}
#endif
-#ifndef CLIB_MARCH_VARIANT
-void
-nat44_reass_hairpinning (snat_main_t * sm,
- vlib_buffer_t * b0,
- ip4_header_t * ip0,
- u16 sport, u16 dport, u32 proto0, int is_ed)
-{
- snat_session_key_t key0, sm0;
- snat_session_t *s0;
- clib_bihash_kv_8_8_t kv0, value0;
- ip_csum_t sum0;
- u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
- u16 new_dst_port0, old_dst_port0;
- udp_header_t *udp0;
- tcp_header_t *tcp0;
- int rv;
-
- key0.addr = ip0->dst_address;
- key0.port = dport;
- key0.protocol = proto0;
- key0.fib_index = sm->outside_fib_index;
- kv0.key = key0.as_u64;
-
- udp0 = ip4_next_header (ip0);
-
- /* Check if destination is static mappings */
- if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
- {
- new_dst_addr0 = sm0.addr.as_u32;
- new_dst_port0 = sm0.port;
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
- }
- /* or active sessions */
- else
- {
- if (sm->num_workers > 1)
- ti =
- (clib_net_to_host_u16 (udp0->dst_port) -
- 1024) / sm->port_per_thread;
- else
- ti = sm->num_workers;
-
- if (is_ed)
- {
- clib_bihash_kv_16_8_t ed_kv, ed_value;
- make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address,
- ip0->protocol, sm->outside_fib_index, udp0->dst_port,
- udp0->src_port);
- rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed,
- &ed_kv, &ed_value);
- si = ed_value.value;
- }
- else
- {
- rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
- &value0);
- si = value0.value;
- }
- if (!rv)
- {
- s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
- new_dst_addr0 = s0->in2out.addr.as_u32;
- new_dst_port0 = s0->in2out.port;
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
- }
- }
-
- /* Destination is behind the same NAT, use internal address and port */
- if (new_dst_addr0)
- {
- old_dst_addr0 = ip0->dst_address.as_u32;
- ip0->dst_address.as_u32 = new_dst_addr0;
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
- ip4_header_t, dst_address);
- ip0->checksum = ip_csum_fold (sum0);
-
- old_dst_port0 = dport;
- if (PREDICT_TRUE (new_dst_port0 != old_dst_port0 &&
- ip4_is_first_fragment (ip0)))
- {
- if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
- {
- tcp0 = ip4_next_header (ip0);
- tcp0->dst = new_dst_port0;
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
- ip4_header_t /* cheat */ , length);
- tcp0->checksum = ip_csum_fold (sum0);
- }
- else
- {
- udp0->dst_port = new_dst_port0;
- udp0->checksum = 0;
- }
- }
- else
- {
- if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
- {
- tcp0 = ip4_next_header (ip0);
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
- ip4_header_t, dst_address);
- tcp0->checksum = ip_csum_fold (sum0);
- }
- }
- }
-}
-#endif
-
static inline uword
nat44_hairpinning_fn_inline (vlib_main_t * vm,
vlib_node_runtime_t * node,
update_template_id(&silm->max_bibs_template_id,
fr->template_id);
}
- else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY)
- {
- field_count = MAX_FRAGMENTS_FIELD_COUNT;
-
- update_template_id(&silm->max_frags_ip4_template_id,
- fr->template_id);
- }
- else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6)
- {
- field_count = MAX_FRAGMENTS_FIELD_COUNT;
-
- update_template_id(&silm->max_frags_ip6_template_id,
- fr->template_id);
- }
}
/* allocate rewrite space */
f->e_id_length = ipfix_e_id_length (0, maxBIBEntries, 4);
f++;
}
- else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY)
- {
- f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
- 8);
- f++;
- f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
- f++;
- f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
- f++;
- f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly,
- 4);
- f++;
- f->e_id_length = ipfix_e_id_length (0, sourceIPv4Address, 4);
- f++;
- }
- else if (quota_event == MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6)
- {
- f->e_id_length = ipfix_e_id_length (0, observationTimeMilliseconds,
- 8);
- f++;
- f->e_id_length = ipfix_e_id_length (0, natEvent, 1);
- f++;
- f->e_id_length = ipfix_e_id_length (0, natQuotaExceededEvent, 4);
- f++;
- f->e_id_length = ipfix_e_id_length (0, maxFragmentsPendingReassembly,
- 4);
- f++;
- f->e_id_length = ipfix_e_id_length (0, sourceIPv6Address, 16);
- f++;
- }
}
/* Back to the template packet... */
MAX_BIB_ENTRIES);
}
-u8 *
-nat_template_rewrite_max_frags_ip4 (flow_report_main_t * frm,
- flow_report_t * fr,
- ip4_address_t * collector_address,
- ip4_address_t * src_address,
- u16 collector_port,
- ipfix_report_element_t *elts,
- u32 n_elts, u32 *stream_index)
-{
- return snat_template_rewrite (frm, fr, collector_address, src_address,
- collector_port, QUOTA_EXCEEDED,
- MAX_FRAGMENTS_PENDING_REASSEMBLY);
-}
-
-u8 *
-nat_template_rewrite_max_frags_ip6 (flow_report_main_t * frm,
- flow_report_t * fr,
- ip4_address_t * collector_address,
- ip4_address_t * src_address,
- u16 collector_port,
- ipfix_report_element_t *elts,
- u32 n_elts, u32 *stream_index)
-{
- return snat_template_rewrite (frm, fr, collector_address, src_address,
- collector_port, QUOTA_EXCEEDED,
- MAX_FRAGMENTS_PENDING_REASSEMBLY_IP6);
-}
-
u8 *
nat_template_rewrite_nat64_bib (flow_report_main_t * frm,
flow_report_t * fr,
sitd->max_bibs_next_record_offset = offset;
}
-static void
-nat_ipfix_logging_max_frag_ip4 (u32 thread_index,
- u32 limit, u32 src, int do_flush)
-{
- snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
- snat_ipfix_per_thread_data_t *sitd = &silm->per_thread_data[thread_index];
- flow_report_main_t *frm = &flow_report_main;
- vlib_frame_t *f;
- vlib_buffer_t *b0 = 0;
- u32 bi0 = ~0;
- u32 offset;
- vlib_main_t *vm = frm->vlib_main;
- u64 now;
- u8 nat_event = QUOTA_EXCEEDED;
- u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY;
- u16 template_id;
-
- now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
- now += silm->milisecond_time_0;
-
- b0 = sitd->max_frags_ip4_buffer;
-
- if (PREDICT_FALSE (b0 == 0))
- {
- if (do_flush)
- return;
-
- if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
- {
- nat_elog_err ("can't allocate buffer for NAT IPFIX event");
- return;
- }
-
- b0 = sitd->max_frags_ip4_buffer = vlib_get_buffer (vm, bi0);
- VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
- offset = 0;
- }
- else
- {
- bi0 = vlib_get_buffer_index (vm, b0);
- offset = sitd->max_frags_ip4_next_record_offset;
- }
-
- f = sitd->max_frags_ip4_frame;
- if (PREDICT_FALSE (f == 0))
- {
- u32 *to_next;
- f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
- sitd->max_frags_ip4_frame = f;
- to_next = vlib_frame_vector_args (f);
- to_next[0] = bi0;
- f->n_vectors = 1;
- }
-
- if (PREDICT_FALSE (offset == 0))
- snat_ipfix_header_create (frm, b0, &offset);
-
- if (PREDICT_TRUE (do_flush == 0))
- {
- u64 time_stamp = clib_host_to_net_u64 (now);
- clib_memcpy_fast (b0->data + offset, &time_stamp, sizeof (time_stamp));
- offset += sizeof (time_stamp);
-
- clib_memcpy_fast (b0->data + offset, &nat_event, sizeof (nat_event));
- offset += sizeof (nat_event);
-
- clib_memcpy_fast (b0->data + offset, "a_event, sizeof (quota_event));
- offset += sizeof (quota_event);
-
- clib_memcpy_fast (b0->data + offset, &limit, sizeof (limit));
- offset += sizeof (limit);
-
- clib_memcpy_fast (b0->data + offset, &src, sizeof (src));
- offset += sizeof (src);
-
- b0->current_length += MAX_FRAGMENTS_IP4_LEN;
- }
-
- if (PREDICT_FALSE
- (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
- {
- template_id = clib_atomic_fetch_or (
- &silm->max_frags_ip4_template_id,
- 0);
- snat_ipfix_send (frm, f, b0, template_id);
- sitd->max_frags_ip4_frame = 0;
- sitd->max_frags_ip4_buffer = 0;
- offset = 0;
- }
- sitd->max_frags_ip4_next_record_offset = offset;
-}
-
-static void
-nat_ipfix_logging_max_frag_ip6 (u32 thread_index,
- u32 limit, ip6_address_t * src, int do_flush)
-{
- snat_ipfix_logging_main_t *silm = &snat_ipfix_logging_main;
- snat_ipfix_per_thread_data_t *sitd = &silm->per_thread_data[thread_index];
- flow_report_main_t *frm = &flow_report_main;
- vlib_frame_t *f;
- vlib_buffer_t *b0 = 0;
- u32 bi0 = ~0;
- u32 offset;
- vlib_main_t *vm = frm->vlib_main;
- u64 now;
- u8 nat_event = QUOTA_EXCEEDED;
- u32 quota_event = MAX_FRAGMENTS_PENDING_REASSEMBLY;
- u16 template_id;
-
- now = (u64) ((vlib_time_now (vm) - silm->vlib_time_0) * 1e3);
- now += silm->milisecond_time_0;
-
- b0 = sitd->max_frags_ip6_buffer;
-
- if (PREDICT_FALSE (b0 == 0))
- {
- if (do_flush)
- return;
-
- if (vlib_buffer_alloc (vm, &bi0, 1) != 1)
- {
- nat_elog_err ("can't allocate buffer for NAT IPFIX event");
- return;
- }
-
- b0 = sitd->max_frags_ip6_buffer = vlib_get_buffer (vm, bi0);
- VLIB_BUFFER_TRACE_TRAJECTORY_INIT (b0);
- offset = 0;
- }
- else
- {
- bi0 = vlib_get_buffer_index (vm, b0);
- offset = sitd->max_frags_ip6_next_record_offset;
- }
-
- f = sitd->max_frags_ip6_frame;
- if (PREDICT_FALSE (f == 0))
- {
- u32 *to_next;
- f = vlib_get_frame_to_node (vm, ip4_lookup_node.index);
- sitd->max_frags_ip6_frame = f;
- to_next = vlib_frame_vector_args (f);
- to_next[0] = bi0;
- f->n_vectors = 1;
- }
-
- if (PREDICT_FALSE (offset == 0))
- snat_ipfix_header_create (frm, b0, &offset);
-
- if (PREDICT_TRUE (do_flush == 0))
- {
- u64 time_stamp = clib_host_to_net_u64 (now);
- clib_memcpy_fast (b0->data + offset, &time_stamp, sizeof (time_stamp));
- offset += sizeof (time_stamp);
-
- clib_memcpy_fast (b0->data + offset, &nat_event, sizeof (nat_event));
- offset += sizeof (nat_event);
-
- clib_memcpy_fast (b0->data + offset, "a_event, sizeof (quota_event));
- offset += sizeof (quota_event);
-
- clib_memcpy_fast (b0->data + offset, &limit, sizeof (limit));
- offset += sizeof (limit);
-
- clib_memcpy_fast (b0->data + offset, src, sizeof (ip6_address_t));
- offset += sizeof (ip6_address_t);
-
- b0->current_length += MAX_FRAGMENTS_IP6_LEN;
- }
-
- if (PREDICT_FALSE
- (do_flush || (offset + MAX_BIBS_LEN) > frm->path_mtu))
- {
- template_id = clib_atomic_fetch_or (
- &silm->max_frags_ip6_template_id,
- 0);
- snat_ipfix_send (frm, f, b0, template_id);
- sitd->max_frags_ip6_frame = 0;
- sitd->max_frags_ip6_buffer = 0;
- offset = 0;
- }
- sitd->max_frags_ip6_next_record_offset = offset;
-}
-
static void
nat_ipfix_logging_nat64_bibe (u32 thread_index, u8 nat_event,
ip6_address_t * src_ip, u32 nat_src_ip,
snat_ipfix_logging_max_entries_per_usr (thread_index, 0, 0, do_flush);
nat_ipfix_logging_max_ses (thread_index, 0, do_flush);
nat_ipfix_logging_max_bib (thread_index, 0, do_flush);
- nat_ipfix_logging_max_frag_ip4 (thread_index, 0, 0, do_flush);
- nat_ipfix_logging_max_frag_ip6 (thread_index, 0, 0, do_flush);
nat_ipfix_logging_nat64_bibe (thread_index,
0, 0, 0, 0, 0, 0, 0, do_flush);
nat_ipfix_logging_nat64_ses (thread_index,
nat_ipfix_logging_max_bib (thread_index, limit, 0);
}
-/**
- * @brief Generate maximum IPv4 fragments pending reassembly exceeded event
- *
- * @param thread_index thread index
- * @param limit configured limit
- * @param src source IPv4 address
- */
-void
-nat_ipfix_logging_max_fragments_ip4 (u32 thread_index,
- u32 limit, ip4_address_t * src)
-{
- //TODO: This event SHOULD be rate limited
- skip_if_disabled ();
-
- nat_ipfix_logging_max_frag_ip4 (thread_index, limit, src->as_u32, 0);
-}
-
-/**
- * @brief Generate maximum IPv6 fragments pending reassembly exceeded event
- *
- * @param thread_index thread index
- * @param limit configured limit
- * @param src source IPv6 address
- */
-void
-nat_ipfix_logging_max_fragments_ip6 (u32 thread_index,
- u32 limit, ip6_address_t * src)
-{
- //TODO: This event SHOULD be rate limited
- skip_if_disabled ();
-
- nat_ipfix_logging_max_frag_ip6 (thread_index, limit, src, 0);
-}
-
/**
* @brief Generate NAT64 BIB create and delete events
*
a.rewrite_callback = nat_template_rewrite_max_bibs;
- rv = vnet_flow_report_add_del (frm, &a, NULL);
- if (rv)
- {
- nat_elog_warn_X1 ("vnet_flow_report_add_del returned %d", "i4", rv);
- return -1;
- }
-
- a.rewrite_callback = nat_template_rewrite_max_frags_ip4;
-
- rv = vnet_flow_report_add_del (frm, &a, NULL);
- if (rv)
- {
- nat_elog_warn_X1 ("vnet_flow_report_add_del returned %d", "i4", rv);
- return -1;
- }
-
- a.rewrite_callback = nat_template_rewrite_max_frags_ip6;
-
rv = vnet_flow_report_add_del (frm, &a, NULL);
if (rv)
{
# maxBIBEntries
self.assertEqual(struct.pack("I", limit), record[472])
- def verify_ipfix_max_fragments_ip6(self, data, limit, src_addr):
- """
- Verify IPFIX maximum IPv6 fragments pending reassembly exceeded event
-
- :param data: Decoded IPFIX data records
- :param limit: Number of maximum fragments pending reassembly
- :param src_addr: IPv6 source address
- """
- self.assertEqual(1, len(data))
- record = data[0]
- # natEvent
- self.assertEqual(scapy.compat.orb(record[230]), 13)
- # natQuotaExceededEvent
- self.assertEqual(struct.pack("I", 5), record[466])
- # maxFragmentsPendingReassembly
- self.assertEqual(struct.pack("I", limit), record[475])
- # sourceIPv6Address
- self.assertEqual(src_addr, record[27])
-
- def verify_ipfix_max_fragments_ip4(self, data, limit, src_addr):
- """
- Verify IPFIX maximum IPv4 fragments pending reassembly exceeded event
-
- :param data: Decoded IPFIX data records
- :param limit: Number of maximum fragments pending reassembly
- :param src_addr: IPv4 source address
- """
- self.assertEqual(1, len(data))
- record = data[0]
- # natEvent
- self.assertEqual(scapy.compat.orb(record[230]), 13)
- # natQuotaExceededEvent
- self.assertEqual(struct.pack("I", 5), record[466])
- # maxFragmentsPendingReassembly
- self.assertEqual(struct.pack("I", limit), record[475])
- # sourceIPv4Address
- self.assertEqual(src_addr, record[8])
-
def verify_ipfix_bib(self, data, is_create, src_addr):
"""
Verify IPFIX NAT64 BIB create and delete events
self.verify_capture_out(capture)
self.nat44_add_address(self.nat_addr, is_add=0)
self.vapi.ipfix_flush()
- capture = self.pg3.get_capture(9)
+ capture = self.pg3.get_capture(7)
ipfix = IPFIXDecoder()
# first load template
for p in capture:
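Review bot: The expected packet count in `self.pg3.get_capture(7)` is a bare literal with no stated meaning, so a reader cannot tell which packets it counts. It drops by two here and in the two later hunks (`9` to `7` again, then `10` to `8`), which matches the two registrations removed in the C part of this diff (`nat_template_rewrite_max_frags_ip4` and `nat_template_rewrite_max_frags_ip6`), so the number appears to track how many IPFIX templates the plugin registers. A comment above each call would make that dependency explicit for the next template change, for example `# N template packets + M data packets; update when IPFIX templates are added or removed`, with N and M filled in from the test. The enclosing test method starts and ends outside the hunk.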
self.pg1.assert_nothing_captured()
sleep(1)
self.vapi.ipfix_flush()
- capture = self.pg3.get_capture(9)
+ capture = self.pg3.get_capture(7)
ipfix = IPFIXDecoder()
# first load template
for p in capture:
p = self.pg1.get_capture(1)
self.tcp_port_out = p[0][TCP].sport
self.vapi.ipfix_flush()
- capture = self.pg3.get_capture(10)
+ capture = self.pg3.get_capture(8)
ipfix = IPFIXDecoder()
# first load template
for p in capture: