X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fplugins%2Fnat%2Fout2in.c;h=a0128b8d61db7069af890e9c6118e1e9c4b79e0c;hb=1e5c07d379a092f4829e7081aa962d013b31fdfc;hp=a626bf5c2a6798f74fd2140b413b6d81c95a28f3;hpb=13c08184c3fb77a54e8d7e46cb45f091cc71fcc3;p=vpp.git diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c index a626bf5c2a6..a0128b8d61d 100755 --- a/src/plugins/nat/out2in.c +++ b/src/plugins/nat/out2in.c @@ -333,11 +333,15 @@ next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port, } static void -create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip) +create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index, + u32 thread_index) { nat_ed_ses_key_t key; - clib_bihash_kv_16_8_t kv; + clib_bihash_kv_16_8_t kv, value; udp_header_t *udp; + snat_user_t *u; + snat_session_t *s = 0; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; if (ip->protocol == IP_PROTOCOL_ICMP) { @@ -363,10 +367,50 @@ create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip) key.fib_index = 0; kv.key[0] = key.as_u64[0]; kv.key[1] = key.as_u64[1]; - kv.value = ~0ULL; - if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1)) - clib_warning ("in2out_ed key add failed"); + if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value)) + { + s = pool_elt_at_index (tsm->sessions, value.value); + } + else + { + if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index))) + return; + + u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index, thread_index); + if (!u) + { + clib_warning ("create NAT user failed"); + return; + } + + s = nat_session_alloc_or_recycle (sm, u, thread_index); + if (!s) + { + clib_warning ("create NAT session failed"); + return; + } + + s->ext_host_addr = key.r_addr; + s->ext_host_port = key.r_port; + s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS; + s->outside_address_index = ~0; + s->out2in.addr = key.l_addr; + s->out2in.port = key.l_port; + s->out2in.protocol = ip_proto_to_snat_proto (key.proto); + s->out2in.fib_index = 0; + s->in2out = s->out2in; + user_session_increment (sm, u, 0); + + kv.value = s - tsm->sessions; + if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1)) + clib_warning ("in2out_ed key add failed"); + } + + /* Per-user LRU list maintenance */ + clib_dlist_remove (tsm->list_pool, s->per_user_index); + clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index, + s->per_user_index); } /** @@ -446,7 +490,7 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, next0 = SNAT_OUT2IN_NEXT_IN2OUT; goto out; } - create_bypass_for_fwd(sm, ip0); + create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index); goto out; } } @@ -827,6 +871,7 @@ snat_out2in_unknown_proto (snat_main_t *sm, s->ext_host_addr.as_u32 = ip->src_address.as_u32; s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO; s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; + s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; s->outside_address_index = ~0; s->out2in.addr.as_u32 = old_addr; s->out2in.fib_index = rx_fib_index; @@ -891,7 +936,8 @@ snat_out2in_lb (snat_main_t *sm, snat_user_t *u; u32 address_index; snat_session_key_t eh_key; - u8 twice_nat, lb; + twice_nat_type_t twice_nat; + u8 lb; old_addr = ip->dst_address.as_u32; @@ -943,6 +989,7 @@ snat_out2in_lb (snat_main_t *sm, s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; if (lb) s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING; + s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; s->outside_address_index = ~0; s->out2in = e_key; s->in2out = l_key; @@ -953,7 +1000,9 @@ snat_out2in_lb (snat_main_t *sm, if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1)) clib_warning ("out2in-ed key add failed"); - if (twice_nat) + if (twice_nat == TWICE_NAT || + (twice_nat == TWICE_NAT_SELF && + ip->src_address.as_u32 == l_key.addr.as_u32)) { eh_key.protocol = proto; if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0, @@ -1167,21 +1216,23 @@ snat_out2in_node_fn (vlib_main_t * vm, destination address and port in packet */ if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0)) { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP + && (udp0->dst_port == + clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next + (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0); + goto trace0; + } + if (!sm->forwarding_enabled) { b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP - || (udp0->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - next0 = SNAT_OUT2IN_NEXT_DROP; - else - vnet_feature_next - (vnet_buffer (b0)->sw_if_index[VLIB_RX], - &next0, b0); + next0 = SNAT_OUT2IN_NEXT_DROP; goto trace0; } else @@ -1191,7 +1242,7 @@ snat_out2in_node_fn (vlib_main_t * vm, next0 = SNAT_OUT2IN_NEXT_IN2OUT; goto trace0; } - create_bypass_for_fwd(sm, ip0); + create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index); goto trace0; } } @@ -1343,21 +1394,23 @@ snat_out2in_node_fn (vlib_main_t * vm, destination address and port in packet */ if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0, 0)) { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP + && (udp1->dst_port == + clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next + (vnet_buffer (b1)->sw_if_index[VLIB_RX], &next1, b1); + goto trace1; + } + if (!sm->forwarding_enabled) { b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_TRUE (proto1 != SNAT_PROTOCOL_UDP - || (udp1->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - next1 = SNAT_OUT2IN_NEXT_DROP; - else - vnet_feature_next - (vnet_buffer (b1)->sw_if_index[VLIB_RX], - &next1, b1); + next1 = SNAT_OUT2IN_NEXT_DROP; goto trace1; } else @@ -1367,7 +1420,7 @@ snat_out2in_node_fn (vlib_main_t * vm, next1 = SNAT_OUT2IN_NEXT_IN2OUT; goto trace1; } - create_bypass_for_fwd(sm, ip1); + create_bypass_for_fwd(sm, ip1, rx_fib_index1, thread_index); goto trace1; } } @@ -1555,21 +1608,23 @@ snat_out2in_node_fn (vlib_main_t * vm, destination address and port in packet */ if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0)) { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP + && (udp0->dst_port == + clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next + (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0); + goto trace00; + } + if (!sm->forwarding_enabled) { b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP - || (udp0->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - next0 = SNAT_OUT2IN_NEXT_DROP; - else - vnet_feature_next - (vnet_buffer (b0)->sw_if_index[VLIB_RX], - &next0, b0); + next0 = SNAT_OUT2IN_NEXT_DROP; goto trace00; } else @@ -1579,7 +1634,7 @@ snat_out2in_node_fn (vlib_main_t * vm, next0 = SNAT_OUT2IN_NEXT_IN2OUT; goto trace00; } - create_bypass_for_fwd(sm, ip0); + create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index); goto trace00; } } @@ -1808,21 +1863,24 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, destination address and port in packet */ if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0)) { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP + && (udp0->dst_port + == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next + (vnet_buffer (b0)->sw_if_index[VLIB_RX], + &next0, b0); + goto trace0; + } + if (!sm->forwarding_enabled) { b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP - || (udp0->dst_port - != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - next0 = SNAT_OUT2IN_NEXT_DROP; - else - vnet_feature_next - (vnet_buffer (b0)->sw_if_index[VLIB_RX], - &next0, b0); + next0 = SNAT_OUT2IN_NEXT_DROP; goto trace0; } else @@ -1832,7 +1890,7 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, next0 = SNAT_OUT2IN_NEXT_IN2OUT; goto trace0; } - create_bypass_for_fwd(sm, ip0); + create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index); goto trace0; } }