2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
25 #include <nat/nat_ipfix_logging.h>
26 #include <nat/nat_det.h>
27 #include <nat/nat_reass.h>
28 #include <nat/nat_inlines.h>
30 #include <vppinfra/hash.h>
31 #include <vppinfra/error.h>
32 #include <vppinfra/elog.h>
39 } snat_in2out_trace_t;
42 u32 next_worker_index;
44 } snat_in2out_worker_handoff_trace_t;
46 /* packet trace format function */
47 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
49 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
50 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
51 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
54 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
56 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
57 t->sw_if_index, t->next_index, t->session_index);
62 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
64 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
65 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
66 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
68 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
69 t->sw_if_index, t->next_index);
74 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
76 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
77 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
78 snat_in2out_worker_handoff_trace_t * t =
79 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
82 m = t->do_handoff ? "next worker" : "same worker";
83 s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
92 } nat44_in2out_reass_trace_t;
94 static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args)
96 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
97 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
98 nat44_in2out_reass_trace_t * t = va_arg (*args, nat44_in2out_reass_trace_t *);
100 s = format (s, "NAT44_IN2OUT_REASS: sw_if_index %d, next index %d, status %s",
101 t->sw_if_index, t->next_index,
102 t->cached ? "cached" : "translated");
107 vlib_node_registration_t snat_in2out_node;
108 vlib_node_registration_t snat_in2out_slowpath_node;
109 vlib_node_registration_t snat_in2out_fast_node;
110 vlib_node_registration_t snat_in2out_worker_handoff_node;
111 vlib_node_registration_t snat_det_in2out_node;
112 vlib_node_registration_t snat_in2out_output_node;
113 vlib_node_registration_t snat_in2out_output_slowpath_node;
114 vlib_node_registration_t snat_in2out_output_worker_handoff_node;
115 vlib_node_registration_t snat_hairpin_dst_node;
116 vlib_node_registration_t snat_hairpin_src_node;
117 vlib_node_registration_t nat44_hairpinning_node;
118 vlib_node_registration_t nat44_in2out_reass_node;
119 vlib_node_registration_t nat44_ed_in2out_node;
120 vlib_node_registration_t nat44_ed_in2out_slowpath_node;
121 vlib_node_registration_t nat44_ed_in2out_output_node;
122 vlib_node_registration_t nat44_ed_in2out_output_slowpath_node;
123 vlib_node_registration_t nat44_ed_hairpin_dst_node;
124 vlib_node_registration_t nat44_ed_hairpin_src_node;
125 vlib_node_registration_t nat44_ed_hairpinning_node;
127 #define foreach_snat_in2out_error \
128 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
129 _(IN2OUT_PACKETS, "Good in2out packets processed") \
130 _(OUT_OF_PORTS, "Out of ports") \
131 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
132 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
133 _(NO_TRANSLATION, "No translation") \
134 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
135 _(DROP_FRAGMENT, "Drop fragment") \
136 _(MAX_REASS, "Maximum reassemblies exceeded") \
137 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")\
138 _(FQ_CONGESTED, "Handoff frame queue congested")
141 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
142 foreach_snat_in2out_error
145 } snat_in2out_error_t;
147 static char * snat_in2out_error_strings[] = {
148 #define _(sym,string) string,
149 foreach_snat_in2out_error
154 SNAT_IN2OUT_NEXT_LOOKUP,
155 SNAT_IN2OUT_NEXT_DROP,
156 SNAT_IN2OUT_NEXT_ICMP_ERROR,
157 SNAT_IN2OUT_NEXT_SLOW_PATH,
158 SNAT_IN2OUT_NEXT_REASS,
160 } snat_in2out_next_t;
163 SNAT_HAIRPIN_SRC_NEXT_DROP,
164 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT,
165 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH,
166 SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT,
167 SNAT_HAIRPIN_SRC_N_NEXT,
168 } snat_hairpin_next_t;
171 * @brief Check if packet should be translated
173 * Packets aimed at outside interface and external address with active session
174 * should be translated.
177 * @param rt NAT runtime data
178 * @param sw_if_index0 index of the inside interface
179 * @param ip0 IPv4 header
180 * @param proto0 NAT protocol
181 * @param rx_fib_index0 RX FIB index
183 * @returns 0 if packet should be translated otherwise 1
186 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
187 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
193 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
194 nat_outside_fib_t *outside_fib;
196 .fp_proto = FIB_PROTOCOL_IP4,
199 .ip4.as_u32 = ip0->dst_address.as_u32,
203 /* Don't NAT packet aimed at the intfc address */
204 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
205 ip0->dst_address.as_u32)))
208 fei = fib_table_lookup (rx_fib_index0, &pfx);
209 if (FIB_NODE_INDEX_INVALID != fei)
211 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
212 if (sw_if_index == ~0)
214 vec_foreach (outside_fib, sm->outside_fibs)
216 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
217 if (FIB_NODE_INDEX_INVALID != fei)
219 sw_if_index = fib_entry_get_resolving_interface (fei);
220 if (sw_if_index != ~0)
225 if (sw_if_index == ~0)
229 pool_foreach (i, sm->interfaces,
231 /* NAT packet aimed at outside interface */
232 if ((nat_interface_is_outside(i)) && (sw_if_index == i->sw_if_index))
241 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
242 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
243 u32 rx_fib_index0, u32 thread_index)
245 udp_header_t * udp0 = ip4_next_header (ip0);
246 snat_session_key_t key0, sm0;
247 clib_bihash_kv_8_8_t kv0, value0;
249 key0.addr = ip0->dst_address;
250 key0.port = udp0->dst_port;
251 key0.protocol = proto0;
252 key0.fib_index = sm->outside_fib_index;
253 kv0.key = key0.as_u64;
255 /* NAT packet aimed at external address if */
256 /* has active sessions */
257 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
260 /* or is static mappings */
261 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0))
267 if (sm->forwarding_enabled)
270 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
275 nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0,
276 u32 proto0, u16 src_port, u16 dst_port,
277 u32 thread_index, u32 sw_if_index)
279 snat_session_key_t key0;
280 clib_bihash_kv_8_8_t kv0, value0;
284 key0.addr = ip0->src_address;
285 key0.port = src_port;
286 key0.protocol = proto0;
287 key0.fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
288 kv0.key = key0.as_u64;
290 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
295 key0.addr = ip0->dst_address;
296 key0.port = dst_port;
297 key0.protocol = proto0;
298 kv0.key = key0.as_u64;
299 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
303 pool_foreach (i, sm->output_feature_interfaces,
305 if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index))
315 nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void * arg)
317 snat_main_t *sm = &snat_main;
318 nat44_is_idle_session_ctx_t *ctx = arg;
320 u64 sess_timeout_time;
321 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
323 clib_bihash_kv_8_8_t s_kv;
325 s = pool_elt_at_index (tsm->sessions, kv->value);
326 sess_timeout_time = s->last_heard + (f64)nat44_session_get_timeout(sm, s);
327 if (ctx->now >= sess_timeout_time)
329 s_kv.key = s->out2in.as_u64;
330 if (clib_bihash_add_del_8_8 (&tsm->out2in, &s_kv, 0))
331 nat_log_warn ("out2in key del failed");
333 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
334 s->out2in.addr.as_u32,
338 s->in2out.fib_index);
340 if (!snat_is_session_static (s))
341 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
344 nat44_delete_session (sm, s, ctx->thread_index);
351 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
354 snat_session_key_t * key0,
355 snat_session_t ** sessionp,
356 vlib_node_runtime_t * node,
363 clib_bihash_kv_8_8_t kv0;
364 snat_session_key_t key1;
365 u32 address_index = ~0;
366 udp_header_t * udp0 = ip4_next_header (ip0);
368 nat_outside_fib_t *outside_fib;
369 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
371 .fp_proto = FIB_PROTOCOL_IP4,
374 .ip4.as_u32 = ip0->dst_address.as_u32,
377 nat44_is_idle_session_ctx_t ctx0;
379 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
381 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
382 nat_ipfix_logging_max_sessions(sm->max_translations);
383 nat_log_notice ("maximum sessions exceeded");
384 return SNAT_IN2OUT_NEXT_DROP;
387 key1.protocol = key0->protocol;
389 /* First try to match static mapping by local address and port */
390 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0, 0, 0))
392 /* Try to create dynamic translation */
393 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
397 sm->per_thread_data[thread_index].snat_thread_index))
399 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
400 return SNAT_IN2OUT_NEXT_DROP;
406 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
410 nat_log_warn ("create NAT user failed");
411 return SNAT_IN2OUT_NEXT_DROP;
414 s = nat_session_alloc_or_recycle (sm, u, thread_index);
417 nat44_delete_user_with_no_session (sm, u, thread_index);
418 nat_log_warn ("create NAT session failed");
419 return SNAT_IN2OUT_NEXT_DROP;
423 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
424 user_session_increment (sm, u, is_sm);
425 s->outside_address_index = address_index;
428 s->out2in.protocol = key0->protocol;
429 s->out2in.fib_index = sm->outside_fib_index;
430 switch (vec_len (sm->outside_fibs))
433 s->out2in.fib_index = sm->outside_fib_index;
436 s->out2in.fib_index = sm->outside_fibs[0].fib_index;
439 vec_foreach (outside_fib, sm->outside_fibs)
441 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
442 if (FIB_NODE_INDEX_INVALID != fei)
444 if (fib_entry_get_resolving_interface (fei) != ~0)
446 s->out2in.fib_index = outside_fib->fib_index;
453 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
454 s->ext_host_port = udp0->dst_port;
457 /* Add to translation hashes */
459 ctx0.thread_index = thread_index;
460 kv0.key = s->in2out.as_u64;
461 kv0.value = s - sm->per_thread_data[thread_index].sessions;
462 if (clib_bihash_add_or_overwrite_stale_8_8 (
463 &sm->per_thread_data[thread_index].in2out, &kv0,
464 nat44_i2o_is_idle_session_cb, &ctx0))
465 nat_log_notice ("in2out key add failed");
467 kv0.key = s->out2in.as_u64;
468 kv0.value = s - sm->per_thread_data[thread_index].sessions;
470 if (clib_bihash_add_or_overwrite_stale_8_8 (
471 &sm->per_thread_data[thread_index].out2in, &kv0,
472 nat44_o2i_is_idle_session_cb, &ctx0))
473 nat_log_notice ("out2in key add failed");
476 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
477 s->out2in.addr.as_u32,
481 s->in2out.fib_index);
486 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
487 snat_session_key_t *p_key0)
489 icmp46_header_t *icmp0;
490 snat_session_key_t key0;
491 icmp_echo_header_t *echo0, *inner_echo0 = 0;
492 ip4_header_t *inner_ip0 = 0;
494 icmp46_header_t *inner_icmp0;
496 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
497 echo0 = (icmp_echo_header_t *)(icmp0+1);
499 if (!icmp_is_error_message (icmp0))
501 key0.protocol = SNAT_PROTOCOL_ICMP;
502 key0.addr = ip0->src_address;
503 key0.port = echo0->identifier;
507 inner_ip0 = (ip4_header_t *)(echo0+1);
508 l4_header = ip4_next_header (inner_ip0);
509 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
510 key0.addr = inner_ip0->dst_address;
511 switch (key0.protocol)
513 case SNAT_PROTOCOL_ICMP:
514 inner_icmp0 = (icmp46_header_t*)l4_header;
515 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
516 key0.port = inner_echo0->identifier;
518 case SNAT_PROTOCOL_UDP:
519 case SNAT_PROTOCOL_TCP:
520 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
523 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
527 return -1; /* success */
531 * Get address and port values to be used for ICMP packet translation
532 * and create session if needed
534 * @param[in,out] sm NAT main
535 * @param[in,out] node NAT node runtime
536 * @param[in] thread_index thread index
537 * @param[in,out] b0 buffer containing packet to be translated
538 * @param[out] p_proto protocol used for matching
539 * @param[out] p_value address and port after NAT translation
540 * @param[out] p_dont_translate if packet should not be translated
541 * @param d optional parameter
542 * @param e optional parameter
544 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
545 u32 thread_index, vlib_buffer_t *b0,
546 ip4_header_t *ip0, u8 *p_proto,
547 snat_session_key_t *p_value,
548 u8 *p_dont_translate, void *d, void *e)
550 icmp46_header_t *icmp0;
553 snat_session_key_t key0;
554 snat_session_t *s0 = 0;
555 u8 dont_translate = 0;
556 clib_bihash_kv_8_8_t kv0, value0;
560 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
561 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
562 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
564 err = icmp_get_key (ip0, &key0);
567 b0->error = node->errors[err];
568 next0 = SNAT_IN2OUT_NEXT_DROP;
571 key0.fib_index = rx_fib_index0;
573 kv0.key = key0.as_u64;
575 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
578 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] != ~0)
580 if (PREDICT_FALSE(nat_not_translate_output_feature(sm, ip0,
581 key0.protocol, key0.port, key0.port, thread_index, sw_if_index0)))
589 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
590 ip0, SNAT_PROTOCOL_ICMP, rx_fib_index0, thread_index)))
597 if (PREDICT_FALSE(icmp_is_error_message (icmp0)))
599 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
600 next0 = SNAT_IN2OUT_NEXT_DROP;
604 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, &s0, node, next0,
605 thread_index, vlib_time_now (sm->vlib_main));
607 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
612 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
613 icmp0->type != ICMP4_echo_reply &&
614 !icmp_is_error_message (icmp0)))
616 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
617 next0 = SNAT_IN2OUT_NEXT_DROP;
621 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
626 *p_proto = key0.protocol;
628 *p_value = s0->out2in;
629 *p_dont_translate = dont_translate;
631 *(snat_session_t**)d = s0;
636 * Get address and port values to be used for ICMP packet translation
638 * @param[in] sm NAT main
639 * @param[in,out] node NAT node runtime
640 * @param[in] thread_index thread index
641 * @param[in,out] b0 buffer containing packet to be translated
642 * @param[out] p_proto protocol used for matching
643 * @param[out] p_value address and port after NAT translation
644 * @param[out] p_dont_translate if packet should not be translated
645 * @param d optional parameter
646 * @param e optional parameter
648 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
649 u32 thread_index, vlib_buffer_t *b0,
650 ip4_header_t *ip0, u8 *p_proto,
651 snat_session_key_t *p_value,
652 u8 *p_dont_translate, void *d, void *e)
654 icmp46_header_t *icmp0;
657 snat_session_key_t key0;
658 snat_session_key_t sm0;
659 u8 dont_translate = 0;
664 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
665 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
666 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
668 err = icmp_get_key (ip0, &key0);
671 b0->error = node->errors[err];
672 next0 = SNAT_IN2OUT_NEXT_DROP;
675 key0.fib_index = rx_fib_index0;
677 if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only, 0, 0, 0))
679 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
680 IP_PROTOCOL_ICMP, rx_fib_index0)))
686 if (icmp_is_error_message (icmp0))
688 next0 = SNAT_IN2OUT_NEXT_DROP;
692 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
693 next0 = SNAT_IN2OUT_NEXT_DROP;
697 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
698 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
699 !icmp_is_error_message (icmp0)))
701 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
702 next0 = SNAT_IN2OUT_NEXT_DROP;
709 *p_proto = key0.protocol;
710 *p_dont_translate = dont_translate;
714 static inline u32 icmp_in2out (snat_main_t *sm,
717 icmp46_header_t * icmp0,
720 vlib_node_runtime_t * node,
726 snat_session_key_t sm0;
728 icmp_echo_header_t *echo0, *inner_echo0 = 0;
729 ip4_header_t *inner_ip0;
731 icmp46_header_t *inner_icmp0;
733 u32 new_addr0, old_addr0;
734 u16 old_id0, new_id0;
739 echo0 = (icmp_echo_header_t *)(icmp0+1);
741 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0, ip0,
742 &protocol, &sm0, &dont_translate, d, e);
745 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
748 sum0 = ip_incremental_checksum (0, icmp0,
749 ntohs(ip0->length) - ip4_header_bytes (ip0));
750 checksum0 = ~ip_csum_fold (sum0);
751 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
753 next0 = SNAT_IN2OUT_NEXT_DROP;
757 old_addr0 = ip0->src_address.as_u32;
758 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
759 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
760 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
762 sum0 = ip0->checksum;
763 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
764 src_address /* changed member */);
765 ip0->checksum = ip_csum_fold (sum0);
767 if (icmp0->checksum == 0)
768 icmp0->checksum = 0xffff;
770 if (!icmp_is_error_message (icmp0))
773 if (PREDICT_FALSE(new_id0 != echo0->identifier))
775 old_id0 = echo0->identifier;
777 echo0->identifier = new_id0;
779 sum0 = icmp0->checksum;
780 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
782 icmp0->checksum = ip_csum_fold (sum0);
787 inner_ip0 = (ip4_header_t *)(echo0+1);
788 l4_header = ip4_next_header (inner_ip0);
790 if (!ip4_header_checksum_is_valid (inner_ip0))
792 next0 = SNAT_IN2OUT_NEXT_DROP;
796 old_addr0 = inner_ip0->dst_address.as_u32;
797 inner_ip0->dst_address = sm0.addr;
798 new_addr0 = inner_ip0->dst_address.as_u32;
800 sum0 = icmp0->checksum;
801 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
802 dst_address /* changed member */);
803 icmp0->checksum = ip_csum_fold (sum0);
807 case SNAT_PROTOCOL_ICMP:
808 inner_icmp0 = (icmp46_header_t*)l4_header;
809 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
811 old_id0 = inner_echo0->identifier;
813 inner_echo0->identifier = new_id0;
815 sum0 = icmp0->checksum;
816 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
818 icmp0->checksum = ip_csum_fold (sum0);
820 case SNAT_PROTOCOL_UDP:
821 case SNAT_PROTOCOL_TCP:
822 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
824 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
826 sum0 = icmp0->checksum;
827 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
829 icmp0->checksum = ip_csum_fold (sum0);
843 * Hairpinning allows two endpoints on the internal side of the NAT to
844 * communicate even if they only use each other's external IP addresses
847 * @param sm NAT main.
848 * @param b0 Vlib buffer.
849 * @param ip0 IP header.
850 * @param udp0 UDP header.
851 * @param tcp0 TCP header.
852 * @param proto0 NAT protocol.
855 snat_hairpinning (snat_main_t *sm,
863 snat_session_key_t key0, sm0;
865 clib_bihash_kv_8_8_t kv0, value0;
867 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
868 u16 new_dst_port0, old_dst_port0;
871 key0.addr = ip0->dst_address;
872 key0.port = udp0->dst_port;
873 key0.protocol = proto0;
874 key0.fib_index = sm->outside_fib_index;
875 kv0.key = key0.as_u64;
877 /* Check if destination is static mappings */
878 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0))
880 new_dst_addr0 = sm0.addr.as_u32;
881 new_dst_port0 = sm0.port;
882 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
884 /* or active session */
887 if (sm->num_workers > 1)
888 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
890 ti = sm->num_workers;
894 clib_bihash_kv_16_8_t ed_kv, ed_value;
895 make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address,
896 ip0->protocol, sm->outside_fib_index, udp0->dst_port,
898 rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed,
904 rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
911 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
912 new_dst_addr0 = s0->in2out.addr.as_u32;
913 new_dst_port0 = s0->in2out.port;
914 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
917 /* Destination is behind the same NAT, use internal address and port */
920 old_dst_addr0 = ip0->dst_address.as_u32;
921 ip0->dst_address.as_u32 = new_dst_addr0;
922 sum0 = ip0->checksum;
923 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
924 ip4_header_t, dst_address);
925 ip0->checksum = ip_csum_fold (sum0);
927 old_dst_port0 = tcp0->dst;
928 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
930 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
932 tcp0->dst = new_dst_port0;
933 sum0 = tcp0->checksum;
934 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
935 ip4_header_t, dst_address);
936 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
937 ip4_header_t /* cheat */, length);
938 tcp0->checksum = ip_csum_fold(sum0);
942 udp0->dst_port = new_dst_port0;
948 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
950 sum0 = tcp0->checksum;
951 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
952 ip4_header_t, dst_address);
953 tcp0->checksum = ip_csum_fold(sum0);
962 snat_icmp_hairpinning (snat_main_t *sm,
965 icmp46_header_t * icmp0,
968 snat_session_key_t key0, sm0;
969 clib_bihash_kv_8_8_t kv0, value0;
970 u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0;
975 if (!icmp_is_error_message (icmp0))
977 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
978 u16 icmp_id0 = echo0->identifier;
979 key0.addr = ip0->dst_address;
980 key0.port = icmp_id0;
981 key0.protocol = SNAT_PROTOCOL_ICMP;
982 key0.fib_index = sm->outside_fib_index;
983 kv0.key = key0.as_u64;
985 if (sm->num_workers > 1)
986 ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread;
988 ti = sm->num_workers;
990 /* Check if destination is in active sessions */
993 clib_bihash_kv_16_8_t ed_kv, ed_value;
994 make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address,
995 IP_PROTOCOL_ICMP, sm->outside_fib_index, icmp_id0, 0);
996 rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed,
1002 rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
1008 /* or static mappings */
1009 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0))
1011 new_dst_addr0 = sm0.addr.as_u32;
1012 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1017 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
1018 new_dst_addr0 = s0->in2out.addr.as_u32;
1019 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1020 echo0->identifier = s0->in2out.port;
1021 sum0 = icmp0->checksum;
1022 sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port,
1023 icmp_echo_header_t, identifier);
1024 icmp0->checksum = ip_csum_fold (sum0);
1027 /* Destination is behind the same NAT, use internal address and port */
1030 old_dst_addr0 = ip0->dst_address.as_u32;
1031 ip0->dst_address.as_u32 = new_dst_addr0;
1032 sum0 = ip0->checksum;
1033 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
1034 ip4_header_t, dst_address);
1035 ip0->checksum = ip_csum_fold (sum0);
1041 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
1044 icmp46_header_t * icmp0,
1047 vlib_node_runtime_t * node,
1051 snat_session_t ** p_s0)
1053 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1054 next0, thread_index, p_s0, 0);
1055 snat_session_t * s0 = *p_s0;
1056 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
1059 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == 0)
1060 snat_icmp_hairpinning(sm, b0, ip0, icmp0, sm->endpoint_dependent);
1062 nat44_session_update_counters (s0, now,
1063 vlib_buffer_length_in_chain (sm->vlib_main, b0));
1064 /* Per-user LRU list maintenance */
1065 nat44_session_update_lru (sm, s0, thread_index);
1071 nat_hairpinning_sm_unknown_proto (snat_main_t * sm,
1075 clib_bihash_kv_8_8_t kv, value;
1076 snat_static_mapping_t *m;
1077 u32 old_addr, new_addr;
1080 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
1081 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1084 m = pool_elt_at_index (sm->static_mappings, value.value);
1086 old_addr = ip->dst_address.as_u32;
1087 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
1089 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1090 ip->checksum = ip_csum_fold (sum);
1092 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1093 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
1097 nat_in2out_sm_unknown_proto (snat_main_t *sm,
1102 clib_bihash_kv_8_8_t kv, value;
1103 snat_static_mapping_t *m;
1104 snat_session_key_t m_key;
1105 u32 old_addr, new_addr;
1108 m_key.addr = ip->src_address;
1111 m_key.fib_index = rx_fib_index;
1112 kv.key = m_key.as_u64;
1113 if (clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
1116 m = pool_elt_at_index (sm->static_mappings, value.value);
1118 old_addr = ip->src_address.as_u32;
1119 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
1121 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1122 ip->checksum = ip_csum_fold (sum);
1126 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1128 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
1129 nat_hairpinning_sm_unknown_proto (sm, b, ip);
1136 snat_in2out_node_fn_inline (vlib_main_t * vm,
1137 vlib_node_runtime_t * node,
1138 vlib_frame_t * frame, int is_slow_path,
1139 int is_output_feature)
1141 u32 n_left_from, * from, * to_next;
1142 snat_in2out_next_t next_index;
1143 u32 pkts_processed = 0;
1144 snat_main_t * sm = &snat_main;
1145 f64 now = vlib_time_now (vm);
1146 u32 stats_node_index;
1147 u32 thread_index = vm->thread_index;
1149 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
1150 snat_in2out_node.index;
1152 from = vlib_frame_vector_args (frame);
1153 n_left_from = frame->n_vectors;
1154 next_index = node->cached_next_index;
1156 while (n_left_from > 0)
1160 vlib_get_next_frame (vm, node, next_index,
1161 to_next, n_left_to_next);
1163 while (n_left_from >= 4 && n_left_to_next >= 2)
1166 vlib_buffer_t * b0, * b1;
1168 u32 sw_if_index0, sw_if_index1;
1169 ip4_header_t * ip0, * ip1;
1170 ip_csum_t sum0, sum1;
1171 u32 new_addr0, old_addr0, new_addr1, old_addr1;
1172 u16 old_port0, new_port0, old_port1, new_port1;
1173 udp_header_t * udp0, * udp1;
1174 tcp_header_t * tcp0, * tcp1;
1175 icmp46_header_t * icmp0, * icmp1;
1176 snat_session_key_t key0, key1;
1177 u32 rx_fib_index0, rx_fib_index1;
1179 snat_session_t * s0 = 0, * s1 = 0;
1180 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
1181 u32 iph_offset0 = 0, iph_offset1 = 0;
1183 /* Prefetch next iteration. */
1185 vlib_buffer_t * p2, * p3;
1187 p2 = vlib_get_buffer (vm, from[2]);
1188 p3 = vlib_get_buffer (vm, from[3]);
1190 vlib_prefetch_buffer_header (p2, LOAD);
1191 vlib_prefetch_buffer_header (p3, LOAD);
1193 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1194 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1197 /* speculatively enqueue b0 and b1 to the current next frame */
1198 to_next[0] = bi0 = from[0];
1199 to_next[1] = bi1 = from[1];
1203 n_left_to_next -= 2;
1205 b0 = vlib_get_buffer (vm, bi0);
1206 b1 = vlib_get_buffer (vm, bi1);
1208 if (is_output_feature)
1209 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1211 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1214 udp0 = ip4_next_header (ip0);
1215 tcp0 = (tcp_header_t *) udp0;
1216 icmp0 = (icmp46_header_t *) udp0;
1218 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1219 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1222 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1224 if (PREDICT_FALSE(ip0->ttl == 1))
1226 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1227 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1228 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1230 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1234 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1236 /* Next configured feature, probably ip4-lookup */
1239 if (PREDICT_FALSE (proto0 == ~0))
1241 if (nat_in2out_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
1243 next0 = SNAT_IN2OUT_NEXT_DROP;
1244 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1249 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1251 next0 = icmp_in2out_slow_path
1252 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1253 node, next0, now, thread_index, &s0);
1259 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1261 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1265 if (ip4_is_fragment (ip0))
1267 next0 = SNAT_IN2OUT_NEXT_REASS;
1272 key0.addr = ip0->src_address;
1273 key0.port = udp0->src_port;
1274 key0.protocol = proto0;
1275 key0.fib_index = rx_fib_index0;
1277 kv0.key = key0.as_u64;
1279 if (PREDICT_FALSE (clib_bihash_search_8_8 (
1280 &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0))
1284 if (is_output_feature)
1286 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1287 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
1292 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1293 ip0, proto0, rx_fib_index0, thread_index)))
1297 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1298 &s0, node, next0, thread_index, now);
1299 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1304 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1309 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1312 b0->flags |= VNET_BUFFER_F_IS_NATED;
1314 old_addr0 = ip0->src_address.as_u32;
1315 ip0->src_address = s0->out2in.addr;
1316 new_addr0 = ip0->src_address.as_u32;
1317 if (!is_output_feature)
1318 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1320 sum0 = ip0->checksum;
1321 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1323 src_address /* changed member */);
1324 ip0->checksum = ip_csum_fold (sum0);
1326 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1328 old_port0 = tcp0->src_port;
1329 tcp0->src_port = s0->out2in.port;
1330 new_port0 = tcp0->src_port;
1332 sum0 = tcp0->checksum;
1333 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1335 dst_address /* changed member */);
1336 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1337 ip4_header_t /* cheat */,
1338 length /* changed member */);
1339 tcp0->checksum = ip_csum_fold(sum0);
1343 old_port0 = udp0->src_port;
1344 udp0->src_port = s0->out2in.port;
1349 nat44_session_update_counters (s0, now,
1350 vlib_buffer_length_in_chain (vm, b0));
1351 /* Per-user LRU list maintenance */
1352 nat44_session_update_lru (sm, s0, thread_index);
1355 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1356 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1358 snat_in2out_trace_t *t =
1359 vlib_add_trace (vm, node, b0, sizeof (*t));
1360 t->is_slow_path = is_slow_path;
1361 t->sw_if_index = sw_if_index0;
1362 t->next_index = next0;
1363 t->session_index = ~0;
1365 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1368 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1370 if (is_output_feature)
1371 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1373 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1376 udp1 = ip4_next_header (ip1);
1377 tcp1 = (tcp_header_t *) udp1;
1378 icmp1 = (icmp46_header_t *) udp1;
1380 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1381 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1384 if (PREDICT_FALSE(ip1->ttl == 1))
1386 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1387 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1388 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1390 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1394 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1396 /* Next configured feature, probably ip4-lookup */
1399 if (PREDICT_FALSE (proto1 == ~0))
1401 if (nat_in2out_sm_unknown_proto (sm, b1, ip1, rx_fib_index1))
1403 next1 = SNAT_IN2OUT_NEXT_DROP;
1404 b1->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1409 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1411 next1 = icmp_in2out_slow_path
1412 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1413 next1, now, thread_index, &s1);
1419 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1421 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1425 if (ip4_is_fragment (ip1))
1427 next1 = SNAT_IN2OUT_NEXT_REASS;
1432 key1.addr = ip1->src_address;
1433 key1.port = udp1->src_port;
1434 key1.protocol = proto1;
1435 key1.fib_index = rx_fib_index1;
1437 kv1.key = key1.as_u64;
1439 if (PREDICT_FALSE(clib_bihash_search_8_8 (
1440 &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0))
1444 if (is_output_feature)
1446 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1447 ip1, proto1, udp1->src_port, udp1->dst_port, thread_index, sw_if_index1)))
1452 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1,
1453 ip1, proto1, rx_fib_index1, thread_index)))
1457 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1458 &s1, node, next1, thread_index, now);
1459 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1464 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1469 s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1472 b1->flags |= VNET_BUFFER_F_IS_NATED;
1474 old_addr1 = ip1->src_address.as_u32;
1475 ip1->src_address = s1->out2in.addr;
1476 new_addr1 = ip1->src_address.as_u32;
1477 if (!is_output_feature)
1478 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1480 sum1 = ip1->checksum;
1481 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1483 src_address /* changed member */);
1484 ip1->checksum = ip_csum_fold (sum1);
1486 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1488 old_port1 = tcp1->src_port;
1489 tcp1->src_port = s1->out2in.port;
1490 new_port1 = tcp1->src_port;
1492 sum1 = tcp1->checksum;
1493 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1495 dst_address /* changed member */);
1496 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1497 ip4_header_t /* cheat */,
1498 length /* changed member */);
1499 tcp1->checksum = ip_csum_fold(sum1);
1503 old_port1 = udp1->src_port;
1504 udp1->src_port = s1->out2in.port;
1509 nat44_session_update_counters (s1, now,
1510 vlib_buffer_length_in_chain (vm, b1));
1511 /* Per-user LRU list maintenance */
1512 nat44_session_update_lru (sm, s1, thread_index);
1515 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1516 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1518 snat_in2out_trace_t *t =
1519 vlib_add_trace (vm, node, b1, sizeof (*t));
1520 t->sw_if_index = sw_if_index1;
1521 t->next_index = next1;
1522 t->session_index = ~0;
1524 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1527 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1529 /* verify speculative enqueues, maybe switch current next frame */
1530 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1531 to_next, n_left_to_next,
1532 bi0, bi1, next0, next1);
1535 while (n_left_from > 0 && n_left_to_next > 0)
1543 u32 new_addr0, old_addr0;
1544 u16 old_port0, new_port0;
1545 udp_header_t * udp0;
1546 tcp_header_t * tcp0;
1547 icmp46_header_t * icmp0;
1548 snat_session_key_t key0;
1551 snat_session_t * s0 = 0;
1552 clib_bihash_kv_8_8_t kv0, value0;
1553 u32 iph_offset0 = 0;
1555 /* speculatively enqueue b0 to the current next frame */
1561 n_left_to_next -= 1;
1563 b0 = vlib_get_buffer (vm, bi0);
1564 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1566 if (is_output_feature)
1567 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1569 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1572 udp0 = ip4_next_header (ip0);
1573 tcp0 = (tcp_header_t *) udp0;
1574 icmp0 = (icmp46_header_t *) udp0;
1576 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1577 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1580 if (PREDICT_FALSE(ip0->ttl == 1))
1582 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1583 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1584 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1586 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1590 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1592 /* Next configured feature, probably ip4-lookup */
1595 if (PREDICT_FALSE (proto0 == ~0))
1597 if (nat_in2out_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
1599 next0 = SNAT_IN2OUT_NEXT_DROP;
1600 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1605 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1607 next0 = icmp_in2out_slow_path
1608 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1609 next0, now, thread_index, &s0);
1615 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1617 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1621 if (ip4_is_fragment (ip0))
1623 next0 = SNAT_IN2OUT_NEXT_REASS;
1628 key0.addr = ip0->src_address;
1629 key0.port = udp0->src_port;
1630 key0.protocol = proto0;
1631 key0.fib_index = rx_fib_index0;
1633 kv0.key = key0.as_u64;
1635 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out,
1640 if (is_output_feature)
1642 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1643 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
1648 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1649 ip0, proto0, rx_fib_index0, thread_index)))
1653 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1654 &s0, node, next0, thread_index, now);
1656 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1661 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1666 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1669 b0->flags |= VNET_BUFFER_F_IS_NATED;
1671 old_addr0 = ip0->src_address.as_u32;
1672 ip0->src_address = s0->out2in.addr;
1673 new_addr0 = ip0->src_address.as_u32;
1674 if (!is_output_feature)
1675 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1677 sum0 = ip0->checksum;
1678 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1680 src_address /* changed member */);
1681 ip0->checksum = ip_csum_fold (sum0);
1683 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1685 old_port0 = tcp0->src_port;
1686 tcp0->src_port = s0->out2in.port;
1687 new_port0 = tcp0->src_port;
1689 sum0 = tcp0->checksum;
1690 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1692 dst_address /* changed member */);
1693 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1694 ip4_header_t /* cheat */,
1695 length /* changed member */);
1696 tcp0->checksum = ip_csum_fold(sum0);
1700 old_port0 = udp0->src_port;
1701 udp0->src_port = s0->out2in.port;
1706 nat44_session_update_counters (s0, now,
1707 vlib_buffer_length_in_chain (vm, b0));
1708 /* Per-user LRU list maintenance */
1709 nat44_session_update_lru (sm, s0, thread_index);
1712 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1713 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1715 snat_in2out_trace_t *t =
1716 vlib_add_trace (vm, node, b0, sizeof (*t));
1717 t->is_slow_path = is_slow_path;
1718 t->sw_if_index = sw_if_index0;
1719 t->next_index = next0;
1720 t->session_index = ~0;
1722 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1725 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1727 /* verify speculative enqueue, maybe switch current next frame */
1728 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1729 to_next, n_left_to_next,
1733 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1736 vlib_node_increment_counter (vm, stats_node_index,
1737 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1739 return frame->n_vectors;
1743 snat_in2out_fast_path_fn (vlib_main_t * vm,
1744 vlib_node_runtime_t * node,
1745 vlib_frame_t * frame)
1747 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0);
1750 VLIB_REGISTER_NODE (snat_in2out_node) = {
1751 .function = snat_in2out_fast_path_fn,
1752 .name = "nat44-in2out",
1753 .vector_size = sizeof (u32),
1754 .format_trace = format_snat_in2out_trace,
1755 .type = VLIB_NODE_TYPE_INTERNAL,
1757 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1758 .error_strings = snat_in2out_error_strings,
1760 .runtime_data_bytes = sizeof (snat_runtime_t),
1762 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1764 /* edit / add dispositions here */
1766 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1767 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1768 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1769 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1770 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1774 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
1777 snat_in2out_output_fast_path_fn (vlib_main_t * vm,
1778 vlib_node_runtime_t * node,
1779 vlib_frame_t * frame)
1781 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1);
1784 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
1785 .function = snat_in2out_output_fast_path_fn,
1786 .name = "nat44-in2out-output",
1787 .vector_size = sizeof (u32),
1788 .format_trace = format_snat_in2out_trace,
1789 .type = VLIB_NODE_TYPE_INTERNAL,
1791 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1792 .error_strings = snat_in2out_error_strings,
1794 .runtime_data_bytes = sizeof (snat_runtime_t),
1796 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1798 /* edit / add dispositions here */
1800 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1801 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
1802 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
1803 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1804 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1808 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node,
1809 snat_in2out_output_fast_path_fn);
1812 snat_in2out_slow_path_fn (vlib_main_t * vm,
1813 vlib_node_runtime_t * node,
1814 vlib_frame_t * frame)
1816 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0);
1819 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
1820 .function = snat_in2out_slow_path_fn,
1821 .name = "nat44-in2out-slowpath",
1822 .vector_size = sizeof (u32),
1823 .format_trace = format_snat_in2out_trace,
1824 .type = VLIB_NODE_TYPE_INTERNAL,
1826 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1827 .error_strings = snat_in2out_error_strings,
1829 .runtime_data_bytes = sizeof (snat_runtime_t),
1831 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1833 /* edit / add dispositions here */
1835 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1836 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1837 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1838 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1839 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1843 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node,
1844 snat_in2out_slow_path_fn);
1847 snat_in2out_output_slow_path_fn (vlib_main_t * vm,
1848 vlib_node_runtime_t * node,
1849 vlib_frame_t * frame)
1851 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1);
1854 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
1855 .function = snat_in2out_output_slow_path_fn,
1856 .name = "nat44-in2out-output-slowpath",
1857 .vector_size = sizeof (u32),
1858 .format_trace = format_snat_in2out_trace,
1859 .type = VLIB_NODE_TYPE_INTERNAL,
1861 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1862 .error_strings = snat_in2out_error_strings,
1864 .runtime_data_bytes = sizeof (snat_runtime_t),
1866 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1868 /* edit / add dispositions here */
1870 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1871 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
1872 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
1873 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1874 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1878 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node,
1879 snat_in2out_output_slow_path_fn);
1881 extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local;
1884 nat44_hairpinning_fn_inline (vlib_main_t * vm,
1885 vlib_node_runtime_t * node,
1886 vlib_frame_t * frame,
1889 u32 n_left_from, * from, * to_next, stats_node_index;
1890 snat_in2out_next_t next_index;
1891 u32 pkts_processed = 0;
1892 snat_main_t * sm = &snat_main;
1893 vnet_feature_main_t *fm = &feature_main;
1894 u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index;
1895 vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index];
1897 stats_node_index = is_ed ? nat44_ed_hairpinning_node.index :
1898 nat44_hairpinning_node.index;
1899 from = vlib_frame_vector_args (frame);
1900 n_left_from = frame->n_vectors;
1901 next_index = node->cached_next_index;
1903 while (n_left_from > 0)
1907 vlib_get_next_frame (vm, node, next_index,
1908 to_next, n_left_to_next);
1910 while (n_left_from > 0 && n_left_to_next > 0)
1917 udp_header_t * udp0;
1918 tcp_header_t * tcp0;
1920 /* speculatively enqueue b0 to the current next frame */
1926 n_left_to_next -= 1;
1928 b0 = vlib_get_buffer (vm, bi0);
1929 ip0 = vlib_buffer_get_current (b0);
1930 udp0 = ip4_next_header (ip0);
1931 tcp0 = (tcp_header_t *) udp0;
1933 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1935 vnet_get_config_data (&cm->config_main, &b0->current_config_index,
1938 if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, is_ed))
1939 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1941 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1943 /* verify speculative enqueue, maybe switch current next frame */
1944 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1945 to_next, n_left_to_next,
1949 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1952 vlib_node_increment_counter (vm, stats_node_index,
1953 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1955 return frame->n_vectors;
1959 nat44_hairpinning_fn (vlib_main_t * vm,
1960 vlib_node_runtime_t * node,
1961 vlib_frame_t * frame)
1963 return nat44_hairpinning_fn_inline (vm, node, frame, 0);
1966 VLIB_REGISTER_NODE (nat44_hairpinning_node) = {
1967 .function = nat44_hairpinning_fn,
1968 .name = "nat44-hairpinning",
1969 .vector_size = sizeof (u32),
1970 .type = VLIB_NODE_TYPE_INTERNAL,
1971 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1972 .error_strings = snat_in2out_error_strings,
1975 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1976 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1980 VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node,
1981 nat44_hairpinning_fn);
1984 nat44_ed_hairpinning_fn (vlib_main_t * vm,
1985 vlib_node_runtime_t * node,
1986 vlib_frame_t * frame)
1988 return nat44_hairpinning_fn_inline (vm, node, frame, 1);
1991 VLIB_REGISTER_NODE (nat44_ed_hairpinning_node) = {
1992 .function = nat44_ed_hairpinning_fn,
1993 .name = "nat44-ed-hairpinning",
1994 .vector_size = sizeof (u32),
1995 .type = VLIB_NODE_TYPE_INTERNAL,
1996 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1997 .error_strings = snat_in2out_error_strings,
2000 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2001 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2005 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpinning_node,
2006 nat44_ed_hairpinning_fn);
2009 nat44_reass_hairpinning (snat_main_t *sm,
2016 snat_session_key_t key0, sm0;
2017 snat_session_t * s0;
2018 clib_bihash_kv_8_8_t kv0, value0;
2020 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
2021 u16 new_dst_port0, old_dst_port0;
2022 udp_header_t * udp0;
2023 tcp_header_t * tcp0;
2025 key0.addr = ip0->dst_address;
2027 key0.protocol = proto0;
2028 key0.fib_index = sm->outside_fib_index;
2029 kv0.key = key0.as_u64;
2031 udp0 = ip4_next_header (ip0);
2033 /* Check if destination is static mappings */
2034 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0))
2036 new_dst_addr0 = sm0.addr.as_u32;
2037 new_dst_port0 = sm0.port;
2038 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2040 /* or active sessions */
2043 if (sm->num_workers > 1)
2044 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
2046 ti = sm->num_workers;
2048 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
2051 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
2052 new_dst_addr0 = s0->in2out.addr.as_u32;
2053 new_dst_port0 = s0->in2out.port;
2054 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2058 /* Destination is behind the same NAT, use internal address and port */
2061 old_dst_addr0 = ip0->dst_address.as_u32;
2062 ip0->dst_address.as_u32 = new_dst_addr0;
2063 sum0 = ip0->checksum;
2064 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2065 ip4_header_t, dst_address);
2066 ip0->checksum = ip_csum_fold (sum0);
2068 old_dst_port0 = dport;
2069 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0 &&
2070 ip4_is_first_fragment (ip0)))
2072 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2074 tcp0 = ip4_next_header (ip0);
2075 tcp0->dst = new_dst_port0;
2076 sum0 = tcp0->checksum;
2077 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2078 ip4_header_t, dst_address);
2079 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
2080 ip4_header_t /* cheat */, length);
2081 tcp0->checksum = ip_csum_fold(sum0);
2085 udp0->dst_port = new_dst_port0;
2091 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2093 tcp0 = ip4_next_header (ip0);
2094 sum0 = tcp0->checksum;
2095 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2096 ip4_header_t, dst_address);
2097 tcp0->checksum = ip_csum_fold(sum0);
2104 nat44_in2out_reass_node_fn (vlib_main_t * vm,
2105 vlib_node_runtime_t * node,
2106 vlib_frame_t * frame)
2108 u32 n_left_from, *from, *to_next;
2109 snat_in2out_next_t next_index;
2110 u32 pkts_processed = 0;
2111 snat_main_t *sm = &snat_main;
2112 f64 now = vlib_time_now (vm);
2113 u32 thread_index = vm->thread_index;
2114 snat_main_per_thread_data_t *per_thread_data =
2115 &sm->per_thread_data[thread_index];
2116 u32 *fragments_to_drop = 0;
2117 u32 *fragments_to_loopback = 0;
2119 from = vlib_frame_vector_args (frame);
2120 n_left_from = frame->n_vectors;
2121 next_index = node->cached_next_index;
2123 while (n_left_from > 0)
2127 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2129 while (n_left_from > 0 && n_left_to_next > 0)
2131 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
2136 nat_reass_ip4_t *reass0;
2137 udp_header_t * udp0;
2138 tcp_header_t * tcp0;
2139 snat_session_key_t key0;
2140 clib_bihash_kv_8_8_t kv0, value0;
2141 snat_session_t * s0 = 0;
2142 u16 old_port0, new_port0;
2145 /* speculatively enqueue b0 to the current next frame */
2151 n_left_to_next -= 1;
2153 b0 = vlib_get_buffer (vm, bi0);
2154 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2156 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2157 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2160 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
2162 next0 = SNAT_IN2OUT_NEXT_DROP;
2163 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
2167 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
2168 udp0 = ip4_next_header (ip0);
2169 tcp0 = (tcp_header_t *) udp0;
2170 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2172 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
2177 &fragments_to_drop);
2179 if (PREDICT_FALSE (!reass0))
2181 next0 = SNAT_IN2OUT_NEXT_DROP;
2182 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
2183 nat_log_notice ("maximum reassemblies exceeded");
2187 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2189 key0.addr = ip0->src_address;
2190 key0.port = udp0->src_port;
2191 key0.protocol = proto0;
2192 key0.fib_index = rx_fib_index0;
2193 kv0.key = key0.as_u64;
2195 if (clib_bihash_search_8_8 (&per_thread_data->in2out, &kv0, &value0))
2197 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2198 ip0, proto0, rx_fib_index0, thread_index)))
2201 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2202 &s0, node, next0, thread_index, now);
2204 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2207 reass0->sess_index = s0 - per_thread_data->sessions;
2211 s0 = pool_elt_at_index (per_thread_data->sessions,
2213 reass0->sess_index = value0.value;
2215 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
2219 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
2221 if (nat_ip4_reass_add_fragment (reass0, bi0))
2223 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
2224 nat_log_notice ("maximum fragments per reassembly exceeded");
2225 next0 = SNAT_IN2OUT_NEXT_DROP;
2231 s0 = pool_elt_at_index (per_thread_data->sessions,
2232 reass0->sess_index);
2235 old_addr0 = ip0->src_address.as_u32;
2236 ip0->src_address = s0->out2in.addr;
2237 new_addr0 = ip0->src_address.as_u32;
2238 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2240 sum0 = ip0->checksum;
2241 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2243 src_address /* changed member */);
2244 ip0->checksum = ip_csum_fold (sum0);
2246 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2248 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2250 old_port0 = tcp0->src_port;
2251 tcp0->src_port = s0->out2in.port;
2252 new_port0 = tcp0->src_port;
2254 sum0 = tcp0->checksum;
2255 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2257 dst_address /* changed member */);
2258 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2259 ip4_header_t /* cheat */,
2260 length /* changed member */);
2261 tcp0->checksum = ip_csum_fold(sum0);
2265 old_port0 = udp0->src_port;
2266 udp0->src_port = s0->out2in.port;
2272 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
2273 s0->ext_host_port, proto0);
2276 nat44_session_update_counters (s0, now,
2277 vlib_buffer_length_in_chain (vm, b0));
2278 /* Per-user LRU list maintenance */
2279 nat44_session_update_lru (sm, s0, thread_index);
2282 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2283 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2285 nat44_in2out_reass_trace_t *t =
2286 vlib_add_trace (vm, node, b0, sizeof (*t));
2287 t->cached = cached0;
2288 t->sw_if_index = sw_if_index0;
2289 t->next_index = next0;
2299 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2301 /* verify speculative enqueue, maybe switch current next frame */
2302 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2303 to_next, n_left_to_next,
2307 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2309 from = vlib_frame_vector_args (frame);
2310 u32 len = vec_len (fragments_to_loopback);
2311 if (len <= VLIB_FRAME_SIZE)
2313 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2315 vec_reset_length (fragments_to_loopback);
2320 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2321 sizeof (u32) * VLIB_FRAME_SIZE);
2322 n_left_from = VLIB_FRAME_SIZE;
2323 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2328 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2331 vlib_node_increment_counter (vm, nat44_in2out_reass_node.index,
2332 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2335 nat_send_all_to_node (vm, fragments_to_drop, node,
2336 &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
2337 SNAT_IN2OUT_NEXT_DROP);
2339 vec_free (fragments_to_drop);
2340 vec_free (fragments_to_loopback);
2341 return frame->n_vectors;
2344 VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
2345 .function = nat44_in2out_reass_node_fn,
2346 .name = "nat44-in2out-reass",
2347 .vector_size = sizeof (u32),
2348 .format_trace = format_nat44_in2out_reass_trace,
2349 .type = VLIB_NODE_TYPE_INTERNAL,
2351 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2352 .error_strings = snat_in2out_error_strings,
2354 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2356 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2357 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2358 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2359 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2360 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2364 VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node,
2365 nat44_in2out_reass_node_fn);
2367 /*******************************/
2368 /*** endpoint-dependent mode ***/
2369 /*******************************/
2371 static_always_inline int
2372 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
2374 icmp46_header_t *icmp0;
2375 nat_ed_ses_key_t key0;
2376 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2377 ip4_header_t *inner_ip0 = 0;
2378 void *l4_header = 0;
2379 icmp46_header_t *inner_icmp0;
2381 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2382 echo0 = (icmp_echo_header_t *)(icmp0+1);
2384 if (!icmp_is_error_message (icmp0))
2386 key0.proto = IP_PROTOCOL_ICMP;
2387 key0.l_addr = ip0->src_address;
2388 key0.r_addr = ip0->dst_address;
2389 key0.l_port = echo0->identifier;
2394 inner_ip0 = (ip4_header_t *)(echo0+1);
2395 l4_header = ip4_next_header (inner_ip0);
2396 key0.proto = inner_ip0->protocol;
2397 key0.r_addr = inner_ip0->src_address;
2398 key0.l_addr = inner_ip0->dst_address;
2399 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
2401 case SNAT_PROTOCOL_ICMP:
2402 inner_icmp0 = (icmp46_header_t*)l4_header;
2403 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2405 key0.l_port = inner_echo0->identifier;
2407 case SNAT_PROTOCOL_UDP:
2408 case SNAT_PROTOCOL_TCP:
2409 key0.l_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2410 key0.r_port = ((tcp_udp_header_t*)l4_header)->src_port;
2413 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
2421 nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void * arg)
2423 snat_main_t *sm = &snat_main;
2424 nat44_is_idle_session_ctx_t *ctx = arg;
2426 u64 sess_timeout_time;
2427 nat_ed_ses_key_t ed_key;
2428 clib_bihash_kv_16_8_t ed_kv;
2431 snat_session_key_t key;
2432 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
2435 s = pool_elt_at_index (tsm->sessions, kv->value);
2436 sess_timeout_time = s->last_heard + (f64)nat44_session_get_timeout(sm, s);
2437 if (ctx->now >= sess_timeout_time)
2439 if (is_fwd_bypass_session (s))
2442 ed_key.l_addr = s->out2in.addr;
2443 ed_key.r_addr = s->ext_host_addr;
2444 ed_key.fib_index = s->out2in.fib_index;
2445 if (snat_is_unk_proto_session (s))
2447 ed_key.proto = s->in2out.port;
2453 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
2454 ed_key.l_port = s->out2in.port;
2455 ed_key.r_port = s->ext_host_port;
2457 ed_kv.key[0] = ed_key.as_u64[0];
2458 ed_kv.key[1] = ed_key.as_u64[1];
2459 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0))
2460 nat_log_warn ("out2in_ed key del failed");
2462 if (snat_is_unk_proto_session (s))
2465 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
2466 s->out2in.addr.as_u32,
2470 s->in2out.fib_index);
2472 if (is_twice_nat_session (s))
2474 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
2476 key.protocol = s->in2out.protocol;
2477 key.port = s->ext_host_nat_port;
2478 a = sm->twice_nat_addresses + i;
2479 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
2481 snat_free_outside_address_and_port (sm->twice_nat_addresses,
2482 ctx->thread_index, &key);
2488 if (snat_is_session_static (s))
2491 if (s->outside_address_index != ~0)
2492 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
2495 nat44_delete_session (sm, s, ctx->thread_index);
2503 icmp_in2out_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
2504 ip4_header_t * ip0, icmp46_header_t * icmp0,
2505 u32 sw_if_index0, u32 rx_fib_index0,
2506 vlib_node_runtime_t * node, u32 next0, f64 now,
2507 u32 thread_index, snat_session_t ** p_s0)
2509 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2510 next0, thread_index, p_s0, 0);
2511 snat_session_t * s0 = *p_s0;
2512 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
2515 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
2516 snat_icmp_hairpinning(sm, b0, ip0, icmp0, sm->endpoint_dependent);
2518 nat44_session_update_counters (s0, now,
2519 vlib_buffer_length_in_chain (sm->vlib_main, b0));
2525 slow_path_ed (snat_main_t *sm,
2528 clib_bihash_kv_16_8_t *kv,
2529 snat_session_t ** sessionp,
2530 vlib_node_runtime_t * node,
2537 snat_session_key_t key0, key1;
2538 lb_nat_type_t lb = 0, is_sm = 0;
2539 u32 address_index = ~0;
2540 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2541 nat_ed_ses_key_t *key = (nat_ed_ses_key_t *) kv->key;
2542 u32 proto = ip_proto_to_snat_proto (key->proto);
2543 nat_outside_fib_t *outside_fib;
2544 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
2545 fib_prefix_t pfx = {
2546 .fp_proto = FIB_PROTOCOL_IP4,
2549 .ip4.as_u32 = key->r_addr.as_u32,
2552 nat44_is_idle_session_ctx_t ctx;
2554 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
2556 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
2557 nat_ipfix_logging_max_sessions(sm->max_translations);
2558 nat_log_notice ("maximum sessions exceeded");
2559 return SNAT_IN2OUT_NEXT_DROP;
2562 key0.addr = key->l_addr;
2563 key0.port = key->l_port;
2564 key1.protocol = key0.protocol = proto;
2565 key0.fib_index = rx_fib_index;
2566 key1.fib_index = sm->outside_fib_index;
2567 /* First try to match static mapping by local address and port */
2568 if (snat_static_mapping_match (sm, key0, &key1, 0, 0, 0, &lb, 0))
2570 /* Try to create dynamic translation */
2571 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index,
2572 thread_index, &key1,
2574 sm->port_per_thread,
2575 tsm->snat_thread_index))
2577 nat_log_notice ("addresses exhausted");
2578 b->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
2579 return SNAT_IN2OUT_NEXT_DROP;
2585 u = nat_user_get_or_create (sm, &key->l_addr, rx_fib_index, thread_index);
2588 nat_log_warn ("create NAT user failed");
2590 snat_free_outside_address_and_port (sm->addresses,
2591 thread_index, &key1);
2592 return SNAT_IN2OUT_NEXT_DROP;
2595 s = nat_ed_session_alloc (sm, u, thread_index);
2598 nat44_delete_user_with_no_session (sm, u, thread_index);
2599 nat_log_warn ("create NAT session failed");
2601 snat_free_outside_address_and_port (sm->addresses,
2602 thread_index, &key1);
2603 return SNAT_IN2OUT_NEXT_DROP;
2606 user_session_increment (sm, u, is_sm);
2608 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
2610 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
2611 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
2612 s->outside_address_index = address_index;
2613 s->ext_host_addr = key->r_addr;
2614 s->ext_host_port = key->r_port;
2617 s->out2in.protocol = key0.protocol;
2619 switch (vec_len (sm->outside_fibs))
2622 s->out2in.fib_index = sm->outside_fib_index;
2625 s->out2in.fib_index = sm->outside_fibs[0].fib_index;
2628 vec_foreach (outside_fib, sm->outside_fibs)
2630 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
2631 if (FIB_NODE_INDEX_INVALID != fei)
2633 if (fib_entry_get_resolving_interface (fei) != ~0)
2635 s->out2in.fib_index = outside_fib->fib_index;
2643 /* Add to lookup tables */
2644 kv->value = s - tsm->sessions;
2646 ctx.thread_index = thread_index;
2647 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, kv,
2648 nat44_i2o_ed_is_idle_session_cb,
2650 nat_log_notice ("in2out-ed key add failed");
2652 make_ed_kv (kv, &key1.addr, &key->r_addr, key->proto, s->out2in.fib_index,
2653 key1.port, key->r_port);
2654 kv->value = s - tsm->sessions;
2655 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, kv,
2656 nat44_o2i_ed_is_idle_session_cb,
2658 nat_log_notice ("out2in-ed key add failed");
2663 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
2664 s->out2in.addr.as_u32,
2668 s->in2out.fib_index);
2672 static_always_inline int
2673 nat44_ed_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
2674 u32 sw_if_index, ip4_header_t * ip, u32 proto,
2675 u32 rx_fib_index, u32 thread_index)
2677 udp_header_t *udp = ip4_next_header (ip);
2678 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2679 clib_bihash_kv_16_8_t kv, value;
2680 snat_session_key_t key0, key1;
2682 make_ed_kv (&kv, &ip->dst_address, &ip->src_address, ip->protocol,
2683 sm->outside_fib_index, udp->dst_port, udp->src_port);
2685 /* NAT packet aimed at external address if */
2686 /* has active sessions */
2687 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
2689 key0.addr = ip->dst_address;
2690 key0.port = udp->dst_port;
2691 key0.protocol = proto;
2692 key0.fib_index = sm->outside_fib_index;
2693 /* or is static mappings */
2694 if (!snat_static_mapping_match(sm, key0, &key1, 1, 0, 0, 0, 0))
2700 if (sm->forwarding_enabled)
2703 return snat_not_translate_fast(sm, node, sw_if_index, ip, proto, rx_fib_index);
2706 static_always_inline int
2707 nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
2708 u32 thread_index, f64 now,
2709 vlib_main_t * vm, vlib_buffer_t * b)
2711 nat_ed_ses_key_t key;
2712 clib_bihash_kv_16_8_t kv, value;
2714 snat_session_t *s = 0;
2715 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2717 if (!sm->forwarding_enabled)
2720 if (ip->protocol == IP_PROTOCOL_ICMP)
2722 key.as_u64[0] = key.as_u64[1] = 0;
2723 if (icmp_get_ed_key (ip, &key))
2726 kv.key[0] = key.as_u64[0];
2727 kv.key[1] = key.as_u64[1];
2729 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
2731 udp = ip4_next_header(ip);
2732 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0,
2733 udp->src_port, udp->dst_port);
2737 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0, 0,
2741 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
2743 s = pool_elt_at_index (tsm->sessions, value.value);
2744 if (is_fwd_bypass_session (s))
2746 if (ip->protocol == IP_PROTOCOL_TCP)
2748 tcp_header_t *tcp = ip4_next_header(ip);
2749 if (nat44_set_tcp_session_state_i2o (sm, s, tcp, thread_index))
2753 nat44_session_update_counters (s, now,
2754 vlib_buffer_length_in_chain (vm, b));
2764 static_always_inline int
2765 nat44_ed_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip,
2766 u8 proto, u16 src_port, u16 dst_port,
2767 u32 thread_index, u32 rx_sw_if_index,
2770 clib_bihash_kv_16_8_t kv, value;
2771 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2772 snat_interface_t *i;
2774 u32 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (rx_sw_if_index);
2775 u32 tx_fib_index = ip4_fib_table_get_index_for_sw_if_index (tx_sw_if_index);
2778 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, tx_fib_index,
2779 src_port, dst_port);
2780 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
2784 make_ed_kv (&kv, &ip->dst_address, &ip->src_address, proto, rx_fib_index,
2785 dst_port, src_port);
2786 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
2788 s = pool_elt_at_index (tsm->sessions, value.value);
2789 if (is_fwd_bypass_session (s))
2793 pool_foreach (i, sm->output_feature_interfaces,
2795 if ((nat_interface_is_inside(i)) && (rx_sw_if_index == i->sw_if_index))
2805 icmp_match_in2out_ed(snat_main_t *sm, vlib_node_runtime_t *node,
2806 u32 thread_index, vlib_buffer_t *b, ip4_header_t *ip,
2807 u8 *p_proto, snat_session_key_t *p_value,
2808 u8 *p_dont_translate, void *d, void *e)
2810 icmp46_header_t *icmp;
2813 nat_ed_ses_key_t key;
2814 snat_session_t *s = 0;
2815 u8 dont_translate = 0;
2816 clib_bihash_kv_16_8_t kv, value;
2819 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2821 icmp = (icmp46_header_t *) ip4_next_header (ip);
2822 sw_if_index = vnet_buffer(b)->sw_if_index[VLIB_RX];
2823 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
2825 key.as_u64[0] = key.as_u64[1] = 0;
2826 err = icmp_get_ed_key (ip, &key);
2829 b->error = node->errors[err];
2830 next = SNAT_IN2OUT_NEXT_DROP;
2833 key.fib_index = rx_fib_index;
2835 kv.key[0] = key.as_u64[0];
2836 kv.key[1] = key.as_u64[1];
2838 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
2840 if (vnet_buffer(b)->sw_if_index[VLIB_TX] != ~0)
2842 if (PREDICT_FALSE(nat44_ed_not_translate_output_feature(sm, ip,
2843 key.proto, key.l_port, key.r_port, thread_index, sw_if_index,
2844 vnet_buffer(b)->sw_if_index[VLIB_TX])))
2852 if (PREDICT_FALSE(nat44_ed_not_translate(sm, node, sw_if_index,
2853 ip, SNAT_PROTOCOL_ICMP, rx_fib_index, thread_index)))
2860 if (PREDICT_FALSE(icmp_is_error_message (icmp)))
2862 b->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
2863 next = SNAT_IN2OUT_NEXT_DROP;
2867 next = slow_path_ed (sm, b, rx_fib_index, &kv, &s, node, next,
2868 thread_index, vlib_time_now (sm->vlib_main));
2870 if (PREDICT_FALSE (next == SNAT_IN2OUT_NEXT_DROP))
2875 if (PREDICT_FALSE(icmp->type != ICMP4_echo_request &&
2876 icmp->type != ICMP4_echo_reply &&
2877 !icmp_is_error_message (icmp)))
2879 b->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
2880 next = SNAT_IN2OUT_NEXT_DROP;
2884 s = pool_elt_at_index (tsm->sessions, value.value);
2887 *p_proto = ip_proto_to_snat_proto (key.proto);
2890 *p_value = s->out2in;
2891 *p_dont_translate = dont_translate;
2893 *(snat_session_t**)d = s;
2898 nat44_ed_hairpinning_unknown_proto (snat_main_t *sm,
2902 u32 old_addr, new_addr = 0, ti = 0;
2903 clib_bihash_kv_8_8_t kv, value;
2904 clib_bihash_kv_16_8_t s_kv, s_value;
2905 snat_static_mapping_t *m;
2908 snat_main_per_thread_data_t *tsm;
2910 if (sm->num_workers > 1)
2911 ti = sm->worker_out2in_cb (ip, sm->outside_fib_index);
2913 ti = sm->num_workers;
2914 tsm = &sm->per_thread_data[ti];
2916 old_addr = ip->dst_address.as_u32;
2917 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
2918 sm->outside_fib_index, 0, 0);
2919 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
2921 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
2922 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
2925 m = pool_elt_at_index (sm->static_mappings, value.value);
2926 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
2927 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
2928 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
2932 s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value);
2933 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
2934 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
2935 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
2938 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
2939 ip->checksum = ip_csum_fold (sum);
2942 static snat_session_t *
2943 nat44_ed_in2out_unknown_proto (snat_main_t *sm,
2950 vlib_node_runtime_t * node)
2952 clib_bihash_kv_8_8_t kv, value;
2953 clib_bihash_kv_16_8_t s_kv, s_value;
2954 snat_static_mapping_t *m;
2955 u32 old_addr, new_addr = 0;
2958 dlist_elt_t *head, *elt;
2959 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2960 u32 elt_index, head_index, ses_index;
2962 u32 address_index = ~0, outside_fib_index = sm->outside_fib_index;
2965 nat_outside_fib_t *outside_fib;
2966 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
2967 fib_prefix_t pfx = {
2968 .fp_proto = FIB_PROTOCOL_IP4,
2971 .ip4.as_u32 = ip->dst_address.as_u32,
2975 switch (vec_len (sm->outside_fibs))
2978 outside_fib_index = sm->outside_fib_index;
2981 outside_fib_index = sm->outside_fibs[0].fib_index;
2984 vec_foreach (outside_fib, sm->outside_fibs)
2986 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
2987 if (FIB_NODE_INDEX_INVALID != fei)
2989 if (fib_entry_get_resolving_interface (fei) != ~0)
2991 outside_fib_index = outside_fib->fib_index;
2998 old_addr = ip->src_address.as_u32;
3000 make_ed_kv (&s_kv, &ip->src_address, &ip->dst_address, ip->protocol,
3001 rx_fib_index, 0, 0);
3003 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &s_kv, &s_value))
3005 s = pool_elt_at_index (tsm->sessions, s_value.value);
3006 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
3010 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
3012 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
3013 nat_ipfix_logging_max_sessions(sm->max_translations);
3014 nat_log_notice ("maximum sessions exceeded");
3018 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
3022 nat_log_warn ("create NAT user failed");
3026 make_sm_kv (&kv, &ip->src_address, 0, rx_fib_index, 0);
3028 /* Try to find static mapping first */
3029 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
3031 m = pool_elt_at_index (sm->static_mappings, value.value);
3032 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
3036 /* Fallback to 3-tuple key */
3039 /* Choose same out address as for TCP/UDP session to same destination */
3040 head_index = u->sessions_per_user_list_head_index;
3041 head = pool_elt_at_index (tsm->list_pool, head_index);
3042 elt_index = head->next;
3043 if (PREDICT_FALSE (elt_index == ~0))
3047 elt = pool_elt_at_index (tsm->list_pool, elt_index);
3048 ses_index = elt->value;
3051 while (ses_index != ~0)
3053 s = pool_elt_at_index (tsm->sessions, ses_index);
3054 elt_index = elt->next;
3055 elt = pool_elt_at_index (tsm->list_pool, elt_index);
3056 ses_index = elt->value;
3058 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
3060 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
3061 address_index = s->outside_address_index;
3063 make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address,
3064 ip->protocol, outside_fib_index, 0, 0);
3065 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
3072 for (i = 0; i < vec_len (sm->addresses); i++)
3074 make_ed_kv (&s_kv, &sm->addresses[i].addr, &ip->dst_address,
3075 ip->protocol, outside_fib_index, 0, 0);
3076 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
3078 new_addr = ip->src_address.as_u32 =
3079 sm->addresses[i].addr.as_u32;
3088 s = nat_ed_session_alloc (sm, u, thread_index);
3091 nat44_delete_user_with_no_session (sm, u, thread_index);
3092 nat_log_warn ("create NAT session failed");
3096 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
3097 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
3098 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
3099 s->outside_address_index = address_index;
3100 s->out2in.addr.as_u32 = new_addr;
3101 s->out2in.fib_index = outside_fib_index;
3102 s->in2out.addr.as_u32 = old_addr;
3103 s->in2out.fib_index = rx_fib_index;
3104 s->in2out.port = s->out2in.port = ip->protocol;
3106 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
3107 user_session_increment (sm, u, is_sm);
3109 /* Add to lookup tables */
3110 make_ed_kv (&s_kv, &s->in2out.addr, &ip->dst_address, ip->protocol,
3111 rx_fib_index, 0, 0);
3112 s_kv.value = s - tsm->sessions;
3113 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
3114 nat_log_notice ("in2out key add failed");
3116 make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address, ip->protocol,
3117 outside_fib_index, 0, 0);
3118 s_kv.value = s - tsm->sessions;
3119 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
3120 nat_log_notice ("out2in key add failed");
3123 /* Update IP checksum */
3125 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
3126 ip->checksum = ip_csum_fold (sum);
3129 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b));
3132 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
3133 nat44_ed_hairpinning_unknown_proto(sm, b, ip);
3135 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
3136 vnet_buffer(b)->sw_if_index[VLIB_TX] = outside_fib_index;
3142 nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
3143 vlib_node_runtime_t * node,
3144 vlib_frame_t * frame, int is_slow_path,
3145 int is_output_feature)
3147 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
3148 snat_in2out_next_t next_index;
3149 snat_main_t *sm = &snat_main;
3150 f64 now = vlib_time_now (vm);
3151 u32 thread_index = vm->thread_index;
3152 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
3154 stats_node_index = is_slow_path ? nat44_ed_in2out_slowpath_node.index :
3155 nat44_ed_in2out_node.index;
3157 from = vlib_frame_vector_args (frame);
3158 n_left_from = frame->n_vectors;
3159 next_index = node->cached_next_index;
3161 while (n_left_from > 0)
3165 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
3167 while (n_left_from >= 4 && n_left_to_next >= 2)
3170 vlib_buffer_t *b0, *b1;
3171 u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0,
3172 new_addr0, old_addr0;
3173 u32 next1, sw_if_index1, rx_fib_index1, iph_offset1 = 0, proto1,
3174 new_addr1, old_addr1;
3175 u16 old_port0, new_port0, old_port1, new_port1;
3176 ip4_header_t *ip0, *ip1;
3177 udp_header_t *udp0, *udp1;
3178 tcp_header_t *tcp0, *tcp1;
3179 icmp46_header_t *icmp0, *icmp1;
3180 snat_session_t *s0 = 0, *s1 = 0;
3181 clib_bihash_kv_16_8_t kv0, value0, kv1, value1;
3182 ip_csum_t sum0, sum1;
3184 /* Prefetch next iteration. */
3186 vlib_buffer_t * p2, * p3;
3188 p2 = vlib_get_buffer (vm, from[2]);
3189 p3 = vlib_get_buffer (vm, from[3]);
3191 vlib_prefetch_buffer_header (p2, LOAD);
3192 vlib_prefetch_buffer_header (p3, LOAD);
3194 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
3195 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
3198 /* speculatively enqueue b0 and b1 to the current next frame */
3199 to_next[0] = bi0 = from[0];
3200 to_next[1] = bi1 = from[1];
3204 n_left_to_next -= 2;
3206 b0 = vlib_get_buffer (vm, bi0);
3207 b1 = vlib_get_buffer (vm, bi1);
3209 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3211 if (is_output_feature)
3212 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
3214 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
3217 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3218 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
3221 if (PREDICT_FALSE(ip0->ttl == 1))
3223 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3224 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3225 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3227 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3231 udp0 = ip4_next_header (ip0);
3232 tcp0 = (tcp_header_t *) udp0;
3233 icmp0 = (icmp46_header_t *) udp0;
3234 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3238 if (PREDICT_FALSE (proto0 == ~0))
3240 s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0,
3242 thread_index, now, vm,
3245 next0 = SNAT_IN2OUT_NEXT_DROP;
3249 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
3251 next0 = icmp_in2out_ed_slow_path
3252 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
3253 next0, now, thread_index, &s0);
3259 if (is_output_feature)
3261 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(
3262 sm, ip0, thread_index, now, vm, b0)))
3266 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
3268 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
3272 if (ip4_is_fragment (ip0))
3274 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
3275 next0 = SNAT_IN2OUT_NEXT_DROP;
3280 make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, ip0->protocol,
3281 rx_fib_index0, udp0->src_port, udp0->dst_port);
3283 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
3287 if (is_output_feature)
3289 if (PREDICT_FALSE(nat44_ed_not_translate_output_feature(
3290 sm, ip0, ip0->protocol, udp0->src_port,
3291 udp0->dst_port, thread_index, sw_if_index0,
3292 vnet_buffer(b0)->sw_if_index[VLIB_TX])))
3297 if (PREDICT_FALSE(nat44_ed_not_translate(sm, node,
3298 sw_if_index0, ip0, proto0, rx_fib_index0,
3303 next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
3304 next0, thread_index, now);
3306 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
3311 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
3317 s0 = pool_elt_at_index (tsm->sessions, value0.value);
3320 b0->flags |= VNET_BUFFER_F_IS_NATED;
3322 if (!is_output_feature)
3323 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
3325 old_addr0 = ip0->src_address.as_u32;
3326 new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32;
3327 sum0 = ip0->checksum;
3328 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
3330 if (PREDICT_FALSE (is_twice_nat_session (s0)))
3331 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
3332 s0->ext_host_addr.as_u32, ip4_header_t,
3334 ip0->checksum = ip_csum_fold (sum0);
3336 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
3338 old_port0 = tcp0->src_port;
3339 new_port0 = tcp0->src_port = s0->out2in.port;
3341 sum0 = tcp0->checksum;
3342 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
3344 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
3346 if (PREDICT_FALSE (is_twice_nat_session (s0)))
3348 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
3349 s0->ext_host_addr.as_u32,
3350 ip4_header_t, dst_address);
3351 sum0 = ip_csum_update (sum0, tcp0->dst_port,
3352 s0->ext_host_port, ip4_header_t,
3354 tcp0->dst_port = s0->ext_host_port;
3355 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
3357 tcp0->checksum = ip_csum_fold(sum0);
3358 if (nat44_set_tcp_session_state_i2o (sm, s0, tcp0, thread_index))
3363 udp0->src_port = s0->out2in.port;
3365 if (PREDICT_FALSE (is_twice_nat_session (s0)))
3367 udp0->dst_port = s0->ext_host_port;
3368 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
3373 nat44_session_update_counters (s0, now,
3374 vlib_buffer_length_in_chain (vm, b0));
3377 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3378 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3380 snat_in2out_trace_t *t =
3381 vlib_add_trace (vm, node, b0, sizeof (*t));
3382 t->is_slow_path = is_slow_path;
3383 t->sw_if_index = sw_if_index0;
3384 t->next_index = next0;
3385 t->session_index = ~0;
3387 t->session_index = s0 - tsm->sessions;
3390 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3393 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
3395 if (is_output_feature)
3396 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
3398 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
3401 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
3402 rx_fib_index1 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
3405 if (PREDICT_FALSE(ip1->ttl == 1))
3407 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3408 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
3409 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3411 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3415 udp1 = ip4_next_header (ip1);
3416 tcp1 = (tcp_header_t *) udp1;
3417 icmp1 = (icmp46_header_t *) udp1;
3418 proto1 = ip_proto_to_snat_proto (ip1->protocol);
3422 if (PREDICT_FALSE (proto1 == ~0))
3424 s1 = nat44_ed_in2out_unknown_proto (sm, b1, ip1,
3426 thread_index, now, vm,
3429 next1 = SNAT_IN2OUT_NEXT_DROP;
3433 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
3435 next1 = icmp_in2out_ed_slow_path
3436 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
3437 next1, now, thread_index, &s1);
3443 if (is_output_feature)
3445 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(
3446 sm, ip1, thread_index, now, vm, b1)))
3450 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
3452 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
3456 if (ip4_is_fragment (ip1))
3458 b1->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
3459 next1 = SNAT_IN2OUT_NEXT_DROP;
3464 make_ed_kv (&kv1, &ip1->src_address, &ip1->dst_address, ip1->protocol,
3465 rx_fib_index1, udp1->src_port, udp1->dst_port);
3467 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv1, &value1))
3471 if (is_output_feature)
3473 if (PREDICT_FALSE(nat44_ed_not_translate_output_feature(
3474 sm, ip1, ip1->protocol, udp1->src_port,
3475 udp1->dst_port, thread_index, sw_if_index1,
3476 vnet_buffer(b1)->sw_if_index[VLIB_TX])))
3481 if (PREDICT_FALSE(nat44_ed_not_translate(sm, node,
3482 sw_if_index1, ip1, proto1, rx_fib_index1,
3487 next1 = slow_path_ed (sm, b1, rx_fib_index1, &kv1, &s1, node,
3488 next1, thread_index, now);
3490 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
3495 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
3501 s1 = pool_elt_at_index (tsm->sessions, value1.value);
3504 b1->flags |= VNET_BUFFER_F_IS_NATED;
3506 if (!is_output_feature)
3507 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
3509 old_addr1 = ip1->src_address.as_u32;
3510 new_addr1 = ip1->src_address.as_u32 = s1->out2in.addr.as_u32;
3511 sum1 = ip1->checksum;
3512 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
3514 if (PREDICT_FALSE (is_twice_nat_session (s1)))
3515 sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32,
3516 s1->ext_host_addr.as_u32, ip4_header_t,
3518 ip1->checksum = ip_csum_fold (sum1);
3520 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
3522 old_port1 = tcp1->src_port;
3523 new_port1 = tcp1->src_port = s1->out2in.port;
3525 sum1 = tcp1->checksum;
3526 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
3528 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
3530 if (PREDICT_FALSE (is_twice_nat_session (s1)))
3532 sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32,
3533 s1->ext_host_addr.as_u32,
3534 ip4_header_t, dst_address);
3535 sum1 = ip_csum_update (sum1, tcp1->dst_port,
3536 s1->ext_host_port, ip4_header_t,
3538 tcp1->dst_port = s1->ext_host_port;
3539 ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
3541 tcp1->checksum = ip_csum_fold(sum1);
3542 if (nat44_set_tcp_session_state_i2o (sm, s1, tcp1, thread_index))
3547 udp1->src_port = s1->out2in.port;
3549 if (PREDICT_FALSE (is_twice_nat_session (s1)))
3551 udp1->dst_port = s1->ext_host_port;
3552 ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
3557 nat44_session_update_counters (s1, now,
3558 vlib_buffer_length_in_chain (vm, b1));
3561 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3562 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
3564 snat_in2out_trace_t *t =
3565 vlib_add_trace (vm, node, b1, sizeof (*t));
3566 t->is_slow_path = is_slow_path;
3567 t->sw_if_index = sw_if_index1;
3568 t->next_index = next1;
3569 t->session_index = ~0;
3571 t->session_index = s1 - tsm->sessions;
3574 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
3576 /* verify speculative enqueues, maybe switch current next frame */
3577 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
3578 to_next, n_left_to_next,
3579 bi0, bi1, next0, next1);
3582 while (n_left_from > 0 && n_left_to_next > 0)
3586 u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0,
3587 new_addr0, old_addr0;
3588 u16 old_port0, new_port0;
3592 icmp46_header_t * icmp0;
3593 snat_session_t *s0 = 0;
3594 clib_bihash_kv_16_8_t kv0, value0;
3597 /* speculatively enqueue b0 to the current next frame */
3603 n_left_to_next -= 1;
3605 b0 = vlib_get_buffer (vm, bi0);
3606 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3608 if (is_output_feature)
3609 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
3611 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
3614 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3615 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
3618 if (PREDICT_FALSE(ip0->ttl == 1))
3620 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3621 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3622 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3624 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3628 udp0 = ip4_next_header (ip0);
3629 tcp0 = (tcp_header_t *) udp0;
3630 icmp0 = (icmp46_header_t *) udp0;
3631 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3635 if (PREDICT_FALSE (proto0 == ~0))
3637 s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0,
3639 thread_index, now, vm,
3642 next0 = SNAT_IN2OUT_NEXT_DROP;
3646 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
3648 next0 = icmp_in2out_ed_slow_path
3649 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
3650 next0, now, thread_index, &s0);
3656 if (is_output_feature)
3658 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(
3659 sm, ip0, thread_index, now, vm, b0)))
3663 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
3665 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
3669 if (ip4_is_fragment (ip0))
3671 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
3672 next0 = SNAT_IN2OUT_NEXT_DROP;
3677 make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, ip0->protocol,
3678 rx_fib_index0, udp0->src_port, udp0->dst_port);
3680 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
3684 if (is_output_feature)
3686 if (PREDICT_FALSE(nat44_ed_not_translate_output_feature(
3687 sm, ip0, ip0->protocol, udp0->src_port,
3688 udp0->dst_port, thread_index, sw_if_index0,
3689 vnet_buffer(b0)->sw_if_index[VLIB_TX])))
3694 if (PREDICT_FALSE(nat44_ed_not_translate(sm, node,
3695 sw_if_index0, ip0, proto0, rx_fib_index0,
3700 next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
3701 next0, thread_index, now);
3703 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
3708 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
3714 s0 = pool_elt_at_index (tsm->sessions, value0.value);
3717 b0->flags |= VNET_BUFFER_F_IS_NATED;
3719 if (!is_output_feature)
3720 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
3722 old_addr0 = ip0->src_address.as_u32;
3723 new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32;
3724 sum0 = ip0->checksum;
3725 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
3727 if (PREDICT_FALSE (is_twice_nat_session (s0)))
3728 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
3729 s0->ext_host_addr.as_u32, ip4_header_t,
3731 ip0->checksum = ip_csum_fold (sum0);
3733 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
3735 old_port0 = tcp0->src_port;
3736 new_port0 = tcp0->src_port = s0->out2in.port;
3738 sum0 = tcp0->checksum;
3739 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
3741 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
3743 if (PREDICT_FALSE (is_twice_nat_session (s0)))
3745 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
3746 s0->ext_host_addr.as_u32,
3747 ip4_header_t, dst_address);
3748 sum0 = ip_csum_update (sum0, tcp0->dst_port,
3749 s0->ext_host_port, ip4_header_t,
3751 tcp0->dst_port = s0->ext_host_port;
3752 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
3754 tcp0->checksum = ip_csum_fold(sum0);
3755 if (nat44_set_tcp_session_state_i2o (sm, s0, tcp0, thread_index))
3760 udp0->src_port = s0->out2in.port;
3762 if (PREDICT_FALSE (is_twice_nat_session (s0)))
3764 udp0->dst_port = s0->ext_host_port;
3765 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
3770 nat44_session_update_counters (s0, now,
3771 vlib_buffer_length_in_chain (vm, b0));
3774 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3775 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3777 snat_in2out_trace_t *t =
3778 vlib_add_trace (vm, node, b0, sizeof (*t));
3779 t->is_slow_path = is_slow_path;
3780 t->sw_if_index = sw_if_index0;
3781 t->next_index = next0;
3782 t->session_index = ~0;
3784 t->session_index = s0 - tsm->sessions;
3787 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3789 /* verify speculative enqueue, maybe switch current next frame */
3790 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3791 to_next, n_left_to_next,
3795 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3798 vlib_node_increment_counter (vm, stats_node_index,
3799 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3801 return frame->n_vectors;
3805 nat44_ed_in2out_fast_path_fn (vlib_main_t * vm,
3806 vlib_node_runtime_t * node,
3807 vlib_frame_t * frame)
3809 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 0);
3812 VLIB_REGISTER_NODE (nat44_ed_in2out_node) = {
3813 .function = nat44_ed_in2out_fast_path_fn,
3814 .name = "nat44-ed-in2out",
3815 .vector_size = sizeof (u32),
3816 .format_trace = format_snat_in2out_trace,
3817 .type = VLIB_NODE_TYPE_INTERNAL,
3819 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3820 .error_strings = snat_in2out_error_strings,
3822 .runtime_data_bytes = sizeof (snat_runtime_t),
3824 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
3826 /* edit / add dispositions here */
3828 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3829 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3830 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-slowpath",
3831 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3832 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
3836 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_node, nat44_ed_in2out_fast_path_fn);
3839 nat44_ed_in2out_output_fast_path_fn (vlib_main_t * vm,
3840 vlib_node_runtime_t * node,
3841 vlib_frame_t * frame)
3843 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 1);
3846 VLIB_REGISTER_NODE (nat44_ed_in2out_output_node) = {
3847 .function = nat44_ed_in2out_output_fast_path_fn,
3848 .name = "nat44-ed-in2out-output",
3849 .vector_size = sizeof (u32),
3850 .format_trace = format_snat_in2out_trace,
3851 .type = VLIB_NODE_TYPE_INTERNAL,
3853 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3854 .error_strings = snat_in2out_error_strings,
3856 .runtime_data_bytes = sizeof (snat_runtime_t),
3858 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
3860 /* edit / add dispositions here */
3862 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3863 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
3864 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
3865 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3866 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
3870 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_output_node,
3871 nat44_ed_in2out_output_fast_path_fn);
3874 nat44_ed_in2out_slow_path_fn (vlib_main_t * vm,
3875 vlib_node_runtime_t * node,
3876 vlib_frame_t * frame)
3878 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 0);
3881 VLIB_REGISTER_NODE (nat44_ed_in2out_slowpath_node) = {
3882 .function = nat44_ed_in2out_slow_path_fn,
3883 .name = "nat44-ed-in2out-slowpath",
3884 .vector_size = sizeof (u32),
3885 .format_trace = format_snat_in2out_trace,
3886 .type = VLIB_NODE_TYPE_INTERNAL,
3888 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3889 .error_strings = snat_in2out_error_strings,
3891 .runtime_data_bytes = sizeof (snat_runtime_t),
3893 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
3895 /* edit / add dispositions here */
3897 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3898 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3899 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-slowpath",
3900 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3901 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
3905 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_slowpath_node,
3906 nat44_ed_in2out_slow_path_fn);
3909 nat44_ed_in2out_output_slow_path_fn (vlib_main_t * vm,
3910 vlib_node_runtime_t * node,
3911 vlib_frame_t * frame)
3913 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 1);
3916 VLIB_REGISTER_NODE (nat44_ed_in2out_output_slowpath_node) = {
3917 .function = nat44_ed_in2out_output_slow_path_fn,
3918 .name = "nat44-ed-in2out-output-slowpath",
3919 .vector_size = sizeof (u32),
3920 .format_trace = format_snat_in2out_trace,
3921 .type = VLIB_NODE_TYPE_INTERNAL,
3923 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3924 .error_strings = snat_in2out_error_strings,
3926 .runtime_data_bytes = sizeof (snat_runtime_t),
3928 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
3930 /* edit / add dispositions here */
3932 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3933 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
3934 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
3935 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3936 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
3940 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_output_slowpath_node,
3941 nat44_ed_in2out_output_slow_path_fn);
3943 /**************************/
3944 /*** deterministic mode ***/
3945 /**************************/
3947 snat_det_in2out_node_fn (vlib_main_t * vm,
3948 vlib_node_runtime_t * node,
3949 vlib_frame_t * frame)
3951 u32 n_left_from, * from, * to_next;
3952 snat_in2out_next_t next_index;
3953 u32 pkts_processed = 0;
3954 snat_main_t * sm = &snat_main;
3955 u32 now = (u32) vlib_time_now (vm);
3956 u32 thread_index = vm->thread_index;
3958 from = vlib_frame_vector_args (frame);
3959 n_left_from = frame->n_vectors;
3960 next_index = node->cached_next_index;
3962 while (n_left_from > 0)
3966 vlib_get_next_frame (vm, node, next_index,
3967 to_next, n_left_to_next);
3969 while (n_left_from >= 4 && n_left_to_next >= 2)
3972 vlib_buffer_t * b0, * b1;
3974 u32 sw_if_index0, sw_if_index1;
3975 ip4_header_t * ip0, * ip1;
3976 ip_csum_t sum0, sum1;
3977 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
3978 u16 old_port0, new_port0, lo_port0, i0;
3979 u16 old_port1, new_port1, lo_port1, i1;
3980 udp_header_t * udp0, * udp1;
3981 tcp_header_t * tcp0, * tcp1;
3983 snat_det_out_key_t key0, key1;
3984 snat_det_map_t * dm0, * dm1;
3985 snat_det_session_t * ses0 = 0, * ses1 = 0;
3986 u32 rx_fib_index0, rx_fib_index1;
3987 icmp46_header_t * icmp0, * icmp1;
3989 /* Prefetch next iteration. */
3991 vlib_buffer_t * p2, * p3;
3993 p2 = vlib_get_buffer (vm, from[2]);
3994 p3 = vlib_get_buffer (vm, from[3]);
3996 vlib_prefetch_buffer_header (p2, LOAD);
3997 vlib_prefetch_buffer_header (p3, LOAD);
3999 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
4000 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
4003 /* speculatively enqueue b0 and b1 to the current next frame */
4004 to_next[0] = bi0 = from[0];
4005 to_next[1] = bi1 = from[1];
4009 n_left_to_next -= 2;
4011 b0 = vlib_get_buffer (vm, bi0);
4012 b1 = vlib_get_buffer (vm, bi1);
4014 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
4015 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
4017 ip0 = vlib_buffer_get_current (b0);
4018 udp0 = ip4_next_header (ip0);
4019 tcp0 = (tcp_header_t *) udp0;
4021 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
4023 if (PREDICT_FALSE(ip0->ttl == 1))
4025 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4026 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
4027 ICMP4_time_exceeded_ttl_exceeded_in_transit,
4029 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4033 proto0 = ip_proto_to_snat_proto (ip0->protocol);
4035 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
4037 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
4038 icmp0 = (icmp46_header_t *) udp0;
4040 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
4041 rx_fib_index0, node, next0, thread_index,
4046 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
4047 if (PREDICT_FALSE(!dm0))
4049 nat_log_info ("no match for internal host %U",
4050 format_ip4_address, &ip0->src_address);
4051 next0 = SNAT_IN2OUT_NEXT_DROP;
4052 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
4056 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
4058 key0.ext_host_addr = ip0->dst_address;
4059 key0.ext_host_port = tcp0->dst;
4061 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
4062 if (PREDICT_FALSE(!ses0))
4064 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
4066 key0.out_port = clib_host_to_net_u16 (lo_port0 +
4067 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
4069 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
4072 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
4075 if (PREDICT_FALSE(!ses0))
4077 /* too many sessions for user, send ICMP error packet */
4079 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4080 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
4081 ICMP4_destination_unreachable_destination_unreachable_host,
4083 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4088 new_port0 = ses0->out.out_port;
4090 old_addr0.as_u32 = ip0->src_address.as_u32;
4091 ip0->src_address.as_u32 = new_addr0.as_u32;
4092 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
4094 sum0 = ip0->checksum;
4095 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
4097 src_address /* changed member */);
4098 ip0->checksum = ip_csum_fold (sum0);
4100 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4102 if (tcp0->flags & TCP_FLAG_SYN)
4103 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
4104 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
4105 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
4106 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
4107 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
4108 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
4109 snat_det_ses_close(dm0, ses0);
4110 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
4111 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
4112 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
4113 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
4115 old_port0 = tcp0->src;
4116 tcp0->src = new_port0;
4118 sum0 = tcp0->checksum;
4119 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
4121 dst_address /* changed member */);
4122 sum0 = ip_csum_update (sum0, old_port0, new_port0,
4123 ip4_header_t /* cheat */,
4124 length /* changed member */);
4125 tcp0->checksum = ip_csum_fold(sum0);
4129 ses0->state = SNAT_SESSION_UDP_ACTIVE;
4130 old_port0 = udp0->src_port;
4131 udp0->src_port = new_port0;
4137 case SNAT_SESSION_UDP_ACTIVE:
4138 ses0->expire = now + sm->udp_timeout;
4140 case SNAT_SESSION_TCP_SYN_SENT:
4141 case SNAT_SESSION_TCP_FIN_WAIT:
4142 case SNAT_SESSION_TCP_CLOSE_WAIT:
4143 case SNAT_SESSION_TCP_LAST_ACK:
4144 ses0->expire = now + sm->tcp_transitory_timeout;
4146 case SNAT_SESSION_TCP_ESTABLISHED:
4147 ses0->expire = now + sm->tcp_established_timeout;
4152 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
4153 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
4155 snat_in2out_trace_t *t =
4156 vlib_add_trace (vm, node, b0, sizeof (*t));
4157 t->is_slow_path = 0;
4158 t->sw_if_index = sw_if_index0;
4159 t->next_index = next0;
4160 t->session_index = ~0;
4162 t->session_index = ses0 - dm0->sessions;
4165 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
4167 ip1 = vlib_buffer_get_current (b1);
4168 udp1 = ip4_next_header (ip1);
4169 tcp1 = (tcp_header_t *) udp1;
4171 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
4173 if (PREDICT_FALSE(ip1->ttl == 1))
4175 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4176 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
4177 ICMP4_time_exceeded_ttl_exceeded_in_transit,
4179 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4183 proto1 = ip_proto_to_snat_proto (ip1->protocol);
4185 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
4187 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
4188 icmp1 = (icmp46_header_t *) udp1;
4190 next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
4191 rx_fib_index1, node, next1, thread_index,
4196 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
4197 if (PREDICT_FALSE(!dm1))
4199 nat_log_info ("no match for internal host %U",
4200 format_ip4_address, &ip0->src_address);
4201 next1 = SNAT_IN2OUT_NEXT_DROP;
4202 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
4206 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
4208 key1.ext_host_addr = ip1->dst_address;
4209 key1.ext_host_port = tcp1->dst;
4211 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
4212 if (PREDICT_FALSE(!ses1))
4214 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
4216 key1.out_port = clib_host_to_net_u16 (lo_port1 +
4217 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
4219 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
4222 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
4225 if (PREDICT_FALSE(!ses1))
4227 /* too many sessions for user, send ICMP error packet */
4229 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4230 icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
4231 ICMP4_destination_unreachable_destination_unreachable_host,
4233 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4238 new_port1 = ses1->out.out_port;
4240 old_addr1.as_u32 = ip1->src_address.as_u32;
4241 ip1->src_address.as_u32 = new_addr1.as_u32;
4242 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
4244 sum1 = ip1->checksum;
4245 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
4247 src_address /* changed member */);
4248 ip1->checksum = ip_csum_fold (sum1);
4250 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
4252 if (tcp1->flags & TCP_FLAG_SYN)
4253 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
4254 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
4255 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
4256 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
4257 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
4258 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
4259 snat_det_ses_close(dm1, ses1);
4260 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
4261 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
4262 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
4263 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
4265 old_port1 = tcp1->src;
4266 tcp1->src = new_port1;
4268 sum1 = tcp1->checksum;
4269 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
4271 dst_address /* changed member */);
4272 sum1 = ip_csum_update (sum1, old_port1, new_port1,
4273 ip4_header_t /* cheat */,
4274 length /* changed member */);
4275 tcp1->checksum = ip_csum_fold(sum1);
4279 ses1->state = SNAT_SESSION_UDP_ACTIVE;
4280 old_port1 = udp1->src_port;
4281 udp1->src_port = new_port1;
4287 case SNAT_SESSION_UDP_ACTIVE:
4288 ses1->expire = now + sm->udp_timeout;
4290 case SNAT_SESSION_TCP_SYN_SENT:
4291 case SNAT_SESSION_TCP_FIN_WAIT:
4292 case SNAT_SESSION_TCP_CLOSE_WAIT:
4293 case SNAT_SESSION_TCP_LAST_ACK:
4294 ses1->expire = now + sm->tcp_transitory_timeout;
4296 case SNAT_SESSION_TCP_ESTABLISHED:
4297 ses1->expire = now + sm->tcp_established_timeout;
4302 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
4303 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
4305 snat_in2out_trace_t *t =
4306 vlib_add_trace (vm, node, b1, sizeof (*t));
4307 t->is_slow_path = 0;
4308 t->sw_if_index = sw_if_index1;
4309 t->next_index = next1;
4310 t->session_index = ~0;
4312 t->session_index = ses1 - dm1->sessions;
4315 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
4317 /* verify speculative enqueues, maybe switch current next frame */
4318 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
4319 to_next, n_left_to_next,
4320 bi0, bi1, next0, next1);
4323 while (n_left_from > 0 && n_left_to_next > 0)
4331 ip4_address_t new_addr0, old_addr0;
4332 u16 old_port0, new_port0, lo_port0, i0;
4333 udp_header_t * udp0;
4334 tcp_header_t * tcp0;
4336 snat_det_out_key_t key0;
4337 snat_det_map_t * dm0;
4338 snat_det_session_t * ses0 = 0;
4340 icmp46_header_t * icmp0;
4342 /* speculatively enqueue b0 to the current next frame */
4348 n_left_to_next -= 1;
4350 b0 = vlib_get_buffer (vm, bi0);
4351 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
4353 ip0 = vlib_buffer_get_current (b0);
4354 udp0 = ip4_next_header (ip0);
4355 tcp0 = (tcp_header_t *) udp0;
4357 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
4359 if (PREDICT_FALSE(ip0->ttl == 1))
4361 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4362 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
4363 ICMP4_time_exceeded_ttl_exceeded_in_transit,
4365 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4369 proto0 = ip_proto_to_snat_proto (ip0->protocol);
4371 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
4373 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
4374 icmp0 = (icmp46_header_t *) udp0;
4376 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
4377 rx_fib_index0, node, next0, thread_index,
4382 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
4383 if (PREDICT_FALSE(!dm0))
4385 nat_log_info ("no match for internal host %U",
4386 format_ip4_address, &ip0->src_address);
4387 next0 = SNAT_IN2OUT_NEXT_DROP;
4388 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
4392 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
4394 key0.ext_host_addr = ip0->dst_address;
4395 key0.ext_host_port = tcp0->dst;
4397 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
4398 if (PREDICT_FALSE(!ses0))
4400 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
4402 key0.out_port = clib_host_to_net_u16 (lo_port0 +
4403 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
4405 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
4408 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
4411 if (PREDICT_FALSE(!ses0))
4413 /* too many sessions for user, send ICMP error packet */
4415 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4416 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
4417 ICMP4_destination_unreachable_destination_unreachable_host,
4419 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4424 new_port0 = ses0->out.out_port;
4426 old_addr0.as_u32 = ip0->src_address.as_u32;
4427 ip0->src_address.as_u32 = new_addr0.as_u32;
4428 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
4430 sum0 = ip0->checksum;
4431 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
4433 src_address /* changed member */);
4434 ip0->checksum = ip_csum_fold (sum0);
4436 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4438 if (tcp0->flags & TCP_FLAG_SYN)
4439 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
4440 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
4441 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
4442 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
4443 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
4444 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
4445 snat_det_ses_close(dm0, ses0);
4446 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
4447 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
4448 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
4449 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
4451 old_port0 = tcp0->src;
4452 tcp0->src = new_port0;
4454 sum0 = tcp0->checksum;
4455 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
4457 dst_address /* changed member */);
4458 sum0 = ip_csum_update (sum0, old_port0, new_port0,
4459 ip4_header_t /* cheat */,
4460 length /* changed member */);
4461 tcp0->checksum = ip_csum_fold(sum0);
4465 ses0->state = SNAT_SESSION_UDP_ACTIVE;
4466 old_port0 = udp0->src_port;
4467 udp0->src_port = new_port0;
4473 case SNAT_SESSION_UDP_ACTIVE:
4474 ses0->expire = now + sm->udp_timeout;
4476 case SNAT_SESSION_TCP_SYN_SENT:
4477 case SNAT_SESSION_TCP_FIN_WAIT:
4478 case SNAT_SESSION_TCP_CLOSE_WAIT:
4479 case SNAT_SESSION_TCP_LAST_ACK:
4480 ses0->expire = now + sm->tcp_transitory_timeout;
4482 case SNAT_SESSION_TCP_ESTABLISHED:
4483 ses0->expire = now + sm->tcp_established_timeout;
4488 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
4489 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
4491 snat_in2out_trace_t *t =
4492 vlib_add_trace (vm, node, b0, sizeof (*t));
4493 t->is_slow_path = 0;
4494 t->sw_if_index = sw_if_index0;
4495 t->next_index = next0;
4496 t->session_index = ~0;
4498 t->session_index = ses0 - dm0->sessions;
4501 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
4503 /* verify speculative enqueue, maybe switch current next frame */
4504 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
4505 to_next, n_left_to_next,
4509 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
4512 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
4513 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
4515 return frame->n_vectors;
4518 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
4519 .function = snat_det_in2out_node_fn,
4520 .name = "nat44-det-in2out",
4521 .vector_size = sizeof (u32),
4522 .format_trace = format_snat_in2out_trace,
4523 .type = VLIB_NODE_TYPE_INTERNAL,
4525 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
4526 .error_strings = snat_in2out_error_strings,
4528 .runtime_data_bytes = sizeof (snat_runtime_t),
4532 /* edit / add dispositions here */
4534 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
4535 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
4536 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
4540 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
4543 * Get address and port values to be used for ICMP packet translation
4544 * and create session if needed
4546 * @param[in,out] sm NAT main
4547 * @param[in,out] node NAT node runtime
4548 * @param[in] thread_index thread index
4549 * @param[in,out] b0 buffer containing packet to be translated
4550 * @param[out] p_proto protocol used for matching
4551 * @param[out] p_value address and port after NAT translation
4552 * @param[out] p_dont_translate if packet should not be translated
4553 * @param d optional parameter
4554 * @param e optional parameter
4556 u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
4557 u32 thread_index, vlib_buffer_t *b0,
4558 ip4_header_t *ip0, u8 *p_proto,
4559 snat_session_key_t *p_value,
4560 u8 *p_dont_translate, void *d, void *e)
4562 icmp46_header_t *icmp0;
4566 snat_det_out_key_t key0;
4567 u8 dont_translate = 0;
4569 icmp_echo_header_t *echo0, *inner_echo0 = 0;
4570 ip4_header_t *inner_ip0;
4571 void *l4_header = 0;
4572 icmp46_header_t *inner_icmp0;
4573 snat_det_map_t * dm0 = 0;
4574 ip4_address_t new_addr0;
4576 snat_det_session_t * ses0 = 0;
4577 ip4_address_t in_addr;
4580 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
4581 echo0 = (icmp_echo_header_t *)(icmp0+1);
4582 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
4583 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
4585 if (!icmp_is_error_message (icmp0))
4587 protocol = SNAT_PROTOCOL_ICMP;
4588 in_addr = ip0->src_address;
4589 in_port = echo0->identifier;
4593 inner_ip0 = (ip4_header_t *)(echo0+1);
4594 l4_header = ip4_next_header (inner_ip0);
4595 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
4596 in_addr = inner_ip0->dst_address;
4599 case SNAT_PROTOCOL_ICMP:
4600 inner_icmp0 = (icmp46_header_t*)l4_header;
4601 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
4602 in_port = inner_echo0->identifier;
4604 case SNAT_PROTOCOL_UDP:
4605 case SNAT_PROTOCOL_TCP:
4606 in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
4609 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
4610 next0 = SNAT_IN2OUT_NEXT_DROP;
4615 dm0 = snat_det_map_by_user(sm, &in_addr);
4616 if (PREDICT_FALSE(!dm0))
4618 nat_log_info ("no match for internal host %U",
4619 format_ip4_address, &in_addr);
4620 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
4621 IP_PROTOCOL_ICMP, rx_fib_index0)))
4626 next0 = SNAT_IN2OUT_NEXT_DROP;
4627 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
4631 snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
4633 key0.ext_host_addr = ip0->dst_address;
4634 key0.ext_host_port = 0;
4636 ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
4637 if (PREDICT_FALSE(!ses0))
4639 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
4640 IP_PROTOCOL_ICMP, rx_fib_index0)))
4645 if (icmp0->type != ICMP4_echo_request)
4647 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
4648 next0 = SNAT_IN2OUT_NEXT_DROP;
4651 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
4653 key0.out_port = clib_host_to_net_u16 (lo_port0 +
4654 ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host));
4656 if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64))
4659 ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0);
4662 if (PREDICT_FALSE(!ses0))
4664 next0 = SNAT_IN2OUT_NEXT_DROP;
4665 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
4670 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
4671 !icmp_is_error_message (icmp0)))
4673 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
4674 next0 = SNAT_IN2OUT_NEXT_DROP;
4678 u32 now = (u32) vlib_time_now (sm->vlib_main);
4680 ses0->state = SNAT_SESSION_ICMP_ACTIVE;
4681 ses0->expire = now + sm->icmp_timeout;
4684 *p_proto = protocol;
4687 p_value->addr = new_addr0;
4688 p_value->fib_index = sm->outside_fib_index;
4689 p_value->port = ses0->out.out_port;
4691 *p_dont_translate = dont_translate;
4693 *(snat_det_session_t**)d = ses0;
4695 *(snat_det_map_t**)e = dm0;
4699 /**********************/
4700 /*** worker handoff ***/
4701 /**********************/
4703 snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm,
4704 vlib_node_runtime_t * node,
4705 vlib_frame_t * frame,
4708 snat_main_t *sm = &snat_main;
4709 vlib_thread_main_t *tm = vlib_get_thread_main ();
4710 u32 n_left_from, *from, *to_next = 0, *to_next_drop = 0;
4711 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
4712 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
4714 vlib_frame_queue_elt_t *hf = 0;
4715 vlib_frame_queue_t *fq;
4716 vlib_frame_t *f = 0;
4718 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
4719 u32 next_worker_index = 0;
4720 u32 current_worker_index = ~0;
4721 u32 thread_index = vm->thread_index;
4724 vlib_frame_t *d = 0;
4726 ASSERT (vec_len (sm->workers));
4730 fq_index = sm->fq_in2out_output_index;
4731 to_node_index = sm->in2out_output_node_index;
4735 fq_index = sm->fq_in2out_index;
4736 to_node_index = sm->in2out_node_index;
4739 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
4741 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
4743 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
4744 tm->n_vlib_mains - 1,
4745 (vlib_frame_queue_t *) (~0));
4748 from = vlib_frame_vector_args (frame);
4749 n_left_from = frame->n_vectors;
4751 while (n_left_from > 0)
4764 b0 = vlib_get_buffer (vm, bi0);
4766 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
4767 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
4769 ip0 = vlib_buffer_get_current (b0);
4771 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
4773 if (PREDICT_FALSE (next_worker_index != thread_index))
4777 if (next_worker_index != current_worker_index)
4779 fq = is_vlib_frame_queue_congested (
4780 fq_index, next_worker_index, NAT_FQ_NELTS - 2,
4781 congested_handoff_queue_by_worker_index);
4785 /* if this is 1st frame */
4788 d = vlib_get_frame_to_node (vm, sm->error_node_index);
4789 to_next_drop = vlib_frame_vector_args (d);
4792 to_next_drop[0] = bi0;
4795 b0->error = node->errors[SNAT_IN2OUT_ERROR_FQ_CONGESTED];
4800 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
4802 hf = vlib_get_worker_handoff_queue_elt (fq_index,
4804 handoff_queue_elt_by_worker_index);
4806 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
4807 to_next_worker = &hf->buffer_index[hf->n_vectors];
4808 current_worker_index = next_worker_index;
4811 /* enqueue to correct worker thread */
4812 to_next_worker[0] = bi0;
4814 n_left_to_next_worker--;
4816 if (n_left_to_next_worker == 0)
4818 hf->n_vectors = VLIB_FRAME_SIZE;
4819 vlib_put_frame_queue_elt (hf);
4820 current_worker_index = ~0;
4821 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
4828 /* if this is 1st frame */
4831 f = vlib_get_frame_to_node (vm, to_node_index);
4832 to_next = vlib_frame_vector_args (f);
4841 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
4842 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
4844 snat_in2out_worker_handoff_trace_t *t =
4845 vlib_add_trace (vm, node, b0, sizeof (*t));
4846 t->next_worker_index = next_worker_index;
4847 t->do_handoff = do_handoff;
4852 vlib_put_frame_to_node (vm, to_node_index, f);
4855 vlib_put_frame_to_node (vm, sm->error_node_index, d);
4858 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
4860 /* Ship frames to the worker nodes */
4861 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
4863 if (handoff_queue_elt_by_worker_index[i])
4865 hf = handoff_queue_elt_by_worker_index[i];
4867 * It works better to let the handoff node
4868 * rate-adapt, always ship the handoff queue element.
4870 if (1 || hf->n_vectors == hf->last_n_vectors)
4872 vlib_put_frame_queue_elt (hf);
4873 handoff_queue_elt_by_worker_index[i] = 0;
4876 hf->last_n_vectors = hf->n_vectors;
4878 congested_handoff_queue_by_worker_index[i] =
4879 (vlib_frame_queue_t *) (~0);
4882 current_worker_index = ~0;
4883 return frame->n_vectors;
4887 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
4888 vlib_node_runtime_t * node,
4889 vlib_frame_t * frame)
4891 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0);
4894 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
4895 .function = snat_in2out_worker_handoff_fn,
4896 .name = "nat44-in2out-worker-handoff",
4897 .vector_size = sizeof (u32),
4898 .format_trace = format_snat_in2out_worker_handoff_trace,
4899 .type = VLIB_NODE_TYPE_INTERNAL,
4901 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
4902 .error_strings = snat_in2out_error_strings,
4911 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node,
4912 snat_in2out_worker_handoff_fn);
4915 snat_in2out_output_worker_handoff_fn (vlib_main_t * vm,
4916 vlib_node_runtime_t * node,
4917 vlib_frame_t * frame)
4919 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1);
4922 VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = {
4923 .function = snat_in2out_output_worker_handoff_fn,
4924 .name = "nat44-in2out-output-worker-handoff",
4925 .vector_size = sizeof (u32),
4926 .format_trace = format_snat_in2out_worker_handoff_trace,
4927 .type = VLIB_NODE_TYPE_INTERNAL,
4936 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node,
4937 snat_in2out_output_worker_handoff_fn);
4939 static_always_inline int
4940 is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr)
4942 snat_address_t * ap;
4943 clib_bihash_kv_8_8_t kv, value;
4944 snat_session_key_t m_key;
4946 vec_foreach (ap, sm->addresses)
4948 if (ap->addr.as_u32 == dst_addr->as_u32)
4952 m_key.addr.as_u32 = dst_addr->as_u32;
4953 m_key.fib_index = 0;
4956 kv.key = m_key.as_u64;
4957 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
4964 snat_hairpin_dst_fn_inline (vlib_main_t * vm,
4965 vlib_node_runtime_t * node,
4966 vlib_frame_t * frame,
4969 u32 n_left_from, * from, * to_next, stats_node_index;
4970 snat_in2out_next_t next_index;
4971 u32 pkts_processed = 0;
4972 snat_main_t * sm = &snat_main;
4974 stats_node_index = is_ed ? nat44_ed_hairpin_dst_node.index :
4975 snat_hairpin_dst_node.index;
4977 from = vlib_frame_vector_args (frame);
4978 n_left_from = frame->n_vectors;
4979 next_index = node->cached_next_index;
4981 while (n_left_from > 0)
4985 vlib_get_next_frame (vm, node, next_index,
4986 to_next, n_left_to_next);
4988 while (n_left_from > 0 && n_left_to_next > 0)
4996 /* speculatively enqueue b0 to the current next frame */
5002 n_left_to_next -= 1;
5004 b0 = vlib_get_buffer (vm, bi0);
5005 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
5006 ip0 = vlib_buffer_get_current (b0);
5008 proto0 = ip_proto_to_snat_proto (ip0->protocol);
5010 vnet_buffer (b0)->snat.flags = 0;
5011 if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address)))
5013 if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP)
5015 udp_header_t * udp0 = ip4_next_header (ip0);
5016 tcp_header_t * tcp0 = (tcp_header_t *) udp0;
5018 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, is_ed);
5020 else if (proto0 == SNAT_PROTOCOL_ICMP)
5022 icmp46_header_t * icmp0 = ip4_next_header (ip0);
5024 snat_icmp_hairpinning (sm, b0, ip0, icmp0, is_ed);
5029 nat44_ed_hairpinning_unknown_proto (sm, b0, ip0);
5031 nat_hairpinning_sm_unknown_proto (sm, b0, ip0);
5034 vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING;
5037 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
5039 /* verify speculative enqueue, maybe switch current next frame */
5040 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
5041 to_next, n_left_to_next,
5045 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
5048 vlib_node_increment_counter (vm, stats_node_index,
5049 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
5051 return frame->n_vectors;
5055 snat_hairpin_dst_fn (vlib_main_t * vm,
5056 vlib_node_runtime_t * node,
5057 vlib_frame_t * frame)
5059 return snat_hairpin_dst_fn_inline (vm, node, frame, 0);
5062 VLIB_REGISTER_NODE (snat_hairpin_dst_node) = {
5063 .function = snat_hairpin_dst_fn,
5064 .name = "nat44-hairpin-dst",
5065 .vector_size = sizeof (u32),
5066 .type = VLIB_NODE_TYPE_INTERNAL,
5067 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
5068 .error_strings = snat_in2out_error_strings,
5071 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
5072 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
5076 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node,
5077 snat_hairpin_dst_fn);
5080 nat44_ed_hairpin_dst_fn (vlib_main_t * vm,
5081 vlib_node_runtime_t * node,
5082 vlib_frame_t * frame)
5084 return snat_hairpin_dst_fn_inline (vm, node, frame, 1);
5087 VLIB_REGISTER_NODE (nat44_ed_hairpin_dst_node) = {
5088 .function = nat44_ed_hairpin_dst_fn,
5089 .name = "nat44-ed-hairpin-dst",
5090 .vector_size = sizeof (u32),
5091 .type = VLIB_NODE_TYPE_INTERNAL,
5092 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
5093 .error_strings = snat_in2out_error_strings,
5096 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
5097 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
5101 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpin_dst_node,
5102 nat44_ed_hairpin_dst_fn);
5105 snat_hairpin_src_fn_inline (vlib_main_t * vm,
5106 vlib_node_runtime_t * node,
5107 vlib_frame_t * frame,
5110 u32 n_left_from, * from, * to_next, stats_node_index;
5111 snat_in2out_next_t next_index;
5112 u32 pkts_processed = 0;
5113 snat_main_t *sm = &snat_main;
5115 stats_node_index = is_ed ? nat44_ed_hairpin_src_node.index :
5116 snat_hairpin_src_node.index;
5118 from = vlib_frame_vector_args (frame);
5119 n_left_from = frame->n_vectors;
5120 next_index = node->cached_next_index;
5122 while (n_left_from > 0)
5126 vlib_get_next_frame (vm, node, next_index,
5127 to_next, n_left_to_next);
5129 while (n_left_from > 0 && n_left_to_next > 0)
5134 snat_interface_t *i;
5137 /* speculatively enqueue b0 to the current next frame */
5143 n_left_to_next -= 1;
5145 b0 = vlib_get_buffer (vm, bi0);
5146 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
5147 next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT;
5149 pool_foreach (i, sm->output_feature_interfaces,
5151 /* Only packets from NAT inside interface */
5152 if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index))
5154 if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) &
5155 SNAT_FLAG_HAIRPINNING))
5157 if (PREDICT_TRUE (sm->num_workers > 1))
5158 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH;
5160 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT;
5166 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
5168 /* verify speculative enqueue, maybe switch current next frame */
5169 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
5170 to_next, n_left_to_next,
5174 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
5177 vlib_node_increment_counter (vm, stats_node_index,
5178 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
5180 return frame->n_vectors;
5184 snat_hairpin_src_fn (vlib_main_t * vm,
5185 vlib_node_runtime_t * node,
5186 vlib_frame_t * frame)
5188 return snat_hairpin_src_fn_inline (vm, node, frame, 0);
5191 VLIB_REGISTER_NODE (snat_hairpin_src_node) = {
5192 .function = snat_hairpin_src_fn,
5193 .name = "nat44-hairpin-src",
5194 .vector_size = sizeof (u32),
5195 .type = VLIB_NODE_TYPE_INTERNAL,
5196 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
5197 .error_strings = snat_in2out_error_strings,
5198 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
5200 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
5201 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output",
5202 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
5203 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
5207 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node,
5208 snat_hairpin_src_fn);
5211 nat44_ed_hairpin_src_fn (vlib_main_t * vm,
5212 vlib_node_runtime_t * node,
5213 vlib_frame_t * frame)
5215 return snat_hairpin_src_fn_inline (vm, node, frame, 1);
5218 VLIB_REGISTER_NODE (nat44_ed_hairpin_src_node) = {
5219 .function = nat44_ed_hairpin_src_fn,
5220 .name = "nat44-ed-hairpin-src",
5221 .vector_size = sizeof (u32),
5222 .type = VLIB_NODE_TYPE_INTERNAL,
5223 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
5224 .error_strings = snat_in2out_error_strings,
5225 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
5227 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
5228 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-ed-in2out-output",
5229 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
5230 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
5234 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpin_src_node,
5235 nat44_ed_hairpin_src_fn);
5238 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
5239 vlib_node_runtime_t * node,
5240 vlib_frame_t * frame)
5242 u32 n_left_from, * from, * to_next;
5243 snat_in2out_next_t next_index;
5244 u32 pkts_processed = 0;
5245 snat_main_t * sm = &snat_main;
5246 u32 stats_node_index;
5248 stats_node_index = snat_in2out_fast_node.index;
5250 from = vlib_frame_vector_args (frame);
5251 n_left_from = frame->n_vectors;
5252 next_index = node->cached_next_index;
5254 while (n_left_from > 0)
5258 vlib_get_next_frame (vm, node, next_index,
5259 to_next, n_left_to_next);
5261 while (n_left_from > 0 && n_left_to_next > 0)
5269 u32 new_addr0, old_addr0;
5270 u16 old_port0, new_port0;
5271 udp_header_t * udp0;
5272 tcp_header_t * tcp0;
5273 icmp46_header_t * icmp0;
5274 snat_session_key_t key0, sm0;
5278 /* speculatively enqueue b0 to the current next frame */
5284 n_left_to_next -= 1;
5286 b0 = vlib_get_buffer (vm, bi0);
5287 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
5289 ip0 = vlib_buffer_get_current (b0);
5290 udp0 = ip4_next_header (ip0);
5291 tcp0 = (tcp_header_t *) udp0;
5292 icmp0 = (icmp46_header_t *) udp0;
5294 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
5295 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
5297 if (PREDICT_FALSE(ip0->ttl == 1))
5299 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
5300 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
5301 ICMP4_time_exceeded_ttl_exceeded_in_transit,
5303 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
5307 proto0 = ip_proto_to_snat_proto (ip0->protocol);
5309 if (PREDICT_FALSE (proto0 == ~0))
5312 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
5314 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
5315 rx_fib_index0, node, next0, ~0, 0, 0);
5319 key0.addr = ip0->src_address;
5320 key0.protocol = proto0;
5321 key0.port = udp0->src_port;
5322 key0.fib_index = rx_fib_index0;
5324 if (snat_static_mapping_match(sm, key0, &sm0, 0, 0, 0, 0, 0))
5326 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
5327 next0= SNAT_IN2OUT_NEXT_DROP;
5331 new_addr0 = sm0.addr.as_u32;
5332 new_port0 = sm0.port;
5333 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
5334 old_addr0 = ip0->src_address.as_u32;
5335 ip0->src_address.as_u32 = new_addr0;
5337 sum0 = ip0->checksum;
5338 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
5340 src_address /* changed member */);
5341 ip0->checksum = ip_csum_fold (sum0);
5343 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
5345 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
5347 old_port0 = tcp0->src_port;
5348 tcp0->src_port = new_port0;
5350 sum0 = tcp0->checksum;
5351 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
5353 dst_address /* changed member */);
5354 sum0 = ip_csum_update (sum0, old_port0, new_port0,
5355 ip4_header_t /* cheat */,
5356 length /* changed member */);
5357 tcp0->checksum = ip_csum_fold(sum0);
5361 old_port0 = udp0->src_port;
5362 udp0->src_port = new_port0;
5368 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
5370 sum0 = tcp0->checksum;
5371 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
5373 dst_address /* changed member */);
5374 tcp0->checksum = ip_csum_fold(sum0);
5379 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, 0);
5382 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
5383 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
5385 snat_in2out_trace_t *t =
5386 vlib_add_trace (vm, node, b0, sizeof (*t));
5387 t->sw_if_index = sw_if_index0;
5388 t->next_index = next0;
5391 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
5393 /* verify speculative enqueue, maybe switch current next frame */
5394 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
5395 to_next, n_left_to_next,
5399 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
5402 vlib_node_increment_counter (vm, stats_node_index,
5403 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
5405 return frame->n_vectors;
5409 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
5410 .function = snat_in2out_fast_static_map_fn,
5411 .name = "nat44-in2out-fast",
5412 .vector_size = sizeof (u32),
5413 .format_trace = format_snat_in2out_fast_trace,
5414 .type = VLIB_NODE_TYPE_INTERNAL,
5416 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
5417 .error_strings = snat_in2out_error_strings,
5419 .runtime_data_bytes = sizeof (snat_runtime_t),
5421 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
5423 /* edit / add dispositions here */
5425 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
5426 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
5427 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
5428 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
5429 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
5433 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob