2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
28 #include <nat/nat_reass.h>
29 #include <nat/nat_inlines.h>
31 #include <vppinfra/hash.h>
32 #include <vppinfra/error.h>
33 #include <vppinfra/elog.h>
39 } snat_out2in_trace_t;
42 u32 next_worker_index;
44 } snat_out2in_worker_handoff_trace_t;
46 /* packet trace format function */
47 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
49 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
50 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
51 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
53 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
54 t->sw_if_index, t->next_index, t->session_index);
58 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
60 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
61 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
62 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
64 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
65 t->sw_if_index, t->next_index);
69 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
71 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
72 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
73 snat_out2in_worker_handoff_trace_t * t =
74 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
77 m = t->do_handoff ? "next worker" : "same worker";
78 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
87 } nat44_out2in_reass_trace_t;
89 static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args)
91 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
92 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
93 nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *);
95 s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s",
96 t->sw_if_index, t->next_index,
97 t->cached ? "cached" : "translated");
102 vlib_node_registration_t snat_out2in_node;
103 vlib_node_registration_t snat_out2in_fast_node;
104 vlib_node_registration_t snat_out2in_worker_handoff_node;
105 vlib_node_registration_t snat_det_out2in_node;
106 vlib_node_registration_t nat44_out2in_reass_node;
107 vlib_node_registration_t nat44_ed_out2in_node;
108 vlib_node_registration_t nat44_ed_out2in_slowpath_node;
110 #define foreach_snat_out2in_error \
111 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
112 _(OUT2IN_PACKETS, "Good out2in packets processed") \
113 _(OUT_OF_PORTS, "Out of ports") \
114 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
115 _(NO_TRANSLATION, "No translation") \
116 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
117 _(DROP_FRAGMENT, "Drop fragment") \
118 _(MAX_REASS, "Maximum reassemblies exceeded") \
119 _(MAX_FRAG, "Maximum fragments per reassembly exceeded")\
120 _(FQ_CONGESTED, "Handoff frame queue congested")
123 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
124 foreach_snat_out2in_error
127 } snat_out2in_error_t;
129 static char * snat_out2in_error_strings[] = {
130 #define _(sym,string) string,
131 foreach_snat_out2in_error
136 SNAT_OUT2IN_NEXT_DROP,
137 SNAT_OUT2IN_NEXT_LOOKUP,
138 SNAT_OUT2IN_NEXT_ICMP_ERROR,
139 SNAT_OUT2IN_NEXT_REASS,
141 } snat_out2in_next_t;
144 * @brief Create session for static mapping.
146 * Create NAT session initiated by host from external network with static
149 * @param sm NAT main.
150 * @param b0 Vlib buffer.
151 * @param in2out In2out NAT44 session key.
152 * @param out2in Out2in NAT44 session key.
153 * @param node Vlib node.
155 * @returns SNAT session if successfully created otherwise 0.
157 static inline snat_session_t *
158 create_session_for_static_mapping (snat_main_t *sm,
160 snat_session_key_t in2out,
161 snat_session_key_t out2in,
162 vlib_node_runtime_t * node,
167 clib_bihash_kv_8_8_t kv0;
171 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
173 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
174 nat_log_notice ("maximum sessions exceeded");
178 ip0 = vlib_buffer_get_current (b0);
179 udp0 = ip4_next_header (ip0);
181 u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
184 nat_log_warn ("create NAT user failed");
188 s = nat_session_alloc_or_recycle (sm, u, thread_index);
191 nat44_delete_user_with_no_session (sm, u, thread_index);
192 nat_log_warn ("create NAT session failed");
196 s->outside_address_index = ~0;
197 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
198 s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
199 s->ext_host_port = udp0->src_port;
200 user_session_increment (sm, u, 1 /* static */);
203 s->in2out.protocol = out2in.protocol;
205 /* Add to translation hashes */
206 kv0.key = s->in2out.as_u64;
207 kv0.value = s - sm->per_thread_data[thread_index].sessions;
208 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
210 nat_log_notice ("in2out key add failed");
212 kv0.key = s->out2in.as_u64;
214 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
216 nat_log_notice ("out2in key add failed");
219 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
220 s->out2in.addr.as_u32,
224 s->in2out.fib_index);
229 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
230 snat_session_key_t *p_key0)
232 icmp46_header_t *icmp0;
233 snat_session_key_t key0;
234 icmp_echo_header_t *echo0, *inner_echo0 = 0;
235 ip4_header_t *inner_ip0;
237 icmp46_header_t *inner_icmp0;
239 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
240 echo0 = (icmp_echo_header_t *)(icmp0+1);
242 if (!icmp_is_error_message (icmp0))
244 key0.protocol = SNAT_PROTOCOL_ICMP;
245 key0.addr = ip0->dst_address;
246 key0.port = echo0->identifier;
250 inner_ip0 = (ip4_header_t *)(echo0+1);
251 l4_header = ip4_next_header (inner_ip0);
252 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
253 key0.addr = inner_ip0->src_address;
254 switch (key0.protocol)
256 case SNAT_PROTOCOL_ICMP:
257 inner_icmp0 = (icmp46_header_t*)l4_header;
258 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
259 key0.port = inner_echo0->identifier;
261 case SNAT_PROTOCOL_UDP:
262 case SNAT_PROTOCOL_TCP:
263 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
266 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
270 return -1; /* success */
274 * Get address and port values to be used for ICMP packet translation
275 * and create session if needed
277 * @param[in,out] sm NAT main
278 * @param[in,out] node NAT node runtime
279 * @param[in] thread_index thread index
280 * @param[in,out] b0 buffer containing packet to be translated
281 * @param[out] p_proto protocol used for matching
282 * @param[out] p_value address and port after NAT translation
283 * @param[out] p_dont_translate if packet should not be translated
284 * @param d optional parameter
285 * @param e optional parameter
287 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
288 u32 thread_index, vlib_buffer_t *b0,
289 ip4_header_t *ip0, u8 *p_proto,
290 snat_session_key_t *p_value,
291 u8 *p_dont_translate, void *d, void *e)
293 icmp46_header_t *icmp0;
296 snat_session_key_t key0;
297 snat_session_key_t sm0;
298 snat_session_t *s0 = 0;
299 u8 dont_translate = 0;
300 clib_bihash_kv_8_8_t kv0, value0;
305 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
306 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
307 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
311 err = icmp_get_key (ip0, &key0);
314 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
315 next0 = SNAT_OUT2IN_NEXT_DROP;
318 key0.fib_index = rx_fib_index0;
320 kv0.key = key0.as_u64;
322 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
325 /* Try to match static mapping by external address and port,
326 destination address and port in packet */
327 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
329 if (!sm->forwarding_enabled)
331 /* Don't NAT packet aimed at the intfc address */
332 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
333 ip0->dst_address.as_u32)))
338 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
339 next0 = SNAT_OUT2IN_NEXT_DROP;
349 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
350 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
352 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
353 next0 = SNAT_OUT2IN_NEXT_DROP;
357 /* Create session initiated by host from external network */
358 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
363 next0 = SNAT_OUT2IN_NEXT_DROP;
369 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
370 icmp0->type != ICMP4_echo_request &&
371 !icmp_is_error_message (icmp0)))
373 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
374 next0 = SNAT_OUT2IN_NEXT_DROP;
378 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
383 *p_proto = key0.protocol;
385 *p_value = s0->in2out;
386 *p_dont_translate = dont_translate;
388 *(snat_session_t**)d = s0;
393 * Get address and port values to be used for ICMP packet translation
395 * @param[in] sm NAT main
396 * @param[in,out] node NAT node runtime
397 * @param[in] thread_index thread index
398 * @param[in,out] b0 buffer containing packet to be translated
399 * @param[out] p_proto protocol used for matching
400 * @param[out] p_value address and port after NAT translation
401 * @param[out] p_dont_translate if packet should not be translated
402 * @param d optional parameter
403 * @param e optional parameter
405 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
406 u32 thread_index, vlib_buffer_t *b0,
407 ip4_header_t *ip0, u8 *p_proto,
408 snat_session_key_t *p_value,
409 u8 *p_dont_translate, void *d, void *e)
411 icmp46_header_t *icmp0;
414 snat_session_key_t key0;
415 snat_session_key_t sm0;
416 u8 dont_translate = 0;
421 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
422 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
423 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
425 err = icmp_get_key (ip0, &key0);
428 b0->error = node->errors[err];
429 next0 = SNAT_OUT2IN_NEXT_DROP;
432 key0.fib_index = rx_fib_index0;
434 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0))
436 /* Don't NAT packet aimed at the intfc address */
437 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
442 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
443 next0 = SNAT_OUT2IN_NEXT_DROP;
447 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
448 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
449 !icmp_is_error_message (icmp0)))
451 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
452 next0 = SNAT_OUT2IN_NEXT_DROP;
459 *p_proto = key0.protocol;
460 *p_dont_translate = dont_translate;
464 static inline u32 icmp_out2in (snat_main_t *sm,
467 icmp46_header_t * icmp0,
470 vlib_node_runtime_t * node,
476 snat_session_key_t sm0;
478 icmp_echo_header_t *echo0, *inner_echo0 = 0;
479 ip4_header_t *inner_ip0 = 0;
481 icmp46_header_t *inner_icmp0;
483 u32 new_addr0, old_addr0;
484 u16 old_id0, new_id0;
489 echo0 = (icmp_echo_header_t *)(icmp0+1);
491 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
492 &protocol, &sm0, &dont_translate, d, e);
495 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
498 sum0 = ip_incremental_checksum (0, icmp0,
499 ntohs(ip0->length) - ip4_header_bytes (ip0));
500 checksum0 = ~ip_csum_fold (sum0);
501 if (checksum0 != 0 && checksum0 != 0xffff)
503 next0 = SNAT_OUT2IN_NEXT_DROP;
507 old_addr0 = ip0->dst_address.as_u32;
508 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
509 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
511 sum0 = ip0->checksum;
512 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
513 dst_address /* changed member */);
514 ip0->checksum = ip_csum_fold (sum0);
516 if (icmp0->checksum == 0)
517 icmp0->checksum = 0xffff;
519 if (!icmp_is_error_message (icmp0))
522 if (PREDICT_FALSE(new_id0 != echo0->identifier))
524 old_id0 = echo0->identifier;
526 echo0->identifier = new_id0;
528 sum0 = icmp0->checksum;
529 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
530 identifier /* changed member */);
531 icmp0->checksum = ip_csum_fold (sum0);
536 inner_ip0 = (ip4_header_t *)(echo0+1);
537 l4_header = ip4_next_header (inner_ip0);
539 if (!ip4_header_checksum_is_valid (inner_ip0))
541 next0 = SNAT_OUT2IN_NEXT_DROP;
545 old_addr0 = inner_ip0->src_address.as_u32;
546 inner_ip0->src_address = sm0.addr;
547 new_addr0 = inner_ip0->src_address.as_u32;
549 sum0 = icmp0->checksum;
550 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
551 src_address /* changed member */);
552 icmp0->checksum = ip_csum_fold (sum0);
556 case SNAT_PROTOCOL_ICMP:
557 inner_icmp0 = (icmp46_header_t*)l4_header;
558 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
560 old_id0 = inner_echo0->identifier;
562 inner_echo0->identifier = new_id0;
564 sum0 = icmp0->checksum;
565 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
567 icmp0->checksum = ip_csum_fold (sum0);
569 case SNAT_PROTOCOL_UDP:
570 case SNAT_PROTOCOL_TCP:
571 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
573 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
575 sum0 = icmp0->checksum;
576 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
578 icmp0->checksum = ip_csum_fold (sum0);
590 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
593 icmp46_header_t * icmp0,
596 vlib_node_runtime_t * node,
599 snat_session_t ** p_s0)
601 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
602 next0, thread_index, p_s0, 0);
603 snat_session_t * s0 = *p_s0;
604 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
607 nat44_session_update_counters (s0, now,
608 vlib_buffer_length_in_chain (sm->vlib_main, b0));
609 /* Per-user LRU list maintenance */
610 nat44_session_update_lru (sm, s0, thread_index);
616 nat_out2in_sm_unknown_proto (snat_main_t *sm,
621 clib_bihash_kv_8_8_t kv, value;
622 snat_static_mapping_t *m;
623 snat_session_key_t m_key;
624 u32 old_addr, new_addr;
627 m_key.addr = ip->dst_address;
631 kv.key = m_key.as_u64;
632 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
635 m = pool_elt_at_index (sm->static_mappings, value.value);
637 old_addr = ip->dst_address.as_u32;
638 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
640 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
641 ip->checksum = ip_csum_fold (sum);
643 vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index;
648 snat_out2in_node_fn (vlib_main_t * vm,
649 vlib_node_runtime_t * node,
650 vlib_frame_t * frame)
652 u32 n_left_from, * from, * to_next;
653 snat_out2in_next_t next_index;
654 u32 pkts_processed = 0;
655 snat_main_t * sm = &snat_main;
656 f64 now = vlib_time_now (vm);
657 u32 thread_index = vm->thread_index;
659 from = vlib_frame_vector_args (frame);
660 n_left_from = frame->n_vectors;
661 next_index = node->cached_next_index;
663 while (n_left_from > 0)
667 vlib_get_next_frame (vm, node, next_index,
668 to_next, n_left_to_next);
670 while (n_left_from >= 4 && n_left_to_next >= 2)
673 vlib_buffer_t * b0, * b1;
674 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
675 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
676 u32 sw_if_index0, sw_if_index1;
677 ip4_header_t * ip0, *ip1;
678 ip_csum_t sum0, sum1;
679 u32 new_addr0, old_addr0;
680 u16 new_port0, old_port0;
681 u32 new_addr1, old_addr1;
682 u16 new_port1, old_port1;
683 udp_header_t * udp0, * udp1;
684 tcp_header_t * tcp0, * tcp1;
685 icmp46_header_t * icmp0, * icmp1;
686 snat_session_key_t key0, key1, sm0, sm1;
687 u32 rx_fib_index0, rx_fib_index1;
689 snat_session_t * s0 = 0, * s1 = 0;
690 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
692 /* Prefetch next iteration. */
694 vlib_buffer_t * p2, * p3;
696 p2 = vlib_get_buffer (vm, from[2]);
697 p3 = vlib_get_buffer (vm, from[3]);
699 vlib_prefetch_buffer_header (p2, LOAD);
700 vlib_prefetch_buffer_header (p3, LOAD);
702 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
703 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
706 /* speculatively enqueue b0 and b1 to the current next frame */
707 to_next[0] = bi0 = from[0];
708 to_next[1] = bi1 = from[1];
714 b0 = vlib_get_buffer (vm, bi0);
715 b1 = vlib_get_buffer (vm, bi1);
717 vnet_buffer (b0)->snat.flags = 0;
718 vnet_buffer (b1)->snat.flags = 0;
720 ip0 = vlib_buffer_get_current (b0);
721 udp0 = ip4_next_header (ip0);
722 tcp0 = (tcp_header_t *) udp0;
723 icmp0 = (icmp46_header_t *) udp0;
725 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
726 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
729 if (PREDICT_FALSE(ip0->ttl == 1))
731 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
732 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
733 ICMP4_time_exceeded_ttl_exceeded_in_transit,
735 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
739 proto0 = ip_proto_to_snat_proto (ip0->protocol);
741 if (PREDICT_FALSE (proto0 == ~0))
743 if (nat_out2in_sm_unknown_proto(sm, b0, ip0, rx_fib_index0))
745 if (!sm->forwarding_enabled)
747 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
748 next0 = SNAT_OUT2IN_NEXT_DROP;
754 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
756 next0 = icmp_out2in_slow_path
757 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
758 next0, now, thread_index, &s0);
762 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
764 next0 = SNAT_OUT2IN_NEXT_REASS;
768 key0.addr = ip0->dst_address;
769 key0.port = udp0->dst_port;
770 key0.protocol = proto0;
771 key0.fib_index = rx_fib_index0;
773 kv0.key = key0.as_u64;
775 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
778 /* Try to match static mapping by external address and port,
779 destination address and port in packet */
780 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
783 * Send DHCP packets to the ipv4 stack, or we won't
784 * be able to use dhcp client on the outside interface
786 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
787 && (udp0->dst_port ==
788 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
790 vnet_feature_next (&next0, b0);
794 if (!sm->forwarding_enabled)
796 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
797 next0 = SNAT_OUT2IN_NEXT_DROP;
802 /* Create session initiated by host from external network */
803 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
807 next0 = SNAT_OUT2IN_NEXT_DROP;
812 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
815 old_addr0 = ip0->dst_address.as_u32;
816 ip0->dst_address = s0->in2out.addr;
817 new_addr0 = ip0->dst_address.as_u32;
818 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
820 sum0 = ip0->checksum;
821 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
823 dst_address /* changed member */);
824 ip0->checksum = ip_csum_fold (sum0);
826 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
828 old_port0 = tcp0->dst_port;
829 tcp0->dst_port = s0->in2out.port;
830 new_port0 = tcp0->dst_port;
832 sum0 = tcp0->checksum;
833 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
835 dst_address /* changed member */);
837 sum0 = ip_csum_update (sum0, old_port0, new_port0,
838 ip4_header_t /* cheat */,
839 length /* changed member */);
840 tcp0->checksum = ip_csum_fold(sum0);
844 old_port0 = udp0->dst_port;
845 udp0->dst_port = s0->in2out.port;
850 nat44_session_update_counters (s0, now,
851 vlib_buffer_length_in_chain (vm, b0));
852 /* Per-user LRU list maintenance */
853 nat44_session_update_lru (sm, s0, thread_index);
856 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
857 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
859 snat_out2in_trace_t *t =
860 vlib_add_trace (vm, node, b0, sizeof (*t));
861 t->sw_if_index = sw_if_index0;
862 t->next_index = next0;
863 t->session_index = ~0;
865 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
868 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
871 ip1 = vlib_buffer_get_current (b1);
872 udp1 = ip4_next_header (ip1);
873 tcp1 = (tcp_header_t *) udp1;
874 icmp1 = (icmp46_header_t *) udp1;
876 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
877 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
880 if (PREDICT_FALSE(ip1->ttl == 1))
882 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
883 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
884 ICMP4_time_exceeded_ttl_exceeded_in_transit,
886 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
890 proto1 = ip_proto_to_snat_proto (ip1->protocol);
892 if (PREDICT_FALSE (proto1 == ~0))
894 if (nat_out2in_sm_unknown_proto(sm, b1, ip1, rx_fib_index1))
896 if (!sm->forwarding_enabled)
898 b1->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
899 next1 = SNAT_OUT2IN_NEXT_DROP;
905 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
907 next1 = icmp_out2in_slow_path
908 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
909 next1, now, thread_index, &s1);
913 if (PREDICT_FALSE (ip4_is_fragment (ip1)))
915 next1 = SNAT_OUT2IN_NEXT_REASS;
919 key1.addr = ip1->dst_address;
920 key1.port = udp1->dst_port;
921 key1.protocol = proto1;
922 key1.fib_index = rx_fib_index1;
924 kv1.key = key1.as_u64;
926 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
929 /* Try to match static mapping by external address and port,
930 destination address and port in packet */
931 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0, 0))
934 * Send DHCP packets to the ipv4 stack, or we won't
935 * be able to use dhcp client on the outside interface
937 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
938 && (udp1->dst_port ==
939 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
941 vnet_feature_next (&next1, b1);
945 if (!sm->forwarding_enabled)
947 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
948 next1 = SNAT_OUT2IN_NEXT_DROP;
953 /* Create session initiated by host from external network */
954 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
958 next1 = SNAT_OUT2IN_NEXT_DROP;
963 s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
966 old_addr1 = ip1->dst_address.as_u32;
967 ip1->dst_address = s1->in2out.addr;
968 new_addr1 = ip1->dst_address.as_u32;
969 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
971 sum1 = ip1->checksum;
972 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
974 dst_address /* changed member */);
975 ip1->checksum = ip_csum_fold (sum1);
977 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
979 old_port1 = tcp1->dst_port;
980 tcp1->dst_port = s1->in2out.port;
981 new_port1 = tcp1->dst_port;
983 sum1 = tcp1->checksum;
984 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
986 dst_address /* changed member */);
988 sum1 = ip_csum_update (sum1, old_port1, new_port1,
989 ip4_header_t /* cheat */,
990 length /* changed member */);
991 tcp1->checksum = ip_csum_fold(sum1);
995 old_port1 = udp1->dst_port;
996 udp1->dst_port = s1->in2out.port;
1001 nat44_session_update_counters (s1, now,
1002 vlib_buffer_length_in_chain (vm, b1));
1003 /* Per-user LRU list maintenance */
1004 nat44_session_update_lru (sm, s1, thread_index);
1007 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1008 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1010 snat_out2in_trace_t *t =
1011 vlib_add_trace (vm, node, b1, sizeof (*t));
1012 t->sw_if_index = sw_if_index1;
1013 t->next_index = next1;
1014 t->session_index = ~0;
1016 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1019 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1021 /* verify speculative enqueues, maybe switch current next frame */
1022 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1023 to_next, n_left_to_next,
1024 bi0, bi1, next0, next1);
1027 while (n_left_from > 0 && n_left_to_next > 0)
1031 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1035 u32 new_addr0, old_addr0;
1036 u16 new_port0, old_port0;
1037 udp_header_t * udp0;
1038 tcp_header_t * tcp0;
1039 icmp46_header_t * icmp0;
1040 snat_session_key_t key0, sm0;
1043 snat_session_t * s0 = 0;
1044 clib_bihash_kv_8_8_t kv0, value0;
1046 /* speculatively enqueue b0 to the current next frame */
1052 n_left_to_next -= 1;
1054 b0 = vlib_get_buffer (vm, bi0);
1056 vnet_buffer (b0)->snat.flags = 0;
1058 ip0 = vlib_buffer_get_current (b0);
1059 udp0 = ip4_next_header (ip0);
1060 tcp0 = (tcp_header_t *) udp0;
1061 icmp0 = (icmp46_header_t *) udp0;
1063 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1064 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1067 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1069 if (PREDICT_FALSE (proto0 == ~0))
1071 if (nat_out2in_sm_unknown_proto(sm, b0, ip0, rx_fib_index0))
1073 if (!sm->forwarding_enabled)
1075 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1076 next0 = SNAT_OUT2IN_NEXT_DROP;
1082 if (PREDICT_FALSE(ip0->ttl == 1))
1084 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1085 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1086 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1088 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1092 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1094 next0 = icmp_out2in_slow_path
1095 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1096 next0, now, thread_index, &s0);
1100 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
1102 next0 = SNAT_OUT2IN_NEXT_REASS;
1106 key0.addr = ip0->dst_address;
1107 key0.port = udp0->dst_port;
1108 key0.protocol = proto0;
1109 key0.fib_index = rx_fib_index0;
1111 kv0.key = key0.as_u64;
1113 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1116 /* Try to match static mapping by external address and port,
1117 destination address and port in packet */
1118 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1121 * Send DHCP packets to the ipv4 stack, or we won't
1122 * be able to use dhcp client on the outside interface
1124 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1125 && (udp0->dst_port ==
1126 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1128 vnet_feature_next (&next0, b0);
1132 if (!sm->forwarding_enabled)
1134 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1135 next0 = SNAT_OUT2IN_NEXT_DROP;
1140 /* Create session initiated by host from external network */
1141 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1145 next0 = SNAT_OUT2IN_NEXT_DROP;
1150 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1153 old_addr0 = ip0->dst_address.as_u32;
1154 ip0->dst_address = s0->in2out.addr;
1155 new_addr0 = ip0->dst_address.as_u32;
1156 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1158 sum0 = ip0->checksum;
1159 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1161 dst_address /* changed member */);
1162 ip0->checksum = ip_csum_fold (sum0);
1164 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1166 old_port0 = tcp0->dst_port;
1167 tcp0->dst_port = s0->in2out.port;
1168 new_port0 = tcp0->dst_port;
1170 sum0 = tcp0->checksum;
1171 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1173 dst_address /* changed member */);
1175 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1176 ip4_header_t /* cheat */,
1177 length /* changed member */);
1178 tcp0->checksum = ip_csum_fold(sum0);
1182 old_port0 = udp0->dst_port;
1183 udp0->dst_port = s0->in2out.port;
1188 nat44_session_update_counters (s0, now,
1189 vlib_buffer_length_in_chain (vm, b0));
1190 /* Per-user LRU list maintenance */
1191 nat44_session_update_lru (sm, s0, thread_index);
1194 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1195 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1197 snat_out2in_trace_t *t =
1198 vlib_add_trace (vm, node, b0, sizeof (*t));
1199 t->sw_if_index = sw_if_index0;
1200 t->next_index = next0;
1201 t->session_index = ~0;
1203 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1206 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1208 /* verify speculative enqueue, maybe switch current next frame */
1209 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1210 to_next, n_left_to_next,
1214 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1217 vlib_node_increment_counter (vm, snat_out2in_node.index,
1218 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1220 return frame->n_vectors;
1223 VLIB_REGISTER_NODE (snat_out2in_node) = {
1224 .function = snat_out2in_node_fn,
1225 .name = "nat44-out2in",
1226 .vector_size = sizeof (u32),
1227 .format_trace = format_snat_out2in_trace,
1228 .type = VLIB_NODE_TYPE_INTERNAL,
1230 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1231 .error_strings = snat_out2in_error_strings,
1233 .runtime_data_bytes = sizeof (snat_runtime_t),
1235 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1237 /* edit / add dispositions here */
1239 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1240 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1241 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1242 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1245 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1248 nat44_out2in_reass_node_fn (vlib_main_t * vm,
1249 vlib_node_runtime_t * node,
1250 vlib_frame_t * frame)
1252 u32 n_left_from, *from, *to_next;
1253 snat_out2in_next_t next_index;
1254 u32 pkts_processed = 0;
1255 snat_main_t *sm = &snat_main;
1256 f64 now = vlib_time_now (vm);
1257 u32 thread_index = vm->thread_index;
1258 snat_main_per_thread_data_t *per_thread_data =
1259 &sm->per_thread_data[thread_index];
1260 u32 *fragments_to_drop = 0;
1261 u32 *fragments_to_loopback = 0;
1263 from = vlib_frame_vector_args (frame);
1264 n_left_from = frame->n_vectors;
1265 next_index = node->cached_next_index;
1267 while (n_left_from > 0)
1271 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1273 while (n_left_from > 0 && n_left_to_next > 0)
1275 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1280 nat_reass_ip4_t *reass0;
1281 udp_header_t * udp0;
1282 tcp_header_t * tcp0;
1283 snat_session_key_t key0, sm0;
1284 clib_bihash_kv_8_8_t kv0, value0;
1285 snat_session_t * s0 = 0;
1286 u16 old_port0, new_port0;
1289 /* speculatively enqueue b0 to the current next frame */
1295 n_left_to_next -= 1;
1297 b0 = vlib_get_buffer (vm, bi0);
1298 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1300 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1301 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1304 if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
1306 next0 = SNAT_OUT2IN_NEXT_DROP;
1307 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
1311 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1312 udp0 = ip4_next_header (ip0);
1313 tcp0 = (tcp_header_t *) udp0;
1314 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1316 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1321 &fragments_to_drop);
1323 if (PREDICT_FALSE (!reass0))
1325 next0 = SNAT_OUT2IN_NEXT_DROP;
1326 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
1327 nat_log_notice ("maximum reassemblies exceeded");
1331 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1333 key0.addr = ip0->dst_address;
1334 key0.port = udp0->dst_port;
1335 key0.protocol = proto0;
1336 key0.fib_index = rx_fib_index0;
1337 kv0.key = key0.as_u64;
1339 if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0))
1341 /* Try to match static mapping by external address and port,
1342 destination address and port in packet */
1343 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
1346 * Send DHCP packets to the ipv4 stack, or we won't
1347 * be able to use dhcp client on the outside interface
1349 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1351 == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
1353 vnet_feature_next (&next0, b0);
1357 if (!sm->forwarding_enabled)
1359 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1360 next0 = SNAT_OUT2IN_NEXT_DROP;
1365 /* Create session initiated by host from external network */
1366 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1370 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1371 next0 = SNAT_OUT2IN_NEXT_DROP;
1374 reass0->sess_index = s0 - per_thread_data->sessions;
1375 reass0->thread_index = thread_index;
1379 s0 = pool_elt_at_index (per_thread_data->sessions,
1381 reass0->sess_index = value0.value;
1383 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1387 if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
1389 if (nat_ip4_reass_add_fragment (reass0, bi0))
1391 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
1392 nat_log_notice ("maximum fragments per reassembly exceeded");
1393 next0 = SNAT_OUT2IN_NEXT_DROP;
1399 s0 = pool_elt_at_index (per_thread_data->sessions,
1400 reass0->sess_index);
1403 old_addr0 = ip0->dst_address.as_u32;
1404 ip0->dst_address = s0->in2out.addr;
1405 new_addr0 = ip0->dst_address.as_u32;
1406 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1408 sum0 = ip0->checksum;
1409 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1411 dst_address /* changed member */);
1412 ip0->checksum = ip_csum_fold (sum0);
1414 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1416 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1418 old_port0 = tcp0->dst_port;
1419 tcp0->dst_port = s0->in2out.port;
1420 new_port0 = tcp0->dst_port;
1422 sum0 = tcp0->checksum;
1423 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1425 dst_address /* changed member */);
1427 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1428 ip4_header_t /* cheat */,
1429 length /* changed member */);
1430 tcp0->checksum = ip_csum_fold(sum0);
1434 old_port0 = udp0->dst_port;
1435 udp0->dst_port = s0->in2out.port;
1441 nat44_session_update_counters (s0, now,
1442 vlib_buffer_length_in_chain (vm, b0));
1443 /* Per-user LRU list maintenance */
1444 nat44_session_update_lru (sm, s0, thread_index);
1447 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1448 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1450 nat44_out2in_reass_trace_t *t =
1451 vlib_add_trace (vm, node, b0, sizeof (*t));
1452 t->cached = cached0;
1453 t->sw_if_index = sw_if_index0;
1454 t->next_index = next0;
1464 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1466 /* verify speculative enqueue, maybe switch current next frame */
1467 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1468 to_next, n_left_to_next,
1472 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1474 from = vlib_frame_vector_args (frame);
1475 u32 len = vec_len (fragments_to_loopback);
1476 if (len <= VLIB_FRAME_SIZE)
1478 clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
1480 vec_reset_length (fragments_to_loopback);
1485 fragments_to_loopback + (len - VLIB_FRAME_SIZE),
1486 sizeof (u32) * VLIB_FRAME_SIZE);
1487 n_left_from = VLIB_FRAME_SIZE;
1488 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1493 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1496 vlib_node_increment_counter (vm, nat44_out2in_reass_node.index,
1497 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1500 nat_send_all_to_node (vm, fragments_to_drop, node,
1501 &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
1502 SNAT_OUT2IN_NEXT_DROP);
1504 vec_free (fragments_to_drop);
1505 vec_free (fragments_to_loopback);
1506 return frame->n_vectors;
1509 VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
1510 .function = nat44_out2in_reass_node_fn,
1511 .name = "nat44-out2in-reass",
1512 .vector_size = sizeof (u32),
1513 .format_trace = format_nat44_out2in_reass_trace,
1514 .type = VLIB_NODE_TYPE_INTERNAL,
1516 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1517 .error_strings = snat_out2in_error_strings,
1519 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1521 /* edit / add dispositions here */
1523 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1524 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1525 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1526 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
1529 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
1530 nat44_out2in_reass_node_fn);
1532 /*******************************/
1533 /*** endpoint-dependent mode ***/
1534 /*******************************/
1536 NAT44_ED_OUT2IN_NEXT_DROP,
1537 NAT44_ED_OUT2IN_NEXT_LOOKUP,
1538 NAT44_ED_OUT2IN_NEXT_ICMP_ERROR,
1539 NAT44_ED_OUT2IN_NEXT_IN2OUT,
1540 NAT44_ED_OUT2IN_NEXT_SLOW_PATH,
1541 NAT44_ED_OUT2IN_N_NEXT,
1542 } nat44_ed_out2in_next_t;
1549 } nat44_ed_out2in_trace_t;
1552 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
1554 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1555 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1556 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
1559 tag = t->is_slow_path ? "NAT44_OUT2IN_SLOW_PATH" : "NAT44_OUT2IN_FAST_PATH";
1561 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
1562 t->sw_if_index, t->next_index, t->session_index);
1567 static snat_session_t *
1568 create_session_for_static_mapping_ed (snat_main_t * sm,
1570 snat_session_key_t l_key,
1571 snat_session_key_t e_key,
1572 vlib_node_runtime_t * node,
1574 twice_nat_type_t twice_nat,
1581 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1582 clib_bihash_kv_16_8_t kv;
1583 snat_session_key_t eh_key;
1586 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1588 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
1589 nat_log_notice ("maximum sessions exceeded");
1593 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index, thread_index);
1596 nat_log_warn ("create NAT user failed");
1600 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1603 nat44_delete_user_with_no_session (sm, u, thread_index);
1604 nat_log_warn ("create NAT session failed");
1608 ip = vlib_buffer_get_current (b);
1609 udp = ip4_next_header (ip);
1611 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
1612 s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port;
1613 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1615 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
1616 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
1617 s->outside_address_index = ~0;
1620 s->in2out.protocol = s->out2in.protocol;
1621 user_session_increment (sm, u, 1);
1623 /* Add to lookup tables */
1624 make_ed_kv (&kv, &e_key.addr, &s->ext_host_addr, ip->protocol,
1625 e_key.fib_index, e_key.port, s->ext_host_port);
1626 kv.value = s - tsm->sessions;
1627 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 1))
1628 nat_log_notice ("out2in-ed key add failed");
1630 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
1631 ip->src_address.as_u32 == l_key.addr.as_u32))
1633 eh_key.protocol = e_key.protocol;
1634 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
1635 thread_index, &eh_key,
1637 sm->port_per_thread,
1638 tsm->snat_thread_index))
1640 b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS];
1641 nat44_delete_session (sm, s, thread_index);
1642 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0))
1643 nat_log_notice ("out2in-ed key del failed");
1646 s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
1647 s->ext_host_nat_port = eh_key.port;
1648 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
1649 make_ed_kv (&kv, &l_key.addr, &s->ext_host_nat_addr, ip->protocol,
1650 l_key.fib_index, l_key.port, s->ext_host_nat_port);
1654 make_ed_kv (&kv, &l_key.addr, &s->ext_host_addr, ip->protocol,
1655 l_key.fib_index, l_key.port, s->ext_host_port);
1657 kv.value = s - tsm->sessions;
1658 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
1659 nat_log_notice ("in2out-ed key add failed");
1664 static_always_inline int
1665 icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
1667 icmp46_header_t *icmp0;
1668 nat_ed_ses_key_t key0;
1669 icmp_echo_header_t *echo0, *inner_echo0 = 0;
1670 ip4_header_t *inner_ip0;
1671 void *l4_header = 0;
1672 icmp46_header_t *inner_icmp0;
1674 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
1675 echo0 = (icmp_echo_header_t *)(icmp0+1);
1677 if (!icmp_is_error_message (icmp0))
1679 key0.proto = IP_PROTOCOL_ICMP;
1680 key0.l_addr = ip0->dst_address;
1681 key0.r_addr = ip0->src_address;
1682 key0.l_port = echo0->identifier;
1687 inner_ip0 = (ip4_header_t *)(echo0+1);
1688 l4_header = ip4_next_header (inner_ip0);
1689 key0.proto = inner_ip0->protocol;
1690 key0.l_addr = inner_ip0->src_address;
1691 key0.r_addr = inner_ip0->dst_address;
1692 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
1694 case SNAT_PROTOCOL_ICMP:
1695 inner_icmp0 = (icmp46_header_t*)l4_header;
1696 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
1697 key0.l_port = inner_echo0->identifier;
1700 case SNAT_PROTOCOL_UDP:
1701 case SNAT_PROTOCOL_TCP:
1702 key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port;
1703 key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port;
1714 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port,
1715 u16 dst_port, u32 thread_index)
1717 clib_bihash_kv_16_8_t kv, value;
1718 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1720 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto,
1721 sm->inside_fib_index, src_port, dst_port);
1722 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
1729 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
1732 nat_ed_ses_key_t key;
1733 clib_bihash_kv_16_8_t kv, value;
1736 snat_session_t *s = 0;
1737 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1738 f64 now = vlib_time_now (sm->vlib_main);
1740 if (ip->protocol == IP_PROTOCOL_ICMP)
1742 if (icmp_get_ed_key (ip, &key))
1745 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
1747 udp = ip4_next_header(ip);
1748 key.r_addr = ip->src_address;
1749 key.l_addr = ip->dst_address;
1750 key.proto = ip->protocol;
1751 key.l_port = udp->dst_port;
1752 key.r_port = udp->src_port;
1756 key.r_addr = ip->src_address;
1757 key.l_addr = ip->dst_address;
1758 key.proto = ip->protocol;
1759 key.l_port = key.r_port = 0;
1762 kv.key[0] = key.as_u64[0];
1763 kv.key[1] = key.as_u64[1];
1765 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
1767 s = pool_elt_at_index (tsm->sessions, value.value);
1771 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1774 u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index,
1778 nat_log_warn ("create NAT user failed");
1782 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1785 nat44_delete_user_with_no_session (sm, u, thread_index);
1786 nat_log_warn ("create NAT session failed");
1790 s->ext_host_addr = key.r_addr;
1791 s->ext_host_port = key.r_port;
1792 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
1793 s->outside_address_index = ~0;
1794 s->out2in.addr = key.l_addr;
1795 s->out2in.port = key.l_port;
1796 s->out2in.protocol = ip_proto_to_snat_proto (key.proto);
1797 s->out2in.fib_index = 0;
1798 s->in2out = s->out2in;
1799 user_session_increment (sm, u, 0);
1801 kv.value = s - tsm->sessions;
1802 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
1803 nat_log_notice ("in2out_ed key add failed");
1806 if (ip->protocol == IP_PROTOCOL_TCP)
1808 tcp_header_t *tcp = ip4_next_header(ip);
1809 if (nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index))
1813 /* Per-user LRU list maintenance */
1814 nat44_session_update_lru (sm, s, thread_index);
1816 nat44_session_update_counters (s, now, 0);
1820 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
1821 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
1822 u8 * p_proto, snat_session_key_t * p_value,
1823 u8 * p_dont_translate, void * d, void * e)
1825 u32 next = ~0, sw_if_index, rx_fib_index;
1826 icmp46_header_t *icmp;
1827 nat_ed_ses_key_t key;
1828 clib_bihash_kv_16_8_t kv, value;
1829 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1830 snat_session_t *s = 0;
1831 u8 dont_translate = 0, is_addr_only;
1832 snat_session_key_t e_key, l_key;
1834 icmp = (icmp46_header_t *) ip4_next_header (ip);
1835 sw_if_index = vnet_buffer(b)->sw_if_index[VLIB_RX];
1836 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
1838 if (icmp_get_ed_key (ip, &key))
1840 b->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1841 next = SNAT_OUT2IN_NEXT_DROP;
1844 key.fib_index = rx_fib_index;
1845 kv.key[0] = key.as_u64[0];
1846 kv.key[1] = key.as_u64[1];
1848 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
1850 /* Try to match static mapping */
1851 e_key.addr = ip->dst_address;
1852 e_key.port = key.l_port;
1853 e_key.protocol = ip_proto_to_snat_proto (key.proto);
1854 e_key.fib_index = rx_fib_index;
1855 if (snat_static_mapping_match(sm, e_key, &l_key, 1, &is_addr_only, 0, 0))
1857 if (!sm->forwarding_enabled)
1859 /* Don't NAT packet aimed at the intfc address */
1860 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index,
1861 ip->dst_address.as_u32)))
1866 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1867 next = NAT44_ED_OUT2IN_NEXT_DROP;
1873 if (next_src_nat(sm, ip, key.proto, key.l_port, key.r_port, thread_index))
1875 next = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1878 create_bypass_for_fwd(sm, ip, rx_fib_index, thread_index);
1883 if (PREDICT_FALSE(icmp->type != ICMP4_echo_reply &&
1884 (icmp->type != ICMP4_echo_request || !is_addr_only)))
1886 b->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
1887 next = NAT44_ED_OUT2IN_NEXT_DROP;
1891 /* Create session initiated by host from external network */
1892 s = create_session_for_static_mapping_ed(sm, b, l_key, e_key, node,
1893 thread_index, 0, 0);
1897 next = NAT44_ED_OUT2IN_NEXT_DROP;
1903 if (PREDICT_FALSE(icmp->type != ICMP4_echo_reply &&
1904 icmp->type != ICMP4_echo_request &&
1905 !icmp_is_error_message (icmp)))
1907 b->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
1908 next = SNAT_OUT2IN_NEXT_DROP;
1912 s = pool_elt_at_index (tsm->sessions, value.value);
1915 *p_proto = ip_proto_to_snat_proto (key.proto);
1918 *p_value = s->in2out;
1919 *p_dont_translate = dont_translate;
1921 *(snat_session_t**)d = s;
1925 static snat_session_t *
1926 nat44_ed_out2in_unknown_proto (snat_main_t *sm,
1933 vlib_node_runtime_t * node)
1935 clib_bihash_kv_8_8_t kv, value;
1936 clib_bihash_kv_16_8_t s_kv, s_value;
1937 snat_static_mapping_t *m;
1938 u32 old_addr, new_addr;
1941 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
1944 old_addr = ip->dst_address.as_u32;
1946 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
1947 rx_fib_index, 0, 0);
1949 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
1951 s = pool_elt_at_index (tsm->sessions, s_value.value);
1952 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
1956 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
1958 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
1959 nat_log_notice ("maximum sessions exceeded");
1963 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
1964 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1966 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1970 m = pool_elt_at_index (sm->static_mappings, value.value);
1972 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
1974 u = nat_user_get_or_create (sm, &ip->src_address, m->fib_index,
1978 nat_log_warn ("create NAT user failed");
1982 /* Create a new session */
1983 s = nat_session_alloc_or_recycle (sm, u, thread_index);
1986 nat44_delete_user_with_no_session (sm, u, thread_index);
1987 nat_log_warn ("create NAT session failed");
1991 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
1992 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
1993 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
1994 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
1995 s->outside_address_index = ~0;
1996 s->out2in.addr.as_u32 = old_addr;
1997 s->out2in.fib_index = rx_fib_index;
1998 s->in2out.addr.as_u32 = new_addr;
1999 s->in2out.fib_index = m->fib_index;
2000 s->in2out.port = s->out2in.port = ip->protocol;
2001 user_session_increment (sm, u, 1);
2003 /* Add to lookup tables */
2004 s_kv.value = s - tsm->sessions;
2005 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
2006 nat_log_notice ("out2in key add failed");
2008 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
2009 m->fib_index, 0, 0);
2010 s_kv.value = s - tsm->sessions;
2011 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
2012 nat_log_notice ("in2out key add failed");
2015 /* Update IP checksum */
2017 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
2018 ip->checksum = ip_csum_fold (sum);
2020 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
2023 nat44_session_update_counters (s, now,
2024 vlib_buffer_length_in_chain (vm, b));
2025 /* Per-user LRU list maintenance */
2026 nat44_session_update_lru (sm, s, thread_index);
2032 nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
2033 vlib_node_runtime_t * node,
2034 vlib_frame_t * frame, int is_slow_path)
2036 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
2037 nat44_ed_out2in_next_t next_index;
2038 snat_main_t *sm = &snat_main;
2039 f64 now = vlib_time_now (vm);
2040 u32 thread_index = vm->thread_index;
2041 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
2043 stats_node_index = is_slow_path ? nat44_ed_out2in_slowpath_node.index :
2044 nat44_ed_out2in_node.index;
2046 from = vlib_frame_vector_args (frame);
2047 n_left_from = frame->n_vectors;
2048 next_index = node->cached_next_index;
2050 while (n_left_from > 0)
2054 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
2056 while (n_left_from >= 4 && n_left_to_next >= 2)
2059 vlib_buffer_t *b0, *b1;
2060 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, new_addr0;
2061 u32 next1, sw_if_index1, rx_fib_index1, proto1, old_addr1, new_addr1;
2062 u16 old_port0, new_port0, old_port1, new_port1;
2063 ip4_header_t *ip0, *ip1;
2064 udp_header_t *udp0, *udp1;
2065 tcp_header_t *tcp0, *tcp1;
2066 icmp46_header_t *icmp0, *icmp1;
2067 snat_session_t *s0 = 0, *s1 = 0;
2068 clib_bihash_kv_16_8_t kv0, value0, kv1, value1;
2069 ip_csum_t sum0, sum1;
2070 snat_session_key_t e_key0, l_key0, e_key1, l_key1;
2072 twice_nat_type_t twice_nat0, twice_nat1;
2074 /* Prefetch next iteration. */
2076 vlib_buffer_t * p2, * p3;
2078 p2 = vlib_get_buffer (vm, from[2]);
2079 p3 = vlib_get_buffer (vm, from[3]);
2081 vlib_prefetch_buffer_header (p2, LOAD);
2082 vlib_prefetch_buffer_header (p3, LOAD);
2084 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2085 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2088 /* speculatively enqueue b0 and b1 to the current next frame */
2089 to_next[0] = bi0 = from[0];
2090 to_next[1] = bi1 = from[1];
2094 n_left_to_next -= 2;
2096 b0 = vlib_get_buffer (vm, bi0);
2097 b1 = vlib_get_buffer (vm, bi1);
2099 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
2100 vnet_buffer (b0)->snat.flags = 0;
2101 ip0 = vlib_buffer_get_current (b0);
2103 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2104 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2107 if (PREDICT_FALSE(ip0->ttl == 1))
2109 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2110 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2111 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2113 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
2117 udp0 = ip4_next_header (ip0);
2118 tcp0 = (tcp_header_t *) udp0;
2119 icmp0 = (icmp46_header_t *) udp0;
2120 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2124 if (PREDICT_FALSE (proto0 == ~0))
2126 s0 = nat44_ed_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
2127 thread_index, now, vm, node);
2128 if (!sm->forwarding_enabled)
2131 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2136 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2138 next0 = icmp_out2in_slow_path
2139 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2140 next0, now, thread_index, &s0);
2146 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
2148 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2152 if (ip4_is_fragment (ip0))
2154 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
2155 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2160 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, ip0->protocol,
2161 rx_fib_index0, udp0->dst_port, udp0->src_port);
2163 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
2167 /* Try to match static mapping by external address and port,
2168 destination address and port in packet */
2169 e_key0.addr = ip0->dst_address;
2170 e_key0.port = udp0->dst_port;
2171 e_key0.protocol = proto0;
2172 e_key0.fib_index = rx_fib_index0;
2173 if (snat_static_mapping_match(sm, e_key0, &l_key0, 1, 0,
2174 &twice_nat0, &is_lb0))
2177 * Send DHCP packets to the ipv4 stack, or we won't
2178 * be able to use dhcp client on the outside interface
2180 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
2181 && (udp0->dst_port ==
2182 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
2184 vnet_feature_next (&next0, b0);
2188 if (!sm->forwarding_enabled)
2190 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2191 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2195 if (next_src_nat(sm, ip0, ip0->protocol,
2196 udp0->src_port, udp0->dst_port,
2199 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
2202 create_bypass_for_fwd(sm, ip0, rx_fib_index0,
2208 /* Create session initiated by host from external network */
2209 s0 = create_session_for_static_mapping_ed(sm, b0, l_key0,
2212 twice_nat0, is_lb0);
2216 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2222 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2228 s0 = pool_elt_at_index (tsm->sessions, value0.value);
2231 old_addr0 = ip0->dst_address.as_u32;
2232 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
2233 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2235 sum0 = ip0->checksum;
2236 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2238 if (PREDICT_FALSE (is_twice_nat_session (s0)))
2239 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2240 s0->ext_host_nat_addr.as_u32, ip4_header_t,
2242 ip0->checksum = ip_csum_fold (sum0);
2244 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
2246 old_port0 = tcp0->dst_port;
2247 new_port0 = tcp0->dst_port = s0->in2out.port;
2249 sum0 = tcp0->checksum;
2250 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2252 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
2254 if (is_twice_nat_session (s0))
2256 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2257 s0->ext_host_nat_addr.as_u32,
2258 ip4_header_t, dst_address);
2259 sum0 = ip_csum_update (sum0, tcp0->src_port,
2260 s0->ext_host_nat_port, ip4_header_t,
2262 tcp0->src_port = s0->ext_host_nat_port;
2263 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2265 tcp0->checksum = ip_csum_fold(sum0);
2266 if (nat44_set_tcp_session_state_o2i (sm, s0, tcp0, thread_index))
2271 udp0->dst_port = s0->in2out.port;
2272 if (is_twice_nat_session (s0))
2274 udp0->src_port = s0->ext_host_nat_port;
2275 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2281 nat44_session_update_counters (s0, now,
2282 vlib_buffer_length_in_chain (vm, b0));
2283 /* Per-user LRU list maintenance */
2284 nat44_session_update_lru (sm, s0, thread_index);
2287 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2288 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2290 nat44_ed_out2in_trace_t *t =
2291 vlib_add_trace (vm, node, b0, sizeof (*t));
2292 t->is_slow_path = is_slow_path;
2293 t->sw_if_index = sw_if_index0;
2294 t->next_index = next0;
2295 t->session_index = ~0;
2297 t->session_index = s0 - tsm->sessions;
2300 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
2302 next1 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
2303 vnet_buffer (b1)->snat.flags = 0;
2304 ip1 = vlib_buffer_get_current (b1);
2306 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
2307 rx_fib_index1 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2310 if (PREDICT_FALSE(ip1->ttl == 1))
2312 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2313 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
2314 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2316 next1 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
2320 udp1 = ip4_next_header (ip1);
2321 tcp1 = (tcp_header_t *) udp1;
2322 icmp1 = (icmp46_header_t *) udp1;
2323 proto1 = ip_proto_to_snat_proto (ip1->protocol);
2327 if (PREDICT_FALSE (proto1 == ~0))
2329 s1 = nat44_ed_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
2330 thread_index, now, vm, node);
2331 if (!sm->forwarding_enabled)
2334 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2339 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
2341 next1 = icmp_out2in_slow_path
2342 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
2343 next1, now, thread_index, &s1);
2349 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
2351 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2355 if (ip4_is_fragment (ip1))
2357 b1->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
2358 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2363 make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address, ip1->protocol,
2364 rx_fib_index1, udp1->dst_port, udp1->src_port);
2366 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1))
2370 /* Try to match static mapping by external address and port,
2371 destination address and port in packet */
2372 e_key1.addr = ip1->dst_address;
2373 e_key1.port = udp1->dst_port;
2374 e_key1.protocol = proto1;
2375 e_key1.fib_index = rx_fib_index1;
2376 if (snat_static_mapping_match(sm, e_key1, &l_key1, 1, 0,
2377 &twice_nat1, &is_lb1))
2380 * Send DHCP packets to the ipv4 stack, or we won't
2381 * be able to use dhcp client on the outside interface
2383 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
2384 && (udp1->dst_port ==
2385 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
2387 vnet_feature_next (&next1, b1);
2391 if (!sm->forwarding_enabled)
2393 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2394 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2398 if (next_src_nat(sm, ip1, ip1->protocol,
2399 udp1->src_port, udp1->dst_port,
2402 next1 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
2405 create_bypass_for_fwd(sm, ip1, rx_fib_index1,
2411 /* Create session initiated by host from external network */
2412 s1 = create_session_for_static_mapping_ed(sm, b1, l_key1,
2415 twice_nat1, is_lb1);
2419 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
2425 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2431 s1 = pool_elt_at_index (tsm->sessions, value1.value);
2434 old_addr1 = ip1->dst_address.as_u32;
2435 new_addr1 = ip1->dst_address.as_u32 = s1->in2out.addr.as_u32;
2436 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
2438 sum1 = ip1->checksum;
2439 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
2441 if (PREDICT_FALSE (is_twice_nat_session (s1)))
2442 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
2443 s1->ext_host_nat_addr.as_u32, ip4_header_t,
2445 ip1->checksum = ip_csum_fold (sum1);
2447 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
2449 old_port1 = tcp1->dst_port;
2450 new_port1 = tcp1->dst_port = s1->in2out.port;
2452 sum1 = tcp1->checksum;
2453 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
2455 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
2457 if (is_twice_nat_session (s1))
2459 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
2460 s1->ext_host_nat_addr.as_u32,
2461 ip4_header_t, dst_address);
2462 sum1 = ip_csum_update (sum1, tcp1->src_port,
2463 s1->ext_host_nat_port, ip4_header_t,
2465 tcp1->src_port = s1->ext_host_nat_port;
2466 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
2468 tcp1->checksum = ip_csum_fold(sum1);
2469 if (nat44_set_tcp_session_state_o2i (sm, s1, tcp1, thread_index))
2474 udp1->dst_port = s1->in2out.port;
2475 if (is_twice_nat_session (s1))
2477 udp1->src_port = s1->ext_host_nat_port;
2478 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
2484 nat44_session_update_counters (s1, now,
2485 vlib_buffer_length_in_chain (vm, b1));
2486 /* Per-user LRU list maintenance */
2487 nat44_session_update_lru (sm, s1, thread_index);
2490 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2491 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
2493 nat44_ed_out2in_trace_t *t =
2494 vlib_add_trace (vm, node, b1, sizeof (*t));
2495 t->is_slow_path = is_slow_path;
2496 t->sw_if_index = sw_if_index1;
2497 t->next_index = next1;
2498 t->session_index = ~0;
2500 t->session_index = s1 - tsm->sessions;
2503 pkts_processed += next1 != NAT44_ED_OUT2IN_NEXT_DROP;
2505 /* verify speculative enqueues, maybe switch current next frame */
2506 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
2507 to_next, n_left_to_next,
2508 bi0, bi1, next0, next1);
2511 while (n_left_from > 0 && n_left_to_next > 0)
2515 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, new_addr0;
2516 u16 old_port0, new_port0;
2520 icmp46_header_t * icmp0;
2521 snat_session_t *s0 = 0;
2522 clib_bihash_kv_16_8_t kv0, value0;
2524 snat_session_key_t e_key0, l_key0;
2526 twice_nat_type_t twice_nat0;
2528 /* speculatively enqueue b0 to the current next frame */
2534 n_left_to_next -= 1;
2536 b0 = vlib_get_buffer (vm, bi0);
2537 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
2538 vnet_buffer (b0)->snat.flags = 0;
2539 ip0 = vlib_buffer_get_current (b0);
2541 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2542 rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
2545 if (PREDICT_FALSE(ip0->ttl == 1))
2547 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2548 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2549 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2551 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
2555 udp0 = ip4_next_header (ip0);
2556 tcp0 = (tcp_header_t *) udp0;
2557 icmp0 = (icmp46_header_t *) udp0;
2558 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2562 if (PREDICT_FALSE (proto0 == ~0))
2564 s0 = nat44_ed_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
2565 thread_index, now, vm, node);
2566 if (!sm->forwarding_enabled)
2569 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2574 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2576 next0 = icmp_out2in_slow_path
2577 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
2578 next0, now, thread_index, &s0);
2584 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
2586 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2590 if (ip4_is_fragment (ip0))
2592 b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
2593 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2598 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, ip0->protocol,
2599 rx_fib_index0, udp0->dst_port, udp0->src_port);
2601 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
2605 /* Try to match static mapping by external address and port,
2606 destination address and port in packet */
2607 e_key0.addr = ip0->dst_address;
2608 e_key0.port = udp0->dst_port;
2609 e_key0.protocol = proto0;
2610 e_key0.fib_index = rx_fib_index0;
2611 if (snat_static_mapping_match(sm, e_key0, &l_key0, 1, 0,
2612 &twice_nat0, &is_lb0))
2615 * Send DHCP packets to the ipv4 stack, or we won't
2616 * be able to use dhcp client on the outside interface
2618 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
2619 && (udp0->dst_port ==
2620 clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client))))
2622 vnet_feature_next (&next0, b0);
2626 if (!sm->forwarding_enabled)
2628 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2629 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2633 if (next_src_nat(sm, ip0, ip0->protocol,
2634 udp0->src_port, udp0->dst_port,
2637 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
2640 create_bypass_for_fwd(sm, ip0, rx_fib_index0,
2646 /* Create session initiated by host from external network */
2647 s0 = create_session_for_static_mapping_ed(sm, b0, l_key0,
2650 twice_nat0, is_lb0);
2654 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
2660 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
2666 s0 = pool_elt_at_index (tsm->sessions, value0.value);
2669 old_addr0 = ip0->dst_address.as_u32;
2670 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
2671 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
2673 sum0 = ip0->checksum;
2674 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2676 if (PREDICT_FALSE (is_twice_nat_session (s0)))
2677 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2678 s0->ext_host_nat_addr.as_u32, ip4_header_t,
2680 ip0->checksum = ip_csum_fold (sum0);
2682 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
2684 old_port0 = tcp0->dst_port;
2685 new_port0 = tcp0->dst_port = s0->in2out.port;
2687 sum0 = tcp0->checksum;
2688 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
2690 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
2692 if (is_twice_nat_session (s0))
2694 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
2695 s0->ext_host_nat_addr.as_u32,
2696 ip4_header_t, dst_address);
2697 sum0 = ip_csum_update (sum0, tcp0->src_port,
2698 s0->ext_host_nat_port, ip4_header_t,
2700 tcp0->src_port = s0->ext_host_nat_port;
2701 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2703 tcp0->checksum = ip_csum_fold(sum0);
2704 if (nat44_set_tcp_session_state_o2i (sm, s0, tcp0, thread_index))
2709 udp0->dst_port = s0->in2out.port;
2710 if (is_twice_nat_session (s0))
2712 udp0->src_port = s0->ext_host_nat_port;
2713 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
2719 nat44_session_update_counters (s0, now,
2720 vlib_buffer_length_in_chain (vm, b0));
2721 /* Per-user LRU list maintenance */
2722 nat44_session_update_lru (sm, s0, thread_index);
2725 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2726 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2728 nat44_ed_out2in_trace_t *t =
2729 vlib_add_trace (vm, node, b0, sizeof (*t));
2730 t->is_slow_path = is_slow_path;
2731 t->sw_if_index = sw_if_index0;
2732 t->next_index = next0;
2733 t->session_index = ~0;
2735 t->session_index = s0 - tsm->sessions;
2738 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
2740 /* verify speculative enqueue, maybe switch current next frame */
2741 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2742 to_next, n_left_to_next,
2746 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2749 vlib_node_increment_counter (vm, stats_node_index,
2750 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2752 return frame->n_vectors;
2756 nat44_ed_out2in_fast_path_fn (vlib_main_t * vm,
2757 vlib_node_runtime_t * node,
2758 vlib_frame_t * frame)
2760 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 0);
2763 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
2764 .function = nat44_ed_out2in_fast_path_fn,
2765 .name = "nat44-ed-out2in",
2766 .vector_size = sizeof (u32),
2767 .format_trace = format_nat44_ed_out2in_trace,
2768 .type = VLIB_NODE_TYPE_INTERNAL,
2770 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2771 .error_strings = snat_out2in_error_strings,
2773 .runtime_data_bytes = sizeof (snat_runtime_t),
2775 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
2777 /* edit / add dispositions here */
2779 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
2780 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2781 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
2782 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2783 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
2787 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_node, nat44_ed_out2in_fast_path_fn);
2790 nat44_ed_out2in_slow_path_fn (vlib_main_t * vm,
2791 vlib_node_runtime_t * node,
2792 vlib_frame_t * frame)
2794 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 1);
2797 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
2798 .function = nat44_ed_out2in_slow_path_fn,
2799 .name = "nat44-ed-out2in-slowpath",
2800 .vector_size = sizeof (u32),
2801 .format_trace = format_nat44_ed_out2in_trace,
2802 .type = VLIB_NODE_TYPE_INTERNAL,
2804 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2805 .error_strings = snat_out2in_error_strings,
2807 .runtime_data_bytes = sizeof (snat_runtime_t),
2809 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
2811 /* edit / add dispositions here */
2813 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
2814 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2815 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
2816 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2817 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
2821 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_slowpath_node,
2822 nat44_ed_out2in_slow_path_fn);
2824 /**************************/
2825 /*** deterministic mode ***/
2826 /**************************/
2828 snat_det_out2in_node_fn (vlib_main_t * vm,
2829 vlib_node_runtime_t * node,
2830 vlib_frame_t * frame)
2832 u32 n_left_from, * from, * to_next;
2833 snat_out2in_next_t next_index;
2834 u32 pkts_processed = 0;
2835 snat_main_t * sm = &snat_main;
2836 u32 thread_index = vm->thread_index;
2838 from = vlib_frame_vector_args (frame);
2839 n_left_from = frame->n_vectors;
2840 next_index = node->cached_next_index;
2842 while (n_left_from > 0)
2846 vlib_get_next_frame (vm, node, next_index,
2847 to_next, n_left_to_next);
2849 while (n_left_from >= 4 && n_left_to_next >= 2)
2852 vlib_buffer_t * b0, * b1;
2853 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
2854 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
2855 u32 sw_if_index0, sw_if_index1;
2856 ip4_header_t * ip0, * ip1;
2857 ip_csum_t sum0, sum1;
2858 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
2859 u16 new_port0, old_port0, old_port1, new_port1;
2860 udp_header_t * udp0, * udp1;
2861 tcp_header_t * tcp0, * tcp1;
2863 snat_det_out_key_t key0, key1;
2864 snat_det_map_t * dm0, * dm1;
2865 snat_det_session_t * ses0 = 0, * ses1 = 0;
2866 u32 rx_fib_index0, rx_fib_index1;
2867 icmp46_header_t * icmp0, * icmp1;
2869 /* Prefetch next iteration. */
2871 vlib_buffer_t * p2, * p3;
2873 p2 = vlib_get_buffer (vm, from[2]);
2874 p3 = vlib_get_buffer (vm, from[3]);
2876 vlib_prefetch_buffer_header (p2, LOAD);
2877 vlib_prefetch_buffer_header (p3, LOAD);
2879 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
2880 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
2883 /* speculatively enqueue b0 and b1 to the current next frame */
2884 to_next[0] = bi0 = from[0];
2885 to_next[1] = bi1 = from[1];
2889 n_left_to_next -= 2;
2891 b0 = vlib_get_buffer (vm, bi0);
2892 b1 = vlib_get_buffer (vm, bi1);
2894 ip0 = vlib_buffer_get_current (b0);
2895 udp0 = ip4_next_header (ip0);
2896 tcp0 = (tcp_header_t *) udp0;
2898 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2900 if (PREDICT_FALSE(ip0->ttl == 1))
2902 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2903 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2904 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2906 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2910 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2912 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
2914 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2915 icmp0 = (icmp46_header_t *) udp0;
2917 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2918 rx_fib_index0, node, next0, thread_index,
2923 key0.ext_host_addr = ip0->src_address;
2924 key0.ext_host_port = tcp0->src;
2925 key0.out_port = tcp0->dst;
2927 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
2928 if (PREDICT_FALSE(!dm0))
2930 nat_log_info ("unknown dst address: %U",
2931 format_ip4_address, &ip0->dst_address);
2932 next0 = SNAT_OUT2IN_NEXT_DROP;
2933 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2937 snat_det_reverse(dm0, &ip0->dst_address,
2938 clib_net_to_host_u16(tcp0->dst), &new_addr0);
2940 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2941 if (PREDICT_FALSE(!ses0))
2943 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
2944 format_ip4_address, &ip0->src_address,
2945 clib_net_to_host_u16 (tcp0->src),
2946 format_ip4_address, &ip0->dst_address,
2947 clib_net_to_host_u16 (tcp0->dst),
2948 format_ip4_address, &new_addr0);
2949 next0 = SNAT_OUT2IN_NEXT_DROP;
2950 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2953 new_port0 = ses0->in_port;
2955 old_addr0 = ip0->dst_address;
2956 ip0->dst_address = new_addr0;
2957 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
2959 sum0 = ip0->checksum;
2960 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2962 dst_address /* changed member */);
2963 ip0->checksum = ip_csum_fold (sum0);
2965 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2967 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
2968 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
2969 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
2970 snat_det_ses_close(dm0, ses0);
2972 old_port0 = tcp0->dst;
2973 tcp0->dst = new_port0;
2975 sum0 = tcp0->checksum;
2976 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
2978 dst_address /* changed member */);
2980 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2981 ip4_header_t /* cheat */,
2982 length /* changed member */);
2983 tcp0->checksum = ip_csum_fold(sum0);
2987 old_port0 = udp0->dst_port;
2988 udp0->dst_port = new_port0;
2994 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2995 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2997 snat_out2in_trace_t *t =
2998 vlib_add_trace (vm, node, b0, sizeof (*t));
2999 t->sw_if_index = sw_if_index0;
3000 t->next_index = next0;
3001 t->session_index = ~0;
3003 t->session_index = ses0 - dm0->sessions;
3006 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3008 b1 = vlib_get_buffer (vm, bi1);
3010 ip1 = vlib_buffer_get_current (b1);
3011 udp1 = ip4_next_header (ip1);
3012 tcp1 = (tcp_header_t *) udp1;
3014 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
3016 if (PREDICT_FALSE(ip1->ttl == 1))
3018 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3019 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
3020 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3022 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
3026 proto1 = ip_proto_to_snat_proto (ip1->protocol);
3028 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
3030 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
3031 icmp1 = (icmp46_header_t *) udp1;
3033 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
3034 rx_fib_index1, node, next1, thread_index,
3039 key1.ext_host_addr = ip1->src_address;
3040 key1.ext_host_port = tcp1->src;
3041 key1.out_port = tcp1->dst;
3043 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
3044 if (PREDICT_FALSE(!dm1))
3046 nat_log_info ("unknown dst address: %U",
3047 format_ip4_address, &ip1->dst_address);
3048 next1 = SNAT_OUT2IN_NEXT_DROP;
3049 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3053 snat_det_reverse(dm1, &ip1->dst_address,
3054 clib_net_to_host_u16(tcp1->dst), &new_addr1);
3056 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
3057 if (PREDICT_FALSE(!ses1))
3059 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
3060 format_ip4_address, &ip1->src_address,
3061 clib_net_to_host_u16 (tcp1->src),
3062 format_ip4_address, &ip1->dst_address,
3063 clib_net_to_host_u16 (tcp1->dst),
3064 format_ip4_address, &new_addr1);
3065 next1 = SNAT_OUT2IN_NEXT_DROP;
3066 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3069 new_port1 = ses1->in_port;
3071 old_addr1 = ip1->dst_address;
3072 ip1->dst_address = new_addr1;
3073 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
3075 sum1 = ip1->checksum;
3076 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3078 dst_address /* changed member */);
3079 ip1->checksum = ip_csum_fold (sum1);
3081 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
3083 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
3084 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
3085 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
3086 snat_det_ses_close(dm1, ses1);
3088 old_port1 = tcp1->dst;
3089 tcp1->dst = new_port1;
3091 sum1 = tcp1->checksum;
3092 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
3094 dst_address /* changed member */);
3096 sum1 = ip_csum_update (sum1, old_port1, new_port1,
3097 ip4_header_t /* cheat */,
3098 length /* changed member */);
3099 tcp1->checksum = ip_csum_fold(sum1);
3103 old_port1 = udp1->dst_port;
3104 udp1->dst_port = new_port1;
3110 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3111 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
3113 snat_out2in_trace_t *t =
3114 vlib_add_trace (vm, node, b1, sizeof (*t));
3115 t->sw_if_index = sw_if_index1;
3116 t->next_index = next1;
3117 t->session_index = ~0;
3119 t->session_index = ses1 - dm1->sessions;
3122 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
3124 /* verify speculative enqueues, maybe switch current next frame */
3125 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
3126 to_next, n_left_to_next,
3127 bi0, bi1, next0, next1);
3130 while (n_left_from > 0 && n_left_to_next > 0)
3134 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
3138 ip4_address_t new_addr0, old_addr0;
3139 u16 new_port0, old_port0;
3140 udp_header_t * udp0;
3141 tcp_header_t * tcp0;
3143 snat_det_out_key_t key0;
3144 snat_det_map_t * dm0;
3145 snat_det_session_t * ses0 = 0;
3147 icmp46_header_t * icmp0;
3149 /* speculatively enqueue b0 to the current next frame */
3155 n_left_to_next -= 1;
3157 b0 = vlib_get_buffer (vm, bi0);
3159 ip0 = vlib_buffer_get_current (b0);
3160 udp0 = ip4_next_header (ip0);
3161 tcp0 = (tcp_header_t *) udp0;
3163 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3165 if (PREDICT_FALSE(ip0->ttl == 1))
3167 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3168 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3169 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3171 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
3175 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3177 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
3179 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3180 icmp0 = (icmp46_header_t *) udp0;
3182 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
3183 rx_fib_index0, node, next0, thread_index,
3188 key0.ext_host_addr = ip0->src_address;
3189 key0.ext_host_port = tcp0->src;
3190 key0.out_port = tcp0->dst;
3192 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
3193 if (PREDICT_FALSE(!dm0))
3195 nat_log_info ("unknown dst address: %U",
3196 format_ip4_address, &ip0->dst_address);
3197 next0 = SNAT_OUT2IN_NEXT_DROP;
3198 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3202 snat_det_reverse(dm0, &ip0->dst_address,
3203 clib_net_to_host_u16(tcp0->dst), &new_addr0);
3205 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
3206 if (PREDICT_FALSE(!ses0))
3208 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
3209 format_ip4_address, &ip0->src_address,
3210 clib_net_to_host_u16 (tcp0->src),
3211 format_ip4_address, &ip0->dst_address,
3212 clib_net_to_host_u16 (tcp0->dst),
3213 format_ip4_address, &new_addr0);
3214 next0 = SNAT_OUT2IN_NEXT_DROP;
3215 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3218 new_port0 = ses0->in_port;
3220 old_addr0 = ip0->dst_address;
3221 ip0->dst_address = new_addr0;
3222 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
3224 sum0 = ip0->checksum;
3225 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3227 dst_address /* changed member */);
3228 ip0->checksum = ip_csum_fold (sum0);
3230 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3232 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
3233 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
3234 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
3235 snat_det_ses_close(dm0, ses0);
3237 old_port0 = tcp0->dst;
3238 tcp0->dst = new_port0;
3240 sum0 = tcp0->checksum;
3241 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
3243 dst_address /* changed member */);
3245 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3246 ip4_header_t /* cheat */,
3247 length /* changed member */);
3248 tcp0->checksum = ip_csum_fold(sum0);
3252 old_port0 = udp0->dst_port;
3253 udp0->dst_port = new_port0;
3259 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3260 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3262 snat_out2in_trace_t *t =
3263 vlib_add_trace (vm, node, b0, sizeof (*t));
3264 t->sw_if_index = sw_if_index0;
3265 t->next_index = next0;
3266 t->session_index = ~0;
3268 t->session_index = ses0 - dm0->sessions;
3271 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3273 /* verify speculative enqueue, maybe switch current next frame */
3274 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3275 to_next, n_left_to_next,
3279 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3282 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
3283 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
3285 return frame->n_vectors;
3288 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
3289 .function = snat_det_out2in_node_fn,
3290 .name = "nat44-det-out2in",
3291 .vector_size = sizeof (u32),
3292 .format_trace = format_snat_out2in_trace,
3293 .type = VLIB_NODE_TYPE_INTERNAL,
3295 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3296 .error_strings = snat_out2in_error_strings,
3298 .runtime_data_bytes = sizeof (snat_runtime_t),
3300 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
3302 /* edit / add dispositions here */
3304 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
3305 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
3306 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3307 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
3310 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
3313 * Get address and port values to be used for ICMP packet translation
3314 * and create session if needed
3316 * @param[in,out] sm NAT main
3317 * @param[in,out] node NAT node runtime
3318 * @param[in] thread_index thread index
3319 * @param[in,out] b0 buffer containing packet to be translated
3320 * @param[out] p_proto protocol used for matching
3321 * @param[out] p_value address and port after NAT translation
3322 * @param[out] p_dont_translate if packet should not be translated
3323 * @param d optional parameter
3324 * @param e optional parameter
3326 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
3327 u32 thread_index, vlib_buffer_t *b0,
3328 ip4_header_t *ip0, u8 *p_proto,
3329 snat_session_key_t *p_value,
3330 u8 *p_dont_translate, void *d, void *e)
3332 icmp46_header_t *icmp0;
3335 snat_det_out_key_t key0;
3336 u8 dont_translate = 0;
3338 icmp_echo_header_t *echo0, *inner_echo0 = 0;
3339 ip4_header_t *inner_ip0;
3340 void *l4_header = 0;
3341 icmp46_header_t *inner_icmp0;
3342 snat_det_map_t * dm0 = 0;
3343 ip4_address_t new_addr0 = {{0}};
3344 snat_det_session_t * ses0 = 0;
3345 ip4_address_t out_addr;
3347 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
3348 echo0 = (icmp_echo_header_t *)(icmp0+1);
3349 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3351 if (!icmp_is_error_message (icmp0))
3353 protocol = SNAT_PROTOCOL_ICMP;
3354 key0.ext_host_addr = ip0->src_address;
3355 key0.ext_host_port = 0;
3356 key0.out_port = echo0->identifier;
3357 out_addr = ip0->dst_address;
3361 inner_ip0 = (ip4_header_t *)(echo0+1);
3362 l4_header = ip4_next_header (inner_ip0);
3363 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
3364 key0.ext_host_addr = inner_ip0->dst_address;
3365 out_addr = inner_ip0->src_address;
3368 case SNAT_PROTOCOL_ICMP:
3369 inner_icmp0 = (icmp46_header_t*)l4_header;
3370 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
3371 key0.ext_host_port = 0;
3372 key0.out_port = inner_echo0->identifier;
3374 case SNAT_PROTOCOL_UDP:
3375 case SNAT_PROTOCOL_TCP:
3376 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
3377 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
3380 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
3381 next0 = SNAT_OUT2IN_NEXT_DROP;
3386 dm0 = snat_det_map_by_out(sm, &out_addr);
3387 if (PREDICT_FALSE(!dm0))
3389 /* Don't NAT packet aimed at the intfc address */
3390 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
3391 ip0->dst_address.as_u32)))
3396 nat_log_info ("unknown dst address: %U",
3397 format_ip4_address, &ip0->dst_address);
3401 snat_det_reverse(dm0, &ip0->dst_address,
3402 clib_net_to_host_u16(key0.out_port), &new_addr0);
3404 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
3405 if (PREDICT_FALSE(!ses0))
3407 /* Don't NAT packet aimed at the intfc address */
3408 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
3409 ip0->dst_address.as_u32)))
3414 nat_log_info ("no match src %U:%d dst %U:%d for user %U",
3415 format_ip4_address, &key0.ext_host_addr,
3416 clib_net_to_host_u16 (key0.ext_host_port),
3417 format_ip4_address, &out_addr,
3418 clib_net_to_host_u16 (key0.out_port),
3419 format_ip4_address, &new_addr0);
3420 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3421 next0 = SNAT_OUT2IN_NEXT_DROP;
3425 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
3426 !icmp_is_error_message (icmp0)))
3428 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
3429 next0 = SNAT_OUT2IN_NEXT_DROP;
3436 *p_proto = protocol;
3439 p_value->addr = new_addr0;
3440 p_value->fib_index = sm->inside_fib_index;
3441 p_value->port = ses0->in_port;
3443 *p_dont_translate = dont_translate;
3445 *(snat_det_session_t**)d = ses0;
3447 *(snat_det_map_t**)e = dm0;
3451 /**********************/
3452 /*** worker handoff ***/
3453 /**********************/
3455 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
3456 vlib_node_runtime_t * node,
3457 vlib_frame_t * frame)
3459 snat_main_t *sm = &snat_main;
3460 vlib_thread_main_t *tm = vlib_get_thread_main ();
3461 u32 n_left_from, *from, *to_next = 0, *to_next_drop = 0;
3462 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
3463 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
3465 vlib_frame_queue_elt_t *hf = 0;
3466 vlib_frame_queue_t *fq;
3467 vlib_frame_t *f = 0;
3469 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
3470 u32 next_worker_index = 0;
3471 u32 current_worker_index = ~0;
3472 u32 thread_index = vm->thread_index;
3473 vlib_frame_t *d = 0;
3475 ASSERT (vec_len (sm->workers));
3477 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
3479 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
3481 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
3482 tm->n_vlib_mains - 1,
3483 (vlib_frame_queue_t *) (~0));
3486 from = vlib_frame_vector_args (frame);
3487 n_left_from = frame->n_vectors;
3489 while (n_left_from > 0)
3502 b0 = vlib_get_buffer (vm, bi0);
3504 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
3505 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3507 ip0 = vlib_buffer_get_current (b0);
3509 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
3511 if (PREDICT_FALSE (next_worker_index != thread_index))
3515 if (next_worker_index != current_worker_index)
3517 fq = is_vlib_frame_queue_congested (
3518 sm->fq_out2in_index, next_worker_index, NAT_FQ_NELTS - 2,
3519 congested_handoff_queue_by_worker_index);
3523 /* if this is 1st frame */
3526 d = vlib_get_frame_to_node (vm, sm->error_node_index);
3527 to_next_drop = vlib_frame_vector_args (d);
3530 to_next_drop[0] = bi0;
3533 b0->error = node->errors[SNAT_OUT2IN_ERROR_FQ_CONGESTED];
3538 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3540 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
3542 handoff_queue_elt_by_worker_index);
3544 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
3545 to_next_worker = &hf->buffer_index[hf->n_vectors];
3546 current_worker_index = next_worker_index;
3549 /* enqueue to correct worker thread */
3550 to_next_worker[0] = bi0;
3552 n_left_to_next_worker--;
3554 if (n_left_to_next_worker == 0)
3556 hf->n_vectors = VLIB_FRAME_SIZE;
3557 vlib_put_frame_queue_elt (hf);
3558 current_worker_index = ~0;
3559 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
3566 /* if this is 1st frame */
3569 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
3570 to_next = vlib_frame_vector_args (f);
3579 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
3580 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3582 snat_out2in_worker_handoff_trace_t *t =
3583 vlib_add_trace (vm, node, b0, sizeof (*t));
3584 t->next_worker_index = next_worker_index;
3585 t->do_handoff = do_handoff;
3590 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
3593 vlib_put_frame_to_node (vm, sm->error_node_index, d);
3596 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
3598 /* Ship frames to the worker nodes */
3599 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
3601 if (handoff_queue_elt_by_worker_index[i])
3603 hf = handoff_queue_elt_by_worker_index[i];
3605 * It works better to let the handoff node
3606 * rate-adapt, always ship the handoff queue element.
3608 if (1 || hf->n_vectors == hf->last_n_vectors)
3610 vlib_put_frame_queue_elt (hf);
3611 handoff_queue_elt_by_worker_index[i] = 0;
3614 hf->last_n_vectors = hf->n_vectors;
3616 congested_handoff_queue_by_worker_index[i] =
3617 (vlib_frame_queue_t *) (~0);
3620 current_worker_index = ~0;
3621 return frame->n_vectors;
3624 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
3625 .function = snat_out2in_worker_handoff_fn,
3626 .name = "nat44-out2in-worker-handoff",
3627 .vector_size = sizeof (u32),
3628 .format_trace = format_snat_out2in_worker_handoff_trace,
3629 .type = VLIB_NODE_TYPE_INTERNAL,
3631 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3632 .error_strings = snat_out2in_error_strings,
3641 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
3644 snat_out2in_fast_node_fn (vlib_main_t * vm,
3645 vlib_node_runtime_t * node,
3646 vlib_frame_t * frame)
3648 u32 n_left_from, * from, * to_next;
3649 snat_out2in_next_t next_index;
3650 u32 pkts_processed = 0;
3651 snat_main_t * sm = &snat_main;
3653 from = vlib_frame_vector_args (frame);
3654 n_left_from = frame->n_vectors;
3655 next_index = node->cached_next_index;
3657 while (n_left_from > 0)
3661 vlib_get_next_frame (vm, node, next_index,
3662 to_next, n_left_to_next);
3664 while (n_left_from > 0 && n_left_to_next > 0)
3668 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
3672 u32 new_addr0, old_addr0;
3673 u16 new_port0, old_port0;
3674 udp_header_t * udp0;
3675 tcp_header_t * tcp0;
3676 icmp46_header_t * icmp0;
3677 snat_session_key_t key0, sm0;
3681 /* speculatively enqueue b0 to the current next frame */
3687 n_left_to_next -= 1;
3689 b0 = vlib_get_buffer (vm, bi0);
3691 ip0 = vlib_buffer_get_current (b0);
3692 udp0 = ip4_next_header (ip0);
3693 tcp0 = (tcp_header_t *) udp0;
3694 icmp0 = (icmp46_header_t *) udp0;
3696 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
3697 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
3699 vnet_feature_next (&next0, b0);
3701 if (PREDICT_FALSE(ip0->ttl == 1))
3703 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
3704 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
3705 ICMP4_time_exceeded_ttl_exceeded_in_transit,
3707 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
3711 proto0 = ip_proto_to_snat_proto (ip0->protocol);
3713 if (PREDICT_FALSE (proto0 == ~0))
3716 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
3718 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
3719 rx_fib_index0, node, next0, ~0, 0, 0);
3723 key0.addr = ip0->dst_address;
3724 key0.port = udp0->dst_port;
3725 key0.fib_index = rx_fib_index0;
3727 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0))
3729 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
3733 new_addr0 = sm0.addr.as_u32;
3734 new_port0 = sm0.port;
3735 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
3736 old_addr0 = ip0->dst_address.as_u32;
3737 ip0->dst_address.as_u32 = new_addr0;
3739 sum0 = ip0->checksum;
3740 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3742 dst_address /* changed member */);
3743 ip0->checksum = ip_csum_fold (sum0);
3745 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
3747 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3749 old_port0 = tcp0->dst_port;
3750 tcp0->dst_port = new_port0;
3752 sum0 = tcp0->checksum;
3753 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3755 dst_address /* changed member */);
3757 sum0 = ip_csum_update (sum0, old_port0, new_port0,
3758 ip4_header_t /* cheat */,
3759 length /* changed member */);
3760 tcp0->checksum = ip_csum_fold(sum0);
3764 old_port0 = udp0->dst_port;
3765 udp0->dst_port = new_port0;
3771 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
3773 sum0 = tcp0->checksum;
3774 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
3776 dst_address /* changed member */);
3778 tcp0->checksum = ip_csum_fold(sum0);
3784 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
3785 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
3787 snat_out2in_trace_t *t =
3788 vlib_add_trace (vm, node, b0, sizeof (*t));
3789 t->sw_if_index = sw_if_index0;
3790 t->next_index = next0;
3793 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
3795 /* verify speculative enqueue, maybe switch current next frame */
3796 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
3797 to_next, n_left_to_next,
3801 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
3804 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
3805 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
3807 return frame->n_vectors;
3810 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
3811 .function = snat_out2in_fast_node_fn,
3812 .name = "nat44-out2in-fast",
3813 .vector_size = sizeof (u32),
3814 .format_trace = format_snat_out2in_fast_trace,
3815 .type = VLIB_NODE_TYPE_INTERNAL,
3817 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
3818 .error_strings = snat_out2in_error_strings,
3820 .runtime_data_bytes = sizeof (snat_runtime_t),
3822 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
3824 /* edit / add dispositions here */
3826 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
3827 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
3828 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
3829 [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
3832 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob