2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 * @brief NAT44 endpoint-dependent outside to inside network translation
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 #include <vnet/ip/ip.h>
24 #include <vnet/ethernet/ethernet.h>
25 #include <vnet/fib/ip4_fib.h>
26 #include <vnet/udp/udp.h>
27 #include <vppinfra/error.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_reass.h>
31 #include <nat/nat_inlines.h>
32 #include <nat/nat_syslog.h>
34 #define foreach_nat_out2in_ed_error \
35 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
36 _(OUT2IN_PACKETS, "good out2in packets processed") \
37 _(OUT_OF_PORTS, "out of ports") \
38 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
39 _(NO_TRANSLATION, "no translation") \
40 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
41 _(DROP_FRAGMENT, "drop fragment") \
42 _(MAX_REASS, "maximum reassemblies exceeded") \
43 _(MAX_FRAG, "maximum fragments per reassembly exceeded")\
44 _(NON_SYN, "non-SYN packet try to create session") \
45 _(TCP_PACKETS, "TCP packets") \
46 _(UDP_PACKETS, "UDP packets") \
47 _(ICMP_PACKETS, "ICMP packets") \
48 _(OTHER_PACKETS, "other protocol packets") \
49 _(FRAGMENTS, "fragments") \
50 _(CACHED_FRAGMENTS, "cached fragments") \
51 _(PROCESSED_FRAGMENTS, "processed fragments")
55 #define _(sym,str) NAT_OUT2IN_ED_ERROR_##sym,
56 foreach_nat_out2in_ed_error
58 NAT_OUT2IN_ED_N_ERROR,
59 } nat_out2in_ed_error_t;
61 static char *nat_out2in_ed_error_strings[] = {
62 #define _(sym,string) string,
63 foreach_nat_out2in_ed_error
69 NAT44_ED_OUT2IN_NEXT_DROP,
70 NAT44_ED_OUT2IN_NEXT_LOOKUP,
71 NAT44_ED_OUT2IN_NEXT_ICMP_ERROR,
72 NAT44_ED_OUT2IN_NEXT_IN2OUT,
73 NAT44_ED_OUT2IN_NEXT_SLOW_PATH,
74 NAT44_ED_OUT2IN_NEXT_REASS,
75 NAT44_ED_OUT2IN_N_NEXT,
76 } nat44_ed_out2in_next_t;
84 } nat44_ed_out2in_trace_t;
86 vlib_node_registration_t nat44_ed_out2in_node;
87 vlib_node_registration_t nat44_ed_out2in_slowpath_node;
88 vlib_node_registration_t nat44_ed_out2in_reass_node;
91 format_nat44_ed_out2in_trace (u8 * s, va_list * args)
93 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
94 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
95 nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *);
99 t->is_slow_path ? "NAT44_OUT2IN_ED_SLOW_PATH" :
100 "NAT44_OUT2IN_ED_FAST_PATH";
102 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
103 t->sw_if_index, t->next_index, t->session_index);
109 icmp_out2in_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0,
110 ip4_header_t * ip0, icmp46_header_t * icmp0,
111 u32 sw_if_index0, u32 rx_fib_index0,
112 vlib_node_runtime_t * node, u32 next0, f64 now,
113 u32 thread_index, snat_session_t ** p_s0)
115 next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
116 next0, thread_index, p_s0, 0);
117 snat_session_t *s0 = *p_s0;
118 if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP && s0))
121 nat44_session_update_counters (s0, now,
122 vlib_buffer_length_in_chain
123 (sm->vlib_main, b0));
124 /* Per-user LRU list maintenance */
125 nat44_session_update_lru (sm, s0, thread_index);
131 nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg)
133 snat_main_t *sm = &snat_main;
134 nat44_is_idle_session_ctx_t *ctx = arg;
136 u64 sess_timeout_time;
137 nat_ed_ses_key_t ed_key;
138 clib_bihash_kv_16_8_t ed_kv;
141 snat_session_key_t key;
142 snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
145 s = pool_elt_at_index (tsm->sessions, kv->value);
146 sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
147 if (ctx->now >= sess_timeout_time)
149 ed_key.l_addr = s->in2out.addr;
150 ed_key.r_addr = s->ext_host_addr;
151 ed_key.fib_index = s->in2out.fib_index;
152 if (snat_is_unk_proto_session (s))
154 ed_key.proto = s->in2out.port;
160 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
161 ed_key.l_port = s->in2out.port;
162 ed_key.r_port = s->ext_host_port;
164 if (is_twice_nat_session (s))
166 ed_key.r_addr = s->ext_host_nat_addr;
167 ed_key.r_port = s->ext_host_nat_port;
169 ed_kv.key[0] = ed_key.as_u64[0];
170 ed_kv.key[1] = ed_key.as_u64[1];
171 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0))
172 nat_log_warn ("in2out_ed key del failed");
174 if (snat_is_unk_proto_session (s))
177 snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32,
178 s->out2in.addr.as_u32,
182 s->in2out.fib_index);
184 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
185 &s->in2out.addr, s->in2out.port,
186 &s->ext_host_nat_addr, s->ext_host_nat_port,
187 &s->out2in.addr, s->out2in.port,
188 &s->ext_host_addr, s->ext_host_port,
189 s->in2out.protocol, is_twice_nat_session (s));
191 if (is_twice_nat_session (s))
193 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
195 key.protocol = s->in2out.protocol;
196 key.port = s->ext_host_nat_port;
197 a = sm->twice_nat_addresses + i;
198 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
200 snat_free_outside_address_and_port (sm->twice_nat_addresses,
208 if (snat_is_session_static (s))
211 snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
214 nat44_delete_session (sm, s, ctx->thread_index);
221 static snat_session_t *
222 create_session_for_static_mapping_ed (snat_main_t * sm,
224 snat_session_key_t l_key,
225 snat_session_key_t e_key,
226 vlib_node_runtime_t * node,
228 twice_nat_type_t twice_nat,
229 lb_nat_type_t lb_nat, f64 now)
235 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
236 clib_bihash_kv_16_8_t kv;
237 snat_session_key_t eh_key;
238 nat44_is_idle_session_ctx_t ctx;
240 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
242 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
243 nat_log_notice ("maximum sessions exceeded");
247 u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index, thread_index);
250 nat_log_warn ("create NAT user failed");
254 s = nat_ed_session_alloc (sm, u, thread_index, now);
257 nat44_delete_user_with_no_session (sm, u, thread_index);
258 nat_log_warn ("create NAT session failed");
262 ip = vlib_buffer_get_current (b);
263 udp = ip4_next_header (ip);
265 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
266 s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port;
267 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
269 s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING;
270 if (lb_nat == AFFINITY_LB_NAT)
271 s->flags |= SNAT_SESSION_FLAG_AFFINITY;
272 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
275 s->in2out.protocol = s->out2in.protocol;
276 user_session_increment (sm, u, 1);
278 /* Add to lookup tables */
279 make_ed_kv (&kv, &e_key.addr, &s->ext_host_addr, ip->protocol,
280 e_key.fib_index, e_key.port, s->ext_host_port);
281 kv.value = s - tsm->sessions;
283 ctx.thread_index = thread_index;
284 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, &kv,
285 nat44_o2i_ed_is_idle_session_cb,
287 nat_log_notice ("out2in-ed key add failed");
289 if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
290 ip->src_address.as_u32 == l_key.addr.as_u32))
292 eh_key.protocol = e_key.protocol;
293 if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
294 thread_index, &eh_key,
296 tsm->snat_thread_index))
298 b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
299 nat44_delete_session (sm, s, thread_index);
300 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0))
301 nat_log_notice ("out2in-ed key del failed");
304 s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32;
305 s->ext_host_nat_port = eh_key.port;
306 s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
307 make_ed_kv (&kv, &l_key.addr, &s->ext_host_nat_addr, ip->protocol,
308 l_key.fib_index, l_key.port, s->ext_host_nat_port);
312 make_ed_kv (&kv, &l_key.addr, &s->ext_host_addr, ip->protocol,
313 l_key.fib_index, l_key.port, s->ext_host_port);
315 kv.value = s - tsm->sessions;
316 if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &kv,
317 nat44_i2o_ed_is_idle_session_cb,
319 nat_log_notice ("in2out-ed key add failed");
321 snat_ipfix_logging_nat44_ses_create (s->in2out.addr.as_u32,
322 s->out2in.addr.as_u32,
325 s->out2in.port, s->in2out.fib_index);
327 nat_syslog_nat44_sdel (s->user_index, s->in2out.fib_index,
328 &s->in2out.addr, s->in2out.port,
329 &s->ext_host_nat_addr, s->ext_host_nat_port,
330 &s->out2in.addr, s->out2in.port,
331 &s->ext_host_addr, s->ext_host_port,
332 s->in2out.protocol, is_twice_nat_session (s));
337 static_always_inline int
338 icmp_get_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
340 icmp46_header_t *icmp0;
341 nat_ed_ses_key_t key0;
342 icmp_echo_header_t *echo0, *inner_echo0 = 0;
343 ip4_header_t *inner_ip0;
345 icmp46_header_t *inner_icmp0;
347 icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
348 echo0 = (icmp_echo_header_t *) (icmp0 + 1);
350 if (!icmp_is_error_message (icmp0))
352 key0.proto = IP_PROTOCOL_ICMP;
353 key0.l_addr = ip0->dst_address;
354 key0.r_addr = ip0->src_address;
355 key0.l_port = echo0->identifier;
360 inner_ip0 = (ip4_header_t *) (echo0 + 1);
361 l4_header = ip4_next_header (inner_ip0);
362 key0.proto = inner_ip0->protocol;
363 key0.l_addr = inner_ip0->src_address;
364 key0.r_addr = inner_ip0->dst_address;
365 switch (ip_proto_to_snat_proto (inner_ip0->protocol))
367 case SNAT_PROTOCOL_ICMP:
368 inner_icmp0 = (icmp46_header_t *) l4_header;
369 inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
370 key0.l_port = inner_echo0->identifier;
373 case SNAT_PROTOCOL_UDP:
374 case SNAT_PROTOCOL_TCP:
375 key0.l_port = ((tcp_udp_header_t *) l4_header)->src_port;
376 key0.r_port = ((tcp_udp_header_t *) l4_header)->dst_port;
387 next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port,
388 u16 dst_port, u32 thread_index, u32 rx_fib_index)
390 clib_bihash_kv_16_8_t kv, value;
391 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
393 make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto,
394 rx_fib_index, src_port, dst_port);
395 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
402 create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
405 nat_ed_ses_key_t key;
406 clib_bihash_kv_16_8_t kv, value;
409 snat_session_t *s = 0;
410 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
411 f64 now = vlib_time_now (sm->vlib_main);
413 if (ip->protocol == IP_PROTOCOL_ICMP)
415 if (icmp_get_ed_key (ip, &key))
418 else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
420 udp = ip4_next_header (ip);
421 key.r_addr = ip->src_address;
422 key.l_addr = ip->dst_address;
423 key.proto = ip->protocol;
424 key.l_port = udp->dst_port;
425 key.r_port = udp->src_port;
429 key.r_addr = ip->src_address;
430 key.l_addr = ip->dst_address;
431 key.proto = ip->protocol;
432 key.l_port = key.r_port = 0;
435 kv.key[0] = key.as_u64[0];
436 kv.key[1] = key.as_u64[1];
438 if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value))
440 s = pool_elt_at_index (tsm->sessions, value.value);
444 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
447 u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index,
451 nat_log_warn ("create NAT user failed");
455 s = nat_ed_session_alloc (sm, u, thread_index, now);
458 nat44_delete_user_with_no_session (sm, u, thread_index);
459 nat_log_warn ("create NAT session failed");
463 s->ext_host_addr = key.r_addr;
464 s->ext_host_port = key.r_port;
465 s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS;
466 s->out2in.addr = key.l_addr;
467 s->out2in.port = key.l_port;
468 s->out2in.protocol = ip_proto_to_snat_proto (key.proto);
469 s->out2in.fib_index = 0;
470 s->in2out = s->out2in;
471 user_session_increment (sm, u, 0);
473 kv.value = s - tsm->sessions;
474 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1))
475 nat_log_notice ("in2out_ed key add failed");
478 if (ip->protocol == IP_PROTOCOL_TCP)
480 tcp_header_t *tcp = ip4_next_header (ip);
481 if (nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index))
486 nat44_session_update_counters (s, now, 0);
487 /* Per-user LRU list maintenance */
488 nat44_session_update_lru (sm, s, thread_index);
492 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
493 u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip,
494 u8 * p_proto, snat_session_key_t * p_value,
495 u8 * p_dont_translate, void *d, void *e)
497 u32 next = ~0, sw_if_index, rx_fib_index;
498 icmp46_header_t *icmp;
499 nat_ed_ses_key_t key;
500 clib_bihash_kv_16_8_t kv, value;
501 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
502 snat_session_t *s = 0;
503 u8 dont_translate = 0, is_addr_only, identity_nat;
504 snat_session_key_t e_key, l_key;
506 icmp = (icmp46_header_t *) ip4_next_header (ip);
507 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
508 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
510 if (icmp_get_ed_key (ip, &key))
512 b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL];
513 next = NAT44_ED_OUT2IN_NEXT_DROP;
516 key.fib_index = rx_fib_index;
517 kv.key[0] = key.as_u64[0];
518 kv.key[1] = key.as_u64[1];
520 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value))
522 /* Try to match static mapping */
523 e_key.addr = ip->dst_address;
524 e_key.port = key.l_port;
525 e_key.protocol = ip_proto_to_snat_proto (key.proto);
526 e_key.fib_index = rx_fib_index;
527 if (snat_static_mapping_match
528 (sm, e_key, &l_key, 1, &is_addr_only, 0, 0, 0, &identity_nat))
530 if (!sm->forwarding_enabled)
532 /* Don't NAT packet aimed at the intfc address */
533 if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index,
534 ip->dst_address.as_u32)))
539 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
540 next = NAT44_ED_OUT2IN_NEXT_DROP;
546 if (next_src_nat (sm, ip, key.proto, key.l_port, key.r_port,
547 thread_index, rx_fib_index))
549 next = NAT44_ED_OUT2IN_NEXT_IN2OUT;
552 create_bypass_for_fwd (sm, ip, rx_fib_index, thread_index);
557 if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
558 (icmp->type != ICMP4_echo_request || !is_addr_only)))
560 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
561 next = NAT44_ED_OUT2IN_NEXT_DROP;
565 if (PREDICT_FALSE (identity_nat))
571 /* Create session initiated by host from external network */
572 s = create_session_for_static_mapping_ed (sm, b, l_key, e_key, node,
579 next = NAT44_ED_OUT2IN_NEXT_DROP;
585 if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
586 icmp->type != ICMP4_echo_request &&
587 !icmp_is_error_message (icmp)))
589 b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
590 next = NAT44_ED_OUT2IN_NEXT_DROP;
594 s = pool_elt_at_index (tsm->sessions, value.value);
597 *p_proto = ip_proto_to_snat_proto (key.proto);
600 *p_value = s->in2out;
601 *p_dont_translate = dont_translate;
603 *(snat_session_t **) d = s;
607 static snat_session_t *
608 nat44_ed_out2in_unknown_proto (snat_main_t * sm,
614 vlib_main_t * vm, vlib_node_runtime_t * node)
616 clib_bihash_kv_8_8_t kv, value;
617 clib_bihash_kv_16_8_t s_kv, s_value;
618 snat_static_mapping_t *m;
619 u32 old_addr, new_addr;
622 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
625 old_addr = ip->dst_address.as_u32;
627 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
630 if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value))
632 s = pool_elt_at_index (tsm->sessions, s_value.value);
633 new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32;
637 if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index)))
639 b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED];
640 nat_log_notice ("maximum sessions exceeded");
644 make_sm_kv (&kv, &ip->dst_address, 0, 0, 0);
645 if (clib_bihash_search_8_8
646 (&sm->static_mapping_by_external, &kv, &value))
648 b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
652 m = pool_elt_at_index (sm->static_mappings, value.value);
654 new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
656 u = nat_user_get_or_create (sm, &m->local_addr, m->fib_index,
660 nat_log_warn ("create NAT user failed");
664 /* Create a new session */
665 s = nat_ed_session_alloc (sm, u, thread_index, now);
668 nat44_delete_user_with_no_session (sm, u, thread_index);
669 nat_log_warn ("create NAT session failed");
673 s->ext_host_addr.as_u32 = ip->src_address.as_u32;
674 s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO;
675 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
676 s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT;
677 s->out2in.addr.as_u32 = old_addr;
678 s->out2in.fib_index = rx_fib_index;
679 s->in2out.addr.as_u32 = new_addr;
680 s->in2out.fib_index = m->fib_index;
681 s->in2out.port = s->out2in.port = ip->protocol;
682 user_session_increment (sm, u, 1);
684 /* Add to lookup tables */
685 s_kv.value = s - tsm->sessions;
686 if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1))
687 nat_log_notice ("out2in key add failed");
689 make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol,
691 s_kv.value = s - tsm->sessions;
692 if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1))
693 nat_log_notice ("in2out key add failed");
696 /* Update IP checksum */
698 sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
699 ip->checksum = ip_csum_fold (sum);
701 vnet_buffer (b)->sw_if_index[VLIB_TX] = s->in2out.fib_index;
704 nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b));
705 /* Per-user LRU list maintenance */
706 nat44_session_update_lru (sm, s, thread_index);
712 nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
713 vlib_node_runtime_t * node,
714 vlib_frame_t * frame, int is_slow_path)
716 u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index;
717 nat44_ed_out2in_next_t next_index;
718 snat_main_t *sm = &snat_main;
719 f64 now = vlib_time_now (vm);
720 u32 thread_index = vm->thread_index;
721 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
722 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
725 stats_node_index = is_slow_path ? nat44_ed_out2in_slowpath_node.index :
726 nat44_ed_out2in_node.index;
728 from = vlib_frame_vector_args (frame);
729 n_left_from = frame->n_vectors;
730 next_index = node->cached_next_index;
732 while (n_left_from > 0)
736 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
738 while (n_left_from >= 4 && n_left_to_next >= 2)
741 vlib_buffer_t *b0, *b1;
742 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
744 u32 next1, sw_if_index1, rx_fib_index1, proto1, old_addr1,
746 u16 old_port0, new_port0, old_port1, new_port1;
747 ip4_header_t *ip0, *ip1;
748 udp_header_t *udp0, *udp1;
749 tcp_header_t *tcp0, *tcp1;
750 icmp46_header_t *icmp0, *icmp1;
751 snat_session_t *s0 = 0, *s1 = 0;
752 clib_bihash_kv_16_8_t kv0, value0, kv1, value1;
753 ip_csum_t sum0, sum1;
754 snat_session_key_t e_key0, l_key0, e_key1, l_key1;
755 lb_nat_type_t lb_nat0, lb_nat1;
756 twice_nat_type_t twice_nat0, twice_nat1;
757 u8 identity_nat0, identity_nat1;
759 /* Prefetch next iteration. */
761 vlib_buffer_t *p2, *p3;
763 p2 = vlib_get_buffer (vm, from[2]);
764 p3 = vlib_get_buffer (vm, from[3]);
766 vlib_prefetch_buffer_header (p2, LOAD);
767 vlib_prefetch_buffer_header (p3, LOAD);
769 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
770 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
773 /* speculatively enqueue b0 and b1 to the current next frame */
774 to_next[0] = bi0 = from[0];
775 to_next[1] = bi1 = from[1];
781 b0 = vlib_get_buffer (vm, bi0);
782 b1 = vlib_get_buffer (vm, bi1);
784 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
785 vnet_buffer (b0)->snat.flags = 0;
786 ip0 = vlib_buffer_get_current (b0);
788 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
790 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
793 if (PREDICT_FALSE (ip0->ttl == 1))
795 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
796 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
797 ICMP4_time_exceeded_ttl_exceeded_in_transit,
799 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
803 udp0 = ip4_next_header (ip0);
804 tcp0 = (tcp_header_t *) udp0;
805 icmp0 = (icmp46_header_t *) udp0;
806 proto0 = ip_proto_to_snat_proto (ip0->protocol);
810 if (PREDICT_FALSE (proto0 == ~0))
813 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
814 thread_index, now, vm,
817 if (!sm->forwarding_enabled)
820 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
825 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
827 next0 = icmp_out2in_ed_slow_path
828 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
829 next0, now, thread_index, &s0);
836 if (PREDICT_FALSE (proto0 == ~0))
838 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
842 if (ip4_is_fragment (ip0))
844 next0 = NAT44_ED_OUT2IN_NEXT_REASS;
849 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
851 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
856 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
857 ip0->protocol, rx_fib_index0, udp0->dst_port,
860 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
864 /* Try to match static mapping by external address and port,
865 destination address and port in packet */
866 e_key0.addr = ip0->dst_address;
867 e_key0.port = udp0->dst_port;
868 e_key0.protocol = proto0;
869 e_key0.fib_index = rx_fib_index0;
870 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
871 &twice_nat0, &lb_nat0,
876 * Send DHCP packets to the ipv4 stack, or we won't
877 * be able to use dhcp client on the outside interface
879 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
880 && (udp0->dst_port ==
882 (UDP_DST_PORT_dhcp_to_client))))
884 vnet_feature_next (&next0, b0);
888 if (!sm->forwarding_enabled)
891 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
892 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
896 if (next_src_nat (sm, ip0, ip0->protocol,
897 udp0->src_port, udp0->dst_port,
898 thread_index, rx_fib_index0))
900 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
903 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
909 if (PREDICT_FALSE (identity_nat0))
912 if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
914 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
915 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
919 /* Create session initiated by host from external network */
920 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
928 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
934 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
940 s0 = pool_elt_at_index (tsm->sessions, value0.value);
943 old_addr0 = ip0->dst_address.as_u32;
944 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
945 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
947 sum0 = ip0->checksum;
948 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
950 if (PREDICT_FALSE (is_twice_nat_session (s0)))
951 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
952 s0->ext_host_nat_addr.as_u32, ip4_header_t,
954 ip0->checksum = ip_csum_fold (sum0);
956 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
958 old_port0 = tcp0->dst_port;
959 new_port0 = tcp0->dst_port = s0->in2out.port;
961 sum0 = tcp0->checksum;
962 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
964 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
966 if (is_twice_nat_session (s0))
968 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
969 s0->ext_host_nat_addr.as_u32,
970 ip4_header_t, dst_address);
971 sum0 = ip_csum_update (sum0, tcp0->src_port,
972 s0->ext_host_nat_port, ip4_header_t,
974 tcp0->src_port = s0->ext_host_nat_port;
975 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
977 tcp0->checksum = ip_csum_fold (sum0);
979 if (nat44_set_tcp_session_state_o2i
980 (sm, s0, tcp0, thread_index))
985 udp0->dst_port = s0->in2out.port;
986 if (is_twice_nat_session (s0))
988 udp0->src_port = s0->ext_host_nat_port;
989 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
996 nat44_session_update_counters (s0, now,
997 vlib_buffer_length_in_chain (vm,
999 /* Per-user LRU list maintenance */
1000 nat44_session_update_lru (sm, s0, thread_index);
1003 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1004 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1006 nat44_ed_out2in_trace_t *t =
1007 vlib_add_trace (vm, node, b0, sizeof (*t));
1008 t->is_slow_path = is_slow_path;
1009 t->sw_if_index = sw_if_index0;
1010 t->next_index = next0;
1011 t->session_index = ~0;
1013 t->session_index = s0 - tsm->sessions;
1016 pkts_processed += next0 == NAT44_ED_OUT2IN_NEXT_LOOKUP;
1018 next1 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1019 vnet_buffer (b1)->snat.flags = 0;
1020 ip1 = vlib_buffer_get_current (b1);
1022 sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
1024 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1027 if (PREDICT_FALSE (ip1->ttl == 1))
1029 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1030 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
1031 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1033 next1 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
1037 udp1 = ip4_next_header (ip1);
1038 tcp1 = (tcp_header_t *) udp1;
1039 icmp1 = (icmp46_header_t *) udp1;
1040 proto1 = ip_proto_to_snat_proto (ip1->protocol);
1044 if (PREDICT_FALSE (proto1 == ~0))
1047 nat44_ed_out2in_unknown_proto (sm, b1, ip1, rx_fib_index1,
1048 thread_index, now, vm,
1051 if (!sm->forwarding_enabled)
1054 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1059 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1061 next1 = icmp_out2in_ed_slow_path
1062 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1063 next1, now, thread_index, &s1);
1070 if (PREDICT_FALSE (proto1 == ~0))
1072 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1076 if (ip4_is_fragment (ip1))
1078 next1 = NAT44_ED_OUT2IN_NEXT_REASS;
1083 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
1085 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1090 make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address,
1091 ip1->protocol, rx_fib_index1, udp1->dst_port,
1094 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1))
1098 /* Try to match static mapping by external address and port,
1099 destination address and port in packet */
1100 e_key1.addr = ip1->dst_address;
1101 e_key1.port = udp1->dst_port;
1102 e_key1.protocol = proto1;
1103 e_key1.fib_index = rx_fib_index1;
1104 if (snat_static_mapping_match (sm, e_key1, &l_key1, 1, 0,
1105 &twice_nat1, &lb_nat1,
1110 * Send DHCP packets to the ipv4 stack, or we won't
1111 * be able to use dhcp client on the outside interface
1113 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
1114 && (udp1->dst_port ==
1115 clib_host_to_net_u16
1116 (UDP_DST_PORT_dhcp_to_client))))
1118 vnet_feature_next (&next1, b1);
1122 if (!sm->forwarding_enabled)
1125 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1126 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1130 if (next_src_nat (sm, ip1, ip1->protocol,
1131 udp1->src_port, udp1->dst_port,
1132 thread_index, rx_fib_index1))
1134 next1 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1137 create_bypass_for_fwd (sm, ip1, rx_fib_index1,
1143 if (PREDICT_FALSE (identity_nat1))
1146 if ((proto1 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp1))
1148 b1->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1149 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1153 /* Create session initiated by host from external network */
1154 s1 = create_session_for_static_mapping_ed (sm, b1, l_key1,
1162 next1 = NAT44_ED_OUT2IN_NEXT_DROP;
1168 next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1174 s1 = pool_elt_at_index (tsm->sessions, value1.value);
1177 old_addr1 = ip1->dst_address.as_u32;
1178 new_addr1 = ip1->dst_address.as_u32 = s1->in2out.addr.as_u32;
1179 vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1181 sum1 = ip1->checksum;
1182 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1184 if (PREDICT_FALSE (is_twice_nat_session (s1)))
1185 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
1186 s1->ext_host_nat_addr.as_u32, ip4_header_t,
1188 ip1->checksum = ip_csum_fold (sum1);
1190 if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
1192 old_port1 = tcp1->dst_port;
1193 new_port1 = tcp1->dst_port = s1->in2out.port;
1195 sum1 = tcp1->checksum;
1196 sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
1198 sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
1200 if (is_twice_nat_session (s1))
1202 sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
1203 s1->ext_host_nat_addr.as_u32,
1204 ip4_header_t, dst_address);
1205 sum1 = ip_csum_update (sum1, tcp1->src_port,
1206 s1->ext_host_nat_port, ip4_header_t,
1208 tcp1->src_port = s1->ext_host_nat_port;
1209 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
1211 tcp1->checksum = ip_csum_fold (sum1);
1213 if (nat44_set_tcp_session_state_o2i
1214 (sm, s1, tcp1, thread_index))
1219 udp1->dst_port = s1->in2out.port;
1220 if (is_twice_nat_session (s1))
1222 udp1->src_port = s1->ext_host_nat_port;
1223 ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
1230 nat44_session_update_counters (s1, now,
1231 vlib_buffer_length_in_chain (vm,
1233 /* Per-user LRU list maintenance */
1234 nat44_session_update_lru (sm, s1, thread_index);
1237 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1238 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1240 nat44_ed_out2in_trace_t *t =
1241 vlib_add_trace (vm, node, b1, sizeof (*t));
1242 t->is_slow_path = is_slow_path;
1243 t->sw_if_index = sw_if_index1;
1244 t->next_index = next1;
1245 t->session_index = ~0;
1247 t->session_index = s1 - tsm->sessions;
1250 pkts_processed += next1 == NAT44_ED_OUT2IN_NEXT_LOOKUP;
1252 /* verify speculative enqueues, maybe switch current next frame */
1253 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1254 to_next, n_left_to_next,
1255 bi0, bi1, next0, next1);
1258 while (n_left_from > 0 && n_left_to_next > 0)
1262 u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0,
1264 u16 old_port0, new_port0;
1268 icmp46_header_t *icmp0;
1269 snat_session_t *s0 = 0;
1270 clib_bihash_kv_16_8_t kv0, value0;
1272 snat_session_key_t e_key0, l_key0;
1273 lb_nat_type_t lb_nat0;
1274 twice_nat_type_t twice_nat0;
1277 /* speculatively enqueue b0 to the current next frame */
1283 n_left_to_next -= 1;
1285 b0 = vlib_get_buffer (vm, bi0);
1286 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1287 vnet_buffer (b0)->snat.flags = 0;
1288 ip0 = vlib_buffer_get_current (b0);
1290 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1292 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1295 if (PREDICT_FALSE (ip0->ttl == 1))
1297 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1298 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1299 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1301 next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR;
1305 udp0 = ip4_next_header (ip0);
1306 tcp0 = (tcp_header_t *) udp0;
1307 icmp0 = (icmp46_header_t *) udp0;
1308 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1312 if (PREDICT_FALSE (proto0 == ~0))
1315 nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0,
1316 thread_index, now, vm,
1319 if (!sm->forwarding_enabled)
1322 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1327 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1329 next0 = icmp_out2in_ed_slow_path
1330 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1331 next0, now, thread_index, &s0);
1338 if (PREDICT_FALSE (proto0 == ~0))
1340 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1344 if (ip4_is_fragment (ip0))
1346 next0 = NAT44_ED_OUT2IN_NEXT_REASS;
1351 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1353 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1358 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
1359 ip0->protocol, rx_fib_index0, udp0->dst_port,
1362 if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
1366 /* Try to match static mapping by external address and port,
1367 destination address and port in packet */
1368 e_key0.addr = ip0->dst_address;
1369 e_key0.port = udp0->dst_port;
1370 e_key0.protocol = proto0;
1371 e_key0.fib_index = rx_fib_index0;
1372 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1373 &twice_nat0, &lb_nat0,
1378 * Send DHCP packets to the ipv4 stack, or we won't
1379 * be able to use dhcp client on the outside interface
1381 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1382 && (udp0->dst_port ==
1383 clib_host_to_net_u16
1384 (UDP_DST_PORT_dhcp_to_client))))
1386 vnet_feature_next (&next0, b0);
1390 if (!sm->forwarding_enabled)
1393 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1394 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1398 if (next_src_nat (sm, ip0, ip0->protocol,
1399 udp0->src_port, udp0->dst_port,
1400 thread_index, rx_fib_index0))
1402 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1405 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
1411 if (PREDICT_FALSE (identity_nat0))
1414 if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
1416 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1417 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1421 /* Create session initiated by host from external network */
1422 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1430 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1436 next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH;
1442 s0 = pool_elt_at_index (tsm->sessions, value0.value);
1445 old_addr0 = ip0->dst_address.as_u32;
1446 new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32;
1447 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1449 sum0 = ip0->checksum;
1450 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1452 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1453 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1454 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1456 ip0->checksum = ip_csum_fold (sum0);
1458 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1460 old_port0 = tcp0->dst_port;
1461 new_port0 = tcp0->dst_port = s0->in2out.port;
1463 sum0 = tcp0->checksum;
1464 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
1466 sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
1468 if (is_twice_nat_session (s0))
1470 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1471 s0->ext_host_nat_addr.as_u32,
1472 ip4_header_t, dst_address);
1473 sum0 = ip_csum_update (sum0, tcp0->src_port,
1474 s0->ext_host_nat_port, ip4_header_t,
1476 tcp0->src_port = s0->ext_host_nat_port;
1477 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1479 tcp0->checksum = ip_csum_fold (sum0);
1481 if (nat44_set_tcp_session_state_o2i
1482 (sm, s0, tcp0, thread_index))
1487 udp0->dst_port = s0->in2out.port;
1488 if (is_twice_nat_session (s0))
1490 udp0->src_port = s0->ext_host_nat_port;
1491 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1498 nat44_session_update_counters (s0, now,
1499 vlib_buffer_length_in_chain (vm,
1501 /* Per-user LRU list maintenance */
1502 nat44_session_update_lru (sm, s0, thread_index);
1505 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1506 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1508 nat44_ed_out2in_trace_t *t =
1509 vlib_add_trace (vm, node, b0, sizeof (*t));
1510 t->is_slow_path = is_slow_path;
1511 t->sw_if_index = sw_if_index0;
1512 t->next_index = next0;
1513 t->session_index = ~0;
1515 t->session_index = s0 - tsm->sessions;
1518 pkts_processed += next0 == NAT44_ED_OUT2IN_NEXT_LOOKUP;
1519 /* verify speculative enqueue, maybe switch current next frame */
1520 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1521 to_next, n_left_to_next,
1525 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1528 vlib_node_increment_counter (vm, stats_node_index,
1529 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1531 vlib_node_increment_counter (vm, stats_node_index,
1532 NAT_OUT2IN_ED_ERROR_TCP_PACKETS, tcp_packets);
1533 vlib_node_increment_counter (vm, stats_node_index,
1534 NAT_OUT2IN_ED_ERROR_UDP_PACKETS, udp_packets);
1535 vlib_node_increment_counter (vm, stats_node_index,
1536 NAT_OUT2IN_ED_ERROR_ICMP_PACKETS,
1538 vlib_node_increment_counter (vm, stats_node_index,
1539 NAT_OUT2IN_ED_ERROR_OTHER_PACKETS,
1541 vlib_node_increment_counter (vm, stats_node_index,
1542 NAT_OUT2IN_ED_ERROR_FRAGMENTS, fragments);
1543 return frame->n_vectors;
1547 nat44_ed_out2in_fast_path_fn (vlib_main_t * vm,
1548 vlib_node_runtime_t * node,
1549 vlib_frame_t * frame)
1551 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 0);
1555 VLIB_REGISTER_NODE (nat44_ed_out2in_node) = {
1556 .function = nat44_ed_out2in_fast_path_fn,
1557 .name = "nat44-ed-out2in",
1558 .vector_size = sizeof (u32),
1559 .format_trace = format_nat44_ed_out2in_trace,
1560 .type = VLIB_NODE_TYPE_INTERNAL,
1561 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1562 .error_strings = nat_out2in_ed_error_strings,
1563 .runtime_data_bytes = sizeof (snat_runtime_t),
1564 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1566 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1567 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1568 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1569 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1570 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1571 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1576 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_node,
1577 nat44_ed_out2in_fast_path_fn);
1580 nat44_ed_out2in_slow_path_fn (vlib_main_t * vm,
1581 vlib_node_runtime_t * node,
1582 vlib_frame_t * frame)
1584 return nat44_ed_out2in_node_fn_inline (vm, node, frame, 1);
1588 VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
1589 .function = nat44_ed_out2in_slow_path_fn,
1590 .name = "nat44-ed-out2in-slowpath",
1591 .vector_size = sizeof (u32),
1592 .format_trace = format_nat44_ed_out2in_trace,
1593 .type = VLIB_NODE_TYPE_INTERNAL,
1594 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1595 .error_strings = nat_out2in_ed_error_strings,
1596 .runtime_data_bytes = sizeof (snat_runtime_t),
1597 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1599 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1600 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1601 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1602 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1603 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1604 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1609 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_slowpath_node,
1610 nat44_ed_out2in_slow_path_fn);
1613 nat44_ed_out2in_reass_node_fn (vlib_main_t * vm,
1614 vlib_node_runtime_t * node,
1615 vlib_frame_t * frame)
1617 u32 n_left_from, *from, *to_next;
1618 nat44_ed_out2in_next_t next_index;
1619 u32 pkts_processed = 0;
1620 snat_main_t *sm = &snat_main;
1621 f64 now = vlib_time_now (vm);
1622 u32 thread_index = vm->thread_index;
1623 snat_main_per_thread_data_t *per_thread_data =
1624 &sm->per_thread_data[thread_index];
1625 u32 *fragments_to_drop = 0;
1626 u32 *fragments_to_loopback = 0;
1628 from = vlib_frame_vector_args (frame);
1629 n_left_from = frame->n_vectors;
1630 next_index = node->cached_next_index;
1632 while (n_left_from > 0)
1636 vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1638 while (n_left_from > 0 && n_left_to_next > 0)
1640 u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
1645 nat_reass_ip4_t *reass0;
1648 icmp46_header_t *icmp0;
1649 clib_bihash_kv_16_8_t kv0, value0;
1650 snat_session_t *s0 = 0;
1651 u16 old_port0, new_port0;
1653 snat_session_key_t e_key0, l_key0;
1655 twice_nat_type_t twice_nat0;
1658 /* speculatively enqueue b0 to the current next frame */
1664 n_left_to_next -= 1;
1666 b0 = vlib_get_buffer (vm, bi0);
1667 next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP;
1669 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1671 fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
1674 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
1676 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1677 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT];
1681 ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
1682 udp0 = ip4_next_header (ip0);
1683 tcp0 = (tcp_header_t *) udp0;
1684 icmp0 = (icmp46_header_t *) udp0;
1685 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1687 reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
1691 1, &fragments_to_drop);
1693 if (PREDICT_FALSE (!reass0))
1695 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1696 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_REASS];
1697 nat_log_notice ("maximum reassemblies exceeded");
1701 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1703 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1705 next0 = icmp_out2in_ed_slow_path
1706 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1707 next0, now, thread_index, &s0);
1709 if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP))
1712 reass0->sess_index = s0 - per_thread_data->sessions;
1714 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1715 reass0->thread_index = thread_index;
1716 nat_ip4_reass_get_frags (reass0,
1717 &fragments_to_loopback);
1723 make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
1724 ip0->protocol, rx_fib_index0, udp0->dst_port,
1727 if (clib_bihash_search_16_8
1728 (&per_thread_data->out2in_ed, &kv0, &value0))
1730 /* Try to match static mapping by external address and port,
1731 destination address and port in packet */
1732 e_key0.addr = ip0->dst_address;
1733 e_key0.port = udp0->dst_port;
1734 e_key0.protocol = proto0;
1735 e_key0.fib_index = rx_fib_index0;
1736 if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
1737 &twice_nat0, &lb0, 0,
1741 * Send DHCP packets to the ipv4 stack, or we won't
1742 * be able to use dhcp client on the outside interface
1744 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
1747 clib_host_to_net_u16
1748 (UDP_DST_PORT_dhcp_to_client))))
1750 vnet_feature_next (&next0, b0);
1754 if (!sm->forwarding_enabled)
1757 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1758 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1762 if (next_src_nat (sm, ip0, ip0->protocol,
1763 udp0->src_port, udp0->dst_port,
1764 thread_index, rx_fib_index0))
1766 next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT;
1769 create_bypass_for_fwd (sm, ip0, rx_fib_index0,
1771 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1772 nat_ip4_reass_get_frags (reass0,
1773 &fragments_to_loopback);
1778 if (PREDICT_FALSE (identity_nat0))
1780 reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
1784 if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
1786 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
1787 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1791 /* Create session initiated by host from external network */
1792 s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
1800 node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
1801 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1804 reass0->sess_index = s0 - per_thread_data->sessions;
1805 reass0->thread_index = thread_index;
1809 s0 = pool_elt_at_index (per_thread_data->sessions,
1811 reass0->sess_index = value0.value;
1813 nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
1817 if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
1819 if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
1821 if (nat_ip4_reass_add_fragment
1822 (reass0, bi0, &fragments_to_drop))
1824 b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_FRAG];
1826 ("maximum fragments per reassembly exceeded");
1827 next0 = NAT44_ED_OUT2IN_NEXT_DROP;
1833 s0 = pool_elt_at_index (per_thread_data->sessions,
1834 reass0->sess_index);
1837 old_addr0 = ip0->dst_address.as_u32;
1838 ip0->dst_address = s0->in2out.addr;
1839 new_addr0 = ip0->dst_address.as_u32;
1840 vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1842 sum0 = ip0->checksum;
1843 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1845 dst_address /* changed member */ );
1846 if (PREDICT_FALSE (is_twice_nat_session (s0)))
1847 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1848 s0->ext_host_nat_addr.as_u32, ip4_header_t,
1850 ip0->checksum = ip_csum_fold (sum0);
1852 if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
1854 if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
1856 old_port0 = tcp0->dst_port;
1857 tcp0->dst_port = s0->in2out.port;
1858 new_port0 = tcp0->dst_port;
1860 sum0 = tcp0->checksum;
1861 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1863 dst_address /* changed member */ );
1865 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1866 ip4_header_t /* cheat */ ,
1867 length /* changed member */ );
1868 if (is_twice_nat_session (s0))
1870 sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
1871 s0->ext_host_nat_addr.as_u32,
1872 ip4_header_t, dst_address);
1873 sum0 = ip_csum_update (sum0, tcp0->src_port,
1874 s0->ext_host_nat_port,
1875 ip4_header_t, length);
1876 tcp0->src_port = s0->ext_host_nat_port;
1877 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1879 tcp0->checksum = ip_csum_fold (sum0);
1883 old_port0 = udp0->dst_port;
1884 udp0->dst_port = s0->in2out.port;
1885 if (is_twice_nat_session (s0))
1887 udp0->src_port = s0->ext_host_nat_port;
1888 ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
1895 nat44_session_update_counters (s0, now,
1896 vlib_buffer_length_in_chain (vm,
1898 /* Per-user LRU list maintenance */
1899 nat44_session_update_lru (sm, s0, thread_index);
1902 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1903 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1905 nat44_reass_trace_t *t =
1906 vlib_add_trace (vm, node, b0, sizeof (*t));
1907 t->cached = cached0;
1908 t->sw_if_index = sw_if_index0;
1909 t->next_index = next0;
1919 pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP;
1921 /* verify speculative enqueue, maybe switch current next frame */
1922 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1923 to_next, n_left_to_next,
1927 if (n_left_from == 0 && vec_len (fragments_to_loopback))
1929 from = vlib_frame_vector_args (frame);
1930 u32 len = vec_len (fragments_to_loopback);
1931 if (len <= VLIB_FRAME_SIZE)
1933 clib_memcpy_fast (from, fragments_to_loopback,
1934 sizeof (u32) * len);
1936 vec_reset_length (fragments_to_loopback);
1940 clib_memcpy_fast (from, fragments_to_loopback +
1941 (len - VLIB_FRAME_SIZE),
1942 sizeof (u32) * VLIB_FRAME_SIZE);
1943 n_left_from = VLIB_FRAME_SIZE;
1944 _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
1949 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1952 vlib_node_increment_counter (vm, nat44_ed_out2in_reass_node.index,
1953 NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
1956 nat_send_all_to_node (vm, fragments_to_drop, node,
1957 &node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT],
1958 NAT44_ED_OUT2IN_NEXT_DROP);
1960 vec_free (fragments_to_drop);
1961 vec_free (fragments_to_loopback);
1962 return frame->n_vectors;
1966 VLIB_REGISTER_NODE (nat44_ed_out2in_reass_node) = {
1967 .function = nat44_ed_out2in_reass_node_fn,
1968 .name = "nat44-ed-out2in-reass",
1969 .vector_size = sizeof (u32),
1970 .format_trace = format_nat44_reass_trace,
1971 .type = VLIB_NODE_TYPE_INTERNAL,
1972 .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
1973 .error_strings = nat_out2in_ed_error_strings,
1974 .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT,
1976 [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop",
1977 [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1978 [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath",
1979 [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1980 [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out",
1981 [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass",
1986 VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_reass_node,
1987 nat44_ed_out2in_reass_node_fn);
1990 * fd.io coding-style-patch-verification: ON
1993 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob