aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins')
-rwxr-xr-xsrc/plugins/nat/in2out.c22
-rw-r--r--src/plugins/nat/nat64_db.c63
-rw-r--r--src/plugins/nat/nat64_db.h7
-rw-r--r--src/plugins/nat/nat_det.h3
-rw-r--r--src/plugins/nat/nat_ipfix_logging.c1197
-rw-r--r--src/plugins/nat/nat_ipfix_logging.h51
-rw-r--r--src/plugins/nat/nat_reass.c17
7 files changed, 1337 insertions, 23 deletions
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c
index b0dbbc8fa11..5f2f43f7f81 100755
--- a/src/plugins/nat/in2out.c
+++ b/src/plugins/nat/in2out.c
@@ -162,7 +162,7 @@ typedef enum {
/**
* @brief Check if packet should be translated
*
- * Packets aimed at outside interface and external addresss with active session
+ * Packets aimed at outside interface and external address with active session
* should be translated.
*
* @param sm NAT main
@@ -273,6 +273,7 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
{
b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
+ nat_ipfix_logging_max_sessions(sm->max_translations);
return SNAT_IN2OUT_NEXT_DROP;
}
@@ -294,13 +295,6 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
return SNAT_IN2OUT_NEXT_DROP;
}
- s = nat_session_alloc_or_recycle (sm, u, thread_index);
- if (!s)
- {
- clib_warning ("create NAT session failed");
- return SNAT_IN2OUT_NEXT_DROP;
- }
-
/* First try to match static mapping by local address and port */
if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0))
{
@@ -319,9 +313,17 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
else
{
u->nstaticsessions++;
- s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
}
+ s = nat_session_alloc_or_recycle (sm, u, thread_index);
+ if (!s)
+ {
+ clib_warning ("create NAT session failed");
+ return SNAT_IN2OUT_NEXT_DROP;
+ }
+
+ if (address_index == ~0)
+ s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
s->outside_address_index = address_index;
s->in2out = *key0;
s->out2in = key1;
@@ -1002,6 +1004,7 @@ snat_in2out_unknown_proto (snat_main_t *sm,
if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
{
b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
+ nat_ipfix_logging_max_sessions(sm->max_translations);
return 0;
}
@@ -1189,6 +1192,7 @@ snat_in2out_lb (snat_main_t *sm,
if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
{
b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
+ nat_ipfix_logging_max_sessions(sm->max_translations);
return 0;
}
diff --git a/src/plugins/nat/nat64_db.c b/src/plugins/nat/nat64_db.c
index 7ce28bc6c7f..3edc1a43006 100644
--- a/src/plugins/nat/nat64_db.c
+++ b/src/plugins/nat/nat64_db.c
@@ -17,6 +17,8 @@
* @brief NAT64 DB
*/
#include <nat/nat64_db.h>
+#include <nat/nat_ipfix_logging.h>
+#include <vnet/fib/fib_table.h>
int
nat64_db_init (nat64_db_t * db, u32 bib_buckets, u32 bib_memory_size,
@@ -36,6 +38,12 @@ nat64_db_init (nat64_db_t * db, u32 bib_buckets, u32 bib_memory_size,
st_memory_size);
db->free_addr_port_cb = free_addr_port_cb;
+ db->bib.limit = 10 * bib_buckets;
+ db->bib.bib_entries_num = 0;
+ db->st.limit = 10 * st_buckets;
+ db->st.st_entries_num = 0;
+ db->addr_free = 0;
+
return 0;
}
@@ -48,6 +56,14 @@ nat64_db_bib_entry_create (nat64_db_t * db, ip6_address_t * in_addr,
nat64_db_bib_entry_t *bibe;
nat64_db_bib_entry_key_t bibe_key;
clib_bihash_kv_24_8_t kv;
+ fib_table_t *fib;
+
+ if (db->bib.bib_entries_num >= db->bib.limit)
+ {
+ db->free_addr_port_cb (db, out_addr, out_port, proto);
+ nat_ipfix_logging_max_bibs (db->bib.limit);
+ return 0;
+ }
/* create pool entry */
switch (ip_proto_to_snat_proto (proto))
@@ -66,6 +82,9 @@ nat64_db_bib_entry_create (nat64_db_t * db, ip6_address_t * in_addr,
kv.value = bibe - db->bib._unk_proto_bib;
break;
}
+
+ db->bib.bib_entries_num++;
+
memset (bibe, 0, sizeof (*bibe));
bibe->in_addr.as_u64[0] = in_addr->as_u64[0];
bibe->in_addr.as_u64[1] = in_addr->as_u64[1];
@@ -97,6 +116,9 @@ nat64_db_bib_entry_create (nat64_db_t * db, ip6_address_t * in_addr,
kv.key[2] = bibe_key.as_u64[2];
clib_bihash_add_del_24_8 (&db->bib.out2in, &kv, 1);
+ fib = fib_table_get (bibe->fib_index, FIB_PROTOCOL_IP6);
+ nat_ipfix_logging_nat64_bib (in_addr, out_addr, proto, in_port, out_port,
+ fib->ft_table_id, 1);
return bibe;
}
@@ -108,6 +130,7 @@ nat64_db_bib_entry_free (nat64_db_t * db, nat64_db_bib_entry_t * bibe)
nat64_db_bib_entry_t *bib;
u32 *ste_to_be_free = 0, *ste_index, bibe_index;
nat64_db_st_entry_t *st, *ste;
+ fib_table_t *fib;
switch (ip_proto_to_snat_proto (bibe->proto))
{
@@ -126,6 +149,8 @@ nat64_db_bib_entry_free (nat64_db_t * db, nat64_db_bib_entry_t * bibe)
break;
}
+ db->bib.bib_entries_num--;
+
bibe_index = bibe - bib;
/* delete ST entries for static BIB entry */
@@ -162,7 +187,14 @@ nat64_db_bib_entry_free (nat64_db_t * db, nat64_db_bib_entry_t * bibe)
kv.key[2] = bibe_key.as_u64[2];
clib_bihash_add_del_24_8 (&db->bib.out2in, &kv, 0);
- db->free_addr_port_cb (db, &bibe->out_addr, bibe->out_port, bibe->proto);
+ if (!db->addr_free)
+ db->free_addr_port_cb (db, &bibe->out_addr, bibe->out_port, bibe->proto);
+
+ fib = fib_table_get (bibe->fib_index, FIB_PROTOCOL_IP6);
+ nat_ipfix_logging_nat64_bib (&bibe->in_addr, &bibe->out_addr, bibe->proto,
+ bibe->in_port, bibe->out_port,
+ fib->ft_table_id, 0);
+
/* delete from pool */
pool_put (bib, bibe);
@@ -344,6 +376,13 @@ nat64_db_st_entry_create (nat64_db_t * db, nat64_db_bib_entry_t * bibe,
nat64_db_bib_entry_t *bib;
nat64_db_st_entry_key_t ste_key;
clib_bihash_kv_48_8_t kv;
+ fib_table_t *fib;
+
+ if (db->st.st_entries_num >= db->st.limit)
+ {
+ nat_ipfix_logging_max_sessions (db->st.limit);
+ return 0;
+ }
/* create pool entry */
switch (ip_proto_to_snat_proto (bibe->proto))
@@ -364,6 +403,9 @@ nat64_db_st_entry_create (nat64_db_t * db, nat64_db_bib_entry_t * bibe,
bib = db->bib._unk_proto_bib;
break;
}
+
+ db->st.st_entries_num++;
+
memset (ste, 0, sizeof (*ste));
ste->in_r_addr.as_u64[0] = in_r_addr->as_u64[0];
ste->in_r_addr.as_u64[1] = in_r_addr->as_u64[1];
@@ -407,6 +449,13 @@ nat64_db_st_entry_create (nat64_db_t * db, nat64_db_bib_entry_t * bibe,
kv.key[5] = ste_key.as_u64[5];
clib_bihash_add_del_48_8 (&db->st.out2in, &kv, 1);
+ fib = fib_table_get (bibe->fib_index, FIB_PROTOCOL_IP6);
+ nat_ipfix_logging_nat64_session (&bibe->in_addr, &bibe->out_addr,
+ bibe->proto, bibe->in_port, bibe->out_port,
+ &ste->in_r_addr, &ste->out_r_addr,
+ ste->r_port, ste->r_port, fib->ft_table_id,
+ 1);
+
return ste;
}
@@ -417,6 +466,7 @@ nat64_db_st_entry_free (nat64_db_t * db, nat64_db_st_entry_t * ste)
nat64_db_bib_entry_t *bib, *bibe;
nat64_db_st_entry_key_t ste_key;
clib_bihash_kv_48_8_t kv;
+ fib_table_t *fib;
switch (ip_proto_to_snat_proto (ste->proto))
{
@@ -437,6 +487,8 @@ nat64_db_st_entry_free (nat64_db_t * db, nat64_db_st_entry_t * ste)
bibe = pool_elt_at_index (bib, ste->bibe_index);
+ db->st.st_entries_num--;
+
/* delete hash lookup */
memset (&ste_key, 0, sizeof (ste_key));
ste_key.l_addr.as_u64[0] = bibe->in_addr.as_u64[0];
@@ -469,6 +521,13 @@ nat64_db_st_entry_free (nat64_db_t * db, nat64_db_st_entry_t * ste)
kv.key[5] = ste_key.as_u64[5];
clib_bihash_add_del_48_8 (&db->st.out2in, &kv, 0);
+ fib = fib_table_get (bibe->fib_index, FIB_PROTOCOL_IP6);
+ nat_ipfix_logging_nat64_session (&bibe->in_addr, &bibe->out_addr,
+ bibe->proto, bibe->in_port, bibe->out_port,
+ &ste->in_r_addr, &ste->out_r_addr,
+ ste->r_port, ste->r_port, fib->ft_table_id,
+ 0);
+
/* delete from pool */
pool_put (st, ste);
@@ -613,6 +672,7 @@ nat64_db_free_out_addr (nat64_db_t * db, ip4_address_t * out_addr)
nat64_db_st_entry_t *st, *ste;
nat64_db_bib_entry_t *bibe;
+ db->addr_free = 1;
/* *INDENT-OFF* */
#define _(N, i, n, s) \
st = db->st._##n##_st; \
@@ -636,6 +696,7 @@ nat64_db_free_out_addr (nat64_db_t * db, ip4_address_t * out_addr)
vec_foreach (ste_index, ste_to_be_free)
nat64_db_st_entry_free (db, pool_elt_at_index(st, ste_index[0]));
vec_free (ste_to_be_free);
+ db->addr_free = 0;
/* *INDENT-ON* */
}
diff --git a/src/plugins/nat/nat64_db.h b/src/plugins/nat/nat64_db.h
index 4345fd30974..f1b93cf8928 100644
--- a/src/plugins/nat/nat64_db.h
+++ b/src/plugins/nat/nat64_db.h
@@ -68,6 +68,9 @@ typedef struct
/* BIB lookup */
clib_bihash_24_8_t in2out;
clib_bihash_24_8_t out2in;
+
+ u32 limit;
+ u32 bib_entries_num;
} nat64_db_bib_t;
typedef struct
@@ -115,6 +118,9 @@ typedef struct
/* session lookup */
clib_bihash_48_8_t in2out;
clib_bihash_48_8_t out2in;
+
+ u32 limit;
+ u32 st_entries_num;
} nat64_db_st_t;
struct nat64_db_s;
@@ -132,6 +138,7 @@ typedef struct nat64_db_s
nat64_db_bib_t bib;
nat64_db_st_t st;
nat64_db_free_addr_port_function_t free_addr_port_cb;
+ u8 addr_free;
} nat64_db_t;
/**
diff --git a/src/plugins/nat/nat_det.h b/src/plugins/nat/nat_det.h
index 2ab7f27eece..ce876bca9fb 100644
--- a/src/plugins/nat/nat_det.h
+++ b/src/plugins/nat/nat_det.h
@@ -171,7 +171,8 @@ snat_det_ses_create (snat_det_map_t * dm, ip4_address_t * in_addr,
}
}
- snat_ipfix_logging_max_entries_per_user (in_addr->as_u32);
+ snat_ipfix_logging_max_entries_per_user (SNAT_DET_SES_PER_USER,
+ in_addr->as_u32);
return 0;
}
diff --git a/src/plugins/nat/nat_ipfix_logging.c b/src/plugins/nat/nat_ipfix_logging.c
index 18430f5a7b8..ef1ab859d8d 100644
--- a/src/plugins/nat/nat_ipfix_logging.c
+++ b/src/plugins/nat/nat_ipfix_logging.c
@@ -17,18 +17,28 @@
#include <vnet/flow/flow_report.h>
#include <vlibmemory/api.h>
-#include <nat/nat.h>
#include <nat/nat_ipfix_logging.h>
snat_ipfix_logging_main_t snat_ipfix_logging_main;
#define NAT44_SESSION_CREATE_LEN 26
#define NAT_ADDRESSES_EXHAUTED_LEN 13
-#define MAX_ENTRIES_PER_USER_LEN 17
+#define MAX_ENTRIES_PER_USER_LEN 21
+#define MAX_SESSIONS_LEN 17
+#define MAX_BIBS_LEN 17
+#define MAX_FRAGMENTS_IP4_LEN 21
+#define MAX_FRAGMENTS_IP6_LEN 33
+#define NAT64_BIB_LEN 38
+#define NAT64_SES_LEN 62
#define NAT44_SESSION_CREATE_FIELD_COUNT 8
#define NAT_ADDRESSES_EXHAUTED_FIELD_COUNT 3
-#define MAX_ENTRIES_PER_USER_FIELD_COUNT 4
+#define MAX_ENTRIES_PER_USER_FIELD_COUNT 5
+#define MAX_SESSIONS_FIELD_COUNT 4
+#define MAX_BIBS_FIELD_COUNT 4
+#define MAX_FRAGMENTS_FIELD_COUNT 5
+#define NAT64_BIB_FIELD_COUNT 8
+#define NAT64_SES_FIELD_COUNT 12
typedef struct
{
@@ -48,9 +58,58 @@ typedef struct
typedef struct
{
+ u32 limit;
u32 src_ip;
} snat_ipfix_logging_max_entries_per_user_args_t;
+typedef struct
+{
+ u32 limit;
+} nat_ipfix_logging_max_sessions_args_t;
+
+typedef struct
+{
+ u32 limit;
+} nat_ipfix_logging_max_bibs_args_t;
+
+typedef struct
+{
+ u32 limit;
+ u32 src;
+} nat_ipfix_logging_max_frags_ip4_args_t;
+
+typedef struct
+{
+ u32 limit;
+ u64 src[2];
+} nat_ipfix_logging_max_frags_ip6_args_t;
+
+typedef struct
+{
+ u8 nat_event;
+ u64 src_ip[2];
+ u32 nat_src_ip;
+ u8 proto;
+ u16 src_port;
+ u16 nat_src_port;
+ u64 dst_ip[2];
+ u32 nat_dst_ip;
+ u32 vrf_id;
+ u16 dst_port;
+ u16 nat_dst_port;
+} nat_ipfix_logging_nat64_ses_args_t;
+
+typedef struct
+{
+ u8 nat_event;
+ u64 src_ip[2];
+ u32 nat_src_ip;
+ u8 proto;
+ u16 src_port;
+ u16 nat_src_port;
+ u32 vrf_id;
+} nat_ipfix_logging_nat64_bib_args_t;
+
#define skip_if_disabled() \
do { \
snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main; \
@@ -105,6 +164,16 @@ snat_template_rewrite (flow_report_main_t * frm,
field_count = NAT44_SESSION_CREATE_FIELD_COUNT;
silm->nat44_session_template_id = fr->template_id;
}
+ else if (event == NAT64_BIB_CREATE)
+ {
+ field_count = NAT64_BIB_FIELD_COUNT;
+ silm->nat64_bib_template_id = fr->template_id;
+ }
+ else if (event == NAT64_SESSION_CREATE)
+ {
+ field_count = NAT64_SES_FIELD_COUNT;
+ silm->nat64_ses_template_id = fr->template_id;
+ }
else if (event == QUOTA_EXCEEDED)
{
if (quota_event == MAX_ENTRIES_PER_USER)
@@ -112,6 +181,26 @@ snat_template_rewrite (flow_report_main_t * frm,
field_count = MAX_ENTRIES_PER_USER_FIELD_COUNT;
silm->max_entries_per_user_template_id = fr->template_id;
}
+ else if (quota_event == MAX_SESSION_ENTRIES)
+ {
+ field_count = MAX_SESSIONS_FIELD_COUNT;
+ silm->max_sessions_template_id = fr->template_id;
+ }
+ else if (quota_event == MAX_BIB_ENTRIES)
+ {
+ field_count = MAX_BIBS_FIELD_COUNT;
+ silm->max_bibs_template_id = fr->template_id;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY)
+ {
+ field_count = MAX_FRAGMENTS_FIELD_COUNT;
+ silm->max_frags_ip4_template_id = fr->template_id;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6)
+ {
+ field_count = MAX_FRAGMENTS_FIELD_COUNT;
+ silm->max_frags_ip6_template_id = fr->template_id;
+ }
}
/* allocate rewrite space */
@@ -169,6 +258,53 @@ snat_template_rewrite (flow_report_main_t * frm,
f->e_id_length = ipfix_e_id_length (0, ingressVRFID, 4);
f++;
}
+ else if (event == NAT64_BIB_CREATE)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds, 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNATSourceIPv4Address, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, protocolIdentifier, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNAPTSourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, ingressVRFID, 4);
+ f++;
+ }
+ else if (event == NAT64_SESSION_CREATE)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds, 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNATSourceIPv4Address, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, protocolIdentifier, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNAPTSourceTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, destinationIPv6Address, 16);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNATDestinationIPv4Address, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, destinationTransportPort, 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, postNAPTDestinationTransportPort,
+ 2);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, ingressVRFID, 4);
+ f++;
+ }
else if (event == QUOTA_EXCEEDED)
{
if (quota_event == MAX_ENTRIES_PER_USER)
@@ -180,9 +316,65 @@ snat_template_rewrite (flow_report_main_t * frm,
f++;
f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
f++;
+ f->e_id_length = ipfix_e_id_length (0, maxEntriesPerUser, 4);
+ f++;
f->e_id_length = ipfix_e_id_length (0, sourceIPv4Address, 4);
f++;
}
+ else if (quota_event == MAX_SESSION_ENTRIES)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxSessionEntries, 4);
+ f++;
+ }
+ else if (quota_event == MAX_BIB_ENTRIES)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxBIBEntries, 4);
+ f++;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly,
+ 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv4Address, 4);
+ f++;
+ }
+ else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6)
+ {
+ f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
+ 8);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly,
+ 4);
+ f++;
+ f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16);
+ f++;
+ }
}
/* Back to the template packet... */
@@ -240,6 +432,76 @@ snat_template_rewrite_max_entries_per_usr (flow_report_main_t * frm,
MAX_ENTRIES_PER_USER);
}
+u8 *
+nat_template_rewrite_max_sessions (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_SESSION_ENTRIES);
+}
+
+u8 *
+nat_template_rewrite_max_bibs (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_BIB_ENTRIES);
+}
+
+u8 *
+nat_template_rewrite_max_frags_ip4 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_FRAGMENTS_PENDING_REASSEMBLY);
+}
+
+u8 *
+nat_template_rewrite_max_frags_ip6 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, QUOTA_EXCEEDED,
+ MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6);
+}
+
+u8 *
+nat_template_rewrite_nat64_bib (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, NAT64_BIB_CREATE, 0);
+}
+
+u8 *
+nat_template_rewrite_nat64_session (flow_report_main_t * frm,
+ flow_report_t * fr,
+ ip4_address_t * collector_address,
+ ip4_address_t * src_address,
+ u16 collector_port)
+{
+ return snat_template_rewrite (frm, fr, collector_address, src_address,
+ collector_port, NAT64_SESSION_CREATE, 0);
+}
+
static inline void
snat_ipfix_header_create (flow_report_main_t * frm,
vlib_buffer_t * b0, u32 * offset)
@@ -518,7 +780,7 @@ snat_ipfix_logging_addr_exhausted (u32 pool_id, int do_flush)
}
static void
-snat_ipfix_logging_max_entries_per_usr (u32 src_ip, int do_flush)
+snat_ipfix_logging_max_entries_per_usr (u32 limit, u32 src_ip, int do_flush)
{
snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
flow_report_main_t *frm = &flow_report_main;
@@ -590,6 +852,9 @@ snat_ipfix_logging_max_entries_per_usr (u32 src_ip, int do_flush)
clib_memcpy (b0->data + offset, &quota_event, sizeof (quota_event));
offset += sizeof (quota_event);
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
clib_memcpy (b0->data + offset, &src_ip, sizeof (src_ip));
offset += sizeof (src_ip);
@@ -608,6 +873,590 @@ snat_ipfix_logging_max_entries_per_usr (u32 src_ip, int do_flush)
}
static void
+nat_ipfix_logging_max_ses (u32 limit, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_SESSION_ENTRIES;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->max_sessions_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->max_sessions_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_sessions_next_record_offset;
+ }
+
+ f = silm->max_sessions_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_sessions_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, &quota_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ b0->current_length += MAX_SESSIONS_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_SESSIONS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_sessions_template_id);
+ silm->max_sessions_frame = 0;
+ silm->max_sessions_buffer = 0;
+ offset = 0;
+ }
+ silm->max_sessions_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_max_bib (u32 limit, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_BIB_ENTRIES;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->max_bibs_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->max_bibs_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_bibs_next_record_offset;
+ }
+
+ f = silm->max_bibs_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_bibs_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, &quota_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ b0->current_length += MAX_BIBS_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_bibs_template_id);
+ silm->max_bibs_frame = 0;
+ silm->max_bibs_buffer = 0;
+ offset = 0;
+ }
+ silm->max_bibs_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip4 (u32 limit, u32 src, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->max_frags_ip4_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->max_frags_ip4_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_frags_ip4_next_record_offset;
+ }
+
+ f = silm->max_frags_ip4_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_frags_ip4_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, &quota_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ clib_memcpy (b0->data + offset, &src, sizeof (src));
+ offset += sizeof (src);
+
+ b0->current_length += MAX_FRAGMENTS_IP4_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_frags_ip4_template_id);
+ silm->max_frags_ip4_frame = 0;
+ silm->max_frags_ip4_buffer = 0;
+ offset = 0;
+ }
+ silm->max_frags_ip4_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip6 (u32 limit, ip6_address_t * src, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+ u8 nat_event = QUOTA_EXCEEDED;
+ u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->max_frags_ip6_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->max_frags_ip6_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->max_frags_ip6_next_record_offset;
+ }
+
+ f = silm->max_frags_ip6_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->max_frags_ip6_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, &quota_event, sizeof (quota_event));
+ offset += sizeof (quota_event);
+
+ clib_memcpy (b0->data + offset, &limit, sizeof (limit));
+ offset += sizeof (limit);
+
+ clib_memcpy (b0->data + offset, src, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ b0->current_length += MAX_FRAGMENTS_IP6_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->max_frags_ip6_template_id);
+ silm->max_frags_ip6_frame = 0;
+ silm->max_frags_ip6_buffer = 0;
+ offset = 0;
+ }
+ silm->max_frags_ip6_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_nat64_bibe (u8 nat_event, ip6_address_t * src_ip,
+ u32 nat_src_ip, u8 proto, u16 src_port,
+ u16 nat_src_port, u32 vrf_id, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->nat64_bib_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->nat64_bib_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->nat64_bib_next_record_offset;
+ }
+
+ f = silm->nat64_bib_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->nat64_bib_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, src_ip, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ clib_memcpy (b0->data + offset, &nat_src_ip, sizeof (nat_src_ip));
+ offset += sizeof (nat_src_ip);
+
+ clib_memcpy (b0->data + offset, &proto, sizeof (proto));
+ offset += sizeof (proto);
+
+ clib_memcpy (b0->data + offset, &src_port, sizeof (src_port));
+ offset += sizeof (src_port);
+
+ clib_memcpy (b0->data + offset, &nat_src_port, sizeof (nat_src_port));
+ offset += sizeof (nat_src_port);
+
+ clib_memcpy (b0->data + offset, &vrf_id, sizeof (vrf_id));
+ offset += sizeof (vrf_id);
+
+ b0->current_length += NAT64_BIB_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + NAT64_BIB_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->nat64_bib_template_id);
+ silm->nat64_bib_frame = 0;
+ silm->nat64_bib_buffer = 0;
+ offset = 0;
+ }
+ silm->nat64_bib_next_record_offset = offset;
+}
+
+static void
+nat_ipfix_logging_nat64_ses (u8 nat_event, ip6_address_t * src_ip,
+ u32 nat_src_ip, u8 proto, u16 src_port,
+ u16 nat_src_port, ip6_address_t * dst_ip,
+ u32 nat_dst_ip, u16 dst_port, u16 nat_dst_port,
+ u32 vrf_id, int do_flush)
+{
+ snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
+ flow_report_main_t *frm = &flow_report_main;
+ vlib_frame_t *f;
+ vlib_buffer_t *b0 = 0;
+ u32 bi0 = ~0;
+ u32 offset;
+ vlib_main_t *vm = frm->vlib_main;
+ u64 now;
+ vlib_buffer_free_list_t *fl;
+
+ if (!silm->enabled)
+ return;
+
+ now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
+ now += silm->milisecond_time_0;
+
+ b0 = silm->nat64_ses_buffer;
+
+ if (PREDICT_FALSE (b0 == 0))
+ {
+ if (do_flush)
+ return;
+
+ if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
+ {
+ clib_warning ("can't allocate buffer for NAT IPFIX event");
+ return;
+ }
+
+ b0 = silm->nat64_ses_buffer = vlib_get_buffer (vm, bi0);
+ fl =
+ vlib_buffer_get_free_list (vm, VLIB_BUFFER_DEFAULT_FREE_LIST_INDEX);
+ vlib_buffer_init_for_free_list (b0, fl);
+ VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
+ offset = 0;
+ }
+ else
+ {
+ bi0 = vlib_get_buffer_index (vm, b0);
+ offset = silm->nat64_ses_next_record_offset;
+ }
+
+ f = silm->nat64_ses_frame;
+ if (PREDICT_FALSE (f == 0))
+ {
+ u32 *to_next;
+ f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
+ silm->nat64_ses_frame = f;
+ to_next = vlib_frame_vector_args (f);
+ to_next[0] = bi0;
+ f->n_vectors = 1;
+ }
+
+ if (PREDICT_FALSE (offset == 0))
+ snat_ipfix_header_create (frm, b0, &offset);
+
+ if (PREDICT_TRUE (do_flush == 0))
+ {
+ u64 time_stamp = clib_host_to_net_u64 (now);
+ clib_memcpy (b0->data + offset, &time_stamp, sizeof (time_stamp));
+ offset += sizeof (time_stamp);
+
+ clib_memcpy (b0->data + offset, &nat_event, sizeof (nat_event));
+ offset += sizeof (nat_event);
+
+ clib_memcpy (b0->data + offset, src_ip, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ clib_memcpy (b0->data + offset, &nat_src_ip, sizeof (nat_src_ip));
+ offset += sizeof (nat_src_ip);
+
+ clib_memcpy (b0->data + offset, &proto, sizeof (proto));
+ offset += sizeof (proto);
+
+ clib_memcpy (b0->data + offset, &src_port, sizeof (src_port));
+ offset += sizeof (src_port);
+
+ clib_memcpy (b0->data + offset, &nat_src_port, sizeof (nat_src_port));
+ offset += sizeof (nat_src_port);
+
+ clib_memcpy (b0->data + offset, dst_ip, sizeof (ip6_address_t));
+ offset += sizeof (ip6_address_t);
+
+ clib_memcpy (b0->data + offset, &nat_dst_ip, sizeof (nat_dst_ip));
+ offset += sizeof (nat_dst_ip);
+
+ clib_memcpy (b0->data + offset, &dst_port, sizeof (dst_port));
+ offset += sizeof (dst_port);
+
+ clib_memcpy (b0->data + offset, &nat_dst_port, sizeof (nat_dst_port));
+ offset += sizeof (nat_dst_port);
+
+ clib_memcpy (b0->data + offset, &vrf_id, sizeof (vrf_id));
+ offset += sizeof (vrf_id);
+
+ b0->current_length += NAT64_SES_LEN;
+ }
+
+ if (PREDICT_FALSE
+ (do_flush || (offset + NAT64_SES_LEN) > frm->path_mtu))
+ {
+ snat_ipfix_send (frm, f, b0, silm->nat64_ses_template_id);
+ silm->nat64_ses_frame = 0;
+ silm->nat64_ses_buffer = 0;
+ offset = 0;
+ }
+ silm->nat64_ses_next_record_offset = offset;
+}
+
+static void
snat_ipfix_logging_nat44_ses_rpc_cb (snat_ipfix_logging_nat44_ses_args_t * a)
{
snat_ipfix_logging_nat44_ses (a->nat_event, a->src_ip, a->nat_src_ip,
@@ -731,22 +1580,24 @@ static void
snat_ipfix_logging_max_entries_per_usr_rpc_cb
(snat_ipfix_logging_max_entries_per_user_args_t * a)
{
- snat_ipfix_logging_max_entries_per_usr (a->src_ip, 0);
+ snat_ipfix_logging_max_entries_per_usr (a->limit, a->src_ip, 0);
}
/**
* @brief Generate maximum entries per user exceeded event
*
+ * @param limit maximum NAT entries that can be created per user
* @param src_ip source IPv4 address
*/
void
-snat_ipfix_logging_max_entries_per_user (u32 src_ip)
+snat_ipfix_logging_max_entries_per_user (u32 limit, u32 src_ip)
{
//TODO: This event SHOULD be rate limited
snat_ipfix_logging_max_entries_per_user_args_t a;
skip_if_disabled ();
+ a.limit = limit;
a.src_ip = src_ip;
vl_api_rpc_call_main_thread (snat_ipfix_logging_max_entries_per_usr_rpc_cb,
@@ -759,7 +1610,279 @@ snat_data_callback_max_entries_per_usr (flow_report_main_t * frm,
vlib_frame_t * f,
u32 * to_next, u32 node_index)
{
- snat_ipfix_logging_max_entries_per_usr (0, 1);
+ snat_ipfix_logging_max_entries_per_usr (0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_ses_rpc_cb (nat_ipfix_logging_max_sessions_args_t * a)
+{
+ nat_ipfix_logging_max_ses (a->limit, 0);
+}
+
+/**
+ * @brief Generate maximum session entries exceeded event
+ *
+ * @param limit configured limit
+ */
+void
+nat_ipfix_logging_max_sessions (u32 limit)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_sessions_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_ses_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_sessions (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_ses (0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_bib_rpc_cb (nat_ipfix_logging_max_bibs_args_t * a)
+{
+ nat_ipfix_logging_max_bib (a->limit, 0);
+}
+
+/**
+ * @brief Generate maximum BIB entries exceeded event
+ *
+ * @param limit configured limit
+ */
+void
+nat_ipfix_logging_max_bibs (u32 limit)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_bibs_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_bib_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_bibs (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_bib (0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip4_rpc_cb (nat_ipfix_logging_max_frags_ip4_args_t * a)
+{
+ nat_ipfix_logging_max_frag_ip4 (a->limit, a->src, 0);
+}
+
+/**
+ * @brief Generate maximum IPv4 fragments pending reassembly exceeded event
+ *
+ * @param limit configured limit
+ * @param src source IPv4 address
+ */
+void
+nat_ipfix_logging_max_fragments_ip4 (u32 limit, ip4_address_t * src)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_frags_ip4_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+ a.src = src->as_u32;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_frag_ip4_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_frags_ip4 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_frag_ip4 (0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_max_frag_ip6_rpc_cb (nat_ipfix_logging_max_frags_ip6_args_t * a)
+{
+ ip6_address_t src;
+ src.as_u64[0] = a->src[0];
+ src.as_u64[1] = a->src[1];
+ nat_ipfix_logging_max_frag_ip6 (a->limit, &src, 0);
+}
+
+/**
+ * @brief Generate maximum IPv6 fragments pending reassembly exceeded event
+ *
+ * @param limit configured limit
+ * @param src source IPv6 address
+ */
+void
+nat_ipfix_logging_max_fragments_ip6 (u32 limit, ip6_address_t * src)
+{
+ //TODO: This event SHOULD be rate limited
+ nat_ipfix_logging_max_frags_ip6_args_t a;
+
+ skip_if_disabled ();
+
+ a.limit = limit;
+ a.src[0] = src->as_u64[0];
+ a.src[1] = src->as_u64[1];
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_max_frag_ip6_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_max_frags_ip6 (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_max_frag_ip6 (0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_nat64_bib_rpc_cb (nat_ipfix_logging_nat64_bib_args_t * a)
+{
+ ip6_address_t src_ip;
+ src_ip.as_u64[0] = a->src_ip[0];
+ src_ip.as_u64[1] = a->src_ip[1];
+ nat_ipfix_logging_nat64_bibe (a->nat_event, &src_ip, a->nat_src_ip,
+ a->proto, a->src_port, a->nat_src_port,
+ a->vrf_id, 0);
+}
+
+/**
+ * @brief Generate NAT64 BIB create and delete events
+ *
+ * @param src_ip source IPv6 address
+ * @param nat_src_ip transaltes source IPv4 address
+ * @param proto L4 protocol
+ * @param src_port source port
+ * @param nat_src_port translated source port
+ * @param vrf_id VRF ID
+ * @param is_create non-zero value if create event otherwise delete event
+ */
+void
+nat_ipfix_logging_nat64_bib (ip6_address_t * src_ip,
+ ip4_address_t * nat_src_ip, u8 proto,
+ u16 src_port, u16 nat_src_port, u32 vrf_id,
+ u8 is_create)
+{
+ nat_ipfix_logging_nat64_bib_args_t a;
+
+ skip_if_disabled ();
+
+ a.src_ip[0] = src_ip->as_u64[0];
+ a.src_ip[1] = src_ip->as_u64[1];
+ a.nat_src_ip = nat_src_ip->as_u32;
+ a.proto = proto;
+ a.src_port = src_port;
+ a.nat_src_port = nat_src_port;
+ a.vrf_id = vrf_id;
+ a.nat_event = is_create ? NAT64_BIB_CREATE : NAT64_BIB_DELETE;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_nat64_bib_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_nat64_bib (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_nat64_bibe (0, 0, 0, 0, 0, 0, 0, 1);
+ return f;
+}
+
+static void
+nat_ipfix_logging_nat64_ses_rpc_cb (nat_ipfix_logging_nat64_ses_args_t * a)
+{
+ ip6_address_t src_ip, dst_ip;
+ src_ip.as_u64[0] = a->src_ip[0];
+ src_ip.as_u64[1] = a->src_ip[1];
+ dst_ip.as_u64[0] = a->dst_ip[0];
+ dst_ip.as_u64[1] = a->dst_ip[1];
+ nat_ipfix_logging_nat64_ses (a->nat_event, &src_ip, a->nat_src_ip,
+ a->proto, a->src_port, a->nat_src_port,
+ &dst_ip, a->nat_dst_ip, a->dst_port,
+ a->nat_dst_port, a->vrf_id, 0);
+}
+
+/**
+ * @brief Generate NAT64 session create and delete events
+ *
+ * @param src_ip source IPv6 address
+ * @param nat_src_ip transaltes source IPv4 address
+ * @param proto L4 protocol
+ * @param src_port source port
+ * @param nat_src_port translated source port
+ * @param dst_ip destination IPv6 address
+ * @param nat_dst_ip destination IPv4 address
+ * @param dst_port destination port
+ * @param nat_dst_port translated destination port
+ * @param vrf_id VRF ID
+ * @param is_create non-zero value if create event otherwise delete event
+ */
+void
+nat_ipfix_logging_nat64_session (ip6_address_t * src_ip,
+ ip4_address_t * nat_src_ip, u8 proto,
+ u16 src_port, u16 nat_src_port,
+ ip6_address_t * dst_ip,
+ ip4_address_t * nat_dst_ip, u16 dst_port,
+ u16 nat_dst_port, u32 vrf_id, u8 is_create)
+{
+ nat_ipfix_logging_nat64_ses_args_t a;
+
+ skip_if_disabled ();
+
+ a.src_ip[0] = src_ip->as_u64[0];
+ a.src_ip[1] = src_ip->as_u64[1];
+ a.nat_src_ip = nat_src_ip->as_u32;
+ a.proto = proto;
+ a.src_port = src_port;
+ a.nat_src_port = nat_src_port;
+ a.dst_ip[0] = dst_ip->as_u64[0];
+ a.dst_ip[1] = dst_ip->as_u64[1];
+ a.nat_dst_ip = nat_dst_ip->as_u32;
+ a.dst_port = dst_port;
+ a.nat_dst_port = nat_dst_port;
+ a.vrf_id = vrf_id;
+ a.nat_event = is_create ? NAT64_SESSION_CREATE : NAT64_SESSION_DELETE;
+
+ vl_api_rpc_call_main_thread (nat_ipfix_logging_nat64_ses_rpc_cb,
+ (u8 *) & a, sizeof (a));
+}
+
+vlib_frame_t *
+nat_data_callback_nat64_session (flow_report_main_t * frm,
+ flow_report_t * fr,
+ vlib_frame_t * f,
+ u32 * to_next, u32 node_index)
+{
+ nat_ipfix_logging_nat64_ses (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1);
return f;
}
@@ -825,6 +1948,66 @@ snat_ipfix_logging_enable_disable (int enable, u32 domain_id, u16 src_port)
clib_warning ("vnet_flow_report_add_del returned %d", rv);
return -1;
}
+
+ a.rewrite_callback = nat_template_rewrite_max_sessions;
+ a.flow_data_callback = nat_data_callback_max_sessions;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_max_bibs;
+ a.flow_data_callback = nat_data_callback_max_bibs;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_max_frags_ip4;
+ a.flow_data_callback = nat_data_callback_max_frags_ip4;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_max_frags_ip6;
+ a.flow_data_callback = nat_data_callback_max_frags_ip6;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_nat64_bib;
+ a.flow_data_callback = nat_data_callback_nat64_bib;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
+
+ a.rewrite_callback = nat_template_rewrite_nat64_session;
+ a.flow_data_callback = nat_data_callback_nat64_session;
+
+ rv = vnet_flow_report_add_del (frm, &a, NULL);
+ if (rv)
+ {
+ clib_warning ("vnet_flow_report_add_del returned %d", rv);
+ return -1;
+ }
}
return 0;
diff --git a/src/plugins/nat/nat_ipfix_logging.h b/src/plugins/nat/nat_ipfix_logging.h
index 6dbf6627fba..0750149d7a5 100644
--- a/src/plugins/nat/nat_ipfix_logging.h
+++ b/src/plugins/nat/nat_ipfix_logging.h
@@ -17,16 +17,26 @@
#ifndef __included_nat_ipfix_logging_h__
#define __included_nat_ipfix_logging_h__
+#include <nat/nat.h>
+
typedef enum {
NAT_ADDRESSES_EXHAUTED = 3,
NAT44_SESSION_CREATE = 4,
NAT44_SESSION_DELETE = 5,
+ NAT64_SESSION_CREATE = 6,
+ NAT64_SESSION_DELETE = 7,
+ NAT64_BIB_CREATE = 10,
+ NAT64_BIB_DELETE = 11,
NAT_PORTS_EXHAUSTED = 12,
QUOTA_EXCEEDED = 13,
} nat_event_t;
typedef enum {
+ MAX_SESSION_ENTRIES = 1,
+ MAX_BIB_ENTRIES = 2,
MAX_ENTRIES_PER_USER = 3,
+ MAX_FRAGMENTS_PENDING_REASSEMBLY = 5,
+ MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6,
} quota_exceed_event_t;
typedef struct {
@@ -37,16 +47,34 @@ typedef struct {
vlib_buffer_t *nat44_session_buffer;
vlib_buffer_t *addr_exhausted_buffer;
vlib_buffer_t *max_entries_per_user_buffer;
+ vlib_buffer_t *max_sessions_buffer;
+ vlib_buffer_t *max_bibs_buffer;
+ vlib_buffer_t *max_frags_ip4_buffer;
+ vlib_buffer_t *max_frags_ip6_buffer;
+ vlib_buffer_t *nat64_bib_buffer;
+ vlib_buffer_t *nat64_ses_buffer;
/** frames containing ipfix buffers */
vlib_frame_t *nat44_session_frame;
vlib_frame_t *addr_exhausted_frame;
vlib_frame_t *max_entries_per_user_frame;
+ vlib_frame_t *max_sessions_frame;
+ vlib_frame_t *max_bibs_frame;
+ vlib_frame_t *max_frags_ip4_frame;
+ vlib_frame_t *max_frags_ip6_frame;
+ vlib_frame_t *nat64_bib_frame;
+ vlib_frame_t *nat64_ses_frame;
/** next record offset */
u32 nat44_session_next_record_offset;
u32 addr_exhausted_next_record_offset;
u32 max_entries_per_user_next_record_offset;
+ u32 max_sessions_next_record_offset;
+ u32 max_bibs_next_record_offset;
+ u32 max_frags_ip4_next_record_offset;
+ u32 max_frags_ip6_next_record_offset;
+ u32 nat64_bib_next_record_offset;
+ u32 nat64_ses_next_record_offset;
/** Time reference pair */
u64 milisecond_time_0;
@@ -56,6 +84,12 @@ typedef struct {
u16 nat44_session_template_id;
u16 addr_exhausted_template_id;
u16 max_entries_per_user_template_id;
+ u16 max_sessions_template_id;
+ u16 max_bibs_template_id;
+ u16 max_frags_ip4_template_id;
+ u16 max_frags_ip6_template_id;
+ u16 nat64_bib_template_id;
+ u16 nat64_ses_template_id;
/** stream index */
u32 stream_index;
@@ -74,6 +108,21 @@ void snat_ipfix_logging_nat44_ses_delete (u32 src_ip, u32 nat_src_ip,
u16 src_port, u16 nat_src_port,
u32 vrf_id);
void snat_ipfix_logging_addresses_exhausted(u32 pool_id);
-void snat_ipfix_logging_max_entries_per_user(u32 src_ip);
+void snat_ipfix_logging_max_entries_per_user(u32 limit, u32 src_ip);
+void nat_ipfix_logging_max_sessions(u32 limit);
+void nat_ipfix_logging_max_bibs(u32 limit);
+void nat_ipfix_logging_max_fragments_ip4(u32 limit, ip4_address_t * src);
+void nat_ipfix_logging_max_fragments_ip6(u32 limit, ip6_address_t * src);
+void nat_ipfix_logging_nat64_session(ip6_address_t * src_ip,
+ ip4_address_t * nat_src_ip, u8 proto,
+ u16 src_port, u16 nat_src_port,
+ ip6_address_t * dst_ip,
+ ip4_address_t * nat_dst_ip,
+ u16 dst_port, u16 nat_dst_port,
+ u32 vrf_id, u8 is_create);
+void nat_ipfix_logging_nat64_bib(ip6_address_t * src_ip,
+ ip4_address_t * nat_src_ip, u8 proto,
+ u16 src_port, u16 nat_src_port,
+ u32 vrf_id, u8 is_create);
#endif /* __included_nat_ipfix_logging_h__ */
diff --git a/src/plugins/nat/nat_reass.c b/src/plugins/nat/nat_reass.c
index a97d8f017e9..0a3660d9200 100644
--- a/src/plugins/nat/nat_reass.c
+++ b/src/plugins/nat/nat_reass.c
@@ -19,6 +19,7 @@
#include <vnet/vnet.h>
#include <nat/nat_reass.h>
+#include <nat/nat_ipfix_logging.h>
nat_reass_main_t nat_reass_main;
@@ -325,7 +326,11 @@ nat_ip4_reass_add_fragment (nat_reass_ip4_t * reass, u32 bi)
u32 elt_index;
if (reass->frag_n >= srm->ip4_max_frag)
- return -1;
+ {
+ nat_ipfix_logging_max_fragments_ip4 (srm->ip4_max_frag,
+ &reass->key.src);
+ return -1;
+ }
clib_spinlock_lock_if_init (&srm->ip4_reass_lock);
@@ -517,7 +522,11 @@ nat_ip6_reass_add_fragment (nat_reass_ip6_t * reass, u32 bi)
u32 elt_index;
if (reass->frag_n >= srm->ip6_max_frag)
- return -1;
+ {
+ nat_ipfix_logging_max_fragments_ip6 (srm->ip6_max_frag,
+ &reass->key.src);
+ return -1;
+ }
clib_spinlock_lock_if_init (&srm->ip6_reass_lock);
@@ -718,7 +727,7 @@ show_nat_reass_command_fn (vlib_main_t * vm, unformat_input_t * input,
{
vlib_cli_output (vm, "NAT IPv4 virtual fragmentation reassembly is %s",
nat_reass_is_drop_frag (0) ? "DISABLED" : "ENABLED");
- vlib_cli_output (vm, " max-reasssemblies %u", nat_reass_get_max_reass (0));
+ vlib_cli_output (vm, " max-reassemblies %u", nat_reass_get_max_reass (0));
vlib_cli_output (vm, " max-fragments %u", nat_reass_get_max_frag (0));
vlib_cli_output (vm, " timeout %usec", nat_reass_get_timeout (0));
vlib_cli_output (vm, " reassemblies:");
@@ -726,7 +735,7 @@ show_nat_reass_command_fn (vlib_main_t * vm, unformat_input_t * input,
vlib_cli_output (vm, "NAT IPv6 virtual fragmentation reassembly is %s",
nat_reass_is_drop_frag (1) ? "DISABLED" : "ENABLED");
- vlib_cli_output (vm, " max-reasssemblies %u", nat_reass_get_max_reass (1));
+ vlib_cli_output (vm, " max-reassemblies %u", nat_reass_get_max_reass (1));
vlib_cli_output (vm, " max-fragments %u", nat_reass_get_max_frag (1));
vlib_cli_output (vm, " timeout %usec", nat_reass_get_timeout (1));
vlib_cli_output (vm, " reassemblies:");