2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
28 #include <nat/nat_reass.h>
30 #include <vppinfra/hash.h>
31 #include <vppinfra/error.h>
32 #include <vppinfra/elog.h>
38 } snat_out2in_trace_t;
41 u32 next_worker_index;
43 } snat_out2in_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
52 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
53 t->sw_if_index, t->next_index, t->session_index);
57 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
59 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
60 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
61 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
63 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
64 t->sw_if_index, t->next_index);
68 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
70 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
71 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
72 snat_out2in_worker_handoff_trace_t * t =
73 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
76 m = t->do_handoff ? "next worker" : "same worker";
77 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
86 } nat44_out2in_reass_trace_t;
88 static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args)
90 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
91 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
92 nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *);
94 s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s",
95 t->sw_if_index, t->next_index,
96 t->cached ? "cached" : "translated");
101 vlib_node_registration_t snat_out2in_node;
102 vlib_node_registration_t snat_out2in_fast_node;
103 vlib_node_registration_t snat_out2in_worker_handoff_node;
104 vlib_node_registration_t snat_det_out2in_node;
105 vlib_node_registration_t nat44_out2in_reass_node;
107 #define foreach_snat_out2in_error \
108 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
109 _(OUT2IN_PACKETS, "Good out2in packets processed") \
110 _(OUT_OF_PORTS, "Out of ports") \
111 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
112 _(NO_TRANSLATION, "No translation") \
113 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
114 _(DROP_FRAGMENT, "Drop fragment") \
115 _(MAX_REASS, "Maximum reassemblies exceeded") \
116 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
119 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
120 foreach_snat_out2in_error
123 } snat_out2in_error_t;
125 static char * snat_out2in_error_strings[] = {
126 #define _(sym,string) string,
127 foreach_snat_out2in_error
132 SNAT_OUT2IN_NEXT_DROP,
133 SNAT_OUT2IN_NEXT_LOOKUP,
134 SNAT_OUT2IN_NEXT_ICMP_ERROR,
135 SNAT_OUT2IN_NEXT_REASS,
136 SNAT_OUT2IN_NEXT_IN2OUT,
138 } snat_out2in_next_t;
141 * @brief Create session for static mapping.
143 * Create NAT session initiated by host from external network with static
146 * @param sm NAT main.
147 * @param b0 Vlib buffer.
148 * @param in2out In2out NAT44 session key.
149 * @param out2in Out2in NAT44 session key.
150 * @param node Vlib node.
152 * @returns SNAT session if successfully created otherwise 0.
154 static inline snat_session_t *
155 create_session_for_static_mapping (snat_main_t *sm,
157 snat_session_key_t in2out,
158 snat_session_key_t out2in,
159 vlib_node_runtime_t * node,
164 clib_bihash_kv_8_8_t kv0;
168 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
170 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
174 ip0 = vlib_buffer_get_current (b0);
175 udp0 = ip4_next_header (ip0);
177 u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
180 clib_warning ("create NAT user failed");
184 s = nat_session_alloc_or_recycle (sm, u, thread_index);
187 clib_warning ("create NAT session failed");
191 s->outside_address_index = ~0;
192 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
193 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
194 s->ext_host_port = udp0->src_port;
195 user_session_increment (sm, u, 1 /* static */);
198 s->in2out.protocol = out2in.protocol;
200 /* Add to translation hashes */
201 kv0.key = s->in2out.as_u64;
202 kv0.value = s - sm->per_thread_data[thread_index].sessions;
203 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
205 clib_warning ("in2out key add failed");
207 kv0.key = s->out2in.as_u64;
209 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
211 clib_warning ("out2in key add failed");
214 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
215 s->out2in.addr.as_u32,
219 s->in2out.fib_index);
224 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
225 snat_session_key_t *p_key0)
227 icmp46_header_t *icmp0;
228 snat_session_key_t key0;
229 icmp_echo_header_t *echo0, *inner_echo0 = 0;
230 ip4_header_t *inner_ip0;
232 icmp46_header_t *inner_icmp0;
234 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
235 echo0 = (icmp_echo_header_t *)(icmp0+1);
237 if (!icmp_is_error_message (icmp0))
239 key0.protocol = SNAT_PROTOCOL_ICMP;
240 key0.addr = ip0->dst_address;
241 key0.port = echo0->identifier;
245 inner_ip0 = (ip4_header_t *)(echo0+1);
246 l4_header = ip4_next_header (inner_ip0);
247 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
248 key0.addr = inner_ip0->src_address;
249 switch (key0.protocol)
251 case SNAT_PROTOCOL_ICMP:
252 inner_icmp0 = (icmp46_header_t*)l4_header;
253 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
254 key0.port = inner_echo0->identifier;
256 case SNAT_PROTOCOL_UDP:
257 case SNAT_PROTOCOL_TCP:
258 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
261 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
265 return -1; /* success */
268 static_always_inline int
269 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
271 icmp46_header_t *icmp0;
272 nat_ed_ses_key_t key0;
273 icmp_echo_header_t *echo0, *inner_echo0 = 0;
274 ip4_header_t *inner_ip0;
276 icmp46_header_t *inner_icmp0;
278 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
279 echo0 = (icmp_echo_header_t *)(icmp0+1);
281 if (!icmp_is_error_message (icmp0))
283 key0.proto = IP_PROTOCOL_ICMP;
284 key0.l_addr = ip0->dst_address;
285 key0.r_addr = ip0->src_address;
286 key0.l_port = key0.r_port = echo0->identifier;
290 inner_ip0 = (ip4_header_t *)(echo0+1);
291 l4_header = ip4_next_header (inner_ip0);
292 key0.proto = inner_ip0->protocol;
293 key0.l_addr = inner_ip0->src_address;
294 key0.r_addr = inner_ip0->dst_address;
295 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
297 case SNAT_PROTOCOL_ICMP:
298 inner_icmp0 = (icmp46_header_t*)l4_header;
299 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
300 key0.l_port = key0.r_port = inner_echo0->identifier;
302 case SNAT_PROTOCOL_UDP:
303 case SNAT_PROTOCOL_TCP:
304 key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port;
305 key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port;
316 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port,
319 snat_session_key_t key;
320 clib_bihash_kv_8_8_t kv, value;
322 key.addr = ip->src_address;
324 key.protocol = proto;
325 key.fib_index = sm->inside_fib_index;
328 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv,
336 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
339 nat_ed_ses_key_t key;
340 clib_bihash_kv_16_8_t kv, value;
343 snat_session_t *s = 0;
344 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
346 if (ip->protocol == IP_PROTOCOL_ICMP)
348 if (icmp_get_ed_key (ip, &key))
351 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
353 udp = ip4_next_header(ip);
354 key.r_addr = ip->src_address;
355 key.l_addr = ip->dst_address;
356 key.proto = ip->protocol;
357 key.l_port = udp->dst_port;
358 key.r_port = udp->src_port;
362 key.r_addr = ip->src_address;
363 key.l_addr = ip->dst_address;
364 key.proto = ip->protocol;
365 key.l_port = key.r_port = 0;
368 kv.key[0] = key.as_u64[0];
369 kv.key[1] = key.as_u64[1];
371 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
373 s = pool_elt_at_index (tsm->sessions, value.value);
377 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
380 u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index, thread_index);
383 clib_warning ("create NAT user failed");
387 s = nat_session_alloc_or_recycle (sm, u, thread_index);
390 clib_warning ("create NAT session failed");
394 s->ext_host_addr = key.r_addr;
395 s->ext_host_port = key.r_port;
396 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
397 s->outside_address_index = ~0;
398 s->out2in.addr = key.l_addr;
399 s->out2in.port = key.l_port;
400 s->out2in.protocol = ip_proto_to_snat_proto (key.proto);
401 s->out2in.fib_index = 0;
402 s->in2out = s->out2in;
403 user_session_increment (sm, u, 0);
405 kv.value = s - tsm->sessions;
406 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
407 clib_warning ("in2out_ed key add failed");
410 if (ip->protocol == IP_PROTOCOL_TCP)
412 tcp_header_t *tcp = ip4_next_header(ip);
413 nat44_set_tcp_session_state (sm, s, tcp, thread_index);
415 /* Per-user LRU list maintenance */
416 clib_dlist_remove (tsm->list_pool, s->per_user_index);
417 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
422 * Get address and port values to be used for ICMP packet translation
423 * and create session if needed
425 * @param[in,out] sm NAT main
426 * @param[in,out] node NAT node runtime
427 * @param[in] thread_index thread index
428 * @param[in,out] b0 buffer containing packet to be translated
429 * @param[out] p_proto protocol used for matching
430 * @param[out] p_value address and port after NAT translation
431 * @param[out] p_dont_translate if packet should not be translated
432 * @param d optional parameter
433 * @param e optional parameter
435 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
436 u32 thread_index, vlib_buffer_t *b0,
437 ip4_header_t *ip0, u8 *p_proto,
438 snat_session_key_t *p_value,
439 u8 *p_dont_translate, void *d, void *e)
441 icmp46_header_t *icmp0;
444 snat_session_key_t key0;
445 snat_session_key_t sm0;
446 snat_session_t *s0 = 0;
447 u8 dont_translate = 0;
448 clib_bihash_kv_8_8_t kv0, value0;
453 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
454 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
455 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
459 err = icmp_get_key (ip0, &key0);
462 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
463 next0 = SNAT_OUT2IN_NEXT_DROP;
466 key0.fib_index = rx_fib_index0;
468 kv0.key = key0.as_u64;
470 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
473 /* Try to match static mapping by external address and port,
474 destination address and port in packet */
475 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
477 if (!sm->forwarding_enabled)
479 /* Don't NAT packet aimed at the intfc address */
480 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
481 ip0->dst_address.as_u32)))
486 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
487 next0 = SNAT_OUT2IN_NEXT_DROP;
493 if (next_src_nat(sm, ip0, key0.protocol, key0.port, thread_index))
495 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
498 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
503 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
504 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
506 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
507 next0 = SNAT_OUT2IN_NEXT_DROP;
511 /* Create session initiated by host from external network */
512 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
517 next0 = SNAT_OUT2IN_NEXT_DROP;
523 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
524 icmp0->type != ICMP4_echo_request &&
525 !icmp_is_error_message (icmp0)))
527 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
528 next0 = SNAT_OUT2IN_NEXT_DROP;
532 if (PREDICT_FALSE (value0.value == ~0ULL))
534 nat_ed_ses_key_t key;
535 clib_bihash_kv_16_8_t s_kv, s_value;
539 if (icmp_get_ed_key (ip0, &key))
541 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
542 next0 = SNAT_OUT2IN_NEXT_DROP;
545 key.fib_index = rx_fib_index0;
546 s_kv.key[0] = key.as_u64[0];
547 s_kv.key[1] = key.as_u64[1];
548 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
549 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
553 next0 = SNAT_OUT2IN_NEXT_DROP;
558 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
563 *p_proto = key0.protocol;
565 *p_value = s0->in2out;
566 *p_dont_translate = dont_translate;
568 *(snat_session_t**)d = s0;
573 * Get address and port values to be used for ICMP packet translation
575 * @param[in] sm NAT main
576 * @param[in,out] node NAT node runtime
577 * @param[in] thread_index thread index
578 * @param[in,out] b0 buffer containing packet to be translated
579 * @param[out] p_proto protocol used for matching
580 * @param[out] p_value address and port after NAT translation
581 * @param[out] p_dont_translate if packet should not be translated
582 * @param d optional parameter
583 * @param e optional parameter
585 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
586 u32 thread_index, vlib_buffer_t *b0,
587 ip4_header_t *ip0, u8 *p_proto,
588 snat_session_key_t *p_value,
589 u8 *p_dont_translate, void *d, void *e)
591 icmp46_header_t *icmp0;
594 snat_session_key_t key0;
595 snat_session_key_t sm0;
596 u8 dont_translate = 0;
601 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
602 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
603 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
605 err = icmp_get_key (ip0, &key0);
608 b0->error = node->errors[err];
609 next0 = SNAT_OUT2IN_NEXT_DROP;
612 key0.fib_index = rx_fib_index0;
614 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
616 /* Don't NAT packet aimed at the intfc address */
617 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
622 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
623 next0 = SNAT_OUT2IN_NEXT_DROP;
627 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
628 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
629 !icmp_is_error_message (icmp0)))
631 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
632 next0 = SNAT_OUT2IN_NEXT_DROP;
639 *p_proto = key0.protocol;
640 *p_dont_translate = dont_translate;
644 static inline u32 icmp_out2in (snat_main_t *sm,
647 icmp46_header_t * icmp0,
650 vlib_node_runtime_t * node,
656 snat_session_key_t sm0;
658 icmp_echo_header_t *echo0, *inner_echo0 = 0;
659 ip4_header_t *inner_ip0 = 0;
661 icmp46_header_t *inner_icmp0;
663 u32 new_addr0, old_addr0;
664 u16 old_id0, new_id0;
669 echo0 = (icmp_echo_header_t *)(icmp0+1);
671 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
672 &protocol, &sm0, &dont_translate, d, e);
675 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
678 sum0 = ip_incremental_checksum (0, icmp0,
679 ntohs(ip0->length) - ip4_header_bytes (ip0));
680 checksum0 = ~ip_csum_fold (sum0);
681 if (checksum0 != 0 && checksum0 != 0xffff)
683 next0 = SNAT_OUT2IN_NEXT_DROP;
687 old_addr0 = ip0->dst_address.as_u32;
688 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
689 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
691 sum0 = ip0->checksum;
692 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
693 dst_address /* changed member */);
694 ip0->checksum = ip_csum_fold (sum0);
696 if (icmp0->checksum == 0)
697 icmp0->checksum = 0xffff;
699 if (!icmp_is_error_message (icmp0))
702 if (PREDICT_FALSE(new_id0 != echo0->identifier))
704 old_id0 = echo0->identifier;
706 echo0->identifier = new_id0;
708 sum0 = icmp0->checksum;
709 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
710 identifier /* changed member */);
711 icmp0->checksum = ip_csum_fold (sum0);
716 inner_ip0 = (ip4_header_t *)(echo0+1);
717 l4_header = ip4_next_header (inner_ip0);
719 if (!ip4_header_checksum_is_valid (inner_ip0))
721 next0 = SNAT_OUT2IN_NEXT_DROP;
725 old_addr0 = inner_ip0->src_address.as_u32;
726 inner_ip0->src_address = sm0.addr;
727 new_addr0 = inner_ip0->src_address.as_u32;
729 sum0 = icmp0->checksum;
730 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
731 src_address /* changed member */);
732 icmp0->checksum = ip_csum_fold (sum0);
736 case SNAT_PROTOCOL_ICMP:
737 inner_icmp0 = (icmp46_header_t*)l4_header;
738 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
740 old_id0 = inner_echo0->identifier;
742 inner_echo0->identifier = new_id0;
744 sum0 = icmp0->checksum;
745 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
747 icmp0->checksum = ip_csum_fold (sum0);
749 case SNAT_PROTOCOL_UDP:
750 case SNAT_PROTOCOL_TCP:
751 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
753 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
755 sum0 = icmp0->checksum;
756 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
758 icmp0->checksum = ip_csum_fold (sum0);
770 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
773 icmp46_header_t * icmp0,
776 vlib_node_runtime_t * node,
779 snat_session_t ** p_s0)
781 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
782 next0, thread_index, p_s0, 0);
783 snat_session_t * s0 = *p_s0;
784 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
787 s0->last_heard = now;
789 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
790 /* Per-user LRU list maintenance */
791 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
793 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
794 s0->per_user_list_head_index,
800 static snat_session_t *
801 snat_out2in_unknown_proto (snat_main_t *sm,
808 vlib_node_runtime_t * node)
810 clib_bihash_kv_8_8_t kv, value;
811 clib_bihash_kv_16_8_t s_kv, s_value;
812 snat_static_mapping_t *m;
813 snat_session_key_t m_key;
814 u32 old_addr, new_addr;
816 nat_ed_ses_key_t key;
818 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
821 old_addr = ip->dst_address.as_u32;
823 key.l_addr = ip->dst_address;
824 key.r_addr = ip->src_address;
825 key.fib_index = rx_fib_index;
826 key.proto = ip->protocol;
829 s_kv.key[0] = key.as_u64[0];
830 s_kv.key[1] = key.as_u64[1];
832 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
834 s = pool_elt_at_index (tsm->sessions, s_value.value);
835 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
839 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
841 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
845 m_key.addr = ip->dst_address;
848 m_key.fib_index = rx_fib_index;
849 kv.key = m_key.as_u64;
850 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
852 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
856 m = pool_elt_at_index (sm->static_mappings, value.value);
858 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
860 u = nat_user_get_or_create (sm, &ip->src_address, m->fib_index,
864 clib_warning ("create NAT user failed");
868 /* Create a new session */
869 s = nat_session_alloc_or_recycle (sm, u, thread_index);
872 clib_warning ("create NAT session failed");
876 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
877 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
878 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
879 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
880 s->outside_address_index = ~0;
881 s->out2in.addr.as_u32 = old_addr;
882 s->out2in.fib_index = rx_fib_index;
883 s->in2out.addr.as_u32 = new_addr;
884 s->in2out.fib_index = m->fib_index;
885 s->in2out.port = s->out2in.port = ip->protocol;
886 user_session_increment (sm, u, 1 /* static */);
888 /* Add to lookup tables */
889 s_kv.value = s - tsm->sessions;
890 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
891 clib_warning ("out2in key add failed");
893 key.l_addr = ip->dst_address;
894 key.fib_index = m->fib_index;
895 s_kv.key[0] = key.as_u64[0];
896 s_kv.key[1] = key.as_u64[1];
897 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
898 clib_warning ("in2out key add failed");
901 /* Update IP checksum */
903 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
904 ip->checksum = ip_csum_fold (sum);
906 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
911 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
912 /* Per-user LRU list maintenance */
913 clib_dlist_remove (tsm->list_pool, s->per_user_index);
914 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
920 static snat_session_t *
921 snat_out2in_lb (snat_main_t *sm,
928 vlib_node_runtime_t * node)
930 nat_ed_ses_key_t key;
931 clib_bihash_kv_16_8_t s_kv, s_value;
932 udp_header_t *udp = ip4_next_header (ip);
933 tcp_header_t *tcp = (tcp_header_t *) udp;
934 snat_session_t *s = 0;
935 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
936 snat_session_key_t e_key, l_key;
937 u32 old_addr, new_addr;
938 u32 proto = ip_proto_to_snat_proto (ip->protocol);
939 u16 new_port, old_port;
943 snat_session_key_t eh_key;
944 twice_nat_type_t twice_nat;
947 old_addr = ip->dst_address.as_u32;
949 key.l_addr = ip->dst_address;
950 key.r_addr = ip->src_address;
951 key.fib_index = rx_fib_index;
952 key.proto = ip->protocol;
953 key.r_port = udp->src_port;
954 key.l_port = udp->dst_port;
955 s_kv.key[0] = key.as_u64[0];
956 s_kv.key[1] = key.as_u64[1];
958 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
960 s = pool_elt_at_index (tsm->sessions, s_value.value);
964 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
966 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
970 e_key.addr = ip->dst_address;
971 e_key.port = udp->dst_port;
972 e_key.protocol = proto;
973 e_key.fib_index = rx_fib_index;
974 if (snat_static_mapping_match(sm, e_key, &l_key, 1, 0, &twice_nat, &lb))
977 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index,
981 clib_warning ("create NAT user failed");
985 s = nat_session_alloc_or_recycle (sm, u, thread_index);
988 clib_warning ("create NAT session failed");
992 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
993 s->ext_host_port = udp->src_port;
994 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
996 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
997 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
998 s->outside_address_index = ~0;
1001 user_session_increment (sm, u, 1 /* static */);
1003 /* Add to lookup tables */
1004 s_kv.value = s - tsm->sessions;
1005 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
1006 clib_warning ("out2in-ed key add failed");
1008 if (twice_nat == TWICE_NAT ||
1009 (twice_nat == TWICE_NAT_SELF &&
1010 ip->src_address.as_u32 == l_key.addr.as_u32))
1012 eh_key.protocol = proto;
1013 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
1014 thread_index, &eh_key,
1016 sm->port_per_thread,
1017 sm->per_thread_data[thread_index].snat_thread_index))
1019 b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS];
1022 key.r_addr.as_u32 = s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
1023 key.r_port = s->ext_host_nat_port = eh_key.port;
1024 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
1026 key.l_addr = l_key.addr;
1027 key.fib_index = l_key.fib_index;
1028 key.l_port = l_key.port;
1029 s_kv.key[0] = key.as_u64[0];
1030 s_kv.key[1] = key.as_u64[1];
1031 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1032 clib_warning ("in2out-ed key add failed");
1035 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1037 /* Update IP checksum */
1039 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1040 if (is_twice_nat_session (s))
1041 sum = ip_csum_update (sum, ip->src_address.as_u32,
1042 s->ext_host_nat_addr.as_u32, ip4_header_t,
1044 ip->checksum = ip_csum_fold (sum);
1046 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1048 old_port = tcp->dst_port;
1049 tcp->dst_port = s->in2out.port;
1050 new_port = tcp->dst_port;
1052 sum = tcp->checksum;
1053 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1054 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1055 if (is_twice_nat_session (s))
1057 sum = ip_csum_update (sum, ip->src_address.as_u32,
1058 s->ext_host_nat_addr.as_u32, ip4_header_t,
1060 sum = ip_csum_update (sum, tcp->src_port, s->ext_host_nat_port,
1061 ip4_header_t, length);
1062 tcp->src_port = s->ext_host_nat_port;
1063 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1065 tcp->checksum = ip_csum_fold(sum);
1066 nat44_set_tcp_session_state (sm, s, tcp, thread_index);
1070 udp->dst_port = s->in2out.port;
1071 if (is_twice_nat_session (s))
1073 udp->src_port = s->ext_host_nat_port;
1074 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1079 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1082 s->last_heard = now;
1084 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1085 /* Per-user LRU list maintenance */
1086 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1087 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1094 snat_out2in_node_fn (vlib_main_t * vm,
1095 vlib_node_runtime_t * node,
1096 vlib_frame_t * frame)
1098 u32 n_left_from, * from, * to_next;
1099 snat_out2in_next_t next_index;
1100 u32 pkts_processed = 0;
1101 snat_main_t * sm = &snat_main;
1102 f64 now = vlib_time_now (vm);
1103 u32 thread_index = vlib_get_thread_index ();
1105 from = vlib_frame_vector_args (frame);
1106 n_left_from = frame->n_vectors;
1107 next_index = node->cached_next_index;
1109 while (n_left_from > 0)
1113 vlib_get_next_frame (vm, node, next_index,
1114 to_next, n_left_to_next);
1116 while (n_left_from >= 4 && n_left_to_next >= 2)
1119 vlib_buffer_t * b0, * b1;
1120 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1121 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1122 u32 sw_if_index0, sw_if_index1;
1123 ip4_header_t * ip0, *ip1;
1124 ip_csum_t sum0, sum1;
1125 u32 new_addr0, old_addr0;
1126 u16 new_port0, old_port0;
1127 u32 new_addr1, old_addr1;
1128 u16 new_port1, old_port1;
1129 udp_header_t * udp0, * udp1;
1130 tcp_header_t * tcp0, * tcp1;
1131 icmp46_header_t * icmp0, * icmp1;
1132 snat_session_key_t key0, key1, sm0, sm1;
1133 u32 rx_fib_index0, rx_fib_index1;
1135 snat_session_t * s0 = 0, * s1 = 0;
1136 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
1138 /* Prefetch next iteration. */
1140 vlib_buffer_t * p2, * p3;
1142 p2 = vlib_get_buffer (vm, from[2]);
1143 p3 = vlib_get_buffer (vm, from[3]);
1145 vlib_prefetch_buffer_header (p2, LOAD);
1146 vlib_prefetch_buffer_header (p3, LOAD);
1148 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1149 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1152 /* speculatively enqueue b0 and b1 to the current next frame */
1153 to_next[0] = bi0 = from[0];
1154 to_next[1] = bi1 = from[1];
1158 n_left_to_next -= 2;
1160 b0 = vlib_get_buffer (vm, bi0);
1161 b1 = vlib_get_buffer (vm, bi1);
1163 vnet_buffer (b0)->snat.flags = 0;
1164 vnet_buffer (b1)->snat.flags = 0;
1166 ip0 = vlib_buffer_get_current (b0);
1167 udp0 = ip4_next_header (ip0);
1168 tcp0 = (tcp_header_t *) udp0;
1169 icmp0 = (icmp46_header_t *) udp0;
1171 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1172 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1175 if (PREDICT_FALSE(ip0->ttl == 1))
1177 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1178 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1179 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1181 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1185 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1187 if (PREDICT_FALSE (proto0 == ~0))
1189 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1190 thread_index, now, vm, node);
1191 if (!sm->forwarding_enabled)
1193 next0 = SNAT_OUT2IN_NEXT_DROP;
1197 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1199 next0 = icmp_out2in_slow_path
1200 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1201 next0, now, thread_index, &s0);
1205 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1207 next0 = SNAT_OUT2IN_NEXT_REASS;
1211 key0.addr = ip0->dst_address;
1212 key0.port = udp0->dst_port;
1213 key0.protocol = proto0;
1214 key0.fib_index = rx_fib_index0;
1216 kv0.key = key0.as_u64;
1218 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1221 /* Try to match static mapping by external address and port,
1222 destination address and port in packet */
1223 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1226 * Send DHCP packets to the ipv4 stack, or we won't
1227 * be able to use dhcp client on the outside interface
1229 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1230 && (udp0->dst_port ==
1231 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1234 (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0);
1238 if (!sm->forwarding_enabled)
1240 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1241 next0 = SNAT_OUT2IN_NEXT_DROP;
1246 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1248 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1251 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
1256 /* Create session initiated by host from external network */
1257 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1261 next0 = SNAT_OUT2IN_NEXT_DROP;
1267 if (PREDICT_FALSE (value0.value == ~0ULL))
1269 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1272 next0 = SNAT_OUT2IN_NEXT_DROP;
1277 s0 = pool_elt_at_index (
1278 sm->per_thread_data[thread_index].sessions,
1283 old_addr0 = ip0->dst_address.as_u32;
1284 ip0->dst_address = s0->in2out.addr;
1285 new_addr0 = ip0->dst_address.as_u32;
1286 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1288 sum0 = ip0->checksum;
1289 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1291 dst_address /* changed member */);
1292 ip0->checksum = ip_csum_fold (sum0);
1294 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1296 old_port0 = tcp0->dst_port;
1297 tcp0->dst_port = s0->in2out.port;
1298 new_port0 = tcp0->dst_port;
1300 sum0 = tcp0->checksum;
1301 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1303 dst_address /* changed member */);
1305 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1306 ip4_header_t /* cheat */,
1307 length /* changed member */);
1308 tcp0->checksum = ip_csum_fold(sum0);
1309 nat44_set_tcp_session_state (sm, s0, tcp0, thread_index);
1313 old_port0 = udp0->dst_port;
1314 udp0->dst_port = s0->in2out.port;
1319 s0->last_heard = now;
1321 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1322 /* Per-user LRU list maintenance */
1323 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1324 s0->per_user_index);
1325 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1326 s0->per_user_list_head_index,
1327 s0->per_user_index);
1330 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1331 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1333 snat_out2in_trace_t *t =
1334 vlib_add_trace (vm, node, b0, sizeof (*t));
1335 t->sw_if_index = sw_if_index0;
1336 t->next_index = next0;
1337 t->session_index = ~0;
1339 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1342 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1345 ip1 = vlib_buffer_get_current (b1);
1346 udp1 = ip4_next_header (ip1);
1347 tcp1 = (tcp_header_t *) udp1;
1348 icmp1 = (icmp46_header_t *) udp1;
1350 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1351 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1354 if (PREDICT_FALSE(ip1->ttl == 1))
1356 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1357 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1358 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1360 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1364 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1366 if (PREDICT_FALSE (proto1 == ~0))
1368 s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
1369 thread_index, now, vm, node);
1370 if (!sm->forwarding_enabled)
1372 next1 = SNAT_OUT2IN_NEXT_DROP;
1376 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1378 next1 = icmp_out2in_slow_path
1379 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1380 next1, now, thread_index, &s1);
1384 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
1386 next1 = SNAT_OUT2IN_NEXT_REASS;
1390 key1.addr = ip1->dst_address;
1391 key1.port = udp1->dst_port;
1392 key1.protocol = proto1;
1393 key1.fib_index = rx_fib_index1;
1395 kv1.key = key1.as_u64;
1397 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1400 /* Try to match static mapping by external address and port,
1401 destination address and port in packet */
1402 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0, 0))
1405 * Send DHCP packets to the ipv4 stack, or we won't
1406 * be able to use dhcp client on the outside interface
1408 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
1409 && (udp1->dst_port ==
1410 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1413 (vnet_buffer (b1)->sw_if_index[VLIB_RX], &next1, b1);
1417 if (!sm->forwarding_enabled)
1419 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1420 next1 = SNAT_OUT2IN_NEXT_DROP;
1425 if (next_src_nat(sm, ip1, proto1, udp1->src_port, thread_index))
1427 next1 = SNAT_OUT2IN_NEXT_IN2OUT;
1430 create_bypass_for_fwd(sm, ip1, rx_fib_index1, thread_index);
1435 /* Create session initiated by host from external network */
1436 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
1440 next1 = SNAT_OUT2IN_NEXT_DROP;
1446 if (PREDICT_FALSE (value1.value == ~0ULL))
1448 s1 = snat_out2in_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1451 next1 = SNAT_OUT2IN_NEXT_DROP;
1456 s1 = pool_elt_at_index (
1457 sm->per_thread_data[thread_index].sessions,
1462 old_addr1 = ip1->dst_address.as_u32;
1463 ip1->dst_address = s1->in2out.addr;
1464 new_addr1 = ip1->dst_address.as_u32;
1465 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1467 sum1 = ip1->checksum;
1468 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1470 dst_address /* changed member */);
1471 ip1->checksum = ip_csum_fold (sum1);
1473 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1475 old_port1 = tcp1->dst_port;
1476 tcp1->dst_port = s1->in2out.port;
1477 new_port1 = tcp1->dst_port;
1479 sum1 = tcp1->checksum;
1480 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1482 dst_address /* changed member */);
1484 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1485 ip4_header_t /* cheat */,
1486 length /* changed member */);
1487 tcp1->checksum = ip_csum_fold(sum1);
1488 nat44_set_tcp_session_state (sm, s1, tcp1, thread_index);
1492 old_port1 = udp1->dst_port;
1493 udp1->dst_port = s1->in2out.port;
1498 s1->last_heard = now;
1500 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1501 /* Per-user LRU list maintenance */
1502 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1503 s1->per_user_index);
1504 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1505 s1->per_user_list_head_index,
1506 s1->per_user_index);
1509 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1510 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1512 snat_out2in_trace_t *t =
1513 vlib_add_trace (vm, node, b1, sizeof (*t));
1514 t->sw_if_index = sw_if_index1;
1515 t->next_index = next1;
1516 t->session_index = ~0;
1518 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1521 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1523 /* verify speculative enqueues, maybe switch current next frame */
1524 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1525 to_next, n_left_to_next,
1526 bi0, bi1, next0, next1);
1529 while (n_left_from > 0 && n_left_to_next > 0)
1533 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1537 u32 new_addr0, old_addr0;
1538 u16 new_port0, old_port0;
1539 udp_header_t * udp0;
1540 tcp_header_t * tcp0;
1541 icmp46_header_t * icmp0;
1542 snat_session_key_t key0, sm0;
1545 snat_session_t * s0 = 0;
1546 clib_bihash_kv_8_8_t kv0, value0;
1548 /* speculatively enqueue b0 to the current next frame */
1554 n_left_to_next -= 1;
1556 b0 = vlib_get_buffer (vm, bi0);
1558 vnet_buffer (b0)->snat.flags = 0;
1560 ip0 = vlib_buffer_get_current (b0);
1561 udp0 = ip4_next_header (ip0);
1562 tcp0 = (tcp_header_t *) udp0;
1563 icmp0 = (icmp46_header_t *) udp0;
1565 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1566 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1569 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1571 if (PREDICT_FALSE (proto0 == ~0))
1573 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1574 thread_index, now, vm, node);
1575 if (!sm->forwarding_enabled)
1577 next0 = SNAT_OUT2IN_NEXT_DROP;
1581 if (PREDICT_FALSE(ip0->ttl == 1))
1583 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1584 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1585 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1587 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1591 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1593 next0 = icmp_out2in_slow_path
1594 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1595 next0, now, thread_index, &s0);
1599 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1601 next0 = SNAT_OUT2IN_NEXT_REASS;
1605 key0.addr = ip0->dst_address;
1606 key0.port = udp0->dst_port;
1607 key0.protocol = proto0;
1608 key0.fib_index = rx_fib_index0;
1610 kv0.key = key0.as_u64;
1612 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1615 /* Try to match static mapping by external address and port,
1616 destination address and port in packet */
1617 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1620 * Send DHCP packets to the ipv4 stack, or we won't
1621 * be able to use dhcp client on the outside interface
1623 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1624 && (udp0->dst_port ==
1625 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1628 (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0);
1632 if (!sm->forwarding_enabled)
1634 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1635 next0 = SNAT_OUT2IN_NEXT_DROP;
1640 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1642 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1645 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
1650 /* Create session initiated by host from external network */
1651 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1655 next0 = SNAT_OUT2IN_NEXT_DROP;
1661 if (PREDICT_FALSE (value0.value == ~0ULL))
1663 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1666 next0 = SNAT_OUT2IN_NEXT_DROP;
1671 s0 = pool_elt_at_index (
1672 sm->per_thread_data[thread_index].sessions,
1677 old_addr0 = ip0->dst_address.as_u32;
1678 ip0->dst_address = s0->in2out.addr;
1679 new_addr0 = ip0->dst_address.as_u32;
1680 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1682 sum0 = ip0->checksum;
1683 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1685 dst_address /* changed member */);
1686 ip0->checksum = ip_csum_fold (sum0);
1688 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1690 old_port0 = tcp0->dst_port;
1691 tcp0->dst_port = s0->in2out.port;
1692 new_port0 = tcp0->dst_port;
1694 sum0 = tcp0->checksum;
1695 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1697 dst_address /* changed member */);
1699 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1700 ip4_header_t /* cheat */,
1701 length /* changed member */);
1702 tcp0->checksum = ip_csum_fold(sum0);
1703 nat44_set_tcp_session_state (sm, s0, tcp0, thread_index);
1707 old_port0 = udp0->dst_port;
1708 udp0->dst_port = s0->in2out.port;
1713 s0->last_heard = now;
1715 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1716 /* Per-user LRU list maintenance */
1717 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1718 s0->per_user_index);
1719 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1720 s0->per_user_list_head_index,
1721 s0->per_user_index);
1724 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1725 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1727 snat_out2in_trace_t *t =
1728 vlib_add_trace (vm, node, b0, sizeof (*t));
1729 t->sw_if_index = sw_if_index0;
1730 t->next_index = next0;
1731 t->session_index = ~0;
1733 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1736 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1738 /* verify speculative enqueue, maybe switch current next frame */
1739 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1740 to_next, n_left_to_next,
1744 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1747 vlib_node_increment_counter (vm, snat_out2in_node.index,
1748 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1750 return frame->n_vectors;
1753 VLIB_REGISTER_NODE (snat_out2in_node) = {
1754 .function = snat_out2in_node_fn,
1755 .name = "nat44-out2in",
1756 .vector_size = sizeof (u32),
1757 .format_trace = format_snat_out2in_trace,
1758 .type = VLIB_NODE_TYPE_INTERNAL,
1760 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1761 .error_strings = snat_out2in_error_strings,
1763 .runtime_data_bytes = sizeof (snat_runtime_t),
1765 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1767 /* edit / add dispositions here */
1769 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1770 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1771 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1772 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1773 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
1776 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1779 nat44_out2in_reass_node_fn (vlib_main_t * vm,
1780 vlib_node_runtime_t * node,
1781 vlib_frame_t * frame)
1783 u32 n_left_from, *from, *to_next;
1784 snat_out2in_next_t next_index;
1785 u32 pkts_processed = 0;
1786 snat_main_t *sm = &snat_main;
1787 f64 now = vlib_time_now (vm);
1788 u32 thread_index = vlib_get_thread_index ();
1789 snat_main_per_thread_data_t *per_thread_data =
1790 &sm->per_thread_data[thread_index];
1791 u32 *fragments_to_drop = 0;
1792 u32 *fragments_to_loopback = 0;
1794 from = vlib_frame_vector_args (frame);
1795 n_left_from = frame->n_vectors;
1796 next_index = node->cached_next_index;
1798 while (n_left_from > 0)
1802 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1804 while (n_left_from > 0 && n_left_to_next > 0)
1806 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1811 nat_reass_ip4_t *reass0;
1812 udp_header_t * udp0;
1813 tcp_header_t * tcp0;
1814 snat_session_key_t key0, sm0;
1815 clib_bihash_kv_8_8_t kv0, value0;
1816 snat_session_t * s0 = 0;
1817 u16 old_port0, new_port0;
1820 /* speculatively enqueue b0 to the current next frame */
1826 n_left_to_next -= 1;
1828 b0 = vlib_get_buffer (vm, bi0);
1829 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1831 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1832 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1835 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
1837 next0 = SNAT_OUT2IN_NEXT_DROP;
1838 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1842 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1843 udp0 = ip4_next_header (ip0);
1844 tcp0 = (tcp_header_t *) udp0;
1845 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1847 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1852 &fragments_to_drop);
1854 if (PREDICT_FALSE (!reass0))
1856 next0 = SNAT_OUT2IN_NEXT_DROP;
1857 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1861 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1863 key0.addr = ip0->dst_address;
1864 key0.port = udp0->dst_port;
1865 key0.protocol = proto0;
1866 key0.fib_index = rx_fib_index0;
1867 kv0.key = key0.as_u64;
1869 if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0))
1871 /* Try to match static mapping by external address and port,
1872 destination address and port in packet */
1873 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1876 * Send DHCP packets to the ipv4 stack, or we won't
1877 * be able to use dhcp client on the outside interface
1879 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1881 == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1884 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1889 if (!sm->forwarding_enabled)
1891 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1892 next0 = SNAT_OUT2IN_NEXT_DROP;
1897 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1899 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1902 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
1907 /* Create session initiated by host from external network */
1908 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1912 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1913 next0 = SNAT_OUT2IN_NEXT_DROP;
1916 reass0->sess_index = s0 - per_thread_data->sessions;
1917 reass0->thread_index = thread_index;
1921 s0 = pool_elt_at_index (per_thread_data->sessions,
1923 reass0->sess_index = value0.value;
1925 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1929 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
1931 if (nat_ip4_reass_add_fragment (reass0, bi0))
1933 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1934 next0 = SNAT_OUT2IN_NEXT_DROP;
1940 s0 = pool_elt_at_index (per_thread_data->sessions,
1941 reass0->sess_index);
1944 old_addr0 = ip0->dst_address.as_u32;
1945 ip0->dst_address = s0->in2out.addr;
1946 new_addr0 = ip0->dst_address.as_u32;
1947 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1949 sum0 = ip0->checksum;
1950 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1952 dst_address /* changed member */);
1953 ip0->checksum = ip_csum_fold (sum0);
1955 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1957 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1959 old_port0 = tcp0->dst_port;
1960 tcp0->dst_port = s0->in2out.port;
1961 new_port0 = tcp0->dst_port;
1963 sum0 = tcp0->checksum;
1964 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1966 dst_address /* changed member */);
1968 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1969 ip4_header_t /* cheat */,
1970 length /* changed member */);
1971 tcp0->checksum = ip_csum_fold(sum0);
1972 nat44_set_tcp_session_state (sm, s0, tcp0, thread_index);
1976 old_port0 = udp0->dst_port;
1977 udp0->dst_port = s0->in2out.port;
1983 s0->last_heard = now;
1985 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1986 /* Per-user LRU list maintenance */
1987 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1988 s0->per_user_index);
1989 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1990 s0->per_user_list_head_index,
1991 s0->per_user_index);
1994 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1995 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1997 nat44_out2in_reass_trace_t *t =
1998 vlib_add_trace (vm, node, b0, sizeof (*t));
1999 t->cached = cached0;
2000 t->sw_if_index = sw_if_index0;
2001 t->next_index = next0;
2011 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2013 /* verify speculative enqueue, maybe switch current next frame */
2014 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2015 to_next, n_left_to_next,
2019 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2021 from = vlib_frame_vector_args (frame);
2022 u32 len = vec_len (fragments_to_loopback);
2023 if (len <= VLIB_FRAME_SIZE)
2025 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2027 vec_reset_length (fragments_to_loopback);
2032 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2033 sizeof (u32) * VLIB_FRAME_SIZE);
2034 n_left_from = VLIB_FRAME_SIZE;
2035 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2040 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2043 vlib_node_increment_counter (vm, nat44_out2in_reass_node.index,
2044 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2047 nat_send_all_to_node (vm, fragments_to_drop, node,
2048 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
2049 SNAT_OUT2IN_NEXT_DROP);
2051 vec_free (fragments_to_drop);
2052 vec_free (fragments_to_loopback);
2053 return frame->n_vectors;
2056 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
2057 .function = nat44_out2in_reass_node_fn,
2058 .name = "nat44-out2in-reass",
2059 .vector_size = sizeof (u32),
2060 .format_trace = format_nat44_out2in_reass_trace,
2061 .type = VLIB_NODE_TYPE_INTERNAL,
2063 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2064 .error_strings = snat_out2in_error_strings,
2066 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2068 /* edit / add dispositions here */
2070 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2071 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2072 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2073 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2074 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2077 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
2078 nat44_out2in_reass_node_fn);
2080 /**************************/
2081 /*** deterministic mode ***/
2082 /**************************/
2084 snat_det_out2in_node_fn (vlib_main_t * vm,
2085 vlib_node_runtime_t * node,
2086 vlib_frame_t * frame)
2088 u32 n_left_from, * from, * to_next;
2089 snat_out2in_next_t next_index;
2090 u32 pkts_processed = 0;
2091 snat_main_t * sm = &snat_main;
2092 u32 thread_index = vlib_get_thread_index ();
2094 from = vlib_frame_vector_args (frame);
2095 n_left_from = frame->n_vectors;
2096 next_index = node->cached_next_index;
2098 while (n_left_from > 0)
2102 vlib_get_next_frame (vm, node, next_index,
2103 to_next, n_left_to_next);
2105 while (n_left_from >= 4 && n_left_to_next >= 2)
2108 vlib_buffer_t * b0, * b1;
2109 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2110 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
2111 u32 sw_if_index0, sw_if_index1;
2112 ip4_header_t * ip0, * ip1;
2113 ip_csum_t sum0, sum1;
2114 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2115 u16 new_port0, old_port0, old_port1, new_port1;
2116 udp_header_t * udp0, * udp1;
2117 tcp_header_t * tcp0, * tcp1;
2119 snat_det_out_key_t key0, key1;
2120 snat_det_map_t * dm0, * dm1;
2121 snat_det_session_t * ses0 = 0, * ses1 = 0;
2122 u32 rx_fib_index0, rx_fib_index1;
2123 icmp46_header_t * icmp0, * icmp1;
2125 /* Prefetch next iteration. */
2127 vlib_buffer_t * p2, * p3;
2129 p2 = vlib_get_buffer (vm, from[2]);
2130 p3 = vlib_get_buffer (vm, from[3]);
2132 vlib_prefetch_buffer_header (p2, LOAD);
2133 vlib_prefetch_buffer_header (p3, LOAD);
2135 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2136 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2139 /* speculatively enqueue b0 and b1 to the current next frame */
2140 to_next[0] = bi0 = from[0];
2141 to_next[1] = bi1 = from[1];
2145 n_left_to_next -= 2;
2147 b0 = vlib_get_buffer (vm, bi0);
2148 b1 = vlib_get_buffer (vm, bi1);
2150 ip0 = vlib_buffer_get_current (b0);
2151 udp0 = ip4_next_header (ip0);
2152 tcp0 = (tcp_header_t *) udp0;
2154 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2156 if (PREDICT_FALSE(ip0->ttl == 1))
2158 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2159 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2160 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2162 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2166 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2168 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2170 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2171 icmp0 = (icmp46_header_t *) udp0;
2173 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2174 rx_fib_index0, node, next0, thread_index,
2179 key0.ext_host_addr = ip0->src_address;
2180 key0.ext_host_port = tcp0->src;
2181 key0.out_port = tcp0->dst;
2183 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2184 if (PREDICT_FALSE(!dm0))
2186 clib_warning("unknown dst address: %U",
2187 format_ip4_address, &ip0->dst_address);
2188 next0 = SNAT_OUT2IN_NEXT_DROP;
2189 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2193 snat_det_reverse(dm0, &ip0->dst_address,
2194 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2196 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2197 if (PREDICT_FALSE(!ses0))
2199 clib_warning("no match src %U:%d dst %U:%d for user %U",
2200 format_ip4_address, &ip0->src_address,
2201 clib_net_to_host_u16 (tcp0->src),
2202 format_ip4_address, &ip0->dst_address,
2203 clib_net_to_host_u16 (tcp0->dst),
2204 format_ip4_address, &new_addr0);
2205 next0 = SNAT_OUT2IN_NEXT_DROP;
2206 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2209 new_port0 = ses0->in_port;
2211 old_addr0 = ip0->dst_address;
2212 ip0->dst_address = new_addr0;
2213 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2215 sum0 = ip0->checksum;
2216 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2218 dst_address /* changed member */);
2219 ip0->checksum = ip_csum_fold (sum0);
2221 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2223 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2224 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2225 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2226 snat_det_ses_close(dm0, ses0);
2228 old_port0 = tcp0->dst;
2229 tcp0->dst = new_port0;
2231 sum0 = tcp0->checksum;
2232 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2234 dst_address /* changed member */);
2236 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2237 ip4_header_t /* cheat */,
2238 length /* changed member */);
2239 tcp0->checksum = ip_csum_fold(sum0);
2243 old_port0 = udp0->dst_port;
2244 udp0->dst_port = new_port0;
2250 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2251 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2253 snat_out2in_trace_t *t =
2254 vlib_add_trace (vm, node, b0, sizeof (*t));
2255 t->sw_if_index = sw_if_index0;
2256 t->next_index = next0;
2257 t->session_index = ~0;
2259 t->session_index = ses0 - dm0->sessions;
2262 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2264 b1 = vlib_get_buffer (vm, bi1);
2266 ip1 = vlib_buffer_get_current (b1);
2267 udp1 = ip4_next_header (ip1);
2268 tcp1 = (tcp_header_t *) udp1;
2270 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2272 if (PREDICT_FALSE(ip1->ttl == 1))
2274 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2275 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2276 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2278 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2282 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2284 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2286 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2287 icmp1 = (icmp46_header_t *) udp1;
2289 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
2290 rx_fib_index1, node, next1, thread_index,
2295 key1.ext_host_addr = ip1->src_address;
2296 key1.ext_host_port = tcp1->src;
2297 key1.out_port = tcp1->dst;
2299 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
2300 if (PREDICT_FALSE(!dm1))
2302 clib_warning("unknown dst address: %U",
2303 format_ip4_address, &ip1->dst_address);
2304 next1 = SNAT_OUT2IN_NEXT_DROP;
2305 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2309 snat_det_reverse(dm1, &ip1->dst_address,
2310 clib_net_to_host_u16(tcp1->dst), &new_addr1);
2312 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
2313 if (PREDICT_FALSE(!ses1))
2315 clib_warning("no match src %U:%d dst %U:%d for user %U",
2316 format_ip4_address, &ip1->src_address,
2317 clib_net_to_host_u16 (tcp1->src),
2318 format_ip4_address, &ip1->dst_address,
2319 clib_net_to_host_u16 (tcp1->dst),
2320 format_ip4_address, &new_addr1);
2321 next1 = SNAT_OUT2IN_NEXT_DROP;
2322 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2325 new_port1 = ses1->in_port;
2327 old_addr1 = ip1->dst_address;
2328 ip1->dst_address = new_addr1;
2329 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2331 sum1 = ip1->checksum;
2332 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2334 dst_address /* changed member */);
2335 ip1->checksum = ip_csum_fold (sum1);
2337 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2339 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2340 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2341 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
2342 snat_det_ses_close(dm1, ses1);
2344 old_port1 = tcp1->dst;
2345 tcp1->dst = new_port1;
2347 sum1 = tcp1->checksum;
2348 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2350 dst_address /* changed member */);
2352 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2353 ip4_header_t /* cheat */,
2354 length /* changed member */);
2355 tcp1->checksum = ip_csum_fold(sum1);
2359 old_port1 = udp1->dst_port;
2360 udp1->dst_port = new_port1;
2366 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2367 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2369 snat_out2in_trace_t *t =
2370 vlib_add_trace (vm, node, b1, sizeof (*t));
2371 t->sw_if_index = sw_if_index1;
2372 t->next_index = next1;
2373 t->session_index = ~0;
2375 t->session_index = ses1 - dm1->sessions;
2378 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
2380 /* verify speculative enqueues, maybe switch current next frame */
2381 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2382 to_next, n_left_to_next,
2383 bi0, bi1, next0, next1);
2386 while (n_left_from > 0 && n_left_to_next > 0)
2390 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2394 ip4_address_t new_addr0, old_addr0;
2395 u16 new_port0, old_port0;
2396 udp_header_t * udp0;
2397 tcp_header_t * tcp0;
2399 snat_det_out_key_t key0;
2400 snat_det_map_t * dm0;
2401 snat_det_session_t * ses0 = 0;
2403 icmp46_header_t * icmp0;
2405 /* speculatively enqueue b0 to the current next frame */
2411 n_left_to_next -= 1;
2413 b0 = vlib_get_buffer (vm, bi0);
2415 ip0 = vlib_buffer_get_current (b0);
2416 udp0 = ip4_next_header (ip0);
2417 tcp0 = (tcp_header_t *) udp0;
2419 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2421 if (PREDICT_FALSE(ip0->ttl == 1))
2423 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2424 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2425 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2427 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2431 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2433 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2435 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2436 icmp0 = (icmp46_header_t *) udp0;
2438 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2439 rx_fib_index0, node, next0, thread_index,
2444 key0.ext_host_addr = ip0->src_address;
2445 key0.ext_host_port = tcp0->src;
2446 key0.out_port = tcp0->dst;
2448 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2449 if (PREDICT_FALSE(!dm0))
2451 clib_warning("unknown dst address: %U",
2452 format_ip4_address, &ip0->dst_address);
2453 next0 = SNAT_OUT2IN_NEXT_DROP;
2454 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2458 snat_det_reverse(dm0, &ip0->dst_address,
2459 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2461 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2462 if (PREDICT_FALSE(!ses0))
2464 clib_warning("no match src %U:%d dst %U:%d for user %U",
2465 format_ip4_address, &ip0->src_address,
2466 clib_net_to_host_u16 (tcp0->src),
2467 format_ip4_address, &ip0->dst_address,
2468 clib_net_to_host_u16 (tcp0->dst),
2469 format_ip4_address, &new_addr0);
2470 next0 = SNAT_OUT2IN_NEXT_DROP;
2471 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2474 new_port0 = ses0->in_port;
2476 old_addr0 = ip0->dst_address;
2477 ip0->dst_address = new_addr0;
2478 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2480 sum0 = ip0->checksum;
2481 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2483 dst_address /* changed member */);
2484 ip0->checksum = ip_csum_fold (sum0);
2486 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2488 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2489 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2490 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2491 snat_det_ses_close(dm0, ses0);
2493 old_port0 = tcp0->dst;
2494 tcp0->dst = new_port0;
2496 sum0 = tcp0->checksum;
2497 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2499 dst_address /* changed member */);
2501 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2502 ip4_header_t /* cheat */,
2503 length /* changed member */);
2504 tcp0->checksum = ip_csum_fold(sum0);
2508 old_port0 = udp0->dst_port;
2509 udp0->dst_port = new_port0;
2515 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2516 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2518 snat_out2in_trace_t *t =
2519 vlib_add_trace (vm, node, b0, sizeof (*t));
2520 t->sw_if_index = sw_if_index0;
2521 t->next_index = next0;
2522 t->session_index = ~0;
2524 t->session_index = ses0 - dm0->sessions;
2527 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2529 /* verify speculative enqueue, maybe switch current next frame */
2530 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2531 to_next, n_left_to_next,
2535 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2538 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
2539 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2541 return frame->n_vectors;
2544 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
2545 .function = snat_det_out2in_node_fn,
2546 .name = "nat44-det-out2in",
2547 .vector_size = sizeof (u32),
2548 .format_trace = format_snat_out2in_trace,
2549 .type = VLIB_NODE_TYPE_INTERNAL,
2551 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2552 .error_strings = snat_out2in_error_strings,
2554 .runtime_data_bytes = sizeof (snat_runtime_t),
2556 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2558 /* edit / add dispositions here */
2560 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2561 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2562 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2563 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2564 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2567 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
2570 * Get address and port values to be used for ICMP packet translation
2571 * and create session if needed
2573 * @param[in,out] sm NAT main
2574 * @param[in,out] node NAT node runtime
2575 * @param[in] thread_index thread index
2576 * @param[in,out] b0 buffer containing packet to be translated
2577 * @param[out] p_proto protocol used for matching
2578 * @param[out] p_value address and port after NAT translation
2579 * @param[out] p_dont_translate if packet should not be translated
2580 * @param d optional parameter
2581 * @param e optional parameter
2583 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
2584 u32 thread_index, vlib_buffer_t *b0,
2585 ip4_header_t *ip0, u8 *p_proto,
2586 snat_session_key_t *p_value,
2587 u8 *p_dont_translate, void *d, void *e)
2589 icmp46_header_t *icmp0;
2592 snat_det_out_key_t key0;
2593 u8 dont_translate = 0;
2595 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2596 ip4_header_t *inner_ip0;
2597 void *l4_header = 0;
2598 icmp46_header_t *inner_icmp0;
2599 snat_det_map_t * dm0 = 0;
2600 ip4_address_t new_addr0 = {{0}};
2601 snat_det_session_t * ses0 = 0;
2602 ip4_address_t out_addr;
2604 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2605 echo0 = (icmp_echo_header_t *)(icmp0+1);
2606 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2608 if (!icmp_is_error_message (icmp0))
2610 protocol = SNAT_PROTOCOL_ICMP;
2611 key0.ext_host_addr = ip0->src_address;
2612 key0.ext_host_port = 0;
2613 key0.out_port = echo0->identifier;
2614 out_addr = ip0->dst_address;
2618 inner_ip0 = (ip4_header_t *)(echo0+1);
2619 l4_header = ip4_next_header (inner_ip0);
2620 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2621 key0.ext_host_addr = inner_ip0->dst_address;
2622 out_addr = inner_ip0->src_address;
2625 case SNAT_PROTOCOL_ICMP:
2626 inner_icmp0 = (icmp46_header_t*)l4_header;
2627 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2628 key0.ext_host_port = 0;
2629 key0.out_port = inner_echo0->identifier;
2631 case SNAT_PROTOCOL_UDP:
2632 case SNAT_PROTOCOL_TCP:
2633 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2634 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
2637 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
2638 next0 = SNAT_OUT2IN_NEXT_DROP;
2643 dm0 = snat_det_map_by_out(sm, &out_addr);
2644 if (PREDICT_FALSE(!dm0))
2646 /* Don't NAT packet aimed at the intfc address */
2647 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2648 ip0->dst_address.as_u32)))
2653 clib_warning("unknown dst address: %U",
2654 format_ip4_address, &ip0->dst_address);
2658 snat_det_reverse(dm0, &ip0->dst_address,
2659 clib_net_to_host_u16(key0.out_port), &new_addr0);
2661 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2662 if (PREDICT_FALSE(!ses0))
2664 /* Don't NAT packet aimed at the intfc address */
2665 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2666 ip0->dst_address.as_u32)))
2671 clib_warning("no match src %U:%d dst %U:%d for user %U",
2672 format_ip4_address, &key0.ext_host_addr,
2673 clib_net_to_host_u16 (key0.ext_host_port),
2674 format_ip4_address, &out_addr,
2675 clib_net_to_host_u16 (key0.out_port),
2676 format_ip4_address, &new_addr0);
2677 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2678 next0 = SNAT_OUT2IN_NEXT_DROP;
2682 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
2683 !icmp_is_error_message (icmp0)))
2685 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
2686 next0 = SNAT_OUT2IN_NEXT_DROP;
2693 *p_proto = protocol;
2696 p_value->addr = new_addr0;
2697 p_value->fib_index = sm->inside_fib_index;
2698 p_value->port = ses0->in_port;
2700 *p_dont_translate = dont_translate;
2702 *(snat_det_session_t**)d = ses0;
2704 *(snat_det_map_t**)e = dm0;
2708 /**********************/
2709 /*** worker handoff ***/
2710 /**********************/
2712 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
2713 vlib_node_runtime_t * node,
2714 vlib_frame_t * frame)
2716 snat_main_t *sm = &snat_main;
2717 vlib_thread_main_t *tm = vlib_get_thread_main ();
2718 u32 n_left_from, *from, *to_next = 0;
2719 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2720 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2722 vlib_frame_queue_elt_t *hf = 0;
2723 vlib_frame_t *f = 0;
2725 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2726 u32 next_worker_index = 0;
2727 u32 current_worker_index = ~0;
2728 u32 thread_index = vlib_get_thread_index ();
2730 ASSERT (vec_len (sm->workers));
2732 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2734 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2736 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2737 sm->first_worker_index + sm->num_workers - 1,
2738 (vlib_frame_queue_t *) (~0));
2741 from = vlib_frame_vector_args (frame);
2742 n_left_from = frame->n_vectors;
2744 while (n_left_from > 0)
2757 b0 = vlib_get_buffer (vm, bi0);
2759 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2760 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2762 ip0 = vlib_buffer_get_current (b0);
2764 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
2766 if (PREDICT_FALSE (next_worker_index != thread_index))
2770 if (next_worker_index != current_worker_index)
2773 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2775 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
2777 handoff_queue_elt_by_worker_index);
2779 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2780 to_next_worker = &hf->buffer_index[hf->n_vectors];
2781 current_worker_index = next_worker_index;
2784 /* enqueue to correct worker thread */
2785 to_next_worker[0] = bi0;
2787 n_left_to_next_worker--;
2789 if (n_left_to_next_worker == 0)
2791 hf->n_vectors = VLIB_FRAME_SIZE;
2792 vlib_put_frame_queue_elt (hf);
2793 current_worker_index = ~0;
2794 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2801 /* if this is 1st frame */
2804 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
2805 to_next = vlib_frame_vector_args (f);
2813 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2814 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2816 snat_out2in_worker_handoff_trace_t *t =
2817 vlib_add_trace (vm, node, b0, sizeof (*t));
2818 t->next_worker_index = next_worker_index;
2819 t->do_handoff = do_handoff;
2824 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
2827 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2829 /* Ship frames to the worker nodes */
2830 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2832 if (handoff_queue_elt_by_worker_index[i])
2834 hf = handoff_queue_elt_by_worker_index[i];
2836 * It works better to let the handoff node
2837 * rate-adapt, always ship the handoff queue element.
2839 if (1 || hf->n_vectors == hf->last_n_vectors)
2841 vlib_put_frame_queue_elt (hf);
2842 handoff_queue_elt_by_worker_index[i] = 0;
2845 hf->last_n_vectors = hf->n_vectors;
2847 congested_handoff_queue_by_worker_index[i] =
2848 (vlib_frame_queue_t *) (~0);
2851 current_worker_index = ~0;
2852 return frame->n_vectors;
2855 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
2856 .function = snat_out2in_worker_handoff_fn,
2857 .name = "nat44-out2in-worker-handoff",
2858 .vector_size = sizeof (u32),
2859 .format_trace = format_snat_out2in_worker_handoff_trace,
2860 .type = VLIB_NODE_TYPE_INTERNAL,
2869 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
2872 snat_out2in_fast_node_fn (vlib_main_t * vm,
2873 vlib_node_runtime_t * node,
2874 vlib_frame_t * frame)
2876 u32 n_left_from, * from, * to_next;
2877 snat_out2in_next_t next_index;
2878 u32 pkts_processed = 0;
2879 snat_main_t * sm = &snat_main;
2881 from = vlib_frame_vector_args (frame);
2882 n_left_from = frame->n_vectors;
2883 next_index = node->cached_next_index;
2885 while (n_left_from > 0)
2889 vlib_get_next_frame (vm, node, next_index,
2890 to_next, n_left_to_next);
2892 while (n_left_from > 0 && n_left_to_next > 0)
2896 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
2900 u32 new_addr0, old_addr0;
2901 u16 new_port0, old_port0;
2902 udp_header_t * udp0;
2903 tcp_header_t * tcp0;
2904 icmp46_header_t * icmp0;
2905 snat_session_key_t key0, sm0;
2909 /* speculatively enqueue b0 to the current next frame */
2915 n_left_to_next -= 1;
2917 b0 = vlib_get_buffer (vm, bi0);
2919 ip0 = vlib_buffer_get_current (b0);
2920 udp0 = ip4_next_header (ip0);
2921 tcp0 = (tcp_header_t *) udp0;
2922 icmp0 = (icmp46_header_t *) udp0;
2924 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2925 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2927 vnet_feature_next (sw_if_index0, &next0, b0);
2929 if (PREDICT_FALSE(ip0->ttl == 1))
2931 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2932 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2933 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2935 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2939 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2941 if (PREDICT_FALSE (proto0 == ~0))
2944 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2946 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2947 rx_fib_index0, node, next0, ~0, 0, 0);
2951 key0.addr = ip0->dst_address;
2952 key0.port = udp0->dst_port;
2953 key0.fib_index = rx_fib_index0;
2955 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
2957 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2961 new_addr0 = sm0.addr.as_u32;
2962 new_port0 = sm0.port;
2963 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2964 old_addr0 = ip0->dst_address.as_u32;
2965 ip0->dst_address.as_u32 = new_addr0;
2967 sum0 = ip0->checksum;
2968 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2970 dst_address /* changed member */);
2971 ip0->checksum = ip_csum_fold (sum0);
2973 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2975 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2977 old_port0 = tcp0->dst_port;
2978 tcp0->dst_port = new_port0;
2980 sum0 = tcp0->checksum;
2981 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2983 dst_address /* changed member */);
2985 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2986 ip4_header_t /* cheat */,
2987 length /* changed member */);
2988 tcp0->checksum = ip_csum_fold(sum0);
2992 old_port0 = udp0->dst_port;
2993 udp0->dst_port = new_port0;
2999 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3001 sum0 = tcp0->checksum;
3002 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3004 dst_address /* changed member */);
3006 tcp0->checksum = ip_csum_fold(sum0);
3012 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3013 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3015 snat_out2in_trace_t *t =
3016 vlib_add_trace (vm, node, b0, sizeof (*t));
3017 t->sw_if_index = sw_if_index0;
3018 t->next_index = next0;
3021 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3023 /* verify speculative enqueue, maybe switch current next frame */
3024 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3025 to_next, n_left_to_next,
3029 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3032 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
3033 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
3035 return frame->n_vectors;
3038 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
3039 .function = snat_out2in_fast_node_fn,
3040 .name = "nat44-out2in-fast",
3041 .vector_size = sizeof (u32),
3042 .format_trace = format_snat_out2in_fast_trace,
3043 .type = VLIB_NODE_TYPE_INTERNAL,
3045 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3046 .error_strings = snat_out2in_error_strings,
3048 .runtime_data_bytes = sizeof (snat_runtime_t),
3050 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
3052 /* edit / add dispositions here */
3054 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
3055 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
3056 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3057 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
3058 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
3061 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob