snat_session_key_t in2out,
snat_session_key_t out2in,
vlib_node_runtime_t * node,
- u32 cpu_index)
+ u32 thread_index)
{
snat_user_t *u;
snat_user_key_t user_key;
if (clib_bihash_search_8_8 (&sm->user_hash, &kv0, &value0))
{
/* no, make a new one */
- pool_get (sm->per_thread_data[cpu_index].users, u);
+ pool_get (sm->per_thread_data[thread_index].users, u);
memset (u, 0, sizeof (*u));
u->addr = in2out.addr;
u->fib_index = in2out.fib_index;
- pool_get (sm->per_thread_data[cpu_index].list_pool,
+ pool_get (sm->per_thread_data[thread_index].list_pool,
per_user_list_head_elt);
u->sessions_per_user_list_head_index = per_user_list_head_elt -
- sm->per_thread_data[cpu_index].list_pool;
+ sm->per_thread_data[thread_index].list_pool;
- clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
u->sessions_per_user_list_head_index);
- kv0.value = u - sm->per_thread_data[cpu_index].users;
+ kv0.value = u - sm->per_thread_data[thread_index].users;
/* add user */
clib_bihash_add_del_8_8 (&sm->user_hash, &kv0, 1 /* is_add */);
/* add non-traslated packets worker lookup */
- kv0.value = cpu_index;
+ kv0.value = thread_index;
clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv0, 1);
}
else
{
- u = pool_elt_at_index (sm->per_thread_data[cpu_index].users,
+ u = pool_elt_at_index (sm->per_thread_data[thread_index].users,
value0.value);
}
- pool_get (sm->per_thread_data[cpu_index].sessions, s);
+ pool_get (sm->per_thread_data[thread_index].sessions, s);
memset (s, 0, sizeof (*s));
s->outside_address_index = ~0;
u->nstaticsessions++;
/* Create list elts */
- pool_get (sm->per_thread_data[cpu_index].list_pool,
+ pool_get (sm->per_thread_data[thread_index].list_pool,
per_user_translation_list_elt);
- clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
per_user_translation_list_elt -
- sm->per_thread_data[cpu_index].list_pool);
+ sm->per_thread_data[thread_index].list_pool);
per_user_translation_list_elt->value =
- s - sm->per_thread_data[cpu_index].sessions;
+ s - sm->per_thread_data[thread_index].sessions;
s->per_user_index =
- per_user_translation_list_elt - sm->per_thread_data[cpu_index].list_pool;
+ per_user_translation_list_elt - sm->per_thread_data[thread_index].list_pool;
s->per_user_list_head_index = u->sessions_per_user_list_head_index;
- clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
s->per_user_list_head_index,
per_user_translation_list_elt -
- sm->per_thread_data[cpu_index].list_pool);
+ sm->per_thread_data[thread_index].list_pool);
s->in2out = in2out;
s->out2in = out2in;
/* Add to translation hashes */
kv0.key = s->in2out.as_u64;
- kv0.value = s - sm->per_thread_data[cpu_index].sessions;
+ kv0.value = s - sm->per_thread_data[thread_index].sessions;
if (clib_bihash_add_del_8_8 (&sm->in2out, &kv0, 1 /* is_add */))
clib_warning ("in2out key add failed");
kv0.key = s->out2in.as_u64;
- kv0.value = s - sm->per_thread_data[cpu_index].sessions;
+ kv0.value = s - sm->per_thread_data[thread_index].sessions;
if (clib_bihash_add_del_8_8 (&sm->out2in, &kv0, 1 /* is_add */))
clib_warning ("out2in key add failed");
}
static_always_inline
-snat_out2in_error_t icmp_get_key(icmp46_header_t *icmp0,
+snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
snat_session_key_t *p_key0)
{
+ icmp46_header_t *icmp0;
snat_session_key_t key0;
icmp_echo_header_t *echo0, *inner_echo0 = 0;
ip4_header_t *inner_ip0;
void *l4_header = 0;
icmp46_header_t *inner_icmp0;
+ icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
echo0 = (icmp_echo_header_t *)(icmp0+1);
if (!icmp_is_error_message (icmp0))
{
key0.protocol = SNAT_PROTOCOL_ICMP;
+ key0.addr = ip0->dst_address;
key0.port = echo0->identifier;
}
else
inner_ip0 = (ip4_header_t *)(echo0+1);
l4_header = ip4_next_header (inner_ip0);
key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
+ key0.addr = inner_ip0->src_address;
switch (key0.protocol)
{
case SNAT_PROTOCOL_ICMP:
return -1; /* success */
}
-static_always_inline u8
-is_interface_addr(snat_main_t *sm, vlib_node_runtime_t *node, u32 sw_if_index0,
- u32 ip4_addr)
-{
- snat_runtime_t *rt = (snat_runtime_t *) node->runtime_data;
- ip4_address_t * first_int_addr;
-
- if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
- {
- first_int_addr =
- ip4_interface_first_address (sm->ip4_main, sw_if_index0,
- 0 /* just want the address */);
- rt->cached_sw_if_index = sw_if_index0;
- if (first_int_addr)
- rt->cached_ip4_address = first_int_addr->as_u32;
- else
- rt->cached_ip4_address = 0;
- }
-
- if (PREDICT_FALSE(ip4_addr == rt->cached_ip4_address))
- return 1;
- else
- return 0;
-}
-
/**
* Get address and port values to be used for packet SNAT translation
* and create session if needed
*
* @param[in,out] sm SNAT main
* @param[in,out] node SNAT node runtime
- * @param[in] cpu_index CPU index
+ * @param[in] thread_index thread index
* @param[in,out] b0 buffer containing packet to be translated
- * @param[out] p_key address and port before NAT translation
+ * @param[out] p_proto protocol used for matching
* @param[out] p_value address and port after NAT translation
* @param[out] p_dont_translate if packet should not be translated
* @param d optional parameter
*/
u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
- u32 cpu_index, vlib_buffer_t *b0,
- snat_session_key_t *p_key,
+ u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
snat_session_key_t *p_value,
u8 *p_dont_translate, void *d)
{
sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
- err = icmp_get_key (icmp0, &key0);
+ err = icmp_get_key (ip0, &key0);
if (err != -1)
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
next0 = SNAT_OUT2IN_NEXT_DROP;
goto out;
}
- key0.addr = ip0->dst_address;
key0.fib_index = rx_fib_index0;
kv0.key = key0.as_u64;
if (snat_static_mapping_match(sm, key0, &sm0, 1))
{
/* Don't NAT packet aimed at the intfc address */
- if (is_interface_addr(sm, node, sw_if_index0,
- ip0->dst_address.as_u32))
+ if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
+ ip0->dst_address.as_u32)))
{
dont_translate = 1;
goto out;
/* Create session initiated by host from external network */
s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
- node, cpu_index);
+ node, thread_index);
if (!s0)
{
}
}
else
- s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
value0.value);
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
+ !icmp_is_error_message (icmp0)))
+ {
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto out;
+ }
+
out:
- *p_key = key0;
+ *p_proto = key0.protocol;
if (s0)
*p_value = s0->in2out;
*p_dont_translate = dont_translate;
*
* @param[in] sm SNAT main
* @param[in,out] node SNAT node runtime
- * @param[in] cpu_index CPU index
+ * @param[in] thread_index thread index
* @param[in,out] b0 buffer containing packet to be translated
- * @param[out] p_key address and port before NAT translation
+ * @param[out] p_proto protocol used for matching
* @param[out] p_value address and port after NAT translation
* @param[out] p_dont_translate if packet should not be translated
* @param d optional parameter
*/
u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
- u32 cpu_index, vlib_buffer_t *b0,
- snat_session_key_t *p_key,
+ u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
snat_session_key_t *p_value,
u8 *p_dont_translate, void *d)
{
sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
- err = icmp_get_key (icmp0, &key0);
+ err = icmp_get_key (ip0, &key0);
if (err != -1)
{
b0->error = node->errors[err];
next0 = SNAT_OUT2IN_NEXT_DROP;
goto out2;
}
- key0.addr = ip0->dst_address;
key0.fib_index = rx_fib_index0;
if (snat_static_mapping_match(sm, key0, &sm0, 1))
goto out;
}
+ if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
+ !icmp_is_error_message (icmp0)))
+ {
+ if (icmp0->type != ICMP4_echo_request || key0.port != sm0.port)
+ {
+ b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto out;
+ }
+ }
+
out:
*p_value = sm0;
out2:
- *p_key = key0;
+ *p_proto = key0.protocol;
*p_dont_translate = dont_translate;
return next0;
}
u32 rx_fib_index0,
vlib_node_runtime_t * node,
u32 next0,
- u32 cpu_index,
+ u32 thread_index,
void *d)
{
- snat_session_key_t key0, sm0;
+ snat_session_key_t sm0;
+ u8 protocol;
icmp_echo_header_t *echo0, *inner_echo0 = 0;
ip4_header_t *inner_ip0 = 0;
void *l4_header = 0;
echo0 = (icmp_echo_header_t *)(icmp0+1);
- next0_tmp = sm->icmp_match_out2in_cb(sm, node, cpu_index, b0,
- &key0, &sm0, &dont_translate, d);
+ next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0,
+ &protocol, &sm0, &dont_translate, d);
if (next0_tmp != ~0)
next0 = next0_tmp;
if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
goto out;
- if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
- !icmp_is_error_message (icmp0)))
- {
- b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
- next0 = SNAT_OUT2IN_NEXT_DROP;
- goto out;
- }
-
sum0 = ip_incremental_checksum (0, icmp0,
ntohs(ip0->length) - ip4_header_bytes (ip0));
checksum0 = ~ip_csum_fold (sum0);
src_address /* changed member */);
icmp0->checksum = ip_csum_fold (sum0);
- switch (key0.protocol)
+ switch (protocol)
{
case SNAT_PROTOCOL_ICMP:
inner_icmp0 = (icmp46_header_t*)l4_header;
u32 rx_fib_index0,
vlib_node_runtime_t * node,
u32 next0, f64 now,
- u32 cpu_index,
+ u32 thread_index,
snat_session_t ** p_s0)
{
next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, cpu_index, p_s0);
+ next0, thread_index, p_s0);
snat_session_t * s0 = *p_s0;
if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
{
/* Per-user LRU list maintenance for dynamic translation */
if (!snat_is_session_static (s0))
{
- clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
s0->per_user_index);
- clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
s0->per_user_list_head_index,
s0->per_user_index);
}
u32 pkts_processed = 0;
snat_main_t * sm = &snat_main;
f64 now = vlib_time_now (vm);
- u32 cpu_index = os_get_cpu_number ();
+ u32 thread_index = vlib_get_thread_index ();
from = vlib_frame_vector_args (frame);
n_left_from = frame->n_vectors;
rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
sw_if_index0);
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- if (PREDICT_FALSE (proto0 == ~0))
- goto trace0;
-
if (PREDICT_FALSE(ip0->ttl == 1))
{
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
goto trace0;
}
+ proto0 = ip_proto_to_snat_proto (ip0->protocol);
+
+ if (PREDICT_FALSE (proto0 == ~0))
+ goto trace0;
+
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = icmp_out2in_slow_path
(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, cpu_index, &s0);
+ next0, now, thread_index, &s0);
goto trace0;
}
/* Create session initiated by host from external network */
s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
- cpu_index);
+ thread_index);
if (!s0)
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
}
}
else
- s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
value0.value);
old_addr0 = ip0->dst_address.as_u32;
/* Per-user LRU list maintenance for dynamic translation */
if (!snat_is_session_static (s0))
{
- clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
s0->per_user_index);
- clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
s0->per_user_list_head_index,
s0->per_user_index);
}
t->next_index = next0;
t->session_index = ~0;
if (s0)
- t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
+ t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
}
pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
sw_if_index1);
- proto1 = ip_proto_to_snat_proto (ip1->protocol);
-
- if (PREDICT_FALSE (proto1 == ~0))
- goto trace1;
-
- if (PREDICT_FALSE(ip0->ttl == 1))
+ if (PREDICT_FALSE(ip1->ttl == 1))
{
vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
ICMP4_time_exceeded_ttl_exceeded_in_transit,
0);
- next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
goto trace1;
}
+ proto1 = ip_proto_to_snat_proto (ip1->protocol);
+
+ if (PREDICT_FALSE (proto1 == ~0))
+ goto trace1;
+
if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
{
next1 = icmp_out2in_slow_path
(sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
- next1, now, cpu_index, &s1);
+ next1, now, thread_index, &s1);
goto trace1;
}
/* Create session initiated by host from external network */
s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
- cpu_index);
+ thread_index);
if (!s1)
{
b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
}
}
else
- s1 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
+ s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
value1.value);
old_addr1 = ip1->dst_address.as_u32;
/* Per-user LRU list maintenance for dynamic translation */
if (!snat_is_session_static (s1))
{
- clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
s1->per_user_index);
- clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
s1->per_user_list_head_index,
s1->per_user_index);
}
t->next_index = next1;
t->session_index = ~0;
if (s1)
- t->session_index = s1 - sm->per_thread_data[cpu_index].sessions;
+ t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
}
pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
{
next0 = icmp_out2in_slow_path
(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, cpu_index, &s0);
+ next0, now, thread_index, &s0);
goto trace00;
}
/* Create session initiated by host from external network */
s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
- cpu_index);
+ thread_index);
if (!s0)
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
}
}
else
- s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
value0.value);
old_addr0 = ip0->dst_address.as_u32;
/* Per-user LRU list maintenance for dynamic translation */
if (!snat_is_session_static (s0))
{
- clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
s0->per_user_index);
- clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
+ clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
s0->per_user_list_head_index,
s0->per_user_index);
}
t->next_index = next0;
t->session_index = ~0;
if (s0)
- t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
+ t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
}
pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
+ if (PREDICT_FALSE(ip0->ttl == 1))
+ {
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace0;
+ }
+
key0.ext_host_addr = ip0->src_address;
key0.ext_host_port = tcp0->src;
key0.out_port = tcp0->dst;
sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
+ if (PREDICT_FALSE(ip1->ttl == 1))
+ {
+ vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace1;
+ }
+
key1.ext_host_addr = ip1->src_address;
key1.ext_host_port = tcp1->src;
key1.out_port = tcp1->dst;
sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
+ if (PREDICT_FALSE(ip0->ttl == 1))
+ {
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace00;
+ }
+
key0.ext_host_addr = ip0->src_address;
key0.ext_host_port = tcp0->src;
key0.out_port = tcp0->dst;
.runtime_data_bytes = sizeof (snat_runtime_t),
- .n_next_nodes = 2,
+ .n_next_nodes = SNAT_OUT2IN_N_NEXT,
/* edit / add dispositions here */
.next_nodes = {
[SNAT_OUT2IN_NEXT_DROP] = "error-drop",
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
+ [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
},
};
VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
u32 n_left_to_next_worker = 0, *to_next_worker = 0;
u32 next_worker_index = 0;
u32 current_worker_index = ~0;
- u32 cpu_index = os_get_cpu_number ();
+ u32 thread_index = vlib_get_thread_index ();
ASSERT (vec_len (sm->workers));
next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
- if (PREDICT_FALSE (next_worker_index != cpu_index))
+ if (PREDICT_FALSE (next_worker_index != thread_index))
{
do_handoff = 1;
vnet_feature_next (sw_if_index0, &next0, b0);
+ if (PREDICT_FALSE(ip0->ttl == 1))
+ {
+ vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
+ ICMP4_time_exceeded_ttl_exceeded_in_transit,
+ 0);
+ next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
+ goto trace00;
+ }
+
proto0 = ip_proto_to_snat_proto (ip0->protocol);
if (PREDICT_FALSE (proto0 == ~0))
Code Review / vpp.git / blobdiff