2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
28 #include <nat/nat_reass.h>
30 #include <vppinfra/hash.h>
31 #include <vppinfra/error.h>
32 #include <vppinfra/elog.h>
38 } snat_out2in_trace_t;
41 u32 next_worker_index;
43 } snat_out2in_worker_handoff_trace_t;
45 /* packet trace format function */
46 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
48 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
49 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
50 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
52 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
53 t->sw_if_index, t->next_index, t->session_index);
57 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
59 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
60 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
61 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
63 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
64 t->sw_if_index, t->next_index);
68 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
70 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
71 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
72 snat_out2in_worker_handoff_trace_t * t =
73 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
76 m = t->do_handoff ? "next worker" : "same worker";
77 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
86 } nat44_out2in_reass_trace_t;
88 static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args)
90 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
91 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
92 nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *);
94 s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s",
95 t->sw_if_index, t->next_index,
96 t->cached ? "cached" : "translated");
101 vlib_node_registration_t snat_out2in_node;
102 vlib_node_registration_t snat_out2in_fast_node;
103 vlib_node_registration_t snat_out2in_worker_handoff_node;
104 vlib_node_registration_t snat_det_out2in_node;
105 vlib_node_registration_t nat44_out2in_reass_node;
107 #define foreach_snat_out2in_error \
108 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
109 _(OUT2IN_PACKETS, "Good out2in packets processed") \
110 _(OUT_OF_PORTS, "Out of ports") \
111 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
112 _(NO_TRANSLATION, "No translation") \
113 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
114 _(DROP_FRAGMENT, "Drop fragment") \
115 _(MAX_REASS, "Maximum reassemblies exceeded") \
116 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")
119 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
120 foreach_snat_out2in_error
123 } snat_out2in_error_t;
125 static char * snat_out2in_error_strings[] = {
126 #define _(sym,string) string,
127 foreach_snat_out2in_error
132 SNAT_OUT2IN_NEXT_DROP,
133 SNAT_OUT2IN_NEXT_LOOKUP,
134 SNAT_OUT2IN_NEXT_ICMP_ERROR,
135 SNAT_OUT2IN_NEXT_REASS,
136 SNAT_OUT2IN_NEXT_IN2OUT,
138 } snat_out2in_next_t;
141 * @brief Create session for static mapping.
143 * Create NAT session initiated by host from external network with static
146 * @param sm NAT main.
147 * @param b0 Vlib buffer.
148 * @param in2out In2out NAT44 session key.
149 * @param out2in Out2in NAT44 session key.
150 * @param node Vlib node.
152 * @returns SNAT session if successfully created otherwise 0.
154 static inline snat_session_t *
155 create_session_for_static_mapping (snat_main_t *sm,
157 snat_session_key_t in2out,
158 snat_session_key_t out2in,
159 vlib_node_runtime_t * node,
164 clib_bihash_kv_8_8_t kv0;
168 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
170 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
174 ip0 = vlib_buffer_get_current (b0);
175 udp0 = ip4_next_header (ip0);
177 u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
180 clib_warning ("create NAT user failed");
184 s = nat_session_alloc_or_recycle (sm, u, thread_index);
187 clib_warning ("create NAT session failed");
191 s->outside_address_index = ~0;
192 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
193 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
194 s->ext_host_port = udp0->src_port;
195 u->nstaticsessions++;
198 s->in2out.protocol = out2in.protocol;
200 /* Add to translation hashes */
201 kv0.key = s->in2out.as_u64;
202 kv0.value = s - sm->per_thread_data[thread_index].sessions;
203 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
205 clib_warning ("in2out key add failed");
207 kv0.key = s->out2in.as_u64;
209 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
211 clib_warning ("out2in key add failed");
214 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
215 s->out2in.addr.as_u32,
219 s->in2out.fib_index);
224 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
225 snat_session_key_t *p_key0)
227 icmp46_header_t *icmp0;
228 snat_session_key_t key0;
229 icmp_echo_header_t *echo0, *inner_echo0 = 0;
230 ip4_header_t *inner_ip0;
232 icmp46_header_t *inner_icmp0;
234 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
235 echo0 = (icmp_echo_header_t *)(icmp0+1);
237 if (!icmp_is_error_message (icmp0))
239 key0.protocol = SNAT_PROTOCOL_ICMP;
240 key0.addr = ip0->dst_address;
241 key0.port = echo0->identifier;
245 inner_ip0 = (ip4_header_t *)(echo0+1);
246 l4_header = ip4_next_header (inner_ip0);
247 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
248 key0.addr = inner_ip0->src_address;
249 switch (key0.protocol)
251 case SNAT_PROTOCOL_ICMP:
252 inner_icmp0 = (icmp46_header_t*)l4_header;
253 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
254 key0.port = inner_echo0->identifier;
256 case SNAT_PROTOCOL_UDP:
257 case SNAT_PROTOCOL_TCP:
258 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
261 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
265 return -1; /* success */
268 static_always_inline int
269 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
271 icmp46_header_t *icmp0;
272 nat_ed_ses_key_t key0;
273 icmp_echo_header_t *echo0, *inner_echo0 = 0;
274 ip4_header_t *inner_ip0;
276 icmp46_header_t *inner_icmp0;
278 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
279 echo0 = (icmp_echo_header_t *)(icmp0+1);
281 if (!icmp_is_error_message (icmp0))
283 key0.proto = IP_PROTOCOL_ICMP;
284 key0.l_addr = ip0->dst_address;
285 key0.r_addr = ip0->src_address;
286 key0.l_port = key0.r_port = echo0->identifier;
290 inner_ip0 = (ip4_header_t *)(echo0+1);
291 l4_header = ip4_next_header (inner_ip0);
292 key0.proto = inner_ip0->protocol;
293 key0.l_addr = inner_ip0->src_address;
294 key0.r_addr = inner_ip0->dst_address;
295 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
297 case SNAT_PROTOCOL_ICMP:
298 inner_icmp0 = (icmp46_header_t*)l4_header;
299 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
300 key0.l_port = key0.r_port = inner_echo0->identifier;
302 case SNAT_PROTOCOL_UDP:
303 case SNAT_PROTOCOL_TCP:
304 key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port;
305 key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port;
316 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port,
319 snat_session_key_t key;
320 clib_bihash_kv_8_8_t kv, value;
322 key.addr = ip->src_address;
324 key.protocol = proto;
325 key.fib_index = sm->inside_fib_index;
328 if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv,
336 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
338 nat_ed_ses_key_t key;
339 clib_bihash_kv_16_8_t kv;
342 if (ip->protocol == IP_PROTOCOL_ICMP)
344 if (icmp_get_ed_key (ip, &key))
347 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
349 udp = ip4_next_header(ip);
350 key.r_addr = ip->src_address;
351 key.l_addr = ip->dst_address;
352 key.proto = ip->protocol;
353 key.l_port = udp->dst_port;
354 key.r_port = udp->src_port;
358 key.r_addr = ip->src_address;
359 key.l_addr = ip->dst_address;
360 key.proto = ip->protocol;
361 key.l_port = key.r_port = 0;
364 kv.key[0] = key.as_u64[0];
365 kv.key[1] = key.as_u64[1];
368 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
369 clib_warning ("in2out_ed key add failed");
373 * Get address and port values to be used for ICMP packet translation
374 * and create session if needed
376 * @param[in,out] sm NAT main
377 * @param[in,out] node NAT node runtime
378 * @param[in] thread_index thread index
379 * @param[in,out] b0 buffer containing packet to be translated
380 * @param[out] p_proto protocol used for matching
381 * @param[out] p_value address and port after NAT translation
382 * @param[out] p_dont_translate if packet should not be translated
383 * @param d optional parameter
384 * @param e optional parameter
386 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
387 u32 thread_index, vlib_buffer_t *b0,
388 ip4_header_t *ip0, u8 *p_proto,
389 snat_session_key_t *p_value,
390 u8 *p_dont_translate, void *d, void *e)
392 icmp46_header_t *icmp0;
395 snat_session_key_t key0;
396 snat_session_key_t sm0;
397 snat_session_t *s0 = 0;
398 u8 dont_translate = 0;
399 clib_bihash_kv_8_8_t kv0, value0;
404 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
405 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
406 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
410 err = icmp_get_key (ip0, &key0);
413 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
414 next0 = SNAT_OUT2IN_NEXT_DROP;
417 key0.fib_index = rx_fib_index0;
419 kv0.key = key0.as_u64;
421 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
424 /* Try to match static mapping by external address and port,
425 destination address and port in packet */
426 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0))
428 if (!sm->forwarding_enabled)
430 /* Don't NAT packet aimed at the intfc address */
431 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
432 ip0->dst_address.as_u32)))
437 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
438 next0 = SNAT_OUT2IN_NEXT_DROP;
444 if (next_src_nat(sm, ip0, key0.protocol, key0.port, thread_index))
446 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
449 create_bypass_for_fwd(sm, ip0);
454 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
455 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
457 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
458 next0 = SNAT_OUT2IN_NEXT_DROP;
462 /* Create session initiated by host from external network */
463 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
468 next0 = SNAT_OUT2IN_NEXT_DROP;
474 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
475 icmp0->type != ICMP4_echo_request &&
476 !icmp_is_error_message (icmp0)))
478 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
479 next0 = SNAT_OUT2IN_NEXT_DROP;
483 if (PREDICT_FALSE (value0.value == ~0ULL))
485 nat_ed_ses_key_t key;
486 clib_bihash_kv_16_8_t s_kv, s_value;
490 if (icmp_get_ed_key (ip0, &key))
492 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
493 next0 = SNAT_OUT2IN_NEXT_DROP;
496 key.fib_index = rx_fib_index0;
497 s_kv.key[0] = key.as_u64[0];
498 s_kv.key[1] = key.as_u64[1];
499 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
500 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
504 next0 = SNAT_OUT2IN_NEXT_DROP;
509 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
514 *p_proto = key0.protocol;
516 *p_value = s0->in2out;
517 *p_dont_translate = dont_translate;
519 *(snat_session_t**)d = s0;
524 * Get address and port values to be used for ICMP packet translation
526 * @param[in] sm NAT main
527 * @param[in,out] node NAT node runtime
528 * @param[in] thread_index thread index
529 * @param[in,out] b0 buffer containing packet to be translated
530 * @param[out] p_proto protocol used for matching
531 * @param[out] p_value address and port after NAT translation
532 * @param[out] p_dont_translate if packet should not be translated
533 * @param d optional parameter
534 * @param e optional parameter
536 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
537 u32 thread_index, vlib_buffer_t *b0,
538 ip4_header_t *ip0, u8 *p_proto,
539 snat_session_key_t *p_value,
540 u8 *p_dont_translate, void *d, void *e)
542 icmp46_header_t *icmp0;
545 snat_session_key_t key0;
546 snat_session_key_t sm0;
547 u8 dont_translate = 0;
552 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
553 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
554 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
556 err = icmp_get_key (ip0, &key0);
559 b0->error = node->errors[err];
560 next0 = SNAT_OUT2IN_NEXT_DROP;
563 key0.fib_index = rx_fib_index0;
565 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0))
567 /* Don't NAT packet aimed at the intfc address */
568 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
573 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
574 next0 = SNAT_OUT2IN_NEXT_DROP;
578 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
579 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
580 !icmp_is_error_message (icmp0)))
582 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
583 next0 = SNAT_OUT2IN_NEXT_DROP;
590 *p_proto = key0.protocol;
591 *p_dont_translate = dont_translate;
595 static inline u32 icmp_out2in (snat_main_t *sm,
598 icmp46_header_t * icmp0,
601 vlib_node_runtime_t * node,
607 snat_session_key_t sm0;
609 icmp_echo_header_t *echo0, *inner_echo0 = 0;
610 ip4_header_t *inner_ip0 = 0;
612 icmp46_header_t *inner_icmp0;
614 u32 new_addr0, old_addr0;
615 u16 old_id0, new_id0;
620 echo0 = (icmp_echo_header_t *)(icmp0+1);
622 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
623 &protocol, &sm0, &dont_translate, d, e);
626 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
629 sum0 = ip_incremental_checksum (0, icmp0,
630 ntohs(ip0->length) - ip4_header_bytes (ip0));
631 checksum0 = ~ip_csum_fold (sum0);
632 if (checksum0 != 0 && checksum0 != 0xffff)
634 next0 = SNAT_OUT2IN_NEXT_DROP;
638 old_addr0 = ip0->dst_address.as_u32;
639 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
640 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
642 sum0 = ip0->checksum;
643 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
644 dst_address /* changed member */);
645 ip0->checksum = ip_csum_fold (sum0);
647 if (!icmp_is_error_message (icmp0))
650 if (PREDICT_FALSE(new_id0 != echo0->identifier))
652 old_id0 = echo0->identifier;
654 echo0->identifier = new_id0;
656 sum0 = icmp0->checksum;
657 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
658 identifier /* changed member */);
659 icmp0->checksum = ip_csum_fold (sum0);
664 inner_ip0 = (ip4_header_t *)(echo0+1);
665 l4_header = ip4_next_header (inner_ip0);
667 if (!ip4_header_checksum_is_valid (inner_ip0))
669 next0 = SNAT_OUT2IN_NEXT_DROP;
673 old_addr0 = inner_ip0->src_address.as_u32;
674 inner_ip0->src_address = sm0.addr;
675 new_addr0 = inner_ip0->src_address.as_u32;
677 sum0 = icmp0->checksum;
678 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
679 src_address /* changed member */);
680 icmp0->checksum = ip_csum_fold (sum0);
684 case SNAT_PROTOCOL_ICMP:
685 inner_icmp0 = (icmp46_header_t*)l4_header;
686 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
688 old_id0 = inner_echo0->identifier;
690 inner_echo0->identifier = new_id0;
692 sum0 = icmp0->checksum;
693 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
695 icmp0->checksum = ip_csum_fold (sum0);
697 case SNAT_PROTOCOL_UDP:
698 case SNAT_PROTOCOL_TCP:
699 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
701 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
703 sum0 = icmp0->checksum;
704 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
706 icmp0->checksum = ip_csum_fold (sum0);
718 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
721 icmp46_header_t * icmp0,
724 vlib_node_runtime_t * node,
727 snat_session_t ** p_s0)
729 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
730 next0, thread_index, p_s0, 0);
731 snat_session_t * s0 = *p_s0;
732 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
735 s0->last_heard = now;
737 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
738 /* Per-user LRU list maintenance */
739 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
741 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
742 s0->per_user_list_head_index,
748 static snat_session_t *
749 snat_out2in_unknown_proto (snat_main_t *sm,
756 vlib_node_runtime_t * node)
758 clib_bihash_kv_8_8_t kv, value;
759 clib_bihash_kv_16_8_t s_kv, s_value;
760 snat_static_mapping_t *m;
761 snat_session_key_t m_key;
762 u32 old_addr, new_addr;
764 nat_ed_ses_key_t key;
766 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
769 old_addr = ip->dst_address.as_u32;
771 key.l_addr = ip->dst_address;
772 key.r_addr = ip->src_address;
773 key.fib_index = rx_fib_index;
774 key.proto = ip->protocol;
777 s_kv.key[0] = key.as_u64[0];
778 s_kv.key[1] = key.as_u64[1];
780 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
782 s = pool_elt_at_index (tsm->sessions, s_value.value);
783 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
787 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
789 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
793 m_key.addr = ip->dst_address;
796 m_key.fib_index = rx_fib_index;
797 kv.key = m_key.as_u64;
798 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
800 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
804 m = pool_elt_at_index (sm->static_mappings, value.value);
806 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
808 u = nat_user_get_or_create (sm, &ip->src_address, m->fib_index,
812 clib_warning ("create NAT user failed");
816 /* Create a new session */
817 s = nat_session_alloc_or_recycle (sm, u, thread_index);
820 clib_warning ("create NAT session failed");
824 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
825 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
826 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
827 s->outside_address_index = ~0;
828 s->out2in.addr.as_u32 = old_addr;
829 s->out2in.fib_index = rx_fib_index;
830 s->in2out.addr.as_u32 = new_addr;
831 s->in2out.fib_index = m->fib_index;
832 s->in2out.port = s->out2in.port = ip->protocol;
833 u->nstaticsessions++;
835 /* Add to lookup tables */
836 s_kv.value = s - tsm->sessions;
837 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
838 clib_warning ("out2in key add failed");
840 key.l_addr = ip->dst_address;
841 key.fib_index = m->fib_index;
842 s_kv.key[0] = key.as_u64[0];
843 s_kv.key[1] = key.as_u64[1];
844 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
845 clib_warning ("in2out key add failed");
848 /* Update IP checksum */
850 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
851 ip->checksum = ip_csum_fold (sum);
853 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
858 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
859 /* Per-user LRU list maintenance */
860 clib_dlist_remove (tsm->list_pool, s->per_user_index);
861 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
867 static snat_session_t *
868 snat_out2in_lb (snat_main_t *sm,
875 vlib_node_runtime_t * node)
877 nat_ed_ses_key_t key;
878 clib_bihash_kv_16_8_t s_kv, s_value;
879 udp_header_t *udp = ip4_next_header (ip);
880 tcp_header_t *tcp = (tcp_header_t *) udp;
881 snat_session_t *s = 0;
882 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
883 snat_session_key_t e_key, l_key;
884 u32 old_addr, new_addr;
885 u32 proto = ip_proto_to_snat_proto (ip->protocol);
886 u16 new_port, old_port;
890 snat_session_key_t eh_key;
893 old_addr = ip->dst_address.as_u32;
895 key.l_addr = ip->dst_address;
896 key.r_addr = ip->src_address;
897 key.fib_index = rx_fib_index;
898 key.proto = ip->protocol;
899 key.r_port = udp->src_port;
900 key.l_port = udp->dst_port;
901 s_kv.key[0] = key.as_u64[0];
902 s_kv.key[1] = key.as_u64[1];
904 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
906 s = pool_elt_at_index (tsm->sessions, s_value.value);
910 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
912 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
916 e_key.addr = ip->dst_address;
917 e_key.port = udp->dst_port;
918 e_key.protocol = proto;
919 e_key.fib_index = rx_fib_index;
920 if (snat_static_mapping_match(sm, e_key, &l_key, 1, 0, &twice_nat))
923 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index,
927 clib_warning ("create NAT user failed");
931 s = nat_session_alloc_or_recycle (sm, u, thread_index);
934 clib_warning ("create NAT session failed");
938 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
939 s->ext_host_port = udp->src_port;
940 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
941 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
942 s->outside_address_index = ~0;
945 u->nstaticsessions++;
947 /* Add to lookup tables */
948 s_kv.value = s - tsm->sessions;
949 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
950 clib_warning ("out2in-ed key add failed");
954 eh_key.protocol = proto;
955 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
956 thread_index, &eh_key,
959 sm->per_thread_data[thread_index].snat_thread_index))
961 b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS];
964 key.r_addr.as_u32 = s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
965 key.r_port = s->ext_host_nat_port = eh_key.port;
966 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
968 key.l_addr = l_key.addr;
969 key.fib_index = l_key.fib_index;
970 key.l_port = l_key.port;
971 s_kv.key[0] = key.as_u64[0];
972 s_kv.key[1] = key.as_u64[1];
973 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
974 clib_warning ("in2out-ed key add failed");
977 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
979 /* Update IP checksum */
981 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
982 if (is_twice_nat_session (s))
983 sum = ip_csum_update (sum, ip->src_address.as_u32,
984 s->ext_host_nat_addr.as_u32, ip4_header_t,
986 ip->checksum = ip_csum_fold (sum);
988 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
990 old_port = tcp->dst_port;
991 tcp->dst_port = s->in2out.port;
992 new_port = tcp->dst_port;
995 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
996 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
997 if (is_twice_nat_session (s))
999 sum = ip_csum_update (sum, ip->src_address.as_u32,
1000 s->ext_host_nat_addr.as_u32, ip4_header_t,
1002 sum = ip_csum_update (sum, tcp->src_port, s->ext_host_nat_port,
1003 ip4_header_t, length);
1004 tcp->src_port = s->ext_host_nat_port;
1005 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1007 tcp->checksum = ip_csum_fold(sum);
1011 udp->dst_port = s->in2out.port;
1012 if (is_twice_nat_session (s))
1014 udp->src_port = s->ext_host_nat_port;
1015 ip->src_address.as_u32 = s->ext_host_nat_addr.as_u32;
1020 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
1023 s->last_heard = now;
1025 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
1026 /* Per-user LRU list maintenance */
1027 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1028 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
1035 snat_out2in_node_fn (vlib_main_t * vm,
1036 vlib_node_runtime_t * node,
1037 vlib_frame_t * frame)
1039 u32 n_left_from, * from, * to_next;
1040 snat_out2in_next_t next_index;
1041 u32 pkts_processed = 0;
1042 snat_main_t * sm = &snat_main;
1043 f64 now = vlib_time_now (vm);
1044 u32 thread_index = vlib_get_thread_index ();
1046 from = vlib_frame_vector_args (frame);
1047 n_left_from = frame->n_vectors;
1048 next_index = node->cached_next_index;
1050 while (n_left_from > 0)
1054 vlib_get_next_frame (vm, node, next_index,
1055 to_next, n_left_to_next);
1057 while (n_left_from >= 4 && n_left_to_next >= 2)
1060 vlib_buffer_t * b0, * b1;
1061 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1062 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1063 u32 sw_if_index0, sw_if_index1;
1064 ip4_header_t * ip0, *ip1;
1065 ip_csum_t sum0, sum1;
1066 u32 new_addr0, old_addr0;
1067 u16 new_port0, old_port0;
1068 u32 new_addr1, old_addr1;
1069 u16 new_port1, old_port1;
1070 udp_header_t * udp0, * udp1;
1071 tcp_header_t * tcp0, * tcp1;
1072 icmp46_header_t * icmp0, * icmp1;
1073 snat_session_key_t key0, key1, sm0, sm1;
1074 u32 rx_fib_index0, rx_fib_index1;
1076 snat_session_t * s0 = 0, * s1 = 0;
1077 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
1079 /* Prefetch next iteration. */
1081 vlib_buffer_t * p2, * p3;
1083 p2 = vlib_get_buffer (vm, from[2]);
1084 p3 = vlib_get_buffer (vm, from[3]);
1086 vlib_prefetch_buffer_header (p2, LOAD);
1087 vlib_prefetch_buffer_header (p3, LOAD);
1089 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1090 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1093 /* speculatively enqueue b0 and b1 to the current next frame */
1094 to_next[0] = bi0 = from[0];
1095 to_next[1] = bi1 = from[1];
1099 n_left_to_next -= 2;
1101 b0 = vlib_get_buffer (vm, bi0);
1102 b1 = vlib_get_buffer (vm, bi1);
1104 vnet_buffer (b0)->snat.flags = 0;
1105 vnet_buffer (b1)->snat.flags = 0;
1107 ip0 = vlib_buffer_get_current (b0);
1108 udp0 = ip4_next_header (ip0);
1109 tcp0 = (tcp_header_t *) udp0;
1110 icmp0 = (icmp46_header_t *) udp0;
1112 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1113 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1116 if (PREDICT_FALSE(ip0->ttl == 1))
1118 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1119 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1120 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1122 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1126 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1128 if (PREDICT_FALSE (proto0 == ~0))
1130 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1131 thread_index, now, vm, node);
1132 if (!sm->forwarding_enabled)
1134 next0 = SNAT_OUT2IN_NEXT_DROP;
1138 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1140 next0 = icmp_out2in_slow_path
1141 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1142 next0, now, thread_index, &s0);
1146 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1148 next0 = SNAT_OUT2IN_NEXT_REASS;
1152 key0.addr = ip0->dst_address;
1153 key0.port = udp0->dst_port;
1154 key0.protocol = proto0;
1155 key0.fib_index = rx_fib_index0;
1157 kv0.key = key0.as_u64;
1159 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1162 /* Try to match static mapping by external address and port,
1163 destination address and port in packet */
1164 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
1166 if (!sm->forwarding_enabled)
1168 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1170 * Send DHCP packets to the ipv4 stack, or we won't
1171 * be able to use dhcp client on the outside interface
1173 if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
1175 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1176 next0 = SNAT_OUT2IN_NEXT_DROP;
1179 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1185 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1187 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1190 create_bypass_for_fwd(sm, ip0);
1195 /* Create session initiated by host from external network */
1196 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1200 next0 = SNAT_OUT2IN_NEXT_DROP;
1206 if (PREDICT_FALSE (value0.value == ~0ULL))
1208 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1211 next0 = SNAT_OUT2IN_NEXT_DROP;
1216 s0 = pool_elt_at_index (
1217 sm->per_thread_data[thread_index].sessions,
1222 old_addr0 = ip0->dst_address.as_u32;
1223 ip0->dst_address = s0->in2out.addr;
1224 new_addr0 = ip0->dst_address.as_u32;
1225 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1227 sum0 = ip0->checksum;
1228 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1230 dst_address /* changed member */);
1231 ip0->checksum = ip_csum_fold (sum0);
1233 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1235 old_port0 = tcp0->dst_port;
1236 tcp0->dst_port = s0->in2out.port;
1237 new_port0 = tcp0->dst_port;
1239 sum0 = tcp0->checksum;
1240 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1242 dst_address /* changed member */);
1244 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1245 ip4_header_t /* cheat */,
1246 length /* changed member */);
1247 tcp0->checksum = ip_csum_fold(sum0);
1251 old_port0 = udp0->dst_port;
1252 udp0->dst_port = s0->in2out.port;
1257 s0->last_heard = now;
1259 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1260 /* Per-user LRU list maintenance */
1261 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1262 s0->per_user_index);
1263 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1264 s0->per_user_list_head_index,
1265 s0->per_user_index);
1268 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1269 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1271 snat_out2in_trace_t *t =
1272 vlib_add_trace (vm, node, b0, sizeof (*t));
1273 t->sw_if_index = sw_if_index0;
1274 t->next_index = next0;
1275 t->session_index = ~0;
1277 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1280 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1283 ip1 = vlib_buffer_get_current (b1);
1284 udp1 = ip4_next_header (ip1);
1285 tcp1 = (tcp_header_t *) udp1;
1286 icmp1 = (icmp46_header_t *) udp1;
1288 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1289 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1292 if (PREDICT_FALSE(ip1->ttl == 1))
1294 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1295 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1296 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1298 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1302 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1304 if (PREDICT_FALSE (proto1 == ~0))
1306 s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
1307 thread_index, now, vm, node);
1308 if (!sm->forwarding_enabled)
1310 next1 = SNAT_OUT2IN_NEXT_DROP;
1314 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1316 next1 = icmp_out2in_slow_path
1317 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1318 next1, now, thread_index, &s1);
1322 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
1324 next1 = SNAT_OUT2IN_NEXT_REASS;
1328 key1.addr = ip1->dst_address;
1329 key1.port = udp1->dst_port;
1330 key1.protocol = proto1;
1331 key1.fib_index = rx_fib_index1;
1333 kv1.key = key1.as_u64;
1335 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1338 /* Try to match static mapping by external address and port,
1339 destination address and port in packet */
1340 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0))
1342 if (!sm->forwarding_enabled)
1344 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1346 * Send DHCP packets to the ipv4 stack, or we won't
1347 * be able to use dhcp client on the outside interface
1349 if (PREDICT_TRUE (proto1 != SNAT_PROTOCOL_UDP
1351 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1352 next1 = SNAT_OUT2IN_NEXT_DROP;
1355 (vnet_buffer (b1)->sw_if_index[VLIB_RX],
1361 if (next_src_nat(sm, ip1, proto1, udp1->src_port, thread_index))
1363 next1 = SNAT_OUT2IN_NEXT_IN2OUT;
1366 create_bypass_for_fwd(sm, ip1);
1371 /* Create session initiated by host from external network */
1372 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
1376 next1 = SNAT_OUT2IN_NEXT_DROP;
1382 if (PREDICT_FALSE (value1.value == ~0ULL))
1384 s1 = snat_out2in_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1387 next1 = SNAT_OUT2IN_NEXT_DROP;
1392 s1 = pool_elt_at_index (
1393 sm->per_thread_data[thread_index].sessions,
1398 old_addr1 = ip1->dst_address.as_u32;
1399 ip1->dst_address = s1->in2out.addr;
1400 new_addr1 = ip1->dst_address.as_u32;
1401 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1403 sum1 = ip1->checksum;
1404 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1406 dst_address /* changed member */);
1407 ip1->checksum = ip_csum_fold (sum1);
1409 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1411 old_port1 = tcp1->dst_port;
1412 tcp1->dst_port = s1->in2out.port;
1413 new_port1 = tcp1->dst_port;
1415 sum1 = tcp1->checksum;
1416 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1418 dst_address /* changed member */);
1420 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1421 ip4_header_t /* cheat */,
1422 length /* changed member */);
1423 tcp1->checksum = ip_csum_fold(sum1);
1427 old_port1 = udp1->dst_port;
1428 udp1->dst_port = s1->in2out.port;
1433 s1->last_heard = now;
1435 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1436 /* Per-user LRU list maintenance */
1437 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1438 s1->per_user_index);
1439 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1440 s1->per_user_list_head_index,
1441 s1->per_user_index);
1444 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1445 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1447 snat_out2in_trace_t *t =
1448 vlib_add_trace (vm, node, b1, sizeof (*t));
1449 t->sw_if_index = sw_if_index1;
1450 t->next_index = next1;
1451 t->session_index = ~0;
1453 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1456 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1458 /* verify speculative enqueues, maybe switch current next frame */
1459 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1460 to_next, n_left_to_next,
1461 bi0, bi1, next0, next1);
1464 while (n_left_from > 0 && n_left_to_next > 0)
1468 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1472 u32 new_addr0, old_addr0;
1473 u16 new_port0, old_port0;
1474 udp_header_t * udp0;
1475 tcp_header_t * tcp0;
1476 icmp46_header_t * icmp0;
1477 snat_session_key_t key0, sm0;
1480 snat_session_t * s0 = 0;
1481 clib_bihash_kv_8_8_t kv0, value0;
1483 /* speculatively enqueue b0 to the current next frame */
1489 n_left_to_next -= 1;
1491 b0 = vlib_get_buffer (vm, bi0);
1493 vnet_buffer (b0)->snat.flags = 0;
1495 ip0 = vlib_buffer_get_current (b0);
1496 udp0 = ip4_next_header (ip0);
1497 tcp0 = (tcp_header_t *) udp0;
1498 icmp0 = (icmp46_header_t *) udp0;
1500 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1501 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1504 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1506 if (PREDICT_FALSE (proto0 == ~0))
1508 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1509 thread_index, now, vm, node);
1510 if (!sm->forwarding_enabled)
1512 next0 = SNAT_OUT2IN_NEXT_DROP;
1516 if (PREDICT_FALSE(ip0->ttl == 1))
1518 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1519 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1520 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1522 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1526 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1528 next0 = icmp_out2in_slow_path
1529 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1530 next0, now, thread_index, &s0);
1534 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1536 next0 = SNAT_OUT2IN_NEXT_REASS;
1540 key0.addr = ip0->dst_address;
1541 key0.port = udp0->dst_port;
1542 key0.protocol = proto0;
1543 key0.fib_index = rx_fib_index0;
1545 kv0.key = key0.as_u64;
1547 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1550 /* Try to match static mapping by external address and port,
1551 destination address and port in packet */
1552 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
1554 if (!sm->forwarding_enabled)
1556 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1558 * Send DHCP packets to the ipv4 stack, or we won't
1559 * be able to use dhcp client on the outside interface
1561 if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
1563 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1564 next0 = SNAT_OUT2IN_NEXT_DROP;
1567 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1573 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1575 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1578 create_bypass_for_fwd(sm, ip0);
1583 /* Create session initiated by host from external network */
1584 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1588 next0 = SNAT_OUT2IN_NEXT_DROP;
1594 if (PREDICT_FALSE (value0.value == ~0ULL))
1596 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1599 next0 = SNAT_OUT2IN_NEXT_DROP;
1604 s0 = pool_elt_at_index (
1605 sm->per_thread_data[thread_index].sessions,
1610 old_addr0 = ip0->dst_address.as_u32;
1611 ip0->dst_address = s0->in2out.addr;
1612 new_addr0 = ip0->dst_address.as_u32;
1613 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1615 sum0 = ip0->checksum;
1616 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1618 dst_address /* changed member */);
1619 ip0->checksum = ip_csum_fold (sum0);
1621 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1623 old_port0 = tcp0->dst_port;
1624 tcp0->dst_port = s0->in2out.port;
1625 new_port0 = tcp0->dst_port;
1627 sum0 = tcp0->checksum;
1628 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1630 dst_address /* changed member */);
1632 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1633 ip4_header_t /* cheat */,
1634 length /* changed member */);
1635 tcp0->checksum = ip_csum_fold(sum0);
1639 old_port0 = udp0->dst_port;
1640 udp0->dst_port = s0->in2out.port;
1645 s0->last_heard = now;
1647 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1648 /* Per-user LRU list maintenance */
1649 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1650 s0->per_user_index);
1651 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1652 s0->per_user_list_head_index,
1653 s0->per_user_index);
1656 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1657 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1659 snat_out2in_trace_t *t =
1660 vlib_add_trace (vm, node, b0, sizeof (*t));
1661 t->sw_if_index = sw_if_index0;
1662 t->next_index = next0;
1663 t->session_index = ~0;
1665 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1668 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1670 /* verify speculative enqueue, maybe switch current next frame */
1671 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1672 to_next, n_left_to_next,
1676 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1679 vlib_node_increment_counter (vm, snat_out2in_node.index,
1680 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1682 return frame->n_vectors;
1685 VLIB_REGISTER_NODE (snat_out2in_node) = {
1686 .function = snat_out2in_node_fn,
1687 .name = "nat44-out2in",
1688 .vector_size = sizeof (u32),
1689 .format_trace = format_snat_out2in_trace,
1690 .type = VLIB_NODE_TYPE_INTERNAL,
1692 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1693 .error_strings = snat_out2in_error_strings,
1695 .runtime_data_bytes = sizeof (snat_runtime_t),
1697 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1699 /* edit / add dispositions here */
1701 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1702 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1703 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1704 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1705 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
1708 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1711 nat44_out2in_reass_node_fn (vlib_main_t * vm,
1712 vlib_node_runtime_t * node,
1713 vlib_frame_t * frame)
1715 u32 n_left_from, *from, *to_next;
1716 snat_out2in_next_t next_index;
1717 u32 pkts_processed = 0;
1718 snat_main_t *sm = &snat_main;
1719 f64 now = vlib_time_now (vm);
1720 u32 thread_index = vlib_get_thread_index ();
1721 snat_main_per_thread_data_t *per_thread_data =
1722 &sm->per_thread_data[thread_index];
1723 u32 *fragments_to_drop = 0;
1724 u32 *fragments_to_loopback = 0;
1726 from = vlib_frame_vector_args (frame);
1727 n_left_from = frame->n_vectors;
1728 next_index = node->cached_next_index;
1730 while (n_left_from > 0)
1734 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1736 while (n_left_from > 0 && n_left_to_next > 0)
1738 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1743 nat_reass_ip4_t *reass0;
1744 udp_header_t * udp0;
1745 tcp_header_t * tcp0;
1746 snat_session_key_t key0, sm0;
1747 clib_bihash_kv_8_8_t kv0, value0;
1748 snat_session_t * s0 = 0;
1749 u16 old_port0, new_port0;
1752 /* speculatively enqueue b0 to the current next frame */
1758 n_left_to_next -= 1;
1760 b0 = vlib_get_buffer (vm, bi0);
1761 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1763 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1764 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1767 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
1769 next0 = SNAT_OUT2IN_NEXT_DROP;
1770 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1774 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1775 udp0 = ip4_next_header (ip0);
1776 tcp0 = (tcp_header_t *) udp0;
1777 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1779 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1784 &fragments_to_drop);
1786 if (PREDICT_FALSE (!reass0))
1788 next0 = SNAT_OUT2IN_NEXT_DROP;
1789 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1793 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1795 key0.addr = ip0->dst_address;
1796 key0.port = udp0->dst_port;
1797 key0.protocol = proto0;
1798 key0.fib_index = rx_fib_index0;
1799 kv0.key = key0.as_u64;
1801 if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0))
1803 /* Try to match static mapping by external address and port,
1804 destination address and port in packet */
1805 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
1807 if (!sm->forwarding_enabled)
1809 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1811 * Send DHCP packets to the ipv4 stack, or we won't
1812 * be able to use dhcp client on the outside interface
1814 if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_UDP
1816 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1817 next0 = SNAT_OUT2IN_NEXT_DROP;
1820 (vnet_buffer (b0)->sw_if_index[VLIB_RX],
1826 if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
1828 next0 = SNAT_OUT2IN_NEXT_IN2OUT;
1831 create_bypass_for_fwd(sm, ip0);
1836 /* Create session initiated by host from external network */
1837 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1841 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1842 next0 = SNAT_OUT2IN_NEXT_DROP;
1845 reass0->sess_index = s0 - per_thread_data->sessions;
1846 reass0->thread_index = thread_index;
1850 s0 = pool_elt_at_index (per_thread_data->sessions,
1852 reass0->sess_index = value0.value;
1854 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1858 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
1860 if (nat_ip4_reass_add_fragment (reass0, bi0))
1862 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1863 next0 = SNAT_OUT2IN_NEXT_DROP;
1869 s0 = pool_elt_at_index (per_thread_data->sessions,
1870 reass0->sess_index);
1873 old_addr0 = ip0->dst_address.as_u32;
1874 ip0->dst_address = s0->in2out.addr;
1875 new_addr0 = ip0->dst_address.as_u32;
1876 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1878 sum0 = ip0->checksum;
1879 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1881 dst_address /* changed member */);
1882 ip0->checksum = ip_csum_fold (sum0);
1884 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1886 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1888 old_port0 = tcp0->dst_port;
1889 tcp0->dst_port = s0->in2out.port;
1890 new_port0 = tcp0->dst_port;
1892 sum0 = tcp0->checksum;
1893 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1895 dst_address /* changed member */);
1897 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1898 ip4_header_t /* cheat */,
1899 length /* changed member */);
1900 tcp0->checksum = ip_csum_fold(sum0);
1904 old_port0 = udp0->dst_port;
1905 udp0->dst_port = s0->in2out.port;
1911 s0->last_heard = now;
1913 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1914 /* Per-user LRU list maintenance */
1915 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1916 s0->per_user_index);
1917 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1918 s0->per_user_list_head_index,
1919 s0->per_user_index);
1922 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1923 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1925 nat44_out2in_reass_trace_t *t =
1926 vlib_add_trace (vm, node, b0, sizeof (*t));
1927 t->cached = cached0;
1928 t->sw_if_index = sw_if_index0;
1929 t->next_index = next0;
1939 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1941 /* verify speculative enqueue, maybe switch current next frame */
1942 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1943 to_next, n_left_to_next,
1947 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1949 from = vlib_frame_vector_args (frame);
1950 u32 len = vec_len (fragments_to_loopback);
1951 if (len <= VLIB_FRAME_SIZE)
1953 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
1955 vec_reset_length (fragments_to_loopback);
1960 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
1961 sizeof (u32) * VLIB_FRAME_SIZE);
1962 n_left_from = VLIB_FRAME_SIZE;
1963 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1968 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1971 vlib_node_increment_counter (vm, nat44_out2in_reass_node.index,
1972 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1975 nat_send_all_to_node (vm, fragments_to_drop, node,
1976 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
1977 SNAT_OUT2IN_NEXT_DROP);
1979 vec_free (fragments_to_drop);
1980 vec_free (fragments_to_loopback);
1981 return frame->n_vectors;
1984 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
1985 .function = nat44_out2in_reass_node_fn,
1986 .name = "nat44-out2in-reass",
1987 .vector_size = sizeof (u32),
1988 .format_trace = format_nat44_out2in_reass_trace,
1989 .type = VLIB_NODE_TYPE_INTERNAL,
1991 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1992 .error_strings = snat_out2in_error_strings,
1994 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1996 /* edit / add dispositions here */
1998 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1999 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2000 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2001 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2002 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2005 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
2006 nat44_out2in_reass_node_fn);
2008 /**************************/
2009 /*** deterministic mode ***/
2010 /**************************/
2012 snat_det_out2in_node_fn (vlib_main_t * vm,
2013 vlib_node_runtime_t * node,
2014 vlib_frame_t * frame)
2016 u32 n_left_from, * from, * to_next;
2017 snat_out2in_next_t next_index;
2018 u32 pkts_processed = 0;
2019 snat_main_t * sm = &snat_main;
2020 u32 thread_index = vlib_get_thread_index ();
2022 from = vlib_frame_vector_args (frame);
2023 n_left_from = frame->n_vectors;
2024 next_index = node->cached_next_index;
2026 while (n_left_from > 0)
2030 vlib_get_next_frame (vm, node, next_index,
2031 to_next, n_left_to_next);
2033 while (n_left_from >= 4 && n_left_to_next >= 2)
2036 vlib_buffer_t * b0, * b1;
2037 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2038 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
2039 u32 sw_if_index0, sw_if_index1;
2040 ip4_header_t * ip0, * ip1;
2041 ip_csum_t sum0, sum1;
2042 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2043 u16 new_port0, old_port0, old_port1, new_port1;
2044 udp_header_t * udp0, * udp1;
2045 tcp_header_t * tcp0, * tcp1;
2047 snat_det_out_key_t key0, key1;
2048 snat_det_map_t * dm0, * dm1;
2049 snat_det_session_t * ses0 = 0, * ses1 = 0;
2050 u32 rx_fib_index0, rx_fib_index1;
2051 icmp46_header_t * icmp0, * icmp1;
2053 /* Prefetch next iteration. */
2055 vlib_buffer_t * p2, * p3;
2057 p2 = vlib_get_buffer (vm, from[2]);
2058 p3 = vlib_get_buffer (vm, from[3]);
2060 vlib_prefetch_buffer_header (p2, LOAD);
2061 vlib_prefetch_buffer_header (p3, LOAD);
2063 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2064 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2067 /* speculatively enqueue b0 and b1 to the current next frame */
2068 to_next[0] = bi0 = from[0];
2069 to_next[1] = bi1 = from[1];
2073 n_left_to_next -= 2;
2075 b0 = vlib_get_buffer (vm, bi0);
2076 b1 = vlib_get_buffer (vm, bi1);
2078 ip0 = vlib_buffer_get_current (b0);
2079 udp0 = ip4_next_header (ip0);
2080 tcp0 = (tcp_header_t *) udp0;
2082 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2084 if (PREDICT_FALSE(ip0->ttl == 1))
2086 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2087 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2088 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2090 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2094 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2096 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2098 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2099 icmp0 = (icmp46_header_t *) udp0;
2101 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2102 rx_fib_index0, node, next0, thread_index,
2107 key0.ext_host_addr = ip0->src_address;
2108 key0.ext_host_port = tcp0->src;
2109 key0.out_port = tcp0->dst;
2111 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2112 if (PREDICT_FALSE(!dm0))
2114 clib_warning("unknown dst address: %U",
2115 format_ip4_address, &ip0->dst_address);
2116 next0 = SNAT_OUT2IN_NEXT_DROP;
2117 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2121 snat_det_reverse(dm0, &ip0->dst_address,
2122 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2124 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2125 if (PREDICT_FALSE(!ses0))
2127 clib_warning("no match src %U:%d dst %U:%d for user %U",
2128 format_ip4_address, &ip0->src_address,
2129 clib_net_to_host_u16 (tcp0->src),
2130 format_ip4_address, &ip0->dst_address,
2131 clib_net_to_host_u16 (tcp0->dst),
2132 format_ip4_address, &new_addr0);
2133 next0 = SNAT_OUT2IN_NEXT_DROP;
2134 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2137 new_port0 = ses0->in_port;
2139 old_addr0 = ip0->dst_address;
2140 ip0->dst_address = new_addr0;
2141 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2143 sum0 = ip0->checksum;
2144 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2146 dst_address /* changed member */);
2147 ip0->checksum = ip_csum_fold (sum0);
2149 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2151 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2152 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2153 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2154 snat_det_ses_close(dm0, ses0);
2156 old_port0 = tcp0->dst;
2157 tcp0->dst = new_port0;
2159 sum0 = tcp0->checksum;
2160 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2162 dst_address /* changed member */);
2164 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2165 ip4_header_t /* cheat */,
2166 length /* changed member */);
2167 tcp0->checksum = ip_csum_fold(sum0);
2171 old_port0 = udp0->dst_port;
2172 udp0->dst_port = new_port0;
2178 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2179 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2181 snat_out2in_trace_t *t =
2182 vlib_add_trace (vm, node, b0, sizeof (*t));
2183 t->sw_if_index = sw_if_index0;
2184 t->next_index = next0;
2185 t->session_index = ~0;
2187 t->session_index = ses0 - dm0->sessions;
2190 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2192 b1 = vlib_get_buffer (vm, bi1);
2194 ip1 = vlib_buffer_get_current (b1);
2195 udp1 = ip4_next_header (ip1);
2196 tcp1 = (tcp_header_t *) udp1;
2198 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2200 if (PREDICT_FALSE(ip1->ttl == 1))
2202 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2203 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2204 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2206 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2210 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2212 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
2214 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
2215 icmp1 = (icmp46_header_t *) udp1;
2217 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
2218 rx_fib_index1, node, next1, thread_index,
2223 key1.ext_host_addr = ip1->src_address;
2224 key1.ext_host_port = tcp1->src;
2225 key1.out_port = tcp1->dst;
2227 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
2228 if (PREDICT_FALSE(!dm1))
2230 clib_warning("unknown dst address: %U",
2231 format_ip4_address, &ip1->dst_address);
2232 next1 = SNAT_OUT2IN_NEXT_DROP;
2233 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2237 snat_det_reverse(dm1, &ip1->dst_address,
2238 clib_net_to_host_u16(tcp1->dst), &new_addr1);
2240 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
2241 if (PREDICT_FALSE(!ses1))
2243 clib_warning("no match src %U:%d dst %U:%d for user %U",
2244 format_ip4_address, &ip1->src_address,
2245 clib_net_to_host_u16 (tcp1->src),
2246 format_ip4_address, &ip1->dst_address,
2247 clib_net_to_host_u16 (tcp1->dst),
2248 format_ip4_address, &new_addr1);
2249 next1 = SNAT_OUT2IN_NEXT_DROP;
2250 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2253 new_port1 = ses1->in_port;
2255 old_addr1 = ip1->dst_address;
2256 ip1->dst_address = new_addr1;
2257 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2259 sum1 = ip1->checksum;
2260 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2262 dst_address /* changed member */);
2263 ip1->checksum = ip_csum_fold (sum1);
2265 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
2267 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
2268 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2269 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
2270 snat_det_ses_close(dm1, ses1);
2272 old_port1 = tcp1->dst;
2273 tcp1->dst = new_port1;
2275 sum1 = tcp1->checksum;
2276 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
2278 dst_address /* changed member */);
2280 sum1 = ip_csum_update (sum1, old_port1, new_port1,
2281 ip4_header_t /* cheat */,
2282 length /* changed member */);
2283 tcp1->checksum = ip_csum_fold(sum1);
2287 old_port1 = udp1->dst_port;
2288 udp1->dst_port = new_port1;
2294 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2295 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2297 snat_out2in_trace_t *t =
2298 vlib_add_trace (vm, node, b1, sizeof (*t));
2299 t->sw_if_index = sw_if_index1;
2300 t->next_index = next1;
2301 t->session_index = ~0;
2303 t->session_index = ses1 - dm1->sessions;
2306 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
2308 /* verify speculative enqueues, maybe switch current next frame */
2309 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2310 to_next, n_left_to_next,
2311 bi0, bi1, next0, next1);
2314 while (n_left_from > 0 && n_left_to_next > 0)
2318 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2322 ip4_address_t new_addr0, old_addr0;
2323 u16 new_port0, old_port0;
2324 udp_header_t * udp0;
2325 tcp_header_t * tcp0;
2327 snat_det_out_key_t key0;
2328 snat_det_map_t * dm0;
2329 snat_det_session_t * ses0 = 0;
2331 icmp46_header_t * icmp0;
2333 /* speculatively enqueue b0 to the current next frame */
2339 n_left_to_next -= 1;
2341 b0 = vlib_get_buffer (vm, bi0);
2343 ip0 = vlib_buffer_get_current (b0);
2344 udp0 = ip4_next_header (ip0);
2345 tcp0 = (tcp_header_t *) udp0;
2347 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2349 if (PREDICT_FALSE(ip0->ttl == 1))
2351 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2352 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2353 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2355 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2359 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2361 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2363 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2364 icmp0 = (icmp46_header_t *) udp0;
2366 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2367 rx_fib_index0, node, next0, thread_index,
2372 key0.ext_host_addr = ip0->src_address;
2373 key0.ext_host_port = tcp0->src;
2374 key0.out_port = tcp0->dst;
2376 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2377 if (PREDICT_FALSE(!dm0))
2379 clib_warning("unknown dst address: %U",
2380 format_ip4_address, &ip0->dst_address);
2381 next0 = SNAT_OUT2IN_NEXT_DROP;
2382 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2386 snat_det_reverse(dm0, &ip0->dst_address,
2387 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2389 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2390 if (PREDICT_FALSE(!ses0))
2392 clib_warning("no match src %U:%d dst %U:%d for user %U",
2393 format_ip4_address, &ip0->src_address,
2394 clib_net_to_host_u16 (tcp0->src),
2395 format_ip4_address, &ip0->dst_address,
2396 clib_net_to_host_u16 (tcp0->dst),
2397 format_ip4_address, &new_addr0);
2398 next0 = SNAT_OUT2IN_NEXT_DROP;
2399 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2402 new_port0 = ses0->in_port;
2404 old_addr0 = ip0->dst_address;
2405 ip0->dst_address = new_addr0;
2406 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2408 sum0 = ip0->checksum;
2409 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2411 dst_address /* changed member */);
2412 ip0->checksum = ip_csum_fold (sum0);
2414 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2416 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2417 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2418 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2419 snat_det_ses_close(dm0, ses0);
2421 old_port0 = tcp0->dst;
2422 tcp0->dst = new_port0;
2424 sum0 = tcp0->checksum;
2425 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2427 dst_address /* changed member */);
2429 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2430 ip4_header_t /* cheat */,
2431 length /* changed member */);
2432 tcp0->checksum = ip_csum_fold(sum0);
2436 old_port0 = udp0->dst_port;
2437 udp0->dst_port = new_port0;
2443 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2444 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2446 snat_out2in_trace_t *t =
2447 vlib_add_trace (vm, node, b0, sizeof (*t));
2448 t->sw_if_index = sw_if_index0;
2449 t->next_index = next0;
2450 t->session_index = ~0;
2452 t->session_index = ses0 - dm0->sessions;
2455 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2457 /* verify speculative enqueue, maybe switch current next frame */
2458 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2459 to_next, n_left_to_next,
2463 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2466 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
2467 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2469 return frame->n_vectors;
2472 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
2473 .function = snat_det_out2in_node_fn,
2474 .name = "nat44-det-out2in",
2475 .vector_size = sizeof (u32),
2476 .format_trace = format_snat_out2in_trace,
2477 .type = VLIB_NODE_TYPE_INTERNAL,
2479 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2480 .error_strings = snat_out2in_error_strings,
2482 .runtime_data_bytes = sizeof (snat_runtime_t),
2484 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2486 /* edit / add dispositions here */
2488 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2489 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2490 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2491 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2492 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2495 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
2498 * Get address and port values to be used for ICMP packet translation
2499 * and create session if needed
2501 * @param[in,out] sm NAT main
2502 * @param[in,out] node NAT node runtime
2503 * @param[in] thread_index thread index
2504 * @param[in,out] b0 buffer containing packet to be translated
2505 * @param[out] p_proto protocol used for matching
2506 * @param[out] p_value address and port after NAT translation
2507 * @param[out] p_dont_translate if packet should not be translated
2508 * @param d optional parameter
2509 * @param e optional parameter
2511 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
2512 u32 thread_index, vlib_buffer_t *b0,
2513 ip4_header_t *ip0, u8 *p_proto,
2514 snat_session_key_t *p_value,
2515 u8 *p_dont_translate, void *d, void *e)
2517 icmp46_header_t *icmp0;
2520 snat_det_out_key_t key0;
2521 u8 dont_translate = 0;
2523 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2524 ip4_header_t *inner_ip0;
2525 void *l4_header = 0;
2526 icmp46_header_t *inner_icmp0;
2527 snat_det_map_t * dm0 = 0;
2528 ip4_address_t new_addr0 = {{0}};
2529 snat_det_session_t * ses0 = 0;
2530 ip4_address_t out_addr;
2532 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2533 echo0 = (icmp_echo_header_t *)(icmp0+1);
2534 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2536 if (!icmp_is_error_message (icmp0))
2538 protocol = SNAT_PROTOCOL_ICMP;
2539 key0.ext_host_addr = ip0->src_address;
2540 key0.ext_host_port = 0;
2541 key0.out_port = echo0->identifier;
2542 out_addr = ip0->dst_address;
2546 inner_ip0 = (ip4_header_t *)(echo0+1);
2547 l4_header = ip4_next_header (inner_ip0);
2548 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2549 key0.ext_host_addr = inner_ip0->dst_address;
2550 out_addr = inner_ip0->src_address;
2553 case SNAT_PROTOCOL_ICMP:
2554 inner_icmp0 = (icmp46_header_t*)l4_header;
2555 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2556 key0.ext_host_port = 0;
2557 key0.out_port = inner_echo0->identifier;
2559 case SNAT_PROTOCOL_UDP:
2560 case SNAT_PROTOCOL_TCP:
2561 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2562 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
2565 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
2566 next0 = SNAT_OUT2IN_NEXT_DROP;
2571 dm0 = snat_det_map_by_out(sm, &out_addr);
2572 if (PREDICT_FALSE(!dm0))
2574 /* Don't NAT packet aimed at the intfc address */
2575 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2576 ip0->dst_address.as_u32)))
2581 clib_warning("unknown dst address: %U",
2582 format_ip4_address, &ip0->dst_address);
2586 snat_det_reverse(dm0, &ip0->dst_address,
2587 clib_net_to_host_u16(key0.out_port), &new_addr0);
2589 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2590 if (PREDICT_FALSE(!ses0))
2592 /* Don't NAT packet aimed at the intfc address */
2593 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2594 ip0->dst_address.as_u32)))
2599 clib_warning("no match src %U:%d dst %U:%d for user %U",
2600 format_ip4_address, &key0.ext_host_addr,
2601 clib_net_to_host_u16 (key0.ext_host_port),
2602 format_ip4_address, &out_addr,
2603 clib_net_to_host_u16 (key0.out_port),
2604 format_ip4_address, &new_addr0);
2605 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2606 next0 = SNAT_OUT2IN_NEXT_DROP;
2610 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
2611 !icmp_is_error_message (icmp0)))
2613 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
2614 next0 = SNAT_OUT2IN_NEXT_DROP;
2621 *p_proto = protocol;
2624 p_value->addr = new_addr0;
2625 p_value->fib_index = sm->inside_fib_index;
2626 p_value->port = ses0->in_port;
2628 *p_dont_translate = dont_translate;
2630 *(snat_det_session_t**)d = ses0;
2632 *(snat_det_map_t**)e = dm0;
2636 /**********************/
2637 /*** worker handoff ***/
2638 /**********************/
2640 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
2641 vlib_node_runtime_t * node,
2642 vlib_frame_t * frame)
2644 snat_main_t *sm = &snat_main;
2645 vlib_thread_main_t *tm = vlib_get_thread_main ();
2646 u32 n_left_from, *from, *to_next = 0;
2647 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2648 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2650 vlib_frame_queue_elt_t *hf = 0;
2651 vlib_frame_t *f = 0;
2653 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2654 u32 next_worker_index = 0;
2655 u32 current_worker_index = ~0;
2656 u32 thread_index = vlib_get_thread_index ();
2658 ASSERT (vec_len (sm->workers));
2660 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2662 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2664 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2665 sm->first_worker_index + sm->num_workers - 1,
2666 (vlib_frame_queue_t *) (~0));
2669 from = vlib_frame_vector_args (frame);
2670 n_left_from = frame->n_vectors;
2672 while (n_left_from > 0)
2685 b0 = vlib_get_buffer (vm, bi0);
2687 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2688 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2690 ip0 = vlib_buffer_get_current (b0);
2692 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
2694 if (PREDICT_FALSE (next_worker_index != thread_index))
2698 if (next_worker_index != current_worker_index)
2701 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2703 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
2705 handoff_queue_elt_by_worker_index);
2707 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2708 to_next_worker = &hf->buffer_index[hf->n_vectors];
2709 current_worker_index = next_worker_index;
2712 /* enqueue to correct worker thread */
2713 to_next_worker[0] = bi0;
2715 n_left_to_next_worker--;
2717 if (n_left_to_next_worker == 0)
2719 hf->n_vectors = VLIB_FRAME_SIZE;
2720 vlib_put_frame_queue_elt (hf);
2721 current_worker_index = ~0;
2722 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2729 /* if this is 1st frame */
2732 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
2733 to_next = vlib_frame_vector_args (f);
2741 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2742 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2744 snat_out2in_worker_handoff_trace_t *t =
2745 vlib_add_trace (vm, node, b0, sizeof (*t));
2746 t->next_worker_index = next_worker_index;
2747 t->do_handoff = do_handoff;
2752 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
2755 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2757 /* Ship frames to the worker nodes */
2758 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2760 if (handoff_queue_elt_by_worker_index[i])
2762 hf = handoff_queue_elt_by_worker_index[i];
2764 * It works better to let the handoff node
2765 * rate-adapt, always ship the handoff queue element.
2767 if (1 || hf->n_vectors == hf->last_n_vectors)
2769 vlib_put_frame_queue_elt (hf);
2770 handoff_queue_elt_by_worker_index[i] = 0;
2773 hf->last_n_vectors = hf->n_vectors;
2775 congested_handoff_queue_by_worker_index[i] =
2776 (vlib_frame_queue_t *) (~0);
2779 current_worker_index = ~0;
2780 return frame->n_vectors;
2783 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
2784 .function = snat_out2in_worker_handoff_fn,
2785 .name = "nat44-out2in-worker-handoff",
2786 .vector_size = sizeof (u32),
2787 .format_trace = format_snat_out2in_worker_handoff_trace,
2788 .type = VLIB_NODE_TYPE_INTERNAL,
2797 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
2800 snat_out2in_fast_node_fn (vlib_main_t * vm,
2801 vlib_node_runtime_t * node,
2802 vlib_frame_t * frame)
2804 u32 n_left_from, * from, * to_next;
2805 snat_out2in_next_t next_index;
2806 u32 pkts_processed = 0;
2807 snat_main_t * sm = &snat_main;
2809 from = vlib_frame_vector_args (frame);
2810 n_left_from = frame->n_vectors;
2811 next_index = node->cached_next_index;
2813 while (n_left_from > 0)
2817 vlib_get_next_frame (vm, node, next_index,
2818 to_next, n_left_to_next);
2820 while (n_left_from > 0 && n_left_to_next > 0)
2824 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
2828 u32 new_addr0, old_addr0;
2829 u16 new_port0, old_port0;
2830 udp_header_t * udp0;
2831 tcp_header_t * tcp0;
2832 icmp46_header_t * icmp0;
2833 snat_session_key_t key0, sm0;
2837 /* speculatively enqueue b0 to the current next frame */
2843 n_left_to_next -= 1;
2845 b0 = vlib_get_buffer (vm, bi0);
2847 ip0 = vlib_buffer_get_current (b0);
2848 udp0 = ip4_next_header (ip0);
2849 tcp0 = (tcp_header_t *) udp0;
2850 icmp0 = (icmp46_header_t *) udp0;
2852 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2853 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2855 vnet_feature_next (sw_if_index0, &next0, b0);
2857 if (PREDICT_FALSE(ip0->ttl == 1))
2859 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2860 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2861 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2863 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2867 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2869 if (PREDICT_FALSE (proto0 == ~0))
2872 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2874 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2875 rx_fib_index0, node, next0, ~0, 0, 0);
2879 key0.addr = ip0->dst_address;
2880 key0.port = udp0->dst_port;
2881 key0.fib_index = rx_fib_index0;
2883 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0))
2885 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2889 new_addr0 = sm0.addr.as_u32;
2890 new_port0 = sm0.port;
2891 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2892 old_addr0 = ip0->dst_address.as_u32;
2893 ip0->dst_address.as_u32 = new_addr0;
2895 sum0 = ip0->checksum;
2896 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2898 dst_address /* changed member */);
2899 ip0->checksum = ip_csum_fold (sum0);
2901 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2903 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2905 old_port0 = tcp0->dst_port;
2906 tcp0->dst_port = new_port0;
2908 sum0 = tcp0->checksum;
2909 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2911 dst_address /* changed member */);
2913 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2914 ip4_header_t /* cheat */,
2915 length /* changed member */);
2916 tcp0->checksum = ip_csum_fold(sum0);
2920 old_port0 = udp0->dst_port;
2921 udp0->dst_port = new_port0;
2927 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2929 sum0 = tcp0->checksum;
2930 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2932 dst_address /* changed member */);
2934 tcp0->checksum = ip_csum_fold(sum0);
2940 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2941 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2943 snat_out2in_trace_t *t =
2944 vlib_add_trace (vm, node, b0, sizeof (*t));
2945 t->sw_if_index = sw_if_index0;
2946 t->next_index = next0;
2949 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2951 /* verify speculative enqueue, maybe switch current next frame */
2952 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2953 to_next, n_left_to_next,
2957 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2960 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
2961 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2963 return frame->n_vectors;
2966 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
2967 .function = snat_out2in_fast_node_fn,
2968 .name = "nat44-out2in-fast",
2969 .vector_size = sizeof (u32),
2970 .format_trace = format_snat_out2in_fast_trace,
2971 .type = VLIB_NODE_TYPE_INTERNAL,
2973 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2974 .error_strings = snat_out2in_error_strings,
2976 .runtime_data_bytes = sizeof (snat_runtime_t),
2978 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2980 /* edit / add dispositions here */
2982 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2983 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2984 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2985 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
2986 [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
2989 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob