddr, idport, xdaddr, xdport, proto, 0,
3922 * fd.io coding-style-patch-verification: ON
3925 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob