summaryrefslogtreecommitdiffstats
path: root/src/plugins/nat
diff options
context:
space:
mode:
authorKlement Sekera <ksekera@cisco.com>2019-10-10 09:46:06 +0000
committerOle Trøan <otroan@employees.org>2020-01-03 10:10:15 +0000
commitf126e746fc01c75bc99329d10ce9127b26b23814 (patch)
treefaf9f09a363add6e140f30e25187b330843b3d21 /src/plugins/nat
parent3535501b19aec95dfd32870c784f841f57b5c045 (diff)
nat: use SVR
Remove NAT's implementation of shallow virtual reassembly with corresponding CLIs, APIs & tests. Replace with standalone shallow virtual reassembly provided by ipX-sv-reass* nodes. Type: refactor Change-Id: I7e6c7487a5a500d591f6871474a359e0993e59b6 Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'src/plugins/nat')
-rw-r--r--src/plugins/nat/CMakeLists.txt1
-rw-r--r--src/plugins/nat/dslite_in2out.c2
-rw-r--r--src/plugins/nat/dslite_out2in.c3
-rwxr-xr-xsrc/plugins/nat/in2out.c703
-rw-r--r--src/plugins/nat/in2out_ed.c811
-rw-r--r--src/plugins/nat/nat.api79
-rwxr-xr-xsrc/plugins/nat/nat.c184
-rw-r--r--src/plugins/nat/nat.h28
-rw-r--r--src/plugins/nat/nat44_classify.c299
-rw-r--r--src/plugins/nat/nat44_hairpinning.c6
-rw-r--r--src/plugins/nat/nat44_handoff.c30
-rw-r--r--src/plugins/nat/nat64.c69
-rw-r--r--src/plugins/nat/nat64.h4
-rw-r--r--src/plugins/nat/nat64_in2out.c748
-rw-r--r--src/plugins/nat/nat64_out2in.c569
-rw-r--r--src/plugins/nat/nat66.c6
-rw-r--r--src/plugins/nat/nat66_in2out.c2
-rw-r--r--src/plugins/nat/nat66_out2in.c2
-rw-r--r--src/plugins/nat/nat_api.c154
-rw-r--r--src/plugins/nat/nat_det_in2out.c12
-rw-r--r--src/plugins/nat/nat_det_out2in.c12
-rw-r--r--src/plugins/nat/nat_format.c14
-rw-r--r--src/plugins/nat/nat_inlines.h60
-rwxr-xr-xsrc/plugins/nat/nat_reass.c893
-rw-r--r--src/plugins/nat/nat_reass.h340
-rwxr-xr-xsrc/plugins/nat/out2in.c691
-rw-r--r--src/plugins/nat/out2in_ed.c767
-rw-r--r--src/plugins/nat/test/test_nat.py188
28 files changed, 1424 insertions, 5253 deletions
diff --git a/src/plugins/nat/CMakeLists.txt b/src/plugins/nat/CMakeLists.txt
index 4f6ed67a3da..372bbd61bb3 100644
--- a/src/plugins/nat/CMakeLists.txt
+++ b/src/plugins/nat/CMakeLists.txt
@@ -23,7 +23,6 @@ add_vpp_plugin(nat
nat_det.c
nat_det_in2out.c
nat_det_out2in.c
- nat_reass.c
nat_dpo.c
nat44_cli.c
nat44_handoff.c
diff --git a/src/plugins/nat/dslite_in2out.c b/src/plugins/nat/dslite_in2out.c
index 2a8b548c15f..4494a77701e 100644
--- a/src/plugins/nat/dslite_in2out.c
+++ b/src/plugins/nat/dslite_in2out.c
@@ -182,7 +182,7 @@ dslite_icmp_in2out (dslite_main_t * dm, ip6_header_t * ip6,
u16 old_id, new_id;
ip_csum_t sum;
- if (icmp_is_error_message (icmp))
+ if (icmp_type_is_error_message (icmp->type))
{
n = DSLITE_IN2OUT_NEXT_DROP;
*error = DSLITE_ERROR_BAD_ICMP_TYPE;
diff --git a/src/plugins/nat/dslite_out2in.c b/src/plugins/nat/dslite_out2in.c
index 18f9a577923..265d79fc53e 100644
--- a/src/plugins/nat/dslite_out2in.c
+++ b/src/plugins/nat/dslite_out2in.c
@@ -46,7 +46,8 @@ dslite_icmp_out2in (dslite_main_t * dm, ip4_header_t * ip4,
echo = (icmp_echo_header_t *) (icmp + 1);
- if (icmp_is_error_message (icmp) || (icmp->type != ICMP4_echo_reply))
+ if (icmp_type_is_error_message (icmp->type)
+ || (icmp->type != ICMP4_echo_reply))
{
n = DSLITE_OUT2IN_NEXT_DROP;
*error = DSLITE_ERROR_BAD_ICMP_TYPE;
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c
index 6cb111c9b3e..7eaaab29544 100755
--- a/src/plugins/nat/in2out.c
+++ b/src/plugins/nat/in2out.c
@@ -27,7 +27,6 @@
#include <vnet/udp/udp.h>
#include <nat/nat.h>
#include <nat/nat_ipfix_logging.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <nat/nat44_inlines.h>
#include <nat/nat_syslog.h>
@@ -84,8 +83,6 @@ _(BAD_ICMP_TYPE, "unsupported ICMP type") \
_(NO_TRANSLATION, "no translation") \
_(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
_(DROP_FRAGMENT, "drop fragment") \
-_(MAX_REASS, "maximum reassemblies exceeded") \
-_(MAX_FRAG, "maximum fragments per reassembly exceeded")\
_(TCP_PACKETS, "TCP packets") \
_(UDP_PACKETS, "UDP packets") \
_(ICMP_PACKETS, "ICMP packets") \
@@ -114,7 +111,6 @@ typedef enum
SNAT_IN2OUT_NEXT_DROP,
SNAT_IN2OUT_NEXT_ICMP_ERROR,
SNAT_IN2OUT_NEXT_SLOW_PATH,
- SNAT_IN2OUT_NEXT_REASS,
SNAT_IN2OUT_N_NEXT,
} snat_in2out_next_t;
@@ -255,7 +251,6 @@ slow_path (snat_main_t * sm, vlib_buffer_t * b0,
snat_session_t *s = 0;
clib_bihash_kv_8_8_t kv0;
snat_session_key_t key1;
- udp_header_t *udp0 = ip4_next_header (ip0);
u8 is_sm = 0;
nat_outside_fib_t *outside_fib;
fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
@@ -357,7 +352,7 @@ slow_path (snat_main_t * sm, vlib_buffer_t * b0,
break;
}
s->ext_host_addr.as_u32 = ip0->dst_address.as_u32;
- s->ext_host_port = udp0->dst_port;
+ s->ext_host_port = vnet_buffer (b0)->ip.reass.l4_dst_port;
*sessionp = s;
/* Add to translation hashes */
@@ -401,7 +396,7 @@ slow_path (snat_main_t * sm, vlib_buffer_t * b0,
#ifndef CLIB_MARCH_VARIANT
static_always_inline
- snat_in2out_error_t icmp_get_key (ip4_header_t * ip0,
+ snat_in2out_error_t icmp_get_key (vlib_buffer_t * b, ip4_header_t * ip0,
snat_session_key_t * p_key0)
{
icmp46_header_t *icmp0;
@@ -414,11 +409,12 @@ static_always_inline
icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
echo0 = (icmp_echo_header_t *) (icmp0 + 1);
- if (!icmp_is_error_message (icmp0))
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
{
key0.protocol = SNAT_PROTOCOL_ICMP;
key0.addr = ip0->src_address;
- key0.port = echo0->identifier;
+ key0.port = vnet_buffer (b)->ip.reass.l4_src_port; // TODO fixme should this be dst port?
}
else
{
@@ -466,7 +462,6 @@ icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node,
snat_session_key_t * p_value,
u8 * p_dont_translate, void *d, void *e)
{
- icmp46_header_t *icmp0;
u32 sw_if_index0;
u32 rx_fib_index0;
snat_session_key_t key0;
@@ -476,11 +471,10 @@ icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node,
u32 next0 = ~0;
int err;
- icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
- err = icmp_get_key (ip0, &key0);
+ err = icmp_get_key (b0, ip0, &key0);
if (err != -1)
{
b0->error = node->errors[err];
@@ -519,7 +513,9 @@ icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node,
}
}
- if (PREDICT_FALSE (icmp_is_error_message (icmp0)))
+ if (PREDICT_FALSE
+ (icmp_type_is_error_message
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags)))
{
b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_IN2OUT_NEXT_DROP;
@@ -540,9 +536,13 @@ icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node,
}
else
{
- if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request &&
- icmp0->type != ICMP4_echo_reply &&
- !icmp_is_error_message (icmp0)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_request
+ && vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_reply
+ && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_IN2OUT_NEXT_DROP;
@@ -585,7 +585,6 @@ icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
snat_session_key_t * p_value,
u8 * p_dont_translate, void *d, void *e)
{
- icmp46_header_t *icmp0;
u32 sw_if_index0;
u32 rx_fib_index0;
snat_session_key_t key0;
@@ -595,11 +594,10 @@ icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
u32 next0 = ~0;
int err;
- icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
- err = icmp_get_key (ip0, &key0);
+ err = icmp_get_key (b0, ip0, &key0);
if (err != -1)
{
b0->error = node->errors[err];
@@ -619,7 +617,8 @@ icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
goto out;
}
- if (icmp_is_error_message (icmp0))
+ if (icmp_type_is_error_message
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
{
next0 = SNAT_IN2OUT_NEXT_DROP;
goto out;
@@ -630,9 +629,12 @@ icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node,
goto out;
}
- if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request &&
- (icmp0->type != ICMP4_echo_reply || !is_addr_only) &&
- !icmp_is_error_message (icmp0)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_request
+ && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_reply || !is_addr_only)
+ && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_IN2OUT_NEXT_DROP;
@@ -706,84 +708,90 @@ icmp_in2out (snat_main_t * sm,
src_address /* changed member */ );
ip0->checksum = ip_csum_fold (sum0);
- if (icmp0->checksum == 0)
- icmp0->checksum = 0xffff;
-
- if (!icmp_is_error_message (icmp0))
- {
- new_id0 = sm0.port;
- if (PREDICT_FALSE (new_id0 != echo0->identifier))
- {
- old_id0 = echo0->identifier;
- new_id0 = sm0.port;
- echo0->identifier = new_id0;
-
- sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
- identifier);
- icmp0->checksum = ip_csum_fold (sum0);
- }
- }
- else
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- inner_ip0 = (ip4_header_t *) (echo0 + 1);
- l4_header = ip4_next_header (inner_ip0);
+ if (icmp0->checksum == 0)
+ icmp0->checksum = 0xffff;
- if (!ip4_header_checksum_is_valid (inner_ip0))
+ if (!icmp_type_is_error_message (icmp0->type))
{
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto out;
+ new_id0 = sm0.port;
+ if (PREDICT_FALSE (new_id0 != echo0->identifier))
+ {
+ old_id0 = echo0->identifier;
+ new_id0 = sm0.port;
+ echo0->identifier = new_id0;
+
+ sum0 = icmp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
+ identifier);
+ icmp0->checksum = ip_csum_fold (sum0);
+ }
}
-
- /* update inner destination IP address */
- old_addr0 = inner_ip0->dst_address.as_u32;
- inner_ip0->dst_address = sm0.addr;
- new_addr0 = inner_ip0->dst_address.as_u32;
- sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address /* changed member */ );
- icmp0->checksum = ip_csum_fold (sum0);
-
- /* update inner IP header checksum */
- old_checksum0 = inner_ip0->checksum;
- sum0 = inner_ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address /* changed member */ );
- inner_ip0->checksum = ip_csum_fold (sum0);
- new_checksum0 = inner_ip0->checksum;
- sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t,
- checksum);
- icmp0->checksum = ip_csum_fold (sum0);
-
- switch (protocol)
+ else
{
- case SNAT_PROTOCOL_ICMP:
- inner_icmp0 = (icmp46_header_t *) l4_header;
- inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
+ inner_ip0 = (ip4_header_t *) (echo0 + 1);
+ l4_header = ip4_next_header (inner_ip0);
- old_id0 = inner_echo0->identifier;
- new_id0 = sm0.port;
- inner_echo0->identifier = new_id0;
+ if (!ip4_header_checksum_is_valid (inner_ip0))
+ {
+ next0 = SNAT_IN2OUT_NEXT_DROP;
+ goto out;
+ }
+ /* update inner destination IP address */
+ old_addr0 = inner_ip0->dst_address.as_u32;
+ inner_ip0->dst_address = sm0.addr;
+ new_addr0 = inner_ip0->dst_address.as_u32;
sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
- identifier);
+ sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
+ dst_address /* changed member */ );
icmp0->checksum = ip_csum_fold (sum0);
- break;
- case SNAT_PROTOCOL_UDP:
- case SNAT_PROTOCOL_TCP:
- old_id0 = ((tcp_udp_header_t *) l4_header)->dst_port;
- new_id0 = sm0.port;
- ((tcp_udp_header_t *) l4_header)->dst_port = new_id0;
+ /* update inner IP header checksum */
+ old_checksum0 = inner_ip0->checksum;
+ sum0 = inner_ip0->checksum;
+ sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
+ dst_address /* changed member */ );
+ inner_ip0->checksum = ip_csum_fold (sum0);
+ new_checksum0 = inner_ip0->checksum;
sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
- dst_port);
+ sum0 =
+ ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t,
+ checksum);
icmp0->checksum = ip_csum_fold (sum0);
- break;
- default:
- ASSERT (0);
+
+ switch (protocol)
+ {
+ case SNAT_PROTOCOL_ICMP:
+ inner_icmp0 = (icmp46_header_t *) l4_header;
+ inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
+
+ old_id0 = inner_echo0->identifier;
+ new_id0 = sm0.port;
+ inner_echo0->identifier = new_id0;
+
+ sum0 = icmp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
+ identifier);
+ icmp0->checksum = ip_csum_fold (sum0);
+ break;
+ case SNAT_PROTOCOL_UDP:
+ case SNAT_PROTOCOL_TCP:
+ old_id0 = ((tcp_udp_header_t *) l4_header)->dst_port;
+ new_id0 = sm0.port;
+ ((tcp_udp_header_t *) l4_header)->dst_port = new_id0;
+
+ sum0 = icmp0->checksum;
+ sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
+ dst_port);
+ icmp0->checksum = ip_csum_fold (sum0);
+ break;
+ default:
+ ASSERT (0);
+ }
}
}
@@ -939,7 +947,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
b1 = vlib_get_buffer (vm, bi1);
if (is_output_feature)
- iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
+ iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
iph_offset0);
@@ -999,13 +1007,6 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
goto trace00;
}
- if (ip4_is_fragment (ip0))
- {
- next0 = SNAT_IN2OUT_NEXT_REASS;
- fragments++;
- goto trace00;
- }
-
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
@@ -1014,7 +1015,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
key0.addr = ip0->src_address;
- key0.port = udp0->src_port;
+ key0.port = vnet_buffer (b0)->ip.reass.l4_src_port;
key0.protocol = proto0;
key0.fib_index = rx_fib_index0;
@@ -1029,13 +1030,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
{
if (is_output_feature)
{
- if (PREDICT_FALSE (nat_not_translate_output_feature (sm,
- ip0,
- proto0,
- udp0->src_port,
- udp0->dst_port,
- thread_index,
- sw_if_index0)))
+ if (PREDICT_FALSE
+ (nat_not_translate_output_feature
+ (sm, ip0, proto0,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ thread_index, sw_if_index0)))
goto trace00;
/*
@@ -1045,7 +1045,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE
((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
&& proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
clib_host_to_net_u16
(UDP_DST_PORT_dhcp_to_server))))
goto trace00;
@@ -1092,34 +1092,42 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
src_address /* changed member */ );
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->src_port;
- new_port0 = udp0->src_port = s0->out2in.port;
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- mss_clamping (sm, tcp0, &sum0);
- tcp0->checksum = ip_csum_fold (sum0);
- tcp_packets++;
- }
- else
- {
- if (PREDICT_FALSE (udp0->checksum))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = udp0->checksum;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ sum0 = tcp0->checksum;
sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
ip4_header_t,
dst_address /* changed member */ );
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */ ,
length /* changed member */ );
- udp0->checksum = ip_csum_fold (sum0);
+ mss_clamping (sm, tcp0, &sum0);
+ tcp0->checksum = ip_csum_fold (sum0);
+ }
+ tcp_packets++;
+ }
+ else
+ {
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
+ {
+ if (PREDICT_FALSE (udp0->checksum))
+ {
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ sum0 = udp0->checksum;
+ sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
+ );
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0,
+ ip4_header_t /* cheat */ ,
+ length /* changed member */ );
+ udp0->checksum = ip_csum_fold (sum0);
+ }
}
udp_packets++;
}
@@ -1149,7 +1157,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
pkts_processed += next0 == SNAT_IN2OUT_NEXT_LOOKUP;
if (is_output_feature)
- iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
+ iph_offset1 = vnet_buffer (b1)->ip.reass.save_rewrite_length;
ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) +
iph_offset1);
@@ -1207,13 +1215,6 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
goto trace01;
}
- if (ip4_is_fragment (ip1))
- {
- next1 = SNAT_IN2OUT_NEXT_REASS;
- fragments++;
- goto trace01;
- }
-
if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
{
next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
@@ -1222,7 +1223,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
key1.addr = ip1->src_address;
- key1.port = udp1->src_port;
+ key1.port = vnet_buffer (b1)->ip.reass.l4_src_port;
key1.protocol = proto1;
key1.fib_index = rx_fib_index1;
@@ -1237,13 +1238,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
{
if (is_output_feature)
{
- if (PREDICT_FALSE (nat_not_translate_output_feature (sm,
- ip1,
- proto1,
- udp1->src_port,
- udp1->dst_port,
- thread_index,
- sw_if_index1)))
+ if (PREDICT_FALSE
+ (nat_not_translate_output_feature
+ (sm, ip1, proto1,
+ vnet_buffer (b1)->ip.reass.l4_src_port,
+ vnet_buffer (b1)->ip.reass.l4_dst_port,
+ thread_index, sw_if_index1)))
goto trace01;
/*
@@ -1253,7 +1253,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE
((b1->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
&& proto1 == SNAT_PROTOCOL_UDP
- && (udp1->dst_port ==
+ && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
clib_host_to_net_u16
(UDP_DST_PORT_dhcp_to_server))))
goto trace01;
@@ -1300,34 +1300,41 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
src_address /* changed member */ );
ip1->checksum = ip_csum_fold (sum1);
- old_port1 = udp1->src_port;
- new_port1 = udp1->src_port = s1->out2in.port;
-
if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
{
- sum1 = tcp1->checksum;
- sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
- ip4_header_t,
- dst_address /* changed member */ );
- sum1 = ip_csum_update (sum1, old_port1, new_port1,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- mss_clamping (sm, tcp1, &sum1);
- tcp1->checksum = ip_csum_fold (sum1);
- tcp_packets++;
- }
- else
- {
- if (PREDICT_FALSE (udp1->checksum))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum1 = udp1->checksum;
+ old_port1 = vnet_buffer (b1)->ip.reass.l4_src_port;
+ new_port1 = udp1->src_port = s1->out2in.port;
+ sum1 = tcp1->checksum;
sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
ip4_header_t,
dst_address /* changed member */ );
sum1 = ip_csum_update (sum1, old_port1, new_port1,
ip4_header_t /* cheat */ ,
length /* changed member */ );
- udp1->checksum = ip_csum_fold (sum1);
+ mss_clamping (sm, tcp1, &sum1);
+ tcp1->checksum = ip_csum_fold (sum1);
+ }
+ tcp_packets++;
+ }
+ else
+ {
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
+ {
+ if (PREDICT_FALSE (udp1->checksum))
+ {
+ old_port1 = vnet_buffer (b1)->ip.reass.l4_src_port;
+ new_port1 = udp1->src_port = s1->out2in.port;
+ sum1 = udp1->checksum;
+ sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, dst_address /* changed member */
+ );
+ sum1 =
+ ip_csum_update (sum1, old_port1, new_port1,
+ ip4_header_t /* cheat */ ,
+ length /* changed member */ );
+ udp1->checksum = ip_csum_fold (sum1);
+ }
}
udp_packets++;
}
@@ -1393,7 +1400,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
next0 = SNAT_IN2OUT_NEXT_LOOKUP;
if (is_output_feature)
- iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
+ iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
iph_offset0);
@@ -1451,13 +1458,6 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
goto trace0;
}
- if (ip4_is_fragment (ip0))
- {
- next0 = SNAT_IN2OUT_NEXT_REASS;
- fragments++;
- goto trace0;
- }
-
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
@@ -1466,7 +1466,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
key0.addr = ip0->src_address;
- key0.port = udp0->src_port;
+ key0.port = vnet_buffer (b0)->ip.reass.l4_src_port;
key0.protocol = proto0;
key0.fib_index = rx_fib_index0;
@@ -1479,13 +1479,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
{
if (is_output_feature)
{
- if (PREDICT_FALSE (nat_not_translate_output_feature (sm,
- ip0,
- proto0,
- udp0->src_port,
- udp0->dst_port,
- thread_index,
- sw_if_index0)))
+ if (PREDICT_FALSE
+ (nat_not_translate_output_feature
+ (sm, ip0, proto0,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ thread_index, sw_if_index0)))
goto trace0;
/*
@@ -1495,7 +1494,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE
((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
&& proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
clib_host_to_net_u16
(UDP_DST_PORT_dhcp_to_server))))
goto trace0;
@@ -1543,34 +1542,41 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
src_address /* changed member */ );
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->src_port;
- new_port0 = udp0->src_port = s0->out2in.port;
-
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- mss_clamping (sm, tcp0, &sum0);
- tcp0->checksum = ip_csum_fold (sum0);
- tcp_packets++;
- }
- else
- {
- if (PREDICT_FALSE (udp0->checksum))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = udp0->checksum;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ sum0 = tcp0->checksum;
sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
ip4_header_t,
dst_address /* changed member */ );
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */ ,
length /* changed member */ );
- udp0->checksum = ip_csum_fold (sum0);
+ mss_clamping (sm, tcp0, &sum0);
+ tcp0->checksum = ip_csum_fold (sum0);
+ }
+ tcp_packets++;
+ }
+ else
+ {
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
+ {
+ if (PREDICT_FALSE (udp0->checksum))
+ {
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ sum0 = udp0->checksum;
+ sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
+ );
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0,
+ ip4_header_t /* cheat */ ,
+ length /* changed member */ );
+ udp0->checksum = ip_csum_fold (sum0);
+ }
}
udp_packets++;
}
@@ -1654,7 +1660,6 @@ VLIB_REGISTER_NODE (snat_in2out_node) = {
[SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
[SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
},
};
/* *INDENT-ON* */
@@ -1687,7 +1692,6 @@ VLIB_REGISTER_NODE (snat_in2out_output_node) = {
[SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
[SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
[SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
},
};
/* *INDENT-ON* */
@@ -1720,7 +1724,6 @@ VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = {
[SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
[SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
},
};
/* *INDENT-ON* */
@@ -1753,307 +1756,6 @@ VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = {
[SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
[SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-output-slowpath",
[SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
- },
-};
-/* *INDENT-ON* */
-
-VLIB_NODE_FN (nat44_in2out_reass_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- u32 n_left_from, *from, *to_next;
- snat_in2out_next_t next_index;
- u32 pkts_processed = 0, cached_fragments = 0;
- snat_main_t *sm = &snat_main;
- f64 now = vlib_time_now (vm);
- u32 thread_index = vm->thread_index;
- snat_main_per_thread_data_t *per_thread_data =
- &sm->per_thread_data[thread_index];
- u32 *fragments_to_drop = 0;
- u32 *fragments_to_loopback = 0;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
- vlib_buffer_t *b0;
- u32 next0;
- u8 cached0 = 0;
- ip4_header_t *ip0;
- nat_reass_ip4_t *reass0;
- udp_header_t *udp0;
- tcp_header_t *tcp0;
- icmp46_header_t *icmp0;
- snat_session_key_t key0;
- clib_bihash_kv_8_8_t kv0, value0;
- snat_session_t *s0 = 0;
- u16 old_port0, new_port0;
- ip_csum_t sum0;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
- next0 = SNAT_IN2OUT_NEXT_LOOKUP;
-
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 =
- fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
-
- if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
- {
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
- icmp0 = (icmp46_header_t *) udp0;
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1, &fragments_to_drop);
-
- if (PREDICT_FALSE (!reass0))
- {
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto trace0;
- }
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
- {
- next0 = icmp_in2out_slow_path
- (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, thread_index, &s0);
-
- if (PREDICT_TRUE (next0 != SNAT_IN2OUT_NEXT_DROP))
- {
- if (s0)
- reass0->sess_index = s0 - per_thread_data->sessions;
- else
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
-
- goto trace0;
- }
-
- key0.addr = ip0->src_address;
- key0.port = udp0->src_port;
- key0.protocol = proto0;
- key0.fib_index = rx_fib_index0;
- kv0.key = key0.as_u64;
-
- if (clib_bihash_search_8_8
- (&per_thread_data->in2out, &kv0, &value0))
- {
- if (PREDICT_FALSE
- (snat_not_translate
- (sm, node, sw_if_index0, ip0, proto0, rx_fib_index0,
- thread_index)))
- goto trace0;
-
- next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
- &s0, node, next0, thread_index, now);
-
- if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
- goto trace0;
-
- if (PREDICT_FALSE (!s0))
- goto trace0;
-
- reass0->sess_index = s0 - per_thread_data->sessions;
- }
- else
- {
- s0 = pool_elt_at_index (per_thread_data->sessions,
- value0.value);
- reass0->sess_index = value0.value;
- }
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- }
- else
- {
- if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
- {
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
- nat_elog_notice
- ("maximum fragments per reassembly exceeded");
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto trace0;
- }
- cached0 = 1;
- goto trace0;
- }
- s0 = pool_elt_at_index (per_thread_data->sessions,
- reass0->sess_index);
- }
-
- old_addr0 = ip0->src_address.as_u32;
- ip0->src_address = s0->out2in.addr;
- new_addr0 = ip0->src_address.as_u32;
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
-
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- src_address /* changed member */ );
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- old_port0 = udp0->src_port;
- new_port0 = udp0->src_port = s0->out2in.port;
-
- if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
- {
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- tcp0->checksum = ip_csum_fold (sum0);
- }
- else if (PREDICT_FALSE (udp0->checksum))
- {
- sum0 = udp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- udp0->checksum = ip_csum_fold (sum0);
- }
- }
-
- /* Hairpinning */
- nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
- s0->ext_host_port, proto0, 0);
-
- /* Accounting */
- nat44_session_update_counters (s0, now,
- vlib_buffer_length_in_chain (vm, b0),
- thread_index);
- /* Per-user LRU list maintenance */
- nat44_session_update_lru (sm, s0, thread_index);
-
- trace0:
- if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- nat44_reass_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->cached = cached0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- }
-
- if (cached0)
- {
- n_left_to_next++;
- to_next--;
- cached_fragments++;
- }
- else
- {
- pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- if (n_left_from == 0 && vec_len (fragments_to_loopback))
- {
- from = vlib_frame_vector_args (frame);
- u32 len = vec_len (fragments_to_loopback);
- if (len <= VLIB_FRAME_SIZE)
- {
- clib_memcpy_fast (from, fragments_to_loopback,
- sizeof (u32) * len);
- n_left_from = len;
- vec_reset_length (fragments_to_loopback);
- }
- else
- {
- clib_memcpy_fast (from, fragments_to_loopback +
- (len - VLIB_FRAME_SIZE),
- sizeof (u32) * VLIB_FRAME_SIZE);
- n_left_from = VLIB_FRAME_SIZE;
- _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
- }
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, sm->in2out_reass_node_index,
- SNAT_IN2OUT_ERROR_PROCESSED_FRAGMENTS,
- pkts_processed);
- vlib_node_increment_counter (vm, sm->in2out_reass_node_index,
- SNAT_IN2OUT_ERROR_CACHED_FRAGMENTS,
- cached_fragments);
-
- nat_send_all_to_node (vm, fragments_to_drop, node,
- &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
- SNAT_IN2OUT_NEXT_DROP);
-
- vec_free (fragments_to_drop);
- vec_free (fragments_to_loopback);
- return frame->n_vectors;
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (nat44_in2out_reass_node) = {
- .name = "nat44-in2out-reass",
- .vector_size = sizeof (u32),
- .format_trace = format_nat44_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .n_next_nodes = SNAT_IN2OUT_N_NEXT,
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
- [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
},
};
/* *INDENT-ON* */
@@ -2264,7 +1966,6 @@ VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
[SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
[SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass",
},
};
/* *INDENT-ON* */
diff --git a/src/plugins/nat/in2out_ed.c b/src/plugins/nat/in2out_ed.c
index f8cd89fb8de..0209a4059db 100644
--- a/src/plugins/nat/in2out_ed.c
+++ b/src/plugins/nat/in2out_ed.c
@@ -27,7 +27,6 @@
#include <vppinfra/error.h>
#include <nat/nat.h>
#include <nat/nat_ipfix_logging.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <nat/nat44_inlines.h>
#include <nat/nat_syslog.h>
@@ -189,8 +188,7 @@ slow_path_ed (snat_main_t * sm,
u32 rx_fib_index,
clib_bihash_kv_16_8_t * kv,
snat_session_t ** sessionp,
- vlib_node_runtime_t * node, u32 next, u32 thread_index, f64 now,
- tcp_header_t * tcp)
+ vlib_node_runtime_t * node, u32 next, u32 thread_index, f64 now)
{
snat_session_t *s = 0;
snat_user_t *u;
@@ -254,7 +252,8 @@ slow_path_ed (snat_main_t * sm,
if (proto == SNAT_PROTOCOL_TCP)
{
- if (!tcp_is_init (tcp))
+ if (!tcp_flags_is_init
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
{
b->error = node->errors[NAT_IN2OUT_ED_ERROR_NON_SYN];
return NAT_NEXT_DROP;
@@ -405,7 +404,6 @@ nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
{
nat_ed_ses_key_t key;
clib_bihash_kv_16_8_t kv, value;
- udp_header_t *udp;
snat_session_t *s = 0;
snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
@@ -415,7 +413,7 @@ nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
if (ip->protocol == IP_PROTOCOL_ICMP)
{
key.as_u64[0] = key.as_u64[1] = 0;
- if (get_icmp_i2o_ed_key (ip, &key))
+ if (get_icmp_i2o_ed_key (b, ip, &key))
return 0;
key.fib_index = 0;
kv.key[0] = key.as_u64[0];
@@ -423,9 +421,9 @@ nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
}
else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
{
- udp = ip4_next_header (ip);
make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0,
- udp->src_port, udp->dst_port);
+ vnet_buffer (b)->ip.reass.l4_src_port,
+ vnet_buffer (b)->ip.reass.l4_dst_port);
}
else
{
@@ -440,8 +438,7 @@ nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip,
{
if (ip->protocol == IP_PROTOCOL_TCP)
{
- tcp_header_t *tcp = ip4_next_header (ip);
- if (nat44_set_tcp_session_state_i2o (sm, s, tcp, thread_index))
+ if (nat44_set_tcp_session_state_i2o (sm, s, b, thread_index))
return 1;
}
/* Accounting */
@@ -518,7 +515,6 @@ icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
u8 * p_proto, snat_session_key_t * p_value,
u8 * p_dont_translate, void *d, void *e)
{
- icmp46_header_t *icmp;
u32 sw_if_index;
u32 rx_fib_index;
nat_ed_ses_key_t key;
@@ -529,12 +525,11 @@ icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
int err;
snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
- icmp = (icmp46_header_t *) ip4_next_header (ip);
sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
key.as_u64[0] = key.as_u64[1] = 0;
- err = get_icmp_i2o_ed_key (ip, &key);
+ err = get_icmp_i2o_ed_key (b, ip, &key);
if (err != 0)
{
b->error = node->errors[err];
@@ -550,18 +545,10 @@ icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
{
if (vnet_buffer (b)->sw_if_index[VLIB_TX] != ~0)
{
- if (PREDICT_FALSE (nat44_ed_not_translate_output_feature (sm, ip,
- key.proto,
- key.
- l_port,
- key.
- r_port,
- thread_index,
- sw_if_index,
- vnet_buffer
- (b)->
- sw_if_index
- [VLIB_TX])))
+ if (PREDICT_FALSE
+ (nat44_ed_not_translate_output_feature
+ (sm, ip, key.proto, key.l_port, key.r_port, thread_index,
+ sw_if_index, vnet_buffer (b)->sw_if_index[VLIB_TX])))
{
dont_translate = 1;
goto out;
@@ -579,7 +566,9 @@ icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
}
}
- if (PREDICT_FALSE (icmp_is_error_message (icmp)))
+ if (PREDICT_FALSE
+ (icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags)))
{
b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
next = NAT_NEXT_DROP;
@@ -587,7 +576,7 @@ icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
}
next = slow_path_ed (sm, b, rx_fib_index, &kv, &s, node, next,
- thread_index, vlib_time_now (sm->vlib_main), 0);
+ thread_index, vlib_time_now (sm->vlib_main));
if (PREDICT_FALSE (next == NAT_NEXT_DROP))
goto out;
@@ -600,9 +589,13 @@ icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node,
}
else
{
- if (PREDICT_FALSE (icmp->type != ICMP4_echo_request &&
- icmp->type != ICMP4_echo_reply &&
- !icmp_is_error_message (icmp)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_request
+ && vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_reply
+ && !icmp_type_is_error_message (vnet_buffer (b)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE];
next = NAT_NEXT_DROP;
@@ -837,14 +830,11 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
u32 thread_index = vm->thread_index;
snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
- 0, fragments = 0, def_slow, def_reass;
+ 0, def_slow;
def_slow = is_output_feature ? NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH :
NAT_NEXT_IN2OUT_ED_SLOW_PATH;
- def_reass = is_output_feature ? NAT_NEXT_IN2OUT_ED_OUTPUT_REASS :
- NAT_NEXT_IN2OUT_ED_REASS;
-
stats_node_index = is_slow_path ? sm->ed_in2out_slowpath_node_index :
sm->ed_in2out_node_index;
@@ -910,8 +900,8 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
vnet_feature_next (&nat_buffer_opaque (b1)->arc_next, b1);
}
- iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
- iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length;
+ iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
+ iph_offset1 = vnet_buffer (b1)->ip.reass.save_rewrite_length;
}
next0 = nat_buffer_opaque (b0)->arc_next;
@@ -971,13 +961,6 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
goto trace00;
}
- if (ip4_is_fragment (ip0))
- {
- next0 = def_reass;
- fragments++;
- goto trace00;
- }
-
if (is_output_feature)
{
if (PREDICT_FALSE
@@ -994,8 +977,9 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
}
make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
- ip0->protocol, rx_fib_index0, udp0->src_port,
- udp0->dst_port);
+ ip0->protocol, rx_fib_index0,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port);
if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
{
@@ -1005,8 +989,10 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
{
if (PREDICT_FALSE
(nat44_ed_not_translate_output_feature
- (sm, ip0, ip0->protocol, udp0->src_port,
- udp0->dst_port, thread_index, sw_if_index0,
+ (sm, ip0, ip0->protocol,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ thread_index, sw_if_index0,
vnet_buffer (b0)->sw_if_index[VLIB_TX])))
goto trace00;
@@ -1017,7 +1003,7 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE
((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
&& proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
clib_host_to_net_u16
(UDP_DST_PORT_dhcp_to_server))))
goto trace00;
@@ -1034,7 +1020,7 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
next0 =
slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
- next0, thread_index, now, tcp0);
+ next0, thread_index, now);
if (PREDICT_FALSE (next0 == NAT_NEXT_DROP))
goto trace00;
@@ -1069,36 +1055,44 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
dst_address);
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->src_port;
- new_port0 = udp0->src_port = s0->out2in.port;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
- tcp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ sum0 = tcp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
+ dst_address);
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
+ length);
+ if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ {
+ sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
+ s0->ext_host_addr.as_u32,
+ ip4_header_t, dst_address);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.
+ reass.l4_dst_port, s0->ext_host_port,
+ ip4_header_t, length);
+ tcp0->dst_port = s0->ext_host_port;
+ ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ }
+ mss_clamping (sm, tcp0, &sum0);
+ tcp0->checksum = ip_csum_fold (sum0);
}
- mss_clamping (sm, tcp0, &sum0);
- tcp0->checksum = ip_csum_fold (sum0);
tcp_packets++;
- if (nat44_set_tcp_session_state_i2o
- (sm, s0, tcp0, thread_index))
+ if (nat44_set_tcp_session_state_i2o (sm, s0, b0, thread_index))
goto trace00;
}
- else if (udp0->checksum)
+ else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
+ && udp0->checksum)
{
+ new_port0 = udp0->src_port = s0->out2in.port;
sum0 = udp0->checksum;
sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
dst_address);
@@ -1109,9 +1103,10 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
s0->ext_host_addr.as_u32,
ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ s0->ext_host_port, ip4_header_t, length);
udp0->dst_port = s0->ext_host_port;
ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
}
@@ -1120,12 +1115,16 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- udp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ {
+ udp0->dst_port = s0->ext_host_port;
+ ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ }
+ udp_packets++;
}
- udp_packets++;
}
/* Accounting */
@@ -1181,8 +1180,8 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
{
s1 = nat44_ed_in2out_unknown_proto (sm, b1, ip1,
rx_fib_index1,
- thread_index, now, vm,
- node);
+ thread_index, now,
+ vm, node);
if (!s1)
next1 = NAT_NEXT_DROP;
other_packets++;
@@ -1192,8 +1191,8 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
{
next1 = icmp_in2out_ed_slow_path
- (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
- next1, now, thread_index, &s1);
+ (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1,
+ node, next1, now, thread_index, &s1);
icmp_packets++;
goto trace01;
}
@@ -1206,13 +1205,6 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
goto trace01;
}
- if (ip4_is_fragment (ip1))
- {
- next1 = def_reass;
- fragments++;
- goto trace01;
- }
-
if (is_output_feature)
{
if (PREDICT_FALSE
@@ -1229,8 +1221,9 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
}
make_ed_kv (&kv1, &ip1->src_address, &ip1->dst_address,
- ip1->protocol, rx_fib_index1, udp1->src_port,
- udp1->dst_port);
+ ip1->protocol, rx_fib_index1,
+ vnet_buffer (b1)->ip.reass.l4_src_port,
+ vnet_buffer (b1)->ip.reass.l4_dst_port);
if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv1, &value1))
{
@@ -1240,8 +1233,10 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
{
if (PREDICT_FALSE
(nat44_ed_not_translate_output_feature
- (sm, ip1, ip1->protocol, udp1->src_port,
- udp1->dst_port, thread_index, sw_if_index1,
+ (sm, ip1, ip1->protocol,
+ vnet_buffer (b1)->ip.reass.l4_src_port,
+ vnet_buffer (b1)->ip.reass.l4_dst_port,
+ thread_index, sw_if_index1,
vnet_buffer (b1)->sw_if_index[VLIB_TX])))
goto trace01;
@@ -1252,7 +1247,7 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE
((b1->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
&& proto1 == SNAT_PROTOCOL_UDP
- && (udp1->dst_port ==
+ && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
clib_host_to_net_u16
(UDP_DST_PORT_dhcp_to_server))))
goto trace01;
@@ -1261,7 +1256,8 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
{
if (PREDICT_FALSE (nat44_ed_not_translate (sm, node,
sw_if_index1,
- ip1, proto1,
+ ip1,
+ proto1,
rx_fib_index1,
thread_index)))
goto trace01;
@@ -1269,7 +1265,7 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
next1 =
slow_path_ed (sm, b1, rx_fib_index1, &kv1, &s1, node,
- next1, thread_index, now, tcp1);
+ next1, thread_index, now);
if (PREDICT_FALSE (next1 == NAT_NEXT_DROP))
goto trace01;
@@ -1304,50 +1300,62 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
dst_address);
ip1->checksum = ip_csum_fold (sum1);
- old_port1 = udp1->src_port;
- new_port1 = udp1->src_port = s1->out2in.port;
+ old_port1 = vnet_buffer (b1)->ip.reass.l4_src_port;
if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
{
- sum1 = tcp1->checksum;
- sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
- dst_address);
- sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
- length);
- if (PREDICT_FALSE (is_twice_nat_session (s1)))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32,
- s1->ext_host_addr.as_u32,
- ip4_header_t, dst_address);
- sum1 = ip_csum_update (sum1, tcp1->dst_port,
- s1->ext_host_port, ip4_header_t,
- length);
- tcp1->dst_port = s1->ext_host_port;
- ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
+ new_port1 = udp1->src_port = s1->out2in.port;
+ sum1 = tcp1->checksum;
+ sum1 =
+ ip_csum_update (sum1, old_addr1, new_addr1,
+ ip4_header_t, dst_address);
+ sum1 =
+ ip_csum_update (sum1, old_port1, new_port1,
+ ip4_header_t, length);
+ if (PREDICT_FALSE (is_twice_nat_session (s1)))
+ {
+ sum1 =
+ ip_csum_update (sum1, ip1->dst_address.as_u32,
+ s1->ext_host_addr.as_u32,
+ ip4_header_t, dst_address);
+ sum1 =
+ ip_csum_update (sum1,
+ vnet_buffer (b1)->ip.
+ reass.l4_dst_port, s1->ext_host_port,
+ ip4_header_t, length);
+ tcp1->dst_port = s1->ext_host_port;
+ ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
+ }
+ tcp1->checksum = ip_csum_fold (sum1);
+ mss_clamping (sm, tcp1, &sum1);
}
- tcp1->checksum = ip_csum_fold (sum1);
- mss_clamping (sm, tcp1, &sum1);
tcp_packets++;
- if (nat44_set_tcp_session_state_i2o
- (sm, s1, tcp1, thread_index))
+ if (nat44_set_tcp_session_state_i2o (sm, s1, b1, thread_index))
goto trace01;
}
- else if (udp1->checksum)
+ else if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment
+ && udp1->checksum)
{
+ new_port1 = udp1->src_port = s1->out2in.port;
sum1 = udp1->checksum;
- sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
- dst_address);
- sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
- length);
+ sum1 =
+ ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
+ dst_address);
+ sum1 =
+ ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
+ length);
if (PREDICT_FALSE (is_twice_nat_session (s1)))
{
sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32,
s1->ext_host_addr.as_u32,
ip4_header_t, dst_address);
- sum1 = ip_csum_update (sum1, tcp1->dst_port,
- s1->ext_host_port, ip4_header_t,
- length);
+ sum1 =
+ ip_csum_update (sum1,
+ vnet_buffer (b1)->ip.reass.l4_dst_port,
+ s1->ext_host_port, ip4_header_t, length);
udp1->dst_port = s1->ext_host_port;
ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
}
@@ -1356,17 +1364,22 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (PREDICT_FALSE (is_twice_nat_session (s1)))
+ if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
{
- udp1->dst_port = s1->ext_host_port;
- ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
+ new_port1 = udp1->src_port = s1->out2in.port;
+ if (PREDICT_FALSE (is_twice_nat_session (s1)))
+ {
+ udp1->dst_port = s1->ext_host_port;
+ ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
+ }
}
udp_packets++;
}
/* Accounting */
nat44_session_update_counters (s1, now,
- vlib_buffer_length_in_chain (vm, b1),
+ vlib_buffer_length_in_chain (vm,
+ b1),
thread_index);
/* Per-user LRU list maintenance */
nat44_session_update_lru (sm, s1, thread_index);
@@ -1426,7 +1439,7 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_TRUE (!is_slow_path))
vnet_feature_next (&nat_buffer_opaque (b0)->arc_next, b0);
- iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
+ iph_offset0 = vnet_buffer (b0)->ip.reass.save_rewrite_length;
}
next0 = nat_buffer_opaque (b0)->arc_next;
@@ -1460,8 +1473,8 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
{
s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0,
rx_fib_index0,
- thread_index, now, vm,
- node);
+ thread_index, now,
+ vm, node);
if (!s0)
next0 = NAT_NEXT_DROP;
other_packets++;
@@ -1471,8 +1484,8 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = icmp_in2out_ed_slow_path
- (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, thread_index, &s0);
+ (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
+ node, next0, now, thread_index, &s0);
icmp_packets++;
goto trace0;
}
@@ -1485,13 +1498,6 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
goto trace0;
}
- if (ip4_is_fragment (ip0))
- {
- next0 = def_reass;
- fragments++;
- goto trace0;
- }
-
if (is_output_feature)
{
if (PREDICT_FALSE
@@ -1508,8 +1514,9 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
}
make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
- ip0->protocol, rx_fib_index0, udp0->src_port,
- udp0->dst_port);
+ ip0->protocol, rx_fib_index0,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port);
if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
{
@@ -1519,8 +1526,10 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
{
if (PREDICT_FALSE
(nat44_ed_not_translate_output_feature
- (sm, ip0, ip0->protocol, udp0->src_port,
- udp0->dst_port, thread_index, sw_if_index0,
+ (sm, ip0, ip0->protocol,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ thread_index, sw_if_index0,
vnet_buffer (b0)->sw_if_index[VLIB_TX])))
goto trace0;
@@ -1531,7 +1540,7 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE
((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
&& proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
clib_host_to_net_u16
(UDP_DST_PORT_dhcp_to_server))))
goto trace0;
@@ -1540,7 +1549,8 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
{
if (PREDICT_FALSE (nat44_ed_not_translate (sm, node,
sw_if_index0,
- ip0, proto0,
+ ip0,
+ proto0,
rx_fib_index0,
thread_index)))
goto trace0;
@@ -1548,7 +1558,7 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
next0 =
slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
- next0, thread_index, now, tcp0);
+ next0, thread_index, now);
if (PREDICT_FALSE (next0 == NAT_NEXT_DROP))
goto trace0;
@@ -1583,49 +1593,61 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
dst_address);
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->src_port;
- new_port0 = udp0->src_port = s0->out2in.port;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_src_port;
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
- tcp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ sum0 = tcp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_addr0, new_addr0,
+ ip4_header_t, dst_address);
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0,
+ ip4_header_t, length);
+ if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ {
+ sum0 =
+ ip_csum_update (sum0, ip0->dst_address.as_u32,
+ s0->ext_host_addr.as_u32,
+ ip4_header_t, dst_address);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.
+ reass.l4_dst_port, s0->ext_host_port,
+ ip4_header_t, length);
+ tcp0->dst_port = s0->ext_host_port;
+ ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ }
+ mss_clamping (sm, tcp0, &sum0);
+ tcp0->checksum = ip_csum_fold (sum0);
}
- mss_clamping (sm, tcp0, &sum0);
- tcp0->checksum = ip_csum_fold (sum0);
tcp_packets++;
- if (nat44_set_tcp_session_state_i2o
- (sm, s0, tcp0, thread_index))
+ if (nat44_set_tcp_session_state_i2o (sm, s0, b0, thread_index))
goto trace0;
}
- else if (udp0->checksum)
+ else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
+ && udp0->checksum)
{
+ new_port0 = udp0->src_port = s0->out2in.port;
sum0 = udp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
+ sum0 =
+ ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
+ dst_address);
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
+ length);
if (PREDICT_FALSE (is_twice_nat_session (s0)))
{
sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
s0->ext_host_addr.as_u32,
ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ s0->ext_host_port, ip4_header_t, length);
udp0->dst_port = s0->ext_host_port;
ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
}
@@ -1634,18 +1656,22 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- udp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ new_port0 = udp0->src_port = s0->out2in.port;
+ if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ {
+ udp0->dst_port = s0->ext_host_port;
+ ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
+ }
+ udp_packets++;
}
- udp_packets++;
}
/* Accounting */
nat44_session_update_counters (s0, now,
- vlib_buffer_length_in_chain (vm, b0),
- thread_index);
+ vlib_buffer_length_in_chain
+ (vm, b0), thread_index);
/* Per-user LRU list maintenance */
nat44_session_update_lru (sm, s0, thread_index);
@@ -1687,379 +1713,6 @@ nat44_ed_in2out_node_fn_inline (vlib_main_t * vm,
vlib_node_increment_counter (vm, stats_node_index,
NAT_IN2OUT_ED_ERROR_OTHER_PACKETS,
other_packets);
- vlib_node_increment_counter (vm, stats_node_index,
- NAT_IN2OUT_ED_ERROR_FRAGMENTS, fragments);
-
- return frame->n_vectors;
-}
-
-static inline uword
-nat44_ed_in2out_reass_node_fn_inline (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame,
- int is_output_feature)
-{
- u32 n_left_from, *from, *to_next;
- nat_next_t next_index;
- u32 pkts_processed = 0, cached_fragments = 0;
- snat_main_t *sm = &snat_main;
- f64 now = vlib_time_now (vm);
- u32 thread_index = vm->thread_index;
- snat_main_per_thread_data_t *per_thread_data =
- &sm->per_thread_data[thread_index];
- u32 *fragments_to_drop = 0;
- u32 *fragments_to_loopback = 0;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
- u32 iph_offset0 = 0;
- vlib_buffer_t *b0;
- u32 next0;
- u8 cached0 = 0;
- ip4_header_t *ip0 = 0;
- nat_reass_ip4_t *reass0;
- udp_header_t *udp0;
- tcp_header_t *tcp0;
- icmp46_header_t *icmp0;
- clib_bihash_kv_16_8_t kv0, value0;
- snat_session_t *s0 = 0;
- u16 old_port0, new_port0;
- ip_csum_t sum0;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
-
- next0 = nat_buffer_opaque (b0)->arc_next;
-
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 =
- fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
-
- if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
- {
- next0 = NAT_NEXT_DROP;
- b0->error = node->errors[NAT_IN2OUT_ED_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- if (is_output_feature)
- iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
-
- ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
- iph_offset0);
-
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
- icmp0 = (icmp46_header_t *) udp0;
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1, &fragments_to_drop);
-
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT_NEXT_DROP;
- b0->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto trace0;
- }
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
- {
- if (is_output_feature)
- {
- if (PREDICT_FALSE
- (nat_not_translate_output_feature_fwd
- (sm, ip0, thread_index, now, vm, b0)))
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- goto trace0;
- }
-
- next0 = icmp_in2out_ed_slow_path
- (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, thread_index, &s0);
-
- if (PREDICT_TRUE (next0 != NAT_NEXT_DROP))
- {
- if (s0)
- reass0->sess_index = s0 - per_thread_data->sessions;
- else
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
-
- goto trace0;
- }
-
- make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address,
- ip0->protocol, rx_fib_index0, udp0->src_port,
- udp0->dst_port);
-
- if (clib_bihash_search_16_8
- (&per_thread_data->in2out_ed, &kv0, &value0))
- {
- if (is_output_feature)
- {
- if (PREDICT_FALSE
- (nat44_ed_not_translate_output_feature
- (sm, ip0, ip0->protocol, udp0->src_port,
- udp0->dst_port, thread_index, sw_if_index0,
- vnet_buffer (b0)->sw_if_index[VLIB_TX])))
- {
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- goto trace0;
- }
-
- /*
- * Send DHCP packets to the ipv4 stack, or we won't
- * be able to use dhcp client on the outside interface
- */
- if (PREDICT_FALSE
- ((b0->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED)
- && proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_server))))
- goto trace0;
- }
- else
- {
- if (PREDICT_FALSE (nat44_ed_not_translate (sm, node,
- sw_if_index0,
- ip0, proto0,
- rx_fib_index0,
- thread_index)))
- {
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- goto trace0;
- }
- }
-
- next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0,
- &s0, node, next0, thread_index, now,
- tcp0);
-
- if (PREDICT_FALSE (next0 == NAT_NEXT_DROP))
- goto trace0;
-
- if (PREDICT_FALSE (!s0))
- {
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- goto trace0;
- }
-
- reass0->sess_index = s0 - per_thread_data->sessions;
- }
- else
- {
- s0 = pool_elt_at_index (per_thread_data->sessions,
- value0.value);
- reass0->sess_index = value0.value;
- }
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- }
- else
- {
- if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
- goto trace0;
- if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
- {
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_FRAG];
- nat_elog_notice
- ("maximum fragments per reassembly exceeded");
- next0 = NAT_NEXT_DROP;
- goto trace0;
- }
- cached0 = 1;
- goto trace0;
- }
- s0 = pool_elt_at_index (per_thread_data->sessions,
- reass0->sess_index);
- }
-
- old_addr0 = ip0->src_address.as_u32;
- ip0->src_address = s0->out2in.addr;
- new_addr0 = ip0->src_address.as_u32;
- if (!is_output_feature)
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
-
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- src_address /* changed member */ );
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32, ip4_header_t,
- dst_address);
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- old_port0 = udp0->src_port;
- new_port0 = udp0->src_port = s0->out2in.port;
-
- if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
- {
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
- tcp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
- }
- tcp0->checksum = ip_csum_fold (sum0);
- }
- else if (udp0->checksum)
- {
- sum0 = udp0->checksum;
- sum0 =
- ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 =
- ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
- udp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
- }
- udp0->checksum = ip_csum_fold (sum0);
- }
- else
- {
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- udp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
- }
- }
- }
-
- /* Hairpinning */
- nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
- s0->ext_host_port, proto0, 1);
-
- /* Accounting */
- nat44_session_update_counters (s0, now,
- vlib_buffer_length_in_chain (vm, b0),
- thread_index);
- /* Per-user LRU list maintenance */
- nat44_session_update_lru (sm, s0, thread_index);
-
- trace0:
- if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- nat44_reass_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->cached = cached0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- }
-
- if (cached0)
- {
- n_left_to_next++;
- to_next--;
- cached_fragments++;
- }
- else
- {
- pkts_processed += next0 == nat_buffer_opaque (b0)->arc_next;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- if (n_left_from == 0 && vec_len (fragments_to_loopback))
- {
- from = vlib_frame_vector_args (frame);
- u32 len = vec_len (fragments_to_loopback);
- if (len <= VLIB_FRAME_SIZE)
- {
- clib_memcpy_fast (from, fragments_to_loopback,
- sizeof (u32) * len);
- n_left_from = len;
- vec_reset_length (fragments_to_loopback);
- }
- else
- {
- clib_memcpy_fast (from, fragments_to_loopback +
- (len - VLIB_FRAME_SIZE),
- sizeof (u32) * VLIB_FRAME_SIZE);
- n_left_from = VLIB_FRAME_SIZE;
- _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
- }
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, sm->ed_in2out_reass_node_index,
- NAT_IN2OUT_ED_ERROR_PROCESSED_FRAGMENTS,
- pkts_processed);
- vlib_node_increment_counter (vm, sm->ed_in2out_reass_node_index,
- NAT_IN2OUT_ED_ERROR_CACHED_FRAGMENTS,
- cached_fragments);
-
- nat_send_all_to_node (vm, fragments_to_drop, node,
- &node->errors[NAT_IN2OUT_ED_ERROR_DROP_FRAGMENT],
- NAT_NEXT_DROP);
-
- vec_free (fragments_to_drop);
- vec_free (fragments_to_loopback);
return frame->n_vectors;
}
@@ -2104,8 +1757,8 @@ VLIB_REGISTER_NODE (nat44_ed_in2out_output_node) = {
/* *INDENT-ON* */
VLIB_NODE_FN (nat44_ed_in2out_slowpath_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
+ vlib_node_runtime_t *
+ node, vlib_frame_t * frame)
{
return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 0);
}
@@ -2124,8 +1777,8 @@ VLIB_REGISTER_NODE (nat44_ed_in2out_slowpath_node) = {
/* *INDENT-ON* */
VLIB_NODE_FN (nat44_ed_in2out_output_slowpath_node) (vlib_main_t * vm,
- vlib_node_runtime_t *
- node,
+ vlib_node_runtime_t
+ * node,
vlib_frame_t * frame)
{
return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 1);
@@ -2144,45 +1797,6 @@ VLIB_REGISTER_NODE (nat44_ed_in2out_output_slowpath_node) = {
};
/* *INDENT-ON* */
-
-VLIB_NODE_FN (nat44_ed_in2out_reass_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 0);
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (nat44_ed_in2out_reass_node) = {
- .name = "nat44-ed-in2out-reass",
- .vector_size = sizeof (u32),
- .sibling_of = "nat-default",
- .format_trace = format_nat44_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
- .error_strings = nat_in2out_ed_error_strings,
-};
-/* *INDENT-ON* */
-
-VLIB_NODE_FN (nat44_ed_in2out_reass_output_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 1);
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (nat44_ed_in2out_reass_output_node) = {
- .name = "nat44-ed-in2out-reass-output",
- .vector_size = sizeof (u32),
- .sibling_of = "nat-default",
- .format_trace = format_nat44_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings),
- .error_strings = nat_in2out_ed_error_strings,
-};
-/* *INDENT-ON* */
-
static u8 *
format_nat_pre_trace (u8 * s, va_list * args)
{
@@ -2192,9 +1806,8 @@ format_nat_pre_trace (u8 * s, va_list * args)
return format (s, "in2out next_index %d", t->next_index);
}
-VLIB_NODE_FN (nat_pre_in2out_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
+VLIB_NODE_FN (nat_pre_in2out_node)
+ (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame)
{
return nat_pre_node_fn_inline (vm, node, frame,
NAT_NEXT_IN2OUT_ED_FAST_PATH);
diff --git a/src/plugins/nat/nat.api b/src/plugins/nat/nat.api
index 8cf26d4900d..356dd0ce8a9 100644
--- a/src/plugins/nat/nat.api
+++ b/src/plugins/nat/nat.api
@@ -189,85 +189,6 @@ autoreply define nat_ipfix_enable_disable {
bool enable;
};
-/** \brief Set NAT virtual fragmentation reassembly
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param timeout - reassembly timeout
- @param max_reass - maximum number of concurrent reassemblies
- @param max_frag - maximum number of fragmets per reassembly
- @param drop_frag - if 0 translate fragments, otherwise drop fragments
- @param is_ip6 - true if IPv6, false if IPv4
-*/
-autoreply define nat_set_reass {
- u32 client_index;
- u32 context;
- u32 timeout;
- u16 max_reass;
- u8 max_frag;
- u8 drop_frag;
- bool is_ip6;
-};
-
-/** \brief Get NAT virtual fragmentation reassembly configuration
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-*/
-define nat_get_reass {
- u32 client_index;
- u32 context;
-};
-
-/** \brief Get NAT virtual fragmentation reassembly configuration reply
- @param context - sender context, to match reply w/ request
- @param retval - return code
- @param ip4_timeout - reassembly timeout
- @param ip4_max_reass - maximum number of concurrent reassemblies
- @param ip4_max_frag - maximum number of fragmets per reassembly
- @param ip4_drop_frag - if 0 translate fragments, otherwise drop fragments
- @param ip6_timeout - reassembly timeout
- @param ip6_max_reass - maximum number of concurrent reassemblies
- @param ip6_max_frag - maximum number of fragmets per reassembly
- @param ip6_drop_frag - if 0 translate fragments, otherwise drop fragments
-*/
-define nat_get_reass_reply {
- u32 context;
- i32 retval;
- u32 ip4_timeout;
- u16 ip4_max_reass;
- u8 ip4_max_frag;
- u8 ip4_drop_frag;
- u32 ip6_timeout;
- u16 ip6_max_reass;
- u8 ip6_max_frag;
- u8 ip6_drop_frag;
-};
-
-/** \brief Dump NAT virtual fragmentation reassemblies
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
-*/
-define nat_reass_dump {
- u32 client_index;
- u32 context;
-};
-
-/** \brief NAT virtual fragmentation reassemblies response
- @param context - sender context, to match reply w/ request
- @param src_addr - source IPv4 address
- @param dst_addr - destination IPv4 address
- @param frag_id - fragment ID
- @param proto - protocol
- @param frag_n - number of cached fragments
-*/
-define nat_reass_details {
- u32 context;
- vl_api_address_t src_addr;
- vl_api_address_t dst_addr;
- u32 frag_id;
- u8 proto;
- u8 frag_n;
-};
-
/** \brief Set values of timeouts for NAT sessions (seconds)
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index d85fb267bed..c1a18394aff 100755
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -26,13 +26,13 @@
#include <nat/nat64.h>
#include <nat/nat66.h>
#include <nat/dslite.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <nat/nat_affinity.h>
#include <nat/nat_syslog.h>
#include <nat/nat_ha.h>
#include <vnet/fib/fib_table.h>
#include <vnet/fib/ip4_fib.h>
+#include <vnet/ip/reass/ip4_sv_reass.h>
#include <vpp/app/version.h>
@@ -46,13 +46,15 @@ fib_source_t nat_fib_src_low;
VNET_FEATURE_INIT (nat_pre_in2out, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat-pre-in2out",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
+ "ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (nat_pre_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat-pre-out2in",
.runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
- "ip4-dhcp-client-detect"),
+ "ip4-dhcp-client-detect",
+ "ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (snat_in2out_worker_handoff, static) = {
.arc_name = "ip4-unicast",
@@ -68,103 +70,103 @@ VNET_FEATURE_INIT (snat_out2in_worker_handoff, static) = {
VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-in2out",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-out2in",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
"ip4-dhcp-client-detect"),
};
VNET_FEATURE_INIT (ip4_nat_classify, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-classify",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-det-in2out",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-det-out2in",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
"ip4-dhcp-client-detect"),
};
VNET_FEATURE_INIT (ip4_nat_det_classify, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-det-classify",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_nat44_ed_in2out, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-ed-in2out",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_nat44_ed_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-ed-out2in",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
"ip4-dhcp-client-detect"),
};
VNET_FEATURE_INIT (ip4_nat44_ed_classify, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-ed-classify",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-handoff-classify",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-in2out-fast",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-out2in-fast",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature",
"ip4-dhcp-client-detect"),
};
VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-hairpin-dst",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_dst, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat44-ed-hairpin-dst",
- .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa","ip4-sv-reassembly-feature"),
};
/* Hook up output features */
VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
.arc_name = "ip4-output",
.node_name = "nat44-in2out-output",
- .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
};
VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
.arc_name = "ip4-output",
.node_name = "nat44-in2out-output-worker-handoff",
- .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
};
VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
.arc_name = "ip4-output",
.node_name = "nat44-hairpin-src",
- .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
};
VNET_FEATURE_INIT (ip4_nat44_ed_in2out_output, static) = {
.arc_name = "ip4-output",
.node_name = "nat44-ed-in2out-output",
- .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
};
VNET_FEATURE_INIT (ip4_nat44_ed_hairpin_src, static) = {
.arc_name = "ip4-output",
.node_name = "nat44-ed-hairpin-src",
- .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
+ .runs_after = VNET_FEATURES ("acl-plugin-out-ip4-fa","ip4-sv-reassembly-output-feature"),
};
/* Hook up ip4-local features */
@@ -1869,6 +1871,9 @@ feature_set:
feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
}
+ int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
sw_if_index, 0, 0, 0);
vnet_feature_enable_disable ("ip4-unicast", feature_name,
@@ -1887,6 +1892,9 @@ feature_set:
}
else
{
+ int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 0);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast", feature_name,
sw_if_index, 0, 0, 0);
pool_put (sm->interfaces, i);
@@ -1934,6 +1942,9 @@ feature_set:
feature_name = "nat44-classify";
}
+ int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
sw_if_index, 0, 0, 0);
vnet_feature_enable_disable ("ip4-unicast", feature_name,
@@ -1964,6 +1975,10 @@ feature_set:
vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0,
0);
+ int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, 1);
+ if (rv)
+ return rv;
+
if (is_inside && !sm->out2in_dpo)
{
if (sm->endpoint_dependent)
@@ -2063,6 +2078,15 @@ feature_set:
{
if (sm->endpoint_dependent)
{
+ int rv =
+ ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
+ if (rv)
+ return rv;
+ rv =
+ ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
+ !is_del);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst",
sw_if_index, !is_del, 0, 0);
vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src",
@@ -2070,6 +2094,15 @@ feature_set:
}
else
{
+ int rv =
+ ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
+ if (rv)
+ return rv;
+ rv =
+ ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
+ !is_del);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
sw_if_index, !is_del, 0, 0);
vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
@@ -2080,6 +2113,13 @@ feature_set:
if (sm->num_workers > 1)
{
+ int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
+ if (rv)
+ return rv;
+ rv =
+ ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index, !is_del);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast",
"nat44-out2in-worker-handoff",
sw_if_index, !is_del, 0, 0);
@@ -2091,6 +2131,15 @@ feature_set:
{
if (sm->endpoint_dependent)
{
+ int rv =
+ ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
+ if (rv)
+ return rv;
+ rv =
+ ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
+ !is_del);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast", "nat-pre-out2in",
sw_if_index, !is_del, 0, 0);
vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output",
@@ -2098,6 +2147,15 @@ feature_set:
}
else
{
+ int rv =
+ ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, !is_del);
+ if (rv)
+ return rv;
+ rv =
+ ip4_sv_reass_output_enable_disable_with_refcnt (sw_if_index,
+ !is_del);
+ if (rv)
+ return rv;
vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in",
sw_if_index, !is_del, 0, 0);
vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
@@ -2352,29 +2410,21 @@ snat_init (vlib_main_t * vm)
sm->in2out_slowpath_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-output-slowpath");
sm->in2out_slowpath_output_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "nat44-in2out-reass");
- sm->in2out_reass_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out");
sm->ed_in2out_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-slowpath");
sm->ed_in2out_slowpath_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-in2out-reass");
- sm->ed_in2out_reass_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in");
sm->out2in_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in-fast");
sm->out2in_fast_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "nat44-out2in-reass");
- sm->out2in_reass_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in");
sm->ed_out2in_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in-slowpath");
sm->ed_out2in_slowpath_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "nat44-ed-out2in-reass");
- sm->ed_out2in_reass_node_index = node->index;
node = vlib_get_node_by_name (vm, (u8 *) "nat44-det-in2out");
sm->det_in2out_node_index = node->index;
@@ -2471,8 +2521,7 @@ snat_init (vlib_main_t * vm)
FIB_SOURCE_PRIORITY_LOW,
FIB_SOURCE_BH_SIMPLE);
- /* Init virtual fragmenentation reassembly */
- return nat_reass_init (vm);
+ return error;
}
VLIB_INIT_FUNCTION (snat_init);
@@ -3012,8 +3061,8 @@ snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0,
}
static u32
-snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0,
- u8 is_output)
+snat_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip0,
+ u32 rx_fib_index0, u8 is_output)
{
snat_main_t *sm = &snat_main;
udp_header_t *udp;
@@ -3044,52 +3093,6 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0,
udp = ip4_next_header (ip0);
port = udp->dst_port;
- if (PREDICT_FALSE (ip4_is_fragment (ip0)))
- {
- if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
- return vlib_get_thread_index ();
-
- nat_reass_ip4_t *reass;
- reass = nat_ip4_reass_find (ip0->src_address, ip0->dst_address,
- ip0->fragment_id, ip0->protocol);
-
- if (reass && (reass->thread_index != (u32) ~ 0))
- return reass->thread_index;
-
- if (ip4_is_first_fragment (ip0))
- {
- reass =
- nat_ip4_reass_create (ip0->src_address, ip0->dst_address,
- ip0->fragment_id, ip0->protocol);
- if (!reass)
- goto no_reass;
-
- if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
- {
- m_key.addr = ip0->dst_address;
- m_key.port = clib_net_to_host_u16 (port);
- m_key.protocol = proto;
- m_key.fib_index = rx_fib_index0;
- kv.key = m_key.as_u64;
- if (!clib_bihash_search_8_8
- (&sm->static_mapping_by_external, &kv, &value))
- {
- m = pool_elt_at_index (sm->static_mappings, value.value);
- reass->thread_index = m->workers[0];
- return reass->thread_index;
- }
- }
- reass->thread_index = sm->first_worker_index;
- reass->thread_index +=
- sm->workers[(clib_net_to_host_u16 (port) - 1024) /
- sm->port_per_thread];
- return reass->thread_index;
- }
- else
- return vlib_get_thread_index ();
- }
-
-no_reass:
/* unknown protocol */
if (PREDICT_FALSE (proto == ~0))
{
@@ -3101,10 +3104,12 @@ no_reass:
{
icmp46_header_t *icmp = (icmp46_header_t *) udp;
icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
- if (!icmp_is_error_message (icmp))
- port = echo->identifier;
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
+ port = vnet_buffer (b)->ip.reass.l4_src_port;
else
{
+ /* if error message, then it's not fragmented and we can access it */
ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
proto = ip_proto_to_snat_proto (inner_ip->protocol);
void *l4_header = ip4_next_header (inner_ip);
@@ -3252,8 +3257,8 @@ nat44_ed_get_worker_in2out_cb (ip4_header_t * ip, u32 rx_fib_index,
}
static u32
-nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index,
- u8 is_output)
+nat44_ed_get_worker_out2in_cb (vlib_buffer_t * b, ip4_header_t * ip,
+ u32 rx_fib_index, u8 is_output)
{
snat_main_t *sm = &snat_main;
clib_bihash_kv_8_8_t kv, value;
@@ -3295,7 +3300,7 @@ nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index,
{
nat_ed_ses_key_t key;
- if (!get_icmp_o2i_ed_key (ip, &key))
+ if (!get_icmp_o2i_ed_key (b, ip, &key))
{
key.fib_index = rx_fib_index;
@@ -3349,10 +3354,12 @@ nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index,
{
icmp46_header_t *icmp = (icmp46_header_t *) udp;
icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
- if (!icmp_is_error_message (icmp))
- port = echo->identifier;
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
+ port = vnet_buffer (b)->ip.reass.l4_src_port;
else
{
+ /* if error message, then it's not fragmented and we can access it */
ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
proto = ip_proto_to_snat_proto (inner_ip->protocol);
void *l4_header = ip4_next_header (inner_ip);
@@ -4359,11 +4366,8 @@ VLIB_REGISTER_NODE (nat_default_node) = {
[NAT_NEXT_IN2OUT_ED_FAST_PATH] = "nat44-ed-in2out",
[NAT_NEXT_IN2OUT_ED_SLOW_PATH] = "nat44-ed-in2out-slowpath",
[NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
- [NAT_NEXT_IN2OUT_ED_REASS] = "nat44-ed-in2out-reass",
- [NAT_NEXT_IN2OUT_ED_OUTPUT_REASS] = "nat44-ed-in2out-reass-output",
[NAT_NEXT_OUT2IN_ED_FAST_PATH] = "nat44-ed-out2in",
[NAT_NEXT_OUT2IN_ED_SLOW_PATH] = "nat44-ed-out2in-slowpath",
- [NAT_NEXT_OUT2IN_ED_REASS] = "nat44-ed-out2in-reass",
},
};
/* *INDENT-ON* */
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h
index 38f5a99bfbb..d3fa3eea38a 100644
--- a/src/plugins/nat/nat.h
+++ b/src/plugins/nat/nat.h
@@ -58,11 +58,8 @@ typedef enum
NAT_NEXT_IN2OUT_ED_FAST_PATH,
NAT_NEXT_IN2OUT_ED_SLOW_PATH,
NAT_NEXT_IN2OUT_ED_OUTPUT_SLOW_PATH,
- NAT_NEXT_IN2OUT_ED_REASS,
- NAT_NEXT_IN2OUT_ED_OUTPUT_REASS,
NAT_NEXT_OUT2IN_ED_FAST_PATH,
NAT_NEXT_OUT2IN_ED_SLOW_PATH,
- NAT_NEXT_OUT2IN_ED_REASS,
NAT_N_NEXT,
} nat_next_t;
@@ -534,8 +531,14 @@ typedef u32 (snat_icmp_match_function_t) (struct snat_main_s * sm,
void *e);
/* Return worker thread index for given packet */
-typedef u32 (snat_get_worker_function_t) (ip4_header_t * ip,
- u32 rx_fib_index, u8 is_output);
+typedef u32 (snat_get_worker_in2out_function_t) (ip4_header_t * ip,
+ u32 rx_fib_index,
+ u8 is_output);
+
+typedef u32 (snat_get_worker_out2in_function_t) (vlib_buffer_t * b,
+ ip4_header_t * ip,
+ u32 rx_fib_index,
+ u8 is_output);
/* NAT address and port allacotaion function */
typedef int (nat_alloc_out_addr_and_port_function_t) (snat_address_t *
@@ -556,8 +559,8 @@ typedef struct snat_main_s
u32 num_workers;
u32 first_worker_index;
u32 *workers;
- snat_get_worker_function_t *worker_in2out_cb;
- snat_get_worker_function_t *worker_out2in_cb;
+ snat_get_worker_in2out_function_t *worker_in2out_cb;
+ snat_get_worker_out2in_function_t *worker_out2in_cb;
u16 port_per_thread;
u32 num_snat_thread;
@@ -629,16 +632,12 @@ typedef struct snat_main_s
u32 in2out_fast_node_index;
u32 in2out_slowpath_node_index;
u32 in2out_slowpath_output_node_index;
- u32 in2out_reass_node_index;
u32 ed_in2out_node_index;
u32 ed_in2out_slowpath_node_index;
- u32 ed_in2out_reass_node_index;
u32 out2in_node_index;
u32 out2in_fast_node_index;
- u32 out2in_reass_node_index;
u32 ed_out2in_node_index;
u32 ed_out2in_slowpath_node_index;
- u32 ed_out2in_reass_node_index;
u32 det_in2out_node_index;
u32 det_out2in_node_index;
@@ -756,7 +755,6 @@ format_function_t format_snat_key;
format_function_t format_static_mapping_key;
format_function_t format_snat_protocol;
format_function_t format_nat_addr_and_port_alloc_alg;
-format_function_t format_nat44_reass_trace;
/* unformat functions */
unformat_function_t unformat_snat_protocol;
@@ -848,7 +846,11 @@ unformat_function_t unformat_snat_protocol;
@param t TCP header
@return 1 if client initiating TCP connection
*/
-#define tcp_is_init(t) ((t->flags & TCP_FLAG_SYN) && !(t->flags & TCP_FLAG_ACK))
+always_inline bool
+tcp_flags_is_init (u8 f)
+{
+ return (f & TCP_FLAG_SYN) && !(f & TCP_FLAG_ACK);
+}
/* logging */
#define nat_log_err(...) \
diff --git a/src/plugins/nat/nat44_classify.c b/src/plugins/nat/nat44_classify.c
index b6ce4d7b494..f339770d8f5 100644
--- a/src/plugins/nat/nat44_classify.c
+++ b/src/plugins/nat/nat44_classify.c
@@ -21,12 +21,9 @@
#include <vnet/vnet.h>
#include <vnet/fib/ip4_fib.h>
#include <nat/nat.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#define foreach_nat44_classify_error \
-_(MAX_REASS, "Maximum reassemblies exceeded") \
-_(MAX_FRAG, "Maximum fragments per reassembly exceeded") \
_(NEXT_IN2OUT, "next in2out") \
_(NEXT_OUT2IN, "next out2in") \
_(FRAG_CACHED, "fragment cached")
@@ -87,7 +84,6 @@ nat44_classify_node_fn_inline (vlib_main_t * vm,
nat44_classify_next_t next_index;
snat_main_t *sm = &snat_main;
snat_static_mapping_t *m;
- u32 thread_index = vm->thread_index;
u32 *fragments_to_drop = 0;
u32 *fragments_to_loopback = 0;
u32 next_in2out = 0, next_out2in = 0, frag_cached = 0;
@@ -111,8 +107,6 @@ nat44_classify_node_fn_inline (vlib_main_t * vm,
snat_address_t *ap;
snat_session_key_t m_key0;
clib_bihash_kv_8_8_t kv0, value0;
- udp_header_t *udp0;
- nat_reass_ip4_t *reass0;
u8 cached0 = 0;
/* speculatively enqueue b0 to the current next frame */
@@ -125,7 +119,6 @@ nat44_classify_node_fn_inline (vlib_main_t * vm,
b0 = vlib_get_buffer (vm, bi0);
ip0 = vlib_buffer_get_current (b0);
- udp0 = ip4_next_header (ip0);
/* *INDENT-OFF* */
vec_foreach (ap, sm->addresses)
@@ -154,87 +147,16 @@ nat44_classify_node_fn_inline (vlib_main_t * vm,
next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
goto enqueue0;
}
- if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
- {
- /* process leading fragment/whole packet (with L4 header) */
- m_key0.port = clib_net_to_host_u16 (udp0->dst_port);
- m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
- kv0.key = m_key0.as_u64;
- if (!clib_bihash_search_8_8
- (&sm->static_mapping_by_external, &kv0, &value0))
- {
- m =
- pool_elt_at_index (sm->static_mappings, value0.value);
- if (m->local_addr.as_u32 != m->external_addr.as_u32)
- next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
- }
- if (ip4_is_fragment (ip0))
- {
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1,
- &fragments_to_drop);
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT44_CLASSIFY_NEXT_DROP;
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto enqueue0;
- }
- /* save classification for future fragments and set past
- * fragments to be looped over and reprocessed */
- if (next0 == NAT44_CLASSIFY_NEXT_OUT2IN)
- reass0->classify_next =
- NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN;
- else
- reass0->classify_next =
- NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
- }
- else
+ m_key0.port =
+ clib_net_to_host_u16 (vnet_buffer (b0)->ip.reass.l4_dst_port);
+ m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
+ kv0.key = m_key0.as_u64;
+ if (!clib_bihash_search_8_8
+ (&sm->static_mapping_by_external, &kv0, &value0))
{
- /* process non-first fragment */
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1,
- &fragments_to_drop);
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT44_CLASSIFY_NEXT_DROP;
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto enqueue0;
- }
- if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE)
- /* first fragment still hasn't arrived */
- {
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
- nat_elog_notice
- ("maximum fragments per reassembly exceeded");
- next0 = NAT44_CLASSIFY_NEXT_DROP;
- goto enqueue0;
- }
- cached0 = 1;
- goto enqueue0;
- }
- else if (reass0->classify_next ==
- NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN)
+ m = pool_elt_at_index (sm->static_mappings, value0.value);
+ if (m->local_addr.as_u32 != m->external_addr.as_u32)
next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
- else if (reass0->classify_next ==
- NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
- next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
}
}
@@ -343,8 +265,6 @@ nat44_ed_classify_node_fn_inline (vlib_main_t * vm,
snat_session_key_t m_key0;
clib_bihash_kv_8_8_t kv0, value0;
clib_bihash_kv_16_8_t ed_kv0, ed_value0;
- udp_header_t *udp0;
- nat_reass_ip4_t *reass0;
u8 cached0 = 0;
/* speculatively enqueue b0 to the current next frame */
@@ -357,7 +277,6 @@ nat44_ed_classify_node_fn_inline (vlib_main_t * vm,
b0 = vlib_get_buffer (vm, bi0);
ip0 = vlib_buffer_get_current (b0);
- udp0 = ip4_next_header (ip0);
if (!in_loopback)
{
@@ -369,108 +288,21 @@ nat44_ed_classify_node_fn_inline (vlib_main_t * vm,
if (ip0->protocol != IP_PROTOCOL_ICMP)
{
- if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
- {
- /* process leading fragment/whole packet (with L4 header) */
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 =
- fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
- make_ed_kv (&ed_kv0, &ip0->src_address,
- &ip0->dst_address, ip0->protocol,
- rx_fib_index0, udp0->src_port, udp0->dst_port);
- if (ip4_is_fragment (ip0))
- {
- reass0 =
- nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol, 1,
- &fragments_to_drop);
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT_NEXT_DROP;
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto enqueue0;
- }
- if (!clib_bihash_search_16_8
- (&tsm->in2out_ed, &ed_kv0, &ed_value0))
- {
- /* session exists so classify as IN2OUT,
- * save this information for future fragments and set
- * past fragments to be looped over and reprocessed */
- reass0->sess_index = ed_value0.value;
- reass0->classify_next =
- NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- goto enqueue0;
- }
- else
- {
- /* session doesn't exist so continue in the code,
- * save this information for future fragments and set
- * past fragments to be looped over and reprocessed */
- reass0->flags |=
- NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
- }
- else
- {
- /* process whole packet */
- if (!clib_bihash_search_16_8
- (&tsm->in2out_ed, &ed_kv0, &ed_value0))
- goto enqueue0;
- /* session doesn't exist so continue in code */
- }
- }
- else
- {
- /* process non-first fragment */
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1,
- &fragments_to_drop);
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT_NEXT_DROP;
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto enqueue0;
- }
- /* check if first fragment has arrived */
- if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE
- && !(reass0->flags &
- NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE))
- {
- /* first fragment still hasn't arrived, cache this fragment */
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
- nat_elog_notice
- ("maximum fragments per reassembly exceeded");
- next0 = NAT_NEXT_DROP;
- goto enqueue0;
- }
- cached0 = 1;
- goto enqueue0;
- }
- if (reass0->classify_next ==
- NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
- goto enqueue0;
- /* flag NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE is set
- * so keep the default next0 and continue in code to
- * potentially find other classification for this packet */
- }
+ /* process leading fragment/whole packet (with L4 header) */
+ sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
+ rx_fib_index0 =
+ fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
+ sw_if_index0);
+ make_ed_kv (&ed_kv0, &ip0->src_address,
+ &ip0->dst_address, ip0->protocol,
+ rx_fib_index0,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port);
+ /* process whole packet */
+ if (!clib_bihash_search_16_8
+ (&tsm->in2out_ed, &ed_kv0, &ed_value0))
+ goto enqueue0;
+ /* session doesn't exist so continue in code */
}
/* *INDENT-OFF* */
@@ -500,85 +332,16 @@ nat44_ed_classify_node_fn_inline (vlib_main_t * vm,
next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
goto enqueue0;
}
- if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0))
- {
- /* process leading fragment/whole packet (with L4 header) */
- m_key0.port = clib_net_to_host_u16 (udp0->dst_port);
- m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
- kv0.key = m_key0.as_u64;
- if (!clib_bihash_search_8_8
- (&sm->static_mapping_by_external, &kv0, &value0))
- {
- m =
- pool_elt_at_index (sm->static_mappings, value0.value);
- if (m->local_addr.as_u32 != m->external_addr.as_u32)
- next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
- }
- if (ip4_is_fragment (ip0))
- {
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1,
- &fragments_to_drop);
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT_NEXT_DROP;
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto enqueue0;
- }
- /* save classification for future fragments and set past
- * fragments to be looped over and reprocessed */
- if (next0 == NAT_NEXT_OUT2IN_ED_FAST_PATH)
- reass0->classify_next = NAT_NEXT_OUT2IN_ED_REASS;
- else
- reass0->classify_next = NAT_NEXT_IN2OUT_ED_REASS;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
- }
- else
+ m_key0.port =
+ clib_net_to_host_u16 (vnet_buffer (b0)->ip.reass.l4_dst_port);
+ m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol);
+ kv0.key = m_key0.as_u64;
+ if (!clib_bihash_search_8_8
+ (&sm->static_mapping_by_external, &kv0, &value0))
{
- /* process non-first fragment */
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1,
- &fragments_to_drop);
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT_NEXT_DROP;
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto enqueue0;
- }
- if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE)
- /* first fragment still hasn't arrived */
- {
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error =
- node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG];
- nat_elog_notice
- ("maximum fragments per reassembly exceeded");
- next0 = NAT_NEXT_DROP;
- goto enqueue0;
- }
- cached0 = 1;
- goto enqueue0;
- }
- else if (reass0->classify_next ==
- NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN)
+ m = pool_elt_at_index (sm->static_mappings, value0.value);
+ if (m->local_addr.as_u32 != m->external_addr.as_u32)
next0 = NAT_NEXT_OUT2IN_ED_FAST_PATH;
- else if (reass0->classify_next ==
- NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT)
- next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
}
}
diff --git a/src/plugins/nat/nat44_hairpinning.c b/src/plugins/nat/nat44_hairpinning.c
index 331e7ca96bd..69a19b80645 100644
--- a/src/plugins/nat/nat44_hairpinning.c
+++ b/src/plugins/nat/nat44_hairpinning.c
@@ -22,7 +22,6 @@
#include <vnet/fib/ip4_fib.h>
#include <nat/nat.h>
#include <nat/nat_inlines.h>
-#include <nat/nat_reass.h>
typedef enum
{
@@ -211,7 +210,8 @@ snat_icmp_hairpinning (snat_main_t * sm,
snat_session_t *s0;
snat_static_mapping_t *m0;
- if (icmp_is_error_message (icmp0))
+ if (icmp_type_is_error_message
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
{
ip4_header_t *inner_ip0 = 0;
tcp_udp_header_t *l4_header = 0;
@@ -391,7 +391,7 @@ nat44_ed_hairpinning_unknown_proto (snat_main_t * sm,
snat_main_per_thread_data_t *tsm;
if (sm->num_workers > 1)
- ti = sm->worker_out2in_cb (ip, sm->outside_fib_index, 0);
+ ti = sm->worker_out2in_cb (b, ip, sm->outside_fib_index, 0);
else
ti = sm->num_workers;
tsm = &sm->per_thread_data[ti];
diff --git a/src/plugins/nat/nat44_handoff.c b/src/plugins/nat/nat44_handoff.c
index 277f2de57fe..d221e5ba7cd 100644
--- a/src/plugins/nat/nat44_handoff.c
+++ b/src/plugins/nat/nat44_handoff.c
@@ -82,7 +82,6 @@ nat44_worker_handoff_fn_inline (vlib_main_t * vm,
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
snat_main_t *sm = &snat_main;
- snat_get_worker_function_t *get_worker;
u32 fq_index, thread_index = vm->thread_index;
from = vlib_frame_vector_args (frame);
@@ -93,12 +92,10 @@ nat44_worker_handoff_fn_inline (vlib_main_t * vm,
if (is_in2out)
{
fq_index = is_output ? sm->fq_in2out_output_index : sm->fq_in2out_index;
- get_worker = sm->worker_in2out_cb;
}
else
{
fq_index = sm->fq_out2in_index;
- get_worker = sm->worker_out2in_cb;
}
while (n_left_from >= 4)
@@ -147,10 +144,20 @@ nat44_worker_handoff_fn_inline (vlib_main_t * vm,
rx_fib_index2 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index2);
rx_fib_index3 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index3);
- ti[0] = get_worker (ip0, rx_fib_index0, is_output);
- ti[1] = get_worker (ip1, rx_fib_index1, is_output);
- ti[2] = get_worker (ip2, rx_fib_index2, is_output);
- ti[3] = get_worker (ip3, rx_fib_index3, is_output);
+ if (is_in2out)
+ {
+ ti[0] = sm->worker_in2out_cb (ip0, rx_fib_index0, is_output);
+ ti[1] = sm->worker_in2out_cb (ip1, rx_fib_index1, is_output);
+ ti[2] = sm->worker_in2out_cb (ip2, rx_fib_index2, is_output);
+ ti[3] = sm->worker_in2out_cb (ip3, rx_fib_index3, is_output);
+ }
+ else
+ {
+ ti[0] = sm->worker_out2in_cb (b[0], ip0, rx_fib_index0, is_output);
+ ti[1] = sm->worker_out2in_cb (b[1], ip1, rx_fib_index1, is_output);
+ ti[2] = sm->worker_out2in_cb (b[2], ip2, rx_fib_index2, is_output);
+ ti[3] = sm->worker_out2in_cb (b[3], ip3, rx_fib_index3, is_output);
+ }
if (ti[0] == thread_index)
same_worker++;
@@ -194,7 +201,14 @@ nat44_worker_handoff_fn_inline (vlib_main_t * vm,
sw_if_index0 = vnet_buffer (b[0])->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
- ti[0] = get_worker (ip0, rx_fib_index0, is_output);
+ if (is_in2out)
+ {
+ ti[0] = sm->worker_in2out_cb (ip0, rx_fib_index0, is_output);
+ }
+ else
+ {
+ ti[0] = sm->worker_out2in_cb (b[0], ip0, rx_fib_index0, is_output);
+ }
if (ti[0] == thread_index)
same_worker++;
diff --git a/src/plugins/nat/nat64.c b/src/plugins/nat/nat64.c
index e1afea6510e..405fc84c7b8 100644
--- a/src/plugins/nat/nat64.c
+++ b/src/plugins/nat/nat64.c
@@ -19,10 +19,11 @@
#include <nat/nat64.h>
#include <nat/nat64_db.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <vnet/fib/ip4_fib.h>
#include <vppinfra/crc32.h>
+#include <vnet/ip/reass/ip4_sv_reass.h>
+#include <vnet/ip/reass/ip6_sv_reass.h>
nat64_main_t nat64_main;
@@ -34,21 +35,25 @@ VNET_FEATURE_INIT (nat64_in2out, static) = {
.arc_name = "ip6-unicast",
.node_name = "nat64-in2out",
.runs_before = VNET_FEATURES ("ip6-lookup"),
+ .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (nat64_out2in, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat64-out2in",
.runs_before = VNET_FEATURES ("ip4-lookup"),
+ .runs_after = VNET_FEATURES ("ip4-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (nat64_in2out_handoff, static) = {
.arc_name = "ip6-unicast",
.node_name = "nat64-in2out-handoff",
.runs_before = VNET_FEATURES ("ip6-lookup"),
+ .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (nat64_out2in_handoff, static) = {
.arc_name = "ip4-unicast",
.node_name = "nat64-out2in-handoff",
.runs_before = VNET_FEATURES ("ip4-lookup"),
+ .runs_after = VNET_FEATURES ("ip4-sv-reassembly-feature"),
};
@@ -120,7 +125,7 @@ nat64_get_worker_in2out (ip6_address_t * addr)
}
u32
-nat64_get_worker_out2in (ip4_header_t * ip)
+nat64_get_worker_out2in (vlib_buffer_t * b, ip4_header_t * ip)
{
nat64_main_t *nm = &nat64_main;
snat_main_t *sm = nm->sm;
@@ -132,41 +137,6 @@ nat64_get_worker_out2in (ip4_header_t * ip)
udp = ip4_next_header (ip);
port = udp->dst_port;
- /* fragments */
- if (PREDICT_FALSE (ip4_is_fragment (ip)))
- {
- if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
- return vlib_get_thread_index ();
-
- nat_reass_ip4_t *reass;
- reass = nat_ip4_reass_find (ip->src_address, ip->dst_address,
- ip->fragment_id, ip->protocol);
-
- if (reass && (reass->thread_index != (u32) ~ 0))
- return reass->thread_index;
-
- if (ip4_is_first_fragment (ip))
- {
- reass =
- nat_ip4_reass_create (ip->src_address, ip->dst_address,
- ip->fragment_id, ip->protocol);
- if (!reass)
- goto no_reass;
-
- port = clib_net_to_host_u16 (port);
- if (port > 1024)
- reass->thread_index =
- nm->sm->first_worker_index +
- ((port - 1024) / sm->port_per_thread);
- else
- reass->thread_index = vlib_get_thread_index ();
- return reass->thread_index;
- }
- else
- return vlib_get_thread_index ();
- }
-
-no_reass:
/* unknown protocol */
if (PREDICT_FALSE (proto == ~0))
{
@@ -193,10 +163,12 @@ no_reass:
{
icmp46_header_t *icmp = (icmp46_header_t *) udp;
icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1);
- if (!icmp_is_error_message (icmp))
- port = echo->identifier;
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
+ port = vnet_buffer (b)->ip.reass.l4_src_port;
else
{
+ /* if error message, then it's not fragmented and we can access it */
ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1);
proto = ip_proto_to_snat_proto (inner_ip->protocol);
void *l4_header = ip4_next_header (inner_ip);
@@ -249,15 +221,9 @@ nat64_init (vlib_main_t * vm)
node = vlib_get_node_by_name (vm, (u8 *) "nat64-in2out-slowpath");
nm->in2out_slowpath_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "nat64-in2out-reass");
- nm->in2out_reass_node_index = node->index;
-
node = vlib_get_node_by_name (vm, (u8 *) "nat64-out2in");
nm->out2in_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "nat64-out2in-reass");
- nm->out2in_reass_node_index = node->index;
-
/* set session timeouts to default values */
nm->udp_timeout = SNAT_UDP_TIMEOUT;
nm->icmp_timeout = SNAT_ICMP_TIMEOUT;
@@ -528,6 +494,19 @@ nat64_add_del_interface (u32 sw_if_index, u8 is_inside, u8 is_add)
arc_name = is_inside ? "ip6-unicast" : "ip4-unicast";
+ if (is_inside)
+ {
+ int rv = ip6_sv_reass_enable_disable_with_refcnt (sw_if_index, is_add);
+ if (rv)
+ return rv;
+ }
+ else
+ {
+ int rv = ip4_sv_reass_enable_disable_with_refcnt (sw_if_index, is_add);
+ if (rv)
+ return rv;
+ }
+
return vnet_feature_enable_disable (arc_name, feature_name, sw_if_index,
is_add, 0, 0);
}
diff --git a/src/plugins/nat/nat64.h b/src/plugins/nat/nat64.h
index 2bca1f9b73b..a95ded22893 100644
--- a/src/plugins/nat/nat64.h
+++ b/src/plugins/nat/nat64.h
@@ -115,10 +115,8 @@ typedef struct
u32 in2out_node_index;
u32 in2out_slowpath_node_index;
- u32 in2out_reass_node_index;
u32 out2in_node_index;
- u32 out2in_reass_node_index;
ip4_main_t *ip4_main;
snat_main_t *sm;
@@ -380,7 +378,7 @@ u32 nat64_get_worker_in2out (ip6_address_t * addr);
*
* @returns worker thread index.
*/
-u32 nat64_get_worker_out2in (ip4_header_t * ip);
+u32 nat64_get_worker_out2in (vlib_buffer_t * b, ip4_header_t * ip);
#endif /* __included_nat64_h__ */
diff --git a/src/plugins/nat/nat64_in2out.c b/src/plugins/nat/nat64_in2out.c
index 8d1d734c459..8d4b1a89cad 100644
--- a/src/plugins/nat/nat64_in2out.c
+++ b/src/plugins/nat/nat64_in2out.c
@@ -18,7 +18,6 @@
*/
#include <nat/nat64.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <vnet/ip/ip6_to_ip4.h>
#include <vnet/fib/fib_table.h>
@@ -47,38 +46,12 @@ format_nat64_in2out_trace (u8 * s, va_list * args)
return s;
}
-typedef struct
-{
- u32 sw_if_index;
- u32 next_index;
- u8 cached;
-} nat64_in2out_reass_trace_t;
-
-static u8 *
-format_nat64_in2out_reass_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- nat64_in2out_reass_trace_t *t =
- va_arg (*args, nat64_in2out_reass_trace_t *);
-
- s =
- format (s, "NAT64-in2out-reass: sw_if_index %d, next index %d, status %s",
- t->sw_if_index, t->next_index,
- t->cached ? "cached" : "translated");
-
- return s;
-}
-
-
#define foreach_nat64_in2out_error \
_(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
_(IN2OUT_PACKETS, "good in2out packets processed") \
_(NO_TRANSLATION, "no translation") \
_(UNKNOWN, "unknown") \
_(DROP_FRAGMENT, "drop fragment") \
-_(MAX_REASS, "maximum reassemblies exceeded") \
-_(MAX_FRAG, "maximum fragments per reassembly exceeded") \
_(TCP_PACKETS, "TCP packets") \
_(UDP_PACKETS, "UDP packets") \
_(ICMP_PACKETS, "ICMP packets") \
@@ -108,7 +81,6 @@ typedef enum
NAT64_IN2OUT_NEXT_IP6_LOOKUP,
NAT64_IN2OUT_NEXT_DROP,
NAT64_IN2OUT_NEXT_SLOWPATH,
- NAT64_IN2OUT_NEXT_REASS,
NAT64_IN2OUT_N_NEXT,
} nat64_in2out_next_t;
@@ -165,32 +137,75 @@ is_hairpinning (ip6_address_t * dst_addr)
}
static int
-nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
- void *arg)
+nat64_in2out_tcp_udp (vlib_main_t * vm, vlib_buffer_t * p, u16 l4_offset,
+ u16 frag_hdr_offset, nat64_in2out_set_ctx_t * ctx)
{
+ ip6_header_t *ip6;
+ ip_csum_t csum = 0;
+ ip4_header_t *ip4;
+ u16 fragment_id;
+ u8 frag_more;
+ u16 frag_offset;
nat64_main_t *nm = &nat64_main;
- nat64_in2out_set_ctx_t *ctx = arg;
nat64_db_bib_entry_t *bibe;
nat64_db_st_entry_t *ste;
- ip46_address_t saddr, daddr;
+ ip46_address_t old_saddr, old_daddr;
+ ip4_address_t new_daddr;
u32 sw_if_index, fib_index;
- udp_header_t *udp = ip6_next_header (ip6);
- u8 proto = ip6->protocol;
- u16 sport = udp->src_port;
- u16 dport = udp->dst_port;
+ u8 proto = vnet_buffer (p)->ip.reass.ip_proto;
+ u16 sport = vnet_buffer (p)->ip.reass.l4_src_port;
+ u16 dport = vnet_buffer (p)->ip.reass.l4_dst_port;
nat64_db_t *db = &nm->db[ctx->thread_index];
+ ip6 = vlib_buffer_get_current (p);
+
+ vlib_buffer_advance (p, l4_offset - sizeof (*ip4));
+ ip4 = vlib_buffer_get_current (p);
+
+ u32 ip_version_traffic_class_and_flow_label =
+ ip6->ip_version_traffic_class_and_flow_label;
+ u16 payload_length = ip6->payload_length;
+ u8 hop_limit = ip6->hop_limit;
+
+ old_saddr.as_u64[0] = ip6->src_address.as_u64[0];
+ old_saddr.as_u64[1] = ip6->src_address.as_u64[1];
+ old_daddr.as_u64[0] = ip6->dst_address.as_u64[0];
+ old_daddr.as_u64[1] = ip6->dst_address.as_u64[1];
+
+ if (PREDICT_FALSE (frag_hdr_offset))
+ {
+ //Only the first fragment
+ ip6_frag_hdr_t *hdr =
+ (ip6_frag_hdr_t *) u8_ptr_add (ip6, frag_hdr_offset);
+ fragment_id = frag_id_6to4 (hdr->identification);
+ frag_more = ip6_frag_hdr_more (hdr);
+ frag_offset = ip6_frag_hdr_offset (hdr);
+ }
+ else
+ {
+ fragment_id = 0;
+ frag_offset = 0;
+ frag_more = 0;
+ }
+
+ ip4->ip_version_and_header_length =
+ IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
+ ip4->tos = ip6_translate_tos (ip_version_traffic_class_and_flow_label);
+ ip4->length =
+ u16_net_add (payload_length, sizeof (*ip4) + sizeof (*ip6) - l4_offset);
+ ip4->fragment_id = fragment_id;
+ ip4->flags_and_fragment_offset =
+ clib_host_to_net_u16 (frag_offset |
+ (frag_more ? IP4_HEADER_FLAG_MORE_FRAGMENTS : 0));
+ ip4->ttl = hop_limit;
+ ip4->protocol = (proto == IP_PROTOCOL_ICMP6) ? IP_PROTOCOL_ICMP : proto;
+
sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
fib_index =
fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6, sw_if_index);
- saddr.as_u64[0] = ip6->src_address.as_u64[0];
- saddr.as_u64[1] = ip6->src_address.as_u64[1];
- daddr.as_u64[0] = ip6->dst_address.as_u64[0];
- daddr.as_u64[1] = ip6->dst_address.as_u64[1];
-
ste =
- nat64_db_st_entry_find (db, &saddr, &daddr, sport, dport, proto,
+ nat64_db_st_entry_find (db, &old_saddr, &old_daddr, sport, dport, proto,
fib_index, 1);
if (ste)
@@ -201,7 +216,8 @@ nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
}
else
{
- bibe = nat64_db_bib_entry_find (db, &saddr, sport, proto, fib_index, 1);
+ bibe =
+ nat64_db_bib_entry_find (db, &old_saddr, sport, proto, fib_index, 1);
if (!bibe)
{
@@ -214,7 +230,7 @@ nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
bibe =
nat64_db_bib_entry_create (ctx->thread_index, db,
- &ip6->src_address, &out_addr, sport,
+ &old_saddr.ip6, &out_addr, sport,
out_port, fib_index, proto, 0);
if (!bibe)
return -1;
@@ -223,10 +239,10 @@ nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
db->bib.bib_entries_num);
}
- nat64_extract_ip4 (&ip6->dst_address, &daddr.ip4, fib_index);
+ nat64_extract_ip4 (&old_daddr.ip6, &new_daddr, fib_index);
ste =
nat64_db_st_entry_create (ctx->thread_index, db, bibe,
- &ip6->dst_address, &daddr.ip4, dport);
+ &old_daddr.ip6, &new_daddr, dport);
if (!ste)
return -1;
@@ -235,22 +251,36 @@ nat64_in2out_tcp_udp_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
}
ip4->src_address.as_u32 = bibe->out_addr.as_u32;
- udp->src_port = bibe->out_port;
-
ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
- if (proto == IP_PROTOCOL_TCP)
+ ip4->checksum = ip4_header_checksum (ip4);
+
+ if (!vnet_buffer (p)->ip.reass.is_non_first_fragment)
{
- u16 *checksum;
- ip_csum_t csum;
- tcp_header_t *tcp = ip6_next_header (ip6);
+ udp_header_t *udp = (udp_header_t *) (ip4 + 1);
+ udp->src_port = bibe->out_port;
- nat64_tcp_session_set_state (ste, tcp, 1);
- checksum = &tcp->checksum;
- csum = ip_csum_sub_even (*checksum, sport);
- csum = ip_csum_add_even (csum, udp->src_port);
- mss_clamping (nm->sm, tcp, &csum);
- *checksum = ip_csum_fold (csum);
+ //UDP checksum is optional over IPv4
+ if (proto == IP_PROTOCOL_UDP)
+ {
+ udp->checksum = 0;
+ }
+ else
+ {
+ tcp_header_t *tcp = (tcp_header_t *) (ip4 + 1);
+ csum = ip_csum_sub_even (tcp->checksum, old_saddr.as_u64[0]);
+ csum = ip_csum_sub_even (csum, old_saddr.as_u64[1]);
+ csum = ip_csum_sub_even (csum, old_daddr.as_u64[0]);
+ csum = ip_csum_sub_even (csum, old_daddr.as_u64[1]);
+ csum = ip_csum_add_even (csum, ip4->dst_address.as_u32);
+ csum = ip_csum_add_even (csum, ip4->src_address.as_u32);
+ csum = ip_csum_sub_even (csum, sport);
+ csum = ip_csum_add_even (csum, udp->src_port);
+ mss_clamping (nm->sm, tcp, &csum);
+ tcp->checksum = ip_csum_fold (csum);
+
+ nat64_tcp_session_set_state (ste, tcp, 1);
+ }
}
nat64_session_reset_timeout (ste, ctx->vm);
@@ -480,16 +510,43 @@ unk_proto_st_walk (nat64_db_st_entry_t * ste, void *arg)
}
static int
-nat64_in2out_unk_proto_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
- void *arg)
+nat64_in2out_unk_proto (vlib_main_t * vm, vlib_buffer_t * p, u8 l4_protocol,
+ u16 l4_offset, u16 frag_hdr_offset,
+ nat64_in2out_set_ctx_t * s_ctx)
{
+ ip6_header_t *ip6;
+ ip4_header_t *ip4;
+ u16 fragment_id;
+ u16 frag_offset;
+ u8 frag_more;
+
+ ip6 = vlib_buffer_get_current (p);
+
+ ip4 = (ip4_header_t *) u8_ptr_add (ip6, l4_offset - sizeof (*ip4));
+
+ vlib_buffer_advance (p, l4_offset - sizeof (*ip4));
+
+ if (PREDICT_FALSE (frag_hdr_offset))
+ {
+ //Only the first fragment
+ ip6_frag_hdr_t *hdr =
+ (ip6_frag_hdr_t *) u8_ptr_add (ip6, frag_hdr_offset);
+ fragment_id = frag_id_6to4 (hdr->identification);
+ frag_offset = ip6_frag_hdr_offset (hdr);
+ frag_more = ip6_frag_hdr_more (hdr);
+ }
+ else
+ {
+ fragment_id = 0;
+ frag_offset = 0;
+ frag_more = 0;
+ }
+
nat64_main_t *nm = &nat64_main;
- nat64_in2out_set_ctx_t *s_ctx = arg;
nat64_db_bib_entry_t *bibe;
nat64_db_st_entry_t *ste;
ip46_address_t saddr, daddr, addr;
u32 sw_if_index, fib_index;
- u8 proto = ip6->protocol;
int i;
nat64_db_t *db = &nm->db[s_ctx->thread_index];
@@ -503,17 +560,19 @@ nat64_in2out_unk_proto_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
daddr.as_u64[1] = ip6->dst_address.as_u64[1];
ste =
- nat64_db_st_entry_find (db, &saddr, &daddr, 0, 0, proto, fib_index, 1);
+ nat64_db_st_entry_find (db, &saddr, &daddr, 0, 0, l4_protocol, fib_index,
+ 1);
if (ste)
{
- bibe = nat64_db_bib_entry_by_index (db, proto, ste->bibe_index);
+ bibe = nat64_db_bib_entry_by_index (db, l4_protocol, ste->bibe_index);
if (!bibe)
return -1;
}
else
{
- bibe = nat64_db_bib_entry_find (db, &saddr, 0, proto, fib_index, 1);
+ bibe =
+ nat64_db_bib_entry_find (db, &saddr, 0, l4_protocol, fib_index, 1);
if (!bibe)
{
@@ -525,7 +584,7 @@ nat64_in2out_unk_proto_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
.dst_addr.as_u64[1] = ip6->dst_address.as_u64[1],
.out_addr.as_u32 = 0,
.fib_index = fib_index,
- .proto = proto,
+ .proto = l4_protocol,
.thread_index = s_ctx->thread_index,
};
@@ -537,7 +596,7 @@ nat64_in2out_unk_proto_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
/* Verify if out address is not already in use for protocol */
clib_memset (&addr, 0, sizeof (addr));
addr.ip4.as_u32 = ctx.out_addr.as_u32;
- if (nat64_db_bib_entry_find (db, &addr, 0, proto, 0, 0))
+ if (nat64_db_bib_entry_find (db, &addr, 0, l4_protocol, 0, 0))
ctx.out_addr.as_u32 = 0;
if (!ctx.out_addr.as_u32)
@@ -545,7 +604,8 @@ nat64_in2out_unk_proto_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
for (i = 0; i < vec_len (nm->addr_pool); i++)
{
addr.ip4.as_u32 = nm->addr_pool[i].addr.as_u32;
- if (!nat64_db_bib_entry_find (db, &addr, 0, proto, 0, 0))
+ if (!nat64_db_bib_entry_find
+ (db, &addr, 0, l4_protocol, 0, 0))
break;
}
}
@@ -556,7 +616,7 @@ nat64_in2out_unk_proto_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
bibe =
nat64_db_bib_entry_create (s_ctx->thread_index, db,
&ip6->src_address, &ctx.out_addr,
- 0, 0, fib_index, proto, 0);
+ 0, 0, fib_index, l4_protocol, 0);
if (!bibe)
return -1;
@@ -580,27 +640,39 @@ nat64_in2out_unk_proto_set_cb (ip6_header_t * ip6, ip4_header_t * ip4,
ip4->src_address.as_u32 = bibe->out_addr.as_u32;
ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
+ ip4->ip_version_and_header_length =
+ IP4_VERSION_AND_HEADER_LENGTH_NO_OPTIONS;
+ ip4->tos = ip6_translate_tos (ip6->ip_version_traffic_class_and_flow_label);
+ ip4->length = u16_net_add (ip6->payload_length,
+ sizeof (*ip4) + sizeof (*ip6) - l4_offset);
+ ip4->fragment_id = fragment_id;
+ ip4->flags_and_fragment_offset =
+ clib_host_to_net_u16 (frag_offset |
+ (frag_more ? IP4_HEADER_FLAG_MORE_FRAGMENTS : 0));
+ ip4->ttl = ip6->hop_limit;
+ ip4->protocol = l4_protocol;
+ ip4->checksum = ip4_header_checksum (ip4);
+
return 0;
}
-
-
static int
nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
- ip6_header_t * ip6, u32 thread_index)
+ ip6_header_t * ip6, u32 l4_offset,
+ u32 thread_index)
{
nat64_main_t *nm = &nat64_main;
nat64_db_bib_entry_t *bibe;
nat64_db_st_entry_t *ste;
ip46_address_t saddr, daddr;
u32 sw_if_index, fib_index;
- udp_header_t *udp = ip6_next_header (ip6);
- tcp_header_t *tcp = ip6_next_header (ip6);
- u8 proto = ip6->protocol;
- u16 sport = udp->src_port;
- u16 dport = udp->dst_port;
- u16 *checksum;
- ip_csum_t csum;
+ udp_header_t *udp = (udp_header_t *) u8_ptr_add (ip6, l4_offset);
+ tcp_header_t *tcp = (tcp_header_t *) u8_ptr_add (ip6, l4_offset);
+ u8 proto = vnet_buffer (b)->ip.reass.ip_proto;
+ u16 sport = vnet_buffer (b)->ip.reass.l4_src_port;
+ u16 dport = vnet_buffer (b)->ip.reass.l4_dst_port;
+ u16 *checksum = NULL;
+ ip_csum_t csum = 0;
nat64_db_t *db = &nm->db[thread_index];
sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
@@ -612,17 +684,17 @@ nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
daddr.as_u64[0] = ip6->dst_address.as_u64[0];
daddr.as_u64[1] = ip6->dst_address.as_u64[1];
- if (proto == IP_PROTOCOL_UDP)
- checksum = &udp->checksum;
- else
- checksum = &tcp->checksum;
-
- csum = ip_csum_sub_even (*checksum, ip6->src_address.as_u64[0]);
- csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[1]);
- csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[0]);
- csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[1]);
- csum = ip_csum_sub_even (csum, sport);
- csum = ip_csum_sub_even (csum, dport);
+ if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
+ {
+ if (proto == IP_PROTOCOL_UDP)
+ checksum = &udp->checksum;
+ else
+ checksum = &tcp->checksum;
+ csum = ip_csum_sub_even (*checksum, ip6->src_address.as_u64[0]);
+ csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[1]);
+ csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[0]);
+ csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[1]);
+ }
ste =
nat64_db_st_entry_find (db, &saddr, &daddr, sport, dport, proto,
@@ -674,7 +746,11 @@ nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
nat64_session_reset_timeout (ste, vm);
- sport = udp->src_port = bibe->out_port;
+ if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
+ {
+ udp->src_port = bibe->out_port;
+ }
+
nat64_compose_ip6 (&ip6->src_address, &bibe->out_addr, fib_index);
clib_memset (&daddr, 0, sizeof (daddr));
@@ -696,15 +772,20 @@ nat64_in2out_tcp_udp_hairpinning (vlib_main_t * vm, vlib_buffer_t * b,
ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
- udp->dst_port = bibe->in_port;
- csum = ip_csum_add_even (csum, ip6->src_address.as_u64[0]);
- csum = ip_csum_add_even (csum, ip6->src_address.as_u64[1]);
- csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[0]);
- csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[1]);
- csum = ip_csum_add_even (csum, udp->src_port);
- csum = ip_csum_add_even (csum, udp->dst_port);
- *checksum = ip_csum_fold (csum);
+ if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
+ {
+ csum = ip_csum_add_even (csum, ip6->src_address.as_u64[0]);
+ csum = ip_csum_add_even (csum, ip6->src_address.as_u64[1]);
+ csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[0]);
+ csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[1]);
+ csum = ip_csum_sub_even (csum, sport);
+ csum = ip_csum_sub_even (csum, dport);
+ udp->dst_port = bibe->in_port;
+ csum = ip_csum_add_even (csum, udp->src_port);
+ csum = ip_csum_add_even (csum, udp->dst_port);
+ *checksum = ip_csum_fold (csum);
+ }
return 0;
}
@@ -990,7 +1071,7 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
vlib_buffer_t *b0;
u32 next0;
ip6_header_t *ip60;
- u16 l4_offset0, frag_offset0;
+ u16 l4_offset0, frag_hdr_offset0;
u8 l4_protocol0;
u32 proto0;
nat64_in2out_set_ctx_t ctx0;
@@ -1015,8 +1096,8 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
if (PREDICT_FALSE
(ip6_parse
- (ip60, b0->current_length, &l4_protocol0, &l4_offset0,
- &frag_offset0)))
+ (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0,
+ &frag_hdr_offset0)))
{
next0 = NAT64_IN2OUT_NEXT_DROP;
b0->error = node->errors[NAT64_IN2OUT_ERROR_UNKNOWN];
@@ -1051,7 +1132,9 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
goto trace0;
}
- if (ip6_to_ip4 (b0, nat64_in2out_unk_proto_set_cb, &ctx0))
+ if (nat64_in2out_unk_proto
+ (vm, b0, l4_protocol0, l4_offset0, frag_hdr_offset0,
+ &ctx0))
{
next0 = NAT64_IN2OUT_NEXT_DROP;
b0->error =
@@ -1070,14 +1153,6 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
}
}
- if (PREDICT_FALSE
- (ip60->protocol == IP_PROTOCOL_IPV6_FRAGMENTATION))
- {
- next0 = NAT64_IN2OUT_NEXT_REASS;
- fragments++;
- goto trace0;
- }
-
if (proto0 == SNAT_PROTOCOL_ICMP)
{
icmp_packets++;
@@ -1095,7 +1170,7 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
}
if (icmp6_to_icmp
- (b0, nat64_in2out_icmp_set_cb, &ctx0,
+ (vm, b0, nat64_in2out_icmp_set_cb, &ctx0,
nat64_in2out_inner_icmp_set_cb, &ctx0))
{
next0 = NAT64_IN2OUT_NEXT_DROP;
@@ -1114,7 +1189,7 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
{
next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
if (nat64_in2out_tcp_udp_hairpinning
- (vm, b0, ip60, thread_index))
+ (vm, b0, ip60, l4_offset0, thread_index))
{
next0 = NAT64_IN2OUT_NEXT_DROP;
b0->error =
@@ -1123,8 +1198,8 @@ nat64_in2out_node_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
goto trace0;
}
- if (ip6_to_ip4_tcp_udp
- (b0, nat64_in2out_tcp_udp_set_cb, &ctx0, 0))
+ if (nat64_in2out_tcp_udp
+ (vm, b0, l4_offset0, frag_hdr_offset0, &ctx0))
{
next0 = NAT64_IN2OUT_NEXT_DROP;
b0->error = node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
@@ -1191,7 +1266,6 @@ VLIB_REGISTER_NODE (nat64_in2out_node) = {
[NAT64_IN2OUT_NEXT_IP4_LOOKUP] = "ip4-lookup",
[NAT64_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup",
[NAT64_IN2OUT_NEXT_SLOWPATH] = "nat64-in2out-slowpath",
- [NAT64_IN2OUT_NEXT_REASS] = "nat64-in2out-reass",
},
};
/* *INDENT-ON* */
@@ -1218,7 +1292,6 @@ VLIB_REGISTER_NODE (nat64_in2out_slowpath_node) = {
[NAT64_IN2OUT_NEXT_IP4_LOOKUP] = "ip4-lookup",
[NAT64_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup",
[NAT64_IN2OUT_NEXT_SLOWPATH] = "nat64-in2out-slowpath",
- [NAT64_IN2OUT_NEXT_REASS] = "nat64-in2out-reass",
},
};
/* *INDENT-ON* */
@@ -1233,447 +1306,6 @@ typedef struct nat64_in2out_frag_set_ctx_t_
u8 first_frag;
} nat64_in2out_frag_set_ctx_t;
-static int
-nat64_in2out_frag_set_cb (ip6_header_t * ip6, ip4_header_t * ip4, void *arg)
-{
- nat64_main_t *nm = &nat64_main;
- nat64_in2out_frag_set_ctx_t *ctx = arg;
- nat64_db_st_entry_t *ste;
- nat64_db_bib_entry_t *bibe;
- udp_header_t *udp;
- nat64_db_t *db = &nm->db[ctx->thread_index];
-
- ste = nat64_db_st_entry_by_index (db, ctx->proto, ctx->sess_index);
- if (!ste)
- return -1;
-
- bibe = nat64_db_bib_entry_by_index (db, ctx->proto, ste->bibe_index);
- if (!bibe)
- return -1;
-
- nat64_session_reset_timeout (ste, ctx->vm);
-
- if (ctx->first_frag)
- {
- udp = (udp_header_t *) u8_ptr_add (ip6, ctx->l4_offset);
-
- if (ctx->proto == IP_PROTOCOL_TCP)
- {
- u16 *checksum;
- ip_csum_t csum;
- tcp_header_t *tcp = (tcp_header_t *) udp;
-
- nat64_tcp_session_set_state (ste, tcp, 1);
- checksum = &tcp->checksum;
- csum = ip_csum_sub_even (*checksum, tcp->src_port);
- csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[0]);
- csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[1]);
- csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[0]);
- csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[1]);
- csum = ip_csum_add_even (csum, bibe->out_port);
- csum = ip_csum_add_even (csum, bibe->out_addr.as_u32);
- csum = ip_csum_add_even (csum, ste->out_r_addr.as_u32);
- *checksum = ip_csum_fold (csum);
- }
-
- udp->src_port = bibe->out_port;
- }
-
- ip4->src_address.as_u32 = bibe->out_addr.as_u32;
- ip4->dst_address.as_u32 = ste->out_r_addr.as_u32;
-
- return 0;
-}
-
-static int
-nat64_in2out_frag_hairpinning (vlib_buffer_t * b, ip6_header_t * ip6,
- nat64_in2out_frag_set_ctx_t * ctx)
-{
- nat64_main_t *nm = &nat64_main;
- nat64_db_st_entry_t *ste;
- nat64_db_bib_entry_t *bibe;
- udp_header_t *udp = (udp_header_t *) u8_ptr_add (ip6, ctx->l4_offset);
- tcp_header_t *tcp = (tcp_header_t *) udp;
- u16 sport = udp->src_port;
- u16 dport = udp->dst_port;
- u16 *checksum;
- ip_csum_t csum;
- ip46_address_t daddr;
- nat64_db_t *db = &nm->db[ctx->thread_index];
-
- if (ctx->first_frag)
- {
- if (ctx->proto == IP_PROTOCOL_UDP)
- checksum = &udp->checksum;
- else
- checksum = &tcp->checksum;
-
- csum = ip_csum_sub_even (*checksum, ip6->src_address.as_u64[0]);
- csum = ip_csum_sub_even (csum, ip6->src_address.as_u64[1]);
- csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[0]);
- csum = ip_csum_sub_even (csum, ip6->dst_address.as_u64[1]);
- csum = ip_csum_sub_even (csum, sport);
- csum = ip_csum_sub_even (csum, dport);
- }
-
- ste = nat64_db_st_entry_by_index (db, ctx->proto, ctx->sess_index);
- if (!ste)
- return -1;
-
- bibe = nat64_db_bib_entry_by_index (db, ctx->proto, ste->bibe_index);
- if (!bibe)
- return -1;
-
- if (ctx->proto == IP_PROTOCOL_TCP)
- nat64_tcp_session_set_state (ste, tcp, 1);
-
- nat64_session_reset_timeout (ste, ctx->vm);
-
- sport = bibe->out_port;
- dport = ste->r_port;
-
- nat64_compose_ip6 (&ip6->src_address, &bibe->out_addr, bibe->fib_index);
-
- clib_memset (&daddr, 0, sizeof (daddr));
- daddr.ip4.as_u32 = ste->out_r_addr.as_u32;
-
- bibe = 0;
- /* *INDENT-OFF* */
- vec_foreach (db, nm->db)
- {
- bibe = nat64_db_bib_entry_find (db, &daddr, dport, ctx->proto, 0, 0);
-
- if (bibe)
- break;
- }
- /* *INDENT-ON* */
-
- if (!bibe)
- return -1;
-
- ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
- ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
-
- if (ctx->first_frag)
- {
- udp->dst_port = bibe->in_port;
- udp->src_port = sport;
- csum = ip_csum_add_even (csum, ip6->src_address.as_u64[0]);
- csum = ip_csum_add_even (csum, ip6->src_address.as_u64[1]);
- csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[0]);
- csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[1]);
- csum = ip_csum_add_even (csum, udp->src_port);
- csum = ip_csum_add_even (csum, udp->dst_port);
- *checksum = ip_csum_fold (csum);
- }
-
- return 0;
-}
-
-VLIB_NODE_FN (nat64_in2out_reass_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- u32 n_left_from, *from, *to_next;
- nat64_in2out_next_t next_index;
- u32 pkts_processed = 0, cached_fragments = 0;
- u32 *fragments_to_drop = 0;
- u32 *fragments_to_loopback = 0;
- nat64_main_t *nm = &nat64_main;
- u32 thread_index = vm->thread_index;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0;
- vlib_buffer_t *b0;
- u32 next0;
- u8 cached0 = 0;
- ip6_header_t *ip60;
- u16 l4_offset0, frag_offset0;
- u8 l4_protocol0;
- nat_reass_ip6_t *reass0;
- ip6_frag_hdr_t *frag0;
- nat64_db_bib_entry_t *bibe0;
- nat64_db_st_entry_t *ste0;
- udp_header_t *udp0;
- snat_protocol_t proto0;
- u32 sw_if_index0, fib_index0;
- ip46_address_t saddr0, daddr0;
- nat64_in2out_frag_set_ctx_t ctx0;
- nat64_db_t *db = &nm->db[thread_index];
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
- next0 = NAT64_IN2OUT_NEXT_IP4_LOOKUP;
-
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- fib_index0 =
- fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP6,
- sw_if_index0);
-
- ctx0.thread_index = thread_index;
-
- if (PREDICT_FALSE (nat_reass_is_drop_frag (1)))
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error = node->errors[NAT64_IN2OUT_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- ip60 = (ip6_header_t *) vlib_buffer_get_current (b0);
-
- if (PREDICT_FALSE
- (ip6_parse
- (ip60, b0->current_length, &l4_protocol0, &l4_offset0,
- &frag_offset0)))
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error = node->errors[NAT64_IN2OUT_ERROR_UNKNOWN];
- goto trace0;
- }
-
- if (PREDICT_FALSE
- (!(l4_protocol0 == IP_PROTOCOL_TCP
- || l4_protocol0 == IP_PROTOCOL_UDP)))
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error = node->errors[NAT64_IN2OUT_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- udp0 = (udp_header_t *) u8_ptr_add (ip60, l4_offset0);
- frag0 = (ip6_frag_hdr_t *) u8_ptr_add (ip60, frag_offset0);
- proto0 = ip_proto_to_snat_proto (l4_protocol0);
-
- reass0 = nat_ip6_reass_find_or_create (ip60->src_address,
- ip60->dst_address,
- frag0->identification,
- l4_protocol0,
- 1, &fragments_to_drop);
-
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error = node->errors[NAT64_IN2OUT_ERROR_MAX_REASS];
- goto trace0;
- }
-
- if (PREDICT_TRUE (ip6_frag_hdr_offset (frag0)))
- {
- ctx0.first_frag = 0;
- if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
- {
- if (nat_ip6_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error = node->errors[NAT64_IN2OUT_ERROR_MAX_FRAG];
- next0 = NAT64_IN2OUT_NEXT_DROP;
- goto trace0;
- }
- cached0 = 1;
- goto trace0;
- }
- }
- else
- {
- ctx0.first_frag = 1;
-
- saddr0.as_u64[0] = ip60->src_address.as_u64[0];
- saddr0.as_u64[1] = ip60->src_address.as_u64[1];
- daddr0.as_u64[0] = ip60->dst_address.as_u64[0];
- daddr0.as_u64[1] = ip60->dst_address.as_u64[1];
-
- ste0 =
- nat64_db_st_entry_find (db, &saddr0, &daddr0,
- udp0->src_port, udp0->dst_port,
- l4_protocol0, fib_index0, 1);
- if (!ste0)
- {
- bibe0 =
- nat64_db_bib_entry_find (db, &saddr0, udp0->src_port,
- l4_protocol0, fib_index0, 1);
- if (!bibe0)
- {
- u16 out_port0;
- ip4_address_t out_addr0;
- if (nat64_alloc_out_addr_and_port
- (fib_index0, proto0, &out_addr0, &out_port0,
- thread_index))
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error =
- node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
- goto trace0;
- }
-
- bibe0 =
- nat64_db_bib_entry_create (thread_index, db,
- &ip60->src_address,
- &out_addr0, udp0->src_port,
- out_port0, fib_index0,
- l4_protocol0, 0);
- if (!bibe0)
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error =
- node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
- goto trace0;
- }
- vlib_set_simple_counter (&nm->total_bibs, thread_index,
- 0, db->bib.bib_entries_num);
- }
- nat64_extract_ip4 (&ip60->dst_address, &daddr0.ip4,
- fib_index0);
- ste0 =
- nat64_db_st_entry_create (thread_index, db, bibe0,
- &ip60->dst_address, &daddr0.ip4,
- udp0->dst_port);
- if (!ste0)
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error =
- node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
- goto trace0;
- }
-
- vlib_set_simple_counter (&nm->total_sessions, thread_index,
- 0, db->st.st_entries_num);
- }
- reass0->sess_index = nat64_db_st_entry_get_index (db, ste0);
-
- nat_ip6_reass_get_frags (reass0, &fragments_to_loopback);
- }
-
- ctx0.sess_index = reass0->sess_index;
- ctx0.proto = l4_protocol0;
- ctx0.vm = vm;
- ctx0.l4_offset = l4_offset0;
-
- if (PREDICT_FALSE (is_hairpinning (&ip60->dst_address)))
- {
- next0 = NAT64_IN2OUT_NEXT_IP6_LOOKUP;
- if (nat64_in2out_frag_hairpinning (b0, ip60, &ctx0))
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error = node->errors[NAT64_IN2OUT_ERROR_NO_TRANSLATION];
- }
- goto trace0;
- }
- else
- {
- if (ip6_to_ip4_fragmented (b0, nat64_in2out_frag_set_cb, &ctx0))
- {
- next0 = NAT64_IN2OUT_NEXT_DROP;
- b0->error = node->errors[NAT64_IN2OUT_ERROR_UNKNOWN];
- goto trace0;
- }
- }
-
- trace0:
- if (PREDICT_FALSE
- ((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- nat64_in2out_reass_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->cached = cached0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- }
-
- if (cached0)
- {
- n_left_to_next++;
- to_next--;
- cached_fragments++;
- }
- else
- {
- pkts_processed += next0 != NAT64_IN2OUT_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- if (n_left_from == 0 && vec_len (fragments_to_loopback))
- {
- from = vlib_frame_vector_args (frame);
- u32 len = vec_len (fragments_to_loopback);
- if (len <= VLIB_FRAME_SIZE)
- {
- clib_memcpy_fast (from, fragments_to_loopback,
- sizeof (u32) * len);
- n_left_from = len;
- vec_reset_length (fragments_to_loopback);
- }
- else
- {
- clib_memcpy_fast (from, fragments_to_loopback +
- (len - VLIB_FRAME_SIZE),
- sizeof (u32) * VLIB_FRAME_SIZE);
- n_left_from = VLIB_FRAME_SIZE;
- _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
- }
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, nm->in2out_reass_node_index,
- NAT64_IN2OUT_ERROR_PROCESSED_FRAGMENTS,
- pkts_processed);
- vlib_node_increment_counter (vm, nm->in2out_reass_node_index,
- NAT64_IN2OUT_ERROR_CACHED_FRAGMENTS,
- cached_fragments);
-
- nat_send_all_to_node (vm, fragments_to_drop, node,
- &node->errors[NAT64_IN2OUT_ERROR_DROP_FRAGMENT],
- NAT64_IN2OUT_NEXT_DROP);
-
- vec_free (fragments_to_drop);
- vec_free (fragments_to_loopback);
- return frame->n_vectors;
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (nat64_in2out_reass_node) = {
- .name = "nat64-in2out-reass",
- .vector_size = sizeof (u32),
- .format_trace = format_nat64_in2out_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (nat64_in2out_error_strings),
- .error_strings = nat64_in2out_error_strings,
- .n_next_nodes = NAT64_IN2OUT_N_NEXT,
- /* edit / add dispositions here */
- .next_nodes = {
- [NAT64_IN2OUT_NEXT_DROP] = "error-drop",
- [NAT64_IN2OUT_NEXT_IP4_LOOKUP] = "ip4-lookup",
- [NAT64_IN2OUT_NEXT_IP6_LOOKUP] = "ip6-lookup",
- [NAT64_IN2OUT_NEXT_SLOWPATH] = "nat64-in2out-slowpath",
- [NAT64_IN2OUT_NEXT_REASS] = "nat64-in2out-reass",
- },
-};
-/* *INDENT-ON* */
#define foreach_nat64_in2out_handoff_error \
_(CONGESTION_DROP, "congestion drop") \
diff --git a/src/plugins/nat/nat64_out2in.c b/src/plugins/nat/nat64_out2in.c
index e0dd407e0cf..6c0075102a1 100644
--- a/src/plugins/nat/nat64_out2in.c
+++ b/src/plugins/nat/nat64_out2in.c
@@ -18,7 +18,6 @@
*/
#include <nat/nat64.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <vnet/ip/ip4_to_ip6.h>
#include <vnet/fib/ip4_fib.h>
@@ -44,38 +43,12 @@ format_nat64_out2in_trace (u8 * s, va_list * args)
return s;
}
-typedef struct
-{
- u32 sw_if_index;
- u32 next_index;
- u8 cached;
-} nat64_out2in_reass_trace_t;
-
-static u8 *
-format_nat64_out2in_reass_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- nat64_out2in_reass_trace_t *t =
- va_arg (*args, nat64_out2in_reass_trace_t *);
-
- s =
- format (s, "NAT64-out2in-reass: sw_if_index %d, next index %d, status %s",
- t->sw_if_index, t->next_index,
- t->cached ? "cached" : "translated");
-
- return s;
-}
-
-
#define foreach_nat64_out2in_error \
_(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
_(OUT2IN_PACKETS, "good out2in packets processed") \
_(NO_TRANSLATION, "no translation") \
_(UNKNOWN, "unknown") \
_(DROP_FRAGMENT, "drop fragment") \
-_(MAX_REASS, "maximum reassemblies exceeded") \
-_(MAX_FRAG, "maximum fragments per reassembly exceeded") \
_(TCP_PACKETS, "TCP packets") \
_(UDP_PACKETS, "UDP packets") \
_(ICMP_PACKETS, "ICMP packets") \
@@ -104,7 +77,6 @@ typedef enum
NAT64_OUT2IN_NEXT_IP6_LOOKUP,
NAT64_OUT2IN_NEXT_IP4_LOOKUP,
NAT64_OUT2IN_NEXT_DROP,
- NAT64_OUT2IN_NEXT_REASS,
NAT64_OUT2IN_N_NEXT,
} nat64_out2in_next_t;
@@ -116,25 +88,90 @@ typedef struct nat64_out2in_set_ctx_t_
} nat64_out2in_set_ctx_t;
static int
-nat64_out2in_tcp_udp_set_cb (ip4_header_t * ip4, ip6_header_t * ip6,
- void *arg)
+nat64_out2in_tcp_udp (vlib_main_t * vm, vlib_buffer_t * b,
+ nat64_out2in_set_ctx_t * ctx)
{
+ ip4_header_t *ip4;
+ ip6_header_t *ip6;
+ ip_csum_t csum;
+ u16 *checksum = NULL;
+ ip6_frag_hdr_t *frag;
+ u32 frag_id;
+ ip4_address_t old_src, old_dst;
+
nat64_main_t *nm = &nat64_main;
- nat64_out2in_set_ctx_t *ctx = arg;
nat64_db_bib_entry_t *bibe;
nat64_db_st_entry_t *ste;
- ip46_address_t saddr, daddr;
+ ip46_address_t saddr;
+ ip46_address_t daddr;
ip6_address_t ip6_saddr;
- udp_header_t *udp = ip4_next_header (ip4);
- tcp_header_t *tcp = ip4_next_header (ip4);
- u8 proto = ip4->protocol;
- u16 dport = udp->dst_port;
- u16 sport = udp->src_port;
+ u8 proto = vnet_buffer (b)->ip.reass.ip_proto;
+ u16 dport = vnet_buffer (b)->ip.reass.l4_dst_port;
+ u16 sport = vnet_buffer (b)->ip.reass.l4_src_port;
u32 sw_if_index, fib_index;
- u16 *checksum;
- ip_csum_t csum;
nat64_db_t *db = &nm->db[ctx->thread_index];
+ ip4 = vlib_buffer_get_current (b);
+
+ udp_header_t *udp = ip4_next_header (ip4);
+ tcp_header_t *tcp = ip4_next_header (ip4);
+ if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
+ {
+ if (ip4->protocol == IP_PROTOCOL_UDP)
+ {
+ checksum = &udp->checksum;
+ //UDP checksum is optional over IPv4 but mandatory for IPv6
+ //We do not check udp->length sanity but use our safe computed value instead
+ if (PREDICT_FALSE (!*checksum))
+ {
+ u16 udp_len =
+ clib_host_to_net_u16 (ip4->length) - sizeof (*ip4);
+ csum = ip_incremental_checksum (0, udp, udp_len);
+ csum =
+ ip_csum_with_carry (csum, clib_host_to_net_u16 (udp_len));
+ csum =
+ ip_csum_with_carry (csum,
+ clib_host_to_net_u16 (IP_PROTOCOL_UDP));
+ csum =
+ ip_csum_with_carry (csum, *((u64 *) (&ip4->src_address)));
+ *checksum = ~ip_csum_fold (csum);
+ }
+ }
+ else
+ {
+ checksum = &tcp->checksum;
+ }
+ }
+
+ old_src.as_u32 = ip4->src_address.as_u32;
+ old_dst.as_u32 = ip4->dst_address.as_u32;
+
+ // Deal with fragmented packets
+ u16 frag_offset = ip4_get_fragment_offset (ip4);
+ if (PREDICT_FALSE (ip4_get_fragment_more (ip4) || frag_offset))
+ {
+ ip6 =
+ (ip6_header_t *) u8_ptr_add (ip4,
+ sizeof (*ip4) - sizeof (*ip6) -
+ sizeof (*frag));
+ frag =
+ (ip6_frag_hdr_t *) u8_ptr_add (ip4, sizeof (*ip4) - sizeof (*frag));
+ frag_id = frag_id_4to6 (ip4->fragment_id);
+ vlib_buffer_advance (b, sizeof (*ip4) - sizeof (*ip6) - sizeof (*frag));
+ }
+ else
+ {
+ ip6 = (ip6_header_t *) (((u8 *) ip4) + sizeof (*ip4) - sizeof (*ip6));
+ vlib_buffer_advance (b, sizeof (*ip4) - sizeof (*ip6));
+ frag = NULL;
+ }
+
+ ip6->ip_version_traffic_class_and_flow_label =
+ clib_host_to_net_u32 ((6 << 28) + (ip4->tos << 20));
+ ip6->payload_length = u16_net_add (ip4->length, -sizeof (*ip4));
+ ip6->hop_limit = ip4->ttl;
+ ip6->protocol = ip4->protocol;
+
sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
@@ -159,7 +196,7 @@ nat64_out2in_tcp_udp_set_cb (ip4_header_t * ip4, ip6_header_t * ip6,
if (!bibe)
return -1;
- nat64_compose_ip6 (&ip6_saddr, &ip4->src_address, bibe->fib_index);
+ nat64_compose_ip6 (&ip6_saddr, &old_src, bibe->fib_index);
ste =
nat64_db_st_entry_create (ctx->thread_index, db, bibe, &ip6_saddr,
&saddr.ip4, sport);
@@ -176,29 +213,48 @@ nat64_out2in_tcp_udp_set_cb (ip4_header_t * ip4, ip6_header_t * ip6,
ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
- udp->dst_port = bibe->in_port;
- if (proto == IP_PROTOCOL_UDP)
- checksum = &udp->checksum;
- else
+ vnet_buffer (ctx->b)->sw_if_index[VLIB_TX] = bibe->fib_index;
+
+ nat64_session_reset_timeout (ste, ctx->vm);
+
+ if (PREDICT_FALSE (frag != NULL))
{
- checksum = &tcp->checksum;
- nat64_tcp_session_set_state (ste, tcp, 0);
+ frag->next_hdr = ip6->protocol;
+ frag->identification = frag_id;
+ frag->rsv = 0;
+ frag->fragment_offset_and_more =
+ ip6_frag_hdr_offset_and_more (frag_offset, 1);
+ ip6->protocol = IP_PROTOCOL_IPV6_FRAGMENTATION;
+ ip6->payload_length = u16_net_add (ip6->payload_length, sizeof (*frag));
}
- csum = ip_csum_sub_even (*checksum, dport);
- csum = ip_csum_add_even (csum, udp->dst_port);
- *checksum = ip_csum_fold (csum);
+ if (!vnet_buffer (b)->ip.reass.is_non_first_fragment)
+ {
+ udp->dst_port = bibe->in_port;
- vnet_buffer (ctx->b)->sw_if_index[VLIB_TX] = bibe->fib_index;
+ if (proto == IP_PROTOCOL_TCP)
+ {
+ nat64_tcp_session_set_state (ste, tcp, 0);
+ }
- nat64_session_reset_timeout (ste, ctx->vm);
+ csum = ip_csum_sub_even (*checksum, dport);
+ csum = ip_csum_add_even (csum, udp->dst_port);
+ csum = ip_csum_sub_even (csum, old_src.as_u32);
+ csum = ip_csum_sub_even (csum, old_dst.as_u32);
+ csum = ip_csum_add_even (csum, ip6->src_address.as_u64[0]);
+ csum = ip_csum_add_even (csum, ip6->src_address.as_u64[1]);
+ csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[0]);
+ csum = ip_csum_add_even (csum, ip6->dst_address.as_u64[1]);
+ *checksum = ip_csum_fold (csum);
+ }
return 0;
}
static int
-nat64_out2in_icmp_set_cb (ip4_header_t * ip4, ip6_header_t * ip6, void *arg)
+nat64_out2in_icmp_set_cb (vlib_buffer_t * b, ip4_header_t * ip4,
+ ip6_header_t * ip6, void *arg)
{
nat64_main_t *nm = &nat64_main;
nat64_out2in_set_ctx_t *ctx = arg;
@@ -278,8 +334,8 @@ nat64_out2in_icmp_set_cb (ip4_header_t * ip4, ip6_header_t * ip6, void *arg)
}
static int
-nat64_out2in_inner_icmp_set_cb (ip4_header_t * ip4, ip6_header_t * ip6,
- void *arg)
+nat64_out2in_inner_icmp_set_cb (vlib_buffer_t * b, ip4_header_t * ip4,
+ ip6_header_t * ip6, void *arg)
{
nat64_main_t *nm = &nat64_main;
nat64_out2in_set_ctx_t *ctx = arg;
@@ -370,11 +426,15 @@ nat64_out2in_inner_icmp_set_cb (ip4_header_t * ip4, ip6_header_t * ip6,
}
static int
-nat64_out2in_unk_proto_set_cb (ip4_header_t * ip4, ip6_header_t * ip6,
- void *arg)
+nat64_out2in_unk_proto (vlib_main_t * vm, vlib_buffer_t * p,
+ nat64_out2in_set_ctx_t * ctx)
{
+ ip4_header_t *ip4 = vlib_buffer_get_current (p);
+ ip6_header_t *ip6;
+ ip6_frag_hdr_t *frag;
+ u32 frag_id;
+
nat64_main_t *nm = &nat64_main;
- nat64_out2in_set_ctx_t *ctx = arg;
nat64_db_bib_entry_t *bibe;
nat64_db_st_entry_t *ste;
ip46_address_t saddr, daddr;
@@ -383,6 +443,43 @@ nat64_out2in_unk_proto_set_cb (ip4_header_t * ip4, ip6_header_t * ip6,
u8 proto = ip4->protocol;
nat64_db_t *db = &nm->db[ctx->thread_index];
+ // Deal with fragmented packets
+ u16 frag_offset = ip4_get_fragment_offset (ip4);
+ if (PREDICT_FALSE (ip4_get_fragment_more (ip4) || frag_offset))
+ {
+ ip6 =
+ (ip6_header_t *) u8_ptr_add (ip4,
+ sizeof (*ip4) - sizeof (*ip6) -
+ sizeof (*frag));
+ frag =
+ (ip6_frag_hdr_t *) u8_ptr_add (ip4, sizeof (*ip4) - sizeof (*frag));
+ frag_id = frag_id_4to6 (ip4->fragment_id);
+ vlib_buffer_advance (p, sizeof (*ip4) - sizeof (*ip6) - sizeof (*frag));
+ }
+ else
+ {
+ ip6 = (ip6_header_t *) (((u8 *) ip4) + sizeof (*ip4) - sizeof (*ip6));
+ vlib_buffer_advance (p, sizeof (*ip4) - sizeof (*ip6));
+ frag = NULL;
+ }
+
+ ip6->ip_version_traffic_class_and_flow_label =
+ clib_host_to_net_u32 ((6 << 28) + (ip4->tos << 20));
+ ip6->payload_length = u16_net_add (ip4->length, -sizeof (*ip4));
+ ip6->hop_limit = ip4->ttl;
+ ip6->protocol = ip4->protocol;
+
+ if (PREDICT_FALSE (frag != NULL))
+ {
+ frag->next_hdr = ip6->protocol;
+ frag->identification = frag_id;
+ frag->rsv = 0;
+ frag->fragment_offset_and_more =
+ ip6_frag_hdr_offset_and_more (frag_offset, 1);
+ ip6->protocol = IP_PROTOCOL_IPV6_FRAGMENTATION;
+ ip6->payload_length = u16_net_add (ip6->payload_length, sizeof (*frag));
+ }
+
sw_if_index = vnet_buffer (ctx->b)->sw_if_index[VLIB_RX];
fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
@@ -482,7 +579,7 @@ VLIB_NODE_FN (nat64_out2in_node) (vlib_main_t * vm,
if (PREDICT_FALSE (proto0 == ~0))
{
- if (ip4_to_ip6 (b0, nat64_out2in_unk_proto_set_cb, &ctx0))
+ if (nat64_out2in_unk_proto (vm, b0, &ctx0))
{
next0 = NAT64_OUT2IN_NEXT_DROP;
b0->error = node->errors[NAT64_OUT2IN_ERROR_NO_TRANSLATION];
@@ -491,13 +588,6 @@ VLIB_NODE_FN (nat64_out2in_node) (vlib_main_t * vm,
goto trace0;
}
- if (PREDICT_FALSE (ip4_is_fragment (ip40)))
- {
- next0 = NAT64_OUT2IN_NEXT_REASS;
- fragments++;
- goto trace0;
- }
-
if (proto0 == SNAT_PROTOCOL_ICMP)
{
icmp_packets++;
@@ -517,7 +607,7 @@ VLIB_NODE_FN (nat64_out2in_node) (vlib_main_t * vm,
else
udp_packets++;
- if (ip4_to_ip6_tcp_udp (b0, nat64_out2in_tcp_udp_set_cb, &ctx0))
+ if (nat64_out2in_tcp_udp (vm, b0, &ctx0))
{
udp0 = ip4_next_header (ip40);
/*
@@ -587,7 +677,6 @@ VLIB_REGISTER_NODE (nat64_out2in_node) = {
[NAT64_OUT2IN_NEXT_DROP] = "error-drop",
[NAT64_OUT2IN_NEXT_IP6_LOOKUP] = "ip6-lookup",
[NAT64_OUT2IN_NEXT_IP4_LOOKUP] = "ip4-lookup",
- [NAT64_OUT2IN_NEXT_REASS] = "nat64-out2in-reass",
},
};
/* *INDENT-ON* */
@@ -602,350 +691,6 @@ typedef struct nat64_out2in_frag_set_ctx_t_
u8 first_frag;
} nat64_out2in_frag_set_ctx_t;
-static int
-nat64_out2in_frag_set_cb (ip4_header_t * ip4, ip6_header_t * ip6, void *arg)
-{
- nat64_main_t *nm = &nat64_main;
- nat64_out2in_frag_set_ctx_t *ctx = arg;
- nat64_db_st_entry_t *ste;
- nat64_db_bib_entry_t *bibe;
- udp_header_t *udp = ip4_next_header (ip4);
- ip_csum_t csum;
- u16 *checksum;
- nat64_db_t *db = &nm->db[ctx->thread_index];
-
- ste = nat64_db_st_entry_by_index (db, ctx->proto, ctx->sess_index);
- if (!ste)
- return -1;
-
- bibe = nat64_db_bib_entry_by_index (db, ctx->proto, ste->bibe_index);
- if (!bibe)
- return -1;
-
- if (ctx->first_frag)
- {
- udp->dst_port = bibe->in_port;
-
- if (ip4->protocol == IP_PROTOCOL_UDP)
- {
- checksum = &udp->checksum;
-
- if (!checksum)
- {
- u16 udp_len =
- clib_host_to_net_u16 (ip4->length) - sizeof (*ip4);
- csum = ip_incremental_checksum (0, udp, udp_len);
- csum =
- ip_csum_with_carry (csum, clib_host_to_net_u16 (udp_len));
- csum =
- ip_csum_with_carry (csum,
- clib_host_to_net_u16 (IP_PROTOCOL_UDP));
- csum = ip_csum_with_carry (csum, ste->in_r_addr.as_u64[0]);
- csum = ip_csum_with_carry (csum, ste->in_r_addr.as_u64[1]);
- csum = ip_csum_with_carry (csum, bibe->in_addr.as_u64[0]);
- csum = ip_csum_with_carry (csum, bibe->in_addr.as_u64[1]);
- *checksum = ~ip_csum_fold (csum);
- }
- else
- {
- csum = ip_csum_sub_even (*checksum, bibe->out_addr.as_u32);
- csum = ip_csum_sub_even (csum, ste->out_r_addr.as_u32);
- csum = ip_csum_sub_even (csum, bibe->out_port);
- csum = ip_csum_add_even (csum, ste->in_r_addr.as_u64[0]);
- csum = ip_csum_add_even (csum, ste->in_r_addr.as_u64[1]);
- csum = ip_csum_add_even (csum, bibe->in_addr.as_u64[0]);
- csum = ip_csum_add_even (csum, bibe->in_addr.as_u64[1]);
- csum = ip_csum_add_even (csum, bibe->in_port);
- *checksum = ip_csum_fold (csum);
- }
- }
- else
- {
- tcp_header_t *tcp = ip4_next_header (ip4);
- nat64_tcp_session_set_state (ste, tcp, 0);
- checksum = &tcp->checksum;
- csum = ip_csum_sub_even (*checksum, bibe->out_addr.as_u32);
- csum = ip_csum_sub_even (csum, ste->out_r_addr.as_u32);
- csum = ip_csum_sub_even (csum, bibe->out_port);
- csum = ip_csum_add_even (csum, ste->in_r_addr.as_u64[0]);
- csum = ip_csum_add_even (csum, ste->in_r_addr.as_u64[1]);
- csum = ip_csum_add_even (csum, bibe->in_addr.as_u64[0]);
- csum = ip_csum_add_even (csum, bibe->in_addr.as_u64[1]);
- csum = ip_csum_add_even (csum, bibe->in_port);
- *checksum = ip_csum_fold (csum);
- }
-
- }
-
- ip6->src_address.as_u64[0] = ste->in_r_addr.as_u64[0];
- ip6->src_address.as_u64[1] = ste->in_r_addr.as_u64[1];
-
- ip6->dst_address.as_u64[0] = bibe->in_addr.as_u64[0];
- ip6->dst_address.as_u64[1] = bibe->in_addr.as_u64[1];
-
- vnet_buffer (ctx->b)->sw_if_index[VLIB_TX] = bibe->fib_index;
-
- nat64_session_reset_timeout (ste, ctx->vm);
-
- return 0;
-}
-
-VLIB_NODE_FN (nat64_out2in_reass_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- u32 n_left_from, *from, *to_next;
- nat64_out2in_next_t next_index;
- u32 pkts_processed = 0, cached_fragments = 0;
- u32 *fragments_to_drop = 0;
- u32 *fragments_to_loopback = 0;
- nat64_main_t *nm = &nat64_main;
- u32 thread_index = vm->thread_index;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0;
- vlib_buffer_t *b0;
- u32 next0;
- ip4_header_t *ip40;
- u8 cached0 = 0;
- u32 sw_if_index0, fib_index0;
- udp_header_t *udp0;
- nat_reass_ip4_t *reass0;
- ip46_address_t saddr0, daddr0;
- nat64_db_st_entry_t *ste0;
- nat64_db_bib_entry_t *bibe0;
- ip6_address_t ip6_saddr0;
- nat64_out2in_frag_set_ctx_t ctx0;
- nat64_db_t *db = &nm->db[thread_index];
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
- next0 = NAT64_OUT2IN_NEXT_IP6_LOOKUP;
-
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- fib_index0 =
- fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
-
- ctx0.thread_index = thread_index;
-
- if (PREDICT_FALSE (nat_reass_is_drop_frag (1)))
- {
- next0 = NAT64_OUT2IN_NEXT_DROP;
- b0->error = node->errors[NAT64_OUT2IN_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- ip40 = vlib_buffer_get_current (b0);
-
- if (PREDICT_FALSE (!(ip40->protocol == IP_PROTOCOL_TCP
- || ip40->protocol == IP_PROTOCOL_UDP)))
- {
- next0 = NAT64_OUT2IN_NEXT_DROP;
- b0->error = node->errors[NAT64_OUT2IN_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- udp0 = ip4_next_header (ip40);
-
- reass0 = nat_ip4_reass_find_or_create (ip40->src_address,
- ip40->dst_address,
- ip40->fragment_id,
- ip40->protocol,
- 1, &fragments_to_drop);
-
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT64_OUT2IN_NEXT_DROP;
- b0->error = node->errors[NAT64_OUT2IN_ERROR_MAX_REASS];
- goto trace0;
- }
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip40)))
- {
- ctx0.first_frag = 1;
-
- clib_memset (&saddr0, 0, sizeof (saddr0));
- saddr0.ip4.as_u32 = ip40->src_address.as_u32;
- clib_memset (&daddr0, 0, sizeof (daddr0));
- daddr0.ip4.as_u32 = ip40->dst_address.as_u32;
-
- ste0 =
- nat64_db_st_entry_find (db, &daddr0, &saddr0,
- udp0->dst_port, udp0->src_port,
- ip40->protocol, fib_index0, 0);
- if (!ste0)
- {
- bibe0 =
- nat64_db_bib_entry_find (db, &daddr0, udp0->dst_port,
- ip40->protocol, fib_index0, 0);
- if (!bibe0)
- {
- next0 = NAT64_OUT2IN_NEXT_DROP;
- b0->error =
- node->errors[NAT64_OUT2IN_ERROR_NO_TRANSLATION];
- goto trace0;
- }
-
- nat64_compose_ip6 (&ip6_saddr0, &ip40->src_address,
- bibe0->fib_index);
- ste0 =
- nat64_db_st_entry_create (thread_index,
- db, bibe0, &ip6_saddr0,
- &saddr0.ip4, udp0->src_port);
-
- if (!ste0)
- {
- next0 = NAT64_OUT2IN_NEXT_DROP;
- b0->error =
- node->errors[NAT64_OUT2IN_ERROR_NO_TRANSLATION];
- goto trace0;
- }
-
- vlib_set_simple_counter (&nm->total_sessions, thread_index,
- 0, db->st.st_entries_num);
- }
- reass0->sess_index = nat64_db_st_entry_get_index (db, ste0);
- reass0->thread_index = thread_index;
-
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- }
- else
- {
- ctx0.first_frag = 0;
-
- if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
- {
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error = node->errors[NAT64_OUT2IN_ERROR_MAX_FRAG];
- next0 = NAT64_OUT2IN_NEXT_DROP;
- goto trace0;
- }
- cached0 = 1;
- goto trace0;
- }
- }
-
- ctx0.sess_index = reass0->sess_index;
- ctx0.proto = ip40->protocol;
- ctx0.vm = vm;
- ctx0.b = b0;
-
- if (ip4_to_ip6_fragmented (b0, nat64_out2in_frag_set_cb, &ctx0))
- {
- next0 = NAT64_OUT2IN_NEXT_DROP;
- b0->error = node->errors[NAT64_OUT2IN_ERROR_UNKNOWN];
- goto trace0;
- }
-
- trace0:
- if (PREDICT_FALSE
- ((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- nat64_out2in_reass_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->cached = cached0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- }
-
- if (cached0)
- {
- n_left_to_next++;
- to_next--;
- cached_fragments++;
- }
- else
- {
- pkts_processed += next0 != NAT64_OUT2IN_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- if (n_left_from == 0 && vec_len (fragments_to_loopback))
- {
- from = vlib_frame_vector_args (frame);
- u32 len = vec_len (fragments_to_loopback);
- if (len <= VLIB_FRAME_SIZE)
- {
- clib_memcpy_fast (from, fragments_to_loopback,
- sizeof (u32) * len);
- n_left_from = len;
- vec_reset_length (fragments_to_loopback);
- }
- else
- {
- clib_memcpy_fast (from, fragments_to_loopback +
- (len - VLIB_FRAME_SIZE),
- sizeof (u32) * VLIB_FRAME_SIZE);
- n_left_from = VLIB_FRAME_SIZE;
- _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
- }
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, nm->out2in_reass_node_index,
- NAT64_OUT2IN_ERROR_PROCESSED_FRAGMENTS,
- pkts_processed);
- vlib_node_increment_counter (vm, nm->out2in_reass_node_index,
- NAT64_OUT2IN_ERROR_CACHED_FRAGMENTS,
- cached_fragments);
-
- nat_send_all_to_node (vm, fragments_to_drop, node,
- &node->errors[NAT64_OUT2IN_ERROR_DROP_FRAGMENT],
- NAT64_OUT2IN_NEXT_DROP);
-
- vec_free (fragments_to_drop);
- vec_free (fragments_to_loopback);
- return frame->n_vectors;
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (nat64_out2in_reass_node) = {
- .name = "nat64-out2in-reass",
- .vector_size = sizeof (u32),
- .format_trace = format_nat64_out2in_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN (nat64_out2in_error_strings),
- .error_strings = nat64_out2in_error_strings,
- .n_next_nodes = NAT64_OUT2IN_N_NEXT,
- /* edit / add dispositions here */
- .next_nodes = {
- [NAT64_OUT2IN_NEXT_DROP] = "error-drop",
- [NAT64_OUT2IN_NEXT_IP6_LOOKUP] = "ip6-lookup",
- [NAT64_OUT2IN_NEXT_IP4_LOOKUP] = "ip4-lookup",
- [NAT64_OUT2IN_NEXT_REASS] = "nat64-out2in-reass",
- },
-};
-/* *INDENT-ON* */
-
#define foreach_nat64_out2in_handoff_error \
_(CONGESTION_DROP, "congestion drop") \
_(SAME_WORKER, "same worker") \
@@ -1010,7 +755,7 @@ VLIB_NODE_FN (nat64_out2in_handoff_node) (vlib_main_t * vm,
ip4_header_t *ip0;
ip0 = vlib_buffer_get_current (b[0]);
- ti[0] = nat64_get_worker_out2in (ip0);
+ ti[0] = nat64_get_worker_out2in (b[0], ip0);
if (ti[0] != thread_index)
do_handoff++;
diff --git a/src/plugins/nat/nat66.c b/src/plugins/nat/nat66.c
index e5e783b31f7..3ac773c7da4 100644
--- a/src/plugins/nat/nat66.c
+++ b/src/plugins/nat/nat66.c
@@ -19,6 +19,7 @@
#include <nat/nat66.h>
#include <vnet/fib/fib_table.h>
+#include <vnet/ip/reass/ip6_sv_reass.h>
nat66_main_t nat66_main;
@@ -29,11 +30,13 @@ VNET_FEATURE_INIT (nat66_in2out, static) = {
.arc_name = "ip6-unicast",
.node_name = "nat66-in2out",
.runs_before = VNET_FEATURES ("ip6-lookup"),
+ .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"),
};
VNET_FEATURE_INIT (nat66_out2in, static) = {
.arc_name = "ip6-unicast",
.node_name = "nat66-out2in",
.runs_before = VNET_FEATURES ("ip6-lookup"),
+ .runs_after = VNET_FEATURES ("ip6-sv-reassembly-feature"),
};
/* *INDENT-ON* */
@@ -99,6 +102,9 @@ nat66_interface_add_del (u32 sw_if_index, u8 is_inside, u8 is_add)
}
feature_name = is_inside ? "nat66-in2out" : "nat66-out2in";
+ int rv = ip6_sv_reass_enable_disable_with_refcnt (sw_if_index, is_add);
+ if (rv)
+ return rv;
return vnet_feature_enable_disable ("ip6-unicast", feature_name,
sw_if_index, is_add, 0, 0);
}
diff --git a/src/plugins/nat/nat66_in2out.c b/src/plugins/nat/nat66_in2out.c
index ac1f3298415..437d66550f6 100644
--- a/src/plugins/nat/nat66_in2out.c
+++ b/src/plugins/nat/nat66_in2out.c
@@ -156,7 +156,7 @@ VLIB_NODE_FN (nat66_in2out_node) (vlib_main_t * vm,
if (PREDICT_FALSE
(ip6_parse
- (ip60, b0->current_length, &l4_protocol0, &l4_offset0,
+ (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0,
&frag_offset0)))
{
next0 = NAT66_IN2OUT_NEXT_DROP;
diff --git a/src/plugins/nat/nat66_out2in.c b/src/plugins/nat/nat66_out2in.c
index d404d9f71eb..8386cd3ca73 100644
--- a/src/plugins/nat/nat66_out2in.c
+++ b/src/plugins/nat/nat66_out2in.c
@@ -116,7 +116,7 @@ VLIB_NODE_FN (nat66_out2in_node) (vlib_main_t * vm,
if (PREDICT_FALSE
(ip6_parse
- (ip60, b0->current_length, &l4_protocol0, &l4_offset0,
+ (vm, b0, ip60, b0->current_length, &l4_protocol0, &l4_offset0,
&frag_offset0)))
{
next0 = NAT66_OUT2IN_NEXT_DROP;
diff --git a/src/plugins/nat/nat_api.c b/src/plugins/nat/nat_api.c
index b83ea0b49f8..6df1a851e48 100644
--- a/src/plugins/nat/nat_api.c
+++ b/src/plugins/nat/nat_api.c
@@ -23,7 +23,6 @@
#include <nat/nat64.h>
#include <nat/nat66.h>
#include <nat/dslite.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <nat/nat_ha.h>
#include <vlibapi/api.h>
@@ -304,156 +303,6 @@ vl_api_nat_ipfix_enable_disable_t_print (vl_api_nat_ipfix_enable_disable_t *
}
static void
-vl_api_nat_set_reass_t_handler (vl_api_nat_set_reass_t * mp)
-{
- snat_main_t *sm = &snat_main;
- vl_api_nat_set_reass_reply_t *rmp;
- int rv = 0;
-
- rv =
- nat_reass_set (ntohl (mp->timeout), ntohs (mp->max_reass), mp->max_frag,
- mp->drop_frag, mp->is_ip6);
-
- REPLY_MACRO (VL_API_NAT_SET_REASS_REPLY);
-}
-
-static void *
-vl_api_nat_set_reass_t_print (vl_api_nat_set_reass_t * mp, void *handle)
-{
- u8 *s;
-
- s = format (0, "SCRIPT: nat_set_reass ");
- s = format (s, "timeout %d max_reass %d max_frag %d drop_frag %d is_ip6 %d",
- clib_host_to_net_u32 (mp->timeout),
- clib_host_to_net_u16 (mp->max_reass),
- mp->max_frag, mp->drop_frag, mp->is_ip6);
-
- FINISH;
-}
-
-static void
-vl_api_nat_get_reass_t_handler (vl_api_nat_get_reass_t * mp)
-{
- snat_main_t *sm = &snat_main;
- vl_api_nat_get_reass_reply_t *rmp;
- int rv = 0;
-
- /* *INDENT-OFF* */
- REPLY_MACRO2 (VL_API_NAT_GET_REASS_REPLY,
- ({
- rmp->ip4_timeout = htonl (nat_reass_get_timeout(0));
- rmp->ip4_max_reass = htons (nat_reass_get_max_reass(0));
- rmp->ip4_max_frag = nat_reass_get_max_frag(0);
- rmp->ip4_drop_frag = nat_reass_is_drop_frag(0);
- rmp->ip6_timeout = htonl (nat_reass_get_timeout(1));
- rmp->ip6_max_reass = htons (nat_reass_get_max_reass(1));
- rmp->ip6_max_frag = nat_reass_get_max_frag(1);
- rmp->ip6_drop_frag = nat_reass_is_drop_frag(1);
- }))
- /* *INDENT-ON* */
-}
-
-static void *
-vl_api_nat_get_reass_t_print (vl_api_nat_get_reass_t * mp, void *handle)
-{
- u8 *s;
-
- s = format (0, "SCRIPT: nat_get_reass");
-
- FINISH;
-}
-
-typedef struct nat_api_walk_ctx_t_
-{
- vl_api_registration_t *reg;
- u32 context;
-} nat_api_walk_ctx_t;
-
-static int
-nat_ip4_reass_walk_api (nat_reass_ip4_t * reass, void *arg)
-{
- vl_api_nat_reass_details_t *rmp;
- snat_main_t *sm = &snat_main;
- nat_api_walk_ctx_t *ctx = arg;
- ip46_address_t ip_address;
-
- rmp = vl_msg_api_alloc (sizeof (*rmp));
- clib_memset (rmp, 0, sizeof (*rmp));
- rmp->_vl_msg_id = ntohs (VL_API_NAT_REASS_DETAILS + sm->msg_id_base);
- rmp->context = ctx->context;
-
- clib_memcpy (&ip_address.ip4, &reass->key.src, 4);
- ip_address_encode (&ip_address, IP46_TYPE_IP4, &rmp->src_addr);
-
- clib_memcpy (&ip_address.ip4, &reass->key.dst, 4);
- ip_address_encode (&ip_address, IP46_TYPE_IP4, &rmp->dst_addr);
-
- rmp->proto = reass->key.proto;
- rmp->frag_id = ntohl (reass->key.frag_id);
- rmp->frag_n = reass->frag_n;
-
- vl_api_send_msg (ctx->reg, (u8 *) rmp);
-
- return 0;
-}
-
-static int
-nat_ip6_reass_walk_api (nat_reass_ip6_t * reass, void *arg)
-{
- vl_api_nat_reass_details_t *rmp;
- snat_main_t *sm = &snat_main;
- nat_api_walk_ctx_t *ctx = arg;
- ip46_address_t ip_address;
-
- rmp = vl_msg_api_alloc (sizeof (*rmp));
- clib_memset (rmp, 0, sizeof (*rmp));
- rmp->_vl_msg_id = ntohs (VL_API_NAT_REASS_DETAILS + sm->msg_id_base);
- rmp->context = ctx->context;
-
- clib_memcpy (&ip_address.ip6, &reass->key.src, 16);
- ip_address_encode (&ip_address, IP46_TYPE_IP6, &rmp->src_addr);
-
- clib_memcpy (&ip_address.ip6, &reass->key.dst, 16);
- ip_address_encode (&ip_address, IP46_TYPE_IP6, &rmp->dst_addr);
-
- rmp->proto = reass->key.proto;
- rmp->frag_id = ntohl (reass->key.frag_id);
- rmp->frag_n = reass->frag_n;
-
- vl_api_send_msg (ctx->reg, (u8 *) rmp);
-
- return 0;
-}
-
-static void
-vl_api_nat_reass_dump_t_handler (vl_api_nat_reass_dump_t * mp)
-{
- vl_api_registration_t *reg;
-
- reg = vl_api_client_index_to_registration (mp->client_index);
- if (!reg)
- return;
-
- nat_api_walk_ctx_t ctx = {
- .reg = reg,
- .context = mp->context,
- };
-
- nat_ip4_reass_walk (nat_ip4_reass_walk_api, &ctx);
- nat_ip6_reass_walk (nat_ip6_reass_walk_api, &ctx);
-}
-
-static void *
-vl_api_nat_reass_dump_t_print (vl_api_nat_reass_dump_t * mp, void *handle)
-{
- u8 *s;
-
- s = format (0, "SCRIPT: nat_reass_dump");
-
- FINISH;
-}
-
-static void
vl_api_nat_set_timeouts_t_handler (vl_api_nat_set_timeouts_t * mp)
{
snat_main_t *sm = &snat_main;
@@ -3471,9 +3320,6 @@ _(NAT_SET_WORKERS, nat_set_workers) \
_(NAT_WORKER_DUMP, nat_worker_dump) \
_(NAT_SET_LOG_LEVEL, nat_set_log_level) \
_(NAT_IPFIX_ENABLE_DISABLE, nat_ipfix_enable_disable) \
-_(NAT_SET_REASS, nat_set_reass) \
-_(NAT_GET_REASS, nat_get_reass) \
-_(NAT_REASS_DUMP, nat_reass_dump) \
_(NAT_SET_TIMEOUTS, nat_set_timeouts) \
_(NAT_GET_TIMEOUTS, nat_get_timeouts) \
_(NAT_SET_ADDR_AND_PORT_ALLOC_ALG, nat_set_addr_and_port_alloc_alg) \
diff --git a/src/plugins/nat/nat_det_in2out.c b/src/plugins/nat/nat_det_in2out.c
index 832a2bae947..384a1eb54b9 100644
--- a/src/plugins/nat/nat_det_in2out.c
+++ b/src/plugins/nat/nat_det_in2out.c
@@ -121,14 +121,16 @@ icmp_match_in2out_det (snat_main_t * sm, vlib_node_runtime_t * node,
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
- if (!icmp_is_error_message (icmp0))
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
{
protocol = SNAT_PROTOCOL_ICMP;
in_addr = ip0->src_address;
- in_port = echo0->identifier;
+ in_port = vnet_buffer (b0)->ip.reass.l4_src_port;
}
else
{
+ /* if error message, then it's not fragmented and we can access it */
inner_ip0 = (ip4_header_t *) (echo0 + 1);
l4_header = ip4_next_header (inner_ip0);
protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
@@ -213,8 +215,10 @@ icmp_match_in2out_det (snat_main_t * sm, vlib_node_runtime_t * node,
}
}
- if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request &&
- !icmp_is_error_message (icmp0)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_request
+ && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b0->error = node->errors[NAT_DET_IN2OUT_ERROR_BAD_ICMP_TYPE];
next0 = NAT_DET_IN2OUT_NEXT_DROP;
diff --git a/src/plugins/nat/nat_det_out2in.c b/src/plugins/nat/nat_det_out2in.c
index c4bd096deb1..74210e17860 100644
--- a/src/plugins/nat/nat_det_out2in.c
+++ b/src/plugins/nat/nat_det_out2in.c
@@ -117,16 +117,18 @@ icmp_match_out2in_det (snat_main_t * sm, vlib_node_runtime_t * node,
echo0 = (icmp_echo_header_t *) (icmp0 + 1);
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- if (!icmp_is_error_message (icmp0))
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags))
{
protocol = SNAT_PROTOCOL_ICMP;
key0.ext_host_addr = ip0->src_address;
key0.ext_host_port = 0;
- key0.out_port = echo0->identifier;
+ key0.out_port = vnet_buffer (b0)->ip.reass.l4_src_port;
out_addr = ip0->dst_address;
}
else
{
+ /* if error message, then it's not fragmented and we can access it */
inner_ip0 = (ip4_header_t *) (echo0 + 1);
l4_header = ip4_next_header (inner_ip0);
protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
@@ -191,8 +193,10 @@ icmp_match_out2in_det (snat_main_t * sm, vlib_node_runtime_t * node,
goto out;
}
- if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply &&
- !icmp_is_error_message (icmp0)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_reply
+ && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b0->error = node->errors[NAT_DET_OUT2IN_ERROR_BAD_ICMP_TYPE];
next0 = NAT_DET_OUT2IN_NEXT_DROP;
diff --git a/src/plugins/nat/nat_format.c b/src/plugins/nat/nat_format.c
index 7dcdff6c769..17f64b9b222 100644
--- a/src/plugins/nat/nat_format.c
+++ b/src/plugins/nat/nat_format.c
@@ -333,20 +333,6 @@ format_det_map_ses (u8 * s, va_list * args)
return s;
}
-u8 *
-format_nat44_reass_trace (u8 * s, va_list * args)
-{
- CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
- CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
- nat44_reass_trace_t *t = va_arg (*args, nat44_reass_trace_t *);
-
- s = format (s, "NAT44_REASS: sw_if_index %d, next index %d, status %s",
- t->sw_if_index, t->next_index,
- t->cached ? "cached" : "translated");
-
- return s;
-}
-
/*
* fd.io coding-style-patch-verification: ON
*
diff --git a/src/plugins/nat/nat_inlines.h b/src/plugins/nat/nat_inlines.h
index 2f68ed4a700..a58317acdf3 100644
--- a/src/plugins/nat/nat_inlines.h
+++ b/src/plugins/nat/nat_inlines.h
@@ -171,9 +171,9 @@ snat_proto_to_ip_proto (snat_protocol_t snat_proto)
}
static_always_inline u8
-icmp_is_error_message (icmp46_header_t * icmp)
+icmp_type_is_error_message (u8 icmp_type)
{
- switch (icmp->type)
+ switch (icmp_type)
{
case ICMP4_destination_unreachable:
case ICMP4_time_exceeded:
@@ -323,25 +323,28 @@ nat44_delete_session (snat_main_t * sm, snat_session_t * ses,
*/
always_inline int
nat44_set_tcp_session_state_i2o (snat_main_t * sm, snat_session_t * ses,
- tcp_header_t * tcp, u32 thread_index)
+ vlib_buffer_t * b, u32 thread_index)
{
- if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST))
+ u8 tcp_flags = vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags;
+ u32 tcp_ack_number = vnet_buffer (b)->ip.reass.tcp_ack_number;
+ u32 tcp_seq_number = vnet_buffer (b)->ip.reass.tcp_seq_number;
+ if ((ses->state == 0) && (tcp_flags & TCP_FLAG_RST))
ses->state = NAT44_SES_RST;
- if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST))
+ if ((ses->state == NAT44_SES_RST) && !(tcp_flags & TCP_FLAG_RST))
ses->state = 0;
- if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
+ if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
(ses->state & NAT44_SES_O2I_SYN))
ses->state = 0;
- if (tcp->flags & TCP_FLAG_SYN)
+ if (tcp_flags & TCP_FLAG_SYN)
ses->state |= NAT44_SES_I2O_SYN;
- if (tcp->flags & TCP_FLAG_FIN)
+ if (tcp_flags & TCP_FLAG_FIN)
{
- ses->i2o_fin_seq = clib_net_to_host_u32 (tcp->seq_number);
+ ses->i2o_fin_seq = clib_net_to_host_u32 (tcp_seq_number);
ses->state |= NAT44_SES_I2O_FIN;
}
- if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_O2I_FIN))
+ if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_O2I_FIN))
{
- if (clib_net_to_host_u32 (tcp->ack_number) > ses->o2i_fin_seq)
+ if (clib_net_to_host_u32 (tcp_ack_number) > ses->o2i_fin_seq)
ses->state |= NAT44_SES_O2I_FIN_ACK;
}
if (nat44_is_ses_closed (ses)
@@ -356,25 +359,26 @@ nat44_set_tcp_session_state_i2o (snat_main_t * sm, snat_session_t * ses,
always_inline int
nat44_set_tcp_session_state_o2i (snat_main_t * sm, snat_session_t * ses,
- tcp_header_t * tcp, u32 thread_index)
+ u8 tcp_flags, u32 tcp_ack_number,
+ u32 tcp_seq_number, u32 thread_index)
{
- if ((ses->state == 0) && (tcp->flags & TCP_FLAG_RST))
+ if ((ses->state == 0) && (tcp_flags & TCP_FLAG_RST))
ses->state = NAT44_SES_RST;
- if ((ses->state == NAT44_SES_RST) && !(tcp->flags & TCP_FLAG_RST))
+ if ((ses->state == NAT44_SES_RST) && !(tcp_flags & TCP_FLAG_RST))
ses->state = 0;
- if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
+ if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_SYN) &&
(ses->state & NAT44_SES_O2I_SYN))
ses->state = 0;
- if (tcp->flags & TCP_FLAG_SYN)
+ if (tcp_flags & TCP_FLAG_SYN)
ses->state |= NAT44_SES_O2I_SYN;
- if (tcp->flags & TCP_FLAG_FIN)
+ if (tcp_flags & TCP_FLAG_FIN)
{
- ses->o2i_fin_seq = clib_net_to_host_u32 (tcp->seq_number);
+ ses->o2i_fin_seq = clib_net_to_host_u32 (tcp_seq_number);
ses->state |= NAT44_SES_O2I_FIN;
}
- if ((tcp->flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_FIN))
+ if ((tcp_flags & TCP_FLAG_ACK) && (ses->state & NAT44_SES_I2O_FIN))
{
- if (clib_net_to_host_u32 (tcp->ack_number) > ses->i2o_fin_seq)
+ if (clib_net_to_host_u32 (tcp_ack_number) > ses->i2o_fin_seq)
ses->state |= NAT44_SES_I2O_FIN_ACK;
}
if (nat44_is_ses_closed (ses))
@@ -466,7 +470,8 @@ make_sm_kv (clib_bihash_kv_8_8_t * kv, ip4_address_t * addr, u8 proto,
}
static_always_inline int
-get_icmp_i2o_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
+get_icmp_i2o_ed_key (vlib_buffer_t * b, ip4_header_t * ip0,
+ nat_ed_ses_key_t * p_key0)
{
icmp46_header_t *icmp0;
nat_ed_ses_key_t key0;
@@ -478,12 +483,13 @@ get_icmp_i2o_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
echo0 = (icmp_echo_header_t *) (icmp0 + 1);
- if (!icmp_is_error_message (icmp0))
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
{
key0.proto = IP_PROTOCOL_ICMP;
key0.l_addr = ip0->src_address;
key0.r_addr = ip0->dst_address;
- key0.l_port = echo0->identifier;
+ key0.l_port = vnet_buffer (b)->ip.reass.l4_src_port; // TODO should this be src or dst?
key0.r_port = 0;
}
else
@@ -516,7 +522,8 @@ get_icmp_i2o_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
static_always_inline int
-get_icmp_o2i_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
+get_icmp_o2i_ed_key (vlib_buffer_t * b, ip4_header_t * ip0,
+ nat_ed_ses_key_t * p_key0)
{
icmp46_header_t *icmp0;
nat_ed_ses_key_t key0;
@@ -528,12 +535,13 @@ get_icmp_o2i_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
echo0 = (icmp_echo_header_t *) (icmp0 + 1);
- if (!icmp_is_error_message (icmp0))
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
{
key0.proto = IP_PROTOCOL_ICMP;
key0.l_addr = ip0->dst_address;
key0.r_addr = ip0->src_address;
- key0.l_port = echo0->identifier;
+ key0.l_port = vnet_buffer (b)->ip.reass.l4_src_port; // TODO should this be src or dst?
key0.r_port = 0;
}
else
diff --git a/src/plugins/nat/nat_reass.c b/src/plugins/nat/nat_reass.c
deleted file mode 100755
index b518c0cb916..00000000000
--- a/src/plugins/nat/nat_reass.c
+++ /dev/null
@@ -1,893 +0,0 @@
-/*
- * Copyright (c) 2017 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- * @file
- * @brief NAT plugin virtual fragmentation reassembly
- */
-
-#include <vnet/vnet.h>
-#include <nat/nat_reass.h>
-#include <nat/nat_ipfix_logging.h>
-
-nat_reass_main_t nat_reass_main;
-
-static u32
-nat_reass_get_nbuckets (u8 is_ip6)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- u32 nbuckets;
- u8 i;
-
- if (is_ip6)
- nbuckets = (u32) (srm->ip6_max_reass / NAT_REASS_HT_LOAD_FACTOR);
- else
- nbuckets = (u32) (srm->ip4_max_reass / NAT_REASS_HT_LOAD_FACTOR);
-
- for (i = 0; i < 31; i++)
- if ((1 << i) >= nbuckets)
- break;
- nbuckets = 1 << i;
-
- return nbuckets;
-}
-
-static_always_inline void
-nat_ip4_reass_get_frags_inline (nat_reass_ip4_t * reass, u32 ** bi)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- u32 elt_index;
- dlist_elt_t *elt;
-
- while ((elt_index =
- clib_dlist_remove_head (srm->ip4_frags_list_pool,
- reass->frags_per_reass_list_head_index)) !=
- ~0)
- {
- elt = pool_elt_at_index (srm->ip4_frags_list_pool, elt_index);
- vec_add1 (*bi, elt->value);
- reass->frag_n--;
- pool_put_index (srm->ip4_frags_list_pool, elt_index);
- }
-}
-
-static_always_inline void
-nat_ip6_reass_get_frags_inline (nat_reass_ip6_t * reass, u32 ** bi)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- u32 elt_index;
- dlist_elt_t *elt;
-
- while ((elt_index =
- clib_dlist_remove_head (srm->ip6_frags_list_pool,
- reass->frags_per_reass_list_head_index)) !=
- ~0)
- {
- elt = pool_elt_at_index (srm->ip6_frags_list_pool, elt_index);
- vec_add1 (*bi, elt->value);
- reass->frag_n--;
- pool_put_index (srm->ip6_frags_list_pool, elt_index);
- }
-}
-
-int
-nat_reass_set (u32 timeout, u16 max_reass, u8 max_frag, u8 drop_frag,
- u8 is_ip6)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- u32 nbuckets;
-
- if (is_ip6)
- {
- if (srm->ip6_max_reass != max_reass)
- {
- clib_spinlock_lock_if_init (&srm->ip6_reass_lock);
-
- srm->ip6_max_reass = max_reass;
- pool_free (srm->ip6_reass_pool);
- pool_alloc (srm->ip6_reass_pool, srm->ip4_max_reass);
- nbuckets = nat_reass_get_nbuckets (0);
- clib_bihash_free_48_8 (&srm->ip6_reass_hash);
- clib_bihash_init_48_8 (&srm->ip6_reass_hash, "nat-ip6-reass",
- nbuckets, nbuckets * 1024);
-
- clib_spinlock_unlock_if_init (&srm->ip6_reass_lock);
- }
- srm->ip6_timeout = timeout;
- srm->ip6_max_frag = max_frag;
- srm->ip6_drop_frag = drop_frag;
- }
- else
- {
- if (srm->ip4_max_reass != max_reass)
- {
- clib_spinlock_lock_if_init (&srm->ip4_reass_lock);
-
- srm->ip4_max_reass = max_reass;
- pool_free (srm->ip4_reass_pool);
- pool_alloc (srm->ip4_reass_pool, srm->ip4_max_reass);
- nbuckets = nat_reass_get_nbuckets (0);
- clib_bihash_free_16_8 (&srm->ip4_reass_hash);
- clib_bihash_init_16_8 (&srm->ip4_reass_hash, "nat-ip4-reass",
- nbuckets, nbuckets * 1024);
- clib_spinlock_unlock_if_init (&srm->ip4_reass_lock);
- }
- srm->ip4_timeout = timeout;
- srm->ip4_max_frag = max_frag;
- srm->ip4_drop_frag = drop_frag;
- }
-
- return 0;
-}
-
-u32
-nat_reass_get_timeout (u8 is_ip6)
-{
- nat_reass_main_t *srm = &nat_reass_main;
-
- if (is_ip6)
- return srm->ip6_timeout;
-
- return srm->ip4_timeout;
-}
-
-u16
-nat_reass_get_max_reass (u8 is_ip6)
-{
- nat_reass_main_t *srm = &nat_reass_main;
-
- if (is_ip6)
- return srm->ip6_max_reass;
-
- return srm->ip4_max_reass;
-}
-
-u8
-nat_reass_get_max_frag (u8 is_ip6)
-{
- nat_reass_main_t *srm = &nat_reass_main;
-
- if (is_ip6)
- return srm->ip6_max_frag;
-
- return srm->ip4_max_frag;
-}
-
-u8
-nat_reass_is_drop_frag (u8 is_ip6)
-{
- nat_reass_main_t *srm = &nat_reass_main;
-
- if (is_ip6)
- return srm->ip6_drop_frag;
-
- return srm->ip4_drop_frag;
-}
-
-static_always_inline nat_reass_ip4_t *
-nat_ip4_reass_lookup (nat_reass_ip4_key_t * k, f64 now)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- clib_bihash_kv_16_8_t kv, value;
- nat_reass_ip4_t *reass;
-
- kv.key[0] = k->as_u64[0];
- kv.key[1] = k->as_u64[1];
-
- if (clib_bihash_search_16_8 (&srm->ip4_reass_hash, &kv, &value))
- return 0;
-
- reass = pool_elt_at_index (srm->ip4_reass_pool, value.value);
- if (now < reass->last_heard + (f64) srm->ip4_timeout)
- return reass;
-
- return 0;
-}
-
-nat_reass_ip4_t *
-nat_ip4_reass_find (ip4_address_t src, ip4_address_t dst, u16 frag_id,
- u8 proto)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- nat_reass_ip4_t *reass = 0;
- nat_reass_ip4_key_t k;
- f64 now = vlib_time_now (srm->vlib_main);
-
- k.src.as_u32 = src.as_u32;
- k.dst.as_u32 = dst.as_u32;
- k.frag_id = frag_id;
- k.proto = proto;
-
- clib_spinlock_lock_if_init (&srm->ip4_reass_lock);
- reass = nat_ip4_reass_lookup (&k, now);
- clib_spinlock_unlock_if_init (&srm->ip4_reass_lock);
-
- return reass;
-}
-
-nat_reass_ip4_t *
-nat_ip4_reass_create (ip4_address_t src, ip4_address_t dst, u16 frag_id,
- u8 proto)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- nat_reass_ip4_t *reass = 0;
- dlist_elt_t *elt, *per_reass_list_head_elt;
- u32 elt_index;
- f64 now = vlib_time_now (srm->vlib_main);
- nat_reass_ip4_key_t k;
- clib_bihash_kv_16_8_t kv;
-
- clib_spinlock_lock_if_init (&srm->ip4_reass_lock);
-
- if (srm->ip4_reass_n >= srm->ip4_max_reass)
- {
- nat_elog_warn ("no free resassembly slot");
- goto unlock;
- }
-
- pool_get (srm->ip4_reass_pool, reass);
- pool_get (srm->ip4_reass_lru_list_pool, elt);
- reass->lru_list_index = elt_index = elt - srm->ip4_reass_lru_list_pool;
- clib_dlist_init (srm->ip4_reass_lru_list_pool, elt_index);
- elt->value = reass - srm->ip4_reass_pool;
- clib_dlist_addtail (srm->ip4_reass_lru_list_pool,
- srm->ip4_reass_head_index, elt_index);
- pool_get (srm->ip4_frags_list_pool, per_reass_list_head_elt);
- reass->frags_per_reass_list_head_index =
- per_reass_list_head_elt - srm->ip4_frags_list_pool;
- clib_dlist_init (srm->ip4_frags_list_pool,
- reass->frags_per_reass_list_head_index);
- srm->ip4_reass_n++;
- k.src.as_u32 = src.as_u32;
- k.dst.as_u32 = dst.as_u32;
- k.frag_id = frag_id;
- k.proto = proto;
- reass->key.as_u64[0] = kv.key[0] = k.as_u64[0];
- reass->key.as_u64[1] = kv.key[1] = k.as_u64[1];
- kv.value = reass - srm->ip4_reass_pool;
- reass->sess_index = (u32) ~ 0;
- reass->thread_index = (u32) ~ 0;
- reass->last_heard = now;
- reass->frag_n = 0;
- reass->flags = 0;
- reass->classify_next = NAT_REASS_IP4_CLASSIFY_NONE;
- if (clib_bihash_add_del_16_8 (&srm->ip4_reass_hash, &kv, 1))
- nat_elog_warn ("ip4_reass_hash add key failed");
-
-unlock:
- clib_spinlock_unlock_if_init (&srm->ip4_reass_lock);
- return reass;
-}
-
-nat_reass_ip4_t *
-nat_ip4_reass_find_or_create (ip4_address_t src, ip4_address_t dst,
- u16 frag_id, u8 proto, u8 reset_timeout,
- u32 ** bi_to_drop)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- nat_reass_ip4_t *reass = 0;
- nat_reass_ip4_key_t k;
- f64 now = vlib_time_now (srm->vlib_main);
- dlist_elt_t *oldest_elt, *elt;
- dlist_elt_t *per_reass_list_head_elt;
- u32 oldest_index, elt_index;
- clib_bihash_kv_16_8_t kv, value;
-
- k.src.as_u32 = src.as_u32;
- k.dst.as_u32 = dst.as_u32;
- k.frag_id = frag_id;
- k.proto = proto;
-
- clib_spinlock_lock_if_init (&srm->ip4_reass_lock);
-
- reass = nat_ip4_reass_lookup (&k, now);
- if (reass)
- {
- if (reset_timeout)
- {
- reass->last_heard = now;
- clib_dlist_remove (srm->ip4_reass_lru_list_pool,
- reass->lru_list_index);
- clib_dlist_addtail (srm->ip4_reass_lru_list_pool,
- srm->ip4_reass_head_index,
- reass->lru_list_index);
- }
-
- if (reass->flags & NAT_REASS_FLAG_MAX_FRAG_DROP)
- {
- reass = 0;
- goto unlock;
- }
-
- goto unlock;
- }
-
- if (srm->ip4_reass_n >= srm->ip4_max_reass)
- {
- oldest_index =
- clib_dlist_remove_head (srm->ip4_reass_lru_list_pool,
- srm->ip4_reass_head_index);
- ASSERT (oldest_index != ~0);
- oldest_elt =
- pool_elt_at_index (srm->ip4_reass_lru_list_pool, oldest_index);
- reass = pool_elt_at_index (srm->ip4_reass_pool, oldest_elt->value);
- if (now < reass->last_heard + (f64) srm->ip4_timeout)
- {
- clib_dlist_addhead (srm->ip4_reass_lru_list_pool,
- srm->ip4_reass_head_index, oldest_index);
- nat_elog_warn ("no free resassembly slot");
- reass = 0;
- goto unlock;
- }
-
- clib_dlist_addtail (srm->ip4_reass_lru_list_pool,
- srm->ip4_reass_head_index, oldest_index);
-
- kv.key[0] = reass->key.as_u64[0];
- kv.key[1] = reass->key.as_u64[1];
- if (!clib_bihash_search_16_8 (&srm->ip4_reass_hash, &kv, &value))
- {
- if (value.value == (reass - srm->ip4_reass_pool))
- {
- if (clib_bihash_add_del_16_8 (&srm->ip4_reass_hash, &kv, 0))
- {
- reass = 0;
- goto unlock;
- }
- }
- }
-
- nat_ip4_reass_get_frags_inline (reass, bi_to_drop);
- }
- else
- {
- pool_get (srm->ip4_reass_pool, reass);
- pool_get (srm->ip4_reass_lru_list_pool, elt);
- reass->lru_list_index = elt_index = elt - srm->ip4_reass_lru_list_pool;
- clib_dlist_init (srm->ip4_reass_lru_list_pool, elt_index);
- elt->value = reass - srm->ip4_reass_pool;
- clib_dlist_addtail (srm->ip4_reass_lru_list_pool,
- srm->ip4_reass_head_index, elt_index);
- pool_get (srm->ip4_frags_list_pool, per_reass_list_head_elt);
- reass->frags_per_reass_list_head_index =
- per_reass_list_head_elt - srm->ip4_frags_list_pool;
- clib_dlist_init (srm->ip4_frags_list_pool,
- reass->frags_per_reass_list_head_index);
- srm->ip4_reass_n++;
- }
-
- reass->key.as_u64[0] = kv.key[0] = k.as_u64[0];
- reass->key.as_u64[1] = kv.key[1] = k.as_u64[1];
- kv.value = reass - srm->ip4_reass_pool;
- reass->sess_index = (u32) ~ 0;
- reass->thread_index = (u32) ~ 0;
- reass->last_heard = now;
- reass->frag_n = 0;
- reass->flags = 0;
- reass->classify_next = NAT_REASS_IP4_CLASSIFY_NONE;
-
- if (clib_bihash_add_del_16_8 (&srm->ip4_reass_hash, &kv, 1))
- {
- reass = 0;
- goto unlock;
- }
-
-unlock:
- clib_spinlock_unlock_if_init (&srm->ip4_reass_lock);
- return reass;
-}
-
-int
-nat_ip4_reass_add_fragment (u32 thread_index, nat_reass_ip4_t * reass,
- u32 bi, u32 ** bi_to_drop)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- dlist_elt_t *elt;
- u32 elt_index;
-
- if (reass->frag_n >= srm->ip4_max_frag)
- {
- nat_ipfix_logging_max_fragments_ip4 (thread_index, srm->ip4_max_frag,
- &reass->key.src);
- reass->flags |= NAT_REASS_FLAG_MAX_FRAG_DROP;
- nat_ip4_reass_get_frags_inline (reass, bi_to_drop);
- return -1;
- }
-
- clib_spinlock_lock_if_init (&srm->ip4_reass_lock);
-
- pool_get (srm->ip4_frags_list_pool, elt);
- elt_index = elt - srm->ip4_frags_list_pool;
- clib_dlist_init (srm->ip4_frags_list_pool, elt_index);
- elt->value = bi;
- clib_dlist_addtail (srm->ip4_frags_list_pool,
- reass->frags_per_reass_list_head_index, elt_index);
- reass->frag_n++;
-
- clib_spinlock_unlock_if_init (&srm->ip4_reass_lock);
-
- return 0;
-}
-
-void
-nat_ip4_reass_get_frags (nat_reass_ip4_t * reass, u32 ** bi)
-{
- nat_reass_main_t *srm = &nat_reass_main;
-
- clib_spinlock_lock_if_init (&srm->ip4_reass_lock);
-
- nat_ip4_reass_get_frags_inline (reass, bi);
-
- clib_spinlock_unlock_if_init (&srm->ip4_reass_lock);
-}
-
-void
-nat_ip4_reass_walk (nat_ip4_reass_walk_fn_t fn, void *ctx)
-{
- nat_reass_ip4_t *reass;
- nat_reass_main_t *srm = &nat_reass_main;
- f64 now = vlib_time_now (srm->vlib_main);
-
- /* *INDENT-OFF* */
- pool_foreach (reass, srm->ip4_reass_pool,
- ({
- if (now < reass->last_heard + (f64) srm->ip4_timeout)
- {
- if (fn (reass, ctx))
- return;
- }
- }));
- /* *INDENT-ON* */
-}
-
-static_always_inline nat_reass_ip6_t *
-nat_ip6_reass_lookup (nat_reass_ip6_key_t * k, f64 now)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- clib_bihash_kv_48_8_t kv, value;
- nat_reass_ip6_t *reass;
-
- k->unused = 0;
- kv.key[0] = k->as_u64[0];
- kv.key[1] = k->as_u64[1];
- kv.key[2] = k->as_u64[2];
- kv.key[3] = k->as_u64[3];
- kv.key[4] = k->as_u64[4];
- kv.key[5] = k->as_u64[5];
-
- if (clib_bihash_search_48_8 (&srm->ip6_reass_hash, &kv, &value))
- return 0;
-
- reass = pool_elt_at_index (srm->ip6_reass_pool, value.value);
- if (now < reass->last_heard + (f64) srm->ip6_timeout)
- return reass;
-
- return 0;
-}
-
-nat_reass_ip6_t *
-nat_ip6_reass_find_or_create (ip6_address_t src, ip6_address_t dst,
- u32 frag_id, u8 proto, u8 reset_timeout,
- u32 ** bi_to_drop)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- nat_reass_ip6_t *reass = 0;
- nat_reass_ip6_key_t k;
- f64 now = vlib_time_now (srm->vlib_main);
- dlist_elt_t *oldest_elt, *elt;
- dlist_elt_t *per_reass_list_head_elt;
- u32 oldest_index, elt_index;
- clib_bihash_kv_48_8_t kv;
-
- k.src.as_u64[0] = src.as_u64[0];
- k.src.as_u64[1] = src.as_u64[1];
- k.dst.as_u64[0] = dst.as_u64[0];
- k.dst.as_u64[1] = dst.as_u64[1];
- k.frag_id = frag_id;
- k.proto = proto;
- k.unused = 0;
-
- clib_spinlock_lock_if_init (&srm->ip6_reass_lock);
-
- reass = nat_ip6_reass_lookup (&k, now);
- if (reass)
- {
- if (reset_timeout)
- {
- reass->last_heard = now;
- clib_dlist_remove (srm->ip6_reass_lru_list_pool,
- reass->lru_list_index);
- clib_dlist_addtail (srm->ip6_reass_lru_list_pool,
- srm->ip6_reass_head_index,
- reass->lru_list_index);
- }
-
- if (reass->flags & NAT_REASS_FLAG_MAX_FRAG_DROP)
- {
- reass = 0;
- goto unlock;
- }
-
- goto unlock;
- }
-
- if (srm->ip6_reass_n >= srm->ip6_max_reass)
- {
- oldest_index =
- clib_dlist_remove_head (srm->ip6_reass_lru_list_pool,
- srm->ip6_reass_head_index);
- ASSERT (oldest_index != ~0);
- oldest_elt =
- pool_elt_at_index (srm->ip4_reass_lru_list_pool, oldest_index);
- reass = pool_elt_at_index (srm->ip6_reass_pool, oldest_elt->value);
- if (now < reass->last_heard + (f64) srm->ip6_timeout)
- {
- clib_dlist_addhead (srm->ip6_reass_lru_list_pool,
- srm->ip6_reass_head_index, oldest_index);
- nat_elog_warn ("no free resassembly slot");
- reass = 0;
- goto unlock;
- }
-
- clib_dlist_addtail (srm->ip6_reass_lru_list_pool,
- srm->ip6_reass_head_index, oldest_index);
-
- kv.key[0] = k.as_u64[0];
- kv.key[1] = k.as_u64[1];
- kv.key[2] = k.as_u64[2];
- kv.key[3] = k.as_u64[3];
- kv.key[4] = k.as_u64[4];
- kv.key[5] = k.as_u64[5];
- if (clib_bihash_add_del_48_8 (&srm->ip6_reass_hash, &kv, 0))
- {
- reass = 0;
- goto unlock;
- }
-
- nat_ip6_reass_get_frags_inline (reass, bi_to_drop);
- }
- else
- {
- pool_get (srm->ip6_reass_pool, reass);
- pool_get (srm->ip6_reass_lru_list_pool, elt);
- reass->lru_list_index = elt_index = elt - srm->ip6_reass_lru_list_pool;
- clib_dlist_init (srm->ip6_reass_lru_list_pool, elt_index);
- elt->value = reass - srm->ip6_reass_pool;
- clib_dlist_addtail (srm->ip6_reass_lru_list_pool,
- srm->ip6_reass_head_index, elt_index);
- pool_get (srm->ip6_frags_list_pool, per_reass_list_head_elt);
- reass->frags_per_reass_list_head_index =
- per_reass_list_head_elt - srm->ip6_frags_list_pool;
- clib_dlist_init (srm->ip6_frags_list_pool,
- reass->frags_per_reass_list_head_index);
- srm->ip6_reass_n++;
- }
-
- reass->key.as_u64[0] = kv.key[0] = k.as_u64[0];
- reass->key.as_u64[1] = kv.key[1] = k.as_u64[1];
- reass->key.as_u64[2] = kv.key[2] = k.as_u64[2];
- reass->key.as_u64[3] = kv.key[3] = k.as_u64[3];
- reass->key.as_u64[4] = kv.key[4] = k.as_u64[4];
- reass->key.as_u64[5] = kv.key[5] = k.as_u64[5];
- kv.value = reass - srm->ip6_reass_pool;
- reass->sess_index = (u32) ~ 0;
- reass->last_heard = now;
-
- if (clib_bihash_add_del_48_8 (&srm->ip6_reass_hash, &kv, 1))
- {
- reass = 0;
- goto unlock;
- }
-
-unlock:
- clib_spinlock_unlock_if_init (&srm->ip6_reass_lock);
- return reass;
-}
-
-int
-nat_ip6_reass_add_fragment (u32 thread_index, nat_reass_ip6_t * reass,
- u32 bi, u32 ** bi_to_drop)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- dlist_elt_t *elt;
- u32 elt_index;
-
- if (reass->frag_n >= srm->ip6_max_frag)
- {
- nat_ipfix_logging_max_fragments_ip6 (thread_index, srm->ip6_max_frag,
- &reass->key.src);
- reass->flags |= NAT_REASS_FLAG_MAX_FRAG_DROP;
- nat_ip6_reass_get_frags_inline (reass, bi_to_drop);
- return -1;
- }
-
- clib_spinlock_lock_if_init (&srm->ip6_reass_lock);
-
- pool_get (srm->ip6_frags_list_pool, elt);
- elt_index = elt - srm->ip6_frags_list_pool;
- clib_dlist_init (srm->ip6_frags_list_pool, elt_index);
- elt->value = bi;
- clib_dlist_addtail (srm->ip6_frags_list_pool,
- reass->frags_per_reass_list_head_index, elt_index);
- reass->frag_n++;
-
- clib_spinlock_unlock_if_init (&srm->ip6_reass_lock);
-
- return 0;
-}
-
-void
-nat_ip6_reass_get_frags (nat_reass_ip6_t * reass, u32 ** bi)
-{
- nat_reass_main_t *srm = &nat_reass_main;
-
- clib_spinlock_lock_if_init (&srm->ip6_reass_lock);
-
- nat_ip6_reass_get_frags_inline (reass, bi);
-
- clib_spinlock_unlock_if_init (&srm->ip6_reass_lock);
-}
-
-void
-nat_ip6_reass_walk (nat_ip6_reass_walk_fn_t fn, void *ctx)
-{
- nat_reass_ip6_t *reass;
- nat_reass_main_t *srm = &nat_reass_main;
- f64 now = vlib_time_now (srm->vlib_main);
-
- /* *INDENT-OFF* */
- pool_foreach (reass, srm->ip6_reass_pool,
- ({
- if (now < reass->last_heard + (f64) srm->ip4_timeout)
- {
- if (fn (reass, ctx))
- return;
- }
- }));
- /* *INDENT-ON* */
-}
-
-clib_error_t *
-nat_reass_init (vlib_main_t * vm)
-{
- nat_reass_main_t *srm = &nat_reass_main;
- vlib_thread_main_t *tm = vlib_get_thread_main ();
- clib_error_t *error = 0;
- dlist_elt_t *head;
- u32 nbuckets, head_index;
-
- srm->vlib_main = vm;
- srm->vnet_main = vnet_get_main ();
-
- /* IPv4 */
- srm->ip4_timeout = NAT_REASS_TIMEOUT_DEFAULT;
- srm->ip4_max_reass = NAT_MAX_REASS_DEAFULT;
- srm->ip4_max_frag = NAT_MAX_FRAG_DEFAULT;
- srm->ip4_drop_frag = 0;
- srm->ip4_reass_n = 0;
-
- if (tm->n_vlib_mains > 1)
- clib_spinlock_init (&srm->ip4_reass_lock);
-
- pool_alloc (srm->ip4_reass_pool, srm->ip4_max_reass);
-
- nbuckets = nat_reass_get_nbuckets (0);
- clib_bihash_init_16_8 (&srm->ip4_reass_hash, "nat-ip4-reass", nbuckets,
- nbuckets * 1024);
-
- pool_get (srm->ip4_reass_lru_list_pool, head);
- srm->ip4_reass_head_index = head_index =
- head - srm->ip4_reass_lru_list_pool;
- clib_dlist_init (srm->ip4_reass_lru_list_pool, head_index);
-
- /* IPv6 */
- srm->ip6_timeout = NAT_REASS_TIMEOUT_DEFAULT;
- srm->ip6_max_reass = NAT_MAX_REASS_DEAFULT;
- srm->ip6_max_frag = NAT_MAX_FRAG_DEFAULT;
- srm->ip6_drop_frag = 0;
- srm->ip6_reass_n = 0;
-
- if (tm->n_vlib_mains > 1)
- clib_spinlock_init (&srm->ip6_reass_lock);
-
- pool_alloc (srm->ip6_reass_pool, srm->ip6_max_reass);
-
- nbuckets = nat_reass_get_nbuckets (1);
- clib_bihash_init_48_8 (&srm->ip6_reass_hash, "nat-ip6-reass", nbuckets,
- nbuckets * 1024);
-
- pool_get (srm->ip6_reass_lru_list_pool, head);
- srm->ip6_reass_head_index = head_index =
- head - srm->ip6_reass_lru_list_pool;
- clib_dlist_init (srm->ip6_reass_lru_list_pool, head_index);
-
- return error;
-}
-
-static clib_error_t *
-nat_reass_command_fn (vlib_main_t * vm, unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- clib_error_t *error = 0;
- unformat_input_t _line_input, *line_input = &_line_input;
- u32 timeout = 0, max_reass = 0, max_frag = 0;
- u8 drop_frag = (u8) ~ 0, is_ip6 = 0;
- int rv;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (line_input, "max-reassemblies %u", &max_reass))
- ;
- else if (unformat (line_input, "max-fragments %u", &max_frag))
- ;
- else if (unformat (line_input, "timeout %u", &timeout))
- ;
- else if (unformat (line_input, "enable"))
- drop_frag = 0;
- else if (unformat (line_input, "disable"))
- drop_frag = 1;
- else if (unformat (line_input, "ip4"))
- is_ip6 = 0;
- else if (unformat (line_input, "ip6"))
- is_ip6 = 1;
- else
- {
- error = clib_error_return (0, "unknown input '%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- if (!timeout)
- timeout = nat_reass_get_timeout (is_ip6);
- if (!max_reass)
- max_reass = nat_reass_get_max_reass (is_ip6);
- if (!max_frag)
- max_frag = nat_reass_get_max_frag (is_ip6);
- if (drop_frag == (u8) ~ 0)
- drop_frag = nat_reass_is_drop_frag (is_ip6);
-
- rv =
- nat_reass_set (timeout, (u16) max_reass, (u8) max_frag, drop_frag,
- is_ip6);
- if (rv)
- {
- error = clib_error_return (0, "nat_set_reass return %d", rv);
- goto done;
- }
-
-done:
- unformat_free (line_input);
-
- return error;
-}
-
-static int
-nat_ip4_reass_walk_cli (nat_reass_ip4_t * reass, void *ctx)
-{
- vlib_main_t *vm = ctx;
- u8 *flags_str = 0;
- const char *classify_next_str;
-
- if (reass->flags & NAT_REASS_FLAG_MAX_FRAG_DROP)
- flags_str = format (flags_str, "MAX_FRAG_DROP");
- if (reass->flags & NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE)
- {
- if (flags_str)
- flags_str = format (flags_str, " | ");
- flags_str = format (flags_str, "CLASSIFY_ED_CONTINUE");
- }
- if (reass->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
- {
- if (flags_str)
- flags_str = format (flags_str, " | ");
- flags_str = format (flags_str, "CLASSIFY_ED_DONT_TRANSLATE");
- }
- if (!flags_str)
- flags_str = format (flags_str, "0");
- flags_str = format (flags_str, "%c", 0);
-
- switch (reass->classify_next)
- {
- case NAT_REASS_IP4_CLASSIFY_NONE:
- classify_next_str = "NONE";
- break;
- case NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT:
- classify_next_str = "IN2OUT";
- break;
- case NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN:
- classify_next_str = "OUT2IN";
- break;
- default:
- classify_next_str = "invalid value";
- }
-
- vlib_cli_output (vm, " src %U dst %U proto %u id 0x%04x cached %u "
- "flags %s classify_next %s",
- format_ip4_address, &reass->key.src,
- format_ip4_address, &reass->key.dst,
- reass->key.proto,
- clib_net_to_host_u16 (reass->key.frag_id), reass->frag_n,
- flags_str, classify_next_str);
-
- vec_free (flags_str);
-
- return 0;
-}
-
-static int
-nat_ip6_reass_walk_cli (nat_reass_ip6_t * reass, void *ctx)
-{
- vlib_main_t *vm = ctx;
-
- vlib_cli_output (vm, " src %U dst %U proto %u id 0x%08x cached %u",
- format_ip6_address, &reass->key.src,
- format_ip6_address, &reass->key.dst,
- reass->key.proto,
- clib_net_to_host_u32 (reass->key.frag_id), reass->frag_n);
-
- return 0;
-}
-
-static clib_error_t *
-show_nat_reass_command_fn (vlib_main_t * vm, unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- vlib_cli_output (vm, "NAT IPv4 virtual fragmentation reassembly is %s",
- nat_reass_is_drop_frag (0) ? "DISABLED" : "ENABLED");
- vlib_cli_output (vm, " max-reassemblies %u", nat_reass_get_max_reass (0));
- vlib_cli_output (vm, " max-fragments %u", nat_reass_get_max_frag (0));
- vlib_cli_output (vm, " timeout %usec", nat_reass_get_timeout (0));
- vlib_cli_output (vm, " reassemblies:");
- nat_ip4_reass_walk (nat_ip4_reass_walk_cli, vm);
-
- vlib_cli_output (vm, "NAT IPv6 virtual fragmentation reassembly is %s",
- nat_reass_is_drop_frag (1) ? "DISABLED" : "ENABLED");
- vlib_cli_output (vm, " max-reassemblies %u", nat_reass_get_max_reass (1));
- vlib_cli_output (vm, " max-fragments %u", nat_reass_get_max_frag (1));
- vlib_cli_output (vm, " timeout %usec", nat_reass_get_timeout (1));
- vlib_cli_output (vm, " reassemblies:");
- nat_ip6_reass_walk (nat_ip6_reass_walk_cli, vm);
-
- return 0;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (nat_reass_command, static) =
-{
- .path = "nat virtual-reassembly",
- .short_help = "nat virtual-reassembly ip4|ip6 [max-reassemblies <n>] "
- "[max-fragments <n>] [timeout <sec>] [enable|disable]",
- .function = nat_reass_command_fn,
-};
-
-VLIB_CLI_COMMAND (show_nat_reass_command, static) =
-{
- .path = "show nat virtual-reassembly",
- .short_help = "show nat virtual-reassembly",
- .function = show_nat_reass_command_fn,
-};
-/* *INDENT-ON* */
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
diff --git a/src/plugins/nat/nat_reass.h b/src/plugins/nat/nat_reass.h
deleted file mode 100644
index 11f9db5a252..00000000000
--- a/src/plugins/nat/nat_reass.h
+++ /dev/null
@@ -1,340 +0,0 @@
-/*
- * Copyright (c) 2017 Cisco and/or its affiliates.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at:
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-/**
- * @file
- * @brief NAT plugin virtual fragmentation reassembly
- */
-#ifndef __included_nat_reass_h__
-#define __included_nat_reass_h__
-
-#include <vnet/vnet.h>
-#include <vnet/ip/ip.h>
-#include <vppinfra/bihash_16_8.h>
-#include <vppinfra/bihash_48_8.h>
-#include <vppinfra/dlist.h>
-
-#define NAT_REASS_TIMEOUT_DEFAULT 2
-#define NAT_MAX_REASS_DEAFULT 1024
-#define NAT_MAX_FRAG_DEFAULT 5
-#define NAT_REASS_HT_LOAD_FACTOR (0.75)
-
-#define NAT_REASS_FLAG_MAX_FRAG_DROP 1
-#define NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE 2
-#define NAT_REASS_FLAG_ED_DONT_TRANSLATE 4
-
-typedef struct
-{
- union
- {
- struct
- {
- ip4_address_t src;
- ip4_address_t dst;
- /* align by making this 4 octets even though its a 2 octets field */
- u32 frag_id;
- /* align by making this 4 octets even though its a 1 octet field */
- u32 proto;
- };
- u64 as_u64[2];
- };
-} nat_reass_ip4_key_t;
-
-enum
-{
- NAT_REASS_IP4_CLASSIFY_NONE,
- NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT,
- NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN
-};
-
-/* *INDENT-OFF* */
-typedef CLIB_PACKED(struct
-{
- nat_reass_ip4_key_t key;
- u32 lru_list_index;
- u32 sess_index;
- u32 thread_index;
- f64 last_heard;
- u32 frags_per_reass_list_head_index;
- u8 frag_n;
- u8 flags;
- u8 classify_next;
-}) nat_reass_ip4_t;
-/* *INDENT-ON* */
-
-typedef struct
-{
- union
- {
- struct
- {
- ip6_address_t src;
- ip6_address_t dst;
- u32 frag_id;
- /* align by making this 4 octets even though its a 1 octet field */
- u32 proto;
- u64 unused;
- };
- u64 as_u64[6];
- };
-} nat_reass_ip6_key_t;
-
-/* *INDENT-OFF* */
-typedef CLIB_PACKED(struct
-{
- nat_reass_ip6_key_t key;
- u32 lru_list_index;
- u32 sess_index;
- f64 last_heard;
- u32 frags_per_reass_list_head_index;
- u8 frag_n;
- u8 flags;
-}) nat_reass_ip6_t;
-/* *INDENT-ON* */
-
-typedef struct
-{
- /* IPv4 config */
- u32 ip4_timeout;
- u16 ip4_max_reass;
- u8 ip4_max_frag;
- u8 ip4_drop_frag;
-
- /* IPv6 config */
- u32 ip6_timeout;
- u16 ip6_max_reass;
- u8 ip6_max_frag;
- u8 ip6_drop_frag;
-
- /* IPv4 runtime */
- nat_reass_ip4_t *ip4_reass_pool;
- clib_bihash_16_8_t ip4_reass_hash;
- dlist_elt_t *ip4_reass_lru_list_pool;
- dlist_elt_t *ip4_frags_list_pool;
- u32 ip4_reass_head_index;
- u16 ip4_reass_n;
- clib_spinlock_t ip4_reass_lock;
-
- /* IPv6 runtime */
- nat_reass_ip6_t *ip6_reass_pool;
- clib_bihash_48_8_t ip6_reass_hash;
- dlist_elt_t *ip6_reass_lru_list_pool;
- dlist_elt_t *ip6_frags_list_pool;
- u32 ip6_reass_head_index;
- u16 ip6_reass_n;
- clib_spinlock_t ip6_reass_lock;
-
- /* convenience */
- vlib_main_t *vlib_main;
- vnet_main_t *vnet_main;
-} nat_reass_main_t;
-
-/**
- * @brief Set NAT virtual fragmentation reassembly configuration.
- *
- * @param timeout Reassembly timeout.
- * @param max_reass Maximum number of concurrent reassemblies.
- * @param max_frag Maximum number of fragmets per reassembly
- * @param drop_frag If zero translate fragments, otherwise drop fragments.
- * @param is_ip6 1 if IPv6, 0 if IPv4.
- *
- * @returns 0 on success, non-zero value otherwise.
- */
-int nat_reass_set (u32 timeout, u16 max_reass, u8 max_frag, u8 drop_frag,
- u8 is_ip6);
-
-/**
- * @brief Get reassembly timeout.
- *
- * @param is_ip6 1 if IPv6, 0 if IPv4.
- *
- * @returns reassembly timeout.
- */
-u32 nat_reass_get_timeout (u8 is_ip6);
-
-/**
- * @brief Get maximum number of concurrent reassemblies.
- *
- * @param is_ip6 1 if IPv6, 0 if IPv4.
- *
- * @returns maximum number of concurrent reassemblies.
- */
-u16 nat_reass_get_max_reass (u8 is_ip6);
-
-/**
- * @brief Get maximum number of fragmets per reassembly.
- *
- * @param is_ip6 1 if IPv6, 0 if IPv4.
- *
- * @returns maximum number of fragmets per reassembly.
- */
-u8 nat_reass_get_max_frag (u8 is_ip6);
-
-/**
- * @brief Get status of virtual fragmentation reassembly.
- *
- * @param is_ip6 1 if IPv6, 0 if IPv4.
- *
- * @returns zero if translate fragments, non-zero value if drop fragments.
- */
-u8 nat_reass_is_drop_frag (u8 is_ip6);
-
-/**
- * @brief Initialize NAT virtual fragmentation reassembly.
- *
- * @param vm vlib main.
- *
- * @return error code.
- */
-clib_error_t *nat_reass_init (vlib_main_t * vm);
-
-/**
- * @brief Find reassembly.
- *
- * @param src Source IPv4 address.
- * @param dst Destination IPv4 address.
- * @param frag_id Fragment ID.
- * @param proto L4 protocol.
- *
- * @returns Reassembly data or 0 if not found.
- */
-nat_reass_ip4_t *nat_ip4_reass_find (ip4_address_t src,
- ip4_address_t dst,
- u16 frag_id, u8 proto);
-
-/**
- * @brief Create reassembly.
- *
- * @param src Source IPv4 address.
- * @param dst Destination IPv4 address.
- * @param frag_id Fragment ID.
- * @param proto L4 protocol.
- *
- * @returns Reassembly data or 0 on failure.
- */
-nat_reass_ip4_t *nat_ip4_reass_create (ip4_address_t src, ip4_address_t dst,
- u16 frag_id, u8 proto);
-
-/**
- * @brief Find or create reassembly.
- *
- * @param src Source IPv4 address.
- * @param dst Destination IPv4 address.
- * @param frag_id Fragment ID.
- * @param proto L4 protocol.
- * @param reset_timeout If non-zero value reset timeout.
- * @param bi_to_drop Fragments to drop.
- *
- * @returns Reassembly data or 0 on failure.
- */
-nat_reass_ip4_t *nat_ip4_reass_find_or_create (ip4_address_t src,
- ip4_address_t dst,
- u16 frag_id, u8 proto,
- u8 reset_timeout,
- u32 ** bi_to_drop);
-
-/**
- * @brief Cache fragment.
- *
- * @param reass Reassembly data.
- * @param bi Buffer index.
- * @param bi_to_drop Fragments to drop.
- *
- * @returns 0 on success, non-zero value otherwise.
- */
-int nat_ip4_reass_add_fragment (u32 thread_index, nat_reass_ip4_t * reass,
- u32 bi, u32 ** bi_to_drop);
-
-/**
- * @brief Get cached fragments.
- *
- * @param reass Reassembly data.
- * @param bi Vector of buffer indexes.
- */
-void nat_ip4_reass_get_frags (nat_reass_ip4_t * reass, u32 ** bi);
-
-/**
- * @breif Call back function when walking IPv4 reassemblies, non-zero return
- * value stop walk.
- */
-typedef int (*nat_ip4_reass_walk_fn_t) (nat_reass_ip4_t * reass, void *ctx);
-
-/**
- * @brief Walk IPv4 reassemblies.
- *
- * @param fn The function to invoke on each entry visited.
- * @param ctx A context passed in the visit function.
- */
-void nat_ip4_reass_walk (nat_ip4_reass_walk_fn_t fn, void *ctx);
-
-/**
- * @brief Find or create reassembly.
- *
- * @param src Source IPv6 address.
- * @param dst Destination IPv6 address.
- * @param frag_id Fragment ID.
- * @param proto L4 protocol.
- * @param reset_timeout If non-zero value reset timeout.
- * @param bi_to_drop Fragments to drop.
- *
- * @returns Reassembly data or 0 on failure.
- */
-nat_reass_ip6_t *nat_ip6_reass_find_or_create (ip6_address_t src,
- ip6_address_t dst,
- u32 frag_id, u8 proto,
- u8 reset_timeout,
- u32 ** bi_to_drop);
-/**
- * @brief Cache fragment.
- *
- * @param reass Reassembly data.
- * @param bi Buffer index.
- * @param bi_to_drop Fragments to drop.
- *
- * @returns 0 on success, non-zero value otherwise.
- */
-int nat_ip6_reass_add_fragment (u32 thread_index, nat_reass_ip6_t * reass,
- u32 bi, u32 ** bi_to_drop);
-
-/**
- * @brief Get cached fragments.
- *
- * @param reass Reassembly data.
- * @param bi Vector of buffer indexes.
- */
-void nat_ip6_reass_get_frags (nat_reass_ip6_t * reass, u32 ** bi);
-
-/**
- * @breif Call back function when walking IPv6 reassemblies, non-zero return
- * value stop walk.
- */
-typedef int (*nat_ip6_reass_walk_fn_t) (nat_reass_ip6_t * reass, void *ctx);
-
-/**
- * @brief Walk IPv6 reassemblies.
- *
- * @param fn The function to invoke on each entry visited.
- * @param ctx A context passed in the visit function.
- */
-void nat_ip6_reass_walk (nat_ip6_reass_walk_fn_t fn, void *ctx);
-
-#endif /* __included_nat_reass_h__ */
-
-/*
- * fd.io coding-style-patch-verification: ON
- *
- * Local Variables:
- * eval: (c-set-style "gnu")
- * End:
- */
diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c
index 6ee126658c8..e9ca88f1d68 100755
--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -27,7 +27,6 @@
#include <vnet/fib/ip4_fib.h>
#include <nat/nat.h>
#include <nat/nat_ipfix_logging.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <nat/nat44_inlines.h>
#include <nat/nat_syslog.h>
@@ -108,7 +107,6 @@ typedef enum
SNAT_OUT2IN_NEXT_DROP,
SNAT_OUT2IN_NEXT_LOOKUP,
SNAT_OUT2IN_NEXT_ICMP_ERROR,
- SNAT_OUT2IN_NEXT_REASS,
SNAT_OUT2IN_N_NEXT,
} snat_out2in_next_t;
@@ -267,7 +265,7 @@ create_session_for_static_mapping (snat_main_t * sm,
#ifndef CLIB_MARCH_VARIANT
static_always_inline
- snat_out2in_error_t icmp_get_key (ip4_header_t * ip0,
+ snat_out2in_error_t icmp_get_key (vlib_buffer_t * b, ip4_header_t * ip0,
snat_session_key_t * p_key0)
{
icmp46_header_t *icmp0;
@@ -280,11 +278,12 @@ static_always_inline
icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
echo0 = (icmp_echo_header_t *) (icmp0 + 1);
- if (!icmp_is_error_message (icmp0))
+ if (!icmp_type_is_error_message
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
{
key0.protocol = SNAT_PROTOCOL_ICMP;
key0.addr = ip0->dst_address;
- key0.port = echo0->identifier;
+ key0.port = vnet_buffer (b)->ip.reass.l4_src_port; // TODO should this be dst port?
}
else
{
@@ -332,7 +331,6 @@ icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
snat_session_key_t * p_value,
u8 * p_dont_translate, void *d, void *e)
{
- icmp46_header_t *icmp0;
u32 sw_if_index0;
u32 rx_fib_index0;
snat_session_key_t key0;
@@ -345,13 +343,12 @@ icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
int err;
u8 identity_nat;
- icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
key0.protocol = 0;
- err = icmp_get_key (ip0, &key0);
+ err = icmp_get_key (b0, ip0, &key0);
if (err != -1)
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
@@ -390,9 +387,11 @@ icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
}
}
- if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply &&
- (icmp0->type != ICMP4_echo_request
- || !is_addr_only)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_reply
+ && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_request || !is_addr_only)))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_OUT2IN_NEXT_DROP;
@@ -417,9 +416,13 @@ icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
}
else
{
- if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply &&
- icmp0->type != ICMP4_echo_request &&
- !icmp_is_error_message (icmp0)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_reply
+ && vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_request
+ && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_OUT2IN_NEXT_DROP;
@@ -462,7 +465,6 @@ icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
snat_session_key_t * p_value,
u8 * p_dont_translate, void *d, void *e)
{
- icmp46_header_t *icmp0;
u32 sw_if_index0;
u32 rx_fib_index0;
snat_session_key_t key0;
@@ -472,11 +474,10 @@ icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
u32 next0 = ~0;
int err;
- icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
- err = icmp_get_key (ip0, &key0);
+ err = icmp_get_key (b0, ip0, &key0);
if (err != -1)
{
b0->error = node->errors[err];
@@ -499,9 +500,12 @@ icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
goto out;
}
- if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply &&
- (icmp0->type != ICMP4_echo_request || !is_addr_only) &&
- !icmp_is_error_message (icmp0)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_reply
+ && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_request || !is_addr_only)
+ && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
next0 = SNAT_OUT2IN_NEXT_DROP;
@@ -575,72 +579,78 @@ icmp_out2in (snat_main_t * sm,
dst_address /* changed member */ );
ip0->checksum = ip_csum_fold (sum0);
- if (icmp0->checksum == 0)
- icmp0->checksum = 0xffff;
- if (!icmp_is_error_message (icmp0))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- new_id0 = sm0.port;
- if (PREDICT_FALSE (new_id0 != echo0->identifier))
+ if (icmp0->checksum == 0)
+ icmp0->checksum = 0xffff;
+
+ if (!icmp_type_is_error_message (icmp0->type))
{
- old_id0 = echo0->identifier;
new_id0 = sm0.port;
- echo0->identifier = new_id0;
-
- sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
- identifier /* changed member */ );
- icmp0->checksum = ip_csum_fold (sum0);
+ if (PREDICT_FALSE (new_id0 != echo0->identifier))
+ {
+ old_id0 = echo0->identifier;
+ new_id0 = sm0.port;
+ echo0->identifier = new_id0;
+
+ sum0 = icmp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
+ identifier /* changed member */ );
+ icmp0->checksum = ip_csum_fold (sum0);
+ }
}
- }
- else
- {
- inner_ip0 = (ip4_header_t *) (echo0 + 1);
- l4_header = ip4_next_header (inner_ip0);
-
- if (!ip4_header_checksum_is_valid (inner_ip0))
+ else
{
- next0 = SNAT_OUT2IN_NEXT_DROP;
- goto out;
- }
+ inner_ip0 = (ip4_header_t *) (echo0 + 1);
+ l4_header = ip4_next_header (inner_ip0);
- old_addr0 = inner_ip0->src_address.as_u32;
- inner_ip0->src_address = sm0.addr;
- new_addr0 = inner_ip0->src_address.as_u32;
-
- sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- src_address /* changed member */ );
- icmp0->checksum = ip_csum_fold (sum0);
+ if (!ip4_header_checksum_is_valid (inner_ip0))
+ {
+ next0 = SNAT_OUT2IN_NEXT_DROP;
+ goto out;
+ }
- switch (protocol)
- {
- case SNAT_PROTOCOL_ICMP:
- inner_icmp0 = (icmp46_header_t *) l4_header;
- inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
-
- old_id0 = inner_echo0->identifier;
- new_id0 = sm0.port;
- inner_echo0->identifier = new_id0;
+ old_addr0 = inner_ip0->src_address.as_u32;
+ inner_ip0->src_address = sm0.addr;
+ new_addr0 = inner_ip0->src_address.as_u32;
sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
- identifier);
+ sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
+ src_address /* changed member */ );
icmp0->checksum = ip_csum_fold (sum0);
- break;
- case SNAT_PROTOCOL_UDP:
- case SNAT_PROTOCOL_TCP:
- old_id0 = ((tcp_udp_header_t *) l4_header)->src_port;
- new_id0 = sm0.port;
- ((tcp_udp_header_t *) l4_header)->src_port = new_id0;
- sum0 = icmp0->checksum;
- sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
- src_port);
- icmp0->checksum = ip_csum_fold (sum0);
- break;
- default:
- ASSERT (0);
+ switch (protocol)
+ {
+ case SNAT_PROTOCOL_ICMP:
+ inner_icmp0 = (icmp46_header_t *) l4_header;
+ inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
+
+ old_id0 = inner_echo0->identifier;
+ new_id0 = sm0.port;
+ inner_echo0->identifier = new_id0;
+
+ sum0 = icmp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
+ identifier);
+ icmp0->checksum = ip_csum_fold (sum0);
+ break;
+ case SNAT_PROTOCOL_UDP:
+ case SNAT_PROTOCOL_TCP:
+ old_id0 = ((tcp_udp_header_t *) l4_header)->src_port;
+ new_id0 = sm0.port;
+ ((tcp_udp_header_t *) l4_header)->src_port = new_id0;
+
+ sum0 = icmp0->checksum;
+ sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
+ src_port);
+ icmp0->checksum = ip_csum_fold (sum0);
+ break;
+ default:
+ ASSERT (0);
+ }
}
}
@@ -816,13 +826,6 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
goto trace0;
}
- if (PREDICT_FALSE (ip4_is_fragment (ip0)))
- {
- next0 = SNAT_OUT2IN_NEXT_REASS;
- fragments++;
- goto trace0;
- }
-
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = icmp_out2in_slow_path
@@ -833,7 +836,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
}
key0.addr = ip0->dst_address;
- key0.port = udp0->dst_port;
+ key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
key0.protocol = proto0;
key0.fib_index = rx_fib_index0;
@@ -851,10 +854,11 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
+ if (PREDICT_FALSE
+ (proto0 == SNAT_PROTOCOL_UDP
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
+ clib_host_to_net_u16
+ (UDP_DST_PORT_dhcp_to_client))))
{
vnet_feature_next (&next0, b0);
goto trace0;
@@ -897,34 +901,41 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
dst_address /* changed member */ );
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->dst_port;
- new_port0 = udp0->dst_port = s0->in2out.port;
-
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
-
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- tcp0->checksum = ip_csum_fold (sum0);
- tcp_packets++;
- }
- else
- {
- if (PREDICT_FALSE (udp0->checksum))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = udp0->checksum;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+ sum0 = tcp0->checksum;
sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
ip4_header_t,
dst_address /* changed member */ );
+
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */ ,
length /* changed member */ );
- udp0->checksum = ip_csum_fold (sum0);
+ tcp0->checksum = ip_csum_fold (sum0);
+ }
+ tcp_packets++;
+ }
+ else
+ {
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
+ {
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+ if (PREDICT_FALSE (udp0->checksum))
+ {
+ sum0 = udp0->checksum;
+ sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
+ );
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0,
+ ip4_header_t /* cheat */ ,
+ length /* changed member */ );
+ udp0->checksum = ip_csum_fold (sum0);
+ }
}
udp_packets++;
}
@@ -989,13 +1000,6 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
goto trace1;
}
- if (PREDICT_FALSE (ip4_is_fragment (ip1)))
- {
- next1 = SNAT_OUT2IN_NEXT_REASS;
- fragments++;
- goto trace1;
- }
-
if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
{
next1 = icmp_out2in_slow_path
@@ -1006,7 +1010,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
}
key1.addr = ip1->dst_address;
- key1.port = udp1->dst_port;
+ key1.port = vnet_buffer (b1)->ip.reass.l4_dst_port;
key1.protocol = proto1;
key1.fib_index = rx_fib_index1;
@@ -1024,10 +1028,11 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
- && (udp1->dst_port ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
+ if (PREDICT_FALSE
+ (proto1 == SNAT_PROTOCOL_UDP
+ && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
+ clib_host_to_net_u16
+ (UDP_DST_PORT_dhcp_to_client))))
{
vnet_feature_next (&next1, b1);
goto trace1;
@@ -1070,34 +1075,45 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
dst_address /* changed member */ );
ip1->checksum = ip_csum_fold (sum1);
- old_port1 = udp1->dst_port;
- new_port1 = udp1->dst_port = s1->in2out.port;
-
if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
{
- sum1 = tcp1->checksum;
- sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
- ip4_header_t,
- dst_address /* changed member */ );
-
- sum1 = ip_csum_update (sum1, old_port1, new_port1,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- tcp1->checksum = ip_csum_fold (sum1);
- tcp_packets++;
- }
- else
- {
- if (PREDICT_FALSE (udp1->checksum))
+ if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
{
- sum1 = udp1->checksum;
+ old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
+ new_port1 = udp1->dst_port = s1->in2out.port;
+
+ sum1 = tcp1->checksum;
sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
ip4_header_t,
dst_address /* changed member */ );
+
sum1 = ip_csum_update (sum1, old_port1, new_port1,
ip4_header_t /* cheat */ ,
length /* changed member */ );
- udp1->checksum = ip_csum_fold (sum1);
+ tcp1->checksum = ip_csum_fold (sum1);
+ }
+ tcp_packets++;
+ }
+ else
+ {
+ if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
+ {
+ old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
+ new_port1 = udp1->dst_port = s1->in2out.port;
+ if (PREDICT_FALSE (udp1->checksum))
+ {
+
+ sum1 = udp1->checksum;
+ sum1 =
+ ip_csum_update (sum1, old_addr1, new_addr1,
+ ip4_header_t,
+ dst_address /* changed member */ );
+ sum1 =
+ ip_csum_update (sum1, old_port1, new_port1,
+ ip4_header_t /* cheat */ ,
+ length /* changed member */ );
+ udp1->checksum = ip_csum_fold (sum1);
+ }
}
udp_packets++;
}
@@ -1199,13 +1215,6 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
goto trace00;
}
- if (PREDICT_FALSE (ip4_is_fragment (ip0)))
- {
- next0 = SNAT_OUT2IN_NEXT_REASS;
- fragments++;
- goto trace00;
- }
-
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = icmp_out2in_slow_path
@@ -1216,7 +1225,7 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
}
key0.addr = ip0->dst_address;
- key0.port = udp0->dst_port;
+ key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
key0.protocol = proto0;
key0.fib_index = rx_fib_index0;
@@ -1234,10 +1243,11 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
+ if (PREDICT_FALSE
+ (proto0 == SNAT_PROTOCOL_UDP
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
+ clib_host_to_net_u16
+ (UDP_DST_PORT_dhcp_to_client))))
{
vnet_feature_next (&next0, b0);
goto trace00;
@@ -1280,34 +1290,42 @@ VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
dst_address /* changed member */ );
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->dst_port;
- new_port0 = udp0->dst_port = s0->in2out.port;
-
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
-
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- tcp0->checksum = ip_csum_fold (sum0);
- tcp_packets++;
- }
- else
- {
- if (PREDICT_FALSE (udp0->checksum))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = udp0->checksum;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+
+ sum0 = tcp0->checksum;
sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
ip4_header_t,
dst_address /* changed member */ );
+
sum0 = ip_csum_update (sum0, old_port0, new_port0,
ip4_header_t /* cheat */ ,
length /* changed member */ );
- udp0->checksum = ip_csum_fold (sum0);
+ tcp0->checksum = ip_csum_fold (sum0);
+ }
+ tcp_packets++;
+ }
+ else
+ {
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
+ {
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+ if (PREDICT_FALSE (udp0->checksum))
+ {
+ sum0 = udp0->checksum;
+ sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
+ );
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0,
+ ip4_header_t /* cheat */ ,
+ length /* changed member */ );
+ udp0->checksum = ip_csum_fold (sum0);
+ }
}
udp_packets++;
}
@@ -1381,344 +1399,6 @@ VLIB_REGISTER_NODE (snat_out2in_node) = {
[SNAT_OUT2IN_NEXT_DROP] = "error-drop",
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
- },
-};
-/* *INDENT-ON* */
-
-VLIB_NODE_FN (nat44_out2in_reass_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- u32 n_left_from, *from, *to_next;
- snat_out2in_next_t next_index;
- u32 pkts_processed = 0, cached_fragments = 0;
- snat_main_t *sm = &snat_main;
- f64 now = vlib_time_now (vm);
- u32 thread_index = vm->thread_index;
- snat_main_per_thread_data_t *per_thread_data =
- &sm->per_thread_data[thread_index];
- u32 *fragments_to_drop = 0;
- u32 *fragments_to_loopback = 0;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
- vlib_buffer_t *b0;
- u32 next0;
- u8 cached0 = 0;
- ip4_header_t *ip0;
- nat_reass_ip4_t *reass0;
- udp_header_t *udp0;
- tcp_header_t *tcp0;
- icmp46_header_t *icmp0;
- snat_session_key_t key0, sm0;
- clib_bihash_kv_8_8_t kv0, value0;
- snat_session_t *s0 = 0;
- u16 old_port0, new_port0;
- ip_csum_t sum0;
- u8 identity_nat0;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
- next0 = SNAT_OUT2IN_NEXT_LOOKUP;
-
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 =
- fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
-
- if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
- {
- next0 = SNAT_OUT2IN_NEXT_DROP;
- b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
- icmp0 = (icmp46_header_t *) udp0;
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1, &fragments_to_drop);
-
- if (PREDICT_FALSE (!reass0))
- {
- next0 = SNAT_OUT2IN_NEXT_DROP;
- b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto trace0;
- }
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
- {
- next0 = icmp_out2in_slow_path
- (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, thread_index, &s0);
-
- if (PREDICT_TRUE (next0 != SNAT_OUT2IN_NEXT_DROP))
- {
- if (s0)
- reass0->sess_index = s0 - per_thread_data->sessions;
- else
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- reass0->thread_index = thread_index;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
-
- goto trace0;
- }
-
- key0.addr = ip0->dst_address;
- key0.port = udp0->dst_port;
- key0.protocol = proto0;
- key0.fib_index = rx_fib_index0;
- kv0.key = key0.as_u64;
-
- if (clib_bihash_search_8_8
- (&per_thread_data->out2in, &kv0, &value0))
- {
- /* Try to match static mapping by external address and port,
- destination address and port in packet */
- if (snat_static_mapping_match
- (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
- {
- /*
- * Send DHCP packets to the ipv4 stack, or we won't
- * be able to use dhcp client on the outside interface
- */
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port
- ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
- {
- vnet_feature_next (&next0, b0);
- goto trace0;
- }
-
- if (!sm->forwarding_enabled)
- {
- b0->error =
- node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
- next0 = SNAT_OUT2IN_NEXT_DROP;
- }
- else
- {
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
- goto trace0;
- }
-
- if (PREDICT_FALSE (identity_nat0))
- goto trace0;
-
- /* Create session initiated by host from external network */
- s0 =
- create_session_for_static_mapping (sm, b0, sm0, key0,
- node, thread_index,
- now);
- if (!s0)
- {
- b0->error =
- node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
- next0 = SNAT_OUT2IN_NEXT_DROP;
- goto trace0;
- }
- reass0->sess_index = s0 - per_thread_data->sessions;
- reass0->thread_index = thread_index;
- }
- else
- {
- s0 = pool_elt_at_index (per_thread_data->sessions,
- value0.value);
- reass0->sess_index = value0.value;
- }
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- }
- else
- {
- if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
- goto trace0;
- if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
- {
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG];
- nat_elog_notice
- ("maximum fragments per reassembly exceeded");
- next0 = SNAT_OUT2IN_NEXT_DROP;
- goto trace0;
- }
- cached0 = 1;
- goto trace0;
- }
- s0 = pool_elt_at_index (per_thread_data->sessions,
- reass0->sess_index);
- }
-
- old_addr0 = ip0->dst_address.as_u32;
- ip0->dst_address = s0->in2out.addr;
- new_addr0 = ip0->dst_address.as_u32;
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
-
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- old_port0 = udp0->dst_port;
- new_port0 = udp0->dst_port = s0->in2out.port;
-
- if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
- {
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
-
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- tcp0->checksum = ip_csum_fold (sum0);
- }
- else if (udp0->checksum)
- {
- sum0 = udp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- udp0->checksum = ip_csum_fold (sum0);
- }
- }
-
- /* Accounting */
- nat44_session_update_counters (s0, now,
- vlib_buffer_length_in_chain (vm, b0),
- thread_index);
- /* Per-user LRU list maintenance */
- nat44_session_update_lru (sm, s0, thread_index);
-
- trace0:
- if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- nat44_reass_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->cached = cached0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- }
-
- if (cached0)
- {
- n_left_to_next++;
- to_next--;
- cached_fragments++;
- }
- else
- {
- pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- if (n_left_from == 0 && vec_len (fragments_to_loopback))
- {
- from = vlib_frame_vector_args (frame);
- u32 len = vec_len (fragments_to_loopback);
- if (len <= VLIB_FRAME_SIZE)
- {
- clib_memcpy_fast (from, fragments_to_loopback,
- sizeof (u32) * len);
- n_left_from = len;
- vec_reset_length (fragments_to_loopback);
- }
- else
- {
- clib_memcpy_fast (from, fragments_to_loopback +
- (len - VLIB_FRAME_SIZE),
- sizeof (u32) * VLIB_FRAME_SIZE);
- n_left_from = VLIB_FRAME_SIZE;
- _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
- }
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, sm->out2in_reass_node_index,
- SNAT_OUT2IN_ERROR_PROCESSED_FRAGMENTS,
- pkts_processed);
- vlib_node_increment_counter (vm, sm->out2in_reass_node_index,
- SNAT_OUT2IN_ERROR_CACHED_FRAGMENTS,
- cached_fragments);
-
- nat_send_all_to_node (vm, fragments_to_drop, node,
- &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT],
- SNAT_OUT2IN_NEXT_DROP);
-
- vec_free (fragments_to_drop);
- vec_free (fragments_to_loopback);
- return frame->n_vectors;
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
- .name = "nat44-out2in-reass",
- .vector_size = sizeof (u32),
- .format_trace = format_nat44_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_out2in_error_strings),
- .error_strings = snat_out2in_error_strings,
-
- .n_next_nodes = SNAT_OUT2IN_N_NEXT,
-
- /* edit / add dispositions here */
- .next_nodes = {
- [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
- [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
- [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
},
};
/* *INDENT-ON* */
@@ -1919,7 +1599,6 @@ VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
[SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
[SNAT_OUT2IN_NEXT_DROP] = "error-drop",
[SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
},
};
/* *INDENT-ON* */
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index cb1cbdad375..ee2f85aa080 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -27,7 +27,6 @@
#include <vppinfra/error.h>
#include <nat/nat.h>
#include <nat/nat_ipfix_logging.h>
-#include <nat/nat_reass.h>
#include <nat/nat_inlines.h>
#include <nat/nat44_inlines.h>
#include <nat/nat_syslog.h>
@@ -326,8 +325,8 @@ next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port,
}
static void
-create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
- u32 thread_index)
+create_bypass_for_fwd (snat_main_t * sm, vlib_buffer_t * b, ip4_header_t * ip,
+ u32 rx_fib_index, u32 thread_index)
{
nat_ed_ses_key_t key;
clib_bihash_kv_16_8_t kv, value;
@@ -339,7 +338,7 @@ create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
if (ip->protocol == IP_PROTOCOL_ICMP)
{
- if (get_icmp_o2i_ed_key (ip, &key))
+ if (get_icmp_o2i_ed_key (b, ip, &key))
return;
}
else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
@@ -414,7 +413,8 @@ create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
if (ip->protocol == IP_PROTOCOL_TCP)
{
tcp_header_t *tcp = ip4_next_header (ip);
- if (nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index))
+ if (nat44_set_tcp_session_state_o2i
+ (sm, s, tcp->flags, tcp->ack_number, tcp->seq_number, thread_index))
return;
}
@@ -425,15 +425,15 @@ create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index,
}
static inline void
-create_bypass_for_fwd_worker (snat_main_t * sm, ip4_header_t * ip,
- u32 rx_fib_index)
+create_bypass_for_fwd_worker (snat_main_t * sm, vlib_buffer_t * b,
+ ip4_header_t * ip, u32 rx_fib_index)
{
ip4_header_t ip_wkr = {
.src_address = ip->dst_address,
};
u32 thread_index = sm->worker_in2out_cb (&ip_wkr, rx_fib_index, 0);
- create_bypass_for_fwd (sm, ip, rx_fib_index, thread_index);
+ create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
}
#ifndef CLIB_MARCH_VARIANT
@@ -444,7 +444,6 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
u8 * p_dont_translate, void *d, void *e)
{
u32 next = ~0, sw_if_index, rx_fib_index;
- icmp46_header_t *icmp;
nat_ed_ses_key_t key;
clib_bihash_kv_16_8_t kv, value;
snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
@@ -452,11 +451,10 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
u8 dont_translate = 0, is_addr_only, identity_nat;
snat_session_key_t e_key, l_key;
- icmp = (icmp46_header_t *) ip4_next_header (ip);
sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
- if (get_icmp_o2i_ed_key (ip, &key))
+ if (get_icmp_o2i_ed_key (b, ip, &key))
{
b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL];
next = NAT_NEXT_DROP;
@@ -499,15 +497,18 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
goto out;
}
if (sm->num_workers > 1)
- create_bypass_for_fwd_worker (sm, ip, rx_fib_index);
+ create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index);
else
- create_bypass_for_fwd (sm, ip, rx_fib_index, thread_index);
+ create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
goto out;
}
}
- if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
- (icmp->type != ICMP4_echo_request || !is_addr_only)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_reply
+ && (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_request || !is_addr_only)))
{
b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
next = NAT_NEXT_DROP;
@@ -534,9 +535,13 @@ icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node,
}
else
{
- if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply &&
- icmp->type != ICMP4_echo_request &&
- !icmp_is_error_message (icmp)))
+ if (PREDICT_FALSE
+ (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_reply
+ && vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags !=
+ ICMP4_echo_request
+ && !icmp_type_is_error_message (vnet_buffer (b)->ip.
+ reass.icmp_type_or_tcp_flags)))
{
b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE];
next = NAT_NEXT_DROP;
@@ -795,13 +800,6 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
goto trace00;
}
- if (ip4_is_fragment (ip0))
- {
- next0 = NAT_NEXT_OUT2IN_ED_REASS;
- fragments++;
- goto trace00;
- }
-
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
@@ -810,8 +808,9 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
- ip0->protocol, rx_fib_index0, udp0->dst_port,
- udp0->src_port);
+ ip0->protocol, rx_fib_index0,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ vnet_buffer (b0)->ip.reass.l4_src_port);
if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
{
@@ -820,7 +819,7 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
/* Try to match static mapping by external address and port,
destination address and port in packet */
e_key0.addr = ip0->dst_address;
- e_key0.port = udp0->dst_port;
+ e_key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
e_key0.protocol = proto0;
e_key0.fib_index = rx_fib_index0;
if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
@@ -832,10 +831,11 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
+ if (PREDICT_FALSE
+ (proto0 == SNAT_PROTOCOL_UDP
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
+ clib_host_to_net_u16
+ (UDP_DST_PORT_dhcp_to_client))))
{
goto trace00;
}
@@ -848,18 +848,20 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (next_src_nat (sm, ip0, ip0->protocol,
- udp0->src_port, udp0->dst_port,
- thread_index, rx_fib_index0))
+ if (next_src_nat
+ (sm, ip0, ip0->protocol,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ thread_index, rx_fib_index0))
{
next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
goto trace00;
}
if (sm->num_workers > 1)
- create_bypass_for_fwd_worker (sm, ip0,
+ create_bypass_for_fwd_worker (sm, b0, ip0,
rx_fib_index0);
else
- create_bypass_for_fwd (sm, ip0, rx_fib_index0,
+ create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
thread_index);
}
goto trace00;
@@ -868,7 +870,9 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE (identity_nat0))
goto trace00;
- if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
+ if ((proto0 == SNAT_PROTOCOL_TCP)
+ && !tcp_flags_is_init (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags))
{
b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
next0 = NAT_NEXT_DROP;
@@ -912,35 +916,47 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
src_address);
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->dst_port;
- new_port0 = udp0->dst_port = s0->in2out.port;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
- if (is_twice_nat_session (s0))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
- s0->ext_host_nat_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->src_port,
- s0->ext_host_nat_port, ip4_header_t,
- length);
- tcp0->src_port = s0->ext_host_nat_port;
- ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+ sum0 = tcp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
+ dst_address);
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
+ length);
+ if (is_twice_nat_session (s0))
+ {
+ sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
+ s0->ext_host_nat_addr.as_u32,
+ ip4_header_t, dst_address);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.
+ reass.l4_src_port,
+ s0->ext_host_nat_port, ip4_header_t,
+ length);
+ tcp0->src_port = s0->ext_host_nat_port;
+ ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
+ }
+ tcp0->checksum = ip_csum_fold (sum0);
}
- tcp0->checksum = ip_csum_fold (sum0);
tcp_packets++;
if (nat44_set_tcp_session_state_o2i
- (sm, s0, tcp0, thread_index))
+ (sm, s0, vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags,
+ vnet_buffer (b0)->ip.reass.tcp_ack_number,
+ vnet_buffer (b0)->ip.reass.tcp_seq_number, thread_index))
goto trace00;
}
- else if (udp0->checksum)
+ else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
+ && udp0->checksum)
{
+ new_port0 = udp0->dst_port = s0->in2out.port;
sum0 = udp0->checksum;
sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
dst_address);
@@ -951,9 +967,11 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
s0->ext_host_nat_addr.as_u32,
ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, udp0->src_port,
- s0->ext_host_nat_port, ip4_header_t,
- length);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ s0->ext_host_nat_port, ip4_header_t,
+ length);
udp0->src_port = s0->ext_host_nat_port;
ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
}
@@ -962,10 +980,20 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- udp0->src_port = s0->ext_host_nat_port;
- ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+ if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ {
+ udp0->dst_port = s0->in2out.port;
+ if (is_twice_nat_session (s0))
+ {
+ udp0->src_port = s0->ext_host_nat_port;
+ ip0->src_address.as_u32 =
+ s0->ext_host_nat_addr.as_u32;
+ }
+ udp0->checksum = 0;
+ }
}
udp_packets++;
}
@@ -1050,13 +1078,6 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
goto trace01;
}
- if (ip4_is_fragment (ip1))
- {
- next1 = NAT_NEXT_OUT2IN_ED_REASS;
- fragments++;
- goto trace01;
- }
-
if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP))
{
next1 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
@@ -1065,8 +1086,9 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address,
- ip1->protocol, rx_fib_index1, udp1->dst_port,
- udp1->src_port);
+ ip1->protocol, rx_fib_index1,
+ vnet_buffer (b1)->ip.reass.l4_dst_port,
+ vnet_buffer (b1)->ip.reass.l4_src_port);
if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1))
{
@@ -1075,7 +1097,7 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
/* Try to match static mapping by external address and port,
destination address and port in packet */
e_key1.addr = ip1->dst_address;
- e_key1.port = udp1->dst_port;
+ e_key1.port = vnet_buffer (b1)->ip.reass.l4_dst_port;
e_key1.protocol = proto1;
e_key1.fib_index = rx_fib_index1;
if (snat_static_mapping_match (sm, e_key1, &l_key1, 1, 0,
@@ -1087,10 +1109,11 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP
- && (udp1->dst_port ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
+ if (PREDICT_FALSE
+ (proto1 == SNAT_PROTOCOL_UDP
+ && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
+ clib_host_to_net_u16
+ (UDP_DST_PORT_dhcp_to_client))))
{
goto trace01;
}
@@ -1103,18 +1126,20 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (next_src_nat (sm, ip1, ip1->protocol,
- udp1->src_port, udp1->dst_port,
- thread_index, rx_fib_index1))
+ if (next_src_nat
+ (sm, ip1, ip1->protocol,
+ vnet_buffer (b1)->ip.reass.l4_src_port,
+ vnet_buffer (b1)->ip.reass.l4_dst_port,
+ thread_index, rx_fib_index1))
{
next1 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
goto trace01;
}
if (sm->num_workers > 1)
- create_bypass_for_fwd_worker (sm, ip1,
+ create_bypass_for_fwd_worker (sm, b1, ip1,
rx_fib_index1);
else
- create_bypass_for_fwd (sm, ip1, rx_fib_index1,
+ create_bypass_for_fwd (sm, b1, ip1, rx_fib_index1,
thread_index);
}
goto trace01;
@@ -1123,7 +1148,9 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE (identity_nat1))
goto trace01;
- if ((proto1 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp1))
+ if ((proto1 == SNAT_PROTOCOL_TCP)
+ && !tcp_flags_is_init (vnet_buffer (b1)->ip.
+ reass.icmp_type_or_tcp_flags))
{
b1->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
next1 = NAT_NEXT_DROP;
@@ -1167,35 +1194,48 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
src_address);
ip1->checksum = ip_csum_fold (sum1);
- old_port1 = udp1->dst_port;
- new_port1 = udp1->dst_port = s1->in2out.port;
+ old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP))
{
- sum1 = tcp1->checksum;
- sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
- dst_address);
- sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
- length);
- if (is_twice_nat_session (s1))
+ if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
{
- sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
- s1->ext_host_nat_addr.as_u32,
- ip4_header_t, dst_address);
- sum1 = ip_csum_update (sum1, tcp1->src_port,
- s1->ext_host_nat_port, ip4_header_t,
- length);
- tcp1->src_port = s1->ext_host_nat_port;
- ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
+ new_port1 = udp1->dst_port = s1->in2out.port;
+
+ sum1 = tcp1->checksum;
+ sum1 =
+ ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
+ dst_address);
+ sum1 =
+ ip_csum_update (sum1, old_port1, new_port1, ip4_header_t,
+ length);
+ if (is_twice_nat_session (s1))
+ {
+ sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
+ s1->ext_host_nat_addr.as_u32,
+ ip4_header_t, dst_address);
+ sum1 =
+ ip_csum_update (sum1,
+ vnet_buffer (b1)->ip.
+ reass.l4_src_port,
+ s1->ext_host_nat_port, ip4_header_t,
+ length);
+ tcp1->src_port = s1->ext_host_nat_port;
+ ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
+ }
+ tcp1->checksum = ip_csum_fold (sum1);
}
- tcp1->checksum = ip_csum_fold (sum1);
tcp_packets++;
if (nat44_set_tcp_session_state_o2i
- (sm, s1, tcp1, thread_index))
+ (sm, s1, vnet_buffer (b1)->ip.reass.icmp_type_or_tcp_flags,
+ vnet_buffer (b1)->ip.reass.tcp_ack_number,
+ vnet_buffer (b1)->ip.reass.tcp_seq_number, thread_index))
goto trace01;
}
- else if (udp1->checksum)
+ else if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment
+ && udp1->checksum)
{
+ new_port1 = udp1->dst_port = s1->in2out.port;
sum1 = udp1->checksum;
sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t,
dst_address);
@@ -1206,9 +1246,11 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
sum1 = ip_csum_update (sum1, ip1->src_address.as_u32,
s1->ext_host_nat_addr.as_u32,
ip4_header_t, dst_address);
- sum1 = ip_csum_update (sum1, udp1->src_port,
- s1->ext_host_nat_port, ip4_header_t,
- length);
+ sum1 =
+ ip_csum_update (sum1,
+ vnet_buffer (b1)->ip.reass.l4_src_port,
+ s1->ext_host_nat_port, ip4_header_t,
+ length);
udp1->src_port = s1->ext_host_nat_port;
ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
}
@@ -1217,10 +1259,19 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (PREDICT_FALSE (is_twice_nat_session (s1)))
+ if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
{
- udp1->src_port = s1->ext_host_nat_port;
- ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32;
+ if (PREDICT_FALSE (is_twice_nat_session (s1)))
+ {
+ udp1->dst_port = s1->in2out.port;
+ if (is_twice_nat_session (s1))
+ {
+ udp1->src_port = s1->ext_host_nat_port;
+ ip1->src_address.as_u32 =
+ s1->ext_host_nat_addr.as_u32;
+ }
+ udp1->checksum = 0;
+ }
}
udp_packets++;
}
@@ -1341,13 +1392,6 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
goto trace0;
}
- if (ip4_is_fragment (ip0))
- {
- next0 = NAT_NEXT_OUT2IN_ED_REASS;
- fragments++;
- goto trace0;
- }
-
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = NAT_NEXT_OUT2IN_ED_SLOW_PATH;
@@ -1356,8 +1400,9 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
- ip0->protocol, rx_fib_index0, udp0->dst_port,
- udp0->src_port);
+ ip0->protocol, rx_fib_index0,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ vnet_buffer (b0)->ip.reass.l4_src_port);
if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0))
{
@@ -1366,7 +1411,7 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
/* Try to match static mapping by external address and port,
destination address and port in packet */
e_key0.addr = ip0->dst_address;
- e_key0.port = udp0->dst_port;
+ e_key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
e_key0.protocol = proto0;
e_key0.fib_index = rx_fib_index0;
if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
@@ -1378,10 +1423,11 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
* Send DHCP packets to the ipv4 stack, or we won't
* be able to use dhcp client on the outside interface
*/
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
+ if (PREDICT_FALSE
+ (proto0 == SNAT_PROTOCOL_UDP
+ && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
+ clib_host_to_net_u16
+ (UDP_DST_PORT_dhcp_to_client))))
{
goto trace0;
}
@@ -1394,18 +1440,20 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (next_src_nat (sm, ip0, ip0->protocol,
- udp0->src_port, udp0->dst_port,
- thread_index, rx_fib_index0))
+ if (next_src_nat
+ (sm, ip0, ip0->protocol,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ vnet_buffer (b0)->ip.reass.l4_dst_port,
+ thread_index, rx_fib_index0))
{
next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
goto trace0;
}
if (sm->num_workers > 1)
- create_bypass_for_fwd_worker (sm, ip0,
+ create_bypass_for_fwd_worker (sm, b0, ip0,
rx_fib_index0);
else
- create_bypass_for_fwd (sm, ip0, rx_fib_index0,
+ create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
thread_index);
}
goto trace0;
@@ -1414,7 +1462,9 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
if (PREDICT_FALSE (identity_nat0))
goto trace0;
- if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
+ if ((proto0 == SNAT_PROTOCOL_TCP)
+ && !tcp_flags_is_init (vnet_buffer (b0)->ip.
+ reass.icmp_type_or_tcp_flags))
{
b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
next0 = NAT_NEXT_DROP;
@@ -1458,35 +1508,47 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
src_address);
ip0->checksum = ip_csum_fold (sum0);
- old_port0 = udp0->dst_port;
- new_port0 = udp0->dst_port = s0->in2out.port;
+ old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
{
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
- if (is_twice_nat_session (s0))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
- s0->ext_host_nat_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->src_port,
- s0->ext_host_nat_port, ip4_header_t,
- length);
- tcp0->src_port = s0->ext_host_nat_port;
- ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+ sum0 = tcp0->checksum;
+ sum0 =
+ ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
+ dst_address);
+ sum0 =
+ ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
+ length);
+ if (is_twice_nat_session (s0))
+ {
+ sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
+ s0->ext_host_nat_addr.as_u32,
+ ip4_header_t, dst_address);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.
+ reass.l4_src_port,
+ s0->ext_host_nat_port, ip4_header_t,
+ length);
+ tcp0->src_port = s0->ext_host_nat_port;
+ ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
+ }
+ tcp0->checksum = ip_csum_fold (sum0);
}
- tcp0->checksum = ip_csum_fold (sum0);
tcp_packets++;
if (nat44_set_tcp_session_state_o2i
- (sm, s0, tcp0, thread_index))
+ (sm, s0, vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags,
+ vnet_buffer (b0)->ip.reass.tcp_ack_number,
+ vnet_buffer (b0)->ip.reass.tcp_seq_number, thread_index))
goto trace0;
}
- else if (udp0->checksum)
+ else if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment
+ && udp0->checksum)
{
+ new_port0 = udp0->dst_port = s0->in2out.port;
sum0 = udp0->checksum;
sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
dst_address);
@@ -1497,9 +1559,11 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
s0->ext_host_nat_addr.as_u32,
ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, udp0->src_port,
- s0->ext_host_nat_port, ip4_header_t,
- length);
+ sum0 =
+ ip_csum_update (sum0,
+ vnet_buffer (b0)->ip.reass.l4_src_port,
+ s0->ext_host_nat_port, ip4_header_t,
+ length);
udp0->src_port = s0->ext_host_nat_port;
ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
}
@@ -1508,10 +1572,14 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
}
else
{
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
{
- udp0->src_port = s0->ext_host_nat_port;
- ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
+ new_port0 = udp0->dst_port = s0->in2out.port;
+ if (PREDICT_FALSE (is_twice_nat_session (s0)))
+ {
+ udp0->src_port = s0->ext_host_nat_port;
+ ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
+ }
}
udp_packets++;
}
@@ -1565,380 +1633,6 @@ nat44_ed_out2in_node_fn_inline (vlib_main_t * vm,
return frame->n_vectors;
}
-static inline uword
-nat44_ed_out2in_reass_node_fn_inline (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- u32 n_left_from, *from, *to_next;
- nat_next_t next_index;
- u32 pkts_processed = 0;
- snat_main_t *sm = &snat_main;
- f64 now = vlib_time_now (vm);
- u32 thread_index = vm->thread_index;
- snat_main_per_thread_data_t *per_thread_data =
- &sm->per_thread_data[thread_index];
- u32 *fragments_to_drop = 0;
- u32 *fragments_to_loopback = 0;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
- vlib_buffer_t *b0;
- u32 next0;
- u8 cached0 = 0;
- ip4_header_t *ip0;
- nat_reass_ip4_t *reass0;
- udp_header_t *udp0;
- tcp_header_t *tcp0;
- icmp46_header_t *icmp0;
- clib_bihash_kv_16_8_t kv0, value0;
- snat_session_t *s0 = 0;
- u16 old_port0, new_port0;
- ip_csum_t sum0;
- snat_session_key_t e_key0, l_key0;
- lb_nat_type_t lb0;
- twice_nat_type_t twice_nat0;
- u8 identity_nat0;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
- next0 = nat_buffer_opaque (b0)->arc_next;
-
- sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 =
- fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
-
- if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
- {
- next0 = NAT_NEXT_DROP;
- b0->error = node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- ip0 = (ip4_header_t *) vlib_buffer_get_current (b0);
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
- icmp0 = (icmp46_header_t *) udp0;
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1, &fragments_to_drop);
-
- if (PREDICT_FALSE (!reass0))
- {
- next0 = NAT_NEXT_DROP;
- b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_REASS];
- nat_elog_notice ("maximum reassemblies exceeded");
- goto trace0;
- }
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
- {
- next0 = icmp_out2in_ed_slow_path
- (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, thread_index, &s0);
-
- if (PREDICT_TRUE (next0 != NAT_NEXT_DROP))
- {
- if (s0)
- reass0->sess_index = s0 - per_thread_data->sessions;
- else
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- reass0->thread_index = thread_index;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
-
- goto trace0;
- }
-
- make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address,
- ip0->protocol, rx_fib_index0, udp0->dst_port,
- udp0->src_port);
-
- if (clib_bihash_search_16_8
- (&per_thread_data->out2in_ed, &kv0, &value0))
- {
- /* Try to match static mapping by external address and port,
- destination address and port in packet */
- e_key0.addr = ip0->dst_address;
- e_key0.port = udp0->dst_port;
- e_key0.protocol = proto0;
- e_key0.fib_index = rx_fib_index0;
- if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0,
- &twice_nat0, &lb0, 0,
- &identity_nat0))
- {
- /*
- * Send DHCP packets to the ipv4 stack, or we won't
- * be able to use dhcp client on the outside interface
- */
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP
- && (udp0->dst_port
- ==
- clib_host_to_net_u16
- (UDP_DST_PORT_dhcp_to_client))))
- {
- goto trace0;
- }
-
- if (!sm->forwarding_enabled)
- {
- b0->error =
- node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
- next0 = NAT_NEXT_DROP;
- }
- else
- {
- if (next_src_nat (sm, ip0, ip0->protocol,
- udp0->src_port, udp0->dst_port,
- thread_index, rx_fib_index0))
- {
- next0 = NAT_NEXT_IN2OUT_ED_FAST_PATH;
- goto trace0;
- }
- if (sm->num_workers > 1)
- create_bypass_for_fwd_worker (sm, ip0,
- rx_fib_index0);
- else
- create_bypass_for_fwd (sm, ip0, rx_fib_index0,
- thread_index);
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0,
- &fragments_to_loopback);
- }
- goto trace0;
- }
-
- if (PREDICT_FALSE (identity_nat0))
- {
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- goto trace0;
- }
-
- if ((proto0 == SNAT_PROTOCOL_TCP) && !tcp_is_init (tcp0))
- {
- b0->error = node->errors[NAT_OUT2IN_ED_ERROR_NON_SYN];
- next0 = NAT_NEXT_DROP;
- goto trace0;
- }
-
- /* Create session initiated by host from external network */
- s0 = create_session_for_static_mapping_ed (sm, b0, l_key0,
- e_key0, node,
- thread_index,
- twice_nat0, lb0,
- now);
- if (!s0)
- {
- b0->error =
- node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
- next0 = NAT_NEXT_DROP;
- goto trace0;
- }
- reass0->sess_index = s0 - per_thread_data->sessions;
- reass0->thread_index = thread_index;
- }
- else
- {
- s0 = pool_elt_at_index (per_thread_data->sessions,
- value0.value);
- reass0->sess_index = value0.value;
- }
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- }
- else
- {
- if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
- goto trace0;
- if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0))
- {
- if (nat_ip4_reass_add_fragment
- (thread_index, reass0, bi0, &fragments_to_drop))
- {
- b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_FRAG];
- nat_elog_notice
- ("maximum fragments per reassembly exceeded");
- next0 = NAT_NEXT_DROP;
- goto trace0;
- }
- cached0 = 1;
- goto trace0;
- }
- s0 = pool_elt_at_index (per_thread_data->sessions,
- reass0->sess_index);
- }
-
- old_addr0 = ip0->dst_address.as_u32;
- ip0->dst_address = s0->in2out.addr;
- new_addr0 = ip0->dst_address.as_u32;
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
-
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
- s0->ext_host_nat_addr.as_u32, ip4_header_t,
- src_address);
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- old_port0 = udp0->dst_port;
- new_port0 = udp0->dst_port = s0->in2out.port;
-
- if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
- {
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */ );
-
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */ ,
- length /* changed member */ );
- if (is_twice_nat_session (s0))
- {
- sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
- s0->ext_host_nat_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->src_port,
- s0->ext_host_nat_port,
- ip4_header_t, length);
- tcp0->src_port = s0->ext_host_nat_port;
- ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
- }
- tcp0->checksum = ip_csum_fold (sum0);
- }
- else if (udp0->checksum)
- {
- sum0 = udp0->checksum;
- sum0 =
- ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 =
- ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- sum0 = ip_csum_update (sum0, ip0->src_address.as_u32,
- s0->ext_host_nat_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, udp0->src_port,
- s0->ext_host_nat_port,
- ip4_header_t, length);
- udp0->src_port = s0->ext_host_nat_port;
- ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
- }
- udp0->checksum = ip_csum_fold (sum0);
- }
- else
- {
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- udp0->src_port = s0->ext_host_nat_port;
- ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32;
- }
- }
- }
-
- /* Accounting */
- nat44_session_update_counters (s0, now,
- vlib_buffer_length_in_chain (vm, b0),
- thread_index);
- /* Per-user LRU list maintenance */
- nat44_session_update_lru (sm, s0, thread_index);
-
- trace0:
- if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- nat44_reass_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->cached = cached0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- }
-
- if (cached0)
- {
- n_left_to_next++;
- to_next--;
- }
- else
- {
- pkts_processed += next0 != NAT_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- if (n_left_from == 0 && vec_len (fragments_to_loopback))
- {
- from = vlib_frame_vector_args (frame);
- u32 len = vec_len (fragments_to_loopback);
- if (len <= VLIB_FRAME_SIZE)
- {
- clib_memcpy_fast (from, fragments_to_loopback,
- sizeof (u32) * len);
- n_left_from = len;
- vec_reset_length (fragments_to_loopback);
- }
- else
- {
- clib_memcpy_fast (from, fragments_to_loopback +
- (len - VLIB_FRAME_SIZE),
- sizeof (u32) * VLIB_FRAME_SIZE);
- n_left_from = VLIB_FRAME_SIZE;
- _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
- }
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, sm->ed_out2in_reass_node_index,
- NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS,
- pkts_processed);
-
- nat_send_all_to_node (vm, fragments_to_drop, node,
- &node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT],
- NAT_NEXT_DROP);
-
- vec_free (fragments_to_drop);
- vec_free (fragments_to_loopback);
- return frame->n_vectors;
-}
-
VLIB_NODE_FN (nat44_ed_out2in_node) (vlib_main_t * vm,
vlib_node_runtime_t * node,
vlib_frame_t * frame)
@@ -1979,25 +1673,6 @@ VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = {
};
/* *INDENT-ON* */
-VLIB_NODE_FN (nat44_ed_out2in_reass_node) (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_out2in_reass_node_fn_inline (vm, node, frame);
-}
-
-/* *INDENT-OFF* */
-VLIB_REGISTER_NODE (nat44_ed_out2in_reass_node) = {
- .name = "nat44-ed-out2in-reass",
- .vector_size = sizeof (u32),
- .sibling_of = "nat-default",
- .format_trace = format_nat44_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings),
- .error_strings = nat_out2in_ed_error_strings,
-};
-/* *INDENT-ON* */
-
static u8 *
format_nat_pre_trace (u8 * s, va_list * args)
{
diff --git a/src/plugins/nat/test/test_nat.py b/src/plugins/nat/test/test_nat.py
index 0daa61042c1..46b97c05dbe 100644
--- a/src/plugins/nat/test/test_nat.py
+++ b/src/plugins/nat/test/test_nat.py
@@ -31,6 +31,7 @@ from scapy.all import bind_layers, Packet, ByteEnumField, ShortField, \
IPField, IntField, LongField, XByteField, FlagsField, FieldLenField, \
PacketListField
from ipaddress import IPv6Network
+from util import ppc, ppp
# NAT HA protocol event data
@@ -168,10 +169,6 @@ class MethodHolder(VppTestCase):
last_ip_address=addr.ip_address,
vrf_id=0xFFFFFFFF, flags=addr.flags)
- self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=5,
- drop_frag=0)
- self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=5,
- drop_frag=0, is_ip6=1)
self.verify_no_nat44_user()
self.vapi.nat_set_timeouts(udp=300, tcp_established=7440,
tcp_transitory=240, icmp=60)
@@ -762,6 +759,7 @@ class MethodHolder(VppTestCase):
proto=frags[0][IP].proto)
if ip.proto == IP_PROTOS.tcp:
p = (ip / TCP(buffer.getvalue()))
+ self.logger.debug(ppp("Reassembled:", p))
self.assert_tcp_checksum_valid(p)
elif ip.proto == IP_PROTOS.udp:
p = (ip / UDP(buffer.getvalue()[:8]) /
@@ -792,6 +790,7 @@ class MethodHolder(VppTestCase):
p = (ip / TCP(buffer.getvalue()))
elif ip.nh == IP_PROTOS.udp:
p = (ip / UDP(buffer.getvalue()))
+ self.logger.debug(ppp("Reassembled:", p))
self.assert_packet_checksums_valid(p)
return p
@@ -1154,9 +1153,6 @@ class MethodHolder(VppTestCase):
data = b"A" * 16 + b"B" * 16 + b"C" * 3
self.port_in = random.randint(1025, 65535)
- reass = self.vapi.nat_reass_dump()
- reass_n_start = len(reass)
-
# in2out
pkts = self.create_stream_frag(self.pg0,
self.pg1.remote_ip4,
@@ -1221,11 +1217,6 @@ class MethodHolder(VppTestCase):
self.assertEqual(p[layer].id, self.port_in)
self.assertEqual(data, p[Raw].load)
- reass = self.vapi.nat_reass_dump()
- reass_n_end = len(reass)
-
- self.assertEqual(reass_n_end - reass_n_start, 2)
-
def frag_in_order_in_plus_out(self, proto=IP_PROTOS.tcp):
layer = self.proto2layer(proto)
@@ -1236,9 +1227,6 @@ class MethodHolder(VppTestCase):
self.port_in = random.randint(1025, 65535)
for i in range(2):
- reass = self.vapi.nat_reass_dump()
- reass_n_start = len(reass)
-
# out2in
pkts = self.create_stream_frag(self.pg0,
self.server_out_addr,
@@ -1290,11 +1278,6 @@ class MethodHolder(VppTestCase):
self.assertEqual(p[layer].id, self.port_in)
self.assertEqual(data, p[Raw].load)
- reass = self.vapi.nat_reass_dump()
- reass_n_end = len(reass)
-
- self.assertEqual(reass_n_end - reass_n_start, 2)
-
def reass_hairpinning(self, proto=IP_PROTOS.tcp):
layer = self.proto2layer(proto)
@@ -3581,25 +3564,6 @@ class TestNAT44(MethodHolder):
self.verify_no_nat44_user()
- def test_set_get_reass(self):
- """ NAT44 set/get virtual fragmentation reassembly """
- reas_cfg1 = self.vapi.nat_get_reass()
-
- self.vapi.nat_set_reass(timeout=reas_cfg1.ip4_timeout + 5,
- max_reass=reas_cfg1.ip4_max_reass * 2,
- max_frag=reas_cfg1.ip4_max_frag * 2,
- drop_frag=0)
-
- reas_cfg2 = self.vapi.nat_get_reass()
-
- self.assertEqual(reas_cfg1.ip4_timeout + 5, reas_cfg2.ip4_timeout)
- self.assertEqual(reas_cfg1.ip4_max_reass * 2, reas_cfg2.ip4_max_reass)
- self.assertEqual(reas_cfg1.ip4_max_frag * 2, reas_cfg2.ip4_max_frag)
-
- self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=5,
- drop_frag=1)
- self.assertTrue(self.vapi.nat_get_reass().ip4_drop_frag)
-
def test_frag_in_order(self):
""" NAT44 translate fragments arriving in order """
@@ -3612,22 +3576,10 @@ class TestNAT44(MethodHolder):
sw_if_index=self.pg1.sw_if_index,
is_add=1)
- reas_cfg1 = self.vapi.nat_get_reass()
- # this test was intermittently failing in some cases
- # until we temporarily bump the reassembly timeouts
- self.vapi.nat_set_reass(timeout=20, max_reass=1024, max_frag=5,
- drop_frag=0)
-
self.frag_in_order(proto=IP_PROTOS.tcp)
self.frag_in_order(proto=IP_PROTOS.udp)
self.frag_in_order(proto=IP_PROTOS.icmp)
- # restore the reassembly timeouts
- self.vapi.nat_set_reass(timeout=reas_cfg1.ip4_timeout,
- max_reass=reas_cfg1.ip4_max_reass,
- max_frag=reas_cfg1.ip4_max_frag,
- drop_frag=reas_cfg1.ip4_drop_frag)
-
def test_frag_forwarding(self):
""" NAT44 forwarding fragment test """
self.vapi.nat44_add_del_interface_addr(
@@ -3772,60 +3724,6 @@ class TestNAT44(MethodHolder):
self.assertGreaterEqual(tcp.sport, 1025)
self.assertLessEqual(tcp.sport, 1027)
- def test_ipfix_max_frags(self):
- """ IPFIX logging maximum fragments pending reassembly exceeded """
- self.nat44_add_address(self.nat_addr)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg0.sw_if_index,
- flags=flags, is_add=1)
- self.vapi.nat44_interface_add_del_feature(
- sw_if_index=self.pg1.sw_if_index,
- is_add=1)
- self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=1,
- drop_frag=0)
- self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4,
- src_address=self.pg3.local_ip4,
- path_mtu=512,
- template_interval=10)
- self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id,
- src_port=self.ipfix_src_port,
- enable=1)
-
- data = b"A" * 4 + b"B" * 16 + b"C" * 3
- self.tcp_port_in = random.randint(1025, 65535)
- pkts = self.create_stream_frag(self.pg0,
- self.pg1.remote_ip4,
- self.tcp_port_in,
- 20,
- data)
- pkts.reverse()
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
- sleep(1)
- self.vapi.ipfix_flush()
- capture = self.pg3.get_capture(9)
- ipfix = IPFIXDecoder()
- # first load template
- for p in capture:
- self.assertTrue(p.haslayer(IPFIX))
- self.assertEqual(p[IP].src, self.pg3.local_ip4)
- self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
- self.assertEqual(p[UDP].sport, self.ipfix_src_port)
- self.assertEqual(p[UDP].dport, 4739)
- self.assertEqual(p[IPFIX].observationDomainID,
- self.ipfix_domain_id)
- if p.haslayer(Template):
- ipfix.add_template(p.getlayer(Template))
- # verify events in data set
- for p in capture:
- if p.haslayer(Data):
- data = ipfix.decode_data_set(p.getlayer(Set))
- self.verify_ipfix_max_fragments_ip4(data, 1,
- self.pg0.remote_ip4n)
-
def test_multiple_outside_vrf(self):
""" Multiple outside VRF """
vrf_id1 = 1
@@ -4323,7 +4221,6 @@ class TestNAT44(MethodHolder):
self.logger.info(self.vapi.cli("show nat44 static mappings"))
self.logger.info(self.vapi.cli("show nat44 interface address"))
self.logger.info(self.vapi.cli("show nat44 sessions detail"))
- self.logger.info(self.vapi.cli("show nat virtual-reassembly"))
self.logger.info(self.vapi.cli("show nat44 hash tables detail"))
self.logger.info(self.vapi.cli("show nat timeouts"))
self.logger.info(
@@ -4565,17 +4462,7 @@ class TestNAT44EndpointDependent(MethodHolder):
sw_if_index=self.pg1.sw_if_index,
is_add=1)
self.vapi.nat44_forwarding_enable_disable(enable=True)
- reas_cfg1 = self.vapi.nat_get_reass()
- # this test was intermittently failing in some cases
- # until we temporarily bump the reassembly timeouts
- self.vapi.nat_set_reass(timeout=20, max_reass=1024, max_frag=5,
- drop_frag=0)
self.frag_in_order(proto=IP_PROTOS.tcp, dont_translate=True)
- # restore the reassembly timeouts
- self.vapi.nat_set_reass(timeout=reas_cfg1.ip4_timeout,
- max_reass=reas_cfg1.ip4_max_reass,
- max_frag=reas_cfg1.ip4_max_frag,
- drop_frag=reas_cfg1.ip4_drop_frag)
def test_frag_out_of_order(self):
""" NAT44 translate fragments arriving out of order """
@@ -4643,9 +4530,6 @@ class TestNAT44EndpointDependent(MethodHolder):
self.server_out_addr,
proto=IP_PROTOS.icmp)
- self.vapi.nat_set_reass(timeout=10, max_reass=1024, max_frag=5,
- drop_frag=0)
-
self.frag_in_order_in_plus_out(proto=IP_PROTOS.tcp)
self.frag_in_order_in_plus_out(proto=IP_PROTOS.udp)
self.frag_in_order_in_plus_out(proto=IP_PROTOS.icmp)
@@ -4690,9 +4574,6 @@ class TestNAT44EndpointDependent(MethodHolder):
self.server_out_addr,
proto=IP_PROTOS.icmp)
- self.vapi.nat_set_reass(timeout=10, max_reass=1024, max_frag=5,
- drop_frag=0)
-
self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.tcp)
self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.udp)
self.frag_out_of_order_in_plus_out(proto=IP_PROTOS.icmp)
@@ -8756,9 +8637,6 @@ class TestNAT64(MethodHolder):
self.vapi.nat64_add_del_interface(is_add=1, flags=0,
sw_if_index=self.pg1.sw_if_index)
- reass = self.vapi.nat_reass_dump()
- reass_n_start = len(reass)
-
# in2out
data = b'a' * 200
pkts = self.create_stream_frag_ip6(self.pg0, self.pg1.remote_ip4,
@@ -8786,17 +8664,13 @@ class TestNAT64(MethodHolder):
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
frags = self.pg0.get_capture(len(pkts))
+ self.logger.debug(ppc("Captured:", frags))
src = self.compose_ip6(self.pg1.remote_ip4, '64:ff9b::', 96)
p = self.reass_frags_and_verify_ip6(frags, src, self.pg0.remote_ip6)
self.assertEqual(p[TCP].sport, 20)
self.assertEqual(p[TCP].dport, self.tcp_port_in)
self.assertEqual(data, p[Raw].load)
- reass = self.vapi.nat_reass_dump()
- reass_n_end = len(reass)
-
- self.assertEqual(reass_n_end - reass_n_start, 2)
-
def test_reass_hairpinning(self):
""" NAT64 fragments hairpinning """
data = b'a' * 200
@@ -8835,6 +8709,7 @@ class TestNAT64(MethodHolder):
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
frags = self.pg0.get_capture(len(pkts))
+ self.logger.debug(ppc("Captured:", frags))
p = self.reass_frags_and_verify_ip6(frags, nat_addr_ip6, server.ip6)
self.assertNotEqual(p[TCP].sport, client_in_port)
self.assertEqual(p[TCP].dport, server_in_port)
@@ -9007,57 +8882,6 @@ class TestNAT64(MethodHolder):
data = ipfix.decode_data_set(p.getlayer(Set))
self.verify_ipfix_max_bibs(data, max_bibs)
- def test_ipfix_max_frags(self):
- """ IPFIX logging maximum fragments pending reassembly exceeded """
- self.vapi.nat64_add_del_pool_addr_range(start_addr=self.nat_addr,
- end_addr=self.nat_addr,
- vrf_id=0xFFFFFFFF,
- is_add=1)
- flags = self.config_flags.NAT_IS_INSIDE
- self.vapi.nat64_add_del_interface(is_add=1, flags=flags,
- sw_if_index=self.pg0.sw_if_index)
- self.vapi.nat64_add_del_interface(is_add=1, flags=0,
- sw_if_index=self.pg1.sw_if_index)
- self.vapi.nat_set_reass(timeout=2, max_reass=1024, max_frag=1,
- drop_frag=0, is_ip6=1)
- self.vapi.set_ipfix_exporter(collector_address=self.pg3.remote_ip4,
- src_address=self.pg3.local_ip4,
- path_mtu=512,
- template_interval=10)
- self.vapi.nat_ipfix_enable_disable(domain_id=self.ipfix_domain_id,
- src_port=self.ipfix_src_port,
- enable=1)
-
- data = b'a' * 200
- pkts = self.create_stream_frag_ip6(self.pg0, self.pg1.remote_ip4,
- self.tcp_port_in, 20, data)
- pkts.reverse()
- self.pg0.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- self.pg1.assert_nothing_captured()
- sleep(1)
- self.vapi.ipfix_flush()
- capture = self.pg3.get_capture(9)
- ipfix = IPFIXDecoder()
- # first load template
- for p in capture:
- self.assertTrue(p.haslayer(IPFIX))
- self.assertEqual(p[IP].src, self.pg3.local_ip4)
- self.assertEqual(p[IP].dst, self.pg3.remote_ip4)
- self.assertEqual(p[UDP].sport, self.ipfix_src_port)
- self.assertEqual(p[UDP].dport, 4739)
- self.assertEqual(p[IPFIX].observationDomainID,
- self.ipfix_domain_id)
- if p.haslayer(Template):
- ipfix.add_template(p.getlayer(Template))
- # verify events in data set
- for p in capture:
- if p.haslayer(Data):
- data = ipfix.decode_data_set(p.getlayer(Set))
- self.verify_ipfix_max_fragments_ip6(data, 1,
- self.pg0.remote_ip6n)
-
def test_ipfix_bib_ses(self):
""" IPFIX logging NAT64 BIB/session create and delete events """
self.tcp_port_in = random.randint(1025, 65535)
@@ -9257,7 +9081,6 @@ class TestNAT64(MethodHolder):
self.logger.info(self.vapi.cli("show nat64 prefix"))
self.logger.info(self.vapi.cli("show nat64 bib all"))
self.logger.info(self.vapi.cli("show nat64 session table all"))
- self.logger.info(self.vapi.cli("show nat virtual-reassembly"))
class TestDSlite(MethodHolder):
@@ -9625,6 +9448,7 @@ class TestNAT66(MethodHolder):
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
capture = self.pg1.get_capture(len(pkts))
+
for packet in capture:
try:
self.assertEqual(packet[IPv6].src, self.nat_addr)