2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp.h>
27 #include <vppinfra/error.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_reass.h>
31 #include <nat/nat_inlines.h>
32 #include <nat/nat_syslog.h>
33 #include <nat/nat_ha.h>
35 static char *nat_out2in_ed_error_strings[] = {
36 #define _(sym,string) string,
37 foreach_nat_out2in_ed_error
43 NAT44_ED_OUT2IN_NEXT_DROP,
44 NAT44_ED_OUT2IN_NEXT_LOOKUP,
45 NAT44_ED_OUT2IN_NEXT_ICMP_ERROR,
46 NAT44_ED_OUT2IN_NEXT_IN2OUT,
47 NAT44_ED_OUT2IN_NEXT_SLOW_PATH,
48 NAT44_ED_OUT2IN_NEXT_REASS,
49 NAT44_ED_OUT2IN_N_NEXT,
50 } nat44_ed_out2in_next_t;
58 } nat44_ed_out2in_trace_t;
61 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
63 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
64 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
65 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
69 t->is_slow_path ? "NAT44_OUT2IN_ED_SLOW_PATH" :
70 "NAT44_OUT2IN_ED_FAST_PATH";
72 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
73 t->sw_if_index, t->next_index, t->session_index);
79 icmp_out2in_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
80 ip4_header_t * ip0, icmp46_header_t * icmp0,
81 u32 sw_if_index0, u32 rx_fib_index0,
82 vlib_node_runtime_t * node, u32 next0, f64 now,
83 u32 thread_index, snat_session_t ** p_s0)
85 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
86 next0, thread_index, p_s0, 0);
87 snat_session_t *s0 = *p_s0;
88 if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP && s0))
91 nat44_session_update_counters (s0, now,
92 vlib_buffer_length_in_chain
93 (sm->vlib_main, b0), thread_index);
94 /* Per-user LRU list maintenance */
95 nat44_session_update_lru (sm, s0, thread_index);
100 #ifndef CLIB_MARCH_VARIANT
102 nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
104 snat_main_t *sm = &snat_main;
105 nat44_is_idle_session_ctx_t *ctx = arg;
107 u64 sess_timeout_time;
108 nat_ed_ses_key_t ed_key;
109 clib_bihash_kv_16_8_t ed_kv;
112 snat_session_key_t key;
113 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
116 s = pool_elt_at_index (tsm->sessions, kv->value);
117 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
118 if (ctx->now >= sess_timeout_time)
120 ed_key.l_addr = s->in2out.addr;
121 ed_key.r_addr = s->ext_host_addr;
122 ed_key.fib_index = s->in2out.fib_index;
123 if (snat_is_unk_proto_session (s))
125 ed_key.proto = s->in2out.port;
131 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
132 ed_key.l_port = s->in2out.port;
133 ed_key.r_port = s->ext_host_port;
135 if (is_twice_nat_session (s))
137 ed_key.r_addr = s->ext_host_nat_addr;
138 ed_key.r_port = s->ext_host_nat_port;
140 ed_kv.key[0] = ed_key.as_u64[0];
141 ed_kv.key[1] = ed_key.as_u64[1];
142 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
143 nat_elog_warn ("in2out_ed key del failed");
145 if (snat_is_unk_proto_session (s))
148 snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
149 s->in2out.addr.as_u32,
150 s->out2in.addr.as_u32,
154 s->in2out.fib_index);
156 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
157 &s->in2out.addr, s->in2out.port,
158 &s->ext_host_nat_addr, s->ext_host_nat_port,
159 &s->out2in.addr, s->out2in.port,
160 &s->ext_host_addr, s->ext_host_port,
161 s->in2out.protocol, is_twice_nat_session (s));
163 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
164 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
167 if (is_twice_nat_session (s))
169 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
171 key.protocol = s->in2out.protocol;
172 key.port = s->ext_host_nat_port;
173 a = sm->twice_nat_addresses + i;
174 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
176 snat_free_outside_address_and_port (sm->twice_nat_addresses,
184 if (snat_is_session_static (s))
187 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
190 nat44_delete_session (sm, s, ctx->thread_index);
198 static snat_session_t *
199 create_session_for_static_mapping_ed (snat_main_t * sm,
201 snat_session_key_t l_key,
202 snat_session_key_t e_key,
203 vlib_node_runtime_t * node,
205 twice_nat_type_t twice_nat,
206 lb_nat_type_t lb_nat, f64 now)
212 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
213 clib_bihash_kv_16_8_t kv;
214 snat_session_key_t eh_key;
215 nat44_is_idle_session_ctx_t ctx;
217 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
219 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
220 nat_elog_notice ("maximum sessions exceeded");
224 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index, thread_index);
227 nat_elog_warn ("create NAT user failed");
231 s = nat_ed_session_alloc (sm, u, thread_index, now);
234 nat44_delete_user_with_no_session (sm, u, thread_index);
235 nat_elog_warn ("create NAT session failed");
239 ip = vlib_buffer_get_current (b);
240 udp = ip4_next_header (ip);
242 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
243 s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port;
244 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
246 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
247 if (lb_nat == AFFINITY_LB_NAT)
248 s->flags |= SNAT_SESSION_FLAG_AFFINITY;
249 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
252 s->in2out.protocol = s->out2in.protocol;
253 user_session_increment (sm, u, 1);
255 /* Add to lookup tables */
256 make_ed_kv (&kv, &e_key.addr, &s->ext_host_addr, ip->protocol,
257 e_key.fib_index, e_key.port, s->ext_host_port);
258 kv.value = s - tsm->sessions;
260 ctx.thread_index = thread_index;
261 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, &kv,
262 nat44_o2i_ed_is_idle_session_cb,
264 nat_elog_notice ("out2in-ed key add failed");
266 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
267 ip->src_address.as_u32 == l_key.addr.as_u32))
269 eh_key.protocol = e_key.protocol;
270 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
271 thread_index, &eh_key,
273 tsm->snat_thread_index))
275 b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
276 nat44_delete_session (sm, s, thread_index);
277 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0))
278 nat_elog_notice ("out2in-ed key del failed");
281 s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
282 s->ext_host_nat_port = eh_key.port;
283 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
284 make_ed_kv (&kv, &l_key.addr, &s->ext_host_nat_addr, ip->protocol,
285 l_key.fib_index, l_key.port, s->ext_host_nat_port);
289 make_ed_kv (&kv, &l_key.addr, &s->ext_host_addr, ip->protocol,
290 l_key.fib_index, l_key.port, s->ext_host_port);
292 kv.value = s - tsm->sessions;
293 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &kv,
294 nat44_i2o_ed_is_idle_session_cb,
296 nat_elog_notice ("in2out-ed key add failed");
298 snat_ipfix_logging_nat44_ses_create (thread_index,
299 s->in2out.addr.as_u32,
300 s->out2in.addr.as_u32,
303 s->out2in.port, s->in2out.fib_index);
305 nat_syslog_nat44_sadd (s->user_index, s->in2out.fib_index,
306 &s->in2out.addr, s->in2out.port,
307 &s->ext_host_nat_addr, s->ext_host_nat_port,
308 &s->out2in.addr, s->out2in.port,
309 &s->ext_host_addr, s->ext_host_port,
310 s->in2out.protocol, is_twice_nat_session (s));
312 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
313 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
314 &s->ext_host_nat_addr, s->ext_host_nat_port,
315 s->in2out.protocol, s->in2out.fib_index, s->flags,
322 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port,
323 u16 dst_port, u32 thread_index, u32 rx_fib_index)
325 clib_bihash_kv_16_8_t kv, value;
326 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
328 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto,
329 rx_fib_index, src_port, dst_port);
330 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
337 create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
340 nat_ed_ses_key_t key;
341 clib_bihash_kv_16_8_t kv, value;
344 snat_session_t *s = 0;
345 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
346 f64 now = vlib_time_now (sm->vlib_main);
348 if (ip->protocol == IP_PROTOCOL_ICMP)
350 if (get_icmp_o2i_ed_key (ip, &key))
353 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
355 udp = ip4_next_header (ip);
356 key.r_addr = ip->src_address;
357 key.l_addr = ip->dst_address;
358 key.proto = ip->protocol;
359 key.l_port = udp->dst_port;
360 key.r_port = udp->src_port;
364 key.r_addr = ip->src_address;
365 key.l_addr = ip->dst_address;
366 key.proto = ip->protocol;
367 key.l_port = key.r_port = 0;
370 kv.key[0] = key.as_u64[0];
371 kv.key[1] = key.as_u64[1];
373 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
375 s = pool_elt_at_index (tsm->sessions, value.value);
381 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
384 u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index,
388 nat_elog_warn ("create NAT user failed");
392 s = nat_ed_session_alloc (sm, u, thread_index, now);
395 nat44_delete_user_with_no_session (sm, u, thread_index);
396 nat_elog_warn ("create NAT session failed");
400 proto = ip_proto_to_snat_proto (key.proto);
402 s->ext_host_addr = key.r_addr;
403 s->ext_host_port = key.r_port;
404 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
405 s->out2in.addr = key.l_addr;
406 s->out2in.port = key.l_port;
407 s->out2in.protocol = proto;
410 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
411 s->out2in.port = ip->protocol;
413 s->out2in.fib_index = 0;
414 s->in2out = s->out2in;
415 user_session_increment (sm, u, 0);
417 kv.value = s - tsm->sessions;
418 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
419 nat_elog_notice ("in2out_ed key add failed");
422 if (ip->protocol == IP_PROTOCOL_TCP)
424 tcp_header_t *tcp = ip4_next_header (ip);
425 if (nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index))
430 nat44_session_update_counters (s, now, 0, thread_index);
431 /* Per-user LRU list maintenance */
432 nat44_session_update_lru (sm, s, thread_index);
436 create_bypass_for_fwd_worker (snat_main_t * sm, ip4_header_t * ip,
439 ip4_header_t ip_wkr = {
440 .src_address = ip->dst_address,
442 u32 thread_index = sm->worker_in2out_cb (&ip_wkr, rx_fib_index, 0);
444 create_bypass_for_fwd (sm, ip, rx_fib_index, thread_index);
447 #ifndef CLIB_MARCH_VARIANT
449 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
450 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
451 u8 * p_proto, snat_session_key_t * p_value,
452 u8 * p_dont_translate, void *d, void *e)
454 u32 next = ~0, sw_if_index, rx_fib_index;
455 icmp46_header_t *icmp;
456 nat_ed_ses_key_t key;
457 clib_bihash_kv_16_8_t kv, value;
458 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
459 snat_session_t *s = 0;
460 u8 dont_translate = 0, is_addr_only, identity_nat;
461 snat_session_key_t e_key, l_key;
463 icmp = (icmp46_header_t *) ip4_next_header (ip);
464 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
465 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
467 if (get_icmp_o2i_ed_key (ip, &key))
469 b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL];
470 next = NAT44_ED_OUT2IN_NEXT_DROP;
473 key.fib_index = rx_fib_index;
474 kv.key[0] = key.as_u64[0];
475 kv.key[1] = key.as_u64[1];
477 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
479 /* Try to match static mapping */
480 e_key.addr = ip->dst_address;
481 e_key.port = key.l_port;
482 e_key.protocol = ip_proto_to_snat_proto (key.proto);
483 e_key.fib_index = rx_fib_index;
484 if (snat_static_mapping_match
485 (sm, e_key, &l_key, 1, &is_addr_only, 0, 0, 0, &identity_nat))
487 if (!sm->forwarding_enabled)
489 /* Don't NAT packet aimed at the intfc address */
490 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index,
491 ip->dst_address.as_u32)))
496 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
497 next = NAT44_ED_OUT2IN_NEXT_DROP;
503 if (next_src_nat (sm, ip, key.proto, key.l_port, key.r_port,
504 thread_index, rx_fib_index))
506 next = NAT44_ED_OUT2IN_NEXT_IN2OUT;
509 if (sm->num_workers > 1)
510 create_bypass_for_fwd_worker (sm, ip, rx_fib_index);
512 create_bypass_for_fwd (sm, ip, rx_fib_index, thread_index);
517 if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
518 (icmp->type != ICMP4_echo_request || !is_addr_only)))
520 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
521 next = NAT44_ED_OUT2IN_NEXT_DROP;
525 if (PREDICT_FALSE (identity_nat))
531 /* Create session initiated by host from external network */
532 s = create_session_for_static_mapping_ed (sm, b, l_key, e_key, node,
539 next = NAT44_ED_OUT2IN_NEXT_DROP;
545 if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
546 icmp->type != ICMP4_echo_request &&
547 !icmp_is_error_message (icmp)))
549 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
550 next = NAT44_ED_OUT2IN_NEXT_DROP;
554 s = pool_elt_at_index (tsm->sessions, value.value);
557 *p_proto = ip_proto_to_snat_proto (key.proto);
560 *p_value = s->in2out;
561 *p_dont_translate = dont_translate;
563 *(snat_session_t **) d = s;
568 static snat_session_t *
569 nat44_ed_out2in_unknown_proto (snat_main_t * sm,
575 vlib_main_t * vm, vlib_node_runtime_t * node)
577 clib_bihash_kv_8_8_t kv, value;
578 clib_bihash_kv_16_8_t s_kv, s_value;
579 snat_static_mapping_t *m;
580 u32 old_addr, new_addr;
583 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
586 old_addr = ip->dst_address.as_u32;
588 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
591 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
593 s = pool_elt_at_index (tsm->sessions, s_value.value);
594 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
598 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
600 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
601 nat_elog_notice ("maximum sessions exceeded");
605 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
606 if (clib_bihash_search_8_8
607 (&sm->static_mapping_by_external, &kv, &value))
609 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
613 m = pool_elt_at_index (sm->static_mappings, value.value);
615 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
617 u = nat_user_get_or_create (sm, &m->local_addr, m->fib_index,
621 nat_elog_warn ("create NAT user failed");
625 /* Create a new session */
626 s = nat_ed_session_alloc (sm, u, thread_index, now);
629 nat44_delete_user_with_no_session (sm, u, thread_index);
630 nat_elog_warn ("create NAT session failed");
634 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
635 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
636 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
637 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
638 s->out2in.addr.as_u32 = old_addr;
639 s->out2in.fib_index = rx_fib_index;
640 s->in2out.addr.as_u32 = new_addr;
641 s->in2out.fib_index = m->fib_index;
642 s->in2out.port = s->out2in.port = ip->protocol;
643 user_session_increment (sm, u, 1);
645 /* Add to lookup tables */
646 s_kv.value = s - tsm->sessions;
647 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
648 nat_elog_notice ("out2in key add failed");
650 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
652 s_kv.value = s - tsm->sessions;
653 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
654 nat_elog_notice ("in2out key add failed");
657 /* Update IP checksum */
659 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
660 ip->checksum = ip_csum_fold (sum);
662 vnet_buffer (b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
665 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b),
667 /* Per-user LRU list maintenance */
668 nat44_session_update_lru (sm, s, thread_index);
674 nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
675 vlib_node_runtime_t * node,
676 vlib_frame_t * frame, int is_slow_path)
678 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
679 nat44_ed_out2in_next_t next_index;
680 snat_main_t *sm = &snat_main;
681 f64 now = vlib_time_now (vm);
682 u32 thread_index = vm->thread_index;
683 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
684 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
687 stats_node_index = is_slow_path ? sm->ed_out2in_slowpath_node_index :
688 sm->ed_out2in_node_index;
690 from = vlib_frame_vector_args (frame);
691 n_left_from = frame->n_vectors;
692 next_index = node->cached_next_index;
694 while (n_left_from > 0)
698 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
700 while (n_left_from >= 4 && n_left_to_next >= 2)
703 vlib_buffer_t *b0, *b1;
704 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
706 u32 next1, sw_if_index1, rx_fib_index1, proto1, old_addr1,
708 u16 old_port0, new_port0, old_port1, new_port1;
709 ip4_header_t *ip0, *ip1;
710 udp_header_t *udp0, *udp1;
711 tcp_header_t *tcp0, *tcp1;
712 icmp46_header_t *icmp0, *icmp1;
713 snat_session_t *s0 = 0, *s1 = 0;
714 clib_bihash_kv_16_8_t kv0, value0, kv1, value1;
715 ip_csum_t sum0, sum1;
716 snat_session_key_t e_key0, l_key0, e_key1, l_key1;
717 lb_nat_type_t lb_nat0, lb_nat1;
718 twice_nat_type_t twice_nat0, twice_nat1;
719 u8 identity_nat0, identity_nat1;
721 /* Prefetch next iteration. */
723 vlib_buffer_t *p2, *p3;
725 p2 = vlib_get_buffer (vm, from[2]);
726 p3 = vlib_get_buffer (vm, from[3]);
728 vlib_prefetch_buffer_header (p2, LOAD);
729 vlib_prefetch_buffer_header (p3, LOAD);
731 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
732 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
735 /* speculatively enqueue b0 and b1 to the current next frame */
736 to_next[0] = bi0 = from[0];
737 to_next[1] = bi1 = from[1];
743 b0 = vlib_get_buffer (vm, bi0);
744 b1 = vlib_get_buffer (vm, bi1);
746 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
747 vnet_buffer (b0)->snat.flags = 0;
748 ip0 = vlib_buffer_get_current (b0);
750 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
752 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
755 if (PREDICT_FALSE (ip0->ttl == 1))
757 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
758 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
759 ICMP4_time_exceeded_ttl_exceeded_in_transit,
761 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
765 udp0 = ip4_next_header (ip0);
766 tcp0 = (tcp_header_t *) udp0;
767 icmp0 = (icmp46_header_t *) udp0;
768 proto0 = ip_proto_to_snat_proto (ip0->protocol);
772 if (PREDICT_FALSE (proto0 == ~0))
775 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
776 thread_index, now, vm,
779 if (!sm->forwarding_enabled)
782 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
787 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
789 next0 = icmp_out2in_ed_slow_path
790 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
791 next0, now, thread_index, &s0);
798 if (PREDICT_FALSE (proto0 == ~0))
800 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
804 if (ip4_is_fragment (ip0))
806 next0 = NAT44_ED_OUT2IN_NEXT_REASS;
811 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
813 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
818 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
819 ip0->protocol, rx_fib_index0, udp0->dst_port,
822 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
826 /* Try to match static mapping by external address and port,
827 destination address and port in packet */
828 e_key0.addr = ip0->dst_address;
829 e_key0.port = udp0->dst_port;
830 e_key0.protocol = proto0;
831 e_key0.fib_index = rx_fib_index0;
832 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
833 &twice_nat0, &lb_nat0,
838 * Send DHCP packets to the ipv4 stack, or we won't
839 * be able to use dhcp client on the outside interface
841 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
842 && (udp0->dst_port ==
844 (UDP_DST_PORT_dhcp_to_client))))
846 vnet_feature_next (&next0, b0);
850 if (!sm->forwarding_enabled)
853 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
854 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
858 if (next_src_nat (sm, ip0, ip0->protocol,
859 udp0->src_port, udp0->dst_port,
860 thread_index, rx_fib_index0))
862 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
865 if (sm->num_workers > 1)
866 create_bypass_for_fwd_worker (sm, ip0,
869 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
875 if (PREDICT_FALSE (identity_nat0))
878 if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
880 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
881 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
885 /* Create session initiated by host from external network */
886 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
894 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
900 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
906 s0 = pool_elt_at_index (tsm->sessions, value0.value);
909 old_addr0 = ip0->dst_address.as_u32;
910 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
911 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
913 sum0 = ip0->checksum;
914 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
916 if (PREDICT_FALSE (is_twice_nat_session (s0)))
917 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
918 s0->ext_host_nat_addr.as_u32, ip4_header_t,
920 ip0->checksum = ip_csum_fold (sum0);
922 old_port0 = udp0->dst_port;
923 new_port0 = udp0->dst_port = s0->in2out.port;
925 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
927 sum0 = tcp0->checksum;
928 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
930 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
932 if (is_twice_nat_session (s0))
934 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
935 s0->ext_host_nat_addr.as_u32,
936 ip4_header_t, dst_address);
937 sum0 = ip_csum_update (sum0, tcp0->src_port,
938 s0->ext_host_nat_port, ip4_header_t,
940 tcp0->src_port = s0->ext_host_nat_port;
941 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
943 tcp0->checksum = ip_csum_fold (sum0);
945 if (nat44_set_tcp_session_state_o2i
946 (sm, s0, tcp0, thread_index))
949 else if (udp0->checksum)
951 sum0 = udp0->checksum;
952 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
954 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
956 if (PREDICT_FALSE (is_twice_nat_session (s0)))
958 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
959 s0->ext_host_nat_addr.as_u32,
960 ip4_header_t, dst_address);
961 sum0 = ip_csum_update (sum0, udp0->src_port,
962 s0->ext_host_nat_port, ip4_header_t,
964 udp0->src_port = s0->ext_host_nat_port;
965 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
967 udp0->checksum = ip_csum_fold (sum0);
972 if (PREDICT_FALSE (is_twice_nat_session (s0)))
974 udp0->src_port = s0->ext_host_nat_port;
975 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
981 nat44_session_update_counters (s0, now,
982 vlib_buffer_length_in_chain (vm, b0),
984 /* Per-user LRU list maintenance */
985 nat44_session_update_lru (sm, s0, thread_index);
988 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
989 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
991 nat44_ed_out2in_trace_t *t =
992 vlib_add_trace (vm, node, b0, sizeof (*t));
993 t->is_slow_path = is_slow_path;
994 t->sw_if_index = sw_if_index0;
995 t->next_index = next0;
996 t->session_index = ~0;
998 t->session_index = s0 - tsm->sessions;
1001 pkts_processed += next0 == NAT44_ED_OUT2IN_NEXT_LOOKUP;
1003 next1 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1004 vnet_buffer (b1)->snat.flags = 0;
1005 ip1 = vlib_buffer_get_current (b1);
1007 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
1009 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1012 if (PREDICT_FALSE (ip1->ttl == 1))
1014 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1015 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1016 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1018 next1 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
1022 udp1 = ip4_next_header (ip1);
1023 tcp1 = (tcp_header_t *) udp1;
1024 icmp1 = (icmp46_header_t *) udp1;
1025 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1029 if (PREDICT_FALSE (proto1 == ~0))
1032 nat44_ed_out2in_unknown_proto (sm, b1, ip1, rx_fib_index1,
1033 thread_index, now, vm,
1036 if (!sm->forwarding_enabled)
1039 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1044 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1046 next1 = icmp_out2in_ed_slow_path
1047 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1048 next1, now, thread_index, &s1);
1055 if (PREDICT_FALSE (proto1 == ~0))
1057 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1061 if (ip4_is_fragment (ip1))
1063 next1 = NAT44_ED_OUT2IN_NEXT_REASS;
1068 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1070 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1075 make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address,
1076 ip1->protocol, rx_fib_index1, udp1->dst_port,
1079 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1))
1083 /* Try to match static mapping by external address and port,
1084 destination address and port in packet */
1085 e_key1.addr = ip1->dst_address;
1086 e_key1.port = udp1->dst_port;
1087 e_key1.protocol = proto1;
1088 e_key1.fib_index = rx_fib_index1;
1089 if (snat_static_mapping_match (sm, e_key1, &l_key1, 1, 0,
1090 &twice_nat1, &lb_nat1,
1095 * Send DHCP packets to the ipv4 stack, or we won't
1096 * be able to use dhcp client on the outside interface
1098 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
1099 && (udp1->dst_port ==
1100 clib_host_to_net_u16
1101 (UDP_DST_PORT_dhcp_to_client))))
1103 vnet_feature_next (&next1, b1);
1107 if (!sm->forwarding_enabled)
1110 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1111 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1115 if (next_src_nat (sm, ip1, ip1->protocol,
1116 udp1->src_port, udp1->dst_port,
1117 thread_index, rx_fib_index1))
1119 next1 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1122 if (sm->num_workers > 1)
1123 create_bypass_for_fwd_worker (sm, ip1,
1126 create_bypass_for_fwd (sm, ip1, rx_fib_index1,
1132 if (PREDICT_FALSE (identity_nat1))
1135 if ((proto1 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp1))
1137 b1->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1138 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1142 /* Create session initiated by host from external network */
1143 s1 = create_session_for_static_mapping_ed (sm, b1, l_key1,
1151 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1157 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1163 s1 = pool_elt_at_index (tsm->sessions, value1.value);
1166 old_addr1 = ip1->dst_address.as_u32;
1167 new_addr1 = ip1->dst_address.as_u32 = s1->in2out.addr.as_u32;
1168 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1170 sum1 = ip1->checksum;
1171 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1173 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1174 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
1175 s1->ext_host_nat_addr.as_u32, ip4_header_t,
1177 ip1->checksum = ip_csum_fold (sum1);
1179 old_port1 = udp1->dst_port;
1180 new_port1 = udp1->dst_port = s1->in2out.port;
1182 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
1184 sum1 = tcp1->checksum;
1185 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1187 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
1189 if (is_twice_nat_session (s1))
1191 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
1192 s1->ext_host_nat_addr.as_u32,
1193 ip4_header_t, dst_address);
1194 sum1 = ip_csum_update (sum1, tcp1->src_port,
1195 s1->ext_host_nat_port, ip4_header_t,
1197 tcp1->src_port = s1->ext_host_nat_port;
1198 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
1200 tcp1->checksum = ip_csum_fold (sum1);
1202 if (nat44_set_tcp_session_state_o2i
1203 (sm, s1, tcp1, thread_index))
1206 else if (udp1->checksum)
1208 sum1 = udp1->checksum;
1209 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1211 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
1213 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1215 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
1216 s1->ext_host_nat_addr.as_u32,
1217 ip4_header_t, dst_address);
1218 sum1 = ip_csum_update (sum1, udp1->src_port,
1219 s1->ext_host_nat_port, ip4_header_t,
1221 udp1->src_port = s1->ext_host_nat_port;
1222 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
1224 udp1->checksum = ip_csum_fold (sum1);
1229 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1231 udp1->src_port = s1->ext_host_nat_port;
1232 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
1238 nat44_session_update_counters (s1, now,
1239 vlib_buffer_length_in_chain (vm, b1),
1241 /* Per-user LRU list maintenance */
1242 nat44_session_update_lru (sm, s1, thread_index);
1245 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1246 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1248 nat44_ed_out2in_trace_t *t =
1249 vlib_add_trace (vm, node, b1, sizeof (*t));
1250 t->is_slow_path = is_slow_path;
1251 t->sw_if_index = sw_if_index1;
1252 t->next_index = next1;
1253 t->session_index = ~0;
1255 t->session_index = s1 - tsm->sessions;
1258 pkts_processed += next1 == NAT44_ED_OUT2IN_NEXT_LOOKUP;
1260 /* verify speculative enqueues, maybe switch current next frame */
1261 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1262 to_next, n_left_to_next,
1263 bi0, bi1, next0, next1);
1266 while (n_left_from > 0 && n_left_to_next > 0)
1270 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
1272 u16 old_port0, new_port0;
1276 icmp46_header_t *icmp0;
1277 snat_session_t *s0 = 0;
1278 clib_bihash_kv_16_8_t kv0, value0;
1280 snat_session_key_t e_key0, l_key0;
1281 lb_nat_type_t lb_nat0;
1282 twice_nat_type_t twice_nat0;
1285 /* speculatively enqueue b0 to the current next frame */
1291 n_left_to_next -= 1;
1293 b0 = vlib_get_buffer (vm, bi0);
1294 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1295 vnet_buffer (b0)->snat.flags = 0;
1296 ip0 = vlib_buffer_get_current (b0);
1298 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1300 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1303 if (PREDICT_FALSE (ip0->ttl == 1))
1305 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1306 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1307 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1309 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
1313 udp0 = ip4_next_header (ip0);
1314 tcp0 = (tcp_header_t *) udp0;
1315 icmp0 = (icmp46_header_t *) udp0;
1316 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1320 if (PREDICT_FALSE (proto0 == ~0))
1323 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
1324 thread_index, now, vm,
1327 if (!sm->forwarding_enabled)
1330 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1335 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1337 next0 = icmp_out2in_ed_slow_path
1338 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1339 next0, now, thread_index, &s0);
1346 if (PREDICT_FALSE (proto0 == ~0))
1348 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1352 if (ip4_is_fragment (ip0))
1354 next0 = NAT44_ED_OUT2IN_NEXT_REASS;
1359 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1361 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1366 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
1367 ip0->protocol, rx_fib_index0, udp0->dst_port,
1370 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
1374 /* Try to match static mapping by external address and port,
1375 destination address and port in packet */
1376 e_key0.addr = ip0->dst_address;
1377 e_key0.port = udp0->dst_port;
1378 e_key0.protocol = proto0;
1379 e_key0.fib_index = rx_fib_index0;
1380 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1381 &twice_nat0, &lb_nat0,
1386 * Send DHCP packets to the ipv4 stack, or we won't
1387 * be able to use dhcp client on the outside interface
1389 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1390 && (udp0->dst_port ==
1391 clib_host_to_net_u16
1392 (UDP_DST_PORT_dhcp_to_client))))
1394 vnet_feature_next (&next0, b0);
1398 if (!sm->forwarding_enabled)
1401 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1402 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1406 if (next_src_nat (sm, ip0, ip0->protocol,
1407 udp0->src_port, udp0->dst_port,
1408 thread_index, rx_fib_index0))
1410 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1413 if (sm->num_workers > 1)
1414 create_bypass_for_fwd_worker (sm, ip0,
1417 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
1423 if (PREDICT_FALSE (identity_nat0))
1426 if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
1428 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1429 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1433 /* Create session initiated by host from external network */
1434 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1442 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1448 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1454 s0 = pool_elt_at_index (tsm->sessions, value0.value);
1457 old_addr0 = ip0->dst_address.as_u32;
1458 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
1459 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1461 sum0 = ip0->checksum;
1462 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1464 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1465 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1466 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1468 ip0->checksum = ip_csum_fold (sum0);
1470 old_port0 = udp0->dst_port;
1471 new_port0 = udp0->dst_port = s0->in2out.port;
1473 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1475 sum0 = tcp0->checksum;
1476 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1478 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1480 if (is_twice_nat_session (s0))
1482 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1483 s0->ext_host_nat_addr.as_u32,
1484 ip4_header_t, dst_address);
1485 sum0 = ip_csum_update (sum0, tcp0->src_port,
1486 s0->ext_host_nat_port, ip4_header_t,
1488 tcp0->src_port = s0->ext_host_nat_port;
1489 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1491 tcp0->checksum = ip_csum_fold (sum0);
1493 if (nat44_set_tcp_session_state_o2i
1494 (sm, s0, tcp0, thread_index))
1497 else if (udp0->checksum)
1499 sum0 = udp0->checksum;
1500 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1502 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1504 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1506 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1507 s0->ext_host_nat_addr.as_u32,
1508 ip4_header_t, dst_address);
1509 sum0 = ip_csum_update (sum0, udp0->src_port,
1510 s0->ext_host_nat_port, ip4_header_t,
1512 udp0->src_port = s0->ext_host_nat_port;
1513 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1515 udp0->checksum = ip_csum_fold (sum0);
1520 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1522 udp0->src_port = s0->ext_host_nat_port;
1523 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1529 nat44_session_update_counters (s0, now,
1530 vlib_buffer_length_in_chain (vm, b0),
1532 /* Per-user LRU list maintenance */
1533 nat44_session_update_lru (sm, s0, thread_index);
1536 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1537 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1539 nat44_ed_out2in_trace_t *t =
1540 vlib_add_trace (vm, node, b0, sizeof (*t));
1541 t->is_slow_path = is_slow_path;
1542 t->sw_if_index = sw_if_index0;
1543 t->next_index = next0;
1544 t->session_index = ~0;
1546 t->session_index = s0 - tsm->sessions;
1549 pkts_processed += next0 == NAT44_ED_OUT2IN_NEXT_LOOKUP;
1550 /* verify speculative enqueue, maybe switch current next frame */
1551 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1552 to_next, n_left_to_next,
1556 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1559 vlib_node_increment_counter (vm, stats_node_index,
1560 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1562 vlib_node_increment_counter (vm, stats_node_index,
1563 NAT_OUT2IN_ED_ERROR_TCP_PACKETS, tcp_packets);
1564 vlib_node_increment_counter (vm, stats_node_index,
1565 NAT_OUT2IN_ED_ERROR_UDP_PACKETS, udp_packets);
1566 vlib_node_increment_counter (vm, stats_node_index,
1567 NAT_OUT2IN_ED_ERROR_ICMP_PACKETS,
1569 vlib_node_increment_counter (vm, stats_node_index,
1570 NAT_OUT2IN_ED_ERROR_OTHER_PACKETS,
1572 vlib_node_increment_counter (vm, stats_node_index,
1573 NAT_OUT2IN_ED_ERROR_FRAGMENTS, fragments);
1574 return frame->n_vectors;
1577 VLIB_NODE_FN (nat44_ed_out2in_node) (vlib_main_t * vm,
1578 vlib_node_runtime_t * node,
1579 vlib_frame_t * frame)
1581 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 0);
1585 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
1586 .name = "nat44-ed-out2in",
1587 .vector_size = sizeof (u32),
1588 .format_trace = format_nat44_ed_out2in_trace,
1589 .type = VLIB_NODE_TYPE_INTERNAL,
1590 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1591 .error_strings = nat_out2in_ed_error_strings,
1592 .runtime_data_bytes = sizeof (snat_runtime_t),
1593 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1595 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1596 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1597 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1598 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1599 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1600 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1605 VLIB_NODE_FN (nat44_ed_out2in_slowpath_node) (vlib_main_t * vm,
1606 vlib_node_runtime_t * node,
1607 vlib_frame_t * frame)
1609 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 1);
1613 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
1614 .name = "nat44-ed-out2in-slowpath",
1615 .vector_size = sizeof (u32),
1616 .format_trace = format_nat44_ed_out2in_trace,
1617 .type = VLIB_NODE_TYPE_INTERNAL,
1618 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1619 .error_strings = nat_out2in_ed_error_strings,
1620 .runtime_data_bytes = sizeof (snat_runtime_t),
1621 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1623 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1624 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1625 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1626 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1627 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1628 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1633 VLIB_NODE_FN (nat44_ed_out2in_reass_node) (vlib_main_t * vm,
1634 vlib_node_runtime_t * node,
1635 vlib_frame_t * frame)
1637 u32 n_left_from, *from, *to_next;
1638 nat44_ed_out2in_next_t next_index;
1639 u32 pkts_processed = 0;
1640 snat_main_t *sm = &snat_main;
1641 f64 now = vlib_time_now (vm);
1642 u32 thread_index = vm->thread_index;
1643 snat_main_per_thread_data_t *per_thread_data =
1644 &sm->per_thread_data[thread_index];
1645 u32 *fragments_to_drop = 0;
1646 u32 *fragments_to_loopback = 0;
1648 from = vlib_frame_vector_args (frame);
1649 n_left_from = frame->n_vectors;
1650 next_index = node->cached_next_index;
1652 while (n_left_from > 0)
1656 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1658 while (n_left_from > 0 && n_left_to_next > 0)
1660 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1665 nat_reass_ip4_t *reass0;
1668 icmp46_header_t *icmp0;
1669 clib_bihash_kv_16_8_t kv0, value0;
1670 snat_session_t *s0 = 0;
1671 u16 old_port0, new_port0;
1673 snat_session_key_t e_key0, l_key0;
1675 twice_nat_type_t twice_nat0;
1678 /* speculatively enqueue b0 to the current next frame */
1684 n_left_to_next -= 1;
1686 b0 = vlib_get_buffer (vm, bi0);
1687 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1689 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1691 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1694 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
1696 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1697 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT];
1701 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1702 udp0 = ip4_next_header (ip0);
1703 tcp0 = (tcp_header_t *) udp0;
1704 icmp0 = (icmp46_header_t *) udp0;
1705 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1707 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1711 1, &fragments_to_drop);
1713 if (PREDICT_FALSE (!reass0))
1715 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1716 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_REASS];
1717 nat_elog_notice ("maximum reassemblies exceeded");
1721 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1723 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1725 next0 = icmp_out2in_ed_slow_path
1726 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1727 next0, now, thread_index, &s0);
1729 if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP))
1732 reass0->sess_index = s0 - per_thread_data->sessions;
1734 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1735 reass0->thread_index = thread_index;
1736 nat_ip4_reass_get_frags (reass0,
1737 &fragments_to_loopback);
1743 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
1744 ip0->protocol, rx_fib_index0, udp0->dst_port,
1747 if (clib_bihash_search_16_8
1748 (&per_thread_data->out2in_ed, &kv0, &value0))
1750 /* Try to match static mapping by external address and port,
1751 destination address and port in packet */
1752 e_key0.addr = ip0->dst_address;
1753 e_key0.port = udp0->dst_port;
1754 e_key0.protocol = proto0;
1755 e_key0.fib_index = rx_fib_index0;
1756 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1757 &twice_nat0, &lb0, 0,
1761 * Send DHCP packets to the ipv4 stack, or we won't
1762 * be able to use dhcp client on the outside interface
1764 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1767 clib_host_to_net_u16
1768 (UDP_DST_PORT_dhcp_to_client))))
1770 vnet_feature_next (&next0, b0);
1774 if (!sm->forwarding_enabled)
1777 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1778 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1782 if (next_src_nat (sm, ip0, ip0->protocol,
1783 udp0->src_port, udp0->dst_port,
1784 thread_index, rx_fib_index0))
1786 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1789 if (sm->num_workers > 1)
1790 create_bypass_for_fwd_worker (sm, ip0,
1793 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
1795 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1796 nat_ip4_reass_get_frags (reass0,
1797 &fragments_to_loopback);
1802 if (PREDICT_FALSE (identity_nat0))
1804 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1808 if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
1810 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1811 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1815 /* Create session initiated by host from external network */
1816 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1824 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1825 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1828 reass0->sess_index = s0 - per_thread_data->sessions;
1829 reass0->thread_index = thread_index;
1833 s0 = pool_elt_at_index (per_thread_data->sessions,
1835 reass0->sess_index = value0.value;
1837 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1841 if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
1843 if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
1845 if (nat_ip4_reass_add_fragment
1846 (thread_index, reass0, bi0, &fragments_to_drop))
1848 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_FRAG];
1850 ("maximum fragments per reassembly exceeded");
1851 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1857 s0 = pool_elt_at_index (per_thread_data->sessions,
1858 reass0->sess_index);
1861 old_addr0 = ip0->dst_address.as_u32;
1862 ip0->dst_address = s0->in2out.addr;
1863 new_addr0 = ip0->dst_address.as_u32;
1864 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1866 sum0 = ip0->checksum;
1867 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1869 dst_address /* changed member */ );
1870 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1871 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1872 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1874 ip0->checksum = ip_csum_fold (sum0);
1876 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1878 old_port0 = udp0->dst_port;
1879 new_port0 = udp0->dst_port = s0->in2out.port;
1881 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1883 sum0 = tcp0->checksum;
1884 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1886 dst_address /* changed member */ );
1888 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1889 ip4_header_t /* cheat */ ,
1890 length /* changed member */ );
1891 if (is_twice_nat_session (s0))
1893 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1894 s0->ext_host_nat_addr.as_u32,
1895 ip4_header_t, dst_address);
1896 sum0 = ip_csum_update (sum0, tcp0->src_port,
1897 s0->ext_host_nat_port,
1898 ip4_header_t, length);
1899 tcp0->src_port = s0->ext_host_nat_port;
1900 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1902 tcp0->checksum = ip_csum_fold (sum0);
1904 else if (udp0->checksum)
1906 sum0 = udp0->checksum;
1908 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1911 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1913 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1915 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1916 s0->ext_host_nat_addr.as_u32,
1917 ip4_header_t, dst_address);
1918 sum0 = ip_csum_update (sum0, udp0->src_port,
1919 s0->ext_host_nat_port,
1920 ip4_header_t, length);
1921 udp0->src_port = s0->ext_host_nat_port;
1922 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1924 udp0->checksum = ip_csum_fold (sum0);
1928 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1930 udp0->src_port = s0->ext_host_nat_port;
1931 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1937 nat44_session_update_counters (s0, now,
1938 vlib_buffer_length_in_chain (vm, b0),
1940 /* Per-user LRU list maintenance */
1941 nat44_session_update_lru (sm, s0, thread_index);
1944 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1945 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1947 nat44_reass_trace_t *t =
1948 vlib_add_trace (vm, node, b0, sizeof (*t));
1949 t->cached = cached0;
1950 t->sw_if_index = sw_if_index0;
1951 t->next_index = next0;
1961 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
1963 /* verify speculative enqueue, maybe switch current next frame */
1964 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1965 to_next, n_left_to_next,
1969 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1971 from = vlib_frame_vector_args (frame);
1972 u32 len = vec_len (fragments_to_loopback);
1973 if (len <= VLIB_FRAME_SIZE)
1975 clib_memcpy_fast (from, fragments_to_loopback,
1976 sizeof (u32) * len);
1978 vec_reset_length (fragments_to_loopback);
1982 clib_memcpy_fast (from, fragments_to_loopback +
1983 (len - VLIB_FRAME_SIZE),
1984 sizeof (u32) * VLIB_FRAME_SIZE);
1985 n_left_from = VLIB_FRAME_SIZE;
1986 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1991 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1994 vlib_node_increment_counter (vm, sm->ed_out2in_reass_node_index,
1995 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1998 nat_send_all_to_node (vm, fragments_to_drop, node,
1999 &node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT],
2000 NAT44_ED_OUT2IN_NEXT_DROP);
2002 vec_free (fragments_to_drop);
2003 vec_free (fragments_to_loopback);
2004 return frame->n_vectors;
2008 VLIB_REGISTER_NODE (nat44_ed_out2in_reass_node) = {
2009 .name = "nat44-ed-out2in-reass",
2010 .vector_size = sizeof (u32),
2011 .format_trace = format_nat44_reass_trace,
2012 .type = VLIB_NODE_TYPE_INTERNAL,
2013 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
2014 .error_strings = nat_out2in_ed_error_strings,
2015 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
2017 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
2018 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
2019 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
2020 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
2021 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
2022 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
2028 * fd.io coding-style-patch-verification: ON
2031 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob