Code Review / vpp.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
nat: scavenging functionality removed
[vpp.git] / src / plugins / nat / in2out_ed.c
1 /*
2  * Copyright (c) 2018 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  *     http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 /**
16  * @file
17  * @brief NAT44 endpoint-dependent inside to outside network translation
18  */
19
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp.h>
27 #include <vppinfra/error.h>
28 #include <nat/nat.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat44/inlines.h>
32 #include <nat/nat_syslog.h>
33 #include <nat/nat_ha.h>
34
35 static char *nat_in2out_ed_error_strings[] = {
36 #define _(sym,string) string,
37   foreach_nat_in2out_ed_error
38 #undef _
39 };
40
41 typedef struct
42 {
43   u32 sw_if_index;
44   u32 next_index;
45   u32 session_index;
46   u32 is_slow_path;
47 } nat_in2out_ed_trace_t;
48
49 static u8 *
50 format_nat_in2out_ed_trace (u8 * s, va_list * args)
51 {
52   CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
53   CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
54   nat_in2out_ed_trace_t *t = va_arg (*args, nat_in2out_ed_trace_t *);
55   char *tag;
56
57   tag =
58     t->is_slow_path ? "NAT44_IN2OUT_ED_SLOW_PATH" :
59     "NAT44_IN2OUT_ED_FAST_PATH";
60
61   s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
62               t->sw_if_index, t->next_index, t->session_index);
63
64   return s;
65 }
66
67 #ifndef CLIB_MARCH_VARIANT
68 int
69 nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
70 {
71   snat_main_t *sm = &snat_main;
72   nat44_is_idle_session_ctx_t *ctx = arg;
73   snat_session_t *s;
74   u64 sess_timeout_time;
75   nat_ed_ses_key_t ed_key;
76   clib_bihash_kv_16_8_t ed_kv;
77   int i;
78   snat_address_t *a;
79   snat_session_key_t key;
80   snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
81                                                        ctx->thread_index);
82
83   s = pool_elt_at_index (tsm->sessions, kv->value);
84   sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
85   if (ctx->now >= sess_timeout_time)
86     {
87       if (is_fwd_bypass_session (s))
88         goto delete;
89
90       ed_key.l_addr = s->out2in.addr;
91       ed_key.r_addr = s->ext_host_addr;
92       ed_key.fib_index = s->out2in.fib_index;
93       if (snat_is_unk_proto_session (s))
94         {
95           ed_key.proto = s->in2out.port;
96           ed_key.r_port = 0;
97           ed_key.l_port = 0;
98         }
99       else
100         {
101           ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
102           ed_key.l_port = s->out2in.port;
103           ed_key.r_port = s->ext_host_port;
104         }
105       ed_kv.key[0] = ed_key.as_u64[0];
106       ed_kv.key[1] = ed_key.as_u64[1];
107       if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0))
108         nat_elog_warn ("out2in_ed key del failed");
109
110       ed_bihash_kv_t bihash_key;
111       clib_memset (&bihash_key, 0, sizeof (bihash_key));
112       bihash_key.k.dst_address = s->ext_host_addr.as_u32;
113       bihash_key.k.dst_port = s->ext_host_port;
114       bihash_key.k.src_address = s->out2in.addr.as_u32;
115       bihash_key.k.src_port = s->out2in.port;
116       bihash_key.k.protocol = s->out2in.protocol;
117       clib_bihash_add_del_16_8 (&sm->ed_ext_ports, &bihash_key.kv,
118                                 0 /* is_add */ );
119
120       if (snat_is_unk_proto_session (s))
121         goto delete;
122
123       snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
124                                            s->in2out.addr.as_u32,
125                                            s->out2in.addr.as_u32,
126                                            s->in2out.protocol,
127                                            s->in2out.port,
128                                            s->out2in.port,
129                                            s->in2out.fib_index);
130
131       nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
132                              &s->in2out.addr, s->in2out.port,
133                              &s->ext_host_nat_addr, s->ext_host_nat_port,
134                              &s->out2in.addr, s->out2in.port,
135                              &s->ext_host_addr, s->ext_host_port,
136                              s->in2out.protocol, is_twice_nat_session (s));
137
138       nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
139                    s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
140                    ctx->thread_index);
141
142       if (is_twice_nat_session (s))
143         {
144           for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
145             {
146               key.protocol = s->in2out.protocol;
147               key.port = s->ext_host_nat_port;
148               a = sm->twice_nat_addresses + i;
149               if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
150                 {
151                   snat_free_outside_address_and_port (sm->twice_nat_addresses,
152                                                       ctx->thread_index,
153                                                       &key);
154                   break;
155                 }
156             }
157         }
158
159       if (snat_is_session_static (s))
160         goto delete;
161
162       snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
163                                           &s->out2in);
164     delete:
165       nat44_delete_session (sm, s, ctx->thread_index);
166       return 1;
167     }
168
169   return 0;
170 }
171 #endif
172
173 static inline u32
174 icmp_in2out_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
175                           ip4_header_t * ip0, icmp46_header_t * icmp0,
176                           u32 sw_if_index0, u32 rx_fib_index0,
177                           vlib_node_runtime_t * node, u32 next0, f64 now,
178                           u32 thread_index, snat_session_t ** p_s0)
179 {
180   next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
181                        next0, thread_index, p_s0, 0);
182   snat_session_t *s0 = *p_s0;
183   if (PREDICT_TRUE (next0 != NAT_NEXT_DROP && s0))
184     {
185       /* Accounting */
186       nat44_session_update_counters (s0, now,
187                                      vlib_buffer_length_in_chain
188                                      (sm->vlib_main, b0), thread_index);
189       /* Per-user LRU list maintenance */
190       nat44_session_update_lru (sm, s0, thread_index);
191     }
192   return next0;
193 }
194
195 static_always_inline u16
196 snat_random_port (u16 min, u16 max)
197 {
198   snat_main_t *sm = &snat_main;
199   return min + random_u32 (&sm->random_seed) /
200     (random_u32_max () / (max - min + 1) + 1);
201 }
202
203 static int
204 nat_alloc_addr_and_port_ed (snat_address_t * addresses, u32 fib_index,
205                             u32 thread_index, nat_ed_ses_key_t * key,
206                             snat_session_key_t * key1, u16 port_per_thread,
207                             u32 snat_thread_index)
208 {
209   int i;
210   snat_address_t *a, *ga = 0;
211   u32 portnum;
212
213   const u16 port_thread_offset = (port_per_thread * snat_thread_index) + 1024;
214   ed_bihash_kv_t bihash_key;
215   clib_memset (&bihash_key, 0, sizeof (bihash_key));
216   bihash_key.k.dst_address = key->r_addr.as_u32;
217   bihash_key.k.dst_port = key->r_port;
218   bihash_key.k.protocol = key1->protocol;
219
220   for (i = 0; i < vec_len (addresses); i++)
221     {
222       a = addresses + i;
223       switch (key1->protocol)
224         {
225 #define _(N, j, n, s)                                                     \
226   case SNAT_PROTOCOL_##N:                                                 \
227     if (a->fib_index == fib_index)                                        \
228       {                                                                   \
229         bihash_key.k.src_address = a->addr.as_u32;                        \
230         u16 port = snat_random_port (1, port_per_thread);                 \
231         u16 attempts = port_per_thread;                                   \
232         while (attempts > 0)                                              \
233           {                                                               \
234             --attempts;                                                   \
235             portnum = port_thread_offset + port;                          \
236             bihash_key.k.src_port = clib_host_to_net_u16 (portnum);       \
237             int rv = clib_bihash_add_del_16_8 (                           \
238                 &snat_main.ed_ext_ports, &bihash_key.kv, 2 /* is_add */); \
239             if (0 == rv)                                                  \
240               {                                                           \
241                 ++a->busy_##n##_port_refcounts[portnum];                  \
242                 a->busy_##n##_ports_per_thread[thread_index]++;           \
243                 a->busy_##n##_ports++;                                    \
244                 key1->addr = a->addr;                                     \
245                 key1->port = clib_host_to_net_u16 (portnum);              \
246                 return 0;                                                 \
247               }                                                           \
248             port = (port + 1) % port_per_thread;                          \
249           }                                                               \
250       }                                                                   \
251     else if (a->fib_index == ~0)                                          \
252       {                                                                   \
253         ga = a;                                                           \
254       }                                                                   \
255     break;
256
257           foreach_snat_protocol;
258         default:
259           nat_elog_info ("unknown protocol");
260           return 1;
261         }
262     }
263
264   if (ga)
265     {
266       /* fake fib_index to reuse macro */
267       fib_index = ~0;
268       a = ga;
269       switch (key1->protocol)
270         {
271           foreach_snat_protocol;
272         default:
273           nat_elog_info ("unknown protocol");
274           return 1;
275         }
276     }
277
278 #undef _
279
280   /* Totally out of translations to use... */
281   snat_ipfix_logging_addresses_exhausted (thread_index, 0);
282   return 1;
283 }
284
285 static u32
286 slow_path_ed (snat_main_t * sm,
287               vlib_buffer_t * b,
288               u32 rx_fib_index,
289               clib_bihash_kv_16_8_t * kv,
290               snat_session_t ** sessionp,
291               vlib_node_runtime_t * node, u32 next, u32 thread_index, f64 now)
292 {
293   snat_session_t *s = 0;
294   snat_user_t *u;
295   snat_session_key_t key0, key1;
296   lb_nat_type_t lb = 0, is_sm = 0;
297   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
298   nat_ed_ses_key_t *key = (nat_ed_ses_key_t *) kv->key;
299   u32 proto = ip_proto_to_snat_proto (key->proto);
300   nat_outside_fib_t *outside_fib;
301   fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
302   u8 identity_nat;
303   fib_prefix_t pfx = {
304     .fp_proto = FIB_PROTOCOL_IP4,
305     .fp_len = 32,
306     .fp_addr = {
307                 .ip4.as_u32 = key->r_addr.as_u32,
308                 },
309   };
310   nat44_is_idle_session_ctx_t ctx;
311
312   if (PREDICT_FALSE (nat44_maximum_sessions_exceeded (sm, thread_index)))
313     {
314       b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED];
315       nat_ipfix_logging_max_sessions (thread_index, sm->max_translations);
316       nat_elog_notice ("maximum sessions exceeded");
317       return NAT_NEXT_DROP;
318     }
319
320   key0.addr = key->l_addr;
321   key0.port = key->l_port;
322   key1.protocol = key0.protocol = proto;
323   key0.fib_index = rx_fib_index;
324   key1.fib_index = sm->outside_fib_index;
325
326   /* First try to match static mapping by local address and port */
327   if (snat_static_mapping_match
328       (sm, key0, &key1, 0, 0, 0, &lb, 0, &identity_nat))
329     {
330       /* Try to create dynamic translation */
331       if (nat_alloc_addr_and_port_ed (sm->addresses, rx_fib_index,
332                                       thread_index, key, &key1,
333                                       sm->port_per_thread,
334                                       tsm->snat_thread_index))
335         {
336           nat_elog_notice ("addresses exhausted");
337           b->error = node->errors[NAT_IN2OUT_ED_ERROR_OUT_OF_PORTS];
338           return NAT_NEXT_DROP;
339         }
340     }
341   else
342     {
343       if (PREDICT_FALSE (identity_nat))
344         {
345           *sessionp = s;
346           return next;
347         }
348       is_sm = 1;
349     }
350
351   if (PREDICT_TRUE (proto == SNAT_PROTOCOL_TCP))
352     {
353       if (PREDICT_FALSE
354           (!tcp_flags_is_init
355            (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
356         {
357           b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
358           if (!is_sm)
359             snat_free_outside_address_and_port (sm->addresses,
360                                                 thread_index, &key1);
361           return NAT_NEXT_DROP;
362         }
363     }
364
365   u = nat_user_get_or_create (sm, &key->l_addr, rx_fib_index, thread_index);
366   if (!u)
367     {
368       nat_elog_warn ("create NAT user failed");
369       if (!is_sm)
370         snat_free_outside_address_and_port (sm->addresses,
371                                             thread_index, &key1);
372       b->error = node->errors[NAT_IN2OUT_ED_ERROR_CANNOT_CREATE_USER];
373       return NAT_NEXT_DROP;
374     }
375
376   s = nat_ed_session_alloc (sm, u, thread_index, now);
377   if (!s)
378     {
379       nat44_delete_user_with_no_session (sm, u, thread_index);
380       nat_elog_warn ("create NAT session failed");
381       if (!is_sm)
382         snat_free_outside_address_and_port (sm->addresses,
383                                             thread_index, &key1);
384       b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_USER_SESS_EXCEEDED];
385       return NAT_NEXT_DROP;
386     }
387
388   user_session_increment (sm, u, is_sm);
389   if (is_sm)
390     s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
391   if (lb)
392     s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
393   s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
394   s->ext_host_addr = key->r_addr;
395   s->ext_host_port = key->r_port;
396   s->in2out = key0;
397   s->out2in = key1;
398   s->out2in.protocol = key0.protocol;
399
400   switch (vec_len (sm->outside_fibs))
401     {
402     case 0:
403       s->out2in.fib_index = sm->outside_fib_index;
404       break;
405     case 1:
406       s->out2in.fib_index = sm->outside_fibs[0].fib_index;
407       break;
408     default:
409       /* *INDENT-OFF* */
410       vec_foreach (outside_fib, sm->outside_fibs)
411        {
412           fei = fib_table_lookup (outside_fib->fib_index, &pfx);
413           if (FIB_NODE_INDEX_INVALID != fei)
414             {
415               if (fib_entry_get_resolving_interface (fei) != ~0)
416                 {
417                   s->out2in.fib_index = outside_fib->fib_index;
418                   break;
419                 }
420             }
421         }
422       /* *INDENT-ON* */
423       break;
424     }
425
426   /* Add to lookup tables */
427   kv->value = s - tsm->sessions;
428   ctx.now = now;
429   ctx.thread_index = thread_index;
430   if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, kv,
431                                                nat44_i2o_ed_is_idle_session_cb,
432                                                &ctx))
433     nat_elog_notice ("in2out-ed key add failed");
434
435   make_ed_kv (kv, &key1.addr, &key->r_addr, key->proto, s->out2in.fib_index,
436               key1.port, key->r_port);
437   kv->value = s - tsm->sessions;
438   if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, kv,
439                                                nat44_o2i_ed_is_idle_session_cb,
440                                                &ctx))
441     nat_elog_notice ("out2in-ed key add failed");
442
443   *sessionp = s;
444
445   /* log NAT event */
446   snat_ipfix_logging_nat44_ses_create (thread_index,
447                                        s->in2out.addr.as_u32,
448                                        s->out2in.addr.as_u32,
449                                        s->in2out.protocol,
450                                        s->in2out.port,
451                                        s->out2in.port, s->in2out.fib_index);
452
453   nat_syslog_nat44_sadd (s->user_index, s->in2out.fib_index,
454                          &s->in2out.addr, s->in2out.port,
455                          &s->ext_host_nat_addr, s->ext_host_nat_port,
456                          &s->out2in.addr, s->out2in.port,
457                          &s->ext_host_addr, s->ext_host_port,
458                          s->in2out.protocol, 0);
459
460   nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
461                s->out2in.port, &s->ext_host_addr, s->ext_host_port,
462                &s->ext_host_nat_addr, s->ext_host_nat_port,
463                s->in2out.protocol, s->in2out.fib_index, s->flags,
464                thread_index, 0);
465
466   return next;
467 }
468
469 static_always_inline int
470 nat44_ed_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
471                         u32 sw_if_index, ip4_header_t * ip, u32 proto,
472                         u32 rx_fib_index, u32 thread_index)
473 {
474   udp_header_t *udp = ip4_next_header (ip);
475   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
476   clib_bihash_kv_16_8_t kv, value;
477   snat_session_key_t key0, key1;
478
479   make_ed_kv (&kv, &ip->dst_address, &ip->src_address, ip->protocol,
480               sm->outside_fib_index, udp->dst_port, udp->src_port);
481
482   /* NAT packet aimed at external address if */
483   /* has active sessions */
484   if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
485     {
486       key0.addr = ip->dst_address;
487       key0.port = udp->dst_port;
488       key0.protocol = proto;
489       key0.fib_index = sm->outside_fib_index;
490       /* or is static mappings */
491       if (!snat_static_mapping_match (sm, key0, &key1, 1, 0, 0, 0, 0, 0))
492         return 0;
493     }
494   else
495     return 0;
496
497   if (sm->forwarding_enabled)
498     return 1;
499
500   return snat_not_translate_fast (sm, node, sw_if_index, ip, proto,
501                                   rx_fib_index);
502 }
503
504 static_always_inline int
505 nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
506                                       u32 thread_index, f64 now,
507                                       vlib_main_t * vm, vlib_buffer_t * b)
508 {
509   nat_ed_ses_key_t key;
510   clib_bihash_kv_16_8_t kv, value;
511   snat_session_t *s = 0;
512   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
513
514   if (!sm->forwarding_enabled)
515     return 0;
516
517   if (ip->protocol == IP_PROTOCOL_ICMP)
518     {
519       key.as_u64[0] = key.as_u64[1] = 0;
520       if (get_icmp_i2o_ed_key (b, ip, &key))
521         return 0;
522       key.fib_index = 0;
523       kv.key[0] = key.as_u64[0];
524       kv.key[1] = key.as_u64[1];
525     }
526   else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
527     {
528       make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0,
529                   vnet_buffer (b)->ip.reass.l4_src_port,
530                   vnet_buffer (b)->ip.reass.l4_dst_port);
531     }
532   else
533     {
534       make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0, 0,
535                   0);
536     }
537
538   if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
539     {
540       s = pool_elt_at_index (tsm->sessions, value.value);
541       if (is_fwd_bypass_session (s))
542         {
543           if (ip->protocol == IP_PROTOCOL_TCP)
544             {
545               if (nat44_set_tcp_session_state_i2o
546                   (sm, now, s, b, thread_index))
547                 return 1;
548             }
549           /* Accounting */
550           nat44_session_update_counters (s, now,
551                                          vlib_buffer_length_in_chain (vm, b),
552                                          thread_index);
553           /* Per-user LRU list maintenance */
554           nat44_session_update_lru (sm, s, thread_index);
555           return 1;
556         }
557       else
558         return 0;
559     }
560
561   return 0;
562 }
563
564 static_always_inline int
565 nat44_ed_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip,
566                                        u8 proto, u16 src_port, u16 dst_port,
567                                        u32 thread_index, u32 rx_sw_if_index,
568                                        u32 tx_sw_if_index)
569 {
570   clib_bihash_kv_16_8_t kv, value;
571   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
572   snat_interface_t *i;
573   snat_session_t *s;
574   u32 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (rx_sw_if_index);
575   u32 tx_fib_index = ip4_fib_table_get_index_for_sw_if_index (tx_sw_if_index);
576
577   /* src NAT check */
578   make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, tx_fib_index,
579               src_port, dst_port);
580   if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
581     {
582       s = pool_elt_at_index (tsm->sessions, value.value);
583       if (nat44_is_ses_closed (s))
584         {
585           nat_free_session_data (sm, s, thread_index, 0);
586           nat44_delete_session (sm, s, thread_index);
587         }
588       else
589         s->flags |= SNAT_SESSION_FLAG_OUTPUT_FEATURE;
590       return 1;
591     }
592
593   /* dst NAT check */
594   make_ed_kv (&kv, &ip->dst_address, &ip->src_address, proto, rx_fib_index,
595               dst_port, src_port);
596   if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
597     {
598       s = pool_elt_at_index (tsm->sessions, value.value);
599       if (is_fwd_bypass_session (s))
600         return 0;
601
602       /* hairpinning */
603       /* *INDENT-OFF* */
604       pool_foreach (i, sm->output_feature_interfaces,
605       ({
606         if ((nat_interface_is_inside (i)) && (rx_sw_if_index == i->sw_if_index))
607            return 0;
608       }));
609       /* *INDENT-ON* */
610       return 1;
611     }
612
613   return 0;
614 }
615
616 #ifndef CLIB_MARCH_VARIANT
617 u32
618 icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
619                       u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
620                       u8 * p_proto, snat_session_key_t * p_value,
621                       u8 * p_dont_translate, void *d, void *e)
622 {
623   u32 sw_if_index;
624   u32 rx_fib_index;
625   nat_ed_ses_key_t key;
626   snat_session_t *s = 0;
627   u8 dont_translate = 0;
628   clib_bihash_kv_16_8_t kv, value;
629   u32 next = ~0;
630   int err;
631   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
632
633   sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
634   rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
635
636   key.as_u64[0] = key.as_u64[1] = 0;
637   err = get_icmp_i2o_ed_key (b, ip, &key);
638   if (err != 0)
639     {
640       b->error = node->errors[err];
641       next = NAT_NEXT_DROP;
642       goto out;
643     }
644   key.fib_index = rx_fib_index;
645
646   kv.key[0] = key.as_u64[0];
647   kv.key[1] = key.as_u64[1];
648
649   if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
650     {
651       if (vnet_buffer (b)->sw_if_index[VLIB_TX] != ~0)
652         {
653           if (PREDICT_FALSE
654               (nat44_ed_not_translate_output_feature
655                (sm, ip, key.proto, key.l_port, key.r_port, thread_index,
656                 sw_if_index, vnet_buffer (b)->sw_if_index[VLIB_TX])))
657             {
658               dont_translate = 1;
659               goto out;
660             }
661         }
662       else
663         {
664           if (PREDICT_FALSE (nat44_ed_not_translate (sm, node, sw_if_index,
665                                                      ip, SNAT_PROTOCOL_ICMP,
666                                                      rx_fib_index,
667                                                      thread_index)))
668             {
669               dont_translate = 1;
670               goto out;
671             }
672         }
673
674       if (PREDICT_FALSE
675           (icmp_type_is_error_message
676            (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
677         {
678           b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
679           next = NAT_NEXT_DROP;
680           goto out;
681         }
682
683       next = slow_path_ed (sm, b, rx_fib_index, &kv, &s, node, next,
684                            thread_index, vlib_time_now (sm->vlib_main));
685
686       if (PREDICT_FALSE (next == NAT_NEXT_DROP))
687         goto out;
688
689       if (!s)
690         {
691           dont_translate = 1;
692           goto out;
693         }
694     }
695   else
696     {
697       if (PREDICT_FALSE
698           (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
699            ICMP4_echo_request
700            && vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
701            ICMP4_echo_reply
702            && !icmp_type_is_error_message (vnet_buffer (b)->ip.
703                                            reass.icmp_type_or_tcp_flags)))
704         {
705           b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
706           next = NAT_NEXT_DROP;
707           goto out;
708         }
709
710       s = pool_elt_at_index (tsm->sessions, value.value);
711     }
712
713   *p_proto = ip_proto_to_snat_proto (key.proto);
714 out:
715   if (s)
716     *p_value = s->out2in;
717   *p_dont_translate = dont_translate;
718   if (d)
719     *(snat_session_t **) d = s;
720   return next;
721 }
722 #endif
723
724 static snat_session_t *
725 nat44_ed_in2out_unknown_proto (snat_main_t * sm,
726                                vlib_buffer_t * b,
727                                ip4_header_t * ip,
728                                u32 rx_fib_index,
729                                u32 thread_index,
730                                f64 now,
731                                vlib_main_t * vm, vlib_node_runtime_t * node)
732 {
733   clib_bihash_kv_8_8_t kv, value;
734   clib_bihash_kv_16_8_t s_kv, s_value;
735   snat_static_mapping_t *m;
736   u32 old_addr, new_addr = 0;
737   ip_csum_t sum;
738   snat_user_t *u;
739   dlist_elt_t *head, *elt;
740   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
741   u32 elt_index, head_index, ses_index;
742   snat_session_t *s;
743   u32 outside_fib_index = sm->outside_fib_index;
744   int i;
745   u8 is_sm = 0;
746   nat_outside_fib_t *outside_fib;
747   fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
748   fib_prefix_t pfx = {
749     .fp_proto = FIB_PROTOCOL_IP4,
750     .fp_len = 32,
751     .fp_addr = {
752                 .ip4.as_u32 = ip->dst_address.as_u32,
753                 },
754   };
755
756   switch (vec_len (sm->outside_fibs))
757     {
758     case 0:
759       outside_fib_index = sm->outside_fib_index;
760       break;
761     case 1:
762       outside_fib_index = sm->outside_fibs[0].fib_index;
763       break;
764     default:
765       /* *INDENT-OFF* */
766       vec_foreach (outside_fib, sm->outside_fibs)
767         {
768           fei = fib_table_lookup (outside_fib->fib_index, &pfx);
769           if (FIB_NODE_INDEX_INVALID != fei)
770             {
771               if (fib_entry_get_resolving_interface (fei) != ~0)
772                 {
773                   outside_fib_index = outside_fib->fib_index;
774                   break;
775                 }
776             }
777         }
778       /* *INDENT-ON* */
779       break;
780     }
781   old_addr = ip->src_address.as_u32;
782
783   make_ed_kv (&s_kv, &ip->src_address, &ip->dst_address, ip->protocol,
784               rx_fib_index, 0, 0);
785
786   if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &s_kv, &s_value))
787     {
788       s = pool_elt_at_index (tsm->sessions, s_value.value);
789       new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
790     }
791   else
792     {
793       if (PREDICT_FALSE (nat44_maximum_sessions_exceeded (sm, thread_index)))
794         {
795           b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED];
796           nat_ipfix_logging_max_sessions (thread_index, sm->max_translations);
797           nat_elog_notice ("maximum sessions exceeded");
798           return 0;
799         }
800
801       u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
802                                   thread_index);
803       if (!u)
804         {
805           b->error = node->errors[NAT_IN2OUT_ED_ERROR_CANNOT_CREATE_USER];
806           nat_elog_warn ("create NAT user failed");
807           return 0;
808         }
809
810       make_sm_kv (&kv, &ip->src_address, 0, rx_fib_index, 0);
811
812       /* Try to find static mapping first */
813       if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
814         {
815           m = pool_elt_at_index (sm->static_mappings, value.value);
816           new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
817           is_sm = 1;
818           goto create_ses;
819         }
820       /* Fallback to 3-tuple key */
821       else
822         {
823           /* Choose same out address as for TCP/UDP session to same destination */
824           head_index = u->sessions_per_user_list_head_index;
825           head = pool_elt_at_index (tsm->list_pool, head_index);
826           elt_index = head->next;
827           if (PREDICT_FALSE (elt_index == ~0))
828             ses_index = ~0;
829           else
830             {
831               elt = pool_elt_at_index (tsm->list_pool, elt_index);
832               ses_index = elt->value;
833             }
834
835           while (ses_index != ~0)
836             {
837               s = pool_elt_at_index (tsm->sessions, ses_index);
838               elt_index = elt->next;
839               elt = pool_elt_at_index (tsm->list_pool, elt_index);
840               ses_index = elt->value;
841
842               if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
843                 {
844                   new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
845
846                   make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address,
847                               ip->protocol, outside_fib_index, 0, 0);
848                   if (clib_bihash_search_16_8
849                       (&tsm->out2in_ed, &s_kv, &s_value))
850                     goto create_ses;
851
852                   break;
853                 }
854             }
855
856           for (i = 0; i < vec_len (sm->addresses); i++)
857             {
858               make_ed_kv (&s_kv, &sm->addresses[i].addr, &ip->dst_address,
859                           ip->protocol, outside_fib_index, 0, 0);
860               if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
861                 {
862                   new_addr = ip->src_address.as_u32 =
863                     sm->addresses[i].addr.as_u32;
864                   goto create_ses;
865                 }
866             }
867           return 0;
868         }
869
870     create_ses:
871       s = nat_ed_session_alloc (sm, u, thread_index, now);
872       if (!s)
873         {
874           b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_USER_SESS_EXCEEDED];
875           nat44_delete_user_with_no_session (sm, u, thread_index);
876           nat_elog_warn ("create NAT session failed");
877           return 0;
878         }
879
880       s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
881       s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
882       s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
883       s->out2in.addr.as_u32 = new_addr;
884       s->out2in.fib_index = outside_fib_index;
885       s->in2out.addr.as_u32 = old_addr;
886       s->in2out.fib_index = rx_fib_index;
887       s->in2out.port = s->out2in.port = ip->protocol;
888       if (is_sm)
889         s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
890       user_session_increment (sm, u, is_sm);
891
892       /* Add to lookup tables */
893       make_ed_kv (&s_kv, &s->in2out.addr, &ip->dst_address, ip->protocol,
894                   rx_fib_index, 0, 0);
895       s_kv.value = s - tsm->sessions;
896       if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
897         nat_elog_notice ("in2out key add failed");
898
899       make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address, ip->protocol,
900                   outside_fib_index, 0, 0);
901       s_kv.value = s - tsm->sessions;
902       if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
903         nat_elog_notice ("out2in key add failed");
904     }
905
906   /* Update IP checksum */
907   sum = ip->checksum;
908   sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
909   ip->checksum = ip_csum_fold (sum);
910
911   /* Accounting */
912   nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b),
913                                  thread_index);
914   /* Per-user LRU list maintenance */
915   nat44_session_update_lru (sm, s, thread_index);
916
917   /* Hairpinning */
918   if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0)
919     nat44_ed_hairpinning_unknown_proto (sm, b, ip);
920
921   if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0)
922     vnet_buffer (b)->sw_if_index[VLIB_TX] = outside_fib_index;
923
924   return s;
925 }
926
927 static inline uword
928 nat44_ed_in2out_fast_path_node_fn_inline (vlib_main_t * vm,
929                                           vlib_node_runtime_t * node,
930                                           vlib_frame_t * frame,
931                                           int is_output_feature)
932 {
933   u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
934   nat_next_t next_index;
935   snat_main_t *sm = &snat_main;
936   f64 now = vlib_time_now (vm);
937   u32 thread_index = vm->thread_index;
938   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
939   u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
940     0, def_slow;
941
942   def_slow = is_output_feature ? NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH :
943     NAT_NEXT_IN2OUT_ED_SLOW_PATH;
944
945   stats_node_index = sm->ed_in2out_node_index;
946
947   from = vlib_frame_vector_args (frame);
948   n_left_from = frame->n_vectors;
949   next_index = node->cached_next_index;
950
951   while (n_left_from > 0)
952     {
953       u32 n_left_to_next;
954
955       vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
956
957       while (n_left_from > 0 && n_left_to_next > 0)
958         {
959           u32 bi0;
960           vlib_buffer_t *b0;
961           u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0,
962             new_addr0, old_addr0;
963           u16 old_port0, new_port0;
964           ip4_header_t *ip0;
965           udp_header_t *udp0;
966           tcp_header_t *tcp0;
967           snat_session_t *s0 = 0;
968           clib_bihash_kv_16_8_t kv0, value0;
969           ip_csum_t sum0;
970
971           /* speculatively enqueue b0 to the current next frame */
972           bi0 = from[0];
973           to_next[0] = bi0;
974           from += 1;
975           to_next += 1;
976           n_left_from -= 1;
977           n_left_to_next -= 1;
978
979           b0 = vlib_get_buffer (vm, bi0);
980
981           if (is_output_feature)
982             {
983               vnet_feature_next (&nat_buffer_opaque (b0)->arc_next, b0);
984               iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
985             }
986
987           next0 = nat_buffer_opaque (b0)->arc_next;
988
989           ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
990                                   iph_offset0);
991
992           sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
993           rx_fib_index0 =
994             fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
995                                                  sw_if_index0);
996
997           if (PREDICT_FALSE (ip0->ttl == 1))
998             {
999               vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1000               icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1001                                            ICMP4_time_exceeded_ttl_exceeded_in_transit,
1002                                            0);
1003               next0 = NAT_NEXT_ICMP_ERROR;
1004               goto trace0;
1005             }
1006
1007           udp0 = ip4_next_header (ip0);
1008           tcp0 = (tcp_header_t *) udp0;
1009           proto0 = ip_proto_to_snat_proto (ip0->protocol);
1010
1011           if (PREDICT_FALSE (proto0 == ~0))
1012             {
1013               next0 = def_slow;
1014               goto trace0;
1015             }
1016
1017           if (is_output_feature)
1018             {
1019               if (PREDICT_FALSE (nat_not_translate_output_feature_fwd
1020                                  (sm, ip0, thread_index, now, vm, b0)))
1021                 goto trace0;
1022             }
1023
1024           if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1025             {
1026               next0 = def_slow;
1027               goto trace0;
1028             }
1029
1030           make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
1031                       ip0->protocol, rx_fib_index0,
1032                       vnet_buffer (b0)->ip.reass.l4_src_port,
1033                       vnet_buffer (b0)->ip.reass.l4_dst_port);
1034
1035           // lookup for session
1036           if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
1037             {
1038               // session does not exist go slow path
1039               next0 = def_slow;
1040               goto trace0;
1041             }
1042           s0 = pool_elt_at_index (tsm->sessions, value0.value);
1043
1044           if (s0->tcp_close_timestamp)
1045             {
1046               if (now >= s0->tcp_close_timestamp)
1047                 {
1048                   // session is closed, go slow path
1049                   next0 = def_slow;
1050                 }
1051               else
1052                 {
1053                   // session in transitory timeout, drop
1054                   b0->error = node->errors[NAT_IN2OUT_ED_ERROR_TCP_CLOSED];
1055                   next0 = NAT_NEXT_DROP;
1056                 }
1057               goto trace0;
1058             }
1059
1060           // drop if session expired
1061           u64 sess_timeout_time;
1062           sess_timeout_time = s0->last_heard +
1063             (f64) nat44_session_get_timeout (sm, s0);
1064           if (now >= sess_timeout_time)
1065             {
1066               nat_free_session_data (sm, s0, thread_index, 0);
1067               nat44_delete_session (sm, s0, thread_index);
1068               // session is closed, go slow path
1069               next0 = def_slow;
1070               goto trace0;
1071             }
1072
1073           b0->flags |= VNET_BUFFER_F_IS_NATED;
1074
1075           if (!is_output_feature)
1076             vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1077
1078           old_addr0 = ip0->src_address.as_u32;
1079           new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32;
1080           sum0 = ip0->checksum;
1081           sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1082                                  src_address);
1083           if (PREDICT_FALSE (is_twice_nat_session (s0)))
1084             sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1085                                    s0->ext_host_addr.as_u32, ip4_header_t,
1086                                    dst_address);
1087           ip0->checksum = ip_csum_fold (sum0);
1088
1089           old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1090
1091           if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1092             {
1093               if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1094                 {
1095                   new_port0 = udp0->src_port = s0->out2in.port;
1096                   sum0 = tcp0->checksum;
1097                   sum0 =
1098                     ip_csum_update (sum0, old_addr0, new_addr0,
1099                                     ip4_header_t, dst_address);
1100                   sum0 =
1101                     ip_csum_update (sum0, old_port0, new_port0,
1102                                     ip4_header_t, length);
1103                   if (PREDICT_FALSE (is_twice_nat_session (s0)))
1104                     {
1105                       sum0 =
1106                         ip_csum_update (sum0, ip0->dst_address.as_u32,
1107                                         s0->ext_host_addr.as_u32,
1108                                         ip4_header_t, dst_address);
1109                       sum0 =
1110                         ip_csum_update (sum0,
1111                                         vnet_buffer (b0)->ip.
1112                                         reass.l4_dst_port, s0->ext_host_port,
1113                                         ip4_header_t, length);
1114                       tcp0->dst_port = s0->ext_host_port;
1115                       ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1116                     }
1117                   mss_clamping (sm, tcp0, &sum0);
1118                   tcp0->checksum = ip_csum_fold (sum0);
1119                 }
1120               tcp_packets++;
1121               if (nat44_set_tcp_session_state_i2o
1122                   (sm, now, s0, b0, thread_index))
1123                 goto trace0;
1124             }
1125           else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
1126                    && udp0->checksum)
1127             {
1128               new_port0 = udp0->src_port = s0->out2in.port;
1129               sum0 = udp0->checksum;
1130               sum0 =
1131                 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1132                                 dst_address);
1133               sum0 =
1134                 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1135                                 length);
1136               if (PREDICT_FALSE (is_twice_nat_session (s0)))
1137                 {
1138                   sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1139                                          s0->ext_host_addr.as_u32,
1140                                          ip4_header_t, dst_address);
1141                   sum0 =
1142                     ip_csum_update (sum0,
1143                                     vnet_buffer (b0)->ip.reass.l4_dst_port,
1144                                     s0->ext_host_port, ip4_header_t, length);
1145                   udp0->dst_port = s0->ext_host_port;
1146                   ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1147                 }
1148               udp0->checksum = ip_csum_fold (sum0);
1149               udp_packets++;
1150             }
1151           else
1152             {
1153               if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1154                 {
1155                   new_port0 = udp0->src_port = s0->out2in.port;
1156                   if (PREDICT_FALSE (is_twice_nat_session (s0)))
1157                     {
1158                       udp0->dst_port = s0->ext_host_port;
1159                       ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1160                     }
1161                   udp_packets++;
1162                 }
1163             }
1164
1165           /* Accounting */
1166           nat44_session_update_counters (s0, now,
1167                                          vlib_buffer_length_in_chain
1168                                          (vm, b0), thread_index);
1169           /* Per-user LRU list maintenance */
1170           nat44_session_update_lru (sm, s0, thread_index);
1171
1172         trace0:
1173           if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1174                              && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1175             {
1176               nat_in2out_ed_trace_t *t =
1177                 vlib_add_trace (vm, node, b0, sizeof (*t));
1178               t->sw_if_index = sw_if_index0;
1179               t->next_index = next0;
1180               t->is_slow_path = 0;
1181
1182               if (s0)
1183                 t->session_index = s0 - tsm->sessions;
1184               else
1185                 t->session_index = ~0;
1186             }
1187
1188           pkts_processed += next0 == nat_buffer_opaque (b0)->arc_next;
1189           /* verify speculative enqueue, maybe switch current next frame */
1190           vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1191                                            to_next, n_left_to_next,
1192                                            bi0, next0);
1193         }
1194
1195       vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1196     }
1197
1198   vlib_node_increment_counter (vm, stats_node_index,
1199                                NAT_IN2OUT_ED_ERROR_IN2OUT_PACKETS,
1200                                pkts_processed);
1201   vlib_node_increment_counter (vm, stats_node_index,
1202                                NAT_IN2OUT_ED_ERROR_TCP_PACKETS, tcp_packets);
1203   vlib_node_increment_counter (vm, stats_node_index,
1204                                NAT_IN2OUT_ED_ERROR_UDP_PACKETS, udp_packets);
1205   vlib_node_increment_counter (vm, stats_node_index,
1206                                NAT_IN2OUT_ED_ERROR_ICMP_PACKETS,
1207                                icmp_packets);
1208   vlib_node_increment_counter (vm, stats_node_index,
1209                                NAT_IN2OUT_ED_ERROR_OTHER_PACKETS,
1210                                other_packets);
1211   return frame->n_vectors;
1212 }
1213
1214 static inline uword
1215 nat44_ed_in2out_slow_path_node_fn_inline (vlib_main_t * vm,
1216                                           vlib_node_runtime_t * node,
1217                                           vlib_frame_t * frame,
1218                                           int is_output_feature)
1219 {
1220   u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
1221   nat_next_t next_index;
1222   snat_main_t *sm = &snat_main;
1223   f64 now = vlib_time_now (vm);
1224   u32 thread_index = vm->thread_index;
1225   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1226   u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets = 0;
1227
1228   stats_node_index = sm->ed_in2out_slowpath_node_index;
1229
1230   from = vlib_frame_vector_args (frame);
1231   n_left_from = frame->n_vectors;
1232   next_index = node->cached_next_index;
1233
1234   while (n_left_from > 0)
1235     {
1236       u32 n_left_to_next;
1237
1238       vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1239
1240       while (n_left_from > 0 && n_left_to_next > 0)
1241         {
1242           u32 bi0;
1243           vlib_buffer_t *b0;
1244           u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0,
1245             new_addr0, old_addr0;
1246           u16 old_port0, new_port0;
1247           ip4_header_t *ip0;
1248           udp_header_t *udp0;
1249           tcp_header_t *tcp0;
1250           icmp46_header_t *icmp0;
1251           snat_session_t *s0 = 0;
1252           clib_bihash_kv_16_8_t kv0, value0;
1253           ip_csum_t sum0;
1254
1255           /* speculatively enqueue b0 to the current next frame */
1256           bi0 = from[0];
1257           to_next[0] = bi0;
1258           from += 1;
1259           to_next += 1;
1260           n_left_from -= 1;
1261           n_left_to_next -= 1;
1262
1263           b0 = vlib_get_buffer (vm, bi0);
1264
1265           if (is_output_feature)
1266             iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
1267
1268           next0 = nat_buffer_opaque (b0)->arc_next;
1269
1270           ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1271                                   iph_offset0);
1272
1273           sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1274           rx_fib_index0 =
1275             fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1276                                                  sw_if_index0);
1277
1278           if (PREDICT_FALSE (ip0->ttl == 1))
1279             {
1280               vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1281               icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1282                                            ICMP4_time_exceeded_ttl_exceeded_in_transit,
1283                                            0);
1284               next0 = NAT_NEXT_ICMP_ERROR;
1285               goto trace0;
1286             }
1287
1288           udp0 = ip4_next_header (ip0);
1289           tcp0 = (tcp_header_t *) udp0;
1290           icmp0 = (icmp46_header_t *) udp0;
1291           proto0 = ip_proto_to_snat_proto (ip0->protocol);
1292
1293           if (PREDICT_FALSE (proto0 == ~0))
1294             {
1295               s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0,
1296                                                   rx_fib_index0,
1297                                                   thread_index, now,
1298                                                   vm, node);
1299               if (!s0)
1300                 next0 = NAT_NEXT_DROP;
1301
1302               other_packets++;
1303               goto trace0;
1304             }
1305
1306           if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1307             {
1308               next0 = icmp_in2out_ed_slow_path
1309                 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
1310                  node, next0, now, thread_index, &s0);
1311               icmp_packets++;
1312               goto trace0;
1313             }
1314
1315           // move down
1316           make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
1317                       ip0->protocol, rx_fib_index0,
1318                       vnet_buffer (b0)->ip.reass.l4_src_port,
1319                       vnet_buffer (b0)->ip.reass.l4_dst_port);
1320
1321           if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
1322             {
1323               s0 = pool_elt_at_index (tsm->sessions, value0.value);
1324
1325               if (s0->tcp_close_timestamp && now >= s0->tcp_close_timestamp)
1326                 {
1327                   nat_free_session_data (sm, s0, thread_index, 0);
1328                   nat44_delete_session (sm, s0, thread_index);
1329                   s0 = NULL;
1330                 }
1331             }
1332
1333           if (!s0)
1334             {
1335               if (is_output_feature)
1336                 {
1337                   if (PREDICT_FALSE
1338                       (nat44_ed_not_translate_output_feature
1339                        (sm, ip0, ip0->protocol,
1340                         vnet_buffer (b0)->ip.reass.l4_src_port,
1341                         vnet_buffer (b0)->ip.reass.l4_dst_port,
1342                         thread_index, sw_if_index0,
1343                         vnet_buffer (b0)->sw_if_index[VLIB_TX])))
1344                     goto trace0;
1345
1346                   /*
1347                    * Send DHCP packets to the ipv4 stack, or we won't
1348                    * be able to use dhcp client on the outside interface
1349                    */
1350                   if (PREDICT_FALSE
1351                       (proto0 == SNAT_PROTOCOL_UDP
1352                        && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1353                            clib_host_to_net_u16 (UDP_DST_PORT_dhcp_to_server))
1354                        && ip0->dst_address.as_u32 == 0xffffffff))
1355                     goto trace0;
1356                 }
1357               else
1358                 {
1359                   if (PREDICT_FALSE
1360                       (nat44_ed_not_translate
1361                        (sm, node, sw_if_index0, ip0, proto0, rx_fib_index0,
1362                         thread_index)))
1363                     goto trace0;
1364                 }
1365
1366               next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
1367                                     next0, thread_index, now);
1368
1369               if (PREDICT_FALSE (next0 == NAT_NEXT_DROP))
1370                 goto trace0;
1371
1372               if (PREDICT_FALSE (!s0))
1373                 goto trace0;
1374
1375             }
1376
1377           b0->flags |= VNET_BUFFER_F_IS_NATED;
1378
1379           if (!is_output_feature)
1380             vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1381
1382           old_addr0 = ip0->src_address.as_u32;
1383           new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32;
1384           sum0 = ip0->checksum;
1385           sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1386                                  src_address);
1387           if (PREDICT_FALSE (is_twice_nat_session (s0)))
1388             sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1389                                    s0->ext_host_addr.as_u32, ip4_header_t,
1390                                    dst_address);
1391           ip0->checksum = ip_csum_fold (sum0);
1392
1393           old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
1394
1395           if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1396             {
1397               if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1398                 {
1399                   new_port0 = udp0->src_port = s0->out2in.port;
1400                   sum0 = tcp0->checksum;
1401                   sum0 =
1402                     ip_csum_update (sum0, old_addr0, new_addr0,
1403                                     ip4_header_t, dst_address);
1404                   sum0 =
1405                     ip_csum_update (sum0, old_port0, new_port0,
1406                                     ip4_header_t, length);
1407                   if (PREDICT_FALSE (is_twice_nat_session (s0)))
1408                     {
1409                       sum0 =
1410                         ip_csum_update (sum0, ip0->dst_address.as_u32,
1411                                         s0->ext_host_addr.as_u32,
1412                                         ip4_header_t, dst_address);
1413                       sum0 =
1414                         ip_csum_update (sum0,
1415                                         vnet_buffer (b0)->ip.
1416                                         reass.l4_dst_port, s0->ext_host_port,
1417                                         ip4_header_t, length);
1418                       tcp0->dst_port = s0->ext_host_port;
1419                       ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1420                     }
1421                   mss_clamping (sm, tcp0, &sum0);
1422                   tcp0->checksum = ip_csum_fold (sum0);
1423                 }
1424               tcp_packets++;
1425               if (nat44_set_tcp_session_state_i2o
1426                   (sm, now, s0, b0, thread_index))
1427                 goto trace0;
1428             }
1429           else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
1430                    && udp0->checksum)
1431             {
1432               new_port0 = udp0->src_port = s0->out2in.port;
1433               sum0 = udp0->checksum;
1434               sum0 =
1435                 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1436                                 dst_address);
1437               sum0 =
1438                 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1439                                 length);
1440               if (PREDICT_FALSE (is_twice_nat_session (s0)))
1441                 {
1442                   sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1443                                          s0->ext_host_addr.as_u32,
1444                                          ip4_header_t, dst_address);
1445                   sum0 =
1446                     ip_csum_update (sum0,
1447                                     vnet_buffer (b0)->ip.reass.l4_dst_port,
1448                                     s0->ext_host_port, ip4_header_t, length);
1449                   udp0->dst_port = s0->ext_host_port;
1450                   ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1451                 }
1452               udp0->checksum = ip_csum_fold (sum0);
1453               udp_packets++;
1454             }
1455           else
1456             {
1457               if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1458                 {
1459                   new_port0 = udp0->src_port = s0->out2in.port;
1460                   if (PREDICT_FALSE (is_twice_nat_session (s0)))
1461                     {
1462                       udp0->dst_port = s0->ext_host_port;
1463                       ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1464                     }
1465                   udp_packets++;
1466                 }
1467             }
1468
1469           /* Accounting */
1470           nat44_session_update_counters (s0, now,
1471                                          vlib_buffer_length_in_chain
1472                                          (vm, b0), thread_index);
1473           /* Per-user LRU list maintenance */
1474           nat44_session_update_lru (sm, s0, thread_index);
1475
1476         trace0:
1477           if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1478                              && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1479             {
1480               nat_in2out_ed_trace_t *t =
1481                 vlib_add_trace (vm, node, b0, sizeof (*t));
1482               t->sw_if_index = sw_if_index0;
1483               t->next_index = next0;
1484               t->is_slow_path = 1;
1485
1486               if (s0)
1487                 t->session_index = s0 - tsm->sessions;
1488               else
1489                 t->session_index = ~0;
1490             }
1491
1492           pkts_processed += next0 == nat_buffer_opaque (b0)->arc_next;
1493
1494           /* verify speculative enqueue, maybe switch current next frame */
1495           vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1496                                            to_next, n_left_to_next,
1497                                            bi0, next0);
1498         }
1499
1500       vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1501     }
1502
1503   vlib_node_increment_counter (vm, stats_node_index,
1504                                NAT_IN2OUT_ED_ERROR_IN2OUT_PACKETS,
1505                                pkts_processed);
1506   vlib_node_increment_counter (vm, stats_node_index,
1507                                NAT_IN2OUT_ED_ERROR_TCP_PACKETS, tcp_packets);
1508   vlib_node_increment_counter (vm, stats_node_index,
1509                                NAT_IN2OUT_ED_ERROR_UDP_PACKETS, udp_packets);
1510   vlib_node_increment_counter (vm, stats_node_index,
1511                                NAT_IN2OUT_ED_ERROR_ICMP_PACKETS,
1512                                icmp_packets);
1513   vlib_node_increment_counter (vm, stats_node_index,
1514                                NAT_IN2OUT_ED_ERROR_OTHER_PACKETS,
1515                                other_packets);
1516   return frame->n_vectors;
1517 }
1518
1519 VLIB_NODE_FN (nat44_ed_in2out_node) (vlib_main_t * vm,
1520                                      vlib_node_runtime_t * node,
1521                                      vlib_frame_t * frame)
1522 {
1523   return nat44_ed_in2out_fast_path_node_fn_inline (vm, node, frame, 0);
1524 }
1525
1526 /* *INDENT-OFF* */
1527 VLIB_REGISTER_NODE (nat44_ed_in2out_node) = {
1528   .name = "nat44-ed-in2out",
1529   .vector_size = sizeof (u32),
1530   .sibling_of = "nat-default",
1531   .format_trace = format_nat_in2out_ed_trace,
1532   .type = VLIB_NODE_TYPE_INTERNAL,
1533   .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1534   .error_strings = nat_in2out_ed_error_strings,
1535   .runtime_data_bytes = sizeof (snat_runtime_t),
1536 };
1537 /* *INDENT-ON* */
1538
1539 VLIB_NODE_FN (nat44_ed_in2out_output_node) (vlib_main_t * vm,
1540                                             vlib_node_runtime_t * node,
1541                                             vlib_frame_t * frame)
1542 {
1543   return nat44_ed_in2out_fast_path_node_fn_inline (vm, node, frame, 1);
1544 }
1545
1546 /* *INDENT-OFF* */
1547 VLIB_REGISTER_NODE (nat44_ed_in2out_output_node) = {
1548   .name = "nat44-ed-in2out-output",
1549   .vector_size = sizeof (u32),
1550   .sibling_of = "nat-default",
1551   .format_trace = format_nat_in2out_ed_trace,
1552   .type = VLIB_NODE_TYPE_INTERNAL,
1553   .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1554   .error_strings = nat_in2out_ed_error_strings,
1555   .runtime_data_bytes = sizeof (snat_runtime_t),
1556 };
1557 /* *INDENT-ON* */
1558
1559 VLIB_NODE_FN (nat44_ed_in2out_slowpath_node) (vlib_main_t * vm,
1560                                               vlib_node_runtime_t *
1561                                               node, vlib_frame_t * frame)
1562 {
1563   return nat44_ed_in2out_slow_path_node_fn_inline (vm, node, frame, 0);
1564 }
1565
1566 /* *INDENT-OFF* */
1567 VLIB_REGISTER_NODE (nat44_ed_in2out_slowpath_node) = {
1568   .name = "nat44-ed-in2out-slowpath",
1569   .vector_size = sizeof (u32),
1570   .sibling_of = "nat-default",
1571   .format_trace = format_nat_in2out_ed_trace,
1572   .type = VLIB_NODE_TYPE_INTERNAL,
1573   .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1574   .error_strings = nat_in2out_ed_error_strings,
1575   .runtime_data_bytes = sizeof (snat_runtime_t),
1576 };
1577 /* *INDENT-ON* */
1578
1579 VLIB_NODE_FN (nat44_ed_in2out_output_slowpath_node) (vlib_main_t * vm,
1580                                                      vlib_node_runtime_t
1581                                                      * node,
1582                                                      vlib_frame_t * frame)
1583 {
1584   return nat44_ed_in2out_slow_path_node_fn_inline (vm, node, frame, 1);
1585 }
1586
1587 /* *INDENT-OFF* */
1588 VLIB_REGISTER_NODE (nat44_ed_in2out_output_slowpath_node) = {
1589   .name = "nat44-ed-in2out-output-slowpath",
1590   .vector_size = sizeof (u32),
1591   .sibling_of = "nat-default",
1592   .format_trace = format_nat_in2out_ed_trace,
1593   .type = VLIB_NODE_TYPE_INTERNAL,
1594   .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
1595   .error_strings = nat_in2out_ed_error_strings,
1596   .runtime_data_bytes = sizeof (snat_runtime_t),
1597 };
1598 /* *INDENT-ON* */
1599
1600 static u8 *
1601 format_nat_pre_trace (u8 * s, va_list * args)
1602 {
1603   CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1604   CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1605   nat_pre_trace_t *t = va_arg (*args, nat_pre_trace_t *);
1606   return format (s, "in2out next_index %d", t->next_index);
1607 }
1608
1609 VLIB_NODE_FN (nat_pre_in2out_node)
1610   (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
1611 {
1612   return nat_pre_node_fn_inline (vm, node, frame,
1613                                  NAT_NEXT_IN2OUT_ED_FAST_PATH);
1614 }
1615
1616 /* *INDENT-OFF* */
1617 VLIB_REGISTER_NODE (nat_pre_in2out_node) = {
1618   .name = "nat-pre-in2out",
1619   .vector_size = sizeof (u32),
1620   .sibling_of = "nat-default",
1621   .format_trace = format_nat_pre_trace,
1622   .type = VLIB_NODE_TYPE_INTERNAL,
1623   .n_errors = 0,
1624 };
1625 /* *INDENT-ON* */
1626
1627 /*
1628  * fd.io coding-style-patch-verification: ON
1629  *
1630  * Local Variables:
1631  * eval: (c-set-style "gnu")
1632  * End:
1633  */
Vector Packet Processing