aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat/det44/det44.h
diff options
context:
space:
mode:
authorFilip Varga <fivarga@cisco.com>2020-07-21 10:27:39 +0200
committerOle Trøan <otroan@employees.org>2020-08-13 10:06:33 +0000
commit603e75465899385a95350f3c96499050f7f960a5 (patch)
treef7a7130769ea795c1c3460db3aea99a49a309b13 /src/plugins/nat/det44/det44.h
parentde118da58e80aec43f4b816a1ea957634a8bc07c (diff)
nat: move deterministic nat to det44 sub feature
Type: refactor Change-Id: I0bb203102a0e13dd7448e2125925ab356bbd7937 Signed-off-by: Filip Varga <fivarga@cisco.com>
Diffstat (limited to 'src/plugins/nat/det44/det44.h')
-rw-r--r--src/plugins/nat/det44/det44.h449
1 files changed, 449 insertions, 0 deletions
diff --git a/src/plugins/nat/det44/det44.h b/src/plugins/nat/det44/det44.h
new file mode 100644
index 00000000000..3ddba6d1405
--- /dev/null
+++ b/src/plugins/nat/det44/det44.h
@@ -0,0 +1,449 @@
+/*
+ * det44.h - deterministic NAT definitions
+ *
+ * Copyright (c) 2020 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file
+ * @brief Deterministic NAT (CGN) definitions
+ */
+
+#ifndef __included_det44_h__
+#define __included_det44_h__
+
+#include <vnet/vnet.h>
+#include <vnet/ip/ip.h>
+#include <vnet/ethernet/ethernet.h>
+#include <vnet/ip/icmp46_packet.h>
+#include <vnet/api_errno.h>
+#include <vnet/fib/fib_source.h>
+#include <vppinfra/dlist.h>
+#include <vppinfra/error.h>
+#include <vlibapi/api.h>
+#include <vlib/log.h>
+#include <vnet/fib/fib_table.h>
+#include <vnet/fib/ip4_fib.h>
+#include <vnet/ip/reass/ip4_sv_reass.h>
+
+#include <nat/lib/lib.h>
+#include <nat/lib/inlines.h>
+
+/* Session state */
+#define foreach_det44_session_state \
+ _(0, UNKNOWN, "unknown") \
+ _(1, UDP_ACTIVE, "udp-active") \
+ _(2, TCP_SYN_SENT, "tcp-syn-sent") \
+ _(3, TCP_ESTABLISHED, "tcp-established") \
+ _(4, TCP_FIN_WAIT, "tcp-fin-wait") \
+ _(5, TCP_CLOSE_WAIT, "tcp-close-wait") \
+ _(6, TCP_CLOSING, "tcp-closing") \
+ _(7, TCP_LAST_ACK, "tcp-last-ack") \
+ _(8, TCP_CLOSED, "tcp-closed") \
+ _(9, ICMP_ACTIVE, "icmp-active")
+
+typedef enum
+{
+#define _(v, N, s) DET44_SESSION_##N = v,
+ foreach_det44_session_state
+#undef _
+} det44_session_state_t;
+
+#define DET44_SES_PER_USER 1000
+
+typedef struct
+{
+ u16 identifier;
+ u16 sequence;
+} icmp_echo_header_t;
+
+typedef struct
+{
+ u16 src_port, dst_port;
+} tcp_udp_header_t;
+
+typedef struct
+{
+ u32 cached_sw_if_index;
+ u32 cached_ip4_address;
+} det44_runtime_t;
+
+typedef struct nat_timeouts_s
+{
+ u32 udp;
+
+ struct
+ {
+ u32 transitory;
+ u32 established;
+ } tcp;
+
+ u32 icmp;
+
+} nat_timeouts_t;
+
+/* deterministic session outside key */
+typedef struct
+{
+ union
+ {
+ struct
+ {
+ ip4_address_t ext_host_addr;
+ u16 ext_host_port;
+ u16 out_port;
+ };
+ u64 as_u64;
+ };
+} snat_det_out_key_t;
+
+typedef struct
+{
+ /* Inside network port */
+ u16 in_port;
+ /* Outside network address and port */
+ snat_det_out_key_t out;
+ /* Session state */
+ u8 state;
+ /* Expire timeout */
+ u32 expire;
+} snat_det_session_t;
+
+typedef struct
+{
+ /* inside IP address range */
+ ip4_address_t in_addr;
+ u8 in_plen;
+ /* outside IP address range */
+ ip4_address_t out_addr;
+ u8 out_plen;
+ /* inside IP addresses / outside IP addresses */
+ u32 sharing_ratio;
+ /* number of ports available to internal host */
+ u16 ports_per_host;
+ /* session counter */
+ u32 ses_num;
+ /* vector of sessions */
+ snat_det_session_t *sessions;
+} snat_det_map_t;
+
+typedef struct
+{
+ u32 sw_if_index;
+ u8 flags;
+} det44_interface_t;
+
+typedef struct
+{
+
+ u32 outside_vrf_id;
+ u32 inside_vrf_id;
+
+} det44_config_t;
+
+typedef struct
+{
+ u32 fib_index;
+ u32 refcount;
+} det44_fib_t;
+
+typedef struct det44_main_s
+{
+ det44_config_t config;
+
+ u32 outside_fib_index;
+ u32 inside_fib_index;
+
+ /* Vector of outside fibs */
+ det44_fib_t *outside_fibs;
+
+ fib_source_t fib_src_hi;
+ fib_source_t fib_src_low;
+
+ u32 out2in_node_index;
+ u32 in2out_node_index;
+
+ /* Deterministic NAT mappings */
+ snat_det_map_t *det_maps;
+
+ /* TCP MSS clamping */
+ u16 mss_clamping;
+
+ /* Protocol timeouts */
+ nat_timeouts_t timeouts;
+
+ /* Expire walk process node index */
+ u32 expire_walk_node_index;
+
+ u32 enabled;
+
+ /* API message ID base */
+ u16 msg_id_base;
+
+ /* log class */
+ vlib_log_class_t log_class;
+
+ det44_interface_t *interfaces;
+
+ /* convenience */
+ ip4_main_t *ip4_main;
+ /* required */
+ vnet_main_t *vnet_main;
+
+} det44_main_t;
+
+extern det44_main_t det44_main;
+
+/* logging */
+#define det44_log_err(...) \
+ vlib_log(VLIB_LOG_LEVEL_ERR, det44_main.log_class, __VA_ARGS__)
+#define det44_log_warn(...) \
+ vlib_log(VLIB_LOG_LEVEL_WARNING, det44_main.log_class, __VA_ARGS__)
+#define det44_log_notice(...) \
+ vlib_log(VLIB_LOG_LEVEL_NOTICE, det44_main.log_class, __VA_ARGS__)
+#define det44_log_info(...) \
+ vlib_log(VLIB_LOG_LEVEL_INFO, det44_main.log_class, __VA_ARGS__)
+#define det44_log_debug(...)\
+ vlib_log(VLIB_LOG_LEVEL_DEBUG, det44_main.log_class, __VA_ARGS__)
+
+/* Deterministic NAT interface flags */
+#define DET44_INTERFACE_FLAG_IS_INSIDE 1
+#define DET44_INTERFACE_FLAG_IS_OUTSIDE 2
+
+/** \brief Check if Deterministic NAT interface is inside.
+ @param i Deterministic NAT interface
+ @return 1 if inside interface
+*/
+#define det44_interface_is_inside(i) i->flags & DET44_INTERFACE_FLAG_IS_INSIDE
+
+/** \brief Check if Deterministic NAT interface is outside.
+ @param i Deterministic NAT interface
+ @return 1 if outside interface
+*/
+#define det44_interface_is_outside(i) i->flags & DET44_INTERFACE_FLAG_IS_OUTSIDE
+
+static_always_inline u8
+plugin_enabled ()
+{
+ det44_main_t *dm = &det44_main;
+ return dm->enabled;
+}
+
+extern vlib_node_registration_t det44_in2out_node;
+extern vlib_node_registration_t det44_out2in_node;
+
+int det44_plugin_enable ();
+int det44_plugin_disable ();
+
+int det44_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del);
+
+int det44_set_timeouts (nat_timeouts_t * timeouts);
+nat_timeouts_t det44_get_timeouts ();
+void det44_reset_timeouts ();
+
+/* format functions */
+format_function_t format_det_map_ses;
+
+int snat_det_add_map (ip4_address_t * in_addr, u8 in_plen,
+ ip4_address_t * out_addr, u8 out_plen, int is_add);
+
+/* icmp session match functions */
+u32 icmp_match_out2in_det (vlib_node_runtime_t * node,
+ u32 thread_index, vlib_buffer_t * b0,
+ ip4_header_t * ip0, ip4_address_t * addr,
+ u16 * port, u32 * fib_index,
+ nat_protocol_t * proto, void *d, void *e,
+ u8 * dont_translate);
+u32 icmp_match_in2out_det (vlib_node_runtime_t * node,
+ u32 thread_index, vlib_buffer_t * b0,
+ ip4_header_t * ip0, ip4_address_t * addr,
+ u16 * port, u32 * fib_index,
+ nat_protocol_t * proto, void *d, void *e,
+ u8 * dont_translate);
+u32 det44_icmp_in2out (vlib_buffer_t * b0, ip4_header_t * ip0,
+ icmp46_header_t * icmp0, u32 sw_if_index0,
+ u32 rx_fib_index0, vlib_node_runtime_t * node,
+ u32 next0, u32 thread_index, void *d, void *e);
+u32 det44_icmp_out2in (vlib_buffer_t * b0, ip4_header_t * ip0,
+ icmp46_header_t * icmp0, u32 sw_if_index0,
+ u32 rx_fib_index0, vlib_node_runtime_t * node,
+ u32 next0, u32 thread_index, void *d, void *e);
+
+static_always_inline int
+is_addr_in_net (ip4_address_t * addr, ip4_address_t * net, u8 plen)
+{
+ if (net->as_u32 == (addr->as_u32 & ip4_main.fib_masks[plen]))
+ return 1;
+ return 0;
+}
+
+static_always_inline snat_det_map_t *
+snat_det_map_by_user (ip4_address_t * user_addr)
+{
+ det44_main_t *dm = &det44_main;
+ snat_det_map_t *mp;
+ /* *INDENT-OFF* */
+ pool_foreach (mp, dm->det_maps,
+ ({
+ if (is_addr_in_net(user_addr, &mp->in_addr, mp->in_plen))
+ return mp;
+ }));
+ /* *INDENT-ON* */
+ return 0;
+}
+
+static_always_inline snat_det_map_t *
+snat_det_map_by_out (ip4_address_t * out_addr)
+{
+ det44_main_t *dm = &det44_main;
+ snat_det_map_t *mp;
+ /* *INDENT-OFF* */
+ pool_foreach (mp, dm->det_maps,
+ ({
+ if (is_addr_in_net(out_addr, &mp->out_addr, mp->out_plen))
+ return mp;
+ }));
+ /* *INDENT-ON* */
+ return 0;
+}
+
+static_always_inline void
+snat_det_forward (snat_det_map_t * dm, ip4_address_t * in_addr,
+ ip4_address_t * out_addr, u16 * lo_port)
+{
+ u32 in_offset, out_offset;
+
+ in_offset = clib_net_to_host_u32 (in_addr->as_u32) -
+ clib_net_to_host_u32 (dm->in_addr.as_u32);
+ out_offset = in_offset / dm->sharing_ratio;
+ out_addr->as_u32 =
+ clib_host_to_net_u32 (clib_net_to_host_u32 (dm->out_addr.as_u32) +
+ out_offset);
+ *lo_port = 1024 + dm->ports_per_host * (in_offset % dm->sharing_ratio);
+}
+
+static_always_inline void
+snat_det_reverse (snat_det_map_t * dm, ip4_address_t * out_addr, u16 out_port,
+ ip4_address_t * in_addr)
+{
+ u32 in_offset1, in_offset2, out_offset;
+
+ out_offset = clib_net_to_host_u32 (out_addr->as_u32) -
+ clib_net_to_host_u32 (dm->out_addr.as_u32);
+ in_offset1 = out_offset * dm->sharing_ratio;
+ in_offset2 = (out_port - 1024) / dm->ports_per_host;
+ in_addr->as_u32 =
+ clib_host_to_net_u32 (clib_net_to_host_u32 (dm->in_addr.as_u32) +
+ in_offset1 + in_offset2);
+}
+
+static_always_inline u32
+snat_det_user_ses_offset (ip4_address_t * addr, u8 plen)
+{
+ return (clib_net_to_host_u32 (addr->as_u32) & pow2_mask (32 - plen)) *
+ DET44_SES_PER_USER;
+}
+
+static_always_inline snat_det_session_t *
+snat_det_get_ses_by_out (snat_det_map_t * dm, ip4_address_t * in_addr,
+ u64 out_key)
+{
+ u32 user_offset;
+ u16 i;
+
+ user_offset = snat_det_user_ses_offset (in_addr, dm->in_plen);
+ for (i = 0; i < DET44_SES_PER_USER; i++)
+ {
+ if (dm->sessions[i + user_offset].out.as_u64 == out_key)
+ return &dm->sessions[i + user_offset];
+ }
+
+ return 0;
+}
+
+static_always_inline snat_det_session_t *
+snat_det_find_ses_by_in (snat_det_map_t * dm, ip4_address_t * in_addr,
+ u16 in_port, snat_det_out_key_t out_key)
+{
+ snat_det_session_t *ses;
+ u32 user_offset;
+ u16 i;
+
+ user_offset = snat_det_user_ses_offset (in_addr, dm->in_plen);
+ for (i = 0; i < DET44_SES_PER_USER; i++)
+ {
+ ses = &dm->sessions[i + user_offset];
+ if (ses->in_port == in_port &&
+ ses->out.ext_host_addr.as_u32 == out_key.ext_host_addr.as_u32 &&
+ ses->out.ext_host_port == out_key.ext_host_port)
+ return &dm->sessions[i + user_offset];
+ }
+
+ return 0;
+}
+
+static_always_inline snat_det_session_t *
+snat_det_ses_create (u32 thread_index, snat_det_map_t * dm,
+ ip4_address_t * in_addr, u16 in_port,
+ snat_det_out_key_t * out)
+{
+ u32 user_offset;
+ u16 i;
+
+ user_offset = snat_det_user_ses_offset (in_addr, dm->in_plen);
+
+ for (i = 0; i < DET44_SES_PER_USER; i++)
+ {
+ if (!dm->sessions[i + user_offset].in_port)
+ {
+ if (clib_atomic_bool_cmp_and_swap
+ (&dm->sessions[i + user_offset].in_port, 0, in_port))
+ {
+ dm->sessions[i + user_offset].out.as_u64 = out->as_u64;
+ dm->sessions[i + user_offset].state = DET44_SESSION_UNKNOWN;
+ dm->sessions[i + user_offset].expire = 0;
+ clib_atomic_add_fetch (&dm->ses_num, 1);
+ return &dm->sessions[i + user_offset];
+ }
+ }
+ }
+
+ // TODO:
+ /*snat_ipfix_logging_max_entries_per_user (thread_index,
+ DET44_SES_PER_USER,
+ in_addr->as_u32); */
+ return 0;
+}
+
+static_always_inline void
+snat_det_ses_close (snat_det_map_t * dm, snat_det_session_t * ses)
+{
+ if (clib_atomic_bool_cmp_and_swap (&ses->in_port, ses->in_port, 0))
+ {
+ ses->out.as_u64 = 0;
+ clib_atomic_add_fetch (&dm->ses_num, -1);
+ }
+}
+
+clib_error_t *det44_api_hookup (vlib_main_t * vm);
+
+#endif /* __included_det44_h__ */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */