2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/ip/ip.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
25 #include <vnet/udp/udp_local.h>
26 #include <vppinfra/error.h>
28 #include <nat/lib/ipfix_logging.h>
30 #include <nat/nat44-ed/nat44_ed.h>
31 #include <nat/nat44-ed/nat44_ed_inlines.h>
33 static char *nat_out2in_ed_error_strings[] = {
34 #define _(sym,string) string,
35 foreach_nat_out2in_ed_error
41 NAT_ED_SP_REASON_NO_REASON,
42 NAT_ED_SP_REASON_LOOKUP_FAILED,
43 NAT_ED_SP_REASON_VRF_EXPIRED,
44 NAT_ED_SP_SESS_EXPIRED,
45 } nat_slow_path_reason_e;
52 nat_translation_error_e translation_error;
55 clib_bihash_kv_16_8_t search_key;
57 u8 translation_via_i2of;
60 nat_slow_path_reason_e slow_path_reason;
61 } nat44_ed_out2in_trace_t;
64 format_slow_path_reason (u8 *s, va_list *args)
66 nat_slow_path_reason_e reason = va_arg (*args, nat_slow_path_reason_e);
69 case NAT_ED_SP_REASON_NO_REASON:
70 return format (s, "no reason for slow path");
71 case NAT_ED_SP_REASON_LOOKUP_FAILED:
72 return format (s, "slow path because lookup failed");
73 case NAT_ED_SP_REASON_VRF_EXPIRED:
74 return format (s, "slow path because vrf expired");
75 case NAT_ED_SP_SESS_EXPIRED:
76 return format (s, "slow path because session expired");
78 return format (s, "invalid reason value");
82 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
84 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
85 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
86 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
90 t->is_slow_path ? "NAT44_OUT2IN_ED_SLOW_PATH" :
91 "NAT44_OUT2IN_ED_FAST_PATH";
93 s = format (s, "%s: sw_if_index %d, next index %d", tag, t->sw_if_index,
95 if (~0 != t->session_index)
97 s = format (s, ", session %d, translation result '%U' via %s",
98 t->session_index, format_nat_ed_translation_error,
100 t->translation_via_i2of ? "i2of" : "o2if");
101 s = format (s, "\n i2of %U", format_nat_6t_flow, &t->i2of);
102 s = format (s, "\n o2if %U", format_nat_6t_flow, &t->o2if);
104 if (!t->is_slow_path)
106 if (t->lookup_skipped)
108 s = format (s, "\n lookup skipped - cached session index used");
112 s = format (s, "\n search key %U", format_ed_session_kvp,
115 s = format (s, "\n %U", format_slow_path_reason, t->slow_path_reason);
117 if (IP_PROTOCOL_TCP == t->i2of.match.proto)
119 s = format (s, "\n TCP state: %U", format_nat44_ed_tcp_state,
127 next_src_nat (snat_main_t *sm, ip4_header_t *ip, u16 src_port, u16 dst_port,
130 clib_bihash_kv_16_8_t kv, value;
132 init_ed_k (&kv, ip->src_address.as_u32, src_port, ip->dst_address.as_u32,
133 dst_port, rx_fib_index, ip->protocol);
134 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
140 static void create_bypass_for_fwd (snat_main_t *sm, vlib_buffer_t *b,
141 snat_session_t *s, ip4_header_t *ip,
142 u32 rx_fib_index, u32 thread_index);
144 static snat_session_t *create_session_for_static_mapping_ed (
145 snat_main_t *sm, vlib_buffer_t *b, ip4_address_t i2o_addr, u16 i2o_port,
146 u32 i2o_fib_index, ip4_address_t o2i_addr, u16 o2i_port, u32 o2i_fib_index,
147 ip_protocol_t proto, vlib_node_runtime_t *node, u32 thread_index,
148 twice_nat_type_t twice_nat, lb_nat_type_t lb_nat, f64 now,
149 snat_static_mapping_t *mapping);
152 icmp_out2in_ed_slow_path (snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip,
153 icmp46_header_t *icmp, u32 sw_if_index,
154 u32 rx_fib_index, vlib_node_runtime_t *node,
155 u32 next, f64 now, u32 thread_index,
156 snat_session_t **s_p)
158 vlib_main_t *vm = vlib_get_main ();
163 snat_session_t *s = 0;
164 u8 is_addr_only, identity_nat;
165 ip4_address_t sm_addr;
168 snat_static_mapping_t *m;
170 ip4_address_t lookup_saddr, lookup_daddr;
171 u16 lookup_sport, lookup_dport;
173 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
174 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
176 if (nat_get_icmp_session_lookup_values (b, ip, &lookup_saddr, &lookup_sport,
177 &lookup_daddr, &lookup_dport,
180 b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL];
181 next = NAT_NEXT_DROP;
185 if (snat_static_mapping_match (vm, ip->dst_address, lookup_sport,
186 rx_fib_index, ip->protocol, &sm_addr,
187 &sm_port, &sm_fib_index, 1, &is_addr_only, 0,
188 0, 0, &identity_nat, &m))
190 // static mapping not matched
191 if (!sm->forwarding_enabled)
193 /* Don't NAT packet aimed at the intfc address */
194 if (!is_interface_addr (sm, node, sw_if_index,
195 ip->dst_address.as_u32))
197 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
198 next = NAT_NEXT_DROP;
203 if (next_src_nat (sm, ip, lookup_sport, lookup_dport, rx_fib_index))
205 next = NAT_NEXT_IN2OUT_ED_FAST_PATH;
209 create_bypass_for_fwd (sm, b, s, ip, rx_fib_index, thread_index);
215 if (PREDICT_FALSE (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
217 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
218 ICMP4_echo_request ||
221 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
222 next = NAT_NEXT_DROP;
226 if (PREDICT_FALSE (identity_nat))
231 /* Create session initiated by host from external network */
232 s = create_session_for_static_mapping_ed (
233 sm, b, sm_addr, sm_port, sm_fib_index, ip->dst_address, lookup_sport,
234 rx_fib_index, lookup_protocol, node, thread_index, 0, 0,
235 vlib_time_now (vm), m);
237 next = NAT_NEXT_DROP;
239 if (PREDICT_TRUE (!ip4_is_fragment (ip)))
241 sum = ip_incremental_checksum_buffer (
242 vm, b, (u8 *) icmp - (u8 *) vlib_buffer_get_current (b),
243 ntohs (ip->length) - ip4_header_bytes (ip), 0);
244 checksum = ~ip_csum_fold (sum);
245 if (checksum != 0 && checksum != 0xffff)
247 next = NAT_NEXT_DROP;
252 if (PREDICT_TRUE (next != NAT_NEXT_DROP && s))
255 nat44_session_update_counters (
256 s, now, vlib_buffer_length_in_chain (vm, b), thread_index);
257 /* Per-user LRU list maintenance */
258 nat44_session_update_lru (sm, s, thread_index);
261 if (NAT_NEXT_DROP == next && s)
263 nat_ed_session_delete (sm, s, thread_index, 1);
270 static_always_inline int
271 nat44_ed_alloc_i2o_port (snat_main_t *sm, snat_address_t *a, snat_session_t *s,
272 ip4_address_t i2o_addr, u16 i2o_port,
273 u32 i2o_fib_index, ip_protocol_t proto,
274 u32 thread_index, u32 snat_thread_index,
275 ip4_address_t *outside_addr, u16 *outside_port)
279 for (int i = 0; i < ED_PORT_ALLOC_ATTEMPTS; ++i)
281 portnum = (sm->port_per_thread * snat_thread_index) +
282 snat_random_port (0, sm->port_per_thread - 1) + 1024;
283 portnum = clib_host_to_net_u16 (portnum);
284 nat_6t_i2o_flow_init (sm, thread_index, s, i2o_addr, i2o_port, a->addr,
285 portnum, i2o_fib_index, proto);
286 if (!nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s,
289 *outside_addr = a->addr;
290 *outside_port = portnum;
295 /* Totally out of translations to use... */
296 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
300 static_always_inline int
301 nat44_ed_alloc_i2o_addr_and_port (snat_main_t *sm, snat_address_t *addresses,
302 snat_session_t *s, ip4_address_t i2o_addr,
303 u16 i2o_port, u32 i2o_fib_index,
304 ip_protocol_t proto, u32 thread_index,
305 u32 snat_thread_index,
306 ip4_address_t *outside_addr,
309 snat_address_t *a, *ga = 0;
312 if (vec_len (addresses) > 0)
314 int s_addr_offset = i2o_addr.as_u32 % vec_len (addresses);
316 for (i = s_addr_offset; i < vec_len (addresses); ++i)
319 if (a->fib_index == i2o_fib_index)
321 return nat44_ed_alloc_i2o_port (
322 sm, a, s, i2o_addr, i2o_port, i2o_fib_index, proto,
323 thread_index, snat_thread_index, outside_addr, outside_port);
325 else if (a->fib_index == ~0)
331 for (i = 0; i < s_addr_offset; ++i)
334 if (a->fib_index == i2o_fib_index)
336 return nat44_ed_alloc_i2o_port (
337 sm, a, s, i2o_addr, i2o_port, i2o_fib_index, proto,
338 thread_index, snat_thread_index, outside_addr, outside_port);
340 else if (a->fib_index == ~0)
348 return nat44_ed_alloc_i2o_port (
349 sm, a, s, i2o_addr, i2o_port, i2o_fib_index, proto, thread_index,
350 snat_thread_index, outside_addr, outside_port);
354 /* Totally out of translations to use... */
355 nat_ipfix_logging_addresses_exhausted (thread_index, 0);
359 static snat_session_t *
360 create_session_for_static_mapping_ed (
361 snat_main_t *sm, vlib_buffer_t *b, ip4_address_t i2o_addr, u16 i2o_port,
362 u32 i2o_fib_index, ip4_address_t o2i_addr, u16 o2i_port, u32 o2i_fib_index,
363 ip_protocol_t proto, vlib_node_runtime_t *node, u32 thread_index,
364 twice_nat_type_t twice_nat, lb_nat_type_t lb_nat, f64 now,
365 snat_static_mapping_t *mapping)
369 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
372 nat44_ed_maximum_sessions_exceeded (sm, o2i_fib_index, thread_index)))
374 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
375 nat_elog_notice (sm, "maximum sessions exceeded");
379 s = nat_ed_session_alloc (sm, thread_index, now, proto);
382 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
383 nat_elog_warn (sm, "create NAT session failed");
387 ip = vlib_buffer_get_current (b);
389 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
391 proto == IP_PROTOCOL_ICMP ? 0 : vnet_buffer (b)->ip.reass.l4_src_port;
392 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
394 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
395 if (lb_nat == AFFINITY_LB_NAT)
396 s->flags |= SNAT_SESSION_FLAG_AFFINITY;
397 s->out2in.addr = o2i_addr;
398 s->out2in.port = o2i_port;
399 s->out2in.fib_index = o2i_fib_index;
400 s->in2out.addr = i2o_addr;
401 s->in2out.port = i2o_port;
402 s->in2out.fib_index = i2o_fib_index;
405 if (IP_PROTOCOL_ICMP == proto)
407 nat_6t_o2i_flow_init (sm, thread_index, s, s->ext_host_addr, o2i_port,
408 o2i_addr, o2i_port, o2i_fib_index, ip->protocol);
409 nat_6t_flow_icmp_id_rewrite_set (&s->o2i, i2o_port);
413 nat_6t_o2i_flow_init (sm, thread_index, s, s->ext_host_addr,
414 s->ext_host_port, o2i_addr, o2i_port,
415 o2i_fib_index, ip->protocol);
416 nat_6t_flow_dport_rewrite_set (&s->o2i, i2o_port);
418 nat_6t_flow_daddr_rewrite_set (&s->o2i, i2o_addr.as_u32);
419 nat_6t_flow_txfib_rewrite_set (&s->o2i, i2o_fib_index);
421 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 1))
423 b->error = node->errors[NAT_OUT2IN_ED_ERROR_HASH_ADD_FAILED];
424 nat_ed_session_delete (sm, s, thread_index, 1);
425 nat_elog_warn (sm, "out2in flow hash add failed");
429 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
430 ip->src_address.as_u32 == i2o_addr.as_u32))
433 snat_address_t *filter = 0;
435 // if exact address is specified use this address
436 if (is_sm_exact_address (mapping->flags))
439 vec_foreach (ap, sm->twice_nat_addresses)
441 if (mapping->pool_addr.as_u32 == ap->addr.as_u32)
451 rc = nat44_ed_alloc_i2o_port (
452 sm, filter, s, i2o_addr, i2o_port, i2o_fib_index, proto,
453 thread_index, tsm->snat_thread_index, &s->ext_host_nat_addr,
454 &s->ext_host_nat_port);
455 s->flags |= SNAT_SESSION_FLAG_EXACT_ADDRESS;
459 rc = nat44_ed_alloc_i2o_addr_and_port (
460 sm, sm->twice_nat_addresses, s, i2o_addr, i2o_port, i2o_fib_index,
461 proto, thread_index, tsm->snat_thread_index, &s->ext_host_nat_addr,
462 &s->ext_host_nat_port);
467 b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
468 nat_ed_session_delete (sm, s, thread_index, 1);
472 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
474 nat_6t_flow_saddr_rewrite_set (&s->o2i, s->ext_host_nat_addr.as_u32);
475 if (IP_PROTOCOL_ICMP == proto)
477 nat_6t_flow_icmp_id_rewrite_set (&s->o2i, s->ext_host_nat_port);
481 nat_6t_flow_sport_rewrite_set (&s->o2i, s->ext_host_nat_port);
484 nat_6t_l3_l4_csum_calc (&s->o2i);
486 nat_6t_flow_daddr_rewrite_set (&s->i2o, s->ext_host_addr.as_u32);
487 if (IP_PROTOCOL_ICMP == proto)
489 nat_6t_flow_icmp_id_rewrite_set (&s->i2o, s->ext_host_port);
493 nat_6t_flow_dport_rewrite_set (&s->i2o, s->ext_host_port);
496 nat_6t_flow_saddr_rewrite_set (&s->i2o, o2i_addr.as_u32);
497 if (IP_PROTOCOL_ICMP == proto)
499 nat_6t_flow_icmp_id_rewrite_set (&s->i2o, o2i_port);
503 nat_6t_flow_sport_rewrite_set (&s->i2o, o2i_port);
505 nat_6t_l3_l4_csum_calc (&s->i2o);
509 if (IP_PROTOCOL_ICMP == proto)
511 nat_6t_i2o_flow_init (sm, thread_index, s, i2o_addr, i2o_port,
512 s->ext_host_addr, i2o_port, i2o_fib_index,
517 nat_6t_i2o_flow_init (sm, thread_index, s, i2o_addr, i2o_port,
518 s->ext_host_addr, s->ext_host_port,
519 i2o_fib_index, ip->protocol);
522 nat_6t_flow_saddr_rewrite_set (&s->i2o, o2i_addr.as_u32);
523 if (IP_PROTOCOL_ICMP == proto)
525 nat_6t_flow_icmp_id_rewrite_set (&s->i2o, o2i_port);
529 nat_6t_flow_sport_rewrite_set (&s->i2o, o2i_port);
532 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 1))
534 nat_elog_notice (sm, "in2out flow hash add failed");
535 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 0))
537 nat_elog_warn (sm, "out2in flow hash del failed");
539 nat_ed_session_delete (sm, s, thread_index, 1);
543 nat_ipfix_logging_nat44_ses_create (
544 thread_index, s->in2out.addr.as_u32, s->out2in.addr.as_u32, s->proto,
545 s->in2out.port, s->out2in.port, s->in2out.fib_index);
547 nat_syslog_nat44_sadd (0, s->in2out.fib_index, &s->in2out.addr,
548 s->in2out.port, &s->ext_host_nat_addr,
549 s->ext_host_nat_port, &s->out2in.addr, s->out2in.port,
550 &s->ext_host_addr, s->ext_host_port, s->proto,
551 nat44_ed_is_twice_nat_session (s));
553 per_vrf_sessions_register_session (s, thread_index);
559 create_bypass_for_fwd (snat_main_t *sm, vlib_buffer_t *b, snat_session_t *s,
560 ip4_header_t *ip, u32 rx_fib_index, u32 thread_index)
562 clib_bihash_kv_16_8_t kv, value;
563 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
564 vlib_main_t *vm = vlib_get_main ();
565 f64 now = vlib_time_now (vm);
566 u16 lookup_sport, lookup_dport;
568 ip4_address_t lookup_saddr, lookup_daddr;
570 if (ip->protocol == IP_PROTOCOL_ICMP)
572 if (nat_get_icmp_session_lookup_values (b, ip, &lookup_daddr,
573 &lookup_sport, &lookup_saddr,
574 &lookup_dport, &lookup_protocol))
579 if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
581 lookup_sport = vnet_buffer (b)->ip.reass.l4_dst_port;
582 lookup_dport = vnet_buffer (b)->ip.reass.l4_src_port;
589 lookup_saddr.as_u32 = ip->dst_address.as_u32;
590 lookup_daddr.as_u32 = ip->src_address.as_u32;
591 lookup_protocol = ip->protocol;
594 init_ed_k (&kv, lookup_saddr.as_u32, lookup_sport, lookup_daddr.as_u32,
595 lookup_dport, rx_fib_index, lookup_protocol);
597 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv, &value))
599 ASSERT (thread_index == ed_value_get_thread_index (&value));
601 pool_elt_at_index (tsm->sessions,
602 ed_value_get_session_index (&value));
604 else if (ip->protocol == IP_PROTOCOL_ICMP &&
605 icmp_type_is_error_message
606 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
613 (nat44_ed_maximum_sessions_exceeded
614 (sm, rx_fib_index, thread_index)))
617 s = nat_ed_session_alloc (sm, thread_index, now, ip->protocol);
620 nat_elog_warn (sm, "create NAT session failed");
624 s->ext_host_addr = ip->src_address;
625 s->ext_host_port = lookup_dport;
626 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
627 s->out2in.addr = ip->dst_address;
628 s->out2in.port = lookup_sport;
629 s->proto = ip->protocol;
630 s->out2in.fib_index = rx_fib_index;
631 s->in2out.addr = s->out2in.addr;
632 s->in2out.port = s->out2in.port;
633 s->in2out.fib_index = s->out2in.fib_index;
635 nat_6t_i2o_flow_init (sm, thread_index, s, ip->dst_address, lookup_sport,
636 ip->src_address, lookup_dport, rx_fib_index,
638 nat_6t_flow_txfib_rewrite_set (&s->i2o, rx_fib_index);
639 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 1))
641 nat_elog_notice (sm, "in2out flow add failed");
642 nat_ed_session_delete (sm, s, thread_index, 1);
646 per_vrf_sessions_register_session (s, thread_index);
649 if (ip->protocol == IP_PROTOCOL_TCP)
651 nat44_set_tcp_session_state_o2i (
652 sm, now, s, vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags,
657 nat44_session_update_counters (s, now, 0, thread_index);
658 /* Per-user LRU list maintenance */
659 nat44_session_update_lru (sm, s, thread_index);
662 static snat_session_t *
663 nat44_ed_out2in_slowpath_unknown_proto (snat_main_t *sm, vlib_buffer_t *b,
664 ip4_header_t *ip, u32 rx_fib_index,
665 u32 thread_index, f64 now,
667 vlib_node_runtime_t *node)
669 snat_static_mapping_t *m;
673 nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
675 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
676 nat_elog_notice (sm, "maximum sessions exceeded");
680 m = nat44_ed_sm_o2i_lookup (sm, ip->dst_address, 0, 0, ip->protocol);
683 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
687 /* Create a new session */
688 s = nat_ed_session_alloc (sm, thread_index, now, ip->protocol);
691 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
692 nat_elog_warn (sm, "create NAT session failed");
696 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
697 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
698 s->out2in.addr.as_u32 = ip->dst_address.as_u32;
699 s->out2in.fib_index = rx_fib_index;
700 s->in2out.addr.as_u32 = m->local_addr.as_u32;
701 s->in2out.fib_index = m->fib_index;
702 s->in2out.port = s->out2in.port = ip->protocol;
704 nat_6t_o2i_flow_init (sm, thread_index, s, ip->dst_address, 0,
705 ip->src_address, 0, m->fib_index, ip->protocol);
706 nat_6t_flow_saddr_rewrite_set (&s->i2o, ip->dst_address.as_u32);
707 if (nat_ed_ses_i2o_flow_hash_add_del (sm, thread_index, s, 1))
709 nat_elog_notice (sm, "in2out key add failed");
710 nat_ed_session_delete (sm, s, thread_index, 1);
714 nat_6t_o2i_flow_init (sm, thread_index, s, ip->src_address, 0,
715 ip->dst_address, 0, rx_fib_index, ip->protocol);
716 nat_6t_flow_daddr_rewrite_set (&s->o2i, m->local_addr.as_u32);
717 nat_6t_flow_txfib_rewrite_set (&s->o2i, m->fib_index);
718 if (nat_ed_ses_o2i_flow_hash_add_del (sm, thread_index, s, 1))
720 nat_elog_notice (sm, "out2in flow hash add failed");
721 nat_ed_session_delete (sm, s, thread_index, 1);
725 per_vrf_sessions_register_session (s, thread_index);
728 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b),
730 /* Per-user LRU list maintenance */
731 nat44_session_update_lru (sm, s, thread_index);
737 nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm,
738 vlib_node_runtime_t * node,
739 vlib_frame_t * frame,
742 u32 n_left_from, *from;
743 snat_main_t *sm = &snat_main;
744 f64 now = vlib_time_now (vm);
745 u32 thread_index = vm->thread_index;
746 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
748 from = vlib_frame_vector_args (frame);
749 n_left_from = frame->n_vectors;
751 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
752 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
753 vlib_get_buffers (vm, from, b, n_left_from);
755 while (n_left_from > 0)
758 u32 sw_if_index0, rx_fib_index0;
759 ip_protocol_t proto0;
761 snat_session_t *s0 = 0;
762 clib_bihash_kv_16_8_t kv0, value0;
763 nat_translation_error_e translation_error = NAT_ED_TRNSL_ERR_SUCCESS;
764 nat_slow_path_reason_e slow_path_reason = NAT_ED_SP_REASON_NO_REASON;
765 nat_6t_flow_t *f = 0;
767 int lookup_skipped = 0;
772 /* Prefetch next iteration. */
773 if (PREDICT_TRUE (n_left_from >= 2))
779 vlib_prefetch_buffer_header (p2, LOAD);
781 clib_prefetch_load (p2->data);
784 next[0] = vnet_buffer2 (b0)->nat.arc_next;
786 lookup.sport = vnet_buffer (b0)->ip.reass.l4_src_port;
787 lookup.dport = vnet_buffer (b0)->ip.reass.l4_dst_port;
789 vnet_buffer (b0)->snat.flags = 0;
790 ip0 = vlib_buffer_get_current (b0);
792 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
794 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
796 lookup.fib_index = rx_fib_index0;
798 if (PREDICT_FALSE (ip0->ttl == 1))
800 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
801 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
802 ICMP4_time_exceeded_ttl_exceeded_in_transit,
804 next[0] = NAT_NEXT_ICMP_ERROR;
808 proto0 = ip0->protocol;
810 if (PREDICT_FALSE (proto0 == IP_PROTOCOL_ICMP))
812 if (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
813 ICMP4_echo_request &&
814 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
816 !icmp_type_is_error_message (
817 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
819 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
820 next[0] = NAT_NEXT_DROP;
823 int err = nat_get_icmp_session_lookup_values (
824 b0, ip0, &lookup.saddr, &lookup.sport, &lookup.daddr,
825 &lookup.dport, &lookup.proto);
828 b0->error = node->errors[err];
829 next[0] = NAT_NEXT_DROP;
835 lookup.saddr.as_u32 = ip0->src_address.as_u32;
836 lookup.daddr.as_u32 = ip0->dst_address.as_u32;
837 lookup.proto = ip0->protocol;
840 /* there might be a stashed index in vnet_buffer2 from handoff or
841 * classify node, see if it can be used */
842 if (is_multi_worker &&
843 !pool_is_free_index (tsm->sessions,
844 vnet_buffer2 (b0)->nat.cached_session_index))
846 s0 = pool_elt_at_index (tsm->sessions,
847 vnet_buffer2 (b0)->nat.cached_session_index);
848 if (PREDICT_TRUE (nat_6t_t_eq (&s0->o2i.match, &lookup)) ||
849 (s0->flags & SNAT_SESSION_FLAG_TWICE_NAT &&
850 nat_6t_t_eq (&s0->i2o.match, &lookup)))
852 /* yes, this is the droid we're looking for */
859 init_ed_k (&kv0, lookup.saddr.as_u32, lookup.sport, lookup.daddr.as_u32,
860 lookup.dport, lookup.fib_index, lookup.proto);
863 if (clib_bihash_search_16_8 (&sm->flow_hash, &kv0, &value0))
865 // flow does not exist go slow path
866 slow_path_reason = NAT_ED_SP_REASON_LOOKUP_FAILED;
867 next[0] = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
870 ASSERT (thread_index == ed_value_get_thread_index (&value0));
872 pool_elt_at_index (tsm->sessions,
873 ed_value_get_session_index (&value0));
876 ASSERT (thread_index == s0->thread_index);
878 if (PREDICT_FALSE (per_vrf_sessions_is_expired (s0, thread_index)))
880 // session is closed, go slow path
881 nat44_ed_free_session_data (sm, s0, thread_index, 0);
882 nat_ed_session_delete (sm, s0, thread_index, 1);
883 slow_path_reason = NAT_ED_SP_REASON_VRF_EXPIRED;
884 next[0] = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
888 // drop if session expired
889 u64 sess_timeout_time;
891 s0->last_heard + (f64) nat44_session_get_timeout (sm, s0);
892 if (now >= sess_timeout_time)
894 // session is closed, go slow path
895 nat44_ed_free_session_data (sm, s0, thread_index, 0);
896 nat_ed_session_delete (sm, s0, thread_index, 1);
897 slow_path_reason = NAT_ED_SP_SESS_EXPIRED;
898 next[0] = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
902 if (nat_6t_t_eq (&s0->o2i.match, &lookup))
906 else if (s0->flags & SNAT_SESSION_FLAG_TWICE_NAT &&
907 nat_6t_t_eq (&s0->i2o.match, &lookup))
914 * Send DHCP packets to the ipv4 stack, or we won't
915 * be able to use dhcp client on the outside interface
918 proto0 == IP_PROTOCOL_UDP &&
919 (vnet_buffer (b0)->ip.reass.l4_dst_port ==
920 clib_host_to_net_u16 (UDP_DST_PORT_dhcp_to_client))))
925 if (!sm->forwarding_enabled)
927 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
928 next[0] = NAT_NEXT_DROP;
933 if (nat_6t_t_eq (&s0->i2o.match, &lookup))
939 // FIXME TODO bypass ???
940 // create_bypass_for_fwd (sm, b0, s0, ip0, rx_fib_index0,
942 translation_error = NAT_ED_TRNSL_ERR_FLOW_MISMATCH;
943 nat44_ed_free_session_data (sm, s0, thread_index, 0);
944 nat_ed_session_delete (sm, s0, thread_index, 1);
945 next[0] = NAT_NEXT_DROP;
946 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
952 if (NAT_ED_TRNSL_ERR_SUCCESS !=
953 (translation_error = nat_6t_flow_buf_translate_o2i (
954 vm, sm, b0, ip0, f, proto0, 0 /* is_output_feature */)))
956 next[0] = NAT_NEXT_DROP;
957 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
963 case IP_PROTOCOL_TCP:
964 vlib_increment_simple_counter (&sm->counters.fastpath.out2in.tcp,
965 thread_index, sw_if_index0, 1);
966 nat44_set_tcp_session_state_o2i (sm, now, s0,
967 vnet_buffer (b0)->ip.
968 reass.icmp_type_or_tcp_flags,
971 case IP_PROTOCOL_UDP:
972 vlib_increment_simple_counter (&sm->counters.fastpath.out2in.udp,
973 thread_index, sw_if_index0, 1);
975 case IP_PROTOCOL_ICMP:
976 vlib_increment_simple_counter (&sm->counters.fastpath.out2in.icmp,
977 thread_index, sw_if_index0, 1);
980 vlib_increment_simple_counter (&sm->counters.fastpath.out2in.other,
981 thread_index, sw_if_index0, 1);
986 nat44_session_update_counters (s0, now,
987 vlib_buffer_length_in_chain (vm, b0),
989 /* Per-user LRU list maintenance */
990 nat44_session_update_lru (sm, s0, thread_index);
993 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
994 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
996 nat44_ed_out2in_trace_t *t =
997 vlib_add_trace (vm, node, b0, sizeof (*t));
998 t->sw_if_index = sw_if_index0;
999 t->next_index = next[0];
1000 t->is_slow_path = 0;
1001 t->translation_error = translation_error;
1002 clib_memcpy (&t->search_key, &kv0, sizeof (t->search_key));
1003 t->lookup_skipped = lookup_skipped;
1004 t->slow_path_reason = slow_path_reason;
1008 t->session_index = s0 - tsm->sessions;
1009 clib_memcpy (&t->i2of, &s0->i2o, sizeof (t->i2of));
1010 clib_memcpy (&t->o2if, &s0->o2i, sizeof (t->o2if));
1011 t->translation_via_i2of = (&s0->i2o == f);
1012 t->tcp_state = s0->tcp_state;
1016 t->session_index = ~0;
1020 if (next[0] == NAT_NEXT_DROP)
1022 vlib_increment_simple_counter (&sm->counters.fastpath.out2in.drops,
1023 thread_index, sw_if_index0, 1);
1030 vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
1032 return frame->n_vectors;
1036 nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
1037 vlib_node_runtime_t * node,
1038 vlib_frame_t * frame)
1040 u32 n_left_from, *from;
1041 snat_main_t *sm = &snat_main;
1042 f64 now = vlib_time_now (vm);
1043 u32 thread_index = vm->thread_index;
1044 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1045 snat_static_mapping_t *m;
1047 from = vlib_frame_vector_args (frame);
1048 n_left_from = frame->n_vectors;
1050 vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
1051 u16 nexts[VLIB_FRAME_SIZE], *next = nexts;
1052 vlib_get_buffers (vm, from, b, n_left_from);
1054 while (n_left_from > 0)
1057 u32 sw_if_index0, rx_fib_index0;
1058 ip_protocol_t proto0;
1061 icmp46_header_t *icmp0;
1062 snat_session_t *s0 = 0;
1063 clib_bihash_kv_16_8_t kv0, value0;
1064 lb_nat_type_t lb_nat0;
1065 twice_nat_type_t twice_nat0;
1067 ip4_address_t sm_addr;
1070 nat_translation_error_e translation_error = NAT_ED_TRNSL_ERR_SUCCESS;
1073 next[0] = vnet_buffer2 (b0)->nat.arc_next;
1075 vnet_buffer (b0)->snat.flags = 0;
1076 ip0 = vlib_buffer_get_current (b0);
1078 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1080 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, sw_if_index0);
1082 if (PREDICT_FALSE (ip0->ttl == 1))
1084 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1085 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1086 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1088 next[0] = NAT_NEXT_ICMP_ERROR;
1092 udp0 = ip4_next_header (ip0);
1093 icmp0 = (icmp46_header_t *) udp0;
1094 proto0 = ip0->protocol;
1096 if (PREDICT_FALSE (nat44_ed_is_unk_proto (proto0)))
1098 s0 = nat44_ed_out2in_slowpath_unknown_proto (
1099 sm, b0, ip0, rx_fib_index0, thread_index, now, vm, node);
1100 if (!sm->forwarding_enabled)
1103 next[0] = NAT_NEXT_DROP;
1105 if (NAT_NEXT_DROP != next[0] && s0 &&
1106 NAT_ED_TRNSL_ERR_SUCCESS !=
1107 (translation_error = nat_6t_flow_buf_translate_o2i (
1108 vm, sm, b0, ip0, &s0->o2i, proto0,
1109 0 /* is_output_feature */)))
1111 next[0] = NAT_NEXT_DROP;
1112 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
1116 vlib_increment_simple_counter (&sm->counters.slowpath.out2in.other,
1117 thread_index, sw_if_index0, 1);
1121 if (PREDICT_FALSE (proto0 == IP_PROTOCOL_ICMP))
1123 next[0] = icmp_out2in_ed_slow_path
1124 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1125 next[0], now, thread_index, &s0);
1127 if (NAT_NEXT_DROP != next[0] && s0 &&
1128 NAT_ED_TRNSL_ERR_SUCCESS !=
1129 (translation_error = nat_6t_flow_buf_translate_o2i (
1130 vm, sm, b0, ip0, &s0->o2i, proto0,
1131 0 /* is_output_feature */)))
1133 next[0] = NAT_NEXT_DROP;
1134 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TRNSL_FAILED];
1138 if (NAT_NEXT_DROP != next[0])
1140 vlib_increment_simple_counter (
1141 &sm->counters.slowpath.out2in.icmp, thread_index, sw_if_index0,
1148 &kv0, ip0->src_address.as_u32, vnet_buffer (b0)->ip.reass.l4_src_port,
1149 ip0->dst_address.as_u32, vnet_buffer (b0)->ip.reass.l4_dst_port,
1150 rx_fib_index0, ip0->protocol);
1153 if (!clib_bihash_search_16_8 (&sm->flow_hash, &kv0, &value0))
1155 ASSERT (thread_index == ed_value_get_thread_index (&value0));
1157 pool_elt_at_index (tsm->sessions,
1158 ed_value_get_session_index (&value0));
1163 /* Try to match static mapping by external address and port,
1164 destination address and port in packet */
1166 if (snat_static_mapping_match (
1167 vm, ip0->dst_address, vnet_buffer (b0)->ip.reass.l4_dst_port,
1168 rx_fib_index0, proto0, &sm_addr, &sm_port, &sm_fib_index, 1, 0,
1169 &twice_nat0, &lb_nat0, &ip0->src_address, &identity_nat0, &m))
1172 * Send DHCP packets to the ipv4 stack, or we won't
1173 * be able to use dhcp client on the outside interface
1176 proto0 == IP_PROTOCOL_UDP &&
1177 (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1178 clib_host_to_net_u16 (UDP_DST_PORT_dhcp_to_client))))
1183 if (!sm->forwarding_enabled)
1186 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1187 next[0] = NAT_NEXT_DROP;
1192 sm, ip0, vnet_buffer (b0)->ip.reass.l4_src_port,
1193 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0))
1195 next[0] = NAT_NEXT_IN2OUT_ED_FAST_PATH;
1199 create_bypass_for_fwd (sm, b0, s0, ip0, rx_fib_index0,
1206 if (PREDICT_FALSE (identity_nat0))
1209 if ((proto0 == IP_PROTOCOL_TCP) &&
1210 !tcp_flags_is_init (
1211 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
1213 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1214 next[0] = NAT_NEXT_DROP;
1218 /* Create session initiated by host from external network */
1219 s0 = create_session_for_static_mapping_ed (
1220 sm, b0, sm_addr, sm_port, sm_fib_index, ip0->dst_address,
1221 vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0, proto0,
1222 node, thread_index, twice_nat0, lb_nat0, now, m);
1225 next[0] = NAT_NEXT_DROP;
1230 if (NAT_ED_TRNSL_ERR_SUCCESS !=
1231 (translation_error = nat_6t_flow_buf_translate_o2i (
1232 vm, sm, b0, ip0, &s0->o2i, proto0, 0 /* is_output_feature */)))
1234 next[0] = NAT_NEXT_DROP;
1238 if (PREDICT_TRUE (proto0 == IP_PROTOCOL_TCP))
1240 vlib_increment_simple_counter (&sm->counters.slowpath.out2in.tcp,
1241 thread_index, sw_if_index0, 1);
1242 nat44_set_tcp_session_state_o2i (sm, now, s0,
1243 vnet_buffer (b0)->ip.
1244 reass.icmp_type_or_tcp_flags,
1249 vlib_increment_simple_counter (&sm->counters.slowpath.out2in.udp,
1250 thread_index, sw_if_index0, 1);
1254 nat44_session_update_counters (s0, now,
1255 vlib_buffer_length_in_chain (vm, b0),
1257 /* Per-user LRU list maintenance */
1258 nat44_session_update_lru (sm, s0, thread_index);
1261 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1262 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1264 nat44_ed_out2in_trace_t *t =
1265 vlib_add_trace (vm, node, b0, sizeof (*t));
1266 t->sw_if_index = sw_if_index0;
1267 t->next_index = next[0];
1268 t->is_slow_path = 1;
1269 t->translation_error = translation_error;
1270 clib_memcpy (&t->search_key, &kv0, sizeof (t->search_key));
1274 t->session_index = s0 - tsm->sessions;
1275 clib_memcpy (&t->i2of, &s0->i2o, sizeof (t->i2of));
1276 clib_memcpy (&t->o2if, &s0->o2i, sizeof (t->o2if));
1277 t->tcp_state = s0->tcp_state;
1281 t->session_index = ~0;
1285 if (next[0] == NAT_NEXT_DROP)
1287 vlib_increment_simple_counter (&sm->counters.slowpath.out2in.drops,
1288 thread_index, sw_if_index0, 1);
1296 vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
1299 return frame->n_vectors;
1302 VLIB_NODE_FN (nat44_ed_out2in_node) (vlib_main_t * vm,
1303 vlib_node_runtime_t * node,
1304 vlib_frame_t * frame)
1306 if (snat_main.num_workers > 1)
1308 return nat44_ed_out2in_fast_path_node_fn_inline (vm, node, frame, 1);
1312 return nat44_ed_out2in_fast_path_node_fn_inline (vm, node, frame, 0);
1316 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
1317 .name = "nat44-ed-out2in",
1318 .vector_size = sizeof (u32),
1319 .sibling_of = "nat-default",
1320 .format_trace = format_nat44_ed_out2in_trace,
1321 .type = VLIB_NODE_TYPE_INTERNAL,
1322 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1323 .error_strings = nat_out2in_ed_error_strings,
1324 .runtime_data_bytes = sizeof (snat_runtime_t),
1327 VLIB_NODE_FN (nat44_ed_out2in_slowpath_node) (vlib_main_t * vm,
1328 vlib_node_runtime_t * node,
1329 vlib_frame_t * frame)
1331 return nat44_ed_out2in_slow_path_node_fn_inline (vm, node, frame);
1334 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
1335 .name = "nat44-ed-out2in-slowpath",
1336 .vector_size = sizeof (u32),
1337 .sibling_of = "nat-default",
1338 .format_trace = format_nat44_ed_out2in_trace,
1339 .type = VLIB_NODE_TYPE_INTERNAL,
1340 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1341 .error_strings = nat_out2in_ed_error_strings,
1342 .runtime_data_bytes = sizeof (snat_runtime_t),
1346 format_nat_pre_trace (u8 * s, va_list * args)
1348 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1349 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1350 nat_pre_trace_t *t = va_arg (*args, nat_pre_trace_t *);
1351 return format (s, "out2in next_index %d arc_next_index %d", t->next_index,
1355 VLIB_NODE_FN (nat_pre_out2in_node) (vlib_main_t * vm,
1356 vlib_node_runtime_t * node,
1357 vlib_frame_t * frame)
1359 return nat_pre_node_fn_inline (vm, node, frame,
1360 NAT_NEXT_OUT2IN_ED_FAST_PATH);
1363 VLIB_REGISTER_NODE (nat_pre_out2in_node) = {
1364 .name = "nat-pre-out2in",
1365 .vector_size = sizeof (u32),
1366 .sibling_of = "nat-default",
1367 .format_trace = format_nat_pre_trace,
1368 .type = VLIB_NODE_TYPE_INTERNAL,
1373 * fd.io coding-style-patch-verification: ON
1376 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob