SNAT_OUT2IN_NEXT_LOOKUP,
SNAT_OUT2IN_NEXT_ICMP_ERROR,
SNAT_OUT2IN_NEXT_REASS,
+ SNAT_OUT2IN_NEXT_IN2OUT,
SNAT_OUT2IN_N_NEXT,
} snat_out2in_next_t;
return 0;
}
+static int
+next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port,
+ u32 thread_index)
+{
+ snat_session_key_t key;
+ clib_bihash_kv_8_8_t kv, value;
+
+ key.addr = ip->src_address;
+ key.port = src_port;
+ key.protocol = proto;
+ key.fib_index = sm->inside_fib_index;
+ kv.key = key.as_u64;
+
+ if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv,
+ &value))
+ return 1;
+
+ return 0;
+}
+
+static void
+create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
+{
+ nat_ed_ses_key_t key;
+ clib_bihash_kv_16_8_t kv;
+ udp_header_t *udp;
+
+ if (ip->protocol == IP_PROTOCOL_ICMP)
+ {
+ if (icmp_get_ed_key (ip, &key))
+ return;
+ }
+ else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
+ {
+ udp = ip4_next_header(ip);
+ key.r_addr = ip->src_address;
+ key.l_addr = ip->dst_address;
+ key.proto = ip->protocol;
+ key.l_port = udp->dst_port;
+ key.r_port = udp->src_port;
+ }
+ else
+ {
+ key.r_addr = ip->src_address;
+ key.l_addr = ip->dst_address;
+ key.proto = ip->protocol;
+ key.l_port = key.r_port = 0;
+ }
+ key.fib_index = 0;
+ kv.key[0] = key.as_u64[0];
+ kv.key[1] = key.as_u64[1];
+ kv.value = ~0ULL;
+
+ if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
+ clib_warning ("in2out_ed key add failed");
+}
+
/**
* Get address and port values to be used for ICMP packet translation
* and create session if needed
else
{
dont_translate = 1;
+ if (next_src_nat(sm, ip0, key0.protocol, key0.port, thread_index))
+ {
+ next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+ goto out;
+ }
+ create_bypass_for_fwd(sm, ip0);
goto out;
}
}
dst_address /* changed member */);
ip0->checksum = ip_csum_fold (sum0);
+ if (icmp0->checksum == 0)
+ icmp0->checksum = 0xffff;
+
if (!icmp_is_error_message (icmp0))
{
new_id0 = sm0.port;
{
s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
thread_index, now, vm, node);
- if (!s0)
- next0 = SNAT_OUT2IN_NEXT_DROP;
+ if (!sm->forwarding_enabled)
+ if (!s0)
+ next0 = SNAT_OUT2IN_NEXT_DROP;
goto trace0;
}
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (proto0 != SNAT_PROTOCOL_UDP
+ if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
|| (udp0->dst_port
- != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
next0 = SNAT_OUT2IN_NEXT_DROP;
+ else
+ vnet_feature_next
+ (vnet_buffer (b0)->sw_if_index[VLIB_RX],
+ &next0, b0);
goto trace0;
}
else
- goto trace0;
+ {
+ if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
+ {
+ next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+ goto trace0;
+ }
+ create_bypass_for_fwd(sm, ip0);
+ goto trace0;
+ }
}
/* Create session initiated by host from external network */
{
s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
thread_index, now, vm, node);
- if (!s1)
- next1 = SNAT_OUT2IN_NEXT_DROP;
+ if (!sm->forwarding_enabled)
+ if (!s1)
+ next1 = SNAT_OUT2IN_NEXT_DROP;
goto trace1;
}
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (proto1 != SNAT_PROTOCOL_UDP
+ if (PREDICT_TRUE (proto1 != SNAT_PROTOCOL_UDP
|| (udp1->dst_port
- != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
next1 = SNAT_OUT2IN_NEXT_DROP;
+ else
+ vnet_feature_next
+ (vnet_buffer (b1)->sw_if_index[VLIB_RX],
+ &next1, b1);
goto trace1;
}
else
- goto trace1;
+ {
+ if (next_src_nat(sm, ip1, proto1, udp1->src_port, thread_index))
+ {
+ next1 = SNAT_OUT2IN_NEXT_IN2OUT;
+ goto trace1;
+ }
+ create_bypass_for_fwd(sm, ip1);
+ goto trace1;
+ }
}
/* Create session initiated by host from external network */
{
s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
thread_index, now, vm, node);
- if (!s0)
- next0 = SNAT_OUT2IN_NEXT_DROP;
+ if (!sm->forwarding_enabled)
+ if (!s0)
+ next0 = SNAT_OUT2IN_NEXT_DROP;
goto trace00;
}
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (proto0 != SNAT_PROTOCOL_UDP
+ if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
|| (udp0->dst_port
- != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
next0 = SNAT_OUT2IN_NEXT_DROP;
+ else
+ vnet_feature_next
+ (vnet_buffer (b0)->sw_if_index[VLIB_RX],
+ &next0, b0);
goto trace00;
}
else
- goto trace00;
+ {
+ if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
+ {
+ next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+ goto trace00;
+ }
+ create_bypass_for_fwd(sm, ip0);
+ goto trace00;
+ }
}
/* Create session initiated by host from external network */
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
[SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+ [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
},
};
VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (proto0 != SNAT_PROTOCOL_UDP
+ if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
|| (udp0->dst_port
- != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
+ != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
next0 = SNAT_OUT2IN_NEXT_DROP;
+ else
+ vnet_feature_next
+ (vnet_buffer (b0)->sw_if_index[VLIB_RX],
+ &next0, b0);
goto trace0;
}
else
- goto trace0;
+ {
+ if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
+ {
+ next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+ goto trace0;
+ }
+ create_bypass_for_fwd(sm, ip0);
+ goto trace0;
+ }
}
/* Create session initiated by host from external network */
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
[SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+ [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
},
};
VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
[SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+ [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
},
};
VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
[SNAT_OUT2IN_NEXT_DROP] = "error-drop",
[SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
[SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+ [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
},
};
VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blobdiff