From 96068d6b94207435f9c9619e2ce7921ebc812ade Mon Sep 17 00:00:00 2001 From: Ole Troan Date: Wed, 1 Jul 2020 13:16:16 +0200 Subject: nat: nat66 to plugin Type: refactor Change-Id: I8c1f0c02a4522c1f9e461ddadd59938579ec00c6 Signed-off-by: Ole Troan --- src/plugins/nat/CMakeLists.txt | 27 ++- src/plugins/nat/nat.api | 97 +---------- src/plugins/nat/nat.c | 8 - src/plugins/nat/nat66.c | 251 --------------------------- src/plugins/nat/nat66.h | 92 ---------- src/plugins/nat/nat66/nat66.api | 99 +++++++++++ src/plugins/nat/nat66/nat66.c | 284 +++++++++++++++++++++++++++++++ src/plugins/nat/nat66/nat66.h | 123 ++++++++++++++ src/plugins/nat/nat66/nat66_api.c | 174 +++++++++++++++++++ src/plugins/nat/nat66/nat66_cli.c | 319 ++++++++++++++++++++++++++++++++++ src/plugins/nat/nat66/nat66_in2out.c | 262 ++++++++++++++++++++++++++++ src/plugins/nat/nat66/nat66_out2in.c | 220 ++++++++++++++++++++++++ src/plugins/nat/nat66_cli.c | 320 ----------------------------------- src/plugins/nat/nat66_in2out.c | 262 ---------------------------- src/plugins/nat/nat66_out2in.c | 220 ------------------------ src/plugins/nat/nat_api.c | 195 +-------------------- src/plugins/nat/nat_types.api | 29 ++++ src/plugins/nat/test/test_nat.py | 153 ----------------- src/plugins/nat/test/test_nat66.py | 196 +++++++++++++++++++++ 19 files changed, 1729 insertions(+), 1602 deletions(-) delete mode 100644 src/plugins/nat/nat66.c delete mode 100644 src/plugins/nat/nat66.h create mode 100644 src/plugins/nat/nat66/nat66.api create mode 100644 src/plugins/nat/nat66/nat66.c create mode 100644 src/plugins/nat/nat66/nat66.h create mode 100644 src/plugins/nat/nat66/nat66_api.c create mode 100644 src/plugins/nat/nat66/nat66_cli.c create mode 100644 src/plugins/nat/nat66/nat66_in2out.c create mode 100644 src/plugins/nat/nat66/nat66_out2in.c delete mode 100644 src/plugins/nat/nat66_cli.c delete mode 100644 src/plugins/nat/nat66_in2out.c delete mode 100644 src/plugins/nat/nat66_out2in.c create mode 100644 src/plugins/nat/nat_types.api create mode 100644 src/plugins/nat/test/test_nat66.py (limited to 'src/plugins') diff --git a/src/plugins/nat/CMakeLists.txt b/src/plugins/nat/CMakeLists.txt index 8803ee0819e..5ce8b8a3273 100644 --- a/src/plugins/nat/CMakeLists.txt +++ b/src/plugins/nat/CMakeLists.txt @@ -43,10 +43,6 @@ add_vpp_plugin(nat nat64_in2out.c nat64_out2in.c nat64_db.c - nat66.c - nat66_cli.c - nat66_in2out.c - nat66_out2in.c nat_affinity.c nat_format.c nat_syslog.c @@ -60,8 +56,6 @@ add_vpp_plugin(nat nat44_handoff.c nat64_in2out.c nat64_out2in.c - nat66_in2out.c - nat66_out2in.c nat_det_in2out.c nat_det_out2in.c out2in.c @@ -69,6 +63,7 @@ add_vpp_plugin(nat API_FILES nat.api + nat_types.api API_TEST_SOURCES nat_test.c @@ -101,3 +96,23 @@ add_vpp_plugin(dslite LINK_LIBRARIES nat ) + +add_vpp_plugin(nat66 + SOURCES + nat_syslog.c + nat66/nat66.c + nat66/nat66_cli.c + nat66/nat66_api.c + nat66/nat66_in2out.c + nat66/nat66_out2in.c + + MULTIARCH_SOURCES + nat66/nat66_in2out.c + nat66/nat66_out2in.c + + API_FILES + nat66/nat66.api + nat_types.api + + LINK_LIBRARIES nat +) diff --git a/src/plugins/nat/nat.api b/src/plugins/nat/nat.api index 134f3e06d7a..cd50c19963c 100644 --- a/src/plugins/nat/nat.api +++ b/src/plugins/nat/nat.api @@ -16,6 +16,7 @@ option version = "5.2.0"; import "vnet/ip/ip_types.api"; import "vnet/interface_types.api"; +import "plugins/nat/nat_types.api"; /** * @file nat.api @@ -29,19 +30,6 @@ import "vnet/interface_types.api"; * Common NAT plugin APIs */ -enum nat_config_flags : u8 -{ - NAT_IS_NONE = 0x00, - NAT_IS_TWICE_NAT = 0x01, - NAT_IS_SELF_TWICE_NAT = 0x02, - NAT_IS_OUT2IN_ONLY = 0x04, - NAT_IS_ADDR_ONLY = 0x08, - NAT_IS_OUTSIDE = 0x10, - NAT_IS_INSIDE = 0x20, - NAT_IS_STATIC = 0x40, - NAT_IS_EXT_HOST_VALID = 0x80, -}; - /** \brief Control ping from client to api server request @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request @@ -1398,86 +1386,3 @@ autoreply define nat64_add_del_interface_addr { bool is_add; vl_api_interface_index_t sw_if_index; }; - -/* - * NAT66 APIs - */ -/** \brief Enable/disable NAT66 feature on the interface - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - @param is_add - true if add, false if delete - @param flags - flag NAT_IS_INSIDE if interface is inside or - interface is outside, - @param sw_if_index - software index of the interface -*/ -autoreply define nat66_add_del_interface { - u32 client_index; - u32 context; - bool is_add; - vl_api_nat_config_flags_t flags; - vl_api_interface_index_t sw_if_index; -}; - -/** \brief Dump interfaces with NAT66 feature - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request -*/ -define nat66_interface_dump { - u32 client_index; - u32 context; -}; - -/** \brief NAT66 interface details response - @param context - sender context, to match reply w/ request - @param flags - flag NAT_IS_INSIDE if interface is inside or - interface is outside, - @param sw_if_index - software index of the interface -*/ -define nat66_interface_details { - u32 context; - vl_api_nat_config_flags_t flags; - vl_api_interface_index_t sw_if_index; -}; - -/** \brief Add/delete 1:1 NAT66 - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - @param is_add - true if add, false if delete - @param local_ip_address - local IPv6 address - @param external_ip_address - external IPv6 address - @param vrf_id - VRF id of tenant -*/ -autoreply define nat66_add_del_static_mapping { - u32 client_index; - u32 context; - bool is_add; - vl_api_ip6_address_t local_ip_address; - vl_api_ip6_address_t external_ip_address; - u32 vrf_id; -}; - -/** \brief Dump NAT66 static mappings - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request -*/ -define nat66_static_mapping_dump { - u32 client_index; - u32 context; -}; - -/** \brief NAT66 static mapping details response - @param context - sender context, to match reply w/ request - @param local_ip_address - local IPv6 address - @param external_ip_address - external IPv6 address - @param vrf_id - VRF id of tenant - @param total_bytes - count of bytes sent through static mapping - @param total_pkts - count of pakets sent through static mapping -*/ -define nat66_static_mapping_details { - u32 context; - vl_api_ip6_address_t local_ip_address; - vl_api_ip6_address_t external_ip_address; - u32 vrf_id; - u64 total_bytes; - u64 total_pkts; -}; diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c index 60ef22f05cc..c4c5dd87c86 100644 --- a/src/plugins/nat/nat.c +++ b/src/plugins/nat/nat.c @@ -24,7 +24,6 @@ #include #include #include -#include #include #include #include @@ -2598,8 +2597,6 @@ snat_init (vlib_main_t * vm) if (error) return error; - nat66_init (vm); - ip4_table_bind_callback_t cbt4 = { .function = snat_ip4_table_bind, }; @@ -3913,7 +3910,6 @@ static clib_error_t * snat_config (vlib_main_t * vm, unformat_input_t * input) { snat_main_t *sm = &snat_main; - nat66_main_t *nm = &nat66_main; snat_main_per_thread_data_t *tsm; u32 static_mapping_buckets = 1024; @@ -4075,10 +4071,6 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, outside_vrf_id, nat_fib_src_hi); - nm->outside_vrf_id = outside_ip6_vrf_id; - nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, - outside_ip6_vrf_id, - nat_fib_src_hi); sm->inside_vrf_id = inside_vrf_id; sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, inside_vrf_id, diff --git a/src/plugins/nat/nat66.c b/src/plugins/nat/nat66.c deleted file mode 100644 index 3ac773c7da4..00000000000 --- a/src/plugins/nat/nat66.c +++ /dev/null @@ -1,251 +0,0 @@ -/* - * Copyright (c) 2018 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/** - * @file - * @brief NAT66 implementation - */ - -#include -#include -#include - -nat66_main_t nat66_main; - -/* *INDENT-OFF* */ - -/* Hook up input features */ -VNET_FEATURE_INIT (nat66_in2out, static) = { - .arc_name = "ip6-unicast", - .node_name = "nat66-in2out", - .runs_before = VNET_FEATURES ("ip6-lookup"), - .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"), -}; -VNET_FEATURE_INIT (nat66_out2in, static) = { - .arc_name = "ip6-unicast", - .node_name = "nat66-out2in", - .runs_before = VNET_FEATURES ("ip6-lookup"), - .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"), -}; - -/* *INDENT-ON* */ - - -void -nat66_init (vlib_main_t * vm) -{ - nat66_main_t *nm = &nat66_main; - vlib_node_t *node; - u32 static_mapping_buckets = 1024; - uword static_mapping_memory_size = 64 << 20; - - node = vlib_get_node_by_name (vm, (u8 *) "nat66-in2out"); - nm->in2out_node_index = node->index; - - node = vlib_get_node_by_name (vm, (u8 *) "nat66-out2in"); - nm->out2in_node_index = node->index; - - clib_bihash_init_24_8 (&nm->sm_l, "nat66-static-map-by-local", - static_mapping_buckets, static_mapping_memory_size); - clib_bihash_init_24_8 (&nm->sm_e, "nat66-static-map-by-external", - static_mapping_buckets, static_mapping_memory_size); - - nm->session_counters.name = "session counters"; -} - -int -nat66_interface_add_del (u32 sw_if_index, u8 is_inside, u8 is_add) -{ - nat66_main_t *nm = &nat66_main; - snat_interface_t *interface = 0, *i; - const char *feature_name; - - /* *INDENT-OFF* */ - pool_foreach (i, nm->interfaces, - ({ - if (i->sw_if_index == sw_if_index) - { - interface = i; - break; - } - })); - /* *INDENT-ON* */ - - if (is_add) - { - if (interface) - return VNET_API_ERROR_VALUE_EXIST; - - pool_get (nm->interfaces, interface); - interface->sw_if_index = sw_if_index; - interface->flags = - is_inside ? NAT_INTERFACE_FLAG_IS_INSIDE : - NAT_INTERFACE_FLAG_IS_OUTSIDE; - } - else - { - if (!interface) - return VNET_API_ERROR_NO_SUCH_ENTRY; - - pool_put (nm->interfaces, interface); - } - - feature_name = is_inside ? "nat66-in2out" : "nat66-out2in"; - int rv = ip6_sv_reass_enable_disable_with_refcnt (sw_if_index, is_add); - if (rv) - return rv; - return vnet_feature_enable_disable ("ip6-unicast", feature_name, - sw_if_index, is_add, 0, 0); -} - -void -nat66_interfaces_walk (nat66_interface_walk_fn_t fn, void *ctx) -{ - nat66_main_t *nm = &nat66_main; - snat_interface_t *i = 0; - - /* *INDENT-OFF* */ - pool_foreach (i, nm->interfaces, - ({ - if (fn (i, ctx)) - break; - })); - /* *INDENT-ON* */ -} - -nat66_static_mapping_t * -nat66_static_mapping_get (ip6_address_t * addr, u32 fib_index, u8 is_local) -{ - nat66_main_t *nm = &nat66_main; - nat66_static_mapping_t *sm = 0; - nat66_sm_key_t sm_key; - clib_bihash_kv_24_8_t kv, value; - - sm_key.addr.as_u64[0] = addr->as_u64[0]; - sm_key.addr.as_u64[1] = addr->as_u64[1]; - sm_key.fib_index = fib_index; - sm_key.rsvd = 0; - - kv.key[0] = sm_key.as_u64[0]; - kv.key[1] = sm_key.as_u64[1]; - kv.key[2] = sm_key.as_u64[2]; - - if (!clib_bihash_search_24_8 - (is_local ? &nm->sm_l : &nm->sm_e, &kv, &value)) - sm = pool_elt_at_index (nm->sm, value.value); - - return sm; -} - -int -nat66_static_mapping_add_del (ip6_address_t * l_addr, ip6_address_t * e_addr, - u32 vrf_id, u8 is_add) -{ - nat66_main_t *nm = &nat66_main; - int rv = 0; - nat66_static_mapping_t *sm = 0; - nat66_sm_key_t sm_key; - clib_bihash_kv_24_8_t kv, value; - u32 fib_index = fib_table_find (FIB_PROTOCOL_IP6, vrf_id); - - sm_key.addr.as_u64[0] = l_addr->as_u64[0]; - sm_key.addr.as_u64[1] = l_addr->as_u64[1]; - sm_key.fib_index = fib_index; - sm_key.rsvd = 0; - kv.key[0] = sm_key.as_u64[0]; - kv.key[1] = sm_key.as_u64[1]; - kv.key[2] = sm_key.as_u64[2]; - - if (!clib_bihash_search_24_8 (&nm->sm_l, &kv, &value)) - sm = pool_elt_at_index (nm->sm, value.value); - - if (is_add) - { - if (sm) - return VNET_API_ERROR_VALUE_EXIST; - - fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, vrf_id, - nat_fib_src_hi); - pool_get (nm->sm, sm); - clib_memset (sm, 0, sizeof (*sm)); - sm->l_addr.as_u64[0] = l_addr->as_u64[0]; - sm->l_addr.as_u64[1] = l_addr->as_u64[1]; - sm->e_addr.as_u64[0] = e_addr->as_u64[0]; - sm->e_addr.as_u64[1] = e_addr->as_u64[1]; - sm->fib_index = fib_index; - - sm_key.fib_index = fib_index; - kv.key[0] = sm_key.as_u64[0]; - kv.key[1] = sm_key.as_u64[1]; - kv.key[2] = sm_key.as_u64[2]; - kv.value = sm - nm->sm; - if (clib_bihash_add_del_24_8 (&nm->sm_l, &kv, 1)) - nat_elog_warn ("nat66-static-map-by-local add key failed"); - sm_key.addr.as_u64[0] = e_addr->as_u64[0]; - sm_key.addr.as_u64[1] = e_addr->as_u64[1]; - sm_key.fib_index = 0; - kv.key[0] = sm_key.as_u64[0]; - kv.key[1] = sm_key.as_u64[1]; - kv.key[2] = sm_key.as_u64[2]; - if (clib_bihash_add_del_24_8 (&nm->sm_e, &kv, 1)) - nat_elog_warn ("nat66-static-map-by-external add key failed"); - - vlib_validate_combined_counter (&nm->session_counters, kv.value); - vlib_zero_combined_counter (&nm->session_counters, kv.value); - } - else - { - if (!sm) - return VNET_API_ERROR_NO_SUCH_ENTRY; - - kv.value = sm - nm->sm; - if (clib_bihash_add_del_24_8 (&nm->sm_l, &kv, 0)) - nat_elog_warn ("nat66-static-map-by-local delete key failed"); - sm_key.addr.as_u64[0] = e_addr->as_u64[0]; - sm_key.addr.as_u64[1] = e_addr->as_u64[1]; - sm_key.fib_index = 0; - kv.key[0] = sm_key.as_u64[0]; - kv.key[1] = sm_key.as_u64[1]; - kv.key[2] = sm_key.as_u64[2]; - if (clib_bihash_add_del_24_8 (&nm->sm_e, &kv, 0)) - nat_elog_warn ("nat66-static-map-by-external delete key failed"); - fib_table_unlock (sm->fib_index, FIB_PROTOCOL_IP6, nat_fib_src_hi); - pool_put (nm->sm, sm); - } - - return rv; -} - -void -nat66_static_mappings_walk (nat66_static_mapping_walk_fn_t fn, void *ctx) -{ - nat66_main_t *nm = &nat66_main; - nat66_static_mapping_t *sm = 0; - - /* *INDENT-OFF* */ - pool_foreach (sm, nm->sm, - ({ - if (fn (sm, ctx)) - break; - })); - /* *INDENT-ON* */ -} - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/nat/nat66.h b/src/plugins/nat/nat66.h deleted file mode 100644 index 7b0ffed6dfc..00000000000 --- a/src/plugins/nat/nat66.h +++ /dev/null @@ -1,92 +0,0 @@ -/* - * Copyright (c) 2018 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/** - * @file - * @brief NAT66 global declarations - */ -#ifndef __included_nat66_h__ -#define __included_nat66_h__ - -#include -#include - -typedef struct -{ - ip6_address_t l_addr; - ip6_address_t e_addr; - u32 fib_index; -} nat66_static_mapping_t; - -typedef struct -{ - union - { - struct - { - ip6_address_t addr; - u32 fib_index; - u32 rsvd; - }; - u64 as_u64[3]; - }; -} nat66_sm_key_t; - -typedef struct -{ - /** Interface pool */ - snat_interface_t *interfaces; - /** Static mapping pool */ - nat66_static_mapping_t *sm; - /** Static mapping by local address lookup table */ - clib_bihash_24_8_t sm_l; - /** Static mapping by external address lookup table */ - clib_bihash_24_8_t sm_e; - /** Session counters */ - vlib_combined_counter_main_t session_counters; - /** node index **/ - u32 in2out_node_index; - u32 out2in_node_index; - - u32 outside_vrf_id; - u32 outside_fib_index; -} nat66_main_t; - -extern nat66_main_t nat66_main; -extern vlib_node_registration_t nat66_in2out_node; -extern vlib_node_registration_t nat66_out2in_node; - -void nat66_init (vlib_main_t * vm); -typedef int (*nat66_interface_walk_fn_t) (snat_interface_t * i, void *ctx); -void nat66_interfaces_walk (nat66_interface_walk_fn_t fn, void *ctx); -int nat66_interface_add_del (u32 sw_if_index, u8 is_inside, u8 is_add); -typedef int (*nat66_static_mapping_walk_fn_t) (nat66_static_mapping_t * sm, - void *ctx); -void nat66_static_mappings_walk (nat66_static_mapping_walk_fn_t fn, - void *ctx); -nat66_static_mapping_t *nat66_static_mapping_get (ip6_address_t * addr, - u32 fib_index, u8 is_local); -int nat66_static_mapping_add_del (ip6_address_t * l_addr, - ip6_address_t * e_addr, u32 vrf_id, - u8 is_add); - -#endif /* __included_nat66_h__ */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/nat/nat66/nat66.api b/src/plugins/nat/nat66/nat66.api new file mode 100644 index 00000000000..6906e41f539 --- /dev/null +++ b/src/plugins/nat/nat66/nat66.api @@ -0,0 +1,99 @@ +/* + * Copyright (c) 2020 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +option version = "1.0.0"; +import "vnet/ip/ip_types.api"; +import "vnet/interface_types.api"; +import "plugins/nat/nat_types.api"; + +/** \brief Enable/disable NAT66 feature on the interface + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_add - true if add, false if delete + @param flags - flag NAT_IS_INSIDE if interface is inside or + interface is outside, + @param sw_if_index - software index of the interface +*/ +autoreply define nat66_add_del_interface { + u32 client_index; + u32 context; + bool is_add; + vl_api_nat_config_flags_t flags; + vl_api_interface_index_t sw_if_index; +}; + +/** \brief Dump interfaces with NAT66 feature + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define nat66_interface_dump { + u32 client_index; + u32 context; +}; + +/** \brief NAT66 interface details response + @param context - sender context, to match reply w/ request + @param flags - flag NAT_IS_INSIDE if interface is inside or + interface is outside, + @param sw_if_index - software index of the interface +*/ +define nat66_interface_details { + u32 context; + vl_api_nat_config_flags_t flags; + vl_api_interface_index_t sw_if_index; +}; + +/** \brief Add/delete 1:1 NAT66 + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param is_add - true if add, false if delete + @param local_ip_address - local IPv6 address + @param external_ip_address - external IPv6 address + @param vrf_id - VRF id of tenant +*/ +autoreply define nat66_add_del_static_mapping { + u32 client_index; + u32 context; + bool is_add; + vl_api_ip6_address_t local_ip_address; + vl_api_ip6_address_t external_ip_address; + u32 vrf_id; +}; + +/** \brief Dump NAT66 static mappings + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request +*/ +define nat66_static_mapping_dump { + u32 client_index; + u32 context; +}; + +/** \brief NAT66 static mapping details response + @param context - sender context, to match reply w/ request + @param local_ip_address - local IPv6 address + @param external_ip_address - external IPv6 address + @param vrf_id - VRF id of tenant + @param total_bytes - count of bytes sent through static mapping + @param total_pkts - count of pakets sent through static mapping +*/ +define nat66_static_mapping_details { + u32 context; + vl_api_ip6_address_t local_ip_address; + vl_api_ip6_address_t external_ip_address; + u32 vrf_id; + u64 total_bytes; + u64 total_pkts; +}; diff --git a/src/plugins/nat/nat66/nat66.c b/src/plugins/nat/nat66/nat66.c new file mode 100644 index 00000000000..36d5d733a6d --- /dev/null +++ b/src/plugins/nat/nat66/nat66.c @@ -0,0 +1,284 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT66 implementation + */ + +#include +#include +#include +#include +#include + +nat66_main_t nat66_main; +fib_source_t nat_fib_src_hi; + +/* *INDENT-OFF* */ + +/* Hook up input features */ +VNET_FEATURE_INIT (nat66_in2out, static) = { + .arc_name = "ip6-unicast", + .node_name = "nat66-in2out", + .runs_before = VNET_FEATURES ("ip6-lookup"), + .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"), +}; +VNET_FEATURE_INIT (nat66_out2in, static) = { + .arc_name = "ip6-unicast", + .node_name = "nat66-out2in", + .runs_before = VNET_FEATURES ("ip6-lookup"), + .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"), +}; + +/* *INDENT-ON* */ + +clib_error_t *nat66_plugin_api_hookup (vlib_main_t * vm); +static clib_error_t * +nat66_init (vlib_main_t * vm) +{ + nat66_main_t *nm = &nat66_main; + vlib_node_t *node; + u32 static_mapping_buckets = 1024; + uword static_mapping_memory_size = 64 << 20; + + node = vlib_get_node_by_name (vm, (u8 *) "nat66-in2out"); + nm->in2out_node_index = node->index; + + node = vlib_get_node_by_name (vm, (u8 *) "nat66-out2in"); + nm->out2in_node_index = node->index; + + clib_bihash_init_24_8 (&nm->sm_l, "nat66-static-map-by-local", + static_mapping_buckets, static_mapping_memory_size); + clib_bihash_init_24_8 (&nm->sm_e, "nat66-static-map-by-external", + static_mapping_buckets, static_mapping_memory_size); + + nm->session_counters.name = "session counters"; + + nat_fib_src_hi = fib_source_allocate ("nat66-hi", + FIB_SOURCE_PRIORITY_HI, + FIB_SOURCE_BH_SIMPLE); + + return nat66_plugin_api_hookup (vm); +} + +int +nat66_interface_add_del (u32 sw_if_index, u8 is_inside, u8 is_add) +{ + nat66_main_t *nm = &nat66_main; + nat66_interface_t *interface = 0, *i; + const char *feature_name; + + /* *INDENT-OFF* */ + pool_foreach (i, nm->interfaces, + ({ + if (i->sw_if_index == sw_if_index) + { + interface = i; + break; + } + })); + /* *INDENT-ON* */ + + if (is_add) + { + if (interface) + return VNET_API_ERROR_VALUE_EXIST; + + pool_get (nm->interfaces, interface); + interface->sw_if_index = sw_if_index; + interface->flags = + is_inside ? NAT66_INTERFACE_FLAG_IS_INSIDE : + NAT66_INTERFACE_FLAG_IS_OUTSIDE; + } + else + { + if (!interface) + return VNET_API_ERROR_NO_SUCH_ENTRY; + + pool_put (nm->interfaces, interface); + } + + feature_name = is_inside ? "nat66-in2out" : "nat66-out2in"; + int rv = ip6_sv_reass_enable_disable_with_refcnt (sw_if_index, is_add); + if (rv) + return rv; + return vnet_feature_enable_disable ("ip6-unicast", feature_name, + sw_if_index, is_add, 0, 0); +} + +void +nat66_interfaces_walk (nat66_interface_walk_fn_t fn, void *ctx) +{ + nat66_main_t *nm = &nat66_main; + nat66_interface_t *i = 0; + + /* *INDENT-OFF* */ + pool_foreach (i, nm->interfaces, + ({ + if (fn (i, ctx)) + break; + })); + /* *INDENT-ON* */ +} + +nat66_static_mapping_t * +nat66_static_mapping_get (ip6_address_t * addr, u32 fib_index, u8 is_local) +{ + nat66_main_t *nm = &nat66_main; + nat66_static_mapping_t *sm = 0; + nat66_sm_key_t sm_key; + clib_bihash_kv_24_8_t kv, value; + + sm_key.addr.as_u64[0] = addr->as_u64[0]; + sm_key.addr.as_u64[1] = addr->as_u64[1]; + sm_key.fib_index = fib_index; + sm_key.rsvd = 0; + + kv.key[0] = sm_key.as_u64[0]; + kv.key[1] = sm_key.as_u64[1]; + kv.key[2] = sm_key.as_u64[2]; + + if (!clib_bihash_search_24_8 + (is_local ? &nm->sm_l : &nm->sm_e, &kv, &value)) + sm = pool_elt_at_index (nm->sm, value.value); + + return sm; +} + +int +nat66_static_mapping_add_del (ip6_address_t * l_addr, ip6_address_t * e_addr, + u32 vrf_id, u8 is_add) +{ + nat66_main_t *nm = &nat66_main; + int rv = 0; + nat66_static_mapping_t *sm = 0; + nat66_sm_key_t sm_key; + clib_bihash_kv_24_8_t kv, value; + u32 fib_index = fib_table_find (FIB_PROTOCOL_IP6, vrf_id); + + sm_key.addr.as_u64[0] = l_addr->as_u64[0]; + sm_key.addr.as_u64[1] = l_addr->as_u64[1]; + sm_key.fib_index = fib_index; + sm_key.rsvd = 0; + kv.key[0] = sm_key.as_u64[0]; + kv.key[1] = sm_key.as_u64[1]; + kv.key[2] = sm_key.as_u64[2]; + + if (!clib_bihash_search_24_8 (&nm->sm_l, &kv, &value)) + sm = pool_elt_at_index (nm->sm, value.value); + + if (is_add) + { + if (sm) + return VNET_API_ERROR_VALUE_EXIST; + + fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, vrf_id, + nat_fib_src_hi); + pool_get (nm->sm, sm); + clib_memset (sm, 0, sizeof (*sm)); + sm->l_addr.as_u64[0] = l_addr->as_u64[0]; + sm->l_addr.as_u64[1] = l_addr->as_u64[1]; + sm->e_addr.as_u64[0] = e_addr->as_u64[0]; + sm->e_addr.as_u64[1] = e_addr->as_u64[1]; + sm->fib_index = fib_index; + + sm_key.fib_index = fib_index; + kv.key[0] = sm_key.as_u64[0]; + kv.key[1] = sm_key.as_u64[1]; + kv.key[2] = sm_key.as_u64[2]; + kv.value = sm - nm->sm; + if (clib_bihash_add_del_24_8 (&nm->sm_l, &kv, 1)) + nat66_elog_warn ("nat66-static-map-by-local add key failed"); + sm_key.addr.as_u64[0] = e_addr->as_u64[0]; + sm_key.addr.as_u64[1] = e_addr->as_u64[1]; + sm_key.fib_index = 0; + kv.key[0] = sm_key.as_u64[0]; + kv.key[1] = sm_key.as_u64[1]; + kv.key[2] = sm_key.as_u64[2]; + if (clib_bihash_add_del_24_8 (&nm->sm_e, &kv, 1)) + nat66_elog_warn ("nat66-static-map-by-external add key failed"); + + vlib_validate_combined_counter (&nm->session_counters, kv.value); + vlib_zero_combined_counter (&nm->session_counters, kv.value); + } + else + { + if (!sm) + return VNET_API_ERROR_NO_SUCH_ENTRY; + + kv.value = sm - nm->sm; + if (clib_bihash_add_del_24_8 (&nm->sm_l, &kv, 0)) + nat66_elog_warn ("nat66-static-map-by-local delete key failed"); + sm_key.addr.as_u64[0] = e_addr->as_u64[0]; + sm_key.addr.as_u64[1] = e_addr->as_u64[1]; + sm_key.fib_index = 0; + kv.key[0] = sm_key.as_u64[0]; + kv.key[1] = sm_key.as_u64[1]; + kv.key[2] = sm_key.as_u64[2]; + if (clib_bihash_add_del_24_8 (&nm->sm_e, &kv, 0)) + nat66_elog_warn ("nat66-static-map-by-external delete key failed"); + fib_table_unlock (sm->fib_index, FIB_PROTOCOL_IP6, nat_fib_src_hi); + pool_put (nm->sm, sm); + } + + return rv; +} + +void +nat66_static_mappings_walk (nat66_static_mapping_walk_fn_t fn, void *ctx) +{ + nat66_main_t *nm = &nat66_main; + nat66_static_mapping_t *sm = 0; + + /* *INDENT-OFF* */ + pool_foreach (sm, nm->sm, + ({ + if (fn (sm, ctx)) + break; + })); + /* *INDENT-ON* */ +} + +/*static*/ void +nat66_config (void) +{ + nat66_main_t *nm = &nat66_main; + u32 outside_ip6_vrf_id = 0; + + nm->outside_vrf_id = outside_ip6_vrf_id; + nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, + outside_ip6_vrf_id, + nat_fib_src_hi); + +} + +/* *INDENT-OFF* */ +VLIB_PLUGIN_REGISTER () = +{ + .version = VPP_BUILD_VER, + .description = "NAT66", +}; + +VLIB_INIT_FUNCTION (nat66_init); + +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat66/nat66.h b/src/plugins/nat/nat66/nat66.h new file mode 100644 index 00000000000..9757f030032 --- /dev/null +++ b/src/plugins/nat/nat66/nat66.h @@ -0,0 +1,123 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT66 global declarations + */ +#ifndef __included_nat66_h__ +#define __included_nat66_h__ + +#include +#include + +typedef struct +{ + ip6_address_t l_addr; + ip6_address_t e_addr; + u32 fib_index; +} nat66_static_mapping_t; + +typedef struct +{ + union + { + struct + { + ip6_address_t addr; + u32 fib_index; + u32 rsvd; + }; + u64 as_u64[3]; + }; +} nat66_sm_key_t; + +typedef struct +{ + u32 sw_if_index; + u8 flags; +} nat66_interface_t; +#define NAT66_INTERFACE_FLAG_IS_INSIDE 1 +#define NAT66_INTERFACE_FLAG_IS_OUTSIDE 2 +#define nat66_interface_is_inside(i) i->flags & NAT66_INTERFACE_FLAG_IS_INSIDE +#define nat66_interface_is_outside(i) i->flags & NAT66_INTERFACE_FLAG_IS_OUTSIDE + +typedef struct +{ + /** Interface pool */ + nat66_interface_t *interfaces; + /** Static mapping pool */ + nat66_static_mapping_t *sm; + /** Static mapping by local address lookup table */ + clib_bihash_24_8_t sm_l; + /** Static mapping by external address lookup table */ + clib_bihash_24_8_t sm_e; + /** Session counters */ + vlib_combined_counter_main_t session_counters; + /** node index **/ + u32 in2out_node_index; + u32 out2in_node_index; + + u32 outside_vrf_id; + u32 outside_fib_index; + + u16 msg_id_base; + u8 log_level; +} nat66_main_t; + +#define nat66_elog(_level, _str) \ +do \ + { \ + nat66_main_t *nm = &nat66_main; \ + if (PREDICT_FALSE (nm->log_level >= _level)) \ + { \ + ELOG_TYPE_DECLARE (e) = \ + { \ + .format = "nat66-msg " _str, \ + .format_args = "", \ + }; \ + ELOG_DATA (&vlib_global_main.elog_main, e); \ + } \ + } while (0); + +#define nat66_elog_warn(nat_elog_str) \ + nat66_elog(0x02, "[warning] " nat_elog_str) + + +extern nat66_main_t nat66_main; +extern vlib_node_registration_t nat66_in2out_node; +extern vlib_node_registration_t nat66_out2in_node; + +typedef int (*nat66_interface_walk_fn_t) (nat66_interface_t * i, void *ctx); +void nat66_interfaces_walk (nat66_interface_walk_fn_t fn, void *ctx); +int nat66_interface_add_del (u32 sw_if_index, u8 is_inside, u8 is_add); +typedef int (*nat66_static_mapping_walk_fn_t) (nat66_static_mapping_t * sm, + void *ctx); +void nat66_static_mappings_walk (nat66_static_mapping_walk_fn_t fn, + void *ctx); +nat66_static_mapping_t *nat66_static_mapping_get (ip6_address_t * addr, + u32 fib_index, u8 is_local); +int nat66_static_mapping_add_del (ip6_address_t * l_addr, + ip6_address_t * e_addr, u32 vrf_id, + u8 is_add); + +#endif /* __included_nat66_h__ */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat66/nat66_api.c b/src/plugins/nat/nat66/nat66_api.c new file mode 100644 index 00000000000..2a2b3cc07ad --- /dev/null +++ b/src/plugins/nat/nat66/nat66_api.c @@ -0,0 +1,174 @@ +/* + * Copyright (c) 2020 Cisco and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include + +#define REPLY_MSG_ID_BASE nm->msg_id_base +#include + +/*************/ +/*** NAT66 ***/ +/*************/ + +static void +vl_api_nat66_add_del_interface_t_handler (vl_api_nat66_add_del_interface_t * + mp) +{ + nat66_main_t *nm = &nat66_main; + vl_api_nat66_add_del_interface_reply_t *rmp; + int rv = 0; + + VALIDATE_SW_IF_INDEX (mp); + + rv = + nat66_interface_add_del (ntohl (mp->sw_if_index), + mp->flags & NAT_IS_INSIDE, mp->is_add); + + BAD_SW_IF_INDEX_LABEL; + + REPLY_MACRO (VL_API_NAT66_ADD_DEL_INTERFACE_REPLY); +} + +static void + vl_api_nat66_add_del_static_mapping_t_handler + (vl_api_nat66_add_del_static_mapping_t * mp) +{ + nat66_main_t *nm = &nat66_main; + vl_api_nat66_add_del_static_mapping_reply_t *rmp; + ip6_address_t l_addr, e_addr; + int rv = 0; + + memcpy (&l_addr.as_u8, mp->local_ip_address, 16); + memcpy (&e_addr.as_u8, mp->external_ip_address, 16); + + rv = + nat66_static_mapping_add_del (&l_addr, &e_addr, + clib_net_to_host_u32 (mp->vrf_id), + mp->is_add); + + REPLY_MACRO (VL_API_NAT66_ADD_DEL_STATIC_MAPPING_REPLY); +} + +typedef struct nat66_api_walk_ctx_t_ +{ + vl_api_registration_t *rp; + u32 context; +} nat66_api_walk_ctx_t; + +static int +nat66_api_interface_walk (nat66_interface_t * i, void *arg) +{ + vl_api_nat66_interface_details_t *rmp; + nat66_main_t *nm = &nat66_main; + nat66_api_walk_ctx_t *ctx = arg; + + rmp = vl_msg_api_alloc (sizeof (*rmp)); + clib_memset (rmp, 0, sizeof (*rmp)); + rmp->_vl_msg_id = ntohs (VL_API_NAT66_INTERFACE_DETAILS + nm->msg_id_base); + rmp->sw_if_index = ntohl (i->sw_if_index); + if (nat66_interface_is_inside (i)) + rmp->flags |= NAT_IS_INSIDE; + rmp->context = ctx->context; + + vl_api_send_msg (ctx->rp, (u8 *) rmp); + + return 0; +} + +static void +vl_api_nat66_interface_dump_t_handler (vl_api_nat66_interface_dump_t * mp) +{ + vl_api_registration_t *rp; + + rp = vl_api_client_index_to_registration (mp->client_index); + if (rp == 0) + return; + + nat66_api_walk_ctx_t ctx = { + .rp = rp, + .context = mp->context, + }; + + nat66_interfaces_walk (nat66_api_interface_walk, &ctx); +} + +static int +nat66_api_static_mapping_walk (nat66_static_mapping_t * m, void *arg) +{ + vl_api_nat66_static_mapping_details_t *rmp; + nat66_main_t *nm = &nat66_main; + nat66_api_walk_ctx_t *ctx = arg; + fib_table_t *fib; + vlib_counter_t vc; + + fib = fib_table_get (m->fib_index, FIB_PROTOCOL_IP6); + if (!fib) + return -1; + + vlib_get_combined_counter (&nm->session_counters, m - nm->sm, &vc); + + rmp = vl_msg_api_alloc (sizeof (*rmp)); + clib_memset (rmp, 0, sizeof (*rmp)); + rmp->_vl_msg_id = + ntohs (VL_API_NAT66_STATIC_MAPPING_DETAILS + nm->msg_id_base); + clib_memcpy (rmp->local_ip_address, &m->l_addr, 16); + clib_memcpy (rmp->external_ip_address, &m->e_addr, 16); + rmp->vrf_id = ntohl (fib->ft_table_id); + rmp->total_bytes = clib_host_to_net_u64 (vc.bytes); + rmp->total_pkts = clib_host_to_net_u64 (vc.packets); + rmp->context = ctx->context; + + vl_api_send_msg (ctx->rp, (u8 *) rmp); + + return 0; +} + +static void +vl_api_nat66_static_mapping_dump_t_handler (vl_api_nat66_static_mapping_dump_t + * mp) +{ + vl_api_registration_t *rp; + + rp = vl_api_client_index_to_registration (mp->client_index); + if (rp == 0) + return; + + nat66_api_walk_ctx_t ctx = { + .rp = rp, + .context = mp->context, + }; + + nat66_static_mappings_walk (nat66_api_static_mapping_walk, &ctx); +} + +/* API definitions */ +#include +#include + +/* Set up the API message handling tables */ +clib_error_t * +nat66_plugin_api_hookup (vlib_main_t * vm) +{ + nat66_main_t *nm = &nat66_main; + + nm->msg_id_base = setup_message_id_table (); + + return 0; +} diff --git a/src/plugins/nat/nat66/nat66_cli.c b/src/plugins/nat/nat66/nat66_cli.c new file mode 100644 index 00000000000..da963877c8a --- /dev/null +++ b/src/plugins/nat/nat66/nat66_cli.c @@ -0,0 +1,319 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT66 CLI + */ + +#include +#include + +static clib_error_t * +nat66_interface_feature_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + vnet_main_t *vnm = vnet_get_main (); + clib_error_t *error = 0; + u32 sw_if_index; + u32 *inside_sw_if_indices = 0; + u32 *outside_sw_if_indices = 0; + u8 is_add = 1; + int i, rv; + + /* Get a line of input. */ + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "in %U", unformat_vnet_sw_interface, + vnm, &sw_if_index)) + vec_add1 (inside_sw_if_indices, sw_if_index); + else if (unformat (line_input, "out %U", unformat_vnet_sw_interface, + vnm, &sw_if_index)) + vec_add1 (outside_sw_if_indices, sw_if_index); + else if (unformat (line_input, "del")) + is_add = 0; + else + { + error = clib_error_return (0, "unknown input '%U'", + format_unformat_error, line_input); + goto done; + } + } + + if (vec_len (inside_sw_if_indices)) + { + for (i = 0; i < vec_len (inside_sw_if_indices); i++) + { + sw_if_index = inside_sw_if_indices[i]; + rv = nat66_interface_add_del (sw_if_index, 1, is_add); + switch (rv) + { + case VNET_API_ERROR_NO_SUCH_ENTRY: + error = + clib_error_return (0, "%U NAT66 feature not enabled.", + format_vnet_sw_interface_name, vnm, + vnet_get_sw_interface (vnm, sw_if_index)); + goto done; + case VNET_API_ERROR_VALUE_EXIST: + error = + clib_error_return (0, "%U NAT66 feature already enabled.", + format_vnet_sw_interface_name, vnm, + vnet_get_sw_interface (vnm, sw_if_index)); + goto done; + case VNET_API_ERROR_INVALID_VALUE: + case VNET_API_ERROR_INVALID_VALUE_2: + error = + clib_error_return (0, + "%U NAT66 feature enable/disable failed.", + format_vnet_sw_interface_name, vnm, + vnet_get_sw_interface (vnm, sw_if_index)); + goto done; + default: + break; + + } + } + } + + if (vec_len (outside_sw_if_indices)) + { + for (i = 0; i < vec_len (outside_sw_if_indices); i++) + { + sw_if_index = outside_sw_if_indices[i]; + rv = nat66_interface_add_del (sw_if_index, 0, is_add); + switch (rv) + { + case VNET_API_ERROR_NO_SUCH_ENTRY: + error = + clib_error_return (0, "%U NAT66 feature not enabled.", + format_vnet_sw_interface_name, vnm, + vnet_get_sw_interface (vnm, sw_if_index)); + goto done; + case VNET_API_ERROR_VALUE_EXIST: + error = + clib_error_return (0, "%U NAT66 feature already enabled.", + format_vnet_sw_interface_name, vnm, + vnet_get_sw_interface (vnm, sw_if_index)); + goto done; + case VNET_API_ERROR_INVALID_VALUE: + case VNET_API_ERROR_INVALID_VALUE_2: + error = + clib_error_return (0, + "%U NAT66 feature enable/disable failed.", + format_vnet_sw_interface_name, vnm, + vnet_get_sw_interface (vnm, sw_if_index)); + goto done; + default: + break; + + } + } + } + +done: + unformat_free (line_input); + vec_free (inside_sw_if_indices); + vec_free (outside_sw_if_indices); + + return error; +} + +static int +nat66_cli_interface_walk (nat66_interface_t * i, void *ctx) +{ + vlib_main_t *vm = ctx; + vnet_main_t *vnm = vnet_get_main (); + + vlib_cli_output (vm, " %U %s", format_vnet_sw_interface_name, vnm, + vnet_get_sw_interface (vnm, i->sw_if_index), + nat66_interface_is_inside (i) ? "in" : "out"); + return 0; +} + +static clib_error_t * +nat66_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + vlib_cli_output (vm, "NAT66 interfaces:"); + nat66_interfaces_walk (nat66_cli_interface_walk, vm); + + return 0; +} + +static clib_error_t * +nat66_add_del_static_mapping_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + clib_error_t *error = 0; + u8 is_add = 1; + ip6_address_t l_addr, e_addr; + u32 vrf_id = 0; + int rv; + + /* Get a line of input. */ + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "local %U external %U", + unformat_ip6_address, &l_addr, + unformat_ip6_address, &e_addr)) + ; + else if (unformat (line_input, "vrf %u", &vrf_id)) + ; + else if (unformat (line_input, "del")) + is_add = 0; + else + { + error = clib_error_return (0, "unknown input: '%U'", + format_unformat_error, line_input); + goto done; + } + } + + rv = nat66_static_mapping_add_del (&l_addr, &e_addr, vrf_id, is_add); + + switch (rv) + { + case VNET_API_ERROR_NO_SUCH_ENTRY: + error = clib_error_return (0, "NAT66 static mapping entry not exist."); + goto done; + case VNET_API_ERROR_VALUE_EXIST: + error = clib_error_return (0, "NAT66 static mapping entry exist."); + goto done; + default: + break; + } + +done: + unformat_free (line_input); + + return error; +} + +static int +nat66_cli_static_mapping_walk (nat66_static_mapping_t * sm, void *ctx) +{ + nat66_main_t *nm = &nat66_main; + vlib_main_t *vm = ctx; + fib_table_t *fib; + vlib_counter_t vc; + + fib = fib_table_get (sm->fib_index, FIB_PROTOCOL_IP6); + if (!fib) + return -1; + + vlib_get_combined_counter (&nm->session_counters, sm - nm->sm, &vc); + + vlib_cli_output (vm, " local %U external %U vrf %d", + format_ip6_address, &sm->l_addr, + format_ip6_address, &sm->e_addr, fib->ft_table_id); + vlib_cli_output (vm, " total pkts %lld, total bytes %lld", vc.packets, + vc.bytes); + + return 0; +} + +static clib_error_t * +nat66_show_static_mappings_command_fn (vlib_main_t * vm, + unformat_input_t * input, + vlib_cli_command_t * cmd) +{ + vlib_cli_output (vm, "NAT66 static mappings:"); + nat66_static_mappings_walk (nat66_cli_static_mapping_walk, vm); + return 0; +} + +/* *INDENT-OFF* */ +/*? + * @cliexpar + * @cliexstart{set interface nat66} + * Enable/disable NAT66 feature on the interface. + * To enable NAT66 feature with local (IPv6) network interface + * GigabitEthernet0/8/0 and external (IPv4) network interface + * GigabitEthernet0/a/0 use: + * vpp# set interface nat66 in GigabitEthernet0/8/0 out GigabitEthernet0/a/0 + * @cliexend +?*/ +VLIB_CLI_COMMAND (set_interface_nat66_command, static) = { + .path = "set interface nat66", + .short_help = "set interface nat66 in|out [del]", + .function = nat66_interface_feature_command_fn, +}; + +/*? + * @cliexpar + * @cliexstart{show nat66 interfaces} + * Show interfaces with NAT66 feature. + * To show interfaces with NAT66 feature use: + * vpp# show nat66 interfaces + * NAT66 interfaces: + * GigabitEthernet0/8/0 in + * GigabitEthernet0/a/0 out + * @cliexend +?*/ +VLIB_CLI_COMMAND (show_nat66_interfaces_command, static) = { + .path = "show nat66 interfaces", + .short_help = "show nat66 interfaces", + .function = nat66_show_interfaces_command_fn, +}; + +/*? + * @cliexpar + * @cliexstart{nat66 add static mapping} + * Add/delete NAT66 static mapping entry. + * To add NAT66 static mapping entry use: + * vpp# nat66 add static mapping local fd01:1::4 external 2001:db8:c000:223:: + * vpp# nat66 add static mapping local fd01:1::2 external 2001:db8:c000:221:: vrf 10 + * @cliexend +?*/ +VLIB_CLI_COMMAND (show_nat66_add_del_static_mapping_command, static) = { + .path = "nat66 add static mapping", + .short_help = "nat66 add static mapping local external " + " [vfr ] [del]", + .function = nat66_add_del_static_mapping_command_fn, +}; + +/*? + * @cliexpar + * @cliexstart{show nat66 static mappings} + * Show NAT66 static mappings. + * To show NAT66 static mappings use: + * vpp# show nat66 static mappings + * NAT66 static mappings: + * local fd01:1::4 external 2001:db8:c000:223:: vrf 0 + * local fd01:1::2 external 2001:db8:c000:221:: vrf 10 + * @cliexend +?*/ +VLIB_CLI_COMMAND (show_nat66_static_mappings_command, static) = { + .path = "show nat66 static mappings", + .short_help = "show nat66 static mappings", + .function = nat66_show_static_mappings_command_fn, +}; + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat66/nat66_in2out.c b/src/plugins/nat/nat66/nat66_in2out.c new file mode 100644 index 00000000000..5a027e2cd50 --- /dev/null +++ b/src/plugins/nat/nat66/nat66_in2out.c @@ -0,0 +1,262 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT66 inside to outside network translation + */ + +#include +#include +#include + +typedef struct +{ + u32 sw_if_index; + u32 next_index; +} nat66_in2out_trace_t; + +static u8 * +format_nat66_in2out_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat66_in2out_trace_t *t = va_arg (*args, nat66_in2out_trace_t *); + + s = + format (s, "NAT66-in2out: sw_if_index %d, next index %d", t->sw_if_index, + t->next_index); + + return s; +} + +#define foreach_nat66_in2out_error \ +_(IN2OUT_PACKETS, "good in2out packets processed") \ +_(NO_TRANSLATION, "no translation") \ +_(UNKNOWN, "unknown") + +typedef enum +{ +#define _(sym,str) NAT66_IN2OUT_ERROR_##sym, + foreach_nat66_in2out_error +#undef _ + NAT66_IN2OUT_N_ERROR, +} nat66_in2out_error_t; + +static char *nat66_in2out_error_strings[] = { +#define _(sym,string) string, + foreach_nat66_in2out_error +#undef _ +}; + +typedef enum +{ + NAT66_IN2OUT_NEXT_IP6_LOOKUP, + NAT66_IN2OUT_NEXT_DROP, + NAT66_IN2OUT_N_NEXT, +} nat66_in2out_next_t; + +static inline u8 +nat66_not_translate (u32 rx_fib_index, ip6_address_t ip6_addr) +{ + nat66_main_t *nm = &nat66_main; + u32 sw_if_index; + nat66_interface_t *i; + fib_node_index_t fei = FIB_NODE_INDEX_INVALID; + fib_prefix_t pfx = { + .fp_proto = FIB_PROTOCOL_IP6, + .fp_len = 128, + .fp_addr = { + .ip6 = ip6_addr, + }, + }; + + fei = fib_table_lookup (rx_fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID == fei) + return 1; + sw_if_index = fib_entry_get_resolving_interface (fei); + + if (sw_if_index == ~0) + { + fei = fib_table_lookup (nm->outside_fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID == fei) + return 1; + sw_if_index = fib_entry_get_resolving_interface (fei); + } + + /* *INDENT-OFF* */ + pool_foreach (i, nm->interfaces, + ({ + /* NAT packet aimed at outside interface */ + if (nat66_interface_is_outside (i) && sw_if_index == i->sw_if_index) + return 0; + })); + /* *INDENT-ON* */ + + return 1; +} + +VLIB_NODE_FN (nat66_in2out_node) (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + u32 n_left_from, *from, *to_next; + nat66_in2out_next_t next_index; + u32 pkts_processed = 0; + u32 thread_index = vm->thread_index; + nat66_main_t *nm = &nat66_main; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = NAT66_IN2OUT_NEXT_IP6_LOOKUP; + ip6_header_t *ip60; + u16 l4_offset0, frag_offset0; + u8 l4_protocol0; + nat66_static_mapping_t *sm0; + u32 sw_if_index0, fib_index0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + u16 *checksum0 = 0; + ip_csum_t csum0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + ip60 = vlib_buffer_get_current (b0); + + if (PREDICT_FALSE + (ip6_parse + (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0, + &frag_offset0))) + { + next0 = NAT66_IN2OUT_NEXT_DROP; + b0->error = node->errors[NAT66_IN2OUT_ERROR_UNKNOWN]; + goto trace0; + } + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, + sw_if_index0); + + if (nat66_not_translate (fib_index0, ip60->dst_address)) + goto trace0; + + sm0 = nat66_static_mapping_get (&ip60->src_address, fib_index0, 1); + if (PREDICT_FALSE (!sm0)) + { + goto trace0; + } + + if (l4_protocol0 == IP_PROTOCOL_UDP) + { + udp0 = (udp_header_t *) u8_ptr_add (ip60, l4_offset0); + checksum0 = &udp0->checksum; + } + else if (l4_protocol0 == IP_PROTOCOL_TCP) + { + tcp0 = (tcp_header_t *) u8_ptr_add (ip60, l4_offset0); + checksum0 = &tcp0->checksum; + } + else if (l4_protocol0 == IP_PROTOCOL_ICMP6) + { + icmp0 = (icmp46_header_t *) u8_ptr_add (ip60, l4_offset0); + checksum0 = &icmp0->checksum; + } + else + goto skip_csum0; + + csum0 = ip_csum_sub_even (*checksum0, ip60->src_address.as_u64[0]); + csum0 = ip_csum_sub_even (csum0, ip60->src_address.as_u64[1]); + csum0 = ip_csum_add_even (csum0, sm0->e_addr.as_u64[0]); + csum0 = ip_csum_add_even (csum0, sm0->e_addr.as_u64[1]); + *checksum0 = ip_csum_fold (csum0); + + skip_csum0: + ip60->src_address.as_u64[0] = sm0->e_addr.as_u64[0]; + ip60->src_address.as_u64[1] = sm0->e_addr.as_u64[1]; + + vlib_increment_combined_counter (&nm->session_counters, + thread_index, sm0 - nm->sm, 1, + vlib_buffer_length_in_chain (vm, + b0)); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat66_in2out_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + t->next_index = next0; + } + + pkts_processed += next0 != NAT66_IN2OUT_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, + n_left_to_next, bi0, next0); + } + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, nm->in2out_node_index, + NAT66_IN2OUT_ERROR_IN2OUT_PACKETS, + pkts_processed); + return frame->n_vectors; +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat66_in2out_node) = { + .name = "nat66-in2out", + .vector_size = sizeof (u32), + .format_trace = format_nat66_in2out_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat66_in2out_error_strings), + .error_strings = nat66_in2out_error_strings, + .n_next_nodes = NAT66_IN2OUT_N_NEXT, + /* edit / add dispositions here */ + .next_nodes = { + [NAT66_IN2OUT_NEXT_DROP] = "error-drop", + [NAT66_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup", + }, +}; +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat66/nat66_out2in.c b/src/plugins/nat/nat66/nat66_out2in.c new file mode 100644 index 00000000000..563ad6f5178 --- /dev/null +++ b/src/plugins/nat/nat66/nat66_out2in.c @@ -0,0 +1,220 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT66 outside to inside network translation + */ + +#include +#include +#include + +typedef struct +{ + u32 sw_if_index; + u32 next_index; +} nat66_out2in_trace_t; + +static u8 * +format_nat66_out2in_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat66_out2in_trace_t *t = va_arg (*args, nat66_out2in_trace_t *); + + s = + format (s, "NAT66-out2in: sw_if_index %d, next index %d", t->sw_if_index, + t->next_index); + + return s; +} + +#define foreach_nat66_out2in_error \ +_(OUT2IN_PACKETS, "good out2in packets processed") \ +_(NO_TRANSLATION, "no translation") \ +_(UNKNOWN, "unknown") + +typedef enum +{ +#define _(sym,str) NAT66_OUT2IN_ERROR_##sym, + foreach_nat66_out2in_error +#undef _ + NAT66_OUT2IN_N_ERROR, +} nat66_out2in_error_t; + +static char *nat66_out2in_error_strings[] = { +#define _(sym,string) string, + foreach_nat66_out2in_error +#undef _ +}; + +typedef enum +{ + NAT66_OUT2IN_NEXT_IP6_LOOKUP, + NAT66_OUT2IN_NEXT_DROP, + NAT66_OUT2IN_N_NEXT, +} nat66_out2in_next_t; + +VLIB_NODE_FN (nat66_out2in_node) (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + u32 n_left_from, *from, *to_next; + nat66_out2in_next_t next_index; + u32 pkts_processed = 0; + u32 thread_index = vm->thread_index; + nat66_main_t *nm = &nat66_main; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = NAT66_OUT2IN_NEXT_IP6_LOOKUP; + ip6_header_t *ip60; + u16 l4_offset0, frag_offset0; + u8 l4_protocol0; + nat66_static_mapping_t *sm0; + u32 sw_if_index0, fib_index0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + u16 *checksum0 = 0; + ip_csum_t csum0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + ip60 = vlib_buffer_get_current (b0); + + if (PREDICT_FALSE + (ip6_parse + (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0, + &frag_offset0))) + { + next0 = NAT66_OUT2IN_NEXT_DROP; + b0->error = node->errors[NAT66_OUT2IN_ERROR_UNKNOWN]; + goto trace0; + } + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, + sw_if_index0); + + sm0 = nat66_static_mapping_get (&ip60->dst_address, fib_index0, 0); + if (PREDICT_FALSE (!sm0)) + { + goto trace0; + } + + if (l4_protocol0 == IP_PROTOCOL_UDP) + { + udp0 = (udp_header_t *) u8_ptr_add (ip60, l4_offset0); + checksum0 = &udp0->checksum; + } + else if (l4_protocol0 == IP_PROTOCOL_TCP) + { + tcp0 = (tcp_header_t *) u8_ptr_add (ip60, l4_offset0); + checksum0 = &tcp0->checksum; + } + else if (l4_protocol0 == IP_PROTOCOL_ICMP6) + { + icmp0 = (icmp46_header_t *) u8_ptr_add (ip60, l4_offset0); + checksum0 = &icmp0->checksum; + } + else + goto skip_csum0; + + csum0 = ip_csum_sub_even (*checksum0, ip60->dst_address.as_u64[0]); + csum0 = ip_csum_sub_even (csum0, ip60->dst_address.as_u64[1]); + csum0 = ip_csum_add_even (csum0, sm0->l_addr.as_u64[0]); + csum0 = ip_csum_add_even (csum0, sm0->l_addr.as_u64[1]); + *checksum0 = ip_csum_fold (csum0); + + skip_csum0: + ip60->dst_address.as_u64[0] = sm0->l_addr.as_u64[0]; + ip60->dst_address.as_u64[1] = sm0->l_addr.as_u64[1]; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0->fib_index; + + vlib_increment_combined_counter (&nm->session_counters, + thread_index, sm0 - nm->sm, 1, + vlib_buffer_length_in_chain (vm, + b0)); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat66_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + t->next_index = next0; + } + + pkts_processed += next0 != NAT66_OUT2IN_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, + n_left_to_next, bi0, next0); + } + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, nm->out2in_node_index, + NAT66_OUT2IN_ERROR_OUT2IN_PACKETS, + pkts_processed); + return frame->n_vectors; +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat66_out2in_node) = { + .name = "nat66-out2in", + .vector_size = sizeof (u32), + .format_trace = format_nat66_out2in_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat66_out2in_error_strings), + .error_strings = nat66_out2in_error_strings, + .n_next_nodes = NAT66_OUT2IN_N_NEXT, + /* edit / add dispositions here */ + .next_nodes = { + [NAT66_OUT2IN_NEXT_DROP] = "error-drop", + [NAT66_OUT2IN_NEXT_IP6_LOOKUP] = "ip6-lookup", + }, +}; +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat66_cli.c b/src/plugins/nat/nat66_cli.c deleted file mode 100644 index d34c1715aea..00000000000 --- a/src/plugins/nat/nat66_cli.c +++ /dev/null @@ -1,320 +0,0 @@ -/* - * Copyright (c) 2018 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/** - * @file - * @brief NAT66 CLI - */ - -#include -#include -#include - -static clib_error_t * -nat66_interface_feature_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - vnet_main_t *vnm = vnet_get_main (); - clib_error_t *error = 0; - u32 sw_if_index; - u32 *inside_sw_if_indices = 0; - u32 *outside_sw_if_indices = 0; - u8 is_add = 1; - int i, rv; - - /* Get a line of input. */ - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat (line_input, "in %U", unformat_vnet_sw_interface, - vnm, &sw_if_index)) - vec_add1 (inside_sw_if_indices, sw_if_index); - else if (unformat (line_input, "out %U", unformat_vnet_sw_interface, - vnm, &sw_if_index)) - vec_add1 (outside_sw_if_indices, sw_if_index); - else if (unformat (line_input, "del")) - is_add = 0; - else - { - error = clib_error_return (0, "unknown input '%U'", - format_unformat_error, line_input); - goto done; - } - } - - if (vec_len (inside_sw_if_indices)) - { - for (i = 0; i < vec_len (inside_sw_if_indices); i++) - { - sw_if_index = inside_sw_if_indices[i]; - rv = nat66_interface_add_del (sw_if_index, 1, is_add); - switch (rv) - { - case VNET_API_ERROR_NO_SUCH_ENTRY: - error = - clib_error_return (0, "%U NAT66 feature not enabled.", - format_vnet_sw_interface_name, vnm, - vnet_get_sw_interface (vnm, sw_if_index)); - goto done; - case VNET_API_ERROR_VALUE_EXIST: - error = - clib_error_return (0, "%U NAT66 feature already enabled.", - format_vnet_sw_interface_name, vnm, - vnet_get_sw_interface (vnm, sw_if_index)); - goto done; - case VNET_API_ERROR_INVALID_VALUE: - case VNET_API_ERROR_INVALID_VALUE_2: - error = - clib_error_return (0, - "%U NAT66 feature enable/disable failed.", - format_vnet_sw_interface_name, vnm, - vnet_get_sw_interface (vnm, sw_if_index)); - goto done; - default: - break; - - } - } - } - - if (vec_len (outside_sw_if_indices)) - { - for (i = 0; i < vec_len (outside_sw_if_indices); i++) - { - sw_if_index = outside_sw_if_indices[i]; - rv = nat66_interface_add_del (sw_if_index, 0, is_add); - switch (rv) - { - case VNET_API_ERROR_NO_SUCH_ENTRY: - error = - clib_error_return (0, "%U NAT66 feature not enabled.", - format_vnet_sw_interface_name, vnm, - vnet_get_sw_interface (vnm, sw_if_index)); - goto done; - case VNET_API_ERROR_VALUE_EXIST: - error = - clib_error_return (0, "%U NAT66 feature already enabled.", - format_vnet_sw_interface_name, vnm, - vnet_get_sw_interface (vnm, sw_if_index)); - goto done; - case VNET_API_ERROR_INVALID_VALUE: - case VNET_API_ERROR_INVALID_VALUE_2: - error = - clib_error_return (0, - "%U NAT66 feature enable/disable failed.", - format_vnet_sw_interface_name, vnm, - vnet_get_sw_interface (vnm, sw_if_index)); - goto done; - default: - break; - - } - } - } - -done: - unformat_free (line_input); - vec_free (inside_sw_if_indices); - vec_free (outside_sw_if_indices); - - return error; -} - -static int -nat66_cli_interface_walk (snat_interface_t * i, void *ctx) -{ - vlib_main_t *vm = ctx; - vnet_main_t *vnm = vnet_get_main (); - - vlib_cli_output (vm, " %U %s", format_vnet_sw_interface_name, vnm, - vnet_get_sw_interface (vnm, i->sw_if_index), - nat_interface_is_inside (i) ? "in" : "out"); - return 0; -} - -static clib_error_t * -nat66_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - vlib_cli_output (vm, "NAT66 interfaces:"); - nat66_interfaces_walk (nat66_cli_interface_walk, vm); - - return 0; -} - -static clib_error_t * -nat66_add_del_static_mapping_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - clib_error_t *error = 0; - u8 is_add = 1; - ip6_address_t l_addr, e_addr; - u32 vrf_id = 0; - int rv; - - /* Get a line of input. */ - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat (line_input, "local %U external %U", - unformat_ip6_address, &l_addr, - unformat_ip6_address, &e_addr)) - ; - else if (unformat (line_input, "vrf %u", &vrf_id)) - ; - else if (unformat (line_input, "del")) - is_add = 0; - else - { - error = clib_error_return (0, "unknown input: '%U'", - format_unformat_error, line_input); - goto done; - } - } - - rv = nat66_static_mapping_add_del (&l_addr, &e_addr, vrf_id, is_add); - - switch (rv) - { - case VNET_API_ERROR_NO_SUCH_ENTRY: - error = clib_error_return (0, "NAT66 static mapping entry not exist."); - goto done; - case VNET_API_ERROR_VALUE_EXIST: - error = clib_error_return (0, "NAT66 static mapping entry exist."); - goto done; - default: - break; - } - -done: - unformat_free (line_input); - - return error; -} - -static int -nat66_cli_static_mapping_walk (nat66_static_mapping_t * sm, void *ctx) -{ - nat66_main_t *nm = &nat66_main; - vlib_main_t *vm = ctx; - fib_table_t *fib; - vlib_counter_t vc; - - fib = fib_table_get (sm->fib_index, FIB_PROTOCOL_IP6); - if (!fib) - return -1; - - vlib_get_combined_counter (&nm->session_counters, sm - nm->sm, &vc); - - vlib_cli_output (vm, " local %U external %U vrf %d", - format_ip6_address, &sm->l_addr, - format_ip6_address, &sm->e_addr, fib->ft_table_id); - vlib_cli_output (vm, " total pkts %lld, total bytes %lld", vc.packets, - vc.bytes); - - return 0; -} - -static clib_error_t * -nat66_show_static_mappings_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - vlib_cli_output (vm, "NAT66 static mappings:"); - nat66_static_mappings_walk (nat66_cli_static_mapping_walk, vm); - return 0; -} - -/* *INDENT-OFF* */ -/*? - * @cliexpar - * @cliexstart{set interface nat66} - * Enable/disable NAT66 feature on the interface. - * To enable NAT66 feature with local (IPv6) network interface - * GigabitEthernet0/8/0 and external (IPv4) network interface - * GigabitEthernet0/a/0 use: - * vpp# set interface nat66 in GigabitEthernet0/8/0 out GigabitEthernet0/a/0 - * @cliexend -?*/ -VLIB_CLI_COMMAND (set_interface_nat66_command, static) = { - .path = "set interface nat66", - .short_help = "set interface nat66 in|out [del]", - .function = nat66_interface_feature_command_fn, -}; - -/*? - * @cliexpar - * @cliexstart{show nat66 interfaces} - * Show interfaces with NAT66 feature. - * To show interfaces with NAT66 feature use: - * vpp# show nat66 interfaces - * NAT66 interfaces: - * GigabitEthernet0/8/0 in - * GigabitEthernet0/a/0 out - * @cliexend -?*/ -VLIB_CLI_COMMAND (show_nat66_interfaces_command, static) = { - .path = "show nat66 interfaces", - .short_help = "show nat66 interfaces", - .function = nat66_show_interfaces_command_fn, -}; - -/*? - * @cliexpar - * @cliexstart{nat66 add static mapping} - * Add/delete NAT66 static mapping entry. - * To add NAT66 static mapping entry use: - * vpp# nat66 add static mapping local fd01:1::4 external 2001:db8:c000:223:: - * vpp# nat66 add static mapping local fd01:1::2 external 2001:db8:c000:221:: vrf 10 - * @cliexend -?*/ -VLIB_CLI_COMMAND (show_nat66_add_del_static_mapping_command, static) = { - .path = "nat66 add static mapping", - .short_help = "nat66 add static mapping local external " - " [vfr ] [del]", - .function = nat66_add_del_static_mapping_command_fn, -}; - -/*? - * @cliexpar - * @cliexstart{show nat66 static mappings} - * Show NAT66 static mappings. - * To show NAT66 static mappings use: - * vpp# show nat66 static mappings - * NAT66 static mappings: - * local fd01:1::4 external 2001:db8:c000:223:: vrf 0 - * local fd01:1::2 external 2001:db8:c000:221:: vrf 10 - * @cliexend -?*/ -VLIB_CLI_COMMAND (show_nat66_static_mappings_command, static) = { - .path = "show nat66 static mappings", - .short_help = "show nat66 static mappings", - .function = nat66_show_static_mappings_command_fn, -}; - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/nat/nat66_in2out.c b/src/plugins/nat/nat66_in2out.c deleted file mode 100644 index 437d66550f6..00000000000 --- a/src/plugins/nat/nat66_in2out.c +++ /dev/null @@ -1,262 +0,0 @@ -/* - * Copyright (c) 2018 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/** - * @file - * @brief NAT66 inside to outside network translation - */ - -#include -#include -#include - -typedef struct -{ - u32 sw_if_index; - u32 next_index; -} nat66_in2out_trace_t; - -static u8 * -format_nat66_in2out_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - nat66_in2out_trace_t *t = va_arg (*args, nat66_in2out_trace_t *); - - s = - format (s, "NAT66-in2out: sw_if_index %d, next index %d", t->sw_if_index, - t->next_index); - - return s; -} - -#define foreach_nat66_in2out_error \ -_(IN2OUT_PACKETS, "good in2out packets processed") \ -_(NO_TRANSLATION, "no translation") \ -_(UNKNOWN, "unknown") - -typedef enum -{ -#define _(sym,str) NAT66_IN2OUT_ERROR_##sym, - foreach_nat66_in2out_error -#undef _ - NAT66_IN2OUT_N_ERROR, -} nat66_in2out_error_t; - -static char *nat66_in2out_error_strings[] = { -#define _(sym,string) string, - foreach_nat66_in2out_error -#undef _ -}; - -typedef enum -{ - NAT66_IN2OUT_NEXT_IP6_LOOKUP, - NAT66_IN2OUT_NEXT_DROP, - NAT66_IN2OUT_N_NEXT, -} nat66_in2out_next_t; - -static inline u8 -nat66_not_translate (u32 rx_fib_index, ip6_address_t ip6_addr) -{ - nat66_main_t *nm = &nat66_main; - u32 sw_if_index; - snat_interface_t *i; - fib_node_index_t fei = FIB_NODE_INDEX_INVALID; - fib_prefix_t pfx = { - .fp_proto = FIB_PROTOCOL_IP6, - .fp_len = 128, - .fp_addr = { - .ip6 = ip6_addr, - }, - }; - - fei = fib_table_lookup (rx_fib_index, &pfx); - if (FIB_NODE_INDEX_INVALID == fei) - return 1; - sw_if_index = fib_entry_get_resolving_interface (fei); - - if (sw_if_index == ~0) - { - fei = fib_table_lookup (nm->outside_fib_index, &pfx); - if (FIB_NODE_INDEX_INVALID == fei) - return 1; - sw_if_index = fib_entry_get_resolving_interface (fei); - } - - /* *INDENT-OFF* */ - pool_foreach (i, nm->interfaces, - ({ - /* NAT packet aimed at outside interface */ - if (nat_interface_is_outside (i) && sw_if_index == i->sw_if_index) - return 0; - })); - /* *INDENT-ON* */ - - return 1; -} - -VLIB_NODE_FN (nat66_in2out_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - u32 n_left_from, *from, *to_next; - nat66_in2out_next_t next_index; - u32 pkts_processed = 0; - u32 thread_index = vm->thread_index; - nat66_main_t *nm = &nat66_main; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - vlib_buffer_t *b0; - u32 next0 = NAT66_IN2OUT_NEXT_IP6_LOOKUP; - ip6_header_t *ip60; - u16 l4_offset0, frag_offset0; - u8 l4_protocol0; - nat66_static_mapping_t *sm0; - u32 sw_if_index0, fib_index0; - udp_header_t *udp0; - tcp_header_t *tcp0; - icmp46_header_t *icmp0; - u16 *checksum0 = 0; - ip_csum_t csum0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - ip60 = vlib_buffer_get_current (b0); - - if (PREDICT_FALSE - (ip6_parse - (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0, - &frag_offset0))) - { - next0 = NAT66_IN2OUT_NEXT_DROP; - b0->error = node->errors[NAT66_IN2OUT_ERROR_UNKNOWN]; - goto trace0; - } - - sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; - fib_index0 = - fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, - sw_if_index0); - - if (nat66_not_translate (fib_index0, ip60->dst_address)) - goto trace0; - - sm0 = nat66_static_mapping_get (&ip60->src_address, fib_index0, 1); - if (PREDICT_FALSE (!sm0)) - { - goto trace0; - } - - if (l4_protocol0 == IP_PROTOCOL_UDP) - { - udp0 = (udp_header_t *) u8_ptr_add (ip60, l4_offset0); - checksum0 = &udp0->checksum; - } - else if (l4_protocol0 == IP_PROTOCOL_TCP) - { - tcp0 = (tcp_header_t *) u8_ptr_add (ip60, l4_offset0); - checksum0 = &tcp0->checksum; - } - else if (l4_protocol0 == IP_PROTOCOL_ICMP6) - { - icmp0 = (icmp46_header_t *) u8_ptr_add (ip60, l4_offset0); - checksum0 = &icmp0->checksum; - } - else - goto skip_csum0; - - csum0 = ip_csum_sub_even (*checksum0, ip60->src_address.as_u64[0]); - csum0 = ip_csum_sub_even (csum0, ip60->src_address.as_u64[1]); - csum0 = ip_csum_add_even (csum0, sm0->e_addr.as_u64[0]); - csum0 = ip_csum_add_even (csum0, sm0->e_addr.as_u64[1]); - *checksum0 = ip_csum_fold (csum0); - - skip_csum0: - ip60->src_address.as_u64[0] = sm0->e_addr.as_u64[0]; - ip60->src_address.as_u64[1] = sm0->e_addr.as_u64[1]; - - vlib_increment_combined_counter (&nm->session_counters, - thread_index, sm0 - nm->sm, 1, - vlib_buffer_length_in_chain (vm, - b0)); - - trace0: - if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat66_in2out_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX]; - t->next_index = next0; - } - - pkts_processed += next0 != NAT66_IN2OUT_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, nm->in2out_node_index, - NAT66_IN2OUT_ERROR_IN2OUT_PACKETS, - pkts_processed); - return frame->n_vectors; -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (nat66_in2out_node) = { - .name = "nat66-in2out", - .vector_size = sizeof (u32), - .format_trace = format_nat66_in2out_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (nat66_in2out_error_strings), - .error_strings = nat66_in2out_error_strings, - .n_next_nodes = NAT66_IN2OUT_N_NEXT, - /* edit / add dispositions here */ - .next_nodes = { - [NAT66_IN2OUT_NEXT_DROP] = "error-drop", - [NAT66_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup", - }, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/nat/nat66_out2in.c b/src/plugins/nat/nat66_out2in.c deleted file mode 100644 index 8386cd3ca73..00000000000 --- a/src/plugins/nat/nat66_out2in.c +++ /dev/null @@ -1,220 +0,0 @@ -/* - * Copyright (c) 2018 Cisco and/or its affiliates. - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at: - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/** - * @file - * @brief NAT66 outside to inside network translation - */ - -#include -#include -#include - -typedef struct -{ - u32 sw_if_index; - u32 next_index; -} nat66_out2in_trace_t; - -static u8 * -format_nat66_out2in_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - nat66_out2in_trace_t *t = va_arg (*args, nat66_out2in_trace_t *); - - s = - format (s, "NAT66-out2in: sw_if_index %d, next index %d", t->sw_if_index, - t->next_index); - - return s; -} - -#define foreach_nat66_out2in_error \ -_(OUT2IN_PACKETS, "good out2in packets processed") \ -_(NO_TRANSLATION, "no translation") \ -_(UNKNOWN, "unknown") - -typedef enum -{ -#define _(sym,str) NAT66_OUT2IN_ERROR_##sym, - foreach_nat66_out2in_error -#undef _ - NAT66_OUT2IN_N_ERROR, -} nat66_out2in_error_t; - -static char *nat66_out2in_error_strings[] = { -#define _(sym,string) string, - foreach_nat66_out2in_error -#undef _ -}; - -typedef enum -{ - NAT66_OUT2IN_NEXT_IP6_LOOKUP, - NAT66_OUT2IN_NEXT_DROP, - NAT66_OUT2IN_N_NEXT, -} nat66_out2in_next_t; - -VLIB_NODE_FN (nat66_out2in_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - u32 n_left_from, *from, *to_next; - nat66_out2in_next_t next_index; - u32 pkts_processed = 0; - u32 thread_index = vm->thread_index; - nat66_main_t *nm = &nat66_main; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - vlib_buffer_t *b0; - u32 next0 = NAT66_OUT2IN_NEXT_IP6_LOOKUP; - ip6_header_t *ip60; - u16 l4_offset0, frag_offset0; - u8 l4_protocol0; - nat66_static_mapping_t *sm0; - u32 sw_if_index0, fib_index0; - udp_header_t *udp0; - tcp_header_t *tcp0; - icmp46_header_t *icmp0; - u16 *checksum0 = 0; - ip_csum_t csum0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - ip60 = vlib_buffer_get_current (b0); - - if (PREDICT_FALSE - (ip6_parse - (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0, - &frag_offset0))) - { - next0 = NAT66_OUT2IN_NEXT_DROP; - b0->error = node->errors[NAT66_OUT2IN_ERROR_UNKNOWN]; - goto trace0; - } - - sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; - fib_index0 = - fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, - sw_if_index0); - - sm0 = nat66_static_mapping_get (&ip60->dst_address, fib_index0, 0); - if (PREDICT_FALSE (!sm0)) - { - goto trace0; - } - - if (l4_protocol0 == IP_PROTOCOL_UDP) - { - udp0 = (udp_header_t *) u8_ptr_add (ip60, l4_offset0); - checksum0 = &udp0->checksum; - } - else if (l4_protocol0 == IP_PROTOCOL_TCP) - { - tcp0 = (tcp_header_t *) u8_ptr_add (ip60, l4_offset0); - checksum0 = &tcp0->checksum; - } - else if (l4_protocol0 == IP_PROTOCOL_ICMP6) - { - icmp0 = (icmp46_header_t *) u8_ptr_add (ip60, l4_offset0); - checksum0 = &icmp0->checksum; - } - else - goto skip_csum0; - - csum0 = ip_csum_sub_even (*checksum0, ip60->dst_address.as_u64[0]); - csum0 = ip_csum_sub_even (csum0, ip60->dst_address.as_u64[1]); - csum0 = ip_csum_add_even (csum0, sm0->l_addr.as_u64[0]); - csum0 = ip_csum_add_even (csum0, sm0->l_addr.as_u64[1]); - *checksum0 = ip_csum_fold (csum0); - - skip_csum0: - ip60->dst_address.as_u64[0] = sm0->l_addr.as_u64[0]; - ip60->dst_address.as_u64[1] = sm0->l_addr.as_u64[1]; - vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0->fib_index; - - vlib_increment_combined_counter (&nm->session_counters, - thread_index, sm0 - nm->sm, 1, - vlib_buffer_length_in_chain (vm, - b0)); - - trace0: - if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat66_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX]; - t->next_index = next0; - } - - pkts_processed += next0 != NAT66_OUT2IN_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, - n_left_to_next, bi0, next0); - } - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, nm->out2in_node_index, - NAT66_OUT2IN_ERROR_OUT2IN_PACKETS, - pkts_processed); - return frame->n_vectors; -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (nat66_out2in_node) = { - .name = "nat66-out2in", - .vector_size = sizeof (u32), - .format_trace = format_nat66_out2in_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN (nat66_out2in_error_strings), - .error_strings = nat66_out2in_error_strings, - .n_next_nodes = NAT66_OUT2IN_N_NEXT, - /* edit / add dispositions here */ - .next_nodes = { - [NAT66_OUT2IN_NEXT_DROP] = "error-drop", - [NAT66_OUT2IN_NEXT_IP6_LOOKUP] = "ip6-lookup", - }, -}; -/* *INDENT-ON* */ - -/* - * fd.io coding-style-patch-verification: ON - * - * Local Variables: - * eval: (c-set-style "gnu") - * End: - */ diff --git a/src/plugins/nat/nat_api.c b/src/plugins/nat/nat_api.c index 9d1ed1bd9a9..b447395fd57 100644 --- a/src/plugins/nat/nat_api.c +++ b/src/plugins/nat/nat_api.c @@ -21,7 +21,6 @@ #include #include #include -#include #include #include #include @@ -3035,194 +3034,6 @@ static void *vl_api_nat64_add_del_interface_addr_t_print FINISH; } -/*************/ -/*** NAT66 ***/ -/*************/ - -static void -vl_api_nat66_add_del_interface_t_handler (vl_api_nat66_add_del_interface_t * - mp) -{ - snat_main_t *sm = &snat_main; - vl_api_nat66_add_del_interface_reply_t *rmp; - int rv = 0; - - VALIDATE_SW_IF_INDEX (mp); - - rv = - nat66_interface_add_del (ntohl (mp->sw_if_index), - mp->flags & NAT_API_IS_INSIDE, mp->is_add); - - BAD_SW_IF_INDEX_LABEL; - - REPLY_MACRO (VL_API_NAT66_ADD_DEL_INTERFACE_REPLY); -} - -static void * -vl_api_nat66_add_del_interface_t_print (vl_api_nat66_add_del_interface_t * mp, - void *handle) -{ - u8 *s; - - s = format (0, "SCRIPT: nat66_add_del_interface "); - s = format (s, "sw_if_index %d %s %s", - clib_host_to_net_u32 (mp->sw_if_index), - mp->flags & NAT_API_IS_INSIDE ? "in" : "out", - mp->is_add ? "" : "del"); - - FINISH; -} - -static void - vl_api_nat66_add_del_static_mapping_t_handler - (vl_api_nat66_add_del_static_mapping_t * mp) -{ - snat_main_t *sm = &snat_main; - vl_api_nat66_add_del_static_mapping_reply_t *rmp; - ip6_address_t l_addr, e_addr; - int rv = 0; - - memcpy (&l_addr.as_u8, mp->local_ip_address, 16); - memcpy (&e_addr.as_u8, mp->external_ip_address, 16); - - rv = - nat66_static_mapping_add_del (&l_addr, &e_addr, - clib_net_to_host_u32 (mp->vrf_id), - mp->is_add); - - REPLY_MACRO (VL_API_NAT66_ADD_DEL_STATIC_MAPPING_REPLY); -} - -static void *vl_api_nat66_add_del_static_mapping_t_print - (vl_api_nat66_add_del_static_mapping_t * mp, void *handle) -{ - u8 *s; - - s = format (0, "SCRIPT: nat66_add_del_static_mapping "); - s = format (s, "local_ip_address %U external_ip_address %U vrf_id %d %s", - format_ip6_address, mp->local_ip_address, - format_ip6_address, mp->external_ip_address, - clib_net_to_host_u32 (mp->vrf_id), mp->is_add ? "" : "del"); - - FINISH; -} - -typedef struct nat66_api_walk_ctx_t_ -{ - vl_api_registration_t *rp; - u32 context; -} nat66_api_walk_ctx_t; - -static int -nat66_api_interface_walk (snat_interface_t * i, void *arg) -{ - vl_api_nat66_interface_details_t *rmp; - snat_main_t *sm = &snat_main; - nat66_api_walk_ctx_t *ctx = arg; - - rmp = vl_msg_api_alloc (sizeof (*rmp)); - clib_memset (rmp, 0, sizeof (*rmp)); - rmp->_vl_msg_id = ntohs (VL_API_NAT66_INTERFACE_DETAILS + sm->msg_id_base); - rmp->sw_if_index = ntohl (i->sw_if_index); - if (nat_interface_is_inside (i)) - rmp->flags |= NAT_API_IS_INSIDE; - rmp->context = ctx->context; - - vl_api_send_msg (ctx->rp, (u8 *) rmp); - - return 0; -} - -static void -vl_api_nat66_interface_dump_t_handler (vl_api_nat66_interface_dump_t * mp) -{ - vl_api_registration_t *rp; - - rp = vl_api_client_index_to_registration (mp->client_index); - if (rp == 0) - return; - - nat66_api_walk_ctx_t ctx = { - .rp = rp, - .context = mp->context, - }; - - nat66_interfaces_walk (nat66_api_interface_walk, &ctx); -} - -static void * -vl_api_nat66_interface_dump_t_print (vl_api_nat66_interface_dump_t * mp, - void *handle) -{ - u8 *s; - - s = format (0, "SCRIPT: nat66_interface_dump "); - - FINISH; -} - -static int -nat66_api_static_mapping_walk (nat66_static_mapping_t * m, void *arg) -{ - vl_api_nat66_static_mapping_details_t *rmp; - nat66_main_t *nm = &nat66_main; - snat_main_t *sm = &snat_main; - nat66_api_walk_ctx_t *ctx = arg; - fib_table_t *fib; - vlib_counter_t vc; - - fib = fib_table_get (m->fib_index, FIB_PROTOCOL_IP6); - if (!fib) - return -1; - - vlib_get_combined_counter (&nm->session_counters, m - nm->sm, &vc); - - rmp = vl_msg_api_alloc (sizeof (*rmp)); - clib_memset (rmp, 0, sizeof (*rmp)); - rmp->_vl_msg_id = - ntohs (VL_API_NAT66_STATIC_MAPPING_DETAILS + sm->msg_id_base); - clib_memcpy (rmp->local_ip_address, &m->l_addr, 16); - clib_memcpy (rmp->external_ip_address, &m->e_addr, 16); - rmp->vrf_id = ntohl (fib->ft_table_id); - rmp->total_bytes = clib_host_to_net_u64 (vc.bytes); - rmp->total_pkts = clib_host_to_net_u64 (vc.packets); - rmp->context = ctx->context; - - vl_api_send_msg (ctx->rp, (u8 *) rmp); - - return 0; -} - -static void -vl_api_nat66_static_mapping_dump_t_handler (vl_api_nat66_static_mapping_dump_t - * mp) -{ - vl_api_registration_t *rp; - - rp = vl_api_client_index_to_registration (mp->client_index); - if (rp == 0) - return; - - nat66_api_walk_ctx_t ctx = { - .rp = rp, - .context = mp->context, - }; - - nat66_static_mappings_walk (nat66_api_static_mapping_walk, &ctx); -} - -static void * -vl_api_nat66_static_mapping_dump_t_print (vl_api_nat66_static_mapping_dump_t * - mp, void *handle) -{ - u8 *s; - - s = format (0, "SCRIPT: nat66_static_mapping_dump "); - - FINISH; -} - - /* List of message types that this plugin understands */ #define foreach_snat_plugin_api_msg \ _(NAT_CONTROL_PING, nat_control_ping) \ @@ -3284,11 +3095,7 @@ _(NAT64_BIB_DUMP, nat64_bib_dump) \ _(NAT64_ST_DUMP, nat64_st_dump) \ _(NAT64_ADD_DEL_PREFIX, nat64_add_del_prefix) \ _(NAT64_PREFIX_DUMP, nat64_prefix_dump) \ -_(NAT64_ADD_DEL_INTERFACE_ADDR, nat64_add_del_interface_addr) \ -_(NAT66_ADD_DEL_INTERFACE, nat66_add_del_interface) \ -_(NAT66_INTERFACE_DUMP, nat66_interface_dump) \ -_(NAT66_ADD_DEL_STATIC_MAPPING, nat66_add_del_static_mapping) \ -_(NAT66_STATIC_MAPPING_DUMP, nat66_static_mapping_dump) +_(NAT64_ADD_DEL_INTERFACE_ADDR, nat64_add_del_interface_addr) /* Set up the API message handling tables */ static clib_error_t * diff --git a/src/plugins/nat/nat_types.api b/src/plugins/nat/nat_types.api new file mode 100644 index 00000000000..f348e6154a3 --- /dev/null +++ b/src/plugins/nat/nat_types.api @@ -0,0 +1,29 @@ +/* + * Copyright (c) 2020 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +option version = "0.0.1"; + +enum nat_config_flags : u8 +{ + NAT_IS_NONE = 0x00, + NAT_IS_TWICE_NAT = 0x01, + NAT_IS_SELF_TWICE_NAT = 0x02, + NAT_IS_OUT2IN_ONLY = 0x04, + NAT_IS_ADDR_ONLY = 0x08, + NAT_IS_OUTSIDE = 0x10, + NAT_IS_INSIDE = 0x20, + NAT_IS_STATIC = 0x40, + NAT_IS_EXT_HOST_VALID = 0x80, +}; diff --git a/src/plugins/nat/test/test_nat.py b/src/plugins/nat/test/test_nat.py index 640e8036611..78c20ee3d70 100644 --- a/src/plugins/nat/test/test_nat.py +++ b/src/plugins/nat/test/test_nat.py @@ -9506,158 +9506,5 @@ class TestNAT64(MethodHolder): self.logger.info(self.vapi.cli("show nat64 session table all")) -class TestNAT66(MethodHolder): - """ NAT66 Test Cases """ - - @classmethod - def setUpClass(cls): - super(TestNAT66, cls).setUpClass() - - cls.nat_addr = 'fd01:ff::2' - - cls.create_pg_interfaces(range(2)) - cls.interfaces = list(cls.pg_interfaces) - - for i in cls.interfaces: - i.admin_up() - i.config_ip6() - i.configure_ipv6_neighbors() - - @classmethod - def tearDownClass(cls): - super(TestNAT66, cls).tearDownClass() - - def test_static(self): - """ 1:1 NAT66 test """ - flags = self.config_flags.NAT_IS_INSIDE - self.vapi.nat66_add_del_interface(is_add=1, flags=flags, - sw_if_index=self.pg0.sw_if_index) - self.vapi.nat66_add_del_interface(is_add=1, - sw_if_index=self.pg1.sw_if_index) - self.vapi.nat66_add_del_static_mapping( - local_ip_address=self.pg0.remote_ip6, - external_ip_address=self.nat_addr, - is_add=1) - - # in2out - pkts = [] - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / - TCP()) - pkts.append(p) - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / - UDP()) - pkts.append(p) - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / - ICMPv6EchoRequest()) - pkts.append(p) - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / - GRE() / IP() / TCP()) - pkts.append(p) - self.pg0.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(len(pkts)) - - for packet in capture: - try: - self.assertEqual(packet[IPv6].src, self.nat_addr) - self.assertEqual(packet[IPv6].dst, self.pg1.remote_ip6) - self.assert_packet_checksums_valid(packet) - except: - self.logger.error(ppp("Unexpected or invalid packet:", packet)) - raise - - # out2in - pkts = [] - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / - TCP()) - pkts.append(p) - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / - UDP()) - pkts.append(p) - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / - ICMPv6EchoReply()) - pkts.append(p) - p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / - IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / - GRE() / IP() / TCP()) - pkts.append(p) - self.pg1.add_stream(pkts) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg0.get_capture(len(pkts)) - for packet in capture: - try: - self.assertEqual(packet[IPv6].src, self.pg1.remote_ip6) - self.assertEqual(packet[IPv6].dst, self.pg0.remote_ip6) - self.assert_packet_checksums_valid(packet) - except: - self.logger.error(ppp("Unexpected or invalid packet:", packet)) - raise - - sm = self.vapi.nat66_static_mapping_dump() - self.assertEqual(len(sm), 1) - self.assertEqual(sm[0].total_pkts, 8) - - def test_check_no_translate(self): - """ NAT66 translate only when egress interface is outside interface """ - flags = self.config_flags.NAT_IS_INSIDE - self.vapi.nat66_add_del_interface(is_add=1, flags=flags, - sw_if_index=self.pg0.sw_if_index) - self.vapi.nat66_add_del_interface(is_add=1, flags=flags, - sw_if_index=self.pg1.sw_if_index) - self.vapi.nat66_add_del_static_mapping( - local_ip_address=self.pg0.remote_ip6, - external_ip_address=self.nat_addr, - is_add=1) - - # in2out - p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / - IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / - UDP()) - self.pg0.add_stream([p]) - self.pg_enable_capture(self.pg_interfaces) - self.pg_start() - capture = self.pg1.get_capture(1) - packet = capture[0] - try: - self.assertEqual(packet[IPv6].src, self.pg0.remote_ip6) - self.assertEqual(packet[IPv6].dst, self.pg1.remote_ip6) - except: - self.logger.error(ppp("Unexpected or invalid packet:", packet)) - raise - - def clear_nat66(self): - """ - Clear NAT66 configuration. - """ - interfaces = self.vapi.nat66_interface_dump() - for intf in interfaces: - self.vapi.nat66_add_del_interface(is_add=0, flags=intf.flags, - sw_if_index=intf.sw_if_index) - - static_mappings = self.vapi.nat66_static_mapping_dump() - for sm in static_mappings: - self.vapi.nat66_add_del_static_mapping( - local_ip_address=sm.local_ip_address, - external_ip_address=sm.external_ip_address, vrf_id=sm.vrf_id, - is_add=0) - - def tearDown(self): - super(TestNAT66, self).tearDown() - self.clear_nat66() - - def show_commands_at_teardown(self): - self.logger.info(self.vapi.cli("show nat66 interfaces")) - self.logger.info(self.vapi.cli("show nat66 static mappings")) - - if __name__ == '__main__': unittest.main(testRunner=VppTestRunner) diff --git a/src/plugins/nat/test/test_nat66.py b/src/plugins/nat/test/test_nat66.py new file mode 100644 index 00000000000..bd1b50b9ee2 --- /dev/null +++ b/src/plugins/nat/test/test_nat66.py @@ -0,0 +1,196 @@ +#!/usr/bin/env python3 + +import ipaddress +import random +import socket +import struct +import unittest +from io import BytesIO +from time import sleep + +import scapy.compat +from framework import VppTestCase, VppTestRunner, running_extended_tests +from ipfix import IPFIX, Set, Template, Data, IPFIXDecoder +from scapy.all import bind_layers, Packet, ByteEnumField, ShortField, \ + IPField, IntField, LongField, XByteField, FlagsField, FieldLenField, \ + PacketListField +from scapy.data import IP_PROTOS +from scapy.layers.inet import IP, TCP, UDP, ICMP +from scapy.layers.inet import IPerror, TCPerror, UDPerror, ICMPerror +from scapy.layers.inet6 import ICMPv6DestUnreach, IPerror6, IPv6ExtHdrFragment +from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest, ICMPv6EchoReply, \ + ICMPv6ND_NS, ICMPv6ND_NA, ICMPv6NDOptDstLLAddr, fragment6 +from scapy.layers.l2 import Ether, ARP, GRE +from scapy.packet import Raw +from syslog_rfc5424_parser import SyslogMessage, ParseError +from syslog_rfc5424_parser.constants import SyslogSeverity +from util import ip4_range +from util import ppc, ppp +from vpp_acl import AclRule, VppAcl, VppAclInterface +from vpp_ip_route import VppIpRoute, VppRoutePath +from vpp_neighbor import VppNeighbor +from vpp_papi import VppEnum + + +class MethodHolder(VppTestCase): + """ NAT create capture and verify method holder """ + @property + def config_flags(self): + return VppEnum.vl_api_nat_config_flags_t + + +class TestNAT66(MethodHolder): + """ NAT66 Test Cases """ + + @classmethod + def setUpClass(cls): + super(TestNAT66, cls).setUpClass() + + cls.nat_addr = 'fd01:ff::2' + + cls.create_pg_interfaces(range(2)) + cls.interfaces = list(cls.pg_interfaces) + + for i in cls.interfaces: + i.admin_up() + i.config_ip6() + i.configure_ipv6_neighbors() + + @classmethod + def tearDownClass(cls): + super(TestNAT66, cls).tearDownClass() + + def test_static(self): + """ 1:1 NAT66 test """ + flags = self.config_flags.NAT_IS_INSIDE + self.vapi.nat66_add_del_interface(is_add=1, flags=flags, + sw_if_index=self.pg0.sw_if_index) + self.vapi.nat66_add_del_interface(is_add=1, + sw_if_index=self.pg1.sw_if_index) + self.vapi.nat66_add_del_static_mapping( + local_ip_address=self.pg0.remote_ip6, + external_ip_address=self.nat_addr, + is_add=1) + + # in2out + pkts = [] + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / + TCP()) + pkts.append(p) + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / + UDP()) + pkts.append(p) + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / + ICMPv6EchoRequest()) + pkts.append(p) + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / + GRE() / IP() / TCP()) + pkts.append(p) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + + for packet in capture: + try: + self.assertEqual(packet[IPv6].src, self.nat_addr) + self.assertEqual(packet[IPv6].dst, self.pg1.remote_ip6) + self.assert_packet_checksums_valid(packet) + except: + self.logger.error(ppp("Unexpected or invalid packet:", packet)) + raise + + # out2in + pkts = [] + p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / + IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / + TCP()) + pkts.append(p) + p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / + IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / + UDP()) + pkts.append(p) + p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / + IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / + ICMPv6EchoReply()) + pkts.append(p) + p = (Ether(dst=self.pg1.local_mac, src=self.pg1.remote_mac) / + IPv6(src=self.pg1.remote_ip6, dst=self.nat_addr) / + GRE() / IP() / TCP()) + pkts.append(p) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + for packet in capture: + try: + self.assertEqual(packet[IPv6].src, self.pg1.remote_ip6) + self.assertEqual(packet[IPv6].dst, self.pg0.remote_ip6) + self.assert_packet_checksums_valid(packet) + except: + self.logger.error(ppp("Unexpected or invalid packet:", packet)) + raise + + sm = self.vapi.nat66_static_mapping_dump() + self.assertEqual(len(sm), 1) + self.assertEqual(sm[0].total_pkts, 8) + + def test_check_no_translate(self): + """ NAT66 translate only when egress interface is outside interface """ + flags = self.config_flags.NAT_IS_INSIDE + self.vapi.nat66_add_del_interface(is_add=1, flags=flags, + sw_if_index=self.pg0.sw_if_index) + self.vapi.nat66_add_del_interface(is_add=1, flags=flags, + sw_if_index=self.pg1.sw_if_index) + self.vapi.nat66_add_del_static_mapping( + local_ip_address=self.pg0.remote_ip6, + external_ip_address=self.nat_addr, + is_add=1) + + # in2out + p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) / + IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6) / + UDP()) + self.pg0.add_stream([p]) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(1) + packet = capture[0] + try: + self.assertEqual(packet[IPv6].src, self.pg0.remote_ip6) + self.assertEqual(packet[IPv6].dst, self.pg1.remote_ip6) + except: + self.logger.error(ppp("Unexpected or invalid packet:", packet)) + raise + + def clear_nat66(self): + """ + Clear NAT66 configuration. + """ + interfaces = self.vapi.nat66_interface_dump() + for intf in interfaces: + self.vapi.nat66_add_del_interface(is_add=0, flags=intf.flags, + sw_if_index=intf.sw_if_index) + + static_mappings = self.vapi.nat66_static_mapping_dump() + for sm in static_mappings: + self.vapi.nat66_add_del_static_mapping( + local_ip_address=sm.local_ip_address, + external_ip_address=sm.external_ip_address, vrf_id=sm.vrf_id, + is_add=0) + + def tearDown(self): + super(TestNAT66, self).tearDown() + self.clear_nat66() + + def show_commands_at_teardown(self): + self.logger.info(self.vapi.cli("show nat66 interfaces")) + self.logger.info(self.vapi.cli("show nat66 static mappings")) + + +if __name__ == '__main__': + unittest.main(testRunner=VppTestRunner) -- cgit 1.2.3-korg