From 204591d1bd754f6086edcf8b27a95beab929a78f Mon Sep 17 00:00:00 2001 From: Matus Fabian Date: Thu, 1 Mar 2018 04:48:33 -0800 Subject: [PATCH] NAT44: interface output feature and service host direct access (VPP-1176) forwarding mode: session initiaded from service host - translate session initiaded from remote host - do not translate Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32 Signed-off-by: Matus Fabian --- src/plugins/nat/in2out.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++-- src/plugins/nat/out2in.c | 58 +++++++++++++++++++++++++++++++++++++++--- test/test_nat.py | 44 ++++++++++++++++++++++++++++++++ 3 files changed, 161 insertions(+), 6 deletions(-) diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c index 003b1ad3858..24895a0fb11 100755 --- a/src/plugins/nat/in2out.c +++ b/src/plugins/nat/in2out.c @@ -470,6 +470,47 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) return 0; } +static inline int +nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv, value; + udp_header_t *udp; + + if (!sm->forwarding_enabled) + return 0; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return 0; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header(ip); + key.l_addr = ip->src_address; + key.r_addr = ip->dst_address; + key.proto = ip->protocol; + key.r_port = udp->dst_port; + key.l_port = udp->src_port; + } + else + { + key.l_addr = ip->src_address; + key.r_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + + if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value)) + return value.value == ~0ULL; + + return 0; +} + /** * Get address and port values to be used for ICMP packet translation * and create session if needed @@ -1290,6 +1331,8 @@ snat_in2out_lb (snat_main_t *sm, if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value)) { + if (s_value.value == ~0ULL) + return 0; s = pool_elt_at_index (tsm->sessions, s_value.value); } else @@ -1524,6 +1567,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0))) + goto trace00; + } + if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) { next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; @@ -1710,6 +1759,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1))) + goto trace01; + } + if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP)) { next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; @@ -1723,8 +1778,6 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } } - b1->flags |= VNET_BUFFER_F_IS_NATED; - key1.addr = ip1->src_address; key1.port = udp1->src_port; key1.protocol = proto1; @@ -1787,6 +1840,8 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } } + b1->flags |= VNET_BUFFER_F_IS_NATED; + old_addr1 = ip1->src_address.as_u32; ip1->src_address = s1->out2in.addr; new_addr1 = ip1->src_address.as_u32; @@ -1932,6 +1987,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0))) + goto trace0; + } + if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) { next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c index a03f780ba5e..4589c48aef6 100755 --- a/src/plugins/nat/out2in.c +++ b/src/plugins/nat/out2in.c @@ -311,6 +311,43 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) return 0; } +static void +create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv; + udp_header_t *udp; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header(ip); + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = udp->dst_port; + key.r_port = udp->src_port; + } + else + { + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + kv.value = ~0ULL; + + if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1)) + clib_warning ("in2out_ed key add failed"); +} + /** * Get address and port values to be used for ICMP packet translation * and create session if needed @@ -382,6 +419,7 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, } else { + create_bypass_for_fwd(sm, ip0); dont_translate = 1; goto out; } @@ -1116,7 +1154,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace0; } else - goto trace0; + { + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ @@ -1283,7 +1324,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace1; } else - goto trace1; + { + create_bypass_for_fwd(sm, ip1); + goto trace1; + } } /* Create session initiated by host from external network */ @@ -1486,7 +1530,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace00; } else - goto trace00; + { + create_bypass_for_fwd(sm, ip0); + goto trace00; + } } /* Create session initiated by host from external network */ @@ -1730,7 +1777,10 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, goto trace0; } else - goto trace0; + { + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ diff --git a/test/test_nat.py b/test/test_nat.py index 7ff3f8517ad..ec2009ef6fd 100644 --- a/test/test_nat.py +++ b/test/test_nat.py @@ -3369,6 +3369,50 @@ class TestNAT44(MethodHolder): self.logger.error(ppp("Unexpected or invalid packet:", p)) raise + def test_output_feature_and_service2(self): + """ NAT44 interface output feature and service host direct access """ + self.vapi.nat44_forwarding_enable_disable(1) + self.nat44_add_address(self.nat_addr) + self.vapi.nat44_interface_add_del_output_feature(self.pg1.sw_if_index, + is_inside=0) + + # session initiaded from service host - translate + pkts = self.create_stream_in(self.pg0, self.pg1) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + self.verify_capture_out(capture) + + pkts = self.create_stream_out(self.pg1) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + tcp_port_out = self.tcp_port_out + udp_port_out = self.udp_port_out + icmp_id_out = self.icmp_id_out + + # session initiaded from remote host - do not translate + pkts = self.create_stream_out(self.pg1, + self.pg0.remote_ip4, + use_inside_ports=True) + self.pg1.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg0.get_capture(len(pkts)) + self.verify_capture_in(capture, self.pg0) + + pkts = self.create_stream_in(self.pg0, self.pg1) + self.pg0.add_stream(pkts) + self.pg_enable_capture(self.pg_interfaces) + self.pg_start() + capture = self.pg1.get_capture(len(pkts)) + self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4, + same_port=True) + def test_one_armed_nat44(self): """ One armed NAT44 """ remote_host = self.pg9.remote_hosts[0] -- 2.16.6