Diffstat (limited to 'src/plugins/nat/lib')
-rw-r--r-- | src/plugins/nat/lib/ipfix_logging.c | 7 | ||||
-rw-r--r-- | src/plugins/nat/lib/ipfix_logging.h | 2 | ||||
-rw-r--r-- | src/plugins/nat/lib/lib.h | 24 | ||||
-rw-r--r-- | src/plugins/nat/lib/nat_syslog.c | 288 | ||||
-rw-r--r-- | src/plugins/nat/lib/nat_syslog.h | 73 |
5 files changed, 393 insertions, 1 deletions
diff --git a/src/plugins/nat/lib/ipfix_logging.c b/src/plugins/nat/lib/ipfix_logging.c
index 6a944692f47..f66458572d3 100644
--- a/src/plugins/nat/lib/ipfix_logging.c
+++ b/src/plugins/nat/lib/ipfix_logging.c
@@ -1269,6 +1269,13 @@ nat_ipfix_flush (u32 thread_index)
 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, do_flush);
 }
 
+int
+nat_ipfix_logging_enabled ()
+{
+ nat_ipfix_logging_main_t *silm = &nat_ipfix_logging_main;
+ return !clib_atomic_fetch_or(&silm->enabled, 0);
+}
+
 void
 nat_ipfix_flush_from_main (void)
 {
diff --git a/src/plugins/nat/lib/ipfix_logging.h b/src/plugins/nat/lib/ipfix_logging.h
index 53aa86b2a38..0b2357a2604 100644
--- a/src/plugins/nat/lib/ipfix_logging.h
+++ b/src/plugins/nat/lib/ipfix_logging.h
@@ -112,6 +112,8 @@ typedef struct {
 
 extern nat_ipfix_logging_main_t nat_ipfix_logging_main;
 
+int nat_ipfix_logging_enabled ();
+
 void nat_ipfix_logging_init (vlib_main_t * vm);
 int nat_ipfix_logging_enable_disable (int enable, u32 domain_id, u16 src_port);
 void nat_ipfix_logging_nat44_ses_create (u32 thread_index, u32 src_ip,
diff --git a/src/plugins/nat/lib/lib.h b/src/plugins/nat/lib/lib.h
index febe829ce56..04bad5c74f7 100644
--- a/src/plugins/nat/lib/lib.h
+++ b/src/plugins/nat/lib/lib.h
@@ -67,12 +67,34 @@ typedef enum
 #undef _
 } nat_protocol_t;
 
-/* default session timeouts */
+/* default protocol timeouts */
 #define NAT_UDP_TIMEOUT 300
 #define NAT_TCP_TRANSITORY_TIMEOUT 240
 #define NAT_TCP_ESTABLISHED_TIMEOUT 7440
 #define NAT_ICMP_TIMEOUT 60
 
+typedef struct
+{
+ struct
+ {
+ u32 established;
+ u32 transitory;
+ } tcp;
+
+ u32 udp;
+ u32 icmp;
+
+} nat_timeouts_t;
+
+static_always_inline void
+nat_reset_timeouts (nat_timeouts_t * timeouts)
+{
+ timeouts->udp = NAT_UDP_TIMEOUT;
+ timeouts->tcp.established = NAT_TCP_ESTABLISHED_TIMEOUT;
+ timeouts->tcp.transitory = NAT_TCP_TRANSITORY_TIMEOUT;
+ timeouts->icmp = NAT_ICMP_TIMEOUT;
+}
+
 // TODO: move common formating definitions here
 
 #endif /* included_nat_lib_h__ */
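Review bot: `nat_ipfix_logging_enabled` returns the negation of the flag: `!clib_atomic_fetch_or (&silm->enabled, 0)` evaluates to 0 exactly when `enabled` is set, so unless every caller is written against the inverted sense, the IPFIX session-audit records are suppressed while logging is on and emitted while it is off; the callers are not in this diff, so that needs confirming before merge. The straightforward form is `return clib_atomic_fetch_or (&silm->enabled, 0) != 0;`. Two smaller points on the same function: the declaration `int nat_ipfix_logging_enabled ()` in ipfix_logging.h is an old-style unprototyped declaration and should read `int nat_ipfix_logging_enabled (void);`, and a fetch-or with 0 is a read-modify-write on a line every worker thread touches just to read a flag, where an atomic load would suffice if one is available in clib.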
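Review bot: `nat_timeouts_t` and `nat_reset_timeouts` are added with no comment stating the unit of the four fields, and `u32` cannot convey it; the defaults they take (300, 240, 7440, 60) are the existing `NAT_*_TIMEOUT` macros, which presumably are seconds, but nothing in this header says so. I would add, above the typedef, `/* Per-protocol session timeouts; same unit as the NAT_*_TIMEOUT defaults (presumably seconds, confirm against the expiry comparison in the session scanner) */`, and on `nat_reset_timeouts` a one-liner `/* Restore all timeouts to the NAT_*_TIMEOUT defaults. */`. The renamed comment `default protocol timeouts` now sits above macros that are really the defaults for this struct, so pointing one at the other keeps them from drifting.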
diff --git a/src/plugins/nat/lib/nat_syslog.c b/src/plugins/nat/lib/nat_syslog.c
new file mode 100644
index 00000000000..2c395bf7fd8
--- /dev/null
+++ b/src/plugins/nat/lib/nat_syslog.c
@@ -0,0 +1,288 @@ +/* + * Copyright (c) 2020 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT syslog logging + */ +#include <vnet/fib/fib_table.h> +#include <vnet/ip/ip.h> +#include <vnet/syslog/syslog.h> + +#include <nat/lib/nat_syslog.h> +#include <nat/lib/inlines.h> + +#define NAT_FACILITY SYSLOG_FACILITY_LOCAL0 + +#define NAT_APPNAME "NAT" + +#define SADD_SDEL_SEVERITY SYSLOG_SEVERITY_INFORMATIONAL +#define APMADD_APMDEL_SEVERITY SYSLOG_SEVERITY_INFORMATIONAL + +#define SADD_MSGID "SADD" +#define SDEL_MSGID "SDEL" +#define APMADD_MSGID "APMADD" +#define APMDEL_MSGID "APMDEL" + +#define NSESS_SDID "nsess" +#define NAPMAP_SDID "napmap" + +#define SSUBIX_SDPARAM_NAME "SSUBIX" +#define SVLAN_SDPARAM_NAME "SVLAN" +#define IATYP_SDPARAM_NAME "IATYP" +#define ISADDR_SDPARAM_NAME "ISADDR" +#define ISPORT_SDPARAM_NAME "ISPORT" +#define IDADDR_SDPARAM_NAME "IDADDR" +#define IDPORT_SDPARAM_NAME "IDPORT" +#define XATYP_SDPARAM_NAME "XATYP" +#define XSADDR_SDPARAM_NAME "XSADDR" +#define XSPORT_SDPARAM_NAME "XSPORT" +#define XDADDR_SDPARAM_NAME "XDADDR" +#define XDPORT_SDPARAM_NAME "XDPORT" +#define PROTO_SDPARAM_NAME "PROTO" +#define SV6ENC_SDPARAM_NAME "SV6ENC" + +#define IATYP_IPV4 "IPv4" +#define IATYP_IPV6 "IPv6" + +static inline void +nat_syslog_nat44_apmap (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto, u8 is_add, + 
ip6_address_t * sv6enc) +{ + syslog_msg_t syslog_msg; + fib_table_t *fib; + + if (!syslog_is_enabled ()) + return; + + if (syslog_severity_filter_block (APMADD_APMDEL_SEVERITY)) + return; + + syslog_msg_init (&syslog_msg, NAT_FACILITY, APMADD_APMDEL_SEVERITY, + NAT_APPNAME, is_add ? APMADD_MSGID : APMDEL_MSGID); + + syslog_msg_sd_init (&syslog_msg, NAPMAP_SDID); + syslog_msg_add_sd_param (&syslog_msg, SSUBIX_SDPARAM_NAME, "%d", ssubix); + if (sv6enc) + { + syslog_msg_add_sd_param (&syslog_msg, SV6ENC_SDPARAM_NAME, "%U", + format_ip6_address, sv6enc); + } + else + { + fib = fib_table_get (sfibix, FIB_PROTOCOL_IP4); + syslog_msg_add_sd_param (&syslog_msg, SVLAN_SDPARAM_NAME, "%d", + fib->ft_table_id); + } + syslog_msg_add_sd_param (&syslog_msg, IATYP_SDPARAM_NAME, IATYP_IPV4); + syslog_msg_add_sd_param (&syslog_msg, ISADDR_SDPARAM_NAME, "%U", + format_ip4_address, isaddr); + syslog_msg_add_sd_param (&syslog_msg, ISPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (isport)); + syslog_msg_add_sd_param (&syslog_msg, XATYP_SDPARAM_NAME, IATYP_IPV4); + syslog_msg_add_sd_param (&syslog_msg, XSADDR_SDPARAM_NAME, "%U", + format_ip4_address, xsaddr); + syslog_msg_add_sd_param (&syslog_msg, XSPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (xsport)); + syslog_msg_add_sd_param (&syslog_msg, PROTO_SDPARAM_NAME, "%d", + nat_proto_to_ip_proto (proto)); + + syslog_msg_send (&syslog_msg); +} + +void +nat_syslog_nat44_apmadd (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto) +{ + nat_syslog_nat44_apmap (ssubix, sfibix, isaddr, isport, xsaddr, xsport, + proto, 1, 0); +} + +void +nat_syslog_nat44_apmdel (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto) +{ + nat_syslog_nat44_apmap (ssubix, sfibix, isaddr, isport, xsaddr, xsport, + proto, 0, 0); +} + +void +nat_syslog_dslite_apmadd (u32 ssubix, ip6_address_t * sv6enc, + ip4_address_t * isaddr, u16 
isport, + ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto) +{ + nat_syslog_nat44_apmap (ssubix, 0, isaddr, isport, xsaddr, xsport, + proto, 1, sv6enc); +} + +void +nat_syslog_dslite_apmdel (u32 ssubix, ip6_address_t * sv6enc, + ip4_address_t * isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto) +{ + nat_syslog_nat44_apmap (ssubix, 0, isaddr, isport, xsaddr, xsport, + proto, 0, sv6enc); +} + +static inline void +nat_syslog_nat44_sess (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * idaddr, u16 idport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto, u8 is_add, u8 is_twicenat) +{ + syslog_msg_t syslog_msg; + fib_table_t *fib; + + if (!syslog_is_enabled ()) + return; + + if (syslog_severity_filter_block (SADD_SDEL_SEVERITY)) + return; + + fib = fib_table_get (sfibix, FIB_PROTOCOL_IP4); + + syslog_msg_init (&syslog_msg, NAT_FACILITY, SADD_SDEL_SEVERITY, NAT_APPNAME, + is_add ? 
SADD_MSGID : SDEL_MSGID); + + syslog_msg_sd_init (&syslog_msg, NSESS_SDID); + syslog_msg_add_sd_param (&syslog_msg, SSUBIX_SDPARAM_NAME, "%d", ssubix); + syslog_msg_add_sd_param (&syslog_msg, SVLAN_SDPARAM_NAME, "%d", + fib->ft_table_id); + syslog_msg_add_sd_param (&syslog_msg, IATYP_SDPARAM_NAME, IATYP_IPV4); + syslog_msg_add_sd_param (&syslog_msg, ISADDR_SDPARAM_NAME, "%U", + format_ip4_address, isaddr); + syslog_msg_add_sd_param (&syslog_msg, ISPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (isport)); + syslog_msg_add_sd_param (&syslog_msg, XATYP_SDPARAM_NAME, IATYP_IPV4); + syslog_msg_add_sd_param (&syslog_msg, XSADDR_SDPARAM_NAME, "%U", + format_ip4_address, xsaddr); + syslog_msg_add_sd_param (&syslog_msg, XSPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (xsport)); + syslog_msg_add_sd_param (&syslog_msg, PROTO_SDPARAM_NAME, "%d", + nat_proto_to_ip_proto (proto)); + syslog_msg_add_sd_param (&syslog_msg, XDADDR_SDPARAM_NAME, "%U", + format_ip4_address, xdaddr); + syslog_msg_add_sd_param (&syslog_msg, XDPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (xdport)); + if (is_twicenat) + { + syslog_msg_add_sd_param (&syslog_msg, IDADDR_SDPARAM_NAME, "%U", + format_ip4_address, idaddr); + syslog_msg_add_sd_param (&syslog_msg, IDPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (idport)); + } + + syslog_msg_send (&syslog_msg); +} + +void +nat_syslog_nat44_sadd (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * idaddr, u16 idport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto, u8 is_twicenat) +{ + nat_syslog_nat44_sess (ssubix, sfibix, isaddr, isport, xsaddr, xsport, + idaddr, idport, xdaddr, xdport, proto, 1, + is_twicenat); +} + +void +nat_syslog_nat44_sdel (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * idaddr, u16 idport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto, u8 is_twicenat) +{ + 
nat_syslog_nat44_sess (ssubix, sfibix, isaddr, isport, xsaddr, xsport, + idaddr, idport, xdaddr, xdport, proto, 0, + is_twicenat); +} + +static inline void +nat_syslog_nat64_sess (u32 sfibix, ip6_address_t * isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto, u8 is_add) +{ + syslog_msg_t syslog_msg; + fib_table_t *fib; + + if (!syslog_is_enabled ()) + return; + + if (syslog_severity_filter_block (SADD_SDEL_SEVERITY)) + return; + + fib = fib_table_get (sfibix, FIB_PROTOCOL_IP6); + + syslog_msg_init (&syslog_msg, NAT_FACILITY, SADD_SDEL_SEVERITY, NAT_APPNAME, + is_add ? SADD_MSGID : SDEL_MSGID); + + syslog_msg_sd_init (&syslog_msg, NSESS_SDID); + syslog_msg_add_sd_param (&syslog_msg, SVLAN_SDPARAM_NAME, "%d", + fib->ft_table_id); + syslog_msg_add_sd_param (&syslog_msg, IATYP_SDPARAM_NAME, IATYP_IPV6); + syslog_msg_add_sd_param (&syslog_msg, ISADDR_SDPARAM_NAME, "%U", + format_ip6_address, isaddr); + syslog_msg_add_sd_param (&syslog_msg, ISPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (isport)); + syslog_msg_add_sd_param (&syslog_msg, XATYP_SDPARAM_NAME, IATYP_IPV4); + syslog_msg_add_sd_param (&syslog_msg, XSADDR_SDPARAM_NAME, "%U", + format_ip4_address, xsaddr); + syslog_msg_add_sd_param (&syslog_msg, XSPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (xsport)); + syslog_msg_add_sd_param (&syslog_msg, PROTO_SDPARAM_NAME, "%d", proto); + syslog_msg_add_sd_param (&syslog_msg, XDADDR_SDPARAM_NAME, "%U", + format_ip4_address, xdaddr); + syslog_msg_add_sd_param (&syslog_msg, XDPORT_SDPARAM_NAME, "%d", + clib_net_to_host_u16 (xdport)); + + syslog_msg_send (&syslog_msg); +} + +void +nat_syslog_nat64_sadd (u32 sfibix, ip6_address_t * isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto) +{ + nat_syslog_nat64_sess (sfibix, isaddr, isport, xsaddr, xsport, xdaddr, + xdport, proto, 1); +} + +void +nat_syslog_nat64_sdel (u32 sfibix, ip6_address_t 
* isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto) +{ + nat_syslog_nat64_sess (sfibix, isaddr, isport, xsaddr, xsport, xdaddr, + xdport, proto, 0); +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/lib/nat_syslog.h b/src/plugins/nat/lib/nat_syslog.h new file mode 100644 index 00000000000..9721664cf54 --- /dev/null +++ b/src/plugins/nat/lib/nat_syslog.h 
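Review bot: `nat_syslog_nat64_sess` emits the `PROTO` parameter as the raw argument (`"%d", proto`) while `nat_syslog_nat44_apmap` and `nat_syslog_nat44_sess` emit `nat_proto_to_ip_proto (proto)`, yet all three declare the parameter as `nat_protocol_t`; if the NAT64 callers really pass a `nat_protocol_t`, the SADD/SDEL record carries the internal enum value instead of the IP protocol number and a collector correlating these records would mis-attribute the flow. Either convert consistently, `syslog_msg_add_sd_param (&syslog_msg, PROTO_SDPARAM_NAME, "%d", nat_proto_to_ip_proto (proto));`, or, if NAT64 callers pass an IP protocol number, change the parameter type to `u8` in both the definition and nat_syslog.h so the contract is visible at the prototype. Separately, `fib_table_get (sfibix, ...)` is dereferenced for `ft_table_id` with no check that `sfibix` names an existing table; whether a stale or `~0` index faults there depends on `fib_table_get`, which is not shown, so a comment on the helpers stating that the caller guarantees a valid FIB index would at least make the precondition explicit.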
@@ -0,0 +1,73 @@ +/* + * Copyright (c) 2020 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT syslog logging + */ +#ifndef __included_nat_syslog_h__ +#define __included_nat_syslog_h__ + +#include <nat/lib/lib.h> + +void nat_syslog_nat44_apmadd (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto); + +void nat_syslog_nat44_apmdel (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto); + +void +nat_syslog_dslite_apmadd (u32 ssubix, ip6_address_t * sv6enc, + ip4_address_t * isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto); + +void +nat_syslog_dslite_apmdel (u32 ssubix, ip6_address_t * sv6enc, + ip4_address_t * isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + nat_protocol_t proto); + +void nat_syslog_nat44_sadd (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * idaddr, u16 idport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto, u8 is_twicenat); + +void nat_syslog_nat44_sdel (u32 ssubix, u32 sfibix, ip4_address_t * isaddr, + u16 isport, ip4_address_t * idaddr, u16 idport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto, u8 is_twicenat); + +void nat_syslog_nat64_sadd (u32 sfibix, ip6_address_t * 
isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto); + +void nat_syslog_nat64_sdel (u32 sfibix, ip6_address_t * isaddr, u16 isport, + ip4_address_t * xsaddr, u16 xsport, + ip4_address_t * xdaddr, u16 xdport, + nat_protocol_t proto); + +#endif /* __included_nat_syslog_h__ */ +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ |
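Review bot: The header exports eight entry points with no documentation of the argument contract, and two properties are only discoverable by reading nat_syslog.c: every port argument goes through `clib_net_to_host_u16` before formatting, so callers must pass ports in network byte order, and `sfibix` is handed straight to `fib_table_get` as a FIB table index whose `ft_table_id` is reported as SVLAN. I would put a Doxygen block on each prototype, e.g. `/** @param isport inside source port, network byte order */`, `/** @param sfibix inside FIB table index; its table id is logged as SVLAN */`, `/** @param ssubix subscriber index, logged as SSUBIX */`, and on the `dslite_*` pair note that the IPv6 softwire address `sv6enc` replaces SVLAN in the record. The `is_twicenat` flag on `nat_syslog_nat44_sadd`/`sdel` should also state that `idaddr`/`idport` are only emitted when it is set.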