2 * Copyright (c) 2020 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <nat/nat64/nat64.h>
17 #include <vnet/ip/ip6_to_ip4.h>
18 #include <vnet/fib/fib_table.h>
19 #include <nat/lib/nat_inlines.h>
26 } nat64_in2out_trace_t;
29 format_nat64_in2out_trace (u8 * s, va_list * args)
31 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
32 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
33 nat64_in2out_trace_t *t = va_arg (*args, nat64_in2out_trace_t *);
36 tag = t->is_slow_path ? "NAT64-in2out-slowpath" : "NAT64-in2out";
39 format (s, "%s: sw_if_index %d, next index %d", tag, t->sw_if_index,
45 #define foreach_nat64_in2out_error \
46 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
47 _(NO_TRANSLATION, "no translation") \
53 #define _(sym,str) NAT64_IN2OUT_ERROR_##sym,
54 foreach_nat64_in2out_error
57 } nat64_in2out_error_t;
59 static char *nat64_in2out_error_strings[] = {
60 #define _(sym,string) string,
61 foreach_nat64_in2out_error
67 NAT64_IN2OUT_NEXT_IP4_LOOKUP,
68 NAT64_IN2OUT_NEXT_IP6_LOOKUP,
69 NAT64_IN2OUT_NEXT_DROP,
70 NAT64_IN2OUT_NEXT_SLOWPATH,
72 } nat64_in2out_next_t;
74 typedef struct nat64_in2out_set_ctx_t_
79 } nat64_in2out_set_ctx_t;
82 nat64_not_translate (u32 sw_if_index, ip6_address_t ip6_addr)
85 ip6_main_t *im6 = &ip6_main;
86 ip_lookup_main_t *lm6 = &im6->lookup_main;
87 ip_interface_address_t *ia = 0;
90 foreach_ip_interface_address (lm6, ia, sw_if_index, 0,
92 addr = ip_interface_address_get_address (lm6, ia);
93 if (0 == ip6_address_compare (addr, &ip6_addr))
102 * @brief Check whether is a hairpinning.
104 * If the destination IP address of the packet is an IPv4 address assigned to
105 * the NAT64 itself, then the packet is a hairpin packet.
107 * param dst_addr Destination address of the packet.
109 * @returns 1 if hairpinning, otherwise 0.
111 static_always_inline int
112 is_hairpinning (ip6_address_t * dst_addr)
114 nat64_main_t *nm = &nat64_main;
117 for (i = 0; i < vec_len (nm->addr_pool); i++)
119 if (nm->addr_pool[i].addr.as_u32 == dst_addr->as_u32[3])
127 nat64_in2out_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p, u16 l4_offset,
128 u16 frag_hdr_offset, nat64_in2out_set_ctx_t * ctx)
136 nat64_main_t *nm = &nat64_main;
137 nat64_db_bib_entry_t *bibe;
138 nat64_db_st_entry_t *ste;
139 ip46_address_t old_saddr, old_daddr;
140 ip4_address_t new_daddr;
141 u32 sw_if_index, fib_index;
142 u8 proto = vnet_buffer (p)->ip.reass.ip_proto;
143 u16 sport = vnet_buffer (p)->ip.reass.l4_src_port;
144 u16 dport = vnet_buffer (p)->ip.reass.l4_dst_port;
145 nat64_db_t *db = &nm->db[ctx->thread_index];
147 ip6 = vlib_buffer_get_current (p);
149 vlib_buffer_advance (p, l4_offset - sizeof (*ip4));
150 ip4 = vlib_buffer_get_current (p);
152 u32 ip_version_traffic_class_and_flow_label =
153 ip6->ip_version_traffic_class_and_flow_label;
154 u16 payload_length = ip6->payload_length;
155 u8 hop_limit = ip6->hop_limit;
157 old_saddr.as_u64[0] = ip6->src_address.as_u64[0];
158 old_saddr.as_u64[1] = ip6->src_address.as_u64[1];
159 old_daddr.as_u64[0] = ip6->dst_address.as_u64[0];
160 old_daddr.as_u64[1] = ip6->dst_address.as_u64[1];
162 if (PREDICT_FALSE (frag_hdr_offset))
164 //Only the first fragment
165 ip6_frag_hdr_t *hdr =
166 (ip6_frag_hdr_t *) u8_ptr_add (ip6, frag_hdr_offset);
167 fragment_id = frag_id_6to4 (hdr->identification);
168 frag_more = ip6_frag_hdr_more (hdr);
169 frag_offset = ip6_frag_hdr_offset (hdr);
178 ip4->ip_version_and_header_length =
179 IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
180 ip4->tos = ip6_translate_tos (ip_version_traffic_class_and_flow_label);
182 u16_net_add (payload_length, sizeof (*ip4) + sizeof (*ip6) - l4_offset);
183 ip4->fragment_id = fragment_id;
184 ip4->flags_and_fragment_offset =
185 clib_host_to_net_u16 (frag_offset |
186 (frag_more ? IP4_HEADER_FLAG_MORE_FRAGMENTS : 0));
187 ip4->ttl = hop_limit;
188 ip4->protocol = (proto == IP_PROTOCOL_ICMP6) ? IP_PROTOCOL_ICMP : proto;
190 sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
192 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
195 nat64_db_st_entry_find (db, &old_saddr, &old_daddr, sport, dport, proto,
200 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
207 nat64_db_bib_entry_find (db, &old_saddr, sport, proto, fib_index, 1);
212 ip4_address_t out_addr;
213 if (nat64_alloc_out_addr_and_port
214 (fib_index, ip_proto_to_nat_proto (proto), &out_addr,
215 &out_port, ctx->thread_index))
219 nat64_db_bib_entry_create (ctx->thread_index, db,
220 &old_saddr.ip6, &out_addr, sport,
221 out_port, fib_index, proto, 0);
225 vlib_set_simple_counter (&nm->total_bibs, ctx->thread_index, 0,
226 db->bib.bib_entries_num);
229 nat64_extract_ip4 (&old_daddr.ip6, &new_daddr, fib_index);
231 nat64_db_st_entry_create (ctx->thread_index, db, bibe,
232 &old_daddr.ip6, &new_daddr, dport);
236 vlib_set_simple_counter (&nm->total_sessions, ctx->thread_index, 0,
237 db->st.st_entries_num);
240 ip4->src_address.as_u32 = bibe->out_addr.as_u32;
241 ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
243 ip4->checksum = ip4_header_checksum (ip4);
245 if (!vnet_buffer (p)->ip.reass.is_non_first_fragment)
247 udp_header_t *udp = (udp_header_t *) (ip4 + 1);
248 udp->src_port = bibe->out_port;
250 //UDP checksum is optional over IPv4
251 if (proto == IP_PROTOCOL_UDP)
257 tcp_header_t *tcp = (tcp_header_t *) (ip4 + 1);
258 csum = ip_csum_sub_even (tcp->checksum, old_saddr.as_u64[0]);
259 csum = ip_csum_sub_even (csum, old_saddr.as_u64[1]);
260 csum = ip_csum_sub_even (csum, old_daddr.as_u64[0]);
261 csum = ip_csum_sub_even (csum, old_daddr.as_u64[1]);
262 csum = ip_csum_add_even (csum, ip4->dst_address.as_u32);
263 csum = ip_csum_add_even (csum, ip4->src_address.as_u32);
264 csum = ip_csum_sub_even (csum, sport);
265 csum = ip_csum_add_even (csum, udp->src_port);
266 mss_clamping (nm->mss_clamping, tcp, &csum);
267 tcp->checksum = ip_csum_fold (csum);
269 nat64_tcp_session_set_state (ste, tcp, 1);
273 nat64_session_reset_timeout (ste, ctx->vm);
279 nat64_in2out_icmp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4, void *arg)
281 nat64_main_t *nm = &nat64_main;
282 nat64_in2out_set_ctx_t *ctx = arg;
283 nat64_db_bib_entry_t *bibe;
284 nat64_db_st_entry_t *ste;
285 ip46_address_t saddr, daddr;
286 u32 sw_if_index, fib_index;
287 icmp46_header_t *icmp = ip6_next_header (ip6);
288 nat64_db_t *db = &nm->db[ctx->thread_index];
290 sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
292 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
294 saddr.as_u64[0] = ip6->src_address.as_u64[0];
295 saddr.as_u64[1] = ip6->src_address.as_u64[1];
296 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
297 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
299 if (icmp->type == ICMP4_echo_request || icmp->type == ICMP4_echo_reply)
301 u16 in_id = ((u16 *) (icmp))[2];
303 nat64_db_st_entry_find (db, &saddr, &daddr, in_id, 0,
304 IP_PROTOCOL_ICMP, fib_index, 1);
309 nat64_db_bib_entry_by_index (db, IP_PROTOCOL_ICMP,
317 nat64_db_bib_entry_find (db, &saddr, in_id,
318 IP_PROTOCOL_ICMP, fib_index, 1);
323 ip4_address_t out_addr;
324 if (nat64_alloc_out_addr_and_port
325 (fib_index, NAT_PROTOCOL_ICMP, &out_addr, &out_id,
330 nat64_db_bib_entry_create (ctx->thread_index, db,
331 &ip6->src_address, &out_addr,
332 in_id, out_id, fib_index,
333 IP_PROTOCOL_ICMP, 0);
337 vlib_set_simple_counter (&nm->total_bibs, ctx->thread_index, 0,
338 db->bib.bib_entries_num);
341 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
343 nat64_db_st_entry_create (ctx->thread_index, db, bibe,
344 &ip6->dst_address, &daddr.ip4, 0);
348 vlib_set_simple_counter (&nm->total_sessions, ctx->thread_index, 0,
349 db->st.st_entries_num);
352 nat64_session_reset_timeout (ste, ctx->vm);
354 ip4->src_address.as_u32 = bibe->out_addr.as_u32;
355 ((u16 *) (icmp))[2] = bibe->out_port;
357 ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
361 if (!vec_len (nm->addr_pool))
364 ip4->src_address.as_u32 = nm->addr_pool[0].addr.as_u32;
365 nat64_extract_ip4 (&ip6->dst_address, &ip4->dst_address, fib_index);
372 nat64_in2out_inner_icmp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
375 nat64_main_t *nm = &nat64_main;
376 nat64_in2out_set_ctx_t *ctx = arg;
377 nat64_db_st_entry_t *ste;
378 nat64_db_bib_entry_t *bibe;
379 ip46_address_t saddr, daddr;
380 u32 sw_if_index, fib_index;
381 u8 proto = ip6->protocol;
382 nat64_db_t *db = &nm->db[ctx->thread_index];
384 sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
386 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
388 saddr.as_u64[0] = ip6->src_address.as_u64[0];
389 saddr.as_u64[1] = ip6->src_address.as_u64[1];
390 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
391 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
393 if (proto == IP_PROTOCOL_ICMP6)
395 icmp46_header_t *icmp = ip6_next_header (ip6);
396 u16 in_id = ((u16 *) (icmp))[2];
397 proto = IP_PROTOCOL_ICMP;
400 (icmp->type == ICMP4_echo_request
401 || icmp->type == ICMP4_echo_reply))
405 nat64_db_st_entry_find (db, &daddr, &saddr, in_id, 0, proto,
410 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
414 ip4->dst_address.as_u32 = bibe->out_addr.as_u32;
415 ((u16 *) (icmp))[2] = bibe->out_port;
416 ip4->src_address.as_u32 = ste->out_r_addr.as_u32;
420 udp_header_t *udp = ip6_next_header (ip6);
421 tcp_header_t *tcp = ip6_next_header (ip6);
425 u16 sport = udp->src_port;
426 u16 dport = udp->dst_port;
429 nat64_db_st_entry_find (db, &daddr, &saddr, dport, sport, proto,
434 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
438 ip4->dst_address.as_u32 = bibe->out_addr.as_u32;
439 udp->dst_port = bibe->out_port;
440 ip4->src_address.as_u32 = ste->out_r_addr.as_u32;
442 if (proto == IP_PROTOCOL_TCP)
443 checksum = &tcp->checksum;
445 checksum = &udp->checksum;
446 csum = ip_csum_sub_even (*checksum, dport);
447 csum = ip_csum_add_even (csum, udp->dst_port);
448 *checksum = ip_csum_fold (csum);
454 typedef struct unk_proto_st_walk_ctx_t_
456 ip6_address_t src_addr;
457 ip6_address_t dst_addr;
458 ip4_address_t out_addr;
462 } unk_proto_st_walk_ctx_t;
465 unk_proto_st_walk (nat64_db_st_entry_t * ste, void *arg)
467 nat64_main_t *nm = &nat64_main;
468 unk_proto_st_walk_ctx_t *ctx = arg;
469 nat64_db_bib_entry_t *bibe;
470 ip46_address_t saddr, daddr;
471 nat64_db_t *db = &nm->db[ctx->thread_index];
473 if (ip6_address_is_equal (&ste->in_r_addr, &ctx->dst_addr))
475 bibe = nat64_db_bib_entry_by_index (db, ste->proto, ste->bibe_index);
479 if (ip6_address_is_equal (&bibe->in_addr, &ctx->src_addr)
480 && bibe->fib_index == ctx->fib_index)
482 clib_memset (&saddr, 0, sizeof (saddr));
483 saddr.ip4.as_u32 = bibe->out_addr.as_u32;
484 clib_memset (&daddr, 0, sizeof (daddr));
485 nat64_extract_ip4 (&ctx->dst_addr, &daddr.ip4, ctx->fib_index);
487 if (nat64_db_st_entry_find
488 (db, &daddr, &saddr, 0, 0, ctx->proto, ctx->fib_index, 0))
491 ctx->out_addr.as_u32 = bibe->out_addr.as_u32;
500 nat64_in2out_unk_proto (vlib_main_t * vm, vlib_buffer_t * p, u8 l4_protocol,
501 u16 l4_offset, u16 frag_hdr_offset,
502 nat64_in2out_set_ctx_t * s_ctx)
510 ip6 = vlib_buffer_get_current (p);
512 ip4 = (ip4_header_t *) u8_ptr_add (ip6, l4_offset - sizeof (*ip4));
514 vlib_buffer_advance (p, l4_offset - sizeof (*ip4));
516 if (PREDICT_FALSE (frag_hdr_offset))
518 //Only the first fragment
519 ip6_frag_hdr_t *hdr =
520 (ip6_frag_hdr_t *) u8_ptr_add (ip6, frag_hdr_offset);
521 fragment_id = frag_id_6to4 (hdr->identification);
522 frag_offset = ip6_frag_hdr_offset (hdr);
523 frag_more = ip6_frag_hdr_more (hdr);
532 nat64_main_t *nm = &nat64_main;
533 nat64_db_bib_entry_t *bibe;
534 nat64_db_st_entry_t *ste;
535 ip46_address_t saddr, daddr, addr;
536 u32 sw_if_index, fib_index;
538 nat64_db_t *db = &nm->db[s_ctx->thread_index];
540 sw_if_index = vnet_buffer (s_ctx->b)->sw_if_index[VLIB_RX];
542 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
544 saddr.as_u64[0] = ip6->src_address.as_u64[0];
545 saddr.as_u64[1] = ip6->src_address.as_u64[1];
546 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
547 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
550 nat64_db_st_entry_find (db, &saddr, &daddr, 0, 0, l4_protocol, fib_index,
555 bibe = nat64_db_bib_entry_by_index (db, l4_protocol, ste->bibe_index);
562 nat64_db_bib_entry_find (db, &saddr, 0, l4_protocol, fib_index, 1);
566 /* Choose same out address as for TCP/UDP session to same dst */
567 unk_proto_st_walk_ctx_t ctx = {
568 .src_addr.as_u64[0] = ip6->src_address.as_u64[0],
569 .src_addr.as_u64[1] = ip6->src_address.as_u64[1],
570 .dst_addr.as_u64[0] = ip6->dst_address.as_u64[0],
571 .dst_addr.as_u64[1] = ip6->dst_address.as_u64[1],
572 .out_addr.as_u32 = 0,
573 .fib_index = fib_index,
574 .proto = l4_protocol,
575 .thread_index = s_ctx->thread_index,
578 nat64_db_st_walk (db, IP_PROTOCOL_TCP, unk_proto_st_walk, &ctx);
580 if (!ctx.out_addr.as_u32)
581 nat64_db_st_walk (db, IP_PROTOCOL_UDP, unk_proto_st_walk, &ctx);
583 /* Verify if out address is not already in use for protocol */
584 clib_memset (&addr, 0, sizeof (addr));
585 addr.ip4.as_u32 = ctx.out_addr.as_u32;
586 if (nat64_db_bib_entry_find (db, &addr, 0, l4_protocol, 0, 0))
587 ctx.out_addr.as_u32 = 0;
589 if (!ctx.out_addr.as_u32)
591 for (i = 0; i < vec_len (nm->addr_pool); i++)
593 addr.ip4.as_u32 = nm->addr_pool[i].addr.as_u32;
594 if (!nat64_db_bib_entry_find
595 (db, &addr, 0, l4_protocol, 0, 0))
600 if (!ctx.out_addr.as_u32)
604 nat64_db_bib_entry_create (s_ctx->thread_index, db,
605 &ip6->src_address, &ctx.out_addr,
606 0, 0, fib_index, l4_protocol, 0);
610 vlib_set_simple_counter (&nm->total_bibs, s_ctx->thread_index, 0,
611 db->bib.bib_entries_num);
614 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
616 nat64_db_st_entry_create (s_ctx->thread_index, db, bibe,
617 &ip6->dst_address, &daddr.ip4, 0);
621 vlib_set_simple_counter (&nm->total_sessions, s_ctx->thread_index, 0,
622 db->st.st_entries_num);
625 nat64_session_reset_timeout (ste, s_ctx->vm);
627 ip4->src_address.as_u32 = bibe->out_addr.as_u32;
628 ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
630 ip4->ip_version_and_header_length =
631 IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
632 ip4->tos = ip6_translate_tos (ip6->ip_version_traffic_class_and_flow_label);
633 ip4->length = u16_net_add (ip6->payload_length,
634 sizeof (*ip4) + sizeof (*ip6) - l4_offset);
635 ip4->fragment_id = fragment_id;
636 ip4->flags_and_fragment_offset =
637 clib_host_to_net_u16 (frag_offset |
638 (frag_more ? IP4_HEADER_FLAG_MORE_FRAGMENTS : 0));
639 ip4->ttl = ip6->hop_limit;
640 ip4->protocol = l4_protocol;
641 ip4->checksum = ip4_header_checksum (ip4);
647 nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
648 ip6_header_t * ip6, u32 l4_offset,
651 nat64_main_t *nm = &nat64_main;
652 nat64_db_bib_entry_t *bibe;
653 nat64_db_st_entry_t *ste;
654 ip46_address_t saddr, daddr;
655 u32 sw_if_index, fib_index;
656 udp_header_t *udp = (udp_header_t *) u8_ptr_add (ip6, l4_offset);
657 tcp_header_t *tcp = (tcp_header_t *) u8_ptr_add (ip6, l4_offset);
658 u8 proto = vnet_buffer (b)->ip.reass.ip_proto;
659 u16 sport = vnet_buffer (b)->ip.reass.l4_src_port;
660 u16 dport = vnet_buffer (b)->ip.reass.l4_dst_port;
661 u16 *checksum = NULL;
663 nat64_db_t *db = &nm->db[thread_index];
665 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
667 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
669 saddr.as_u64[0] = ip6->src_address.as_u64[0];
670 saddr.as_u64[1] = ip6->src_address.as_u64[1];
671 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
672 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
674 if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
676 if (proto == IP_PROTOCOL_UDP)
677 checksum = &udp->checksum;
679 checksum = &tcp->checksum;
680 csum = ip_csum_sub_even (*checksum, ip6->src_address.as_u64[0]);
681 csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[1]);
682 csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[0]);
683 csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[1]);
687 nat64_db_st_entry_find (db, &saddr, &daddr, sport, dport, proto,
692 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
698 bibe = nat64_db_bib_entry_find (db, &saddr, sport, proto, fib_index, 1);
703 ip4_address_t out_addr;
704 if (nat64_alloc_out_addr_and_port
705 (fib_index, ip_proto_to_nat_proto (proto), &out_addr,
706 &out_port, thread_index))
710 nat64_db_bib_entry_create (thread_index, db, &ip6->src_address,
711 &out_addr, sport, out_port, fib_index,
716 vlib_set_simple_counter (&nm->total_bibs, thread_index, 0,
717 db->bib.bib_entries_num);
720 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
722 nat64_db_st_entry_create (thread_index, db, bibe, &ip6->dst_address,
727 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
728 db->st.st_entries_num);
731 if (proto == IP_PROTOCOL_TCP)
732 nat64_tcp_session_set_state (ste, tcp, 1);
734 nat64_session_reset_timeout (ste, vm);
736 if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
738 udp->src_port = bibe->out_port;
741 nat64_compose_ip6 (&ip6->src_address, &bibe->out_addr, fib_index);
743 clib_memset (&daddr, 0, sizeof (daddr));
744 daddr.ip4.as_u32 = ste->out_r_addr.as_u32;
748 vec_foreach (db, nm->db)
750 bibe = nat64_db_bib_entry_find (db, &daddr, dport, proto, 0, 0);
760 ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
761 ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
763 if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
765 csum = ip_csum_add_even (csum, ip6->src_address.as_u64[0]);
766 csum = ip_csum_add_even (csum, ip6->src_address.as_u64[1]);
767 csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[0]);
768 csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[1]);
769 csum = ip_csum_sub_even (csum, sport);
770 csum = ip_csum_sub_even (csum, dport);
771 udp->dst_port = bibe->in_port;
772 csum = ip_csum_add_even (csum, udp->src_port);
773 csum = ip_csum_add_even (csum, udp->dst_port);
774 *checksum = ip_csum_fold (csum);
781 nat64_in2out_icmp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
782 ip6_header_t * ip6, u32 thread_index)
784 nat64_main_t *nm = &nat64_main;
785 nat64_db_bib_entry_t *bibe;
786 nat64_db_st_entry_t *ste;
787 icmp46_header_t *icmp = ip6_next_header (ip6);
788 ip6_header_t *inner_ip6;
789 ip46_address_t saddr, daddr;
790 u32 sw_if_index, fib_index;
794 u16 *checksum, sport, dport;
796 nat64_db_t *db = &nm->db[thread_index];
798 if (icmp->type == ICMP6_echo_request || icmp->type == ICMP6_echo_reply)
801 inner_ip6 = (ip6_header_t *) u8_ptr_add (icmp, 8);
803 proto = inner_ip6->protocol;
805 if (proto == IP_PROTOCOL_ICMP6)
808 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
810 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
812 saddr.as_u64[0] = inner_ip6->src_address.as_u64[0];
813 saddr.as_u64[1] = inner_ip6->src_address.as_u64[1];
814 daddr.as_u64[0] = inner_ip6->dst_address.as_u64[0];
815 daddr.as_u64[1] = inner_ip6->dst_address.as_u64[1];
817 udp = ip6_next_header (inner_ip6);
818 tcp = ip6_next_header (inner_ip6);
820 sport = udp->src_port;
821 dport = udp->dst_port;
823 if (proto == IP_PROTOCOL_UDP)
824 checksum = &udp->checksum;
826 checksum = &tcp->checksum;
828 csum = ip_csum_sub_even (*checksum, inner_ip6->src_address.as_u64[0]);
829 csum = ip_csum_sub_even (csum, inner_ip6->src_address.as_u64[1]);
830 csum = ip_csum_sub_even (csum, inner_ip6->dst_address.as_u64[0]);
831 csum = ip_csum_sub_even (csum, inner_ip6->dst_address.as_u64[1]);
832 csum = ip_csum_sub_even (csum, sport);
833 csum = ip_csum_sub_even (csum, dport);
836 nat64_db_st_entry_find (db, &daddr, &saddr, dport, sport, proto,
841 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
845 dport = udp->dst_port = bibe->out_port;
846 nat64_compose_ip6 (&inner_ip6->dst_address, &bibe->out_addr, fib_index);
848 clib_memset (&saddr, 0, sizeof (saddr));
849 clib_memset (&daddr, 0, sizeof (daddr));
850 saddr.ip4.as_u32 = ste->out_r_addr.as_u32;
851 daddr.ip4.as_u32 = bibe->out_addr.as_u32;
855 vec_foreach (db, nm->db)
857 ste = nat64_db_st_entry_find (db, &saddr, &daddr, sport, dport, proto,
868 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
872 inner_ip6->src_address.as_u64[0] = bibe->in_addr.as_u64[0];
873 inner_ip6->src_address.as_u64[1] = bibe->in_addr.as_u64[1];
874 udp->src_port = bibe->in_port;
876 csum = ip_csum_add_even (csum, inner_ip6->src_address.as_u64[0]);
877 csum = ip_csum_add_even (csum, inner_ip6->src_address.as_u64[1]);
878 csum = ip_csum_add_even (csum, inner_ip6->dst_address.as_u64[0]);
879 csum = ip_csum_add_even (csum, inner_ip6->dst_address.as_u64[1]);
880 csum = ip_csum_add_even (csum, udp->src_port);
881 csum = ip_csum_add_even (csum, udp->dst_port);
882 *checksum = ip_csum_fold (csum);
884 if (!vec_len (nm->addr_pool))
887 nat64_compose_ip6 (&ip6->src_address, &nm->addr_pool[0].addr, fib_index);
888 ip6->dst_address.as_u64[0] = inner_ip6->src_address.as_u64[0];
889 ip6->dst_address.as_u64[1] = inner_ip6->src_address.as_u64[1];
892 csum = ip_csum_with_carry (0, ip6->payload_length);
893 csum = ip_csum_with_carry (csum, clib_host_to_net_u16 (ip6->protocol));
894 csum = ip_csum_with_carry (csum, ip6->src_address.as_u64[0]);
895 csum = ip_csum_with_carry (csum, ip6->src_address.as_u64[1]);
896 csum = ip_csum_with_carry (csum, ip6->dst_address.as_u64[0]);
897 csum = ip_csum_with_carry (csum, ip6->dst_address.as_u64[1]);
899 ip_incremental_checksum (csum, icmp,
900 clib_net_to_host_u16 (ip6->payload_length));
901 icmp->checksum = ~ip_csum_fold (csum);
907 nat64_in2out_unk_proto_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
908 ip6_header_t * ip6, u32 thread_index)
910 nat64_main_t *nm = &nat64_main;
911 nat64_db_bib_entry_t *bibe;
912 nat64_db_st_entry_t *ste;
913 ip46_address_t saddr, daddr, addr;
914 u32 sw_if_index, fib_index;
915 u8 proto = ip6->protocol;
917 nat64_db_t *db = &nm->db[thread_index];
919 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
921 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
923 saddr.as_u64[0] = ip6->src_address.as_u64[0];
924 saddr.as_u64[1] = ip6->src_address.as_u64[1];
925 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
926 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
929 nat64_db_st_entry_find (db, &saddr, &daddr, 0, 0, proto, fib_index, 1);
933 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
939 bibe = nat64_db_bib_entry_find (db, &saddr, 0, proto, fib_index, 1);
943 /* Choose same out address as for TCP/UDP session to same dst */
944 unk_proto_st_walk_ctx_t ctx = {
945 .src_addr.as_u64[0] = ip6->src_address.as_u64[0],
946 .src_addr.as_u64[1] = ip6->src_address.as_u64[1],
947 .dst_addr.as_u64[0] = ip6->dst_address.as_u64[0],
948 .dst_addr.as_u64[1] = ip6->dst_address.as_u64[1],
949 .out_addr.as_u32 = 0,
950 .fib_index = fib_index,
952 .thread_index = thread_index,
955 nat64_db_st_walk (db, IP_PROTOCOL_TCP, unk_proto_st_walk, &ctx);
957 if (!ctx.out_addr.as_u32)
958 nat64_db_st_walk (db, IP_PROTOCOL_UDP, unk_proto_st_walk, &ctx);
960 /* Verify if out address is not already in use for protocol */
961 clib_memset (&addr, 0, sizeof (addr));
962 addr.ip4.as_u32 = ctx.out_addr.as_u32;
963 if (nat64_db_bib_entry_find (db, &addr, 0, proto, 0, 0))
964 ctx.out_addr.as_u32 = 0;
966 if (!ctx.out_addr.as_u32)
968 for (i = 0; i < vec_len (nm->addr_pool); i++)
970 addr.ip4.as_u32 = nm->addr_pool[i].addr.as_u32;
971 if (!nat64_db_bib_entry_find (db, &addr, 0, proto, 0, 0))
976 if (!ctx.out_addr.as_u32)
980 nat64_db_bib_entry_create (thread_index, db, &ip6->src_address,
981 &ctx.out_addr, 0, 0, fib_index, proto,
986 vlib_set_simple_counter (&nm->total_bibs, thread_index, 0,
987 db->bib.bib_entries_num);
990 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
992 nat64_db_st_entry_create (thread_index, db, bibe, &ip6->dst_address,
997 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
998 db->st.st_entries_num);
1001 nat64_session_reset_timeout (ste, vm);
1003 nat64_compose_ip6 (&ip6->src_address, &bibe->out_addr, fib_index);
1005 clib_memset (&daddr, 0, sizeof (daddr));
1006 daddr.ip4.as_u32 = ste->out_r_addr.as_u32;
1010 vec_foreach (db, nm->db)
1012 bibe = nat64_db_bib_entry_find (db, &daddr, 0, proto, 0, 0);
1022 ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
1023 ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
1029 nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
1030 vlib_frame_t * frame, u8 is_slow_path)
1032 u32 n_left_from, *from, *to_next;
1033 nat64_in2out_next_t next_index;
1034 u32 thread_index = vm->thread_index;
1035 nat64_main_t *nm = &nat64_main;
1037 from = vlib_frame_vector_args (frame);
1038 n_left_from = frame->n_vectors;
1039 next_index = node->cached_next_index;
1041 while (n_left_from > 0)
1045 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1047 while (n_left_from > 0 && n_left_to_next > 0)
1053 u16 l4_offset0, frag_hdr_offset0;
1056 nat64_in2out_set_ctx_t ctx0;
1059 /* speculatively enqueue b0 to the current next frame */
1065 n_left_to_next -= 1;
1067 b0 = vlib_get_buffer (vm, bi0);
1068 ip60 = vlib_buffer_get_current (b0);
1070 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1074 ctx0.thread_index = thread_index;
1076 next0 = NAT64_IN2OUT_NEXT_IP4_LOOKUP;
1080 (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0,
1081 &frag_hdr_offset0)))
1083 next0 = NAT64_IN2OUT_NEXT_DROP;
1084 b0->error = node->errors[NAT64_IN2OUT_ERROR_UNKNOWN];
1088 if (nat64_not_translate (sw_if_index0, ip60->dst_address))
1090 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1094 proto0 = ip_proto_to_nat_proto (l4_protocol0);
1098 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_OTHER))
1100 vlib_increment_simple_counter (&nm->counters.in2out.other,
1101 thread_index, sw_if_index0,
1103 if (is_hairpinning (&ip60->dst_address))
1105 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1106 if (nat64_in2out_unk_proto_hairpinning
1107 (vm, b0, ip60, thread_index))
1109 next0 = NAT64_IN2OUT_NEXT_DROP;
1111 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1116 if (nat64_in2out_unk_proto
1117 (vm, b0, l4_protocol0, l4_offset0, frag_hdr_offset0,
1120 next0 = NAT64_IN2OUT_NEXT_DROP;
1122 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1130 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1132 next0 = NAT64_IN2OUT_NEXT_SLOWPATH;
1137 if (proto0 == NAT_PROTOCOL_ICMP)
1139 vlib_increment_simple_counter (&nm->counters.in2out.icmp,
1140 thread_index, sw_if_index0, 1);
1141 if (is_hairpinning (&ip60->dst_address))
1143 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1144 if (nat64_in2out_icmp_hairpinning
1145 (vm, b0, ip60, thread_index))
1147 next0 = NAT64_IN2OUT_NEXT_DROP;
1149 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1155 (vm, b0, nat64_in2out_icmp_set_cb, &ctx0,
1156 nat64_in2out_inner_icmp_set_cb, &ctx0))
1158 next0 = NAT64_IN2OUT_NEXT_DROP;
1159 b0->error = node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1163 else if (proto0 == NAT_PROTOCOL_TCP || proto0 == NAT_PROTOCOL_UDP)
1165 if (proto0 == NAT_PROTOCOL_TCP)
1166 vlib_increment_simple_counter (&nm->counters.in2out.tcp,
1167 thread_index, sw_if_index0, 1);
1169 vlib_increment_simple_counter (&nm->counters.in2out.udp,
1170 thread_index, sw_if_index0, 1);
1172 if (is_hairpinning (&ip60->dst_address))
1174 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1175 if (nat64_in2out_tcp_udp_hairpinning
1176 (vm, b0, ip60, l4_offset0, thread_index))
1178 next0 = NAT64_IN2OUT_NEXT_DROP;
1180 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1185 if (nat64_in2out_tcp_udp
1186 (vm, b0, l4_offset0, frag_hdr_offset0, &ctx0))
1188 next0 = NAT64_IN2OUT_NEXT_DROP;
1189 b0->error = node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1195 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1196 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1198 nat64_in2out_trace_t *t =
1199 vlib_add_trace (vm, node, b0, sizeof (*t));
1200 t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1201 t->next_index = next0;
1202 t->is_slow_path = is_slow_path;
1205 if (next0 == NAT64_IN2OUT_NEXT_DROP)
1207 vlib_increment_simple_counter (&nm->counters.in2out.drops,
1208 thread_index, sw_if_index0, 1);
1212 /* verify speculative enqueue, maybe switch current next frame */
1213 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
1214 n_left_to_next, bi0, next0);
1216 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1219 return frame->n_vectors;
1222 VLIB_NODE_FN (nat64_in2out_node) (vlib_main_t * vm,
1223 vlib_node_runtime_t * node,
1224 vlib_frame_t * frame)
1226 return nat64_in2out_node_fn_inline (vm, node, frame, 0);
1230 VLIB_REGISTER_NODE (nat64_in2out_node) = {
1231 .name = "nat64-in2out",
1232 .vector_size = sizeof (u32),
1233 .format_trace = format_nat64_in2out_trace,
1234 .type = VLIB_NODE_TYPE_INTERNAL,
1235 .n_errors = ARRAY_LEN (nat64_in2out_error_strings),
1236 .error_strings = nat64_in2out_error_strings,
1237 .n_next_nodes = NAT64_IN2OUT_N_NEXT,
1238 /* edit / add dispositions here */
1240 [NAT64_IN2OUT_NEXT_DROP] = "error-drop",
1241 [NAT64_IN2OUT_NEXT_IP4_LOOKUP] = "ip4-lookup",
1242 [NAT64_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup",
1243 [NAT64_IN2OUT_NEXT_SLOWPATH] = "nat64-in2out-slowpath",
1248 VLIB_NODE_FN (nat64_in2out_slowpath_node) (vlib_main_t * vm,
1249 vlib_node_runtime_t * node,
1250 vlib_frame_t * frame)
1252 return nat64_in2out_node_fn_inline (vm, node, frame, 1);
1256 VLIB_REGISTER_NODE (nat64_in2out_slowpath_node) = {
1257 .name = "nat64-in2out-slowpath",
1258 .vector_size = sizeof (u32),
1259 .format_trace = format_nat64_in2out_trace,
1260 .type = VLIB_NODE_TYPE_INTERNAL,
1261 .n_errors = ARRAY_LEN (nat64_in2out_error_strings),
1262 .error_strings = nat64_in2out_error_strings,
1263 .n_next_nodes = NAT64_IN2OUT_N_NEXT,
1264 /* edit / add dispositions here */
1266 [NAT64_IN2OUT_NEXT_DROP] = "error-drop",
1267 [NAT64_IN2OUT_NEXT_IP4_LOOKUP] = "ip4-lookup",
1268 [NAT64_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup",
1269 [NAT64_IN2OUT_NEXT_SLOWPATH] = "nat64-in2out-slowpath",
1274 typedef struct nat64_in2out_frag_set_ctx_t_
1282 } nat64_in2out_frag_set_ctx_t;
1285 #define foreach_nat64_in2out_handoff_error \
1286 _(CONGESTION_DROP, "congestion drop") \
1287 _(SAME_WORKER, "same worker") \
1288 _(DO_HANDOFF, "do handoff")
1292 #define _(sym,str) NAT64_IN2OUT_HANDOFF_ERROR_##sym,
1293 foreach_nat64_in2out_handoff_error
1295 NAT64_IN2OUT_HANDOFF_N_ERROR,
1296 } nat64_in2out_handoff_error_t;
1298 static char *nat64_in2out_handoff_error_strings[] = {
1299 #define _(sym,string) string,
1300 foreach_nat64_in2out_handoff_error
1306 u32 next_worker_index;
1307 } nat64_in2out_handoff_trace_t;
1310 format_nat64_in2out_handoff_trace (u8 * s, va_list * args)
1312 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1313 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1314 nat64_in2out_handoff_trace_t *t =
1315 va_arg (*args, nat64_in2out_handoff_trace_t *);
1318 format (s, "NAT64-IN2OUT-HANDOFF: next-worker %d", t->next_worker_index);
1323 VLIB_NODE_FN (nat64_in2out_handoff_node) (vlib_main_t * vm,
1324 vlib_node_runtime_t * node,
1325 vlib_frame_t * frame)
1327 nat64_main_t *nm = &nat64_main;
1328 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
1329 u32 n_enq, n_left_from, *from;
1330 u16 thread_indices[VLIB_FRAME_SIZE], *ti;
1332 u32 thread_index = vm->thread_index;
1333 u32 do_handoff = 0, same_worker = 0;
1335 from = vlib_frame_vector_args (frame);
1336 n_left_from = frame->n_vectors;
1337 vlib_get_buffers (vm, from, bufs, n_left_from);
1340 ti = thread_indices;
1342 fq_index = nm->fq_in2out_index;
1344 while (n_left_from > 0)
1348 ip0 = vlib_buffer_get_current (b[0]);
1349 ti[0] = nat64_get_worker_in2out (&ip0->src_address);
1351 if (ti[0] != thread_index)
1357 ((node->flags & VLIB_NODE_FLAG_TRACE)
1358 && (b[0]->flags & VLIB_BUFFER_IS_TRACED)))
1360 nat64_in2out_handoff_trace_t *t =
1361 vlib_add_trace (vm, node, b[0], sizeof (*t));
1362 t->next_worker_index = ti[0];
1371 vlib_buffer_enqueue_to_thread (vm, fq_index, from, thread_indices,
1372 frame->n_vectors, 1);
1374 if (n_enq < frame->n_vectors)
1375 vlib_node_increment_counter (vm, node->node_index,
1376 NAT64_IN2OUT_HANDOFF_ERROR_CONGESTION_DROP,
1377 frame->n_vectors - n_enq);
1378 vlib_node_increment_counter (vm, node->node_index,
1379 NAT64_IN2OUT_HANDOFF_ERROR_SAME_WORKER,
1381 vlib_node_increment_counter (vm, node->node_index,
1382 NAT64_IN2OUT_HANDOFF_ERROR_DO_HANDOFF,
1385 return frame->n_vectors;
1389 VLIB_REGISTER_NODE (nat64_in2out_handoff_node) = {
1390 .name = "nat64-in2out-handoff",
1391 .vector_size = sizeof (u32),
1392 .format_trace = format_nat64_in2out_handoff_trace,
1393 .type = VLIB_NODE_TYPE_INTERNAL,
1394 .n_errors = ARRAY_LEN(nat64_in2out_handoff_error_strings),
1395 .error_strings = nat64_in2out_handoff_error_strings,
1406 * fd.io coding-style-patch-verification: ON
1409 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob