X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Fout2in.c;h=00f887d9f1b064894bc899c0a53883d4737add39;hb=82f2e6e50dfedd495f8788f85b0f366f79ae8e1a;hp=7f500a916f00fdb09fb6e8f398a895fb4eee43fd;hpb=87233b51bc4d088ff566cef09a7c96f1f0dac078;p=vpp.git diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c index 7f500a916f0..00f887d9f1b 100755 --- a/src/plugins/nat/out2in.c +++ b/src/plugins/nat/out2in.c @@ -133,6 +133,7 @@ typedef enum { SNAT_OUT2IN_NEXT_LOOKUP, SNAT_OUT2IN_NEXT_ICMP_ERROR, SNAT_OUT2IN_NEXT_REASS, + SNAT_OUT2IN_NEXT_IN2OUT, SNAT_OUT2IN_N_NEXT, } snat_out2in_next_t; @@ -191,7 +192,7 @@ create_session_for_static_mapping (snat_main_t *sm, s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; s->ext_host_addr.as_u32 = ip0->src_address.as_u32; s->ext_host_port = udp0->src_port; - u->nstaticsessions++; + user_session_increment (sm, u, 1 /* static */); s->in2out = in2out; s->out2in = out2in; s->in2out.protocol = out2in.protocol; @@ -311,6 +312,63 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) return 0; } +static int +next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port, + u32 thread_index) +{ + snat_session_key_t key; + clib_bihash_kv_8_8_t kv, value; + + key.addr = ip->src_address; + key.port = src_port; + key.protocol = proto; + key.fib_index = sm->inside_fib_index; + kv.key = key.as_u64; + + if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv, + &value)) + return 1; + + return 0; +} + +static void +create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv; + udp_header_t *udp; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header(ip); + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = udp->dst_port; + key.r_port = udp->src_port; + } + else + { + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + kv.value = ~0ULL; + + if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1)) + clib_warning ("in2out_ed key add failed"); +} + /** * Get address and port values to be used for ICMP packet translation * and create session if needed @@ -383,6 +441,12 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, else { dont_translate = 1; + if (next_src_nat(sm, ip0, key0.protocol, key0.port, thread_index)) + { + next0 = SNAT_OUT2IN_NEXT_IN2OUT; + goto out; + } + create_bypass_for_fwd(sm, ip0); goto out; } } @@ -580,6 +644,9 @@ static inline u32 icmp_out2in (snat_main_t *sm, dst_address /* changed member */); ip0->checksum = ip_csum_fold (sum0); + if (icmp0->checksum == 0) + icmp0->checksum = 0xffff; + if (!icmp_is_error_message (icmp0)) { new_id0 = sm0.port; @@ -766,7 +833,7 @@ snat_out2in_unknown_proto (snat_main_t *sm, s->in2out.addr.as_u32 = new_addr; s->in2out.fib_index = m->fib_index; s->in2out.port = s->out2in.port = ip->protocol; - u->nstaticsessions++; + user_session_increment (sm, u, 1 /* static */); /* Add to lookup tables */ s_kv.value = s - tsm->sessions; @@ -878,7 +945,7 @@ snat_out2in_lb (snat_main_t *sm, s->outside_address_index = ~0; s->out2in = e_key; s->in2out = l_key; - u->nstaticsessions++; + user_session_increment (sm, u, 1 /* static */); /* Add to lookup tables */ s_kv.value = s - tsm->sessions; @@ -1065,8 +1132,9 @@ snat_out2in_node_fn (vlib_main_t * vm, { s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0, thread_index, now, vm, node); - if (!s0) - next0 = SNAT_OUT2IN_NEXT_DROP; + if (!sm->forwarding_enabled) + if (!s0) + next0 = SNAT_OUT2IN_NEXT_DROP; goto trace0; } @@ -1105,14 +1173,26 @@ snat_out2in_node_fn (vlib_main_t * vm, * Send DHCP packets to the ipv4 stack, or we won't * be able to use dhcp client on the outside interface */ - if (proto0 != SNAT_PROTOCOL_UDP + if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP || (udp0->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))) + != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) next0 = SNAT_OUT2IN_NEXT_DROP; + else + vnet_feature_next + (vnet_buffer (b0)->sw_if_index[VLIB_RX], + &next0, b0); goto trace0; } else - goto trace0; + { + if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index)) + { + next0 = SNAT_OUT2IN_NEXT_IN2OUT; + goto trace0; + } + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ @@ -1228,8 +1308,9 @@ snat_out2in_node_fn (vlib_main_t * vm, { s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1, thread_index, now, vm, node); - if (!s1) - next1 = SNAT_OUT2IN_NEXT_DROP; + if (!sm->forwarding_enabled) + if (!s1) + next1 = SNAT_OUT2IN_NEXT_DROP; goto trace1; } @@ -1268,14 +1349,26 @@ snat_out2in_node_fn (vlib_main_t * vm, * Send DHCP packets to the ipv4 stack, or we won't * be able to use dhcp client on the outside interface */ - if (proto1 != SNAT_PROTOCOL_UDP + if (PREDICT_TRUE (proto1 != SNAT_PROTOCOL_UDP || (udp1->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))) + != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) next1 = SNAT_OUT2IN_NEXT_DROP; + else + vnet_feature_next + (vnet_buffer (b1)->sw_if_index[VLIB_RX], + &next1, b1); goto trace1; } else - goto trace1; + { + if (next_src_nat(sm, ip1, proto1, udp1->src_port, thread_index)) + { + next1 = SNAT_OUT2IN_NEXT_IN2OUT; + goto trace1; + } + create_bypass_for_fwd(sm, ip1); + goto trace1; + } } /* Create session initiated by host from external network */ @@ -1417,8 +1510,9 @@ snat_out2in_node_fn (vlib_main_t * vm, { s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0, thread_index, now, vm, node); - if (!s0) - next0 = SNAT_OUT2IN_NEXT_DROP; + if (!sm->forwarding_enabled) + if (!s0) + next0 = SNAT_OUT2IN_NEXT_DROP; goto trace00; } @@ -1467,14 +1561,26 @@ snat_out2in_node_fn (vlib_main_t * vm, * Send DHCP packets to the ipv4 stack, or we won't * be able to use dhcp client on the outside interface */ - if (proto0 != SNAT_PROTOCOL_UDP + if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP || (udp0->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))) + != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) next0 = SNAT_OUT2IN_NEXT_DROP; + else + vnet_feature_next + (vnet_buffer (b0)->sw_if_index[VLIB_RX], + &next0, b0); goto trace00; } else - goto trace00; + { + if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index)) + { + next0 = SNAT_OUT2IN_NEXT_IN2OUT; + goto trace00; + } + create_bypass_for_fwd(sm, ip0); + goto trace00; + } } /* Create session initiated by host from external network */ @@ -1599,6 +1705,7 @@ VLIB_REGISTER_NODE (snat_out2in_node) = { [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", + [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out", }, }; VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn); @@ -1707,14 +1814,26 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, * Send DHCP packets to the ipv4 stack, or we won't * be able to use dhcp client on the outside interface */ - if (proto0 != SNAT_PROTOCOL_UDP + if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP || (udp0->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))) + != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) next0 = SNAT_OUT2IN_NEXT_DROP; + else + vnet_feature_next + (vnet_buffer (b0)->sw_if_index[VLIB_RX], + &next0, b0); goto trace0; } else - goto trace0; + { + if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index)) + { + next0 = SNAT_OUT2IN_NEXT_IN2OUT; + goto trace0; + } + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ @@ -1883,6 +2002,7 @@ VLIB_REGISTER_NODE (nat44_out2in_reass_node) = { [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", + [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out", }, }; VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node, @@ -2372,6 +2492,7 @@ VLIB_REGISTER_NODE (snat_det_out2in_node) = { [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", + [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out", }, }; VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn); @@ -2865,6 +2986,7 @@ VLIB_REGISTER_NODE (snat_out2in_fast_node) = { [SNAT_OUT2IN_NEXT_DROP] = "error-drop", [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", + [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out", }, }; VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);