X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Fnat.c;h=364d5f5ce94cd3a3c0efc7d0b82190731fa2ed51;hp=ae34f235a3d8762e8dd0e95047dc3d3257b99632;hb=878c646a;hpb=70a26ac05f2ab9d4cc0669599b09f654de580f36 diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c index ae34f235a3d..364d5f5ce94 100755 --- a/src/plugins/nat/nat.c +++ b/src/plugins/nat/nat.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -44,7 +45,8 @@ VNET_FEATURE_INIT (ip4_snat_in2out, static) = { VNET_FEATURE_INIT (ip4_snat_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_nat_classify, static) = { .arc_name = "ip4-unicast", @@ -59,13 +61,30 @@ VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = { VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-det-out2in", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_nat_det_classify, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-det-classify", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-in2out", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), +}; +VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-out2in", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), +}; +VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-classify", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), +}; VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-in2out-worker-handoff", @@ -74,7 +93,8 @@ VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = { VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in-worker-handoff", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = { .arc_name = "ip4-unicast", @@ -89,13 +109,19 @@ VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = { VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-out2in-fast", - .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa", + "ip4-dhcp-client-detect"), }; VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = { .arc_name = "ip4-unicast", .node_name = "nat44-hairpin-dst", .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = { + .arc_name = "ip4-unicast", + .node_name = "nat44-ed-hairpin-dst", + .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"), +}; /* Hook up output features */ VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = { @@ -113,6 +139,16 @@ VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = { .node_name = "nat44-hairpin-src", .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = { + .arc_name = "ip4-output", + .node_name = "nat44-ed-in2out-output", + .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"), +}; +VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = { + .arc_name = "ip4-output", + .node_name = "nat44-ed-hairpin-src", + .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"), +}; /* Hook up ip4-local features */ VNET_FEATURE_INIT (ip4_nat_hairpinning, static) = @@ -121,6 +157,12 @@ VNET_FEATURE_INIT (ip4_nat_hairpinning, static) = .node_name = "nat44-hairpinning", .runs_before = VNET_FEATURES("ip4-local-end-of-arc"), }; +VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) = +{ + .arc_name = "ip4-local", + .node_name = "nat44-ed-hairpinning", + .runs_before = VNET_FEATURES("ip4-local-end-of-arc"), +}; /* *INDENT-OFF* */ @@ -131,6 +173,7 @@ VLIB_PLUGIN_REGISTER () = { /* *INDENT-ON* */ vlib_node_registration_t nat44_classify_node; +vlib_node_registration_t nat44_ed_classify_node; vlib_node_registration_t nat44_det_classify_node; vlib_node_registration_t nat44_handoff_classify_node; @@ -147,8 +190,6 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) clib_bihash_kv_8_8_t kv; nat_ed_ses_key_t ed_key; clib_bihash_kv_16_8_t ed_kv; - int i; - snat_address_t *a; snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, thread_index); @@ -162,12 +203,12 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) ed_key.fib_index = 0; ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &ed_kv, 0)) - clib_warning ("in2out_ed key del failed"); + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)) + nat_log_warn ("in2out_ed key del failed"); return; } - /* Endpoint dependent session lookup tables */ + /* session lookup tables */ if (is_ed_session (s)) { ed_key.l_addr = s->out2in.addr; @@ -187,8 +228,8 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) } ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0)) - clib_warning ("out2in_ed key del failed"); + if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0)) + nat_log_warn ("out2in_ed key del failed"); ed_key.l_addr = s->in2out.addr; ed_key.fib_index = s->in2out.fib_index; @@ -201,8 +242,17 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) } ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &ed_kv, 0)) - clib_warning ("in2out_ed key del failed"); + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)) + nat_log_warn ("in2out_ed key del failed"); + } + else + { + kv.key = s->in2out.as_u64; + if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0)) + nat_log_warn ("in2out key del failed"); + kv.key = s->out2in.as_u64; + if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0)) + nat_log_warn ("out2in key del failed"); } if (snat_is_unk_proto_session (s)) @@ -219,37 +269,19 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) /* Twice NAT address and port for external host */ if (is_twice_nat_session (s)) { - for (i = 0; i < vec_len (sm->twice_nat_addresses); i++) - { - key.protocol = s->in2out.protocol; - key.port = s->ext_host_nat_port; - a = sm->twice_nat_addresses + i; - if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32) - { - snat_free_outside_address_and_port (sm->twice_nat_addresses, - thread_index, &key, i); - break; - } - } + key.protocol = s->in2out.protocol; + key.port = s->ext_host_nat_port; + key.addr.as_u32 = s->ext_host_nat_addr.as_u32; + snat_free_outside_address_and_port (sm->twice_nat_addresses, + thread_index, &key); } - if (is_ed_session (s)) - return; - - /* Session lookup tables */ - kv.key = s->in2out.as_u64; - if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0)) - clib_warning ("in2out key del failed"); - kv.key = s->out2in.as_u64; - if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0)) - clib_warning ("out2in key del failed"); - if (snat_is_session_static (s)) return; if (s->outside_address_index != ~0) snat_free_outside_address_and_port (sm->addresses, thread_index, - &s->out2in, s->outside_address_index); + &s->out2in); } snat_user_t * @@ -286,7 +318,7 @@ nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index, /* add user */ if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1)) - clib_warning ("user_hash keay add failed"); + nat_log_warn ("user_hash keay add failed"); } else { @@ -366,15 +398,71 @@ nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index) return s; } +snat_session_t * +nat_ed_session_alloc (snat_main_t *sm, snat_user_t *u, u32 thread_index) +{ + snat_session_t *s; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + dlist_elt_t * per_user_translation_list_elt; + + if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user) + { + nat_log_warn ("max translations per user %U", format_ip4_address, &u->addr); + snat_ipfix_logging_max_entries_per_user (sm->max_translations_per_user, + u->addr.as_u32); + return 0; + } + + pool_get (tsm->sessions, s); + memset (s, 0, sizeof (*s)); + s->outside_address_index = ~0; + + /* Create list elts */ + pool_get (tsm->list_pool, per_user_translation_list_elt); + clib_dlist_init (tsm->list_pool, + per_user_translation_list_elt - tsm->list_pool); + + per_user_translation_list_elt->value = s - tsm->sessions; + s->per_user_index = per_user_translation_list_elt - tsm->list_pool; + s->per_user_list_head_index = u->sessions_per_user_list_head_index; + + clib_dlist_addtail (tsm->list_pool, + s->per_user_list_head_index, + per_user_translation_list_elt - tsm->list_pool); + + return s; +} + +typedef struct { + u8 next_in2out; +} nat44_classify_trace_t; + +static u8 * format_nat44_classify_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *); + char *next; + + next = t->next_in2out ? "nat44-in2out" : "nat44-out2in"; + + s = format (s, "nat44-classify: next %s", next); + + return s; +} + static inline uword nat44_classify_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_frame_t * frame, + int is_ed) { u32 n_left_from, * from, * to_next; nat44_classify_next_t next_index; snat_main_t *sm = &snat_main; snat_static_mapping_t *m; + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; @@ -391,11 +479,13 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, { u32 bi0; vlib_buffer_t *b0; - u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT; + u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT, sw_if_index0, rx_fib_index0; ip4_header_t *ip0; snat_address_t *ap; snat_session_key_t m_key0; clib_bihash_kv_8_8_t kv0, value0; + clib_bihash_kv_16_8_t ed_kv0, ed_value0; + udp_header_t *udp0; /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; @@ -407,6 +497,20 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, b0 = vlib_get_buffer (vm, bi0); ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + + if (is_ed) + { + sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + make_ed_kv (&ed_kv0, &ip0->src_address, &ip0->dst_address, + ip0->protocol, rx_fib_index0, udp0->src_port, + udp0->dst_port); + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0, &ed_value0)) + goto enqueue0; + } vec_foreach (ap, sm->addresses) { @@ -422,7 +526,7 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, m_key0.addr = ip0->dst_address; m_key0.port = 0; m_key0.protocol = 0; - m_key0.fib_index = sm->outside_fib_index; + m_key0.fib_index = 0; kv0.key = m_key0.as_u64; if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv0, &value0)) { @@ -431,7 +535,6 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, next0 = NAT44_CLASSIFY_NEXT_OUT2IN; goto enqueue0; } - udp_header_t * udp0 = ip4_next_header (ip0); m_key0.port = clib_net_to_host_u16 (udp0->dst_port); m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol); kv0.key = m_key0.as_u64; @@ -444,6 +547,14 @@ nat44_classify_node_fn_inline (vlib_main_t * vm, } enqueue0: + if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_classify_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 1 : 0; + } + /* verify speculative enqueue, maybe switch current next frame */ vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, @@ -461,13 +572,14 @@ nat44_classify_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return nat44_classify_node_fn_inline (vm, node, frame); + return nat44_classify_node_fn_inline (vm, node, frame, 0); }; VLIB_REGISTER_NODE (nat44_classify_node) = { .function = nat44_classify_node_fn, .name = "nat44-classify", .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, .type = VLIB_NODE_TYPE_INTERNAL, .n_next_nodes = NAT44_CLASSIFY_N_NEXT, .next_nodes = { @@ -478,19 +590,43 @@ VLIB_REGISTER_NODE (nat44_classify_node) = { VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node, nat44_classify_node_fn); +static uword +nat44_ed_classify_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_classify_node_fn_inline (vm, node, frame, 1); +}; + +VLIB_REGISTER_NODE (nat44_ed_classify_node) = { + .function = nat44_ed_classify_node_fn, + .name = "nat44-ed-classify", + .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_next_nodes = NAT44_CLASSIFY_N_NEXT, + .next_nodes = { + [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-ed-in2out", + [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-ed-out2in", + }, +}; + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_classify_node, + nat44_ed_classify_node_fn); static uword nat44_det_classify_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return nat44_classify_node_fn_inline (vm, node, frame); + return nat44_classify_node_fn_inline (vm, node, frame, 0); }; VLIB_REGISTER_NODE (nat44_det_classify_node) = { .function = nat44_det_classify_node_fn, .name = "nat44-det-classify", .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, .type = VLIB_NODE_TYPE_INTERNAL, .n_next_nodes = NAT44_CLASSIFY_N_NEXT, .next_nodes = { @@ -507,13 +643,14 @@ nat44_handoff_classify_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { - return nat44_classify_node_fn_inline (vm, node, frame); + return nat44_classify_node_fn_inline (vm, node, frame, 0); }; VLIB_REGISTER_NODE (nat44_handoff_classify_node) = { .function = nat44_handoff_classify_node_fn, .name = "nat44-handoff-classify", .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, .type = VLIB_NODE_TYPE_INTERNAL, .n_next_nodes = NAT44_CLASSIFY_N_NEXT, .next_nodes = { @@ -570,18 +707,21 @@ snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index, FIB_SOURCE_PLUGIN_LOW); } -void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, +int snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, u8 twice_nat) { snat_address_t * ap; snat_interface_t *i; vlib_thread_main_t *tm = vlib_get_thread_main (); + if (twice_nat && !sm->endpoint_dependent) + return VNET_API_ERROR_FEATURE_DISABLED; + /* Check if address already exists */ vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses) { if (ap->addr.as_u32 == addr->as_u32) - return; + return VNET_API_ERROR_VALUE_EXIST; } if (twice_nat) @@ -604,7 +744,7 @@ void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, #undef _ if (twice_nat) - return; + return 0; /* Add external address to FIB */ pool_foreach (i, sm->interfaces, @@ -623,6 +763,8 @@ void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1); break; })); + + return 0; } static int is_snat_address_used_in_static_mapping (snat_main_t *sm, @@ -720,6 +862,12 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, snat_session_t * s; snat_static_map_resolve_t *rp, *rp_match = 0; + if (!sm->endpoint_dependent) + { + if (twice_nat || out2in_only) + return VNET_API_ERROR_FEATURE_DISABLED; + } + /* If the external address is a specific interface address */ if (sw_if_index != ~0) { @@ -728,14 +876,14 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, for (i = 0; i < vec_len (sm->to_resolve); i++) { rp = sm->to_resolve + i; - if (rp->sw_if_index != sw_if_index && - rp->l_addr.as_u32 != l_addr.as_u32 && - rp->vrf_id != vrf_id && rp->addr_only != addr_only) + if (rp->sw_if_index != sw_if_index || + rp->l_addr.as_u32 != l_addr.as_u32 || + rp->vrf_id != vrf_id || rp->addr_only != addr_only) continue; if (!addr_only) { - if (rp->l_port != l_port && rp->e_port != e_port && rp->proto != proto) + if (rp->l_port != l_port || rp->e_port != e_port || rp->proto != proto) continue; } @@ -791,7 +939,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, m_key.addr = e_addr; m_key.port = addr_only ? 0 : e_port; m_key.protocol = addr_only ? 0 : proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) m = 0; @@ -858,7 +1006,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -905,13 +1053,13 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, m->proto = proto; } - if (sm->workers) + if (sm->num_workers > 1) { ip4_header_t ip = { .src_address = m->local_addr, }; - m->worker_index = sm->worker_in2out_cb (&ip, m->fib_index); - tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index); + vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index)); + tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); } else tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); @@ -924,29 +1072,13 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, kv.value = m - sm->static_mappings; if (!out2in_only) clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (m->local_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1)) - clib_warning ("in2out key add failed"); - } m_key.addr = m->external_addr; m_key.port = m->external_port; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; kv.value = m - sm->static_mappings; clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (e_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1)) - clib_warning ("out2in key add failed"); - } /* Delete dynamic sessions matching local address (+ local port) */ if (!(sm->static_mapping_only)) @@ -978,12 +1110,9 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, continue; nat_free_session_data (sm, s, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put_index (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); - u->nsessions--; + nat44_delete_session (sm, s, tsm - sm->per_thread_data); - if (!addr_only) + if (!addr_only && !sm->endpoint_dependent) break; } } @@ -1022,7 +1151,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -1031,7 +1160,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, } if (sm->num_workers > 1) - tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index); + tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); else tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); @@ -1042,28 +1171,12 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, kv.key = m_key.as_u64; if (!out2in_only) clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (m->local_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0)) - clib_warning ("in2out key del failed"); - } m_key.addr = m->external_addr; m_key.port = m->external_port; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0); - if (twice_nat || out2in_only) - { - m_key.port = clib_host_to_net_u16 (m->external_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0)) - clib_warning ("out2in key del failed"); - } /* Delete session(s) for static mapping if exist */ if (!(sm->static_mapping_only) || @@ -1091,7 +1204,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, if (!addr_only) { - if ((s->out2in.addr.as_u32 != e_addr.as_u32) && + if ((s->out2in.addr.as_u32 != e_addr.as_u32) || (clib_net_to_host_u16 (s->out2in.port) != e_port)) continue; } @@ -1103,24 +1216,17 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, continue; nat_free_session_data (sm, s, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put_index (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); - u->nstaticsessions--; + nat44_delete_session (sm, s, tsm - sm->per_thread_data); - if (!addr_only) + if (!addr_only && !sm->endpoint_dependent) break; } - if (addr_only && (u->nstaticsessions == 0)) - { - pool_put (tsm->users, u); - clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 0); - } } } } vec_free (m->tag); + vec_free (m->workers); /* Delete static mapping from pool */ pool_put (sm->static_mappings, m); } @@ -1149,35 +1255,8 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, return 0; } -static int lb_local_exists (nat44_lb_addr_port_t * local, - ip4_address_t * e_addr, u16 e_port) -{ - snat_main_t *sm = &snat_main; - snat_static_mapping_t *m; - nat44_lb_addr_port_t *ap; - - /* *INDENT-OFF* */ - pool_foreach (m, sm->static_mappings, - ({ - if (vec_len(m->locals)) - { - if (m->external_port == e_port && m->external_addr.as_u32 == e_addr->as_u32) - continue; - - vec_foreach (ap, m->locals) - { - if (ap->port == local->port && ap->addr.as_u32 == local->addr.as_u32) - return 1; - } - } - })); - /* *INDENT-ON* */ - - return 0; -} - int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, - snat_protocol_t proto, u32 vrf_id, + snat_protocol_t proto, nat44_lb_addr_port_t *locals, u8 is_add, twice_nat_type_t twice_nat, u8 out2in_only, u8 *tag) @@ -1186,21 +1265,24 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, snat_static_mapping_t *m; snat_session_key_t m_key; clib_bihash_kv_8_8_t kv, value; - u32 fib_index; snat_address_t *a = 0; int i; nat44_lb_addr_port_t *local; - u32 worker_index = 0, elt_index, head_index, ses_index; + u32 elt_index, head_index, ses_index; snat_main_per_thread_data_t *tsm; snat_user_key_t u_key; snat_user_t *u; snat_session_t * s; dlist_elt_t * head, * elt; + uword *bitmap = 0; + + if (!sm->endpoint_dependent) + return VNET_API_ERROR_FEATURE_DISABLED; m_key.addr = e_addr; m_key.port = e_port; m_key.protocol = proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) m = 0; @@ -1215,10 +1297,6 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, if (vec_len (locals) < 2) return VNET_API_ERROR_INVALID_VALUE; - fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, - vrf_id, - FIB_SOURCE_PLUGIN_LOW); - /* Find external address in allocated addresses and reserve port for address and port pair mapping when dynamic translations enabled */ if (!(sm->static_mapping_only || out2in_only)) @@ -1245,7 +1323,7 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -1261,8 +1339,6 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, m->tag = vec_dup (tag); m->external_addr = e_addr; m->addr_only = 0; - m->vrf_id = vrf_id; - m->fib_index = fib_index; m->external_port = e_port; m->proto = proto; m->twice_nat = twice_nat; @@ -1271,39 +1347,22 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, m_key.addr = m->external_addr; m_key.port = m->external_port; m_key.protocol = m->proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; kv.value = m - sm->static_mappings; if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1)) { - clib_warning ("static_mapping_by_external key add failed"); - return VNET_API_ERROR_UNSPECIFIED; - } - - /* Assign worker */ - if (sm->workers) - { - worker_index = sm->first_worker_index + - sm->workers[sm->next_worker++ % vec_len (sm->workers)]; - tsm = vec_elt_at_index (sm->per_thread_data, worker_index); - m->worker_index = worker_index; - } - else - tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); - - m_key.port = clib_host_to_net_u16 (m->external_port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1)) - { - clib_warning ("out2in key add failed"); + nat_log_err ("static_mapping_by_external key add failed"); return VNET_API_ERROR_UNSPECIFIED; } m_key.fib_index = m->fib_index; for (i = 0; i < vec_len (locals); i++) { + locals[i].fib_index = fib_table_find_or_create_and_lock ( + FIB_PROTOCOL_IP4, locals[i].vrf_id, FIB_SOURCE_PLUGIN_LOW); m_key.addr = locals[i].addr; + m_key.fib_index = locals[i].fib_index; if (!out2in_only) { m_key.port = locals[i].port; @@ -1314,24 +1373,30 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, locals[i].prefix = (i == 0) ? locals[i].probability :\ (locals[i - 1].prefix + locals[i].probability); vec_add1 (m->locals, locals[i]); - - m_key.port = clib_host_to_net_u16 (locals[i].port); - kv.key = m_key.as_u64; - kv.value = ~0ULL; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1)) + if (sm->num_workers > 1) { - clib_warning ("in2out key add failed"); - return VNET_API_ERROR_UNSPECIFIED; + ip4_header_t ip = { + .src_address = locals[i].addr, + }; + bitmap = clib_bitmap_set ( + bitmap, sm->worker_in2out_cb (&ip, m->fib_index), 1); } } + + /* Assign workers */ + if (sm->num_workers > 1) + { + clib_bitmap_foreach (i, bitmap, + ({ + vec_add1(m->workers, i); + })); + } } else { if (!m) return VNET_API_ERROR_NO_SUCH_ENTRY; - fib_table_unlock (m->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_LOW); - /* Free external address port */ if (!(sm->static_mapping_only || out2in_only)) { @@ -1354,7 +1419,7 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return VNET_API_ERROR_INVALID_VALUE_2; } break; @@ -1362,51 +1427,45 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, } } - tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index); m_key.addr = m->external_addr; m_key.port = m->external_port; m_key.protocol = m->proto; - m_key.fib_index = sm->outside_fib_index; + m_key.fib_index = 0; kv.key = m_key.as_u64; if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0)) { - clib_warning ("static_mapping_by_external key del failed"); - return VNET_API_ERROR_UNSPECIFIED; - } - - m_key.port = clib_host_to_net_u16 (m->external_port); - kv.key = m_key.as_u64; - if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0)) - { - clib_warning ("outi2in key del failed"); + nat_log_err ("static_mapping_by_external key del failed"); return VNET_API_ERROR_UNSPECIFIED; } vec_foreach (local, m->locals) { + fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4, + FIB_SOURCE_PLUGIN_LOW); m_key.addr = local->addr; if (!out2in_only) { m_key.port = local->port; - m_key.fib_index = m->fib_index; + m_key.fib_index = local->fib_index; kv.key = m_key.as_u64; if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0)) { - clib_warning ("static_mapping_by_local key del failed"); + nat_log_err ("static_mapping_by_local key del failed"); return VNET_API_ERROR_UNSPECIFIED; } } - if (!lb_local_exists(local, &e_addr, e_port)) + if (sm->num_workers > 1) { - m_key.port = clib_host_to_net_u16 (local->port); - kv.key = m_key.as_u64; - if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0)) - { - clib_warning ("in2out key del failed"); - return VNET_API_ERROR_UNSPECIFIED; - } + ip4_header_t ip = { + .src_address = local->addr, + }; + tsm = vec_elt_at_index (sm->per_thread_data, + sm->worker_in2out_cb (&ip, m->fib_index)); } + else + tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); + /* Delete sessions */ u_key.addr = local->addr; u_key.fib_index = m->fib_index; @@ -1430,21 +1489,19 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, if (!(is_lb_session (s))) continue; - if ((s->in2out.addr.as_u32 != local->addr.as_u32) && + if ((s->in2out.addr.as_u32 != local->addr.as_u32) || (clib_net_to_host_u16 (s->in2out.port) != local->port)) continue; nat_free_session_data (sm, s, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put_index (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); - u->nstaticsessions--; + nat44_delete_session (sm, s, tsm - sm->per_thread_data); } } } } vec_free(m->locals); vec_free(m->tag); + vec_free(m->workers); pool_put (sm->static_mappings, m); } @@ -1459,9 +1516,6 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, snat_address_t *a = 0; snat_session_t *ses; u32 *ses_to_be_removed = 0, *ses_index; - clib_bihash_kv_8_8_t kv, value; - snat_user_key_t user_key; - snat_user_t *u; snat_main_per_thread_data_t *tsm; snat_static_mapping_t *m; snat_interface_t *interface; @@ -1497,7 +1551,7 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, /* Check if address is used in some static mapping */ if (is_snat_address_used_in_static_mapping(sm, addr)) { - clib_warning ("address used in static mapping"); + nat_log_notice ("address used in static mapping"); return VNET_API_ERROR_UNSPECIFIED; } } @@ -1516,25 +1570,15 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, { ses->outside_address_index = ~0; nat_free_session_data (sm, ses, tsm - sm->per_thread_data); - clib_dlist_remove (tsm->list_pool, ses->per_user_index); - pool_put_index (tsm->list_pool, ses->per_user_index); vec_add1 (ses_to_be_removed, ses - tsm->sessions); - user_key.addr = ses->in2out.addr; - user_key.fib_index = ses->in2out.fib_index; - kv.key = user_key.as_u64; - if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) - { - u = pool_elt_at_index (tsm->users, value.value); - if (snat_is_session_static (ses)) - u->nstaticsessions--; - else - u->nsessions--; - } } })); vec_foreach (ses_index, ses_to_be_removed) - pool_put_index (tsm->sessions, ses_index[0]); + { + ses = pool_elt_at_index (tsm->sessions, ses_index[0]); + nat44_delete_session (sm, ses, tsm - sm->per_thread_data); + } vec_free (ses_to_be_removed); } @@ -1577,6 +1621,9 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) snat_address_t * ap; snat_static_mapping_t * m; snat_det_map_t * dm; + nat_outside_fib_t *outside_fib; + u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index); if (sm->out2in_dpo && !is_inside) return VNET_API_ERROR_UNSUPPORTED; @@ -1595,16 +1642,45 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) feature_name = is_inside ? "nat44-in2out-worker-handoff" : "nat44-out2in-worker-handoff"; else if (sm->deterministic) feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in"; + else if (sm->endpoint_dependent) + feature_name = is_inside ? "nat44-ed-in2out" : "nat44-ed-out2in"; else feature_name = is_inside ? "nat44-in2out" : "nat44-out2in"; } if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1) - sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, 0); + sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, + NAT_FQ_NELTS); if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1) - sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0); + sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, + NAT_FQ_NELTS); + if (!is_inside) + { + vec_foreach (outside_fib, sm->outside_fibs) + { + if (outside_fib->fib_index == fib_index) + { + if (is_del) + { + outside_fib->refcount--; + if (!outside_fib->refcount) + vec_del1 (sm->outside_fibs, outside_fib - sm->outside_fibs); + } + else + outside_fib->refcount++; + goto feature_set; + } + } + if (!is_del) + { + vec_add2 (sm->outside_fibs, outside_fib, 1); + outside_fib->refcount = 1; + outside_fib->fib_index = fib_index; + } + } +feature_set: pool_foreach (i, sm->interfaces, ({ if (i->sw_if_index == sw_if_index) @@ -1630,6 +1706,12 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) feature_name = !is_inside ? "nat44-det-in2out" : "nat44-det-out2in"; } + else if (sm->endpoint_dependent) + { + del_feature_name = "nat44-ed-classify"; + feature_name = !is_inside ? "nat44-ed-in2out" : + "nat44-ed-out2in"; + } else { del_feature_name = "nat44-classify"; @@ -1641,8 +1723,16 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); if (!is_inside) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 1, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", + "nat44-ed-hairpinning", + sw_if_index, 1, 0, 0); + else if (!sm->deterministic) + vnet_feature_enable_disable ("ip4-local", + "nat44-hairpinning", + sw_if_index, 1, 0, 0); + } } else { @@ -1650,8 +1740,16 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) sw_if_index, 0, 0, 0); pool_put (sm->interfaces, i); if (is_inside) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 0, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", + "nat44-ed-hairpinning", + sw_if_index, 0, 0, 0); + else if (!sm->deterministic) + vnet_feature_enable_disable ("ip4-local", + "nat44-hairpinning", + sw_if_index, 0, 0, 0); + } } } else @@ -1672,6 +1770,12 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) "nat44-det-out2in"; feature_name = "nat44-det-classify"; } + else if (sm->endpoint_dependent) + { + del_feature_name = !is_inside ? "nat44-ed-in2out" : + "nat44-ed-out2in"; + feature_name = "nat44-ed-classify"; + } else { del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in"; @@ -1683,8 +1787,14 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); if (!is_inside) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 0, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning", + sw_if_index, 0, 0, 0); + else if (!sm->deterministic) + vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", + sw_if_index, 0, 0, 0); + } goto set_flags; } @@ -1701,8 +1811,14 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); if (is_inside && !sm->out2in_dpo) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 1, 0, 0); + { + if (sm->endpoint_dependent) + vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning", + sw_if_index, 1, 0, 0); + else if (!sm->deterministic) + vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", + sw_if_index, 1, 0, 0); + } set_flags: if (is_inside) @@ -1755,16 +1871,27 @@ int snat_interface_add_del_output_feature (u32 sw_if_index, if (is_inside) { - vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst", - sw_if_index, !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src", - sw_if_index, !is_del, 0, 0); + if (sm->endpoint_dependent) + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src", + sw_if_index, !is_del, 0, 0); + } + else + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src", + sw_if_index, !is_del, 0, 0); + } goto fq; } if (sm->num_workers > 1) { - vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in-worker-handoff", + vnet_feature_enable_disable ("ip4-unicast", + "nat44-out2in-worker-handoff", sw_if_index, !is_del, 0, 0); vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output-worker-handoff", @@ -1772,10 +1899,20 @@ int snat_interface_add_del_output_feature (u32 sw_if_index, } else { - vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", sw_if_index, - !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output", - sw_if_index, !is_del, 0, 0); + if (sm->endpoint_dependent) + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-out2in", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output", + sw_if_index, !is_del, 0, 0); + } + else + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output", + sw_if_index, !is_del, 0, 0); + } } fq: @@ -1894,6 +2031,7 @@ static clib_error_t * snat_init (vlib_main_t * vm) uword *bitmap = 0; u32 i; ip4_add_del_interface_address_callback_t cb4; + vlib_node_t * error_drop_node; sm->vlib_main = vm; sm->vnet_main = vnet_get_main(); @@ -1901,7 +2039,6 @@ static clib_error_t * snat_init (vlib_main_t * vm) sm->ip4_lookup_main = lm; sm->api_main = &api_main; sm->first_worker_index = 0; - sm->next_worker = 0; sm->num_workers = 0; sm->num_snat_thread = 1; sm->workers = 0; @@ -1914,6 +2051,9 @@ static clib_error_t * snat_init (vlib_main_t * vm) sm->icmp_timeout = SNAT_ICMP_TIMEOUT; sm->alloc_addr_and_port = nat_alloc_addr_and_port_default; sm->forwarding_enabled = 0; + sm->log_class = vlib_log_register_class ("nat", 0); + error_drop_node = vlib_get_node_by_name (vm, (u8 *) "error-drop"); + sm->error_node_index = error_drop_node->index; p = hash_get_mem (tm->thread_registrations_by_name, "workers"); if (p) @@ -1978,12 +2118,18 @@ VLIB_INIT_FUNCTION (snat_init); void snat_free_outside_address_and_port (snat_address_t * addresses, u32 thread_index, - snat_session_key_t * k, - u32 address_index) + snat_session_key_t * k) { snat_address_t *a; + u32 address_index; u16 port_host_byte_order = clib_net_to_host_u16 (k->port); + for (address_index = 0; address_index < vec_len (addresses); address_index++) + { + if (addresses[address_index].addr.as_u32 == k->addr.as_u32) + break; + } + ASSERT (address_index < vec_len (addresses)); a = addresses + address_index; @@ -2002,7 +2148,7 @@ void snat_free_outside_address_and_port (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning("unknown_protocol"); + nat_log_info ("unknown protocol"); return; } } @@ -2035,13 +2181,16 @@ int snat_static_mapping_match (snat_main_t * sm, clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local; u32 rand, lo = 0, hi, mid; + m_key.fib_index = match.fib_index; if (by_external) - mapping_hash = &sm->static_mapping_by_external; + { + mapping_hash = &sm->static_mapping_by_external; + m_key.fib_index = 0; + } m_key.addr = match.addr; m_key.port = clib_net_to_host_u16 (match.port); m_key.protocol = match.protocol; - m_key.fib_index = match.fib_index; kv.key = m_key.as_u64; @@ -2061,6 +2210,7 @@ int snat_static_mapping_match (snat_main_t * sm, { if (vec_len (m->locals)) { +get_local: hi = vec_len (m->locals) - 1; rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix); while (lo < hi) @@ -2070,17 +2220,26 @@ int snat_static_mapping_match (snat_main_t * sm, } if (!(m->locals[lo].prefix >= rand)) return 1; + if (PREDICT_FALSE (sm->num_workers > 1)) + { + ip4_header_t ip = { + .src_address = m->locals[lo].addr, + }; + if (sm->worker_in2out_cb (&ip, m->fib_index) != vlib_get_thread_index ()) + goto get_local; + } mapping->addr = m->locals[lo].addr; mapping->port = clib_host_to_net_u16 (m->locals[lo].port); + mapping->fib_index = m->locals[lo].fib_index; } else { + mapping->fib_index = m->fib_index; mapping->addr = m->local_addr; /* Address only mapping doesn't change port */ mapping->port = m->addr_only ? match.port : clib_host_to_net_u16 (m->local_port); } - mapping->fib_index = m->fib_index; mapping->protocol = m->proto; } else @@ -2178,7 +2337,7 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning("unknown protocol"); + nat_log_info ("unknown protocol"); return 1; } @@ -2210,7 +2369,7 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning ("unknown protocol"); + nat_log_info ("unknown protocol"); return 1; } } @@ -2263,7 +2422,7 @@ nat_alloc_addr_and_port_mape (snat_address_t * addresses, foreach_snat_protocol #undef _ default: - clib_warning("unknown protocol"); + nat_log_info ("unknown protocol"); return 1; } @@ -2329,6 +2488,67 @@ format_snat_protocol (u8 * s, va_list * args) return s; } +u8 * format_snat_key (u8 * s, va_list * args); +u8 * format_static_mapping_key (u8 * s, va_list * args); + +u8 * +format_session_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *); + snat_session_key_t k; + + k.as_u64 = v->key; + + s = format (s, "%U session-index %llu", format_snat_key, &k, v->value); + + return s; +} + +u8 * +format_static_mapping_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *); + snat_session_key_t k; + + k.as_u64 = v->key; + + s = format (s, "%U static-mapping-index %llu", + format_static_mapping_key, &k, v->value); + + return s; +} + +u8 * +format_user_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_8_8_t *v = va_arg (*args, clib_bihash_kv_8_8_t *); + snat_user_key_t k; + + k.as_u64 = v->key; + + s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr, + k.fib_index, v->value); + + return s; +} + +u8 * +format_ed_session_kvp (u8 * s, va_list * args) +{ + clib_bihash_kv_16_8_t *v = va_arg (*args, clib_bihash_kv_16_8_t *); + nat_ed_ses_key_t k; + + k.as_u64[0] = v->key[0]; + k.as_u64[1] = v->key[1]; + + s = format (s, "local %U:%d remote %U:%d proto %U fib %d session-index %llu", + format_ip4_address, &k.l_addr, clib_net_to_host_u16 (k.l_port), + format_ip4_address, &k.r_addr, clib_net_to_host_u16 (k.r_port), + format_ip_protocol, k.proto, k.fib_index, v->value); + + return s; +} + static u32 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0) { @@ -2357,11 +2577,6 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) snat_session_key_t m_key; clib_bihash_kv_8_8_t kv, value; snat_static_mapping_t *m; - nat_ed_ses_key_t key; - clib_bihash_kv_16_8_t s_kv, s_value; - snat_main_per_thread_data_t *tsm; - snat_session_t *s; - int i; u32 proto; u32 next_worker_index = 0; @@ -2376,7 +2591,7 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) { m = pool_elt_at_index (sm->static_mappings, value.value); - return m->worker_index; + return m->workers[0]; } } @@ -2406,32 +2621,7 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) /* unknown protocol */ if (PREDICT_FALSE (proto == ~0)) { - key.l_addr = ip0->dst_address; - key.r_addr = ip0->src_address; - key.fib_index = rx_fib_index0; - key.proto = ip0->protocol; - key.r_port = 0; - key.l_port = 0; - s_kv.key[0] = key.as_u64[0]; - s_kv.key[1] = key.as_u64[1]; - - if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value)) - { - for (i = 0; i < _vec_len (sm->per_thread_data); i++) - { - tsm = vec_elt_at_index (sm->per_thread_data, i); - if (!pool_is_free_index(tsm->sessions, s_value.value)) - { - s = pool_elt_at_index (tsm->sessions, s_value.value); - if (s->out2in.addr.as_u32 == ip0->dst_address.as_u32 && - s->out2in.port == ip0->protocol && - snat_is_unk_proto_session (s)) - return i; - } - } - } - - /* if no session use current thread */ + /* use current thread */ return vlib_get_thread_index (); } @@ -2474,7 +2664,7 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) { m = pool_elt_at_index (sm->static_mappings, value.value); - return m->worker_index; + return m->workers[0]; } } @@ -2485,6 +2675,97 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) return next_worker_index; } +static u32 +nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index) +{ + snat_main_t *sm = &snat_main; + clib_bihash_kv_8_8_t kv, value; + u32 proto, next_worker_index = 0; + udp_header_t *udp; + u16 port; + snat_static_mapping_t *m; + u32 hash; + + /* first try static mappings without port */ + if (PREDICT_FALSE (pool_elts (sm->static_mappings))) + { + make_sm_kv (&kv, &ip->dst_address, 0, rx_fib_index, 0); + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + return m->workers[0]; + } + } + + proto = ip_proto_to_snat_proto (ip->protocol); + + /* unknown protocol */ + if (PREDICT_FALSE (proto == ~0)) + { + /* use current thread */ + return vlib_get_thread_index (); + } + + udp = ip4_next_header (ip); + port = udp->dst_port; + + if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP)) + { + icmp46_header_t * icmp = (icmp46_header_t *) udp; + icmp_echo_header_t *echo = (icmp_echo_header_t *)(icmp + 1); + if (!icmp_is_error_message (icmp)) + port = echo->identifier; + else + { + ip4_header_t *inner_ip = (ip4_header_t *)(echo + 1); + proto = ip_proto_to_snat_proto (inner_ip->protocol); + void *l4_header = ip4_next_header (inner_ip); + switch (proto) + { + case SNAT_PROTOCOL_ICMP: + icmp = (icmp46_header_t*)l4_header; + echo = (icmp_echo_header_t *)(icmp + 1); + port = echo->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + port = ((tcp_udp_header_t*)l4_header)->src_port; + break; + default: + return vlib_get_thread_index (); + } + } + } + + /* try static mappings with port */ + if (PREDICT_FALSE (pool_elts (sm->static_mappings))) + { + make_sm_kv (&kv, &ip->dst_address, proto, rx_fib_index, + clib_net_to_host_u16 (port)); + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + if (!vec_len(m->locals)) + return m->workers[0]; + + hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) + + (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >>24); + + if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers)))) + return m->workers[hash & (_vec_len (m->workers) - 1)]; + else + return m->workers[hash % _vec_len (m->workers)]; + } + } + + /* worker by outside port */ + next_worker_index = sm->first_worker_index; + next_worker_index += + sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread]; + + return next_worker_index; +} + static clib_error_t * snat_config (vlib_main_t * vm, unformat_input_t * input) { @@ -2511,6 +2792,7 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) sm->deterministic = 0; sm->out2in_dpo = 0; + sm->endpoint_dependent = 0; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { @@ -2558,11 +2840,25 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) sm->out2in_dpo = 1; else if (unformat (input, "dslite ce")) dslite_set_ce(dm, 1); + else if (unformat (input, "endpoint-dependent")) + sm->endpoint_dependent = 1; else return clib_error_return (0, "unknown input '%U'", format_unformat_error, input); } + if (sm->deterministic && sm->endpoint_dependent) + return clib_error_return ( + 0, "deterministic and endpoint-dependent modes are mutually exclusive"); + + if (static_mapping_only && (sm->deterministic || sm->endpoint_dependent)) + return clib_error_return ( + 0, "static mapping only mode available only for simple nat"); + + if (sm->out2in_dpo && (sm->deterministic || sm->endpoint_dependent)) + return clib_error_return ( + 0, "out2in dpo mode available only for simple nat"); + /* for show commands, etc. */ sm->translation_buckets = translation_buckets; sm->translation_memory_size = translation_memory_size; @@ -2599,34 +2895,66 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) } else { - sm->worker_in2out_cb = snat_get_worker_in2out_cb; - sm->worker_out2in_cb = snat_get_worker_out2in_cb; - sm->in2out_node_index = snat_in2out_node.index; - sm->in2out_output_node_index = snat_in2out_output_node.index; - sm->out2in_node_index = snat_out2in_node.index; - if (!static_mapping_only || - (static_mapping_only && static_mapping_connection_tracking)) + if (sm->endpoint_dependent) + { + sm->worker_in2out_cb = snat_get_worker_in2out_cb; + sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb; + sm->in2out_node_index = nat44_ed_in2out_node.index; + sm->in2out_output_node_index = nat44_ed_in2out_output_node.index; + sm->out2in_node_index = nat44_ed_out2in_node.index; + sm->icmp_match_in2out_cb = icmp_match_in2out_ed; + sm->icmp_match_out2in_cb = icmp_match_out2in_ed; + } + else { + sm->worker_in2out_cb = snat_get_worker_in2out_cb; + sm->worker_out2in_cb = snat_get_worker_out2in_cb; + sm->in2out_node_index = snat_in2out_node.index; + sm->in2out_output_node_index = snat_in2out_output_node.index; + sm->out2in_node_index = snat_out2in_node.index; sm->icmp_match_in2out_cb = icmp_match_in2out_slow; sm->icmp_match_out2in_cb = icmp_match_out2in_slow; - + } + if (!static_mapping_only || + (static_mapping_only && static_mapping_connection_tracking)) + { vec_foreach (tsm, sm->per_thread_data) { - clib_bihash_init_8_8 (&tsm->in2out, "in2out", translation_buckets, - translation_memory_size); - - clib_bihash_init_8_8 (&tsm->out2in, "out2in", translation_buckets, - translation_memory_size); + if (sm->endpoint_dependent) + { + clib_bihash_init_16_8 (&tsm->in2out_ed, "in2out-ed", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_16_8 (&tsm->in2out_ed, + format_ed_session_kvp); + + clib_bihash_init_16_8 (&tsm->out2in_ed, "out2in-ed", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_16_8 (&tsm->out2in_ed, + format_ed_session_kvp); + } + else + { + clib_bihash_init_8_8 (&tsm->in2out, "in2out", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&tsm->in2out, + format_session_kvp); + + clib_bihash_init_8_8 (&tsm->out2in, "out2in", + translation_buckets, + translation_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&tsm->out2in, + format_session_kvp); + } clib_bihash_init_8_8 (&tsm->user_hash, "users", user_buckets, user_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash, + format_user_kvp); } - clib_bihash_init_16_8 (&sm->in2out_ed, "in2out-ed", - translation_buckets, translation_memory_size); - - clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed", - translation_buckets, translation_memory_size); } else { @@ -2636,10 +2964,14 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) clib_bihash_init_8_8 (&sm->static_mapping_by_local, "static_mapping_by_local", static_mapping_buckets, static_mapping_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local, + format_static_mapping_kvp); clib_bihash_init_8_8 (&sm->static_mapping_by_external, "static_mapping_by_external", static_mapping_buckets, static_mapping_memory_size); + clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external, + format_static_mapping_kvp); } return 0; @@ -2675,9 +3007,20 @@ u8 * format_snat_key (u8 * s, va_list * args) return s; } +u8 * format_static_mapping_key (u8 * s, va_list * args) +{ + snat_session_key_t * key = va_arg (*args, snat_session_key_t *); + + s = format (s, "%U proto %U port %d fib %d", + format_ip4_address, &key->addr, + format_snat_protocol, key->protocol, + key->port, key->fib_index); + return s; +} + u8 * format_snat_session (u8 * s, va_list * args) { - snat_main_t * sm __attribute__((unused)) = va_arg (*args, snat_main_t *); + snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *); snat_session_t * sess = va_arg (*args, snat_session_t *); if (snat_is_unk_proto_session (sess)) @@ -2714,6 +3057,7 @@ u8 * format_snat_session (u8 * s, va_list * args) clib_net_to_host_u16 (sess->ext_host_port)); } } + s = format (s, " index %llu\n", sess - sm->sessions); s = format (s, " last heard %.2f\n", sess->last_heard); s = format (s, " total pkts %d, total bytes %lld\n", sess->total_pkts, sess->total_bytes); @@ -2723,7 +3067,7 @@ u8 * format_snat_session (u8 * s, va_list * args) s = format (s, " dynamic translation\n"); if (is_fwd_bypass_session (sess)) s = format (s, " forwarding-bypass\n"); - if (sess->flags & SNAT_SESSION_FLAG_LOAD_BALANCING) + if (is_lb_session (sess)) s = format (s, " load-balancing\n"); if (is_twice_nat_session (sess)) s = format (s, " twice-nat\n"); @@ -2788,17 +3132,16 @@ u8 * format_snat_static_mapping (u8 * s, va_list * args) { if (vec_len (m->locals)) { - s = format (s, "%U vrf %d external %U:%d %s %s", + s = format (s, "%U external %U:%d %s %s", format_snat_protocol, m->proto, - m->vrf_id, format_ip4_address, &m->external_addr, m->external_port, m->twice_nat == TWICE_NAT ? "twice-nat" : m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", m->out2in_only ? "out2in-only" : ""); vec_foreach (local, m->locals) - s = format (s, "\n local %U:%d probability %d\%", + s = format (s, "\n local %U:%d vrf %d probability %d\%", format_ip4_address, &local->addr, local->port, - local->probability); + local->vrf_id, local->probability); } else s = format (s, "%U local %U:%d external %U:%d vrf %d %s %s", @@ -2930,7 +3273,7 @@ match: !is_delete, 0, 0, rp->tag); if (rv) - clib_warning ("snat_add_static_mapping returned %d", rv); + nat_log_notice ("snat_add_static_mapping returned %d", rv); } static void @@ -2974,7 +3317,7 @@ match: if (addresses[j].addr.as_u32 == address->as_u32) return; - snat_add_address (sm, address, ~0, twice_nat); + (void) snat_add_address (sm, address, ~0, twice_nat); /* Scan static map resolution vector */ for (j = 0; j < vec_len (sm->to_resolve); j++) { @@ -3001,8 +3344,7 @@ match: rp->is_add, 0, 0, rp->tag); if (rv) - clib_warning ("snat_add_static_mapping returned %d", - rv); + nat_log_notice ("snat_add_static_mapping returned %d", rv); } } return; @@ -3076,7 +3418,7 @@ int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del, /* If the address is already bound - or static - add it now */ if (first_int_addr) - snat_add_address (sm, first_int_addr, ~0, twice_nat); + (void) snat_add_address (sm, first_int_addr, ~0, twice_nat); return 0; } @@ -3092,8 +3434,9 @@ nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, snat_session_key_t key; snat_session_t *s; clib_bihash_8_8_t *t; - snat_user_key_t u_key; - snat_user_t *u; + + if (sm->endpoint_dependent) + return VNET_API_ERROR_UNSUPPORTED; ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32; if (sm->num_workers > 1) @@ -3115,24 +3458,8 @@ nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, return VNET_API_ERROR_UNSPECIFIED; s = pool_elt_at_index (tsm->sessions, value.value); - kv.key = s->in2out.as_u64; - clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0); - kv.key = s->out2in.as_u64; - clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0); - u_key.addr = s->in2out.addr; - u_key.fib_index = s->in2out.fib_index; - kv.key = u_key.as_u64; - if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) - { - u = pool_elt_at_index (tsm->users, value.value); - if (snat_is_session_static (s)) - u->nstaticsessions--; - else - u->nsessions--; - } - clib_dlist_remove (tsm->list_pool, s->per_user_index); - pool_put_index (tsm->list_pool, s->per_user_index); - pool_put (tsm->sessions, s); + nat_free_session_data (sm, s, tsm - sm->per_thread_data); + nat44_delete_session (sm, s, tsm - sm->per_thread_data); return 0; } @@ -3148,17 +3475,22 @@ nat44_del_ed_session (snat_main_t *sm, ip4_address_t *addr, u16 port, clib_bihash_16_8_t *t; nat_ed_ses_key_t key; clib_bihash_kv_16_8_t kv, value; - u32 thread_index; u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id); snat_session_t *s; + snat_main_per_thread_data_t *tsm; + + if (!sm->endpoint_dependent) + return VNET_API_ERROR_FEATURE_DISABLED; ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32; if (sm->num_workers > 1) - thread_index = sm->worker_in2out_cb (&ip, fib_index); + tsm = + vec_elt_at_index (sm->per_thread_data, + sm->worker_in2out_cb (&ip, fib_index)); else - thread_index = sm->num_workers; + tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); - t = is_in ? &sm->in2out_ed : &sm->out2in_ed; + t = is_in ? &tsm->in2out_ed : &tsm->out2in_ed; key.l_addr.as_u32 = addr->as_u32; key.r_addr.as_u32 = eh_addr->as_u32; key.l_port = clib_host_to_net_u16 (port); @@ -3170,11 +3502,11 @@ nat44_del_ed_session (snat_main_t *sm, ip4_address_t *addr, u16 port, if (clib_bihash_search_16_8 (t, &kv, &value)) return VNET_API_ERROR_NO_SUCH_ENTRY; - if (pool_is_free_index (sm->per_thread_data[thread_index].sessions, value.value)) + if (pool_is_free_index (tsm->sessions, value.value)) return VNET_API_ERROR_UNSPECIFIED; - s = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, value.value); - nat_free_session_data (sm, s, thread_index); - nat44_delete_session (sm, s, thread_index); + s = pool_elt_at_index (tsm->sessions, value.value); + nat_free_session_data (sm, s, tsm - sm->per_thread_data); + nat44_delete_session (sm, s, tsm - sm->per_thread_data); return 0; }