2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
37 } snat_out2in_trace_t;
40 u32 next_worker_index;
42 } snat_out2in_worker_handoff_trace_t;
44 /* packet trace format function */
45 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
47 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
48 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
49 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
51 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
52 t->sw_if_index, t->next_index, t->session_index);
56 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
58 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
59 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
60 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
62 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
63 t->sw_if_index, t->next_index);
67 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
69 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
70 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
71 snat_out2in_worker_handoff_trace_t * t =
72 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
75 m = t->do_handoff ? "next worker" : "same worker";
76 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
81 vlib_node_registration_t snat_out2in_node;
82 vlib_node_registration_t snat_out2in_fast_node;
83 vlib_node_registration_t snat_out2in_worker_handoff_node;
84 vlib_node_registration_t snat_det_out2in_node;
86 #define foreach_snat_out2in_error \
87 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
88 _(OUT2IN_PACKETS, "Good out2in packets processed") \
89 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
90 _(NO_TRANSLATION, "No translation") \
91 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded")
94 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
95 foreach_snat_out2in_error
98 } snat_out2in_error_t;
100 static char * snat_out2in_error_strings[] = {
101 #define _(sym,string) string,
102 foreach_snat_out2in_error
107 SNAT_OUT2IN_NEXT_DROP,
108 SNAT_OUT2IN_NEXT_LOOKUP,
109 SNAT_OUT2IN_NEXT_ICMP_ERROR,
111 } snat_out2in_next_t;
114 * @brief Create session for static mapping.
116 * Create NAT session initiated by host from external network with static
119 * @param sm NAT main.
120 * @param b0 Vlib buffer.
121 * @param in2out In2out NAT44 session key.
122 * @param out2in Out2in NAT44 session key.
123 * @param node Vlib node.
125 * @returns SNAT session if successfully created otherwise 0.
127 static inline snat_session_t *
128 create_session_for_static_mapping (snat_main_t *sm,
130 snat_session_key_t in2out,
131 snat_session_key_t out2in,
132 vlib_node_runtime_t * node,
136 snat_user_key_t user_key;
138 clib_bihash_kv_8_8_t kv0, value0;
139 dlist_elt_t * per_user_translation_list_elt;
140 dlist_elt_t * per_user_list_head_elt;
143 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
145 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
149 ip0 = vlib_buffer_get_current (b0);
151 user_key.addr = in2out.addr;
152 user_key.fib_index = in2out.fib_index;
153 kv0.key = user_key.as_u64;
155 /* Ever heard of the "user" = inside ip4 address before? */
156 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].user_hash,
159 /* no, make a new one */
160 pool_get (sm->per_thread_data[thread_index].users, u);
161 memset (u, 0, sizeof (*u));
162 u->addr = in2out.addr;
163 u->fib_index = in2out.fib_index;
165 pool_get (sm->per_thread_data[thread_index].list_pool,
166 per_user_list_head_elt);
168 u->sessions_per_user_list_head_index = per_user_list_head_elt -
169 sm->per_thread_data[thread_index].list_pool;
171 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
172 u->sessions_per_user_list_head_index);
174 kv0.value = u - sm->per_thread_data[thread_index].users;
177 clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].user_hash,
178 &kv0, 1 /* is_add */);
182 u = pool_elt_at_index (sm->per_thread_data[thread_index].users,
186 pool_get (sm->per_thread_data[thread_index].sessions, s);
187 memset (s, 0, sizeof (*s));
189 s->outside_address_index = ~0;
190 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
191 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
192 u->nstaticsessions++;
194 /* Create list elts */
195 pool_get (sm->per_thread_data[thread_index].list_pool,
196 per_user_translation_list_elt);
197 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
198 per_user_translation_list_elt -
199 sm->per_thread_data[thread_index].list_pool);
201 per_user_translation_list_elt->value =
202 s - sm->per_thread_data[thread_index].sessions;
204 per_user_translation_list_elt - sm->per_thread_data[thread_index].list_pool;
205 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
207 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
208 s->per_user_list_head_index,
209 per_user_translation_list_elt -
210 sm->per_thread_data[thread_index].list_pool);
214 s->in2out.protocol = out2in.protocol;
216 /* Add to translation hashes */
217 kv0.key = s->in2out.as_u64;
218 kv0.value = s - sm->per_thread_data[thread_index].sessions;
219 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
221 clib_warning ("in2out key add failed");
223 kv0.key = s->out2in.as_u64;
224 kv0.value = s - sm->per_thread_data[thread_index].sessions;
226 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
228 clib_warning ("out2in key add failed");
231 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
232 s->out2in.addr.as_u32,
236 s->in2out.fib_index);
241 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
242 snat_session_key_t *p_key0)
244 icmp46_header_t *icmp0;
245 snat_session_key_t key0;
246 icmp_echo_header_t *echo0, *inner_echo0 = 0;
247 ip4_header_t *inner_ip0;
249 icmp46_header_t *inner_icmp0;
251 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
252 echo0 = (icmp_echo_header_t *)(icmp0+1);
254 if (!icmp_is_error_message (icmp0))
256 key0.protocol = SNAT_PROTOCOL_ICMP;
257 key0.addr = ip0->dst_address;
258 key0.port = echo0->identifier;
262 inner_ip0 = (ip4_header_t *)(echo0+1);
263 l4_header = ip4_next_header (inner_ip0);
264 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
265 key0.addr = inner_ip0->src_address;
266 switch (key0.protocol)
268 case SNAT_PROTOCOL_ICMP:
269 inner_icmp0 = (icmp46_header_t*)l4_header;
270 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
271 key0.port = inner_echo0->identifier;
273 case SNAT_PROTOCOL_UDP:
274 case SNAT_PROTOCOL_TCP:
275 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
278 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
282 return -1; /* success */
286 * Get address and port values to be used for ICMP packet translation
287 * and create session if needed
289 * @param[in,out] sm NAT main
290 * @param[in,out] node NAT node runtime
291 * @param[in] thread_index thread index
292 * @param[in,out] b0 buffer containing packet to be translated
293 * @param[out] p_proto protocol used for matching
294 * @param[out] p_value address and port after NAT translation
295 * @param[out] p_dont_translate if packet should not be translated
296 * @param d optional parameter
297 * @param e optional parameter
299 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
300 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
301 snat_session_key_t *p_value,
302 u8 *p_dont_translate, void *d, void *e)
305 icmp46_header_t *icmp0;
308 snat_session_key_t key0;
309 snat_session_key_t sm0;
310 snat_session_t *s0 = 0;
311 u8 dont_translate = 0;
312 clib_bihash_kv_8_8_t kv0, value0;
317 ip0 = vlib_buffer_get_current (b0);
318 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
319 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
320 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
324 err = icmp_get_key (ip0, &key0);
327 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
328 next0 = SNAT_OUT2IN_NEXT_DROP;
331 key0.fib_index = rx_fib_index0;
333 kv0.key = key0.as_u64;
335 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
338 /* Try to match static mapping by external address and port,
339 destination address and port in packet */
340 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only))
342 /* Don't NAT packet aimed at the intfc address */
343 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
344 ip0->dst_address.as_u32)))
349 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
350 next0 = SNAT_OUT2IN_NEXT_DROP;
354 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
355 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
357 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
358 next0 = SNAT_OUT2IN_NEXT_DROP;
362 /* Create session initiated by host from external network */
363 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
368 next0 = SNAT_OUT2IN_NEXT_DROP;
374 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
375 icmp0->type != ICMP4_echo_request &&
376 !icmp_is_error_message (icmp0)))
378 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
379 next0 = SNAT_OUT2IN_NEXT_DROP;
383 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
388 *p_proto = key0.protocol;
390 *p_value = s0->in2out;
391 *p_dont_translate = dont_translate;
393 *(snat_session_t**)d = s0;
398 * Get address and port values to be used for ICMP packet translation
400 * @param[in] sm NAT main
401 * @param[in,out] node NAT node runtime
402 * @param[in] thread_index thread index
403 * @param[in,out] b0 buffer containing packet to be translated
404 * @param[out] p_proto protocol used for matching
405 * @param[out] p_value address and port after NAT translation
406 * @param[out] p_dont_translate if packet should not be translated
407 * @param d optional parameter
408 * @param e optional parameter
410 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
411 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
412 snat_session_key_t *p_value,
413 u8 *p_dont_translate, void *d, void *e)
416 icmp46_header_t *icmp0;
419 snat_session_key_t key0;
420 snat_session_key_t sm0;
421 u8 dont_translate = 0;
426 ip0 = vlib_buffer_get_current (b0);
427 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
428 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
429 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
431 err = icmp_get_key (ip0, &key0);
434 b0->error = node->errors[err];
435 next0 = SNAT_OUT2IN_NEXT_DROP;
438 key0.fib_index = rx_fib_index0;
440 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only))
442 /* Don't NAT packet aimed at the intfc address */
443 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
448 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
449 next0 = SNAT_OUT2IN_NEXT_DROP;
453 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
454 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
455 !icmp_is_error_message (icmp0)))
457 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
458 next0 = SNAT_OUT2IN_NEXT_DROP;
465 *p_proto = key0.protocol;
466 *p_dont_translate = dont_translate;
470 static inline u32 icmp_out2in (snat_main_t *sm,
473 icmp46_header_t * icmp0,
476 vlib_node_runtime_t * node,
482 snat_session_key_t sm0;
484 icmp_echo_header_t *echo0, *inner_echo0 = 0;
485 ip4_header_t *inner_ip0 = 0;
487 icmp46_header_t *inner_icmp0;
489 u32 new_addr0, old_addr0;
490 u16 old_id0, new_id0;
495 echo0 = (icmp_echo_header_t *)(icmp0+1);
497 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0,
498 &protocol, &sm0, &dont_translate, d, e);
501 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
504 sum0 = ip_incremental_checksum (0, icmp0,
505 ntohs(ip0->length) - ip4_header_bytes (ip0));
506 checksum0 = ~ip_csum_fold (sum0);
507 if (checksum0 != 0 && checksum0 != 0xffff)
509 next0 = SNAT_OUT2IN_NEXT_DROP;
513 old_addr0 = ip0->dst_address.as_u32;
514 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
515 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
517 sum0 = ip0->checksum;
518 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
519 dst_address /* changed member */);
520 ip0->checksum = ip_csum_fold (sum0);
522 if (!icmp_is_error_message (icmp0))
525 if (PREDICT_FALSE(new_id0 != echo0->identifier))
527 old_id0 = echo0->identifier;
529 echo0->identifier = new_id0;
531 sum0 = icmp0->checksum;
532 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
533 identifier /* changed member */);
534 icmp0->checksum = ip_csum_fold (sum0);
539 inner_ip0 = (ip4_header_t *)(echo0+1);
540 l4_header = ip4_next_header (inner_ip0);
542 if (!ip4_header_checksum_is_valid (inner_ip0))
544 next0 = SNAT_OUT2IN_NEXT_DROP;
548 old_addr0 = inner_ip0->src_address.as_u32;
549 inner_ip0->src_address = sm0.addr;
550 new_addr0 = inner_ip0->src_address.as_u32;
552 sum0 = icmp0->checksum;
553 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
554 src_address /* changed member */);
555 icmp0->checksum = ip_csum_fold (sum0);
559 case SNAT_PROTOCOL_ICMP:
560 inner_icmp0 = (icmp46_header_t*)l4_header;
561 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
563 old_id0 = inner_echo0->identifier;
565 inner_echo0->identifier = new_id0;
567 sum0 = icmp0->checksum;
568 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
570 icmp0->checksum = ip_csum_fold (sum0);
572 case SNAT_PROTOCOL_UDP:
573 case SNAT_PROTOCOL_TCP:
574 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
576 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
578 sum0 = icmp0->checksum;
579 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
581 icmp0->checksum = ip_csum_fold (sum0);
593 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
596 icmp46_header_t * icmp0,
599 vlib_node_runtime_t * node,
602 snat_session_t ** p_s0)
604 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
605 next0, thread_index, p_s0, 0);
606 snat_session_t * s0 = *p_s0;
607 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
610 s0->last_heard = now;
612 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
613 /* Per-user LRU list maintenance for dynamic translation */
614 if (!snat_is_session_static (s0))
616 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
618 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
619 s0->per_user_list_head_index,
626 static snat_session_t *
627 snat_out2in_unknown_proto (snat_main_t *sm,
634 vlib_node_runtime_t * node)
636 clib_bihash_kv_8_8_t kv, value;
637 clib_bihash_kv_16_8_t s_kv, s_value;
638 snat_static_mapping_t *m;
639 snat_session_key_t m_key;
640 u32 old_addr, new_addr;
642 nat_ed_ses_key_t key;
644 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
645 snat_user_key_t u_key;
647 dlist_elt_t *head, *elt;
649 old_addr = ip->dst_address.as_u32;
651 key.l_addr = ip->dst_address;
652 key.r_addr = ip->src_address;
653 key.fib_index = rx_fib_index;
654 key.proto = ip->protocol;
657 s_kv.key[0] = key.as_u64[0];
658 s_kv.key[1] = key.as_u64[1];
660 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
662 s = pool_elt_at_index (tsm->sessions, s_value.value);
663 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
667 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
669 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
673 m_key.addr = ip->dst_address;
676 m_key.fib_index = rx_fib_index;
677 kv.key = m_key.as_u64;
678 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
680 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
684 m = pool_elt_at_index (sm->static_mappings, value.value);
686 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
688 u_key.addr = ip->src_address;
689 u_key.fib_index = m->fib_index;
690 kv.key = u_key.as_u64;
692 /* Ever heard of the "user" = src ip4 address before? */
693 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
695 /* no, make a new one */
696 pool_get (tsm->users, u);
697 memset (u, 0, sizeof (*u));
698 u->addr = ip->src_address;
699 u->fib_index = rx_fib_index;
701 pool_get (tsm->list_pool, head);
702 u->sessions_per_user_list_head_index = head - tsm->list_pool;
704 clib_dlist_init (tsm->list_pool,
705 u->sessions_per_user_list_head_index);
707 kv.value = u - tsm->users;
710 clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1);
714 u = pool_elt_at_index (tsm->users, value.value);
717 /* Create a new session */
718 pool_get (tsm->sessions, s);
719 memset (s, 0, sizeof (*s));
721 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
722 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
723 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
724 s->outside_address_index = ~0;
725 s->out2in.addr.as_u32 = old_addr;
726 s->out2in.fib_index = rx_fib_index;
727 s->in2out.addr.as_u32 = new_addr;
728 s->in2out.fib_index = m->fib_index;
729 s->in2out.port = s->out2in.port = ip->protocol;
730 u->nstaticsessions++;
732 /* Create list elts */
733 pool_get (tsm->list_pool, elt);
734 clib_dlist_init (tsm->list_pool, elt - tsm->list_pool);
735 elt->value = s - tsm->sessions;
736 s->per_user_index = elt - tsm->list_pool;
737 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
738 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
741 /* Add to lookup tables */
742 s_kv.value = s - tsm->sessions;
743 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
744 clib_warning ("out2in key add failed");
746 key.l_addr = ip->dst_address;
747 key.fib_index = m->fib_index;
748 s_kv.key[0] = key.as_u64[0];
749 s_kv.key[1] = key.as_u64[1];
750 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
751 clib_warning ("in2out key add failed");
754 /* Update IP checksum */
756 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
757 ip->checksum = ip_csum_fold (sum);
759 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
764 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
765 /* Per-user LRU list maintenance */
766 clib_dlist_remove (tsm->list_pool, s->per_user_index);
767 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
773 static snat_session_t *
774 snat_out2in_lb (snat_main_t *sm,
781 vlib_node_runtime_t * node)
783 nat_ed_ses_key_t key;
784 clib_bihash_kv_16_8_t s_kv, s_value;
785 udp_header_t *udp = ip4_next_header (ip);
786 tcp_header_t *tcp = (tcp_header_t *) udp;
787 snat_session_t *s = 0;
788 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
789 snat_session_key_t e_key, l_key;
790 clib_bihash_kv_8_8_t kv, value;
791 u32 old_addr, new_addr;
792 u32 proto = ip_proto_to_snat_proto (ip->protocol);
793 u16 new_port, old_port;
795 snat_user_key_t u_key;
797 dlist_elt_t *head, *elt;
799 old_addr = ip->dst_address.as_u32;
801 key.l_addr = ip->dst_address;
802 key.r_addr = ip->src_address;
803 key.fib_index = rx_fib_index;
804 key.proto = ip->protocol;
806 key.l_port = udp->dst_port;
807 s_kv.key[0] = key.as_u64[0];
808 s_kv.key[1] = key.as_u64[1];
810 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
812 s = pool_elt_at_index (tsm->sessions, s_value.value);
816 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
818 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
822 e_key.addr = ip->dst_address;
823 e_key.port = udp->dst_port;
824 e_key.protocol = proto;
825 e_key.fib_index = rx_fib_index;
826 if (snat_static_mapping_match(sm, e_key, &l_key, 1, 0))
829 u_key.addr = l_key.addr;
830 u_key.fib_index = l_key.fib_index;
831 kv.key = u_key.as_u64;
833 /* Ever heard of the "user" = src ip4 address before? */
834 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
836 /* no, make a new one */
837 pool_get (tsm->users, u);
838 memset (u, 0, sizeof (*u));
839 u->addr = l_key.addr;
840 u->fib_index = l_key.fib_index;
842 pool_get (tsm->list_pool, head);
843 u->sessions_per_user_list_head_index = head - tsm->list_pool;
845 clib_dlist_init (tsm->list_pool,
846 u->sessions_per_user_list_head_index);
848 kv.value = u - tsm->users;
851 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
852 clib_warning ("user key add failed");
856 u = pool_elt_at_index (tsm->users, value.value);
859 /* Create a new session */
860 pool_get (tsm->sessions, s);
861 memset (s, 0, sizeof (*s));
863 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
864 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
865 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
866 s->outside_address_index = ~0;
869 u->nstaticsessions++;
871 /* Create list elts */
872 pool_get (tsm->list_pool, elt);
873 clib_dlist_init (tsm->list_pool, elt - tsm->list_pool);
874 elt->value = s - tsm->sessions;
875 s->per_user_index = elt - tsm->list_pool;
876 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
877 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
880 /* Add to lookup tables */
881 s_kv.value = s - tsm->sessions;
882 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
883 clib_warning ("out2in-ed key add failed");
885 key.l_addr = l_key.addr;
886 key.fib_index = l_key.fib_index;
887 key.l_port = l_key.port;
888 s_kv.key[0] = key.as_u64[0];
889 s_kv.key[1] = key.as_u64[1];
890 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
891 clib_warning ("in2out-ed key add failed");
894 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
896 /* Update IP checksum */
898 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
899 ip->checksum = ip_csum_fold (sum);
901 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
903 old_port = tcp->dst_port;
904 tcp->dst_port = s->in2out.port;
905 new_port = tcp->dst_port;
908 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
909 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
910 tcp->checksum = ip_csum_fold(sum);
914 udp->dst_port = s->in2out.port;
918 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
923 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
928 snat_out2in_node_fn (vlib_main_t * vm,
929 vlib_node_runtime_t * node,
930 vlib_frame_t * frame)
932 u32 n_left_from, * from, * to_next;
933 snat_out2in_next_t next_index;
934 u32 pkts_processed = 0;
935 snat_main_t * sm = &snat_main;
936 f64 now = vlib_time_now (vm);
937 u32 thread_index = vlib_get_thread_index ();
939 from = vlib_frame_vector_args (frame);
940 n_left_from = frame->n_vectors;
941 next_index = node->cached_next_index;
943 while (n_left_from > 0)
947 vlib_get_next_frame (vm, node, next_index,
948 to_next, n_left_to_next);
950 while (n_left_from >= 4 && n_left_to_next >= 2)
953 vlib_buffer_t * b0, * b1;
954 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
955 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
956 u32 sw_if_index0, sw_if_index1;
957 ip4_header_t * ip0, *ip1;
958 ip_csum_t sum0, sum1;
959 u32 new_addr0, old_addr0;
960 u16 new_port0, old_port0;
961 u32 new_addr1, old_addr1;
962 u16 new_port1, old_port1;
963 udp_header_t * udp0, * udp1;
964 tcp_header_t * tcp0, * tcp1;
965 icmp46_header_t * icmp0, * icmp1;
966 snat_session_key_t key0, key1, sm0, sm1;
967 u32 rx_fib_index0, rx_fib_index1;
969 snat_session_t * s0 = 0, * s1 = 0;
970 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
972 /* Prefetch next iteration. */
974 vlib_buffer_t * p2, * p3;
976 p2 = vlib_get_buffer (vm, from[2]);
977 p3 = vlib_get_buffer (vm, from[3]);
979 vlib_prefetch_buffer_header (p2, LOAD);
980 vlib_prefetch_buffer_header (p3, LOAD);
982 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
983 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
986 /* speculatively enqueue b0 and b1 to the current next frame */
987 to_next[0] = bi0 = from[0];
988 to_next[1] = bi1 = from[1];
994 b0 = vlib_get_buffer (vm, bi0);
995 b1 = vlib_get_buffer (vm, bi1);
997 vnet_buffer (b0)->snat.flags = 0;
998 vnet_buffer (b1)->snat.flags = 0;
1000 ip0 = vlib_buffer_get_current (b0);
1001 udp0 = ip4_next_header (ip0);
1002 tcp0 = (tcp_header_t *) udp0;
1003 icmp0 = (icmp46_header_t *) udp0;
1005 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1006 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1009 if (PREDICT_FALSE(ip0->ttl == 1))
1011 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1012 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1013 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1015 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1019 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1021 if (PREDICT_FALSE (proto0 == ~0))
1023 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1024 thread_index, now, vm, node);
1026 next0 = SNAT_OUT2IN_NEXT_DROP;
1030 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1032 next0 = icmp_out2in_slow_path
1033 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1034 next0, now, thread_index, &s0);
1038 key0.addr = ip0->dst_address;
1039 key0.port = udp0->dst_port;
1040 key0.protocol = proto0;
1041 key0.fib_index = rx_fib_index0;
1043 kv0.key = key0.as_u64;
1045 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1048 /* Try to match static mapping by external address and port,
1049 destination address and port in packet */
1050 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
1052 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1054 * Send DHCP packets to the ipv4 stack, or we won't
1055 * be able to use dhcp client on the outside interface
1057 if (proto0 != SNAT_PROTOCOL_UDP
1059 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
1060 next0 = SNAT_OUT2IN_NEXT_DROP;
1064 /* Create session initiated by host from external network */
1065 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1069 next0 = SNAT_OUT2IN_NEXT_DROP;
1075 if (PREDICT_FALSE (value0.value == ~0ULL))
1077 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1080 next0 = SNAT_OUT2IN_NEXT_DROP;
1085 s0 = pool_elt_at_index (
1086 sm->per_thread_data[thread_index].sessions,
1091 old_addr0 = ip0->dst_address.as_u32;
1092 ip0->dst_address = s0->in2out.addr;
1093 new_addr0 = ip0->dst_address.as_u32;
1094 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1096 sum0 = ip0->checksum;
1097 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1099 dst_address /* changed member */);
1100 ip0->checksum = ip_csum_fold (sum0);
1102 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1104 old_port0 = tcp0->dst_port;
1105 tcp0->dst_port = s0->in2out.port;
1106 new_port0 = tcp0->dst_port;
1108 sum0 = tcp0->checksum;
1109 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1111 dst_address /* changed member */);
1113 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1114 ip4_header_t /* cheat */,
1115 length /* changed member */);
1116 tcp0->checksum = ip_csum_fold(sum0);
1120 old_port0 = udp0->dst_port;
1121 udp0->dst_port = s0->in2out.port;
1126 s0->last_heard = now;
1128 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1129 /* Per-user LRU list maintenance for dynamic translation */
1130 if (!snat_is_session_static (s0))
1132 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1133 s0->per_user_index);
1134 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1135 s0->per_user_list_head_index,
1136 s0->per_user_index);
1140 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1141 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1143 snat_out2in_trace_t *t =
1144 vlib_add_trace (vm, node, b0, sizeof (*t));
1145 t->sw_if_index = sw_if_index0;
1146 t->next_index = next0;
1147 t->session_index = ~0;
1149 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1152 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1155 ip1 = vlib_buffer_get_current (b1);
1156 udp1 = ip4_next_header (ip1);
1157 tcp1 = (tcp_header_t *) udp1;
1158 icmp1 = (icmp46_header_t *) udp1;
1160 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1161 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1164 if (PREDICT_FALSE(ip1->ttl == 1))
1166 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1167 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1168 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1170 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1174 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1176 if (PREDICT_FALSE (proto1 == ~0))
1178 s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
1179 thread_index, now, vm, node);
1181 next1 = SNAT_OUT2IN_NEXT_DROP;
1185 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1187 next1 = icmp_out2in_slow_path
1188 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1189 next1, now, thread_index, &s1);
1193 key1.addr = ip1->dst_address;
1194 key1.port = udp1->dst_port;
1195 key1.protocol = proto1;
1196 key1.fib_index = rx_fib_index1;
1198 kv1.key = key1.as_u64;
1200 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1203 /* Try to match static mapping by external address and port,
1204 destination address and port in packet */
1205 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0))
1207 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1209 * Send DHCP packets to the ipv4 stack, or we won't
1210 * be able to use dhcp client on the outside interface
1212 if (proto1 != SNAT_PROTOCOL_UDP
1214 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
1215 next1 = SNAT_OUT2IN_NEXT_DROP;
1219 /* Create session initiated by host from external network */
1220 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
1224 next1 = SNAT_OUT2IN_NEXT_DROP;
1230 if (PREDICT_FALSE (value1.value == ~0ULL))
1232 s1 = snat_out2in_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1235 next1 = SNAT_OUT2IN_NEXT_DROP;
1240 s1 = pool_elt_at_index (
1241 sm->per_thread_data[thread_index].sessions,
1246 old_addr1 = ip1->dst_address.as_u32;
1247 ip1->dst_address = s1->in2out.addr;
1248 new_addr1 = ip1->dst_address.as_u32;
1249 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1251 sum1 = ip1->checksum;
1252 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1254 dst_address /* changed member */);
1255 ip1->checksum = ip_csum_fold (sum1);
1257 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1259 old_port1 = tcp1->dst_port;
1260 tcp1->dst_port = s1->in2out.port;
1261 new_port1 = tcp1->dst_port;
1263 sum1 = tcp1->checksum;
1264 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1266 dst_address /* changed member */);
1268 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1269 ip4_header_t /* cheat */,
1270 length /* changed member */);
1271 tcp1->checksum = ip_csum_fold(sum1);
1275 old_port1 = udp1->dst_port;
1276 udp1->dst_port = s1->in2out.port;
1281 s1->last_heard = now;
1283 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1284 /* Per-user LRU list maintenance for dynamic translation */
1285 if (!snat_is_session_static (s1))
1287 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1288 s1->per_user_index);
1289 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1290 s1->per_user_list_head_index,
1291 s1->per_user_index);
1295 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1296 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1298 snat_out2in_trace_t *t =
1299 vlib_add_trace (vm, node, b1, sizeof (*t));
1300 t->sw_if_index = sw_if_index1;
1301 t->next_index = next1;
1302 t->session_index = ~0;
1304 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1307 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1309 /* verify speculative enqueues, maybe switch current next frame */
1310 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1311 to_next, n_left_to_next,
1312 bi0, bi1, next0, next1);
1315 while (n_left_from > 0 && n_left_to_next > 0)
1319 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1323 u32 new_addr0, old_addr0;
1324 u16 new_port0, old_port0;
1325 udp_header_t * udp0;
1326 tcp_header_t * tcp0;
1327 icmp46_header_t * icmp0;
1328 snat_session_key_t key0, sm0;
1331 snat_session_t * s0 = 0;
1332 clib_bihash_kv_8_8_t kv0, value0;
1334 /* speculatively enqueue b0 to the current next frame */
1340 n_left_to_next -= 1;
1342 b0 = vlib_get_buffer (vm, bi0);
1344 vnet_buffer (b0)->snat.flags = 0;
1346 ip0 = vlib_buffer_get_current (b0);
1347 udp0 = ip4_next_header (ip0);
1348 tcp0 = (tcp_header_t *) udp0;
1349 icmp0 = (icmp46_header_t *) udp0;
1351 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1352 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1355 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1357 if (PREDICT_FALSE (proto0 == ~0))
1359 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1360 thread_index, now, vm, node);
1362 next0 = SNAT_OUT2IN_NEXT_DROP;
1366 if (PREDICT_FALSE(ip0->ttl == 1))
1368 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1369 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1370 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1372 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1376 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1378 next0 = icmp_out2in_slow_path
1379 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1380 next0, now, thread_index, &s0);
1384 key0.addr = ip0->dst_address;
1385 key0.port = udp0->dst_port;
1386 key0.protocol = proto0;
1387 key0.fib_index = rx_fib_index0;
1389 kv0.key = key0.as_u64;
1391 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1394 /* Try to match static mapping by external address and port,
1395 destination address and port in packet */
1396 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
1398 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1400 * Send DHCP packets to the ipv4 stack, or we won't
1401 * be able to use dhcp client on the outside interface
1403 if (proto0 != SNAT_PROTOCOL_UDP
1405 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
1407 next0 = SNAT_OUT2IN_NEXT_DROP;
1411 /* Create session initiated by host from external network */
1412 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1416 next0 = SNAT_OUT2IN_NEXT_DROP;
1422 if (PREDICT_FALSE (value0.value == ~0ULL))
1424 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1427 next0 = SNAT_OUT2IN_NEXT_DROP;
1432 s0 = pool_elt_at_index (
1433 sm->per_thread_data[thread_index].sessions,
1438 old_addr0 = ip0->dst_address.as_u32;
1439 ip0->dst_address = s0->in2out.addr;
1440 new_addr0 = ip0->dst_address.as_u32;
1441 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1443 sum0 = ip0->checksum;
1444 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1446 dst_address /* changed member */);
1447 ip0->checksum = ip_csum_fold (sum0);
1449 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1451 old_port0 = tcp0->dst_port;
1452 tcp0->dst_port = s0->in2out.port;
1453 new_port0 = tcp0->dst_port;
1455 sum0 = tcp0->checksum;
1456 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1458 dst_address /* changed member */);
1460 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1461 ip4_header_t /* cheat */,
1462 length /* changed member */);
1463 tcp0->checksum = ip_csum_fold(sum0);
1467 old_port0 = udp0->dst_port;
1468 udp0->dst_port = s0->in2out.port;
1473 s0->last_heard = now;
1475 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1476 /* Per-user LRU list maintenance for dynamic translation */
1477 if (!snat_is_session_static (s0))
1479 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1480 s0->per_user_index);
1481 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1482 s0->per_user_list_head_index,
1483 s0->per_user_index);
1487 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1488 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1490 snat_out2in_trace_t *t =
1491 vlib_add_trace (vm, node, b0, sizeof (*t));
1492 t->sw_if_index = sw_if_index0;
1493 t->next_index = next0;
1494 t->session_index = ~0;
1496 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1499 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1501 /* verify speculative enqueue, maybe switch current next frame */
1502 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1503 to_next, n_left_to_next,
1507 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1510 vlib_node_increment_counter (vm, snat_out2in_node.index,
1511 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1513 return frame->n_vectors;
1516 VLIB_REGISTER_NODE (snat_out2in_node) = {
1517 .function = snat_out2in_node_fn,
1518 .name = "nat44-out2in",
1519 .vector_size = sizeof (u32),
1520 .format_trace = format_snat_out2in_trace,
1521 .type = VLIB_NODE_TYPE_INTERNAL,
1523 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1524 .error_strings = snat_out2in_error_strings,
1526 .runtime_data_bytes = sizeof (snat_runtime_t),
1528 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1530 /* edit / add dispositions here */
1532 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1533 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1534 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1537 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1539 /**************************/
1540 /*** deterministic mode ***/
1541 /**************************/
1543 snat_det_out2in_node_fn (vlib_main_t * vm,
1544 vlib_node_runtime_t * node,
1545 vlib_frame_t * frame)
1547 u32 n_left_from, * from, * to_next;
1548 snat_out2in_next_t next_index;
1549 u32 pkts_processed = 0;
1550 snat_main_t * sm = &snat_main;
1551 u32 thread_index = vlib_get_thread_index ();
1553 from = vlib_frame_vector_args (frame);
1554 n_left_from = frame->n_vectors;
1555 next_index = node->cached_next_index;
1557 while (n_left_from > 0)
1561 vlib_get_next_frame (vm, node, next_index,
1562 to_next, n_left_to_next);
1564 while (n_left_from >= 4 && n_left_to_next >= 2)
1567 vlib_buffer_t * b0, * b1;
1568 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1569 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1570 u32 sw_if_index0, sw_if_index1;
1571 ip4_header_t * ip0, * ip1;
1572 ip_csum_t sum0, sum1;
1573 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
1574 u16 new_port0, old_port0, old_port1, new_port1;
1575 udp_header_t * udp0, * udp1;
1576 tcp_header_t * tcp0, * tcp1;
1578 snat_det_out_key_t key0, key1;
1579 snat_det_map_t * dm0, * dm1;
1580 snat_det_session_t * ses0 = 0, * ses1 = 0;
1581 u32 rx_fib_index0, rx_fib_index1;
1582 icmp46_header_t * icmp0, * icmp1;
1584 /* Prefetch next iteration. */
1586 vlib_buffer_t * p2, * p3;
1588 p2 = vlib_get_buffer (vm, from[2]);
1589 p3 = vlib_get_buffer (vm, from[3]);
1591 vlib_prefetch_buffer_header (p2, LOAD);
1592 vlib_prefetch_buffer_header (p3, LOAD);
1594 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1595 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1598 /* speculatively enqueue b0 and b1 to the current next frame */
1599 to_next[0] = bi0 = from[0];
1600 to_next[1] = bi1 = from[1];
1604 n_left_to_next -= 2;
1606 b0 = vlib_get_buffer (vm, bi0);
1607 b1 = vlib_get_buffer (vm, bi1);
1609 ip0 = vlib_buffer_get_current (b0);
1610 udp0 = ip4_next_header (ip0);
1611 tcp0 = (tcp_header_t *) udp0;
1613 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1615 if (PREDICT_FALSE(ip0->ttl == 1))
1617 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1618 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1619 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1621 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1625 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1627 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
1629 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1630 icmp0 = (icmp46_header_t *) udp0;
1632 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
1633 rx_fib_index0, node, next0, thread_index,
1638 key0.ext_host_addr = ip0->src_address;
1639 key0.ext_host_port = tcp0->src;
1640 key0.out_port = tcp0->dst;
1642 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
1643 if (PREDICT_FALSE(!dm0))
1645 clib_warning("unknown dst address: %U",
1646 format_ip4_address, &ip0->dst_address);
1647 next0 = SNAT_OUT2IN_NEXT_DROP;
1648 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1652 snat_det_reverse(dm0, &ip0->dst_address,
1653 clib_net_to_host_u16(tcp0->dst), &new_addr0);
1655 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
1656 if (PREDICT_FALSE(!ses0))
1658 clib_warning("no match src %U:%d dst %U:%d for user %U",
1659 format_ip4_address, &ip0->src_address,
1660 clib_net_to_host_u16 (tcp0->src),
1661 format_ip4_address, &ip0->dst_address,
1662 clib_net_to_host_u16 (tcp0->dst),
1663 format_ip4_address, &new_addr0);
1664 next0 = SNAT_OUT2IN_NEXT_DROP;
1665 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1668 new_port0 = ses0->in_port;
1670 old_addr0 = ip0->dst_address;
1671 ip0->dst_address = new_addr0;
1672 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1674 sum0 = ip0->checksum;
1675 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1677 dst_address /* changed member */);
1678 ip0->checksum = ip_csum_fold (sum0);
1680 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1682 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1683 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1684 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
1685 snat_det_ses_close(dm0, ses0);
1687 old_port0 = tcp0->dst;
1688 tcp0->dst = new_port0;
1690 sum0 = tcp0->checksum;
1691 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1693 dst_address /* changed member */);
1695 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1696 ip4_header_t /* cheat */,
1697 length /* changed member */);
1698 tcp0->checksum = ip_csum_fold(sum0);
1702 old_port0 = udp0->dst_port;
1703 udp0->dst_port = new_port0;
1709 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1710 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1712 snat_out2in_trace_t *t =
1713 vlib_add_trace (vm, node, b0, sizeof (*t));
1714 t->sw_if_index = sw_if_index0;
1715 t->next_index = next0;
1716 t->session_index = ~0;
1718 t->session_index = ses0 - dm0->sessions;
1721 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1723 b1 = vlib_get_buffer (vm, bi1);
1725 ip1 = vlib_buffer_get_current (b1);
1726 udp1 = ip4_next_header (ip1);
1727 tcp1 = (tcp_header_t *) udp1;
1729 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1731 if (PREDICT_FALSE(ip1->ttl == 1))
1733 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1734 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1735 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1737 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1741 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1743 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
1745 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
1746 icmp1 = (icmp46_header_t *) udp1;
1748 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
1749 rx_fib_index1, node, next1, thread_index,
1754 key1.ext_host_addr = ip1->src_address;
1755 key1.ext_host_port = tcp1->src;
1756 key1.out_port = tcp1->dst;
1758 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
1759 if (PREDICT_FALSE(!dm1))
1761 clib_warning("unknown dst address: %U",
1762 format_ip4_address, &ip1->dst_address);
1763 next1 = SNAT_OUT2IN_NEXT_DROP;
1764 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1768 snat_det_reverse(dm1, &ip1->dst_address,
1769 clib_net_to_host_u16(tcp1->dst), &new_addr1);
1771 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
1772 if (PREDICT_FALSE(!ses1))
1774 clib_warning("no match src %U:%d dst %U:%d for user %U",
1775 format_ip4_address, &ip1->src_address,
1776 clib_net_to_host_u16 (tcp1->src),
1777 format_ip4_address, &ip1->dst_address,
1778 clib_net_to_host_u16 (tcp1->dst),
1779 format_ip4_address, &new_addr1);
1780 next1 = SNAT_OUT2IN_NEXT_DROP;
1781 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1784 new_port1 = ses1->in_port;
1786 old_addr1 = ip1->dst_address;
1787 ip1->dst_address = new_addr1;
1788 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1790 sum1 = ip1->checksum;
1791 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1793 dst_address /* changed member */);
1794 ip1->checksum = ip_csum_fold (sum1);
1796 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1798 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
1799 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1800 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
1801 snat_det_ses_close(dm1, ses1);
1803 old_port1 = tcp1->dst;
1804 tcp1->dst = new_port1;
1806 sum1 = tcp1->checksum;
1807 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1809 dst_address /* changed member */);
1811 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1812 ip4_header_t /* cheat */,
1813 length /* changed member */);
1814 tcp1->checksum = ip_csum_fold(sum1);
1818 old_port1 = udp1->dst_port;
1819 udp1->dst_port = new_port1;
1825 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1826 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1828 snat_out2in_trace_t *t =
1829 vlib_add_trace (vm, node, b1, sizeof (*t));
1830 t->sw_if_index = sw_if_index1;
1831 t->next_index = next1;
1832 t->session_index = ~0;
1834 t->session_index = ses1 - dm1->sessions;
1837 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1839 /* verify speculative enqueues, maybe switch current next frame */
1840 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1841 to_next, n_left_to_next,
1842 bi0, bi1, next0, next1);
1845 while (n_left_from > 0 && n_left_to_next > 0)
1849 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1853 ip4_address_t new_addr0, old_addr0;
1854 u16 new_port0, old_port0;
1855 udp_header_t * udp0;
1856 tcp_header_t * tcp0;
1858 snat_det_out_key_t key0;
1859 snat_det_map_t * dm0;
1860 snat_det_session_t * ses0 = 0;
1862 icmp46_header_t * icmp0;
1864 /* speculatively enqueue b0 to the current next frame */
1870 n_left_to_next -= 1;
1872 b0 = vlib_get_buffer (vm, bi0);
1874 ip0 = vlib_buffer_get_current (b0);
1875 udp0 = ip4_next_header (ip0);
1876 tcp0 = (tcp_header_t *) udp0;
1878 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1880 if (PREDICT_FALSE(ip0->ttl == 1))
1882 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1883 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1884 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1886 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1890 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1892 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
1894 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1895 icmp0 = (icmp46_header_t *) udp0;
1897 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
1898 rx_fib_index0, node, next0, thread_index,
1903 key0.ext_host_addr = ip0->src_address;
1904 key0.ext_host_port = tcp0->src;
1905 key0.out_port = tcp0->dst;
1907 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
1908 if (PREDICT_FALSE(!dm0))
1910 clib_warning("unknown dst address: %U",
1911 format_ip4_address, &ip0->dst_address);
1912 next0 = SNAT_OUT2IN_NEXT_DROP;
1913 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1917 snat_det_reverse(dm0, &ip0->dst_address,
1918 clib_net_to_host_u16(tcp0->dst), &new_addr0);
1920 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
1921 if (PREDICT_FALSE(!ses0))
1923 clib_warning("no match src %U:%d dst %U:%d for user %U",
1924 format_ip4_address, &ip0->src_address,
1925 clib_net_to_host_u16 (tcp0->src),
1926 format_ip4_address, &ip0->dst_address,
1927 clib_net_to_host_u16 (tcp0->dst),
1928 format_ip4_address, &new_addr0);
1929 next0 = SNAT_OUT2IN_NEXT_DROP;
1930 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1933 new_port0 = ses0->in_port;
1935 old_addr0 = ip0->dst_address;
1936 ip0->dst_address = new_addr0;
1937 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1939 sum0 = ip0->checksum;
1940 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1942 dst_address /* changed member */);
1943 ip0->checksum = ip_csum_fold (sum0);
1945 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1947 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1948 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1949 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
1950 snat_det_ses_close(dm0, ses0);
1952 old_port0 = tcp0->dst;
1953 tcp0->dst = new_port0;
1955 sum0 = tcp0->checksum;
1956 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1958 dst_address /* changed member */);
1960 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1961 ip4_header_t /* cheat */,
1962 length /* changed member */);
1963 tcp0->checksum = ip_csum_fold(sum0);
1967 old_port0 = udp0->dst_port;
1968 udp0->dst_port = new_port0;
1974 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1975 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1977 snat_out2in_trace_t *t =
1978 vlib_add_trace (vm, node, b0, sizeof (*t));
1979 t->sw_if_index = sw_if_index0;
1980 t->next_index = next0;
1981 t->session_index = ~0;
1983 t->session_index = ses0 - dm0->sessions;
1986 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1988 /* verify speculative enqueue, maybe switch current next frame */
1989 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1990 to_next, n_left_to_next,
1994 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1997 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
1998 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2000 return frame->n_vectors;
2003 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
2004 .function = snat_det_out2in_node_fn,
2005 .name = "nat44-det-out2in",
2006 .vector_size = sizeof (u32),
2007 .format_trace = format_snat_out2in_trace,
2008 .type = VLIB_NODE_TYPE_INTERNAL,
2010 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2011 .error_strings = snat_out2in_error_strings,
2013 .runtime_data_bytes = sizeof (snat_runtime_t),
2015 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2017 /* edit / add dispositions here */
2019 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2020 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2021 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2024 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
2027 * Get address and port values to be used for ICMP packet translation
2028 * and create session if needed
2030 * @param[in,out] sm NAT main
2031 * @param[in,out] node NAT node runtime
2032 * @param[in] thread_index thread index
2033 * @param[in,out] b0 buffer containing packet to be translated
2034 * @param[out] p_proto protocol used for matching
2035 * @param[out] p_value address and port after NAT translation
2036 * @param[out] p_dont_translate if packet should not be translated
2037 * @param d optional parameter
2038 * @param e optional parameter
2040 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
2041 u32 thread_index, vlib_buffer_t *b0, u8 *p_proto,
2042 snat_session_key_t *p_value,
2043 u8 *p_dont_translate, void *d, void *e)
2046 icmp46_header_t *icmp0;
2049 snat_det_out_key_t key0;
2050 u8 dont_translate = 0;
2052 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2053 ip4_header_t *inner_ip0;
2054 void *l4_header = 0;
2055 icmp46_header_t *inner_icmp0;
2056 snat_det_map_t * dm0 = 0;
2057 ip4_address_t new_addr0 = {{0}};
2058 snat_det_session_t * ses0 = 0;
2059 ip4_address_t out_addr;
2061 ip0 = vlib_buffer_get_current (b0);
2062 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2063 echo0 = (icmp_echo_header_t *)(icmp0+1);
2064 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2066 if (!icmp_is_error_message (icmp0))
2068 protocol = SNAT_PROTOCOL_ICMP;
2069 key0.ext_host_addr = ip0->src_address;
2070 key0.ext_host_port = 0;
2071 key0.out_port = echo0->identifier;
2072 out_addr = ip0->dst_address;
2076 inner_ip0 = (ip4_header_t *)(echo0+1);
2077 l4_header = ip4_next_header (inner_ip0);
2078 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2079 key0.ext_host_addr = inner_ip0->dst_address;
2080 out_addr = inner_ip0->src_address;
2083 case SNAT_PROTOCOL_ICMP:
2084 inner_icmp0 = (icmp46_header_t*)l4_header;
2085 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2086 key0.ext_host_port = 0;
2087 key0.out_port = inner_echo0->identifier;
2089 case SNAT_PROTOCOL_UDP:
2090 case SNAT_PROTOCOL_TCP:
2091 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2092 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
2095 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
2096 next0 = SNAT_OUT2IN_NEXT_DROP;
2101 dm0 = snat_det_map_by_out(sm, &out_addr);
2102 if (PREDICT_FALSE(!dm0))
2104 /* Don't NAT packet aimed at the intfc address */
2105 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2106 ip0->dst_address.as_u32)))
2111 clib_warning("unknown dst address: %U",
2112 format_ip4_address, &ip0->dst_address);
2116 snat_det_reverse(dm0, &ip0->dst_address,
2117 clib_net_to_host_u16(key0.out_port), &new_addr0);
2119 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2120 if (PREDICT_FALSE(!ses0))
2122 /* Don't NAT packet aimed at the intfc address */
2123 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2124 ip0->dst_address.as_u32)))
2129 clib_warning("no match src %U:%d dst %U:%d for user %U",
2130 format_ip4_address, &key0.ext_host_addr,
2131 clib_net_to_host_u16 (key0.ext_host_port),
2132 format_ip4_address, &out_addr,
2133 clib_net_to_host_u16 (key0.out_port),
2134 format_ip4_address, &new_addr0);
2135 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2136 next0 = SNAT_OUT2IN_NEXT_DROP;
2140 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
2141 !icmp_is_error_message (icmp0)))
2143 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
2144 next0 = SNAT_OUT2IN_NEXT_DROP;
2151 *p_proto = protocol;
2154 p_value->addr = new_addr0;
2155 p_value->fib_index = sm->inside_fib_index;
2156 p_value->port = ses0->in_port;
2158 *p_dont_translate = dont_translate;
2160 *(snat_det_session_t**)d = ses0;
2162 *(snat_det_map_t**)e = dm0;
2166 /**********************/
2167 /*** worker handoff ***/
2168 /**********************/
2170 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
2171 vlib_node_runtime_t * node,
2172 vlib_frame_t * frame)
2174 snat_main_t *sm = &snat_main;
2175 vlib_thread_main_t *tm = vlib_get_thread_main ();
2176 u32 n_left_from, *from, *to_next = 0;
2177 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2178 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2180 vlib_frame_queue_elt_t *hf = 0;
2181 vlib_frame_t *f = 0;
2183 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2184 u32 next_worker_index = 0;
2185 u32 current_worker_index = ~0;
2186 u32 thread_index = vlib_get_thread_index ();
2188 ASSERT (vec_len (sm->workers));
2190 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2192 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2194 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2195 sm->first_worker_index + sm->num_workers - 1,
2196 (vlib_frame_queue_t *) (~0));
2199 from = vlib_frame_vector_args (frame);
2200 n_left_from = frame->n_vectors;
2202 while (n_left_from > 0)
2215 b0 = vlib_get_buffer (vm, bi0);
2217 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2218 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2220 ip0 = vlib_buffer_get_current (b0);
2222 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
2224 if (PREDICT_FALSE (next_worker_index != thread_index))
2228 if (next_worker_index != current_worker_index)
2231 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2233 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
2235 handoff_queue_elt_by_worker_index);
2237 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2238 to_next_worker = &hf->buffer_index[hf->n_vectors];
2239 current_worker_index = next_worker_index;
2242 /* enqueue to correct worker thread */
2243 to_next_worker[0] = bi0;
2245 n_left_to_next_worker--;
2247 if (n_left_to_next_worker == 0)
2249 hf->n_vectors = VLIB_FRAME_SIZE;
2250 vlib_put_frame_queue_elt (hf);
2251 current_worker_index = ~0;
2252 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2259 /* if this is 1st frame */
2262 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
2263 to_next = vlib_frame_vector_args (f);
2271 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2272 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2274 snat_out2in_worker_handoff_trace_t *t =
2275 vlib_add_trace (vm, node, b0, sizeof (*t));
2276 t->next_worker_index = next_worker_index;
2277 t->do_handoff = do_handoff;
2282 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
2285 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2287 /* Ship frames to the worker nodes */
2288 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2290 if (handoff_queue_elt_by_worker_index[i])
2292 hf = handoff_queue_elt_by_worker_index[i];
2294 * It works better to let the handoff node
2295 * rate-adapt, always ship the handoff queue element.
2297 if (1 || hf->n_vectors == hf->last_n_vectors)
2299 vlib_put_frame_queue_elt (hf);
2300 handoff_queue_elt_by_worker_index[i] = 0;
2303 hf->last_n_vectors = hf->n_vectors;
2305 congested_handoff_queue_by_worker_index[i] =
2306 (vlib_frame_queue_t *) (~0);
2309 current_worker_index = ~0;
2310 return frame->n_vectors;
2313 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
2314 .function = snat_out2in_worker_handoff_fn,
2315 .name = "nat44-out2in-worker-handoff",
2316 .vector_size = sizeof (u32),
2317 .format_trace = format_snat_out2in_worker_handoff_trace,
2318 .type = VLIB_NODE_TYPE_INTERNAL,
2327 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
2330 snat_out2in_fast_node_fn (vlib_main_t * vm,
2331 vlib_node_runtime_t * node,
2332 vlib_frame_t * frame)
2334 u32 n_left_from, * from, * to_next;
2335 snat_out2in_next_t next_index;
2336 u32 pkts_processed = 0;
2337 snat_main_t * sm = &snat_main;
2339 from = vlib_frame_vector_args (frame);
2340 n_left_from = frame->n_vectors;
2341 next_index = node->cached_next_index;
2343 while (n_left_from > 0)
2347 vlib_get_next_frame (vm, node, next_index,
2348 to_next, n_left_to_next);
2350 while (n_left_from > 0 && n_left_to_next > 0)
2354 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
2358 u32 new_addr0, old_addr0;
2359 u16 new_port0, old_port0;
2360 udp_header_t * udp0;
2361 tcp_header_t * tcp0;
2362 icmp46_header_t * icmp0;
2363 snat_session_key_t key0, sm0;
2367 /* speculatively enqueue b0 to the current next frame */
2373 n_left_to_next -= 1;
2375 b0 = vlib_get_buffer (vm, bi0);
2377 ip0 = vlib_buffer_get_current (b0);
2378 udp0 = ip4_next_header (ip0);
2379 tcp0 = (tcp_header_t *) udp0;
2380 icmp0 = (icmp46_header_t *) udp0;
2382 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2383 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2385 vnet_feature_next (sw_if_index0, &next0, b0);
2387 if (PREDICT_FALSE(ip0->ttl == 1))
2389 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2390 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2391 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2393 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2397 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2399 if (PREDICT_FALSE (proto0 == ~0))
2402 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2404 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2405 rx_fib_index0, node, next0, ~0, 0, 0);
2409 key0.addr = ip0->dst_address;
2410 key0.port = udp0->dst_port;
2411 key0.fib_index = rx_fib_index0;
2413 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
2415 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2419 new_addr0 = sm0.addr.as_u32;
2420 new_port0 = sm0.port;
2421 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2422 old_addr0 = ip0->dst_address.as_u32;
2423 ip0->dst_address.as_u32 = new_addr0;
2425 sum0 = ip0->checksum;
2426 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2428 dst_address /* changed member */);
2429 ip0->checksum = ip_csum_fold (sum0);
2431 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2433 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2435 old_port0 = tcp0->dst_port;
2436 tcp0->dst_port = new_port0;
2438 sum0 = tcp0->checksum;
2439 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2441 dst_address /* changed member */);
2443 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2444 ip4_header_t /* cheat */,
2445 length /* changed member */);
2446 tcp0->checksum = ip_csum_fold(sum0);
2450 old_port0 = udp0->dst_port;
2451 udp0->dst_port = new_port0;
2457 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2459 sum0 = tcp0->checksum;
2460 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2462 dst_address /* changed member */);
2464 tcp0->checksum = ip_csum_fold(sum0);
2470 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2471 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2473 snat_out2in_trace_t *t =
2474 vlib_add_trace (vm, node, b0, sizeof (*t));
2475 t->sw_if_index = sw_if_index0;
2476 t->next_index = next0;
2479 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2481 /* verify speculative enqueue, maybe switch current next frame */
2482 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2483 to_next, n_left_to_next,
2487 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2490 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
2491 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2493 return frame->n_vectors;
2496 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
2497 .function = snat_out2in_fast_node_fn,
2498 .name = "nat44-out2in-fast",
2499 .vector_size = sizeof (u32),
2500 .format_trace = format_snat_out2in_fast_trace,
2501 .type = VLIB_NODE_TYPE_INTERNAL,
2503 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2504 .error_strings = snat_out2in_error_strings,
2506 .runtime_data_bytes = sizeof (snat_runtime_t),
2508 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2510 /* edit / add dispositions here */
2512 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2513 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2514 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2517 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob