2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
24 #include <vnet/ip/ip.h>
25 #include <vnet/udp/udp.h>
26 #include <vnet/ethernet/ethernet.h>
27 #include <vnet/fib/ip4_fib.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_reass.h>
31 #include <nat/nat_inlines.h>
32 #include <nat/nat_syslog.h>
34 #include <vppinfra/hash.h>
35 #include <vppinfra/error.h>
36 #include <vppinfra/elog.h>
43 } snat_out2in_trace_t;
45 /* packet trace format function */
47 format_snat_out2in_trace (u8 * s, va_list * args)
49 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
50 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
51 snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *);
55 "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
56 t->sw_if_index, t->next_index, t->session_index);
61 format_snat_out2in_fast_trace (u8 * s, va_list * args)
63 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
64 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
65 snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *);
67 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
68 t->sw_if_index, t->next_index);
72 #define foreach_snat_out2in_error \
73 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
74 _(OUT2IN_PACKETS, "good out2in packets processed") \
75 _(OUT_OF_PORTS, "out of ports") \
76 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
77 _(NO_TRANSLATION, "no translation") \
78 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
79 _(DROP_FRAGMENT, "drop fragment") \
80 _(MAX_REASS, "maximum reassemblies exceeded") \
81 _(MAX_FRAG, "maximum fragments per reassembly exceeded")\
82 _(TCP_PACKETS, "TCP packets") \
83 _(UDP_PACKETS, "UDP packets") \
84 _(ICMP_PACKETS, "ICMP packets") \
85 _(OTHER_PACKETS, "other protocol packets") \
86 _(FRAGMENTS, "fragments") \
87 _(CACHED_FRAGMENTS, "cached fragments") \
88 _(PROCESSED_FRAGMENTS, "processed fragments")
92 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
93 foreach_snat_out2in_error
96 } snat_out2in_error_t;
98 static char *snat_out2in_error_strings[] = {
99 #define _(sym,string) string,
100 foreach_snat_out2in_error
106 SNAT_OUT2IN_NEXT_DROP,
107 SNAT_OUT2IN_NEXT_LOOKUP,
108 SNAT_OUT2IN_NEXT_ICMP_ERROR,
109 SNAT_OUT2IN_NEXT_REASS,
111 } snat_out2in_next_t;
113 #ifndef CLIB_MARCH_VARIANT
115 nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
117 snat_main_t *sm = &snat_main;
118 nat44_is_idle_session_ctx_t *ctx = arg;
120 u64 sess_timeout_time;
121 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
123 clib_bihash_kv_8_8_t s_kv;
125 s = pool_elt_at_index (tsm->sessions, kv->value);
126 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
127 if (ctx->now >= sess_timeout_time)
129 s_kv.key = s->in2out.as_u64;
130 if (clib_bihash_add_del_8_8 (&tsm->in2out, &s_kv, 0))
131 nat_log_warn ("out2in key del failed");
133 snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
134 s->in2out.addr.as_u32,
135 s->out2in.addr.as_u32,
139 s->in2out.fib_index);
141 nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
142 &s->in2out.addr, s->in2out.port,
143 &s->out2in.addr, s->out2in.port,
146 if (!snat_is_session_static (s))
147 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
150 nat44_delete_session (sm, s, ctx->thread_index);
159 * @brief Create session for static mapping.
161 * Create NAT session initiated by host from external network with static
164 * @param sm NAT main.
165 * @param b0 Vlib buffer.
166 * @param in2out In2out NAT44 session key.
167 * @param out2in Out2in NAT44 session key.
168 * @param node Vlib node.
170 * @returns SNAT session if successfully created otherwise 0.
172 static inline snat_session_t *
173 create_session_for_static_mapping (snat_main_t * sm,
175 snat_session_key_t in2out,
176 snat_session_key_t out2in,
177 vlib_node_runtime_t * node,
178 u32 thread_index, f64 now)
182 clib_bihash_kv_8_8_t kv0;
185 nat44_is_idle_session_ctx_t ctx0;
187 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
189 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
190 nat_log_notice ("maximum sessions exceeded");
194 ip0 = vlib_buffer_get_current (b0);
195 udp0 = ip4_next_header (ip0);
198 nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
201 nat_log_warn ("create NAT user failed");
205 s = nat_session_alloc_or_recycle (sm, u, thread_index);
208 nat44_delete_user_with_no_session (sm, u, thread_index);
209 nat_log_warn ("create NAT session failed");
213 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
214 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
215 s->ext_host_port = udp0->src_port;
216 user_session_increment (sm, u, 1 /* static */ );
219 s->in2out.protocol = out2in.protocol;
221 /* Add to translation hashes */
223 ctx0.thread_index = thread_index;
224 kv0.key = s->in2out.as_u64;
225 kv0.value = s - sm->per_thread_data[thread_index].sessions;
226 if (clib_bihash_add_or_overwrite_stale_8_8
227 (&sm->per_thread_data[thread_index].in2out, &kv0,
228 nat44_i2o_is_idle_session_cb, &ctx0))
229 nat_log_notice ("in2out key add failed");
231 kv0.key = s->out2in.as_u64;
233 if (clib_bihash_add_or_overwrite_stale_8_8
234 (&sm->per_thread_data[thread_index].out2in, &kv0,
235 nat44_o2i_is_idle_session_cb, &ctx0))
236 nat_log_notice ("out2in key add failed");
239 snat_ipfix_logging_nat44_ses_create (thread_index,
240 s->in2out.addr.as_u32,
241 s->out2in.addr.as_u32,
244 s->out2in.port, s->in2out.fib_index);
246 nat_syslog_nat44_apmadd (s->user_index, s->in2out.fib_index,
247 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
248 s->out2in.port, s->in2out.protocol);
254 snat_out2in_error_t icmp_get_key (ip4_header_t * ip0,
255 snat_session_key_t * p_key0)
257 icmp46_header_t *icmp0;
258 snat_session_key_t key0;
259 icmp_echo_header_t *echo0, *inner_echo0 = 0;
260 ip4_header_t *inner_ip0;
262 icmp46_header_t *inner_icmp0;
264 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
265 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
267 if (!icmp_is_error_message (icmp0))
269 key0.protocol = SNAT_PROTOCOL_ICMP;
270 key0.addr = ip0->dst_address;
271 key0.port = echo0->identifier;
275 inner_ip0 = (ip4_header_t *) (echo0 + 1);
276 l4_header = ip4_next_header (inner_ip0);
277 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
278 key0.addr = inner_ip0->src_address;
279 switch (key0.protocol)
281 case SNAT_PROTOCOL_ICMP:
282 inner_icmp0 = (icmp46_header_t *) l4_header;
283 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
284 key0.port = inner_echo0->identifier;
286 case SNAT_PROTOCOL_UDP:
287 case SNAT_PROTOCOL_TCP:
288 key0.port = ((tcp_udp_header_t *) l4_header)->src_port;
291 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
295 return -1; /* success */
298 #ifndef CLIB_MARCH_VARIANT
300 * Get address and port values to be used for ICMP packet translation
301 * and create session if needed
303 * @param[in,out] sm NAT main
304 * @param[in,out] node NAT node runtime
305 * @param[in] thread_index thread index
306 * @param[in,out] b0 buffer containing packet to be translated
307 * @param[out] p_proto protocol used for matching
308 * @param[out] p_value address and port after NAT translation
309 * @param[out] p_dont_translate if packet should not be translated
310 * @param d optional parameter
311 * @param e optional parameter
314 icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
315 u32 thread_index, vlib_buffer_t * b0,
316 ip4_header_t * ip0, u8 * p_proto,
317 snat_session_key_t * p_value,
318 u8 * p_dont_translate, void *d, void *e)
320 icmp46_header_t *icmp0;
323 snat_session_key_t key0;
324 snat_session_key_t sm0;
325 snat_session_t *s0 = 0;
326 u8 dont_translate = 0;
327 clib_bihash_kv_8_8_t kv0, value0;
333 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
334 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
335 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
339 err = icmp_get_key (ip0, &key0);
342 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
343 next0 = SNAT_OUT2IN_NEXT_DROP;
346 key0.fib_index = rx_fib_index0;
348 kv0.key = key0.as_u64;
350 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
353 /* Try to match static mapping by external address and port,
354 destination address and port in packet */
355 if (snat_static_mapping_match
356 (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0, &identity_nat))
358 if (!sm->forwarding_enabled)
360 /* Don't NAT packet aimed at the intfc address */
361 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0,
362 ip0->dst_address.as_u32)))
367 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
368 next0 = SNAT_OUT2IN_NEXT_DROP;
378 if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply &&
379 (icmp0->type != ICMP4_echo_request
382 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
383 next0 = SNAT_OUT2IN_NEXT_DROP;
387 if (PREDICT_FALSE (identity_nat))
392 /* Create session initiated by host from external network */
393 s0 = create_session_for_static_mapping (sm, b0, sm0, key0,
395 vlib_time_now (sm->vlib_main));
399 next0 = SNAT_OUT2IN_NEXT_DROP;
405 if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply &&
406 icmp0->type != ICMP4_echo_request &&
407 !icmp_is_error_message (icmp0)))
409 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
410 next0 = SNAT_OUT2IN_NEXT_DROP;
414 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
419 *p_proto = key0.protocol;
421 *p_value = s0->in2out;
422 *p_dont_translate = dont_translate;
424 *(snat_session_t **) d = s0;
429 #ifndef CLIB_MARCH_VARIANT
431 * Get address and port values to be used for ICMP packet translation
433 * @param[in] sm NAT main
434 * @param[in,out] node NAT node runtime
435 * @param[in] thread_index thread index
436 * @param[in,out] b0 buffer containing packet to be translated
437 * @param[out] p_proto protocol used for matching
438 * @param[out] p_value address and port after NAT translation
439 * @param[out] p_dont_translate if packet should not be translated
440 * @param d optional parameter
441 * @param e optional parameter
444 icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
445 u32 thread_index, vlib_buffer_t * b0,
446 ip4_header_t * ip0, u8 * p_proto,
447 snat_session_key_t * p_value,
448 u8 * p_dont_translate, void *d, void *e)
450 icmp46_header_t *icmp0;
453 snat_session_key_t key0;
454 snat_session_key_t sm0;
455 u8 dont_translate = 0;
460 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
461 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
462 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
464 err = icmp_get_key (ip0, &key0);
467 b0->error = node->errors[err];
468 next0 = SNAT_OUT2IN_NEXT_DROP;
471 key0.fib_index = rx_fib_index0;
473 if (snat_static_mapping_match
474 (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0, 0))
476 /* Don't NAT packet aimed at the intfc address */
477 if (is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32))
482 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
483 next0 = SNAT_OUT2IN_NEXT_DROP;
487 if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply &&
488 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
489 !icmp_is_error_message (icmp0)))
491 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
492 next0 = SNAT_OUT2IN_NEXT_DROP;
499 *p_proto = key0.protocol;
500 *p_dont_translate = dont_translate;
505 #ifndef CLIB_MARCH_VARIANT
507 icmp_out2in (snat_main_t * sm,
510 icmp46_header_t * icmp0,
513 vlib_node_runtime_t * node,
514 u32 next0, u32 thread_index, void *d, void *e)
516 snat_session_key_t sm0;
518 icmp_echo_header_t *echo0, *inner_echo0 = 0;
519 ip4_header_t *inner_ip0 = 0;
521 icmp46_header_t *inner_icmp0;
523 u32 new_addr0, old_addr0;
524 u16 old_id0, new_id0;
529 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
531 next0_tmp = sm->icmp_match_out2in_cb (sm, node, thread_index, b0, ip0,
532 &protocol, &sm0, &dont_translate, d,
536 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
539 if (PREDICT_TRUE (!ip4_is_fragment (ip0)))
541 sum0 = ip_incremental_checksum_buffer (sm->vlib_main, b0, (u8 *) icmp0 -
543 vlib_buffer_get_current (b0),
544 ntohs (ip0->length) -
545 ip4_header_bytes (ip0), 0);
546 checksum0 = ~ip_csum_fold (sum0);
547 if (checksum0 != 0 && checksum0 != 0xffff)
549 next0 = SNAT_OUT2IN_NEXT_DROP;
554 old_addr0 = ip0->dst_address.as_u32;
555 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
556 vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
558 sum0 = ip0->checksum;
559 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
560 dst_address /* changed member */ );
561 ip0->checksum = ip_csum_fold (sum0);
563 if (icmp0->checksum == 0)
564 icmp0->checksum = 0xffff;
566 if (!icmp_is_error_message (icmp0))
569 if (PREDICT_FALSE (new_id0 != echo0->identifier))
571 old_id0 = echo0->identifier;
573 echo0->identifier = new_id0;
575 sum0 = icmp0->checksum;
576 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
577 identifier /* changed member */ );
578 icmp0->checksum = ip_csum_fold (sum0);
583 inner_ip0 = (ip4_header_t *) (echo0 + 1);
584 l4_header = ip4_next_header (inner_ip0);
586 if (!ip4_header_checksum_is_valid (inner_ip0))
588 next0 = SNAT_OUT2IN_NEXT_DROP;
592 old_addr0 = inner_ip0->src_address.as_u32;
593 inner_ip0->src_address = sm0.addr;
594 new_addr0 = inner_ip0->src_address.as_u32;
596 sum0 = icmp0->checksum;
597 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
598 src_address /* changed member */ );
599 icmp0->checksum = ip_csum_fold (sum0);
603 case SNAT_PROTOCOL_ICMP:
604 inner_icmp0 = (icmp46_header_t *) l4_header;
605 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
607 old_id0 = inner_echo0->identifier;
609 inner_echo0->identifier = new_id0;
611 sum0 = icmp0->checksum;
612 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
614 icmp0->checksum = ip_csum_fold (sum0);
616 case SNAT_PROTOCOL_UDP:
617 case SNAT_PROTOCOL_TCP:
618 old_id0 = ((tcp_udp_header_t *) l4_header)->src_port;
620 ((tcp_udp_header_t *) l4_header)->src_port = new_id0;
622 sum0 = icmp0->checksum;
623 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
625 icmp0->checksum = ip_csum_fold (sum0);
638 icmp_out2in_slow_path (snat_main_t * sm,
641 icmp46_header_t * icmp0,
644 vlib_node_runtime_t * node,
646 u32 thread_index, snat_session_t ** p_s0)
648 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
649 next0, thread_index, p_s0, 0);
650 snat_session_t *s0 = *p_s0;
651 if (PREDICT_TRUE (next0 != SNAT_OUT2IN_NEXT_DROP && s0))
654 nat44_session_update_counters (s0, now,
655 vlib_buffer_length_in_chain
656 (sm->vlib_main, b0));
657 /* Per-user LRU list maintenance */
658 nat44_session_update_lru (sm, s0, thread_index);
664 nat_out2in_sm_unknown_proto (snat_main_t * sm,
666 ip4_header_t * ip, u32 rx_fib_index)
668 clib_bihash_kv_8_8_t kv, value;
669 snat_static_mapping_t *m;
670 snat_session_key_t m_key;
671 u32 old_addr, new_addr;
674 m_key.addr = ip->dst_address;
678 kv.key = m_key.as_u64;
679 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
682 m = pool_elt_at_index (sm->static_mappings, value.value);
684 old_addr = ip->dst_address.as_u32;
685 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
687 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
688 ip->checksum = ip_csum_fold (sum);
690 vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index;
694 VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
695 vlib_node_runtime_t * node,
696 vlib_frame_t * frame)
698 u32 n_left_from, *from, *to_next;
699 snat_out2in_next_t next_index;
700 u32 pkts_processed = 0;
701 snat_main_t *sm = &snat_main;
702 f64 now = vlib_time_now (vm);
703 u32 thread_index = vm->thread_index;
704 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
707 from = vlib_frame_vector_args (frame);
708 n_left_from = frame->n_vectors;
709 next_index = node->cached_next_index;
711 while (n_left_from > 0)
715 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
717 while (n_left_from >= 4 && n_left_to_next >= 2)
720 vlib_buffer_t *b0, *b1;
721 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
722 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
723 u32 sw_if_index0, sw_if_index1;
724 ip4_header_t *ip0, *ip1;
725 ip_csum_t sum0, sum1;
726 u32 new_addr0, old_addr0;
727 u16 new_port0, old_port0;
728 u32 new_addr1, old_addr1;
729 u16 new_port1, old_port1;
730 udp_header_t *udp0, *udp1;
731 tcp_header_t *tcp0, *tcp1;
732 icmp46_header_t *icmp0, *icmp1;
733 snat_session_key_t key0, key1, sm0, sm1;
734 u32 rx_fib_index0, rx_fib_index1;
736 snat_session_t *s0 = 0, *s1 = 0;
737 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
738 u8 identity_nat0, identity_nat1;
740 /* Prefetch next iteration. */
742 vlib_buffer_t *p2, *p3;
744 p2 = vlib_get_buffer (vm, from[2]);
745 p3 = vlib_get_buffer (vm, from[3]);
747 vlib_prefetch_buffer_header (p2, LOAD);
748 vlib_prefetch_buffer_header (p3, LOAD);
750 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
751 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
754 /* speculatively enqueue b0 and b1 to the current next frame */
755 to_next[0] = bi0 = from[0];
756 to_next[1] = bi1 = from[1];
762 b0 = vlib_get_buffer (vm, bi0);
763 b1 = vlib_get_buffer (vm, bi1);
765 vnet_buffer (b0)->snat.flags = 0;
766 vnet_buffer (b1)->snat.flags = 0;
768 ip0 = vlib_buffer_get_current (b0);
769 udp0 = ip4_next_header (ip0);
770 tcp0 = (tcp_header_t *) udp0;
771 icmp0 = (icmp46_header_t *) udp0;
773 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
774 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
777 if (PREDICT_FALSE (ip0->ttl == 1))
779 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
780 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
781 ICMP4_time_exceeded_ttl_exceeded_in_transit,
783 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
787 proto0 = ip_proto_to_snat_proto (ip0->protocol);
789 if (PREDICT_FALSE (proto0 == ~0))
791 if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
793 if (!sm->forwarding_enabled)
796 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
797 next0 = SNAT_OUT2IN_NEXT_DROP;
804 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
806 next0 = SNAT_OUT2IN_NEXT_REASS;
811 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
813 next0 = icmp_out2in_slow_path
814 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
815 next0, now, thread_index, &s0);
820 key0.addr = ip0->dst_address;
821 key0.port = udp0->dst_port;
822 key0.protocol = proto0;
823 key0.fib_index = rx_fib_index0;
825 kv0.key = key0.as_u64;
827 if (clib_bihash_search_8_8
828 (&sm->per_thread_data[thread_index].out2in, &kv0, &value0))
830 /* Try to match static mapping by external address and port,
831 destination address and port in packet */
832 if (snat_static_mapping_match
833 (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
836 * Send DHCP packets to the ipv4 stack, or we won't
837 * be able to use dhcp client on the outside interface
839 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
840 && (udp0->dst_port ==
842 (UDP_DST_PORT_dhcp_to_client))))
844 vnet_feature_next (&next0, b0);
848 if (!sm->forwarding_enabled)
851 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
852 next0 = SNAT_OUT2IN_NEXT_DROP;
857 if (PREDICT_FALSE (identity_nat0))
860 /* Create session initiated by host from external network */
861 s0 = create_session_for_static_mapping (sm, b0, sm0, key0, node,
865 next0 = SNAT_OUT2IN_NEXT_DROP;
871 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
874 old_addr0 = ip0->dst_address.as_u32;
875 ip0->dst_address = s0->in2out.addr;
876 new_addr0 = ip0->dst_address.as_u32;
877 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
879 sum0 = ip0->checksum;
880 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
882 dst_address /* changed member */ );
883 ip0->checksum = ip_csum_fold (sum0);
885 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
887 old_port0 = tcp0->dst_port;
888 tcp0->dst_port = s0->in2out.port;
889 new_port0 = tcp0->dst_port;
891 sum0 = tcp0->checksum;
892 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
894 dst_address /* changed member */ );
896 sum0 = ip_csum_update (sum0, old_port0, new_port0,
897 ip4_header_t /* cheat */ ,
898 length /* changed member */ );
899 tcp0->checksum = ip_csum_fold (sum0);
904 old_port0 = udp0->dst_port;
905 udp0->dst_port = s0->in2out.port;
911 nat44_session_update_counters (s0, now,
912 vlib_buffer_length_in_chain (vm,
914 /* Per-user LRU list maintenance */
915 nat44_session_update_lru (sm, s0, thread_index);
918 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
919 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
921 snat_out2in_trace_t *t =
922 vlib_add_trace (vm, node, b0, sizeof (*t));
923 t->sw_if_index = sw_if_index0;
924 t->next_index = next0;
925 t->session_index = ~0;
928 s0 - sm->per_thread_data[thread_index].sessions;
931 pkts_processed += next0 == SNAT_OUT2IN_NEXT_LOOKUP;
934 ip1 = vlib_buffer_get_current (b1);
935 udp1 = ip4_next_header (ip1);
936 tcp1 = (tcp_header_t *) udp1;
937 icmp1 = (icmp46_header_t *) udp1;
939 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
940 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
943 if (PREDICT_FALSE (ip1->ttl == 1))
945 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
946 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
947 ICMP4_time_exceeded_ttl_exceeded_in_transit,
949 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
953 proto1 = ip_proto_to_snat_proto (ip1->protocol);
955 if (PREDICT_FALSE (proto1 == ~0))
957 if (nat_out2in_sm_unknown_proto (sm, b1, ip1, rx_fib_index1))
959 if (!sm->forwarding_enabled)
962 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
963 next1 = SNAT_OUT2IN_NEXT_DROP;
970 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
972 next1 = SNAT_OUT2IN_NEXT_REASS;
977 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
979 next1 = icmp_out2in_slow_path
980 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
981 next1, now, thread_index, &s1);
986 key1.addr = ip1->dst_address;
987 key1.port = udp1->dst_port;
988 key1.protocol = proto1;
989 key1.fib_index = rx_fib_index1;
991 kv1.key = key1.as_u64;
993 if (clib_bihash_search_8_8
994 (&sm->per_thread_data[thread_index].out2in, &kv1, &value1))
996 /* Try to match static mapping by external address and port,
997 destination address and port in packet */
998 if (snat_static_mapping_match
999 (sm, key1, &sm1, 1, 0, 0, 0, 0, &identity_nat1))
1002 * Send DHCP packets to the ipv4 stack, or we won't
1003 * be able to use dhcp client on the outside interface
1005 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
1006 && (udp1->dst_port ==
1007 clib_host_to_net_u16
1008 (UDP_DST_PORT_dhcp_to_client))))
1010 vnet_feature_next (&next1, b1);
1014 if (!sm->forwarding_enabled)
1017 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1018 next1 = SNAT_OUT2IN_NEXT_DROP;
1023 if (PREDICT_FALSE (identity_nat1))
1026 /* Create session initiated by host from external network */
1027 s1 = create_session_for_static_mapping (sm, b1, sm1, key1, node,
1031 next1 = SNAT_OUT2IN_NEXT_DROP;
1037 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1040 old_addr1 = ip1->dst_address.as_u32;
1041 ip1->dst_address = s1->in2out.addr;
1042 new_addr1 = ip1->dst_address.as_u32;
1043 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1045 sum1 = ip1->checksum;
1046 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1048 dst_address /* changed member */ );
1049 ip1->checksum = ip_csum_fold (sum1);
1051 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
1053 old_port1 = tcp1->dst_port;
1054 tcp1->dst_port = s1->in2out.port;
1055 new_port1 = tcp1->dst_port;
1057 sum1 = tcp1->checksum;
1058 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1060 dst_address /* changed member */ );
1062 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1063 ip4_header_t /* cheat */ ,
1064 length /* changed member */ );
1065 tcp1->checksum = ip_csum_fold (sum1);
1070 old_port1 = udp1->dst_port;
1071 udp1->dst_port = s1->in2out.port;
1077 nat44_session_update_counters (s1, now,
1078 vlib_buffer_length_in_chain (vm,
1080 /* Per-user LRU list maintenance */
1081 nat44_session_update_lru (sm, s1, thread_index);
1084 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1085 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1087 snat_out2in_trace_t *t =
1088 vlib_add_trace (vm, node, b1, sizeof (*t));
1089 t->sw_if_index = sw_if_index1;
1090 t->next_index = next1;
1091 t->session_index = ~0;
1094 s1 - sm->per_thread_data[thread_index].sessions;
1097 pkts_processed += next1 == SNAT_OUT2IN_NEXT_LOOKUP;
1099 /* verify speculative enqueues, maybe switch current next frame */
1100 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1101 to_next, n_left_to_next,
1102 bi0, bi1, next0, next1);
1105 while (n_left_from > 0 && n_left_to_next > 0)
1109 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1113 u32 new_addr0, old_addr0;
1114 u16 new_port0, old_port0;
1117 icmp46_header_t *icmp0;
1118 snat_session_key_t key0, sm0;
1121 snat_session_t *s0 = 0;
1122 clib_bihash_kv_8_8_t kv0, value0;
1125 /* speculatively enqueue b0 to the current next frame */
1131 n_left_to_next -= 1;
1133 b0 = vlib_get_buffer (vm, bi0);
1135 vnet_buffer (b0)->snat.flags = 0;
1137 ip0 = vlib_buffer_get_current (b0);
1138 udp0 = ip4_next_header (ip0);
1139 tcp0 = (tcp_header_t *) udp0;
1140 icmp0 = (icmp46_header_t *) udp0;
1142 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1143 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1146 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1148 if (PREDICT_FALSE (proto0 == ~0))
1150 if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
1152 if (!sm->forwarding_enabled)
1155 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1156 next0 = SNAT_OUT2IN_NEXT_DROP;
1163 if (PREDICT_FALSE (ip0->ttl == 1))
1165 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1166 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1167 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1169 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1173 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1175 next0 = SNAT_OUT2IN_NEXT_REASS;
1180 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1182 next0 = icmp_out2in_slow_path
1183 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1184 next0, now, thread_index, &s0);
1189 key0.addr = ip0->dst_address;
1190 key0.port = udp0->dst_port;
1191 key0.protocol = proto0;
1192 key0.fib_index = rx_fib_index0;
1194 kv0.key = key0.as_u64;
1196 if (clib_bihash_search_8_8
1197 (&sm->per_thread_data[thread_index].out2in, &kv0, &value0))
1199 /* Try to match static mapping by external address and port,
1200 destination address and port in packet */
1201 if (snat_static_mapping_match
1202 (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
1205 * Send DHCP packets to the ipv4 stack, or we won't
1206 * be able to use dhcp client on the outside interface
1208 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1209 && (udp0->dst_port ==
1210 clib_host_to_net_u16
1211 (UDP_DST_PORT_dhcp_to_client))))
1213 vnet_feature_next (&next0, b0);
1217 if (!sm->forwarding_enabled)
1220 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1221 next0 = SNAT_OUT2IN_NEXT_DROP;
1226 if (PREDICT_FALSE (identity_nat0))
1229 /* Create session initiated by host from external network */
1230 s0 = create_session_for_static_mapping (sm, b0, sm0, key0, node,
1234 next0 = SNAT_OUT2IN_NEXT_DROP;
1240 pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1243 old_addr0 = ip0->dst_address.as_u32;
1244 ip0->dst_address = s0->in2out.addr;
1245 new_addr0 = ip0->dst_address.as_u32;
1246 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1248 sum0 = ip0->checksum;
1249 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1251 dst_address /* changed member */ );
1252 ip0->checksum = ip_csum_fold (sum0);
1254 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1256 old_port0 = tcp0->dst_port;
1257 tcp0->dst_port = s0->in2out.port;
1258 new_port0 = tcp0->dst_port;
1260 sum0 = tcp0->checksum;
1261 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1263 dst_address /* changed member */ );
1265 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1266 ip4_header_t /* cheat */ ,
1267 length /* changed member */ );
1268 tcp0->checksum = ip_csum_fold (sum0);
1273 old_port0 = udp0->dst_port;
1274 udp0->dst_port = s0->in2out.port;
1280 nat44_session_update_counters (s0, now,
1281 vlib_buffer_length_in_chain (vm,
1283 /* Per-user LRU list maintenance */
1284 nat44_session_update_lru (sm, s0, thread_index);
1287 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1288 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1290 snat_out2in_trace_t *t =
1291 vlib_add_trace (vm, node, b0, sizeof (*t));
1292 t->sw_if_index = sw_if_index0;
1293 t->next_index = next0;
1294 t->session_index = ~0;
1297 s0 - sm->per_thread_data[thread_index].sessions;
1300 pkts_processed += next0 == SNAT_OUT2IN_NEXT_LOOKUP;
1302 /* verify speculative enqueue, maybe switch current next frame */
1303 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1304 to_next, n_left_to_next,
1308 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1311 vlib_node_increment_counter (vm, sm->out2in_node_index,
1312 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1314 vlib_node_increment_counter (vm, sm->out2in_node_index,
1315 SNAT_OUT2IN_ERROR_TCP_PACKETS, tcp_packets);
1316 vlib_node_increment_counter (vm, sm->out2in_node_index,
1317 SNAT_OUT2IN_ERROR_UDP_PACKETS, udp_packets);
1318 vlib_node_increment_counter (vm, sm->out2in_node_index,
1319 SNAT_OUT2IN_ERROR_ICMP_PACKETS, icmp_packets);
1320 vlib_node_increment_counter (vm, sm->out2in_node_index,
1321 SNAT_OUT2IN_ERROR_OTHER_PACKETS,
1323 vlib_node_increment_counter (vm, sm->out2in_node_index,
1324 SNAT_OUT2IN_ERROR_FRAGMENTS, fragments);
1326 return frame->n_vectors;
1330 VLIB_REGISTER_NODE (snat_out2in_node) = {
1331 .name = "nat44-out2in",
1332 .vector_size = sizeof (u32),
1333 .format_trace = format_snat_out2in_trace,
1334 .type = VLIB_NODE_TYPE_INTERNAL,
1336 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1337 .error_strings = snat_out2in_error_strings,
1339 .runtime_data_bytes = sizeof (snat_runtime_t),
1341 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1343 /* edit / add dispositions here */
1345 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1346 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1347 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1348 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1353 VLIB_NODE_FN (nat44_out2in_reass_node) (vlib_main_t * vm,
1354 vlib_node_runtime_t * node,
1355 vlib_frame_t * frame)
1357 u32 n_left_from, *from, *to_next;
1358 snat_out2in_next_t next_index;
1359 u32 pkts_processed = 0, cached_fragments = 0;
1360 snat_main_t *sm = &snat_main;
1361 f64 now = vlib_time_now (vm);
1362 u32 thread_index = vm->thread_index;
1363 snat_main_per_thread_data_t *per_thread_data =
1364 &sm->per_thread_data[thread_index];
1365 u32 *fragments_to_drop = 0;
1366 u32 *fragments_to_loopback = 0;
1368 from = vlib_frame_vector_args (frame);
1369 n_left_from = frame->n_vectors;
1370 next_index = node->cached_next_index;
1372 while (n_left_from > 0)
1376 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1378 while (n_left_from > 0 && n_left_to_next > 0)
1380 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1385 nat_reass_ip4_t *reass0;
1388 icmp46_header_t *icmp0;
1389 snat_session_key_t key0, sm0;
1390 clib_bihash_kv_8_8_t kv0, value0;
1391 snat_session_t *s0 = 0;
1392 u16 old_port0, new_port0;
1396 /* speculatively enqueue b0 to the current next frame */
1402 n_left_to_next -= 1;
1404 b0 = vlib_get_buffer (vm, bi0);
1405 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1407 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1409 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1412 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
1414 next0 = SNAT_OUT2IN_NEXT_DROP;
1415 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1419 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1420 udp0 = ip4_next_header (ip0);
1421 tcp0 = (tcp_header_t *) udp0;
1422 icmp0 = (icmp46_header_t *) udp0;
1423 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1425 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1429 1, &fragments_to_drop);
1431 if (PREDICT_FALSE (!reass0))
1433 next0 = SNAT_OUT2IN_NEXT_DROP;
1434 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1435 nat_log_notice ("maximum reassemblies exceeded");
1439 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1441 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1443 next0 = icmp_out2in_slow_path
1444 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1445 next0, now, thread_index, &s0);
1447 if (PREDICT_TRUE (next0 != SNAT_OUT2IN_NEXT_DROP))
1450 reass0->sess_index = s0 - per_thread_data->sessions;
1452 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1453 reass0->thread_index = thread_index;
1454 nat_ip4_reass_get_frags (reass0,
1455 &fragments_to_loopback);
1461 key0.addr = ip0->dst_address;
1462 key0.port = udp0->dst_port;
1463 key0.protocol = proto0;
1464 key0.fib_index = rx_fib_index0;
1465 kv0.key = key0.as_u64;
1467 if (clib_bihash_search_8_8
1468 (&per_thread_data->out2in, &kv0, &value0))
1470 /* Try to match static mapping by external address and port,
1471 destination address and port in packet */
1472 if (snat_static_mapping_match
1473 (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
1476 * Send DHCP packets to the ipv4 stack, or we won't
1477 * be able to use dhcp client on the outside interface
1479 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1482 clib_host_to_net_u16
1483 (UDP_DST_PORT_dhcp_to_client))))
1485 vnet_feature_next (&next0, b0);
1489 if (!sm->forwarding_enabled)
1492 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1493 next0 = SNAT_OUT2IN_NEXT_DROP;
1497 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1498 nat_ip4_reass_get_frags (reass0,
1499 &fragments_to_loopback);
1504 if (PREDICT_FALSE (identity_nat0))
1507 /* Create session initiated by host from external network */
1509 create_session_for_static_mapping (sm, b0, sm0, key0,
1515 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1516 next0 = SNAT_OUT2IN_NEXT_DROP;
1519 reass0->sess_index = s0 - per_thread_data->sessions;
1520 reass0->thread_index = thread_index;
1524 s0 = pool_elt_at_index (per_thread_data->sessions,
1526 reass0->sess_index = value0.value;
1528 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1532 if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
1534 if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
1536 if (nat_ip4_reass_add_fragment
1537 (thread_index, reass0, bi0, &fragments_to_drop))
1539 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1541 ("maximum fragments per reassembly exceeded");
1542 next0 = SNAT_OUT2IN_NEXT_DROP;
1548 s0 = pool_elt_at_index (per_thread_data->sessions,
1549 reass0->sess_index);
1552 old_addr0 = ip0->dst_address.as_u32;
1553 ip0->dst_address = s0->in2out.addr;
1554 new_addr0 = ip0->dst_address.as_u32;
1555 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1557 sum0 = ip0->checksum;
1558 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1560 dst_address /* changed member */ );
1561 ip0->checksum = ip_csum_fold (sum0);
1563 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1565 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1567 old_port0 = tcp0->dst_port;
1568 tcp0->dst_port = s0->in2out.port;
1569 new_port0 = tcp0->dst_port;
1571 sum0 = tcp0->checksum;
1572 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1574 dst_address /* changed member */ );
1576 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1577 ip4_header_t /* cheat */ ,
1578 length /* changed member */ );
1579 tcp0->checksum = ip_csum_fold (sum0);
1583 old_port0 = udp0->dst_port;
1584 udp0->dst_port = s0->in2out.port;
1590 nat44_session_update_counters (s0, now,
1591 vlib_buffer_length_in_chain (vm,
1593 /* Per-user LRU list maintenance */
1594 nat44_session_update_lru (sm, s0, thread_index);
1597 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1598 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1600 nat44_reass_trace_t *t =
1601 vlib_add_trace (vm, node, b0, sizeof (*t));
1602 t->cached = cached0;
1603 t->sw_if_index = sw_if_index0;
1604 t->next_index = next0;
1615 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1617 /* verify speculative enqueue, maybe switch current next frame */
1618 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1619 to_next, n_left_to_next,
1623 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1625 from = vlib_frame_vector_args (frame);
1626 u32 len = vec_len (fragments_to_loopback);
1627 if (len <= VLIB_FRAME_SIZE)
1629 clib_memcpy_fast (from, fragments_to_loopback,
1630 sizeof (u32) * len);
1632 vec_reset_length (fragments_to_loopback);
1636 clib_memcpy_fast (from, fragments_to_loopback +
1637 (len - VLIB_FRAME_SIZE),
1638 sizeof (u32) * VLIB_FRAME_SIZE);
1639 n_left_from = VLIB_FRAME_SIZE;
1640 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1645 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1648 vlib_node_increment_counter (vm, sm->out2in_reass_node_index,
1649 SNAT_OUT2IN_ERROR_PROCESSED_FRAGMENTS,
1651 vlib_node_increment_counter (vm, sm->out2in_reass_node_index,
1652 SNAT_OUT2IN_ERROR_CACHED_FRAGMENTS,
1655 nat_send_all_to_node (vm, fragments_to_drop, node,
1656 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
1657 SNAT_OUT2IN_NEXT_DROP);
1659 vec_free (fragments_to_drop);
1660 vec_free (fragments_to_loopback);
1661 return frame->n_vectors;
1665 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
1666 .name = "nat44-out2in-reass",
1667 .vector_size = sizeof (u32),
1668 .format_trace = format_nat44_reass_trace,
1669 .type = VLIB_NODE_TYPE_INTERNAL,
1671 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1672 .error_strings = snat_out2in_error_strings,
1674 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1676 /* edit / add dispositions here */
1678 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1679 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1680 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1681 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1686 VLIB_NODE_FN (snat_out2in_fast_node) (vlib_main_t * vm,
1687 vlib_node_runtime_t * node,
1688 vlib_frame_t * frame)
1690 u32 n_left_from, *from, *to_next;
1691 snat_out2in_next_t next_index;
1692 u32 pkts_processed = 0;
1693 snat_main_t *sm = &snat_main;
1695 from = vlib_frame_vector_args (frame);
1696 n_left_from = frame->n_vectors;
1697 next_index = node->cached_next_index;
1699 while (n_left_from > 0)
1703 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1705 while (n_left_from > 0 && n_left_to_next > 0)
1709 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
1713 u32 new_addr0, old_addr0;
1714 u16 new_port0, old_port0;
1717 icmp46_header_t *icmp0;
1718 snat_session_key_t key0, sm0;
1722 /* speculatively enqueue b0 to the current next frame */
1728 n_left_to_next -= 1;
1730 b0 = vlib_get_buffer (vm, bi0);
1732 ip0 = vlib_buffer_get_current (b0);
1733 udp0 = ip4_next_header (ip0);
1734 tcp0 = (tcp_header_t *) udp0;
1735 icmp0 = (icmp46_header_t *) udp0;
1737 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1739 ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
1741 vnet_feature_next (&next0, b0);
1743 if (PREDICT_FALSE (ip0->ttl == 1))
1745 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1746 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1747 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1749 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1753 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1755 if (PREDICT_FALSE (proto0 == ~0))
1758 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1760 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0,
1761 rx_fib_index0, node, next0, ~0, 0, 0);
1765 key0.addr = ip0->dst_address;
1766 key0.port = udp0->dst_port;
1767 key0.fib_index = rx_fib_index0;
1769 if (snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
1771 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1775 new_addr0 = sm0.addr.as_u32;
1776 new_port0 = sm0.port;
1777 vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1778 old_addr0 = ip0->dst_address.as_u32;
1779 ip0->dst_address.as_u32 = new_addr0;
1781 sum0 = ip0->checksum;
1782 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1784 dst_address /* changed member */ );
1785 ip0->checksum = ip_csum_fold (sum0);
1787 if (PREDICT_FALSE (new_port0 != udp0->dst_port))
1789 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1791 old_port0 = tcp0->dst_port;
1792 tcp0->dst_port = new_port0;
1794 sum0 = tcp0->checksum;
1795 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1797 dst_address /* changed member */ );
1799 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1800 ip4_header_t /* cheat */ ,
1801 length /* changed member */ );
1802 tcp0->checksum = ip_csum_fold (sum0);
1806 old_port0 = udp0->dst_port;
1807 udp0->dst_port = new_port0;
1813 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1815 sum0 = tcp0->checksum;
1816 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1818 dst_address /* changed member */ );
1820 tcp0->checksum = ip_csum_fold (sum0);
1826 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1827 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1829 snat_out2in_trace_t *t =
1830 vlib_add_trace (vm, node, b0, sizeof (*t));
1831 t->sw_if_index = sw_if_index0;
1832 t->next_index = next0;
1835 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1837 /* verify speculative enqueue, maybe switch current next frame */
1838 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1839 to_next, n_left_to_next,
1843 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1846 vlib_node_increment_counter (vm, sm->out2in_fast_node_index,
1847 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1849 return frame->n_vectors;
1853 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
1854 .name = "nat44-out2in-fast",
1855 .vector_size = sizeof (u32),
1856 .format_trace = format_snat_out2in_fast_trace,
1857 .type = VLIB_NODE_TYPE_INTERNAL,
1859 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1860 .error_strings = snat_out2in_error_strings,
1862 .runtime_data_bytes = sizeof (snat_runtime_t),
1864 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1866 /* edit / add dispositions here */
1868 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1869 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1870 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1871 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1877 * fd.io coding-style-patch-verification: ON
1880 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob