2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
24 #include <vnet/ip/ip.h>
25 #include <vnet/udp/udp.h>
26 #include <vnet/ethernet/ethernet.h>
27 #include <vnet/fib/ip4_fib.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat44/inlines.h>
32 #include <nat/nat_syslog.h>
33 #include <nat/nat_ha.h>
35 #include <vppinfra/hash.h>
36 #include <vppinfra/error.h>
37 #include <vppinfra/elog.h>
44 } snat_out2in_trace_t;
46 /* packet trace format function */
48 format_snat_out2in_trace (u8 * s, va_list * args)
50 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
51 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
52 snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *);
56 "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
57 t->sw_if_index, t->next_index, t->session_index);
62 format_snat_out2in_fast_trace (u8 * s, va_list * args)
64 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
65 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
66 snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *);
68 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
69 t->sw_if_index, t->next_index);
73 #define foreach_snat_out2in_error \
74 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
75 _(OUT2IN_PACKETS, "good out2in packets processed") \
76 _(OUT_OF_PORTS, "out of ports") \
77 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
78 _(NO_TRANSLATION, "no translation") \
79 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
80 _(DROP_FRAGMENT, "drop fragment") \
81 _(MAX_REASS, "maximum reassemblies exceeded") \
82 _(MAX_FRAG, "maximum fragments per reassembly exceeded")\
83 _(TCP_PACKETS, "TCP packets") \
84 _(UDP_PACKETS, "UDP packets") \
85 _(ICMP_PACKETS, "ICMP packets") \
86 _(OTHER_PACKETS, "other protocol packets") \
87 _(FRAGMENTS, "fragments") \
88 _(CACHED_FRAGMENTS, "cached fragments") \
89 _(PROCESSED_FRAGMENTS, "processed fragments")
93 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
94 foreach_snat_out2in_error
97 } snat_out2in_error_t;
99 static char *snat_out2in_error_strings[] = {
100 #define _(sym,string) string,
101 foreach_snat_out2in_error
107 SNAT_OUT2IN_NEXT_DROP,
108 SNAT_OUT2IN_NEXT_LOOKUP,
109 SNAT_OUT2IN_NEXT_ICMP_ERROR,
111 } snat_out2in_next_t;
113 #ifndef CLIB_MARCH_VARIANT
115 nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
117 snat_main_t *sm = &snat_main;
118 nat44_is_idle_session_ctx_t *ctx = arg;
120 u64 sess_timeout_time;
121 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
123 clib_bihash_kv_8_8_t s_kv;
125 s = pool_elt_at_index (tsm->sessions, kv->value);
126 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
127 if (ctx->now >= sess_timeout_time)
129 init_nat_i2o_k (&s_kv, s);
130 if (clib_bihash_add_del_8_8 (&tsm->in2out, &s_kv, 0))
131 nat_elog_warn ("out2in key del failed");
133 snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
134 s->in2out.addr.as_u32,
135 s->out2in.addr.as_u32,
139 s->in2out.fib_index);
141 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
142 &s->in2out.addr, s->in2out.port,
143 &s->out2in.addr, s->out2in.port, s->nat_proto);
145 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
146 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
149 if (!snat_is_session_static (s))
150 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
151 &s->out2in.addr, s->out2in.port,
154 nat44_delete_session (sm, s, ctx->thread_index);
163 * @brief Create session for static mapping.
165 * Create NAT session initiated by host from external network with static
168 * @param sm NAT main.
169 * @param b0 Vlib buffer.
170 * @param in2out In2out NAT44 session key.
171 * @param out2in Out2in NAT44 session key.
172 * @param node Vlib node.
174 * @returns SNAT session if successfully created otherwise 0.
176 static inline snat_session_t *
177 create_session_for_static_mapping (snat_main_t * sm,
179 ip4_address_t i2o_addr,
182 ip4_address_t o2i_addr,
185 nat_protocol_t proto,
186 vlib_node_runtime_t * node,
187 u32 thread_index, f64 now)
191 clib_bihash_kv_8_8_t kv0;
194 nat44_is_idle_session_ctx_t ctx0;
196 if (PREDICT_FALSE (nat44_maximum_sessions_exceeded (sm, thread_index)))
198 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
199 nat_elog_notice ("maximum sessions exceeded");
203 ip0 = vlib_buffer_get_current (b0);
204 udp0 = ip4_next_header (ip0);
206 u = nat_user_get_or_create (sm, &i2o_addr, i2o_fib_index, thread_index);
209 nat_elog_warn ("create NAT user failed");
213 s = nat_session_alloc_or_recycle (sm, u, thread_index, now);
216 nat44_delete_user_with_no_session (sm, u, thread_index);
217 nat_elog_warn ("create NAT session failed");
221 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
222 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
223 s->ext_host_port = udp0->src_port;
224 user_session_increment (sm, u, 1 /* static */ );
225 s->in2out.addr = i2o_addr;
226 s->in2out.port = i2o_port;
227 s->in2out.fib_index = i2o_fib_index;
228 s->out2in.addr = o2i_addr;
229 s->out2in.port = o2i_port;
230 s->out2in.fib_index = o2i_fib_index;
231 s->nat_proto = proto;
233 /* Add to translation hashes */
235 ctx0.thread_index = thread_index;
236 init_nat_i2o_kv (&kv0, s, s - sm->per_thread_data[thread_index].sessions);
237 if (clib_bihash_add_or_overwrite_stale_8_8
238 (&sm->per_thread_data[thread_index].in2out, &kv0,
239 nat44_i2o_is_idle_session_cb, &ctx0))
240 nat_elog_notice ("in2out key add failed");
242 init_nat_o2i_kv (&kv0, s, s - sm->per_thread_data[thread_index].sessions);
243 if (clib_bihash_add_or_overwrite_stale_8_8
244 (&sm->per_thread_data[thread_index].out2in, &kv0,
245 nat44_o2i_is_idle_session_cb, &ctx0))
246 nat_elog_notice ("out2in key add failed");
249 snat_ipfix_logging_nat44_ses_create (thread_index,
250 s->in2out.addr.as_u32,
251 s->out2in.addr.as_u32,
254 s->out2in.port, s->in2out.fib_index);
256 nat_syslog_nat44_apmadd (s->user_index, s->in2out.fib_index,
257 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
258 s->out2in.port, s->nat_proto);
260 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
261 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
262 &s->ext_host_nat_addr, s->ext_host_nat_port,
263 s->nat_proto, s->in2out.fib_index, s->flags, thread_index, 0);
268 #ifndef CLIB_MARCH_VARIANT
269 static_always_inline snat_out2in_error_t
270 icmp_get_key (vlib_buffer_t * b, ip4_header_t * ip0,
271 ip4_address_t * addr, u16 * port, nat_protocol_t * nat_proto)
273 icmp46_header_t *icmp0;
274 icmp_echo_header_t *echo0, *inner_echo0 = 0;
275 ip4_header_t *inner_ip0;
277 icmp46_header_t *inner_icmp0;
279 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
280 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
282 if (!icmp_type_is_error_message
283 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
285 *nat_proto = NAT_PROTOCOL_ICMP;
286 *addr = ip0->dst_address;
287 *port = vnet_buffer (b)->ip.reass.l4_src_port;
291 inner_ip0 = (ip4_header_t *) (echo0 + 1);
292 l4_header = ip4_next_header (inner_ip0);
293 *nat_proto = ip_proto_to_nat_proto (inner_ip0->protocol);
294 *addr = inner_ip0->src_address;
297 case NAT_PROTOCOL_ICMP:
298 inner_icmp0 = (icmp46_header_t *) l4_header;
299 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
300 *port = inner_echo0->identifier;
302 case NAT_PROTOCOL_UDP:
303 case NAT_PROTOCOL_TCP:
304 *port = ((tcp_udp_header_t *) l4_header)->src_port;
307 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
310 return -1; /* success */
314 * Get address and port values to be used for ICMP packet translation
315 * and create session if needed
317 * @param[in,out] sm NAT main
318 * @param[in,out] node NAT node runtime
319 * @param[in] thread_index thread index
320 * @param[in,out] b0 buffer containing packet to be translated
321 * @param[in,out] ip0 ip header
322 * @param[out] p_proto protocol used for matching
323 * @param[out] p_value address and port after NAT translation
324 * @param[out] p_dont_translate if packet should not be translated
325 * @param d optional parameter
326 * @param e optional parameter
329 icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
330 u32 thread_index, vlib_buffer_t * b0,
331 ip4_header_t * ip0, ip4_address_t * addr,
332 u16 * port, u32 * fib_index,
333 nat_protocol_t * proto, void *d, void *e,
336 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
338 snat_session_t *s0 = 0;
339 clib_bihash_kv_8_8_t kv0, value0;
344 vlib_main_t *vm = vlib_get_main ();
347 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
348 *fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
352 err = icmp_get_key (b0, ip0, addr, port, proto);
355 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
356 next0 = SNAT_OUT2IN_NEXT_DROP;
360 ip4_address_t mapping_addr;
362 u32 mapping_fib_index;
364 init_nat_k (&kv0, *addr, *port, *fib_index, *proto);
365 if (clib_bihash_search_8_8 (&tsm->out2in, &kv0, &value0))
367 /* Try to match static mapping by external address and port,
368 destination address and port in packet */
369 if (snat_static_mapping_match
370 (sm, *addr, *port, *fib_index, *proto,
371 &mapping_addr, &mapping_port, &mapping_fib_index, 1, &is_addr_only,
372 0, 0, 0, &identity_nat))
374 if (!sm->forwarding_enabled)
376 /* Don't NAT packet aimed at the intfc address */
377 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0,
378 ip0->dst_address.as_u32)))
383 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
384 next0 = SNAT_OUT2IN_NEXT_DROP;
395 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
397 && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
398 ICMP4_echo_request || !is_addr_only)))
400 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
401 next0 = SNAT_OUT2IN_NEXT_DROP;
405 if (PREDICT_FALSE (identity_nat))
410 /* Create session initiated by host from external network */
412 create_session_for_static_mapping (sm, b0, mapping_addr, mapping_port,
413 mapping_fib_index, *addr, *port,
414 *fib_index, *proto, node,
415 thread_index, vlib_time_now (vm));
419 next0 = SNAT_OUT2IN_NEXT_DROP;
426 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
428 && vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
430 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
431 reass.icmp_type_or_tcp_flags)))
433 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
434 next0 = SNAT_OUT2IN_NEXT_DROP;
438 s0 = pool_elt_at_index (tsm->sessions, value0.value);
444 *addr = s0->in2out.addr;
445 *port = s0->in2out.port;
446 *fib_index = s0->in2out.fib_index;
449 *(snat_session_t **) d = s0;
454 #ifndef CLIB_MARCH_VARIANT
456 * Get address and port values to be used for ICMP packet translation
458 * @param[in] sm NAT main
459 * @param[in,out] node NAT node runtime
460 * @param[in] thread_index thread index
461 * @param[in,out] b0 buffer containing packet to be translated
462 * @param[in,out] ip0 ip header
463 * @param[out] p_proto protocol used for matching
464 * @param[out] p_value address and port after NAT translation
465 * @param[out] p_dont_translate if packet should not be translated
466 * @param d optional parameter
467 * @param e optional parameter
470 icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
471 u32 thread_index, vlib_buffer_t * b0,
472 ip4_header_t * ip0, ip4_address_t * mapping_addr,
473 u16 * mapping_port, u32 * mapping_fib_index,
474 nat_protocol_t * proto, void *d, void *e,
486 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
487 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
489 err = icmp_get_key (b0, ip0, &addr, &port, proto);
492 b0->error = node->errors[err];
493 next0 = SNAT_OUT2IN_NEXT_DROP;
496 if (snat_static_mapping_match
497 (sm, addr, port, rx_fib_index0, *proto, mapping_addr, mapping_port,
498 mapping_fib_index, 1, &is_addr_only, 0, 0, 0, 0))
500 /* Don't NAT packet aimed at the intfc address */
501 if (is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32))
506 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
507 next0 = SNAT_OUT2IN_NEXT_DROP;
512 (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_reply
513 && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
514 ICMP4_echo_request || !is_addr_only)
515 && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
516 reass.icmp_type_or_tcp_flags)))
518 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
519 next0 = SNAT_OUT2IN_NEXT_DROP;
528 #ifndef CLIB_MARCH_VARIANT
530 icmp_out2in (snat_main_t * sm,
533 icmp46_header_t * icmp0,
536 vlib_node_runtime_t * node,
537 u32 next0, u32 thread_index, void *d, void *e)
539 icmp_echo_header_t *echo0, *inner_echo0 = 0;
540 ip4_header_t *inner_ip0 = 0;
542 icmp46_header_t *inner_icmp0;
544 u32 new_addr0, old_addr0;
545 u16 old_id0, new_id0;
549 vlib_main_t *vm = vlib_get_main ();
553 nat_protocol_t proto;
555 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
557 next0_tmp = sm->icmp_match_out2in_cb (sm, node, thread_index, b0, ip0,
558 &addr, &port, &fib_index, &proto,
559 d, e, &dont_translate);
562 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
565 if (PREDICT_TRUE (!ip4_is_fragment (ip0)))
568 ip_incremental_checksum_buffer (vm, b0,
570 (u8 *) vlib_buffer_get_current (b0),
571 ntohs (ip0->length) -
572 ip4_header_bytes (ip0), 0);
573 checksum0 = ~ip_csum_fold (sum0);
574 if (checksum0 != 0 && checksum0 != 0xffff)
576 next0 = SNAT_OUT2IN_NEXT_DROP;
581 old_addr0 = ip0->dst_address.as_u32;
582 new_addr0 = ip0->dst_address.as_u32 = addr.as_u32;
583 vnet_buffer (b0)->sw_if_index[VLIB_TX] = fib_index;
585 sum0 = ip0->checksum;
586 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
587 dst_address /* changed member */ );
588 ip0->checksum = ip_csum_fold (sum0);
591 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
593 if (icmp0->checksum == 0)
594 icmp0->checksum = 0xffff;
596 if (!icmp_type_is_error_message (icmp0->type))
599 if (PREDICT_FALSE (new_id0 != echo0->identifier))
601 old_id0 = echo0->identifier;
603 echo0->identifier = new_id0;
605 sum0 = icmp0->checksum;
607 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
608 identifier /* changed member */ );
609 icmp0->checksum = ip_csum_fold (sum0);
614 inner_ip0 = (ip4_header_t *) (echo0 + 1);
615 l4_header = ip4_next_header (inner_ip0);
617 if (!ip4_header_checksum_is_valid (inner_ip0))
619 next0 = SNAT_OUT2IN_NEXT_DROP;
623 old_addr0 = inner_ip0->src_address.as_u32;
624 inner_ip0->src_address = addr;
625 new_addr0 = inner_ip0->src_address.as_u32;
627 sum0 = icmp0->checksum;
628 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
629 src_address /* changed member */ );
630 icmp0->checksum = ip_csum_fold (sum0);
634 case NAT_PROTOCOL_ICMP:
635 inner_icmp0 = (icmp46_header_t *) l4_header;
636 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
638 old_id0 = inner_echo0->identifier;
640 inner_echo0->identifier = new_id0;
642 sum0 = icmp0->checksum;
644 ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
646 icmp0->checksum = ip_csum_fold (sum0);
648 case NAT_PROTOCOL_UDP:
649 case NAT_PROTOCOL_TCP:
650 old_id0 = ((tcp_udp_header_t *) l4_header)->src_port;
652 ((tcp_udp_header_t *) l4_header)->src_port = new_id0;
654 sum0 = icmp0->checksum;
655 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
657 icmp0->checksum = ip_csum_fold (sum0);
671 icmp_out2in_slow_path (snat_main_t * sm,
674 icmp46_header_t * icmp0,
677 vlib_node_runtime_t * node,
679 u32 thread_index, snat_session_t ** p_s0)
681 vlib_main_t *vm = vlib_get_main ();
683 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
684 next0, thread_index, p_s0, 0);
685 snat_session_t *s0 = *p_s0;
686 if (PREDICT_TRUE (next0 != SNAT_OUT2IN_NEXT_DROP && s0))
689 nat44_session_update_counters (s0, now,
690 vlib_buffer_length_in_chain
691 (vm, b0), thread_index);
692 /* Per-user LRU list maintenance */
693 nat44_session_update_lru (sm, s0, thread_index);
699 nat_out2in_sm_unknown_proto (snat_main_t * sm,
701 ip4_header_t * ip, u32 rx_fib_index)
703 clib_bihash_kv_8_8_t kv, value;
704 snat_static_mapping_t *m;
705 u32 old_addr, new_addr;
708 init_nat_k (&kv, ip->dst_address, 0, 0, 0);
709 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
712 m = pool_elt_at_index (sm->static_mappings, value.value);
714 old_addr = ip->dst_address.as_u32;
715 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
717 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
718 ip->checksum = ip_csum_fold (sum);
720 vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index;
724 VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
725 vlib_node_runtime_t * node,
726 vlib_frame_t * frame)
728 u32 n_left_from, *from, *to_next;
729 snat_out2in_next_t next_index;
730 u32 pkts_processed = 0;
731 snat_main_t *sm = &snat_main;
732 f64 now = vlib_time_now (vm);
733 u32 thread_index = vm->thread_index;
734 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
735 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
738 from = vlib_frame_vector_args (frame);
739 n_left_from = frame->n_vectors;
740 next_index = node->cached_next_index;
742 while (n_left_from > 0)
746 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
748 while (n_left_from >= 4 && n_left_to_next >= 2)
751 vlib_buffer_t *b0, *b1;
752 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
753 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
754 u32 sw_if_index0, sw_if_index1;
755 ip4_header_t *ip0, *ip1;
756 ip_csum_t sum0, sum1;
757 u32 new_addr0, old_addr0;
758 u16 new_port0, old_port0;
759 u32 new_addr1, old_addr1;
760 u16 new_port1, old_port1;
761 udp_header_t *udp0, *udp1;
762 tcp_header_t *tcp0, *tcp1;
763 icmp46_header_t *icmp0, *icmp1;
764 u32 rx_fib_index0, rx_fib_index1;
766 snat_session_t *s0 = 0, *s1 = 0;
767 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
768 u8 identity_nat0, identity_nat1;
769 ip4_address_t sm_addr0, sm_addr1;
770 u16 sm_port0, sm_port1;
771 u32 sm_fib_index0, sm_fib_index1;
773 /* Prefetch next iteration. */
775 vlib_buffer_t *p2, *p3;
777 p2 = vlib_get_buffer (vm, from[2]);
778 p3 = vlib_get_buffer (vm, from[3]);
780 vlib_prefetch_buffer_header (p2, LOAD);
781 vlib_prefetch_buffer_header (p3, LOAD);
783 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, LOAD);
784 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, LOAD);
787 /* speculatively enqueue b0 and b1 to the current next frame */
788 to_next[0] = bi0 = from[0];
789 to_next[1] = bi1 = from[1];
795 b0 = vlib_get_buffer (vm, bi0);
796 b1 = vlib_get_buffer (vm, bi1);
798 vnet_buffer (b0)->snat.flags = 0;
799 vnet_buffer (b1)->snat.flags = 0;
801 ip0 = vlib_buffer_get_current (b0);
802 udp0 = ip4_next_header (ip0);
803 tcp0 = (tcp_header_t *) udp0;
804 icmp0 = (icmp46_header_t *) udp0;
806 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
807 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
810 if (PREDICT_FALSE (ip0->ttl == 1))
812 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
813 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
814 ICMP4_time_exceeded_ttl_exceeded_in_transit,
816 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
820 proto0 = ip_proto_to_nat_proto (ip0->protocol);
822 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
824 if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
826 if (!sm->forwarding_enabled)
829 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
830 next0 = SNAT_OUT2IN_NEXT_DROP;
837 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
839 next0 = icmp_out2in_slow_path
840 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
841 next0, now, thread_index, &s0);
846 init_nat_k (&kv0, ip0->dst_address,
847 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
849 if (clib_bihash_search_8_8
850 (&sm->per_thread_data[thread_index].out2in, &kv0, &value0))
852 /* Try to match static mapping by external address and port,
853 destination address and port in packet */
854 if (snat_static_mapping_match
855 (sm, ip0->dst_address,
856 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
857 proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0,
861 * Send DHCP packets to the ipv4 stack, or we won't
862 * be able to use dhcp client on the outside interface
865 (proto0 == NAT_PROTOCOL_UDP
866 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
868 (UDP_DST_PORT_dhcp_to_client))))
870 vnet_feature_next (&next0, b0);
874 if (!sm->forwarding_enabled)
877 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
878 next0 = SNAT_OUT2IN_NEXT_DROP;
883 if (PREDICT_FALSE (identity_nat0))
886 /* Create session initiated by host from external network */
887 s0 = create_session_for_static_mapping (sm, b0,
892 ip.reass.l4_dst_port,
893 rx_fib_index0, proto0,
898 next0 = SNAT_OUT2IN_NEXT_DROP;
903 s0 = pool_elt_at_index (tsm->sessions, value0.value);
905 old_addr0 = ip0->dst_address.as_u32;
906 ip0->dst_address = s0->in2out.addr;
907 new_addr0 = ip0->dst_address.as_u32;
908 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
910 sum0 = ip0->checksum;
911 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
913 dst_address /* changed member */ );
914 ip0->checksum = ip_csum_fold (sum0);
916 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
918 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
920 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
921 new_port0 = udp0->dst_port = s0->in2out.port;
922 sum0 = tcp0->checksum;
923 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
925 dst_address /* changed member */ );
927 sum0 = ip_csum_update (sum0, old_port0, new_port0,
928 ip4_header_t /* cheat */ ,
929 length /* changed member */ );
930 tcp0->checksum = ip_csum_fold (sum0);
936 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
938 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
939 new_port0 = udp0->dst_port = s0->in2out.port;
940 if (PREDICT_FALSE (udp0->checksum))
942 sum0 = udp0->checksum;
943 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
946 ip_csum_update (sum0, old_port0, new_port0,
947 ip4_header_t /* cheat */ ,
948 length /* changed member */ );
949 udp0->checksum = ip_csum_fold (sum0);
956 nat44_session_update_counters (s0, now,
957 vlib_buffer_length_in_chain (vm, b0),
959 /* Per-user LRU list maintenance */
960 nat44_session_update_lru (sm, s0, thread_index);
963 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
964 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
966 snat_out2in_trace_t *t =
967 vlib_add_trace (vm, node, b0, sizeof (*t));
968 t->sw_if_index = sw_if_index0;
969 t->next_index = next0;
970 t->session_index = ~0;
973 s0 - sm->per_thread_data[thread_index].sessions;
976 pkts_processed += next0 == SNAT_OUT2IN_NEXT_LOOKUP;
979 ip1 = vlib_buffer_get_current (b1);
980 udp1 = ip4_next_header (ip1);
981 tcp1 = (tcp_header_t *) udp1;
982 icmp1 = (icmp46_header_t *) udp1;
984 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
985 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
988 if (PREDICT_FALSE (ip1->ttl == 1))
990 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
991 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
992 ICMP4_time_exceeded_ttl_exceeded_in_transit,
994 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
998 proto1 = ip_proto_to_nat_proto (ip1->protocol);
1000 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_OTHER))
1002 if (nat_out2in_sm_unknown_proto (sm, b1, ip1, rx_fib_index1))
1004 if (!sm->forwarding_enabled)
1007 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1008 next1 = SNAT_OUT2IN_NEXT_DROP;
1015 if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_ICMP))
1017 next1 = icmp_out2in_slow_path
1018 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1019 next1, now, thread_index, &s1);
1024 init_nat_k (&kv1, ip1->dst_address,
1025 vnet_buffer (b1)->ip.reass.l4_dst_port, rx_fib_index1,
1028 if (clib_bihash_search_8_8
1029 (&sm->per_thread_data[thread_index].out2in, &kv1, &value1))
1031 /* Try to match static mapping by external address and port,
1032 destination address and port in packet */
1033 if (snat_static_mapping_match
1034 (sm, ip1->dst_address,
1035 vnet_buffer (b1)->ip.reass.l4_dst_port, proto1,
1036 rx_fib_index1, &sm_addr1, &sm_port1, &sm_fib_index1, 1, 0,
1037 0, 0, 0, &identity_nat1))
1040 * Send DHCP packets to the ipv4 stack, or we won't
1041 * be able to use dhcp client on the outside interface
1044 (proto1 == NAT_PROTOCOL_UDP
1045 && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
1046 clib_host_to_net_u16
1047 (UDP_DST_PORT_dhcp_to_client))))
1049 vnet_feature_next (&next1, b1);
1053 if (!sm->forwarding_enabled)
1056 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1057 next1 = SNAT_OUT2IN_NEXT_DROP;
1062 if (PREDICT_FALSE (identity_nat1))
1065 /* Create session initiated by host from external network */
1067 create_session_for_static_mapping (sm, b1, sm_addr1, sm_port1,
1070 vnet_buffer (b1)->ip.
1072 rx_fib_index1, proto1,
1073 node, thread_index, now);
1076 next1 = SNAT_OUT2IN_NEXT_DROP;
1082 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1085 old_addr1 = ip1->dst_address.as_u32;
1086 ip1->dst_address = s1->in2out.addr;
1087 new_addr1 = ip1->dst_address.as_u32;
1088 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1090 sum1 = ip1->checksum;
1091 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1093 dst_address /* changed member */ );
1094 ip1->checksum = ip_csum_fold (sum1);
1096 if (PREDICT_TRUE (proto1 == NAT_PROTOCOL_TCP))
1098 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1100 old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
1101 new_port1 = udp1->dst_port = s1->in2out.port;
1103 sum1 = tcp1->checksum;
1104 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1106 dst_address /* changed member */ );
1108 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1109 ip4_header_t /* cheat */ ,
1110 length /* changed member */ );
1111 tcp1->checksum = ip_csum_fold (sum1);
1117 if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1119 old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
1120 new_port1 = udp1->dst_port = s1->in2out.port;
1121 if (PREDICT_FALSE (udp1->checksum))
1124 sum1 = udp1->checksum;
1126 ip_csum_update (sum1, old_addr1, new_addr1,
1128 dst_address /* changed member */ );
1130 ip_csum_update (sum1, old_port1, new_port1,
1131 ip4_header_t /* cheat */ ,
1132 length /* changed member */ );
1133 udp1->checksum = ip_csum_fold (sum1);
1140 nat44_session_update_counters (s1, now,
1141 vlib_buffer_length_in_chain (vm, b1),
1143 /* Per-user LRU list maintenance */
1144 nat44_session_update_lru (sm, s1, thread_index);
1147 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1148 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1150 snat_out2in_trace_t *t =
1151 vlib_add_trace (vm, node, b1, sizeof (*t));
1152 t->sw_if_index = sw_if_index1;
1153 t->next_index = next1;
1154 t->session_index = ~0;
1157 s1 - sm->per_thread_data[thread_index].sessions;
1160 pkts_processed += next1 == SNAT_OUT2IN_NEXT_LOOKUP;
1162 /* verify speculative enqueues, maybe switch current next frame */
1163 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1164 to_next, n_left_to_next,
1165 bi0, bi1, next0, next1);
1168 while (n_left_from > 0 && n_left_to_next > 0)
1172 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1176 u32 new_addr0, old_addr0;
1177 u16 new_port0, old_port0;
1180 icmp46_header_t *icmp0;
1183 snat_session_t *s0 = 0;
1184 clib_bihash_kv_8_8_t kv0, value0;
1186 ip4_address_t sm_addr0;
1190 /* speculatively enqueue b0 to the current next frame */
1196 n_left_to_next -= 1;
1198 b0 = vlib_get_buffer (vm, bi0);
1200 vnet_buffer (b0)->snat.flags = 0;
1202 ip0 = vlib_buffer_get_current (b0);
1203 udp0 = ip4_next_header (ip0);
1204 tcp0 = (tcp_header_t *) udp0;
1205 icmp0 = (icmp46_header_t *) udp0;
1207 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1208 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1211 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1213 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1215 if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
1217 if (!sm->forwarding_enabled)
1220 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1221 next0 = SNAT_OUT2IN_NEXT_DROP;
1228 if (PREDICT_FALSE (ip0->ttl == 1))
1230 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1231 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1232 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1234 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1238 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1240 next0 = icmp_out2in_slow_path
1241 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1242 next0, now, thread_index, &s0);
1247 init_nat_k (&kv0, ip0->dst_address,
1248 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
1251 if (clib_bihash_search_8_8
1252 (&sm->per_thread_data[thread_index].out2in, &kv0, &value0))
1254 /* Try to match static mapping by external address and port,
1255 destination address and port in packet */
1256 if (snat_static_mapping_match
1257 (sm, ip0->dst_address,
1258 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
1259 proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0,
1263 * Send DHCP packets to the ipv4 stack, or we won't
1264 * be able to use dhcp client on the outside interface
1267 (proto0 == NAT_PROTOCOL_UDP
1268 && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1269 clib_host_to_net_u16
1270 (UDP_DST_PORT_dhcp_to_client))))
1272 vnet_feature_next (&next0, b0);
1276 if (!sm->forwarding_enabled)
1279 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1280 next0 = SNAT_OUT2IN_NEXT_DROP;
1285 if (PREDICT_FALSE (identity_nat0))
1288 /* Create session initiated by host from external network */
1289 s0 = create_session_for_static_mapping (sm, b0,
1294 ip.reass.l4_dst_port,
1295 rx_fib_index0, proto0,
1300 next0 = SNAT_OUT2IN_NEXT_DROP;
1306 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1309 old_addr0 = ip0->dst_address.as_u32;
1310 ip0->dst_address = s0->in2out.addr;
1311 new_addr0 = ip0->dst_address.as_u32;
1312 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1314 sum0 = ip0->checksum;
1315 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1317 dst_address /* changed member */ );
1318 ip0->checksum = ip_csum_fold (sum0);
1320 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1322 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1324 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1325 new_port0 = udp0->dst_port = s0->in2out.port;
1327 sum0 = tcp0->checksum;
1328 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1330 dst_address /* changed member */ );
1332 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1333 ip4_header_t /* cheat */ ,
1334 length /* changed member */ );
1335 tcp0->checksum = ip_csum_fold (sum0);
1341 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1343 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1344 new_port0 = udp0->dst_port = s0->in2out.port;
1345 if (PREDICT_FALSE (udp0->checksum))
1347 sum0 = udp0->checksum;
1348 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
1351 ip_csum_update (sum0, old_port0, new_port0,
1352 ip4_header_t /* cheat */ ,
1353 length /* changed member */ );
1354 udp0->checksum = ip_csum_fold (sum0);
1361 nat44_session_update_counters (s0, now,
1362 vlib_buffer_length_in_chain (vm, b0),
1364 /* Per-user LRU list maintenance */
1365 nat44_session_update_lru (sm, s0, thread_index);
1368 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1369 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1371 snat_out2in_trace_t *t =
1372 vlib_add_trace (vm, node, b0, sizeof (*t));
1373 t->sw_if_index = sw_if_index0;
1374 t->next_index = next0;
1375 t->session_index = ~0;
1378 s0 - sm->per_thread_data[thread_index].sessions;
1381 pkts_processed += next0 == SNAT_OUT2IN_NEXT_LOOKUP;
1383 /* verify speculative enqueue, maybe switch current next frame */
1384 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1385 to_next, n_left_to_next,
1389 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1392 vlib_node_increment_counter (vm, sm->out2in_node_index,
1393 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1395 vlib_node_increment_counter (vm, sm->out2in_node_index,
1396 SNAT_OUT2IN_ERROR_TCP_PACKETS, tcp_packets);
1397 vlib_node_increment_counter (vm, sm->out2in_node_index,
1398 SNAT_OUT2IN_ERROR_UDP_PACKETS, udp_packets);
1399 vlib_node_increment_counter (vm, sm->out2in_node_index,
1400 SNAT_OUT2IN_ERROR_ICMP_PACKETS, icmp_packets);
1401 vlib_node_increment_counter (vm, sm->out2in_node_index,
1402 SNAT_OUT2IN_ERROR_OTHER_PACKETS,
1404 vlib_node_increment_counter (vm, sm->out2in_node_index,
1405 SNAT_OUT2IN_ERROR_FRAGMENTS, fragments);
1407 return frame->n_vectors;
1411 VLIB_REGISTER_NODE (snat_out2in_node) = {
1412 .name = "nat44-out2in",
1413 .vector_size = sizeof (u32),
1414 .format_trace = format_snat_out2in_trace,
1415 .type = VLIB_NODE_TYPE_INTERNAL,
1417 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1418 .error_strings = snat_out2in_error_strings,
1420 .runtime_data_bytes = sizeof (snat_runtime_t),
1422 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1424 /* edit / add dispositions here */
1426 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1427 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1428 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1433 VLIB_NODE_FN (snat_out2in_fast_node) (vlib_main_t * vm,
1434 vlib_node_runtime_t * node,
1435 vlib_frame_t * frame)
1437 u32 n_left_from, *from, *to_next;
1438 snat_out2in_next_t next_index;
1439 u32 pkts_processed = 0;
1440 snat_main_t *sm = &snat_main;
1442 from = vlib_frame_vector_args (frame);
1443 n_left_from = frame->n_vectors;
1444 next_index = node->cached_next_index;
1446 while (n_left_from > 0)
1450 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1452 while (n_left_from > 0 && n_left_to_next > 0)
1456 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
1460 u32 new_addr0, old_addr0;
1461 u16 new_port0, old_port0;
1464 icmp46_header_t *icmp0;
1467 ip4_address_t sm_addr0;
1471 /* speculatively enqueue b0 to the current next frame */
1477 n_left_to_next -= 1;
1479 b0 = vlib_get_buffer (vm, bi0);
1481 ip0 = vlib_buffer_get_current (b0);
1482 udp0 = ip4_next_header (ip0);
1483 tcp0 = (tcp_header_t *) udp0;
1484 icmp0 = (icmp46_header_t *) udp0;
1486 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1488 ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
1490 vnet_feature_next (&next0, b0);
1492 if (PREDICT_FALSE (ip0->ttl == 1))
1494 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1495 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1496 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1498 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1502 proto0 = ip_proto_to_nat_proto (ip0->protocol);
1504 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1507 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1509 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0,
1510 rx_fib_index0, node, next0, ~0, 0, 0);
1514 if (snat_static_mapping_match
1515 (sm, ip0->dst_address, udp0->dst_port, rx_fib_index0, proto0,
1516 &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, 0, 0))
1518 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1522 new_addr0 = sm_addr0.as_u32;
1523 new_port0 = sm_port0;
1524 vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm_fib_index0;
1525 old_addr0 = ip0->dst_address.as_u32;
1526 ip0->dst_address.as_u32 = new_addr0;
1528 sum0 = ip0->checksum;
1529 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1531 dst_address /* changed member */ );
1532 ip0->checksum = ip_csum_fold (sum0);
1534 if (PREDICT_FALSE (new_port0 != udp0->dst_port))
1536 old_port0 = udp0->dst_port;
1537 udp0->dst_port = new_port0;
1539 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1541 sum0 = tcp0->checksum;
1542 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1544 dst_address /* changed member */ );
1545 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1546 ip4_header_t /* cheat */ ,
1547 length /* changed member */ );
1548 tcp0->checksum = ip_csum_fold (sum0);
1550 else if (udp0->checksum)
1552 sum0 = udp0->checksum;
1553 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1555 dst_address /* changed member */ );
1556 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1557 ip4_header_t /* cheat */ ,
1558 length /* changed member */ );
1559 udp0->checksum = ip_csum_fold (sum0);
1564 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1566 sum0 = tcp0->checksum;
1567 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1569 dst_address /* changed member */ );
1570 tcp0->checksum = ip_csum_fold (sum0);
1572 else if (udp0->checksum)
1574 sum0 = udp0->checksum;
1575 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1577 dst_address /* changed member */ );
1578 udp0->checksum = ip_csum_fold (sum0);
1584 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1585 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1587 snat_out2in_trace_t *t =
1588 vlib_add_trace (vm, node, b0, sizeof (*t));
1589 t->sw_if_index = sw_if_index0;
1590 t->next_index = next0;
1593 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1595 /* verify speculative enqueue, maybe switch current next frame */
1596 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1597 to_next, n_left_to_next,
1601 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1604 vlib_node_increment_counter (vm, sm->out2in_fast_node_index,
1605 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1607 return frame->n_vectors;
1611 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
1612 .name = "nat44-out2in-fast",
1613 .vector_size = sizeof (u32),
1614 .format_trace = format_snat_out2in_fast_trace,
1615 .type = VLIB_NODE_TYPE_INTERNAL,
1617 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1618 .error_strings = snat_out2in_error_strings,
1620 .runtime_data_bytes = sizeof (snat_runtime_t),
1622 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1624 /* edit / add dispositions here */
1626 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1627 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1628 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1634 * fd.io coding-style-patch-verification: ON
1637 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob