add option to NAT44 static mapping API/CLI to make rule asymmetrical (rule match only out2in direction)
Change-Id: If262a3ff375a24d3059f0de1f1ac387a4fe09475
Signed-off-by: Matus Fabian <matfabia@cisco.com>
* limitations under the License.
*/
-vl_api_version 2.2.0
+vl_api_version 2.3.0
/**
* @file nat.api
@param vfr_id - VRF ID
@param twice_nat - if 1 translate external host address and port, only for
1:1 NAPT (addr_only must be 0)
+ @param out2in_only - if 1 rule match only out2in direction
*/
autoreply define nat44_add_del_static_mapping {
u32 client_index;
u32 external_sw_if_index;
u32 vrf_id;
u8 twice_nat;
+ u8 out2in_only;
};
/** \brief Dump NAT44 static mappings
@param external_sw_if_index - external interface
@param vfr_id - VRF ID
@param twice_nat - if 1 translate external host address and port
+ @param out2in_only - if 1 rule match only out2in direction
*/
define nat44_static_mapping_details {
u32 context;
u32 external_sw_if_index;
u32 vrf_id;
u8 twice_nat;
+ u8 out2in_only;
};
/** \brief Add/delete NAT44 identity mapping
* @param sw_if_index External port instead of specific IP address.
* @param is_add If 0 delete static mapping, otherwise add.
* @param twice_nat If 1 translate external host address and port.
+ * @param out2in_only If 1 rule match only out2in direction
*
* @returns
*/
int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr,
u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
u32 sw_if_index, snat_protocol_t proto, int is_add,
- u8 twice_nat)
+ u8 twice_nat, u8 out2in_only)
{
snat_main_t * sm = &snat_main;
snat_static_mapping_t *m;
/* Find external address in allocated addresses and reserve port for
address and port pair mapping when dynamic translations enabled */
- if (!addr_only && !(sm->static_mapping_only))
+ if (!(addr_only || sm->static_mapping_only || out2in_only))
{
for (i = 0; i < vec_len (sm->addresses); i++)
{
m->vrf_id = vrf_id;
m->fib_index = fib_index;
m->twice_nat = twice_nat;
+ m->out2in_only = out2in_only;
if (!addr_only)
{
m->local_port = l_port;
m_key.fib_index = m->fib_index;
kv.key = m_key.as_u64;
kv.value = m - sm->static_mappings;
- clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
- if (twice_nat)
+ if (!out2in_only)
+ clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
+ if (twice_nat || out2in_only)
{
m_key.port = clib_host_to_net_u16 (l_port);
kv.key = m_key.as_u64;
kv.key = m_key.as_u64;
kv.value = m - sm->static_mappings;
clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1);
- if (twice_nat)
+ if (twice_nat || out2in_only)
{
m_key.port = clib_host_to_net_u16 (e_port);
kv.key = m_key.as_u64;
return VNET_API_ERROR_NO_SUCH_ENTRY;
/* Free external address port */
- if (!addr_only && !(sm->static_mapping_only))
+ if (!(addr_only || sm->static_mapping_only || out2in_only))
{
for (i = 0; i < vec_len (sm->addresses); i++)
{
m_key.protocol = m->proto;
m_key.fib_index = m->fib_index;
kv.key = m_key.as_u64;
- clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0);
- if (twice_nat)
+ if (!out2in_only)
+ clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0);
+ if (twice_nat || out2in_only)
{
m_key.port = clib_host_to_net_u16 (m->local_port);
kv.key = m_key.as_u64;
m_key.fib_index = sm->outside_fib_index;
kv.key = m_key.as_u64;
clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0);
- if (twice_nat)
+ if (twice_nat || out2in_only)
{
m_key.port = clib_host_to_net_u16 (m->external_port);
kv.key = m_key.as_u64;
(void) snat_add_static_mapping (m->local_addr, m->external_addr,
m->local_port, m->external_port,
m->vrf_id, m->addr_only, ~0,
- m->proto, 0, m->twice_nat);
+ m->proto, 0, m->twice_nat,
+ m->out2in_only);
}));
}
else
snat_protocol_t proto = ~0;
u8 proto_set = 0;
u8 twice_nat = 0;
+ u8 out2in_only = 0;
/* Get a line of input. */
if (!unformat_user (input, unformat_line_input, line_input))
proto_set = 1;
else if (unformat (line_input, "twice-nat"))
twice_nat = 1;
+ else if (unformat (line_input, "out2in-only"))
+ out2in_only = 1;
else if (unformat (line_input, "del"))
is_add = 0;
else
rv = snat_add_static_mapping(l_addr, e_addr, (u16) l_port, (u16) e_port,
vrf_id, addr_only, sw_if_index, proto, is_add,
- twice_nat);
+ twice_nat, out2in_only);
switch (rv)
{
.function = add_static_mapping_command_fn,
.short_help =
"nat44 add static mapping tcp|udp|icmp local <addr> [<port>] "
- "external <addr> [<port>] [vrf <table-id>] [twice-nat] [del]",
+ "external <addr> [<port>] [vrf <table-id>] [twice-nat] [out2in-only] [del]",
};
static clib_error_t *
rv = snat_add_static_mapping(addr, addr, (u16) port, (u16) port,
vrf_id, addr_only, sw_if_index, proto, is_add,
- 0);
+ 0, 0);
switch (rv)
{
{
if (vec_len (m->locals))
{
- s = format (s, "%U vrf %d external %U:%d %s",
+ s = format (s, "%U vrf %d external %U:%d %s %s",
format_snat_protocol, m->proto,
m->vrf_id,
format_ip4_address, &m->external_addr, m->external_port,
- m->twice_nat ? "twice-nat" : "");
+ m->twice_nat ? "twice-nat" : "",
+ m->out2in_only ? "out2in-only" : "");
vec_foreach (local, m->locals)
s = format (s, "\n local %U:%d probability %d\%",
format_ip4_address, &local->addr, local->port,
local->probability);
}
else
- s = format (s, "%U local %U:%d external %U:%d vrf %d %s",
+ s = format (s, "%U local %U:%d external %U:%d vrf %d %s %s",
format_snat_protocol, m->proto,
format_ip4_address, &m->local_addr, m->local_port,
format_ip4_address, &m->external_addr, m->external_port,
- m->vrf_id, m->twice_nat ? "twice-nat" : "");
+ m->vrf_id, m->twice_nat ? "twice-nat" : "",
+ m->out2in_only ? "out2in-only" : "");
}
return s;
}
~0 /* sw_if_index */,
rp->proto,
rp->is_add,
- 0);
+ 0, 0);
if (rv)
clib_warning ("snat_add_static_mapping returned %d",
rv);
int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr,
u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
u32 sw_if_index, snat_protocol_t proto, int is_add,
- u8 twice_nat);
+ u8 twice_nat, u8 out2in_only);
clib_error_t * snat_api_init(vlib_main_t * vm, snat_main_t * sm);
int snat_set_workers (uword * bitmap);
int snat_interface_add_del(u32 sw_if_index, u8 is_inside, int is_del);
rv = snat_add_static_mapping (local_addr, external_addr, local_port,
external_port, vrf_id, mp->addr_only,
external_sw_if_index, proto, mp->is_add,
- mp->twice_nat);
+ mp->twice_nat, mp->out2in_only);
REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_REPLY);
}
clib_net_to_host_u16 (mp->local_port),
clib_net_to_host_u16 (mp->external_port));
- s = format (s, "twice_nat %d ", mp->twice_nat);
+ s = format (s, "twice_nat %d out2in_only %d ",
+ mp->twice_nat, mp->out2in_only);
if (mp->vrf_id != ~0)
s = format (s, "vrf %d", clib_net_to_host_u32 (mp->vrf_id));
rmp->protocol = snat_proto_to_ip_proto (m->proto);
rmp->context = context;
rmp->twice_nat = m->twice_nat;
+ rmp->out2in_only = m->out2in_only;
vl_api_send_msg (reg, (u8 *) rmp);
}
rv =
snat_add_static_mapping (addr, addr, port, port, vrf_id, mp->addr_only,
- sw_if_index, proto, mp->is_add, 0);
+ sw_if_index, proto, mp->is_add, 0, 0);
REPLY_MACRO (VL_API_NAT44_ADD_DEL_IDENTITY_MAPPING_REPLY);
}
u8 *s;
s = format (0, "SCRIPT: nat44_add_del_lb_static_mapping ");
- s = format (s, "is_add %d twice_nat %d out2in_only ",
+ s = format (s, "is_add %d twice_nat %d out2in_only %d ",
mp->is_add, mp->twice_nat, mp->out2in_only);
FINISH;
vrf_id=sm.vrf_id,
protocol=sm.protocol,
twice_nat=sm.twice_nat,
+ out2in_only=sm.out2in_only,
is_add=0)
lb_static_mappings = self.vapi.nat44_lb_static_mapping_dump()
def nat44_add_static_mapping(self, local_ip, external_ip='0.0.0.0',
local_port=0, external_port=0, vrf_id=0,
is_add=1, external_sw_if_index=0xFFFFFFFF,
- proto=0, twice_nat=0):
+ proto=0, twice_nat=0, out2in_only=0):
"""
Add/delete NAT44 static mapping
:param external_sw_if_index: External interface instead of IP address
:param proto: IP protocol (Mandatory if port specified)
:param twice_nat: 1 if translate external host address and port
+ :param out2in_only: if 1 rule is matching only out2in direction
"""
addr_only = 1
if local_port and external_port:
vrf_id,
proto,
twice_nat,
+ out2in_only,
is_add)
def nat44_add_address(self, ip, is_add=1, vrf_id=0xFFFFFFFF, twice_nat=0):
capture = self.pg1.get_capture(len(pkts))
self.verify_capture_out(capture)
+ def test_static_with_port_out2(self):
+ """ 1:1 NAPT symmetrical rule """
+
+ external_port = 80
+ local_port = 8080
+
+ self.vapi.nat44_forwarding_enable_disable(1)
+ self.nat44_add_static_mapping(self.pg0.remote_ip4, self.nat_addr,
+ local_port, external_port,
+ proto=IP_PROTOS.tcp, out2in_only=1)
+ self.vapi.nat44_interface_add_del_feature(self.pg0.sw_if_index)
+ self.vapi.nat44_interface_add_del_feature(self.pg1.sw_if_index,
+ is_inside=0)
+
+ # from client to service
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.nat_addr) /
+ TCP(sport=12345, dport=external_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ server = None
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg0.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.check_tcp_checksum(p)
+ self.check_ip_checksum(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12345))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.nat_addr)
+ self.assertEqual(tcp.sport, external_port)
+ self.check_tcp_checksum(p)
+ self.check_ip_checksum(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from client to server (no translation)
+ p = (Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) /
+ IP(src=self.pg1.remote_ip4, dst=self.pg0.remote_ip4) /
+ TCP(sport=12346, dport=local_port))
+ self.pg1.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(1)
+ p = capture[0]
+ server = None
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.dst, self.pg0.remote_ip4)
+ self.assertEqual(tcp.dport, local_port)
+ self.check_tcp_checksum(p)
+ self.check_ip_checksum(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
+ # from service back to client (no translation)
+ p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
+ TCP(sport=local_port, dport=12346))
+ self.pg0.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.pg0.remote_ip4)
+ self.assertEqual(tcp.sport, local_port)
+ self.check_tcp_checksum(p)
+ self.check_ip_checksum(p)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
+
def test_static_vrf_aware(self):
""" 1:1 NAT VRF awareness """
self.assertEqual(tcp.dport, host_in_port)
self.check_tcp_checksum(p)
except:
- self.logger.error(ppp("Unexpected or invalid packet:"), p)
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
raise
def test_hairpinning2(self):
self.assertEqual(tcp.dport, host_in_port)
self.check_tcp_checksum(p)
except:
- self.logger.error(ppp("Unexpected or invalid packet:"), p)
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
raise
def test_one_armed_nat44(self):
vrf_id=0,
protocol=0,
twice_nat=0,
+ out2in_only=0,
is_add=1):
"""Add/delete NAT44 static mapping
:param vrf_id: VRF ID
:param protocol: IP protocol (Default value = 0)
:param twice_nat: 1 if translate external host address and port
+ :param out2in_only: if 1 rule is matching only out2in direction
:param is_add: 1 if add, 0 if delete (Default value = 1)
"""
return self.api(
'external_sw_if_index': external_sw_if_index,
'vrf_id': vrf_id,
'protocol': protocol,
- 'twice_nat': twice_nat})
+ 'twice_nat': twice_nat,
+ 'out2in_only': out2in_only})
def nat44_add_del_identity_mapping(
self,
Code Review / vpp.git / commitdiff