refactor: nat v3 runtime and simplify ipv4 nat keys

Author: ThisSeanZhang

landscape-ebpf/src/bpf/land_nat4_v3.h

@@ -64,19 +64,14 @@ struct nat_mapping_key_v4 {
     // egress: Cp
     // ingress: Np
     __be16 from_port;
-    // 0 means wildcard across WAN interfaces.
-    u32 wan_ifindex;
     // egress: Ca
     // ingress: Na
     __be32 from_addr;
 };
 
-//
 struct nat_timer_key_v4 {
     u8 l4proto;
     u8 _pad[3];
-    // 0 means wildcard across WAN interfaces.
-    u32 wan_ifindex;
     // As:Ps_An:Pn
     struct inet4_pair pair_ip;
 };
@@ -100,6 +95,7 @@ struct nat_timer_value_v4 {
     u64 egress_bytes;
     u64 egress_packets;
     u32 cpu_id;
+    u32 ifindex;
 };
 
 //

landscape-ebpf/src/bpf/land_nat_common.h

@@ -131,7 +131,7 @@ int nat_v4_egress(struct __sk_buff *skb) {
                                    lookup.created || lookup.is_static, lookup.state, &ct_value);
     if (ret == TIMER_NOT_FOUND || ret == TIMER_ERROR) {
         if (lookup.created && !lookup.is_static) {
-            nat4_v3_delete_mapping_and_state(pkg_offset.l4_protocol, skb->ifindex, nat_addr.addr,
+            nat4_v3_delete_mapping_and_state(pkg_offset.l4_protocol, nat_addr.addr,
                                              lookup.egress->port, ip_pair.src_addr.addr,
                                              ip_pair.src_port);
             (void)nat4_v3_queue_push(pkg_offset.l4_protocol, &lookup.alloc_item);

landscape-ebpf/src/bpf/land_nat_v3.bpf.c

@@ -240,7 +240,7 @@ static __always_inline int nat_metric_try_report_v4(struct nat_timer_key_v4 *tim
     event->egress_bytes = timer_value->egress_bytes;
     event->egress_packets = timer_value->egress_packets;
     event->cpu_id = timer_value->cpu_id;
-    event->ifindex = timer_key->wan_ifindex;
+    event->ifindex = timer_value->ifindex;
     event->status = status;
     event->gress = timer_value->gress;
     bpf_ringbuf_submit(event, 0);
@@ -389,15 +389,13 @@ release:;
     egress_mapping_key.gress = NAT_MAPPING_EGRESS;
     egress_mapping_key.from_addr = value->client_addr.addr;
     egress_mapping_key.from_port = value->client_port;
-    egress_mapping_key.wan_ifindex = key->wan_ifindex;
 
     // ingress key: {INGRESS, proto, Pn, An} — from key
     struct nat_mapping_key_v4 ingress_mapping_key = {0};
     ingress_mapping_key.l4proto = key->l4proto;
     ingress_mapping_key.gress = NAT_MAPPING_INGRESS;
     ingress_mapping_key.from_addr = key->pair_ip.dst_addr.addr;
     ingress_mapping_key.from_port = key->pair_ip.dst_port;
-    ingress_mapping_key.wan_ifindex = key->wan_ifindex;
 
     // Check if static: lookup egress mapping, if is_static don't delete mapping entries
     struct nat_mapping_value_v4 *egress_val =
@@ -457,7 +455,6 @@ static __always_inline int lookup_or_new_ct(struct __sk_buff *skb, u8 l4proto, b
     u8 flow_id = get_flow_id(skb->mark);
 
     timer_key.l4proto = l4proto;
-    timer_key.wan_ifindex = skb->ifindex;
     // CT key = {As:Ps, An:Pn}
     __builtin_memcpy(&timer_key.pair_ip, server_nat_pair, sizeof(timer_key.pair_ip));
 
@@ -479,6 +476,7 @@ static __always_inline int lookup_or_new_ct(struct __sk_buff *skb, u8 l4proto, b
     timer_value_new.create_time = bpf_ktime_get_ns();
     timer_value_new.flow_id = flow_id;
     timer_value_new.cpu_id = bpf_get_smp_processor_id();
+    timer_value_new.ifindex = skb->ifindex;
     timer_value = insert_new_nat_timer(l4proto, &timer_key, &timer_value_new);
     if (timer_value == NULL) {
         return TIMER_ERROR;
@@ -497,7 +495,6 @@ insert_mappings_v4(const struct nat_mapping_key_v4 *key, const struct nat_mappin
     struct nat_mapping_key_v4 key_rev = {
         .gress = key->gress ^ GRESS_MASK,
         .l4proto = key->l4proto,
-        .wan_ifindex = key->wan_ifindex,
         .from_addr = val->addr,
         .from_port = val->port,
     };
@@ -550,14 +547,9 @@ static int search_port_callback_v4(u32 index, struct search_port_ctx_v4 *ctx) {
             .gress = NAT_MAPPING_INGRESS,
             .l4proto = ctx->ingress_key.l4proto,
             .from_port = ctx->ingress_key.from_port,
-            .wan_ifindex = ctx->ingress_key.wan_ifindex,
             .from_addr = 0,
         };
         struct nat_mapping_value_v4 *static_val = bpf_map_lookup_elem(&nat4_mappings, &static_key);
-        if (!static_val) {
-            static_key.wan_ifindex = 0;
-            static_val = bpf_map_lookup_elem(&nat4_mappings, &static_key);
-        }
         if (!static_val) {
             ctx->found = true;
             return BPF_LOOP_RET_BREAK;
@@ -592,7 +584,6 @@ ingress_lookup_or_new_mapping4(struct __sk_buff *skb, u8 ip_protocol,
         .gress = NAT_MAPPING_INGRESS,
         .l4proto = ip_protocol,
         .from_port = pkt_ip_pair->dst_port,
-        .wan_ifindex = skb->ifindex,
         .from_addr = pkt_ip_pair->dst_addr.addr,
     };
 
@@ -603,10 +594,6 @@ ingress_lookup_or_new_mapping4(struct __sk_buff *skb, u8 ip_protocol,
         // Fallback: try addr=0 for static mapping {INGRESS, proto, Pn, 0}
         ingress_key.from_addr = 0;
         nat_ingress_value = bpf_map_lookup_elem(&nat4_mappings, &ingress_key);
-        if (!nat_ingress_value) {
-            ingress_key.wan_ifindex = 0;
-            nat_ingress_value = bpf_map_lookup_elem(&nat4_mappings, &ingress_key);
-        }
         if (!nat_ingress_value) {
             return TC_ACT_SHOT;
         }
@@ -629,31 +616,19 @@ egress_lookup_or_new_mapping_v4(struct __sk_buff *skb, u8 ip_protocol, bool allo
     u64 curent_time = bpf_ktime_get_ns();
     struct nat_mapping_key_v4 egress_key = {
         .gress = NAT_MAPPING_EGRESS,
-        .l4proto = ip_protocol,              // 原有的 l4 层协议值
-        .from_port = pkt_ip_pair->src_port,  // 数据包中的 内网端口
-        .wan_ifindex = skb->ifindex,
+        .l4proto = ip_protocol,                   // 原有的 l4 层协议值
+        .from_port = pkt_ip_pair->src_port,       // 数据包中的 内网端口
         .from_addr = pkt_ip_pair->src_addr.addr,  // 内网原始地址
     };
 
     // 倒置的值
     struct nat_mapping_value_v4 *nat_ingress_value = NULL;
     struct nat_mapping_value_v4 *nat_egress_value =
         bpf_map_lookup_elem(&nat4_mappings, &egress_key);
-    if (!nat_egress_value) {
-        // Support wildcard-WAN static host mappings; dynamic entries never use ifindex=0.
-        egress_key.wan_ifindex = 0;
-        nat_egress_value = bpf_map_lookup_elem(&nat4_mappings, &egress_key);
-        egress_key.wan_ifindex = skb->ifindex;
-    }
     if (!nat_egress_value) {
         // Fallback: try addr=0 for static mapping targeting local router
         egress_key.from_addr = 0;
         nat_egress_value = bpf_map_lookup_elem(&nat4_mappings, &egress_key);
-        if (!nat_egress_value) {
-            egress_key.wan_ifindex = 0;
-            nat_egress_value = bpf_map_lookup_elem(&nat4_mappings, &egress_key);
-        }
-        egress_key.wan_ifindex = skb->ifindex;
         egress_key.from_addr = pkt_ip_pair->src_addr.addr;
     }
     if (!nat_egress_value) {
@@ -688,7 +663,6 @@ egress_lookup_or_new_mapping_v4(struct __sk_buff *skb, u8 ip_protocol, bool allo
                 {
                     .gress = NAT_MAPPING_INGRESS,
                     .l4proto = ip_protocol,
-                    .wan_ifindex = skb->ifindex,
                     .from_addr = new_nat_egress_value.addr,
                     .from_port = new_nat_egress_value.port,
                 },
@@ -750,8 +724,7 @@ egress_lookup_or_new_mapping_v4(struct __sk_buff *skb, u8 ip_protocol, bool allo
         // 已经存在就查询另外一个值 并进行刷新时间
         struct nat_mapping_key_v4 ingress_key = {
             .gress = NAT_MAPPING_INGRESS,
-            .l4proto = ip_protocol,  // 原有的 l4 层协议值
-            .wan_ifindex = egress_key.wan_ifindex,
+            .l4proto = ip_protocol,               // 原有的 l4 层协议值
             .from_port = nat_egress_value->port,  // 数据包中的 内网端口
             .from_addr = nat_egress_value->addr,  // 内网原始地址
         };

landscape-ebpf/src/bpf/land_nat_v4.h

@@ -57,6 +57,14 @@ struct {
     __uint(pinning, LIBBPF_PIN_BY_NAME);
 } nat6_static_mappings SEC(".maps");
 
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, struct nat_mapping_key_v4);
+    __type(value, struct nat_mapping_value_v4);
+    __uint(max_entries, NAT_MAPPING_CACHE_SIZE);
+    __uint(pinning, LIBBPF_PIN_BY_NAME);
+} nat4_st_map SEC(".maps");
+
 struct {
     __uint(type, BPF_MAP_TYPE_HASH);
     __type(key, struct nat_mapping_key_v4);

landscape-ebpf/src/bpf/nat/nat_maps.h

@@ -38,17 +38,24 @@ struct nat_timer_value_v4_v3 {
     u64 egress_bytes;
     u64 egress_packets;
     u32 cpu_id;
+    u32 ifindex;
     u16 generation_snapshot;
     u8 is_final_releaser;
     u8 _pad0;
 };
 
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, struct nat_mapping_key_v4);
+    __type(value, struct nat_mapping_value_v4);
+    __uint(max_entries, NAT_MAPPING_CACHE_SIZE);
+} nat4_dyn_map SEC(".maps");
+
 struct {
     __uint(type, BPF_MAP_TYPE_HASH);
     __type(key, struct nat_mapping_key_v4);
     __type(value, struct nat4_mapping_state_v3);
     __uint(max_entries, NAT4_V3_DYNAMIC_STATE_SIZE);
-    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } nat4_dynamic_state_v3 SEC(".maps");
 
 struct {
@@ -57,28 +64,24 @@ struct {
     __type(value, struct nat_timer_value_v4_v3);
     __uint(max_entries, NAT4_V3_TIMER_SIZE);
     __uint(map_flags, BPF_F_NO_PREALLOC);
-    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } nat4_mapping_timer_v3 SEC(".maps");
 
 struct {
     __uint(type, BPF_MAP_TYPE_QUEUE);
     __type(value, struct nat4_port_queue_value_v3);
     __uint(max_entries, NAT4_V3_PORT_QUEUE_SIZE);
-    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } nat4_tcp_free_ports_v3 SEC(".maps");
 
 struct {
     __uint(type, BPF_MAP_TYPE_QUEUE);
     __type(value, struct nat4_port_queue_value_v3);
     __uint(max_entries, NAT4_V3_PORT_QUEUE_SIZE);
-    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } nat4_udp_free_ports_v3 SEC(".maps");
 
 struct {
     __uint(type, BPF_MAP_TYPE_QUEUE);
     __type(value, struct nat4_port_queue_value_v3);
     __uint(max_entries, NAT4_V3_PORT_QUEUE_SIZE);
-    __uint(pinning, LIBBPF_PIN_BY_NAME);
 } nat4_icmp_free_ports_v3 SEC(".maps");
 
 #endif /* __LD_NAT_V3_MAPS_H__ */

landscape-ebpf/src/bpf/nat/nat_v3_maps.h

@@ -2,7 +2,6 @@
 
 #include "landscape.h"
 #include "nat/nat_maps.h"
-#include "nat/nat_v3_maps.h"
 #include "land_wan_ip.h"
 #include "firewall_share.h"
 #include "metric.h"

landscape-ebpf/src/bpf/share_map.bpf.c

@@ -79,20 +79,18 @@ int nat_v4_timer_step_test(struct __sk_buff *skb) {
     struct nat_mapping_key_v4 ingress_key = {
         .gress = NAT_MAPPING_INGRESS,
         .l4proto = input->key.l4proto,
-        .wan_ifindex = input->key.wan_ifindex,
         .from_addr = nat_addr,
         .from_port = nat_port,
     };
     struct nat_mapping_key_v4 egress_key = {
         .gress = NAT_MAPPING_EGRESS,
         .l4proto = input->key.l4proto,
-        .wan_ifindex = input->key.wan_ifindex,
         .from_addr = client_addr,
         .from_port = client_port,
     };
 
-    result->ingress_mapping_exists = bpf_map_lookup_elem(&nat4_mappings, &ingress_key) ? 1 : 0;
-    result->egress_mapping_exists = bpf_map_lookup_elem(&nat4_mappings, &egress_key) ? 1 : 0;
+    result->ingress_mapping_exists = bpf_map_lookup_elem(&nat4_dyn_map, &ingress_key) ? 1 : 0;
+    result->egress_mapping_exists = bpf_map_lookup_elem(&nat4_dyn_map, &egress_key) ? 1 : 0;
 
     struct nat4_mapping_state_v3 *state = bpf_map_lookup_elem(&nat4_dynamic_state_v3, &ingress_key);
     result->state_exists = state ? 1 : 0;

landscape-ebpf/src/bpf/test_nat_v3_timer.bpf.c

@@ -33,17 +33,10 @@ static MAP_PATHS: Lazy<LandscapeMapPath> = Lazy::new(|| {
     let paths = LandscapeMapPath {
         wan_ip: PathBuf::from(format!("{}/wan_ip_binding", ebpf_map_path)),
         nat6_static_mappings: PathBuf::from(format!("{}/nat_static_mapping", ebpf_map_path)),
+        nat4_st_map: PathBuf::from(format!("{}/nat4_st_map", ebpf_map_path)),
 
         nat4_mappings: PathBuf::from(format!("{}/nat4_mappings", ebpf_map_path)),
         nat4_mapping_timer: PathBuf::from(format!("{}/nat4_mapping_timer", ebpf_map_path)),
-        nat4_dynamic_state_v3: PathBuf::from(format!("{}/nat4_dynamic_state_v3", ebpf_map_path)),
-        nat4_mapping_timer_v3: PathBuf::from(format!("{}/nat4_mapping_timer_v3", ebpf_map_path)),
-        nat4_tcp_free_ports_v3: PathBuf::from(format!("{}/nat4_tcp_free_ports_v3", ebpf_map_path)),
-        nat4_udp_free_ports_v3: PathBuf::from(format!("{}/nat4_udp_free_ports_v3", ebpf_map_path)),
-        nat4_icmp_free_ports_v3: PathBuf::from(format!(
-            "{}/nat4_icmp_free_ports_v3",
-            ebpf_map_path
-        )),
 
         firewall_ipv4_block: PathBuf::from(format!("{}/firewall_block_ip4_map", ebpf_map_path)),
         firewall_ipv6_block: PathBuf::from(format!("{}/firewall_block_ip6_map", ebpf_map_path)),
@@ -94,13 +87,9 @@ pub(crate) struct LandscapeMapPath {
     pub wan_ip: PathBuf,
     // NAT
     pub nat6_static_mappings: PathBuf,
+    pub nat4_st_map: PathBuf,
     pub nat4_mappings: PathBuf,
     pub nat4_mapping_timer: PathBuf,
-    pub nat4_dynamic_state_v3: PathBuf,
-    pub nat4_mapping_timer_v3: PathBuf,
-    pub nat4_tcp_free_ports_v3: PathBuf,
-    pub nat4_udp_free_ports_v3: PathBuf,
-    pub nat4_icmp_free_ports_v3: PathBuf,
 
     // 防火墙黑名单
     pub firewall_ipv4_block: PathBuf,

landscape-ebpf/src/lib.rs

@@ -132,26 +132,6 @@ pub mod route;
 
 pub mod event;
 
-fn cleanup_obsolete_nat_v3_runtime_pins(paths: &LandscapeMapPath) {
-    let obsolete_paths = [
-        &paths.nat4_dynamic_state_v3,
-        &paths.nat4_mapping_timer_v3,
-        &paths.nat4_tcp_free_ports_v3,
-        &paths.nat4_udp_free_ports_v3,
-        &paths.nat4_icmp_free_ports_v3,
-    ];
-    for path in obsolete_paths {
-        match std::fs::remove_file(path) {
-            Ok(()) => tracing::info!("Removed obsolete NAT v3 runtime pin: {}", path.display()),
-            Err(e) if e.kind() == std::io::ErrorKind::NotFound => {}
-            Err(e) => tracing::warn!(
-                "Failed to remove obsolete NAT v3 runtime pin {}: {e}",
-                path.display()
-            ),
-        }
-    }
-}
-
 pub(crate) fn init_path(paths: &LandscapeMapPath) {
     let landscape_builder = ShareMapSkelBuilder::default();
     // landscape_builder.obj_builder.debug(true);
@@ -164,12 +144,12 @@ pub(crate) fn init_path(paths: &LandscapeMapPath) {
         &mut landscape_open.maps.nat6_static_mappings,
         &paths.nat6_static_mappings,
     );
+    reuse_pinned_map_or_recreate(&mut landscape_open.maps.nat4_st_map, &paths.nat4_st_map);
     reuse_pinned_map_or_recreate(
         &mut landscape_open.maps.nat4_mapping_timer,
         &paths.nat4_mapping_timer,
     );
     reuse_pinned_map_or_recreate(&mut landscape_open.maps.nat4_mappings, &paths.nat4_mappings);
-    cleanup_obsolete_nat_v3_runtime_pins(paths);
 
     // firewall
     reuse_pinned_map_or_recreate(
@@ -228,11 +208,6 @@ pub fn cleanup_pinned_maps() {
         // nat4_mapping_timer contains bpf_timer entries whose callbacks hold
         // refcounts on nat_v4 programs, preventing kernel cleanup.
         &MAP_PATHS.nat4_mapping_timer,
-        &MAP_PATHS.nat4_dynamic_state_v3,
-        &MAP_PATHS.nat4_mapping_timer_v3,
-        &MAP_PATHS.nat4_tcp_free_ports_v3,
-        &MAP_PATHS.nat4_udp_free_ports_v3,
-        &MAP_PATHS.nat4_icmp_free_ports_v3,
     ];
     for path in maps_to_unpin {
         match std::fs::remove_file(path) {