From 6484f4b9cbaf19062444cfe09b39ce1514dd146f Mon Sep 17 00:00:00 2001 From: Filip Varga Date: Sun, 30 Aug 2020 21:19:55 +0200 Subject: [PATCH] nat: twice-nat static mapping pool address Let twice-nat static mapping pick specific address from the twice-nat pool. Type: improvement Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1 Signed-off-by: Filip Varga --- src/plugins/nat/in2out.c | 8 +- src/plugins/nat/in2out_ed.c | 4 +- src/plugins/nat/nat.api | 41 ++++++++++ src/plugins/nat/nat.c | 61 ++++++++++----- src/plugins/nat/nat.h | 56 ++++++++++---- src/plugins/nat/nat44_cli.c | 22 +++--- src/plugins/nat/nat44_hairpinning.c | 2 +- src/plugins/nat/nat_api.c | 93 ++++++++++++++++++++-- src/plugins/nat/out2in.c | 12 +-- src/plugins/nat/out2in_ed.c | 150 ++++++++++++++++++++++++++++-------- 10 files changed, 354 insertions(+), 95 deletions(-) diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c index 39957259c69..8e2c5fe6756 100644 --- a/src/plugins/nat/in2out.c +++ b/src/plugins/nat/in2out.c @@ -135,7 +135,7 @@ snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node, if (!snat_static_mapping_match (sm, ip0->dst_address, udp0->dst_port, sm->outside_fib_index, proto0, &placeholder_addr, &placeholder_port, - &placeholder_fib_index, 1, 0, 0, 0, 0, 0)) + &placeholder_fib_index, 1, 0, 0, 0, 0, 0, 0)) return 0; } else @@ -274,7 +274,7 @@ slow_path (snat_main_t * sm, vlib_buffer_t * b0, /* First try to match static mapping by local address and port */ if (snat_static_mapping_match (sm, i2o_addr, i2o_port, rx_fib_index0, nat_proto, &sm_addr, - &sm_port, &sm_fib_index, 0, 0, 0, 0, 0, &identity_nat)) + &sm_port, &sm_fib_index, 0, 0, 0, 0, 0, &identity_nat, 0)) { /* Try to create dynamic translation */ if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0, @@ -599,7 +599,7 @@ icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node, if (snat_static_mapping_match (sm, *addr, *port, *fib_index, *proto, &sm_addr, &sm_port, - &sm_fib_index, 0, &is_addr_only, 0, 0, 0, 0)) + &sm_fib_index, 0, &is_addr_only, 0, 0, 0, 0, 0)) { if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0, IP_PROTOCOL_ICMP, @@ -1842,7 +1842,7 @@ VLIB_NODE_FN (snat_in2out_fast_node) (vlib_main_t * vm, if (snat_static_mapping_match (sm, ip0->src_address, udp0->src_port, rx_fib_index0, proto0, - &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0, 0, 0, 0)) + &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0, 0, 0, 0, 0)) { b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION]; next0 = SNAT_IN2OUT_NEXT_DROP; diff --git a/src/plugins/nat/in2out_ed.c b/src/plugins/nat/in2out_ed.c index a1f5e5bbc71..448e967b8ae 100644 --- a/src/plugins/nat/in2out_ed.c +++ b/src/plugins/nat/in2out_ed.c @@ -370,7 +370,7 @@ slow_path_ed (snat_main_t * sm, /* First try to match static mapping by local address and port */ if (snat_static_mapping_match (sm, l_addr, l_port, rx_fib_index, nat_proto, &sm_addr, &sm_port, - &sm_fib_index, 0, 0, 0, &lb, 0, &identity_nat)) + &sm_fib_index, 0, 0, 0, &lb, 0, &identity_nat, 0)) { s = nat_ed_session_alloc (sm, thread_index, now, proto); ASSERT (s); @@ -514,7 +514,7 @@ nat44_ed_not_translate (snat_main_t * sm, vlib_node_runtime_t * node, if (!snat_static_mapping_match (sm, ip->dst_address, udp->dst_port, sm->outside_fib_index, proto, &placeholder_addr, &placeholder_port, &placeholder_fib_index, 1, 0, - 0, 0, 0, 0)) + 0, 0, 0, 0, 0)) return 0; } else diff --git a/src/plugins/nat/nat.api b/src/plugins/nat/nat.api index 8b263d4001d..00e9e71ecc6 100644 --- a/src/plugins/nat/nat.api +++ b/src/plugins/nat/nat.api @@ -684,6 +684,47 @@ autoreply define nat44_add_del_static_mapping { string tag[64]; }; +/** \brief Add/delete NAT44 static mapping + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_add - true if add, false if delete + @param match_pool - true if use specific pool_ip_address + @param flags - flag NAT_IS_ADDR_ONLY if address only mapping, + flag nat_is_twice_nat if nat address range for external hosts, + flag NAT_IS_SELF_TWICE_NAT if translate external host address + and port whenever external host address equals local + address of internal host, + flag NAT_IS_OUT2IN_ONLY if rule match only out2in direction + @param pool_ip_address - pool IPv4 address to match with pool + @param local_ip_address - local IPv4 address + @param external_ip_address - external IPv4 address + @param protocol - IP protocol, used only if addr_only=0 + @param local_port - local port number, used only if addr_only=0 + @param external_port - external port number, used only if addr_only=0 + @param external_sw_if_index - external interface (if set + external_ip_address is ignored, ~0 means not + used) + @param vfr_id - VRF ID + @param tag - opaque string tag +*/ +autoreply define nat44_add_del_static_mapping_v2 { + option status="in_progress"; + u32 client_index; + u32 context; + bool is_add; + bool match_pool; + vl_api_nat_config_flags_t flags; + vl_api_ip4_address_t pool_ip_address; + vl_api_ip4_address_t local_ip_address; + vl_api_ip4_address_t external_ip_address; + u8 protocol; + u16 local_port; + u16 external_port; + vl_api_interface_index_t external_sw_if_index; + u32 vrf_id; + string tag[64]; +}; + /** \brief Dump NAT44 static mappings @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c index 796d9d010d4..61a36ec4e90 100644 --- a/src/plugins/nat/nat.c +++ b/src/plugins/nat/nat.c @@ -692,7 +692,8 @@ snat_add_static_mapping_when_resolved (snat_main_t * sm, nat_protocol_t proto, int addr_only, int is_add, u8 * tag, int twice_nat, int out2in_only, - int identity_nat) + int identity_nat, + ip4_address_t pool_addr, int exact) { snat_static_map_resolve_t *rp; @@ -709,6 +710,8 @@ snat_add_static_mapping_when_resolved (snat_main_t * sm, rp->out2in_only = out2in_only; rp->identity_nat = identity_nat; rp->tag = vec_dup (tag); + rp->pool_addr = pool_addr; + rp->exact = exact; } static u32 @@ -829,7 +832,7 @@ snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr, u16 l_port, u16 e_port, u32 vrf_id, int addr_only, u32 sw_if_index, nat_protocol_t proto, int is_add, twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag, - u8 identity_nat) + u8 identity_nat, ip4_address_t pool_addr, int exact) { snat_main_t *sm = &snat_main; snat_static_mapping_t *m; @@ -891,7 +894,8 @@ snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr, snat_add_static_mapping_when_resolved (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto, - addr_only, is_add, tag, twice_nat, out2in_only, identity_nat); + addr_only, is_add, tag, twice_nat, out2in_only, + identity_nat, pool_addr, exact); /* DHCP resolution required? */ if (first_int_addr == 0) @@ -1046,6 +1050,13 @@ snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr, m->local_addr = l_addr; m->external_addr = e_addr; m->twice_nat = twice_nat; + + if (twice_nat == TWICE_NAT && exact) + { + m->flags |= NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS; + m->pool_addr = pool_addr; + } + if (out2in_only) m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY; if (addr_only) @@ -1673,15 +1684,21 @@ snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm, if (delete_sm) { + ip4_address_t pool_addr = { 0 }; /* *INDENT-OFF* */ pool_foreach (m, sm->static_mappings, ({ if (m->external_addr.as_u32 == addr.as_u32) (void) snat_add_static_mapping (m->local_addr, m->external_addr, m->local_port, m->external_port, - m->vrf_id, is_addr_only_static_mapping(m), ~0, - m->proto, 0, m->twice_nat, - is_out2in_only_static_mapping(m), m->tag, is_identity_static_mapping(m)); + m->vrf_id, + is_addr_only_static_mapping(m), ~0, + m->proto, 0 /* is_add */, + m->twice_nat, + is_out2in_only_static_mapping(m), + m->tag, + is_identity_static_mapping(m), + pool_addr, 0); })); /* *INDENT-ON* */ } @@ -2801,40 +2818,39 @@ snat_static_mapping_match (snat_main_t * sm, u8 * is_addr_only, twice_nat_type_t * twice_nat, lb_nat_type_t * lb, ip4_address_t * ext_host_addr, - u8 * is_identity_nat) + u8 * is_identity_nat, snat_static_mapping_t ** out) { clib_bihash_kv_8_8_t kv, value; + clib_bihash_8_8_t *mapping_hash; snat_static_mapping_t *m; - clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local; u32 rand, lo = 0, hi, mid, *tmp = 0, i; - u8 backend_index; nat44_lb_addr_port_t *local; + u8 backend_index; - if (by_external) + if (!by_external) { - mapping_hash = &sm->static_mapping_by_external; - init_nat_k (&kv, match_addr, match_port, 0, match_protocol); + mapping_hash = &sm->static_mapping_by_local; + init_nat_k (&kv, match_addr, match_port, match_fib_index, + match_protocol); if (clib_bihash_search_8_8 (mapping_hash, &kv, &value)) { /* Try address only mapping */ - init_nat_k (&kv, match_addr, 0, 0, 0); + init_nat_k (&kv, match_addr, 0, match_fib_index, 0); if (clib_bihash_search_8_8 (mapping_hash, &kv, &value)) return 1; } - } else { - init_nat_k (&kv, match_addr, match_port, match_fib_index, - match_protocol); + mapping_hash = &sm->static_mapping_by_external; + init_nat_k (&kv, match_addr, match_port, 0, match_protocol); if (clib_bihash_search_8_8 (mapping_hash, &kv, &value)) { /* Try address only mapping */ - init_nat_k (&kv, match_addr, 0, match_fib_index, 0); + init_nat_k (&kv, match_addr, 0, 0, 0); if (clib_bihash_search_8_8 (mapping_hash, &kv, &value)) return 1; } - } m = pool_elt_at_index (sm->static_mappings, value.value); @@ -2943,6 +2959,9 @@ end: if (PREDICT_FALSE (is_identity_nat != 0)) *is_identity_nat = is_identity_static_mapping (m); + if (out != 0) + *out = m; + return 0; } @@ -4358,7 +4377,8 @@ match: rp->vrf_id, rp->addr_only, ~0 /* sw_if_index */ , rp->proto, !is_delete, rp->twice_nat, - rp->out2in_only, rp->tag, rp->identity_nat); + rp->out2in_only, rp->tag, rp->identity_nat, + rp->pool_addr, rp->exact); if (rv) nat_elog_notice_X1 ("snat_add_static_mapping returned %d", "i4", rv); } @@ -4429,7 +4449,8 @@ match: rp->proto, rp->is_add, rp->twice_nat, rp->out2in_only, rp->tag, - rp->identity_nat); + rp->identity_nat, + rp->pool_addr, rp->exact); if (rv) nat_elog_notice_X1 ("snat_add_static_mapping returned %d", "i4", rv); diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h index 518f2002056..ab699221e69 100644 --- a/src/plugins/nat/nat.h +++ b/src/plugins/nat/nat.h @@ -187,16 +187,18 @@ typedef enum #define SNAT_SESSION_FLAG_FWD_BYPASS 32 #define SNAT_SESSION_FLAG_AFFINITY 64 #define SNAT_SESSION_FLAG_OUTPUT_FEATURE 128 +#define SNAT_SESSION_FLAG_EXACT_ADDRESS 256 /* NAT interface flags */ #define NAT_INTERFACE_FLAG_IS_INSIDE 1 #define NAT_INTERFACE_FLAG_IS_OUTSIDE 2 /* Static mapping flags */ -#define NAT_STATIC_MAPPING_FLAG_ADDR_ONLY 1 -#define NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY 2 -#define NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT 4 -#define NAT_STATIC_MAPPING_FLAG_LB 8 +#define NAT_STATIC_MAPPING_FLAG_ADDR_ONLY 1 +#define NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY 2 +#define NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT 4 +#define NAT_STATIC_MAPPING_FLAG_LB 8 +#define NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS 16 /* *INDENT-OFF* */ typedef CLIB_PACKED(struct @@ -350,6 +352,8 @@ typedef enum typedef struct { + /* prefered pool address */ + ip4_address_t pool_addr; /* local IP address */ ip4_address_t local_addr; /* external IP address */ @@ -388,6 +392,7 @@ typedef struct typedef struct { ip4_address_t l_addr; + ip4_address_t pool_addr; u16 l_port; u16 e_port; u32 sw_if_index; @@ -399,6 +404,7 @@ typedef struct int is_add; int out2in_only; int identity_nat; + int exact; u8 *tag; } snat_static_map_resolve_t; @@ -776,6 +782,12 @@ unformat_function_t unformat_nat_protocol; */ #define is_affinity_sessions(s) (s->flags & SNAT_SESSION_FLAG_AFFINITY) +/** \brief Check if exact pool address should be used. + @param s SNAT session + @return 1 if exact pool address or 0 +*/ +#define is_exact_address_session(s) (s->flags & SNAT_SESSION_FLAG_EXACT_ADDRESS) + /** \brief Check if NAT interface is inside. @param i NAT interface @return 1 if inside interface @@ -818,6 +830,12 @@ unformat_function_t unformat_nat_protocol; */ #define is_lb_static_mapping(sm) (sm->flags & NAT_STATIC_MAPPING_FLAG_LB) +/** \brief Check if exact pool address should be used. + @param s SNAT session + @return 1 if exact pool address or 0 +*/ +#define is_exact_address(s) (s->flags & NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS) + /** \brief Check if client initiating TCP connection (received SYN from client) @param t TCP header @return 1 if client initiating TCP connection @@ -1138,6 +1156,8 @@ void nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add); * @param out2in_only if 1 rule match only out2in direction * @param tag opaque string tag * @param identity_nat identity NAT + * @param pool_addr pool IPv4 address + * @param exact 1 = exact pool address * * @return 0 on success, non-zero value otherwise */ @@ -1146,7 +1166,8 @@ int snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr, int addr_only, u32 sw_if_index, nat_protocol_t proto, int is_add, twice_nat_type_t twice_nat, u8 out2in_only, - u8 * tag, u8 identity_nat); + u8 * tag, u8 identity_nat, + ip4_address_t pool_addr, int exact); /** * @brief Add/delete static mapping with load-balancing (multiple backends) @@ -1394,16 +1415,18 @@ void expire_per_vrf_sessions (u32 fib_index); /** * @brief Match NAT44 static mapping. * - * @param key address and port to match - * @param addr external/local address of the matched mapping - * @param port port of the matched mapping - * @param fib_index fib index of the matched mapping - * @param by_external if 0 match by local address otherwise match by external - * address - * @param is_addr_only 1 if matched mapping is address only - * @param twice_nat matched mapping is twice NAT type - * @param lb 1 if matched mapping is load-balanced - * @param ext_host_addr external host address + * @param key address and port to match + * @param addr external/local address of the matched mapping + * @param port port of the matched mapping + * @param fib_index fib index of the matched mapping + * @param by_external if 0 match by local address otherwise match by external + * address + * @param is_addr_only 1 if matched mapping is address only + * @param twice_nat matched mapping is twice NAT type + * @param lb 1 if matched mapping is load-balanced + * @param ext_host_addr external host address + * @param is_identity_nat 1 if indentity mapping + * @param out if !=0 set to pointer of the mapping structure * * @returns 0 if match found otherwise 1. */ @@ -1420,7 +1443,8 @@ int snat_static_mapping_match (snat_main_t * sm, twice_nat_type_t * twice_nat, lb_nat_type_t * lb, ip4_address_t * ext_host_addr, - u8 * is_identity_nat); + u8 * is_identity_nat, + snat_static_mapping_t ** out); /** * @brief Add/del NAT address to FIB. diff --git a/src/plugins/nat/nat44_cli.c b/src/plugins/nat/nat44_cli.c index 65f40753a3f..f61ce2c2ab7 100644 --- a/src/plugins/nat/nat44_cli.c +++ b/src/plugins/nat/nat44_cli.c @@ -980,13 +980,11 @@ add_static_mapping_command_fn (vlib_main_t * vm, { unformat_input_t _line_input, *line_input = &_line_input; clib_error_t *error = 0; - ip4_address_t l_addr, e_addr; + ip4_address_t l_addr, e_addr, exact_addr; u32 l_port = 0, e_port = 0, vrf_id = ~0; - int is_add = 1; - int addr_only = 1; + int is_add = 1, addr_only = 1, rv, exact = 0; u32 sw_if_index = ~0; vnet_main_t *vnm = vnet_get_main (); - int rv; nat_protocol_t proto = NAT_PROTOCOL_OTHER; u8 proto_set = 0; twice_nat_type_t twice_nat = TWICE_NAT_DISABLED; @@ -1014,10 +1012,12 @@ add_static_mapping_command_fn (vlib_main_t * vm, unformat_vnet_sw_interface, vnm, &sw_if_index, &e_port)) addr_only = 0; - else if (unformat (line_input, "external %U", unformat_vnet_sw_interface, vnm, &sw_if_index)) ; + else if (unformat (line_input, "exact %U", unformat_ip4_address, + &exact_addr)) + exact = 1; else if (unformat (line_input, "vrf %u", &vrf_id)) ; else if (unformat (line_input, "%U", unformat_nat_protocol, &proto)) @@ -1063,7 +1063,8 @@ add_static_mapping_command_fn (vlib_main_t * vm, rv = snat_add_static_mapping (l_addr, e_addr, clib_host_to_net_u16 (l_port), clib_host_to_net_u16 (e_port), vrf_id, addr_only, sw_if_index, proto, is_add, - twice_nat, out2in_only, 0, 0); + twice_nat, out2in_only, 0, 0, exact_addr, + exact); switch (rv) { @@ -1104,7 +1105,7 @@ add_identity_mapping_command_fn (vlib_main_t * vm, { unformat_input_t _line_input, *line_input = &_line_input; clib_error_t *error = 0; - ip4_address_t addr; + ip4_address_t addr, pool_addr = { 0 }; u32 port = 0, vrf_id = ~0; int is_add = 1; int addr_only = 1; @@ -1144,7 +1145,8 @@ add_identity_mapping_command_fn (vlib_main_t * vm, rv = snat_add_static_mapping (addr, addr, clib_host_to_net_u16 (port), clib_host_to_net_u16 (port), vrf_id, addr_only, - sw_if_index, proto, is_add, 0, 0, 0, 1); + sw_if_index, proto, is_add, 0, 0, 0, 1, + pool_addr, 0); switch (rv) { @@ -2254,6 +2256,8 @@ VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = { * To create ICMP static mapping between local and external with ICMP echo * identifier 10 use: * vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10 + * To force use of specific pool address, vrf independent + * vpp# nat44 add static mapping local 10.0.0.2 1234 external 10.0.2.2 1234 twice-nat exact 10.0.1.2 * @cliexend ?*/ VLIB_CLI_COMMAND (add_static_mapping_command, static) = { @@ -2262,7 +2266,7 @@ VLIB_CLI_COMMAND (add_static_mapping_command, static) = { .short_help = "nat44 add static mapping tcp|udp|icmp local [] " "external [] [vrf ] [twice-nat|self-twice-nat] " - "[out2in-only] [del]", + "[out2in-only] [exact ] [del]", }; /*? diff --git a/src/plugins/nat/nat44_hairpinning.c b/src/plugins/nat/nat44_hairpinning.c index 45444c58a73..9eadcf30832 100644 --- a/src/plugins/nat/nat44_hairpinning.c +++ b/src/plugins/nat/nat44_hairpinning.c @@ -111,7 +111,7 @@ snat_hairpinning (vlib_main_t * vm, vlib_node_runtime_t * node, /* Check if destination is static mappings */ if (!snat_static_mapping_match (sm, ip0->dst_address, udp0->dst_port, sm->outside_fib_index, proto0, - &sm0_addr, &sm0_port, &sm0_fib_index, 1, 0, 0, 0, 0, 0)) + &sm0_addr, &sm0_port, &sm0_fib_index, 1, 0, 0, 0, 0, 0, 0)) { new_dst_addr0 = sm0_addr.as_u32; new_dst_port0 = sm0_port; diff --git a/src/plugins/nat/nat_api.c b/src/plugins/nat/nat_api.c index ad67375fb7a..bbb1645b5e3 100644 --- a/src/plugins/nat/nat_api.c +++ b/src/plugins/nat/nat_api.c @@ -1105,7 +1105,7 @@ static void { snat_main_t *sm = &snat_main; vl_api_nat44_add_del_static_mapping_reply_t *rmp; - ip4_address_t local_addr, external_addr; + ip4_address_t local_addr, external_addr, pool_addr = { 0 }; u16 local_port = 0, external_port = 0; u32 vrf_id, external_sw_if_index; twice_nat_type_t twice_nat = TWICE_NAT_DISABLED; @@ -1139,12 +1139,61 @@ static void mp->flags & NAT_API_IS_ADDR_ONLY, external_sw_if_index, proto, mp->is_add, twice_nat, - mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0); + mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0, + pool_addr, 0); vec_free (tag); REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_REPLY); } +static void + vl_api_nat44_add_del_static_mapping_v2_t_handler + (vl_api_nat44_add_del_static_mapping_v2_t * mp) +{ + snat_main_t *sm = &snat_main; + vl_api_nat44_add_del_static_mapping_v2_reply_t *rmp; + ip4_address_t local_addr, external_addr, pool_addr; + u16 local_port = 0, external_port = 0; + u32 vrf_id, external_sw_if_index; + twice_nat_type_t twice_nat = TWICE_NAT_DISABLED; + int rv = 0; + nat_protocol_t proto; + u8 *tag = 0; + + memcpy (&pool_addr.as_u8, mp->pool_ip_address, 4); + memcpy (&local_addr.as_u8, mp->local_ip_address, 4); + memcpy (&external_addr.as_u8, mp->external_ip_address, 4); + + if (!(mp->flags & NAT_API_IS_ADDR_ONLY)) + { + local_port = mp->local_port; + external_port = mp->external_port; + } + + vrf_id = clib_net_to_host_u32 (mp->vrf_id); + external_sw_if_index = clib_net_to_host_u32 (mp->external_sw_if_index); + proto = ip_proto_to_nat_proto (mp->protocol); + + if (mp->flags & NAT_API_IS_TWICE_NAT) + twice_nat = TWICE_NAT; + else if (mp->flags & NAT_API_IS_SELF_TWICE_NAT) + twice_nat = TWICE_NAT_SELF; + mp->tag[sizeof (mp->tag) - 1] = 0; + tag = format (0, "%s", mp->tag); + vec_terminate_c_string (tag); + + rv = snat_add_static_mapping (local_addr, external_addr, local_port, + external_port, vrf_id, + mp->flags & NAT_API_IS_ADDR_ONLY, + external_sw_if_index, proto, + mp->is_add, twice_nat, + mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0, + pool_addr, mp->match_pool); + vec_free (tag); + + REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_V2_REPLY); +} + static void *vl_api_nat44_add_del_static_mapping_t_print (vl_api_nat44_add_del_static_mapping_t * mp, void *handle) { @@ -1174,6 +1223,39 @@ static void *vl_api_nat44_add_del_static_mapping_t_print FINISH; } +static void *vl_api_nat44_add_del_static_mapping_v2_t_print + (vl_api_nat44_add_del_static_mapping_v2_t * mp, void *handle) +{ + u8 *s; + + s = format (0, "SCRIPT: nat44_add_del_static_mapping_v2 "); + s = format (s, "protocol %d local_addr %U external_addr %U ", + mp->protocol, + format_ip4_address, mp->local_ip_address, + format_ip4_address, mp->external_ip_address); + + if (!(mp->flags & NAT_API_IS_ADDR_ONLY)) + s = format (s, "local_port %d external_port %d ", + clib_net_to_host_u16 (mp->local_port), + clib_net_to_host_u16 (mp->external_port)); + + s = format (s, "twice_nat %d out2in_only %d ", + mp->flags & NAT_API_IS_TWICE_NAT, + mp->flags & NAT_API_IS_OUT2IN_ONLY); + + if (mp->vrf_id != ~0) + s = format (s, "vrf %d", clib_net_to_host_u32 (mp->vrf_id)); + + if (mp->external_sw_if_index != ~0) + s = format (s, "external_sw_if_index %d", + clib_net_to_host_u32 (mp->external_sw_if_index)); + if (mp->match_pool) + s = format (s, "match pool address %U", + format_ip4_address, mp->pool_ip_address); + + FINISH; +} + static void send_nat44_static_mapping_details (snat_static_mapping_t * m, vl_api_registration_t * reg, u32 context) @@ -1301,7 +1383,7 @@ static void { snat_main_t *sm = &snat_main; vl_api_nat44_add_del_identity_mapping_reply_t *rmp; - ip4_address_t addr; + ip4_address_t addr, pool_addr = { 0 }; u16 port = 0; u32 vrf_id, sw_if_index; int rv = 0; @@ -1326,7 +1408,7 @@ static void rv = snat_add_static_mapping (addr, addr, port, port, vrf_id, mp->flags & NAT_API_IS_ADDR_ONLY, sw_if_index, - proto, mp->is_add, 0, 0, tag, 1); + proto, mp->is_add, 0, 0, tag, 1, pool_addr, 0); vec_free (tag); REPLY_MACRO (VL_API_NAT44_ADD_DEL_IDENTITY_MAPPING_REPLY); @@ -2047,7 +2129,7 @@ vl_api_nat44_del_session_t_print (vl_api_nat44_del_session_t * mp, { u8 *s; - s = format (0, "SCRIPT: nat44_add_del_static_mapping "); + s = format (0, "SCRIPT: nat44_add_del_session "); s = format (s, "addr %U port %d protocol %d vrf_id %d is_in %d", format_ip4_address, mp->address, clib_net_to_host_u16 (mp->port), @@ -2663,6 +2745,7 @@ _(NAT_HA_RESYNC, nat_ha_resync) \ _(NAT44_ADD_DEL_ADDRESS_RANGE, nat44_add_del_address_range) \ _(NAT44_INTERFACE_ADD_DEL_FEATURE, nat44_interface_add_del_feature) \ _(NAT44_ADD_DEL_STATIC_MAPPING, nat44_add_del_static_mapping) \ +_(NAT44_ADD_DEL_STATIC_MAPPING_V2, nat44_add_del_static_mapping_v2) \ _(NAT44_ADD_DEL_IDENTITY_MAPPING, nat44_add_del_identity_mapping) \ _(NAT44_STATIC_MAPPING_DUMP, nat44_static_mapping_dump) \ _(NAT44_IDENTITY_MAPPING_DUMP, nat44_identity_mapping_dump) \ diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c index 5684a93b2a5..c17f0e233d6 100644 --- a/src/plugins/nat/out2in.c +++ b/src/plugins/nat/out2in.c @@ -359,7 +359,7 @@ icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node, if (snat_static_mapping_match (sm, *addr, *port, *fib_index, *proto, &mapping_addr, &mapping_port, &mapping_fib_index, 1, &is_addr_only, - 0, 0, 0, &identity_nat)) + 0, 0, 0, &identity_nat, 0)) { if (!sm->forwarding_enabled) { @@ -485,7 +485,7 @@ icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node, } if (snat_static_mapping_match (sm, addr, port, rx_fib_index0, *proto, mapping_addr, mapping_port, - mapping_fib_index, 1, &is_addr_only, 0, 0, 0, 0)) + mapping_fib_index, 1, &is_addr_only, 0, 0, 0, 0, 0)) { /* Don't NAT packet aimed at the intfc address */ if (is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32)) @@ -835,7 +835,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm, (sm, ip0->dst_address, vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0, proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, - 0, &identity_nat0)) + 0, &identity_nat0, 0)) { /* * Send DHCP packets to the ipv4 stack, or we won't @@ -1017,7 +1017,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm, (sm, ip1->dst_address, vnet_buffer (b1)->ip.reass.l4_dst_port, proto1, rx_fib_index1, &sm_addr1, &sm_port1, &sm_fib_index1, 1, 0, - 0, 0, 0, &identity_nat1)) + 0, 0, 0, &identity_nat1, 0)) { /* * Send DHCP packets to the ipv4 stack, or we won't @@ -1236,7 +1236,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm, (sm, ip0->dst_address, vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0, proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, - 0, &identity_nat0)) + 0, &identity_nat0, 0)) { /* * Send DHCP packets to the ipv4 stack, or we won't @@ -1462,7 +1462,7 @@ VLIB_NODE_FN (snat_out2in_fast_node) (vlib_main_t * vm, if (snat_static_mapping_match (sm, ip0->dst_address, udp0->dst_port, rx_fib_index0, proto0, - &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, 0, 0)) + &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, 0, 0, 0)) { b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; goto trace00; diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c index 9868fe751f2..8eef1e43535 100644 --- a/src/plugins/nat/out2in_ed.c +++ b/src/plugins/nat/out2in_ed.c @@ -190,6 +190,52 @@ nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg) } #endif +// allocate exact address based on preference +static_always_inline int +nat_alloc_addr_and_port_exact (snat_address_t * a, + u32 thread_index, + nat_protocol_t proto, + ip4_address_t * addr, + u16 * port, + u16 port_per_thread, u32 snat_thread_index) +{ + u32 portnum; + + switch (proto) + { +#define _(N, j, n, s) \ + case NAT_PROTOCOL_##N: \ + if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \ + { \ + while (1) \ + { \ + portnum = (port_per_thread * \ + snat_thread_index) + \ + snat_random_port(0, port_per_thread - 1) + 1024; \ + if (a->busy_##n##_port_refcounts[portnum]) \ + continue; \ + --a->busy_##n##_port_refcounts[portnum]; \ + a->busy_##n##_ports_per_thread[thread_index]++; \ + a->busy_##n##_ports++; \ + *addr = a->addr; \ + *port = clib_host_to_net_u16(portnum); \ + return 0; \ + } \ + } \ + break; + foreach_nat_protocol +#undef _ + default: + nat_elog_info ("unknown protocol"); + return 1; + } + + /* Totally out of translations to use... */ + snat_ipfix_logging_addresses_exhausted (thread_index, 0); + return 1; +} + + static snat_session_t * create_session_for_static_mapping_ed (snat_main_t * sm, vlib_buffer_t * b, @@ -204,7 +250,8 @@ create_session_for_static_mapping_ed (snat_main_t * sm, u32 rx_fib_index, u32 thread_index, twice_nat_type_t twice_nat, - lb_nat_type_t lb_nat, f64 now) + lb_nat_type_t lb_nat, f64 now, + snat_static_mapping_t * mapping) { snat_session_t *s; ip4_header_t *ip; @@ -261,13 +308,46 @@ create_session_for_static_mapping_ed (snat_main_t * sm, if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF && ip->src_address.as_u32 == i2o_addr.as_u32)) { - if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0, - thread_index, - nat_proto, - &s->ext_host_nat_addr, - &s->ext_host_nat_port, - sm->port_per_thread, - tsm->snat_thread_index)) + int rc = 0; + snat_address_t *filter = 0; + + // if exact address is specified use this address + if (is_exact_address (mapping)) + { + snat_address_t *ap; + vec_foreach (ap, sm->twice_nat_addresses) + { + if (mapping->pool_addr.as_u32 == ap->addr.as_u32) + { + filter = ap; + break; + } + } + } + + if (filter) + { + rc = nat_alloc_addr_and_port_exact (filter, + thread_index, + nat_proto, + &s->ext_host_nat_addr, + &s->ext_host_nat_port, + sm->port_per_thread, + tsm->snat_thread_index); + s->flags |= SNAT_SESSION_FLAG_EXACT_ADDRESS; + } + else + { + rc = + snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0, + thread_index, nat_proto, + &s->ext_host_nat_addr, + &s->ext_host_nat_port, + sm->port_per_thread, + tsm->snat_thread_index); + } + + if (rc) { b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS]; nat_ed_session_delete (sm, s, thread_index, 1); @@ -275,6 +355,7 @@ create_session_for_static_mapping_ed (snat_main_t * sm, nat_elog_notice ("out2in-ed key del failed"); return 0; } + s->flags |= SNAT_SESSION_FLAG_TWICE_NAT; init_ed_kv (&kv, i2o_addr, i2o_port, s->ext_host_nat_addr, s->ext_host_nat_port, i2o_fib_index, ip->protocol, @@ -459,6 +540,7 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, u16 sm_port; u32 sm_fib_index; *dont_translate = 0; + snat_static_mapping_t *m; sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX]; rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index); @@ -473,12 +555,12 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, if (clib_bihash_search_16_8 (&sm->out2in_ed, &kv, &value)) { - /* Try to match static mapping */ if (snat_static_mapping_match (sm, ip->dst_address, l_port, rx_fib_index, ip_proto_to_nat_proto (ip->protocol), &sm_addr, &sm_port, - &sm_fib_index, 1, &is_addr_only, 0, 0, 0, &identity_nat)) + &sm_fib_index, 1, &is_addr_only, 0, 0, 0, &identity_nat, &m)) { + // static mapping not matched if (!sm->forwarding_enabled) { /* Don't NAT packet aimed at the intfc address */ @@ -486,11 +568,12 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, ip->dst_address.as_u32))) { *dont_translate = 1; - goto out; } - b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; - next = NAT_NEXT_DROP; - goto out; + else + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + next = NAT_NEXT_DROP; + } } else { @@ -499,14 +582,17 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, thread_index, rx_fib_index)) { next = NAT_NEXT_IN2OUT_ED_FAST_PATH; - goto out; } - if (sm->num_workers > 1) - create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index); else - create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index); - goto out; + { + if (sm->num_workers > 1) + create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index); + else + create_bypass_for_fwd (sm, b, ip, rx_fib_index, + thread_index); + } } + goto out; } if (PREDICT_FALSE @@ -533,13 +619,9 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, l_port, rx_fib_index, *proto, node, rx_fib_index, thread_index, 0, 0, - vlib_time_now (vm)); - + vlib_time_now (vm), m); if (!s) - { - next = NAT_NEXT_DROP; - goto out; - } + next = NAT_NEXT_DROP; } else { @@ -978,6 +1060,7 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm, f64 now = vlib_time_now (vm); u32 thread_index = vm->thread_index; snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + snat_static_mapping_t *m; from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; @@ -1087,7 +1170,7 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm, (sm, ip0->dst_address, vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0, proto0, &sm_addr, &sm_port, &sm_fib_index, 1, 0, - &twice_nat0, &lb_nat0, &ip0->src_address, &identity_nat0)) + &twice_nat0, &lb_nat0, &ip0->src_address, &identity_nat0, &m)) { /* * Send DHCP packets to the ipv4 stack, or we won't @@ -1115,13 +1198,16 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm, thread_index, rx_fib_index0)) { next[0] = NAT_NEXT_IN2OUT_ED_FAST_PATH; - goto trace0; } - if (sm->num_workers > 1) - create_bypass_for_fwd_worker (sm, b0, ip0, rx_fib_index0); else - create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0, - thread_index); + { + if (sm->num_workers > 1) + create_bypass_for_fwd_worker (sm, b0, ip0, + rx_fib_index0); + else + create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0, + thread_index); + } } goto trace0; } @@ -1148,7 +1234,7 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm, rx_fib_index0, proto0, node, rx_fib_index0, thread_index, twice_nat0, - lb_nat0, now); + lb_nat0, now, m); if (!s0) { next[0] = NAT_NEXT_DROP; -- 2.16.6