2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent inside to outside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/ip/ip.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
25 #include <vnet/udp/udp_local.h>
26 #include <vppinfra/error.h>
28 #include <nat/lib/nat_inlines.h>
29 #include <nat/lib/ipfix_logging.h>
31 #include <nat/nat44-ed/nat44_ed.h>
32 #include <nat/nat44-ed/nat44_ed_inlines.h>
34 static char *nat_in2out_ed_error_strings[] = {
35 #define _(sym,string) string,
36 foreach_nat_in2out_ed_error
45 nat_translation_error_e translation_error;
48 clib_bihash_kv_16_8_t search_key;
50 u8 translation_via_i2of;
52 } nat_in2out_ed_trace_t;
55 format_nat_in2out_ed_trace (u8 * s, va_list * args)
57 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
58 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
59 nat_in2out_ed_trace_t *t = va_arg (*args, nat_in2out_ed_trace_t *);
63 t->is_slow_path ? "NAT44_IN2OUT_ED_SLOW_PATH" :
64 "NAT44_IN2OUT_ED_FAST_PATH";
66 s = format (s, "%s: sw_if_index %d, next index %d", tag, t->sw_if_index,
68 if (~0 != t->session_index)
70 s = format (s, ", session %d, translation result '%U' via %s",
71 t->session_index, format_nat_ed_translation_error,
73 t->translation_via_i2of ? "i2of" : "o2if");
74 s = format (s, "\n i2of %U", format_nat_6t_flow, &t->i2of);
75 s = format (s, "\n o2if %U", format_nat_6t_flow, &t->o2if);
79 if (t->lookup_skipped)
81 s = format (s, "\n lookup skipped - cached session index used");
85 s = format (s, "\n search key %U", format_ed_session_kvp,
94 * @brief Check if packet should be translated
96 * Packets aimed at outside interface and external address with active session
97 * should be translated.
100 * @param rt NAT runtime data
101 * @param sw_if_index0 index of the inside interface
102 * @param ip0 IPv4 header
103 * @param rx_fib_index0 RX FIB index
105 * @returns 0 if packet should be translated otherwise 1
108 snat_not_translate_fast (snat_main_t *sm, vlib_node_runtime_t *node,
109 u32 sw_if_index0, ip4_header_t *ip0,
112 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
113 nat_outside_fib_t *outside_fib;
115 .fp_proto = FIB_PROTOCOL_IP4,
118 .ip4.as_u32 = ip0->dst_address.as_u32,
123 /* Don't NAT packet aimed at the intfc address */
125 is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32)))
128 fei = fib_table_lookup (rx_fib_index0, &pfx);
129 if (FIB_NODE_INDEX_INVALID != fei)
131 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
132 if (sw_if_index == ~0)
134 vec_foreach (outside_fib, sm->outside_fibs)
136 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
137 if (FIB_NODE_INDEX_INVALID != fei)
139 sw_if_index = fib_entry_get_resolving_interface (fei);
140 if (sw_if_index != ~0)
145 if (sw_if_index == ~0)
149 pool_foreach (i, sm->interfaces)
151 /* NAT packet aimed at outside interface */
152 if ((nat44_ed_is_interface_outside (i)) &&
153 (sw_if_index == i->sw_if_index))
162 nat_ed_alloc_addr_and_port_with_snat_address (
163 snat_main_t *sm, u8 proto, u32 thread_index, snat_address_t *a,
164 u16 port_per_thread, u32 snat_thread_index, snat_session_t *s,
165 ip4_address_t *outside_addr, u16 *outside_port)
167 const u16 port_thread_offset = (port_per_thread * snat_thread_index) + 1024;
169 s->o2i.match.daddr = a->addr;
170 /* first try port suggested by caller */
171 u16 port = clib_net_to_host_u16 (*outside_port);
172 u16 port_offset = port - port_thread_offset;
173 if (port <= port_thread_offset ||
174 port > port_thread_offset + port_per_thread)
176 /* need to pick a different port, suggested port doesn't fit in
177 * this thread's port range */
178 port_offset = snat_random_port (0, port_per_thread - 1);
179 port = port_thread_offset + port_offset;
181 u16 attempts = ED_PORT_ALLOC_ATTEMPTS;
184 if (IP_PROTOCOL_ICMP == proto)
186 s->o2i.match.sport = clib_host_to_net_u16 (port);
188 s->o2i.match.dport = clib_host_to_net_u16 (port);
189 if (0 == nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 2))
191 *outside_addr = a->addr;
192 *outside_port = clib_host_to_net_u16 (port);
195 port_offset = snat_random_port (0, port_per_thread - 1);
196 port = port_thread_offset + port_offset;
199 while (attempts > 0);
204 nat_ed_alloc_addr_and_port (snat_main_t *sm, u32 rx_fib_index,
205 u32 tx_sw_if_index, u32 nat_proto,
206 u32 thread_index, ip4_address_t s_addr,
207 ip4_address_t d_addr, u32 snat_thread_index,
208 snat_session_t *s, ip4_address_t *outside_addr,
211 if (vec_len (sm->addresses) > 0)
213 u32 s_addr_offset = s_addr.as_u32 % vec_len (sm->addresses);
214 snat_address_t *a, *ja = 0, *ra = 0, *ba = 0;
218 if (tx_sw_if_index != ~0)
220 for (i = s_addr_offset; i < vec_len (sm->addresses); ++i)
222 a = sm->addresses + i;
223 if (a->fib_index == rx_fib_index)
225 if (a->sw_if_index == tx_sw_if_index)
227 if ((a->addr_len != ~0) &&
229 (d_addr.as_u32 & ip4_main.fib_masks[a->addr_len])))
232 return nat_ed_alloc_addr_and_port_with_snat_address (
233 sm, nat_proto, thread_index, a,
234 sm->port_per_thread, snat_thread_index, s,
235 outside_addr, outside_port);
241 else if (a->fib_index == ~0)
246 for (i = 0; i < s_addr_offset; ++i)
248 a = sm->addresses + i;
249 if (a->fib_index == rx_fib_index)
251 if (a->sw_if_index == tx_sw_if_index)
253 if ((a->addr_len != ~0) &&
255 (d_addr.as_u32 & ip4_main.fib_masks[a->addr_len])))
258 return nat_ed_alloc_addr_and_port_with_snat_address (
259 sm, nat_proto, thread_index, a,
260 sm->port_per_thread, snat_thread_index, s,
261 outside_addr, outside_port);
267 else if (a->fib_index == ~0)
274 return nat_ed_alloc_addr_and_port_with_snat_address (
275 sm, nat_proto, thread_index, ra, sm->port_per_thread,
276 snat_thread_index, s, outside_addr, outside_port);
281 // first try nat pool addresses to sw interface addreses mappings
282 for (i = s_addr_offset; i < vec_len (sm->addresses); ++i)
284 a = sm->addresses + i;
285 if (a->fib_index == rx_fib_index)
287 if ((a->addr_len != ~0) &&
289 (d_addr.as_u32 & ip4_main.fib_masks[a->addr_len])))
291 return nat_ed_alloc_addr_and_port_with_snat_address (
292 sm, nat_proto, thread_index, a, sm->port_per_thread,
293 snat_thread_index, s, outside_addr, outside_port);
297 else if (a->fib_index == ~0)
302 for (i = 0; i < s_addr_offset; ++i)
304 a = sm->addresses + i;
305 if (a->fib_index == rx_fib_index)
307 if ((a->addr_len != ~0) &&
309 (d_addr.as_u32 & ip4_main.fib_masks[a->addr_len])))
311 return nat_ed_alloc_addr_and_port_with_snat_address (
312 sm, nat_proto, thread_index, a, sm->port_per_thread,
313 snat_thread_index, s, outside_addr, outside_port);
317 else if (a->fib_index == ~0)
327 return nat_ed_alloc_addr_and_port_with_snat_address (
328 sm, nat_proto, thread_index, a, sm->port_per_thread,
329 snat_thread_index, s, outside_addr, outside_port);
332 /* Totally out of translations to use... */
333 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
337 static_always_inline u32
338 nat_outside_fib_index_lookup (snat_main_t * sm, ip4_address_t addr)
340 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
341 nat_outside_fib_t *outside_fib;
343 .fp_proto = FIB_PROTOCOL_IP4,
345 .fp_addr = {.ip4.as_u32 = addr.as_u32,}
348 vec_foreach (outside_fib, sm->outside_fibs)
350 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
351 if (FIB_NODE_INDEX_INVALID != fei)
353 if (fib_entry_get_resolving_interface (fei) != ~0)
355 return outside_fib->fib_index;
362 static_always_inline int
363 nat44_ed_external_sm_lookup (snat_main_t *sm, ip4_address_t match_addr,
364 u16 match_port, ip_protocol_t match_protocol,
365 ip4_address_t *daddr, u16 *dport)
367 snat_static_mapping_t *m =
368 nat44_ed_sm_o2i_lookup (sm, match_addr, match_port, 0, match_protocol);
371 /* Try address only mapping */
372 m = nat44_ed_sm_o2i_lookup (sm, match_addr, 0, 0, 0);
376 *daddr = m->local_addr;
379 /* Address only mapping doesn't change port */
380 *dport = is_sm_addr_only (m->flags) ? match_port : m->local_port;
386 slow_path_ed (vlib_main_t *vm, snat_main_t *sm, vlib_buffer_t *b,
387 ip4_address_t l_addr, ip4_address_t r_addr, u16 l_port,
388 u16 r_port, u8 proto, u32 rx_fib_index, u32 tx_sw_if_index,
389 snat_session_t **sessionp, vlib_node_runtime_t *node, u32 next,
390 u32 thread_index, f64 now)
392 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
393 ip4_address_t outside_addr;
395 u32 outside_fib_index;
396 u8 is_identity_nat = 0;
398 snat_session_t *s = NULL;
399 lb_nat_type_t lb = 0;
400 ip4_address_t daddr = r_addr;
404 (nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
406 if (!nat_lru_free_one (sm, thread_index, now))
408 b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED];
409 nat_ipfix_logging_max_sessions (thread_index,
410 sm->max_translations_per_thread);
411 nat_elog_notice (sm, "maximum sessions exceeded");
412 return NAT_NEXT_DROP;
416 outside_fib_index = sm->outside_fib_index;
418 switch (vec_len (sm->outside_fibs))
421 outside_fib_index = sm->outside_fib_index;
424 outside_fib_index = sm->outside_fibs[0].fib_index;
427 outside_fib_index = nat_outside_fib_index_lookup (sm, r_addr);
431 ip4_address_t sm_addr;
434 /* First try to match static mapping by local address and port */
436 if (snat_static_mapping_match (vm, sm, l_addr, l_port, rx_fib_index, proto,
437 &sm_addr, &sm_port, &sm_fib_index, 0, 0, 0,
438 &lb, 0, &is_identity_nat, 0))
444 if (PREDICT_FALSE (is_identity_nat))
452 if (PREDICT_TRUE (proto == IP_PROTOCOL_TCP))
454 if (PREDICT_FALSE (!tcp_flags_is_init (
455 vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
457 b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
458 return NAT_NEXT_DROP;
462 s = nat_ed_session_alloc (sm, thread_index, now, proto);
467 s->in2out.addr = l_addr;
468 s->in2out.port = l_port;
470 s->in2out.fib_index = rx_fib_index;
471 s->out2in.fib_index = outside_fib_index;
473 // suggest using local port to allocation function
474 outside_port = l_port;
477 int is_hairpinning = nat44_ed_external_sm_lookup (sm, r_addr, r_port,
478 proto, &daddr, &dport);
479 s->flags |= is_hairpinning * SNAT_SESSION_FLAG_HAIRPINNING;
481 // destination addr/port updated with real values in
482 // nat_ed_alloc_addr_and_port
483 nat_6t_o2i_flow_init (sm, thread_index, s, daddr, dport, daddr, 0,
484 s->out2in.fib_index, proto);
485 nat_6t_flow_daddr_rewrite_set (&s->o2i, l_addr.as_u32);
486 if (IP_PROTOCOL_ICMP == proto)
488 nat_6t_flow_icmp_id_rewrite_set (&s->o2i, l_port);
492 nat_6t_flow_dport_rewrite_set (&s->o2i, l_port);
494 nat_6t_flow_txfib_rewrite_set (&s->o2i, rx_fib_index);
496 if (nat_ed_alloc_addr_and_port (
497 sm, rx_fib_index, tx_sw_if_index, proto, thread_index, l_addr,
498 r_addr, tsm->snat_thread_index, s, &outside_addr, &outside_port))
500 nat_elog_notice (sm, "addresses exhausted");
501 b->error = node->errors[NAT_IN2OUT_ED_ERROR_OUT_OF_PORTS];
502 nat_ed_session_delete (sm, s, thread_index, 1);
503 return NAT_NEXT_DROP;
505 s->out2in.addr = outside_addr;
506 s->out2in.port = outside_port;
511 s->out2in.addr = outside_addr = sm_addr;
512 s->out2in.port = outside_port = sm_port;
513 s->in2out.addr = l_addr;
514 s->in2out.port = l_port;
516 s->in2out.fib_index = rx_fib_index;
517 s->out2in.fib_index = outside_fib_index;
518 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
521 int is_hairpinning = nat44_ed_external_sm_lookup (sm, r_addr, r_port,
522 proto, &daddr, &dport);
523 s->flags |= is_hairpinning * SNAT_SESSION_FLAG_HAIRPINNING;
525 if (IP_PROTOCOL_ICMP == proto)
527 nat_6t_o2i_flow_init (sm, thread_index, s, daddr, sm_port, sm_addr,
528 sm_port, s->out2in.fib_index, proto);
529 nat_6t_flow_icmp_id_rewrite_set (&s->o2i, l_port);
533 nat_6t_o2i_flow_init (sm, thread_index, s, daddr, dport, sm_addr,
534 sm_port, s->out2in.fib_index, proto);
535 nat_6t_flow_dport_rewrite_set (&s->o2i, l_port);
537 nat_6t_flow_daddr_rewrite_set (&s->o2i, l_addr.as_u32);
538 nat_6t_flow_txfib_rewrite_set (&s->o2i, rx_fib_index);
539 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 2))
541 nat_elog_notice (sm, "out2in key add failed");
547 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
548 s->ext_host_addr = r_addr;
549 s->ext_host_port = r_port;
551 nat_6t_i2o_flow_init (sm, thread_index, s, l_addr, l_port, r_addr, r_port,
552 rx_fib_index, proto);
553 nat_6t_flow_saddr_rewrite_set (&s->i2o, outside_addr.as_u32);
554 nat_6t_flow_daddr_rewrite_set (&s->i2o, daddr.as_u32);
556 if (IP_PROTOCOL_ICMP == proto)
558 nat_6t_flow_icmp_id_rewrite_set (&s->i2o, outside_port);
562 nat_6t_flow_sport_rewrite_set (&s->i2o, outside_port);
563 nat_6t_flow_dport_rewrite_set (&s->i2o, dport);
565 nat_6t_flow_txfib_rewrite_set (&s->i2o, outside_fib_index);
567 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 1))
569 nat_elog_notice (sm, "in2out key add failed");
574 nat_ipfix_logging_nat44_ses_create (
575 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32, s->proto,
576 s->in2out.port, s->out2in.port, s->in2out.fib_index);
578 nat_syslog_nat44_sadd (0, s->in2out.fib_index, &s->in2out.addr,
579 s->in2out.port, &s->ext_host_nat_addr,
580 s->ext_host_nat_port, &s->out2in.addr, s->out2in.port,
581 &s->ext_host_addr, s->ext_host_port, s->proto, 0);
583 per_vrf_sessions_register_session (s, thread_index);
590 nat_ed_session_delete (sm, s, thread_index, 1);
592 *sessionp = s = NULL;
593 return NAT_NEXT_DROP;
596 static_always_inline int
597 nat44_ed_not_translate (vlib_main_t *vm, snat_main_t *sm,
598 vlib_node_runtime_t *node, u32 sw_if_index,
599 vlib_buffer_t *b, ip4_header_t *ip, u32 proto,
602 clib_bihash_kv_16_8_t kv, value;
604 init_ed_k (&kv, ip->dst_address.as_u32,
605 vnet_buffer (b)->ip.reass.l4_dst_port, ip->src_address.as_u32,
606 vnet_buffer (b)->ip.reass.l4_src_port, sm->outside_fib_index,
609 /* NAT packet aimed at external address if has active sessions */
610 if (clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
612 /* or is static mappings */
613 ip4_address_t placeholder_addr;
614 u16 placeholder_port;
615 u32 placeholder_fib_index;
616 if (!snat_static_mapping_match (
617 vm, sm, ip->dst_address, vnet_buffer (b)->ip.reass.l4_dst_port,
618 sm->outside_fib_index, proto, &placeholder_addr, &placeholder_port,
619 &placeholder_fib_index, 1, 0, 0, 0, 0, 0, 0))
625 if (sm->forwarding_enabled)
628 return snat_not_translate_fast (sm, node, sw_if_index, ip, rx_fib_index);
631 static_always_inline int
632 nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
633 u32 thread_index, f64 now,
634 vlib_main_t * vm, vlib_buffer_t * b)
636 clib_bihash_kv_16_8_t kv, value;
637 snat_session_t *s = 0;
638 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
640 if (!sm->forwarding_enabled)
643 if (ip->protocol == IP_PROTOCOL_ICMP)
645 ip4_address_t lookup_saddr, lookup_daddr;
646 u16 lookup_sport, lookup_dport;
648 if (nat_get_icmp_session_lookup_values (b, ip, &lookup_saddr,
649 &lookup_sport, &lookup_daddr,
650 &lookup_dport, &lookup_protocol))
652 init_ed_k (&kv, lookup_saddr.as_u32, lookup_sport, lookup_daddr.as_u32,
653 lookup_dport, 0, lookup_protocol);
655 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
657 init_ed_k (&kv, ip->src_address.as_u32,
658 vnet_buffer (b)->ip.reass.l4_src_port, ip->dst_address.as_u32,
659 vnet_buffer (b)->ip.reass.l4_dst_port, 0, ip->protocol);
663 init_ed_k (&kv, ip->src_address.as_u32, 0, ip->dst_address.as_u32, 0, 0,
667 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
669 ASSERT (thread_index == ed_value_get_thread_index (&value));
671 pool_elt_at_index (tsm->sessions,
672 ed_value_get_session_index (&value));
674 if (na44_ed_is_fwd_bypass_session (s))
676 if (ip->protocol == IP_PROTOCOL_TCP)
678 nat44_set_tcp_session_state_i2o (sm, now, s, b, thread_index);
681 nat44_session_update_counters (s, now,
682 vlib_buffer_length_in_chain (vm, b),
684 /* Per-user LRU list maintenance */
685 nat44_session_update_lru (sm, s, thread_index);
695 static_always_inline int
696 nat44_ed_not_translate_output_feature (snat_main_t *sm, vlib_buffer_t *b,
697 ip4_header_t *ip, u16 src_port,
698 u16 dst_port, u32 thread_index,
699 u32 rx_sw_if_index, u32 tx_sw_if_index,
700 f64 now, int is_multi_worker)
702 clib_bihash_kv_16_8_t kv, value;
703 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
706 u32 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (rx_sw_if_index);
707 u32 tx_fib_index = ip4_fib_table_get_index_for_sw_if_index (tx_sw_if_index);
710 init_ed_k (&kv, ip->src_address.as_u32, src_port, ip->dst_address.as_u32,
711 dst_port, tx_fib_index, ip->protocol);
712 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
714 ASSERT (thread_index == ed_value_get_thread_index (&value));
716 pool_elt_at_index (tsm->sessions,
717 ed_value_get_session_index (&value));
718 if (nat44_is_ses_closed (s)
719 && (!s->tcp_closed_timestamp || now >= s->tcp_closed_timestamp))
721 nat44_ed_free_session_data (sm, s, thread_index, 0);
722 nat_ed_session_delete (sm, s, thread_index, 1);
728 if (is_multi_worker &&
729 PREDICT_TRUE (!pool_is_free_index (
730 tsm->sessions, vnet_buffer2 (b)->nat.cached_dst_nat_session_index)))
733 lookup.fib_index = rx_fib_index;
734 lookup.proto = ip->protocol;
735 lookup.daddr.as_u32 = ip->src_address.as_u32;
736 lookup.dport = src_port;
737 lookup.saddr.as_u32 = ip->dst_address.as_u32;
738 lookup.sport = dst_port;
739 s = pool_elt_at_index (
740 tsm->sessions, vnet_buffer2 (b)->nat.cached_dst_nat_session_index);
741 if (PREDICT_TRUE (nat_6t_t_eq (&s->i2o.match, &lookup)))
743 goto skip_dst_nat_lookup;
748 init_ed_k (&kv, ip->dst_address.as_u32, dst_port, ip->src_address.as_u32,
749 src_port, rx_fib_index, ip->protocol);
750 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
752 ASSERT (thread_index == ed_value_get_thread_index (&value));
754 pool_elt_at_index (tsm->sessions,
755 ed_value_get_session_index (&value));
758 if (na44_ed_is_fwd_bypass_session (s))
762 pool_foreach (i, sm->output_feature_interfaces)
764 if ((nat44_ed_is_interface_inside (i)) &&
765 (rx_sw_if_index == i->sw_if_index))
775 icmp_in2out_ed_slow_path (snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
776 icmp46_header_t *icmp, u32 sw_if_index,
777 u32 tx_sw_if_index, u32 rx_fib_index,
778 vlib_node_runtime_t *node, u32 next, f64 now,
779 u32 thread_index, snat_session_t **s_p,
782 vlib_main_t *vm = vlib_get_main ();
785 snat_session_t *s = NULL;
786 u8 lookup_protocol = ip->protocol;
787 u16 lookup_sport, lookup_dport;
788 ip4_address_t lookup_saddr, lookup_daddr;
790 err = nat_get_icmp_session_lookup_values (b, ip, &lookup_saddr,
791 &lookup_sport, &lookup_daddr,
792 &lookup_dport, &lookup_protocol);
795 b->error = node->errors[err];
796 return NAT_NEXT_DROP;
799 if (tx_sw_if_index != ~0)
801 if (PREDICT_FALSE (nat44_ed_not_translate_output_feature (
802 sm, b, ip, lookup_sport, lookup_dport, thread_index, sw_if_index,
803 tx_sw_if_index, now, is_multi_worker)))
810 if (PREDICT_FALSE (nat44_ed_not_translate (
811 vm, sm, node, sw_if_index, b, ip, IP_PROTOCOL_ICMP, rx_fib_index)))
817 if (PREDICT_FALSE (icmp_type_is_error_message (
818 vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
820 b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
821 return NAT_NEXT_DROP;
825 slow_path_ed (vm, sm, b, ip->src_address, ip->dst_address, lookup_sport,
826 lookup_dport, ip->protocol, rx_fib_index, tx_sw_if_index, &s,
827 node, next, thread_index, vlib_time_now (vm));
829 if (NAT_NEXT_DROP == next)
832 if (PREDICT_TRUE (!ip4_is_fragment (ip)))
834 ip_csum_t sum = ip_incremental_checksum_buffer (
835 vm, b, (u8 *) icmp - (u8 *) vlib_buffer_get_current (b),
836 ntohs (ip->length) - ip4_header_bytes (ip), 0);
837 checksum = ~ip_csum_fold (sum);
838 if (PREDICT_FALSE (checksum != 0 && checksum != 0xffff))
840 next = NAT_NEXT_DROP;
846 if (PREDICT_TRUE (next != NAT_NEXT_DROP && s))
849 nat44_session_update_counters (
850 s, now, vlib_buffer_length_in_chain (vm, b), thread_index);
851 /* Per-user LRU list maintenance */
852 nat44_session_update_lru (sm, s, thread_index);
858 static snat_session_t *
859 nat44_ed_in2out_slowpath_unknown_proto (snat_main_t *sm, vlib_buffer_t *b,
860 ip4_header_t *ip, u32 rx_fib_index,
861 u32 thread_index, f64 now,
863 vlib_node_runtime_t *node)
865 clib_bihash_kv_16_8_t s_kv, s_value;
866 snat_static_mapping_t *m = NULL;
867 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
868 snat_session_t *s = NULL;
869 u32 outside_fib_index = sm->outside_fib_index;
871 ip4_address_t new_src_addr = { 0 };
872 ip4_address_t new_dst_addr = ip->dst_address;
875 nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
877 b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED];
878 nat_ipfix_logging_max_sessions (thread_index,
879 sm->max_translations_per_thread);
880 nat_elog_notice (sm, "maximum sessions exceeded");
884 switch (vec_len (sm->outside_fibs))
887 outside_fib_index = sm->outside_fib_index;
890 outside_fib_index = sm->outside_fibs[0].fib_index;
893 outside_fib_index = nat_outside_fib_index_lookup (sm, ip->dst_address);
897 /* Try to find static mapping first */
898 m = nat44_ed_sm_i2o_lookup (sm, ip->src_address, 0, rx_fib_index,
902 new_src_addr = m->external_addr;
906 pool_foreach (s, tsm->sessions)
908 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
910 init_ed_k (&s_kv, s->out2in.addr.as_u32, 0,
911 ip->dst_address.as_u32, 0, outside_fib_index,
913 if (clib_bihash_search_16_8 (&sm->flow_hash, &s_kv, &s_value))
915 new_src_addr = s->out2in.addr;
921 if (!new_src_addr.as_u32)
923 for (i = 0; i < vec_len (sm->addresses); i++)
925 init_ed_k (&s_kv, sm->addresses[i].addr.as_u32, 0,
926 ip->dst_address.as_u32, 0, outside_fib_index,
928 if (clib_bihash_search_16_8 (&sm->flow_hash, &s_kv, &s_value))
930 new_src_addr = sm->addresses[i].addr;
936 if (!new_src_addr.as_u32)
938 // could not allocate address for translation ...
942 s = nat_ed_session_alloc (sm, thread_index, now, ip->protocol);
945 b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED];
946 nat_elog_warn (sm, "create NAT session failed");
950 nat_6t_i2o_flow_init (sm, thread_index, s, ip->src_address, 0,
951 ip->dst_address, 0, rx_fib_index, ip->protocol);
952 nat_6t_flow_saddr_rewrite_set (&s->i2o, new_src_addr.as_u32);
953 nat_6t_flow_txfib_rewrite_set (&s->i2o, outside_fib_index);
956 int is_hairpinning = nat44_ed_external_sm_lookup (
957 sm, ip->dst_address, 0, ip->protocol, &new_dst_addr, NULL);
958 s->flags |= is_hairpinning * SNAT_SESSION_FLAG_HAIRPINNING;
960 nat_6t_flow_daddr_rewrite_set (&s->i2o, new_dst_addr.as_u32);
961 nat_6t_flow_txfib_rewrite_set (&s->i2o, outside_fib_index);
963 nat_6t_o2i_flow_init (sm, thread_index, s, new_dst_addr, 0, new_src_addr, 0,
964 outside_fib_index, ip->protocol);
965 nat_6t_flow_saddr_rewrite_set (&s->o2i, ip->dst_address.as_u32);
966 nat_6t_flow_daddr_rewrite_set (&s->o2i, ip->src_address.as_u32);
967 nat_6t_flow_txfib_rewrite_set (&s->o2i, rx_fib_index);
969 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
970 s->out2in.addr.as_u32 = new_src_addr.as_u32;
971 s->out2in.fib_index = outside_fib_index;
972 s->in2out.addr.as_u32 = ip->src_address.as_u32;
973 s->in2out.fib_index = rx_fib_index;
974 s->in2out.port = s->out2in.port = ip->protocol;
976 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
978 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 1))
980 nat_elog_notice (sm, "in2out flow hash add failed");
981 nat_ed_session_delete (sm, s, thread_index, 1);
985 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 1))
987 nat_elog_notice (sm, "out2in flow hash add failed");
988 nat_ed_session_delete (sm, s, thread_index, 1);
992 per_vrf_sessions_register_session (s, thread_index);
995 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b),
997 /* Per-user LRU list maintenance */
998 nat44_session_update_lru (sm, s, thread_index);
1004 nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t *vm,
1005 vlib_node_runtime_t *node,
1006 vlib_frame_t *frame,
1007 int is_output_feature,
1008 int is_multi_worker)
1010 u32 n_left_from, *from;
1011 snat_main_t *sm = &snat_main;
1012 f64 now = vlib_time_now (vm);
1013 u32 thread_index = vm->thread_index;
1014 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1015 u32 def_slow = is_output_feature ? NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH
1016 : NAT_NEXT_IN2OUT_ED_SLOW_PATH;
1018 from = vlib_frame_vector_args (frame);
1019 n_left_from = frame->n_vectors;
1021 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
1022 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
1023 vlib_get_buffers (vm, from, b, n_left_from);
1025 while (n_left_from > 0)
1028 u32 rx_sw_if_index0, rx_fib_index0, iph_offset0 = 0;
1029 u32 tx_sw_if_index0;
1030 u32 cntr_sw_if_index0;
1031 ip_protocol_t proto0;
1033 snat_session_t *s0 = 0;
1034 clib_bihash_kv_16_8_t kv0, value0;
1035 nat_translation_error_e translation_error = NAT_ED_TRNSL_ERR_SUCCESS;
1036 nat_6t_flow_t *f = 0;
1038 int lookup_skipped = 0;
1043 /* Prefetch next iteration. */
1044 if (PREDICT_TRUE (n_left_from >= 2))
1050 vlib_prefetch_buffer_header (p2, LOAD);
1052 clib_prefetch_load (p2->data);
1055 if (is_output_feature)
1057 iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
1060 next[0] = vnet_buffer2 (b0)->nat.arc_next;
1063 (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + iph_offset0);
1065 rx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1066 tx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
1068 is_output_feature ? tx_sw_if_index0 : rx_sw_if_index0;
1069 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1071 lookup.fib_index = rx_fib_index0;
1073 if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
1075 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1076 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1077 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1079 next[0] = NAT_NEXT_ICMP_ERROR;
1083 proto0 = ip0->protocol;
1085 if (is_output_feature)
1088 (nat_not_translate_output_feature_fwd
1089 (sm, ip0, thread_index, now, vm, b0)))
1093 if (PREDICT_FALSE (proto0 == IP_PROTOCOL_ICMP))
1095 if (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
1096 ICMP4_echo_request &&
1097 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
1099 !icmp_type_is_error_message (
1100 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
1102 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
1103 next[0] = NAT_NEXT_DROP;
1106 int err = nat_get_icmp_session_lookup_values (
1107 b0, ip0, &lookup.saddr, &lookup.sport, &lookup.daddr,
1108 &lookup.dport, &lookup.proto);
1111 b0->error = node->errors[err];
1112 next[0] = NAT_NEXT_DROP;
1118 lookup.proto = ip0->protocol;
1119 lookup.saddr.as_u32 = ip0->src_address.as_u32;
1120 lookup.daddr.as_u32 = ip0->dst_address.as_u32;
1121 lookup.sport = vnet_buffer (b0)->ip.reass.l4_src_port;
1122 lookup.dport = vnet_buffer (b0)->ip.reass.l4_dst_port;
1125 /* there might be a stashed index in vnet_buffer2 from handoff or
1126 * classify node, see if it can be used */
1127 if (is_multi_worker &&
1128 !pool_is_free_index (tsm->sessions,
1129 vnet_buffer2 (b0)->nat.cached_session_index))
1131 s0 = pool_elt_at_index (tsm->sessions,
1132 vnet_buffer2 (b0)->nat.cached_session_index);
1134 nat_6t_t_eq (&s0->i2o.match, &lookup)
1135 // for some hairpinning cases there are two "i2i" flows instead
1136 // of i2o and o2i as both hosts are on inside
1137 || (s0->flags & SNAT_SESSION_FLAG_HAIRPINNING &&
1138 nat_6t_t_eq (&s0->o2i.match, &lookup))))
1140 /* yes, this is the droid we're looking for */
1147 init_ed_k (&kv0, lookup.saddr.as_u32, lookup.sport, lookup.daddr.as_u32,
1148 lookup.dport, lookup.fib_index, lookup.proto);
1151 if (clib_bihash_search_16_8 (&sm->flow_hash, &kv0, &value0))
1153 // flow does not exist go slow path
1158 ASSERT (thread_index == ed_value_get_thread_index (&value0));
1160 pool_elt_at_index (tsm->sessions,
1161 ed_value_get_session_index (&value0));
1165 ASSERT (thread_index == s0->thread_index);
1167 if (PREDICT_FALSE (per_vrf_sessions_is_expired (s0, thread_index)))
1169 // session is closed, go slow path
1170 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1171 nat_ed_session_delete (sm, s0, thread_index, 1);
1172 next[0] = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
1176 if (s0->tcp_closed_timestamp)
1178 if (now >= s0->tcp_closed_timestamp)
1180 // session is closed, go slow path, freed in slow path
1185 // session in transitory timeout, drop
1186 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TCP_CLOSED];
1187 next[0] = NAT_NEXT_DROP;
1192 // drop if session expired
1193 u64 sess_timeout_time;
1195 s0->last_heard + (f64) nat44_session_get_timeout (sm, s0);
1196 if (now >= sess_timeout_time)
1198 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1199 nat_ed_session_delete (sm, s0, thread_index, 1);
1200 // session is closed, go slow path
1205 b0->flags |= VNET_BUFFER_F_IS_NATED;
1207 if (nat_6t_t_eq (&s0->i2o.match, &lookup))
1211 else if (s0->flags & SNAT_SESSION_FLAG_HAIRPINNING &&
1212 nat_6t_t_eq (&s0->o2i.match, &lookup))
1218 translation_error = NAT_ED_TRNSL_ERR_FLOW_MISMATCH;
1219 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1220 nat_ed_session_delete (sm, s0, thread_index, 1);
1221 next[0] = NAT_NEXT_DROP;
1222 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
1226 if (NAT_ED_TRNSL_ERR_SUCCESS !=
1227 (translation_error = nat_6t_flow_buf_translate_i2o (
1228 vm, sm, b0, ip0, f, proto0, is_output_feature)))
1230 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1231 nat_ed_session_delete (sm, s0, thread_index, 1);
1232 next[0] = NAT_NEXT_DROP;
1233 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
1239 case IP_PROTOCOL_TCP:
1240 vlib_increment_simple_counter (&sm->counters.fastpath.in2out.tcp,
1241 thread_index, cntr_sw_if_index0, 1);
1242 nat44_set_tcp_session_state_i2o (sm, now, s0, b0, thread_index);
1244 case IP_PROTOCOL_UDP:
1245 vlib_increment_simple_counter (&sm->counters.fastpath.in2out.udp,
1246 thread_index, cntr_sw_if_index0, 1);
1248 case IP_PROTOCOL_ICMP:
1249 vlib_increment_simple_counter (&sm->counters.fastpath.in2out.icmp,
1250 thread_index, cntr_sw_if_index0, 1);
1253 vlib_increment_simple_counter (&sm->counters.fastpath.in2out.other,
1254 thread_index, cntr_sw_if_index0, 1);
1259 nat44_session_update_counters (s0, now,
1260 vlib_buffer_length_in_chain (vm, b0),
1262 /* Per-user LRU list maintenance */
1263 nat44_session_update_lru (sm, s0, thread_index);
1267 ((node->flags & VLIB_NODE_FLAG_TRACE)
1268 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1270 nat_in2out_ed_trace_t *t =
1271 vlib_add_trace (vm, node, b0, sizeof (*t));
1272 t->sw_if_index = rx_sw_if_index0;
1273 t->next_index = next[0];
1274 t->is_slow_path = 0;
1275 t->translation_error = translation_error;
1276 t->lookup_skipped = lookup_skipped;
1277 clib_memcpy (&t->search_key, &kv0, sizeof (t->search_key));
1281 t->session_index = s0 - tsm->sessions;
1282 clib_memcpy (&t->i2of, &s0->i2o, sizeof (t->i2of));
1283 clib_memcpy (&t->o2if, &s0->o2i, sizeof (t->o2if));
1284 t->translation_via_i2of = (&s0->i2o == f);
1288 t->session_index = ~0;
1292 if (next[0] == NAT_NEXT_DROP)
1294 vlib_increment_simple_counter (&sm->counters.fastpath.in2out.drops,
1295 thread_index, cntr_sw_if_index0, 1);
1302 vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
1304 return frame->n_vectors;
1308 nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t *vm,
1309 vlib_node_runtime_t *node,
1310 vlib_frame_t *frame,
1311 int is_output_feature,
1312 int is_multi_worker)
1314 u32 n_left_from, *from;
1315 snat_main_t *sm = &snat_main;
1316 f64 now = vlib_time_now (vm);
1317 u32 thread_index = vm->thread_index;
1318 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1320 from = vlib_frame_vector_args (frame);
1321 n_left_from = frame->n_vectors;
1323 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
1324 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
1325 vlib_get_buffers (vm, from, b, n_left_from);
1327 while (n_left_from > 0)
1330 u32 rx_sw_if_index0, rx_fib_index0, iph_offset0 = 0;
1331 u32 tx_sw_if_index0;
1332 u32 cntr_sw_if_index0;
1333 ip_protocol_t proto0;
1336 icmp46_header_t *icmp0;
1337 snat_session_t *s0 = 0;
1338 clib_bihash_kv_16_8_t kv0, value0;
1339 int translation_error = NAT_ED_TRNSL_ERR_SUCCESS;
1343 if (is_output_feature)
1344 iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
1346 next[0] = vnet_buffer2 (b0)->nat.arc_next;
1348 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1351 rx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1352 tx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
1354 is_output_feature ? tx_sw_if_index0 : rx_sw_if_index0;
1355 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1358 if (PREDICT_FALSE (!is_output_feature && ip0->ttl == 1))
1360 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1361 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1362 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1364 next[0] = NAT_NEXT_ICMP_ERROR;
1368 udp0 = ip4_next_header (ip0);
1369 icmp0 = (icmp46_header_t *) udp0;
1370 proto0 = ip0->protocol;
1372 if (PREDICT_FALSE (nat44_ed_is_unk_proto (proto0)))
1374 s0 = nat44_ed_in2out_slowpath_unknown_proto (
1375 sm, b0, ip0, rx_fib_index0, thread_index, now, vm, node);
1377 next[0] = NAT_NEXT_DROP;
1379 if (NAT_NEXT_DROP != next[0] && s0 &&
1380 NAT_ED_TRNSL_ERR_SUCCESS !=
1381 (translation_error = nat_6t_flow_buf_translate_i2o (
1382 vm, sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
1384 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1385 nat_ed_session_delete (sm, s0, thread_index, 1);
1386 next[0] = NAT_NEXT_DROP;
1387 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
1391 vlib_increment_simple_counter (&sm->counters.slowpath.in2out.other,
1392 thread_index, cntr_sw_if_index0, 1);
1396 if (PREDICT_FALSE (proto0 == IP_PROTOCOL_ICMP))
1398 next[0] = icmp_in2out_ed_slow_path (
1399 sm, b0, ip0, icmp0, rx_sw_if_index0, tx_sw_if_index0,
1400 rx_fib_index0, node, next[0], now, thread_index, &s0,
1402 if (NAT_NEXT_DROP != next[0] && s0 &&
1403 NAT_ED_TRNSL_ERR_SUCCESS !=
1404 (translation_error = nat_6t_flow_buf_translate_i2o (
1405 vm, sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
1407 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1408 nat_ed_session_delete (sm, s0, thread_index, 1);
1409 next[0] = NAT_NEXT_DROP;
1410 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
1414 vlib_increment_simple_counter (&sm->counters.slowpath.in2out.icmp,
1415 thread_index, cntr_sw_if_index0, 1);
1420 &kv0, ip0->src_address.as_u32, vnet_buffer (b0)->ip.reass.l4_src_port,
1421 ip0->dst_address.as_u32, vnet_buffer (b0)->ip.reass.l4_dst_port,
1422 rx_fib_index0, ip0->protocol);
1423 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv0, &value0))
1425 ASSERT (thread_index == ed_value_get_thread_index (&value0));
1427 pool_elt_at_index (tsm->sessions,
1428 ed_value_get_session_index (&value0));
1430 if (s0->tcp_closed_timestamp && now >= s0->tcp_closed_timestamp)
1432 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1433 nat_ed_session_delete (sm, s0, thread_index, 1);
1440 if (is_output_feature)
1442 if (PREDICT_FALSE (nat44_ed_not_translate_output_feature (
1443 sm, b0, ip0, vnet_buffer (b0)->ip.reass.l4_src_port,
1444 vnet_buffer (b0)->ip.reass.l4_dst_port, thread_index,
1445 rx_sw_if_index0, tx_sw_if_index0, now, is_multi_worker)))
1449 * Send DHCP packets to the ipv4 stack, or we won't
1450 * be able to use dhcp client on the outside interface
1453 proto0 == IP_PROTOCOL_UDP &&
1454 (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1455 clib_host_to_net_u16 (UDP_DST_PORT_dhcp_to_server)) &&
1456 ip0->dst_address.as_u32 == 0xffffffff))
1462 nat44_ed_not_translate (vm, sm, node, rx_sw_if_index0, b0,
1463 ip0, proto0, rx_fib_index0)))
1468 slow_path_ed (vm, sm, b0, ip0->src_address, ip0->dst_address,
1469 vnet_buffer (b0)->ip.reass.l4_src_port,
1470 vnet_buffer (b0)->ip.reass.l4_dst_port,
1471 ip0->protocol, rx_fib_index0, tx_sw_if_index0, &s0,
1472 node, next[0], thread_index, now);
1474 if (PREDICT_FALSE (next[0] == NAT_NEXT_DROP))
1477 if (PREDICT_FALSE (!s0))
1482 b0->flags |= VNET_BUFFER_F_IS_NATED;
1484 if (NAT_ED_TRNSL_ERR_SUCCESS !=
1485 (translation_error = nat_6t_flow_buf_translate_i2o (
1486 vm, sm, b0, ip0, &s0->i2o, proto0, is_output_feature)))
1488 nat44_ed_free_session_data (sm, s0, thread_index, 0);
1489 nat_ed_session_delete (sm, s0, thread_index, 1);
1490 next[0] = NAT_NEXT_DROP;
1491 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TRNSL_FAILED];
1495 if (PREDICT_TRUE (proto0 == IP_PROTOCOL_TCP))
1497 vlib_increment_simple_counter (&sm->counters.slowpath.in2out.tcp,
1498 thread_index, cntr_sw_if_index0, 1);
1499 nat44_set_tcp_session_state_i2o (sm, now, s0, b0, thread_index);
1503 vlib_increment_simple_counter (&sm->counters.slowpath.in2out.udp,
1504 thread_index, cntr_sw_if_index0, 1);
1508 nat44_session_update_counters (s0, now,
1509 vlib_buffer_length_in_chain
1510 (vm, b0), thread_index);
1511 /* Per-user LRU list maintenance */
1512 nat44_session_update_lru (sm, s0, thread_index);
1515 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1516 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1518 nat_in2out_ed_trace_t *t =
1519 vlib_add_trace (vm, node, b0, sizeof (*t));
1520 t->sw_if_index = rx_sw_if_index0;
1521 t->next_index = next[0];
1522 t->is_slow_path = 1;
1523 t->translation_error = translation_error;
1524 clib_memcpy (&t->search_key, &kv0, sizeof (t->search_key));
1528 t->session_index = s0 - tsm->sessions;
1529 clib_memcpy (&t->i2of, &s0->i2o, sizeof (t->i2of));
1530 clib_memcpy (&t->o2if, &s0->o2i, sizeof (t->o2if));
1531 t->translation_via_i2of = 1;
1536 t->session_index = ~0;
1540 if (next[0] == NAT_NEXT_DROP)
1542 vlib_increment_simple_counter (&sm->counters.slowpath.in2out.drops,
1543 thread_index, cntr_sw_if_index0, 1);
1551 vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
1554 return frame->n_vectors;
1557 VLIB_NODE_FN (nat44_ed_in2out_node) (vlib_main_t * vm,
1558 vlib_node_runtime_t * node,
1559 vlib_frame_t * frame)
1561 if (snat_main.num_workers > 1)
1563 return nat44_ed_in2out_fast_path_node_fn_inline (vm, node, frame, 0, 1);
1567 return nat44_ed_in2out_fast_path_node_fn_inline (vm, node, frame, 0, 0);
1571 VLIB_REGISTER_NODE (nat44_ed_in2out_node) = {
1572 .name = "nat44-ed-in2out",
1573 .vector_size = sizeof (u32),
1574 .sibling_of = "nat-default",
1575 .format_trace = format_nat_in2out_ed_trace,
1576 .type = VLIB_NODE_TYPE_INTERNAL,
1577 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1578 .error_strings = nat_in2out_ed_error_strings,
1579 .runtime_data_bytes = sizeof (snat_runtime_t),
1582 VLIB_NODE_FN (nat44_ed_in2out_output_node) (vlib_main_t * vm,
1583 vlib_node_runtime_t * node,
1584 vlib_frame_t * frame)
1586 if (snat_main.num_workers > 1)
1588 return nat44_ed_in2out_fast_path_node_fn_inline (vm, node, frame, 1, 1);
1592 return nat44_ed_in2out_fast_path_node_fn_inline (vm, node, frame, 1, 0);
1596 VLIB_REGISTER_NODE (nat44_ed_in2out_output_node) = {
1597 .name = "nat44-ed-in2out-output",
1598 .vector_size = sizeof (u32),
1599 .sibling_of = "nat-default",
1600 .format_trace = format_nat_in2out_ed_trace,
1601 .type = VLIB_NODE_TYPE_INTERNAL,
1602 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1603 .error_strings = nat_in2out_ed_error_strings,
1604 .runtime_data_bytes = sizeof (snat_runtime_t),
1607 VLIB_NODE_FN (nat44_ed_in2out_slowpath_node) (vlib_main_t * vm,
1608 vlib_node_runtime_t *
1609 node, vlib_frame_t * frame)
1611 if (snat_main.num_workers > 1)
1613 return nat44_ed_in2out_slow_path_node_fn_inline (vm, node, frame, 0, 1);
1617 return nat44_ed_in2out_slow_path_node_fn_inline (vm, node, frame, 0, 0);
1621 VLIB_REGISTER_NODE (nat44_ed_in2out_slowpath_node) = {
1622 .name = "nat44-ed-in2out-slowpath",
1623 .vector_size = sizeof (u32),
1624 .sibling_of = "nat-default",
1625 .format_trace = format_nat_in2out_ed_trace,
1626 .type = VLIB_NODE_TYPE_INTERNAL,
1627 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1628 .error_strings = nat_in2out_ed_error_strings,
1629 .runtime_data_bytes = sizeof (snat_runtime_t),
1632 VLIB_NODE_FN (nat44_ed_in2out_output_slowpath_node) (vlib_main_t * vm,
1635 vlib_frame_t * frame)
1637 if (snat_main.num_workers > 1)
1639 return nat44_ed_in2out_slow_path_node_fn_inline (vm, node, frame, 1, 1);
1643 return nat44_ed_in2out_slow_path_node_fn_inline (vm, node, frame, 1, 0);
1647 VLIB_REGISTER_NODE (nat44_ed_in2out_output_slowpath_node) = {
1648 .name = "nat44-ed-in2out-output-slowpath",
1649 .vector_size = sizeof (u32),
1650 .sibling_of = "nat-default",
1651 .format_trace = format_nat_in2out_ed_trace,
1652 .type = VLIB_NODE_TYPE_INTERNAL,
1653 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1654 .error_strings = nat_in2out_ed_error_strings,
1655 .runtime_data_bytes = sizeof (snat_runtime_t),
1659 format_nat_pre_trace (u8 * s, va_list * args)
1661 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1662 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1663 nat_pre_trace_t *t = va_arg (*args, nat_pre_trace_t *);
1664 return format (s, "in2out next_index %d arc_next_index %d", t->next_index,
1668 VLIB_NODE_FN (nat_pre_in2out_node)
1669 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
1671 return nat_pre_node_fn_inline (vm, node, frame,
1672 NAT_NEXT_IN2OUT_ED_FAST_PATH);
1675 VLIB_NODE_FN (nat_pre_in2out_output_node)
1676 (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
1678 return nat_pre_node_fn_inline (vm, node, frame,
1679 NAT_NEXT_IN2OUT_ED_OUTPUT_FAST_PATH);
1682 VLIB_REGISTER_NODE (nat_pre_in2out_node) = {
1683 .name = "nat-pre-in2out",
1684 .vector_size = sizeof (u32),
1685 .sibling_of = "nat-default",
1686 .format_trace = format_nat_pre_trace,
1687 .type = VLIB_NODE_TYPE_INTERNAL,
1691 VLIB_REGISTER_NODE (nat_pre_in2out_output_node) = {
1692 .name = "nat-pre-in2out-output",
1693 .vector_size = sizeof (u32),
1694 .sibling_of = "nat-default",
1695 .format_trace = format_nat_pre_trace,
1696 .type = VLIB_NODE_TYPE_INTERNAL,
1701 * fd.io coding-style-patch-verification: ON
1704 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob