From 2c703c7c4637d5cc94dd480b1ce8e4f51c82d8ab Mon Sep 17 00:00:00 2001 From: Juraj Sloboda Date: Wed, 11 Apr 2018 12:54:12 +0200 Subject: [PATCH] NAT: disable CLI/API not supported in active mode (VPP-1234) When in deterministic mode disable nondeterministic CLI/API. When not in deterministic mode disable deterministic CLI/API. Change-Id: Ibf485c14612297e51d3815a6fde541542c8fe7ab Signed-off-by: Juraj Sloboda --- src/plugins/nat/nat44_cli.c | 79 +++++++++++++++++++++++++ src/plugins/nat/nat_api.c | 139 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 215 insertions(+), 3 deletions(-) diff --git a/src/plugins/nat/nat44_cli.c b/src/plugins/nat/nat44_cli.c index f61f59b8d6a..da97a801b7f 100644 --- a/src/plugins/nat/nat44_cli.c +++ b/src/plugins/nat/nat44_cli.c @@ -22,15 +22,24 @@ #include #include +#define UNSUPPORTED_IN_DET_MODE_STR \ + "This command is unsupported in deterministic mode" +#define SUPPORTED_ONLY_IN_DET_MODE_STR \ + "This command is supported only in deterministic mode" + static clib_error_t * set_workers_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; + snat_main_t *sm = &snat_main; uword *bitmap = 0; int rv = 0; clib_error_t *error = 0; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -83,6 +92,9 @@ nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input, snat_main_t *sm = &snat_main; u32 *worker; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + if (sm->num_workers > 1) { vlib_cli_output (vm, "%d workers", vec_len (sm->workers)); 
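Review bot: The two new message macros at the top of nat44_cli.c carry no comment saying what decides which commands get which guard, so a reader of one command function sees only `if (sm->deterministic) return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);` with no pointer to the rule. A short comment above `#define UNSUPPORTED_IN_DET_MODE_STR` would carry it, e.g. `/* Each NAT44 CLI command applies to exactly one mode: nondeterministic commands reject deterministic mode and deterministic commands reject the other, so every command checks sm->deterministic before parsing its input. */`. Placing the guard ahead of unformat_user, as every hunk in this file does, is the right spot, since nothing has been allocated yet and no unformat_free is needed. The same three-line guard recurs in every command hunk through the end of nat44_cli.c; the comment need only appear once at the macros.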
@@ -151,9 +163,13 @@ nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; + snat_main_t *sm = &snat_main; clib_error_t *error = 0; u32 psid, psid_offset, psid_length; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -197,6 +213,9 @@ add_address_command_fn (vlib_main_t * vm, clib_error_t *error = 0; u8 twice_nat = 0; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -286,6 +305,9 @@ nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input, snat_main_t *sm = &snat_main; snat_address_t *ap; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + vlib_cli_output (vm, "NAT44 pool addresses:"); /* *INDENT-OFF* */ vec_foreach (ap, sm->addresses) @@ -468,6 +490,7 @@ add_static_mapping_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; + snat_main_t *sm = &snat_main; clib_error_t *error = 0; ip4_address_t l_addr, e_addr; u32 l_port = 0, e_port = 0, vrf_id = ~0; @@ -481,6 +504,9 @@ add_static_mapping_command_fn (vlib_main_t * vm, u8 twice_nat = 0; u8 out2in_only = 0; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -574,6 +600,7 @@ add_identity_mapping_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; + snat_main_t *sm = &snat_main; clib_error_t *error = 0; ip4_address_t addr; u32 port = 0, vrf_id = ~0; 
@@ -584,6 +611,9 @@ add_identity_mapping_command_fn (vlib_main_t * vm, int rv; snat_protocol_t proto; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + addr.as_u32 = 0; /* Get a line of input. */ @@ -649,6 +679,7 @@ add_lb_static_mapping_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; + snat_main_t *sm = &snat_main; clib_error_t *error = 0; ip4_address_t l_addr, e_addr; u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0; @@ -660,6 +691,9 @@ add_lb_static_mapping_command_fn (vlib_main_t * vm, u8 twice_nat = 0; u8 out2in_only = 0; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -747,6 +781,9 @@ nat44_show_static_mappings_command_fn (vlib_main_t * vm, snat_static_mapping_t *m; snat_static_map_resolve_t *rp; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + vlib_cli_output (vm, "NAT44 static mappings:"); /* *INDENT-OFF* */ pool_foreach (m, sm->static_mappings, @@ -773,6 +810,9 @@ snat_add_interface_address_command_fn (vlib_main_t * vm, clib_error_t *error = 0; u8 twice_nat = 0; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -822,6 +862,9 @@ nat44_show_interface_address_command_fn (vlib_main_t * vm, vnet_main_t *vnm = vnet_get_main (); u32 *sw_if_index; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* *INDENT-OFF* */ vlib_cli_output (vm, "NAT44 pool address interfaces:"); vec_foreach (sw_if_index, sm->auto_add_sw_if_indices) 
@@ -850,6 +893,9 @@ nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input, snat_user_t *u; int i = 0; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + if (unformat (input, "detail")) verbose = 1; @@ -884,6 +930,9 @@ nat44_del_session_command_fn (vlib_main_t * vm, snat_protocol_t proto; int rv; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -938,6 +987,9 @@ snat_forwarding_set_command_fn (vlib_main_t * vm, u8 forwarding_enable_set = 0; clib_error_t *error = 0; + if (sm->deterministic) + return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return clib_error_return (0, "'enable' or 'disable' expected"); @@ -987,6 +1039,9 @@ snat_det_map_command_fn (vlib_main_t * vm, int is_add = 1, rv; clib_error_t *error = 0; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -1034,6 +1089,9 @@ nat44_det_show_mappings_command_fn (vlib_main_t * vm, snat_main_t *sm = &snat_main; snat_det_map_t *dm; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + vlib_cli_output (vm, "NAT44 deterministic mappings:"); /* *INDENT-OFF* */ pool_foreach (dm, sm->det_maps, @@ -1064,6 +1122,9 @@ snat_det_forward_command_fn (vlib_main_t * vm, snat_det_map_t *dm; clib_error_t *error = 0; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; 
@@ -1108,6 +1169,9 @@ snat_det_reverse_command_fn (vlib_main_t * vm, snat_det_map_t *dm; clib_error_t *error = 0; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -1154,6 +1218,9 @@ set_timeout_command_fn (vlib_main_t * vm, unformat_input_t _line_input, *line_input = &_line_input; clib_error_t *error = 0; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -1198,6 +1265,9 @@ nat44_det_show_timeouts_command_fn (vlib_main_t * vm, { snat_main_t *sm = &snat_main; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout); vlib_cli_output (vm, "tcp-established timeout: %dsec", sm->tcp_established_timeout); @@ -1218,6 +1288,9 @@ nat44_det_show_sessions_command_fn (vlib_main_t * vm, snat_det_session_t *ses; int i; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + vlib_cli_output (vm, "NAT44 deterministic sessions:"); /* *INDENT-OFF* */ pool_foreach (dm, sm->det_maps, @@ -1247,6 +1320,9 @@ snat_det_close_session_out_fn (vlib_main_t * vm, snat_det_out_key_t key; clib_error_t *error = 0; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -1303,6 +1379,9 @@ snat_det_close_session_in_fn (vlib_main_t * vm, snat_det_out_key_t key; clib_error_t *error = 0; + if (!sm->deterministic) + return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR); + /* Get a line of input. */ if (!unformat_user (input, unformat_line_input, line_input)) return 0; 
diff --git a/src/plugins/nat/nat_api.c b/src/plugins/nat/nat_api.c index d226ad6156e..56b261d1bb9 100644 --- a/src/plugins/nat/nat_api.c +++ b/src/plugins/nat/nat_api.c @@ -133,7 +133,15 @@ vl_api_nat_set_workers_t_handler (vl_api_nat_set_workers_t * mp) vl_api_nat_set_workers_reply_t *rmp; int rv = 0; uword *bitmap = 0; - u64 mask = clib_net_to_host_u64 (mp->worker_mask); + u64 mask; + + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + + mask = clib_net_to_host_u64 (mp->worker_mask); if (sm->num_workers < 2) { @@ -201,6 +209,9 @@ vl_api_nat_worker_dump_t_handler (vl_api_nat_worker_dump_t * mp) snat_main_t *sm = &snat_main; u32 *worker_index; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -411,6 +422,12 @@ static void int rv = 0; u32 *tmp; + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + if (sm->static_mapping_only) { rv = VNET_API_ERROR_FEATURE_DISABLED; @@ -500,6 +517,9 @@ vl_api_nat44_address_dump_t_handler (vl_api_nat44_address_dump_t * mp) snat_main_t *sm = &snat_main; snat_address_t *a; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -614,13 +634,19 @@ static void u32 sw_if_index = ntohl (mp->sw_if_index); int rv = 0; + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + VALIDATE_SW_IF_INDEX (mp); rv = snat_interface_add_del_output_feature (sw_if_index, mp->is_inside, is_del); BAD_SW_IF_INDEX_LABEL; - +send_reply: REPLY_MACRO (VL_API_NAT44_INTERFACE_ADD_DEL_OUTPUT_FEATURE_REPLY); } @@ -664,6 +690,9 @@ static void snat_main_t *sm = &snat_main; snat_interface_t *i; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; 
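Review bot: The `if (sm->deterministic) return;` added to vl_api_nat_worker_dump_t_handler ends the request without sending anything, so an API client cannot tell a mode mismatch from a legitimately empty dump, whereas the reply-carrying handlers in this patch report VNET_API_ERROR_UNSUPPORTED. If dump messages indeed have no retval to carry the error, the silent return may be the only option, but that reasoning belongs next to the early return, e.g. `/* Dump messages have no error reply; in deterministic mode this dump is intentionally empty. */`, presumably relying on the client's control-ping to terminate the request. The same bare return is added in nat44_address_dump, the interface dump at hunk @@ -664, nat44_static_mapping_dump, the dump at hunk @@ -970, nat44_interface_addr_dump, nat44_user_dump, nat44_user_session_dump, the dump at hunk @@ -1346, nat_det_map_dump and nat_det_session_dump; one comment at the first occurrence would cover them.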
@@ -699,6 +728,12 @@ static void snat_protocol_t proto; u8 *tag = 0; + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + memcpy (&local_addr.as_u8, mp->local_ip_address, 4); memcpy (&external_addr.as_u8, mp->external_ip_address, 4); if (mp->addr_only == 0) @@ -720,6 +755,7 @@ static void vec_free (tag); +send_reply: REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_REPLY); } @@ -822,6 +858,9 @@ vl_api_nat44_static_mapping_dump_t_handler (vl_api_nat44_static_mapping_dump_t snat_static_map_resolve_t *rp; int j; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -866,6 +905,12 @@ static void snat_protocol_t proto = ~0; u8 *tag = 0; + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + if (mp->addr_only == 0) { port = clib_net_to_host_u16 (mp->port); @@ -887,6 +932,7 @@ static void vec_free (tag); +send_reply: REPLY_MACRO (VL_API_NAT44_ADD_DEL_IDENTITY_MAPPING_REPLY); } @@ -970,6 +1016,9 @@ static void snat_static_map_resolve_t *rp; int j; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -1010,12 +1059,18 @@ static void u32 sw_if_index = ntohl (mp->sw_if_index); int rv = 0; + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + VALIDATE_SW_IF_INDEX (mp); rv = snat_add_interface_address (sm, sw_if_index, is_del, mp->twice_nat); BAD_SW_IF_INDEX_LABEL; - +send_reply: REPLY_MACRO (VL_API_NAT44_ADD_DEL_INTERFACE_ADDR_REPLY); } @@ -1059,6 +1114,9 @@ vl_api_nat44_interface_addr_dump_t_handler (vl_api_nat44_interface_addr_dump_t snat_main_t *sm = &snat_main; u32 *i; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; 
@@ -1112,6 +1170,9 @@ vl_api_nat44_user_dump_t_handler (vl_api_nat44_user_dump_t * mp) snat_main_per_thread_data_t *tsm; snat_user_t *u; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -1182,6 +1243,9 @@ vl_api_nat44_user_session_dump_t_handler (vl_api_nat44_user_session_dump_t * dlist_elt_t *head, *elt; ip4_header_t ip; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -1266,6 +1330,12 @@ static void snat_protocol_t proto; u8 *tag = 0; + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + locals = unformat_nat44_lb_addr_port (mp->locals, mp->local_num); clib_memcpy (&e_addr, mp->external_addr, 4); proto = ip_proto_to_snat_proto (mp->protocol); @@ -1283,6 +1353,7 @@ static void vec_free (locals); vec_free (tag); +send_reply: REPLY_MACRO (VL_API_NAT44_ADD_DEL_LB_STATIC_MAPPING_REPLY); } @@ -1346,6 +1417,9 @@ static void snat_main_t *sm = &snat_main; snat_static_mapping_t *m; + if (sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -1380,6 +1454,12 @@ vl_api_nat44_del_session_t_handler (vl_api_nat44_del_session_t * mp) int rv = 0; snat_protocol_t proto; + if (sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + memcpy (&addr.as_u8, mp->address, 4); port = clib_net_to_host_u16 (mp->port); vrf_id = clib_net_to_host_u32 (mp->vrf_id); @@ -1387,6 +1467,7 @@ vl_api_nat44_del_session_t_handler (vl_api_nat44_del_session_t * mp) rv = nat44_del_session (sm, &addr, port, proto, vrf_id, mp->is_in); +send_reply: REPLY_MACRO (VL_API_NAT44_DEL_SESSION_REPLY); } 
@@ -1474,6 +1555,12 @@ vl_api_nat_det_add_del_map_t_handler (vl_api_nat_det_add_del_map_t * mp) int rv = 0; ip4_address_t in_addr, out_addr; + if (!sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + if (!mp->is_nat44) { rv = VNET_API_ERROR_UNIMPLEMENTED; @@ -1513,6 +1600,13 @@ vl_api_nat_det_forward_t_handler (vl_api_nat_det_forward_t * mp) snat_det_map_t *dm; ip4_address_t in_addr, out_addr; + if (!sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + REPLY_MACRO (VL_API_NAT_DET_FORWARD_REPLY); + return; + } + if (!mp->is_nat44) { out_addr.as_u32 = 0; @@ -1563,6 +1657,13 @@ vl_api_nat_det_reverse_t_handler (vl_api_nat_det_reverse_t * mp) ip4_address_t out_addr, in_addr; snat_det_map_t *dm; + if (!sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + REPLY_MACRO (VL_API_NAT_DET_REVERSE_REPLY); + return; + } + in_addr.as_u32 = 0; clib_memcpy (&out_addr, mp->out_addr, 4); dm = snat_det_map_by_out (sm, &out_addr); @@ -1627,6 +1728,9 @@ vl_api_nat_det_map_dump_t_handler (vl_api_nat_det_map_dump_t * mp) snat_main_t *sm = &snat_main; snat_det_map_t *m; + if (!sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; @@ -1654,11 +1758,18 @@ vl_api_nat_det_set_timeouts_t_handler (vl_api_nat_det_set_timeouts_t * mp) vl_api_nat_det_set_timeouts_reply_t *rmp; int rv = 0; + if (!sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + sm->udp_timeout = ntohl (mp->udp); sm->tcp_established_timeout = ntohl (mp->tcp_established); sm->tcp_transitory_timeout = ntohl (mp->tcp_transitory); sm->icmp_timeout = ntohl (mp->icmp); +send_reply: REPLY_MACRO (VL_API_NAT_DET_SET_TIMEOUTS_REPLY); } 
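Review bot: The guard in vl_api_nat_det_forward_t_handler answers with a plain `REPLY_MACRO (VL_API_NAT_DET_FORWARD_REPLY)` instead of the handler's own send_reply path, so the out_addr and port fields of the reply are never written; unless REPLY_MACRO zero-fills the message it allocates, those bytes reach the client uninitialized. The handler's existing error branch visible in this hunk sets `out_addr.as_u32 = 0;` and presumably jumps to a send_reply label whose REPLY_MACRO2 fills every field, so the guard should follow that pattern: `out_addr.as_u32 = 0; rv = VNET_API_ERROR_UNSUPPORTED; goto send_reply;`. The guard in vl_api_nat_det_reverse_t_handler in this hunk has the same shape and could sit below the `in_addr.as_u32 = 0;` line and use the same goto, and vl_api_nat_det_get_timeouts_t_handler in hunk @@ -1684 can simply set rv and fall through to its REPLY_MACRO2, which already fills the timeout fields from sm. The send_reply labels and REPLY_MACRO2 bodies of these three handlers lie outside the hunks, so this cannot be confirmed here.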
@@ -1684,6 +1795,13 @@ vl_api_nat_det_get_timeouts_t_handler (vl_api_nat_det_get_timeouts_t * mp) vl_api_nat_det_get_timeouts_reply_t *rmp; int rv = 0; + if (!sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + REPLY_MACRO (VL_API_NAT_DET_GET_TIMEOUTS_REPLY); + return; + } + /* *INDENT-OFF* */ REPLY_MACRO2 (VL_API_NAT_DET_GET_TIMEOUTS_REPLY, ({ @@ -1718,6 +1836,12 @@ vl_api_nat_det_close_session_out_t_handler (vl_api_nat_det_close_session_out_t snat_det_session_t *ses; int rv = 0; + if (!sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + clib_memcpy (&out_addr, mp->out_addr, 4); clib_memcpy (&ext_addr, mp->ext_addr, 4); @@ -1770,6 +1894,12 @@ vl_api_nat_det_close_session_in_t_handler (vl_api_nat_det_close_session_in_t * snat_det_session_t *ses; int rv = 0; + if (!sm->deterministic) + { + rv = VNET_API_ERROR_UNSUPPORTED; + goto send_reply; + } + if (!mp->is_nat44) { rv = VNET_API_ERROR_UNIMPLEMENTED; @@ -1843,6 +1973,9 @@ vl_api_nat_det_session_dump_t_handler (vl_api_nat_det_session_dump_t * mp) snat_det_session_t *s, empty_ses; u16 i; + if (!sm->deterministic) + return; + reg = vl_api_client_index_to_registration (mp->client_index); if (!reg) return; -- 2.16.6