2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
25 #include <nat/nat_ipfix_logging.h>
26 #include <nat/nat_det.h>
27 #include <nat/nat_reass.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
38 } snat_in2out_trace_t;
41 u32 next_worker_index;
43 } snat_in2out_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
53 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
55 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
56 t->sw_if_index, t->next_index, t->session_index);
61 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
63 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
64 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
65 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
67 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
68 t->sw_if_index, t->next_index);
73 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
75 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
76 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
77 snat_in2out_worker_handoff_trace_t * t =
78 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
81 m = t->do_handoff ? "next worker" : "same worker";
82 s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
91 } nat44_in2out_reass_trace_t;
93 static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args)
95 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
96 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
97 nat44_in2out_reass_trace_t * t = va_arg (*args, nat44_in2out_reass_trace_t *);
99 s = format (s, "NAT44_IN2OUT_REASS: sw_if_index %d, next index %d, status %s",
100 t->sw_if_index, t->next_index,
101 t->cached ? "cached" : "translated");
106 vlib_node_registration_t snat_in2out_node;
107 vlib_node_registration_t snat_in2out_slowpath_node;
108 vlib_node_registration_t snat_in2out_fast_node;
109 vlib_node_registration_t snat_in2out_worker_handoff_node;
110 vlib_node_registration_t snat_det_in2out_node;
111 vlib_node_registration_t snat_in2out_output_node;
112 vlib_node_registration_t snat_in2out_output_slowpath_node;
113 vlib_node_registration_t snat_in2out_output_worker_handoff_node;
114 vlib_node_registration_t snat_hairpin_dst_node;
115 vlib_node_registration_t snat_hairpin_src_node;
116 vlib_node_registration_t nat44_hairpinning_node;
117 vlib_node_registration_t nat44_in2out_reass_node;
120 #define foreach_snat_in2out_error \
121 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
122 _(IN2OUT_PACKETS, "Good in2out packets processed") \
123 _(OUT_OF_PORTS, "Out of ports") \
124 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
125 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
126 _(NO_TRANSLATION, "No translation") \
127 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
128 _(DROP_FRAGMENT, "Drop fragment") \
129 _(MAX_REASS, "Maximum reassemblies exceeded") \
130 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
133 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
134 foreach_snat_in2out_error
137 } snat_in2out_error_t;
139 static char * snat_in2out_error_strings[] = {
140 #define _(sym,string) string,
141 foreach_snat_in2out_error
146 SNAT_IN2OUT_NEXT_LOOKUP,
147 SNAT_IN2OUT_NEXT_DROP,
148 SNAT_IN2OUT_NEXT_ICMP_ERROR,
149 SNAT_IN2OUT_NEXT_SLOW_PATH,
150 SNAT_IN2OUT_NEXT_REASS,
152 } snat_in2out_next_t;
155 SNAT_HAIRPIN_SRC_NEXT_DROP,
156 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT,
157 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH,
158 SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT,
159 SNAT_HAIRPIN_SRC_N_NEXT,
160 } snat_hairpin_next_t;
163 * @brief Check if packet should be translated
165 * Packets aimed at outside interface and external address with active session
166 * should be translated.
169 * @param rt NAT runtime data
170 * @param sw_if_index0 index of the inside interface
171 * @param ip0 IPv4 header
172 * @param proto0 NAT protocol
173 * @param rx_fib_index0 RX FIB index
175 * @returns 0 if packet should be translated otherwise 1
178 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
179 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
185 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
187 .fp_proto = FIB_PROTOCOL_IP4,
190 .ip4.as_u32 = ip0->dst_address.as_u32,
194 /* Don't NAT packet aimed at the intfc address */
195 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
196 ip0->dst_address.as_u32)))
199 fei = fib_table_lookup (rx_fib_index0, &pfx);
200 if (FIB_NODE_INDEX_INVALID != fei)
202 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
203 if (sw_if_index == ~0)
205 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
206 if (FIB_NODE_INDEX_INVALID != fei)
207 sw_if_index = fib_entry_get_resolving_interface (fei);
210 pool_foreach (i, sm->interfaces,
212 /* NAT packet aimed at outside interface */
213 if ((nat_interface_is_outside(i)) && (sw_if_index == i->sw_if_index))
222 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
223 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
224 u32 rx_fib_index0, u32 thread_index)
226 udp_header_t * udp0 = ip4_next_header (ip0);
227 snat_session_key_t key0, sm0;
228 clib_bihash_kv_8_8_t kv0, value0;
230 key0.addr = ip0->dst_address;
231 key0.port = udp0->dst_port;
232 key0.protocol = proto0;
233 key0.fib_index = sm->outside_fib_index;
234 kv0.key = key0.as_u64;
236 /* NAT packet aimed at external address if */
237 /* has active sessions */
238 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
241 /* or is static mappings */
242 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
248 if (sm->forwarding_enabled)
251 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
256 nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0,
257 u32 proto0, u16 src_port, u16 dst_port,
258 u32 thread_index, u32 sw_if_index)
260 snat_session_key_t key0;
261 clib_bihash_kv_8_8_t kv0, value0;
265 key0.addr = ip0->src_address;
266 key0.port = src_port;
267 key0.protocol = proto0;
268 key0.fib_index = sm->outside_fib_index;
269 kv0.key = key0.as_u64;
271 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
276 key0.addr = ip0->dst_address;
277 key0.port = dst_port;
278 key0.protocol = proto0;
279 key0.fib_index = sm->inside_fib_index;
280 kv0.key = key0.as_u64;
281 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
285 pool_foreach (i, sm->output_feature_interfaces,
287 if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index))
296 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
299 snat_session_key_t * key0,
300 snat_session_t ** sessionp,
301 vlib_node_runtime_t * node,
307 clib_bihash_kv_8_8_t kv0;
308 snat_session_key_t key1;
309 u32 address_index = ~0;
310 u32 outside_fib_index;
312 udp_header_t * udp0 = ip4_next_header (ip0);
315 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
317 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
318 nat_ipfix_logging_max_sessions(sm->max_translations);
319 return SNAT_IN2OUT_NEXT_DROP;
322 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
325 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
326 return SNAT_IN2OUT_NEXT_DROP;
328 outside_fib_index = p[0];
330 key1.protocol = key0->protocol;
332 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
336 clib_warning ("create NAT user failed");
337 return SNAT_IN2OUT_NEXT_DROP;
340 /* First try to match static mapping by local address and port */
341 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0, 0))
343 /* Try to create dynamic translation */
344 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
348 sm->per_thread_data[thread_index].snat_thread_index))
350 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
351 return SNAT_IN2OUT_NEXT_DROP;
357 s = nat_session_alloc_or_recycle (sm, u, thread_index);
360 clib_warning ("create NAT session failed");
361 return SNAT_IN2OUT_NEXT_DROP;
365 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
366 user_session_increment (sm, u, is_sm);
367 s->outside_address_index = address_index;
370 s->out2in.protocol = key0->protocol;
371 s->out2in.fib_index = outside_fib_index;
372 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
373 s->ext_host_port = udp0->dst_port;
376 /* Add to translation hashes */
377 kv0.key = s->in2out.as_u64;
378 kv0.value = s - sm->per_thread_data[thread_index].sessions;
379 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
381 clib_warning ("in2out key add failed");
383 kv0.key = s->out2in.as_u64;
384 kv0.value = s - sm->per_thread_data[thread_index].sessions;
386 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
388 clib_warning ("out2in key add failed");
391 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
392 s->out2in.addr.as_u32,
396 s->in2out.fib_index);
401 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
402 snat_session_key_t *p_key0)
404 icmp46_header_t *icmp0;
405 snat_session_key_t key0;
406 icmp_echo_header_t *echo0, *inner_echo0 = 0;
407 ip4_header_t *inner_ip0 = 0;
409 icmp46_header_t *inner_icmp0;
411 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
412 echo0 = (icmp_echo_header_t *)(icmp0+1);
414 if (!icmp_is_error_message (icmp0))
416 key0.protocol = SNAT_PROTOCOL_ICMP;
417 key0.addr = ip0->src_address;
418 key0.port = echo0->identifier;
422 inner_ip0 = (ip4_header_t *)(echo0+1);
423 l4_header = ip4_next_header (inner_ip0);
424 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
425 key0.addr = inner_ip0->dst_address;
426 switch (key0.protocol)
428 case SNAT_PROTOCOL_ICMP:
429 inner_icmp0 = (icmp46_header_t*)l4_header;
430 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
431 key0.port = inner_echo0->identifier;
433 case SNAT_PROTOCOL_UDP:
434 case SNAT_PROTOCOL_TCP:
435 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
438 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
442 return -1; /* success */
445 static_always_inline int
446 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
448 icmp46_header_t *icmp0;
449 nat_ed_ses_key_t key0;
450 icmp_echo_header_t *echo0, *inner_echo0 = 0;
451 ip4_header_t *inner_ip0 = 0;
453 icmp46_header_t *inner_icmp0;
455 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
456 echo0 = (icmp_echo_header_t *)(icmp0+1);
458 if (!icmp_is_error_message (icmp0))
460 key0.proto = IP_PROTOCOL_ICMP;
461 key0.l_addr = ip0->src_address;
462 key0.r_addr = ip0->dst_address;
463 key0.l_port = key0.r_port = echo0->identifier;
467 inner_ip0 = (ip4_header_t *)(echo0+1);
468 l4_header = ip4_next_header (inner_ip0);
469 key0.proto = inner_ip0->protocol;
470 key0.r_addr = inner_ip0->src_address;
471 key0.l_addr = inner_ip0->dst_address;
472 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
474 case SNAT_PROTOCOL_ICMP:
475 inner_icmp0 = (icmp46_header_t*)l4_header;
476 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
477 key0.r_port = key0.l_port = inner_echo0->identifier;
479 case SNAT_PROTOCOL_UDP:
480 case SNAT_PROTOCOL_TCP:
481 key0.l_port = ((tcp_udp_header_t*)l4_header)->dst_port;
482 key0.r_port = ((tcp_udp_header_t*)l4_header)->src_port;
485 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
493 nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
496 nat_ed_ses_key_t key;
497 clib_bihash_kv_16_8_t kv, value;
499 snat_session_t *s = 0;
500 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
502 if (!sm->forwarding_enabled)
505 if (ip->protocol == IP_PROTOCOL_ICMP)
507 if (icmp_get_ed_key (ip, &key))
510 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
512 udp = ip4_next_header(ip);
513 key.l_addr = ip->src_address;
514 key.r_addr = ip->dst_address;
515 key.proto = ip->protocol;
516 key.r_port = udp->dst_port;
517 key.l_port = udp->src_port;
521 key.l_addr = ip->src_address;
522 key.r_addr = ip->dst_address;
523 key.proto = ip->protocol;
524 key.l_port = key.r_port = 0;
527 kv.key[0] = key.as_u64[0];
528 kv.key[1] = key.as_u64[1];
530 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
532 s = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, value.value);
533 if (is_fwd_bypass_session (s))
535 if (ip->protocol == IP_PROTOCOL_TCP)
537 tcp_header_t *tcp = ip4_next_header(ip);
538 if (nat44_set_tcp_session_state (sm, s, tcp, thread_index))
541 /* Per-user LRU list maintenance */
542 clib_dlist_remove (tsm->list_pool, s->per_user_index);
543 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
555 * Get address and port values to be used for ICMP packet translation
556 * and create session if needed
558 * @param[in,out] sm NAT main
559 * @param[in,out] node NAT node runtime
560 * @param[in] thread_index thread index
561 * @param[in,out] b0 buffer containing packet to be translated
562 * @param[out] p_proto protocol used for matching
563 * @param[out] p_value address and port after NAT translation
564 * @param[out] p_dont_translate if packet should not be translated
565 * @param d optional parameter
566 * @param e optional parameter
568 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
569 u32 thread_index, vlib_buffer_t *b0,
570 ip4_header_t *ip0, u8 *p_proto,
571 snat_session_key_t *p_value,
572 u8 *p_dont_translate, void *d, void *e)
574 icmp46_header_t *icmp0;
577 snat_session_key_t key0;
578 snat_session_t *s0 = 0;
579 u8 dont_translate = 0;
580 clib_bihash_kv_8_8_t kv0, value0;
584 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
585 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
586 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
588 err = icmp_get_key (ip0, &key0);
591 b0->error = node->errors[err];
592 next0 = SNAT_IN2OUT_NEXT_DROP;
595 key0.fib_index = rx_fib_index0;
597 kv0.key = key0.as_u64;
599 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
602 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] != ~0)
604 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
605 ip0, SNAT_PROTOCOL_ICMP, key0.port, key0.port, thread_index, sw_if_index0)))
613 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
614 ip0, SNAT_PROTOCOL_ICMP, rx_fib_index0, thread_index)))
621 if (PREDICT_FALSE(icmp_is_error_message (icmp0)))
623 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
624 next0 = SNAT_IN2OUT_NEXT_DROP;
628 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
629 &s0, node, next0, thread_index);
631 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
636 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
637 icmp0->type != ICMP4_echo_reply &&
638 !icmp_is_error_message (icmp0)))
640 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
641 next0 = SNAT_IN2OUT_NEXT_DROP;
645 if (PREDICT_FALSE (value0.value == ~0ULL))
647 nat_ed_ses_key_t key;
648 clib_bihash_kv_16_8_t s_kv, s_value;
652 if (icmp_get_ed_key (ip0, &key))
654 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
655 next0 = SNAT_IN2OUT_NEXT_DROP;
658 key.fib_index = rx_fib_index0;
659 s_kv.key[0] = key.as_u64[0];
660 s_kv.key[1] = key.as_u64[1];
661 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
662 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
666 next0 = SNAT_IN2OUT_NEXT_DROP;
671 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
676 *p_proto = key0.protocol;
678 *p_value = s0->out2in;
679 *p_dont_translate = dont_translate;
681 *(snat_session_t**)d = s0;
686 * Get address and port values to be used for ICMP packet translation
688 * @param[in] sm NAT main
689 * @param[in,out] node NAT node runtime
690 * @param[in] thread_index thread index
691 * @param[in,out] b0 buffer containing packet to be translated
692 * @param[out] p_proto protocol used for matching
693 * @param[out] p_value address and port after NAT translation
694 * @param[out] p_dont_translate if packet should not be translated
695 * @param d optional parameter
696 * @param e optional parameter
698 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
699 u32 thread_index, vlib_buffer_t *b0,
700 ip4_header_t *ip0, u8 *p_proto,
701 snat_session_key_t *p_value,
702 u8 *p_dont_translate, void *d, void *e)
704 icmp46_header_t *icmp0;
707 snat_session_key_t key0;
708 snat_session_key_t sm0;
709 u8 dont_translate = 0;
714 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
715 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
716 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
718 err = icmp_get_key (ip0, &key0);
721 b0->error = node->errors[err];
722 next0 = SNAT_IN2OUT_NEXT_DROP;
725 key0.fib_index = rx_fib_index0;
727 if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only, 0, 0))
729 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
730 IP_PROTOCOL_ICMP, rx_fib_index0)))
736 if (icmp_is_error_message (icmp0))
738 next0 = SNAT_IN2OUT_NEXT_DROP;
742 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
743 next0 = SNAT_IN2OUT_NEXT_DROP;
747 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
748 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
749 !icmp_is_error_message (icmp0)))
751 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
752 next0 = SNAT_IN2OUT_NEXT_DROP;
759 *p_proto = key0.protocol;
760 *p_dont_translate = dont_translate;
764 static inline u32 icmp_in2out (snat_main_t *sm,
767 icmp46_header_t * icmp0,
770 vlib_node_runtime_t * node,
776 snat_session_key_t sm0;
778 icmp_echo_header_t *echo0, *inner_echo0 = 0;
779 ip4_header_t *inner_ip0;
781 icmp46_header_t *inner_icmp0;
783 u32 new_addr0, old_addr0;
784 u16 old_id0, new_id0;
789 echo0 = (icmp_echo_header_t *)(icmp0+1);
791 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0, ip0,
792 &protocol, &sm0, &dont_translate, d, e);
795 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
798 sum0 = ip_incremental_checksum (0, icmp0,
799 ntohs(ip0->length) - ip4_header_bytes (ip0));
800 checksum0 = ~ip_csum_fold (sum0);
801 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
803 next0 = SNAT_IN2OUT_NEXT_DROP;
807 old_addr0 = ip0->src_address.as_u32;
808 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
809 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
810 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
812 sum0 = ip0->checksum;
813 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
814 src_address /* changed member */);
815 ip0->checksum = ip_csum_fold (sum0);
817 if (icmp0->checksum == 0)
818 icmp0->checksum = 0xffff;
820 if (!icmp_is_error_message (icmp0))
823 if (PREDICT_FALSE(new_id0 != echo0->identifier))
825 old_id0 = echo0->identifier;
827 echo0->identifier = new_id0;
829 sum0 = icmp0->checksum;
830 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
832 icmp0->checksum = ip_csum_fold (sum0);
837 inner_ip0 = (ip4_header_t *)(echo0+1);
838 l4_header = ip4_next_header (inner_ip0);
840 if (!ip4_header_checksum_is_valid (inner_ip0))
842 next0 = SNAT_IN2OUT_NEXT_DROP;
846 old_addr0 = inner_ip0->dst_address.as_u32;
847 inner_ip0->dst_address = sm0.addr;
848 new_addr0 = inner_ip0->dst_address.as_u32;
850 sum0 = icmp0->checksum;
851 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
852 dst_address /* changed member */);
853 icmp0->checksum = ip_csum_fold (sum0);
857 case SNAT_PROTOCOL_ICMP:
858 inner_icmp0 = (icmp46_header_t*)l4_header;
859 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
861 old_id0 = inner_echo0->identifier;
863 inner_echo0->identifier = new_id0;
865 sum0 = icmp0->checksum;
866 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
868 icmp0->checksum = ip_csum_fold (sum0);
870 case SNAT_PROTOCOL_UDP:
871 case SNAT_PROTOCOL_TCP:
872 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
874 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
876 sum0 = icmp0->checksum;
877 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
879 icmp0->checksum = ip_csum_fold (sum0);
893 * Hairpinning allows two endpoints on the internal side of the NAT to
894 * communicate even if they only use each other's external IP addresses
897 * @param sm NAT main.
898 * @param b0 Vlib buffer.
899 * @param ip0 IP header.
900 * @param udp0 UDP header.
901 * @param tcp0 TCP header.
902 * @param proto0 NAT protocol.
905 snat_hairpinning (snat_main_t *sm,
912 snat_session_key_t key0, sm0;
914 clib_bihash_kv_8_8_t kv0, value0;
916 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
917 u16 new_dst_port0, old_dst_port0;
919 key0.addr = ip0->dst_address;
920 key0.port = udp0->dst_port;
921 key0.protocol = proto0;
922 key0.fib_index = sm->outside_fib_index;
923 kv0.key = key0.as_u64;
925 /* Check if destination is static mappings */
926 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
928 new_dst_addr0 = sm0.addr.as_u32;
929 new_dst_port0 = sm0.port;
930 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
932 /* or active session */
935 if (sm->num_workers > 1)
936 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
938 ti = sm->num_workers;
940 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
944 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
945 new_dst_addr0 = s0->in2out.addr.as_u32;
946 new_dst_port0 = s0->in2out.port;
947 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
951 /* Destination is behind the same NAT, use internal address and port */
954 old_dst_addr0 = ip0->dst_address.as_u32;
955 ip0->dst_address.as_u32 = new_dst_addr0;
956 sum0 = ip0->checksum;
957 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
958 ip4_header_t, dst_address);
959 ip0->checksum = ip_csum_fold (sum0);
961 old_dst_port0 = tcp0->dst;
962 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
964 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
966 tcp0->dst = new_dst_port0;
967 sum0 = tcp0->checksum;
968 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
969 ip4_header_t, dst_address);
970 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
971 ip4_header_t /* cheat */, length);
972 tcp0->checksum = ip_csum_fold(sum0);
976 udp0->dst_port = new_dst_port0;
982 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
984 sum0 = tcp0->checksum;
985 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
986 ip4_header_t, dst_address);
987 tcp0->checksum = ip_csum_fold(sum0);
996 snat_icmp_hairpinning (snat_main_t *sm,
999 icmp46_header_t * icmp0)
1001 snat_session_key_t key0, sm0;
1002 clib_bihash_kv_8_8_t kv0, value0;
1003 u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0;
1007 if (!icmp_is_error_message (icmp0))
1009 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
1010 u16 icmp_id0 = echo0->identifier;
1011 key0.addr = ip0->dst_address;
1012 key0.port = icmp_id0;
1013 key0.protocol = SNAT_PROTOCOL_ICMP;
1014 key0.fib_index = sm->outside_fib_index;
1015 kv0.key = key0.as_u64;
1017 if (sm->num_workers > 1)
1018 ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread;
1020 ti = sm->num_workers;
1022 /* Check if destination is in active sessions */
1023 if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
1026 /* or static mappings */
1027 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1029 new_dst_addr0 = sm0.addr.as_u32;
1030 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1037 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
1038 new_dst_addr0 = s0->in2out.addr.as_u32;
1039 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1040 echo0->identifier = s0->in2out.port;
1041 sum0 = icmp0->checksum;
1042 sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port,
1043 icmp_echo_header_t, identifier);
1044 icmp0->checksum = ip_csum_fold (sum0);
1047 /* Destination is behind the same NAT, use internal address and port */
1050 old_dst_addr0 = ip0->dst_address.as_u32;
1051 ip0->dst_address.as_u32 = new_dst_addr0;
1052 sum0 = ip0->checksum;
1053 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
1054 ip4_header_t, dst_address);
1055 ip0->checksum = ip_csum_fold (sum0);
1061 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
1064 icmp46_header_t * icmp0,
1067 vlib_node_runtime_t * node,
1071 snat_session_t ** p_s0)
1073 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1074 next0, thread_index, p_s0, 0);
1075 snat_session_t * s0 = *p_s0;
1076 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
1079 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == 0)
1080 snat_icmp_hairpinning(sm, b0, ip0, icmp0);
1082 s0->last_heard = now;
1084 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
1085 /* Per-user LRU list maintenance */
1086 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1087 s0->per_user_index);
1088 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1089 s0->per_user_list_head_index,
1090 s0->per_user_index);
1095 snat_hairpinning_unknown_proto (snat_main_t *sm,
1099 u32 old_addr, new_addr = 0, ti = 0;
1100 clib_bihash_kv_8_8_t kv, value;
1101 clib_bihash_kv_16_8_t s_kv, s_value;
1102 nat_ed_ses_key_t key;
1103 snat_session_key_t m_key;
1104 snat_static_mapping_t *m;
1108 old_addr = ip->dst_address.as_u32;
1109 key.l_addr.as_u32 = ip->dst_address.as_u32;
1110 key.r_addr.as_u32 = ip->src_address.as_u32;
1111 key.fib_index = sm->outside_fib_index;
1112 key.proto = ip->protocol;
1115 s_kv.key[0] = key.as_u64[0];
1116 s_kv.key[1] = key.as_u64[1];
1117 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1119 m_key.addr = ip->dst_address;
1120 m_key.fib_index = sm->outside_fib_index;
1123 kv.key = m_key.as_u64;
1124 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1127 m = pool_elt_at_index (sm->static_mappings, value.value);
1128 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1129 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
1130 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
1134 if (sm->num_workers > 1)
1135 ti = sm->worker_out2in_cb (ip, sm->outside_fib_index);
1137 ti = sm->num_workers;
1139 s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value);
1140 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1141 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1142 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1145 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1146 ip->checksum = ip_csum_fold (sum);
1149 static snat_session_t *
1150 snat_in2out_unknown_proto (snat_main_t *sm,
1157 vlib_node_runtime_t * node)
1159 clib_bihash_kv_8_8_t kv, value;
1160 clib_bihash_kv_16_8_t s_kv, s_value;
1161 snat_static_mapping_t *m;
1162 snat_session_key_t m_key;
1163 u32 old_addr, new_addr = 0;
1166 dlist_elt_t *head, *elt;
1167 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1168 u32 elt_index, head_index, ses_index;
1170 nat_ed_ses_key_t key;
1171 u32 address_index = ~0;
1175 old_addr = ip->src_address.as_u32;
1177 key.l_addr = ip->src_address;
1178 key.r_addr = ip->dst_address;
1179 key.fib_index = rx_fib_index;
1180 key.proto = ip->protocol;
1183 s_kv.key[0] = key.as_u64[0];
1184 s_kv.key[1] = key.as_u64[1];
1186 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1188 s = pool_elt_at_index (tsm->sessions, s_value.value);
1189 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1193 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1195 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1196 nat_ipfix_logging_max_sessions(sm->max_translations);
1200 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1204 clib_warning ("create NAT user failed");
1208 m_key.addr = ip->src_address;
1211 m_key.fib_index = rx_fib_index;
1212 kv.key = m_key.as_u64;
1214 /* Try to find static mapping first */
1215 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
1217 m = pool_elt_at_index (sm->static_mappings, value.value);
1218 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
1222 /* Fallback to 3-tuple key */
1225 /* Choose same out address as for TCP/UDP session to same destination */
1226 head_index = u->sessions_per_user_list_head_index;
1227 head = pool_elt_at_index (tsm->list_pool, head_index);
1228 elt_index = head->next;
1229 if (PREDICT_FALSE (elt_index == ~0))
1233 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1234 ses_index = elt->value;
1237 while (ses_index != ~0)
1239 s = pool_elt_at_index (tsm->sessions, ses_index);
1240 elt_index = elt->next;
1241 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1242 ses_index = elt->value;
1244 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
1246 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1247 address_index = s->outside_address_index;
1249 key.fib_index = sm->outside_fib_index;
1250 key.l_addr.as_u32 = new_addr;
1251 s_kv.key[0] = key.as_u64[0];
1252 s_kv.key[1] = key.as_u64[1];
1253 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1259 key.fib_index = sm->outside_fib_index;
1260 for (i = 0; i < vec_len (sm->addresses); i++)
1262 key.l_addr.as_u32 = sm->addresses[i].addr.as_u32;
1263 s_kv.key[0] = key.as_u64[0];
1264 s_kv.key[1] = key.as_u64[1];
1265 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1267 new_addr = ip->src_address.as_u32 = key.l_addr.as_u32;
1276 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1279 clib_warning ("create NAT session failed");
1283 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1284 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1285 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
1286 s->outside_address_index = address_index;
1287 s->out2in.addr.as_u32 = new_addr;
1288 s->out2in.fib_index = sm->outside_fib_index;
1289 s->in2out.addr.as_u32 = old_addr;
1290 s->in2out.fib_index = rx_fib_index;
1291 s->in2out.port = s->out2in.port = ip->protocol;
1293 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1294 user_session_increment (sm, u, is_sm);
1296 /* Add to lookup tables */
1297 key.l_addr.as_u32 = old_addr;
1298 key.r_addr = ip->dst_address;
1299 key.proto = ip->protocol;
1300 key.fib_index = rx_fib_index;
1301 s_kv.key[0] = key.as_u64[0];
1302 s_kv.key[1] = key.as_u64[1];
1303 s_kv.value = s - tsm->sessions;
1304 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1305 clib_warning ("in2out key add failed");
1307 key.l_addr.as_u32 = new_addr;
1308 key.fib_index = sm->outside_fib_index;
1309 s_kv.key[0] = key.as_u64[0];
1310 s_kv.key[1] = key.as_u64[1];
1311 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1312 clib_warning ("out2in key add failed");
1315 /* Update IP checksum */
1317 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1318 ip->checksum = ip_csum_fold (sum);
1321 s->last_heard = now;
1323 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1324 /* Per-user LRU list maintenance */
1325 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1326 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1330 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1331 snat_hairpinning_unknown_proto(sm, b, ip);
1333 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1334 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1339 static snat_session_t *
1340 snat_in2out_lb (snat_main_t *sm,
1347 vlib_node_runtime_t * node)
1349 nat_ed_ses_key_t key;
1350 clib_bihash_kv_16_8_t s_kv, s_value;
1351 udp_header_t *udp = ip4_next_header (ip);
1352 tcp_header_t *tcp = (tcp_header_t *) udp;
1353 snat_session_t *s = 0;
1354 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1355 u32 old_addr, new_addr;
1356 u16 new_port, old_port;
1358 u32 proto = ip_proto_to_snat_proto (ip->protocol);
1359 snat_session_key_t e_key, l_key;
1363 old_addr = ip->src_address.as_u32;
1365 key.l_addr = ip->src_address;
1366 key.r_addr = ip->dst_address;
1367 key.fib_index = rx_fib_index;
1368 key.proto = ip->protocol;
1369 key.r_port = udp->dst_port;
1370 key.l_port = udp->src_port;
1371 s_kv.key[0] = key.as_u64[0];
1372 s_kv.key[1] = key.as_u64[1];
1374 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1376 s = pool_elt_at_index (tsm->sessions, s_value.value);
1377 if (is_fwd_bypass_session (s))
1379 if (ip->protocol == IP_PROTOCOL_TCP)
1381 if (nat44_set_tcp_session_state (sm, s, tcp, thread_index))
1384 /* Per-user LRU list maintenance */
1385 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1386 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1393 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
1395 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1396 nat_ipfix_logging_max_sessions(sm->max_translations);
1400 l_key.addr = ip->src_address;
1401 l_key.port = udp->src_port;
1402 l_key.protocol = proto;
1403 l_key.fib_index = rx_fib_index;
1404 if (snat_static_mapping_match(sm, l_key, &e_key, 0, 0, 0, &lb))
1407 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1411 clib_warning ("create NAT user failed");
1415 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1418 clib_warning ("create NAT session failed");
1422 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1423 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1425 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1426 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
1427 s->outside_address_index = ~0;
1430 s->out2in.protocol = l_key.protocol;
1431 user_session_increment (sm, u, 1 /* static */);
1433 /* Add to lookup tables */
1434 s_kv.value = s - tsm->sessions;
1435 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1436 clib_warning ("in2out-ed key add failed");
1438 key.l_addr = e_key.addr;
1439 key.fib_index = e_key.fib_index;
1440 key.l_port = e_key.port;
1441 s_kv.key[0] = key.as_u64[0];
1442 s_kv.key[1] = key.as_u64[1];
1443 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1444 clib_warning ("out2in-ed key add failed");
1447 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1449 /* Update IP checksum */
1451 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1452 if (is_twice_nat_session (s))
1453 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1454 s->ext_host_addr.as_u32, ip4_header_t, dst_address);
1455 ip->checksum = ip_csum_fold (sum);
1457 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1458 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1460 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1462 old_port = tcp->src_port;
1463 tcp->src_port = s->out2in.port;
1464 new_port = tcp->src_port;
1466 sum = tcp->checksum;
1467 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1468 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1469 if (is_twice_nat_session (s))
1471 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1472 s->ext_host_addr.as_u32, ip4_header_t,
1474 sum = ip_csum_update (sum, tcp->dst_port, s->ext_host_port,
1475 ip4_header_t, length);
1476 tcp->dst_port = s->ext_host_port;
1477 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1479 tcp->checksum = ip_csum_fold(sum);
1480 if (nat44_set_tcp_session_state (sm, s, tcp, thread_index))
1485 udp->src_port = s->out2in.port;
1486 if (is_twice_nat_session (s))
1488 udp->dst_port = s->ext_host_port;
1489 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1495 s->last_heard = now;
1497 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1498 /* Per-user LRU list maintenance */
1499 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1500 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1506 snat_in2out_node_fn_inline (vlib_main_t * vm,
1507 vlib_node_runtime_t * node,
1508 vlib_frame_t * frame, int is_slow_path,
1509 int is_output_feature)
1511 u32 n_left_from, * from, * to_next;
1512 snat_in2out_next_t next_index;
1513 u32 pkts_processed = 0;
1514 snat_main_t * sm = &snat_main;
1515 f64 now = vlib_time_now (vm);
1516 u32 stats_node_index;
1517 u32 thread_index = vlib_get_thread_index ();
1519 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
1520 snat_in2out_node.index;
1522 from = vlib_frame_vector_args (frame);
1523 n_left_from = frame->n_vectors;
1524 next_index = node->cached_next_index;
1526 while (n_left_from > 0)
1530 vlib_get_next_frame (vm, node, next_index,
1531 to_next, n_left_to_next);
1533 while (n_left_from >= 4 && n_left_to_next >= 2)
1536 vlib_buffer_t * b0, * b1;
1538 u32 sw_if_index0, sw_if_index1;
1539 ip4_header_t * ip0, * ip1;
1540 ip_csum_t sum0, sum1;
1541 u32 new_addr0, old_addr0, new_addr1, old_addr1;
1542 u16 old_port0, new_port0, old_port1, new_port1;
1543 udp_header_t * udp0, * udp1;
1544 tcp_header_t * tcp0, * tcp1;
1545 icmp46_header_t * icmp0, * icmp1;
1546 snat_session_key_t key0, key1;
1547 u32 rx_fib_index0, rx_fib_index1;
1549 snat_session_t * s0 = 0, * s1 = 0;
1550 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
1551 u32 iph_offset0 = 0, iph_offset1 = 0;
1553 /* Prefetch next iteration. */
1555 vlib_buffer_t * p2, * p3;
1557 p2 = vlib_get_buffer (vm, from[2]);
1558 p3 = vlib_get_buffer (vm, from[3]);
1560 vlib_prefetch_buffer_header (p2, LOAD);
1561 vlib_prefetch_buffer_header (p3, LOAD);
1563 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1564 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1567 /* speculatively enqueue b0 and b1 to the current next frame */
1568 to_next[0] = bi0 = from[0];
1569 to_next[1] = bi1 = from[1];
1573 n_left_to_next -= 2;
1575 b0 = vlib_get_buffer (vm, bi0);
1576 b1 = vlib_get_buffer (vm, bi1);
1578 if (is_output_feature)
1579 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1581 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1584 udp0 = ip4_next_header (ip0);
1585 tcp0 = (tcp_header_t *) udp0;
1586 icmp0 = (icmp46_header_t *) udp0;
1588 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1589 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1592 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1594 if (PREDICT_FALSE(ip0->ttl == 1))
1596 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1597 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1598 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1600 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1604 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1606 /* Next configured feature, probably ip4-lookup */
1609 if (PREDICT_FALSE (proto0 == ~0))
1611 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1612 thread_index, now, vm, node);
1614 next0 = SNAT_IN2OUT_NEXT_DROP;
1618 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1620 next0 = icmp_in2out_slow_path
1621 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1622 node, next0, now, thread_index, &s0);
1628 if (is_output_feature)
1630 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0, thread_index)))
1634 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1636 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1640 if (ip4_is_fragment (ip0))
1642 next0 = SNAT_IN2OUT_NEXT_REASS;
1647 key0.addr = ip0->src_address;
1648 key0.port = udp0->src_port;
1649 key0.protocol = proto0;
1650 key0.fib_index = rx_fib_index0;
1652 kv0.key = key0.as_u64;
1654 if (PREDICT_FALSE (clib_bihash_search_8_8 (
1655 &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0))
1659 if (is_output_feature)
1661 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1662 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
1667 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1668 ip0, proto0, rx_fib_index0, thread_index)))
1672 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1673 &s0, node, next0, thread_index);
1674 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1679 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1685 if (PREDICT_FALSE (value0.value == ~0ULL))
1689 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
1690 thread_index, now, vm, node);
1691 if (!s0 && !sm->forwarding_enabled)
1692 next0 = SNAT_IN2OUT_NEXT_DROP;
1697 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1703 s0 = pool_elt_at_index (
1704 sm->per_thread_data[thread_index].sessions,
1709 b0->flags |= VNET_BUFFER_F_IS_NATED;
1711 old_addr0 = ip0->src_address.as_u32;
1712 ip0->src_address = s0->out2in.addr;
1713 new_addr0 = ip0->src_address.as_u32;
1714 if (!is_output_feature)
1715 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1717 sum0 = ip0->checksum;
1718 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1720 src_address /* changed member */);
1721 ip0->checksum = ip_csum_fold (sum0);
1723 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1725 old_port0 = tcp0->src_port;
1726 tcp0->src_port = s0->out2in.port;
1727 new_port0 = tcp0->src_port;
1729 sum0 = tcp0->checksum;
1730 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1732 dst_address /* changed member */);
1733 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1734 ip4_header_t /* cheat */,
1735 length /* changed member */);
1736 tcp0->checksum = ip_csum_fold(sum0);
1737 if (nat44_set_tcp_session_state (sm, s0, tcp0, thread_index))
1742 old_port0 = udp0->src_port;
1743 udp0->src_port = s0->out2in.port;
1748 s0->last_heard = now;
1750 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1751 /* Per-user LRU list maintenance */
1752 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1753 s0->per_user_index);
1754 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1755 s0->per_user_list_head_index,
1756 s0->per_user_index);
1759 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1760 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1762 snat_in2out_trace_t *t =
1763 vlib_add_trace (vm, node, b0, sizeof (*t));
1764 t->is_slow_path = is_slow_path;
1765 t->sw_if_index = sw_if_index0;
1766 t->next_index = next0;
1767 t->session_index = ~0;
1769 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1772 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1774 if (is_output_feature)
1775 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1777 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1780 udp1 = ip4_next_header (ip1);
1781 tcp1 = (tcp_header_t *) udp1;
1782 icmp1 = (icmp46_header_t *) udp1;
1784 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1785 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1788 if (PREDICT_FALSE(ip1->ttl == 1))
1790 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1791 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1792 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1794 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1798 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1800 /* Next configured feature, probably ip4-lookup */
1803 if (PREDICT_FALSE (proto1 == ~0))
1805 s1 = snat_in2out_unknown_proto (sm, b1, ip1, rx_fib_index1,
1806 thread_index, now, vm, node);
1808 next1 = SNAT_IN2OUT_NEXT_DROP;
1812 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1814 next1 = icmp_in2out_slow_path
1815 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1816 next1, now, thread_index, &s1);
1822 if (is_output_feature)
1824 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1, thread_index)))
1828 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1830 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1834 if (ip4_is_fragment (ip1))
1836 next1 = SNAT_IN2OUT_NEXT_REASS;
1841 key1.addr = ip1->src_address;
1842 key1.port = udp1->src_port;
1843 key1.protocol = proto1;
1844 key1.fib_index = rx_fib_index1;
1846 kv1.key = key1.as_u64;
1848 if (PREDICT_FALSE(clib_bihash_search_8_8 (
1849 &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0))
1853 if (is_output_feature)
1855 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1856 ip1, proto1, udp1->src_port, udp1->dst_port, thread_index, sw_if_index1)))
1861 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1,
1862 ip1, proto1, rx_fib_index1, thread_index)))
1866 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1867 &s1, node, next1, thread_index);
1868 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1873 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1879 if (PREDICT_FALSE (value1.value == ~0ULL))
1883 s1 = snat_in2out_lb(sm, b1, ip1, rx_fib_index1,
1884 thread_index, now, vm, node);
1885 if (!s1 && !sm->forwarding_enabled)
1886 next1 = SNAT_IN2OUT_NEXT_DROP;
1891 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1897 s1 = pool_elt_at_index (
1898 sm->per_thread_data[thread_index].sessions,
1903 b1->flags |= VNET_BUFFER_F_IS_NATED;
1905 old_addr1 = ip1->src_address.as_u32;
1906 ip1->src_address = s1->out2in.addr;
1907 new_addr1 = ip1->src_address.as_u32;
1908 if (!is_output_feature)
1909 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1911 sum1 = ip1->checksum;
1912 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1914 src_address /* changed member */);
1915 ip1->checksum = ip_csum_fold (sum1);
1917 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1919 old_port1 = tcp1->src_port;
1920 tcp1->src_port = s1->out2in.port;
1921 new_port1 = tcp1->src_port;
1923 sum1 = tcp1->checksum;
1924 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1926 dst_address /* changed member */);
1927 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1928 ip4_header_t /* cheat */,
1929 length /* changed member */);
1930 tcp1->checksum = ip_csum_fold(sum1);
1931 if (nat44_set_tcp_session_state (sm, s1, tcp1, thread_index))
1936 old_port1 = udp1->src_port;
1937 udp1->src_port = s1->out2in.port;
1942 s1->last_heard = now;
1944 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1945 /* Per-user LRU list maintenance */
1946 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1947 s1->per_user_index);
1948 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1949 s1->per_user_list_head_index,
1950 s1->per_user_index);
1953 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1954 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1956 snat_in2out_trace_t *t =
1957 vlib_add_trace (vm, node, b1, sizeof (*t));
1958 t->sw_if_index = sw_if_index1;
1959 t->next_index = next1;
1960 t->session_index = ~0;
1962 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1965 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1967 /* verify speculative enqueues, maybe switch current next frame */
1968 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1969 to_next, n_left_to_next,
1970 bi0, bi1, next0, next1);
1973 while (n_left_from > 0 && n_left_to_next > 0)
1981 u32 new_addr0, old_addr0;
1982 u16 old_port0, new_port0;
1983 udp_header_t * udp0;
1984 tcp_header_t * tcp0;
1985 icmp46_header_t * icmp0;
1986 snat_session_key_t key0;
1989 snat_session_t * s0 = 0;
1990 clib_bihash_kv_8_8_t kv0, value0;
1991 u32 iph_offset0 = 0;
1993 /* speculatively enqueue b0 to the current next frame */
1999 n_left_to_next -= 1;
2001 b0 = vlib_get_buffer (vm, bi0);
2002 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2004 if (is_output_feature)
2005 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
2007 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
2010 udp0 = ip4_next_header (ip0);
2011 tcp0 = (tcp_header_t *) udp0;
2012 icmp0 = (icmp46_header_t *) udp0;
2014 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2015 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
2018 if (PREDICT_FALSE(ip0->ttl == 1))
2020 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2021 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2022 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2024 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2028 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2030 /* Next configured feature, probably ip4-lookup */
2033 if (PREDICT_FALSE (proto0 == ~0))
2035 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
2036 thread_index, now, vm, node);
2038 next0 = SNAT_IN2OUT_NEXT_DROP;
2042 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2044 next0 = icmp_in2out_slow_path
2045 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2046 next0, now, thread_index, &s0);
2052 if (is_output_feature)
2054 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0, thread_index)))
2058 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
2060 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2064 if (ip4_is_fragment (ip0))
2066 next0 = SNAT_IN2OUT_NEXT_REASS;
2071 key0.addr = ip0->src_address;
2072 key0.port = udp0->src_port;
2073 key0.protocol = proto0;
2074 key0.fib_index = rx_fib_index0;
2076 kv0.key = key0.as_u64;
2078 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out,
2083 if (is_output_feature)
2085 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
2086 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
2091 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2092 ip0, proto0, rx_fib_index0, thread_index)))
2096 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2097 &s0, node, next0, thread_index);
2099 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2104 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2110 if (PREDICT_FALSE (value0.value == ~0ULL))
2114 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
2115 thread_index, now, vm, node);
2116 if (!s0 && !sm->forwarding_enabled)
2117 next0 = SNAT_IN2OUT_NEXT_DROP;
2122 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2128 s0 = pool_elt_at_index (
2129 sm->per_thread_data[thread_index].sessions,
2134 b0->flags |= VNET_BUFFER_F_IS_NATED;
2136 old_addr0 = ip0->src_address.as_u32;
2137 ip0->src_address = s0->out2in.addr;
2138 new_addr0 = ip0->src_address.as_u32;
2139 if (!is_output_feature)
2140 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2142 sum0 = ip0->checksum;
2143 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2145 src_address /* changed member */);
2146 ip0->checksum = ip_csum_fold (sum0);
2148 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2150 old_port0 = tcp0->src_port;
2151 tcp0->src_port = s0->out2in.port;
2152 new_port0 = tcp0->src_port;
2154 sum0 = tcp0->checksum;
2155 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2157 dst_address /* changed member */);
2158 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2159 ip4_header_t /* cheat */,
2160 length /* changed member */);
2161 tcp0->checksum = ip_csum_fold(sum0);
2162 if (nat44_set_tcp_session_state (sm, s0, tcp0, thread_index))
2167 old_port0 = udp0->src_port;
2168 udp0->src_port = s0->out2in.port;
2173 s0->last_heard = now;
2175 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2176 /* Per-user LRU list maintenance */
2177 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2178 s0->per_user_index);
2179 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2180 s0->per_user_list_head_index,
2181 s0->per_user_index);
2184 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2185 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2187 snat_in2out_trace_t *t =
2188 vlib_add_trace (vm, node, b0, sizeof (*t));
2189 t->is_slow_path = is_slow_path;
2190 t->sw_if_index = sw_if_index0;
2191 t->next_index = next0;
2192 t->session_index = ~0;
2194 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
2197 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2199 /* verify speculative enqueue, maybe switch current next frame */
2200 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2201 to_next, n_left_to_next,
2205 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2208 vlib_node_increment_counter (vm, stats_node_index,
2209 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2211 return frame->n_vectors;
2215 snat_in2out_fast_path_fn (vlib_main_t * vm,
2216 vlib_node_runtime_t * node,
2217 vlib_frame_t * frame)
2219 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0);
2222 VLIB_REGISTER_NODE (snat_in2out_node) = {
2223 .function = snat_in2out_fast_path_fn,
2224 .name = "nat44-in2out",
2225 .vector_size = sizeof (u32),
2226 .format_trace = format_snat_in2out_trace,
2227 .type = VLIB_NODE_TYPE_INTERNAL,
2229 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2230 .error_strings = snat_in2out_error_strings,
2232 .runtime_data_bytes = sizeof (snat_runtime_t),
2234 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2236 /* edit / add dispositions here */
2238 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2239 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2240 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2241 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2242 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2246 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
2249 snat_in2out_output_fast_path_fn (vlib_main_t * vm,
2250 vlib_node_runtime_t * node,
2251 vlib_frame_t * frame)
2253 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1);
2256 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
2257 .function = snat_in2out_output_fast_path_fn,
2258 .name = "nat44-in2out-output",
2259 .vector_size = sizeof (u32),
2260 .format_trace = format_snat_in2out_trace,
2261 .type = VLIB_NODE_TYPE_INTERNAL,
2263 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2264 .error_strings = snat_in2out_error_strings,
2266 .runtime_data_bytes = sizeof (snat_runtime_t),
2268 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2270 /* edit / add dispositions here */
2272 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2273 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2274 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2275 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2276 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2280 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node,
2281 snat_in2out_output_fast_path_fn);
2284 snat_in2out_slow_path_fn (vlib_main_t * vm,
2285 vlib_node_runtime_t * node,
2286 vlib_frame_t * frame)
2288 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0);
2291 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
2292 .function = snat_in2out_slow_path_fn,
2293 .name = "nat44-in2out-slowpath",
2294 .vector_size = sizeof (u32),
2295 .format_trace = format_snat_in2out_trace,
2296 .type = VLIB_NODE_TYPE_INTERNAL,
2298 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2299 .error_strings = snat_in2out_error_strings,
2301 .runtime_data_bytes = sizeof (snat_runtime_t),
2303 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2305 /* edit / add dispositions here */
2307 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2308 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2309 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2310 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2311 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2315 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node,
2316 snat_in2out_slow_path_fn);
2319 snat_in2out_output_slow_path_fn (vlib_main_t * vm,
2320 vlib_node_runtime_t * node,
2321 vlib_frame_t * frame)
2323 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1);
2326 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
2327 .function = snat_in2out_output_slow_path_fn,
2328 .name = "nat44-in2out-output-slowpath",
2329 .vector_size = sizeof (u32),
2330 .format_trace = format_snat_in2out_trace,
2331 .type = VLIB_NODE_TYPE_INTERNAL,
2333 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2334 .error_strings = snat_in2out_error_strings,
2336 .runtime_data_bytes = sizeof (snat_runtime_t),
2338 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2340 /* edit / add dispositions here */
2342 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2343 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2344 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2345 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2346 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2350 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node,
2351 snat_in2out_output_slow_path_fn);
2353 extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local;
2356 nat44_hairpinning_fn (vlib_main_t * vm,
2357 vlib_node_runtime_t * node,
2358 vlib_frame_t * frame)
2360 u32 n_left_from, * from, * to_next;
2361 snat_in2out_next_t next_index;
2362 u32 pkts_processed = 0;
2363 snat_main_t * sm = &snat_main;
2364 vnet_feature_main_t *fm = &feature_main;
2365 u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index;
2366 vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index];
2368 from = vlib_frame_vector_args (frame);
2369 n_left_from = frame->n_vectors;
2370 next_index = node->cached_next_index;
2372 while (n_left_from > 0)
2376 vlib_get_next_frame (vm, node, next_index,
2377 to_next, n_left_to_next);
2379 while (n_left_from > 0 && n_left_to_next > 0)
2386 udp_header_t * udp0;
2387 tcp_header_t * tcp0;
2389 /* speculatively enqueue b0 to the current next frame */
2395 n_left_to_next -= 1;
2397 b0 = vlib_get_buffer (vm, bi0);
2398 ip0 = vlib_buffer_get_current (b0);
2399 udp0 = ip4_next_header (ip0);
2400 tcp0 = (tcp_header_t *) udp0;
2402 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2404 vnet_get_config_data (&cm->config_main, &b0->current_config_index,
2407 if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0))
2408 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2410 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2412 /* verify speculative enqueue, maybe switch current next frame */
2413 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2414 to_next, n_left_to_next,
2418 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2421 vlib_node_increment_counter (vm, nat44_hairpinning_node.index,
2422 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2424 return frame->n_vectors;
2427 VLIB_REGISTER_NODE (nat44_hairpinning_node) = {
2428 .function = nat44_hairpinning_fn,
2429 .name = "nat44-hairpinning",
2430 .vector_size = sizeof (u32),
2431 .type = VLIB_NODE_TYPE_INTERNAL,
2432 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2433 .error_strings = snat_in2out_error_strings,
2436 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2437 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2441 VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node,
2442 nat44_hairpinning_fn);
2445 nat44_reass_hairpinning (snat_main_t *sm,
2452 snat_session_key_t key0, sm0;
2453 snat_session_t * s0;
2454 clib_bihash_kv_8_8_t kv0, value0;
2456 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
2457 u16 new_dst_port0, old_dst_port0;
2458 udp_header_t * udp0;
2459 tcp_header_t * tcp0;
2461 key0.addr = ip0->dst_address;
2463 key0.protocol = proto0;
2464 key0.fib_index = sm->outside_fib_index;
2465 kv0.key = key0.as_u64;
2467 udp0 = ip4_next_header (ip0);
2469 /* Check if destination is static mappings */
2470 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
2472 new_dst_addr0 = sm0.addr.as_u32;
2473 new_dst_port0 = sm0.port;
2474 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2476 /* or active sessions */
2479 if (sm->num_workers > 1)
2480 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
2482 ti = sm->num_workers;
2484 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
2487 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
2488 new_dst_addr0 = s0->in2out.addr.as_u32;
2489 new_dst_port0 = s0->in2out.port;
2490 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2494 /* Destination is behind the same NAT, use internal address and port */
2497 old_dst_addr0 = ip0->dst_address.as_u32;
2498 ip0->dst_address.as_u32 = new_dst_addr0;
2499 sum0 = ip0->checksum;
2500 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2501 ip4_header_t, dst_address);
2502 ip0->checksum = ip_csum_fold (sum0);
2504 old_dst_port0 = dport;
2505 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0 &&
2506 ip4_is_first_fragment (ip0)))
2508 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2510 tcp0 = ip4_next_header (ip0);
2511 tcp0->dst = new_dst_port0;
2512 sum0 = tcp0->checksum;
2513 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2514 ip4_header_t, dst_address);
2515 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
2516 ip4_header_t /* cheat */, length);
2517 tcp0->checksum = ip_csum_fold(sum0);
2521 udp0->dst_port = new_dst_port0;
2527 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2529 tcp0 = ip4_next_header (ip0);
2530 sum0 = tcp0->checksum;
2531 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2532 ip4_header_t, dst_address);
2533 tcp0->checksum = ip_csum_fold(sum0);
2540 nat44_in2out_reass_node_fn (vlib_main_t * vm,
2541 vlib_node_runtime_t * node,
2542 vlib_frame_t * frame)
2544 u32 n_left_from, *from, *to_next;
2545 snat_in2out_next_t next_index;
2546 u32 pkts_processed = 0;
2547 snat_main_t *sm = &snat_main;
2548 f64 now = vlib_time_now (vm);
2549 u32 thread_index = vlib_get_thread_index ();
2550 snat_main_per_thread_data_t *per_thread_data =
2551 &sm->per_thread_data[thread_index];
2552 u32 *fragments_to_drop = 0;
2553 u32 *fragments_to_loopback = 0;
2555 from = vlib_frame_vector_args (frame);
2556 n_left_from = frame->n_vectors;
2557 next_index = node->cached_next_index;
2559 while (n_left_from > 0)
2563 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2565 while (n_left_from > 0 && n_left_to_next > 0)
2567 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
2572 nat_reass_ip4_t *reass0;
2573 udp_header_t * udp0;
2574 tcp_header_t * tcp0;
2575 snat_session_key_t key0;
2576 clib_bihash_kv_8_8_t kv0, value0;
2577 snat_session_t * s0 = 0;
2578 u16 old_port0, new_port0;
2581 /* speculatively enqueue b0 to the current next frame */
2587 n_left_to_next -= 1;
2589 b0 = vlib_get_buffer (vm, bi0);
2590 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2592 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2593 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2596 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
2598 next0 = SNAT_IN2OUT_NEXT_DROP;
2599 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
2603 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
2604 udp0 = ip4_next_header (ip0);
2605 tcp0 = (tcp_header_t *) udp0;
2606 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2608 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
2613 &fragments_to_drop);
2615 if (PREDICT_FALSE (!reass0))
2617 next0 = SNAT_IN2OUT_NEXT_DROP;
2618 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
2622 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2624 key0.addr = ip0->src_address;
2625 key0.port = udp0->src_port;
2626 key0.protocol = proto0;
2627 key0.fib_index = rx_fib_index0;
2628 kv0.key = key0.as_u64;
2630 if (clib_bihash_search_8_8 (&per_thread_data->in2out, &kv0, &value0))
2632 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2633 ip0, proto0, rx_fib_index0, thread_index)))
2636 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2637 &s0, node, next0, thread_index);
2639 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2642 reass0->sess_index = s0 - per_thread_data->sessions;
2646 s0 = pool_elt_at_index (per_thread_data->sessions,
2648 reass0->sess_index = value0.value;
2650 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
2654 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
2656 if (nat_ip4_reass_add_fragment (reass0, bi0))
2658 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
2659 next0 = SNAT_IN2OUT_NEXT_DROP;
2665 s0 = pool_elt_at_index (per_thread_data->sessions,
2666 reass0->sess_index);
2669 old_addr0 = ip0->src_address.as_u32;
2670 ip0->src_address = s0->out2in.addr;
2671 new_addr0 = ip0->src_address.as_u32;
2672 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2674 sum0 = ip0->checksum;
2675 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2677 src_address /* changed member */);
2678 ip0->checksum = ip_csum_fold (sum0);
2681 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
2682 s0->ext_host_port, proto0);
2684 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2686 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2688 old_port0 = tcp0->src_port;
2689 tcp0->src_port = s0->out2in.port;
2690 new_port0 = tcp0->src_port;
2692 sum0 = tcp0->checksum;
2693 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2695 dst_address /* changed member */);
2696 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2697 ip4_header_t /* cheat */,
2698 length /* changed member */);
2699 tcp0->checksum = ip_csum_fold(sum0);
2700 if (nat44_set_tcp_session_state (sm, s0, tcp0, thread_index))
2705 old_port0 = udp0->src_port;
2706 udp0->src_port = s0->out2in.port;
2712 s0->last_heard = now;
2714 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2715 /* Per-user LRU list maintenance */
2716 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2717 s0->per_user_index);
2718 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2719 s0->per_user_list_head_index,
2720 s0->per_user_index);
2723 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2724 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2726 nat44_in2out_reass_trace_t *t =
2727 vlib_add_trace (vm, node, b0, sizeof (*t));
2728 t->cached = cached0;
2729 t->sw_if_index = sw_if_index0;
2730 t->next_index = next0;
2740 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2742 /* verify speculative enqueue, maybe switch current next frame */
2743 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2744 to_next, n_left_to_next,
2748 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2750 from = vlib_frame_vector_args (frame);
2751 u32 len = vec_len (fragments_to_loopback);
2752 if (len <= VLIB_FRAME_SIZE)
2754 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2756 vec_reset_length (fragments_to_loopback);
2761 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2762 sizeof (u32) * VLIB_FRAME_SIZE);
2763 n_left_from = VLIB_FRAME_SIZE;
2764 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2769 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2772 vlib_node_increment_counter (vm, nat44_in2out_reass_node.index,
2773 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2776 nat_send_all_to_node (vm, fragments_to_drop, node,
2777 &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
2778 SNAT_IN2OUT_NEXT_DROP);
2780 vec_free (fragments_to_drop);
2781 vec_free (fragments_to_loopback);
2782 return frame->n_vectors;
2785 VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
2786 .function = nat44_in2out_reass_node_fn,
2787 .name = "nat44-in2out-reass",
2788 .vector_size = sizeof (u32),
2789 .format_trace = format_nat44_in2out_reass_trace,
2790 .type = VLIB_NODE_TYPE_INTERNAL,
2792 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2793 .error_strings = snat_in2out_error_strings,
2795 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2797 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2798 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2799 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2800 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2801 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2805 VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node,
2806 nat44_in2out_reass_node_fn);
2808 /**************************/
2809 /*** deterministic mode ***/
2810 /**************************/
2812 snat_det_in2out_node_fn (vlib_main_t * vm,
2813 vlib_node_runtime_t * node,
2814 vlib_frame_t * frame)
2816 u32 n_left_from, * from, * to_next;
2817 snat_in2out_next_t next_index;
2818 u32 pkts_processed = 0;
2819 snat_main_t * sm = &snat_main;
2820 u32 now = (u32) vlib_time_now (vm);
2821 u32 thread_index = vlib_get_thread_index ();
2823 from = vlib_frame_vector_args (frame);
2824 n_left_from = frame->n_vectors;
2825 next_index = node->cached_next_index;
2827 while (n_left_from > 0)
2831 vlib_get_next_frame (vm, node, next_index,
2832 to_next, n_left_to_next);
2834 while (n_left_from >= 4 && n_left_to_next >= 2)
2837 vlib_buffer_t * b0, * b1;
2839 u32 sw_if_index0, sw_if_index1;
2840 ip4_header_t * ip0, * ip1;
2841 ip_csum_t sum0, sum1;
2842 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2843 u16 old_port0, new_port0, lo_port0, i0;
2844 u16 old_port1, new_port1, lo_port1, i1;
2845 udp_header_t * udp0, * udp1;
2846 tcp_header_t * tcp0, * tcp1;
2848 snat_det_out_key_t key0, key1;
2849 snat_det_map_t * dm0, * dm1;
2850 snat_det_session_t * ses0 = 0, * ses1 = 0;
2851 u32 rx_fib_index0, rx_fib_index1;
2852 icmp46_header_t * icmp0, * icmp1;
2854 /* Prefetch next iteration. */
2856 vlib_buffer_t * p2, * p3;
2858 p2 = vlib_get_buffer (vm, from[2]);
2859 p3 = vlib_get_buffer (vm, from[3]);
2861 vlib_prefetch_buffer_header (p2, LOAD);
2862 vlib_prefetch_buffer_header (p3, LOAD);
2864 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2865 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2868 /* speculatively enqueue b0 and b1 to the current next frame */
2869 to_next[0] = bi0 = from[0];
2870 to_next[1] = bi1 = from[1];
2874 n_left_to_next -= 2;
2876 b0 = vlib_get_buffer (vm, bi0);
2877 b1 = vlib_get_buffer (vm, bi1);
2879 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2880 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
2882 ip0 = vlib_buffer_get_current (b0);
2883 udp0 = ip4_next_header (ip0);
2884 tcp0 = (tcp_header_t *) udp0;
2886 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2888 if (PREDICT_FALSE(ip0->ttl == 1))
2890 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2891 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2892 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2894 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2898 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2900 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2902 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2903 icmp0 = (icmp46_header_t *) udp0;
2905 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2906 rx_fib_index0, node, next0, thread_index,
2911 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2912 if (PREDICT_FALSE(!dm0))
2914 clib_warning("no match for internal host %U",
2915 format_ip4_address, &ip0->src_address);
2916 next0 = SNAT_IN2OUT_NEXT_DROP;
2917 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2921 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2923 key0.ext_host_addr = ip0->dst_address;
2924 key0.ext_host_port = tcp0->dst;
2926 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2927 if (PREDICT_FALSE(!ses0))
2929 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2931 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2932 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
2934 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
2937 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
2940 if (PREDICT_FALSE(!ses0))
2942 /* too many sessions for user, send ICMP error packet */
2944 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2945 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
2946 ICMP4_destination_unreachable_destination_unreachable_host,
2948 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2953 new_port0 = ses0->out.out_port;
2955 old_addr0.as_u32 = ip0->src_address.as_u32;
2956 ip0->src_address.as_u32 = new_addr0.as_u32;
2957 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2959 sum0 = ip0->checksum;
2960 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2962 src_address /* changed member */);
2963 ip0->checksum = ip_csum_fold (sum0);
2965 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2967 if (tcp0->flags & TCP_FLAG_SYN)
2968 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
2969 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
2970 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2971 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2972 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
2973 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
2974 snat_det_ses_close(dm0, ses0);
2975 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2976 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
2977 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
2978 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2980 old_port0 = tcp0->src;
2981 tcp0->src = new_port0;
2983 sum0 = tcp0->checksum;
2984 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2986 dst_address /* changed member */);
2987 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2988 ip4_header_t /* cheat */,
2989 length /* changed member */);
2990 tcp0->checksum = ip_csum_fold(sum0);
2994 ses0->state = SNAT_SESSION_UDP_ACTIVE;
2995 old_port0 = udp0->src_port;
2996 udp0->src_port = new_port0;
3002 case SNAT_SESSION_UDP_ACTIVE:
3003 ses0->expire = now + sm->udp_timeout;
3005 case SNAT_SESSION_TCP_SYN_SENT:
3006 case SNAT_SESSION_TCP_FIN_WAIT:
3007 case SNAT_SESSION_TCP_CLOSE_WAIT:
3008 case SNAT_SESSION_TCP_LAST_ACK:
3009 ses0->expire = now + sm->tcp_transitory_timeout;
3011 case SNAT_SESSION_TCP_ESTABLISHED:
3012 ses0->expire = now + sm->tcp_established_timeout;
3017 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3018 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3020 snat_in2out_trace_t *t =
3021 vlib_add_trace (vm, node, b0, sizeof (*t));
3022 t->is_slow_path = 0;
3023 t->sw_if_index = sw_if_index0;
3024 t->next_index = next0;
3025 t->session_index = ~0;
3027 t->session_index = ses0 - dm0->sessions;
3030 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3032 ip1 = vlib_buffer_get_current (b1);
3033 udp1 = ip4_next_header (ip1);
3034 tcp1 = (tcp_header_t *) udp1;
3036 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
3038 if (PREDICT_FALSE(ip1->ttl == 1))
3040 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3041 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
3042 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3044 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3048 proto1 = ip_proto_to_snat_proto (ip1->protocol);
3050 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
3052 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
3053 icmp1 = (icmp46_header_t *) udp1;
3055 next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
3056 rx_fib_index1, node, next1, thread_index,
3061 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
3062 if (PREDICT_FALSE(!dm1))
3064 clib_warning("no match for internal host %U",
3065 format_ip4_address, &ip0->src_address);
3066 next1 = SNAT_IN2OUT_NEXT_DROP;
3067 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3071 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
3073 key1.ext_host_addr = ip1->dst_address;
3074 key1.ext_host_port = tcp1->dst;
3076 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
3077 if (PREDICT_FALSE(!ses1))
3079 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
3081 key1.out_port = clib_host_to_net_u16 (lo_port1 +
3082 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
3084 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
3087 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
3090 if (PREDICT_FALSE(!ses1))
3092 /* too many sessions for user, send ICMP error packet */
3094 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3095 icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
3096 ICMP4_destination_unreachable_destination_unreachable_host,
3098 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3103 new_port1 = ses1->out.out_port;
3105 old_addr1.as_u32 = ip1->src_address.as_u32;
3106 ip1->src_address.as_u32 = new_addr1.as_u32;
3107 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3109 sum1 = ip1->checksum;
3110 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3112 src_address /* changed member */);
3113 ip1->checksum = ip_csum_fold (sum1);
3115 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
3117 if (tcp1->flags & TCP_FLAG_SYN)
3118 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
3119 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
3120 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
3121 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
3122 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
3123 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
3124 snat_det_ses_close(dm1, ses1);
3125 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3126 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
3127 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
3128 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
3130 old_port1 = tcp1->src;
3131 tcp1->src = new_port1;
3133 sum1 = tcp1->checksum;
3134 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3136 dst_address /* changed member */);
3137 sum1 = ip_csum_update (sum1, old_port1, new_port1,
3138 ip4_header_t /* cheat */,
3139 length /* changed member */);
3140 tcp1->checksum = ip_csum_fold(sum1);
3144 ses1->state = SNAT_SESSION_UDP_ACTIVE;
3145 old_port1 = udp1->src_port;
3146 udp1->src_port = new_port1;
3152 case SNAT_SESSION_UDP_ACTIVE:
3153 ses1->expire = now + sm->udp_timeout;
3155 case SNAT_SESSION_TCP_SYN_SENT:
3156 case SNAT_SESSION_TCP_FIN_WAIT:
3157 case SNAT_SESSION_TCP_CLOSE_WAIT:
3158 case SNAT_SESSION_TCP_LAST_ACK:
3159 ses1->expire = now + sm->tcp_transitory_timeout;
3161 case SNAT_SESSION_TCP_ESTABLISHED:
3162 ses1->expire = now + sm->tcp_established_timeout;
3167 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3168 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
3170 snat_in2out_trace_t *t =
3171 vlib_add_trace (vm, node, b1, sizeof (*t));
3172 t->is_slow_path = 0;
3173 t->sw_if_index = sw_if_index1;
3174 t->next_index = next1;
3175 t->session_index = ~0;
3177 t->session_index = ses1 - dm1->sessions;
3180 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
3182 /* verify speculative enqueues, maybe switch current next frame */
3183 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
3184 to_next, n_left_to_next,
3185 bi0, bi1, next0, next1);
3188 while (n_left_from > 0 && n_left_to_next > 0)
3196 ip4_address_t new_addr0, old_addr0;
3197 u16 old_port0, new_port0, lo_port0, i0;
3198 udp_header_t * udp0;
3199 tcp_header_t * tcp0;
3201 snat_det_out_key_t key0;
3202 snat_det_map_t * dm0;
3203 snat_det_session_t * ses0 = 0;
3205 icmp46_header_t * icmp0;
3207 /* speculatively enqueue b0 to the current next frame */
3213 n_left_to_next -= 1;
3215 b0 = vlib_get_buffer (vm, bi0);
3216 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3218 ip0 = vlib_buffer_get_current (b0);
3219 udp0 = ip4_next_header (ip0);
3220 tcp0 = (tcp_header_t *) udp0;
3222 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3224 if (PREDICT_FALSE(ip0->ttl == 1))
3226 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3227 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3228 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3230 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3234 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3236 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
3238 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3239 icmp0 = (icmp46_header_t *) udp0;
3241 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
3242 rx_fib_index0, node, next0, thread_index,
3247 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
3248 if (PREDICT_FALSE(!dm0))
3250 clib_warning("no match for internal host %U",
3251 format_ip4_address, &ip0->src_address);
3252 next0 = SNAT_IN2OUT_NEXT_DROP;
3253 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3257 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
3259 key0.ext_host_addr = ip0->dst_address;
3260 key0.ext_host_port = tcp0->dst;
3262 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
3263 if (PREDICT_FALSE(!ses0))
3265 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3267 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3268 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
3270 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
3273 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
3276 if (PREDICT_FALSE(!ses0))
3278 /* too many sessions for user, send ICMP error packet */
3280 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3281 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
3282 ICMP4_destination_unreachable_destination_unreachable_host,
3284 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3289 new_port0 = ses0->out.out_port;
3291 old_addr0.as_u32 = ip0->src_address.as_u32;
3292 ip0->src_address.as_u32 = new_addr0.as_u32;
3293 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3295 sum0 = ip0->checksum;
3296 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3298 src_address /* changed member */);
3299 ip0->checksum = ip_csum_fold (sum0);
3301 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3303 if (tcp0->flags & TCP_FLAG_SYN)
3304 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
3305 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
3306 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3307 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
3308 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
3309 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
3310 snat_det_ses_close(dm0, ses0);
3311 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3312 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
3313 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
3314 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3316 old_port0 = tcp0->src;
3317 tcp0->src = new_port0;
3319 sum0 = tcp0->checksum;
3320 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3322 dst_address /* changed member */);
3323 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3324 ip4_header_t /* cheat */,
3325 length /* changed member */);
3326 tcp0->checksum = ip_csum_fold(sum0);
3330 ses0->state = SNAT_SESSION_UDP_ACTIVE;
3331 old_port0 = udp0->src_port;
3332 udp0->src_port = new_port0;
3338 case SNAT_SESSION_UDP_ACTIVE:
3339 ses0->expire = now + sm->udp_timeout;
3341 case SNAT_SESSION_TCP_SYN_SENT:
3342 case SNAT_SESSION_TCP_FIN_WAIT:
3343 case SNAT_SESSION_TCP_CLOSE_WAIT:
3344 case SNAT_SESSION_TCP_LAST_ACK:
3345 ses0->expire = now + sm->tcp_transitory_timeout;
3347 case SNAT_SESSION_TCP_ESTABLISHED:
3348 ses0->expire = now + sm->tcp_established_timeout;
3353 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3354 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3356 snat_in2out_trace_t *t =
3357 vlib_add_trace (vm, node, b0, sizeof (*t));
3358 t->is_slow_path = 0;
3359 t->sw_if_index = sw_if_index0;
3360 t->next_index = next0;
3361 t->session_index = ~0;
3363 t->session_index = ses0 - dm0->sessions;
3366 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3368 /* verify speculative enqueue, maybe switch current next frame */
3369 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3370 to_next, n_left_to_next,
3374 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3377 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
3378 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3380 return frame->n_vectors;
3383 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
3384 .function = snat_det_in2out_node_fn,
3385 .name = "nat44-det-in2out",
3386 .vector_size = sizeof (u32),
3387 .format_trace = format_snat_in2out_trace,
3388 .type = VLIB_NODE_TYPE_INTERNAL,
3390 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3391 .error_strings = snat_in2out_error_strings,
3393 .runtime_data_bytes = sizeof (snat_runtime_t),
3397 /* edit / add dispositions here */
3399 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3400 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3401 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3405 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
3408 * Get address and port values to be used for ICMP packet translation
3409 * and create session if needed
3411 * @param[in,out] sm NAT main
3412 * @param[in,out] node NAT node runtime
3413 * @param[in] thread_index thread index
3414 * @param[in,out] b0 buffer containing packet to be translated
3415 * @param[out] p_proto protocol used for matching
3416 * @param[out] p_value address and port after NAT translation
3417 * @param[out] p_dont_translate if packet should not be translated
3418 * @param d optional parameter
3419 * @param e optional parameter
3421 u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
3422 u32 thread_index, vlib_buffer_t *b0,
3423 ip4_header_t *ip0, u8 *p_proto,
3424 snat_session_key_t *p_value,
3425 u8 *p_dont_translate, void *d, void *e)
3427 icmp46_header_t *icmp0;
3431 snat_det_out_key_t key0;
3432 u8 dont_translate = 0;
3434 icmp_echo_header_t *echo0, *inner_echo0 = 0;
3435 ip4_header_t *inner_ip0;
3436 void *l4_header = 0;
3437 icmp46_header_t *inner_icmp0;
3438 snat_det_map_t * dm0 = 0;
3439 ip4_address_t new_addr0;
3441 snat_det_session_t * ses0 = 0;
3442 ip4_address_t in_addr;
3445 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
3446 echo0 = (icmp_echo_header_t *)(icmp0+1);
3447 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3448 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
3450 if (!icmp_is_error_message (icmp0))
3452 protocol = SNAT_PROTOCOL_ICMP;
3453 in_addr = ip0->src_address;
3454 in_port = echo0->identifier;
3458 inner_ip0 = (ip4_header_t *)(echo0+1);
3459 l4_header = ip4_next_header (inner_ip0);
3460 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
3461 in_addr = inner_ip0->dst_address;
3464 case SNAT_PROTOCOL_ICMP:
3465 inner_icmp0 = (icmp46_header_t*)l4_header;
3466 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
3467 in_port = inner_echo0->identifier;
3469 case SNAT_PROTOCOL_UDP:
3470 case SNAT_PROTOCOL_TCP:
3471 in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
3474 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
3475 next0 = SNAT_IN2OUT_NEXT_DROP;
3480 dm0 = snat_det_map_by_user(sm, &in_addr);
3481 if (PREDICT_FALSE(!dm0))
3483 clib_warning("no match for internal host %U",
3484 format_ip4_address, &in_addr);
3485 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3486 IP_PROTOCOL_ICMP, rx_fib_index0)))
3491 next0 = SNAT_IN2OUT_NEXT_DROP;
3492 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3496 snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
3498 key0.ext_host_addr = ip0->dst_address;
3499 key0.ext_host_port = 0;
3501 ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
3502 if (PREDICT_FALSE(!ses0))
3504 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3505 IP_PROTOCOL_ICMP, rx_fib_index0)))
3510 if (icmp0->type != ICMP4_echo_request)
3512 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3513 next0 = SNAT_IN2OUT_NEXT_DROP;
3516 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3518 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3519 ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host));
3521 if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64))
3524 ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0);
3527 if (PREDICT_FALSE(!ses0))
3529 next0 = SNAT_IN2OUT_NEXT_DROP;
3530 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
3535 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
3536 !icmp_is_error_message (icmp0)))
3538 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3539 next0 = SNAT_IN2OUT_NEXT_DROP;
3543 u32 now = (u32) vlib_time_now (sm->vlib_main);
3545 ses0->state = SNAT_SESSION_ICMP_ACTIVE;
3546 ses0->expire = now + sm->icmp_timeout;
3549 *p_proto = protocol;
3552 p_value->addr = new_addr0;
3553 p_value->fib_index = sm->outside_fib_index;
3554 p_value->port = ses0->out.out_port;
3556 *p_dont_translate = dont_translate;
3558 *(snat_det_session_t**)d = ses0;
3560 *(snat_det_map_t**)e = dm0;
3564 /**********************/
3565 /*** worker handoff ***/
3566 /**********************/
3568 snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm,
3569 vlib_node_runtime_t * node,
3570 vlib_frame_t * frame,
3573 snat_main_t *sm = &snat_main;
3574 vlib_thread_main_t *tm = vlib_get_thread_main ();
3575 u32 n_left_from, *from, *to_next = 0;
3576 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3577 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3579 vlib_frame_queue_elt_t *hf = 0;
3580 vlib_frame_t *f = 0;
3582 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3583 u32 next_worker_index = 0;
3584 u32 current_worker_index = ~0;
3585 u32 thread_index = vlib_get_thread_index ();
3589 ASSERT (vec_len (sm->workers));
3593 fq_index = sm->fq_in2out_output_index;
3594 to_node_index = sm->in2out_output_node_index;
3598 fq_index = sm->fq_in2out_index;
3599 to_node_index = sm->in2out_node_index;
3602 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3604 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3606 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3607 sm->first_worker_index + sm->num_workers - 1,
3608 (vlib_frame_queue_t *) (~0));
3611 from = vlib_frame_vector_args (frame);
3612 n_left_from = frame->n_vectors;
3614 while (n_left_from > 0)
3627 b0 = vlib_get_buffer (vm, bi0);
3629 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3630 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3632 ip0 = vlib_buffer_get_current (b0);
3634 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
3636 if (PREDICT_FALSE (next_worker_index != thread_index))
3640 if (next_worker_index != current_worker_index)
3643 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3645 hf = vlib_get_worker_handoff_queue_elt (fq_index,
3647 handoff_queue_elt_by_worker_index);
3649 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3650 to_next_worker = &hf->buffer_index[hf->n_vectors];
3651 current_worker_index = next_worker_index;
3654 /* enqueue to correct worker thread */
3655 to_next_worker[0] = bi0;
3657 n_left_to_next_worker--;
3659 if (n_left_to_next_worker == 0)
3661 hf->n_vectors = VLIB_FRAME_SIZE;
3662 vlib_put_frame_queue_elt (hf);
3663 current_worker_index = ~0;
3664 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3671 /* if this is 1st frame */
3674 f = vlib_get_frame_to_node (vm, to_node_index);
3675 to_next = vlib_frame_vector_args (f);
3683 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3684 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3686 snat_in2out_worker_handoff_trace_t *t =
3687 vlib_add_trace (vm, node, b0, sizeof (*t));
3688 t->next_worker_index = next_worker_index;
3689 t->do_handoff = do_handoff;
3694 vlib_put_frame_to_node (vm, to_node_index, f);
3697 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3699 /* Ship frames to the worker nodes */
3700 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3702 if (handoff_queue_elt_by_worker_index[i])
3704 hf = handoff_queue_elt_by_worker_index[i];
3706 * It works better to let the handoff node
3707 * rate-adapt, always ship the handoff queue element.
3709 if (1 || hf->n_vectors == hf->last_n_vectors)
3711 vlib_put_frame_queue_elt (hf);
3712 handoff_queue_elt_by_worker_index[i] = 0;
3715 hf->last_n_vectors = hf->n_vectors;
3717 congested_handoff_queue_by_worker_index[i] =
3718 (vlib_frame_queue_t *) (~0);
3721 current_worker_index = ~0;
3722 return frame->n_vectors;
3726 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
3727 vlib_node_runtime_t * node,
3728 vlib_frame_t * frame)
3730 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0);
3733 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
3734 .function = snat_in2out_worker_handoff_fn,
3735 .name = "nat44-in2out-worker-handoff",
3736 .vector_size = sizeof (u32),
3737 .format_trace = format_snat_in2out_worker_handoff_trace,
3738 .type = VLIB_NODE_TYPE_INTERNAL,
3747 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node,
3748 snat_in2out_worker_handoff_fn);
3751 snat_in2out_output_worker_handoff_fn (vlib_main_t * vm,
3752 vlib_node_runtime_t * node,
3753 vlib_frame_t * frame)
3755 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1);
3758 VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = {
3759 .function = snat_in2out_output_worker_handoff_fn,
3760 .name = "nat44-in2out-output-worker-handoff",
3761 .vector_size = sizeof (u32),
3762 .format_trace = format_snat_in2out_worker_handoff_trace,
3763 .type = VLIB_NODE_TYPE_INTERNAL,
3772 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node,
3773 snat_in2out_output_worker_handoff_fn);
3775 static_always_inline int
3776 is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr)
3778 snat_address_t * ap;
3779 clib_bihash_kv_8_8_t kv, value;
3780 snat_session_key_t m_key;
3782 vec_foreach (ap, sm->addresses)
3784 if (ap->addr.as_u32 == dst_addr->as_u32)
3788 m_key.addr.as_u32 = dst_addr->as_u32;
3789 m_key.fib_index = sm->outside_fib_index;
3792 kv.key = m_key.as_u64;
3793 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3800 snat_hairpin_dst_fn (vlib_main_t * vm,
3801 vlib_node_runtime_t * node,
3802 vlib_frame_t * frame)
3804 u32 n_left_from, * from, * to_next;
3805 snat_in2out_next_t next_index;
3806 u32 pkts_processed = 0;
3807 snat_main_t * sm = &snat_main;
3809 from = vlib_frame_vector_args (frame);
3810 n_left_from = frame->n_vectors;
3811 next_index = node->cached_next_index;
3813 while (n_left_from > 0)
3817 vlib_get_next_frame (vm, node, next_index,
3818 to_next, n_left_to_next);
3820 while (n_left_from > 0 && n_left_to_next > 0)
3828 /* speculatively enqueue b0 to the current next frame */
3834 n_left_to_next -= 1;
3836 b0 = vlib_get_buffer (vm, bi0);
3837 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3838 ip0 = vlib_buffer_get_current (b0);
3840 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3842 vnet_buffer (b0)->snat.flags = 0;
3843 if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address)))
3845 if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP)
3847 udp_header_t * udp0 = ip4_next_header (ip0);
3848 tcp_header_t * tcp0 = (tcp_header_t *) udp0;
3850 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3852 else if (proto0 == SNAT_PROTOCOL_ICMP)
3854 icmp46_header_t * icmp0 = ip4_next_header (ip0);
3856 snat_icmp_hairpinning (sm, b0, ip0, icmp0);
3860 snat_hairpinning_unknown_proto (sm, b0, ip0);
3863 vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING;
3866 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3868 /* verify speculative enqueue, maybe switch current next frame */
3869 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3870 to_next, n_left_to_next,
3874 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3877 vlib_node_increment_counter (vm, snat_hairpin_dst_node.index,
3878 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3880 return frame->n_vectors;
3883 VLIB_REGISTER_NODE (snat_hairpin_dst_node) = {
3884 .function = snat_hairpin_dst_fn,
3885 .name = "nat44-hairpin-dst",
3886 .vector_size = sizeof (u32),
3887 .type = VLIB_NODE_TYPE_INTERNAL,
3888 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3889 .error_strings = snat_in2out_error_strings,
3892 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3893 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3897 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node,
3898 snat_hairpin_dst_fn);
3901 snat_hairpin_src_fn (vlib_main_t * vm,
3902 vlib_node_runtime_t * node,
3903 vlib_frame_t * frame)
3905 u32 n_left_from, * from, * to_next;
3906 snat_in2out_next_t next_index;
3907 u32 pkts_processed = 0;
3908 snat_main_t *sm = &snat_main;
3910 from = vlib_frame_vector_args (frame);
3911 n_left_from = frame->n_vectors;
3912 next_index = node->cached_next_index;
3914 while (n_left_from > 0)
3918 vlib_get_next_frame (vm, node, next_index,
3919 to_next, n_left_to_next);
3921 while (n_left_from > 0 && n_left_to_next > 0)
3926 snat_interface_t *i;
3929 /* speculatively enqueue b0 to the current next frame */
3935 n_left_to_next -= 1;
3937 b0 = vlib_get_buffer (vm, bi0);
3938 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3939 next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT;
3941 pool_foreach (i, sm->output_feature_interfaces,
3943 /* Only packets from NAT inside interface */
3944 if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index))
3946 if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) &
3947 SNAT_FLAG_HAIRPINNING))
3949 if (PREDICT_TRUE (sm->num_workers > 1))
3950 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH;
3952 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT;
3958 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3960 /* verify speculative enqueue, maybe switch current next frame */
3961 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3962 to_next, n_left_to_next,
3966 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3969 vlib_node_increment_counter (vm, snat_hairpin_src_node.index,
3970 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3972 return frame->n_vectors;
3975 VLIB_REGISTER_NODE (snat_hairpin_src_node) = {
3976 .function = snat_hairpin_src_fn,
3977 .name = "nat44-hairpin-src",
3978 .vector_size = sizeof (u32),
3979 .type = VLIB_NODE_TYPE_INTERNAL,
3980 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3981 .error_strings = snat_in2out_error_strings,
3982 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
3984 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
3985 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output",
3986 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
3987 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
3991 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node,
3992 snat_hairpin_src_fn);
3995 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
3996 vlib_node_runtime_t * node,
3997 vlib_frame_t * frame)
3999 u32 n_left_from, * from, * to_next;
4000 snat_in2out_next_t next_index;
4001 u32 pkts_processed = 0;
4002 snat_main_t * sm = &snat_main;
4003 u32 stats_node_index;
4005 stats_node_index = snat_in2out_fast_node.index;
4007 from = vlib_frame_vector_args (frame);
4008 n_left_from = frame->n_vectors;
4009 next_index = node->cached_next_index;
4011 while (n_left_from > 0)
4015 vlib_get_next_frame (vm, node, next_index,
4016 to_next, n_left_to_next);
4018 while (n_left_from > 0 && n_left_to_next > 0)
4026 u32 new_addr0, old_addr0;
4027 u16 old_port0, new_port0;
4028 udp_header_t * udp0;
4029 tcp_header_t * tcp0;
4030 icmp46_header_t * icmp0;
4031 snat_session_key_t key0, sm0;
4035 /* speculatively enqueue b0 to the current next frame */
4041 n_left_to_next -= 1;
4043 b0 = vlib_get_buffer (vm, bi0);
4044 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
4046 ip0 = vlib_buffer_get_current (b0);
4047 udp0 = ip4_next_header (ip0);
4048 tcp0 = (tcp_header_t *) udp0;
4049 icmp0 = (icmp46_header_t *) udp0;
4051 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
4052 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
4054 if (PREDICT_FALSE(ip0->ttl == 1))
4056 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4057 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
4058 ICMP4_time_exceeded_ttl_exceeded_in_transit,
4060 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4064 proto0 = ip_proto_to_snat_proto (ip0->protocol);
4066 if (PREDICT_FALSE (proto0 == ~0))
4069 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
4071 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
4072 rx_fib_index0, node, next0, ~0, 0, 0);
4076 key0.addr = ip0->src_address;
4077 key0.protocol = proto0;
4078 key0.port = udp0->src_port;
4079 key0.fib_index = rx_fib_index0;
4081 if (snat_static_mapping_match(sm, key0, &sm0, 0, 0, 0, 0))
4083 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
4084 next0= SNAT_IN2OUT_NEXT_DROP;
4088 new_addr0 = sm0.addr.as_u32;
4089 new_port0 = sm0.port;
4090 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
4091 old_addr0 = ip0->src_address.as_u32;
4092 ip0->src_address.as_u32 = new_addr0;
4094 sum0 = ip0->checksum;
4095 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4097 src_address /* changed member */);
4098 ip0->checksum = ip_csum_fold (sum0);
4100 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
4102 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4104 old_port0 = tcp0->src_port;
4105 tcp0->src_port = new_port0;
4107 sum0 = tcp0->checksum;
4108 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4110 dst_address /* changed member */);
4111 sum0 = ip_csum_update (sum0, old_port0, new_port0,
4112 ip4_header_t /* cheat */,
4113 length /* changed member */);
4114 tcp0->checksum = ip_csum_fold(sum0);
4118 old_port0 = udp0->src_port;
4119 udp0->src_port = new_port0;
4125 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4127 sum0 = tcp0->checksum;
4128 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4130 dst_address /* changed member */);
4131 tcp0->checksum = ip_csum_fold(sum0);
4136 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
4139 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
4140 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
4142 snat_in2out_trace_t *t =
4143 vlib_add_trace (vm, node, b0, sizeof (*t));
4144 t->sw_if_index = sw_if_index0;
4145 t->next_index = next0;
4148 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
4150 /* verify speculative enqueue, maybe switch current next frame */
4151 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
4152 to_next, n_left_to_next,
4156 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
4159 vlib_node_increment_counter (vm, stats_node_index,
4160 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
4162 return frame->n_vectors;
4166 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
4167 .function = snat_in2out_fast_static_map_fn,
4168 .name = "nat44-in2out-fast",
4169 .vector_size = sizeof (u32),
4170 .format_trace = format_snat_in2out_fast_trace,
4171 .type = VLIB_NODE_TYPE_INTERNAL,
4173 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
4174 .error_strings = snat_in2out_error_strings,
4176 .runtime_data_bytes = sizeof (snat_runtime_t),
4178 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
4180 /* edit / add dispositions here */
4182 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
4183 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
4184 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
4185 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
4186 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
4190 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob