From 36ed73acb16c54d556ffd2bba10f0be05cc66ffb Mon Sep 17 00:00:00 2001
From: Matus Fabian
Date: Wed, 18 Apr 2018 01:39:17 -0700
Subject: [PATCH] NAT44: recycle old sessions for forwarding bypass (VPP-1240)
Change-Id: I7e6b0e7e91cc032b1685f35de5d84363a85158a5
Signed-off-by: Matus Fabian
---
 src/plugins/nat/in2out.c | 29 ++++++++++++++++------
 src/plugins/nat/nat.c | 15 ++++++++++++
 src/plugins/nat/nat.h | 7 ++++++
 src/plugins/nat/out2in.c | 64 ++++++++++++++++++++++++++++++++++++++++--------
 4 files changed, 98 insertions(+), 17 deletions(-)
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c
index 996c626d46c..7d9d6c3e6c1 100755
--- a/src/plugins/nat/in2out.c
+++ b/src/plugins/nat/in2out.c
@@ -490,11 +490,14 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
 }
 static inline int
-nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip)
+nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
+ u32 thread_index)
 {
 nat_ed_ses_key_t key;
 clib_bihash_kv_16_8_t kv, value;
 udp_header_t *udp;
+ snat_session_t *s = 0;
+ snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
 if (!sm->forwarding_enabled)
 return 0;
@@ -525,7 +528,19 @@ nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip)
 kv.key[1] = key.as_u64[1];
 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
- return value.value == ~0ULL;
+ {
+ s = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, value.value);
+ if (is_fwd_bypass_session (s))
+ {
+ /* Per-user LRU list maintenance */
+ clib_dlist_remove (tsm->list_pool, s->per_user_index);
+ clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
+ s->per_user_index);
+ return 1;
+ }
+ else
+ return 0;
+ }
 return 0;
 }
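Review bot: In the second in2out.c hunk, `value.value` read from the shared `sm->in2out_ed` table is used as an index into this worker's session pool with no check that the entry belongs to this thread or that the slot is still live. The hash is global while sessions are per-thread, and the out2in side stores only `s - tsm->sessions`, so if a bypass entry can be hit on a worker other than the one that created it (not determinable from this hunk), `pool_elt_at_index` returns an unrelated element and the LRU `clib_dlist_remove`/`clib_dlist_addtail` calls then edit the wrong list. Consider storing the owning thread index with the session index, or at minimum rejecting stale slots first with `if (pool_is_free_index (tsm->sessions, value.value)) return 0;`. The snat_in2out_lb hunk dereferences `s_value.value` the same way. The new line can also use the local added in the first hunk: `s = pool_elt_at_index (tsm->sessions, value.value);`.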
@@ -1348,9 +1363,9 @@ snat_in2out_lb (snat_main_t *sm,
 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
 {
- if (s_value.value == ~0ULL)
- return 0;
 s = pool_elt_at_index (tsm->sessions, s_value.value);
+ if (is_fwd_bypass_session (s))
+ return 0;
 }
 else
 {
@@ -1588,7 +1603,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
 {
 if (is_output_feature)
 {
- if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
+ if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0, thread_index)))
 goto trace00;
 }
@@ -1780,7 +1795,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
 {
 if (is_output_feature)
 {
- if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1)))
+ if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1, thread_index)))
 goto trace01;
 }
@@ -2008,7 +2023,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
 {
 if (is_output_feature)
 {
- if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
+ if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0, thread_index)))
 goto trace0;
 }
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index 764bc1db6bb..51fbb1336e1 100755
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -152,6 +152,21 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index)
 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, thread_index);
+ if (is_fwd_bypass_session (s))
+ {
+ ed_key.l_addr = s->in2out.addr;
+ ed_key.r_addr = s->ext_host_addr;
+ ed_key.l_port = s->in2out.port;
+ ed_key.r_port = s->ext_host_port;
+ ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
+ ed_key.fib_index = 0;
+ ed_kv.key[0] = ed_key.as_u64[0];
+ ed_kv.key[1] = ed_key.as_u64[1];
+ if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &ed_kv, 0))
+ clib_warning ("in2out_ed key del failed");
+ return;
+ }
+
 /* Endpoint dependent session lookup tables */
 if (is_ed_session (s))
 {
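Review bot: The delete key in the nat_free_session_data hunk is rebuilt from session fields, with `ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol)`, while the entry is added in out2in.c under the packet's own `key.proto`. If that conversion is not a lossless round trip for every protocol that can receive a bypass entry, the delete misses, only `clib_warning` fires, and `in2out_ed` keeps an entry whose value points at a session index that is about to be reused. A later lookup would then dereference a session that belongs to a different flow or user. Consider keeping the original IP protocol on the session for bypass entries, or building the key in one helper shared by the add and delete paths, and add a comment such as `/* bypass sessions exist only in in2out_ed; key must match create_bypass_for_fwd */` above the block. The function body starts and ends outside the hunk.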
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h
index fb4ed98f837..8d7d1738fb3 100644
--- a/src/plugins/nat/nat.h
+++ b/src/plugins/nat/nat.h
@@ -129,6 +129,7 @@ typedef enum {
 #define SNAT_SESSION_FLAG_UNKNOWN_PROTO 2
 #define SNAT_SESSION_FLAG_LOAD_BALANCING 4
 #define SNAT_SESSION_FLAG_TWICE_NAT 8
+#define SNAT_SESSION_FLAG_FWD_BYPASS 16
 #define NAT_INTERFACE_FLAG_IS_INSIDE 1
 #define NAT_INTERFACE_FLAG_IS_OUTSIDE 2
@@ -463,6 +464,12 @@ typedef struct {
 */
 #define is_lb_session(s) (s->flags & SNAT_SESSION_FLAG_LOAD_BALANCING)
+/** \brief Check if NAT session is forwarding bypass.
+ @param s NAT session
+ @return 1 if NAT session is load-balancing
+*/
+#define is_fwd_bypass_session(s) (s->flags & SNAT_SESSION_FLAG_FWD_BYPASS)
+
 /** \brief Check if NAT session is endpoint dependent.
 @param s NAT session
 @return 1 if NAT session is endpoint dependent
diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c
index 553883d1144..637a07341e0 100755
--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -333,11 +333,15 @@ next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port,
 }
 static void
-create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
+create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
+ u32 thread_index)
 {
 nat_ed_ses_key_t key;
- clib_bihash_kv_16_8_t kv;
+ clib_bihash_kv_16_8_t kv, value;
 udp_header_t *udp;
+ snat_user_t *u;
+ snat_session_t *s = 0;
+ snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
 if (ip->protocol == IP_PROTOCOL_ICMP)
 {
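Review bot: The doc comment added for `is_fwd_bypass_session` in the second nat.h hunk was copied from the load-balancing macro and still reads `@return 1 if NAT session is load-balancing`; it should read `@return non-zero if NAT session is forwarding bypass`. The macro yields the masked flag value (16) rather than 1, so a caller comparing the result with 1 would silently take the wrong branch. Writing it as `((s)->flags & SNAT_SESSION_FLAG_FWD_BYPASS)` would also keep it safe for expression arguments, although the neighbouring macros use the same unparenthesised form.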
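Review bot: The new `rx_fib_index` parameter of create_bypass_for_fwd is never read: the lines between the two hunks predate it, and the next hunk still sets `key.fib_index = 0`, `s->out2in.fib_index = 0` and creates the user in `sm->inside_fib_index`. With more than one VRF, flows that differ only by FIB would share one bypass entry and one user, which could blur separation between routing domains. Either use it, e.g. `key.fib_index = rx_fib_index;` with the matching change in the lookup and delete paths, or drop the parameter until it is needed. The function body continues in the next hunk.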
@@ -363,10 +367,50 @@ create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
 key.fib_index = 0;
 kv.key[0] = key.as_u64[0];
 kv.key[1] = key.as_u64[1];
- kv.value = ~0ULL;
- if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
- clib_warning ("in2out_ed key add failed");
+ if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
+ {
+ s = pool_elt_at_index (tsm->sessions, value.value);
+ }
+ else
+ {
+ if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
+ return;
+
+ u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index, thread_index);
+ if (!u)
+ {
+ clib_warning ("create NAT user failed");
+ return;
+ }
+
+ s = nat_session_alloc_or_recycle (sm, u, thread_index);
+ if (!s)
+ {
+ clib_warning ("create NAT session failed");
+ return;
+ }
+
+ s->ext_host_addr = key.r_addr;
+ s->ext_host_port = key.r_port;
+ s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
+ s->outside_address_index = ~0;
+ s->out2in.addr = key.l_addr;
+ s->out2in.port = key.l_port;
+ s->out2in.protocol = ip_proto_to_snat_proto (key.proto);
+ s->out2in.fib_index = 0;
+ s->in2out = s->out2in;
+ user_session_increment (sm, u, 0);
+
+ kv.value = s - tsm->sessions;
+ if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
+ clib_warning ("in2out_ed key add failed");
+ }
+
+ /* Per-user LRU list maintenance */
+ clib_dlist_remove (tsm->list_pool, s->per_user_index);
+ clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
+ s->per_user_index);
 }
 /**
@@ -446,7 +490,7 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
 goto out;
 }
- create_bypass_for_fwd(sm, ip0);
+ create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
 goto out;
 }
 }
@@ -1193,7 +1237,7 @@ snat_out2in_node_fn (vlib_main_t * vm,
 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
 goto trace0;
 }
- create_bypass_for_fwd(sm, ip0);
+ create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
 goto trace0;
 }
 }
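Review bot: When `clib_bihash_add_del_16_8` fails in the `else` branch of the create_bypass_for_fwd hunk, the code only logs and falls through, so the freshly allocated session stays counted against the user (`user_session_increment` has already run) but has no `in2out_ed` entry and can never be matched. Do the hash insert before `user_session_increment` and, on failure, release the session and return rather than continuing to the LRU update. In the found-entry branch `s` is taken from `in2out_ed` without an `is_fwd_bypass_session (s)` check, so an entry owned by another session type would also have its LRU position refreshed by outside traffic; confirm that is intended. Because these sessions are created by packets arriving from the outside interface, a comment noting that they draw on the same `maximum_sessions_exceeded` budget as translated sessions would help operators size that limit.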
@@ -1371,7 +1415,7 @@ snat_out2in_node_fn (vlib_main_t * vm,
 next1 = SNAT_OUT2IN_NEXT_IN2OUT;
 goto trace1;
 }
- create_bypass_for_fwd(sm, ip1);
+ create_bypass_for_fwd(sm, ip1, rx_fib_index1, thread_index);
 goto trace1;
 }
 }
@@ -1585,7 +1629,7 @@ snat_out2in_node_fn (vlib_main_t * vm,
 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
 goto trace00;
 }
- create_bypass_for_fwd(sm, ip0);
+ create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
 goto trace00;
 }
 }
@@ -1841,7 +1885,7 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm,
 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
 goto trace0;
 }
- create_bypass_for_fwd(sm, ip0);
+ create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
 goto trace0;
 }
 }
-- 
2.16.6