diff options
author | Matus Fabian <matfabia@cisco.com> | 2018-03-01 04:48:33 -0800 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2018-03-02 08:48:40 +0000 |
commit | 204591d1bd754f6086edcf8b27a95beab929a78f (patch) | |
tree | b54da1cc1b15dd7b2155e13d6e2487ea7544d810 /src | |
parent | 8996cb6f77e7ddaf892fef646dfcbe72c47d8b7c (diff) |
NAT44: interface output feature and service host direct access (VPP-1176)
forwarding mode:
session initiaded from service host - translate
session initiaded from remote host - do not translate
Change-Id: I48170ee8e4ad14d3d3083ee31a40ef8d10d6ff32
Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'src')
-rwxr-xr-x | src/plugins/nat/in2out.c | 65 | ||||
-rwxr-xr-x | src/plugins/nat/out2in.c | 58 |
2 files changed, 117 insertions, 6 deletions
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c index 003b1ad3858..24895a0fb11 100755 --- a/src/plugins/nat/in2out.c +++ b/src/plugins/nat/in2out.c @@ -470,6 +470,47 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) return 0; } +static inline int +nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv, value; + udp_header_t *udp; + + if (!sm->forwarding_enabled) + return 0; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return 0; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header(ip); + key.l_addr = ip->src_address; + key.r_addr = ip->dst_address; + key.proto = ip->protocol; + key.r_port = udp->dst_port; + key.l_port = udp->src_port; + } + else + { + key.l_addr = ip->src_address; + key.r_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + + if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value)) + return value.value == ~0ULL; + + return 0; +} + /** * Get address and port values to be used for ICMP packet translation * and create session if needed @@ -1290,6 +1331,8 @@ snat_in2out_lb (snat_main_t *sm, if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value)) { + if (s_value.value == ~0ULL) + return 0; s = pool_elt_at_index (tsm->sessions, s_value.value); } else @@ -1524,6 +1567,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0))) + goto trace00; + } + if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) { next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; @@ -1710,6 +1759,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1))) + goto trace01; + } + if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP)) { next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; @@ -1723,8 +1778,6 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } } - b1->flags |= VNET_BUFFER_F_IS_NATED; - key1.addr = ip1->src_address; key1.port = udp1->src_port; key1.protocol = proto1; @@ -1787,6 +1840,8 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } } + b1->flags |= VNET_BUFFER_F_IS_NATED; + old_addr1 = ip1->src_address.as_u32; ip1->src_address = s1->out2in.addr; new_addr1 = ip1->src_address.as_u32; @@ -1932,6 +1987,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } else { + if (is_output_feature) + { + if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0))) + goto trace0; + } + if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) { next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c index a03f780ba5e..4589c48aef6 100755 --- a/src/plugins/nat/out2in.c +++ b/src/plugins/nat/out2in.c @@ -311,6 +311,43 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) return 0; } +static void +create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv; + udp_header_t *udp; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header(ip); + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = udp->dst_port; + key.r_port = udp->src_port; + } + else + { + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + kv.value = ~0ULL; + + if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1)) + clib_warning ("in2out_ed key add failed"); +} + /** * Get address and port values to be used for ICMP packet translation * and create session if needed @@ -382,6 +419,7 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, } else { + create_bypass_for_fwd(sm, ip0); dont_translate = 1; goto out; } @@ -1116,7 +1154,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace0; } else - goto trace0; + { + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ @@ -1283,7 +1324,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace1; } else - goto trace1; + { + create_bypass_for_fwd(sm, ip1); + goto trace1; + } } /* Create session initiated by host from external network */ @@ -1486,7 +1530,10 @@ snat_out2in_node_fn (vlib_main_t * vm, goto trace00; } else - goto trace00; + { + create_bypass_for_fwd(sm, ip0); + goto trace00; + } } /* Create session initiated by host from external network */ @@ -1730,7 +1777,10 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, goto trace0; } else - goto trace0; + { + create_bypass_for_fwd(sm, ip0); + goto trace0; + } } /* Create session initiated by host from external network */ |