X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Fin2out.c;h=a453328c38fc475383675661caa6b88eaaf28125;hb=87233b51bc4d088ff566cef09a7c96f1f0dac078;hp=b0dbbc8fa11d0bfdf27541e63d01459145ae4470;hpb=cba6936c45bc3265ae695e8266bdefc65e7a5116;p=vpp.git
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c
index b0dbbc8fa11..a453328c38f 100755
--- a/src/plugins/nat/in2out.c
+++ b/src/plugins/nat/in2out.c
@@ -162,7 +162,7 @@ typedef enum {
 /**
 * @brief Check if packet should be translated
 *
- * Packets aimed at outside interface and external addresss with active session
+ * Packets aimed at outside interface and external address with active session
 * should be translated.
 *
 * @param sm NAT main
@@ -273,6 +273,7 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
 {
 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
+ nat_ipfix_logging_max_sessions(sm->max_translations);
 return SNAT_IN2OUT_NEXT_DROP;
 }
 
@@ -294,13 +295,6 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
 return SNAT_IN2OUT_NEXT_DROP;
 }
 
- s = nat_session_alloc_or_recycle (sm, u, thread_index);
- if (!s)
- {
- clib_warning ("create NAT session failed");
- return SNAT_IN2OUT_NEXT_DROP;
- }
-
 /* First try to match static mapping by local address and port */
 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0))
 {
@@ -319,9 +313,17 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
 else
 {
 u->nstaticsessions++;
- s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
 }
 
+ s = nat_session_alloc_or_recycle (sm, u, thread_index);
+ if (!s)
+ {
+ clib_warning ("create NAT session failed");
+ return SNAT_IN2OUT_NEXT_DROP;
+ }
+
+ if (address_index == ~0)
+ s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
 s->outside_address_index = address_index;
 s->in2out = *key0;
 s->out2in = key1;
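Review bot: The new `nat_ipfix_logging_max_sessions(sm->max_translations);` call sits on the per-packet drop path of the max-sessions check, so once the table is full every further new flow emits an IPFIX event; unless that helper throttles internally (its body is not in this diff), a burst of new flows — exactly what a session-exhaustion condition looks like — becomes a matching burst of export records toward the collector. The same call is added in the hunks at -1002 (snat_in2out_unknown_proto) and -1189 (snat_in2out_lb). Consider reporting the event once per transition into the exhausted state, or rate-limiting it, for example behind a per-thread flag cleared when a session is freed. slow_path starts outside this hunk.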
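Review bot: Moving `nat_session_alloc_or_recycle` below the static-mapping match means `u->nstaticsessions++` in the else branch — and presumably the per-user counter and outside address/port reserved in the dynamic branch between hunks -294 and -319, which is not shown — have already been applied when `if (!s)` returns SNAT_IN2OUT_NEXT_DROP, so a failed allocation now leaves the user's accounting incremented with no session behind it, whereas before the move the failure returned before any of that state was touched. Either roll the increment back on that path or keep the allocation ahead of the match. The new `if (address_index == ~0)` test also relies on address_index being initialised to ~0 earlier in slow_path (outside the hunk) and only being overwritten by the dynamic-allocation branch; a comment such as `/* no outside address was allocated: session belongs to a static mapping */` would make that coupling explicit.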
@@ -400,6 +402,53 @@ snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
 return -1; /* success */
 }
 
+static_always_inline int
+icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
+{
+ icmp46_header_t *icmp0;
+ nat_ed_ses_key_t key0;
+ icmp_echo_header_t *echo0, *inner_echo0 = 0;
+ ip4_header_t *inner_ip0 = 0;
+ void *l4_header = 0;
+ icmp46_header_t *inner_icmp0;
+
+ icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
+ echo0 = (icmp_echo_header_t *)(icmp0+1);
+
+ if (!icmp_is_error_message (icmp0))
+ {
+ key0.proto = IP_PROTOCOL_ICMP;
+ key0.l_addr = ip0->src_address;
+ key0.r_addr = ip0->dst_address;
+ key0.l_port = key0.r_port = echo0->identifier;
+ }
+ else
+ {
+ inner_ip0 = (ip4_header_t *)(echo0+1);
+ l4_header = ip4_next_header (inner_ip0);
+ key0.proto = inner_ip0->protocol;
+ key0.r_addr = inner_ip0->src_address;
+ key0.l_addr = inner_ip0->dst_address;
+ switch (ip_proto_to_snat_proto (inner_ip0->protocol))
+ {
+ case SNAT_PROTOCOL_ICMP:
+ inner_icmp0 = (icmp46_header_t*)l4_header;
+ inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
+ key0.r_port = key0.l_port = inner_echo0->identifier;
+ break;
+ case SNAT_PROTOCOL_UDP:
+ case SNAT_PROTOCOL_TCP:
+ key0.l_port = ((tcp_udp_header_t*)l4_header)->dst_port;
+ key0.r_port = ((tcp_udp_header_t*)l4_header)->src_port;
+ break;
+ default:
+ return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
+ }
+ }
+ *p_key0 = key0;
+ return 0;
+}
+
 /**
 * Get address and port values to be used for ICMP packet translation
 * and create session if needed
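Review bot: `key0` is declared uninitialised and then copied whole into `*p_key0`, so the caller's `key.as_u64[0] = 0; key.as_u64[1] = 0;` (hunk -480) is overwritten by the copy and any field or padding of nat_ed_ses_key_t that this function does not assign reaches the bihash key as indeterminate bytes, making the session lookup nondeterministic; clear the local first, `key0.as_u64[0] = key0.as_u64[1] = 0;`, or assign into `p_key0` directly. The error-message branch also dereferences `inner_ip0`, `inner_echo0` and the inner `tcp_udp_header_t` without checking that the packet actually carries those embedded header bytes, so a truncated ICMP error reads past the valid payload. The function only receives ip0, so a bound would have to come from the caller (the remaining buffer length); if the existing icmp_get_key above the hunk already validates this, mirror it here.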
@@ -480,8 +529,34 @@ u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
 goto out;
 }
 
- s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
- value0.value);
+ if (PREDICT_FALSE (value0.value == ~0ULL))
+ {
+ nat_ed_ses_key_t key;
+ clib_bihash_kv_16_8_t s_kv, s_value;
+
+ key.as_u64[0] = 0;
+ key.as_u64[1] = 0;
+ if (icmp_get_ed_key (ip0, &key))
+ {
+ b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
+ next0 = SNAT_IN2OUT_NEXT_DROP;
+ goto out;
+ }
+ key.fib_index = rx_fib_index0;
+ s_kv.key[0] = key.as_u64[0];
+ s_kv.key[1] = key.as_u64[1];
+ if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
+ s_value.value);
+ else
+ {
+ next0 = SNAT_IN2OUT_NEXT_DROP;
+ goto out;
+ }
+ }
+ else
+ s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
+ value0.value);
 }
 
 out:
@@ -1002,6 +1077,7 @@ snat_in2out_unknown_proto (snat_main_t *sm,
 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
 {
 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
+ nat_ipfix_logging_max_sessions(sm->max_translations);
 return 0;
 }
 
@@ -1189,6 +1265,7 @@ snat_in2out_lb (snat_main_t *sm,
 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
 {
 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
+ nat_ipfix_logging_max_sessions(sm->max_translations);
 return 0;
 }
 
@@ -1463,7 +1540,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
 {
 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0, thread_index, now, vm, node);
- if (!s0)
+ if (!s0 && !sm->forwarding_enabled)
 next0 = SNAT_IN2OUT_NEXT_DROP;
 goto trace00;
 }
@@ -1642,7 +1719,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
 {
 s1 = snat_in2out_lb(sm, b1, ip1, rx_fib_index1, thread_index, now, vm, node);
- if (!s1)
+ if (!s1 && !sm->forwarding_enabled)
 next1 = SNAT_IN2OUT_NEXT_DROP;
 goto trace01;
 }
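Review bot: The bihash-miss branch in the new block sets `next0 = SNAT_IN2OUT_NEXT_DROP; goto out;` without assigning `b0->error`, unlike the `icmp_get_ed_key` failure just above it, so these drops never show up in the node's error counters and a spike of unmatched ICMP on the endpoint-dependent path is indistinguishable from healthy traffic; assign the file's existing no-translation error there. The `value0.value == ~0ULL` sentinel that redirects the lookup to `sm->in2out_ed` is also undocumented — value0 presumably comes from the in2out lookup above the hunk — and a comment such as `/* ~0 marks an endpoint-dependent session: resolve it via in2out_ed */` would help, assuming that is what the sentinel means. icmp_match_in2out_slow starts outside this hunk.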
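Review bot: With `sm->forwarding_enabled` set, a NULL return from `snat_in2out_lb` no longer drops, yet that helper returns 0 both when no LB translation applies and when it failed — the max-sessions path in hunk -1189 sets `b->error` to SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED and returns 0 — so a packet whose session could not be created now continues with whatever next0 held before (presumably the ordinary forwarding next) while its buffer carries a drop error, i.e. session exhaustion degrades into untranslated forwarding rather than a hard failure, assuming the rest of snat_in2out_lb (outside the hunk) gives the caller no other signal. The same change appears in hunks -1642 and -1854. Distinguishing "no translation, forward" from "translation failed" — a separate out-parameter/return value, or at least checking `b0->error` before skipping the drop — would keep the two cases apart. snat_in2out_node_fn_inline starts and ends outside these hunks.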
@@ -1854,7 +1931,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
 {
 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0, thread_index, now, vm, node);
- if (!s0)
+ if (!s0 && !sm->forwarding_enabled)
 next0 = SNAT_IN2OUT_NEXT_DROP;
 goto trace0;
 }