2 * Copyright (c) 2016 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vlib/vlib.h>
17 #include <vnet/vnet.h>
18 #include <vnet/pg/pg.h>
19 #include <vnet/handoff.h>
21 #include <vnet/ip/ip.h>
22 #include <vnet/ip/udp.h>
23 #include <vnet/ethernet/ethernet.h>
24 #include <vnet/fib/ip4_fib.h>
25 #include <snat/snat.h>
26 #include <snat/snat_ipfix_logging.h>
28 #include <vppinfra/hash.h>
29 #include <vppinfra/error.h>
30 #include <vppinfra/elog.h>
36 } snat_out2in_trace_t;
39 u32 next_worker_index;
41 } snat_out2in_worker_handoff_trace_t;
43 /* packet trace format function */
44 static u8 * format_snat_out2in_trace (u8 * s, va_list * args)
46 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
47 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
48 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
50 s = format (s, "SNAT_OUT2IN: sw_if_index %d, next index %d, session index %d",
51 t->sw_if_index, t->next_index, t->session_index);
55 static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args)
57 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
58 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
59 snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *);
61 s = format (s, "SNAT_OUT2IN_FAST: sw_if_index %d, next index %d",
62 t->sw_if_index, t->next_index);
66 static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args)
68 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
69 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
70 snat_out2in_worker_handoff_trace_t * t =
71 va_arg (*args, snat_out2in_worker_handoff_trace_t *);
74 m = t->do_handoff ? "next worker" : "same worker";
75 s = format (s, "SNAT_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index);
80 vlib_node_registration_t snat_out2in_node;
81 vlib_node_registration_t snat_out2in_fast_node;
82 vlib_node_registration_t snat_out2in_worker_handoff_node;
84 #define foreach_snat_out2in_error \
85 _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
86 _(OUT2IN_PACKETS, "Good out2in packets processed") \
87 _(BAD_ICMP_TYPE, "icmp type not echo-reply") \
88 _(NO_TRANSLATION, "No translation")
91 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
92 foreach_snat_out2in_error
95 } snat_out2in_error_t;
97 static char * snat_out2in_error_strings[] = {
98 #define _(sym,string) string,
99 foreach_snat_out2in_error
104 SNAT_OUT2IN_NEXT_DROP,
105 SNAT_OUT2IN_NEXT_LOOKUP,
106 SNAT_OUT2IN_NEXT_ICMP_ERROR,
108 } snat_out2in_next_t;
111 * @brief Create session for static mapping.
113 * Create NAT session initiated by host from external network with static
116 * @param sm SNAT main.
117 * @param b0 Vlib buffer.
118 * @param in2out In2out SNAT session key.
119 * @param out2in Out2in SNAT session key.
120 * @param node Vlib node.
122 * @returns SNAT session if successfully created otherwise 0.
124 static inline snat_session_t *
125 create_session_for_static_mapping (snat_main_t *sm,
127 snat_session_key_t in2out,
128 snat_session_key_t out2in,
129 vlib_node_runtime_t * node,
133 snat_user_key_t user_key;
135 clib_bihash_kv_8_8_t kv0, value0;
136 dlist_elt_t * per_user_translation_list_elt;
137 dlist_elt_t * per_user_list_head_elt;
139 user_key.addr = in2out.addr;
140 user_key.fib_index = in2out.fib_index;
141 kv0.key = user_key.as_u64;
143 /* Ever heard of the "user" = inside ip4 address before? */
144 if (clib_bihash_search_8_8 (&sm->user_hash, &kv0, &value0))
146 /* no, make a new one */
147 pool_get (sm->per_thread_data[cpu_index].users, u);
148 memset (u, 0, sizeof (*u));
149 u->addr = in2out.addr;
151 pool_get (sm->per_thread_data[cpu_index].list_pool,
152 per_user_list_head_elt);
154 u->sessions_per_user_list_head_index = per_user_list_head_elt -
155 sm->per_thread_data[cpu_index].list_pool;
157 clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
158 u->sessions_per_user_list_head_index);
160 kv0.value = u - sm->per_thread_data[cpu_index].users;
163 clib_bihash_add_del_8_8 (&sm->user_hash, &kv0, 1 /* is_add */);
165 /* add non-traslated packets worker lookup */
166 kv0.value = cpu_index;
167 clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv0, 1);
171 u = pool_elt_at_index (sm->per_thread_data[cpu_index].users,
175 pool_get (sm->per_thread_data[cpu_index].sessions, s);
176 memset (s, 0, sizeof (*s));
178 s->outside_address_index = ~0;
179 s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
180 u->nstaticsessions++;
182 /* Create list elts */
183 pool_get (sm->per_thread_data[cpu_index].list_pool,
184 per_user_translation_list_elt);
185 clib_dlist_init (sm->per_thread_data[cpu_index].list_pool,
186 per_user_translation_list_elt -
187 sm->per_thread_data[cpu_index].list_pool);
189 per_user_translation_list_elt->value =
190 s - sm->per_thread_data[cpu_index].sessions;
192 per_user_translation_list_elt - sm->per_thread_data[cpu_index].list_pool;
193 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
195 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
196 s->per_user_list_head_index,
197 per_user_translation_list_elt -
198 sm->per_thread_data[cpu_index].list_pool);
202 s->in2out.protocol = out2in.protocol;
204 /* Add to translation hashes */
205 kv0.key = s->in2out.as_u64;
206 kv0.value = s - sm->per_thread_data[cpu_index].sessions;
207 if (clib_bihash_add_del_8_8 (&sm->in2out, &kv0, 1 /* is_add */))
208 clib_warning ("in2out key add failed");
210 kv0.key = s->out2in.as_u64;
211 kv0.value = s - sm->per_thread_data[cpu_index].sessions;
213 if (clib_bihash_add_del_8_8 (&sm->out2in, &kv0, 1 /* is_add */))
214 clib_warning ("out2in key add failed");
217 snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32,
218 s->out2in.addr.as_u32,
222 s->in2out.fib_index);
227 u16 src_port, dst_port;
230 static inline u32 icmp_out2in_slow_path (snat_main_t *sm,
233 icmp46_header_t * icmp0,
236 vlib_node_runtime_t * node,
239 snat_session_t ** p_s0)
241 snat_session_key_t key0, sm0;
242 icmp_echo_header_t *echo0, *inner_echo0 = 0;
243 ip4_header_t *inner_ip0 = 0;
245 icmp46_header_t *inner_icmp0;
246 clib_bihash_kv_8_8_t kv0, value0;
247 snat_session_t * s0 = 0;
248 u32 new_addr0, old_addr0;
249 u16 old_id0, new_id0;
252 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
253 u8 is_error_message = 0;
255 echo0 = (icmp_echo_header_t *)(icmp0+1);
257 key0.addr = ip0->dst_address;
258 key0.fib_index = rx_fib_index0;
262 case ICMP4_destination_unreachable:
263 case ICMP4_time_exceeded:
264 case ICMP4_parameter_problem:
265 case ICMP4_source_quench:
267 case ICMP4_alternate_host_address:
268 is_error_message = 1;
271 if (!is_error_message)
273 key0.protocol = SNAT_PROTOCOL_ICMP;
274 key0.port = echo0->identifier;
278 inner_ip0 = (ip4_header_t *)(echo0+1);
279 l4_header = ip4_next_header (inner_ip0);
280 key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
281 switch (key0.protocol)
283 case SNAT_PROTOCOL_ICMP:
284 inner_icmp0 = (icmp46_header_t*)l4_header;
285 inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
286 key0.port = inner_echo0->identifier;
288 case SNAT_PROTOCOL_UDP:
289 case SNAT_PROTOCOL_TCP:
290 key0.port = ((tcp_udp_header_t*)l4_header)->src_port;
293 b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
294 next0 = SNAT_OUT2IN_NEXT_DROP;
299 kv0.key = key0.as_u64;
301 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
303 /* Try to match static mapping by external address and port,
304 destination address and port in packet */
305 if (snat_static_mapping_match(sm, key0, &sm0, 1))
307 ip4_address_t * first_int_addr;
309 if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
312 ip4_interface_first_address (sm->ip4_main, sw_if_index0,
313 0 /* just want the address */);
314 rt->cached_sw_if_index = sw_if_index0;
316 rt->cached_ip4_address = first_int_addr->as_u32;
318 rt->cached_ip4_address = 0;
321 /* Don't NAT packet aimed at the intfc address */
322 if (PREDICT_FALSE(ip0->dst_address.as_u32 == rt->cached_ip4_address))
325 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
326 next0 = SNAT_OUT2IN_NEXT_DROP;
330 if (is_error_message)
332 next0 = SNAT_OUT2IN_NEXT_DROP;
336 /* Create session initiated by host from external network */
337 s0 = create_session_for_static_mapping(sm, b0, sm0, key0,
342 next0 = SNAT_OUT2IN_NEXT_DROP;
347 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
350 if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply && !is_error_message))
352 b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
353 next0 = SNAT_OUT2IN_NEXT_DROP;
357 sum0 = ip_incremental_checksum (0, icmp0,
358 ntohs(ip0->length) - ip4_header_bytes (ip0));
359 checksum0 = ~ip_csum_fold (sum0);
360 if (checksum0 != 0 && checksum0 != 0xffff)
362 next0 = SNAT_OUT2IN_NEXT_DROP;
366 old_addr0 = ip0->dst_address.as_u32;
367 ip0->dst_address = s0->in2out.addr;
368 new_addr0 = ip0->dst_address.as_u32;
369 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
371 sum0 = ip0->checksum;
372 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
373 dst_address /* changed member */);
374 ip0->checksum = ip_csum_fold (sum0);
376 if (!is_error_message)
378 old_id0 = echo0->identifier;
379 new_id0 = s0->in2out.port;
380 echo0->identifier = new_id0;
382 sum0 = icmp0->checksum;
383 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
384 identifier /* changed member */);
385 icmp0->checksum = ip_csum_fold (sum0);
389 if (!ip4_header_checksum_is_valid (inner_ip0))
391 next0 = SNAT_OUT2IN_NEXT_DROP;
395 old_addr0 = inner_ip0->src_address.as_u32;
396 inner_ip0->src_address = s0->in2out.addr;
397 new_addr0 = inner_ip0->src_address.as_u32;
399 sum0 = icmp0->checksum;
400 sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
401 src_address /* changed member */);
402 icmp0->checksum = ip_csum_fold (sum0);
404 switch (key0.protocol)
406 case SNAT_PROTOCOL_ICMP:
407 old_id0 = inner_echo0->identifier;
408 new_id0 = s0->in2out.port;
409 inner_echo0->identifier = new_id0;
411 sum0 = icmp0->checksum;
412 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
414 icmp0->checksum = ip_csum_fold (sum0);
416 case SNAT_PROTOCOL_UDP:
417 case SNAT_PROTOCOL_TCP:
418 old_id0 = ((tcp_udp_header_t*)l4_header)->src_port;
419 new_id0 = s0->in2out.port;
420 ((tcp_udp_header_t*)l4_header)->src_port = new_id0;
422 sum0 = icmp0->checksum;
423 sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
425 icmp0->checksum = ip_csum_fold (sum0);
433 s0->last_heard = now;
435 s0->total_bytes += vlib_buffer_length_in_chain (sm->vlib_main, b0);
436 /* Per-user LRU list maintenance for dynamic translation */
437 if (!snat_is_session_static (s0))
439 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
441 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
442 s0->per_user_list_head_index,
452 snat_out2in_node_fn (vlib_main_t * vm,
453 vlib_node_runtime_t * node,
454 vlib_frame_t * frame)
456 u32 n_left_from, * from, * to_next;
457 snat_out2in_next_t next_index;
458 u32 pkts_processed = 0;
459 snat_main_t * sm = &snat_main;
460 f64 now = vlib_time_now (vm);
461 u32 cpu_index = os_get_cpu_number ();
463 from = vlib_frame_vector_args (frame);
464 n_left_from = frame->n_vectors;
465 next_index = node->cached_next_index;
467 while (n_left_from > 0)
471 vlib_get_next_frame (vm, node, next_index,
472 to_next, n_left_to_next);
474 while (n_left_from >= 4 && n_left_to_next >= 2)
477 vlib_buffer_t * b0, * b1;
478 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
479 u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
480 u32 sw_if_index0, sw_if_index1;
481 ip4_header_t * ip0, *ip1;
482 ip_csum_t sum0, sum1;
483 u32 new_addr0, old_addr0;
484 u16 new_port0, old_port0;
485 u32 new_addr1, old_addr1;
486 u16 new_port1, old_port1;
487 udp_header_t * udp0, * udp1;
488 tcp_header_t * tcp0, * tcp1;
489 icmp46_header_t * icmp0, * icmp1;
490 snat_session_key_t key0, key1, sm0, sm1;
491 u32 rx_fib_index0, rx_fib_index1;
493 snat_session_t * s0 = 0, * s1 = 0;
494 clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
496 /* Prefetch next iteration. */
498 vlib_buffer_t * p2, * p3;
500 p2 = vlib_get_buffer (vm, from[2]);
501 p3 = vlib_get_buffer (vm, from[3]);
503 vlib_prefetch_buffer_header (p2, LOAD);
504 vlib_prefetch_buffer_header (p3, LOAD);
506 CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
507 CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
510 /* speculatively enqueue b0 and b1 to the current next frame */
511 to_next[0] = bi0 = from[0];
512 to_next[1] = bi1 = from[1];
518 b0 = vlib_get_buffer (vm, bi0);
519 b1 = vlib_get_buffer (vm, bi1);
521 ip0 = vlib_buffer_get_current (b0);
522 udp0 = ip4_next_header (ip0);
523 tcp0 = (tcp_header_t *) udp0;
524 icmp0 = (icmp46_header_t *) udp0;
526 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
527 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
530 proto0 = ip_proto_to_snat_proto (ip0->protocol);
532 if (PREDICT_FALSE (proto0 == ~0))
535 if (PREDICT_FALSE(ip0->ttl == 1))
537 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
538 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
539 ICMP4_time_exceeded_ttl_exceeded_in_transit,
541 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
545 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
547 next0 = icmp_out2in_slow_path
548 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
549 next0, now, cpu_index, &s0);
553 key0.addr = ip0->dst_address;
554 key0.port = udp0->dst_port;
555 key0.protocol = proto0;
556 key0.fib_index = rx_fib_index0;
558 kv0.key = key0.as_u64;
560 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
562 /* Try to match static mapping by external address and port,
563 destination address and port in packet */
564 if (snat_static_mapping_match(sm, key0, &sm0, 1))
566 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
568 * Send DHCP packets to the ipv4 stack, or we won't
569 * be able to use dhcp client on the outside interface
571 if (proto0 != SNAT_PROTOCOL_UDP
573 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
574 next0 = SNAT_OUT2IN_NEXT_DROP;
578 /* Create session initiated by host from external network */
579 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
583 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
584 next0 = SNAT_OUT2IN_NEXT_DROP;
589 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
592 old_addr0 = ip0->dst_address.as_u32;
593 ip0->dst_address = s0->in2out.addr;
594 new_addr0 = ip0->dst_address.as_u32;
595 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
597 sum0 = ip0->checksum;
598 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
600 dst_address /* changed member */);
601 ip0->checksum = ip_csum_fold (sum0);
603 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
605 old_port0 = tcp0->ports.dst;
606 tcp0->ports.dst = s0->in2out.port;
607 new_port0 = tcp0->ports.dst;
609 sum0 = tcp0->checksum;
610 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
612 dst_address /* changed member */);
614 sum0 = ip_csum_update (sum0, old_port0, new_port0,
615 ip4_header_t /* cheat */,
616 length /* changed member */);
617 tcp0->checksum = ip_csum_fold(sum0);
621 old_port0 = udp0->dst_port;
622 udp0->dst_port = s0->in2out.port;
627 s0->last_heard = now;
629 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
630 /* Per-user LRU list maintenance for dynamic translation */
631 if (!snat_is_session_static (s0))
633 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
635 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
636 s0->per_user_list_head_index,
641 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
642 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
644 snat_out2in_trace_t *t =
645 vlib_add_trace (vm, node, b0, sizeof (*t));
646 t->sw_if_index = sw_if_index0;
647 t->next_index = next0;
648 t->session_index = ~0;
650 t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
653 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
656 ip1 = vlib_buffer_get_current (b1);
657 udp1 = ip4_next_header (ip1);
658 tcp1 = (tcp_header_t *) udp1;
659 icmp1 = (icmp46_header_t *) udp1;
661 sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
662 rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
665 proto1 = ip_proto_to_snat_proto (ip1->protocol);
667 if (PREDICT_FALSE (proto1 == ~0))
670 if (PREDICT_FALSE(ip0->ttl == 1))
672 vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
673 icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
674 ICMP4_time_exceeded_ttl_exceeded_in_transit,
676 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
680 if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
682 next1 = icmp_out2in_slow_path
683 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
684 next1, now, cpu_index, &s1);
688 key1.addr = ip1->dst_address;
689 key1.port = udp1->dst_port;
690 key1.protocol = proto1;
691 key1.fib_index = rx_fib_index1;
693 kv1.key = key1.as_u64;
695 if (clib_bihash_search_8_8 (&sm->out2in, &kv1, &value1))
697 /* Try to match static mapping by external address and port,
698 destination address and port in packet */
699 if (snat_static_mapping_match(sm, key1, &sm1, 1))
701 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
703 * Send DHCP packets to the ipv4 stack, or we won't
704 * be able to use dhcp client on the outside interface
706 if (proto1 != SNAT_PROTOCOL_UDP
708 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
709 next1 = SNAT_OUT2IN_NEXT_DROP;
713 /* Create session initiated by host from external network */
714 s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node,
718 b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
719 next1 = SNAT_OUT2IN_NEXT_DROP;
724 s1 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
727 old_addr1 = ip1->dst_address.as_u32;
728 ip1->dst_address = s1->in2out.addr;
729 new_addr1 = ip1->dst_address.as_u32;
730 vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
732 sum1 = ip1->checksum;
733 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
735 dst_address /* changed member */);
736 ip1->checksum = ip_csum_fold (sum1);
738 if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
740 old_port1 = tcp1->ports.dst;
741 tcp1->ports.dst = s1->in2out.port;
742 new_port1 = tcp1->ports.dst;
744 sum1 = tcp1->checksum;
745 sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
747 dst_address /* changed member */);
749 sum1 = ip_csum_update (sum1, old_port1, new_port1,
750 ip4_header_t /* cheat */,
751 length /* changed member */);
752 tcp1->checksum = ip_csum_fold(sum1);
756 old_port1 = udp1->dst_port;
757 udp1->dst_port = s1->in2out.port;
762 s1->last_heard = now;
764 s1->total_bytes += vlib_buffer_length_in_chain (vm, b1);
765 /* Per-user LRU list maintenance for dynamic translation */
766 if (!snat_is_session_static (s1))
768 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
770 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
771 s1->per_user_list_head_index,
776 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
777 && (b1->flags & VLIB_BUFFER_IS_TRACED)))
779 snat_out2in_trace_t *t =
780 vlib_add_trace (vm, node, b1, sizeof (*t));
781 t->sw_if_index = sw_if_index1;
782 t->next_index = next1;
783 t->session_index = ~0;
785 t->session_index = s1 - sm->per_thread_data[cpu_index].sessions;
788 pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP;
790 /* verify speculative enqueues, maybe switch current next frame */
791 vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
792 to_next, n_left_to_next,
793 bi0, bi1, next0, next1);
796 while (n_left_from > 0 && n_left_to_next > 0)
800 u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
804 u32 new_addr0, old_addr0;
805 u16 new_port0, old_port0;
808 icmp46_header_t * icmp0;
809 snat_session_key_t key0, sm0;
812 snat_session_t * s0 = 0;
813 clib_bihash_kv_8_8_t kv0, value0;
815 /* speculatively enqueue b0 to the current next frame */
823 b0 = vlib_get_buffer (vm, bi0);
825 ip0 = vlib_buffer_get_current (b0);
826 udp0 = ip4_next_header (ip0);
827 tcp0 = (tcp_header_t *) udp0;
828 icmp0 = (icmp46_header_t *) udp0;
830 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
831 rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
834 proto0 = ip_proto_to_snat_proto (ip0->protocol);
836 if (PREDICT_FALSE (proto0 == ~0))
839 if (PREDICT_FALSE(ip0->ttl == 1))
841 vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
842 icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
843 ICMP4_time_exceeded_ttl_exceeded_in_transit,
845 next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
849 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
851 next0 = icmp_out2in_slow_path
852 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
853 next0, now, cpu_index, &s0);
857 key0.addr = ip0->dst_address;
858 key0.port = udp0->dst_port;
859 key0.protocol = proto0;
860 key0.fib_index = rx_fib_index0;
862 kv0.key = key0.as_u64;
864 if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
866 /* Try to match static mapping by external address and port,
867 destination address and port in packet */
868 if (snat_static_mapping_match(sm, key0, &sm0, 1))
870 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
872 * Send DHCP packets to the ipv4 stack, or we won't
873 * be able to use dhcp client on the outside interface
875 if (proto0 != SNAT_PROTOCOL_UDP
877 != clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))
879 next0 = SNAT_OUT2IN_NEXT_DROP;
883 /* Create session initiated by host from external network */
884 s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node,
888 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
889 next0 = SNAT_OUT2IN_NEXT_DROP;
894 s0 = pool_elt_at_index (sm->per_thread_data[cpu_index].sessions,
897 old_addr0 = ip0->dst_address.as_u32;
898 ip0->dst_address = s0->in2out.addr;
899 new_addr0 = ip0->dst_address.as_u32;
900 vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
902 sum0 = ip0->checksum;
903 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
905 dst_address /* changed member */);
906 ip0->checksum = ip_csum_fold (sum0);
908 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
910 old_port0 = tcp0->ports.dst;
911 tcp0->ports.dst = s0->in2out.port;
912 new_port0 = tcp0->ports.dst;
914 sum0 = tcp0->checksum;
915 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
917 dst_address /* changed member */);
919 sum0 = ip_csum_update (sum0, old_port0, new_port0,
920 ip4_header_t /* cheat */,
921 length /* changed member */);
922 tcp0->checksum = ip_csum_fold(sum0);
926 old_port0 = udp0->dst_port;
927 udp0->dst_port = s0->in2out.port;
932 s0->last_heard = now;
934 s0->total_bytes += vlib_buffer_length_in_chain (vm, b0);
935 /* Per-user LRU list maintenance for dynamic translation */
936 if (!snat_is_session_static (s0))
938 clib_dlist_remove (sm->per_thread_data[cpu_index].list_pool,
940 clib_dlist_addtail (sm->per_thread_data[cpu_index].list_pool,
941 s0->per_user_list_head_index,
946 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
947 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
949 snat_out2in_trace_t *t =
950 vlib_add_trace (vm, node, b0, sizeof (*t));
951 t->sw_if_index = sw_if_index0;
952 t->next_index = next0;
953 t->session_index = ~0;
955 t->session_index = s0 - sm->per_thread_data[cpu_index].sessions;
958 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
960 /* verify speculative enqueue, maybe switch current next frame */
961 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
962 to_next, n_left_to_next,
966 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
969 vlib_node_increment_counter (vm, snat_out2in_node.index,
970 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
972 return frame->n_vectors;
975 VLIB_REGISTER_NODE (snat_out2in_node) = {
976 .function = snat_out2in_node_fn,
977 .name = "snat-out2in",
978 .vector_size = sizeof (u32),
979 .format_trace = format_snat_out2in_trace,
980 .type = VLIB_NODE_TYPE_INTERNAL,
982 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
983 .error_strings = snat_out2in_error_strings,
985 .runtime_data_bytes = sizeof (snat_runtime_t),
987 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
989 /* edit / add dispositions here */
991 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
992 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
993 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
996 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
999 snat_out2in_worker_handoff_fn (vlib_main_t * vm,
1000 vlib_node_runtime_t * node,
1001 vlib_frame_t * frame)
1003 snat_main_t *sm = &snat_main;
1004 vlib_thread_main_t *tm = vlib_get_thread_main ();
1005 u32 n_left_from, *from, *to_next = 0;
1006 static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index;
1007 static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index
1009 vlib_frame_queue_elt_t *hf = 0;
1010 vlib_frame_t *f = 0;
1012 u32 n_left_to_next_worker = 0, *to_next_worker = 0;
1013 u32 next_worker_index = 0;
1014 u32 current_worker_index = ~0;
1015 u32 cpu_index = os_get_cpu_number ();
1017 ASSERT (vec_len (sm->workers));
1019 if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0))
1021 vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1);
1023 vec_validate_init_empty (congested_handoff_queue_by_worker_index,
1024 sm->first_worker_index + sm->num_workers - 1,
1025 (vlib_frame_queue_t *) (~0));
1028 from = vlib_frame_vector_args (frame);
1029 n_left_from = frame->n_vectors;
1031 while (n_left_from > 0)
1038 udp_header_t * udp0;
1039 snat_worker_key_t key0;
1040 clib_bihash_kv_8_8_t kv0, value0;
1047 b0 = vlib_get_buffer (vm, bi0);
1049 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1050 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1052 ip0 = vlib_buffer_get_current (b0);
1053 udp0 = ip4_next_header (ip0);
1055 key0.addr = ip0->dst_address;
1056 key0.port = udp0->dst_port;
1057 key0.fib_index = rx_fib_index0;
1059 if (PREDICT_FALSE(ip0->protocol == IP_PROTOCOL_ICMP))
1061 icmp46_header_t * icmp0 = (icmp46_header_t *) udp0;
1062 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
1063 key0.port = echo0->identifier;
1066 kv0.key = key0.as_u64;
1068 /* Ever heard of of the "user" before? */
1069 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
1072 kv0.key = key0.as_u64;
1074 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
1076 /* No, assign next available worker (RR) */
1077 next_worker_index = sm->first_worker_index;
1078 if (vec_len (sm->workers))
1080 next_worker_index +=
1081 sm->workers[sm->next_worker++ % _vec_len (sm->workers)];
1086 /* Static mapping without port */
1087 next_worker_index = value0.value;
1090 /* Add to translated packets worker lookup */
1091 kv0.value = next_worker_index;
1092 clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv0, 1);
1095 next_worker_index = value0.value;
1097 if (PREDICT_FALSE (next_worker_index != cpu_index))
1101 if (next_worker_index != current_worker_index)
1104 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
1106 hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index,
1108 handoff_queue_elt_by_worker_index);
1110 n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors;
1111 to_next_worker = &hf->buffer_index[hf->n_vectors];
1112 current_worker_index = next_worker_index;
1115 /* enqueue to correct worker thread */
1116 to_next_worker[0] = bi0;
1118 n_left_to_next_worker--;
1120 if (n_left_to_next_worker == 0)
1122 hf->n_vectors = VLIB_FRAME_SIZE;
1123 vlib_put_frame_queue_elt (hf);
1124 current_worker_index = ~0;
1125 handoff_queue_elt_by_worker_index[next_worker_index] = 0;
1132 /* if this is 1st frame */
1135 f = vlib_get_frame_to_node (vm, snat_out2in_node.index);
1136 to_next = vlib_frame_vector_args (f);
1144 if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1145 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1147 snat_out2in_worker_handoff_trace_t *t =
1148 vlib_add_trace (vm, node, b0, sizeof (*t));
1149 t->next_worker_index = next_worker_index;
1150 t->do_handoff = do_handoff;
1155 vlib_put_frame_to_node (vm, snat_out2in_node.index, f);
1158 hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker;
1160 /* Ship frames to the worker nodes */
1161 for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++)
1163 if (handoff_queue_elt_by_worker_index[i])
1165 hf = handoff_queue_elt_by_worker_index[i];
1167 * It works better to let the handoff node
1168 * rate-adapt, always ship the handoff queue element.
1170 if (1 || hf->n_vectors == hf->last_n_vectors)
1172 vlib_put_frame_queue_elt (hf);
1173 handoff_queue_elt_by_worker_index[i] = 0;
1176 hf->last_n_vectors = hf->n_vectors;
1178 congested_handoff_queue_by_worker_index[i] =
1179 (vlib_frame_queue_t *) (~0);
1182 current_worker_index = ~0;
1183 return frame->n_vectors;
1186 VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = {
1187 .function = snat_out2in_worker_handoff_fn,
1188 .name = "snat-out2in-worker-handoff",
1189 .vector_size = sizeof (u32),
1190 .format_trace = format_snat_out2in_worker_handoff_trace,
1191 .type = VLIB_NODE_TYPE_INTERNAL,
1200 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn);
1202 static inline u32 icmp_out2in_fast (snat_main_t *sm,
1205 icmp46_header_t * icmp0,
1207 vlib_node_runtime_t * node,
1211 snat_session_key_t key0, sm0;
1212 icmp_echo_header_t *echo0;
1213 u32 new_addr0, old_addr0;
1214 u16 old_id0, new_id0;
1216 snat_runtime_t * rt = (snat_runtime_t *)node->runtime_data;
1218 echo0 = (icmp_echo_header_t *)(icmp0+1);
1220 key0.addr = ip0->dst_address;
1221 key0.port = echo0->identifier;
1222 key0.fib_index = rx_fib_index0;
1224 if (snat_static_mapping_match(sm, key0, &sm0, 1))
1226 ip4_address_t * first_int_addr;
1228 if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
1231 ip4_interface_first_address (sm->ip4_main, sw_if_index0,
1232 0 /* just want the address */);
1233 rt->cached_sw_if_index = sw_if_index0;
1235 rt->cached_ip4_address = first_int_addr->as_u32;
1237 rt->cached_ip4_address = 0;
1240 /* Don't NAT packet aimed at the intfc address */
1241 if (PREDICT_FALSE(ip0->dst_address.as_u32 ==
1242 rt->cached_ip4_address))
1245 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1246 return SNAT_OUT2IN_NEXT_DROP;
1249 new_addr0 = sm0.addr.as_u32;
1251 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1253 old_addr0 = ip0->dst_address.as_u32;
1254 ip0->dst_address.as_u32 = new_addr0;
1256 sum0 = ip0->checksum;
1257 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1259 dst_address /* changed member */);
1260 ip0->checksum = ip_csum_fold (sum0);
1262 if (PREDICT_FALSE(new_id0 != echo0->identifier))
1264 old_id0 = echo0->identifier;
1265 echo0->identifier = new_id0;
1267 sum0 = icmp0->checksum;
1268 sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
1270 icmp0->checksum = ip_csum_fold (sum0);
1277 snat_out2in_fast_node_fn (vlib_main_t * vm,
1278 vlib_node_runtime_t * node,
1279 vlib_frame_t * frame)
1281 u32 n_left_from, * from, * to_next;
1282 snat_out2in_next_t next_index;
1283 u32 pkts_processed = 0;
1284 snat_main_t * sm = &snat_main;
1286 from = vlib_frame_vector_args (frame);
1287 n_left_from = frame->n_vectors;
1288 next_index = node->cached_next_index;
1290 while (n_left_from > 0)
1294 vlib_get_next_frame (vm, node, next_index,
1295 to_next, n_left_to_next);
1297 while (n_left_from > 0 && n_left_to_next > 0)
1301 u32 next0 = SNAT_OUT2IN_NEXT_DROP;
1305 u32 new_addr0, old_addr0;
1306 u16 new_port0, old_port0;
1307 udp_header_t * udp0;
1308 tcp_header_t * tcp0;
1309 icmp46_header_t * icmp0;
1310 snat_session_key_t key0, sm0;
1314 /* speculatively enqueue b0 to the current next frame */
1320 n_left_to_next -= 1;
1322 b0 = vlib_get_buffer (vm, bi0);
1324 ip0 = vlib_buffer_get_current (b0);
1325 udp0 = ip4_next_header (ip0);
1326 tcp0 = (tcp_header_t *) udp0;
1327 icmp0 = (icmp46_header_t *) udp0;
1329 sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
1330 rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
1332 vnet_feature_next (sw_if_index0, &next0, b0);
1334 proto0 = ip_proto_to_snat_proto (ip0->protocol);
1336 if (PREDICT_FALSE (proto0 == ~0))
1339 if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
1341 next0 = icmp_out2in_fast
1342 (sm, b0, ip0, icmp0, sw_if_index0, node, next0, rx_fib_index0);
1346 key0.addr = ip0->dst_address;
1347 key0.port = udp0->dst_port;
1348 key0.fib_index = rx_fib_index0;
1350 if (snat_static_mapping_match(sm, key0, &sm0, 1))
1352 b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1356 new_addr0 = sm0.addr.as_u32;
1357 new_port0 = sm0.port;
1358 vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1359 old_addr0 = ip0->dst_address.as_u32;
1360 ip0->dst_address.as_u32 = new_addr0;
1362 sum0 = ip0->checksum;
1363 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1365 dst_address /* changed member */);
1366 ip0->checksum = ip_csum_fold (sum0);
1368 if (PREDICT_FALSE(new_port0 != udp0->dst_port))
1370 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1372 old_port0 = tcp0->ports.dst;
1373 tcp0->ports.dst = new_port0;
1375 sum0 = tcp0->checksum;
1376 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1378 dst_address /* changed member */);
1380 sum0 = ip_csum_update (sum0, old_port0, new_port0,
1381 ip4_header_t /* cheat */,
1382 length /* changed member */);
1383 tcp0->checksum = ip_csum_fold(sum0);
1387 old_port0 = udp0->dst_port;
1388 udp0->dst_port = new_port0;
1394 if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
1396 sum0 = tcp0->checksum;
1397 sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1399 dst_address /* changed member */);
1401 tcp0->checksum = ip_csum_fold(sum0);
1407 if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
1408 && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1410 snat_out2in_trace_t *t =
1411 vlib_add_trace (vm, node, b0, sizeof (*t));
1412 t->sw_if_index = sw_if_index0;
1413 t->next_index = next0;
1416 pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1418 /* verify speculative enqueue, maybe switch current next frame */
1419 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1420 to_next, n_left_to_next,
1424 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1427 vlib_node_increment_counter (vm, snat_out2in_fast_node.index,
1428 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1430 return frame->n_vectors;
1433 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
1434 .function = snat_out2in_fast_node_fn,
1435 .name = "snat-out2in-fast",
1436 .vector_size = sizeof (u32),
1437 .format_trace = format_snat_out2in_fast_trace,
1438 .type = VLIB_NODE_TYPE_INTERNAL,
1440 .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1441 .error_strings = snat_out2in_error_strings,
1443 .runtime_data_bytes = sizeof (snat_runtime_t),
1445 .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1447 /* edit / add dispositions here */
1449 [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1450 [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1451 [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1454 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);
Code Review / vpp.git / blob