2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
24 #include <snat/snat.h>
25 #include <snat/snat_ipfix_logging.h>
26 #include <snat/snat_det.h>
28 #include <vppinfra/hash.h>
29 #include <vppinfra/error.h>
30 #include <vppinfra/elog.h>
37 } snat_in2out_trace_t;
40 u32 next_worker_index;
42 } snat_in2out_worker_handoff_trace_t;
44 /* packet trace format function */
45 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
47 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
48 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
49 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
52 tag = t->is_slow_path ? "SNAT_IN2OUT_SLOW_PATH" : "SNAT_IN2OUT_FAST_PATH";
54 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
55 t->sw_if_index, t->next_index, t->session_index);
60 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
62 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
63 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
64 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
66 s = format (s, "SANT_IN2OUT_FAST: sw_if_index %d, next index %d",
67 t->sw_if_index, t->next_index);
72 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
74 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
75 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
76 snat_in2out_worker_handoff_trace_t * t =
77 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
80 m = t->do_handoff ? "next worker" : "same worker";
81 s = format (s, "SNAT_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
86 vlib_node_registration_t snat_in2out_node;
87 vlib_node_registration_t snat_in2out_slowpath_node;
88 vlib_node_registration_t snat_in2out_fast_node;
89 vlib_node_registration_t snat_in2out_worker_handoff_node;
90 vlib_node_registration_t snat_det_in2out_node;
92 #define foreach_snat_in2out_error \
93 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
94 _(IN2OUT_PACKETS, "Good in2out packets processed") \
95 _(OUT_OF_PORTS, "Out of ports") \
96 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
97 _(BAD_ICMP_TYPE, "icmp type not echo-request") \
98 _(NO_TRANSLATION, "No translation")
101 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
102 foreach_snat_in2out_error
105 } snat_in2out_error_t;
107 static char * snat_in2out_error_strings[] = {
108 #define _(sym,string) string,
109 foreach_snat_in2out_error
114 SNAT_IN2OUT_NEXT_LOOKUP,
115 SNAT_IN2OUT_NEXT_DROP,
116 SNAT_IN2OUT_NEXT_ICMP_ERROR,
117 SNAT_IN2OUT_NEXT_SLOW_PATH,
119 } snat_in2out_next_t;
122 * @brief Check if packet should be translated
124 * Packets aimed at outside interface and external addresss with active session
125 * should be translated.
127 * @param sm SNAT main
128 * @param rt SNAT runtime data
129 * @param sw_if_index0 index of the inside interface
130 * @param ip0 IPv4 header
131 * @param proto0 SNAT protocol
132 * @param rx_fib_index0 RX FIB index
134 * @returns 0 if packet should be translated otherwise 1
137 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
138 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
141 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
143 .fp_proto = FIB_PROTOCOL_IP4,
146 .ip4.as_u32 = ip0->dst_address.as_u32,
150 /* Don't NAT packet aimed at the intfc address */
151 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
152 ip0->dst_address.as_u32)))
155 fei = fib_table_lookup (rx_fib_index0, &pfx);
156 if (FIB_NODE_INDEX_INVALID != fei)
158 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
159 if (sw_if_index == ~0)
161 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
162 if (FIB_NODE_INDEX_INVALID != fei)
163 sw_if_index = fib_entry_get_resolving_interface (fei);
166 pool_foreach (i, sm->interfaces,
168 /* NAT packet aimed at outside interface */
169 if ((i->is_inside == 0) && (sw_if_index == i->sw_if_index))
178 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
179 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
182 udp_header_t * udp0 = ip4_next_header (ip0);
183 snat_session_key_t key0, sm0;
184 clib_bihash_kv_8_8_t kv0, value0;
186 key0.addr = ip0->dst_address;
187 key0.port = udp0->dst_port;
188 key0.protocol = proto0;
189 key0.fib_index = sm->outside_fib_index;
190 kv0.key = key0.as_u64;
192 /* NAT packet aimed at external address if */
193 /* has active sessions */
194 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
196 /* or is static mappings */
197 if (!snat_static_mapping_match(sm, key0, &sm0, 1))
203 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
207 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
210 snat_session_key_t * key0,
211 snat_session_t ** sessionp,
212 vlib_node_runtime_t * node,
217 snat_user_key_t user_key;
219 clib_bihash_kv_8_8_t kv0, value0;
220 u32 oldest_per_user_translation_list_index;
221 dlist_elt_t * oldest_per_user_translation_list_elt;
222 dlist_elt_t * per_user_translation_list_elt;
223 dlist_elt_t * per_user_list_head_elt;
225 snat_session_key_t key1;
226 u32 address_index = ~0;
227 u32 outside_fib_index;
229 snat_worker_key_t worker_by_out_key;
231 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
234 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
235 return SNAT_IN2OUT_NEXT_DROP;
237 outside_fib_index = p[0];
239 key1.protocol = key0->protocol;
240 user_key.addr = ip0->src_address;
241 user_key.fib_index = rx_fib_index0;
242 kv0.key = user_key.as_u64;
244 /* Ever heard of the "user" = src ip4 address before? */
245 if (clib_bihash_search_8_8 (&sm->user_hash, &kv0, &value0))
247 /* no, make a new one */
248 pool_get (sm->per_thread_data[thread_index].users, u);
249 memset (u, 0, sizeof (*u));
250 u->addr = ip0->src_address;
251 u->fib_index = rx_fib_index0;
253 pool_get (sm->per_thread_data[thread_index].list_pool, per_user_list_head_elt);
255 u->sessions_per_user_list_head_index = per_user_list_head_elt -
256 sm->per_thread_data[thread_index].list_pool;
258 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
259 u->sessions_per_user_list_head_index);
261 kv0.value = u - sm->per_thread_data[thread_index].users;
264 clib_bihash_add_del_8_8 (&sm->user_hash, &kv0, 1 /* is_add */);
268 u = pool_elt_at_index (sm->per_thread_data[thread_index].users,
272 /* Over quota? Recycle the least recently used dynamic translation */
273 if (u->nsessions >= sm->max_translations_per_user)
275 /* Remove the oldest dynamic translation */
277 oldest_per_user_translation_list_index =
278 clib_dlist_remove_head (sm->per_thread_data[thread_index].list_pool,
279 u->sessions_per_user_list_head_index);
281 ASSERT (oldest_per_user_translation_list_index != ~0);
283 /* add it back to the end of the LRU list */
284 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
285 u->sessions_per_user_list_head_index,
286 oldest_per_user_translation_list_index);
287 /* Get the list element */
288 oldest_per_user_translation_list_elt =
289 pool_elt_at_index (sm->per_thread_data[thread_index].list_pool,
290 oldest_per_user_translation_list_index);
292 /* Get the session index from the list element */
293 session_index = oldest_per_user_translation_list_elt->value;
295 /* Get the session */
296 s = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
298 } while (snat_is_session_static (s));
300 /* Remove in2out, out2in keys */
301 kv0.key = s->in2out.as_u64;
302 if (clib_bihash_add_del_8_8 (&sm->in2out, &kv0, 0 /* is_add */))
303 clib_warning ("in2out key delete failed");
304 kv0.key = s->out2in.as_u64;
305 if (clib_bihash_add_del_8_8 (&sm->out2in, &kv0, 0 /* is_add */))
306 clib_warning ("out2in key delete failed");
309 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
310 s->out2in.addr.as_u32,
314 s->in2out.fib_index);
316 snat_free_outside_address_and_port
317 (sm, &s->out2in, s->outside_address_index);
318 s->outside_address_index = ~0;
320 if (snat_alloc_outside_address_and_port (sm, rx_fib_index0, &key1,
325 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
326 return SNAT_IN2OUT_NEXT_DROP;
328 s->outside_address_index = address_index;
332 u8 static_mapping = 1;
334 /* First try to match static mapping by local address and port */
335 if (snat_static_mapping_match (sm, *key0, &key1, 0))
338 /* Try to create dynamic translation */
339 if (snat_alloc_outside_address_and_port (sm, rx_fib_index0, &key1,
342 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
343 return SNAT_IN2OUT_NEXT_DROP;
347 /* Create a new session */
348 pool_get (sm->per_thread_data[thread_index].sessions, s);
349 memset (s, 0, sizeof (*s));
351 s->outside_address_index = address_index;
355 u->nstaticsessions++;
356 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
363 /* Create list elts */
364 pool_get (sm->per_thread_data[thread_index].list_pool,
365 per_user_translation_list_elt);
366 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
367 per_user_translation_list_elt -
368 sm->per_thread_data[thread_index].list_pool);
370 per_user_translation_list_elt->value =
371 s - sm->per_thread_data[thread_index].sessions;
372 s->per_user_index = per_user_translation_list_elt -
373 sm->per_thread_data[thread_index].list_pool;
374 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
376 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
377 s->per_user_list_head_index,
378 per_user_translation_list_elt -
379 sm->per_thread_data[thread_index].list_pool);
384 s->out2in.protocol = key0->protocol;
385 s->out2in.fib_index = outside_fib_index;
388 /* Add to translation hashes */
389 kv0.key = s->in2out.as_u64;
390 kv0.value = s - sm->per_thread_data[thread_index].sessions;
391 if (clib_bihash_add_del_8_8 (&sm->in2out, &kv0, 1 /* is_add */))
392 clib_warning ("in2out key add failed");
394 kv0.key = s->out2in.as_u64;
395 kv0.value = s - sm->per_thread_data[thread_index].sessions;
397 if (clib_bihash_add_del_8_8 (&sm->out2in, &kv0, 1 /* is_add */))
398 clib_warning ("out2in key add failed");
400 /* Add to translated packets worker lookup */
401 worker_by_out_key.addr = s->out2in.addr;
402 worker_by_out_key.port = s->out2in.port;
403 worker_by_out_key.fib_index = s->out2in.fib_index;
404 kv0.key = worker_by_out_key.as_u64;
405 kv0.value = thread_index;
406 clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv0, 1);
409 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
410 s->out2in.addr.as_u32,
414 s->in2out.fib_index);
419 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
420 snat_session_key_t *p_key0)
422 icmp46_header_t *icmp0;
423 snat_session_key_t key0;
424 icmp_echo_header_t *echo0, *inner_echo0 = 0;
425 ip4_header_t *inner_ip0 = 0;
427 icmp46_header_t *inner_icmp0;
429 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
430 echo0 = (icmp_echo_header_t *)(icmp0+1);
432 if (!icmp_is_error_message (icmp0))
434 key0.protocol = SNAT_PROTOCOL_ICMP;
435 key0.addr = ip0->src_address;
436 key0.port = echo0->identifier;
440 inner_ip0 = (ip4_header_t *)(echo0+1);
441 l4_header = ip4_next_header (inner_ip0);
442 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
443 key0.addr = inner_ip0->dst_address;
444 switch (key0.protocol)
446 case SNAT_PROTOCOL_ICMP:
447 inner_icmp0 = (icmp46_header_t*)l4_header;
448 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
449 key0.port = inner_echo0->identifier;
451 case SNAT_PROTOCOL_UDP:
452 case SNAT_PROTOCOL_TCP:
453 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
456 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
460 return -1; /* success */
464 * Get address and port values to be used for packet SNAT translation
465 * and create session if needed
467 * @param[in,out] sm SNAT main
468 * @param[in,out] node SNAT node runtime
469 * @param[in] thread_index thread index
470 * @param[in,out] b0 buffer containing packet to be translated
471 * @param[out] p_proto protocol used for matching
472 * @param[out] p_value address and port after NAT translation
473 * @param[out] p_dont_translate if packet should not be translated
474 * @param d optional parameter
476 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
477 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
478 snat_session_key_t *p_value,
479 u8 *p_dont_translate, void *d)
482 icmp46_header_t *icmp0;
485 snat_session_key_t key0;
486 snat_session_t *s0 = 0;
487 u8 dont_translate = 0;
488 clib_bihash_kv_8_8_t kv0, value0;
492 ip0 = vlib_buffer_get_current (b0);
493 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
494 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
495 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
497 err = icmp_get_key (ip0, &key0);
500 b0->error = node->errors[err];
501 next0 = SNAT_IN2OUT_NEXT_DROP;
504 key0.fib_index = rx_fib_index0;
506 kv0.key = key0.as_u64;
508 if (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
510 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, ip0,
511 IP_PROTOCOL_ICMP, rx_fib_index0)))
517 if (icmp_is_error_message (icmp0))
519 next0 = SNAT_IN2OUT_NEXT_DROP;
523 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
524 &s0, node, next0, thread_index);
526 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
530 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
533 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
534 !icmp_is_error_message (icmp0)))
536 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
537 next0 = SNAT_IN2OUT_NEXT_DROP;
542 *p_proto = key0.protocol;
544 *p_value = s0->out2in;
545 *p_dont_translate = dont_translate;
547 *(snat_session_t**)d = s0;
552 * Get address and port values to be used for packet SNAT translation
554 * @param[in] sm SNAT main
555 * @param[in,out] node SNAT node runtime
556 * @param[in] thread_index thread index
557 * @param[in,out] b0 buffer containing packet to be translated
558 * @param[out] p_proto protocol used for matching
559 * @param[out] p_value address and port after NAT translation
560 * @param[out] p_dont_translate if packet should not be translated
561 * @param d optional parameter
563 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
564 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
565 snat_session_key_t *p_value,
566 u8 *p_dont_translate, void *d)
569 icmp46_header_t *icmp0;
572 snat_session_key_t key0;
573 snat_session_key_t sm0;
574 u8 dont_translate = 0;
578 ip0 = vlib_buffer_get_current (b0);
579 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
580 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
581 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
583 err = icmp_get_key (ip0, &key0);
586 b0->error = node->errors[err];
587 next0 = SNAT_IN2OUT_NEXT_DROP;
590 key0.fib_index = rx_fib_index0;
592 if (snat_static_mapping_match(sm, key0, &sm0, 0))
594 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
595 IP_PROTOCOL_ICMP, rx_fib_index0)))
601 if (icmp_is_error_message (icmp0))
603 next0 = SNAT_IN2OUT_NEXT_DROP;
607 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
608 next0 = SNAT_IN2OUT_NEXT_DROP;
612 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
613 !icmp_is_error_message (icmp0)))
615 if (icmp0->type != ICMP4_echo_reply || key0.port != sm0.port)
617 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
618 next0 = SNAT_IN2OUT_NEXT_DROP;
626 *p_proto = key0.protocol;
627 *p_dont_translate = dont_translate;
631 static inline u32 icmp_in2out (snat_main_t *sm,
634 icmp46_header_t * icmp0,
637 vlib_node_runtime_t * node,
642 snat_session_key_t sm0;
644 icmp_echo_header_t *echo0, *inner_echo0 = 0;
645 ip4_header_t *inner_ip0;
647 icmp46_header_t *inner_icmp0;
649 u32 new_addr0, old_addr0;
650 u16 old_id0, new_id0;
655 echo0 = (icmp_echo_header_t *)(icmp0+1);
657 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0,
658 &protocol, &sm0, &dont_translate, d);
661 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
664 sum0 = ip_incremental_checksum (0, icmp0,
665 ntohs(ip0->length) - ip4_header_bytes (ip0));
666 checksum0 = ~ip_csum_fold (sum0);
667 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
669 next0 = SNAT_IN2OUT_NEXT_DROP;
673 old_addr0 = ip0->src_address.as_u32;
674 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
675 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
677 sum0 = ip0->checksum;
678 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
679 src_address /* changed member */);
680 ip0->checksum = ip_csum_fold (sum0);
682 if (!icmp_is_error_message (icmp0))
685 if (PREDICT_FALSE(new_id0 != echo0->identifier))
687 old_id0 = echo0->identifier;
689 echo0->identifier = new_id0;
691 sum0 = icmp0->checksum;
692 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
694 icmp0->checksum = ip_csum_fold (sum0);
699 inner_ip0 = (ip4_header_t *)(echo0+1);
700 l4_header = ip4_next_header (inner_ip0);
702 if (!ip4_header_checksum_is_valid (inner_ip0))
704 next0 = SNAT_IN2OUT_NEXT_DROP;
708 old_addr0 = inner_ip0->dst_address.as_u32;
709 inner_ip0->dst_address = sm0.addr;
710 new_addr0 = inner_ip0->dst_address.as_u32;
712 sum0 = icmp0->checksum;
713 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
714 dst_address /* changed member */);
715 icmp0->checksum = ip_csum_fold (sum0);
719 case SNAT_PROTOCOL_ICMP:
720 inner_icmp0 = (icmp46_header_t*)l4_header;
721 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
723 old_id0 = inner_echo0->identifier;
725 inner_echo0->identifier = new_id0;
727 sum0 = icmp0->checksum;
728 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
730 icmp0->checksum = ip_csum_fold (sum0);
732 case SNAT_PROTOCOL_UDP:
733 case SNAT_PROTOCOL_TCP:
734 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
736 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
738 sum0 = icmp0->checksum;
739 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
741 icmp0->checksum = ip_csum_fold (sum0);
755 * Hairpinning allows two endpoints on the internal side of the NAT to
756 * communicate even if they only use each other's external IP addresses
759 * @param sm SNAT main.
760 * @param b0 Vlib buffer.
761 * @param ip0 IP header.
762 * @param udp0 UDP header.
763 * @param tcp0 TCP header.
764 * @param proto0 SNAT protocol.
767 snat_hairpinning (snat_main_t *sm,
774 snat_session_key_t key0, sm0;
775 snat_worker_key_t k0;
777 clib_bihash_kv_8_8_t kv0, value0;
779 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
780 u16 new_dst_port0, old_dst_port0;
782 key0.addr = ip0->dst_address;
783 key0.port = udp0->dst_port;
784 key0.protocol = proto0;
785 key0.fib_index = sm->outside_fib_index;
786 kv0.key = key0.as_u64;
788 /* Check if destination is in active sessions */
789 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
791 /* or static mappings */
792 if (!snat_static_mapping_match(sm, key0, &sm0, 1))
794 new_dst_addr0 = sm0.addr.as_u32;
795 new_dst_port0 = sm0.port;
796 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
802 if (sm->num_workers > 1)
804 k0.addr = ip0->dst_address;
805 k0.port = udp0->dst_port;
806 k0.fib_index = sm->outside_fib_index;
808 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
814 ti = sm->num_workers;
816 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
817 new_dst_addr0 = s0->in2out.addr.as_u32;
818 new_dst_port0 = s0->in2out.port;
819 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
822 /* Destination is behind the same NAT, use internal address and port */
825 old_dst_addr0 = ip0->dst_address.as_u32;
826 ip0->dst_address.as_u32 = new_dst_addr0;
827 sum0 = ip0->checksum;
828 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
829 ip4_header_t, dst_address);
830 ip0->checksum = ip_csum_fold (sum0);
832 old_dst_port0 = tcp0->dst;
833 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
835 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
837 tcp0->dst = new_dst_port0;
838 sum0 = tcp0->checksum;
839 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
840 ip4_header_t, dst_address);
841 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
842 ip4_header_t /* cheat */, length);
843 tcp0->checksum = ip_csum_fold(sum0);
847 udp0->dst_port = new_dst_port0;
854 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
857 icmp46_header_t * icmp0,
860 vlib_node_runtime_t * node,
864 snat_session_t ** p_s0)
866 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
867 next0, thread_index, p_s0);
868 snat_session_t * s0 = *p_s0;
869 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
872 s0->last_heard = now;
874 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
875 /* Per-user LRU list maintenance for dynamic translations */
876 if (!snat_is_session_static (s0))
878 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
880 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
881 s0->per_user_list_head_index,
889 snat_in2out_node_fn_inline (vlib_main_t * vm,
890 vlib_node_runtime_t * node,
891 vlib_frame_t * frame, int is_slow_path)
893 u32 n_left_from, * from, * to_next;
894 snat_in2out_next_t next_index;
895 u32 pkts_processed = 0;
896 snat_main_t * sm = &snat_main;
897 f64 now = vlib_time_now (vm);
898 u32 stats_node_index;
899 u32 thread_index = vlib_get_thread_index ();
901 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
902 snat_in2out_node.index;
904 from = vlib_frame_vector_args (frame);
905 n_left_from = frame->n_vectors;
906 next_index = node->cached_next_index;
908 while (n_left_from > 0)
912 vlib_get_next_frame (vm, node, next_index,
913 to_next, n_left_to_next);
915 while (n_left_from >= 4 && n_left_to_next >= 2)
918 vlib_buffer_t * b0, * b1;
920 u32 sw_if_index0, sw_if_index1;
921 ip4_header_t * ip0, * ip1;
922 ip_csum_t sum0, sum1;
923 u32 new_addr0, old_addr0, new_addr1, old_addr1;
924 u16 old_port0, new_port0, old_port1, new_port1;
925 udp_header_t * udp0, * udp1;
926 tcp_header_t * tcp0, * tcp1;
927 icmp46_header_t * icmp0, * icmp1;
928 snat_session_key_t key0, key1;
929 u32 rx_fib_index0, rx_fib_index1;
931 snat_session_t * s0 = 0, * s1 = 0;
932 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
934 /* Prefetch next iteration. */
936 vlib_buffer_t * p2, * p3;
938 p2 = vlib_get_buffer (vm, from[2]);
939 p3 = vlib_get_buffer (vm, from[3]);
941 vlib_prefetch_buffer_header (p2, LOAD);
942 vlib_prefetch_buffer_header (p3, LOAD);
944 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
945 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
948 /* speculatively enqueue b0 and b1 to the current next frame */
949 to_next[0] = bi0 = from[0];
950 to_next[1] = bi1 = from[1];
956 b0 = vlib_get_buffer (vm, bi0);
957 b1 = vlib_get_buffer (vm, bi1);
959 ip0 = vlib_buffer_get_current (b0);
960 udp0 = ip4_next_header (ip0);
961 tcp0 = (tcp_header_t *) udp0;
962 icmp0 = (icmp46_header_t *) udp0;
964 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
965 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
968 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
970 if (PREDICT_FALSE(ip0->ttl == 1))
972 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
973 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
974 ICMP4_time_exceeded_ttl_exceeded_in_transit,
976 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
980 proto0 = ip_proto_to_snat_proto (ip0->protocol);
982 /* Next configured feature, probably ip4-lookup */
985 if (PREDICT_FALSE (proto0 == ~0))
988 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
990 next0 = icmp_in2out_slow_path
991 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
992 node, next0, now, thread_index, &s0);
998 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1000 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1005 key0.addr = ip0->src_address;
1006 key0.port = udp0->src_port;
1007 key0.protocol = proto0;
1008 key0.fib_index = rx_fib_index0;
1010 kv0.key = key0.as_u64;
1012 if (PREDICT_FALSE (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0) != 0))
1016 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, ip0,
1017 proto0, rx_fib_index0)))
1020 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1021 &s0, node, next0, thread_index);
1022 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1027 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1032 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1035 old_addr0 = ip0->src_address.as_u32;
1036 ip0->src_address = s0->out2in.addr;
1037 new_addr0 = ip0->src_address.as_u32;
1038 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1040 sum0 = ip0->checksum;
1041 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1043 src_address /* changed member */);
1044 ip0->checksum = ip_csum_fold (sum0);
1046 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1048 old_port0 = tcp0->src_port;
1049 tcp0->src_port = s0->out2in.port;
1050 new_port0 = tcp0->src_port;
1052 sum0 = tcp0->checksum;
1053 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1055 dst_address /* changed member */);
1056 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1057 ip4_header_t /* cheat */,
1058 length /* changed member */);
1059 tcp0->checksum = ip_csum_fold(sum0);
1063 old_port0 = udp0->src_port;
1064 udp0->src_port = s0->out2in.port;
1069 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
1072 s0->last_heard = now;
1074 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1075 /* Per-user LRU list maintenance for dynamic translation */
1076 if (!snat_is_session_static (s0))
1078 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1079 s0->per_user_index);
1080 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1081 s0->per_user_list_head_index,
1082 s0->per_user_index);
1086 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1087 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1089 snat_in2out_trace_t *t =
1090 vlib_add_trace (vm, node, b0, sizeof (*t));
1091 t->is_slow_path = is_slow_path;
1092 t->sw_if_index = sw_if_index0;
1093 t->next_index = next0;
1094 t->session_index = ~0;
1096 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1099 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1101 ip1 = vlib_buffer_get_current (b1);
1102 udp1 = ip4_next_header (ip1);
1103 tcp1 = (tcp_header_t *) udp1;
1104 icmp1 = (icmp46_header_t *) udp1;
1106 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1107 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1110 if (PREDICT_FALSE(ip1->ttl == 1))
1112 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1113 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1114 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1116 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1120 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1122 /* Next configured feature, probably ip4-lookup */
1125 if (PREDICT_FALSE (proto1 == ~0))
1128 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1130 next1 = icmp_in2out_slow_path
1131 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1132 next1, now, thread_index, &s1);
1138 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1140 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1145 key1.addr = ip1->src_address;
1146 key1.port = udp1->src_port;
1147 key1.protocol = proto1;
1148 key1.fib_index = rx_fib_index1;
1150 kv1.key = key1.as_u64;
1152 if (PREDICT_FALSE(clib_bihash_search_8_8 (&sm->in2out, &kv1, &value1) != 0))
1156 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1, ip1,
1157 proto1, rx_fib_index1)))
1160 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1161 &s1, node, next1, thread_index);
1162 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1167 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1172 s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1175 old_addr1 = ip1->src_address.as_u32;
1176 ip1->src_address = s1->out2in.addr;
1177 new_addr1 = ip1->src_address.as_u32;
1178 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1180 sum1 = ip1->checksum;
1181 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1183 src_address /* changed member */);
1184 ip1->checksum = ip_csum_fold (sum1);
1186 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1188 old_port1 = tcp1->src_port;
1189 tcp1->src_port = s1->out2in.port;
1190 new_port1 = tcp1->src_port;
1192 sum1 = tcp1->checksum;
1193 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1195 dst_address /* changed member */);
1196 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1197 ip4_header_t /* cheat */,
1198 length /* changed member */);
1199 tcp1->checksum = ip_csum_fold(sum1);
1203 old_port1 = udp1->src_port;
1204 udp1->src_port = s1->out2in.port;
1209 snat_hairpinning (sm, b1, ip1, udp1, tcp1, proto1);
1212 s1->last_heard = now;
1214 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1215 /* Per-user LRU list maintenance for dynamic translation */
1216 if (!snat_is_session_static (s1))
1218 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1219 s1->per_user_index);
1220 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1221 s1->per_user_list_head_index,
1222 s1->per_user_index);
1226 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1227 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1229 snat_in2out_trace_t *t =
1230 vlib_add_trace (vm, node, b1, sizeof (*t));
1231 t->sw_if_index = sw_if_index1;
1232 t->next_index = next1;
1233 t->session_index = ~0;
1235 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1238 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1240 /* verify speculative enqueues, maybe switch current next frame */
1241 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1242 to_next, n_left_to_next,
1243 bi0, bi1, next0, next1);
1246 while (n_left_from > 0 && n_left_to_next > 0)
1254 u32 new_addr0, old_addr0;
1255 u16 old_port0, new_port0;
1256 udp_header_t * udp0;
1257 tcp_header_t * tcp0;
1258 icmp46_header_t * icmp0;
1259 snat_session_key_t key0;
1262 snat_session_t * s0 = 0;
1263 clib_bihash_kv_8_8_t kv0, value0;
1265 /* speculatively enqueue b0 to the current next frame */
1271 n_left_to_next -= 1;
1273 b0 = vlib_get_buffer (vm, bi0);
1274 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1276 ip0 = vlib_buffer_get_current (b0);
1277 udp0 = ip4_next_header (ip0);
1278 tcp0 = (tcp_header_t *) udp0;
1279 icmp0 = (icmp46_header_t *) udp0;
1281 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1282 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1285 if (PREDICT_FALSE(ip0->ttl == 1))
1287 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1288 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1289 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1291 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1295 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1297 /* Next configured feature, probably ip4-lookup */
1300 if (PREDICT_FALSE (proto0 == ~0))
1303 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1305 next0 = icmp_in2out_slow_path
1306 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1307 next0, now, thread_index, &s0);
1313 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1315 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1320 key0.addr = ip0->src_address;
1321 key0.port = udp0->src_port;
1322 key0.protocol = proto0;
1323 key0.fib_index = rx_fib_index0;
1325 kv0.key = key0.as_u64;
1327 if (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
1331 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, ip0,
1332 proto0, rx_fib_index0)))
1335 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1336 &s0, node, next0, thread_index);
1338 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1343 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1348 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1351 old_addr0 = ip0->src_address.as_u32;
1352 ip0->src_address = s0->out2in.addr;
1353 new_addr0 = ip0->src_address.as_u32;
1354 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1356 sum0 = ip0->checksum;
1357 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1359 src_address /* changed member */);
1360 ip0->checksum = ip_csum_fold (sum0);
1362 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1364 old_port0 = tcp0->src_port;
1365 tcp0->src_port = s0->out2in.port;
1366 new_port0 = tcp0->src_port;
1368 sum0 = tcp0->checksum;
1369 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1371 dst_address /* changed member */);
1372 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1373 ip4_header_t /* cheat */,
1374 length /* changed member */);
1375 tcp0->checksum = ip_csum_fold(sum0);
1379 old_port0 = udp0->src_port;
1380 udp0->src_port = s0->out2in.port;
1385 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
1388 s0->last_heard = now;
1390 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1391 /* Per-user LRU list maintenance for dynamic translation */
1392 if (!snat_is_session_static (s0))
1394 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1395 s0->per_user_index);
1396 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1397 s0->per_user_list_head_index,
1398 s0->per_user_index);
1402 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1403 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1405 snat_in2out_trace_t *t =
1406 vlib_add_trace (vm, node, b0, sizeof (*t));
1407 t->is_slow_path = is_slow_path;
1408 t->sw_if_index = sw_if_index0;
1409 t->next_index = next0;
1410 t->session_index = ~0;
1412 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1415 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1417 /* verify speculative enqueue, maybe switch current next frame */
1418 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1419 to_next, n_left_to_next,
1423 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1426 vlib_node_increment_counter (vm, stats_node_index,
1427 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1429 return frame->n_vectors;
1433 snat_in2out_fast_path_fn (vlib_main_t * vm,
1434 vlib_node_runtime_t * node,
1435 vlib_frame_t * frame)
1437 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */);
1440 VLIB_REGISTER_NODE (snat_in2out_node) = {
1441 .function = snat_in2out_fast_path_fn,
1442 .name = "snat-in2out",
1443 .vector_size = sizeof (u32),
1444 .format_trace = format_snat_in2out_trace,
1445 .type = VLIB_NODE_TYPE_INTERNAL,
1447 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1448 .error_strings = snat_in2out_error_strings,
1450 .runtime_data_bytes = sizeof (snat_runtime_t),
1452 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1454 /* edit / add dispositions here */
1456 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1457 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1458 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "snat-in2out-slowpath",
1459 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1463 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
1466 snat_in2out_slow_path_fn (vlib_main_t * vm,
1467 vlib_node_runtime_t * node,
1468 vlib_frame_t * frame)
1470 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */);
1473 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
1474 .function = snat_in2out_slow_path_fn,
1475 .name = "snat-in2out-slowpath",
1476 .vector_size = sizeof (u32),
1477 .format_trace = format_snat_in2out_trace,
1478 .type = VLIB_NODE_TYPE_INTERNAL,
1480 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1481 .error_strings = snat_in2out_error_strings,
1483 .runtime_data_bytes = sizeof (snat_runtime_t),
1485 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1487 /* edit / add dispositions here */
1489 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1490 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1491 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "snat-in2out-slowpath",
1492 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1496 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node, snat_in2out_slow_path_fn);
1498 /**************************/
1499 /*** deterministic mode ***/
1500 /**************************/
1502 snat_det_in2out_node_fn (vlib_main_t * vm,
1503 vlib_node_runtime_t * node,
1504 vlib_frame_t * frame)
1506 u32 n_left_from, * from, * to_next;
1507 snat_in2out_next_t next_index;
1508 u32 pkts_processed = 0;
1509 snat_main_t * sm = &snat_main;
1510 u32 now = (u32) vlib_time_now (vm);
1512 from = vlib_frame_vector_args (frame);
1513 n_left_from = frame->n_vectors;
1514 next_index = node->cached_next_index;
1516 while (n_left_from > 0)
1520 vlib_get_next_frame (vm, node, next_index,
1521 to_next, n_left_to_next);
1523 while (n_left_from >= 4 && n_left_to_next >= 2)
1526 vlib_buffer_t * b0, * b1;
1528 u32 sw_if_index0, sw_if_index1;
1529 ip4_header_t * ip0, * ip1;
1530 ip_csum_t sum0, sum1;
1531 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
1532 u16 old_port0, new_port0, lo_port0, i0;
1533 u16 old_port1, new_port1, lo_port1, i1;
1534 udp_header_t * udp0, * udp1;
1535 tcp_header_t * tcp0, * tcp1;
1537 snat_det_out_key_t key0, key1;
1538 snat_det_map_t * dm0, * dm1;
1539 snat_det_session_t * ses0 = 0, * ses1 = 0;
1541 /* Prefetch next iteration. */
1543 vlib_buffer_t * p2, * p3;
1545 p2 = vlib_get_buffer (vm, from[2]);
1546 p3 = vlib_get_buffer (vm, from[3]);
1548 vlib_prefetch_buffer_header (p2, LOAD);
1549 vlib_prefetch_buffer_header (p3, LOAD);
1551 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1552 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1555 /* speculatively enqueue b0 and b1 to the current next frame */
1556 to_next[0] = bi0 = from[0];
1557 to_next[1] = bi1 = from[1];
1561 n_left_to_next -= 2;
1563 b0 = vlib_get_buffer (vm, bi0);
1564 b1 = vlib_get_buffer (vm, bi1);
1566 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1567 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1569 ip0 = vlib_buffer_get_current (b0);
1570 udp0 = ip4_next_header (ip0);
1571 tcp0 = (tcp_header_t *) udp0;
1573 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1575 if (PREDICT_FALSE(ip0->ttl == 1))
1577 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1578 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1579 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1581 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1585 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
1586 if (PREDICT_FALSE(!dm0))
1588 clib_warning("no match for internal host %U",
1589 format_ip4_address, &ip0->src_address);
1590 next0 = SNAT_IN2OUT_NEXT_DROP;
1591 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
1595 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
1597 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src);
1598 if (PREDICT_FALSE(!ses0))
1600 key0.ext_host_addr = ip0->dst_address;
1601 key0.ext_host_port = tcp0->dst;
1602 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
1604 key0.out_port = clib_host_to_net_u16 (lo_port0 +
1605 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
1607 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
1610 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
1613 if (PREDICT_FALSE(!ses0))
1615 next0 = SNAT_IN2OUT_NEXT_DROP;
1616 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
1621 new_port0 = ses0->out.out_port;
1622 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1624 old_addr0.as_u32 = ip0->src_address.as_u32;
1625 ip0->src_address.as_u32 = new_addr0.as_u32;
1626 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1628 sum0 = ip0->checksum;
1629 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1631 src_address /* changed member */);
1632 ip0->checksum = ip_csum_fold (sum0);
1634 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1636 if (tcp0->flags & TCP_FLAG_SYN)
1637 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
1638 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
1639 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
1640 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1641 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
1642 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
1643 snat_det_ses_close(dm0, ses0);
1644 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
1645 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
1646 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
1647 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
1649 old_port0 = tcp0->src;
1650 tcp0->src = new_port0;
1652 sum0 = tcp0->checksum;
1653 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1655 dst_address /* changed member */);
1656 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1657 ip4_header_t /* cheat */,
1658 length /* changed member */);
1659 tcp0->checksum = ip_csum_fold(sum0);
1663 ses0->state = SNAT_SESSION_UDP_ACTIVE;
1664 old_port0 = udp0->src_port;
1665 udp0->src_port = new_port0;
1671 case SNAT_SESSION_UDP_ACTIVE:
1672 ses0->expire = now + SNAT_UDP_TIMEOUT;
1674 case SNAT_SESSION_TCP_SYN_SENT:
1675 case SNAT_SESSION_TCP_FIN_WAIT:
1676 case SNAT_SESSION_TCP_CLOSE_WAIT:
1677 case SNAT_SESSION_TCP_LAST_ACK:
1678 ses0->expire = now + SNAT_TCP_TRANSITORY_TIMEOUT;
1680 case SNAT_SESSION_TCP_ESTABLISHED:
1681 ses0->expire = now + SNAT_TCP_ESTABLISHED_TIMEOUT;
1686 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1687 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1689 snat_in2out_trace_t *t =
1690 vlib_add_trace (vm, node, b0, sizeof (*t));
1691 t->is_slow_path = 0;
1692 t->sw_if_index = sw_if_index0;
1693 t->next_index = next0;
1694 t->session_index = ~0;
1696 t->session_index = ses0 - dm0->sessions;
1699 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1701 ip1 = vlib_buffer_get_current (b1);
1702 udp1 = ip4_next_header (ip1);
1703 tcp1 = (tcp_header_t *) udp1;
1705 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1707 if (PREDICT_FALSE(ip1->ttl == 1))
1709 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1710 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1711 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1713 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1717 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
1718 if (PREDICT_FALSE(!dm1))
1720 clib_warning("no match for internal host %U",
1721 format_ip4_address, &ip0->src_address);
1722 next1 = SNAT_IN2OUT_NEXT_DROP;
1723 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
1727 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
1729 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src);
1730 if (PREDICT_FALSE(!ses1))
1732 key1.ext_host_addr = ip1->dst_address;
1733 key1.ext_host_port = tcp1->dst;
1734 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
1736 key1.out_port = clib_host_to_net_u16 (lo_port1 +
1737 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
1739 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
1742 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
1745 if (PREDICT_FALSE(!ses1))
1747 next1 = SNAT_IN2OUT_NEXT_DROP;
1748 b1->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
1753 new_port1 = ses1->out.out_port;
1754 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1756 old_addr1.as_u32 = ip1->src_address.as_u32;
1757 ip1->src_address.as_u32 = new_addr1.as_u32;
1758 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1760 sum1 = ip1->checksum;
1761 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1763 src_address /* changed member */);
1764 ip1->checksum = ip_csum_fold (sum1);
1766 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1768 if (tcp1->flags & TCP_FLAG_SYN)
1769 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
1770 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
1771 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
1772 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
1773 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
1774 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
1775 snat_det_ses_close(dm1, ses1);
1776 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
1777 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
1778 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
1779 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
1781 old_port1 = tcp1->src;
1782 tcp1->src = new_port1;
1784 sum1 = tcp1->checksum;
1785 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1787 dst_address /* changed member */);
1788 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1789 ip4_header_t /* cheat */,
1790 length /* changed member */);
1791 tcp1->checksum = ip_csum_fold(sum1);
1795 ses1->state = SNAT_SESSION_UDP_ACTIVE;
1796 old_port1 = udp1->src_port;
1797 udp1->src_port = new_port1;
1803 case SNAT_SESSION_UDP_ACTIVE:
1804 ses1->expire = now + SNAT_UDP_TIMEOUT;
1806 case SNAT_SESSION_TCP_SYN_SENT:
1807 case SNAT_SESSION_TCP_FIN_WAIT:
1808 case SNAT_SESSION_TCP_CLOSE_WAIT:
1809 case SNAT_SESSION_TCP_LAST_ACK:
1810 ses1->expire = now + SNAT_TCP_TRANSITORY_TIMEOUT;
1812 case SNAT_SESSION_TCP_ESTABLISHED:
1813 ses1->expire = now + SNAT_TCP_ESTABLISHED_TIMEOUT;
1818 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1819 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1821 snat_in2out_trace_t *t =
1822 vlib_add_trace (vm, node, b1, sizeof (*t));
1823 t->is_slow_path = 0;
1824 t->sw_if_index = sw_if_index1;
1825 t->next_index = next1;
1826 t->session_index = ~0;
1828 t->session_index = ses1 - dm1->sessions;
1831 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1833 /* verify speculative enqueues, maybe switch current next frame */
1834 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1835 to_next, n_left_to_next,
1836 bi0, bi1, next0, next1);
1839 while (n_left_from > 0 && n_left_to_next > 0)
1847 ip4_address_t new_addr0, old_addr0;
1848 u16 old_port0, new_port0, lo_port0, i0;
1849 udp_header_t * udp0;
1850 tcp_header_t * tcp0;
1852 snat_det_out_key_t key0;
1853 snat_det_map_t * dm0;
1854 snat_det_session_t * ses0 = 0;
1856 /* speculatively enqueue b0 to the current next frame */
1862 n_left_to_next -= 1;
1864 b0 = vlib_get_buffer (vm, bi0);
1865 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1867 ip0 = vlib_buffer_get_current (b0);
1868 udp0 = ip4_next_header (ip0);
1869 tcp0 = (tcp_header_t *) udp0;
1871 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1873 if (PREDICT_FALSE(ip0->ttl == 1))
1875 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1876 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1877 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1879 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1883 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
1884 if (PREDICT_FALSE(!dm0))
1886 clib_warning("no match for internal host %U",
1887 format_ip4_address, &ip0->src_address);
1888 next0 = SNAT_IN2OUT_NEXT_DROP;
1889 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
1893 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
1895 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src);
1896 if (PREDICT_FALSE(!ses0))
1898 key0.ext_host_addr = ip0->dst_address;
1899 key0.ext_host_port = tcp0->dst;
1900 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
1902 key0.out_port = clib_host_to_net_u16 (lo_port0 +
1903 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
1905 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
1908 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
1911 if (PREDICT_FALSE(!ses0))
1913 next0 = SNAT_IN2OUT_NEXT_DROP;
1914 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
1919 new_port0 = ses0->out.out_port;
1920 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1922 old_addr0.as_u32 = ip0->src_address.as_u32;
1923 ip0->src_address.as_u32 = new_addr0.as_u32;
1924 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1926 sum0 = ip0->checksum;
1927 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1929 src_address /* changed member */);
1930 ip0->checksum = ip_csum_fold (sum0);
1932 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1934 if (tcp0->flags & TCP_FLAG_SYN)
1935 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
1936 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
1937 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
1938 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1939 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
1940 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
1941 snat_det_ses_close(dm0, ses0);
1942 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
1943 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
1944 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
1945 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
1947 old_port0 = tcp0->src;
1948 tcp0->src = new_port0;
1950 sum0 = tcp0->checksum;
1951 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1953 dst_address /* changed member */);
1954 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1955 ip4_header_t /* cheat */,
1956 length /* changed member */);
1957 tcp0->checksum = ip_csum_fold(sum0);
1961 ses0->state = SNAT_SESSION_UDP_ACTIVE;
1962 old_port0 = udp0->src_port;
1963 udp0->src_port = new_port0;
1969 case SNAT_SESSION_UDP_ACTIVE:
1970 ses0->expire = now + SNAT_UDP_TIMEOUT;
1972 case SNAT_SESSION_TCP_SYN_SENT:
1973 case SNAT_SESSION_TCP_FIN_WAIT:
1974 case SNAT_SESSION_TCP_CLOSE_WAIT:
1975 case SNAT_SESSION_TCP_LAST_ACK:
1976 ses0->expire = now + SNAT_TCP_TRANSITORY_TIMEOUT;
1978 case SNAT_SESSION_TCP_ESTABLISHED:
1979 ses0->expire = now + SNAT_TCP_ESTABLISHED_TIMEOUT;
1984 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1985 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1987 snat_in2out_trace_t *t =
1988 vlib_add_trace (vm, node, b0, sizeof (*t));
1989 t->is_slow_path = 0;
1990 t->sw_if_index = sw_if_index0;
1991 t->next_index = next0;
1992 t->session_index = ~0;
1994 t->session_index = ses0 - dm0->sessions;
1997 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1999 /* verify speculative enqueue, maybe switch current next frame */
2000 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2001 to_next, n_left_to_next,
2005 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2008 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
2009 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2011 return frame->n_vectors;
2014 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
2015 .function = snat_det_in2out_node_fn,
2016 .name = "snat-det-in2out",
2017 .vector_size = sizeof (u32),
2018 .format_trace = format_snat_in2out_trace,
2019 .type = VLIB_NODE_TYPE_INTERNAL,
2021 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2022 .error_strings = snat_in2out_error_strings,
2024 .runtime_data_bytes = sizeof (snat_runtime_t),
2028 /* edit / add dispositions here */
2030 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2031 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2032 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2036 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
2038 /**********************/
2039 /*** worker handoff ***/
2040 /**********************/
2042 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
2043 vlib_node_runtime_t * node,
2044 vlib_frame_t * frame)
2046 snat_main_t *sm = &snat_main;
2047 vlib_thread_main_t *tm = vlib_get_thread_main ();
2048 u32 n_left_from, *from, *to_next = 0;
2049 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2050 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2052 vlib_frame_queue_elt_t *hf = 0;
2053 vlib_frame_t *f = 0;
2055 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2056 u32 next_worker_index = 0;
2057 u32 current_worker_index = ~0;
2058 u32 thread_index = vlib_get_thread_index ();
2060 ASSERT (vec_len (sm->workers));
2062 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2064 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2066 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2067 sm->first_worker_index + sm->num_workers - 1,
2068 (vlib_frame_queue_t *) (~0));
2071 from = vlib_frame_vector_args (frame);
2072 n_left_from = frame->n_vectors;
2074 while (n_left_from > 0)
2087 b0 = vlib_get_buffer (vm, bi0);
2089 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2090 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2092 ip0 = vlib_buffer_get_current (b0);
2094 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
2096 if (PREDICT_FALSE (next_worker_index != thread_index))
2100 if (next_worker_index != current_worker_index)
2103 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2105 hf = vlib_get_worker_handoff_queue_elt (sm->fq_in2out_index,
2107 handoff_queue_elt_by_worker_index);
2109 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2110 to_next_worker = &hf->buffer_index[hf->n_vectors];
2111 current_worker_index = next_worker_index;
2114 /* enqueue to correct worker thread */
2115 to_next_worker[0] = bi0;
2117 n_left_to_next_worker--;
2119 if (n_left_to_next_worker == 0)
2121 hf->n_vectors = VLIB_FRAME_SIZE;
2122 vlib_put_frame_queue_elt (hf);
2123 current_worker_index = ~0;
2124 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2131 /* if this is 1st frame */
2134 f = vlib_get_frame_to_node (vm, sm->in2out_node_index);
2135 to_next = vlib_frame_vector_args (f);
2143 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2144 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2146 snat_in2out_worker_handoff_trace_t *t =
2147 vlib_add_trace (vm, node, b0, sizeof (*t));
2148 t->next_worker_index = next_worker_index;
2149 t->do_handoff = do_handoff;
2154 vlib_put_frame_to_node (vm, sm->in2out_node_index, f);
2157 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2159 /* Ship frames to the worker nodes */
2160 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2162 if (handoff_queue_elt_by_worker_index[i])
2164 hf = handoff_queue_elt_by_worker_index[i];
2166 * It works better to let the handoff node
2167 * rate-adapt, always ship the handoff queue element.
2169 if (1 || hf->n_vectors == hf->last_n_vectors)
2171 vlib_put_frame_queue_elt (hf);
2172 handoff_queue_elt_by_worker_index[i] = 0;
2175 hf->last_n_vectors = hf->n_vectors;
2177 congested_handoff_queue_by_worker_index[i] =
2178 (vlib_frame_queue_t *) (~0);
2181 current_worker_index = ~0;
2182 return frame->n_vectors;
2185 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
2186 .function = snat_in2out_worker_handoff_fn,
2187 .name = "snat-in2out-worker-handoff",
2188 .vector_size = sizeof (u32),
2189 .format_trace = format_snat_in2out_worker_handoff_trace,
2190 .type = VLIB_NODE_TYPE_INTERNAL,
2199 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node, snat_in2out_worker_handoff_fn);
2202 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
2203 vlib_node_runtime_t * node,
2204 vlib_frame_t * frame)
2206 u32 n_left_from, * from, * to_next;
2207 snat_in2out_next_t next_index;
2208 u32 pkts_processed = 0;
2209 snat_main_t * sm = &snat_main;
2210 u32 stats_node_index;
2212 stats_node_index = snat_in2out_fast_node.index;
2214 from = vlib_frame_vector_args (frame);
2215 n_left_from = frame->n_vectors;
2216 next_index = node->cached_next_index;
2218 while (n_left_from > 0)
2222 vlib_get_next_frame (vm, node, next_index,
2223 to_next, n_left_to_next);
2225 while (n_left_from > 0 && n_left_to_next > 0)
2233 u32 new_addr0, old_addr0;
2234 u16 old_port0, new_port0;
2235 udp_header_t * udp0;
2236 tcp_header_t * tcp0;
2237 icmp46_header_t * icmp0;
2238 snat_session_key_t key0, sm0;
2242 /* speculatively enqueue b0 to the current next frame */
2248 n_left_to_next -= 1;
2250 b0 = vlib_get_buffer (vm, bi0);
2251 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2253 ip0 = vlib_buffer_get_current (b0);
2254 udp0 = ip4_next_header (ip0);
2255 tcp0 = (tcp_header_t *) udp0;
2256 icmp0 = (icmp46_header_t *) udp0;
2258 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2259 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2261 if (PREDICT_FALSE(ip0->ttl == 1))
2263 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2264 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2265 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2267 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2271 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2273 if (PREDICT_FALSE (proto0 == ~0))
2276 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2278 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2279 rx_fib_index0, node, next0, ~0, 0);
2283 key0.addr = ip0->src_address;
2284 key0.port = udp0->src_port;
2285 key0.fib_index = rx_fib_index0;
2287 if (snat_static_mapping_match(sm, key0, &sm0, 0))
2289 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2290 next0= SNAT_IN2OUT_NEXT_DROP;
2294 new_addr0 = sm0.addr.as_u32;
2295 new_port0 = sm0.port;
2296 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2297 old_addr0 = ip0->src_address.as_u32;
2298 ip0->src_address.as_u32 = new_addr0;
2300 sum0 = ip0->checksum;
2301 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2303 src_address /* changed member */);
2304 ip0->checksum = ip_csum_fold (sum0);
2306 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2308 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2310 old_port0 = tcp0->src_port;
2311 tcp0->src_port = new_port0;
2313 sum0 = tcp0->checksum;
2314 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2316 dst_address /* changed member */);
2317 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2318 ip4_header_t /* cheat */,
2319 length /* changed member */);
2320 tcp0->checksum = ip_csum_fold(sum0);
2324 old_port0 = udp0->src_port;
2325 udp0->src_port = new_port0;
2331 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2333 sum0 = tcp0->checksum;
2334 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2336 dst_address /* changed member */);
2337 tcp0->checksum = ip_csum_fold(sum0);
2342 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
2345 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2346 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2348 snat_in2out_trace_t *t =
2349 vlib_add_trace (vm, node, b0, sizeof (*t));
2350 t->sw_if_index = sw_if_index0;
2351 t->next_index = next0;
2354 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2356 /* verify speculative enqueue, maybe switch current next frame */
2357 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2358 to_next, n_left_to_next,
2362 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2365 vlib_node_increment_counter (vm, stats_node_index,
2366 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2368 return frame->n_vectors;
2372 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
2373 .function = snat_in2out_fast_static_map_fn,
2374 .name = "snat-in2out-fast",
2375 .vector_size = sizeof (u32),
2376 .format_trace = format_snat_in2out_fast_trace,
2377 .type = VLIB_NODE_TYPE_INTERNAL,
2379 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2380 .error_strings = snat_in2out_error_strings,
2382 .runtime_data_bytes = sizeof (snat_runtime_t),
2384 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2386 /* edit / add dispositions here */
2388 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2389 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2390 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "snat-in2out-slowpath",
2391 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2395 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob