2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp.h>
27 #include <vppinfra/error.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat44/inlines.h>
32 #include <nat/nat_syslog.h>
33 #include <nat/nat_ha.h>
34 #include <nat/nat44/ed_inlines.h>
36 static char *nat_out2in_ed_error_strings[] = {
37 #define _(sym,string) string,
38 foreach_nat_out2in_ed_error
48 } nat44_ed_out2in_trace_t;
51 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
53 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
54 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
55 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
59 t->is_slow_path ? "NAT44_OUT2IN_ED_SLOW_PATH" :
60 "NAT44_OUT2IN_ED_FAST_PATH";
62 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
63 t->sw_if_index, t->next_index, t->session_index);
69 icmp_out2in_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
70 ip4_header_t * ip0, icmp46_header_t * icmp0,
71 u32 sw_if_index0, u32 rx_fib_index0,
72 vlib_node_runtime_t * node, u32 next0, f64 now,
73 u32 thread_index, snat_session_t ** p_s0)
75 vlib_main_t *vm = vlib_get_main ();
77 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
78 next0, thread_index, p_s0, 0);
79 snat_session_t *s0 = *p_s0;
80 if (PREDICT_TRUE (next0 != NAT_NEXT_DROP && s0))
83 nat44_session_update_counters (s0, now,
84 vlib_buffer_length_in_chain
85 (vm, b0), thread_index);
86 /* Per-user LRU list maintenance */
87 nat44_session_update_lru (sm, s0, thread_index);
92 #ifndef CLIB_MARCH_VARIANT
94 nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
96 snat_main_t *sm = &snat_main;
97 nat44_is_idle_session_ctx_t *ctx = arg;
99 u64 sess_timeout_time;
102 ip4_address_t *l_addr, *r_addr;
104 clib_bihash_kv_16_8_t ed_kv;
107 snat_session_key_t key;
108 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
111 s = pool_elt_at_index (tsm->sessions, kv->value);
112 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
113 if (ctx->now >= sess_timeout_time)
115 l_addr = &s->in2out.addr;
116 r_addr = &s->ext_host_addr;
117 fib_index = s->in2out.fib_index;
118 if (snat_is_unk_proto_session (s))
120 proto = s->in2out.port;
126 proto = nat_proto_to_ip_proto (s->in2out.protocol);
127 l_port = s->in2out.port;
128 r_port = s->ext_host_port;
130 if (is_twice_nat_session (s))
132 r_addr = &s->ext_host_nat_addr;
133 r_port = s->ext_host_nat_port;
135 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
137 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
138 nat_elog_warn ("in2out_ed key del failed");
140 if (snat_is_unk_proto_session (s))
143 snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
144 s->in2out.addr.as_u32,
145 s->out2in.addr.as_u32,
149 s->in2out.fib_index);
151 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
152 &s->in2out.addr, s->in2out.port,
153 &s->ext_host_nat_addr, s->ext_host_nat_port,
154 &s->out2in.addr, s->out2in.port,
155 &s->ext_host_addr, s->ext_host_port,
156 s->in2out.protocol, is_twice_nat_session (s));
158 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
159 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
162 if (is_twice_nat_session (s))
164 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
166 key.protocol = s->in2out.protocol;
167 key.port = s->ext_host_nat_port;
168 a = sm->twice_nat_addresses + i;
169 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
171 snat_free_outside_address_and_port (sm->twice_nat_addresses,
179 if (snat_is_session_static (s))
182 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
185 nat_ed_session_delete (sm, s, ctx->thread_index, 1);
193 static snat_session_t *
194 create_session_for_static_mapping_ed (snat_main_t * sm,
196 snat_session_key_t l_key,
197 snat_session_key_t e_key,
198 vlib_node_runtime_t * node,
201 twice_nat_type_t twice_nat,
202 lb_nat_type_t lb_nat, f64 now)
207 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
208 clib_bihash_kv_16_8_t kv;
209 snat_session_key_t eh_key;
210 nat44_is_idle_session_ctx_t ctx;
213 (nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
215 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
216 nat_elog_notice ("maximum sessions exceeded");
220 s = nat_ed_session_alloc (sm, thread_index, now, e_key.protocol);
223 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_USER_SESS_EXCEEDED];
224 nat_elog_warn ("create NAT session failed");
228 ip = vlib_buffer_get_current (b);
229 udp = ip4_next_header (ip);
231 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
232 s->ext_host_port = e_key.protocol == NAT_PROTOCOL_ICMP ? 0 : udp->src_port;
233 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
235 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
236 if (lb_nat == AFFINITY_LB_NAT)
237 s->flags |= SNAT_SESSION_FLAG_AFFINITY;
238 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
241 s->in2out.protocol = s->out2in.protocol;
243 /* Add to lookup tables */
244 make_ed_kv (&e_key.addr, &s->ext_host_addr, ip->protocol,
245 e_key.fib_index, e_key.port, s->ext_host_port,
246 s - tsm->sessions, &kv);
248 ctx.thread_index = thread_index;
249 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, &kv,
250 nat44_o2i_ed_is_idle_session_cb,
252 nat_elog_notice ("out2in-ed key add failed");
254 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
255 ip->src_address.as_u32 == l_key.addr.as_u32))
257 eh_key.protocol = e_key.protocol;
258 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
259 thread_index, &eh_key,
261 tsm->snat_thread_index))
263 b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
264 nat_ed_session_delete (sm, s, thread_index, 1);
265 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0))
266 nat_elog_notice ("out2in-ed key del failed");
269 s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
270 s->ext_host_nat_port = eh_key.port;
271 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
272 make_ed_kv (&l_key.addr, &s->ext_host_nat_addr, ip->protocol,
273 l_key.fib_index, l_key.port, s->ext_host_nat_port,
274 s - tsm->sessions, &kv);
278 make_ed_kv (&l_key.addr, &s->ext_host_addr, ip->protocol,
279 l_key.fib_index, l_key.port, s->ext_host_port,
280 s - tsm->sessions, &kv);
282 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &kv,
283 nat44_i2o_ed_is_idle_session_cb,
285 nat_elog_notice ("in2out-ed key add failed");
287 snat_ipfix_logging_nat44_ses_create (thread_index,
288 s->in2out.addr.as_u32,
289 s->out2in.addr.as_u32,
292 s->out2in.port, s->in2out.fib_index);
294 nat_syslog_nat44_sadd (s->user_index, s->in2out.fib_index,
295 &s->in2out.addr, s->in2out.port,
296 &s->ext_host_nat_addr, s->ext_host_nat_port,
297 &s->out2in.addr, s->out2in.port,
298 &s->ext_host_addr, s->ext_host_port,
299 s->in2out.protocol, is_twice_nat_session (s));
301 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
302 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
303 &s->ext_host_nat_addr, s->ext_host_nat_port,
304 s->in2out.protocol, s->in2out.fib_index, s->flags,
311 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u16 src_port,
312 u16 dst_port, u32 thread_index, u32 rx_fib_index)
314 clib_bihash_kv_16_8_t kv, value;
315 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
317 make_ed_kv (&ip->src_address, &ip->dst_address, ip->protocol,
318 rx_fib_index, src_port, dst_port, ~0ULL, &kv);
319 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
326 create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
327 u32 rx_fib_index, u32 thread_index)
329 clib_bihash_kv_16_8_t kv, value;
331 snat_session_t *s = 0;
332 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
333 vlib_main_t *vm = vlib_get_main ();
334 f64 now = vlib_time_now (vm);
337 if (ip->protocol == IP_PROTOCOL_ICMP)
339 if (get_icmp_o2i_ed_key
340 (b, ip, rx_fib_index, ~0ULL, 0, &l_port, &r_port, &kv))
345 if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
347 udp = ip4_next_header (ip);
348 l_port = udp->dst_port;
349 r_port = udp->src_port;
356 make_ed_kv (&ip->dst_address, &ip->src_address, ip->protocol,
357 rx_fib_index, l_port, r_port, ~0ULL, &kv);
360 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
362 s = pool_elt_at_index (tsm->sessions, value.value);
369 (nat44_ed_maximum_sessions_exceeded
370 (sm, rx_fib_index, thread_index)))
373 s = nat_ed_session_alloc (sm, thread_index, now, ip->protocol);
376 nat_elog_warn ("create NAT session failed");
380 proto = ip_proto_to_nat_proto (ip->protocol);
382 s->ext_host_addr = ip->src_address;
383 s->ext_host_port = r_port;
384 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
385 s->out2in.addr = ip->dst_address;
386 s->out2in.port = l_port;
387 s->out2in.protocol = proto;
388 if (proto == NAT_PROTOCOL_OTHER)
390 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
391 s->out2in.port = ip->protocol;
393 s->out2in.fib_index = 0;
394 s->in2out = s->out2in;
396 kv.value = s - tsm->sessions;
397 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
398 nat_elog_notice ("in2out_ed key add failed");
401 if (ip->protocol == IP_PROTOCOL_TCP)
403 tcp_header_t *tcp = ip4_next_header (ip);
404 if (nat44_set_tcp_session_state_o2i
405 (sm, now, s, tcp->flags, tcp->ack_number, tcp->seq_number,
411 nat44_session_update_counters (s, now, 0, thread_index);
412 /* Per-user LRU list maintenance */
413 nat44_session_update_lru (sm, s, thread_index);
417 create_bypass_for_fwd_worker (snat_main_t * sm, vlib_buffer_t * b,
418 ip4_header_t * ip, u32 rx_fib_index)
420 ip4_header_t ip_wkr = {
421 .src_address = ip->dst_address,
423 u32 thread_index = sm->worker_in2out_cb (&ip_wkr, rx_fib_index, 0);
425 create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
428 #ifndef CLIB_MARCH_VARIANT
430 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
431 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
432 u8 * p_proto, snat_session_key_t * p_value,
433 u8 * p_dont_translate, void *d, void *e)
435 u32 next = ~0, sw_if_index, rx_fib_index;
436 clib_bihash_kv_16_8_t kv, value;
437 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
438 snat_session_t *s = 0;
439 u8 dont_translate = 0, is_addr_only, identity_nat;
440 snat_session_key_t e_key, l_key;
442 vlib_main_t *vm = vlib_get_main ();
444 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
445 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
447 if (get_icmp_o2i_ed_key
448 (b, ip, rx_fib_index, ~0ULL, p_proto, &l_port, &r_port, &kv))
450 b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL];
451 next = NAT_NEXT_DROP;
455 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
457 /* Try to match static mapping */
458 e_key.addr = ip->dst_address;
460 e_key.protocol = ip_proto_to_nat_proto (ip->protocol);
461 e_key.fib_index = rx_fib_index;
462 if (snat_static_mapping_match
463 (sm, e_key, &l_key, 1, &is_addr_only, 0, 0, 0, &identity_nat))
465 if (!sm->forwarding_enabled)
467 /* Don't NAT packet aimed at the intfc address */
468 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index,
469 ip->dst_address.as_u32)))
474 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
475 next = NAT_NEXT_DROP;
481 if (next_src_nat (sm, ip, l_port, r_port,
482 thread_index, rx_fib_index))
484 next = NAT_NEXT_IN2OUT_ED_FAST_PATH;
487 if (sm->num_workers > 1)
488 create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index);
490 create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
496 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
498 && (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
499 ICMP4_echo_request || !is_addr_only)))
501 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
502 next = NAT_NEXT_DROP;
506 if (PREDICT_FALSE (identity_nat))
512 /* Create session initiated by host from external network */
513 s = create_session_for_static_mapping_ed (sm, b, l_key, e_key, node,
514 rx_fib_index, thread_index, 0,
515 0, vlib_time_now (vm));
519 next = NAT_NEXT_DROP;
526 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
528 && vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
530 && !icmp_type_is_error_message (vnet_buffer (b)->ip.
531 reass.icmp_type_or_tcp_flags)))
533 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
534 next = NAT_NEXT_DROP;
538 s = pool_elt_at_index (tsm->sessions, value.value);
542 *p_value = s->in2out;
543 *p_dont_translate = dont_translate;
545 *(snat_session_t **) d = s;
550 static snat_session_t *
551 nat44_ed_out2in_unknown_proto (snat_main_t * sm,
557 vlib_main_t * vm, vlib_node_runtime_t * node)
559 clib_bihash_kv_8_8_t kv, value;
560 clib_bihash_kv_16_8_t s_kv, s_value;
561 snat_static_mapping_t *m;
562 u32 old_addr, new_addr;
565 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
567 old_addr = ip->dst_address.as_u32;
569 make_ed_kv (&ip->dst_address, &ip->src_address, ip->protocol, rx_fib_index,
572 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
574 s = pool_elt_at_index (tsm->sessions, s_value.value);
575 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
580 (nat44_ed_maximum_sessions_exceeded
581 (sm, rx_fib_index, thread_index)))
583 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
584 nat_elog_notice ("maximum sessions exceeded");
588 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
589 if (clib_bihash_search_8_8
590 (&sm->static_mapping_by_external, &kv, &value))
592 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
596 m = pool_elt_at_index (sm->static_mappings, value.value);
598 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
600 /* Create a new session */
601 s = nat_ed_session_alloc (sm, thread_index, now, ip->protocol);
604 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_USER_SESS_EXCEEDED];
605 nat_elog_warn ("create NAT session failed");
609 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
610 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
611 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
612 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
613 s->out2in.addr.as_u32 = old_addr;
614 s->out2in.fib_index = rx_fib_index;
615 s->in2out.addr.as_u32 = new_addr;
616 s->in2out.fib_index = m->fib_index;
617 s->in2out.port = s->out2in.port = ip->protocol;
619 /* Add to lookup tables */
620 s_kv.value = s - tsm->sessions;
621 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
622 nat_elog_notice ("out2in key add failed");
624 make_ed_kv (&ip->dst_address, &ip->src_address, ip->protocol,
625 m->fib_index, 0, 0, s - tsm->sessions, &s_kv);
626 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
627 nat_elog_notice ("in2out key add failed");
630 /* Update IP checksum */
632 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
633 ip->checksum = ip_csum_fold (sum);
635 vnet_buffer (b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
638 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b),
640 /* Per-user LRU list maintenance */
641 nat44_session_update_lru (sm, s, thread_index);
647 nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm,
648 vlib_node_runtime_t * node,
649 vlib_frame_t * frame)
651 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
652 nat_next_t next_index;
653 snat_main_t *sm = &snat_main;
654 f64 now = vlib_time_now (vm);
655 u32 thread_index = vm->thread_index;
656 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
657 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
660 stats_node_index = sm->ed_out2in_node_index;
662 from = vlib_frame_vector_args (frame);
663 n_left_from = frame->n_vectors;
664 next_index = node->cached_next_index;
666 while (n_left_from > 0)
670 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
672 while (n_left_from > 0 && n_left_to_next > 0)
676 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
678 u16 old_port0, new_port0;
682 snat_session_t *s0 = 0;
683 clib_bihash_kv_16_8_t kv0, value0;
686 /* speculatively enqueue b0 to the current next frame */
694 b0 = vlib_get_buffer (vm, bi0);
695 next0 = vnet_buffer2 (b0)->nat.arc_next;
697 vnet_buffer (b0)->snat.flags = 0;
698 ip0 = vlib_buffer_get_current (b0);
700 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
702 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
705 if (PREDICT_FALSE (ip0->ttl == 1))
707 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
708 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
709 ICMP4_time_exceeded_ttl_exceeded_in_transit,
711 next0 = NAT_NEXT_ICMP_ERROR;
715 udp0 = ip4_next_header (ip0);
716 tcp0 = (tcp_header_t *) udp0;
717 proto0 = ip_proto_to_nat_proto (ip0->protocol);
719 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
721 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
725 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
727 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
731 make_ed_kv (&ip0->dst_address, &ip0->src_address,
732 ip0->protocol, rx_fib_index0,
733 vnet_buffer (b0)->ip.reass.l4_dst_port,
734 vnet_buffer (b0)->ip.reass.l4_src_port, ~0ULL, &kv0);
736 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
738 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
741 s0 = pool_elt_at_index (tsm->sessions, value0.value);
743 if (s0->tcp_closed_timestamp)
745 if (now >= s0->tcp_closed_timestamp)
747 // session is closed, go slow path
748 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
752 // session in transitory timeout, drop
753 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TCP_CLOSED];
754 next0 = NAT_NEXT_DROP;
759 // drop if session expired
760 u64 sess_timeout_time;
761 sess_timeout_time = s0->last_heard +
762 (f64) nat44_session_get_timeout (sm, s0);
763 if (now >= sess_timeout_time)
765 // session is closed, go slow path
766 nat_free_session_data (sm, s0, thread_index, 0);
767 nat_ed_session_delete (sm, s0, thread_index, 1);
768 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
773 old_addr0 = ip0->dst_address.as_u32;
774 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
775 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
777 sum0 = ip0->checksum;
778 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
780 if (PREDICT_FALSE (is_twice_nat_session (s0)))
781 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
782 s0->ext_host_nat_addr.as_u32, ip4_header_t,
784 ip0->checksum = ip_csum_fold (sum0);
786 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
788 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
790 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
792 new_port0 = udp0->dst_port = s0->in2out.port;
793 sum0 = tcp0->checksum;
795 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
798 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
800 if (is_twice_nat_session (s0))
802 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
803 s0->ext_host_nat_addr.as_u32,
804 ip4_header_t, dst_address);
806 ip_csum_update (sum0,
807 vnet_buffer (b0)->ip.
809 s0->ext_host_nat_port, ip4_header_t,
811 tcp0->src_port = s0->ext_host_nat_port;
812 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
814 tcp0->checksum = ip_csum_fold (sum0);
817 if (nat44_set_tcp_session_state_o2i
819 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags,
820 vnet_buffer (b0)->ip.reass.tcp_ack_number,
821 vnet_buffer (b0)->ip.reass.tcp_seq_number, thread_index))
824 else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
827 new_port0 = udp0->dst_port = s0->in2out.port;
828 sum0 = udp0->checksum;
829 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
831 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
833 if (PREDICT_FALSE (is_twice_nat_session (s0)))
835 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
836 s0->ext_host_nat_addr.as_u32,
837 ip4_header_t, dst_address);
839 ip_csum_update (sum0,
840 vnet_buffer (b0)->ip.reass.l4_src_port,
841 s0->ext_host_nat_port, ip4_header_t,
843 udp0->src_port = s0->ext_host_nat_port;
844 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
846 udp0->checksum = ip_csum_fold (sum0);
851 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
853 new_port0 = udp0->dst_port = s0->in2out.port;
854 if (PREDICT_FALSE (is_twice_nat_session (s0)))
856 udp0->src_port = s0->ext_host_nat_port;
857 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
864 nat44_session_update_counters (s0, now,
865 vlib_buffer_length_in_chain (vm, b0),
867 /* Per-user LRU list maintenance */
868 nat44_session_update_lru (sm, s0, thread_index);
871 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
872 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
874 nat44_ed_out2in_trace_t *t =
875 vlib_add_trace (vm, node, b0, sizeof (*t));
876 t->sw_if_index = sw_if_index0;
877 t->next_index = next0;
881 t->session_index = s0 - tsm->sessions;
883 t->session_index = ~0;
886 pkts_processed += next0 == vnet_buffer2 (b0)->nat.arc_next;
887 /* verify speculative enqueue, maybe switch current next frame */
888 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
889 to_next, n_left_to_next,
893 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
896 vlib_node_increment_counter (vm, stats_node_index,
897 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
899 vlib_node_increment_counter (vm, stats_node_index,
900 NAT_OUT2IN_ED_ERROR_TCP_PACKETS, tcp_packets);
901 vlib_node_increment_counter (vm, stats_node_index,
902 NAT_OUT2IN_ED_ERROR_UDP_PACKETS, udp_packets);
903 vlib_node_increment_counter (vm, stats_node_index,
904 NAT_OUT2IN_ED_ERROR_ICMP_PACKETS,
906 vlib_node_increment_counter (vm, stats_node_index,
907 NAT_OUT2IN_ED_ERROR_OTHER_PACKETS,
909 vlib_node_increment_counter (vm, stats_node_index,
910 NAT_OUT2IN_ED_ERROR_FRAGMENTS, fragments);
911 return frame->n_vectors;
915 nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
916 vlib_node_runtime_t * node,
917 vlib_frame_t * frame)
919 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
920 nat_next_t next_index;
921 snat_main_t *sm = &snat_main;
923 f64 now = vlib_time_now (vm);
924 u32 thread_index = vm->thread_index;
925 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
926 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
929 stats_node_index = sm->ed_out2in_slowpath_node_index;
931 from = vlib_frame_vector_args (frame);
932 n_left_from = frame->n_vectors;
933 next_index = node->cached_next_index;
935 while (n_left_from > 0)
939 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
941 while (n_left_from > 0 && n_left_to_next > 0)
945 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
947 u16 old_port0, new_port0;
951 icmp46_header_t *icmp0;
952 snat_session_t *s0 = 0;
953 clib_bihash_kv_16_8_t kv0, value0;
955 snat_session_key_t e_key0, l_key0;
956 lb_nat_type_t lb_nat0;
957 twice_nat_type_t twice_nat0;
960 /* speculatively enqueue b0 to the current next frame */
968 b0 = vlib_get_buffer (vm, bi0);
969 next0 = vnet_buffer2 (b0)->nat.arc_next;
971 vnet_buffer (b0)->snat.flags = 0;
972 ip0 = vlib_buffer_get_current (b0);
974 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
976 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
979 if (PREDICT_FALSE (ip0->ttl == 1))
981 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
982 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
983 ICMP4_time_exceeded_ttl_exceeded_in_transit,
985 next0 = NAT_NEXT_ICMP_ERROR;
989 udp0 = ip4_next_header (ip0);
990 tcp0 = (tcp_header_t *) udp0;
991 icmp0 = (icmp46_header_t *) udp0;
992 proto0 = ip_proto_to_nat_proto (ip0->protocol);
994 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
997 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
998 thread_index, now, vm, node);
999 if (!sm->forwarding_enabled)
1002 next0 = NAT_NEXT_DROP;
1008 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1010 next0 = icmp_out2in_ed_slow_path
1011 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1012 next0, now, thread_index, &s0);
1017 make_ed_kv (&ip0->dst_address, &ip0->src_address,
1018 ip0->protocol, rx_fib_index0,
1019 vnet_buffer (b0)->ip.reass.l4_dst_port,
1020 vnet_buffer (b0)->ip.reass.l4_src_port, ~0ULL, &kv0);
1023 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
1025 s0 = pool_elt_at_index (tsm->sessions, value0.value);
1027 if (s0->tcp_closed_timestamp && now >= s0->tcp_closed_timestamp)
1029 nat_free_session_data (sm, s0, thread_index, 0);
1030 nat_ed_session_delete (sm, s0, thread_index, 1);
1037 /* Try to match static mapping by external address and port,
1038 destination address and port in packet */
1039 e_key0.addr = ip0->dst_address;
1040 e_key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
1041 e_key0.protocol = proto0;
1042 e_key0.fib_index = rx_fib_index0;
1044 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1045 &twice_nat0, &lb_nat0,
1050 * Send DHCP packets to the ipv4 stack, or we won't
1051 * be able to use dhcp client on the outside interface
1053 if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_UDP
1054 && (vnet_buffer (b0)->ip.
1055 reass.l4_dst_port ==
1056 clib_host_to_net_u16
1057 (UDP_DST_PORT_dhcp_to_client))))
1062 if (!sm->forwarding_enabled)
1065 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1066 next0 = NAT_NEXT_DROP;
1071 (sm, ip0, vnet_buffer (b0)->ip.reass.l4_src_port,
1072 vnet_buffer (b0)->ip.reass.l4_dst_port,
1073 thread_index, rx_fib_index0))
1075 next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
1078 if (sm->num_workers > 1)
1079 create_bypass_for_fwd_worker (sm, b0, ip0,
1082 create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
1088 if (PREDICT_FALSE (identity_nat0))
1091 if ((proto0 == NAT_PROTOCOL_TCP)
1092 && !tcp_flags_is_init (vnet_buffer (b0)->ip.
1093 reass.icmp_type_or_tcp_flags))
1095 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1096 next0 = NAT_NEXT_DROP;
1100 /* Create session initiated by host from external network */
1101 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1109 next0 = NAT_NEXT_DROP;
1114 old_addr0 = ip0->dst_address.as_u32;
1115 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
1116 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1118 sum0 = ip0->checksum;
1119 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1121 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1122 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1123 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1125 ip0->checksum = ip_csum_fold (sum0);
1127 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1129 if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1131 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1133 new_port0 = udp0->dst_port = s0->in2out.port;
1134 sum0 = tcp0->checksum;
1136 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1139 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1141 if (is_twice_nat_session (s0))
1143 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1144 s0->ext_host_nat_addr.as_u32,
1145 ip4_header_t, dst_address);
1147 ip_csum_update (sum0,
1148 vnet_buffer (b0)->ip.
1150 s0->ext_host_nat_port, ip4_header_t,
1152 tcp0->src_port = s0->ext_host_nat_port;
1153 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1155 tcp0->checksum = ip_csum_fold (sum0);
1158 if (nat44_set_tcp_session_state_o2i
1160 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags,
1161 vnet_buffer (b0)->ip.reass.tcp_ack_number,
1162 vnet_buffer (b0)->ip.reass.tcp_seq_number, thread_index))
1165 else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
1168 new_port0 = udp0->dst_port = s0->in2out.port;
1169 sum0 = udp0->checksum;
1170 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1172 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1174 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1176 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1177 s0->ext_host_nat_addr.as_u32,
1178 ip4_header_t, dst_address);
1180 ip_csum_update (sum0,
1181 vnet_buffer (b0)->ip.reass.l4_src_port,
1182 s0->ext_host_nat_port, ip4_header_t,
1184 udp0->src_port = s0->ext_host_nat_port;
1185 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1187 udp0->checksum = ip_csum_fold (sum0);
1192 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1194 new_port0 = udp0->dst_port = s0->in2out.port;
1195 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1197 udp0->src_port = s0->ext_host_nat_port;
1198 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1205 nat44_session_update_counters (s0, now,
1206 vlib_buffer_length_in_chain (vm, b0),
1208 /* Per-user LRU list maintenance */
1209 nat44_session_update_lru (sm, s0, thread_index);
1212 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1213 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1215 nat44_ed_out2in_trace_t *t =
1216 vlib_add_trace (vm, node, b0, sizeof (*t));
1217 t->sw_if_index = sw_if_index0;
1218 t->next_index = next0;
1219 t->is_slow_path = 1;
1222 t->session_index = s0 - tsm->sessions;
1224 t->session_index = ~0;
1227 pkts_processed += next0 == vnet_buffer2 (b0)->nat.arc_next;
1228 /* verify speculative enqueue, maybe switch current next frame */
1229 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1230 to_next, n_left_to_next,
1234 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1237 vlib_node_increment_counter (vm, stats_node_index,
1238 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1240 vlib_node_increment_counter (vm, stats_node_index,
1241 NAT_OUT2IN_ED_ERROR_TCP_PACKETS, tcp_packets);
1242 vlib_node_increment_counter (vm, stats_node_index,
1243 NAT_OUT2IN_ED_ERROR_UDP_PACKETS, udp_packets);
1244 vlib_node_increment_counter (vm, stats_node_index,
1245 NAT_OUT2IN_ED_ERROR_ICMP_PACKETS,
1247 vlib_node_increment_counter (vm, stats_node_index,
1248 NAT_OUT2IN_ED_ERROR_OTHER_PACKETS,
1250 vlib_node_increment_counter (vm, stats_node_index,
1251 NAT_OUT2IN_ED_ERROR_FRAGMENTS, fragments);
1252 return frame->n_vectors;
1255 VLIB_NODE_FN (nat44_ed_out2in_node) (vlib_main_t * vm,
1256 vlib_node_runtime_t * node,
1257 vlib_frame_t * frame)
1259 return nat44_ed_out2in_fast_path_node_fn_inline (vm, node, frame);
1263 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
1264 .name = "nat44-ed-out2in",
1265 .vector_size = sizeof (u32),
1266 .sibling_of = "nat-default",
1267 .format_trace = format_nat44_ed_out2in_trace,
1268 .type = VLIB_NODE_TYPE_INTERNAL,
1269 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1270 .error_strings = nat_out2in_ed_error_strings,
1271 .runtime_data_bytes = sizeof (snat_runtime_t),
1275 VLIB_NODE_FN (nat44_ed_out2in_slowpath_node) (vlib_main_t * vm,
1276 vlib_node_runtime_t * node,
1277 vlib_frame_t * frame)
1279 return nat44_ed_out2in_slow_path_node_fn_inline (vm, node, frame);
1283 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
1284 .name = "nat44-ed-out2in-slowpath",
1285 .vector_size = sizeof (u32),
1286 .sibling_of = "nat-default",
1287 .format_trace = format_nat44_ed_out2in_trace,
1288 .type = VLIB_NODE_TYPE_INTERNAL,
1289 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1290 .error_strings = nat_out2in_ed_error_strings,
1291 .runtime_data_bytes = sizeof (snat_runtime_t),
1296 format_nat_pre_trace (u8 * s, va_list * args)
1298 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1299 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1300 nat_pre_trace_t *t = va_arg (*args, nat_pre_trace_t *);
1301 return format (s, "out2in next_index %d arc_next_index %d", t->next_index,
1305 VLIB_NODE_FN (nat_pre_out2in_node) (vlib_main_t * vm,
1306 vlib_node_runtime_t * node,
1307 vlib_frame_t * frame)
1309 return nat_pre_node_fn_inline (vm, node, frame,
1310 NAT_NEXT_OUT2IN_ED_FAST_PATH);
1314 VLIB_REGISTER_NODE (nat_pre_out2in_node) = {
1315 .name = "nat-pre-out2in",
1316 .vector_size = sizeof (u32),
1317 .sibling_of = "nat-default",
1318 .format_trace = format_nat_pre_trace,
1319 .type = VLIB_NODE_TYPE_INTERNAL,
1325 * fd.io coding-style-patch-verification: ON
1328 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob