2 * Copyright (c) 2020 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <nat/nat64/nat64.h>
17 #include <vnet/ip/ip6_to_ip4.h>
18 #include <vnet/fib/fib_table.h>
19 #include <nat/lib/nat_inlines.h>
26 } nat64_in2out_trace_t;
29 format_nat64_in2out_trace (u8 * s, va_list * args)
31 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
32 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
33 nat64_in2out_trace_t *t = va_arg (*args, nat64_in2out_trace_t *);
36 tag = t->is_slow_path ? "NAT64-in2out-slowpath" : "NAT64-in2out";
39 format (s, "%s: sw_if_index %d, next index %d", tag, t->sw_if_index,
45 #define foreach_nat64_in2out_error \
46 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
47 _(NO_TRANSLATION, "no translation") \
53 #define _(sym,str) NAT64_IN2OUT_ERROR_##sym,
54 foreach_nat64_in2out_error
57 } nat64_in2out_error_t;
59 static char *nat64_in2out_error_strings[] = {
60 #define _(sym,string) string,
61 foreach_nat64_in2out_error
67 NAT64_IN2OUT_NEXT_IP4_LOOKUP,
68 NAT64_IN2OUT_NEXT_IP6_LOOKUP,
69 NAT64_IN2OUT_NEXT_DROP,
70 NAT64_IN2OUT_NEXT_SLOWPATH,
72 } nat64_in2out_next_t;
74 typedef struct nat64_in2out_set_ctx_t_
79 } nat64_in2out_set_ctx_t;
82 nat64_not_translate (u32 sw_if_index, ip6_address_t ip6_addr)
85 ip6_main_t *im6 = &ip6_main;
86 ip_lookup_main_t *lm6 = &im6->lookup_main;
87 ip_interface_address_t *ia = 0;
89 foreach_ip_interface_address (lm6, ia, sw_if_index, 0,
91 addr = ip_interface_address_get_address (lm6, ia);
92 if (0 == ip6_address_compare (addr, &ip6_addr))
100 * @brief Check whether is a hairpinning.
102 * If the destination IP address of the packet is an IPv4 address assigned to
103 * the NAT64 itself, then the packet is a hairpin packet.
105 * param dst_addr Destination address of the packet.
107 * @returns 1 if hairpinning, otherwise 0.
109 static_always_inline int
110 is_hairpinning (ip6_address_t * dst_addr)
112 nat64_main_t *nm = &nat64_main;
115 for (i = 0; i < vec_len (nm->addr_pool); i++)
117 if (nm->addr_pool[i].addr.as_u32 == dst_addr->as_u32[3])
125 nat64_in2out_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p, u16 l4_offset,
126 u16 frag_hdr_offset, nat64_in2out_set_ctx_t * ctx)
134 nat64_main_t *nm = &nat64_main;
135 nat64_db_bib_entry_t *bibe;
136 nat64_db_st_entry_t *ste;
137 ip46_address_t old_saddr, old_daddr;
138 ip4_address_t new_daddr;
139 u32 sw_if_index, fib_index;
140 u8 proto = vnet_buffer (p)->ip.reass.ip_proto;
141 u16 sport = vnet_buffer (p)->ip.reass.l4_src_port;
142 u16 dport = vnet_buffer (p)->ip.reass.l4_dst_port;
143 nat64_db_t *db = &nm->db[ctx->thread_index];
145 ip6 = vlib_buffer_get_current (p);
147 vlib_buffer_advance (p, l4_offset - sizeof (*ip4));
148 ip4 = vlib_buffer_get_current (p);
150 u32 ip_version_traffic_class_and_flow_label =
151 ip6->ip_version_traffic_class_and_flow_label;
152 u16 payload_length = ip6->payload_length;
153 u8 hop_limit = ip6->hop_limit;
155 old_saddr.as_u64[0] = ip6->src_address.as_u64[0];
156 old_saddr.as_u64[1] = ip6->src_address.as_u64[1];
157 old_daddr.as_u64[0] = ip6->dst_address.as_u64[0];
158 old_daddr.as_u64[1] = ip6->dst_address.as_u64[1];
160 if (PREDICT_FALSE (frag_hdr_offset))
162 //Only the first fragment
163 ip6_frag_hdr_t *hdr =
164 (ip6_frag_hdr_t *) u8_ptr_add (ip6, frag_hdr_offset);
165 fragment_id = frag_id_6to4 (hdr->identification);
166 frag_more = ip6_frag_hdr_more (hdr);
167 frag_offset = ip6_frag_hdr_offset (hdr);
176 ip4->ip_version_and_header_length =
177 IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
178 ip4->tos = ip6_translate_tos (ip_version_traffic_class_and_flow_label);
180 u16_net_add (payload_length, sizeof (*ip4) + sizeof (*ip6) - l4_offset);
181 ip4->fragment_id = fragment_id;
182 ip4->flags_and_fragment_offset =
183 clib_host_to_net_u16 (frag_offset |
184 (frag_more ? IP4_HEADER_FLAG_MORE_FRAGMENTS : 0));
185 ip4->ttl = hop_limit;
186 ip4->protocol = (proto == IP_PROTOCOL_ICMP6) ? IP_PROTOCOL_ICMP : proto;
188 sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
190 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
193 nat64_db_st_entry_find (db, &old_saddr, &old_daddr, sport, dport, proto,
198 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
205 nat64_db_bib_entry_find (db, &old_saddr, sport, proto, fib_index, 1);
210 ip4_address_t out_addr;
211 if (nat64_alloc_out_addr_and_port
212 (fib_index, ip_proto_to_nat_proto (proto), &out_addr,
213 &out_port, ctx->thread_index))
217 nat64_db_bib_entry_create (ctx->thread_index, db,
218 &old_saddr.ip6, &out_addr, sport,
219 out_port, fib_index, proto, 0);
223 vlib_set_simple_counter (&nm->total_bibs, ctx->thread_index, 0,
224 db->bib.bib_entries_num);
227 nat64_extract_ip4 (&old_daddr.ip6, &new_daddr, fib_index);
229 nat64_db_st_entry_create (ctx->thread_index, db, bibe,
230 &old_daddr.ip6, &new_daddr, dport);
234 vlib_set_simple_counter (&nm->total_sessions, ctx->thread_index, 0,
235 db->st.st_entries_num);
238 ip4->src_address.as_u32 = bibe->out_addr.as_u32;
239 ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
241 ip4->checksum = ip4_header_checksum (ip4);
243 if (!vnet_buffer (p)->ip.reass.is_non_first_fragment)
245 udp_header_t *udp = (udp_header_t *) (ip4 + 1);
246 udp->src_port = bibe->out_port;
248 //UDP checksum is optional over IPv4
249 if (proto == IP_PROTOCOL_UDP)
255 tcp_header_t *tcp = (tcp_header_t *) (ip4 + 1);
256 csum = ip_csum_sub_even (tcp->checksum, old_saddr.as_u64[0]);
257 csum = ip_csum_sub_even (csum, old_saddr.as_u64[1]);
258 csum = ip_csum_sub_even (csum, old_daddr.as_u64[0]);
259 csum = ip_csum_sub_even (csum, old_daddr.as_u64[1]);
260 csum = ip_csum_add_even (csum, ip4->dst_address.as_u32);
261 csum = ip_csum_add_even (csum, ip4->src_address.as_u32);
262 csum = ip_csum_sub_even (csum, sport);
263 csum = ip_csum_add_even (csum, udp->src_port);
264 mss_clamping (nm->mss_clamping, tcp, &csum);
265 tcp->checksum = ip_csum_fold (csum);
267 nat64_tcp_session_set_state (ste, tcp, 1);
271 nat64_session_reset_timeout (ste, ctx->vm);
277 nat64_in2out_icmp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4, void *arg)
279 nat64_main_t *nm = &nat64_main;
280 nat64_in2out_set_ctx_t *ctx = arg;
281 nat64_db_bib_entry_t *bibe;
282 nat64_db_st_entry_t *ste;
283 ip46_address_t saddr, daddr;
284 u32 sw_if_index, fib_index;
285 icmp46_header_t *icmp = ip6_next_header (ip6);
286 nat64_db_t *db = &nm->db[ctx->thread_index];
288 sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
290 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
292 saddr.as_u64[0] = ip6->src_address.as_u64[0];
293 saddr.as_u64[1] = ip6->src_address.as_u64[1];
294 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
295 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
297 if (icmp->type == ICMP4_echo_request || icmp->type == ICMP4_echo_reply)
299 u16 in_id = ((u16 *) (icmp))[2];
301 nat64_db_st_entry_find (db, &saddr, &daddr, in_id, 0,
302 IP_PROTOCOL_ICMP, fib_index, 1);
307 nat64_db_bib_entry_by_index (db, IP_PROTOCOL_ICMP,
315 nat64_db_bib_entry_find (db, &saddr, in_id,
316 IP_PROTOCOL_ICMP, fib_index, 1);
321 ip4_address_t out_addr;
322 if (nat64_alloc_out_addr_and_port
323 (fib_index, NAT_PROTOCOL_ICMP, &out_addr, &out_id,
328 nat64_db_bib_entry_create (ctx->thread_index, db,
329 &ip6->src_address, &out_addr,
330 in_id, out_id, fib_index,
331 IP_PROTOCOL_ICMP, 0);
335 vlib_set_simple_counter (&nm->total_bibs, ctx->thread_index, 0,
336 db->bib.bib_entries_num);
339 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
341 nat64_db_st_entry_create (ctx->thread_index, db, bibe,
342 &ip6->dst_address, &daddr.ip4, 0);
346 vlib_set_simple_counter (&nm->total_sessions, ctx->thread_index, 0,
347 db->st.st_entries_num);
350 nat64_session_reset_timeout (ste, ctx->vm);
352 ip4->src_address.as_u32 = bibe->out_addr.as_u32;
353 ((u16 *) (icmp))[2] = bibe->out_port;
355 ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
359 if (!vec_len (nm->addr_pool))
362 ip4->src_address.as_u32 = nm->addr_pool[0].addr.as_u32;
363 nat64_extract_ip4 (&ip6->dst_address, &ip4->dst_address, fib_index);
370 nat64_in2out_inner_icmp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
373 nat64_main_t *nm = &nat64_main;
374 nat64_in2out_set_ctx_t *ctx = arg;
375 nat64_db_st_entry_t *ste;
376 nat64_db_bib_entry_t *bibe;
377 ip46_address_t saddr, daddr;
378 u32 sw_if_index, fib_index;
379 u8 proto = ip6->protocol;
380 nat64_db_t *db = &nm->db[ctx->thread_index];
382 sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
384 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
386 saddr.as_u64[0] = ip6->src_address.as_u64[0];
387 saddr.as_u64[1] = ip6->src_address.as_u64[1];
388 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
389 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
391 if (proto == IP_PROTOCOL_ICMP6)
393 icmp46_header_t *icmp = ip6_next_header (ip6);
394 u16 in_id = ((u16 *) (icmp))[2];
395 proto = IP_PROTOCOL_ICMP;
398 (icmp->type == ICMP4_echo_request
399 || icmp->type == ICMP4_echo_reply))
403 nat64_db_st_entry_find (db, &daddr, &saddr, in_id, 0, proto,
408 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
412 ip4->dst_address.as_u32 = bibe->out_addr.as_u32;
413 ((u16 *) (icmp))[2] = bibe->out_port;
414 ip4->src_address.as_u32 = ste->out_r_addr.as_u32;
418 udp_header_t *udp = ip6_next_header (ip6);
419 tcp_header_t *tcp = ip6_next_header (ip6);
423 u16 sport = udp->src_port;
424 u16 dport = udp->dst_port;
427 nat64_db_st_entry_find (db, &daddr, &saddr, dport, sport, proto,
432 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
436 ip4->dst_address.as_u32 = bibe->out_addr.as_u32;
437 udp->dst_port = bibe->out_port;
438 ip4->src_address.as_u32 = ste->out_r_addr.as_u32;
440 if (proto == IP_PROTOCOL_TCP)
441 checksum = &tcp->checksum;
443 checksum = &udp->checksum;
444 csum = ip_csum_sub_even (*checksum, dport);
445 csum = ip_csum_add_even (csum, udp->dst_port);
446 *checksum = ip_csum_fold (csum);
452 typedef struct unk_proto_st_walk_ctx_t_
454 ip6_address_t src_addr;
455 ip6_address_t dst_addr;
456 ip4_address_t out_addr;
460 } unk_proto_st_walk_ctx_t;
463 unk_proto_st_walk (nat64_db_st_entry_t * ste, void *arg)
465 nat64_main_t *nm = &nat64_main;
466 unk_proto_st_walk_ctx_t *ctx = arg;
467 nat64_db_bib_entry_t *bibe;
468 ip46_address_t saddr, daddr;
469 nat64_db_t *db = &nm->db[ctx->thread_index];
471 if (ip6_address_is_equal (&ste->in_r_addr, &ctx->dst_addr))
473 bibe = nat64_db_bib_entry_by_index (db, ste->proto, ste->bibe_index);
477 if (ip6_address_is_equal (&bibe->in_addr, &ctx->src_addr)
478 && bibe->fib_index == ctx->fib_index)
480 clib_memset (&saddr, 0, sizeof (saddr));
481 saddr.ip4.as_u32 = bibe->out_addr.as_u32;
482 clib_memset (&daddr, 0, sizeof (daddr));
483 nat64_extract_ip4 (&ctx->dst_addr, &daddr.ip4, ctx->fib_index);
485 if (nat64_db_st_entry_find
486 (db, &daddr, &saddr, 0, 0, ctx->proto, ctx->fib_index, 0))
489 ctx->out_addr.as_u32 = bibe->out_addr.as_u32;
498 nat64_in2out_unk_proto (vlib_main_t * vm, vlib_buffer_t * p, u8 l4_protocol,
499 u16 l4_offset, u16 frag_hdr_offset,
500 nat64_in2out_set_ctx_t * s_ctx)
508 ip6 = vlib_buffer_get_current (p);
510 ip4 = (ip4_header_t *) u8_ptr_add (ip6, l4_offset - sizeof (*ip4));
512 vlib_buffer_advance (p, l4_offset - sizeof (*ip4));
514 if (PREDICT_FALSE (frag_hdr_offset))
516 //Only the first fragment
517 ip6_frag_hdr_t *hdr =
518 (ip6_frag_hdr_t *) u8_ptr_add (ip6, frag_hdr_offset);
519 fragment_id = frag_id_6to4 (hdr->identification);
520 frag_offset = ip6_frag_hdr_offset (hdr);
521 frag_more = ip6_frag_hdr_more (hdr);
530 nat64_main_t *nm = &nat64_main;
531 nat64_db_bib_entry_t *bibe;
532 nat64_db_st_entry_t *ste;
533 ip46_address_t saddr, daddr, addr;
534 u32 sw_if_index, fib_index;
536 nat64_db_t *db = &nm->db[s_ctx->thread_index];
538 sw_if_index = vnet_buffer (s_ctx->b)->sw_if_index[VLIB_RX];
540 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
542 saddr.as_u64[0] = ip6->src_address.as_u64[0];
543 saddr.as_u64[1] = ip6->src_address.as_u64[1];
544 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
545 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
548 nat64_db_st_entry_find (db, &saddr, &daddr, 0, 0, l4_protocol, fib_index,
553 bibe = nat64_db_bib_entry_by_index (db, l4_protocol, ste->bibe_index);
560 nat64_db_bib_entry_find (db, &saddr, 0, l4_protocol, fib_index, 1);
564 /* Choose same out address as for TCP/UDP session to same dst */
565 unk_proto_st_walk_ctx_t ctx = {
566 .src_addr.as_u64[0] = ip6->src_address.as_u64[0],
567 .src_addr.as_u64[1] = ip6->src_address.as_u64[1],
568 .dst_addr.as_u64[0] = ip6->dst_address.as_u64[0],
569 .dst_addr.as_u64[1] = ip6->dst_address.as_u64[1],
570 .out_addr.as_u32 = 0,
571 .fib_index = fib_index,
572 .proto = l4_protocol,
573 .thread_index = s_ctx->thread_index,
576 nat64_db_st_walk (db, IP_PROTOCOL_TCP, unk_proto_st_walk, &ctx);
578 if (!ctx.out_addr.as_u32)
579 nat64_db_st_walk (db, IP_PROTOCOL_UDP, unk_proto_st_walk, &ctx);
581 /* Verify if out address is not already in use for protocol */
582 clib_memset (&addr, 0, sizeof (addr));
583 addr.ip4.as_u32 = ctx.out_addr.as_u32;
584 if (nat64_db_bib_entry_find (db, &addr, 0, l4_protocol, 0, 0))
585 ctx.out_addr.as_u32 = 0;
587 if (!ctx.out_addr.as_u32)
589 for (i = 0; i < vec_len (nm->addr_pool); i++)
591 addr.ip4.as_u32 = nm->addr_pool[i].addr.as_u32;
592 if (!nat64_db_bib_entry_find
593 (db, &addr, 0, l4_protocol, 0, 0))
598 if (!ctx.out_addr.as_u32)
602 nat64_db_bib_entry_create (s_ctx->thread_index, db,
603 &ip6->src_address, &ctx.out_addr,
604 0, 0, fib_index, l4_protocol, 0);
608 vlib_set_simple_counter (&nm->total_bibs, s_ctx->thread_index, 0,
609 db->bib.bib_entries_num);
612 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
614 nat64_db_st_entry_create (s_ctx->thread_index, db, bibe,
615 &ip6->dst_address, &daddr.ip4, 0);
619 vlib_set_simple_counter (&nm->total_sessions, s_ctx->thread_index, 0,
620 db->st.st_entries_num);
623 nat64_session_reset_timeout (ste, s_ctx->vm);
625 ip4->src_address.as_u32 = bibe->out_addr.as_u32;
626 ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
628 ip4->ip_version_and_header_length =
629 IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
630 ip4->tos = ip6_translate_tos (ip6->ip_version_traffic_class_and_flow_label);
631 ip4->length = u16_net_add (ip6->payload_length,
632 sizeof (*ip4) + sizeof (*ip6) - l4_offset);
633 ip4->fragment_id = fragment_id;
634 ip4->flags_and_fragment_offset =
635 clib_host_to_net_u16 (frag_offset |
636 (frag_more ? IP4_HEADER_FLAG_MORE_FRAGMENTS : 0));
637 ip4->ttl = ip6->hop_limit;
638 ip4->protocol = l4_protocol;
639 ip4->checksum = ip4_header_checksum (ip4);
645 nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
646 ip6_header_t * ip6, u32 l4_offset,
649 nat64_main_t *nm = &nat64_main;
650 nat64_db_bib_entry_t *bibe;
651 nat64_db_st_entry_t *ste;
652 ip46_address_t saddr, daddr;
653 u32 sw_if_index, fib_index;
654 udp_header_t *udp = (udp_header_t *) u8_ptr_add (ip6, l4_offset);
655 tcp_header_t *tcp = (tcp_header_t *) u8_ptr_add (ip6, l4_offset);
656 u8 proto = vnet_buffer (b)->ip.reass.ip_proto;
657 u16 sport = vnet_buffer (b)->ip.reass.l4_src_port;
658 u16 dport = vnet_buffer (b)->ip.reass.l4_dst_port;
659 u16 *checksum = NULL;
661 nat64_db_t *db = &nm->db[thread_index];
663 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
665 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
667 saddr.as_u64[0] = ip6->src_address.as_u64[0];
668 saddr.as_u64[1] = ip6->src_address.as_u64[1];
669 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
670 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
672 if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
674 if (proto == IP_PROTOCOL_UDP)
675 checksum = &udp->checksum;
677 checksum = &tcp->checksum;
678 csum = ip_csum_sub_even (*checksum, ip6->src_address.as_u64[0]);
679 csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[1]);
680 csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[0]);
681 csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[1]);
685 nat64_db_st_entry_find (db, &saddr, &daddr, sport, dport, proto,
690 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
696 bibe = nat64_db_bib_entry_find (db, &saddr, sport, proto, fib_index, 1);
701 ip4_address_t out_addr;
702 if (nat64_alloc_out_addr_and_port
703 (fib_index, ip_proto_to_nat_proto (proto), &out_addr,
704 &out_port, thread_index))
708 nat64_db_bib_entry_create (thread_index, db, &ip6->src_address,
709 &out_addr, sport, out_port, fib_index,
714 vlib_set_simple_counter (&nm->total_bibs, thread_index, 0,
715 db->bib.bib_entries_num);
718 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
720 nat64_db_st_entry_create (thread_index, db, bibe, &ip6->dst_address,
725 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
726 db->st.st_entries_num);
729 if (proto == IP_PROTOCOL_TCP)
730 nat64_tcp_session_set_state (ste, tcp, 1);
732 nat64_session_reset_timeout (ste, vm);
734 if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
736 udp->src_port = bibe->out_port;
739 nat64_compose_ip6 (&ip6->src_address, &bibe->out_addr, fib_index);
741 clib_memset (&daddr, 0, sizeof (daddr));
742 daddr.ip4.as_u32 = ste->out_r_addr.as_u32;
745 vec_foreach (db, nm->db)
747 bibe = nat64_db_bib_entry_find (db, &daddr, dport, proto, 0, 0);
756 ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
757 ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
759 if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
761 csum = ip_csum_add_even (csum, ip6->src_address.as_u64[0]);
762 csum = ip_csum_add_even (csum, ip6->src_address.as_u64[1]);
763 csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[0]);
764 csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[1]);
765 csum = ip_csum_sub_even (csum, sport);
766 csum = ip_csum_sub_even (csum, dport);
767 udp->dst_port = bibe->in_port;
768 csum = ip_csum_add_even (csum, udp->src_port);
769 csum = ip_csum_add_even (csum, udp->dst_port);
770 *checksum = ip_csum_fold (csum);
777 nat64_in2out_icmp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
778 ip6_header_t * ip6, u32 thread_index)
780 nat64_main_t *nm = &nat64_main;
781 nat64_db_bib_entry_t *bibe;
782 nat64_db_st_entry_t *ste;
783 icmp46_header_t *icmp = ip6_next_header (ip6);
784 ip6_header_t *inner_ip6;
785 ip46_address_t saddr, daddr;
786 u32 sw_if_index, fib_index;
790 u16 *checksum, sport, dport;
792 nat64_db_t *db = &nm->db[thread_index];
794 if (icmp->type == ICMP6_echo_request || icmp->type == ICMP6_echo_reply)
797 inner_ip6 = (ip6_header_t *) u8_ptr_add (icmp, 8);
799 proto = inner_ip6->protocol;
801 if (proto == IP_PROTOCOL_ICMP6)
804 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
806 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
808 saddr.as_u64[0] = inner_ip6->src_address.as_u64[0];
809 saddr.as_u64[1] = inner_ip6->src_address.as_u64[1];
810 daddr.as_u64[0] = inner_ip6->dst_address.as_u64[0];
811 daddr.as_u64[1] = inner_ip6->dst_address.as_u64[1];
813 udp = ip6_next_header (inner_ip6);
814 tcp = ip6_next_header (inner_ip6);
816 sport = udp->src_port;
817 dport = udp->dst_port;
819 if (proto == IP_PROTOCOL_UDP)
820 checksum = &udp->checksum;
822 checksum = &tcp->checksum;
824 csum = ip_csum_sub_even (*checksum, inner_ip6->src_address.as_u64[0]);
825 csum = ip_csum_sub_even (csum, inner_ip6->src_address.as_u64[1]);
826 csum = ip_csum_sub_even (csum, inner_ip6->dst_address.as_u64[0]);
827 csum = ip_csum_sub_even (csum, inner_ip6->dst_address.as_u64[1]);
828 csum = ip_csum_sub_even (csum, sport);
829 csum = ip_csum_sub_even (csum, dport);
832 nat64_db_st_entry_find (db, &daddr, &saddr, dport, sport, proto,
837 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
841 dport = udp->dst_port = bibe->out_port;
842 nat64_compose_ip6 (&inner_ip6->dst_address, &bibe->out_addr, fib_index);
844 clib_memset (&saddr, 0, sizeof (saddr));
845 clib_memset (&daddr, 0, sizeof (daddr));
846 saddr.ip4.as_u32 = ste->out_r_addr.as_u32;
847 daddr.ip4.as_u32 = bibe->out_addr.as_u32;
850 vec_foreach (db, nm->db)
852 ste = nat64_db_st_entry_find (db, &saddr, &daddr, sport, dport, proto,
862 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
866 inner_ip6->src_address.as_u64[0] = bibe->in_addr.as_u64[0];
867 inner_ip6->src_address.as_u64[1] = bibe->in_addr.as_u64[1];
868 udp->src_port = bibe->in_port;
870 csum = ip_csum_add_even (csum, inner_ip6->src_address.as_u64[0]);
871 csum = ip_csum_add_even (csum, inner_ip6->src_address.as_u64[1]);
872 csum = ip_csum_add_even (csum, inner_ip6->dst_address.as_u64[0]);
873 csum = ip_csum_add_even (csum, inner_ip6->dst_address.as_u64[1]);
874 csum = ip_csum_add_even (csum, udp->src_port);
875 csum = ip_csum_add_even (csum, udp->dst_port);
876 *checksum = ip_csum_fold (csum);
878 if (!vec_len (nm->addr_pool))
881 nat64_compose_ip6 (&ip6->src_address, &nm->addr_pool[0].addr, fib_index);
882 ip6->dst_address.as_u64[0] = inner_ip6->src_address.as_u64[0];
883 ip6->dst_address.as_u64[1] = inner_ip6->src_address.as_u64[1];
886 csum = ip_csum_with_carry (0, ip6->payload_length);
887 csum = ip_csum_with_carry (csum, clib_host_to_net_u16 (ip6->protocol));
888 csum = ip_csum_with_carry (csum, ip6->src_address.as_u64[0]);
889 csum = ip_csum_with_carry (csum, ip6->src_address.as_u64[1]);
890 csum = ip_csum_with_carry (csum, ip6->dst_address.as_u64[0]);
891 csum = ip_csum_with_carry (csum, ip6->dst_address.as_u64[1]);
893 ip_incremental_checksum (csum, icmp,
894 clib_net_to_host_u16 (ip6->payload_length));
895 icmp->checksum = ~ip_csum_fold (csum);
901 nat64_in2out_unk_proto_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
902 ip6_header_t * ip6, u32 thread_index)
904 nat64_main_t *nm = &nat64_main;
905 nat64_db_bib_entry_t *bibe;
906 nat64_db_st_entry_t *ste;
907 ip46_address_t saddr, daddr, addr;
908 u32 sw_if_index, fib_index;
909 u8 proto = ip6->protocol;
911 nat64_db_t *db = &nm->db[thread_index];
913 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
915 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
917 saddr.as_u64[0] = ip6->src_address.as_u64[0];
918 saddr.as_u64[1] = ip6->src_address.as_u64[1];
919 daddr.as_u64[0] = ip6->dst_address.as_u64[0];
920 daddr.as_u64[1] = ip6->dst_address.as_u64[1];
923 nat64_db_st_entry_find (db, &saddr, &daddr, 0, 0, proto, fib_index, 1);
927 bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
933 bibe = nat64_db_bib_entry_find (db, &saddr, 0, proto, fib_index, 1);
937 /* Choose same out address as for TCP/UDP session to same dst */
938 unk_proto_st_walk_ctx_t ctx = {
939 .src_addr.as_u64[0] = ip6->src_address.as_u64[0],
940 .src_addr.as_u64[1] = ip6->src_address.as_u64[1],
941 .dst_addr.as_u64[0] = ip6->dst_address.as_u64[0],
942 .dst_addr.as_u64[1] = ip6->dst_address.as_u64[1],
943 .out_addr.as_u32 = 0,
944 .fib_index = fib_index,
946 .thread_index = thread_index,
949 nat64_db_st_walk (db, IP_PROTOCOL_TCP, unk_proto_st_walk, &ctx);
951 if (!ctx.out_addr.as_u32)
952 nat64_db_st_walk (db, IP_PROTOCOL_UDP, unk_proto_st_walk, &ctx);
954 /* Verify if out address is not already in use for protocol */
955 clib_memset (&addr, 0, sizeof (addr));
956 addr.ip4.as_u32 = ctx.out_addr.as_u32;
957 if (nat64_db_bib_entry_find (db, &addr, 0, proto, 0, 0))
958 ctx.out_addr.as_u32 = 0;
960 if (!ctx.out_addr.as_u32)
962 for (i = 0; i < vec_len (nm->addr_pool); i++)
964 addr.ip4.as_u32 = nm->addr_pool[i].addr.as_u32;
965 if (!nat64_db_bib_entry_find (db, &addr, 0, proto, 0, 0))
970 if (!ctx.out_addr.as_u32)
974 nat64_db_bib_entry_create (thread_index, db, &ip6->src_address,
975 &ctx.out_addr, 0, 0, fib_index, proto,
980 vlib_set_simple_counter (&nm->total_bibs, thread_index, 0,
981 db->bib.bib_entries_num);
984 nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
986 nat64_db_st_entry_create (thread_index, db, bibe, &ip6->dst_address,
991 vlib_set_simple_counter (&nm->total_sessions, thread_index, 0,
992 db->st.st_entries_num);
995 nat64_session_reset_timeout (ste, vm);
997 nat64_compose_ip6 (&ip6->src_address, &bibe->out_addr, fib_index);
999 clib_memset (&daddr, 0, sizeof (daddr));
1000 daddr.ip4.as_u32 = ste->out_r_addr.as_u32;
1003 vec_foreach (db, nm->db)
1005 bibe = nat64_db_bib_entry_find (db, &daddr, 0, proto, 0, 0);
1014 ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
1015 ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
1021 nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
1022 vlib_frame_t * frame, u8 is_slow_path)
1024 u32 n_left_from, *from, *to_next;
1025 nat64_in2out_next_t next_index;
1026 u32 thread_index = vm->thread_index;
1027 nat64_main_t *nm = &nat64_main;
1029 from = vlib_frame_vector_args (frame);
1030 n_left_from = frame->n_vectors;
1031 next_index = node->cached_next_index;
1033 while (n_left_from > 0)
1037 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1039 while (n_left_from > 0 && n_left_to_next > 0)
1045 u16 l4_offset0, frag_hdr_offset0;
1048 nat64_in2out_set_ctx_t ctx0;
1051 /* speculatively enqueue b0 to the current next frame */
1057 n_left_to_next -= 1;
1059 b0 = vlib_get_buffer (vm, bi0);
1060 ip60 = vlib_buffer_get_current (b0);
1062 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1066 ctx0.thread_index = thread_index;
1068 next0 = NAT64_IN2OUT_NEXT_IP4_LOOKUP;
1072 (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0,
1073 &frag_hdr_offset0)))
1075 next0 = NAT64_IN2OUT_NEXT_DROP;
1076 b0->error = node->errors[NAT64_IN2OUT_ERROR_UNKNOWN];
1080 if (nat64_not_translate (sw_if_index0, ip60->dst_address))
1082 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1086 proto0 = ip_proto_to_nat_proto (l4_protocol0);
1090 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_OTHER))
1092 vlib_increment_simple_counter (&nm->counters.in2out.other,
1093 thread_index, sw_if_index0,
1095 if (is_hairpinning (&ip60->dst_address))
1097 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1098 if (nat64_in2out_unk_proto_hairpinning
1099 (vm, b0, ip60, thread_index))
1101 next0 = NAT64_IN2OUT_NEXT_DROP;
1103 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1108 if (nat64_in2out_unk_proto
1109 (vm, b0, l4_protocol0, l4_offset0, frag_hdr_offset0,
1112 next0 = NAT64_IN2OUT_NEXT_DROP;
1114 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1122 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1124 next0 = NAT64_IN2OUT_NEXT_SLOWPATH;
1129 if (proto0 == NAT_PROTOCOL_ICMP)
1131 vlib_increment_simple_counter (&nm->counters.in2out.icmp,
1132 thread_index, sw_if_index0, 1);
1133 if (is_hairpinning (&ip60->dst_address))
1135 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1136 if (nat64_in2out_icmp_hairpinning
1137 (vm, b0, ip60, thread_index))
1139 next0 = NAT64_IN2OUT_NEXT_DROP;
1141 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1147 (vm, b0, nat64_in2out_icmp_set_cb, &ctx0,
1148 nat64_in2out_inner_icmp_set_cb, &ctx0))
1150 next0 = NAT64_IN2OUT_NEXT_DROP;
1151 b0->error = node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1155 else if (proto0 == NAT_PROTOCOL_TCP || proto0 == NAT_PROTOCOL_UDP)
1157 if (proto0 == NAT_PROTOCOL_TCP)
1158 vlib_increment_simple_counter (&nm->counters.in2out.tcp,
1159 thread_index, sw_if_index0, 1);
1161 vlib_increment_simple_counter (&nm->counters.in2out.udp,
1162 thread_index, sw_if_index0, 1);
1164 if (is_hairpinning (&ip60->dst_address))
1166 next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
1167 if (nat64_in2out_tcp_udp_hairpinning
1168 (vm, b0, ip60, l4_offset0, thread_index))
1170 next0 = NAT64_IN2OUT_NEXT_DROP;
1172 node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1177 if (nat64_in2out_tcp_udp
1178 (vm, b0, l4_offset0, frag_hdr_offset0, &ctx0))
1180 next0 = NAT64_IN2OUT_NEXT_DROP;
1181 b0->error = node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
1187 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1188 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1190 nat64_in2out_trace_t *t =
1191 vlib_add_trace (vm, node, b0, sizeof (*t));
1192 t->sw_if_index = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1193 t->next_index = next0;
1194 t->is_slow_path = is_slow_path;
1197 if (next0 == NAT64_IN2OUT_NEXT_DROP)
1199 vlib_increment_simple_counter (&nm->counters.in2out.drops,
1200 thread_index, sw_if_index0, 1);
1204 /* verify speculative enqueue, maybe switch current next frame */
1205 vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
1206 n_left_to_next, bi0, next0);
1208 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1211 return frame->n_vectors;
1214 VLIB_NODE_FN (nat64_in2out_node) (vlib_main_t * vm,
1215 vlib_node_runtime_t * node,
1216 vlib_frame_t * frame)
1218 return nat64_in2out_node_fn_inline (vm, node, frame, 0);
1221 VLIB_REGISTER_NODE (nat64_in2out_node) = {
1222 .name = "nat64-in2out",
1223 .vector_size = sizeof (u32),
1224 .format_trace = format_nat64_in2out_trace,
1225 .type = VLIB_NODE_TYPE_INTERNAL,
1226 .n_errors = ARRAY_LEN (nat64_in2out_error_strings),
1227 .error_strings = nat64_in2out_error_strings,
1228 .n_next_nodes = NAT64_IN2OUT_N_NEXT,
1229 /* edit / add dispositions here */
1231 [NAT64_IN2OUT_NEXT_DROP] = "error-drop",
1232 [NAT64_IN2OUT_NEXT_IP4_LOOKUP] = "ip4-lookup",
1233 [NAT64_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup",
1234 [NAT64_IN2OUT_NEXT_SLOWPATH] = "nat64-in2out-slowpath",
1238 VLIB_NODE_FN (nat64_in2out_slowpath_node) (vlib_main_t * vm,
1239 vlib_node_runtime_t * node,
1240 vlib_frame_t * frame)
1242 return nat64_in2out_node_fn_inline (vm, node, frame, 1);
1245 VLIB_REGISTER_NODE (nat64_in2out_slowpath_node) = {
1246 .name = "nat64-in2out-slowpath",
1247 .vector_size = sizeof (u32),
1248 .format_trace = format_nat64_in2out_trace,
1249 .type = VLIB_NODE_TYPE_INTERNAL,
1250 .n_errors = ARRAY_LEN (nat64_in2out_error_strings),
1251 .error_strings = nat64_in2out_error_strings,
1252 .n_next_nodes = NAT64_IN2OUT_N_NEXT,
1253 /* edit / add dispositions here */
1255 [NAT64_IN2OUT_NEXT_DROP] = "error-drop",
1256 [NAT64_IN2OUT_NEXT_IP4_LOOKUP] = "ip4-lookup",
1257 [NAT64_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup",
1258 [NAT64_IN2OUT_NEXT_SLOWPATH] = "nat64-in2out-slowpath",
1262 typedef struct nat64_in2out_frag_set_ctx_t_
1270 } nat64_in2out_frag_set_ctx_t;
1273 #define foreach_nat64_in2out_handoff_error \
1274 _(CONGESTION_DROP, "congestion drop") \
1275 _(SAME_WORKER, "same worker") \
1276 _(DO_HANDOFF, "do handoff")
1280 #define _(sym,str) NAT64_IN2OUT_HANDOFF_ERROR_##sym,
1281 foreach_nat64_in2out_handoff_error
1283 NAT64_IN2OUT_HANDOFF_N_ERROR,
1284 } nat64_in2out_handoff_error_t;
1286 static char *nat64_in2out_handoff_error_strings[] = {
1287 #define _(sym,string) string,
1288 foreach_nat64_in2out_handoff_error
1294 u32 next_worker_index;
1295 } nat64_in2out_handoff_trace_t;
1298 format_nat64_in2out_handoff_trace (u8 * s, va_list * args)
1300 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1301 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1302 nat64_in2out_handoff_trace_t *t =
1303 va_arg (*args, nat64_in2out_handoff_trace_t *);
1306 format (s, "NAT64-IN2OUT-HANDOFF: next-worker %d", t->next_worker_index);
1311 VLIB_NODE_FN (nat64_in2out_handoff_node) (vlib_main_t * vm,
1312 vlib_node_runtime_t * node,
1313 vlib_frame_t * frame)
1315 nat64_main_t *nm = &nat64_main;
1316 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
1317 u32 n_enq, n_left_from, *from;
1318 u16 thread_indices[VLIB_FRAME_SIZE], *ti;
1320 u32 thread_index = vm->thread_index;
1321 u32 do_handoff = 0, same_worker = 0;
1323 from = vlib_frame_vector_args (frame);
1324 n_left_from = frame->n_vectors;
1325 vlib_get_buffers (vm, from, bufs, n_left_from);
1328 ti = thread_indices;
1330 fq_index = nm->fq_in2out_index;
1332 while (n_left_from > 0)
1336 ip0 = vlib_buffer_get_current (b[0]);
1337 ti[0] = nat64_get_worker_in2out (&ip0->src_address);
1339 if (ti[0] != thread_index)
1345 ((node->flags & VLIB_NODE_FLAG_TRACE)
1346 && (b[0]->flags & VLIB_BUFFER_IS_TRACED)))
1348 nat64_in2out_handoff_trace_t *t =
1349 vlib_add_trace (vm, node, b[0], sizeof (*t));
1350 t->next_worker_index = ti[0];
1358 n_enq = vlib_buffer_enqueue_to_thread (vm, node, fq_index, from,
1359 thread_indices, frame->n_vectors, 1);
1361 if (n_enq < frame->n_vectors)
1362 vlib_node_increment_counter (vm, node->node_index,
1363 NAT64_IN2OUT_HANDOFF_ERROR_CONGESTION_DROP,
1364 frame->n_vectors - n_enq);
1365 vlib_node_increment_counter (vm, node->node_index,
1366 NAT64_IN2OUT_HANDOFF_ERROR_SAME_WORKER,
1368 vlib_node_increment_counter (vm, node->node_index,
1369 NAT64_IN2OUT_HANDOFF_ERROR_DO_HANDOFF,
1372 return frame->n_vectors;
1375 VLIB_REGISTER_NODE (nat64_in2out_handoff_node) = {
1376 .name = "nat64-in2out-handoff",
1377 .vector_size = sizeof (u32),
1378 .format_trace = format_nat64_in2out_handoff_trace,
1379 .type = VLIB_NODE_TYPE_INTERNAL,
1380 .n_errors = ARRAY_LEN(nat64_in2out_handoff_error_strings),
1381 .error_strings = nat64_in2out_handoff_error_strings,
1391 * fd.io coding-style-patch-verification: ON
1394 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob