2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent inside to outside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp.h>
27 #include <vppinfra/error.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_reass.h>
31 #include <nat/nat_inlines.h>
32 #include <nat/nat44_inlines.h>
33 #include <nat/nat_syslog.h>
34 #include <nat/nat_ha.h>
36 static char *nat_in2out_ed_error_strings[] = {
37 #define _(sym,string) string,
38 foreach_nat_in2out_ed_error
48 } nat_in2out_ed_trace_t;
51 format_nat_in2out_ed_trace (u8 * s, va_list * args)
53 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
54 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
55 nat_in2out_ed_trace_t *t = va_arg (*args, nat_in2out_ed_trace_t *);
59 t->is_slow_path ? "NAT44_IN2OUT_ED_SLOW_PATH" :
60 "NAT44_IN2OUT_ED_FAST_PATH";
62 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
63 t->sw_if_index, t->next_index, t->session_index);
68 #ifndef CLIB_MARCH_VARIANT
70 nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
72 snat_main_t *sm = &snat_main;
73 nat44_is_idle_session_ctx_t *ctx = arg;
75 u64 sess_timeout_time;
76 nat_ed_ses_key_t ed_key;
77 clib_bihash_kv_16_8_t ed_kv;
80 snat_session_key_t key;
81 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
84 s = pool_elt_at_index (tsm->sessions, kv->value);
85 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
86 if (ctx->now >= sess_timeout_time)
88 if (is_fwd_bypass_session (s))
91 ed_key.l_addr = s->out2in.addr;
92 ed_key.r_addr = s->ext_host_addr;
93 ed_key.fib_index = s->out2in.fib_index;
94 if (snat_is_unk_proto_session (s))
96 ed_key.proto = s->in2out.port;
102 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
103 ed_key.l_port = s->out2in.port;
104 ed_key.r_port = s->ext_host_port;
106 ed_kv.key[0] = ed_key.as_u64[0];
107 ed_kv.key[1] = ed_key.as_u64[1];
108 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0))
109 nat_elog_warn ("out2in_ed key del failed");
111 if (snat_is_unk_proto_session (s))
114 snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
115 s->in2out.addr.as_u32,
116 s->out2in.addr.as_u32,
120 s->in2out.fib_index);
122 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
123 &s->in2out.addr, s->in2out.port,
124 &s->ext_host_nat_addr, s->ext_host_nat_port,
125 &s->out2in.addr, s->out2in.port,
126 &s->ext_host_addr, s->ext_host_port,
127 s->in2out.protocol, is_twice_nat_session (s));
129 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
130 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
133 if (is_twice_nat_session (s))
135 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
137 key.protocol = s->in2out.protocol;
138 key.port = s->ext_host_nat_port;
139 a = sm->twice_nat_addresses + i;
140 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
142 snat_free_outside_address_and_port (sm->twice_nat_addresses,
150 if (snat_is_session_static (s))
153 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
156 nat44_delete_session (sm, s, ctx->thread_index);
165 icmp_in2out_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
166 ip4_header_t * ip0, icmp46_header_t * icmp0,
167 u32 sw_if_index0, u32 rx_fib_index0,
168 vlib_node_runtime_t * node, u32 next0, f64 now,
169 u32 thread_index, snat_session_t ** p_s0)
171 next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
172 next0, thread_index, p_s0, 0);
173 snat_session_t *s0 = *p_s0;
174 if (PREDICT_TRUE (next0 != NAT_NEXT_DROP && s0))
177 nat44_session_update_counters (s0, now,
178 vlib_buffer_length_in_chain
179 (sm->vlib_main, b0), thread_index);
180 /* Per-user LRU list maintenance */
181 nat44_session_update_lru (sm, s0, thread_index);
187 slow_path_ed (snat_main_t * sm,
190 clib_bihash_kv_16_8_t * kv,
191 snat_session_t ** sessionp,
192 vlib_node_runtime_t * node, u32 next, u32 thread_index, f64 now,
195 snat_session_t *s = 0;
197 snat_session_key_t key0, key1;
198 lb_nat_type_t lb = 0, is_sm = 0;
199 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
200 nat_ed_ses_key_t *key = (nat_ed_ses_key_t *) kv->key;
201 u32 proto = ip_proto_to_snat_proto (key->proto);
202 nat_outside_fib_t *outside_fib;
203 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
206 .fp_proto = FIB_PROTOCOL_IP4,
209 .ip4.as_u32 = key->r_addr.as_u32,
212 nat44_is_idle_session_ctx_t ctx;
214 nat44_session_try_cleanup (&key->l_addr, rx_fib_index, thread_index, now);
216 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
218 b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED];
219 nat_ipfix_logging_max_sessions (thread_index, sm->max_translations);
220 nat_elog_notice ("maximum sessions exceeded");
221 return NAT_NEXT_DROP;
224 key0.addr = key->l_addr;
225 key0.port = key->l_port;
226 key1.protocol = key0.protocol = proto;
227 key0.fib_index = rx_fib_index;
228 key1.fib_index = sm->outside_fib_index;
229 /* First try to match static mapping by local address and port */
230 if (snat_static_mapping_match
231 (sm, key0, &key1, 0, 0, 0, &lb, 0, &identity_nat))
233 /* Try to create dynamic translation */
234 if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index,
237 tsm->snat_thread_index))
239 nat_elog_notice ("addresses exhausted");
240 b->error = node->errors[NAT_IN2OUT_ED_ERROR_OUT_OF_PORTS];
241 return NAT_NEXT_DROP;
246 if (PREDICT_FALSE (identity_nat))
255 if (proto == SNAT_PROTOCOL_TCP)
257 if (!tcp_is_init (tcp))
259 b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
260 return NAT_NEXT_DROP;
264 u = nat_user_get_or_create (sm, &key->l_addr, rx_fib_index, thread_index);
267 nat_elog_warn ("create NAT user failed");
269 snat_free_outside_address_and_port (sm->addresses,
270 thread_index, &key1);
271 return NAT_NEXT_DROP;
274 s = nat_ed_session_alloc (sm, u, thread_index, now);
277 nat44_delete_user_with_no_session (sm, u, thread_index);
278 nat_elog_warn ("create NAT session failed");
280 snat_free_outside_address_and_port (sm->addresses,
281 thread_index, &key1);
282 return NAT_NEXT_DROP;
285 user_session_increment (sm, u, is_sm);
287 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
289 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
290 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
291 s->ext_host_addr = key->r_addr;
292 s->ext_host_port = key->r_port;
295 s->out2in.protocol = key0.protocol;
297 switch (vec_len (sm->outside_fibs))
300 s->out2in.fib_index = sm->outside_fib_index;
303 s->out2in.fib_index = sm->outside_fibs[0].fib_index;
307 vec_foreach (outside_fib, sm->outside_fibs)
309 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
310 if (FIB_NODE_INDEX_INVALID != fei)
312 if (fib_entry_get_resolving_interface (fei) != ~0)
314 s->out2in.fib_index = outside_fib->fib_index;
323 /* Add to lookup tables */
324 kv->value = s - tsm->sessions;
326 ctx.thread_index = thread_index;
327 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, kv,
328 nat44_i2o_ed_is_idle_session_cb,
330 nat_elog_notice ("in2out-ed key add failed");
332 make_ed_kv (kv, &key1.addr, &key->r_addr, key->proto, s->out2in.fib_index,
333 key1.port, key->r_port);
334 kv->value = s - tsm->sessions;
335 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, kv,
336 nat44_o2i_ed_is_idle_session_cb,
338 nat_elog_notice ("out2in-ed key add failed");
343 snat_ipfix_logging_nat44_ses_create (thread_index,
344 s->in2out.addr.as_u32,
345 s->out2in.addr.as_u32,
348 s->out2in.port, s->in2out.fib_index);
350 nat_syslog_nat44_sadd (s->user_index, s->in2out.fib_index,
351 &s->in2out.addr, s->in2out.port,
352 &s->ext_host_nat_addr, s->ext_host_nat_port,
353 &s->out2in.addr, s->out2in.port,
354 &s->ext_host_addr, s->ext_host_port,
355 s->in2out.protocol, 0);
357 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
358 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
359 &s->ext_host_nat_addr, s->ext_host_nat_port,
360 s->in2out.protocol, s->in2out.fib_index, s->flags,
366 static_always_inline int
367 nat44_ed_not_translate (snat_main_t * sm, vlib_node_runtime_t * node,
368 u32 sw_if_index, ip4_header_t * ip, u32 proto,
369 u32 rx_fib_index, u32 thread_index)
371 udp_header_t *udp = ip4_next_header (ip);
372 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
373 clib_bihash_kv_16_8_t kv, value;
374 snat_session_key_t key0, key1;
376 make_ed_kv (&kv, &ip->dst_address, &ip->src_address, ip->protocol,
377 sm->outside_fib_index, udp->dst_port, udp->src_port);
379 /* NAT packet aimed at external address if */
380 /* has active sessions */
381 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
383 key0.addr = ip->dst_address;
384 key0.port = udp->dst_port;
385 key0.protocol = proto;
386 key0.fib_index = sm->outside_fib_index;
387 /* or is static mappings */
388 if (!snat_static_mapping_match (sm, key0, &key1, 1, 0, 0, 0, 0, 0))
394 if (sm->forwarding_enabled)
397 return snat_not_translate_fast (sm, node, sw_if_index, ip, proto,
401 static_always_inline int
402 nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
403 u32 thread_index, f64 now,
404 vlib_main_t * vm, vlib_buffer_t * b)
406 nat_ed_ses_key_t key;
407 clib_bihash_kv_16_8_t kv, value;
409 snat_session_t *s = 0;
410 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
412 if (!sm->forwarding_enabled)
415 if (ip->protocol == IP_PROTOCOL_ICMP)
417 key.as_u64[0] = key.as_u64[1] = 0;
418 if (get_icmp_i2o_ed_key (ip, &key))
421 kv.key[0] = key.as_u64[0];
422 kv.key[1] = key.as_u64[1];
424 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
426 udp = ip4_next_header (ip);
427 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0,
428 udp->src_port, udp->dst_port);
432 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0, 0,
436 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
438 s = pool_elt_at_index (tsm->sessions, value.value);
439 if (is_fwd_bypass_session (s))
441 if (ip->protocol == IP_PROTOCOL_TCP)
443 tcp_header_t *tcp = ip4_next_header (ip);
444 if (nat44_set_tcp_session_state_i2o (sm, s, tcp, thread_index))
448 nat44_session_update_counters (s, now,
449 vlib_buffer_length_in_chain (vm, b),
451 /* Per-user LRU list maintenance */
452 nat44_session_update_lru (sm, s, thread_index);
462 static_always_inline int
463 nat44_ed_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip,
464 u8 proto, u16 src_port, u16 dst_port,
465 u32 thread_index, u32 rx_sw_if_index,
468 clib_bihash_kv_16_8_t kv, value;
469 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
472 u32 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (rx_sw_if_index);
473 u32 tx_fib_index = ip4_fib_table_get_index_for_sw_if_index (tx_sw_if_index);
476 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, tx_fib_index,
478 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
480 s = pool_elt_at_index (tsm->sessions, value.value);
481 if (nat44_is_ses_closed (s))
483 nat_free_session_data (sm, s, thread_index, 0);
484 nat44_delete_session (sm, s, thread_index);
487 s->flags |= SNAT_SESSION_FLAG_OUTPUT_FEATURE;
492 make_ed_kv (&kv, &ip->dst_address, &ip->src_address, proto, rx_fib_index,
494 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
496 s = pool_elt_at_index (tsm->sessions, value.value);
497 if (is_fwd_bypass_session (s))
502 pool_foreach (i, sm->output_feature_interfaces,
504 if ((nat_interface_is_inside (i)) && (rx_sw_if_index == i->sw_if_index))
514 #ifndef CLIB_MARCH_VARIANT
516 icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
517 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
518 u8 * p_proto, snat_session_key_t * p_value,
519 u8 * p_dont_translate, void *d, void *e)
521 icmp46_header_t *icmp;
524 nat_ed_ses_key_t key;
525 snat_session_t *s = 0;
526 u8 dont_translate = 0;
527 clib_bihash_kv_16_8_t kv, value;
530 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
532 icmp = (icmp46_header_t *) ip4_next_header (ip);
533 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
534 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
536 key.as_u64[0] = key.as_u64[1] = 0;
537 err = get_icmp_i2o_ed_key (ip, &key);
540 b->error = node->errors[err];
541 next = NAT_NEXT_DROP;
544 key.fib_index = rx_fib_index;
546 kv.key[0] = key.as_u64[0];
547 kv.key[1] = key.as_u64[1];
549 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
551 if (vnet_buffer (b)->sw_if_index[VLIB_TX] != ~0)
553 if (PREDICT_FALSE (nat44_ed_not_translate_output_feature (sm, ip,
572 if (PREDICT_FALSE (nat44_ed_not_translate (sm, node, sw_if_index,
573 ip, SNAT_PROTOCOL_ICMP,
582 if (PREDICT_FALSE (icmp_is_error_message (icmp)))
584 b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
585 next = NAT_NEXT_DROP;
589 next = slow_path_ed (sm, b, rx_fib_index, &kv, &s, node, next,
590 thread_index, vlib_time_now (sm->vlib_main), 0);
592 if (PREDICT_FALSE (next == NAT_NEXT_DROP))
603 if (PREDICT_FALSE (icmp->type != ICMP4_echo_request &&
604 icmp->type != ICMP4_echo_reply &&
605 !icmp_is_error_message (icmp)))
607 b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
608 next = NAT_NEXT_DROP;
612 s = pool_elt_at_index (tsm->sessions, value.value);
615 *p_proto = ip_proto_to_snat_proto (key.proto);
618 *p_value = s->out2in;
619 *p_dont_translate = dont_translate;
621 *(snat_session_t **) d = s;
626 static snat_session_t *
627 nat44_ed_in2out_unknown_proto (snat_main_t * sm,
633 vlib_main_t * vm, vlib_node_runtime_t * node)
635 clib_bihash_kv_8_8_t kv, value;
636 clib_bihash_kv_16_8_t s_kv, s_value;
637 snat_static_mapping_t *m;
638 u32 old_addr, new_addr = 0;
641 dlist_elt_t *head, *elt;
642 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
643 u32 elt_index, head_index, ses_index;
645 u32 outside_fib_index = sm->outside_fib_index;
648 nat_outside_fib_t *outside_fib;
649 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
651 .fp_proto = FIB_PROTOCOL_IP4,
654 .ip4.as_u32 = ip->dst_address.as_u32,
658 switch (vec_len (sm->outside_fibs))
661 outside_fib_index = sm->outside_fib_index;
664 outside_fib_index = sm->outside_fibs[0].fib_index;
668 vec_foreach (outside_fib, sm->outside_fibs)
670 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
671 if (FIB_NODE_INDEX_INVALID != fei)
673 if (fib_entry_get_resolving_interface (fei) != ~0)
675 outside_fib_index = outside_fib->fib_index;
683 old_addr = ip->src_address.as_u32;
685 make_ed_kv (&s_kv, &ip->src_address, &ip->dst_address, ip->protocol,
688 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &s_kv, &s_value))
690 s = pool_elt_at_index (tsm->sessions, s_value.value);
691 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
695 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
697 b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED];
698 nat_ipfix_logging_max_sessions (thread_index, sm->max_translations);
699 nat_elog_notice ("maximum sessions exceeded");
703 u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index,
707 nat_elog_warn ("create NAT user failed");
711 make_sm_kv (&kv, &ip->src_address, 0, rx_fib_index, 0);
713 /* Try to find static mapping first */
714 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value))
716 m = pool_elt_at_index (sm->static_mappings, value.value);
717 new_addr = ip->src_address.as_u32 = m->external_addr.as_u32;
721 /* Fallback to 3-tuple key */
724 /* Choose same out address as for TCP/UDP session to same destination */
725 head_index = u->sessions_per_user_list_head_index;
726 head = pool_elt_at_index (tsm->list_pool, head_index);
727 elt_index = head->next;
728 if (PREDICT_FALSE (elt_index == ~0))
732 elt = pool_elt_at_index (tsm->list_pool, elt_index);
733 ses_index = elt->value;
736 while (ses_index != ~0)
738 s = pool_elt_at_index (tsm->sessions, ses_index);
739 elt_index = elt->next;
740 elt = pool_elt_at_index (tsm->list_pool, elt_index);
741 ses_index = elt->value;
743 if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32)
745 new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32;
747 make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address,
748 ip->protocol, outside_fib_index, 0, 0);
749 if (clib_bihash_search_16_8
750 (&tsm->out2in_ed, &s_kv, &s_value))
757 for (i = 0; i < vec_len (sm->addresses); i++)
759 make_ed_kv (&s_kv, &sm->addresses[i].addr, &ip->dst_address,
760 ip->protocol, outside_fib_index, 0, 0);
761 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
763 new_addr = ip->src_address.as_u32 =
764 sm->addresses[i].addr.as_u32;
772 s = nat_ed_session_alloc (sm, u, thread_index, now);
775 nat44_delete_user_with_no_session (sm, u, thread_index);
776 nat_elog_warn ("create NAT session failed");
780 s->ext_host_addr.as_u32 = ip->dst_address.as_u32;
781 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
782 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
783 s->out2in.addr.as_u32 = new_addr;
784 s->out2in.fib_index = outside_fib_index;
785 s->in2out.addr.as_u32 = old_addr;
786 s->in2out.fib_index = rx_fib_index;
787 s->in2out.port = s->out2in.port = ip->protocol;
789 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
790 user_session_increment (sm, u, is_sm);
792 /* Add to lookup tables */
793 make_ed_kv (&s_kv, &s->in2out.addr, &ip->dst_address, ip->protocol,
795 s_kv.value = s - tsm->sessions;
796 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
797 nat_elog_notice ("in2out key add failed");
799 make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address, ip->protocol,
800 outside_fib_index, 0, 0);
801 s_kv.value = s - tsm->sessions;
802 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
803 nat_elog_notice ("out2in key add failed");
806 /* Update IP checksum */
808 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address);
809 ip->checksum = ip_csum_fold (sum);
812 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b),
814 /* Per-user LRU list maintenance */
815 nat44_session_update_lru (sm, s, thread_index);
818 if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0)
819 nat44_ed_hairpinning_unknown_proto (sm, b, ip);
821 if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0)
822 vnet_buffer (b)->sw_if_index[VLIB_TX] = outside_fib_index;
828 nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
829 vlib_node_runtime_t * node,
830 vlib_frame_t * frame, int is_slow_path,
831 int is_output_feature)
833 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
834 nat_next_t next_index;
835 snat_main_t *sm = &snat_main;
836 f64 now = vlib_time_now (vm);
837 u32 thread_index = vm->thread_index;
838 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
839 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
840 0, fragments = 0, def_slow, def_reass;
842 def_slow = is_output_feature ? NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH :
843 NAT_NEXT_IN2OUT_ED_SLOW_PATH;
845 def_reass = is_output_feature ? NAT_NEXT_IN2OUT_ED_OUTPUT_REASS :
846 NAT_NEXT_IN2OUT_ED_REASS;
848 stats_node_index = is_slow_path ? sm->ed_in2out_slowpath_node_index :
849 sm->ed_in2out_node_index;
851 from = vlib_frame_vector_args (frame);
852 n_left_from = frame->n_vectors;
853 next_index = node->cached_next_index;
855 while (n_left_from > 0)
859 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
861 while (n_left_from >= 4 && n_left_to_next >= 2)
864 vlib_buffer_t *b0, *b1;
865 u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0,
866 new_addr0, old_addr0;
867 u32 next1, sw_if_index1, rx_fib_index1, iph_offset1 = 0, proto1,
868 new_addr1, old_addr1;
869 u16 old_port0, new_port0, old_port1, new_port1;
870 ip4_header_t *ip0, *ip1;
871 udp_header_t *udp0, *udp1;
872 tcp_header_t *tcp0, *tcp1;
873 icmp46_header_t *icmp0, *icmp1;
874 snat_session_t *s0 = 0, *s1 = 0;
875 clib_bihash_kv_16_8_t kv0, value0, kv1, value1;
876 ip_csum_t sum0, sum1;
878 /* Prefetch next iteration. */
880 vlib_buffer_t *p2, *p3;
882 p2 = vlib_get_buffer (vm, from[2]);
883 p3 = vlib_get_buffer (vm, from[3]);
885 vlib_prefetch_buffer_header (p2, LOAD);
886 vlib_prefetch_buffer_header (p3, LOAD);
888 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
889 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
892 /* speculatively enqueue b0 and b1 to the current next frame */
893 to_next[0] = bi0 = from[0];
894 to_next[1] = bi1 = from[1];
900 b0 = vlib_get_buffer (vm, bi0);
901 b1 = vlib_get_buffer (vm, bi1);
903 if (is_output_feature)
905 // output feature fast path is enabled on the arc
906 // we need new arc_next feature
907 if (PREDICT_TRUE (!is_slow_path))
909 vnet_feature_next (&nat_buffer_opaque (b0)->arc_next, b0);
910 vnet_feature_next (&nat_buffer_opaque (b1)->arc_next, b1);
913 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
914 iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
917 next0 = nat_buffer_opaque (b0)->arc_next;
918 next1 = nat_buffer_opaque (b1)->arc_next;
920 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
923 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
925 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
928 if (PREDICT_FALSE (ip0->ttl == 1))
930 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
931 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
932 ICMP4_time_exceeded_ttl_exceeded_in_transit,
934 next0 = NAT_NEXT_ICMP_ERROR;
938 udp0 = ip4_next_header (ip0);
939 tcp0 = (tcp_header_t *) udp0;
940 icmp0 = (icmp46_header_t *) udp0;
941 proto0 = ip_proto_to_snat_proto (ip0->protocol);
945 if (PREDICT_FALSE (proto0 == ~0))
947 s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0,
949 thread_index, now, vm,
952 next0 = NAT_NEXT_DROP;
957 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
959 next0 = icmp_in2out_ed_slow_path
960 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
961 next0, now, thread_index, &s0);
968 if (PREDICT_FALSE (proto0 == ~0))
974 if (ip4_is_fragment (ip0))
981 if (is_output_feature)
984 (nat_not_translate_output_feature_fwd
985 (sm, ip0, thread_index, now, vm, b0)))
989 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
996 make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
997 ip0->protocol, rx_fib_index0, udp0->src_port,
1000 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
1004 if (is_output_feature)
1007 (nat44_ed_not_translate_output_feature
1008 (sm, ip0, ip0->protocol, udp0->src_port,
1009 udp0->dst_port, thread_index, sw_if_index0,
1010 vnet_buffer (b0)->sw_if_index[VLIB_TX])))
1014 * Send DHCP packets to the ipv4 stack, or we won't
1015 * be able to use dhcp client on the outside interface
1018 ((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
1019 && proto0 == SNAT_PROTOCOL_UDP
1020 && (udp0->dst_port ==
1021 clib_host_to_net_u16
1022 (UDP_DST_PORT_dhcp_to_server))))
1027 if (PREDICT_FALSE (nat44_ed_not_translate (sm, node,
1036 slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
1037 next0, thread_index, now, tcp0);
1039 if (PREDICT_FALSE (next0 == NAT_NEXT_DROP))
1042 if (PREDICT_FALSE (!s0))
1053 s0 = pool_elt_at_index (tsm->sessions, value0.value);
1056 b0->flags |= VNET_BUFFER_F_IS_NATED;
1058 if (!is_output_feature)
1059 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1061 old_addr0 = ip0->src_address.as_u32;
1062 new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32;
1063 sum0 = ip0->checksum;
1064 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1066 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1067 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1068 s0->ext_host_addr.as_u32, ip4_header_t,
1070 ip0->checksum = ip_csum_fold (sum0);
1072 old_port0 = udp0->src_port;
1073 new_port0 = udp0->src_port = s0->out2in.port;
1075 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1077 sum0 = tcp0->checksum;
1078 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1080 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1082 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1084 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1085 s0->ext_host_addr.as_u32,
1086 ip4_header_t, dst_address);
1087 sum0 = ip_csum_update (sum0, tcp0->dst_port,
1088 s0->ext_host_port, ip4_header_t,
1090 tcp0->dst_port = s0->ext_host_port;
1091 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1093 mss_clamping (sm, tcp0, &sum0);
1094 tcp0->checksum = ip_csum_fold (sum0);
1096 if (nat44_set_tcp_session_state_i2o
1097 (sm, s0, tcp0, thread_index))
1100 else if (udp0->checksum)
1102 sum0 = udp0->checksum;
1103 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1105 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1107 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1109 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1110 s0->ext_host_addr.as_u32,
1111 ip4_header_t, dst_address);
1112 sum0 = ip_csum_update (sum0, tcp0->dst_port,
1113 s0->ext_host_port, ip4_header_t,
1115 udp0->dst_port = s0->ext_host_port;
1116 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1118 udp0->checksum = ip_csum_fold (sum0);
1123 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1125 udp0->dst_port = s0->ext_host_port;
1126 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1132 nat44_session_update_counters (s0, now,
1133 vlib_buffer_length_in_chain (vm,
1136 /* Per-user LRU list maintenance */
1137 nat44_session_update_lru (sm, s0, thread_index);
1140 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1141 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1143 nat_in2out_ed_trace_t *t =
1144 vlib_add_trace (vm, node, b0, sizeof (*t));
1145 t->is_slow_path = is_slow_path;
1146 t->sw_if_index = sw_if_index0;
1147 t->next_index = next0;
1148 t->session_index = ~0;
1150 t->session_index = s0 - tsm->sessions;
1153 pkts_processed += next0 == nat_buffer_opaque (b0)->arc_next;
1155 ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
1158 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
1160 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1163 if (PREDICT_FALSE (ip1->ttl == 1))
1165 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1166 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1167 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1169 next1 = NAT_NEXT_ICMP_ERROR;
1173 udp1 = ip4_next_header (ip1);
1174 tcp1 = (tcp_header_t *) udp1;
1175 icmp1 = (icmp46_header_t *) udp1;
1176 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1180 if (PREDICT_FALSE (proto1 == ~0))
1182 s1 = nat44_ed_in2out_unknown_proto (sm, b1, ip1,
1184 thread_index, now, vm,
1187 next1 = NAT_NEXT_DROP;
1192 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1194 next1 = icmp_in2out_ed_slow_path
1195 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1196 next1, now, thread_index, &s1);
1203 if (PREDICT_FALSE (proto1 == ~0))
1209 if (ip4_is_fragment (ip1))
1216 if (is_output_feature)
1219 (nat_not_translate_output_feature_fwd
1220 (sm, ip1, thread_index, now, vm, b1)))
1224 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1231 make_ed_kv (&kv1, &ip1->src_address, &ip1->dst_address,
1232 ip1->protocol, rx_fib_index1, udp1->src_port,
1235 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv1, &value1))
1239 if (is_output_feature)
1242 (nat44_ed_not_translate_output_feature
1243 (sm, ip1, ip1->protocol, udp1->src_port,
1244 udp1->dst_port, thread_index, sw_if_index1,
1245 vnet_buffer (b1)->sw_if_index[VLIB_TX])))
1249 * Send DHCP packets to the ipv4 stack, or we won't
1250 * be able to use dhcp client on the outside interface
1253 ((b1->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
1254 && proto1 == SNAT_PROTOCOL_UDP
1255 && (udp1->dst_port ==
1256 clib_host_to_net_u16
1257 (UDP_DST_PORT_dhcp_to_server))))
1262 if (PREDICT_FALSE (nat44_ed_not_translate (sm, node,
1271 slow_path_ed (sm, b1, rx_fib_index1, &kv1, &s1, node,
1272 next1, thread_index, now, tcp1);
1274 if (PREDICT_FALSE (next1 == NAT_NEXT_DROP))
1277 if (PREDICT_FALSE (!s1))
1288 s1 = pool_elt_at_index (tsm->sessions, value1.value);
1291 b1->flags |= VNET_BUFFER_F_IS_NATED;
1293 if (!is_output_feature)
1294 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1296 old_addr1 = ip1->src_address.as_u32;
1297 new_addr1 = ip1->src_address.as_u32 = s1->out2in.addr.as_u32;
1298 sum1 = ip1->checksum;
1299 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1301 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1302 sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32,
1303 s1->ext_host_addr.as_u32, ip4_header_t,
1305 ip1->checksum = ip_csum_fold (sum1);
1307 old_port1 = udp1->src_port;
1308 new_port1 = udp1->src_port = s1->out2in.port;
1310 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
1312 sum1 = tcp1->checksum;
1313 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1315 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
1317 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1319 sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32,
1320 s1->ext_host_addr.as_u32,
1321 ip4_header_t, dst_address);
1322 sum1 = ip_csum_update (sum1, tcp1->dst_port,
1323 s1->ext_host_port, ip4_header_t,
1325 tcp1->dst_port = s1->ext_host_port;
1326 ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
1328 tcp1->checksum = ip_csum_fold (sum1);
1329 mss_clamping (sm, tcp1, &sum1);
1331 if (nat44_set_tcp_session_state_i2o
1332 (sm, s1, tcp1, thread_index))
1335 else if (udp1->checksum)
1337 sum1 = udp1->checksum;
1338 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1340 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
1343 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1345 sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32,
1346 s1->ext_host_addr.as_u32,
1347 ip4_header_t, dst_address);
1348 sum1 = ip_csum_update (sum1, tcp1->dst_port,
1349 s1->ext_host_port, ip4_header_t,
1351 udp1->dst_port = s1->ext_host_port;
1352 ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
1354 udp1->checksum = ip_csum_fold (sum1);
1359 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1361 udp1->dst_port = s1->ext_host_port;
1362 ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
1368 nat44_session_update_counters (s1, now,
1369 vlib_buffer_length_in_chain (vm, b1),
1371 /* Per-user LRU list maintenance */
1372 nat44_session_update_lru (sm, s1, thread_index);
1375 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1376 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1378 nat_in2out_ed_trace_t *t =
1379 vlib_add_trace (vm, node, b1, sizeof (*t));
1380 t->is_slow_path = is_slow_path;
1381 t->sw_if_index = sw_if_index1;
1382 t->next_index = next1;
1383 t->session_index = ~0;
1385 t->session_index = s1 - tsm->sessions;
1388 pkts_processed += next1 == nat_buffer_opaque (b1)->arc_next;
1391 /* verify speculative enqueues, maybe switch current next frame */
1392 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1393 to_next, n_left_to_next,
1394 bi0, bi1, next0, next1);
1397 while (n_left_from > 0 && n_left_to_next > 0)
1401 u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0,
1402 new_addr0, old_addr0;
1403 u16 old_port0, new_port0;
1407 icmp46_header_t *icmp0;
1408 snat_session_t *s0 = 0;
1409 clib_bihash_kv_16_8_t kv0, value0;
1412 /* speculatively enqueue b0 to the current next frame */
1418 n_left_to_next -= 1;
1420 b0 = vlib_get_buffer (vm, bi0);
1422 if (is_output_feature)
1424 // output feature fast path is enabled on the arc
1425 // we need new arc_next feature
1426 if (PREDICT_TRUE (!is_slow_path))
1427 vnet_feature_next (&nat_buffer_opaque (b0)->arc_next, b0);
1429 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1432 next0 = nat_buffer_opaque (b0)->arc_next;
1434 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1437 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1439 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1442 if (PREDICT_FALSE (ip0->ttl == 1))
1444 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1445 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1446 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1448 next0 = NAT_NEXT_ICMP_ERROR;
1452 udp0 = ip4_next_header (ip0);
1453 tcp0 = (tcp_header_t *) udp0;
1454 icmp0 = (icmp46_header_t *) udp0;
1455 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1459 if (PREDICT_FALSE (proto0 == ~0))
1461 s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0,
1463 thread_index, now, vm,
1466 next0 = NAT_NEXT_DROP;
1471 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1473 next0 = icmp_in2out_ed_slow_path
1474 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1475 next0, now, thread_index, &s0);
1482 if (PREDICT_FALSE (proto0 == ~0))
1488 if (ip4_is_fragment (ip0))
1495 if (is_output_feature)
1498 (nat_not_translate_output_feature_fwd
1499 (sm, ip0, thread_index, now, vm, b0)))
1503 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1510 make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
1511 ip0->protocol, rx_fib_index0, udp0->src_port,
1514 if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
1518 if (is_output_feature)
1521 (nat44_ed_not_translate_output_feature
1522 (sm, ip0, ip0->protocol, udp0->src_port,
1523 udp0->dst_port, thread_index, sw_if_index0,
1524 vnet_buffer (b0)->sw_if_index[VLIB_TX])))
1528 * Send DHCP packets to the ipv4 stack, or we won't
1529 * be able to use dhcp client on the outside interface
1532 ((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
1533 && proto0 == SNAT_PROTOCOL_UDP
1534 && (udp0->dst_port ==
1535 clib_host_to_net_u16
1536 (UDP_DST_PORT_dhcp_to_server))))
1541 if (PREDICT_FALSE (nat44_ed_not_translate (sm, node,
1550 slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
1551 next0, thread_index, now, tcp0);
1553 if (PREDICT_FALSE (next0 == NAT_NEXT_DROP))
1556 if (PREDICT_FALSE (!s0))
1567 s0 = pool_elt_at_index (tsm->sessions, value0.value);
1570 b0->flags |= VNET_BUFFER_F_IS_NATED;
1572 if (!is_output_feature)
1573 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1575 old_addr0 = ip0->src_address.as_u32;
1576 new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32;
1577 sum0 = ip0->checksum;
1578 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1580 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1581 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1582 s0->ext_host_addr.as_u32, ip4_header_t,
1584 ip0->checksum = ip_csum_fold (sum0);
1586 old_port0 = udp0->src_port;
1587 new_port0 = udp0->src_port = s0->out2in.port;
1589 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1591 sum0 = tcp0->checksum;
1592 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1594 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1596 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1598 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1599 s0->ext_host_addr.as_u32,
1600 ip4_header_t, dst_address);
1601 sum0 = ip_csum_update (sum0, tcp0->dst_port,
1602 s0->ext_host_port, ip4_header_t,
1604 tcp0->dst_port = s0->ext_host_port;
1605 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1607 mss_clamping (sm, tcp0, &sum0);
1608 tcp0->checksum = ip_csum_fold (sum0);
1610 if (nat44_set_tcp_session_state_i2o
1611 (sm, s0, tcp0, thread_index))
1614 else if (udp0->checksum)
1616 sum0 = udp0->checksum;
1617 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1619 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1621 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1623 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1624 s0->ext_host_addr.as_u32,
1625 ip4_header_t, dst_address);
1626 sum0 = ip_csum_update (sum0, tcp0->dst_port,
1627 s0->ext_host_port, ip4_header_t,
1629 udp0->dst_port = s0->ext_host_port;
1630 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1632 udp0->checksum = ip_csum_fold (sum0);
1637 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1639 udp0->dst_port = s0->ext_host_port;
1640 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1646 nat44_session_update_counters (s0, now,
1647 vlib_buffer_length_in_chain (vm, b0),
1649 /* Per-user LRU list maintenance */
1650 nat44_session_update_lru (sm, s0, thread_index);
1653 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1654 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1656 nat_in2out_ed_trace_t *t =
1657 vlib_add_trace (vm, node, b0, sizeof (*t));
1658 t->is_slow_path = is_slow_path;
1659 t->sw_if_index = sw_if_index0;
1660 t->next_index = next0;
1661 t->session_index = ~0;
1663 t->session_index = s0 - tsm->sessions;
1666 pkts_processed += next0 == nat_buffer_opaque (b0)->arc_next;
1668 /* verify speculative enqueue, maybe switch current next frame */
1669 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1670 to_next, n_left_to_next,
1674 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1677 vlib_node_increment_counter (vm, stats_node_index,
1678 NAT_IN2OUT_ED_ERROR_IN2OUT_PACKETS,
1680 vlib_node_increment_counter (vm, stats_node_index,
1681 NAT_IN2OUT_ED_ERROR_TCP_PACKETS, tcp_packets);
1682 vlib_node_increment_counter (vm, stats_node_index,
1683 NAT_IN2OUT_ED_ERROR_UDP_PACKETS, udp_packets);
1684 vlib_node_increment_counter (vm, stats_node_index,
1685 NAT_IN2OUT_ED_ERROR_ICMP_PACKETS,
1687 vlib_node_increment_counter (vm, stats_node_index,
1688 NAT_IN2OUT_ED_ERROR_OTHER_PACKETS,
1690 vlib_node_increment_counter (vm, stats_node_index,
1691 NAT_IN2OUT_ED_ERROR_FRAGMENTS, fragments);
1693 return frame->n_vectors;
1697 nat44_ed_in2out_reass_node_fn_inline (vlib_main_t * vm,
1698 vlib_node_runtime_t * node,
1699 vlib_frame_t * frame,
1700 int is_output_feature)
1702 u32 n_left_from, *from, *to_next;
1703 nat_next_t next_index;
1704 u32 pkts_processed = 0, cached_fragments = 0;
1705 snat_main_t *sm = &snat_main;
1706 f64 now = vlib_time_now (vm);
1707 u32 thread_index = vm->thread_index;
1708 snat_main_per_thread_data_t *per_thread_data =
1709 &sm->per_thread_data[thread_index];
1710 u32 *fragments_to_drop = 0;
1711 u32 *fragments_to_loopback = 0;
1713 from = vlib_frame_vector_args (frame);
1714 n_left_from = frame->n_vectors;
1715 next_index = node->cached_next_index;
1717 while (n_left_from > 0)
1721 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1723 while (n_left_from > 0 && n_left_to_next > 0)
1725 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1726 u32 iph_offset0 = 0;
1730 ip4_header_t *ip0 = 0;
1731 nat_reass_ip4_t *reass0;
1734 icmp46_header_t *icmp0;
1735 clib_bihash_kv_16_8_t kv0, value0;
1736 snat_session_t *s0 = 0;
1737 u16 old_port0, new_port0;
1740 /* speculatively enqueue b0 to the current next frame */
1746 n_left_to_next -= 1;
1748 b0 = vlib_get_buffer (vm, bi0);
1750 next0 = nat_buffer_opaque (b0)->arc_next;
1752 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1754 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1757 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
1759 next0 = NAT_NEXT_DROP;
1760 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_DROP_FRAGMENT];
1764 if (is_output_feature)
1765 iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
1767 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
1770 udp0 = ip4_next_header (ip0);
1771 tcp0 = (tcp_header_t *) udp0;
1772 icmp0 = (icmp46_header_t *) udp0;
1773 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1775 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1779 1, &fragments_to_drop);
1781 if (PREDICT_FALSE (!reass0))
1783 next0 = NAT_NEXT_DROP;
1784 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_REASS];
1785 nat_elog_notice ("maximum reassemblies exceeded");
1789 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1791 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1793 if (is_output_feature)
1796 (nat_not_translate_output_feature_fwd
1797 (sm, ip0, thread_index, now, vm, b0)))
1798 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1802 next0 = icmp_in2out_ed_slow_path
1803 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1804 next0, now, thread_index, &s0);
1806 if (PREDICT_TRUE (next0 != NAT_NEXT_DROP))
1809 reass0->sess_index = s0 - per_thread_data->sessions;
1811 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1812 nat_ip4_reass_get_frags (reass0,
1813 &fragments_to_loopback);
1819 make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
1820 ip0->protocol, rx_fib_index0, udp0->src_port,
1823 if (clib_bihash_search_16_8
1824 (&per_thread_data->in2out_ed, &kv0, &value0))
1826 if (is_output_feature)
1829 (nat44_ed_not_translate_output_feature
1830 (sm, ip0, ip0->protocol, udp0->src_port,
1831 udp0->dst_port, thread_index, sw_if_index0,
1832 vnet_buffer (b0)->sw_if_index[VLIB_TX])))
1834 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1835 nat_ip4_reass_get_frags (reass0,
1836 &fragments_to_loopback);
1841 * Send DHCP packets to the ipv4 stack, or we won't
1842 * be able to use dhcp client on the outside interface
1845 ((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
1846 && proto0 == SNAT_PROTOCOL_UDP
1847 && (udp0->dst_port ==
1848 clib_host_to_net_u16
1849 (UDP_DST_PORT_dhcp_to_server))))
1854 if (PREDICT_FALSE (nat44_ed_not_translate (sm, node,
1860 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1861 nat_ip4_reass_get_frags (reass0,
1862 &fragments_to_loopback);
1867 next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0,
1868 &s0, node, next0, thread_index, now,
1871 if (PREDICT_FALSE (next0 == NAT_NEXT_DROP))
1874 if (PREDICT_FALSE (!s0))
1876 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1880 reass0->sess_index = s0 - per_thread_data->sessions;
1884 s0 = pool_elt_at_index (per_thread_data->sessions,
1886 reass0->sess_index = value0.value;
1888 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1892 if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
1894 if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
1896 if (nat_ip4_reass_add_fragment
1897 (thread_index, reass0, bi0, &fragments_to_drop))
1899 b0->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_FRAG];
1901 ("maximum fragments per reassembly exceeded");
1902 next0 = NAT_NEXT_DROP;
1908 s0 = pool_elt_at_index (per_thread_data->sessions,
1909 reass0->sess_index);
1912 old_addr0 = ip0->src_address.as_u32;
1913 ip0->src_address = s0->out2in.addr;
1914 new_addr0 = ip0->src_address.as_u32;
1915 if (!is_output_feature)
1916 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1918 sum0 = ip0->checksum;
1919 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1921 src_address /* changed member */ );
1922 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1923 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1924 s0->ext_host_addr.as_u32, ip4_header_t,
1926 ip0->checksum = ip_csum_fold (sum0);
1928 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1930 old_port0 = udp0->src_port;
1931 new_port0 = udp0->src_port = s0->out2in.port;
1933 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1935 sum0 = tcp0->checksum;
1936 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1938 dst_address /* changed member */ );
1939 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1940 ip4_header_t /* cheat */ ,
1941 length /* changed member */ );
1942 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1944 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1945 s0->ext_host_addr.as_u32,
1946 ip4_header_t, dst_address);
1947 sum0 = ip_csum_update (sum0, tcp0->dst_port,
1948 s0->ext_host_port, ip4_header_t,
1950 tcp0->dst_port = s0->ext_host_port;
1951 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1953 tcp0->checksum = ip_csum_fold (sum0);
1955 else if (udp0->checksum)
1957 sum0 = udp0->checksum;
1959 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1962 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1964 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1966 sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
1967 s0->ext_host_addr.as_u32,
1968 ip4_header_t, dst_address);
1969 sum0 = ip_csum_update (sum0, tcp0->dst_port,
1970 s0->ext_host_port, ip4_header_t,
1972 udp0->dst_port = s0->ext_host_port;
1973 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1975 udp0->checksum = ip_csum_fold (sum0);
1979 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1981 udp0->dst_port = s0->ext_host_port;
1982 ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
1988 nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
1989 s0->ext_host_port, proto0, 1);
1992 nat44_session_update_counters (s0, now,
1993 vlib_buffer_length_in_chain (vm, b0),
1995 /* Per-user LRU list maintenance */
1996 nat44_session_update_lru (sm, s0, thread_index);
1999 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2000 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2002 nat44_reass_trace_t *t =
2003 vlib_add_trace (vm, node, b0, sizeof (*t));
2004 t->cached = cached0;
2005 t->sw_if_index = sw_if_index0;
2006 t->next_index = next0;
2017 pkts_processed += next0 == nat_buffer_opaque (b0)->arc_next;
2019 /* verify speculative enqueue, maybe switch current next frame */
2020 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2021 to_next, n_left_to_next,
2025 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2027 from = vlib_frame_vector_args (frame);
2028 u32 len = vec_len (fragments_to_loopback);
2029 if (len <= VLIB_FRAME_SIZE)
2031 clib_memcpy_fast (from, fragments_to_loopback,
2032 sizeof (u32) * len);
2034 vec_reset_length (fragments_to_loopback);
2038 clib_memcpy_fast (from, fragments_to_loopback +
2039 (len - VLIB_FRAME_SIZE),
2040 sizeof (u32) * VLIB_FRAME_SIZE);
2041 n_left_from = VLIB_FRAME_SIZE;
2042 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2047 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2050 vlib_node_increment_counter (vm, sm->ed_in2out_reass_node_index,
2051 NAT_IN2OUT_ED_ERROR_PROCESSED_FRAGMENTS,
2053 vlib_node_increment_counter (vm, sm->ed_in2out_reass_node_index,
2054 NAT_IN2OUT_ED_ERROR_CACHED_FRAGMENTS,
2057 nat_send_all_to_node (vm, fragments_to_drop, node,
2058 &node->errors[NAT_IN2OUT_ED_ERROR_DROP_FRAGMENT],
2061 vec_free (fragments_to_drop);
2062 vec_free (fragments_to_loopback);
2063 return frame->n_vectors;
2066 VLIB_NODE_FN (nat44_ed_in2out_node) (vlib_main_t * vm,
2067 vlib_node_runtime_t * node,
2068 vlib_frame_t * frame)
2070 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 0);
2074 VLIB_REGISTER_NODE (nat44_ed_in2out_node) = {
2075 .name = "nat44-ed-in2out",
2076 .vector_size = sizeof (u32),
2077 .sibling_of = "nat-default",
2078 .format_trace = format_nat_in2out_ed_trace,
2079 .type = VLIB_NODE_TYPE_INTERNAL,
2080 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
2081 .error_strings = nat_in2out_ed_error_strings,
2082 .runtime_data_bytes = sizeof (snat_runtime_t),
2086 VLIB_NODE_FN (nat44_ed_in2out_output_node) (vlib_main_t * vm,
2087 vlib_node_runtime_t * node,
2088 vlib_frame_t * frame)
2090 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 1);
2094 VLIB_REGISTER_NODE (nat44_ed_in2out_output_node) = {
2095 .name = "nat44-ed-in2out-output",
2096 .vector_size = sizeof (u32),
2097 .sibling_of = "nat-default",
2098 .format_trace = format_nat_in2out_ed_trace,
2099 .type = VLIB_NODE_TYPE_INTERNAL,
2100 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
2101 .error_strings = nat_in2out_ed_error_strings,
2102 .runtime_data_bytes = sizeof (snat_runtime_t),
2106 VLIB_NODE_FN (nat44_ed_in2out_slowpath_node) (vlib_main_t * vm,
2107 vlib_node_runtime_t * node,
2108 vlib_frame_t * frame)
2110 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 0);
2114 VLIB_REGISTER_NODE (nat44_ed_in2out_slowpath_node) = {
2115 .name = "nat44-ed-in2out-slowpath",
2116 .vector_size = sizeof (u32),
2117 .sibling_of = "nat-default",
2118 .format_trace = format_nat_in2out_ed_trace,
2119 .type = VLIB_NODE_TYPE_INTERNAL,
2120 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
2121 .error_strings = nat_in2out_ed_error_strings,
2122 .runtime_data_bytes = sizeof (snat_runtime_t),
2126 VLIB_NODE_FN (nat44_ed_in2out_output_slowpath_node) (vlib_main_t * vm,
2127 vlib_node_runtime_t *
2129 vlib_frame_t * frame)
2131 return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 1);
2135 VLIB_REGISTER_NODE (nat44_ed_in2out_output_slowpath_node) = {
2136 .name = "nat44-ed-in2out-output-slowpath",
2137 .vector_size = sizeof (u32),
2138 .sibling_of = "nat-default",
2139 .format_trace = format_nat_in2out_ed_trace,
2140 .type = VLIB_NODE_TYPE_INTERNAL,
2141 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
2142 .error_strings = nat_in2out_ed_error_strings,
2143 .runtime_data_bytes = sizeof (snat_runtime_t),
2148 VLIB_NODE_FN (nat44_ed_in2out_reass_node) (vlib_main_t * vm,
2149 vlib_node_runtime_t * node,
2150 vlib_frame_t * frame)
2152 return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 0);
2156 VLIB_REGISTER_NODE (nat44_ed_in2out_reass_node) = {
2157 .name = "nat44-ed-in2out-reass",
2158 .vector_size = sizeof (u32),
2159 .sibling_of = "nat-default",
2160 .format_trace = format_nat44_reass_trace,
2161 .type = VLIB_NODE_TYPE_INTERNAL,
2162 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
2163 .error_strings = nat_in2out_ed_error_strings,
2167 VLIB_NODE_FN (nat44_ed_in2out_reass_output_node) (vlib_main_t * vm,
2168 vlib_node_runtime_t * node,
2169 vlib_frame_t * frame)
2171 return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 1);
2175 VLIB_REGISTER_NODE (nat44_ed_in2out_reass_output_node) = {
2176 .name = "nat44-ed-in2out-reass-output",
2177 .vector_size = sizeof (u32),
2178 .sibling_of = "nat-default",
2179 .format_trace = format_nat44_reass_trace,
2180 .type = VLIB_NODE_TYPE_INTERNAL,
2181 .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
2182 .error_strings = nat_in2out_ed_error_strings,
2187 format_nat_pre_trace (u8 * s, va_list * args)
2189 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
2190 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
2191 nat_pre_trace_t *t = va_arg (*args, nat_pre_trace_t *);
2192 return format (s, "in2out next_index %d", t->next_index);
2195 VLIB_NODE_FN (nat_pre_in2out_node) (vlib_main_t * vm,
2196 vlib_node_runtime_t * node,
2197 vlib_frame_t * frame)
2199 return nat_pre_node_fn_inline (vm, node, frame,
2200 NAT_NEXT_IN2OUT_ED_FAST_PATH);
2204 VLIB_REGISTER_NODE (nat_pre_in2out_node) = {
2205 .name = "nat-pre-in2out",
2206 .vector_size = sizeof (u32),
2207 .sibling_of = "nat-default",
2208 .format_trace = format_nat_pre_trace,
2209 .type = VLIB_NODE_TYPE_INTERNAL,
2215 * fd.io coding-style-patch-verification: ON
2218 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob