2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
25 #include <nat/nat_ipfix_logging.h>
26 #include <nat/nat_det.h>
27 #include <nat/nat_reass.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
38 } snat_in2out_trace_t;
41 u32 next_worker_index;
43 } snat_in2out_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
53 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
55 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
56 t->sw_if_index, t->next_index, t->session_index);
61 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
63 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
64 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
65 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
67 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
68 t->sw_if_index, t->next_index);
73 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
75 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
76 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
77 snat_in2out_worker_handoff_trace_t * t =
78 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
81 m = t->do_handoff ? "next worker" : "same worker";
82 s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
91 } nat44_in2out_reass_trace_t;
93 static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args)
95 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
96 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
97 nat44_in2out_reass_trace_t * t = va_arg (*args, nat44_in2out_reass_trace_t *);
99 s = format (s, "NAT44_IN2OUT_REASS: sw_if_index %d, next index %d, status %s",
100 t->sw_if_index, t->next_index,
101 t->cached ? "cached" : "translated");
106 vlib_node_registration_t snat_in2out_node;
107 vlib_node_registration_t snat_in2out_slowpath_node;
108 vlib_node_registration_t snat_in2out_fast_node;
109 vlib_node_registration_t snat_in2out_worker_handoff_node;
110 vlib_node_registration_t snat_det_in2out_node;
111 vlib_node_registration_t snat_in2out_output_node;
112 vlib_node_registration_t snat_in2out_output_slowpath_node;
113 vlib_node_registration_t snat_in2out_output_worker_handoff_node;
114 vlib_node_registration_t snat_hairpin_dst_node;
115 vlib_node_registration_t snat_hairpin_src_node;
116 vlib_node_registration_t nat44_hairpinning_node;
117 vlib_node_registration_t nat44_in2out_reass_node;
120 #define foreach_snat_in2out_error \
121 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
122 _(IN2OUT_PACKETS, "Good in2out packets processed") \
123 _(OUT_OF_PORTS, "Out of ports") \
124 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
125 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
126 _(NO_TRANSLATION, "No translation") \
127 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
128 _(DROP_FRAGMENT, "Drop fragment") \
129 _(MAX_REASS, "Maximum reassemblies exceeded") \
130 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
133 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
134 foreach_snat_in2out_error
137 } snat_in2out_error_t;
139 static char * snat_in2out_error_strings[] = {
140 #define _(sym,string) string,
141 foreach_snat_in2out_error
146 SNAT_IN2OUT_NEXT_LOOKUP,
147 SNAT_IN2OUT_NEXT_DROP,
148 SNAT_IN2OUT_NEXT_ICMP_ERROR,
149 SNAT_IN2OUT_NEXT_SLOW_PATH,
150 SNAT_IN2OUT_NEXT_REASS,
152 } snat_in2out_next_t;
155 SNAT_HAIRPIN_SRC_NEXT_DROP,
156 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT,
157 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH,
158 SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT,
159 SNAT_HAIRPIN_SRC_N_NEXT,
160 } snat_hairpin_next_t;
163 * @brief Check if packet should be translated
165 * Packets aimed at outside interface and external address with active session
166 * should be translated.
169 * @param rt NAT runtime data
170 * @param sw_if_index0 index of the inside interface
171 * @param ip0 IPv4 header
172 * @param proto0 NAT protocol
173 * @param rx_fib_index0 RX FIB index
175 * @returns 0 if packet should be translated otherwise 1
178 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
179 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
185 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
187 .fp_proto = FIB_PROTOCOL_IP4,
190 .ip4.as_u32 = ip0->dst_address.as_u32,
194 /* Don't NAT packet aimed at the intfc address */
195 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
196 ip0->dst_address.as_u32)))
199 fei = fib_table_lookup (rx_fib_index0, &pfx);
200 if (FIB_NODE_INDEX_INVALID != fei)
202 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
203 if (sw_if_index == ~0)
205 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
206 if (FIB_NODE_INDEX_INVALID != fei)
207 sw_if_index = fib_entry_get_resolving_interface (fei);
210 pool_foreach (i, sm->interfaces,
212 /* NAT packet aimed at outside interface */
213 if ((nat_interface_is_outside(i)) && (sw_if_index == i->sw_if_index))
222 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
223 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
224 u32 rx_fib_index0, u32 thread_index)
226 udp_header_t * udp0 = ip4_next_header (ip0);
227 snat_session_key_t key0, sm0;
228 clib_bihash_kv_8_8_t kv0, value0;
230 key0.addr = ip0->dst_address;
231 key0.port = udp0->dst_port;
232 key0.protocol = proto0;
233 key0.fib_index = sm->outside_fib_index;
234 kv0.key = key0.as_u64;
236 /* NAT packet aimed at external address if */
237 /* has active sessions */
238 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
241 /* or is static mappings */
242 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
248 if (sm->forwarding_enabled)
251 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
255 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
258 snat_session_key_t * key0,
259 snat_session_t ** sessionp,
260 vlib_node_runtime_t * node,
266 clib_bihash_kv_8_8_t kv0;
267 snat_session_key_t key1;
268 u32 address_index = ~0;
269 u32 outside_fib_index;
271 udp_header_t * udp0 = ip4_next_header (ip0);
273 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
275 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
276 nat_ipfix_logging_max_sessions(sm->max_translations);
277 return SNAT_IN2OUT_NEXT_DROP;
280 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
283 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
284 return SNAT_IN2OUT_NEXT_DROP;
286 outside_fib_index = p[0];
288 key1.protocol = key0->protocol;
290 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
294 clib_warning ("create NAT user failed");
295 return SNAT_IN2OUT_NEXT_DROP;
298 /* First try to match static mapping by local address and port */
299 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0))
301 /* Try to create dynamic translation */
302 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
306 sm->per_thread_data[thread_index].snat_thread_index))
308 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
309 return SNAT_IN2OUT_NEXT_DROP;
315 u->nstaticsessions++;
318 s = nat_session_alloc_or_recycle (sm, u, thread_index);
321 clib_warning ("create NAT session failed");
322 return SNAT_IN2OUT_NEXT_DROP;
325 if (address_index == ~0)
326 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
327 s->outside_address_index = address_index;
330 s->out2in.protocol = key0->protocol;
331 s->out2in.fib_index = outside_fib_index;
332 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
333 s->ext_host_port = udp0->dst_port;
336 /* Add to translation hashes */
337 kv0.key = s->in2out.as_u64;
338 kv0.value = s - sm->per_thread_data[thread_index].sessions;
339 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
341 clib_warning ("in2out key add failed");
343 kv0.key = s->out2in.as_u64;
344 kv0.value = s - sm->per_thread_data[thread_index].sessions;
346 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
348 clib_warning ("out2in key add failed");
351 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
352 s->out2in.addr.as_u32,
356 s->in2out.fib_index);
361 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
362 snat_session_key_t *p_key0)
364 icmp46_header_t *icmp0;
365 snat_session_key_t key0;
366 icmp_echo_header_t *echo0, *inner_echo0 = 0;
367 ip4_header_t *inner_ip0 = 0;
369 icmp46_header_t *inner_icmp0;
371 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
372 echo0 = (icmp_echo_header_t *)(icmp0+1);
374 if (!icmp_is_error_message (icmp0))
376 key0.protocol = SNAT_PROTOCOL_ICMP;
377 key0.addr = ip0->src_address;
378 key0.port = echo0->identifier;
382 inner_ip0 = (ip4_header_t *)(echo0+1);
383 l4_header = ip4_next_header (inner_ip0);
384 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
385 key0.addr = inner_ip0->dst_address;
386 switch (key0.protocol)
388 case SNAT_PROTOCOL_ICMP:
389 inner_icmp0 = (icmp46_header_t*)l4_header;
390 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
391 key0.port = inner_echo0->identifier;
393 case SNAT_PROTOCOL_UDP:
394 case SNAT_PROTOCOL_TCP:
395 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
398 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
402 return -1; /* success */
406 * Get address and port values to be used for ICMP packet translation
407 * and create session if needed
409 * @param[in,out] sm NAT main
410 * @param[in,out] node NAT node runtime
411 * @param[in] thread_index thread index
412 * @param[in,out] b0 buffer containing packet to be translated
413 * @param[out] p_proto protocol used for matching
414 * @param[out] p_value address and port after NAT translation
415 * @param[out] p_dont_translate if packet should not be translated
416 * @param d optional parameter
417 * @param e optional parameter
419 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
420 u32 thread_index, vlib_buffer_t *b0,
421 ip4_header_t *ip0, u8 *p_proto,
422 snat_session_key_t *p_value,
423 u8 *p_dont_translate, void *d, void *e)
425 icmp46_header_t *icmp0;
428 snat_session_key_t key0;
429 snat_session_t *s0 = 0;
430 u8 dont_translate = 0;
431 clib_bihash_kv_8_8_t kv0, value0;
435 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
436 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
437 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
439 err = icmp_get_key (ip0, &key0);
442 b0->error = node->errors[err];
443 next0 = SNAT_IN2OUT_NEXT_DROP;
446 key0.fib_index = rx_fib_index0;
448 kv0.key = key0.as_u64;
450 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
453 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, ip0,
454 IP_PROTOCOL_ICMP, rx_fib_index0, thread_index) &&
455 vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0))
461 if (PREDICT_FALSE(icmp_is_error_message (icmp0)))
463 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
464 next0 = SNAT_IN2OUT_NEXT_DROP;
468 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
469 &s0, node, next0, thread_index);
471 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
476 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
477 icmp0->type != ICMP4_echo_reply &&
478 !icmp_is_error_message (icmp0)))
480 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
481 next0 = SNAT_IN2OUT_NEXT_DROP;
485 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
490 *p_proto = key0.protocol;
492 *p_value = s0->out2in;
493 *p_dont_translate = dont_translate;
495 *(snat_session_t**)d = s0;
500 * Get address and port values to be used for ICMP packet translation
502 * @param[in] sm NAT main
503 * @param[in,out] node NAT node runtime
504 * @param[in] thread_index thread index
505 * @param[in,out] b0 buffer containing packet to be translated
506 * @param[out] p_proto protocol used for matching
507 * @param[out] p_value address and port after NAT translation
508 * @param[out] p_dont_translate if packet should not be translated
509 * @param d optional parameter
510 * @param e optional parameter
512 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
513 u32 thread_index, vlib_buffer_t *b0,
514 ip4_header_t *ip0, u8 *p_proto,
515 snat_session_key_t *p_value,
516 u8 *p_dont_translate, void *d, void *e)
518 icmp46_header_t *icmp0;
521 snat_session_key_t key0;
522 snat_session_key_t sm0;
523 u8 dont_translate = 0;
528 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
529 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
530 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
532 err = icmp_get_key (ip0, &key0);
535 b0->error = node->errors[err];
536 next0 = SNAT_IN2OUT_NEXT_DROP;
539 key0.fib_index = rx_fib_index0;
541 if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only, 0))
543 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
544 IP_PROTOCOL_ICMP, rx_fib_index0)))
550 if (icmp_is_error_message (icmp0))
552 next0 = SNAT_IN2OUT_NEXT_DROP;
556 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
557 next0 = SNAT_IN2OUT_NEXT_DROP;
561 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
562 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
563 !icmp_is_error_message (icmp0)))
565 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
566 next0 = SNAT_IN2OUT_NEXT_DROP;
573 *p_proto = key0.protocol;
574 *p_dont_translate = dont_translate;
578 static inline u32 icmp_in2out (snat_main_t *sm,
581 icmp46_header_t * icmp0,
584 vlib_node_runtime_t * node,
590 snat_session_key_t sm0;
592 icmp_echo_header_t *echo0, *inner_echo0 = 0;
593 ip4_header_t *inner_ip0;
595 icmp46_header_t *inner_icmp0;
597 u32 new_addr0, old_addr0;
598 u16 old_id0, new_id0;
603 echo0 = (icmp_echo_header_t *)(icmp0+1);
605 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0, ip0,
606 &protocol, &sm0, &dont_translate, d, e);
609 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
612 sum0 = ip_incremental_checksum (0, icmp0,
613 ntohs(ip0->length) - ip4_header_bytes (ip0));
614 checksum0 = ~ip_csum_fold (sum0);
615 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
617 next0 = SNAT_IN2OUT_NEXT_DROP;
621 old_addr0 = ip0->src_address.as_u32;
622 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
623 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
624 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
626 sum0 = ip0->checksum;
627 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
628 src_address /* changed member */);
629 ip0->checksum = ip_csum_fold (sum0);
631 if (!icmp_is_error_message (icmp0))
634 if (PREDICT_FALSE(new_id0 != echo0->identifier))
636 old_id0 = echo0->identifier;
638 echo0->identifier = new_id0;
640 sum0 = icmp0->checksum;
641 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
643 icmp0->checksum = ip_csum_fold (sum0);
648 inner_ip0 = (ip4_header_t *)(echo0+1);
649 l4_header = ip4_next_header (inner_ip0);
651 if (!ip4_header_checksum_is_valid (inner_ip0))
653 next0 = SNAT_IN2OUT_NEXT_DROP;
657 old_addr0 = inner_ip0->dst_address.as_u32;
658 inner_ip0->dst_address = sm0.addr;
659 new_addr0 = inner_ip0->dst_address.as_u32;
661 sum0 = icmp0->checksum;
662 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
663 dst_address /* changed member */);
664 icmp0->checksum = ip_csum_fold (sum0);
668 case SNAT_PROTOCOL_ICMP:
669 inner_icmp0 = (icmp46_header_t*)l4_header;
670 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
672 old_id0 = inner_echo0->identifier;
674 inner_echo0->identifier = new_id0;
676 sum0 = icmp0->checksum;
677 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
679 icmp0->checksum = ip_csum_fold (sum0);
681 case SNAT_PROTOCOL_UDP:
682 case SNAT_PROTOCOL_TCP:
683 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
685 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
687 sum0 = icmp0->checksum;
688 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
690 icmp0->checksum = ip_csum_fold (sum0);
704 * Hairpinning allows two endpoints on the internal side of the NAT to
705 * communicate even if they only use each other's external IP addresses
708 * @param sm NAT main.
709 * @param b0 Vlib buffer.
710 * @param ip0 IP header.
711 * @param udp0 UDP header.
712 * @param tcp0 TCP header.
713 * @param proto0 NAT protocol.
716 snat_hairpinning (snat_main_t *sm,
723 snat_session_key_t key0, sm0;
725 clib_bihash_kv_8_8_t kv0, value0;
727 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
728 u16 new_dst_port0, old_dst_port0;
730 key0.addr = ip0->dst_address;
731 key0.port = udp0->dst_port;
732 key0.protocol = proto0;
733 key0.fib_index = sm->outside_fib_index;
734 kv0.key = key0.as_u64;
736 /* Check if destination is static mappings */
737 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
739 new_dst_addr0 = sm0.addr.as_u32;
740 new_dst_port0 = sm0.port;
741 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
743 /* or active session */
746 if (sm->num_workers > 1)
747 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
749 ti = sm->num_workers;
751 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
755 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
756 new_dst_addr0 = s0->in2out.addr.as_u32;
757 new_dst_port0 = s0->in2out.port;
758 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
762 /* Destination is behind the same NAT, use internal address and port */
765 old_dst_addr0 = ip0->dst_address.as_u32;
766 ip0->dst_address.as_u32 = new_dst_addr0;
767 sum0 = ip0->checksum;
768 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
769 ip4_header_t, dst_address);
770 ip0->checksum = ip_csum_fold (sum0);
772 old_dst_port0 = tcp0->dst;
773 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
775 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
777 tcp0->dst = new_dst_port0;
778 sum0 = tcp0->checksum;
779 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
780 ip4_header_t, dst_address);
781 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
782 ip4_header_t /* cheat */, length);
783 tcp0->checksum = ip_csum_fold(sum0);
787 udp0->dst_port = new_dst_port0;
793 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
795 sum0 = tcp0->checksum;
796 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
797 ip4_header_t, dst_address);
798 tcp0->checksum = ip_csum_fold(sum0);
807 snat_icmp_hairpinning (snat_main_t *sm,
810 icmp46_header_t * icmp0)
812 snat_session_key_t key0, sm0;
813 clib_bihash_kv_8_8_t kv0, value0;
814 u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0;
818 if (!icmp_is_error_message (icmp0))
820 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
821 u16 icmp_id0 = echo0->identifier;
822 key0.addr = ip0->dst_address;
823 key0.port = icmp_id0;
824 key0.protocol = SNAT_PROTOCOL_ICMP;
825 key0.fib_index = sm->outside_fib_index;
826 kv0.key = key0.as_u64;
828 if (sm->num_workers > 1)
829 ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread;
831 ti = sm->num_workers;
833 /* Check if destination is in active sessions */
834 if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
837 /* or static mappings */
838 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
840 new_dst_addr0 = sm0.addr.as_u32;
841 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
848 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
849 new_dst_addr0 = s0->in2out.addr.as_u32;
850 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
851 echo0->identifier = s0->in2out.port;
852 sum0 = icmp0->checksum;
853 sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port,
854 icmp_echo_header_t, identifier);
855 icmp0->checksum = ip_csum_fold (sum0);
858 /* Destination is behind the same NAT, use internal address and port */
861 old_dst_addr0 = ip0->dst_address.as_u32;
862 ip0->dst_address.as_u32 = new_dst_addr0;
863 sum0 = ip0->checksum;
864 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
865 ip4_header_t, dst_address);
866 ip0->checksum = ip_csum_fold (sum0);
872 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
875 icmp46_header_t * icmp0,
878 vlib_node_runtime_t * node,
882 snat_session_t ** p_s0)
884 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
885 next0, thread_index, p_s0, 0);
886 snat_session_t * s0 = *p_s0;
887 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
890 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == 0)
891 snat_icmp_hairpinning(sm, b0, ip0, icmp0);
893 s0->last_heard = now;
895 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
896 /* Per-user LRU list maintenance */
897 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
899 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
900 s0->per_user_list_head_index,
906 snat_hairpinning_unknown_proto (snat_main_t *sm,
910 u32 old_addr, new_addr = 0, ti = 0;
911 clib_bihash_kv_8_8_t kv, value;
912 clib_bihash_kv_16_8_t s_kv, s_value;
913 nat_ed_ses_key_t key;
914 snat_session_key_t m_key;
915 snat_static_mapping_t *m;
919 old_addr = ip->dst_address.as_u32;
920 key.l_addr.as_u32 = ip->dst_address.as_u32;
921 key.r_addr.as_u32 = ip->src_address.as_u32;
922 key.fib_index = sm->outside_fib_index;
923 key.proto = ip->protocol;
926 s_kv.key[0] = key.as_u64[0];
927 s_kv.key[1] = key.as_u64[1];
928 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
930 m_key.addr = ip->dst_address;
931 m_key.fib_index = sm->outside_fib_index;
934 kv.key = m_key.as_u64;
935 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
938 m = pool_elt_at_index (sm->static_mappings, value.value);
939 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
940 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
941 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
945 if (sm->num_workers > 1)
946 ti = sm->worker_out2in_cb (ip, sm->outside_fib_index);
948 ti = sm->num_workers;
950 s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value);
951 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
952 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
953 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
956 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
957 ip->checksum = ip_csum_fold (sum);
960 static snat_session_t *
961 snat_in2out_unknown_proto (snat_main_t *sm,
968 vlib_node_runtime_t * node)
970 clib_bihash_kv_8_8_t kv, value;
971 clib_bihash_kv_16_8_t s_kv, s_value;
972 snat_static_mapping_t *m;
973 snat_session_key_t m_key;
974 u32 old_addr, new_addr = 0;
977 dlist_elt_t *head, *elt;
978 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
979 u32 elt_index, head_index, ses_index;
981 nat_ed_ses_key_t key;
982 u32 address_index = ~0;
986 old_addr = ip->src_address.as_u32;
988 key.l_addr = ip->src_address;
989 key.r_addr = ip->dst_address;
990 key.fib_index = rx_fib_index;
991 key.proto = ip->protocol;
994 s_kv.key[0] = key.as_u64[0];
995 s_kv.key[1] = key.as_u64[1];
997 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
999 s = pool_elt_at_index (tsm->sessions, s_value.value);
1000 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1004 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1006 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1007 nat_ipfix_logging_max_sessions(sm->max_translations);
1011 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1015 clib_warning ("create NAT user failed");
1019 m_key.addr = ip->src_address;
1022 m_key.fib_index = rx_fib_index;
1023 kv.key = m_key.as_u64;
1025 /* Try to find static mapping first */
1026 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
1028 m = pool_elt_at_index (sm->static_mappings, value.value);
1029 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
1033 /* Fallback to 3-tuple key */
1036 /* Choose same out address as for TCP/UDP session to same destination */
1037 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1039 head_index = u->sessions_per_user_list_head_index;
1040 head = pool_elt_at_index (tsm->list_pool, head_index);
1041 elt_index = head->next;
1042 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1043 ses_index = elt->value;
1044 while (ses_index != ~0)
1046 s = pool_elt_at_index (tsm->sessions, ses_index);
1047 elt_index = elt->next;
1048 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1049 ses_index = elt->value;
1051 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
1053 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1054 address_index = s->outside_address_index;
1056 key.fib_index = sm->outside_fib_index;
1057 key.l_addr.as_u32 = new_addr;
1058 s_kv.key[0] = key.as_u64[0];
1059 s_kv.key[1] = key.as_u64[1];
1060 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1067 key.fib_index = sm->outside_fib_index;
1068 for (i = 0; i < vec_len (sm->addresses); i++)
1070 key.l_addr.as_u32 = sm->addresses[i].addr.as_u32;
1071 s_kv.key[0] = key.as_u64[0];
1072 s_kv.key[1] = key.as_u64[1];
1073 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1075 new_addr = ip->src_address.as_u32 = key.l_addr.as_u32;
1084 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1087 clib_warning ("create NAT session failed");
1091 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1092 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1093 s->outside_address_index = address_index;
1094 s->out2in.addr.as_u32 = new_addr;
1095 s->out2in.fib_index = sm->outside_fib_index;
1096 s->in2out.addr.as_u32 = old_addr;
1097 s->in2out.fib_index = rx_fib_index;
1098 s->in2out.port = s->out2in.port = ip->protocol;
1101 u->nstaticsessions++;
1102 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1109 /* Add to lookup tables */
1110 key.l_addr.as_u32 = old_addr;
1111 key.r_addr = ip->dst_address;
1112 key.proto = ip->protocol;
1113 key.fib_index = rx_fib_index;
1114 s_kv.key[0] = key.as_u64[0];
1115 s_kv.key[1] = key.as_u64[1];
1116 s_kv.value = s - tsm->sessions;
1117 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1118 clib_warning ("in2out key add failed");
1120 key.l_addr.as_u32 = new_addr;
1121 key.fib_index = sm->outside_fib_index;
1122 s_kv.key[0] = key.as_u64[0];
1123 s_kv.key[1] = key.as_u64[1];
1124 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1125 clib_warning ("out2in key add failed");
1128 /* Update IP checksum */
1130 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1131 ip->checksum = ip_csum_fold (sum);
1134 s->last_heard = now;
1136 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1137 /* Per-user LRU list maintenance */
1138 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1139 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1143 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1144 snat_hairpinning_unknown_proto(sm, b, ip);
1146 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1147 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1152 static snat_session_t *
1153 snat_in2out_lb (snat_main_t *sm,
1160 vlib_node_runtime_t * node)
1162 nat_ed_ses_key_t key;
1163 clib_bihash_kv_16_8_t s_kv, s_value;
1164 udp_header_t *udp = ip4_next_header (ip);
1165 tcp_header_t *tcp = (tcp_header_t *) udp;
1166 snat_session_t *s = 0;
1167 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1168 u32 old_addr, new_addr;
1169 u16 new_port, old_port;
1171 u32 proto = ip_proto_to_snat_proto (ip->protocol);
1172 snat_session_key_t e_key, l_key;
1175 old_addr = ip->src_address.as_u32;
1177 key.l_addr = ip->src_address;
1178 key.r_addr = ip->dst_address;
1179 key.fib_index = rx_fib_index;
1180 key.proto = ip->protocol;
1181 key.r_port = udp->dst_port;
1182 key.l_port = udp->src_port;
1183 s_kv.key[0] = key.as_u64[0];
1184 s_kv.key[1] = key.as_u64[1];
1186 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1188 s = pool_elt_at_index (tsm->sessions, s_value.value);
1192 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
1194 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1195 nat_ipfix_logging_max_sessions(sm->max_translations);
1199 l_key.addr = ip->src_address;
1200 l_key.port = udp->src_port;
1201 l_key.protocol = proto;
1202 l_key.fib_index = rx_fib_index;
1203 if (snat_static_mapping_match(sm, l_key, &e_key, 0, 0, 0))
1206 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1210 clib_warning ("create NAT user failed");
1214 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1217 clib_warning ("create NAT session failed");
1221 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1222 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1223 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1224 s->outside_address_index = ~0;
1227 u->nstaticsessions++;
1229 /* Add to lookup tables */
1230 s_kv.value = s - tsm->sessions;
1231 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1232 clib_warning ("in2out-ed key add failed");
1234 key.l_addr = e_key.addr;
1235 key.fib_index = e_key.fib_index;
1236 key.l_port = e_key.port;
1237 s_kv.key[0] = key.as_u64[0];
1238 s_kv.key[1] = key.as_u64[1];
1239 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1240 clib_warning ("out2in-ed key add failed");
1243 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1245 /* Update IP checksum */
1247 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1248 if (is_twice_nat_session (s))
1249 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1250 s->ext_host_addr.as_u32, ip4_header_t, dst_address);
1251 ip->checksum = ip_csum_fold (sum);
1253 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1255 old_port = tcp->src_port;
1256 tcp->src_port = s->out2in.port;
1257 new_port = tcp->src_port;
1259 sum = tcp->checksum;
1260 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1261 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1262 if (is_twice_nat_session (s))
1264 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1265 s->ext_host_addr.as_u32, ip4_header_t,
1267 sum = ip_csum_update (sum, tcp->dst_port, s->ext_host_port,
1268 ip4_header_t, length);
1269 tcp->dst_port = s->ext_host_port;
1270 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1272 tcp->checksum = ip_csum_fold(sum);
1276 udp->src_port = s->out2in.port;
1277 if (is_twice_nat_session (s))
1279 udp->dst_port = s->ext_host_port;
1280 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1285 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1286 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1289 s->last_heard = now;
1291 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1292 /* Per-user LRU list maintenance */
1293 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1294 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1300 snat_in2out_node_fn_inline (vlib_main_t * vm,
1301 vlib_node_runtime_t * node,
1302 vlib_frame_t * frame, int is_slow_path,
1303 int is_output_feature)
1305 u32 n_left_from, * from, * to_next;
1306 snat_in2out_next_t next_index;
1307 u32 pkts_processed = 0;
1308 snat_main_t * sm = &snat_main;
1309 f64 now = vlib_time_now (vm);
1310 u32 stats_node_index;
1311 u32 thread_index = vlib_get_thread_index ();
1313 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
1314 snat_in2out_node.index;
1316 from = vlib_frame_vector_args (frame);
1317 n_left_from = frame->n_vectors;
1318 next_index = node->cached_next_index;
1320 while (n_left_from > 0)
1324 vlib_get_next_frame (vm, node, next_index,
1325 to_next, n_left_to_next);
1327 while (n_left_from >= 4 && n_left_to_next >= 2)
1330 vlib_buffer_t * b0, * b1;
1332 u32 sw_if_index0, sw_if_index1;
1333 ip4_header_t * ip0, * ip1;
1334 ip_csum_t sum0, sum1;
1335 u32 new_addr0, old_addr0, new_addr1, old_addr1;
1336 u16 old_port0, new_port0, old_port1, new_port1;
1337 udp_header_t * udp0, * udp1;
1338 tcp_header_t * tcp0, * tcp1;
1339 icmp46_header_t * icmp0, * icmp1;
1340 snat_session_key_t key0, key1;
1341 u32 rx_fib_index0, rx_fib_index1;
1343 snat_session_t * s0 = 0, * s1 = 0;
1344 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
1345 u32 iph_offset0 = 0, iph_offset1 = 0;
1347 /* Prefetch next iteration. */
1349 vlib_buffer_t * p2, * p3;
1351 p2 = vlib_get_buffer (vm, from[2]);
1352 p3 = vlib_get_buffer (vm, from[3]);
1354 vlib_prefetch_buffer_header (p2, LOAD);
1355 vlib_prefetch_buffer_header (p3, LOAD);
1357 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1358 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1361 /* speculatively enqueue b0 and b1 to the current next frame */
1362 to_next[0] = bi0 = from[0];
1363 to_next[1] = bi1 = from[1];
1367 n_left_to_next -= 2;
1369 b0 = vlib_get_buffer (vm, bi0);
1370 b1 = vlib_get_buffer (vm, bi1);
1372 if (is_output_feature)
1373 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1375 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1378 udp0 = ip4_next_header (ip0);
1379 tcp0 = (tcp_header_t *) udp0;
1380 icmp0 = (icmp46_header_t *) udp0;
1382 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1383 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1386 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1388 if (PREDICT_FALSE(ip0->ttl == 1))
1390 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1391 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1392 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1394 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1398 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1400 /* Next configured feature, probably ip4-lookup */
1403 if (PREDICT_FALSE (proto0 == ~0))
1405 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1406 thread_index, now, vm, node);
1408 next0 = SNAT_IN2OUT_NEXT_DROP;
1412 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1414 next0 = icmp_in2out_slow_path
1415 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1416 node, next0, now, thread_index, &s0);
1422 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1424 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1428 if (ip4_is_fragment (ip0))
1430 next0 = SNAT_IN2OUT_NEXT_REASS;
1435 key0.addr = ip0->src_address;
1436 key0.port = udp0->src_port;
1437 key0.protocol = proto0;
1438 key0.fib_index = rx_fib_index0;
1440 kv0.key = key0.as_u64;
1442 if (PREDICT_FALSE (clib_bihash_search_8_8 (
1443 &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0))
1447 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1448 ip0, proto0, rx_fib_index0, thread_index)) && !is_output_feature)
1451 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1452 &s0, node, next0, thread_index);
1453 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1458 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1464 if (PREDICT_FALSE (value0.value == ~0ULL))
1468 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
1469 thread_index, now, vm, node);
1470 if (!s0 && !sm->forwarding_enabled)
1471 next0 = SNAT_IN2OUT_NEXT_DROP;
1476 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1482 s0 = pool_elt_at_index (
1483 sm->per_thread_data[thread_index].sessions,
1488 b0->flags |= VNET_BUFFER_F_IS_NATED;
1490 old_addr0 = ip0->src_address.as_u32;
1491 ip0->src_address = s0->out2in.addr;
1492 new_addr0 = ip0->src_address.as_u32;
1493 if (!is_output_feature)
1494 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1496 sum0 = ip0->checksum;
1497 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1499 src_address /* changed member */);
1500 ip0->checksum = ip_csum_fold (sum0);
1502 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1504 old_port0 = tcp0->src_port;
1505 tcp0->src_port = s0->out2in.port;
1506 new_port0 = tcp0->src_port;
1508 sum0 = tcp0->checksum;
1509 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1511 dst_address /* changed member */);
1512 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1513 ip4_header_t /* cheat */,
1514 length /* changed member */);
1515 tcp0->checksum = ip_csum_fold(sum0);
1519 old_port0 = udp0->src_port;
1520 udp0->src_port = s0->out2in.port;
1525 s0->last_heard = now;
1527 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1528 /* Per-user LRU list maintenance */
1529 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1530 s0->per_user_index);
1531 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1532 s0->per_user_list_head_index,
1533 s0->per_user_index);
1536 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1537 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1539 snat_in2out_trace_t *t =
1540 vlib_add_trace (vm, node, b0, sizeof (*t));
1541 t->is_slow_path = is_slow_path;
1542 t->sw_if_index = sw_if_index0;
1543 t->next_index = next0;
1544 t->session_index = ~0;
1546 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1549 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1551 if (is_output_feature)
1552 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1554 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1557 udp1 = ip4_next_header (ip1);
1558 tcp1 = (tcp_header_t *) udp1;
1559 icmp1 = (icmp46_header_t *) udp1;
1561 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1562 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1565 if (PREDICT_FALSE(ip1->ttl == 1))
1567 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1568 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1569 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1571 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1575 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1577 /* Next configured feature, probably ip4-lookup */
1580 if (PREDICT_FALSE (proto1 == ~0))
1582 s1 = snat_in2out_unknown_proto (sm, b1, ip1, rx_fib_index1,
1583 thread_index, now, vm, node);
1585 next1 = SNAT_IN2OUT_NEXT_DROP;
1589 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1591 next1 = icmp_in2out_slow_path
1592 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1593 next1, now, thread_index, &s1);
1599 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1601 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1605 if (ip4_is_fragment (ip1))
1607 next1 = SNAT_IN2OUT_NEXT_REASS;
1612 b1->flags |= VNET_BUFFER_F_IS_NATED;
1614 key1.addr = ip1->src_address;
1615 key1.port = udp1->src_port;
1616 key1.protocol = proto1;
1617 key1.fib_index = rx_fib_index1;
1619 kv1.key = key1.as_u64;
1621 if (PREDICT_FALSE(clib_bihash_search_8_8 (
1622 &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0))
1626 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1,
1627 ip1, proto1, rx_fib_index1, thread_index)) && !is_output_feature)
1630 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1631 &s1, node, next1, thread_index);
1632 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1637 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1643 if (PREDICT_FALSE (value1.value == ~0ULL))
1647 s1 = snat_in2out_lb(sm, b1, ip1, rx_fib_index1,
1648 thread_index, now, vm, node);
1649 if (!s1 && !sm->forwarding_enabled)
1650 next1 = SNAT_IN2OUT_NEXT_DROP;
1655 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1661 s1 = pool_elt_at_index (
1662 sm->per_thread_data[thread_index].sessions,
1667 old_addr1 = ip1->src_address.as_u32;
1668 ip1->src_address = s1->out2in.addr;
1669 new_addr1 = ip1->src_address.as_u32;
1670 if (!is_output_feature)
1671 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1673 sum1 = ip1->checksum;
1674 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1676 src_address /* changed member */);
1677 ip1->checksum = ip_csum_fold (sum1);
1679 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1681 old_port1 = tcp1->src_port;
1682 tcp1->src_port = s1->out2in.port;
1683 new_port1 = tcp1->src_port;
1685 sum1 = tcp1->checksum;
1686 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1688 dst_address /* changed member */);
1689 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1690 ip4_header_t /* cheat */,
1691 length /* changed member */);
1692 tcp1->checksum = ip_csum_fold(sum1);
1696 old_port1 = udp1->src_port;
1697 udp1->src_port = s1->out2in.port;
1702 s1->last_heard = now;
1704 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1705 /* Per-user LRU list maintenance */
1706 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1707 s1->per_user_index);
1708 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1709 s1->per_user_list_head_index,
1710 s1->per_user_index);
1713 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1714 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1716 snat_in2out_trace_t *t =
1717 vlib_add_trace (vm, node, b1, sizeof (*t));
1718 t->sw_if_index = sw_if_index1;
1719 t->next_index = next1;
1720 t->session_index = ~0;
1722 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1725 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1727 /* verify speculative enqueues, maybe switch current next frame */
1728 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1729 to_next, n_left_to_next,
1730 bi0, bi1, next0, next1);
1733 while (n_left_from > 0 && n_left_to_next > 0)
1741 u32 new_addr0, old_addr0;
1742 u16 old_port0, new_port0;
1743 udp_header_t * udp0;
1744 tcp_header_t * tcp0;
1745 icmp46_header_t * icmp0;
1746 snat_session_key_t key0;
1749 snat_session_t * s0 = 0;
1750 clib_bihash_kv_8_8_t kv0, value0;
1751 u32 iph_offset0 = 0;
1753 /* speculatively enqueue b0 to the current next frame */
1759 n_left_to_next -= 1;
1761 b0 = vlib_get_buffer (vm, bi0);
1762 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1764 if (is_output_feature)
1765 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1767 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1770 udp0 = ip4_next_header (ip0);
1771 tcp0 = (tcp_header_t *) udp0;
1772 icmp0 = (icmp46_header_t *) udp0;
1774 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1775 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1778 if (PREDICT_FALSE(ip0->ttl == 1))
1780 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1781 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1782 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1784 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1788 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1790 /* Next configured feature, probably ip4-lookup */
1793 if (PREDICT_FALSE (proto0 == ~0))
1795 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1796 thread_index, now, vm, node);
1798 next0 = SNAT_IN2OUT_NEXT_DROP;
1802 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1804 next0 = icmp_in2out_slow_path
1805 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1806 next0, now, thread_index, &s0);
1812 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1814 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1818 if (ip4_is_fragment (ip0))
1820 next0 = SNAT_IN2OUT_NEXT_REASS;
1825 key0.addr = ip0->src_address;
1826 key0.port = udp0->src_port;
1827 key0.protocol = proto0;
1828 key0.fib_index = rx_fib_index0;
1830 kv0.key = key0.as_u64;
1832 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out,
1837 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1838 ip0, proto0, rx_fib_index0, thread_index)) && !is_output_feature)
1841 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1842 &s0, node, next0, thread_index);
1844 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1849 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1855 if (PREDICT_FALSE (value0.value == ~0ULL))
1859 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
1860 thread_index, now, vm, node);
1861 if (!s0 && !sm->forwarding_enabled)
1862 next0 = SNAT_IN2OUT_NEXT_DROP;
1867 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1873 s0 = pool_elt_at_index (
1874 sm->per_thread_data[thread_index].sessions,
1879 b0->flags |= VNET_BUFFER_F_IS_NATED;
1881 old_addr0 = ip0->src_address.as_u32;
1882 ip0->src_address = s0->out2in.addr;
1883 new_addr0 = ip0->src_address.as_u32;
1884 if (!is_output_feature)
1885 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1887 sum0 = ip0->checksum;
1888 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1890 src_address /* changed member */);
1891 ip0->checksum = ip_csum_fold (sum0);
1893 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1895 old_port0 = tcp0->src_port;
1896 tcp0->src_port = s0->out2in.port;
1897 new_port0 = tcp0->src_port;
1899 sum0 = tcp0->checksum;
1900 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1902 dst_address /* changed member */);
1903 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1904 ip4_header_t /* cheat */,
1905 length /* changed member */);
1906 tcp0->checksum = ip_csum_fold(sum0);
1910 old_port0 = udp0->src_port;
1911 udp0->src_port = s0->out2in.port;
1916 s0->last_heard = now;
1918 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1919 /* Per-user LRU list maintenance */
1920 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1921 s0->per_user_index);
1922 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1923 s0->per_user_list_head_index,
1924 s0->per_user_index);
1927 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1928 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1930 snat_in2out_trace_t *t =
1931 vlib_add_trace (vm, node, b0, sizeof (*t));
1932 t->is_slow_path = is_slow_path;
1933 t->sw_if_index = sw_if_index0;
1934 t->next_index = next0;
1935 t->session_index = ~0;
1937 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1940 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1942 /* verify speculative enqueue, maybe switch current next frame */
1943 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1944 to_next, n_left_to_next,
1948 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1951 vlib_node_increment_counter (vm, stats_node_index,
1952 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1954 return frame->n_vectors;
1958 snat_in2out_fast_path_fn (vlib_main_t * vm,
1959 vlib_node_runtime_t * node,
1960 vlib_frame_t * frame)
1962 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0);
1965 VLIB_REGISTER_NODE (snat_in2out_node) = {
1966 .function = snat_in2out_fast_path_fn,
1967 .name = "nat44-in2out",
1968 .vector_size = sizeof (u32),
1969 .format_trace = format_snat_in2out_trace,
1970 .type = VLIB_NODE_TYPE_INTERNAL,
1972 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1973 .error_strings = snat_in2out_error_strings,
1975 .runtime_data_bytes = sizeof (snat_runtime_t),
1977 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1979 /* edit / add dispositions here */
1981 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1982 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1983 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1984 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1985 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1989 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
1992 snat_in2out_output_fast_path_fn (vlib_main_t * vm,
1993 vlib_node_runtime_t * node,
1994 vlib_frame_t * frame)
1996 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1);
1999 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
2000 .function = snat_in2out_output_fast_path_fn,
2001 .name = "nat44-in2out-output",
2002 .vector_size = sizeof (u32),
2003 .format_trace = format_snat_in2out_trace,
2004 .type = VLIB_NODE_TYPE_INTERNAL,
2006 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2007 .error_strings = snat_in2out_error_strings,
2009 .runtime_data_bytes = sizeof (snat_runtime_t),
2011 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2013 /* edit / add dispositions here */
2015 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2016 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2017 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2018 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2019 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2023 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node,
2024 snat_in2out_output_fast_path_fn);
2027 snat_in2out_slow_path_fn (vlib_main_t * vm,
2028 vlib_node_runtime_t * node,
2029 vlib_frame_t * frame)
2031 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0);
2034 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
2035 .function = snat_in2out_slow_path_fn,
2036 .name = "nat44-in2out-slowpath",
2037 .vector_size = sizeof (u32),
2038 .format_trace = format_snat_in2out_trace,
2039 .type = VLIB_NODE_TYPE_INTERNAL,
2041 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2042 .error_strings = snat_in2out_error_strings,
2044 .runtime_data_bytes = sizeof (snat_runtime_t),
2046 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2048 /* edit / add dispositions here */
2050 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2051 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2052 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2053 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2054 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2058 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node,
2059 snat_in2out_slow_path_fn);
2062 snat_in2out_output_slow_path_fn (vlib_main_t * vm,
2063 vlib_node_runtime_t * node,
2064 vlib_frame_t * frame)
2066 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1);
2069 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
2070 .function = snat_in2out_output_slow_path_fn,
2071 .name = "nat44-in2out-output-slowpath",
2072 .vector_size = sizeof (u32),
2073 .format_trace = format_snat_in2out_trace,
2074 .type = VLIB_NODE_TYPE_INTERNAL,
2076 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2077 .error_strings = snat_in2out_error_strings,
2079 .runtime_data_bytes = sizeof (snat_runtime_t),
2081 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2083 /* edit / add dispositions here */
2085 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2086 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2087 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2088 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2089 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2093 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node,
2094 snat_in2out_output_slow_path_fn);
2096 extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local;
2099 nat44_hairpinning_fn (vlib_main_t * vm,
2100 vlib_node_runtime_t * node,
2101 vlib_frame_t * frame)
2103 u32 n_left_from, * from, * to_next;
2104 snat_in2out_next_t next_index;
2105 u32 pkts_processed = 0;
2106 snat_main_t * sm = &snat_main;
2107 vnet_feature_main_t *fm = &feature_main;
2108 u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index;
2109 vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index];
2111 from = vlib_frame_vector_args (frame);
2112 n_left_from = frame->n_vectors;
2113 next_index = node->cached_next_index;
2115 while (n_left_from > 0)
2119 vlib_get_next_frame (vm, node, next_index,
2120 to_next, n_left_to_next);
2122 while (n_left_from > 0 && n_left_to_next > 0)
2129 udp_header_t * udp0;
2130 tcp_header_t * tcp0;
2132 /* speculatively enqueue b0 to the current next frame */
2138 n_left_to_next -= 1;
2140 b0 = vlib_get_buffer (vm, bi0);
2141 ip0 = vlib_buffer_get_current (b0);
2142 udp0 = ip4_next_header (ip0);
2143 tcp0 = (tcp_header_t *) udp0;
2145 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2147 vnet_get_config_data (&cm->config_main, &b0->current_config_index,
2150 if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0))
2151 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2153 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2155 /* verify speculative enqueue, maybe switch current next frame */
2156 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2157 to_next, n_left_to_next,
2161 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2164 vlib_node_increment_counter (vm, nat44_hairpinning_node.index,
2165 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2167 return frame->n_vectors;
2170 VLIB_REGISTER_NODE (nat44_hairpinning_node) = {
2171 .function = nat44_hairpinning_fn,
2172 .name = "nat44-hairpinning",
2173 .vector_size = sizeof (u32),
2174 .type = VLIB_NODE_TYPE_INTERNAL,
2175 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2176 .error_strings = snat_in2out_error_strings,
2179 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2180 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2184 VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node,
2185 nat44_hairpinning_fn);
2188 nat44_reass_hairpinning (snat_main_t *sm,
2195 snat_session_key_t key0, sm0;
2196 snat_session_t * s0;
2197 clib_bihash_kv_8_8_t kv0, value0;
2199 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
2200 u16 new_dst_port0, old_dst_port0;
2201 udp_header_t * udp0;
2202 tcp_header_t * tcp0;
2204 key0.addr = ip0->dst_address;
2206 key0.protocol = proto0;
2207 key0.fib_index = sm->outside_fib_index;
2208 kv0.key = key0.as_u64;
2210 udp0 = ip4_next_header (ip0);
2212 /* Check if destination is static mappings */
2213 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
2215 new_dst_addr0 = sm0.addr.as_u32;
2216 new_dst_port0 = sm0.port;
2217 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2219 /* or active sessions */
2222 if (sm->num_workers > 1)
2223 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
2225 ti = sm->num_workers;
2227 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
2230 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
2231 new_dst_addr0 = s0->in2out.addr.as_u32;
2232 new_dst_port0 = s0->in2out.port;
2233 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2237 /* Destination is behind the same NAT, use internal address and port */
2240 old_dst_addr0 = ip0->dst_address.as_u32;
2241 ip0->dst_address.as_u32 = new_dst_addr0;
2242 sum0 = ip0->checksum;
2243 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2244 ip4_header_t, dst_address);
2245 ip0->checksum = ip_csum_fold (sum0);
2247 old_dst_port0 = dport;
2248 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0 &&
2249 ip4_is_first_fragment (ip0)))
2251 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2253 tcp0 = ip4_next_header (ip0);
2254 tcp0->dst = new_dst_port0;
2255 sum0 = tcp0->checksum;
2256 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2257 ip4_header_t, dst_address);
2258 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
2259 ip4_header_t /* cheat */, length);
2260 tcp0->checksum = ip_csum_fold(sum0);
2264 udp0->dst_port = new_dst_port0;
2270 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2272 tcp0 = ip4_next_header (ip0);
2273 sum0 = tcp0->checksum;
2274 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2275 ip4_header_t, dst_address);
2276 tcp0->checksum = ip_csum_fold(sum0);
2283 nat44_in2out_reass_node_fn (vlib_main_t * vm,
2284 vlib_node_runtime_t * node,
2285 vlib_frame_t * frame)
2287 u32 n_left_from, *from, *to_next;
2288 snat_in2out_next_t next_index;
2289 u32 pkts_processed = 0;
2290 snat_main_t *sm = &snat_main;
2291 f64 now = vlib_time_now (vm);
2292 u32 thread_index = vlib_get_thread_index ();
2293 snat_main_per_thread_data_t *per_thread_data =
2294 &sm->per_thread_data[thread_index];
2295 u32 *fragments_to_drop = 0;
2296 u32 *fragments_to_loopback = 0;
2298 from = vlib_frame_vector_args (frame);
2299 n_left_from = frame->n_vectors;
2300 next_index = node->cached_next_index;
2302 while (n_left_from > 0)
2306 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2308 while (n_left_from > 0 && n_left_to_next > 0)
2310 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
2315 nat_reass_ip4_t *reass0;
2316 udp_header_t * udp0;
2317 tcp_header_t * tcp0;
2318 snat_session_key_t key0;
2319 clib_bihash_kv_8_8_t kv0, value0;
2320 snat_session_t * s0 = 0;
2321 u16 old_port0, new_port0;
2324 /* speculatively enqueue b0 to the current next frame */
2330 n_left_to_next -= 1;
2332 b0 = vlib_get_buffer (vm, bi0);
2333 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2335 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2336 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2339 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
2341 next0 = SNAT_IN2OUT_NEXT_DROP;
2342 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
2346 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
2347 udp0 = ip4_next_header (ip0);
2348 tcp0 = (tcp_header_t *) udp0;
2349 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2351 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
2356 &fragments_to_drop);
2358 if (PREDICT_FALSE (!reass0))
2360 next0 = SNAT_IN2OUT_NEXT_DROP;
2361 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
2365 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2367 key0.addr = ip0->src_address;
2368 key0.port = udp0->src_port;
2369 key0.protocol = proto0;
2370 key0.fib_index = rx_fib_index0;
2371 kv0.key = key0.as_u64;
2373 if (clib_bihash_search_8_8 (&per_thread_data->in2out, &kv0, &value0))
2375 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2376 ip0, proto0, rx_fib_index0, thread_index)))
2379 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2380 &s0, node, next0, thread_index);
2382 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2385 reass0->sess_index = s0 - per_thread_data->sessions;
2389 s0 = pool_elt_at_index (per_thread_data->sessions,
2391 reass0->sess_index = value0.value;
2393 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
2397 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
2399 if (nat_ip4_reass_add_fragment (reass0, bi0))
2401 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
2402 next0 = SNAT_IN2OUT_NEXT_DROP;
2408 s0 = pool_elt_at_index (per_thread_data->sessions,
2409 reass0->sess_index);
2412 old_addr0 = ip0->src_address.as_u32;
2413 ip0->src_address = s0->out2in.addr;
2414 new_addr0 = ip0->src_address.as_u32;
2415 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2417 sum0 = ip0->checksum;
2418 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2420 src_address /* changed member */);
2421 ip0->checksum = ip_csum_fold (sum0);
2423 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2425 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2427 old_port0 = tcp0->src_port;
2428 tcp0->src_port = s0->out2in.port;
2429 new_port0 = tcp0->src_port;
2431 sum0 = tcp0->checksum;
2432 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2434 dst_address /* changed member */);
2435 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2436 ip4_header_t /* cheat */,
2437 length /* changed member */);
2438 tcp0->checksum = ip_csum_fold(sum0);
2442 old_port0 = udp0->src_port;
2443 udp0->src_port = s0->out2in.port;
2449 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
2450 s0->ext_host_port, proto0);
2453 s0->last_heard = now;
2455 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2456 /* Per-user LRU list maintenance */
2457 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2458 s0->per_user_index);
2459 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2460 s0->per_user_list_head_index,
2461 s0->per_user_index);
2464 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2465 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2467 nat44_in2out_reass_trace_t *t =
2468 vlib_add_trace (vm, node, b0, sizeof (*t));
2469 t->cached = cached0;
2470 t->sw_if_index = sw_if_index0;
2471 t->next_index = next0;
2481 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2483 /* verify speculative enqueue, maybe switch current next frame */
2484 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2485 to_next, n_left_to_next,
2489 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2491 from = vlib_frame_vector_args (frame);
2492 u32 len = vec_len (fragments_to_loopback);
2493 if (len <= VLIB_FRAME_SIZE)
2495 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2497 vec_reset_length (fragments_to_loopback);
2502 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2503 sizeof (u32) * VLIB_FRAME_SIZE);
2504 n_left_from = VLIB_FRAME_SIZE;
2505 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2510 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2513 vlib_node_increment_counter (vm, nat44_in2out_reass_node.index,
2514 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2517 nat_send_all_to_node (vm, fragments_to_drop, node,
2518 &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
2519 SNAT_IN2OUT_NEXT_DROP);
2521 vec_free (fragments_to_drop);
2522 vec_free (fragments_to_loopback);
2523 return frame->n_vectors;
2526 VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
2527 .function = nat44_in2out_reass_node_fn,
2528 .name = "nat44-in2out-reass",
2529 .vector_size = sizeof (u32),
2530 .format_trace = format_nat44_in2out_reass_trace,
2531 .type = VLIB_NODE_TYPE_INTERNAL,
2533 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2534 .error_strings = snat_in2out_error_strings,
2536 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2538 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2539 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2540 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2541 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2542 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2546 VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node,
2547 nat44_in2out_reass_node_fn);
2549 /**************************/
2550 /*** deterministic mode ***/
2551 /**************************/
2553 snat_det_in2out_node_fn (vlib_main_t * vm,
2554 vlib_node_runtime_t * node,
2555 vlib_frame_t * frame)
2557 u32 n_left_from, * from, * to_next;
2558 snat_in2out_next_t next_index;
2559 u32 pkts_processed = 0;
2560 snat_main_t * sm = &snat_main;
2561 u32 now = (u32) vlib_time_now (vm);
2562 u32 thread_index = vlib_get_thread_index ();
2564 from = vlib_frame_vector_args (frame);
2565 n_left_from = frame->n_vectors;
2566 next_index = node->cached_next_index;
2568 while (n_left_from > 0)
2572 vlib_get_next_frame (vm, node, next_index,
2573 to_next, n_left_to_next);
2575 while (n_left_from >= 4 && n_left_to_next >= 2)
2578 vlib_buffer_t * b0, * b1;
2580 u32 sw_if_index0, sw_if_index1;
2581 ip4_header_t * ip0, * ip1;
2582 ip_csum_t sum0, sum1;
2583 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2584 u16 old_port0, new_port0, lo_port0, i0;
2585 u16 old_port1, new_port1, lo_port1, i1;
2586 udp_header_t * udp0, * udp1;
2587 tcp_header_t * tcp0, * tcp1;
2589 snat_det_out_key_t key0, key1;
2590 snat_det_map_t * dm0, * dm1;
2591 snat_det_session_t * ses0 = 0, * ses1 = 0;
2592 u32 rx_fib_index0, rx_fib_index1;
2593 icmp46_header_t * icmp0, * icmp1;
2595 /* Prefetch next iteration. */
2597 vlib_buffer_t * p2, * p3;
2599 p2 = vlib_get_buffer (vm, from[2]);
2600 p3 = vlib_get_buffer (vm, from[3]);
2602 vlib_prefetch_buffer_header (p2, LOAD);
2603 vlib_prefetch_buffer_header (p3, LOAD);
2605 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2606 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2609 /* speculatively enqueue b0 and b1 to the current next frame */
2610 to_next[0] = bi0 = from[0];
2611 to_next[1] = bi1 = from[1];
2615 n_left_to_next -= 2;
2617 b0 = vlib_get_buffer (vm, bi0);
2618 b1 = vlib_get_buffer (vm, bi1);
2620 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2621 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
2623 ip0 = vlib_buffer_get_current (b0);
2624 udp0 = ip4_next_header (ip0);
2625 tcp0 = (tcp_header_t *) udp0;
2627 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2629 if (PREDICT_FALSE(ip0->ttl == 1))
2631 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2632 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2633 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2635 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2639 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2641 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2643 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2644 icmp0 = (icmp46_header_t *) udp0;
2646 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2647 rx_fib_index0, node, next0, thread_index,
2652 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2653 if (PREDICT_FALSE(!dm0))
2655 clib_warning("no match for internal host %U",
2656 format_ip4_address, &ip0->src_address);
2657 next0 = SNAT_IN2OUT_NEXT_DROP;
2658 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2662 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2664 key0.ext_host_addr = ip0->dst_address;
2665 key0.ext_host_port = tcp0->dst;
2667 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2668 if (PREDICT_FALSE(!ses0))
2670 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2672 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2673 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
2675 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
2678 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
2681 if (PREDICT_FALSE(!ses0))
2683 /* too many sessions for user, send ICMP error packet */
2685 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2686 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
2687 ICMP4_destination_unreachable_destination_unreachable_host,
2689 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2694 new_port0 = ses0->out.out_port;
2696 old_addr0.as_u32 = ip0->src_address.as_u32;
2697 ip0->src_address.as_u32 = new_addr0.as_u32;
2698 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2700 sum0 = ip0->checksum;
2701 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2703 src_address /* changed member */);
2704 ip0->checksum = ip_csum_fold (sum0);
2706 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2708 if (tcp0->flags & TCP_FLAG_SYN)
2709 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
2710 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
2711 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2712 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2713 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
2714 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
2715 snat_det_ses_close(dm0, ses0);
2716 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2717 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
2718 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
2719 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2721 old_port0 = tcp0->src;
2722 tcp0->src = new_port0;
2724 sum0 = tcp0->checksum;
2725 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2727 dst_address /* changed member */);
2728 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2729 ip4_header_t /* cheat */,
2730 length /* changed member */);
2731 tcp0->checksum = ip_csum_fold(sum0);
2735 ses0->state = SNAT_SESSION_UDP_ACTIVE;
2736 old_port0 = udp0->src_port;
2737 udp0->src_port = new_port0;
2743 case SNAT_SESSION_UDP_ACTIVE:
2744 ses0->expire = now + sm->udp_timeout;
2746 case SNAT_SESSION_TCP_SYN_SENT:
2747 case SNAT_SESSION_TCP_FIN_WAIT:
2748 case SNAT_SESSION_TCP_CLOSE_WAIT:
2749 case SNAT_SESSION_TCP_LAST_ACK:
2750 ses0->expire = now + sm->tcp_transitory_timeout;
2752 case SNAT_SESSION_TCP_ESTABLISHED:
2753 ses0->expire = now + sm->tcp_established_timeout;
2758 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2759 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2761 snat_in2out_trace_t *t =
2762 vlib_add_trace (vm, node, b0, sizeof (*t));
2763 t->is_slow_path = 0;
2764 t->sw_if_index = sw_if_index0;
2765 t->next_index = next0;
2766 t->session_index = ~0;
2768 t->session_index = ses0 - dm0->sessions;
2771 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2773 ip1 = vlib_buffer_get_current (b1);
2774 udp1 = ip4_next_header (ip1);
2775 tcp1 = (tcp_header_t *) udp1;
2777 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2779 if (PREDICT_FALSE(ip1->ttl == 1))
2781 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2782 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2783 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2785 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2789 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2791 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2793 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2794 icmp1 = (icmp46_header_t *) udp1;
2796 next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
2797 rx_fib_index1, node, next1, thread_index,
2802 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
2803 if (PREDICT_FALSE(!dm1))
2805 clib_warning("no match for internal host %U",
2806 format_ip4_address, &ip0->src_address);
2807 next1 = SNAT_IN2OUT_NEXT_DROP;
2808 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2812 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
2814 key1.ext_host_addr = ip1->dst_address;
2815 key1.ext_host_port = tcp1->dst;
2817 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
2818 if (PREDICT_FALSE(!ses1))
2820 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
2822 key1.out_port = clib_host_to_net_u16 (lo_port1 +
2823 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
2825 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
2828 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
2831 if (PREDICT_FALSE(!ses1))
2833 /* too many sessions for user, send ICMP error packet */
2835 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2836 icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
2837 ICMP4_destination_unreachable_destination_unreachable_host,
2839 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2844 new_port1 = ses1->out.out_port;
2846 old_addr1.as_u32 = ip1->src_address.as_u32;
2847 ip1->src_address.as_u32 = new_addr1.as_u32;
2848 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2850 sum1 = ip1->checksum;
2851 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2853 src_address /* changed member */);
2854 ip1->checksum = ip_csum_fold (sum1);
2856 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2858 if (tcp1->flags & TCP_FLAG_SYN)
2859 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
2860 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
2861 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
2862 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2863 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
2864 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
2865 snat_det_ses_close(dm1, ses1);
2866 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2867 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
2868 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
2869 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
2871 old_port1 = tcp1->src;
2872 tcp1->src = new_port1;
2874 sum1 = tcp1->checksum;
2875 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2877 dst_address /* changed member */);
2878 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2879 ip4_header_t /* cheat */,
2880 length /* changed member */);
2881 tcp1->checksum = ip_csum_fold(sum1);
2885 ses1->state = SNAT_SESSION_UDP_ACTIVE;
2886 old_port1 = udp1->src_port;
2887 udp1->src_port = new_port1;
2893 case SNAT_SESSION_UDP_ACTIVE:
2894 ses1->expire = now + sm->udp_timeout;
2896 case SNAT_SESSION_TCP_SYN_SENT:
2897 case SNAT_SESSION_TCP_FIN_WAIT:
2898 case SNAT_SESSION_TCP_CLOSE_WAIT:
2899 case SNAT_SESSION_TCP_LAST_ACK:
2900 ses1->expire = now + sm->tcp_transitory_timeout;
2902 case SNAT_SESSION_TCP_ESTABLISHED:
2903 ses1->expire = now + sm->tcp_established_timeout;
2908 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2909 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2911 snat_in2out_trace_t *t =
2912 vlib_add_trace (vm, node, b1, sizeof (*t));
2913 t->is_slow_path = 0;
2914 t->sw_if_index = sw_if_index1;
2915 t->next_index = next1;
2916 t->session_index = ~0;
2918 t->session_index = ses1 - dm1->sessions;
2921 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
2923 /* verify speculative enqueues, maybe switch current next frame */
2924 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2925 to_next, n_left_to_next,
2926 bi0, bi1, next0, next1);
2929 while (n_left_from > 0 && n_left_to_next > 0)
2937 ip4_address_t new_addr0, old_addr0;
2938 u16 old_port0, new_port0, lo_port0, i0;
2939 udp_header_t * udp0;
2940 tcp_header_t * tcp0;
2942 snat_det_out_key_t key0;
2943 snat_det_map_t * dm0;
2944 snat_det_session_t * ses0 = 0;
2946 icmp46_header_t * icmp0;
2948 /* speculatively enqueue b0 to the current next frame */
2954 n_left_to_next -= 1;
2956 b0 = vlib_get_buffer (vm, bi0);
2957 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2959 ip0 = vlib_buffer_get_current (b0);
2960 udp0 = ip4_next_header (ip0);
2961 tcp0 = (tcp_header_t *) udp0;
2963 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2965 if (PREDICT_FALSE(ip0->ttl == 1))
2967 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2968 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2969 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2971 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2975 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2977 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2979 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2980 icmp0 = (icmp46_header_t *) udp0;
2982 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2983 rx_fib_index0, node, next0, thread_index,
2988 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2989 if (PREDICT_FALSE(!dm0))
2991 clib_warning("no match for internal host %U",
2992 format_ip4_address, &ip0->src_address);
2993 next0 = SNAT_IN2OUT_NEXT_DROP;
2994 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2998 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
3000 key0.ext_host_addr = ip0->dst_address;
3001 key0.ext_host_port = tcp0->dst;
3003 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
3004 if (PREDICT_FALSE(!ses0))
3006 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3008 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3009 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
3011 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
3014 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
3017 if (PREDICT_FALSE(!ses0))
3019 /* too many sessions for user, send ICMP error packet */
3021 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3022 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
3023 ICMP4_destination_unreachable_destination_unreachable_host,
3025 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3030 new_port0 = ses0->out.out_port;
3032 old_addr0.as_u32 = ip0->src_address.as_u32;
3033 ip0->src_address.as_u32 = new_addr0.as_u32;
3034 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3036 sum0 = ip0->checksum;
3037 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3039 src_address /* changed member */);
3040 ip0->checksum = ip_csum_fold (sum0);
3042 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3044 if (tcp0->flags & TCP_FLAG_SYN)
3045 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
3046 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
3047 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3048 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
3049 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
3050 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
3051 snat_det_ses_close(dm0, ses0);
3052 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3053 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
3054 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
3055 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3057 old_port0 = tcp0->src;
3058 tcp0->src = new_port0;
3060 sum0 = tcp0->checksum;
3061 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3063 dst_address /* changed member */);
3064 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3065 ip4_header_t /* cheat */,
3066 length /* changed member */);
3067 tcp0->checksum = ip_csum_fold(sum0);
3071 ses0->state = SNAT_SESSION_UDP_ACTIVE;
3072 old_port0 = udp0->src_port;
3073 udp0->src_port = new_port0;
3079 case SNAT_SESSION_UDP_ACTIVE:
3080 ses0->expire = now + sm->udp_timeout;
3082 case SNAT_SESSION_TCP_SYN_SENT:
3083 case SNAT_SESSION_TCP_FIN_WAIT:
3084 case SNAT_SESSION_TCP_CLOSE_WAIT:
3085 case SNAT_SESSION_TCP_LAST_ACK:
3086 ses0->expire = now + sm->tcp_transitory_timeout;
3088 case SNAT_SESSION_TCP_ESTABLISHED:
3089 ses0->expire = now + sm->tcp_established_timeout;
3094 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3095 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3097 snat_in2out_trace_t *t =
3098 vlib_add_trace (vm, node, b0, sizeof (*t));
3099 t->is_slow_path = 0;
3100 t->sw_if_index = sw_if_index0;
3101 t->next_index = next0;
3102 t->session_index = ~0;
3104 t->session_index = ses0 - dm0->sessions;
3107 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3109 /* verify speculative enqueue, maybe switch current next frame */
3110 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3111 to_next, n_left_to_next,
3115 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3118 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
3119 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3121 return frame->n_vectors;
3124 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
3125 .function = snat_det_in2out_node_fn,
3126 .name = "nat44-det-in2out",
3127 .vector_size = sizeof (u32),
3128 .format_trace = format_snat_in2out_trace,
3129 .type = VLIB_NODE_TYPE_INTERNAL,
3131 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3132 .error_strings = snat_in2out_error_strings,
3134 .runtime_data_bytes = sizeof (snat_runtime_t),
3138 /* edit / add dispositions here */
3140 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3141 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3142 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3146 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
3149 * Get address and port values to be used for ICMP packet translation
3150 * and create session if needed
3152 * @param[in,out] sm NAT main
3153 * @param[in,out] node NAT node runtime
3154 * @param[in] thread_index thread index
3155 * @param[in,out] b0 buffer containing packet to be translated
3156 * @param[out] p_proto protocol used for matching
3157 * @param[out] p_value address and port after NAT translation
3158 * @param[out] p_dont_translate if packet should not be translated
3159 * @param d optional parameter
3160 * @param e optional parameter
3162 u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
3163 u32 thread_index, vlib_buffer_t *b0,
3164 ip4_header_t *ip0, u8 *p_proto,
3165 snat_session_key_t *p_value,
3166 u8 *p_dont_translate, void *d, void *e)
3168 icmp46_header_t *icmp0;
3172 snat_det_out_key_t key0;
3173 u8 dont_translate = 0;
3175 icmp_echo_header_t *echo0, *inner_echo0 = 0;
3176 ip4_header_t *inner_ip0;
3177 void *l4_header = 0;
3178 icmp46_header_t *inner_icmp0;
3179 snat_det_map_t * dm0 = 0;
3180 ip4_address_t new_addr0;
3182 snat_det_session_t * ses0 = 0;
3183 ip4_address_t in_addr;
3186 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
3187 echo0 = (icmp_echo_header_t *)(icmp0+1);
3188 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3189 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
3191 if (!icmp_is_error_message (icmp0))
3193 protocol = SNAT_PROTOCOL_ICMP;
3194 in_addr = ip0->src_address;
3195 in_port = echo0->identifier;
3199 inner_ip0 = (ip4_header_t *)(echo0+1);
3200 l4_header = ip4_next_header (inner_ip0);
3201 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
3202 in_addr = inner_ip0->dst_address;
3205 case SNAT_PROTOCOL_ICMP:
3206 inner_icmp0 = (icmp46_header_t*)l4_header;
3207 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
3208 in_port = inner_echo0->identifier;
3210 case SNAT_PROTOCOL_UDP:
3211 case SNAT_PROTOCOL_TCP:
3212 in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
3215 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
3216 next0 = SNAT_IN2OUT_NEXT_DROP;
3221 dm0 = snat_det_map_by_user(sm, &in_addr);
3222 if (PREDICT_FALSE(!dm0))
3224 clib_warning("no match for internal host %U",
3225 format_ip4_address, &in_addr);
3226 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3227 IP_PROTOCOL_ICMP, rx_fib_index0)))
3232 next0 = SNAT_IN2OUT_NEXT_DROP;
3233 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3237 snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
3239 key0.ext_host_addr = ip0->dst_address;
3240 key0.ext_host_port = 0;
3242 ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
3243 if (PREDICT_FALSE(!ses0))
3245 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3246 IP_PROTOCOL_ICMP, rx_fib_index0)))
3251 if (icmp0->type != ICMP4_echo_request)
3253 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3254 next0 = SNAT_IN2OUT_NEXT_DROP;
3257 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3259 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3260 ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host));
3262 if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64))
3265 ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0);
3268 if (PREDICT_FALSE(!ses0))
3270 next0 = SNAT_IN2OUT_NEXT_DROP;
3271 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
3276 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
3277 !icmp_is_error_message (icmp0)))
3279 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3280 next0 = SNAT_IN2OUT_NEXT_DROP;
3284 u32 now = (u32) vlib_time_now (sm->vlib_main);
3286 ses0->state = SNAT_SESSION_ICMP_ACTIVE;
3287 ses0->expire = now + sm->icmp_timeout;
3290 *p_proto = protocol;
3293 p_value->addr = new_addr0;
3294 p_value->fib_index = sm->outside_fib_index;
3295 p_value->port = ses0->out.out_port;
3297 *p_dont_translate = dont_translate;
3299 *(snat_det_session_t**)d = ses0;
3301 *(snat_det_map_t**)e = dm0;
3305 /**********************/
3306 /*** worker handoff ***/
3307 /**********************/
3309 snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm,
3310 vlib_node_runtime_t * node,
3311 vlib_frame_t * frame,
3314 snat_main_t *sm = &snat_main;
3315 vlib_thread_main_t *tm = vlib_get_thread_main ();
3316 u32 n_left_from, *from, *to_next = 0;
3317 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3318 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3320 vlib_frame_queue_elt_t *hf = 0;
3321 vlib_frame_t *f = 0;
3323 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3324 u32 next_worker_index = 0;
3325 u32 current_worker_index = ~0;
3326 u32 thread_index = vlib_get_thread_index ();
3330 ASSERT (vec_len (sm->workers));
3334 fq_index = sm->fq_in2out_output_index;
3335 to_node_index = sm->in2out_output_node_index;
3339 fq_index = sm->fq_in2out_index;
3340 to_node_index = sm->in2out_node_index;
3343 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3345 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3347 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3348 sm->first_worker_index + sm->num_workers - 1,
3349 (vlib_frame_queue_t *) (~0));
3352 from = vlib_frame_vector_args (frame);
3353 n_left_from = frame->n_vectors;
3355 while (n_left_from > 0)
3368 b0 = vlib_get_buffer (vm, bi0);
3370 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3371 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3373 ip0 = vlib_buffer_get_current (b0);
3375 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
3377 if (PREDICT_FALSE (next_worker_index != thread_index))
3381 if (next_worker_index != current_worker_index)
3384 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3386 hf = vlib_get_worker_handoff_queue_elt (fq_index,
3388 handoff_queue_elt_by_worker_index);
3390 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3391 to_next_worker = &hf->buffer_index[hf->n_vectors];
3392 current_worker_index = next_worker_index;
3395 /* enqueue to correct worker thread */
3396 to_next_worker[0] = bi0;
3398 n_left_to_next_worker--;
3400 if (n_left_to_next_worker == 0)
3402 hf->n_vectors = VLIB_FRAME_SIZE;
3403 vlib_put_frame_queue_elt (hf);
3404 current_worker_index = ~0;
3405 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3412 /* if this is 1st frame */
3415 f = vlib_get_frame_to_node (vm, to_node_index);
3416 to_next = vlib_frame_vector_args (f);
3424 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3425 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3427 snat_in2out_worker_handoff_trace_t *t =
3428 vlib_add_trace (vm, node, b0, sizeof (*t));
3429 t->next_worker_index = next_worker_index;
3430 t->do_handoff = do_handoff;
3435 vlib_put_frame_to_node (vm, to_node_index, f);
3438 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3440 /* Ship frames to the worker nodes */
3441 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3443 if (handoff_queue_elt_by_worker_index[i])
3445 hf = handoff_queue_elt_by_worker_index[i];
3447 * It works better to let the handoff node
3448 * rate-adapt, always ship the handoff queue element.
3450 if (1 || hf->n_vectors == hf->last_n_vectors)
3452 vlib_put_frame_queue_elt (hf);
3453 handoff_queue_elt_by_worker_index[i] = 0;
3456 hf->last_n_vectors = hf->n_vectors;
3458 congested_handoff_queue_by_worker_index[i] =
3459 (vlib_frame_queue_t *) (~0);
3462 current_worker_index = ~0;
3463 return frame->n_vectors;
3467 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
3468 vlib_node_runtime_t * node,
3469 vlib_frame_t * frame)
3471 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0);
3474 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
3475 .function = snat_in2out_worker_handoff_fn,
3476 .name = "nat44-in2out-worker-handoff",
3477 .vector_size = sizeof (u32),
3478 .format_trace = format_snat_in2out_worker_handoff_trace,
3479 .type = VLIB_NODE_TYPE_INTERNAL,
3488 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node,
3489 snat_in2out_worker_handoff_fn);
3492 snat_in2out_output_worker_handoff_fn (vlib_main_t * vm,
3493 vlib_node_runtime_t * node,
3494 vlib_frame_t * frame)
3496 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1);
3499 VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = {
3500 .function = snat_in2out_output_worker_handoff_fn,
3501 .name = "nat44-in2out-output-worker-handoff",
3502 .vector_size = sizeof (u32),
3503 .format_trace = format_snat_in2out_worker_handoff_trace,
3504 .type = VLIB_NODE_TYPE_INTERNAL,
3513 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node,
3514 snat_in2out_output_worker_handoff_fn);
3516 static_always_inline int
3517 is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr)
3519 snat_address_t * ap;
3520 clib_bihash_kv_8_8_t kv, value;
3521 snat_session_key_t m_key;
3523 vec_foreach (ap, sm->addresses)
3525 if (ap->addr.as_u32 == dst_addr->as_u32)
3529 m_key.addr.as_u32 = dst_addr->as_u32;
3530 m_key.fib_index = sm->outside_fib_index;
3533 kv.key = m_key.as_u64;
3534 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3541 snat_hairpin_dst_fn (vlib_main_t * vm,
3542 vlib_node_runtime_t * node,
3543 vlib_frame_t * frame)
3545 u32 n_left_from, * from, * to_next;
3546 snat_in2out_next_t next_index;
3547 u32 pkts_processed = 0;
3548 snat_main_t * sm = &snat_main;
3550 from = vlib_frame_vector_args (frame);
3551 n_left_from = frame->n_vectors;
3552 next_index = node->cached_next_index;
3554 while (n_left_from > 0)
3558 vlib_get_next_frame (vm, node, next_index,
3559 to_next, n_left_to_next);
3561 while (n_left_from > 0 && n_left_to_next > 0)
3569 /* speculatively enqueue b0 to the current next frame */
3575 n_left_to_next -= 1;
3577 b0 = vlib_get_buffer (vm, bi0);
3578 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3579 ip0 = vlib_buffer_get_current (b0);
3581 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3583 vnet_buffer (b0)->snat.flags = 0;
3584 if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address)))
3586 if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP)
3588 udp_header_t * udp0 = ip4_next_header (ip0);
3589 tcp_header_t * tcp0 = (tcp_header_t *) udp0;
3591 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3593 else if (proto0 == SNAT_PROTOCOL_ICMP)
3595 icmp46_header_t * icmp0 = ip4_next_header (ip0);
3597 snat_icmp_hairpinning (sm, b0, ip0, icmp0);
3601 snat_hairpinning_unknown_proto (sm, b0, ip0);
3604 vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING;
3607 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3609 /* verify speculative enqueue, maybe switch current next frame */
3610 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3611 to_next, n_left_to_next,
3615 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3618 vlib_node_increment_counter (vm, snat_hairpin_dst_node.index,
3619 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3621 return frame->n_vectors;
3624 VLIB_REGISTER_NODE (snat_hairpin_dst_node) = {
3625 .function = snat_hairpin_dst_fn,
3626 .name = "nat44-hairpin-dst",
3627 .vector_size = sizeof (u32),
3628 .type = VLIB_NODE_TYPE_INTERNAL,
3629 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3630 .error_strings = snat_in2out_error_strings,
3633 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3634 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3638 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node,
3639 snat_hairpin_dst_fn);
3642 snat_hairpin_src_fn (vlib_main_t * vm,
3643 vlib_node_runtime_t * node,
3644 vlib_frame_t * frame)
3646 u32 n_left_from, * from, * to_next;
3647 snat_in2out_next_t next_index;
3648 u32 pkts_processed = 0;
3649 snat_main_t *sm = &snat_main;
3651 from = vlib_frame_vector_args (frame);
3652 n_left_from = frame->n_vectors;
3653 next_index = node->cached_next_index;
3655 while (n_left_from > 0)
3659 vlib_get_next_frame (vm, node, next_index,
3660 to_next, n_left_to_next);
3662 while (n_left_from > 0 && n_left_to_next > 0)
3667 snat_interface_t *i;
3670 /* speculatively enqueue b0 to the current next frame */
3676 n_left_to_next -= 1;
3678 b0 = vlib_get_buffer (vm, bi0);
3679 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3680 next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT;
3682 pool_foreach (i, sm->output_feature_interfaces,
3684 /* Only packets from NAT inside interface */
3685 if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index))
3687 if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) &
3688 SNAT_FLAG_HAIRPINNING))
3690 if (PREDICT_TRUE (sm->num_workers > 1))
3691 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH;
3693 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT;
3699 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3701 /* verify speculative enqueue, maybe switch current next frame */
3702 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3703 to_next, n_left_to_next,
3707 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3710 vlib_node_increment_counter (vm, snat_hairpin_src_node.index,
3711 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3713 return frame->n_vectors;
3716 VLIB_REGISTER_NODE (snat_hairpin_src_node) = {
3717 .function = snat_hairpin_src_fn,
3718 .name = "nat44-hairpin-src",
3719 .vector_size = sizeof (u32),
3720 .type = VLIB_NODE_TYPE_INTERNAL,
3721 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3722 .error_strings = snat_in2out_error_strings,
3723 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
3725 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
3726 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output",
3727 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
3728 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
3732 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node,
3733 snat_hairpin_src_fn);
3736 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
3737 vlib_node_runtime_t * node,
3738 vlib_frame_t * frame)
3740 u32 n_left_from, * from, * to_next;
3741 snat_in2out_next_t next_index;
3742 u32 pkts_processed = 0;
3743 snat_main_t * sm = &snat_main;
3744 u32 stats_node_index;
3746 stats_node_index = snat_in2out_fast_node.index;
3748 from = vlib_frame_vector_args (frame);
3749 n_left_from = frame->n_vectors;
3750 next_index = node->cached_next_index;
3752 while (n_left_from > 0)
3756 vlib_get_next_frame (vm, node, next_index,
3757 to_next, n_left_to_next);
3759 while (n_left_from > 0 && n_left_to_next > 0)
3767 u32 new_addr0, old_addr0;
3768 u16 old_port0, new_port0;
3769 udp_header_t * udp0;
3770 tcp_header_t * tcp0;
3771 icmp46_header_t * icmp0;
3772 snat_session_key_t key0, sm0;
3776 /* speculatively enqueue b0 to the current next frame */
3782 n_left_to_next -= 1;
3784 b0 = vlib_get_buffer (vm, bi0);
3785 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3787 ip0 = vlib_buffer_get_current (b0);
3788 udp0 = ip4_next_header (ip0);
3789 tcp0 = (tcp_header_t *) udp0;
3790 icmp0 = (icmp46_header_t *) udp0;
3792 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3793 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3795 if (PREDICT_FALSE(ip0->ttl == 1))
3797 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3798 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3799 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3801 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3805 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3807 if (PREDICT_FALSE (proto0 == ~0))
3810 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
3812 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
3813 rx_fib_index0, node, next0, ~0, 0, 0);
3817 key0.addr = ip0->src_address;
3818 key0.protocol = proto0;
3819 key0.port = udp0->src_port;
3820 key0.fib_index = rx_fib_index0;
3822 if (snat_static_mapping_match(sm, key0, &sm0, 0, 0, 0))
3824 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3825 next0= SNAT_IN2OUT_NEXT_DROP;
3829 new_addr0 = sm0.addr.as_u32;
3830 new_port0 = sm0.port;
3831 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
3832 old_addr0 = ip0->src_address.as_u32;
3833 ip0->src_address.as_u32 = new_addr0;
3835 sum0 = ip0->checksum;
3836 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3838 src_address /* changed member */);
3839 ip0->checksum = ip_csum_fold (sum0);
3841 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
3843 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3845 old_port0 = tcp0->src_port;
3846 tcp0->src_port = new_port0;
3848 sum0 = tcp0->checksum;
3849 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3851 dst_address /* changed member */);
3852 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3853 ip4_header_t /* cheat */,
3854 length /* changed member */);
3855 tcp0->checksum = ip_csum_fold(sum0);
3859 old_port0 = udp0->src_port;
3860 udp0->src_port = new_port0;
3866 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3868 sum0 = tcp0->checksum;
3869 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3871 dst_address /* changed member */);
3872 tcp0->checksum = ip_csum_fold(sum0);
3877 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3880 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3881 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3883 snat_in2out_trace_t *t =
3884 vlib_add_trace (vm, node, b0, sizeof (*t));
3885 t->sw_if_index = sw_if_index0;
3886 t->next_index = next0;
3889 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3891 /* verify speculative enqueue, maybe switch current next frame */
3892 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3893 to_next, n_left_to_next,
3897 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3900 vlib_node_increment_counter (vm, stats_node_index,
3901 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3903 return frame->n_vectors;
3907 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
3908 .function = snat_in2out_fast_static_map_fn,
3909 .name = "nat44-in2out-fast",
3910 .vector_size = sizeof (u32),
3911 .format_trace = format_snat_in2out_fast_trace,
3912 .type = VLIB_NODE_TYPE_INTERNAL,
3914 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3915 .error_strings = snat_in2out_error_strings,
3917 .runtime_data_bytes = sizeof (snat_runtime_t),
3919 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
3921 /* edit / add dispositions here */
3923 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3924 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3925 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
3926 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3927 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
3931 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob