summaryrefslogtreecommitdiffstats
path: root/src/plugins/cnat/cnat_snat.c
diff options
context:
space:
mode:
authorNathan Skrzypczak <nathan.skrzypczak@gmail.com>2021-02-25 17:39:03 +0100
committerDave Barach <openvpp@barachs.net>2021-03-04 12:35:15 +0000
commit3fd77f7dea1ac91c5b4c9ede69b992a4e2243153 (patch)
tree21550f5d6e28f55f4e64ee1ddb7697c9e261dd85 /src/plugins/cnat/cnat_snat.c
parent8786a4cd4a62f2817da7060afd8523857f504912 (diff)
cnat: Prepare extended snat policies
Type: refactor Change-Id: I9ca3333274d6f32b6aff57f0fb3d2049c066337a Signed-off-by: Nathan Skrzypczak <nathan.skrzypczak@gmail.com>
Diffstat (limited to 'src/plugins/cnat/cnat_snat.c')
-rw-r--r--src/plugins/cnat/cnat_snat.c377
1 files changed, 0 insertions, 377 deletions
diff --git a/src/plugins/cnat/cnat_snat.c b/src/plugins/cnat/cnat_snat.c
deleted file mode 100644
index b063715d585..00000000000
--- a/src/plugins/cnat/cnat_snat.c
+++ /dev/null
@@ -1,377 +0,0 @@
-/*
- * Copyright (c) 2020 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <vnet/ip/ip.h>
-#include <cnat/cnat_snat.h>
-#include <cnat/cnat_translation.h>
-
-cnat_snat_policy_main_t cnat_snat_policy_main;
-
-void
-cnat_set_snat_policy (cnat_snat_policy_t fp)
-{
- cnat_snat_policy_main.snat_policy = fp;
-}
-
-static clib_error_t *
-cnat_snat_policy_cmd (vlib_main_t *vm, unformat_input_t *input,
- vlib_cli_command_t *cmd)
-{
- cnat_snat_policy_t fp = NULL;
-
- while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (input, "none"))
- ;
- else
- return clib_error_return (0, "unknown input '%U'",
- format_unformat_error, input);
- }
-
- cnat_set_snat_policy (fp);
- return NULL;
-}
-
-VLIB_CLI_COMMAND (cnat_snat_policy_command, static) = {
- .path = "cnat set snat policy",
- .short_help = "cnat set snat policy {none,k8s}",
- .function = cnat_snat_policy_cmd,
-};
-
-static clib_error_t *
-show_cnat_snat_policy_cmd (vlib_main_t *vm, unformat_input_t *input,
- vlib_cli_command_t *cmd)
-{
- u8 *s = format (NULL, "snat policy: ");
- if (cnat_snat_policy_main.snat_policy == NULL)
- s = format (s, "none");
- else
- s = format (s, "unknown (%x)", cnat_snat_policy_main.snat_policy);
-
- vlib_cli_output (vm, (char *) s);
- return NULL;
-}
-
-VLIB_CLI_COMMAND (show_cnat_snat_policy_command, static) = {
- .path = "show cnat snat policy",
- .short_help = "show cnat snat policy",
- .function = show_cnat_snat_policy_cmd,
-};
-
-static void
-cnat_compute_prefix_lengths_in_search_order (cnat_snat_pfx_table_t *
- table, ip_address_family_t af)
-{
- int i;
- vec_reset_length (table->meta[af].prefix_lengths_in_search_order);
- /* Note: bitmap reversed so this is in fact a longest prefix match */
- clib_bitmap_foreach (i, table->meta[af].non_empty_dst_address_length_bitmap)
- {
- int dst_address_length = 128 - i;
- vec_add1 (table->meta[af].prefix_lengths_in_search_order, dst_address_length);
- }
-}
-
-int
-cnat_add_snat_prefix (ip_prefix_t * pfx)
-{
- /* All packets destined to this prefix won't be source-NAT-ed */
- cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
- clib_bihash_kv_24_8_t kv;
- ip6_address_t *mask;
- u64 af = ip_prefix_version (pfx);;
-
- mask = &table->ip_masks[pfx->len];
- if (AF_IP4 == af)
- {
- kv.key[0] = (u64) ip_prefix_v4 (pfx).as_u32 & mask->as_u64[0];
- kv.key[1] = 0;
- }
- else
- {
- kv.key[0] = ip_prefix_v6 (pfx).as_u64[0] & mask->as_u64[0];
- kv.key[1] = ip_prefix_v6 (pfx).as_u64[1] & mask->as_u64[1];
- }
- kv.key[2] = ((u64) af << 32) | pfx->len;
- clib_bihash_add_del_24_8 (&table->ip_hash, &kv, 1 /* is_add */ );
-
- table->meta[af].dst_address_length_refcounts[pfx->len]++;
- table->meta[af].non_empty_dst_address_length_bitmap =
- clib_bitmap_set (table->meta[af].non_empty_dst_address_length_bitmap,
- 128 - pfx->len, 1);
- cnat_compute_prefix_lengths_in_search_order (table, af);
- return 0;
-}
-
-int
-cnat_del_snat_prefix (ip_prefix_t * pfx)
-{
- cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
- clib_bihash_kv_24_8_t kv, val;
- ip6_address_t *mask;
- u64 af = ip_prefix_version (pfx);;
-
- mask = &table->ip_masks[pfx->len];
- if (AF_IP4 == af)
- {
- kv.key[0] = (u64) ip_prefix_v4 (pfx).as_u32 & mask->as_u64[0];
- kv.key[1] = 0;
- }
- else
- {
- kv.key[0] = ip_prefix_v6 (pfx).as_u64[0] & mask->as_u64[0];
- kv.key[1] = ip_prefix_v6 (pfx).as_u64[1] & mask->as_u64[1];
- }
- kv.key[2] = ((u64) af << 32) | pfx->len;
-
- if (clib_bihash_search_24_8 (&table->ip_hash, &kv, &val))
- {
- return 1;
- }
- clib_bihash_add_del_24_8 (&table->ip_hash, &kv, 0 /* is_add */ );
- /* refcount accounting */
- ASSERT (table->meta[af].dst_address_length_refcounts[pfx->len] > 0);
- if (--table->meta[af].dst_address_length_refcounts[pfx->len] == 0)
- {
- table->meta[af].non_empty_dst_address_length_bitmap =
- clib_bitmap_set (table->meta[af].non_empty_dst_address_length_bitmap,
- 128 - pfx->len, 0);
- cnat_compute_prefix_lengths_in_search_order (table, af);
- }
- return 0;
-}
-
-int
-cnat_search_snat_prefix (ip46_address_t * addr, ip_address_family_t af)
-{
- /* Returns 0 if addr matches any of the listed prefixes */
- cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
- clib_bihash_kv_24_8_t kv, val;
- int i, n_p, rv;
- n_p = vec_len (table->meta[af].prefix_lengths_in_search_order);
- if (AF_IP4 == af)
- {
- kv.key[0] = addr->ip4.as_u32;
- kv.key[1] = 0;
- }
- else
- {
- kv.key[0] = addr->as_u64[0];
- kv.key[1] = addr->as_u64[1];
- }
-
- /*
- * start search from a mask length same length or shorter.
- * we don't want matches longer than the mask passed
- */
- i = 0;
- for (; i < n_p; i++)
- {
- int dst_address_length =
- table->meta[af].prefix_lengths_in_search_order[i];
- ip6_address_t *mask = &table->ip_masks[dst_address_length];
-
- ASSERT (dst_address_length >= 0 && dst_address_length <= 128);
- /* As lengths are decreasing, masks are increasingly specific. */
- kv.key[0] &= mask->as_u64[0];
- kv.key[1] &= mask->as_u64[1];
- kv.key[2] = ((u64) af << 32) | dst_address_length;
- rv = clib_bihash_search_inline_2_24_8 (&table->ip_hash, &kv, &val);
- if (rv == 0)
- return 0;
- }
- return -1;
-}
-
-u8 *
-format_cnat_snat_prefix (u8 * s, va_list * args)
-{
- clib_bihash_kv_24_8_t *kv = va_arg (*args, clib_bihash_kv_24_8_t *);
- CLIB_UNUSED (int verbose) = va_arg (*args, int);
- u32 af = kv->key[2] >> 32;
- u32 len = kv->key[2] & 0xffffffff;
- if (AF_IP4 == af)
- s = format (s, "%U/%d", format_ip4_address, &kv->key[0], len);
- else
- s = format (s, "%U/%d", format_ip6_address, &kv->key[0], len);
- return (s);
-}
-
-void
-cnat_set_snat (ip4_address_t * ip4, ip6_address_t * ip6, u32 sw_if_index)
-{
- cnat_lazy_init ();
-
- cnat_translation_unwatch_addr (INDEX_INVALID, CNAT_RESOLV_ADDR_SNAT);
-
- ip_address_set (&cnat_main.snat_ip4.ce_ip, ip4, AF_IP4);
- ip_address_set (&cnat_main.snat_ip6.ce_ip, ip6, AF_IP6);
- cnat_main.snat_ip4.ce_sw_if_index = sw_if_index;
- cnat_main.snat_ip6.ce_sw_if_index = sw_if_index;
-
- cnat_resolve_ep (&cnat_main.snat_ip4);
- cnat_resolve_ep (&cnat_main.snat_ip6);
- cnat_translation_watch_addr (INDEX_INVALID, 0, &cnat_main.snat_ip4,
- CNAT_RESOLV_ADDR_SNAT);
- cnat_translation_watch_addr (INDEX_INVALID, 0, &cnat_main.snat_ip6,
- CNAT_RESOLV_ADDR_SNAT);
-}
-
-static clib_error_t *
-cnat_set_snat_cli (vlib_main_t * vm,
- unformat_input_t * input, vlib_cli_command_t * cmd)
-{
- unformat_input_t _line_input, *line_input = &_line_input;
- vnet_main_t *vnm = vnet_get_main ();
- ip4_address_t ip4 = { {0} };
- ip6_address_t ip6 = { {0} };
- clib_error_t *e = 0;
- u32 sw_if_index = INDEX_INVALID;
-
- cnat_lazy_init ();
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat_user (line_input, unformat_ip4_address, &ip4))
- ;
- else if (unformat_user (line_input, unformat_ip6_address, &ip6))
- ;
- else if (unformat_user (line_input, unformat_vnet_sw_interface,
- vnm, &sw_if_index))
- ;
- else
- {
- e = clib_error_return (0, "unknown input '%U'",
- format_unformat_error, input);
- goto done;
- }
- }
-
- cnat_set_snat (&ip4, &ip6, sw_if_index);
-
-done:
- unformat_free (line_input);
-
- return (e);
-}
-
-VLIB_CLI_COMMAND (cnat_set_snat_command, static) =
-{
- .path = "cnat snat with",
- .short_help = "cnat snat with [<ip4-address>][<ip6-address>][sw_if_index]",
- .function = cnat_set_snat_cli,
-};
-
-static clib_error_t *
-cnat_snat_exclude (vlib_main_t * vm,
- unformat_input_t * input, vlib_cli_command_t * cmd)
-{
- ip_prefix_t pfx;
- u8 is_add = 1;
- int rv;
-
- while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (input, "%U", unformat_ip_prefix, &pfx))
- ;
- else if (unformat (input, "del"))
- is_add = 0;
- else
- return (clib_error_return (0, "unknown input '%U'",
- format_unformat_error, input));
- }
-
- if (is_add)
- rv = cnat_add_snat_prefix (&pfx);
- else
- rv = cnat_del_snat_prefix (&pfx);
-
- if (rv)
- {
- return (clib_error_return (0, "error %d", rv, input));
- }
-
- return (NULL);
-}
-
-VLIB_CLI_COMMAND (cnat_snat_exclude_command, static) =
-{
- .path = "cnat snat exclude",
- .short_help = "cnat snat exclude [ip]",
- .function = cnat_snat_exclude,
-};
-
-static clib_error_t *
-cnat_show_snat (vlib_main_t * vm,
- unformat_input_t * input, vlib_cli_command_t * cmd)
-{
- cnat_snat_pfx_table_t *table = &cnat_main.snat_pfx_table;
- vlib_cli_output (vm, "Source NAT\nip4: %U\nip6: %U\n",
- format_cnat_endpoint, &cnat_main.snat_ip4,
- format_cnat_endpoint, &cnat_main.snat_ip6);
- vlib_cli_output (vm, "Prefixes:\n%U\n",
- format_bihash_24_8, &table->ip_hash, 1);
- return (NULL);
-}
-
-VLIB_CLI_COMMAND (cnat_show_snat_command, static) =
-{
- .path = "show cnat snat",
- .short_help = "show cnat snat",
- .function = cnat_show_snat,
-};
-
-static clib_error_t *
-cnat_snat_init (vlib_main_t * vm)
-{
- cnat_main_t *cm = &cnat_main;
- cnat_snat_pfx_table_t *table = &cm->snat_pfx_table;
- int i;
- for (i = 0; i < ARRAY_LEN (table->ip_masks); i++)
- {
- u32 j, i0, i1;
-
- i0 = i / 32;
- i1 = i % 32;
-
- for (j = 0; j < i0; j++)
- table->ip_masks[i].as_u32[j] = ~0;
-
- if (i1)
- table->ip_masks[i].as_u32[i0] =
- clib_host_to_net_u32 (pow2_mask (i1) << (32 - i1));
- }
- clib_bihash_init_24_8 (&table->ip_hash, "snat prefixes",
- cm->snat_hash_buckets, cm->snat_hash_memory);
- clib_bihash_set_kvp_format_fn_24_8 (&table->ip_hash,
- format_cnat_snat_prefix);
-
- return (NULL);
-}
-
-VLIB_INIT_FUNCTION (cnat_snat_init);
-
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */