2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 EI outside to inside network translation
20 #include <vlib/vlib.h>
22 #include <vnet/vnet.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/udp/udp_local.h>
26 #include <vnet/fib/ip4_fib.h>
28 #include <vppinfra/hash.h>
29 #include <vppinfra/error.h>
31 #include <nat/lib/log.h>
32 #include <nat/lib/nat_syslog.h>
33 #include <nat/lib/ipfix_logging.h>
34 #include <nat/nat44-ei/nat44_ei_inlines.h>
35 #include <nat/nat44-ei/nat44_ei.h>
42 } nat44_ei_out2in_trace_t;
44 /* packet trace format function */
46 format_nat44_ei_out2in_trace (u8 *s, va_list *args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 nat44_ei_out2in_trace_t *t = va_arg (*args, nat44_ei_out2in_trace_t *);
54 "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
55 t->sw_if_index, t->next_index, t->session_index);
59 #define foreach_nat44_ei_out2in_error \
60 _ (UNSUPPORTED_PROTOCOL, "unsupported protocol") \
61 _ (OUT_OF_PORTS, "out of ports") \
62 _ (BAD_ICMP_TYPE, "unsupported ICMP type") \
63 _ (NO_TRANSLATION, "no translation") \
64 _ (MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
65 _ (CANNOT_CREATE_USER, "cannot create NAT user")
69 #define _(sym, str) NAT44_EI_OUT2IN_ERROR_##sym,
70 foreach_nat44_ei_out2in_error
72 NAT44_EI_OUT2IN_N_ERROR,
73 } nat44_ei_out2in_error_t;
75 static char *nat44_ei_out2in_error_strings[] = {
76 #define _(sym,string) string,
77 foreach_nat44_ei_out2in_error
83 NAT44_EI_OUT2IN_NEXT_DROP,
84 NAT44_EI_OUT2IN_NEXT_LOOKUP,
85 NAT44_EI_OUT2IN_NEXT_ICMP_ERROR,
86 NAT44_EI_OUT2IN_N_NEXT,
87 } nat44_ei_out2in_next_t;
89 #ifndef CLIB_MARCH_VARIANT
91 nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
93 nat44_ei_main_t *nm = &nat44_ei_main;
94 nat44_ei_is_idle_session_ctx_t *ctx = arg;
95 nat44_ei_session_t *s;
96 u64 sess_timeout_time;
97 nat44_ei_main_per_thread_data_t *tnm =
98 vec_elt_at_index (nm->per_thread_data, ctx->thread_index);
99 clib_bihash_kv_8_8_t s_kv;
101 if (ctx->thread_index != nat_value_get_thread_index (kv))
106 s = pool_elt_at_index (tnm->sessions, nat_value_get_session_index (kv));
107 sess_timeout_time = s->last_heard + (f64) nat_session_get_timeout (
108 &nm->timeouts, s->nat_proto, s->state);
109 if (ctx->now >= sess_timeout_time)
111 init_nat_i2o_k (&s_kv, s);
112 if (clib_bihash_add_del_8_8 (&nm->in2out, &s_kv, 0))
113 nat_elog_warn (nm, "out2in key del failed");
115 nat_ipfix_logging_nat44_ses_delete (
116 ctx->thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
117 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
118 s->in2out.fib_index);
120 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
121 &s->in2out.addr, s->in2out.port,
122 &s->out2in.addr, s->out2in.port, s->nat_proto);
124 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
125 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
128 if (!nat44_ei_is_session_static (s))
129 nat44_ei_free_outside_address_and_port (
130 nm->addresses, ctx->thread_index, &s->out2in.addr, s->out2in.port,
133 nat44_ei_delete_session (nm, s, ctx->thread_index);
142 * @brief Create session for static mapping.
144 * Create NAT session initiated by host from external network with static
147 * @param nm NAT main.
148 * @param b0 Vlib buffer.
149 * @param in2out In2out NAT44 session key.
150 * @param out2in Out2in NAT44 session key.
151 * @param node Vlib node.
153 * @returns NAT44_EI session if successfully created otherwise 0.
155 static inline nat44_ei_session_t *
156 create_session_for_static_mapping (
157 nat44_ei_main_t *nm, vlib_buffer_t *b0, ip4_address_t i2o_addr, u16 i2o_port,
158 u32 i2o_fib_index, ip4_address_t o2i_addr, u16 o2i_port, u32 o2i_fib_index,
159 nat_protocol_t proto, vlib_node_runtime_t *node, u32 thread_index, f64 now)
162 nat44_ei_session_t *s;
163 clib_bihash_kv_8_8_t kv0;
166 nat44_ei_is_idle_session_ctx_t ctx0;
168 if (PREDICT_FALSE (nat44_ei_maximum_sessions_exceeded (nm, thread_index)))
170 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
171 nat_elog_notice (nm, "maximum sessions exceeded");
175 ip0 = vlib_buffer_get_current (b0);
176 udp0 = ip4_next_header (ip0);
178 u = nat44_ei_user_get_or_create (nm, &i2o_addr, i2o_fib_index, thread_index);
181 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_CANNOT_CREATE_USER];
185 s = nat44_ei_session_alloc_or_recycle (nm, u, thread_index, now);
188 nat44_ei_delete_user_with_no_session (nm, u, thread_index);
189 nat_elog_warn (nm, "create NAT session failed");
193 s->flags |= NAT44_EI_SESSION_FLAG_STATIC_MAPPING;
194 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
195 s->ext_host_port = udp0->src_port;
196 nat44_ei_user_session_increment (nm, u, 1 /* static */);
197 s->in2out.addr = i2o_addr;
198 s->in2out.port = i2o_port;
199 s->in2out.fib_index = i2o_fib_index;
200 s->out2in.addr = o2i_addr;
201 s->out2in.port = o2i_port;
202 s->out2in.fib_index = o2i_fib_index;
203 s->nat_proto = proto;
205 /* Add to translation hashes */
207 ctx0.thread_index = thread_index;
208 init_nat_i2o_kv (&kv0, s, thread_index,
209 s - nm->per_thread_data[thread_index].sessions);
210 if (clib_bihash_add_or_overwrite_stale_8_8 (
211 &nm->in2out, &kv0, nat44_i2o_is_idle_session_cb, &ctx0))
212 nat_elog_notice (nm, "in2out key add failed");
214 init_nat_o2i_kv (&kv0, s, thread_index,
215 s - nm->per_thread_data[thread_index].sessions);
216 if (clib_bihash_add_or_overwrite_stale_8_8 (
217 &nm->out2in, &kv0, nat44_o2i_is_idle_session_cb, &ctx0))
218 nat_elog_notice (nm, "out2in key add failed");
221 nat_ipfix_logging_nat44_ses_create (
222 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32,
223 nat_proto_to_ip_proto (s->nat_proto), s->in2out.port, s->out2in.port,
224 s->in2out.fib_index);
226 nat_syslog_nat44_apmadd (s->user_index, s->in2out.fib_index,
227 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
228 s->out2in.port, s->nat_proto);
230 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
231 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
232 &s->ext_host_nat_addr, s->ext_host_nat_port,
233 s->nat_proto, s->in2out.fib_index, s->flags, thread_index, 0);
238 #ifndef CLIB_MARCH_VARIANT
239 static_always_inline nat44_ei_out2in_error_t
240 icmp_get_key (vlib_buffer_t *b, ip4_header_t *ip0, ip4_address_t *addr,
241 u16 *port, nat_protocol_t *nat_proto)
243 icmp46_header_t *icmp0;
244 icmp_echo_header_t *echo0, *inner_echo0 = 0;
245 ip4_header_t *inner_ip0;
247 icmp46_header_t *inner_icmp0;
249 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
250 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
252 if (!icmp_type_is_error_message
253 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
255 *nat_proto = NAT_PROTOCOL_ICMP;
256 *addr = ip0->dst_address;
257 *port = vnet_buffer (b)->ip.reass.l4_src_port;
261 inner_ip0 = (ip4_header_t *) (echo0 + 1);
262 l4_header = ip4_next_header (inner_ip0);
263 *nat_proto = ip_proto_to_nat_proto (inner_ip0->protocol);
264 *addr = inner_ip0->src_address;
267 case NAT_PROTOCOL_ICMP:
268 inner_icmp0 = (icmp46_header_t *) l4_header;
269 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
270 *port = inner_echo0->identifier;
272 case NAT_PROTOCOL_UDP:
273 case NAT_PROTOCOL_TCP:
274 *port = ((tcp_udp_header_t *) l4_header)->src_port;
277 return NAT44_EI_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
280 return -1; /* success */
284 * Get address and port values to be used for ICMP packet translation
285 * and create session if needed
287 * @param[in,out] nm NAT main
288 * @param[in,out] node NAT node runtime
289 * @param[in] thread_index thread index
290 * @param[in,out] b0 buffer containing packet to be translated
291 * @param[in,out] ip0 ip header
292 * @param[out] p_proto protocol used for matching
293 * @param[out] p_value address and port after NAT translation
294 * @param[out] p_dont_translate if packet should not be translated
295 * @param d optional parameter
296 * @param e optional parameter
299 nat44_ei_icmp_match_out2in_slow (vlib_node_runtime_t *node, u32 thread_index,
300 vlib_buffer_t *b0, ip4_header_t *ip0,
301 ip4_address_t *addr, u16 *port,
302 u32 *fib_index, nat_protocol_t *proto,
303 nat44_ei_session_t **p_s0, u8 *dont_translate)
305 nat44_ei_main_t *nm = &nat44_ei_main;
306 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
308 nat44_ei_session_t *s0 = 0;
309 clib_bihash_kv_8_8_t kv0, value0;
314 vlib_main_t *vm = vlib_get_main ();
317 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
318 *fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
322 err = icmp_get_key (b0, ip0, addr, port, proto);
325 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
326 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
330 ip4_address_t mapping_addr;
332 u32 mapping_fib_index;
334 init_nat_k (&kv0, *addr, *port, *fib_index, *proto);
335 if (clib_bihash_search_8_8 (&nm->out2in, &kv0, &value0))
337 /* Try to match static mapping by external address and port,
338 destination address and port in packet */
339 if (nat44_ei_static_mapping_match (
340 *addr, *port, *fib_index, *proto, &mapping_addr, &mapping_port,
341 &mapping_fib_index, 1, &is_addr_only, &identity_nat))
343 if (!nm->forwarding_enabled)
345 /* Don't NAT packet aimed at the intfc address */
346 if (PREDICT_FALSE (nat44_ei_is_interface_addr (
347 nm->ip4_main, node, sw_if_index0,
348 ip0->dst_address.as_u32)))
353 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_NO_TRANSLATION];
354 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
365 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
367 && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
368 ICMP4_echo_request || !is_addr_only)))
370 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_BAD_ICMP_TYPE];
371 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
375 if (PREDICT_FALSE (identity_nat))
380 /* Create session initiated by host from external network */
381 s0 = create_session_for_static_mapping (
382 nm, b0, mapping_addr, mapping_port, mapping_fib_index, *addr, *port,
383 *fib_index, *proto, node, thread_index, vlib_time_now (vm));
387 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
394 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
396 && vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
398 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
399 reass.icmp_type_or_tcp_flags)))
401 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_BAD_ICMP_TYPE];
402 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
406 s0 = pool_elt_at_index (tnm->sessions,
407 nat_value_get_session_index (&value0));
413 *addr = s0->in2out.addr;
414 *port = s0->in2out.port;
415 *fib_index = s0->in2out.fib_index;
423 #ifndef CLIB_MARCH_VARIANT
425 nat44_ei_icmp_match_out2in_fast (vlib_node_runtime_t *node, u32 thread_index,
426 vlib_buffer_t *b0, ip4_header_t *ip0,
427 ip4_address_t *mapping_addr,
428 u16 *mapping_port, u32 *mapping_fib_index,
429 nat_protocol_t *proto,
430 nat44_ei_session_t **p_s0, u8 *dont_translate)
432 nat44_ei_main_t *nm = &nat44_ei_main;
442 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
443 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
445 err = icmp_get_key (b0, ip0, &addr, &port, proto);
448 b0->error = node->errors[err];
449 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
452 if (nat44_ei_static_mapping_match (addr, port, rx_fib_index0, *proto,
453 mapping_addr, mapping_port,
454 mapping_fib_index, 1, &is_addr_only, 0))
456 /* Don't NAT packet aimed at the intfc address */
457 if (nat44_ei_is_interface_addr (nm->ip4_main, node, sw_if_index0,
458 ip0->dst_address.as_u32))
463 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_NO_TRANSLATION];
464 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
469 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_reply
470 && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
471 ICMP4_echo_request || !is_addr_only)
472 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
473 reass.icmp_type_or_tcp_flags)))
475 b0->error = node->errors[NAT44_EI_OUT2IN_ERROR_BAD_ICMP_TYPE];
476 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
485 u32 nat44_ei_icmp_out2in (vlib_buffer_t *b0, ip4_header_t *ip0,
486 icmp46_header_t *icmp0, u32 sw_if_index0,
487 u32 rx_fib_index0, vlib_node_runtime_t *node,
488 u32 next0, u32 thread_index,
489 nat44_ei_session_t **p_s0);
491 #ifndef CLIB_MARCH_VARIANT
493 nat44_ei_icmp_out2in (vlib_buffer_t *b0, ip4_header_t *ip0,
494 icmp46_header_t *icmp0, u32 sw_if_index0,
495 u32 rx_fib_index0, vlib_node_runtime_t *node, u32 next0,
496 u32 thread_index, nat44_ei_session_t **p_s0)
498 nat44_ei_main_t *nm = &nat44_ei_main;
499 icmp_echo_header_t *echo0, *inner_echo0 = 0;
500 ip4_header_t *inner_ip0 = 0;
502 icmp46_header_t *inner_icmp0;
504 u32 new_addr0, old_addr0;
505 u16 old_id0, new_id0;
509 vlib_main_t *vm = vlib_get_main ();
513 nat_protocol_t proto;
515 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
517 if (PREDICT_TRUE (nm->pat))
519 next0_tmp = nat44_ei_icmp_match_out2in_slow (
520 node, thread_index, b0, ip0, &addr, &port, &fib_index, &proto, p_s0,
525 next0_tmp = nat44_ei_icmp_match_out2in_fast (
526 node, thread_index, b0, ip0, &addr, &port, &fib_index, &proto, p_s0,
532 if (next0 == NAT44_EI_OUT2IN_NEXT_DROP || dont_translate)
535 if (PREDICT_TRUE (!ip4_is_fragment (ip0)))
538 ip_incremental_checksum_buffer (vm, b0,
540 (u8 *) vlib_buffer_get_current (b0),
541 ntohs (ip0->length) -
542 ip4_header_bytes (ip0), 0);
543 checksum0 = ~ip_csum_fold (sum0);
544 if (checksum0 != 0 && checksum0 != 0xffff)
546 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
551 old_addr0 = ip0->dst_address.as_u32;
552 new_addr0 = ip0->dst_address.as_u32 = addr.as_u32;
553 vnet_buffer (b0)->sw_if_index[VLIB_TX] = fib_index;
555 sum0 = ip0->checksum;
556 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
557 dst_address /* changed member */ );
558 ip0->checksum = ip_csum_fold (sum0);
561 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
563 if (icmp0->checksum == 0)
564 icmp0->checksum = 0xffff;
566 if (!icmp_type_is_error_message (icmp0->type))
569 if (PREDICT_FALSE (new_id0 != echo0->identifier))
571 old_id0 = echo0->identifier;
573 echo0->identifier = new_id0;
575 sum0 = icmp0->checksum;
577 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
578 identifier /* changed member */ );
579 icmp0->checksum = ip_csum_fold (sum0);
584 inner_ip0 = (ip4_header_t *) (echo0 + 1);
585 l4_header = ip4_next_header (inner_ip0);
587 if (!ip4_header_checksum_is_valid (inner_ip0))
589 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
593 old_addr0 = inner_ip0->src_address.as_u32;
594 inner_ip0->src_address = addr;
595 new_addr0 = inner_ip0->src_address.as_u32;
597 sum0 = icmp0->checksum;
598 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
599 src_address /* changed member */ );
600 icmp0->checksum = ip_csum_fold (sum0);
604 case NAT_PROTOCOL_ICMP:
605 inner_icmp0 = (icmp46_header_t *) l4_header;
606 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
608 old_id0 = inner_echo0->identifier;
610 inner_echo0->identifier = new_id0;
612 sum0 = icmp0->checksum;
614 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
616 icmp0->checksum = ip_csum_fold (sum0);
618 case NAT_PROTOCOL_UDP:
619 case NAT_PROTOCOL_TCP:
620 old_id0 = ((tcp_udp_header_t *) l4_header)->src_port;
622 ((tcp_udp_header_t *) l4_header)->src_port = new_id0;
624 sum0 = icmp0->checksum;
625 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
627 icmp0->checksum = ip_csum_fold (sum0);
641 nat44_ei_icmp_out2in_slow_path (nat44_ei_main_t *nm, vlib_buffer_t *b0,
642 ip4_header_t *ip0, icmp46_header_t *icmp0,
643 u32 sw_if_index0, u32 rx_fib_index0,
644 vlib_node_runtime_t *node, u32 next0, f64 now,
645 u32 thread_index, nat44_ei_session_t **p_s0)
647 vlib_main_t *vm = vlib_get_main ();
649 next0 = nat44_ei_icmp_out2in (b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
650 node, next0, thread_index, p_s0);
651 nat44_ei_session_t *s0 = *p_s0;
652 if (PREDICT_TRUE (next0 != NAT44_EI_OUT2IN_NEXT_DROP && s0))
655 nat44_ei_session_update_counters (
656 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
657 /* Per-user LRU list maintenance */
658 nat44_ei_session_update_lru (nm, s0, thread_index);
664 nat_out2in_sm_unknown_proto (nat44_ei_main_t *nm, vlib_buffer_t *b,
665 ip4_header_t *ip, u32 rx_fib_index)
667 clib_bihash_kv_8_8_t kv, value;
668 nat44_ei_static_mapping_t *m;
669 u32 old_addr, new_addr;
672 init_nat_k (&kv, ip->dst_address, 0, 0, 0);
673 if (clib_bihash_search_8_8 (&nm->static_mapping_by_external, &kv, &value))
676 m = pool_elt_at_index (nm->static_mappings, value.value);
678 old_addr = ip->dst_address.as_u32;
679 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
681 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
682 ip->checksum = ip_csum_fold (sum);
684 vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index;
688 VLIB_NODE_FN (nat44_ei_out2in_node)
689 (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame)
691 u32 n_left_from, *from;
692 nat44_ei_main_t *nm = &nat44_ei_main;
693 f64 now = vlib_time_now (vm);
694 u32 thread_index = vm->thread_index;
695 nat44_ei_main_per_thread_data_t *tnm = &nm->per_thread_data[thread_index];
697 from = vlib_frame_vector_args (frame);
698 n_left_from = frame->n_vectors;
700 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
701 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
702 vlib_get_buffers (vm, from, b, n_left_from);
704 while (n_left_from >= 2)
706 vlib_buffer_t *b0, *b1;
707 u32 next0 = NAT44_EI_OUT2IN_NEXT_LOOKUP;
708 u32 next1 = NAT44_EI_OUT2IN_NEXT_LOOKUP;
709 u32 sw_if_index0, sw_if_index1;
710 ip4_header_t *ip0, *ip1;
711 ip_csum_t sum0, sum1;
712 u32 new_addr0, old_addr0;
713 u16 new_port0, old_port0;
714 u32 new_addr1, old_addr1;
715 u16 new_port1, old_port1;
716 udp_header_t *udp0, *udp1;
717 tcp_header_t *tcp0, *tcp1;
718 icmp46_header_t *icmp0, *icmp1;
719 u32 rx_fib_index0, rx_fib_index1;
721 nat44_ei_session_t *s0 = 0, *s1 = 0;
722 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
723 u8 identity_nat0, identity_nat1;
724 ip4_address_t sm_addr0, sm_addr1;
725 u16 sm_port0, sm_port1;
726 u32 sm_fib_index0, sm_fib_index1;
733 /* Prefetch next iteration. */
734 if (PREDICT_TRUE (n_left_from >= 4))
736 vlib_buffer_t *p2, *p3;
741 vlib_prefetch_buffer_header (p2, LOAD);
742 vlib_prefetch_buffer_header (p3, LOAD);
744 clib_prefetch_load (p2->data);
745 clib_prefetch_load (p3->data);
748 vnet_buffer (b0)->snat.flags = 0;
749 vnet_buffer (b1)->snat.flags = 0;
751 ip0 = vlib_buffer_get_current (b0);
752 udp0 = ip4_next_header (ip0);
753 tcp0 = (tcp_header_t *) udp0;
754 icmp0 = (icmp46_header_t *) udp0;
756 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
758 vec_elt (nm->ip4_main->fib_index_by_sw_if_index, sw_if_index0);
760 if (PREDICT_FALSE (ip0->ttl == 1))
762 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
763 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
764 ICMP4_time_exceeded_ttl_exceeded_in_transit,
766 next0 = NAT44_EI_OUT2IN_NEXT_ICMP_ERROR;
770 proto0 = ip_proto_to_nat_proto (ip0->protocol);
772 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
774 if (nat_out2in_sm_unknown_proto (nm, b0, ip0, rx_fib_index0))
776 if (!nm->forwarding_enabled)
779 node->errors[NAT44_EI_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
780 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
783 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.other,
784 thread_index, sw_if_index0, 1);
789 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
791 next0 = nat44_ei_icmp_out2in_slow_path (
792 nm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, next0, now,
794 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.icmp,
795 thread_index, sw_if_index0, 1);
799 init_nat_k (&kv0, ip0->dst_address,
800 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
802 if (clib_bihash_search_8_8 (&nm->out2in, &kv0, &value0))
804 /* Try to match static mapping by external address and port,
805 destination address and port in packet */
806 if (nat44_ei_static_mapping_match (
807 ip0->dst_address, vnet_buffer (b0)->ip.reass.l4_dst_port,
808 rx_fib_index0, proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1,
812 * Send DHCP packets to the ipv4 stack, or we won't
813 * be able to use dhcp client on the outside interface
816 (proto0 == NAT_PROTOCOL_UDP
817 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
818 clib_host_to_net_u16 (UDP_DST_PORT_dhcp_to_client))))
820 vnet_feature_next (&next0, b0);
824 if (!nm->forwarding_enabled)
827 node->errors[NAT44_EI_OUT2IN_ERROR_NO_TRANSLATION];
828 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
833 if (PREDICT_FALSE (identity_nat0))
836 /* Create session initiated by host from external network */
837 s0 = create_session_for_static_mapping (
838 nm, b0, sm_addr0, sm_port0, sm_fib_index0, ip0->dst_address,
839 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0, proto0,
840 node, thread_index, now);
843 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
848 s0 = pool_elt_at_index (tnm->sessions,
849 nat_value_get_session_index (&value0));
851 old_addr0 = ip0->dst_address.as_u32;
852 ip0->dst_address = s0->in2out.addr;
853 new_addr0 = ip0->dst_address.as_u32;
854 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
856 sum0 = ip0->checksum;
857 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
858 ip4_header_t, dst_address /* changed member */ );
859 ip0->checksum = ip_csum_fold (sum0);
861 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
863 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
865 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
866 new_port0 = udp0->dst_port = s0->in2out.port;
867 sum0 = tcp0->checksum;
868 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
870 dst_address /* changed member */ );
872 sum0 = ip_csum_update (sum0, old_port0, new_port0,
873 ip4_header_t /* cheat */ ,
874 length /* changed member */ );
875 tcp0->checksum = ip_csum_fold (sum0);
877 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.tcp,
878 thread_index, sw_if_index0, 1);
882 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
884 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
885 new_port0 = udp0->dst_port = s0->in2out.port;
886 if (PREDICT_FALSE (udp0->checksum))
888 sum0 = udp0->checksum;
889 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
892 ip_csum_update (sum0, old_port0, new_port0,
893 ip4_header_t /* cheat */ ,
894 length /* changed member */ );
895 udp0->checksum = ip_csum_fold (sum0);
898 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.udp,
899 thread_index, sw_if_index0, 1);
903 nat44_ei_session_update_counters (
904 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
905 /* Per-user LRU list maintenance */
906 nat44_ei_session_update_lru (nm, s0, thread_index);
909 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
910 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
912 nat44_ei_out2in_trace_t *t =
913 vlib_add_trace (vm, node, b0, sizeof (*t));
914 t->sw_if_index = sw_if_index0;
915 t->next_index = next0;
916 t->session_index = ~0;
918 t->session_index = s0 - nm->per_thread_data[thread_index].sessions;
921 if (next0 == NAT44_EI_OUT2IN_NEXT_DROP)
923 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.drops,
924 thread_index, sw_if_index0, 1);
928 ip1 = vlib_buffer_get_current (b1);
929 udp1 = ip4_next_header (ip1);
930 tcp1 = (tcp_header_t *) udp1;
931 icmp1 = (icmp46_header_t *) udp1;
933 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
935 vec_elt (nm->ip4_main->fib_index_by_sw_if_index, sw_if_index1);
937 if (PREDICT_FALSE (ip1->ttl == 1))
939 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
940 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
941 ICMP4_time_exceeded_ttl_exceeded_in_transit,
943 next1 = NAT44_EI_OUT2IN_NEXT_ICMP_ERROR;
947 proto1 = ip_proto_to_nat_proto (ip1->protocol);
949 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_OTHER))
951 if (nat_out2in_sm_unknown_proto (nm, b1, ip1, rx_fib_index1))
953 if (!nm->forwarding_enabled)
956 node->errors[NAT44_EI_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
957 next1 = NAT44_EI_OUT2IN_NEXT_DROP;
960 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.other,
961 thread_index, sw_if_index1, 1);
965 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_ICMP))
967 next1 = nat44_ei_icmp_out2in_slow_path (
968 nm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, next1, now,
970 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.icmp,
971 thread_index, sw_if_index1, 1);
975 init_nat_k (&kv1, ip1->dst_address,
976 vnet_buffer (b1)->ip.reass.l4_dst_port, rx_fib_index1,
978 if (clib_bihash_search_8_8 (&nm->out2in, &kv1, &value1))
980 /* Try to match static mapping by external address and port,
981 destination address and port in packet */
982 if (nat44_ei_static_mapping_match (
983 ip1->dst_address, vnet_buffer (b1)->ip.reass.l4_dst_port,
984 rx_fib_index1, proto1, &sm_addr1, &sm_port1, &sm_fib_index1, 1,
988 * Send DHCP packets to the ipv4 stack, or we won't
989 * be able to use dhcp client on the outside interface
992 (proto1 == NAT_PROTOCOL_UDP
993 && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
994 clib_host_to_net_u16 (UDP_DST_PORT_dhcp_to_client))))
996 vnet_feature_next (&next1, b1);
1000 if (!nm->forwarding_enabled)
1003 node->errors[NAT44_EI_OUT2IN_ERROR_NO_TRANSLATION];
1004 next1 = NAT44_EI_OUT2IN_NEXT_DROP;
1009 if (PREDICT_FALSE (identity_nat1))
1012 /* Create session initiated by host from external network */
1013 s1 = create_session_for_static_mapping (
1014 nm, b1, sm_addr1, sm_port1, sm_fib_index1, ip1->dst_address,
1015 vnet_buffer (b1)->ip.reass.l4_dst_port, rx_fib_index1, proto1,
1016 node, thread_index, now);
1019 next1 = NAT44_EI_OUT2IN_NEXT_DROP;
1024 s1 = pool_elt_at_index (nm->per_thread_data[thread_index].sessions,
1025 nat_value_get_session_index (&value1));
1027 old_addr1 = ip1->dst_address.as_u32;
1028 ip1->dst_address = s1->in2out.addr;
1029 new_addr1 = ip1->dst_address.as_u32;
1030 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1032 sum1 = ip1->checksum;
1033 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1034 ip4_header_t, dst_address /* changed member */ );
1035 ip1->checksum = ip_csum_fold (sum1);
1037 if (PREDICT_TRUE (proto1 == NAT_PROTOCOL_TCP))
1039 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1041 old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
1042 new_port1 = udp1->dst_port = s1->in2out.port;
1044 sum1 = tcp1->checksum;
1045 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1047 dst_address /* changed member */ );
1049 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1050 ip4_header_t /* cheat */ ,
1051 length /* changed member */ );
1052 tcp1->checksum = ip_csum_fold (sum1);
1054 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.tcp,
1055 thread_index, sw_if_index1, 1);
1059 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1061 old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
1062 new_port1 = udp1->dst_port = s1->in2out.port;
1063 if (PREDICT_FALSE (udp1->checksum))
1066 sum1 = udp1->checksum;
1068 ip_csum_update (sum1, old_addr1, new_addr1,
1070 dst_address /* changed member */ );
1072 ip_csum_update (sum1, old_port1, new_port1,
1073 ip4_header_t /* cheat */ ,
1074 length /* changed member */ );
1075 udp1->checksum = ip_csum_fold (sum1);
1078 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.udp,
1079 thread_index, sw_if_index1, 1);
1083 nat44_ei_session_update_counters (
1084 s1, now, vlib_buffer_length_in_chain (vm, b1), thread_index);
1085 /* Per-user LRU list maintenance */
1086 nat44_ei_session_update_lru (nm, s1, thread_index);
1089 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1090 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1092 nat44_ei_out2in_trace_t *t =
1093 vlib_add_trace (vm, node, b1, sizeof (*t));
1094 t->sw_if_index = sw_if_index1;
1095 t->next_index = next1;
1096 t->session_index = ~0;
1098 t->session_index = s1 - nm->per_thread_data[thread_index].sessions;
1101 if (next1 == NAT44_EI_OUT2IN_NEXT_DROP)
1103 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.drops,
1104 thread_index, sw_if_index1, 1);
1113 while (n_left_from > 0)
1116 u32 next0 = NAT44_EI_OUT2IN_NEXT_LOOKUP;
1120 u32 new_addr0, old_addr0;
1121 u16 new_port0, old_port0;
1124 icmp46_header_t *icmp0;
1127 nat44_ei_session_t *s0 = 0;
1128 clib_bihash_kv_8_8_t kv0, value0;
1130 ip4_address_t sm_addr0;
1137 vnet_buffer (b0)->snat.flags = 0;
1139 ip0 = vlib_buffer_get_current (b0);
1140 udp0 = ip4_next_header (ip0);
1141 tcp0 = (tcp_header_t *) udp0;
1142 icmp0 = (icmp46_header_t *) udp0;
1144 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1146 vec_elt (nm->ip4_main->fib_index_by_sw_if_index, sw_if_index0);
1148 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1150 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1152 if (nat_out2in_sm_unknown_proto (nm, b0, ip0, rx_fib_index0))
1154 if (!nm->forwarding_enabled)
1157 node->errors[NAT44_EI_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1158 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
1161 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.other,
1162 thread_index, sw_if_index0, 1);
1166 if (PREDICT_FALSE (ip0->ttl == 1))
1168 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1169 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1170 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1172 next0 = NAT44_EI_OUT2IN_NEXT_ICMP_ERROR;
1176 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1178 next0 = nat44_ei_icmp_out2in_slow_path (
1179 nm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, next0, now,
1181 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.icmp,
1182 thread_index, sw_if_index0, 1);
1186 init_nat_k (&kv0, ip0->dst_address,
1187 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
1190 if (clib_bihash_search_8_8 (&nm->out2in, &kv0, &value0))
1192 /* Try to match static mapping by external address and port,
1193 destination address and port in packet */
1194 if (nat44_ei_static_mapping_match (
1195 ip0->dst_address, vnet_buffer (b0)->ip.reass.l4_dst_port,
1196 rx_fib_index0, proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1,
1200 * Send DHCP packets to the ipv4 stack, or we won't
1201 * be able to use dhcp client on the outside interface
1204 (proto0 == NAT_PROTOCOL_UDP
1205 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1206 clib_host_to_net_u16 (UDP_DST_PORT_dhcp_to_client))))
1208 vnet_feature_next (&next0, b0);
1212 if (!nm->forwarding_enabled)
1215 node->errors[NAT44_EI_OUT2IN_ERROR_NO_TRANSLATION];
1216 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
1221 if (PREDICT_FALSE (identity_nat0))
1224 /* Create session initiated by host from external network */
1225 s0 = create_session_for_static_mapping (
1226 nm, b0, sm_addr0, sm_port0, sm_fib_index0, ip0->dst_address,
1227 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0, proto0,
1228 node, thread_index, now);
1231 next0 = NAT44_EI_OUT2IN_NEXT_DROP;
1236 s0 = pool_elt_at_index (nm->per_thread_data[thread_index].sessions,
1237 nat_value_get_session_index (&value0));
1239 old_addr0 = ip0->dst_address.as_u32;
1240 ip0->dst_address = s0->in2out.addr;
1241 new_addr0 = ip0->dst_address.as_u32;
1242 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1244 sum0 = ip0->checksum;
1245 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1246 ip4_header_t, dst_address /* changed member */ );
1247 ip0->checksum = ip_csum_fold (sum0);
1249 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1251 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1253 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1254 new_port0 = udp0->dst_port = s0->in2out.port;
1256 sum0 = tcp0->checksum;
1257 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1259 dst_address /* changed member */ );
1261 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1262 ip4_header_t /* cheat */ ,
1263 length /* changed member */ );
1264 tcp0->checksum = ip_csum_fold (sum0);
1266 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.tcp,
1267 thread_index, sw_if_index0, 1);
1271 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1273 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1274 new_port0 = udp0->dst_port = s0->in2out.port;
1275 if (PREDICT_FALSE (udp0->checksum))
1277 sum0 = udp0->checksum;
1278 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
1281 ip_csum_update (sum0, old_port0, new_port0,
1282 ip4_header_t /* cheat */ ,
1283 length /* changed member */ );
1284 udp0->checksum = ip_csum_fold (sum0);
1287 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.udp,
1288 thread_index, sw_if_index0, 1);
1292 nat44_ei_session_update_counters (
1293 s0, now, vlib_buffer_length_in_chain (vm, b0), thread_index);
1294 /* Per-user LRU list maintenance */
1295 nat44_ei_session_update_lru (nm, s0, thread_index);
1298 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1299 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1301 nat44_ei_out2in_trace_t *t =
1302 vlib_add_trace (vm, node, b0, sizeof (*t));
1303 t->sw_if_index = sw_if_index0;
1304 t->next_index = next0;
1305 t->session_index = ~0;
1307 t->session_index = s0 - nm->per_thread_data[thread_index].sessions;
1310 if (next0 == NAT44_EI_OUT2IN_NEXT_DROP)
1312 vlib_increment_simple_counter (&nm->counters.slowpath.out2in.drops,
1313 thread_index, sw_if_index0, 1);
1321 vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
1324 return frame->n_vectors;
1327 VLIB_REGISTER_NODE (nat44_ei_out2in_node) = {
1328 .name = "nat44-ei-out2in",
1329 .vector_size = sizeof (u32),
1330 .format_trace = format_nat44_ei_out2in_trace,
1331 .type = VLIB_NODE_TYPE_INTERNAL,
1333 .n_errors = ARRAY_LEN(nat44_ei_out2in_error_strings),
1334 .error_strings = nat44_ei_out2in_error_strings,
1336 .runtime_data_bytes = sizeof (nat44_ei_runtime_t),
1338 .n_next_nodes = NAT44_EI_OUT2IN_N_NEXT,
1340 /* edit / add dispositions here */
1342 [NAT44_EI_OUT2IN_NEXT_DROP] = "error-drop",
1343 [NAT44_EI_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1344 [NAT44_EI_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1349 * fd.io coding-style-patch-verification: ON
1352 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob