2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief Classify for one armed NAT44 (in+out interface)
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/fib/ip4_fib.h>
24 #include <nat/nat_reass.h>
25 #include <nat/nat_inlines.h>
27 vlib_node_registration_t nat44_classify_node;
28 vlib_node_registration_t nat44_ed_classify_node;
29 vlib_node_registration_t nat44_det_classify_node;
30 vlib_node_registration_t nat44_handoff_classify_node;
32 #define foreach_nat44_classify_error \
33 _(MAX_REASS, "Maximum reassemblies exceeded") \
34 _(MAX_FRAG, "Maximum fragments per reassembly exceeded") \
35 _(NEXT_IN2OUT, "next in2out") \
36 _(NEXT_OUT2IN, "next out2in") \
37 _(FRAG_CACHED, "fragment cached")
41 #define _(sym,str) NAT44_CLASSIFY_ERROR_##sym,
42 foreach_nat44_classify_error
44 NAT44_CLASSIFY_N_ERROR,
45 } nat44_classify_error_t;
47 static char *nat44_classify_error_strings[] = {
48 #define _(sym,string) string,
49 foreach_nat44_classify_error
55 NAT44_CLASSIFY_NEXT_IN2OUT,
56 NAT44_CLASSIFY_NEXT_OUT2IN,
57 NAT44_CLASSIFY_NEXT_DROP,
58 NAT44_CLASSIFY_N_NEXT,
59 } nat44_classify_next_t;
65 } nat44_classify_trace_t;
68 format_nat44_classify_trace (u8 * s, va_list * args)
70 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
71 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
72 nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *);
76 s = format (s, "nat44-classify: fragment cached");
79 next = t->next_in2out ? "nat44-in2out" : "nat44-out2in";
80 s = format (s, "nat44-classify: next %s", next);
87 nat44_classify_node_fn_inline (vlib_main_t * vm,
88 vlib_node_runtime_t * node,
89 vlib_frame_t * frame, int is_ed)
91 u32 n_left_from, *from, *to_next;
92 nat44_classify_next_t next_index;
93 snat_main_t *sm = &snat_main;
94 snat_static_mapping_t *m;
95 u32 thread_index = vm->thread_index;
96 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
97 u32 *fragments_to_drop = 0;
98 u32 *fragments_to_loopback = 0;
99 u32 next_in2out = 0, next_out2in = 0, frag_cached = 0;
101 from = vlib_frame_vector_args (frame);
102 n_left_from = frame->n_vectors;
103 next_index = node->cached_next_index;
105 while (n_left_from > 0)
109 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
111 while (n_left_from > 0 && n_left_to_next > 0)
115 u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT, sw_if_index0, rx_fib_index0;
118 snat_session_key_t m_key0;
119 clib_bihash_kv_8_8_t kv0, value0;
120 clib_bihash_kv_16_8_t ed_kv0, ed_value0;
122 nat_reass_ip4_t *reass0;
125 /* speculatively enqueue b0 to the current next frame */
133 b0 = vlib_get_buffer (vm, bi0);
134 ip0 = vlib_buffer_get_current (b0);
135 udp0 = ip4_next_header (ip0);
137 if (is_ed && ip0->protocol != IP_PROTOCOL_ICMP)
139 if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
141 /* process leading fragment/whole packet (with L4 header) */
142 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
144 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
146 make_ed_kv (&ed_kv0, &ip0->src_address, &ip0->dst_address,
147 ip0->protocol, rx_fib_index0, udp0->src_port,
149 if (ip4_is_fragment (ip0))
151 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
157 if (PREDICT_FALSE (!reass0))
159 next0 = NAT44_CLASSIFY_NEXT_DROP;
161 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
162 nat_log_notice ("maximum reassemblies exceeded");
165 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0,
168 /* session exists so classify as IN2OUT,
169 * save this information for future fragments and set
170 * past fragments to be looped over and reprocessed */
171 reass0->sess_index = ed_value0.value;
172 reass0->classify_next =
173 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
174 nat_ip4_reass_get_frags (reass0,
175 &fragments_to_loopback);
180 /* session doesn't exist so continue in the code,
181 * save this information for future fragments and set
182 * past fragments to be looped over and reprocessed */
184 NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE;
185 nat_ip4_reass_get_frags (reass0,
186 &fragments_to_loopback);
191 /* process whole packet */
192 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0,
195 /* session doesn't exist so continue in code */
200 /* process non-first fragment */
201 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
207 if (PREDICT_FALSE (!reass0))
209 next0 = NAT44_CLASSIFY_NEXT_DROP;
211 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
212 nat_log_notice ("maximum reassemblies exceeded");
215 /* check if first fragment has arrived */
216 if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE &&
217 !(reass0->flags & NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE))
219 /* first fragment still hasn't arrived, cache this fragment */
220 if (nat_ip4_reass_add_fragment (reass0, bi0,
224 node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
226 ("maximum fragments per reassembly exceeded");
227 next0 = NAT44_CLASSIFY_NEXT_DROP;
233 if (reass0->classify_next ==
234 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
236 /* flag NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE is set
237 * so keep the default next0 and continue in code to
238 * potentially find other classification for this packet */
243 vec_foreach (ap, sm->addresses)
245 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
247 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
253 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
255 m_key0.addr = ip0->dst_address;
258 m_key0.fib_index = 0;
259 kv0.key = m_key0.as_u64;
260 /* try to classify the fragment based on IP header alone */
261 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external,
264 m = pool_elt_at_index (sm->static_mappings, value0.value);
265 if (m->local_addr.as_u32 != m->external_addr.as_u32)
266 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
269 if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
271 /* process leading fragment/whole packet (with L4 header) */
272 m_key0.port = clib_net_to_host_u16 (udp0->dst_port);
273 m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
274 kv0.key = m_key0.as_u64;
275 if (!clib_bihash_search_8_8
276 (&sm->static_mapping_by_external, &kv0, &value0))
279 pool_elt_at_index (sm->static_mappings, value0.value);
280 if (m->local_addr.as_u32 != m->external_addr.as_u32)
281 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
283 if (ip4_is_fragment (ip0))
285 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
291 if (PREDICT_FALSE (!reass0))
293 next0 = NAT44_CLASSIFY_NEXT_DROP;
295 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
296 nat_log_notice ("maximum reassemblies exceeded");
299 /* save classification for future fragments and set past
300 * fragments to be looped over and reprocessed */
301 if (next0 == NAT44_CLASSIFY_NEXT_OUT2IN)
302 reass0->classify_next =
303 NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN;
305 reass0->classify_next =
306 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
307 nat_ip4_reass_get_frags (reass0,
308 &fragments_to_loopback);
313 /* process non-first fragment */
314 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
320 if (PREDICT_FALSE (!reass0))
322 next0 = NAT44_CLASSIFY_NEXT_DROP;
324 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
325 nat_log_notice ("maximum reassemblies exceeded");
328 if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE)
329 /* first fragment still hasn't arrived */
331 if (nat_ip4_reass_add_fragment (reass0, bi0,
335 node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
337 ("maximum fragments per reassembly exceeded");
338 next0 = NAT44_CLASSIFY_NEXT_DROP;
344 else if (reass0->classify_next ==
345 NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN)
346 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
347 else if (reass0->classify_next ==
348 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
349 next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
354 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
355 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
357 nat44_classify_trace_t *t =
358 vlib_add_trace (vm, node, b0, sizeof (*t));
361 t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
372 next_in2out += next0 == NAT44_CLASSIFY_NEXT_IN2OUT;
373 next_out2in += next0 == NAT44_CLASSIFY_NEXT_OUT2IN;
375 /* verify speculative enqueue, maybe switch current next frame */
376 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
377 to_next, n_left_to_next,
381 if (n_left_from == 0 && vec_len (fragments_to_loopback))
383 from = vlib_frame_vector_args (frame);
384 u32 len = vec_len (fragments_to_loopback);
385 if (len <= VLIB_FRAME_SIZE)
387 clib_memcpy_fast (from, fragments_to_loopback,
390 vec_reset_length (fragments_to_loopback);
394 clib_memcpy_fast (from, fragments_to_loopback +
395 (len - VLIB_FRAME_SIZE),
396 sizeof (u32) * VLIB_FRAME_SIZE);
397 n_left_from = VLIB_FRAME_SIZE;
398 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
403 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
406 nat_send_all_to_node (vm, fragments_to_drop, node, 0,
407 NAT44_CLASSIFY_NEXT_DROP);
409 vec_free (fragments_to_drop);
411 vlib_node_increment_counter (vm, node->node_index,
412 NAT44_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
413 vlib_node_increment_counter (vm, node->node_index,
414 NAT44_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
415 vlib_node_increment_counter (vm, node->node_index,
416 NAT44_CLASSIFY_ERROR_FRAG_CACHED, frag_cached);
418 return frame->n_vectors;
422 nat44_classify_node_fn (vlib_main_t * vm,
423 vlib_node_runtime_t * node, vlib_frame_t * frame)
425 return nat44_classify_node_fn_inline (vm, node, frame, 0);
429 VLIB_REGISTER_NODE (nat44_classify_node) = {
430 .function = nat44_classify_node_fn,
431 .name = "nat44-classify",
432 .vector_size = sizeof (u32),
433 .format_trace = format_nat44_classify_trace,
434 .type = VLIB_NODE_TYPE_INTERNAL,
435 .n_errors = ARRAY_LEN(nat44_classify_error_strings),
436 .error_strings = nat44_classify_error_strings,
437 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
439 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out",
440 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in",
441 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
446 VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node, nat44_classify_node_fn);
448 nat44_ed_classify_node_fn (vlib_main_t * vm,
449 vlib_node_runtime_t * node, vlib_frame_t * frame)
451 return nat44_classify_node_fn_inline (vm, node, frame, 1);
455 VLIB_REGISTER_NODE (nat44_ed_classify_node) = {
456 .function = nat44_ed_classify_node_fn,
457 .name = "nat44-ed-classify",
458 .vector_size = sizeof (u32),
459 .format_trace = format_nat44_classify_trace,
460 .type = VLIB_NODE_TYPE_INTERNAL,
461 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
463 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-ed-in2out",
464 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-ed-out2in",
465 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
470 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_classify_node,
471 nat44_ed_classify_node_fn);
474 nat44_det_classify_node_fn (vlib_main_t * vm,
475 vlib_node_runtime_t * node, vlib_frame_t * frame)
477 return nat44_classify_node_fn_inline (vm, node, frame, 0);
481 VLIB_REGISTER_NODE (nat44_det_classify_node) = {
482 .function = nat44_det_classify_node_fn,
483 .name = "nat44-det-classify",
484 .vector_size = sizeof (u32),
485 .format_trace = format_nat44_classify_trace,
486 .type = VLIB_NODE_TYPE_INTERNAL,
487 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
489 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out",
490 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in",
491 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
496 VLIB_NODE_FUNCTION_MULTIARCH (nat44_det_classify_node,
497 nat44_det_classify_node_fn);
500 nat44_handoff_classify_node_fn (vlib_main_t * vm,
501 vlib_node_runtime_t * node,
502 vlib_frame_t * frame)
504 return nat44_classify_node_fn_inline (vm, node, frame, 0);
508 VLIB_REGISTER_NODE (nat44_handoff_classify_node) = {
509 .function = nat44_handoff_classify_node_fn,
510 .name = "nat44-handoff-classify",
511 .vector_size = sizeof (u32),
512 .format_trace = format_nat44_classify_trace,
513 .type = VLIB_NODE_TYPE_INTERNAL,
514 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
516 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff",
517 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff",
518 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
522 VLIB_NODE_FUNCTION_MULTIARCH (nat44_handoff_classify_node,
523 nat44_handoff_classify_node_fn);
527 * fd.io coding-style-patch-verification: ON
530 * eval: (c-set-style "gnu")