X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Fnat_inlines.h;h=e3a6f1942f75b7734109d29d5cc96095cdc0cadd;hb=5c2f96436afd0cef13797f764474a54f464d7916;hp=8922c05c39307598b272b7635c2548e1606e3d04;hpb=bb4e022502dd7f76d4f1cd705a7bac628d8c098c;p=vpp.git diff --git a/src/plugins/nat/nat_inlines.h b/src/plugins/nat/nat_inlines.h index 8922c05c393..e3a6f1942f7 100644 --- a/src/plugins/nat/nat_inlines.h +++ b/src/plugins/nat/nat_inlines.h @@ -19,7 +19,9 @@ #ifndef __included_nat_inlines_h__ #define __included_nat_inlines_h__ +#include #include +#include always_inline u32 ip_proto_to_snat_proto (u8 ip_proto) @@ -120,7 +122,8 @@ nat_send_all_to_node (vlib_main_t * vm, u32 * bi_vector, to_next += 1; n_left_to_next -= 1; vlib_buffer_t *p0 = vlib_get_buffer (vm, bi0); - p0->error = *error; + if (error) + p0->error = *error; vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, next); } @@ -157,6 +160,8 @@ nat44_delete_user_with_no_session (snat_main_t * sm, snat_user_t * u, pool_put_index (tsm->list_pool, u->sessions_per_user_list_head_index); pool_put (tsm->users, u); clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 0); + vlib_set_simple_counter (&sm->total_users, thread_index, 0, + pool_elts (tsm->users)); } } @@ -170,11 +175,11 @@ nat44_delete_session (snat_main_t * sm, snat_session_t * ses, snat_user_key_t u_key; snat_user_t *u; - nat_log_debug ("session deleted %U", format_snat_session, tsm, ses); - clib_dlist_remove (tsm->list_pool, ses->per_user_index); pool_put_index (tsm->list_pool, ses->per_user_index); pool_put (tsm->sessions, ses); + vlib_set_simple_counter (&sm->total_sessions, thread_index, 0, + pool_elts (tsm->sessions)); u_key.addr = ses->in2out.addr; u_key.fib_index = ses->in2out.fib_index; @@ -198,6 +203,10 @@ always_inline int nat44_set_tcp_session_state_i2o (snat_main_t * sm, snat_session_t * ses, tcp_header_t * tcp, u32 thread_index) { + if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST)) + ses->state = NAT44_SES_RST; + if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST)) + ses->state = 0; if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) && (ses->state & NAT44_SES_O2I_SYN)) ses->state = 0; @@ -213,11 +222,10 @@ nat44_set_tcp_session_state_i2o (snat_main_t * sm, snat_session_t * ses, if (clib_net_to_host_u32 (tcp->ack_number) > ses->o2i_fin_seq) ses->state |= NAT44_SES_O2I_FIN_ACK; } - if (nat44_is_ses_closed (ses)) + if (nat44_is_ses_closed (ses) + && !(ses->flags & SNAT_SESSION_FLAG_OUTPUT_FEATURE)) { - nat_log_debug ("TCP close connection %U", format_snat_session, - &sm->per_thread_data[thread_index], ses); - nat_free_session_data (sm, ses, thread_index); + nat_free_session_data (sm, ses, thread_index, 0); nat44_delete_session (sm, ses, thread_index); return 1; } @@ -228,6 +236,10 @@ always_inline int nat44_set_tcp_session_state_o2i (snat_main_t * sm, snat_session_t * ses, tcp_header_t * tcp, u32 thread_index) { + if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST)) + ses->state = NAT44_SES_RST; + if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST)) + ses->state = 0; if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) && (ses->state & NAT44_SES_O2I_SYN)) ses->state = 0; @@ -245,9 +257,7 @@ nat44_set_tcp_session_state_o2i (snat_main_t * sm, snat_session_t * ses, } if (nat44_is_ses_closed (ses)) { - nat_log_debug ("TCP close connection %U", format_snat_session, - &sm->per_thread_data[thread_index], ses); - nat_free_session_data (sm, ses, thread_index); + nat_free_session_data (sm, ses, thread_index, 0); nat44_delete_session (sm, ses, thread_index); return 1; } @@ -278,11 +288,16 @@ nat44_session_get_timeout (snat_main_t * sm, snat_session_t * s) } always_inline void -nat44_session_update_counters (snat_session_t * s, f64 now, uword bytes) +nat44_session_update_counters (snat_session_t * s, f64 now, uword bytes, + u32 thread_index) { s->last_heard = now; s->total_pkts++; s->total_bytes += bytes; + nat_ha_sref (&s->out2in.addr, s->out2in.port, &s->ext_host_addr, + s->ext_host_port, s->out2in.protocol, s->out2in.fib_index, + s->total_pkts, s->total_bytes, thread_index, + &s->ha_last_refreshed, now); } /** \brief Per-user LRU list maintenance */ @@ -328,6 +343,105 @@ make_sm_kv (clib_bihash_kv_8_8_t * kv, ip4_address_t * addr, u8 proto, kv->value = ~0ULL; } +static_always_inline int +get_icmp_i2o_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0) +{ + icmp46_header_t *icmp0; + nat_ed_ses_key_t key0; + icmp_echo_header_t *echo0, *inner_echo0 = 0; + ip4_header_t *inner_ip0 = 0; + void *l4_header = 0; + icmp46_header_t *inner_icmp0; + + icmp0 = (icmp46_header_t *) ip4_next_header (ip0); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); + + if (!icmp_is_error_message (icmp0)) + { + key0.proto = IP_PROTOCOL_ICMP; + key0.l_addr = ip0->src_address; + key0.r_addr = ip0->dst_address; + key0.l_port = echo0->identifier; + key0.r_port = 0; + } + else + { + inner_ip0 = (ip4_header_t *) (echo0 + 1); + l4_header = ip4_next_header (inner_ip0); + key0.proto = inner_ip0->protocol; + key0.r_addr = inner_ip0->src_address; + key0.l_addr = inner_ip0->dst_address; + switch (ip_proto_to_snat_proto (inner_ip0->protocol)) + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + key0.r_port = 0; + key0.l_port = inner_echo0->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + key0.l_port = ((tcp_udp_header_t *) l4_header)->dst_port; + key0.r_port = ((tcp_udp_header_t *) l4_header)->src_port; + break; + default: + return NAT_IN2OUT_ED_ERROR_UNSUPPORTED_PROTOCOL; + } + } + *p_key0 = key0; + return 0; +} + + +static_always_inline int +get_icmp_o2i_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0) +{ + icmp46_header_t *icmp0; + nat_ed_ses_key_t key0; + icmp_echo_header_t *echo0, *inner_echo0 = 0; + ip4_header_t *inner_ip0; + void *l4_header = 0; + icmp46_header_t *inner_icmp0; + + icmp0 = (icmp46_header_t *) ip4_next_header (ip0); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); + + if (!icmp_is_error_message (icmp0)) + { + key0.proto = IP_PROTOCOL_ICMP; + key0.l_addr = ip0->dst_address; + key0.r_addr = ip0->src_address; + key0.l_port = echo0->identifier; + key0.r_port = 0; + } + else + { + inner_ip0 = (ip4_header_t *) (echo0 + 1); + l4_header = ip4_next_header (inner_ip0); + key0.proto = inner_ip0->protocol; + key0.l_addr = inner_ip0->src_address; + key0.r_addr = inner_ip0->dst_address; + switch (ip_proto_to_snat_proto (inner_ip0->protocol)) + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + key0.l_port = inner_echo0->identifier; + key0.r_port = 0; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + key0.l_port = ((tcp_udp_header_t *) l4_header)->src_port; + key0.r_port = ((tcp_udp_header_t *) l4_header)->dst_port; + break; + default: + return -1; + } + } + *p_key0 = key0; + return 0; +} + always_inline void mss_clamping (snat_main_t * sm, tcp_header_t * tcp, ip_csum_t * sum) { @@ -369,13 +483,85 @@ mss_clamping (snat_main_t * sm, tcp_header_t * tcp, ip_csum_t * sum) *sum = ip_csum_update (*sum, mss, sm->mss_value_net, ip4_header_t, length); - clib_memcpy (data + 2, &sm->mss_value_net, 2); + clib_memcpy_fast (data + 2, &sm->mss_value_net, 2); } return; } } } +/** + * @brief Check if packet should be translated + * + * Packets aimed at outside interface and external address with active session + * should be translated. + * + * @param sm NAT main + * @param rt NAT runtime data + * @param sw_if_index0 index of the inside interface + * @param ip0 IPv4 header + * @param proto0 NAT protocol + * @param rx_fib_index0 RX FIB index + * + * @returns 0 if packet should be translated otherwise 1 + */ +static inline int +snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t * node, + u32 sw_if_index0, ip4_header_t * ip0, u32 proto0, + u32 rx_fib_index0) +{ + if (sm->out2in_dpo) + return 0; + + fib_node_index_t fei = FIB_NODE_INDEX_INVALID; + nat_outside_fib_t *outside_fib; + fib_prefix_t pfx = { + .fp_proto = FIB_PROTOCOL_IP4, + .fp_len = 32, + .fp_addr = { + .ip4.as_u32 = ip0->dst_address.as_u32, + } + , + }; + + /* Don't NAT packet aimed at the intfc address */ + if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0, + ip0->dst_address.as_u32))) + return 1; + + fei = fib_table_lookup (rx_fib_index0, &pfx); + if (FIB_NODE_INDEX_INVALID != fei) + { + u32 sw_if_index = fib_entry_get_resolving_interface (fei); + if (sw_if_index == ~0) + { + vec_foreach (outside_fib, sm->outside_fibs) + { + fei = fib_table_lookup (outside_fib->fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID != fei) + { + sw_if_index = fib_entry_get_resolving_interface (fei); + if (sw_if_index != ~0) + break; + } + } + } + if (sw_if_index == ~0) + return 1; + + snat_interface_t *i; + pool_foreach (i, sm->interfaces, ( + { + /* NAT packet aimed at outside interface */ + if ((nat_interface_is_outside (i)) + && (sw_if_index == + i->sw_if_index)) return 0;} + )); + } + + return 1; +} + #endif /* __included_nat_inlines_h__ */ /*