2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief Classify for one armed NAT44 (in+out interface)
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/fib/ip4_fib.h>
24 #include <nat/nat_reass.h>
25 #include <nat/nat_inlines.h>
/* Error/counter definitions for the NAT44 classify nodes.  Each _(sym, str)
 * entry expands both to an enum symbol NAT44_CLASSIFY_ERROR_<sym> and to the
 * human-readable counter string used by the error-strings table below.
 * NOTE(review): this listing has gaps in its original line numbering (32->36),
 * so the enum's opening "typedef enum {" line is not visible here — confirm
 * against the full source. */
27 #define foreach_nat44_classify_error \
28 _(MAX_REASS, "Maximum reassemblies exceeded") \
29 _(MAX_FRAG, "Maximum fragments per reassembly exceeded") \
30 _(NEXT_IN2OUT, "next in2out") \
31 _(NEXT_OUT2IN, "next out2in") \
32 _(FRAG_CACHED, "fragment cached")
/* Expand the list into enum members; N_ERROR is the count sentinel. */
36 #define _(sym,str) NAT44_CLASSIFY_ERROR_##sym,
37 foreach_nat44_classify_error
39 NAT44_CLASSIFY_N_ERROR,
40 } nat44_classify_error_t;
/* Counter description strings, index-aligned with nat44_classify_error_t
 * (same foreach macro drives both expansions).
 * NOTE(review): the closing "#undef _" / "};" lines are elided in this
 * listing (numbering jumps 44->50). */
42 static char *nat44_classify_error_strings[] = {
43 #define _(sym,string) string,
44 foreach_nat44_classify_error
/* Next-node indices for the non-ED classify nodes; these map onto the
 * .next_nodes tables of the node registrations at the bottom of the file.
 * NOTE(review): the "typedef enum {" opener is elided from this listing. */
50 NAT44_CLASSIFY_NEXT_IN2OUT,
51 NAT44_CLASSIFY_NEXT_OUT2IN,
52 NAT44_CLASSIFY_NEXT_DROP,
53 NAT44_CLASSIFY_N_NEXT,
54 } nat44_classify_next_t;
/* Per-packet trace record; fields (next_in2out, cached — see the trace
 * formatter below) are elided here (numbering jumps 54->60). */
60 } nat44_classify_trace_t;
/* Trace formatter shared by all classify node registrations: prints either
 * "fragment cached" or the chosen next node ("nat44-in2out"/"nat44-out2in")
 * based on the trace record captured per packet.
 * NOTE(review): braces, the return, and the "char *next" declaration are
 * elided in this listing — confirm against the full source. */
63 format_nat44_classify_trace (u8 * s, va_list * args)
65 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
66 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
67 nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *);
/* Presumably guarded by t->cached — the condition line is elided here. */
71 s = format (s, "nat44-classify: fragment cached");
74 next = t->next_in2out ? "nat44-in2out" : "nat44-out2in";
75 s = format (s, "nat44-classify: next %s", next);
/* Classify packets on a one-armed NAT44 interface as in2out or out2in:
 * default is IN2OUT; a packet whose destination matches a NAT pool address
 * or a translating static mapping is sent OUT2IN.  IP fragments without an
 * L4 header are classified via the per-flow reassembly context: the first
 * fragment records the decision, later fragments reuse it, and out-of-order
 * fragments are cached and looped back for reprocessing once the first
 * fragment arrives.
 * NOTE(review): this listing elides many lines (buffer/index declarations,
 * braces, else arms, vlib_get_trace / counter bookkeeping) — the comments
 * below describe only what is visible. */
82 nat44_classify_node_fn_inline (vlib_main_t * vm,
83 vlib_node_runtime_t * node,
86 u32 n_left_from, *from, *to_next;
87 nat44_classify_next_t next_index;
88 snat_main_t *sm = &snat_main;
89 snat_static_mapping_t *m;
90 u32 thread_index = vm->thread_index;
/* Vectors of buffer indices: fragments to drop (reassembly overflow) and
 * fragments to re-run through this node once classification is known. */
91 u32 *fragments_to_drop = 0;
92 u32 *fragments_to_loopback = 0;
93 u32 next_in2out = 0, next_out2in = 0, frag_cached = 0;
95 from = vlib_frame_vector_args (frame);
96 n_left_from = frame->n_vectors;
97 next_index = node->cached_next_index;
/* Standard vlib single-loop dispatch over the input frame. */
99 while (n_left_from > 0)
103 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
105 while (n_left_from > 0 && n_left_to_next > 0)
/* Default classification is in2out unless proven otherwise below. */
109 u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
112 snat_session_key_t m_key0;
113 clib_bihash_kv_8_8_t kv0, value0;
115 nat_reass_ip4_t *reass0;
118 /* speculatively enqueue b0 to the current next frame */
126 b0 = vlib_get_buffer (vm, bi0);
127 ip0 = vlib_buffer_get_current (b0);
128 udp0 = ip4_next_header (ip0);
/* dst == any NAT pool address => traffic returning from outside. */
131 vec_foreach (ap, sm->addresses)
133 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
135 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
/* Otherwise check static mappings keyed on the external address. */
141 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
143 m_key0.addr = ip0->dst_address;
146 m_key0.fib_index = 0;
147 kv0.key = m_key0.as_u64;
148 /* try to classify the fragment based on IP header alone */
149 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external,
152 m = pool_elt_at_index (sm->static_mappings, value0.value);
/* Identity mappings (local == external) translate nothing, so they
 * do not force the out2in path. */
153 if (m->local_addr.as_u32 != m->external_addr.as_u32)
154 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
157 if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
159 /* process leading fragment/whole packet (with L4 header) */
160 m_key0.port = clib_net_to_host_u16 (udp0->dst_port);
161 m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
162 kv0.key = m_key0.as_u64;
163 if (!clib_bihash_search_8_8
164 (&sm->static_mapping_by_external, &kv0, &value0))
167 pool_elt_at_index (sm->static_mappings, value0.value);
168 if (m->local_addr.as_u32 != m->external_addr.as_u32)
169 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
/* First fragment: record the decision in the reassembly context. */
171 if (ip4_is_fragment (ip0))
173 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
179 if (PREDICT_FALSE (!reass0))
181 next0 = NAT44_CLASSIFY_NEXT_DROP;
183 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
184 nat_elog_notice ("maximum reassemblies exceeded");
187 /* save classification for future fragments and set past
188 * fragments to be looped over and reprocessed */
189 if (next0 == NAT44_CLASSIFY_NEXT_OUT2IN)
190 reass0->classify_next =
191 NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN;
193 reass0->classify_next =
194 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
195 nat_ip4_reass_get_frags (reass0,
196 &fragments_to_loopback);
201 /* process non-first fragment */
202 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
208 if (PREDICT_FALSE (!reass0))
210 next0 = NAT44_CLASSIFY_NEXT_DROP;
212 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
213 nat_elog_notice ("maximum reassemblies exceeded");
216 if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE)
217 /* first fragment still hasn't arrived */
/* Cache this fragment for later; dropped if per-reass limit hit. */
219 if (nat_ip4_reass_add_fragment
220 (thread_index, reass0, bi0, &fragments_to_drop))
223 node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
225 ("maximum fragments per reassembly exceeded");
226 next0 = NAT44_CLASSIFY_NEXT_DROP;
/* First fragment already seen: reuse its recorded classification. */
232 else if (reass0->classify_next ==
233 NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN)
234 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
235 else if (reass0->classify_next ==
236 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
237 next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
242 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
243 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
245 nat44_classify_trace_t *t =
246 vlib_add_trace (vm, node, b0, sizeof (*t));
249 t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 1 : 0;
/* Per-direction counters (incremented once per classified packet). */
260 next_in2out += next0 == NAT44_CLASSIFY_NEXT_IN2OUT;
261 next_out2in += next0 == NAT44_CLASSIFY_NEXT_OUT2IN;
263 /* verify speculative enqueue, maybe switch current next frame */
264 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
265 to_next, n_left_to_next,
/* Input exhausted: re-inject looped-back fragments into this node's own
 * frame, at most VLIB_FRAME_SIZE at a time. */
269 if (n_left_from == 0 && vec_len (fragments_to_loopback))
271 from = vlib_frame_vector_args (frame);
272 u32 len = vec_len (fragments_to_loopback);
273 if (len <= VLIB_FRAME_SIZE)
275 clib_memcpy_fast (from, fragments_to_loopback,
278 vec_reset_length (fragments_to_loopback);
282 clib_memcpy_fast (from, fragments_to_loopback +
283 (len - VLIB_FRAME_SIZE),
284 sizeof (u32) * VLIB_FRAME_SIZE);
285 n_left_from = VLIB_FRAME_SIZE;
286 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
291 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
/* Dispose of over-limit fragments via the drop next and update counters. */
294 nat_send_all_to_node (vm, fragments_to_drop, node, 0,
295 NAT44_CLASSIFY_NEXT_DROP);
297 vec_free (fragments_to_drop);
299 vlib_node_increment_counter (vm, node->node_index,
300 NAT44_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
301 vlib_node_increment_counter (vm, node->node_index,
302 NAT44_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
303 vlib_node_increment_counter (vm, node->node_index,
304 NAT44_CLASSIFY_ERROR_FRAG_CACHED, frag_cached);
306 return frame->n_vectors;
/* Endpoint-dependent (ED) NAT44 classify: like the node above but first
 * consults the per-thread in2out ED session table — an existing 6-tuple
 * session short-circuits classification to the in2out fast path; otherwise
 * the pool-address / static-mapping checks decide between the in2out and
 * out2in ED fast paths.  Uses nat-default's NAT_NEXT_* indices (sibling_of)
 * rather than nat44_classify_next_t, and records the feature-arc next in the
 * buffer opaque before classifying.
 * NOTE(review): many lines are elided in this listing (declarations of b0/
 * ip0/udp0/bi0/arc_next/next0, braces, else arms) — comments describe only
 * what is visible. */
310 nat44_ed_classify_node_fn_inline (vlib_main_t * vm,
311 vlib_node_runtime_t * node,
312 vlib_frame_t * frame)
314 u32 n_left_from, *from, *to_next;
315 nat44_classify_next_t next_index;
316 snat_main_t *sm = &snat_main;
317 snat_static_mapping_t *m;
318 u32 thread_index = vm->thread_index;
/* Per-thread data holds the in2out ED session bihash searched below. */
319 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
320 u32 *fragments_to_drop = 0;
321 u32 *fragments_to_loopback = 0;
322 u32 next_in2out = 0, next_out2in = 0, frag_cached = 0;
325 from = vlib_frame_vector_args (frame);
326 n_left_from = frame->n_vectors;
327 next_index = node->cached_next_index;
329 while (n_left_from > 0)
333 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
335 while (n_left_from > 0 && n_left_to_next > 0)
/* Elided declaration line; default next0 is the in2out ED fast path. */
340 NAT_NEXT_IN2OUT_ED_FAST_PATH, sw_if_index0, rx_fib_index0;
343 snat_session_key_t m_key0;
344 clib_bihash_kv_8_8_t kv0, value0;
345 clib_bihash_kv_16_8_t ed_kv0, ed_value0;
347 nat_reass_ip4_t *reass0;
350 /* speculatively enqueue b0 to the current next frame */
358 b0 = vlib_get_buffer (vm, bi0);
359 ip0 = vlib_buffer_get_current (b0);
360 udp0 = ip4_next_header (ip0);
/* Remember where the feature arc would go next so downstream NAT nodes
 * can continue the arc after translation. */
366 vnet_feature_next (&arc_next, b0);
367 nat_buffer_opaque (b0)->arc_next = arc_next;
/* ED session lookup is skipped for ICMP (handled by the generic checks
 * further down). */
370 if (ip0->protocol != IP_PROTOCOL_ICMP)
372 if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
374 /* process leading fragment/whole packet (with L4 header) */
375 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
377 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
/* Build the 6-tuple ED key: src/dst addr, proto, rx fib, L4 ports. */
379 make_ed_kv (&ed_kv0, &ip0->src_address,
380 &ip0->dst_address, ip0->protocol,
381 rx_fib_index0, udp0->src_port, udp0->dst_port);
382 if (ip4_is_fragment (ip0))
385 nat_ip4_reass_find_or_create (ip0->src_address,
390 if (PREDICT_FALSE (!reass0))
392 next0 = NAT_NEXT_DROP;
394 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
395 nat_elog_notice ("maximum reassemblies exceeded");
398 if (!clib_bihash_search_16_8
399 (&tsm->in2out_ed, &ed_kv0, &ed_value0))
401 /* session exists so classify as IN2OUT,
402 * save this information for future fragments and set
403 * past fragments to be looped over and reprocessed */
404 reass0->sess_index = ed_value0.value;
405 reass0->classify_next =
406 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
407 nat_ip4_reass_get_frags (reass0,
408 &fragments_to_loopback);
413 /* session doesn't exist so continue in the code,
414 * save this information for future fragments and set
415 * past fragments to be looped over and reprocessed */
417 NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE;
418 nat_ip4_reass_get_frags (reass0,
419 &fragments_to_loopback);
424 /* process whole packet */
425 if (!clib_bihash_search_16_8
426 (&tsm->in2out_ed, &ed_kv0, &ed_value0))
428 /* session doesn't exist so continue in code */
433 /* process non-first fragment */
434 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
440 if (PREDICT_FALSE (!reass0))
442 next0 = NAT_NEXT_DROP;
444 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
445 nat_elog_notice ("maximum reassemblies exceeded");
448 /* check if first fragment has arrived */
449 if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE
451 NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE))
453 /* first fragment still hasn't arrived, cache this fragment */
454 if (nat_ip4_reass_add_fragment
455 (thread_index, reass0, bi0, &fragments_to_drop))
458 node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
460 ("maximum fragments per reassembly exceeded");
461 next0 = NAT_NEXT_DROP;
467 if (reass0->classify_next ==
468 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
470 /* flag NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE is set
471 * so keep the default next0 and continue in code to
472 * potentially find other classification for this packet */
/* No ED session found: fall back to the pool-address check. */
477 vec_foreach (ap, sm->addresses)
479 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
481 next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
/* Then static mappings keyed on the external address, same scheme as the
 * non-ED node but targeting the ED next indices. */
487 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
489 m_key0.addr = ip0->dst_address;
492 m_key0.fib_index = 0;
493 kv0.key = m_key0.as_u64;
494 /* try to classify the fragment based on IP header alone */
495 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external,
498 m = pool_elt_at_index (sm->static_mappings, value0.value);
/* Identity mappings (local == external) do not force out2in. */
499 if (m->local_addr.as_u32 != m->external_addr.as_u32)
500 next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
503 if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
505 /* process leading fragment/whole packet (with L4 header) */
506 m_key0.port = clib_net_to_host_u16 (udp0->dst_port);
507 m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
508 kv0.key = m_key0.as_u64;
509 if (!clib_bihash_search_8_8
510 (&sm->static_mapping_by_external, &kv0, &value0))
513 pool_elt_at_index (sm->static_mappings, value0.value);
514 if (m->local_addr.as_u32 != m->external_addr.as_u32)
515 next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
517 if (ip4_is_fragment (ip0))
519 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
525 if (PREDICT_FALSE (!reass0))
527 next0 = NAT_NEXT_DROP;
529 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
530 nat_elog_notice ("maximum reassemblies exceeded");
533 /* save classification for future fragments and set past
534 * fragments to be looped over and reprocessed */
535 if (next0 == NAT_NEXT_OUT2IN_ED_FAST_PATH)
536 reass0->classify_next = NAT_NEXT_OUT2IN_ED_REASS;
538 reass0->classify_next = NAT_NEXT_IN2OUT_ED_REASS;
539 nat_ip4_reass_get_frags (reass0,
540 &fragments_to_loopback);
545 /* process non-first fragment */
546 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
552 if (PREDICT_FALSE (!reass0))
554 next0 = NAT_NEXT_DROP;
556 node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
557 nat_elog_notice ("maximum reassemblies exceeded");
560 if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE)
561 /* first fragment still hasn't arrived */
563 if (nat_ip4_reass_add_fragment
564 (thread_index, reass0, bi0, &fragments_to_drop))
567 node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
569 ("maximum fragments per reassembly exceeded");
570 next0 = NAT_NEXT_DROP;
/* First fragment already classified: reuse its recorded decision. */
576 else if (reass0->classify_next ==
577 NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN)
578 next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
579 else if (reass0->classify_next ==
580 NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
581 next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
586 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
587 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
589 nat44_classify_trace_t *t =
590 vlib_add_trace (vm, node, b0, sizeof (*t));
594 next0 == NAT_NEXT_IN2OUT_ED_FAST_PATH ? 1 : 0;
/* Per-direction counters for the node counters below. */
605 next_in2out += next0 == NAT_NEXT_IN2OUT_ED_FAST_PATH;
606 next_out2in += next0 == NAT_NEXT_OUT2IN_ED_FAST_PATH;
608 /* verify speculative enqueue, maybe switch current next frame */
609 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
610 to_next, n_left_to_next,
/* Re-inject looped-back fragments, at most one frame's worth at a time. */
614 if (n_left_from == 0 && vec_len (fragments_to_loopback))
617 from = vlib_frame_vector_args (frame);
618 u32 len = vec_len (fragments_to_loopback);
619 if (len <= VLIB_FRAME_SIZE)
621 clib_memcpy_fast (from, fragments_to_loopback,
624 vec_reset_length (fragments_to_loopback);
628 clib_memcpy_fast (from, fragments_to_loopback +
629 (len - VLIB_FRAME_SIZE),
630 sizeof (u32) * VLIB_FRAME_SIZE);
631 n_left_from = VLIB_FRAME_SIZE;
632 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
637 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
/* Drop over-limit fragments and publish the counters. */
640 nat_send_all_to_node (vm, fragments_to_drop, node, 0,
641 NAT44_CLASSIFY_NEXT_DROP);
643 vec_free (fragments_to_drop);
645 vlib_node_increment_counter (vm, node->node_index,
646 NAT44_CLASSIFY_ERROR_NEXT_IN2OUT, next_in2out);
647 vlib_node_increment_counter (vm, node->node_index,
648 NAT44_CLASSIFY_ERROR_NEXT_OUT2IN, next_out2in);
649 vlib_node_increment_counter (vm, node->node_index,
650 NAT44_CLASSIFY_ERROR_FRAG_CACHED, frag_cached);
652 return frame->n_vectors;
/* Plain NAT44 classify node: thin wrapper over the shared inline, routing
 * packets to nat44-in2out / nat44-out2in / error-drop. */
655 VLIB_NODE_FN (nat44_classify_node) (vlib_main_t * vm,
656 vlib_node_runtime_t * node,
657 vlib_frame_t * frame)
659 return nat44_classify_node_fn_inline (vm, node, frame);
/* Node registration; next-node indices match nat44_classify_next_t.
 * NOTE(review): the ".next_nodes = {" line and closing braces are elided
 * in this listing. */
663 VLIB_REGISTER_NODE (nat44_classify_node) = {
664 .name = "nat44-classify",
665 .vector_size = sizeof (u32),
666 .format_trace = format_nat44_classify_trace,
667 .type = VLIB_NODE_TYPE_INTERNAL,
668 .n_errors = ARRAY_LEN(nat44_classify_error_strings),
669 .error_strings = nat44_classify_error_strings,
670 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
672 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out",
673 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in",
674 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
/* Endpoint-dependent classify node: wraps the ED inline above. */
679 VLIB_NODE_FN (nat44_ed_classify_node) (vlib_main_t * vm,
680 vlib_node_runtime_t * node,
681 vlib_frame_t * frame)
683 return nat44_ed_classify_node_fn_inline (vm, node, frame);
/* Registered as a sibling of "nat-default" so it shares that node's
 * next-node table (the NAT_NEXT_* indices used in the ED inline). */
687 VLIB_REGISTER_NODE (nat44_ed_classify_node) = {
688 .name = "nat44-ed-classify",
689 .vector_size = sizeof (u32),
690 .sibling_of = "nat-default",
691 .format_trace = format_nat44_classify_trace,
692 .type = VLIB_NODE_TYPE_INTERNAL,
/* Deterministic-NAT classify node: same classification logic as the plain
 * node, but routes to the det-mode in2out/out2in nodes. */
696 VLIB_NODE_FN (nat44_det_classify_node) (vlib_main_t * vm,
697 vlib_node_runtime_t * node,
698 vlib_frame_t * frame)
700 return nat44_classify_node_fn_inline (vm, node, frame);
704 VLIB_REGISTER_NODE (nat44_det_classify_node) = {
705 .name = "nat44-det-classify",
706 .vector_size = sizeof (u32),
707 .format_trace = format_nat44_classify_trace,
708 .type = VLIB_NODE_TYPE_INTERNAL,
709 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
711 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out",
712 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in",
713 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
/* Multi-worker classify node: same logic, but next nodes are the worker
 * hand-off nodes so packets reach the owning thread before translation. */
718 VLIB_NODE_FN (nat44_handoff_classify_node) (vlib_main_t * vm,
719 vlib_node_runtime_t * node,
720 vlib_frame_t * frame)
722 return nat44_classify_node_fn_inline (vm, node, frame);
726 VLIB_REGISTER_NODE (nat44_handoff_classify_node) = {
727 .name = "nat44-handoff-classify",
728 .vector_size = sizeof (u32),
729 .format_trace = format_nat44_classify_trace,
730 .type = VLIB_NODE_TYPE_INTERNAL,
731 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
733 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff",
734 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff",
735 [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
742 * fd.io coding-style-patch-verification: ON
745 * eval: (c-set-style "gnu")