summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xsrc/plugins/nat/in2out.c65
-rwxr-xr-xsrc/plugins/nat/out2in.c58
-rw-r--r--test/test_nat.py44
3 files changed, 161 insertions, 6 deletions
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c
index 003b1ad3858..24895a0fb11 100755
--- a/src/plugins/nat/in2out.c
+++ b/src/plugins/nat/in2out.c
@@ -470,6 +470,47 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
return 0;
}
+static inline int
+nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip)
+{
+ nat_ed_ses_key_t key;
+ clib_bihash_kv_16_8_t kv, value;
+ udp_header_t *udp;
+
+ if (!sm->forwarding_enabled)
+ return 0;
+
+ if (ip->protocol == IP_PROTOCOL_ICMP)
+ {
+ if (icmp_get_ed_key (ip, &key))
+ return 0;
+ }
+ else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
+ {
+ udp = ip4_next_header(ip);
+ key.l_addr = ip->src_address;
+ key.r_addr = ip->dst_address;
+ key.proto = ip->protocol;
+ key.r_port = udp->dst_port;
+ key.l_port = udp->src_port;
+ }
+ else
+ {
+ key.l_addr = ip->src_address;
+ key.r_addr = ip->dst_address;
+ key.proto = ip->protocol;
+ key.l_port = key.r_port = 0;
+ }
+ key.fib_index = 0;
+ kv.key[0] = key.as_u64[0];
+ kv.key[1] = key.as_u64[1];
+
+ if (!clib_bihash_search_16_8 (&sm->in2out_ed, &kv, &value))
+ return value.value == ~0ULL;
+
+ return 0;
+}
+
/**
* Get address and port values to be used for ICMP packet translation
* and create session if needed
@@ -1290,6 +1331,8 @@ snat_in2out_lb (snat_main_t *sm,
if (!clib_bihash_search_16_8 (&sm->in2out_ed, &s_kv, &s_value))
{
+ if (s_value.value == ~0ULL)
+ return 0;
s = pool_elt_at_index (tsm->sessions, s_value.value);
}
else
@@ -1524,6 +1567,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
else
{
+ if (is_output_feature)
+ {
+ if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
+ goto trace00;
+ }
+
if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
@@ -1710,6 +1759,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
else
{
+ if (is_output_feature)
+ {
+ if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip1)))
+ goto trace01;
+ }
+
if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP))
{
next1 = SNAT_IN2OUT_NEXT_SLOW_PATH;
@@ -1723,8 +1778,6 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
}
- b1->flags |= VNET_BUFFER_F_IS_NATED;
-
key1.addr = ip1->src_address;
key1.port = udp1->src_port;
key1.protocol = proto1;
@@ -1787,6 +1840,8 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
}
+ b1->flags |= VNET_BUFFER_F_IS_NATED;
+
old_addr1 = ip1->src_address.as_u32;
ip1->src_address = s1->out2in.addr;
new_addr1 = ip1->src_address.as_u32;
@@ -1932,6 +1987,12 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
}
else
{
+ if (is_output_feature)
+ {
+ if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(sm, ip0)))
+ goto trace0;
+ }
+
if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP))
{
next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c
index a03f780ba5e..4589c48aef6 100755
--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -311,6 +311,43 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
return 0;
}
+static void
+create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
+{
+ nat_ed_ses_key_t key;
+ clib_bihash_kv_16_8_t kv;
+ udp_header_t *udp;
+
+ if (ip->protocol == IP_PROTOCOL_ICMP)
+ {
+ if (icmp_get_ed_key (ip, &key))
+ return;
+ }
+ else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP)
+ {
+ udp = ip4_next_header(ip);
+ key.r_addr = ip->src_address;
+ key.l_addr = ip->dst_address;
+ key.proto = ip->protocol;
+ key.l_port = udp->dst_port;
+ key.r_port = udp->src_port;
+ }
+ else
+ {
+ key.r_addr = ip->src_address;
+ key.l_addr = ip->dst_address;
+ key.proto = ip->protocol;
+ key.l_port = key.r_port = 0;
+ }
+ key.fib_index = 0;
+ kv.key[0] = key.as_u64[0];
+ kv.key[1] = key.as_u64[1];
+ kv.value = ~0ULL;
+
+ if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &kv, 1))
+ clib_warning ("in2out_ed key add failed");
+}
+
/**
* Get address and port values to be used for ICMP packet translation
* and create session if needed
@@ -382,6 +419,7 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
}
else
{
+ create_bypass_for_fwd(sm, ip0);
dont_translate = 1;
goto out;
}
@@ -1116,7 +1154,10 @@ snat_out2in_node_fn (vlib_main_t * vm,
goto trace0;
}
else
- goto trace0;
+ {
+ create_bypass_for_fwd(sm, ip0);
+ goto trace0;
+ }
}
/* Create session initiated by host from external network */
@@ -1283,7 +1324,10 @@ snat_out2in_node_fn (vlib_main_t * vm,
goto trace1;
}
else
- goto trace1;
+ {
+ create_bypass_for_fwd(sm, ip1);
+ goto trace1;
+ }
}
/* Create session initiated by host from external network */
@@ -1486,7 +1530,10 @@ snat_out2in_node_fn (vlib_main_t * vm,
goto trace00;
}
else
- goto trace00;
+ {
+ create_bypass_for_fwd(sm, ip0);
+ goto trace00;
+ }
}
/* Create session initiated by host from external network */
@@ -1730,7 +1777,10 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm,
goto trace0;
}
else
- goto trace0;
+ {
+ create_bypass_for_fwd(sm, ip0);
+ goto trace0;
+ }
}
/* Create session initiated by host from external network */
diff --git a/test/test_nat.py b/test/test_nat.py
index 7ff3f8517ad..ec2009ef6fd 100644
--- a/test/test_nat.py
+++ b/test/test_nat.py
@@ -3369,6 +3369,50 @@ class TestNAT44(MethodHolder):
self.logger.error(ppp("Unexpected or invalid packet:", p))
raise
+ def test_output_feature_and_service2(self):
+ """ NAT44 interface output feature and service host direct access """
+ self.vapi.nat44_forwarding_enable_disable(1)
+ self.nat44_add_address(self.nat_addr)
+ self.vapi.nat44_interface_add_del_output_feature(self.pg1.sw_if_index,
+ is_inside=0)
+
+ # session initiaded from service host - translate
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture)
+
+ pkts = self.create_stream_out(self.pg1)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ tcp_port_out = self.tcp_port_out
+ udp_port_out = self.udp_port_out
+ icmp_id_out = self.icmp_id_out
+
+ # session initiaded from remote host - do not translate
+ pkts = self.create_stream_out(self.pg1,
+ self.pg0.remote_ip4,
+ use_inside_ports=True)
+ self.pg1.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg0.get_capture(len(pkts))
+ self.verify_capture_in(capture, self.pg0)
+
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_out(capture, nat_ip=self.pg0.remote_ip4,
+ same_port=True)
+
def test_one_armed_nat44(self):
""" One armed NAT44 """
remote_host = self.pg9.remote_hosts[0]