2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
26 #include <nat/nat_ipfix_logging.h>
27 #include <nat/nat_det.h>
29 #include <vppinfra/hash.h>
30 #include <vppinfra/error.h>
31 #include <vppinfra/elog.h>
37 } snat_out2in_trace_t;
40 u32 next_worker_index;
42 } snat_out2in_worker_handoff_trace_t;
44 /* packet trace format function */
45 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
47 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
48 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
49 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
51 s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
52 t->sw_if_index, t->next_index, t->session_index);
56 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
58 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
59 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
60 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
62 s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
63 t->sw_if_index, t->next_index);
67 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
69 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
70 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
71 snat_out2in_worker_handoff_trace_t * t =
72 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
75 m = t->do_handoff ? "next worker" : "same worker";
76 s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
81 vlib_node_registration_t snat_out2in_node;
82 vlib_node_registration_t snat_out2in_fast_node;
83 vlib_node_registration_t snat_out2in_worker_handoff_node;
84 vlib_node_registration_t snat_det_out2in_node;
86 #define foreach_snat_out2in_error \
87 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
88 _(OUT2IN_PACKETS, "Good out2in packets processed") \
89 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
90 _(NO_TRANSLATION, "No translation") \
91 _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded")
94 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
95 foreach_snat_out2in_error
98 } snat_out2in_error_t;
100 static char * snat_out2in_error_strings[] = {
101 #define _(sym,string) string,
102 foreach_snat_out2in_error
107 SNAT_OUT2IN_NEXT_DROP,
108 SNAT_OUT2IN_NEXT_LOOKUP,
109 SNAT_OUT2IN_NEXT_ICMP_ERROR,
111 } snat_out2in_next_t;
114 * @brief Create session for static mapping.
116 * Create NAT session initiated by host from external network with static
119 * @param sm NAT main.
120 * @param b0 Vlib buffer.
121 * @param in2out In2out NAT44 session key.
122 * @param out2in Out2in NAT44 session key.
123 * @param node Vlib node.
125 * @returns SNAT session if successfully created otherwise 0.
127 static inline snat_session_t *
128 create_session_for_static_mapping (snat_main_t *sm,
130 snat_session_key_t in2out,
131 snat_session_key_t out2in,
132 vlib_node_runtime_t * node,
136 snat_user_key_t user_key;
138 clib_bihash_kv_8_8_t kv0, value0;
139 dlist_elt_t * per_user_translation_list_elt;
140 dlist_elt_t * per_user_list_head_elt;
143 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
145 b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
149 ip0 = vlib_buffer_get_current (b0);
151 user_key.addr = in2out.addr;
152 user_key.fib_index = in2out.fib_index;
153 kv0.key = user_key.as_u64;
155 /* Ever heard of the "user" = inside ip4 address before? */
156 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].user_hash,
159 /* no, make a new one */
160 pool_get (sm->per_thread_data[thread_index].users, u);
161 memset (u, 0, sizeof (*u));
162 u->addr = in2out.addr;
163 u->fib_index = in2out.fib_index;
165 pool_get (sm->per_thread_data[thread_index].list_pool,
166 per_user_list_head_elt);
168 u->sessions_per_user_list_head_index = per_user_list_head_elt -
169 sm->per_thread_data[thread_index].list_pool;
171 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
172 u->sessions_per_user_list_head_index);
174 kv0.value = u - sm->per_thread_data[thread_index].users;
177 clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].user_hash,
178 &kv0, 1 /* is_add */);
182 u = pool_elt_at_index (sm->per_thread_data[thread_index].users,
186 pool_get (sm->per_thread_data[thread_index].sessions, s);
187 memset (s, 0, sizeof (*s));
189 s->outside_address_index = ~0;
190 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
191 s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
192 u->nstaticsessions++;
194 /* Create list elts */
195 pool_get (sm->per_thread_data[thread_index].list_pool,
196 per_user_translation_list_elt);
197 clib_dlist_init (sm->per_thread_data[thread_index].list_pool,
198 per_user_translation_list_elt -
199 sm->per_thread_data[thread_index].list_pool);
201 per_user_translation_list_elt->value =
202 s - sm->per_thread_data[thread_index].sessions;
204 per_user_translation_list_elt - sm->per_thread_data[thread_index].list_pool;
205 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
207 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
208 s->per_user_list_head_index,
209 per_user_translation_list_elt -
210 sm->per_thread_data[thread_index].list_pool);
214 s->in2out.protocol = out2in.protocol;
216 /* Add to translation hashes */
217 kv0.key = s->in2out.as_u64;
218 kv0.value = s - sm->per_thread_data[thread_index].sessions;
219 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
221 clib_warning ("in2out key add failed");
223 kv0.key = s->out2in.as_u64;
224 kv0.value = s - sm->per_thread_data[thread_index].sessions;
226 if (clib_bihash_add_del_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
228 clib_warning ("out2in key add failed");
231 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
232 s->out2in.addr.as_u32,
236 s->in2out.fib_index);
241 snat_out2in_error_t icmp_get_key(ip4_header_t *ip0,
242 snat_session_key_t *p_key0)
244 icmp46_header_t *icmp0;
245 snat_session_key_t key0;
246 icmp_echo_header_t *echo0, *inner_echo0 = 0;
247 ip4_header_t *inner_ip0;
249 icmp46_header_t *inner_icmp0;
251 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
252 echo0 = (icmp_echo_header_t *)(icmp0+1);
254 if (!icmp_is_error_message (icmp0))
256 key0.protocol = SNAT_PROTOCOL_ICMP;
257 key0.addr = ip0->dst_address;
258 key0.port = echo0->identifier;
262 inner_ip0 = (ip4_header_t *)(echo0+1);
263 l4_header = ip4_next_header (inner_ip0);
264 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
265 key0.addr = inner_ip0->src_address;
266 switch (key0.protocol)
268 case SNAT_PROTOCOL_ICMP:
269 inner_icmp0 = (icmp46_header_t*)l4_header;
270 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
271 key0.port = inner_echo0->identifier;
273 case SNAT_PROTOCOL_UDP:
274 case SNAT_PROTOCOL_TCP:
275 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
278 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
282 return -1; /* success */
286 * Get address and port values to be used for ICMP packet translation
287 * and create session if needed
289 * @param[in,out] sm NAT main
290 * @param[in,out] node NAT node runtime
291 * @param[in] thread_index thread index
292 * @param[in,out] b0 buffer containing packet to be translated
293 * @param[out] p_proto protocol used for matching
294 * @param[out] p_value address and port after NAT translation
295 * @param[out] p_dont_translate if packet should not be translated
296 * @param d optional parameter
297 * @param e optional parameter
299 u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
300 u32 thread_index, vlib_buffer_t *b0,
301 ip4_header_t *ip0, u8 *p_proto,
302 snat_session_key_t *p_value,
303 u8 *p_dont_translate, void *d, void *e)
305 icmp46_header_t *icmp0;
308 snat_session_key_t key0;
309 snat_session_key_t sm0;
310 snat_session_t *s0 = 0;
311 u8 dont_translate = 0;
312 clib_bihash_kv_8_8_t kv0, value0;
317 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
318 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
319 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
323 err = icmp_get_key (ip0, &key0);
326 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
327 next0 = SNAT_OUT2IN_NEXT_DROP;
330 key0.fib_index = rx_fib_index0;
332 kv0.key = key0.as_u64;
334 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
337 /* Try to match static mapping by external address and port,
338 destination address and port in packet */
339 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only))
341 /* Don't NAT packet aimed at the intfc address */
342 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
343 ip0->dst_address.as_u32)))
348 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
349 next0 = SNAT_OUT2IN_NEXT_DROP;
353 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
354 (icmp0->type != ICMP4_echo_request || !is_addr_only)))
356 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
357 next0 = SNAT_OUT2IN_NEXT_DROP;
361 /* Create session initiated by host from external network */
362 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
367 next0 = SNAT_OUT2IN_NEXT_DROP;
373 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
374 icmp0->type != ICMP4_echo_request &&
375 !icmp_is_error_message (icmp0)))
377 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
378 next0 = SNAT_OUT2IN_NEXT_DROP;
382 s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
387 *p_proto = key0.protocol;
389 *p_value = s0->in2out;
390 *p_dont_translate = dont_translate;
392 *(snat_session_t**)d = s0;
397 * Get address and port values to be used for ICMP packet translation
399 * @param[in] sm NAT main
400 * @param[in,out] node NAT node runtime
401 * @param[in] thread_index thread index
402 * @param[in,out] b0 buffer containing packet to be translated
403 * @param[out] p_proto protocol used for matching
404 * @param[out] p_value address and port after NAT translation
405 * @param[out] p_dont_translate if packet should not be translated
406 * @param d optional parameter
407 * @param e optional parameter
409 u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node,
410 u32 thread_index, vlib_buffer_t *b0,
411 ip4_header_t *ip0, u8 *p_proto,
412 snat_session_key_t *p_value,
413 u8 *p_dont_translate, void *d, void *e)
415 icmp46_header_t *icmp0;
418 snat_session_key_t key0;
419 snat_session_key_t sm0;
420 u8 dont_translate = 0;
425 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
426 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
427 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
429 err = icmp_get_key (ip0, &key0);
432 b0->error = node->errors[err];
433 next0 = SNAT_OUT2IN_NEXT_DROP;
436 key0.fib_index = rx_fib_index0;
438 if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only))
440 /* Don't NAT packet aimed at the intfc address */
441 if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32))
446 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
447 next0 = SNAT_OUT2IN_NEXT_DROP;
451 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
452 (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
453 !icmp_is_error_message (icmp0)))
455 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
456 next0 = SNAT_OUT2IN_NEXT_DROP;
463 *p_proto = key0.protocol;
464 *p_dont_translate = dont_translate;
468 static inline u32 icmp_out2in (snat_main_t *sm,
471 icmp46_header_t * icmp0,
474 vlib_node_runtime_t * node,
480 snat_session_key_t sm0;
482 icmp_echo_header_t *echo0, *inner_echo0 = 0;
483 ip4_header_t *inner_ip0 = 0;
485 icmp46_header_t *inner_icmp0;
487 u32 new_addr0, old_addr0;
488 u16 old_id0, new_id0;
493 echo0 = (icmp_echo_header_t *)(icmp0+1);
495 next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0,
496 &protocol, &sm0, &dont_translate, d, e);
499 if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
502 sum0 = ip_incremental_checksum (0, icmp0,
503 ntohs(ip0->length) - ip4_header_bytes (ip0));
504 checksum0 = ~ip_csum_fold (sum0);
505 if (checksum0 != 0 && checksum0 != 0xffff)
507 next0 = SNAT_OUT2IN_NEXT_DROP;
511 old_addr0 = ip0->dst_address.as_u32;
512 new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
513 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
515 sum0 = ip0->checksum;
516 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
517 dst_address /* changed member */);
518 ip0->checksum = ip_csum_fold (sum0);
520 if (!icmp_is_error_message (icmp0))
523 if (PREDICT_FALSE(new_id0 != echo0->identifier))
525 old_id0 = echo0->identifier;
527 echo0->identifier = new_id0;
529 sum0 = icmp0->checksum;
530 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
531 identifier /* changed member */);
532 icmp0->checksum = ip_csum_fold (sum0);
537 inner_ip0 = (ip4_header_t *)(echo0+1);
538 l4_header = ip4_next_header (inner_ip0);
540 if (!ip4_header_checksum_is_valid (inner_ip0))
542 next0 = SNAT_OUT2IN_NEXT_DROP;
546 old_addr0 = inner_ip0->src_address.as_u32;
547 inner_ip0->src_address = sm0.addr;
548 new_addr0 = inner_ip0->src_address.as_u32;
550 sum0 = icmp0->checksum;
551 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
552 src_address /* changed member */);
553 icmp0->checksum = ip_csum_fold (sum0);
557 case SNAT_PROTOCOL_ICMP:
558 inner_icmp0 = (icmp46_header_t*)l4_header;
559 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
561 old_id0 = inner_echo0->identifier;
563 inner_echo0->identifier = new_id0;
565 sum0 = icmp0->checksum;
566 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
568 icmp0->checksum = ip_csum_fold (sum0);
570 case SNAT_PROTOCOL_UDP:
571 case SNAT_PROTOCOL_TCP:
572 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
574 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
576 sum0 = icmp0->checksum;
577 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
579 icmp0->checksum = ip_csum_fold (sum0);
591 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
594 icmp46_header_t * icmp0,
597 vlib_node_runtime_t * node,
600 snat_session_t ** p_s0)
602 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
603 next0, thread_index, p_s0, 0);
604 snat_session_t * s0 = *p_s0;
605 if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0))
608 s0->last_heard = now;
610 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
611 /* Per-user LRU list maintenance for dynamic translation */
612 if (!snat_is_session_static (s0))
614 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
616 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
617 s0->per_user_list_head_index,
624 static snat_session_t *
625 snat_out2in_unknown_proto (snat_main_t *sm,
632 vlib_node_runtime_t * node)
634 clib_bihash_kv_8_8_t kv, value;
635 clib_bihash_kv_16_8_t s_kv, s_value;
636 snat_static_mapping_t *m;
637 snat_session_key_t m_key;
638 u32 old_addr, new_addr;
640 nat_ed_ses_key_t key;
642 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
643 snat_user_key_t u_key;
645 dlist_elt_t *head, *elt;
647 old_addr = ip->dst_address.as_u32;
649 key.l_addr = ip->dst_address;
650 key.r_addr = ip->src_address;
651 key.fib_index = rx_fib_index;
652 key.proto = ip->protocol;
655 s_kv.key[0] = key.as_u64[0];
656 s_kv.key[1] = key.as_u64[1];
658 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
660 s = pool_elt_at_index (tsm->sessions, s_value.value);
661 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
665 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
667 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
671 m_key.addr = ip->dst_address;
674 m_key.fib_index = rx_fib_index;
675 kv.key = m_key.as_u64;
676 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
678 b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
682 m = pool_elt_at_index (sm->static_mappings, value.value);
684 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
686 u_key.addr = ip->src_address;
687 u_key.fib_index = m->fib_index;
688 kv.key = u_key.as_u64;
690 /* Ever heard of the "user" = src ip4 address before? */
691 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
693 /* no, make a new one */
694 pool_get (tsm->users, u);
695 memset (u, 0, sizeof (*u));
696 u->addr = ip->src_address;
697 u->fib_index = rx_fib_index;
699 pool_get (tsm->list_pool, head);
700 u->sessions_per_user_list_head_index = head - tsm->list_pool;
702 clib_dlist_init (tsm->list_pool,
703 u->sessions_per_user_list_head_index);
705 kv.value = u - tsm->users;
708 clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1);
712 u = pool_elt_at_index (tsm->users, value.value);
715 /* Create a new session */
716 pool_get (tsm->sessions, s);
717 memset (s, 0, sizeof (*s));
719 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
720 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
721 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
722 s->outside_address_index = ~0;
723 s->out2in.addr.as_u32 = old_addr;
724 s->out2in.fib_index = rx_fib_index;
725 s->in2out.addr.as_u32 = new_addr;
726 s->in2out.fib_index = m->fib_index;
727 s->in2out.port = s->out2in.port = ip->protocol;
728 u->nstaticsessions++;
730 /* Create list elts */
731 pool_get (tsm->list_pool, elt);
732 clib_dlist_init (tsm->list_pool, elt - tsm->list_pool);
733 elt->value = s - tsm->sessions;
734 s->per_user_index = elt - tsm->list_pool;
735 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
736 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
739 /* Add to lookup tables */
740 s_kv.value = s - tsm->sessions;
741 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
742 clib_warning ("out2in key add failed");
744 key.l_addr = ip->dst_address;
745 key.fib_index = m->fib_index;
746 s_kv.key[0] = key.as_u64[0];
747 s_kv.key[1] = key.as_u64[1];
748 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
749 clib_warning ("in2out key add failed");
752 /* Update IP checksum */
754 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
755 ip->checksum = ip_csum_fold (sum);
757 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
762 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
763 /* Per-user LRU list maintenance */
764 clib_dlist_remove (tsm->list_pool, s->per_user_index);
765 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
771 static snat_session_t *
772 snat_out2in_lb (snat_main_t *sm,
779 vlib_node_runtime_t * node)
781 nat_ed_ses_key_t key;
782 clib_bihash_kv_16_8_t s_kv, s_value;
783 udp_header_t *udp = ip4_next_header (ip);
784 tcp_header_t *tcp = (tcp_header_t *) udp;
785 snat_session_t *s = 0;
786 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
787 snat_session_key_t e_key, l_key;
788 clib_bihash_kv_8_8_t kv, value;
789 u32 old_addr, new_addr;
790 u32 proto = ip_proto_to_snat_proto (ip->protocol);
791 u16 new_port, old_port;
793 snat_user_key_t u_key;
795 dlist_elt_t *head, *elt;
797 old_addr = ip->dst_address.as_u32;
799 key.l_addr = ip->dst_address;
800 key.r_addr = ip->src_address;
801 key.fib_index = rx_fib_index;
802 key.proto = ip->protocol;
804 key.l_port = udp->dst_port;
805 s_kv.key[0] = key.as_u64[0];
806 s_kv.key[1] = key.as_u64[1];
808 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
810 s = pool_elt_at_index (tsm->sessions, s_value.value);
814 if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
816 b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
820 e_key.addr = ip->dst_address;
821 e_key.port = udp->dst_port;
822 e_key.protocol = proto;
823 e_key.fib_index = rx_fib_index;
824 if (snat_static_mapping_match(sm, e_key, &l_key, 1, 0))
827 u_key.addr = l_key.addr;
828 u_key.fib_index = l_key.fib_index;
829 kv.key = u_key.as_u64;
831 /* Ever heard of the "user" = src ip4 address before? */
832 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
834 /* no, make a new one */
835 pool_get (tsm->users, u);
836 memset (u, 0, sizeof (*u));
837 u->addr = l_key.addr;
838 u->fib_index = l_key.fib_index;
840 pool_get (tsm->list_pool, head);
841 u->sessions_per_user_list_head_index = head - tsm->list_pool;
843 clib_dlist_init (tsm->list_pool,
844 u->sessions_per_user_list_head_index);
846 kv.value = u - tsm->users;
849 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
850 clib_warning ("user key add failed");
854 u = pool_elt_at_index (tsm->users, value.value);
857 /* Create a new session */
858 pool_get (tsm->sessions, s);
859 memset (s, 0, sizeof (*s));
861 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
862 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
863 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
864 s->outside_address_index = ~0;
867 u->nstaticsessions++;
869 /* Create list elts */
870 pool_get (tsm->list_pool, elt);
871 clib_dlist_init (tsm->list_pool, elt - tsm->list_pool);
872 elt->value = s - tsm->sessions;
873 s->per_user_index = elt - tsm->list_pool;
874 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
875 clib_dlist_addtail (tsm->list_pool, s->per_user_list_head_index,
878 /* Add to lookup tables */
879 s_kv.value = s - tsm->sessions;
880 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &s_kv, 1))
881 clib_warning ("out2in-ed key add failed");
883 key.l_addr = l_key.addr;
884 key.fib_index = l_key.fib_index;
885 key.l_port = l_key.port;
886 s_kv.key[0] = key.as_u64[0];
887 s_kv.key[1] = key.as_u64[1];
888 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &s_kv, 1))
889 clib_warning ("in2out-ed key add failed");
892 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
894 /* Update IP checksum */
896 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
897 ip->checksum = ip_csum_fold (sum);
899 if (PREDICT_TRUE(proto == SNAT_PROTOCOL_TCP))
901 old_port = tcp->dst_port;
902 tcp->dst_port = s->in2out.port;
903 new_port = tcp->dst_port;
906 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
907 sum = ip_csum_update (sum, old_port, new_port, ip4_header_t, length);
908 tcp->checksum = ip_csum_fold(sum);
912 udp->dst_port = s->in2out.port;
916 vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
921 s->total_bytes += vlib_buffer_length_in_chain (vm, b);
926 snat_out2in_node_fn (vlib_main_t * vm,
927 vlib_node_runtime_t * node,
928 vlib_frame_t * frame)
930 u32 n_left_from, * from, * to_next;
931 snat_out2in_next_t next_index;
932 u32 pkts_processed = 0;
933 snat_main_t * sm = &snat_main;
934 f64 now = vlib_time_now (vm);
935 u32 thread_index = vlib_get_thread_index ();
937 from = vlib_frame_vector_args (frame);
938 n_left_from = frame->n_vectors;
939 next_index = node->cached_next_index;
941 while (n_left_from > 0)
945 vlib_get_next_frame (vm, node, next_index,
946 to_next, n_left_to_next);
948 while (n_left_from >= 4 && n_left_to_next >= 2)
951 vlib_buffer_t * b0, * b1;
952 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
953 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
954 u32 sw_if_index0, sw_if_index1;
955 ip4_header_t * ip0, *ip1;
956 ip_csum_t sum0, sum1;
957 u32 new_addr0, old_addr0;
958 u16 new_port0, old_port0;
959 u32 new_addr1, old_addr1;
960 u16 new_port1, old_port1;
961 udp_header_t * udp0, * udp1;
962 tcp_header_t * tcp0, * tcp1;
963 icmp46_header_t * icmp0, * icmp1;
964 snat_session_key_t key0, key1, sm0, sm1;
965 u32 rx_fib_index0, rx_fib_index1;
967 snat_session_t * s0 = 0, * s1 = 0;
968 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
970 /* Prefetch next iteration. */
972 vlib_buffer_t * p2, * p3;
974 p2 = vlib_get_buffer (vm, from[2]);
975 p3 = vlib_get_buffer (vm, from[3]);
977 vlib_prefetch_buffer_header (p2, LOAD);
978 vlib_prefetch_buffer_header (p3, LOAD);
980 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
981 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
984 /* speculatively enqueue b0 and b1 to the current next frame */
985 to_next[0] = bi0 = from[0];
986 to_next[1] = bi1 = from[1];
992 b0 = vlib_get_buffer (vm, bi0);
993 b1 = vlib_get_buffer (vm, bi1);
995 vnet_buffer (b0)->snat.flags = 0;
996 vnet_buffer (b1)->snat.flags = 0;
998 ip0 = vlib_buffer_get_current (b0);
999 udp0 = ip4_next_header (ip0);
1000 tcp0 = (tcp_header_t *) udp0;
1001 icmp0 = (icmp46_header_t *) udp0;
1003 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1004 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1007 if (PREDICT_FALSE(ip0->ttl == 1))
1009 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1010 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1011 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1013 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1017 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1019 if (PREDICT_FALSE (proto0 == ~0))
1021 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1022 thread_index, now, vm, node);
1024 next0 = SNAT_OUT2IN_NEXT_DROP;
1028 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1030 next0 = icmp_out2in_slow_path
1031 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1032 next0, now, thread_index, &s0);
1036 key0.addr = ip0->dst_address;
1037 key0.port = udp0->dst_port;
1038 key0.protocol = proto0;
1039 key0.fib_index = rx_fib_index0;
1041 kv0.key = key0.as_u64;
1043 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1046 /* Try to match static mapping by external address and port,
1047 destination address and port in packet */
1048 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
1050 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1052 * Send DHCP packets to the ipv4 stack, or we won't
1053 * be able to use dhcp client on the outside interface
1055 if (proto0 != SNAT_PROTOCOL_UDP
1057 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
1058 next0 = SNAT_OUT2IN_NEXT_DROP;
1062 /* Create session initiated by host from external network */
1063 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1067 next0 = SNAT_OUT2IN_NEXT_DROP;
1073 if (PREDICT_FALSE (value0.value == ~0ULL))
1075 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1078 next0 = SNAT_OUT2IN_NEXT_DROP;
1083 s0 = pool_elt_at_index (
1084 sm->per_thread_data[thread_index].sessions,
1089 old_addr0 = ip0->dst_address.as_u32;
1090 ip0->dst_address = s0->in2out.addr;
1091 new_addr0 = ip0->dst_address.as_u32;
1092 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1094 sum0 = ip0->checksum;
1095 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1097 dst_address /* changed member */);
1098 ip0->checksum = ip_csum_fold (sum0);
1100 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1102 old_port0 = tcp0->dst_port;
1103 tcp0->dst_port = s0->in2out.port;
1104 new_port0 = tcp0->dst_port;
1106 sum0 = tcp0->checksum;
1107 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1109 dst_address /* changed member */);
1111 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1112 ip4_header_t /* cheat */,
1113 length /* changed member */);
1114 tcp0->checksum = ip_csum_fold(sum0);
1118 old_port0 = udp0->dst_port;
1119 udp0->dst_port = s0->in2out.port;
1124 s0->last_heard = now;
1126 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1127 /* Per-user LRU list maintenance for dynamic translation */
1128 if (!snat_is_session_static (s0))
1130 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1131 s0->per_user_index);
1132 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1133 s0->per_user_list_head_index,
1134 s0->per_user_index);
1138 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1139 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1141 snat_out2in_trace_t *t =
1142 vlib_add_trace (vm, node, b0, sizeof (*t));
1143 t->sw_if_index = sw_if_index0;
1144 t->next_index = next0;
1145 t->session_index = ~0;
1147 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1150 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1153 ip1 = vlib_buffer_get_current (b1);
1154 udp1 = ip4_next_header (ip1);
1155 tcp1 = (tcp_header_t *) udp1;
1156 icmp1 = (icmp46_header_t *) udp1;
1158 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1159 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1162 if (PREDICT_FALSE(ip1->ttl == 1))
1164 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1165 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1166 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1168 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1172 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1174 if (PREDICT_FALSE (proto1 == ~0))
1176 s1 = snat_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1,
1177 thread_index, now, vm, node);
1179 next1 = SNAT_OUT2IN_NEXT_DROP;
1183 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1185 next1 = icmp_out2in_slow_path
1186 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1187 next1, now, thread_index, &s1);
1191 key1.addr = ip1->dst_address;
1192 key1.port = udp1->dst_port;
1193 key1.protocol = proto1;
1194 key1.fib_index = rx_fib_index1;
1196 kv1.key = key1.as_u64;
1198 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1201 /* Try to match static mapping by external address and port,
1202 destination address and port in packet */
1203 if (snat_static_mapping_match(sm, key1, &sm1, 1, 0))
1205 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1207 * Send DHCP packets to the ipv4 stack, or we won't
1208 * be able to use dhcp client on the outside interface
1210 if (proto1 != SNAT_PROTOCOL_UDP
1212 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
1213 next1 = SNAT_OUT2IN_NEXT_DROP;
1217 /* Create session initiated by host from external network */
1218 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
1222 next1 = SNAT_OUT2IN_NEXT_DROP;
1228 if (PREDICT_FALSE (value1.value == ~0ULL))
1230 s1 = snat_out2in_lb(sm, b1, ip1, rx_fib_index1, thread_index,
1233 next1 = SNAT_OUT2IN_NEXT_DROP;
1238 s1 = pool_elt_at_index (
1239 sm->per_thread_data[thread_index].sessions,
1244 old_addr1 = ip1->dst_address.as_u32;
1245 ip1->dst_address = s1->in2out.addr;
1246 new_addr1 = ip1->dst_address.as_u32;
1247 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1249 sum1 = ip1->checksum;
1250 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1252 dst_address /* changed member */);
1253 ip1->checksum = ip_csum_fold (sum1);
1255 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1257 old_port1 = tcp1->dst_port;
1258 tcp1->dst_port = s1->in2out.port;
1259 new_port1 = tcp1->dst_port;
1261 sum1 = tcp1->checksum;
1262 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1264 dst_address /* changed member */);
1266 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1267 ip4_header_t /* cheat */,
1268 length /* changed member */);
1269 tcp1->checksum = ip_csum_fold(sum1);
1273 old_port1 = udp1->dst_port;
1274 udp1->dst_port = s1->in2out.port;
1279 s1->last_heard = now;
1281 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1282 /* Per-user LRU list maintenance for dynamic translation */
1283 if (!snat_is_session_static (s1))
1285 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1286 s1->per_user_index);
1287 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1288 s1->per_user_list_head_index,
1289 s1->per_user_index);
1293 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1294 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1296 snat_out2in_trace_t *t =
1297 vlib_add_trace (vm, node, b1, sizeof (*t));
1298 t->sw_if_index = sw_if_index1;
1299 t->next_index = next1;
1300 t->session_index = ~0;
1302 t->session_index = s1 - sm->per_thread_data[thread_index].sessions;
1305 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1307 /* verify speculative enqueues, maybe switch current next frame */
1308 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1309 to_next, n_left_to_next,
1310 bi0, bi1, next0, next1);
1313 while (n_left_from > 0 && n_left_to_next > 0)
1317 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1321 u32 new_addr0, old_addr0;
1322 u16 new_port0, old_port0;
1323 udp_header_t * udp0;
1324 tcp_header_t * tcp0;
1325 icmp46_header_t * icmp0;
1326 snat_session_key_t key0, sm0;
1329 snat_session_t * s0 = 0;
1330 clib_bihash_kv_8_8_t kv0, value0;
1332 /* speculatively enqueue b0 to the current next frame */
1338 n_left_to_next -= 1;
1340 b0 = vlib_get_buffer (vm, bi0);
1342 vnet_buffer (b0)->snat.flags = 0;
1344 ip0 = vlib_buffer_get_current (b0);
1345 udp0 = ip4_next_header (ip0);
1346 tcp0 = (tcp_header_t *) udp0;
1347 icmp0 = (icmp46_header_t *) udp0;
1349 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1350 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1353 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1355 if (PREDICT_FALSE (proto0 == ~0))
1357 s0 = snat_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0,
1358 thread_index, now, vm, node);
1360 next0 = SNAT_OUT2IN_NEXT_DROP;
1364 if (PREDICT_FALSE(ip0->ttl == 1))
1366 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1367 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1368 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1370 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1374 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1376 next0 = icmp_out2in_slow_path
1377 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1378 next0, now, thread_index, &s0);
1382 key0.addr = ip0->dst_address;
1383 key0.port = udp0->dst_port;
1384 key0.protocol = proto0;
1385 key0.fib_index = rx_fib_index0;
1387 kv0.key = key0.as_u64;
1389 if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in,
1392 /* Try to match static mapping by external address and port,
1393 destination address and port in packet */
1394 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
1396 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1398 * Send DHCP packets to the ipv4 stack, or we won't
1399 * be able to use dhcp client on the outside interface
1401 if (proto0 != SNAT_PROTOCOL_UDP
1403 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
1405 next0 = SNAT_OUT2IN_NEXT_DROP;
1409 /* Create session initiated by host from external network */
1410 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
1414 next0 = SNAT_OUT2IN_NEXT_DROP;
1420 if (PREDICT_FALSE (value0.value == ~0ULL))
1422 s0 = snat_out2in_lb(sm, b0, ip0, rx_fib_index0, thread_index,
1425 next0 = SNAT_OUT2IN_NEXT_DROP;
1430 s0 = pool_elt_at_index (
1431 sm->per_thread_data[thread_index].sessions,
1436 old_addr0 = ip0->dst_address.as_u32;
1437 ip0->dst_address = s0->in2out.addr;
1438 new_addr0 = ip0->dst_address.as_u32;
1439 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1441 sum0 = ip0->checksum;
1442 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1444 dst_address /* changed member */);
1445 ip0->checksum = ip_csum_fold (sum0);
1447 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1449 old_port0 = tcp0->dst_port;
1450 tcp0->dst_port = s0->in2out.port;
1451 new_port0 = tcp0->dst_port;
1453 sum0 = tcp0->checksum;
1454 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1456 dst_address /* changed member */);
1458 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1459 ip4_header_t /* cheat */,
1460 length /* changed member */);
1461 tcp0->checksum = ip_csum_fold(sum0);
1465 old_port0 = udp0->dst_port;
1466 udp0->dst_port = s0->in2out.port;
1471 s0->last_heard = now;
1473 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1474 /* Per-user LRU list maintenance for dynamic translation */
1475 if (!snat_is_session_static (s0))
1477 clib_dlist_remove (sm->per_thread_data[thread_index].list_pool,
1478 s0->per_user_index);
1479 clib_dlist_addtail (sm->per_thread_data[thread_index].list_pool,
1480 s0->per_user_list_head_index,
1481 s0->per_user_index);
1485 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1486 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1488 snat_out2in_trace_t *t =
1489 vlib_add_trace (vm, node, b0, sizeof (*t));
1490 t->sw_if_index = sw_if_index0;
1491 t->next_index = next0;
1492 t->session_index = ~0;
1494 t->session_index = s0 - sm->per_thread_data[thread_index].sessions;
1497 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1499 /* verify speculative enqueue, maybe switch current next frame */
1500 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1501 to_next, n_left_to_next,
1505 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1508 vlib_node_increment_counter (vm, snat_out2in_node.index,
1509 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1511 return frame->n_vectors;
1514 VLIB_REGISTER_NODE (snat_out2in_node) = {
1515 .function = snat_out2in_node_fn,
1516 .name = "nat44-out2in",
1517 .vector_size = sizeof (u32),
1518 .format_trace = format_snat_out2in_trace,
1519 .type = VLIB_NODE_TYPE_INTERNAL,
1521 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1522 .error_strings = snat_out2in_error_strings,
1524 .runtime_data_bytes = sizeof (snat_runtime_t),
1526 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1528 /* edit / add dispositions here */
1530 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1531 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1532 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1535 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
1537 /**************************/
1538 /*** deterministic mode ***/
1539 /**************************/
1541 snat_det_out2in_node_fn (vlib_main_t * vm,
1542 vlib_node_runtime_t * node,
1543 vlib_frame_t * frame)
1545 u32 n_left_from, * from, * to_next;
1546 snat_out2in_next_t next_index;
1547 u32 pkts_processed = 0;
1548 snat_main_t * sm = &snat_main;
1549 u32 thread_index = vlib_get_thread_index ();
1551 from = vlib_frame_vector_args (frame);
1552 n_left_from = frame->n_vectors;
1553 next_index = node->cached_next_index;
1555 while (n_left_from > 0)
1559 vlib_get_next_frame (vm, node, next_index,
1560 to_next, n_left_to_next);
1562 while (n_left_from >= 4 && n_left_to_next >= 2)
1565 vlib_buffer_t * b0, * b1;
1566 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1567 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
1568 u32 sw_if_index0, sw_if_index1;
1569 ip4_header_t * ip0, * ip1;
1570 ip_csum_t sum0, sum1;
1571 ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
1572 u16 new_port0, old_port0, old_port1, new_port1;
1573 udp_header_t * udp0, * udp1;
1574 tcp_header_t * tcp0, * tcp1;
1576 snat_det_out_key_t key0, key1;
1577 snat_det_map_t * dm0, * dm1;
1578 snat_det_session_t * ses0 = 0, * ses1 = 0;
1579 u32 rx_fib_index0, rx_fib_index1;
1580 icmp46_header_t * icmp0, * icmp1;
1582 /* Prefetch next iteration. */
1584 vlib_buffer_t * p2, * p3;
1586 p2 = vlib_get_buffer (vm, from[2]);
1587 p3 = vlib_get_buffer (vm, from[3]);
1589 vlib_prefetch_buffer_header (p2, LOAD);
1590 vlib_prefetch_buffer_header (p3, LOAD);
1592 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
1593 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
1596 /* speculatively enqueue b0 and b1 to the current next frame */
1597 to_next[0] = bi0 = from[0];
1598 to_next[1] = bi1 = from[1];
1602 n_left_to_next -= 2;
1604 b0 = vlib_get_buffer (vm, bi0);
1605 b1 = vlib_get_buffer (vm, bi1);
1607 ip0 = vlib_buffer_get_current (b0);
1608 udp0 = ip4_next_header (ip0);
1609 tcp0 = (tcp_header_t *) udp0;
1611 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1613 if (PREDICT_FALSE(ip0->ttl == 1))
1615 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1616 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1617 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1619 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1623 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1625 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
1627 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1628 icmp0 = (icmp46_header_t *) udp0;
1630 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
1631 rx_fib_index0, node, next0, thread_index,
1636 key0.ext_host_addr = ip0->src_address;
1637 key0.ext_host_port = tcp0->src;
1638 key0.out_port = tcp0->dst;
1640 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
1641 if (PREDICT_FALSE(!dm0))
1643 clib_warning("unknown dst address: %U",
1644 format_ip4_address, &ip0->dst_address);
1645 next0 = SNAT_OUT2IN_NEXT_DROP;
1646 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1650 snat_det_reverse(dm0, &ip0->dst_address,
1651 clib_net_to_host_u16(tcp0->dst), &new_addr0);
1653 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
1654 if (PREDICT_FALSE(!ses0))
1656 clib_warning("no match src %U:%d dst %U:%d for user %U",
1657 format_ip4_address, &ip0->src_address,
1658 clib_net_to_host_u16 (tcp0->src),
1659 format_ip4_address, &ip0->dst_address,
1660 clib_net_to_host_u16 (tcp0->dst),
1661 format_ip4_address, &new_addr0);
1662 next0 = SNAT_OUT2IN_NEXT_DROP;
1663 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1666 new_port0 = ses0->in_port;
1668 old_addr0 = ip0->dst_address;
1669 ip0->dst_address = new_addr0;
1670 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1672 sum0 = ip0->checksum;
1673 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1675 dst_address /* changed member */);
1676 ip0->checksum = ip_csum_fold (sum0);
1678 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1680 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1681 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1682 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
1683 snat_det_ses_close(dm0, ses0);
1685 old_port0 = tcp0->dst;
1686 tcp0->dst = new_port0;
1688 sum0 = tcp0->checksum;
1689 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1691 dst_address /* changed member */);
1693 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1694 ip4_header_t /* cheat */,
1695 length /* changed member */);
1696 tcp0->checksum = ip_csum_fold(sum0);
1700 old_port0 = udp0->dst_port;
1701 udp0->dst_port = new_port0;
1707 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1708 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1710 snat_out2in_trace_t *t =
1711 vlib_add_trace (vm, node, b0, sizeof (*t));
1712 t->sw_if_index = sw_if_index0;
1713 t->next_index = next0;
1714 t->session_index = ~0;
1716 t->session_index = ses0 - dm0->sessions;
1719 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1721 b1 = vlib_get_buffer (vm, bi1);
1723 ip1 = vlib_buffer_get_current (b1);
1724 udp1 = ip4_next_header (ip1);
1725 tcp1 = (tcp_header_t *) udp1;
1727 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
1729 if (PREDICT_FALSE(ip1->ttl == 1))
1731 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1732 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1733 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1735 next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1739 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1741 if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
1743 rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
1744 icmp1 = (icmp46_header_t *) udp1;
1746 next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1,
1747 rx_fib_index1, node, next1, thread_index,
1752 key1.ext_host_addr = ip1->src_address;
1753 key1.ext_host_port = tcp1->src;
1754 key1.out_port = tcp1->dst;
1756 dm1 = snat_det_map_by_out(sm, &ip1->dst_address);
1757 if (PREDICT_FALSE(!dm1))
1759 clib_warning("unknown dst address: %U",
1760 format_ip4_address, &ip1->dst_address);
1761 next1 = SNAT_OUT2IN_NEXT_DROP;
1762 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1766 snat_det_reverse(dm1, &ip1->dst_address,
1767 clib_net_to_host_u16(tcp1->dst), &new_addr1);
1769 ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64);
1770 if (PREDICT_FALSE(!ses1))
1772 clib_warning("no match src %U:%d dst %U:%d for user %U",
1773 format_ip4_address, &ip1->src_address,
1774 clib_net_to_host_u16 (tcp1->src),
1775 format_ip4_address, &ip1->dst_address,
1776 clib_net_to_host_u16 (tcp1->dst),
1777 format_ip4_address, &new_addr1);
1778 next1 = SNAT_OUT2IN_NEXT_DROP;
1779 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1782 new_port1 = ses1->in_port;
1784 old_addr1 = ip1->dst_address;
1785 ip1->dst_address = new_addr1;
1786 vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1788 sum1 = ip1->checksum;
1789 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1791 dst_address /* changed member */);
1792 ip1->checksum = ip_csum_fold (sum1);
1794 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1796 if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
1797 ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1798 else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK)
1799 snat_det_ses_close(dm1, ses1);
1801 old_port1 = tcp1->dst;
1802 tcp1->dst = new_port1;
1804 sum1 = tcp1->checksum;
1805 sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
1807 dst_address /* changed member */);
1809 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1810 ip4_header_t /* cheat */,
1811 length /* changed member */);
1812 tcp1->checksum = ip_csum_fold(sum1);
1816 old_port1 = udp1->dst_port;
1817 udp1->dst_port = new_port1;
1823 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1824 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1826 snat_out2in_trace_t *t =
1827 vlib_add_trace (vm, node, b1, sizeof (*t));
1828 t->sw_if_index = sw_if_index1;
1829 t->next_index = next1;
1830 t->session_index = ~0;
1832 t->session_index = ses1 - dm1->sessions;
1835 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
1837 /* verify speculative enqueues, maybe switch current next frame */
1838 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1839 to_next, n_left_to_next,
1840 bi0, bi1, next0, next1);
1843 while (n_left_from > 0 && n_left_to_next > 0)
1847 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1851 ip4_address_t new_addr0, old_addr0;
1852 u16 new_port0, old_port0;
1853 udp_header_t * udp0;
1854 tcp_header_t * tcp0;
1856 snat_det_out_key_t key0;
1857 snat_det_map_t * dm0;
1858 snat_det_session_t * ses0 = 0;
1860 icmp46_header_t * icmp0;
1862 /* speculatively enqueue b0 to the current next frame */
1868 n_left_to_next -= 1;
1870 b0 = vlib_get_buffer (vm, bi0);
1872 ip0 = vlib_buffer_get_current (b0);
1873 udp0 = ip4_next_header (ip0);
1874 tcp0 = (tcp_header_t *) udp0;
1876 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1878 if (PREDICT_FALSE(ip0->ttl == 1))
1880 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1881 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1882 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1884 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1888 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1890 if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
1892 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1893 icmp0 = (icmp46_header_t *) udp0;
1895 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
1896 rx_fib_index0, node, next0, thread_index,
1901 key0.ext_host_addr = ip0->src_address;
1902 key0.ext_host_port = tcp0->src;
1903 key0.out_port = tcp0->dst;
1905 dm0 = snat_det_map_by_out(sm, &ip0->dst_address);
1906 if (PREDICT_FALSE(!dm0))
1908 clib_warning("unknown dst address: %U",
1909 format_ip4_address, &ip0->dst_address);
1910 next0 = SNAT_OUT2IN_NEXT_DROP;
1911 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1915 snat_det_reverse(dm0, &ip0->dst_address,
1916 clib_net_to_host_u16(tcp0->dst), &new_addr0);
1918 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
1919 if (PREDICT_FALSE(!ses0))
1921 clib_warning("no match src %U:%d dst %U:%d for user %U",
1922 format_ip4_address, &ip0->src_address,
1923 clib_net_to_host_u16 (tcp0->src),
1924 format_ip4_address, &ip0->dst_address,
1925 clib_net_to_host_u16 (tcp0->dst),
1926 format_ip4_address, &new_addr0);
1927 next0 = SNAT_OUT2IN_NEXT_DROP;
1928 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1931 new_port0 = ses0->in_port;
1933 old_addr0 = ip0->dst_address;
1934 ip0->dst_address = new_addr0;
1935 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index;
1937 sum0 = ip0->checksum;
1938 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1940 dst_address /* changed member */);
1941 ip0->checksum = ip_csum_fold (sum0);
1943 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1945 if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
1946 ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT;
1947 else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK)
1948 snat_det_ses_close(dm0, ses0);
1950 old_port0 = tcp0->dst;
1951 tcp0->dst = new_port0;
1953 sum0 = tcp0->checksum;
1954 sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
1956 dst_address /* changed member */);
1958 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1959 ip4_header_t /* cheat */,
1960 length /* changed member */);
1961 tcp0->checksum = ip_csum_fold(sum0);
1965 old_port0 = udp0->dst_port;
1966 udp0->dst_port = new_port0;
1972 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1973 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1975 snat_out2in_trace_t *t =
1976 vlib_add_trace (vm, node, b0, sizeof (*t));
1977 t->sw_if_index = sw_if_index0;
1978 t->next_index = next0;
1979 t->session_index = ~0;
1981 t->session_index = ses0 - dm0->sessions;
1984 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1986 /* verify speculative enqueue, maybe switch current next frame */
1987 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1988 to_next, n_left_to_next,
1992 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1995 vlib_node_increment_counter (vm, snat_det_out2in_node.index,
1996 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1998 return frame->n_vectors;
2001 VLIB_REGISTER_NODE (snat_det_out2in_node) = {
2002 .function = snat_det_out2in_node_fn,
2003 .name = "nat44-det-out2in",
2004 .vector_size = sizeof (u32),
2005 .format_trace = format_snat_out2in_trace,
2006 .type = VLIB_NODE_TYPE_INTERNAL,
2008 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2009 .error_strings = snat_out2in_error_strings,
2011 .runtime_data_bytes = sizeof (snat_runtime_t),
2013 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2015 /* edit / add dispositions here */
2017 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2018 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2019 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2022 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
2025 * Get address and port values to be used for ICMP packet translation
2026 * and create session if needed
2028 * @param[in,out] sm NAT main
2029 * @param[in,out] node NAT node runtime
2030 * @param[in] thread_index thread index
2031 * @param[in,out] b0 buffer containing packet to be translated
2032 * @param[out] p_proto protocol used for matching
2033 * @param[out] p_value address and port after NAT translation
2034 * @param[out] p_dont_translate if packet should not be translated
2035 * @param d optional parameter
2036 * @param e optional parameter
2038 u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node,
2039 u32 thread_index, vlib_buffer_t *b0,
2040 ip4_header_t *ip0, u8 *p_proto,
2041 snat_session_key_t *p_value,
2042 u8 *p_dont_translate, void *d, void *e)
2044 icmp46_header_t *icmp0;
2047 snat_det_out_key_t key0;
2048 u8 dont_translate = 0;
2050 icmp_echo_header_t *echo0, *inner_echo0 = 0;
2051 ip4_header_t *inner_ip0;
2052 void *l4_header = 0;
2053 icmp46_header_t *inner_icmp0;
2054 snat_det_map_t * dm0 = 0;
2055 ip4_address_t new_addr0 = {{0}};
2056 snat_det_session_t * ses0 = 0;
2057 ip4_address_t out_addr;
2059 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
2060 echo0 = (icmp_echo_header_t *)(icmp0+1);
2061 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2063 if (!icmp_is_error_message (icmp0))
2065 protocol = SNAT_PROTOCOL_ICMP;
2066 key0.ext_host_addr = ip0->src_address;
2067 key0.ext_host_port = 0;
2068 key0.out_port = echo0->identifier;
2069 out_addr = ip0->dst_address;
2073 inner_ip0 = (ip4_header_t *)(echo0+1);
2074 l4_header = ip4_next_header (inner_ip0);
2075 protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
2076 key0.ext_host_addr = inner_ip0->dst_address;
2077 out_addr = inner_ip0->src_address;
2080 case SNAT_PROTOCOL_ICMP:
2081 inner_icmp0 = (icmp46_header_t*)l4_header;
2082 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
2083 key0.ext_host_port = 0;
2084 key0.out_port = inner_echo0->identifier;
2086 case SNAT_PROTOCOL_UDP:
2087 case SNAT_PROTOCOL_TCP:
2088 key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port;
2089 key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port;
2092 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
2093 next0 = SNAT_OUT2IN_NEXT_DROP;
2098 dm0 = snat_det_map_by_out(sm, &out_addr);
2099 if (PREDICT_FALSE(!dm0))
2101 /* Don't NAT packet aimed at the intfc address */
2102 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2103 ip0->dst_address.as_u32)))
2108 clib_warning("unknown dst address: %U",
2109 format_ip4_address, &ip0->dst_address);
2113 snat_det_reverse(dm0, &ip0->dst_address,
2114 clib_net_to_host_u16(key0.out_port), &new_addr0);
2116 ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64);
2117 if (PREDICT_FALSE(!ses0))
2119 /* Don't NAT packet aimed at the intfc address */
2120 if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0,
2121 ip0->dst_address.as_u32)))
2126 clib_warning("no match src %U:%d dst %U:%d for user %U",
2127 format_ip4_address, &key0.ext_host_addr,
2128 clib_net_to_host_u16 (key0.ext_host_port),
2129 format_ip4_address, &out_addr,
2130 clib_net_to_host_u16 (key0.out_port),
2131 format_ip4_address, &new_addr0);
2132 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2133 next0 = SNAT_OUT2IN_NEXT_DROP;
2137 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply &&
2138 !icmp_is_error_message (icmp0)))
2140 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
2141 next0 = SNAT_OUT2IN_NEXT_DROP;
2148 *p_proto = protocol;
2151 p_value->addr = new_addr0;
2152 p_value->fib_index = sm->inside_fib_index;
2153 p_value->port = ses0->in_port;
2155 *p_dont_translate = dont_translate;
2157 *(snat_det_session_t**)d = ses0;
2159 *(snat_det_map_t**)e = dm0;
2163 /**********************/
2164 /*** worker handoff ***/
2165 /**********************/
2167 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
2168 vlib_node_runtime_t * node,
2169 vlib_frame_t * frame)
2171 snat_main_t *sm = &snat_main;
2172 vlib_thread_main_t *tm = vlib_get_thread_main ();
2173 u32 n_left_from, *from, *to_next = 0;
2174 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
2175 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
2177 vlib_frame_queue_elt_t *hf = 0;
2178 vlib_frame_t *f = 0;
2180 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
2181 u32 next_worker_index = 0;
2182 u32 current_worker_index = ~0;
2183 u32 thread_index = vlib_get_thread_index ();
2185 ASSERT (vec_len (sm->workers));
2187 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
2189 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
2191 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
2192 sm->first_worker_index + sm->num_workers - 1,
2193 (vlib_frame_queue_t *) (~0));
2196 from = vlib_frame_vector_args (frame);
2197 n_left_from = frame->n_vectors;
2199 while (n_left_from > 0)
2212 b0 = vlib_get_buffer (vm, bi0);
2214 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
2215 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2217 ip0 = vlib_buffer_get_current (b0);
2219 next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0);
2221 if (PREDICT_FALSE (next_worker_index != thread_index))
2225 if (next_worker_index != current_worker_index)
2228 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2230 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
2232 handoff_queue_elt_by_worker_index);
2234 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
2235 to_next_worker = &hf->buffer_index[hf->n_vectors];
2236 current_worker_index = next_worker_index;
2239 /* enqueue to correct worker thread */
2240 to_next_worker[0] = bi0;
2242 n_left_to_next_worker--;
2244 if (n_left_to_next_worker == 0)
2246 hf->n_vectors = VLIB_FRAME_SIZE;
2247 vlib_put_frame_queue_elt (hf);
2248 current_worker_index = ~0;
2249 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
2256 /* if this is 1st frame */
2259 f = vlib_get_frame_to_node (vm, sm->out2in_node_index);
2260 to_next = vlib_frame_vector_args (f);
2268 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
2269 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2271 snat_out2in_worker_handoff_trace_t *t =
2272 vlib_add_trace (vm, node, b0, sizeof (*t));
2273 t->next_worker_index = next_worker_index;
2274 t->do_handoff = do_handoff;
2279 vlib_put_frame_to_node (vm, sm->out2in_node_index, f);
2282 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
2284 /* Ship frames to the worker nodes */
2285 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
2287 if (handoff_queue_elt_by_worker_index[i])
2289 hf = handoff_queue_elt_by_worker_index[i];
2291 * It works better to let the handoff node
2292 * rate-adapt, always ship the handoff queue element.
2294 if (1 || hf->n_vectors == hf->last_n_vectors)
2296 vlib_put_frame_queue_elt (hf);
2297 handoff_queue_elt_by_worker_index[i] = 0;
2300 hf->last_n_vectors = hf->n_vectors;
2302 congested_handoff_queue_by_worker_index[i] =
2303 (vlib_frame_queue_t *) (~0);
2306 current_worker_index = ~0;
2307 return frame->n_vectors;
2310 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
2311 .function = snat_out2in_worker_handoff_fn,
2312 .name = "nat44-out2in-worker-handoff",
2313 .vector_size = sizeof (u32),
2314 .format_trace = format_snat_out2in_worker_handoff_trace,
2315 .type = VLIB_NODE_TYPE_INTERNAL,
2324 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
2327 snat_out2in_fast_node_fn (vlib_main_t * vm,
2328 vlib_node_runtime_t * node,
2329 vlib_frame_t * frame)
2331 u32 n_left_from, * from, * to_next;
2332 snat_out2in_next_t next_index;
2333 u32 pkts_processed = 0;
2334 snat_main_t * sm = &snat_main;
2336 from = vlib_frame_vector_args (frame);
2337 n_left_from = frame->n_vectors;
2338 next_index = node->cached_next_index;
2340 while (n_left_from > 0)
2344 vlib_get_next_frame (vm, node, next_index,
2345 to_next, n_left_to_next);
2347 while (n_left_from > 0 && n_left_to_next > 0)
2351 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
2355 u32 new_addr0, old_addr0;
2356 u16 new_port0, old_port0;
2357 udp_header_t * udp0;
2358 tcp_header_t * tcp0;
2359 icmp46_header_t * icmp0;
2360 snat_session_key_t key0, sm0;
2364 /* speculatively enqueue b0 to the current next frame */
2370 n_left_to_next -= 1;
2372 b0 = vlib_get_buffer (vm, bi0);
2374 ip0 = vlib_buffer_get_current (b0);
2375 udp0 = ip4_next_header (ip0);
2376 tcp0 = (tcp_header_t *) udp0;
2377 icmp0 = (icmp46_header_t *) udp0;
2379 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
2380 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
2382 vnet_feature_next (sw_if_index0, &next0, b0);
2384 if (PREDICT_FALSE(ip0->ttl == 1))
2386 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
2387 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
2388 ICMP4_time_exceeded_ttl_exceeded_in_transit,
2390 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
2394 proto0 = ip_proto_to_snat_proto (ip0->protocol);
2396 if (PREDICT_FALSE (proto0 == ~0))
2399 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
2401 next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0,
2402 rx_fib_index0, node, next0, ~0, 0, 0);
2406 key0.addr = ip0->dst_address;
2407 key0.port = udp0->dst_port;
2408 key0.fib_index = rx_fib_index0;
2410 if (snat_static_mapping_match(sm, key0, &sm0, 1, 0))
2412 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
2416 new_addr0 = sm0.addr.as_u32;
2417 new_port0 = sm0.port;
2418 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
2419 old_addr0 = ip0->dst_address.as_u32;
2420 ip0->dst_address.as_u32 = new_addr0;
2422 sum0 = ip0->checksum;
2423 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2425 dst_address /* changed member */);
2426 ip0->checksum = ip_csum_fold (sum0);
2428 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
2430 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2432 old_port0 = tcp0->dst_port;
2433 tcp0->dst_port = new_port0;
2435 sum0 = tcp0->checksum;
2436 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2438 dst_address /* changed member */);
2440 sum0 = ip_csum_update (sum0, old_port0, new_port0,
2441 ip4_header_t /* cheat */,
2442 length /* changed member */);
2443 tcp0->checksum = ip_csum_fold(sum0);
2447 old_port0 = udp0->dst_port;
2448 udp0->dst_port = new_port0;
2454 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
2456 sum0 = tcp0->checksum;
2457 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
2459 dst_address /* changed member */);
2461 tcp0->checksum = ip_csum_fold(sum0);
2467 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
2468 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
2470 snat_out2in_trace_t *t =
2471 vlib_add_trace (vm, node, b0, sizeof (*t));
2472 t->sw_if_index = sw_if_index0;
2473 t->next_index = next0;
2476 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
2478 /* verify speculative enqueue, maybe switch current next frame */
2479 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
2480 to_next, n_left_to_next,
2484 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
2487 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
2488 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
2490 return frame->n_vectors;
2493 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
2494 .function = snat_out2in_fast_node_fn,
2495 .name = "nat44-out2in-fast",
2496 .vector_size = sizeof (u32),
2497 .format_trace = format_snat_out2in_fast_trace,
2498 .type = VLIB_NODE_TYPE_INTERNAL,
2500 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
2501 .error_strings = snat_out2in_error_strings,
2503 .runtime_data_bytes = sizeof (snat_runtime_t),
2505 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
2507 /* edit / add dispositions here */
2509 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2510 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
2511 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2514 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob