2 * nat44_ei.c - nat44 endpoint dependent plugin
4 * Copyright (c) 2020 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 * License for the specific language governing permissions and limitations
18 #include <vnet/plugin/plugin.h>
19 #include <vpp/app/version.h>
21 #include <vnet/vnet.h>
22 #include <vnet/ip/ip.h>
23 #include <vnet/ip/ip4.h>
24 #include <vnet/ip/ip_table.h>
25 #include <vnet/ip/reass/ip4_sv_reass.h>
26 #include <vnet/fib/fib_table.h>
27 #include <vnet/fib/ip4_fib.h>
28 #include <vnet/plugin/plugin.h>
31 #include <nat/lib/log.h>
32 #include <nat/lib/nat_syslog.h>
33 #include <nat/lib/nat_inlines.h>
34 #include <nat/lib/ipfix_logging.h>
36 #include <nat/nat44-ei/nat44_ei_dpo.h>
37 #include <nat/nat44-ei/nat44_ei_inlines.h>
38 #include <nat/nat44-ei/nat44_ei.h>
40 nat44_ei_main_t nat44_ei_main;
42 extern vlib_node_registration_t nat44_ei_hairpinning_node;
43 extern vlib_node_registration_t nat44_ei_hairpin_dst_node;
44 extern vlib_node_registration_t
45 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node;
46 extern vlib_node_registration_t
47 nat44_ei_in2out_hairpinning_finish_interface_output_node;
49 #define skip_if_disabled() \
52 nat44_ei_main_t *nm = &nat44_ei_main; \
53 if (PREDICT_FALSE (!nm->enabled)) \
58 #define fail_if_enabled() \
61 nat44_ei_main_t *nm = &nat44_ei_main; \
62 if (PREDICT_FALSE (nm->enabled)) \
64 nat44_ei_log_err ("plugin enabled"); \
70 #define fail_if_disabled() \
73 nat44_ei_main_t *nm = &nat44_ei_main; \
74 if (PREDICT_FALSE (!nm->enabled)) \
76 nat44_ei_log_err ("plugin disabled"); \
82 /* Hook up input features */
83 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
84 .arc_name = "ip4-unicast",
85 .node_name = "nat44-ei-classify",
86 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
87 "ip4-sv-reassembly-feature"),
89 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
90 .arc_name = "ip4-unicast",
91 .node_name = "nat44-ei-handoff-classify",
92 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
93 "ip4-sv-reassembly-feature"),
95 VNET_FEATURE_INIT (ip4_nat44_ei_in2out, static) = {
96 .arc_name = "ip4-unicast",
97 .node_name = "nat44-ei-in2out",
98 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
99 "ip4-sv-reassembly-feature"),
101 VNET_FEATURE_INIT (ip4_nat44_ei_out2in, static) = {
102 .arc_name = "ip4-unicast",
103 .node_name = "nat44-ei-out2in",
104 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
105 "ip4-sv-reassembly-feature",
106 "ip4-dhcp-client-detect"),
108 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output, static) = {
109 .arc_name = "ip4-output",
110 .node_name = "nat44-ei-in2out-output",
111 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
112 "ip4-sv-reassembly-output-feature"),
114 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_fast, static) = {
115 .arc_name = "ip4-unicast",
116 .node_name = "nat44-ei-in2out-fast",
117 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
118 "ip4-sv-reassembly-feature"),
120 VNET_FEATURE_INIT (ip4_nat44_ei_out2in_fast, static) = {
121 .arc_name = "ip4-unicast",
122 .node_name = "nat44-ei-out2in-fast",
123 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
124 "ip4-sv-reassembly-feature",
125 "ip4-dhcp-client-detect"),
127 VNET_FEATURE_INIT (ip4_nat44_ei_hairpin_dst, static) = {
128 .arc_name = "ip4-unicast",
129 .node_name = "nat44-ei-hairpin-dst",
130 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
131 "ip4-sv-reassembly-feature"),
133 VNET_FEATURE_INIT (ip4_nat44_ei_hairpin_src, static) = {
134 .arc_name = "ip4-output",
135 .node_name = "nat44-ei-hairpin-src",
136 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
137 "ip4-sv-reassembly-output-feature"),
139 VNET_FEATURE_INIT (ip4_nat44_ei_hairpinning, static) = {
140 .arc_name = "ip4-local",
141 .node_name = "nat44-ei-hairpinning",
142 .runs_before = VNET_FEATURES ("ip4-local-end-of-arc"),
144 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_worker_handoff, static) = {
145 .arc_name = "ip4-unicast",
146 .node_name = "nat44-ei-in2out-worker-handoff",
147 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
149 VNET_FEATURE_INIT (ip4_nat44_ei_out2in_worker_handoff, static) = {
150 .arc_name = "ip4-unicast",
151 .node_name = "nat44-ei-out2in-worker-handoff",
152 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
153 "ip4-dhcp-client-detect"),
155 VNET_FEATURE_INIT (ip4_nat44_ei_in2out_output_worker_handoff, static) = {
156 .arc_name = "ip4-output",
157 .node_name = "nat44-ei-in2out-output-worker-handoff",
158 .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa",
159 "ip4-sv-reassembly-output-feature"),
162 VLIB_PLUGIN_REGISTER () = {
163 .version = VPP_BUILD_VER,
164 .description = "IPv4 Endpoint-Independent NAT (NAT44 EI)",
167 #define foreach_nat44_ei_classify_error \
168 _ (NEXT_IN2OUT, "next in2out") \
169 _ (NEXT_OUT2IN, "next out2in") \
170 _ (FRAG_CACHED, "fragment cached")
174 #define _(sym, str) NAT44_EI_CLASSIFY_ERROR_##sym,
175 foreach_nat44_ei_classify_error
177 NAT44_EI_CLASSIFY_N_ERROR,
178 } nat44_ei_classify_error_t;
180 static char *nat44_ei_classify_error_strings[] = {
181 #define _(sym, string) string,
182 foreach_nat44_ei_classify_error
188 NAT44_EI_CLASSIFY_NEXT_IN2OUT,
189 NAT44_EI_CLASSIFY_NEXT_OUT2IN,
190 NAT44_EI_CLASSIFY_NEXT_DROP,
191 NAT44_EI_CLASSIFY_N_NEXT,
192 } nat44_ei_classify_next_t;
198 } nat44_ei_classify_trace_t;
200 void nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len,
201 u32 sw_if_index, int is_add);
204 format_nat44_ei_classify_trace (u8 *s, va_list *args)
206 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
207 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
208 nat44_ei_classify_trace_t *t = va_arg (*args, nat44_ei_classify_trace_t *);
212 s = format (s, "nat44-ei-classify: fragment cached");
215 next = t->next_in2out ? "nat44-ei-in2out" : "nat44-ei-out2in";
216 s = format (s, "nat44-ei-classify: next %s", next);
222 static void nat44_ei_db_free ();
224 static void nat44_ei_db_init (u32 translations, u32 translation_buckets,
227 static void nat44_ei_ip4_add_del_interface_address_cb (
228 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
229 u32 address_length, u32 if_address_index, u32 is_delete);
231 static void nat44_ei_ip4_add_del_addr_only_sm_cb (
232 ip4_main_t *im, uword opaque, u32 sw_if_index, ip4_address_t *address,
233 u32 address_length, u32 if_address_index, u32 is_delete);
235 static void nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque,
236 u32 sw_if_index, u32 new_fib_index,
240 nat44_ei_set_node_indexes (nat44_ei_main_t *nm, vlib_main_t *vm)
243 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-out2in");
244 nm->out2in_node_index = node->index;
245 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out");
246 nm->in2out_node_index = node->index;
247 node = vlib_get_node_by_name (vm, (u8 *) "nat44-ei-in2out-output");
248 nm->in2out_output_node_index = node->index;
252 nat44_ei_set_workers (uword *bitmap)
254 nat44_ei_main_t *nm = &nat44_ei_main;
257 if (nm->num_workers < 2)
258 return VNET_API_ERROR_FEATURE_DISABLED;
260 if (clib_bitmap_last_set (bitmap) >= nm->num_workers)
261 return VNET_API_ERROR_INVALID_WORKER;
263 vec_free (nm->workers);
264 clib_bitmap_foreach (i, bitmap)
266 vec_add1 (nm->workers, i);
267 nm->per_thread_data[nm->first_worker_index + i].snat_thread_index = j;
268 nm->per_thread_data[nm->first_worker_index + i].thread_index = i;
272 nm->port_per_thread = (0xffff - 1024) / _vec_len (nm->workers);
277 #define nat_validate_simple_counter(c, i) \
280 vlib_validate_simple_counter (&c, i); \
281 vlib_zero_simple_counter (&c, i); \
285 #define nat_init_simple_counter(c, n, sn) \
289 c.stat_segment_name = sn; \
290 nat_validate_simple_counter (c, 0); \
294 static_always_inline void
295 nat_validate_interface_counters (nat44_ei_main_t *nm, u32 sw_if_index)
298 nat_validate_simple_counter (nm->counters.fastpath.in2out.x, sw_if_index); \
299 nat_validate_simple_counter (nm->counters.fastpath.out2in.x, sw_if_index); \
300 nat_validate_simple_counter (nm->counters.slowpath.in2out.x, sw_if_index); \
301 nat_validate_simple_counter (nm->counters.slowpath.out2in.x, sw_if_index);
304 nat_validate_simple_counter (nm->counters.hairpinning, sw_if_index);
308 nat44_ei_add_del_addr_to_fib_foreach_out_if (ip4_address_t *addr, u8 is_add)
310 nat44_ei_main_t *nm = &nat44_ei_main;
311 nat44_ei_interface_t *i;
313 pool_foreach (i, nm->interfaces)
315 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
317 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
320 pool_foreach (i, nm->output_feature_interfaces)
322 if (nat44_ei_interface_is_outside (i) && !nm->out2in_dpo)
324 nat44_ei_add_del_addr_to_fib (addr, 32, i->sw_if_index, is_add);
329 static_always_inline void
330 nat44_ei_add_del_addr_to_fib_foreach_addr (u32 sw_if_index, u8 is_add)
332 nat44_ei_main_t *nm = &nat44_ei_main;
333 nat44_ei_address_t *ap;
335 vec_foreach (ap, nm->addresses)
337 nat44_ei_add_del_addr_to_fib (&ap->addr, 32, sw_if_index, is_add);
341 static_always_inline void
342 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (u32 sw_if_index, u8 is_add)
344 nat44_ei_main_t *nm = &nat44_ei_main;
345 nat44_ei_static_mapping_t *m;
347 pool_foreach (m, nm->static_mappings)
349 if (is_sm_addr_only (m->flags) &&
350 !(m->local_addr.as_u32 == m->external_addr.as_u32))
352 nat44_ei_add_del_addr_to_fib (&m->external_addr, 32, sw_if_index,
359 nat44_ei_is_address_used_in_static_mapping (ip4_address_t addr)
361 nat44_ei_main_t *nm = &nat44_ei_main;
362 nat44_ei_static_mapping_t *m;
363 pool_foreach (m, nm->static_mappings)
365 if (is_sm_addr_only (m->flags) || is_sm_identity_nat (m->flags))
369 if (m->external_addr.as_u32 == addr.as_u32)
378 nat44_ei_init (vlib_main_t *vm)
380 nat44_ei_main_t *nm = &nat44_ei_main;
381 vlib_thread_main_t *tm = vlib_get_thread_main ();
382 vlib_thread_registration_t *tr;
383 ip4_add_del_interface_address_callback_t cbi = { 0 };
384 ip4_table_bind_callback_t cbt = { 0 };
385 u32 i, num_threads = 0;
386 uword *p, *bitmap = 0;
388 clib_memset (nm, 0, sizeof (*nm));
391 nm->vnet_main = vnet_get_main ();
393 nm->ip4_main = &ip4_main;
394 nm->api_main = vlibapi_get_main ();
395 nm->ip4_lookup_main = &ip4_main.lookup_main;
398 nm->fq_out2in_index = ~0;
399 nm->fq_in2out_index = ~0;
400 nm->fq_in2out_output_index = ~0;
402 nm->log_level = NAT_LOG_ERROR;
404 nat44_ei_set_node_indexes (nm, vm);
405 nm->log_class = vlib_log_register_class ("nat44-ei", 0);
407 nat_init_simple_counter (nm->total_users, "total-users",
408 "/nat44-ei/total-users");
409 nat_init_simple_counter (nm->total_sessions, "total-sessions",
410 "/nat44-ei/total-sessions");
411 nat_init_simple_counter (nm->user_limit_reached, "user-limit-reached",
412 "/nat44-ei/user-limit-reached");
415 nat_init_simple_counter (nm->counters.fastpath.in2out.x, #x, \
416 "/nat44-ei/in2out/fastpath/" #x); \
417 nat_init_simple_counter (nm->counters.fastpath.out2in.x, #x, \
418 "/nat44-ei/out2in/fastpath/" #x); \
419 nat_init_simple_counter (nm->counters.slowpath.in2out.x, #x, \
420 "/nat44-ei/in2out/slowpath/" #x); \
421 nat_init_simple_counter (nm->counters.slowpath.out2in.x, #x, \
422 "/nat44-ei/out2in/slowpath/" #x);
425 nat_init_simple_counter (nm->counters.hairpinning, "hairpinning",
426 "/nat44-ei/hairpinning");
428 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
431 tr = (vlib_thread_registration_t *) p[0];
434 nm->num_workers = tr->count;
435 nm->first_worker_index = tr->first_index;
438 num_threads = tm->n_vlib_mains - 1;
439 nm->port_per_thread = 0xffff - 1024;
440 vec_validate (nm->per_thread_data, num_threads);
442 /* Use all available workers by default */
443 if (nm->num_workers > 1)
445 for (i = 0; i < nm->num_workers; i++)
446 bitmap = clib_bitmap_set (bitmap, i, 1);
447 nat44_ei_set_workers (bitmap);
448 clib_bitmap_free (bitmap);
452 nm->per_thread_data[0].snat_thread_index = 0;
455 /* callbacks to call when interface address changes. */
456 cbi.function = nat44_ei_ip4_add_del_interface_address_cb;
457 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
458 cbi.function = nat44_ei_ip4_add_del_addr_only_sm_cb;
459 vec_add1 (nm->ip4_main->add_del_interface_address_callbacks, cbi);
461 /* callbacks to call when interface to table biding changes */
462 cbt.function = nat44_ei_update_outside_fib;
463 vec_add1 (nm->ip4_main->table_bind_callbacks, cbt);
465 nm->fib_src_low = fib_source_allocate (
466 "nat44-ei-low", FIB_SOURCE_PRIORITY_LOW, FIB_SOURCE_BH_SIMPLE);
467 nm->fib_src_hi = fib_source_allocate ("nat44-ei-hi", FIB_SOURCE_PRIORITY_HI,
468 FIB_SOURCE_BH_SIMPLE);
470 // used only by out2in-dpo feature
471 nat_dpo_module_init ();
472 nat_ha_init (vm, nm->num_workers, num_threads);
474 nm->hairpinning_fq_index =
475 vlib_frame_queue_main_init (nat44_ei_hairpinning_node.index, 0);
476 nm->hairpin_dst_fq_index =
477 vlib_frame_queue_main_init (nat44_ei_hairpin_dst_node.index, 0);
478 nm->in2out_hairpinning_finish_ip4_lookup_node_fq_index =
479 vlib_frame_queue_main_init (
480 nat44_ei_in2out_hairpinning_finish_ip4_lookup_node.index, 0);
481 nm->in2out_hairpinning_finish_interface_output_node_fq_index =
482 vlib_frame_queue_main_init (
483 nat44_ei_in2out_hairpinning_finish_interface_output_node.index, 0);
484 return nat44_ei_api_hookup (vm);
487 VLIB_INIT_FUNCTION (nat44_ei_init);
490 nat44_ei_plugin_enable (nat44_ei_config_t c)
492 nat44_ei_main_t *nm = &nat44_ei_main;
500 c.sessions = 10 * 1024;
502 if (!c.user_sessions)
503 c.user_sessions = c.sessions;
507 if (!nm->frame_queue_nelts)
508 nm->frame_queue_nelts = NAT_FQ_NELTS_DEFAULT;
510 nm->translations = c.sessions;
511 nm->translation_buckets = nat_calc_bihash_buckets (c.sessions);
512 nm->user_buckets = nat_calc_bihash_buckets (c.users);
514 nm->pat = (!c.static_mapping_only ||
515 (c.static_mapping_only && c.connection_tracking));
517 nm->static_mapping_only = c.static_mapping_only;
518 nm->static_mapping_connection_tracking = c.connection_tracking;
519 nm->out2in_dpo = c.out2in_dpo;
520 nm->forwarding_enabled = 0;
521 nm->mss_clamping = 0;
523 nm->max_users_per_thread = c.users;
524 nm->max_translations_per_thread = c.sessions;
525 nm->max_translations_per_user = c.user_sessions;
527 nm->inside_vrf_id = c.inside_vrf;
528 nm->inside_fib_index = fib_table_find_or_create_and_lock (
529 FIB_PROTOCOL_IP4, c.inside_vrf, nm->fib_src_hi);
531 nm->outside_vrf_id = c.outside_vrf;
532 nm->outside_fib_index = fib_table_find_or_create_and_lock (
533 FIB_PROTOCOL_IP4, c.outside_vrf, nm->fib_src_hi);
535 nat_reset_timeouts (&nm->timeouts);
536 nat44_ei_db_init (nm->translations, nm->translation_buckets,
538 nat44_ei_set_alloc_default ();
540 // TODO: zero simple counter for all counters missing
542 vlib_zero_simple_counter (&nm->total_users, 0);
543 vlib_zero_simple_counter (&nm->total_sessions, 0);
544 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
546 if (nm->num_workers > 1)
548 if (nm->fq_in2out_index == ~0)
550 nm->fq_in2out_index = vlib_frame_queue_main_init (
551 nm->in2out_node_index, nm->frame_queue_nelts);
553 if (nm->fq_out2in_index == ~0)
555 nm->fq_out2in_index = vlib_frame_queue_main_init (
556 nm->out2in_node_index, nm->frame_queue_nelts);
558 if (nm->fq_in2out_output_index == ~0)
560 nm->fq_in2out_output_index = vlib_frame_queue_main_init (
561 nm->in2out_output_node_index, nm->frame_queue_nelts);
572 nat44_ei_addresses_free (nat44_ei_address_t **addresses)
574 nat44_ei_address_t *ap;
575 vec_foreach (ap, *addresses)
577 #define _(N, i, n, s) vec_free (ap->busy_##n##_ports_per_thread);
581 vec_free (*addresses);
585 static_always_inline nat44_ei_outside_fib_t *
586 nat44_ei_get_outside_fib (nat44_ei_outside_fib_t *outside_fibs, u32 fib_index)
588 nat44_ei_outside_fib_t *f;
589 vec_foreach (f, outside_fibs)
591 if (f->fib_index == fib_index)
599 static_always_inline nat44_ei_interface_t *
600 nat44_ei_get_interface (nat44_ei_interface_t *interfaces, u32 sw_if_index)
602 nat44_ei_interface_t *i;
603 pool_foreach (i, interfaces)
605 if (i->sw_if_index == sw_if_index)
613 static_always_inline int
614 nat44_ei_add_interface (u32 sw_if_index, u8 is_inside)
616 const char *feature_name, *del_feature_name;
617 nat44_ei_main_t *nm = &nat44_ei_main;
619 nat44_ei_outside_fib_t *outside_fib;
620 nat44_ei_interface_t *i;
626 if (nm->out2in_dpo && !is_inside)
628 nat44_ei_log_err ("error unsupported");
629 return VNET_API_ERROR_UNSUPPORTED;
632 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
634 nat44_ei_log_err ("error interface already configured");
635 return VNET_API_ERROR_VALUE_EXIST;
638 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
641 if ((nat44_ei_interface_is_inside (i) && is_inside) ||
642 (nat44_ei_interface_is_outside (i) && !is_inside))
646 if (nm->num_workers > 1)
648 del_feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
649 "nat44-ei-out2in-worker-handoff";
650 feature_name = "nat44-ei-handoff-classify";
655 !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
657 feature_name = "nat44-ei-classify";
660 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
665 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
666 sw_if_index, 0, 0, 0);
671 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
672 sw_if_index, 1, 0, 0);
679 rv = vnet_feature_enable_disable (
680 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 0, 0, 0);
689 if (nm->num_workers > 1)
691 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
692 "nat44-ei-out2in-worker-handoff";
696 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
698 nat_validate_interface_counters (nm, sw_if_index);
700 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
705 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
706 sw_if_index, 1, 0, 0);
711 if (is_inside && !nm->out2in_dpo)
713 rv = vnet_feature_enable_disable (
714 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 1, 0, 0);
721 pool_get (nm->interfaces, i);
722 i->sw_if_index = sw_if_index;
727 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
731 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
733 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
736 outside_fib->refcount++;
740 vec_add2 (nm->outside_fibs, outside_fib, 1);
741 outside_fib->fib_index = fib_index;
742 outside_fib->refcount = 1;
745 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
746 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
750 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
756 static_always_inline int
757 nat44_ei_del_interface (u32 sw_if_index, u8 is_inside)
759 const char *feature_name, *del_feature_name;
760 nat44_ei_main_t *nm = &nat44_ei_main;
762 nat44_ei_outside_fib_t *outside_fib;
763 nat44_ei_interface_t *i;
769 if (nm->out2in_dpo && !is_inside)
771 nat44_ei_log_err ("error unsupported");
772 return VNET_API_ERROR_UNSUPPORTED;
775 i = nat44_ei_get_interface (nm->interfaces, sw_if_index);
778 nat44_ei_log_err ("error interface couldn't be found");
779 return VNET_API_ERROR_NO_SUCH_ENTRY;
782 if (nat44_ei_interface_is_inside (i) && nat44_ei_interface_is_outside (i))
784 if (nm->num_workers > 1)
786 del_feature_name = "nat44-ei-handoff-classify";
787 feature_name = !is_inside ? "nat44-ei-in2out-worker-handoff" :
788 "nat44-ei-out2in-worker-handoff";
792 del_feature_name = "nat44-ei-classify";
793 feature_name = !is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
796 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
801 rv = vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
802 sw_if_index, 0, 0, 0);
807 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
808 sw_if_index, 1, 0, 0);
815 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
819 rv = vnet_feature_enable_disable (
820 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 1, 0, 0);
825 i->flags &= ~NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
830 if (nm->num_workers > 1)
832 feature_name = is_inside ? "nat44-ei-in2out-worker-handoff" :
833 "nat44-ei-out2in-worker-handoff";
837 feature_name = is_inside ? "nat44-ei-in2out" : "nat44-ei-out2in";
840 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
845 rv = vnet_feature_enable_disable ("ip4-unicast", feature_name,
846 sw_if_index, 0, 0, 0);
853 rv = vnet_feature_enable_disable (
854 "ip4-local", "nat44-ei-hairpinning", sw_if_index, 0, 0, 0);
862 pool_put (nm->interfaces, i);
868 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
869 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
872 outside_fib->refcount--;
873 if (!outside_fib->refcount)
875 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
879 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 0);
880 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 0);
887 nat44_ei_add_del_interface (u32 sw_if_index, u8 is_inside, int is_del)
891 return nat44_ei_del_interface (sw_if_index, is_inside);
895 return nat44_ei_add_interface (sw_if_index, is_inside);
899 static_always_inline int
900 nat44_ei_add_output_interface (u32 sw_if_index)
902 nat44_ei_main_t *nm = &nat44_ei_main;
904 nat44_ei_outside_fib_t *outside_fib;
905 nat44_ei_interface_t *i;
911 if (nat44_ei_get_interface (nm->interfaces, sw_if_index))
913 nat44_ei_log_err ("error interface already configured");
914 return VNET_API_ERROR_VALUE_EXIST;
917 if (nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index))
919 nat44_ei_log_err ("error interface already configured");
920 return VNET_API_ERROR_VALUE_EXIST;
923 if (nm->num_workers > 1)
925 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
930 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
935 rv = vnet_feature_enable_disable (
936 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 1, 0, 0);
941 rv = vnet_feature_enable_disable (
942 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 1,
951 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
956 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 1);
961 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
962 sw_if_index, 1, 0, 0);
967 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
968 sw_if_index, 1, 0, 0);
975 nat_validate_interface_counters (nm, sw_if_index);
977 pool_get (nm->output_feature_interfaces, i);
978 i->sw_if_index = sw_if_index;
980 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_INSIDE;
981 i->flags |= NAT44_EI_INTERFACE_FLAG_IS_OUTSIDE;
984 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
985 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
988 outside_fib->refcount++;
992 vec_add2 (nm->outside_fibs, outside_fib, 1);
993 outside_fib->fib_index = fib_index;
994 outside_fib->refcount = 1;
997 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
998 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
1003 static_always_inline int
1004 nat44_ei_del_output_interface (u32 sw_if_index)
1006 nat44_ei_main_t *nm = &nat44_ei_main;
1008 nat44_ei_outside_fib_t *outside_fib;
1009 nat44_ei_interface_t *i;
1013 fail_if_disabled ();
1015 i = nat44_ei_get_interface (nm->output_feature_interfaces, sw_if_index);
1018 nat44_ei_log_err ("error interface couldn't be found");
1019 return VNET_API_ERROR_NO_SUCH_ENTRY;
1022 if (nm->num_workers > 1)
1024 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1029 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1034 rv = vnet_feature_enable_disable (
1035 "ip4-unicast", "nat44-ei-out2in-worker-handoff", sw_if_index, 0, 0, 0);
1040 rv = vnet_feature_enable_disable (
1041 "ip4-output", "nat44-ei-in2out-output-worker-handoff", sw_if_index, 0,
1050 rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
1055 rv = ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, 0);
1060 rv = vnet_feature_enable_disable ("ip4-unicast", "nat44-ei-out2in",
1061 sw_if_index, 0, 0, 0);
1066 rv = vnet_feature_enable_disable ("ip4-output", "nat44-ei-in2out-output",
1067 sw_if_index, 0, 0, 0);
1074 pool_put (nm->output_feature_interfaces, i);
1077 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index);
1078 outside_fib = nat44_ei_get_outside_fib (nm->outside_fibs, fib_index);
1081 outside_fib->refcount--;
1082 if (!outside_fib->refcount)
1084 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
1088 nat44_ei_add_del_addr_to_fib_foreach_addr (sw_if_index, 1);
1089 nat44_ei_add_del_addr_to_fib_foreach_addr_only_sm (sw_if_index, 1);
1095 nat44_ei_add_del_output_interface (u32 sw_if_index, int is_del)
1099 return nat44_ei_del_output_interface (sw_if_index);
1103 return nat44_ei_add_output_interface (sw_if_index);
1108 nat44_ei_plugin_disable ()
1110 nat44_ei_main_t *nm = &nat44_ei_main;
1111 nat44_ei_interface_t *i, *pool;
1114 // first unregister all nodes from interfaces
1115 pool = pool_dup (nm->interfaces);
1116 pool_foreach (i, pool)
1118 if (nat44_ei_interface_is_inside (i))
1120 error = nat44_ei_del_interface (i->sw_if_index, 1);
1122 if (nat44_ei_interface_is_outside (i))
1124 error = nat44_ei_del_interface (i->sw_if_index, 0);
1129 nat44_ei_log_err ("error occurred while removing interface %u",
1134 pool_free (nm->interfaces);
1136 pool = pool_dup (nm->output_feature_interfaces);
1137 pool_foreach (i, pool)
1139 error = nat44_ei_del_output_interface (i->sw_if_index);
1142 nat44_ei_log_err ("error occurred while removing interface %u",
1147 pool_free (nm->output_feature_interfaces);
1150 nat44_ei_db_free ();
1152 nat44_ei_addresses_free (&nm->addresses);
1154 vec_free (nm->to_resolve);
1155 vec_free (nm->auto_add_sw_if_indices);
1158 nm->auto_add_sw_if_indices = 0;
1160 nm->forwarding_enabled = 0;
1163 clib_memset (&nm->rconfig, 0, sizeof (nm->rconfig));
1169 nat44_ei_set_outside_address_and_port (nat44_ei_address_t *addresses,
1170 u32 thread_index, ip4_address_t addr,
1171 u16 port, nat_protocol_t protocol)
1173 nat44_ei_main_t *nm = &nat44_ei_main;
1174 nat44_ei_address_t *a = 0;
1176 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1178 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1180 if (addresses[address_index].addr.as_u32 != addr.as_u32)
1183 a = addresses + address_index;
1186 #define _(N, j, n, s) \
1187 case NAT_PROTOCOL_##N: \
1188 if (a->busy_##n##_port_refcounts[port_host_byte_order]) \
1189 return VNET_API_ERROR_INSTANCE_IN_USE; \
1190 ++a->busy_##n##_port_refcounts[port_host_byte_order]; \
1191 a->busy_##n##_ports_per_thread[thread_index]++; \
1192 a->busy_##n##_ports++; \
1194 foreach_nat_protocol
1196 default : nat_elog_info (nm, "unknown protocol");
1201 return VNET_API_ERROR_NO_SUCH_ENTRY;
1205 nat44_ei_add_del_address_dpo (ip4_address_t addr, u8 is_add)
1207 nat44_ei_main_t *nm = &nat44_ei_main;
1208 dpo_id_t dpo_v4 = DPO_INVALID;
1209 fib_prefix_t pfx = {
1210 .fp_proto = FIB_PROTOCOL_IP4,
1212 .fp_addr.ip4.as_u32 = addr.as_u32,
1217 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
1218 fib_table_entry_special_dpo_add (0, &pfx, nm->fib_src_hi,
1219 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
1220 dpo_reset (&dpo_v4);
1224 fib_table_entry_special_remove (0, &pfx, nm->fib_src_hi);
1229 nat44_ei_free_outside_address_and_port (nat44_ei_address_t *addresses,
1230 u32 thread_index, ip4_address_t *addr,
1231 u16 port, nat_protocol_t protocol)
1233 nat44_ei_main_t *nm = &nat44_ei_main;
1234 nat44_ei_address_t *a;
1236 u16 port_host_byte_order = clib_net_to_host_u16 (port);
1238 for (address_index = 0; address_index < vec_len (addresses); address_index++)
1240 if (addresses[address_index].addr.as_u32 == addr->as_u32)
1244 ASSERT (address_index < vec_len (addresses));
1246 a = addresses + address_index;
1250 #define _(N, i, n, s) \
1251 case NAT_PROTOCOL_##N: \
1252 ASSERT (a->busy_##n##_port_refcounts[port_host_byte_order] >= 1); \
1253 --a->busy_##n##_port_refcounts[port_host_byte_order]; \
1254 a->busy_##n##_ports--; \
1255 a->busy_##n##_ports_per_thread[thread_index]--; \
1257 foreach_nat_protocol
1259 default : nat_elog_info (nm, "unknown protocol");
1265 nat44_ei_free_session_data_v2 (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1266 u32 thread_index, u8 is_ha)
1268 clib_bihash_kv_8_8_t kv;
1270 /* session lookup tables */
1271 init_nat_i2o_k (&kv, s);
1272 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1273 nat_elog_warn (nm, "in2out key del failed");
1274 init_nat_o2i_k (&kv, s);
1275 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1276 nat_elog_warn (nm, "out2in key del failed");
1279 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1280 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
1281 s->out2in.port, s->nat_proto);
1283 if (nat44_ei_is_unk_proto_session (s))
1289 nat_ipfix_logging_nat44_ses_delete (
1290 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1291 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1292 s->in2out.fib_index);
1294 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1295 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1299 if (nat44_ei_is_session_static (s))
1302 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1303 &s->out2in.addr, s->out2in.port,
1308 nat44_ei_user_get_or_create (nat44_ei_main_t *nm, ip4_address_t *addr,
1309 u32 fib_index, u32 thread_index)
1311 nat44_ei_user_t *u = 0;
1312 nat44_ei_user_key_t user_key;
1313 clib_bihash_kv_8_8_t kv, value;
1314 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1315 dlist_elt_t *per_user_list_head_elt;
1317 user_key.addr.as_u32 = addr->as_u32;
1318 user_key.fib_index = fib_index;
1319 kv.key = user_key.as_u64;
1321 /* Ever heard of the "user" = src ip4 address before? */
1322 if (clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1324 if (pool_elts (tnm->users) >= nm->max_users_per_thread)
1326 vlib_increment_simple_counter (&nm->user_limit_reached, thread_index,
1328 nat_elog_warn (nm, "maximum user limit reached");
1331 /* no, make a new one */
1332 pool_get (tnm->users, u);
1333 clib_memset (u, 0, sizeof (*u));
1335 u->addr.as_u32 = addr->as_u32;
1336 u->fib_index = fib_index;
1338 pool_get (tnm->list_pool, per_user_list_head_elt);
1340 u->sessions_per_user_list_head_index =
1341 per_user_list_head_elt - tnm->list_pool;
1343 clib_dlist_init (tnm->list_pool, u->sessions_per_user_list_head_index);
1345 kv.value = u - tnm->users;
1348 if (clib_bihash_add_del_8_8 (&tnm->user_hash, &kv, 1))
1350 nat_elog_warn (nm, "user_hash key add failed");
1351 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
1355 vlib_set_simple_counter (&nm->total_users, thread_index, 0,
1356 pool_elts (tnm->users));
1360 u = pool_elt_at_index (tnm->users, value.value);
1366 nat44_ei_session_t *
1367 nat44_ei_session_alloc_or_recycle (nat44_ei_main_t *nm, nat44_ei_user_t *u,
1368 u32 thread_index, f64 now)
1370 nat44_ei_session_t *s;
1371 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1372 u32 oldest_per_user_translation_list_index, session_index;
1373 dlist_elt_t *oldest_per_user_translation_list_elt;
1374 dlist_elt_t *per_user_translation_list_elt;
1376 /* Over quota? Recycle the least recently used translation */
1377 if ((u->nsessions + u->nstaticsessions) >= nm->max_translations_per_user)
1379 oldest_per_user_translation_list_index = clib_dlist_remove_head (
1380 tnm->list_pool, u->sessions_per_user_list_head_index);
1382 ASSERT (oldest_per_user_translation_list_index != ~0);
1384 /* Add it back to the end of the LRU list */
1385 clib_dlist_addtail (tnm->list_pool, u->sessions_per_user_list_head_index,
1386 oldest_per_user_translation_list_index);
1387 /* Get the list element */
1388 oldest_per_user_translation_list_elt = pool_elt_at_index (
1389 tnm->list_pool, oldest_per_user_translation_list_index);
1391 /* Get the session index from the list element */
1392 session_index = oldest_per_user_translation_list_elt->value;
1394 /* Get the session */
1395 s = pool_elt_at_index (tnm->sessions, session_index);
1397 nat44_ei_free_session_data_v2 (nm, s, thread_index, 0);
1398 if (nat44_ei_is_session_static (s))
1399 u->nstaticsessions--;
1406 s->ext_host_addr.as_u32 = 0;
1407 s->ext_host_port = 0;
1408 s->ext_host_nat_addr.as_u32 = 0;
1409 s->ext_host_nat_port = 0;
1413 pool_get (tnm->sessions, s);
1414 clib_memset (s, 0, sizeof (*s));
1416 /* Create list elts */
1417 pool_get (tnm->list_pool, per_user_translation_list_elt);
1418 clib_dlist_init (tnm->list_pool,
1419 per_user_translation_list_elt - tnm->list_pool);
1421 per_user_translation_list_elt->value = s - tnm->sessions;
1422 s->per_user_index = per_user_translation_list_elt - tnm->list_pool;
1423 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
1425 clib_dlist_addtail (tnm->list_pool, s->per_user_list_head_index,
1426 per_user_translation_list_elt - tnm->list_pool);
1428 s->user_index = u - tnm->users;
1429 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
1430 pool_elts (tnm->sessions));
1433 s->ha_last_refreshed = now;
1439 nat44_ei_free_session_data (nat44_ei_main_t *nm, nat44_ei_session_t *s,
1440 u32 thread_index, u8 is_ha)
1442 clib_bihash_kv_8_8_t kv;
1444 init_nat_i2o_k (&kv, s);
1445 if (clib_bihash_add_del_8_8 (&nm->in2out, &kv, 0))
1446 nat_elog_warn (nm, "in2out key del failed");
1448 init_nat_o2i_k (&kv, s);
1449 if (clib_bihash_add_del_8_8 (&nm->out2in, &kv, 0))
1450 nat_elog_warn (nm, "out2in key del failed");
1454 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
1455 &s->in2out.addr, s->in2out.port,
1456 &s->out2in.addr, s->out2in.port, s->nat_proto);
1458 nat_ipfix_logging_nat44_ses_delete (
1459 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
1460 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
1461 s->in2out.fib_index);
1463 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
1464 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
1468 if (nat44_ei_is_session_static (s))
1471 nat44_ei_free_outside_address_and_port (nm->addresses, thread_index,
1472 &s->out2in.addr, s->out2in.port,
1476 static_always_inline void
1477 nat44_ei_user_del_sessions (nat44_ei_user_t *u, u32 thread_index)
1480 nat44_ei_session_t *s;
1482 nat44_ei_main_t *nm = &nat44_ei_main;
1483 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
1487 pool_elt_at_index (tnm->list_pool, u->sessions_per_user_list_head_index);
1488 // get first element
1489 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1491 while (elt->value != ~0)
1493 s = pool_elt_at_index (tnm->sessions, elt->value);
1494 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1496 nat44_ei_free_session_data (nm, s, thread_index, 0);
1497 nat44_ei_delete_session (nm, s, thread_index);
1502 nat44_ei_user_del (ip4_address_t *addr, u32 fib_index)
1506 nat44_ei_main_t *nm = &nat44_ei_main;
1507 nat44_ei_main_per_thread_data_t *tnm;
1509 nat44_ei_user_key_t user_key;
1510 clib_bihash_kv_8_8_t kv, value;
1512 user_key.addr.as_u32 = addr->as_u32;
1513 user_key.fib_index = fib_index;
1514 kv.key = user_key.as_u64;
1516 if (nm->num_workers > 1)
1518 vec_foreach (tnm, nm->per_thread_data)
1520 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1522 nat44_ei_user_del_sessions (
1523 pool_elt_at_index (tnm->users, value.value),
1532 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
1533 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1535 nat44_ei_user_del_sessions (
1536 pool_elt_at_index (tnm->users, value.value), tnm->thread_index);
1544 nat44_ei_static_mapping_del_sessions (nat44_ei_main_t *nm,
1545 nat44_ei_main_per_thread_data_t *tnm,
1546 nat44_ei_user_key_t u_key, int addr_only,
1547 ip4_address_t e_addr, u16 e_port)
1549 clib_bihash_kv_8_8_t kv, value;
1550 kv.key = u_key.as_u64;
1552 dlist_elt_t *head, *elt;
1554 nat44_ei_session_t *s;
1555 u32 elt_index, head_index, ses_index;
1557 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1559 user_index = value.value;
1560 u = pool_elt_at_index (tnm->users, user_index);
1561 if (u->nstaticsessions)
1563 head_index = u->sessions_per_user_list_head_index;
1564 head = pool_elt_at_index (tnm->list_pool, head_index);
1565 elt_index = head->next;
1566 elt = pool_elt_at_index (tnm->list_pool, elt_index);
1567 ses_index = elt->value;
1568 while (ses_index != ~0)
1570 s = pool_elt_at_index (tnm->sessions, ses_index);
1571 elt = pool_elt_at_index (tnm->list_pool, elt->next);
1572 ses_index = elt->value;
1576 if ((s->out2in.addr.as_u32 != e_addr.as_u32) ||
1577 (s->out2in.port != e_port))
1581 if (!nat44_ei_is_session_static (s))
1584 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
1586 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
1596 nat44_ei_get_in2out_worker_index (ip4_header_t *ip0, u32 rx_fib_index0,
1599 nat44_ei_main_t *nm = &nat44_ei_main;
1600 u32 next_worker_index = 0;
1603 next_worker_index = nm->first_worker_index;
1604 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
1605 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24);
1607 if (PREDICT_TRUE (is_pow2 (_vec_len (nm->workers))))
1608 next_worker_index += nm->workers[hash & (_vec_len (nm->workers) - 1)];
1610 next_worker_index += nm->workers[hash % _vec_len (nm->workers)];
1612 return next_worker_index;
1616 nat44_ei_get_out2in_worker_index (vlib_buffer_t *b, ip4_header_t *ip0,
1617 u32 rx_fib_index0, u8 is_output)
1619 nat44_ei_main_t *nm = &nat44_ei_main;
1622 clib_bihash_kv_8_8_t kv, value;
1623 nat44_ei_static_mapping_t *m;
1625 u32 next_worker_index = 0;
1627 /* first try static mappings without port */
1628 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1630 init_nat_k (&kv, ip0->dst_address, 0, rx_fib_index0, 0);
1631 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1634 m = pool_elt_at_index (nm->static_mappings, value.value);
1635 return m->workers[0];
1639 proto = ip_proto_to_nat_proto (ip0->protocol);
1640 udp = ip4_next_header (ip0);
1641 port = vnet_buffer (b)->ip.reass.l4_dst_port;
1643 /* unknown protocol */
1644 if (PREDICT_FALSE (proto == NAT_PROTOCOL_OTHER))
1646 /* use current thread */
1647 return vlib_get_thread_index ();
1650 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
1652 icmp46_header_t *icmp = (icmp46_header_t *) udp;
1653 icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
1654 if (!icmp_type_is_error_message (
1655 vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
1656 port = vnet_buffer (b)->ip.reass.l4_src_port;
1659 /* if error message, then it's not fragmented and we can access it */
1660 ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
1661 proto = ip_proto_to_nat_proto (inner_ip->protocol);
1662 void *l4_header = ip4_next_header (inner_ip);
1665 case NAT_PROTOCOL_ICMP:
1666 icmp = (icmp46_header_t *) l4_header;
1667 echo = (icmp_echo_header_t *) (icmp + 1);
1668 port = echo->identifier;
1670 case NAT_PROTOCOL_UDP:
1671 case NAT_PROTOCOL_TCP:
1672 port = ((tcp_udp_header_t *) l4_header)->src_port;
1675 return vlib_get_thread_index ();
1680 /* try static mappings with port */
1681 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
1683 init_nat_k (&kv, ip0->dst_address, port, rx_fib_index0, proto);
1684 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
1687 m = pool_elt_at_index (nm->static_mappings, value.value);
1688 return m->workers[0];
1692 /* worker by outside port */
1693 next_worker_index = nm->first_worker_index;
1694 next_worker_index +=
1695 nm->workers[(clib_net_to_host_u16 (port) - 1024) / nm->port_per_thread];
1696 return next_worker_index;
1700 nat44_ei_alloc_default_cb (nat44_ei_address_t *addresses, u32 fib_index,
1701 u32 thread_index, nat_protocol_t proto,
1702 ip4_address_t s_addr, ip4_address_t *addr,
1703 u16 *port, u16 port_per_thread,
1704 u32 snat_thread_index)
1706 nat44_ei_main_t *nm = &nat44_ei_main;
1707 nat44_ei_address_t *a, *ga = 0;
1711 if (vec_len (addresses) > 0)
1714 int s_addr_offset = s_addr.as_u32 % vec_len (addresses);
1716 for (i = s_addr_offset; i < vec_len (addresses); ++i)
1721 #define _(N, j, n, s) \
1722 case NAT_PROTOCOL_##N: \
1723 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
1725 if (a->fib_index == fib_index) \
1729 portnum = (port_per_thread * snat_thread_index) + \
1730 nat_random_port (&nm->random_seed, 0, \
1731 port_per_thread - 1) + \
1733 if (a->busy_##n##_port_refcounts[portnum]) \
1735 --a->busy_##n##_port_refcounts[portnum]; \
1736 a->busy_##n##_ports_per_thread[thread_index]++; \
1737 a->busy_##n##_ports++; \
1739 *port = clib_host_to_net_u16 (portnum); \
1743 else if (a->fib_index == ~0) \
1749 foreach_nat_protocol;
1751 nat_elog_info (nm, "unknown protocol");
1756 for (i = 0; i < s_addr_offset; ++i)
1761 foreach_nat_protocol;
1763 nat_elog_info (nm, "unknown protocol");
1770 // fake fib index to reuse macro
1774 foreach_nat_protocol;
1775 default : nat_elog_info (nm, "unknown protocol");
1783 /* Totally out of translations to use... */
1784 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1789 nat44_ei_alloc_range_cb (nat44_ei_address_t *addresses, u32 fib_index,
1790 u32 thread_index, nat_protocol_t proto,
1791 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1792 u16 port_per_thread, u32 snat_thread_index)
1794 nat44_ei_main_t *nm = &nat44_ei_main;
1795 nat44_ei_address_t *a = addresses;
1798 ports = nm->end_port - nm->start_port + 1;
1800 if (!vec_len (addresses))
1805 #define _(N, i, n, s) \
1806 case NAT_PROTOCOL_##N: \
1807 if (a->busy_##n##_ports < ports) \
1811 portnum = nat_random_port (&nm->random_seed, nm->start_port, \
1813 if (a->busy_##n##_port_refcounts[portnum]) \
1815 ++a->busy_##n##_port_refcounts[portnum]; \
1816 a->busy_##n##_ports++; \
1818 *port = clib_host_to_net_u16 (portnum); \
1823 foreach_nat_protocol
1825 default : nat_elog_info (nm, "unknown protocol");
1830 /* Totally out of translations to use... */
1831 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1836 nat44_ei_alloc_mape_cb (nat44_ei_address_t *addresses, u32 fib_index,
1837 u32 thread_index, nat_protocol_t proto,
1838 ip4_address_t s_addr, ip4_address_t *addr, u16 *port,
1839 u16 port_per_thread, u32 snat_thread_index)
1841 nat44_ei_main_t *nm = &nat44_ei_main;
1842 nat44_ei_address_t *a = addresses;
1843 u16 m, ports, portnum, A, j;
1844 m = 16 - (nm->psid_offset + nm->psid_length);
1845 ports = (1 << (16 - nm->psid_length)) - (1 << m);
1847 if (!vec_len (addresses))
1852 #define _(N, i, n, s) \
1853 case NAT_PROTOCOL_##N: \
1854 if (a->busy_##n##_ports < ports) \
1858 A = nat_random_port (&nm->random_seed, 1, \
1859 pow2_mask (nm->psid_offset)); \
1860 j = nat_random_port (&nm->random_seed, 0, pow2_mask (m)); \
1861 portnum = A | (nm->psid << nm->psid_offset) | (j << (16 - m)); \
1862 if (a->busy_##n##_port_refcounts[portnum]) \
1864 ++a->busy_##n##_port_refcounts[portnum]; \
1865 a->busy_##n##_ports++; \
1867 *port = clib_host_to_net_u16 (portnum); \
1872 foreach_nat_protocol
1874 default : nat_elog_info (nm, "unknown protocol");
1879 /* Totally out of translations to use... */
1880 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
1885 nat44_ei_set_alloc_default ()
1887 nat44_ei_main_t *nm = &nat44_ei_main;
1889 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_DEFAULT;
1890 nm->alloc_addr_and_port = nat44_ei_alloc_default_cb;
1894 nat44_ei_set_alloc_range (u16 start_port, u16 end_port)
1896 nat44_ei_main_t *nm = &nat44_ei_main;
1898 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_RANGE;
1899 nm->alloc_addr_and_port = nat44_ei_alloc_range_cb;
1900 nm->start_port = start_port;
1901 nm->end_port = end_port;
1905 nat44_ei_set_alloc_mape (u16 psid, u16 psid_offset, u16 psid_length)
1907 nat44_ei_main_t *nm = &nat44_ei_main;
1909 nm->addr_and_port_alloc_alg = NAT44_EI_ADDR_AND_PORT_ALLOC_ALG_MAPE;
1910 nm->alloc_addr_and_port = nat44_ei_alloc_mape_cb;
1912 nm->psid_offset = psid_offset;
1913 nm->psid_length = psid_length;
1917 nat44_ei_delete_session (nat44_ei_main_t *nm, nat44_ei_session_t *ses,
1920 nat44_ei_main_per_thread_data_t *tnm =
1921 vec_elt_at_index (nm->per_thread_data, thread_index);
1922 clib_bihash_kv_8_8_t kv, value;
1924 const nat44_ei_user_key_t u_key = { .addr = ses->in2out.addr,
1925 .fib_index = ses->in2out.fib_index };
1926 const u8 u_static = nat44_ei_is_session_static (ses);
1928 clib_dlist_remove (tnm->list_pool, ses->per_user_index);
1929 pool_put_index (tnm->list_pool, ses->per_user_index);
1931 pool_put (tnm->sessions, ses);
1932 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
1933 pool_elts (tnm->sessions));
1935 kv.key = u_key.as_u64;
1936 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
1938 u = pool_elt_at_index (tnm->users, value.value);
1940 u->nstaticsessions--;
1944 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
1949 nat44_ei_del_session (nat44_ei_main_t *nm, ip4_address_t *addr, u16 port,
1950 nat_protocol_t proto, u32 vrf_id, int is_in)
1952 nat44_ei_main_per_thread_data_t *tnm;
1953 clib_bihash_kv_8_8_t kv, value;
1955 nat44_ei_session_t *s;
1956 clib_bihash_8_8_t *t;
1958 fail_if_disabled ();
1960 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
1961 init_nat_k (&kv, *addr, port, fib_index, proto);
1962 t = is_in ? &nm->in2out : &nm->out2in;
1963 if (!clib_bihash_search_8_8 (t, &kv, &value))
1965 // this is called from API/CLI, so the world is stopped here
1966 // it's safe to manipulate arbitrary per-thread data
1967 u32 thread_index = nat_value_get_thread_index (&value);
1968 tnm = vec_elt_at_index (nm->per_thread_data, thread_index);
1969 u32 session_index = nat_value_get_session_index (&value);
1970 if (pool_is_free_index (tnm->sessions, session_index))
1971 return VNET_API_ERROR_UNSPECIFIED;
1973 s = pool_elt_at_index (tnm->sessions, session_index);
1974 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data, 0);
1975 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
1979 return VNET_API_ERROR_NO_SUCH_ENTRY;
1983 nat44_ei_get_thread_idx_by_port (u16 e_port)
1985 nat44_ei_main_t *nm = &nat44_ei_main;
1986 u32 thread_idx = nm->num_workers;
1987 if (nm->num_workers > 1)
1989 thread_idx = nm->first_worker_index +
1990 nm->workers[(e_port - 1024) / nm->port_per_thread];
1996 nat44_ei_add_del_addr_to_fib (ip4_address_t *addr, u8 p_len, u32 sw_if_index,
1999 nat44_ei_main_t *nm = &nat44_ei_main;
2000 fib_prefix_t prefix = {
2002 .fp_proto = FIB_PROTOCOL_IP4,
2004 .ip4.as_u32 = addr->as_u32,
2007 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
2011 fib_table_entry_update_one_path (fib_index, &prefix, nm->fib_src_low,
2012 (FIB_ENTRY_FLAG_CONNECTED |
2013 FIB_ENTRY_FLAG_LOCAL |
2014 FIB_ENTRY_FLAG_EXCLUSIVE),
2015 DPO_PROTO_IP4, NULL, sw_if_index, ~0, 1,
2016 NULL, FIB_ROUTE_PATH_FLAG_NONE);
2020 fib_table_entry_delete (fib_index, &prefix, nm->fib_src_low);
2025 nat44_ei_reserve_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2027 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2028 nat44_ei_main_t *nm = &nat44_ei_main;
2029 nat44_ei_address_t *a = 0;
2032 for (i = 0; i < vec_len (nm->addresses); i++)
2034 a = nm->addresses + i;
2036 if (a->addr.as_u32 != addr.as_u32)
2041 #define _(N, j, n, s) \
2042 case NAT_PROTOCOL_##N: \
2043 if (a->busy_##n##_port_refcounts[port]) \
2045 ++a->busy_##n##_port_refcounts[port]; \
2048 a->busy_##n##_ports++; \
2049 a->busy_##n##_ports_per_thread[ti]++; \
2052 foreach_nat_protocol
2054 default : nat_elog_info (nm, "unknown protocol");
2066 nat44_ei_free_port (ip4_address_t addr, u16 port, nat_protocol_t proto)
2068 u32 ti = nat44_ei_get_thread_idx_by_port (port);
2069 nat44_ei_main_t *nm = &nat44_ei_main;
2070 nat44_ei_address_t *a = 0;
2073 for (i = 0; i < vec_len (nm->addresses); i++)
2075 a = nm->addresses + i;
2077 if (a->addr.as_u32 != addr.as_u32)
2082 #define _(N, j, n, s) \
2083 case NAT_PROTOCOL_##N: \
2084 --a->busy_##n##_port_refcounts[port]; \
2087 a->busy_##n##_ports--; \
2088 a->busy_##n##_ports_per_thread[ti]--; \
2091 foreach_nat_protocol
2093 default : nat_elog_info (nm, "unknown protocol");
2105 nat44_ei_add_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2106 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2107 u32 flags, ip4_address_t pool_addr, u8 *tag)
2109 nat44_ei_static_map_resolve_t *rp;
2110 nat44_ei_main_t *nm = &nat44_ei_main;
2112 vec_add2 (nm->to_resolve, rp, 1);
2113 rp->l_addr.as_u32 = l_addr.as_u32;
2114 rp->l_port = l_port;
2115 rp->e_port = e_port;
2116 rp->sw_if_index = sw_if_index;
2117 rp->vrf_id = vrf_id;
2120 rp->pool_addr = pool_addr;
2121 rp->tag = vec_dup (tag);
2125 nat44_ei_get_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2126 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2127 u32 flags, int *out)
2129 nat44_ei_static_map_resolve_t *rp;
2130 nat44_ei_main_t *nm = &nat44_ei_main;
2133 for (i = 0; i < vec_len (nm->to_resolve); i++)
2135 rp = nm->to_resolve + i;
2137 if (rp->sw_if_index == sw_if_index && rp->vrf_id == vrf_id)
2139 if (is_sm_identity_nat (rp->flags) && is_sm_identity_nat (flags))
2141 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2143 if (rp->e_port != e_port || rp->proto != proto)
2149 else if (rp->l_addr.as_u32 == l_addr.as_u32)
2151 if (!(is_sm_addr_only (rp->flags) && is_sm_addr_only (flags)))
2153 if (rp->l_port != l_port || rp->e_port != e_port ||
2175 nat44_ei_del_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
2176 nat_protocol_t proto, u32 vrf_id, u32 sw_if_index,
2179 nat44_ei_main_t *nm = &nat44_ei_main;
2181 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2182 sw_if_index, flags, &i))
2184 vec_del1 (nm->to_resolve, i);
2191 delete_matching_dynamic_sessions (const nat44_ei_static_mapping_t *m,
2194 nat44_ei_main_t *nm = &nat44_ei_main;
2195 clib_bihash_kv_8_8_t kv, value;
2196 nat44_ei_session_t *s;
2197 nat44_ei_user_key_t u_key;
2199 nat44_ei_main_per_thread_data_t *tnm;
2200 dlist_elt_t *head, *elt;
2201 u32 elt_index, head_index;
2205 if (nm->static_mapping_only)
2208 tnm = vec_elt_at_index (nm->per_thread_data, worker_index);
2210 u_key.addr = m->local_addr;
2211 u_key.fib_index = m->fib_index;
2212 kv.key = u_key.as_u64;
2213 if (!clib_bihash_search_8_8 (&tnm->user_hash, &kv, &value))
2215 user_index = value.value;
2216 u = pool_elt_at_index (tnm->users, user_index);
2219 head_index = u->sessions_per_user_list_head_index;
2220 head = pool_elt_at_index (tnm->list_pool, head_index);
2221 elt_index = head->next;
2222 elt = pool_elt_at_index (tnm->list_pool, elt_index);
2223 ses_index = elt->value;
2224 while (ses_index != ~0)
2226 s = pool_elt_at_index (tnm->sessions, ses_index);
2227 elt = pool_elt_at_index (tnm->list_pool, elt->next);
2228 ses_index = elt->value;
2230 if (nat44_ei_is_session_static (s))
2233 if (!is_sm_addr_only (m->flags) &&
2234 s->in2out.port != m->local_port)
2237 nat44_ei_free_session_data_v2 (nm, s, tnm - nm->per_thread_data,
2239 nat44_ei_delete_session (nm, s, tnm - nm->per_thread_data);
2241 if (!is_sm_addr_only (m->flags))
2249 nat44_ei_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2250 u16 l_port, u16 e_port, nat_protocol_t proto,
2251 u32 vrf_id, u32 sw_if_index, u32 flags,
2252 ip4_address_t pool_addr, u8 *tag)
2254 nat44_ei_main_t *nm = &nat44_ei_main;
2255 clib_bihash_kv_8_8_t kv, value;
2256 nat44_ei_lb_addr_port_t *local;
2257 nat44_ei_static_mapping_t *m;
2261 fail_if_disabled ();
2263 if (is_sm_addr_only (flags))
2265 e_port = l_port = proto = 0;
2268 if (sw_if_index != ~0)
2270 // this mapping is interface bound
2271 ip4_address_t *first_int_addr;
2273 // check if this record isn't registered for resolve
2274 if (!nat44_ei_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2275 sw_if_index, flags, 0))
2277 return VNET_API_ERROR_VALUE_EXIST;
2279 // register record for resolve
2280 nat44_ei_add_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2281 sw_if_index, flags, pool_addr, tag);
2284 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2285 if (!first_int_addr)
2287 // dhcp resolution required
2291 e_addr.as_u32 = first_int_addr->as_u32;
2294 if (is_sm_identity_nat (flags))
2297 l_addr.as_u32 = e_addr.as_u32;
2301 init_nat_k (&kv, e_addr, e_port, 0, proto);
2303 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2305 m = pool_elt_at_index (nm->static_mappings, value.value);
2306 if (!is_sm_identity_nat (m->flags))
2308 return VNET_API_ERROR_VALUE_EXIST;
2312 // adding local identity nat record for different vrf table
2313 pool_foreach (local, m->locals)
2315 if (local->vrf_id == vrf_id)
2317 return VNET_API_ERROR_VALUE_EXIST;
2321 pool_get (m->locals, local);
2323 local->vrf_id = vrf_id;
2324 local->fib_index = fib_table_find_or_create_and_lock (
2325 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
2327 init_nat_kv (&kv, m->local_addr, m->local_port, local->fib_index,
2328 m->proto, 0, m - nm->static_mappings);
2329 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2336 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
2341 // fallback to default vrf
2342 vrf_id = nm->inside_vrf_id;
2343 fib_index = nm->inside_fib_index;
2344 fib_table_lock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2347 if (!is_sm_identity_nat (flags))
2349 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2350 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2352 return VNET_API_ERROR_VALUE_EXIST;
2356 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2358 if (nat44_ei_reserve_port (e_addr, e_port, proto))
2360 // remove resolve record
2361 if ((sw_if_index != ~0) && !is_sm_identity_nat (flags))
2363 nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto,
2364 vrf_id, sw_if_index, flags);
2366 return VNET_API_ERROR_NO_SUCH_ENTRY;
2370 pool_get (nm->static_mappings, m);
2371 clib_memset (m, 0, sizeof (*m));
2374 m->local_addr = l_addr;
2375 m->external_addr = e_addr;
2377 m->tag = vec_dup (tag);
2379 if (!is_sm_addr_only (flags))
2381 m->local_port = l_port;
2382 m->external_port = e_port;
2386 if (is_sm_identity_nat (flags))
2388 pool_get (m->locals, local);
2390 local->vrf_id = vrf_id;
2391 local->fib_index = fib_index;
2396 m->fib_index = fib_index;
2399 init_nat_kv (&kv, m->local_addr, m->local_port, fib_index, m->proto, 0,
2400 m - nm->static_mappings);
2401 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 1);
2403 init_nat_kv (&kv, m->external_addr, m->external_port, 0, m->proto, 0,
2404 m - nm->static_mappings);
2405 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 1);
2407 if (nm->num_workers > 1)
2409 // store worker index for this record
2411 .src_address = m->local_addr,
2413 worker_index = nat44_ei_get_in2out_worker_index (&ip, m->fib_index, 0);
2414 vec_add1 (m->workers, worker_index);
2418 worker_index = nm->num_workers;
2420 delete_matching_dynamic_sessions (m, worker_index);
2422 if (is_sm_addr_only (flags))
2424 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 1);
2431 nat44_ei_del_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
2432 u16 l_port, u16 e_port, nat_protocol_t proto,
2433 u32 vrf_id, u32 sw_if_index, u32 flags)
2435 nat44_ei_main_per_thread_data_t *tnm;
2436 nat44_ei_main_t *nm = &nat44_ei_main;
2437 clib_bihash_kv_8_8_t kv, value;
2438 nat44_ei_lb_addr_port_t *local;
2439 nat44_ei_static_mapping_t *m;
2441 nat44_ei_user_key_t u_key;
2443 fail_if_disabled ();
2445 if (is_sm_addr_only (flags))
2447 e_port = l_port = proto = 0;
2450 if (sw_if_index != ~0)
2452 // this mapping is interface bound
2453 ip4_address_t *first_int_addr;
2455 // delete record registered for resolve
2456 if (nat44_ei_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
2457 sw_if_index, flags))
2459 return VNET_API_ERROR_NO_SUCH_ENTRY;
2463 ip4_interface_first_address (nm->ip4_main, sw_if_index, 0);
2464 if (!first_int_addr)
2466 // dhcp resolution required
2470 e_addr.as_u32 = first_int_addr->as_u32;
2473 if (is_sm_identity_nat (flags))
2476 l_addr.as_u32 = e_addr.as_u32;
2480 init_nat_k (&kv, e_addr, e_port, 0, proto);
2482 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
2484 if (sw_if_index != ~0)
2488 return VNET_API_ERROR_NO_SUCH_ENTRY;
2491 m = pool_elt_at_index (nm->static_mappings, value.value);
2493 if (is_sm_identity_nat (flags))
2499 vrf_id = nm->inside_vrf_id;
2502 pool_foreach (local, m->locals)
2504 if (local->vrf_id == vrf_id)
2506 local = pool_elt_at_index (m->locals, local - m->locals);
2507 fib_index = local->fib_index;
2508 pool_put (m->locals, local);
2514 return VNET_API_ERROR_NO_SUCH_ENTRY;
2519 fib_index = m->fib_index;
2522 if (!(is_sm_addr_only (flags) || nm->static_mapping_only))
2524 if (nat44_ei_free_port (e_addr, e_port, proto))
2526 return VNET_API_ERROR_INVALID_VALUE;
2530 init_nat_k (&kv, l_addr, l_port, fib_index, proto);
2531 clib_bihash_add_del_8_8 (&nm->static_mapping_by_local, &kv, 0);
2533 if (!nm->static_mapping_only || nm->static_mapping_connection_tracking)
2535 // delete sessions for static mapping
2536 if (nm->num_workers > 1)
2537 tnm = vec_elt_at_index (nm->per_thread_data, m->workers[0]);
2539 tnm = vec_elt_at_index (nm->per_thread_data, nm->num_workers);
2541 u_key.addr = m->local_addr;
2542 u_key.fib_index = fib_index;
2543 kv.key = u_key.as_u64;
2544 nat44_ei_static_mapping_del_sessions (
2545 nm, tnm, u_key, is_sm_addr_only (flags), e_addr, e_port);
2548 fib_table_unlock (fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2550 if (!pool_elts (m->locals))
2552 // this is last record remove all required stuff
2554 init_nat_k (&kv, e_addr, e_port, 0, proto);
2555 clib_bihash_add_del_8_8 (&nm->static_mapping_by_external, &kv, 0);
2558 vec_free (m->workers);
2559 pool_put (nm->static_mappings, m);
2561 if (is_sm_addr_only (flags) && !is_sm_identity_nat (flags))
2563 nat44_ei_add_del_addr_to_fib_foreach_out_if (&e_addr, 0);
2571 nat44_ei_static_mapping_match (ip4_address_t match_addr, u16 match_port,
2572 u32 match_fib_index,
2573 nat_protocol_t match_protocol,
2574 ip4_address_t *mapping_addr, u16 *mapping_port,
2575 u32 *mapping_fib_index, u8 by_external,
2576 u8 *is_addr_only, u8 *is_identity_nat)
2578 nat44_ei_main_t *nm = &nat44_ei_main;
2579 clib_bihash_kv_8_8_t kv, value;
2580 nat44_ei_static_mapping_t *m;
2585 init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
2586 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2589 /* Try address only mapping */
2590 init_nat_k (&kv, match_addr, 0, 0, 0);
2591 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv,
2595 m = pool_elt_at_index (nm->static_mappings, value.value);
2597 *mapping_fib_index = m->fib_index;
2598 *mapping_addr = m->local_addr;
2599 port = m->local_port;
2603 init_nat_k (&kv, match_addr, match_port, match_fib_index,
2605 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
2607 /* Try address only mapping */
2608 init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
2609 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv,
2613 m = pool_elt_at_index (nm->static_mappings, value.value);
2615 *mapping_fib_index = nm->outside_fib_index;
2616 *mapping_addr = m->external_addr;
2617 port = m->external_port;
2620 /* Address only mapping doesn't change port */
2621 if (is_sm_addr_only (m->flags))
2622 *mapping_port = match_port;
2624 *mapping_port = port;
2626 if (PREDICT_FALSE (is_addr_only != 0))
2627 *is_addr_only = is_sm_addr_only (m->flags);
2629 if (PREDICT_FALSE (is_identity_nat != 0))
2630 *is_identity_nat = is_sm_identity_nat (m->flags);
2636 nat44_ei_worker_db_free (nat44_ei_main_per_thread_data_t *tnm)
2638 pool_free (tnm->list_pool);
2639 pool_free (tnm->lru_pool);
2640 pool_free (tnm->sessions);
2641 pool_free (tnm->users);
2643 clib_bihash_free_8_8 (&tnm->user_hash);
2647 format_nat44_ei_key (u8 *s, va_list *args)
2649 u64 key = va_arg (*args, u64);
2653 nat_protocol_t protocol;
2656 split_nat_key (key, &addr, &port, &fib_index, &protocol);
2658 s = format (s, "%U proto %U port %d fib %d", format_ip4_address, &addr,
2659 format_nat_protocol, protocol, clib_net_to_host_u16 (port),
2665 format_nat44_ei_user_kvp (u8 *s, va_list *args)
2667 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2668 nat44_ei_user_key_t k;
2672 s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr,
2673 k.fib_index, v->value);
2679 format_nat44_ei_session_kvp (u8 *s, va_list *args)
2681 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2683 s = format (s, "%U thread-index %llu session-index %llu",
2684 format_nat44_ei_key, v->key, nat_value_get_thread_index (v),
2685 nat_value_get_session_index (v));
2691 format_nat44_ei_static_mapping_kvp (u8 *s, va_list *args)
2693 clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *);
2695 s = format (s, "%U static-mapping-index %llu", format_nat44_ei_key, v->key,
2702 nat44_ei_worker_db_init (nat44_ei_main_per_thread_data_t *tnm,
2703 u32 translations, u32 translation_buckets,
2708 pool_alloc (tnm->list_pool, translations);
2709 pool_alloc (tnm->lru_pool, translations);
2710 pool_alloc (tnm->sessions, translations);
2712 clib_bihash_init_8_8 (&tnm->user_hash, "users", user_buckets, 0);
2714 clib_bihash_set_kvp_format_fn_8_8 (&tnm->user_hash,
2715 format_nat44_ei_user_kvp);
2717 pool_get (tnm->lru_pool, head);
2718 tnm->tcp_trans_lru_head_index = head - tnm->lru_pool;
2719 clib_dlist_init (tnm->lru_pool, tnm->tcp_trans_lru_head_index);
2721 pool_get (tnm->lru_pool, head);
2722 tnm->tcp_estab_lru_head_index = head - tnm->lru_pool;
2723 clib_dlist_init (tnm->lru_pool, tnm->tcp_estab_lru_head_index);
2725 pool_get (tnm->lru_pool, head);
2726 tnm->udp_lru_head_index = head - tnm->lru_pool;
2727 clib_dlist_init (tnm->lru_pool, tnm->udp_lru_head_index);
2729 pool_get (tnm->lru_pool, head);
2730 tnm->icmp_lru_head_index = head - tnm->lru_pool;
2731 clib_dlist_init (tnm->lru_pool, tnm->icmp_lru_head_index);
2733 pool_get (tnm->lru_pool, head);
2734 tnm->unk_proto_lru_head_index = head - tnm->lru_pool;
2735 clib_dlist_init (tnm->lru_pool, tnm->unk_proto_lru_head_index);
2741 nat44_ei_main_t *nm = &nat44_ei_main;
2742 nat44_ei_main_per_thread_data_t *tnm;
2744 pool_free (nm->static_mappings);
2745 clib_bihash_free_8_8 (&nm->static_mapping_by_local);
2746 clib_bihash_free_8_8 (&nm->static_mapping_by_external);
2750 clib_bihash_free_8_8 (&nm->in2out);
2751 clib_bihash_free_8_8 (&nm->out2in);
2752 vec_foreach (tnm, nm->per_thread_data)
2754 nat44_ei_worker_db_free (tnm);
2760 nat44_ei_db_init (u32 translations, u32 translation_buckets, u32 user_buckets)
2762 nat44_ei_main_t *nm = &nat44_ei_main;
2763 nat44_ei_main_per_thread_data_t *tnm;
2765 u32 static_mapping_buckets = 1024;
2766 u32 static_mapping_memory_size = 64 << 20;
2768 clib_bihash_init_8_8 (&nm->static_mapping_by_local,
2769 "static_mapping_by_local", static_mapping_buckets,
2770 static_mapping_memory_size);
2771 clib_bihash_init_8_8 (&nm->static_mapping_by_external,
2772 "static_mapping_by_external", static_mapping_buckets,
2773 static_mapping_memory_size);
2774 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_local,
2775 format_nat44_ei_static_mapping_kvp);
2776 clib_bihash_set_kvp_format_fn_8_8 (&nm->static_mapping_by_external,
2777 format_nat44_ei_static_mapping_kvp);
2781 clib_bihash_init_8_8 (&nm->in2out, "in2out", translation_buckets, 0);
2782 clib_bihash_init_8_8 (&nm->out2in, "out2in", translation_buckets, 0);
2783 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2784 format_nat44_ei_session_kvp);
2785 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2786 format_nat44_ei_session_kvp);
2787 vec_foreach (tnm, nm->per_thread_data)
2789 nat44_ei_worker_db_init (tnm, translations, translation_buckets,
2796 nat44_ei_sessions_clear ()
2798 nat44_ei_main_t *nm = &nat44_ei_main;
2799 nat44_ei_main_per_thread_data_t *tnm;
2803 clib_bihash_free_8_8 (&nm->in2out);
2804 clib_bihash_free_8_8 (&nm->out2in);
2805 clib_bihash_init_8_8 (&nm->in2out, "in2out", nm->translation_buckets, 0);
2806 clib_bihash_init_8_8 (&nm->out2in, "out2in", nm->translation_buckets, 0);
2807 clib_bihash_set_kvp_format_fn_8_8 (&nm->in2out,
2808 format_nat44_ei_session_kvp);
2809 clib_bihash_set_kvp_format_fn_8_8 (&nm->out2in,
2810 format_nat44_ei_session_kvp);
2811 vec_foreach (tnm, nm->per_thread_data)
2813 nat44_ei_worker_db_free (tnm);
2814 nat44_ei_worker_db_init (tnm, nm->translations,
2815 nm->translation_buckets, nm->user_buckets);
2819 vlib_zero_simple_counter (&nm->total_users, 0);
2820 vlib_zero_simple_counter (&nm->total_sessions, 0);
2821 vlib_zero_simple_counter (&nm->user_limit_reached, 0);
2825 nat44_ei_update_outside_fib (ip4_main_t *im, uword opaque, u32 sw_if_index,
2826 u32 new_fib_index, u32 old_fib_index)
2828 nat44_ei_main_t *nm = &nat44_ei_main;
2829 nat44_ei_outside_fib_t *outside_fib;
2830 nat44_ei_interface_t *i;
2834 if (!nm->enabled || (new_fib_index == old_fib_index) ||
2835 (!vec_len (nm->outside_fibs)))
2840 pool_foreach (i, nm->interfaces)
2842 if (i->sw_if_index == sw_if_index)
2844 if (!(nat44_ei_interface_is_outside (i)))
2850 pool_foreach (i, nm->output_feature_interfaces)
2852 if (i->sw_if_index == sw_if_index)
2854 if (!(nat44_ei_interface_is_outside (i)))
2863 vec_foreach (outside_fib, nm->outside_fibs)
2865 if (outside_fib->fib_index == old_fib_index)
2867 outside_fib->refcount--;
2868 if (!outside_fib->refcount)
2869 vec_del1 (nm->outside_fibs, outside_fib - nm->outside_fibs);
2874 vec_foreach (outside_fib, nm->outside_fibs)
2876 if (outside_fib->fib_index == new_fib_index)
2878 outside_fib->refcount++;
2886 vec_add2 (nm->outside_fibs, outside_fib, 1);
2887 outside_fib->refcount = 1;
2888 outside_fib->fib_index = new_fib_index;
2893 nat44_ei_add_address (ip4_address_t *addr, u32 vrf_id)
2895 nat44_ei_main_t *nm = &nat44_ei_main;
2896 vlib_thread_main_t *tm = vlib_get_thread_main ();
2897 nat44_ei_address_t *ap;
2899 fail_if_disabled ();
2901 /* Check if address already exists */
2902 vec_foreach (ap, nm->addresses)
2904 if (ap->addr.as_u32 == addr->as_u32)
2906 nat44_ei_log_err ("address exist");
2907 return VNET_API_ERROR_VALUE_EXIST;
2911 vec_add2 (nm->addresses, ap, 1);
2918 ap->fib_index = fib_table_find_or_create_and_lock (
2919 FIB_PROTOCOL_IP4, vrf_id, nm->fib_src_low);
2922 #define _(N, i, n, s) \
2923 clib_memset (ap->busy_##n##_port_refcounts, 0, \
2924 sizeof (ap->busy_##n##_port_refcounts)); \
2925 ap->busy_##n##_ports = 0; \
2926 ap->busy_##n##_ports_per_thread = 0; \
2927 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, \
2928 tm->n_vlib_mains - 1, 0);
2929 foreach_nat_protocol
2932 nat44_ei_add_del_addr_to_fib_foreach_out_if (addr, 1);
2938 nat44_ei_del_address (ip4_address_t addr, u8 delete_sm)
2940 nat44_ei_main_t *nm = &nat44_ei_main;
2941 nat44_ei_address_t *a = 0;
2942 nat44_ei_session_t *ses;
2943 u32 *ses_to_be_removed = 0, *ses_index;
2944 nat44_ei_main_per_thread_data_t *tnm;
2945 nat44_ei_static_mapping_t *m;
2948 fail_if_disabled ();
2950 /* Find SNAT address */
2951 for (j = 0; j < vec_len (nm->addresses); j++)
2953 if (nm->addresses[j].addr.as_u32 == addr.as_u32)
2955 a = nm->addresses + j;
2961 nat44_ei_log_err ("no such address");
2962 return VNET_API_ERROR_NO_SUCH_ENTRY;
2967 pool_foreach (m, nm->static_mappings)
2969 if (m->external_addr.as_u32 == addr.as_u32)
2970 nat44_ei_del_static_mapping (m->local_addr, m->external_addr,
2971 m->local_port, m->external_port,
2972 m->proto, m->vrf_id, ~0, m->flags);
2977 /* Check if address is used in some static mapping */
2978 if (nat44_ei_is_address_used_in_static_mapping (addr))
2980 nat44_ei_log_err ("address used in static mapping");
2981 return VNET_API_ERROR_UNSPECIFIED;
2985 if (a->fib_index != ~0)
2987 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, nm->fib_src_low);
2990 /* Delete sessions using address */
2991 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
2993 vec_foreach (tnm, nm->per_thread_data)
2995 pool_foreach (ses, tnm->sessions)
2997 if (ses->out2in.addr.as_u32 == addr.as_u32)
2999 nat44_ei_free_session_data (nm, ses,
3000 tnm - nm->per_thread_data, 0);
3001 vec_add1 (ses_to_be_removed, ses - tnm->sessions);
3004 vec_foreach (ses_index, ses_to_be_removed)
3006 ses = pool_elt_at_index (tnm->sessions, ses_index[0]);
3007 nat44_ei_delete_session (nm, ses, tnm - nm->per_thread_data);
3009 vec_free (ses_to_be_removed);
3013 #define _(N, i, n, s) vec_free (a->busy_##n##_ports_per_thread);
3014 foreach_nat_protocol
3017 vec_del1 (nm->addresses, j);
3019 nat44_ei_add_del_addr_to_fib_foreach_out_if (&addr, 0);
3025 nat44_ei_add_interface_address (u32 sw_if_index)
3027 nat44_ei_main_t *nm = &nat44_ei_main;
3028 ip4_main_t *ip4_main = nm->ip4_main;
3029 ip4_address_t *first_int_addr;
3030 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3033 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3035 if (auto_add_sw_if_indices[i] == sw_if_index)
3037 return VNET_API_ERROR_VALUE_EXIST;
3041 /* add to the auto-address list */
3042 vec_add1 (nm->auto_add_sw_if_indices, sw_if_index);
3044 // if the address is already bound - or static - add it now
3045 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3048 (void) nat44_ei_add_address (first_int_addr, ~0);
3055 nat44_ei_del_interface_address (u32 sw_if_index)
3057 nat44_ei_main_t *nm = &nat44_ei_main;
3058 ip4_main_t *ip4_main = nm->ip4_main;
3059 ip4_address_t *first_int_addr;
3060 nat44_ei_static_map_resolve_t *rp;
3061 u32 *indices_to_delete = 0;
3063 u32 *auto_add_sw_if_indices = nm->auto_add_sw_if_indices;
3065 fail_if_disabled ();
3067 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
3069 for (i = 0; i < vec_len (auto_add_sw_if_indices); i++)
3071 if (auto_add_sw_if_indices[i] == sw_if_index)
3074 ip4_interface_first_address (ip4_main, sw_if_index, 0);
3077 (void) nat44_ei_del_address (first_int_addr[0], 1);
3081 for (j = 0; j < vec_len (nm->to_resolve); j++)
3083 rp = nm->to_resolve + j;
3084 if (rp->sw_if_index == sw_if_index)
3086 vec_add1 (indices_to_delete, j);
3089 if (vec_len (indices_to_delete))
3091 for (j = vec_len (indices_to_delete) - 1; j >= 0; j--)
3093 vec_del1 (nm->to_resolve, j);
3095 vec_free (indices_to_delete);
3099 vec_del1 (nm->auto_add_sw_if_indices, i);
3103 return VNET_API_ERROR_NO_SUCH_ENTRY;
3106 static_always_inline int
3107 is_sw_if_index_reg_for_auto_resolve (u32 *sw_if_indices, u32 sw_if_index)
3110 vec_foreach (i, sw_if_indices)
3112 if (*i == sw_if_index)
3121 nat44_ei_ip4_add_del_interface_address_cb (ip4_main_t *im, uword opaque,
3123 ip4_address_t *address,
3125 u32 if_address_index, u32 is_delete)
3127 nat44_ei_main_t *nm = &nat44_ei_main;
3128 nat44_ei_static_map_resolve_t *rp;
3129 nat44_ei_address_t *addresses = nm->addresses;
3137 if (!is_sw_if_index_reg_for_auto_resolve (nm->auto_add_sw_if_indices,
3145 /* Don't trip over lease renewal, static config */
3146 for (i = 0; i < vec_len (addresses); i++)
3148 if (addresses[i].addr.as_u32 == address->as_u32)
3154 (void) nat44_ei_add_address (address, ~0);
3156 /* Scan static map resolution vector */
3157 for (i = 0; i < vec_len (nm->to_resolve); i++)
3159 rp = nm->to_resolve + i;
3160 if (is_sm_addr_only (rp->flags))
3164 /* On this interface? */
3165 if (rp->sw_if_index == sw_if_index)
3167 rv = nat44_ei_add_static_mapping (
3168 rp->l_addr, address[0], rp->l_port, rp->e_port, rp->proto,
3169 rp->vrf_id, ~0, rp->flags, rp->pool_addr, rp->tag);
3172 nat_elog_notice_X1 (nm, "add_static_mapping returned %d",
3180 // remove all static mapping records
3181 (void) nat44_ei_del_address (address[0], 1);
3186 nat44_ei_set_frame_queue_nelts (u32 frame_queue_nelts)
3189 nat44_ei_main_t *nm = &nat44_ei_main;
3190 nm->frame_queue_nelts = frame_queue_nelts;
3195 nat44_ei_ip4_add_del_addr_only_sm_cb (ip4_main_t *im, uword opaque,
3196 u32 sw_if_index, ip4_address_t *address,
3197 u32 address_length, u32 if_address_index,
3200 nat44_ei_main_t *nm = &nat44_ei_main;
3201 nat44_ei_static_map_resolve_t *rp;
3202 nat44_ei_static_mapping_t *m;
3203 clib_bihash_kv_8_8_t kv, value;
3204 int i, rv = 0, match = 0;
3211 for (i = 0; i < vec_len (nm->to_resolve); i++)
3213 rp = nm->to_resolve + i;
3215 if (is_sm_addr_only (rp->flags) && rp->sw_if_index == sw_if_index)
3227 init_nat_k (&kv, *address, is_sm_addr_only (rp->flags) ? 0 : rp->e_port,
3228 nm->outside_fib_index,
3229 is_sm_addr_only (rp->flags) ? 0 : rp->proto);
3230 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
3233 m = pool_elt_at_index (nm->static_mappings, value.value);
3239 rv = nat44_ei_del_static_mapping (rp->l_addr, address[0], rp->l_port,
3240 rp->e_port, rp->proto, rp->vrf_id, ~0,
3244 nat_elog_notice_X1 (nm, "nat44_ei_del_static_mapping returned %d",
3252 rv = nat44_ei_add_static_mapping (rp->l_addr, address[0], rp->l_port,
3253 rp->e_port, rp->proto, rp->vrf_id, ~0,
3254 rp->flags, rp->pool_addr, rp->tag);
3257 nat_elog_notice_X1 (nm, "nat44_ei_add_static_mapping returned %d",
3263 static_always_inline uword
3264 nat44_ei_classify_inline_fn (vlib_main_t *vm, vlib_node_runtime_t *node,
3265 vlib_frame_t *frame)
3267 u32 n_left_from, *from, *to_next;
3268 nat44_ei_classify_next_t next_index;
3269 nat44_ei_main_t *nm = &nat44_ei_main;
3270 nat44_ei_static_mapping_t *m;
3271 u32 next_in2out = 0, next_out2in = 0;
3273 from = vlib_frame_vector_args (frame);
3274 n_left_from = frame->n_vectors;
3275 next_index = node->cached_next_index;
3277 while (n_left_from > 0)
3281 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
3283 while (n_left_from > 0 && n_left_to_next > 0)
3287 u32 next0 = NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3289 nat44_ei_address_t *ap;
3290 clib_bihash_kv_8_8_t kv0, value0;
3292 /* speculatively enqueue b0 to the current next frame */
3298 n_left_to_next -= 1;
3300 b0 = vlib_get_buffer (vm, bi0);
3301 ip0 = vlib_buffer_get_current (b0);
3303 vec_foreach (ap, nm->addresses)
3305 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
3307 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3312 if (PREDICT_FALSE (pool_elts (nm->static_mappings)))
3314 init_nat_k (&kv0, ip0->dst_address, 0, 0, 0);
3315 /* try to classify the fragment based on IP header alone */
3316 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3319 m = pool_elt_at_index (nm->static_mappings, value0.value);
3320 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3321 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3324 init_nat_k (&kv0, ip0->dst_address,
3325 vnet_buffer (b0)->ip.reass.l4_dst_port, 0,
3326 ip_proto_to_nat_proto (ip0->protocol));
3327 if (!clib_bihash_search_8_8 (&nm->static_mapping_by_external,
3330 m = pool_elt_at_index (nm->static_mappings, value0.value);
3331 if (m->local_addr.as_u32 != m->external_addr.as_u32)
3332 next0 = NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3337 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
3338 (b0->flags & VLIB_BUFFER_IS_TRACED)))
3340 nat44_ei_classify_trace_t *t =
3341 vlib_add_trace (vm, node, b0, sizeof (*t));
3343 t->next_in2out = next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
3346 next_in2out += next0 == NAT44_EI_CLASSIFY_NEXT_IN2OUT;
3347 next_out2in += next0 == NAT44_EI_CLASSIFY_NEXT_OUT2IN;
3349 /* verify speculative enqueue, maybe switch current next frame */
3350 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
3351 n_left_to_next, bi0, next0);
3354 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3357 vlib_node_increment_counter (
3358 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
3359 vlib_node_increment_counter (
3360 vm, node->node_index, NAT44_EI_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
3361 return frame->n_vectors;
3364 VLIB_NODE_FN (nat44_ei_classify_node)
3365 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3367 return nat44_ei_classify_inline_fn (vm, node, frame);
3370 VLIB_REGISTER_NODE (nat44_ei_classify_node) = {
3371 .name = "nat44-ei-classify",
3372 .vector_size = sizeof (u32),
3373 .format_trace = format_nat44_ei_classify_trace,
3374 .type = VLIB_NODE_TYPE_INTERNAL,
3375 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3376 .error_strings = nat44_ei_classify_error_strings,
3377 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3379 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out",
3380 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in",
3381 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3385 VLIB_NODE_FN (nat44_ei_handoff_classify_node)
3386 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
3388 return nat44_ei_classify_inline_fn (vm, node, frame);
3391 VLIB_REGISTER_NODE (nat44_ei_handoff_classify_node) = {
3392 .name = "nat44-ei-handoff-classify",
3393 .vector_size = sizeof (u32),
3394 .format_trace = format_nat44_ei_classify_trace,
3395 .type = VLIB_NODE_TYPE_INTERNAL,
3396 .n_errors = ARRAY_LEN(nat44_ei_classify_error_strings),
3397 .error_strings = nat44_ei_classify_error_strings,
3398 .n_next_nodes = NAT44_EI_CLASSIFY_N_NEXT,
3400 [NAT44_EI_CLASSIFY_NEXT_IN2OUT] = "nat44-ei-in2out-worker-handoff",
3401 [NAT44_EI_CLASSIFY_NEXT_OUT2IN] = "nat44-ei-out2in-worker-handoff",
3402 [NAT44_EI_CLASSIFY_NEXT_DROP] = "error-drop",
3407 * fd.io coding-style-patch-verification: ON
3410 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob