2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 inside to outside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp_local.h>
28 #include <nat/lib/ipfix_logging.h>
29 #include <nat/nat_inlines.h>
30 #include <nat/lib/nat_syslog.h>
31 #include <nat/nat44-ei/nat44_ei_inlines.h>
32 #include <nat/nat44-ei/nat44_ei.h>
34 #include <vppinfra/hash.h>
35 #include <vppinfra/error.h>
36 #include <vppinfra/elog.h>
37 #include <nat/lib/nat_inlines.h>
46 } snat_in2out_trace_t;
48 /* packet trace format function */
50 format_snat_in2out_trace (u8 * s, va_list * args)
52 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
53 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
54 snat_in2out_trace_t *t = va_arg (*args, snat_in2out_trace_t *);
57 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
59 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
60 t->sw_if_index, t->next_index, t->session_index);
61 if (t->is_hairpinning)
63 s = format (s, ", with-hairpinning");
70 format_snat_in2out_fast_trace (u8 * s, va_list * args)
72 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
73 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
74 snat_in2out_trace_t *t = va_arg (*args, snat_in2out_trace_t *);
76 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
77 t->sw_if_index, t->next_index);
82 #define foreach_snat_in2out_error \
83 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
84 _(OUT_OF_PORTS, "out of ports") \
85 _(BAD_OUTSIDE_FIB, "outside VRF ID not found") \
86 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
87 _(NO_TRANSLATION, "no translation") \
88 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
89 _(CANNOT_CREATE_USER, "cannot create NAT user")
93 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
94 foreach_snat_in2out_error
97 } snat_in2out_error_t;
99 static char *snat_in2out_error_strings[] = {
100 #define _(sym,string) string,
101 foreach_snat_in2out_error
107 SNAT_IN2OUT_NEXT_LOOKUP,
108 SNAT_IN2OUT_NEXT_DROP,
109 SNAT_IN2OUT_NEXT_ICMP_ERROR,
110 SNAT_IN2OUT_NEXT_SLOW_PATH,
112 } snat_in2out_next_t;
115 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
116 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
117 u32 rx_fib_index0, u32 thread_index)
119 udp_header_t *udp0 = ip4_next_header (ip0);
120 clib_bihash_kv_8_8_t kv0, value0;
122 init_nat_k (&kv0, ip0->dst_address, udp0->dst_port, sm->outside_fib_index,
125 /* NAT packet aimed at external address if */
126 /* has active sessions */
127 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
129 /* or is static mappings */
130 ip4_address_t placeholder_addr;
131 u16 placeholder_port;
132 u32 placeholder_fib_index;
133 if (!nat44_ei_static_mapping_match (ip0->dst_address, udp0->dst_port,
134 sm->outside_fib_index, proto0,
135 &placeholder_addr, &placeholder_port,
136 &placeholder_fib_index, 1, 0, 0))
142 if (sm->forwarding_enabled)
145 return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
150 nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0,
151 u32 proto0, u16 src_port, u16 dst_port,
152 u32 thread_index, u32 sw_if_index)
154 clib_bihash_kv_8_8_t kv0, value0;
158 init_nat_k (&kv0, ip0->src_address, src_port,
159 ip4_fib_table_get_index_for_sw_if_index (sw_if_index), proto0);
161 if (!clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
165 init_nat_k (&kv0, ip0->dst_address, dst_port,
166 ip4_fib_table_get_index_for_sw_if_index (sw_if_index), proto0);
167 if (!clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
171 pool_foreach (i, sm->output_feature_interfaces)
173 if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index))
183 #ifndef CLIB_MARCH_VARIANT
185 nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
187 snat_main_t *sm = &snat_main;
188 nat44_is_idle_session_ctx_t *ctx = arg;
190 u64 sess_timeout_time;
191 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
193 clib_bihash_kv_8_8_t s_kv;
195 s = pool_elt_at_index (tsm->sessions, kv->value);
196 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
197 if (ctx->now >= sess_timeout_time)
199 init_nat_o2i_k (&s_kv, s);
200 if (clib_bihash_add_del_8_8 (&sm->out2in, &s_kv, 0))
201 nat_elog_warn ("out2in key del failed");
203 nat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
204 s->in2out.addr.as_u32,
205 s->out2in.addr.as_u32,
209 s->in2out.fib_index);
211 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
212 &s->in2out.addr, s->in2out.port,
213 &s->out2in.addr, s->out2in.port, s->nat_proto);
215 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
216 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
219 if (!snat_is_session_static (s))
220 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
222 s->out2in.port, s->nat_proto);
224 nat44_delete_session (sm, s, ctx->thread_index);
233 slow_path (snat_main_t * sm, vlib_buffer_t * b0,
235 ip4_address_t i2o_addr,
238 nat_protocol_t nat_proto,
239 snat_session_t ** sessionp,
240 vlib_node_runtime_t * node, u32 next0, u32 thread_index, f64 now)
243 snat_session_t *s = 0;
244 clib_bihash_kv_8_8_t kv0;
246 nat_outside_fib_t *outside_fib;
247 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
250 .fp_proto = FIB_PROTOCOL_IP4,
253 .ip4.as_u32 = ip0->dst_address.as_u32,
256 nat44_is_idle_session_ctx_t ctx0;
257 ip4_address_t sm_addr;
261 if (PREDICT_FALSE (nat44_ei_maximum_sessions_exceeded (sm, thread_index)))
263 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
264 nat_ipfix_logging_max_sessions (thread_index,
265 sm->max_translations_per_thread);
266 nat_elog_notice ("maximum sessions exceeded");
267 return SNAT_IN2OUT_NEXT_DROP;
270 /* First try to match static mapping by local address and port */
271 if (nat44_ei_static_mapping_match (i2o_addr, i2o_port, rx_fib_index0,
272 nat_proto, &sm_addr, &sm_port,
273 &sm_fib_index, 0, 0, &identity_nat))
275 /* Try to create dynamic translation */
276 if (sm->alloc_addr_and_port (
277 sm->addresses, rx_fib_index0, thread_index, nat_proto, &sm_addr,
278 &sm_port, sm->port_per_thread,
279 sm->per_thread_data[thread_index].snat_thread_index))
281 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
282 return SNAT_IN2OUT_NEXT_DROP;
287 if (PREDICT_FALSE (identity_nat))
296 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
300 b0->error = node->errors[SNAT_IN2OUT_ERROR_CANNOT_CREATE_USER];
301 return SNAT_IN2OUT_NEXT_DROP;
304 s = nat_session_alloc_or_recycle (sm, u, thread_index, now);
307 nat44_delete_user_with_no_session (sm, u, thread_index);
308 nat_elog_warn ("create NAT session failed");
309 return SNAT_IN2OUT_NEXT_DROP;
313 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
314 user_session_increment (sm, u, is_sm);
315 s->in2out.addr = i2o_addr;
316 s->in2out.port = i2o_port;
317 s->in2out.fib_index = rx_fib_index0;
318 s->nat_proto = nat_proto;
319 s->out2in.addr = sm_addr;
320 s->out2in.port = sm_port;
321 s->out2in.fib_index = sm->outside_fib_index;
322 switch (vec_len (sm->outside_fibs))
325 s->out2in.fib_index = sm->outside_fib_index;
328 s->out2in.fib_index = sm->outside_fibs[0].fib_index;
332 vec_foreach (outside_fib, sm->outside_fibs)
334 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
335 if (FIB_NODE_INDEX_INVALID != fei)
337 if (fib_entry_get_resolving_interface (fei) != ~0)
339 s->out2in.fib_index = outside_fib->fib_index;
347 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
348 s->ext_host_port = vnet_buffer (b0)->ip.reass.l4_dst_port;
351 /* Add to translation hashes */
353 ctx0.thread_index = thread_index;
354 init_nat_i2o_kv (&kv0, s, thread_index,
355 s - sm->per_thread_data[thread_index].sessions);
356 if (clib_bihash_add_or_overwrite_stale_8_8 (
357 &sm->in2out, &kv0, nat44_i2o_is_idle_session_cb, &ctx0))
358 nat_elog_notice ("in2out key add failed");
360 init_nat_o2i_kv (&kv0, s, thread_index,
361 s - sm->per_thread_data[thread_index].sessions);
362 if (clib_bihash_add_or_overwrite_stale_8_8 (
363 &sm->out2in, &kv0, nat44_o2i_is_idle_session_cb, &ctx0))
364 nat_elog_notice ("out2in key add failed");
367 nat_ipfix_logging_nat44_ses_create (thread_index,
368 s->in2out.addr.as_u32,
369 s->out2in.addr.as_u32,
372 s->out2in.port, s->in2out.fib_index);
374 nat_syslog_nat44_apmadd (s->user_index, s->in2out.fib_index,
375 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
376 s->out2in.port, s->nat_proto);
378 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
379 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
380 &s->ext_host_nat_addr, s->ext_host_nat_port,
381 s->nat_proto, s->in2out.fib_index, s->flags, thread_index, 0);
386 #ifndef CLIB_MARCH_VARIANT
387 static_always_inline snat_in2out_error_t
388 icmp_get_key (vlib_buffer_t * b, ip4_header_t * ip0,
389 ip4_address_t * addr, u16 * port, nat_protocol_t * nat_proto)
391 icmp46_header_t *icmp0;
392 icmp_echo_header_t *echo0, *inner_echo0 = 0;
393 ip4_header_t *inner_ip0 = 0;
395 icmp46_header_t *inner_icmp0;
397 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
398 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
400 if (!icmp_type_is_error_message
401 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
403 *nat_proto = NAT_PROTOCOL_ICMP;
404 *addr = ip0->src_address;
405 *port = vnet_buffer (b)->ip.reass.l4_src_port;
409 inner_ip0 = (ip4_header_t *) (echo0 + 1);
410 l4_header = ip4_next_header (inner_ip0);
411 *nat_proto = ip_proto_to_nat_proto (inner_ip0->protocol);
412 *addr = inner_ip0->dst_address;
415 case NAT_PROTOCOL_ICMP:
416 inner_icmp0 = (icmp46_header_t *) l4_header;
417 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
418 *port = inner_echo0->identifier;
420 case NAT_PROTOCOL_UDP:
421 case NAT_PROTOCOL_TCP:
422 *port = ((tcp_udp_header_t *) l4_header)->dst_port;
425 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
428 return -1; /* success */
432 * Get address and port values to be used for ICMP packet translation
433 * and create session if needed
435 * @param[in,out] sm NAT main
436 * @param[in,out] node NAT node runtime
437 * @param[in] thread_index thread index
438 * @param[in,out] b0 buffer containing packet to be translated
439 * @param[in,out] ip0 ip header
440 * @param[out] p_proto protocol used for matching
441 * @param[out] p_value address and port after NAT translation
442 * @param[out] p_dont_translate if packet should not be translated
443 * @param d optional parameter
444 * @param e optional parameter
447 icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node,
448 u32 thread_index, vlib_buffer_t * b0,
449 ip4_header_t * ip0, ip4_address_t * addr, u16 * port,
450 u32 * fib_index, nat_protocol_t * proto, void *d,
451 void *e, u8 * dont_translate)
453 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
455 snat_session_t *s0 = 0;
456 clib_bihash_kv_8_8_t kv0, value0;
459 vlib_main_t *vm = vlib_get_main ();
462 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
463 *fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
465 err = icmp_get_key (b0, ip0, addr, port, proto);
468 b0->error = node->errors[err];
469 next0 = SNAT_IN2OUT_NEXT_DROP;
473 init_nat_k (&kv0, *addr, *port, *fib_index, *proto);
474 if (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
476 if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0)
479 (nat_not_translate_output_feature
480 (sm, ip0, *proto, *port, *port, thread_index, sw_if_index0)))
488 if (PREDICT_FALSE (snat_not_translate (sm, node, sw_if_index0,
489 ip0, NAT_PROTOCOL_ICMP,
490 *fib_index, thread_index)))
498 (icmp_type_is_error_message
499 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags)))
501 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
502 next0 = SNAT_IN2OUT_NEXT_DROP;
507 slow_path (sm, b0, ip0, *addr, *port, *fib_index, *proto, &s0, node,
508 next0, thread_index, vlib_time_now (vm));
510 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
522 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
524 && vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
526 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
527 reass.icmp_type_or_tcp_flags)))
529 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
530 next0 = SNAT_IN2OUT_NEXT_DROP;
534 s0 = pool_elt_at_index (tsm->sessions,
535 nat_value_get_session_index (&value0));
541 *addr = s0->out2in.addr;
542 *port = s0->out2in.port;
543 *fib_index = s0->out2in.fib_index;
546 *(snat_session_t **) (d) = s0;
551 #ifndef CLIB_MARCH_VARIANT
553 * Get address and port values to be used for ICMP packet translation
555 * @param[in] sm NAT main
556 * @param[in,out] node NAT node runtime
557 * @param[in] thread_index thread index
558 * @param[in,out] b0 buffer containing packet to be translated
559 * @param[in,out] ip0 ip header
560 * @param[out] p_proto protocol used for matching
561 * @param[out] p_value address and port after NAT translation
562 * @param[out] p_dont_translate if packet should not be translated
563 * @param d optional parameter
564 * @param e optional parameter
567 icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
568 u32 thread_index, vlib_buffer_t * b0,
569 ip4_header_t * ip0, ip4_address_t * addr, u16 * port,
570 u32 * fib_index, nat_protocol_t * proto, void *d,
571 void *e, u8 * dont_translate)
579 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
580 *fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
582 err = icmp_get_key (b0, ip0, addr, port, proto);
585 b0->error = node->errors[err];
586 next0 = SNAT_IN2OUT_NEXT_DROP;
590 ip4_address_t sm_addr;
594 if (nat44_ei_static_mapping_match (*addr, *port, *fib_index, *proto,
595 &sm_addr, &sm_port, &sm_fib_index, 0,
598 if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0,
606 if (icmp_type_is_error_message
607 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
609 next0 = SNAT_IN2OUT_NEXT_DROP;
613 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
614 next0 = SNAT_IN2OUT_NEXT_DROP;
619 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_request
620 && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
621 ICMP4_echo_reply || !is_addr_only)
622 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
623 reass.icmp_type_or_tcp_flags)))
625 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
626 next0 = SNAT_IN2OUT_NEXT_DROP;
635 #ifndef CLIB_MARCH_VARIANT
637 icmp_in2out (snat_main_t * sm,
640 icmp46_header_t * icmp0,
643 vlib_node_runtime_t * node,
644 u32 next0, u32 thread_index, void *d, void *e)
646 vlib_main_t *vm = vlib_get_main ();
650 nat_protocol_t protocol;
651 icmp_echo_header_t *echo0, *inner_echo0 = 0;
652 ip4_header_t *inner_ip0;
654 icmp46_header_t *inner_icmp0;
656 u32 new_addr0, old_addr0;
657 u16 old_id0, new_id0;
658 u16 old_checksum0, new_checksum0;
663 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
666 sm->icmp_match_in2out_cb (sm, node, thread_index, b0, ip0, &addr, &port,
667 &fib_index, &protocol, d, e, &dont_translate);
670 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
673 if (PREDICT_TRUE (!ip4_is_fragment (ip0)))
676 ip_incremental_checksum_buffer (vm, b0,
678 (u8 *) vlib_buffer_get_current (b0),
679 ntohs (ip0->length) -
680 ip4_header_bytes (ip0), 0);
681 checksum0 = ~ip_csum_fold (sum0);
682 if (PREDICT_FALSE (checksum0 != 0 && checksum0 != 0xffff))
684 next0 = SNAT_IN2OUT_NEXT_DROP;
689 old_addr0 = ip0->src_address.as_u32;
690 new_addr0 = ip0->src_address.as_u32 = addr.as_u32;
692 sum0 = ip0->checksum;
693 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
694 src_address /* changed member */ );
695 ip0->checksum = ip_csum_fold (sum0);
697 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
699 if (icmp0->checksum == 0)
700 icmp0->checksum = 0xffff;
702 if (!icmp_type_is_error_message (icmp0->type))
705 if (PREDICT_FALSE (new_id0 != echo0->identifier))
707 old_id0 = echo0->identifier;
709 echo0->identifier = new_id0;
711 sum0 = icmp0->checksum;
713 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
715 icmp0->checksum = ip_csum_fold (sum0);
720 inner_ip0 = (ip4_header_t *) (echo0 + 1);
721 l4_header = ip4_next_header (inner_ip0);
723 if (!ip4_header_checksum_is_valid (inner_ip0))
725 next0 = SNAT_IN2OUT_NEXT_DROP;
729 /* update inner destination IP address */
730 old_addr0 = inner_ip0->dst_address.as_u32;
731 inner_ip0->dst_address = addr;
732 new_addr0 = inner_ip0->dst_address.as_u32;
733 sum0 = icmp0->checksum;
734 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
735 dst_address /* changed member */ );
736 icmp0->checksum = ip_csum_fold (sum0);
738 /* update inner IP header checksum */
739 old_checksum0 = inner_ip0->checksum;
740 sum0 = inner_ip0->checksum;
741 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
742 dst_address /* changed member */ );
743 inner_ip0->checksum = ip_csum_fold (sum0);
744 new_checksum0 = inner_ip0->checksum;
745 sum0 = icmp0->checksum;
747 ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t,
749 icmp0->checksum = ip_csum_fold (sum0);
753 case NAT_PROTOCOL_ICMP:
754 inner_icmp0 = (icmp46_header_t *) l4_header;
755 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
757 old_id0 = inner_echo0->identifier;
759 inner_echo0->identifier = new_id0;
761 sum0 = icmp0->checksum;
763 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
765 icmp0->checksum = ip_csum_fold (sum0);
767 case NAT_PROTOCOL_UDP:
768 case NAT_PROTOCOL_TCP:
769 old_id0 = ((tcp_udp_header_t *) l4_header)->dst_port;
771 ((tcp_udp_header_t *) l4_header)->dst_port = new_id0;
773 sum0 = icmp0->checksum;
774 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
776 icmp0->checksum = ip_csum_fold (sum0);
784 if (vnet_buffer (b0)->sw_if_index[VLIB_TX] == ~0)
786 if (0 != snat_icmp_hairpinning (sm, b0, ip0, icmp0))
787 vnet_buffer (b0)->sw_if_index[VLIB_TX] = fib_index;
796 icmp_in2out_slow_path (snat_main_t * sm,
799 icmp46_header_t * icmp0,
802 vlib_node_runtime_t * node,
804 f64 now, u32 thread_index, snat_session_t ** p_s0)
806 vlib_main_t *vm = vlib_get_main ();
808 next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
809 next0, thread_index, p_s0, 0);
810 snat_session_t *s0 = *p_s0;
811 if (PREDICT_TRUE (next0 != SNAT_IN2OUT_NEXT_DROP && s0))
814 nat44_ei_session_update_counters (
815 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
816 /* Per-user LRU list maintenance */
817 nat44_session_update_lru (sm, s0, thread_index);
823 nat_in2out_sm_unknown_proto (snat_main_t * sm,
825 ip4_header_t * ip, u32 rx_fib_index)
827 clib_bihash_kv_8_8_t kv, value;
828 snat_static_mapping_t *m;
829 u32 old_addr, new_addr;
832 init_nat_k (&kv, ip->src_address, 0, rx_fib_index, 0);
833 if (clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
836 m = pool_elt_at_index (sm->static_mappings, value.value);
838 old_addr = ip->src_address.as_u32;
839 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
841 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
842 ip->checksum = ip_csum_fold (sum);
846 if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0)
848 vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index;
849 nat_hairpinning_sm_unknown_proto (sm, b, ip);
856 snat_in2out_node_fn_inline (vlib_main_t * vm,
857 vlib_node_runtime_t * node,
858 vlib_frame_t * frame, int is_slow_path,
859 int is_output_feature)
861 u32 n_left_from, *from;
862 snat_main_t *sm = &snat_main;
863 f64 now = vlib_time_now (vm);
864 u32 thread_index = vm->thread_index;
866 from = vlib_frame_vector_args (frame);
867 n_left_from = frame->n_vectors;
869 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
870 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
871 vlib_get_buffers (vm, from, b, n_left_from);
873 while (n_left_from >= 2)
875 vlib_buffer_t *b0, *b1;
877 u32 sw_if_index0, sw_if_index1;
878 ip4_header_t *ip0, *ip1;
879 ip_csum_t sum0, sum1;
880 u32 new_addr0, old_addr0, new_addr1, old_addr1;
881 u16 old_port0, new_port0, old_port1, new_port1;
882 udp_header_t *udp0, *udp1;
883 tcp_header_t *tcp0, *tcp1;
884 icmp46_header_t *icmp0, *icmp1;
885 u32 rx_fib_index0, rx_fib_index1;
887 snat_session_t *s0 = 0, *s1 = 0;
888 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
889 u32 iph_offset0 = 0, iph_offset1 = 0;
896 /* Prefetch next iteration. */
897 if (PREDICT_TRUE (n_left_from >= 4))
899 vlib_buffer_t *p2, *p3;
904 vlib_prefetch_buffer_header (p2, LOAD);
905 vlib_prefetch_buffer_header (p3, LOAD);
907 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, LOAD);
908 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, LOAD);
911 if (is_output_feature)
912 iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
914 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
917 udp0 = ip4_next_header (ip0);
918 tcp0 = (tcp_header_t *) udp0;
919 icmp0 = (icmp46_header_t *) udp0;
921 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
922 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
925 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
927 if (PREDICT_FALSE (ip0->ttl == 1))
929 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
930 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
931 ICMP4_time_exceeded_ttl_exceeded_in_transit,
933 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
937 proto0 = ip_proto_to_nat_proto (ip0->protocol);
939 /* Next configured feature, probably ip4-lookup */
942 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
944 if (nat_in2out_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
946 next0 = SNAT_IN2OUT_NEXT_DROP;
948 node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
950 vlib_increment_simple_counter (is_slow_path ? &sm->
951 counters.slowpath.in2out.
952 other : &sm->counters.fastpath.
953 in2out.other, thread_index,
958 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
960 next0 = icmp_in2out_slow_path
961 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
962 node, next0, now, thread_index, &s0);
963 vlib_increment_simple_counter (is_slow_path ? &sm->
964 counters.slowpath.in2out.
965 icmp : &sm->counters.fastpath.
966 in2out.icmp, thread_index,
973 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
975 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
979 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
981 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
986 init_nat_k (&kv0, ip0->src_address,
987 vnet_buffer (b0)->ip.reass.l4_src_port, rx_fib_index0,
989 if (PREDICT_FALSE (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0) !=
994 if (is_output_feature)
997 (nat_not_translate_output_feature
999 vnet_buffer (b0)->ip.reass.l4_src_port,
1000 vnet_buffer (b0)->ip.reass.l4_dst_port,
1001 thread_index, sw_if_index0)))
1005 * Send DHCP packets to the ipv4 stack, or we won't
1006 * be able to use dhcp client on the outside interface
1009 (proto0 == NAT_PROTOCOL_UDP
1010 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1011 clib_host_to_net_u16
1012 (UDP_DST_PORT_dhcp_to_server))
1013 && ip0->dst_address.as_u32 == 0xffffffff))
1020 (sm, node, sw_if_index0, ip0, proto0,
1021 rx_fib_index0, thread_index)))
1025 next0 = slow_path (sm, b0, ip0,
1027 vnet_buffer (b0)->ip.reass.l4_src_port,
1029 proto0, &s0, node, next0, thread_index, now);
1030 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1033 if (PREDICT_FALSE (!s0))
1038 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1043 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1044 nat_value_get_session_index (&value0));
1046 b0->flags |= VNET_BUFFER_F_IS_NATED;
1048 old_addr0 = ip0->src_address.as_u32;
1049 ip0->src_address = s0->out2in.addr;
1050 new_addr0 = ip0->src_address.as_u32;
1051 if (!is_output_feature)
1052 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1054 sum0 = ip0->checksum;
1055 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1056 ip4_header_t, src_address /* changed member */ );
1057 ip0->checksum = ip_csum_fold (sum0);
1060 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1062 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1064 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1065 new_port0 = udp0->src_port = s0->out2in.port;
1066 sum0 = tcp0->checksum;
1067 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1069 dst_address /* changed member */ );
1070 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1071 ip4_header_t /* cheat */ ,
1072 length /* changed member */ );
1073 mss_clamping (sm->mss_clamping, tcp0, &sum0);
1074 tcp0->checksum = ip_csum_fold (sum0);
1076 vlib_increment_simple_counter (is_slow_path ? &sm->
1077 counters.slowpath.in2out.tcp : &sm->
1078 counters.fastpath.in2out.tcp,
1079 thread_index, sw_if_index0, 1);
1083 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1085 udp0->src_port = s0->out2in.port;
1086 if (PREDICT_FALSE (udp0->checksum))
1088 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1089 new_port0 = udp0->src_port;
1090 sum0 = udp0->checksum;
1091 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
1094 ip_csum_update (sum0, old_port0, new_port0,
1095 ip4_header_t /* cheat */ ,
1096 length /* changed member */ );
1097 udp0->checksum = ip_csum_fold (sum0);
1100 vlib_increment_simple_counter (is_slow_path ? &sm->
1101 counters.slowpath.in2out.udp : &sm->
1102 counters.fastpath.in2out.udp,
1103 thread_index, sw_if_index0, 1);
1107 nat44_ei_session_update_counters (
1108 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
1109 /* Per-user LRU list maintenance */
1110 nat44_session_update_lru (sm, s0, thread_index);
1113 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1114 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1116 snat_in2out_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
1117 t->is_slow_path = is_slow_path;
1118 t->sw_if_index = sw_if_index0;
1119 t->next_index = next0;
1120 t->session_index = ~0;
1123 s0 - sm->per_thread_data[thread_index].sessions;
1126 if (next0 == SNAT_IN2OUT_NEXT_DROP)
1128 vlib_increment_simple_counter (is_slow_path ? &sm->
1129 counters.slowpath.in2out.
1130 drops : &sm->counters.fastpath.
1131 in2out.drops, thread_index,
1135 if (is_output_feature)
1136 iph_offset1 = vnet_buffer (b1)->ip.reass.save_rewrite_length;
1138 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1141 udp1 = ip4_next_header (ip1);
1142 tcp1 = (tcp_header_t *) udp1;
1143 icmp1 = (icmp46_header_t *) udp1;
1145 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
1146 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1149 if (PREDICT_FALSE (ip1->ttl == 1))
1151 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1152 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1153 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1155 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1159 proto1 = ip_proto_to_nat_proto (ip1->protocol);
1161 /* Next configured feature, probably ip4-lookup */
1164 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_OTHER))
1166 if (nat_in2out_sm_unknown_proto (sm, b1, ip1, rx_fib_index1))
1168 next1 = SNAT_IN2OUT_NEXT_DROP;
1170 node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1172 vlib_increment_simple_counter (is_slow_path ? &sm->
1173 counters.slowpath.in2out.
1174 other : &sm->counters.fastpath.
1175 in2out.other, thread_index,
1180 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_ICMP))
1182 next1 = icmp_in2out_slow_path
1183 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1184 next1, now, thread_index, &s1);
1185 vlib_increment_simple_counter (is_slow_path ? &sm->
1186 counters.slowpath.in2out.
1187 icmp : &sm->counters.fastpath.
1188 in2out.icmp, thread_index,
1195 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_OTHER))
1197 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1201 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_ICMP))
1203 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1208 init_nat_k (&kv1, ip1->src_address,
1209 vnet_buffer (b1)->ip.reass.l4_src_port, rx_fib_index1,
1211 if (PREDICT_FALSE (clib_bihash_search_8_8 (&sm->in2out, &kv1, &value1) !=
1216 if (is_output_feature)
1219 (nat_not_translate_output_feature
1221 vnet_buffer (b1)->ip.reass.l4_src_port,
1222 vnet_buffer (b1)->ip.reass.l4_dst_port,
1223 thread_index, sw_if_index1)))
1227 * Send DHCP packets to the ipv4 stack, or we won't
1228 * be able to use dhcp client on the outside interface
1231 (proto1 == NAT_PROTOCOL_UDP
1232 && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
1233 clib_host_to_net_u16
1234 (UDP_DST_PORT_dhcp_to_server))
1235 && ip1->dst_address.as_u32 == 0xffffffff))
1242 (sm, node, sw_if_index1, ip1, proto1,
1243 rx_fib_index1, thread_index)))
1248 slow_path (sm, b1, ip1, ip1->src_address,
1249 vnet_buffer (b1)->ip.reass.l4_src_port,
1250 rx_fib_index1, proto1, &s1, node, next1,
1252 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1255 if (PREDICT_FALSE (!s1))
1260 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1265 s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1266 nat_value_get_session_index (&value1));
1268 b1->flags |= VNET_BUFFER_F_IS_NATED;
1270 old_addr1 = ip1->src_address.as_u32;
1271 ip1->src_address = s1->out2in.addr;
1272 new_addr1 = ip1->src_address.as_u32;
1273 if (!is_output_feature)
1274 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1276 sum1 = ip1->checksum;
1277 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1278 ip4_header_t, src_address /* changed member */ );
1279 ip1->checksum = ip_csum_fold (sum1);
1281 if (PREDICT_TRUE (proto1 == NAT_PROTOCOL_TCP))
1283 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1285 old_port1 = vnet_buffer (b1)->ip.reass.l4_src_port;
1286 new_port1 = udp1->src_port = s1->out2in.port;
1287 sum1 = tcp1->checksum;
1288 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1290 dst_address /* changed member */ );
1291 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1292 ip4_header_t /* cheat */ ,
1293 length /* changed member */ );
1294 mss_clamping (sm->mss_clamping, tcp1, &sum1);
1295 tcp1->checksum = ip_csum_fold (sum1);
1297 vlib_increment_simple_counter (is_slow_path ? &sm->
1298 counters.slowpath.in2out.tcp : &sm->
1299 counters.fastpath.in2out.tcp,
1300 thread_index, sw_if_index1, 1);
1304 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1306 udp1->src_port = s1->out2in.port;
1307 if (PREDICT_FALSE (udp1->checksum))
1309 old_port1 = vnet_buffer (b1)->ip.reass.l4_src_port;
1310 new_port1 = udp1->src_port;
1311 sum1 = udp1->checksum;
1312 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, dst_address /* changed member */
1315 ip_csum_update (sum1, old_port1, new_port1,
1316 ip4_header_t /* cheat */ ,
1317 length /* changed member */ );
1318 udp1->checksum = ip_csum_fold (sum1);
1321 vlib_increment_simple_counter (is_slow_path ? &sm->
1322 counters.slowpath.in2out.udp : &sm->
1323 counters.fastpath.in2out.udp,
1324 thread_index, sw_if_index1, 1);
1328 nat44_ei_session_update_counters (
1329 s1, now, vlib_buffer_length_in_chain (vm, b1), thread_index);
1330 /* Per-user LRU list maintenance */
1331 nat44_session_update_lru (sm, s1, thread_index);
1334 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1335 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1337 snat_in2out_trace_t *t = vlib_add_trace (vm, node, b1, sizeof (*t));
1338 t->sw_if_index = sw_if_index1;
1339 t->next_index = next1;
1340 t->session_index = ~0;
1343 s1 - sm->per_thread_data[thread_index].sessions;
1346 if (next1 == SNAT_IN2OUT_NEXT_DROP)
1348 vlib_increment_simple_counter (is_slow_path ? &sm->
1349 counters.slowpath.in2out.
1350 drops : &sm->counters.fastpath.
1351 in2out.drops, thread_index,
1361 while (n_left_from > 0)
1368 u32 new_addr0, old_addr0;
1369 u16 old_port0, new_port0;
1372 icmp46_header_t *icmp0;
1375 snat_session_t *s0 = 0;
1376 clib_bihash_kv_8_8_t kv0, value0;
1377 u32 iph_offset0 = 0;
1381 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1383 if (is_output_feature)
1384 iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
1386 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1389 udp0 = ip4_next_header (ip0);
1390 tcp0 = (tcp_header_t *) udp0;
1391 icmp0 = (icmp46_header_t *) udp0;
1393 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1394 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1397 if (PREDICT_FALSE (ip0->ttl == 1))
1399 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1400 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1401 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1403 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1407 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1409 /* Next configured feature, probably ip4-lookup */
1412 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1414 if (nat_in2out_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
1416 next0 = SNAT_IN2OUT_NEXT_DROP;
1418 node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1420 vlib_increment_simple_counter (is_slow_path ? &sm->
1421 counters.slowpath.in2out.
1422 other : &sm->counters.fastpath.
1423 in2out.other, thread_index,
1428 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1430 next0 = icmp_in2out_slow_path
1431 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1432 next0, now, thread_index, &s0);
1433 vlib_increment_simple_counter (is_slow_path ? &sm->
1434 counters.slowpath.in2out.
1435 icmp : &sm->counters.fastpath.
1436 in2out.icmp, thread_index,
1443 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1445 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1449 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1451 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1456 init_nat_k (&kv0, ip0->src_address,
1457 vnet_buffer (b0)->ip.reass.l4_src_port, rx_fib_index0,
1460 if (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
1464 if (is_output_feature)
1467 (nat_not_translate_output_feature
1469 vnet_buffer (b0)->ip.reass.l4_src_port,
1470 vnet_buffer (b0)->ip.reass.l4_dst_port,
1471 thread_index, sw_if_index0)))
1475 * Send DHCP packets to the ipv4 stack, or we won't
1476 * be able to use dhcp client on the outside interface
1479 (proto0 == NAT_PROTOCOL_UDP
1480 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1481 clib_host_to_net_u16
1482 (UDP_DST_PORT_dhcp_to_server))
1483 && ip0->dst_address.as_u32 == 0xffffffff))
1490 (sm, node, sw_if_index0, ip0, proto0, rx_fib_index0,
1496 slow_path (sm, b0, ip0, ip0->src_address,
1497 vnet_buffer (b0)->ip.reass.l4_src_port,
1498 rx_fib_index0, proto0, &s0, node, next0,
1501 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1504 if (PREDICT_FALSE (!s0))
1509 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1514 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1515 nat_value_get_session_index (&value0));
1517 b0->flags |= VNET_BUFFER_F_IS_NATED;
1519 old_addr0 = ip0->src_address.as_u32;
1520 ip0->src_address = s0->out2in.addr;
1521 new_addr0 = ip0->src_address.as_u32;
1522 if (!is_output_feature)
1523 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1525 sum0 = ip0->checksum;
1526 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1527 ip4_header_t, src_address /* changed member */ );
1528 ip0->checksum = ip_csum_fold (sum0);
1530 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1532 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1534 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1535 new_port0 = udp0->src_port = s0->out2in.port;
1536 sum0 = tcp0->checksum;
1538 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1539 dst_address /* changed member */ );
1541 ip_csum_update (sum0, old_port0, new_port0,
1542 ip4_header_t /* cheat */ ,
1543 length /* changed member */ );
1544 mss_clamping (sm->mss_clamping, tcp0, &sum0);
1545 tcp0->checksum = ip_csum_fold (sum0);
1547 vlib_increment_simple_counter (is_slow_path ? &sm->
1548 counters.slowpath.in2out.tcp : &sm->
1549 counters.fastpath.in2out.tcp,
1550 thread_index, sw_if_index0, 1);
1554 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1556 udp0->src_port = s0->out2in.port;
1557 if (PREDICT_FALSE (udp0->checksum))
1559 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1560 new_port0 = udp0->src_port;
1561 sum0 = udp0->checksum;
1563 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1564 dst_address /* changed member */ );
1566 ip_csum_update (sum0, old_port0, new_port0,
1567 ip4_header_t /* cheat */ ,
1568 length /* changed member */ );
1569 udp0->checksum = ip_csum_fold (sum0);
1572 vlib_increment_simple_counter (is_slow_path ? &sm->
1573 counters.slowpath.in2out.udp : &sm->
1574 counters.fastpath.in2out.udp,
1575 thread_index, sw_if_index0, 1);
1579 nat44_ei_session_update_counters (
1580 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
1581 /* Per-user LRU list maintenance */
1582 nat44_session_update_lru (sm, s0, thread_index);
1585 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1586 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1588 snat_in2out_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
1589 t->is_slow_path = is_slow_path;
1590 t->sw_if_index = sw_if_index0;
1591 t->next_index = next0;
1592 t->session_index = ~0;
1595 s0 - sm->per_thread_data[thread_index].sessions;
1598 if (next0 == SNAT_IN2OUT_NEXT_DROP)
1600 vlib_increment_simple_counter (is_slow_path ? &sm->
1601 counters.slowpath.in2out.
1602 drops : &sm->counters.fastpath.
1603 in2out.drops, thread_index,
1612 vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
1614 return frame->n_vectors;
1617 VLIB_NODE_FN (snat_in2out_node) (vlib_main_t * vm,
1618 vlib_node_runtime_t * node,
1619 vlib_frame_t * frame)
1621 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */ ,
1626 VLIB_REGISTER_NODE (snat_in2out_node) = {
1627 .name = "nat44-in2out",
1628 .vector_size = sizeof (u32),
1629 .format_trace = format_snat_in2out_trace,
1630 .type = VLIB_NODE_TYPE_INTERNAL,
1632 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1633 .error_strings = snat_in2out_error_strings,
1635 .runtime_data_bytes = sizeof (snat_runtime_t),
1637 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1639 /* edit / add dispositions here */
1641 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1642 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1643 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1644 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1649 VLIB_NODE_FN (snat_in2out_output_node) (vlib_main_t * vm,
1650 vlib_node_runtime_t * node,
1651 vlib_frame_t * frame)
1653 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */ ,
1658 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
1659 .name = "nat44-in2out-output",
1660 .vector_size = sizeof (u32),
1661 .format_trace = format_snat_in2out_trace,
1662 .type = VLIB_NODE_TYPE_INTERNAL,
1664 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1665 .error_strings = snat_in2out_error_strings,
1667 .runtime_data_bytes = sizeof (snat_runtime_t),
1669 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1671 /* edit / add dispositions here */
1673 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1674 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
1675 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
1676 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1681 VLIB_NODE_FN (snat_in2out_slowpath_node) (vlib_main_t * vm,
1682 vlib_node_runtime_t * node,
1683 vlib_frame_t * frame)
1685 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */ ,
1690 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
1691 .name = "nat44-in2out-slowpath",
1692 .vector_size = sizeof (u32),
1693 .format_trace = format_snat_in2out_trace,
1694 .type = VLIB_NODE_TYPE_INTERNAL,
1696 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1697 .error_strings = snat_in2out_error_strings,
1699 .runtime_data_bytes = sizeof (snat_runtime_t),
1701 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1703 /* edit / add dispositions here */
1705 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1706 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1707 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1708 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1713 VLIB_NODE_FN (snat_in2out_output_slowpath_node) (vlib_main_t * vm,
1714 vlib_node_runtime_t * node,
1715 vlib_frame_t * frame)
1717 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */ ,
1722 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
1723 .name = "nat44-in2out-output-slowpath",
1724 .vector_size = sizeof (u32),
1725 .format_trace = format_snat_in2out_trace,
1726 .type = VLIB_NODE_TYPE_INTERNAL,
1728 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1729 .error_strings = snat_in2out_error_strings,
1731 .runtime_data_bytes = sizeof (snat_runtime_t),
1733 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1735 /* edit / add dispositions here */
1737 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1738 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
1739 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
1740 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1745 VLIB_NODE_FN (snat_in2out_fast_node) (vlib_main_t * vm,
1746 vlib_node_runtime_t * node,
1747 vlib_frame_t * frame)
1749 u32 n_left_from, *from, *to_next;
1750 snat_in2out_next_t next_index;
1751 snat_main_t *sm = &snat_main;
1752 int is_hairpinning = 0;
1754 from = vlib_frame_vector_args (frame);
1755 n_left_from = frame->n_vectors;
1756 next_index = node->cached_next_index;
1758 while (n_left_from > 0)
1762 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1764 while (n_left_from > 0 && n_left_to_next > 0)
1772 u32 new_addr0, old_addr0;
1773 u16 old_port0, new_port0;
1776 icmp46_header_t *icmp0;
1779 ip4_address_t sm0_addr;
1784 /* speculatively enqueue b0 to the current next frame */
1790 n_left_to_next -= 1;
1792 b0 = vlib_get_buffer (vm, bi0);
1793 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1795 ip0 = vlib_buffer_get_current (b0);
1796 udp0 = ip4_next_header (ip0);
1797 tcp0 = (tcp_header_t *) udp0;
1798 icmp0 = (icmp46_header_t *) udp0;
1800 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1802 ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
1804 if (PREDICT_FALSE (ip0->ttl == 1))
1806 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1807 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1808 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1810 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1814 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1816 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1819 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1821 next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0,
1822 rx_fib_index0, node, next0, ~0, 0, 0);
1826 if (nat44_ei_static_mapping_match (
1827 ip0->src_address, udp0->src_port, rx_fib_index0, proto0,
1828 &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0))
1830 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
1831 next0 = SNAT_IN2OUT_NEXT_DROP;
1835 new_addr0 = sm0_addr.as_u32;
1836 new_port0 = sm0_port;
1837 vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0_fib_index;
1838 old_addr0 = ip0->src_address.as_u32;
1839 ip0->src_address.as_u32 = new_addr0;
1841 sum0 = ip0->checksum;
1842 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1844 src_address /* changed member */ );
1845 ip0->checksum = ip_csum_fold (sum0);
1847 if (PREDICT_FALSE (new_port0 != udp0->dst_port))
1849 old_port0 = udp0->src_port;
1850 udp0->src_port = new_port0;
1852 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1854 sum0 = tcp0->checksum;
1855 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1857 dst_address /* changed member */ );
1858 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1859 ip4_header_t /* cheat */ ,
1860 length /* changed member */ );
1861 mss_clamping (sm->mss_clamping, tcp0, &sum0);
1862 tcp0->checksum = ip_csum_fold (sum0);
1864 else if (udp0->checksum)
1866 sum0 = udp0->checksum;
1867 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1869 dst_address /* changed member */ );
1870 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1871 ip4_header_t /* cheat */ ,
1872 length /* changed member */ );
1873 udp0->checksum = ip_csum_fold (sum0);
1878 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1880 sum0 = tcp0->checksum;
1881 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1883 dst_address /* changed member */ );
1884 mss_clamping (sm->mss_clamping, tcp0, &sum0);
1885 tcp0->checksum = ip_csum_fold (sum0);
1887 else if (udp0->checksum)
1889 sum0 = udp0->checksum;
1890 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1892 dst_address /* changed member */ );
1893 udp0->checksum = ip_csum_fold (sum0);
1898 is_hairpinning = snat_hairpinning (vm, node, sm, b0, ip0, udp0, tcp0,
1899 proto0, 0 /* do_trace */);
1902 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1903 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1905 snat_in2out_trace_t *t =
1906 vlib_add_trace (vm, node, b0, sizeof (*t));
1907 t->sw_if_index = sw_if_index0;
1908 t->next_index = next0;
1909 t->is_hairpinning = is_hairpinning;
1912 if (next0 != SNAT_IN2OUT_NEXT_DROP)
1915 vlib_increment_simple_counter (&sm->counters.fastpath.
1916 in2out.other, sw_if_index0,
1917 vm->thread_index, 1);
1920 /* verify speculative enqueue, maybe switch current next frame */
1921 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1922 to_next, n_left_to_next,
1926 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1929 return frame->n_vectors;
1934 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
1935 .name = "nat44-in2out-fast",
1936 .vector_size = sizeof (u32),
1937 .format_trace = format_snat_in2out_fast_trace,
1938 .type = VLIB_NODE_TYPE_INTERNAL,
1940 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1941 .error_strings = snat_in2out_error_strings,
1943 .runtime_data_bytes = sizeof (snat_runtime_t),
1945 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1947 /* edit / add dispositions here */
1949 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1950 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1951 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1952 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1958 * fd.io coding-style-patch-verification: ON
1961 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob