2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
28 #include <nat/nat_reass.h>
29 #include <nat/nat_inlines.h>
31 #include <vppinfra/hash.h>
32 #include <vppinfra/error.h>
33 #include <vppinfra/elog.h>
39 } snat_out2in_trace_t;
42 u32 next_worker_index;
44 } snat_out2in_worker_handoff_trace_t;
46 /* packet trace format function */
47 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
49 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
50 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
51 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
53 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
54 t->sw_if_index, t->next_index, t->session_index);
58 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
60 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
61 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
62 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
64 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
65 t->sw_if_index, t->next_index);
69 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
71 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
72 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
73 snat_out2in_worker_handoff_trace_t * t =
74 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
77 m = t->do_handoff ? "next worker" : "same worker";
78 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
87 } nat44_out2in_reass_trace_t;
89 static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args)
91 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
92 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
93 nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *);
95 s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s",
96 t->sw_if_index, t->next_index,
97 t->cached ? "cached" : "translated");
102 vlib_node_registration_t snat_out2in_node;
103 vlib_node_registration_t snat_out2in_fast_node;
104 vlib_node_registration_t snat_out2in_worker_handoff_node;
105 vlib_node_registration_t snat_det_out2in_node;
106 vlib_node_registration_t nat44_out2in_reass_node;
107 vlib_node_registration_t nat44_ed_out2in_node;
108 vlib_node_registration_t nat44_ed_out2in_slowpath_node;
110 #define foreach_snat_out2in_error \
111 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
112 _(OUT2IN_PACKETS, "Good out2in packets processed") \
113 _(OUT_OF_PORTS, "Out of ports") \
114 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
115 _(NO_TRANSLATION, "No translation") \
116 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
117 _(DROP_FRAGMENT, "Drop fragment") \
118 _(MAX_REASS, "Maximum reassemblies exceeded") \
119 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")\
120 _(FQ_CONGESTED, "Handoff frame queue congested")
123 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
124 foreach_snat_out2in_error
127 } snat_out2in_error_t;
129 static char * snat_out2in_error_strings[] = {
130 #define _(sym,string) string,
131 foreach_snat_out2in_error
136 SNAT_OUT2IN_NEXT_DROP,
137 SNAT_OUT2IN_NEXT_LOOKUP,
138 SNAT_OUT2IN_NEXT_ICMP_ERROR,
139 SNAT_OUT2IN_NEXT_REASS,
141 } snat_out2in_next_t;
144 * @brief Create session for static mapping.
146 * Create NAT session initiated by host from external network with static
149 * @param sm NAT main.
150 * @param b0 Vlib buffer.
151 * @param in2out In2out NAT44 session key.
152 * @param out2in Out2in NAT44 session key.
153 * @param node Vlib node.
155 * @returns SNAT session if successfully created otherwise 0.
157 static inline snat_session_t *
158 create_session_for_static_mapping (snat_main_t *sm,
160 snat_session_key_t in2out,
161 snat_session_key_t out2in,
162 vlib_node_runtime_t * node,
167 clib_bihash_kv_8_8_t kv0;
171 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
173 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
174 nat_log_notice ("maximum sessions exceeded");
178 ip0 = vlib_buffer_get_current (b0);
179 udp0 = ip4_next_header (ip0);
181 u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
184 nat_log_warn ("create NAT user failed");
188 s = nat_session_alloc_or_recycle (sm, u, thread_index);
191 nat44_delete_user_with_no_session (sm, u, thread_index);
192 nat_log_warn ("create NAT session failed");
196 s->outside_address_index = ~0;
197 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
198 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
199 s->ext_host_port = udp0->src_port;
200 user_session_increment (sm, u, 1 /* static */);
203 s->in2out.protocol = out2in.protocol;
205 /* Add to translation hashes */
206 kv0.key = s->in2out.as_u64;
207 kv0.value = s - sm->per_thread_data[thread_index].sessions;
208 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
210 nat_log_notice ("in2out key add failed");
212 kv0.key = s->out2in.as_u64;
214 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
216 nat_log_notice ("out2in key add failed");
219 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
220 s->out2in.addr.as_u32,
224 s->in2out.fib_index);
229 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
230 snat_session_key_t *p_key0)
232 icmp46_header_t *icmp0;
233 snat_session_key_t key0;
234 icmp_echo_header_t *echo0, *inner_echo0 = 0;
235 ip4_header_t *inner_ip0;
237 icmp46_header_t *inner_icmp0;
239 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
240 echo0 = (icmp_echo_header_t *)(icmp0+1);
242 if (!icmp_is_error_message (icmp0))
244 key0.protocol = SNAT_PROTOCOL_ICMP;
245 key0.addr = ip0->dst_address;
246 key0.port = echo0->identifier;
250 inner_ip0 = (ip4_header_t *)(echo0+1);
251 l4_header = ip4_next_header (inner_ip0);
252 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
253 key0.addr = inner_ip0->src_address;
254 switch (key0.protocol)
256 case SNAT_PROTOCOL_ICMP:
257 inner_icmp0 = (icmp46_header_t*)l4_header;
258 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
259 key0.port = inner_echo0->identifier;
261 case SNAT_PROTOCOL_UDP:
262 case SNAT_PROTOCOL_TCP:
263 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
266 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
270 return -1; /* success */
274 * Get address and port values to be used for ICMP packet translation
275 * and create session if needed
277 * @param[in,out] sm NAT main
278 * @param[in,out] node NAT node runtime
279 * @param[in] thread_index thread index
280 * @param[in,out] b0 buffer containing packet to be translated
281 * @param[out] p_proto protocol used for matching
282 * @param[out] p_value address and port after NAT translation
283 * @param[out] p_dont_translate if packet should not be translated
284 * @param d optional parameter
285 * @param e optional parameter
287 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
288 u32 thread_index, vlib_buffer_t *b0,
289 ip4_header_t *ip0, u8 *p_proto,
290 snat_session_key_t *p_value,
291 u8 *p_dont_translate, void *d, void *e)
293 icmp46_header_t *icmp0;
296 snat_session_key_t key0;
297 snat_session_key_t sm0;
298 snat_session_t *s0 = 0;
299 u8 dont_translate = 0;
300 clib_bihash_kv_8_8_t kv0, value0;
305 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
306 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
307 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
311 err = icmp_get_key (ip0, &key0);
314 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
315 next0 = SNAT_OUT2IN_NEXT_DROP;
318 key0.fib_index = rx_fib_index0;
320 kv0.key = key0.as_u64;
322 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
325 /* Try to match static mapping by external address and port,
326 destination address and port in packet */
327 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
329 if (!sm->forwarding_enabled)
331 /* Don't NAT packet aimed at the intfc address */
332 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
333 ip0->dst_address.as_u32)))
338 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
339 next0 = SNAT_OUT2IN_NEXT_DROP;
349 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
350 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
352 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
353 next0 = SNAT_OUT2IN_NEXT_DROP;
357 /* Create session initiated by host from external network */
358 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
363 next0 = SNAT_OUT2IN_NEXT_DROP;
369 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
370 icmp0->type != ICMP4_echo_request &&
371 !icmp_is_error_message (icmp0)))
373 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
374 next0 = SNAT_OUT2IN_NEXT_DROP;
378 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
383 *p_proto = key0.protocol;
385 *p_value = s0->in2out;
386 *p_dont_translate = dont_translate;
388 *(snat_session_t**)d = s0;
393 * Get address and port values to be used for ICMP packet translation
395 * @param[in] sm NAT main
396 * @param[in,out] node NAT node runtime
397 * @param[in] thread_index thread index
398 * @param[in,out] b0 buffer containing packet to be translated
399 * @param[out] p_proto protocol used for matching
400 * @param[out] p_value address and port after NAT translation
401 * @param[out] p_dont_translate if packet should not be translated
402 * @param d optional parameter
403 * @param e optional parameter
405 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
406 u32 thread_index, vlib_buffer_t *b0,
407 ip4_header_t *ip0, u8 *p_proto,
408 snat_session_key_t *p_value,
409 u8 *p_dont_translate, void *d, void *e)
411 icmp46_header_t *icmp0;
414 snat_session_key_t key0;
415 snat_session_key_t sm0;
416 u8 dont_translate = 0;
421 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
422 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
423 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
425 err = icmp_get_key (ip0, &key0);
428 b0->error = node->errors[err];
429 next0 = SNAT_OUT2IN_NEXT_DROP;
432 key0.fib_index = rx_fib_index0;
434 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
436 /* Don't NAT packet aimed at the intfc address */
437 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
442 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
443 next0 = SNAT_OUT2IN_NEXT_DROP;
447 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
448 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
449 !icmp_is_error_message (icmp0)))
451 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
452 next0 = SNAT_OUT2IN_NEXT_DROP;
459 *p_proto = key0.protocol;
460 *p_dont_translate = dont_translate;
464 static inline u32 icmp_out2in (snat_main_t *sm,
467 icmp46_header_t * icmp0,
470 vlib_node_runtime_t * node,
476 snat_session_key_t sm0;
478 icmp_echo_header_t *echo0, *inner_echo0 = 0;
479 ip4_header_t *inner_ip0 = 0;
481 icmp46_header_t *inner_icmp0;
483 u32 new_addr0, old_addr0;
484 u16 old_id0, new_id0;
489 echo0 = (icmp_echo_header_t *)(icmp0+1);
491 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
492 &protocol, &sm0, &dont_translate, d, e);
495 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
498 sum0 = ip_incremental_checksum (0, icmp0,
499 ntohs(ip0->length) - ip4_header_bytes (ip0));
500 checksum0 = ~ip_csum_fold (sum0);
501 if (checksum0 != 0 && checksum0 != 0xffff)
503 next0 = SNAT_OUT2IN_NEXT_DROP;
507 old_addr0 = ip0->dst_address.as_u32;
508 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
509 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
511 sum0 = ip0->checksum;
512 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
513 dst_address /* changed member */);
514 ip0->checksum = ip_csum_fold (sum0);
516 if (icmp0->checksum == 0)
517 icmp0->checksum = 0xffff;
519 if (!icmp_is_error_message (icmp0))
522 if (PREDICT_FALSE(new_id0 != echo0->identifier))
524 old_id0 = echo0->identifier;
526 echo0->identifier = new_id0;
528 sum0 = icmp0->checksum;
529 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
530 identifier /* changed member */);
531 icmp0->checksum = ip_csum_fold (sum0);
536 inner_ip0 = (ip4_header_t *)(echo0+1);
537 l4_header = ip4_next_header (inner_ip0);
539 if (!ip4_header_checksum_is_valid (inner_ip0))
541 next0 = SNAT_OUT2IN_NEXT_DROP;
545 old_addr0 = inner_ip0->src_address.as_u32;
546 inner_ip0->src_address = sm0.addr;
547 new_addr0 = inner_ip0->src_address.as_u32;
549 sum0 = icmp0->checksum;
550 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
551 src_address /* changed member */);
552 icmp0->checksum = ip_csum_fold (sum0);
556 case SNAT_PROTOCOL_ICMP:
557 inner_icmp0 = (icmp46_header_t*)l4_header;
558 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
560 old_id0 = inner_echo0->identifier;
562 inner_echo0->identifier = new_id0;
564 sum0 = icmp0->checksum;
565 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
567 icmp0->checksum = ip_csum_fold (sum0);
569 case SNAT_PROTOCOL_UDP:
570 case SNAT_PROTOCOL_TCP:
571 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
573 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
575 sum0 = icmp0->checksum;
576 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
578 icmp0->checksum = ip_csum_fold (sum0);
590 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
593 icmp46_header_t * icmp0,
596 vlib_node_runtime_t * node,
599 snat_session_t ** p_s0)
601 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
602 next0, thread_index, p_s0, 0);
603 snat_session_t * s0 = *p_s0;
604 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
607 nat44_session_update_counters (s0, now,
608 vlib_buffer_length_in_chain (sm->vlib_main, b0));
609 /* Per-user LRU list maintenance */
610 nat44_session_update_lru (sm, s0, thread_index);
616 nat_out2in_sm_unknown_proto (snat_main_t *sm,
621 clib_bihash_kv_8_8_t kv, value;
622 snat_static_mapping_t *m;
623 snat_session_key_t m_key;
624 u32 old_addr, new_addr;
627 m_key.addr = ip->dst_address;
631 kv.key = m_key.as_u64;
632 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
635 m = pool_elt_at_index (sm->static_mappings, value.value);
637 old_addr = ip->dst_address.as_u32;
638 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
640 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
641 ip->checksum = ip_csum_fold (sum);
643 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
648 snat_out2in_node_fn (vlib_main_t * vm,
649 vlib_node_runtime_t * node,
650 vlib_frame_t * frame)
652 u32 n_left_from, * from, * to_next;
653 snat_out2in_next_t next_index;
654 u32 pkts_processed = 0;
655 snat_main_t * sm = &snat_main;
656 f64 now = vlib_time_now (vm);
657 u32 thread_index = vm->thread_index;
659 from = vlib_frame_vector_args (frame);
660 n_left_from = frame->n_vectors;
661 next_index = node->cached_next_index;
663 while (n_left_from > 0)
667 vlib_get_next_frame (vm, node, next_index,
668 to_next, n_left_to_next);
670 while (n_left_from >= 4 && n_left_to_next >= 2)
673 vlib_buffer_t * b0, * b1;
674 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
675 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
676 u32 sw_if_index0, sw_if_index1;
677 ip4_header_t * ip0, *ip1;
678 ip_csum_t sum0, sum1;
679 u32 new_addr0, old_addr0;
680 u16 new_port0, old_port0;
681 u32 new_addr1, old_addr1;
682 u16 new_port1, old_port1;
683 udp_header_t * udp0, * udp1;
684 tcp_header_t * tcp0, * tcp1;
685 icmp46_header_t * icmp0, * icmp1;
686 snat_session_key_t key0, key1, sm0, sm1;
687 u32 rx_fib_index0, rx_fib_index1;
689 snat_session_t * s0 = 0, * s1 = 0;
690 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
692 /* Prefetch next iteration. */
694 vlib_buffer_t * p2, * p3;
696 p2 = vlib_get_buffer (vm, from[2]);
697 p3 = vlib_get_buffer (vm, from[3]);
699 vlib_prefetch_buffer_header (p2, LOAD);
700 vlib_prefetch_buffer_header (p3, LOAD);
702 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
703 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
706 /* speculatively enqueue b0 and b1 to the current next frame */
707 to_next[0] = bi0 = from[0];
708 to_next[1] = bi1 = from[1];
714 b0 = vlib_get_buffer (vm, bi0);
715 b1 = vlib_get_buffer (vm, bi1);
717 vnet_buffer (b0)->snat.flags = 0;
718 vnet_buffer (b1)->snat.flags = 0;
720 ip0 = vlib_buffer_get_current (b0);
721 udp0 = ip4_next_header (ip0);
722 tcp0 = (tcp_header_t *) udp0;
723 icmp0 = (icmp46_header_t *) udp0;
725 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
726 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
729 if (PREDICT_FALSE(ip0->ttl == 1))
731 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
732 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
733 ICMP4_time_exceeded_ttl_exceeded_in_transit,
735 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
739 proto0 = ip_proto_to_snat_proto (ip0->protocol);
741 if (PREDICT_FALSE (proto0 == ~0))
743 if (nat_out2in_sm_unknown_proto(sm, b0, ip0, rx_fib_index0))
745 if (!sm->forwarding_enabled)
747 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
748 next0 = SNAT_OUT2IN_NEXT_DROP;
754 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
756 next0 = icmp_out2in_slow_path
757 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
758 next0, now, thread_index, &s0);
762 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
764 next0 = SNAT_OUT2IN_NEXT_REASS;
768 key0.addr = ip0->dst_address;
769 key0.port = udp0->dst_port;
770 key0.protocol = proto0;
771 key0.fib_index = rx_fib_index0;
773 kv0.key = key0.as_u64;
775 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
778 /* Try to match static mapping by external address and port,
779 destination address and port in packet */
780 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
783 * Send DHCP packets to the ipv4 stack, or we won't
784 * be able to use dhcp client on the outside interface
786 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
787 && (udp0->dst_port ==
788 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
790 vnet_feature_next (&next0, b0);
794 if (!sm->forwarding_enabled)
796 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
797 next0 = SNAT_OUT2IN_NEXT_DROP;
802 /* Create session initiated by host from external network */
803 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
807 next0 = SNAT_OUT2IN_NEXT_DROP;
812 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
815 old_addr0 = ip0->dst_address.as_u32;
816 ip0->dst_address = s0->in2out.addr;
817 new_addr0 = ip0->dst_address.as_u32;
818 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
820 sum0 = ip0->checksum;
821 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
823 dst_address /* changed member */);
824 ip0->checksum = ip_csum_fold (sum0);
826 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
828 old_port0 = tcp0->dst_port;
829 tcp0->dst_port = s0->in2out.port;
830 new_port0 = tcp0->dst_port;
832 sum0 = tcp0->checksum;
833 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
835 dst_address /* changed member */);
837 sum0 = ip_csum_update (sum0, old_port0, new_port0,
838 ip4_header_t /* cheat */,
839 length /* changed member */);
840 tcp0->checksum = ip_csum_fold(sum0);
844 old_port0 = udp0->dst_port;
845 udp0->dst_port = s0->in2out.port;
850 nat44_session_update_counters (s0, now,
851 vlib_buffer_length_in_chain (vm, b0));
852 /* Per-user LRU list maintenance */
853 nat44_session_update_lru (sm, s0, thread_index);
856 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
857 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
859 snat_out2in_trace_t *t =
860 vlib_add_trace (vm, node, b0, sizeof (*t));
861 t->sw_if_index = sw_if_index0;
862 t->next_index = next0;
863 t->session_index = ~0;
865 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
868 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
871 ip1 = vlib_buffer_get_current (b1);
872 udp1 = ip4_next_header (ip1);
873 tcp1 = (tcp_header_t *) udp1;
874 icmp1 = (icmp46_header_t *) udp1;
876 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
877 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
880 if (PREDICT_FALSE(ip1->ttl == 1))
882 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
883 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
884 ICMP4_time_exceeded_ttl_exceeded_in_transit,
886 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
890 proto1 = ip_proto_to_snat_proto (ip1->protocol);
892 if (PREDICT_FALSE (proto1 == ~0))
894 if (nat_out2in_sm_unknown_proto(sm, b1, ip1, rx_fib_index1))
896 if (!sm->forwarding_enabled)
898 b1->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
899 next1 = SNAT_OUT2IN_NEXT_DROP;
905 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
907 next1 = icmp_out2in_slow_path
908 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
909 next1, now, thread_index, &s1);
913 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
915 next1 = SNAT_OUT2IN_NEXT_REASS;
919 key1.addr = ip1->dst_address;
920 key1.port = udp1->dst_port;
921 key1.protocol = proto1;
922 key1.fib_index = rx_fib_index1;
924 kv1.key = key1.as_u64;
926 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
929 /* Try to match static mapping by external address and port,
930 destination address and port in packet */
931 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0, 0))
934 * Send DHCP packets to the ipv4 stack, or we won't
935 * be able to use dhcp client on the outside interface
937 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
938 && (udp1->dst_port ==
939 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
941 vnet_feature_next (&next1, b1);
945 if (!sm->forwarding_enabled)
947 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
948 next1 = SNAT_OUT2IN_NEXT_DROP;
953 /* Create session initiated by host from external network */
954 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
958 next1 = SNAT_OUT2IN_NEXT_DROP;
963 s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
966 old_addr1 = ip1->dst_address.as_u32;
967 ip1->dst_address = s1->in2out.addr;
968 new_addr1 = ip1->dst_address.as_u32;
969 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
971 sum1 = ip1->checksum;
972 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
974 dst_address /* changed member */);
975 ip1->checksum = ip_csum_fold (sum1);
977 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
979 old_port1 = tcp1->dst_port;
980 tcp1->dst_port = s1->in2out.port;
981 new_port1 = tcp1->dst_port;
983 sum1 = tcp1->checksum;
984 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
986 dst_address /* changed member */);
988 sum1 = ip_csum_update (sum1, old_port1, new_port1,
989 ip4_header_t /* cheat */,
990 length /* changed member */);
991 tcp1->checksum = ip_csum_fold(sum1);
995 old_port1 = udp1->dst_port;
996 udp1->dst_port = s1->in2out.port;
1001 nat44_session_update_counters (s1, now,
1002 vlib_buffer_length_in_chain (vm, b1));
1003 /* Per-user LRU list maintenance */
1004 nat44_session_update_lru (sm, s1, thread_index);
1007 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1008 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1010 snat_out2in_trace_t *t =
1011 vlib_add_trace (vm, node, b1, sizeof (*t));
1012 t->sw_if_index = sw_if_index1;
1013 t->next_index = next1;
1014 t->session_index = ~0;
1016 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1019 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1021 /* verify speculative enqueues, maybe switch current next frame */
1022 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1023 to_next, n_left_to_next,
1024 bi0, bi1, next0, next1);
1027 while (n_left_from > 0 && n_left_to_next > 0)
1031 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1035 u32 new_addr0, old_addr0;
1036 u16 new_port0, old_port0;
1037 udp_header_t * udp0;
1038 tcp_header_t * tcp0;
1039 icmp46_header_t * icmp0;
1040 snat_session_key_t key0, sm0;
1043 snat_session_t * s0 = 0;
1044 clib_bihash_kv_8_8_t kv0, value0;
1046 /* speculatively enqueue b0 to the current next frame */
1052 n_left_to_next -= 1;
1054 b0 = vlib_get_buffer (vm, bi0);
1056 vnet_buffer (b0)->snat.flags = 0;
1058 ip0 = vlib_buffer_get_current (b0);
1059 udp0 = ip4_next_header (ip0);
1060 tcp0 = (tcp_header_t *) udp0;
1061 icmp0 = (icmp46_header_t *) udp0;
1063 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1064 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1067 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1069 if (PREDICT_FALSE (proto0 == ~0))
1071 if (nat_out2in_sm_unknown_proto(sm, b0, ip0, rx_fib_index0))
1073 if (!sm->forwarding_enabled)
1075 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1076 next0 = SNAT_OUT2IN_NEXT_DROP;
1082 if (PREDICT_FALSE(ip0->ttl == 1))
1084 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1085 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1086 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1088 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1092 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1094 next0 = icmp_out2in_slow_path
1095 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1096 next0, now, thread_index, &s0);
1100 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1102 next0 = SNAT_OUT2IN_NEXT_REASS;
1106 key0.addr = ip0->dst_address;
1107 key0.port = udp0->dst_port;
1108 key0.protocol = proto0;
1109 key0.fib_index = rx_fib_index0;
1111 kv0.key = key0.as_u64;
1113 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1116 /* Try to match static mapping by external address and port,
1117 destination address and port in packet */
1118 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1121 * Send DHCP packets to the ipv4 stack, or we won't
1122 * be able to use dhcp client on the outside interface
1124 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1125 && (udp0->dst_port ==
1126 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1128 vnet_feature_next (&next0, b0);
1132 if (!sm->forwarding_enabled)
1134 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1135 next0 = SNAT_OUT2IN_NEXT_DROP;
1140 /* Create session initiated by host from external network */
1141 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1145 next0 = SNAT_OUT2IN_NEXT_DROP;
1150 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1153 old_addr0 = ip0->dst_address.as_u32;
1154 ip0->dst_address = s0->in2out.addr;
1155 new_addr0 = ip0->dst_address.as_u32;
1156 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1158 sum0 = ip0->checksum;
1159 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1161 dst_address /* changed member */);
1162 ip0->checksum = ip_csum_fold (sum0);
1164 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1166 old_port0 = tcp0->dst_port;
1167 tcp0->dst_port = s0->in2out.port;
1168 new_port0 = tcp0->dst_port;
1170 sum0 = tcp0->checksum;
1171 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1173 dst_address /* changed member */);
1175 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1176 ip4_header_t /* cheat */,
1177 length /* changed member */);
1178 tcp0->checksum = ip_csum_fold(sum0);
1182 old_port0 = udp0->dst_port;
1183 udp0->dst_port = s0->in2out.port;
1188 nat44_session_update_counters (s0, now,
1189 vlib_buffer_length_in_chain (vm, b0));
1190 /* Per-user LRU list maintenance */
1191 nat44_session_update_lru (sm, s0, thread_index);
1194 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1195 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1197 snat_out2in_trace_t *t =
1198 vlib_add_trace (vm, node, b0, sizeof (*t));
1199 t->sw_if_index = sw_if_index0;
1200 t->next_index = next0;
1201 t->session_index = ~0;
1203 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1206 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1208 /* verify speculative enqueue, maybe switch current next frame */
1209 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1210 to_next, n_left_to_next,
1214 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1217 vlib_node_increment_counter (vm, snat_out2in_node.index,
1218 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1220 return frame->n_vectors;
1223 VLIB_REGISTER_NODE (snat_out2in_node) = {
1224 .function = snat_out2in_node_fn,
1225 .name = "nat44-out2in",
1226 .vector_size = sizeof (u32),
1227 .format_trace = format_snat_out2in_trace,
1228 .type = VLIB_NODE_TYPE_INTERNAL,
1230 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1231 .error_strings = snat_out2in_error_strings,
1233 .runtime_data_bytes = sizeof (snat_runtime_t),
1235 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1237 /* edit / add dispositions here */
1239 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1240 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1241 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1242 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1245 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1248 nat44_out2in_reass_node_fn (vlib_main_t * vm,
1249 vlib_node_runtime_t * node,
1250 vlib_frame_t * frame)
1252 u32 n_left_from, *from, *to_next;
1253 snat_out2in_next_t next_index;
1254 u32 pkts_processed = 0;
1255 snat_main_t *sm = &snat_main;
1256 f64 now = vlib_time_now (vm);
1257 u32 thread_index = vm->thread_index;
1258 snat_main_per_thread_data_t *per_thread_data =
1259 &sm->per_thread_data[thread_index];
1260 u32 *fragments_to_drop = 0;
1261 u32 *fragments_to_loopback = 0;
1263 from = vlib_frame_vector_args (frame);
1264 n_left_from = frame->n_vectors;
1265 next_index = node->cached_next_index;
1267 while (n_left_from > 0)
1271 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1273 while (n_left_from > 0 && n_left_to_next > 0)
1275 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1280 nat_reass_ip4_t *reass0;
1281 udp_header_t * udp0;
1282 tcp_header_t * tcp0;
1283 snat_session_key_t key0, sm0;
1284 clib_bihash_kv_8_8_t kv0, value0;
1285 snat_session_t * s0 = 0;
1286 u16 old_port0, new_port0;
1289 /* speculatively enqueue b0 to the current next frame */
1295 n_left_to_next -= 1;
1297 b0 = vlib_get_buffer (vm, bi0);
1298 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1300 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1301 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1304 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
1306 next0 = SNAT_OUT2IN_NEXT_DROP;
1307 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1311 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1312 udp0 = ip4_next_header (ip0);
1313 tcp0 = (tcp_header_t *) udp0;
1314 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1316 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1321 &fragments_to_drop);
1323 if (PREDICT_FALSE (!reass0))
1325 next0 = SNAT_OUT2IN_NEXT_DROP;
1326 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1327 nat_log_notice ("maximum reassemblies exceeded");
1331 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1333 key0.addr = ip0->dst_address;
1334 key0.port = udp0->dst_port;
1335 key0.protocol = proto0;
1336 key0.fib_index = rx_fib_index0;
1337 kv0.key = key0.as_u64;
1339 if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0))
1341 /* Try to match static mapping by external address and port,
1342 destination address and port in packet */
1343 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1346 * Send DHCP packets to the ipv4 stack, or we won't
1347 * be able to use dhcp client on the outside interface
1349 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1351 == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1353 vnet_feature_next (&next0, b0);
1357 if (!sm->forwarding_enabled)
1359 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1360 next0 = SNAT_OUT2IN_NEXT_DROP;
1365 /* Create session initiated by host from external network */
1366 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1370 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1371 next0 = SNAT_OUT2IN_NEXT_DROP;
1374 reass0->sess_index = s0 - per_thread_data->sessions;
1375 reass0->thread_index = thread_index;
1379 s0 = pool_elt_at_index (per_thread_data->sessions,
1381 reass0->sess_index = value0.value;
1383 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1387 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
1389 if (nat_ip4_reass_add_fragment (reass0, bi0))
1391 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1392 nat_log_notice ("maximum fragments per reassembly exceeded");
1393 next0 = SNAT_OUT2IN_NEXT_DROP;
1399 s0 = pool_elt_at_index (per_thread_data->sessions,
1400 reass0->sess_index);
1403 old_addr0 = ip0->dst_address.as_u32;
1404 ip0->dst_address = s0->in2out.addr;
1405 new_addr0 = ip0->dst_address.as_u32;
1406 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1408 sum0 = ip0->checksum;
1409 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1411 dst_address /* changed member */);
1412 ip0->checksum = ip_csum_fold (sum0);
1414 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1416 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1418 old_port0 = tcp0->dst_port;
1419 tcp0->dst_port = s0->in2out.port;
1420 new_port0 = tcp0->dst_port;
1422 sum0 = tcp0->checksum;
1423 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1425 dst_address /* changed member */);
1427 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1428 ip4_header_t /* cheat */,
1429 length /* changed member */);
1430 tcp0->checksum = ip_csum_fold(sum0);
1434 old_port0 = udp0->dst_port;
1435 udp0->dst_port = s0->in2out.port;
1441 nat44_session_update_counters (s0, now,
1442 vlib_buffer_length_in_chain (vm, b0));
1443 /* Per-user LRU list maintenance */
1444 nat44_session_update_lru (sm, s0, thread_index);
1447 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1448 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1450 nat44_out2in_reass_trace_t *t =
1451 vlib_add_trace (vm, node, b0, sizeof (*t));
1452 t->cached = cached0;
1453 t->sw_if_index = sw_if_index0;
1454 t->next_index = next0;
1464 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1466 /* verify speculative enqueue, maybe switch current next frame */
1467 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1468 to_next, n_left_to_next,
1472 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1474 from = vlib_frame_vector_args (frame);
1475 u32 len = vec_len (fragments_to_loopback);
1476 if (len <= VLIB_FRAME_SIZE)
1478 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
1480 vec_reset_length (fragments_to_loopback);
1485 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
1486 sizeof (u32) * VLIB_FRAME_SIZE);
1487 n_left_from = VLIB_FRAME_SIZE;
1488 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1493 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1496 vlib_node_increment_counter (vm, nat44_out2in_reass_node.index,
1497 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1500 nat_send_all_to_node (vm, fragments_to_drop, node,
1501 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
1502 SNAT_OUT2IN_NEXT_DROP);
1504 vec_free (fragments_to_drop);
1505 vec_free (fragments_to_loopback);
1506 return frame->n_vectors;
1509 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
1510 .function = nat44_out2in_reass_node_fn,
1511 .name = "nat44-out2in-reass",
1512 .vector_size = sizeof (u32),
1513 .format_trace = format_nat44_out2in_reass_trace,
1514 .type = VLIB_NODE_TYPE_INTERNAL,
1516 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1517 .error_strings = snat_out2in_error_strings,
1519 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1521 /* edit / add dispositions here */
1523 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1524 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1525 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1526 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1529 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
1530 nat44_out2in_reass_node_fn);
1532 /*******************************/
1533 /*** endpoint-dependent mode ***/
1534 /*******************************/
1536 NAT44_ED_OUT2IN_NEXT_DROP,
1537 NAT44_ED_OUT2IN_NEXT_LOOKUP,
1538 NAT44_ED_OUT2IN_NEXT_ICMP_ERROR,
1539 NAT44_ED_OUT2IN_NEXT_IN2OUT,
1540 NAT44_ED_OUT2IN_NEXT_SLOW_PATH,
1541 NAT44_ED_OUT2IN_N_NEXT,
1542 } nat44_ed_out2in_next_t;
1549 } nat44_ed_out2in_trace_t;
1552 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
1554 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1555 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1556 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
1559 tag = t->is_slow_path ? "NAT44_OUT2IN_SLOW_PATH" : "NAT44_OUT2IN_FAST_PATH";
1561 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
1562 t->sw_if_index, t->next_index, t->session_index);
1567 static snat_session_t *
1568 create_session_for_static_mapping_ed (snat_main_t * sm,
1570 snat_session_key_t l_key,
1571 snat_session_key_t e_key,
1572 vlib_node_runtime_t * node,
1574 twice_nat_type_t twice_nat,
1581 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1582 clib_bihash_kv_16_8_t kv;
1583 snat_session_key_t eh_key;
1586 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1588 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
1589 nat_log_notice ("maximum sessions exceeded");
1593 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index, thread_index);
1596 nat_log_warn ("create NAT user failed");
1600 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1603 nat44_delete_user_with_no_session (sm, u, thread_index);
1604 nat_log_warn ("create NAT session failed");
1608 ip = vlib_buffer_get_current (b);
1609 udp = ip4_next_header (ip);
1611 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
1612 s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port;
1613 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1615 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1616 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
1617 s->outside_address_index = ~0;
1620 s->in2out.protocol = s->out2in.protocol;
1621 user_session_increment (sm, u, 1);
1623 /* Add to lookup tables */
1624 make_ed_kv (&kv, &e_key.addr, &s->ext_host_addr, ip->protocol,
1625 e_key.fib_index, e_key.port, s->ext_host_port);
1626 kv.value = s - tsm->sessions;
1627 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 1))
1628 nat_log_notice ("out2in-ed key add failed");
1630 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
1631 ip->src_address.as_u32 == l_key.addr.as_u32))
1633 eh_key.protocol = e_key.protocol;
1634 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
1635 thread_index, &eh_key,
1637 sm->port_per_thread,
1638 tsm->snat_thread_index))
1640 b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS];
1641 nat44_delete_session (sm, s, thread_index);
1642 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0))
1643 nat_log_notice ("out2in-ed key del failed");
1646 s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
1647 s->ext_host_nat_port = eh_key.port;
1648 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
1649 make_ed_kv (&kv, &l_key.addr, &s->ext_host_nat_addr, ip->protocol,
1650 l_key.fib_index, l_key.port, s->ext_host_nat_port);
1654 make_ed_kv (&kv, &l_key.addr, &s->ext_host_addr, ip->protocol,
1655 l_key.fib_index, l_key.port, s->ext_host_port);
1657 kv.value = s - tsm->sessions;
1658 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
1659 nat_log_notice ("in2out-ed key add failed");
1664 static_always_inline int
1665 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
1667 icmp46_header_t *icmp0;
1668 nat_ed_ses_key_t key0;
1669 icmp_echo_header_t *echo0, *inner_echo0 = 0;
1670 ip4_header_t *inner_ip0;
1671 void *l4_header = 0;
1672 icmp46_header_t *inner_icmp0;
1674 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
1675 echo0 = (icmp_echo_header_t *)(icmp0+1);
1677 if (!icmp_is_error_message (icmp0))
1679 key0.proto = IP_PROTOCOL_ICMP;
1680 key0.l_addr = ip0->dst_address;
1681 key0.r_addr = ip0->src_address;
1682 key0.l_port = echo0->identifier;
1687 inner_ip0 = (ip4_header_t *)(echo0+1);
1688 l4_header = ip4_next_header (inner_ip0);
1689 key0.proto = inner_ip0->protocol;
1690 key0.l_addr = inner_ip0->src_address;
1691 key0.r_addr = inner_ip0->dst_address;
1692 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
1694 case SNAT_PROTOCOL_ICMP:
1695 inner_icmp0 = (icmp46_header_t*)l4_header;
1696 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
1697 key0.l_port = inner_echo0->identifier;
1700 case SNAT_PROTOCOL_UDP:
1701 case SNAT_PROTOCOL_TCP:
1702 key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port;
1703 key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port;
1714 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port,
1715 u16 dst_port, u32 thread_index, u32 rx_fib_index)
1717 clib_bihash_kv_16_8_t kv, value;
1718 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1720 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto,
1721 rx_fib_index, src_port, dst_port);
1722 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
1729 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
1732 nat_ed_ses_key_t key;
1733 clib_bihash_kv_16_8_t kv, value;
1736 snat_session_t *s = 0;
1737 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1738 f64 now = vlib_time_now (sm->vlib_main);
1740 if (ip->protocol == IP_PROTOCOL_ICMP)
1742 if (icmp_get_ed_key (ip, &key))
1745 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
1747 udp = ip4_next_header(ip);
1748 key.r_addr = ip->src_address;
1749 key.l_addr = ip->dst_address;
1750 key.proto = ip->protocol;
1751 key.l_port = udp->dst_port;
1752 key.r_port = udp->src_port;
1756 key.r_addr = ip->src_address;
1757 key.l_addr = ip->dst_address;
1758 key.proto = ip->protocol;
1759 key.l_port = key.r_port = 0;
1762 kv.key[0] = key.as_u64[0];
1763 kv.key[1] = key.as_u64[1];
1765 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
1767 s = pool_elt_at_index (tsm->sessions, value.value);
1771 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1774 u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index,
1778 nat_log_warn ("create NAT user failed");
1782 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1785 nat44_delete_user_with_no_session (sm, u, thread_index);
1786 nat_log_warn ("create NAT session failed");
1790 s->ext_host_addr = key.r_addr;
1791 s->ext_host_port = key.r_port;
1792 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
1793 s->outside_address_index = ~0;
1794 s->out2in.addr = key.l_addr;
1795 s->out2in.port = key.l_port;
1796 s->out2in.protocol = ip_proto_to_snat_proto (key.proto);
1797 s->out2in.fib_index = 0;
1798 s->in2out = s->out2in;
1799 user_session_increment (sm, u, 0);
1801 kv.value = s - tsm->sessions;
1802 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
1803 nat_log_notice ("in2out_ed key add failed");
1806 if (ip->protocol == IP_PROTOCOL_TCP)
1808 tcp_header_t *tcp = ip4_next_header(ip);
1809 if (nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index))
1813 /* Per-user LRU list maintenance */
1814 nat44_session_update_lru (sm, s, thread_index);
1816 nat44_session_update_counters (s, now, 0);
1820 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
1821 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
1822 u8 * p_proto, snat_session_key_t * p_value,
1823 u8 * p_dont_translate, void * d, void * e)
1825 u32 next = ~0, sw_if_index, rx_fib_index;
1826 icmp46_header_t *icmp;
1827 nat_ed_ses_key_t key;
1828 clib_bihash_kv_16_8_t kv, value;
1829 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1830 snat_session_t *s = 0;
1831 u8 dont_translate = 0, is_addr_only;
1832 snat_session_key_t e_key, l_key;
1834 icmp = (icmp46_header_t *) ip4_next_header (ip);
1835 sw_if_index = vnet_buffer(b)->sw_if_index[VLIB_RX];
1836 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
1838 if (icmp_get_ed_key (ip, &key))
1840 b->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1841 next = SNAT_OUT2IN_NEXT_DROP;
1844 key.fib_index = rx_fib_index;
1845 kv.key[0] = key.as_u64[0];
1846 kv.key[1] = key.as_u64[1];
1848 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
1850 /* Try to match static mapping */
1851 e_key.addr = ip->dst_address;
1852 e_key.port = key.l_port;
1853 e_key.protocol = ip_proto_to_snat_proto (key.proto);
1854 e_key.fib_index = rx_fib_index;
1855 if (snat_static_mapping_match(sm, e_key, &l_key, 1, &is_addr_only, 0, 0))
1857 if (!sm->forwarding_enabled)
1859 /* Don't NAT packet aimed at the intfc address */
1860 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index,
1861 ip->dst_address.as_u32)))
1866 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1867 next = NAT44_ED_OUT2IN_NEXT_DROP;
1873 if (next_src_nat(sm, ip, key.proto, key.l_port, key.r_port,
1874 thread_index, rx_fib_index))
1876 next = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1879 create_bypass_for_fwd(sm, ip, rx_fib_index, thread_index);
1884 if (PREDICT_FALSE(icmp->type != ICMP4_echo_reply &&
1885 (icmp->type != ICMP4_echo_request || !is_addr_only)))
1887 b->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
1888 next = NAT44_ED_OUT2IN_NEXT_DROP;
1892 /* Create session initiated by host from external network */
1893 s = create_session_for_static_mapping_ed(sm, b, l_key, e_key, node,
1894 thread_index, 0, 0);
1898 next = NAT44_ED_OUT2IN_NEXT_DROP;
1904 if (PREDICT_FALSE(icmp->type != ICMP4_echo_reply &&
1905 icmp->type != ICMP4_echo_request &&
1906 !icmp_is_error_message (icmp)))
1908 b->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
1909 next = SNAT_OUT2IN_NEXT_DROP;
1913 s = pool_elt_at_index (tsm->sessions, value.value);
1916 *p_proto = ip_proto_to_snat_proto (key.proto);
1919 *p_value = s->in2out;
1920 *p_dont_translate = dont_translate;
1922 *(snat_session_t**)d = s;
1926 static snat_session_t *
1927 nat44_ed_out2in_unknown_proto (snat_main_t *sm,
1934 vlib_node_runtime_t * node)
1936 clib_bihash_kv_8_8_t kv, value;
1937 clib_bihash_kv_16_8_t s_kv, s_value;
1938 snat_static_mapping_t *m;
1939 u32 old_addr, new_addr;
1942 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1945 old_addr = ip->dst_address.as_u32;
1947 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
1948 rx_fib_index, 0, 0);
1950 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
1952 s = pool_elt_at_index (tsm->sessions, s_value.value);
1953 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1957 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1959 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
1960 nat_log_notice ("maximum sessions exceeded");
1964 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
1965 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1967 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1971 m = pool_elt_at_index (sm->static_mappings, value.value);
1973 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
1975 u = nat_user_get_or_create (sm, &m->local_addr, m->fib_index,
1979 nat_log_warn ("create NAT user failed");
1983 /* Create a new session */
1984 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1987 nat44_delete_user_with_no_session (sm, u, thread_index);
1988 nat_log_warn ("create NAT session failed");
1992 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
1993 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1994 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1995 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
1996 s->outside_address_index = ~0;
1997 s->out2in.addr.as_u32 = old_addr;
1998 s->out2in.fib_index = rx_fib_index;
1999 s->in2out.addr.as_u32 = new_addr;
2000 s->in2out.fib_index = m->fib_index;
2001 s->in2out.port = s->out2in.port = ip->protocol;
2002 user_session_increment (sm, u, 1);
2004 /* Add to lookup tables */
2005 s_kv.value = s - tsm->sessions;
2006 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
2007 nat_log_notice ("out2in key add failed");
2009 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
2010 m->fib_index, 0, 0);
2011 s_kv.value = s - tsm->sessions;
2012 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
2013 nat_log_notice ("in2out key add failed");
2016 /* Update IP checksum */
2018 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
2019 ip->checksum = ip_csum_fold (sum);
2021 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
2024 nat44_session_update_counters (s, now,
2025 vlib_buffer_length_in_chain (vm, b));
2026 /* Per-user LRU list maintenance */
2027 nat44_session_update_lru (sm, s, thread_index);
2033 nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
2034 vlib_node_runtime_t * node,
2035 vlib_frame_t * frame, int is_slow_path)
2037 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
2038 nat44_ed_out2in_next_t next_index;
2039 snat_main_t *sm = &snat_main;
2040 f64 now = vlib_time_now (vm);
2041 u32 thread_index = vm->thread_index;
2042 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2044 stats_node_index = is_slow_path ? nat44_ed_out2in_slowpath_node.index :
2045 nat44_ed_out2in_node.index;
2047 from = vlib_frame_vector_args (frame);
2048 n_left_from = frame->n_vectors;
2049 next_index = node->cached_next_index;
2051 while (n_left_from > 0)
2055 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2057 while (n_left_from >= 4 && n_left_to_next >= 2)
2060 vlib_buffer_t *b0, *b1;
2061 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, new_addr0;
2062 u32 next1, sw_if_index1, rx_fib_index1, proto1, old_addr1, new_addr1;
2063 u16 old_port0, new_port0, old_port1, new_port1;
2064 ip4_header_t *ip0, *ip1;
2065 udp_header_t *udp0, *udp1;
2066 tcp_header_t *tcp0, *tcp1;
2067 icmp46_header_t *icmp0, *icmp1;
2068 snat_session_t *s0 = 0, *s1 = 0;
2069 clib_bihash_kv_16_8_t kv0, value0, kv1, value1;
2070 ip_csum_t sum0, sum1;
2071 snat_session_key_t e_key0, l_key0, e_key1, l_key1;
2073 twice_nat_type_t twice_nat0, twice_nat1;
2075 /* Prefetch next iteration. */
2077 vlib_buffer_t * p2, * p3;
2079 p2 = vlib_get_buffer (vm, from[2]);
2080 p3 = vlib_get_buffer (vm, from[3]);
2082 vlib_prefetch_buffer_header (p2, LOAD);
2083 vlib_prefetch_buffer_header (p3, LOAD);
2085 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2086 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2089 /* speculatively enqueue b0 and b1 to the current next frame */
2090 to_next[0] = bi0 = from[0];
2091 to_next[1] = bi1 = from[1];
2095 n_left_to_next -= 2;
2097 b0 = vlib_get_buffer (vm, bi0);
2098 b1 = vlib_get_buffer (vm, bi1);
2100 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
2101 vnet_buffer (b0)->snat.flags = 0;
2102 ip0 = vlib_buffer_get_current (b0);
2104 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2105 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2108 if (PREDICT_FALSE(ip0->ttl == 1))
2110 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2111 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2112 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2114 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
2118 udp0 = ip4_next_header (ip0);
2119 tcp0 = (tcp_header_t *) udp0;
2120 icmp0 = (icmp46_header_t *) udp0;
2121 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2125 if (PREDICT_FALSE (proto0 == ~0))
2127 s0 = nat44_ed_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
2128 thread_index, now, vm, node);
2129 if (!sm->forwarding_enabled)
2132 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2137 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2139 next0 = icmp_out2in_slow_path
2140 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2141 next0, now, thread_index, &s0);
2147 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
2149 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2153 if (ip4_is_fragment (ip0))
2155 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
2156 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2161 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, ip0->protocol,
2162 rx_fib_index0, udp0->dst_port, udp0->src_port);
2164 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
2168 /* Try to match static mapping by external address and port,
2169 destination address and port in packet */
2170 e_key0.addr = ip0->dst_address;
2171 e_key0.port = udp0->dst_port;
2172 e_key0.protocol = proto0;
2173 e_key0.fib_index = rx_fib_index0;
2174 if (snat_static_mapping_match(sm, e_key0, &l_key0, 1, 0,
2175 &twice_nat0, &is_lb0))
2178 * Send DHCP packets to the ipv4 stack, or we won't
2179 * be able to use dhcp client on the outside interface
2181 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
2182 && (udp0->dst_port ==
2183 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
2185 vnet_feature_next (&next0, b0);
2189 if (!sm->forwarding_enabled)
2191 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2192 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2196 if (next_src_nat(sm, ip0, ip0->protocol,
2197 udp0->src_port, udp0->dst_port,
2198 thread_index, rx_fib_index0))
2200 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
2203 create_bypass_for_fwd(sm, ip0, rx_fib_index0,
2209 /* Create session initiated by host from external network */
2210 s0 = create_session_for_static_mapping_ed(sm, b0, l_key0,
2213 twice_nat0, is_lb0);
2217 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2223 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2229 s0 = pool_elt_at_index (tsm->sessions, value0.value);
2232 old_addr0 = ip0->dst_address.as_u32;
2233 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
2234 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2236 sum0 = ip0->checksum;
2237 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2239 if (PREDICT_FALSE (is_twice_nat_session (s0)))
2240 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2241 s0->ext_host_nat_addr.as_u32, ip4_header_t,
2243 ip0->checksum = ip_csum_fold (sum0);
2245 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
2247 old_port0 = tcp0->dst_port;
2248 new_port0 = tcp0->dst_port = s0->in2out.port;
2250 sum0 = tcp0->checksum;
2251 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2253 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
2255 if (is_twice_nat_session (s0))
2257 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2258 s0->ext_host_nat_addr.as_u32,
2259 ip4_header_t, dst_address);
2260 sum0 = ip_csum_update (sum0, tcp0->src_port,
2261 s0->ext_host_nat_port, ip4_header_t,
2263 tcp0->src_port = s0->ext_host_nat_port;
2264 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2266 tcp0->checksum = ip_csum_fold(sum0);
2267 if (nat44_set_tcp_session_state_o2i (sm, s0, tcp0, thread_index))
2272 udp0->dst_port = s0->in2out.port;
2273 if (is_twice_nat_session (s0))
2275 udp0->src_port = s0->ext_host_nat_port;
2276 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2282 nat44_session_update_counters (s0, now,
2283 vlib_buffer_length_in_chain (vm, b0));
2284 /* Per-user LRU list maintenance */
2285 nat44_session_update_lru (sm, s0, thread_index);
2288 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2289 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2291 nat44_ed_out2in_trace_t *t =
2292 vlib_add_trace (vm, node, b0, sizeof (*t));
2293 t->is_slow_path = is_slow_path;
2294 t->sw_if_index = sw_if_index0;
2295 t->next_index = next0;
2296 t->session_index = ~0;
2298 t->session_index = s0 - tsm->sessions;
2301 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
2303 next1 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
2304 vnet_buffer (b1)->snat.flags = 0;
2305 ip1 = vlib_buffer_get_current (b1);
2307 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2308 rx_fib_index1 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2311 if (PREDICT_FALSE(ip1->ttl == 1))
2313 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2314 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2315 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2317 next1 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
2321 udp1 = ip4_next_header (ip1);
2322 tcp1 = (tcp_header_t *) udp1;
2323 icmp1 = (icmp46_header_t *) udp1;
2324 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2328 if (PREDICT_FALSE (proto1 == ~0))
2330 s1 = nat44_ed_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
2331 thread_index, now, vm, node);
2332 if (!sm->forwarding_enabled)
2335 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2340 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
2342 next1 = icmp_out2in_slow_path
2343 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
2344 next1, now, thread_index, &s1);
2350 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
2352 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2356 if (ip4_is_fragment (ip1))
2358 b1->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
2359 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2364 make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address, ip1->protocol,
2365 rx_fib_index1, udp1->dst_port, udp1->src_port);
2367 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1))
2371 /* Try to match static mapping by external address and port,
2372 destination address and port in packet */
2373 e_key1.addr = ip1->dst_address;
2374 e_key1.port = udp1->dst_port;
2375 e_key1.protocol = proto1;
2376 e_key1.fib_index = rx_fib_index1;
2377 if (snat_static_mapping_match(sm, e_key1, &l_key1, 1, 0,
2378 &twice_nat1, &is_lb1))
2381 * Send DHCP packets to the ipv4 stack, or we won't
2382 * be able to use dhcp client on the outside interface
2384 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
2385 && (udp1->dst_port ==
2386 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
2388 vnet_feature_next (&next1, b1);
2392 if (!sm->forwarding_enabled)
2394 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2395 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2399 if (next_src_nat(sm, ip1, ip1->protocol,
2400 udp1->src_port, udp1->dst_port,
2401 thread_index, rx_fib_index1))
2403 next1 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
2406 create_bypass_for_fwd(sm, ip1, rx_fib_index1,
2412 /* Create session initiated by host from external network */
2413 s1 = create_session_for_static_mapping_ed(sm, b1, l_key1,
2416 twice_nat1, is_lb1);
2420 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2426 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2432 s1 = pool_elt_at_index (tsm->sessions, value1.value);
2435 old_addr1 = ip1->dst_address.as_u32;
2436 new_addr1 = ip1->dst_address.as_u32 = s1->in2out.addr.as_u32;
2437 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
2439 sum1 = ip1->checksum;
2440 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
2442 if (PREDICT_FALSE (is_twice_nat_session (s1)))
2443 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
2444 s1->ext_host_nat_addr.as_u32, ip4_header_t,
2446 ip1->checksum = ip_csum_fold (sum1);
2448 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
2450 old_port1 = tcp1->dst_port;
2451 new_port1 = tcp1->dst_port = s1->in2out.port;
2453 sum1 = tcp1->checksum;
2454 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
2456 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
2458 if (is_twice_nat_session (s1))
2460 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
2461 s1->ext_host_nat_addr.as_u32,
2462 ip4_header_t, dst_address);
2463 sum1 = ip_csum_update (sum1, tcp1->src_port,
2464 s1->ext_host_nat_port, ip4_header_t,
2466 tcp1->src_port = s1->ext_host_nat_port;
2467 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
2469 tcp1->checksum = ip_csum_fold(sum1);
2470 if (nat44_set_tcp_session_state_o2i (sm, s1, tcp1, thread_index))
2475 udp1->dst_port = s1->in2out.port;
2476 if (is_twice_nat_session (s1))
2478 udp1->src_port = s1->ext_host_nat_port;
2479 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
2485 nat44_session_update_counters (s1, now,
2486 vlib_buffer_length_in_chain (vm, b1));
2487 /* Per-user LRU list maintenance */
2488 nat44_session_update_lru (sm, s1, thread_index);
2491 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2492 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2494 nat44_ed_out2in_trace_t *t =
2495 vlib_add_trace (vm, node, b1, sizeof (*t));
2496 t->is_slow_path = is_slow_path;
2497 t->sw_if_index = sw_if_index1;
2498 t->next_index = next1;
2499 t->session_index = ~0;
2501 t->session_index = s1 - tsm->sessions;
2504 pkts_processed += next1 != NAT44_ED_OUT2IN_NEXT_DROP;
2506 /* verify speculative enqueues, maybe switch current next frame */
2507 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2508 to_next, n_left_to_next,
2509 bi0, bi1, next0, next1);
2512 while (n_left_from > 0 && n_left_to_next > 0)
2516 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, new_addr0;
2517 u16 old_port0, new_port0;
2521 icmp46_header_t * icmp0;
2522 snat_session_t *s0 = 0;
2523 clib_bihash_kv_16_8_t kv0, value0;
2525 snat_session_key_t e_key0, l_key0;
2527 twice_nat_type_t twice_nat0;
2529 /* speculatively enqueue b0 to the current next frame */
2535 n_left_to_next -= 1;
2537 b0 = vlib_get_buffer (vm, bi0);
2538 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
2539 vnet_buffer (b0)->snat.flags = 0;
2540 ip0 = vlib_buffer_get_current (b0);
2542 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2543 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2546 if (PREDICT_FALSE(ip0->ttl == 1))
2548 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2549 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2550 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2552 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
2556 udp0 = ip4_next_header (ip0);
2557 tcp0 = (tcp_header_t *) udp0;
2558 icmp0 = (icmp46_header_t *) udp0;
2559 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2563 if (PREDICT_FALSE (proto0 == ~0))
2565 s0 = nat44_ed_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
2566 thread_index, now, vm, node);
2567 if (!sm->forwarding_enabled)
2570 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2575 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2577 next0 = icmp_out2in_slow_path
2578 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2579 next0, now, thread_index, &s0);
2585 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
2587 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2591 if (ip4_is_fragment (ip0))
2593 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
2594 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2599 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, ip0->protocol,
2600 rx_fib_index0, udp0->dst_port, udp0->src_port);
2602 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
2606 /* Try to match static mapping by external address and port,
2607 destination address and port in packet */
2608 e_key0.addr = ip0->dst_address;
2609 e_key0.port = udp0->dst_port;
2610 e_key0.protocol = proto0;
2611 e_key0.fib_index = rx_fib_index0;
2612 if (snat_static_mapping_match(sm, e_key0, &l_key0, 1, 0,
2613 &twice_nat0, &is_lb0))
2616 * Send DHCP packets to the ipv4 stack, or we won't
2617 * be able to use dhcp client on the outside interface
2619 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
2620 && (udp0->dst_port ==
2621 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
2623 vnet_feature_next (&next0, b0);
2627 if (!sm->forwarding_enabled)
2629 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2630 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2634 if (next_src_nat(sm, ip0, ip0->protocol,
2635 udp0->src_port, udp0->dst_port,
2636 thread_index, rx_fib_index0))
2638 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
2641 create_bypass_for_fwd(sm, ip0, rx_fib_index0,
2647 /* Create session initiated by host from external network */
2648 s0 = create_session_for_static_mapping_ed(sm, b0, l_key0,
2651 twice_nat0, is_lb0);
2655 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2661 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2667 s0 = pool_elt_at_index (tsm->sessions, value0.value);
2670 old_addr0 = ip0->dst_address.as_u32;
2671 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
2672 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2674 sum0 = ip0->checksum;
2675 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2677 if (PREDICT_FALSE (is_twice_nat_session (s0)))
2678 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2679 s0->ext_host_nat_addr.as_u32, ip4_header_t,
2681 ip0->checksum = ip_csum_fold (sum0);
2683 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
2685 old_port0 = tcp0->dst_port;
2686 new_port0 = tcp0->dst_port = s0->in2out.port;
2688 sum0 = tcp0->checksum;
2689 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2691 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
2693 if (is_twice_nat_session (s0))
2695 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2696 s0->ext_host_nat_addr.as_u32,
2697 ip4_header_t, dst_address);
2698 sum0 = ip_csum_update (sum0, tcp0->src_port,
2699 s0->ext_host_nat_port, ip4_header_t,
2701 tcp0->src_port = s0->ext_host_nat_port;
2702 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2704 tcp0->checksum = ip_csum_fold(sum0);
2705 if (nat44_set_tcp_session_state_o2i (sm, s0, tcp0, thread_index))
2710 udp0->dst_port = s0->in2out.port;
2711 if (is_twice_nat_session (s0))
2713 udp0->src_port = s0->ext_host_nat_port;
2714 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2720 nat44_session_update_counters (s0, now,
2721 vlib_buffer_length_in_chain (vm, b0));
2722 /* Per-user LRU list maintenance */
2723 nat44_session_update_lru (sm, s0, thread_index);
2726 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2727 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2729 nat44_ed_out2in_trace_t *t =
2730 vlib_add_trace (vm, node, b0, sizeof (*t));
2731 t->is_slow_path = is_slow_path;
2732 t->sw_if_index = sw_if_index0;
2733 t->next_index = next0;
2734 t->session_index = ~0;
2736 t->session_index = s0 - tsm->sessions;
2739 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
2741 /* verify speculative enqueue, maybe switch current next frame */
2742 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2743 to_next, n_left_to_next,
2747 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2750 vlib_node_increment_counter (vm, stats_node_index,
2751 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2753 return frame->n_vectors;
2757 nat44_ed_out2in_fast_path_fn (vlib_main_t * vm,
2758 vlib_node_runtime_t * node,
2759 vlib_frame_t * frame)
2761 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 0);
2764 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
2765 .function = nat44_ed_out2in_fast_path_fn,
2766 .name = "nat44-ed-out2in",
2767 .vector_size = sizeof (u32),
2768 .format_trace = format_nat44_ed_out2in_trace,
2769 .type = VLIB_NODE_TYPE_INTERNAL,
2771 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2772 .error_strings = snat_out2in_error_strings,
2774 .runtime_data_bytes = sizeof (snat_runtime_t),
2776 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
2778 /* edit / add dispositions here */
2780 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
2781 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2782 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
2783 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2784 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
2788 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_node, nat44_ed_out2in_fast_path_fn);
2791 nat44_ed_out2in_slow_path_fn (vlib_main_t * vm,
2792 vlib_node_runtime_t * node,
2793 vlib_frame_t * frame)
2795 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 1);
2798 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
2799 .function = nat44_ed_out2in_slow_path_fn,
2800 .name = "nat44-ed-out2in-slowpath",
2801 .vector_size = sizeof (u32),
2802 .format_trace = format_nat44_ed_out2in_trace,
2803 .type = VLIB_NODE_TYPE_INTERNAL,
2805 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2806 .error_strings = snat_out2in_error_strings,
2808 .runtime_data_bytes = sizeof (snat_runtime_t),
2810 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
2812 /* edit / add dispositions here */
2814 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
2815 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2816 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
2817 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2818 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
2822 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_slowpath_node,
2823 nat44_ed_out2in_slow_path_fn);
2825 /**************************/
2826 /*** deterministic mode ***/
2827 /**************************/
2829 snat_det_out2in_node_fn (vlib_main_t * vm,
2830 vlib_node_runtime_t * node,
2831 vlib_frame_t * frame)
2833 u32 n_left_from, * from, * to_next;
2834 snat_out2in_next_t next_index;
2835 u32 pkts_processed = 0;
2836 snat_main_t * sm = &snat_main;
2837 u32 thread_index = vm->thread_index;
2839 from = vlib_frame_vector_args (frame);
2840 n_left_from = frame->n_vectors;
2841 next_index = node->cached_next_index;
2843 while (n_left_from > 0)
2847 vlib_get_next_frame (vm, node, next_index,
2848 to_next, n_left_to_next);
2850 while (n_left_from >= 4 && n_left_to_next >= 2)
2853 vlib_buffer_t * b0, * b1;
2854 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2855 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
2856 u32 sw_if_index0, sw_if_index1;
2857 ip4_header_t * ip0, * ip1;
2858 ip_csum_t sum0, sum1;
2859 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2860 u16 new_port0, old_port0, old_port1, new_port1;
2861 udp_header_t * udp0, * udp1;
2862 tcp_header_t * tcp0, * tcp1;
2864 snat_det_out_key_t key0, key1;
2865 snat_det_map_t * dm0, * dm1;
2866 snat_det_session_t * ses0 = 0, * ses1 = 0;
2867 u32 rx_fib_index0, rx_fib_index1;
2868 icmp46_header_t * icmp0, * icmp1;
2870 /* Prefetch next iteration. */
2872 vlib_buffer_t * p2, * p3;
2874 p2 = vlib_get_buffer (vm, from[2]);
2875 p3 = vlib_get_buffer (vm, from[3]);
2877 vlib_prefetch_buffer_header (p2, LOAD);
2878 vlib_prefetch_buffer_header (p3, LOAD);
2880 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2881 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2884 /* speculatively enqueue b0 and b1 to the current next frame */
2885 to_next[0] = bi0 = from[0];
2886 to_next[1] = bi1 = from[1];
2890 n_left_to_next -= 2;
2892 b0 = vlib_get_buffer (vm, bi0);
2893 b1 = vlib_get_buffer (vm, bi1);
2895 ip0 = vlib_buffer_get_current (b0);
2896 udp0 = ip4_next_header (ip0);
2897 tcp0 = (tcp_header_t *) udp0;
2899 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2901 if (PREDICT_FALSE(ip0->ttl == 1))
2903 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2904 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2905 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2907 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2911 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2913 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2915 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2916 icmp0 = (icmp46_header_t *) udp0;
2918 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2919 rx_fib_index0, node, next0, thread_index,
2924 key0.ext_host_addr = ip0->src_address;
2925 key0.ext_host_port = tcp0->src;
2926 key0.out_port = tcp0->dst;
2928 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2929 if (PREDICT_FALSE(!dm0))
2931 nat_log_info ("unknown dst address: %U",
2932 format_ip4_address, &ip0->dst_address);
2933 next0 = SNAT_OUT2IN_NEXT_DROP;
2934 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2938 snat_det_reverse(dm0, &ip0->dst_address,
2939 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2941 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2942 if (PREDICT_FALSE(!ses0))
2944 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
2945 format_ip4_address, &ip0->src_address,
2946 clib_net_to_host_u16 (tcp0->src),
2947 format_ip4_address, &ip0->dst_address,
2948 clib_net_to_host_u16 (tcp0->dst),
2949 format_ip4_address, &new_addr0);
2950 next0 = SNAT_OUT2IN_NEXT_DROP;
2951 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2954 new_port0 = ses0->in_port;
2956 old_addr0 = ip0->dst_address;
2957 ip0->dst_address = new_addr0;
2958 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2960 sum0 = ip0->checksum;
2961 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2963 dst_address /* changed member */);
2964 ip0->checksum = ip_csum_fold (sum0);
2966 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2968 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2969 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2970 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2971 snat_det_ses_close(dm0, ses0);
2973 old_port0 = tcp0->dst;
2974 tcp0->dst = new_port0;
2976 sum0 = tcp0->checksum;
2977 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2979 dst_address /* changed member */);
2981 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2982 ip4_header_t /* cheat */,
2983 length /* changed member */);
2984 tcp0->checksum = ip_csum_fold(sum0);
2988 old_port0 = udp0->dst_port;
2989 udp0->dst_port = new_port0;
2995 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2996 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2998 snat_out2in_trace_t *t =
2999 vlib_add_trace (vm, node, b0, sizeof (*t));
3000 t->sw_if_index = sw_if_index0;
3001 t->next_index = next0;
3002 t->session_index = ~0;
3004 t->session_index = ses0 - dm0->sessions;
3007 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3009 b1 = vlib_get_buffer (vm, bi1);
3011 ip1 = vlib_buffer_get_current (b1);
3012 udp1 = ip4_next_header (ip1);
3013 tcp1 = (tcp_header_t *) udp1;
3015 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
3017 if (PREDICT_FALSE(ip1->ttl == 1))
3019 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3020 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
3021 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3023 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
3027 proto1 = ip_proto_to_snat_proto (ip1->protocol);
3029 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
3031 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
3032 icmp1 = (icmp46_header_t *) udp1;
3034 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
3035 rx_fib_index1, node, next1, thread_index,
3040 key1.ext_host_addr = ip1->src_address;
3041 key1.ext_host_port = tcp1->src;
3042 key1.out_port = tcp1->dst;
3044 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
3045 if (PREDICT_FALSE(!dm1))
3047 nat_log_info ("unknown dst address: %U",
3048 format_ip4_address, &ip1->dst_address);
3049 next1 = SNAT_OUT2IN_NEXT_DROP;
3050 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3054 snat_det_reverse(dm1, &ip1->dst_address,
3055 clib_net_to_host_u16(tcp1->dst), &new_addr1);
3057 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
3058 if (PREDICT_FALSE(!ses1))
3060 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
3061 format_ip4_address, &ip1->src_address,
3062 clib_net_to_host_u16 (tcp1->src),
3063 format_ip4_address, &ip1->dst_address,
3064 clib_net_to_host_u16 (tcp1->dst),
3065 format_ip4_address, &new_addr1);
3066 next1 = SNAT_OUT2IN_NEXT_DROP;
3067 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3070 new_port1 = ses1->in_port;
3072 old_addr1 = ip1->dst_address;
3073 ip1->dst_address = new_addr1;
3074 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
3076 sum1 = ip1->checksum;
3077 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3079 dst_address /* changed member */);
3080 ip1->checksum = ip_csum_fold (sum1);
3082 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
3084 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
3085 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
3086 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
3087 snat_det_ses_close(dm1, ses1);
3089 old_port1 = tcp1->dst;
3090 tcp1->dst = new_port1;
3092 sum1 = tcp1->checksum;
3093 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3095 dst_address /* changed member */);
3097 sum1 = ip_csum_update (sum1, old_port1, new_port1,
3098 ip4_header_t /* cheat */,
3099 length /* changed member */);
3100 tcp1->checksum = ip_csum_fold(sum1);
3104 old_port1 = udp1->dst_port;
3105 udp1->dst_port = new_port1;
3111 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3112 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
3114 snat_out2in_trace_t *t =
3115 vlib_add_trace (vm, node, b1, sizeof (*t));
3116 t->sw_if_index = sw_if_index1;
3117 t->next_index = next1;
3118 t->session_index = ~0;
3120 t->session_index = ses1 - dm1->sessions;
3123 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
3125 /* verify speculative enqueues, maybe switch current next frame */
3126 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
3127 to_next, n_left_to_next,
3128 bi0, bi1, next0, next1);
3131 while (n_left_from > 0 && n_left_to_next > 0)
3135 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
3139 ip4_address_t new_addr0, old_addr0;
3140 u16 new_port0, old_port0;
3141 udp_header_t * udp0;
3142 tcp_header_t * tcp0;
3144 snat_det_out_key_t key0;
3145 snat_det_map_t * dm0;
3146 snat_det_session_t * ses0 = 0;
3148 icmp46_header_t * icmp0;
3150 /* speculatively enqueue b0 to the current next frame */
3156 n_left_to_next -= 1;
3158 b0 = vlib_get_buffer (vm, bi0);
3160 ip0 = vlib_buffer_get_current (b0);
3161 udp0 = ip4_next_header (ip0);
3162 tcp0 = (tcp_header_t *) udp0;
3164 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3166 if (PREDICT_FALSE(ip0->ttl == 1))
3168 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3169 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3170 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3172 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
3176 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3178 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
3180 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3181 icmp0 = (icmp46_header_t *) udp0;
3183 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
3184 rx_fib_index0, node, next0, thread_index,
3189 key0.ext_host_addr = ip0->src_address;
3190 key0.ext_host_port = tcp0->src;
3191 key0.out_port = tcp0->dst;
3193 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
3194 if (PREDICT_FALSE(!dm0))
3196 nat_log_info ("unknown dst address: %U",
3197 format_ip4_address, &ip0->dst_address);
3198 next0 = SNAT_OUT2IN_NEXT_DROP;
3199 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3203 snat_det_reverse(dm0, &ip0->dst_address,
3204 clib_net_to_host_u16(tcp0->dst), &new_addr0);
3206 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
3207 if (PREDICT_FALSE(!ses0))
3209 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
3210 format_ip4_address, &ip0->src_address,
3211 clib_net_to_host_u16 (tcp0->src),
3212 format_ip4_address, &ip0->dst_address,
3213 clib_net_to_host_u16 (tcp0->dst),
3214 format_ip4_address, &new_addr0);
3215 next0 = SNAT_OUT2IN_NEXT_DROP;
3216 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3219 new_port0 = ses0->in_port;
3221 old_addr0 = ip0->dst_address;
3222 ip0->dst_address = new_addr0;
3223 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
3225 sum0 = ip0->checksum;
3226 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3228 dst_address /* changed member */);
3229 ip0->checksum = ip_csum_fold (sum0);
3231 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3233 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
3234 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
3235 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
3236 snat_det_ses_close(dm0, ses0);
3238 old_port0 = tcp0->dst;
3239 tcp0->dst = new_port0;
3241 sum0 = tcp0->checksum;
3242 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3244 dst_address /* changed member */);
3246 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3247 ip4_header_t /* cheat */,
3248 length /* changed member */);
3249 tcp0->checksum = ip_csum_fold(sum0);
3253 old_port0 = udp0->dst_port;
3254 udp0->dst_port = new_port0;
3260 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3261 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3263 snat_out2in_trace_t *t =
3264 vlib_add_trace (vm, node, b0, sizeof (*t));
3265 t->sw_if_index = sw_if_index0;
3266 t->next_index = next0;
3267 t->session_index = ~0;
3269 t->session_index = ses0 - dm0->sessions;
3272 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3274 /* verify speculative enqueue, maybe switch current next frame */
3275 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3276 to_next, n_left_to_next,
3280 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3283 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
3284 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
3286 return frame->n_vectors;
3289 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
3290 .function = snat_det_out2in_node_fn,
3291 .name = "nat44-det-out2in",
3292 .vector_size = sizeof (u32),
3293 .format_trace = format_snat_out2in_trace,
3294 .type = VLIB_NODE_TYPE_INTERNAL,
3296 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3297 .error_strings = snat_out2in_error_strings,
3299 .runtime_data_bytes = sizeof (snat_runtime_t),
3301 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
3303 /* edit / add dispositions here */
3305 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
3306 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
3307 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3308 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
3311 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
3314 * Get address and port values to be used for ICMP packet translation
3315 * and create session if needed
3317 * @param[in,out] sm NAT main
3318 * @param[in,out] node NAT node runtime
3319 * @param[in] thread_index thread index
3320 * @param[in,out] b0 buffer containing packet to be translated
3321 * @param[out] p_proto protocol used for matching
3322 * @param[out] p_value address and port after NAT translation
3323 * @param[out] p_dont_translate if packet should not be translated
3324 * @param d optional parameter
3325 * @param e optional parameter
3327 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
3328 u32 thread_index, vlib_buffer_t *b0,
3329 ip4_header_t *ip0, u8 *p_proto,
3330 snat_session_key_t *p_value,
3331 u8 *p_dont_translate, void *d, void *e)
3333 icmp46_header_t *icmp0;
3336 snat_det_out_key_t key0;
3337 u8 dont_translate = 0;
3339 icmp_echo_header_t *echo0, *inner_echo0 = 0;
3340 ip4_header_t *inner_ip0;
3341 void *l4_header = 0;
3342 icmp46_header_t *inner_icmp0;
3343 snat_det_map_t * dm0 = 0;
3344 ip4_address_t new_addr0 = {{0}};
3345 snat_det_session_t * ses0 = 0;
3346 ip4_address_t out_addr;
3348 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
3349 echo0 = (icmp_echo_header_t *)(icmp0+1);
3350 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3352 if (!icmp_is_error_message (icmp0))
3354 protocol = SNAT_PROTOCOL_ICMP;
3355 key0.ext_host_addr = ip0->src_address;
3356 key0.ext_host_port = 0;
3357 key0.out_port = echo0->identifier;
3358 out_addr = ip0->dst_address;
3362 inner_ip0 = (ip4_header_t *)(echo0+1);
3363 l4_header = ip4_next_header (inner_ip0);
3364 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
3365 key0.ext_host_addr = inner_ip0->dst_address;
3366 out_addr = inner_ip0->src_address;
3369 case SNAT_PROTOCOL_ICMP:
3370 inner_icmp0 = (icmp46_header_t*)l4_header;
3371 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
3372 key0.ext_host_port = 0;
3373 key0.out_port = inner_echo0->identifier;
3375 case SNAT_PROTOCOL_UDP:
3376 case SNAT_PROTOCOL_TCP:
3377 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
3378 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
3381 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
3382 next0 = SNAT_OUT2IN_NEXT_DROP;
3387 dm0 = snat_det_map_by_out(sm, &out_addr);
3388 if (PREDICT_FALSE(!dm0))
3390 /* Don't NAT packet aimed at the intfc address */
3391 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
3392 ip0->dst_address.as_u32)))
3397 nat_log_info ("unknown dst address: %U",
3398 format_ip4_address, &ip0->dst_address);
3402 snat_det_reverse(dm0, &ip0->dst_address,
3403 clib_net_to_host_u16(key0.out_port), &new_addr0);
3405 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
3406 if (PREDICT_FALSE(!ses0))
3408 /* Don't NAT packet aimed at the intfc address */
3409 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
3410 ip0->dst_address.as_u32)))
3415 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
3416 format_ip4_address, &key0.ext_host_addr,
3417 clib_net_to_host_u16 (key0.ext_host_port),
3418 format_ip4_address, &out_addr,
3419 clib_net_to_host_u16 (key0.out_port),
3420 format_ip4_address, &new_addr0);
3421 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3422 next0 = SNAT_OUT2IN_NEXT_DROP;
3426 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
3427 !icmp_is_error_message (icmp0)))
3429 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
3430 next0 = SNAT_OUT2IN_NEXT_DROP;
3437 *p_proto = protocol;
3440 p_value->addr = new_addr0;
3441 p_value->fib_index = sm->inside_fib_index;
3442 p_value->port = ses0->in_port;
3444 *p_dont_translate = dont_translate;
3446 *(snat_det_session_t**)d = ses0;
3448 *(snat_det_map_t**)e = dm0;
3452 /**********************/
3453 /*** worker handoff ***/
3454 /**********************/
3456 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
3457 vlib_node_runtime_t * node,
3458 vlib_frame_t * frame)
3460 snat_main_t *sm = &snat_main;
3461 vlib_thread_main_t *tm = vlib_get_thread_main ();
3462 u32 n_left_from, *from, *to_next = 0, *to_next_drop = 0;
3463 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3464 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3466 vlib_frame_queue_elt_t *hf = 0;
3467 vlib_frame_queue_t *fq;
3468 vlib_frame_t *f = 0;
3470 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3471 u32 next_worker_index = 0;
3472 u32 current_worker_index = ~0;
3473 u32 thread_index = vm->thread_index;
3474 vlib_frame_t *d = 0;
3476 ASSERT (vec_len (sm->workers));
3478 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3480 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3482 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3483 tm->n_vlib_mains - 1,
3484 (vlib_frame_queue_t *) (~0));
3487 from = vlib_frame_vector_args (frame);
3488 n_left_from = frame->n_vectors;
3490 while (n_left_from > 0)
3503 b0 = vlib_get_buffer (vm, bi0);
3505 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3506 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3508 ip0 = vlib_buffer_get_current (b0);
3510 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
3512 if (PREDICT_FALSE (next_worker_index != thread_index))
3516 if (next_worker_index != current_worker_index)
3518 fq = is_vlib_frame_queue_congested (
3519 sm->fq_out2in_index, next_worker_index, NAT_FQ_NELTS - 2,
3520 congested_handoff_queue_by_worker_index);
3524 /* if this is 1st frame */
3527 d = vlib_get_frame_to_node (vm, sm->error_node_index);
3528 to_next_drop = vlib_frame_vector_args (d);
3531 to_next_drop[0] = bi0;
3534 b0->error = node->errors[SNAT_OUT2IN_ERROR_FQ_CONGESTED];
3539 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3541 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
3543 handoff_queue_elt_by_worker_index);
3545 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3546 to_next_worker = &hf->buffer_index[hf->n_vectors];
3547 current_worker_index = next_worker_index;
3550 /* enqueue to correct worker thread */
3551 to_next_worker[0] = bi0;
3553 n_left_to_next_worker--;
3555 if (n_left_to_next_worker == 0)
3557 hf->n_vectors = VLIB_FRAME_SIZE;
3558 vlib_put_frame_queue_elt (hf);
3559 current_worker_index = ~0;
3560 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3567 /* if this is 1st frame */
3570 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
3571 to_next = vlib_frame_vector_args (f);
3580 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3581 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3583 snat_out2in_worker_handoff_trace_t *t =
3584 vlib_add_trace (vm, node, b0, sizeof (*t));
3585 t->next_worker_index = next_worker_index;
3586 t->do_handoff = do_handoff;
3591 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
3594 vlib_put_frame_to_node (vm, sm->error_node_index, d);
3597 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3599 /* Ship frames to the worker nodes */
3600 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3602 if (handoff_queue_elt_by_worker_index[i])
3604 hf = handoff_queue_elt_by_worker_index[i];
3606 * It works better to let the handoff node
3607 * rate-adapt, always ship the handoff queue element.
3609 if (1 || hf->n_vectors == hf->last_n_vectors)
3611 vlib_put_frame_queue_elt (hf);
3612 handoff_queue_elt_by_worker_index[i] = 0;
3615 hf->last_n_vectors = hf->n_vectors;
3617 congested_handoff_queue_by_worker_index[i] =
3618 (vlib_frame_queue_t *) (~0);
3621 current_worker_index = ~0;
3622 return frame->n_vectors;
3625 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
3626 .function = snat_out2in_worker_handoff_fn,
3627 .name = "nat44-out2in-worker-handoff",
3628 .vector_size = sizeof (u32),
3629 .format_trace = format_snat_out2in_worker_handoff_trace,
3630 .type = VLIB_NODE_TYPE_INTERNAL,
3632 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3633 .error_strings = snat_out2in_error_strings,
3642 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
3645 snat_out2in_fast_node_fn (vlib_main_t * vm,
3646 vlib_node_runtime_t * node,
3647 vlib_frame_t * frame)
3649 u32 n_left_from, * from, * to_next;
3650 snat_out2in_next_t next_index;
3651 u32 pkts_processed = 0;
3652 snat_main_t * sm = &snat_main;
3654 from = vlib_frame_vector_args (frame);
3655 n_left_from = frame->n_vectors;
3656 next_index = node->cached_next_index;
3658 while (n_left_from > 0)
3662 vlib_get_next_frame (vm, node, next_index,
3663 to_next, n_left_to_next);
3665 while (n_left_from > 0 && n_left_to_next > 0)
3669 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
3673 u32 new_addr0, old_addr0;
3674 u16 new_port0, old_port0;
3675 udp_header_t * udp0;
3676 tcp_header_t * tcp0;
3677 icmp46_header_t * icmp0;
3678 snat_session_key_t key0, sm0;
3682 /* speculatively enqueue b0 to the current next frame */
3688 n_left_to_next -= 1;
3690 b0 = vlib_get_buffer (vm, bi0);
3692 ip0 = vlib_buffer_get_current (b0);
3693 udp0 = ip4_next_header (ip0);
3694 tcp0 = (tcp_header_t *) udp0;
3695 icmp0 = (icmp46_header_t *) udp0;
3697 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3698 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3700 vnet_feature_next (&next0, b0);
3702 if (PREDICT_FALSE(ip0->ttl == 1))
3704 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3705 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3706 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3708 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
3712 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3714 if (PREDICT_FALSE (proto0 == ~0))
3717 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
3719 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
3720 rx_fib_index0, node, next0, ~0, 0, 0);
3724 key0.addr = ip0->dst_address;
3725 key0.port = udp0->dst_port;
3726 key0.fib_index = rx_fib_index0;
3728 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
3730 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3734 new_addr0 = sm0.addr.as_u32;
3735 new_port0 = sm0.port;
3736 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
3737 old_addr0 = ip0->dst_address.as_u32;
3738 ip0->dst_address.as_u32 = new_addr0;
3740 sum0 = ip0->checksum;
3741 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3743 dst_address /* changed member */);
3744 ip0->checksum = ip_csum_fold (sum0);
3746 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
3748 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3750 old_port0 = tcp0->dst_port;
3751 tcp0->dst_port = new_port0;
3753 sum0 = tcp0->checksum;
3754 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3756 dst_address /* changed member */);
3758 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3759 ip4_header_t /* cheat */,
3760 length /* changed member */);
3761 tcp0->checksum = ip_csum_fold(sum0);
3765 old_port0 = udp0->dst_port;
3766 udp0->dst_port = new_port0;
3772 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3774 sum0 = tcp0->checksum;
3775 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3777 dst_address /* changed member */);
3779 tcp0->checksum = ip_csum_fold(sum0);
3785 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3786 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3788 snat_out2in_trace_t *t =
3789 vlib_add_trace (vm, node, b0, sizeof (*t));
3790 t->sw_if_index = sw_if_index0;
3791 t->next_index = next0;
3794 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3796 /* verify speculative enqueue, maybe switch current next frame */
3797 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3798 to_next, n_left_to_next,
3802 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3805 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
3806 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
3808 return frame->n_vectors;
3811 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
3812 .function = snat_out2in_fast_node_fn,
3813 .name = "nat44-out2in-fast",
3814 .vector_size = sizeof (u32),
3815 .format_trace = format_snat_out2in_fast_trace,
3816 .type = VLIB_NODE_TYPE_INTERNAL,
3818 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3819 .error_strings = snat_out2in_error_strings,
3821 .runtime_data_bytes = sizeof (snat_runtime_t),
3823 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
3825 /* edit / add dispositions here */
3827 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
3828 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
3829 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3830 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
3833 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob