2 * Copyright (c) 2017 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT64 implementation
20 #include <nat/nat64.h>
21 #include <nat/nat64_db.h>
22 #include <vnet/fib/ip4_fib.h>
25 nat64_main_t nat64_main;
29 /* Hook up input features */
30 VNET_FEATURE_INIT (nat64_in2out, static) = {
31 .arc_name = "ip6-unicast",
32 .node_name = "nat64-in2out",
33 .runs_before = VNET_FEATURES ("ip6-lookup"),
35 VNET_FEATURE_INIT (nat64_out2in, static) = {
36 .arc_name = "ip4-unicast",
37 .node_name = "nat64-out2in",
38 .runs_before = VNET_FEATURES ("ip4-lookup"),
41 static u8 well_known_prefix[] = {
42 0x00, 0x64, 0xff, 0x9b,
43 0x00, 0x00, 0x00, 0x00,
44 0x00, 0x00, 0x00, 0x00,
45 0x00, 0x00, 0x00, 0x00
51 nat64_ip4_add_del_interface_address_cb (ip4_main_t * im, uword opaque,
53 ip4_address_t * address,
55 u32 if_address_index, u32 is_delete)
57 nat64_main_t *nm = &nat64_main;
60 for (i = 0; i < vec_len (nm->auto_add_sw_if_indices); i++)
62 if (sw_if_index == nm->auto_add_sw_if_indices[i])
66 /* Don't trip over lease renewal, static config */
67 for (j = 0; j < vec_len (nm->addr_pool); j++)
68 if (nm->addr_pool[j].addr.as_u32 == address->as_u32)
71 (void) nat64_add_del_pool_addr (address, ~0, 1);
76 (void) nat64_add_del_pool_addr (address, ~0, 0);
84 nat64_init (vlib_main_t * vm)
86 nat64_main_t *nm = &nat64_main;
87 clib_error_t *error = 0;
88 vlib_thread_main_t *tm = vlib_get_thread_main ();
89 ip4_add_del_interface_address_callback_t cb4;
90 ip4_main_t *im = &ip4_main;
94 if (tm->n_vlib_mains > 1)
100 if (nat64_db_init (&nm->db))
102 error = clib_error_return (0, "NAT64 DB init failed");
106 /* set session timeouts to default values */
107 nm->udp_timeout = SNAT_UDP_TIMEOUT;
108 nm->icmp_timeout = SNAT_ICMP_TIMEOUT;
109 nm->tcp_trans_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
110 nm->tcp_est_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
111 nm->tcp_incoming_syn_timeout = SNAT_TCP_INCOMING_SYN;
113 /* Set up the interface address add/del callback */
114 cb4.function = nat64_ip4_add_del_interface_address_cb;
115 cb4.function_opaque = 0;
116 vec_add1 (im->add_del_interface_address_callbacks, cb4);
124 nat64_add_del_pool_addr (ip4_address_t * addr, u32 vrf_id, u8 is_add)
126 nat64_main_t *nm = &nat64_main;
127 snat_address_t *a = 0;
128 snat_interface_t *interface;
131 /* Check if address already exists */
132 for (i = 0; i < vec_len (nm->addr_pool); i++)
134 if (nm->addr_pool[i].addr.as_u32 == addr->as_u32)
136 a = nm->addr_pool + i;
144 return VNET_API_ERROR_VALUE_EXIST;
146 vec_add2 (nm->addr_pool, a, 1);
151 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, vrf_id,
152 FIB_SOURCE_PLUGIN_HI);
153 #define _(N, i, n, s) \
154 clib_bitmap_alloc (a->busy_##n##_port_bitmap, 65535);
155 foreach_snat_protocol
161 return VNET_API_ERROR_NO_SUCH_ENTRY;
164 fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP6,
165 FIB_SOURCE_PLUGIN_HI);
167 #define _(N, id, n, s) \
168 clib_bitmap_free (a->busy_##n##_port_bitmap);
169 foreach_snat_protocol
171 /* Delete sessions using address */
172 nat64_db_free_out_addr (&nm->db, &a->addr);
173 vec_del1 (nm->addr_pool, i);
176 /* Add/del external address to FIB */
178 pool_foreach (interface, nm->interfaces,
180 if (nat_interface_is_inside(interface))
183 snat_add_del_addr_to_fib (addr, 32, interface->sw_if_index, is_add);
192 nat64_pool_addr_walk (nat64_pool_addr_walk_fn_t fn, void *ctx)
194 nat64_main_t *nm = &nat64_main;
195 snat_address_t *a = 0;
198 vec_foreach (a, nm->addr_pool)
207 nat64_add_interface_address (u32 sw_if_index, int is_add)
209 nat64_main_t *nm = &nat64_main;
210 ip4_main_t *ip4_main = nm->ip4_main;
211 ip4_address_t *first_int_addr;
214 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0);
216 for (i = 0; i < vec_len (nm->auto_add_sw_if_indices); i++)
218 if (nm->auto_add_sw_if_indices[i] == sw_if_index)
221 return VNET_API_ERROR_VALUE_EXIST;
224 /* if have address remove it */
226 (void) nat64_add_del_pool_addr (first_int_addr, ~0, 0);
228 vec_del1 (nm->auto_add_sw_if_indices, i);
235 return VNET_API_ERROR_NO_SUCH_ENTRY;
237 /* add to the auto-address list */
238 vec_add1 (nm->auto_add_sw_if_indices, sw_if_index);
240 /* If the address is already bound - or static - add it now */
242 (void) nat64_add_del_pool_addr (first_int_addr, ~0, 1);
248 nat64_add_del_interface (u32 sw_if_index, u8 is_inside, u8 is_add)
250 nat64_main_t *nm = &nat64_main;
251 snat_interface_t *interface = 0, *i;
253 const char *feature_name, *arc_name;
255 /* Check if interface already exists */
257 pool_foreach (i, nm->interfaces,
259 if (i->sw_if_index == sw_if_index)
272 pool_get (nm->interfaces, interface);
273 interface->sw_if_index = sw_if_index;
274 interface->flags = 0;
277 interface->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
279 interface->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
284 return VNET_API_ERROR_NO_SUCH_ENTRY;
286 if ((nat_interface_is_inside (interface)
287 && nat_interface_is_outside (interface)))
289 is_inside ? ~NAT_INTERFACE_FLAG_IS_INSIDE :
290 ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
292 pool_put (nm->interfaces, interface);
298 vec_foreach (ap, nm->addr_pool)
299 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, is_add);
303 arc_name = is_inside ? "ip6-unicast" : "ip4-unicast";
304 feature_name = is_inside ? "nat64-in2out" : "nat64-out2in";
306 return vnet_feature_enable_disable (arc_name, feature_name, sw_if_index,
311 nat64_interfaces_walk (nat64_interface_walk_fn_t fn, void *ctx)
313 nat64_main_t *nm = &nat64_main;
314 snat_interface_t *i = 0;
317 pool_foreach (i, nm->interfaces,
326 nat64_alloc_out_addr_and_port (u32 fib_index, snat_protocol_t proto,
327 ip4_address_t * addr, u16 * port)
329 nat64_main_t *nm = &nat64_main;
330 snat_main_t *sm = &snat_main;
332 snat_address_t *a, *ga = 0;
335 for (i = 0; i < vec_len (nm->addr_pool); i++)
337 a = nm->addr_pool + i;
340 #define _(N, j, n, s) \
341 case SNAT_PROTOCOL_##N: \
342 if (a->busy_##n##_ports < (65535-1024)) \
344 if (a->fib_index == fib_index) \
348 portnum = random_u32 (&sm->random_seed); \
350 if (portnum < 1024) \
352 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
355 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
357 a->busy_##n##_ports++; \
359 addr->as_u32 = a->addr.as_u32; \
363 else if (a->fib_index == 0) \
367 foreach_snat_protocol
370 clib_warning ("unknown protocol");
379 #define _(N, j, n, s) \
380 case SNAT_PROTOCOL_##N: \
383 portnum = random_u32 (&sm->random_seed); \
385 if (portnum < 1024) \
387 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
390 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
392 a->busy_##n##_ports++; \
394 addr->as_u32 = a->addr.as_u32; \
398 foreach_snat_protocol
401 clib_warning ("unknown protocol");
406 /* Totally out of translations to use... */
412 nat64_free_out_addr_and_port (ip4_address_t * addr, u16 port,
413 snat_protocol_t proto)
415 nat64_main_t *nm = &nat64_main;
419 for (i = 0; i < vec_len (nm->addr_pool); i++)
421 a = nm->addr_pool + i;
422 if (addr->as_u32 != a->addr.as_u32)
426 #define _(N, j, n, s) \
427 case SNAT_PROTOCOL_##N: \
428 ASSERT (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
430 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, port, 0); \
431 a->busy_##n##_ports--; \
433 foreach_snat_protocol
436 clib_warning ("unknown protocol");
444 nat64_add_del_static_bib_entry (ip6_address_t * in_addr,
445 ip4_address_t * out_addr, u16 in_port,
446 u16 out_port, u8 proto, u32 vrf_id, u8 is_add)
448 nat64_main_t *nm = &nat64_main;
449 nat64_db_bib_entry_t *bibe;
450 u32 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, vrf_id,
451 FIB_SOURCE_PLUGIN_HI);
452 snat_protocol_t p = ip_proto_to_snat_proto (proto);
457 addr.as_u64[0] = in_addr->as_u64[0];
458 addr.as_u64[1] = in_addr->as_u64[1];
460 nat64_db_bib_entry_find (&nm->db, &addr, clib_host_to_net_u16 (in_port),
461 proto, fib_index, 1);
466 return VNET_API_ERROR_VALUE_EXIST;
468 for (i = 0; i < vec_len (nm->addr_pool); i++)
470 a = nm->addr_pool + i;
471 if (out_addr->as_u32 != a->addr.as_u32)
475 #define _(N, j, n, s) \
476 case SNAT_PROTOCOL_##N: \
477 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
479 return VNET_API_ERROR_INVALID_VALUE; \
480 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
482 if (out_port > 1024) \
483 a->busy_##n##_ports++; \
485 foreach_snat_protocol
488 memset (&addr, 0, sizeof (addr));
489 addr.ip4.as_u32 = out_addr->as_u32;
490 if (nat64_db_bib_entry_find
491 (&nm->db, &addr, 0, proto, fib_index, 0))
492 return VNET_API_ERROR_INVALID_VALUE;
497 nat64_db_bib_entry_create (&nm->db, in_addr, out_addr,
498 clib_host_to_net_u16 (in_port),
499 clib_host_to_net_u16 (out_port), fib_index,
502 return VNET_API_ERROR_UNSPECIFIED;
507 return VNET_API_ERROR_NO_SUCH_ENTRY;
509 nat64_free_out_addr_and_port (out_addr, out_port, p);
510 nat64_db_bib_entry_free (&nm->db, bibe);
517 nat64_set_udp_timeout (u32 timeout)
519 nat64_main_t *nm = &nat64_main;
522 nm->udp_timeout = SNAT_UDP_TIMEOUT;
523 else if (timeout < SNAT_UDP_TIMEOUT_MIN)
524 return VNET_API_ERROR_INVALID_VALUE;
526 nm->udp_timeout = timeout;
532 nat64_get_udp_timeout (void)
534 nat64_main_t *nm = &nat64_main;
536 return nm->udp_timeout;
540 nat64_set_icmp_timeout (u32 timeout)
542 nat64_main_t *nm = &nat64_main;
545 nm->icmp_timeout = SNAT_ICMP_TIMEOUT;
547 nm->icmp_timeout = timeout;
553 nat64_get_icmp_timeout (void)
555 nat64_main_t *nm = &nat64_main;
557 return nm->icmp_timeout;
561 nat64_set_tcp_timeouts (u32 trans, u32 est, u32 incoming_syn)
563 nat64_main_t *nm = &nat64_main;
566 nm->tcp_trans_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
568 nm->tcp_trans_timeout = trans;
571 nm->tcp_est_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
573 nm->tcp_est_timeout = est;
575 if (incoming_syn == 0)
576 nm->tcp_incoming_syn_timeout = SNAT_TCP_INCOMING_SYN;
578 nm->tcp_incoming_syn_timeout = incoming_syn;
584 nat64_get_tcp_trans_timeout (void)
586 nat64_main_t *nm = &nat64_main;
588 return nm->tcp_trans_timeout;
592 nat64_get_tcp_est_timeout (void)
594 nat64_main_t *nm = &nat64_main;
596 return nm->tcp_est_timeout;
600 nat64_get_tcp_incoming_syn_timeout (void)
602 nat64_main_t *nm = &nat64_main;
604 return nm->tcp_incoming_syn_timeout;
608 nat64_session_reset_timeout (nat64_db_st_entry_t * ste, vlib_main_t * vm)
610 nat64_main_t *nm = &nat64_main;
611 u32 now = (u32) vlib_time_now (vm);
613 switch (ip_proto_to_snat_proto (ste->proto))
615 case SNAT_PROTOCOL_ICMP:
616 ste->expire = now + nm->icmp_timeout;
618 case SNAT_PROTOCOL_TCP:
620 switch (ste->tcp_state)
622 case NAT64_TCP_STATE_V4_INIT:
623 case NAT64_TCP_STATE_V6_INIT:
624 case NAT64_TCP_STATE_V4_FIN_RCV:
625 case NAT64_TCP_STATE_V6_FIN_RCV:
626 case NAT64_TCP_STATE_V6_FIN_V4_FIN_RCV:
627 case NAT64_TCP_STATE_TRANS:
628 ste->expire = now + nm->tcp_trans_timeout;
630 case NAT64_TCP_STATE_ESTABLISHED:
631 ste->expire = now + nm->tcp_est_timeout;
637 case SNAT_PROTOCOL_UDP:
638 ste->expire = now + nm->udp_timeout;
641 ste->expire = now + nm->udp_timeout;
647 nat64_tcp_session_set_state (nat64_db_st_entry_t * ste, tcp_header_t * tcp,
650 switch (ste->tcp_state)
652 case NAT64_TCP_STATE_CLOSED:
654 if (tcp->flags & TCP_FLAG_SYN)
657 ste->tcp_state = NAT64_TCP_STATE_V6_INIT;
659 ste->tcp_state = NAT64_TCP_STATE_V4_INIT;
663 case NAT64_TCP_STATE_V4_INIT:
665 if (is_ip6 && (tcp->flags & TCP_FLAG_SYN))
666 ste->tcp_state = NAT64_TCP_STATE_ESTABLISHED;
669 case NAT64_TCP_STATE_V6_INIT:
671 if (!is_ip6 && (tcp->flags & TCP_FLAG_SYN))
672 ste->tcp_state = NAT64_TCP_STATE_ESTABLISHED;
675 case NAT64_TCP_STATE_ESTABLISHED:
677 if (tcp->flags & TCP_FLAG_FIN)
680 ste->tcp_state = NAT64_TCP_STATE_V6_FIN_RCV;
682 ste->tcp_state = NAT64_TCP_STATE_V4_FIN_RCV;
684 else if (tcp->flags & TCP_FLAG_RST)
686 ste->tcp_state = NAT64_TCP_STATE_TRANS;
690 case NAT64_TCP_STATE_V4_FIN_RCV:
692 if (is_ip6 && (tcp->flags & TCP_FLAG_FIN))
693 ste->tcp_state = NAT64_TCP_STATE_V6_FIN_V4_FIN_RCV;
696 case NAT64_TCP_STATE_V6_FIN_RCV:
698 if (!is_ip6 && (tcp->flags & TCP_FLAG_FIN))
699 ste->tcp_state = NAT64_TCP_STATE_V6_FIN_V4_FIN_RCV;
702 case NAT64_TCP_STATE_TRANS:
704 if (!(tcp->flags & TCP_FLAG_RST))
705 ste->tcp_state = NAT64_TCP_STATE_ESTABLISHED;
714 nat64_add_del_prefix (ip6_address_t * prefix, u8 plen, u32 vrf_id, u8 is_add)
716 nat64_main_t *nm = &nat64_main;
717 nat64_prefix_t *p = 0;
720 /* Verify prefix length */
721 if (plen != 32 && plen != 40 && plen != 48 && plen != 56 && plen != 64
723 return VNET_API_ERROR_INVALID_VALUE;
725 /* Check if tenant already have prefix */
726 for (i = 0; i < vec_len (nm->pref64); i++)
728 if (nm->pref64[i].vrf_id == vrf_id)
739 vec_add2 (nm->pref64, p, 1);
741 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, vrf_id,
742 FIB_SOURCE_PLUGIN_HI);
746 p->prefix.as_u64[0] = prefix->as_u64[0];
747 p->prefix.as_u64[1] = prefix->as_u64[1];
753 return VNET_API_ERROR_NO_SUCH_ENTRY;
755 vec_del1 (nm->pref64, i);
762 nat64_prefix_walk (nat64_prefix_walk_fn_t fn, void *ctx)
764 nat64_main_t *nm = &nat64_main;
765 nat64_prefix_t *p = 0;
768 vec_foreach (p, nm->pref64)
777 nat64_compose_ip6 (ip6_address_t * ip6, ip4_address_t * ip4, u32 fib_index)
779 nat64_main_t *nm = &nat64_main;
780 nat64_prefix_t *p, *gp = 0, *prefix = 0;
783 vec_foreach (p, nm->pref64)
785 if (p->fib_index == fib_index)
791 if (p->fib_index == 0)
801 clib_memcpy (ip6, &p->prefix, sizeof (ip6_address_t));
805 ip6->as_u32[1] = ip4->as_u32;
808 ip6->as_u8[5] = ip4->as_u8[0];
809 ip6->as_u8[6] = ip4->as_u8[1];
810 ip6->as_u8[7] = ip4->as_u8[2];
811 ip6->as_u8[9] = ip4->as_u8[3];
814 ip6->as_u8[6] = ip4->as_u8[0];
815 ip6->as_u8[7] = ip4->as_u8[1];
816 ip6->as_u8[9] = ip4->as_u8[2];
817 ip6->as_u8[10] = ip4->as_u8[3];
820 ip6->as_u8[7] = ip4->as_u8[0];
821 ip6->as_u8[9] = ip4->as_u8[1];
822 ip6->as_u8[10] = ip4->as_u8[2];
823 ip6->as_u8[11] = ip4->as_u8[3];
826 ip6->as_u8[9] = ip4->as_u8[0];
827 ip6->as_u8[10] = ip4->as_u8[1];
828 ip6->as_u8[11] = ip4->as_u8[2];
829 ip6->as_u8[12] = ip4->as_u8[3];
832 ip6->as_u32[3] = ip4->as_u32;
835 clib_warning ("invalid prefix length");
841 clib_memcpy (ip6, well_known_prefix, sizeof (ip6_address_t));
842 ip6->as_u32[3] = ip4->as_u32;
847 nat64_extract_ip4 (ip6_address_t * ip6, ip4_address_t * ip4, u32 fib_index)
849 nat64_main_t *nm = &nat64_main;
850 nat64_prefix_t *p, *gp = 0;
854 vec_foreach (p, nm->pref64)
856 if (p->fib_index == fib_index)
878 ip4->as_u32 = ip6->as_u32[1];
881 ip4->as_u8[0] = ip6->as_u8[5];
882 ip4->as_u8[1] = ip6->as_u8[6];
883 ip4->as_u8[2] = ip6->as_u8[7];
884 ip4->as_u8[3] = ip6->as_u8[9];
887 ip4->as_u8[0] = ip6->as_u8[6];
888 ip4->as_u8[1] = ip6->as_u8[7];
889 ip4->as_u8[2] = ip6->as_u8[9];
890 ip4->as_u8[3] = ip6->as_u8[10];
893 ip4->as_u8[0] = ip6->as_u8[7];
894 ip4->as_u8[1] = ip6->as_u8[9];
895 ip4->as_u8[2] = ip6->as_u8[10];
896 ip4->as_u8[3] = ip6->as_u8[11];
899 ip4->as_u8[0] = ip6->as_u8[9];
900 ip4->as_u8[1] = ip6->as_u8[10];
901 ip4->as_u8[2] = ip6->as_u8[11];
902 ip4->as_u8[3] = ip6->as_u8[12];
905 ip4->as_u32 = ip6->as_u32[3];
908 clib_warning ("invalid prefix length");
914 * @brief The 'nat64-expire-walk' process's main loop.
916 * Check expire time for NAT64 sessions.
919 nat64_expire_walk_fn (vlib_main_t * vm, vlib_node_runtime_t * rt,
922 nat64_main_t *nm = &nat64_main;
924 while (!nm->is_disabled)
926 vlib_process_wait_for_event_or_clock (vm, 10.0);
927 vlib_process_get_events (vm, NULL);
928 u32 now = (u32) vlib_time_now (vm);
930 nad64_db_st_free_expired (&nm->db, now);
936 static vlib_node_registration_t nat64_expire_walk_node;
939 VLIB_REGISTER_NODE (nat64_expire_walk_node, static) = {
940 .function = nat64_expire_walk_fn,
941 .type = VLIB_NODE_TYPE_PROCESS,
942 .name = "nat64-expire-walk",
947 * fd.io coding-style-patch-verification: ON
950 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob