2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
25 #include <nat/nat_ipfix_logging.h>
26 #include <nat/nat_det.h>
28 #include <vppinfra/hash.h>
29 #include <vppinfra/error.h>
30 #include <vppinfra/elog.h>
37 } snat_in2out_trace_t;
40 u32 next_worker_index;
42 } snat_in2out_worker_handoff_trace_t;
44 /* packet trace format function */
45 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
47 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
48 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
49 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
52 tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH";
54 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
55 t->sw_if_index, t->next_index, t->session_index);
60 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
62 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
63 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
64 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
66 s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d",
67 t->sw_if_index, t->next_index);
72 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
74 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
75 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
76 snat_in2out_worker_handoff_trace_t * t =
77 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
80 m = t->do_handoff ? "next worker" : "same worker";
81 s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
86 vlib_node_registration_t snat_in2out_node;
87 vlib_node_registration_t snat_in2out_slowpath_node;
88 vlib_node_registration_t snat_in2out_fast_node;
89 vlib_node_registration_t snat_in2out_worker_handoff_node;
90 vlib_node_registration_t snat_det_in2out_node;
91 vlib_node_registration_t snat_in2out_output_node;
92 vlib_node_registration_t snat_in2out_output_slowpath_node;
93 vlib_node_registration_t snat_in2out_output_worker_handoff_node;
94 vlib_node_registration_t snat_hairpin_dst_node;
95 vlib_node_registration_t snat_hairpin_src_node;
98 #define foreach_snat_in2out_error \
99 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
100 _(IN2OUT_PACKETS, "Good in2out packets processed") \
101 _(OUT_OF_PORTS, "Out of ports") \
102 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
103 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
104 _(NO_TRANSLATION, "No translation")
107 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
108 foreach_snat_in2out_error
111 } snat_in2out_error_t;
113 static char * snat_in2out_error_strings[] = {
114 #define _(sym,string) string,
115 foreach_snat_in2out_error
120 SNAT_IN2OUT_NEXT_LOOKUP,
121 SNAT_IN2OUT_NEXT_DROP,
122 SNAT_IN2OUT_NEXT_ICMP_ERROR,
123 SNAT_IN2OUT_NEXT_SLOW_PATH,
125 } snat_in2out_next_t;
128 SNAT_HAIRPIN_SRC_NEXT_DROP,
129 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT,
130 SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH,
131 SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT,
132 SNAT_HAIRPIN_SRC_N_NEXT,
133 } snat_hairpin_next_t;
136 * @brief Check if packet should be translated
138 * Packets aimed at outside interface and external addresss with active session
139 * should be translated.
142 * @param rt NAT runtime data
143 * @param sw_if_index0 index of the inside interface
144 * @param ip0 IPv4 header
145 * @param proto0 NAT protocol
146 * @param rx_fib_index0 RX FIB index
148 * @returns 0 if packet should be translated otherwise 1
151 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node,
152 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
155 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
157 .fp_proto = FIB_PROTOCOL_IP4,
160 .ip4.as_u32 = ip0->dst_address.as_u32,
164 /* Don't NAT packet aimed at the intfc address */
165 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
166 ip0->dst_address.as_u32)))
169 fei = fib_table_lookup (rx_fib_index0, &pfx);
170 if (FIB_NODE_INDEX_INVALID != fei)
172 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
173 if (sw_if_index == ~0)
175 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
176 if (FIB_NODE_INDEX_INVALID != fei)
177 sw_if_index = fib_entry_get_resolving_interface (fei);
180 pool_foreach (i, sm->interfaces,
182 /* NAT packet aimed at outside interface */
183 if ((i->is_inside == 0) && (sw_if_index == i->sw_if_index))
192 snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
193 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
194 u32 rx_fib_index0, u32 thread_index)
196 udp_header_t * udp0 = ip4_next_header (ip0);
197 snat_session_key_t key0, sm0;
198 clib_bihash_kv_8_8_t kv0, value0;
200 key0.addr = ip0->dst_address;
201 key0.port = udp0->dst_port;
202 key0.protocol = proto0;
203 key0.fib_index = sm->outside_fib_index;
204 kv0.key = key0.as_u64;
206 /* NAT packet aimed at external address if */
207 /* has active sessions */
208 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
211 /* or is static mappings */
212 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0))
218 return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0,
222 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
225 snat_session_key_t * key0,
226 snat_session_t ** sessionp,
227 vlib_node_runtime_t * node,
232 snat_user_key_t user_key;
234 clib_bihash_kv_8_8_t kv0, value0;
235 u32 oldest_per_user_translation_list_index;
236 dlist_elt_t * oldest_per_user_translation_list_elt;
237 dlist_elt_t * per_user_translation_list_elt;
238 dlist_elt_t * per_user_list_head_elt;
240 snat_session_key_t key1;
241 u32 address_index = ~0;
242 u32 outside_fib_index;
245 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
248 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
249 return SNAT_IN2OUT_NEXT_DROP;
251 outside_fib_index = p[0];
253 key1.protocol = key0->protocol;
254 user_key.addr = ip0->src_address;
255 user_key.fib_index = rx_fib_index0;
256 kv0.key = user_key.as_u64;
258 /* Ever heard of the "user" = src ip4 address before? */
259 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].user_hash,
262 /* no, make a new one */
263 pool_get (sm->per_thread_data[thread_index].users, u);
264 memset (u, 0, sizeof (*u));
265 u->addr = ip0->src_address;
266 u->fib_index = rx_fib_index0;
268 pool_get (sm->per_thread_data[thread_index].list_pool, per_user_list_head_elt);
270 u->sessions_per_user_list_head_index = per_user_list_head_elt -
271 sm->per_thread_data[thread_index].list_pool;
273 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
274 u->sessions_per_user_list_head_index);
276 kv0.value = u - sm->per_thread_data[thread_index].users;
279 clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].user_hash,
280 &kv0, 1 /* is_add */);
284 u = pool_elt_at_index (sm->per_thread_data[thread_index].users,
288 /* Over quota? Recycle the least recently used dynamic translation */
289 if (u->nsessions >= sm->max_translations_per_user)
291 /* Remove the oldest dynamic translation */
293 oldest_per_user_translation_list_index =
294 clib_dlist_remove_head (sm->per_thread_data[thread_index].list_pool,
295 u->sessions_per_user_list_head_index);
297 ASSERT (oldest_per_user_translation_list_index != ~0);
299 /* add it back to the end of the LRU list */
300 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
301 u->sessions_per_user_list_head_index,
302 oldest_per_user_translation_list_index);
303 /* Get the list element */
304 oldest_per_user_translation_list_elt =
305 pool_elt_at_index (sm->per_thread_data[thread_index].list_pool,
306 oldest_per_user_translation_list_index);
308 /* Get the session index from the list element */
309 session_index = oldest_per_user_translation_list_elt->value;
311 /* Get the session */
312 s = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
314 } while (snat_is_session_static (s));
316 if (snat_is_unk_proto_session (s))
318 clib_bihash_kv_16_8_t up_kv;
319 nat_ed_ses_key_t key;
321 /* Remove from lookup tables */
322 key.l_addr = s->in2out.addr;
323 key.r_addr = s->ext_host_addr;
324 key.fib_index = s->in2out.fib_index;
325 key.proto = s->in2out.port;
328 up_kv.key[0] = key.as_u64[0];
329 up_kv.key[1] = key.as_u64[1];
330 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &up_kv, 0))
331 clib_warning ("in2out key del failed");
333 key.l_addr = s->out2in.addr;
334 key.fib_index = s->out2in.fib_index;
335 up_kv.key[0] = key.as_u64[0];
336 up_kv.key[1] = key.as_u64[1];
337 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &up_kv, 0))
338 clib_warning ("out2in key del failed");
342 /* Remove in2out, out2in keys */
343 kv0.key = s->in2out.as_u64;
344 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out,
345 &kv0, 0 /* is_add */))
346 clib_warning ("in2out key delete failed");
347 kv0.key = s->out2in.as_u64;
348 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in,
349 &kv0, 0 /* is_add */))
350 clib_warning ("out2in key delete failed");
353 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
354 s->out2in.addr.as_u32,
358 s->in2out.fib_index);
360 snat_free_outside_address_and_port
361 (sm, thread_index, &s->out2in, s->outside_address_index);
363 s->outside_address_index = ~0;
365 if (snat_alloc_outside_address_and_port (sm, rx_fib_index0, thread_index,
366 &key1, &address_index))
370 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
371 return SNAT_IN2OUT_NEXT_DROP;
373 s->outside_address_index = address_index;
377 u8 static_mapping = 1;
379 /* First try to match static mapping by local address and port */
380 if (snat_static_mapping_match (sm, *key0, &key1, 0, 0))
383 /* Try to create dynamic translation */
384 if (snat_alloc_outside_address_and_port (sm, rx_fib_index0,
388 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
389 return SNAT_IN2OUT_NEXT_DROP;
393 /* Create a new session */
394 pool_get (sm->per_thread_data[thread_index].sessions, s);
395 memset (s, 0, sizeof (*s));
397 s->outside_address_index = address_index;
401 u->nstaticsessions++;
402 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
409 /* Create list elts */
410 pool_get (sm->per_thread_data[thread_index].list_pool,
411 per_user_translation_list_elt);
412 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
413 per_user_translation_list_elt -
414 sm->per_thread_data[thread_index].list_pool);
416 per_user_translation_list_elt->value =
417 s - sm->per_thread_data[thread_index].sessions;
418 s->per_user_index = per_user_translation_list_elt -
419 sm->per_thread_data[thread_index].list_pool;
420 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
422 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
423 s->per_user_list_head_index,
424 per_user_translation_list_elt -
425 sm->per_thread_data[thread_index].list_pool);
430 s->out2in.protocol = key0->protocol;
431 s->out2in.fib_index = outside_fib_index;
432 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
435 /* Add to translation hashes */
436 kv0.key = s->in2out.as_u64;
437 kv0.value = s - sm->per_thread_data[thread_index].sessions;
438 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
440 clib_warning ("in2out key add failed");
442 kv0.key = s->out2in.as_u64;
443 kv0.value = s - sm->per_thread_data[thread_index].sessions;
445 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
447 clib_warning ("out2in key add failed");
450 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
451 s->out2in.addr.as_u32,
455 s->in2out.fib_index);
460 snat_in2out_error_t icmp_get_key(ip4_header_t *ip0,
461 snat_session_key_t *p_key0)
463 icmp46_header_t *icmp0;
464 snat_session_key_t key0;
465 icmp_echo_header_t *echo0, *inner_echo0 = 0;
466 ip4_header_t *inner_ip0 = 0;
468 icmp46_header_t *inner_icmp0;
470 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
471 echo0 = (icmp_echo_header_t *)(icmp0+1);
473 if (!icmp_is_error_message (icmp0))
475 key0.protocol = SNAT_PROTOCOL_ICMP;
476 key0.addr = ip0->src_address;
477 key0.port = echo0->identifier;
481 inner_ip0 = (ip4_header_t *)(echo0+1);
482 l4_header = ip4_next_header (inner_ip0);
483 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
484 key0.addr = inner_ip0->dst_address;
485 switch (key0.protocol)
487 case SNAT_PROTOCOL_ICMP:
488 inner_icmp0 = (icmp46_header_t*)l4_header;
489 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
490 key0.port = inner_echo0->identifier;
492 case SNAT_PROTOCOL_UDP:
493 case SNAT_PROTOCOL_TCP:
494 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
497 return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL;
501 return -1; /* success */
505 * Get address and port values to be used for ICMP packet translation
506 * and create session if needed
508 * @param[in,out] sm NAT main
509 * @param[in,out] node NAT node runtime
510 * @param[in] thread_index thread index
511 * @param[in,out] b0 buffer containing packet to be translated
512 * @param[out] p_proto protocol used for matching
513 * @param[out] p_value address and port after NAT translation
514 * @param[out] p_dont_translate if packet should not be translated
515 * @param d optional parameter
516 * @param e optional parameter
518 u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
519 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
520 snat_session_key_t *p_value,
521 u8 *p_dont_translate, void *d, void *e)
524 icmp46_header_t *icmp0;
527 snat_session_key_t key0;
528 snat_session_t *s0 = 0;
529 u8 dont_translate = 0;
530 clib_bihash_kv_8_8_t kv0, value0;
535 if (PREDICT_FALSE(vnet_buffer(b0)->sw_if_index[VLIB_TX] != ~0))
537 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
539 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + iph_offset0);
540 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
541 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
542 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
544 err = icmp_get_key (ip0, &key0);
547 b0->error = node->errors[err];
548 next0 = SNAT_IN2OUT_NEXT_DROP;
551 key0.fib_index = rx_fib_index0;
553 kv0.key = key0.as_u64;
555 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
558 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, ip0,
559 IP_PROTOCOL_ICMP, rx_fib_index0, thread_index) &&
560 vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0))
566 if (PREDICT_FALSE(icmp_is_error_message (icmp0)))
568 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
569 next0 = SNAT_IN2OUT_NEXT_DROP;
573 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
574 &s0, node, next0, thread_index);
576 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
581 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
582 icmp0->type != ICMP4_echo_reply &&
583 !icmp_is_error_message (icmp0)))
585 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
586 next0 = SNAT_IN2OUT_NEXT_DROP;
590 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
595 *p_proto = key0.protocol;
597 *p_value = s0->out2in;
598 *p_dont_translate = dont_translate;
600 *(snat_session_t**)d = s0;
605 * Get address and port values to be used for ICMP packet translation
607 * @param[in] sm NAT main
608 * @param[in,out] node NAT node runtime
609 * @param[in] thread_index thread index
610 * @param[in,out] b0 buffer containing packet to be translated
611 * @param[out] p_proto protocol used for matching
612 * @param[out] p_value address and port after NAT translation
613 * @param[out] p_dont_translate if packet should not be translated
614 * @param d optional parameter
615 * @param e optional parameter
617 u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node,
618 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
619 snat_session_key_t *p_value,
620 u8 *p_dont_translate, void *d, void *e)
623 icmp46_header_t *icmp0;
626 snat_session_key_t key0;
627 snat_session_key_t sm0;
628 u8 dont_translate = 0;
633 ip0 = vlib_buffer_get_current (b0);
634 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
635 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
636 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
638 err = icmp_get_key (ip0, &key0);
641 b0->error = node->errors[err];
642 next0 = SNAT_IN2OUT_NEXT_DROP;
645 key0.fib_index = rx_fib_index0;
647 if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only))
649 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
650 IP_PROTOCOL_ICMP, rx_fib_index0)))
656 if (icmp_is_error_message (icmp0))
658 next0 = SNAT_IN2OUT_NEXT_DROP;
662 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
663 next0 = SNAT_IN2OUT_NEXT_DROP;
667 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
668 (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
669 !icmp_is_error_message (icmp0)))
671 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
672 next0 = SNAT_IN2OUT_NEXT_DROP;
679 *p_proto = key0.protocol;
680 *p_dont_translate = dont_translate;
684 static inline u32 icmp_in2out (snat_main_t *sm,
687 icmp46_header_t * icmp0,
690 vlib_node_runtime_t * node,
696 snat_session_key_t sm0;
698 icmp_echo_header_t *echo0, *inner_echo0 = 0;
699 ip4_header_t *inner_ip0;
701 icmp46_header_t *inner_icmp0;
703 u32 new_addr0, old_addr0;
704 u16 old_id0, new_id0;
709 echo0 = (icmp_echo_header_t *)(icmp0+1);
711 next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0,
712 &protocol, &sm0, &dont_translate, d, e);
715 if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate)
718 sum0 = ip_incremental_checksum (0, icmp0,
719 ntohs(ip0->length) - ip4_header_bytes (ip0));
720 checksum0 = ~ip_csum_fold (sum0);
721 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
723 next0 = SNAT_IN2OUT_NEXT_DROP;
727 old_addr0 = ip0->src_address.as_u32;
728 new_addr0 = ip0->src_address.as_u32 = sm0.addr.as_u32;
729 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0)
730 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
732 sum0 = ip0->checksum;
733 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
734 src_address /* changed member */);
735 ip0->checksum = ip_csum_fold (sum0);
737 if (!icmp_is_error_message (icmp0))
740 if (PREDICT_FALSE(new_id0 != echo0->identifier))
742 old_id0 = echo0->identifier;
744 echo0->identifier = new_id0;
746 sum0 = icmp0->checksum;
747 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
749 icmp0->checksum = ip_csum_fold (sum0);
754 inner_ip0 = (ip4_header_t *)(echo0+1);
755 l4_header = ip4_next_header (inner_ip0);
757 if (!ip4_header_checksum_is_valid (inner_ip0))
759 next0 = SNAT_IN2OUT_NEXT_DROP;
763 old_addr0 = inner_ip0->dst_address.as_u32;
764 inner_ip0->dst_address = sm0.addr;
765 new_addr0 = inner_ip0->dst_address.as_u32;
767 sum0 = icmp0->checksum;
768 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
769 dst_address /* changed member */);
770 icmp0->checksum = ip_csum_fold (sum0);
774 case SNAT_PROTOCOL_ICMP:
775 inner_icmp0 = (icmp46_header_t*)l4_header;
776 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
778 old_id0 = inner_echo0->identifier;
780 inner_echo0->identifier = new_id0;
782 sum0 = icmp0->checksum;
783 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
785 icmp0->checksum = ip_csum_fold (sum0);
787 case SNAT_PROTOCOL_UDP:
788 case SNAT_PROTOCOL_TCP:
789 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
791 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
793 sum0 = icmp0->checksum;
794 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
796 icmp0->checksum = ip_csum_fold (sum0);
810 * Hairpinning allows two endpoints on the internal side of the NAT to
811 * communicate even if they only use each other's external IP addresses
814 * @param sm NAT main.
815 * @param b0 Vlib buffer.
816 * @param ip0 IP header.
817 * @param udp0 UDP header.
818 * @param tcp0 TCP header.
819 * @param proto0 NAT protocol.
822 snat_hairpinning (snat_main_t *sm,
829 snat_session_key_t key0, sm0;
831 clib_bihash_kv_8_8_t kv0, value0;
833 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
834 u16 new_dst_port0, old_dst_port0;
836 key0.addr = ip0->dst_address;
837 key0.port = udp0->dst_port;
838 key0.protocol = proto0;
839 key0.fib_index = sm->outside_fib_index;
840 kv0.key = key0.as_u64;
842 /* Check if destination is static mappings */
843 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0))
845 new_dst_addr0 = sm0.addr.as_u32;
846 new_dst_port0 = sm0.port;
847 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
849 /* or active session */
852 if (sm->num_workers > 1)
853 ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread;
855 ti = sm->num_workers;
857 if (!clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, &value0))
861 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
862 new_dst_addr0 = s0->in2out.addr.as_u32;
863 new_dst_port0 = s0->in2out.port;
864 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
868 /* Destination is behind the same NAT, use internal address and port */
871 old_dst_addr0 = ip0->dst_address.as_u32;
872 ip0->dst_address.as_u32 = new_dst_addr0;
873 sum0 = ip0->checksum;
874 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
875 ip4_header_t, dst_address);
876 ip0->checksum = ip_csum_fold (sum0);
878 old_dst_port0 = tcp0->dst;
879 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
881 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
883 tcp0->dst = new_dst_port0;
884 sum0 = tcp0->checksum;
885 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
886 ip4_header_t, dst_address);
887 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
888 ip4_header_t /* cheat */, length);
889 tcp0->checksum = ip_csum_fold(sum0);
893 udp0->dst_port = new_dst_port0;
899 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
901 sum0 = tcp0->checksum;
902 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
903 ip4_header_t, dst_address);
904 tcp0->checksum = ip_csum_fold(sum0);
911 snat_icmp_hairpinning (snat_main_t *sm,
914 icmp46_header_t * icmp0)
916 snat_session_key_t key0, sm0;
917 clib_bihash_kv_8_8_t kv0, value0;
918 u32 new_dst_addr0 = 0, old_dst_addr0, si, ti = 0;
922 if (!icmp_is_error_message (icmp0))
924 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
925 u16 icmp_id0 = echo0->identifier;
926 key0.addr = ip0->dst_address;
927 key0.port = icmp_id0;
928 key0.protocol = SNAT_PROTOCOL_ICMP;
929 key0.fib_index = sm->outside_fib_index;
930 kv0.key = key0.as_u64;
932 if (sm->num_workers > 1)
933 ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread;
935 ti = sm->num_workers;
937 /* Check if destination is in active sessions */
938 if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0,
941 /* or static mappings */
942 if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0))
944 new_dst_addr0 = sm0.addr.as_u32;
945 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
952 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
953 new_dst_addr0 = s0->in2out.addr.as_u32;
954 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
955 echo0->identifier = s0->in2out.port;
956 sum0 = icmp0->checksum;
957 sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port,
958 icmp_echo_header_t, identifier);
959 icmp0->checksum = ip_csum_fold (sum0);
962 /* Destination is behind the same NAT, use internal address and port */
965 old_dst_addr0 = ip0->dst_address.as_u32;
966 ip0->dst_address.as_u32 = new_dst_addr0;
967 sum0 = ip0->checksum;
968 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
969 ip4_header_t, dst_address);
970 ip0->checksum = ip_csum_fold (sum0);
976 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
979 icmp46_header_t * icmp0,
982 vlib_node_runtime_t * node,
986 snat_session_t ** p_s0)
988 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
989 next0, thread_index, p_s0, 0);
990 snat_session_t * s0 = *p_s0;
991 if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0))
994 if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == 0)
995 snat_icmp_hairpinning(sm, b0, ip0, icmp0);
997 s0->last_heard = now;
999 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
1000 /* Per-user LRU list maintenance for dynamic translations */
1001 if (!snat_is_session_static (s0))
1003 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1004 s0->per_user_index);
1005 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1006 s0->per_user_list_head_index,
1007 s0->per_user_index);
1013 snat_hairpinning_unknown_proto (snat_main_t *sm,
1017 u32 old_addr, new_addr = 0, ti = 0;
1018 clib_bihash_kv_8_8_t kv, value;
1019 clib_bihash_kv_16_8_t s_kv, s_value;
1020 nat_ed_ses_key_t key;
1021 snat_session_key_t m_key;
1022 snat_static_mapping_t *m;
1026 old_addr = ip->dst_address.as_u32;
1027 key.l_addr.as_u32 = ip->dst_address.as_u32;
1028 key.r_addr.as_u32 = ip->src_address.as_u32;
1029 key.fib_index = sm->outside_fib_index;
1030 key.proto = ip->protocol;
1033 s_kv.key[0] = key.as_u64[0];
1034 s_kv.key[1] = key.as_u64[1];
1035 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1037 m_key.addr = ip->dst_address;
1038 m_key.fib_index = sm->outside_fib_index;
1041 kv.key = m_key.as_u64;
1042 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1045 m = pool_elt_at_index (sm->static_mappings, value.value);
1046 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1047 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
1048 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
1052 if (sm->num_workers > 1)
1053 ti = sm->worker_out2in_cb (ip, sm->outside_fib_index);
1055 ti = sm->num_workers;
1057 s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value);
1058 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1059 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1060 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1063 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1064 ip->checksum = ip_csum_fold (sum);
1068 snat_in2out_unknown_proto (snat_main_t *sm,
1076 clib_bihash_kv_8_8_t kv, value;
1077 clib_bihash_kv_16_8_t s_kv, s_value;
1078 snat_static_mapping_t *m;
1079 snat_session_key_t m_key;
1080 u32 old_addr, new_addr = 0;
1082 snat_user_key_t u_key;
1084 dlist_elt_t *head, *elt, *oldest;
1085 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1086 u32 elt_index, head_index, ses_index, oldest_index;
1088 nat_ed_ses_key_t key;
1089 u32 address_index = ~0;
1093 old_addr = ip->src_address.as_u32;
1095 key.l_addr = ip->src_address;
1096 key.r_addr = ip->dst_address;
1097 key.fib_index = rx_fib_index;
1098 key.proto = ip->protocol;
1101 s_kv.key[0] = key.as_u64[0];
1102 s_kv.key[1] = key.as_u64[1];
1104 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1106 s = pool_elt_at_index (tsm->sessions, s_value.value);
1107 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1111 u_key.addr = ip->src_address;
1112 u_key.fib_index = rx_fib_index;
1113 kv.key = u_key.as_u64;
1115 /* Ever heard of the "user" = src ip4 address before? */
1116 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1118 /* no, make a new one */
1119 pool_get (tsm->users, u);
1120 memset (u, 0, sizeof (*u));
1121 u->addr = ip->src_address;
1122 u->fib_index = rx_fib_index;
1124 pool_get (tsm->list_pool, head);
1125 u->sessions_per_user_list_head_index = head - tsm->list_pool;
1127 clib_dlist_init (tsm->list_pool,
1128 u->sessions_per_user_list_head_index);
1130 kv.value = u - tsm->users;
1133 clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1);
1137 u = pool_elt_at_index (tsm->users, value.value);
1140 m_key.addr = ip->src_address;
1143 m_key.fib_index = rx_fib_index;
1144 kv.key = m_key.as_u64;
1146 /* Try to find static mapping first */
1147 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
1149 m = pool_elt_at_index (sm->static_mappings, value.value);
1150 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
1154 /* Fallback to 3-tuple key */
1157 /* Choose same out address as for TCP/UDP session to same destination */
1158 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1160 head_index = u->sessions_per_user_list_head_index;
1161 head = pool_elt_at_index (tsm->list_pool, head_index);
1162 elt_index = head->next;
1163 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1164 ses_index = elt->value;
1165 while (ses_index != ~0)
1167 s = pool_elt_at_index (tsm->sessions, ses_index);
1168 elt_index = elt->next;
1169 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1170 ses_index = elt->value;
1172 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
1174 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1175 address_index = s->outside_address_index;
1177 key.fib_index = sm->outside_fib_index;
1178 key.l_addr.as_u32 = new_addr;
1179 s_kv.key[0] = key.as_u64[0];
1180 s_kv.key[1] = key.as_u64[1];
1181 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1188 key.fib_index = sm->outside_fib_index;
1189 for (i = 0; i < vec_len (sm->addresses); i++)
1191 key.l_addr.as_u32 = sm->addresses[i].addr.as_u32;
1192 s_kv.key[0] = key.as_u64[0];
1193 s_kv.key[1] = key.as_u64[1];
1194 if (clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
1196 new_addr = ip->src_address.as_u32 = key.l_addr.as_u32;
1205 /* Over quota? Recycle the least recently used dynamic translation */
1206 if (u->nsessions >= sm->max_translations_per_user && !is_sm)
1208 /* Remove the oldest dynamic translation */
1210 oldest_index = clib_dlist_remove_head (
1211 tsm->list_pool, u->sessions_per_user_list_head_index);
1213 ASSERT (oldest_index != ~0);
1215 /* add it back to the end of the LRU list */
1216 clib_dlist_addtail (tsm->list_pool,
1217 u->sessions_per_user_list_head_index,
1219 /* Get the list element */
1220 oldest = pool_elt_at_index (tsm->list_pool, oldest_index);
1222 /* Get the session index from the list element */
1223 ses_index = oldest->value;
1225 /* Get the session */
1226 s = pool_elt_at_index (tsm->sessions, ses_index);
1227 } while (snat_is_session_static (s));
1229 if (snat_is_unk_proto_session (s))
1231 /* Remove from lookup tables */
1232 key.l_addr = s->in2out.addr;
1233 key.r_addr = s->ext_host_addr;
1234 key.fib_index = s->in2out.fib_index;
1235 key.proto = s->in2out.port;
1236 s_kv.key[0] = key.as_u64[0];
1237 s_kv.key[1] = key.as_u64[1];
1238 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 0))
1239 clib_warning ("in2out key del failed");
1241 key.l_addr = s->out2in.addr;
1242 key.fib_index = s->out2in.fib_index;
1243 s_kv.key[0] = key.as_u64[0];
1244 s_kv.key[1] = key.as_u64[1];
1245 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 0))
1246 clib_warning ("out2in key del failed");
1251 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
1252 s->out2in.addr.as_u32,
1256 s->in2out.fib_index);
1258 snat_free_outside_address_and_port (sm, thread_index, &s->out2in,
1259 s->outside_address_index);
1261 /* Remove in2out, out2in keys */
1262 kv.key = s->in2out.as_u64;
1263 if (clib_bihash_add_del_8_8 (
1264 &sm->per_thread_data[thread_index].in2out, &kv, 0))
1265 clib_warning ("in2out key del failed");
1266 kv.key = s->out2in.as_u64;
1267 if (clib_bihash_add_del_8_8 (
1268 &sm->per_thread_data[thread_index].out2in, &kv, 0))
1269 clib_warning ("out2in key del failed");
1274 /* Create a new session */
1275 pool_get (tsm->sessions, s);
1276 memset (s, 0, sizeof (*s));
1278 /* Create list elts */
1279 pool_get (tsm->list_pool, elt);
1280 clib_dlist_init (tsm->list_pool, elt - tsm->list_pool);
1281 elt->value = s - tsm->sessions;
1282 s->per_user_index = elt - tsm->list_pool;
1283 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
1284 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1288 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1289 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1290 s->outside_address_index = address_index;
1291 s->out2in.addr.as_u32 = new_addr;
1292 s->out2in.fib_index = sm->outside_fib_index;
1293 s->in2out.addr.as_u32 = old_addr;
1294 s->in2out.fib_index = rx_fib_index;
1295 s->in2out.port = s->out2in.port = ip->protocol;
1298 u->nstaticsessions++;
1299 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1306 /* Add to lookup tables */
1307 key.l_addr.as_u32 = old_addr;
1308 key.r_addr = ip->dst_address;
1309 key.proto = ip->protocol;
1310 key.fib_index = rx_fib_index;
1311 s_kv.key[0] = key.as_u64[0];
1312 s_kv.key[1] = key.as_u64[1];
1313 s_kv.value = s - tsm->sessions;
1314 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1315 clib_warning ("in2out key add failed");
1317 key.l_addr.as_u32 = new_addr;
1318 key.fib_index = sm->outside_fib_index;
1319 s_kv.key[0] = key.as_u64[0];
1320 s_kv.key[1] = key.as_u64[1];
1321 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1322 clib_warning ("out2in key add failed");
1325 /* Update IP checksum */
1327 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1328 ip->checksum = ip_csum_fold (sum);
1331 s->last_heard = now;
1333 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1334 /* Per-user LRU list maintenance */
1335 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1336 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1340 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1341 snat_hairpinning_unknown_proto(sm, b, ip);
1343 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1344 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1347 static snat_session_t *
1348 snat_in2out_lb (snat_main_t *sm,
1356 nat_ed_ses_key_t key;
1357 clib_bihash_kv_16_8_t s_kv, s_value;
1358 udp_header_t *udp = ip4_next_header (ip);
1359 tcp_header_t *tcp = (tcp_header_t *) udp;
1360 snat_session_t *s = 0;
1361 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1362 u32 old_addr, new_addr;
1363 u16 new_port, old_port;
1365 u32 proto = ip_proto_to_snat_proto (ip->protocol);
1366 snat_session_key_t e_key, l_key;
1367 clib_bihash_kv_8_8_t kv, value;
1368 snat_user_key_t u_key;
1370 dlist_elt_t *head, *elt;
1372 old_addr = ip->src_address.as_u32;
1374 key.l_addr = ip->src_address;
1375 key.r_addr = ip->dst_address;
1376 key.fib_index = rx_fib_index;
1377 key.proto = ip->protocol;
1379 key.l_port = udp->src_port;
1380 s_kv.key[0] = key.as_u64[0];
1381 s_kv.key[1] = key.as_u64[1];
1383 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
1385 s = pool_elt_at_index (tsm->sessions, s_value.value);
1389 l_key.addr = ip->src_address;
1390 l_key.port = udp->src_port;
1391 l_key.protocol = proto;
1392 l_key.fib_index = rx_fib_index;
1393 if (snat_static_mapping_match(sm, l_key, &e_key, 0, 0))
1396 u_key.addr = ip->src_address;
1397 u_key.fib_index = rx_fib_index;
1398 kv.key = u_key.as_u64;
1400 /* Ever heard of the "user" = src ip4 address before? */
1401 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1403 /* no, make a new one */
1404 pool_get (tsm->users, u);
1405 memset (u, 0, sizeof (*u));
1406 u->addr = ip->src_address;
1407 u->fib_index = rx_fib_index;
1409 pool_get (tsm->list_pool, head);
1410 u->sessions_per_user_list_head_index = head - tsm->list_pool;
1412 clib_dlist_init (tsm->list_pool,
1413 u->sessions_per_user_list_head_index);
1415 kv.value = u - tsm->users;
1418 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
1419 clib_warning ("user key add failed");
1423 u = pool_elt_at_index (tsm->users, value.value);
1426 /* Create a new session */
1427 pool_get (tsm->sessions, s);
1428 memset (s, 0, sizeof (*s));
1430 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
1431 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1432 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1433 s->outside_address_index = ~0;
1436 u->nstaticsessions++;
1438 /* Create list elts */
1439 pool_get (tsm->list_pool, elt);
1440 clib_dlist_init (tsm->list_pool, elt - tsm->list_pool);
1441 elt->value = s - tsm->sessions;
1442 s->per_user_index = elt - tsm->list_pool;
1443 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
1444 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1447 /* Add to lookup tables */
1448 s_kv.value = s - tsm->sessions;
1449 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1450 clib_warning ("in2out-ed key add failed");
1452 key.l_addr = e_key.addr;
1453 key.fib_index = e_key.fib_index;
1454 key.l_port = e_key.port;
1455 s_kv.key[0] = key.as_u64[0];
1456 s_kv.key[1] = key.as_u64[1];
1457 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1458 clib_warning ("out2in-ed key add failed");
1461 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
1463 /* Update IP checksum */
1465 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1466 ip->checksum = ip_csum_fold (sum);
1468 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1470 old_port = tcp->src_port;
1471 tcp->src_port = s->out2in.port;
1472 new_port = tcp->src_port;
1474 sum = tcp->checksum;
1475 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
1476 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1477 tcp->checksum = ip_csum_fold(sum);
1481 udp->src_port = s->out2in.port;
1485 if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0)
1486 vnet_buffer(b)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
1489 s->last_heard = now;
1491 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1496 snat_in2out_node_fn_inline (vlib_main_t * vm,
1497 vlib_node_runtime_t * node,
1498 vlib_frame_t * frame, int is_slow_path,
1499 int is_output_feature)
1501 u32 n_left_from, * from, * to_next;
1502 snat_in2out_next_t next_index;
1503 u32 pkts_processed = 0;
1504 snat_main_t * sm = &snat_main;
1505 f64 now = vlib_time_now (vm);
1506 u32 stats_node_index;
1507 u32 thread_index = vlib_get_thread_index ();
1509 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
1510 snat_in2out_node.index;
1512 from = vlib_frame_vector_args (frame);
1513 n_left_from = frame->n_vectors;
1514 next_index = node->cached_next_index;
1516 while (n_left_from > 0)
1520 vlib_get_next_frame (vm, node, next_index,
1521 to_next, n_left_to_next);
1523 while (n_left_from >= 4 && n_left_to_next >= 2)
1526 vlib_buffer_t * b0, * b1;
1528 u32 sw_if_index0, sw_if_index1;
1529 ip4_header_t * ip0, * ip1;
1530 ip_csum_t sum0, sum1;
1531 u32 new_addr0, old_addr0, new_addr1, old_addr1;
1532 u16 old_port0, new_port0, old_port1, new_port1;
1533 udp_header_t * udp0, * udp1;
1534 tcp_header_t * tcp0, * tcp1;
1535 icmp46_header_t * icmp0, * icmp1;
1536 snat_session_key_t key0, key1;
1537 u32 rx_fib_index0, rx_fib_index1;
1539 snat_session_t * s0 = 0, * s1 = 0;
1540 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
1541 u32 iph_offset0 = 0, iph_offset1 = 0;
1543 /* Prefetch next iteration. */
1545 vlib_buffer_t * p2, * p3;
1547 p2 = vlib_get_buffer (vm, from[2]);
1548 p3 = vlib_get_buffer (vm, from[3]);
1550 vlib_prefetch_buffer_header (p2, LOAD);
1551 vlib_prefetch_buffer_header (p3, LOAD);
1553 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1554 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1557 /* speculatively enqueue b0 and b1 to the current next frame */
1558 to_next[0] = bi0 = from[0];
1559 to_next[1] = bi1 = from[1];
1563 n_left_to_next -= 2;
1565 b0 = vlib_get_buffer (vm, bi0);
1566 b1 = vlib_get_buffer (vm, bi1);
1568 if (is_output_feature)
1569 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1571 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1574 udp0 = ip4_next_header (ip0);
1575 tcp0 = (tcp_header_t *) udp0;
1576 icmp0 = (icmp46_header_t *) udp0;
1578 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1579 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1582 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
1584 if (PREDICT_FALSE(ip0->ttl == 1))
1586 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1587 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1588 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1590 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1594 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1596 /* Next configured feature, probably ip4-lookup */
1599 if (PREDICT_FALSE (proto0 == ~0))
1601 snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1602 thread_index, now, vm);
1606 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1608 next0 = icmp_in2out_slow_path
1609 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1610 node, next0, now, thread_index, &s0);
1616 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1618 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1623 key0.addr = ip0->src_address;
1624 key0.port = udp0->src_port;
1625 key0.protocol = proto0;
1626 key0.fib_index = rx_fib_index0;
1628 kv0.key = key0.as_u64;
1630 if (PREDICT_FALSE (clib_bihash_search_8_8 (
1631 &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0))
1635 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
1636 ip0, proto0, rx_fib_index0, thread_index)) && !is_output_feature)
1639 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1640 &s0, node, next0, thread_index);
1641 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1646 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1652 if (PREDICT_FALSE (value0.value == ~0ULL))
1656 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1662 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1668 s0 = pool_elt_at_index (
1669 sm->per_thread_data[thread_index].sessions,
1674 old_addr0 = ip0->src_address.as_u32;
1675 ip0->src_address = s0->out2in.addr;
1676 new_addr0 = ip0->src_address.as_u32;
1677 if (!is_output_feature)
1678 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1680 sum0 = ip0->checksum;
1681 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1683 src_address /* changed member */);
1684 ip0->checksum = ip_csum_fold (sum0);
1686 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1688 old_port0 = tcp0->src_port;
1689 tcp0->src_port = s0->out2in.port;
1690 new_port0 = tcp0->src_port;
1692 sum0 = tcp0->checksum;
1693 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1695 dst_address /* changed member */);
1696 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1697 ip4_header_t /* cheat */,
1698 length /* changed member */);
1699 tcp0->checksum = ip_csum_fold(sum0);
1703 old_port0 = udp0->src_port;
1704 udp0->src_port = s0->out2in.port;
1709 if (!is_output_feature)
1710 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
1713 s0->last_heard = now;
1715 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1716 /* Per-user LRU list maintenance for dynamic translation */
1717 if (!snat_is_session_static (s0))
1719 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1720 s0->per_user_index);
1721 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1722 s0->per_user_list_head_index,
1723 s0->per_user_index);
1727 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1728 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1730 snat_in2out_trace_t *t =
1731 vlib_add_trace (vm, node, b0, sizeof (*t));
1732 t->is_slow_path = is_slow_path;
1733 t->sw_if_index = sw_if_index0;
1734 t->next_index = next0;
1735 t->session_index = ~0;
1737 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1740 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1742 if (is_output_feature)
1743 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
1745 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1748 udp1 = ip4_next_header (ip1);
1749 tcp1 = (tcp_header_t *) udp1;
1750 icmp1 = (icmp46_header_t *) udp1;
1752 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1753 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1756 if (PREDICT_FALSE(ip1->ttl == 1))
1758 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1759 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1760 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1762 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1766 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1768 /* Next configured feature, probably ip4-lookup */
1771 if (PREDICT_FALSE (proto1 == ~0))
1773 snat_in2out_unknown_proto (sm, b1, ip1, rx_fib_index1,
1774 thread_index, now, vm);
1778 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1780 next1 = icmp_in2out_slow_path
1781 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1782 next1, now, thread_index, &s1);
1788 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
1790 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1795 key1.addr = ip1->src_address;
1796 key1.port = udp1->src_port;
1797 key1.protocol = proto1;
1798 key1.fib_index = rx_fib_index1;
1800 kv1.key = key1.as_u64;
1802 if (PREDICT_FALSE(clib_bihash_search_8_8 (
1803 &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0))
1807 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1,
1808 ip1, proto1, rx_fib_index1, thread_index)) && !is_output_feature)
1811 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
1812 &s1, node, next1, thread_index);
1813 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
1818 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1824 if (PREDICT_FALSE (value1.value == ~0ULL))
1828 s1 = snat_in2out_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1834 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1840 s1 = pool_elt_at_index (
1841 sm->per_thread_data[thread_index].sessions,
1846 old_addr1 = ip1->src_address.as_u32;
1847 ip1->src_address = s1->out2in.addr;
1848 new_addr1 = ip1->src_address.as_u32;
1849 if (!is_output_feature)
1850 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1852 sum1 = ip1->checksum;
1853 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1855 src_address /* changed member */);
1856 ip1->checksum = ip_csum_fold (sum1);
1858 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1860 old_port1 = tcp1->src_port;
1861 tcp1->src_port = s1->out2in.port;
1862 new_port1 = tcp1->src_port;
1864 sum1 = tcp1->checksum;
1865 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1867 dst_address /* changed member */);
1868 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1869 ip4_header_t /* cheat */,
1870 length /* changed member */);
1871 tcp1->checksum = ip_csum_fold(sum1);
1875 old_port1 = udp1->src_port;
1876 udp1->src_port = s1->out2in.port;
1881 if (!is_output_feature)
1882 snat_hairpinning (sm, b1, ip1, udp1, tcp1, proto1);
1885 s1->last_heard = now;
1887 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1888 /* Per-user LRU list maintenance for dynamic translation */
1889 if (!snat_is_session_static (s1))
1891 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1892 s1->per_user_index);
1893 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1894 s1->per_user_list_head_index,
1895 s1->per_user_index);
1899 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1900 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1902 snat_in2out_trace_t *t =
1903 vlib_add_trace (vm, node, b1, sizeof (*t));
1904 t->sw_if_index = sw_if_index1;
1905 t->next_index = next1;
1906 t->session_index = ~0;
1908 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1911 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1913 /* verify speculative enqueues, maybe switch current next frame */
1914 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1915 to_next, n_left_to_next,
1916 bi0, bi1, next0, next1);
1919 while (n_left_from > 0 && n_left_to_next > 0)
1927 u32 new_addr0, old_addr0;
1928 u16 old_port0, new_port0;
1929 udp_header_t * udp0;
1930 tcp_header_t * tcp0;
1931 icmp46_header_t * icmp0;
1932 snat_session_key_t key0;
1935 snat_session_t * s0 = 0;
1936 clib_bihash_kv_8_8_t kv0, value0;
1937 u32 iph_offset0 = 0;
1939 /* speculatively enqueue b0 to the current next frame */
1945 n_left_to_next -= 1;
1947 b0 = vlib_get_buffer (vm, bi0);
1948 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1950 if (is_output_feature)
1951 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1953 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1956 udp0 = ip4_next_header (ip0);
1957 tcp0 = (tcp_header_t *) udp0;
1958 icmp0 = (icmp46_header_t *) udp0;
1960 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1961 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1964 if (PREDICT_FALSE(ip0->ttl == 1))
1966 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1967 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1968 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1970 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1974 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1976 /* Next configured feature, probably ip4-lookup */
1979 if (PREDICT_FALSE (proto0 == ~0))
1981 snat_in2out_unknown_proto (sm, b0, ip0, rx_fib_index0,
1982 thread_index, now, vm);
1986 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1988 next0 = icmp_in2out_slow_path
1989 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1990 next0, now, thread_index, &s0);
1996 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1998 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2003 key0.addr = ip0->src_address;
2004 key0.port = udp0->src_port;
2005 key0.protocol = proto0;
2006 key0.fib_index = rx_fib_index0;
2008 kv0.key = key0.as_u64;
2010 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out,
2015 if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0,
2016 ip0, proto0, rx_fib_index0, thread_index)) && !is_output_feature)
2019 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
2020 &s0, node, next0, thread_index);
2022 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
2027 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2033 if (PREDICT_FALSE (value0.value == ~0ULL))
2037 s0 = snat_in2out_lb(sm, b0, ip0, rx_fib_index0, thread_index,
2043 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
2049 s0 = pool_elt_at_index (
2050 sm->per_thread_data[thread_index].sessions,
2055 old_addr0 = ip0->src_address.as_u32;
2056 ip0->src_address = s0->out2in.addr;
2057 new_addr0 = ip0->src_address.as_u32;
2058 if (!is_output_feature)
2059 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
2061 sum0 = ip0->checksum;
2062 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2064 src_address /* changed member */);
2065 ip0->checksum = ip_csum_fold (sum0);
2067 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2069 old_port0 = tcp0->src_port;
2070 tcp0->src_port = s0->out2in.port;
2071 new_port0 = tcp0->src_port;
2073 sum0 = tcp0->checksum;
2074 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2076 dst_address /* changed member */);
2077 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2078 ip4_header_t /* cheat */,
2079 length /* changed member */);
2080 tcp0->checksum = ip_csum_fold(sum0);
2084 old_port0 = udp0->src_port;
2085 udp0->src_port = s0->out2in.port;
2090 if (!is_output_feature)
2091 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
2094 s0->last_heard = now;
2096 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
2097 /* Per-user LRU list maintenance for dynamic translation */
2098 if (!snat_is_session_static (s0))
2100 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
2101 s0->per_user_index);
2102 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
2103 s0->per_user_list_head_index,
2104 s0->per_user_index);
2108 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2109 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2111 snat_in2out_trace_t *t =
2112 vlib_add_trace (vm, node, b0, sizeof (*t));
2113 t->is_slow_path = is_slow_path;
2114 t->sw_if_index = sw_if_index0;
2115 t->next_index = next0;
2116 t->session_index = ~0;
2118 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
2121 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2123 /* verify speculative enqueue, maybe switch current next frame */
2124 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2125 to_next, n_left_to_next,
2129 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2132 vlib_node_increment_counter (vm, stats_node_index,
2133 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2135 return frame->n_vectors;
2139 snat_in2out_fast_path_fn (vlib_main_t * vm,
2140 vlib_node_runtime_t * node,
2141 vlib_frame_t * frame)
2143 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0);
2146 VLIB_REGISTER_NODE (snat_in2out_node) = {
2147 .function = snat_in2out_fast_path_fn,
2148 .name = "nat44-in2out",
2149 .vector_size = sizeof (u32),
2150 .format_trace = format_snat_in2out_trace,
2151 .type = VLIB_NODE_TYPE_INTERNAL,
2153 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2154 .error_strings = snat_in2out_error_strings,
2156 .runtime_data_bytes = sizeof (snat_runtime_t),
2158 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2160 /* edit / add dispositions here */
2162 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2163 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2164 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2165 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2169 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
2172 snat_in2out_output_fast_path_fn (vlib_main_t * vm,
2173 vlib_node_runtime_t * node,
2174 vlib_frame_t * frame)
2176 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1);
2179 VLIB_REGISTER_NODE (snat_in2out_output_node) = {
2180 .function = snat_in2out_output_fast_path_fn,
2181 .name = "nat44-in2out-output",
2182 .vector_size = sizeof (u32),
2183 .format_trace = format_snat_in2out_trace,
2184 .type = VLIB_NODE_TYPE_INTERNAL,
2186 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2187 .error_strings = snat_in2out_error_strings,
2189 .runtime_data_bytes = sizeof (snat_runtime_t),
2191 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2193 /* edit / add dispositions here */
2195 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2196 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2197 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2198 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2202 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node,
2203 snat_in2out_output_fast_path_fn);
2206 snat_in2out_slow_path_fn (vlib_main_t * vm,
2207 vlib_node_runtime_t * node,
2208 vlib_frame_t * frame)
2210 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0);
2213 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
2214 .function = snat_in2out_slow_path_fn,
2215 .name = "nat44-in2out-slowpath",
2216 .vector_size = sizeof (u32),
2217 .format_trace = format_snat_in2out_trace,
2218 .type = VLIB_NODE_TYPE_INTERNAL,
2220 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2221 .error_strings = snat_in2out_error_strings,
2223 .runtime_data_bytes = sizeof (snat_runtime_t),
2225 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2227 /* edit / add dispositions here */
2229 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2230 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2231 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
2232 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2236 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node,
2237 snat_in2out_slow_path_fn);
2240 snat_in2out_output_slow_path_fn (vlib_main_t * vm,
2241 vlib_node_runtime_t * node,
2242 vlib_frame_t * frame)
2244 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1);
2247 VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
2248 .function = snat_in2out_output_slow_path_fn,
2249 .name = "nat44-in2out-output-slowpath",
2250 .vector_size = sizeof (u32),
2251 .format_trace = format_snat_in2out_trace,
2252 .type = VLIB_NODE_TYPE_INTERNAL,
2254 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2255 .error_strings = snat_in2out_error_strings,
2257 .runtime_data_bytes = sizeof (snat_runtime_t),
2259 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
2261 /* edit / add dispositions here */
2263 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2264 [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
2265 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
2266 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2270 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node,
2271 snat_in2out_output_slow_path_fn);
2273 /**************************/
2274 /*** deterministic mode ***/
2275 /**************************/
2277 snat_det_in2out_node_fn (vlib_main_t * vm,
2278 vlib_node_runtime_t * node,
2279 vlib_frame_t * frame)
2281 u32 n_left_from, * from, * to_next;
2282 snat_in2out_next_t next_index;
2283 u32 pkts_processed = 0;
2284 snat_main_t * sm = &snat_main;
2285 u32 now = (u32) vlib_time_now (vm);
2286 u32 thread_index = vlib_get_thread_index ();
2288 from = vlib_frame_vector_args (frame);
2289 n_left_from = frame->n_vectors;
2290 next_index = node->cached_next_index;
2292 while (n_left_from > 0)
2296 vlib_get_next_frame (vm, node, next_index,
2297 to_next, n_left_to_next);
2299 while (n_left_from >= 4 && n_left_to_next >= 2)
2302 vlib_buffer_t * b0, * b1;
2304 u32 sw_if_index0, sw_if_index1;
2305 ip4_header_t * ip0, * ip1;
2306 ip_csum_t sum0, sum1;
2307 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2308 u16 old_port0, new_port0, lo_port0, i0;
2309 u16 old_port1, new_port1, lo_port1, i1;
2310 udp_header_t * udp0, * udp1;
2311 tcp_header_t * tcp0, * tcp1;
2313 snat_det_out_key_t key0, key1;
2314 snat_det_map_t * dm0, * dm1;
2315 snat_det_session_t * ses0 = 0, * ses1 = 0;
2316 u32 rx_fib_index0, rx_fib_index1;
2317 icmp46_header_t * icmp0, * icmp1;
2319 /* Prefetch next iteration. */
2321 vlib_buffer_t * p2, * p3;
2323 p2 = vlib_get_buffer (vm, from[2]);
2324 p3 = vlib_get_buffer (vm, from[3]);
2326 vlib_prefetch_buffer_header (p2, LOAD);
2327 vlib_prefetch_buffer_header (p3, LOAD);
2329 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2330 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2333 /* speculatively enqueue b0 and b1 to the current next frame */
2334 to_next[0] = bi0 = from[0];
2335 to_next[1] = bi1 = from[1];
2339 n_left_to_next -= 2;
2341 b0 = vlib_get_buffer (vm, bi0);
2342 b1 = vlib_get_buffer (vm, bi1);
2344 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2345 next1 = SNAT_IN2OUT_NEXT_LOOKUP;
2347 ip0 = vlib_buffer_get_current (b0);
2348 udp0 = ip4_next_header (ip0);
2349 tcp0 = (tcp_header_t *) udp0;
2351 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2353 if (PREDICT_FALSE(ip0->ttl == 1))
2355 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2356 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2357 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2359 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2363 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2365 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2367 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2368 icmp0 = (icmp46_header_t *) udp0;
2370 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2371 rx_fib_index0, node, next0, thread_index,
2376 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2377 if (PREDICT_FALSE(!dm0))
2379 clib_warning("no match for internal host %U",
2380 format_ip4_address, &ip0->src_address);
2381 next0 = SNAT_IN2OUT_NEXT_DROP;
2382 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2386 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2388 key0.ext_host_addr = ip0->dst_address;
2389 key0.ext_host_port = tcp0->dst;
2391 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2392 if (PREDICT_FALSE(!ses0))
2394 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2396 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2397 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
2399 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
2402 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
2405 if (PREDICT_FALSE(!ses0))
2407 /* too many sessions for user, send ICMP error packet */
2409 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2410 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
2411 ICMP4_destination_unreachable_destination_unreachable_host,
2413 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2418 new_port0 = ses0->out.out_port;
2420 old_addr0.as_u32 = ip0->src_address.as_u32;
2421 ip0->src_address.as_u32 = new_addr0.as_u32;
2422 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2424 sum0 = ip0->checksum;
2425 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2427 src_address /* changed member */);
2428 ip0->checksum = ip_csum_fold (sum0);
2430 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2432 if (tcp0->flags & TCP_FLAG_SYN)
2433 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
2434 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
2435 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2436 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2437 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
2438 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
2439 snat_det_ses_close(dm0, ses0);
2440 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2441 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
2442 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
2443 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2445 old_port0 = tcp0->src;
2446 tcp0->src = new_port0;
2448 sum0 = tcp0->checksum;
2449 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2451 dst_address /* changed member */);
2452 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2453 ip4_header_t /* cheat */,
2454 length /* changed member */);
2455 tcp0->checksum = ip_csum_fold(sum0);
2459 ses0->state = SNAT_SESSION_UDP_ACTIVE;
2460 old_port0 = udp0->src_port;
2461 udp0->src_port = new_port0;
2467 case SNAT_SESSION_UDP_ACTIVE:
2468 ses0->expire = now + sm->udp_timeout;
2470 case SNAT_SESSION_TCP_SYN_SENT:
2471 case SNAT_SESSION_TCP_FIN_WAIT:
2472 case SNAT_SESSION_TCP_CLOSE_WAIT:
2473 case SNAT_SESSION_TCP_LAST_ACK:
2474 ses0->expire = now + sm->tcp_transitory_timeout;
2476 case SNAT_SESSION_TCP_ESTABLISHED:
2477 ses0->expire = now + sm->tcp_established_timeout;
2482 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2483 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2485 snat_in2out_trace_t *t =
2486 vlib_add_trace (vm, node, b0, sizeof (*t));
2487 t->is_slow_path = 0;
2488 t->sw_if_index = sw_if_index0;
2489 t->next_index = next0;
2490 t->session_index = ~0;
2492 t->session_index = ses0 - dm0->sessions;
2495 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2497 ip1 = vlib_buffer_get_current (b1);
2498 udp1 = ip4_next_header (ip1);
2499 tcp1 = (tcp_header_t *) udp1;
2501 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2503 if (PREDICT_FALSE(ip1->ttl == 1))
2505 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2506 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2507 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2509 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2513 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2515 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2517 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2518 icmp1 = (icmp46_header_t *) udp1;
2520 next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
2521 rx_fib_index1, node, next1, thread_index,
2526 dm1 = snat_det_map_by_user(sm, &ip1->src_address);
2527 if (PREDICT_FALSE(!dm1))
2529 clib_warning("no match for internal host %U",
2530 format_ip4_address, &ip0->src_address);
2531 next1 = SNAT_IN2OUT_NEXT_DROP;
2532 b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2536 snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
2538 key1.ext_host_addr = ip1->dst_address;
2539 key1.ext_host_port = tcp1->dst;
2541 ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
2542 if (PREDICT_FALSE(!ses1))
2544 for (i1 = 0; i1 < dm1->ports_per_host; i1++)
2546 key1.out_port = clib_host_to_net_u16 (lo_port1 +
2547 ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
2549 if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
2552 ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
2555 if (PREDICT_FALSE(!ses1))
2557 /* too many sessions for user, send ICMP error packet */
2559 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2560 icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
2561 ICMP4_destination_unreachable_destination_unreachable_host,
2563 next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2568 new_port1 = ses1->out.out_port;
2570 old_addr1.as_u32 = ip1->src_address.as_u32;
2571 ip1->src_address.as_u32 = new_addr1.as_u32;
2572 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2574 sum1 = ip1->checksum;
2575 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2577 src_address /* changed member */);
2578 ip1->checksum = ip_csum_fold (sum1);
2580 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2582 if (tcp1->flags & TCP_FLAG_SYN)
2583 ses1->state = SNAT_SESSION_TCP_SYN_SENT;
2584 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
2585 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
2586 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2587 ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
2588 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
2589 snat_det_ses_close(dm1, ses1);
2590 else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2591 ses1->state = SNAT_SESSION_TCP_LAST_ACK;
2592 else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
2593 ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
2595 old_port1 = tcp1->src;
2596 tcp1->src = new_port1;
2598 sum1 = tcp1->checksum;
2599 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2601 dst_address /* changed member */);
2602 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2603 ip4_header_t /* cheat */,
2604 length /* changed member */);
2605 tcp1->checksum = ip_csum_fold(sum1);
2609 ses1->state = SNAT_SESSION_UDP_ACTIVE;
2610 old_port1 = udp1->src_port;
2611 udp1->src_port = new_port1;
2617 case SNAT_SESSION_UDP_ACTIVE:
2618 ses1->expire = now + sm->udp_timeout;
2620 case SNAT_SESSION_TCP_SYN_SENT:
2621 case SNAT_SESSION_TCP_FIN_WAIT:
2622 case SNAT_SESSION_TCP_CLOSE_WAIT:
2623 case SNAT_SESSION_TCP_LAST_ACK:
2624 ses1->expire = now + sm->tcp_transitory_timeout;
2626 case SNAT_SESSION_TCP_ESTABLISHED:
2627 ses1->expire = now + sm->tcp_established_timeout;
2632 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2633 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2635 snat_in2out_trace_t *t =
2636 vlib_add_trace (vm, node, b1, sizeof (*t));
2637 t->is_slow_path = 0;
2638 t->sw_if_index = sw_if_index1;
2639 t->next_index = next1;
2640 t->session_index = ~0;
2642 t->session_index = ses1 - dm1->sessions;
2645 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
2647 /* verify speculative enqueues, maybe switch current next frame */
2648 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2649 to_next, n_left_to_next,
2650 bi0, bi1, next0, next1);
2653 while (n_left_from > 0 && n_left_to_next > 0)
2661 ip4_address_t new_addr0, old_addr0;
2662 u16 old_port0, new_port0, lo_port0, i0;
2663 udp_header_t * udp0;
2664 tcp_header_t * tcp0;
2666 snat_det_out_key_t key0;
2667 snat_det_map_t * dm0;
2668 snat_det_session_t * ses0 = 0;
2670 icmp46_header_t * icmp0;
2672 /* speculatively enqueue b0 to the current next frame */
2678 n_left_to_next -= 1;
2680 b0 = vlib_get_buffer (vm, bi0);
2681 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
2683 ip0 = vlib_buffer_get_current (b0);
2684 udp0 = ip4_next_header (ip0);
2685 tcp0 = (tcp_header_t *) udp0;
2687 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2689 if (PREDICT_FALSE(ip0->ttl == 1))
2691 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2692 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2693 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2695 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2699 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2701 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2703 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2704 icmp0 = (icmp46_header_t *) udp0;
2706 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
2707 rx_fib_index0, node, next0, thread_index,
2712 dm0 = snat_det_map_by_user(sm, &ip0->src_address);
2713 if (PREDICT_FALSE(!dm0))
2715 clib_warning("no match for internal host %U",
2716 format_ip4_address, &ip0->src_address);
2717 next0 = SNAT_IN2OUT_NEXT_DROP;
2718 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2722 snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
2724 key0.ext_host_addr = ip0->dst_address;
2725 key0.ext_host_port = tcp0->dst;
2727 ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
2728 if (PREDICT_FALSE(!ses0))
2730 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2732 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2733 ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
2735 if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
2738 ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
2741 if (PREDICT_FALSE(!ses0))
2743 /* too many sessions for user, send ICMP error packet */
2745 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2746 icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
2747 ICMP4_destination_unreachable_destination_unreachable_host,
2749 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
2754 new_port0 = ses0->out.out_port;
2756 old_addr0.as_u32 = ip0->src_address.as_u32;
2757 ip0->src_address.as_u32 = new_addr0.as_u32;
2758 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
2760 sum0 = ip0->checksum;
2761 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2763 src_address /* changed member */);
2764 ip0->checksum = ip_csum_fold (sum0);
2766 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2768 if (tcp0->flags & TCP_FLAG_SYN)
2769 ses0->state = SNAT_SESSION_TCP_SYN_SENT;
2770 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
2771 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2772 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2773 ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
2774 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
2775 snat_det_ses_close(dm0, ses0);
2776 else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
2777 ses0->state = SNAT_SESSION_TCP_LAST_ACK;
2778 else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
2779 ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
2781 old_port0 = tcp0->src;
2782 tcp0->src = new_port0;
2784 sum0 = tcp0->checksum;
2785 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2787 dst_address /* changed member */);
2788 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2789 ip4_header_t /* cheat */,
2790 length /* changed member */);
2791 tcp0->checksum = ip_csum_fold(sum0);
2795 ses0->state = SNAT_SESSION_UDP_ACTIVE;
2796 old_port0 = udp0->src_port;
2797 udp0->src_port = new_port0;
2803 case SNAT_SESSION_UDP_ACTIVE:
2804 ses0->expire = now + sm->udp_timeout;
2806 case SNAT_SESSION_TCP_SYN_SENT:
2807 case SNAT_SESSION_TCP_FIN_WAIT:
2808 case SNAT_SESSION_TCP_CLOSE_WAIT:
2809 case SNAT_SESSION_TCP_LAST_ACK:
2810 ses0->expire = now + sm->tcp_transitory_timeout;
2812 case SNAT_SESSION_TCP_ESTABLISHED:
2813 ses0->expire = now + sm->tcp_established_timeout;
2818 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2819 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2821 snat_in2out_trace_t *t =
2822 vlib_add_trace (vm, node, b0, sizeof (*t));
2823 t->is_slow_path = 0;
2824 t->sw_if_index = sw_if_index0;
2825 t->next_index = next0;
2826 t->session_index = ~0;
2828 t->session_index = ses0 - dm0->sessions;
2831 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
2833 /* verify speculative enqueue, maybe switch current next frame */
2834 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2835 to_next, n_left_to_next,
2839 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2842 vlib_node_increment_counter (vm, snat_det_in2out_node.index,
2843 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
2845 return frame->n_vectors;
2848 VLIB_REGISTER_NODE (snat_det_in2out_node) = {
2849 .function = snat_det_in2out_node_fn,
2850 .name = "nat44-det-in2out",
2851 .vector_size = sizeof (u32),
2852 .format_trace = format_snat_in2out_trace,
2853 .type = VLIB_NODE_TYPE_INTERNAL,
2855 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
2856 .error_strings = snat_in2out_error_strings,
2858 .runtime_data_bytes = sizeof (snat_runtime_t),
2862 /* edit / add dispositions here */
2864 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
2865 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
2866 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2870 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
2873 * Get address and port values to be used for ICMP packet translation
2874 * and create session if needed
2876 * @param[in,out] sm NAT main
2877 * @param[in,out] node NAT node runtime
2878 * @param[in] thread_index thread index
2879 * @param[in,out] b0 buffer containing packet to be translated
2880 * @param[out] p_proto protocol used for matching
2881 * @param[out] p_value address and port after NAT translation
2882 * @param[out] p_dont_translate if packet should not be translated
2883 * @param d optional parameter
2884 * @param e optional parameter
2886 u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
2887 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
2888 snat_session_key_t *p_value,
2889 u8 *p_dont_translate, void *d, void *e)
2892 icmp46_header_t *icmp0;
2896 snat_det_out_key_t key0;
2897 u8 dont_translate = 0;
2899 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2900 ip4_header_t *inner_ip0;
2901 void *l4_header = 0;
2902 icmp46_header_t *inner_icmp0;
2903 snat_det_map_t * dm0 = 0;
2904 ip4_address_t new_addr0;
2906 snat_det_session_t * ses0 = 0;
2907 ip4_address_t in_addr;
2910 ip0 = vlib_buffer_get_current (b0);
2911 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2912 echo0 = (icmp_echo_header_t *)(icmp0+1);
2913 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2914 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
2916 if (!icmp_is_error_message (icmp0))
2918 protocol = SNAT_PROTOCOL_ICMP;
2919 in_addr = ip0->src_address;
2920 in_port = echo0->identifier;
2924 inner_ip0 = (ip4_header_t *)(echo0+1);
2925 l4_header = ip4_next_header (inner_ip0);
2926 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2927 in_addr = inner_ip0->dst_address;
2930 case SNAT_PROTOCOL_ICMP:
2931 inner_icmp0 = (icmp46_header_t*)l4_header;
2932 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2933 in_port = inner_echo0->identifier;
2935 case SNAT_PROTOCOL_UDP:
2936 case SNAT_PROTOCOL_TCP:
2937 in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2940 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
2941 next0 = SNAT_IN2OUT_NEXT_DROP;
2946 dm0 = snat_det_map_by_user(sm, &in_addr);
2947 if (PREDICT_FALSE(!dm0))
2949 clib_warning("no match for internal host %U",
2950 format_ip4_address, &in_addr);
2951 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
2952 IP_PROTOCOL_ICMP, rx_fib_index0)))
2957 next0 = SNAT_IN2OUT_NEXT_DROP;
2958 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
2962 snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
2964 key0.ext_host_addr = ip0->dst_address;
2965 key0.ext_host_port = 0;
2967 ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
2968 if (PREDICT_FALSE(!ses0))
2970 if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
2971 IP_PROTOCOL_ICMP, rx_fib_index0)))
2976 if (icmp0->type != ICMP4_echo_request)
2978 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
2979 next0 = SNAT_IN2OUT_NEXT_DROP;
2982 for (i0 = 0; i0 < dm0->ports_per_host; i0++)
2984 key0.out_port = clib_host_to_net_u16 (lo_port0 +
2985 ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host));
2987 if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64))
2990 ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0);
2993 if (PREDICT_FALSE(!ses0))
2995 next0 = SNAT_IN2OUT_NEXT_DROP;
2996 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
3001 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request &&
3002 !icmp_is_error_message (icmp0)))
3004 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
3005 next0 = SNAT_IN2OUT_NEXT_DROP;
3009 u32 now = (u32) vlib_time_now (sm->vlib_main);
3011 ses0->state = SNAT_SESSION_ICMP_ACTIVE;
3012 ses0->expire = now + sm->icmp_timeout;
3015 *p_proto = protocol;
3018 p_value->addr = new_addr0;
3019 p_value->fib_index = sm->outside_fib_index;
3020 p_value->port = ses0->out.out_port;
3022 *p_dont_translate = dont_translate;
3024 *(snat_det_session_t**)d = ses0;
3026 *(snat_det_map_t**)e = dm0;
3030 /**********************/
3031 /*** worker handoff ***/
3032 /**********************/
3034 snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm,
3035 vlib_node_runtime_t * node,
3036 vlib_frame_t * frame,
3039 snat_main_t *sm = &snat_main;
3040 vlib_thread_main_t *tm = vlib_get_thread_main ();
3041 u32 n_left_from, *from, *to_next = 0;
3042 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3043 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3045 vlib_frame_queue_elt_t *hf = 0;
3046 vlib_frame_t *f = 0;
3048 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3049 u32 next_worker_index = 0;
3050 u32 current_worker_index = ~0;
3051 u32 thread_index = vlib_get_thread_index ();
3055 ASSERT (vec_len (sm->workers));
3059 fq_index = sm->fq_in2out_output_index;
3060 to_node_index = sm->in2out_output_node_index;
3064 fq_index = sm->fq_in2out_index;
3065 to_node_index = sm->in2out_node_index;
3068 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3070 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3072 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3073 sm->first_worker_index + sm->num_workers - 1,
3074 (vlib_frame_queue_t *) (~0));
3077 from = vlib_frame_vector_args (frame);
3078 n_left_from = frame->n_vectors;
3080 while (n_left_from > 0)
3093 b0 = vlib_get_buffer (vm, bi0);
3095 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3096 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3098 ip0 = vlib_buffer_get_current (b0);
3100 next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0);
3102 if (PREDICT_FALSE (next_worker_index != thread_index))
3106 if (next_worker_index != current_worker_index)
3109 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3111 hf = vlib_get_worker_handoff_queue_elt (fq_index,
3113 handoff_queue_elt_by_worker_index);
3115 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3116 to_next_worker = &hf->buffer_index[hf->n_vectors];
3117 current_worker_index = next_worker_index;
3120 /* enqueue to correct worker thread */
3121 to_next_worker[0] = bi0;
3123 n_left_to_next_worker--;
3125 if (n_left_to_next_worker == 0)
3127 hf->n_vectors = VLIB_FRAME_SIZE;
3128 vlib_put_frame_queue_elt (hf);
3129 current_worker_index = ~0;
3130 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3137 /* if this is 1st frame */
3140 f = vlib_get_frame_to_node (vm, to_node_index);
3141 to_next = vlib_frame_vector_args (f);
3149 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3150 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3152 snat_in2out_worker_handoff_trace_t *t =
3153 vlib_add_trace (vm, node, b0, sizeof (*t));
3154 t->next_worker_index = next_worker_index;
3155 t->do_handoff = do_handoff;
3160 vlib_put_frame_to_node (vm, to_node_index, f);
3163 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3165 /* Ship frames to the worker nodes */
3166 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3168 if (handoff_queue_elt_by_worker_index[i])
3170 hf = handoff_queue_elt_by_worker_index[i];
3172 * It works better to let the handoff node
3173 * rate-adapt, always ship the handoff queue element.
3175 if (1 || hf->n_vectors == hf->last_n_vectors)
3177 vlib_put_frame_queue_elt (hf);
3178 handoff_queue_elt_by_worker_index[i] = 0;
3181 hf->last_n_vectors = hf->n_vectors;
3183 congested_handoff_queue_by_worker_index[i] =
3184 (vlib_frame_queue_t *) (~0);
3187 current_worker_index = ~0;
3188 return frame->n_vectors;
3192 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
3193 vlib_node_runtime_t * node,
3194 vlib_frame_t * frame)
3196 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0);
3199 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
3200 .function = snat_in2out_worker_handoff_fn,
3201 .name = "nat44-in2out-worker-handoff",
3202 .vector_size = sizeof (u32),
3203 .format_trace = format_snat_in2out_worker_handoff_trace,
3204 .type = VLIB_NODE_TYPE_INTERNAL,
3213 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node,
3214 snat_in2out_worker_handoff_fn);
3217 snat_in2out_output_worker_handoff_fn (vlib_main_t * vm,
3218 vlib_node_runtime_t * node,
3219 vlib_frame_t * frame)
3221 return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1);
3224 VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = {
3225 .function = snat_in2out_output_worker_handoff_fn,
3226 .name = "nat44-in2out-output-worker-handoff",
3227 .vector_size = sizeof (u32),
3228 .format_trace = format_snat_in2out_worker_handoff_trace,
3229 .type = VLIB_NODE_TYPE_INTERNAL,
3238 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node,
3239 snat_in2out_output_worker_handoff_fn);
3241 static_always_inline int
3242 is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr)
3244 snat_address_t * ap;
3245 clib_bihash_kv_8_8_t kv, value;
3246 snat_session_key_t m_key;
3248 vec_foreach (ap, sm->addresses)
3250 if (ap->addr.as_u32 == dst_addr->as_u32)
3254 m_key.addr.as_u32 = dst_addr->as_u32;
3255 m_key.fib_index = sm->outside_fib_index;
3258 kv.key = m_key.as_u64;
3259 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
3266 snat_hairpin_dst_fn (vlib_main_t * vm,
3267 vlib_node_runtime_t * node,
3268 vlib_frame_t * frame)
3270 u32 n_left_from, * from, * to_next;
3271 snat_in2out_next_t next_index;
3272 u32 pkts_processed = 0;
3273 snat_main_t * sm = &snat_main;
3275 from = vlib_frame_vector_args (frame);
3276 n_left_from = frame->n_vectors;
3277 next_index = node->cached_next_index;
3279 while (n_left_from > 0)
3283 vlib_get_next_frame (vm, node, next_index,
3284 to_next, n_left_to_next);
3286 while (n_left_from > 0 && n_left_to_next > 0)
3294 /* speculatively enqueue b0 to the current next frame */
3300 n_left_to_next -= 1;
3302 b0 = vlib_get_buffer (vm, bi0);
3303 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3304 ip0 = vlib_buffer_get_current (b0);
3306 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3308 vnet_buffer (b0)->snat.flags = 0;
3309 if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address)))
3311 if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP)
3313 udp_header_t * udp0 = ip4_next_header (ip0);
3314 tcp_header_t * tcp0 = (tcp_header_t *) udp0;
3316 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3318 else if (proto0 == SNAT_PROTOCOL_ICMP)
3320 icmp46_header_t * icmp0 = ip4_next_header (ip0);
3322 snat_icmp_hairpinning (sm, b0, ip0, icmp0);
3326 snat_hairpinning_unknown_proto (sm, b0, ip0);
3329 vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING;
3330 clib_warning("is hairpinning");
3333 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3335 /* verify speculative enqueue, maybe switch current next frame */
3336 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3337 to_next, n_left_to_next,
3341 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3344 vlib_node_increment_counter (vm, snat_hairpin_dst_node.index,
3345 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3347 return frame->n_vectors;
3350 VLIB_REGISTER_NODE (snat_hairpin_dst_node) = {
3351 .function = snat_hairpin_dst_fn,
3352 .name = "nat44-hairpin-dst",
3353 .vector_size = sizeof (u32),
3354 .type = VLIB_NODE_TYPE_INTERNAL,
3355 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3356 .error_strings = snat_in2out_error_strings,
3359 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3360 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3364 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node,
3365 snat_hairpin_dst_fn);
3368 snat_hairpin_src_fn (vlib_main_t * vm,
3369 vlib_node_runtime_t * node,
3370 vlib_frame_t * frame)
3372 u32 n_left_from, * from, * to_next;
3373 snat_in2out_next_t next_index;
3374 u32 pkts_processed = 0;
3375 snat_main_t *sm = &snat_main;
3377 from = vlib_frame_vector_args (frame);
3378 n_left_from = frame->n_vectors;
3379 next_index = node->cached_next_index;
3381 while (n_left_from > 0)
3385 vlib_get_next_frame (vm, node, next_index,
3386 to_next, n_left_to_next);
3388 while (n_left_from > 0 && n_left_to_next > 0)
3393 snat_interface_t *i;
3396 /* speculatively enqueue b0 to the current next frame */
3402 n_left_to_next -= 1;
3404 b0 = vlib_get_buffer (vm, bi0);
3405 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3406 next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT;
3408 pool_foreach (i, sm->output_feature_interfaces,
3410 /* Only packets from NAT inside interface */
3411 if ((i->is_inside == 1) && (sw_if_index0 == i->sw_if_index))
3413 if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) &
3414 SNAT_FLAG_HAIRPINNING))
3416 if (PREDICT_TRUE (sm->num_workers > 1))
3417 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH;
3419 next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT;
3425 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3427 /* verify speculative enqueue, maybe switch current next frame */
3428 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3429 to_next, n_left_to_next,
3433 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3436 vlib_node_increment_counter (vm, snat_hairpin_src_node.index,
3437 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3439 return frame->n_vectors;
3442 VLIB_REGISTER_NODE (snat_hairpin_src_node) = {
3443 .function = snat_hairpin_src_fn,
3444 .name = "nat44-hairpin-src",
3445 .vector_size = sizeof (u32),
3446 .type = VLIB_NODE_TYPE_INTERNAL,
3447 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3448 .error_strings = snat_in2out_error_strings,
3449 .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT,
3451 [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop",
3452 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output",
3453 [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output",
3454 [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff",
3458 VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node,
3459 snat_hairpin_src_fn);
3462 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
3463 vlib_node_runtime_t * node,
3464 vlib_frame_t * frame)
3466 u32 n_left_from, * from, * to_next;
3467 snat_in2out_next_t next_index;
3468 u32 pkts_processed = 0;
3469 snat_main_t * sm = &snat_main;
3470 u32 stats_node_index;
3472 stats_node_index = snat_in2out_fast_node.index;
3474 from = vlib_frame_vector_args (frame);
3475 n_left_from = frame->n_vectors;
3476 next_index = node->cached_next_index;
3478 while (n_left_from > 0)
3482 vlib_get_next_frame (vm, node, next_index,
3483 to_next, n_left_to_next);
3485 while (n_left_from > 0 && n_left_to_next > 0)
3493 u32 new_addr0, old_addr0;
3494 u16 old_port0, new_port0;
3495 udp_header_t * udp0;
3496 tcp_header_t * tcp0;
3497 icmp46_header_t * icmp0;
3498 snat_session_key_t key0, sm0;
3502 /* speculatively enqueue b0 to the current next frame */
3508 n_left_to_next -= 1;
3510 b0 = vlib_get_buffer (vm, bi0);
3511 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
3513 ip0 = vlib_buffer_get_current (b0);
3514 udp0 = ip4_next_header (ip0);
3515 tcp0 = (tcp_header_t *) udp0;
3516 icmp0 = (icmp46_header_t *) udp0;
3518 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3519 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3521 if (PREDICT_FALSE(ip0->ttl == 1))
3523 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3524 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3525 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3527 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
3531 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3533 if (PREDICT_FALSE (proto0 == ~0))
3536 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
3538 next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
3539 rx_fib_index0, node, next0, ~0, 0, 0);
3543 key0.addr = ip0->src_address;
3544 key0.protocol = proto0;
3545 key0.port = udp0->src_port;
3546 key0.fib_index = rx_fib_index0;
3548 if (snat_static_mapping_match(sm, key0, &sm0, 0, 0))
3550 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
3551 next0= SNAT_IN2OUT_NEXT_DROP;
3555 new_addr0 = sm0.addr.as_u32;
3556 new_port0 = sm0.port;
3557 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
3558 old_addr0 = ip0->src_address.as_u32;
3559 ip0->src_address.as_u32 = new_addr0;
3561 sum0 = ip0->checksum;
3562 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3564 src_address /* changed member */);
3565 ip0->checksum = ip_csum_fold (sum0);
3567 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
3569 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3571 old_port0 = tcp0->src_port;
3572 tcp0->src_port = new_port0;
3574 sum0 = tcp0->checksum;
3575 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3577 dst_address /* changed member */);
3578 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3579 ip4_header_t /* cheat */,
3580 length /* changed member */);
3581 tcp0->checksum = ip_csum_fold(sum0);
3585 old_port0 = udp0->src_port;
3586 udp0->src_port = new_port0;
3592 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3594 sum0 = tcp0->checksum;
3595 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3597 dst_address /* changed member */);
3598 tcp0->checksum = ip_csum_fold(sum0);
3603 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
3606 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3607 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3609 snat_in2out_trace_t *t =
3610 vlib_add_trace (vm, node, b0, sizeof (*t));
3611 t->sw_if_index = sw_if_index0;
3612 t->next_index = next0;
3615 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
3617 /* verify speculative enqueue, maybe switch current next frame */
3618 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3619 to_next, n_left_to_next,
3623 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3626 vlib_node_increment_counter (vm, stats_node_index,
3627 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
3629 return frame->n_vectors;
3633 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
3634 .function = snat_in2out_fast_static_map_fn,
3635 .name = "nat44-in2out-fast",
3636 .vector_size = sizeof (u32),
3637 .format_trace = format_snat_in2out_fast_trace,
3638 .type = VLIB_NODE_TYPE_INTERNAL,
3640 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
3641 .error_strings = snat_in2out_error_strings,
3643 .runtime_data_bytes = sizeof (snat_runtime_t),
3645 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
3647 /* edit / add dispositions here */
3649 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
3650 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
3651 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
3652 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3656 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob