2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 * @brief The NAT inline functions
19 #ifndef __included_nat_inlines_h__
20 #define __included_nat_inlines_h__
22 #include <vnet/fib/ip4_fib.h>
24 #include <nat/nat_ha.h>
27 calc_nat_key (ip4_address_t addr, u16 port, u32 fib_index, u8 proto)
29 ASSERT (fib_index <= (1 << 14) - 1);
30 ASSERT (proto <= (1 << 3) - 1);
31 return (u64) addr.as_u32 << 32 | (u64) port << 16 | fib_index << 3 |
36 split_nat_key (u64 key, ip4_address_t * addr, u16 * port,
37 u32 * fib_index, nat_protocol_t * proto)
41 addr->as_u32 = key >> 32;
45 *port = (key >> 16) & (u16) ~ 0;
49 *fib_index = key >> 3 & ((1 << 13) - 1);
58 init_nat_k (clib_bihash_kv_8_8_t * kv, ip4_address_t addr, u16 port,
59 u32 fib_index, nat_protocol_t proto)
61 kv->key = calc_nat_key (addr, port, fib_index, proto);
66 init_nat_kv (clib_bihash_kv_8_8_t * kv, ip4_address_t addr, u16 port,
67 u32 fib_index, nat_protocol_t proto, u64 value)
69 init_nat_k (kv, addr, port, fib_index, proto);
74 init_nat_i2o_k (clib_bihash_kv_8_8_t * kv, snat_session_t * s)
76 return init_nat_k (kv, s->in2out.addr, s->in2out.port, s->in2out.fib_index,
81 init_nat_i2o_kv (clib_bihash_kv_8_8_t * kv, snat_session_t * s, u64 value)
83 init_nat_k (kv, s->in2out.addr, s->in2out.port, s->in2out.fib_index,
89 init_nat_o2i_k (clib_bihash_kv_8_8_t * kv, snat_session_t * s)
91 return init_nat_k (kv, s->out2in.addr, s->out2in.port, s->out2in.fib_index,
96 init_nat_o2i_kv (clib_bihash_kv_8_8_t * kv, snat_session_t * s, u64 value)
98 init_nat_k (kv, s->out2in.addr, s->out2in.port, s->out2in.fib_index,
104 nat_pre_node_fn_inline (vlib_main_t * vm,
105 vlib_node_runtime_t * node,
106 vlib_frame_t * frame, u32 def_next)
108 u32 n_left_from, *from, *to_next;
111 from = vlib_frame_vector_args (frame);
112 n_left_from = frame->n_vectors;
113 next_index = node->cached_next_index;
115 while (n_left_from > 0)
119 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
121 while (n_left_from >= 4 && n_left_to_next >= 2)
124 u32 arc_next0, arc_next1;
126 vlib_buffer_t *b0, *b1;
128 /* Prefetch next iteration. */
130 vlib_buffer_t *p2, *p3;
132 p2 = vlib_get_buffer (vm, from[2]);
133 p3 = vlib_get_buffer (vm, from[3]);
135 vlib_prefetch_buffer_header (p2, LOAD);
136 vlib_prefetch_buffer_header (p3, LOAD);
138 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, LOAD);
139 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, LOAD);
142 /* speculatively enqueue b0 and b1 to the current next frame */
143 to_next[0] = bi0 = from[0];
144 to_next[1] = bi1 = from[1];
150 b0 = vlib_get_buffer (vm, bi0);
151 b1 = vlib_get_buffer (vm, bi1);
156 vnet_feature_next (&arc_next0, b0);
157 vnet_feature_next (&arc_next1, b1);
159 vnet_buffer2 (b0)->nat.arc_next = arc_next0;
160 vnet_buffer2 (b1)->nat.arc_next = arc_next1;
162 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)))
164 if (b0->flags & VLIB_BUFFER_IS_TRACED)
167 vlib_add_trace (vm, node, b0, sizeof (*t));
168 t->next_index = next0;
169 t->arc_next_index = arc_next0;
171 if (b1->flags & VLIB_BUFFER_IS_TRACED)
174 vlib_add_trace (vm, node, b0, sizeof (*t));
175 t->next_index = next1;
176 t->arc_next_index = arc_next1;
180 /* verify speculative enqueues, maybe switch current next frame */
181 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
182 to_next, n_left_to_next,
183 bi0, bi1, next0, next1);
186 while (n_left_from > 0 && n_left_to_next > 0)
193 /* speculatively enqueue b0 to the current next frame */
201 b0 = vlib_get_buffer (vm, bi0);
203 vnet_feature_next (&arc_next0, b0);
204 vnet_buffer2 (b0)->nat.arc_next = arc_next0;
206 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
207 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
209 nat_pre_trace_t *t = vlib_add_trace (vm, node, b0, sizeof (*t));
210 t->next_index = next0;
211 t->arc_next_index = arc_next0;
214 /* verify speculative enqueue, maybe switch current next frame */
215 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
216 to_next, n_left_to_next,
220 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
223 return frame->n_vectors;
227 is_interface_addr (snat_main_t * sm, vlib_node_runtime_t * node,
228 u32 sw_if_index0, u32 ip4_addr)
230 snat_runtime_t *rt = (snat_runtime_t *) node->runtime_data;
231 ip4_address_t *first_int_addr;
233 if (PREDICT_FALSE (rt->cached_sw_if_index != sw_if_index0))
236 ip4_interface_first_address (sm->ip4_main, sw_if_index0,
237 0 /* just want the address */ );
238 rt->cached_sw_if_index = sw_if_index0;
240 rt->cached_ip4_address = first_int_addr->as_u32;
242 rt->cached_ip4_address = 0;
245 if (PREDICT_FALSE (ip4_addr == rt->cached_ip4_address))
252 maximum_sessions_exceeded (snat_main_t * sm, u32 thread_index)
254 if (pool_elts (sm->per_thread_data[thread_index].sessions) >=
255 sm->max_translations_per_thread)
262 user_session_increment (snat_main_t * sm, snat_user_t * u, u8 is_static)
264 if (u->nsessions + u->nstaticsessions < sm->max_translations_per_user)
267 u->nstaticsessions++;
274 nat44_delete_user_with_no_session (snat_main_t * sm, snat_user_t * u,
277 clib_bihash_kv_8_8_t kv;
278 snat_user_key_t u_key;
279 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
282 if (u->nstaticsessions == 0 && u->nsessions == 0)
284 u_key.addr.as_u32 = u->addr.as_u32;
285 u_key.fib_index = u->fib_index;
286 kv.key = u_key.as_u64;
287 pool_put_index (tsm->list_pool, u->sessions_per_user_list_head_index);
288 pool_put (tsm->users, u);
289 clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 0);
290 vlib_set_simple_counter (&sm->total_users, thread_index, 0,
291 pool_elts (tsm->users));
296 nat44_delete_session (snat_main_t * sm, snat_session_t * ses,
299 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
301 clib_bihash_kv_8_8_t kv, value;
303 const snat_user_key_t u_key = {
304 .addr = ses->in2out.addr,
305 .fib_index = ses->in2out.fib_index
307 const u8 u_static = snat_is_session_static (ses);
309 clib_dlist_remove (tsm->list_pool, ses->per_user_index);
310 pool_put_index (tsm->list_pool, ses->per_user_index);
311 if (sm->endpoint_dependent)
313 clib_dlist_remove (tsm->lru_pool, ses->lru_index);
314 pool_put_index (tsm->lru_pool, ses->lru_index);
316 pool_put (tsm->sessions, ses);
317 vlib_set_simple_counter (&sm->total_sessions, thread_index, 0,
318 pool_elts (tsm->sessions));
320 kv.key = u_key.as_u64;
321 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
323 u = pool_elt_at_index (tsm->users, value.value);
325 u->nstaticsessions--;
329 nat44_delete_user_with_no_session (sm, u, thread_index);
333 /** \brief Set TCP session state.
334 @return 1 if session was closed, otherwise 0
337 nat44_set_tcp_session_state_i2o (snat_main_t * sm, f64 now,
338 snat_session_t * ses, vlib_buffer_t * b,
341 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
342 u8 tcp_flags = vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags;
343 u32 tcp_ack_number = vnet_buffer (b)->ip.reass.tcp_ack_number;
344 u32 tcp_seq_number = vnet_buffer (b)->ip.reass.tcp_seq_number;
345 if ((ses->state == 0) && (tcp_flags & TCP_FLAG_RST))
346 ses->state = NAT44_SES_RST;
347 if ((ses->state == NAT44_SES_RST) && !(tcp_flags & TCP_FLAG_RST))
349 if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
350 (ses->state & NAT44_SES_O2I_SYN))
352 if (tcp_flags & TCP_FLAG_SYN)
353 ses->state |= NAT44_SES_I2O_SYN;
354 if (tcp_flags & TCP_FLAG_FIN)
356 ses->i2o_fin_seq = clib_net_to_host_u32 (tcp_seq_number);
357 ses->state |= NAT44_SES_I2O_FIN;
359 if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_O2I_FIN))
361 if (clib_net_to_host_u32 (tcp_ack_number) > ses->o2i_fin_seq)
363 ses->state |= NAT44_SES_O2I_FIN_ACK;
364 if (nat44_is_ses_closed (ses))
365 { // if session is now closed, save the timestamp
366 ses->tcp_closed_timestamp = now + sm->tcp_transitory_timeout;
367 ses->last_lru_update = now;
372 // move the session to proper LRU
375 ses->lru_head_index = tsm->tcp_trans_lru_head_index;
379 ses->lru_head_index = tsm->tcp_estab_lru_head_index;
381 clib_dlist_remove (tsm->lru_pool, ses->lru_index);
382 clib_dlist_addtail (tsm->lru_pool, ses->lru_head_index, ses->lru_index);
387 nat44_set_tcp_session_state_o2i (snat_main_t * sm, f64 now,
388 snat_session_t * ses, u8 tcp_flags,
389 u32 tcp_ack_number, u32 tcp_seq_number,
392 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
393 if ((ses->state == 0) && (tcp_flags & TCP_FLAG_RST))
394 ses->state = NAT44_SES_RST;
395 if ((ses->state == NAT44_SES_RST) && !(tcp_flags & TCP_FLAG_RST))
397 if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
398 (ses->state & NAT44_SES_O2I_SYN))
400 if (tcp_flags & TCP_FLAG_SYN)
401 ses->state |= NAT44_SES_O2I_SYN;
402 if (tcp_flags & TCP_FLAG_FIN)
404 ses->o2i_fin_seq = clib_net_to_host_u32 (tcp_seq_number);
405 ses->state |= NAT44_SES_O2I_FIN;
407 if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_FIN))
409 if (clib_net_to_host_u32 (tcp_ack_number) > ses->i2o_fin_seq)
410 ses->state |= NAT44_SES_I2O_FIN_ACK;
411 if (nat44_is_ses_closed (ses))
412 { // if session is now closed, save the timestamp
413 ses->tcp_closed_timestamp = now + sm->tcp_transitory_timeout;
414 ses->last_lru_update = now;
417 // move the session to proper LRU
420 ses->lru_head_index = tsm->tcp_trans_lru_head_index;
424 ses->lru_head_index = tsm->tcp_estab_lru_head_index;
426 clib_dlist_remove (tsm->lru_pool, ses->lru_index);
427 clib_dlist_addtail (tsm->lru_pool, ses->lru_head_index, ses->lru_index);
432 nat44_session_get_timeout (snat_main_t * sm, snat_session_t * s)
434 switch (s->nat_proto)
436 case NAT_PROTOCOL_ICMP:
437 return sm->icmp_timeout;
438 case NAT_PROTOCOL_UDP:
439 return sm->udp_timeout;
440 case NAT_PROTOCOL_TCP:
443 return sm->tcp_transitory_timeout;
445 return sm->tcp_established_timeout;
448 return sm->udp_timeout;
455 nat44_session_update_counters (snat_session_t * s, f64 now, uword bytes,
460 s->total_bytes += bytes;
461 nat_ha_sref (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
462 s->ext_host_port, s->nat_proto, s->out2in.fib_index,
463 s->total_pkts, s->total_bytes, thread_index,
464 &s->ha_last_refreshed, now);
467 /** \brief Per-user LRU list maintenance */
469 nat44_session_update_lru (snat_main_t * sm, snat_session_t * s,
472 /* don't update too often - timeout is in magnitude of seconds anyway */
473 if (s->last_heard > s->last_lru_update + 1)
475 if (!sm->endpoint_dependent)
477 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
479 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
480 s->per_user_list_head_index, s->per_user_index);
484 clib_dlist_remove (sm->per_thread_data[thread_index].lru_pool,
486 clib_dlist_addtail (sm->per_thread_data[thread_index].lru_pool,
487 s->lru_head_index, s->lru_index);
489 s->last_lru_update = s->last_heard;
494 init_ed_k (clib_bihash_kv_16_8_t * kv, ip4_address_t l_addr, u16 l_port,
495 ip4_address_t r_addr, u16 r_port, u32 fib_index, u8 proto)
497 kv->key[0] = (u64) r_addr.as_u32 << 32 | l_addr.as_u32;
499 (u64) r_port << 48 | (u64) l_port << 32 | fib_index << 8 | proto;
503 init_ed_kv (clib_bihash_kv_16_8_t * kv, ip4_address_t l_addr, u16 l_port,
504 ip4_address_t r_addr, u16 r_port, u32 fib_index, u8 proto,
505 u32 thread_index, u32 session_index)
507 init_ed_k (kv, l_addr, l_port, r_addr, r_port, fib_index, proto);
508 kv->value = (u64) thread_index << 32 | session_index;
512 ed_value_get_thread_index (clib_bihash_kv_16_8_t * value)
514 return value->value >> 32;
518 ed_value_get_session_index (clib_bihash_kv_16_8_t * value)
520 return value->value & ~(u32) 0;
524 split_ed_value (clib_bihash_kv_16_8_t * value, u32 * thread_index,
529 *thread_index = ed_value_get_thread_index (value);
533 *session_index = ed_value_get_session_index (value);
538 split_ed_kv (clib_bihash_kv_16_8_t * kv,
539 ip4_address_t * l_addr, ip4_address_t * r_addr, u8 * proto,
540 u32 * fib_index, u16 * l_port, u16 * r_port)
544 l_addr->as_u32 = kv->key[0] & (u32) ~ 0;
548 r_addr->as_u32 = kv->key[0] >> 32;
552 *r_port = kv->key[1] >> 48;
556 *l_port = (kv->key[1] >> 32) & (u16) ~ 0;
560 *fib_index = (kv->key[1] >> 8) & ((1 << 24) - 1);
564 *proto = kv->key[1] & (u8) ~ 0;
568 static_always_inline int
569 get_icmp_i2o_ed_key (vlib_buffer_t * b, ip4_header_t * ip0, u32 rx_fib_index,
570 u32 thread_index, u32 session_index,
571 nat_protocol_t * nat_proto, u16 * l_port, u16 * r_port,
572 clib_bihash_kv_16_8_t * kv)
575 u16 _l_port, _r_port;
576 ip4_address_t *l_addr, *r_addr;
578 icmp46_header_t *icmp0;
579 icmp_echo_header_t *echo0, *inner_echo0 = 0;
580 ip4_header_t *inner_ip0 = 0;
582 icmp46_header_t *inner_icmp0;
584 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
585 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
587 if (!icmp_type_is_error_message
588 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
590 proto = IP_PROTOCOL_ICMP;
591 l_addr = &ip0->src_address;
592 r_addr = &ip0->dst_address;
593 _l_port = vnet_buffer (b)->ip.reass.l4_src_port;
598 inner_ip0 = (ip4_header_t *) (echo0 + 1);
599 l4_header = ip4_next_header (inner_ip0);
600 proto = inner_ip0->protocol;
601 r_addr = &inner_ip0->src_address;
602 l_addr = &inner_ip0->dst_address;
603 switch (ip_proto_to_nat_proto (inner_ip0->protocol))
605 case NAT_PROTOCOL_ICMP:
606 inner_icmp0 = (icmp46_header_t *) l4_header;
607 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
609 _l_port = inner_echo0->identifier;
611 case NAT_PROTOCOL_UDP:
612 case NAT_PROTOCOL_TCP:
613 _l_port = ((tcp_udp_header_t *) l4_header)->dst_port;
614 _r_port = ((tcp_udp_header_t *) l4_header)->src_port;
617 return NAT_IN2OUT_ED_ERROR_UNSUPPORTED_PROTOCOL;
620 init_ed_kv (kv, *l_addr, _l_port, *r_addr, _r_port, rx_fib_index, proto,
621 thread_index, session_index);
624 *nat_proto = ip_proto_to_nat_proto (proto);
637 static_always_inline int
638 get_icmp_o2i_ed_key (vlib_buffer_t * b, ip4_header_t * ip0, u32 rx_fib_index,
639 u32 thread_index, u32 session_index,
640 nat_protocol_t * nat_proto, u16 * l_port, u16 * r_port,
641 clib_bihash_kv_16_8_t * kv)
643 icmp46_header_t *icmp0;
645 ip4_address_t *l_addr, *r_addr;
646 u16 _l_port, _r_port;
647 icmp_echo_header_t *echo0, *inner_echo0 = 0;
648 ip4_header_t *inner_ip0;
650 icmp46_header_t *inner_icmp0;
652 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
653 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
655 if (!icmp_type_is_error_message
656 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
658 proto = IP_PROTOCOL_ICMP;
659 l_addr = &ip0->dst_address;
660 r_addr = &ip0->src_address;
661 _l_port = vnet_buffer (b)->ip.reass.l4_src_port;
666 inner_ip0 = (ip4_header_t *) (echo0 + 1);
667 l4_header = ip4_next_header (inner_ip0);
668 proto = inner_ip0->protocol;
669 l_addr = &inner_ip0->src_address;
670 r_addr = &inner_ip0->dst_address;
671 switch (ip_proto_to_nat_proto (inner_ip0->protocol))
673 case NAT_PROTOCOL_ICMP:
674 inner_icmp0 = (icmp46_header_t *) l4_header;
675 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
676 _l_port = inner_echo0->identifier;
679 case NAT_PROTOCOL_UDP:
680 case NAT_PROTOCOL_TCP:
681 _l_port = ((tcp_udp_header_t *) l4_header)->src_port;
682 _r_port = ((tcp_udp_header_t *) l4_header)->dst_port;
688 init_ed_kv (kv, *l_addr, _l_port, *r_addr, _r_port, rx_fib_index, proto,
689 thread_index, session_index);
692 *nat_proto = ip_proto_to_nat_proto (proto);
706 * @brief Check if packet should be translated
708 * Packets aimed at outside interface and external address with active session
709 * should be translated.
712 * @param rt NAT runtime data
713 * @param sw_if_index0 index of the inside interface
714 * @param ip0 IPv4 header
715 * @param proto0 NAT protocol
716 * @param rx_fib_index0 RX FIB index
718 * @returns 0 if packet should be translated otherwise 1
721 snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t * node,
722 u32 sw_if_index0, ip4_header_t * ip0, u32 proto0,
728 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
729 nat_outside_fib_t *outside_fib;
731 .fp_proto = FIB_PROTOCOL_IP4,
734 .ip4.as_u32 = ip0->dst_address.as_u32,
739 /* Don't NAT packet aimed at the intfc address */
740 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0,
741 ip0->dst_address.as_u32)))
744 fei = fib_table_lookup (rx_fib_index0, &pfx);
745 if (FIB_NODE_INDEX_INVALID != fei)
747 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
748 if (sw_if_index == ~0)
750 vec_foreach (outside_fib, sm->outside_fibs)
752 fei = fib_table_lookup (outside_fib->fib_index, &pfx);
753 if (FIB_NODE_INDEX_INVALID != fei)
755 sw_if_index = fib_entry_get_resolving_interface (fei);
756 if (sw_if_index != ~0)
761 if (sw_if_index == ~0)
766 pool_foreach (i, sm->interfaces, ({
767 /* NAT packet aimed at outside interface */
768 if ((nat_interface_is_outside (i)) && (sw_if_index == i->sw_if_index))
778 increment_v4_address (ip4_address_t * a)
782 v = clib_net_to_host_u32 (a->as_u32) + 1;
783 a->as_u32 = clib_host_to_net_u32 (v);
786 static_always_inline u16
787 snat_random_port (u16 min, u16 max)
789 snat_main_t *sm = &snat_main;
793 rwide = random_u32 (&sm->random_seed);
795 if (r >= min && r <= max)
798 return min + (rwide % (max - min + 1));
801 #endif /* __included_nat_inlines_h__ */
804 * fd.io coding-style-patch-verification: ON
807 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob