2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
28 #include <nat/nat_reass.h>
30 #include <vppinfra/hash.h>
31 #include <vppinfra/error.h>
32 #include <vppinfra/elog.h>
38 } snat_out2in_trace_t;
41 u32 next_worker_index;
43 } snat_out2in_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
52 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
53 t->sw_if_index, t->next_index, t->session_index);
57 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
59 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
60 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
61 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
63 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
64 t->sw_if_index, t->next_index);
68 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
70 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
71 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
72 snat_out2in_worker_handoff_trace_t * t =
73 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
76 m = t->do_handoff ? "next worker" : "same worker";
77 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
86 } nat44_out2in_reass_trace_t;
88 static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args)
90 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
91 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
92 nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *);
94 s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s",
95 t->sw_if_index, t->next_index,
96 t->cached ? "cached" : "translated");
101 vlib_node_registration_t snat_out2in_node;
102 vlib_node_registration_t snat_out2in_fast_node;
103 vlib_node_registration_t snat_out2in_worker_handoff_node;
104 vlib_node_registration_t snat_det_out2in_node;
105 vlib_node_registration_t nat44_out2in_reass_node;
107 #define foreach_snat_out2in_error \
108 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
109 _(OUT2IN_PACKETS, "Good out2in packets processed") \
110 _(OUT_OF_PORTS, "Out of ports") \
111 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
112 _(NO_TRANSLATION, "No translation") \
113 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
114 _(DROP_FRAGMENT, "Drop fragment") \
115 _(MAX_REASS, "Maximum reassemblies exceeded") \
116 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
119 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
120 foreach_snat_out2in_error
123 } snat_out2in_error_t;
125 static char * snat_out2in_error_strings[] = {
126 #define _(sym,string) string,
127 foreach_snat_out2in_error
132 SNAT_OUT2IN_NEXT_DROP,
133 SNAT_OUT2IN_NEXT_LOOKUP,
134 SNAT_OUT2IN_NEXT_ICMP_ERROR,
135 SNAT_OUT2IN_NEXT_REASS,
136 SNAT_OUT2IN_NEXT_IN2OUT,
138 } snat_out2in_next_t;
141 * @brief Create session for static mapping.
143 * Create NAT session initiated by host from external network with static
146 * @param sm NAT main.
147 * @param b0 Vlib buffer.
148 * @param in2out In2out NAT44 session key.
149 * @param out2in Out2in NAT44 session key.
150 * @param node Vlib node.
152 * @returns SNAT session if successfully created otherwise 0.
154 static inline snat_session_t *
155 create_session_for_static_mapping (snat_main_t *sm,
157 snat_session_key_t in2out,
158 snat_session_key_t out2in,
159 vlib_node_runtime_t * node,
164 clib_bihash_kv_8_8_t kv0;
168 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
170 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
174 ip0 = vlib_buffer_get_current (b0);
175 udp0 = ip4_next_header (ip0);
177 u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
180 clib_warning ("create NAT user failed");
184 s = nat_session_alloc_or_recycle (sm, u, thread_index);
187 clib_warning ("create NAT session failed");
191 s->outside_address_index = ~0;
192 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
193 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
194 s->ext_host_port = udp0->src_port;
195 user_session_increment (sm, u, 1 /* static */);
198 s->in2out.protocol = out2in.protocol;
200 /* Add to translation hashes */
201 kv0.key = s->in2out.as_u64;
202 kv0.value = s - sm->per_thread_data[thread_index].sessions;
203 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
205 clib_warning ("in2out key add failed");
207 kv0.key = s->out2in.as_u64;
209 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
211 clib_warning ("out2in key add failed");
214 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
215 s->out2in.addr.as_u32,
219 s->in2out.fib_index);
224 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
225 snat_session_key_t *p_key0)
227 icmp46_header_t *icmp0;
228 snat_session_key_t key0;
229 icmp_echo_header_t *echo0, *inner_echo0 = 0;
230 ip4_header_t *inner_ip0;
232 icmp46_header_t *inner_icmp0;
234 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
235 echo0 = (icmp_echo_header_t *)(icmp0+1);
237 if (!icmp_is_error_message (icmp0))
239 key0.protocol = SNAT_PROTOCOL_ICMP;
240 key0.addr = ip0->dst_address;
241 key0.port = echo0->identifier;
245 inner_ip0 = (ip4_header_t *)(echo0+1);
246 l4_header = ip4_next_header (inner_ip0);
247 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
248 key0.addr = inner_ip0->src_address;
249 switch (key0.protocol)
251 case SNAT_PROTOCOL_ICMP:
252 inner_icmp0 = (icmp46_header_t*)l4_header;
253 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
254 key0.port = inner_echo0->identifier;
256 case SNAT_PROTOCOL_UDP:
257 case SNAT_PROTOCOL_TCP:
258 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
261 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
265 return -1; /* success */
268 static_always_inline int
269 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
271 icmp46_header_t *icmp0;
272 nat_ed_ses_key_t key0;
273 icmp_echo_header_t *echo0, *inner_echo0 = 0;
274 ip4_header_t *inner_ip0;
276 icmp46_header_t *inner_icmp0;
278 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
279 echo0 = (icmp_echo_header_t *)(icmp0+1);
281 if (!icmp_is_error_message (icmp0))
283 key0.proto = IP_PROTOCOL_ICMP;
284 key0.l_addr = ip0->dst_address;
285 key0.r_addr = ip0->src_address;
286 key0.l_port = key0.r_port = echo0->identifier;
290 inner_ip0 = (ip4_header_t *)(echo0+1);
291 l4_header = ip4_next_header (inner_ip0);
292 key0.proto = inner_ip0->protocol;
293 key0.l_addr = inner_ip0->src_address;
294 key0.r_addr = inner_ip0->dst_address;
295 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
297 case SNAT_PROTOCOL_ICMP:
298 inner_icmp0 = (icmp46_header_t*)l4_header;
299 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
300 key0.l_port = key0.r_port = inner_echo0->identifier;
302 case SNAT_PROTOCOL_UDP:
303 case SNAT_PROTOCOL_TCP:
304 key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port;
305 key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port;
316 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port,
319 snat_session_key_t key;
320 clib_bihash_kv_8_8_t kv, value;
322 key.addr = ip->src_address;
324 key.protocol = proto;
325 key.fib_index = sm->inside_fib_index;
328 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv,
336 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
339 nat_ed_ses_key_t key;
340 clib_bihash_kv_16_8_t kv, value;
343 snat_session_t *s = 0;
344 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
346 if (ip->protocol == IP_PROTOCOL_ICMP)
348 if (icmp_get_ed_key (ip, &key))
351 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
353 udp = ip4_next_header(ip);
354 key.r_addr = ip->src_address;
355 key.l_addr = ip->dst_address;
356 key.proto = ip->protocol;
357 key.l_port = udp->dst_port;
358 key.r_port = udp->src_port;
362 key.r_addr = ip->src_address;
363 key.l_addr = ip->dst_address;
364 key.proto = ip->protocol;
365 key.l_port = key.r_port = 0;
368 kv.key[0] = key.as_u64[0];
369 kv.key[1] = key.as_u64[1];
371 if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
373 s = pool_elt_at_index (tsm->sessions, value.value);
377 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
380 u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index, thread_index);
383 clib_warning ("create NAT user failed");
387 s = nat_session_alloc_or_recycle (sm, u, thread_index);
390 clib_warning ("create NAT session failed");
394 s->ext_host_addr = key.r_addr;
395 s->ext_host_port = key.r_port;
396 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
397 s->outside_address_index = ~0;
398 s->out2in.addr = key.l_addr;
399 s->out2in.port = key.l_port;
400 s->out2in.protocol = ip_proto_to_snat_proto (key.proto);
401 s->out2in.fib_index = 0;
402 s->in2out = s->out2in;
403 user_session_increment (sm, u, 0);
405 kv.value = s - tsm->sessions;
406 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
407 clib_warning ("in2out_ed key add failed");
410 /* Per-user LRU list maintenance */
411 clib_dlist_remove (tsm->list_pool, s->per_user_index);
412 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
417 * Get address and port values to be used for ICMP packet translation
418 * and create session if needed
420 * @param[in,out] sm NAT main
421 * @param[in,out] node NAT node runtime
422 * @param[in] thread_index thread index
423 * @param[in,out] b0 buffer containing packet to be translated
424 * @param[out] p_proto protocol used for matching
425 * @param[out] p_value address and port after NAT translation
426 * @param[out] p_dont_translate if packet should not be translated
427 * @param d optional parameter
428 * @param e optional parameter
430 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
431 u32 thread_index, vlib_buffer_t *b0,
432 ip4_header_t *ip0, u8 *p_proto,
433 snat_session_key_t *p_value,
434 u8 *p_dont_translate, void *d, void *e)
436 icmp46_header_t *icmp0;
439 snat_session_key_t key0;
440 snat_session_key_t sm0;
441 snat_session_t *s0 = 0;
442 u8 dont_translate = 0;
443 clib_bihash_kv_8_8_t kv0, value0;
448 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
449 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
450 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
454 err = icmp_get_key (ip0, &key0);
457 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
458 next0 = SNAT_OUT2IN_NEXT_DROP;
461 key0.fib_index = rx_fib_index0;
463 kv0.key = key0.as_u64;
465 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
468 /* Try to match static mapping by external address and port,
469 destination address and port in packet */
470 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
472 if (!sm->forwarding_enabled)
474 /* Don't NAT packet aimed at the intfc address */
475 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
476 ip0->dst_address.as_u32)))
481 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
482 next0 = SNAT_OUT2IN_NEXT_DROP;
488 if (next_src_nat(sm, ip0, key0.protocol, key0.port, thread_index))
490 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
493 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
498 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
499 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
501 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
502 next0 = SNAT_OUT2IN_NEXT_DROP;
506 /* Create session initiated by host from external network */
507 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
512 next0 = SNAT_OUT2IN_NEXT_DROP;
518 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
519 icmp0->type != ICMP4_echo_request &&
520 !icmp_is_error_message (icmp0)))
522 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
523 next0 = SNAT_OUT2IN_NEXT_DROP;
527 if (PREDICT_FALSE (value0.value == ~0ULL))
529 nat_ed_ses_key_t key;
530 clib_bihash_kv_16_8_t s_kv, s_value;
534 if (icmp_get_ed_key (ip0, &key))
536 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
537 next0 = SNAT_OUT2IN_NEXT_DROP;
540 key.fib_index = rx_fib_index0;
541 s_kv.key[0] = key.as_u64[0];
542 s_kv.key[1] = key.as_u64[1];
543 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
544 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
548 next0 = SNAT_OUT2IN_NEXT_DROP;
553 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
558 *p_proto = key0.protocol;
560 *p_value = s0->in2out;
561 *p_dont_translate = dont_translate;
563 *(snat_session_t**)d = s0;
568 * Get address and port values to be used for ICMP packet translation
570 * @param[in] sm NAT main
571 * @param[in,out] node NAT node runtime
572 * @param[in] thread_index thread index
573 * @param[in,out] b0 buffer containing packet to be translated
574 * @param[out] p_proto protocol used for matching
575 * @param[out] p_value address and port after NAT translation
576 * @param[out] p_dont_translate if packet should not be translated
577 * @param d optional parameter
578 * @param e optional parameter
580 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
581 u32 thread_index, vlib_buffer_t *b0,
582 ip4_header_t *ip0, u8 *p_proto,
583 snat_session_key_t *p_value,
584 u8 *p_dont_translate, void *d, void *e)
586 icmp46_header_t *icmp0;
589 snat_session_key_t key0;
590 snat_session_key_t sm0;
591 u8 dont_translate = 0;
596 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
597 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
598 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
600 err = icmp_get_key (ip0, &key0);
603 b0->error = node->errors[err];
604 next0 = SNAT_OUT2IN_NEXT_DROP;
607 key0.fib_index = rx_fib_index0;
609 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
611 /* Don't NAT packet aimed at the intfc address */
612 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
617 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
618 next0 = SNAT_OUT2IN_NEXT_DROP;
622 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
623 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
624 !icmp_is_error_message (icmp0)))
626 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
627 next0 = SNAT_OUT2IN_NEXT_DROP;
634 *p_proto = key0.protocol;
635 *p_dont_translate = dont_translate;
639 static inline u32 icmp_out2in (snat_main_t *sm,
642 icmp46_header_t * icmp0,
645 vlib_node_runtime_t * node,
651 snat_session_key_t sm0;
653 icmp_echo_header_t *echo0, *inner_echo0 = 0;
654 ip4_header_t *inner_ip0 = 0;
656 icmp46_header_t *inner_icmp0;
658 u32 new_addr0, old_addr0;
659 u16 old_id0, new_id0;
664 echo0 = (icmp_echo_header_t *)(icmp0+1);
666 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
667 &protocol, &sm0, &dont_translate, d, e);
670 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
673 sum0 = ip_incremental_checksum (0, icmp0,
674 ntohs(ip0->length) - ip4_header_bytes (ip0));
675 checksum0 = ~ip_csum_fold (sum0);
676 if (checksum0 != 0 && checksum0 != 0xffff)
678 next0 = SNAT_OUT2IN_NEXT_DROP;
682 old_addr0 = ip0->dst_address.as_u32;
683 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
684 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
686 sum0 = ip0->checksum;
687 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
688 dst_address /* changed member */);
689 ip0->checksum = ip_csum_fold (sum0);
691 if (icmp0->checksum == 0)
692 icmp0->checksum = 0xffff;
694 if (!icmp_is_error_message (icmp0))
697 if (PREDICT_FALSE(new_id0 != echo0->identifier))
699 old_id0 = echo0->identifier;
701 echo0->identifier = new_id0;
703 sum0 = icmp0->checksum;
704 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
705 identifier /* changed member */);
706 icmp0->checksum = ip_csum_fold (sum0);
711 inner_ip0 = (ip4_header_t *)(echo0+1);
712 l4_header = ip4_next_header (inner_ip0);
714 if (!ip4_header_checksum_is_valid (inner_ip0))
716 next0 = SNAT_OUT2IN_NEXT_DROP;
720 old_addr0 = inner_ip0->src_address.as_u32;
721 inner_ip0->src_address = sm0.addr;
722 new_addr0 = inner_ip0->src_address.as_u32;
724 sum0 = icmp0->checksum;
725 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
726 src_address /* changed member */);
727 icmp0->checksum = ip_csum_fold (sum0);
731 case SNAT_PROTOCOL_ICMP:
732 inner_icmp0 = (icmp46_header_t*)l4_header;
733 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
735 old_id0 = inner_echo0->identifier;
737 inner_echo0->identifier = new_id0;
739 sum0 = icmp0->checksum;
740 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
742 icmp0->checksum = ip_csum_fold (sum0);
744 case SNAT_PROTOCOL_UDP:
745 case SNAT_PROTOCOL_TCP:
746 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
748 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
750 sum0 = icmp0->checksum;
751 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
753 icmp0->checksum = ip_csum_fold (sum0);
765 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
768 icmp46_header_t * icmp0,
771 vlib_node_runtime_t * node,
774 snat_session_t ** p_s0)
776 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
777 next0, thread_index, p_s0, 0);
778 snat_session_t * s0 = *p_s0;
779 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
782 s0->last_heard = now;
784 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
785 /* Per-user LRU list maintenance */
786 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
788 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
789 s0->per_user_list_head_index,
795 static snat_session_t *
796 snat_out2in_unknown_proto (snat_main_t *sm,
803 vlib_node_runtime_t * node)
805 clib_bihash_kv_8_8_t kv, value;
806 clib_bihash_kv_16_8_t s_kv, s_value;
807 snat_static_mapping_t *m;
808 snat_session_key_t m_key;
809 u32 old_addr, new_addr;
811 nat_ed_ses_key_t key;
813 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
816 old_addr = ip->dst_address.as_u32;
818 key.l_addr = ip->dst_address;
819 key.r_addr = ip->src_address;
820 key.fib_index = rx_fib_index;
821 key.proto = ip->protocol;
824 s_kv.key[0] = key.as_u64[0];
825 s_kv.key[1] = key.as_u64[1];
827 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
829 s = pool_elt_at_index (tsm->sessions, s_value.value);
830 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
834 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
836 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
840 m_key.addr = ip->dst_address;
843 m_key.fib_index = rx_fib_index;
844 kv.key = m_key.as_u64;
845 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
847 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
851 m = pool_elt_at_index (sm->static_mappings, value.value);
853 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
855 u = nat_user_get_or_create (sm, &ip->src_address, m->fib_index,
859 clib_warning ("create NAT user failed");
863 /* Create a new session */
864 s = nat_session_alloc_or_recycle (sm, u, thread_index);
867 clib_warning ("create NAT session failed");
871 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
872 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
873 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
874 s->outside_address_index = ~0;
875 s->out2in.addr.as_u32 = old_addr;
876 s->out2in.fib_index = rx_fib_index;
877 s->in2out.addr.as_u32 = new_addr;
878 s->in2out.fib_index = m->fib_index;
879 s->in2out.port = s->out2in.port = ip->protocol;
880 user_session_increment (sm, u, 1 /* static */);
882 /* Add to lookup tables */
883 s_kv.value = s - tsm->sessions;
884 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
885 clib_warning ("out2in key add failed");
887 key.l_addr = ip->dst_address;
888 key.fib_index = m->fib_index;
889 s_kv.key[0] = key.as_u64[0];
890 s_kv.key[1] = key.as_u64[1];
891 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
892 clib_warning ("in2out key add failed");
895 /* Update IP checksum */
897 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
898 ip->checksum = ip_csum_fold (sum);
900 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
905 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
906 /* Per-user LRU list maintenance */
907 clib_dlist_remove (tsm->list_pool, s->per_user_index);
908 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
914 static snat_session_t *
915 snat_out2in_lb (snat_main_t *sm,
922 vlib_node_runtime_t * node)
924 nat_ed_ses_key_t key;
925 clib_bihash_kv_16_8_t s_kv, s_value;
926 udp_header_t *udp = ip4_next_header (ip);
927 tcp_header_t *tcp = (tcp_header_t *) udp;
928 snat_session_t *s = 0;
929 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
930 snat_session_key_t e_key, l_key;
931 u32 old_addr, new_addr;
932 u32 proto = ip_proto_to_snat_proto (ip->protocol);
933 u16 new_port, old_port;
937 snat_session_key_t eh_key;
940 old_addr = ip->dst_address.as_u32;
942 key.l_addr = ip->dst_address;
943 key.r_addr = ip->src_address;
944 key.fib_index = rx_fib_index;
945 key.proto = ip->protocol;
946 key.r_port = udp->src_port;
947 key.l_port = udp->dst_port;
948 s_kv.key[0] = key.as_u64[0];
949 s_kv.key[1] = key.as_u64[1];
951 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
953 s = pool_elt_at_index (tsm->sessions, s_value.value);
957 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
959 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
963 e_key.addr = ip->dst_address;
964 e_key.port = udp->dst_port;
965 e_key.protocol = proto;
966 e_key.fib_index = rx_fib_index;
967 if (snat_static_mapping_match(sm, e_key, &l_key, 1, 0, &twice_nat, &lb))
970 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index,
974 clib_warning ("create NAT user failed");
978 s = nat_session_alloc_or_recycle (sm, u, thread_index);
981 clib_warning ("create NAT session failed");
985 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
986 s->ext_host_port = udp->src_port;
987 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
989 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
990 s->outside_address_index = ~0;
993 user_session_increment (sm, u, 1 /* static */);
995 /* Add to lookup tables */
996 s_kv.value = s - tsm->sessions;
997 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
998 clib_warning ("out2in-ed key add failed");
1002 eh_key.protocol = proto;
1003 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
1004 thread_index, &eh_key,
1006 sm->port_per_thread,
1007 sm->per_thread_data[thread_index].snat_thread_index))
1009 b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS];
1012 key.r_addr.as_u32 = s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
1013 key.r_port = s->ext_host_nat_port = eh_key.port;
1014 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
1016 key.l_addr = l_key.addr;
1017 key.fib_index = l_key.fib_index;
1018 key.l_port = l_key.port;
1019 s_kv.key[0] = key.as_u64[0];
1020 s_kv.key[1] = key.as_u64[1];
1021 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
1022 clib_warning ("in2out-ed key add failed");
1025 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1027 /* Update IP checksum */
1029 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1030 if (is_twice_nat_session (s))
1031 sum = ip_csum_update (sum, ip->src_address.as_u32,
1032 s->ext_host_nat_addr.as_u32, ip4_header_t,
1034 ip->checksum = ip_csum_fold (sum);
1036 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
1038 old_port = tcp->dst_port;
1039 tcp->dst_port = s->in2out.port;
1040 new_port = tcp->dst_port;
1042 sum = tcp->checksum;
1043 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
1044 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
1045 if (is_twice_nat_session (s))
1047 sum = ip_csum_update (sum, ip->src_address.as_u32,
1048 s->ext_host_nat_addr.as_u32, ip4_header_t,
1050 sum = ip_csum_update (sum, tcp->src_port, s->ext_host_nat_port,
1051 ip4_header_t, length);
1052 tcp->src_port = s->ext_host_nat_port;
1053 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1055 tcp->checksum = ip_csum_fold(sum);
1059 udp->dst_port = s->in2out.port;
1060 if (is_twice_nat_session (s))
1062 udp->src_port = s->ext_host_nat_port;
1063 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1068 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1071 s->last_heard = now;
1073 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1074 /* Per-user LRU list maintenance */
1075 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1076 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1083 snat_out2in_node_fn (vlib_main_t * vm,
1084 vlib_node_runtime_t * node,
1085 vlib_frame_t * frame)
1087 u32 n_left_from, * from, * to_next;
1088 snat_out2in_next_t next_index;
1089 u32 pkts_processed = 0;
1090 snat_main_t * sm = &snat_main;
1091 f64 now = vlib_time_now (vm);
1092 u32 thread_index = vlib_get_thread_index ();
1094 from = vlib_frame_vector_args (frame);
1095 n_left_from = frame->n_vectors;
1096 next_index = node->cached_next_index;
1098 while (n_left_from > 0)
1102 vlib_get_next_frame (vm, node, next_index,
1103 to_next, n_left_to_next);
1105 while (n_left_from >= 4 && n_left_to_next >= 2)
1108 vlib_buffer_t * b0, * b1;
1109 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1110 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1111 u32 sw_if_index0, sw_if_index1;
1112 ip4_header_t * ip0, *ip1;
1113 ip_csum_t sum0, sum1;
1114 u32 new_addr0, old_addr0;
1115 u16 new_port0, old_port0;
1116 u32 new_addr1, old_addr1;
1117 u16 new_port1, old_port1;
1118 udp_header_t * udp0, * udp1;
1119 tcp_header_t * tcp0, * tcp1;
1120 icmp46_header_t * icmp0, * icmp1;
1121 snat_session_key_t key0, key1, sm0, sm1;
1122 u32 rx_fib_index0, rx_fib_index1;
1124 snat_session_t * s0 = 0, * s1 = 0;
1125 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
1127 /* Prefetch next iteration. */
1129 vlib_buffer_t * p2, * p3;
1131 p2 = vlib_get_buffer (vm, from[2]);
1132 p3 = vlib_get_buffer (vm, from[3]);
1134 vlib_prefetch_buffer_header (p2, LOAD);
1135 vlib_prefetch_buffer_header (p3, LOAD);
1137 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1138 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1141 /* speculatively enqueue b0 and b1 to the current next frame */
1142 to_next[0] = bi0 = from[0];
1143 to_next[1] = bi1 = from[1];
1147 n_left_to_next -= 2;
1149 b0 = vlib_get_buffer (vm, bi0);
1150 b1 = vlib_get_buffer (vm, bi1);
1152 vnet_buffer (b0)->snat.flags = 0;
1153 vnet_buffer (b1)->snat.flags = 0;
1155 ip0 = vlib_buffer_get_current (b0);
1156 udp0 = ip4_next_header (ip0);
1157 tcp0 = (tcp_header_t *) udp0;
1158 icmp0 = (icmp46_header_t *) udp0;
1160 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1161 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1164 if (PREDICT_FALSE(ip0->ttl == 1))
1166 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1167 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1168 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1170 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1174 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1176 if (PREDICT_FALSE (proto0 == ~0))
1178 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1179 thread_index, now, vm, node);
1180 if (!sm->forwarding_enabled)
1182 next0 = SNAT_OUT2IN_NEXT_DROP;
1186 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1188 next0 = icmp_out2in_slow_path
1189 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1190 next0, now, thread_index, &s0);
1194 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1196 next0 = SNAT_OUT2IN_NEXT_REASS;
1200 key0.addr = ip0->dst_address;
1201 key0.port = udp0->dst_port;
1202 key0.protocol = proto0;
1203 key0.fib_index = rx_fib_index0;
1205 kv0.key = key0.as_u64;
1207 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1210 /* Try to match static mapping by external address and port,
1211 destination address and port in packet */
1212 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1215 * Send DHCP packets to the ipv4 stack, or we won't
1216 * be able to use dhcp client on the outside interface
1218 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1219 && (udp0->dst_port ==
1220 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1223 (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0);
1227 if (!sm->forwarding_enabled)
1229 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1230 next0 = SNAT_OUT2IN_NEXT_DROP;
1235 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1237 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1240 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
1245 /* Create session initiated by host from external network */
1246 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1250 next0 = SNAT_OUT2IN_NEXT_DROP;
1256 if (PREDICT_FALSE (value0.value == ~0ULL))
1258 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1261 next0 = SNAT_OUT2IN_NEXT_DROP;
1266 s0 = pool_elt_at_index (
1267 sm->per_thread_data[thread_index].sessions,
1272 old_addr0 = ip0->dst_address.as_u32;
1273 ip0->dst_address = s0->in2out.addr;
1274 new_addr0 = ip0->dst_address.as_u32;
1275 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1277 sum0 = ip0->checksum;
1278 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1280 dst_address /* changed member */);
1281 ip0->checksum = ip_csum_fold (sum0);
1283 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1285 old_port0 = tcp0->dst_port;
1286 tcp0->dst_port = s0->in2out.port;
1287 new_port0 = tcp0->dst_port;
1289 sum0 = tcp0->checksum;
1290 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1292 dst_address /* changed member */);
1294 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1295 ip4_header_t /* cheat */,
1296 length /* changed member */);
1297 tcp0->checksum = ip_csum_fold(sum0);
1301 old_port0 = udp0->dst_port;
1302 udp0->dst_port = s0->in2out.port;
1307 s0->last_heard = now;
1309 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1310 /* Per-user LRU list maintenance */
1311 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1312 s0->per_user_index);
1313 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1314 s0->per_user_list_head_index,
1315 s0->per_user_index);
1318 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1319 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1321 snat_out2in_trace_t *t =
1322 vlib_add_trace (vm, node, b0, sizeof (*t));
1323 t->sw_if_index = sw_if_index0;
1324 t->next_index = next0;
1325 t->session_index = ~0;
1327 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1330 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1333 ip1 = vlib_buffer_get_current (b1);
1334 udp1 = ip4_next_header (ip1);
1335 tcp1 = (tcp_header_t *) udp1;
1336 icmp1 = (icmp46_header_t *) udp1;
1338 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1339 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1342 if (PREDICT_FALSE(ip1->ttl == 1))
1344 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1345 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1346 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1348 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1352 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1354 if (PREDICT_FALSE (proto1 == ~0))
1356 s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
1357 thread_index, now, vm, node);
1358 if (!sm->forwarding_enabled)
1360 next1 = SNAT_OUT2IN_NEXT_DROP;
1364 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1366 next1 = icmp_out2in_slow_path
1367 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1368 next1, now, thread_index, &s1);
1372 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
1374 next1 = SNAT_OUT2IN_NEXT_REASS;
1378 key1.addr = ip1->dst_address;
1379 key1.port = udp1->dst_port;
1380 key1.protocol = proto1;
1381 key1.fib_index = rx_fib_index1;
1383 kv1.key = key1.as_u64;
1385 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1388 /* Try to match static mapping by external address and port,
1389 destination address and port in packet */
1390 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0, 0))
1393 * Send DHCP packets to the ipv4 stack, or we won't
1394 * be able to use dhcp client on the outside interface
1396 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
1397 && (udp1->dst_port ==
1398 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1401 (vnet_buffer (b1)->sw_if_index[VLIB_RX], &next1, b1);
1405 if (!sm->forwarding_enabled)
1407 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1408 next1 = SNAT_OUT2IN_NEXT_DROP;
1413 if (next_src_nat(sm, ip1, proto1, udp1->src_port, thread_index))
1415 next1 = SNAT_OUT2IN_NEXT_IN2OUT;
1418 create_bypass_for_fwd(sm, ip1, rx_fib_index1, thread_index);
1423 /* Create session initiated by host from external network */
1424 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
1428 next1 = SNAT_OUT2IN_NEXT_DROP;
1434 if (PREDICT_FALSE (value1.value == ~0ULL))
1436 s1 = snat_out2in_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1439 next1 = SNAT_OUT2IN_NEXT_DROP;
1444 s1 = pool_elt_at_index (
1445 sm->per_thread_data[thread_index].sessions,
1450 old_addr1 = ip1->dst_address.as_u32;
1451 ip1->dst_address = s1->in2out.addr;
1452 new_addr1 = ip1->dst_address.as_u32;
1453 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1455 sum1 = ip1->checksum;
1456 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1458 dst_address /* changed member */);
1459 ip1->checksum = ip_csum_fold (sum1);
1461 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1463 old_port1 = tcp1->dst_port;
1464 tcp1->dst_port = s1->in2out.port;
1465 new_port1 = tcp1->dst_port;
1467 sum1 = tcp1->checksum;
1468 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1470 dst_address /* changed member */);
1472 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1473 ip4_header_t /* cheat */,
1474 length /* changed member */);
1475 tcp1->checksum = ip_csum_fold(sum1);
1479 old_port1 = udp1->dst_port;
1480 udp1->dst_port = s1->in2out.port;
1485 s1->last_heard = now;
1487 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1488 /* Per-user LRU list maintenance */
1489 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1490 s1->per_user_index);
1491 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1492 s1->per_user_list_head_index,
1493 s1->per_user_index);
1496 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1497 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1499 snat_out2in_trace_t *t =
1500 vlib_add_trace (vm, node, b1, sizeof (*t));
1501 t->sw_if_index = sw_if_index1;
1502 t->next_index = next1;
1503 t->session_index = ~0;
1505 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1508 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1510 /* verify speculative enqueues, maybe switch current next frame */
1511 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1512 to_next, n_left_to_next,
1513 bi0, bi1, next0, next1);
1516 while (n_left_from > 0 && n_left_to_next > 0)
1520 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1524 u32 new_addr0, old_addr0;
1525 u16 new_port0, old_port0;
1526 udp_header_t * udp0;
1527 tcp_header_t * tcp0;
1528 icmp46_header_t * icmp0;
1529 snat_session_key_t key0, sm0;
1532 snat_session_t * s0 = 0;
1533 clib_bihash_kv_8_8_t kv0, value0;
1535 /* speculatively enqueue b0 to the current next frame */
1541 n_left_to_next -= 1;
1543 b0 = vlib_get_buffer (vm, bi0);
1545 vnet_buffer (b0)->snat.flags = 0;
1547 ip0 = vlib_buffer_get_current (b0);
1548 udp0 = ip4_next_header (ip0);
1549 tcp0 = (tcp_header_t *) udp0;
1550 icmp0 = (icmp46_header_t *) udp0;
1552 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1553 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1556 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1558 if (PREDICT_FALSE (proto0 == ~0))
1560 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1561 thread_index, now, vm, node);
1562 if (!sm->forwarding_enabled)
1564 next0 = SNAT_OUT2IN_NEXT_DROP;
1568 if (PREDICT_FALSE(ip0->ttl == 1))
1570 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1571 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1572 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1574 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1578 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1580 next0 = icmp_out2in_slow_path
1581 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1582 next0, now, thread_index, &s0);
1586 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1588 next0 = SNAT_OUT2IN_NEXT_REASS;
1592 key0.addr = ip0->dst_address;
1593 key0.port = udp0->dst_port;
1594 key0.protocol = proto0;
1595 key0.fib_index = rx_fib_index0;
1597 kv0.key = key0.as_u64;
1599 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1602 /* Try to match static mapping by external address and port,
1603 destination address and port in packet */
1604 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1607 * Send DHCP packets to the ipv4 stack, or we won't
1608 * be able to use dhcp client on the outside interface
1610 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1611 && (udp0->dst_port ==
1612 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1615 (vnet_buffer (b0)->sw_if_index[VLIB_RX], &next0, b0);
1619 if (!sm->forwarding_enabled)
1621 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1622 next0 = SNAT_OUT2IN_NEXT_DROP;
1627 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1629 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1632 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
1637 /* Create session initiated by host from external network */
1638 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1642 next0 = SNAT_OUT2IN_NEXT_DROP;
1648 if (PREDICT_FALSE (value0.value == ~0ULL))
1650 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1653 next0 = SNAT_OUT2IN_NEXT_DROP;
1658 s0 = pool_elt_at_index (
1659 sm->per_thread_data[thread_index].sessions,
1664 old_addr0 = ip0->dst_address.as_u32;
1665 ip0->dst_address = s0->in2out.addr;
1666 new_addr0 = ip0->dst_address.as_u32;
1667 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1669 sum0 = ip0->checksum;
1670 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1672 dst_address /* changed member */);
1673 ip0->checksum = ip_csum_fold (sum0);
1675 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1677 old_port0 = tcp0->dst_port;
1678 tcp0->dst_port = s0->in2out.port;
1679 new_port0 = tcp0->dst_port;
1681 sum0 = tcp0->checksum;
1682 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1684 dst_address /* changed member */);
1686 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1687 ip4_header_t /* cheat */,
1688 length /* changed member */);
1689 tcp0->checksum = ip_csum_fold(sum0);
1693 old_port0 = udp0->dst_port;
1694 udp0->dst_port = s0->in2out.port;
1699 s0->last_heard = now;
1701 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1702 /* Per-user LRU list maintenance */
1703 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1704 s0->per_user_index);
1705 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1706 s0->per_user_list_head_index,
1707 s0->per_user_index);
1710 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1711 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1713 snat_out2in_trace_t *t =
1714 vlib_add_trace (vm, node, b0, sizeof (*t));
1715 t->sw_if_index = sw_if_index0;
1716 t->next_index = next0;
1717 t->session_index = ~0;
1719 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1722 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1724 /* verify speculative enqueue, maybe switch current next frame */
1725 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1726 to_next, n_left_to_next,
1730 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1733 vlib_node_increment_counter (vm, snat_out2in_node.index,
1734 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1736 return frame->n_vectors;
1739 VLIB_REGISTER_NODE (snat_out2in_node) = {
1740 .function = snat_out2in_node_fn,
1741 .name = "nat44-out2in",
1742 .vector_size = sizeof (u32),
1743 .format_trace = format_snat_out2in_trace,
1744 .type = VLIB_NODE_TYPE_INTERNAL,
1746 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1747 .error_strings = snat_out2in_error_strings,
1749 .runtime_data_bytes = sizeof (snat_runtime_t),
1751 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1753 /* edit / add dispositions here */
1755 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1756 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1757 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1758 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1759 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
1762 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1765 nat44_out2in_reass_node_fn (vlib_main_t * vm,
1766 vlib_node_runtime_t * node,
1767 vlib_frame_t * frame)
1769 u32 n_left_from, *from, *to_next;
1770 snat_out2in_next_t next_index;
1771 u32 pkts_processed = 0;
1772 snat_main_t *sm = &snat_main;
1773 f64 now = vlib_time_now (vm);
1774 u32 thread_index = vlib_get_thread_index ();
1775 snat_main_per_thread_data_t *per_thread_data =
1776 &sm->per_thread_data[thread_index];
1777 u32 *fragments_to_drop = 0;
1778 u32 *fragments_to_loopback = 0;
1780 from = vlib_frame_vector_args (frame);
1781 n_left_from = frame->n_vectors;
1782 next_index = node->cached_next_index;
1784 while (n_left_from > 0)
1788 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1790 while (n_left_from > 0 && n_left_to_next > 0)
1792 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1797 nat_reass_ip4_t *reass0;
1798 udp_header_t * udp0;
1799 tcp_header_t * tcp0;
1800 snat_session_key_t key0, sm0;
1801 clib_bihash_kv_8_8_t kv0, value0;
1802 snat_session_t * s0 = 0;
1803 u16 old_port0, new_port0;
1806 /* speculatively enqueue b0 to the current next frame */
1812 n_left_to_next -= 1;
1814 b0 = vlib_get_buffer (vm, bi0);
1815 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1817 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1818 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1821 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
1823 next0 = SNAT_OUT2IN_NEXT_DROP;
1824 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1828 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1829 udp0 = ip4_next_header (ip0);
1830 tcp0 = (tcp_header_t *) udp0;
1831 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1833 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1838 &fragments_to_drop);
1840 if (PREDICT_FALSE (!reass0))
1842 next0 = SNAT_OUT2IN_NEXT_DROP;
1843 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1847 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1849 key0.addr = ip0->dst_address;
1850 key0.port = udp0->dst_port;
1851 key0.protocol = proto0;
1852 key0.fib_index = rx_fib_index0;
1853 kv0.key = key0.as_u64;
1855 if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0))
1857 /* Try to match static mapping by external address and port,
1858 destination address and port in packet */
1859 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1862 * Send DHCP packets to the ipv4 stack, or we won't
1863 * be able to use dhcp client on the outside interface
1865 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1867 == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1870 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1875 if (!sm->forwarding_enabled)
1877 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1878 next0 = SNAT_OUT2IN_NEXT_DROP;
1883 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1885 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1888 create_bypass_for_fwd(sm, ip0, rx_fib_index0, thread_index);
1893 /* Create session initiated by host from external network */
1894 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1898 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1899 next0 = SNAT_OUT2IN_NEXT_DROP;
1902 reass0->sess_index = s0 - per_thread_data->sessions;
1903 reass0->thread_index = thread_index;
1907 s0 = pool_elt_at_index (per_thread_data->sessions,
1909 reass0->sess_index = value0.value;
1911 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1915 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
1917 if (nat_ip4_reass_add_fragment (reass0, bi0))
1919 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1920 next0 = SNAT_OUT2IN_NEXT_DROP;
1926 s0 = pool_elt_at_index (per_thread_data->sessions,
1927 reass0->sess_index);
1930 old_addr0 = ip0->dst_address.as_u32;
1931 ip0->dst_address = s0->in2out.addr;
1932 new_addr0 = ip0->dst_address.as_u32;
1933 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1935 sum0 = ip0->checksum;
1936 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1938 dst_address /* changed member */);
1939 ip0->checksum = ip_csum_fold (sum0);
1941 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1943 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1945 old_port0 = tcp0->dst_port;
1946 tcp0->dst_port = s0->in2out.port;
1947 new_port0 = tcp0->dst_port;
1949 sum0 = tcp0->checksum;
1950 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1952 dst_address /* changed member */);
1954 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1955 ip4_header_t /* cheat */,
1956 length /* changed member */);
1957 tcp0->checksum = ip_csum_fold(sum0);
1961 old_port0 = udp0->dst_port;
1962 udp0->dst_port = s0->in2out.port;
1968 s0->last_heard = now;
1970 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1971 /* Per-user LRU list maintenance */
1972 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1973 s0->per_user_index);
1974 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1975 s0->per_user_list_head_index,
1976 s0->per_user_index);
1979 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1980 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1982 nat44_out2in_reass_trace_t *t =
1983 vlib_add_trace (vm, node, b0, sizeof (*t));
1984 t->cached = cached0;
1985 t->sw_if_index = sw_if_index0;
1986 t->next_index = next0;
1996 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1998 /* verify speculative enqueue, maybe switch current next frame */
1999 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2000 to_next, n_left_to_next,
2004 if (n_left_from == 0 && vec_len (fragments_to_loopback))
2006 from = vlib_frame_vector_args (frame);
2007 u32 len = vec_len (fragments_to_loopback);
2008 if (len <= VLIB_FRAME_SIZE)
2010 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
2012 vec_reset_length (fragments_to_loopback);
2017 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
2018 sizeof (u32) * VLIB_FRAME_SIZE);
2019 n_left_from = VLIB_FRAME_SIZE;
2020 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
2025 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2028 vlib_node_increment_counter (vm, nat44_out2in_reass_node.index,
2029 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2032 nat_send_all_to_node (vm, fragments_to_drop, node,
2033 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
2034 SNAT_OUT2IN_NEXT_DROP);
2036 vec_free (fragments_to_drop);
2037 vec_free (fragments_to_loopback);
2038 return frame->n_vectors;
2041 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
2042 .function = nat44_out2in_reass_node_fn,
2043 .name = "nat44-out2in-reass",
2044 .vector_size = sizeof (u32),
2045 .format_trace = format_nat44_out2in_reass_trace,
2046 .type = VLIB_NODE_TYPE_INTERNAL,
2048 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2049 .error_strings = snat_out2in_error_strings,
2051 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2053 /* edit / add dispositions here */
2055 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2056 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2057 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2058 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2059 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2062 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
2063 nat44_out2in_reass_node_fn);
2065 /**************************/
2066 /*** deterministic mode ***/
2067 /**************************/
2069 snat_det_out2in_node_fn (vlib_main_t * vm,
2070 vlib_node_runtime_t * node,
2071 vlib_frame_t * frame)
2073 u32 n_left_from, * from, * to_next;
2074 snat_out2in_next_t next_index;
2075 u32 pkts_processed = 0;
2076 snat_main_t * sm = &snat_main;
2077 u32 thread_index = vlib_get_thread_index ();
2079 from = vlib_frame_vector_args (frame);
2080 n_left_from = frame->n_vectors;
2081 next_index = node->cached_next_index;
2083 while (n_left_from > 0)
2087 vlib_get_next_frame (vm, node, next_index,
2088 to_next, n_left_to_next);
2090 while (n_left_from >= 4 && n_left_to_next >= 2)
2093 vlib_buffer_t * b0, * b1;
2094 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2095 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
2096 u32 sw_if_index0, sw_if_index1;
2097 ip4_header_t * ip0, * ip1;
2098 ip_csum_t sum0, sum1;
2099 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2100 u16 new_port0, old_port0, old_port1, new_port1;
2101 udp_header_t * udp0, * udp1;
2102 tcp_header_t * tcp0, * tcp1;
2104 snat_det_out_key_t key0, key1;
2105 snat_det_map_t * dm0, * dm1;
2106 snat_det_session_t * ses0 = 0, * ses1 = 0;
2107 u32 rx_fib_index0, rx_fib_index1;
2108 icmp46_header_t * icmp0, * icmp1;
2110 /* Prefetch next iteration. */
2112 vlib_buffer_t * p2, * p3;
2114 p2 = vlib_get_buffer (vm, from[2]);
2115 p3 = vlib_get_buffer (vm, from[3]);
2117 vlib_prefetch_buffer_header (p2, LOAD);
2118 vlib_prefetch_buffer_header (p3, LOAD);
2120 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2121 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2124 /* speculatively enqueue b0 and b1 to the current next frame */
2125 to_next[0] = bi0 = from[0];
2126 to_next[1] = bi1 = from[1];
2130 n_left_to_next -= 2;
2132 b0 = vlib_get_buffer (vm, bi0);
2133 b1 = vlib_get_buffer (vm, bi1);
2135 ip0 = vlib_buffer_get_current (b0);
2136 udp0 = ip4_next_header (ip0);
2137 tcp0 = (tcp_header_t *) udp0;
2139 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2141 if (PREDICT_FALSE(ip0->ttl == 1))
2143 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2144 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2145 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2147 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2151 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2153 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2155 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2156 icmp0 = (icmp46_header_t *) udp0;
2158 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2159 rx_fib_index0, node, next0, thread_index,
2164 key0.ext_host_addr = ip0->src_address;
2165 key0.ext_host_port = tcp0->src;
2166 key0.out_port = tcp0->dst;
2168 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2169 if (PREDICT_FALSE(!dm0))
2171 clib_warning("unknown dst address: %U",
2172 format_ip4_address, &ip0->dst_address);
2173 next0 = SNAT_OUT2IN_NEXT_DROP;
2174 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2178 snat_det_reverse(dm0, &ip0->dst_address,
2179 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2181 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2182 if (PREDICT_FALSE(!ses0))
2184 clib_warning("no match src %U:%d dst %U:%d for user %U",
2185 format_ip4_address, &ip0->src_address,
2186 clib_net_to_host_u16 (tcp0->src),
2187 format_ip4_address, &ip0->dst_address,
2188 clib_net_to_host_u16 (tcp0->dst),
2189 format_ip4_address, &new_addr0);
2190 next0 = SNAT_OUT2IN_NEXT_DROP;
2191 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2194 new_port0 = ses0->in_port;
2196 old_addr0 = ip0->dst_address;
2197 ip0->dst_address = new_addr0;
2198 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2200 sum0 = ip0->checksum;
2201 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2203 dst_address /* changed member */);
2204 ip0->checksum = ip_csum_fold (sum0);
2206 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2208 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2209 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2210 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2211 snat_det_ses_close(dm0, ses0);
2213 old_port0 = tcp0->dst;
2214 tcp0->dst = new_port0;
2216 sum0 = tcp0->checksum;
2217 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2219 dst_address /* changed member */);
2221 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2222 ip4_header_t /* cheat */,
2223 length /* changed member */);
2224 tcp0->checksum = ip_csum_fold(sum0);
2228 old_port0 = udp0->dst_port;
2229 udp0->dst_port = new_port0;
2235 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2236 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2238 snat_out2in_trace_t *t =
2239 vlib_add_trace (vm, node, b0, sizeof (*t));
2240 t->sw_if_index = sw_if_index0;
2241 t->next_index = next0;
2242 t->session_index = ~0;
2244 t->session_index = ses0 - dm0->sessions;
2247 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2249 b1 = vlib_get_buffer (vm, bi1);
2251 ip1 = vlib_buffer_get_current (b1);
2252 udp1 = ip4_next_header (ip1);
2253 tcp1 = (tcp_header_t *) udp1;
2255 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2257 if (PREDICT_FALSE(ip1->ttl == 1))
2259 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2260 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2261 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2263 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2267 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2269 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2271 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2272 icmp1 = (icmp46_header_t *) udp1;
2274 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
2275 rx_fib_index1, node, next1, thread_index,
2280 key1.ext_host_addr = ip1->src_address;
2281 key1.ext_host_port = tcp1->src;
2282 key1.out_port = tcp1->dst;
2284 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
2285 if (PREDICT_FALSE(!dm1))
2287 clib_warning("unknown dst address: %U",
2288 format_ip4_address, &ip1->dst_address);
2289 next1 = SNAT_OUT2IN_NEXT_DROP;
2290 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2294 snat_det_reverse(dm1, &ip1->dst_address,
2295 clib_net_to_host_u16(tcp1->dst), &new_addr1);
2297 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
2298 if (PREDICT_FALSE(!ses1))
2300 clib_warning("no match src %U:%d dst %U:%d for user %U",
2301 format_ip4_address, &ip1->src_address,
2302 clib_net_to_host_u16 (tcp1->src),
2303 format_ip4_address, &ip1->dst_address,
2304 clib_net_to_host_u16 (tcp1->dst),
2305 format_ip4_address, &new_addr1);
2306 next1 = SNAT_OUT2IN_NEXT_DROP;
2307 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2310 new_port1 = ses1->in_port;
2312 old_addr1 = ip1->dst_address;
2313 ip1->dst_address = new_addr1;
2314 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2316 sum1 = ip1->checksum;
2317 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2319 dst_address /* changed member */);
2320 ip1->checksum = ip_csum_fold (sum1);
2322 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2324 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2325 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2326 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
2327 snat_det_ses_close(dm1, ses1);
2329 old_port1 = tcp1->dst;
2330 tcp1->dst = new_port1;
2332 sum1 = tcp1->checksum;
2333 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2335 dst_address /* changed member */);
2337 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2338 ip4_header_t /* cheat */,
2339 length /* changed member */);
2340 tcp1->checksum = ip_csum_fold(sum1);
2344 old_port1 = udp1->dst_port;
2345 udp1->dst_port = new_port1;
2351 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2352 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2354 snat_out2in_trace_t *t =
2355 vlib_add_trace (vm, node, b1, sizeof (*t));
2356 t->sw_if_index = sw_if_index1;
2357 t->next_index = next1;
2358 t->session_index = ~0;
2360 t->session_index = ses1 - dm1->sessions;
2363 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
2365 /* verify speculative enqueues, maybe switch current next frame */
2366 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2367 to_next, n_left_to_next,
2368 bi0, bi1, next0, next1);
2371 while (n_left_from > 0 && n_left_to_next > 0)
2375 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2379 ip4_address_t new_addr0, old_addr0;
2380 u16 new_port0, old_port0;
2381 udp_header_t * udp0;
2382 tcp_header_t * tcp0;
2384 snat_det_out_key_t key0;
2385 snat_det_map_t * dm0;
2386 snat_det_session_t * ses0 = 0;
2388 icmp46_header_t * icmp0;
2390 /* speculatively enqueue b0 to the current next frame */
2396 n_left_to_next -= 1;
2398 b0 = vlib_get_buffer (vm, bi0);
2400 ip0 = vlib_buffer_get_current (b0);
2401 udp0 = ip4_next_header (ip0);
2402 tcp0 = (tcp_header_t *) udp0;
2404 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2406 if (PREDICT_FALSE(ip0->ttl == 1))
2408 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2409 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2410 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2412 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2416 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2418 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2420 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2421 icmp0 = (icmp46_header_t *) udp0;
2423 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2424 rx_fib_index0, node, next0, thread_index,
2429 key0.ext_host_addr = ip0->src_address;
2430 key0.ext_host_port = tcp0->src;
2431 key0.out_port = tcp0->dst;
2433 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2434 if (PREDICT_FALSE(!dm0))
2436 clib_warning("unknown dst address: %U",
2437 format_ip4_address, &ip0->dst_address);
2438 next0 = SNAT_OUT2IN_NEXT_DROP;
2439 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2443 snat_det_reverse(dm0, &ip0->dst_address,
2444 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2446 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2447 if (PREDICT_FALSE(!ses0))
2449 clib_warning("no match src %U:%d dst %U:%d for user %U",
2450 format_ip4_address, &ip0->src_address,
2451 clib_net_to_host_u16 (tcp0->src),
2452 format_ip4_address, &ip0->dst_address,
2453 clib_net_to_host_u16 (tcp0->dst),
2454 format_ip4_address, &new_addr0);
2455 next0 = SNAT_OUT2IN_NEXT_DROP;
2456 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2459 new_port0 = ses0->in_port;
2461 old_addr0 = ip0->dst_address;
2462 ip0->dst_address = new_addr0;
2463 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2465 sum0 = ip0->checksum;
2466 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2468 dst_address /* changed member */);
2469 ip0->checksum = ip_csum_fold (sum0);
2471 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2473 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2474 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2475 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2476 snat_det_ses_close(dm0, ses0);
2478 old_port0 = tcp0->dst;
2479 tcp0->dst = new_port0;
2481 sum0 = tcp0->checksum;
2482 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2484 dst_address /* changed member */);
2486 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2487 ip4_header_t /* cheat */,
2488 length /* changed member */);
2489 tcp0->checksum = ip_csum_fold(sum0);
2493 old_port0 = udp0->dst_port;
2494 udp0->dst_port = new_port0;
2500 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2501 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2503 snat_out2in_trace_t *t =
2504 vlib_add_trace (vm, node, b0, sizeof (*t));
2505 t->sw_if_index = sw_if_index0;
2506 t->next_index = next0;
2507 t->session_index = ~0;
2509 t->session_index = ses0 - dm0->sessions;
2512 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2514 /* verify speculative enqueue, maybe switch current next frame */
2515 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2516 to_next, n_left_to_next,
2520 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2523 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
2524 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2526 return frame->n_vectors;
2529 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
2530 .function = snat_det_out2in_node_fn,
2531 .name = "nat44-det-out2in",
2532 .vector_size = sizeof (u32),
2533 .format_trace = format_snat_out2in_trace,
2534 .type = VLIB_NODE_TYPE_INTERNAL,
2536 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2537 .error_strings = snat_out2in_error_strings,
2539 .runtime_data_bytes = sizeof (snat_runtime_t),
2541 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2543 /* edit / add dispositions here */
2545 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2546 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2547 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2548 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2549 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2552 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
2555 * Get address and port values to be used for ICMP packet translation
2556 * and create session if needed
2558 * @param[in,out] sm NAT main
2559 * @param[in,out] node NAT node runtime
2560 * @param[in] thread_index thread index
2561 * @param[in,out] b0 buffer containing packet to be translated
2562 * @param[out] p_proto protocol used for matching
2563 * @param[out] p_value address and port after NAT translation
2564 * @param[out] p_dont_translate if packet should not be translated
2565 * @param d optional parameter
2566 * @param e optional parameter
2568 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
2569 u32 thread_index, vlib_buffer_t *b0,
2570 ip4_header_t *ip0, u8 *p_proto,
2571 snat_session_key_t *p_value,
2572 u8 *p_dont_translate, void *d, void *e)
2574 icmp46_header_t *icmp0;
2577 snat_det_out_key_t key0;
2578 u8 dont_translate = 0;
2580 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2581 ip4_header_t *inner_ip0;
2582 void *l4_header = 0;
2583 icmp46_header_t *inner_icmp0;
2584 snat_det_map_t * dm0 = 0;
2585 ip4_address_t new_addr0 = {{0}};
2586 snat_det_session_t * ses0 = 0;
2587 ip4_address_t out_addr;
2589 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2590 echo0 = (icmp_echo_header_t *)(icmp0+1);
2591 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2593 if (!icmp_is_error_message (icmp0))
2595 protocol = SNAT_PROTOCOL_ICMP;
2596 key0.ext_host_addr = ip0->src_address;
2597 key0.ext_host_port = 0;
2598 key0.out_port = echo0->identifier;
2599 out_addr = ip0->dst_address;
2603 inner_ip0 = (ip4_header_t *)(echo0+1);
2604 l4_header = ip4_next_header (inner_ip0);
2605 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2606 key0.ext_host_addr = inner_ip0->dst_address;
2607 out_addr = inner_ip0->src_address;
2610 case SNAT_PROTOCOL_ICMP:
2611 inner_icmp0 = (icmp46_header_t*)l4_header;
2612 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2613 key0.ext_host_port = 0;
2614 key0.out_port = inner_echo0->identifier;
2616 case SNAT_PROTOCOL_UDP:
2617 case SNAT_PROTOCOL_TCP:
2618 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2619 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
2622 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
2623 next0 = SNAT_OUT2IN_NEXT_DROP;
2628 dm0 = snat_det_map_by_out(sm, &out_addr);
2629 if (PREDICT_FALSE(!dm0))
2631 /* Don't NAT packet aimed at the intfc address */
2632 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2633 ip0->dst_address.as_u32)))
2638 clib_warning("unknown dst address: %U",
2639 format_ip4_address, &ip0->dst_address);
2643 snat_det_reverse(dm0, &ip0->dst_address,
2644 clib_net_to_host_u16(key0.out_port), &new_addr0);
2646 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2647 if (PREDICT_FALSE(!ses0))
2649 /* Don't NAT packet aimed at the intfc address */
2650 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2651 ip0->dst_address.as_u32)))
2656 clib_warning("no match src %U:%d dst %U:%d for user %U",
2657 format_ip4_address, &key0.ext_host_addr,
2658 clib_net_to_host_u16 (key0.ext_host_port),
2659 format_ip4_address, &out_addr,
2660 clib_net_to_host_u16 (key0.out_port),
2661 format_ip4_address, &new_addr0);
2662 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2663 next0 = SNAT_OUT2IN_NEXT_DROP;
2667 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
2668 !icmp_is_error_message (icmp0)))
2670 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
2671 next0 = SNAT_OUT2IN_NEXT_DROP;
2678 *p_proto = protocol;
2681 p_value->addr = new_addr0;
2682 p_value->fib_index = sm->inside_fib_index;
2683 p_value->port = ses0->in_port;
2685 *p_dont_translate = dont_translate;
2687 *(snat_det_session_t**)d = ses0;
2689 *(snat_det_map_t**)e = dm0;
2693 /**********************/
2694 /*** worker handoff ***/
2695 /**********************/
2697 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
2698 vlib_node_runtime_t * node,
2699 vlib_frame_t * frame)
2701 snat_main_t *sm = &snat_main;
2702 vlib_thread_main_t *tm = vlib_get_thread_main ();
2703 u32 n_left_from, *from, *to_next = 0;
2704 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2705 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2707 vlib_frame_queue_elt_t *hf = 0;
2708 vlib_frame_t *f = 0;
2710 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2711 u32 next_worker_index = 0;
2712 u32 current_worker_index = ~0;
2713 u32 thread_index = vlib_get_thread_index ();
2715 ASSERT (vec_len (sm->workers));
2717 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2719 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2721 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2722 sm->first_worker_index + sm->num_workers - 1,
2723 (vlib_frame_queue_t *) (~0));
2726 from = vlib_frame_vector_args (frame);
2727 n_left_from = frame->n_vectors;
2729 while (n_left_from > 0)
2742 b0 = vlib_get_buffer (vm, bi0);
2744 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2745 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2747 ip0 = vlib_buffer_get_current (b0);
2749 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
2751 if (PREDICT_FALSE (next_worker_index != thread_index))
2755 if (next_worker_index != current_worker_index)
2758 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2760 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
2762 handoff_queue_elt_by_worker_index);
2764 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2765 to_next_worker = &hf->buffer_index[hf->n_vectors];
2766 current_worker_index = next_worker_index;
2769 /* enqueue to correct worker thread */
2770 to_next_worker[0] = bi0;
2772 n_left_to_next_worker--;
2774 if (n_left_to_next_worker == 0)
2776 hf->n_vectors = VLIB_FRAME_SIZE;
2777 vlib_put_frame_queue_elt (hf);
2778 current_worker_index = ~0;
2779 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2786 /* if this is 1st frame */
2789 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
2790 to_next = vlib_frame_vector_args (f);
2798 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2799 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2801 snat_out2in_worker_handoff_trace_t *t =
2802 vlib_add_trace (vm, node, b0, sizeof (*t));
2803 t->next_worker_index = next_worker_index;
2804 t->do_handoff = do_handoff;
2809 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
2812 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2814 /* Ship frames to the worker nodes */
2815 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2817 if (handoff_queue_elt_by_worker_index[i])
2819 hf = handoff_queue_elt_by_worker_index[i];
2821 * It works better to let the handoff node
2822 * rate-adapt, always ship the handoff queue element.
2824 if (1 || hf->n_vectors == hf->last_n_vectors)
2826 vlib_put_frame_queue_elt (hf);
2827 handoff_queue_elt_by_worker_index[i] = 0;
2830 hf->last_n_vectors = hf->n_vectors;
2832 congested_handoff_queue_by_worker_index[i] =
2833 (vlib_frame_queue_t *) (~0);
2836 current_worker_index = ~0;
2837 return frame->n_vectors;
2840 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
2841 .function = snat_out2in_worker_handoff_fn,
2842 .name = "nat44-out2in-worker-handoff",
2843 .vector_size = sizeof (u32),
2844 .format_trace = format_snat_out2in_worker_handoff_trace,
2845 .type = VLIB_NODE_TYPE_INTERNAL,
2854 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
2857 snat_out2in_fast_node_fn (vlib_main_t * vm,
2858 vlib_node_runtime_t * node,
2859 vlib_frame_t * frame)
2861 u32 n_left_from, * from, * to_next;
2862 snat_out2in_next_t next_index;
2863 u32 pkts_processed = 0;
2864 snat_main_t * sm = &snat_main;
2866 from = vlib_frame_vector_args (frame);
2867 n_left_from = frame->n_vectors;
2868 next_index = node->cached_next_index;
2870 while (n_left_from > 0)
2874 vlib_get_next_frame (vm, node, next_index,
2875 to_next, n_left_to_next);
2877 while (n_left_from > 0 && n_left_to_next > 0)
2881 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
2885 u32 new_addr0, old_addr0;
2886 u16 new_port0, old_port0;
2887 udp_header_t * udp0;
2888 tcp_header_t * tcp0;
2889 icmp46_header_t * icmp0;
2890 snat_session_key_t key0, sm0;
2894 /* speculatively enqueue b0 to the current next frame */
2900 n_left_to_next -= 1;
2902 b0 = vlib_get_buffer (vm, bi0);
2904 ip0 = vlib_buffer_get_current (b0);
2905 udp0 = ip4_next_header (ip0);
2906 tcp0 = (tcp_header_t *) udp0;
2907 icmp0 = (icmp46_header_t *) udp0;
2909 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2910 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2912 vnet_feature_next (sw_if_index0, &next0, b0);
2914 if (PREDICT_FALSE(ip0->ttl == 1))
2916 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2917 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2918 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2920 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2924 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2926 if (PREDICT_FALSE (proto0 == ~0))
2929 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2931 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2932 rx_fib_index0, node, next0, ~0, 0, 0);
2936 key0.addr = ip0->dst_address;
2937 key0.port = udp0->dst_port;
2938 key0.fib_index = rx_fib_index0;
2940 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
2942 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2946 new_addr0 = sm0.addr.as_u32;
2947 new_port0 = sm0.port;
2948 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2949 old_addr0 = ip0->dst_address.as_u32;
2950 ip0->dst_address.as_u32 = new_addr0;
2952 sum0 = ip0->checksum;
2953 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2955 dst_address /* changed member */);
2956 ip0->checksum = ip_csum_fold (sum0);
2958 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2960 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2962 old_port0 = tcp0->dst_port;
2963 tcp0->dst_port = new_port0;
2965 sum0 = tcp0->checksum;
2966 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2968 dst_address /* changed member */);
2970 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2971 ip4_header_t /* cheat */,
2972 length /* changed member */);
2973 tcp0->checksum = ip_csum_fold(sum0);
2977 old_port0 = udp0->dst_port;
2978 udp0->dst_port = new_port0;
2984 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2986 sum0 = tcp0->checksum;
2987 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2989 dst_address /* changed member */);
2991 tcp0->checksum = ip_csum_fold(sum0);
2997 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2998 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3000 snat_out2in_trace_t *t =
3001 vlib_add_trace (vm, node, b0, sizeof (*t));
3002 t->sw_if_index = sw_if_index0;
3003 t->next_index = next0;
3006 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3008 /* verify speculative enqueue, maybe switch current next frame */
3009 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3010 to_next, n_left_to_next,
3014 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3017 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
3018 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
3020 return frame->n_vectors;
3023 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
3024 .function = snat_out2in_fast_node_fn,
3025 .name = "nat44-out2in-fast",
3026 .vector_size = sizeof (u32),
3027 .format_trace = format_snat_out2in_fast_trace,
3028 .type = VLIB_NODE_TYPE_INTERNAL,
3030 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3031 .error_strings = snat_out2in_error_strings,
3033 .runtime_data_bytes = sizeof (snat_runtime_t),
3035 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
3037 /* edit / add dispositions here */
3039 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
3040 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
3041 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3042 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
3043 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
3046 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob