2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
25 #include <nat/nat_ipfix_logging.h>
26 #include <nat/nat_det.h>
27 #include <nat/nat_reass.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
38 } snat_in2out_trace_t;
41 u32 next_worker_index;
43 } snat_in2out_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
53 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
55 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
56 t->sw_if_index, t->next_index, t->session_index);
61 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
63 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
64 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
65 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
67 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
68 t->sw_if_index, t->next_index);
73 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
75 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
76 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
77 snat_in2out_worker_handoff_trace_t * t =
78 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
81 m = t->do_handoff ? "next worker" : "same worker";
82 s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
91 } nat44_in2out_reass_trace_t;
93 static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args)
95 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
96 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
97 nat44_in2out_reass_trace_t * t = va_arg (*args, nat44_in2out_reass_trace_t *);
99 s = format (s, "NAT44_IN2OUT_REASS: sw_if_index %d, next index %d, status %s",
100 t->sw_if_index, t->next_index,
101 t->cached ? "cached" : "translated");
106 vlib_node_registration_t snat_in2out_node;
107 vlib_node_registration_t snat_in2out_slowpath_node;
108 vlib_node_registration_t snat_in2out_fast_node;
109 vlib_node_registration_t snat_in2out_worker_handoff_node;
110 vlib_node_registration_t snat_det_in2out_node;
111 vlib_node_registration_t snat_in2out_output_node;
112 vlib_node_registration_t snat_in2out_output_slowpath_node;
113 vlib_node_registration_t snat_in2out_output_worker_handoff_node;
114 vlib_node_registration_t snat_hairpin_dst_node;
115 vlib_node_registration_t snat_hairpin_src_node;
116 vlib_node_registration_t nat44_hairpinning_node;
117 vlib_node_registration_t nat44_in2out_reass_node;
120 #define foreach_snat_in2out_error \
121 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
122 _(IN2OUT_PACKETS, "Good in2out packets processed") \
123 _(OUT_OF_PORTS, "Out of ports") \
124 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
125 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
126 _(NO_TRANSLATION, "No translation") \
127 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
128 _(DROP_FRAGMENT, "Drop fragment") \
129 _(MAX_REASS, "Maximum reassemblies exceeded") \
130 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
133 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
134 foreach_snat_in2out_error
137 } snat_in2out_error_t;
139 static char * snat_in2out_error_strings[] = {
140 #define _(sym,string) string,
141 foreach_snat_in2out_error
146 SNAT_IN2OUT_NEXT_LOOKUP,
147 SNAT_IN2OUT_NEXT_DROP,
148 SNAT_IN2OUT_NEXT_ICMP_ERROR,
149 SNAT_IN2OUT_NEXT_SLOW_PATH,
150 SNAT_IN2OUT_NEXT_REASS,
152 } snat_in2out_next_t;
155 SNAT_HAIRPIN_SRC_NEXT_DROP,
156 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT,
157 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH,
158 SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT,
159 SNAT_HAIRPIN_SRC_N_NEXT,
160 } snat_hairpin_next_t;
163 * @brief Check if packet should be translated
165 * Packets aimed at outside interface and external address with active session
166 * should be translated.
169 * @param rt NAT runtime data
170 * @param sw_if_index0 index of the inside interface
171 * @param ip0 IPv4 header
172 * @param proto0 NAT protocol
173 * @param rx_fib_index0 RX FIB index
175 * @returns 0 if packet should be translated otherwise 1
178 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
179 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
185 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
187 .fp_proto = FIB_PROTOCOL_IP4,
190 .ip4.as_u32 = ip0->dst_address.as_u32,
194 /* Don't NAT packet aimed at the intfc address */
195 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
196 ip0->dst_address.as_u32)))
199 fei = fib_table_lookup (rx_fib_index0, &pfx);
200 if (FIB_NODE_INDEX_INVALID != fei)
202 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
203 if (sw_if_index == ~0)
205 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
206 if (FIB_NODE_INDEX_INVALID != fei)
207 sw_if_index = fib_entry_get_resolving_interface (fei);
210 pool_foreach (i, sm->interfaces,
212 /* NAT packet aimed at outside interface */
213 if ((nat_interface_is_outside(i)) && (sw_if_index == i->sw_if_index))
222 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
223 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
224 u32 rx_fib_index0, u32 thread_index)
226 udp_header_t * udp0 = ip4_next_header (ip0);
227 snat_session_key_t key0, sm0;
228 clib_bihash_kv_8_8_t kv0, value0;
230 key0.addr = ip0->dst_address;
231 key0.port = udp0->dst_port;
232 key0.protocol = proto0;
233 key0.fib_index = sm->outside_fib_index;
234 kv0.key = key0.as_u64;
236 /* NAT packet aimed at external address if */
237 /* has active sessions */
238 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
241 /* or is static mappings */
242 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
248 if (sm->forwarding_enabled)
251 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
256 nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0,
257 u32 proto0, u16 src_port, u16 dst_port,
258 u32 thread_index, u32 sw_if_index)
260 snat_session_key_t key0;
261 clib_bihash_kv_8_8_t kv0, value0;
265 key0.addr = ip0->src_address;
266 key0.port = src_port;
267 key0.protocol = proto0;
268 key0.fib_index = sm->outside_fib_index;
269 kv0.key = key0.as_u64;
271 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
276 key0.addr = ip0->dst_address;
277 key0.port = dst_port;
278 key0.protocol = proto0;
279 key0.fib_index = sm->inside_fib_index;
280 kv0.key = key0.as_u64;
281 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
285 pool_foreach (i, sm->output_feature_interfaces,
287 if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index))
296 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
299 snat_session_key_t * key0,
300 snat_session_t ** sessionp,
301 vlib_node_runtime_t * node,
307 clib_bihash_kv_8_8_t kv0;
308 snat_session_key_t key1;
309 u32 address_index = ~0;
310 u32 outside_fib_index;
312 udp_header_t * udp0 = ip4_next_header (ip0);
314 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
316 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
317 nat_ipfix_logging_max_sessions(sm->max_translations);
318 return SNAT_IN2OUT_NEXT_DROP;
321 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
324 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
325 return SNAT_IN2OUT_NEXT_DROP;
327 outside_fib_index = p[0];
329 key1.protocol = key0->protocol;
331 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
335 clib_warning ("create NAT user failed");
336 return SNAT_IN2OUT_NEXT_DROP;
339 /* First try to match static mapping by local address and port */
340 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0))
342 /* Try to create dynamic translation */
343 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
347 sm->per_thread_data[thread_index].snat_thread_index))
349 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
350 return SNAT_IN2OUT_NEXT_DROP;
356 u->nstaticsessions++;
359 s = nat_session_alloc_or_recycle (sm, u, thread_index);
362 clib_warning ("create NAT session failed");
363 return SNAT_IN2OUT_NEXT_DROP;
366 if (address_index == ~0)
367 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
368 s->outside_address_index = address_index;
371 s->out2in.protocol = key0->protocol;
372 s->out2in.fib_index = outside_fib_index;
373 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
374 s->ext_host_port = udp0->dst_port;
377 /* Add to translation hashes */
378 kv0.key = s->in2out.as_u64;
379 kv0.value = s - sm->per_thread_data[thread_index].sessions;
380 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
382 clib_warning ("in2out key add failed");
384 kv0.key = s->out2in.as_u64;
385 kv0.value = s - sm->per_thread_data[thread_index].sessions;
387 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
389 clib_warning ("out2in key add failed");
392 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
393 s->out2in.addr.as_u32,
397 s->in2out.fib_index);
402 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
403 snat_session_key_t *p_key0)
405 icmp46_header_t *icmp0;
406 snat_session_key_t key0;
407 icmp_echo_header_t *echo0, *inner_echo0 = 0;
408 ip4_header_t *inner_ip0 = 0;
410 icmp46_header_t *inner_icmp0;
412 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
413 echo0 = (icmp_echo_header_t *)(icmp0+1);
415 if (!icmp_is_error_message (icmp0))
417 key0.protocol = SNAT_PROTOCOL_ICMP;
418 key0.addr = ip0->src_address;
419 key0.port = echo0->identifier;
423 inner_ip0 = (ip4_header_t *)(echo0+1);
424 l4_header = ip4_next_header (inner_ip0);
425 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
426 key0.addr = inner_ip0->dst_address;
427 switch (key0.protocol)
429 case SNAT_PROTOCOL_ICMP:
430 inner_icmp0 = (icmp46_header_t*)l4_header;
431 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
432 key0.port = inner_echo0->identifier;
434 case SNAT_PROTOCOL_UDP:
435 case SNAT_PROTOCOL_TCP:
436 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
439 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
443 return -1; /* success */
446 static_always_inline int
447 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
449 icmp46_header_t *icmp0;
450 nat_ed_ses_key_t key0;
451 icmp_echo_header_t *echo0, *inner_echo0 = 0;
452 ip4_header_t *inner_ip0 = 0;
454 icmp46_header_t *inner_icmp0;
456 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
457 echo0 = (icmp_echo_header_t *)(icmp0+1);
459 if (!icmp_is_error_message (icmp0))
461 key0.proto = IP_PROTOCOL_ICMP;
462 key0.l_addr = ip0->src_address;
463 key0.r_addr = ip0->dst_address;
464 key0.l_port = key0.r_port = echo0->identifier;
468 inner_ip0 = (ip4_header_t *)(echo0+1);
469 l4_header = ip4_next_header (inner_ip0);
470 key0.proto = inner_ip0->protocol;
471 key0.r_addr = inner_ip0->src_address;
472 key0.l_addr = inner_ip0->dst_address;
473 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
475 case SNAT_PROTOCOL_ICMP:
476 inner_icmp0 = (icmp46_header_t*)l4_header;
477 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
478 key0.r_port = key0.l_port = inner_echo0->identifier;
480 case SNAT_PROTOCOL_UDP:
481 case SNAT_PROTOCOL_TCP:
482 key0.l_port = ((tcp_udp_header_t*)l4_header)->dst_port;
483 key0.r_port = ((tcp_udp_header_t*)l4_header)->src_port;
486 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
494 nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip)
496 nat_ed_ses_key_t key;
497 clib_bihash_kv_16_8_t kv, value;
500 if (!sm->forwarding_enabled)
503 if (ip->protocol == IP_PROTOCOL_ICMP)
505 if (icmp_get_ed_key (ip, &key))
508 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
510 udp = ip4_next_header(ip);
511 key.l_addr = ip->src_address;
512 key.r_addr = ip->dst_address;
513 key.proto = ip->protocol;
514 key.r_port = udp->dst_port;
515 key.l_port = udp->src_port;
519 key.l_addr = ip->src_address;
520 key.r_addr = ip->dst_address;
521 key.proto = ip->protocol;
522 key.l_port = key.r_port = 0;
525 kv.key[0] = key.as_u64[0];
526 kv.key[1] = key.as_u64[1];
528 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
529 return value.value == ~0ULL;
535 * Get address and port values to be used for ICMP packet translation
536 * and create session if needed
538 * @param[in,out] sm NAT main
539 * @param[in,out] node NAT node runtime
540 * @param[in] thread_index thread index
541 * @param[in,out] b0 buffer containing packet to be translated
542 * @param[out] p_proto protocol used for matching
543 * @param[out] p_value address and port after NAT translation
544 * @param[out] p_dont_translate if packet should not be translated
545 * @param d optional parameter
546 * @param e optional parameter
548 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
549 u32 thread_index, vlib_buffer_t *b0,
550 ip4_header_t *ip0, u8 *p_proto,
551 snat_session_key_t *p_value,
552 u8 *p_dont_translate, void *d, void *e)
554 icmp46_header_t *icmp0;
557 snat_session_key_t key0;
558 snat_session_t *s0 = 0;
559 u8 dont_translate = 0;
560 clib_bihash_kv_8_8_t kv0, value0;
564 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
565 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
566 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
568 err = icmp_get_key (ip0, &key0);
571 b0->error = node->errors[err];
572 next0 = SNAT_IN2OUT_NEXT_DROP;
575 key0.fib_index = rx_fib_index0;
577 kv0.key = key0.as_u64;
579 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
582 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] != ~0)
584 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
585 ip0, SNAT_PROTOCOL_ICMP, key0.port, key0.port, thread_index, sw_if_index0)))
593 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
594 ip0, SNAT_PROTOCOL_ICMP, rx_fib_index0, thread_index)))
601 if (PREDICT_FALSE(icmp_is_error_message (icmp0)))
603 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
604 next0 = SNAT_IN2OUT_NEXT_DROP;
608 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
609 &s0, node, next0, thread_index);
611 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
616 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
617 icmp0->type != ICMP4_echo_reply &&
618 !icmp_is_error_message (icmp0)))
620 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
621 next0 = SNAT_IN2OUT_NEXT_DROP;
625 if (PREDICT_FALSE (value0.value == ~0ULL))
627 nat_ed_ses_key_t key;
628 clib_bihash_kv_16_8_t s_kv, s_value;
632 if (icmp_get_ed_key (ip0, &key))
634 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
635 next0 = SNAT_IN2OUT_NEXT_DROP;
638 key.fib_index = rx_fib_index0;
639 s_kv.key[0] = key.as_u64[0];
640 s_kv.key[1] = key.as_u64[1];
641 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
642 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
646 next0 = SNAT_IN2OUT_NEXT_DROP;
651 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
656 *p_proto = key0.protocol;
658 *p_value = s0->out2in;
659 *p_dont_translate = dont_translate;
661 *(snat_session_t**)d = s0;
666 * Get address and port values to be used for ICMP packet translation
668 * @param[in] sm NAT main
669 * @param[in,out] node NAT node runtime
670 * @param[in] thread_index thread index
671 * @param[in,out] b0 buffer containing packet to be translated
672 * @param[out] p_proto protocol used for matching
673 * @param[out] p_value address and port after NAT translation
674 * @param[out] p_dont_translate if packet should not be translated
675 * @param d optional parameter
676 * @param e optional parameter
678 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
679 u32 thread_index, vlib_buffer_t *b0,
680 ip4_header_t *ip0, u8 *p_proto,
681 snat_session_key_t *p_value,
682 u8 *p_dont_translate, void *d, void *e)
684 icmp46_header_t *icmp0;
687 snat_session_key_t key0;
688 snat_session_key_t sm0;
689 u8 dont_translate = 0;
694 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
695 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
696 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
698 err = icmp_get_key (ip0, &key0);
701 b0->error = node->errors[err];
702 next0 = SNAT_IN2OUT_NEXT_DROP;
705 key0.fib_index = rx_fib_index0;
707 if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only, 0))
709 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
710 IP_PROTOCOL_ICMP, rx_fib_index0)))
716 if (icmp_is_error_message (icmp0))
718 next0 = SNAT_IN2OUT_NEXT_DROP;
722 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
723 next0 = SNAT_IN2OUT_NEXT_DROP;
727 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
728 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
729 !icmp_is_error_message (icmp0)))
731 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
732 next0 = SNAT_IN2OUT_NEXT_DROP;
739 *p_proto = key0.protocol;
740 *p_dont_translate = dont_translate;
744 static inline u32 icmp_in2out (snat_main_t *sm,
747 icmp46_header_t * icmp0,
750 vlib_node_runtime_t * node,
756 snat_session_key_t sm0;
758 icmp_echo_header_t *echo0, *inner_echo0 = 0;
759 ip4_header_t *inner_ip0;
761 icmp46_header_t *inner_icmp0;
763 u32 new_addr0, old_addr0;
764 u16 old_id0, new_id0;
769 echo0 = (icmp_echo_header_t *)(icmp0+1);
771 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0, ip0,
772 &protocol, &sm0, &dont_translate, d, e);
775 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
778 sum0 = ip_incremental_checksum (0, icmp0,
779 ntohs(ip0->length) - ip4_header_bytes (ip0));
780 checksum0 = ~ip_csum_fold (sum0);
781 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
783 next0 = SNAT_IN2OUT_NEXT_DROP;
787 old_addr0 = ip0->src_address.as_u32;
788 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
789 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
790 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
792 sum0 = ip0->checksum;
793 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
794 src_address /* changed member */);
795 ip0->checksum = ip_csum_fold (sum0);
797 if (icmp0->checksum == 0)
798 icmp0->checksum = 0xffff;
800 if (!icmp_is_error_message (icmp0))
803 if (PREDICT_FALSE(new_id0 != echo0->identifier))
805 old_id0 = echo0->identifier;
807 echo0->identifier = new_id0;
809 sum0 = icmp0->checksum;
810 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
812 icmp0->checksum = ip_csum_fold (sum0);
817 inner_ip0 = (ip4_header_t *)(echo0+1);
818 l4_header = ip4_next_header (inner_ip0);
820 if (!ip4_header_checksum_is_valid (inner_ip0))
822 next0 = SNAT_IN2OUT_NEXT_DROP;
826 old_addr0 = inner_ip0->dst_address.as_u32;
827 inner_ip0->dst_address = sm0.addr;
828 new_addr0 = inner_ip0->dst_address.as_u32;
830 sum0 = icmp0->checksum;
831 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
832 dst_address /* changed member */);
833 icmp0->checksum = ip_csum_fold (sum0);
837 case SNAT_PROTOCOL_ICMP:
838 inner_icmp0 = (icmp46_header_t*)l4_header;
839 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
841 old_id0 = inner_echo0->identifier;
843 inner_echo0->identifier = new_id0;
845 sum0 = icmp0->checksum;
846 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
848 icmp0->checksum = ip_csum_fold (sum0);
850 case SNAT_PROTOCOL_UDP:
851 case SNAT_PROTOCOL_TCP:
852 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
854 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
856 sum0 = icmp0->checksum;
857 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
859 icmp0->checksum = ip_csum_fold (sum0);
873 * Hairpinning allows two endpoints on the internal side of the NAT to
874 * communicate even if they only use each other's external IP addresses
877 * @param sm NAT main.
878 * @param b0 Vlib buffer.
879 * @param ip0 IP header.
880 * @param udp0 UDP header.
881 * @param tcp0 TCP header.
882 * @param proto0 NAT protocol.
885 snat_hairpinning (snat_main_t *sm,
892 snat_session_key_t key0, sm0;
894 clib_bihash_kv_8_8_t kv0, value0;
896 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
897 u16 new_dst_port0, old_dst_port0;
899 key0.addr = ip0->dst_address;
900 key0.port = udp0->dst_port;
901 key0.protocol = proto0;
902 key0.fib_index = sm->outside_fib_index;
903 kv0.key = key0.as_u64;
905 /* Check if destination is static mappings */
906 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
908 new_dst_addr0 = sm0.addr.as_u32;
909 new_dst_port0 = sm0.port;
910 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
912 /* or active session */
915 if (sm->num_workers > 1)
916 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
918 ti = sm->num_workers;
920 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
924 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
925 new_dst_addr0 = s0->in2out.addr.as_u32;
926 new_dst_port0 = s0->in2out.port;
927 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
931 /* Destination is behind the same NAT, use internal address and port */
934 old_dst_addr0 = ip0->dst_address.as_u32;
935 ip0->dst_address.as_u32 = new_dst_addr0;
936 sum0 = ip0->checksum;
937 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
938 ip4_header_t, dst_address);
939 ip0->checksum = ip_csum_fold (sum0);
941 old_dst_port0 = tcp0->dst;
942 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
944 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
946 tcp0->dst = new_dst_port0;
947 sum0 = tcp0->checksum;
948 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
949 ip4_header_t, dst_address);
950 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
951 ip4_header_t /* cheat */, length);
952 tcp0->checksum = ip_csum_fold(sum0);
956 udp0->dst_port = new_dst_port0;
962 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
964 sum0 = tcp0->checksum;
965 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
966 ip4_header_t, dst_address);
967 tcp0->checksum = ip_csum_fold(sum0);
976 snat_icmp_hairpinning (snat_main_t *sm,
979 icmp46_header_t * icmp0)
981 snat_session_key_t key0, sm0;
982 clib_bihash_kv_8_8_t kv0, value0;
983 u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0;
987 if (!icmp_is_error_message (icmp0))
989 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
990 u16 icmp_id0 = echo0->identifier;
991 key0.addr = ip0->dst_address;
992 key0.port = icmp_id0;
993 key0.protocol = SNAT_PROTOCOL_ICMP;
994 key0.fib_index = sm->outside_fib_index;
995 kv0.key = key0.as_u64;
997 if (sm->num_workers > 1)
998 ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread;
1000 ti = sm->num_workers;
1002 /* Check if destination is in active sessions */
1003 if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
1006 /* or static mappings */
1007 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
1009 new_dst_addr0 = sm0.addr.as_u32;
1010 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1017 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
1018 new_dst_addr0 = s0->in2out.addr.as_u32;
1019 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1020 echo0->identifier = s0->in2out.port;
1021 sum0 = icmp0->checksum;
1022 sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port,
1023 icmp_echo_header_t, identifier);
1024 icmp0->checksum = ip_csum_fold (sum0);
1027 /* Destination is behind the same NAT, use internal address and port */
1030 old_dst_addr0 = ip0->dst_address.as_u32;
1031 ip0->dst_address.as_u32 = new_dst_addr0;
1032 sum0 = ip0->checksum;
1033 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
1034 ip4_header_t, dst_address);
1035 ip0->checksum = ip_csum_fold (sum0);
1041 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
1044 icmp46_header_t * icmp0,
1047 vlib_node_runtime_t * node,
1051 snat_session_t ** p_s0)
1053 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1054 next0, thread_index, p_s0, 0);
1055 snat_session_t * s0 = *p_s0;
1056 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
1059 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == 0)
1060 snat_icmp_hairpinning(sm, b0, ip0, icmp0);
1062 s0->last_heard = now;
1064 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
1065 /* Per-user LRU list maintenance */
1066 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1067 s0->per_user_index);
1068 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1069 s0->per_user_list_head_index,
1070 s0->per_user_index);
1075 snat_hairpinning_unknown_proto (snat_main_t *sm,
1079 u32 old_addr, new_addr = 0, ti = 0;
1080 clib_bihash_kv_8_8_t kv, value;
1081 clib_bihash_kv_16_8_t s_kv, s_value;
1082 nat_ed_ses_key_t key;
1083 snat_session_key_t m_key;
1084 snat_static_mapping_t *m;
1088 old_addr = ip->dst_address.as_u32;
1089 key.l_addr.as_u32 = ip->dst_address.as_u32;
1090 key.r_addr.as_u32 = ip->src_address.as_u32;
1091 key.fib_index = sm->outside_fib_index;
1092 key.proto = ip->protocol;
1095 s_kv.key[0] = key.as_u64[0];
1096 s_kv.key[1] = key.as_u64[1];
1097 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1099 m_key.addr = ip->dst_address;
1100 m_key.fib_index = sm->outside_fib_index;
1103 kv.key = m_key.as_u64;
1104 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1107 m = pool_elt_at_index (sm->static_mappings, value.value);
1108 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1109 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
1110 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
1114 if (sm->num_workers > 1)
1115 ti = sm->worker_out2in_cb (ip, sm->outside_fib_index);
1117 ti = sm->num_workers;
1119 s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value);
1120 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1121 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1122 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1125 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1126 ip->checksum = ip_csum_fold (sum);
1129 static snat_session_t *
1130 snat_in2out_unknown_proto (snat_main_t *sm,
1137 vlib_node_runtime_t * node)
1139 clib_bihash_kv_8_8_t kv, value;
1140 clib_bihash_kv_16_8_t s_kv, s_value;
1141 snat_static_mapping_t *m;
1142 snat_session_key_t m_key;
1143 u32 old_addr, new_addr = 0;
1146 dlist_elt_t *head, *elt;
1147 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1148 u32 elt_index, head_index, ses_index;
1150 nat_ed_ses_key_t key;
1151 u32 address_index = ~0;
1155 old_addr = ip->src_address.as_u32;
1157 key.l_addr = ip->src_address;
1158 key.r_addr = ip->dst_address;
1159 key.fib_index = rx_fib_index;
1160 key.proto = ip->protocol;
1163 s_kv.key[0] = key.as_u64[0];
1164 s_kv.key[1] = key.as_u64[1];
1166 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1168 s = pool_elt_at_index (tsm->sessions, s_value.value);
1169 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1173 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1175 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1176 nat_ipfix_logging_max_sessions(sm->max_translations);
1180 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1184 clib_warning ("create NAT user failed");
1188 m_key.addr = ip->src_address;
1191 m_key.fib_index = rx_fib_index;
1192 kv.key = m_key.as_u64;
1194 /* Try to find static mapping first */
1195 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
1197 m = pool_elt_at_index (sm->static_mappings, value.value);
1198 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
1202 /* Fallback to 3-tuple key */
1205 /* Choose same out address as for TCP/UDP session to same destination */
1206 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1208 head_index = u->sessions_per_user_list_head_index;
1209 head = pool_elt_at_index (tsm->list_pool, head_index);
1210 elt_index = head->next;
1211 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1212 ses_index = elt->value;
1213 while (ses_index != ~0)
1215 s = pool_elt_at_index (tsm->sessions, ses_index);
1216 elt_index = elt->next;
1217 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1218 ses_index = elt->value;
1220 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
1222 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1223 address_index = s->outside_address_index;
1225 key.fib_index = sm->outside_fib_index;
1226 key.l_addr.as_u32 = new_addr;
1227 s_kv.key[0] = key.as_u64[0];
1228 s_kv.key[1] = key.as_u64[1];
1229 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1236 key.fib_index = sm->outside_fib_index;
1237 for (i = 0; i < vec_len (sm->addresses); i++)
1239 key.l_addr.as_u32 = sm->addresses[i].addr.as_u32;
1240 s_kv.key[0] = key.as_u64[0];
1241 s_kv.key[1] = key.as_u64[1];
1242 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1244 new_addr = ip->src_address.as_u32 = key.l_addr.as_u32;
1253 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1256 clib_warning ("create NAT session failed");
1260 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1261 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1262 s->outside_address_index = address_index;
1263 s->out2in.addr.as_u32 = new_addr;
1264 s->out2in.fib_index = sm->outside_fib_index;
1265 s->in2out.addr.as_u32 = old_addr;
1266 s->in2out.fib_index = rx_fib_index;
1267 s->in2out.port = s->out2in.port = ip->protocol;
1270 u->nstaticsessions++;
1271 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1278 /* Add to lookup tables */
1279 key.l_addr.as_u32 = old_addr;
1280 key.r_addr = ip->dst_address;
1281 key.proto = ip->protocol;
1282 key.fib_index = rx_fib_index;
1283 s_kv.key[0] = key.as_u64[0];
1284 s_kv.key[1] = key.as_u64[1];
1285 s_kv.value = s - tsm->sessions;
1286 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1287 clib_warning ("in2out key add failed");
1289 key.l_addr.as_u32 = new_addr;
1290 key.fib_index = sm->outside_fib_index;
1291 s_kv.key[0] = key.as_u64[0];
1292 s_kv.key[1] = key.as_u64[1];
1293 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1294 clib_warning ("out2in key add failed");
1297 /* Update IP checksum */
1299 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1300 ip->checksum = ip_csum_fold (sum);
1303 s->last_heard = now;
1305 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1306 /* Per-user LRU list maintenance */
1307 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1308 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1312 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1313 snat_hairpinning_unknown_proto(sm, b, ip);
1315 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1316 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1321 static snat_session_t *
1322 snat_in2out_lb (snat_main_t *sm,
1329 vlib_node_runtime_t * node)
1331 nat_ed_ses_key_t key;
1332 clib_bihash_kv_16_8_t s_kv, s_value;
1333 udp_header_t *udp = ip4_next_header (ip);
1334 tcp_header_t *tcp = (tcp_header_t *) udp;
1335 snat_session_t *s = 0;
1336 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1337 u32 old_addr, new_addr;
1338 u16 new_port, old_port;
1340 u32 proto = ip_proto_to_snat_proto (ip->protocol);
1341 snat_session_key_t e_key, l_key;
1344 old_addr = ip->src_address.as_u32;
1346 key.l_addr = ip->src_address;
1347 key.r_addr = ip->dst_address;
1348 key.fib_index = rx_fib_index;
1349 key.proto = ip->protocol;
1350 key.r_port = udp->dst_port;
1351 key.l_port = udp->src_port;
1352 s_kv.key[0] = key.as_u64[0];
1353 s_kv.key[1] = key.as_u64[1];
1355 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1357 if (s_value.value == ~0ULL)
1359 s = pool_elt_at_index (tsm->sessions, s_value.value);
1363 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
1365 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1366 nat_ipfix_logging_max_sessions(sm->max_translations);
1370 l_key.addr = ip->src_address;
1371 l_key.port = udp->src_port;
1372 l_key.protocol = proto;
1373 l_key.fib_index = rx_fib_index;
1374 if (snat_static_mapping_match(sm, l_key, &e_key, 0, 0, 0))
1377 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1381 clib_warning ("create NAT user failed");
1385 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1388 clib_warning ("create NAT session failed");
1392 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1393 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1394 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1395 s->outside_address_index = ~0;
1398 s->out2in.protocol = l_key.protocol;
1399 u->nstaticsessions++;
1401 /* Add to lookup tables */
1402 s_kv.value = s - tsm->sessions;
1403 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1404 clib_warning ("in2out-ed key add failed");
1406 key.l_addr = e_key.addr;
1407 key.fib_index = e_key.fib_index;
1408 key.l_port = e_key.port;
1409 s_kv.key[0] = key.as_u64[0];
1410 s_kv.key[1] = key.as_u64[1];
1411 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1412 clib_warning ("out2in-ed key add failed");
1415 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1417 /* Update IP checksum */
1419 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1420 if (is_twice_nat_session (s))
1421 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1422 s->ext_host_addr.as_u32, ip4_header_t, dst_address);
1423 ip->checksum = ip_csum_fold (sum);
1425 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1427 old_port = tcp->src_port;
1428 tcp->src_port = s->out2in.port;
1429 new_port = tcp->src_port;
1431 sum = tcp->checksum;
1432 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1433 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1434 if (is_twice_nat_session (s))
1436 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1437 s->ext_host_addr.as_u32, ip4_header_t,
1439 sum = ip_csum_update (sum, tcp->dst_port, s->ext_host_port,
1440 ip4_header_t, length);
1441 tcp->dst_port = s->ext_host_port;
1442 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1444 tcp->checksum = ip_csum_fold(sum);
1448 udp->src_port = s->out2in.port;
1449 if (is_twice_nat_session (s))
1451 udp->dst_port = s->ext_host_port;
1452 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1457 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1458 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1461 s->last_heard = now;
1463 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1464 /* Per-user LRU list maintenance */
1465 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1466 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1472 snat_in2out_node_fn_inline (vlib_main_t * vm,
1473 vlib_node_runtime_t * node,
1474 vlib_frame_t * frame, int is_slow_path,
1475 int is_output_feature)
1477 u32 n_left_from, * from, * to_next;
1478 snat_in2out_next_t next_index;
1479 u32 pkts_processed = 0;
1480 snat_main_t * sm = &snat_main;
1481 f64 now = vlib_time_now (vm);
1482 u32 stats_node_index;
1483 u32 thread_index = vlib_get_thread_index ();
1485 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
1486 snat_in2out_node.index;
1488 from = vlib_frame_vector_args (frame);
1489 n_left_from = frame->n_vectors;
1490 next_index = node->cached_next_index;
1492 while (n_left_from > 0)
1496 vlib_get_next_frame (vm, node, next_index,
1497 to_next, n_left_to_next);
1499 while (n_left_from >= 4 && n_left_to_next >= 2)
1502 vlib_buffer_t * b0, * b1;
1504 u32 sw_if_index0, sw_if_index1;
1505 ip4_header_t * ip0, * ip1;
1506 ip_csum_t sum0, sum1;
1507 u32 new_addr0, old_addr0, new_addr1, old_addr1;
1508 u16 old_port0, new_port0, old_port1, new_port1;
1509 udp_header_t * udp0, * udp1;
1510 tcp_header_t * tcp0, * tcp1;
1511 icmp46_header_t * icmp0, * icmp1;
1512 snat_session_key_t key0, key1;
1513 u32 rx_fib_index0, rx_fib_index1;
1515 snat_session_t * s0 = 0, * s1 = 0;
1516 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
1517 u32 iph_offset0 = 0, iph_offset1 = 0;
1519 /* Prefetch next iteration. */
1521 vlib_buffer_t * p2, * p3;
1523 p2 = vlib_get_buffer (vm, from[2]);
1524 p3 = vlib_get_buffer (vm, from[3]);
1526 vlib_prefetch_buffer_header (p2, LOAD);
1527 vlib_prefetch_buffer_header (p3, LOAD);
1529 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1530 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1533 /* speculatively enqueue b0 and b1 to the current next frame */
1534 to_next[0] = bi0 = from[0];
1535 to_next[1] = bi1 = from[1];
1539 n_left_to_next -= 2;
1541 b0 = vlib_get_buffer (vm, bi0);
1542 b1 = vlib_get_buffer (vm, bi1);
1544 if (is_output_feature)
1545 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1547 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1550 udp0 = ip4_next_header (ip0);
1551 tcp0 = (tcp_header_t *) udp0;
1552 icmp0 = (icmp46_header_t *) udp0;
1554 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1555 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1558 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1560 if (PREDICT_FALSE(ip0->ttl == 1))
1562 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1563 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1564 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1566 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1570 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1572 /* Next configured feature, probably ip4-lookup */
1575 if (PREDICT_FALSE (proto0 == ~0))
1577 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1578 thread_index, now, vm, node);
1580 next0 = SNAT_IN2OUT_NEXT_DROP;
1584 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1586 next0 = icmp_in2out_slow_path
1587 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1588 node, next0, now, thread_index, &s0);
1594 if (is_output_feature)
1596 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
1600 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1602 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1606 if (ip4_is_fragment (ip0))
1608 next0 = SNAT_IN2OUT_NEXT_REASS;
1613 key0.addr = ip0->src_address;
1614 key0.port = udp0->src_port;
1615 key0.protocol = proto0;
1616 key0.fib_index = rx_fib_index0;
1618 kv0.key = key0.as_u64;
1620 if (PREDICT_FALSE (clib_bihash_search_8_8 (
1621 &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0))
1625 if (is_output_feature)
1627 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1628 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
1633 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1634 ip0, proto0, rx_fib_index0, thread_index)))
1638 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1639 &s0, node, next0, thread_index);
1640 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1645 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1651 if (PREDICT_FALSE (value0.value == ~0ULL))
1655 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
1656 thread_index, now, vm, node);
1657 if (!s0 && !sm->forwarding_enabled)
1658 next0 = SNAT_IN2OUT_NEXT_DROP;
1663 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1669 s0 = pool_elt_at_index (
1670 sm->per_thread_data[thread_index].sessions,
1675 b0->flags |= VNET_BUFFER_F_IS_NATED;
1677 old_addr0 = ip0->src_address.as_u32;
1678 ip0->src_address = s0->out2in.addr;
1679 new_addr0 = ip0->src_address.as_u32;
1680 if (!is_output_feature)
1681 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1683 sum0 = ip0->checksum;
1684 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1686 src_address /* changed member */);
1687 ip0->checksum = ip_csum_fold (sum0);
1689 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1691 old_port0 = tcp0->src_port;
1692 tcp0->src_port = s0->out2in.port;
1693 new_port0 = tcp0->src_port;
1695 sum0 = tcp0->checksum;
1696 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1698 dst_address /* changed member */);
1699 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1700 ip4_header_t /* cheat */,
1701 length /* changed member */);
1702 tcp0->checksum = ip_csum_fold(sum0);
1706 old_port0 = udp0->src_port;
1707 udp0->src_port = s0->out2in.port;
1712 s0->last_heard = now;
1714 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1715 /* Per-user LRU list maintenance */
1716 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1717 s0->per_user_index);
1718 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1719 s0->per_user_list_head_index,
1720 s0->per_user_index);
1723 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1724 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1726 snat_in2out_trace_t *t =
1727 vlib_add_trace (vm, node, b0, sizeof (*t));
1728 t->is_slow_path = is_slow_path;
1729 t->sw_if_index = sw_if_index0;
1730 t->next_index = next0;
1731 t->session_index = ~0;
1733 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1736 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1738 if (is_output_feature)
1739 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1741 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1744 udp1 = ip4_next_header (ip1);
1745 tcp1 = (tcp_header_t *) udp1;
1746 icmp1 = (icmp46_header_t *) udp1;
1748 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1749 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1752 if (PREDICT_FALSE(ip1->ttl == 1))
1754 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1755 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1756 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1758 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1762 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1764 /* Next configured feature, probably ip4-lookup */
1767 if (PREDICT_FALSE (proto1 == ~0))
1769 s1 = snat_in2out_unknown_proto (sm, b1, ip1, rx_fib_index1,
1770 thread_index, now, vm, node);
1772 next1 = SNAT_IN2OUT_NEXT_DROP;
1776 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1778 next1 = icmp_in2out_slow_path
1779 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1780 next1, now, thread_index, &s1);
1786 if (is_output_feature)
1788 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1)))
1792 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1794 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1798 if (ip4_is_fragment (ip1))
1800 next1 = SNAT_IN2OUT_NEXT_REASS;
1805 key1.addr = ip1->src_address;
1806 key1.port = udp1->src_port;
1807 key1.protocol = proto1;
1808 key1.fib_index = rx_fib_index1;
1810 kv1.key = key1.as_u64;
1812 if (PREDICT_FALSE(clib_bihash_search_8_8 (
1813 &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0))
1817 if (is_output_feature)
1819 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
1820 ip1, proto1, udp1->src_port, udp1->dst_port, thread_index, sw_if_index1)))
1825 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1,
1826 ip1, proto1, rx_fib_index1, thread_index)))
1830 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1831 &s1, node, next1, thread_index);
1832 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1837 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1843 if (PREDICT_FALSE (value1.value == ~0ULL))
1847 s1 = snat_in2out_lb(sm, b1, ip1, rx_fib_index1,
1848 thread_index, now, vm, node);
1849 if (!s1 && !sm->forwarding_enabled)
1850 next1 = SNAT_IN2OUT_NEXT_DROP;
1855 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1861 s1 = pool_elt_at_index (
1862 sm->per_thread_data[thread_index].sessions,
1867 b1->flags |= VNET_BUFFER_F_IS_NATED;
1869 old_addr1 = ip1->src_address.as_u32;
1870 ip1->src_address = s1->out2in.addr;
1871 new_addr1 = ip1->src_address.as_u32;
1872 if (!is_output_feature)
1873 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1875 sum1 = ip1->checksum;
1876 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1878 src_address /* changed member */);
1879 ip1->checksum = ip_csum_fold (sum1);
1881 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1883 old_port1 = tcp1->src_port;
1884 tcp1->src_port = s1->out2in.port;
1885 new_port1 = tcp1->src_port;
1887 sum1 = tcp1->checksum;
1888 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1890 dst_address /* changed member */);
1891 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1892 ip4_header_t /* cheat */,
1893 length /* changed member */);
1894 tcp1->checksum = ip_csum_fold(sum1);
1898 old_port1 = udp1->src_port;
1899 udp1->src_port = s1->out2in.port;
1904 s1->last_heard = now;
1906 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1907 /* Per-user LRU list maintenance */
1908 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1909 s1->per_user_index);
1910 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1911 s1->per_user_list_head_index,
1912 s1->per_user_index);
1915 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1916 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1918 snat_in2out_trace_t *t =
1919 vlib_add_trace (vm, node, b1, sizeof (*t));
1920 t->sw_if_index = sw_if_index1;
1921 t->next_index = next1;
1922 t->session_index = ~0;
1924 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1927 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1929 /* verify speculative enqueues, maybe switch current next frame */
1930 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1931 to_next, n_left_to_next,
1932 bi0, bi1, next0, next1);
1935 while (n_left_from > 0 && n_left_to_next > 0)
1943 u32 new_addr0, old_addr0;
1944 u16 old_port0, new_port0;
1945 udp_header_t * udp0;
1946 tcp_header_t * tcp0;
1947 icmp46_header_t * icmp0;
1948 snat_session_key_t key0;
1951 snat_session_t * s0 = 0;
1952 clib_bihash_kv_8_8_t kv0, value0;
1953 u32 iph_offset0 = 0;
1955 /* speculatively enqueue b0 to the current next frame */
1961 n_left_to_next -= 1;
1963 b0 = vlib_get_buffer (vm, bi0);
1964 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1966 if (is_output_feature)
1967 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1969 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1972 udp0 = ip4_next_header (ip0);
1973 tcp0 = (tcp_header_t *) udp0;
1974 icmp0 = (icmp46_header_t *) udp0;
1976 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1977 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1980 if (PREDICT_FALSE(ip0->ttl == 1))
1982 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1983 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1984 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1986 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1990 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1992 /* Next configured feature, probably ip4-lookup */
1995 if (PREDICT_FALSE (proto0 == ~0))
1997 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1998 thread_index, now, vm, node);
2000 next0 = SNAT_IN2OUT_NEXT_DROP;
2004 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2006 next0 = icmp_in2out_slow_path
2007 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2008 next0, now, thread_index, &s0);
2014 if (is_output_feature)
2016 if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
2020 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
2022 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2026 if (ip4_is_fragment (ip0))
2028 next0 = SNAT_IN2OUT_NEXT_REASS;
2033 key0.addr = ip0->src_address;
2034 key0.port = udp0->src_port;
2035 key0.protocol = proto0;
2036 key0.fib_index = rx_fib_index0;
2038 kv0.key = key0.as_u64;
2040 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out,
2045 if (is_output_feature)
2047 if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
2048 ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
2053 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2054 ip0, proto0, rx_fib_index0, thread_index)))
2058 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2059 &s0, node, next0, thread_index);
2061 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2066 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2072 if (PREDICT_FALSE (value0.value == ~0ULL))
2076 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
2077 thread_index, now, vm, node);
2078 if (!s0 && !sm->forwarding_enabled)
2079 next0 = SNAT_IN2OUT_NEXT_DROP;
2084 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2090 s0 = pool_elt_at_index (
2091 sm->per_thread_data[thread_index].sessions,
2096 b0->flags |= VNET_BUFFER_F_IS_NATED;
2098 old_addr0 = ip0->src_address.as_u32;
2099 ip0->src_address = s0->out2in.addr;
2100 new_addr0 = ip0->src_address.as_u32;
2101 if (!is_output_feature)
2102 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2104 sum0 = ip0->checksum;
2105 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2107 src_address /* changed member */);
2108 ip0->checksum = ip_csum_fold (sum0);
2110 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2112 old_port0 = tcp0->src_port;
2113 tcp0->src_port = s0->out2in.port;
2114 new_port0 = tcp0->src_port;
2116 sum0 = tcp0->checksum;
2117 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2119 dst_address /* changed member */);
2120 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2121 ip4_header_t /* cheat */,
2122 length /* changed member */);
2123 tcp0->checksum = ip_csum_fold(sum0);
2127 old_port0 = udp0->src_port;
2128 udp0->src_port = s0->out2in.port;
2133 s0->last_heard = now;
2135 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2136 /* Per-user LRU list maintenance */
2137 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2138 s0->per_user_index);
2139 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2140 s0->per_user_list_head_index,
2141 s0->per_user_index);
2144 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2145 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2147 snat_in2out_trace_t *t =
2148 vlib_add_trace (vm, node, b0, sizeof (*t));
2149 t->is_slow_path = is_slow_path;
2150 t->sw_if_index = sw_if_index0;
2151 t->next_index = next0;
2152 t->session_index = ~0;
2154 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
2157 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2159 /* verify speculative enqueue, maybe switch current next frame */
2160 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2161 to_next, n_left_to_next,
2165 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2168 vlib_node_increment_counter (vm, stats_node_index,
2169 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2171 return frame->n_vectors;
2175 snat_in2out_fast_path_fn (vlib_main_t * vm,
2176 vlib_node_runtime_t * node,
2177 vlib_frame_t * frame)
2179 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0);
2182 VLIB_REGISTER_NODE (snat_in2out_node) = {
2183 .function = snat_in2out_fast_path_fn,
2184 .name = "nat44-in2out",
2185 .vector_size = sizeof (u32),
2186 .format_trace = format_snat_in2out_trace,
2187 .type = VLIB_NODE_TYPE_INTERNAL,
2189 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2190 .error_strings = snat_in2out_error_strings,
2192 .runtime_data_bytes = sizeof (snat_runtime_t),
2194 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2196 /* edit / add dispositions here */
2198 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2199 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2200 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2201 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2202 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2206 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
2209 snat_in2out_output_fast_path_fn (vlib_main_t * vm,
2210 vlib_node_runtime_t * node,
2211 vlib_frame_t * frame)
2213 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1);
2216 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
2217 .function = snat_in2out_output_fast_path_fn,
2218 .name = "nat44-in2out-output",
2219 .vector_size = sizeof (u32),
2220 .format_trace = format_snat_in2out_trace,
2221 .type = VLIB_NODE_TYPE_INTERNAL,
2223 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2224 .error_strings = snat_in2out_error_strings,
2226 .runtime_data_bytes = sizeof (snat_runtime_t),
2228 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2230 /* edit / add dispositions here */
2232 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2233 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2234 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2235 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2236 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2240 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node,
2241 snat_in2out_output_fast_path_fn);
2244 snat_in2out_slow_path_fn (vlib_main_t * vm,
2245 vlib_node_runtime_t * node,
2246 vlib_frame_t * frame)
2248 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0);
2251 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
2252 .function = snat_in2out_slow_path_fn,
2253 .name = "nat44-in2out-slowpath",
2254 .vector_size = sizeof (u32),
2255 .format_trace = format_snat_in2out_trace,
2256 .type = VLIB_NODE_TYPE_INTERNAL,
2258 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2259 .error_strings = snat_in2out_error_strings,
2261 .runtime_data_bytes = sizeof (snat_runtime_t),
2263 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2265 /* edit / add dispositions here */
2267 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2268 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2269 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2270 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2271 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2275 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node,
2276 snat_in2out_slow_path_fn);
2279 snat_in2out_output_slow_path_fn (vlib_main_t * vm,
2280 vlib_node_runtime_t * node,
2281 vlib_frame_t * frame)
2283 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1);
2286 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
2287 .function = snat_in2out_output_slow_path_fn,
2288 .name = "nat44-in2out-output-slowpath",
2289 .vector_size = sizeof (u32),
2290 .format_trace = format_snat_in2out_trace,
2291 .type = VLIB_NODE_TYPE_INTERNAL,
2293 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2294 .error_strings = snat_in2out_error_strings,
2296 .runtime_data_bytes = sizeof (snat_runtime_t),
2298 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2300 /* edit / add dispositions here */
2302 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2303 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2304 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2305 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2306 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2310 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node,
2311 snat_in2out_output_slow_path_fn);
2313 extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local;
2316 nat44_hairpinning_fn (vlib_main_t * vm,
2317 vlib_node_runtime_t * node,
2318 vlib_frame_t * frame)
2320 u32 n_left_from, * from, * to_next;
2321 snat_in2out_next_t next_index;
2322 u32 pkts_processed = 0;
2323 snat_main_t * sm = &snat_main;
2324 vnet_feature_main_t *fm = &feature_main;
2325 u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index;
2326 vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index];
2328 from = vlib_frame_vector_args (frame);
2329 n_left_from = frame->n_vectors;
2330 next_index = node->cached_next_index;
2332 while (n_left_from > 0)
2336 vlib_get_next_frame (vm, node, next_index,
2337 to_next, n_left_to_next);
2339 while (n_left_from > 0 && n_left_to_next > 0)
2346 udp_header_t * udp0;
2347 tcp_header_t * tcp0;
2349 /* speculatively enqueue b0 to the current next frame */
2355 n_left_to_next -= 1;
2357 b0 = vlib_get_buffer (vm, bi0);
2358 ip0 = vlib_buffer_get_current (b0);
2359 udp0 = ip4_next_header (ip0);
2360 tcp0 = (tcp_header_t *) udp0;
2362 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2364 vnet_get_config_data (&cm->config_main, &b0->current_config_index,
2367 if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0))
2368 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2370 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2372 /* verify speculative enqueue, maybe switch current next frame */
2373 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2374 to_next, n_left_to_next,
2378 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2381 vlib_node_increment_counter (vm, nat44_hairpinning_node.index,
2382 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2384 return frame->n_vectors;
2387 VLIB_REGISTER_NODE (nat44_hairpinning_node) = {
2388 .function = nat44_hairpinning_fn,
2389 .name = "nat44-hairpinning",
2390 .vector_size = sizeof (u32),
2391 .type = VLIB_NODE_TYPE_INTERNAL,
2392 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2393 .error_strings = snat_in2out_error_strings,
2396 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2397 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2401 VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node,
2402 nat44_hairpinning_fn);
2405 nat44_reass_hairpinning (snat_main_t *sm,
2412 snat_session_key_t key0, sm0;
2413 snat_session_t * s0;
2414 clib_bihash_kv_8_8_t kv0, value0;
2416 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
2417 u16 new_dst_port0, old_dst_port0;
2418 udp_header_t * udp0;
2419 tcp_header_t * tcp0;
2421 key0.addr = ip0->dst_address;
2423 key0.protocol = proto0;
2424 key0.fib_index = sm->outside_fib_index;
2425 kv0.key = key0.as_u64;
2427 udp0 = ip4_next_header (ip0);
2429 /* Check if destination is static mappings */
2430 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
2432 new_dst_addr0 = sm0.addr.as_u32;
2433 new_dst_port0 = sm0.port;
2434 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2436 /* or active sessions */
2439 if (sm->num_workers > 1)
2440 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
2442 ti = sm->num_workers;
2444 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
2447 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
2448 new_dst_addr0 = s0->in2out.addr.as_u32;
2449 new_dst_port0 = s0->in2out.port;
2450 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2454 /* Destination is behind the same NAT, use internal address and port */
2457 old_dst_addr0 = ip0->dst_address.as_u32;
2458 ip0->dst_address.as_u32 = new_dst_addr0;
2459 sum0 = ip0->checksum;
2460 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2461 ip4_header_t, dst_address);
2462 ip0->checksum = ip_csum_fold (sum0);
2464 old_dst_port0 = dport;
2465 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0 &&
2466 ip4_is_first_fragment (ip0)))
2468 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2470 tcp0 = ip4_next_header (ip0);
2471 tcp0->dst = new_dst_port0;
2472 sum0 = tcp0->checksum;
2473 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2474 ip4_header_t, dst_address);
2475 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
2476 ip4_header_t /* cheat */, length);
2477 tcp0->checksum = ip_csum_fold(sum0);
2481 udp0->dst_port = new_dst_port0;
2487 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2489 tcp0 = ip4_next_header (ip0);
2490 sum0 = tcp0->checksum;
2491 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2492 ip4_header_t, dst_address);
2493 tcp0->checksum = ip_csum_fold(sum0);
2500 nat44_in2out_reass_node_fn (vlib_main_t * vm,
2501 vlib_node_runtime_t * node,
2502 vlib_frame_t * frame)
2504 u32 n_left_from, *from, *to_next;
2505 snat_in2out_next_t next_index;
2506 u32 pkts_processed = 0;
2507 snat_main_t *sm = &snat_main;
2508 f64 now = vlib_time_now (vm);
2509 u32 thread_index = vlib_get_thread_index ();
2510 snat_main_per_thread_data_t *per_thread_data =
2511 &sm->per_thread_data[thread_index];
2512 u32 *fragments_to_drop = 0;
2513 u32 *fragments_to_loopback = 0;
2515 from = vlib_frame_vector_args (frame);
2516 n_left_from = frame->n_vectors;
2517 next_index = node->cached_next_index;
2519 while (n_left_from > 0)
2523 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2525 while (n_left_from > 0 && n_left_to_next > 0)
2527 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
2532 nat_reass_ip4_t *reass0;
2533 udp_header_t * udp0;
2534 tcp_header_t * tcp0;
2535 snat_session_key_t key0;
2536 clib_bihash_kv_8_8_t kv0, value0;
2537 snat_session_t * s0 = 0;
2538 u16 old_port0, new_port0;
2541 /* speculatively enqueue b0 to the current next frame */
2547 n_left_to_next -= 1;
2549 b0 = vlib_get_buffer (vm, bi0);
2550 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2552 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2553 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2556 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
2558 next0 = SNAT_IN2OUT_NEXT_DROP;
2559 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
2563 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
2564 udp0 = ip4_next_header (ip0);
2565 tcp0 = (tcp_header_t *) udp0;
2566 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2568 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
2573 &fragments_to_drop);
2575 if (PREDICT_FALSE (!reass0))
2577 next0 = SNAT_IN2OUT_NEXT_DROP;
2578 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
2582 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2584 key0.addr = ip0->src_address;
2585 key0.port = udp0->src_port;
2586 key0.protocol = proto0;
2587 key0.fib_index = rx_fib_index0;
2588 kv0.key = key0.as_u64;
2590 if (clib_bihash_search_8_8 (&per_thread_data->in2out, &kv0, &value0))
2592 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2593 ip0, proto0, rx_fib_index0, thread_index)))
2596 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2597 &s0, node, next0, thread_index);
2599 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2602 reass0->sess_index = s0 - per_thread_data->sessions;
2606 s0 = pool_elt_at_index (per_thread_data->sessions,
2608 reass0->sess_index = value0.value;
2610 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
2614 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
2616 if (nat_ip4_reass_add_fragment (reass0, bi0))
2618 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
2619 next0 = SNAT_IN2OUT_NEXT_DROP;
2625 s0 = pool_elt_at_index (per_thread_data->sessions,
2626 reass0->sess_index);
2629 old_addr0 = ip0->src_address.as_u32;
2630 ip0->src_address = s0->out2in.addr;
2631 new_addr0 = ip0->src_address.as_u32;
2632 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2634 sum0 = ip0->checksum;
2635 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2637 src_address /* changed member */);
2638 ip0->checksum = ip_csum_fold (sum0);
2640 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2642 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2644 old_port0 = tcp0->src_port;
2645 tcp0->src_port = s0->out2in.port;
2646 new_port0 = tcp0->src_port;
2648 sum0 = tcp0->checksum;
2649 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2651 dst_address /* changed member */);
2652 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2653 ip4_header_t /* cheat */,
2654 length /* changed member */);
2655 tcp0->checksum = ip_csum_fold(sum0);
2659 old_port0 = udp0->src_port;
2660 udp0->src_port = s0->out2in.port;
2666 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
2667 s0->ext_host_port, proto0);
2670 s0->last_heard = now;
2672 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2673 /* Per-user LRU list maintenance */
2674 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2675 s0->per_user_index);
2676 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2677 s0->per_user_list_head_index,
2678 s0->per_user_index);
2681 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2682 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2684 nat44_in2out_reass_trace_t *t =
2685 vlib_add_trace (vm, node, b0, sizeof (*t));
2686 t->cached = cached0;
2687 t->sw_if_index = sw_if_index0;
2688 t->next_index = next0;
2698 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2700 /* verify speculative enqueue, maybe switch current next frame */
2701 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2702 to_next, n_left_to_next,
2706 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2708 from = vlib_frame_vector_args (frame);
2709 u32 len = vec_len (fragments_to_loopback);
2710 if (len <= VLIB_FRAME_SIZE)
2712 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2714 vec_reset_length (fragments_to_loopback);
2719 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2720 sizeof (u32) * VLIB_FRAME_SIZE);
2721 n_left_from = VLIB_FRAME_SIZE;
2722 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2727 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2730 vlib_node_increment_counter (vm, nat44_in2out_reass_node.index,
2731 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2734 nat_send_all_to_node (vm, fragments_to_drop, node,
2735 &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
2736 SNAT_IN2OUT_NEXT_DROP);
2738 vec_free (fragments_to_drop);
2739 vec_free (fragments_to_loopback);
2740 return frame->n_vectors;
2743 VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
2744 .function = nat44_in2out_reass_node_fn,
2745 .name = "nat44-in2out-reass",
2746 .vector_size = sizeof (u32),
2747 .format_trace = format_nat44_in2out_reass_trace,
2748 .type = VLIB_NODE_TYPE_INTERNAL,
2750 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2751 .error_strings = snat_in2out_error_strings,
2753 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2755 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2756 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2757 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2758 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2759 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2763 VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node,
2764 nat44_in2out_reass_node_fn);
2766 /**************************/
2767 /*** deterministic mode ***/
2768 /**************************/
2770 snat_det_in2out_node_fn (vlib_main_t * vm,
2771 vlib_node_runtime_t * node,
2772 vlib_frame_t * frame)
2774 u32 n_left_from, * from, * to_next;
2775 snat_in2out_next_t next_index;
2776 u32 pkts_processed = 0;
2777 snat_main_t * sm = &snat_main;
2778 u32 now = (u32) vlib_time_now (vm);
2779 u32 thread_index = vlib_get_thread_index ();
2781 from = vlib_frame_vector_args (frame);
2782 n_left_from = frame->n_vectors;
2783 next_index = node->cached_next_index;
2785 while (n_left_from > 0)
2789 vlib_get_next_frame (vm, node, next_index,
2790 to_next, n_left_to_next);
2792 while (n_left_from >= 4 && n_left_to_next >= 2)
2795 vlib_buffer_t * b0, * b1;
2797 u32 sw_if_index0, sw_if_index1;
2798 ip4_header_t * ip0, * ip1;
2799 ip_csum_t sum0, sum1;
2800 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2801 u16 old_port0, new_port0, lo_port0, i0;
2802 u16 old_port1, new_port1, lo_port1, i1;
2803 udp_header_t * udp0, * udp1;
2804 tcp_header_t * tcp0, * tcp1;
2806 snat_det_out_key_t key0, key1;
2807 snat_det_map_t * dm0, * dm1;
2808 snat_det_session_t * ses0 = 0, * ses1 = 0;
2809 u32 rx_fib_index0, rx_fib_index1;
2810 icmp46_header_t * icmp0, * icmp1;
2812 /* Prefetch next iteration. */
2814 vlib_buffer_t * p2, * p3;
2816 p2 = vlib_get_buffer (vm, from[2]);
2817 p3 = vlib_get_buffer (vm, from[3]);
2819 vlib_prefetch_buffer_header (p2, LOAD);
2820 vlib_prefetch_buffer_header (p3, LOAD);
2822 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2823 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2826 /* speculatively enqueue b0 and b1 to the current next frame */
2827 to_next[0] = bi0 = from[0];
2828 to_next[1] = bi1 = from[1];
2832 n_left_to_next -= 2;
2834 b0 = vlib_get_buffer (vm, bi0);
2835 b1 = vlib_get_buffer (vm, bi1);
2837 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2838 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
2840 ip0 = vlib_buffer_get_current (b0);
2841 udp0 = ip4_next_header (ip0);
2842 tcp0 = (tcp_header_t *) udp0;
2844 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2846 if (PREDICT_FALSE(ip0->ttl == 1))
2848 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2849 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2850 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2852 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2856 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2858 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2860 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2861 icmp0 = (icmp46_header_t *) udp0;
2863 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2864 rx_fib_index0, node, next0, thread_index,
2869 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2870 if (PREDICT_FALSE(!dm0))
2872 clib_warning("no match for internal host %U",
2873 format_ip4_address, &ip0->src_address);
2874 next0 = SNAT_IN2OUT_NEXT_DROP;
2875 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2879 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2881 key0.ext_host_addr = ip0->dst_address;
2882 key0.ext_host_port = tcp0->dst;
2884 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2885 if (PREDICT_FALSE(!ses0))
2887 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2889 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2890 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
2892 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
2895 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
2898 if (PREDICT_FALSE(!ses0))
2900 /* too many sessions for user, send ICMP error packet */
2902 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2903 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
2904 ICMP4_destination_unreachable_destination_unreachable_host,
2906 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2911 new_port0 = ses0->out.out_port;
2913 old_addr0.as_u32 = ip0->src_address.as_u32;
2914 ip0->src_address.as_u32 = new_addr0.as_u32;
2915 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2917 sum0 = ip0->checksum;
2918 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2920 src_address /* changed member */);
2921 ip0->checksum = ip_csum_fold (sum0);
2923 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2925 if (tcp0->flags & TCP_FLAG_SYN)
2926 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
2927 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
2928 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2929 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2930 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
2931 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
2932 snat_det_ses_close(dm0, ses0);
2933 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2934 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
2935 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
2936 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2938 old_port0 = tcp0->src;
2939 tcp0->src = new_port0;
2941 sum0 = tcp0->checksum;
2942 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2944 dst_address /* changed member */);
2945 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2946 ip4_header_t /* cheat */,
2947 length /* changed member */);
2948 tcp0->checksum = ip_csum_fold(sum0);
2952 ses0->state = SNAT_SESSION_UDP_ACTIVE;
2953 old_port0 = udp0->src_port;
2954 udp0->src_port = new_port0;
2960 case SNAT_SESSION_UDP_ACTIVE:
2961 ses0->expire = now + sm->udp_timeout;
2963 case SNAT_SESSION_TCP_SYN_SENT:
2964 case SNAT_SESSION_TCP_FIN_WAIT:
2965 case SNAT_SESSION_TCP_CLOSE_WAIT:
2966 case SNAT_SESSION_TCP_LAST_ACK:
2967 ses0->expire = now + sm->tcp_transitory_timeout;
2969 case SNAT_SESSION_TCP_ESTABLISHED:
2970 ses0->expire = now + sm->tcp_established_timeout;
2975 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2976 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2978 snat_in2out_trace_t *t =
2979 vlib_add_trace (vm, node, b0, sizeof (*t));
2980 t->is_slow_path = 0;
2981 t->sw_if_index = sw_if_index0;
2982 t->next_index = next0;
2983 t->session_index = ~0;
2985 t->session_index = ses0 - dm0->sessions;
2988 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2990 ip1 = vlib_buffer_get_current (b1);
2991 udp1 = ip4_next_header (ip1);
2992 tcp1 = (tcp_header_t *) udp1;
2994 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2996 if (PREDICT_FALSE(ip1->ttl == 1))
2998 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2999 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
3000 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3002 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3006 proto1 = ip_proto_to_snat_proto (ip1->protocol);
3008 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
3010 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
3011 icmp1 = (icmp46_header_t *) udp1;
3013 next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
3014 rx_fib_index1, node, next1, thread_index,
3019 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
3020 if (PREDICT_FALSE(!dm1))
3022 clib_warning("no match for internal host %U",
3023 format_ip4_address, &ip0->src_address);
3024 next1 = SNAT_IN2OUT_NEXT_DROP;
3025 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3029 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
3031 key1.ext_host_addr = ip1->dst_address;
3032 key1.ext_host_port = tcp1->dst;
3034 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
3035 if (PREDICT_FALSE(!ses1))
3037 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
3039 key1.out_port = clib_host_to_net_u16 (lo_port1 +
3040 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
3042 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
3045 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
3048 if (PREDICT_FALSE(!ses1))
3050 /* too many sessions for user, send ICMP error packet */
3052 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3053 icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
3054 ICMP4_destination_unreachable_destination_unreachable_host,
3056 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3061 new_port1 = ses1->out.out_port;
3063 old_addr1.as_u32 = ip1->src_address.as_u32;
3064 ip1->src_address.as_u32 = new_addr1.as_u32;
3065 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3067 sum1 = ip1->checksum;
3068 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3070 src_address /* changed member */);
3071 ip1->checksum = ip_csum_fold (sum1);
3073 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
3075 if (tcp1->flags & TCP_FLAG_SYN)
3076 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
3077 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
3078 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
3079 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
3080 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
3081 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
3082 snat_det_ses_close(dm1, ses1);
3083 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3084 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
3085 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
3086 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
3088 old_port1 = tcp1->src;
3089 tcp1->src = new_port1;
3091 sum1 = tcp1->checksum;
3092 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3094 dst_address /* changed member */);
3095 sum1 = ip_csum_update (sum1, old_port1, new_port1,
3096 ip4_header_t /* cheat */,
3097 length /* changed member */);
3098 tcp1->checksum = ip_csum_fold(sum1);
3102 ses1->state = SNAT_SESSION_UDP_ACTIVE;
3103 old_port1 = udp1->src_port;
3104 udp1->src_port = new_port1;
3110 case SNAT_SESSION_UDP_ACTIVE:
3111 ses1->expire = now + sm->udp_timeout;
3113 case SNAT_SESSION_TCP_SYN_SENT:
3114 case SNAT_SESSION_TCP_FIN_WAIT:
3115 case SNAT_SESSION_TCP_CLOSE_WAIT:
3116 case SNAT_SESSION_TCP_LAST_ACK:
3117 ses1->expire = now + sm->tcp_transitory_timeout;
3119 case SNAT_SESSION_TCP_ESTABLISHED:
3120 ses1->expire = now + sm->tcp_established_timeout;
3125 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3126 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
3128 snat_in2out_trace_t *t =
3129 vlib_add_trace (vm, node, b1, sizeof (*t));
3130 t->is_slow_path = 0;
3131 t->sw_if_index = sw_if_index1;
3132 t->next_index = next1;
3133 t->session_index = ~0;
3135 t->session_index = ses1 - dm1->sessions;
3138 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
3140 /* verify speculative enqueues, maybe switch current next frame */
3141 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
3142 to_next, n_left_to_next,
3143 bi0, bi1, next0, next1);
3146 while (n_left_from > 0 && n_left_to_next > 0)
3154 ip4_address_t new_addr0, old_addr0;
3155 u16 old_port0, new_port0, lo_port0, i0;
3156 udp_header_t * udp0;
3157 tcp_header_t * tcp0;
3159 snat_det_out_key_t key0;
3160 snat_det_map_t * dm0;
3161 snat_det_session_t * ses0 = 0;
3163 icmp46_header_t * icmp0;
3165 /* speculatively enqueue b0 to the current next frame */
3171 n_left_to_next -= 1;
3173 b0 = vlib_get_buffer (vm, bi0);
3174 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3176 ip0 = vlib_buffer_get_current (b0);
3177 udp0 = ip4_next_header (ip0);
3178 tcp0 = (tcp_header_t *) udp0;
3180 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3182 if (PREDICT_FALSE(ip0->ttl == 1))
3184 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3185 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3186 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3188 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3192 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3194 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
3196 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3197 icmp0 = (icmp46_header_t *) udp0;
3199 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
3200 rx_fib_index0, node, next0, thread_index,
3205 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
3206 if (PREDICT_FALSE(!dm0))
3208 clib_warning("no match for internal host %U",
3209 format_ip4_address, &ip0->src_address);
3210 next0 = SNAT_IN2OUT_NEXT_DROP;
3211 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3215 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
3217 key0.ext_host_addr = ip0->dst_address;
3218 key0.ext_host_port = tcp0->dst;
3220 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
3221 if (PREDICT_FALSE(!ses0))
3223 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3225 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3226 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
3228 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
3231 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
3234 if (PREDICT_FALSE(!ses0))
3236 /* too many sessions for user, send ICMP error packet */
3238 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3239 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
3240 ICMP4_destination_unreachable_destination_unreachable_host,
3242 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3247 new_port0 = ses0->out.out_port;
3249 old_addr0.as_u32 = ip0->src_address.as_u32;
3250 ip0->src_address.as_u32 = new_addr0.as_u32;
3251 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3253 sum0 = ip0->checksum;
3254 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3256 src_address /* changed member */);
3257 ip0->checksum = ip_csum_fold (sum0);
3259 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3261 if (tcp0->flags & TCP_FLAG_SYN)
3262 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
3263 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
3264 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3265 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
3266 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
3267 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
3268 snat_det_ses_close(dm0, ses0);
3269 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3270 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
3271 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
3272 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3274 old_port0 = tcp0->src;
3275 tcp0->src = new_port0;
3277 sum0 = tcp0->checksum;
3278 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3280 dst_address /* changed member */);
3281 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3282 ip4_header_t /* cheat */,
3283 length /* changed member */);
3284 tcp0->checksum = ip_csum_fold(sum0);
3288 ses0->state = SNAT_SESSION_UDP_ACTIVE;
3289 old_port0 = udp0->src_port;
3290 udp0->src_port = new_port0;
3296 case SNAT_SESSION_UDP_ACTIVE:
3297 ses0->expire = now + sm->udp_timeout;
3299 case SNAT_SESSION_TCP_SYN_SENT:
3300 case SNAT_SESSION_TCP_FIN_WAIT:
3301 case SNAT_SESSION_TCP_CLOSE_WAIT:
3302 case SNAT_SESSION_TCP_LAST_ACK:
3303 ses0->expire = now + sm->tcp_transitory_timeout;
3305 case SNAT_SESSION_TCP_ESTABLISHED:
3306 ses0->expire = now + sm->tcp_established_timeout;
3311 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3312 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3314 snat_in2out_trace_t *t =
3315 vlib_add_trace (vm, node, b0, sizeof (*t));
3316 t->is_slow_path = 0;
3317 t->sw_if_index = sw_if_index0;
3318 t->next_index = next0;
3319 t->session_index = ~0;
3321 t->session_index = ses0 - dm0->sessions;
3324 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3326 /* verify speculative enqueue, maybe switch current next frame */
3327 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3328 to_next, n_left_to_next,
3332 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3335 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
3336 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3338 return frame->n_vectors;
3341 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
3342 .function = snat_det_in2out_node_fn,
3343 .name = "nat44-det-in2out",
3344 .vector_size = sizeof (u32),
3345 .format_trace = format_snat_in2out_trace,
3346 .type = VLIB_NODE_TYPE_INTERNAL,
3348 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3349 .error_strings = snat_in2out_error_strings,
3351 .runtime_data_bytes = sizeof (snat_runtime_t),
3355 /* edit / add dispositions here */
3357 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3358 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3359 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3363 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
3366 * Get address and port values to be used for ICMP packet translation
3367 * and create session if needed
3369 * @param[in,out] sm NAT main
3370 * @param[in,out] node NAT node runtime
3371 * @param[in] thread_index thread index
3372 * @param[in,out] b0 buffer containing packet to be translated
3373 * @param[out] p_proto protocol used for matching
3374 * @param[out] p_value address and port after NAT translation
3375 * @param[out] p_dont_translate if packet should not be translated
3376 * @param d optional parameter
3377 * @param e optional parameter
3379 u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
3380 u32 thread_index, vlib_buffer_t *b0,
3381 ip4_header_t *ip0, u8 *p_proto,
3382 snat_session_key_t *p_value,
3383 u8 *p_dont_translate, void *d, void *e)
3385 icmp46_header_t *icmp0;
3389 snat_det_out_key_t key0;
3390 u8 dont_translate = 0;
3392 icmp_echo_header_t *echo0, *inner_echo0 = 0;
3393 ip4_header_t *inner_ip0;
3394 void *l4_header = 0;
3395 icmp46_header_t *inner_icmp0;
3396 snat_det_map_t * dm0 = 0;
3397 ip4_address_t new_addr0;
3399 snat_det_session_t * ses0 = 0;
3400 ip4_address_t in_addr;
3403 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
3404 echo0 = (icmp_echo_header_t *)(icmp0+1);
3405 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3406 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
3408 if (!icmp_is_error_message (icmp0))
3410 protocol = SNAT_PROTOCOL_ICMP;
3411 in_addr = ip0->src_address;
3412 in_port = echo0->identifier;
3416 inner_ip0 = (ip4_header_t *)(echo0+1);
3417 l4_header = ip4_next_header (inner_ip0);
3418 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
3419 in_addr = inner_ip0->dst_address;
3422 case SNAT_PROTOCOL_ICMP:
3423 inner_icmp0 = (icmp46_header_t*)l4_header;
3424 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
3425 in_port = inner_echo0->identifier;
3427 case SNAT_PROTOCOL_UDP:
3428 case SNAT_PROTOCOL_TCP:
3429 in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
3432 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
3433 next0 = SNAT_IN2OUT_NEXT_DROP;
3438 dm0 = snat_det_map_by_user(sm, &in_addr);
3439 if (PREDICT_FALSE(!dm0))
3441 clib_warning("no match for internal host %U",
3442 format_ip4_address, &in_addr);
3443 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3444 IP_PROTOCOL_ICMP, rx_fib_index0)))
3449 next0 = SNAT_IN2OUT_NEXT_DROP;
3450 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3454 snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
3456 key0.ext_host_addr = ip0->dst_address;
3457 key0.ext_host_port = 0;
3459 ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
3460 if (PREDICT_FALSE(!ses0))
3462 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3463 IP_PROTOCOL_ICMP, rx_fib_index0)))
3468 if (icmp0->type != ICMP4_echo_request)
3470 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3471 next0 = SNAT_IN2OUT_NEXT_DROP;
3474 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3476 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3477 ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host));
3479 if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64))
3482 ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0);
3485 if (PREDICT_FALSE(!ses0))
3487 next0 = SNAT_IN2OUT_NEXT_DROP;
3488 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
3493 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
3494 !icmp_is_error_message (icmp0)))
3496 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3497 next0 = SNAT_IN2OUT_NEXT_DROP;
3501 u32 now = (u32) vlib_time_now (sm->vlib_main);
3503 ses0->state = SNAT_SESSION_ICMP_ACTIVE;
3504 ses0->expire = now + sm->icmp_timeout;
3507 *p_proto = protocol;
3510 p_value->addr = new_addr0;
3511 p_value->fib_index = sm->outside_fib_index;
3512 p_value->port = ses0->out.out_port;
3514 *p_dont_translate = dont_translate;
3516 *(snat_det_session_t**)d = ses0;
3518 *(snat_det_map_t**)e = dm0;
3522 /**********************/
3523 /*** worker handoff ***/
3524 /**********************/
3526 snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm,
3527 vlib_node_runtime_t * node,
3528 vlib_frame_t * frame,
3531 snat_main_t *sm = &snat_main;
3532 vlib_thread_main_t *tm = vlib_get_thread_main ();
3533 u32 n_left_from, *from, *to_next = 0;
3534 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3535 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3537 vlib_frame_queue_elt_t *hf = 0;
3538 vlib_frame_t *f = 0;
3540 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3541 u32 next_worker_index = 0;
3542 u32 current_worker_index = ~0;
3543 u32 thread_index = vlib_get_thread_index ();
3547 ASSERT (vec_len (sm->workers));
3551 fq_index = sm->fq_in2out_output_index;
3552 to_node_index = sm->in2out_output_node_index;
3556 fq_index = sm->fq_in2out_index;
3557 to_node_index = sm->in2out_node_index;
3560 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3562 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3564 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3565 sm->first_worker_index + sm->num_workers - 1,
3566 (vlib_frame_queue_t *) (~0));
3569 from = vlib_frame_vector_args (frame);
3570 n_left_from = frame->n_vectors;
3572 while (n_left_from > 0)
3585 b0 = vlib_get_buffer (vm, bi0);
3587 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3588 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3590 ip0 = vlib_buffer_get_current (b0);
3592 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
3594 if (PREDICT_FALSE (next_worker_index != thread_index))
3598 if (next_worker_index != current_worker_index)
3601 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3603 hf = vlib_get_worker_handoff_queue_elt (fq_index,
3605 handoff_queue_elt_by_worker_index);
3607 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3608 to_next_worker = &hf->buffer_index[hf->n_vectors];
3609 current_worker_index = next_worker_index;
3612 /* enqueue to correct worker thread */
3613 to_next_worker[0] = bi0;
3615 n_left_to_next_worker--;
3617 if (n_left_to_next_worker == 0)
3619 hf->n_vectors = VLIB_FRAME_SIZE;
3620 vlib_put_frame_queue_elt (hf);
3621 current_worker_index = ~0;
3622 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3629 /* if this is 1st frame */
3632 f = vlib_get_frame_to_node (vm, to_node_index);
3633 to_next = vlib_frame_vector_args (f);
3641 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3642 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3644 snat_in2out_worker_handoff_trace_t *t =
3645 vlib_add_trace (vm, node, b0, sizeof (*t));
3646 t->next_worker_index = next_worker_index;
3647 t->do_handoff = do_handoff;
3652 vlib_put_frame_to_node (vm, to_node_index, f);
3655 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3657 /* Ship frames to the worker nodes */
3658 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3660 if (handoff_queue_elt_by_worker_index[i])
3662 hf = handoff_queue_elt_by_worker_index[i];
3664 * It works better to let the handoff node
3665 * rate-adapt, always ship the handoff queue element.
3667 if (1 || hf->n_vectors == hf->last_n_vectors)
3669 vlib_put_frame_queue_elt (hf);
3670 handoff_queue_elt_by_worker_index[i] = 0;
3673 hf->last_n_vectors = hf->n_vectors;
3675 congested_handoff_queue_by_worker_index[i] =
3676 (vlib_frame_queue_t *) (~0);
3679 current_worker_index = ~0;
3680 return frame->n_vectors;
3684 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
3685 vlib_node_runtime_t * node,
3686 vlib_frame_t * frame)
3688 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0);
3691 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
3692 .function = snat_in2out_worker_handoff_fn,
3693 .name = "nat44-in2out-worker-handoff",
3694 .vector_size = sizeof (u32),
3695 .format_trace = format_snat_in2out_worker_handoff_trace,
3696 .type = VLIB_NODE_TYPE_INTERNAL,
3705 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node,
3706 snat_in2out_worker_handoff_fn);
3709 snat_in2out_output_worker_handoff_fn (vlib_main_t * vm,
3710 vlib_node_runtime_t * node,
3711 vlib_frame_t * frame)
3713 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1);
3716 VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = {
3717 .function = snat_in2out_output_worker_handoff_fn,
3718 .name = "nat44-in2out-output-worker-handoff",
3719 .vector_size = sizeof (u32),
3720 .format_trace = format_snat_in2out_worker_handoff_trace,
3721 .type = VLIB_NODE_TYPE_INTERNAL,
3730 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node,
3731 snat_in2out_output_worker_handoff_fn);
3733 static_always_inline int
3734 is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr)
3736 snat_address_t * ap;
3737 clib_bihash_kv_8_8_t kv, value;
3738 snat_session_key_t m_key;
3740 vec_foreach (ap, sm->addresses)
3742 if (ap->addr.as_u32 == dst_addr->as_u32)
3746 m_key.addr.as_u32 = dst_addr->as_u32;
3747 m_key.fib_index = sm->outside_fib_index;
3750 kv.key = m_key.as_u64;
3751 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3758 snat_hairpin_dst_fn (vlib_main_t * vm,
3759 vlib_node_runtime_t * node,
3760 vlib_frame_t * frame)
3762 u32 n_left_from, * from, * to_next;
3763 snat_in2out_next_t next_index;
3764 u32 pkts_processed = 0;
3765 snat_main_t * sm = &snat_main;
3767 from = vlib_frame_vector_args (frame);
3768 n_left_from = frame->n_vectors;
3769 next_index = node->cached_next_index;
3771 while (n_left_from > 0)
3775 vlib_get_next_frame (vm, node, next_index,
3776 to_next, n_left_to_next);
3778 while (n_left_from > 0 && n_left_to_next > 0)
3786 /* speculatively enqueue b0 to the current next frame */
3792 n_left_to_next -= 1;
3794 b0 = vlib_get_buffer (vm, bi0);
3795 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3796 ip0 = vlib_buffer_get_current (b0);
3798 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3800 vnet_buffer (b0)->snat.flags = 0;
3801 if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address)))
3803 if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP)
3805 udp_header_t * udp0 = ip4_next_header (ip0);
3806 tcp_header_t * tcp0 = (tcp_header_t *) udp0;
3808 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3810 else if (proto0 == SNAT_PROTOCOL_ICMP)
3812 icmp46_header_t * icmp0 = ip4_next_header (ip0);
3814 snat_icmp_hairpinning (sm, b0, ip0, icmp0);
3818 snat_hairpinning_unknown_proto (sm, b0, ip0);
3821 vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING;
3824 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3826 /* verify speculative enqueue, maybe switch current next frame */
3827 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3828 to_next, n_left_to_next,
3832 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3835 vlib_node_increment_counter (vm, snat_hairpin_dst_node.index,
3836 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3838 return frame->n_vectors;
3841 VLIB_REGISTER_NODE (snat_hairpin_dst_node) = {
3842 .function = snat_hairpin_dst_fn,
3843 .name = "nat44-hairpin-dst",
3844 .vector_size = sizeof (u32),
3845 .type = VLIB_NODE_TYPE_INTERNAL,
3846 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3847 .error_strings = snat_in2out_error_strings,
3850 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3851 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3855 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node,
3856 snat_hairpin_dst_fn);
3859 snat_hairpin_src_fn (vlib_main_t * vm,
3860 vlib_node_runtime_t * node,
3861 vlib_frame_t * frame)
3863 u32 n_left_from, * from, * to_next;
3864 snat_in2out_next_t next_index;
3865 u32 pkts_processed = 0;
3866 snat_main_t *sm = &snat_main;
3868 from = vlib_frame_vector_args (frame);
3869 n_left_from = frame->n_vectors;
3870 next_index = node->cached_next_index;
3872 while (n_left_from > 0)
3876 vlib_get_next_frame (vm, node, next_index,
3877 to_next, n_left_to_next);
3879 while (n_left_from > 0 && n_left_to_next > 0)
3884 snat_interface_t *i;
3887 /* speculatively enqueue b0 to the current next frame */
3893 n_left_to_next -= 1;
3895 b0 = vlib_get_buffer (vm, bi0);
3896 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3897 next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT;
3899 pool_foreach (i, sm->output_feature_interfaces,
3901 /* Only packets from NAT inside interface */
3902 if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index))
3904 if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) &
3905 SNAT_FLAG_HAIRPINNING))
3907 if (PREDICT_TRUE (sm->num_workers > 1))
3908 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH;
3910 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT;
3916 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3918 /* verify speculative enqueue, maybe switch current next frame */
3919 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3920 to_next, n_left_to_next,
3924 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3927 vlib_node_increment_counter (vm, snat_hairpin_src_node.index,
3928 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3930 return frame->n_vectors;
3933 VLIB_REGISTER_NODE (snat_hairpin_src_node) = {
3934 .function = snat_hairpin_src_fn,
3935 .name = "nat44-hairpin-src",
3936 .vector_size = sizeof (u32),
3937 .type = VLIB_NODE_TYPE_INTERNAL,
3938 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3939 .error_strings = snat_in2out_error_strings,
3940 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
3942 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
3943 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output",
3944 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
3945 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
3949 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node,
3950 snat_hairpin_src_fn);
3953 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
3954 vlib_node_runtime_t * node,
3955 vlib_frame_t * frame)
3957 u32 n_left_from, * from, * to_next;
3958 snat_in2out_next_t next_index;
3959 u32 pkts_processed = 0;
3960 snat_main_t * sm = &snat_main;
3961 u32 stats_node_index;
3963 stats_node_index = snat_in2out_fast_node.index;
3965 from = vlib_frame_vector_args (frame);
3966 n_left_from = frame->n_vectors;
3967 next_index = node->cached_next_index;
3969 while (n_left_from > 0)
3973 vlib_get_next_frame (vm, node, next_index,
3974 to_next, n_left_to_next);
3976 while (n_left_from > 0 && n_left_to_next > 0)
3984 u32 new_addr0, old_addr0;
3985 u16 old_port0, new_port0;
3986 udp_header_t * udp0;
3987 tcp_header_t * tcp0;
3988 icmp46_header_t * icmp0;
3989 snat_session_key_t key0, sm0;
3993 /* speculatively enqueue b0 to the current next frame */
3999 n_left_to_next -= 1;
4001 b0 = vlib_get_buffer (vm, bi0);
4002 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
4004 ip0 = vlib_buffer_get_current (b0);
4005 udp0 = ip4_next_header (ip0);
4006 tcp0 = (tcp_header_t *) udp0;
4007 icmp0 = (icmp46_header_t *) udp0;
4009 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
4010 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
4012 if (PREDICT_FALSE(ip0->ttl == 1))
4014 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
4015 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
4016 ICMP4_time_exceeded_ttl_exceeded_in_transit,
4018 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
4022 proto0 = ip_proto_to_snat_proto (ip0->protocol);
4024 if (PREDICT_FALSE (proto0 == ~0))
4027 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
4029 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
4030 rx_fib_index0, node, next0, ~0, 0, 0);
4034 key0.addr = ip0->src_address;
4035 key0.protocol = proto0;
4036 key0.port = udp0->src_port;
4037 key0.fib_index = rx_fib_index0;
4039 if (snat_static_mapping_match(sm, key0, &sm0, 0, 0, 0))
4041 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
4042 next0= SNAT_IN2OUT_NEXT_DROP;
4046 new_addr0 = sm0.addr.as_u32;
4047 new_port0 = sm0.port;
4048 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
4049 old_addr0 = ip0->src_address.as_u32;
4050 ip0->src_address.as_u32 = new_addr0;
4052 sum0 = ip0->checksum;
4053 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4055 src_address /* changed member */);
4056 ip0->checksum = ip_csum_fold (sum0);
4058 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
4060 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4062 old_port0 = tcp0->src_port;
4063 tcp0->src_port = new_port0;
4065 sum0 = tcp0->checksum;
4066 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4068 dst_address /* changed member */);
4069 sum0 = ip_csum_update (sum0, old_port0, new_port0,
4070 ip4_header_t /* cheat */,
4071 length /* changed member */);
4072 tcp0->checksum = ip_csum_fold(sum0);
4076 old_port0 = udp0->src_port;
4077 udp0->src_port = new_port0;
4083 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
4085 sum0 = tcp0->checksum;
4086 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
4088 dst_address /* changed member */);
4089 tcp0->checksum = ip_csum_fold(sum0);
4094 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
4097 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
4098 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
4100 snat_in2out_trace_t *t =
4101 vlib_add_trace (vm, node, b0, sizeof (*t));
4102 t->sw_if_index = sw_if_index0;
4103 t->next_index = next0;
4106 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
4108 /* verify speculative enqueue, maybe switch current next frame */
4109 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
4110 to_next, n_left_to_next,
4114 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
4117 vlib_node_increment_counter (vm, stats_node_index,
4118 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
4120 return frame->n_vectors;
4124 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
4125 .function = snat_in2out_fast_static_map_fn,
4126 .name = "nat44-in2out-fast",
4127 .vector_size = sizeof (u32),
4128 .format_trace = format_snat_in2out_fast_trace,
4129 .type = VLIB_NODE_TYPE_INTERNAL,
4131 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
4132 .error_strings = snat_in2out_error_strings,
4134 .runtime_data_bytes = sizeof (snat_runtime_t),
4136 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
4138 /* edit / add dispositions here */
4140 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
4141 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
4142 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
4143 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
4144 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
4148 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob