2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 EI inside to outside network translation
20 #include <vlib/vlib.h>
22 #include <vnet/vnet.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/udp/udp_local.h>
26 #include <vnet/fib/ip4_fib.h>
28 #include <vppinfra/hash.h>
29 #include <vppinfra/error.h>
31 #include <nat/lib/log.h>
32 #include <nat/lib/nat_syslog.h>
33 #include <nat/lib/ipfix_logging.h>
34 #include <nat/lib/nat_inlines.h>
35 #include <nat/nat44-ei/nat44_ei_inlines.h>
36 #include <nat/nat44-ei/nat44_ei.h>
37 #include <nat/nat44-ei/nat44_ei_hairpinning.h>
46 } nat44_ei_in2out_trace_t;
48 /* packet trace format function */
50 format_nat44_ei_in2out_trace (u8 *s, va_list *args)
52 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
53 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
54 nat44_ei_in2out_trace_t *t = va_arg (*args, nat44_ei_in2out_trace_t *);
57 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
59 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
60 t->sw_if_index, t->next_index, t->session_index);
61 if (t->is_hairpinning)
63 s = format (s, ", with-hairpinning");
70 format_nat44_ei_in2out_fast_trace (u8 *s, va_list *args)
72 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
73 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
74 nat44_ei_in2out_trace_t *t = va_arg (*args, nat44_ei_in2out_trace_t *);
76 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
77 t->sw_if_index, t->next_index);
82 #define foreach_nat44_ei_in2out_error \
83 _ (UNSUPPORTED_PROTOCOL, "unsupported protocol") \
84 _ (OUT_OF_PORTS, "out of ports") \
85 _ (BAD_OUTSIDE_FIB, "outside VRF ID not found") \
86 _ (BAD_ICMP_TYPE, "unsupported ICMP type") \
87 _ (NO_TRANSLATION, "no translation") \
88 _ (MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
89 _ (CANNOT_CREATE_USER, "cannot create NAT user")
93 #define _(sym, str) NAT44_EI_IN2OUT_ERROR_##sym,
94 foreach_nat44_ei_in2out_error
96 NAT44_EI_IN2OUT_N_ERROR,
97 } nat44_ei_in2out_error_t;
99 static char *nat44_ei_in2out_error_strings[] = {
100 #define _(sym,string) string,
101 foreach_nat44_ei_in2out_error
107 NAT44_EI_IN2OUT_NEXT_LOOKUP,
108 NAT44_EI_IN2OUT_NEXT_DROP,
109 NAT44_EI_IN2OUT_NEXT_ICMP_ERROR,
110 NAT44_EI_IN2OUT_NEXT_SLOW_PATH,
111 NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF,
112 NAT44_EI_IN2OUT_N_NEXT,
113 } nat44_ei_in2out_next_t;
117 NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_DROP,
118 NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_LOOKUP,
119 NAT44_EI_IN2OUT_HAIRPINNING_FINISH_N_NEXT,
120 } nat44_ei_in2out_hairpinnig_finish_next_t;
123 nat44_ei_not_translate_fast (vlib_node_runtime_t *node, u32 sw_if_index0,
124 ip4_header_t *ip0, u32 proto0, u32 rx_fib_index0)
126 nat44_ei_main_t *nm = &nat44_ei_main;
131 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
132 nat44_ei_outside_fib_t *outside_fib;
134 .fp_proto = FIB_PROTOCOL_IP4,
137 .ip4.as_u32 = ip0->dst_address.as_u32,
142 /* Don't NAT packet aimed at the intfc address */
143 if (PREDICT_FALSE (nat44_ei_is_interface_addr (
144 nm->ip4_main, node, sw_if_index0, ip0->dst_address.as_u32)))
147 fei = fib_table_lookup (rx_fib_index0, &pfx);
148 if (FIB_NODE_INDEX_INVALID != fei)
150 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
151 if (sw_if_index == ~0)
153 vec_foreach (outside_fib, nm->outside_fibs)
155 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
156 if (FIB_NODE_INDEX_INVALID != fei)
158 sw_if_index = fib_entry_get_resolving_interface (fei);
159 if (sw_if_index != ~0)
164 if (sw_if_index == ~0)
167 nat44_ei_interface_t *i;
168 pool_foreach (i, nm->interfaces)
170 /* NAT packet aimed at outside interface */
171 if ((nat44_ei_interface_is_outside (i)) &&
172 (sw_if_index == i->sw_if_index))
181 nat44_ei_not_translate (nat44_ei_main_t *nm, vlib_node_runtime_t *node,
182 u32 sw_if_index0, ip4_header_t *ip0, u32 proto0,
183 u32 rx_fib_index0, u32 thread_index)
185 udp_header_t *udp0 = ip4_next_header (ip0);
186 clib_bihash_kv_8_8_t kv0, value0;
188 init_nat_k (&kv0, ip0->dst_address, udp0->dst_port, nm->outside_fib_index,
191 /* NAT packet aimed at external address if */
192 /* has active sessions */
193 if (clib_bihash_search_8_8 (&nm->out2in, &kv0, &value0))
195 /* or is static mappings */
196 ip4_address_t placeholder_addr;
197 u16 placeholder_port;
198 u32 placeholder_fib_index;
199 if (!nat44_ei_static_mapping_match (ip0->dst_address, udp0->dst_port,
200 nm->outside_fib_index, proto0,
201 &placeholder_addr, &placeholder_port,
202 &placeholder_fib_index, 1, 0, 0))
208 if (nm->forwarding_enabled)
211 return nat44_ei_not_translate_fast (node, sw_if_index0, ip0, proto0,
216 nat44_ei_not_translate_output_feature (nat44_ei_main_t *nm, ip4_header_t *ip0,
217 u32 proto0, u16 src_port, u16 dst_port,
218 u32 thread_index, u32 sw_if_index)
220 clib_bihash_kv_8_8_t kv0, value0;
221 nat44_ei_interface_t *i;
224 init_nat_k (&kv0, ip0->src_address, src_port,
225 ip4_fib_table_get_index_for_sw_if_index (sw_if_index), proto0);
227 if (!clib_bihash_search_8_8 (&nm->out2in, &kv0, &value0))
231 init_nat_k (&kv0, ip0->dst_address, dst_port,
232 ip4_fib_table_get_index_for_sw_if_index (sw_if_index), proto0);
233 if (!clib_bihash_search_8_8 (&nm->in2out, &kv0, &value0))
236 pool_foreach (i, nm->output_feature_interfaces)
238 if ((nat44_ei_interface_is_inside (i)) &&
239 (sw_if_index == i->sw_if_index))
248 #ifndef CLIB_MARCH_VARIANT
250 nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
252 nat44_ei_main_t *nm = &nat44_ei_main;
253 nat44_ei_is_idle_session_ctx_t *ctx = arg;
254 nat44_ei_session_t *s;
255 u64 sess_timeout_time;
256 nat44_ei_main_per_thread_data_t *tnm =
257 vec_elt_at_index (nm->per_thread_data, ctx->thread_index);
258 clib_bihash_kv_8_8_t s_kv;
260 if (ctx->thread_index != nat_value_get_thread_index (kv))
265 s = pool_elt_at_index (tnm->sessions, nat_value_get_session_index (kv));
266 sess_timeout_time = s->last_heard + (f64) nat_session_get_timeout (
267 &nm->timeouts, s->nat_proto, s->state);
268 if (ctx->now >= sess_timeout_time)
270 init_nat_o2i_k (&s_kv, s);
271 if (clib_bihash_add_del_8_8 (&nm->out2in, &s_kv, 0))
272 nat_elog_warn (nm, "out2in key del failed");
274 nat_ipfix_logging_nat44_ses_delete (
275 ctx->thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
276 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
277 s->in2out.fib_index);
279 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
280 &s->in2out.addr, s->in2out.port,
281 &s->out2in.addr, s->out2in.port, s->nat_proto);
283 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
284 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
287 if (!nat44_ei_is_session_static (s))
288 nat44_ei_free_outside_address_and_port (
289 nm->addresses, ctx->thread_index, &s->out2in.addr, s->out2in.port,
292 nat44_ei_delete_session (nm, s, ctx->thread_index);
301 slow_path (nat44_ei_main_t *nm, vlib_buffer_t *b0, ip4_header_t *ip0,
302 ip4_address_t i2o_addr, u16 i2o_port, u32 rx_fib_index0,
303 nat_protocol_t nat_proto, nat44_ei_session_t **sessionp,
304 vlib_node_runtime_t *node, u32 next0, u32 thread_index, f64 now)
307 nat44_ei_session_t *s = 0;
308 clib_bihash_kv_8_8_t kv0;
310 nat44_ei_outside_fib_t *outside_fib;
311 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
314 .fp_proto = FIB_PROTOCOL_IP4,
317 .ip4.as_u32 = ip0->dst_address.as_u32,
320 nat44_ei_is_idle_session_ctx_t ctx0;
321 ip4_address_t sm_addr;
325 if (PREDICT_FALSE (nat44_ei_maximum_sessions_exceeded (nm, thread_index)))
327 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
328 nat_ipfix_logging_max_sessions (thread_index,
329 nm->max_translations_per_thread);
330 nat_elog_notice (nm, "maximum sessions exceeded");
331 return NAT44_EI_IN2OUT_NEXT_DROP;
334 /* First try to match static mapping by local address and port */
335 if (nat44_ei_static_mapping_match (i2o_addr, i2o_port, rx_fib_index0,
336 nat_proto, &sm_addr, &sm_port,
337 &sm_fib_index, 0, 0, &identity_nat))
339 /* Try to create dynamic translation */
340 if (nm->alloc_addr_and_port (
341 nm->addresses, rx_fib_index0, thread_index, nat_proto,
342 ip0->src_address, &sm_addr, &sm_port, nm->port_per_thread,
343 nm->per_thread_data[thread_index].snat_thread_index))
345 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_OUT_OF_PORTS];
346 return NAT44_EI_IN2OUT_NEXT_DROP;
351 if (PREDICT_FALSE (identity_nat))
360 u = nat44_ei_user_get_or_create (nm, &ip0->src_address, rx_fib_index0,
364 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_CANNOT_CREATE_USER];
365 return NAT44_EI_IN2OUT_NEXT_DROP;
368 s = nat44_ei_session_alloc_or_recycle (nm, u, thread_index, now);
371 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
372 nat_elog_warn (nm, "create NAT session failed");
373 return NAT44_EI_IN2OUT_NEXT_DROP;
377 s->flags |= NAT44_EI_SESSION_FLAG_STATIC_MAPPING;
378 nat44_ei_user_session_increment (nm, u, is_sm);
379 s->in2out.addr = i2o_addr;
380 s->in2out.port = i2o_port;
381 s->in2out.fib_index = rx_fib_index0;
382 s->nat_proto = nat_proto;
383 s->out2in.addr = sm_addr;
384 s->out2in.port = sm_port;
385 s->out2in.fib_index = nm->outside_fib_index;
386 switch (vec_len (nm->outside_fibs))
389 s->out2in.fib_index = nm->outside_fib_index;
392 s->out2in.fib_index = nm->outside_fibs[0].fib_index;
395 vec_foreach (outside_fib, nm->outside_fibs)
397 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
398 if (FIB_NODE_INDEX_INVALID != fei)
400 if (fib_entry_get_resolving_interface (fei) != ~0)
402 s->out2in.fib_index = outside_fib->fib_index;
409 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
410 s->ext_host_port = vnet_buffer (b0)->ip.reass.l4_dst_port;
413 /* Add to translation hashes */
415 ctx0.thread_index = thread_index;
416 init_nat_i2o_kv (&kv0, s, thread_index,
417 s - nm->per_thread_data[thread_index].sessions);
418 if (clib_bihash_add_or_overwrite_stale_8_8 (
419 &nm->in2out, &kv0, nat44_i2o_is_idle_session_cb, &ctx0))
420 nat_elog_notice (nm, "in2out key add failed");
422 init_nat_o2i_kv (&kv0, s, thread_index,
423 s - nm->per_thread_data[thread_index].sessions);
424 if (clib_bihash_add_or_overwrite_stale_8_8 (
425 &nm->out2in, &kv0, nat44_o2i_is_idle_session_cb, &ctx0))
426 nat_elog_notice (nm, "out2in key add failed");
429 nat_ipfix_logging_nat44_ses_create (
430 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
431 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
432 s->in2out.fib_index);
434 nat_syslog_nat44_apmadd (s->user_index, s->in2out.fib_index, &s->in2out.addr,
435 s->in2out.port, &s->out2in.addr, s->out2in.port,
438 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
439 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
440 &s->ext_host_nat_addr, s->ext_host_nat_port, s->nat_proto,
441 s->in2out.fib_index, s->flags, thread_index, 0);
446 #ifndef CLIB_MARCH_VARIANT
447 static_always_inline nat44_ei_in2out_error_t
448 icmp_get_key (vlib_buffer_t *b, ip4_header_t *ip0, ip4_address_t *addr,
449 u16 *port, nat_protocol_t *nat_proto)
451 icmp46_header_t *icmp0;
452 icmp_echo_header_t *echo0, *inner_echo0 = 0;
453 ip4_header_t *inner_ip0 = 0;
455 icmp46_header_t *inner_icmp0;
457 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
458 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
460 if (!icmp_type_is_error_message
461 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
463 *nat_proto = NAT_PROTOCOL_ICMP;
464 *addr = ip0->src_address;
465 *port = vnet_buffer (b)->ip.reass.l4_src_port;
469 inner_ip0 = (ip4_header_t *) (echo0 + 1);
470 l4_header = ip4_next_header (inner_ip0);
471 *nat_proto = ip_proto_to_nat_proto (inner_ip0->protocol);
472 *addr = inner_ip0->dst_address;
475 case NAT_PROTOCOL_ICMP:
476 inner_icmp0 = (icmp46_header_t *) l4_header;
477 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
478 *port = inner_echo0->identifier;
480 case NAT_PROTOCOL_UDP:
481 case NAT_PROTOCOL_TCP:
482 *port = ((tcp_udp_header_t *) l4_header)->dst_port;
485 return NAT44_EI_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
488 return -1; /* success */
492 * Get address and port values to be used for ICMP packet translation
493 * and create session if needed
495 * @param[in,out] nm NAT main
496 * @param[in,out] node NAT node runtime
497 * @param[in] thread_index thread index
498 * @param[in,out] b0 buffer containing packet to be translated
499 * @param[in,out] ip0 ip header
500 * @param[out] p_proto protocol used for matching
501 * @param[out] p_value address and port after NAT translation
502 * @param[out] p_dont_translate if packet should not be translated
503 * @param d optional parameter
504 * @param e optional parameter
507 nat44_ei_icmp_match_in2out_slow (vlib_node_runtime_t *node, u32 thread_index,
508 vlib_buffer_t *b0, ip4_header_t *ip0,
509 ip4_address_t *addr, u16 *port,
510 u32 *fib_index, nat_protocol_t *proto,
511 nat44_ei_session_t **p_s0, u8 *dont_translate)
513 nat44_ei_main_t *nm = &nat44_ei_main;
514 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
516 nat44_ei_session_t *s0 = 0;
517 clib_bihash_kv_8_8_t kv0, value0;
520 vlib_main_t *vm = vlib_get_main ();
523 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
524 *fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
526 err = icmp_get_key (b0, ip0, addr, port, proto);
529 b0->error = node->errors[err];
530 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
534 init_nat_k (&kv0, *addr, *port, *fib_index, *proto);
535 if (clib_bihash_search_8_8 (&nm->in2out, &kv0, &value0))
537 if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0)
539 if (PREDICT_FALSE (nat44_ei_not_translate_output_feature (
540 nm, ip0, *proto, *port, *port, thread_index, sw_if_index0)))
548 if (PREDICT_FALSE (nat44_ei_not_translate (
549 nm, node, sw_if_index0, ip0, NAT_PROTOCOL_ICMP, *fib_index,
558 (icmp_type_is_error_message
559 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags)))
561 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_BAD_ICMP_TYPE];
562 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
566 next0 = slow_path (nm, b0, ip0, *addr, *port, *fib_index, *proto, &s0,
567 node, next0, thread_index, vlib_time_now (vm));
569 if (PREDICT_FALSE (next0 == NAT44_EI_IN2OUT_NEXT_DROP))
581 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
583 && vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
585 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
586 reass.icmp_type_or_tcp_flags)))
588 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_BAD_ICMP_TYPE];
589 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
593 s0 = pool_elt_at_index (tnm->sessions,
594 nat_value_get_session_index (&value0));
600 *addr = s0->out2in.addr;
601 *port = s0->out2in.port;
602 *fib_index = s0->out2in.fib_index;
610 #ifndef CLIB_MARCH_VARIANT
612 nat44_ei_icmp_match_in2out_fast (vlib_node_runtime_t *node, u32 thread_index,
613 vlib_buffer_t *b0, ip4_header_t *ip0,
614 ip4_address_t *addr, u16 *port,
615 u32 *fib_index, nat_protocol_t *proto,
616 nat44_ei_session_t **s0, u8 *dont_translate)
624 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
625 *fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
627 err = icmp_get_key (b0, ip0, addr, port, proto);
630 b0->error = node->errors[err];
631 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
635 ip4_address_t sm_addr;
639 if (nat44_ei_static_mapping_match (*addr, *port, *fib_index, *proto,
640 &sm_addr, &sm_port, &sm_fib_index, 0,
643 if (PREDICT_FALSE (nat44_ei_not_translate_fast (
644 node, sw_if_index0, ip0, IP_PROTOCOL_ICMP, *fib_index)))
650 if (icmp_type_is_error_message
651 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
653 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
657 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_NO_TRANSLATION];
658 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
663 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_request
664 && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
665 ICMP4_echo_reply || !is_addr_only)
666 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
667 reass.icmp_type_or_tcp_flags)))
669 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_BAD_ICMP_TYPE];
670 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
679 u32 nat44_ei_icmp_in2out (vlib_buffer_t *b0, ip4_header_t *ip0,
680 icmp46_header_t *icmp0, u32 sw_if_index0,
681 u32 rx_fib_index0, vlib_node_runtime_t *node,
682 u32 next0, u32 thread_index,
683 nat44_ei_session_t **p_s0);
685 #ifndef CLIB_MARCH_VARIANT
687 nat44_ei_icmp_in2out (vlib_buffer_t *b0, ip4_header_t *ip0,
688 icmp46_header_t *icmp0, u32 sw_if_index0,
689 u32 rx_fib_index0, vlib_node_runtime_t *node, u32 next0,
690 u32 thread_index, nat44_ei_session_t **p_s0)
692 nat44_ei_main_t *nm = &nat44_ei_main;
693 vlib_main_t *vm = vlib_get_main ();
697 nat_protocol_t proto;
698 icmp_echo_header_t *echo0, *inner_echo0 = 0;
699 ip4_header_t *inner_ip0;
701 icmp46_header_t *inner_icmp0;
703 u32 new_addr0, old_addr0;
704 u16 old_id0, new_id0;
705 u16 old_checksum0, new_checksum0;
709 u32 required_thread_index = thread_index;
711 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
713 if (PREDICT_TRUE (nm->pat))
715 next0_tmp = nat44_ei_icmp_match_in2out_slow (
716 node, thread_index, b0, ip0, &addr, &port, &fib_index, &proto, p_s0,
721 next0_tmp = nat44_ei_icmp_match_in2out_fast (
722 node, thread_index, b0, ip0, &addr, &port, &fib_index, &proto, p_s0,
728 if (next0 == NAT44_EI_IN2OUT_NEXT_DROP || dont_translate)
731 if (PREDICT_TRUE (!ip4_is_fragment (ip0)))
734 ip_incremental_checksum_buffer (vm, b0,
736 (u8 *) vlib_buffer_get_current (b0),
737 ntohs (ip0->length) -
738 ip4_header_bytes (ip0), 0);
739 checksum0 = ~ip_csum_fold (sum0);
740 if (PREDICT_FALSE (checksum0 != 0 && checksum0 != 0xffff))
742 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
747 old_addr0 = ip0->src_address.as_u32;
748 new_addr0 = ip0->src_address.as_u32 = addr.as_u32;
750 sum0 = ip0->checksum;
751 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
752 src_address /* changed member */ );
753 ip0->checksum = ip_csum_fold (sum0);
755 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
757 if (icmp0->checksum == 0)
758 icmp0->checksum = 0xffff;
760 if (!icmp_type_is_error_message (icmp0->type))
763 if (PREDICT_FALSE (new_id0 != echo0->identifier))
765 old_id0 = echo0->identifier;
767 echo0->identifier = new_id0;
769 sum0 = icmp0->checksum;
771 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
773 icmp0->checksum = ip_csum_fold (sum0);
778 inner_ip0 = (ip4_header_t *) (echo0 + 1);
779 l4_header = ip4_next_header (inner_ip0);
781 if (!ip4_header_checksum_is_valid (inner_ip0))
783 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
787 /* update inner destination IP address */
788 old_addr0 = inner_ip0->dst_address.as_u32;
789 inner_ip0->dst_address = addr;
790 new_addr0 = inner_ip0->dst_address.as_u32;
791 sum0 = icmp0->checksum;
792 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
793 dst_address /* changed member */ );
794 icmp0->checksum = ip_csum_fold (sum0);
796 /* update inner IP header checksum */
797 old_checksum0 = inner_ip0->checksum;
798 sum0 = inner_ip0->checksum;
799 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
800 dst_address /* changed member */ );
801 inner_ip0->checksum = ip_csum_fold (sum0);
802 new_checksum0 = inner_ip0->checksum;
803 sum0 = icmp0->checksum;
805 ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t,
807 icmp0->checksum = ip_csum_fold (sum0);
811 case NAT_PROTOCOL_ICMP:
812 inner_icmp0 = (icmp46_header_t *) l4_header;
813 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
815 old_id0 = inner_echo0->identifier;
817 inner_echo0->identifier = new_id0;
819 sum0 = icmp0->checksum;
821 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
823 icmp0->checksum = ip_csum_fold (sum0);
825 case NAT_PROTOCOL_UDP:
826 case NAT_PROTOCOL_TCP:
827 old_id0 = ((tcp_udp_header_t *) l4_header)->dst_port;
829 ((tcp_udp_header_t *) l4_header)->dst_port = new_id0;
831 sum0 = icmp0->checksum;
832 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
834 icmp0->checksum = ip_csum_fold (sum0);
842 if (vnet_buffer (b0)->sw_if_index[VLIB_TX] == ~0)
844 if (0 != nat44_ei_icmp_hairpinning (nm, b0, thread_index, ip0, icmp0,
845 &required_thread_index))
846 vnet_buffer (b0)->sw_if_index[VLIB_TX] = fib_index;
847 if (thread_index != required_thread_index)
849 vnet_buffer (b0)->snat.required_thread_index = required_thread_index;
850 next0 = NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF;
859 static_always_inline u32
860 nat44_ei_icmp_in2out_slow_path (nat44_ei_main_t *nm, vlib_buffer_t *b0,
861 ip4_header_t *ip0, icmp46_header_t *icmp0,
862 u32 sw_if_index0, u32 rx_fib_index0,
863 vlib_node_runtime_t *node, u32 next0, f64 now,
864 u32 thread_index, nat44_ei_session_t **p_s0)
866 vlib_main_t *vm = vlib_get_main ();
868 next0 = nat44_ei_icmp_in2out (b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
869 node, next0, thread_index, p_s0);
870 nat44_ei_session_t *s0 = *p_s0;
871 if (PREDICT_TRUE (next0 != NAT44_EI_IN2OUT_NEXT_DROP && s0))
874 nat44_ei_session_update_counters (
875 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
876 /* Per-user LRU list maintenance */
877 nat44_ei_session_update_lru (nm, s0, thread_index);
883 nat_in2out_sm_unknown_proto (nat44_ei_main_t *nm, vlib_buffer_t *b,
884 ip4_header_t *ip, u32 rx_fib_index)
886 clib_bihash_kv_8_8_t kv, value;
887 nat44_ei_static_mapping_t *m;
888 u32 old_addr, new_addr;
891 init_nat_k (&kv, ip->src_address, 0, rx_fib_index, 0);
892 if (clib_bihash_search_8_8 (&nm->static_mapping_by_local, &kv, &value))
895 m = pool_elt_at_index (nm->static_mappings, value.value);
897 old_addr = ip->src_address.as_u32;
898 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
900 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
901 ip->checksum = ip_csum_fold (sum);
905 if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0)
907 vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index;
908 nat44_ei_hairpinning_sm_unknown_proto (nm, b, ip);
915 nat44_ei_in2out_node_fn_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
916 vlib_frame_t *frame, int is_slow_path,
917 int is_output_feature)
919 u32 n_left_from, *from;
920 nat44_ei_main_t *nm = &nat44_ei_main;
921 f64 now = vlib_time_now (vm);
922 u32 thread_index = vm->thread_index;
924 from = vlib_frame_vector_args (frame);
925 n_left_from = frame->n_vectors;
927 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
928 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
929 vlib_get_buffers (vm, from, b, n_left_from);
931 while (n_left_from >= 2)
933 vlib_buffer_t *b0, *b1;
935 u32 rx_sw_if_index0, rx_sw_if_index1;
936 u32 tx_sw_if_index0, tx_sw_if_index1;
937 u32 cntr_sw_if_index0, cntr_sw_if_index1;
938 ip4_header_t *ip0, *ip1;
939 ip_csum_t sum0, sum1;
940 u32 new_addr0, old_addr0, new_addr1, old_addr1;
941 u16 old_port0, new_port0, old_port1, new_port1;
942 udp_header_t *udp0, *udp1;
943 tcp_header_t *tcp0, *tcp1;
944 icmp46_header_t *icmp0, *icmp1;
945 u32 rx_fib_index0, rx_fib_index1;
947 nat44_ei_session_t *s0 = 0, *s1 = 0;
948 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
949 u32 iph_offset0 = 0, iph_offset1 = 0;
956 /* Prefetch next iteration. */
957 if (PREDICT_TRUE (n_left_from >= 4))
959 vlib_buffer_t *p2, *p3;
964 vlib_prefetch_buffer_header (p2, LOAD);
965 vlib_prefetch_buffer_header (p3, LOAD);
967 clib_prefetch_load (p2->data);
968 clib_prefetch_load (p3->data);
971 if (is_output_feature)
972 iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
974 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
977 udp0 = ip4_next_header (ip0);
978 tcp0 = (tcp_header_t *) udp0;
979 icmp0 = (icmp46_header_t *) udp0;
981 rx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
982 tx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
984 is_output_feature ? tx_sw_if_index0 : rx_sw_if_index0;
986 vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index0);
988 next0 = next1 = NAT44_EI_IN2OUT_NEXT_LOOKUP;
990 if (PREDICT_FALSE (ip0->ttl == 1))
992 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
993 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
994 ICMP4_time_exceeded_ttl_exceeded_in_transit,
996 next0 = NAT44_EI_IN2OUT_NEXT_ICMP_ERROR;
1000 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1002 /* Next configured feature, probably ip4-lookup */
1005 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1007 if (nat_in2out_sm_unknown_proto (nm, b0, ip0, rx_fib_index0))
1009 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
1011 node->errors[NAT44_EI_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1013 vlib_increment_simple_counter (
1014 is_slow_path ? &nm->counters.slowpath.in2out.other :
1015 &nm->counters.fastpath.in2out.other,
1016 thread_index, cntr_sw_if_index0, 1);
1020 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1022 next0 = nat44_ei_icmp_in2out_slow_path (
1023 nm, b0, ip0, icmp0, rx_sw_if_index0, rx_fib_index0, node,
1024 next0, now, thread_index, &s0);
1025 vlib_increment_simple_counter (
1026 is_slow_path ? &nm->counters.slowpath.in2out.icmp :
1027 &nm->counters.fastpath.in2out.icmp,
1028 thread_index, cntr_sw_if_index0, 1);
1034 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1036 next0 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1040 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1042 next0 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1047 init_nat_k (&kv0, ip0->src_address,
1048 vnet_buffer (b0)->ip.reass.l4_src_port, rx_fib_index0,
1050 if (PREDICT_FALSE (clib_bihash_search_8_8 (&nm->in2out, &kv0, &value0) !=
1055 if (is_output_feature)
1057 if (PREDICT_FALSE (nat44_ei_not_translate_output_feature (
1059 vnet_buffer (b0)->ip.reass.l4_src_port,
1060 vnet_buffer (b0)->ip.reass.l4_dst_port, thread_index,
1065 * Send DHCP packets to the ipv4 stack, or we won't
1066 * be able to use dhcp client on the outside interface
1069 (proto0 == NAT_PROTOCOL_UDP
1070 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1071 clib_host_to_net_u16
1072 (UDP_DST_PORT_dhcp_to_server))
1073 && ip0->dst_address.as_u32 == 0xffffffff))
1078 if (PREDICT_FALSE (nat44_ei_not_translate (
1079 nm, node, rx_sw_if_index0, ip0, proto0, rx_fib_index0,
1084 next0 = slow_path (nm, b0, ip0, ip0->src_address,
1085 vnet_buffer (b0)->ip.reass.l4_src_port,
1086 rx_fib_index0, proto0, &s0, node, next0,
1088 if (PREDICT_FALSE (next0 == NAT44_EI_IN2OUT_NEXT_DROP))
1091 if (PREDICT_FALSE (!s0))
1096 next0 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1101 s0 = pool_elt_at_index (nm->per_thread_data[thread_index].sessions,
1102 nat_value_get_session_index (&value0));
1104 b0->flags |= VNET_BUFFER_F_IS_NATED;
1106 old_addr0 = ip0->src_address.as_u32;
1107 ip0->src_address = s0->out2in.addr;
1108 new_addr0 = ip0->src_address.as_u32;
1109 if (!is_output_feature)
1110 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1112 sum0 = ip0->checksum;
1113 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1114 ip4_header_t, src_address /* changed member */ );
1115 ip0->checksum = ip_csum_fold (sum0);
1118 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1120 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1122 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1123 new_port0 = udp0->src_port = s0->out2in.port;
1124 sum0 = tcp0->checksum;
1125 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1127 dst_address /* changed member */ );
1128 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1129 ip4_header_t /* cheat */ ,
1130 length /* changed member */ );
1131 mss_clamping (nm->mss_clamping, tcp0, &sum0);
1132 tcp0->checksum = ip_csum_fold (sum0);
1134 vlib_increment_simple_counter (is_slow_path ?
1135 &nm->counters.slowpath.in2out.tcp :
1136 &nm->counters.fastpath.in2out.tcp,
1137 thread_index, cntr_sw_if_index0, 1);
1141 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1143 udp0->src_port = s0->out2in.port;
1144 if (PREDICT_FALSE (udp0->checksum))
1146 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1147 new_port0 = udp0->src_port;
1148 sum0 = udp0->checksum;
1149 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
1152 ip_csum_update (sum0, old_port0, new_port0,
1153 ip4_header_t /* cheat */ ,
1154 length /* changed member */ );
1155 udp0->checksum = ip_csum_fold (sum0);
1158 vlib_increment_simple_counter (is_slow_path ?
1159 &nm->counters.slowpath.in2out.udp :
1160 &nm->counters.fastpath.in2out.udp,
1161 thread_index, cntr_sw_if_index0, 1);
1165 nat44_ei_session_update_counters (
1166 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
1167 /* Per-user LRU list maintenance */
1168 nat44_ei_session_update_lru (nm, s0, thread_index);
1171 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1172 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1174 nat44_ei_in2out_trace_t *t =
1175 vlib_add_trace (vm, node, b0, sizeof (*t));
1176 t->is_slow_path = is_slow_path;
1177 t->sw_if_index = rx_sw_if_index0;
1178 t->next_index = next0;
1179 t->session_index = ~0;
1181 t->session_index = s0 - nm->per_thread_data[thread_index].sessions;
1184 if (next0 == NAT44_EI_IN2OUT_NEXT_DROP)
1186 vlib_increment_simple_counter (
1187 is_slow_path ? &nm->counters.slowpath.in2out.drops :
1188 &nm->counters.fastpath.in2out.drops,
1189 thread_index, cntr_sw_if_index0, 1);
1192 if (is_output_feature)
1193 iph_offset1 = vnet_buffer (b1)->ip.reass.save_rewrite_length;
1195 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1198 udp1 = ip4_next_header (ip1);
1199 tcp1 = (tcp_header_t *) udp1;
1200 icmp1 = (icmp46_header_t *) udp1;
1202 rx_sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
1203 tx_sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_TX];
1205 is_output_feature ? tx_sw_if_index1 : rx_sw_if_index1;
1207 vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index1);
1209 if (PREDICT_FALSE (ip1->ttl == 1))
1211 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1212 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1213 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1215 next1 = NAT44_EI_IN2OUT_NEXT_ICMP_ERROR;
1219 proto1 = ip_proto_to_nat_proto (ip1->protocol);
1221 /* Next configured feature, probably ip4-lookup */
1224 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_OTHER))
1226 if (nat_in2out_sm_unknown_proto (nm, b1, ip1, rx_fib_index1))
1228 next1 = NAT44_EI_IN2OUT_NEXT_DROP;
1230 node->errors[NAT44_EI_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1232 vlib_increment_simple_counter (
1233 is_slow_path ? &nm->counters.slowpath.in2out.other :
1234 &nm->counters.fastpath.in2out.other,
1235 thread_index, cntr_sw_if_index1, 1);
1239 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_ICMP))
1241 next1 = nat44_ei_icmp_in2out_slow_path (
1242 nm, b1, ip1, icmp1, rx_sw_if_index1, rx_fib_index1, node,
1243 next1, now, thread_index, &s1);
1244 vlib_increment_simple_counter (
1245 is_slow_path ? &nm->counters.slowpath.in2out.icmp :
1246 &nm->counters.fastpath.in2out.icmp,
1247 thread_index, cntr_sw_if_index1, 1);
1253 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_OTHER))
1255 next1 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1259 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_ICMP))
1261 next1 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1266 init_nat_k (&kv1, ip1->src_address,
1267 vnet_buffer (b1)->ip.reass.l4_src_port, rx_fib_index1,
1269 if (PREDICT_FALSE (clib_bihash_search_8_8 (&nm->in2out, &kv1, &value1) !=
1274 if (is_output_feature)
1276 if (PREDICT_FALSE (nat44_ei_not_translate_output_feature (
1278 vnet_buffer (b1)->ip.reass.l4_src_port,
1279 vnet_buffer (b1)->ip.reass.l4_dst_port, thread_index,
1284 * Send DHCP packets to the ipv4 stack, or we won't
1285 * be able to use dhcp client on the outside interface
1288 (proto1 == NAT_PROTOCOL_UDP
1289 && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
1290 clib_host_to_net_u16
1291 (UDP_DST_PORT_dhcp_to_server))
1292 && ip1->dst_address.as_u32 == 0xffffffff))
1297 if (PREDICT_FALSE (nat44_ei_not_translate (
1298 nm, node, rx_sw_if_index1, ip1, proto1, rx_fib_index1,
1303 next1 = slow_path (nm, b1, ip1, ip1->src_address,
1304 vnet_buffer (b1)->ip.reass.l4_src_port,
1305 rx_fib_index1, proto1, &s1, node, next1,
1307 if (PREDICT_FALSE (next1 == NAT44_EI_IN2OUT_NEXT_DROP))
1310 if (PREDICT_FALSE (!s1))
1315 next1 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1320 s1 = pool_elt_at_index (nm->per_thread_data[thread_index].sessions,
1321 nat_value_get_session_index (&value1));
1323 b1->flags |= VNET_BUFFER_F_IS_NATED;
1325 old_addr1 = ip1->src_address.as_u32;
1326 ip1->src_address = s1->out2in.addr;
1327 new_addr1 = ip1->src_address.as_u32;
1328 if (!is_output_feature)
1329 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1331 sum1 = ip1->checksum;
1332 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1333 ip4_header_t, src_address /* changed member */ );
1334 ip1->checksum = ip_csum_fold (sum1);
1336 if (PREDICT_TRUE (proto1 == NAT_PROTOCOL_TCP))
1338 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1340 old_port1 = vnet_buffer (b1)->ip.reass.l4_src_port;
1341 new_port1 = udp1->src_port = s1->out2in.port;
1342 sum1 = tcp1->checksum;
1343 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1345 dst_address /* changed member */ );
1346 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1347 ip4_header_t /* cheat */ ,
1348 length /* changed member */ );
1349 mss_clamping (nm->mss_clamping, tcp1, &sum1);
1350 tcp1->checksum = ip_csum_fold (sum1);
1352 vlib_increment_simple_counter (is_slow_path ?
1353 &nm->counters.slowpath.in2out.tcp :
1354 &nm->counters.fastpath.in2out.tcp,
1355 thread_index, cntr_sw_if_index1, 1);
1359 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1361 udp1->src_port = s1->out2in.port;
1362 if (PREDICT_FALSE (udp1->checksum))
1364 old_port1 = vnet_buffer (b1)->ip.reass.l4_src_port;
1365 new_port1 = udp1->src_port;
1366 sum1 = udp1->checksum;
1367 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, dst_address /* changed member */
1370 ip_csum_update (sum1, old_port1, new_port1,
1371 ip4_header_t /* cheat */ ,
1372 length /* changed member */ );
1373 udp1->checksum = ip_csum_fold (sum1);
1376 vlib_increment_simple_counter (is_slow_path ?
1377 &nm->counters.slowpath.in2out.udp :
1378 &nm->counters.fastpath.in2out.udp,
1379 thread_index, cntr_sw_if_index1, 1);
1383 nat44_ei_session_update_counters (
1384 s1, now, vlib_buffer_length_in_chain (vm, b1), thread_index);
1385 /* Per-user LRU list maintenance */
1386 nat44_ei_session_update_lru (nm, s1, thread_index);
1389 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1390 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1392 nat44_ei_in2out_trace_t *t =
1393 vlib_add_trace (vm, node, b1, sizeof (*t));
1394 t->sw_if_index = rx_sw_if_index1;
1395 t->next_index = next1;
1396 t->session_index = ~0;
1398 t->session_index = s1 - nm->per_thread_data[thread_index].sessions;
1401 if (next1 == NAT44_EI_IN2OUT_NEXT_DROP)
1403 vlib_increment_simple_counter (
1404 is_slow_path ? &nm->counters.slowpath.in2out.drops :
1405 &nm->counters.fastpath.in2out.drops,
1406 thread_index, cntr_sw_if_index1, 1);
1415 while (n_left_from > 0)
1419 u32 rx_sw_if_index0;
1420 u32 tx_sw_if_index0;
1421 u32 cntr_sw_if_index0;
1424 u32 new_addr0, old_addr0;
1425 u16 old_port0, new_port0;
1428 icmp46_header_t *icmp0;
1431 nat44_ei_session_t *s0 = 0;
1432 clib_bihash_kv_8_8_t kv0, value0;
1433 u32 iph_offset0 = 0;
1437 next0 = NAT44_EI_IN2OUT_NEXT_LOOKUP;
1439 if (is_output_feature)
1440 iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
1442 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1445 udp0 = ip4_next_header (ip0);
1446 tcp0 = (tcp_header_t *) udp0;
1447 icmp0 = (icmp46_header_t *) udp0;
1449 rx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1450 tx_sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
1452 is_output_feature ? tx_sw_if_index0 : rx_sw_if_index0;
1454 vec_elt (nm->ip4_main->fib_index_by_sw_if_index, rx_sw_if_index0);
1456 if (PREDICT_FALSE (ip0->ttl == 1))
1458 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1459 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1460 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1462 next0 = NAT44_EI_IN2OUT_NEXT_ICMP_ERROR;
1466 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1468 /* Next configured feature, probably ip4-lookup */
1471 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1473 if (nat_in2out_sm_unknown_proto (nm, b0, ip0, rx_fib_index0))
1475 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
1477 node->errors[NAT44_EI_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1479 vlib_increment_simple_counter (
1480 is_slow_path ? &nm->counters.slowpath.in2out.other :
1481 &nm->counters.fastpath.in2out.other,
1482 thread_index, cntr_sw_if_index0, 1);
1486 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1488 next0 = nat44_ei_icmp_in2out_slow_path (
1489 nm, b0, ip0, icmp0, rx_sw_if_index0, rx_fib_index0, node,
1490 next0, now, thread_index, &s0);
1491 vlib_increment_simple_counter (
1492 is_slow_path ? &nm->counters.slowpath.in2out.icmp :
1493 &nm->counters.fastpath.in2out.icmp,
1494 thread_index, cntr_sw_if_index0, 1);
1500 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1502 next0 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1506 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1508 next0 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1513 init_nat_k (&kv0, ip0->src_address,
1514 vnet_buffer (b0)->ip.reass.l4_src_port, rx_fib_index0,
1517 if (clib_bihash_search_8_8 (&nm->in2out, &kv0, &value0))
1521 if (is_output_feature)
1523 if (PREDICT_FALSE (nat44_ei_not_translate_output_feature (
1525 vnet_buffer (b0)->ip.reass.l4_src_port,
1526 vnet_buffer (b0)->ip.reass.l4_dst_port, thread_index,
1531 * Send DHCP packets to the ipv4 stack, or we won't
1532 * be able to use dhcp client on the outside interface
1535 (proto0 == NAT_PROTOCOL_UDP
1536 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1537 clib_host_to_net_u16
1538 (UDP_DST_PORT_dhcp_to_server))
1539 && ip0->dst_address.as_u32 == 0xffffffff))
1544 if (PREDICT_FALSE (nat44_ei_not_translate (
1545 nm, node, rx_sw_if_index0, ip0, proto0, rx_fib_index0,
1550 next0 = slow_path (nm, b0, ip0, ip0->src_address,
1551 vnet_buffer (b0)->ip.reass.l4_src_port,
1552 rx_fib_index0, proto0, &s0, node, next0,
1555 if (PREDICT_FALSE (next0 == NAT44_EI_IN2OUT_NEXT_DROP))
1558 if (PREDICT_FALSE (!s0))
1563 next0 = NAT44_EI_IN2OUT_NEXT_SLOW_PATH;
1568 s0 = pool_elt_at_index (nm->per_thread_data[thread_index].sessions,
1569 nat_value_get_session_index (&value0));
1571 b0->flags |= VNET_BUFFER_F_IS_NATED;
1573 old_addr0 = ip0->src_address.as_u32;
1574 ip0->src_address = s0->out2in.addr;
1575 new_addr0 = ip0->src_address.as_u32;
1576 if (!is_output_feature)
1577 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1579 sum0 = ip0->checksum;
1580 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1581 ip4_header_t, src_address /* changed member */ );
1582 ip0->checksum = ip_csum_fold (sum0);
1584 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1586 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1588 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1589 new_port0 = udp0->src_port = s0->out2in.port;
1590 sum0 = tcp0->checksum;
1592 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1593 dst_address /* changed member */ );
1595 ip_csum_update (sum0, old_port0, new_port0,
1596 ip4_header_t /* cheat */ ,
1597 length /* changed member */ );
1598 mss_clamping (nm->mss_clamping, tcp0, &sum0);
1599 tcp0->checksum = ip_csum_fold (sum0);
1601 vlib_increment_simple_counter (is_slow_path ?
1602 &nm->counters.slowpath.in2out.tcp :
1603 &nm->counters.fastpath.in2out.tcp,
1604 thread_index, cntr_sw_if_index0, 1);
1608 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1610 udp0->src_port = s0->out2in.port;
1611 if (PREDICT_FALSE (udp0->checksum))
1613 old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1614 new_port0 = udp0->src_port;
1615 sum0 = udp0->checksum;
1617 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1618 dst_address /* changed member */ );
1620 ip_csum_update (sum0, old_port0, new_port0,
1621 ip4_header_t /* cheat */ ,
1622 length /* changed member */ );
1623 udp0->checksum = ip_csum_fold (sum0);
1626 vlib_increment_simple_counter (is_slow_path ?
1627 &nm->counters.slowpath.in2out.udp :
1628 &nm->counters.fastpath.in2out.udp,
1629 thread_index, cntr_sw_if_index0, 1);
1633 nat44_ei_session_update_counters (
1634 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
1635 /* Per-user LRU list maintenance */
1636 nat44_ei_session_update_lru (nm, s0, thread_index);
1639 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1640 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1642 nat44_ei_in2out_trace_t *t =
1643 vlib_add_trace (vm, node, b0, sizeof (*t));
1644 t->is_slow_path = is_slow_path;
1645 t->sw_if_index = rx_sw_if_index0;
1646 t->next_index = next0;
1647 t->session_index = ~0;
1649 t->session_index = s0 - nm->per_thread_data[thread_index].sessions;
1652 if (next0 == NAT44_EI_IN2OUT_NEXT_DROP)
1654 vlib_increment_simple_counter (
1655 is_slow_path ? &nm->counters.slowpath.in2out.drops :
1656 &nm->counters.fastpath.in2out.drops,
1657 thread_index, cntr_sw_if_index0, 1);
1665 vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
1667 return frame->n_vectors;
1670 VLIB_NODE_FN (nat44_ei_in2out_node)
1671 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
1673 return nat44_ei_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */,
1677 VLIB_REGISTER_NODE (nat44_ei_in2out_node) = {
1678 .name = "nat44-ei-in2out",
1679 .vector_size = sizeof (u32),
1680 .format_trace = format_nat44_ei_in2out_trace,
1681 .type = VLIB_NODE_TYPE_INTERNAL,
1683 .n_errors = ARRAY_LEN(nat44_ei_in2out_error_strings),
1684 .error_strings = nat44_ei_in2out_error_strings,
1686 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
1688 .n_next_nodes = NAT44_EI_IN2OUT_N_NEXT,
1690 /* edit / add dispositions here */
1692 [NAT44_EI_IN2OUT_NEXT_DROP] = "error-drop",
1693 [NAT44_EI_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1694 [NAT44_EI_IN2OUT_NEXT_SLOW_PATH] = "nat44-ei-in2out-slowpath",
1695 [NAT44_EI_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1696 [NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF] = "nat44-ei-in2out-hairpinning-handoff-ip4-lookup",
1700 VLIB_NODE_FN (nat44_ei_in2out_output_node)
1701 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
1703 return nat44_ei_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */,
1707 VLIB_REGISTER_NODE (nat44_ei_in2out_output_node) = {
1708 .name = "nat44-ei-in2out-output",
1709 .vector_size = sizeof (u32),
1710 .format_trace = format_nat44_ei_in2out_trace,
1711 .type = VLIB_NODE_TYPE_INTERNAL,
1713 .n_errors = ARRAY_LEN(nat44_ei_in2out_error_strings),
1714 .error_strings = nat44_ei_in2out_error_strings,
1716 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
1718 .n_next_nodes = NAT44_EI_IN2OUT_N_NEXT,
1720 /* edit / add dispositions here */
1722 [NAT44_EI_IN2OUT_NEXT_DROP] = "error-drop",
1723 [NAT44_EI_IN2OUT_NEXT_LOOKUP] = "interface-output",
1724 [NAT44_EI_IN2OUT_NEXT_SLOW_PATH] = "nat44-ei-in2out-output-slowpath",
1725 [NAT44_EI_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1726 [NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF] = "nat44-ei-in2out-hairpinning-handoff-interface-output",
1730 VLIB_NODE_FN (nat44_ei_in2out_slowpath_node)
1731 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
1733 return nat44_ei_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */,
1737 VLIB_REGISTER_NODE (nat44_ei_in2out_slowpath_node) = {
1738 .name = "nat44-ei-in2out-slowpath",
1739 .vector_size = sizeof (u32),
1740 .format_trace = format_nat44_ei_in2out_trace,
1741 .type = VLIB_NODE_TYPE_INTERNAL,
1743 .n_errors = ARRAY_LEN(nat44_ei_in2out_error_strings),
1744 .error_strings = nat44_ei_in2out_error_strings,
1746 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
1748 .n_next_nodes = NAT44_EI_IN2OUT_N_NEXT,
1750 /* edit / add dispositions here */
1752 [NAT44_EI_IN2OUT_NEXT_DROP] = "error-drop",
1753 [NAT44_EI_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1754 [NAT44_EI_IN2OUT_NEXT_SLOW_PATH] = "nat44-ei-in2out-slowpath",
1755 [NAT44_EI_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1756 [NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF] = "nat44-ei-in2out-hairpinning-handoff-ip4-lookup",
1760 VLIB_NODE_FN (nat44_ei_in2out_output_slowpath_node)
1761 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
1763 return nat44_ei_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */,
1767 VLIB_REGISTER_NODE (nat44_ei_in2out_output_slowpath_node) = {
1768 .name = "nat44-ei-in2out-output-slowpath",
1769 .vector_size = sizeof (u32),
1770 .format_trace = format_nat44_ei_in2out_trace,
1771 .type = VLIB_NODE_TYPE_INTERNAL,
1773 .n_errors = ARRAY_LEN(nat44_ei_in2out_error_strings),
1774 .error_strings = nat44_ei_in2out_error_strings,
1776 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
1778 .n_next_nodes = NAT44_EI_IN2OUT_N_NEXT,
1780 /* edit / add dispositions here */
1782 [NAT44_EI_IN2OUT_NEXT_DROP] = "error-drop",
1783 [NAT44_EI_IN2OUT_NEXT_LOOKUP] = "interface-output",
1784 [NAT44_EI_IN2OUT_NEXT_SLOW_PATH] = "nat44-ei-in2out-output-slowpath",
1785 [NAT44_EI_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1786 [NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF] = "nat44-ei-in2out-hairpinning-handoff-interface-output",
1790 VLIB_NODE_FN (nat44_ei_in2out_fast_node)
1791 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
1793 u32 n_left_from, *from, *to_next;
1794 u32 thread_index = vm->thread_index;
1795 nat44_ei_in2out_next_t next_index;
1796 nat44_ei_main_t *nm = &nat44_ei_main;
1797 int is_hairpinning = 0;
1799 from = vlib_frame_vector_args (frame);
1800 n_left_from = frame->n_vectors;
1801 next_index = node->cached_next_index;
1803 while (n_left_from > 0)
1807 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1809 while (n_left_from > 0 && n_left_to_next > 0)
1817 u32 new_addr0, old_addr0;
1818 u16 old_port0, new_port0;
1821 icmp46_header_t *icmp0;
1824 ip4_address_t sm0_addr;
1827 u32 required_thread_index = thread_index;
1829 /* speculatively enqueue b0 to the current next frame */
1835 n_left_to_next -= 1;
1837 b0 = vlib_get_buffer (vm, bi0);
1838 next0 = NAT44_EI_IN2OUT_NEXT_LOOKUP;
1840 ip0 = vlib_buffer_get_current (b0);
1841 udp0 = ip4_next_header (ip0);
1842 tcp0 = (tcp_header_t *) udp0;
1843 icmp0 = (icmp46_header_t *) udp0;
1845 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1847 ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
1849 if (PREDICT_FALSE (ip0->ttl == 1))
1851 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1852 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1853 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1855 next0 = NAT44_EI_IN2OUT_NEXT_ICMP_ERROR;
1859 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1861 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1864 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1866 next0 = nat44_ei_icmp_in2out (b0, ip0, icmp0, sw_if_index0,
1867 rx_fib_index0, node, next0, ~0, 0);
1871 if (nat44_ei_static_mapping_match (
1872 ip0->src_address, udp0->src_port, rx_fib_index0, proto0,
1873 &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0))
1875 b0->error = node->errors[NAT44_EI_IN2OUT_ERROR_NO_TRANSLATION];
1876 next0 = NAT44_EI_IN2OUT_NEXT_DROP;
1880 new_addr0 = sm0_addr.as_u32;
1881 new_port0 = sm0_port;
1882 vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0_fib_index;
1883 old_addr0 = ip0->src_address.as_u32;
1884 ip0->src_address.as_u32 = new_addr0;
1886 sum0 = ip0->checksum;
1887 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1889 src_address /* changed member */ );
1890 ip0->checksum = ip_csum_fold (sum0);
1892 if (PREDICT_FALSE (new_port0 != udp0->dst_port))
1894 old_port0 = udp0->src_port;
1895 udp0->src_port = new_port0;
1897 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1899 sum0 = tcp0->checksum;
1900 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1902 dst_address /* changed member */ );
1903 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1904 ip4_header_t /* cheat */ ,
1905 length /* changed member */ );
1906 mss_clamping (nm->mss_clamping, tcp0, &sum0);
1907 tcp0->checksum = ip_csum_fold (sum0);
1909 else if (udp0->checksum)
1911 sum0 = udp0->checksum;
1912 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1914 dst_address /* changed member */ );
1915 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1916 ip4_header_t /* cheat */ ,
1917 length /* changed member */ );
1918 udp0->checksum = ip_csum_fold (sum0);
1923 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1925 sum0 = tcp0->checksum;
1926 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1928 dst_address /* changed member */ );
1929 mss_clamping (nm->mss_clamping, tcp0, &sum0);
1930 tcp0->checksum = ip_csum_fold (sum0);
1932 else if (udp0->checksum)
1934 sum0 = udp0->checksum;
1935 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1937 dst_address /* changed member */ );
1938 udp0->checksum = ip_csum_fold (sum0);
1943 is_hairpinning = nat44_ei_hairpinning (
1944 vm, node, nm, thread_index, b0, ip0, udp0, tcp0, proto0,
1945 0 /* do_trace */, &required_thread_index);
1947 if (thread_index != required_thread_index)
1949 vnet_buffer (b0)->snat.required_thread_index =
1950 required_thread_index;
1951 next0 = NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF;
1955 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1956 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1958 nat44_ei_in2out_trace_t *t =
1959 vlib_add_trace (vm, node, b0, sizeof (*t));
1960 t->sw_if_index = sw_if_index0;
1961 t->next_index = next0;
1962 t->is_hairpinning = is_hairpinning;
1965 if (next0 != NAT44_EI_IN2OUT_NEXT_DROP)
1968 vlib_increment_simple_counter (
1969 &nm->counters.fastpath.in2out.other, sw_if_index0,
1970 vm->thread_index, 1);
1973 /* verify speculative enqueue, maybe switch current next frame */
1974 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1975 to_next, n_left_to_next,
1979 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1982 return frame->n_vectors;
1985 VLIB_REGISTER_NODE (nat44_ei_in2out_fast_node) = {
1986 .name = "nat44-ei-in2out-fast",
1987 .vector_size = sizeof (u32),
1988 .format_trace = format_nat44_ei_in2out_fast_trace,
1989 .type = VLIB_NODE_TYPE_INTERNAL,
1991 .n_errors = ARRAY_LEN(nat44_ei_in2out_error_strings),
1992 .error_strings = nat44_ei_in2out_error_strings,
1994 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
1996 .n_next_nodes = NAT44_EI_IN2OUT_N_NEXT,
1998 /* edit / add dispositions here */
2000 [NAT44_EI_IN2OUT_NEXT_DROP] = "error-drop",
2001 [NAT44_EI_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2002 [NAT44_EI_IN2OUT_NEXT_SLOW_PATH] = "nat44-ei-in2out-slowpath",
2003 [NAT44_EI_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2004 [NAT44_EI_IN2OUT_NEXT_HAIRPINNING_HANDOFF] = "nat44-ei-in2out-hairpinning-handoff-ip4-lookup",
2008 VLIB_NODE_FN (nat44_ei_in2out_hairpinning_handoff_ip4_lookup_node)
2009 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
2011 return nat44_ei_hairpinning_handoff_fn_inline (
2013 nat44_ei_main.in2out_hairpinning_finish_ip4_lookup_node_fq_index);
2016 VLIB_REGISTER_NODE (nat44_ei_in2out_hairpinning_handoff_ip4_lookup_node) = {
2017 .name = "nat44-ei-in2out-hairpinning-handoff-ip4-lookup",
2018 .vector_size = sizeof (u32),
2019 .n_errors = ARRAY_LEN(nat44_ei_hairpinning_handoff_error_strings),
2020 .error_strings = nat44_ei_hairpinning_handoff_error_strings,
2021 .format_trace = format_nat44_ei_hairpinning_handoff_trace,
2030 VLIB_NODE_FN (nat44_ei_in2out_hairpinning_handoff_interface_output_node)
2031 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
2033 return nat44_ei_hairpinning_handoff_fn_inline (
2035 nat44_ei_main.in2out_hairpinning_finish_interface_output_node_fq_index);
2038 VLIB_REGISTER_NODE (nat44_ei_in2out_hairpinning_handoff_interface_output_node) = {
2039 .name = "nat44-ei-in2out-hairpinning-handoff-interface-output",
2040 .vector_size = sizeof (u32),
2041 .n_errors = ARRAY_LEN(nat44_ei_hairpinning_handoff_error_strings),
2042 .error_strings = nat44_ei_hairpinning_handoff_error_strings,
2043 .format_trace = format_nat44_ei_hairpinning_handoff_trace,
2052 static_always_inline int
2053 nat44_ei_in2out_hairpinning_finish_inline (vlib_main_t *vm,
2054 vlib_node_runtime_t *node,
2055 vlib_frame_t *frame)
2057 u32 n_left_from, *from, *to_next;
2058 u32 thread_index = vm->thread_index;
2059 nat44_ei_in2out_next_t next_index;
2060 nat44_ei_main_t *nm = &nat44_ei_main;
2061 int is_hairpinning = 0;
2063 from = vlib_frame_vector_args (frame);
2064 n_left_from = frame->n_vectors;
2065 next_index = node->cached_next_index;
2067 while (n_left_from > 0)
2071 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2073 while (n_left_from > 0 && n_left_to_next > 0)
2082 icmp46_header_t *icmp0;
2084 u32 required_thread_index = thread_index;
2086 /* speculatively enqueue b0 to the current next frame */
2092 n_left_to_next -= 1;
2094 b0 = vlib_get_buffer (vm, bi0);
2095 next0 = NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_LOOKUP;
2097 ip0 = vlib_buffer_get_current (b0);
2098 udp0 = ip4_next_header (ip0);
2099 tcp0 = (tcp_header_t *) udp0;
2100 icmp0 = (icmp46_header_t *) udp0;
2102 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2103 proto0 = ip_proto_to_nat_proto (ip0->protocol);
2107 case NAT_PROTOCOL_TCP:
2109 case NAT_PROTOCOL_UDP:
2110 is_hairpinning = nat44_ei_hairpinning (
2111 vm, node, nm, thread_index, b0, ip0, udp0, tcp0, proto0,
2112 0 /* do_trace */, &required_thread_index);
2114 case NAT_PROTOCOL_ICMP:
2115 is_hairpinning = (0 == nat44_ei_icmp_hairpinning (
2116 nm, b0, thread_index, ip0, icmp0,
2117 &required_thread_index));
2119 case NAT_PROTOCOL_OTHER:
2120 // this should never happen
2121 next0 = NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_DROP;
2125 if (thread_index != required_thread_index)
2127 // but we already did a handoff ...
2128 next0 = NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_DROP;
2131 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) &&
2132 (b0->flags & VLIB_BUFFER_IS_TRACED)))
2134 nat44_ei_in2out_trace_t *t =
2135 vlib_add_trace (vm, node, b0, sizeof (*t));
2136 t->sw_if_index = sw_if_index0;
2137 t->next_index = next0;
2138 t->is_hairpinning = is_hairpinning;
2141 if (next0 != NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_DROP)
2143 vlib_increment_simple_counter (
2144 &nm->counters.fastpath.in2out.other, sw_if_index0,
2145 vm->thread_index, 1);
2148 /* verify speculative enqueue, maybe switch current next frame */
2149 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
2150 n_left_to_next, bi0, next0);
2153 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2156 return frame->n_vectors;
2159 VLIB_NODE_FN (nat44_ei_in2out_hairpinning_finish_ip4_lookup_node)
2160 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
2162 return nat44_ei_in2out_hairpinning_finish_inline (vm, node, frame);
2165 VLIB_REGISTER_NODE (nat44_ei_in2out_hairpinning_finish_ip4_lookup_node) = {
2166 .name = "nat44-ei-in2out-hairpinning-finish-ip4-lookup",
2167 .vector_size = sizeof (u32),
2168 .format_trace = format_nat44_ei_in2out_fast_trace,
2169 .type = VLIB_NODE_TYPE_INTERNAL,
2171 .n_errors = ARRAY_LEN(nat44_ei_in2out_error_strings),
2172 .error_strings = nat44_ei_in2out_error_strings,
2174 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
2176 .n_next_nodes = NAT44_EI_IN2OUT_HAIRPINNING_FINISH_N_NEXT,
2178 /* edit / add dispositions here */
2180 [NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_DROP] = "error-drop",
2181 [NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_LOOKUP] = "ip4-lookup",
2185 VLIB_NODE_FN (nat44_ei_in2out_hairpinning_finish_interface_output_node)
2186 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
2188 return nat44_ei_in2out_hairpinning_finish_inline (vm, node, frame);
2191 VLIB_REGISTER_NODE (nat44_ei_in2out_hairpinning_finish_interface_output_node) = {
2192 .name = "nat44-ei-in2out-hairpinning-finish-interface-output",
2193 .vector_size = sizeof (u32),
2194 .format_trace = format_nat44_ei_in2out_fast_trace,
2195 .type = VLIB_NODE_TYPE_INTERNAL,
2197 .n_errors = ARRAY_LEN(nat44_ei_in2out_error_strings),
2198 .error_strings = nat44_ei_in2out_error_strings,
2200 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
2202 .n_next_nodes = NAT44_EI_IN2OUT_HAIRPINNING_FINISH_N_NEXT,
2204 /* edit / add dispositions here */
2206 [NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_DROP] = "error-drop",
2207 [NAT44_EI_IN2OUT_HAIRPINNING_FINISH_NEXT_LOOKUP] = "interface-output",
2212 * fd.io coding-style-patch-verification: ON
2215 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob