NAT: TCP MSS clamping

[vpp.git] / src / plugins / nat / nat64_in2out.c

diff --git a/src/plugins/nat/nat64_in2out.c b/src/plugins/nat/nat64_in2out.c
index 9f77ca3..e843fcf 100644 (file)
--- a/src/plugins/nat/nat64_in2out.c
+++ b/src/plugins/nat/nat64_in2out.c
@@ -19,6 +19,7 @@
 
 #include <nat/nat64.h>
 #include <nat/nat_reass.h>
+#include <nat/nat_inlines.h>
 #include <vnet/ip/ip6_to_ip4.h>
 #include <vnet/fib/fib_table.h>
 
@@ -115,6 +116,26 @@ typedef struct nat64_in2out_set_ctx_t_
   u32 thread_index;
 } nat64_in2out_set_ctx_t;
 
+static inline u8
+nat64_not_translate (u32 sw_if_index, ip6_address_t ip6_addr)
+{
+  ip6_address_t *addr;
+  ip6_main_t *im6 = &ip6_main;
+  ip_lookup_main_t *lm6 = &im6->lookup_main;
+  ip_interface_address_t *ia = 0;
+
+  /* *INDENT-OFF* */
+  foreach_ip_interface_address (lm6, ia, sw_if_index, 0,
+  ({
+       addr = ip_interface_address_get_address (lm6, ia);
+       if (0 == ip6_address_compare (addr, &ip6_addr))
+               return 1;
+  }));
+  /* *INDENT-ON* */
+
+  return 0;
+}
+
 /**
  * @brief Check whether is a hairpinning.
  *
@@ -190,8 +211,7 @@ nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
 
          bibe =
            nat64_db_bib_entry_create (db, &ip6->src_address, &out_addr,
-                                      sport, clib_host_to_net_u16 (out_port),
-                                      fib_index, proto, 0);
+                                      sport, out_port, fib_index, proto, 0);
          if (!bibe)
            return -1;
        }
@@ -204,8 +224,6 @@ nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
        return -1;
     }
 
-  nat64_session_reset_timeout (ste, ctx->vm);
-
   ip4->src_address.as_u32 = bibe->out_addr.as_u32;
   udp->src_port = bibe->out_port;
 
@@ -217,12 +235,16 @@ nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
       ip_csum_t csum;
       tcp_header_t *tcp = ip6_next_header (ip6);
 
+      nat64_tcp_session_set_state (ste, tcp, 1);
       checksum = &tcp->checksum;
       csum = ip_csum_sub_even (*checksum, sport);
       csum = ip_csum_add_even (csum, udp->src_port);
+      mss_clamping (nm->sm, tcp, &csum);
       *checksum = ip_csum_fold (csum);
     }
 
+  nat64_session_reset_timeout (ste, ctx->vm);
+
   return 0;
 }
 
@@ -279,8 +301,7 @@ nat64_in2out_icmp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4, void *arg)
 
              bibe =
                nat64_db_bib_entry_create (db, &ip6->src_address,
-                                          &out_addr, in_id,
-                                          clib_host_to_net_u16 (out_id),
+                                          &out_addr, in_id, out_id,
                                           fib_index, IP_PROTOCOL_ICMP, 0);
              if (!bibe)
                return -1;
@@ -604,8 +625,7 @@ nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
 
          bibe =
            nat64_db_bib_entry_create (db, &ip6->src_address, &out_addr,
-                                      sport, clib_host_to_net_u16 (out_port),
-                                      fib_index, proto, 0);
+                                      sport, out_port, fib_index, proto, 0);
          if (!bibe)
            return -1;
        }
@@ -618,6 +638,9 @@ nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
        return -1;
     }
 
+  if (proto == IP_PROTOCOL_TCP)
+    nat64_tcp_session_set_state (ste, tcp, 1);
+
   nat64_session_reset_timeout (ste, vm);
 
   sport = udp->src_port = bibe->out_port;
@@ -904,7 +927,7 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
   nat64_in2out_next_t next_index;
   u32 pkts_processed = 0;
   u32 stats_node_index;
-  u32 thread_index = vlib_get_thread_index ();
+  u32 thread_index = vm->thread_index;
 
   stats_node_index =
     is_slow_path ? nat64_in2out_slowpath_node.index : nat64_in2out_node.index;
@@ -929,6 +952,7 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
          u8 l4_protocol0;
          u32 proto0;
          nat64_in2out_set_ctx_t ctx0;
+         u32 sw_if_index0;
 
          /* speculatively enqueue b0 to the current next frame */
          bi0 = from[0];
@@ -957,6 +981,14 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              goto trace0;
            }
 
+         sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
+
+         if (nat64_not_translate (sw_if_index0, ip60->dst_address))
+           {
+             next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
+             goto trace0;
+           }
+
          proto0 = ip_proto_to_snat_proto (l4_protocol0);
 
          if (is_slow_path)
@@ -1176,6 +1208,7 @@ nat64_in2out_frag_set_cb (ip6_header_t * ip6, ip4_header_t * ip4, void *arg)
          ip_csum_t csum;
          tcp_header_t *tcp = (tcp_header_t *) udp;
 
+         nat64_tcp_session_set_state (ste, tcp, 1);
          checksum = &tcp->checksum;
          csum = ip_csum_sub_even (*checksum, tcp->src_port);
          csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[0]);
@@ -1236,6 +1269,9 @@ nat64_in2out_frag_hairpinning (vlib_buffer_t * b, ip6_header_t * ip6,
   if (!bibe)
     return -1;
 
+  if (ctx->proto == IP_PROTOCOL_TCP)
+    nat64_tcp_session_set_state (ste, tcp, 1);
+
   nat64_session_reset_timeout (ste, ctx->vm);
 
   sport = bibe->out_port;
@@ -1289,7 +1325,7 @@ nat64_in2out_reass_node_fn (vlib_main_t * vm,
   u32 *fragments_to_drop = 0;
   u32 *fragments_to_loopback = 0;
   nat64_main_t *nm = &nat64_main;
-  u32 thread_index = vlib_get_thread_index ();
+  u32 thread_index = vm->thread_index;
 
   from = vlib_frame_vector_args (frame);
   n_left_from = frame->n_vectors;
@@ -1389,7 +1425,8 @@ nat64_in2out_reass_node_fn (vlib_main_t * vm,
              ctx0.first_frag = 0;
              if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
                {
-                 if (nat_ip6_reass_add_fragment (reass0, bi0))
+                 if (nat_ip6_reass_add_fragment
+                     (reass0, bi0, &fragments_to_drop))
                    {
                      b0->error = node->errors[NAT64_IN2OUT_ERROR_MAX_FRAG];
                      next0 = NAT64_IN2OUT_NEXT_DROP;
@@ -1435,8 +1472,7 @@ nat64_in2out_reass_node_fn (vlib_main_t * vm,
                        nat64_db_bib_entry_create (db,
                                                   &ip60->src_address,
                                                   &out_addr0, udp0->src_port,
-                                                  clib_host_to_net_u16
-                                                  (out_port0), fib_index0,
+                                                  out_port0, fib_index0,
                                                   l4_protocol0, 0);
                      if (!bibe0)
                        {
@@ -1618,7 +1654,7 @@ nat64_in2out_handoff_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
   u32 n_left_to_next_worker = 0, *to_next_worker = 0;
   u32 next_worker_index = 0;
   u32 current_worker_index = ~0;
-  u32 thread_index = vlib_get_thread_index ();
+  u32 thread_index = vm->thread_index;
   u32 fq_index;
   u32 to_node_index;
 
@@ -1692,6 +1728,8 @@ nat64_in2out_handoff_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
              current_worker_index = next_worker_index;
            }
 
+         ASSERT (to_next_worker != 0);
+
          /* enqueue to correct worker thread */
          to_next_worker[0] = bi0;
          to_next_worker++;