2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp.h>
27 #include <vppinfra/error.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat44/inlines.h>
32 #include <nat/nat_syslog.h>
33 #include <nat/nat_ha.h>
35 static char *nat_out2in_ed_error_strings[] = {
36 #define _(sym,string) string,
37 foreach_nat_out2in_ed_error
47 } nat44_ed_out2in_trace_t;
50 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
52 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
53 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
54 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
58 t->is_slow_path ? "NAT44_OUT2IN_ED_SLOW_PATH" :
59 "NAT44_OUT2IN_ED_FAST_PATH";
61 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
62 t->sw_if_index, t->next_index, t->session_index);
68 icmp_out2in_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
69 ip4_header_t * ip0, icmp46_header_t * icmp0,
70 u32 sw_if_index0, u32 rx_fib_index0,
71 vlib_node_runtime_t * node, u32 next0, f64 now,
72 u32 thread_index, snat_session_t ** p_s0)
74 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
75 next0, thread_index, p_s0, 0);
76 snat_session_t *s0 = *p_s0;
77 if (PREDICT_TRUE (next0 != NAT_NEXT_DROP && s0))
80 nat44_session_update_counters (s0, now,
81 vlib_buffer_length_in_chain
82 (sm->vlib_main, b0), thread_index);
83 /* Per-user LRU list maintenance */
84 nat44_session_update_lru (sm, s0, thread_index);
89 #ifndef CLIB_MARCH_VARIANT
91 nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
93 snat_main_t *sm = &snat_main;
94 nat44_is_idle_session_ctx_t *ctx = arg;
96 u64 sess_timeout_time;
99 ip4_address_t *l_addr, *r_addr;
101 clib_bihash_kv_16_8_t ed_kv;
104 snat_session_key_t key;
105 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
108 s = pool_elt_at_index (tsm->sessions, kv->value);
109 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
110 if (ctx->now >= sess_timeout_time)
112 l_addr = &s->in2out.addr;
113 r_addr = &s->ext_host_addr;
114 fib_index = s->in2out.fib_index;
115 if (snat_is_unk_proto_session (s))
117 proto = s->in2out.port;
123 proto = snat_proto_to_ip_proto (s->in2out.protocol);
124 l_port = s->in2out.port;
125 r_port = s->ext_host_port;
127 if (is_twice_nat_session (s))
129 r_addr = &s->ext_host_nat_addr;
130 r_port = s->ext_host_nat_port;
132 make_ed_kv (l_addr, r_addr, proto, fib_index, l_port, r_port, ~0ULL,
134 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
135 nat_elog_warn ("in2out_ed key del failed");
137 if (snat_is_unk_proto_session (s))
140 snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
141 s->in2out.addr.as_u32,
142 s->out2in.addr.as_u32,
146 s->in2out.fib_index);
148 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
149 &s->in2out.addr, s->in2out.port,
150 &s->ext_host_nat_addr, s->ext_host_nat_port,
151 &s->out2in.addr, s->out2in.port,
152 &s->ext_host_addr, s->ext_host_port,
153 s->in2out.protocol, is_twice_nat_session (s));
155 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
156 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
159 if (is_twice_nat_session (s))
161 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
163 key.protocol = s->in2out.protocol;
164 key.port = s->ext_host_nat_port;
165 a = sm->twice_nat_addresses + i;
166 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
168 snat_free_outside_address_and_port (sm->twice_nat_addresses,
176 if (snat_is_session_static (s))
179 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
182 nat44_ed_delete_session (sm, s, ctx->thread_index, 1);
190 static snat_session_t *
191 create_session_for_static_mapping_ed (snat_main_t * sm,
193 snat_session_key_t l_key,
194 snat_session_key_t e_key,
195 vlib_node_runtime_t * node,
198 twice_nat_type_t twice_nat,
199 lb_nat_type_t lb_nat, f64 now)
204 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
205 clib_bihash_kv_16_8_t kv;
206 snat_session_key_t eh_key;
207 nat44_is_idle_session_ctx_t ctx;
210 (nat44_ed_maximum_sessions_exceeded (sm, rx_fib_index, thread_index)))
212 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
213 nat_elog_notice ("maximum sessions exceeded");
217 s = nat_ed_session_alloc (sm, thread_index, now);
220 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_USER_SESS_EXCEEDED];
221 nat_elog_warn ("create NAT session failed");
225 ip = vlib_buffer_get_current (b);
226 udp = ip4_next_header (ip);
228 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
229 s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port;
230 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
232 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
233 if (lb_nat == AFFINITY_LB_NAT)
234 s->flags |= SNAT_SESSION_FLAG_AFFINITY;
235 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
238 s->in2out.protocol = s->out2in.protocol;
240 /* Add to lookup tables */
241 make_ed_kv (&e_key.addr, &s->ext_host_addr, ip->protocol,
242 e_key.fib_index, e_key.port, s->ext_host_port,
243 s - tsm->sessions, &kv);
245 ctx.thread_index = thread_index;
246 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, &kv,
247 nat44_o2i_ed_is_idle_session_cb,
249 nat_elog_notice ("out2in-ed key add failed");
251 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
252 ip->src_address.as_u32 == l_key.addr.as_u32))
254 eh_key.protocol = e_key.protocol;
255 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
256 thread_index, &eh_key,
258 tsm->snat_thread_index))
260 b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
261 nat44_ed_delete_session (sm, s, thread_index, 1);
262 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0))
263 nat_elog_notice ("out2in-ed key del failed");
266 s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
267 s->ext_host_nat_port = eh_key.port;
268 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
269 make_ed_kv (&l_key.addr, &s->ext_host_nat_addr, ip->protocol,
270 l_key.fib_index, l_key.port, s->ext_host_nat_port,
271 s - tsm->sessions, &kv);
275 make_ed_kv (&l_key.addr, &s->ext_host_addr, ip->protocol,
276 l_key.fib_index, l_key.port, s->ext_host_port,
277 s - tsm->sessions, &kv);
279 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &kv,
280 nat44_i2o_ed_is_idle_session_cb,
282 nat_elog_notice ("in2out-ed key add failed");
284 snat_ipfix_logging_nat44_ses_create (thread_index,
285 s->in2out.addr.as_u32,
286 s->out2in.addr.as_u32,
289 s->out2in.port, s->in2out.fib_index);
291 nat_syslog_nat44_sadd (s->user_index, s->in2out.fib_index,
292 &s->in2out.addr, s->in2out.port,
293 &s->ext_host_nat_addr, s->ext_host_nat_port,
294 &s->out2in.addr, s->out2in.port,
295 &s->ext_host_addr, s->ext_host_port,
296 s->in2out.protocol, is_twice_nat_session (s));
298 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
299 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
300 &s->ext_host_nat_addr, s->ext_host_nat_port,
301 s->in2out.protocol, s->in2out.fib_index, s->flags,
308 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u16 src_port,
309 u16 dst_port, u32 thread_index, u32 rx_fib_index)
311 clib_bihash_kv_16_8_t kv, value;
312 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
314 make_ed_kv (&ip->src_address, &ip->dst_address, ip->protocol,
315 rx_fib_index, src_port, dst_port, ~0ULL, &kv);
316 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
323 create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
324 u32 rx_fib_index, u32 thread_index)
326 clib_bihash_kv_16_8_t kv, value;
328 snat_session_t *s = 0;
329 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
330 f64 now = vlib_time_now (sm->vlib_main);
333 if (ip->protocol == IP_PROTOCOL_ICMP)
335 if (get_icmp_o2i_ed_key
336 (b, ip, rx_fib_index, ~0ULL, 0, &l_port, &r_port, &kv))
341 if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
343 udp = ip4_next_header (ip);
344 l_port = udp->dst_port;
345 r_port = udp->src_port;
352 make_ed_kv (&ip->dst_address, &ip->src_address, ip->protocol,
353 rx_fib_index, l_port, r_port, ~0ULL, &kv);
356 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
358 s = pool_elt_at_index (tsm->sessions, value.value);
365 (nat44_ed_maximum_sessions_exceeded
366 (sm, rx_fib_index, thread_index)))
369 s = nat_ed_session_alloc (sm, thread_index, now);
372 nat_elog_warn ("create NAT session failed");
376 proto = ip_proto_to_snat_proto (ip->protocol);
378 s->ext_host_addr = ip->src_address;
379 s->ext_host_port = r_port;
380 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
381 s->out2in.addr = ip->dst_address;
382 s->out2in.port = l_port;
383 s->out2in.protocol = proto;
386 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
387 s->out2in.port = ip->protocol;
389 s->out2in.fib_index = 0;
390 s->in2out = s->out2in;
392 kv.value = s - tsm->sessions;
393 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
394 nat_elog_notice ("in2out_ed key add failed");
397 if (ip->protocol == IP_PROTOCOL_TCP)
399 tcp_header_t *tcp = ip4_next_header (ip);
400 if (nat44_set_tcp_session_state_o2i
401 (sm, now, s, tcp->flags, tcp->ack_number, tcp->seq_number,
407 nat44_session_update_counters (s, now, 0, thread_index);
408 /* Per-user LRU list maintenance */
409 nat44_session_update_lru (sm, s, thread_index);
413 create_bypass_for_fwd_worker (snat_main_t * sm, vlib_buffer_t * b,
414 ip4_header_t * ip, u32 rx_fib_index)
416 ip4_header_t ip_wkr = {
417 .src_address = ip->dst_address,
419 u32 thread_index = sm->worker_in2out_cb (&ip_wkr, rx_fib_index, 0);
421 create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
424 #ifndef CLIB_MARCH_VARIANT
426 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
427 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
428 u8 * p_proto, snat_session_key_t * p_value,
429 u8 * p_dont_translate, void *d, void *e)
431 u32 next = ~0, sw_if_index, rx_fib_index;
432 clib_bihash_kv_16_8_t kv, value;
433 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
434 snat_session_t *s = 0;
435 u8 dont_translate = 0, is_addr_only, identity_nat;
436 snat_session_key_t e_key, l_key;
439 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
440 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
442 if (get_icmp_o2i_ed_key
443 (b, ip, rx_fib_index, ~0ULL, p_proto, &l_port, &r_port, &kv))
445 b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL];
446 next = NAT_NEXT_DROP;
450 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
452 /* Try to match static mapping */
453 e_key.addr = ip->dst_address;
455 e_key.protocol = ip_proto_to_snat_proto (ip->protocol);
456 e_key.fib_index = rx_fib_index;
457 if (snat_static_mapping_match
458 (sm, e_key, &l_key, 1, &is_addr_only, 0, 0, 0, &identity_nat))
460 if (!sm->forwarding_enabled)
462 /* Don't NAT packet aimed at the intfc address */
463 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index,
464 ip->dst_address.as_u32)))
469 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
470 next = NAT_NEXT_DROP;
476 if (next_src_nat (sm, ip, l_port, r_port,
477 thread_index, rx_fib_index))
479 next = NAT_NEXT_IN2OUT_ED_FAST_PATH;
482 if (sm->num_workers > 1)
483 create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index);
485 create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
491 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
493 && (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
494 ICMP4_echo_request || !is_addr_only)))
496 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
497 next = NAT_NEXT_DROP;
501 if (PREDICT_FALSE (identity_nat))
507 /* Create session initiated by host from external network */
508 s = create_session_for_static_mapping_ed (sm, b, l_key, e_key, node,
509 rx_fib_index, thread_index, 0,
516 next = NAT_NEXT_DROP;
523 (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
525 && vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
527 && !icmp_type_is_error_message (vnet_buffer (b)->ip.
528 reass.icmp_type_or_tcp_flags)))
530 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
531 next = NAT_NEXT_DROP;
535 s = pool_elt_at_index (tsm->sessions, value.value);
539 *p_value = s->in2out;
540 *p_dont_translate = dont_translate;
542 *(snat_session_t **) d = s;
547 static snat_session_t *
548 nat44_ed_out2in_unknown_proto (snat_main_t * sm,
554 vlib_main_t * vm, vlib_node_runtime_t * node)
556 clib_bihash_kv_8_8_t kv, value;
557 clib_bihash_kv_16_8_t s_kv, s_value;
558 snat_static_mapping_t *m;
559 u32 old_addr, new_addr;
562 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
564 old_addr = ip->dst_address.as_u32;
566 make_ed_kv (&ip->dst_address, &ip->src_address, ip->protocol, rx_fib_index,
569 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
571 s = pool_elt_at_index (tsm->sessions, s_value.value);
572 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
577 (nat44_ed_maximum_sessions_exceeded
578 (sm, rx_fib_index, thread_index)))
580 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
581 nat_elog_notice ("maximum sessions exceeded");
585 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
586 if (clib_bihash_search_8_8
587 (&sm->static_mapping_by_external, &kv, &value))
589 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
593 m = pool_elt_at_index (sm->static_mappings, value.value);
595 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
597 /* Create a new session */
598 s = nat_ed_session_alloc (sm, thread_index, now);
601 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_USER_SESS_EXCEEDED];
602 nat_elog_warn ("create NAT session failed");
606 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
607 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
608 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
609 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
610 s->out2in.addr.as_u32 = old_addr;
611 s->out2in.fib_index = rx_fib_index;
612 s->in2out.addr.as_u32 = new_addr;
613 s->in2out.fib_index = m->fib_index;
614 s->in2out.port = s->out2in.port = ip->protocol;
616 /* Add to lookup tables */
617 s_kv.value = s - tsm->sessions;
618 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
619 nat_elog_notice ("out2in key add failed");
621 make_ed_kv (&ip->dst_address, &ip->src_address, ip->protocol,
622 m->fib_index, 0, 0, s - tsm->sessions, &s_kv);
623 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
624 nat_elog_notice ("in2out key add failed");
627 /* Update IP checksum */
629 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
630 ip->checksum = ip_csum_fold (sum);
632 vnet_buffer (b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
635 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b),
637 /* Per-user LRU list maintenance */
638 nat44_session_update_lru (sm, s, thread_index);
644 nat44_ed_out2in_fast_path_node_fn_inline (vlib_main_t * vm,
645 vlib_node_runtime_t * node,
646 vlib_frame_t * frame)
648 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
649 nat_next_t next_index;
650 snat_main_t *sm = &snat_main;
651 f64 now = vlib_time_now (vm);
652 u32 thread_index = vm->thread_index;
653 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
654 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
657 stats_node_index = sm->ed_out2in_node_index;
659 from = vlib_frame_vector_args (frame);
660 n_left_from = frame->n_vectors;
661 next_index = node->cached_next_index;
663 while (n_left_from > 0)
667 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
669 while (n_left_from > 0 && n_left_to_next > 0)
673 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
675 u16 old_port0, new_port0;
679 snat_session_t *s0 = 0;
680 clib_bihash_kv_16_8_t kv0, value0;
683 /* speculatively enqueue b0 to the current next frame */
691 b0 = vlib_get_buffer (vm, bi0);
692 next0 = vnet_buffer2 (b0)->nat.arc_next;
694 vnet_buffer (b0)->snat.flags = 0;
695 ip0 = vlib_buffer_get_current (b0);
697 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
699 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
702 if (PREDICT_FALSE (ip0->ttl == 1))
704 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
705 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
706 ICMP4_time_exceeded_ttl_exceeded_in_transit,
708 next0 = NAT_NEXT_ICMP_ERROR;
712 udp0 = ip4_next_header (ip0);
713 tcp0 = (tcp_header_t *) udp0;
714 proto0 = ip_proto_to_snat_proto (ip0->protocol);
716 if (PREDICT_FALSE (proto0 == ~0))
718 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
722 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
724 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
728 make_ed_kv (&ip0->dst_address, &ip0->src_address,
729 ip0->protocol, rx_fib_index0,
730 vnet_buffer (b0)->ip.reass.l4_dst_port,
731 vnet_buffer (b0)->ip.reass.l4_src_port, ~0ULL, &kv0);
733 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
735 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
738 s0 = pool_elt_at_index (tsm->sessions, value0.value);
740 if (s0->tcp_close_timestamp)
742 if (now >= s0->tcp_close_timestamp)
744 // session is closed, go slow path
745 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
749 // session in transitory timeout, drop
750 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_TCP_CLOSED];
751 next0 = NAT_NEXT_DROP;
756 // drop if session expired
757 u64 sess_timeout_time;
758 sess_timeout_time = s0->last_heard +
759 (f64) nat44_session_get_timeout (sm, s0);
760 if (now >= sess_timeout_time)
762 // session is closed, go slow path
763 nat_free_session_data (sm, s0, thread_index, 0);
764 nat44_ed_delete_session (sm, s0, thread_index, 1);
765 next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
770 old_addr0 = ip0->dst_address.as_u32;
771 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
772 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
774 sum0 = ip0->checksum;
775 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
777 if (PREDICT_FALSE (is_twice_nat_session (s0)))
778 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
779 s0->ext_host_nat_addr.as_u32, ip4_header_t,
781 ip0->checksum = ip_csum_fold (sum0);
783 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
785 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
787 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
789 new_port0 = udp0->dst_port = s0->in2out.port;
790 sum0 = tcp0->checksum;
792 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
795 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
797 if (is_twice_nat_session (s0))
799 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
800 s0->ext_host_nat_addr.as_u32,
801 ip4_header_t, dst_address);
803 ip_csum_update (sum0,
804 vnet_buffer (b0)->ip.
806 s0->ext_host_nat_port, ip4_header_t,
808 tcp0->src_port = s0->ext_host_nat_port;
809 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
811 tcp0->checksum = ip_csum_fold (sum0);
814 if (nat44_set_tcp_session_state_o2i
816 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags,
817 vnet_buffer (b0)->ip.reass.tcp_ack_number,
818 vnet_buffer (b0)->ip.reass.tcp_seq_number, thread_index))
821 else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
824 new_port0 = udp0->dst_port = s0->in2out.port;
825 sum0 = udp0->checksum;
826 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
828 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
830 if (PREDICT_FALSE (is_twice_nat_session (s0)))
832 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
833 s0->ext_host_nat_addr.as_u32,
834 ip4_header_t, dst_address);
836 ip_csum_update (sum0,
837 vnet_buffer (b0)->ip.reass.l4_src_port,
838 s0->ext_host_nat_port, ip4_header_t,
840 udp0->src_port = s0->ext_host_nat_port;
841 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
843 udp0->checksum = ip_csum_fold (sum0);
848 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
850 new_port0 = udp0->dst_port = s0->in2out.port;
851 if (PREDICT_FALSE (is_twice_nat_session (s0)))
853 udp0->src_port = s0->ext_host_nat_port;
854 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
861 nat44_session_update_counters (s0, now,
862 vlib_buffer_length_in_chain (vm, b0),
864 /* Per-user LRU list maintenance */
865 nat44_session_update_lru (sm, s0, thread_index);
868 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
869 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
871 nat44_ed_out2in_trace_t *t =
872 vlib_add_trace (vm, node, b0, sizeof (*t));
873 t->sw_if_index = sw_if_index0;
874 t->next_index = next0;
878 t->session_index = s0 - tsm->sessions;
880 t->session_index = ~0;
883 pkts_processed += next0 == vnet_buffer2 (b0)->nat.arc_next;
884 /* verify speculative enqueue, maybe switch current next frame */
885 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
886 to_next, n_left_to_next,
890 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
893 vlib_node_increment_counter (vm, stats_node_index,
894 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
896 vlib_node_increment_counter (vm, stats_node_index,
897 NAT_OUT2IN_ED_ERROR_TCP_PACKETS, tcp_packets);
898 vlib_node_increment_counter (vm, stats_node_index,
899 NAT_OUT2IN_ED_ERROR_UDP_PACKETS, udp_packets);
900 vlib_node_increment_counter (vm, stats_node_index,
901 NAT_OUT2IN_ED_ERROR_ICMP_PACKETS,
903 vlib_node_increment_counter (vm, stats_node_index,
904 NAT_OUT2IN_ED_ERROR_OTHER_PACKETS,
906 vlib_node_increment_counter (vm, stats_node_index,
907 NAT_OUT2IN_ED_ERROR_FRAGMENTS, fragments);
908 return frame->n_vectors;
912 nat44_ed_out2in_slow_path_node_fn_inline (vlib_main_t * vm,
913 vlib_node_runtime_t * node,
914 vlib_frame_t * frame)
916 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
917 nat_next_t next_index;
918 snat_main_t *sm = &snat_main;
919 f64 now = vlib_time_now (vm);
920 u32 thread_index = vm->thread_index;
921 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
922 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
925 stats_node_index = sm->ed_out2in_slowpath_node_index;
927 from = vlib_frame_vector_args (frame);
928 n_left_from = frame->n_vectors;
929 next_index = node->cached_next_index;
931 while (n_left_from > 0)
935 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
937 while (n_left_from > 0 && n_left_to_next > 0)
941 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
943 u16 old_port0, new_port0;
947 icmp46_header_t *icmp0;
948 snat_session_t *s0 = 0;
949 clib_bihash_kv_16_8_t kv0, value0;
951 snat_session_key_t e_key0, l_key0;
952 lb_nat_type_t lb_nat0;
953 twice_nat_type_t twice_nat0;
956 /* speculatively enqueue b0 to the current next frame */
964 b0 = vlib_get_buffer (vm, bi0);
965 next0 = vnet_buffer2 (b0)->nat.arc_next;
967 vnet_buffer (b0)->snat.flags = 0;
968 ip0 = vlib_buffer_get_current (b0);
970 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
972 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
975 if (PREDICT_FALSE (ip0->ttl == 1))
977 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
978 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
979 ICMP4_time_exceeded_ttl_exceeded_in_transit,
981 next0 = NAT_NEXT_ICMP_ERROR;
985 udp0 = ip4_next_header (ip0);
986 tcp0 = (tcp_header_t *) udp0;
987 icmp0 = (icmp46_header_t *) udp0;
988 proto0 = ip_proto_to_snat_proto (ip0->protocol);
990 if (PREDICT_FALSE (proto0 == ~0))
993 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
994 thread_index, now, vm, node);
995 if (!sm->forwarding_enabled)
998 next0 = NAT_NEXT_DROP;
1004 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1006 next0 = icmp_out2in_ed_slow_path
1007 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1008 next0, now, thread_index, &s0);
1013 make_ed_kv (&ip0->dst_address, &ip0->src_address,
1014 ip0->protocol, rx_fib_index0,
1015 vnet_buffer (b0)->ip.reass.l4_dst_port,
1016 vnet_buffer (b0)->ip.reass.l4_src_port, ~0ULL, &kv0);
1019 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
1021 s0 = pool_elt_at_index (tsm->sessions, value0.value);
1023 if (s0->tcp_close_timestamp && now >= s0->tcp_close_timestamp)
1025 nat_free_session_data (sm, s0, thread_index, 0);
1026 nat44_ed_delete_session (sm, s0, thread_index, 1);
1033 /* Try to match static mapping by external address and port,
1034 destination address and port in packet */
1035 e_key0.addr = ip0->dst_address;
1036 e_key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
1037 e_key0.protocol = proto0;
1038 e_key0.fib_index = rx_fib_index0;
1040 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1041 &twice_nat0, &lb_nat0,
1046 * Send DHCP packets to the ipv4 stack, or we won't
1047 * be able to use dhcp client on the outside interface
1049 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1050 && (vnet_buffer (b0)->ip.
1051 reass.l4_dst_port ==
1052 clib_host_to_net_u16
1053 (UDP_DST_PORT_dhcp_to_client))))
1058 if (!sm->forwarding_enabled)
1061 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1062 next0 = NAT_NEXT_DROP;
1067 (sm, ip0, vnet_buffer (b0)->ip.reass.l4_src_port,
1068 vnet_buffer (b0)->ip.reass.l4_dst_port,
1069 thread_index, rx_fib_index0))
1071 next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
1074 if (sm->num_workers > 1)
1075 create_bypass_for_fwd_worker (sm, b0, ip0,
1078 create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
1084 if (PREDICT_FALSE (identity_nat0))
1087 if ((proto0 == SNAT_PROTOCOL_TCP)
1088 && !tcp_flags_is_init (vnet_buffer (b0)->ip.
1089 reass.icmp_type_or_tcp_flags))
1091 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1092 next0 = NAT_NEXT_DROP;
1096 /* Create session initiated by host from external network */
1097 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1105 next0 = NAT_NEXT_DROP;
1110 old_addr0 = ip0->dst_address.as_u32;
1111 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
1112 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1114 sum0 = ip0->checksum;
1115 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1117 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1118 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1119 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1121 ip0->checksum = ip_csum_fold (sum0);
1123 old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1125 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1127 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1129 new_port0 = udp0->dst_port = s0->in2out.port;
1130 sum0 = tcp0->checksum;
1132 ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1135 ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1137 if (is_twice_nat_session (s0))
1139 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1140 s0->ext_host_nat_addr.as_u32,
1141 ip4_header_t, dst_address);
1143 ip_csum_update (sum0,
1144 vnet_buffer (b0)->ip.
1146 s0->ext_host_nat_port, ip4_header_t,
1148 tcp0->src_port = s0->ext_host_nat_port;
1149 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1151 tcp0->checksum = ip_csum_fold (sum0);
1154 if (nat44_set_tcp_session_state_o2i
1156 vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags,
1157 vnet_buffer (b0)->ip.reass.tcp_ack_number,
1158 vnet_buffer (b0)->ip.reass.tcp_seq_number, thread_index))
1161 else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
1164 new_port0 = udp0->dst_port = s0->in2out.port;
1165 sum0 = udp0->checksum;
1166 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1168 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1170 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1172 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1173 s0->ext_host_nat_addr.as_u32,
1174 ip4_header_t, dst_address);
1176 ip_csum_update (sum0,
1177 vnet_buffer (b0)->ip.reass.l4_src_port,
1178 s0->ext_host_nat_port, ip4_header_t,
1180 udp0->src_port = s0->ext_host_nat_port;
1181 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1183 udp0->checksum = ip_csum_fold (sum0);
1188 if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1190 new_port0 = udp0->dst_port = s0->in2out.port;
1191 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1193 udp0->src_port = s0->ext_host_nat_port;
1194 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1201 nat44_session_update_counters (s0, now,
1202 vlib_buffer_length_in_chain (vm, b0),
1204 /* Per-user LRU list maintenance */
1205 nat44_session_update_lru (sm, s0, thread_index);
1208 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1209 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1211 nat44_ed_out2in_trace_t *t =
1212 vlib_add_trace (vm, node, b0, sizeof (*t));
1213 t->sw_if_index = sw_if_index0;
1214 t->next_index = next0;
1215 t->is_slow_path = 1;
1218 t->session_index = s0 - tsm->sessions;
1220 t->session_index = ~0;
1223 pkts_processed += next0 == vnet_buffer2 (b0)->nat.arc_next;
1224 /* verify speculative enqueue, maybe switch current next frame */
1225 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1226 to_next, n_left_to_next,
1230 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1233 vlib_node_increment_counter (vm, stats_node_index,
1234 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1236 vlib_node_increment_counter (vm, stats_node_index,
1237 NAT_OUT2IN_ED_ERROR_TCP_PACKETS, tcp_packets);
1238 vlib_node_increment_counter (vm, stats_node_index,
1239 NAT_OUT2IN_ED_ERROR_UDP_PACKETS, udp_packets);
1240 vlib_node_increment_counter (vm, stats_node_index,
1241 NAT_OUT2IN_ED_ERROR_ICMP_PACKETS,
1243 vlib_node_increment_counter (vm, stats_node_index,
1244 NAT_OUT2IN_ED_ERROR_OTHER_PACKETS,
1246 vlib_node_increment_counter (vm, stats_node_index,
1247 NAT_OUT2IN_ED_ERROR_FRAGMENTS, fragments);
1248 return frame->n_vectors;
1251 VLIB_NODE_FN (nat44_ed_out2in_node) (vlib_main_t * vm,
1252 vlib_node_runtime_t * node,
1253 vlib_frame_t * frame)
1255 return nat44_ed_out2in_fast_path_node_fn_inline (vm, node, frame);
1259 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
1260 .name = "nat44-ed-out2in",
1261 .vector_size = sizeof (u32),
1262 .sibling_of = "nat-default",
1263 .format_trace = format_nat44_ed_out2in_trace,
1264 .type = VLIB_NODE_TYPE_INTERNAL,
1265 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1266 .error_strings = nat_out2in_ed_error_strings,
1267 .runtime_data_bytes = sizeof (snat_runtime_t),
1271 VLIB_NODE_FN (nat44_ed_out2in_slowpath_node) (vlib_main_t * vm,
1272 vlib_node_runtime_t * node,
1273 vlib_frame_t * frame)
1275 return nat44_ed_out2in_slow_path_node_fn_inline (vm, node, frame);
1279 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
1280 .name = "nat44-ed-out2in-slowpath",
1281 .vector_size = sizeof (u32),
1282 .sibling_of = "nat-default",
1283 .format_trace = format_nat44_ed_out2in_trace,
1284 .type = VLIB_NODE_TYPE_INTERNAL,
1285 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1286 .error_strings = nat_out2in_ed_error_strings,
1287 .runtime_data_bytes = sizeof (snat_runtime_t),
1292 format_nat_pre_trace (u8 * s, va_list * args)
1294 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
1295 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
1296 nat_pre_trace_t *t = va_arg (*args, nat_pre_trace_t *);
1297 return format (s, "out2in next_index %d", t->next_index);
1300 VLIB_NODE_FN (nat_pre_out2in_node) (vlib_main_t * vm,
1301 vlib_node_runtime_t * node,
1302 vlib_frame_t * frame)
1304 return nat_pre_node_fn_inline (vm, node, frame,
1305 NAT_NEXT_OUT2IN_ED_FAST_PATH);
1309 VLIB_REGISTER_NODE (nat_pre_out2in_node) = {
1310 .name = "nat-pre-out2in",
1311 .vector_size = sizeof (u32),
1312 .sibling_of = "nat-default",
1313 .format_trace = format_nat_pre_trace,
1314 .type = VLIB_NODE_TYPE_INTERNAL,
1320 * fd.io coding-style-patch-verification: ON
1323 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob