summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/plugins/snat/in2out.c206
-rw-r--r--test/test_snat.py111
2 files changed, 189 insertions, 128 deletions
diff --git a/src/plugins/snat/in2out.c b/src/plugins/snat/in2out.c
index ba752cf0d41..fba852c6fe1 100644
--- a/src/plugins/snat/in2out.c
+++ b/src/plugins/snat/in2out.c
@@ -115,6 +115,93 @@ typedef enum {
SNAT_IN2OUT_N_NEXT,
} snat_in2out_next_t;
+/**
+ * @brief Check if packet should be translated
+ *
+ * Packets aimed at outside interface and external addresss with active session
+ * should be translated.
+ *
+ * @param sm SNAT main
+ * @param rt SNAT runtime data
+ * @param sw_if_index0 index of the inside interface
+ * @param ip0 IPv4 header
+ * @param proto0 SNAT protocol
+ * @param rx_fib_index0 RX FIB index
+ *
+ * @returns 0 if packet should be translated otherwise 1
+ */
+static inline int
+snat_not_translate (snat_main_t * sm, snat_runtime_t * rt, u32 sw_if_index0,
+ ip4_header_t * ip0, u32 proto0, u32 rx_fib_index0)
+{
+ ip4_address_t * first_int_addr;
+ udp_header_t * udp0 = ip4_next_header (ip0);
+ snat_session_key_t key0, sm0;
+ clib_bihash_kv_8_8_t kv0, value0;
+ fib_node_index_t fei = FIB_NODE_INDEX_INVALID;
+ fib_prefix_t pfx = {
+ .fp_proto = FIB_PROTOCOL_IP4,
+ .fp_len = 32,
+ .fp_addr = {
+ .ip4.as_u32 = ip0->dst_address.as_u32,
+ },
+ };
+
+ if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
+ {
+ first_int_addr =
+ ip4_interface_first_address (sm->ip4_main, sw_if_index0,
+ 0 /* just want the address */);
+ rt->cached_sw_if_index = sw_if_index0;
+ if (first_int_addr)
+ rt->cached_ip4_address = first_int_addr->as_u32;
+ else
+ rt->cached_ip4_address = 0;
+ }
+
+ /* Don't NAT packet aimed at the intfc address */
+ if (PREDICT_FALSE(ip0->dst_address.as_u32 == rt->cached_ip4_address))
+ return 1;
+
+ key0.addr = ip0->dst_address;
+ key0.port = udp0->dst_port;
+ key0.protocol = proto0;
+ key0.fib_index = sm->outside_fib_index;
+ kv0.key = key0.as_u64;
+
+ /* NAT packet aimed at external address if */
+ /* has active sessions */
+ if (clib_bihash_search_8_8 (&sm->out2in, &kv0, &value0))
+ {
+ /* or is static mappings */
+ if (!snat_static_mapping_match(sm, key0, &sm0, 1))
+ return 0;
+ }
+ else
+ return 0;
+
+ fei = fib_table_lookup (rx_fib_index0, &pfx);
+ if (FIB_NODE_INDEX_INVALID != fei)
+ {
+ u32 sw_if_index = fib_entry_get_resolving_interface (fei);
+ if (sw_if_index == ~0)
+ {
+ fei = fib_table_lookup (sm->outside_fib_index, &pfx);
+ if (FIB_NODE_INDEX_INVALID != fei)
+ sw_if_index = fib_entry_get_resolving_interface (fei);
+ }
+ snat_interface_t *i;
+ pool_foreach (i, sm->interfaces,
+ ({
+ /* NAT packet aimed at outside interface */
+ if ((i->is_inside == 0) && (sw_if_index == i->sw_if_index))
+ return 0;
+ }));
+ }
+
+ return 1;
+}
+
static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
ip4_header_t * ip0,
u32 rx_fib_index0,
@@ -359,25 +446,10 @@ static inline u32 icmp_in2out_slow_path (snat_main_t *sm,
if (clib_bihash_search_8_8 (&sm->in2out, &kv0, &value0))
{
- ip4_address_t * first_int_addr;
-
- if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
- {
- first_int_addr =
- ip4_interface_first_address (sm->ip4_main, sw_if_index0,
- 0 /* just want the address */);
- rt->cached_sw_if_index = sw_if_index0;
- if (first_int_addr)
- rt->cached_ip4_address = first_int_addr->as_u32;
- else
- rt->cached_ip4_address = 0;
- }
-
- /* Don't NAT packet aimed at the intfc address */
- if (PREDICT_FALSE(ip0->dst_address.as_u32 ==
- rt->cached_ip4_address))
+ if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
+ IP_PROTOCOL_ICMP, rx_fib_index0)))
return next0;
-
+
next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
&s0, node, next0, cpu_index);
@@ -652,25 +724,10 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
{
if (is_slow_path)
{
- ip4_address_t * first_int_addr;
-
- if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
- {
- first_int_addr =
- ip4_interface_first_address (sm->ip4_main, sw_if_index0,
- 0 /* just want the address */);
- rt->cached_sw_if_index = sw_if_index0;
- if (first_int_addr)
- rt->cached_ip4_address = first_int_addr->as_u32;
- else
- rt->cached_ip4_address = 0;
- }
-
- /* Don't NAT packet aimed at the intfc address */
- if (PREDICT_FALSE(ip0->dst_address.as_u32 ==
- rt->cached_ip4_address))
+ if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
+ proto0, rx_fib_index0)))
goto trace00;
-
+
next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
&s0, node, next0, cpu_index);
if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
@@ -803,25 +860,10 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
{
if (is_slow_path)
{
- ip4_address_t * first_int_addr;
-
- if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index1))
- {
- first_int_addr =
- ip4_interface_first_address (sm->ip4_main, sw_if_index1,
- 0 /* just want the address */);
- rt->cached_sw_if_index = sw_if_index1;
- if (first_int_addr)
- rt->cached_ip4_address = first_int_addr->as_u32;
- else
- rt->cached_ip4_address = 0;
- }
-
- /* Don't NAT packet aimed at the intfc address */
- if (PREDICT_FALSE(ip1->dst_address.as_u32 ==
- rt->cached_ip4_address))
+ if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index1, ip1,
+ proto1, rx_fib_index1)))
goto trace01;
-
+
next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1,
&s1, node, next1, cpu_index);
if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP))
@@ -989,25 +1031,10 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
{
if (is_slow_path)
{
- ip4_address_t * first_int_addr;
-
- if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
- {
- first_int_addr =
- ip4_interface_first_address (sm->ip4_main, sw_if_index0,
- 0 /* just want the address */);
- rt->cached_sw_if_index = sw_if_index0;
- if (first_int_addr)
- rt->cached_ip4_address = first_int_addr->as_u32;
- else
- rt->cached_ip4_address = 0;
- }
-
- /* Don't NAT packet aimed at the intfc address */
- if (PREDICT_FALSE(ip0->dst_address.as_u32 ==
- rt->cached_ip4_address))
+ if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
+ proto0, rx_fib_index0)))
goto trace0;
-
+
next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0,
&s0, node, next0, cpu_index);
if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
@@ -1375,23 +1402,8 @@ static inline u32 icmp_in2out_static_map (snat_main_t *sm,
if (snat_static_mapping_match(sm, key0, &sm0, 0))
{
- ip4_address_t * first_int_addr;
-
- if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
- {
- first_int_addr =
- ip4_interface_first_address (sm->ip4_main, sw_if_index0,
- 0 /* just want the address */);
- rt->cached_sw_if_index = sw_if_index0;
- if (first_int_addr)
- rt->cached_ip4_address = first_int_addr->as_u32;
- else
- rt->cached_ip4_address = 0;
- }
-
- /* Don't NAT packet aimed at the intfc address */
- if (PREDICT_FALSE(ip0->dst_address.as_u32 ==
- rt->cached_ip4_address))
+ if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
+ IP_PROTOCOL_ICMP, rx_fib_index0)))
return next0;
b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
@@ -1498,20 +1510,8 @@ snat_in2out_fast_static_map_fn (vlib_main_t * vm,
if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
{
- ip4_address_t * first_int_addr;
-
- if (PREDICT_FALSE(rt->cached_sw_if_index != sw_if_index0))
- {
- first_int_addr =
- ip4_interface_first_address (sm->ip4_main, sw_if_index0,
- 0 /* just want the address */);
- rt->cached_sw_if_index = sw_if_index0;
- rt->cached_ip4_address = first_int_addr->as_u32;
- }
-
- /* Don't NAT packet aimed at the intfc address */
- if (PREDICT_FALSE(ip0->dst_address.as_u32 ==
- rt->cached_ip4_address))
+ if (PREDICT_FALSE(snat_not_translate(sm, rt, sw_if_index0, ip0,
+ proto0, rx_fib_index0)))
goto trace0;
next0 = icmp_in2out_static_map
diff --git a/test/test_snat.py b/test/test_snat.py
index 1abb3daaa40..09fdb108c0b 100644
--- a/test/test_snat.py
+++ b/test/test_snat.py
@@ -41,11 +41,19 @@ class TestSNAT(VppTestCase):
cls.overlapping_interfaces = list(list(cls.pg_interfaces[4:7]))
+ cls.pg4._local_ip4 = "172.16.255.1"
+ cls.pg4._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
+ cls.pg4._remote_hosts[0]._ip4 = "172.16.255.2"
+ cls.pg4.set_table_ip4(10)
+ cls.pg5._local_ip4 = "172.16.255.3"
+ cls.pg5._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
+ cls.pg5._remote_hosts[0]._ip4 = "172.16.255.4"
+ cls.pg5.set_table_ip4(10)
+ cls.pg6._local_ip4 = "172.16.255.1"
+ cls.pg6._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
+ cls.pg6._remote_hosts[0]._ip4 = "172.16.255.2"
+ cls.pg6.set_table_ip4(20)
for i in cls.overlapping_interfaces:
- i._local_ip4 = "172.16.255.1"
- i._local_ip4n = socket.inet_pton(socket.AF_INET, i.local_ip4)
- i._remote_hosts[0]._ip4 = "172.16.255.2"
- i.set_table_ip4(i.sw_if_index)
i.config_ip4()
i.admin_up()
i.resolve_arp()
@@ -178,6 +186,29 @@ class TestSNAT(VppTestCase):
"(inside network):", packet))
raise
+ def verify_capture_no_translation(self, capture, ingress_if, egress_if):
+ """
+ Verify captured packet that don't have to be translated
+
+ :param capture: Captured packets
+ :param ingress_if: Ingress interface
+ :param egress_if: Egress interface
+ """
+ for packet in capture:
+ try:
+ self.assertEqual(packet[IP].src, ingress_if.remote_ip4)
+ self.assertEqual(packet[IP].dst, egress_if.remote_ip4)
+ if packet.haslayer(TCP):
+ self.assertEqual(packet[TCP].sport, self.tcp_port_in)
+ elif packet.haslayer(UDP):
+ self.assertEqual(packet[UDP].sport, self.udp_port_in)
+ else:
+ self.assertEqual(packet[ICMP].id, self.icmp_id_in)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet "
+ "(inside network):", packet))
+ raise
+
def verify_ipfix_nat44_ses(self, data):
"""
Verify IPFIX NAT44 session create/delete event
@@ -462,9 +493,9 @@ class TestSNAT(VppTestCase):
self.icmp_id_out = 6305
self.snat_add_static_mapping(self.pg4.remote_ip4, nat_ip1,
- vrf_id=self.pg4.sw_if_index)
+ vrf_id=10)
self.snat_add_static_mapping(self.pg0.remote_ip4, nat_ip2,
- vrf_id=self.pg4.sw_if_index)
+ vrf_id=10)
self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
is_inside=0)
self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
@@ -494,10 +525,25 @@ class TestSNAT(VppTestCase):
self.snat_add_address(self.snat_addr)
self.vapi.snat_interface_add_del_feature(self.pg0.sw_if_index)
self.vapi.snat_interface_add_del_feature(self.pg1.sw_if_index)
- self.vapi.snat_interface_add_del_feature(self.pg2.sw_if_index)
self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
is_inside=0)
+ # between two S-NAT inside interfaces (no translation)
+ pkts = self.create_stream_in(self.pg0, self.pg1)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg1.get_capture(len(pkts))
+ self.verify_capture_no_translation(capture, self.pg0, self.pg1)
+
+ # from S-NAT inside to interface without S-NAT feature (no translation)
+ pkts = self.create_stream_in(self.pg0, self.pg2)
+ self.pg0.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg2.get_capture(len(pkts))
+ self.verify_capture_no_translation(capture, self.pg0, self.pg2)
+
# in2out 1st interface
pkts = self.create_stream_in(self.pg0, self.pg3)
self.pg0.add_stream(pkts)
@@ -530,31 +576,46 @@ class TestSNAT(VppTestCase):
capture = self.pg1.get_capture(len(pkts))
self.verify_capture_in(capture, self.pg1)
- # in2out 3rd interface
- pkts = self.create_stream_in(self.pg2, self.pg3)
- self.pg2.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg3.get_capture(len(pkts))
- self.verify_capture_out(capture)
-
- # out2in 3rd interface
- pkts = self.create_stream_out(self.pg3)
- self.pg3.add_stream(pkts)
- self.pg_enable_capture(self.pg_interfaces)
- self.pg_start()
- capture = self.pg2.get_capture(len(pkts))
- self.verify_capture_in(capture, self.pg2)
-
def test_inside_overlapping_interfaces(self):
""" SNAT multiple inside interfaces with overlapping address space """
+ static_nat_ip = "10.0.0.10"
self.snat_add_address(self.snat_addr)
self.vapi.snat_interface_add_del_feature(self.pg3.sw_if_index,
is_inside=0)
self.vapi.snat_interface_add_del_feature(self.pg4.sw_if_index)
self.vapi.snat_interface_add_del_feature(self.pg5.sw_if_index)
self.vapi.snat_interface_add_del_feature(self.pg6.sw_if_index)
+ self.snat_add_static_mapping(self.pg6.remote_ip4, static_nat_ip,
+ vrf_id=20)
+
+ # between S-NAT inside interfaces with same VRF (no translation)
+ pkts = self.create_stream_in(self.pg4, self.pg5)
+ self.pg4.add_stream(pkts)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg5.get_capture(len(pkts))
+ self.verify_capture_no_translation(capture, self.pg4, self.pg5)
+
+ # between S-NAT inside interfaces with different VRF (hairpinning)
+ p = (Ether(src=self.pg4.remote_mac, dst=self.pg4.local_mac) /
+ IP(src=self.pg4.remote_ip4, dst=static_nat_ip) /
+ TCP(sport=1234, dport=5678))
+ self.pg4.add_stream(p)
+ self.pg_enable_capture(self.pg_interfaces)
+ self.pg_start()
+ capture = self.pg6.get_capture(1)
+ p = capture[0]
+ try:
+ ip = p[IP]
+ tcp = p[TCP]
+ self.assertEqual(ip.src, self.snat_addr)
+ self.assertEqual(ip.dst, self.pg6.remote_ip4)
+ self.assertNotEqual(tcp.sport, 1234)
+ self.assertEqual(tcp.dport, 5678)
+ except:
+ self.logger.error(ppp("Unexpected or invalid packet:", p))
+ raise
# in2out 1st interface
pkts = self.create_stream_in(self.pg4, self.pg3)
@@ -594,10 +655,10 @@ class TestSNAT(VppTestCase):
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
capture = self.pg3.get_capture(len(pkts))
- self.verify_capture_out(capture)
+ self.verify_capture_out(capture, static_nat_ip, True)
# out2in 3rd interface
- pkts = self.create_stream_out(self.pg3)
+ pkts = self.create_stream_out(self.pg3, static_nat_ip)
self.pg3.add_stream(pkts)
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()