2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
25 #include <nat/nat_ipfix_logging.h>
26 #include <nat/nat_det.h>
27 #include <nat/nat_reass.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
38 } snat_in2out_trace_t;
41 u32 next_worker_index;
43 } snat_in2out_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
53 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
55 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
56 t->sw_if_index, t->next_index, t->session_index);
61 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
63 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
64 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
65 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
67 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
68 t->sw_if_index, t->next_index);
73 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
75 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
76 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
77 snat_in2out_worker_handoff_trace_t * t =
78 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
81 m = t->do_handoff ? "next worker" : "same worker";
82 s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
91 } nat44_in2out_reass_trace_t;
93 static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args)
95 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
96 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
97 nat44_in2out_reass_trace_t * t = va_arg (*args, nat44_in2out_reass_trace_t *);
99 s = format (s, "NAT44_IN2OUT_REASS: sw_if_index %d, next index %d, status %s",
100 t->sw_if_index, t->next_index,
101 t->cached ? "cached" : "translated");
106 vlib_node_registration_t snat_in2out_node;
107 vlib_node_registration_t snat_in2out_slowpath_node;
108 vlib_node_registration_t snat_in2out_fast_node;
109 vlib_node_registration_t snat_in2out_worker_handoff_node;
110 vlib_node_registration_t snat_det_in2out_node;
111 vlib_node_registration_t snat_in2out_output_node;
112 vlib_node_registration_t snat_in2out_output_slowpath_node;
113 vlib_node_registration_t snat_in2out_output_worker_handoff_node;
114 vlib_node_registration_t snat_hairpin_dst_node;
115 vlib_node_registration_t snat_hairpin_src_node;
116 vlib_node_registration_t nat44_hairpinning_node;
117 vlib_node_registration_t nat44_in2out_reass_node;
120 #define foreach_snat_in2out_error \
121 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
122 _(IN2OUT_PACKETS, "Good in2out packets processed") \
123 _(OUT_OF_PORTS, "Out of ports") \
124 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
125 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
126 _(NO_TRANSLATION, "No translation") \
127 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
128 _(DROP_FRAGMENT, "Drop fragment") \
129 _(MAX_REASS, "Maximum reassemblies exceeded") \
130 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
133 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
134 foreach_snat_in2out_error
137 } snat_in2out_error_t;
139 static char * snat_in2out_error_strings[] = {
140 #define _(sym,string) string,
141 foreach_snat_in2out_error
146 SNAT_IN2OUT_NEXT_LOOKUP,
147 SNAT_IN2OUT_NEXT_DROP,
148 SNAT_IN2OUT_NEXT_ICMP_ERROR,
149 SNAT_IN2OUT_NEXT_SLOW_PATH,
150 SNAT_IN2OUT_NEXT_REASS,
152 } snat_in2out_next_t;
155 SNAT_HAIRPIN_SRC_NEXT_DROP,
156 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT,
157 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH,
158 SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT,
159 SNAT_HAIRPIN_SRC_N_NEXT,
160 } snat_hairpin_next_t;
163 * @brief Check if packet should be translated
165 * Packets aimed at outside interface and external address with active session
166 * should be translated.
169 * @param rt NAT runtime data
170 * @param sw_if_index0 index of the inside interface
171 * @param ip0 IPv4 header
172 * @param proto0 NAT protocol
173 * @param rx_fib_index0 RX FIB index
175 * @returns 0 if packet should be translated otherwise 1
178 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
179 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
185 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
187 .fp_proto = FIB_PROTOCOL_IP4,
190 .ip4.as_u32 = ip0->dst_address.as_u32,
194 /* Don't NAT packet aimed at the intfc address */
195 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
196 ip0->dst_address.as_u32)))
199 fei = fib_table_lookup (rx_fib_index0, &pfx);
200 if (FIB_NODE_INDEX_INVALID != fei)
202 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
203 if (sw_if_index == ~0)
205 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
206 if (FIB_NODE_INDEX_INVALID != fei)
207 sw_if_index = fib_entry_get_resolving_interface (fei);
210 pool_foreach (i, sm->interfaces,
212 /* NAT packet aimed at outside interface */
213 if ((nat_interface_is_outside(i)) && (sw_if_index == i->sw_if_index))
222 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
223 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
224 u32 rx_fib_index0, u32 thread_index)
226 udp_header_t * udp0 = ip4_next_header (ip0);
227 snat_session_key_t key0, sm0;
228 clib_bihash_kv_8_8_t kv0, value0;
230 key0.addr = ip0->dst_address;
231 key0.port = udp0->dst_port;
232 key0.protocol = proto0;
233 key0.fib_index = sm->outside_fib_index;
234 kv0.key = key0.as_u64;
236 /* NAT packet aimed at external address if */
237 /* has active sessions */
238 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
241 /* or is static mappings */
242 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
248 if (sm->forwarding_enabled)
251 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
256 nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0,
257 u32 proto0, u16 src_port, u16 dst_port,
258 u32 thread_index, u32 sw_if_index)
260 snat_session_key_t key0;
261 clib_bihash_kv_8_8_t kv0, value0;
265 key0.addr = ip0->src_address;
266 key0.port = src_port;
267 key0.protocol = proto0;
268 key0.fib_index = sm->outside_fib_index;
269 kv0.key = key0.as_u64;
271 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
276 key0.addr = ip0->dst_address;
277 key0.port = dst_port;
278 key0.protocol = proto0;
279 key0.fib_index = sm->inside_fib_index;
280 kv0.key = key0.as_u64;
281 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
285 pool_foreach (i, sm->output_feature_interfaces,
287 if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index))
296 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
299 snat_session_key_t * key0,
300 snat_session_t ** sessionp,
301 vlib_node_runtime_t * node,
307 clib_bihash_kv_8_8_t kv0;
308 snat_session_key_t key1;
309 u32 address_index = ~0;
310 u32 outside_fib_index;
312 udp_header_t * udp0 = ip4_next_header (ip0);
315 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
317 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
318 nat_ipfix_logging_max_sessions(sm->max_translations);
319 return SNAT_IN2OUT_NEXT_DROP;
322 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
325 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
326 return SNAT_IN2OUT_NEXT_DROP;
328 outside_fib_index = p[0];
330 key1.protocol = key0->protocol;
332 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
336 clib_warning ("create NAT user failed");
337 return SNAT_IN2OUT_NEXT_DROP;
340 /* First try to match static mapping by local address and port */
341 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0, 0))
343 /* Try to create dynamic translation */
344 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
348 sm->per_thread_data[thread_index].snat_thread_index))
350 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
351 return SNAT_IN2OUT_NEXT_DROP;
357 s = nat_session_alloc_or_recycle (sm, u, thread_index);
360 clib_warning ("create NAT session failed");
361 return SNAT_IN2OUT_NEXT_DROP;
365 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
366 user_session_increment (sm, u, is_sm);
367 s->outside_address_index = address_index;
370 s->out2in.protocol = key0->protocol;
371 s->out2in.fib_index = outside_fib_index;
372 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
373 s->ext_host_port = udp0->dst_port;
376 /* Add to translation hashes */
377 kv0.key = s->in2out.as_u64;
378 kv0.value = s - sm->per_thread_data[thread_index].sessions;
379 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
381 clib_warning ("in2out key add failed");
383 kv0.key = s->out2in.as_u64;
384 kv0.value = s - sm->per_thread_data[thread_index].sessions;
386 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
388 clib_warning ("out2in key add failed");
391 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
392 s->out2in.addr.as_u32,
396 s->in2out.fib_index);
401 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
402 snat_session_key_t *p_key0)
404 icmp46_header_t *icmp0;
405 snat_session_key_t key0;
406 icmp_echo_header_t *echo0, *inner_echo0 = 0;
407 ip4_header_t *inner_ip0 = 0;
409 icmp46_header_t *inner_icmp0;
411 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
412 echo0 = (icmp_echo_header_t *)(icmp0+1);
414 if (!icmp_is_error_message (icmp0))
416 key0.protocol = SNAT_PROTOCOL_ICMP;
417 key0.addr = ip0->src_address;
418 key0.port = echo0->identifier;
422 inner_ip0 = (ip4_header_t *)(echo0+1);
423 l4_header = ip4_next_header (inner_ip0);
424 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
425 key0.addr = inner_ip0->dst_address;
426 switch (key0.protocol)
428 case SNAT_PROTOCOL_ICMP:
429 inner_icmp0 = (icmp46_header_t*)l4_header;
430 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
431 key0.port = inner_echo0->identifier;
433 case SNAT_PROTOCOL_UDP:
434 case SNAT_PROTOCOL_TCP:
435 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
438 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
442 return -1; /* success */
445 static_always_inline int
446 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
448 icmp46_header_t *icmp0;
449 nat_ed_ses_key_t key0;
450 icmp_echo_header_t *echo0, *inner_echo0 = 0;
451 ip4_header_t *inner_ip0 = 0;
453 icmp46_header_t *inner_icmp0;
455 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
456 echo0 = (icmp_echo_header_t *)(icmp0+1);
458 if (!icmp_is_error_message (icmp0))
460 key0.proto = IP_PROTOCOL_ICMP;
461 key0.l_addr = ip0->src_address;
462 key0.r_addr = ip0->dst_address;
463 key0.l_port = key0.r_port = echo0->identifier;
467 inner_ip0 = (ip4_header_t *)(echo0+1);
468 l4_header = ip4_next_header (inner_ip0);
469 key0.proto = inner_ip0->protocol;
470 key0.r_addr = inner_ip0->src_address;
471 key0.l_addr = inner_ip0->dst_address;
472 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
474 case SNAT_PROTOCOL_ICMP:
475 inner_icmp0 = (icmp46_header_t*)l4_header;
476 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
477 key0.r_port = key0.l_port = inner_echo0->identifier;
479 case SNAT_PROTOCOL_UDP:
480 case SNAT_PROTOCOL_TCP:
481 key0.l_port = ((tcp_udp_header_t*)l4_header)->dst_port;
482 key0.r_port = ((tcp_udp_header_t*)l4_header)->src_port;
485 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
493 nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip)
495 nat_ed_ses_key_t key;
496 clib_bihash_kv_16_8_t kv, value;
499 if (!sm->forwarding_enabled)
502 if (ip->protocol == IP_PROTOCOL_ICMP)
504 if (icmp_get_ed_key (ip, &key))
507 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
509 udp = ip4_next_header(ip);
510 key.l_addr = ip->src_address;
511 key.r_addr = ip->dst_address;
512 key.proto = ip->protocol;
513 key.r_port = udp->dst_port;
514 key.l_port = udp->src_port;
518 key.l_addr = ip->src_address;
519 key.r_addr = ip->dst_address;
520 key.proto = ip->protocol;
521 key.l_port = key.r_port = 0;
524 kv.key[0] = key.as_u64[0];
525 kv.key[1] = key.as_u64[1];
527 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
528 return value.value == ~0ULL;
534 * Get address and port values to be used for ICMP packet translation
535 * and create session if needed
537 * @param[in,out] sm NAT main
538 * @param[in,out] node NAT node runtime
539 * @param[in] thread_index thread index
540 * @param[in,out] b0 buffer containing packet to be translated
541 * @param[out] p_proto protocol used for matching
542 * @param[out] p_value address and port after NAT translation
543 * @param[out] p_dont_translate if packet should not be translated
544 * @param d optional parameter
545 * @param e optional parameter
547 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
548 u32 thread_index, vlib_buffer_t *b0,
549 ip4_header_t *ip0, u8 *p_proto,
550 snat_session_key_t *p_value,
551 u8 *p_dont_translate, void *d, void *e)
553 icmp46_header_t *icmp0;
556 snat_session_key_t key0;
557 snat_session_t *s0 = 0;
558 u8 dont_translate = 0;
559 clib_bihash_kv_8_8_t kv0, value0;
563 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
564 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
565 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
567 err = icmp_get_key (ip0, &key0);
570 b0->error = node->errors[err];
571 next0 = SNAT_IN2OUT_NEXT_DROP;
574 key0.fib_index = rx_fib_index0;
576 kv0.key = key0.as_u64;
578 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
581 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] != ~0)
583 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
584 ip0, SNAT_PROTOCOL_ICMP, key0.port, key0.port, thread_index, sw_if_index0)))
592 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
593 ip0, SNAT_PROTOCOL_ICMP, rx_fib_index0, thread_index)))
600 if (PREDICT_FALSE(icmp_is_error_message (icmp0)))
602 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
603 next0 = SNAT_IN2OUT_NEXT_DROP;
607 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
608 &s0, node, next0, thread_index);
610 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
615 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
616 icmp0->type != ICMP4_echo_reply &&
617 !icmp_is_error_message (icmp0)))
619 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
620 next0 = SNAT_IN2OUT_NEXT_DROP;
624 if (PREDICT_FALSE (value0.value == ~0ULL))
626 nat_ed_ses_key_t key;
627 clib_bihash_kv_16_8_t s_kv, s_value;
631 if (icmp_get_ed_key (ip0, &key))
633 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
634 next0 = SNAT_IN2OUT_NEXT_DROP;
637 key.fib_index = rx_fib_index0;
638 s_kv.key[0] = key.as_u64[0];
639 s_kv.key[1] = key.as_u64[1];
640 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
641 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
645 next0 = SNAT_IN2OUT_NEXT_DROP;
650 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
655 *p_proto = key0.protocol;
657 *p_value = s0->out2in;
658 *p_dont_translate = dont_translate;
660 *(snat_session_t**)d = s0;
665 * Get address and port values to be used for ICMP packet translation
667 * @param[in] sm NAT main
668 * @param[in,out] node NAT node runtime
669 * @param[in] thread_index thread index
670 * @param[in,out] b0 buffer containing packet to be translated
671 * @param[out] p_proto protocol used for matching
672 * @param[out] p_value address and port after NAT translation
673 * @param[out] p_dont_translate if packet should not be translated
674 * @param d optional parameter
675 * @param e optional parameter
677 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
678 u32 thread_index, vlib_buffer_t *b0,
679 ip4_header_t *ip0, u8 *p_proto,
680 snat_session_key_t *p_value,
681 u8 *p_dont_translate, void *d, void *e)
683 icmp46_header_t *icmp0;
686 snat_session_key_t key0;
687 snat_session_key_t sm0;
688 u8 dont_translate = 0;
693 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
694 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
695 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
697 err = icmp_get_key (ip0, &key0);
700 b0->error = node->errors[err];
701 next0 = SNAT_IN2OUT_NEXT_DROP;
704 key0.fib_index = rx_fib_index0;
706 if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only, 0, 0))
708 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
709 IP_PROTOCOL_ICMP, rx_fib_index0)))
715 if (icmp_is_error_message (icmp0))
717 next0 = SNAT_IN2OUT_NEXT_DROP;
721 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
722 next0 = SNAT_IN2OUT_NEXT_DROP;
726 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
727 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
728 !icmp_is_error_message (icmp0)))
730 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
731 next0 = SNAT_IN2OUT_NEXT_DROP;
738 *p_proto = key0.protocol;
739 *p_dont_translate = dont_translate;
743 static inline u32 icmp_in2out (snat_main_t *sm,
746 icmp46_header_t * icmp0,
749 vlib_node_runtime_t * node,
755 snat_session_key_t sm0;
757 icmp_echo_header_t *echo0, *inner_echo0 = 0;
758 ip4_header_t *inner_ip0;
760 icmp46_header_t *inner_icmp0;
762 u32 new_addr0, old_addr0;
763 u16 old_id0, new_id0;
768 echo0 = (icmp_echo_header_t *)(icmp0+1);
770 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0, ip0,
771 &protocol, &sm0, &dont_translate, d, e);
774 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
777 sum0 = ip_incremental_checksum (0, icmp0,
778 ntohs(ip0->length) - ip4_header_bytes (ip0));
779 checksum0 = ~ip_csum_fold (sum0);
780 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
782 next0 = SNAT_IN2OUT_NEXT_DROP;
786 old_addr0 = ip0->src_address.as_u32;
787 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
788 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
789 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
791 sum0 = ip0->checksum;
792 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
793 src_address /* changed member */);
794 ip0->checksum = ip_csum_fold (sum0);
796 if (icmp0->checksum == 0)
797 icmp0->checksum = 0xffff;
799 if (!icmp_is_error_message (icmp0))
802 if (PREDICT_FALSE(new_id0 != echo0->identifier))
804 old_id0 = echo0->identifier;
806 echo0->identifier = new_id0;
808 sum0 = icmp0->checksum;
809 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
811 icmp0->checksum = ip_csum_fold (sum0);
816 inner_ip0 = (ip4_header_t *)(echo0+1);
817 l4_header = ip4_next_header (inner_ip0);
819 if (!ip4_header_checksum_is_valid (inner_ip0))
821 next0 = SNAT_IN2OUT_NEXT_DROP;
825 old_addr0 = inner_ip0->dst_address.as_u32;
826 inner_ip0->dst_address = sm0.addr;
827 new_addr0 = inner_ip0->dst_address.as_u32;
829 sum0 = icmp0->checksum;
830 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
831 dst_address /* changed member */);
832 icmp0->checksum = ip_csum_fold (sum0);
836 case SNAT_PROTOCOL_ICMP:
837 inner_icmp0 = (icmp46_header_t*)l4_header;
838 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
840 old_id0 = inner_echo0->identifier;
842 inner_echo0->identifier = new_id0;
844 sum0 = icmp0->checksum;
845 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
847 icmp0->checksum = ip_csum_fold (sum0);
849 case SNAT_PROTOCOL_UDP:
850 case SNAT_PROTOCOL_TCP:
851 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
853 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
855 sum0 = icmp0->checksum;
856 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
858 icmp0->checksum = ip_csum_fold (sum0);
872 * Hairpinning allows two endpoints on the internal side of the NAT to
873 * communicate even if they only use each other's external IP addresses
876 * @param sm NAT main.
877 * @param b0 Vlib buffer.
878 * @param ip0 IP header.
879 * @param udp0 UDP header.
880 * @param tcp0 TCP header.
881 * @param proto0 NAT protocol.
884 snat_hairpinning (snat_main_t *sm,
891 snat_session_key_t key0, sm0;
893 clib_bihash_kv_8_8_t kv0, value0;
895 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
896 u16 new_dst_port0, old_dst_port0;
898 key0.addr = ip0->dst_address;
899 key0.port = udp0->dst_port;
900 key0.protocol = proto0;
901 key0.fib_index = sm->outside_fib_index;
902 kv0.key = key0.as_u64;
904 /* Check if destination is static mappings */
905 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
907 new_dst_addr0 = sm0.addr.as_u32;
908 new_dst_port0 = sm0.port;
909 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
911 /* or active session */
914 if (sm->num_workers > 1)
915 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
917 ti = sm->num_workers;
919 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
923 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
924 new_dst_addr0 = s0->in2out.addr.as_u32;
925 new_dst_port0 = s0->in2out.port;
926 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
930 /* Destination is behind the same NAT, use internal address and port */
933 old_dst_addr0 = ip0->dst_address.as_u32;
934 ip0->dst_address.as_u32 = new_dst_addr0;
935 sum0 = ip0->checksum;
936 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
937 ip4_header_t, dst_address);
938 ip0->checksum = ip_csum_fold (sum0);
940 old_dst_port0 = tcp0->dst;
941 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
943 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
945 tcp0->dst = new_dst_port0;
946 sum0 = tcp0->checksum;
947 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
948 ip4_header_t, dst_address);
949 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
950 ip4_header_t /* cheat */, length);
951 tcp0->checksum = ip_csum_fold(sum0);
955 udp0->dst_port = new_dst_port0;
961 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
963 sum0 = tcp0->checksum;
964 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
965 ip4_header_t, dst_address);
966 tcp0->checksum = ip_csum_fold(sum0);
975 snat_icmp_hairpinning (snat_main_t *sm,
978 icmp46_header_t * icmp0)
980 snat_session_key_t key0, sm0;
981 clib_bihash_kv_8_8_t kv0, value0;
982 u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0;
986 if (!icmp_is_error_message (icmp0))
988 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
989 u16 icmp_id0 = echo0->identifier;
990 key0.addr = ip0->dst_address;
991 key0.port = icmp_id0;
992 key0.protocol = SNAT_PROTOCOL_ICMP;
993 key0.fib_index = sm->outside_fib_index;
994 kv0.key = key0.as_u64;
996 if (sm->num_workers > 1)
997 ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread;
999 ti = sm->num_workers;
1001 /* Check if destination is in active sessions */
1002 if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
1005 /* or static mappings */
1006 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1008 new_dst_addr0 = sm0.addr.as_u32;
1009 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1016 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
1017 new_dst_addr0 = s0->in2out.addr.as_u32;
1018 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1019 echo0->identifier = s0->in2out.port;
1020 sum0 = icmp0->checksum;
1021 sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port,
1022 icmp_echo_header_t, identifier);
1023 icmp0->checksum = ip_csum_fold (sum0);
1026 /* Destination is behind the same NAT, use internal address and port */
1029 old_dst_addr0 = ip0->dst_address.as_u32;
1030 ip0->dst_address.as_u32 = new_dst_addr0;
1031 sum0 = ip0->checksum;
1032 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
1033 ip4_header_t, dst_address);
1034 ip0->checksum = ip_csum_fold (sum0);
1040 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
1043 icmp46_header_t * icmp0,
1046 vlib_node_runtime_t * node,
1050 snat_session_t ** p_s0)
1052 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1053 next0, thread_index, p_s0, 0);
1054 snat_session_t * s0 = *p_s0;
1055 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
1058 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == 0)
1059 snat_icmp_hairpinning(sm, b0, ip0, icmp0);
1061 s0->last_heard = now;
1063 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
1064 /* Per-user LRU list maintenance */
1065 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1066 s0->per_user_index);
1067 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1068 s0->per_user_list_head_index,
1069 s0->per_user_index);
1074 snat_hairpinning_unknown_proto (snat_main_t *sm,
1078 u32 old_addr, new_addr = 0, ti = 0;
1079 clib_bihash_kv_8_8_t kv, value;
1080 clib_bihash_kv_16_8_t s_kv, s_value;
1081 nat_ed_ses_key_t key;
1082 snat_session_key_t m_key;
1083 snat_static_mapping_t *m;
1087 old_addr = ip->dst_address.as_u32;
1088 key.l_addr.as_u32 = ip->dst_address.as_u32;
1089 key.r_addr.as_u32 = ip->src_address.as_u32;
1090 key.fib_index = sm->outside_fib_index;
1091 key.proto = ip->protocol;
1094 s_kv.key[0] = key.as_u64[0];
1095 s_kv.key[1] = key.as_u64[1];
1096 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1098 m_key.addr = ip->dst_address;
1099 m_key.fib_index = sm->outside_fib_index;
1102 kv.key = m_key.as_u64;
1103 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1106 m = pool_elt_at_index (sm->static_mappings, value.value);
1107 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1108 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
1109 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
1113 if (sm->num_workers > 1)
1114 ti = sm->worker_out2in_cb (ip, sm->outside_fib_index);
1116 ti = sm->num_workers;
1118 s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value);
1119 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1120 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1121 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1124 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1125 ip->checksum = ip_csum_fold (sum);
1128 static snat_session_t *
1129 snat_in2out_unknown_proto (snat_main_t *sm,
1136 vlib_node_runtime_t * node)
1138 clib_bihash_kv_8_8_t kv, value;
1139 clib_bihash_kv_16_8_t s_kv, s_value;
1140 snat_static_mapping_t *m;
1141 snat_session_key_t m_key;
1142 u32 old_addr, new_addr = 0;
1145 dlist_elt_t *head, *elt;
1146 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1147 u32 elt_index, head_index, ses_index;
1149 nat_ed_ses_key_t key;
1150 u32 address_index = ~0;
1154 old_addr = ip->src_address.as_u32;
1156 key.l_addr = ip->src_address;
1157 key.r_addr = ip->dst_address;
1158 key.fib_index = rx_fib_index;
1159 key.proto = ip->protocol;
1162 s_kv.key[0] = key.as_u64[0];
1163 s_kv.key[1] = key.as_u64[1];
1165 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1167 s = pool_elt_at_index (tsm->sessions, s_value.value);
1168 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1172 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1174 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1175 nat_ipfix_logging_max_sessions(sm->max_translations);
1179 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1183 clib_warning ("create NAT user failed");
1187 m_key.addr = ip->src_address;
1190 m_key.fib_index = rx_fib_index;
1191 kv.key = m_key.as_u64;
1193 /* Try to find static mapping first */
1194 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
1196 m = pool_elt_at_index (sm->static_mappings, value.value);
1197 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
1201 /* Fallback to 3-tuple key */
1204 /* Choose same out address as for TCP/UDP session to same destination */
1205 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1207 head_index = u->sessions_per_user_list_head_index;
1208 head = pool_elt_at_index (tsm->list_pool, head_index);
1209 elt_index = head->next;
1210 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1211 ses_index = elt->value;
1212 while (ses_index != ~0)
1214 s = pool_elt_at_index (tsm->sessions, ses_index);
1215 elt_index = elt->next;
1216 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1217 ses_index = elt->value;
1219 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
1221 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1222 address_index = s->outside_address_index;
1224 key.fib_index = sm->outside_fib_index;
1225 key.l_addr.as_u32 = new_addr;
1226 s_kv.key[0] = key.as_u64[0];
1227 s_kv.key[1] = key.as_u64[1];
1228 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1235 key.fib_index = sm->outside_fib_index;
1236 for (i = 0; i < vec_len (sm->addresses); i++)
1238 key.l_addr.as_u32 = sm->addresses[i].addr.as_u32;
1239 s_kv.key[0] = key.as_u64[0];
1240 s_kv.key[1] = key.as_u64[1];
1241 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1243 new_addr = ip->src_address.as_u32 = key.l_addr.as_u32;
1252 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1255 clib_warning ("create NAT session failed");
1259 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1260 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1261 s->outside_address_index = address_index;
1262 s->out2in.addr.as_u32 = new_addr;
1263 s->out2in.fib_index = sm->outside_fib_index;
1264 s->in2out.addr.as_u32 = old_addr;
1265 s->in2out.fib_index = rx_fib_index;
1266 s->in2out.port = s->out2in.port = ip->protocol;
1268 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1269 user_session_increment (sm, u, is_sm);
1271 /* Add to lookup tables */
1272 key.l_addr.as_u32 = old_addr;
1273 key.r_addr = ip->dst_address;
1274 key.proto = ip->protocol;
1275 key.fib_index = rx_fib_index;
1276 s_kv.key[0] = key.as_u64[0];
1277 s_kv.key[1] = key.as_u64[1];
1278 s_kv.value = s - tsm->sessions;
1279 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1280 clib_warning ("in2out key add failed");
1282 key.l_addr.as_u32 = new_addr;
1283 key.fib_index = sm->outside_fib_index;
1284 s_kv.key[0] = key.as_u64[0];
1285 s_kv.key[1] = key.as_u64[1];
1286 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1287 clib_warning ("out2in key add failed");
1290 /* Update IP checksum */
1292 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1293 ip->checksum = ip_csum_fold (sum);
1296 s->last_heard = now;
1298 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1299 /* Per-user LRU list maintenance */
1300 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1301 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1305 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1306 snat_hairpinning_unknown_proto(sm, b, ip);
1308 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1309 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1314 static snat_session_t *
1315 snat_in2out_lb (snat_main_t *sm,
1322 vlib_node_runtime_t * node)
1324 nat_ed_ses_key_t key;
1325 clib_bihash_kv_16_8_t s_kv, s_value;
1326 udp_header_t *udp = ip4_next_header (ip);
1327 tcp_header_t *tcp = (tcp_header_t *) udp;
1328 snat_session_t *s = 0;
1329 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1330 u32 old_addr, new_addr;
1331 u16 new_port, old_port;
1333 u32 proto = ip_proto_to_snat_proto (ip->protocol);
1334 snat_session_key_t e_key, l_key;
1338 old_addr = ip->src_address.as_u32;
1340 key.l_addr = ip->src_address;
1341 key.r_addr = ip->dst_address;
1342 key.fib_index = rx_fib_index;
1343 key.proto = ip->protocol;
1344 key.r_port = udp->dst_port;
1345 key.l_port = udp->src_port;
1346 s_kv.key[0] = key.as_u64[0];
1347 s_kv.key[1] = key.as_u64[1];
1349 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1351 if (s_value.value == ~0ULL)
1353 s = pool_elt_at_index (tsm->sessions, s_value.value);
1357 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
1359 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1360 nat_ipfix_logging_max_sessions(sm->max_translations);
1364 l_key.addr = ip->src_address;
1365 l_key.port = udp->src_port;
1366 l_key.protocol = proto;
1367 l_key.fib_index = rx_fib_index;
1368 if (snat_static_mapping_match(sm, l_key, &e_key, 0, 0, 0, &lb))
1371 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1375 clib_warning ("create NAT user failed");
1379 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1382 clib_warning ("create NAT session failed");
1386 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1387 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1389 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1390 s->outside_address_index = ~0;
1393 s->out2in.protocol = l_key.protocol;
1394 user_session_increment (sm, u, 1 /* static */);
1396 /* Add to lookup tables */
1397 s_kv.value = s - tsm->sessions;
1398 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1399 clib_warning ("in2out-ed key add failed");
1401 key.l_addr = e_key.addr;
1402 key.fib_index = e_key.fib_index;
1403 key.l_port = e_key.port;
1404 s_kv.key[0] = key.as_u64[0];
1405 s_kv.key[1] = key.as_u64[1];
1406 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1407 clib_warning ("out2in-ed key add failed");
1410 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1412 /* Update IP checksum */
1414 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1415 if (is_twice_nat_session (s))
1416 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1417 s->ext_host_addr.as_u32, ip4_header_t, dst_address);
1418 ip->checksum = ip_csum_fold (sum);
1420 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1422 old_port = tcp->src_port;
1423 tcp->src_port = s->out2in.port;
1424 new_port = tcp->src_port;
1426 sum = tcp->checksum;
1427 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1428 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1429 if (is_twice_nat_session (s))
1431 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1432 s->ext_host_addr.as_u32, ip4_header_t,
1434 sum = ip_csum_update (sum, tcp->dst_port, s->ext_host_port,
1435 ip4_header_t, length);
1436 tcp->dst_port = s->ext_host_port;
1437 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1439 tcp->checksum = ip_csum_fold(sum);
1443 udp->src_port = s->out2in.port;
1444 if (is_twice_nat_session (s))
1446 udp->dst_port = s->ext_host_port;
1447 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1452 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1453 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1456 s->last_heard = now;
1458 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1459 /* Per-user LRU list maintenance */
1460 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1461 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1467 snat_in2out_node_fn_inline (vlib_main_t * vm,
1468 vlib_node_runtime_t * node,
1469 vlib_frame_t * frame, int is_slow_path,
1470 int is_output_feature)
1472 u32 n_left_from, * from, * to_next;
1473 snat_in2out_next_t next_index;
1474 u32 pkts_processed = 0;
1475 snat_main_t * sm = &snat_main;
1476 f64 now = vlib_time_now (vm);
1477 u32 stats_node_index;
1478 u32 thread_index = vlib_get_thread_index ();
1480 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
1481 snat_in2out_node.index;
1483 from = vlib_frame_vector_args (frame);
1484 n_left_from = frame->n_vectors;
1485 next_index = node->cached_next_index;
1487 while (n_left_from > 0)
1491 vlib_get_next_frame (vm, node, next_index,
1492 to_next, n_left_to_next);
1494 while (n_left_from >= 4 && n_left_to_next >= 2)
1497 vlib_buffer_t * b0, * b1;
1499 u32 sw_if_index0, sw_if_index1;
1500 ip4_header_t * ip0, * ip1;
1501 ip_csum_t sum0, sum1;
1502 u32 new_addr0, old_addr0, new_addr1, old_addr1;
1503 u16 old_port0, new_port0, old_port1, new_port1;
1504 udp_header_t * udp0, * udp1;
1505 tcp_header_t * tcp0, * tcp1;
1506 icmp46_header_t * icmp0, * icmp1;
1507 snat_session_key_t key0, key1;
1508 u32 rx_fib_index0, rx_fib_index1;
1510 snat_session_t * s0 = 0, * s1 = 0;
1511 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
1512 u32 iph_offset0 = 0, iph_offset1 = 0;
1514 /* Prefetch next iteration. */
1516 vlib_buffer_t * p2, * p3;
1518 p2 = vlib_get_buffer (vm, from[2]);
1519 p3 = vlib_get_buffer (vm, from[3]);
1521 vlib_prefetch_buffer_header (p2, LOAD);
1522 vlib_prefetch_buffer_header (p3, LOAD);
1524 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1525 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1528 /* speculatively enqueue b0 and b1 to the current next frame */
1529 to_next[0] = bi0 = from[0];
1530 to_next[1] = bi1 = from[1];
1534 n_left_to_next -= 2;
1536 b0 = vlib_get_buffer (vm, bi0);
1537 b1 = vlib_get_buffer (vm, bi1);
1539 if (is_output_feature)
1540 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1542 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1545 udp0 = ip4_next_header (ip0);
1546 tcp0 = (tcp_header_t *) udp0;
1547 icmp0 = (icmp46_header_t *) udp0;
1549 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1550 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1553 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1555 if (PREDICT_FALSE(ip0->ttl == 1))
1557 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1558 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1559 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1561 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1565 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1567 /* Next configured feature, probably ip4-lookup */
1570 if (PREDICT_FALSE (proto0 == ~0))
1572 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1573 thread_index, now, vm, node);
1575 next0 = SNAT_IN2OUT_NEXT_DROP;
1579 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1581 next0 = icmp_in2out_slow_path
1582 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1583 node, next0, now, thread_index, &s0);
1589 if (is_output_feature)
1591 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
1595 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1597 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1601 if (ip4_is_fragment (ip0))
1603 next0 = SNAT_IN2OUT_NEXT_REASS;
1608 key0.addr = ip0->src_address;
1609 key0.port = udp0->src_port;
1610 key0.protocol = proto0;
1611 key0.fib_index = rx_fib_index0;
1613 kv0.key = key0.as_u64;
1615 if (PREDICT_FALSE (clib_bihash_search_8_8 (
1616 &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0))
1620 if (is_output_feature)
1622 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1623 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
1628 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1629 ip0, proto0, rx_fib_index0, thread_index)))
1633 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1634 &s0, node, next0, thread_index);
1635 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1640 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1646 if (PREDICT_FALSE (value0.value == ~0ULL))
1650 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
1651 thread_index, now, vm, node);
1652 if (!s0 && !sm->forwarding_enabled)
1653 next0 = SNAT_IN2OUT_NEXT_DROP;
1658 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1664 s0 = pool_elt_at_index (
1665 sm->per_thread_data[thread_index].sessions,
1670 b0->flags |= VNET_BUFFER_F_IS_NATED;
1672 old_addr0 = ip0->src_address.as_u32;
1673 ip0->src_address = s0->out2in.addr;
1674 new_addr0 = ip0->src_address.as_u32;
1675 if (!is_output_feature)
1676 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1678 sum0 = ip0->checksum;
1679 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1681 src_address /* changed member */);
1682 ip0->checksum = ip_csum_fold (sum0);
1684 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1686 old_port0 = tcp0->src_port;
1687 tcp0->src_port = s0->out2in.port;
1688 new_port0 = tcp0->src_port;
1690 sum0 = tcp0->checksum;
1691 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1693 dst_address /* changed member */);
1694 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1695 ip4_header_t /* cheat */,
1696 length /* changed member */);
1697 tcp0->checksum = ip_csum_fold(sum0);
1701 old_port0 = udp0->src_port;
1702 udp0->src_port = s0->out2in.port;
1707 s0->last_heard = now;
1709 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1710 /* Per-user LRU list maintenance */
1711 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1712 s0->per_user_index);
1713 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1714 s0->per_user_list_head_index,
1715 s0->per_user_index);
1718 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1719 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1721 snat_in2out_trace_t *t =
1722 vlib_add_trace (vm, node, b0, sizeof (*t));
1723 t->is_slow_path = is_slow_path;
1724 t->sw_if_index = sw_if_index0;
1725 t->next_index = next0;
1726 t->session_index = ~0;
1728 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1731 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1733 if (is_output_feature)
1734 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1736 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1739 udp1 = ip4_next_header (ip1);
1740 tcp1 = (tcp_header_t *) udp1;
1741 icmp1 = (icmp46_header_t *) udp1;
1743 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1744 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1747 if (PREDICT_FALSE(ip1->ttl == 1))
1749 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1750 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1751 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1753 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1757 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1759 /* Next configured feature, probably ip4-lookup */
1762 if (PREDICT_FALSE (proto1 == ~0))
1764 s1 = snat_in2out_unknown_proto (sm, b1, ip1, rx_fib_index1,
1765 thread_index, now, vm, node);
1767 next1 = SNAT_IN2OUT_NEXT_DROP;
1771 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1773 next1 = icmp_in2out_slow_path
1774 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1775 next1, now, thread_index, &s1);
1781 if (is_output_feature)
1783 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1)))
1787 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1789 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1793 if (ip4_is_fragment (ip1))
1795 next1 = SNAT_IN2OUT_NEXT_REASS;
1800 key1.addr = ip1->src_address;
1801 key1.port = udp1->src_port;
1802 key1.protocol = proto1;
1803 key1.fib_index = rx_fib_index1;
1805 kv1.key = key1.as_u64;
1807 if (PREDICT_FALSE(clib_bihash_search_8_8 (
1808 &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0))
1812 if (is_output_feature)
1814 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1815 ip1, proto1, udp1->src_port, udp1->dst_port, thread_index, sw_if_index1)))
1820 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1,
1821 ip1, proto1, rx_fib_index1, thread_index)))
1825 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1826 &s1, node, next1, thread_index);
1827 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1832 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1838 if (PREDICT_FALSE (value1.value == ~0ULL))
1842 s1 = snat_in2out_lb(sm, b1, ip1, rx_fib_index1,
1843 thread_index, now, vm, node);
1844 if (!s1 && !sm->forwarding_enabled)
1845 next1 = SNAT_IN2OUT_NEXT_DROP;
1850 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1856 s1 = pool_elt_at_index (
1857 sm->per_thread_data[thread_index].sessions,
1862 b1->flags |= VNET_BUFFER_F_IS_NATED;
1864 old_addr1 = ip1->src_address.as_u32;
1865 ip1->src_address = s1->out2in.addr;
1866 new_addr1 = ip1->src_address.as_u32;
1867 if (!is_output_feature)
1868 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1870 sum1 = ip1->checksum;
1871 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1873 src_address /* changed member */);
1874 ip1->checksum = ip_csum_fold (sum1);
1876 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1878 old_port1 = tcp1->src_port;
1879 tcp1->src_port = s1->out2in.port;
1880 new_port1 = tcp1->src_port;
1882 sum1 = tcp1->checksum;
1883 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1885 dst_address /* changed member */);
1886 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1887 ip4_header_t /* cheat */,
1888 length /* changed member */);
1889 tcp1->checksum = ip_csum_fold(sum1);
1893 old_port1 = udp1->src_port;
1894 udp1->src_port = s1->out2in.port;
1899 s1->last_heard = now;
1901 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1902 /* Per-user LRU list maintenance */
1903 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1904 s1->per_user_index);
1905 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1906 s1->per_user_list_head_index,
1907 s1->per_user_index);
1910 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1911 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1913 snat_in2out_trace_t *t =
1914 vlib_add_trace (vm, node, b1, sizeof (*t));
1915 t->sw_if_index = sw_if_index1;
1916 t->next_index = next1;
1917 t->session_index = ~0;
1919 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1922 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1924 /* verify speculative enqueues, maybe switch current next frame */
1925 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1926 to_next, n_left_to_next,
1927 bi0, bi1, next0, next1);
1930 while (n_left_from > 0 && n_left_to_next > 0)
1938 u32 new_addr0, old_addr0;
1939 u16 old_port0, new_port0;
1940 udp_header_t * udp0;
1941 tcp_header_t * tcp0;
1942 icmp46_header_t * icmp0;
1943 snat_session_key_t key0;
1946 snat_session_t * s0 = 0;
1947 clib_bihash_kv_8_8_t kv0, value0;
1948 u32 iph_offset0 = 0;
1950 /* speculatively enqueue b0 to the current next frame */
1956 n_left_to_next -= 1;
1958 b0 = vlib_get_buffer (vm, bi0);
1959 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1961 if (is_output_feature)
1962 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1964 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1967 udp0 = ip4_next_header (ip0);
1968 tcp0 = (tcp_header_t *) udp0;
1969 icmp0 = (icmp46_header_t *) udp0;
1971 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1972 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1975 if (PREDICT_FALSE(ip0->ttl == 1))
1977 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1978 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1979 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1981 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1985 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1987 /* Next configured feature, probably ip4-lookup */
1990 if (PREDICT_FALSE (proto0 == ~0))
1992 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1993 thread_index, now, vm, node);
1995 next0 = SNAT_IN2OUT_NEXT_DROP;
1999 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2001 next0 = icmp_in2out_slow_path
2002 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2003 next0, now, thread_index, &s0);
2009 if (is_output_feature)
2011 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
2015 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
2017 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2021 if (ip4_is_fragment (ip0))
2023 next0 = SNAT_IN2OUT_NEXT_REASS;
2028 key0.addr = ip0->src_address;
2029 key0.port = udp0->src_port;
2030 key0.protocol = proto0;
2031 key0.fib_index = rx_fib_index0;
2033 kv0.key = key0.as_u64;
2035 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out,
2040 if (is_output_feature)
2042 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
2043 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
2048 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2049 ip0, proto0, rx_fib_index0, thread_index)))
2053 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2054 &s0, node, next0, thread_index);
2056 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2061 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2067 if (PREDICT_FALSE (value0.value == ~0ULL))
2071 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
2072 thread_index, now, vm, node);
2073 if (!s0 && !sm->forwarding_enabled)
2074 next0 = SNAT_IN2OUT_NEXT_DROP;
2079 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2085 s0 = pool_elt_at_index (
2086 sm->per_thread_data[thread_index].sessions,
2091 b0->flags |= VNET_BUFFER_F_IS_NATED;
2093 old_addr0 = ip0->src_address.as_u32;
2094 ip0->src_address = s0->out2in.addr;
2095 new_addr0 = ip0->src_address.as_u32;
2096 if (!is_output_feature)
2097 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2099 sum0 = ip0->checksum;
2100 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2102 src_address /* changed member */);
2103 ip0->checksum = ip_csum_fold (sum0);
2105 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2107 old_port0 = tcp0->src_port;
2108 tcp0->src_port = s0->out2in.port;
2109 new_port0 = tcp0->src_port;
2111 sum0 = tcp0->checksum;
2112 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2114 dst_address /* changed member */);
2115 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2116 ip4_header_t /* cheat */,
2117 length /* changed member */);
2118 tcp0->checksum = ip_csum_fold(sum0);
2122 old_port0 = udp0->src_port;
2123 udp0->src_port = s0->out2in.port;
2128 s0->last_heard = now;
2130 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2131 /* Per-user LRU list maintenance */
2132 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2133 s0->per_user_index);
2134 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2135 s0->per_user_list_head_index,
2136 s0->per_user_index);
2139 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2140 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2142 snat_in2out_trace_t *t =
2143 vlib_add_trace (vm, node, b0, sizeof (*t));
2144 t->is_slow_path = is_slow_path;
2145 t->sw_if_index = sw_if_index0;
2146 t->next_index = next0;
2147 t->session_index = ~0;
2149 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
2152 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2154 /* verify speculative enqueue, maybe switch current next frame */
2155 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2156 to_next, n_left_to_next,
2160 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2163 vlib_node_increment_counter (vm, stats_node_index,
2164 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2166 return frame->n_vectors;
2170 snat_in2out_fast_path_fn (vlib_main_t * vm,
2171 vlib_node_runtime_t * node,
2172 vlib_frame_t * frame)
2174 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0);
2177 VLIB_REGISTER_NODE (snat_in2out_node) = {
2178 .function = snat_in2out_fast_path_fn,
2179 .name = "nat44-in2out",
2180 .vector_size = sizeof (u32),
2181 .format_trace = format_snat_in2out_trace,
2182 .type = VLIB_NODE_TYPE_INTERNAL,
2184 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2185 .error_strings = snat_in2out_error_strings,
2187 .runtime_data_bytes = sizeof (snat_runtime_t),
2189 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2191 /* edit / add dispositions here */
2193 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2194 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2195 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2196 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2197 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2201 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
2204 snat_in2out_output_fast_path_fn (vlib_main_t * vm,
2205 vlib_node_runtime_t * node,
2206 vlib_frame_t * frame)
2208 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1);
2211 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
2212 .function = snat_in2out_output_fast_path_fn,
2213 .name = "nat44-in2out-output",
2214 .vector_size = sizeof (u32),
2215 .format_trace = format_snat_in2out_trace,
2216 .type = VLIB_NODE_TYPE_INTERNAL,
2218 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2219 .error_strings = snat_in2out_error_strings,
2221 .runtime_data_bytes = sizeof (snat_runtime_t),
2223 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2225 /* edit / add dispositions here */
2227 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2228 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2229 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2230 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2231 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2235 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node,
2236 snat_in2out_output_fast_path_fn);
2239 snat_in2out_slow_path_fn (vlib_main_t * vm,
2240 vlib_node_runtime_t * node,
2241 vlib_frame_t * frame)
2243 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0);
2246 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
2247 .function = snat_in2out_slow_path_fn,
2248 .name = "nat44-in2out-slowpath",
2249 .vector_size = sizeof (u32),
2250 .format_trace = format_snat_in2out_trace,
2251 .type = VLIB_NODE_TYPE_INTERNAL,
2253 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2254 .error_strings = snat_in2out_error_strings,
2256 .runtime_data_bytes = sizeof (snat_runtime_t),
2258 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2260 /* edit / add dispositions here */
2262 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2263 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2264 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2265 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2266 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2270 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node,
2271 snat_in2out_slow_path_fn);
2274 snat_in2out_output_slow_path_fn (vlib_main_t * vm,
2275 vlib_node_runtime_t * node,
2276 vlib_frame_t * frame)
2278 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1);
2281 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
2282 .function = snat_in2out_output_slow_path_fn,
2283 .name = "nat44-in2out-output-slowpath",
2284 .vector_size = sizeof (u32),
2285 .format_trace = format_snat_in2out_trace,
2286 .type = VLIB_NODE_TYPE_INTERNAL,
2288 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2289 .error_strings = snat_in2out_error_strings,
2291 .runtime_data_bytes = sizeof (snat_runtime_t),
2293 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2295 /* edit / add dispositions here */
2297 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2298 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2299 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2300 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2301 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2305 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node,
2306 snat_in2out_output_slow_path_fn);
2308 extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local;
2311 nat44_hairpinning_fn (vlib_main_t * vm,
2312 vlib_node_runtime_t * node,
2313 vlib_frame_t * frame)
2315 u32 n_left_from, * from, * to_next;
2316 snat_in2out_next_t next_index;
2317 u32 pkts_processed = 0;
2318 snat_main_t * sm = &snat_main;
2319 vnet_feature_main_t *fm = &feature_main;
2320 u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index;
2321 vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index];
2323 from = vlib_frame_vector_args (frame);
2324 n_left_from = frame->n_vectors;
2325 next_index = node->cached_next_index;
2327 while (n_left_from > 0)
2331 vlib_get_next_frame (vm, node, next_index,
2332 to_next, n_left_to_next);
2334 while (n_left_from > 0 && n_left_to_next > 0)
2341 udp_header_t * udp0;
2342 tcp_header_t * tcp0;
2344 /* speculatively enqueue b0 to the current next frame */
2350 n_left_to_next -= 1;
2352 b0 = vlib_get_buffer (vm, bi0);
2353 ip0 = vlib_buffer_get_current (b0);
2354 udp0 = ip4_next_header (ip0);
2355 tcp0 = (tcp_header_t *) udp0;
2357 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2359 vnet_get_config_data (&cm->config_main, &b0->current_config_index,
2362 if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0))
2363 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2365 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2367 /* verify speculative enqueue, maybe switch current next frame */
2368 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2369 to_next, n_left_to_next,
2373 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2376 vlib_node_increment_counter (vm, nat44_hairpinning_node.index,
2377 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2379 return frame->n_vectors;
2382 VLIB_REGISTER_NODE (nat44_hairpinning_node) = {
2383 .function = nat44_hairpinning_fn,
2384 .name = "nat44-hairpinning",
2385 .vector_size = sizeof (u32),
2386 .type = VLIB_NODE_TYPE_INTERNAL,
2387 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2388 .error_strings = snat_in2out_error_strings,
2391 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2392 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2396 VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node,
2397 nat44_hairpinning_fn);
2400 nat44_reass_hairpinning (snat_main_t *sm,
2407 snat_session_key_t key0, sm0;
2408 snat_session_t * s0;
2409 clib_bihash_kv_8_8_t kv0, value0;
2411 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
2412 u16 new_dst_port0, old_dst_port0;
2413 udp_header_t * udp0;
2414 tcp_header_t * tcp0;
2416 key0.addr = ip0->dst_address;
2418 key0.protocol = proto0;
2419 key0.fib_index = sm->outside_fib_index;
2420 kv0.key = key0.as_u64;
2422 udp0 = ip4_next_header (ip0);
2424 /* Check if destination is static mappings */
2425 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
2427 new_dst_addr0 = sm0.addr.as_u32;
2428 new_dst_port0 = sm0.port;
2429 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2431 /* or active sessions */
2434 if (sm->num_workers > 1)
2435 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
2437 ti = sm->num_workers;
2439 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
2442 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
2443 new_dst_addr0 = s0->in2out.addr.as_u32;
2444 new_dst_port0 = s0->in2out.port;
2445 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2449 /* Destination is behind the same NAT, use internal address and port */
2452 old_dst_addr0 = ip0->dst_address.as_u32;
2453 ip0->dst_address.as_u32 = new_dst_addr0;
2454 sum0 = ip0->checksum;
2455 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2456 ip4_header_t, dst_address);
2457 ip0->checksum = ip_csum_fold (sum0);
2459 old_dst_port0 = dport;
2460 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0 &&
2461 ip4_is_first_fragment (ip0)))
2463 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2465 tcp0 = ip4_next_header (ip0);
2466 tcp0->dst = new_dst_port0;
2467 sum0 = tcp0->checksum;
2468 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2469 ip4_header_t, dst_address);
2470 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
2471 ip4_header_t /* cheat */, length);
2472 tcp0->checksum = ip_csum_fold(sum0);
2476 udp0->dst_port = new_dst_port0;
2482 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2484 tcp0 = ip4_next_header (ip0);
2485 sum0 = tcp0->checksum;
2486 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2487 ip4_header_t, dst_address);
2488 tcp0->checksum = ip_csum_fold(sum0);
2495 nat44_in2out_reass_node_fn (vlib_main_t * vm,
2496 vlib_node_runtime_t * node,
2497 vlib_frame_t * frame)
2499 u32 n_left_from, *from, *to_next;
2500 snat_in2out_next_t next_index;
2501 u32 pkts_processed = 0;
2502 snat_main_t *sm = &snat_main;
2503 f64 now = vlib_time_now (vm);
2504 u32 thread_index = vlib_get_thread_index ();
2505 snat_main_per_thread_data_t *per_thread_data =
2506 &sm->per_thread_data[thread_index];
2507 u32 *fragments_to_drop = 0;
2508 u32 *fragments_to_loopback = 0;
2510 from = vlib_frame_vector_args (frame);
2511 n_left_from = frame->n_vectors;
2512 next_index = node->cached_next_index;
2514 while (n_left_from > 0)
2518 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2520 while (n_left_from > 0 && n_left_to_next > 0)
2522 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
2527 nat_reass_ip4_t *reass0;
2528 udp_header_t * udp0;
2529 tcp_header_t * tcp0;
2530 snat_session_key_t key0;
2531 clib_bihash_kv_8_8_t kv0, value0;
2532 snat_session_t * s0 = 0;
2533 u16 old_port0, new_port0;
2536 /* speculatively enqueue b0 to the current next frame */
2542 n_left_to_next -= 1;
2544 b0 = vlib_get_buffer (vm, bi0);
2545 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2547 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2548 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2551 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
2553 next0 = SNAT_IN2OUT_NEXT_DROP;
2554 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
2558 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
2559 udp0 = ip4_next_header (ip0);
2560 tcp0 = (tcp_header_t *) udp0;
2561 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2563 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
2568 &fragments_to_drop);
2570 if (PREDICT_FALSE (!reass0))
2572 next0 = SNAT_IN2OUT_NEXT_DROP;
2573 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
2577 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2579 key0.addr = ip0->src_address;
2580 key0.port = udp0->src_port;
2581 key0.protocol = proto0;
2582 key0.fib_index = rx_fib_index0;
2583 kv0.key = key0.as_u64;
2585 if (clib_bihash_search_8_8 (&per_thread_data->in2out, &kv0, &value0))
2587 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2588 ip0, proto0, rx_fib_index0, thread_index)))
2591 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2592 &s0, node, next0, thread_index);
2594 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2597 reass0->sess_index = s0 - per_thread_data->sessions;
2601 s0 = pool_elt_at_index (per_thread_data->sessions,
2603 reass0->sess_index = value0.value;
2605 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
2609 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
2611 if (nat_ip4_reass_add_fragment (reass0, bi0))
2613 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
2614 next0 = SNAT_IN2OUT_NEXT_DROP;
2620 s0 = pool_elt_at_index (per_thread_data->sessions,
2621 reass0->sess_index);
2624 old_addr0 = ip0->src_address.as_u32;
2625 ip0->src_address = s0->out2in.addr;
2626 new_addr0 = ip0->src_address.as_u32;
2627 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2629 sum0 = ip0->checksum;
2630 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2632 src_address /* changed member */);
2633 ip0->checksum = ip_csum_fold (sum0);
2635 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2637 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2639 old_port0 = tcp0->src_port;
2640 tcp0->src_port = s0->out2in.port;
2641 new_port0 = tcp0->src_port;
2643 sum0 = tcp0->checksum;
2644 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2646 dst_address /* changed member */);
2647 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2648 ip4_header_t /* cheat */,
2649 length /* changed member */);
2650 tcp0->checksum = ip_csum_fold(sum0);
2654 old_port0 = udp0->src_port;
2655 udp0->src_port = s0->out2in.port;
2661 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
2662 s0->ext_host_port, proto0);
2665 s0->last_heard = now;
2667 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2668 /* Per-user LRU list maintenance */
2669 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2670 s0->per_user_index);
2671 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2672 s0->per_user_list_head_index,
2673 s0->per_user_index);
2676 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2677 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2679 nat44_in2out_reass_trace_t *t =
2680 vlib_add_trace (vm, node, b0, sizeof (*t));
2681 t->cached = cached0;
2682 t->sw_if_index = sw_if_index0;
2683 t->next_index = next0;
2693 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2695 /* verify speculative enqueue, maybe switch current next frame */
2696 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2697 to_next, n_left_to_next,
2701 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2703 from = vlib_frame_vector_args (frame);
2704 u32 len = vec_len (fragments_to_loopback);
2705 if (len <= VLIB_FRAME_SIZE)
2707 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2709 vec_reset_length (fragments_to_loopback);
2714 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2715 sizeof (u32) * VLIB_FRAME_SIZE);
2716 n_left_from = VLIB_FRAME_SIZE;
2717 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2722 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2725 vlib_node_increment_counter (vm, nat44_in2out_reass_node.index,
2726 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2729 nat_send_all_to_node (vm, fragments_to_drop, node,
2730 &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
2731 SNAT_IN2OUT_NEXT_DROP);
2733 vec_free (fragments_to_drop);
2734 vec_free (fragments_to_loopback);
2735 return frame->n_vectors;
2738 VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
2739 .function = nat44_in2out_reass_node_fn,
2740 .name = "nat44-in2out-reass",
2741 .vector_size = sizeof (u32),
2742 .format_trace = format_nat44_in2out_reass_trace,
2743 .type = VLIB_NODE_TYPE_INTERNAL,
2745 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2746 .error_strings = snat_in2out_error_strings,
2748 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2750 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2751 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2752 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2753 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2754 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2758 VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node,
2759 nat44_in2out_reass_node_fn);
2761 /**************************/
2762 /*** deterministic mode ***/
2763 /**************************/
2765 snat_det_in2out_node_fn (vlib_main_t * vm,
2766 vlib_node_runtime_t * node,
2767 vlib_frame_t * frame)
2769 u32 n_left_from, * from, * to_next;
2770 snat_in2out_next_t next_index;
2771 u32 pkts_processed = 0;
2772 snat_main_t * sm = &snat_main;
2773 u32 now = (u32) vlib_time_now (vm);
2774 u32 thread_index = vlib_get_thread_index ();
2776 from = vlib_frame_vector_args (frame);
2777 n_left_from = frame->n_vectors;
2778 next_index = node->cached_next_index;
2780 while (n_left_from > 0)
2784 vlib_get_next_frame (vm, node, next_index,
2785 to_next, n_left_to_next);
2787 while (n_left_from >= 4 && n_left_to_next >= 2)
2790 vlib_buffer_t * b0, * b1;
2792 u32 sw_if_index0, sw_if_index1;
2793 ip4_header_t * ip0, * ip1;
2794 ip_csum_t sum0, sum1;
2795 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2796 u16 old_port0, new_port0, lo_port0, i0;
2797 u16 old_port1, new_port1, lo_port1, i1;
2798 udp_header_t * udp0, * udp1;
2799 tcp_header_t * tcp0, * tcp1;
2801 snat_det_out_key_t key0, key1;
2802 snat_det_map_t * dm0, * dm1;
2803 snat_det_session_t * ses0 = 0, * ses1 = 0;
2804 u32 rx_fib_index0, rx_fib_index1;
2805 icmp46_header_t * icmp0, * icmp1;
2807 /* Prefetch next iteration. */
2809 vlib_buffer_t * p2, * p3;
2811 p2 = vlib_get_buffer (vm, from[2]);
2812 p3 = vlib_get_buffer (vm, from[3]);
2814 vlib_prefetch_buffer_header (p2, LOAD);
2815 vlib_prefetch_buffer_header (p3, LOAD);
2817 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2818 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2821 /* speculatively enqueue b0 and b1 to the current next frame */
2822 to_next[0] = bi0 = from[0];
2823 to_next[1] = bi1 = from[1];
2827 n_left_to_next -= 2;
2829 b0 = vlib_get_buffer (vm, bi0);
2830 b1 = vlib_get_buffer (vm, bi1);
2832 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2833 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
2835 ip0 = vlib_buffer_get_current (b0);
2836 udp0 = ip4_next_header (ip0);
2837 tcp0 = (tcp_header_t *) udp0;
2839 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2841 if (PREDICT_FALSE(ip0->ttl == 1))
2843 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2844 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2845 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2847 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2851 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2853 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2855 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2856 icmp0 = (icmp46_header_t *) udp0;
2858 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2859 rx_fib_index0, node, next0, thread_index,
2864 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2865 if (PREDICT_FALSE(!dm0))
2867 clib_warning("no match for internal host %U",
2868 format_ip4_address, &ip0->src_address);
2869 next0 = SNAT_IN2OUT_NEXT_DROP;
2870 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2874 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2876 key0.ext_host_addr = ip0->dst_address;
2877 key0.ext_host_port = tcp0->dst;
2879 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2880 if (PREDICT_FALSE(!ses0))
2882 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2884 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2885 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
2887 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
2890 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
2893 if (PREDICT_FALSE(!ses0))
2895 /* too many sessions for user, send ICMP error packet */
2897 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2898 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
2899 ICMP4_destination_unreachable_destination_unreachable_host,
2901 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2906 new_port0 = ses0->out.out_port;
2908 old_addr0.as_u32 = ip0->src_address.as_u32;
2909 ip0->src_address.as_u32 = new_addr0.as_u32;
2910 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2912 sum0 = ip0->checksum;
2913 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2915 src_address /* changed member */);
2916 ip0->checksum = ip_csum_fold (sum0);
2918 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2920 if (tcp0->flags & TCP_FLAG_SYN)
2921 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
2922 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
2923 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2924 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2925 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
2926 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
2927 snat_det_ses_close(dm0, ses0);
2928 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2929 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
2930 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
2931 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2933 old_port0 = tcp0->src;
2934 tcp0->src = new_port0;
2936 sum0 = tcp0->checksum;
2937 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2939 dst_address /* changed member */);
2940 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2941 ip4_header_t /* cheat */,
2942 length /* changed member */);
2943 tcp0->checksum = ip_csum_fold(sum0);
2947 ses0->state = SNAT_SESSION_UDP_ACTIVE;
2948 old_port0 = udp0->src_port;
2949 udp0->src_port = new_port0;
2955 case SNAT_SESSION_UDP_ACTIVE:
2956 ses0->expire = now + sm->udp_timeout;
2958 case SNAT_SESSION_TCP_SYN_SENT:
2959 case SNAT_SESSION_TCP_FIN_WAIT:
2960 case SNAT_SESSION_TCP_CLOSE_WAIT:
2961 case SNAT_SESSION_TCP_LAST_ACK:
2962 ses0->expire = now + sm->tcp_transitory_timeout;
2964 case SNAT_SESSION_TCP_ESTABLISHED:
2965 ses0->expire = now + sm->tcp_established_timeout;
2970 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2971 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2973 snat_in2out_trace_t *t =
2974 vlib_add_trace (vm, node, b0, sizeof (*t));
2975 t->is_slow_path = 0;
2976 t->sw_if_index = sw_if_index0;
2977 t->next_index = next0;
2978 t->session_index = ~0;
2980 t->session_index = ses0 - dm0->sessions;
2983 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2985 ip1 = vlib_buffer_get_current (b1);
2986 udp1 = ip4_next_header (ip1);
2987 tcp1 = (tcp_header_t *) udp1;
2989 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2991 if (PREDICT_FALSE(ip1->ttl == 1))
2993 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2994 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2995 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2997 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3001 proto1 = ip_proto_to_snat_proto (ip1->protocol);
3003 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
3005 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
3006 icmp1 = (icmp46_header_t *) udp1;
3008 next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
3009 rx_fib_index1, node, next1, thread_index,
3014 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
3015 if (PREDICT_FALSE(!dm1))
3017 clib_warning("no match for internal host %U",
3018 format_ip4_address, &ip0->src_address);
3019 next1 = SNAT_IN2OUT_NEXT_DROP;
3020 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3024 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
3026 key1.ext_host_addr = ip1->dst_address;
3027 key1.ext_host_port = tcp1->dst;
3029 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
3030 if (PREDICT_FALSE(!ses1))
3032 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
3034 key1.out_port = clib_host_to_net_u16 (lo_port1 +
3035 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
3037 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
3040 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
3043 if (PREDICT_FALSE(!ses1))
3045 /* too many sessions for user, send ICMP error packet */
3047 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3048 icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
3049 ICMP4_destination_unreachable_destination_unreachable_host,
3051 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3056 new_port1 = ses1->out.out_port;
3058 old_addr1.as_u32 = ip1->src_address.as_u32;
3059 ip1->src_address.as_u32 = new_addr1.as_u32;
3060 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3062 sum1 = ip1->checksum;
3063 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3065 src_address /* changed member */);
3066 ip1->checksum = ip_csum_fold (sum1);
3068 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
3070 if (tcp1->flags & TCP_FLAG_SYN)
3071 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
3072 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
3073 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
3074 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
3075 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
3076 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
3077 snat_det_ses_close(dm1, ses1);
3078 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3079 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
3080 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
3081 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
3083 old_port1 = tcp1->src;
3084 tcp1->src = new_port1;
3086 sum1 = tcp1->checksum;
3087 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3089 dst_address /* changed member */);
3090 sum1 = ip_csum_update (sum1, old_port1, new_port1,
3091 ip4_header_t /* cheat */,
3092 length /* changed member */);
3093 tcp1->checksum = ip_csum_fold(sum1);
3097 ses1->state = SNAT_SESSION_UDP_ACTIVE;
3098 old_port1 = udp1->src_port;
3099 udp1->src_port = new_port1;
3105 case SNAT_SESSION_UDP_ACTIVE:
3106 ses1->expire = now + sm->udp_timeout;
3108 case SNAT_SESSION_TCP_SYN_SENT:
3109 case SNAT_SESSION_TCP_FIN_WAIT:
3110 case SNAT_SESSION_TCP_CLOSE_WAIT:
3111 case SNAT_SESSION_TCP_LAST_ACK:
3112 ses1->expire = now + sm->tcp_transitory_timeout;
3114 case SNAT_SESSION_TCP_ESTABLISHED:
3115 ses1->expire = now + sm->tcp_established_timeout;
3120 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3121 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
3123 snat_in2out_trace_t *t =
3124 vlib_add_trace (vm, node, b1, sizeof (*t));
3125 t->is_slow_path = 0;
3126 t->sw_if_index = sw_if_index1;
3127 t->next_index = next1;
3128 t->session_index = ~0;
3130 t->session_index = ses1 - dm1->sessions;
3133 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
3135 /* verify speculative enqueues, maybe switch current next frame */
3136 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
3137 to_next, n_left_to_next,
3138 bi0, bi1, next0, next1);
3141 while (n_left_from > 0 && n_left_to_next > 0)
3149 ip4_address_t new_addr0, old_addr0;
3150 u16 old_port0, new_port0, lo_port0, i0;
3151 udp_header_t * udp0;
3152 tcp_header_t * tcp0;
3154 snat_det_out_key_t key0;
3155 snat_det_map_t * dm0;
3156 snat_det_session_t * ses0 = 0;
3158 icmp46_header_t * icmp0;
3160 /* speculatively enqueue b0 to the current next frame */
3166 n_left_to_next -= 1;
3168 b0 = vlib_get_buffer (vm, bi0);
3169 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3171 ip0 = vlib_buffer_get_current (b0);
3172 udp0 = ip4_next_header (ip0);
3173 tcp0 = (tcp_header_t *) udp0;
3175 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3177 if (PREDICT_FALSE(ip0->ttl == 1))
3179 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3180 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3181 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3183 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3187 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3189 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
3191 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3192 icmp0 = (icmp46_header_t *) udp0;
3194 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
3195 rx_fib_index0, node, next0, thread_index,
3200 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
3201 if (PREDICT_FALSE(!dm0))
3203 clib_warning("no match for internal host %U",
3204 format_ip4_address, &ip0->src_address);
3205 next0 = SNAT_IN2OUT_NEXT_DROP;
3206 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3210 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
3212 key0.ext_host_addr = ip0->dst_address;
3213 key0.ext_host_port = tcp0->dst;
3215 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
3216 if (PREDICT_FALSE(!ses0))
3218 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3220 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3221 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
3223 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
3226 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
3229 if (PREDICT_FALSE(!ses0))
3231 /* too many sessions for user, send ICMP error packet */
3233 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3234 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
3235 ICMP4_destination_unreachable_destination_unreachable_host,
3237 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3242 new_port0 = ses0->out.out_port;
3244 old_addr0.as_u32 = ip0->src_address.as_u32;
3245 ip0->src_address.as_u32 = new_addr0.as_u32;
3246 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3248 sum0 = ip0->checksum;
3249 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3251 src_address /* changed member */);
3252 ip0->checksum = ip_csum_fold (sum0);
3254 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3256 if (tcp0->flags & TCP_FLAG_SYN)
3257 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
3258 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
3259 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3260 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
3261 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
3262 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
3263 snat_det_ses_close(dm0, ses0);
3264 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3265 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
3266 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
3267 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3269 old_port0 = tcp0->src;
3270 tcp0->src = new_port0;
3272 sum0 = tcp0->checksum;
3273 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3275 dst_address /* changed member */);
3276 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3277 ip4_header_t /* cheat */,
3278 length /* changed member */);
3279 tcp0->checksum = ip_csum_fold(sum0);
3283 ses0->state = SNAT_SESSION_UDP_ACTIVE;
3284 old_port0 = udp0->src_port;
3285 udp0->src_port = new_port0;
3291 case SNAT_SESSION_UDP_ACTIVE:
3292 ses0->expire = now + sm->udp_timeout;
3294 case SNAT_SESSION_TCP_SYN_SENT:
3295 case SNAT_SESSION_TCP_FIN_WAIT:
3296 case SNAT_SESSION_TCP_CLOSE_WAIT:
3297 case SNAT_SESSION_TCP_LAST_ACK:
3298 ses0->expire = now + sm->tcp_transitory_timeout;
3300 case SNAT_SESSION_TCP_ESTABLISHED:
3301 ses0->expire = now + sm->tcp_established_timeout;
3306 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3307 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3309 snat_in2out_trace_t *t =
3310 vlib_add_trace (vm, node, b0, sizeof (*t));
3311 t->is_slow_path = 0;
3312 t->sw_if_index = sw_if_index0;
3313 t->next_index = next0;
3314 t->session_index = ~0;
3316 t->session_index = ses0 - dm0->sessions;
3319 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3321 /* verify speculative enqueue, maybe switch current next frame */
3322 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3323 to_next, n_left_to_next,
3327 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3330 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
3331 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3333 return frame->n_vectors;
3336 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
3337 .function = snat_det_in2out_node_fn,
3338 .name = "nat44-det-in2out",
3339 .vector_size = sizeof (u32),
3340 .format_trace = format_snat_in2out_trace,
3341 .type = VLIB_NODE_TYPE_INTERNAL,
3343 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3344 .error_strings = snat_in2out_error_strings,
3346 .runtime_data_bytes = sizeof (snat_runtime_t),
3350 /* edit / add dispositions here */
3352 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3353 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3354 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3358 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
3361 * Get address and port values to be used for ICMP packet translation
3362 * and create session if needed
3364 * @param[in,out] sm NAT main
3365 * @param[in,out] node NAT node runtime
3366 * @param[in] thread_index thread index
3367 * @param[in,out] b0 buffer containing packet to be translated
3368 * @param[out] p_proto protocol used for matching
3369 * @param[out] p_value address and port after NAT translation
3370 * @param[out] p_dont_translate if packet should not be translated
3371 * @param d optional parameter
3372 * @param e optional parameter
3374 u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
3375 u32 thread_index, vlib_buffer_t *b0,
3376 ip4_header_t *ip0, u8 *p_proto,
3377 snat_session_key_t *p_value,
3378 u8 *p_dont_translate, void *d, void *e)
3380 icmp46_header_t *icmp0;
3384 snat_det_out_key_t key0;
3385 u8 dont_translate = 0;
3387 icmp_echo_header_t *echo0, *inner_echo0 = 0;
3388 ip4_header_t *inner_ip0;
3389 void *l4_header = 0;
3390 icmp46_header_t *inner_icmp0;
3391 snat_det_map_t * dm0 = 0;
3392 ip4_address_t new_addr0;
3394 snat_det_session_t * ses0 = 0;
3395 ip4_address_t in_addr;
3398 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
3399 echo0 = (icmp_echo_header_t *)(icmp0+1);
3400 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3401 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
3403 if (!icmp_is_error_message (icmp0))
3405 protocol = SNAT_PROTOCOL_ICMP;
3406 in_addr = ip0->src_address;
3407 in_port = echo0->identifier;
3411 inner_ip0 = (ip4_header_t *)(echo0+1);
3412 l4_header = ip4_next_header (inner_ip0);
3413 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
3414 in_addr = inner_ip0->dst_address;
3417 case SNAT_PROTOCOL_ICMP:
3418 inner_icmp0 = (icmp46_header_t*)l4_header;
3419 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
3420 in_port = inner_echo0->identifier;
3422 case SNAT_PROTOCOL_UDP:
3423 case SNAT_PROTOCOL_TCP:
3424 in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
3427 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
3428 next0 = SNAT_IN2OUT_NEXT_DROP;
3433 dm0 = snat_det_map_by_user(sm, &in_addr);
3434 if (PREDICT_FALSE(!dm0))
3436 clib_warning("no match for internal host %U",
3437 format_ip4_address, &in_addr);
3438 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3439 IP_PROTOCOL_ICMP, rx_fib_index0)))
3444 next0 = SNAT_IN2OUT_NEXT_DROP;
3445 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3449 snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
3451 key0.ext_host_addr = ip0->dst_address;
3452 key0.ext_host_port = 0;
3454 ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
3455 if (PREDICT_FALSE(!ses0))
3457 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3458 IP_PROTOCOL_ICMP, rx_fib_index0)))
3463 if (icmp0->type != ICMP4_echo_request)
3465 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3466 next0 = SNAT_IN2OUT_NEXT_DROP;
3469 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3471 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3472 ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host));
3474 if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64))
3477 ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0);
3480 if (PREDICT_FALSE(!ses0))
3482 next0 = SNAT_IN2OUT_NEXT_DROP;
3483 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
3488 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
3489 !icmp_is_error_message (icmp0)))
3491 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3492 next0 = SNAT_IN2OUT_NEXT_DROP;
3496 u32 now = (u32) vlib_time_now (sm->vlib_main);
3498 ses0->state = SNAT_SESSION_ICMP_ACTIVE;
3499 ses0->expire = now + sm->icmp_timeout;
3502 *p_proto = protocol;
3505 p_value->addr = new_addr0;
3506 p_value->fib_index = sm->outside_fib_index;
3507 p_value->port = ses0->out.out_port;
3509 *p_dont_translate = dont_translate;
3511 *(snat_det_session_t**)d = ses0;
3513 *(snat_det_map_t**)e = dm0;
3517 /**********************/
3518 /*** worker handoff ***/
3519 /**********************/
3521 snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm,
3522 vlib_node_runtime_t * node,
3523 vlib_frame_t * frame,
3526 snat_main_t *sm = &snat_main;
3527 vlib_thread_main_t *tm = vlib_get_thread_main ();
3528 u32 n_left_from, *from, *to_next = 0;
3529 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3530 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3532 vlib_frame_queue_elt_t *hf = 0;
3533 vlib_frame_t *f = 0;
3535 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3536 u32 next_worker_index = 0;
3537 u32 current_worker_index = ~0;
3538 u32 thread_index = vlib_get_thread_index ();
3542 ASSERT (vec_len (sm->workers));
3546 fq_index = sm->fq_in2out_output_index;
3547 to_node_index = sm->in2out_output_node_index;
3551 fq_index = sm->fq_in2out_index;
3552 to_node_index = sm->in2out_node_index;
3555 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3557 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3559 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3560 sm->first_worker_index + sm->num_workers - 1,
3561 (vlib_frame_queue_t *) (~0));
3564 from = vlib_frame_vector_args (frame);
3565 n_left_from = frame->n_vectors;
3567 while (n_left_from > 0)
3580 b0 = vlib_get_buffer (vm, bi0);
3582 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3583 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3585 ip0 = vlib_buffer_get_current (b0);
3587 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
3589 if (PREDICT_FALSE (next_worker_index != thread_index))
3593 if (next_worker_index != current_worker_index)
3596 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3598 hf = vlib_get_worker_handoff_queue_elt (fq_index,
3600 handoff_queue_elt_by_worker_index);
3602 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3603 to_next_worker = &hf->buffer_index[hf->n_vectors];
3604 current_worker_index = next_worker_index;
3607 /* enqueue to correct worker thread */
3608 to_next_worker[0] = bi0;
3610 n_left_to_next_worker--;
3612 if (n_left_to_next_worker == 0)
3614 hf->n_vectors = VLIB_FRAME_SIZE;
3615 vlib_put_frame_queue_elt (hf);
3616 current_worker_index = ~0;
3617 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3624 /* if this is 1st frame */
3627 f = vlib_get_frame_to_node (vm, to_node_index);
3628 to_next = vlib_frame_vector_args (f);
3636 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3637 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3639 snat_in2out_worker_handoff_trace_t *t =
3640 vlib_add_trace (vm, node, b0, sizeof (*t));
3641 t->next_worker_index = next_worker_index;
3642 t->do_handoff = do_handoff;
3647 vlib_put_frame_to_node (vm, to_node_index, f);
3650 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3652 /* Ship frames to the worker nodes */
3653 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3655 if (handoff_queue_elt_by_worker_index[i])
3657 hf = handoff_queue_elt_by_worker_index[i];
3659 * It works better to let the handoff node
3660 * rate-adapt, always ship the handoff queue element.
3662 if (1 || hf->n_vectors == hf->last_n_vectors)
3664 vlib_put_frame_queue_elt (hf);
3665 handoff_queue_elt_by_worker_index[i] = 0;
3668 hf->last_n_vectors = hf->n_vectors;
3670 congested_handoff_queue_by_worker_index[i] =
3671 (vlib_frame_queue_t *) (~0);
3674 current_worker_index = ~0;
3675 return frame->n_vectors;
3679 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
3680 vlib_node_runtime_t * node,
3681 vlib_frame_t * frame)
3683 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0);
3686 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
3687 .function = snat_in2out_worker_handoff_fn,
3688 .name = "nat44-in2out-worker-handoff",
3689 .vector_size = sizeof (u32),
3690 .format_trace = format_snat_in2out_worker_handoff_trace,
3691 .type = VLIB_NODE_TYPE_INTERNAL,
3700 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node,
3701 snat_in2out_worker_handoff_fn);
3704 snat_in2out_output_worker_handoff_fn (vlib_main_t * vm,
3705 vlib_node_runtime_t * node,
3706 vlib_frame_t * frame)
3708 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1);
3711 VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = {
3712 .function = snat_in2out_output_worker_handoff_fn,
3713 .name = "nat44-in2out-output-worker-handoff",
3714 .vector_size = sizeof (u32),
3715 .format_trace = format_snat_in2out_worker_handoff_trace,
3716 .type = VLIB_NODE_TYPE_INTERNAL,
3725 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node,
3726 snat_in2out_output_worker_handoff_fn);
3728 static_always_inline int
3729 is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr)
3731 snat_address_t * ap;
3732 clib_bihash_kv_8_8_t kv, value;
3733 snat_session_key_t m_key;
3735 vec_foreach (ap, sm->addresses)
3737 if (ap->addr.as_u32 == dst_addr->as_u32)
3741 m_key.addr.as_u32 = dst_addr->as_u32;
3742 m_key.fib_index = sm->outside_fib_index;
3745 kv.key = m_key.as_u64;
3746 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3753 snat_hairpin_dst_fn (vlib_main_t * vm,
3754 vlib_node_runtime_t * node,
3755 vlib_frame_t * frame)
3757 u32 n_left_from, * from, * to_next;
3758 snat_in2out_next_t next_index;
3759 u32 pkts_processed = 0;
3760 snat_main_t * sm = &snat_main;
3762 from = vlib_frame_vector_args (frame);
3763 n_left_from = frame->n_vectors;
3764 next_index = node->cached_next_index;
3766 while (n_left_from > 0)
3770 vlib_get_next_frame (vm, node, next_index,
3771 to_next, n_left_to_next);
3773 while (n_left_from > 0 && n_left_to_next > 0)
3781 /* speculatively enqueue b0 to the current next frame */
3787 n_left_to_next -= 1;
3789 b0 = vlib_get_buffer (vm, bi0);
3790 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3791 ip0 = vlib_buffer_get_current (b0);
3793 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3795 vnet_buffer (b0)->snat.flags = 0;
3796 if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address)))
3798 if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP)
3800 udp_header_t * udp0 = ip4_next_header (ip0);
3801 tcp_header_t * tcp0 = (tcp_header_t *) udp0;
3803 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3805 else if (proto0 == SNAT_PROTOCOL_ICMP)
3807 icmp46_header_t * icmp0 = ip4_next_header (ip0);
3809 snat_icmp_hairpinning (sm, b0, ip0, icmp0);
3813 snat_hairpinning_unknown_proto (sm, b0, ip0);
3816 vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING;
3819 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3821 /* verify speculative enqueue, maybe switch current next frame */
3822 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3823 to_next, n_left_to_next,
3827 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3830 vlib_node_increment_counter (vm, snat_hairpin_dst_node.index,
3831 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3833 return frame->n_vectors;
3836 VLIB_REGISTER_NODE (snat_hairpin_dst_node) = {
3837 .function = snat_hairpin_dst_fn,
3838 .name = "nat44-hairpin-dst",
3839 .vector_size = sizeof (u32),
3840 .type = VLIB_NODE_TYPE_INTERNAL,
3841 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3842 .error_strings = snat_in2out_error_strings,
3845 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3846 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3850 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node,
3851 snat_hairpin_dst_fn);
3854 snat_hairpin_src_fn (vlib_main_t * vm,
3855 vlib_node_runtime_t * node,
3856 vlib_frame_t * frame)
3858 u32 n_left_from, * from, * to_next;
3859 snat_in2out_next_t next_index;
3860 u32 pkts_processed = 0;
3861 snat_main_t *sm = &snat_main;
3863 from = vlib_frame_vector_args (frame);
3864 n_left_from = frame->n_vectors;
3865 next_index = node->cached_next_index;
3867 while (n_left_from > 0)
3871 vlib_get_next_frame (vm, node, next_index,
3872 to_next, n_left_to_next);
3874 while (n_left_from > 0 && n_left_to_next > 0)
3879 snat_interface_t *i;
3882 /* speculatively enqueue b0 to the current next frame */
3888 n_left_to_next -= 1;
3890 b0 = vlib_get_buffer (vm, bi0);
3891 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3892 next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT;
3894 pool_foreach (i, sm->output_feature_interfaces,
3896 /* Only packets from NAT inside interface */
3897 if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index))
3899 if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) &
3900 SNAT_FLAG_HAIRPINNING))
3902 if (PREDICT_TRUE (sm->num_workers > 1))
3903 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH;
3905 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT;
3911 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3913 /* verify speculative enqueue, maybe switch current next frame */
3914 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3915 to_next, n_left_to_next,
3919 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3922 vlib_node_increment_counter (vm, snat_hairpin_src_node.index,
3923 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3925 return frame->n_vectors;
3928 VLIB_REGISTER_NODE (snat_hairpin_src_node) = {
3929 .function = snat_hairpin_src_fn,
3930 .name = "nat44-hairpin-src",
3931 .vector_size = sizeof (u32),
3932 .type = VLIB_NODE_TYPE_INTERNAL,
3933 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3934 .error_strings = snat_in2out_error_strings,
3935 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
3937 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
3938 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output",
3939 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
3940 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
3944 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node,
3945 snat_hairpin_src_fn);
3948 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
3949 vlib_node_runtime_t * node,
3950 vlib_frame_t * frame)
3952 u32 n_left_from, * from, * to_next;
3953 snat_in2out_next_t next_index;
3954 u32 pkts_processed = 0;
3955 snat_main_t * sm = &snat_main;
3956 u32 stats_node_index;
3958 stats_node_index = snat_in2out_fast_node.index;
3960 from = vlib_frame_vector_args (frame);
3961 n_left_from = frame->n_vectors;
3962 next_index = node->cached_next_index;
3964 while (n_left_from > 0)
3968 vlib_get_next_frame (vm, node, next_index,
3969 to_next, n_left_to_next);
3971 while (n_left_from > 0 && n_left_to_next > 0)
3979 u32 new_addr0, old_addr0;
3980 u16 old_port0, new_port0;
3981 udp_header_t * udp0;
3982 tcp_header_t * tcp0;
3983 icmp46_header_t * icmp0;
3984 snat_session_key_t key0, sm0;
3988 /* speculatively enqueue b0 to the current next frame */
3994 n_left_to_next -= 1;
3996 b0 = vlib_get_buffer (vm, bi0);
3997 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3999 ip0 = vlib_buffer_get_current (b0);
4000 udp0 = ip4_next_header (ip0);
4001 tcp0 = (tcp_header_t *) udp0;
4002 icmp0 = (icmp46_header_t *) udp0;
4004 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
4005 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
4007 if (PREDICT_FALSE(ip0->ttl == 1))
4009 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4010 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
4011 ICMP4_time_exceeded_ttl_exceeded_in_transit,
4013 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4017 proto0 = ip_proto_to_snat_proto (ip0->protocol);
4019 if (PREDICT_FALSE (proto0 == ~0))
4022 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
4024 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
4025 rx_fib_index0, node, next0, ~0, 0, 0);
4029 key0.addr = ip0->src_address;
4030 key0.protocol = proto0;
4031 key0.port = udp0->src_port;
4032 key0.fib_index = rx_fib_index0;
4034 if (snat_static_mapping_match(sm, key0, &sm0, 0, 0, 0, 0))
4036 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
4037 next0= SNAT_IN2OUT_NEXT_DROP;
4041 new_addr0 = sm0.addr.as_u32;
4042 new_port0 = sm0.port;
4043 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
4044 old_addr0 = ip0->src_address.as_u32;
4045 ip0->src_address.as_u32 = new_addr0;
4047 sum0 = ip0->checksum;
4048 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4050 src_address /* changed member */);
4051 ip0->checksum = ip_csum_fold (sum0);
4053 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
4055 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4057 old_port0 = tcp0->src_port;
4058 tcp0->src_port = new_port0;
4060 sum0 = tcp0->checksum;
4061 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4063 dst_address /* changed member */);
4064 sum0 = ip_csum_update (sum0, old_port0, new_port0,
4065 ip4_header_t /* cheat */,
4066 length /* changed member */);
4067 tcp0->checksum = ip_csum_fold(sum0);
4071 old_port0 = udp0->src_port;
4072 udp0->src_port = new_port0;
4078 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4080 sum0 = tcp0->checksum;
4081 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4083 dst_address /* changed member */);
4084 tcp0->checksum = ip_csum_fold(sum0);
4089 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
4092 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
4093 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
4095 snat_in2out_trace_t *t =
4096 vlib_add_trace (vm, node, b0, sizeof (*t));
4097 t->sw_if_index = sw_if_index0;
4098 t->next_index = next0;
4101 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
4103 /* verify speculative enqueue, maybe switch current next frame */
4104 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
4105 to_next, n_left_to_next,
4109 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
4112 vlib_node_increment_counter (vm, stats_node_index,
4113 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
4115 return frame->n_vectors;
4119 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
4120 .function = snat_in2out_fast_static_map_fn,
4121 .name = "nat44-in2out-fast",
4122 .vector_size = sizeof (u32),
4123 .format_trace = format_snat_in2out_fast_trace,
4124 .type = VLIB_NODE_TYPE_INTERNAL,
4126 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
4127 .error_strings = snat_in2out_error_strings,
4129 .runtime_data_bytes = sizeof (snat_runtime_t),
4131 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
4133 /* edit / add dispositions here */
4135 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
4136 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
4137 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
4138 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
4139 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
4143 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob