2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
25 #include <nat/nat_ipfix_logging.h>
26 #include <nat/nat_det.h>
27 #include <nat/nat_reass.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
38 } snat_in2out_trace_t;
41 u32 next_worker_index;
43 } snat_in2out_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
53 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
55 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
56 t->sw_if_index, t->next_index, t->session_index);
61 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
63 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
64 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
65 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
67 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
68 t->sw_if_index, t->next_index);
73 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
75 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
76 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
77 snat_in2out_worker_handoff_trace_t * t =
78 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
81 m = t->do_handoff ? "next worker" : "same worker";
82 s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
91 } nat44_in2out_reass_trace_t;
93 static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args)
95 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
96 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
97 nat44_in2out_reass_trace_t * t = va_arg (*args, nat44_in2out_reass_trace_t *);
99 s = format (s, "NAT44_IN2OUT_REASS: sw_if_index %d, next index %d, status %s",
100 t->sw_if_index, t->next_index,
101 t->cached ? "cached" : "translated");
106 vlib_node_registration_t snat_in2out_node;
107 vlib_node_registration_t snat_in2out_slowpath_node;
108 vlib_node_registration_t snat_in2out_fast_node;
109 vlib_node_registration_t snat_in2out_worker_handoff_node;
110 vlib_node_registration_t snat_det_in2out_node;
111 vlib_node_registration_t snat_in2out_output_node;
112 vlib_node_registration_t snat_in2out_output_slowpath_node;
113 vlib_node_registration_t snat_in2out_output_worker_handoff_node;
114 vlib_node_registration_t snat_hairpin_dst_node;
115 vlib_node_registration_t snat_hairpin_src_node;
116 vlib_node_registration_t nat44_hairpinning_node;
117 vlib_node_registration_t nat44_in2out_reass_node;
120 #define foreach_snat_in2out_error \
121 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
122 _(IN2OUT_PACKETS, "Good in2out packets processed") \
123 _(OUT_OF_PORTS, "Out of ports") \
124 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
125 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
126 _(NO_TRANSLATION, "No translation") \
127 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
128 _(DROP_FRAGMENT, "Drop fragment") \
129 _(MAX_REASS, "Maximum reassemblies exceeded") \
130 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
133 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
134 foreach_snat_in2out_error
137 } snat_in2out_error_t;
139 static char * snat_in2out_error_strings[] = {
140 #define _(sym,string) string,
141 foreach_snat_in2out_error
146 SNAT_IN2OUT_NEXT_LOOKUP,
147 SNAT_IN2OUT_NEXT_DROP,
148 SNAT_IN2OUT_NEXT_ICMP_ERROR,
149 SNAT_IN2OUT_NEXT_SLOW_PATH,
150 SNAT_IN2OUT_NEXT_REASS,
152 } snat_in2out_next_t;
155 SNAT_HAIRPIN_SRC_NEXT_DROP,
156 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT,
157 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH,
158 SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT,
159 SNAT_HAIRPIN_SRC_N_NEXT,
160 } snat_hairpin_next_t;
163 * @brief Check if packet should be translated
165 * Packets aimed at outside interface and external addresss with active session
166 * should be translated.
169 * @param rt NAT runtime data
170 * @param sw_if_index0 index of the inside interface
171 * @param ip0 IPv4 header
172 * @param proto0 NAT protocol
173 * @param rx_fib_index0 RX FIB index
175 * @returns 0 if packet should be translated otherwise 1
178 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
179 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
182 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
184 .fp_proto = FIB_PROTOCOL_IP4,
187 .ip4.as_u32 = ip0->dst_address.as_u32,
191 /* Don't NAT packet aimed at the intfc address */
192 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
193 ip0->dst_address.as_u32)))
196 fei = fib_table_lookup (rx_fib_index0, &pfx);
197 if (FIB_NODE_INDEX_INVALID != fei)
199 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
200 if (sw_if_index == ~0)
202 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
203 if (FIB_NODE_INDEX_INVALID != fei)
204 sw_if_index = fib_entry_get_resolving_interface (fei);
207 pool_foreach (i, sm->interfaces,
209 /* NAT packet aimed at outside interface */
210 if ((nat_interface_is_outside(i)) && (sw_if_index == i->sw_if_index))
219 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
220 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
221 u32 rx_fib_index0, u32 thread_index)
223 udp_header_t * udp0 = ip4_next_header (ip0);
224 snat_session_key_t key0, sm0;
225 clib_bihash_kv_8_8_t kv0, value0;
227 key0.addr = ip0->dst_address;
228 key0.port = udp0->dst_port;
229 key0.protocol = proto0;
230 key0.fib_index = sm->outside_fib_index;
231 kv0.key = key0.as_u64;
233 /* NAT packet aimed at external address if */
234 /* has active sessions */
235 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
238 /* or is static mappings */
239 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
245 if (sm->forwarding_enabled)
248 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
252 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
255 snat_session_key_t * key0,
256 snat_session_t ** sessionp,
257 vlib_node_runtime_t * node,
263 clib_bihash_kv_8_8_t kv0;
264 snat_session_key_t key1;
265 u32 address_index = ~0;
266 u32 outside_fib_index;
268 udp_header_t * udp0 = ip4_next_header (ip0);
270 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
272 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
273 return SNAT_IN2OUT_NEXT_DROP;
276 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
279 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
280 return SNAT_IN2OUT_NEXT_DROP;
282 outside_fib_index = p[0];
284 key1.protocol = key0->protocol;
286 u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0,
290 clib_warning ("create NAT user failed");
291 return SNAT_IN2OUT_NEXT_DROP;
294 s = nat_session_alloc_or_recycle (sm, u, thread_index);
297 clib_warning ("create NAT session failed");
298 return SNAT_IN2OUT_NEXT_DROP;
301 /* First try to match static mapping by local address and port */
302 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0))
304 /* Try to create dynamic translation */
305 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
309 sm->per_thread_data[thread_index].snat_thread_index))
311 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
312 return SNAT_IN2OUT_NEXT_DROP;
318 u->nstaticsessions++;
319 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
322 s->outside_address_index = address_index;
325 s->out2in.protocol = key0->protocol;
326 s->out2in.fib_index = outside_fib_index;
327 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
328 s->ext_host_port = udp0->dst_port;
331 /* Add to translation hashes */
332 kv0.key = s->in2out.as_u64;
333 kv0.value = s - sm->per_thread_data[thread_index].sessions;
334 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
336 clib_warning ("in2out key add failed");
338 kv0.key = s->out2in.as_u64;
339 kv0.value = s - sm->per_thread_data[thread_index].sessions;
341 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
343 clib_warning ("out2in key add failed");
346 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
347 s->out2in.addr.as_u32,
351 s->in2out.fib_index);
356 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
357 snat_session_key_t *p_key0)
359 icmp46_header_t *icmp0;
360 snat_session_key_t key0;
361 icmp_echo_header_t *echo0, *inner_echo0 = 0;
362 ip4_header_t *inner_ip0 = 0;
364 icmp46_header_t *inner_icmp0;
366 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
367 echo0 = (icmp_echo_header_t *)(icmp0+1);
369 if (!icmp_is_error_message (icmp0))
371 key0.protocol = SNAT_PROTOCOL_ICMP;
372 key0.addr = ip0->src_address;
373 key0.port = echo0->identifier;
377 inner_ip0 = (ip4_header_t *)(echo0+1);
378 l4_header = ip4_next_header (inner_ip0);
379 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
380 key0.addr = inner_ip0->dst_address;
381 switch (key0.protocol)
383 case SNAT_PROTOCOL_ICMP:
384 inner_icmp0 = (icmp46_header_t*)l4_header;
385 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
386 key0.port = inner_echo0->identifier;
388 case SNAT_PROTOCOL_UDP:
389 case SNAT_PROTOCOL_TCP:
390 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
393 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
397 return -1; /* success */
401 * Get address and port values to be used for ICMP packet translation
402 * and create session if needed
404 * @param[in,out] sm NAT main
405 * @param[in,out] node NAT node runtime
406 * @param[in] thread_index thread index
407 * @param[in,out] b0 buffer containing packet to be translated
408 * @param[out] p_proto protocol used for matching
409 * @param[out] p_value address and port after NAT translation
410 * @param[out] p_dont_translate if packet should not be translated
411 * @param d optional parameter
412 * @param e optional parameter
414 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
415 u32 thread_index, vlib_buffer_t *b0,
416 ip4_header_t *ip0, u8 *p_proto,
417 snat_session_key_t *p_value,
418 u8 *p_dont_translate, void *d, void *e)
420 icmp46_header_t *icmp0;
423 snat_session_key_t key0;
424 snat_session_t *s0 = 0;
425 u8 dont_translate = 0;
426 clib_bihash_kv_8_8_t kv0, value0;
430 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
431 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
432 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
434 err = icmp_get_key (ip0, &key0);
437 b0->error = node->errors[err];
438 next0 = SNAT_IN2OUT_NEXT_DROP;
441 key0.fib_index = rx_fib_index0;
443 kv0.key = key0.as_u64;
445 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
448 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, ip0,
449 IP_PROTOCOL_ICMP, rx_fib_index0, thread_index) &&
450 vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0))
456 if (PREDICT_FALSE(icmp_is_error_message (icmp0)))
458 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
459 next0 = SNAT_IN2OUT_NEXT_DROP;
463 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
464 &s0, node, next0, thread_index);
466 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
471 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
472 icmp0->type != ICMP4_echo_reply &&
473 !icmp_is_error_message (icmp0)))
475 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
476 next0 = SNAT_IN2OUT_NEXT_DROP;
480 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
485 *p_proto = key0.protocol;
487 *p_value = s0->out2in;
488 *p_dont_translate = dont_translate;
490 *(snat_session_t**)d = s0;
495 * Get address and port values to be used for ICMP packet translation
497 * @param[in] sm NAT main
498 * @param[in,out] node NAT node runtime
499 * @param[in] thread_index thread index
500 * @param[in,out] b0 buffer containing packet to be translated
501 * @param[out] p_proto protocol used for matching
502 * @param[out] p_value address and port after NAT translation
503 * @param[out] p_dont_translate if packet should not be translated
504 * @param d optional parameter
505 * @param e optional parameter
507 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
508 u32 thread_index, vlib_buffer_t *b0,
509 ip4_header_t *ip0, u8 *p_proto,
510 snat_session_key_t *p_value,
511 u8 *p_dont_translate, void *d, void *e)
513 icmp46_header_t *icmp0;
516 snat_session_key_t key0;
517 snat_session_key_t sm0;
518 u8 dont_translate = 0;
523 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
524 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
525 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
527 err = icmp_get_key (ip0, &key0);
530 b0->error = node->errors[err];
531 next0 = SNAT_IN2OUT_NEXT_DROP;
534 key0.fib_index = rx_fib_index0;
536 if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only, 0))
538 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
539 IP_PROTOCOL_ICMP, rx_fib_index0)))
545 if (icmp_is_error_message (icmp0))
547 next0 = SNAT_IN2OUT_NEXT_DROP;
551 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
552 next0 = SNAT_IN2OUT_NEXT_DROP;
556 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
557 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
558 !icmp_is_error_message (icmp0)))
560 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
561 next0 = SNAT_IN2OUT_NEXT_DROP;
568 *p_proto = key0.protocol;
569 *p_dont_translate = dont_translate;
573 static inline u32 icmp_in2out (snat_main_t *sm,
576 icmp46_header_t * icmp0,
579 vlib_node_runtime_t * node,
585 snat_session_key_t sm0;
587 icmp_echo_header_t *echo0, *inner_echo0 = 0;
588 ip4_header_t *inner_ip0;
590 icmp46_header_t *inner_icmp0;
592 u32 new_addr0, old_addr0;
593 u16 old_id0, new_id0;
598 echo0 = (icmp_echo_header_t *)(icmp0+1);
600 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0, ip0,
601 &protocol, &sm0, &dont_translate, d, e);
604 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
607 sum0 = ip_incremental_checksum (0, icmp0,
608 ntohs(ip0->length) - ip4_header_bytes (ip0));
609 checksum0 = ~ip_csum_fold (sum0);
610 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
612 next0 = SNAT_IN2OUT_NEXT_DROP;
616 old_addr0 = ip0->src_address.as_u32;
617 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
618 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
619 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
621 sum0 = ip0->checksum;
622 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
623 src_address /* changed member */);
624 ip0->checksum = ip_csum_fold (sum0);
626 if (!icmp_is_error_message (icmp0))
629 if (PREDICT_FALSE(new_id0 != echo0->identifier))
631 old_id0 = echo0->identifier;
633 echo0->identifier = new_id0;
635 sum0 = icmp0->checksum;
636 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
638 icmp0->checksum = ip_csum_fold (sum0);
643 inner_ip0 = (ip4_header_t *)(echo0+1);
644 l4_header = ip4_next_header (inner_ip0);
646 if (!ip4_header_checksum_is_valid (inner_ip0))
648 next0 = SNAT_IN2OUT_NEXT_DROP;
652 old_addr0 = inner_ip0->dst_address.as_u32;
653 inner_ip0->dst_address = sm0.addr;
654 new_addr0 = inner_ip0->dst_address.as_u32;
656 sum0 = icmp0->checksum;
657 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
658 dst_address /* changed member */);
659 icmp0->checksum = ip_csum_fold (sum0);
663 case SNAT_PROTOCOL_ICMP:
664 inner_icmp0 = (icmp46_header_t*)l4_header;
665 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
667 old_id0 = inner_echo0->identifier;
669 inner_echo0->identifier = new_id0;
671 sum0 = icmp0->checksum;
672 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
674 icmp0->checksum = ip_csum_fold (sum0);
676 case SNAT_PROTOCOL_UDP:
677 case SNAT_PROTOCOL_TCP:
678 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
680 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
682 sum0 = icmp0->checksum;
683 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
685 icmp0->checksum = ip_csum_fold (sum0);
699 * Hairpinning allows two endpoints on the internal side of the NAT to
700 * communicate even if they only use each other's external IP addresses
703 * @param sm NAT main.
704 * @param b0 Vlib buffer.
705 * @param ip0 IP header.
706 * @param udp0 UDP header.
707 * @param tcp0 TCP header.
708 * @param proto0 NAT protocol.
711 snat_hairpinning (snat_main_t *sm,
718 snat_session_key_t key0, sm0;
720 clib_bihash_kv_8_8_t kv0, value0;
722 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
723 u16 new_dst_port0, old_dst_port0;
725 key0.addr = ip0->dst_address;
726 key0.port = udp0->dst_port;
727 key0.protocol = proto0;
728 key0.fib_index = sm->outside_fib_index;
729 kv0.key = key0.as_u64;
731 /* Check if destination is static mappings */
732 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
734 new_dst_addr0 = sm0.addr.as_u32;
735 new_dst_port0 = sm0.port;
736 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
738 /* or active session */
741 if (sm->num_workers > 1)
742 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
744 ti = sm->num_workers;
746 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
750 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
751 new_dst_addr0 = s0->in2out.addr.as_u32;
752 new_dst_port0 = s0->in2out.port;
753 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
757 /* Destination is behind the same NAT, use internal address and port */
760 old_dst_addr0 = ip0->dst_address.as_u32;
761 ip0->dst_address.as_u32 = new_dst_addr0;
762 sum0 = ip0->checksum;
763 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
764 ip4_header_t, dst_address);
765 ip0->checksum = ip_csum_fold (sum0);
767 old_dst_port0 = tcp0->dst;
768 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
770 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
772 tcp0->dst = new_dst_port0;
773 sum0 = tcp0->checksum;
774 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
775 ip4_header_t, dst_address);
776 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
777 ip4_header_t /* cheat */, length);
778 tcp0->checksum = ip_csum_fold(sum0);
782 udp0->dst_port = new_dst_port0;
788 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
790 sum0 = tcp0->checksum;
791 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
792 ip4_header_t, dst_address);
793 tcp0->checksum = ip_csum_fold(sum0);
802 snat_icmp_hairpinning (snat_main_t *sm,
805 icmp46_header_t * icmp0)
807 snat_session_key_t key0, sm0;
808 clib_bihash_kv_8_8_t kv0, value0;
809 u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0;
813 if (!icmp_is_error_message (icmp0))
815 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
816 u16 icmp_id0 = echo0->identifier;
817 key0.addr = ip0->dst_address;
818 key0.port = icmp_id0;
819 key0.protocol = SNAT_PROTOCOL_ICMP;
820 key0.fib_index = sm->outside_fib_index;
821 kv0.key = key0.as_u64;
823 if (sm->num_workers > 1)
824 ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread;
826 ti = sm->num_workers;
828 /* Check if destination is in active sessions */
829 if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
832 /* or static mappings */
833 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
835 new_dst_addr0 = sm0.addr.as_u32;
836 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
843 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
844 new_dst_addr0 = s0->in2out.addr.as_u32;
845 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
846 echo0->identifier = s0->in2out.port;
847 sum0 = icmp0->checksum;
848 sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port,
849 icmp_echo_header_t, identifier);
850 icmp0->checksum = ip_csum_fold (sum0);
853 /* Destination is behind the same NAT, use internal address and port */
856 old_dst_addr0 = ip0->dst_address.as_u32;
857 ip0->dst_address.as_u32 = new_dst_addr0;
858 sum0 = ip0->checksum;
859 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
860 ip4_header_t, dst_address);
861 ip0->checksum = ip_csum_fold (sum0);
867 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
870 icmp46_header_t * icmp0,
873 vlib_node_runtime_t * node,
877 snat_session_t ** p_s0)
879 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
880 next0, thread_index, p_s0, 0);
881 snat_session_t * s0 = *p_s0;
882 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
885 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == 0)
886 snat_icmp_hairpinning(sm, b0, ip0, icmp0);
888 s0->last_heard = now;
890 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
891 /* Per-user LRU list maintenance */
892 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
894 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
895 s0->per_user_list_head_index,
901 snat_hairpinning_unknown_proto (snat_main_t *sm,
905 u32 old_addr, new_addr = 0, ti = 0;
906 clib_bihash_kv_8_8_t kv, value;
907 clib_bihash_kv_16_8_t s_kv, s_value;
908 nat_ed_ses_key_t key;
909 snat_session_key_t m_key;
910 snat_static_mapping_t *m;
914 old_addr = ip->dst_address.as_u32;
915 key.l_addr.as_u32 = ip->dst_address.as_u32;
916 key.r_addr.as_u32 = ip->src_address.as_u32;
917 key.fib_index = sm->outside_fib_index;
918 key.proto = ip->protocol;
921 s_kv.key[0] = key.as_u64[0];
922 s_kv.key[1] = key.as_u64[1];
923 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
925 m_key.addr = ip->dst_address;
926 m_key.fib_index = sm->outside_fib_index;
929 kv.key = m_key.as_u64;
930 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
933 m = pool_elt_at_index (sm->static_mappings, value.value);
934 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
935 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
936 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
940 if (sm->num_workers > 1)
941 ti = sm->worker_out2in_cb (ip, sm->outside_fib_index);
943 ti = sm->num_workers;
945 s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value);
946 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
947 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
948 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
951 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
952 ip->checksum = ip_csum_fold (sum);
955 static snat_session_t *
956 snat_in2out_unknown_proto (snat_main_t *sm,
963 vlib_node_runtime_t * node)
965 clib_bihash_kv_8_8_t kv, value;
966 clib_bihash_kv_16_8_t s_kv, s_value;
967 snat_static_mapping_t *m;
968 snat_session_key_t m_key;
969 u32 old_addr, new_addr = 0;
972 dlist_elt_t *head, *elt;
973 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
974 u32 elt_index, head_index, ses_index;
976 nat_ed_ses_key_t key;
977 u32 address_index = ~0;
981 old_addr = ip->src_address.as_u32;
983 key.l_addr = ip->src_address;
984 key.r_addr = ip->dst_address;
985 key.fib_index = rx_fib_index;
986 key.proto = ip->protocol;
989 s_kv.key[0] = key.as_u64[0];
990 s_kv.key[1] = key.as_u64[1];
992 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
994 s = pool_elt_at_index (tsm->sessions, s_value.value);
995 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
999 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1001 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1005 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1009 clib_warning ("create NAT user failed");
1013 m_key.addr = ip->src_address;
1016 m_key.fib_index = rx_fib_index;
1017 kv.key = m_key.as_u64;
1019 /* Try to find static mapping first */
1020 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
1022 m = pool_elt_at_index (sm->static_mappings, value.value);
1023 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
1027 /* Fallback to 3-tuple key */
1030 /* Choose same out address as for TCP/UDP session to same destination */
1031 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1033 head_index = u->sessions_per_user_list_head_index;
1034 head = pool_elt_at_index (tsm->list_pool, head_index);
1035 elt_index = head->next;
1036 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1037 ses_index = elt->value;
1038 while (ses_index != ~0)
1040 s = pool_elt_at_index (tsm->sessions, ses_index);
1041 elt_index = elt->next;
1042 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1043 ses_index = elt->value;
1045 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
1047 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1048 address_index = s->outside_address_index;
1050 key.fib_index = sm->outside_fib_index;
1051 key.l_addr.as_u32 = new_addr;
1052 s_kv.key[0] = key.as_u64[0];
1053 s_kv.key[1] = key.as_u64[1];
1054 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1061 key.fib_index = sm->outside_fib_index;
1062 for (i = 0; i < vec_len (sm->addresses); i++)
1064 key.l_addr.as_u32 = sm->addresses[i].addr.as_u32;
1065 s_kv.key[0] = key.as_u64[0];
1066 s_kv.key[1] = key.as_u64[1];
1067 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1069 new_addr = ip->src_address.as_u32 = key.l_addr.as_u32;
1078 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1081 clib_warning ("create NAT session failed");
1085 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1086 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1087 s->outside_address_index = address_index;
1088 s->out2in.addr.as_u32 = new_addr;
1089 s->out2in.fib_index = sm->outside_fib_index;
1090 s->in2out.addr.as_u32 = old_addr;
1091 s->in2out.fib_index = rx_fib_index;
1092 s->in2out.port = s->out2in.port = ip->protocol;
1095 u->nstaticsessions++;
1096 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1103 /* Add to lookup tables */
1104 key.l_addr.as_u32 = old_addr;
1105 key.r_addr = ip->dst_address;
1106 key.proto = ip->protocol;
1107 key.fib_index = rx_fib_index;
1108 s_kv.key[0] = key.as_u64[0];
1109 s_kv.key[1] = key.as_u64[1];
1110 s_kv.value = s - tsm->sessions;
1111 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1112 clib_warning ("in2out key add failed");
1114 key.l_addr.as_u32 = new_addr;
1115 key.fib_index = sm->outside_fib_index;
1116 s_kv.key[0] = key.as_u64[0];
1117 s_kv.key[1] = key.as_u64[1];
1118 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1119 clib_warning ("out2in key add failed");
1122 /* Update IP checksum */
1124 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1125 ip->checksum = ip_csum_fold (sum);
1128 s->last_heard = now;
1130 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1131 /* Per-user LRU list maintenance */
1132 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1133 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1137 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1138 snat_hairpinning_unknown_proto(sm, b, ip);
1140 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1141 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1146 static snat_session_t *
1147 snat_in2out_lb (snat_main_t *sm,
1154 vlib_node_runtime_t * node)
1156 nat_ed_ses_key_t key;
1157 clib_bihash_kv_16_8_t s_kv, s_value;
1158 udp_header_t *udp = ip4_next_header (ip);
1159 tcp_header_t *tcp = (tcp_header_t *) udp;
1160 snat_session_t *s = 0;
1161 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1162 u32 old_addr, new_addr;
1163 u16 new_port, old_port;
1165 u32 proto = ip_proto_to_snat_proto (ip->protocol);
1166 snat_session_key_t e_key, l_key;
1169 old_addr = ip->src_address.as_u32;
1171 key.l_addr = ip->src_address;
1172 key.r_addr = ip->dst_address;
1173 key.fib_index = rx_fib_index;
1174 key.proto = ip->protocol;
1175 key.r_port = udp->dst_port;
1176 key.l_port = udp->src_port;
1177 s_kv.key[0] = key.as_u64[0];
1178 s_kv.key[1] = key.as_u64[1];
1180 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1182 s = pool_elt_at_index (tsm->sessions, s_value.value);
1186 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
1188 b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED];
1192 l_key.addr = ip->src_address;
1193 l_key.port = udp->src_port;
1194 l_key.protocol = proto;
1195 l_key.fib_index = rx_fib_index;
1196 if (snat_static_mapping_match(sm, l_key, &e_key, 0, 0, 0))
1199 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
1203 clib_warning ("create NAT user failed");
1207 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1210 clib_warning ("create NAT session failed");
1214 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1215 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1216 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1217 s->outside_address_index = ~0;
1220 u->nstaticsessions++;
1222 /* Add to lookup tables */
1223 s_kv.value = s - tsm->sessions;
1224 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1225 clib_warning ("in2out-ed key add failed");
1227 key.l_addr = e_key.addr;
1228 key.fib_index = e_key.fib_index;
1229 key.l_port = e_key.port;
1230 s_kv.key[0] = key.as_u64[0];
1231 s_kv.key[1] = key.as_u64[1];
1232 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1233 clib_warning ("out2in-ed key add failed");
1236 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1238 /* Update IP checksum */
1240 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1241 if (is_twice_nat_session (s))
1242 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1243 s->ext_host_addr.as_u32, ip4_header_t, dst_address);
1244 ip->checksum = ip_csum_fold (sum);
1246 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1248 old_port = tcp->src_port;
1249 tcp->src_port = s->out2in.port;
1250 new_port = tcp->src_port;
1252 sum = tcp->checksum;
1253 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1254 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1255 if (is_twice_nat_session (s))
1257 sum = ip_csum_update (sum, ip->dst_address.as_u32,
1258 s->ext_host_addr.as_u32, ip4_header_t,
1260 sum = ip_csum_update (sum, tcp->dst_port, s->ext_host_port,
1261 ip4_header_t, length);
1262 tcp->dst_port = s->ext_host_port;
1263 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1265 tcp->checksum = ip_csum_fold(sum);
1269 udp->src_port = s->out2in.port;
1270 if (is_twice_nat_session (s))
1272 udp->dst_port = s->ext_host_port;
1273 ip->dst_address.as_u32 = s->ext_host_addr.as_u32;
1278 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1279 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1282 s->last_heard = now;
1284 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1285 /* Per-user LRU list maintenance */
1286 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1287 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1293 snat_in2out_node_fn_inline (vlib_main_t * vm,
1294 vlib_node_runtime_t * node,
1295 vlib_frame_t * frame, int is_slow_path,
1296 int is_output_feature)
1298 u32 n_left_from, * from, * to_next;
1299 snat_in2out_next_t next_index;
1300 u32 pkts_processed = 0;
1301 snat_main_t * sm = &snat_main;
1302 f64 now = vlib_time_now (vm);
1303 u32 stats_node_index;
1304 u32 thread_index = vlib_get_thread_index ();
1306 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
1307 snat_in2out_node.index;
1309 from = vlib_frame_vector_args (frame);
1310 n_left_from = frame->n_vectors;
1311 next_index = node->cached_next_index;
1313 while (n_left_from > 0)
1317 vlib_get_next_frame (vm, node, next_index,
1318 to_next, n_left_to_next);
1320 while (n_left_from >= 4 && n_left_to_next >= 2)
1323 vlib_buffer_t * b0, * b1;
1325 u32 sw_if_index0, sw_if_index1;
1326 ip4_header_t * ip0, * ip1;
1327 ip_csum_t sum0, sum1;
1328 u32 new_addr0, old_addr0, new_addr1, old_addr1;
1329 u16 old_port0, new_port0, old_port1, new_port1;
1330 udp_header_t * udp0, * udp1;
1331 tcp_header_t * tcp0, * tcp1;
1332 icmp46_header_t * icmp0, * icmp1;
1333 snat_session_key_t key0, key1;
1334 u32 rx_fib_index0, rx_fib_index1;
1336 snat_session_t * s0 = 0, * s1 = 0;
1337 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
1338 u32 iph_offset0 = 0, iph_offset1 = 0;
1340 /* Prefetch next iteration. */
1342 vlib_buffer_t * p2, * p3;
1344 p2 = vlib_get_buffer (vm, from[2]);
1345 p3 = vlib_get_buffer (vm, from[3]);
1347 vlib_prefetch_buffer_header (p2, LOAD);
1348 vlib_prefetch_buffer_header (p3, LOAD);
1350 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1351 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1354 /* speculatively enqueue b0 and b1 to the current next frame */
1355 to_next[0] = bi0 = from[0];
1356 to_next[1] = bi1 = from[1];
1360 n_left_to_next -= 2;
1362 b0 = vlib_get_buffer (vm, bi0);
1363 b1 = vlib_get_buffer (vm, bi1);
1365 if (is_output_feature)
1366 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1368 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1371 udp0 = ip4_next_header (ip0);
1372 tcp0 = (tcp_header_t *) udp0;
1373 icmp0 = (icmp46_header_t *) udp0;
1375 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1376 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1379 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1381 if (PREDICT_FALSE(ip0->ttl == 1))
1383 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1384 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1385 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1387 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1391 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1393 /* Next configured feature, probably ip4-lookup */
1396 if (PREDICT_FALSE (proto0 == ~0))
1398 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1399 thread_index, now, vm, node);
1401 next0 = SNAT_IN2OUT_NEXT_DROP;
1405 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1407 next0 = icmp_in2out_slow_path
1408 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1409 node, next0, now, thread_index, &s0);
1415 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1417 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1421 if (ip4_is_fragment (ip0))
1423 next0 = SNAT_IN2OUT_NEXT_REASS;
1428 key0.addr = ip0->src_address;
1429 key0.port = udp0->src_port;
1430 key0.protocol = proto0;
1431 key0.fib_index = rx_fib_index0;
1433 kv0.key = key0.as_u64;
1435 if (PREDICT_FALSE (clib_bihash_search_8_8 (
1436 &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0))
1440 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1441 ip0, proto0, rx_fib_index0, thread_index)) && !is_output_feature)
1444 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1445 &s0, node, next0, thread_index);
1446 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1451 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1457 if (PREDICT_FALSE (value0.value == ~0ULL))
1461 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
1462 thread_index, now, vm, node);
1464 next0 = SNAT_IN2OUT_NEXT_DROP;
1469 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1475 s0 = pool_elt_at_index (
1476 sm->per_thread_data[thread_index].sessions,
1481 b0->flags |= VNET_BUFFER_F_IS_NATED;
1483 old_addr0 = ip0->src_address.as_u32;
1484 ip0->src_address = s0->out2in.addr;
1485 new_addr0 = ip0->src_address.as_u32;
1486 if (!is_output_feature)
1487 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1489 sum0 = ip0->checksum;
1490 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1492 src_address /* changed member */);
1493 ip0->checksum = ip_csum_fold (sum0);
1495 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1497 old_port0 = tcp0->src_port;
1498 tcp0->src_port = s0->out2in.port;
1499 new_port0 = tcp0->src_port;
1501 sum0 = tcp0->checksum;
1502 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1504 dst_address /* changed member */);
1505 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1506 ip4_header_t /* cheat */,
1507 length /* changed member */);
1508 tcp0->checksum = ip_csum_fold(sum0);
1512 old_port0 = udp0->src_port;
1513 udp0->src_port = s0->out2in.port;
1518 s0->last_heard = now;
1520 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1521 /* Per-user LRU list maintenance */
1522 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1523 s0->per_user_index);
1524 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1525 s0->per_user_list_head_index,
1526 s0->per_user_index);
1529 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1530 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1532 snat_in2out_trace_t *t =
1533 vlib_add_trace (vm, node, b0, sizeof (*t));
1534 t->is_slow_path = is_slow_path;
1535 t->sw_if_index = sw_if_index0;
1536 t->next_index = next0;
1537 t->session_index = ~0;
1539 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1542 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1544 if (is_output_feature)
1545 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1547 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1550 udp1 = ip4_next_header (ip1);
1551 tcp1 = (tcp_header_t *) udp1;
1552 icmp1 = (icmp46_header_t *) udp1;
1554 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1555 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1558 if (PREDICT_FALSE(ip1->ttl == 1))
1560 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1561 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1562 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1564 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1568 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1570 /* Next configured feature, probably ip4-lookup */
1573 if (PREDICT_FALSE (proto1 == ~0))
1575 s1 = snat_in2out_unknown_proto (sm, b1, ip1, rx_fib_index1,
1576 thread_index, now, vm, node);
1578 next1 = SNAT_IN2OUT_NEXT_DROP;
1582 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1584 next1 = icmp_in2out_slow_path
1585 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1586 next1, now, thread_index, &s1);
1592 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1594 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1598 if (ip4_is_fragment (ip1))
1600 next1 = SNAT_IN2OUT_NEXT_REASS;
1605 b1->flags |= VNET_BUFFER_F_IS_NATED;
1607 key1.addr = ip1->src_address;
1608 key1.port = udp1->src_port;
1609 key1.protocol = proto1;
1610 key1.fib_index = rx_fib_index1;
1612 kv1.key = key1.as_u64;
1614 if (PREDICT_FALSE(clib_bihash_search_8_8 (
1615 &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0))
1619 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1,
1620 ip1, proto1, rx_fib_index1, thread_index)) && !is_output_feature)
1623 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1624 &s1, node, next1, thread_index);
1625 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1630 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1636 if (PREDICT_FALSE (value1.value == ~0ULL))
1640 s1 = snat_in2out_lb(sm, b1, ip1, rx_fib_index1,
1641 thread_index, now, vm, node);
1643 next1 = SNAT_IN2OUT_NEXT_DROP;
1648 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1654 s1 = pool_elt_at_index (
1655 sm->per_thread_data[thread_index].sessions,
1660 old_addr1 = ip1->src_address.as_u32;
1661 ip1->src_address = s1->out2in.addr;
1662 new_addr1 = ip1->src_address.as_u32;
1663 if (!is_output_feature)
1664 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1666 sum1 = ip1->checksum;
1667 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1669 src_address /* changed member */);
1670 ip1->checksum = ip_csum_fold (sum1);
1672 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1674 old_port1 = tcp1->src_port;
1675 tcp1->src_port = s1->out2in.port;
1676 new_port1 = tcp1->src_port;
1678 sum1 = tcp1->checksum;
1679 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1681 dst_address /* changed member */);
1682 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1683 ip4_header_t /* cheat */,
1684 length /* changed member */);
1685 tcp1->checksum = ip_csum_fold(sum1);
1689 old_port1 = udp1->src_port;
1690 udp1->src_port = s1->out2in.port;
1695 s1->last_heard = now;
1697 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1698 /* Per-user LRU list maintenance */
1699 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1700 s1->per_user_index);
1701 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1702 s1->per_user_list_head_index,
1703 s1->per_user_index);
1706 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1707 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1709 snat_in2out_trace_t *t =
1710 vlib_add_trace (vm, node, b1, sizeof (*t));
1711 t->sw_if_index = sw_if_index1;
1712 t->next_index = next1;
1713 t->session_index = ~0;
1715 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1718 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1720 /* verify speculative enqueues, maybe switch current next frame */
1721 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1722 to_next, n_left_to_next,
1723 bi0, bi1, next0, next1);
1726 while (n_left_from > 0 && n_left_to_next > 0)
1734 u32 new_addr0, old_addr0;
1735 u16 old_port0, new_port0;
1736 udp_header_t * udp0;
1737 tcp_header_t * tcp0;
1738 icmp46_header_t * icmp0;
1739 snat_session_key_t key0;
1742 snat_session_t * s0 = 0;
1743 clib_bihash_kv_8_8_t kv0, value0;
1744 u32 iph_offset0 = 0;
1746 /* speculatively enqueue b0 to the current next frame */
1752 n_left_to_next -= 1;
1754 b0 = vlib_get_buffer (vm, bi0);
1755 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1757 if (is_output_feature)
1758 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1760 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1763 udp0 = ip4_next_header (ip0);
1764 tcp0 = (tcp_header_t *) udp0;
1765 icmp0 = (icmp46_header_t *) udp0;
1767 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1768 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1771 if (PREDICT_FALSE(ip0->ttl == 1))
1773 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1774 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1775 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1777 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1781 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1783 /* Next configured feature, probably ip4-lookup */
1786 if (PREDICT_FALSE (proto0 == ~0))
1788 s0 = snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1789 thread_index, now, vm, node);
1791 next0 = SNAT_IN2OUT_NEXT_DROP;
1795 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1797 next0 = icmp_in2out_slow_path
1798 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1799 next0, now, thread_index, &s0);
1805 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1807 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1811 if (ip4_is_fragment (ip0))
1813 next0 = SNAT_IN2OUT_NEXT_REASS;
1818 key0.addr = ip0->src_address;
1819 key0.port = udp0->src_port;
1820 key0.protocol = proto0;
1821 key0.fib_index = rx_fib_index0;
1823 kv0.key = key0.as_u64;
1825 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out,
1830 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1831 ip0, proto0, rx_fib_index0, thread_index)) && !is_output_feature)
1834 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1835 &s0, node, next0, thread_index);
1837 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1842 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1848 if (PREDICT_FALSE (value0.value == ~0ULL))
1852 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0,
1853 thread_index, now, vm, node);
1855 next0 = SNAT_IN2OUT_NEXT_DROP;
1860 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1866 s0 = pool_elt_at_index (
1867 sm->per_thread_data[thread_index].sessions,
1872 b0->flags |= VNET_BUFFER_F_IS_NATED;
1874 old_addr0 = ip0->src_address.as_u32;
1875 ip0->src_address = s0->out2in.addr;
1876 new_addr0 = ip0->src_address.as_u32;
1877 if (!is_output_feature)
1878 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1880 sum0 = ip0->checksum;
1881 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1883 src_address /* changed member */);
1884 ip0->checksum = ip_csum_fold (sum0);
1886 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1888 old_port0 = tcp0->src_port;
1889 tcp0->src_port = s0->out2in.port;
1890 new_port0 = tcp0->src_port;
1892 sum0 = tcp0->checksum;
1893 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1895 dst_address /* changed member */);
1896 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1897 ip4_header_t /* cheat */,
1898 length /* changed member */);
1899 tcp0->checksum = ip_csum_fold(sum0);
1903 old_port0 = udp0->src_port;
1904 udp0->src_port = s0->out2in.port;
1909 s0->last_heard = now;
1911 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1912 /* Per-user LRU list maintenance */
1913 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1914 s0->per_user_index);
1915 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1916 s0->per_user_list_head_index,
1917 s0->per_user_index);
1920 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1921 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1923 snat_in2out_trace_t *t =
1924 vlib_add_trace (vm, node, b0, sizeof (*t));
1925 t->is_slow_path = is_slow_path;
1926 t->sw_if_index = sw_if_index0;
1927 t->next_index = next0;
1928 t->session_index = ~0;
1930 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1933 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1935 /* verify speculative enqueue, maybe switch current next frame */
1936 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1937 to_next, n_left_to_next,
1941 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1944 vlib_node_increment_counter (vm, stats_node_index,
1945 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1947 return frame->n_vectors;
1951 snat_in2out_fast_path_fn (vlib_main_t * vm,
1952 vlib_node_runtime_t * node,
1953 vlib_frame_t * frame)
1955 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0);
1958 VLIB_REGISTER_NODE (snat_in2out_node) = {
1959 .function = snat_in2out_fast_path_fn,
1960 .name = "nat44-in2out",
1961 .vector_size = sizeof (u32),
1962 .format_trace = format_snat_in2out_trace,
1963 .type = VLIB_NODE_TYPE_INTERNAL,
1965 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1966 .error_strings = snat_in2out_error_strings,
1968 .runtime_data_bytes = sizeof (snat_runtime_t),
1970 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1972 /* edit / add dispositions here */
1974 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1975 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1976 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
1977 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1978 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
1982 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
1985 snat_in2out_output_fast_path_fn (vlib_main_t * vm,
1986 vlib_node_runtime_t * node,
1987 vlib_frame_t * frame)
1989 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1);
1992 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
1993 .function = snat_in2out_output_fast_path_fn,
1994 .name = "nat44-in2out-output",
1995 .vector_size = sizeof (u32),
1996 .format_trace = format_snat_in2out_trace,
1997 .type = VLIB_NODE_TYPE_INTERNAL,
1999 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2000 .error_strings = snat_in2out_error_strings,
2002 .runtime_data_bytes = sizeof (snat_runtime_t),
2004 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2006 /* edit / add dispositions here */
2008 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2009 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2010 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2011 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2012 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2016 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node,
2017 snat_in2out_output_fast_path_fn);
2020 snat_in2out_slow_path_fn (vlib_main_t * vm,
2021 vlib_node_runtime_t * node,
2022 vlib_frame_t * frame)
2024 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0);
2027 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
2028 .function = snat_in2out_slow_path_fn,
2029 .name = "nat44-in2out-slowpath",
2030 .vector_size = sizeof (u32),
2031 .format_trace = format_snat_in2out_trace,
2032 .type = VLIB_NODE_TYPE_INTERNAL,
2034 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2035 .error_strings = snat_in2out_error_strings,
2037 .runtime_data_bytes = sizeof (snat_runtime_t),
2039 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2041 /* edit / add dispositions here */
2043 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2044 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2045 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2046 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2047 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2051 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node,
2052 snat_in2out_slow_path_fn);
2055 snat_in2out_output_slow_path_fn (vlib_main_t * vm,
2056 vlib_node_runtime_t * node,
2057 vlib_frame_t * frame)
2059 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1);
2062 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
2063 .function = snat_in2out_output_slow_path_fn,
2064 .name = "nat44-in2out-output-slowpath",
2065 .vector_size = sizeof (u32),
2066 .format_trace = format_snat_in2out_trace,
2067 .type = VLIB_NODE_TYPE_INTERNAL,
2069 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2070 .error_strings = snat_in2out_error_strings,
2072 .runtime_data_bytes = sizeof (snat_runtime_t),
2074 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2076 /* edit / add dispositions here */
2078 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2079 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2080 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2081 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2082 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2086 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node,
2087 snat_in2out_output_slow_path_fn);
2089 extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local;
2092 nat44_hairpinning_fn (vlib_main_t * vm,
2093 vlib_node_runtime_t * node,
2094 vlib_frame_t * frame)
2096 u32 n_left_from, * from, * to_next;
2097 snat_in2out_next_t next_index;
2098 u32 pkts_processed = 0;
2099 snat_main_t * sm = &snat_main;
2100 vnet_feature_main_t *fm = &feature_main;
2101 u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index;
2102 vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index];
2104 from = vlib_frame_vector_args (frame);
2105 n_left_from = frame->n_vectors;
2106 next_index = node->cached_next_index;
2108 while (n_left_from > 0)
2112 vlib_get_next_frame (vm, node, next_index,
2113 to_next, n_left_to_next);
2115 while (n_left_from > 0 && n_left_to_next > 0)
2122 udp_header_t * udp0;
2123 tcp_header_t * tcp0;
2125 /* speculatively enqueue b0 to the current next frame */
2131 n_left_to_next -= 1;
2133 b0 = vlib_get_buffer (vm, bi0);
2134 ip0 = vlib_buffer_get_current (b0);
2135 udp0 = ip4_next_header (ip0);
2136 tcp0 = (tcp_header_t *) udp0;
2138 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2140 vnet_get_config_data (&cm->config_main, &b0->current_config_index,
2143 if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0))
2144 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2146 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2148 /* verify speculative enqueue, maybe switch current next frame */
2149 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2150 to_next, n_left_to_next,
2154 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2157 vlib_node_increment_counter (vm, nat44_hairpinning_node.index,
2158 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2160 return frame->n_vectors;
2163 VLIB_REGISTER_NODE (nat44_hairpinning_node) = {
2164 .function = nat44_hairpinning_fn,
2165 .name = "nat44-hairpinning",
2166 .vector_size = sizeof (u32),
2167 .type = VLIB_NODE_TYPE_INTERNAL,
2168 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2169 .error_strings = snat_in2out_error_strings,
2172 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2173 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2177 VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node,
2178 nat44_hairpinning_fn);
2181 nat44_reass_hairpinning (snat_main_t *sm,
2188 snat_session_key_t key0, sm0;
2189 snat_session_t * s0;
2190 clib_bihash_kv_8_8_t kv0, value0;
2192 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
2193 u16 new_dst_port0, old_dst_port0;
2194 udp_header_t * udp0;
2195 tcp_header_t * tcp0;
2197 key0.addr = ip0->dst_address;
2199 key0.protocol = proto0;
2200 key0.fib_index = sm->outside_fib_index;
2201 kv0.key = key0.as_u64;
2203 udp0 = ip4_next_header (ip0);
2205 /* Check if destination is static mappings */
2206 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
2208 new_dst_addr0 = sm0.addr.as_u32;
2209 new_dst_port0 = sm0.port;
2210 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2212 /* or active sessions */
2215 if (sm->num_workers > 1)
2216 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
2218 ti = sm->num_workers;
2220 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
2223 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
2224 new_dst_addr0 = s0->in2out.addr.as_u32;
2225 new_dst_port0 = s0->in2out.port;
2226 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2230 /* Destination is behind the same NAT, use internal address and port */
2233 old_dst_addr0 = ip0->dst_address.as_u32;
2234 ip0->dst_address.as_u32 = new_dst_addr0;
2235 sum0 = ip0->checksum;
2236 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2237 ip4_header_t, dst_address);
2238 ip0->checksum = ip_csum_fold (sum0);
2240 old_dst_port0 = dport;
2241 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0 &&
2242 ip4_is_first_fragment (ip0)))
2244 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2246 tcp0 = ip4_next_header (ip0);
2247 tcp0->dst = new_dst_port0;
2248 sum0 = tcp0->checksum;
2249 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2250 ip4_header_t, dst_address);
2251 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
2252 ip4_header_t /* cheat */, length);
2253 tcp0->checksum = ip_csum_fold(sum0);
2257 udp0->dst_port = new_dst_port0;
2263 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2265 tcp0 = ip4_next_header (ip0);
2266 sum0 = tcp0->checksum;
2267 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
2268 ip4_header_t, dst_address);
2269 tcp0->checksum = ip_csum_fold(sum0);
2276 nat44_in2out_reass_node_fn (vlib_main_t * vm,
2277 vlib_node_runtime_t * node,
2278 vlib_frame_t * frame)
2280 u32 n_left_from, *from, *to_next;
2281 snat_in2out_next_t next_index;
2282 u32 pkts_processed = 0;
2283 snat_main_t *sm = &snat_main;
2284 f64 now = vlib_time_now (vm);
2285 u32 thread_index = vlib_get_thread_index ();
2286 snat_main_per_thread_data_t *per_thread_data =
2287 &sm->per_thread_data[thread_index];
2288 u32 *fragments_to_drop = 0;
2289 u32 *fragments_to_loopback = 0;
2291 from = vlib_frame_vector_args (frame);
2292 n_left_from = frame->n_vectors;
2293 next_index = node->cached_next_index;
2295 while (n_left_from > 0)
2299 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2301 while (n_left_from > 0 && n_left_to_next > 0)
2303 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
2308 nat_reass_ip4_t *reass0;
2309 udp_header_t * udp0;
2310 tcp_header_t * tcp0;
2311 snat_session_key_t key0;
2312 clib_bihash_kv_8_8_t kv0, value0;
2313 snat_session_t * s0 = 0;
2314 u16 old_port0, new_port0;
2317 /* speculatively enqueue b0 to the current next frame */
2323 n_left_to_next -= 1;
2325 b0 = vlib_get_buffer (vm, bi0);
2326 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2328 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2329 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2332 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
2334 next0 = SNAT_IN2OUT_NEXT_DROP;
2335 b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
2339 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
2340 udp0 = ip4_next_header (ip0);
2341 tcp0 = (tcp_header_t *) udp0;
2342 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2344 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
2349 &fragments_to_drop);
2351 if (PREDICT_FALSE (!reass0))
2353 next0 = SNAT_IN2OUT_NEXT_DROP;
2354 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
2358 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2360 key0.addr = ip0->src_address;
2361 key0.port = udp0->src_port;
2362 key0.protocol = proto0;
2363 key0.fib_index = rx_fib_index0;
2364 kv0.key = key0.as_u64;
2366 if (clib_bihash_search_8_8 (&per_thread_data->in2out, &kv0, &value0))
2368 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2369 ip0, proto0, rx_fib_index0, thread_index)))
2372 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2373 &s0, node, next0, thread_index);
2375 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2378 reass0->sess_index = s0 - per_thread_data->sessions;
2382 s0 = pool_elt_at_index (per_thread_data->sessions,
2384 reass0->sess_index = value0.value;
2386 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
2390 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
2392 if (nat_ip4_reass_add_fragment (reass0, bi0))
2394 b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
2395 next0 = SNAT_IN2OUT_NEXT_DROP;
2401 s0 = pool_elt_at_index (per_thread_data->sessions,
2402 reass0->sess_index);
2405 old_addr0 = ip0->src_address.as_u32;
2406 ip0->src_address = s0->out2in.addr;
2407 new_addr0 = ip0->src_address.as_u32;
2408 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2410 sum0 = ip0->checksum;
2411 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2413 src_address /* changed member */);
2414 ip0->checksum = ip_csum_fold (sum0);
2416 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
2418 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2420 old_port0 = tcp0->src_port;
2421 tcp0->src_port = s0->out2in.port;
2422 new_port0 = tcp0->src_port;
2424 sum0 = tcp0->checksum;
2425 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2427 dst_address /* changed member */);
2428 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2429 ip4_header_t /* cheat */,
2430 length /* changed member */);
2431 tcp0->checksum = ip_csum_fold(sum0);
2435 old_port0 = udp0->src_port;
2436 udp0->src_port = s0->out2in.port;
2442 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
2443 s0->ext_host_port, proto0);
2446 s0->last_heard = now;
2448 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2449 /* Per-user LRU list maintenance */
2450 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2451 s0->per_user_index);
2452 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2453 s0->per_user_list_head_index,
2454 s0->per_user_index);
2457 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2458 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2460 nat44_in2out_reass_trace_t *t =
2461 vlib_add_trace (vm, node, b0, sizeof (*t));
2462 t->cached = cached0;
2463 t->sw_if_index = sw_if_index0;
2464 t->next_index = next0;
2474 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2476 /* verify speculative enqueue, maybe switch current next frame */
2477 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2478 to_next, n_left_to_next,
2482 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2484 from = vlib_frame_vector_args (frame);
2485 u32 len = vec_len (fragments_to_loopback);
2486 if (len <= VLIB_FRAME_SIZE)
2488 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2490 vec_reset_length (fragments_to_loopback);
2495 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2496 sizeof (u32) * VLIB_FRAME_SIZE);
2497 n_left_from = VLIB_FRAME_SIZE;
2498 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2503 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2506 vlib_node_increment_counter (vm, nat44_in2out_reass_node.index,
2507 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2510 nat_send_all_to_node (vm, fragments_to_drop, node,
2511 &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
2512 SNAT_IN2OUT_NEXT_DROP);
2514 vec_free (fragments_to_drop);
2515 vec_free (fragments_to_loopback);
2516 return frame->n_vectors;
2519 VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
2520 .function = nat44_in2out_reass_node_fn,
2521 .name = "nat44-in2out-reass",
2522 .vector_size = sizeof (u32),
2523 .format_trace = format_nat44_in2out_reass_trace,
2524 .type = VLIB_NODE_TYPE_INTERNAL,
2526 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2527 .error_strings = snat_in2out_error_strings,
2529 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2531 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2532 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2533 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2534 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2535 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
2539 VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node,
2540 nat44_in2out_reass_node_fn);
2542 /**************************/
2543 /*** deterministic mode ***/
2544 /**************************/
2546 snat_det_in2out_node_fn (vlib_main_t * vm,
2547 vlib_node_runtime_t * node,
2548 vlib_frame_t * frame)
2550 u32 n_left_from, * from, * to_next;
2551 snat_in2out_next_t next_index;
2552 u32 pkts_processed = 0;
2553 snat_main_t * sm = &snat_main;
2554 u32 now = (u32) vlib_time_now (vm);
2555 u32 thread_index = vlib_get_thread_index ();
2557 from = vlib_frame_vector_args (frame);
2558 n_left_from = frame->n_vectors;
2559 next_index = node->cached_next_index;
2561 while (n_left_from > 0)
2565 vlib_get_next_frame (vm, node, next_index,
2566 to_next, n_left_to_next);
2568 while (n_left_from >= 4 && n_left_to_next >= 2)
2571 vlib_buffer_t * b0, * b1;
2573 u32 sw_if_index0, sw_if_index1;
2574 ip4_header_t * ip0, * ip1;
2575 ip_csum_t sum0, sum1;
2576 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2577 u16 old_port0, new_port0, lo_port0, i0;
2578 u16 old_port1, new_port1, lo_port1, i1;
2579 udp_header_t * udp0, * udp1;
2580 tcp_header_t * tcp0, * tcp1;
2582 snat_det_out_key_t key0, key1;
2583 snat_det_map_t * dm0, * dm1;
2584 snat_det_session_t * ses0 = 0, * ses1 = 0;
2585 u32 rx_fib_index0, rx_fib_index1;
2586 icmp46_header_t * icmp0, * icmp1;
2588 /* Prefetch next iteration. */
2590 vlib_buffer_t * p2, * p3;
2592 p2 = vlib_get_buffer (vm, from[2]);
2593 p3 = vlib_get_buffer (vm, from[3]);
2595 vlib_prefetch_buffer_header (p2, LOAD);
2596 vlib_prefetch_buffer_header (p3, LOAD);
2598 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2599 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2602 /* speculatively enqueue b0 and b1 to the current next frame */
2603 to_next[0] = bi0 = from[0];
2604 to_next[1] = bi1 = from[1];
2608 n_left_to_next -= 2;
2610 b0 = vlib_get_buffer (vm, bi0);
2611 b1 = vlib_get_buffer (vm, bi1);
2613 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2614 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
2616 ip0 = vlib_buffer_get_current (b0);
2617 udp0 = ip4_next_header (ip0);
2618 tcp0 = (tcp_header_t *) udp0;
2620 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2622 if (PREDICT_FALSE(ip0->ttl == 1))
2624 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2625 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2626 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2628 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2632 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2634 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2636 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2637 icmp0 = (icmp46_header_t *) udp0;
2639 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2640 rx_fib_index0, node, next0, thread_index,
2645 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2646 if (PREDICT_FALSE(!dm0))
2648 clib_warning("no match for internal host %U",
2649 format_ip4_address, &ip0->src_address);
2650 next0 = SNAT_IN2OUT_NEXT_DROP;
2651 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2655 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2657 key0.ext_host_addr = ip0->dst_address;
2658 key0.ext_host_port = tcp0->dst;
2660 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2661 if (PREDICT_FALSE(!ses0))
2663 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2665 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2666 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
2668 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
2671 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
2674 if (PREDICT_FALSE(!ses0))
2676 /* too many sessions for user, send ICMP error packet */
2678 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2679 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
2680 ICMP4_destination_unreachable_destination_unreachable_host,
2682 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2687 new_port0 = ses0->out.out_port;
2689 old_addr0.as_u32 = ip0->src_address.as_u32;
2690 ip0->src_address.as_u32 = new_addr0.as_u32;
2691 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2693 sum0 = ip0->checksum;
2694 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2696 src_address /* changed member */);
2697 ip0->checksum = ip_csum_fold (sum0);
2699 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2701 if (tcp0->flags & TCP_FLAG_SYN)
2702 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
2703 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
2704 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2705 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2706 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
2707 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
2708 snat_det_ses_close(dm0, ses0);
2709 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2710 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
2711 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
2712 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2714 old_port0 = tcp0->src;
2715 tcp0->src = new_port0;
2717 sum0 = tcp0->checksum;
2718 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2720 dst_address /* changed member */);
2721 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2722 ip4_header_t /* cheat */,
2723 length /* changed member */);
2724 tcp0->checksum = ip_csum_fold(sum0);
2728 ses0->state = SNAT_SESSION_UDP_ACTIVE;
2729 old_port0 = udp0->src_port;
2730 udp0->src_port = new_port0;
2736 case SNAT_SESSION_UDP_ACTIVE:
2737 ses0->expire = now + sm->udp_timeout;
2739 case SNAT_SESSION_TCP_SYN_SENT:
2740 case SNAT_SESSION_TCP_FIN_WAIT:
2741 case SNAT_SESSION_TCP_CLOSE_WAIT:
2742 case SNAT_SESSION_TCP_LAST_ACK:
2743 ses0->expire = now + sm->tcp_transitory_timeout;
2745 case SNAT_SESSION_TCP_ESTABLISHED:
2746 ses0->expire = now + sm->tcp_established_timeout;
2751 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2752 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2754 snat_in2out_trace_t *t =
2755 vlib_add_trace (vm, node, b0, sizeof (*t));
2756 t->is_slow_path = 0;
2757 t->sw_if_index = sw_if_index0;
2758 t->next_index = next0;
2759 t->session_index = ~0;
2761 t->session_index = ses0 - dm0->sessions;
2764 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2766 ip1 = vlib_buffer_get_current (b1);
2767 udp1 = ip4_next_header (ip1);
2768 tcp1 = (tcp_header_t *) udp1;
2770 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2772 if (PREDICT_FALSE(ip1->ttl == 1))
2774 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2775 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2776 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2778 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2782 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2784 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2786 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2787 icmp1 = (icmp46_header_t *) udp1;
2789 next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
2790 rx_fib_index1, node, next1, thread_index,
2795 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
2796 if (PREDICT_FALSE(!dm1))
2798 clib_warning("no match for internal host %U",
2799 format_ip4_address, &ip0->src_address);
2800 next1 = SNAT_IN2OUT_NEXT_DROP;
2801 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2805 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
2807 key1.ext_host_addr = ip1->dst_address;
2808 key1.ext_host_port = tcp1->dst;
2810 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
2811 if (PREDICT_FALSE(!ses1))
2813 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
2815 key1.out_port = clib_host_to_net_u16 (lo_port1 +
2816 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
2818 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
2821 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
2824 if (PREDICT_FALSE(!ses1))
2826 /* too many sessions for user, send ICMP error packet */
2828 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2829 icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
2830 ICMP4_destination_unreachable_destination_unreachable_host,
2832 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2837 new_port1 = ses1->out.out_port;
2839 old_addr1.as_u32 = ip1->src_address.as_u32;
2840 ip1->src_address.as_u32 = new_addr1.as_u32;
2841 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2843 sum1 = ip1->checksum;
2844 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2846 src_address /* changed member */);
2847 ip1->checksum = ip_csum_fold (sum1);
2849 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2851 if (tcp1->flags & TCP_FLAG_SYN)
2852 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
2853 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
2854 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
2855 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2856 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
2857 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
2858 snat_det_ses_close(dm1, ses1);
2859 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2860 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
2861 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
2862 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
2864 old_port1 = tcp1->src;
2865 tcp1->src = new_port1;
2867 sum1 = tcp1->checksum;
2868 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2870 dst_address /* changed member */);
2871 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2872 ip4_header_t /* cheat */,
2873 length /* changed member */);
2874 tcp1->checksum = ip_csum_fold(sum1);
2878 ses1->state = SNAT_SESSION_UDP_ACTIVE;
2879 old_port1 = udp1->src_port;
2880 udp1->src_port = new_port1;
2886 case SNAT_SESSION_UDP_ACTIVE:
2887 ses1->expire = now + sm->udp_timeout;
2889 case SNAT_SESSION_TCP_SYN_SENT:
2890 case SNAT_SESSION_TCP_FIN_WAIT:
2891 case SNAT_SESSION_TCP_CLOSE_WAIT:
2892 case SNAT_SESSION_TCP_LAST_ACK:
2893 ses1->expire = now + sm->tcp_transitory_timeout;
2895 case SNAT_SESSION_TCP_ESTABLISHED:
2896 ses1->expire = now + sm->tcp_established_timeout;
2901 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2902 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2904 snat_in2out_trace_t *t =
2905 vlib_add_trace (vm, node, b1, sizeof (*t));
2906 t->is_slow_path = 0;
2907 t->sw_if_index = sw_if_index1;
2908 t->next_index = next1;
2909 t->session_index = ~0;
2911 t->session_index = ses1 - dm1->sessions;
2914 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
2916 /* verify speculative enqueues, maybe switch current next frame */
2917 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2918 to_next, n_left_to_next,
2919 bi0, bi1, next0, next1);
2922 while (n_left_from > 0 && n_left_to_next > 0)
2930 ip4_address_t new_addr0, old_addr0;
2931 u16 old_port0, new_port0, lo_port0, i0;
2932 udp_header_t * udp0;
2933 tcp_header_t * tcp0;
2935 snat_det_out_key_t key0;
2936 snat_det_map_t * dm0;
2937 snat_det_session_t * ses0 = 0;
2939 icmp46_header_t * icmp0;
2941 /* speculatively enqueue b0 to the current next frame */
2947 n_left_to_next -= 1;
2949 b0 = vlib_get_buffer (vm, bi0);
2950 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2952 ip0 = vlib_buffer_get_current (b0);
2953 udp0 = ip4_next_header (ip0);
2954 tcp0 = (tcp_header_t *) udp0;
2956 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2958 if (PREDICT_FALSE(ip0->ttl == 1))
2960 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2961 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2962 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2964 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2968 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2970 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2972 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2973 icmp0 = (icmp46_header_t *) udp0;
2975 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2976 rx_fib_index0, node, next0, thread_index,
2981 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2982 if (PREDICT_FALSE(!dm0))
2984 clib_warning("no match for internal host %U",
2985 format_ip4_address, &ip0->src_address);
2986 next0 = SNAT_IN2OUT_NEXT_DROP;
2987 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2991 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2993 key0.ext_host_addr = ip0->dst_address;
2994 key0.ext_host_port = tcp0->dst;
2996 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2997 if (PREDICT_FALSE(!ses0))
2999 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3001 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3002 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
3004 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
3007 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
3010 if (PREDICT_FALSE(!ses0))
3012 /* too many sessions for user, send ICMP error packet */
3014 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3015 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
3016 ICMP4_destination_unreachable_destination_unreachable_host,
3018 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3023 new_port0 = ses0->out.out_port;
3025 old_addr0.as_u32 = ip0->src_address.as_u32;
3026 ip0->src_address.as_u32 = new_addr0.as_u32;
3027 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
3029 sum0 = ip0->checksum;
3030 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3032 src_address /* changed member */);
3033 ip0->checksum = ip_csum_fold (sum0);
3035 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3037 if (tcp0->flags & TCP_FLAG_SYN)
3038 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
3039 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
3040 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3041 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
3042 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
3043 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
3044 snat_det_ses_close(dm0, ses0);
3045 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
3046 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
3047 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
3048 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
3050 old_port0 = tcp0->src;
3051 tcp0->src = new_port0;
3053 sum0 = tcp0->checksum;
3054 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3056 dst_address /* changed member */);
3057 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3058 ip4_header_t /* cheat */,
3059 length /* changed member */);
3060 tcp0->checksum = ip_csum_fold(sum0);
3064 ses0->state = SNAT_SESSION_UDP_ACTIVE;
3065 old_port0 = udp0->src_port;
3066 udp0->src_port = new_port0;
3072 case SNAT_SESSION_UDP_ACTIVE:
3073 ses0->expire = now + sm->udp_timeout;
3075 case SNAT_SESSION_TCP_SYN_SENT:
3076 case SNAT_SESSION_TCP_FIN_WAIT:
3077 case SNAT_SESSION_TCP_CLOSE_WAIT:
3078 case SNAT_SESSION_TCP_LAST_ACK:
3079 ses0->expire = now + sm->tcp_transitory_timeout;
3081 case SNAT_SESSION_TCP_ESTABLISHED:
3082 ses0->expire = now + sm->tcp_established_timeout;
3087 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3088 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3090 snat_in2out_trace_t *t =
3091 vlib_add_trace (vm, node, b0, sizeof (*t));
3092 t->is_slow_path = 0;
3093 t->sw_if_index = sw_if_index0;
3094 t->next_index = next0;
3095 t->session_index = ~0;
3097 t->session_index = ses0 - dm0->sessions;
3100 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3102 /* verify speculative enqueue, maybe switch current next frame */
3103 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3104 to_next, n_left_to_next,
3108 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3111 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
3112 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3114 return frame->n_vectors;
3117 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
3118 .function = snat_det_in2out_node_fn,
3119 .name = "nat44-det-in2out",
3120 .vector_size = sizeof (u32),
3121 .format_trace = format_snat_in2out_trace,
3122 .type = VLIB_NODE_TYPE_INTERNAL,
3124 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3125 .error_strings = snat_in2out_error_strings,
3127 .runtime_data_bytes = sizeof (snat_runtime_t),
3131 /* edit / add dispositions here */
3133 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3134 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3135 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3139 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
3142 * Get address and port values to be used for ICMP packet translation
3143 * and create session if needed
3145 * @param[in,out] sm NAT main
3146 * @param[in,out] node NAT node runtime
3147 * @param[in] thread_index thread index
3148 * @param[in,out] b0 buffer containing packet to be translated
3149 * @param[out] p_proto protocol used for matching
3150 * @param[out] p_value address and port after NAT translation
3151 * @param[out] p_dont_translate if packet should not be translated
3152 * @param d optional parameter
3153 * @param e optional parameter
3155 u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
3156 u32 thread_index, vlib_buffer_t *b0,
3157 ip4_header_t *ip0, u8 *p_proto,
3158 snat_session_key_t *p_value,
3159 u8 *p_dont_translate, void *d, void *e)
3161 icmp46_header_t *icmp0;
3165 snat_det_out_key_t key0;
3166 u8 dont_translate = 0;
3168 icmp_echo_header_t *echo0, *inner_echo0 = 0;
3169 ip4_header_t *inner_ip0;
3170 void *l4_header = 0;
3171 icmp46_header_t *inner_icmp0;
3172 snat_det_map_t * dm0 = 0;
3173 ip4_address_t new_addr0;
3175 snat_det_session_t * ses0 = 0;
3176 ip4_address_t in_addr;
3179 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
3180 echo0 = (icmp_echo_header_t *)(icmp0+1);
3181 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3182 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
3184 if (!icmp_is_error_message (icmp0))
3186 protocol = SNAT_PROTOCOL_ICMP;
3187 in_addr = ip0->src_address;
3188 in_port = echo0->identifier;
3192 inner_ip0 = (ip4_header_t *)(echo0+1);
3193 l4_header = ip4_next_header (inner_ip0);
3194 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
3195 in_addr = inner_ip0->dst_address;
3198 case SNAT_PROTOCOL_ICMP:
3199 inner_icmp0 = (icmp46_header_t*)l4_header;
3200 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
3201 in_port = inner_echo0->identifier;
3203 case SNAT_PROTOCOL_UDP:
3204 case SNAT_PROTOCOL_TCP:
3205 in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
3208 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
3209 next0 = SNAT_IN2OUT_NEXT_DROP;
3214 dm0 = snat_det_map_by_user(sm, &in_addr);
3215 if (PREDICT_FALSE(!dm0))
3217 clib_warning("no match for internal host %U",
3218 format_ip4_address, &in_addr);
3219 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3220 IP_PROTOCOL_ICMP, rx_fib_index0)))
3225 next0 = SNAT_IN2OUT_NEXT_DROP;
3226 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3230 snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
3232 key0.ext_host_addr = ip0->dst_address;
3233 key0.ext_host_port = 0;
3235 ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
3236 if (PREDICT_FALSE(!ses0))
3238 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
3239 IP_PROTOCOL_ICMP, rx_fib_index0)))
3244 if (icmp0->type != ICMP4_echo_request)
3246 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3247 next0 = SNAT_IN2OUT_NEXT_DROP;
3250 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
3252 key0.out_port = clib_host_to_net_u16 (lo_port0 +
3253 ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host));
3255 if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64))
3258 ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0);
3261 if (PREDICT_FALSE(!ses0))
3263 next0 = SNAT_IN2OUT_NEXT_DROP;
3264 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
3269 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
3270 !icmp_is_error_message (icmp0)))
3272 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3273 next0 = SNAT_IN2OUT_NEXT_DROP;
3277 u32 now = (u32) vlib_time_now (sm->vlib_main);
3279 ses0->state = SNAT_SESSION_ICMP_ACTIVE;
3280 ses0->expire = now + sm->icmp_timeout;
3283 *p_proto = protocol;
3286 p_value->addr = new_addr0;
3287 p_value->fib_index = sm->outside_fib_index;
3288 p_value->port = ses0->out.out_port;
3290 *p_dont_translate = dont_translate;
3292 *(snat_det_session_t**)d = ses0;
3294 *(snat_det_map_t**)e = dm0;
3298 /**********************/
3299 /*** worker handoff ***/
3300 /**********************/
3302 snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm,
3303 vlib_node_runtime_t * node,
3304 vlib_frame_t * frame,
3307 snat_main_t *sm = &snat_main;
3308 vlib_thread_main_t *tm = vlib_get_thread_main ();
3309 u32 n_left_from, *from, *to_next = 0;
3310 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3311 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3313 vlib_frame_queue_elt_t *hf = 0;
3314 vlib_frame_t *f = 0;
3316 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3317 u32 next_worker_index = 0;
3318 u32 current_worker_index = ~0;
3319 u32 thread_index = vlib_get_thread_index ();
3323 ASSERT (vec_len (sm->workers));
3327 fq_index = sm->fq_in2out_output_index;
3328 to_node_index = sm->in2out_output_node_index;
3332 fq_index = sm->fq_in2out_index;
3333 to_node_index = sm->in2out_node_index;
3336 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3338 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3340 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3341 sm->first_worker_index + sm->num_workers - 1,
3342 (vlib_frame_queue_t *) (~0));
3345 from = vlib_frame_vector_args (frame);
3346 n_left_from = frame->n_vectors;
3348 while (n_left_from > 0)
3361 b0 = vlib_get_buffer (vm, bi0);
3363 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3364 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3366 ip0 = vlib_buffer_get_current (b0);
3368 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
3370 if (PREDICT_FALSE (next_worker_index != thread_index))
3374 if (next_worker_index != current_worker_index)
3377 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3379 hf = vlib_get_worker_handoff_queue_elt (fq_index,
3381 handoff_queue_elt_by_worker_index);
3383 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3384 to_next_worker = &hf->buffer_index[hf->n_vectors];
3385 current_worker_index = next_worker_index;
3388 /* enqueue to correct worker thread */
3389 to_next_worker[0] = bi0;
3391 n_left_to_next_worker--;
3393 if (n_left_to_next_worker == 0)
3395 hf->n_vectors = VLIB_FRAME_SIZE;
3396 vlib_put_frame_queue_elt (hf);
3397 current_worker_index = ~0;
3398 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3405 /* if this is 1st frame */
3408 f = vlib_get_frame_to_node (vm, to_node_index);
3409 to_next = vlib_frame_vector_args (f);
3417 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3418 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3420 snat_in2out_worker_handoff_trace_t *t =
3421 vlib_add_trace (vm, node, b0, sizeof (*t));
3422 t->next_worker_index = next_worker_index;
3423 t->do_handoff = do_handoff;
3428 vlib_put_frame_to_node (vm, to_node_index, f);
3431 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3433 /* Ship frames to the worker nodes */
3434 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3436 if (handoff_queue_elt_by_worker_index[i])
3438 hf = handoff_queue_elt_by_worker_index[i];
3440 * It works better to let the handoff node
3441 * rate-adapt, always ship the handoff queue element.
3443 if (1 || hf->n_vectors == hf->last_n_vectors)
3445 vlib_put_frame_queue_elt (hf);
3446 handoff_queue_elt_by_worker_index[i] = 0;
3449 hf->last_n_vectors = hf->n_vectors;
3451 congested_handoff_queue_by_worker_index[i] =
3452 (vlib_frame_queue_t *) (~0);
3455 current_worker_index = ~0;
3456 return frame->n_vectors;
3460 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
3461 vlib_node_runtime_t * node,
3462 vlib_frame_t * frame)
3464 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0);
3467 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
3468 .function = snat_in2out_worker_handoff_fn,
3469 .name = "nat44-in2out-worker-handoff",
3470 .vector_size = sizeof (u32),
3471 .format_trace = format_snat_in2out_worker_handoff_trace,
3472 .type = VLIB_NODE_TYPE_INTERNAL,
3481 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node,
3482 snat_in2out_worker_handoff_fn);
3485 snat_in2out_output_worker_handoff_fn (vlib_main_t * vm,
3486 vlib_node_runtime_t * node,
3487 vlib_frame_t * frame)
3489 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1);
3492 VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = {
3493 .function = snat_in2out_output_worker_handoff_fn,
3494 .name = "nat44-in2out-output-worker-handoff",
3495 .vector_size = sizeof (u32),
3496 .format_trace = format_snat_in2out_worker_handoff_trace,
3497 .type = VLIB_NODE_TYPE_INTERNAL,
3506 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node,
3507 snat_in2out_output_worker_handoff_fn);
3509 static_always_inline int
3510 is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr)
3512 snat_address_t * ap;
3513 clib_bihash_kv_8_8_t kv, value;
3514 snat_session_key_t m_key;
3516 vec_foreach (ap, sm->addresses)
3518 if (ap->addr.as_u32 == dst_addr->as_u32)
3522 m_key.addr.as_u32 = dst_addr->as_u32;
3523 m_key.fib_index = sm->outside_fib_index;
3526 kv.key = m_key.as_u64;
3527 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3534 snat_hairpin_dst_fn (vlib_main_t * vm,
3535 vlib_node_runtime_t * node,
3536 vlib_frame_t * frame)
3538 u32 n_left_from, * from, * to_next;
3539 snat_in2out_next_t next_index;
3540 u32 pkts_processed = 0;
3541 snat_main_t * sm = &snat_main;
3543 from = vlib_frame_vector_args (frame);
3544 n_left_from = frame->n_vectors;
3545 next_index = node->cached_next_index;
3547 while (n_left_from > 0)
3551 vlib_get_next_frame (vm, node, next_index,
3552 to_next, n_left_to_next);
3554 while (n_left_from > 0 && n_left_to_next > 0)
3562 /* speculatively enqueue b0 to the current next frame */
3568 n_left_to_next -= 1;
3570 b0 = vlib_get_buffer (vm, bi0);
3571 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3572 ip0 = vlib_buffer_get_current (b0);
3574 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3576 vnet_buffer (b0)->snat.flags = 0;
3577 if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address)))
3579 if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP)
3581 udp_header_t * udp0 = ip4_next_header (ip0);
3582 tcp_header_t * tcp0 = (tcp_header_t *) udp0;
3584 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3586 else if (proto0 == SNAT_PROTOCOL_ICMP)
3588 icmp46_header_t * icmp0 = ip4_next_header (ip0);
3590 snat_icmp_hairpinning (sm, b0, ip0, icmp0);
3594 snat_hairpinning_unknown_proto (sm, b0, ip0);
3597 vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING;
3600 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3602 /* verify speculative enqueue, maybe switch current next frame */
3603 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3604 to_next, n_left_to_next,
3608 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3611 vlib_node_increment_counter (vm, snat_hairpin_dst_node.index,
3612 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3614 return frame->n_vectors;
3617 VLIB_REGISTER_NODE (snat_hairpin_dst_node) = {
3618 .function = snat_hairpin_dst_fn,
3619 .name = "nat44-hairpin-dst",
3620 .vector_size = sizeof (u32),
3621 .type = VLIB_NODE_TYPE_INTERNAL,
3622 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3623 .error_strings = snat_in2out_error_strings,
3626 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3627 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3631 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node,
3632 snat_hairpin_dst_fn);
3635 snat_hairpin_src_fn (vlib_main_t * vm,
3636 vlib_node_runtime_t * node,
3637 vlib_frame_t * frame)
3639 u32 n_left_from, * from, * to_next;
3640 snat_in2out_next_t next_index;
3641 u32 pkts_processed = 0;
3642 snat_main_t *sm = &snat_main;
3644 from = vlib_frame_vector_args (frame);
3645 n_left_from = frame->n_vectors;
3646 next_index = node->cached_next_index;
3648 while (n_left_from > 0)
3652 vlib_get_next_frame (vm, node, next_index,
3653 to_next, n_left_to_next);
3655 while (n_left_from > 0 && n_left_to_next > 0)
3660 snat_interface_t *i;
3663 /* speculatively enqueue b0 to the current next frame */
3669 n_left_to_next -= 1;
3671 b0 = vlib_get_buffer (vm, bi0);
3672 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3673 next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT;
3675 pool_foreach (i, sm->output_feature_interfaces,
3677 /* Only packets from NAT inside interface */
3678 if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index))
3680 if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) &
3681 SNAT_FLAG_HAIRPINNING))
3683 if (PREDICT_TRUE (sm->num_workers > 1))
3684 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH;
3686 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT;
3692 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3694 /* verify speculative enqueue, maybe switch current next frame */
3695 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3696 to_next, n_left_to_next,
3700 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3703 vlib_node_increment_counter (vm, snat_hairpin_src_node.index,
3704 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3706 return frame->n_vectors;
3709 VLIB_REGISTER_NODE (snat_hairpin_src_node) = {
3710 .function = snat_hairpin_src_fn,
3711 .name = "nat44-hairpin-src",
3712 .vector_size = sizeof (u32),
3713 .type = VLIB_NODE_TYPE_INTERNAL,
3714 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3715 .error_strings = snat_in2out_error_strings,
3716 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
3718 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
3719 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output",
3720 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
3721 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
3725 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node,
3726 snat_hairpin_src_fn);
3729 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
3730 vlib_node_runtime_t * node,
3731 vlib_frame_t * frame)
3733 u32 n_left_from, * from, * to_next;
3734 snat_in2out_next_t next_index;
3735 u32 pkts_processed = 0;
3736 snat_main_t * sm = &snat_main;
3737 u32 stats_node_index;
3739 stats_node_index = snat_in2out_fast_node.index;
3741 from = vlib_frame_vector_args (frame);
3742 n_left_from = frame->n_vectors;
3743 next_index = node->cached_next_index;
3745 while (n_left_from > 0)
3749 vlib_get_next_frame (vm, node, next_index,
3750 to_next, n_left_to_next);
3752 while (n_left_from > 0 && n_left_to_next > 0)
3760 u32 new_addr0, old_addr0;
3761 u16 old_port0, new_port0;
3762 udp_header_t * udp0;
3763 tcp_header_t * tcp0;
3764 icmp46_header_t * icmp0;
3765 snat_session_key_t key0, sm0;
3769 /* speculatively enqueue b0 to the current next frame */
3775 n_left_to_next -= 1;
3777 b0 = vlib_get_buffer (vm, bi0);
3778 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3780 ip0 = vlib_buffer_get_current (b0);
3781 udp0 = ip4_next_header (ip0);
3782 tcp0 = (tcp_header_t *) udp0;
3783 icmp0 = (icmp46_header_t *) udp0;
3785 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3786 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3788 if (PREDICT_FALSE(ip0->ttl == 1))
3790 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3791 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3792 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3794 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3798 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3800 if (PREDICT_FALSE (proto0 == ~0))
3803 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
3805 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
3806 rx_fib_index0, node, next0, ~0, 0, 0);
3810 key0.addr = ip0->src_address;
3811 key0.protocol = proto0;
3812 key0.port = udp0->src_port;
3813 key0.fib_index = rx_fib_index0;
3815 if (snat_static_mapping_match(sm, key0, &sm0, 0, 0, 0))
3817 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3818 next0= SNAT_IN2OUT_NEXT_DROP;
3822 new_addr0 = sm0.addr.as_u32;
3823 new_port0 = sm0.port;
3824 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
3825 old_addr0 = ip0->src_address.as_u32;
3826 ip0->src_address.as_u32 = new_addr0;
3828 sum0 = ip0->checksum;
3829 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3831 src_address /* changed member */);
3832 ip0->checksum = ip_csum_fold (sum0);
3834 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
3836 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3838 old_port0 = tcp0->src_port;
3839 tcp0->src_port = new_port0;
3841 sum0 = tcp0->checksum;
3842 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3844 dst_address /* changed member */);
3845 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3846 ip4_header_t /* cheat */,
3847 length /* changed member */);
3848 tcp0->checksum = ip_csum_fold(sum0);
3852 old_port0 = udp0->src_port;
3853 udp0->src_port = new_port0;
3859 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3861 sum0 = tcp0->checksum;
3862 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3864 dst_address /* changed member */);
3865 tcp0->checksum = ip_csum_fold(sum0);
3870 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3873 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3874 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3876 snat_in2out_trace_t *t =
3877 vlib_add_trace (vm, node, b0, sizeof (*t));
3878 t->sw_if_index = sw_if_index0;
3879 t->next_index = next0;
3882 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3884 /* verify speculative enqueue, maybe switch current next frame */
3885 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3886 to_next, n_left_to_next,
3890 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3893 vlib_node_increment_counter (vm, stats_node_index,
3894 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3896 return frame->n_vectors;
3900 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
3901 .function = snat_in2out_fast_static_map_fn,
3902 .name = "nat44-in2out-fast",
3903 .vector_size = sizeof (u32),
3904 .format_trace = format_snat_in2out_fast_trace,
3905 .type = VLIB_NODE_TYPE_INTERNAL,
3907 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3908 .error_strings = snat_in2out_error_strings,
3910 .runtime_data_bytes = sizeof (snat_runtime_t),
3912 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
3914 /* edit / add dispositions here */
3916 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3917 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3918 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
3919 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3920 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
3924 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob