2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief Classify for one armed NAT44 (in+out interface)
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/fib/ip4_fib.h>
24 #include <nat/nat_reass.h>
25 #include <nat/nat_inlines.h>
27 vlib_node_registration_t nat44_classify_node;
28 vlib_node_registration_t nat44_ed_classify_node;
29 vlib_node_registration_t nat44_det_classify_node;
30 vlib_node_registration_t nat44_handoff_classify_node;
32 #define foreach_nat44_classify_error \
33 _(MAX_REASS, "Maximum reassemblies exceeded") \
34 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
38 #define _(sym,str) NAT44_CLASSIFY_ERROR_##sym,
39 foreach_nat44_classify_error
41 NAT44_CLASSIFY_N_ERROR,
42 } nat44_classify_error_t;
44 static char *nat44_classify_error_strings[] = {
45 #define _(sym,string) string,
46 foreach_nat44_classify_error
52 NAT44_CLASSIFY_NEXT_IN2OUT,
53 NAT44_CLASSIFY_NEXT_OUT2IN,
54 NAT44_CLASSIFY_NEXT_DROP,
55 NAT44_CLASSIFY_N_NEXT,
56 } nat44_classify_next_t;
62 } nat44_classify_trace_t;
65 format_nat44_classify_trace (u8 * s, va_list * args)
67 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
68 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
69 nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *);
73 s = format (s, "nat44-classify: fragment cached");
76 next = t->next_in2out ? "nat44-in2out" : "nat44-out2in";
77 s = format (s, "nat44-classify: next %s", next);
84 nat44_classify_node_fn_inline (vlib_main_t * vm,
85 vlib_node_runtime_t * node,
86 vlib_frame_t * frame, int is_ed)
88 u32 n_left_from, *from, *to_next;
89 nat44_classify_next_t next_index;
90 snat_main_t *sm = &snat_main;
91 snat_static_mapping_t *m;
92 u32 thread_index = vm->thread_index;
93 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
94 u32 *fragments_to_drop = 0;
95 u32 *fragments_to_loopback = 0;
97 from = vlib_frame_vector_args (frame);
98 n_left_from = frame->n_vectors;
99 next_index = node->cached_next_index;
101 while (n_left_from > 0)
105 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
107 while (n_left_from > 0 && n_left_to_next > 0)
111 u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT, sw_if_index0, rx_fib_index0;
114 snat_session_key_t m_key0;
115 clib_bihash_kv_8_8_t kv0, value0;
116 clib_bihash_kv_16_8_t ed_kv0, ed_value0;
118 nat_reass_ip4_t *reass0;
121 /* speculatively enqueue b0 to the current next frame */
129 b0 = vlib_get_buffer (vm, bi0);
130 ip0 = vlib_buffer_get_current (b0);
131 udp0 = ip4_next_header (ip0);
133 if (is_ed && ip0->protocol != IP_PROTOCOL_ICMP)
135 if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
137 /* process leading fragment/whole packet (with L4 header) */
138 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
140 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
142 make_ed_kv (&ed_kv0, &ip0->src_address, &ip0->dst_address,
143 ip0->protocol, rx_fib_index0, udp0->src_port,
145 if (ip4_is_fragment (ip0))
147 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
153 if (PREDICT_FALSE (!reass0))
155 next0 = NAT44_CLASSIFY_NEXT_DROP;
157 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
158 nat_log_notice ("maximum reassemblies exceeded");
161 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0,
164 /* session exists so classify as IN2OUT,
165 * save this information for future fragments and set
166 * past fragments to be looped over and reprocessed */
167 reass0->sess_index = ed_value0.value;
168 reass0->classify_next =
169 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
170 nat_ip4_reass_get_frags (reass0,
171 &fragments_to_loopback);
176 /* session doesn't exist so continue in the code,
177 * save this information for future fragments and set
178 * past fragments to be looped over and reprocessed */
180 NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE;
181 nat_ip4_reass_get_frags (reass0,
182 &fragments_to_loopback);
187 /* process whole packet */
188 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0,
191 /* session doesn't exist so continue in code */
196 /* process non-first fragment */
197 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
203 if (PREDICT_FALSE (!reass0))
205 next0 = NAT44_CLASSIFY_NEXT_DROP;
207 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
208 nat_log_notice ("maximum reassemblies exceeded");
211 /* check if first fragment has arrived */
212 if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE &&
213 !(reass0->flags & NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE))
215 /* first fragment still hasn't arrived, cache this fragment */
216 if (nat_ip4_reass_add_fragment (reass0, bi0,
220 node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
222 ("maximum fragments per reassembly exceeded");
223 next0 = NAT44_CLASSIFY_NEXT_DROP;
229 if (reass0->classify_next ==
230 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
232 /* flag NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE is set
233 * so keep the default next0 and continue in code to
234 * potentially find other classification for this packet */
239 vec_foreach (ap, sm->addresses)
241 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
243 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
249 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
251 m_key0.addr = ip0->dst_address;
254 m_key0.fib_index = 0;
255 kv0.key = m_key0.as_u64;
256 /* try to classify the fragment based on IP header alone */
257 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external,
260 m = pool_elt_at_index (sm->static_mappings, value0.value);
261 if (m->local_addr.as_u32 != m->external_addr.as_u32)
262 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
265 if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
267 /* process leading fragment/whole packet (with L4 header) */
268 m_key0.port = clib_net_to_host_u16 (udp0->dst_port);
269 m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
270 kv0.key = m_key0.as_u64;
271 if (!clib_bihash_search_8_8
272 (&sm->static_mapping_by_external, &kv0, &value0))
275 pool_elt_at_index (sm->static_mappings, value0.value);
276 if (m->local_addr.as_u32 != m->external_addr.as_u32)
277 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
279 if (ip4_is_fragment (ip0))
281 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
287 if (PREDICT_FALSE (!reass0))
289 next0 = NAT44_CLASSIFY_NEXT_DROP;
291 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
292 nat_log_notice ("maximum reassemblies exceeded");
295 /* save classification for future fragments and set past
296 * fragments to be looped over and reprocessed */
297 if (next0 == NAT44_CLASSIFY_NEXT_OUT2IN)
298 reass0->classify_next =
299 NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN;
301 reass0->classify_next =
302 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
303 nat_ip4_reass_get_frags (reass0,
304 &fragments_to_loopback);
309 /* process non-first fragment */
310 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
316 if (PREDICT_FALSE (!reass0))
318 next0 = NAT44_CLASSIFY_NEXT_DROP;
320 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
321 nat_log_notice ("maximum reassemblies exceeded");
324 if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE)
325 /* first fragment still hasn't arrived */
327 if (nat_ip4_reass_add_fragment (reass0, bi0,
331 node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
333 ("maximum fragments per reassembly exceeded");
334 next0 = NAT44_CLASSIFY_NEXT_DROP;
340 else if (reass0->classify_next ==
341 NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN)
342 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
343 else if (reass0->classify_next ==
344 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
345 next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
350 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
351 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
353 nat44_classify_trace_t *t =
354 vlib_add_trace (vm, node, b0, sizeof (*t));
357 t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
366 /* verify speculative enqueue, maybe switch current next frame */
367 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
368 to_next, n_left_to_next,
371 if (n_left_from == 0 && vec_len (fragments_to_loopback))
373 from = vlib_frame_vector_args (frame);
374 u32 len = vec_len (fragments_to_loopback);
375 if (len <= VLIB_FRAME_SIZE)
377 clib_memcpy_fast (from, fragments_to_loopback,
380 vec_reset_length (fragments_to_loopback);
384 clib_memcpy_fast (from, fragments_to_loopback +
385 (len - VLIB_FRAME_SIZE),
386 sizeof (u32) * VLIB_FRAME_SIZE);
387 n_left_from = VLIB_FRAME_SIZE;
388 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
393 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
396 nat_send_all_to_node (vm, fragments_to_drop, node, 0,
397 NAT44_CLASSIFY_NEXT_DROP);
399 vec_free (fragments_to_drop);
401 return frame->n_vectors;
405 nat44_classify_node_fn (vlib_main_t * vm,
406 vlib_node_runtime_t * node, vlib_frame_t * frame)
408 return nat44_classify_node_fn_inline (vm, node, frame, 0);
412 VLIB_REGISTER_NODE (nat44_classify_node) = {
413 .function = nat44_classify_node_fn,
414 .name = "nat44-classify",
415 .vector_size = sizeof (u32),
416 .format_trace = format_nat44_classify_trace,
417 .type = VLIB_NODE_TYPE_INTERNAL,
418 .n_errors = ARRAY_LEN(nat44_classify_error_strings),
419 .error_strings = nat44_classify_error_strings,
420 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
422 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out",
423 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in",
424 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
429 VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node, nat44_classify_node_fn);
431 nat44_ed_classify_node_fn (vlib_main_t * vm,
432 vlib_node_runtime_t * node, vlib_frame_t * frame)
434 return nat44_classify_node_fn_inline (vm, node, frame, 1);
438 VLIB_REGISTER_NODE (nat44_ed_classify_node) = {
439 .function = nat44_ed_classify_node_fn,
440 .name = "nat44-ed-classify",
441 .vector_size = sizeof (u32),
442 .format_trace = format_nat44_classify_trace,
443 .type = VLIB_NODE_TYPE_INTERNAL,
444 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
446 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-ed-in2out",
447 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-ed-out2in",
448 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
453 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_classify_node,
454 nat44_ed_classify_node_fn);
457 nat44_det_classify_node_fn (vlib_main_t * vm,
458 vlib_node_runtime_t * node, vlib_frame_t * frame)
460 return nat44_classify_node_fn_inline (vm, node, frame, 0);
464 VLIB_REGISTER_NODE (nat44_det_classify_node) = {
465 .function = nat44_det_classify_node_fn,
466 .name = "nat44-det-classify",
467 .vector_size = sizeof (u32),
468 .format_trace = format_nat44_classify_trace,
469 .type = VLIB_NODE_TYPE_INTERNAL,
470 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
472 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out",
473 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in",
474 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
479 VLIB_NODE_FUNCTION_MULTIARCH (nat44_det_classify_node,
480 nat44_det_classify_node_fn);
483 nat44_handoff_classify_node_fn (vlib_main_t * vm,
484 vlib_node_runtime_t * node,
485 vlib_frame_t * frame)
487 return nat44_classify_node_fn_inline (vm, node, frame, 0);
491 VLIB_REGISTER_NODE (nat44_handoff_classify_node) = {
492 .function = nat44_handoff_classify_node_fn,
493 .name = "nat44-handoff-classify",
494 .vector_size = sizeof (u32),
495 .format_trace = format_nat44_classify_trace,
496 .type = VLIB_NODE_TYPE_INTERNAL,
497 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
499 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff",
500 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff",
501 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
505 VLIB_NODE_FUNCTION_MULTIARCH (nat44_handoff_classify_node,
506 nat44_handoff_classify_node_fn);
510 * fd.io coding-style-patch-verification: ON
513 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob