2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
28 #include <nat/nat_reass.h>
30 #include <vppinfra/hash.h>
31 #include <vppinfra/error.h>
32 #include <vppinfra/elog.h>
38 } snat_out2in_trace_t;
41 u32 next_worker_index;
43 } snat_out2in_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
52 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
53 t->sw_if_index, t->next_index, t->session_index);
57 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
59 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
60 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
61 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
63 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
64 t->sw_if_index, t->next_index);
68 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
70 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
71 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
72 snat_out2in_worker_handoff_trace_t * t =
73 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
76 m = t->do_handoff ? "next worker" : "same worker";
77 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
86 } nat44_out2in_reass_trace_t;
88 static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args)
90 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
91 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
92 nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *);
94 s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s",
95 t->sw_if_index, t->next_index,
96 t->cached ? "cached" : "translated");
101 vlib_node_registration_t snat_out2in_node;
102 vlib_node_registration_t snat_out2in_fast_node;
103 vlib_node_registration_t snat_out2in_worker_handoff_node;
104 vlib_node_registration_t snat_det_out2in_node;
105 vlib_node_registration_t nat44_out2in_reass_node;
107 #define foreach_snat_out2in_error \
108 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
109 _(OUT2IN_PACKETS, "Good out2in packets processed") \
110 _(OUT_OF_PORTS, "Out of ports") \
111 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
112 _(NO_TRANSLATION, "No translation") \
113 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
114 _(DROP_FRAGMENT, "Drop fragment") \
115 _(MAX_REASS, "Maximum reassemblies exceeded") \
116 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
119 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
120 foreach_snat_out2in_error
123 } snat_out2in_error_t;
125 static char * snat_out2in_error_strings[] = {
126 #define _(sym,string) string,
127 foreach_snat_out2in_error
132 SNAT_OUT2IN_NEXT_DROP,
133 SNAT_OUT2IN_NEXT_LOOKUP,
134 SNAT_OUT2IN_NEXT_ICMP_ERROR,
135 SNAT_OUT2IN_NEXT_REASS,
136 SNAT_OUT2IN_NEXT_IN2OUT,
138 } snat_out2in_next_t;
141 * @brief Create session for static mapping.
143 * Create NAT session initiated by host from external network with static
146 * @param sm NAT main.
147 * @param b0 Vlib buffer.
148 * @param in2out In2out NAT44 session key.
149 * @param out2in Out2in NAT44 session key.
150 * @param node Vlib node.
152 * @returns SNAT session if successfully created otherwise 0.
154 static inline snat_session_t *
155 create_session_for_static_mapping (snat_main_t *sm,
157 snat_session_key_t in2out,
158 snat_session_key_t out2in,
159 vlib_node_runtime_t * node,
164 clib_bihash_kv_8_8_t kv0;
168 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
170 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
174 ip0 = vlib_buffer_get_current (b0);
175 udp0 = ip4_next_header (ip0);
177 u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
180 clib_warning ("create NAT user failed");
184 s = nat_session_alloc_or_recycle (sm, u, thread_index);
187 clib_warning ("create NAT session failed");
191 s->outside_address_index = ~0;
192 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
193 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
194 s->ext_host_port = udp0->src_port;
195 user_session_increment (sm, u, 1 /* static */);
198 s->in2out.protocol = out2in.protocol;
200 /* Add to translation hashes */
201 kv0.key = s->in2out.as_u64;
202 kv0.value = s - sm->per_thread_data[thread_index].sessions;
203 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
205 clib_warning ("in2out key add failed");
207 kv0.key = s->out2in.as_u64;
209 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
211 clib_warning ("out2in key add failed");
214 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
215 s->out2in.addr.as_u32,
219 s->in2out.fib_index);
224 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
225 snat_session_key_t *p_key0)
227 icmp46_header_t *icmp0;
228 snat_session_key_t key0;
229 icmp_echo_header_t *echo0, *inner_echo0 = 0;
230 ip4_header_t *inner_ip0;
232 icmp46_header_t *inner_icmp0;
234 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
235 echo0 = (icmp_echo_header_t *)(icmp0+1);
237 if (!icmp_is_error_message (icmp0))
239 key0.protocol = SNAT_PROTOCOL_ICMP;
240 key0.addr = ip0->dst_address;
241 key0.port = echo0->identifier;
245 inner_ip0 = (ip4_header_t *)(echo0+1);
246 l4_header = ip4_next_header (inner_ip0);
247 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
248 key0.addr = inner_ip0->src_address;
249 switch (key0.protocol)
251 case SNAT_PROTOCOL_ICMP:
252 inner_icmp0 = (icmp46_header_t*)l4_header;
253 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
254 key0.port = inner_echo0->identifier;
256 case SNAT_PROTOCOL_UDP:
257 case SNAT_PROTOCOL_TCP:
258 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
261 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
265 return -1; /* success */
268 static_always_inline int
269 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
271 icmp46_header_t *icmp0;
272 nat_ed_ses_key_t key0;
273 icmp_echo_header_t *echo0, *inner_echo0 = 0;
274 ip4_header_t *inner_ip0;
276 icmp46_header_t *inner_icmp0;
278 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
279 echo0 = (icmp_echo_header_t *)(icmp0+1);
281 if (!icmp_is_error_message (icmp0))
283 key0.proto = IP_PROTOCOL_ICMP;
284 key0.l_addr = ip0->dst_address;
285 key0.r_addr = ip0->src_address;
286 key0.l_port = key0.r_port = echo0->identifier;
290 inner_ip0 = (ip4_header_t *)(echo0+1);
291 l4_header = ip4_next_header (inner_ip0);
292 key0.proto = inner_ip0->protocol;
293 key0.l_addr = inner_ip0->src_address;
294 key0.r_addr = inner_ip0->dst_address;
295 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
297 case SNAT_PROTOCOL_ICMP:
298 inner_icmp0 = (icmp46_header_t*)l4_header;
299 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
300 key0.l_port = key0.r_port = inner_echo0->identifier;
302 case SNAT_PROTOCOL_UDP:
303 case SNAT_PROTOCOL_TCP:
304 key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port;
305 key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port;
316 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port,
319 snat_session_key_t key;
320 clib_bihash_kv_8_8_t kv, value;
322 key.addr = ip->src_address;
324 key.protocol = proto;
325 key.fib_index = sm->inside_fib_index;
328 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv,
336 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
338 nat_ed_ses_key_t key;
339 clib_bihash_kv_16_8_t kv;
342 if (ip->protocol == IP_PROTOCOL_ICMP)
344 if (icmp_get_ed_key (ip, &key))
347 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
349 udp = ip4_next_header(ip);
350 key.r_addr = ip->src_address;
351 key.l_addr = ip->dst_address;
352 key.proto = ip->protocol;
353 key.l_port = udp->dst_port;
354 key.r_port = udp->src_port;
358 key.r_addr = ip->src_address;
359 key.l_addr = ip->dst_address;
360 key.proto = ip->protocol;
361 key.l_port = key.r_port = 0;
364 kv.key[0] = key.as_u64[0];
365 kv.key[1] = key.as_u64[1];
368 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
369 clib_warning ("in2out_ed key add failed");
373 * Get address and port values to be used for ICMP packet translation
374 * and create session if needed
376 * @param[in,out] sm NAT main
377 * @param[in,out] node NAT node runtime
378 * @param[in] thread_index thread index
379 * @param[in,out] b0 buffer containing packet to be translated
380 * @param[out] p_proto protocol used for matching
381 * @param[out] p_value address and port after NAT translation
382 * @param[out] p_dont_translate if packet should not be translated
383 * @param d optional parameter
384 * @param e optional parameter
386 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
387 u32 thread_index, vlib_buffer_t *b0,
388 ip4_header_t *ip0, u8 *p_proto,
389 snat_session_key_t *p_value,
390 u8 *p_dont_translate, void *d, void *e)
392 icmp46_header_t *icmp0;
395 snat_session_key_t key0;
396 snat_session_key_t sm0;
397 snat_session_t *s0 = 0;
398 u8 dont_translate = 0;
399 clib_bihash_kv_8_8_t kv0, value0;
404 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
405 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
406 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
410 err = icmp_get_key (ip0, &key0);
413 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
414 next0 = SNAT_OUT2IN_NEXT_DROP;
417 key0.fib_index = rx_fib_index0;
419 kv0.key = key0.as_u64;
421 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
424 /* Try to match static mapping by external address and port,
425 destination address and port in packet */
426 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
428 if (!sm->forwarding_enabled)
430 /* Don't NAT packet aimed at the intfc address */
431 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
432 ip0->dst_address.as_u32)))
437 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
438 next0 = SNAT_OUT2IN_NEXT_DROP;
444 if (next_src_nat(sm, ip0, key0.protocol, key0.port, thread_index))
446 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
449 create_bypass_for_fwd(sm, ip0);
454 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
455 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
457 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
458 next0 = SNAT_OUT2IN_NEXT_DROP;
462 /* Create session initiated by host from external network */
463 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
468 next0 = SNAT_OUT2IN_NEXT_DROP;
474 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
475 icmp0->type != ICMP4_echo_request &&
476 !icmp_is_error_message (icmp0)))
478 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
479 next0 = SNAT_OUT2IN_NEXT_DROP;
483 if (PREDICT_FALSE (value0.value == ~0ULL))
485 nat_ed_ses_key_t key;
486 clib_bihash_kv_16_8_t s_kv, s_value;
490 if (icmp_get_ed_key (ip0, &key))
492 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
493 next0 = SNAT_OUT2IN_NEXT_DROP;
496 key.fib_index = rx_fib_index0;
497 s_kv.key[0] = key.as_u64[0];
498 s_kv.key[1] = key.as_u64[1];
499 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
500 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
504 next0 = SNAT_OUT2IN_NEXT_DROP;
509 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
514 *p_proto = key0.protocol;
516 *p_value = s0->in2out;
517 *p_dont_translate = dont_translate;
519 *(snat_session_t**)d = s0;
524 * Get address and port values to be used for ICMP packet translation
526 * @param[in] sm NAT main
527 * @param[in,out] node NAT node runtime
528 * @param[in] thread_index thread index
529 * @param[in,out] b0 buffer containing packet to be translated
530 * @param[out] p_proto protocol used for matching
531 * @param[out] p_value address and port after NAT translation
532 * @param[out] p_dont_translate if packet should not be translated
533 * @param d optional parameter
534 * @param e optional parameter
536 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
537 u32 thread_index, vlib_buffer_t *b0,
538 ip4_header_t *ip0, u8 *p_proto,
539 snat_session_key_t *p_value,
540 u8 *p_dont_translate, void *d, void *e)
542 icmp46_header_t *icmp0;
545 snat_session_key_t key0;
546 snat_session_key_t sm0;
547 u8 dont_translate = 0;
552 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
553 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
554 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
556 err = icmp_get_key (ip0, &key0);
559 b0->error = node->errors[err];
560 next0 = SNAT_OUT2IN_NEXT_DROP;
563 key0.fib_index = rx_fib_index0;
565 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
567 /* Don't NAT packet aimed at the intfc address */
568 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
573 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
574 next0 = SNAT_OUT2IN_NEXT_DROP;
578 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
579 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
580 !icmp_is_error_message (icmp0)))
582 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
583 next0 = SNAT_OUT2IN_NEXT_DROP;
590 *p_proto = key0.protocol;
591 *p_dont_translate = dont_translate;
595 static inline u32 icmp_out2in (snat_main_t *sm,
598 icmp46_header_t * icmp0,
601 vlib_node_runtime_t * node,
607 snat_session_key_t sm0;
609 icmp_echo_header_t *echo0, *inner_echo0 = 0;
610 ip4_header_t *inner_ip0 = 0;
612 icmp46_header_t *inner_icmp0;
614 u32 new_addr0, old_addr0;
615 u16 old_id0, new_id0;
620 echo0 = (icmp_echo_header_t *)(icmp0+1);
622 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
623 &protocol, &sm0, &dont_translate, d, e);
626 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
629 sum0 = ip_incremental_checksum (0, icmp0,
630 ntohs(ip0->length) - ip4_header_bytes (ip0));
631 checksum0 = ~ip_csum_fold (sum0);
632 if (checksum0 != 0 && checksum0 != 0xffff)
634 next0 = SNAT_OUT2IN_NEXT_DROP;
638 old_addr0 = ip0->dst_address.as_u32;
639 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
640 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
642 sum0 = ip0->checksum;
643 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
644 dst_address /* changed member */);
645 ip0->checksum = ip_csum_fold (sum0);
647 if (icmp0->checksum == 0)
648 icmp0->checksum = 0xffff;
650 if (!icmp_is_error_message (icmp0))
653 if (PREDICT_FALSE(new_id0 != echo0->identifier))
655 old_id0 = echo0->identifier;
657 echo0->identifier = new_id0;
659 sum0 = icmp0->checksum;
660 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
661 identifier /* changed member */);
662 icmp0->checksum = ip_csum_fold (sum0);
667 inner_ip0 = (ip4_header_t *)(echo0+1);
668 l4_header = ip4_next_header (inner_ip0);
670 if (!ip4_header_checksum_is_valid (inner_ip0))
672 next0 = SNAT_OUT2IN_NEXT_DROP;
676 old_addr0 = inner_ip0->src_address.as_u32;
677 inner_ip0->src_address = sm0.addr;
678 new_addr0 = inner_ip0->src_address.as_u32;
680 sum0 = icmp0->checksum;
681 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
682 src_address /* changed member */);
683 icmp0->checksum = ip_csum_fold (sum0);
687 case SNAT_PROTOCOL_ICMP:
688 inner_icmp0 = (icmp46_header_t*)l4_header;
689 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
691 old_id0 = inner_echo0->identifier;
693 inner_echo0->identifier = new_id0;
695 sum0 = icmp0->checksum;
696 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
698 icmp0->checksum = ip_csum_fold (sum0);
700 case SNAT_PROTOCOL_UDP:
701 case SNAT_PROTOCOL_TCP:
702 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
704 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
706 sum0 = icmp0->checksum;
707 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
709 icmp0->checksum = ip_csum_fold (sum0);
721 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
724 icmp46_header_t * icmp0,
727 vlib_node_runtime_t * node,
730 snat_session_t ** p_s0)
732 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
733 next0, thread_index, p_s0, 0);
734 snat_session_t * s0 = *p_s0;
735 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
738 s0->last_heard = now;
740 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
741 /* Per-user LRU list maintenance */
742 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
744 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
745 s0->per_user_list_head_index,
751 static snat_session_t *
752 snat_out2in_unknown_proto (snat_main_t *sm,
759 vlib_node_runtime_t * node)
761 clib_bihash_kv_8_8_t kv, value;
762 clib_bihash_kv_16_8_t s_kv, s_value;
763 snat_static_mapping_t *m;
764 snat_session_key_t m_key;
765 u32 old_addr, new_addr;
767 nat_ed_ses_key_t key;
769 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
772 old_addr = ip->dst_address.as_u32;
774 key.l_addr = ip->dst_address;
775 key.r_addr = ip->src_address;
776 key.fib_index = rx_fib_index;
777 key.proto = ip->protocol;
780 s_kv.key[0] = key.as_u64[0];
781 s_kv.key[1] = key.as_u64[1];
783 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
785 s = pool_elt_at_index (tsm->sessions, s_value.value);
786 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
790 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
792 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
796 m_key.addr = ip->dst_address;
799 m_key.fib_index = rx_fib_index;
800 kv.key = m_key.as_u64;
801 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
803 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
807 m = pool_elt_at_index (sm->static_mappings, value.value);
809 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
811 u = nat_user_get_or_create (sm, &ip->src_address, m->fib_index,
815 clib_warning ("create NAT user failed");
819 /* Create a new session */
820 s = nat_session_alloc_or_recycle (sm, u, thread_index);
823 clib_warning ("create NAT session failed");
827 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
828 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
829 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
830 s->outside_address_index = ~0;
831 s->out2in.addr.as_u32 = old_addr;
832 s->out2in.fib_index = rx_fib_index;
833 s->in2out.addr.as_u32 = new_addr;
834 s->in2out.fib_index = m->fib_index;
835 s->in2out.port = s->out2in.port = ip->protocol;
836 user_session_increment (sm, u, 1 /* static */);
838 /* Add to lookup tables */
839 s_kv.value = s - tsm->sessions;
840 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
841 clib_warning ("out2in key add failed");
843 key.l_addr = ip->dst_address;
844 key.fib_index = m->fib_index;
845 s_kv.key[0] = key.as_u64[0];
846 s_kv.key[1] = key.as_u64[1];
847 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
848 clib_warning ("in2out key add failed");
851 /* Update IP checksum */
853 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
854 ip->checksum = ip_csum_fold (sum);
856 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
861 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
862 /* Per-user LRU list maintenance */
863 clib_dlist_remove (tsm->list_pool, s->per_user_index);
864 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
870 static snat_session_t *
871 snat_out2in_lb (snat_main_t *sm,
878 vlib_node_runtime_t * node)
880 nat_ed_ses_key_t key;
881 clib_bihash_kv_16_8_t s_kv, s_value;
882 udp_header_t *udp = ip4_next_header (ip);
883 tcp_header_t *tcp = (tcp_header_t *) udp;
884 snat_session_t *s = 0;
885 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
886 snat_session_key_t e_key, l_key;
887 u32 old_addr, new_addr;
888 u32 proto = ip_proto_to_snat_proto (ip->protocol);
889 u16 new_port, old_port;
893 snat_session_key_t eh_key;
896 old_addr = ip->dst_address.as_u32;
898 key.l_addr = ip->dst_address;
899 key.r_addr = ip->src_address;
900 key.fib_index = rx_fib_index;
901 key.proto = ip->protocol;
902 key.r_port = udp->src_port;
903 key.l_port = udp->dst_port;
904 s_kv.key[0] = key.as_u64[0];
905 s_kv.key[1] = key.as_u64[1];
907 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
909 s = pool_elt_at_index (tsm->sessions, s_value.value);
913 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
915 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
919 e_key.addr = ip->dst_address;
920 e_key.port = udp->dst_port;
921 e_key.protocol = proto;
922 e_key.fib_index = rx_fib_index;
923 if (snat_static_mapping_match(sm, e_key, &l_key, 1, 0, &twice_nat, &lb))
926 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index,
930 clib_warning ("create NAT user failed");
934 s = nat_session_alloc_or_recycle (sm, u, thread_index);
937 clib_warning ("create NAT session failed");
941 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
942 s->ext_host_port = udp->src_port;
943 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
945 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
946 s->outside_address_index = ~0;
949 user_session_increment (sm, u, 1 /* static */);
951 /* Add to lookup tables */
952 s_kv.value = s - tsm->sessions;
953 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
954 clib_warning ("out2in-ed key add failed");
958 eh_key.protocol = proto;
959 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
960 thread_index, &eh_key,
963 sm->per_thread_data[thread_index].snat_thread_index))
965 b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS];
968 key.r_addr.as_u32 = s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
969 key.r_port = s->ext_host_nat_port = eh_key.port;
970 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
972 key.l_addr = l_key.addr;
973 key.fib_index = l_key.fib_index;
974 key.l_port = l_key.port;
975 s_kv.key[0] = key.as_u64[0];
976 s_kv.key[1] = key.as_u64[1];
977 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
978 clib_warning ("in2out-ed key add failed");
981 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
983 /* Update IP checksum */
985 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
986 if (is_twice_nat_session (s))
987 sum = ip_csum_update (sum, ip->src_address.as_u32,
988 s->ext_host_nat_addr.as_u32, ip4_header_t,
990 ip->checksum = ip_csum_fold (sum);
992 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
994 old_port = tcp->dst_port;
995 tcp->dst_port = s->in2out.port;
996 new_port = tcp->dst_port;
999 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1000 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1001 if (is_twice_nat_session (s))
1003 sum = ip_csum_update (sum, ip->src_address.as_u32,
1004 s->ext_host_nat_addr.as_u32, ip4_header_t,
1006 sum = ip_csum_update (sum, tcp->src_port, s->ext_host_nat_port,
1007 ip4_header_t, length);
1008 tcp->src_port = s->ext_host_nat_port;
1009 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1011 tcp->checksum = ip_csum_fold(sum);
1015 udp->dst_port = s->in2out.port;
1016 if (is_twice_nat_session (s))
1018 udp->src_port = s->ext_host_nat_port;
1019 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1024 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1027 s->last_heard = now;
1029 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1030 /* Per-user LRU list maintenance */
1031 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1032 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1039 snat_out2in_node_fn (vlib_main_t * vm,
1040 vlib_node_runtime_t * node,
1041 vlib_frame_t * frame)
1043 u32 n_left_from, * from, * to_next;
1044 snat_out2in_next_t next_index;
1045 u32 pkts_processed = 0;
1046 snat_main_t * sm = &snat_main;
1047 f64 now = vlib_time_now (vm);
1048 u32 thread_index = vlib_get_thread_index ();
1050 from = vlib_frame_vector_args (frame);
1051 n_left_from = frame->n_vectors;
1052 next_index = node->cached_next_index;
1054 while (n_left_from > 0)
1058 vlib_get_next_frame (vm, node, next_index,
1059 to_next, n_left_to_next);
1061 while (n_left_from >= 4 && n_left_to_next >= 2)
1064 vlib_buffer_t * b0, * b1;
1065 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1066 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1067 u32 sw_if_index0, sw_if_index1;
1068 ip4_header_t * ip0, *ip1;
1069 ip_csum_t sum0, sum1;
1070 u32 new_addr0, old_addr0;
1071 u16 new_port0, old_port0;
1072 u32 new_addr1, old_addr1;
1073 u16 new_port1, old_port1;
1074 udp_header_t * udp0, * udp1;
1075 tcp_header_t * tcp0, * tcp1;
1076 icmp46_header_t * icmp0, * icmp1;
1077 snat_session_key_t key0, key1, sm0, sm1;
1078 u32 rx_fib_index0, rx_fib_index1;
1080 snat_session_t * s0 = 0, * s1 = 0;
1081 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
1083 /* Prefetch next iteration. */
1085 vlib_buffer_t * p2, * p3;
1087 p2 = vlib_get_buffer (vm, from[2]);
1088 p3 = vlib_get_buffer (vm, from[3]);
1090 vlib_prefetch_buffer_header (p2, LOAD);
1091 vlib_prefetch_buffer_header (p3, LOAD);
1093 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1094 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1097 /* speculatively enqueue b0 and b1 to the current next frame */
1098 to_next[0] = bi0 = from[0];
1099 to_next[1] = bi1 = from[1];
1103 n_left_to_next -= 2;
1105 b0 = vlib_get_buffer (vm, bi0);
1106 b1 = vlib_get_buffer (vm, bi1);
1108 vnet_buffer (b0)->snat.flags = 0;
1109 vnet_buffer (b1)->snat.flags = 0;
1111 ip0 = vlib_buffer_get_current (b0);
1112 udp0 = ip4_next_header (ip0);
1113 tcp0 = (tcp_header_t *) udp0;
1114 icmp0 = (icmp46_header_t *) udp0;
1116 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1117 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1120 if (PREDICT_FALSE(ip0->ttl == 1))
1122 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1123 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1124 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1126 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1130 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1132 if (PREDICT_FALSE (proto0 == ~0))
1134 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1135 thread_index, now, vm, node);
1136 if (!sm->forwarding_enabled)
1138 next0 = SNAT_OUT2IN_NEXT_DROP;
1142 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1144 next0 = icmp_out2in_slow_path
1145 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1146 next0, now, thread_index, &s0);
1150 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1152 next0 = SNAT_OUT2IN_NEXT_REASS;
1156 key0.addr = ip0->dst_address;
1157 key0.port = udp0->dst_port;
1158 key0.protocol = proto0;
1159 key0.fib_index = rx_fib_index0;
1161 kv0.key = key0.as_u64;
1163 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1166 /* Try to match static mapping by external address and port,
1167 destination address and port in packet */
1168 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1171 * Send DHCP packets to the ipv4 stack, or we won't
1172 * be able to use dhcp client on the outside interface
1174 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1175 && (udp0->dst_port ==
1176 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1179 (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0);
1183 if (!sm->forwarding_enabled)
1185 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1186 next0 = SNAT_OUT2IN_NEXT_DROP;
1191 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1193 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1196 create_bypass_for_fwd(sm, ip0);
1201 /* Create session initiated by host from external network */
1202 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1206 next0 = SNAT_OUT2IN_NEXT_DROP;
1212 if (PREDICT_FALSE (value0.value == ~0ULL))
1214 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1217 next0 = SNAT_OUT2IN_NEXT_DROP;
1222 s0 = pool_elt_at_index (
1223 sm->per_thread_data[thread_index].sessions,
1228 old_addr0 = ip0->dst_address.as_u32;
1229 ip0->dst_address = s0->in2out.addr;
1230 new_addr0 = ip0->dst_address.as_u32;
1231 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1233 sum0 = ip0->checksum;
1234 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1236 dst_address /* changed member */);
1237 ip0->checksum = ip_csum_fold (sum0);
1239 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1241 old_port0 = tcp0->dst_port;
1242 tcp0->dst_port = s0->in2out.port;
1243 new_port0 = tcp0->dst_port;
1245 sum0 = tcp0->checksum;
1246 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1248 dst_address /* changed member */);
1250 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1251 ip4_header_t /* cheat */,
1252 length /* changed member */);
1253 tcp0->checksum = ip_csum_fold(sum0);
1257 old_port0 = udp0->dst_port;
1258 udp0->dst_port = s0->in2out.port;
1263 s0->last_heard = now;
1265 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1266 /* Per-user LRU list maintenance */
1267 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1268 s0->per_user_index);
1269 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1270 s0->per_user_list_head_index,
1271 s0->per_user_index);
1274 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1275 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1277 snat_out2in_trace_t *t =
1278 vlib_add_trace (vm, node, b0, sizeof (*t));
1279 t->sw_if_index = sw_if_index0;
1280 t->next_index = next0;
1281 t->session_index = ~0;
1283 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1286 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1289 ip1 = vlib_buffer_get_current (b1);
1290 udp1 = ip4_next_header (ip1);
1291 tcp1 = (tcp_header_t *) udp1;
1292 icmp1 = (icmp46_header_t *) udp1;
1294 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1295 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1298 if (PREDICT_FALSE(ip1->ttl == 1))
1300 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1301 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1302 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1304 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1308 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1310 if (PREDICT_FALSE (proto1 == ~0))
1312 s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
1313 thread_index, now, vm, node);
1314 if (!sm->forwarding_enabled)
1316 next1 = SNAT_OUT2IN_NEXT_DROP;
1320 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1322 next1 = icmp_out2in_slow_path
1323 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1324 next1, now, thread_index, &s1);
1328 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
1330 next1 = SNAT_OUT2IN_NEXT_REASS;
1334 key1.addr = ip1->dst_address;
1335 key1.port = udp1->dst_port;
1336 key1.protocol = proto1;
1337 key1.fib_index = rx_fib_index1;
1339 kv1.key = key1.as_u64;
1341 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1344 /* Try to match static mapping by external address and port,
1345 destination address and port in packet */
1346 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0, 0))
1349 * Send DHCP packets to the ipv4 stack, or we won't
1350 * be able to use dhcp client on the outside interface
1352 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
1353 && (udp1->dst_port ==
1354 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1357 (vnet_buffer (b1)->sw_if_index[VLIB_RX], &next1, b1);
1361 if (!sm->forwarding_enabled)
1363 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1364 next1 = SNAT_OUT2IN_NEXT_DROP;
1369 if (next_src_nat(sm, ip1, proto1, udp1->src_port, thread_index))
1371 next1 = SNAT_OUT2IN_NEXT_IN2OUT;
1374 create_bypass_for_fwd(sm, ip1);
1379 /* Create session initiated by host from external network */
1380 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
1384 next1 = SNAT_OUT2IN_NEXT_DROP;
1390 if (PREDICT_FALSE (value1.value == ~0ULL))
1392 s1 = snat_out2in_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1395 next1 = SNAT_OUT2IN_NEXT_DROP;
1400 s1 = pool_elt_at_index (
1401 sm->per_thread_data[thread_index].sessions,
1406 old_addr1 = ip1->dst_address.as_u32;
1407 ip1->dst_address = s1->in2out.addr;
1408 new_addr1 = ip1->dst_address.as_u32;
1409 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1411 sum1 = ip1->checksum;
1412 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1414 dst_address /* changed member */);
1415 ip1->checksum = ip_csum_fold (sum1);
1417 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1419 old_port1 = tcp1->dst_port;
1420 tcp1->dst_port = s1->in2out.port;
1421 new_port1 = tcp1->dst_port;
1423 sum1 = tcp1->checksum;
1424 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1426 dst_address /* changed member */);
1428 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1429 ip4_header_t /* cheat */,
1430 length /* changed member */);
1431 tcp1->checksum = ip_csum_fold(sum1);
1435 old_port1 = udp1->dst_port;
1436 udp1->dst_port = s1->in2out.port;
1441 s1->last_heard = now;
1443 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1444 /* Per-user LRU list maintenance */
1445 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1446 s1->per_user_index);
1447 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1448 s1->per_user_list_head_index,
1449 s1->per_user_index);
1452 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1453 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1455 snat_out2in_trace_t *t =
1456 vlib_add_trace (vm, node, b1, sizeof (*t));
1457 t->sw_if_index = sw_if_index1;
1458 t->next_index = next1;
1459 t->session_index = ~0;
1461 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1464 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1466 /* verify speculative enqueues, maybe switch current next frame */
1467 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1468 to_next, n_left_to_next,
1469 bi0, bi1, next0, next1);
1472 while (n_left_from > 0 && n_left_to_next > 0)
1476 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1480 u32 new_addr0, old_addr0;
1481 u16 new_port0, old_port0;
1482 udp_header_t * udp0;
1483 tcp_header_t * tcp0;
1484 icmp46_header_t * icmp0;
1485 snat_session_key_t key0, sm0;
1488 snat_session_t * s0 = 0;
1489 clib_bihash_kv_8_8_t kv0, value0;
1491 /* speculatively enqueue b0 to the current next frame */
1497 n_left_to_next -= 1;
1499 b0 = vlib_get_buffer (vm, bi0);
1501 vnet_buffer (b0)->snat.flags = 0;
1503 ip0 = vlib_buffer_get_current (b0);
1504 udp0 = ip4_next_header (ip0);
1505 tcp0 = (tcp_header_t *) udp0;
1506 icmp0 = (icmp46_header_t *) udp0;
1508 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1509 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1512 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1514 if (PREDICT_FALSE (proto0 == ~0))
1516 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1517 thread_index, now, vm, node);
1518 if (!sm->forwarding_enabled)
1520 next0 = SNAT_OUT2IN_NEXT_DROP;
1524 if (PREDICT_FALSE(ip0->ttl == 1))
1526 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1527 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1528 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1530 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1534 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1536 next0 = icmp_out2in_slow_path
1537 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1538 next0, now, thread_index, &s0);
1542 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1544 next0 = SNAT_OUT2IN_NEXT_REASS;
1548 key0.addr = ip0->dst_address;
1549 key0.port = udp0->dst_port;
1550 key0.protocol = proto0;
1551 key0.fib_index = rx_fib_index0;
1553 kv0.key = key0.as_u64;
1555 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1558 /* Try to match static mapping by external address and port,
1559 destination address and port in packet */
1560 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1563 * Send DHCP packets to the ipv4 stack, or we won't
1564 * be able to use dhcp client on the outside interface
1566 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1567 && (udp0->dst_port ==
1568 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1571 (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0);
1575 if (!sm->forwarding_enabled)
1577 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1578 next0 = SNAT_OUT2IN_NEXT_DROP;
1583 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1585 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1588 create_bypass_for_fwd(sm, ip0);
1593 /* Create session initiated by host from external network */
1594 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1598 next0 = SNAT_OUT2IN_NEXT_DROP;
1604 if (PREDICT_FALSE (value0.value == ~0ULL))
1606 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1609 next0 = SNAT_OUT2IN_NEXT_DROP;
1614 s0 = pool_elt_at_index (
1615 sm->per_thread_data[thread_index].sessions,
1620 old_addr0 = ip0->dst_address.as_u32;
1621 ip0->dst_address = s0->in2out.addr;
1622 new_addr0 = ip0->dst_address.as_u32;
1623 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1625 sum0 = ip0->checksum;
1626 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1628 dst_address /* changed member */);
1629 ip0->checksum = ip_csum_fold (sum0);
1631 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1633 old_port0 = tcp0->dst_port;
1634 tcp0->dst_port = s0->in2out.port;
1635 new_port0 = tcp0->dst_port;
1637 sum0 = tcp0->checksum;
1638 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1640 dst_address /* changed member */);
1642 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1643 ip4_header_t /* cheat */,
1644 length /* changed member */);
1645 tcp0->checksum = ip_csum_fold(sum0);
1649 old_port0 = udp0->dst_port;
1650 udp0->dst_port = s0->in2out.port;
1655 s0->last_heard = now;
1657 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1658 /* Per-user LRU list maintenance */
1659 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1660 s0->per_user_index);
1661 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1662 s0->per_user_list_head_index,
1663 s0->per_user_index);
1666 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1667 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1669 snat_out2in_trace_t *t =
1670 vlib_add_trace (vm, node, b0, sizeof (*t));
1671 t->sw_if_index = sw_if_index0;
1672 t->next_index = next0;
1673 t->session_index = ~0;
1675 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1678 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1680 /* verify speculative enqueue, maybe switch current next frame */
1681 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1682 to_next, n_left_to_next,
1686 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1689 vlib_node_increment_counter (vm, snat_out2in_node.index,
1690 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1692 return frame->n_vectors;
1695 VLIB_REGISTER_NODE (snat_out2in_node) = {
1696 .function = snat_out2in_node_fn,
1697 .name = "nat44-out2in",
1698 .vector_size = sizeof (u32),
1699 .format_trace = format_snat_out2in_trace,
1700 .type = VLIB_NODE_TYPE_INTERNAL,
1702 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1703 .error_strings = snat_out2in_error_strings,
1705 .runtime_data_bytes = sizeof (snat_runtime_t),
1707 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1709 /* edit / add dispositions here */
1711 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1712 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1713 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1714 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1715 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
1718 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1721 nat44_out2in_reass_node_fn (vlib_main_t * vm,
1722 vlib_node_runtime_t * node,
1723 vlib_frame_t * frame)
1725 u32 n_left_from, *from, *to_next;
1726 snat_out2in_next_t next_index;
1727 u32 pkts_processed = 0;
1728 snat_main_t *sm = &snat_main;
1729 f64 now = vlib_time_now (vm);
1730 u32 thread_index = vlib_get_thread_index ();
1731 snat_main_per_thread_data_t *per_thread_data =
1732 &sm->per_thread_data[thread_index];
1733 u32 *fragments_to_drop = 0;
1734 u32 *fragments_to_loopback = 0;
1736 from = vlib_frame_vector_args (frame);
1737 n_left_from = frame->n_vectors;
1738 next_index = node->cached_next_index;
1740 while (n_left_from > 0)
1744 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1746 while (n_left_from > 0 && n_left_to_next > 0)
1748 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1753 nat_reass_ip4_t *reass0;
1754 udp_header_t * udp0;
1755 tcp_header_t * tcp0;
1756 snat_session_key_t key0, sm0;
1757 clib_bihash_kv_8_8_t kv0, value0;
1758 snat_session_t * s0 = 0;
1759 u16 old_port0, new_port0;
1762 /* speculatively enqueue b0 to the current next frame */
1768 n_left_to_next -= 1;
1770 b0 = vlib_get_buffer (vm, bi0);
1771 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1773 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1774 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1777 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
1779 next0 = SNAT_OUT2IN_NEXT_DROP;
1780 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1784 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1785 udp0 = ip4_next_header (ip0);
1786 tcp0 = (tcp_header_t *) udp0;
1787 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1789 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1794 &fragments_to_drop);
1796 if (PREDICT_FALSE (!reass0))
1798 next0 = SNAT_OUT2IN_NEXT_DROP;
1799 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1803 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1805 key0.addr = ip0->dst_address;
1806 key0.port = udp0->dst_port;
1807 key0.protocol = proto0;
1808 key0.fib_index = rx_fib_index0;
1809 kv0.key = key0.as_u64;
1811 if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0))
1813 /* Try to match static mapping by external address and port,
1814 destination address and port in packet */
1815 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1818 * Send DHCP packets to the ipv4 stack, or we won't
1819 * be able to use dhcp client on the outside interface
1821 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1823 == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1826 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1831 if (!sm->forwarding_enabled)
1833 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1834 next0 = SNAT_OUT2IN_NEXT_DROP;
1839 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1841 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1844 create_bypass_for_fwd(sm, ip0);
1849 /* Create session initiated by host from external network */
1850 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1854 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1855 next0 = SNAT_OUT2IN_NEXT_DROP;
1858 reass0->sess_index = s0 - per_thread_data->sessions;
1859 reass0->thread_index = thread_index;
1863 s0 = pool_elt_at_index (per_thread_data->sessions,
1865 reass0->sess_index = value0.value;
1867 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1871 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
1873 if (nat_ip4_reass_add_fragment (reass0, bi0))
1875 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1876 next0 = SNAT_OUT2IN_NEXT_DROP;
1882 s0 = pool_elt_at_index (per_thread_data->sessions,
1883 reass0->sess_index);
1886 old_addr0 = ip0->dst_address.as_u32;
1887 ip0->dst_address = s0->in2out.addr;
1888 new_addr0 = ip0->dst_address.as_u32;
1889 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1891 sum0 = ip0->checksum;
1892 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1894 dst_address /* changed member */);
1895 ip0->checksum = ip_csum_fold (sum0);
1897 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1899 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1901 old_port0 = tcp0->dst_port;
1902 tcp0->dst_port = s0->in2out.port;
1903 new_port0 = tcp0->dst_port;
1905 sum0 = tcp0->checksum;
1906 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1908 dst_address /* changed member */);
1910 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1911 ip4_header_t /* cheat */,
1912 length /* changed member */);
1913 tcp0->checksum = ip_csum_fold(sum0);
1917 old_port0 = udp0->dst_port;
1918 udp0->dst_port = s0->in2out.port;
1924 s0->last_heard = now;
1926 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1927 /* Per-user LRU list maintenance */
1928 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1929 s0->per_user_index);
1930 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1931 s0->per_user_list_head_index,
1932 s0->per_user_index);
1935 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1936 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1938 nat44_out2in_reass_trace_t *t =
1939 vlib_add_trace (vm, node, b0, sizeof (*t));
1940 t->cached = cached0;
1941 t->sw_if_index = sw_if_index0;
1942 t->next_index = next0;
1952 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1954 /* verify speculative enqueue, maybe switch current next frame */
1955 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1956 to_next, n_left_to_next,
1960 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1962 from = vlib_frame_vector_args (frame);
1963 u32 len = vec_len (fragments_to_loopback);
1964 if (len <= VLIB_FRAME_SIZE)
1966 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
1968 vec_reset_length (fragments_to_loopback);
1973 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
1974 sizeof (u32) * VLIB_FRAME_SIZE);
1975 n_left_from = VLIB_FRAME_SIZE;
1976 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1981 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1984 vlib_node_increment_counter (vm, nat44_out2in_reass_node.index,
1985 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1988 nat_send_all_to_node (vm, fragments_to_drop, node,
1989 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
1990 SNAT_OUT2IN_NEXT_DROP);
1992 vec_free (fragments_to_drop);
1993 vec_free (fragments_to_loopback);
1994 return frame->n_vectors;
1997 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
1998 .function = nat44_out2in_reass_node_fn,
1999 .name = "nat44-out2in-reass",
2000 .vector_size = sizeof (u32),
2001 .format_trace = format_nat44_out2in_reass_trace,
2002 .type = VLIB_NODE_TYPE_INTERNAL,
2004 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2005 .error_strings = snat_out2in_error_strings,
2007 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2009 /* edit / add dispositions here */
2011 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2012 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2013 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2014 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2015 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2018 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
2019 nat44_out2in_reass_node_fn);
2021 /**************************/
2022 /*** deterministic mode ***/
2023 /**************************/
2025 snat_det_out2in_node_fn (vlib_main_t * vm,
2026 vlib_node_runtime_t * node,
2027 vlib_frame_t * frame)
2029 u32 n_left_from, * from, * to_next;
2030 snat_out2in_next_t next_index;
2031 u32 pkts_processed = 0;
2032 snat_main_t * sm = &snat_main;
2033 u32 thread_index = vlib_get_thread_index ();
2035 from = vlib_frame_vector_args (frame);
2036 n_left_from = frame->n_vectors;
2037 next_index = node->cached_next_index;
2039 while (n_left_from > 0)
2043 vlib_get_next_frame (vm, node, next_index,
2044 to_next, n_left_to_next);
2046 while (n_left_from >= 4 && n_left_to_next >= 2)
2049 vlib_buffer_t * b0, * b1;
2050 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2051 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
2052 u32 sw_if_index0, sw_if_index1;
2053 ip4_header_t * ip0, * ip1;
2054 ip_csum_t sum0, sum1;
2055 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2056 u16 new_port0, old_port0, old_port1, new_port1;
2057 udp_header_t * udp0, * udp1;
2058 tcp_header_t * tcp0, * tcp1;
2060 snat_det_out_key_t key0, key1;
2061 snat_det_map_t * dm0, * dm1;
2062 snat_det_session_t * ses0 = 0, * ses1 = 0;
2063 u32 rx_fib_index0, rx_fib_index1;
2064 icmp46_header_t * icmp0, * icmp1;
2066 /* Prefetch next iteration. */
2068 vlib_buffer_t * p2, * p3;
2070 p2 = vlib_get_buffer (vm, from[2]);
2071 p3 = vlib_get_buffer (vm, from[3]);
2073 vlib_prefetch_buffer_header (p2, LOAD);
2074 vlib_prefetch_buffer_header (p3, LOAD);
2076 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2077 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2080 /* speculatively enqueue b0 and b1 to the current next frame */
2081 to_next[0] = bi0 = from[0];
2082 to_next[1] = bi1 = from[1];
2086 n_left_to_next -= 2;
2088 b0 = vlib_get_buffer (vm, bi0);
2089 b1 = vlib_get_buffer (vm, bi1);
2091 ip0 = vlib_buffer_get_current (b0);
2092 udp0 = ip4_next_header (ip0);
2093 tcp0 = (tcp_header_t *) udp0;
2095 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2097 if (PREDICT_FALSE(ip0->ttl == 1))
2099 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2100 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2101 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2103 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2107 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2109 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2111 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2112 icmp0 = (icmp46_header_t *) udp0;
2114 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2115 rx_fib_index0, node, next0, thread_index,
2120 key0.ext_host_addr = ip0->src_address;
2121 key0.ext_host_port = tcp0->src;
2122 key0.out_port = tcp0->dst;
2124 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2125 if (PREDICT_FALSE(!dm0))
2127 clib_warning("unknown dst address: %U",
2128 format_ip4_address, &ip0->dst_address);
2129 next0 = SNAT_OUT2IN_NEXT_DROP;
2130 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2134 snat_det_reverse(dm0, &ip0->dst_address,
2135 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2137 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2138 if (PREDICT_FALSE(!ses0))
2140 clib_warning("no match src %U:%d dst %U:%d for user %U",
2141 format_ip4_address, &ip0->src_address,
2142 clib_net_to_host_u16 (tcp0->src),
2143 format_ip4_address, &ip0->dst_address,
2144 clib_net_to_host_u16 (tcp0->dst),
2145 format_ip4_address, &new_addr0);
2146 next0 = SNAT_OUT2IN_NEXT_DROP;
2147 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2150 new_port0 = ses0->in_port;
2152 old_addr0 = ip0->dst_address;
2153 ip0->dst_address = new_addr0;
2154 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2156 sum0 = ip0->checksum;
2157 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2159 dst_address /* changed member */);
2160 ip0->checksum = ip_csum_fold (sum0);
2162 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2164 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2165 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2166 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2167 snat_det_ses_close(dm0, ses0);
2169 old_port0 = tcp0->dst;
2170 tcp0->dst = new_port0;
2172 sum0 = tcp0->checksum;
2173 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2175 dst_address /* changed member */);
2177 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2178 ip4_header_t /* cheat */,
2179 length /* changed member */);
2180 tcp0->checksum = ip_csum_fold(sum0);
2184 old_port0 = udp0->dst_port;
2185 udp0->dst_port = new_port0;
2191 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2192 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2194 snat_out2in_trace_t *t =
2195 vlib_add_trace (vm, node, b0, sizeof (*t));
2196 t->sw_if_index = sw_if_index0;
2197 t->next_index = next0;
2198 t->session_index = ~0;
2200 t->session_index = ses0 - dm0->sessions;
2203 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2205 b1 = vlib_get_buffer (vm, bi1);
2207 ip1 = vlib_buffer_get_current (b1);
2208 udp1 = ip4_next_header (ip1);
2209 tcp1 = (tcp_header_t *) udp1;
2211 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2213 if (PREDICT_FALSE(ip1->ttl == 1))
2215 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2216 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2217 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2219 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2223 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2225 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2227 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2228 icmp1 = (icmp46_header_t *) udp1;
2230 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
2231 rx_fib_index1, node, next1, thread_index,
2236 key1.ext_host_addr = ip1->src_address;
2237 key1.ext_host_port = tcp1->src;
2238 key1.out_port = tcp1->dst;
2240 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
2241 if (PREDICT_FALSE(!dm1))
2243 clib_warning("unknown dst address: %U",
2244 format_ip4_address, &ip1->dst_address);
2245 next1 = SNAT_OUT2IN_NEXT_DROP;
2246 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2250 snat_det_reverse(dm1, &ip1->dst_address,
2251 clib_net_to_host_u16(tcp1->dst), &new_addr1);
2253 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
2254 if (PREDICT_FALSE(!ses1))
2256 clib_warning("no match src %U:%d dst %U:%d for user %U",
2257 format_ip4_address, &ip1->src_address,
2258 clib_net_to_host_u16 (tcp1->src),
2259 format_ip4_address, &ip1->dst_address,
2260 clib_net_to_host_u16 (tcp1->dst),
2261 format_ip4_address, &new_addr1);
2262 next1 = SNAT_OUT2IN_NEXT_DROP;
2263 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2266 new_port1 = ses1->in_port;
2268 old_addr1 = ip1->dst_address;
2269 ip1->dst_address = new_addr1;
2270 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2272 sum1 = ip1->checksum;
2273 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2275 dst_address /* changed member */);
2276 ip1->checksum = ip_csum_fold (sum1);
2278 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2280 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2281 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2282 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
2283 snat_det_ses_close(dm1, ses1);
2285 old_port1 = tcp1->dst;
2286 tcp1->dst = new_port1;
2288 sum1 = tcp1->checksum;
2289 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2291 dst_address /* changed member */);
2293 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2294 ip4_header_t /* cheat */,
2295 length /* changed member */);
2296 tcp1->checksum = ip_csum_fold(sum1);
2300 old_port1 = udp1->dst_port;
2301 udp1->dst_port = new_port1;
2307 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2308 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2310 snat_out2in_trace_t *t =
2311 vlib_add_trace (vm, node, b1, sizeof (*t));
2312 t->sw_if_index = sw_if_index1;
2313 t->next_index = next1;
2314 t->session_index = ~0;
2316 t->session_index = ses1 - dm1->sessions;
2319 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
2321 /* verify speculative enqueues, maybe switch current next frame */
2322 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2323 to_next, n_left_to_next,
2324 bi0, bi1, next0, next1);
2327 while (n_left_from > 0 && n_left_to_next > 0)
2331 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2335 ip4_address_t new_addr0, old_addr0;
2336 u16 new_port0, old_port0;
2337 udp_header_t * udp0;
2338 tcp_header_t * tcp0;
2340 snat_det_out_key_t key0;
2341 snat_det_map_t * dm0;
2342 snat_det_session_t * ses0 = 0;
2344 icmp46_header_t * icmp0;
2346 /* speculatively enqueue b0 to the current next frame */
2352 n_left_to_next -= 1;
2354 b0 = vlib_get_buffer (vm, bi0);
2356 ip0 = vlib_buffer_get_current (b0);
2357 udp0 = ip4_next_header (ip0);
2358 tcp0 = (tcp_header_t *) udp0;
2360 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2362 if (PREDICT_FALSE(ip0->ttl == 1))
2364 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2365 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2366 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2368 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2372 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2374 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2376 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2377 icmp0 = (icmp46_header_t *) udp0;
2379 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2380 rx_fib_index0, node, next0, thread_index,
2385 key0.ext_host_addr = ip0->src_address;
2386 key0.ext_host_port = tcp0->src;
2387 key0.out_port = tcp0->dst;
2389 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2390 if (PREDICT_FALSE(!dm0))
2392 clib_warning("unknown dst address: %U",
2393 format_ip4_address, &ip0->dst_address);
2394 next0 = SNAT_OUT2IN_NEXT_DROP;
2395 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2399 snat_det_reverse(dm0, &ip0->dst_address,
2400 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2402 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2403 if (PREDICT_FALSE(!ses0))
2405 clib_warning("no match src %U:%d dst %U:%d for user %U",
2406 format_ip4_address, &ip0->src_address,
2407 clib_net_to_host_u16 (tcp0->src),
2408 format_ip4_address, &ip0->dst_address,
2409 clib_net_to_host_u16 (tcp0->dst),
2410 format_ip4_address, &new_addr0);
2411 next0 = SNAT_OUT2IN_NEXT_DROP;
2412 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2415 new_port0 = ses0->in_port;
2417 old_addr0 = ip0->dst_address;
2418 ip0->dst_address = new_addr0;
2419 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2421 sum0 = ip0->checksum;
2422 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2424 dst_address /* changed member */);
2425 ip0->checksum = ip_csum_fold (sum0);
2427 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2429 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2430 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2431 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2432 snat_det_ses_close(dm0, ses0);
2434 old_port0 = tcp0->dst;
2435 tcp0->dst = new_port0;
2437 sum0 = tcp0->checksum;
2438 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2440 dst_address /* changed member */);
2442 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2443 ip4_header_t /* cheat */,
2444 length /* changed member */);
2445 tcp0->checksum = ip_csum_fold(sum0);
2449 old_port0 = udp0->dst_port;
2450 udp0->dst_port = new_port0;
2456 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2457 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2459 snat_out2in_trace_t *t =
2460 vlib_add_trace (vm, node, b0, sizeof (*t));
2461 t->sw_if_index = sw_if_index0;
2462 t->next_index = next0;
2463 t->session_index = ~0;
2465 t->session_index = ses0 - dm0->sessions;
2468 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2470 /* verify speculative enqueue, maybe switch current next frame */
2471 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2472 to_next, n_left_to_next,
2476 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2479 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
2480 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2482 return frame->n_vectors;
2485 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
2486 .function = snat_det_out2in_node_fn,
2487 .name = "nat44-det-out2in",
2488 .vector_size = sizeof (u32),
2489 .format_trace = format_snat_out2in_trace,
2490 .type = VLIB_NODE_TYPE_INTERNAL,
2492 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2493 .error_strings = snat_out2in_error_strings,
2495 .runtime_data_bytes = sizeof (snat_runtime_t),
2497 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2499 /* edit / add dispositions here */
2501 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2502 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2503 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2504 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2505 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2508 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
2511 * Get address and port values to be used for ICMP packet translation
2512 * and create session if needed
2514 * @param[in,out] sm NAT main
2515 * @param[in,out] node NAT node runtime
2516 * @param[in] thread_index thread index
2517 * @param[in,out] b0 buffer containing packet to be translated
2518 * @param[out] p_proto protocol used for matching
2519 * @param[out] p_value address and port after NAT translation
2520 * @param[out] p_dont_translate if packet should not be translated
2521 * @param d optional parameter
2522 * @param e optional parameter
2524 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
2525 u32 thread_index, vlib_buffer_t *b0,
2526 ip4_header_t *ip0, u8 *p_proto,
2527 snat_session_key_t *p_value,
2528 u8 *p_dont_translate, void *d, void *e)
2530 icmp46_header_t *icmp0;
2533 snat_det_out_key_t key0;
2534 u8 dont_translate = 0;
2536 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2537 ip4_header_t *inner_ip0;
2538 void *l4_header = 0;
2539 icmp46_header_t *inner_icmp0;
2540 snat_det_map_t * dm0 = 0;
2541 ip4_address_t new_addr0 = {{0}};
2542 snat_det_session_t * ses0 = 0;
2543 ip4_address_t out_addr;
2545 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2546 echo0 = (icmp_echo_header_t *)(icmp0+1);
2547 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2549 if (!icmp_is_error_message (icmp0))
2551 protocol = SNAT_PROTOCOL_ICMP;
2552 key0.ext_host_addr = ip0->src_address;
2553 key0.ext_host_port = 0;
2554 key0.out_port = echo0->identifier;
2555 out_addr = ip0->dst_address;
2559 inner_ip0 = (ip4_header_t *)(echo0+1);
2560 l4_header = ip4_next_header (inner_ip0);
2561 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2562 key0.ext_host_addr = inner_ip0->dst_address;
2563 out_addr = inner_ip0->src_address;
2566 case SNAT_PROTOCOL_ICMP:
2567 inner_icmp0 = (icmp46_header_t*)l4_header;
2568 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2569 key0.ext_host_port = 0;
2570 key0.out_port = inner_echo0->identifier;
2572 case SNAT_PROTOCOL_UDP:
2573 case SNAT_PROTOCOL_TCP:
2574 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2575 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
2578 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
2579 next0 = SNAT_OUT2IN_NEXT_DROP;
2584 dm0 = snat_det_map_by_out(sm, &out_addr);
2585 if (PREDICT_FALSE(!dm0))
2587 /* Don't NAT packet aimed at the intfc address */
2588 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2589 ip0->dst_address.as_u32)))
2594 clib_warning("unknown dst address: %U",
2595 format_ip4_address, &ip0->dst_address);
2599 snat_det_reverse(dm0, &ip0->dst_address,
2600 clib_net_to_host_u16(key0.out_port), &new_addr0);
2602 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2603 if (PREDICT_FALSE(!ses0))
2605 /* Don't NAT packet aimed at the intfc address */
2606 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2607 ip0->dst_address.as_u32)))
2612 clib_warning("no match src %U:%d dst %U:%d for user %U",
2613 format_ip4_address, &key0.ext_host_addr,
2614 clib_net_to_host_u16 (key0.ext_host_port),
2615 format_ip4_address, &out_addr,
2616 clib_net_to_host_u16 (key0.out_port),
2617 format_ip4_address, &new_addr0);
2618 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2619 next0 = SNAT_OUT2IN_NEXT_DROP;
2623 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
2624 !icmp_is_error_message (icmp0)))
2626 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
2627 next0 = SNAT_OUT2IN_NEXT_DROP;
2634 *p_proto = protocol;
2637 p_value->addr = new_addr0;
2638 p_value->fib_index = sm->inside_fib_index;
2639 p_value->port = ses0->in_port;
2641 *p_dont_translate = dont_translate;
2643 *(snat_det_session_t**)d = ses0;
2645 *(snat_det_map_t**)e = dm0;
2649 /**********************/
2650 /*** worker handoff ***/
2651 /**********************/
2653 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
2654 vlib_node_runtime_t * node,
2655 vlib_frame_t * frame)
2657 snat_main_t *sm = &snat_main;
2658 vlib_thread_main_t *tm = vlib_get_thread_main ();
2659 u32 n_left_from, *from, *to_next = 0;
2660 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2661 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2663 vlib_frame_queue_elt_t *hf = 0;
2664 vlib_frame_t *f = 0;
2666 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2667 u32 next_worker_index = 0;
2668 u32 current_worker_index = ~0;
2669 u32 thread_index = vlib_get_thread_index ();
2671 ASSERT (vec_len (sm->workers));
2673 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2675 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2677 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2678 sm->first_worker_index + sm->num_workers - 1,
2679 (vlib_frame_queue_t *) (~0));
2682 from = vlib_frame_vector_args (frame);
2683 n_left_from = frame->n_vectors;
2685 while (n_left_from > 0)
2698 b0 = vlib_get_buffer (vm, bi0);
2700 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2701 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2703 ip0 = vlib_buffer_get_current (b0);
2705 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
2707 if (PREDICT_FALSE (next_worker_index != thread_index))
2711 if (next_worker_index != current_worker_index)
2714 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2716 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
2718 handoff_queue_elt_by_worker_index);
2720 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2721 to_next_worker = &hf->buffer_index[hf->n_vectors];
2722 current_worker_index = next_worker_index;
2725 /* enqueue to correct worker thread */
2726 to_next_worker[0] = bi0;
2728 n_left_to_next_worker--;
2730 if (n_left_to_next_worker == 0)
2732 hf->n_vectors = VLIB_FRAME_SIZE;
2733 vlib_put_frame_queue_elt (hf);
2734 current_worker_index = ~0;
2735 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2742 /* if this is 1st frame */
2745 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
2746 to_next = vlib_frame_vector_args (f);
2754 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2755 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2757 snat_out2in_worker_handoff_trace_t *t =
2758 vlib_add_trace (vm, node, b0, sizeof (*t));
2759 t->next_worker_index = next_worker_index;
2760 t->do_handoff = do_handoff;
2765 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
2768 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2770 /* Ship frames to the worker nodes */
2771 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2773 if (handoff_queue_elt_by_worker_index[i])
2775 hf = handoff_queue_elt_by_worker_index[i];
2777 * It works better to let the handoff node
2778 * rate-adapt, always ship the handoff queue element.
2780 if (1 || hf->n_vectors == hf->last_n_vectors)
2782 vlib_put_frame_queue_elt (hf);
2783 handoff_queue_elt_by_worker_index[i] = 0;
2786 hf->last_n_vectors = hf->n_vectors;
2788 congested_handoff_queue_by_worker_index[i] =
2789 (vlib_frame_queue_t *) (~0);
2792 current_worker_index = ~0;
2793 return frame->n_vectors;
2796 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
2797 .function = snat_out2in_worker_handoff_fn,
2798 .name = "nat44-out2in-worker-handoff",
2799 .vector_size = sizeof (u32),
2800 .format_trace = format_snat_out2in_worker_handoff_trace,
2801 .type = VLIB_NODE_TYPE_INTERNAL,
2810 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
2813 snat_out2in_fast_node_fn (vlib_main_t * vm,
2814 vlib_node_runtime_t * node,
2815 vlib_frame_t * frame)
2817 u32 n_left_from, * from, * to_next;
2818 snat_out2in_next_t next_index;
2819 u32 pkts_processed = 0;
2820 snat_main_t * sm = &snat_main;
2822 from = vlib_frame_vector_args (frame);
2823 n_left_from = frame->n_vectors;
2824 next_index = node->cached_next_index;
2826 while (n_left_from > 0)
2830 vlib_get_next_frame (vm, node, next_index,
2831 to_next, n_left_to_next);
2833 while (n_left_from > 0 && n_left_to_next > 0)
2837 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
2841 u32 new_addr0, old_addr0;
2842 u16 new_port0, old_port0;
2843 udp_header_t * udp0;
2844 tcp_header_t * tcp0;
2845 icmp46_header_t * icmp0;
2846 snat_session_key_t key0, sm0;
2850 /* speculatively enqueue b0 to the current next frame */
2856 n_left_to_next -= 1;
2858 b0 = vlib_get_buffer (vm, bi0);
2860 ip0 = vlib_buffer_get_current (b0);
2861 udp0 = ip4_next_header (ip0);
2862 tcp0 = (tcp_header_t *) udp0;
2863 icmp0 = (icmp46_header_t *) udp0;
2865 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2866 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2868 vnet_feature_next (sw_if_index0, &next0, b0);
2870 if (PREDICT_FALSE(ip0->ttl == 1))
2872 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2873 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2874 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2876 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2880 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2882 if (PREDICT_FALSE (proto0 == ~0))
2885 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2887 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2888 rx_fib_index0, node, next0, ~0, 0, 0);
2892 key0.addr = ip0->dst_address;
2893 key0.port = udp0->dst_port;
2894 key0.fib_index = rx_fib_index0;
2896 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
2898 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2902 new_addr0 = sm0.addr.as_u32;
2903 new_port0 = sm0.port;
2904 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2905 old_addr0 = ip0->dst_address.as_u32;
2906 ip0->dst_address.as_u32 = new_addr0;
2908 sum0 = ip0->checksum;
2909 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2911 dst_address /* changed member */);
2912 ip0->checksum = ip_csum_fold (sum0);
2914 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2916 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2918 old_port0 = tcp0->dst_port;
2919 tcp0->dst_port = new_port0;
2921 sum0 = tcp0->checksum;
2922 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2924 dst_address /* changed member */);
2926 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2927 ip4_header_t /* cheat */,
2928 length /* changed member */);
2929 tcp0->checksum = ip_csum_fold(sum0);
2933 old_port0 = udp0->dst_port;
2934 udp0->dst_port = new_port0;
2940 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2942 sum0 = tcp0->checksum;
2943 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2945 dst_address /* changed member */);
2947 tcp0->checksum = ip_csum_fold(sum0);
2953 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2954 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2956 snat_out2in_trace_t *t =
2957 vlib_add_trace (vm, node, b0, sizeof (*t));
2958 t->sw_if_index = sw_if_index0;
2959 t->next_index = next0;
2962 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2964 /* verify speculative enqueue, maybe switch current next frame */
2965 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2966 to_next, n_left_to_next,
2970 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2973 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
2974 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2976 return frame->n_vectors;
2979 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
2980 .function = snat_out2in_fast_node_fn,
2981 .name = "nat44-out2in-fast",
2982 .vector_size = sizeof (u32),
2983 .format_trace = format_snat_out2in_fast_trace,
2984 .type = VLIB_NODE_TYPE_INTERNAL,
2986 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2987 .error_strings = snat_out2in_error_strings,
2989 .runtime_data_bytes = sizeof (snat_runtime_t),
2991 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2993 /* edit / add dispositions here */
2995 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2996 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2997 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2998 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2999 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
3002 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob