2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
25 #include <snat/snat.h>
26 #include <snat/snat_ipfix_logging.h>
27 #include <snat/snat_det.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
37 } snat_out2in_trace_t;
40 u32 next_worker_index;
42 } snat_out2in_worker_handoff_trace_t;
44 /* packet trace format function */
45 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
47 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
48 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
49 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
51 s = format (s, "SNAT_OUT2IN: sw_if_index %d, next index %d, session index %d",
52 t->sw_if_index, t->next_index, t->session_index);
56 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
58 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
59 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
60 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
62 s = format (s, "SNAT_OUT2IN_FAST: sw_if_index %d, next index %d",
63 t->sw_if_index, t->next_index);
67 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
69 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
70 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
71 snat_out2in_worker_handoff_trace_t * t =
72 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
75 m = t->do_handoff ? "next worker" : "same worker";
76 s = format (s, "SNAT_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
81 vlib_node_registration_t snat_out2in_node;
82 vlib_node_registration_t snat_out2in_fast_node;
83 vlib_node_registration_t snat_out2in_worker_handoff_node;
84 vlib_node_registration_t snat_det_out2in_node;
86 #define foreach_snat_out2in_error \
87 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
88 _(OUT2IN_PACKETS, "Good out2in packets processed") \
89 _(BAD_ICMP_TYPE, "icmp type not echo-reply") \
90 _(NO_TRANSLATION, "No translation")
93 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
94 foreach_snat_out2in_error
97 } snat_out2in_error_t;
99 static char * snat_out2in_error_strings[] = {
100 #define _(sym,string) string,
101 foreach_snat_out2in_error
106 SNAT_OUT2IN_NEXT_DROP,
107 SNAT_OUT2IN_NEXT_LOOKUP,
108 SNAT_OUT2IN_NEXT_ICMP_ERROR,
110 } snat_out2in_next_t;
113 * @brief Create session for static mapping.
115 * Create NAT session initiated by host from external network with static
118 * @param sm SNAT main.
119 * @param b0 Vlib buffer.
120 * @param in2out In2out SNAT session key.
121 * @param out2in Out2in SNAT session key.
122 * @param node Vlib node.
124 * @returns SNAT session if successfully created otherwise 0.
126 static inline snat_session_t *
127 create_session_for_static_mapping (snat_main_t *sm,
129 snat_session_key_t in2out,
130 snat_session_key_t out2in,
131 vlib_node_runtime_t * node,
135 snat_user_key_t user_key;
137 clib_bihash_kv_8_8_t kv0, value0;
138 dlist_elt_t * per_user_translation_list_elt;
139 dlist_elt_t * per_user_list_head_elt;
141 user_key.addr = in2out.addr;
142 user_key.fib_index = in2out.fib_index;
143 kv0.key = user_key.as_u64;
145 /* Ever heard of the "user" = inside ip4 address before? */
146 if (clib_bihash_search_8_8 (&sm->user_hash, &kv0, &value0))
148 /* no, make a new one */
149 pool_get (sm->per_thread_data[cpu_index].users, u);
150 memset (u, 0, sizeof (*u));
151 u->addr = in2out.addr;
152 u->fib_index = in2out.fib_index;
154 pool_get (sm->per_thread_data[cpu_index].list_pool,
155 per_user_list_head_elt);
157 u->sessions_per_user_list_head_index = per_user_list_head_elt -
158 sm->per_thread_data[cpu_index].list_pool;
160 clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
161 u->sessions_per_user_list_head_index);
163 kv0.value = u - sm->per_thread_data[cpu_index].users;
166 clib_bihash_add_del_8_8 (&sm->user_hash, &kv0, 1 /* is_add */);
168 /* add non-traslated packets worker lookup */
169 kv0.value = cpu_index;
170 clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv0, 1);
174 u = pool_elt_at_index (sm->per_thread_data[cpu_index].users,
178 pool_get (sm->per_thread_data[cpu_index].sessions, s);
179 memset (s, 0, sizeof (*s));
181 s->outside_address_index = ~0;
182 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
183 u->nstaticsessions++;
185 /* Create list elts */
186 pool_get (sm->per_thread_data[cpu_index].list_pool,
187 per_user_translation_list_elt);
188 clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
189 per_user_translation_list_elt -
190 sm->per_thread_data[cpu_index].list_pool);
192 per_user_translation_list_elt->value =
193 s - sm->per_thread_data[cpu_index].sessions;
195 per_user_translation_list_elt - sm->per_thread_data[cpu_index].list_pool;
196 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
198 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
199 s->per_user_list_head_index,
200 per_user_translation_list_elt -
201 sm->per_thread_data[cpu_index].list_pool);
205 s->in2out.protocol = out2in.protocol;
207 /* Add to translation hashes */
208 kv0.key = s->in2out.as_u64;
209 kv0.value = s - sm->per_thread_data[cpu_index].sessions;
210 if (clib_bihash_add_del_8_8 (&sm->in2out, &kv0, 1 /* is_add */))
211 clib_warning ("in2out key add failed");
213 kv0.key = s->out2in.as_u64;
214 kv0.value = s - sm->per_thread_data[cpu_index].sessions;
216 if (clib_bihash_add_del_8_8 (&sm->out2in, &kv0, 1 /* is_add */))
217 clib_warning ("out2in key add failed");
220 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
221 s->out2in.addr.as_u32,
225 s->in2out.fib_index);
230 u16 src_port, dst_port;
233 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
236 icmp46_header_t * icmp0,
239 vlib_node_runtime_t * node,
242 snat_session_t ** p_s0)
244 snat_session_key_t key0, sm0;
245 icmp_echo_header_t *echo0, *inner_echo0 = 0;
246 ip4_header_t *inner_ip0 = 0;
248 icmp46_header_t *inner_icmp0;
249 clib_bihash_kv_8_8_t kv0, value0;
250 snat_session_t * s0 = 0;
251 u32 new_addr0, old_addr0;
252 u16 old_id0, new_id0;
255 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
256 u8 is_error_message = 0;
258 echo0 = (icmp_echo_header_t *)(icmp0+1);
260 key0.addr = ip0->dst_address;
261 key0.fib_index = rx_fib_index0;
265 case ICMP4_destination_unreachable:
266 case ICMP4_time_exceeded:
267 case ICMP4_parameter_problem:
268 case ICMP4_source_quench:
270 case ICMP4_alternate_host_address:
271 is_error_message = 1;
274 if (!is_error_message)
276 key0.protocol = SNAT_PROTOCOL_ICMP;
277 key0.port = echo0->identifier;
281 inner_ip0 = (ip4_header_t *)(echo0+1);
282 l4_header = ip4_next_header (inner_ip0);
283 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
284 switch (key0.protocol)
286 case SNAT_PROTOCOL_ICMP:
287 inner_icmp0 = (icmp46_header_t*)l4_header;
288 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
289 key0.port = inner_echo0->identifier;
291 case SNAT_PROTOCOL_UDP:
292 case SNAT_PROTOCOL_TCP:
293 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
296 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
297 next0 = SNAT_OUT2IN_NEXT_DROP;
302 kv0.key = key0.as_u64;
304 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
306 /* Try to match static mapping by external address and port,
307 destination address and port in packet */
308 if (snat_static_mapping_match(sm, key0, &sm0, 1))
310 ip4_address_t * first_int_addr;
312 if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
315 ip4_interface_first_address (sm->ip4_main, sw_if_index0,
316 0 /* just want the address */);
317 rt->cached_sw_if_index = sw_if_index0;
319 rt->cached_ip4_address = first_int_addr->as_u32;
321 rt->cached_ip4_address = 0;
324 /* Don't NAT packet aimed at the intfc address */
325 if (PREDICT_FALSE(ip0->dst_address.as_u32 == rt->cached_ip4_address))
328 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
329 next0 = SNAT_OUT2IN_NEXT_DROP;
333 if (is_error_message)
335 next0 = SNAT_OUT2IN_NEXT_DROP;
339 /* Create session initiated by host from external network */
340 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
345 next0 = SNAT_OUT2IN_NEXT_DROP;
350 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
353 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply && !is_error_message))
355 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
356 next0 = SNAT_OUT2IN_NEXT_DROP;
360 sum0 = ip_incremental_checksum (0, icmp0,
361 ntohs(ip0->length) - ip4_header_bytes (ip0));
362 checksum0 = ~ip_csum_fold (sum0);
363 if (checksum0 != 0 && checksum0 != 0xffff)
365 next0 = SNAT_OUT2IN_NEXT_DROP;
369 old_addr0 = ip0->dst_address.as_u32;
370 ip0->dst_address = s0->in2out.addr;
371 new_addr0 = ip0->dst_address.as_u32;
372 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
374 sum0 = ip0->checksum;
375 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
376 dst_address /* changed member */);
377 ip0->checksum = ip_csum_fold (sum0);
379 if (!is_error_message)
381 old_id0 = echo0->identifier;
382 new_id0 = s0->in2out.port;
383 echo0->identifier = new_id0;
385 sum0 = icmp0->checksum;
386 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
387 identifier /* changed member */);
388 icmp0->checksum = ip_csum_fold (sum0);
392 if (!ip4_header_checksum_is_valid (inner_ip0))
394 next0 = SNAT_OUT2IN_NEXT_DROP;
398 old_addr0 = inner_ip0->src_address.as_u32;
399 inner_ip0->src_address = s0->in2out.addr;
400 new_addr0 = inner_ip0->src_address.as_u32;
402 sum0 = icmp0->checksum;
403 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
404 src_address /* changed member */);
405 icmp0->checksum = ip_csum_fold (sum0);
407 switch (key0.protocol)
409 case SNAT_PROTOCOL_ICMP:
410 old_id0 = inner_echo0->identifier;
411 new_id0 = s0->in2out.port;
412 inner_echo0->identifier = new_id0;
414 sum0 = icmp0->checksum;
415 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
417 icmp0->checksum = ip_csum_fold (sum0);
419 case SNAT_PROTOCOL_UDP:
420 case SNAT_PROTOCOL_TCP:
421 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
422 new_id0 = s0->in2out.port;
423 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
425 sum0 = icmp0->checksum;
426 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
428 icmp0->checksum = ip_csum_fold (sum0);
436 s0->last_heard = now;
438 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
439 /* Per-user LRU list maintenance for dynamic translation */
440 if (!snat_is_session_static (s0))
442 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
444 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
445 s0->per_user_list_head_index,
455 snat_out2in_node_fn (vlib_main_t * vm,
456 vlib_node_runtime_t * node,
457 vlib_frame_t * frame)
459 u32 n_left_from, * from, * to_next;
460 snat_out2in_next_t next_index;
461 u32 pkts_processed = 0;
462 snat_main_t * sm = &snat_main;
463 f64 now = vlib_time_now (vm);
464 u32 cpu_index = os_get_cpu_number ();
466 from = vlib_frame_vector_args (frame);
467 n_left_from = frame->n_vectors;
468 next_index = node->cached_next_index;
470 while (n_left_from > 0)
474 vlib_get_next_frame (vm, node, next_index,
475 to_next, n_left_to_next);
477 while (n_left_from >= 4 && n_left_to_next >= 2)
480 vlib_buffer_t * b0, * b1;
481 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
482 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
483 u32 sw_if_index0, sw_if_index1;
484 ip4_header_t * ip0, *ip1;
485 ip_csum_t sum0, sum1;
486 u32 new_addr0, old_addr0;
487 u16 new_port0, old_port0;
488 u32 new_addr1, old_addr1;
489 u16 new_port1, old_port1;
490 udp_header_t * udp0, * udp1;
491 tcp_header_t * tcp0, * tcp1;
492 icmp46_header_t * icmp0, * icmp1;
493 snat_session_key_t key0, key1, sm0, sm1;
494 u32 rx_fib_index0, rx_fib_index1;
496 snat_session_t * s0 = 0, * s1 = 0;
497 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
499 /* Prefetch next iteration. */
501 vlib_buffer_t * p2, * p3;
503 p2 = vlib_get_buffer (vm, from[2]);
504 p3 = vlib_get_buffer (vm, from[3]);
506 vlib_prefetch_buffer_header (p2, LOAD);
507 vlib_prefetch_buffer_header (p3, LOAD);
509 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
510 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
513 /* speculatively enqueue b0 and b1 to the current next frame */
514 to_next[0] = bi0 = from[0];
515 to_next[1] = bi1 = from[1];
521 b0 = vlib_get_buffer (vm, bi0);
522 b1 = vlib_get_buffer (vm, bi1);
524 ip0 = vlib_buffer_get_current (b0);
525 udp0 = ip4_next_header (ip0);
526 tcp0 = (tcp_header_t *) udp0;
527 icmp0 = (icmp46_header_t *) udp0;
529 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
530 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
533 proto0 = ip_proto_to_snat_proto (ip0->protocol);
535 if (PREDICT_FALSE (proto0 == ~0))
538 if (PREDICT_FALSE(ip0->ttl == 1))
540 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
541 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
542 ICMP4_time_exceeded_ttl_exceeded_in_transit,
544 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
548 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
550 next0 = icmp_out2in_slow_path
551 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
552 next0, now, cpu_index, &s0);
556 key0.addr = ip0->dst_address;
557 key0.port = udp0->dst_port;
558 key0.protocol = proto0;
559 key0.fib_index = rx_fib_index0;
561 kv0.key = key0.as_u64;
563 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
565 /* Try to match static mapping by external address and port,
566 destination address and port in packet */
567 if (snat_static_mapping_match(sm, key0, &sm0, 1))
569 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
571 * Send DHCP packets to the ipv4 stack, or we won't
572 * be able to use dhcp client on the outside interface
574 if (proto0 != SNAT_PROTOCOL_UDP
576 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
577 next0 = SNAT_OUT2IN_NEXT_DROP;
581 /* Create session initiated by host from external network */
582 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
586 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
587 next0 = SNAT_OUT2IN_NEXT_DROP;
592 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
595 old_addr0 = ip0->dst_address.as_u32;
596 ip0->dst_address = s0->in2out.addr;
597 new_addr0 = ip0->dst_address.as_u32;
598 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
600 sum0 = ip0->checksum;
601 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
603 dst_address /* changed member */);
604 ip0->checksum = ip_csum_fold (sum0);
606 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
608 old_port0 = tcp0->dst_port;
609 tcp0->dst_port = s0->in2out.port;
610 new_port0 = tcp0->dst_port;
612 sum0 = tcp0->checksum;
613 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
615 dst_address /* changed member */);
617 sum0 = ip_csum_update (sum0, old_port0, new_port0,
618 ip4_header_t /* cheat */,
619 length /* changed member */);
620 tcp0->checksum = ip_csum_fold(sum0);
624 old_port0 = udp0->dst_port;
625 udp0->dst_port = s0->in2out.port;
630 s0->last_heard = now;
632 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
633 /* Per-user LRU list maintenance for dynamic translation */
634 if (!snat_is_session_static (s0))
636 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
638 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
639 s0->per_user_list_head_index,
644 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
645 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
647 snat_out2in_trace_t *t =
648 vlib_add_trace (vm, node, b0, sizeof (*t));
649 t->sw_if_index = sw_if_index0;
650 t->next_index = next0;
651 t->session_index = ~0;
653 t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
656 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
659 ip1 = vlib_buffer_get_current (b1);
660 udp1 = ip4_next_header (ip1);
661 tcp1 = (tcp_header_t *) udp1;
662 icmp1 = (icmp46_header_t *) udp1;
664 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
665 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
668 proto1 = ip_proto_to_snat_proto (ip1->protocol);
670 if (PREDICT_FALSE (proto1 == ~0))
673 if (PREDICT_FALSE(ip0->ttl == 1))
675 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
676 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
677 ICMP4_time_exceeded_ttl_exceeded_in_transit,
679 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
683 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
685 next1 = icmp_out2in_slow_path
686 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
687 next1, now, cpu_index, &s1);
691 key1.addr = ip1->dst_address;
692 key1.port = udp1->dst_port;
693 key1.protocol = proto1;
694 key1.fib_index = rx_fib_index1;
696 kv1.key = key1.as_u64;
698 if (clib_bihash_search_8_8 (&sm->out2in, &kv1, &value1))
700 /* Try to match static mapping by external address and port,
701 destination address and port in packet */
702 if (snat_static_mapping_match(sm, key1, &sm1, 1))
704 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
706 * Send DHCP packets to the ipv4 stack, or we won't
707 * be able to use dhcp client on the outside interface
709 if (proto1 != SNAT_PROTOCOL_UDP
711 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
712 next1 = SNAT_OUT2IN_NEXT_DROP;
716 /* Create session initiated by host from external network */
717 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
721 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
722 next1 = SNAT_OUT2IN_NEXT_DROP;
727 s1 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
730 old_addr1 = ip1->dst_address.as_u32;
731 ip1->dst_address = s1->in2out.addr;
732 new_addr1 = ip1->dst_address.as_u32;
733 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
735 sum1 = ip1->checksum;
736 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
738 dst_address /* changed member */);
739 ip1->checksum = ip_csum_fold (sum1);
741 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
743 old_port1 = tcp1->dst_port;
744 tcp1->dst_port = s1->in2out.port;
745 new_port1 = tcp1->dst_port;
747 sum1 = tcp1->checksum;
748 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
750 dst_address /* changed member */);
752 sum1 = ip_csum_update (sum1, old_port1, new_port1,
753 ip4_header_t /* cheat */,
754 length /* changed member */);
755 tcp1->checksum = ip_csum_fold(sum1);
759 old_port1 = udp1->dst_port;
760 udp1->dst_port = s1->in2out.port;
765 s1->last_heard = now;
767 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
768 /* Per-user LRU list maintenance for dynamic translation */
769 if (!snat_is_session_static (s1))
771 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
773 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
774 s1->per_user_list_head_index,
779 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
780 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
782 snat_out2in_trace_t *t =
783 vlib_add_trace (vm, node, b1, sizeof (*t));
784 t->sw_if_index = sw_if_index1;
785 t->next_index = next1;
786 t->session_index = ~0;
788 t->session_index = s1 - sm->per_thread_data[cpu_index].sessions;
791 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
793 /* verify speculative enqueues, maybe switch current next frame */
794 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
795 to_next, n_left_to_next,
796 bi0, bi1, next0, next1);
799 while (n_left_from > 0 && n_left_to_next > 0)
803 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
807 u32 new_addr0, old_addr0;
808 u16 new_port0, old_port0;
811 icmp46_header_t * icmp0;
812 snat_session_key_t key0, sm0;
815 snat_session_t * s0 = 0;
816 clib_bihash_kv_8_8_t kv0, value0;
818 /* speculatively enqueue b0 to the current next frame */
826 b0 = vlib_get_buffer (vm, bi0);
828 ip0 = vlib_buffer_get_current (b0);
829 udp0 = ip4_next_header (ip0);
830 tcp0 = (tcp_header_t *) udp0;
831 icmp0 = (icmp46_header_t *) udp0;
833 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
834 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
837 proto0 = ip_proto_to_snat_proto (ip0->protocol);
839 if (PREDICT_FALSE (proto0 == ~0))
842 if (PREDICT_FALSE(ip0->ttl == 1))
844 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
845 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
846 ICMP4_time_exceeded_ttl_exceeded_in_transit,
848 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
852 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
854 next0 = icmp_out2in_slow_path
855 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
856 next0, now, cpu_index, &s0);
860 key0.addr = ip0->dst_address;
861 key0.port = udp0->dst_port;
862 key0.protocol = proto0;
863 key0.fib_index = rx_fib_index0;
865 kv0.key = key0.as_u64;
867 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
869 /* Try to match static mapping by external address and port,
870 destination address and port in packet */
871 if (snat_static_mapping_match(sm, key0, &sm0, 1))
873 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
875 * Send DHCP packets to the ipv4 stack, or we won't
876 * be able to use dhcp client on the outside interface
878 if (proto0 != SNAT_PROTOCOL_UDP
880 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
882 next0 = SNAT_OUT2IN_NEXT_DROP;
886 /* Create session initiated by host from external network */
887 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
891 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
892 next0 = SNAT_OUT2IN_NEXT_DROP;
897 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
900 old_addr0 = ip0->dst_address.as_u32;
901 ip0->dst_address = s0->in2out.addr;
902 new_addr0 = ip0->dst_address.as_u32;
903 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
905 sum0 = ip0->checksum;
906 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
908 dst_address /* changed member */);
909 ip0->checksum = ip_csum_fold (sum0);
911 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
913 old_port0 = tcp0->dst_port;
914 tcp0->dst_port = s0->in2out.port;
915 new_port0 = tcp0->dst_port;
917 sum0 = tcp0->checksum;
918 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
920 dst_address /* changed member */);
922 sum0 = ip_csum_update (sum0, old_port0, new_port0,
923 ip4_header_t /* cheat */,
924 length /* changed member */);
925 tcp0->checksum = ip_csum_fold(sum0);
929 old_port0 = udp0->dst_port;
930 udp0->dst_port = s0->in2out.port;
935 s0->last_heard = now;
937 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
938 /* Per-user LRU list maintenance for dynamic translation */
939 if (!snat_is_session_static (s0))
941 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
943 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
944 s0->per_user_list_head_index,
949 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
950 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
952 snat_out2in_trace_t *t =
953 vlib_add_trace (vm, node, b0, sizeof (*t));
954 t->sw_if_index = sw_if_index0;
955 t->next_index = next0;
956 t->session_index = ~0;
958 t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
961 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
963 /* verify speculative enqueue, maybe switch current next frame */
964 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
965 to_next, n_left_to_next,
969 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
972 vlib_node_increment_counter (vm, snat_out2in_node.index,
973 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
975 return frame->n_vectors;
978 VLIB_REGISTER_NODE (snat_out2in_node) = {
979 .function = snat_out2in_node_fn,
980 .name = "snat-out2in",
981 .vector_size = sizeof (u32),
982 .format_trace = format_snat_out2in_trace,
983 .type = VLIB_NODE_TYPE_INTERNAL,
985 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
986 .error_strings = snat_out2in_error_strings,
988 .runtime_data_bytes = sizeof (snat_runtime_t),
990 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
992 /* edit / add dispositions here */
994 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
995 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
996 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
999 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1001 /**************************/
1002 /*** deterministic mode ***/
1003 /**************************/
1005 snat_det_out2in_node_fn (vlib_main_t * vm,
1006 vlib_node_runtime_t * node,
1007 vlib_frame_t * frame)
1009 u32 n_left_from, * from, * to_next;
1010 snat_out2in_next_t next_index;
1011 u32 pkts_processed = 0;
1012 snat_main_t * sm = &snat_main;
1014 from = vlib_frame_vector_args (frame);
1015 n_left_from = frame->n_vectors;
1016 next_index = node->cached_next_index;
1018 while (n_left_from > 0)
1022 vlib_get_next_frame (vm, node, next_index,
1023 to_next, n_left_to_next);
1025 while (n_left_from >= 4 && n_left_to_next >= 2)
1028 vlib_buffer_t * b0, * b1;
1029 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1030 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1031 u32 sw_if_index0, sw_if_index1;
1032 ip4_header_t * ip0, * ip1;
1033 ip_csum_t sum0, sum1;
1034 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
1035 u16 new_port0, old_port0, old_port1, new_port1;
1036 udp_header_t * udp0, * udp1;
1037 tcp_header_t * tcp0, * tcp1;
1039 snat_det_out_key_t key0, key1;
1040 snat_det_map_t * dm0, * dm1;
1041 snat_det_session_t * ses0 = 0, * ses1 = 0;
1043 /* Prefetch next iteration. */
1045 vlib_buffer_t * p2, * p3;
1047 p2 = vlib_get_buffer (vm, from[2]);
1048 p3 = vlib_get_buffer (vm, from[3]);
1050 vlib_prefetch_buffer_header (p2, LOAD);
1051 vlib_prefetch_buffer_header (p3, LOAD);
1053 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1054 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1057 /* speculatively enqueue b0 and b1 to the current next frame */
1058 to_next[0] = bi0 = from[0];
1059 to_next[1] = bi1 = from[1];
1063 n_left_to_next -= 2;
1065 b0 = vlib_get_buffer (vm, bi0);
1066 b1 = vlib_get_buffer (vm, bi1);
1068 ip0 = vlib_buffer_get_current (b0);
1069 udp0 = ip4_next_header (ip0);
1070 tcp0 = (tcp_header_t *) udp0;
1072 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1074 key0.ext_host_addr = ip0->src_address;
1075 key0.ext_host_port = tcp0->src;
1076 key0.out_port = tcp0->dst;
1078 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
1079 if (PREDICT_FALSE(!dm0))
1081 clib_warning("unknown dst address: %U",
1082 format_ip4_address, &ip0->dst_address);
1083 next0 = SNAT_OUT2IN_NEXT_DROP;
1087 snat_det_reverse(dm0, &ip0->dst_address,
1088 clib_net_to_host_u16(tcp0->dst), &new_addr0);
1090 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
1091 if (PREDICT_FALSE(!ses0))
1093 clib_warning("no match src %U:%d dst %d for user %U",
1094 format_ip4_address, &ip0->dst_address,
1095 clib_net_to_host_u16 (tcp0->src),
1096 clib_net_to_host_u16 (tcp0->dst),
1097 format_ip4_address, &new_addr0);
1098 next0 = SNAT_OUT2IN_NEXT_DROP;
1101 new_port0 = ses0->in_port;
1103 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1105 old_addr0 = ip0->dst_address;
1106 ip0->dst_address = new_addr0;
1107 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1109 sum0 = ip0->checksum;
1110 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1112 dst_address /* changed member */);
1113 ip0->checksum = ip_csum_fold (sum0);
1115 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1117 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1118 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1119 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
1120 snat_det_ses_close(dm0, ses0);
1122 old_port0 = tcp0->dst;
1123 tcp0->dst = new_port0;
1125 sum0 = tcp0->checksum;
1126 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1128 dst_address /* changed member */);
1130 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1131 ip4_header_t /* cheat */,
1132 length /* changed member */);
1133 tcp0->checksum = ip_csum_fold(sum0);
1137 old_port0 = udp0->dst_port;
1138 udp0->dst_port = new_port0;
1144 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1145 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1147 snat_out2in_trace_t *t =
1148 vlib_add_trace (vm, node, b0, sizeof (*t));
1149 t->sw_if_index = sw_if_index0;
1150 t->next_index = next0;
1151 t->session_index = ~0;
1153 t->session_index = ses0 - dm0->sessions;
1156 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1158 b1 = vlib_get_buffer (vm, bi1);
1160 ip1 = vlib_buffer_get_current (b1);
1161 udp1 = ip4_next_header (ip1);
1162 tcp1 = (tcp_header_t *) udp1;
1164 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1166 key1.ext_host_addr = ip1->src_address;
1167 key1.ext_host_port = tcp1->src;
1168 key1.out_port = tcp1->dst;
1170 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
1171 if (PREDICT_FALSE(!dm1))
1173 clib_warning("unknown dst address: %U",
1174 format_ip4_address, &ip1->dst_address);
1175 next1 = SNAT_OUT2IN_NEXT_DROP;
1179 snat_det_reverse(dm1, &ip1->dst_address,
1180 clib_net_to_host_u16(tcp1->dst), &new_addr1);
1182 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
1183 if (PREDICT_FALSE(!ses1))
1185 clib_warning("no match src %U:%d dst %d for user %U",
1186 format_ip4_address, &ip1->dst_address,
1187 clib_net_to_host_u16 (tcp1->src),
1188 clib_net_to_host_u16 (tcp1->dst),
1189 format_ip4_address, &new_addr1);
1190 next1 = SNAT_OUT2IN_NEXT_DROP;
1193 new_port1 = ses1->in_port;
1195 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1197 old_addr1 = ip1->dst_address;
1198 ip1->dst_address = new_addr1;
1199 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1201 sum1 = ip1->checksum;
1202 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1204 dst_address /* changed member */);
1205 ip1->checksum = ip_csum_fold (sum1);
1207 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1209 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
1210 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1211 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
1212 snat_det_ses_close(dm1, ses1);
1214 old_port1 = tcp1->dst;
1215 tcp1->dst = new_port1;
1217 sum1 = tcp1->checksum;
1218 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1220 dst_address /* changed member */);
1222 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1223 ip4_header_t /* cheat */,
1224 length /* changed member */);
1225 tcp1->checksum = ip_csum_fold(sum1);
1229 old_port1 = udp1->dst_port;
1230 udp1->dst_port = new_port1;
1236 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1237 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1239 snat_out2in_trace_t *t =
1240 vlib_add_trace (vm, node, b1, sizeof (*t));
1241 t->sw_if_index = sw_if_index1;
1242 t->next_index = next1;
1243 t->session_index = ~0;
1245 t->session_index = ses1 - dm1->sessions;
1248 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1250 /* verify speculative enqueues, maybe switch current next frame */
1251 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1252 to_next, n_left_to_next,
1253 bi0, bi1, next0, next1);
1256 while (n_left_from > 0 && n_left_to_next > 0)
1260 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1264 ip4_address_t new_addr0, old_addr0;
1265 u16 new_port0, old_port0;
1266 udp_header_t * udp0;
1267 tcp_header_t * tcp0;
1269 snat_det_out_key_t key0;
1270 snat_det_map_t * dm0;
1271 snat_det_session_t * ses0 = 0;
1273 /* speculatively enqueue b0 to the current next frame */
1279 n_left_to_next -= 1;
1281 b0 = vlib_get_buffer (vm, bi0);
1283 ip0 = vlib_buffer_get_current (b0);
1284 udp0 = ip4_next_header (ip0);
1285 tcp0 = (tcp_header_t *) udp0;
1287 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1289 key0.ext_host_addr = ip0->src_address;
1290 key0.ext_host_port = tcp0->src;
1291 key0.out_port = tcp0->dst;
1293 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
1294 if (PREDICT_FALSE(!dm0))
1296 clib_warning("unknown dst address: %U",
1297 format_ip4_address, &ip0->dst_address);
1298 next0 = SNAT_OUT2IN_NEXT_DROP;
1302 snat_det_reverse(dm0, &ip0->dst_address,
1303 clib_net_to_host_u16(tcp0->dst), &new_addr0);
1305 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
1306 if (PREDICT_FALSE(!ses0))
1308 clib_warning("no match src %U:%d dst %d for user %U",
1309 format_ip4_address, &ip0->dst_address,
1310 clib_net_to_host_u16 (tcp0->src),
1311 clib_net_to_host_u16 (tcp0->dst),
1312 format_ip4_address, &new_addr0);
1313 next0 = SNAT_OUT2IN_NEXT_DROP;
1316 new_port0 = ses0->in_port;
1318 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1320 old_addr0 = ip0->dst_address;
1321 ip0->dst_address = new_addr0;
1322 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1324 sum0 = ip0->checksum;
1325 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1327 dst_address /* changed member */);
1328 ip0->checksum = ip_csum_fold (sum0);
1330 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1332 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1333 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1334 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
1335 snat_det_ses_close(dm0, ses0);
1337 old_port0 = tcp0->dst;
1338 tcp0->dst = new_port0;
1340 sum0 = tcp0->checksum;
1341 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1343 dst_address /* changed member */);
1345 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1346 ip4_header_t /* cheat */,
1347 length /* changed member */);
1348 tcp0->checksum = ip_csum_fold(sum0);
1352 old_port0 = udp0->dst_port;
1353 udp0->dst_port = new_port0;
1359 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1360 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1362 snat_out2in_trace_t *t =
1363 vlib_add_trace (vm, node, b0, sizeof (*t));
1364 t->sw_if_index = sw_if_index0;
1365 t->next_index = next0;
1366 t->session_index = ~0;
1368 t->session_index = ses0 - dm0->sessions;
1371 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1373 /* verify speculative enqueue, maybe switch current next frame */
1374 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1375 to_next, n_left_to_next,
1379 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1382 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
1383 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1385 return frame->n_vectors;
1388 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
1389 .function = snat_det_out2in_node_fn,
1390 .name = "snat-det-out2in",
1391 .vector_size = sizeof (u32),
1392 .format_trace = format_snat_out2in_trace,
1393 .type = VLIB_NODE_TYPE_INTERNAL,
1395 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1396 .error_strings = snat_out2in_error_strings,
1398 .runtime_data_bytes = sizeof (snat_runtime_t),
1402 /* edit / add dispositions here */
1404 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1405 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1408 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
1410 /**********************/
1411 /*** worker handoff ***/
1412 /**********************/
1414 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
1415 vlib_node_runtime_t * node,
1416 vlib_frame_t * frame)
1418 snat_main_t *sm = &snat_main;
1419 vlib_thread_main_t *tm = vlib_get_thread_main ();
1420 u32 n_left_from, *from, *to_next = 0;
1421 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
1422 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
1424 vlib_frame_queue_elt_t *hf = 0;
1425 vlib_frame_t *f = 0;
1427 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
1428 u32 next_worker_index = 0;
1429 u32 current_worker_index = ~0;
1430 u32 cpu_index = os_get_cpu_number ();
1432 ASSERT (vec_len (sm->workers));
1434 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
1436 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
1438 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
1439 sm->first_worker_index + sm->num_workers - 1,
1440 (vlib_frame_queue_t *) (~0));
1443 from = vlib_frame_vector_args (frame);
1444 n_left_from = frame->n_vectors;
1446 while (n_left_from > 0)
1459 b0 = vlib_get_buffer (vm, bi0);
1461 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1462 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1464 ip0 = vlib_buffer_get_current (b0);
1466 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
1468 if (PREDICT_FALSE (next_worker_index != cpu_index))
1472 if (next_worker_index != current_worker_index)
1475 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
1477 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
1479 handoff_queue_elt_by_worker_index);
1481 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
1482 to_next_worker = &hf->buffer_index[hf->n_vectors];
1483 current_worker_index = next_worker_index;
1486 /* enqueue to correct worker thread */
1487 to_next_worker[0] = bi0;
1489 n_left_to_next_worker--;
1491 if (n_left_to_next_worker == 0)
1493 hf->n_vectors = VLIB_FRAME_SIZE;
1494 vlib_put_frame_queue_elt (hf);
1495 current_worker_index = ~0;
1496 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
1503 /* if this is 1st frame */
1506 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
1507 to_next = vlib_frame_vector_args (f);
1515 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1516 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1518 snat_out2in_worker_handoff_trace_t *t =
1519 vlib_add_trace (vm, node, b0, sizeof (*t));
1520 t->next_worker_index = next_worker_index;
1521 t->do_handoff = do_handoff;
1526 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
1529 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
1531 /* Ship frames to the worker nodes */
1532 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
1534 if (handoff_queue_elt_by_worker_index[i])
1536 hf = handoff_queue_elt_by_worker_index[i];
1538 * It works better to let the handoff node
1539 * rate-adapt, always ship the handoff queue element.
1541 if (1 || hf->n_vectors == hf->last_n_vectors)
1543 vlib_put_frame_queue_elt (hf);
1544 handoff_queue_elt_by_worker_index[i] = 0;
1547 hf->last_n_vectors = hf->n_vectors;
1549 congested_handoff_queue_by_worker_index[i] =
1550 (vlib_frame_queue_t *) (~0);
1553 current_worker_index = ~0;
1554 return frame->n_vectors;
1557 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
1558 .function = snat_out2in_worker_handoff_fn,
1559 .name = "snat-out2in-worker-handoff",
1560 .vector_size = sizeof (u32),
1561 .format_trace = format_snat_out2in_worker_handoff_trace,
1562 .type = VLIB_NODE_TYPE_INTERNAL,
1571 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
1573 /********************************/
1574 /*** static mapping only mode ***/
1575 /********************************/
1576 static inline u32 icmp_out2in_fast (snat_main_t *sm,
1579 icmp46_header_t * icmp0,
1581 vlib_node_runtime_t * node,
1585 snat_session_key_t key0, sm0;
1586 icmp_echo_header_t *echo0;
1587 u32 new_addr0, old_addr0;
1588 u16 old_id0, new_id0;
1590 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
1592 echo0 = (icmp_echo_header_t *)(icmp0+1);
1594 key0.addr = ip0->dst_address;
1595 key0.port = echo0->identifier;
1596 key0.fib_index = rx_fib_index0;
1598 if (snat_static_mapping_match(sm, key0, &sm0, 1))
1600 ip4_address_t * first_int_addr;
1602 if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
1605 ip4_interface_first_address (sm->ip4_main, sw_if_index0,
1606 0 /* just want the address */);
1607 rt->cached_sw_if_index = sw_if_index0;
1609 rt->cached_ip4_address = first_int_addr->as_u32;
1611 rt->cached_ip4_address = 0;
1614 /* Don't NAT packet aimed at the intfc address */
1615 if (PREDICT_FALSE(ip0->dst_address.as_u32 ==
1616 rt->cached_ip4_address))
1619 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1620 return SNAT_OUT2IN_NEXT_DROP;
1623 new_addr0 = sm0.addr.as_u32;
1625 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1627 old_addr0 = ip0->dst_address.as_u32;
1628 ip0->dst_address.as_u32 = new_addr0;
1630 sum0 = ip0->checksum;
1631 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1633 dst_address /* changed member */);
1634 ip0->checksum = ip_csum_fold (sum0);
1636 if (PREDICT_FALSE(new_id0 != echo0->identifier))
1638 old_id0 = echo0->identifier;
1639 echo0->identifier = new_id0;
1641 sum0 = icmp0->checksum;
1642 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
1644 icmp0->checksum = ip_csum_fold (sum0);
1651 snat_out2in_fast_node_fn (vlib_main_t * vm,
1652 vlib_node_runtime_t * node,
1653 vlib_frame_t * frame)
1655 u32 n_left_from, * from, * to_next;
1656 snat_out2in_next_t next_index;
1657 u32 pkts_processed = 0;
1658 snat_main_t * sm = &snat_main;
1660 from = vlib_frame_vector_args (frame);
1661 n_left_from = frame->n_vectors;
1662 next_index = node->cached_next_index;
1664 while (n_left_from > 0)
1668 vlib_get_next_frame (vm, node, next_index,
1669 to_next, n_left_to_next);
1671 while (n_left_from > 0 && n_left_to_next > 0)
1675 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
1679 u32 new_addr0, old_addr0;
1680 u16 new_port0, old_port0;
1681 udp_header_t * udp0;
1682 tcp_header_t * tcp0;
1683 icmp46_header_t * icmp0;
1684 snat_session_key_t key0, sm0;
1688 /* speculatively enqueue b0 to the current next frame */
1694 n_left_to_next -= 1;
1696 b0 = vlib_get_buffer (vm, bi0);
1698 ip0 = vlib_buffer_get_current (b0);
1699 udp0 = ip4_next_header (ip0);
1700 tcp0 = (tcp_header_t *) udp0;
1701 icmp0 = (icmp46_header_t *) udp0;
1703 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1704 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1706 vnet_feature_next (sw_if_index0, &next0, b0);
1708 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1710 if (PREDICT_FALSE (proto0 == ~0))
1713 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1715 next0 = icmp_out2in_fast
1716 (sm, b0, ip0, icmp0, sw_if_index0, node, next0, rx_fib_index0);
1720 key0.addr = ip0->dst_address;
1721 key0.port = udp0->dst_port;
1722 key0.fib_index = rx_fib_index0;
1724 if (snat_static_mapping_match(sm, key0, &sm0, 1))
1726 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1730 new_addr0 = sm0.addr.as_u32;
1731 new_port0 = sm0.port;
1732 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1733 old_addr0 = ip0->dst_address.as_u32;
1734 ip0->dst_address.as_u32 = new_addr0;
1736 sum0 = ip0->checksum;
1737 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1739 dst_address /* changed member */);
1740 ip0->checksum = ip_csum_fold (sum0);
1742 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
1744 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1746 old_port0 = tcp0->dst_port;
1747 tcp0->dst_port = new_port0;
1749 sum0 = tcp0->checksum;
1750 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1752 dst_address /* changed member */);
1754 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1755 ip4_header_t /* cheat */,
1756 length /* changed member */);
1757 tcp0->checksum = ip_csum_fold(sum0);
1761 old_port0 = udp0->dst_port;
1762 udp0->dst_port = new_port0;
1768 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1770 sum0 = tcp0->checksum;
1771 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1773 dst_address /* changed member */);
1775 tcp0->checksum = ip_csum_fold(sum0);
1781 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1782 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1784 snat_out2in_trace_t *t =
1785 vlib_add_trace (vm, node, b0, sizeof (*t));
1786 t->sw_if_index = sw_if_index0;
1787 t->next_index = next0;
1790 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1792 /* verify speculative enqueue, maybe switch current next frame */
1793 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1794 to_next, n_left_to_next,
1798 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1801 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
1802 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1804 return frame->n_vectors;
1807 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
1808 .function = snat_out2in_fast_node_fn,
1809 .name = "snat-out2in-fast",
1810 .vector_size = sizeof (u32),
1811 .format_trace = format_snat_out2in_fast_trace,
1812 .type = VLIB_NODE_TYPE_INTERNAL,
1814 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1815 .error_strings = snat_out2in_error_strings,
1817 .runtime_data_bytes = sizeof (snat_runtime_t),
1819 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1821 /* edit / add dispositions here */
1823 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1824 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1825 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1828 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob