cnat_client.c

Go to the documentation of this file.

/*
 * Copyright (c) 2020 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#include <vnet/fib/fib_table.h>
#include <vnet/dpo/drop_dpo.h>

#include <cnat/cnat_client.h>
#include <cnat/cnat_translation.h>

cnat_client_t *cnat_client_pool;

cnat_client_db_t cnat_client_db;

dpo_type_t cnat_client_dpo;

static_always_inline u8
cnat_client_is_clone (cnat_client_t * cc)
{
  return (FIB_NODE_INDEX_INVALID == cc->cc_fei);
}

static void
cnat_client_db_remove (cnat_client_t * cc)
{
  if (ip_addr_version (&cc->cc_ip) == AF_IP4)
    hash_unset (cnat_client_db.crd_cip4, ip_addr_v4 (&cc->cc_ip).as_u32);
  else
    hash_unset_mem_free (&cnat_client_db.crd_cip6, &ip_addr_v6 (&cc->cc_ip));
}

static void
cnat_client_destroy (cnat_client_t * cc)
{
  ASSERT (!cnat_client_is_clone (cc));
  if (!(cc->flags & CNAT_FLAG_EXCLUSIVE))
    {
      ASSERT (fib_entry_is_sourced (cc->cc_fei, cnat_fib_source));
      fib_table_entry_delete_index (cc->cc_fei, cnat_fib_source);
    }
  cnat_client_db_remove (cc);
  dpo_reset (&cc->cc_parent);
  pool_put (cnat_client_pool, cc);
}

void
cnat_client_free_by_ip (ip46_address_t * ip, u8 af)
{
  cnat_client_t *cc;
  cc = (AF_IP4 == af ?
        cnat_client_ip4_find (&ip->ip4) : cnat_client_ip6_find (&ip->ip6));
  ASSERT (NULL != cc);

  if ((0 == cnat_client_uncnt_session (cc))
      && (cc->flags & CNAT_FLAG_EXPIRES) && (0 == cc->tr_refcnt))
    cnat_client_destroy (cc);
}

void
cnat_client_throttle_pool_process ()
{
  /* This processes ips stored in the throttle pool
     to update session refcounts
     and should be called before cnat_client_free_by_ip */
  vlib_thread_main_t *tm = vlib_get_thread_main ();
  cnat_client_t *cc;
  int nthreads;
  u32 *del_vec = NULL, *ai;
  ip_address_t *addr;
  nthreads = tm->n_threads + 1;
  for (int i = 0; i < nthreads; i++)
    {
      vec_reset_length (del_vec);
      clib_spinlock_lock (&cnat_client_db.throttle_pool_lock[i]);
      /* *INDENT-OFF* */
      pool_foreach (addr, cnat_client_db.throttle_pool[i])  {
        cc = (AF_IP4 == addr->version ?
              cnat_client_ip4_find (&ip_addr_v4(addr)) :
              cnat_client_ip6_find (&ip_addr_v6(addr)));
        /* Client might not already be created */
        if (NULL != cc)
          {
            cnat_client_cnt_session (cc);
            vec_add1(del_vec, addr - cnat_client_db.throttle_pool[i]);
          }
      }
      /* *INDENT-ON* */
      vec_foreach (ai, del_vec)
      {
        addr = pool_elt_at_index (cnat_client_db.throttle_pool[i], *ai);
        pool_put (cnat_client_db.throttle_pool[i], addr);
      }
      clib_spinlock_unlock (&cnat_client_db.throttle_pool_lock[i]);
    }
}

void
cnat_client_translation_added (index_t cci)
{
  cnat_client_t *cc;
  if (INDEX_INVALID == cci)
    return;

  cc = cnat_client_get (cci);
  ASSERT (!(cc->flags & CNAT_FLAG_EXPIRES));
  cc->tr_refcnt++;
}

void
cnat_client_translation_deleted (index_t cci)
{
  cnat_client_t *cc;
  if (INDEX_INVALID == cci)
    return;

  cc = cnat_client_get (cci);
  ASSERT (!(cc->flags & CNAT_FLAG_EXPIRES));
  cc->tr_refcnt--;

  if (0 == cc->tr_refcnt && 0 == cc->session_refcnt)
    cnat_client_destroy (cc);
}

static void
cnat_client_db_add (cnat_client_t * cc)
{
  index_t cci;

  cci = cc - cnat_client_pool;

  if (ip_addr_version (&cc->cc_ip) == AF_IP4)
    hash_set (cnat_client_db.crd_cip4, ip_addr_v4 (&cc->cc_ip).as_u32, cci);
  else
    hash_set_mem_alloc (&cnat_client_db.crd_cip6,
                        &ip_addr_v6 (&cc->cc_ip), cci);
}


index_t
cnat_client_add (const ip_address_t * ip, u8 flags)
{
  cnat_client_t *cc;
  dpo_id_t tmp = DPO_INVALID;
  fib_node_index_t fei;
  dpo_proto_t dproto;
  fib_prefix_t pfx;
  index_t cci;
  u32 fib_flags;

  /* check again if we need this client */
  cc = (AF_IP4 == ip->version ?
        cnat_client_ip4_find (&ip->ip.ip4) :
        cnat_client_ip6_find (&ip->ip.ip6));

  if (NULL != cc)
    return (cc - cnat_client_pool);


  pool_get_aligned (cnat_client_pool, cc, CLIB_CACHE_LINE_BYTES);
  cc->cc_locks = 1;
  cci = cc - cnat_client_pool;
  cc->parent_cci = cci;
  cc->flags = flags;
  cc->tr_refcnt = 0;
  cc->session_refcnt = 0;

  ip_address_copy (&cc->cc_ip, ip);
  cnat_client_db_add (cc);

  ip_address_to_fib_prefix (&cc->cc_ip, &pfx);

  dproto = fib_proto_to_dpo (pfx.fp_proto);
  dpo_set (&tmp, cnat_client_dpo, dproto, cci);
  dpo_stack (cnat_client_dpo, dproto, &cc->cc_parent, drop_dpo_get (dproto));

  fib_flags = FIB_ENTRY_FLAG_LOOSE_URPF_EXEMPT;
  fib_flags |= (flags & CNAT_FLAG_EXCLUSIVE) ?
    FIB_ENTRY_FLAG_EXCLUSIVE : FIB_ENTRY_FLAG_INTERPOSE;

  fei = fib_table_entry_special_dpo_add (CNAT_FIB_TABLE,
                                         &pfx, cnat_fib_source, fib_flags,
                                         &tmp);

  cc = pool_elt_at_index (cnat_client_pool, cci);
  cc->cc_fei = fei;

  return (cci);
}

void
cnat_client_learn (const cnat_learn_arg_t * l)
{
  /* RPC call to add a client from the dataplane */
  index_t cci;
  cnat_client_t *cc;
  cci = cnat_client_add (&l->addr, CNAT_FLAG_EXPIRES);
  cc = pool_elt_at_index (cnat_client_pool, cci);
  cnat_client_cnt_session (cc);
  /* Process throttled calls if any */
  cnat_client_throttle_pool_process ();
}

/**
 * Interpose a policy DPO
 */
static void
cnat_client_dpo_interpose (const dpo_id_t * original,
                           const dpo_id_t * parent, dpo_id_t * clone)
{
  cnat_client_t *cc, *cc_clone;

  pool_get_zero (cnat_client_pool, cc_clone);
  cc = cnat_client_get (original->dpoi_index);

  cc_clone->cc_fei = FIB_NODE_INDEX_INVALID;
  cc_clone->parent_cci = cc->parent_cci;
  cc_clone->flags = cc->flags;
  ip_address_copy (&cc_clone->cc_ip, &cc->cc_ip);

  /* stack the clone on the FIB provided parent */
  dpo_stack (cnat_client_dpo, original->dpoi_proto, &cc_clone->cc_parent,
             parent);

  /* return the clone */
  dpo_set (clone,
           cnat_client_dpo,
           original->dpoi_proto, cc_clone - cnat_client_pool);
}

int
cnat_client_purge (void)
{
  vlib_thread_main_t *tm = vlib_get_thread_main ();
  int nthreads;
  nthreads = tm->n_threads + 1;
  ASSERT (0 == hash_elts (cnat_client_db.crd_cip6));
  ASSERT (0 == hash_elts (cnat_client_db.crd_cip4));
  ASSERT (0 == pool_elts (cnat_client_pool));
  for (int i = 0; i < nthreads; i++)
    {
      ASSERT (0 == pool_elts (cnat_client_db.throttle_pool[i]));
    }
  return (0);
}

u8 *
format_cnat_client (u8 * s, va_list * args)
{
  index_t cci = va_arg (*args, index_t);
  u32 indent = va_arg (*args, u32);

  cnat_client_t *cc = pool_elt_at_index (cnat_client_pool, cci);

  s = format (s, "[%d] cnat-client:[%U] tr:%d sess:%d", cci,
              format_ip_address, &cc->cc_ip,
              cc->tr_refcnt, cc->session_refcnt);
  if (cc->flags & CNAT_FLAG_EXPIRES)
    s = format (s, " expires");

  if (cc->flags & CNAT_FLAG_EXCLUSIVE)
    s = format (s, " exclusive");

  if (cnat_client_is_clone (cc))
    s = format (s, "\n%Uclone of [%d]\n%U%U",
                format_white_space, indent + 2, cc->parent_cci,
                format_white_space, indent + 2,
                format_dpo_id, &cc->cc_parent, indent + 4);

  return (s);
}


static clib_error_t *
cnat_client_show (vlib_main_t * vm,
                  unformat_input_t * input, vlib_cli_command_t * cmd)
{
  index_t cci;

  cci = INDEX_INVALID;

  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (input, "%d", &cci))
        ;
      else
        return (clib_error_return (0, "unknown input '%U'",
                                   format_unformat_error, input));
    }

  if (INDEX_INVALID == cci)
    {
      /* *INDENT-OFF* */
      pool_foreach_index (cci, cnat_client_pool)
        vlib_cli_output(vm, "%U", format_cnat_client, cci, 0);
      /* *INDENT-ON* */

      vlib_cli_output (vm, "%d clients", pool_elts (cnat_client_pool));
      vlib_cli_output (vm, "%d timestamps", pool_elts (cnat_timestamps));
    }
  else
    {
      vlib_cli_output (vm, "Invalid policy ID:%d", cci);
    }

  return (NULL);
}

/* *INDENT-OFF* */
VLIB_CLI_COMMAND (cnat_client_show_cmd_node, static) = {
  .path = "show cnat client",
  .function = cnat_client_show,
  .short_help = "show cnat client",
  .is_mp_safe = 1,
};
/* *INDENT-ON* */

const static char *const cnat_client_dpo_ip4_nodes[] = {
  "ip4-cnat-tx",
  NULL,
};

const static char *const cnat_client_dpo_ip6_nodes[] = {
  "ip6-cnat-tx",
  NULL,
};

const static char *const *const cnat_client_dpo_nodes[DPO_PROTO_NUM] = {
  [DPO_PROTO_IP4] = cnat_client_dpo_ip4_nodes,
  [DPO_PROTO_IP6] = cnat_client_dpo_ip6_nodes,
};

static void
cnat_client_dpo_lock (dpo_id_t * dpo)
{
  cnat_client_t *cc;

  cc = cnat_client_get (dpo->dpoi_index);

  cc->cc_locks++;
}

static void
cnat_client_dpo_unlock (dpo_id_t * dpo)
{
  cnat_client_t *cc;

  cc = cnat_client_get (dpo->dpoi_index);

  cc->cc_locks--;

  if (0 == cc->cc_locks)
    {
      ASSERT (cnat_client_is_clone (cc));
      pool_put (cnat_client_pool, cc);
    }
}

u8 *
format_cnat_client_dpo (u8 * s, va_list * ap)
{
  index_t cci = va_arg (*ap, index_t);
  u32 indent = va_arg (*ap, u32);

  s = format (s, "%U", format_cnat_client, cci, indent);

  return (s);
}

const static dpo_vft_t cnat_client_dpo_vft = {
  .dv_lock = cnat_client_dpo_lock,
  .dv_unlock = cnat_client_dpo_unlock,
  .dv_format = format_cnat_client_dpo,
  .dv_mk_interpose = cnat_client_dpo_interpose,
};

static clib_error_t *
cnat_client_init (vlib_main_t * vm)
{
  vlib_thread_main_t *tm = vlib_get_thread_main ();
  int nthreads = tm->n_threads + 1;
  int i;
  cnat_client_dpo = dpo_register_new_type (&cnat_client_dpo_vft,
                                           cnat_client_dpo_nodes);

  cnat_client_db.crd_cip6 = hash_create_mem (0,
                                             sizeof (ip6_address_t),
                                             sizeof (uword));

  vec_validate (cnat_client_db.throttle_pool, nthreads);
  vec_validate (cnat_client_db.throttle_pool_lock, nthreads);
  for (i = 0; i < nthreads; i++)
    clib_spinlock_init (&cnat_client_db.throttle_pool_lock[i]);

  return (NULL);
}

VLIB_INIT_FUNCTION (cnat_client_init);

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */