2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ethernet/ethernet.h>
23 #include <vnet/fib/ip4_fib.h>
24 #include <snat/snat.h>
25 #include <snat/snat_ipfix_logging.h>
27 #include <vppinfra/hash.h>
28 #include <vppinfra/error.h>
29 #include <vppinfra/elog.h>
36 } snat_in2out_trace_t;
39 u32 next_worker_index;
41 } snat_in2out_worker_handoff_trace_t;
43 /* packet trace format function */
44 static u8 * format_snat_in2out_trace (u8 * s, va_list * args)
46 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
47 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
48 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
51 tag = t->is_slow_path ? "SNAT_IN2OUT_SLOW_PATH" : "SNAT_IN2OUT_FAST_PATH";
53 s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
54 t->sw_if_index, t->next_index, t->session_index);
59 static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args)
61 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
62 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
63 snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *);
65 s = format (s, "SANT_IN2OUT_FAST: sw_if_index %d, next index %d",
66 t->sw_if_index, t->next_index);
71 static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args)
73 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
74 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
75 snat_in2out_worker_handoff_trace_t * t =
76 va_arg (*args, snat_in2out_worker_handoff_trace_t *);
79 m = t->do_handoff ? "next worker" : "same worker";
80 s = format (s, "SNAT_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
85 vlib_node_registration_t snat_in2out_node;
86 vlib_node_registration_t snat_in2out_slowpath_node;
87 vlib_node_registration_t snat_in2out_fast_node;
88 vlib_node_registration_t snat_in2out_worker_handoff_node;
90 #define foreach_snat_in2out_error \
91 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
92 _(IN2OUT_PACKETS, "Good in2out packets processed") \
93 _(OUT_OF_PORTS, "Out of ports") \
94 _(BAD_OUTSIDE_FIB, "Outside VRF ID not found") \
95 _(BAD_ICMP_TYPE, "icmp type not echo-request") \
96 _(NO_TRANSLATION, "No translation")
99 #define _(sym,str) SNAT_IN2OUT_ERROR_##sym,
100 foreach_snat_in2out_error
103 } snat_in2out_error_t;
105 static char * snat_in2out_error_strings[] = {
106 #define _(sym,string) string,
107 foreach_snat_in2out_error
112 SNAT_IN2OUT_NEXT_LOOKUP,
113 SNAT_IN2OUT_NEXT_DROP,
114 SNAT_IN2OUT_NEXT_SLOW_PATH,
115 SNAT_IN2OUT_NEXT_ICMP_ERROR,
117 } snat_in2out_next_t;
120 * @brief Check if packet should be translated
122 * Packets aimed at outside interface and external addresss with active session
123 * should be translated.
125 * @param sm SNAT main
126 * @param rt SNAT runtime data
127 * @param sw_if_index0 index of the inside interface
128 * @param ip0 IPv4 header
129 * @param proto0 SNAT protocol
130 * @param rx_fib_index0 RX FIB index
132 * @returns 0 if packet should be translated otherwise 1
135 snat_not_translate (snat_main_t * sm, snat_runtime_t * rt, u32 sw_if_index0,
136 ip4_header_t * ip0, u32 proto0, u32 rx_fib_index0)
138 ip4_address_t * first_int_addr;
139 udp_header_t * udp0 = ip4_next_header (ip0);
140 snat_session_key_t key0, sm0;
141 clib_bihash_kv_8_8_t kv0, value0;
142 fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
144 .fp_proto = FIB_PROTOCOL_IP4,
147 .ip4.as_u32 = ip0->dst_address.as_u32,
151 if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
154 ip4_interface_first_address (sm->ip4_main, sw_if_index0,
155 0 /* just want the address */);
156 rt->cached_sw_if_index = sw_if_index0;
158 rt->cached_ip4_address = first_int_addr->as_u32;
160 rt->cached_ip4_address = 0;
163 /* Don't NAT packet aimed at the intfc address */
164 if (PREDICT_FALSE(ip0->dst_address.as_u32 == rt->cached_ip4_address))
167 key0.addr = ip0->dst_address;
168 key0.port = udp0->dst_port;
169 key0.protocol = proto0;
170 key0.fib_index = sm->outside_fib_index;
171 kv0.key = key0.as_u64;
173 /* NAT packet aimed at external address if */
174 /* has active sessions */
175 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
177 /* or is static mappings */
178 if (!snat_static_mapping_match(sm, key0, &sm0, 1))
184 fei = fib_table_lookup (rx_fib_index0, &pfx);
185 if (FIB_NODE_INDEX_INVALID != fei)
187 u32 sw_if_index = fib_entry_get_resolving_interface (fei);
188 if (sw_if_index == ~0)
190 fei = fib_table_lookup (sm->outside_fib_index, &pfx);
191 if (FIB_NODE_INDEX_INVALID != fei)
192 sw_if_index = fib_entry_get_resolving_interface (fei);
195 pool_foreach (i, sm->interfaces,
197 /* NAT packet aimed at outside interface */
198 if ((i->is_inside == 0) && (sw_if_index == i->sw_if_index))
206 static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
209 snat_session_key_t * key0,
210 snat_session_t ** sessionp,
211 vlib_node_runtime_t * node,
216 snat_user_key_t user_key;
218 clib_bihash_kv_8_8_t kv0, value0;
219 u32 oldest_per_user_translation_list_index;
220 dlist_elt_t * oldest_per_user_translation_list_elt;
221 dlist_elt_t * per_user_translation_list_elt;
222 dlist_elt_t * per_user_list_head_elt;
224 snat_session_key_t key1;
225 u32 address_index = ~0;
226 u32 outside_fib_index;
228 snat_worker_key_t worker_by_out_key;
230 p = hash_get (sm->ip4_main->fib_index_by_table_id, sm->outside_vrf_id);
233 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_OUTSIDE_FIB];
234 return SNAT_IN2OUT_NEXT_DROP;
236 outside_fib_index = p[0];
238 key1.protocol = key0->protocol;
239 user_key.addr = ip0->src_address;
240 user_key.fib_index = rx_fib_index0;
241 kv0.key = user_key.as_u64;
243 /* Ever heard of the "user" = src ip4 address before? */
244 if (clib_bihash_search_8_8 (&sm->user_hash, &kv0, &value0))
246 /* no, make a new one */
247 pool_get (sm->per_thread_data[cpu_index].users, u);
248 memset (u, 0, sizeof (*u));
249 u->addr = ip0->src_address;
251 pool_get (sm->per_thread_data[cpu_index].list_pool, per_user_list_head_elt);
253 u->sessions_per_user_list_head_index = per_user_list_head_elt -
254 sm->per_thread_data[cpu_index].list_pool;
256 clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
257 u->sessions_per_user_list_head_index);
259 kv0.value = u - sm->per_thread_data[cpu_index].users;
262 clib_bihash_add_del_8_8 (&sm->user_hash, &kv0, 1 /* is_add */);
266 u = pool_elt_at_index (sm->per_thread_data[cpu_index].users,
270 /* Over quota? Recycle the least recently used dynamic translation */
271 if (u->nsessions >= sm->max_translations_per_user)
273 /* Remove the oldest dynamic translation */
275 oldest_per_user_translation_list_index =
276 clib_dlist_remove_head (sm->per_thread_data[cpu_index].list_pool,
277 u->sessions_per_user_list_head_index);
279 ASSERT (oldest_per_user_translation_list_index != ~0);
281 /* add it back to the end of the LRU list */
282 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
283 u->sessions_per_user_list_head_index,
284 oldest_per_user_translation_list_index);
285 /* Get the list element */
286 oldest_per_user_translation_list_elt =
287 pool_elt_at_index (sm->per_thread_data[cpu_index].list_pool,
288 oldest_per_user_translation_list_index);
290 /* Get the session index from the list element */
291 session_index = oldest_per_user_translation_list_elt->value;
293 /* Get the session */
294 s = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
296 } while (snat_is_session_static (s));
298 /* Remove in2out, out2in keys */
299 kv0.key = s->in2out.as_u64;
300 if (clib_bihash_add_del_8_8 (&sm->in2out, &kv0, 0 /* is_add */))
301 clib_warning ("in2out key delete failed");
302 kv0.key = s->out2in.as_u64;
303 if (clib_bihash_add_del_8_8 (&sm->out2in, &kv0, 0 /* is_add */))
304 clib_warning ("out2in key delete failed");
307 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
308 s->out2in.addr.as_u32,
312 s->in2out.fib_index);
314 snat_free_outside_address_and_port
315 (sm, &s->out2in, s->outside_address_index);
316 s->outside_address_index = ~0;
318 if (snat_alloc_outside_address_and_port (sm, &key1, &address_index))
322 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
323 return SNAT_IN2OUT_NEXT_DROP;
325 s->outside_address_index = address_index;
329 u8 static_mapping = 1;
331 /* First try to match static mapping by local address and port */
332 if (snat_static_mapping_match (sm, *key0, &key1, 0))
335 /* Try to create dynamic translation */
336 if (snat_alloc_outside_address_and_port (sm, &key1, &address_index))
338 b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
339 return SNAT_IN2OUT_NEXT_DROP;
343 /* Create a new session */
344 pool_get (sm->per_thread_data[cpu_index].sessions, s);
345 memset (s, 0, sizeof (*s));
347 s->outside_address_index = address_index;
351 u->nstaticsessions++;
352 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
359 /* Create list elts */
360 pool_get (sm->per_thread_data[cpu_index].list_pool,
361 per_user_translation_list_elt);
362 clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
363 per_user_translation_list_elt -
364 sm->per_thread_data[cpu_index].list_pool);
366 per_user_translation_list_elt->value =
367 s - sm->per_thread_data[cpu_index].sessions;
368 s->per_user_index = per_user_translation_list_elt -
369 sm->per_thread_data[cpu_index].list_pool;
370 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
372 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
373 s->per_user_list_head_index,
374 per_user_translation_list_elt -
375 sm->per_thread_data[cpu_index].list_pool);
380 s->out2in.protocol = key0->protocol;
381 s->out2in.fib_index = outside_fib_index;
384 /* Add to translation hashes */
385 kv0.key = s->in2out.as_u64;
386 kv0.value = s - sm->per_thread_data[cpu_index].sessions;
387 if (clib_bihash_add_del_8_8 (&sm->in2out, &kv0, 1 /* is_add */))
388 clib_warning ("in2out key add failed");
390 kv0.key = s->out2in.as_u64;
391 kv0.value = s - sm->per_thread_data[cpu_index].sessions;
393 if (clib_bihash_add_del_8_8 (&sm->out2in, &kv0, 1 /* is_add */))
394 clib_warning ("out2in key add failed");
396 /* Add to translated packets worker lookup */
397 worker_by_out_key.addr = s->out2in.addr;
398 worker_by_out_key.port = s->out2in.port;
399 worker_by_out_key.fib_index = s->out2in.fib_index;
400 kv0.key = worker_by_out_key.as_u64;
401 kv0.value = cpu_index;
402 clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv0, 1);
405 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
406 s->out2in.addr.as_u32,
410 s->in2out.fib_index);
415 u16 src_port, dst_port;
418 static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
421 icmp46_header_t * icmp0,
424 vlib_node_runtime_t * node,
428 snat_session_t ** p_s0)
430 snat_session_key_t key0;
431 icmp_echo_header_t *echo0, *inner_echo0 = 0;
432 ip4_header_t *inner_ip0;
434 icmp46_header_t *inner_icmp0;
435 clib_bihash_kv_8_8_t kv0, value0;
436 snat_session_t * s0 = 0;
437 u32 new_addr0, old_addr0;
438 u16 old_id0, new_id0;
441 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
442 u8 is_error_message = 0;
444 echo0 = (icmp_echo_header_t *)(icmp0+1);
446 key0.addr = ip0->src_address;
447 key0.fib_index = rx_fib_index0;
451 case ICMP4_destination_unreachable:
452 case ICMP4_time_exceeded:
453 case ICMP4_parameter_problem:
454 case ICMP4_source_quench:
456 case ICMP4_alternate_host_address:
457 is_error_message = 1;
460 if (!is_error_message)
462 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request))
464 b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
465 next0 = SNAT_IN2OUT_NEXT_DROP;
468 key0.protocol = SNAT_PROTOCOL_ICMP;
469 key0.port = echo0->identifier;
473 inner_ip0 = (ip4_header_t *)(echo0+1);
474 l4_header = ip4_next_header (inner_ip0);
475 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
476 switch (key0.protocol)
478 case SNAT_PROTOCOL_ICMP:
479 inner_icmp0 = (icmp46_header_t*)l4_header;
480 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
481 key0.port = inner_echo0->identifier;
483 case SNAT_PROTOCOL_UDP:
484 case SNAT_PROTOCOL_TCP:
485 key0.port = ((tcp_udp_header_t*)l4_header)->dst_port;
488 b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
489 next0 = SNAT_IN2OUT_NEXT_DROP;
494 kv0.key = key0.as_u64;
496 if (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
498 if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
499 IP_PROTOCOL_ICMP, rx_fib_index0)))
502 if (is_error_message)
504 next0 = SNAT_IN2OUT_NEXT_DROP;
508 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
509 &s0, node, next0, cpu_index);
511 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
515 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
518 sum0 = ip_incremental_checksum (0, icmp0,
519 ntohs(ip0->length) - ip4_header_bytes (ip0));
520 checksum0 = ~ip_csum_fold (sum0);
521 if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff))
523 next0 = SNAT_IN2OUT_NEXT_DROP;
527 old_addr0 = ip0->src_address.as_u32;
528 ip0->src_address = s0->out2in.addr;
529 new_addr0 = ip0->src_address.as_u32;
530 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
532 sum0 = ip0->checksum;
533 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
534 src_address /* changed member */);
535 ip0->checksum = ip_csum_fold (sum0);
537 if (!is_error_message)
539 old_id0 = echo0->identifier;
540 new_id0 = s0->out2in.port;
541 echo0->identifier = new_id0;
543 sum0 = icmp0->checksum;
544 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
546 icmp0->checksum = ip_csum_fold (sum0);
550 if (!ip4_header_checksum_is_valid (inner_ip0))
552 next0 = SNAT_IN2OUT_NEXT_DROP;
556 old_addr0 = inner_ip0->dst_address.as_u32;
557 inner_ip0->dst_address = s0->out2in.addr;
558 new_addr0 = inner_ip0->src_address.as_u32;
560 sum0 = icmp0->checksum;
561 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
562 dst_address /* changed member */);
563 icmp0->checksum = ip_csum_fold (sum0);
565 switch (key0.protocol)
567 case SNAT_PROTOCOL_ICMP:
568 old_id0 = inner_echo0->identifier;
569 new_id0 = s0->out2in.port;
570 inner_echo0->identifier = new_id0;
572 sum0 = icmp0->checksum;
573 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
575 icmp0->checksum = ip_csum_fold (sum0);
577 case SNAT_PROTOCOL_UDP:
578 case SNAT_PROTOCOL_TCP:
579 old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port;
580 new_id0 = s0->out2in.port;
581 ((tcp_udp_header_t*)l4_header)->dst_port = new_id0;
583 sum0 = icmp0->checksum;
584 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
586 icmp0->checksum = ip_csum_fold (sum0);
594 s0->last_heard = now;
596 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
597 /* Per-user LRU list maintenance for dynamic translations */
598 if (!snat_is_session_static (s0))
600 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
602 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
603 s0->per_user_list_head_index,
615 * Hairpinning allows two endpoints on the internal side of the NAT to
616 * communicate even if they only use each other's external IP addresses
619 * @param sm SNAT main.
620 * @param b0 Vlib buffer.
621 * @param ip0 IP header.
622 * @param udp0 UDP header.
623 * @param tcp0 TCP header.
624 * @param proto0 SNAT protocol.
627 snat_hairpinning (snat_main_t *sm,
634 snat_session_key_t key0, sm0;
635 snat_worker_key_t k0;
637 clib_bihash_kv_8_8_t kv0, value0;
639 u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si;
640 u16 new_dst_port0, old_dst_port0;
642 key0.addr = ip0->dst_address;
643 key0.port = udp0->dst_port;
644 key0.protocol = proto0;
645 key0.fib_index = sm->outside_fib_index;
646 kv0.key = key0.as_u64;
648 /* Check if destination is in active sessions */
649 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
651 /* or static mappings */
652 if (!snat_static_mapping_match(sm, key0, &sm0, 1))
654 new_dst_addr0 = sm0.addr.as_u32;
655 new_dst_port0 = sm0.port;
656 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
662 if (sm->num_workers > 1)
664 k0.addr = ip0->dst_address;
665 k0.port = udp0->dst_port;
666 k0.fib_index = sm->outside_fib_index;
668 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
674 ti = sm->num_workers;
676 s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si);
677 new_dst_addr0 = s0->in2out.addr.as_u32;
678 new_dst_port0 = s0->in2out.port;
679 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
682 /* Destination is behind the same NAT, use internal address and port */
685 old_dst_addr0 = ip0->dst_address.as_u32;
686 ip0->dst_address.as_u32 = new_dst_addr0;
687 sum0 = ip0->checksum;
688 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
689 ip4_header_t, dst_address);
690 ip0->checksum = ip_csum_fold (sum0);
692 old_dst_port0 = tcp0->dst;
693 if (PREDICT_TRUE(new_dst_port0 != old_dst_port0))
695 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
697 tcp0->dst = new_dst_port0;
698 sum0 = tcp0->checksum;
699 sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0,
700 ip4_header_t, dst_address);
701 sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0,
702 ip4_header_t /* cheat */, length);
703 tcp0->checksum = ip_csum_fold(sum0);
707 udp0->dst_port = new_dst_port0;
715 snat_in2out_node_fn_inline (vlib_main_t * vm,
716 vlib_node_runtime_t * node,
717 vlib_frame_t * frame, int is_slow_path)
719 u32 n_left_from, * from, * to_next;
720 snat_in2out_next_t next_index;
721 u32 pkts_processed = 0;
722 snat_main_t * sm = &snat_main;
723 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
724 f64 now = vlib_time_now (vm);
725 u32 stats_node_index;
726 u32 cpu_index = os_get_cpu_number ();
728 stats_node_index = is_slow_path ? snat_in2out_slowpath_node.index :
729 snat_in2out_node.index;
731 from = vlib_frame_vector_args (frame);
732 n_left_from = frame->n_vectors;
733 next_index = node->cached_next_index;
735 while (n_left_from > 0)
739 vlib_get_next_frame (vm, node, next_index,
740 to_next, n_left_to_next);
742 while (n_left_from >= 4 && n_left_to_next >= 2)
745 vlib_buffer_t * b0, * b1;
747 u32 sw_if_index0, sw_if_index1;
748 ip4_header_t * ip0, * ip1;
749 ip_csum_t sum0, sum1;
750 u32 new_addr0, old_addr0, new_addr1, old_addr1;
751 u16 old_port0, new_port0, old_port1, new_port1;
752 udp_header_t * udp0, * udp1;
753 tcp_header_t * tcp0, * tcp1;
754 icmp46_header_t * icmp0, * icmp1;
755 snat_session_key_t key0, key1;
756 u32 rx_fib_index0, rx_fib_index1;
758 snat_session_t * s0 = 0, * s1 = 0;
759 clib_bihash_kv_8_8_t kv0, value0, kv1, value1;
761 /* Prefetch next iteration. */
763 vlib_buffer_t * p2, * p3;
765 p2 = vlib_get_buffer (vm, from[2]);
766 p3 = vlib_get_buffer (vm, from[3]);
768 vlib_prefetch_buffer_header (p2, LOAD);
769 vlib_prefetch_buffer_header (p3, LOAD);
771 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
772 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
775 /* speculatively enqueue b0 and b1 to the current next frame */
776 to_next[0] = bi0 = from[0];
777 to_next[1] = bi1 = from[1];
783 b0 = vlib_get_buffer (vm, bi0);
784 b1 = vlib_get_buffer (vm, bi1);
786 ip0 = vlib_buffer_get_current (b0);
787 udp0 = ip4_next_header (ip0);
788 tcp0 = (tcp_header_t *) udp0;
789 icmp0 = (icmp46_header_t *) udp0;
791 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
792 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
795 next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP;
797 proto0 = ip_proto_to_snat_proto (ip0->protocol);
799 if (PREDICT_FALSE(ip0->ttl == 1))
801 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
802 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
803 ICMP4_time_exceeded_ttl_exceeded_in_transit,
805 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
809 /* Next configured feature, probably ip4-lookup */
812 if (PREDICT_FALSE (proto0 == ~0))
815 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
817 next0 = icmp_in2out_slow_path
818 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
819 node, next0, now, cpu_index, &s0);
825 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
827 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
832 key0.addr = ip0->src_address;
833 key0.port = udp0->src_port;
834 key0.protocol = proto0;
835 key0.fib_index = rx_fib_index0;
837 kv0.key = key0.as_u64;
839 if (PREDICT_FALSE (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0) != 0))
843 if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
844 proto0, rx_fib_index0)))
847 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
848 &s0, node, next0, cpu_index);
849 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
854 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
859 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
862 old_addr0 = ip0->src_address.as_u32;
863 ip0->src_address = s0->out2in.addr;
864 new_addr0 = ip0->src_address.as_u32;
865 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
867 sum0 = ip0->checksum;
868 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
870 src_address /* changed member */);
871 ip0->checksum = ip_csum_fold (sum0);
873 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
875 old_port0 = tcp0->src_port;
876 tcp0->src_port = s0->out2in.port;
877 new_port0 = tcp0->src_port;
879 sum0 = tcp0->checksum;
880 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
882 dst_address /* changed member */);
883 sum0 = ip_csum_update (sum0, old_port0, new_port0,
884 ip4_header_t /* cheat */,
885 length /* changed member */);
886 tcp0->checksum = ip_csum_fold(sum0);
890 old_port0 = udp0->src_port;
891 udp0->src_port = s0->out2in.port;
896 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
899 s0->last_heard = now;
901 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
902 /* Per-user LRU list maintenance for dynamic translation */
903 if (!snat_is_session_static (s0))
905 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
907 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
908 s0->per_user_list_head_index,
913 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
914 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
916 snat_in2out_trace_t *t =
917 vlib_add_trace (vm, node, b0, sizeof (*t));
918 t->is_slow_path = is_slow_path;
919 t->sw_if_index = sw_if_index0;
920 t->next_index = next0;
921 t->session_index = ~0;
923 t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
926 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
928 ip1 = vlib_buffer_get_current (b1);
929 udp1 = ip4_next_header (ip1);
930 tcp1 = (tcp_header_t *) udp1;
931 icmp1 = (icmp46_header_t *) udp1;
933 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
934 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
937 proto1 = ip_proto_to_snat_proto (ip1->protocol);
939 if (PREDICT_FALSE(ip0->ttl == 1))
941 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
942 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
943 ICMP4_time_exceeded_ttl_exceeded_in_transit,
945 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
949 /* Next configured feature, probably ip4-lookup */
952 if (PREDICT_FALSE (proto1 == ~0))
955 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
957 next1 = icmp_in2out_slow_path
958 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
959 next1, now, cpu_index, &s1);
965 if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
967 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
972 key1.addr = ip1->src_address;
973 key1.port = udp1->src_port;
974 key1.protocol = proto1;
975 key1.fib_index = rx_fib_index1;
977 kv1.key = key1.as_u64;
979 if (PREDICT_FALSE(clib_bihash_search_8_8 (&sm->in2out, &kv1, &value1) != 0))
983 if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index1, ip1,
984 proto1, rx_fib_index1)))
987 next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
988 &s1, node, next1, cpu_index);
989 if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
994 next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
999 s1 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
1002 old_addr1 = ip1->src_address.as_u32;
1003 ip1->src_address = s1->out2in.addr;
1004 new_addr1 = ip1->src_address.as_u32;
1005 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index;
1007 sum1 = ip1->checksum;
1008 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1010 src_address /* changed member */);
1011 ip1->checksum = ip_csum_fold (sum1);
1013 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
1015 old_port1 = tcp1->src_port;
1016 tcp1->src_port = s1->out2in.port;
1017 new_port1 = tcp1->src_port;
1019 sum1 = tcp1->checksum;
1020 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1022 dst_address /* changed member */);
1023 sum1 = ip_csum_update (sum1, old_port1, new_port1,
1024 ip4_header_t /* cheat */,
1025 length /* changed member */);
1026 tcp1->checksum = ip_csum_fold(sum1);
1030 old_port1 = udp1->src_port;
1031 udp1->src_port = s1->out2in.port;
1036 snat_hairpinning (sm, b1, ip1, udp1, tcp1, proto1);
1039 s1->last_heard = now;
1041 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
1042 /* Per-user LRU list maintenance for dynamic translation */
1043 if (!snat_is_session_static (s1))
1045 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
1046 s1->per_user_index);
1047 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
1048 s1->per_user_list_head_index,
1049 s1->per_user_index);
1053 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1054 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1056 snat_in2out_trace_t *t =
1057 vlib_add_trace (vm, node, b1, sizeof (*t));
1058 t->sw_if_index = sw_if_index1;
1059 t->next_index = next1;
1060 t->session_index = ~0;
1062 t->session_index = s1 - sm->per_thread_data[cpu_index].sessions;
1065 pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
1067 /* verify speculative enqueues, maybe switch current next frame */
1068 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1069 to_next, n_left_to_next,
1070 bi0, bi1, next0, next1);
1073 while (n_left_from > 0 && n_left_to_next > 0)
1081 u32 new_addr0, old_addr0;
1082 u16 old_port0, new_port0;
1083 udp_header_t * udp0;
1084 tcp_header_t * tcp0;
1085 icmp46_header_t * icmp0;
1086 snat_session_key_t key0;
1089 snat_session_t * s0 = 0;
1090 clib_bihash_kv_8_8_t kv0, value0;
1092 /* speculatively enqueue b0 to the current next frame */
1098 n_left_to_next -= 1;
1100 b0 = vlib_get_buffer (vm, bi0);
1101 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1103 ip0 = vlib_buffer_get_current (b0);
1104 udp0 = ip4_next_header (ip0);
1105 tcp0 = (tcp_header_t *) udp0;
1106 icmp0 = (icmp46_header_t *) udp0;
1108 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1109 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1112 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1114 if (PREDICT_FALSE(ip0->ttl == 1))
1116 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1117 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1118 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1120 next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
1124 /* Next configured feature, probably ip4-lookup */
1127 if (PREDICT_FALSE (proto0 == ~0))
1130 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1132 next0 = icmp_in2out_slow_path
1133 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1134 next0, now, cpu_index, &s0);
1140 if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
1142 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1147 key0.addr = ip0->src_address;
1148 key0.port = udp0->src_port;
1149 key0.protocol = proto0;
1150 key0.fib_index = rx_fib_index0;
1152 kv0.key = key0.as_u64;
1154 if (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
1158 if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
1159 proto0, rx_fib_index0)))
1162 next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
1163 &s0, node, next0, cpu_index);
1165 if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
1170 next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
1175 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
1178 old_addr0 = ip0->src_address.as_u32;
1179 ip0->src_address = s0->out2in.addr;
1180 new_addr0 = ip0->src_address.as_u32;
1181 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
1183 sum0 = ip0->checksum;
1184 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1186 src_address /* changed member */);
1187 ip0->checksum = ip_csum_fold (sum0);
1189 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1191 old_port0 = tcp0->src_port;
1192 tcp0->src_port = s0->out2in.port;
1193 new_port0 = tcp0->src_port;
1195 sum0 = tcp0->checksum;
1196 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1198 dst_address /* changed member */);
1199 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1200 ip4_header_t /* cheat */,
1201 length /* changed member */);
1202 tcp0->checksum = ip_csum_fold(sum0);
1206 old_port0 = udp0->src_port;
1207 udp0->src_port = s0->out2in.port;
1212 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
1215 s0->last_heard = now;
1217 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
1218 /* Per-user LRU list maintenance for dynamic translation */
1219 if (!snat_is_session_static (s0))
1221 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
1222 s0->per_user_index);
1223 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
1224 s0->per_user_list_head_index,
1225 s0->per_user_index);
1229 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1230 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1232 snat_in2out_trace_t *t =
1233 vlib_add_trace (vm, node, b0, sizeof (*t));
1234 t->is_slow_path = is_slow_path;
1235 t->sw_if_index = sw_if_index0;
1236 t->next_index = next0;
1237 t->session_index = ~0;
1239 t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
1242 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1244 /* verify speculative enqueue, maybe switch current next frame */
1245 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1246 to_next, n_left_to_next,
1250 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1253 vlib_node_increment_counter (vm, stats_node_index,
1254 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1256 return frame->n_vectors;
1260 snat_in2out_fast_path_fn (vlib_main_t * vm,
1261 vlib_node_runtime_t * node,
1262 vlib_frame_t * frame)
1264 return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */);
1267 VLIB_REGISTER_NODE (snat_in2out_node) = {
1268 .function = snat_in2out_fast_path_fn,
1269 .name = "snat-in2out",
1270 .vector_size = sizeof (u32),
1271 .format_trace = format_snat_in2out_trace,
1272 .type = VLIB_NODE_TYPE_INTERNAL,
1274 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1275 .error_strings = snat_in2out_error_strings,
1277 .runtime_data_bytes = sizeof (snat_runtime_t),
1279 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1281 /* edit / add dispositions here */
1283 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1284 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1285 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "snat-in2out-slowpath",
1286 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1290 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn);
1293 snat_in2out_slow_path_fn (vlib_main_t * vm,
1294 vlib_node_runtime_t * node,
1295 vlib_frame_t * frame)
1297 return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */);
1300 VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
1301 .function = snat_in2out_slow_path_fn,
1302 .name = "snat-in2out-slowpath",
1303 .vector_size = sizeof (u32),
1304 .format_trace = format_snat_in2out_trace,
1305 .type = VLIB_NODE_TYPE_INTERNAL,
1307 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1308 .error_strings = snat_in2out_error_strings,
1310 .runtime_data_bytes = sizeof (snat_runtime_t),
1312 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1314 /* edit / add dispositions here */
1316 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1317 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1318 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "snat-in2out-slowpath",
1319 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1323 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node, snat_in2out_slow_path_fn);
1326 snat_in2out_worker_handoff_fn (vlib_main_t * vm,
1327 vlib_node_runtime_t * node,
1328 vlib_frame_t * frame)
1330 snat_main_t *sm = &snat_main;
1331 vlib_thread_main_t *tm = vlib_get_thread_main ();
1332 u32 n_left_from, *from, *to_next = 0;
1333 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
1334 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
1336 vlib_frame_queue_elt_t *hf = 0;
1337 vlib_frame_t *f = 0;
1339 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
1340 u32 next_worker_index = 0;
1341 u32 current_worker_index = ~0;
1342 u32 cpu_index = os_get_cpu_number ();
1344 ASSERT (vec_len (sm->workers));
1346 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
1348 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
1350 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
1351 sm->first_worker_index + sm->num_workers - 1,
1352 (vlib_frame_queue_t *) (~0));
1355 from = vlib_frame_vector_args (frame);
1356 n_left_from = frame->n_vectors;
1358 while (n_left_from > 0)
1365 snat_user_key_t key0;
1366 clib_bihash_kv_8_8_t kv0, value0;
1373 b0 = vlib_get_buffer (vm, bi0);
1375 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1376 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1378 ip0 = vlib_buffer_get_current (b0);
1380 key0.addr = ip0->src_address;
1381 key0.fib_index = rx_fib_index0;
1383 kv0.key = key0.as_u64;
1385 /* Ever heard of of the "user" before? */
1386 if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv0, &value0))
1388 /* No, assign next available worker (RR) */
1389 next_worker_index = sm->first_worker_index;
1390 if (vec_len (sm->workers))
1392 next_worker_index +=
1393 sm->workers[sm->next_worker++ % _vec_len (sm->workers)];
1396 /* add non-traslated packets worker lookup */
1397 kv0.value = next_worker_index;
1398 clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv0, 1);
1401 next_worker_index = value0.value;
1403 if (PREDICT_FALSE (next_worker_index != cpu_index))
1407 if (next_worker_index != current_worker_index)
1410 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
1412 hf = vlib_get_worker_handoff_queue_elt (sm->fq_in2out_index,
1414 handoff_queue_elt_by_worker_index);
1416 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
1417 to_next_worker = &hf->buffer_index[hf->n_vectors];
1418 current_worker_index = next_worker_index;
1421 /* enqueue to correct worker thread */
1422 to_next_worker[0] = bi0;
1424 n_left_to_next_worker--;
1426 if (n_left_to_next_worker == 0)
1428 hf->n_vectors = VLIB_FRAME_SIZE;
1429 vlib_put_frame_queue_elt (hf);
1430 current_worker_index = ~0;
1431 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
1438 /* if this is 1st frame */
1441 f = vlib_get_frame_to_node (vm, snat_in2out_node.index);
1442 to_next = vlib_frame_vector_args (f);
1450 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1451 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1453 snat_in2out_worker_handoff_trace_t *t =
1454 vlib_add_trace (vm, node, b0, sizeof (*t));
1455 t->next_worker_index = next_worker_index;
1456 t->do_handoff = do_handoff;
1461 vlib_put_frame_to_node (vm, snat_in2out_node.index, f);
1464 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
1466 /* Ship frames to the worker nodes */
1467 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
1469 if (handoff_queue_elt_by_worker_index[i])
1471 hf = handoff_queue_elt_by_worker_index[i];
1473 * It works better to let the handoff node
1474 * rate-adapt, always ship the handoff queue element.
1476 if (1 || hf->n_vectors == hf->last_n_vectors)
1478 vlib_put_frame_queue_elt (hf);
1479 handoff_queue_elt_by_worker_index[i] = 0;
1482 hf->last_n_vectors = hf->n_vectors;
1484 congested_handoff_queue_by_worker_index[i] =
1485 (vlib_frame_queue_t *) (~0);
1488 current_worker_index = ~0;
1489 return frame->n_vectors;
1492 VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = {
1493 .function = snat_in2out_worker_handoff_fn,
1494 .name = "snat-in2out-worker-handoff",
1495 .vector_size = sizeof (u32),
1496 .format_trace = format_snat_in2out_worker_handoff_trace,
1497 .type = VLIB_NODE_TYPE_INTERNAL,
1506 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node, snat_in2out_worker_handoff_fn);
1508 static inline u32 icmp_in2out_static_map (snat_main_t *sm,
1511 icmp46_header_t * icmp0,
1513 vlib_node_runtime_t * node,
1517 snat_session_key_t key0, sm0;
1518 icmp_echo_header_t *echo0;
1519 u32 new_addr0, old_addr0;
1520 u16 old_id0, new_id0;
1522 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
1524 echo0 = (icmp_echo_header_t *)(icmp0+1);
1526 key0.addr = ip0->src_address;
1527 key0.port = echo0->identifier;
1528 key0.fib_index = rx_fib_index0;
1530 if (snat_static_mapping_match(sm, key0, &sm0, 0))
1532 if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
1533 IP_PROTOCOL_ICMP, rx_fib_index0)))
1536 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
1537 return SNAT_IN2OUT_NEXT_DROP;
1540 new_addr0 = sm0.addr.as_u32;
1542 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1543 old_addr0 = ip0->src_address.as_u32;
1544 ip0->src_address.as_u32 = new_addr0;
1546 sum0 = ip0->checksum;
1547 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1549 src_address /* changed member */);
1550 ip0->checksum = ip_csum_fold (sum0);
1552 if (PREDICT_FALSE(new_id0 != echo0->identifier))
1554 old_id0 = echo0->identifier;
1555 echo0->identifier = new_id0;
1557 sum0 = icmp0->checksum;
1558 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
1560 icmp0->checksum = ip_csum_fold (sum0);
1567 snat_in2out_fast_static_map_fn (vlib_main_t * vm,
1568 vlib_node_runtime_t * node,
1569 vlib_frame_t * frame)
1571 u32 n_left_from, * from, * to_next;
1572 snat_in2out_next_t next_index;
1573 u32 pkts_processed = 0;
1574 snat_main_t * sm = &snat_main;
1575 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
1576 u32 stats_node_index;
1578 stats_node_index = snat_in2out_fast_node.index;
1580 from = vlib_frame_vector_args (frame);
1581 n_left_from = frame->n_vectors;
1582 next_index = node->cached_next_index;
1584 while (n_left_from > 0)
1588 vlib_get_next_frame (vm, node, next_index,
1589 to_next, n_left_to_next);
1591 while (n_left_from > 0 && n_left_to_next > 0)
1599 u32 new_addr0, old_addr0;
1600 u16 old_port0, new_port0;
1601 udp_header_t * udp0;
1602 tcp_header_t * tcp0;
1603 icmp46_header_t * icmp0;
1604 snat_session_key_t key0, sm0;
1608 /* speculatively enqueue b0 to the current next frame */
1614 n_left_to_next -= 1;
1616 b0 = vlib_get_buffer (vm, bi0);
1617 next0 = SNAT_IN2OUT_NEXT_LOOKUP;
1619 ip0 = vlib_buffer_get_current (b0);
1620 udp0 = ip4_next_header (ip0);
1621 tcp0 = (tcp_header_t *) udp0;
1622 icmp0 = (icmp46_header_t *) udp0;
1624 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1625 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1627 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1629 if (PREDICT_FALSE (proto0 == ~0))
1632 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1634 if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
1635 proto0, rx_fib_index0)))
1638 next0 = icmp_in2out_static_map
1639 (sm, b0, ip0, icmp0, sw_if_index0, node, next0, rx_fib_index0);
1643 key0.addr = ip0->src_address;
1644 key0.port = udp0->src_port;
1645 key0.fib_index = rx_fib_index0;
1647 if (snat_static_mapping_match(sm, key0, &sm0, 0))
1649 b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
1650 next0= SNAT_IN2OUT_NEXT_DROP;
1654 new_addr0 = sm0.addr.as_u32;
1655 new_port0 = sm0.port;
1656 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1657 old_addr0 = ip0->src_address.as_u32;
1658 ip0->src_address.as_u32 = new_addr0;
1660 sum0 = ip0->checksum;
1661 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1663 src_address /* changed member */);
1664 ip0->checksum = ip_csum_fold (sum0);
1666 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
1668 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1670 old_port0 = tcp0->src_port;
1671 tcp0->src_port = new_port0;
1673 sum0 = tcp0->checksum;
1674 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1676 dst_address /* changed member */);
1677 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1678 ip4_header_t /* cheat */,
1679 length /* changed member */);
1680 tcp0->checksum = ip_csum_fold(sum0);
1684 old_port0 = udp0->src_port;
1685 udp0->src_port = new_port0;
1691 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1693 sum0 = tcp0->checksum;
1694 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1696 dst_address /* changed member */);
1697 tcp0->checksum = ip_csum_fold(sum0);
1702 snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0);
1705 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1706 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1708 snat_in2out_trace_t *t =
1709 vlib_add_trace (vm, node, b0, sizeof (*t));
1710 t->sw_if_index = sw_if_index0;
1711 t->next_index = next0;
1714 pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
1716 /* verify speculative enqueue, maybe switch current next frame */
1717 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1718 to_next, n_left_to_next,
1722 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1725 vlib_node_increment_counter (vm, stats_node_index,
1726 SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
1728 return frame->n_vectors;
1732 VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
1733 .function = snat_in2out_fast_static_map_fn,
1734 .name = "snat-in2out-fast",
1735 .vector_size = sizeof (u32),
1736 .format_trace = format_snat_in2out_fast_trace,
1737 .type = VLIB_NODE_TYPE_INTERNAL,
1739 .n_errors = ARRAY_LEN(snat_in2out_error_strings),
1740 .error_strings = snat_in2out_error_strings,
1742 .runtime_data_bytes = sizeof (snat_runtime_t),
1744 .n_next_nodes = SNAT_IN2OUT_N_NEXT,
1746 /* edit / add dispositions here */
1748 [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
1749 [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
1750 [SNAT_IN2OUT_NEXT_SLOW_PATH] = "snat-in2out-slowpath",
1751 [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1755 VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
Code Review / vpp.git / blob