2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
28 #include <nat/nat_reass.h>
30 #include <vppinfra/hash.h>
31 #include <vppinfra/error.h>
32 #include <vppinfra/elog.h>
38 } snat_out2in_trace_t;
41 u32 next_worker_index;
43 } snat_out2in_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
52 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
53 t->sw_if_index, t->next_index, t->session_index);
57 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
59 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
60 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
61 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
63 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
64 t->sw_if_index, t->next_index);
68 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
70 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
71 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
72 snat_out2in_worker_handoff_trace_t * t =
73 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
76 m = t->do_handoff ? "next worker" : "same worker";
77 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
86 } nat44_out2in_reass_trace_t;
88 static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args)
90 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
91 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
92 nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *);
94 s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s",
95 t->sw_if_index, t->next_index,
96 t->cached ? "cached" : "translated");
101 vlib_node_registration_t snat_out2in_node;
102 vlib_node_registration_t snat_out2in_fast_node;
103 vlib_node_registration_t snat_out2in_worker_handoff_node;
104 vlib_node_registration_t snat_det_out2in_node;
105 vlib_node_registration_t nat44_out2in_reass_node;
107 #define foreach_snat_out2in_error \
108 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
109 _(OUT2IN_PACKETS, "Good out2in packets processed") \
110 _(OUT_OF_PORTS, "Out of ports") \
111 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
112 _(NO_TRANSLATION, "No translation") \
113 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
114 _(DROP_FRAGMENT, "Drop fragment") \
115 _(MAX_REASS, "Maximum reassemblies exceeded") \
116 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
119 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
120 foreach_snat_out2in_error
123 } snat_out2in_error_t;
125 static char * snat_out2in_error_strings[] = {
126 #define _(sym,string) string,
127 foreach_snat_out2in_error
132 SNAT_OUT2IN_NEXT_DROP,
133 SNAT_OUT2IN_NEXT_LOOKUP,
134 SNAT_OUT2IN_NEXT_ICMP_ERROR,
135 SNAT_OUT2IN_NEXT_REASS,
137 } snat_out2in_next_t;
140 * @brief Create session for static mapping.
142 * Create NAT session initiated by host from external network with static
145 * @param sm NAT main.
146 * @param b0 Vlib buffer.
147 * @param in2out In2out NAT44 session key.
148 * @param out2in Out2in NAT44 session key.
149 * @param node Vlib node.
151 * @returns SNAT session if successfully created otherwise 0.
153 static inline snat_session_t *
154 create_session_for_static_mapping (snat_main_t *sm,
156 snat_session_key_t in2out,
157 snat_session_key_t out2in,
158 vlib_node_runtime_t * node,
163 clib_bihash_kv_8_8_t kv0;
167 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
169 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
173 ip0 = vlib_buffer_get_current (b0);
174 udp0 = ip4_next_header (ip0);
176 u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
179 clib_warning ("create NAT user failed");
183 s = nat_session_alloc_or_recycle (sm, u, thread_index);
186 clib_warning ("create NAT session failed");
190 s->outside_address_index = ~0;
191 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
192 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
193 s->ext_host_port = udp0->src_port;
194 u->nstaticsessions++;
197 s->in2out.protocol = out2in.protocol;
199 /* Add to translation hashes */
200 kv0.key = s->in2out.as_u64;
201 kv0.value = s - sm->per_thread_data[thread_index].sessions;
202 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
204 clib_warning ("in2out key add failed");
206 kv0.key = s->out2in.as_u64;
208 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
210 clib_warning ("out2in key add failed");
213 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
214 s->out2in.addr.as_u32,
218 s->in2out.fib_index);
223 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
224 snat_session_key_t *p_key0)
226 icmp46_header_t *icmp0;
227 snat_session_key_t key0;
228 icmp_echo_header_t *echo0, *inner_echo0 = 0;
229 ip4_header_t *inner_ip0;
231 icmp46_header_t *inner_icmp0;
233 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
234 echo0 = (icmp_echo_header_t *)(icmp0+1);
236 if (!icmp_is_error_message (icmp0))
238 key0.protocol = SNAT_PROTOCOL_ICMP;
239 key0.addr = ip0->dst_address;
240 key0.port = echo0->identifier;
244 inner_ip0 = (ip4_header_t *)(echo0+1);
245 l4_header = ip4_next_header (inner_ip0);
246 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
247 key0.addr = inner_ip0->src_address;
248 switch (key0.protocol)
250 case SNAT_PROTOCOL_ICMP:
251 inner_icmp0 = (icmp46_header_t*)l4_header;
252 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
253 key0.port = inner_echo0->identifier;
255 case SNAT_PROTOCOL_UDP:
256 case SNAT_PROTOCOL_TCP:
257 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
260 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
264 return -1; /* success */
267 static_always_inline int
268 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
270 icmp46_header_t *icmp0;
271 nat_ed_ses_key_t key0;
272 icmp_echo_header_t *echo0, *inner_echo0 = 0;
273 ip4_header_t *inner_ip0;
275 icmp46_header_t *inner_icmp0;
277 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
278 echo0 = (icmp_echo_header_t *)(icmp0+1);
280 if (!icmp_is_error_message (icmp0))
282 key0.proto = IP_PROTOCOL_ICMP;
283 key0.l_addr = ip0->dst_address;
284 key0.r_addr = ip0->src_address;
285 key0.l_port = key0.r_port = echo0->identifier;
289 inner_ip0 = (ip4_header_t *)(echo0+1);
290 l4_header = ip4_next_header (inner_ip0);
291 key0.proto = inner_ip0->protocol;
292 key0.l_addr = inner_ip0->src_address;
293 key0.r_addr = inner_ip0->dst_address;
294 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
296 case SNAT_PROTOCOL_ICMP:
297 inner_icmp0 = (icmp46_header_t*)l4_header;
298 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
299 key0.l_port = key0.r_port = inner_echo0->identifier;
301 case SNAT_PROTOCOL_UDP:
302 case SNAT_PROTOCOL_TCP:
303 key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port;
304 key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port;
315 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
317 nat_ed_ses_key_t key;
318 clib_bihash_kv_16_8_t kv;
321 if (ip->protocol == IP_PROTOCOL_ICMP)
323 if (icmp_get_ed_key (ip, &key))
326 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
328 udp = ip4_next_header(ip);
329 key.r_addr = ip->src_address;
330 key.l_addr = ip->dst_address;
331 key.proto = ip->protocol;
332 key.l_port = udp->dst_port;
333 key.r_port = udp->src_port;
337 key.r_addr = ip->src_address;
338 key.l_addr = ip->dst_address;
339 key.proto = ip->protocol;
340 key.l_port = key.r_port = 0;
343 kv.key[0] = key.as_u64[0];
344 kv.key[1] = key.as_u64[1];
347 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
348 clib_warning ("in2out_ed key add failed");
352 * Get address and port values to be used for ICMP packet translation
353 * and create session if needed
355 * @param[in,out] sm NAT main
356 * @param[in,out] node NAT node runtime
357 * @param[in] thread_index thread index
358 * @param[in,out] b0 buffer containing packet to be translated
359 * @param[out] p_proto protocol used for matching
360 * @param[out] p_value address and port after NAT translation
361 * @param[out] p_dont_translate if packet should not be translated
362 * @param d optional parameter
363 * @param e optional parameter
365 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
366 u32 thread_index, vlib_buffer_t *b0,
367 ip4_header_t *ip0, u8 *p_proto,
368 snat_session_key_t *p_value,
369 u8 *p_dont_translate, void *d, void *e)
371 icmp46_header_t *icmp0;
374 snat_session_key_t key0;
375 snat_session_key_t sm0;
376 snat_session_t *s0 = 0;
377 u8 dont_translate = 0;
378 clib_bihash_kv_8_8_t kv0, value0;
383 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
384 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
385 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
389 err = icmp_get_key (ip0, &key0);
392 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
393 next0 = SNAT_OUT2IN_NEXT_DROP;
396 key0.fib_index = rx_fib_index0;
398 kv0.key = key0.as_u64;
400 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
403 /* Try to match static mapping by external address and port,
404 destination address and port in packet */
405 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0))
407 if (!sm->forwarding_enabled)
409 /* Don't NAT packet aimed at the intfc address */
410 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
411 ip0->dst_address.as_u32)))
416 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
417 next0 = SNAT_OUT2IN_NEXT_DROP;
422 create_bypass_for_fwd(sm, ip0);
428 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
429 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
431 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
432 next0 = SNAT_OUT2IN_NEXT_DROP;
436 /* Create session initiated by host from external network */
437 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
442 next0 = SNAT_OUT2IN_NEXT_DROP;
448 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
449 icmp0->type != ICMP4_echo_request &&
450 !icmp_is_error_message (icmp0)))
452 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
453 next0 = SNAT_OUT2IN_NEXT_DROP;
457 if (PREDICT_FALSE (value0.value == ~0ULL))
459 nat_ed_ses_key_t key;
460 clib_bihash_kv_16_8_t s_kv, s_value;
464 if (icmp_get_ed_key (ip0, &key))
466 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
467 next0 = SNAT_OUT2IN_NEXT_DROP;
470 key.fib_index = rx_fib_index0;
471 s_kv.key[0] = key.as_u64[0];
472 s_kv.key[1] = key.as_u64[1];
473 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
474 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
478 next0 = SNAT_OUT2IN_NEXT_DROP;
483 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
488 *p_proto = key0.protocol;
490 *p_value = s0->in2out;
491 *p_dont_translate = dont_translate;
493 *(snat_session_t**)d = s0;
498 * Get address and port values to be used for ICMP packet translation
500 * @param[in] sm NAT main
501 * @param[in,out] node NAT node runtime
502 * @param[in] thread_index thread index
503 * @param[in,out] b0 buffer containing packet to be translated
504 * @param[out] p_proto protocol used for matching
505 * @param[out] p_value address and port after NAT translation
506 * @param[out] p_dont_translate if packet should not be translated
507 * @param d optional parameter
508 * @param e optional parameter
510 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
511 u32 thread_index, vlib_buffer_t *b0,
512 ip4_header_t *ip0, u8 *p_proto,
513 snat_session_key_t *p_value,
514 u8 *p_dont_translate, void *d, void *e)
516 icmp46_header_t *icmp0;
519 snat_session_key_t key0;
520 snat_session_key_t sm0;
521 u8 dont_translate = 0;
526 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
527 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
528 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
530 err = icmp_get_key (ip0, &key0);
533 b0->error = node->errors[err];
534 next0 = SNAT_OUT2IN_NEXT_DROP;
537 key0.fib_index = rx_fib_index0;
539 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0))
541 /* Don't NAT packet aimed at the intfc address */
542 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
547 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
548 next0 = SNAT_OUT2IN_NEXT_DROP;
552 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
553 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
554 !icmp_is_error_message (icmp0)))
556 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
557 next0 = SNAT_OUT2IN_NEXT_DROP;
564 *p_proto = key0.protocol;
565 *p_dont_translate = dont_translate;
569 static inline u32 icmp_out2in (snat_main_t *sm,
572 icmp46_header_t * icmp0,
575 vlib_node_runtime_t * node,
581 snat_session_key_t sm0;
583 icmp_echo_header_t *echo0, *inner_echo0 = 0;
584 ip4_header_t *inner_ip0 = 0;
586 icmp46_header_t *inner_icmp0;
588 u32 new_addr0, old_addr0;
589 u16 old_id0, new_id0;
594 echo0 = (icmp_echo_header_t *)(icmp0+1);
596 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
597 &protocol, &sm0, &dont_translate, d, e);
600 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
603 sum0 = ip_incremental_checksum (0, icmp0,
604 ntohs(ip0->length) - ip4_header_bytes (ip0));
605 checksum0 = ~ip_csum_fold (sum0);
606 if (checksum0 != 0 && checksum0 != 0xffff)
608 next0 = SNAT_OUT2IN_NEXT_DROP;
612 old_addr0 = ip0->dst_address.as_u32;
613 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
614 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
616 sum0 = ip0->checksum;
617 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
618 dst_address /* changed member */);
619 ip0->checksum = ip_csum_fold (sum0);
621 if (!icmp_is_error_message (icmp0))
624 if (PREDICT_FALSE(new_id0 != echo0->identifier))
626 old_id0 = echo0->identifier;
628 echo0->identifier = new_id0;
630 sum0 = icmp0->checksum;
631 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
632 identifier /* changed member */);
633 icmp0->checksum = ip_csum_fold (sum0);
638 inner_ip0 = (ip4_header_t *)(echo0+1);
639 l4_header = ip4_next_header (inner_ip0);
641 if (!ip4_header_checksum_is_valid (inner_ip0))
643 next0 = SNAT_OUT2IN_NEXT_DROP;
647 old_addr0 = inner_ip0->src_address.as_u32;
648 inner_ip0->src_address = sm0.addr;
649 new_addr0 = inner_ip0->src_address.as_u32;
651 sum0 = icmp0->checksum;
652 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
653 src_address /* changed member */);
654 icmp0->checksum = ip_csum_fold (sum0);
658 case SNAT_PROTOCOL_ICMP:
659 inner_icmp0 = (icmp46_header_t*)l4_header;
660 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
662 old_id0 = inner_echo0->identifier;
664 inner_echo0->identifier = new_id0;
666 sum0 = icmp0->checksum;
667 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
669 icmp0->checksum = ip_csum_fold (sum0);
671 case SNAT_PROTOCOL_UDP:
672 case SNAT_PROTOCOL_TCP:
673 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
675 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
677 sum0 = icmp0->checksum;
678 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
680 icmp0->checksum = ip_csum_fold (sum0);
692 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
695 icmp46_header_t * icmp0,
698 vlib_node_runtime_t * node,
701 snat_session_t ** p_s0)
703 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
704 next0, thread_index, p_s0, 0);
705 snat_session_t * s0 = *p_s0;
706 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
709 s0->last_heard = now;
711 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
712 /* Per-user LRU list maintenance */
713 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
715 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
716 s0->per_user_list_head_index,
722 static snat_session_t *
723 snat_out2in_unknown_proto (snat_main_t *sm,
730 vlib_node_runtime_t * node)
732 clib_bihash_kv_8_8_t kv, value;
733 clib_bihash_kv_16_8_t s_kv, s_value;
734 snat_static_mapping_t *m;
735 snat_session_key_t m_key;
736 u32 old_addr, new_addr;
738 nat_ed_ses_key_t key;
740 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
743 old_addr = ip->dst_address.as_u32;
745 key.l_addr = ip->dst_address;
746 key.r_addr = ip->src_address;
747 key.fib_index = rx_fib_index;
748 key.proto = ip->protocol;
751 s_kv.key[0] = key.as_u64[0];
752 s_kv.key[1] = key.as_u64[1];
754 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
756 s = pool_elt_at_index (tsm->sessions, s_value.value);
757 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
761 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
763 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
767 m_key.addr = ip->dst_address;
770 m_key.fib_index = rx_fib_index;
771 kv.key = m_key.as_u64;
772 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
774 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
778 m = pool_elt_at_index (sm->static_mappings, value.value);
780 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
782 u = nat_user_get_or_create (sm, &ip->src_address, m->fib_index,
786 clib_warning ("create NAT user failed");
790 /* Create a new session */
791 s = nat_session_alloc_or_recycle (sm, u, thread_index);
794 clib_warning ("create NAT session failed");
798 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
799 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
800 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
801 s->outside_address_index = ~0;
802 s->out2in.addr.as_u32 = old_addr;
803 s->out2in.fib_index = rx_fib_index;
804 s->in2out.addr.as_u32 = new_addr;
805 s->in2out.fib_index = m->fib_index;
806 s->in2out.port = s->out2in.port = ip->protocol;
807 u->nstaticsessions++;
809 /* Add to lookup tables */
810 s_kv.value = s - tsm->sessions;
811 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
812 clib_warning ("out2in key add failed");
814 key.l_addr = ip->dst_address;
815 key.fib_index = m->fib_index;
816 s_kv.key[0] = key.as_u64[0];
817 s_kv.key[1] = key.as_u64[1];
818 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
819 clib_warning ("in2out key add failed");
822 /* Update IP checksum */
824 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
825 ip->checksum = ip_csum_fold (sum);
827 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
832 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
833 /* Per-user LRU list maintenance */
834 clib_dlist_remove (tsm->list_pool, s->per_user_index);
835 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
841 static snat_session_t *
842 snat_out2in_lb (snat_main_t *sm,
849 vlib_node_runtime_t * node)
851 nat_ed_ses_key_t key;
852 clib_bihash_kv_16_8_t s_kv, s_value;
853 udp_header_t *udp = ip4_next_header (ip);
854 tcp_header_t *tcp = (tcp_header_t *) udp;
855 snat_session_t *s = 0;
856 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
857 snat_session_key_t e_key, l_key;
858 u32 old_addr, new_addr;
859 u32 proto = ip_proto_to_snat_proto (ip->protocol);
860 u16 new_port, old_port;
864 snat_session_key_t eh_key;
867 old_addr = ip->dst_address.as_u32;
869 key.l_addr = ip->dst_address;
870 key.r_addr = ip->src_address;
871 key.fib_index = rx_fib_index;
872 key.proto = ip->protocol;
873 key.r_port = udp->src_port;
874 key.l_port = udp->dst_port;
875 s_kv.key[0] = key.as_u64[0];
876 s_kv.key[1] = key.as_u64[1];
878 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
880 s = pool_elt_at_index (tsm->sessions, s_value.value);
884 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
886 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
890 e_key.addr = ip->dst_address;
891 e_key.port = udp->dst_port;
892 e_key.protocol = proto;
893 e_key.fib_index = rx_fib_index;
894 if (snat_static_mapping_match(sm, e_key, &l_key, 1, 0, &twice_nat))
897 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index,
901 clib_warning ("create NAT user failed");
905 s = nat_session_alloc_or_recycle (sm, u, thread_index);
908 clib_warning ("create NAT session failed");
912 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
913 s->ext_host_port = udp->src_port;
914 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
915 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
916 s->outside_address_index = ~0;
919 u->nstaticsessions++;
921 /* Add to lookup tables */
922 s_kv.value = s - tsm->sessions;
923 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
924 clib_warning ("out2in-ed key add failed");
928 eh_key.protocol = proto;
929 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
930 thread_index, &eh_key,
933 sm->per_thread_data[thread_index].snat_thread_index))
935 b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS];
938 key.r_addr.as_u32 = s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
939 key.r_port = s->ext_host_nat_port = eh_key.port;
940 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
942 key.l_addr = l_key.addr;
943 key.fib_index = l_key.fib_index;
944 key.l_port = l_key.port;
945 s_kv.key[0] = key.as_u64[0];
946 s_kv.key[1] = key.as_u64[1];
947 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
948 clib_warning ("in2out-ed key add failed");
951 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
953 /* Update IP checksum */
955 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
956 if (is_twice_nat_session (s))
957 sum = ip_csum_update (sum, ip->src_address.as_u32,
958 s->ext_host_nat_addr.as_u32, ip4_header_t,
960 ip->checksum = ip_csum_fold (sum);
962 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
964 old_port = tcp->dst_port;
965 tcp->dst_port = s->in2out.port;
966 new_port = tcp->dst_port;
969 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
970 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
971 if (is_twice_nat_session (s))
973 sum = ip_csum_update (sum, ip->src_address.as_u32,
974 s->ext_host_nat_addr.as_u32, ip4_header_t,
976 sum = ip_csum_update (sum, tcp->src_port, s->ext_host_nat_port,
977 ip4_header_t, length);
978 tcp->src_port = s->ext_host_nat_port;
979 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
981 tcp->checksum = ip_csum_fold(sum);
985 udp->dst_port = s->in2out.port;
986 if (is_twice_nat_session (s))
988 udp->src_port = s->ext_host_nat_port;
989 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
994 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
999 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1000 /* Per-user LRU list maintenance */
1001 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1002 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1009 snat_out2in_node_fn (vlib_main_t * vm,
1010 vlib_node_runtime_t * node,
1011 vlib_frame_t * frame)
1013 u32 n_left_from, * from, * to_next;
1014 snat_out2in_next_t next_index;
1015 u32 pkts_processed = 0;
1016 snat_main_t * sm = &snat_main;
1017 f64 now = vlib_time_now (vm);
1018 u32 thread_index = vlib_get_thread_index ();
1020 from = vlib_frame_vector_args (frame);
1021 n_left_from = frame->n_vectors;
1022 next_index = node->cached_next_index;
1024 while (n_left_from > 0)
1028 vlib_get_next_frame (vm, node, next_index,
1029 to_next, n_left_to_next);
1031 while (n_left_from >= 4 && n_left_to_next >= 2)
1034 vlib_buffer_t * b0, * b1;
1035 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1036 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1037 u32 sw_if_index0, sw_if_index1;
1038 ip4_header_t * ip0, *ip1;
1039 ip_csum_t sum0, sum1;
1040 u32 new_addr0, old_addr0;
1041 u16 new_port0, old_port0;
1042 u32 new_addr1, old_addr1;
1043 u16 new_port1, old_port1;
1044 udp_header_t * udp0, * udp1;
1045 tcp_header_t * tcp0, * tcp1;
1046 icmp46_header_t * icmp0, * icmp1;
1047 snat_session_key_t key0, key1, sm0, sm1;
1048 u32 rx_fib_index0, rx_fib_index1;
1050 snat_session_t * s0 = 0, * s1 = 0;
1051 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
1053 /* Prefetch next iteration. */
1055 vlib_buffer_t * p2, * p3;
1057 p2 = vlib_get_buffer (vm, from[2]);
1058 p3 = vlib_get_buffer (vm, from[3]);
1060 vlib_prefetch_buffer_header (p2, LOAD);
1061 vlib_prefetch_buffer_header (p3, LOAD);
1063 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1064 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1067 /* speculatively enqueue b0 and b1 to the current next frame */
1068 to_next[0] = bi0 = from[0];
1069 to_next[1] = bi1 = from[1];
1073 n_left_to_next -= 2;
1075 b0 = vlib_get_buffer (vm, bi0);
1076 b1 = vlib_get_buffer (vm, bi1);
1078 vnet_buffer (b0)->snat.flags = 0;
1079 vnet_buffer (b1)->snat.flags = 0;
1081 ip0 = vlib_buffer_get_current (b0);
1082 udp0 = ip4_next_header (ip0);
1083 tcp0 = (tcp_header_t *) udp0;
1084 icmp0 = (icmp46_header_t *) udp0;
1086 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1087 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1090 if (PREDICT_FALSE(ip0->ttl == 1))
1092 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1093 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1094 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1096 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1100 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1102 if (PREDICT_FALSE (proto0 == ~0))
1104 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1105 thread_index, now, vm, node);
1106 if (!sm->forwarding_enabled)
1108 next0 = SNAT_OUT2IN_NEXT_DROP;
1112 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1114 next0 = icmp_out2in_slow_path
1115 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1116 next0, now, thread_index, &s0);
1120 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1122 next0 = SNAT_OUT2IN_NEXT_REASS;
1126 key0.addr = ip0->dst_address;
1127 key0.port = udp0->dst_port;
1128 key0.protocol = proto0;
1129 key0.fib_index = rx_fib_index0;
1131 kv0.key = key0.as_u64;
1133 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1136 /* Try to match static mapping by external address and port,
1137 destination address and port in packet */
1138 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
1140 if (!sm->forwarding_enabled)
1142 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1144 * Send DHCP packets to the ipv4 stack, or we won't
1145 * be able to use dhcp client on the outside interface
1147 if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
1149 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1150 next0 = SNAT_OUT2IN_NEXT_DROP;
1153 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1159 create_bypass_for_fwd(sm, ip0);
1164 /* Create session initiated by host from external network */
1165 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1169 next0 = SNAT_OUT2IN_NEXT_DROP;
1175 if (PREDICT_FALSE (value0.value == ~0ULL))
1177 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1180 next0 = SNAT_OUT2IN_NEXT_DROP;
1185 s0 = pool_elt_at_index (
1186 sm->per_thread_data[thread_index].sessions,
1191 old_addr0 = ip0->dst_address.as_u32;
1192 ip0->dst_address = s0->in2out.addr;
1193 new_addr0 = ip0->dst_address.as_u32;
1194 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1196 sum0 = ip0->checksum;
1197 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1199 dst_address /* changed member */);
1200 ip0->checksum = ip_csum_fold (sum0);
1202 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1204 old_port0 = tcp0->dst_port;
1205 tcp0->dst_port = s0->in2out.port;
1206 new_port0 = tcp0->dst_port;
1208 sum0 = tcp0->checksum;
1209 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1211 dst_address /* changed member */);
1213 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1214 ip4_header_t /* cheat */,
1215 length /* changed member */);
1216 tcp0->checksum = ip_csum_fold(sum0);
1220 old_port0 = udp0->dst_port;
1221 udp0->dst_port = s0->in2out.port;
1226 s0->last_heard = now;
1228 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1229 /* Per-user LRU list maintenance */
1230 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1231 s0->per_user_index);
1232 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1233 s0->per_user_list_head_index,
1234 s0->per_user_index);
1237 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1238 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1240 snat_out2in_trace_t *t =
1241 vlib_add_trace (vm, node, b0, sizeof (*t));
1242 t->sw_if_index = sw_if_index0;
1243 t->next_index = next0;
1244 t->session_index = ~0;
1246 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1249 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1252 ip1 = vlib_buffer_get_current (b1);
1253 udp1 = ip4_next_header (ip1);
1254 tcp1 = (tcp_header_t *) udp1;
1255 icmp1 = (icmp46_header_t *) udp1;
1257 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1258 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1261 if (PREDICT_FALSE(ip1->ttl == 1))
1263 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1264 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1265 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1267 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1271 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1273 if (PREDICT_FALSE (proto1 == ~0))
1275 s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
1276 thread_index, now, vm, node);
1277 if (!sm->forwarding_enabled)
1279 next1 = SNAT_OUT2IN_NEXT_DROP;
1283 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1285 next1 = icmp_out2in_slow_path
1286 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1287 next1, now, thread_index, &s1);
1291 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
1293 next1 = SNAT_OUT2IN_NEXT_REASS;
1297 key1.addr = ip1->dst_address;
1298 key1.port = udp1->dst_port;
1299 key1.protocol = proto1;
1300 key1.fib_index = rx_fib_index1;
1302 kv1.key = key1.as_u64;
1304 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1307 /* Try to match static mapping by external address and port,
1308 destination address and port in packet */
1309 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0))
1311 if (!sm->forwarding_enabled)
1313 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1315 * Send DHCP packets to the ipv4 stack, or we won't
1316 * be able to use dhcp client on the outside interface
1318 if (PREDICT_TRUE (proto1 != SNAT_PROTOCOL_UDP
1320 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1321 next1 = SNAT_OUT2IN_NEXT_DROP;
1324 (vnet_buffer (b1)->sw_if_index[VLIB_RX],
1330 create_bypass_for_fwd(sm, ip1);
1335 /* Create session initiated by host from external network */
1336 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
1340 next1 = SNAT_OUT2IN_NEXT_DROP;
1346 if (PREDICT_FALSE (value1.value == ~0ULL))
1348 s1 = snat_out2in_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1351 next1 = SNAT_OUT2IN_NEXT_DROP;
1356 s1 = pool_elt_at_index (
1357 sm->per_thread_data[thread_index].sessions,
1362 old_addr1 = ip1->dst_address.as_u32;
1363 ip1->dst_address = s1->in2out.addr;
1364 new_addr1 = ip1->dst_address.as_u32;
1365 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1367 sum1 = ip1->checksum;
1368 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1370 dst_address /* changed member */);
1371 ip1->checksum = ip_csum_fold (sum1);
1373 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1375 old_port1 = tcp1->dst_port;
1376 tcp1->dst_port = s1->in2out.port;
1377 new_port1 = tcp1->dst_port;
1379 sum1 = tcp1->checksum;
1380 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1382 dst_address /* changed member */);
1384 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1385 ip4_header_t /* cheat */,
1386 length /* changed member */);
1387 tcp1->checksum = ip_csum_fold(sum1);
1391 old_port1 = udp1->dst_port;
1392 udp1->dst_port = s1->in2out.port;
1397 s1->last_heard = now;
1399 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1400 /* Per-user LRU list maintenance */
1401 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1402 s1->per_user_index);
1403 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1404 s1->per_user_list_head_index,
1405 s1->per_user_index);
1408 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1409 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1411 snat_out2in_trace_t *t =
1412 vlib_add_trace (vm, node, b1, sizeof (*t));
1413 t->sw_if_index = sw_if_index1;
1414 t->next_index = next1;
1415 t->session_index = ~0;
1417 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1420 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1422 /* verify speculative enqueues, maybe switch current next frame */
1423 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1424 to_next, n_left_to_next,
1425 bi0, bi1, next0, next1);
1428 while (n_left_from > 0 && n_left_to_next > 0)
1432 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1436 u32 new_addr0, old_addr0;
1437 u16 new_port0, old_port0;
1438 udp_header_t * udp0;
1439 tcp_header_t * tcp0;
1440 icmp46_header_t * icmp0;
1441 snat_session_key_t key0, sm0;
1444 snat_session_t * s0 = 0;
1445 clib_bihash_kv_8_8_t kv0, value0;
1447 /* speculatively enqueue b0 to the current next frame */
1453 n_left_to_next -= 1;
1455 b0 = vlib_get_buffer (vm, bi0);
1457 vnet_buffer (b0)->snat.flags = 0;
1459 ip0 = vlib_buffer_get_current (b0);
1460 udp0 = ip4_next_header (ip0);
1461 tcp0 = (tcp_header_t *) udp0;
1462 icmp0 = (icmp46_header_t *) udp0;
1464 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1465 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1468 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1470 if (PREDICT_FALSE (proto0 == ~0))
1472 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1473 thread_index, now, vm, node);
1474 if (!sm->forwarding_enabled)
1476 next0 = SNAT_OUT2IN_NEXT_DROP;
1480 if (PREDICT_FALSE(ip0->ttl == 1))
1482 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1483 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1484 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1486 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1490 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1492 next0 = icmp_out2in_slow_path
1493 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1494 next0, now, thread_index, &s0);
1498 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1500 next0 = SNAT_OUT2IN_NEXT_REASS;
1504 key0.addr = ip0->dst_address;
1505 key0.port = udp0->dst_port;
1506 key0.protocol = proto0;
1507 key0.fib_index = rx_fib_index0;
1509 kv0.key = key0.as_u64;
1511 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1514 /* Try to match static mapping by external address and port,
1515 destination address and port in packet */
1516 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
1518 if (!sm->forwarding_enabled)
1520 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1522 * Send DHCP packets to the ipv4 stack, or we won't
1523 * be able to use dhcp client on the outside interface
1525 if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
1527 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1528 next0 = SNAT_OUT2IN_NEXT_DROP;
1531 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1537 create_bypass_for_fwd(sm, ip0);
1542 /* Create session initiated by host from external network */
1543 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1547 next0 = SNAT_OUT2IN_NEXT_DROP;
1553 if (PREDICT_FALSE (value0.value == ~0ULL))
1555 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1558 next0 = SNAT_OUT2IN_NEXT_DROP;
1563 s0 = pool_elt_at_index (
1564 sm->per_thread_data[thread_index].sessions,
1569 old_addr0 = ip0->dst_address.as_u32;
1570 ip0->dst_address = s0->in2out.addr;
1571 new_addr0 = ip0->dst_address.as_u32;
1572 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1574 sum0 = ip0->checksum;
1575 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1577 dst_address /* changed member */);
1578 ip0->checksum = ip_csum_fold (sum0);
1580 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1582 old_port0 = tcp0->dst_port;
1583 tcp0->dst_port = s0->in2out.port;
1584 new_port0 = tcp0->dst_port;
1586 sum0 = tcp0->checksum;
1587 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1589 dst_address /* changed member */);
1591 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1592 ip4_header_t /* cheat */,
1593 length /* changed member */);
1594 tcp0->checksum = ip_csum_fold(sum0);
1598 old_port0 = udp0->dst_port;
1599 udp0->dst_port = s0->in2out.port;
1604 s0->last_heard = now;
1606 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1607 /* Per-user LRU list maintenance */
1608 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1609 s0->per_user_index);
1610 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1611 s0->per_user_list_head_index,
1612 s0->per_user_index);
1615 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1616 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1618 snat_out2in_trace_t *t =
1619 vlib_add_trace (vm, node, b0, sizeof (*t));
1620 t->sw_if_index = sw_if_index0;
1621 t->next_index = next0;
1622 t->session_index = ~0;
1624 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1627 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1629 /* verify speculative enqueue, maybe switch current next frame */
1630 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1631 to_next, n_left_to_next,
1635 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1638 vlib_node_increment_counter (vm, snat_out2in_node.index,
1639 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1641 return frame->n_vectors;
1644 VLIB_REGISTER_NODE (snat_out2in_node) = {
1645 .function = snat_out2in_node_fn,
1646 .name = "nat44-out2in",
1647 .vector_size = sizeof (u32),
1648 .format_trace = format_snat_out2in_trace,
1649 .type = VLIB_NODE_TYPE_INTERNAL,
1651 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1652 .error_strings = snat_out2in_error_strings,
1654 .runtime_data_bytes = sizeof (snat_runtime_t),
1656 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1658 /* edit / add dispositions here */
1660 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1661 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1662 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1663 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1666 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1669 nat44_out2in_reass_node_fn (vlib_main_t * vm,
1670 vlib_node_runtime_t * node,
1671 vlib_frame_t * frame)
1673 u32 n_left_from, *from, *to_next;
1674 snat_out2in_next_t next_index;
1675 u32 pkts_processed = 0;
1676 snat_main_t *sm = &snat_main;
1677 f64 now = vlib_time_now (vm);
1678 u32 thread_index = vlib_get_thread_index ();
1679 snat_main_per_thread_data_t *per_thread_data =
1680 &sm->per_thread_data[thread_index];
1681 u32 *fragments_to_drop = 0;
1682 u32 *fragments_to_loopback = 0;
1684 from = vlib_frame_vector_args (frame);
1685 n_left_from = frame->n_vectors;
1686 next_index = node->cached_next_index;
1688 while (n_left_from > 0)
1692 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1694 while (n_left_from > 0 && n_left_to_next > 0)
1696 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1701 nat_reass_ip4_t *reass0;
1702 udp_header_t * udp0;
1703 tcp_header_t * tcp0;
1704 snat_session_key_t key0, sm0;
1705 clib_bihash_kv_8_8_t kv0, value0;
1706 snat_session_t * s0 = 0;
1707 u16 old_port0, new_port0;
1710 /* speculatively enqueue b0 to the current next frame */
1716 n_left_to_next -= 1;
1718 b0 = vlib_get_buffer (vm, bi0);
1719 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1721 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1722 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1725 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
1727 next0 = SNAT_OUT2IN_NEXT_DROP;
1728 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1732 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1733 udp0 = ip4_next_header (ip0);
1734 tcp0 = (tcp_header_t *) udp0;
1735 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1737 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1742 &fragments_to_drop);
1744 if (PREDICT_FALSE (!reass0))
1746 next0 = SNAT_OUT2IN_NEXT_DROP;
1747 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1751 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1753 key0.addr = ip0->dst_address;
1754 key0.port = udp0->dst_port;
1755 key0.protocol = proto0;
1756 key0.fib_index = rx_fib_index0;
1757 kv0.key = key0.as_u64;
1759 if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0))
1761 /* Try to match static mapping by external address and port,
1762 destination address and port in packet */
1763 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
1765 if (!sm->forwarding_enabled)
1767 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1769 * Send DHCP packets to the ipv4 stack, or we won't
1770 * be able to use dhcp client on the outside interface
1772 if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
1774 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1775 next0 = SNAT_OUT2IN_NEXT_DROP;
1778 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1784 create_bypass_for_fwd(sm, ip0);
1789 /* Create session initiated by host from external network */
1790 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1794 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1795 next0 = SNAT_OUT2IN_NEXT_DROP;
1798 reass0->sess_index = s0 - per_thread_data->sessions;
1799 reass0->thread_index = thread_index;
1803 s0 = pool_elt_at_index (per_thread_data->sessions,
1805 reass0->sess_index = value0.value;
1807 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1811 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
1813 if (nat_ip4_reass_add_fragment (reass0, bi0))
1815 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1816 next0 = SNAT_OUT2IN_NEXT_DROP;
1822 s0 = pool_elt_at_index (per_thread_data->sessions,
1823 reass0->sess_index);
1826 old_addr0 = ip0->dst_address.as_u32;
1827 ip0->dst_address = s0->in2out.addr;
1828 new_addr0 = ip0->dst_address.as_u32;
1829 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1831 sum0 = ip0->checksum;
1832 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1834 dst_address /* changed member */);
1835 ip0->checksum = ip_csum_fold (sum0);
1837 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1839 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1841 old_port0 = tcp0->dst_port;
1842 tcp0->dst_port = s0->in2out.port;
1843 new_port0 = tcp0->dst_port;
1845 sum0 = tcp0->checksum;
1846 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1848 dst_address /* changed member */);
1850 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1851 ip4_header_t /* cheat */,
1852 length /* changed member */);
1853 tcp0->checksum = ip_csum_fold(sum0);
1857 old_port0 = udp0->dst_port;
1858 udp0->dst_port = s0->in2out.port;
1864 s0->last_heard = now;
1866 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1867 /* Per-user LRU list maintenance */
1868 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1869 s0->per_user_index);
1870 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1871 s0->per_user_list_head_index,
1872 s0->per_user_index);
1875 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1876 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1878 nat44_out2in_reass_trace_t *t =
1879 vlib_add_trace (vm, node, b0, sizeof (*t));
1880 t->cached = cached0;
1881 t->sw_if_index = sw_if_index0;
1882 t->next_index = next0;
1892 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1894 /* verify speculative enqueue, maybe switch current next frame */
1895 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1896 to_next, n_left_to_next,
1900 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1902 from = vlib_frame_vector_args (frame);
1903 u32 len = vec_len (fragments_to_loopback);
1904 if (len <= VLIB_FRAME_SIZE)
1906 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
1908 vec_reset_length (fragments_to_loopback);
1913 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
1914 sizeof (u32) * VLIB_FRAME_SIZE);
1915 n_left_from = VLIB_FRAME_SIZE;
1916 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1921 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1924 vlib_node_increment_counter (vm, nat44_out2in_reass_node.index,
1925 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1928 nat_send_all_to_node (vm, fragments_to_drop, node,
1929 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
1930 SNAT_OUT2IN_NEXT_DROP);
1932 vec_free (fragments_to_drop);
1933 vec_free (fragments_to_loopback);
1934 return frame->n_vectors;
1937 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
1938 .function = nat44_out2in_reass_node_fn,
1939 .name = "nat44-out2in-reass",
1940 .vector_size = sizeof (u32),
1941 .format_trace = format_nat44_out2in_reass_trace,
1942 .type = VLIB_NODE_TYPE_INTERNAL,
1944 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1945 .error_strings = snat_out2in_error_strings,
1947 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1949 /* edit / add dispositions here */
1951 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1952 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1953 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1954 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1957 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
1958 nat44_out2in_reass_node_fn);
1960 /**************************/
1961 /*** deterministic mode ***/
1962 /**************************/
1964 snat_det_out2in_node_fn (vlib_main_t * vm,
1965 vlib_node_runtime_t * node,
1966 vlib_frame_t * frame)
1968 u32 n_left_from, * from, * to_next;
1969 snat_out2in_next_t next_index;
1970 u32 pkts_processed = 0;
1971 snat_main_t * sm = &snat_main;
1972 u32 thread_index = vlib_get_thread_index ();
1974 from = vlib_frame_vector_args (frame);
1975 n_left_from = frame->n_vectors;
1976 next_index = node->cached_next_index;
1978 while (n_left_from > 0)
1982 vlib_get_next_frame (vm, node, next_index,
1983 to_next, n_left_to_next);
1985 while (n_left_from >= 4 && n_left_to_next >= 2)
1988 vlib_buffer_t * b0, * b1;
1989 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1990 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1991 u32 sw_if_index0, sw_if_index1;
1992 ip4_header_t * ip0, * ip1;
1993 ip_csum_t sum0, sum1;
1994 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
1995 u16 new_port0, old_port0, old_port1, new_port1;
1996 udp_header_t * udp0, * udp1;
1997 tcp_header_t * tcp0, * tcp1;
1999 snat_det_out_key_t key0, key1;
2000 snat_det_map_t * dm0, * dm1;
2001 snat_det_session_t * ses0 = 0, * ses1 = 0;
2002 u32 rx_fib_index0, rx_fib_index1;
2003 icmp46_header_t * icmp0, * icmp1;
2005 /* Prefetch next iteration. */
2007 vlib_buffer_t * p2, * p3;
2009 p2 = vlib_get_buffer (vm, from[2]);
2010 p3 = vlib_get_buffer (vm, from[3]);
2012 vlib_prefetch_buffer_header (p2, LOAD);
2013 vlib_prefetch_buffer_header (p3, LOAD);
2015 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2016 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2019 /* speculatively enqueue b0 and b1 to the current next frame */
2020 to_next[0] = bi0 = from[0];
2021 to_next[1] = bi1 = from[1];
2025 n_left_to_next -= 2;
2027 b0 = vlib_get_buffer (vm, bi0);
2028 b1 = vlib_get_buffer (vm, bi1);
2030 ip0 = vlib_buffer_get_current (b0);
2031 udp0 = ip4_next_header (ip0);
2032 tcp0 = (tcp_header_t *) udp0;
2034 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2036 if (PREDICT_FALSE(ip0->ttl == 1))
2038 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2039 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2040 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2042 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2046 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2048 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2050 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2051 icmp0 = (icmp46_header_t *) udp0;
2053 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2054 rx_fib_index0, node, next0, thread_index,
2059 key0.ext_host_addr = ip0->src_address;
2060 key0.ext_host_port = tcp0->src;
2061 key0.out_port = tcp0->dst;
2063 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2064 if (PREDICT_FALSE(!dm0))
2066 clib_warning("unknown dst address: %U",
2067 format_ip4_address, &ip0->dst_address);
2068 next0 = SNAT_OUT2IN_NEXT_DROP;
2069 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2073 snat_det_reverse(dm0, &ip0->dst_address,
2074 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2076 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2077 if (PREDICT_FALSE(!ses0))
2079 clib_warning("no match src %U:%d dst %U:%d for user %U",
2080 format_ip4_address, &ip0->src_address,
2081 clib_net_to_host_u16 (tcp0->src),
2082 format_ip4_address, &ip0->dst_address,
2083 clib_net_to_host_u16 (tcp0->dst),
2084 format_ip4_address, &new_addr0);
2085 next0 = SNAT_OUT2IN_NEXT_DROP;
2086 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2089 new_port0 = ses0->in_port;
2091 old_addr0 = ip0->dst_address;
2092 ip0->dst_address = new_addr0;
2093 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2095 sum0 = ip0->checksum;
2096 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2098 dst_address /* changed member */);
2099 ip0->checksum = ip_csum_fold (sum0);
2101 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2103 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2104 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2105 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2106 snat_det_ses_close(dm0, ses0);
2108 old_port0 = tcp0->dst;
2109 tcp0->dst = new_port0;
2111 sum0 = tcp0->checksum;
2112 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2114 dst_address /* changed member */);
2116 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2117 ip4_header_t /* cheat */,
2118 length /* changed member */);
2119 tcp0->checksum = ip_csum_fold(sum0);
2123 old_port0 = udp0->dst_port;
2124 udp0->dst_port = new_port0;
2130 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2131 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2133 snat_out2in_trace_t *t =
2134 vlib_add_trace (vm, node, b0, sizeof (*t));
2135 t->sw_if_index = sw_if_index0;
2136 t->next_index = next0;
2137 t->session_index = ~0;
2139 t->session_index = ses0 - dm0->sessions;
2142 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2144 b1 = vlib_get_buffer (vm, bi1);
2146 ip1 = vlib_buffer_get_current (b1);
2147 udp1 = ip4_next_header (ip1);
2148 tcp1 = (tcp_header_t *) udp1;
2150 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2152 if (PREDICT_FALSE(ip1->ttl == 1))
2154 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2155 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2156 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2158 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2162 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2164 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2166 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2167 icmp1 = (icmp46_header_t *) udp1;
2169 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
2170 rx_fib_index1, node, next1, thread_index,
2175 key1.ext_host_addr = ip1->src_address;
2176 key1.ext_host_port = tcp1->src;
2177 key1.out_port = tcp1->dst;
2179 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
2180 if (PREDICT_FALSE(!dm1))
2182 clib_warning("unknown dst address: %U",
2183 format_ip4_address, &ip1->dst_address);
2184 next1 = SNAT_OUT2IN_NEXT_DROP;
2185 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2189 snat_det_reverse(dm1, &ip1->dst_address,
2190 clib_net_to_host_u16(tcp1->dst), &new_addr1);
2192 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
2193 if (PREDICT_FALSE(!ses1))
2195 clib_warning("no match src %U:%d dst %U:%d for user %U",
2196 format_ip4_address, &ip1->src_address,
2197 clib_net_to_host_u16 (tcp1->src),
2198 format_ip4_address, &ip1->dst_address,
2199 clib_net_to_host_u16 (tcp1->dst),
2200 format_ip4_address, &new_addr1);
2201 next1 = SNAT_OUT2IN_NEXT_DROP;
2202 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2205 new_port1 = ses1->in_port;
2207 old_addr1 = ip1->dst_address;
2208 ip1->dst_address = new_addr1;
2209 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2211 sum1 = ip1->checksum;
2212 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2214 dst_address /* changed member */);
2215 ip1->checksum = ip_csum_fold (sum1);
2217 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2219 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2220 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2221 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
2222 snat_det_ses_close(dm1, ses1);
2224 old_port1 = tcp1->dst;
2225 tcp1->dst = new_port1;
2227 sum1 = tcp1->checksum;
2228 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2230 dst_address /* changed member */);
2232 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2233 ip4_header_t /* cheat */,
2234 length /* changed member */);
2235 tcp1->checksum = ip_csum_fold(sum1);
2239 old_port1 = udp1->dst_port;
2240 udp1->dst_port = new_port1;
2246 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2247 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2249 snat_out2in_trace_t *t =
2250 vlib_add_trace (vm, node, b1, sizeof (*t));
2251 t->sw_if_index = sw_if_index1;
2252 t->next_index = next1;
2253 t->session_index = ~0;
2255 t->session_index = ses1 - dm1->sessions;
2258 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
2260 /* verify speculative enqueues, maybe switch current next frame */
2261 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2262 to_next, n_left_to_next,
2263 bi0, bi1, next0, next1);
2266 while (n_left_from > 0 && n_left_to_next > 0)
2270 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2274 ip4_address_t new_addr0, old_addr0;
2275 u16 new_port0, old_port0;
2276 udp_header_t * udp0;
2277 tcp_header_t * tcp0;
2279 snat_det_out_key_t key0;
2280 snat_det_map_t * dm0;
2281 snat_det_session_t * ses0 = 0;
2283 icmp46_header_t * icmp0;
2285 /* speculatively enqueue b0 to the current next frame */
2291 n_left_to_next -= 1;
2293 b0 = vlib_get_buffer (vm, bi0);
2295 ip0 = vlib_buffer_get_current (b0);
2296 udp0 = ip4_next_header (ip0);
2297 tcp0 = (tcp_header_t *) udp0;
2299 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2301 if (PREDICT_FALSE(ip0->ttl == 1))
2303 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2304 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2305 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2307 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2311 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2313 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2315 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2316 icmp0 = (icmp46_header_t *) udp0;
2318 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2319 rx_fib_index0, node, next0, thread_index,
2324 key0.ext_host_addr = ip0->src_address;
2325 key0.ext_host_port = tcp0->src;
2326 key0.out_port = tcp0->dst;
2328 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2329 if (PREDICT_FALSE(!dm0))
2331 clib_warning("unknown dst address: %U",
2332 format_ip4_address, &ip0->dst_address);
2333 next0 = SNAT_OUT2IN_NEXT_DROP;
2334 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2338 snat_det_reverse(dm0, &ip0->dst_address,
2339 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2341 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2342 if (PREDICT_FALSE(!ses0))
2344 clib_warning("no match src %U:%d dst %U:%d for user %U",
2345 format_ip4_address, &ip0->src_address,
2346 clib_net_to_host_u16 (tcp0->src),
2347 format_ip4_address, &ip0->dst_address,
2348 clib_net_to_host_u16 (tcp0->dst),
2349 format_ip4_address, &new_addr0);
2350 next0 = SNAT_OUT2IN_NEXT_DROP;
2351 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2354 new_port0 = ses0->in_port;
2356 old_addr0 = ip0->dst_address;
2357 ip0->dst_address = new_addr0;
2358 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2360 sum0 = ip0->checksum;
2361 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2363 dst_address /* changed member */);
2364 ip0->checksum = ip_csum_fold (sum0);
2366 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2368 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2369 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2370 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2371 snat_det_ses_close(dm0, ses0);
2373 old_port0 = tcp0->dst;
2374 tcp0->dst = new_port0;
2376 sum0 = tcp0->checksum;
2377 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2379 dst_address /* changed member */);
2381 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2382 ip4_header_t /* cheat */,
2383 length /* changed member */);
2384 tcp0->checksum = ip_csum_fold(sum0);
2388 old_port0 = udp0->dst_port;
2389 udp0->dst_port = new_port0;
2395 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2396 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2398 snat_out2in_trace_t *t =
2399 vlib_add_trace (vm, node, b0, sizeof (*t));
2400 t->sw_if_index = sw_if_index0;
2401 t->next_index = next0;
2402 t->session_index = ~0;
2404 t->session_index = ses0 - dm0->sessions;
2407 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2409 /* verify speculative enqueue, maybe switch current next frame */
2410 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2411 to_next, n_left_to_next,
2415 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2418 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
2419 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2421 return frame->n_vectors;
2424 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
2425 .function = snat_det_out2in_node_fn,
2426 .name = "nat44-det-out2in",
2427 .vector_size = sizeof (u32),
2428 .format_trace = format_snat_out2in_trace,
2429 .type = VLIB_NODE_TYPE_INTERNAL,
2431 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2432 .error_strings = snat_out2in_error_strings,
2434 .runtime_data_bytes = sizeof (snat_runtime_t),
2436 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2438 /* edit / add dispositions here */
2440 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2441 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2442 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2443 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2446 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
2449 * Get address and port values to be used for ICMP packet translation
2450 * and create session if needed
2452 * @param[in,out] sm NAT main
2453 * @param[in,out] node NAT node runtime
2454 * @param[in] thread_index thread index
2455 * @param[in,out] b0 buffer containing packet to be translated
2456 * @param[out] p_proto protocol used for matching
2457 * @param[out] p_value address and port after NAT translation
2458 * @param[out] p_dont_translate if packet should not be translated
2459 * @param d optional parameter
2460 * @param e optional parameter
2462 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
2463 u32 thread_index, vlib_buffer_t *b0,
2464 ip4_header_t *ip0, u8 *p_proto,
2465 snat_session_key_t *p_value,
2466 u8 *p_dont_translate, void *d, void *e)
2468 icmp46_header_t *icmp0;
2471 snat_det_out_key_t key0;
2472 u8 dont_translate = 0;
2474 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2475 ip4_header_t *inner_ip0;
2476 void *l4_header = 0;
2477 icmp46_header_t *inner_icmp0;
2478 snat_det_map_t * dm0 = 0;
2479 ip4_address_t new_addr0 = {{0}};
2480 snat_det_session_t * ses0 = 0;
2481 ip4_address_t out_addr;
2483 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2484 echo0 = (icmp_echo_header_t *)(icmp0+1);
2485 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2487 if (!icmp_is_error_message (icmp0))
2489 protocol = SNAT_PROTOCOL_ICMP;
2490 key0.ext_host_addr = ip0->src_address;
2491 key0.ext_host_port = 0;
2492 key0.out_port = echo0->identifier;
2493 out_addr = ip0->dst_address;
2497 inner_ip0 = (ip4_header_t *)(echo0+1);
2498 l4_header = ip4_next_header (inner_ip0);
2499 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2500 key0.ext_host_addr = inner_ip0->dst_address;
2501 out_addr = inner_ip0->src_address;
2504 case SNAT_PROTOCOL_ICMP:
2505 inner_icmp0 = (icmp46_header_t*)l4_header;
2506 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2507 key0.ext_host_port = 0;
2508 key0.out_port = inner_echo0->identifier;
2510 case SNAT_PROTOCOL_UDP:
2511 case SNAT_PROTOCOL_TCP:
2512 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2513 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
2516 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
2517 next0 = SNAT_OUT2IN_NEXT_DROP;
2522 dm0 = snat_det_map_by_out(sm, &out_addr);
2523 if (PREDICT_FALSE(!dm0))
2525 /* Don't NAT packet aimed at the intfc address */
2526 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2527 ip0->dst_address.as_u32)))
2532 clib_warning("unknown dst address: %U",
2533 format_ip4_address, &ip0->dst_address);
2537 snat_det_reverse(dm0, &ip0->dst_address,
2538 clib_net_to_host_u16(key0.out_port), &new_addr0);
2540 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2541 if (PREDICT_FALSE(!ses0))
2543 /* Don't NAT packet aimed at the intfc address */
2544 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2545 ip0->dst_address.as_u32)))
2550 clib_warning("no match src %U:%d dst %U:%d for user %U",
2551 format_ip4_address, &key0.ext_host_addr,
2552 clib_net_to_host_u16 (key0.ext_host_port),
2553 format_ip4_address, &out_addr,
2554 clib_net_to_host_u16 (key0.out_port),
2555 format_ip4_address, &new_addr0);
2556 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2557 next0 = SNAT_OUT2IN_NEXT_DROP;
2561 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
2562 !icmp_is_error_message (icmp0)))
2564 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
2565 next0 = SNAT_OUT2IN_NEXT_DROP;
2572 *p_proto = protocol;
2575 p_value->addr = new_addr0;
2576 p_value->fib_index = sm->inside_fib_index;
2577 p_value->port = ses0->in_port;
2579 *p_dont_translate = dont_translate;
2581 *(snat_det_session_t**)d = ses0;
2583 *(snat_det_map_t**)e = dm0;
2587 /**********************/
2588 /*** worker handoff ***/
2589 /**********************/
2591 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
2592 vlib_node_runtime_t * node,
2593 vlib_frame_t * frame)
2595 snat_main_t *sm = &snat_main;
2596 vlib_thread_main_t *tm = vlib_get_thread_main ();
2597 u32 n_left_from, *from, *to_next = 0;
2598 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2599 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2601 vlib_frame_queue_elt_t *hf = 0;
2602 vlib_frame_t *f = 0;
2604 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2605 u32 next_worker_index = 0;
2606 u32 current_worker_index = ~0;
2607 u32 thread_index = vlib_get_thread_index ();
2609 ASSERT (vec_len (sm->workers));
2611 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2613 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2615 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2616 sm->first_worker_index + sm->num_workers - 1,
2617 (vlib_frame_queue_t *) (~0));
2620 from = vlib_frame_vector_args (frame);
2621 n_left_from = frame->n_vectors;
2623 while (n_left_from > 0)
2636 b0 = vlib_get_buffer (vm, bi0);
2638 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2639 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2641 ip0 = vlib_buffer_get_current (b0);
2643 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
2645 if (PREDICT_FALSE (next_worker_index != thread_index))
2649 if (next_worker_index != current_worker_index)
2652 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2654 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
2656 handoff_queue_elt_by_worker_index);
2658 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2659 to_next_worker = &hf->buffer_index[hf->n_vectors];
2660 current_worker_index = next_worker_index;
2663 /* enqueue to correct worker thread */
2664 to_next_worker[0] = bi0;
2666 n_left_to_next_worker--;
2668 if (n_left_to_next_worker == 0)
2670 hf->n_vectors = VLIB_FRAME_SIZE;
2671 vlib_put_frame_queue_elt (hf);
2672 current_worker_index = ~0;
2673 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2680 /* if this is 1st frame */
2683 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
2684 to_next = vlib_frame_vector_args (f);
2692 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2693 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2695 snat_out2in_worker_handoff_trace_t *t =
2696 vlib_add_trace (vm, node, b0, sizeof (*t));
2697 t->next_worker_index = next_worker_index;
2698 t->do_handoff = do_handoff;
2703 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
2706 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2708 /* Ship frames to the worker nodes */
2709 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2711 if (handoff_queue_elt_by_worker_index[i])
2713 hf = handoff_queue_elt_by_worker_index[i];
2715 * It works better to let the handoff node
2716 * rate-adapt, always ship the handoff queue element.
2718 if (1 || hf->n_vectors == hf->last_n_vectors)
2720 vlib_put_frame_queue_elt (hf);
2721 handoff_queue_elt_by_worker_index[i] = 0;
2724 hf->last_n_vectors = hf->n_vectors;
2726 congested_handoff_queue_by_worker_index[i] =
2727 (vlib_frame_queue_t *) (~0);
2730 current_worker_index = ~0;
2731 return frame->n_vectors;
2734 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
2735 .function = snat_out2in_worker_handoff_fn,
2736 .name = "nat44-out2in-worker-handoff",
2737 .vector_size = sizeof (u32),
2738 .format_trace = format_snat_out2in_worker_handoff_trace,
2739 .type = VLIB_NODE_TYPE_INTERNAL,
2748 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
2751 snat_out2in_fast_node_fn (vlib_main_t * vm,
2752 vlib_node_runtime_t * node,
2753 vlib_frame_t * frame)
2755 u32 n_left_from, * from, * to_next;
2756 snat_out2in_next_t next_index;
2757 u32 pkts_processed = 0;
2758 snat_main_t * sm = &snat_main;
2760 from = vlib_frame_vector_args (frame);
2761 n_left_from = frame->n_vectors;
2762 next_index = node->cached_next_index;
2764 while (n_left_from > 0)
2768 vlib_get_next_frame (vm, node, next_index,
2769 to_next, n_left_to_next);
2771 while (n_left_from > 0 && n_left_to_next > 0)
2775 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
2779 u32 new_addr0, old_addr0;
2780 u16 new_port0, old_port0;
2781 udp_header_t * udp0;
2782 tcp_header_t * tcp0;
2783 icmp46_header_t * icmp0;
2784 snat_session_key_t key0, sm0;
2788 /* speculatively enqueue b0 to the current next frame */
2794 n_left_to_next -= 1;
2796 b0 = vlib_get_buffer (vm, bi0);
2798 ip0 = vlib_buffer_get_current (b0);
2799 udp0 = ip4_next_header (ip0);
2800 tcp0 = (tcp_header_t *) udp0;
2801 icmp0 = (icmp46_header_t *) udp0;
2803 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2804 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2806 vnet_feature_next (sw_if_index0, &next0, b0);
2808 if (PREDICT_FALSE(ip0->ttl == 1))
2810 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2811 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2812 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2814 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2818 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2820 if (PREDICT_FALSE (proto0 == ~0))
2823 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2825 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2826 rx_fib_index0, node, next0, ~0, 0, 0);
2830 key0.addr = ip0->dst_address;
2831 key0.port = udp0->dst_port;
2832 key0.fib_index = rx_fib_index0;
2834 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
2836 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2840 new_addr0 = sm0.addr.as_u32;
2841 new_port0 = sm0.port;
2842 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2843 old_addr0 = ip0->dst_address.as_u32;
2844 ip0->dst_address.as_u32 = new_addr0;
2846 sum0 = ip0->checksum;
2847 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2849 dst_address /* changed member */);
2850 ip0->checksum = ip_csum_fold (sum0);
2852 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2854 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2856 old_port0 = tcp0->dst_port;
2857 tcp0->dst_port = new_port0;
2859 sum0 = tcp0->checksum;
2860 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2862 dst_address /* changed member */);
2864 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2865 ip4_header_t /* cheat */,
2866 length /* changed member */);
2867 tcp0->checksum = ip_csum_fold(sum0);
2871 old_port0 = udp0->dst_port;
2872 udp0->dst_port = new_port0;
2878 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2880 sum0 = tcp0->checksum;
2881 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2883 dst_address /* changed member */);
2885 tcp0->checksum = ip_csum_fold(sum0);
2891 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2892 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2894 snat_out2in_trace_t *t =
2895 vlib_add_trace (vm, node, b0, sizeof (*t));
2896 t->sw_if_index = sw_if_index0;
2897 t->next_index = next0;
2900 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2902 /* verify speculative enqueue, maybe switch current next frame */
2903 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2904 to_next, n_left_to_next,
2908 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2911 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
2912 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2914 return frame->n_vectors;
2917 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
2918 .function = snat_out2in_fast_node_fn,
2919 .name = "nat44-out2in-fast",
2920 .vector_size = sizeof (u32),
2921 .format_trace = format_snat_out2in_fast_trace,
2922 .type = VLIB_NODE_TYPE_INTERNAL,
2924 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2925 .error_strings = snat_out2in_error_strings,
2927 .runtime_data_bytes = sizeof (snat_runtime_t),
2929 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2931 /* edit / add dispositions here */
2933 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2934 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2935 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2936 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2939 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob