2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 inside to outside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
24 #include <vnet/ip/ip.h>
25 #include <vnet/ethernet/ethernet.h>
26 #include <vnet/fib/ip4_fib.h>
28 #include <nat/nat_ipfix_logging.h>
29 #include <nat/nat_reass.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat_syslog.h>
32 #include <nat/nat_ha.h>
34 #include <vppinfra/hash.h>
35 #include <vppinfra/error.h>
36 #include <vppinfra/elog.h>
44 } snat_in2out_trace_t;
46 /* packet trace format function */
48 format_snat_in2out_trace (u8 * s, va_list * args)
50 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
51 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
52 snat_in2out_trace_t *t = va_arg (*args, snat_in2out_trace_t *);
55 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
57 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
58 t->sw_if_index, t->next_index, t->session_index);
64 format_snat_in2out_fast_trace (u8 * s, va_list * args)
66 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
67 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
68 snat_in2out_trace_t *t = va_arg (*args, snat_in2out_trace_t *);
70 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
71 t->sw_if_index, t->next_index);
76 #define foreach_snat_in2out_error \
77 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
78 _(IN2OUT_PACKETS, "good in2out packets processed") \
79 _(OUT_OF_PORTS, "out of ports") \
80 _(BAD_OUTSIDE_FIB, "outside VRF ID not found") \
81 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
82 _(NO_TRANSLATION, "no translation") \
83 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
84 _(DROP_FRAGMENT, "drop fragment") \
85 _(MAX_REASS, "maximum reassemblies exceeded") \
86 _(MAX_FRAG, "maximum fragments per reassembly exceeded")\
87 _(TCP_PACKETS, "TCP packets") \
88 _(UDP_PACKETS, "UDP packets") \
89 _(ICMP_PACKETS, "ICMP packets") \
90 _(OTHER_PACKETS, "other protocol packets") \
91 _(FRAGMENTS, "fragments") \
92 _(CACHED_FRAGMENTS, "cached fragments") \
93 _(PROCESSED_FRAGMENTS, "processed fragments")
97 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
98 foreach_snat_in2out_error
101 } snat_in2out_error_t;
103 static char *snat_in2out_error_strings[] = {
104 #define _(sym,string) string,
105 foreach_snat_in2out_error
111 SNAT_IN2OUT_NEXT_LOOKUP,
112 SNAT_IN2OUT_NEXT_DROP,
113 SNAT_IN2OUT_NEXT_ICMP_ERROR,
114 SNAT_IN2OUT_NEXT_SLOW_PATH,
115 SNAT_IN2OUT_NEXT_REASS,
117 } snat_in2out_next_t;
120 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
121 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
122 u32 rx_fib_index0, u32 thread_index)
124 udp_header_t *udp0 = ip4_next_header (ip0);
125 snat_session_key_t key0, sm0;
126 clib_bihash_kv_8_8_t kv0, value0;
128 key0.addr = ip0->dst_address;
129 key0.port = udp0->dst_port;
130 key0.protocol = proto0;
131 key0.fib_index = sm->outside_fib_index;
132 kv0.key = key0.as_u64;
134 /* NAT packet aimed at external address if */
135 /* has active sessions */
136 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
139 /* or is static mappings */
140 if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
146 if (sm->forwarding_enabled)
149 return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0,
154 nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0,
155 u32 proto0, u16 src_port, u16 dst_port,
156 u32 thread_index, u32 sw_if_index)
158 snat_session_key_t key0;
159 clib_bihash_kv_8_8_t kv0, value0;
163 key0.addr = ip0->src_address;
164 key0.port = src_port;
165 key0.protocol = proto0;
166 key0.fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
167 kv0.key = key0.as_u64;
169 if (!clib_bihash_search_8_8
170 (&sm->per_thread_data[thread_index].out2in, &kv0, &value0))
174 key0.addr = ip0->dst_address;
175 key0.port = dst_port;
176 key0.protocol = proto0;
177 kv0.key = key0.as_u64;
178 if (!clib_bihash_search_8_8
179 (&sm->per_thread_data[thread_index].in2out, &kv0, &value0))
183 pool_foreach (i, sm->output_feature_interfaces,
185 if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index))
195 #ifndef CLIB_MARCH_VARIANT
197 nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
199 snat_main_t *sm = &snat_main;
200 nat44_is_idle_session_ctx_t *ctx = arg;
202 u64 sess_timeout_time;
203 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
205 clib_bihash_kv_8_8_t s_kv;
207 s = pool_elt_at_index (tsm->sessions, kv->value);
208 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
209 if (ctx->now >= sess_timeout_time)
211 s_kv.key = s->out2in.as_u64;
212 if (clib_bihash_add_del_8_8 (&tsm->out2in, &s_kv, 0))
213 nat_elog_warn ("out2in key del failed");
215 snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
216 s->in2out.addr.as_u32,
217 s->out2in.addr.as_u32,
221 s->in2out.fib_index);
223 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
224 &s->in2out.addr, s->in2out.port,
225 &s->out2in.addr, s->out2in.port,
228 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
229 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
232 if (!snat_is_session_static (s))
233 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
236 nat44_delete_session (sm, s, ctx->thread_index);
245 slow_path (snat_main_t * sm, vlib_buffer_t * b0,
248 snat_session_key_t * key0,
249 snat_session_t ** sessionp,
250 vlib_node_runtime_t * node, u32 next0, u32 thread_index, f64 now)
253 snat_session_t *s = 0;
254 clib_bihash_kv_8_8_t kv0;
255 snat_session_key_t key1;
256 udp_header_t *udp0 = ip4_next_header (ip0);
258 nat_outside_fib_t *outside_fib;
259 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
262 .fp_proto = FIB_PROTOCOL_IP4,
265 .ip4.as_u32 = ip0->dst_address.as_u32,
268 nat44_is_idle_session_ctx_t ctx0;
270 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
272 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
273 nat_ipfix_logging_max_sessions (thread_index, sm->max_translations);
274 nat_elog_notice ("maximum sessions exceeded");
275 return SNAT_IN2OUT_NEXT_DROP;
278 key1.protocol = key0->protocol;
280 /* First try to match static mapping by local address and port */
281 if (snat_static_mapping_match
282 (sm, *key0, &key1, 0, 0, 0, 0, 0, &identity_nat))
284 /* Try to create dynamic translation */
285 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
289 [thread_index].snat_thread_index))
291 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
292 return SNAT_IN2OUT_NEXT_DROP;
297 if (PREDICT_FALSE (identity_nat))
306 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
310 nat_elog_warn ("create NAT user failed");
311 return SNAT_IN2OUT_NEXT_DROP;
314 s = nat_session_alloc_or_recycle (sm, u, thread_index, now);
317 nat44_delete_user_with_no_session (sm, u, thread_index);
318 nat_elog_warn ("create NAT session failed");
319 return SNAT_IN2OUT_NEXT_DROP;
323 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
324 user_session_increment (sm, u, is_sm);
327 s->out2in.protocol = key0->protocol;
328 s->out2in.fib_index = sm->outside_fib_index;
329 switch (vec_len (sm->outside_fibs))
332 s->out2in.fib_index = sm->outside_fib_index;
335 s->out2in.fib_index = sm->outside_fibs[0].fib_index;
339 vec_foreach (outside_fib, sm->outside_fibs)
341 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
342 if (FIB_NODE_INDEX_INVALID != fei)
344 if (fib_entry_get_resolving_interface (fei) != ~0)
346 s->out2in.fib_index = outside_fib->fib_index;
354 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
355 s->ext_host_port = udp0->dst_port;
358 /* Add to translation hashes */
360 ctx0.thread_index = thread_index;
361 kv0.key = s->in2out.as_u64;
362 kv0.value = s - sm->per_thread_data[thread_index].sessions;
363 if (clib_bihash_add_or_overwrite_stale_8_8
364 (&sm->per_thread_data[thread_index].in2out, &kv0,
365 nat44_i2o_is_idle_session_cb, &ctx0))
366 nat_elog_notice ("in2out key add failed");
368 kv0.key = s->out2in.as_u64;
369 kv0.value = s - sm->per_thread_data[thread_index].sessions;
371 if (clib_bihash_add_or_overwrite_stale_8_8
372 (&sm->per_thread_data[thread_index].out2in, &kv0,
373 nat44_o2i_is_idle_session_cb, &ctx0))
374 nat_elog_notice ("out2in key add failed");
377 snat_ipfix_logging_nat44_ses_create (thread_index,
378 s->in2out.addr.as_u32,
379 s->out2in.addr.as_u32,
382 s->out2in.port, s->in2out.fib_index);
384 nat_syslog_nat44_apmadd (s->user_index, s->in2out.fib_index,
385 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
386 s->out2in.port, s->in2out.protocol);
388 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
389 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
390 &s->ext_host_nat_addr, s->ext_host_nat_port,
391 s->in2out.protocol, s->in2out.fib_index, s->flags,
397 #ifndef CLIB_MARCH_VARIANT
399 snat_in2out_error_t icmp_get_key (ip4_header_t * ip0,
400 snat_session_key_t * p_key0)
402 icmp46_header_t *icmp0;
403 snat_session_key_t key0;
404 icmp_echo_header_t *echo0, *inner_echo0 = 0;
405 ip4_header_t *inner_ip0 = 0;
407 icmp46_header_t *inner_icmp0;
409 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
410 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
412 if (!icmp_is_error_message (icmp0))
414 key0.protocol = SNAT_PROTOCOL_ICMP;
415 key0.addr = ip0->src_address;
416 key0.port = echo0->identifier;
420 inner_ip0 = (ip4_header_t *) (echo0 + 1);
421 l4_header = ip4_next_header (inner_ip0);
422 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
423 key0.addr = inner_ip0->dst_address;
424 switch (key0.protocol)
426 case SNAT_PROTOCOL_ICMP:
427 inner_icmp0 = (icmp46_header_t *) l4_header;
428 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
429 key0.port = inner_echo0->identifier;
431 case SNAT_PROTOCOL_UDP:
432 case SNAT_PROTOCOL_TCP:
433 key0.port = ((tcp_udp_header_t *) l4_header)->dst_port;
436 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
440 return -1; /* success */
444 * Get address and port values to be used for ICMP packet translation
445 * and create session if needed
447 * @param[in,out] sm NAT main
448 * @param[in,out] node NAT node runtime
449 * @param[in] thread_index thread index
450 * @param[in,out] b0 buffer containing packet to be translated
451 * @param[out] p_proto protocol used for matching
452 * @param[out] p_value address and port after NAT translation
453 * @param[out] p_dont_translate if packet should not be translated
454 * @param d optional parameter
455 * @param e optional parameter
458 icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node,
459 u32 thread_index, vlib_buffer_t * b0,
460 ip4_header_t * ip0, u8 * p_proto,
461 snat_session_key_t * p_value,
462 u8 * p_dont_translate, void *d, void *e)
464 icmp46_header_t *icmp0;
467 snat_session_key_t key0;
468 snat_session_t *s0 = 0;
469 u8 dont_translate = 0;
470 clib_bihash_kv_8_8_t kv0, value0;
474 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
475 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
476 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
478 err = icmp_get_key (ip0, &key0);
481 b0->error = node->errors[err];
482 next0 = SNAT_IN2OUT_NEXT_DROP;
485 key0.fib_index = rx_fib_index0;
487 kv0.key = key0.as_u64;
489 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
492 if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0)
494 if (PREDICT_FALSE (nat_not_translate_output_feature (sm, ip0,
507 if (PREDICT_FALSE (snat_not_translate (sm, node, sw_if_index0,
508 ip0, SNAT_PROTOCOL_ICMP,
517 if (PREDICT_FALSE (icmp_is_error_message (icmp0)))
519 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
520 next0 = SNAT_IN2OUT_NEXT_DROP;
524 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, &s0, node, next0,
525 thread_index, vlib_time_now (sm->vlib_main));
527 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
538 if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request &&
539 icmp0->type != ICMP4_echo_reply &&
540 !icmp_is_error_message (icmp0)))
542 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
543 next0 = SNAT_IN2OUT_NEXT_DROP;
547 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
552 *p_proto = key0.protocol;
554 *p_value = s0->out2in;
555 *p_dont_translate = dont_translate;
557 *(snat_session_t **) d = s0;
562 #ifndef CLIB_MARCH_VARIANT
564 * Get address and port values to be used for ICMP packet translation
566 * @param[in] sm NAT main
567 * @param[in,out] node NAT node runtime
568 * @param[in] thread_index thread index
569 * @param[in,out] b0 buffer containing packet to be translated
570 * @param[out] p_proto protocol used for matching
571 * @param[out] p_value address and port after NAT translation
572 * @param[out] p_dont_translate if packet should not be translated
573 * @param d optional parameter
574 * @param e optional parameter
577 icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
578 u32 thread_index, vlib_buffer_t * b0,
579 ip4_header_t * ip0, u8 * p_proto,
580 snat_session_key_t * p_value,
581 u8 * p_dont_translate, void *d, void *e)
583 icmp46_header_t *icmp0;
586 snat_session_key_t key0;
587 snat_session_key_t sm0;
588 u8 dont_translate = 0;
593 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
594 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
595 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
597 err = icmp_get_key (ip0, &key0);
600 b0->error = node->errors[err];
601 next0 = SNAT_IN2OUT_NEXT_DROP;
604 key0.fib_index = rx_fib_index0;
606 if (snat_static_mapping_match
607 (sm, key0, &sm0, 0, &is_addr_only, 0, 0, 0, 0))
609 if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0,
617 if (icmp_is_error_message (icmp0))
619 next0 = SNAT_IN2OUT_NEXT_DROP;
623 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
624 next0 = SNAT_IN2OUT_NEXT_DROP;
628 if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request &&
629 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
630 !icmp_is_error_message (icmp0)))
632 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
633 next0 = SNAT_IN2OUT_NEXT_DROP;
640 *p_proto = key0.protocol;
641 *p_dont_translate = dont_translate;
646 #ifndef CLIB_MARCH_VARIANT
648 icmp_in2out (snat_main_t * sm,
651 icmp46_header_t * icmp0,
654 vlib_node_runtime_t * node,
655 u32 next0, u32 thread_index, void *d, void *e)
657 snat_session_key_t sm0;
659 icmp_echo_header_t *echo0, *inner_echo0 = 0;
660 ip4_header_t *inner_ip0;
662 icmp46_header_t *inner_icmp0;
664 u32 new_addr0, old_addr0;
665 u16 old_id0, new_id0;
666 u16 old_checksum0, new_checksum0;
671 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
673 next0_tmp = sm->icmp_match_in2out_cb (sm, node, thread_index, b0, ip0,
674 &protocol, &sm0, &dont_translate, d,
678 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
681 if (PREDICT_TRUE (!ip4_is_fragment (ip0)))
683 sum0 = ip_incremental_checksum_buffer (sm->vlib_main, b0, (u8 *) icmp0 -
685 vlib_buffer_get_current (b0),
686 ntohs (ip0->length) -
687 ip4_header_bytes (ip0), 0);
688 checksum0 = ~ip_csum_fold (sum0);
689 if (PREDICT_FALSE (checksum0 != 0 && checksum0 != 0xffff))
691 next0 = SNAT_IN2OUT_NEXT_DROP;
696 old_addr0 = ip0->src_address.as_u32;
697 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
699 sum0 = ip0->checksum;
700 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
701 src_address /* changed member */ );
702 ip0->checksum = ip_csum_fold (sum0);
704 if (icmp0->checksum == 0)
705 icmp0->checksum = 0xffff;
707 if (!icmp_is_error_message (icmp0))
710 if (PREDICT_FALSE (new_id0 != echo0->identifier))
712 old_id0 = echo0->identifier;
714 echo0->identifier = new_id0;
716 sum0 = icmp0->checksum;
717 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
719 icmp0->checksum = ip_csum_fold (sum0);
724 inner_ip0 = (ip4_header_t *) (echo0 + 1);
725 l4_header = ip4_next_header (inner_ip0);
727 if (!ip4_header_checksum_is_valid (inner_ip0))
729 next0 = SNAT_IN2OUT_NEXT_DROP;
733 /* update inner destination IP address */
734 old_addr0 = inner_ip0->dst_address.as_u32;
735 inner_ip0->dst_address = sm0.addr;
736 new_addr0 = inner_ip0->dst_address.as_u32;
737 sum0 = icmp0->checksum;
738 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
739 dst_address /* changed member */ );
740 icmp0->checksum = ip_csum_fold (sum0);
742 /* update inner IP header checksum */
743 old_checksum0 = inner_ip0->checksum;
744 sum0 = inner_ip0->checksum;
745 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
746 dst_address /* changed member */ );
747 inner_ip0->checksum = ip_csum_fold (sum0);
748 new_checksum0 = inner_ip0->checksum;
749 sum0 = icmp0->checksum;
750 sum0 = ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t,
752 icmp0->checksum = ip_csum_fold (sum0);
756 case SNAT_PROTOCOL_ICMP:
757 inner_icmp0 = (icmp46_header_t *) l4_header;
758 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
760 old_id0 = inner_echo0->identifier;
762 inner_echo0->identifier = new_id0;
764 sum0 = icmp0->checksum;
765 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
767 icmp0->checksum = ip_csum_fold (sum0);
769 case SNAT_PROTOCOL_UDP:
770 case SNAT_PROTOCOL_TCP:
771 old_id0 = ((tcp_udp_header_t *) l4_header)->dst_port;
773 ((tcp_udp_header_t *) l4_header)->dst_port = new_id0;
775 sum0 = icmp0->checksum;
776 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
778 icmp0->checksum = ip_csum_fold (sum0);
785 if (vnet_buffer (b0)->sw_if_index[VLIB_TX] == ~0)
787 if (sm->deterministic ||
788 0 != snat_icmp_hairpinning (sm, b0, ip0, icmp0,
789 sm->endpoint_dependent))
790 vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
799 icmp_in2out_slow_path (snat_main_t * sm,
802 icmp46_header_t * icmp0,
805 vlib_node_runtime_t * node,
807 f64 now, u32 thread_index, snat_session_t ** p_s0)
809 next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
810 next0, thread_index, p_s0, 0);
811 snat_session_t *s0 = *p_s0;
812 if (PREDICT_TRUE (next0 != SNAT_IN2OUT_NEXT_DROP && s0))
815 nat44_session_update_counters (s0, now,
816 vlib_buffer_length_in_chain
817 (sm->vlib_main, b0), thread_index);
818 /* Per-user LRU list maintenance */
819 nat44_session_update_lru (sm, s0, thread_index);
825 nat_in2out_sm_unknown_proto (snat_main_t * sm,
827 ip4_header_t * ip, u32 rx_fib_index)
829 clib_bihash_kv_8_8_t kv, value;
830 snat_static_mapping_t *m;
831 snat_session_key_t m_key;
832 u32 old_addr, new_addr;
835 m_key.addr = ip->src_address;
838 m_key.fib_index = rx_fib_index;
839 kv.key = m_key.as_u64;
840 if (clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
843 m = pool_elt_at_index (sm->static_mappings, value.value);
845 old_addr = ip->src_address.as_u32;
846 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
848 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
849 ip->checksum = ip_csum_fold (sum);
853 if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0)
855 vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index;
856 nat_hairpinning_sm_unknown_proto (sm, b, ip);
863 snat_in2out_node_fn_inline (vlib_main_t * vm,
864 vlib_node_runtime_t * node,
865 vlib_frame_t * frame, int is_slow_path,
866 int is_output_feature)
868 u32 n_left_from, *from, *to_next;
869 snat_in2out_next_t next_index;
870 u32 pkts_processed = 0;
871 snat_main_t *sm = &snat_main;
872 f64 now = vlib_time_now (vm);
873 u32 stats_node_index;
874 u32 thread_index = vm->thread_index;
875 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
878 stats_node_index = is_slow_path ? sm->in2out_slowpath_node_index :
879 sm->in2out_node_index;
881 from = vlib_frame_vector_args (frame);
882 n_left_from = frame->n_vectors;
883 next_index = node->cached_next_index;
885 while (n_left_from > 0)
889 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
891 while (n_left_from >= 4 && n_left_to_next >= 2)
894 vlib_buffer_t *b0, *b1;
896 u32 sw_if_index0, sw_if_index1;
897 ip4_header_t *ip0, *ip1;
898 ip_csum_t sum0, sum1;
899 u32 new_addr0, old_addr0, new_addr1, old_addr1;
900 u16 old_port0, new_port0, old_port1, new_port1;
901 udp_header_t *udp0, *udp1;
902 tcp_header_t *tcp0, *tcp1;
903 icmp46_header_t *icmp0, *icmp1;
904 snat_session_key_t key0, key1;
905 u32 rx_fib_index0, rx_fib_index1;
907 snat_session_t *s0 = 0, *s1 = 0;
908 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
909 u32 iph_offset0 = 0, iph_offset1 = 0;
911 /* Prefetch next iteration. */
913 vlib_buffer_t *p2, *p3;
915 p2 = vlib_get_buffer (vm, from[2]);
916 p3 = vlib_get_buffer (vm, from[3]);
918 vlib_prefetch_buffer_header (p2, LOAD);
919 vlib_prefetch_buffer_header (p3, LOAD);
921 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
922 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
925 /* speculatively enqueue b0 and b1 to the current next frame */
926 to_next[0] = bi0 = from[0];
927 to_next[1] = bi1 = from[1];
933 b0 = vlib_get_buffer (vm, bi0);
934 b1 = vlib_get_buffer (vm, bi1);
936 if (is_output_feature)
937 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
939 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
942 udp0 = ip4_next_header (ip0);
943 tcp0 = (tcp_header_t *) udp0;
944 icmp0 = (icmp46_header_t *) udp0;
946 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
947 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
950 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
952 if (PREDICT_FALSE (ip0->ttl == 1))
954 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
955 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
956 ICMP4_time_exceeded_ttl_exceeded_in_transit,
958 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
962 proto0 = ip_proto_to_snat_proto (ip0->protocol);
964 /* Next configured feature, probably ip4-lookup */
967 if (PREDICT_FALSE (proto0 == ~0))
969 if (nat_in2out_sm_unknown_proto
970 (sm, b0, ip0, rx_fib_index0))
972 next0 = SNAT_IN2OUT_NEXT_DROP;
974 node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
980 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
982 next0 = icmp_in2out_slow_path
983 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
984 node, next0, now, thread_index, &s0);
991 if (PREDICT_FALSE (proto0 == ~0))
993 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
997 if (ip4_is_fragment (ip0))
999 next0 = SNAT_IN2OUT_NEXT_REASS;
1004 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1006 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1011 key0.addr = ip0->src_address;
1012 key0.port = udp0->src_port;
1013 key0.protocol = proto0;
1014 key0.fib_index = rx_fib_index0;
1016 kv0.key = key0.as_u64;
1019 (clib_bihash_search_8_8
1020 (&sm->per_thread_data[thread_index].in2out, &kv0,
1025 if (is_output_feature)
1027 if (PREDICT_FALSE (nat_not_translate_output_feature (sm,
1040 (sm, node, sw_if_index0, ip0, proto0,
1041 rx_fib_index0, thread_index)))
1045 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1046 &s0, node, next0, thread_index, now);
1047 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1050 if (PREDICT_FALSE (!s0))
1055 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1061 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1064 b0->flags |= VNET_BUFFER_F_IS_NATED;
1066 old_addr0 = ip0->src_address.as_u32;
1067 ip0->src_address = s0->out2in.addr;
1068 new_addr0 = ip0->src_address.as_u32;
1069 if (!is_output_feature)
1070 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1072 sum0 = ip0->checksum;
1073 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1075 src_address /* changed member */ );
1076 ip0->checksum = ip_csum_fold (sum0);
1078 old_port0 = udp0->src_port;
1079 new_port0 = udp0->src_port = s0->out2in.port;
1081 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1083 sum0 = tcp0->checksum;
1084 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1086 dst_address /* changed member */ );
1087 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1088 ip4_header_t /* cheat */ ,
1089 length /* changed member */ );
1090 mss_clamping (sm, tcp0, &sum0);
1091 tcp0->checksum = ip_csum_fold (sum0);
1096 if (PREDICT_FALSE (udp0->checksum))
1098 sum0 = udp0->checksum;
1099 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1101 dst_address /* changed member */ );
1102 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1103 ip4_header_t /* cheat */ ,
1104 length /* changed member */ );
1105 udp0->checksum = ip_csum_fold (sum0);
1111 nat44_session_update_counters (s0, now,
1112 vlib_buffer_length_in_chain (vm, b0),
1114 /* Per-user LRU list maintenance */
1115 nat44_session_update_lru (sm, s0, thread_index);
1118 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1119 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1121 snat_in2out_trace_t *t =
1122 vlib_add_trace (vm, node, b0, sizeof (*t));
1123 t->is_slow_path = is_slow_path;
1124 t->sw_if_index = sw_if_index0;
1125 t->next_index = next0;
1126 t->session_index = ~0;
1129 s0 - sm->per_thread_data[thread_index].sessions;
1132 pkts_processed += next0 == SNAT_IN2OUT_NEXT_LOOKUP;
1134 if (is_output_feature)
1135 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1137 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1140 udp1 = ip4_next_header (ip1);
1141 tcp1 = (tcp_header_t *) udp1;
1142 icmp1 = (icmp46_header_t *) udp1;
1144 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
1145 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1148 if (PREDICT_FALSE (ip1->ttl == 1))
1150 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1151 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1152 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1154 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1158 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1160 /* Next configured feature, probably ip4-lookup */
1163 if (PREDICT_FALSE (proto1 == ~0))
1165 if (nat_in2out_sm_unknown_proto
1166 (sm, b1, ip1, rx_fib_index1))
1168 next1 = SNAT_IN2OUT_NEXT_DROP;
1170 node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1176 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1178 next1 = icmp_in2out_slow_path
1179 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1180 next1, now, thread_index, &s1);
1187 if (PREDICT_FALSE (proto1 == ~0))
1189 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1193 if (ip4_is_fragment (ip1))
1195 next1 = SNAT_IN2OUT_NEXT_REASS;
1200 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1202 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1207 key1.addr = ip1->src_address;
1208 key1.port = udp1->src_port;
1209 key1.protocol = proto1;
1210 key1.fib_index = rx_fib_index1;
1212 kv1.key = key1.as_u64;
1215 (clib_bihash_search_8_8
1216 (&sm->per_thread_data[thread_index].in2out, &kv1,
1221 if (is_output_feature)
1223 if (PREDICT_FALSE (nat_not_translate_output_feature (sm,
1236 (sm, node, sw_if_index1, ip1, proto1,
1237 rx_fib_index1, thread_index)))
1241 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1242 &s1, node, next1, thread_index, now);
1243 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1246 if (PREDICT_FALSE (!s1))
1251 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1257 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1260 b1->flags |= VNET_BUFFER_F_IS_NATED;
1262 old_addr1 = ip1->src_address.as_u32;
1263 ip1->src_address = s1->out2in.addr;
1264 new_addr1 = ip1->src_address.as_u32;
1265 if (!is_output_feature)
1266 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1268 sum1 = ip1->checksum;
1269 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1271 src_address /* changed member */ );
1272 ip1->checksum = ip_csum_fold (sum1);
1274 old_port1 = udp1->src_port;
1275 new_port1 = udp1->src_port = s1->out2in.port;
1277 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
1279 sum1 = tcp1->checksum;
1280 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1282 dst_address /* changed member */ );
1283 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1284 ip4_header_t /* cheat */ ,
1285 length /* changed member */ );
1286 mss_clamping (sm, tcp1, &sum1);
1287 tcp1->checksum = ip_csum_fold (sum1);
1292 if (PREDICT_FALSE (udp1->checksum))
1294 sum1 = udp1->checksum;
1295 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1297 dst_address /* changed member */ );
1298 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1299 ip4_header_t /* cheat */ ,
1300 length /* changed member */ );
1301 udp1->checksum = ip_csum_fold (sum1);
1307 nat44_session_update_counters (s1, now,
1308 vlib_buffer_length_in_chain (vm, b1),
1310 /* Per-user LRU list maintenance */
1311 nat44_session_update_lru (sm, s1, thread_index);
1314 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1315 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1317 snat_in2out_trace_t *t =
1318 vlib_add_trace (vm, node, b1, sizeof (*t));
1319 t->sw_if_index = sw_if_index1;
1320 t->next_index = next1;
1321 t->session_index = ~0;
1324 s1 - sm->per_thread_data[thread_index].sessions;
1327 pkts_processed += next1 == SNAT_IN2OUT_NEXT_LOOKUP;
1329 /* verify speculative enqueues, maybe switch current next frame */
1330 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1331 to_next, n_left_to_next,
1332 bi0, bi1, next0, next1);
1335 while (n_left_from > 0 && n_left_to_next > 0)
1343 u32 new_addr0, old_addr0;
1344 u16 old_port0, new_port0;
1347 icmp46_header_t *icmp0;
1348 snat_session_key_t key0;
1351 snat_session_t *s0 = 0;
1352 clib_bihash_kv_8_8_t kv0, value0;
1353 u32 iph_offset0 = 0;
1355 /* speculatively enqueue b0 to the current next frame */
1361 n_left_to_next -= 1;
1363 b0 = vlib_get_buffer (vm, bi0);
1364 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1366 if (is_output_feature)
1367 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1369 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1372 udp0 = ip4_next_header (ip0);
1373 tcp0 = (tcp_header_t *) udp0;
1374 icmp0 = (icmp46_header_t *) udp0;
1376 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1377 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1380 if (PREDICT_FALSE (ip0->ttl == 1))
1382 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1383 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1384 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1386 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1390 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1392 /* Next configured feature, probably ip4-lookup */
1395 if (PREDICT_FALSE (proto0 == ~0))
1397 if (nat_in2out_sm_unknown_proto
1398 (sm, b0, ip0, rx_fib_index0))
1400 next0 = SNAT_IN2OUT_NEXT_DROP;
1402 node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
1408 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1410 next0 = icmp_in2out_slow_path
1411 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1412 next0, now, thread_index, &s0);
1419 if (PREDICT_FALSE (proto0 == ~0))
1421 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1425 if (ip4_is_fragment (ip0))
1427 next0 = SNAT_IN2OUT_NEXT_REASS;
1432 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1434 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1439 key0.addr = ip0->src_address;
1440 key0.port = udp0->src_port;
1441 key0.protocol = proto0;
1442 key0.fib_index = rx_fib_index0;
1444 kv0.key = key0.as_u64;
1446 if (clib_bihash_search_8_8
1447 (&sm->per_thread_data[thread_index].in2out, &kv0, &value0))
1451 if (is_output_feature)
1453 if (PREDICT_FALSE (nat_not_translate_output_feature (sm,
1466 (sm, node, sw_if_index0, ip0, proto0,
1467 rx_fib_index0, thread_index)))
1471 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1472 &s0, node, next0, thread_index, now);
1474 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1477 if (PREDICT_FALSE (!s0))
1482 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1488 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1491 b0->flags |= VNET_BUFFER_F_IS_NATED;
1493 old_addr0 = ip0->src_address.as_u32;
1494 ip0->src_address = s0->out2in.addr;
1495 new_addr0 = ip0->src_address.as_u32;
1496 if (!is_output_feature)
1497 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1499 sum0 = ip0->checksum;
1500 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1502 src_address /* changed member */ );
1503 ip0->checksum = ip_csum_fold (sum0);
1505 old_port0 = udp0->src_port;
1506 new_port0 = udp0->src_port = s0->out2in.port;
1508 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1510 sum0 = tcp0->checksum;
1511 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1513 dst_address /* changed member */ );
1514 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1515 ip4_header_t /* cheat */ ,
1516 length /* changed member */ );
1517 mss_clamping (sm, tcp0, &sum0);
1518 tcp0->checksum = ip_csum_fold (sum0);
1523 if (PREDICT_FALSE (udp0->checksum))
1525 sum0 = udp0->checksum;
1526 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1528 dst_address /* changed member */ );
1529 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1530 ip4_header_t /* cheat */ ,
1531 length /* changed member */ );
1532 udp0->checksum = ip_csum_fold (sum0);
1538 nat44_session_update_counters (s0, now,
1539 vlib_buffer_length_in_chain (vm, b0),
1541 /* Per-user LRU list maintenance */
1542 nat44_session_update_lru (sm, s0, thread_index);
1545 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1546 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1548 snat_in2out_trace_t *t =
1549 vlib_add_trace (vm, node, b0, sizeof (*t));
1550 t->is_slow_path = is_slow_path;
1551 t->sw_if_index = sw_if_index0;
1552 t->next_index = next0;
1553 t->session_index = ~0;
1556 s0 - sm->per_thread_data[thread_index].sessions;
1559 pkts_processed += next0 == SNAT_IN2OUT_NEXT_LOOKUP;
1561 /* verify speculative enqueue, maybe switch current next frame */
1562 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1563 to_next, n_left_to_next,
1567 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1570 vlib_node_increment_counter (vm, stats_node_index,
1571 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1573 vlib_node_increment_counter (vm, stats_node_index,
1574 SNAT_IN2OUT_ERROR_TCP_PACKETS, tcp_packets);
1575 vlib_node_increment_counter (vm, stats_node_index,
1576 SNAT_IN2OUT_ERROR_UDP_PACKETS, tcp_packets);
1577 vlib_node_increment_counter (vm, stats_node_index,
1578 SNAT_IN2OUT_ERROR_ICMP_PACKETS, icmp_packets);
1579 vlib_node_increment_counter (vm, stats_node_index,
1580 SNAT_IN2OUT_ERROR_OTHER_PACKETS,
1582 vlib_node_increment_counter (vm, stats_node_index,
1583 SNAT_IN2OUT_ERROR_FRAGMENTS, fragments);
1585 return frame->n_vectors;
1588 VLIB_NODE_FN (snat_in2out_node) (vlib_main_t * vm,
1589 vlib_node_runtime_t * node,
1590 vlib_frame_t * frame)
1592 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */ ,
1597 VLIB_REGISTER_NODE (snat_in2out_node) = {
1598 .name = "nat44-in2out",
1599 .vector_size = sizeof (u32),
1600 .format_trace = format_snat_in2out_trace,
1601 .type = VLIB_NODE_TYPE_INTERNAL,
1603 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1604 .error_strings = snat_in2out_error_strings,
1606 .runtime_data_bytes = sizeof (snat_runtime_t),
1608 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1610 /* edit / add dispositions here */
1612 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1613 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1614 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1615 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1616 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1621 VLIB_NODE_FN (snat_in2out_output_node) (vlib_main_t * vm,
1622 vlib_node_runtime_t * node,
1623 vlib_frame_t * frame)
1625 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */ ,
1630 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
1631 .name = "nat44-in2out-output",
1632 .vector_size = sizeof (u32),
1633 .format_trace = format_snat_in2out_trace,
1634 .type = VLIB_NODE_TYPE_INTERNAL,
1636 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1637 .error_strings = snat_in2out_error_strings,
1639 .runtime_data_bytes = sizeof (snat_runtime_t),
1641 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1643 /* edit / add dispositions here */
1645 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1646 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
1647 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
1648 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1649 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1654 VLIB_NODE_FN (snat_in2out_slowpath_node) (vlib_main_t * vm,
1655 vlib_node_runtime_t * node,
1656 vlib_frame_t * frame)
1658 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */ ,
1663 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
1664 .name = "nat44-in2out-slowpath",
1665 .vector_size = sizeof (u32),
1666 .format_trace = format_snat_in2out_trace,
1667 .type = VLIB_NODE_TYPE_INTERNAL,
1669 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1670 .error_strings = snat_in2out_error_strings,
1672 .runtime_data_bytes = sizeof (snat_runtime_t),
1674 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1676 /* edit / add dispositions here */
1678 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1679 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1680 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1681 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1682 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1687 VLIB_NODE_FN (snat_in2out_output_slowpath_node) (vlib_main_t * vm,
1688 vlib_node_runtime_t * node,
1689 vlib_frame_t * frame)
1691 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */ ,
1696 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
1697 .name = "nat44-in2out-output-slowpath",
1698 .vector_size = sizeof (u32),
1699 .format_trace = format_snat_in2out_trace,
1700 .type = VLIB_NODE_TYPE_INTERNAL,
1702 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1703 .error_strings = snat_in2out_error_strings,
1705 .runtime_data_bytes = sizeof (snat_runtime_t),
1707 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1709 /* edit / add dispositions here */
1711 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1712 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
1713 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
1714 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1715 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1720 VLIB_NODE_FN (nat44_in2out_reass_node) (vlib_main_t * vm,
1721 vlib_node_runtime_t * node,
1722 vlib_frame_t * frame)
1724 u32 n_left_from, *from, *to_next;
1725 snat_in2out_next_t next_index;
1726 u32 pkts_processed = 0, cached_fragments = 0;
1727 snat_main_t *sm = &snat_main;
1728 f64 now = vlib_time_now (vm);
1729 u32 thread_index = vm->thread_index;
1730 snat_main_per_thread_data_t *per_thread_data =
1731 &sm->per_thread_data[thread_index];
1732 u32 *fragments_to_drop = 0;
1733 u32 *fragments_to_loopback = 0;
1735 from = vlib_frame_vector_args (frame);
1736 n_left_from = frame->n_vectors;
1737 next_index = node->cached_next_index;
1739 while (n_left_from > 0)
1743 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1745 while (n_left_from > 0 && n_left_to_next > 0)
1747 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1752 nat_reass_ip4_t *reass0;
1755 icmp46_header_t *icmp0;
1756 snat_session_key_t key0;
1757 clib_bihash_kv_8_8_t kv0, value0;
1758 snat_session_t *s0 = 0;
1759 u16 old_port0, new_port0;
1762 /* speculatively enqueue b0 to the current next frame */
1768 n_left_to_next -= 1;
1770 b0 = vlib_get_buffer (vm, bi0);
1771 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1773 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1775 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1778 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
1780 next0 = SNAT_IN2OUT_NEXT_DROP;
1781 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
1785 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1786 udp0 = ip4_next_header (ip0);
1787 tcp0 = (tcp_header_t *) udp0;
1788 icmp0 = (icmp46_header_t *) udp0;
1789 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1791 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1795 1, &fragments_to_drop);
1797 if (PREDICT_FALSE (!reass0))
1799 next0 = SNAT_IN2OUT_NEXT_DROP;
1800 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
1801 nat_elog_notice ("maximum reassemblies exceeded");
1805 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1807 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1809 next0 = icmp_in2out_slow_path
1810 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1811 next0, now, thread_index, &s0);
1813 if (PREDICT_TRUE (next0 != SNAT_IN2OUT_NEXT_DROP))
1816 reass0->sess_index = s0 - per_thread_data->sessions;
1818 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1819 nat_ip4_reass_get_frags (reass0,
1820 &fragments_to_loopback);
1826 key0.addr = ip0->src_address;
1827 key0.port = udp0->src_port;
1828 key0.protocol = proto0;
1829 key0.fib_index = rx_fib_index0;
1830 kv0.key = key0.as_u64;
1832 if (clib_bihash_search_8_8
1833 (&per_thread_data->in2out, &kv0, &value0))
1837 (sm, node, sw_if_index0, ip0, proto0, rx_fib_index0,
1841 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1842 &s0, node, next0, thread_index, now);
1844 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1847 if (PREDICT_FALSE (!s0))
1850 reass0->sess_index = s0 - per_thread_data->sessions;
1854 s0 = pool_elt_at_index (per_thread_data->sessions,
1856 reass0->sess_index = value0.value;
1858 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1862 if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
1864 if (nat_ip4_reass_add_fragment
1865 (thread_index, reass0, bi0, &fragments_to_drop))
1867 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
1869 ("maximum fragments per reassembly exceeded");
1870 next0 = SNAT_IN2OUT_NEXT_DROP;
1876 s0 = pool_elt_at_index (per_thread_data->sessions,
1877 reass0->sess_index);
1880 old_addr0 = ip0->src_address.as_u32;
1881 ip0->src_address = s0->out2in.addr;
1882 new_addr0 = ip0->src_address.as_u32;
1883 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1885 sum0 = ip0->checksum;
1886 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1888 src_address /* changed member */ );
1889 ip0->checksum = ip_csum_fold (sum0);
1891 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1893 old_port0 = udp0->src_port;
1894 new_port0 = udp0->src_port = s0->out2in.port;
1896 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1898 sum0 = tcp0->checksum;
1899 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1901 dst_address /* changed member */ );
1902 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1903 ip4_header_t /* cheat */ ,
1904 length /* changed member */ );
1905 tcp0->checksum = ip_csum_fold (sum0);
1907 else if (PREDICT_FALSE (udp0->checksum))
1909 sum0 = udp0->checksum;
1910 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1912 dst_address /* changed member */ );
1913 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1914 ip4_header_t /* cheat */ ,
1915 length /* changed member */ );
1916 udp0->checksum = ip_csum_fold (sum0);
1921 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
1922 s0->ext_host_port, proto0, 0);
1925 nat44_session_update_counters (s0, now,
1926 vlib_buffer_length_in_chain (vm, b0),
1928 /* Per-user LRU list maintenance */
1929 nat44_session_update_lru (sm, s0, thread_index);
1932 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1933 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1935 nat44_reass_trace_t *t =
1936 vlib_add_trace (vm, node, b0, sizeof (*t));
1937 t->cached = cached0;
1938 t->sw_if_index = sw_if_index0;
1939 t->next_index = next0;
1950 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1952 /* verify speculative enqueue, maybe switch current next frame */
1953 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1954 to_next, n_left_to_next,
1958 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1960 from = vlib_frame_vector_args (frame);
1961 u32 len = vec_len (fragments_to_loopback);
1962 if (len <= VLIB_FRAME_SIZE)
1964 clib_memcpy_fast (from, fragments_to_loopback,
1965 sizeof (u32) * len);
1967 vec_reset_length (fragments_to_loopback);
1971 clib_memcpy_fast (from, fragments_to_loopback +
1972 (len - VLIB_FRAME_SIZE),
1973 sizeof (u32) * VLIB_FRAME_SIZE);
1974 n_left_from = VLIB_FRAME_SIZE;
1975 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1980 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1983 vlib_node_increment_counter (vm, sm->in2out_reass_node_index,
1984 SNAT_IN2OUT_ERROR_PROCESSED_FRAGMENTS,
1986 vlib_node_increment_counter (vm, sm->in2out_reass_node_index,
1987 SNAT_IN2OUT_ERROR_CACHED_FRAGMENTS,
1990 nat_send_all_to_node (vm, fragments_to_drop, node,
1991 &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
1992 SNAT_IN2OUT_NEXT_DROP);
1994 vec_free (fragments_to_drop);
1995 vec_free (fragments_to_loopback);
1996 return frame->n_vectors;
2000 VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
2001 .name = "nat44-in2out-reass",
2002 .vector_size = sizeof (u32),
2003 .format_trace = format_nat44_reass_trace,
2004 .type = VLIB_NODE_TYPE_INTERNAL,
2006 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2007 .error_strings = snat_in2out_error_strings,
2009 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2011 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2012 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2013 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2014 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2015 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2020 VLIB_NODE_FN (snat_in2out_fast_node) (vlib_main_t * vm,
2021 vlib_node_runtime_t * node,
2022 vlib_frame_t * frame)
2024 u32 n_left_from, *from, *to_next;
2025 snat_in2out_next_t next_index;
2026 u32 pkts_processed = 0;
2027 snat_main_t *sm = &snat_main;
2028 u32 stats_node_index;
2030 stats_node_index = sm->in2out_fast_node_index;
2032 from = vlib_frame_vector_args (frame);
2033 n_left_from = frame->n_vectors;
2034 next_index = node->cached_next_index;
2036 while (n_left_from > 0)
2040 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2042 while (n_left_from > 0 && n_left_to_next > 0)
2050 u32 new_addr0, old_addr0;
2051 u16 old_port0, new_port0;
2054 icmp46_header_t *icmp0;
2055 snat_session_key_t key0, sm0;
2059 /* speculatively enqueue b0 to the current next frame */
2065 n_left_to_next -= 1;
2067 b0 = vlib_get_buffer (vm, bi0);
2068 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2070 ip0 = vlib_buffer_get_current (b0);
2071 udp0 = ip4_next_header (ip0);
2072 tcp0 = (tcp_header_t *) udp0;
2073 icmp0 = (icmp46_header_t *) udp0;
2075 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2077 ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
2079 if (PREDICT_FALSE (ip0->ttl == 1))
2081 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2082 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2083 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2085 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2089 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2091 if (PREDICT_FALSE (proto0 == ~0))
2094 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2096 next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0,
2097 rx_fib_index0, node, next0, ~0, 0, 0);
2101 key0.addr = ip0->src_address;
2102 key0.protocol = proto0;
2103 key0.port = udp0->src_port;
2104 key0.fib_index = rx_fib_index0;
2106 if (snat_static_mapping_match (sm, key0, &sm0, 0, 0, 0, 0, 0, 0))
2108 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2109 next0 = SNAT_IN2OUT_NEXT_DROP;
2113 new_addr0 = sm0.addr.as_u32;
2114 new_port0 = sm0.port;
2115 vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2116 old_addr0 = ip0->src_address.as_u32;
2117 ip0->src_address.as_u32 = new_addr0;
2119 sum0 = ip0->checksum;
2120 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2122 src_address /* changed member */ );
2123 ip0->checksum = ip_csum_fold (sum0);
2125 if (PREDICT_FALSE (new_port0 != udp0->dst_port))
2127 old_port0 = udp0->src_port;
2128 udp0->src_port = new_port0;
2130 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
2132 sum0 = tcp0->checksum;
2133 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2135 dst_address /* changed member */ );
2136 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2137 ip4_header_t /* cheat */ ,
2138 length /* changed member */ );
2139 mss_clamping (sm, tcp0, &sum0);
2140 tcp0->checksum = ip_csum_fold (sum0);
2142 else if (udp0->checksum)
2144 sum0 = udp0->checksum;
2145 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2147 dst_address /* changed member */ );
2148 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2149 ip4_header_t /* cheat */ ,
2150 length /* changed member */ );
2151 udp0->checksum = ip_csum_fold (sum0);
2156 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
2158 sum0 = tcp0->checksum;
2159 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2161 dst_address /* changed member */ );
2162 mss_clamping (sm, tcp0, &sum0);
2163 tcp0->checksum = ip_csum_fold (sum0);
2165 else if (udp0->checksum)
2167 sum0 = udp0->checksum;
2168 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2170 dst_address /* changed member */ );
2171 udp0->checksum = ip_csum_fold (sum0);
2176 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, 0);
2179 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2180 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2182 snat_in2out_trace_t *t =
2183 vlib_add_trace (vm, node, b0, sizeof (*t));
2184 t->sw_if_index = sw_if_index0;
2185 t->next_index = next0;
2188 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2190 /* verify speculative enqueue, maybe switch current next frame */
2191 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2192 to_next, n_left_to_next,
2196 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2199 vlib_node_increment_counter (vm, stats_node_index,
2200 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2202 return frame->n_vectors;
2207 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
2208 .name = "nat44-in2out-fast",
2209 .vector_size = sizeof (u32),
2210 .format_trace = format_snat_in2out_fast_trace,
2211 .type = VLIB_NODE_TYPE_INTERNAL,
2213 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2214 .error_strings = snat_in2out_error_strings,
2216 .runtime_data_bytes = sizeof (snat_runtime_t),
2218 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2220 /* edit / add dispositions here */
2222 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2223 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2224 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2225 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2226 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2232 * fd.io coding-style-patch-verification: ON
2235 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob