2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief Classify for one armed NAT44 (in+out interface)
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/fib/ip4_fib.h>
24 #include <nat/nat_inlines.h>
26 #define foreach_nat44_classify_error \
27 _(NEXT_IN2OUT, "next in2out") \
28 _(NEXT_OUT2IN, "next out2in") \
29 _(FRAG_CACHED, "fragment cached")
33 #define _(sym,str) NAT44_CLASSIFY_ERROR_##sym,
34 foreach_nat44_classify_error
36 NAT44_CLASSIFY_N_ERROR,
37 } nat44_classify_error_t;
39 static char *nat44_classify_error_strings[] = {
40 #define _(sym,string) string,
41 foreach_nat44_classify_error
47 NAT44_CLASSIFY_NEXT_IN2OUT,
48 NAT44_CLASSIFY_NEXT_OUT2IN,
49 NAT44_CLASSIFY_NEXT_DROP,
50 NAT44_CLASSIFY_N_NEXT,
51 } nat44_classify_next_t;
57 } nat44_classify_trace_t;
60 format_nat44_classify_trace (u8 * s, va_list * args)
62 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
63 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
64 nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *);
68 s = format (s, "nat44-classify: fragment cached");
71 next = t->next_in2out ? "nat44-in2out" : "nat44-out2in";
72 s = format (s, "nat44-classify: next %s", next);
79 nat44_classify_node_fn_inline (vlib_main_t * vm,
80 vlib_node_runtime_t * node,
83 u32 n_left_from, *from, *to_next;
84 nat44_classify_next_t next_index;
85 snat_main_t *sm = &snat_main;
86 snat_static_mapping_t *m;
87 u32 next_in2out = 0, next_out2in = 0;
89 from = vlib_frame_vector_args (frame);
90 n_left_from = frame->n_vectors;
91 next_index = node->cached_next_index;
93 while (n_left_from > 0)
97 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
99 while (n_left_from > 0 && n_left_to_next > 0)
103 u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
106 clib_bihash_kv_8_8_t kv0, value0;
108 /* speculatively enqueue b0 to the current next frame */
116 b0 = vlib_get_buffer (vm, bi0);
117 ip0 = vlib_buffer_get_current (b0);
120 vec_foreach (ap, sm->addresses)
122 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
124 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
130 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
132 init_nat_k (&kv0, ip0->dst_address, 0, 0, 0);
133 /* try to classify the fragment based on IP header alone */
134 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external,
137 m = pool_elt_at_index (sm->static_mappings, value0.value);
138 if (m->local_addr.as_u32 != m->external_addr.as_u32)
139 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
142 init_nat_k (&kv0, ip0->dst_address,
143 vnet_buffer (b0)->ip.reass.l4_dst_port, 0,
144 ip_proto_to_nat_proto (ip0->protocol));
145 if (!clib_bihash_search_8_8
146 (&sm->static_mapping_by_external, &kv0, &value0))
148 m = pool_elt_at_index (sm->static_mappings, value0.value);
149 if (m->local_addr.as_u32 != m->external_addr.as_u32)
150 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
155 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
156 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
158 nat44_classify_trace_t *t =
159 vlib_add_trace (vm, node, b0, sizeof (*t));
161 t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
164 next_in2out += next0 == NAT44_CLASSIFY_NEXT_IN2OUT;
165 next_out2in += next0 == NAT44_CLASSIFY_NEXT_OUT2IN;
167 /* verify speculative enqueue, maybe switch current next frame */
168 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
169 to_next, n_left_to_next,
173 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
176 vlib_node_increment_counter (vm, node->node_index,
177 NAT44_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
178 vlib_node_increment_counter (vm, node->node_index,
179 NAT44_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
180 return frame->n_vectors;
184 nat44_handoff_classify_node_fn_inline (vlib_main_t * vm,
185 vlib_node_runtime_t * node,
186 vlib_frame_t * frame)
188 u32 n_left_from, *from, *to_next;
189 nat44_classify_next_t next_index;
190 snat_main_t *sm = &snat_main;
191 snat_static_mapping_t *m;
192 u32 next_in2out = 0, next_out2in = 0;
194 from = vlib_frame_vector_args (frame);
195 n_left_from = frame->n_vectors;
196 next_index = node->cached_next_index;
198 while (n_left_from > 0)
202 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
204 while (n_left_from > 0 && n_left_to_next > 0)
208 u32 next0 = NAT_NEXT_IN2OUT_CLASSIFY;
211 clib_bihash_kv_8_8_t kv0, value0;
213 /* speculatively enqueue b0 to the current next frame */
221 b0 = vlib_get_buffer (vm, bi0);
222 ip0 = vlib_buffer_get_current (b0);
225 vec_foreach (ap, sm->addresses)
227 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
229 next0 = NAT_NEXT_OUT2IN_CLASSIFY;
235 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
237 init_nat_k (&kv0, ip0->dst_address, 0, 0, 0);
238 /* try to classify the fragment based on IP header alone */
239 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external,
242 m = pool_elt_at_index (sm->static_mappings, value0.value);
243 if (m->local_addr.as_u32 != m->external_addr.as_u32)
244 next0 = NAT_NEXT_OUT2IN_CLASSIFY;
247 init_nat_k (&kv0, ip0->dst_address,
248 vnet_buffer (b0)->ip.reass.l4_dst_port, 0,
249 ip_proto_to_nat_proto (ip0->protocol));
250 if (!clib_bihash_search_8_8
251 (&sm->static_mapping_by_external, &kv0, &value0))
253 m = pool_elt_at_index (sm->static_mappings, value0.value);
254 if (m->local_addr.as_u32 != m->external_addr.as_u32)
255 next0 = NAT_NEXT_OUT2IN_CLASSIFY;
260 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
261 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
263 nat44_classify_trace_t *t =
264 vlib_add_trace (vm, node, b0, sizeof (*t));
266 t->next_in2out = next0 == NAT_NEXT_IN2OUT_CLASSIFY ? 1 : 0;
269 next_in2out += next0 == NAT_NEXT_IN2OUT_CLASSIFY;
270 next_out2in += next0 == NAT_NEXT_OUT2IN_CLASSIFY;
272 /* verify speculative enqueue, maybe switch current next frame */
273 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
274 to_next, n_left_to_next,
278 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
281 vlib_node_increment_counter (vm, node->node_index,
282 NAT44_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
283 vlib_node_increment_counter (vm, node->node_index,
284 NAT44_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
285 return frame->n_vectors;
289 nat44_ed_classify_node_fn_inline (vlib_main_t * vm,
290 vlib_node_runtime_t * node,
291 vlib_frame_t * frame)
293 u32 n_left_from, *from, *to_next;
294 nat44_classify_next_t next_index;
295 snat_main_t *sm = &snat_main;
296 snat_static_mapping_t *m;
297 u32 thread_index = vm->thread_index;
298 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
299 u32 next_in2out = 0, next_out2in = 0;
301 from = vlib_frame_vector_args (frame);
302 n_left_from = frame->n_vectors;
303 next_index = node->cached_next_index;
305 while (n_left_from > 0)
309 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
311 while (n_left_from > 0 && n_left_to_next > 0)
315 u32 next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
316 u32 sw_if_index0, rx_fib_index0;
319 clib_bihash_kv_8_8_t kv0, value0;
320 clib_bihash_kv_16_8_t ed_kv0, ed_value0;
322 /* speculatively enqueue b0 to the current next frame */
330 b0 = vlib_get_buffer (vm, bi0);
331 ip0 = vlib_buffer_get_current (b0);
334 vnet_feature_next (&arc_next, b0);
335 vnet_buffer2 (b0)->nat.arc_next = arc_next;
337 if (ip0->protocol != IP_PROTOCOL_ICMP)
339 /* process leading fragment/whole packet (with L4 header) */
340 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
342 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
344 init_ed_k (&ed_kv0, ip0->src_address,
345 vnet_buffer (b0)->ip.reass.l4_src_port,
347 vnet_buffer (b0)->ip.reass.l4_dst_port,
348 rx_fib_index0, ip0->protocol);
349 /* process whole packet */
350 if (!clib_bihash_search_16_8
351 (&tsm->in2out_ed, &ed_kv0, &ed_value0))
353 /* session doesn't exist so continue in code */
357 vec_foreach (ap, sm->addresses)
359 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
361 next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
367 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
369 init_nat_k (&kv0, ip0->dst_address, 0, 0, 0);
370 /* try to classify the fragment based on IP header alone */
371 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external,
374 m = pool_elt_at_index (sm->static_mappings, value0.value);
375 if (m->local_addr.as_u32 != m->external_addr.as_u32)
376 next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
379 init_nat_k (&kv0, ip0->dst_address,
380 vnet_buffer (b0)->ip.reass.l4_dst_port, 0,
381 ip_proto_to_nat_proto (ip0->protocol));
382 if (!clib_bihash_search_8_8
383 (&sm->static_mapping_by_external, &kv0, &value0))
385 m = pool_elt_at_index (sm->static_mappings, value0.value);
386 if (m->local_addr.as_u32 != m->external_addr.as_u32)
387 next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
392 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
393 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
395 nat44_classify_trace_t *t =
396 vlib_add_trace (vm, node, b0, sizeof (*t));
398 t->next_in2out = next0 == NAT_NEXT_IN2OUT_ED_FAST_PATH ? 1 : 0;
401 next_in2out += next0 == NAT_NEXT_IN2OUT_ED_FAST_PATH;
402 next_out2in += next0 == NAT_NEXT_OUT2IN_ED_FAST_PATH;
404 /* verify speculative enqueue, maybe switch current next frame */
405 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
406 to_next, n_left_to_next,
410 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
413 vlib_node_increment_counter (vm, node->node_index,
414 NAT44_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
415 vlib_node_increment_counter (vm, node->node_index,
416 NAT44_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
417 return frame->n_vectors;
420 VLIB_NODE_FN (nat44_classify_node) (vlib_main_t * vm,
421 vlib_node_runtime_t * node,
422 vlib_frame_t * frame)
424 return nat44_classify_node_fn_inline (vm, node, frame);
428 VLIB_REGISTER_NODE (nat44_classify_node) = {
429 .name = "nat44-classify",
430 .vector_size = sizeof (u32),
431 .format_trace = format_nat44_classify_trace,
432 .type = VLIB_NODE_TYPE_INTERNAL,
433 .n_errors = ARRAY_LEN(nat44_classify_error_strings),
434 .error_strings = nat44_classify_error_strings,
435 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
437 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out",
438 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in",
439 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
444 VLIB_NODE_FN (nat44_ed_classify_node) (vlib_main_t * vm,
445 vlib_node_runtime_t * node,
446 vlib_frame_t * frame)
448 return nat44_ed_classify_node_fn_inline (vm, node, frame);
452 VLIB_REGISTER_NODE (nat44_ed_classify_node) = {
453 .name = "nat44-ed-classify",
454 .vector_size = sizeof (u32),
455 .sibling_of = "nat-default",
456 .format_trace = format_nat44_classify_trace,
457 .type = VLIB_NODE_TYPE_INTERNAL,
461 VLIB_NODE_FN (nat44_det_classify_node) (vlib_main_t * vm,
462 vlib_node_runtime_t * node,
463 vlib_frame_t * frame)
465 return nat44_classify_node_fn_inline (vm, node, frame);
469 VLIB_REGISTER_NODE (nat44_det_classify_node) = {
470 .name = "nat44-det-classify",
471 .vector_size = sizeof (u32),
472 .format_trace = format_nat44_classify_trace,
473 .type = VLIB_NODE_TYPE_INTERNAL,
474 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
476 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out",
477 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in",
478 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
483 VLIB_NODE_FN (nat44_handoff_classify_node) (vlib_main_t * vm,
484 vlib_node_runtime_t * node,
485 vlib_frame_t * frame)
487 return nat44_handoff_classify_node_fn_inline (vm, node, frame);
491 VLIB_REGISTER_NODE (nat44_handoff_classify_node) = {
492 .name = "nat44-handoff-classify",
493 .vector_size = sizeof (u32),
494 .sibling_of = "nat-default",
495 .format_trace = format_nat44_classify_trace,
496 .type = VLIB_NODE_TYPE_INTERNAL,
502 * fd.io coding-style-patch-verification: ON
505 * eval: (c-set-style "gnu")