aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
diff options
context:
space:
mode:
authorFilip Varga <fivarga@cisco.com>2020-08-30 21:19:55 +0200
committerOle Trøan <otroan@employees.org>2020-09-02 16:42:41 +0000
commit6484f4b9cbaf19062444cfe09b39ce1514dd146f (patch)
treead70ca1ed7815b0899ba24e962de02a0501908f1 /src/plugins/nat
parent42845dd56e0694a88a6318f5974724adee8312fe (diff)
nat: twice-nat static mapping pool address
Let twice-nat static mapping pick specific address from the twice-nat pool. Type: improvement Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1 Signed-off-by: Filip Varga <fivarga@cisco.com>
Diffstat (limited to 'src/plugins/nat')
-rw-r--r--src/plugins/nat/in2out.c8
-rw-r--r--src/plugins/nat/in2out_ed.c4
-rw-r--r--src/plugins/nat/nat.api41
-rw-r--r--src/plugins/nat/nat.c61
-rw-r--r--src/plugins/nat/nat.h56
-rw-r--r--src/plugins/nat/nat44_cli.c22
-rw-r--r--src/plugins/nat/nat44_hairpinning.c2
-rw-r--r--src/plugins/nat/nat_api.c93
-rw-r--r--src/plugins/nat/out2in.c12
-rw-r--r--src/plugins/nat/out2in_ed.c150
10 files changed, 354 insertions, 95 deletions
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c
index 39957259c69..8e2c5fe6756 100644
--- a/src/plugins/nat/in2out.c
+++ b/src/plugins/nat/in2out.c
@@ -135,7 +135,7 @@ snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
if (!snat_static_mapping_match
(sm, ip0->dst_address, udp0->dst_port, sm->outside_fib_index,
proto0, &placeholder_addr, &placeholder_port,
- &placeholder_fib_index, 1, 0, 0, 0, 0, 0))
+ &placeholder_fib_index, 1, 0, 0, 0, 0, 0, 0))
return 0;
}
else
@@ -274,7 +274,7 @@ slow_path (snat_main_t * sm, vlib_buffer_t * b0,
/* First try to match static mapping by local address and port */
if (snat_static_mapping_match
(sm, i2o_addr, i2o_port, rx_fib_index0, nat_proto, &sm_addr,
- &sm_port, &sm_fib_index, 0, 0, 0, 0, 0, &identity_nat))
+ &sm_port, &sm_fib_index, 0, 0, 0, 0, 0, &identity_nat, 0))
{
/* Try to create dynamic translation */
if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
@@ -599,7 +599,7 @@ icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
if (snat_static_mapping_match
(sm, *addr, *port, *fib_index, *proto, &sm_addr, &sm_port,
- &sm_fib_index, 0, &is_addr_only, 0, 0, 0, 0))
+ &sm_fib_index, 0, &is_addr_only, 0, 0, 0, 0, 0))
{
if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0,
IP_PROTOCOL_ICMP,
@@ -1842,7 +1842,7 @@ VLIB_NODE_FN (snat_in2out_fast_node) (vlib_main_t * vm,
if (snat_static_mapping_match
(sm, ip0->src_address, udp0->src_port, rx_fib_index0, proto0,
- &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0, 0, 0, 0))
+ &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0, 0, 0, 0, 0))
{
b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
next0 = SNAT_IN2OUT_NEXT_DROP;
diff --git a/src/plugins/nat/in2out_ed.c b/src/plugins/nat/in2out_ed.c
index a1f5e5bbc71..448e967b8ae 100644
--- a/src/plugins/nat/in2out_ed.c
+++ b/src/plugins/nat/in2out_ed.c
@@ -370,7 +370,7 @@ slow_path_ed (snat_main_t * sm,
/* First try to match static mapping by local address and port */
if (snat_static_mapping_match
(sm, l_addr, l_port, rx_fib_index, nat_proto, &sm_addr, &sm_port,
- &sm_fib_index, 0, 0, 0, &lb, 0, &identity_nat))
+ &sm_fib_index, 0, 0, 0, &lb, 0, &identity_nat, 0))
{
s = nat_ed_session_alloc (sm, thread_index, now, proto);
ASSERT (s);
@@ -514,7 +514,7 @@ nat44_ed_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
if (!snat_static_mapping_match
(sm, ip->dst_address, udp->dst_port, sm->outside_fib_index, proto,
&placeholder_addr, &placeholder_port, &placeholder_fib_index, 1, 0,
- 0, 0, 0, 0))
+ 0, 0, 0, 0, 0))
return 0;
}
else
diff --git a/src/plugins/nat/nat.api b/src/plugins/nat/nat.api
index 8b263d4001d..00e9e71ecc6 100644
--- a/src/plugins/nat/nat.api
+++ b/src/plugins/nat/nat.api
@@ -684,6 +684,47 @@ autoreply define nat44_add_del_static_mapping {
string tag[64];
};
+/** \brief Add/delete NAT44 static mapping
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param is_add - true if add, false if delete
+ @param match_pool - true if use specific pool_ip_address
+ @param flags - flag NAT_IS_ADDR_ONLY if address only mapping,
+ flag nat_is_twice_nat if nat address range for external hosts,
+ flag NAT_IS_SELF_TWICE_NAT if translate external host address
+ and port whenever external host address equals local
+ address of internal host,
+ flag NAT_IS_OUT2IN_ONLY if rule match only out2in direction
+ @param pool_ip_address - pool IPv4 address to match with pool
+ @param local_ip_address - local IPv4 address
+ @param external_ip_address - external IPv4 address
+ @param protocol - IP protocol, used only if addr_only=0
+ @param local_port - local port number, used only if addr_only=0
+ @param external_port - external port number, used only if addr_only=0
+ @param external_sw_if_index - external interface (if set
+ external_ip_address is ignored, ~0 means not
+ used)
+ @param vfr_id - VRF ID
+ @param tag - opaque string tag
+*/
+autoreply define nat44_add_del_static_mapping_v2 {
+ option status="in_progress";
+ u32 client_index;
+ u32 context;
+ bool is_add;
+ bool match_pool;
+ vl_api_nat_config_flags_t flags;
+ vl_api_ip4_address_t pool_ip_address;
+ vl_api_ip4_address_t local_ip_address;
+ vl_api_ip4_address_t external_ip_address;
+ u8 protocol;
+ u16 local_port;
+ u16 external_port;
+ vl_api_interface_index_t external_sw_if_index;
+ u32 vrf_id;
+ string tag[64];
+};
+
/** \brief Dump NAT44 static mappings
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index 796d9d010d4..61a36ec4e90 100644
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -692,7 +692,8 @@ snat_add_static_mapping_when_resolved (snat_main_t * sm,
nat_protocol_t proto,
int addr_only, int is_add, u8 * tag,
int twice_nat, int out2in_only,
- int identity_nat)
+ int identity_nat,
+ ip4_address_t pool_addr, int exact)
{
snat_static_map_resolve_t *rp;
@@ -709,6 +710,8 @@ snat_add_static_mapping_when_resolved (snat_main_t * sm,
rp->out2in_only = out2in_only;
rp->identity_nat = identity_nat;
rp->tag = vec_dup (tag);
+ rp->pool_addr = pool_addr;
+ rp->exact = exact;
}
static u32
@@ -829,7 +832,7 @@ snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
u32 sw_if_index, nat_protocol_t proto, int is_add,
twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag,
- u8 identity_nat)
+ u8 identity_nat, ip4_address_t pool_addr, int exact)
{
snat_main_t *sm = &snat_main;
snat_static_mapping_t *m;
@@ -891,7 +894,8 @@ snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
snat_add_static_mapping_when_resolved
(sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
- addr_only, is_add, tag, twice_nat, out2in_only, identity_nat);
+ addr_only, is_add, tag, twice_nat, out2in_only,
+ identity_nat, pool_addr, exact);
/* DHCP resolution required? */
if (first_int_addr == 0)
@@ -1046,6 +1050,13 @@ snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
m->local_addr = l_addr;
m->external_addr = e_addr;
m->twice_nat = twice_nat;
+
+ if (twice_nat == TWICE_NAT && exact)
+ {
+ m->flags |= NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS;
+ m->pool_addr = pool_addr;
+ }
+
if (out2in_only)
m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
if (addr_only)
@@ -1673,15 +1684,21 @@ snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm,
if (delete_sm)
{
+ ip4_address_t pool_addr = { 0 };
/* *INDENT-OFF* */
pool_foreach (m, sm->static_mappings,
({
if (m->external_addr.as_u32 == addr.as_u32)
(void) snat_add_static_mapping (m->local_addr, m->external_addr,
m->local_port, m->external_port,
- m->vrf_id, is_addr_only_static_mapping(m), ~0,
- m->proto, 0, m->twice_nat,
- is_out2in_only_static_mapping(m), m->tag, is_identity_static_mapping(m));
+ m->vrf_id,
+ is_addr_only_static_mapping(m), ~0,
+ m->proto, 0 /* is_add */,
+ m->twice_nat,
+ is_out2in_only_static_mapping(m),
+ m->tag,
+ is_identity_static_mapping(m),
+ pool_addr, 0);
}));
/* *INDENT-ON* */
}
@@ -2801,40 +2818,39 @@ snat_static_mapping_match (snat_main_t * sm,
u8 * is_addr_only,
twice_nat_type_t * twice_nat,
lb_nat_type_t * lb, ip4_address_t * ext_host_addr,
- u8 * is_identity_nat)
+ u8 * is_identity_nat, snat_static_mapping_t ** out)
{
clib_bihash_kv_8_8_t kv, value;
+ clib_bihash_8_8_t *mapping_hash;
snat_static_mapping_t *m;
- clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
u32 rand, lo = 0, hi, mid, *tmp = 0, i;
- u8 backend_index;
nat44_lb_addr_port_t *local;
+ u8 backend_index;
- if (by_external)
+ if (!by_external)
{
- mapping_hash = &sm->static_mapping_by_external;
- init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
+ mapping_hash = &sm->static_mapping_by_local;
+ init_nat_k (&kv, match_addr, match_port, match_fib_index,
+ match_protocol);
if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
{
/* Try address only mapping */
- init_nat_k (&kv, match_addr, 0, 0, 0);
+ init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
return 1;
}
-
}
else
{
- init_nat_k (&kv, match_addr, match_port, match_fib_index,
- match_protocol);
+ mapping_hash = &sm->static_mapping_by_external;
+ init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
{
/* Try address only mapping */
- init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
+ init_nat_k (&kv, match_addr, 0, 0, 0);
if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
return 1;
}
-
}
m = pool_elt_at_index (sm->static_mappings, value.value);
@@ -2943,6 +2959,9 @@ end:
if (PREDICT_FALSE (is_identity_nat != 0))
*is_identity_nat = is_identity_static_mapping (m);
+ if (out != 0)
+ *out = m;
+
return 0;
}
@@ -4358,7 +4377,8 @@ match:
rp->vrf_id,
rp->addr_only, ~0 /* sw_if_index */ ,
rp->proto, !is_delete, rp->twice_nat,
- rp->out2in_only, rp->tag, rp->identity_nat);
+ rp->out2in_only, rp->tag, rp->identity_nat,
+ rp->pool_addr, rp->exact);
if (rv)
nat_elog_notice_X1 ("snat_add_static_mapping returned %d", "i4", rv);
}
@@ -4429,7 +4449,8 @@ match:
rp->proto,
rp->is_add, rp->twice_nat,
rp->out2in_only, rp->tag,
- rp->identity_nat);
+ rp->identity_nat,
+ rp->pool_addr, rp->exact);
if (rv)
nat_elog_notice_X1 ("snat_add_static_mapping returned %d",
"i4", rv);
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h
index 518f2002056..ab699221e69 100644
--- a/src/plugins/nat/nat.h
+++ b/src/plugins/nat/nat.h
@@ -187,16 +187,18 @@ typedef enum
#define SNAT_SESSION_FLAG_FWD_BYPASS 32
#define SNAT_SESSION_FLAG_AFFINITY 64
#define SNAT_SESSION_FLAG_OUTPUT_FEATURE 128
+#define SNAT_SESSION_FLAG_EXACT_ADDRESS 256
/* NAT interface flags */
#define NAT_INTERFACE_FLAG_IS_INSIDE 1
#define NAT_INTERFACE_FLAG_IS_OUTSIDE 2
/* Static mapping flags */
-#define NAT_STATIC_MAPPING_FLAG_ADDR_ONLY 1
-#define NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY 2
-#define NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT 4
-#define NAT_STATIC_MAPPING_FLAG_LB 8
+#define NAT_STATIC_MAPPING_FLAG_ADDR_ONLY 1
+#define NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY 2
+#define NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT 4
+#define NAT_STATIC_MAPPING_FLAG_LB 8
+#define NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS 16
/* *INDENT-OFF* */
typedef CLIB_PACKED(struct
@@ -350,6 +352,8 @@ typedef enum
typedef struct
{
+ /* prefered pool address */
+ ip4_address_t pool_addr;
/* local IP address */
ip4_address_t local_addr;
/* external IP address */
@@ -388,6 +392,7 @@ typedef struct
typedef struct
{
ip4_address_t l_addr;
+ ip4_address_t pool_addr;
u16 l_port;
u16 e_port;
u32 sw_if_index;
@@ -399,6 +404,7 @@ typedef struct
int is_add;
int out2in_only;
int identity_nat;
+ int exact;
u8 *tag;
} snat_static_map_resolve_t;
@@ -776,6 +782,12 @@ unformat_function_t unformat_nat_protocol;
*/
#define is_affinity_sessions(s) (s->flags & SNAT_SESSION_FLAG_AFFINITY)
+/** \brief Check if exact pool address should be used.
+ @param s SNAT session
+ @return 1 if exact pool address or 0
+*/
+#define is_exact_address_session(s) (s->flags & SNAT_SESSION_FLAG_EXACT_ADDRESS)
+
/** \brief Check if NAT interface is inside.
@param i NAT interface
@return 1 if inside interface
@@ -818,6 +830,12 @@ unformat_function_t unformat_nat_protocol;
*/
#define is_lb_static_mapping(sm) (sm->flags & NAT_STATIC_MAPPING_FLAG_LB)
+/** \brief Check if exact pool address should be used.
+ @param s SNAT session
+ @return 1 if exact pool address or 0
+*/
+#define is_exact_address(s) (s->flags & NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS)
+
/** \brief Check if client initiating TCP connection (received SYN from client)
@param t TCP header
@return 1 if client initiating TCP connection
@@ -1138,6 +1156,8 @@ void nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add);
* @param out2in_only if 1 rule match only out2in direction
* @param tag opaque string tag
* @param identity_nat identity NAT
+ * @param pool_addr pool IPv4 address
+ * @param exact 1 = exact pool address
*
* @return 0 on success, non-zero value otherwise
*/
@@ -1146,7 +1166,8 @@ int snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
int addr_only, u32 sw_if_index,
nat_protocol_t proto, int is_add,
twice_nat_type_t twice_nat, u8 out2in_only,
- u8 * tag, u8 identity_nat);
+ u8 * tag, u8 identity_nat,
+ ip4_address_t pool_addr, int exact);
/**
* @brief Add/delete static mapping with load-balancing (multiple backends)
@@ -1394,16 +1415,18 @@ void expire_per_vrf_sessions (u32 fib_index);
/**
* @brief Match NAT44 static mapping.
*
- * @param key address and port to match
- * @param addr external/local address of the matched mapping
- * @param port port of the matched mapping
- * @param fib_index fib index of the matched mapping
- * @param by_external if 0 match by local address otherwise match by external
- * address
- * @param is_addr_only 1 if matched mapping is address only
- * @param twice_nat matched mapping is twice NAT type
- * @param lb 1 if matched mapping is load-balanced
- * @param ext_host_addr external host address
+ * @param key address and port to match
+ * @param addr external/local address of the matched mapping
+ * @param port port of the matched mapping
+ * @param fib_index fib index of the matched mapping
+ * @param by_external if 0 match by local address otherwise match by external
+ * address
+ * @param is_addr_only 1 if matched mapping is address only
+ * @param twice_nat matched mapping is twice NAT type
+ * @param lb 1 if matched mapping is load-balanced
+ * @param ext_host_addr external host address
+ * @param is_identity_nat 1 if indentity mapping
+ * @param out if !=0 set to pointer of the mapping structure
*
* @returns 0 if match found otherwise 1.
*/
@@ -1420,7 +1443,8 @@ int snat_static_mapping_match (snat_main_t * sm,
twice_nat_type_t * twice_nat,
lb_nat_type_t * lb,
ip4_address_t * ext_host_addr,
- u8 * is_identity_nat);
+ u8 * is_identity_nat,
+ snat_static_mapping_t ** out);
/**
* @brief Add/del NAT address to FIB.
diff --git a/src/plugins/nat/nat44_cli.c b/src/plugins/nat/nat44_cli.c
index 65f40753a3f..f61ce2c2ab7 100644
--- a/src/plugins/nat/nat44_cli.c
+++ b/src/plugins/nat/nat44_cli.c
@@ -980,13 +980,11 @@ add_static_mapping_command_fn (vlib_main_t * vm,
{
unformat_input_t _line_input, *line_input = &_line_input;
clib_error_t *error = 0;
- ip4_address_t l_addr, e_addr;
+ ip4_address_t l_addr, e_addr, exact_addr;
u32 l_port = 0, e_port = 0, vrf_id = ~0;
- int is_add = 1;
- int addr_only = 1;
+ int is_add = 1, addr_only = 1, rv, exact = 0;
u32 sw_if_index = ~0;
vnet_main_t *vnm = vnet_get_main ();
- int rv;
nat_protocol_t proto = NAT_PROTOCOL_OTHER;
u8 proto_set = 0;
twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
@@ -1014,10 +1012,12 @@ add_static_mapping_command_fn (vlib_main_t * vm,
unformat_vnet_sw_interface, vnm, &sw_if_index,
&e_port))
addr_only = 0;
-
else if (unformat (line_input, "external %U",
unformat_vnet_sw_interface, vnm, &sw_if_index))
;
+ else if (unformat (line_input, "exact %U", unformat_ip4_address,
+ &exact_addr))
+ exact = 1;
else if (unformat (line_input, "vrf %u", &vrf_id))
;
else if (unformat (line_input, "%U", unformat_nat_protocol, &proto))
@@ -1063,7 +1063,8 @@ add_static_mapping_command_fn (vlib_main_t * vm,
rv = snat_add_static_mapping (l_addr, e_addr, clib_host_to_net_u16 (l_port),
clib_host_to_net_u16 (e_port),
vrf_id, addr_only, sw_if_index, proto, is_add,
- twice_nat, out2in_only, 0, 0);
+ twice_nat, out2in_only, 0, 0, exact_addr,
+ exact);
switch (rv)
{
@@ -1104,7 +1105,7 @@ add_identity_mapping_command_fn (vlib_main_t * vm,
{
unformat_input_t _line_input, *line_input = &_line_input;
clib_error_t *error = 0;
- ip4_address_t addr;
+ ip4_address_t addr, pool_addr = { 0 };
u32 port = 0, vrf_id = ~0;
int is_add = 1;
int addr_only = 1;
@@ -1144,7 +1145,8 @@ add_identity_mapping_command_fn (vlib_main_t * vm,
rv =
snat_add_static_mapping (addr, addr, clib_host_to_net_u16 (port),
clib_host_to_net_u16 (port), vrf_id, addr_only,
- sw_if_index, proto, is_add, 0, 0, 0, 1);
+ sw_if_index, proto, is_add, 0, 0, 0, 1,
+ pool_addr, 0);
switch (rv)
{
@@ -2254,6 +2256,8 @@ VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
* To create ICMP static mapping between local and external with ICMP echo
* identifier 10 use:
* vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
+ * To force use of specific pool address, vrf independent
+ * vpp# nat44 add static mapping local 10.0.0.2 1234 external 10.0.2.2 1234 twice-nat exact 10.0.1.2
* @cliexend
?*/
VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
@@ -2262,7 +2266,7 @@ VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
.short_help =
"nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
"external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
- "[out2in-only] [del]",
+ "[out2in-only] [exact <pool-addr>] [del]",
};
/*?
diff --git a/src/plugins/nat/nat44_hairpinning.c b/src/plugins/nat/nat44_hairpinning.c
index 45444c58a73..9eadcf30832 100644
--- a/src/plugins/nat/nat44_hairpinning.c
+++ b/src/plugins/nat/nat44_hairpinning.c
@@ -111,7 +111,7 @@ snat_hairpinning (vlib_main_t * vm, vlib_node_runtime_t * node,
/* Check if destination is static mappings */
if (!snat_static_mapping_match
(sm, ip0->dst_address, udp0->dst_port, sm->outside_fib_index, proto0,
- &sm0_addr, &sm0_port, &sm0_fib_index, 1, 0, 0, 0, 0, 0))
+ &sm0_addr, &sm0_port, &sm0_fib_index, 1, 0, 0, 0, 0, 0, 0))
{
new_dst_addr0 = sm0_addr.as_u32;
new_dst_port0 = sm0_port;
diff --git a/src/plugins/nat/nat_api.c b/src/plugins/nat/nat_api.c
index ad67375fb7a..bbb1645b5e3 100644
--- a/src/plugins/nat/nat_api.c
+++ b/src/plugins/nat/nat_api.c
@@ -1105,7 +1105,7 @@ static void
{
snat_main_t *sm = &snat_main;
vl_api_nat44_add_del_static_mapping_reply_t *rmp;
- ip4_address_t local_addr, external_addr;
+ ip4_address_t local_addr, external_addr, pool_addr = { 0 };
u16 local_port = 0, external_port = 0;
u32 vrf_id, external_sw_if_index;
twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
@@ -1139,12 +1139,61 @@ static void
mp->flags & NAT_API_IS_ADDR_ONLY,
external_sw_if_index, proto,
mp->is_add, twice_nat,
- mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0);
+ mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0,
+ pool_addr, 0);
vec_free (tag);
REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_REPLY);
}
+static void
+ vl_api_nat44_add_del_static_mapping_v2_t_handler
+ (vl_api_nat44_add_del_static_mapping_v2_t * mp)
+{
+ snat_main_t *sm = &snat_main;
+ vl_api_nat44_add_del_static_mapping_v2_reply_t *rmp;
+ ip4_address_t local_addr, external_addr, pool_addr;
+ u16 local_port = 0, external_port = 0;
+ u32 vrf_id, external_sw_if_index;
+ twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
+ int rv = 0;
+ nat_protocol_t proto;
+ u8 *tag = 0;
+
+ memcpy (&pool_addr.as_u8, mp->pool_ip_address, 4);
+ memcpy (&local_addr.as_u8, mp->local_ip_address, 4);
+ memcpy (&external_addr.as_u8, mp->external_ip_address, 4);
+
+ if (!(mp->flags & NAT_API_IS_ADDR_ONLY))
+ {
+ local_port = mp->local_port;
+ external_port = mp->external_port;
+ }
+
+ vrf_id = clib_net_to_host_u32 (mp->vrf_id);
+ external_sw_if_index = clib_net_to_host_u32 (mp->external_sw_if_index);
+ proto = ip_proto_to_nat_proto (mp->protocol);
+
+ if (mp->flags & NAT_API_IS_TWICE_NAT)
+ twice_nat = TWICE_NAT;
+ else if (mp->flags & NAT_API_IS_SELF_TWICE_NAT)
+ twice_nat = TWICE_NAT_SELF;
+ mp->tag[sizeof (mp->tag) - 1] = 0;
+ tag = format (0, "%s", mp->tag);
+ vec_terminate_c_string (tag);
+
+ rv = snat_add_static_mapping (local_addr, external_addr, local_port,
+ external_port, vrf_id,
+ mp->flags & NAT_API_IS_ADDR_ONLY,
+ external_sw_if_index, proto,
+ mp->is_add, twice_nat,
+ mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0,
+ pool_addr, mp->match_pool);
+ vec_free (tag);
+
+ REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_V2_REPLY);
+}
+
static void *vl_api_nat44_add_del_static_mapping_t_print
(vl_api_nat44_add_del_static_mapping_t * mp, void *handle)
{
@@ -1174,6 +1223,39 @@ static void *vl_api_nat44_add_del_static_mapping_t_print
FINISH;
}
+static void *vl_api_nat44_add_del_static_mapping_v2_t_print
+ (vl_api_nat44_add_del_static_mapping_v2_t * mp, void *handle)
+{
+ u8 *s;
+
+ s = format (0, "SCRIPT: nat44_add_del_static_mapping_v2 ");
+ s = format (s, "protocol %d local_addr %U external_addr %U ",
+ mp->protocol,
+ format_ip4_address, mp->local_ip_address,
+ format_ip4_address, mp->external_ip_address);
+
+ if (!(mp->flags & NAT_API_IS_ADDR_ONLY))
+ s = format (s, "local_port %d external_port %d ",
+ clib_net_to_host_u16 (mp->local_port),
+ clib_net_to_host_u16 (mp->external_port));
+
+ s = format (s, "twice_nat %d out2in_only %d ",
+ mp->flags & NAT_API_IS_TWICE_NAT,
+ mp->flags & NAT_API_IS_OUT2IN_ONLY);
+
+ if (mp->vrf_id != ~0)
+ s = format (s, "vrf %d", clib_net_to_host_u32 (mp->vrf_id));
+
+ if (mp->external_sw_if_index != ~0)
+ s = format (s, "external_sw_if_index %d",
+ clib_net_to_host_u32 (mp->external_sw_if_index));
+ if (mp->match_pool)
+ s = format (s, "match pool address %U",
+ format_ip4_address, mp->pool_ip_address);
+
+ FINISH;
+}
+
static void
send_nat44_static_mapping_details (snat_static_mapping_t * m,
vl_api_registration_t * reg, u32 context)
@@ -1301,7 +1383,7 @@ static void
{
snat_main_t *sm = &snat_main;
vl_api_nat44_add_del_identity_mapping_reply_t *rmp;
- ip4_address_t addr;
+ ip4_address_t addr, pool_addr = { 0 };
u16 port = 0;
u32 vrf_id, sw_if_index;
int rv = 0;
@@ -1326,7 +1408,7 @@ static void
rv =
snat_add_static_mapping (addr, addr, port, port, vrf_id,
mp->flags & NAT_API_IS_ADDR_ONLY, sw_if_index,
- proto, mp->is_add, 0, 0, tag, 1);
+ proto, mp->is_add, 0, 0, tag, 1, pool_addr, 0);
vec_free (tag);
REPLY_MACRO (VL_API_NAT44_ADD_DEL_IDENTITY_MAPPING_REPLY);
@@ -2047,7 +2129,7 @@ vl_api_nat44_del_session_t_print (vl_api_nat44_del_session_t * mp,
{
u8 *s;
- s = format (0, "SCRIPT: nat44_add_del_static_mapping ");
+ s = format (0, "SCRIPT: nat44_add_del_session ");
s = format (s, "addr %U port %d protocol %d vrf_id %d is_in %d",
format_ip4_address, mp->address,
clib_net_to_host_u16 (mp->port),
@@ -2663,6 +2745,7 @@ _(NAT_HA_RESYNC, nat_ha_resync) \
_(NAT44_ADD_DEL_ADDRESS_RANGE, nat44_add_del_address_range) \
_(NAT44_INTERFACE_ADD_DEL_FEATURE, nat44_interface_add_del_feature) \
_(NAT44_ADD_DEL_STATIC_MAPPING, nat44_add_del_static_mapping) \
+_(NAT44_ADD_DEL_STATIC_MAPPING_V2, nat44_add_del_static_mapping_v2) \
_(NAT44_ADD_DEL_IDENTITY_MAPPING, nat44_add_del_identity_mapping) \
_(NAT44_STATIC_MAPPING_DUMP, nat44_static_mapping_dump) \
_(NAT44_IDENTITY_MAPPING_DUMP, nat44_identity_mapping_dump) \
diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c
index 5684a93b2a5..c17f0e233d6 100644
--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -359,7 +359,7 @@ icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
if (snat_static_mapping_match
(sm, *addr, *port, *fib_index, *proto,
&mapping_addr, &mapping_port, &mapping_fib_index, 1, &is_addr_only,
- 0, 0, 0, &identity_nat))
+ 0, 0, 0, &identity_nat, 0))
{
if (!sm->forwarding_enabled)
{
@@ -485,7 +485,7 @@ icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
}
if (snat_static_mapping_match
(sm, addr, port, rx_fib_index0, *proto, mapping_addr, mapping_port,
- mapping_fib_index, 1, &is_addr_only, 0, 0, 0, 0))
+ mapping_fib_index, 1, &is_addr_only, 0, 0, 0, 0, 0))
{
/* Don't NAT packet aimed at the intfc address */
if (is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32))
@@ -835,7 +835,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
(sm, ip0->dst_address,
vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0,
- 0, &identity_nat0))
+ 0, &identity_nat0, 0))
{
/*
* Send DHCP packets to the ipv4 stack, or we won't
@@ -1017,7 +1017,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
(sm, ip1->dst_address,
vnet_buffer (b1)->ip.reass.l4_dst_port, proto1,
rx_fib_index1, &sm_addr1, &sm_port1, &sm_fib_index1, 1, 0,
- 0, 0, 0, &identity_nat1))
+ 0, 0, 0, &identity_nat1, 0))
{
/*
* Send DHCP packets to the ipv4 stack, or we won't
@@ -1236,7 +1236,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
(sm, ip0->dst_address,
vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0,
- 0, &identity_nat0))
+ 0, &identity_nat0, 0))
{
/*
* Send DHCP packets to the ipv4 stack, or we won't
@@ -1462,7 +1462,7 @@ VLIB_NODE_FN (snat_out2in_fast_node) (vlib_main_t * vm,
if (snat_static_mapping_match
(sm, ip0->dst_address, udp0->dst_port, rx_fib_index0, proto0,
- &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, 0, 0))
+ &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, 0, 0, 0))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
goto trace00;
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index 9868fe751f2..8eef1e43535 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -190,6 +190,52 @@ nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
}
#endif
+// allocate exact address based on preference
+static_always_inline int
+nat_alloc_addr_and_port_exact (snat_address_t * a,
+ u32 thread_index,
+ nat_protocol_t proto,
+ ip4_address_t * addr,
+ u16 * port,
+ u16 port_per_thread, u32 snat_thread_index)
+{
+ u32 portnum;
+
+ switch (proto)
+ {
+#define _(N, j, n, s) \
+ case NAT_PROTOCOL_##N: \
+ if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
+ { \
+ while (1) \
+ { \
+ portnum = (port_per_thread * \
+ snat_thread_index) + \
+ snat_random_port(0, port_per_thread - 1) + 1024; \
+ if (a->busy_##n##_port_refcounts[portnum]) \
+ continue; \
+ --a->busy_##n##_port_refcounts[portnum]; \
+ a->busy_##n##_ports_per_thread[thread_index]++; \
+ a->busy_##n##_ports++; \
+ *addr = a->addr; \
+ *port = clib_host_to_net_u16(portnum); \
+ return 0; \
+ } \
+ } \
+ break;
+ foreach_nat_protocol
+#undef _
+ default:
+ nat_elog_info ("unknown protocol");
+ return 1;
+ }
+
+ /* Totally out of translations to use... */
+ snat_ipfix_logging_addresses_exhausted (thread_index, 0);
+ return 1;
+}
+
+
static snat_session_t *
create_session_for_static_mapping_ed (snat_main_t * sm,
vlib_buffer_t * b,
@@ -204,7 +250,8 @@ create_session_for_static_mapping_ed (snat_main_t * sm,
u32 rx_fib_index,
u32 thread_index,
twice_nat_type_t twice_nat,
- lb_nat_type_t lb_nat, f64 now)
+ lb_nat_type_t lb_nat, f64 now,
+ snat_static_mapping_t * mapping)
{
snat_session_t *s;
ip4_header_t *ip;
@@ -261,13 +308,46 @@ create_session_for_static_mapping_ed (snat_main_t * sm,
if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
ip->src_address.as_u32 == i2o_addr.as_u32))
{
- if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
- thread_index,
- nat_proto,
- &s->ext_host_nat_addr,
- &s->ext_host_nat_port,
- sm->port_per_thread,
- tsm->snat_thread_index))
+ int rc = 0;
+ snat_address_t *filter = 0;
+
+ // if exact address is specified use this address
+ if (is_exact_address (mapping))
+ {
+ snat_address_t *ap;
+ vec_foreach (ap, sm->twice_nat_addresses)
+ {
+ if (mapping->pool_addr.as_u32 == ap->addr.as_u32)
+ {
+ filter = ap;
+ break;
+ }
+ }
+ }
+
+ if (filter)
+ {
+ rc = nat_alloc_addr_and_port_exact (filter,
+ thread_index,
+ nat_proto,
+ &s->ext_host_nat_addr,
+ &s->ext_host_nat_port,
+ sm->port_per_thread,
+ tsm->snat_thread_index);
+ s->flags |= SNAT_SESSION_FLAG_EXACT_ADDRESS;
+ }
+ else
+ {
+ rc =
+ snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
+ thread_index, nat_proto,
+ &s->ext_host_nat_addr,
+ &s->ext_host_nat_port,
+ sm->port_per_thread,
+ tsm->snat_thread_index);
+ }
+
+ if (rc)
{
b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
nat_ed_session_delete (sm, s, thread_index, 1);
@@ -275,6 +355,7 @@ create_session_for_static_mapping_ed (snat_main_t * sm,
nat_elog_notice ("out2in-ed key del failed");
return 0;
}
+
s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
init_ed_kv (&kv, i2o_addr, i2o_port, s->ext_host_nat_addr,
s->ext_host_nat_port, i2o_fib_index, ip->protocol,
@@ -459,6 +540,7 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
u16 sm_port;
u32 sm_fib_index;
*dont_translate = 0;
+ snat_static_mapping_t *m;
sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
@@ -473,12 +555,12 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
if (clib_bihash_search_16_8 (&sm->out2in_ed, &kv, &value))
{
- /* Try to match static mapping */
if (snat_static_mapping_match
(sm, ip->dst_address, l_port, rx_fib_index,
ip_proto_to_nat_proto (ip->protocol), &sm_addr, &sm_port,
- &sm_fib_index, 1, &is_addr_only, 0, 0, 0, &identity_nat))
+ &sm_fib_index, 1, &is_addr_only, 0, 0, 0, &identity_nat, &m))
{
+ // static mapping not matched
if (!sm->forwarding_enabled)
{
/* Don't NAT packet aimed at the intfc address */
@@ -486,11 +568,12 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
ip->dst_address.as_u32)))
{
*dont_translate = 1;
- goto out;
}
- b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
- next = NAT_NEXT_DROP;
- goto out;
+ else
+ {
+ b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
+ next = NAT_NEXT_DROP;
+ }
}
else
{
@@ -499,14 +582,17 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
thread_index, rx_fib_index))
{
next = NAT_NEXT_IN2OUT_ED_FAST_PATH;
- goto out;
}
- if (sm->num_workers > 1)
- create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index);
else
- create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
- goto out;
+ {
+ if (sm->num_workers > 1)
+ create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index);
+ else
+ create_bypass_for_fwd (sm, b, ip, rx_fib_index,
+ thread_index);
+ }
}
+ goto out;
}
if (PREDICT_FALSE
@@ -533,13 +619,9 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
l_port, rx_fib_index, *proto,
node, rx_fib_index,
thread_index, 0, 0,
- vlib_time_now (vm));
-
+ vlib_time_now (vm), m);
if (!s)
- {
- next = NAT_NEXT_DROP;
- goto out;
- }
+ next = NAT_NEXT_DROP;
}
else
{
@@ -978,6 +1060,7 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
f64 now = vlib_time_now (vm);
u32 thread_index = vm->thread_index;
snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
+ snat_static_mapping_t *m;
from = vlib_frame_vector_args (frame);
n_left_from = frame->n_vectors;
@@ -1087,7 +1170,7 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
(sm, ip0->dst_address,
vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
proto0, &sm_addr, &sm_port, &sm_fib_index, 1, 0,
- &twice_nat0, &lb_nat0, &ip0->src_address, &identity_nat0))
+ &twice_nat0, &lb_nat0, &ip0->src_address, &identity_nat0, &m))
{
/*
* Send DHCP packets to the ipv4 stack, or we won't
@@ -1115,13 +1198,16 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
thread_index, rx_fib_index0))
{
next[0] = NAT_NEXT_IN2OUT_ED_FAST_PATH;
- goto trace0;
}
- if (sm->num_workers > 1)
- create_bypass_for_fwd_worker (sm, b0, ip0, rx_fib_index0);
else
- create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
- thread_index);
+ {
+ if (sm->num_workers > 1)
+ create_bypass_for_fwd_worker (sm, b0, ip0,
+ rx_fib_index0);
+ else
+ create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
+ thread_index);
+ }
}
goto trace0;
}
@@ -1148,7 +1234,7 @@ nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
rx_fib_index0, proto0,
node, rx_fib_index0,
thread_index, twice_nat0,
- lb_nat0, now);
+ lb_nat0, now, m);
if (!s0)
{
next[0] = NAT_NEXT_DROP;