From ab395ec884d0ec9279893b1695379e97acd1f24d Mon Sep 17 00:00:00 2001 From: Matus Fabian Date: Thu, 20 Sep 2018 23:18:41 -0700 Subject: NAT: Refactoring / Housekeeping (VPP-1415) Change-Id: Ia3ce24cc94f9b2fb331ad62a4181ddcd41bc78ca Signed-off-by: Matus Fabian
---
 src/plugins/nat/CMakeLists.txt | 8 +
 src/plugins/nat/dslite.h | 1 -
 src/plugins/nat/dslite_in2out.c | 7 +-
 src/plugins/nat/in2out.c | 6209 +++++++----------------------------
 src/plugins/nat/in2out_ed.c | 2067 ++++++++++++
 src/plugins/nat/nat.c | 2701 ++++++---------
 src/plugins/nat/nat.h | 812 +++--
 src/plugins/nat/nat44_classify.c | 516 +++
 src/plugins/nat/nat44_hairpinning.c | 934 ++++++
 src/plugins/nat/nat44_handoff.c | 229 ++
 src/plugins/nat/nat64.c | 3 +-
 src/plugins/nat/nat64_in2out.c | 193 +-
 src/plugins/nat/nat64_out2in.c | 193 +-
 src/plugins/nat/nat_det_in2out.c | 884 +++++
 src/plugins/nat/nat_det_out2in.c | 717 ++++
 src/plugins/nat/nat_format.c | 332 ++
 src/plugins/nat/nat_inlines.h | 73 +
 src/plugins/nat/out2in.c | 4729 ++++++-------------------
 src/plugins/nat/out2in_ed.c | 1868 +++++++++++
 19 files changed, 11555 insertions(+), 10921 deletions(-)
 create mode 100644 src/plugins/nat/in2out_ed.c
 create mode 100644 src/plugins/nat/nat44_classify.c
 create mode 100644 src/plugins/nat/nat44_hairpinning.c
 create mode 100644 src/plugins/nat/nat44_handoff.c
 create mode 100644 src/plugins/nat/nat_det_in2out.c
 create mode 100644 src/plugins/nat/nat_det_out2in.c
 create mode 100644 src/plugins/nat/nat_format.c
 create mode 100644 src/plugins/nat/out2in_ed.c
(limited to 'src/plugins/nat')
diff --git a/src/plugins/nat/CMakeLists.txt b/src/plugins/nat/CMakeLists.txt
index 20cf0e70a9e..76662f96cf3 100644
--- a/src/plugins/nat/CMakeLists.txt
+++ b/src/plugins/nat/CMakeLists.txt
@@ -16,12 +16,19 @@ add_vpp_plugin(nat nat.c nat_api.c in2out.c + in2out_ed.c out2in.c + out2in_ed.c nat_ipfix_logging.c nat_det.c + nat_det_in2out.c + nat_det_out2in.c nat_reass.c nat_dpo.c nat44_cli.c + nat44_handoff.c + nat44_hairpinning.c + nat44_classify.c nat64.c nat64_cli.c nat64_in2out.c @@ -39,6 +46,7 @@ add_vpp_plugin(nat nat66_in2out.c nat66_out2in.c nat_affinity.c + nat_format.c API_FILES nat.api diff --git a/src/plugins/nat/dslite.h b/src/plugins/nat/dslite.h index 6a1c2ecd709..73902e3a077 100644 --- a/src/plugins/nat/dslite.h +++ b/src/plugins/nat/dslite.h @@ -46,7 +46,6 @@ typedef CLIB_PACKED (struct f64 last_heard; u64 total_bytes; u32 total_pkts; - u32 outside_address_index; }) dslite_session_t; /* *INDENT-ON* */ diff --git a/src/plugins/nat/dslite_in2out.c b/src/plugins/nat/dslite_in2out.c index 8f5a0c0e248..4eec5958da9 100644 --- a/src/plugins/nat/dslite_in2out.c +++ b/src/plugins/nat/dslite_in2out.c @@ -45,7 +45,6 @@ slow_path (dslite_main_t * dm, dslite_session_key_t * in2out_key, u32 oldest_index; dslite_session_t *s; snat_session_key_t out2in_key; - u32 address_index; out2in_key.protocol = in2out_key->proto; out2in_key.fib_index = 0; @@ -104,17 +103,16 @@ slow_path (dslite_main_t * dm, dslite_session_key_t * in2out_key, &out2in_kv, 0); snat_free_outside_address_and_port (dm->addr_pool, thread_index, &s->out2in); - s->outside_address_index = ~0; if (snat_alloc_outside_address_and_port (dm->addr_pool, 0, thread_index, &out2in_key, - &s->outside_address_index, dm->port_per_thread, thread_index)) + dm->port_per_thread, thread_index)) ASSERT (0); } else { if (snat_alloc_outside_address_and_port - (dm->addr_pool, 0, thread_index, &out2in_key, &address_index, + (dm->addr_pool, 0, thread_index, &out2in_key, dm->port_per_thread, thread_index)) { *error = DSLITE_ERROR_OUT_OF_PORTS; 
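Review bot: In the dslite_in2out.c branch that re-allocates a session's outside address (the first `snat_alloc_outside_address_and_port` call in the -104 hunk), an allocation failure is handled only by `ASSERT (0);`, which compiles to nothing in VPP builds without CLIB_DEBUG, so under port exhaustion the session presumably continues with the out2in key that `snat_free_outside_address_and_port` has just released. The else branch already handles the same failure by setting `*error = DSLITE_ERROR_OUT_OF_PORTS;`; the re-allocation branch should fail the same way instead of asserting. The commit only drops the `outside_address_index` argument here and leaves this path as it was; slow_path continues on both sides of the hunk.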
@@ -122,7 +120,6 @@ slow_path (dslite_main_t * dm, dslite_session_key_t * in2out_key, } pool_get (dm->per_thread_data[thread_index].sessions, s); memset (s, 0, sizeof (*s)); - s->outside_address_index = address_index; b4->nsessions++; pool_get (dm->per_thread_data[thread_index].list_pool, elt); diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c index 335bd85c298..53aca8b5773 100755 --- a/src/plugins/nat/in2out.c +++ b/src/plugins/nat/in2out.c @@ -12,18 +12,20 @@ * See the License for the specific language governing permissions and * limitations under the License. */ +/** + * @file + * @brief NAT44 inside to outside network translation + */ #include #include #include -#include #include #include #include #include #include -#include #include #include 
@@ -31,75 +33,40 @@ #include #include -typedef struct { +typedef struct +{ u32 sw_if_index; u32 next_index; u32 session_index; u32 is_slow_path; } snat_in2out_trace_t; -typedef struct { - u32 next_worker_index; - u8 do_handoff; -} snat_in2out_worker_handoff_trace_t; - /* packet trace format function */ -static u8 * format_snat_in2out_trace (u8 * s, va_list * args) +static u8 * +format_snat_in2out_trace (u8 * s, va_list * args) { CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *); - char * tag; + snat_in2out_trace_t *t = va_arg (*args, snat_in2out_trace_t *); + char *tag; tag = t->is_slow_path ? "NAT44_IN2OUT_SLOW_PATH" : "NAT44_IN2OUT_FAST_PATH"; s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag, - t->sw_if_index, t->next_index, t->session_index); + t->sw_if_index, t->next_index, t->session_index); return s; } -static u8 * format_snat_in2out_fast_trace (u8 * s, va_list * args) +static u8 * +format_snat_in2out_fast_trace (u8 * s, va_list * args) { CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - snat_in2out_trace_t * t = va_arg (*args, snat_in2out_trace_t *); + snat_in2out_trace_t *t = va_arg (*args, snat_in2out_trace_t *); s = format (s, "NAT44_IN2OUT_FAST: sw_if_index %d, next index %d", - t->sw_if_index, t->next_index); - - return s; -} - -static u8 * format_snat_in2out_worker_handoff_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - snat_in2out_worker_handoff_trace_t * t = - va_arg (*args, snat_in2out_worker_handoff_trace_t *); - char * m; - - m = t->do_handoff ? 
"next worker" : "same worker"; - s = format (s, "NAT44_IN2OUT_WORKER_HANDOFF: %s %d", m, t->next_worker_index); - - return s; -} - -typedef struct { - u32 sw_if_index; - u32 next_index; - u8 cached; -} nat44_in2out_reass_trace_t; - -static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - nat44_in2out_reass_trace_t * t = va_arg (*args, nat44_in2out_reass_trace_t *); - - s = format (s, "NAT44_IN2OUT_REASS: sw_if_index %d, next index %d, status %s", - t->sw_if_index, t->next_index, - t->cached ? "cached" : "translated"); + t->sw_if_index, t->next_index); return s; } @@ -107,23 +74,9 @@ static u8 * format_nat44_in2out_reass_trace (u8 * s, va_list * args) vlib_node_registration_t snat_in2out_node; vlib_node_registration_t snat_in2out_slowpath_node; vlib_node_registration_t snat_in2out_fast_node; -vlib_node_registration_t snat_in2out_worker_handoff_node; -vlib_node_registration_t snat_det_in2out_node; vlib_node_registration_t snat_in2out_output_node; vlib_node_registration_t snat_in2out_output_slowpath_node; -vlib_node_registration_t snat_in2out_output_worker_handoff_node; -vlib_node_registration_t snat_hairpin_dst_node; -vlib_node_registration_t snat_hairpin_src_node; -vlib_node_registration_t nat44_hairpinning_node; vlib_node_registration_t nat44_in2out_reass_node; -vlib_node_registration_t nat44_ed_in2out_node; -vlib_node_registration_t nat44_ed_in2out_slowpath_node; -vlib_node_registration_t nat44_ed_in2out_output_node; -vlib_node_registration_t nat44_ed_in2out_output_slowpath_node; -vlib_node_registration_t nat44_ed_hairpin_dst_node; -vlib_node_registration_t nat44_ed_hairpin_src_node; -vlib_node_registration_t nat44_ed_hairpinning_node; -vlib_node_registration_t nat44_ed_in2out_reass_node; #define foreach_snat_in2out_error \ _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \ 
@@ -135,23 +88,24 @@ _(NO_TRANSLATION, "No translation") \ _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \ _(DROP_FRAGMENT, "Drop fragment") \ _(MAX_REASS, "Maximum reassemblies exceeded") \ -_(MAX_FRAG, "Maximum fragments per reassembly exceeded")\ -_(FQ_CONGESTED, "Handoff frame queue congested") +_(MAX_FRAG, "Maximum fragments per reassembly exceeded") -typedef enum { +typedef enum +{ #define _(sym,str) SNAT_IN2OUT_ERROR_##sym, foreach_snat_in2out_error #undef _ - SNAT_IN2OUT_N_ERROR, + SNAT_IN2OUT_N_ERROR, } snat_in2out_error_t; -static char * snat_in2out_error_strings[] = { +static char *snat_in2out_error_strings[] = { #define _(sym,string) string, foreach_snat_in2out_error #undef _ }; -typedef enum { +typedef enum +{ SNAT_IN2OUT_NEXT_LOOKUP, SNAT_IN2OUT_NEXT_DROP, SNAT_IN2OUT_NEXT_ICMP_ERROR, 
@@ -160,90 +114,12 @@ typedef enum { SNAT_IN2OUT_N_NEXT, } snat_in2out_next_t; -typedef enum { - SNAT_HAIRPIN_SRC_NEXT_DROP, - SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT, - SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH, - SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT, - SNAT_HAIRPIN_SRC_N_NEXT, -} snat_hairpin_next_t; - -/** - * @brief Check if packet should be translated - * - * Packets aimed at outside interface and external address with active session - * should be translated. - * - * @param sm NAT main - * @param rt NAT runtime data - * @param sw_if_index0 index of the inside interface - * @param ip0 IPv4 header - * @param proto0 NAT protocol - * @param rx_fib_index0 RX FIB index - * - * @returns 0 if packet should be translated otherwise 1 - */ -static inline int -snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t *node, - u32 sw_if_index0, ip4_header_t * ip0, u32 proto0, - u32 rx_fib_index0) -{ - if (sm->out2in_dpo) - return 0; - - fib_node_index_t fei = FIB_NODE_INDEX_INVALID; - nat_outside_fib_t *outside_fib; - fib_prefix_t pfx = { - .fp_proto = FIB_PROTOCOL_IP4, - .fp_len = 32, - .fp_addr = { - .ip4.as_u32 = ip0->dst_address.as_u32, - }, - }; - - /* Don't NAT packet aimed at the intfc address */ - if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0, - ip0->dst_address.as_u32))) - return 1; - - fei = fib_table_lookup (rx_fib_index0, &pfx); - if (FIB_NODE_INDEX_INVALID != fei) - { - u32 sw_if_index = fib_entry_get_resolving_interface (fei); - if (sw_if_index == ~0) - { - vec_foreach (outside_fib, sm->outside_fibs) - { - fei = fib_table_lookup (outside_fib->fib_index, &pfx); - if (FIB_NODE_INDEX_INVALID != fei) - { - sw_if_index = fib_entry_get_resolving_interface (fei); - if (sw_if_index != ~0) - break; - } - } - } - if (sw_if_index == ~0) - return 1; - - snat_interface_t *i; - pool_foreach (i, sm->interfaces, - ({ - /* NAT packet aimed at outside interface */ - if ((nat_interface_is_outside(i)) && (sw_if_index == i->sw_if_index)) - return 0; - })); - } - - return 
1; -} - static inline int -snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node, - u32 sw_if_index0, ip4_header_t * ip0, u32 proto0, - u32 rx_fib_index0, u32 thread_index) +snat_not_translate (snat_main_t * sm, vlib_node_runtime_t * node, + u32 sw_if_index0, ip4_header_t * ip0, u32 proto0, + u32 rx_fib_index0, u32 thread_index) { - udp_header_t * udp0 = ip4_next_header (ip0); + udp_header_t *udp0 = ip4_next_header (ip0); snat_session_key_t key0, sm0; clib_bihash_kv_8_8_t kv0, value0; @@ -256,11 +132,11 @@ snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node, /* NAT packet aimed at external address if */ /* has active sessions */ if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0, - &value0)) + &value0)) { /* or is static mappings */ - if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0)) - return 0; + if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0)) + return 0; } else return 0; @@ -268,14 +144,14 @@ snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node, if (sm->forwarding_enabled) return 1; - return snat_not_translate_fast(sm, node, sw_if_index0, ip0, proto0, - rx_fib_index0); + return snat_not_translate_fast (sm, node, sw_if_index0, ip0, proto0, + rx_fib_index0); } static inline int nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0, - u32 proto0, u16 src_port, u16 dst_port, - u32 thread_index, u32 sw_if_index) + u32 proto0, u16 src_port, u16 dst_port, + u32 thread_index, u32 sw_if_index) { snat_session_key_t key0; clib_bihash_kv_8_8_t kv0, value0; @@ -288,8 +164,8 @@ nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0, key0.fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index); kv0.key = key0.as_u64; - if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0, - &value0)) + if (!clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].out2in, &kv0, &value0)) return 1; /* dst NAT check */ 
@@ -297,50 +173,52 @@ nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0, key0.port = dst_port; key0.protocol = proto0; kv0.key = key0.as_u64; - if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0, - &value0)) - { - /* hairpinning */ + if (!clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].in2out, &kv0, &value0)) + { + /* hairpinning */ + /* *INDENT-OFF* */ pool_foreach (i, sm->output_feature_interfaces, ({ if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index)) return 0; })); - return 1; - } + /* *INDENT-ON* */ + return 1; + } return 0; } int -nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void * arg) +nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg) { snat_main_t *sm = &snat_main; nat44_is_idle_session_ctx_t *ctx = arg; snat_session_t *s; u64 sess_timeout_time; snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, - ctx->thread_index); + ctx->thread_index); clib_bihash_kv_8_8_t s_kv; s = pool_elt_at_index (tsm->sessions, kv->value); - sess_timeout_time = s->last_heard + (f64)nat44_session_get_timeout(sm, s); + sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s); if (ctx->now >= sess_timeout_time) { s_kv.key = s->out2in.as_u64; if (clib_bihash_add_del_8_8 (&tsm->out2in, &s_kv, 0)) - nat_log_warn ("out2in key del failed"); + nat_log_warn ("out2in key del failed"); - snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); + snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, + s->in2out.fib_index); if (!snat_is_session_static (s)) - snat_free_outside_address_and_port (sm->addresses, ctx->thread_index, - &s->out2in); + snat_free_outside_address_and_port (sm->addresses, ctx->thread_index, + &s->out2in); nat44_delete_session (sm, s, 
ctx->thread_index); return 1; @@ -349,22 +227,19 @@ nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void * arg) return 0; } -static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0, - ip4_header_t * ip0, - u32 rx_fib_index0, - snat_session_key_t * key0, - snat_session_t ** sessionp, - vlib_node_runtime_t * node, - u32 next0, - u32 thread_index, - f64 now) +static u32 +slow_path (snat_main_t * sm, vlib_buffer_t * b0, + ip4_header_t * ip0, + u32 rx_fib_index0, + snat_session_key_t * key0, + snat_session_t ** sessionp, + vlib_node_runtime_t * node, u32 next0, u32 thread_index, f64 now) { snat_user_t *u; snat_session_t *s; clib_bihash_kv_8_8_t kv0; snat_session_key_t key1; - u32 address_index = ~0; - udp_header_t * udp0 = ip4_next_header (ip0); + udp_header_t *udp0 = ip4_next_header (ip0); u8 is_sm = 0; nat_outside_fib_t *outside_fib; fib_node_index_t fei = FIB_NODE_INDEX_INVALID; @@ -372,15 +247,15 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0, .fp_proto = FIB_PROTOCOL_IP4, .fp_len = 32, .fp_addr = { - .ip4.as_u32 = ip0->dst_address.as_u32, - }, + .ip4.as_u32 = ip0->dst_address.as_u32, + }, }; nat44_is_idle_session_ctx_t ctx0; - if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index))) + if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index))) { b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED]; - nat_ipfix_logging_max_sessions(sm->max_translations); + nat_ipfix_logging_max_sessions (sm->max_translations); nat_log_notice ("maximum sessions exceeded"); return SNAT_IN2OUT_NEXT_DROP; } 
@@ -392,20 +267,20 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0, { /* Try to create dynamic translation */ if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0, - thread_index, &key1, - &address_index, - sm->port_per_thread, - sm->per_thread_data[thread_index].snat_thread_index)) - { - b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS]; - return SNAT_IN2OUT_NEXT_DROP; - } + thread_index, &key1, + sm->port_per_thread, + sm->per_thread_data + [thread_index].snat_thread_index)) + { + b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS]; + return SNAT_IN2OUT_NEXT_DROP; + } } else is_sm = 1; u = nat_user_get_or_create (sm, &ip0->src_address, rx_fib_index0, - thread_index); + thread_index); if (!u) { nat_log_warn ("create NAT user failed"); @@ -423,7 +298,6 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0, if (is_sm) s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; user_session_increment (sm, u, is_sm); - s->outside_address_index = address_index; s->in2out = *key0; s->out2in = key1; s->out2in.protocol = key0->protocol; @@ -437,6 +311,7 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0, s->out2in.fib_index = sm->outside_fibs[0].fib_index; break; default: + /* *INDENT-OFF* */ vec_foreach (outside_fib, sm->outside_fibs) { fei = fib_table_lookup (outside_fib->fib_index, &pfx); @@ -449,6 +324,7 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0, } } } + /* *INDENT-ON* */ break; } s->ext_host_addr.as_u32 = ip0->dst_address.as_u32; 
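Review bot: In slow_path, once the dynamic `snat_alloc_outside_address_and_port` call has succeeded, the `if (!u)` branch after `nat_user_get_or_create` logs the failure but does not return the outside address/port held in `key1` to the pool; if that branch then returns SNAT_IN2OUT_NEXT_DROP (its remaining lines are outside this hunk), each such failure leaks one port until the pool is exhausted. Add `if (!is_sm) snat_free_outside_address_and_port (sm->addresses, thread_index, &key1);` before leaving that branch, mirroring the release done in `nat44_i2o_is_idle_session_cb`. The commit changes only the argument list of the allocation call; slow_path begins before this hunk.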
@@ -460,32 +336,31 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0, ctx0.thread_index = thread_index; kv0.key = s->in2out.as_u64; kv0.value = s - sm->per_thread_data[thread_index].sessions; - if (clib_bihash_add_or_overwrite_stale_8_8 ( - &sm->per_thread_data[thread_index].in2out, &kv0, - nat44_i2o_is_idle_session_cb, &ctx0)) - nat_log_notice ("in2out key add failed"); + if (clib_bihash_add_or_overwrite_stale_8_8 + (&sm->per_thread_data[thread_index].in2out, &kv0, + nat44_i2o_is_idle_session_cb, &ctx0)) + nat_log_notice ("in2out key add failed"); kv0.key = s->out2in.as_u64; kv0.value = s - sm->per_thread_data[thread_index].sessions; - if (clib_bihash_add_or_overwrite_stale_8_8 ( - &sm->per_thread_data[thread_index].out2in, &kv0, - nat44_o2i_is_idle_session_cb, &ctx0)) - nat_log_notice ("out2in key add failed"); + if (clib_bihash_add_or_overwrite_stale_8_8 + (&sm->per_thread_data[thread_index].out2in, &kv0, + nat44_o2i_is_idle_session_cb, &ctx0)) + nat_log_notice ("out2in key add failed"); /* log NAT event */ - snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); + snat_ipfix_logging_nat44_ses_create (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, s->in2out.fib_index); return next0; } static_always_inline -snat_in2out_error_t icmp_get_key(ip4_header_t *ip0, - snat_session_key_t *p_key0) + snat_in2out_error_t icmp_get_key (ip4_header_t * ip0, + snat_session_key_t * p_key0) { icmp46_header_t *icmp0; snat_session_key_t key0; @@ -495,7 +370,7 @@ snat_in2out_error_t icmp_get_key(ip4_header_t *ip0, icmp46_header_t *inner_icmp0; icmp0 = (icmp46_header_t *) ip4_next_header (ip0); - echo0 = (icmp_echo_header_t *)(icmp0+1); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); if (!icmp_is_error_message (icmp0)) { 
@@ -505,27 +380,27 @@ snat_in2out_error_t icmp_get_key(ip4_header_t *ip0, } else { - inner_ip0 = (ip4_header_t *)(echo0+1); + inner_ip0 = (ip4_header_t *) (echo0 + 1); l4_header = ip4_next_header (inner_ip0); key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol); key0.addr = inner_ip0->dst_address; switch (key0.protocol) - { - case SNAT_PROTOCOL_ICMP: - inner_icmp0 = (icmp46_header_t*)l4_header; - inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1); - key0.port = inner_echo0->identifier; - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - key0.port = ((tcp_udp_header_t*)l4_header)->dst_port; - break; - default: - return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL; - } + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + key0.port = inner_echo0->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + key0.port = ((tcp_udp_header_t *) l4_header)->dst_port; + break; + default: + return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL; + } } *p_key0 = key0; - return -1; /* success */ + return -1; /* success */ } /** @@ -542,11 +417,12 @@ snat_in2out_error_t icmp_get_key(ip4_header_t *ip0, * @param d optional parameter * @param e optional parameter */ -u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e) +u32 +icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) { icmp46_header_t *icmp0; u32 sw_if_index0; 
@@ -559,7 +435,7 @@ u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node, int err; icmp0 = (icmp46_header_t *) ip4_next_header (ip0); - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); err = icmp_get_key (ip0, &key0); 
@@ -574,53 +450,59 @@ u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node, kv0.key = key0.as_u64; if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0, - &value0)) + &value0)) { - if (vnet_buffer(b0)->sw_if_index[VLIB_TX] != ~0) - { - if (PREDICT_FALSE(nat_not_translate_output_feature(sm, ip0, - key0.protocol, key0.port, key0.port, thread_index, sw_if_index0))) - { - dont_translate = 1; - goto out; - } - } + if (vnet_buffer (b0)->sw_if_index[VLIB_TX] != ~0) + { + if (PREDICT_FALSE (nat_not_translate_output_feature (sm, ip0, + key0.protocol, + key0.port, + key0.port, + thread_index, + sw_if_index0))) + { + dont_translate = 1; + goto out; + } + } else - { - if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, - ip0, SNAT_PROTOCOL_ICMP, rx_fib_index0, thread_index))) - { - dont_translate = 1; - goto out; - } - } + { + if (PREDICT_FALSE (snat_not_translate (sm, node, sw_if_index0, + ip0, SNAT_PROTOCOL_ICMP, + rx_fib_index0, + thread_index))) + { + dont_translate = 1; + goto out; + } + } - if (PREDICT_FALSE(icmp_is_error_message (icmp0))) - { - b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; - next0 = SNAT_IN2OUT_NEXT_DROP; - goto out; - } + if (PREDICT_FALSE (icmp_is_error_message (icmp0))) + { + b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; + next0 = SNAT_IN2OUT_NEXT_DROP; + goto out; + } next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, &s0, node, next0, - thread_index, vlib_time_now (sm->vlib_main)); + thread_index, vlib_time_now (sm->vlib_main)); if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) - goto out; + goto out; } else { - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request && - icmp0->type != ICMP4_echo_reply && - !icmp_is_error_message (icmp0))) - { - b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; - next0 = SNAT_IN2OUT_NEXT_DROP; - goto out; - } + if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request && + icmp0->type != ICMP4_echo_reply && + !icmp_is_error_message 
(icmp0))) + { + b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; + next0 = SNAT_IN2OUT_NEXT_DROP; + goto out; + } s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - value0.value); + value0.value); } out: @@ -629,7 +511,7 @@ out: *p_value = s0->out2in; *p_dont_translate = dont_translate; if (d) - *(snat_session_t**)d = s0; + *(snat_session_t **) d = s0; return next0; } @@ -646,11 +528,12 @@ out: * @param d optional parameter * @param e optional parameter */ -u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e) +u32 +icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) { icmp46_header_t *icmp0; u32 sw_if_index0; @@ -663,7 +546,7 @@ u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node, int err; icmp0 = (icmp46_header_t *) ip4_next_header (ip0); - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); err = icmp_get_key (ip0, &key0); 
@@ -675,29 +558,30 @@ u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node, } key0.fib_index = rx_fib_index0; - if (snat_static_mapping_match(sm, key0, &sm0, 0, &is_addr_only, 0, 0, 0)) + if (snat_static_mapping_match (sm, key0, &sm0, 0, &is_addr_only, 0, 0, 0)) { - if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0, - IP_PROTOCOL_ICMP, rx_fib_index0))) - { - dont_translate = 1; - goto out; - } + if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0, + IP_PROTOCOL_ICMP, + rx_fib_index0))) + { + dont_translate = 1; + goto out; + } if (icmp_is_error_message (icmp0)) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - goto out; - } + { + next0 = SNAT_IN2OUT_NEXT_DROP; + goto out; + } b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION]; next0 = SNAT_IN2OUT_NEXT_DROP; goto out; } - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request && - (icmp0->type != ICMP4_echo_reply || !is_addr_only) && - !icmp_is_error_message (icmp0))) + if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request && + (icmp0->type != ICMP4_echo_reply || !is_addr_only) && + !icmp_is_error_message (icmp0))) { b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; next0 = SNAT_IN2OUT_NEXT_DROP; @@ -712,24 +596,15 @@ out2: return next0; } -static inline u32 -snat_icmp_hairpinning (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - icmp46_header_t * icmp0, - int is_ed); - -static inline u32 icmp_in2out (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - icmp46_header_t * icmp0, - u32 sw_if_index0, - u32 rx_fib_index0, - vlib_node_runtime_t * node, - u32 next0, - u32 thread_index, - void *d, - void *e) +u32 +icmp_in2out (snat_main_t * sm, + vlib_buffer_t * b0, + ip4_header_t * ip0, + icmp46_header_t * icmp0, + u32 sw_if_index0, + u32 rx_fib_index0, + vlib_node_runtime_t * node, + u32 next0, u32 thread_index, void *d, void *e) { snat_session_key_t sm0; u8 protocol; 
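Review bot: `icmp_in2out` drops its `static inline` qualifiers in the -712 hunk and becomes an externally linked function, yet unlike `icmp_match_in2out_slow` and `icmp_match_in2out_fast` just above it carries no doxygen header. Give it the same `@brief`/`@param`/`@return` block as those two, stating that `d` and `e` are passed straight through to `sm->icmp_match_in2out_cb` and that `next0` is returned unchanged when the callback yields `~0` (that logic is in the following hunk). Its prototype presumably now lives in nat.h or nat_inlines.h, both touched by this commit; if it does not, one is needed for the non-static definition. The function body continues past the end of this hunk.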
@@ -745,10 +620,11 @@ static inline u32 icmp_in2out (snat_main_t *sm, u16 checksum0; u32 next0_tmp; - echo0 = (icmp_echo_header_t *)(icmp0+1); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); - next0_tmp = sm->icmp_match_in2out_cb(sm, node, thread_index, b0, ip0, - &protocol, &sm0, &dont_translate, d, e); + next0_tmp = sm->icmp_match_in2out_cb (sm, node, thread_index, b0, ip0, + &protocol, &sm0, &dont_translate, d, + e); if (next0_tmp != ~0) next0 = next0_tmp; if (next0 == SNAT_IN2OUT_NEXT_DROP || dont_translate) @@ -757,13 +633,14 @@ static inline u32 icmp_in2out (snat_main_t *sm, if (PREDICT_TRUE (!ip4_is_fragment (ip0))) { sum0 = ip_incremental_checksum (0, icmp0, - ntohs(ip0->length) - ip4_header_bytes (ip0)); + ntohs (ip0->length) - + ip4_header_bytes (ip0)); checksum0 = ~ip_csum_fold (sum0); - if (PREDICT_FALSE(checksum0 != 0 && checksum0 != 0xffff)) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - goto out; - } + if (PREDICT_FALSE (checksum0 != 0 && checksum0 != 0xffff)) + { + next0 = SNAT_IN2OUT_NEXT_DROP; + goto out; + } } old_addr0 = ip0->src_address.as_u32; @@ -771,7 +648,7 @@ static inline u32 icmp_in2out (snat_main_t *sm, sum0 = ip0->checksum; sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - src_address /* changed member */); + src_address /* changed member */ ); ip0->checksum = ip_csum_fold (sum0); if (icmp0->checksum == 0) 
@@ -780,28 +657,28 @@ static inline u32 icmp_in2out (snat_main_t *sm, if (!icmp_is_error_message (icmp0)) { new_id0 = sm0.port; - if (PREDICT_FALSE(new_id0 != echo0->identifier)) - { - old_id0 = echo0->identifier; - new_id0 = sm0.port; - echo0->identifier = new_id0; - - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, - identifier); - icmp0->checksum = ip_csum_fold (sum0); - } + if (PREDICT_FALSE (new_id0 != echo0->identifier)) + { + old_id0 = echo0->identifier; + new_id0 = sm0.port; + echo0->identifier = new_id0; + + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, + identifier); + icmp0->checksum = ip_csum_fold (sum0); + } } else { - inner_ip0 = (ip4_header_t *)(echo0+1); + inner_ip0 = (ip4_header_t *) (echo0 + 1); l4_header = ip4_next_header (inner_ip0); if (!ip4_header_checksum_is_valid (inner_ip0)) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - goto out; - } + { + next0 = SNAT_IN2OUT_NEXT_DROP; + goto out; + } /* update inner destination IP address */ old_addr0 = inner_ip0->dst_address.as_u32; 
@@ -809,391 +686,94 @@ static inline u32 icmp_in2out (snat_main_t *sm, new_addr0 = inner_ip0->dst_address.as_u32; sum0 = icmp0->checksum; sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address /* changed member */); + dst_address /* changed member */ ); icmp0->checksum = ip_csum_fold (sum0); /* update inner IP header checksum */ old_checksum0 = inner_ip0->checksum; sum0 = inner_ip0->checksum; sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address /* changed member */); + dst_address /* changed member */ ); inner_ip0->checksum = ip_csum_fold (sum0); new_checksum0 = inner_ip0->checksum; sum0 = icmp0->checksum; sum0 = ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t, - checksum); + checksum); icmp0->checksum = ip_csum_fold (sum0); switch (protocol) - { - case SNAT_PROTOCOL_ICMP: - inner_icmp0 = (icmp46_header_t*)l4_header; - inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1); - - old_id0 = inner_echo0->identifier; - new_id0 = sm0.port; - inner_echo0->identifier = new_id0; - - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, - identifier); - icmp0->checksum = ip_csum_fold (sum0); - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - old_id0 = ((tcp_udp_header_t*)l4_header)->dst_port; - new_id0 = sm0.port; - ((tcp_udp_header_t*)l4_header)->dst_port = new_id0; - - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t, - dst_port); - icmp0->checksum = ip_csum_fold (sum0); - break; - default: - ASSERT(0); - } + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + + old_id0 = inner_echo0->identifier; + new_id0 = sm0.port; + inner_echo0->identifier = new_id0; + + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, + identifier); + icmp0->checksum = ip_csum_fold (sum0); + break; + case 
SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + old_id0 = ((tcp_udp_header_t *) l4_header)->dst_port; + new_id0 = sm0.port; + ((tcp_udp_header_t *) l4_header)->dst_port = new_id0; + + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t, + dst_port); + icmp0->checksum = ip_csum_fold (sum0); + break; + default: + ASSERT (0); + } } - if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0) + if (vnet_buffer (b0)->sw_if_index[VLIB_TX] == ~0) { if (sm->deterministic || - 0 != snat_icmp_hairpinning(sm, b0, ip0, icmp0, - sm->endpoint_dependent)) - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index; + 0 != snat_icmp_hairpinning (sm, b0, ip0, icmp0, + sm->endpoint_dependent)) + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index; } out: return next0; } -/** - * @brief Hairpinning - * - * Hairpinning allows two endpoints on the internal side of the NAT to - * communicate even if they only use each other's external IP addresses - * and ports. - * - * @param sm NAT main. - * @param b0 Vlib buffer. - * @param ip0 IP header. - * @param udp0 UDP header. - * @param tcp0 TCP header. - * @param proto0 NAT protocol. 
- */ -static inline int -snat_hairpinning (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - udp_header_t * udp0, - tcp_header_t * tcp0, - u32 proto0, - int is_ed) -{ - snat_session_key_t key0, sm0; - snat_session_t * s0; - clib_bihash_kv_8_8_t kv0, value0; - ip_csum_t sum0; - u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si; - u16 new_dst_port0, old_dst_port0; - int rv; - - key0.addr = ip0->dst_address; - key0.port = udp0->dst_port; - key0.protocol = proto0; - key0.fib_index = sm->outside_fib_index; - kv0.key = key0.as_u64; - - /* Check if destination is static mappings */ - if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0)) - { - new_dst_addr0 = sm0.addr.as_u32; - new_dst_port0 = sm0.port; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index; - } - /* or active session */ - else - { - if (sm->num_workers > 1) - ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread; - else - ti = sm->num_workers; - - if (is_ed) - { - clib_bihash_kv_16_8_t ed_kv, ed_value; - make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address, - ip0->protocol, sm->outside_fib_index, udp0->dst_port, - udp0->src_port); - rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed, - &ed_kv, &ed_value); - si = ed_value.value; - } - else - { - rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, - &value0); - si = value0.value; - } - if (rv) - return 0; - - s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); - new_dst_addr0 = s0->in2out.addr.as_u32; - new_dst_port0 = s0->in2out.port; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - } - - /* Destination is behind the same NAT, use internal address and port */ - if (new_dst_addr0) - { - old_dst_addr0 = ip0->dst_address.as_u32; - ip0->dst_address.as_u32 = new_dst_addr0; - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - ip0->checksum = ip_csum_fold (sum0); - - old_dst_port0 = tcp0->dst; - if 
(PREDICT_TRUE(new_dst_port0 != old_dst_port0)) - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - tcp0->dst = new_dst_port0; - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0, - ip4_header_t /* cheat */, length); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - udp0->dst_port = new_dst_port0; - udp0->checksum = 0; - } - } - else - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - tcp0->checksum = ip_csum_fold(sum0); - } - } - return 1; - } - return 0; -} - static inline u32 -snat_icmp_hairpinning (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - icmp46_header_t * icmp0, - int is_ed) -{ - snat_session_key_t key0; - clib_bihash_kv_8_8_t kv0, value0; - u32 old_dst_addr0, new_dst_addr0; - u32 old_addr0, new_addr0; - u16 old_port0, new_port0; - u16 old_checksum0, new_checksum0; - u32 si, ti = 0; - ip_csum_t sum0; - snat_session_t *s0; - snat_static_mapping_t *m0; - - if (icmp_is_error_message (icmp0)) - { - ip4_header_t *inner_ip0 = 0; - tcp_udp_header_t *l4_header = 0; - - inner_ip0 = (ip4_header_t *)((icmp_echo_header_t *)(icmp0+1)+1); - l4_header = ip4_next_header (inner_ip0); - u32 protocol = ip_proto_to_snat_proto (inner_ip0->protocol); - - if (protocol != SNAT_PROTOCOL_TCP && protocol != SNAT_PROTOCOL_UDP) - return 1; - - if (is_ed) - { - clib_bihash_kv_16_8_t ed_kv, ed_value; - make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address, - inner_ip0->protocol, sm->outside_fib_index, - l4_header->src_port, l4_header->dst_port); - if (clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed, - &ed_kv, &ed_value)) - return 1; - si = ed_value.value; - } - else - { - key0.addr = ip0->dst_address; - key0.port = l4_header->src_port; - key0.protocol = protocol; - key0.fib_index = 
sm->outside_fib_index; - kv0.key = key0.as_u64; - if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, - &value0)) - return 1; - si = value0.value; - } - s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); - new_dst_addr0 = s0->in2out.addr.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - - /* update inner source IP address */ - old_addr0 = inner_ip0->src_address.as_u32; - inner_ip0->src_address.as_u32 = new_dst_addr0; - new_addr0 = inner_ip0->src_address.as_u32; - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - src_address); - icmp0->checksum = ip_csum_fold (sum0); - - /* update inner IP header checksum */ - old_checksum0 = inner_ip0->checksum; - sum0 = inner_ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - src_address); - inner_ip0->checksum = ip_csum_fold (sum0); - new_checksum0 = inner_ip0->checksum; - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t, - checksum); - icmp0->checksum = ip_csum_fold (sum0); - - /* update inner source port */ - old_port0 = l4_header->src_port; - l4_header->src_port = s0->in2out.port; - new_port0 = l4_header->src_port; - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_port0, new_port0, tcp_udp_header_t, - src_port); - icmp0->checksum = ip_csum_fold (sum0); - } - else - { - if (!is_ed) - { - icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1); - u16 icmp_id0 = echo0->identifier; - key0.addr = ip0->dst_address; - key0.port = icmp_id0; - key0.protocol = SNAT_PROTOCOL_ICMP; - key0.fib_index = sm->outside_fib_index; - kv0.key = key0.as_u64; - if (sm->num_workers > 1) - ti = (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread; - else - ti = sm->num_workers; - int rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, - &value0); - if (!rv) - { - si = value0.value; - s0 = pool_elt_at_index 
(sm->per_thread_data[ti].sessions, si); - new_dst_addr0 = s0->in2out.addr.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - echo0->identifier = s0->in2out.port; - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port, - icmp_echo_header_t, identifier); - icmp0->checksum = ip_csum_fold (sum0); - goto change_addr; - } - ti = 0; - } - - key0.addr = ip0->dst_address; - key0.port = 0; - key0.protocol = 0; - key0.fib_index = sm->outside_fib_index; - kv0.key = key0.as_u64; - - if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv0, &value0)) - return 1; - - m0 = pool_elt_at_index (sm->static_mappings, value0.value); - - new_dst_addr0 = m0->local_addr.as_u32; - if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0) - vnet_buffer(b0)->sw_if_index[VLIB_TX] = m0->fib_index; - } -change_addr: - /* Destination is behind the same NAT, use internal address and port */ - if (new_dst_addr0) - { - old_dst_addr0 = ip0->dst_address.as_u32; - ip0->dst_address.as_u32 = new_dst_addr0; - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - ip0->checksum = ip_csum_fold (sum0); - } - return 0; -} - -static inline u32 icmp_in2out_slow_path (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - icmp46_header_t * icmp0, - u32 sw_if_index0, - u32 rx_fib_index0, - vlib_node_runtime_t * node, - u32 next0, - f64 now, - u32 thread_index, - snat_session_t ** p_s0) +icmp_in2out_slow_path (snat_main_t * sm, + vlib_buffer_t * b0, + ip4_header_t * ip0, + icmp46_header_t * icmp0, + u32 sw_if_index0, + u32 rx_fib_index0, + vlib_node_runtime_t * node, + u32 next0, + f64 now, u32 thread_index, snat_session_t ** p_s0) { - next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, thread_index, p_s0, 0); - snat_session_t * s0 = *p_s0; - if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0)) + next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, 
rx_fib_index0, node, + next0, thread_index, p_s0, 0); + snat_session_t *s0 = *p_s0; + if (PREDICT_TRUE (next0 != SNAT_IN2OUT_NEXT_DROP && s0)) { /* Accounting */ nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (sm->vlib_main, b0)); + vlib_buffer_length_in_chain + (sm->vlib_main, b0)); /* Per-user LRU list maintenance */ nat44_session_update_lru (sm, s0, thread_index); } return next0; } -static inline void -nat_hairpinning_sm_unknown_proto (snat_main_t * sm, - vlib_buffer_t * b, - ip4_header_t * ip) -{ - clib_bihash_kv_8_8_t kv, value; - snat_static_mapping_t *m; - u32 old_addr, new_addr; - ip_csum_t sum; - - make_sm_kv (&kv, &ip->dst_address, 0, 0, 0); - if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - return; - - m = pool_elt_at_index (sm->static_mappings, value.value); - - old_addr = ip->dst_address.as_u32; - new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32; - sum = ip->checksum; - sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address); - ip->checksum = ip_csum_fold (sum); - - if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0) - vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index; -} - static int -nat_in2out_sm_unknown_proto (snat_main_t *sm, - vlib_buffer_t * b, - ip4_header_t * ip, - u32 rx_fib_index) +nat_in2out_sm_unknown_proto (snat_main_t * sm, + vlib_buffer_t * b, + ip4_header_t * ip, u32 rx_fib_index) { clib_bihash_kv_8_8_t kv, value; snat_static_mapping_t *m; @@ -1219,9 +799,9 @@ nat_in2out_sm_unknown_proto (snat_main_t *sm, /* Hairpinning */ - if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0) + if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0) { - vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index; + vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index; nat_hairpinning_sm_unknown_proto (sm, b, ip); } 
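Review bot: The `default: ASSERT (0);` arm of the `switch (protocol)` in icmp_in2out's error-message branch is the only handling for an inner protocol that is neither ICMP, TCP nor UDP, and the rewrite keeps it as-is; VPP's ASSERT is compiled out in non-debug builds, so on such a packet the outer ICMP checksum has already been rewritten for the inner address but the inner port is left untranslated and the packet is forwarded rather than dropped. Unless icmp_match_in2out_cb is guaranteed to reject those inner protocols (not visible here), the arm should fail closed: `default: next0 = SNAT_IN2OUT_NEXT_DROP; goto out;`, ideally with a node error counter so the drop is observable. The inner IPv4 header and its L4 header are also dereferenced after only `ip4_header_checksum_is_valid (inner_ip0)`, with no visible check that the buffer actually holds them; if the match callback does not bound-check the inner headers, a short ICMP error body reads past the packet. icmp_in2out begins outside this hunk, and the hairpinning helpers removed here are presumably the ones that moved to nat44_hairpinning.c per the diffstat.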
@@ -1230,14 +810,14 @@ nat_in2out_sm_unknown_proto (snat_main_t *sm, static inline uword snat_in2out_node_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, int is_slow_path, - int is_output_feature) + vlib_node_runtime_t * node, + vlib_frame_t * frame, int is_slow_path, + int is_output_feature) { - u32 n_left_from, * from, * to_next; + u32 n_left_from, *from, *to_next; snat_in2out_next_t next_index; u32 pkts_processed = 0; - snat_main_t * sm = &snat_main; + snat_main_t *sm = &snat_main; f64 now = vlib_time_now (vm); u32 stats_node_index; u32 thread_index = vm->thread_index; 
@@ -1253,32 +833,31 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, { u32 n_left_to_next; - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); while (n_left_from >= 4 && n_left_to_next >= 2) { - u32 bi0, bi1; - vlib_buffer_t * b0, * b1; - u32 next0, next1; - u32 sw_if_index0, sw_if_index1; - ip4_header_t * ip0, * ip1; - ip_csum_t sum0, sum1; - u32 new_addr0, old_addr0, new_addr1, old_addr1; - u16 old_port0, new_port0, old_port1, new_port1; - udp_header_t * udp0, * udp1; - tcp_header_t * tcp0, * tcp1; - icmp46_header_t * icmp0, * icmp1; - snat_session_key_t key0, key1; - u32 rx_fib_index0, rx_fib_index1; - u32 proto0, proto1; - snat_session_t * s0 = 0, * s1 = 0; - clib_bihash_kv_8_8_t kv0, value0, kv1, value1; - u32 iph_offset0 = 0, iph_offset1 = 0; + u32 bi0, bi1; + vlib_buffer_t *b0, *b1; + u32 next0, next1; + u32 sw_if_index0, sw_if_index1; + ip4_header_t *ip0, *ip1; + ip_csum_t sum0, sum1; + u32 new_addr0, old_addr0, new_addr1, old_addr1; + u16 old_port0, new_port0, old_port1, new_port1; + udp_header_t *udp0, *udp1; + tcp_header_t *tcp0, *tcp1; + icmp46_header_t *icmp0, *icmp1; + snat_session_key_t key0, key1; + u32 rx_fib_index0, rx_fib_index1; + u32 proto0, proto1; + snat_session_t *s0 = 0, *s1 = 0; + clib_bihash_kv_8_8_t kv0, value0, kv1, value1; + u32 iph_offset0 = 0, iph_offset1 = 0; /* Prefetch next iteration. */ { - vlib_buffer_t * p2, * p3; + vlib_buffer_t *p2, *p3; p2 = vlib_get_buffer (vm, from[2]); p3 = vlib_get_buffer (vm, from[3]); @@ -1290,7 +869,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); } - /* speculatively enqueue b0 and b1 to the current next frame */ + /* speculatively enqueue b0 and b1 to the current next frame */ to_next[0] = bi0 = from[0]; to_next[1] = bi1 = from[1]; from += 2; 
@@ -1301,356 +880,386 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, b0 = vlib_get_buffer (vm, bi0); b1 = vlib_get_buffer (vm, bi1); - if (is_output_feature) - iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; + if (is_output_feature) + iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; - ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + - iph_offset0); + ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + + iph_offset0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index, - sw_if_index0); + sw_if_index0); - next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP; - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR; - goto trace00; - } + next0 = next1 = SNAT_IN2OUT_NEXT_LOOKUP; - proto0 = ip_proto_to_snat_proto (ip0->protocol); + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR; + goto trace00; + } - /* Next configured feature, probably ip4-lookup */ - if (is_slow_path) - { - if (PREDICT_FALSE (proto0 == ~0)) - { - if (nat_in2out_sm_unknown_proto (sm, b0, ip0, rx_fib_index0)) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL]; - } - goto trace00; - } + proto0 = ip_proto_to_snat_proto (ip0->protocol); - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_in2out_slow_path - (sm, b0, 
ip0, icmp0, sw_if_index0, rx_fib_index0, - node, next0, now, thread_index, &s0); - goto trace00; - } - } - else - { - if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace00; - } + /* Next configured feature, probably ip4-lookup */ + if (is_slow_path) + { + if (PREDICT_FALSE (proto0 == ~0)) + { + if (nat_in2out_sm_unknown_proto + (sm, b0, ip0, rx_fib_index0)) + { + next0 = SNAT_IN2OUT_NEXT_DROP; + b0->error = + node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL]; + } + goto trace00; + } - if (ip4_is_fragment (ip0)) - { - next0 = SNAT_IN2OUT_NEXT_REASS; - goto trace00; - } - } + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_in2out_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, + node, next0, now, thread_index, &s0); + goto trace00; + } + } + else + { + if (PREDICT_FALSE + (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; + goto trace00; + } - key0.addr = ip0->src_address; - key0.port = udp0->src_port; - key0.protocol = proto0; - key0.fib_index = rx_fib_index0; + if (ip4_is_fragment (ip0)) + { + next0 = SNAT_IN2OUT_NEXT_REASS; + goto trace00; + } + } - kv0.key = key0.as_u64; + key0.addr = ip0->src_address; + key0.port = udp0->src_port; + key0.protocol = proto0; + key0.fib_index = rx_fib_index0; - if (PREDICT_FALSE (clib_bihash_search_8_8 ( - &sm->per_thread_data[thread_index].in2out, &kv0, &value0) != 0)) - { - if (is_slow_path) - { - if (is_output_feature) - { - if (PREDICT_FALSE(nat_not_translate_output_feature(sm, - ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0))) - goto trace00; - } - else - { - if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, - ip0, proto0, rx_fib_index0, thread_index))) - goto trace00; - } - - next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, - &s0, node, next0, thread_index, now); - if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) - goto trace00; - } - 
else - { - next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace00; - } - } - else - s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - value0.value); + kv0.key = key0.as_u64; + + if (PREDICT_FALSE + (clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].in2out, &kv0, + &value0) != 0)) + { + if (is_slow_path) + { + if (is_output_feature) + { + if (PREDICT_FALSE (nat_not_translate_output_feature (sm, + ip0, + proto0, + udp0->src_port, + udp0->dst_port, + thread_index, + sw_if_index0))) + goto trace00; + } + else + { + if (PREDICT_FALSE + (snat_not_translate + (sm, node, sw_if_index0, ip0, proto0, + rx_fib_index0, thread_index))) + goto trace00; + } + + next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, + &s0, node, next0, thread_index, now); + if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) + goto trace00; + } + else + { + next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; + goto trace00; + } + } + else + s0 = + pool_elt_at_index (sm->per_thread_data[thread_index].sessions, + value0.value); - b0->flags |= VNET_BUFFER_F_IS_NATED; + b0->flags |= VNET_BUFFER_F_IS_NATED; - old_addr0 = ip0->src_address.as_u32; - ip0->src_address = s0->out2in.addr; - new_addr0 = ip0->src_address.as_u32; - if (!is_output_feature) - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; + old_addr0 = ip0->src_address.as_u32; + ip0->src_address = s0->out2in.addr; + new_addr0 = ip0->src_address.as_u32; + if (!is_output_feature) + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - src_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + src_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->src_port; - tcp0->src_port = s0->out2in.port; - new_port0 = tcp0->src_port; - 
- sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - mss_clamping (sm, tcp0, &sum0); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->src_port; - udp0->src_port = s0->out2in.port; - udp0->checksum = 0; - } + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->src_port; + tcp0->src_port = s0->out2in.port; + new_port0 = tcp0->src_port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->src_port; + udp0->src_port = s0->out2in.port; + udp0->checksum = 0; + } - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s0, thread_index); - trace00: + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + /* Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s0, thread_index); + trace00: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_in2out_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->is_slow_path = is_slow_path; - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (s0) - t->session_index = s0 - sm->per_thread_data[thread_index].sessions; - } + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_in2out_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->is_slow_path = is_slow_path; 
+ t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (s0) + t->session_index = + s0 - sm->per_thread_data[thread_index].sessions; + } - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; + pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; - if (is_output_feature) - iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length; + if (is_output_feature) + iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length; - ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) + - iph_offset1); + ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) + + iph_offset1); - udp1 = ip4_next_header (ip1); - tcp1 = (tcp_header_t *) udp1; - icmp1 = (icmp46_header_t *) udp1; + udp1 = ip4_next_header (ip1); + tcp1 = (tcp_header_t *) udp1; + icmp1 = (icmp46_header_t *) udp1; - sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX]; + sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX]; rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index, - sw_if_index1); + sw_if_index1); - if (PREDICT_FALSE(ip1->ttl == 1)) - { - vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR; - goto trace01; - } + if (PREDICT_FALSE (ip1->ttl == 1)) + { + vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR; + goto trace01; + } - proto1 = ip_proto_to_snat_proto (ip1->protocol); + proto1 = ip_proto_to_snat_proto (ip1->protocol); - /* Next configured feature, probably ip4-lookup */ - if (is_slow_path) - { - if (PREDICT_FALSE (proto1 == ~0)) - { - if (nat_in2out_sm_unknown_proto (sm, b1, ip1, rx_fib_index1)) - { - next1 = SNAT_IN2OUT_NEXT_DROP; - b1->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL]; - } - goto trace01; - } + /* Next configured feature, probably ip4-lookup 
*/ + if (is_slow_path) + { + if (PREDICT_FALSE (proto1 == ~0)) + { + if (nat_in2out_sm_unknown_proto + (sm, b1, ip1, rx_fib_index1)) + { + next1 = SNAT_IN2OUT_NEXT_DROP; + b1->error = + node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL]; + } + goto trace01; + } - if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) - { - next1 = icmp_in2out_slow_path - (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, - next1, now, thread_index, &s1); - goto trace01; - } - } - else - { - if (PREDICT_FALSE (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP)) - { - next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace01; - } + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + next1 = icmp_in2out_slow_path + (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, + next1, now, thread_index, &s1); + goto trace01; + } + } + else + { + if (PREDICT_FALSE + (proto1 == ~0 || proto1 == SNAT_PROTOCOL_ICMP)) + { + next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; + goto trace01; + } - if (ip4_is_fragment (ip1)) - { - next1 = SNAT_IN2OUT_NEXT_REASS; - goto trace01; - } - } + if (ip4_is_fragment (ip1)) + { + next1 = SNAT_IN2OUT_NEXT_REASS; + goto trace01; + } + } - key1.addr = ip1->src_address; - key1.port = udp1->src_port; - key1.protocol = proto1; - key1.fib_index = rx_fib_index1; + key1.addr = ip1->src_address; + key1.port = udp1->src_port; + key1.protocol = proto1; + key1.fib_index = rx_fib_index1; - kv1.key = key1.as_u64; + kv1.key = key1.as_u64; - if (PREDICT_FALSE(clib_bihash_search_8_8 ( - &sm->per_thread_data[thread_index].in2out, &kv1, &value1) != 0)) - { - if (is_slow_path) - { - if (is_output_feature) - { - if (PREDICT_FALSE(nat_not_translate_output_feature(sm, - ip1, proto1, udp1->src_port, udp1->dst_port, thread_index, sw_if_index1))) - goto trace01; - } - else - { - if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index1, - ip1, proto1, rx_fib_index1, thread_index))) - goto trace01; - } - - next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1, - &s1, node, next1, thread_index, now); - if 
(PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP)) - goto trace01; - } - else - { - next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace01; - } - } - else - s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - value1.value); + if (PREDICT_FALSE + (clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].in2out, &kv1, + &value1) != 0)) + { + if (is_slow_path) + { + if (is_output_feature) + { + if (PREDICT_FALSE (nat_not_translate_output_feature (sm, + ip1, + proto1, + udp1->src_port, + udp1->dst_port, + thread_index, + sw_if_index1))) + goto trace01; + } + else + { + if (PREDICT_FALSE + (snat_not_translate + (sm, node, sw_if_index1, ip1, proto1, + rx_fib_index1, thread_index))) + goto trace01; + } + + next1 = slow_path (sm, b1, ip1, rx_fib_index1, &key1, + &s1, node, next1, thread_index, now); + if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP)) + goto trace01; + } + else + { + next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; + goto trace01; + } + } + else + s1 = + pool_elt_at_index (sm->per_thread_data[thread_index].sessions, + value1.value); - b1->flags |= VNET_BUFFER_F_IS_NATED; + b1->flags |= VNET_BUFFER_F_IS_NATED; - old_addr1 = ip1->src_address.as_u32; - ip1->src_address = s1->out2in.addr; - new_addr1 = ip1->src_address.as_u32; - if (!is_output_feature) - vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index; + old_addr1 = ip1->src_address.as_u32; + ip1->src_address = s1->out2in.addr; + new_addr1 = ip1->src_address.as_u32; + if (!is_output_feature) + vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index; - sum1 = ip1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, - ip4_header_t, - src_address /* changed member */); - ip1->checksum = ip_csum_fold (sum1); + sum1 = ip1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, + ip4_header_t, + src_address /* changed member */ ); + ip1->checksum = ip_csum_fold (sum1); - if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP)) - { - old_port1 = tcp1->src_port; - tcp1->src_port = 
s1->out2in.port; - new_port1 = tcp1->src_port; - - sum1 = tcp1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, - ip4_header_t, - dst_address /* changed member */); - sum1 = ip_csum_update (sum1, old_port1, new_port1, - ip4_header_t /* cheat */, - length /* changed member */); - mss_clamping (sm, tcp1, &sum1); - tcp1->checksum = ip_csum_fold(sum1); - } - else - { - old_port1 = udp1->src_port; - udp1->src_port = s1->out2in.port; - udp1->checksum = 0; - } + if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) + { + old_port1 = tcp1->src_port; + tcp1->src_port = s1->out2in.port; + new_port1 = tcp1->src_port; + + sum1 = tcp1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, + ip4_header_t, + dst_address /* changed member */ ); + sum1 = ip_csum_update (sum1, old_port1, new_port1, + ip4_header_t /* cheat */ , + length /* changed member */ ); + mss_clamping (sm, tcp1, &sum1); + tcp1->checksum = ip_csum_fold (sum1); + } + else + { + old_port1 = udp1->src_port; + udp1->src_port = s1->out2in.port; + udp1->checksum = 0; + } - /* Accounting */ - nat44_session_update_counters (s1, now, - vlib_buffer_length_in_chain (vm, b1)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s1, thread_index); - trace01: + /* Accounting */ + nat44_session_update_counters (s1, now, + vlib_buffer_length_in_chain (vm, + b1)); + /* Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s1, thread_index); + trace01: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b1->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_in2out_trace_t *t = - vlib_add_trace (vm, node, b1, sizeof (*t)); - t->sw_if_index = sw_if_index1; - t->next_index = next1; - t->session_index = ~0; - if (s1) - t->session_index = s1 - sm->per_thread_data[thread_index].sessions; - } + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b1->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_in2out_trace_t *t = + vlib_add_trace (vm, node, b1, sizeof (*t)); + t->sw_if_index = 
sw_if_index1; + t->next_index = next1; + t->session_index = ~0; + if (s1) + t->session_index = + s1 - sm->per_thread_data[thread_index].sessions; + } - pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP; + pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP; - /* verify speculative enqueues, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x2 (vm, node, next_index, - to_next, n_left_to_next, - bi0, bi1, next0, next1); - } + /* verify speculative enqueues, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x2 (vm, node, next_index, + to_next, n_left_to_next, + bi0, bi1, next0, next1); + } while (n_left_from > 0 && n_left_to_next > 0) { - u32 bi0; - vlib_buffer_t * b0; - u32 next0; - u32 sw_if_index0; - ip4_header_t * ip0; - ip_csum_t sum0; - u32 new_addr0, old_addr0; - u16 old_port0, new_port0; - udp_header_t * udp0; - tcp_header_t * tcp0; - icmp46_header_t * icmp0; - snat_session_key_t key0; - u32 rx_fib_index0; - u32 proto0; - snat_session_t * s0 = 0; - clib_bihash_kv_8_8_t kv0, value0; - u32 iph_offset0 = 0; - - /* speculatively enqueue b0 to the current next frame */ + u32 bi0; + vlib_buffer_t *b0; + u32 next0; + u32 sw_if_index0; + ip4_header_t *ip0; + ip_csum_t sum0; + u32 new_addr0, old_addr0; + u16 old_port0, new_port0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + snat_session_key_t key0; + u32 rx_fib_index0; + u32 proto0; + snat_session_t *s0 = 0; + clib_bihash_kv_8_8_t kv0, value0; + u32 iph_offset0 = 0; + + /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; to_next[0] = bi0; from += 1; 
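Review bot: The trace record written at `trace01:` for b1 never sets `is_slow_path`, while the b0 record at `trace00:` does (`t->is_slow_path = is_slow_path;`); since vlib_add_trace does not appear to zero the record, `nat44-in2out` traces for the second buffer of each pair report a stale slow-path flag. Add `t->is_slow_path = is_slow_path;` next to `t->sw_if_index = sw_if_index1;` in the b1 block. The single-buffer loop's `trace0:` block falls in the next hunk, which is cut off at the end of this chunk, so it is worth checking that block for the same omission. snat_in2out_node_fn_inline starts and ends outside this hunk.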
@@ -1659,171 +1268,184 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, n_left_to_next -= 1; b0 = vlib_get_buffer (vm, bi0); - next0 = SNAT_IN2OUT_NEXT_LOOKUP; + next0 = SNAT_IN2OUT_NEXT_LOOKUP; - if (is_output_feature) - iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; + if (is_output_feature) + iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; - ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + - iph_offset0); + ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + + iph_offset0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index, - sw_if_index0); + sw_if_index0); - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR; - goto trace0; - } + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR; + goto trace0; + } - proto0 = ip_proto_to_snat_proto (ip0->protocol); + proto0 = ip_proto_to_snat_proto (ip0->protocol); - /* Next configured feature, probably ip4-lookup */ - if (is_slow_path) - { - if (PREDICT_FALSE (proto0 == ~0)) - { - if (nat_in2out_sm_unknown_proto (sm, b0, ip0, rx_fib_index0)) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL]; - } - goto trace0; - } + /* Next configured feature, probably ip4-lookup */ + if (is_slow_path) + { + if (PREDICT_FALSE (proto0 == ~0)) + { + if 
(nat_in2out_sm_unknown_proto + (sm, b0, ip0, rx_fib_index0)) + { + next0 = SNAT_IN2OUT_NEXT_DROP; + b0->error = + node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL]; + } + goto trace0; + } - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_in2out_slow_path - (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, now, thread_index, &s0); - goto trace0; - } - } - else - { - if (PREDICT_FALSE (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace0; - } + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_in2out_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + goto trace0; + } + } + else + { + if (PREDICT_FALSE + (proto0 == ~0 || proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; + goto trace0; + } - if (ip4_is_fragment (ip0)) - { - next0 = SNAT_IN2OUT_NEXT_REASS; - goto trace0; - } - } + if (ip4_is_fragment (ip0)) + { + next0 = SNAT_IN2OUT_NEXT_REASS; + goto trace0; + } + } - key0.addr = ip0->src_address; - key0.port = udp0->src_port; - key0.protocol = proto0; - key0.fib_index = rx_fib_index0; + key0.addr = ip0->src_address; + key0.port = udp0->src_port; + key0.protocol = proto0; + key0.fib_index = rx_fib_index0; - kv0.key = key0.as_u64; + kv0.key = key0.as_u64; - if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, - &kv0, &value0)) - { - if (is_slow_path) - { - if (is_output_feature) - { - if (PREDICT_FALSE(nat_not_translate_output_feature(sm, - ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0))) - goto trace0; - } - else - { - if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, - ip0, proto0, rx_fib_index0, thread_index))) - goto trace0; - } - - next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, - &s0, node, next0, thread_index, now); - - if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) - goto trace0; - } - else - { - next0 = 
SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace0; - } - } - else - s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - value0.value); + if (clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].in2out, &kv0, &value0)) + { + if (is_slow_path) + { + if (is_output_feature) + { + if (PREDICT_FALSE (nat_not_translate_output_feature (sm, + ip0, + proto0, + udp0->src_port, + udp0->dst_port, + thread_index, + sw_if_index0))) + goto trace0; + } + else + { + if (PREDICT_FALSE + (snat_not_translate + (sm, node, sw_if_index0, ip0, proto0, + rx_fib_index0, thread_index))) + goto trace0; + } + + next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, + &s0, node, next0, thread_index, now); + + if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) + goto trace0; + } + else + { + next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; + goto trace0; + } + } + else + s0 = + pool_elt_at_index (sm->per_thread_data[thread_index].sessions, + value0.value); - b0->flags |= VNET_BUFFER_F_IS_NATED; + b0->flags |= VNET_BUFFER_F_IS_NATED; - old_addr0 = ip0->src_address.as_u32; - ip0->src_address = s0->out2in.addr; - new_addr0 = ip0->src_address.as_u32; - if (!is_output_feature) - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; + old_addr0 = ip0->src_address.as_u32; + ip0->src_address = s0->out2in.addr; + new_addr0 = ip0->src_address.as_u32; + if (!is_output_feature) + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - src_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + src_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->src_port; - tcp0->src_port = s0->out2in.port; - new_port0 = tcp0->src_port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, 
new_addr0, - ip4_header_t, - dst_address /* changed member */); - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - mss_clamping (sm, tcp0, &sum0); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->src_port; - udp0->src_port = s0->out2in.port; - udp0->checksum = 0; - } + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->src_port; + tcp0->src_port = s0->out2in.port; + new_port0 = tcp0->src_port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->src_port; + udp0->src_port = s0->out2in.port; + udp0->checksum = 0; + } - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s0, thread_index); + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + /* Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s0, thread_index); - trace0: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_in2out_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->is_slow_path = is_slow_path; - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (s0) - t->session_index = s0 - sm->per_thread_data[thread_index].sessions; - } + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_in2out_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->is_slow_path = is_slow_path; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + 
t->session_index = ~0; + if (s0) + t->session_index = + s0 - sm->per_thread_data[thread_index].sessions; + } - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; + pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; - /* verify speculative enqueue, maybe switch current next frame */ + /* verify speculative enqueue, maybe switch current next frame */ vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, next0); @@ -1833,19 +1455,20 @@ snat_in2out_node_fn_inline (vlib_main_t * vm, } vlib_node_increment_counter (vm, stats_node_index, - SNAT_IN2OUT_ERROR_IN2OUT_PACKETS, - pkts_processed); + SNAT_IN2OUT_ERROR_IN2OUT_PACKETS, + pkts_processed); return frame->n_vectors; } static uword snat_in2out_fast_path_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_node_runtime_t * node, vlib_frame_t * frame) { - return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 0); + return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */ , + 0); } +/* *INDENT-OFF* */ VLIB_REGISTER_NODE (snat_in2out_node) = { .function = snat_in2out_fast_path_fn, .name = "nat44-in2out", @@ -1869,17 +1492,20 @@ VLIB_REGISTER_NODE (snat_in2out_node) = { [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass", }, }; +/* *INDENT-ON* */ VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_node, snat_in2out_fast_path_fn); static uword snat_in2out_output_fast_path_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_node_runtime_t * node, + vlib_frame_t * frame) { - return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */, 1); + return snat_in2out_node_fn_inline (vm, node, frame, 0 /* is_slow_path */ , + 1); } +/* *INDENT-OFF* */ VLIB_REGISTER_NODE (snat_in2out_output_node) = { .function = snat_in2out_output_fast_path_fn, .name = "nat44-in2out-output", 
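Review bot: In the single-packet loop the `is_slow_path` branch dispatches unknown protocols and ICMP before any fragment check, while only the fast-path `else` branch redirects fragments to `SNAT_IN2OUT_NEXT_REASS`; because the fast path also diverts ICMP to the slow path ahead of its own `ip4_is_fragment` test, a non-first ICMP fragment appears to reach `icmp_in2out_slow_path` with `icmp0` pointing into payload bytes rather than an ICMP header. Hoisting `if (ip4_is_fragment (ip0)) { next0 = SNAT_IN2OUT_NEXT_REASS; goto trace0; }` above the `proto0` dispatch in both branches would close that, though whether the reassembly node can key ICMP flows is not visible here and should be confirmed. Separately, the UDP branch does `udp0->checksum = 0;`, which on IPv4 means "no checksum" and removes the end-to-end integrity check for every translated UDP flow, whereas patching the existing checksum incrementally as the TCP branch does (leaving a zero checksum alone) keeps it; the same pattern is in the dual-packet loop of the preceding hunk and in the reassembly node later in this file. `snat_in2out_node_fn_inline` starts outside this hunk.
```c
	  /* … unchanged: TCP branch … */
	  else
	    {
	      old_port0 = udp0->src_port;
	      udp0->src_port = s0->out2in.port;
	      new_port0 = udp0->src_port;
	      /* RFC 768: zero means "no checksum present"; leave it alone,
	         otherwise patch it incrementally like the TCP branch */
	      if (udp0->checksum)
		{
		  sum0 = udp0->checksum;
		  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
					 ip4_header_t,
					 dst_address /* changed member */ );
		  sum0 = ip_csum_update (sum0, old_port0, new_port0,
					 ip4_header_t /* cheat */ ,
					 length /* changed member */ );
		  udp0->checksum = ip_csum_fold (sum0);
		  /* a computed UDP checksum of zero is sent as all-ones */
		  if (udp0->checksum == 0)
		    udp0->checksum = 0xffff;
		}
	    }
	  /* … unchanged: accounting, LRU, trace0 … */
```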
@@ -1903,18 +1529,20 @@ VLIB_REGISTER_NODE (snat_in2out_output_node) = { [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass", }, }; +/* *INDENT-ON* */ VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_node, - snat_in2out_output_fast_path_fn); + snat_in2out_output_fast_path_fn); static uword snat_in2out_slow_path_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_node_runtime_t * node, vlib_frame_t * frame) { - return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 0); + return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */ , + 0); } +/* *INDENT-OFF* */ VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = { .function = snat_in2out_slow_path_fn, .name = "nat44-in2out-slowpath", @@ -1938,18 +1566,21 @@ VLIB_REGISTER_NODE (snat_in2out_slowpath_node) = { [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass", }, }; +/* *INDENT-ON* */ VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_slowpath_node, - snat_in2out_slow_path_fn); + snat_in2out_slow_path_fn); static uword snat_in2out_output_slow_path_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_node_runtime_t * node, + vlib_frame_t * frame) { - return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */, 1); + return snat_in2out_node_fn_inline (vm, node, frame, 1 /* is_slow_path */ , + 1); } +/* *INDENT-OFF* */ VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = { .function = snat_in2out_output_slow_path_fn, .name = "nat44-in2out-output-slowpath", 
@@ -1973,28 +1604,26 @@ VLIB_REGISTER_NODE (snat_in2out_output_slowpath_node) = { [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass", }, }; +/* *INDENT-ON* */ VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_slowpath_node, - snat_in2out_output_slow_path_fn); + snat_in2out_output_slow_path_fn); -extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local; - -static inline uword -nat44_hairpinning_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, - int is_ed) +static uword +nat44_in2out_reass_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) { - u32 n_left_from, * from, * to_next, stats_node_index; + u32 n_left_from, *from, *to_next; snat_in2out_next_t next_index; u32 pkts_processed = 0; - snat_main_t * sm = &snat_main; - vnet_feature_main_t *fm = &feature_main; - u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index; - vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index]; + snat_main_t *sm = &snat_main; + f64 now = vlib_time_now (vm); + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *per_thread_data = + &sm->per_thread_data[thread_index]; + u32 *fragments_to_drop = 0; + u32 *fragments_to_loopback = 0; - stats_node_index = is_ed ? nat44_ed_hairpinning_node.index : - nat44_hairpinning_node.index; from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; next_index = node->cached_next_index; 
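Review bot: `nat44_in2out_reass_node_fn` is introduced here without a header comment, and the meaning of its two per-frame vectors, `fragments_to_drop` and `fragments_to_loopback`, is only discoverable from the code in the following hunks. A comment above the definition should state that the first fragment of a flow resolves or creates the session, that later fragments arriving before it are cached and then re-injected through this same node once the first one is seen, and that fragments the node cannot handle are collected and sent to `SNAT_IN2OUT_NEXT_DROP` at the end of the frame; the two locals can then be annotated `/* buffer indices to send to error-drop after the frame */` and `/* cached fragments re-queued through this node */`. That description is taken from the later hunks of this function, so confirm the wording against them. The function body continues past the end of this hunk.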
@@ -2003,20 +1632,25 @@ nat44_hairpinning_fn_inline (vlib_main_t * vm, { u32 n_left_to_next; - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); while (n_left_from > 0 && n_left_to_next > 0) { - u32 bi0; - vlib_buffer_t * b0; - u32 next0; - ip4_header_t * ip0; - u32 proto0; - udp_header_t * udp0; - tcp_header_t * tcp0; - - /* speculatively enqueue b0 to the current next frame */ + u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0; + vlib_buffer_t *b0; + u32 next0; + u8 cached0 = 0; + ip4_header_t *ip0; + nat_reass_ip4_t *reass0; + udp_header_t *udp0; + tcp_header_t *tcp0; + snat_session_key_t key0; + clib_bihash_kv_8_8_t kv0, value0; + snat_session_t *s0 = 0; + u16 old_port0, new_port0; + ip_csum_t sum0; + + /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; to_next[0] = bi0; from += 1; 
@@ -2025,3742 +1659,238 @@ nat44_hairpinning_fn_inline (vlib_main_t * vm, n_left_to_next -= 1; b0 = vlib_get_buffer (vm, bi0); - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; + next0 = SNAT_IN2OUT_NEXT_LOOKUP; - proto0 = ip_proto_to_snat_proto (ip0->protocol); + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); - vnet_get_config_data (&cm->config_main, &b0->current_config_index, - &next0, 0); + if (PREDICT_FALSE (nat_reass_is_drop_frag (0))) + { + next0 = SNAT_IN2OUT_NEXT_DROP; + b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT]; + goto trace0; + } - if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, is_ed)) - next0 = SNAT_IN2OUT_NEXT_LOOKUP; + ip0 = (ip4_header_t *) vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, &fragments_to_drop); - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } + if (PREDICT_FALSE (!reass0)) + { + next0 = SNAT_IN2OUT_NEXT_DROP; + b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto trace0; + } + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + key0.addr = ip0->src_address; + key0.port = udp0->src_port; + key0.protocol = proto0; + key0.fib_index = rx_fib_index0; + kv0.key = key0.as_u64; + + if (clib_bihash_search_8_8 + (&per_thread_data->in2out, &kv0, &value0)) + { + if (PREDICT_FALSE + (snat_not_translate + (sm, node, sw_if_index0, ip0, proto0, rx_fib_index0, + thread_index))) + goto trace0; + + next0 = slow_path (sm, b0, ip0, 
rx_fib_index0, &key0, + &s0, node, next0, thread_index, now); + + if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) + goto trace0; + + reass0->sess_index = s0 - per_thread_data->sessions; + } + else + { + s0 = pool_elt_at_index (per_thread_data->sessions, + value0.value); + reass0->sess_index = value0.value; + } + nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); + } + else + { + if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0)) + { + if (nat_ip4_reass_add_fragment + (reass0, bi0, &fragments_to_drop)) + { + b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG]; + nat_log_notice + ("maximum fragments per reassembly exceeded"); + next0 = SNAT_IN2OUT_NEXT_DROP; + goto trace0; + } + cached0 = 1; + goto trace0; + } + s0 = pool_elt_at_index (per_thread_data->sessions, + reass0->sess_index); + } + + old_addr0 = ip0->src_address.as_u32; + ip0->src_address = s0->out2in.addr; + new_addr0 = ip0->src_address.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + src_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->src_port; + tcp0->src_port = s0->out2in.port; + new_port0 = tcp0->src_port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->src_port; + udp0->src_port = s0->out2in.port; + udp0->checksum = 0; + } + } + + /* Hairpinning */ + nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port, + s0->ext_host_port, proto0, 0); + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + /* 
Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s0, thread_index); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_reass_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->cached = cached0; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + } + + if (cached0) + { + n_left_to_next++; + to_next--; + } + else + { + pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + if (n_left_from == 0 && vec_len (fragments_to_loopback)) + { + from = vlib_frame_vector_args (frame); + u32 len = vec_len (fragments_to_loopback); + if (len <= VLIB_FRAME_SIZE) + { + clib_memcpy (from, fragments_to_loopback, + sizeof (u32) * len); + n_left_from = len; + vec_reset_length (fragments_to_loopback); + } + else + { + clib_memcpy (from, + fragments_to_loopback + (len - + VLIB_FRAME_SIZE), + sizeof (u32) * VLIB_FRAME_SIZE); + n_left_from = VLIB_FRAME_SIZE; + _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; + } + } + } vlib_put_next_frame (vm, node, next_index, n_left_to_next); } - vlib_node_increment_counter (vm, stats_node_index, - SNAT_IN2OUT_ERROR_IN2OUT_PACKETS, - pkts_processed); - return frame->n_vectors; -} + vlib_node_increment_counter (vm, nat44_in2out_reass_node.index, + SNAT_IN2OUT_ERROR_IN2OUT_PACKETS, + pkts_processed); -static uword -nat44_hairpinning_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return nat44_hairpinning_fn_inline (vm, node, frame, 0); + nat_send_all_to_node (vm, fragments_to_drop, node, + &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT], + SNAT_IN2OUT_NEXT_DROP); + + vec_free (fragments_to_drop); + vec_free (fragments_to_loopback); + return frame->n_vectors; } -VLIB_REGISTER_NODE (nat44_hairpinning_node) = { - .function = 
nat44_hairpinning_fn, - .name = "nat44-hairpinning", +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_in2out_reass_node) = { + .function = nat44_in2out_reass_node_fn, + .name = "nat44-in2out-reass", .vector_size = sizeof (u32), + .format_trace = format_nat44_reass_trace, .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(snat_in2out_error_strings), .error_strings = snat_in2out_error_strings, - .n_next_nodes = 2, + + .n_next_nodes = SNAT_IN2OUT_N_NEXT, .next_nodes = { [SNAT_IN2OUT_NEXT_DROP] = "error-drop", [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup", + [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath", + [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass", }, }; +/* *INDENT-ON* */ -VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node, - nat44_hairpinning_fn); +VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node, + nat44_in2out_reass_node_fn); static uword -nat44_ed_hairpinning_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) +snat_in2out_fast_static_map_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) { - return nat44_hairpinning_fn_inline (vm, node, frame, 1); -} - -VLIB_REGISTER_NODE (nat44_ed_hairpinning_node) = { - .function = nat44_ed_hairpinning_fn, - .name = "nat44-ed-hairpinning", - .vector_size = sizeof (u32), - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(snat_in2out_error_strings), - .error_strings = snat_in2out_error_strings, - .n_next_nodes = 2, - .next_nodes = { - [SNAT_IN2OUT_NEXT_DROP] = "error-drop", - [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpinning_node, - nat44_ed_hairpinning_fn); - -static inline void -nat44_reass_hairpinning (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - u16 sport, - u16 dport, - u32 proto0, - int is_ed) -{ - snat_session_key_t key0, sm0; - snat_session_t * s0; - clib_bihash_kv_8_8_t kv0, value0; - ip_csum_t sum0; - u32 new_dst_addr0 = 
0, old_dst_addr0, ti = 0, si; - u16 new_dst_port0, old_dst_port0; - udp_header_t * udp0; - tcp_header_t * tcp0; - int rv; - - key0.addr = ip0->dst_address; - key0.port = dport; - key0.protocol = proto0; - key0.fib_index = sm->outside_fib_index; - kv0.key = key0.as_u64; - - udp0 = ip4_next_header (ip0); - - /* Check if destination is static mappings */ - if (!snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0)) - { - new_dst_addr0 = sm0.addr.as_u32; - new_dst_port0 = sm0.port; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index; - } - /* or active sessions */ - else - { - if (sm->num_workers > 1) - ti = (clib_net_to_host_u16 (udp0->dst_port) - 1024) / sm->port_per_thread; - else - ti = sm->num_workers; - - if (is_ed) - { - clib_bihash_kv_16_8_t ed_kv, ed_value; - make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address, - ip0->protocol, sm->outside_fib_index, udp0->dst_port, - udp0->src_port); - rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed, - &ed_kv, &ed_value); - si = ed_value.value; - } - else - { - rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, - &value0); - si = value0.value; - } - if (!rv) - { - s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); - new_dst_addr0 = s0->in2out.addr.as_u32; - new_dst_port0 = s0->in2out.port; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - } - } - - /* Destination is behind the same NAT, use internal address and port */ - if (new_dst_addr0) - { - old_dst_addr0 = ip0->dst_address.as_u32; - ip0->dst_address.as_u32 = new_dst_addr0; - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - ip0->checksum = ip_csum_fold (sum0); - - old_dst_port0 = dport; - if (PREDICT_TRUE(new_dst_port0 != old_dst_port0 && - ip4_is_first_fragment (ip0))) - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - tcp0 = ip4_next_header (ip0); - tcp0->dst = new_dst_port0; - sum0 = tcp0->checksum; - sum0 = ip_csum_update 
(sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0, - ip4_header_t /* cheat */, length); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - udp0->dst_port = new_dst_port0; - udp0->checksum = 0; - } - } - else - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - tcp0 = ip4_next_header (ip0); - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, - ip4_header_t, dst_address); - tcp0->checksum = ip_csum_fold(sum0); - } - } - } -} - -static uword -nat44_in2out_reass_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - u32 n_left_from, *from, *to_next; - snat_in2out_next_t next_index; - u32 pkts_processed = 0; - snat_main_t *sm = &snat_main; - f64 now = vlib_time_now (vm); - u32 thread_index = vm->thread_index; - snat_main_per_thread_data_t *per_thread_data = - &sm->per_thread_data[thread_index]; - u32 *fragments_to_drop = 0; - u32 *fragments_to_loopback = 0; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0; - vlib_buffer_t *b0; - u32 next0; - u8 cached0 = 0; - ip4_header_t *ip0; - nat_reass_ip4_t *reass0; - udp_header_t * udp0; - tcp_header_t * tcp0; - snat_session_key_t key0; - clib_bihash_kv_8_8_t kv0, value0; - snat_session_t * s0 = 0; - u16 old_port0, new_port0; - ip_csum_t sum0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - next0 = SNAT_IN2OUT_NEXT_LOOKUP; - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = 
fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index0); - - if (PREDICT_FALSE (nat_reass_is_drop_frag(0))) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT]; - goto trace0; - } - - ip0 = (ip4_header_t *) vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - reass0 = nat_ip4_reass_find_or_create (ip0->src_address, - ip0->dst_address, - ip0->fragment_id, - ip0->protocol, - 1, - &fragments_to_drop); - - if (PREDICT_FALSE (!reass0)) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS]; - nat_log_notice ("maximum reassemblies exceeded"); - goto trace0; - } - - if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) - { - key0.addr = ip0->src_address; - key0.port = udp0->src_port; - key0.protocol = proto0; - key0.fib_index = rx_fib_index0; - kv0.key = key0.as_u64; - - if (clib_bihash_search_8_8 (&per_thread_data->in2out, &kv0, &value0)) - { - if (PREDICT_FALSE(snat_not_translate(sm, node, sw_if_index0, - ip0, proto0, rx_fib_index0, thread_index))) - goto trace0; - - next0 = slow_path (sm, b0, ip0, rx_fib_index0, &key0, - &s0, node, next0, thread_index, now); - - if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) - goto trace0; - - reass0->sess_index = s0 - per_thread_data->sessions; - } - else - { - s0 = pool_elt_at_index (per_thread_data->sessions, - value0.value); - reass0->sess_index = value0.value; - } - nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); - } - else - { - if (PREDICT_FALSE (reass0->sess_index == (u32) ~0)) - { - if (nat_ip4_reass_add_fragment (reass0, bi0, &fragments_to_drop)) - { - b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG]; - nat_log_notice ("maximum fragments per reassembly exceeded"); - next0 = SNAT_IN2OUT_NEXT_DROP; - goto trace0; - } - cached0 = 1; - goto trace0; - } - s0 = pool_elt_at_index (per_thread_data->sessions, - 
reass0->sess_index); - } - - old_addr0 = ip0->src_address.as_u32; - ip0->src_address = s0->out2in.addr; - new_addr0 = ip0->src_address.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - src_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->src_port; - tcp0->src_port = s0->out2in.port; - new_port0 = tcp0->src_port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->src_port; - udp0->src_port = s0->out2in.port; - udp0->checksum = 0; - } - } - - /* Hairpinning */ - nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port, - s0->ext_host_port, proto0, 0); - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s0, thread_index); - - trace0: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat44_in2out_reass_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->cached = cached0; - t->sw_if_index = sw_if_index0; - t->next_index = next0; - } - - if (cached0) - { - n_left_to_next++; - to_next--; - } - else - { - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } - - if (n_left_from == 0 && vec_len (fragments_to_loopback)) - { - from = vlib_frame_vector_args (frame); - u32 len = vec_len 
(fragments_to_loopback); - if (len <= VLIB_FRAME_SIZE) - { - clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len); - n_left_from = len; - vec_reset_length (fragments_to_loopback); - } - else - { - clib_memcpy (from, - fragments_to_loopback + (len - VLIB_FRAME_SIZE), - sizeof (u32) * VLIB_FRAME_SIZE); - n_left_from = VLIB_FRAME_SIZE; - _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; - } - } - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, nat44_in2out_reass_node.index, - SNAT_IN2OUT_ERROR_IN2OUT_PACKETS, - pkts_processed); - - nat_send_all_to_node (vm, fragments_to_drop, node, - &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT], - SNAT_IN2OUT_NEXT_DROP); - - vec_free (fragments_to_drop); - vec_free (fragments_to_loopback); - return frame->n_vectors; -} - -VLIB_REGISTER_NODE (nat44_in2out_reass_node) = { - .function = nat44_in2out_reass_node_fn, - .name = "nat44-in2out-reass", - .vector_size = sizeof (u32), - .format_trace = format_nat44_in2out_reass_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(snat_in2out_error_strings), - .error_strings = snat_in2out_error_strings, - - .n_next_nodes = SNAT_IN2OUT_N_NEXT, - .next_nodes = { - [SNAT_IN2OUT_NEXT_DROP] = "error-drop", - [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup", - [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath", - [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error", - [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_in2out_reass_node, - nat44_in2out_reass_node_fn); - -/*******************************/ -/*** endpoint-dependent mode ***/ -/*******************************/ - -static_always_inline int -icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) -{ - icmp46_header_t *icmp0; - nat_ed_ses_key_t key0; - icmp_echo_header_t *echo0, *inner_echo0 = 0; - ip4_header_t *inner_ip0 = 0; - void *l4_header = 0; - icmp46_header_t *inner_icmp0; - - icmp0 = (icmp46_header_t *) 
ip4_next_header (ip0); - echo0 = (icmp_echo_header_t *)(icmp0+1); - - if (!icmp_is_error_message (icmp0)) - { - key0.proto = IP_PROTOCOL_ICMP; - key0.l_addr = ip0->src_address; - key0.r_addr = ip0->dst_address; - key0.l_port = echo0->identifier; - key0.r_port = 0; - } - else - { - inner_ip0 = (ip4_header_t *)(echo0+1); - l4_header = ip4_next_header (inner_ip0); - key0.proto = inner_ip0->protocol; - key0.r_addr = inner_ip0->src_address; - key0.l_addr = inner_ip0->dst_address; - switch (ip_proto_to_snat_proto (inner_ip0->protocol)) - { - case SNAT_PROTOCOL_ICMP: - inner_icmp0 = (icmp46_header_t*)l4_header; - inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1); - key0.r_port = 0; - key0.l_port = inner_echo0->identifier; - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - key0.l_port = ((tcp_udp_header_t*)l4_header)->dst_port; - key0.r_port = ((tcp_udp_header_t*)l4_header)->src_port; - break; - default: - return SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL; - } - } - *p_key0 = key0; - return 0; -} - -int -nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void * arg) -{ - snat_main_t *sm = &snat_main; - nat44_is_idle_session_ctx_t *ctx = arg; - snat_session_t *s; - u64 sess_timeout_time; - nat_ed_ses_key_t ed_key; - clib_bihash_kv_16_8_t ed_kv; - int i; - snat_address_t *a; - snat_session_key_t key; - snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, - ctx->thread_index); - - s = pool_elt_at_index (tsm->sessions, kv->value); - sess_timeout_time = s->last_heard + (f64)nat44_session_get_timeout(sm, s); - if (ctx->now >= sess_timeout_time) - { - if (is_fwd_bypass_session (s)) - goto delete; - - ed_key.l_addr = s->out2in.addr; - ed_key.r_addr = s->ext_host_addr; - ed_key.fib_index = s->out2in.fib_index; - if (snat_is_unk_proto_session (s)) - { - ed_key.proto = s->in2out.port; - ed_key.r_port = 0; - ed_key.l_port = 0; - } - else - { - ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol); - ed_key.l_port = s->out2in.port; - 
ed_key.r_port = s->ext_host_port; - } - ed_kv.key[0] = ed_key.as_u64[0]; - ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0)) - nat_log_warn ("out2in_ed key del failed"); - - if (snat_is_unk_proto_session (s)) - goto delete; - - snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); - - if (is_twice_nat_session (s)) - { - for (i = 0; i < vec_len (sm->twice_nat_addresses); i++) - { - key.protocol = s->in2out.protocol; - key.port = s->ext_host_nat_port; - a = sm->twice_nat_addresses + i; - if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32) - { - snat_free_outside_address_and_port (sm->twice_nat_addresses, - ctx->thread_index, &key); - break; - } - } - } - - if (snat_is_session_static (s)) - goto delete; - - if (s->outside_address_index != ~0) - snat_free_outside_address_and_port (sm->addresses, ctx->thread_index, - &s->out2in); - delete: - nat44_delete_session (sm, s, ctx->thread_index); - return 1; - } - - return 0; -} - -static inline u32 -icmp_in2out_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0, - ip4_header_t * ip0, icmp46_header_t * icmp0, - u32 sw_if_index0, u32 rx_fib_index0, - vlib_node_runtime_t * node, u32 next0, f64 now, - u32 thread_index, snat_session_t ** p_s0) -{ - next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, thread_index, p_s0, 0); - snat_session_t * s0 = *p_s0; - if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP && s0)) - { - /* Hairpinning */ - if (vnet_buffer(b0)->sw_if_index[VLIB_TX] == ~0) - snat_icmp_hairpinning(sm, b0, ip0, icmp0, sm->endpoint_dependent); - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (sm->vlib_main, b0)); - } - return next0; -} - -static u32 -slow_path_ed (snat_main_t *sm, - vlib_buffer_t *b, - u32 rx_fib_index, - clib_bihash_kv_16_8_t *kv, - snat_session_t ** sessionp, - 
vlib_node_runtime_t * node, - u32 next, - u32 thread_index, - f64 now) -{ - snat_session_t *s; - snat_user_t *u; - snat_session_key_t key0, key1; - lb_nat_type_t lb = 0, is_sm = 0; - u32 address_index = ~0; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - nat_ed_ses_key_t *key = (nat_ed_ses_key_t *) kv->key; - u32 proto = ip_proto_to_snat_proto (key->proto); - nat_outside_fib_t *outside_fib; - fib_node_index_t fei = FIB_NODE_INDEX_INVALID; - fib_prefix_t pfx = { - .fp_proto = FIB_PROTOCOL_IP4, - .fp_len = 32, - .fp_addr = { - .ip4.as_u32 = key->r_addr.as_u32, - }, - }; - nat44_is_idle_session_ctx_t ctx; - - if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index))) - { - b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED]; - nat_ipfix_logging_max_sessions(sm->max_translations); - nat_log_notice ("maximum sessions exceeded"); - return SNAT_IN2OUT_NEXT_DROP; - } - - key0.addr = key->l_addr; - key0.port = key->l_port; - key1.protocol = key0.protocol = proto; - key0.fib_index = rx_fib_index; - key1.fib_index = sm->outside_fib_index; - /* First try to match static mapping by local address and port */ - if (snat_static_mapping_match (sm, key0, &key1, 0, 0, 0, &lb, 0)) - { - /* Try to create dynamic translation */ - if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index, - thread_index, &key1, - &address_index, - sm->port_per_thread, - tsm->snat_thread_index)) - { - nat_log_notice ("addresses exhausted"); - b->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS]; - return SNAT_IN2OUT_NEXT_DROP; - } - } - else - is_sm = 1; - - u = nat_user_get_or_create (sm, &key->l_addr, rx_fib_index, thread_index); - if (!u) - { - nat_log_warn ("create NAT user failed"); - if (!is_sm) - snat_free_outside_address_and_port (sm->addresses, - thread_index, &key1); - return SNAT_IN2OUT_NEXT_DROP; - } - - s = nat_ed_session_alloc (sm, u, thread_index); - if (!s) - { - nat44_delete_user_with_no_session (sm, u, thread_index); - 
nat_log_warn ("create NAT session failed"); - if (!is_sm) - snat_free_outside_address_and_port (sm->addresses, - thread_index, &key1); - return SNAT_IN2OUT_NEXT_DROP; - } - - user_session_increment (sm, u, is_sm); - if (is_sm) - s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; - if (lb) - s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING; - s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; - s->outside_address_index = address_index; - s->ext_host_addr = key->r_addr; - s->ext_host_port = key->r_port; - s->in2out = key0; - s->out2in = key1; - s->out2in.protocol = key0.protocol; - - switch (vec_len (sm->outside_fibs)) - { - case 0: - s->out2in.fib_index = sm->outside_fib_index; - break; - case 1: - s->out2in.fib_index = sm->outside_fibs[0].fib_index; - break; - default: - vec_foreach (outside_fib, sm->outside_fibs) - { - fei = fib_table_lookup (outside_fib->fib_index, &pfx); - if (FIB_NODE_INDEX_INVALID != fei) - { - if (fib_entry_get_resolving_interface (fei) != ~0) - { - s->out2in.fib_index = outside_fib->fib_index; - break; - } - } - } - break; - } - - /* Add to lookup tables */ - kv->value = s - tsm->sessions; - ctx.now = now; - ctx.thread_index = thread_index; - if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, kv, - nat44_i2o_ed_is_idle_session_cb, - &ctx)) - nat_log_notice ("in2out-ed key add failed"); - - make_ed_kv (kv, &key1.addr, &key->r_addr, key->proto, s->out2in.fib_index, - key1.port, key->r_port); - kv->value = s - tsm->sessions; - if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, kv, - nat44_o2i_ed_is_idle_session_cb, - &ctx)) - nat_log_notice ("out2in-ed key add failed"); - - *sessionp = s; - - /* log NAT event */ - snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); - return next; -} - -static_always_inline int -nat44_ed_not_translate (snat_main_t * sm, vlib_node_runtime_t *node, - u32 sw_if_index, ip4_header_t * ip, u32 
proto, - u32 rx_fib_index, u32 thread_index) -{ - udp_header_t *udp = ip4_next_header (ip); - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - clib_bihash_kv_16_8_t kv, value; - snat_session_key_t key0, key1; - - make_ed_kv (&kv, &ip->dst_address, &ip->src_address, ip->protocol, - sm->outside_fib_index, udp->dst_port, udp->src_port); - - /* NAT packet aimed at external address if */ - /* has active sessions */ - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value)) - { - key0.addr = ip->dst_address; - key0.port = udp->dst_port; - key0.protocol = proto; - key0.fib_index = sm->outside_fib_index; - /* or is static mappings */ - if (!snat_static_mapping_match(sm, key0, &key1, 1, 0, 0, 0, 0)) - return 0; - } - else - return 0; - - if (sm->forwarding_enabled) - return 1; - - return snat_not_translate_fast(sm, node, sw_if_index, ip, proto, rx_fib_index); -} - -static_always_inline int -nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip, - u32 thread_index, f64 now, - vlib_main_t * vm, vlib_buffer_t * b) -{ - nat_ed_ses_key_t key; - clib_bihash_kv_16_8_t kv, value; - udp_header_t *udp; - snat_session_t *s = 0; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - - if (!sm->forwarding_enabled) - return 0; - - if (ip->protocol == IP_PROTOCOL_ICMP) - { - key.as_u64[0] = key.as_u64[1] = 0; - if (icmp_get_ed_key (ip, &key)) - return 0; - key.fib_index = 0; - kv.key[0] = key.as_u64[0]; - kv.key[1] = key.as_u64[1]; - } - else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) - { - udp = ip4_next_header(ip); - make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0, - udp->src_port, udp->dst_port); - } - else - { - make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0, 0, - 0); - } - - if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) - { - s = pool_elt_at_index (tsm->sessions, value.value); - if (is_fwd_bypass_session (s)) - { - if (ip->protocol 
== IP_PROTOCOL_TCP) - { - tcp_header_t *tcp = ip4_next_header(ip); - if (nat44_set_tcp_session_state_i2o (sm, s, tcp, thread_index)) - return 1; - } - /* Accounting */ - nat44_session_update_counters (s, now, - vlib_buffer_length_in_chain (vm, b)); - return 1; - } - else - return 0; - } - - return 0; -} - -static_always_inline int -nat44_ed_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip, - u8 proto, u16 src_port, u16 dst_port, - u32 thread_index, u32 rx_sw_if_index, - u32 tx_sw_if_index) -{ - clib_bihash_kv_16_8_t kv, value; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - snat_interface_t *i; - snat_session_t *s; - u32 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (rx_sw_if_index); - u32 tx_fib_index = ip4_fib_table_get_index_for_sw_if_index (tx_sw_if_index); - - /* src NAT check */ - make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, tx_fib_index, - src_port, dst_port); - if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value)) - return 1; - - /* dst NAT check */ - make_ed_kv (&kv, &ip->dst_address, &ip->src_address, proto, rx_fib_index, - dst_port, src_port); - if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) - { - s = pool_elt_at_index (tsm->sessions, value.value); - if (is_fwd_bypass_session (s)) - return 0; - - /* hairpinning */ - pool_foreach (i, sm->output_feature_interfaces, - ({ - if ((nat_interface_is_inside(i)) && (rx_sw_if_index == i->sw_if_index)) - return 0; - })); - return 1; - } - - return 0; -} - -u32 -icmp_match_in2out_ed(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b, ip4_header_t *ip, - u8 *p_proto, snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e) -{ - icmp46_header_t *icmp; - u32 sw_if_index; - u32 rx_fib_index; - nat_ed_ses_key_t key; - snat_session_t *s = 0; - u8 dont_translate = 0; - clib_bihash_kv_16_8_t kv, value; - u32 next = ~0; - int err; - snat_main_per_thread_data_t *tsm = 
&sm->per_thread_data[thread_index]; - - icmp = (icmp46_header_t *) ip4_next_header (ip); - sw_if_index = vnet_buffer(b)->sw_if_index[VLIB_RX]; - rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index); - - key.as_u64[0] = key.as_u64[1] = 0; - err = icmp_get_ed_key (ip, &key); - if (err != 0) - { - b->error = node->errors[err]; - next = SNAT_IN2OUT_NEXT_DROP; - goto out; - } - key.fib_index = rx_fib_index; - - kv.key[0] = key.as_u64[0]; - kv.key[1] = key.as_u64[1]; - - if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) - { - if (vnet_buffer(b)->sw_if_index[VLIB_TX] != ~0) - { - if (PREDICT_FALSE(nat44_ed_not_translate_output_feature(sm, ip, - key.proto, key.l_port, key.r_port, thread_index, sw_if_index, - vnet_buffer(b)->sw_if_index[VLIB_TX]))) - { - dont_translate = 1; - goto out; - } - } - else - { - if (PREDICT_FALSE(nat44_ed_not_translate(sm, node, sw_if_index, - ip, SNAT_PROTOCOL_ICMP, rx_fib_index, thread_index))) - { - dont_translate = 1; - goto out; - } - } - - if (PREDICT_FALSE(icmp_is_error_message (icmp))) - { - b->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; - next = SNAT_IN2OUT_NEXT_DROP; - goto out; - } - - next = slow_path_ed (sm, b, rx_fib_index, &kv, &s, node, next, - thread_index, vlib_time_now (sm->vlib_main)); - - if (PREDICT_FALSE (next == SNAT_IN2OUT_NEXT_DROP)) - goto out; - } - else - { - if (PREDICT_FALSE(icmp->type != ICMP4_echo_request && - icmp->type != ICMP4_echo_reply && - !icmp_is_error_message (icmp))) - { - b->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; - next = SNAT_IN2OUT_NEXT_DROP; - goto out; - } - - s = pool_elt_at_index (tsm->sessions, value.value); - } - - *p_proto = ip_proto_to_snat_proto (key.proto); -out: - if (s) - *p_value = s->out2in; - *p_dont_translate = dont_translate; - if (d) - *(snat_session_t**)d = s; - return next; -} - -static inline void -nat44_ed_hairpinning_unknown_proto (snat_main_t *sm, - vlib_buffer_t * b, - ip4_header_t * ip) -{ - u32 old_addr, new_addr = 0, ti = 
0; - clib_bihash_kv_8_8_t kv, value; - clib_bihash_kv_16_8_t s_kv, s_value; - snat_static_mapping_t *m; - ip_csum_t sum; - snat_session_t *s; - snat_main_per_thread_data_t *tsm; - - if (sm->num_workers > 1) - ti = sm->worker_out2in_cb (ip, sm->outside_fib_index); - else - ti = sm->num_workers; - tsm = &sm->per_thread_data[ti]; - - old_addr = ip->dst_address.as_u32; - make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol, - sm->outside_fib_index, 0, 0); - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value)) - { - make_sm_kv (&kv, &ip->dst_address, 0, 0, 0); - if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - return; - - m = pool_elt_at_index (sm->static_mappings, value.value); - if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0) - vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index; - new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32; - } - else - { - s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value); - if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0) - vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index; - new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32; - } - sum = ip->checksum; - sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address); - ip->checksum = ip_csum_fold (sum); -} - -static snat_session_t * -nat44_ed_in2out_unknown_proto (snat_main_t *sm, - vlib_buffer_t * b, - ip4_header_t * ip, - u32 rx_fib_index, - u32 thread_index, - f64 now, - vlib_main_t * vm, - vlib_node_runtime_t * node) -{ - clib_bihash_kv_8_8_t kv, value; - clib_bihash_kv_16_8_t s_kv, s_value; - snat_static_mapping_t *m; - u32 old_addr, new_addr = 0; - ip_csum_t sum; - snat_user_t *u; - dlist_elt_t *head, *elt; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - u32 elt_index, head_index, ses_index; - snat_session_t * s; - u32 address_index = ~0, outside_fib_index = sm->outside_fib_index; - int i; - u8 is_sm = 0; - nat_outside_fib_t *outside_fib; - 
fib_node_index_t fei = FIB_NODE_INDEX_INVALID; - fib_prefix_t pfx = { - .fp_proto = FIB_PROTOCOL_IP4, - .fp_len = 32, - .fp_addr = { - .ip4.as_u32 = ip->dst_address.as_u32, - }, - }; - - switch (vec_len (sm->outside_fibs)) - { - case 0: - outside_fib_index = sm->outside_fib_index; - break; - case 1: - outside_fib_index = sm->outside_fibs[0].fib_index; - break; - default: - vec_foreach (outside_fib, sm->outside_fibs) - { - fei = fib_table_lookup (outside_fib->fib_index, &pfx); - if (FIB_NODE_INDEX_INVALID != fei) - { - if (fib_entry_get_resolving_interface (fei) != ~0) - { - outside_fib_index = outside_fib->fib_index; - break; - } - } - } - break; - } - old_addr = ip->src_address.as_u32; - - make_ed_kv (&s_kv, &ip->src_address, &ip->dst_address, ip->protocol, - rx_fib_index, 0, 0); - - if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &s_kv, &s_value)) - { - s = pool_elt_at_index (tsm->sessions, s_value.value); - new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32; - } - else - { - if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index))) - { - b->error = node->errors[SNAT_IN2OUT_ERROR_MAX_SESSIONS_EXCEEDED]; - nat_ipfix_logging_max_sessions(sm->max_translations); - nat_log_notice ("maximum sessions exceeded"); - return 0; - } - - u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index, - thread_index); - if (!u) - { - nat_log_warn ("create NAT user failed"); - return 0; - } - - make_sm_kv (&kv, &ip->src_address, 0, rx_fib_index, 0); - - /* Try to find static mapping first */ - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value)) - { - m = pool_elt_at_index (sm->static_mappings, value.value); - new_addr = ip->src_address.as_u32 = m->external_addr.as_u32; - is_sm = 1; - goto create_ses; - } - /* Fallback to 3-tuple key */ - else - { - /* Choose same out address as for TCP/UDP session to same destination */ - head_index = u->sessions_per_user_list_head_index; - head = pool_elt_at_index (tsm->list_pool, head_index); - elt_index = 
head->next; - if (PREDICT_FALSE (elt_index == ~0)) - ses_index = ~0; - else - { - elt = pool_elt_at_index (tsm->list_pool, elt_index); - ses_index = elt->value; - } - - while (ses_index != ~0) - { - s = pool_elt_at_index (tsm->sessions, ses_index); - elt_index = elt->next; - elt = pool_elt_at_index (tsm->list_pool, elt_index); - ses_index = elt->value; - - if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32) - { - new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32; - address_index = s->outside_address_index; - - make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address, - ip->protocol, outside_fib_index, 0, 0); - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value)) - goto create_ses; - - break; - } - } - - for (i = 0; i < vec_len (sm->addresses); i++) - { - make_ed_kv (&s_kv, &sm->addresses[i].addr, &ip->dst_address, - ip->protocol, outside_fib_index, 0, 0); - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value)) - { - new_addr = ip->src_address.as_u32 = - sm->addresses[i].addr.as_u32; - address_index = i; - goto create_ses; - } - } - return 0; - } - -create_ses: - s = nat_ed_session_alloc (sm, u, thread_index); - if (!s) - { - nat44_delete_user_with_no_session (sm, u, thread_index); - nat_log_warn ("create NAT session failed"); - return 0; - } - - s->ext_host_addr.as_u32 = ip->dst_address.as_u32; - s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO; - s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; - s->outside_address_index = address_index; - s->out2in.addr.as_u32 = new_addr; - s->out2in.fib_index = outside_fib_index; - s->in2out.addr.as_u32 = old_addr; - s->in2out.fib_index = rx_fib_index; - s->in2out.port = s->out2in.port = ip->protocol; - if (is_sm) - s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; - user_session_increment (sm, u, is_sm); - - /* Add to lookup tables */ - make_ed_kv (&s_kv, &s->in2out.addr, &ip->dst_address, ip->protocol, - rx_fib_index, 0, 0); - s_kv.value = s - tsm->sessions; - if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, 
&s_kv, 1)) - nat_log_notice ("in2out key add failed"); - - make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address, ip->protocol, - outside_fib_index, 0, 0); - s_kv.value = s - tsm->sessions; - if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1)) - nat_log_notice ("out2in key add failed"); - } - - /* Update IP checksum */ - sum = ip->checksum; - sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address); - ip->checksum = ip_csum_fold (sum); - - /* Accounting */ - nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b)); - - /* Hairpinning */ - if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0) - nat44_ed_hairpinning_unknown_proto(sm, b, ip); - - if (vnet_buffer(b)->sw_if_index[VLIB_TX] == ~0) - vnet_buffer(b)->sw_if_index[VLIB_TX] = outside_fib_index; - - return s; -} - -static inline uword -nat44_ed_in2out_node_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, int is_slow_path, - int is_output_feature) -{ - u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index; - snat_in2out_next_t next_index; - snat_main_t *sm = &snat_main; - f64 now = vlib_time_now (vm); - u32 thread_index = vm->thread_index; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - - stats_node_index = is_slow_path ? 
nat44_ed_in2out_slowpath_node.index : - nat44_ed_in2out_node.index; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from >= 4 && n_left_to_next >= 2) - { - u32 bi0, bi1; - vlib_buffer_t *b0, *b1; - u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0, - new_addr0, old_addr0; - u32 next1, sw_if_index1, rx_fib_index1, iph_offset1 = 0, proto1, - new_addr1, old_addr1; - u16 old_port0, new_port0, old_port1, new_port1; - ip4_header_t *ip0, *ip1; - udp_header_t *udp0, *udp1; - tcp_header_t *tcp0, *tcp1; - icmp46_header_t *icmp0, *icmp1; - snat_session_t *s0 = 0, *s1 = 0; - clib_bihash_kv_16_8_t kv0, value0, kv1, value1; - ip_csum_t sum0, sum1; - - /* Prefetch next iteration. */ - { - vlib_buffer_t * p2, * p3; - - p2 = vlib_get_buffer (vm, from[2]); - p3 = vlib_get_buffer (vm, from[3]); - - vlib_prefetch_buffer_header (p2, LOAD); - vlib_prefetch_buffer_header (p3, LOAD); - - CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); - CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); - } - - /* speculatively enqueue b0 and b1 to the current next frame */ - to_next[0] = bi0 = from[0]; - to_next[1] = bi1 = from[1]; - from += 2; - to_next += 2; - n_left_from -= 2; - n_left_to_next -= 2; - - b0 = vlib_get_buffer (vm, bi0); - b1 = vlib_get_buffer (vm, bi1); - - next0 = SNAT_IN2OUT_NEXT_LOOKUP; - - if (is_output_feature) - iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; - - ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + - iph_offset0); - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index0); - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - 
ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR; - goto trace00; - } - - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (is_slow_path) - { - if (PREDICT_FALSE (proto0 == ~0)) - { - s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0, - rx_fib_index0, - thread_index, now, vm, - node); - if (!s0) - next0 = SNAT_IN2OUT_NEXT_DROP; - goto trace00; - } - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_in2out_ed_slow_path - (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, now, thread_index, &s0); - goto trace00; - } - } - else - { - if (PREDICT_FALSE (proto0 == ~0)) - { - next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace00; - } - - if (ip4_is_fragment (ip0)) - { - next0 = SNAT_IN2OUT_NEXT_REASS; - goto trace00; - } - - if (is_output_feature) - { - if (PREDICT_FALSE(nat_not_translate_output_feature_fwd( - sm, ip0, thread_index, now, vm, b0))) - goto trace00; - } - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace00; - } - } - - make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, ip0->protocol, - rx_fib_index0, udp0->src_port, udp0->dst_port); - - if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0)) - { - if (is_slow_path) - { - if (is_output_feature) - { - if (PREDICT_FALSE(nat44_ed_not_translate_output_feature( - sm, ip0, ip0->protocol, udp0->src_port, - udp0->dst_port, thread_index, sw_if_index0, - vnet_buffer(b0)->sw_if_index[VLIB_TX]))) - goto trace00; - } - else - { - if (PREDICT_FALSE(nat44_ed_not_translate(sm, node, - sw_if_index0, ip0, proto0, rx_fib_index0, - thread_index))) - goto trace00; - } - - next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node, - next0, thread_index, now); - - if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP)) - goto trace00; - } - else - { - next0 = SNAT_IN2OUT_NEXT_SLOW_PATH; - 
goto trace00; - } - } - else - { - s0 = pool_elt_at_index (tsm->sessions, value0.value); - } - - b0->flags |= VNET_BUFFER_F_IS_NATED; - - if (!is_output_feature) - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; - - old_addr0 = ip0->src_address.as_u32; - new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32; - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - src_address); - if (PREDICT_FALSE (is_twice_nat_session (s0))) - sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, - s0->ext_host_addr.as_u32, ip4_header_t, - dst_address); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->src_port; - new_port0 = tcp0->src_port = s0->out2in.port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address); - sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t, - length); - if (PREDICT_FALSE (is_twice_nat_session (s0))) - { - sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, - s0->ext_host_addr.as_u32, - ip4_header_t, dst_address); - sum0 = ip_csum_update (sum0, tcp0->dst_port, - s0->ext_host_port, ip4_header_t, - length); - tcp0->dst_port = s0->ext_host_port; - ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; - } - mss_clamping (sm, tcp0, &sum0); - tcp0->checksum = ip_csum_fold(sum0); - if (nat44_set_tcp_session_state_i2o (sm, s0, tcp0, thread_index)) - goto trace00; - } - else - { - udp0->src_port = s0->out2in.port; - udp0->checksum = 0; - if (PREDICT_FALSE (is_twice_nat_session (s0))) - { - udp0->dst_port = s0->ext_host_port; - ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; - } - } - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - - trace00: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_in2out_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - 
t->is_slow_path = is_slow_path; - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (s0) - t->session_index = s0 - tsm->sessions; - } - - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; - - - next1 = SNAT_IN2OUT_NEXT_LOOKUP; - - if (is_output_feature) - iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length; - - ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) + - iph_offset1); - - sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX]; - rx_fib_index1 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index1); - - if (PREDICT_FALSE(ip1->ttl == 1)) - { - vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR; - goto trace01; - } - - udp1 = ip4_next_header (ip1); - tcp1 = (tcp_header_t *) udp1; - icmp1 = (icmp46_header_t *) udp1; - proto1 = ip_proto_to_snat_proto (ip1->protocol); - - if (is_slow_path) - { - if (PREDICT_FALSE (proto1 == ~0)) - { - s1 = nat44_ed_in2out_unknown_proto (sm, b1, ip1, - rx_fib_index1, - thread_index, now, vm, - node); - if (!s1) - next1 = SNAT_IN2OUT_NEXT_DROP; - goto trace01; - } - - if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) - { - next1 = icmp_in2out_ed_slow_path - (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, - next1, now, thread_index, &s1); - goto trace01; - } - } - else - { - if (PREDICT_FALSE (proto1 == ~0)) - { - next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace01; - } - - if (ip4_is_fragment (ip1)) - { - next1 = SNAT_IN2OUT_NEXT_REASS; - goto trace01; - } - - if (is_output_feature) - { - if (PREDICT_FALSE(nat_not_translate_output_feature_fwd( - sm, ip1, thread_index, now, vm, b1))) - goto trace01; - } - - if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) - { - next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace01; - } - } - - make_ed_kv (&kv1, &ip1->src_address, &ip1->dst_address, ip1->protocol, - rx_fib_index1, 
udp1->src_port, udp1->dst_port); - - if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv1, &value1)) - { - if (is_slow_path) - { - if (is_output_feature) - { - if (PREDICT_FALSE(nat44_ed_not_translate_output_feature( - sm, ip1, ip1->protocol, udp1->src_port, - udp1->dst_port, thread_index, sw_if_index1, - vnet_buffer(b1)->sw_if_index[VLIB_TX]))) - goto trace01; - } - else - { - if (PREDICT_FALSE(nat44_ed_not_translate(sm, node, - sw_if_index1, ip1, proto1, rx_fib_index1, - thread_index))) - goto trace01; - } - - next1 = slow_path_ed (sm, b1, rx_fib_index1, &kv1, &s1, node, - next1, thread_index, now); - - if (PREDICT_FALSE (next1 == SNAT_IN2OUT_NEXT_DROP)) - goto trace01; - } - else - { - next1 = SNAT_IN2OUT_NEXT_SLOW_PATH; - goto trace01; - } - } - else - { - s1 = pool_elt_at_index (tsm->sessions, value1.value); - } - - b1->flags |= VNET_BUFFER_F_IS_NATED; - - if (!is_output_feature) - vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index; - - old_addr1 = ip1->src_address.as_u32; - new_addr1 = ip1->src_address.as_u32 = s1->out2in.addr.as_u32; - sum1 = ip1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, - src_address); - if (PREDICT_FALSE (is_twice_nat_session (s1))) - sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32, - s1->ext_host_addr.as_u32, ip4_header_t, - dst_address); - ip1->checksum = ip_csum_fold (sum1); - - if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) - { - old_port1 = tcp1->src_port; - new_port1 = tcp1->src_port = s1->out2in.port; - - sum1 = tcp1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, - dst_address); - sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t, - length); - if (PREDICT_FALSE (is_twice_nat_session (s1))) - { - sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32, - s1->ext_host_addr.as_u32, - ip4_header_t, dst_address); - sum1 = ip_csum_update (sum1, tcp1->dst_port, - s1->ext_host_port, ip4_header_t, - length); - tcp1->dst_port = s1->ext_host_port; - 
ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
- }
- tcp1->checksum = ip_csum_fold(sum1);
- mss_clamping (sm, tcp1, &sum1);
- if (nat44_set_tcp_session_state_i2o (sm, s1, tcp1, thread_index))
- goto trace01;
- }
- else
- {
- udp1->src_port = s1->out2in.port;
- udp1->checksum = 0;
- if (PREDICT_FALSE (is_twice_nat_session (s1)))
- {
- udp1->dst_port = s1->ext_host_port;
- ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32;
- }
- }
-
- /* Accounting */
- nat44_session_update_counters (s1, now,
- vlib_buffer_length_in_chain (vm, b1));
-
- trace01:
- if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b1->flags & VLIB_BUFFER_IS_TRACED)))
- {
- snat_in2out_trace_t *t =
- vlib_add_trace (vm, node, b1, sizeof (*t));
- t->is_slow_path = is_slow_path;
- t->sw_if_index = sw_if_index1;
- t->next_index = next1;
- t->session_index = ~0;
- if (s1)
- t->session_index = s1 - tsm->sessions;
- }
-
- pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
-
- /* verify speculative enqueues, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, bi1, next0, next1);
- }
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0;
- vlib_buffer_t *b0;
- u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0,
- new_addr0, old_addr0;
- u16 old_port0, new_port0;
- ip4_header_t *ip0;
- udp_header_t *udp0;
- tcp_header_t *tcp0;
- icmp46_header_t * icmp0;
- snat_session_t *s0 = 0;
- clib_bihash_kv_16_8_t kv0, value0;
- ip_csum_t sum0;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
- next0 = SNAT_IN2OUT_NEXT_LOOKUP;
-
- if (is_output_feature)
- iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
-
- ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
- iph_offset0);
-
- sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
-
- if (PREDICT_FALSE(ip0->ttl == 1))
- {
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
- ICMP4_time_exceeded_ttl_exceeded_in_transit,
- 0);
- next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
- goto trace0;
- }
-
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
- icmp0 = (icmp46_header_t *) udp0;
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- if (is_slow_path)
- {
- if (PREDICT_FALSE (proto0 == ~0))
- {
- s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0,
- rx_fib_index0,
- thread_index, now, vm,
- node);
- if (!s0)
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto trace0;
- }
-
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
- {
- next0 = icmp_in2out_ed_slow_path
- (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, thread_index, &s0);
- goto trace0;
- }
- }
- else
- {
- if (PREDICT_FALSE (proto0 == ~0))
- {
- next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
- goto trace0;
- }
-
- if (ip4_is_fragment (ip0))
- {
- next0 = SNAT_IN2OUT_NEXT_REASS;
- goto trace0;
- }
-
- if (is_output_feature)
- {
- if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(
- sm, ip0, thread_index, now, vm, b0)))
- goto trace0;
- }
-
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
- {
- next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
- goto trace0;
- }
- }
-
- make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, ip0->protocol,
- rx_fib_index0, udp0->src_port, udp0->dst_port);
-
- if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0))
- {
- if (is_slow_path)
- {
- if (is_output_feature)
- {
- if (PREDICT_FALSE(nat44_ed_not_translate_output_feature(
- sm, ip0, ip0->protocol, udp0->src_port,
- udp0->dst_port, thread_index, sw_if_index0,
- vnet_buffer(b0)->sw_if_index[VLIB_TX])))
- goto trace0;
- }
- else
- {
- if (PREDICT_FALSE(nat44_ed_not_translate(sm, node,
- sw_if_index0, ip0, proto0, rx_fib_index0,
- thread_index)))
- goto trace0;
- }
-
- next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node,
- next0, thread_index, now);
-
- if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
- goto trace0;
- }
- else
- {
- next0 = SNAT_IN2OUT_NEXT_SLOW_PATH;
- goto trace0;
- }
- }
- else
- {
- s0 = pool_elt_at_index (tsm->sessions, value0.value);
- }
-
- b0->flags |= VNET_BUFFER_F_IS_NATED;
-
- if (!is_output_feature)
- vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
-
- old_addr0 = ip0->src_address.as_u32;
- new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32;
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- src_address);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32, ip4_header_t,
- dst_address);
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP))
- {
- old_port0 = tcp0->src_port;
- new_port0 = tcp0->src_port = s0->out2in.port;
-
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
- dst_address);
- sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t,
- length);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
- tcp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
- }
- mss_clamping (sm, tcp0, &sum0);
- tcp0->checksum = ip_csum_fold(sum0);
- if (nat44_set_tcp_session_state_i2o (sm, s0, tcp0, thread_index))
- goto trace0;
- }
- else
- {
- udp0->src_port = s0->out2in.port;
- udp0->checksum = 0;
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- udp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
- }
- }
-
- /* Accounting */
- nat44_session_update_counters (s0, now,
- vlib_buffer_length_in_chain (vm, b0));
-
- trace0:
- if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- snat_in2out_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->is_slow_path = is_slow_path;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- t->session_index = ~0;
- if (s0)
- t->session_index = s0 - tsm->sessions;
- }
-
- pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, stats_node_index,
- SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
- pkts_processed);
- return frame->n_vectors;
-}
-
-static uword
-nat44_ed_in2out_fast_path_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 0);
-}
-
-VLIB_REGISTER_NODE (nat44_ed_in2out_node) = {
- .function = nat44_ed_in2out_fast_path_fn,
- .name = "nat44-ed-in2out",
- .vector_size = sizeof (u32),
- .format_trace = format_snat_in2out_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .runtime_data_bytes = sizeof (snat_runtime_t),
-
- .n_next_nodes = SNAT_IN2OUT_N_NEXT,
-
- /* edit / add dispositions here */
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
- [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-slowpath",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-ed-in2out-reass",
- },
-};
-
-VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_node, nat44_ed_in2out_fast_path_fn);
-
-static uword
-nat44_ed_in2out_output_fast_path_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 1);
-}
-
-VLIB_REGISTER_NODE (nat44_ed_in2out_output_node) = {
- .function = nat44_ed_in2out_output_fast_path_fn,
- .name = "nat44-ed-in2out-output",
- .vector_size = sizeof (u32),
- .format_trace = format_snat_in2out_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .runtime_data_bytes = sizeof (snat_runtime_t),
-
- .n_next_nodes = SNAT_IN2OUT_N_NEXT,
-
- /* edit / add dispositions here */
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
- [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-ed-in2out-reass-output",
- },
-};
-
-VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_output_node,
- nat44_ed_in2out_output_fast_path_fn);
-
-static uword
-nat44_ed_in2out_slow_path_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 0);
-}
-
-VLIB_REGISTER_NODE (nat44_ed_in2out_slowpath_node) = {
- .function = nat44_ed_in2out_slow_path_fn,
- .name = "nat44-ed-in2out-slowpath",
- .vector_size = sizeof (u32),
- .format_trace = format_snat_in2out_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .runtime_data_bytes = sizeof (snat_runtime_t),
-
- .n_next_nodes = SNAT_IN2OUT_N_NEXT,
-
- /* edit / add dispositions here */
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
- [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-slowpath",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-ed-in2out-reass",
- },
-};
-
-VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_slowpath_node,
- nat44_ed_in2out_slow_path_fn);
-
-static uword
-nat44_ed_in2out_output_slow_path_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 1);
-}
-
-VLIB_REGISTER_NODE (nat44_ed_in2out_output_slowpath_node) = {
- .function = nat44_ed_in2out_output_slow_path_fn,
- .name = "nat44-ed-in2out-output-slowpath",
- .vector_size = sizeof (u32),
- .format_trace = format_snat_in2out_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .runtime_data_bytes = sizeof (snat_runtime_t),
-
- .n_next_nodes = SNAT_IN2OUT_N_NEXT,
-
- /* edit / add dispositions here */
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
- [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-ed-in2out-reass",
- },
-};
-
-VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_output_slowpath_node,
- nat44_ed_in2out_output_slow_path_fn);
-
-static inline uword
-nat44_ed_in2out_reass_node_fn_inline (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame,
- int is_output_feature)
-{
- u32 n_left_from, *from, *to_next;
- snat_in2out_next_t next_index;
- u32 pkts_processed = 0;
- snat_main_t *sm = &snat_main;
- f64 now = vlib_time_now (vm);
- u32 thread_index = vm->thread_index;
- snat_main_per_thread_data_t *per_thread_data =
- &sm->per_thread_data[thread_index];
- u32 *fragments_to_drop = 0;
- u32 *fragments_to_loopback = 0;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0;
- u32 iph_offset0 = 0;
- vlib_buffer_t *b0;
- u32 next0;
- u8 cached0 = 0;
- ip4_header_t *ip0 = 0;
- nat_reass_ip4_t *reass0;
- udp_header_t * udp0;
- tcp_header_t * tcp0;
- icmp46_header_t * icmp0;
- clib_bihash_kv_16_8_t kv0, value0;
- snat_session_t * s0 = 0;
- u16 old_port0, new_port0;
- ip_csum_t sum0;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
-
- next0 = SNAT_IN2OUT_NEXT_LOOKUP;
-
- sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4,
- sw_if_index0);
-
- if (PREDICT_FALSE (nat_reass_is_drop_frag(0)))
- {
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT];
- goto trace0;
- }
-
- if (is_output_feature)
- iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length;
-
- ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
- iph_offset0);
-
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
- icmp0 = (icmp46_header_t *) udp0;
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- reass0 = nat_ip4_reass_find_or_create (ip0->src_address,
- ip0->dst_address,
- ip0->fragment_id,
- ip0->protocol,
- 1,
- &fragments_to_drop);
-
- if (PREDICT_FALSE (!reass0))
- {
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_REASS];
- nat_log_notice ("maximum reassemblies exceeded");
- goto trace0;
- }
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP))
- {
- if (is_output_feature)
- {
- if (PREDICT_FALSE(nat_not_translate_output_feature_fwd(
- sm, ip0, thread_index, now, vm, b0)))
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- goto trace0;
- }
-
- next0 = icmp_in2out_slow_path
- (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
- next0, now, thread_index, &s0);
-
- if (PREDICT_TRUE(next0 != SNAT_IN2OUT_NEXT_DROP))
- {
- if (s0)
- reass0->sess_index = s0 - per_thread_data->sessions;
- else
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- }
-
- goto trace0;
- }
-
- make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, ip0->protocol,
- rx_fib_index0, udp0->src_port, udp0->dst_port);
-
- if (clib_bihash_search_16_8 (&per_thread_data->in2out_ed, &kv0, &value0))
- {
- if (is_output_feature)
- {
- if (PREDICT_FALSE(nat44_ed_not_translate_output_feature(
- sm, ip0, ip0->protocol, udp0->src_port,
- udp0->dst_port, thread_index, sw_if_index0,
- vnet_buffer(b0)->sw_if_index[VLIB_TX])))
- {
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- goto trace0;
- }
- }
- else
- {
- if (PREDICT_FALSE(nat44_ed_not_translate(sm, node,
- sw_if_index0, ip0, proto0, rx_fib_index0,
- thread_index)))
- {
- reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE;
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- goto trace0;
- }
- }
-
- next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0,
- &s0, node, next0, thread_index, now);
-
- if (PREDICT_FALSE (next0 == SNAT_IN2OUT_NEXT_DROP))
- goto trace0;
-
- reass0->sess_index = s0 - per_thread_data->sessions;
- }
- else
- {
- s0 = pool_elt_at_index (per_thread_data->sessions,
- value0.value);
- reass0->sess_index = value0.value;
- }
- nat_ip4_reass_get_frags (reass0, &fragments_to_loopback);
- }
- else
- {
- if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE)
- goto trace0;
- if (PREDICT_FALSE (reass0->sess_index == (u32) ~0))
- {
- if (nat_ip4_reass_add_fragment (reass0, bi0, &fragments_to_drop))
- {
- b0->error = node->errors[SNAT_IN2OUT_ERROR_MAX_FRAG];
- nat_log_notice ("maximum fragments per reassembly exceeded");
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto trace0;
- }
- cached0 = 1;
- goto trace0;
- }
- s0 = pool_elt_at_index (per_thread_data->sessions,
- reass0->sess_index);
- }
-
- old_addr0 = ip0->src_address.as_u32;
- ip0->src_address = s0->out2in.addr;
- new_addr0 = ip0->src_address.as_u32;
- if (!is_output_feature)
- vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index;
-
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- src_address /* changed member */);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32, ip4_header_t,
- dst_address);
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_FALSE (ip4_is_first_fragment (ip0)))
- {
- if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
- {
- old_port0 = tcp0->src_port;
- tcp0->src_port = s0->out2in.port;
- new_port0 = tcp0->src_port;
-
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
- ip4_header_t,
- dst_address /* changed member */);
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */,
- length /* changed member */);
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32,
- s0->ext_host_addr.as_u32,
- ip4_header_t, dst_address);
- sum0 = ip_csum_update (sum0, tcp0->dst_port,
- s0->ext_host_port, ip4_header_t,
- length);
- tcp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
- }
- tcp0->checksum = ip_csum_fold(sum0);
- }
- else
- {
- old_port0 = udp0->src_port;
- udp0->src_port = s0->out2in.port;
- udp0->checksum = 0;
- if (PREDICT_FALSE (is_twice_nat_session (s0)))
- {
- udp0->dst_port = s0->ext_host_port;
- ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32;
- }
- }
- }
-
- /* Hairpinning */
- if (PREDICT_TRUE(proto0 != SNAT_PROTOCOL_ICMP))
- nat44_reass_hairpinning (sm, b0, ip0, s0->out2in.port,
- s0->ext_host_port, proto0, 1);
- else
- snat_icmp_hairpinning(sm, b0, ip0, icmp0, 1);
-
- /* Accounting */
- nat44_session_update_counters (s0, now,
- vlib_buffer_length_in_chain (vm, b0));
- /* Per-user LRU list maintenance */
- nat44_session_update_lru (sm, s0, thread_index);
-
- trace0:
- if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- nat44_in2out_reass_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->cached = cached0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- }
-
- if (cached0)
- {
- n_left_to_next++;
- to_next--;
- }
- else
- {
- pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- if (n_left_from == 0 && vec_len (fragments_to_loopback))
- {
- from = vlib_frame_vector_args (frame);
- u32 len = vec_len (fragments_to_loopback);
- if (len <= VLIB_FRAME_SIZE)
- {
- clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len);
- n_left_from = len;
- vec_reset_length (fragments_to_loopback);
- }
- else
- {
- clib_memcpy (from,
- fragments_to_loopback + (len - VLIB_FRAME_SIZE),
- sizeof (u32) * VLIB_FRAME_SIZE);
- n_left_from = VLIB_FRAME_SIZE;
- _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE;
- }
- }
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, nat44_in2out_reass_node.index,
- SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
- pkts_processed);
-
- nat_send_all_to_node (vm, fragments_to_drop, node,
- &node->errors[SNAT_IN2OUT_ERROR_DROP_FRAGMENT],
- SNAT_IN2OUT_NEXT_DROP);
-
- vec_free (fragments_to_drop);
- vec_free (fragments_to_loopback);
- return frame->n_vectors;
-}
-
-static uword
-nat44_ed_in2out_reass_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 0);
-}
-
-VLIB_REGISTER_NODE (nat44_ed_in2out_reass_node) = {
- .function = nat44_ed_in2out_reass_node_fn,
- .name = "nat44-ed-in2out-reass",
- .vector_size = sizeof (u32),
- .format_trace = format_nat44_in2out_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .n_next_nodes = SNAT_IN2OUT_N_NEXT,
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
- [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-ed-in2out-reass",
- },
-};
-
-VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_reass_node,
- nat44_ed_in2out_reass_node_fn);
-
-static uword
-nat44_ed_in2out_reass_output_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 1);
-}
-
-VLIB_REGISTER_NODE (nat44_ed_in2out_reass_output_node) = {
- .function = nat44_ed_in2out_reass_output_node_fn,
- .name = "nat44-ed-in2out-reass-output",
- .vector_size = sizeof (u32),
- .format_trace = format_nat44_in2out_reass_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .n_next_nodes = SNAT_IN2OUT_N_NEXT,
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "interface-output",
- [SNAT_IN2OUT_NEXT_SLOW_PATH] = "nat44-in2out-slowpath",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- [SNAT_IN2OUT_NEXT_REASS] = "nat44-ed-in2out-reass",
- },
-};
-
-VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_reass_output_node,
- nat44_ed_in2out_reass_output_node_fn);
-
-/**************************/
-/*** deterministic mode ***/
-/**************************/
-static uword
-snat_det_in2out_node_fn (vlib_main_t * vm,
- vlib_node_runtime_t * node,
- vlib_frame_t * frame)
-{
- u32 n_left_from, * from, * to_next;
- snat_in2out_next_t next_index;
- u32 pkts_processed = 0;
- snat_main_t * sm = &snat_main;
- u32 now = (u32) vlib_time_now (vm);
- u32 thread_index = vm->thread_index;
-
- from = vlib_frame_vector_args (frame);
- n_left_from = frame->n_vectors;
- next_index = node->cached_next_index;
-
- while (n_left_from > 0)
- {
- u32 n_left_to_next;
-
- vlib_get_next_frame (vm, node, next_index,
- to_next, n_left_to_next);
-
- while (n_left_from >= 4 && n_left_to_next >= 2)
- {
- u32 bi0, bi1;
- vlib_buffer_t * b0, * b1;
- u32 next0, next1;
- u32 sw_if_index0, sw_if_index1;
- ip4_header_t * ip0, * ip1;
- ip_csum_t sum0, sum1;
- ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1;
- u16 old_port0, new_port0, lo_port0, i0;
- u16 old_port1, new_port1, lo_port1, i1;
- udp_header_t * udp0, * udp1;
- tcp_header_t * tcp0, * tcp1;
- u32 proto0, proto1;
- snat_det_out_key_t key0, key1;
- snat_det_map_t * dm0, * dm1;
- snat_det_session_t * ses0 = 0, * ses1 = 0;
- u32 rx_fib_index0, rx_fib_index1;
- icmp46_header_t * icmp0, * icmp1;
-
- /* Prefetch next iteration. */
- {
- vlib_buffer_t * p2, * p3;
-
- p2 = vlib_get_buffer (vm, from[2]);
- p3 = vlib_get_buffer (vm, from[3]);
-
- vlib_prefetch_buffer_header (p2, LOAD);
- vlib_prefetch_buffer_header (p3, LOAD);
-
- CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
- CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
- }
-
- /* speculatively enqueue b0 and b1 to the current next frame */
- to_next[0] = bi0 = from[0];
- to_next[1] = bi1 = from[1];
- from += 2;
- to_next += 2;
- n_left_from -= 2;
- n_left_to_next -= 2;
-
- b0 = vlib_get_buffer (vm, bi0);
- b1 = vlib_get_buffer (vm, bi1);
-
- next0 = SNAT_IN2OUT_NEXT_LOOKUP;
- next1 = SNAT_IN2OUT_NEXT_LOOKUP;
-
- ip0 = vlib_buffer_get_current (b0);
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
-
- sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
-
- if (PREDICT_FALSE(ip0->ttl == 1))
- {
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
- ICMP4_time_exceeded_ttl_exceeded_in_transit,
- 0);
- next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
- goto trace0;
- }
-
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
- {
- rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
- icmp0 = (icmp46_header_t *) udp0;
-
- next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
- rx_fib_index0, node, next0, thread_index,
- &ses0, &dm0);
- goto trace0;
- }
-
- dm0 = snat_det_map_by_user(sm, &ip0->src_address);
- if (PREDICT_FALSE(!dm0))
- {
- nat_log_info ("no match for internal host %U",
- format_ip4_address, &ip0->src_address);
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
- goto trace0;
- }
-
- snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
-
- key0.ext_host_addr = ip0->dst_address;
- key0.ext_host_port = tcp0->dst;
-
- ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
- if (PREDICT_FALSE(!ses0))
- {
- for (i0 = 0; i0 < dm0->ports_per_host; i0++)
- {
- key0.out_port = clib_host_to_net_u16 (lo_port0 +
- ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
-
- if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
- continue;
-
- ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
- break;
- }
- if (PREDICT_FALSE(!ses0))
- {
- /* too many sessions for user, send ICMP error packet */
-
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
- ICMP4_destination_unreachable_destination_unreachable_host,
- 0);
- next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
- goto trace0;
- }
- }
-
- new_port0 = ses0->out.out_port;
-
- old_addr0.as_u32 = ip0->src_address.as_u32;
- ip0->src_address.as_u32 = new_addr0.as_u32;
- vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
-
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
- ip4_header_t,
- src_address /* changed member */);
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
- {
- if (tcp0->flags & TCP_FLAG_SYN)
- ses0->state = SNAT_SESSION_TCP_SYN_SENT;
- else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
- ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
- else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
- ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
- else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
- snat_det_ses_close(dm0, ses0);
- else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
- ses0->state = SNAT_SESSION_TCP_LAST_ACK;
- else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
- ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
-
- old_port0 = tcp0->src;
- tcp0->src = new_port0;
-
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
- ip4_header_t,
- dst_address /* changed member */);
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */,
- length /* changed member */);
- mss_clamping (sm, tcp0, &sum0);
- tcp0->checksum = ip_csum_fold(sum0);
- }
- else
- {
- ses0->state = SNAT_SESSION_UDP_ACTIVE;
- old_port0 = udp0->src_port;
- udp0->src_port = new_port0;
- udp0->checksum = 0;
- }
-
- switch(ses0->state)
- {
- case SNAT_SESSION_UDP_ACTIVE:
- ses0->expire = now + sm->udp_timeout;
- break;
- case SNAT_SESSION_TCP_SYN_SENT:
- case SNAT_SESSION_TCP_FIN_WAIT:
- case SNAT_SESSION_TCP_CLOSE_WAIT:
- case SNAT_SESSION_TCP_LAST_ACK:
- ses0->expire = now + sm->tcp_transitory_timeout;
- break;
- case SNAT_SESSION_TCP_ESTABLISHED:
- ses0->expire = now + sm->tcp_established_timeout;
- break;
- }
-
- trace0:
- if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- snat_in2out_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->is_slow_path = 0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- t->session_index = ~0;
- if (ses0)
- t->session_index = ses0 - dm0->sessions;
- }
-
- pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
-
- ip1 = vlib_buffer_get_current (b1);
- udp1 = ip4_next_header (ip1);
- tcp1 = (tcp_header_t *) udp1;
-
- sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX];
-
- if (PREDICT_FALSE(ip1->ttl == 1))
- {
- vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
- ICMP4_time_exceeded_ttl_exceeded_in_transit,
- 0);
- next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
- goto trace1;
- }
-
- proto1 = ip_proto_to_snat_proto (ip1->protocol);
-
- if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP))
- {
- rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1);
- icmp1 = (icmp46_header_t *) udp1;
-
- next1 = icmp_in2out(sm, b1, ip1, icmp1, sw_if_index1,
- rx_fib_index1, node, next1, thread_index,
- &ses1, &dm1);
- goto trace1;
- }
-
- dm1 = snat_det_map_by_user(sm, &ip1->src_address);
- if (PREDICT_FALSE(!dm1))
- {
- nat_log_info ("no match for internal host %U",
- format_ip4_address, &ip0->src_address);
- next1 = SNAT_IN2OUT_NEXT_DROP;
- b1->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
- goto trace1;
- }
-
- snat_det_forward(dm1, &ip1->src_address, &new_addr1, &lo_port1);
-
- key1.ext_host_addr = ip1->dst_address;
- key1.ext_host_port = tcp1->dst;
-
- ses1 = snat_det_find_ses_by_in(dm1, &ip1->src_address, tcp1->src, key1);
- if (PREDICT_FALSE(!ses1))
- {
- for (i1 = 0; i1 < dm1->ports_per_host; i1++)
- {
- key1.out_port = clib_host_to_net_u16 (lo_port1 +
- ((i1 + clib_net_to_host_u16 (tcp1->src)) % dm1->ports_per_host));
-
- if (snat_det_get_ses_by_out (dm1, &ip1->src_address, key1.as_u64))
- continue;
-
- ses1 = snat_det_ses_create(dm1, &ip1->src_address, tcp1->src, &key1);
- break;
- }
- if (PREDICT_FALSE(!ses1))
- {
- /* too many sessions for user, send ICMP error packet */
-
- vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- icmp4_error_set_vnet_buffer (b1, ICMP4_destination_unreachable,
- ICMP4_destination_unreachable_destination_unreachable_host,
- 0);
- next1 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
- goto trace1;
- }
- }
-
- new_port1 = ses1->out.out_port;
-
- old_addr1.as_u32 = ip1->src_address.as_u32;
- ip1->src_address.as_u32 = new_addr1.as_u32;
- vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
-
- sum1 = ip1->checksum;
- sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
- ip4_header_t,
- src_address /* changed member */);
- ip1->checksum = ip_csum_fold (sum1);
-
- if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP))
- {
- if (tcp1->flags & TCP_FLAG_SYN)
- ses1->state = SNAT_SESSION_TCP_SYN_SENT;
- else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_SYN_SENT)
- ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
- else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED)
- ses1->state = SNAT_SESSION_TCP_FIN_WAIT;
- else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_FIN_WAIT)
- snat_det_ses_close(dm1, ses1);
- else if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT)
- ses1->state = SNAT_SESSION_TCP_LAST_ACK;
- else if (tcp1->flags == 0 && ses1->state == SNAT_SESSION_UNKNOWN)
- ses1->state = SNAT_SESSION_TCP_ESTABLISHED;
-
- old_port1 = tcp1->src;
- tcp1->src = new_port1;
-
- sum1 = tcp1->checksum;
- sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32,
- ip4_header_t,
- dst_address /* changed member */);
- sum1 = ip_csum_update (sum1, old_port1, new_port1,
- ip4_header_t /* cheat */,
- length /* changed member */);
- mss_clamping (sm, tcp1, &sum1);
- tcp1->checksum = ip_csum_fold(sum1);
- }
- else
- {
- ses1->state = SNAT_SESSION_UDP_ACTIVE;
- old_port1 = udp1->src_port;
- udp1->src_port = new_port1;
- udp1->checksum = 0;
- }
-
- switch(ses1->state)
- {
- case SNAT_SESSION_UDP_ACTIVE:
- ses1->expire = now + sm->udp_timeout;
- break;
- case SNAT_SESSION_TCP_SYN_SENT:
- case SNAT_SESSION_TCP_FIN_WAIT:
- case SNAT_SESSION_TCP_CLOSE_WAIT:
- case SNAT_SESSION_TCP_LAST_ACK:
- ses1->expire = now + sm->tcp_transitory_timeout;
- break;
- case SNAT_SESSION_TCP_ESTABLISHED:
- ses1->expire = now + sm->tcp_established_timeout;
- break;
- }
-
- trace1:
- if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b1->flags & VLIB_BUFFER_IS_TRACED)))
- {
- snat_in2out_trace_t *t =
- vlib_add_trace (vm, node, b1, sizeof (*t));
- t->is_slow_path = 0;
- t->sw_if_index = sw_if_index1;
- t->next_index = next1;
- t->session_index = ~0;
- if (ses1)
- t->session_index = ses1 - dm1->sessions;
- }
-
- pkts_processed += next1 != SNAT_IN2OUT_NEXT_DROP;
-
- /* verify speculative enqueues, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, bi1, next0, next1);
- }
-
- while (n_left_from > 0 && n_left_to_next > 0)
- {
- u32 bi0;
- vlib_buffer_t * b0;
- u32 next0;
- u32 sw_if_index0;
- ip4_header_t * ip0;
- ip_csum_t sum0;
- ip4_address_t new_addr0, old_addr0;
- u16 old_port0, new_port0, lo_port0, i0;
- udp_header_t * udp0;
- tcp_header_t * tcp0;
- u32 proto0;
- snat_det_out_key_t key0;
- snat_det_map_t * dm0;
- snat_det_session_t * ses0 = 0;
- u32 rx_fib_index0;
- icmp46_header_t * icmp0;
-
- /* speculatively enqueue b0 to the current next frame */
- bi0 = from[0];
- to_next[0] = bi0;
- from += 1;
- to_next += 1;
- n_left_from -= 1;
- n_left_to_next -= 1;
-
- b0 = vlib_get_buffer (vm, bi0);
- next0 = SNAT_IN2OUT_NEXT_LOOKUP;
-
- ip0 = vlib_buffer_get_current (b0);
- udp0 = ip4_next_header (ip0);
- tcp0 = (tcp_header_t *) udp0;
-
- sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
-
- if (PREDICT_FALSE(ip0->ttl == 1))
- {
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
- ICMP4_time_exceeded_ttl_exceeded_in_transit,
- 0);
- next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
- goto trace00;
- }
-
- proto0 = ip_proto_to_snat_proto (ip0->protocol);
-
- if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP))
- {
- rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0);
- icmp0 = (icmp46_header_t *) udp0;
-
- next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0,
- rx_fib_index0, node, next0, thread_index,
- &ses0, &dm0);
- goto trace00;
- }
-
- dm0 = snat_det_map_by_user(sm, &ip0->src_address);
- if (PREDICT_FALSE(!dm0))
- {
- nat_log_info ("no match for internal host %U",
- format_ip4_address, &ip0->src_address);
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
- goto trace00;
- }
-
- snat_det_forward(dm0, &ip0->src_address, &new_addr0, &lo_port0);
-
- key0.ext_host_addr = ip0->dst_address;
- key0.ext_host_port = tcp0->dst;
-
- ses0 = snat_det_find_ses_by_in(dm0, &ip0->src_address, tcp0->src, key0);
- if (PREDICT_FALSE(!ses0))
- {
- for (i0 = 0; i0 < dm0->ports_per_host; i0++)
- {
- key0.out_port = clib_host_to_net_u16 (lo_port0 +
- ((i0 + clib_net_to_host_u16 (tcp0->src)) % dm0->ports_per_host));
-
- if (snat_det_get_ses_by_out (dm0, &ip0->src_address, key0.as_u64))
- continue;
-
- ses0 = snat_det_ses_create(dm0, &ip0->src_address, tcp0->src, &key0);
- break;
- }
- if (PREDICT_FALSE(!ses0))
- {
- /* too many sessions for user, send ICMP error packet */
-
- vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
- icmp4_error_set_vnet_buffer (b0, ICMP4_destination_unreachable,
- ICMP4_destination_unreachable_destination_unreachable_host,
- 0);
- next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR;
- goto trace00;
- }
- }
-
- new_port0 = ses0->out.out_port;
-
- old_addr0.as_u32 = ip0->src_address.as_u32;
- ip0->src_address.as_u32 = new_addr0.as_u32;
- vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index;
-
- sum0 = ip0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
- ip4_header_t,
- src_address /* changed member */);
- ip0->checksum = ip_csum_fold (sum0);
-
- if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP))
- {
- if (tcp0->flags & TCP_FLAG_SYN)
- ses0->state = SNAT_SESSION_TCP_SYN_SENT;
- else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_SYN_SENT)
- ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
- else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED)
- ses0->state = SNAT_SESSION_TCP_FIN_WAIT;
- else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_FIN_WAIT)
- snat_det_ses_close(dm0, ses0);
- else if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT)
- ses0->state = SNAT_SESSION_TCP_LAST_ACK;
- else if (tcp0->flags == 0 && ses0->state == SNAT_SESSION_UNKNOWN)
- ses0->state = SNAT_SESSION_TCP_ESTABLISHED;
-
- old_port0 = tcp0->src;
- tcp0->src = new_port0;
-
- sum0 = tcp0->checksum;
- sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32,
- ip4_header_t,
- dst_address /* changed member */);
- sum0 = ip_csum_update (sum0, old_port0, new_port0,
- ip4_header_t /* cheat */,
- length /* changed member */);
- mss_clamping (sm, tcp0, &sum0);
- tcp0->checksum = ip_csum_fold(sum0);
- }
- else
- {
- ses0->state = SNAT_SESSION_UDP_ACTIVE;
- old_port0 = udp0->src_port;
- udp0->src_port = new_port0;
- udp0->checksum = 0;
- }
-
- switch(ses0->state)
- {
- case SNAT_SESSION_UDP_ACTIVE:
- ses0->expire = now + sm->udp_timeout;
- break;
- case SNAT_SESSION_TCP_SYN_SENT:
- case SNAT_SESSION_TCP_FIN_WAIT:
- case SNAT_SESSION_TCP_CLOSE_WAIT:
- case SNAT_SESSION_TCP_LAST_ACK:
- ses0->expire = now + sm->tcp_transitory_timeout;
- break;
- case SNAT_SESSION_TCP_ESTABLISHED:
- ses0->expire = now + sm->tcp_established_timeout;
- break;
- }
-
- trace00:
- if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE)
- && (b0->flags & VLIB_BUFFER_IS_TRACED)))
- {
- snat_in2out_trace_t *t =
- vlib_add_trace (vm, node, b0, sizeof (*t));
- t->is_slow_path = 0;
- t->sw_if_index = sw_if_index0;
- t->next_index = next0;
- t->session_index = ~0;
- if (ses0)
- t->session_index = ses0 - dm0->sessions;
- }
-
- pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP;
-
- /* verify speculative enqueue, maybe switch current next frame */
- vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
- to_next, n_left_to_next,
- bi0, next0);
- }
-
- vlib_put_next_frame (vm, node, next_index, n_left_to_next);
- }
-
- vlib_node_increment_counter (vm, snat_det_in2out_node.index,
- SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
- pkts_processed);
- return frame->n_vectors;
-}
-
-VLIB_REGISTER_NODE (snat_det_in2out_node) = {
- .function = snat_det_in2out_node_fn,
- .name = "nat44-det-in2out",
- .vector_size = sizeof (u32),
- .format_trace = format_snat_in2out_trace,
- .type = VLIB_NODE_TYPE_INTERNAL,
-
- .n_errors = ARRAY_LEN(snat_in2out_error_strings),
- .error_strings = snat_in2out_error_strings,
-
- .runtime_data_bytes = sizeof (snat_runtime_t),
-
- .n_next_nodes = 3,
-
- /* edit / add dispositions here */
- .next_nodes = {
- [SNAT_IN2OUT_NEXT_DROP] = "error-drop",
- [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup",
- [SNAT_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error",
- },
-};
-
-VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn);
-
-/**
- * Get address and port values to be used for ICMP packet translation
- * and create session if needed
- *
- * @param[in,out] sm NAT main
- * @param[in,out] node NAT node runtime
- * @param[in] thread_index thread index
- * @param[in,out] b0 buffer containing packet to be translated
- * @param[out] p_proto protocol used for matching
- * @param[out] p_value address and port after NAT translation
- * @param[out] p_dont_translate if packet should not be translated
- * @param d optional parameter
- * @param e optional parameter
- */
-u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node,
- u32 thread_index, vlib_buffer_t *b0,
- ip4_header_t *ip0, u8 *p_proto,
- snat_session_key_t *p_value,
- u8 *p_dont_translate, void *d, void *e)
-{
- icmp46_header_t *icmp0;
- u32 sw_if_index0;
- u32 rx_fib_index0;
- u8 protocol;
- snat_det_out_key_t key0;
- u8 dont_translate = 0;
- u32 next0 = ~0;
- icmp_echo_header_t *echo0, *inner_echo0 = 0;
- ip4_header_t *inner_ip0;
- void *l4_header = 0;
- icmp46_header_t *inner_icmp0;
- snat_det_map_t * dm0 = 0;
- ip4_address_t new_addr0;
- u16 lo_port0, i0;
- snat_det_session_t * ses0 = 0;
- ip4_address_t in_addr;
- u16 in_port;
-
- icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
- echo0 = (icmp_echo_header_t *)(icmp0+1);
- sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
- rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
-
- if (!icmp_is_error_message (icmp0))
- {
- protocol = SNAT_PROTOCOL_ICMP;
- in_addr = ip0->src_address;
- in_port = echo0->identifier;
- }
- else
- {
- inner_ip0 = (ip4_header_t *)(echo0+1);
- l4_header = ip4_next_header (inner_ip0);
- protocol = ip_proto_to_snat_proto (inner_ip0->protocol);
- in_addr = inner_ip0->dst_address;
- switch (protocol)
- {
- case SNAT_PROTOCOL_ICMP:
- inner_icmp0 = (icmp46_header_t*)l4_header;
- inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1);
- in_port = inner_echo0->identifier;
- break;
- case SNAT_PROTOCOL_UDP:
- case SNAT_PROTOCOL_TCP:
- in_port = ((tcp_udp_header_t*)l4_header)->dst_port;
- break;
- default:
- b0->error = node->errors[SNAT_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL];
- next0 = SNAT_IN2OUT_NEXT_DROP;
- goto out;
- }
- }
-
- dm0 = snat_det_map_by_user(sm, &in_addr);
- if (PREDICT_FALSE(!dm0))
- {
- nat_log_info ("no match for internal host %U",
- format_ip4_address, &in_addr);
- if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
- IP_PROTOCOL_ICMP, rx_fib_index0)))
- {
- dont_translate = 1;
- goto out;
- }
- next0 = SNAT_IN2OUT_NEXT_DROP;
- b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
- goto out;
- }
-
- snat_det_forward(dm0, &in_addr, &new_addr0, &lo_port0);
-
- key0.ext_host_addr = ip0->dst_address;
- key0.ext_host_port = 0;
-
- ses0 = snat_det_find_ses_by_in(dm0, &in_addr, in_port, key0);
- if (PREDICT_FALSE(!ses0))
- {
- if (PREDICT_FALSE(snat_not_translate_fast(sm, node, sw_if_index0, ip0,
- IP_PROTOCOL_ICMP, rx_fib_index0)))
- {
-
dont_translate = 1; - goto out; - } - if (icmp0->type != ICMP4_echo_request) - { - b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; - next0 = SNAT_IN2OUT_NEXT_DROP; - goto out; - } - for (i0 = 0; i0 < dm0->ports_per_host; i0++) - { - key0.out_port = clib_host_to_net_u16 (lo_port0 + - ((i0 + clib_net_to_host_u16 (echo0->identifier)) % dm0->ports_per_host)); - - if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64)) - continue; - - ses0 = snat_det_ses_create(dm0, &in_addr, echo0->identifier, &key0); - break; - } - if (PREDICT_FALSE(!ses0)) - { - next0 = SNAT_IN2OUT_NEXT_DROP; - b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS]; - goto out; - } - } - - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_request && - !icmp_is_error_message (icmp0))) - { - b0->error = node->errors[SNAT_IN2OUT_ERROR_BAD_ICMP_TYPE]; - next0 = SNAT_IN2OUT_NEXT_DROP; - goto out; - } - - u32 now = (u32) vlib_time_now (sm->vlib_main); - - ses0->state = SNAT_SESSION_ICMP_ACTIVE; - ses0->expire = now + sm->icmp_timeout; - -out: - *p_proto = protocol; - if (ses0) - { - p_value->addr = new_addr0; - p_value->fib_index = sm->outside_fib_index; - p_value->port = ses0->out.out_port; - } - *p_dont_translate = dont_translate; - if (d) - *(snat_det_session_t**)d = ses0; - if (e) - *(snat_det_map_t**)e = dm0; - return next0; -} - -/**********************/ -/*** worker handoff ***/ -/**********************/ -static inline uword -snat_in2out_worker_handoff_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, - u8 is_output) -{ - snat_main_t *sm = &snat_main; - vlib_thread_main_t *tm = vlib_get_thread_main (); - u32 n_left_from, *from, *to_next = 0, *to_next_drop = 0; - static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index; - static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index - = 0; - vlib_frame_queue_elt_t *hf = 0; - vlib_frame_queue_t *fq; - vlib_frame_t *f = 0; - int i; - u32 n_left_to_next_worker = 0, 
*to_next_worker = 0; - u32 next_worker_index = 0; - u32 current_worker_index = ~0; - u32 thread_index = vm->thread_index; - u32 fq_index; - u32 to_node_index; - vlib_frame_t *d = 0; - - ASSERT (vec_len (sm->workers)); - - if (is_output) - { - fq_index = sm->fq_in2out_output_index; - to_node_index = sm->in2out_output_node_index; - } - else - { - fq_index = sm->fq_in2out_index; - to_node_index = sm->in2out_node_index; - } - - if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0)) - { - vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1); - - vec_validate_init_empty (congested_handoff_queue_by_worker_index, - tm->n_vlib_mains - 1, - (vlib_frame_queue_t *) (~0)); - } - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - - while (n_left_from > 0) - { - u32 bi0; - vlib_buffer_t *b0; - u32 sw_if_index0; - u32 rx_fib_index0; - ip4_header_t * ip0; - u8 do_handoff; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - b0 = vlib_get_buffer (vm, bi0); - - sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0); - - ip0 = vlib_buffer_get_current (b0); - - next_worker_index = sm->worker_in2out_cb(ip0, rx_fib_index0); - - if (PREDICT_FALSE (next_worker_index != thread_index)) - { - do_handoff = 1; - - if (next_worker_index != current_worker_index) - { - fq = is_vlib_frame_queue_congested ( - fq_index, next_worker_index, NAT_FQ_NELTS - 2, - congested_handoff_queue_by_worker_index); - - if (fq) - { - /* if this is 1st frame */ - if (!d) - { - d = vlib_get_frame_to_node (vm, sm->error_node_index); - to_next_drop = vlib_frame_vector_args (d); - } - - to_next_drop[0] = bi0; - to_next_drop += 1; - d->n_vectors++; - b0->error = node->errors[SNAT_IN2OUT_ERROR_FQ_CONGESTED]; - goto trace0; - } - - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; - - hf = vlib_get_worker_handoff_queue_elt (fq_index, - next_worker_index, - 
handoff_queue_elt_by_worker_index); - - n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors; - to_next_worker = &hf->buffer_index[hf->n_vectors]; - current_worker_index = next_worker_index; - } - - /* enqueue to correct worker thread */ - to_next_worker[0] = bi0; - to_next_worker++; - n_left_to_next_worker--; - - if (n_left_to_next_worker == 0) - { - hf->n_vectors = VLIB_FRAME_SIZE; - vlib_put_frame_queue_elt (hf); - current_worker_index = ~0; - handoff_queue_elt_by_worker_index[next_worker_index] = 0; - hf = 0; - } - } - else - { - do_handoff = 0; - /* if this is 1st frame */ - if (!f) - { - f = vlib_get_frame_to_node (vm, to_node_index); - to_next = vlib_frame_vector_args (f); - } - - to_next[0] = bi0; - to_next += 1; - f->n_vectors++; - } - -trace0: - if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_in2out_worker_handoff_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->next_worker_index = next_worker_index; - t->do_handoff = do_handoff; - } - } - - if (f) - vlib_put_frame_to_node (vm, to_node_index, f); - - if (d) - vlib_put_frame_to_node (vm, sm->error_node_index, d); - - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; - - /* Ship frames to the worker nodes */ - for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++) - { - if (handoff_queue_elt_by_worker_index[i]) - { - hf = handoff_queue_elt_by_worker_index[i]; - /* - * It works better to let the handoff node - * rate-adapt, always ship the handoff queue element. 
- */ - if (1 || hf->n_vectors == hf->last_n_vectors) - { - vlib_put_frame_queue_elt (hf); - handoff_queue_elt_by_worker_index[i] = 0; - } - else - hf->last_n_vectors = hf->n_vectors; - } - congested_handoff_queue_by_worker_index[i] = - (vlib_frame_queue_t *) (~0); - } - hf = 0; - current_worker_index = ~0; - return frame->n_vectors; -} - -static uword -snat_in2out_worker_handoff_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 0); -} - -VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = { - .function = snat_in2out_worker_handoff_fn, - .name = "nat44-in2out-worker-handoff", - .vector_size = sizeof (u32), - .format_trace = format_snat_in2out_worker_handoff_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(snat_in2out_error_strings), - .error_strings = snat_in2out_error_strings, - - .n_next_nodes = 1, - - .next_nodes = { - [0] = "error-drop", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node, - snat_in2out_worker_handoff_fn); - -static uword -snat_in2out_output_worker_handoff_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return snat_in2out_worker_handoff_fn_inline (vm, node, frame, 1); -} - -VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = { - .function = snat_in2out_output_worker_handoff_fn, - .name = "nat44-in2out-output-worker-handoff", - .vector_size = sizeof (u32), - .format_trace = format_snat_in2out_worker_handoff_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_next_nodes = 1, - - .next_nodes = { - [0] = "error-drop", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node, - snat_in2out_output_worker_handoff_fn); - -static_always_inline int -is_hairpinning (snat_main_t *sm, ip4_address_t * dst_addr) -{ - snat_address_t * ap; - clib_bihash_kv_8_8_t kv, value; - snat_session_key_t m_key; - - vec_foreach (ap, sm->addresses) - { - if (ap->addr.as_u32 == 
dst_addr->as_u32) - return 1; - } - - m_key.addr.as_u32 = dst_addr->as_u32; - m_key.fib_index = 0; - m_key.port = 0; - m_key.protocol = 0; - kv.key = m_key.as_u64; - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - return 1; - - return 0; -} - -static inline uword -snat_hairpin_dst_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, - int is_ed) -{ - u32 n_left_from, * from, * to_next, stats_node_index; - snat_in2out_next_t next_index; - u32 pkts_processed = 0; - snat_main_t * sm = &snat_main; - - stats_node_index = is_ed ? nat44_ed_hairpin_dst_node.index : - snat_hairpin_dst_node.index; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - vlib_buffer_t * b0; - u32 next0; - ip4_header_t * ip0; - u32 proto0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - next0 = SNAT_IN2OUT_NEXT_LOOKUP; - ip0 = vlib_buffer_get_current (b0); - - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - vnet_buffer (b0)->snat.flags = 0; - if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address))) - { - if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP) - { - udp_header_t * udp0 = ip4_next_header (ip0); - tcp_header_t * tcp0 = (tcp_header_t *) udp0; - - snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, is_ed); - } - else if (proto0 == SNAT_PROTOCOL_ICMP) - { - icmp46_header_t * icmp0 = ip4_next_header (ip0); - - snat_icmp_hairpinning (sm, b0, ip0, icmp0, is_ed); - } - else - { - if (is_ed) - nat44_ed_hairpinning_unknown_proto (sm, b0, ip0); - else - nat_hairpinning_sm_unknown_proto (sm, b0, ip0); - } - - 
vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING; - } - - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, stats_node_index, - SNAT_IN2OUT_ERROR_IN2OUT_PACKETS, - pkts_processed); - return frame->n_vectors; -} - -static uword -snat_hairpin_dst_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return snat_hairpin_dst_fn_inline (vm, node, frame, 0); -} - -VLIB_REGISTER_NODE (snat_hairpin_dst_node) = { - .function = snat_hairpin_dst_fn, - .name = "nat44-hairpin-dst", - .vector_size = sizeof (u32), - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(snat_in2out_error_strings), - .error_strings = snat_in2out_error_strings, - .n_next_nodes = 2, - .next_nodes = { - [SNAT_IN2OUT_NEXT_DROP] = "error-drop", - [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node, - snat_hairpin_dst_fn); - -static uword -nat44_ed_hairpin_dst_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return snat_hairpin_dst_fn_inline (vm, node, frame, 1); -} - -VLIB_REGISTER_NODE (nat44_ed_hairpin_dst_node) = { - .function = nat44_ed_hairpin_dst_fn, - .name = "nat44-ed-hairpin-dst", - .vector_size = sizeof (u32), - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(snat_in2out_error_strings), - .error_strings = snat_in2out_error_strings, - .n_next_nodes = 2, - .next_nodes = { - [SNAT_IN2OUT_NEXT_DROP] = "error-drop", - [SNAT_IN2OUT_NEXT_LOOKUP] = "ip4-lookup", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpin_dst_node, - nat44_ed_hairpin_dst_fn); - -static inline uword -snat_hairpin_src_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, - int is_ed) -{ - u32 
n_left_from, * from, * to_next, stats_node_index; + u32 n_left_from, *from, *to_next; snat_in2out_next_t next_index; u32 pkts_processed = 0; snat_main_t *sm = &snat_main; - - stats_node_index = is_ed ? nat44_ed_hairpin_src_node.index : - snat_hairpin_src_node.index; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - vlib_buffer_t * b0; - u32 next0; - snat_interface_t *i; - u32 sw_if_index0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT; - - pool_foreach (i, sm->output_feature_interfaces, - ({ - /* Only packets from NAT inside interface */ - if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index)) - { - if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) & - SNAT_FLAG_HAIRPINNING)) - { - if (PREDICT_TRUE (sm->num_workers > 1)) - next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH; - else - next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT; - } - break; - } - })); - - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, stats_node_index, - SNAT_IN2OUT_ERROR_IN2OUT_PACKETS, - pkts_processed); - return frame->n_vectors; -} - -static uword -snat_hairpin_src_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return snat_hairpin_src_fn_inline (vm, node, frame, 
0); -} - -VLIB_REGISTER_NODE (snat_hairpin_src_node) = { - .function = snat_hairpin_src_fn, - .name = "nat44-hairpin-src", - .vector_size = sizeof (u32), - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(snat_in2out_error_strings), - .error_strings = snat_in2out_error_strings, - .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT, - .next_nodes = { - [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop", - [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output", - [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output", - [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node, - snat_hairpin_src_fn); - -static uword -nat44_ed_hairpin_src_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return snat_hairpin_src_fn_inline (vm, node, frame, 1); -} - -VLIB_REGISTER_NODE (nat44_ed_hairpin_src_node) = { - .function = nat44_ed_hairpin_src_fn, - .name = "nat44-ed-hairpin-src", - .vector_size = sizeof (u32), - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(snat_in2out_error_strings), - .error_strings = snat_in2out_error_strings, - .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT, - .next_nodes = { - [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop", - [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-ed-in2out-output", - [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output", - [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpin_src_node, - nat44_ed_hairpin_src_fn); - -static uword -snat_in2out_fast_static_map_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - u32 n_left_from, * from, * to_next; - snat_in2out_next_t next_index; - u32 pkts_processed = 0; - snat_main_t * sm = &snat_main; u32 stats_node_index; stats_node_index = snat_in2out_fast_node.index; 
@@ -5773,27 +1903,26 @@ snat_in2out_fast_static_map_fn (vlib_main_t * vm, { u32 n_left_to_next; - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); while (n_left_from > 0 && n_left_to_next > 0) { - u32 bi0; - vlib_buffer_t * b0; - u32 next0; - u32 sw_if_index0; - ip4_header_t * ip0; - ip_csum_t sum0; - u32 new_addr0, old_addr0; - u16 old_port0, new_port0; - udp_header_t * udp0; - tcp_header_t * tcp0; - icmp46_header_t * icmp0; - snat_session_key_t key0, sm0; - u32 proto0; - u32 rx_fib_index0; - - /* speculatively enqueue b0 to the current next frame */ + u32 bi0; + vlib_buffer_t *b0; + u32 next0; + u32 sw_if_index0; + ip4_header_t *ip0; + ip_csum_t sum0; + u32 new_addr0, old_addr0; + u16 old_port0, new_port0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + snat_session_key_t key0, sm0; + u32 proto0; + u32 rx_fib_index0; + + /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; to_next[0] = bi0; from += 1; 
@@ -5802,115 +1931,116 @@ snat_in2out_fast_static_map_fn (vlib_main_t * vm, n_left_to_next -= 1; b0 = vlib_get_buffer (vm, bi0); - next0 = SNAT_IN2OUT_NEXT_LOOKUP; + next0 = SNAT_IN2OUT_NEXT_LOOKUP; - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0); + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR; - goto trace0; - } + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = SNAT_IN2OUT_NEXT_ICMP_ERROR; + goto trace0; + } - proto0 = ip_proto_to_snat_proto (ip0->protocol); + proto0 = ip_proto_to_snat_proto (ip0->protocol); - if (PREDICT_FALSE (proto0 == ~0)) - goto trace0; + if (PREDICT_FALSE (proto0 == ~0)) + goto trace0; - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_in2out(sm, b0, ip0, icmp0, sw_if_index0, - rx_fib_index0, node, next0, ~0, 0, 0); - goto trace0; - } + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, + rx_fib_index0, node, next0, ~0, 0, 0); + goto trace0; + } - key0.addr = ip0->src_address; - key0.protocol = proto0; - key0.port = udp0->src_port; - key0.fib_index = rx_fib_index0; + key0.addr = ip0->src_address; + key0.protocol = proto0; + 
key0.port = udp0->src_port; + key0.fib_index = rx_fib_index0; - if (snat_static_mapping_match(sm, key0, &sm0, 0, 0, 0, 0, 0)) - { - b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION]; - next0= SNAT_IN2OUT_NEXT_DROP; - goto trace0; - } + if (snat_static_mapping_match (sm, key0, &sm0, 0, 0, 0, 0, 0)) + { + b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION]; + next0 = SNAT_IN2OUT_NEXT_DROP; + goto trace0; + } - new_addr0 = sm0.addr.as_u32; - new_port0 = sm0.port; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index; - old_addr0 = ip0->src_address.as_u32; - ip0->src_address.as_u32 = new_addr0; + new_addr0 = sm0.addr.as_u32; + new_port0 = sm0.port; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index; + old_addr0 = ip0->src_address.as_u32; + ip0->src_address.as_u32 = new_addr0; - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - src_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + src_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); - if (PREDICT_FALSE(new_port0 != udp0->dst_port)) - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->src_port; - tcp0->src_port = new_port0; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - mss_clamping (sm, tcp0, &sum0); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->src_port; - udp0->src_port = new_port0; - udp0->checksum = 0; - } - } - else - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - mss_clamping (sm, tcp0, &sum0); - tcp0->checksum = 
ip_csum_fold(sum0); - } - } + if (PREDICT_FALSE (new_port0 != udp0->dst_port)) + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->src_port; + tcp0->src_port = new_port0; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->src_port; + udp0->src_port = new_port0; + udp0->checksum = 0; + } + } + else + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + } + } - /* Hairpinning */ - snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, 0); + /* Hairpinning */ + snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, 0); - trace0: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_in2out_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = sw_if_index0; - t->next_index = next0; - } + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_in2out_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + } - pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; + pkts_processed += next0 != SNAT_IN2OUT_NEXT_DROP; - /* verify speculative enqueue, maybe switch current next frame */ + /* verify speculative enqueue, maybe switch current next frame */ vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, next0); 
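Review bot: The port-rewrite decision in the new code still keys off the wrong field: `if (PREDICT_FALSE (new_port0 != udp0->dst_port))` compares the translated source port with the packet's destination port, so whether the source port is rewritten depends on an unrelated value, and when new_port0 happens to equal the destination port the source port is left untranslated while the source address is still rewritten. Unless the comparison is intentional (nothing in the hunk explains it), it should read `if (PREDICT_FALSE (new_port0 != udp0->src_port))`, which also makes the else branch (address-only checksum update) mean what the code shape implies. The refactoring carries this over verbatim from the removed lines, so it is pre-existing rather than introduced here, but it is worth fixing while the function is being touched. snat_in2out_fast_static_map_fn starts and ends outside this hunk.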
@@ -5920,12 +2050,13 @@ snat_in2out_fast_static_map_fn (vlib_main_t * vm,
 } vlib_node_increment_counter (vm, stats_node_index,
- SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
- pkts_processed);
+ SNAT_IN2OUT_ERROR_IN2OUT_PACKETS,
+ pkts_processed);
 return frame->n_vectors; }
+/* *INDENT-OFF* */
 VLIB_REGISTER_NODE (snat_in2out_fast_node) = { .function = snat_in2out_fast_static_map_fn, .name = "nat44-in2out-fast",
@@ -5949,5 +2080,15 @@ VLIB_REGISTER_NODE (snat_in2out_fast_node) = {
 [SNAT_IN2OUT_NEXT_REASS] = "nat44-in2out-reass", }, };
+/* *INDENT-ON* */
-VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node, snat_in2out_fast_static_map_fn);
+VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_fast_node,
+ snat_in2out_fast_static_map_fn);
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/nat/in2out_ed.c b/src/plugins/nat/in2out_ed.c
new file mode 100644
index 00000000000..d4f70f5a12b
--- /dev/null
+++ b/src/plugins/nat/in2out_ed.c
@@ -0,0 +1,2067 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * @file
+ * @brief NAT44 endpoint-dependent inside to outside network translation
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define foreach_nat_in2out_ed_error \
+_(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
+_(IN2OUT_PACKETS, "Good in2out packets processed") \
+_(OUT_OF_PORTS, "Out of ports") \
+_(BAD_ICMP_TYPE, "unsupported ICMP type") \
+_(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
+_(DROP_FRAGMENT, "Drop fragment") \
+_(MAX_REASS, "Maximum reassemblies exceeded") \
+_(MAX_FRAG, "Maximum fragments per reassembly exceeded")
+
+typedef enum
+{
+#define _(sym,str) NAT_IN2OUT_ED_ERROR_##sym,
+  foreach_nat_in2out_ed_error
+#undef _
+    NAT_IN2OUT_ED_N_ERROR,
+} nat_in2out_ed_error_t;
+
+static char *nat_in2out_ed_error_strings[] = {
+#define _(sym,string) string,
+  foreach_nat_in2out_ed_error
+#undef _
+};
+
+typedef enum
+{
+  NAT_IN2OUT_ED_NEXT_LOOKUP,
+  NAT_IN2OUT_ED_NEXT_DROP,
+  NAT_IN2OUT_ED_NEXT_ICMP_ERROR,
+  NAT_IN2OUT_ED_NEXT_SLOW_PATH,
+  NAT_IN2OUT_ED_NEXT_REASS,
+  NAT_IN2OUT_ED_N_NEXT,
+} nat_in2out_ed_next_t;
+
+typedef struct
+{
+  u32 sw_if_index;
+  u32 next_index;
+  u32 session_index;
+  u32 is_slow_path;
+} nat_in2out_ed_trace_t;
+
+vlib_node_registration_t nat44_ed_in2out_node;
+vlib_node_registration_t nat44_ed_in2out_slowpath_node;
+vlib_node_registration_t nat44_ed_in2out_output_node;
+vlib_node_registration_t nat44_ed_in2out_output_slowpath_node;
+vlib_node_registration_t nat44_ed_in2out_reass_node;
+
+static u8 *
+format_nat_in2out_ed_trace (u8 * s, va_list * args)
+{
+  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
+  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
+  nat_in2out_ed_trace_t *t = va_arg (*args, nat_in2out_ed_trace_t *);
+  char *tag;
+
+  tag =
+    t->is_slow_path ? "NAT44_IN2OUT_ED_SLOW_PATH" :
+    "NAT44_IN2OUT_ED_FAST_PATH";
+
+  s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag,
+	      t->sw_if_index, t->next_index, t->session_index);
+
+  return s;
+}
+
+static_always_inline int
+icmp_get_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0)
+{
+  icmp46_header_t *icmp0;
+  nat_ed_ses_key_t key0;
+  icmp_echo_header_t *echo0, *inner_echo0 = 0;
+  ip4_header_t *inner_ip0 = 0;
+  void *l4_header = 0;
+  icmp46_header_t *inner_icmp0;
+
+  icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
+  echo0 = (icmp_echo_header_t *) (icmp0 + 1);
+
+  if (!icmp_is_error_message (icmp0))
+    {
+      key0.proto = IP_PROTOCOL_ICMP;
+      key0.l_addr = ip0->src_address;
+      key0.r_addr = ip0->dst_address;
+      key0.l_port = echo0->identifier;
+      key0.r_port = 0;
+    }
+  else
+    {
+      inner_ip0 = (ip4_header_t *) (echo0 + 1);
+      l4_header = ip4_next_header (inner_ip0);
+      key0.proto = inner_ip0->protocol;
+      key0.r_addr = inner_ip0->src_address;
+      key0.l_addr = inner_ip0->dst_address;
+      switch (ip_proto_to_snat_proto (inner_ip0->protocol))
+	{
+	case SNAT_PROTOCOL_ICMP:
+	  inner_icmp0 = (icmp46_header_t *) l4_header;
+	  inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
+	  key0.r_port = 0;
+	  key0.l_port = inner_echo0->identifier;
+	  break;
+	case SNAT_PROTOCOL_UDP:
+	case SNAT_PROTOCOL_TCP:
+	  key0.l_port = ((tcp_udp_header_t *) l4_header)->dst_port;
+	  key0.r_port = ((tcp_udp_header_t *) l4_header)->src_port;
+	  break;
+	default:
+	  return 
NAT_IN2OUT_ED_ERROR_UNSUPPORTED_PROTOCOL; + } + } + *p_key0 = key0; + return 0; +} + +int +nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg) +{ + snat_main_t *sm = &snat_main; + nat44_is_idle_session_ctx_t *ctx = arg; + snat_session_t *s; + u64 sess_timeout_time; + nat_ed_ses_key_t ed_key; + clib_bihash_kv_16_8_t ed_kv; + int i; + snat_address_t *a; + snat_session_key_t key; + snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, + ctx->thread_index); + + s = pool_elt_at_index (tsm->sessions, kv->value); + sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s); + if (ctx->now >= sess_timeout_time) + { + if (is_fwd_bypass_session (s)) + goto delete; + + ed_key.l_addr = s->out2in.addr; + ed_key.r_addr = s->ext_host_addr; + ed_key.fib_index = s->out2in.fib_index; + if (snat_is_unk_proto_session (s)) + { + ed_key.proto = s->in2out.port; + ed_key.r_port = 0; + ed_key.l_port = 0; + } + else + { + ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol); + ed_key.l_port = s->out2in.port; + ed_key.r_port = s->ext_host_port; + } + ed_kv.key[0] = ed_key.as_u64[0]; + ed_kv.key[1] = ed_key.as_u64[1]; + if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0)) + nat_log_warn ("out2in_ed key del failed"); + + if (snat_is_unk_proto_session (s)) + goto delete; + + snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, + s->in2out.fib_index); + + if (is_twice_nat_session (s)) + { + for (i = 0; i < vec_len (sm->twice_nat_addresses); i++) + { + key.protocol = s->in2out.protocol; + key.port = s->ext_host_nat_port; + a = sm->twice_nat_addresses + i; + if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32) + { + snat_free_outside_address_and_port (sm->twice_nat_addresses, + ctx->thread_index, + &key); + break; + } + } + } + + if (snat_is_session_static (s)) + goto delete; + + snat_free_outside_address_and_port (sm->addresses, 
ctx->thread_index, + &s->out2in); + delete: + nat44_delete_session (sm, s, ctx->thread_index); + return 1; + } + + return 0; +} + +static inline u32 +icmp_in2out_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0, + ip4_header_t * ip0, icmp46_header_t * icmp0, + u32 sw_if_index0, u32 rx_fib_index0, + vlib_node_runtime_t * node, u32 next0, f64 now, + u32 thread_index, snat_session_t ** p_s0) +{ + next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, thread_index, p_s0, 0); + snat_session_t *s0 = *p_s0; + if (PREDICT_TRUE (next0 != NAT_IN2OUT_ED_NEXT_DROP && s0)) + { + /* Hairpinning */ + if (vnet_buffer (b0)->sw_if_index[VLIB_TX] == ~0) + snat_icmp_hairpinning (sm, b0, ip0, icmp0, sm->endpoint_dependent); + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain + (sm->vlib_main, b0)); + } + return next0; +} + +static u32 +slow_path_ed (snat_main_t * sm, + vlib_buffer_t * b, + u32 rx_fib_index, + clib_bihash_kv_16_8_t * kv, + snat_session_t ** sessionp, + vlib_node_runtime_t * node, u32 next, u32 thread_index, f64 now) +{ + snat_session_t *s; + snat_user_t *u; + snat_session_key_t key0, key1; + lb_nat_type_t lb = 0, is_sm = 0; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + nat_ed_ses_key_t *key = (nat_ed_ses_key_t *) kv->key; + u32 proto = ip_proto_to_snat_proto (key->proto); + nat_outside_fib_t *outside_fib; + fib_node_index_t fei = FIB_NODE_INDEX_INVALID; + fib_prefix_t pfx = { + .fp_proto = FIB_PROTOCOL_IP4, + .fp_len = 32, + .fp_addr = { + .ip4.as_u32 = key->r_addr.as_u32, + }, + }; + nat44_is_idle_session_ctx_t ctx; + + if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index))) + { + b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED]; + nat_ipfix_logging_max_sessions (sm->max_translations); + nat_log_notice ("maximum sessions exceeded"); + return NAT_IN2OUT_ED_NEXT_DROP; + } + + key0.addr = key->l_addr; + key0.port = key->l_port; + key1.protocol = 
key0.protocol = proto; + key0.fib_index = rx_fib_index; + key1.fib_index = sm->outside_fib_index; + /* First try to match static mapping by local address and port */ + if (snat_static_mapping_match (sm, key0, &key1, 0, 0, 0, &lb, 0)) + { + /* Try to create dynamic translation */ + if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index, + thread_index, &key1, + sm->port_per_thread, + tsm->snat_thread_index)) + { + nat_log_notice ("addresses exhausted"); + b->error = node->errors[NAT_IN2OUT_ED_ERROR_OUT_OF_PORTS]; + return NAT_IN2OUT_ED_NEXT_DROP; + } + } + else + is_sm = 1; + + u = nat_user_get_or_create (sm, &key->l_addr, rx_fib_index, thread_index); + if (!u) + { + nat_log_warn ("create NAT user failed"); + if (!is_sm) + snat_free_outside_address_and_port (sm->addresses, + thread_index, &key1); + return NAT_IN2OUT_ED_NEXT_DROP; + } + + s = nat_ed_session_alloc (sm, u, thread_index); + if (!s) + { + nat44_delete_user_with_no_session (sm, u, thread_index); + nat_log_warn ("create NAT session failed"); + if (!is_sm) + snat_free_outside_address_and_port (sm->addresses, + thread_index, &key1); + return NAT_IN2OUT_ED_NEXT_DROP; + } + + user_session_increment (sm, u, is_sm); + if (is_sm) + s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; + if (lb) + s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING; + s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; + s->ext_host_addr = key->r_addr; + s->ext_host_port = key->r_port; + s->in2out = key0; + s->out2in = key1; + s->out2in.protocol = key0.protocol; + + switch (vec_len (sm->outside_fibs)) + { + case 0: + s->out2in.fib_index = sm->outside_fib_index; + break; + case 1: + s->out2in.fib_index = sm->outside_fibs[0].fib_index; + break; + default: + /* *INDENT-OFF* */ + vec_foreach (outside_fib, sm->outside_fibs) + { + fei = fib_table_lookup (outside_fib->fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID != fei) + { + if (fib_entry_get_resolving_interface (fei) != ~0) + { + s->out2in.fib_index = outside_fib->fib_index; + break; + 
} + } + } + /* *INDENT-ON* */ + break; + } + + /* Add to lookup tables */ + kv->value = s - tsm->sessions; + ctx.now = now; + ctx.thread_index = thread_index; + if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, kv, + nat44_i2o_ed_is_idle_session_cb, + &ctx)) + nat_log_notice ("in2out-ed key add failed"); + + make_ed_kv (kv, &key1.addr, &key->r_addr, key->proto, s->out2in.fib_index, + key1.port, key->r_port); + kv->value = s - tsm->sessions; + if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, kv, + nat44_o2i_ed_is_idle_session_cb, + &ctx)) + nat_log_notice ("out2in-ed key add failed"); + + *sessionp = s; + + /* log NAT event */ + snat_ipfix_logging_nat44_ses_create (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, s->in2out.fib_index); + return next; +} + +static_always_inline int +nat44_ed_not_translate (snat_main_t * sm, vlib_node_runtime_t * node, + u32 sw_if_index, ip4_header_t * ip, u32 proto, + u32 rx_fib_index, u32 thread_index) +{ + udp_header_t *udp = ip4_next_header (ip); + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + clib_bihash_kv_16_8_t kv, value; + snat_session_key_t key0, key1; + + make_ed_kv (&kv, &ip->dst_address, &ip->src_address, ip->protocol, + sm->outside_fib_index, udp->dst_port, udp->src_port); + + /* NAT packet aimed at external address if */ + /* has active sessions */ + if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value)) + { + key0.addr = ip->dst_address; + key0.port = udp->dst_port; + key0.protocol = proto; + key0.fib_index = sm->outside_fib_index; + /* or is static mappings */ + if (!snat_static_mapping_match (sm, key0, &key1, 1, 0, 0, 0, 0)) + return 0; + } + else + return 0; + + if (sm->forwarding_enabled) + return 1; + + return snat_not_translate_fast (sm, node, sw_if_index, ip, proto, + rx_fib_index); +} + +static_always_inline int +nat_not_translate_output_feature_fwd (snat_main_t * sm, ip4_header_t * ip, + u32 
thread_index, f64 now, + vlib_main_t * vm, vlib_buffer_t * b) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv, value; + udp_header_t *udp; + snat_session_t *s = 0; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + + if (!sm->forwarding_enabled) + return 0; + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + key.as_u64[0] = key.as_u64[1] = 0; + if (icmp_get_ed_key (ip, &key)) + return 0; + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header (ip); + make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0, + udp->src_port, udp->dst_port); + } + else + { + make_ed_kv (&kv, &ip->src_address, &ip->dst_address, ip->protocol, 0, 0, + 0); + } + + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) + { + s = pool_elt_at_index (tsm->sessions, value.value); + if (is_fwd_bypass_session (s)) + { + if (ip->protocol == IP_PROTOCOL_TCP) + { + tcp_header_t *tcp = ip4_next_header (ip); + if (nat44_set_tcp_session_state_i2o (sm, s, tcp, thread_index)) + return 1; + } + /* Accounting */ + nat44_session_update_counters (s, now, + vlib_buffer_length_in_chain (vm, b)); + return 1; + } + else + return 0; + } + + return 0; +} + +static_always_inline int +nat44_ed_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip, + u8 proto, u16 src_port, u16 dst_port, + u32 thread_index, u32 rx_sw_if_index, + u32 tx_sw_if_index) +{ + clib_bihash_kv_16_8_t kv, value; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + snat_interface_t *i; + snat_session_t *s; + u32 rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (rx_sw_if_index); + u32 tx_fib_index = ip4_fib_table_get_index_for_sw_if_index (tx_sw_if_index); + + /* src NAT check */ + make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, tx_fib_index, + src_port, dst_port); + if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, 
&value)) + return 1; + + /* dst NAT check */ + make_ed_kv (&kv, &ip->dst_address, &ip->src_address, proto, rx_fib_index, + dst_port, src_port); + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) + { + s = pool_elt_at_index (tsm->sessions, value.value); + if (is_fwd_bypass_session (s)) + return 0; + + /* hairpinning */ + /* *INDENT-OFF* */ + pool_foreach (i, sm->output_feature_interfaces, + ({ + if ((nat_interface_is_inside (i)) && (rx_sw_if_index == i->sw_if_index)) + return 0; + })); + /* *INDENT-ON* */ + return 1; + } + + return 0; +} + +u32 +icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip, + u8 * p_proto, snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) +{ + icmp46_header_t *icmp; + u32 sw_if_index; + u32 rx_fib_index; + nat_ed_ses_key_t key; + snat_session_t *s = 0; + u8 dont_translate = 0; + clib_bihash_kv_16_8_t kv, value; + u32 next = ~0; + int err; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + + icmp = (icmp46_header_t *) ip4_next_header (ip); + sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX]; + rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index); + + key.as_u64[0] = key.as_u64[1] = 0; + err = icmp_get_ed_key (ip, &key); + if (err != 0) + { + b->error = node->errors[err]; + next = NAT_IN2OUT_ED_NEXT_DROP; + goto out; + } + key.fib_index = rx_fib_index; + + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + + if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) + { + if (vnet_buffer (b)->sw_if_index[VLIB_TX] != ~0) + { + if (PREDICT_FALSE (nat44_ed_not_translate_output_feature (sm, ip, + key.proto, + key. + l_port, + key. 
+ r_port, + thread_index, + sw_if_index, + vnet_buffer + (b)-> + sw_if_index + [VLIB_TX]))) + { + dont_translate = 1; + goto out; + } + } + else + { + if (PREDICT_FALSE (nat44_ed_not_translate (sm, node, sw_if_index, + ip, SNAT_PROTOCOL_ICMP, + rx_fib_index, + thread_index))) + { + dont_translate = 1; + goto out; + } + } + + if (PREDICT_FALSE (icmp_is_error_message (icmp))) + { + b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE]; + next = NAT_IN2OUT_ED_NEXT_DROP; + goto out; + } + + next = slow_path_ed (sm, b, rx_fib_index, &kv, &s, node, next, + thread_index, vlib_time_now (sm->vlib_main)); + + if (PREDICT_FALSE (next == NAT_IN2OUT_ED_NEXT_DROP)) + goto out; + } + else + { + if (PREDICT_FALSE (icmp->type != ICMP4_echo_request && + icmp->type != ICMP4_echo_reply && + !icmp_is_error_message (icmp))) + { + b->error = node->errors[NAT_IN2OUT_ED_ERROR_BAD_ICMP_TYPE]; + next = NAT_IN2OUT_ED_NEXT_DROP; + goto out; + } + + s = pool_elt_at_index (tsm->sessions, value.value); + } + + *p_proto = ip_proto_to_snat_proto (key.proto); +out: + if (s) + *p_value = s->out2in; + *p_dont_translate = dont_translate; + if (d) + *(snat_session_t **) d = s; + return next; +} + +static snat_session_t * +nat44_ed_in2out_unknown_proto (snat_main_t * sm, + vlib_buffer_t * b, + ip4_header_t * ip, + u32 rx_fib_index, + u32 thread_index, + f64 now, + vlib_main_t * vm, vlib_node_runtime_t * node) +{ + clib_bihash_kv_8_8_t kv, value; + clib_bihash_kv_16_8_t s_kv, s_value; + snat_static_mapping_t *m; + u32 old_addr, new_addr = 0; + ip_csum_t sum; + snat_user_t *u; + dlist_elt_t *head, *elt; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + u32 elt_index, head_index, ses_index; + snat_session_t *s; + u32 outside_fib_index = sm->outside_fib_index; + int i; + u8 is_sm = 0; + nat_outside_fib_t *outside_fib; + fib_node_index_t fei = FIB_NODE_INDEX_INVALID; + fib_prefix_t pfx = { + .fp_proto = FIB_PROTOCOL_IP4, + .fp_len = 32, + .fp_addr = { + .ip4.as_u32 = 
ip->dst_address.as_u32, + }, + }; + + switch (vec_len (sm->outside_fibs)) + { + case 0: + outside_fib_index = sm->outside_fib_index; + break; + case 1: + outside_fib_index = sm->outside_fibs[0].fib_index; + break; + default: + /* *INDENT-OFF* */ + vec_foreach (outside_fib, sm->outside_fibs) + { + fei = fib_table_lookup (outside_fib->fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID != fei) + { + if (fib_entry_get_resolving_interface (fei) != ~0) + { + outside_fib_index = outside_fib->fib_index; + break; + } + } + } + /* *INDENT-ON* */ + break; + } + old_addr = ip->src_address.as_u32; + + make_ed_kv (&s_kv, &ip->src_address, &ip->dst_address, ip->protocol, + rx_fib_index, 0, 0); + + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &s_kv, &s_value)) + { + s = pool_elt_at_index (tsm->sessions, s_value.value); + new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32; + } + else + { + if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index))) + { + b->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_SESSIONS_EXCEEDED]; + nat_ipfix_logging_max_sessions (sm->max_translations); + nat_log_notice ("maximum sessions exceeded"); + return 0; + } + + u = nat_user_get_or_create (sm, &ip->src_address, rx_fib_index, + thread_index); + if (!u) + { + nat_log_warn ("create NAT user failed"); + return 0; + } + + make_sm_kv (&kv, &ip->src_address, 0, rx_fib_index, 0); + + /* Try to find static mapping first */ + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + new_addr = ip->src_address.as_u32 = m->external_addr.as_u32; + is_sm = 1; + goto create_ses; + } + /* Fallback to 3-tuple key */ + else + { + /* Choose same out address as for TCP/UDP session to same destination */ + head_index = u->sessions_per_user_list_head_index; + head = pool_elt_at_index (tsm->list_pool, head_index); + elt_index = head->next; + if (PREDICT_FALSE (elt_index == ~0)) + ses_index = ~0; + else + { + elt = pool_elt_at_index 
(tsm->list_pool, elt_index); + ses_index = elt->value; + } + + while (ses_index != ~0) + { + s = pool_elt_at_index (tsm->sessions, ses_index); + elt_index = elt->next; + elt = pool_elt_at_index (tsm->list_pool, elt_index); + ses_index = elt->value; + + if (s->ext_host_addr.as_u32 == ip->dst_address.as_u32) + { + new_addr = ip->src_address.as_u32 = s->out2in.addr.as_u32; + + make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address, + ip->protocol, outside_fib_index, 0, 0); + if (clib_bihash_search_16_8 + (&tsm->out2in_ed, &s_kv, &s_value)) + goto create_ses; + + break; + } + } + + for (i = 0; i < vec_len (sm->addresses); i++) + { + make_ed_kv (&s_kv, &sm->addresses[i].addr, &ip->dst_address, + ip->protocol, outside_fib_index, 0, 0); + if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value)) + { + new_addr = ip->src_address.as_u32 = + sm->addresses[i].addr.as_u32; + goto create_ses; + } + } + return 0; + } + + create_ses: + s = nat_ed_session_alloc (sm, u, thread_index); + if (!s) + { + nat44_delete_user_with_no_session (sm, u, thread_index); + nat_log_warn ("create NAT session failed"); + return 0; + } + + s->ext_host_addr.as_u32 = ip->dst_address.as_u32; + s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO; + s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; + s->out2in.addr.as_u32 = new_addr; + s->out2in.fib_index = outside_fib_index; + s->in2out.addr.as_u32 = old_addr; + s->in2out.fib_index = rx_fib_index; + s->in2out.port = s->out2in.port = ip->protocol; + if (is_sm) + s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; + user_session_increment (sm, u, is_sm); + + /* Add to lookup tables */ + make_ed_kv (&s_kv, &s->in2out.addr, &ip->dst_address, ip->protocol, + rx_fib_index, 0, 0); + s_kv.value = s - tsm->sessions; + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1)) + nat_log_notice ("in2out key add failed"); + + make_ed_kv (&s_kv, &s->out2in.addr, &ip->dst_address, ip->protocol, + outside_fib_index, 0, 0); + s_kv.value = s - tsm->sessions; + if 
(clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1)) + nat_log_notice ("out2in key add failed"); + } + + /* Update IP checksum */ + sum = ip->checksum; + sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, src_address); + ip->checksum = ip_csum_fold (sum); + + /* Accounting */ + nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b)); + + /* Hairpinning */ + if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0) + nat44_ed_hairpinning_unknown_proto (sm, b, ip); + + if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0) + vnet_buffer (b)->sw_if_index[VLIB_TX] = outside_fib_index; + + return s; +} + +static inline uword +nat44_ed_in2out_node_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, int is_slow_path, + int is_output_feature) +{ + u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index; + nat_in2out_ed_next_t next_index; + snat_main_t *sm = &snat_main; + f64 now = vlib_time_now (vm); + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + + stats_node_index = is_slow_path ? 
nat44_ed_in2out_slowpath_node.index : + nat44_ed_in2out_node.index; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from >= 4 && n_left_to_next >= 2) + { + u32 bi0, bi1; + vlib_buffer_t *b0, *b1; + u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0, + new_addr0, old_addr0; + u32 next1, sw_if_index1, rx_fib_index1, iph_offset1 = 0, proto1, + new_addr1, old_addr1; + u16 old_port0, new_port0, old_port1, new_port1; + ip4_header_t *ip0, *ip1; + udp_header_t *udp0, *udp1; + tcp_header_t *tcp0, *tcp1; + icmp46_header_t *icmp0, *icmp1; + snat_session_t *s0 = 0, *s1 = 0; + clib_bihash_kv_16_8_t kv0, value0, kv1, value1; + ip_csum_t sum0, sum1; + + /* Prefetch next iteration. */ + { + vlib_buffer_t *p2, *p3; + + p2 = vlib_get_buffer (vm, from[2]); + p3 = vlib_get_buffer (vm, from[3]); + + vlib_prefetch_buffer_header (p2, LOAD); + vlib_prefetch_buffer_header (p3, LOAD); + + CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); + CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); + } + + /* speculatively enqueue b0 and b1 to the current next frame */ + to_next[0] = bi0 = from[0]; + to_next[1] = bi1 = from[1]; + from += 2; + to_next += 2; + n_left_from -= 2; + n_left_to_next -= 2; + + b0 = vlib_get_buffer (vm, bi0); + b1 = vlib_get_buffer (vm, bi1); + + next0 = NAT_IN2OUT_ED_NEXT_LOOKUP; + + if (is_output_feature) + iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; + + ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + + iph_offset0); + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, 
ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT_IN2OUT_ED_NEXT_ICMP_ERROR; + goto trace00; + } + + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (is_slow_path) + { + if (PREDICT_FALSE (proto0 == ~0)) + { + s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0, + rx_fib_index0, + thread_index, now, vm, + node); + if (!s0) + next0 = NAT_IN2OUT_ED_NEXT_DROP; + goto trace00; + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_in2out_ed_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + goto trace00; + } + } + else + { + if (PREDICT_FALSE (proto0 == ~0)) + { + next0 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace00; + } + + if (ip4_is_fragment (ip0)) + { + next0 = NAT_IN2OUT_ED_NEXT_REASS; + goto trace00; + } + + if (is_output_feature) + { + if (PREDICT_FALSE + (nat_not_translate_output_feature_fwd + (sm, ip0, thread_index, now, vm, b0))) + goto trace00; + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace00; + } + } + + make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, + ip0->protocol, rx_fib_index0, udp0->src_port, + udp0->dst_port); + + if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0)) + { + if (is_slow_path) + { + if (is_output_feature) + { + if (PREDICT_FALSE + (nat44_ed_not_translate_output_feature + (sm, ip0, ip0->protocol, udp0->src_port, + udp0->dst_port, thread_index, sw_if_index0, + vnet_buffer (b0)->sw_if_index[VLIB_TX]))) + goto trace00; + } + else + { + if (PREDICT_FALSE (nat44_ed_not_translate (sm, node, + sw_if_index0, + ip0, proto0, + rx_fib_index0, + thread_index))) + goto trace00; + } + + next0 = + slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node, + next0, thread_index, now); + + if (PREDICT_FALSE (next0 == NAT_IN2OUT_ED_NEXT_DROP)) + goto trace00; + } + 
else + { + next0 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace00; + } + } + else + { + s0 = pool_elt_at_index (tsm->sessions, value0.value); + } + + b0->flags |= VNET_BUFFER_F_IS_NATED; + + if (!is_output_feature) + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; + + old_addr0 = ip0->src_address.as_u32; + new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32; + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + src_address); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, + s0->ext_host_addr.as_u32, ip4_header_t, + dst_address); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->src_port; + new_port0 = tcp0->src_port = s0->out2in.port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + dst_address); + sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t, + length); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + { + sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, + s0->ext_host_addr.as_u32, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, tcp0->dst_port, + s0->ext_host_port, ip4_header_t, + length); + tcp0->dst_port = s0->ext_host_port; + ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; + } + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + if (nat44_set_tcp_session_state_i2o + (sm, s0, tcp0, thread_index)) + goto trace00; + } + else + { + udp0->src_port = s0->out2in.port; + udp0->checksum = 0; + if (PREDICT_FALSE (is_twice_nat_session (s0))) + { + udp0->dst_port = s0->ext_host_port; + ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; + } + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + + trace00: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + 
nat_in2out_ed_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->is_slow_path = is_slow_path; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (s0) + t->session_index = s0 - tsm->sessions; + } + + pkts_processed += next0 != NAT_IN2OUT_ED_NEXT_DROP; + + + next1 = NAT_IN2OUT_ED_NEXT_LOOKUP; + + if (is_output_feature) + iph_offset1 = vnet_buffer (b1)->ip.save_rewrite_length; + + ip1 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b1) + + iph_offset1); + + sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX]; + rx_fib_index1 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index1); + + if (PREDICT_FALSE (ip1->ttl == 1)) + { + vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next1 = NAT_IN2OUT_ED_NEXT_ICMP_ERROR; + goto trace01; + } + + udp1 = ip4_next_header (ip1); + tcp1 = (tcp_header_t *) udp1; + icmp1 = (icmp46_header_t *) udp1; + proto1 = ip_proto_to_snat_proto (ip1->protocol); + + if (is_slow_path) + { + if (PREDICT_FALSE (proto1 == ~0)) + { + s1 = nat44_ed_in2out_unknown_proto (sm, b1, ip1, + rx_fib_index1, + thread_index, now, vm, + node); + if (!s1) + next1 = NAT_IN2OUT_ED_NEXT_DROP; + goto trace01; + } + + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + next1 = icmp_in2out_ed_slow_path + (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, + next1, now, thread_index, &s1); + goto trace01; + } + } + else + { + if (PREDICT_FALSE (proto1 == ~0)) + { + next1 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace01; + } + + if (ip4_is_fragment (ip1)) + { + next1 = NAT_IN2OUT_ED_NEXT_REASS; + goto trace01; + } + + if (is_output_feature) + { + if (PREDICT_FALSE + (nat_not_translate_output_feature_fwd + (sm, ip1, thread_index, now, vm, b1))) + goto trace01; + } + + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + next1 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace01; + } + } 
+ + make_ed_kv (&kv1, &ip1->src_address, &ip1->dst_address, + ip1->protocol, rx_fib_index1, udp1->src_port, + udp1->dst_port); + + if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv1, &value1)) + { + if (is_slow_path) + { + if (is_output_feature) + { + if (PREDICT_FALSE + (nat44_ed_not_translate_output_feature + (sm, ip1, ip1->protocol, udp1->src_port, + udp1->dst_port, thread_index, sw_if_index1, + vnet_buffer (b1)->sw_if_index[VLIB_TX]))) + goto trace01; + } + else + { + if (PREDICT_FALSE (nat44_ed_not_translate (sm, node, + sw_if_index1, + ip1, proto1, + rx_fib_index1, + thread_index))) + goto trace01; + } + + next1 = + slow_path_ed (sm, b1, rx_fib_index1, &kv1, &s1, node, + next1, thread_index, now); + + if (PREDICT_FALSE (next1 == NAT_IN2OUT_ED_NEXT_DROP)) + goto trace01; + } + else + { + next1 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace01; + } + } + else + { + s1 = pool_elt_at_index (tsm->sessions, value1.value); + } + + b1->flags |= VNET_BUFFER_F_IS_NATED; + + if (!is_output_feature) + vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->out2in.fib_index; + + old_addr1 = ip1->src_address.as_u32; + new_addr1 = ip1->src_address.as_u32 = s1->out2in.addr.as_u32; + sum1 = ip1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, + src_address); + if (PREDICT_FALSE (is_twice_nat_session (s1))) + sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32, + s1->ext_host_addr.as_u32, ip4_header_t, + dst_address); + ip1->checksum = ip_csum_fold (sum1); + + if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) + { + old_port1 = tcp1->src_port; + new_port1 = tcp1->src_port = s1->out2in.port; + + sum1 = tcp1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, + dst_address); + sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t, + length); + if (PREDICT_FALSE (is_twice_nat_session (s1))) + { + sum1 = ip_csum_update (sum1, ip1->dst_address.as_u32, + s1->ext_host_addr.as_u32, + ip4_header_t, dst_address); + sum1 = ip_csum_update 
(sum1, tcp1->dst_port, + s1->ext_host_port, ip4_header_t, + length); + tcp1->dst_port = s1->ext_host_port; + ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32; + } + tcp1->checksum = ip_csum_fold (sum1); + mss_clamping (sm, tcp1, &sum1); + if (nat44_set_tcp_session_state_i2o + (sm, s1, tcp1, thread_index)) + goto trace01; + } + else + { + udp1->src_port = s1->out2in.port; + udp1->checksum = 0; + if (PREDICT_FALSE (is_twice_nat_session (s1))) + { + udp1->dst_port = s1->ext_host_port; + ip1->dst_address.as_u32 = s1->ext_host_addr.as_u32; + } + } + + /* Accounting */ + nat44_session_update_counters (s1, now, + vlib_buffer_length_in_chain (vm, + b1)); + + trace01: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b1->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_in2out_ed_trace_t *t = + vlib_add_trace (vm, node, b1, sizeof (*t)); + t->is_slow_path = is_slow_path; + t->sw_if_index = sw_if_index1; + t->next_index = next1; + t->session_index = ~0; + if (s1) + t->session_index = s1 - tsm->sessions; + } + + pkts_processed += next1 != NAT_IN2OUT_ED_NEXT_DROP; + + /* verify speculative enqueues, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x2 (vm, node, next_index, + to_next, n_left_to_next, + bi0, bi1, next0, next1); + } + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0, sw_if_index0, rx_fib_index0, iph_offset0 = 0, proto0, + new_addr0, old_addr0; + u16 old_port0, new_port0; + ip4_header_t *ip0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + snat_session_t *s0 = 0; + clib_bihash_kv_16_8_t kv0, value0; + ip_csum_t sum0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + next0 = NAT_IN2OUT_ED_NEXT_LOOKUP; + + if (is_output_feature) + iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; + + ip0 = (ip4_header_t *) 
((u8 *) vlib_buffer_get_current (b0) + + iph_offset0); + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT_IN2OUT_ED_NEXT_ICMP_ERROR; + goto trace0; + } + + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (is_slow_path) + { + if (PREDICT_FALSE (proto0 == ~0)) + { + s0 = nat44_ed_in2out_unknown_proto (sm, b0, ip0, + rx_fib_index0, + thread_index, now, vm, + node); + if (!s0) + next0 = NAT_IN2OUT_ED_NEXT_DROP; + goto trace0; + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_in2out_ed_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + goto trace0; + } + } + else + { + if (PREDICT_FALSE (proto0 == ~0)) + { + next0 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace0; + } + + if (ip4_is_fragment (ip0)) + { + next0 = NAT_IN2OUT_ED_NEXT_REASS; + goto trace0; + } + + if (is_output_feature) + { + if (PREDICT_FALSE + (nat_not_translate_output_feature_fwd + (sm, ip0, thread_index, now, vm, b0))) + goto trace0; + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace0; + } + } + + make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, + ip0->protocol, rx_fib_index0, udp0->src_port, + udp0->dst_port); + + if (clib_bihash_search_16_8 (&tsm->in2out_ed, &kv0, &value0)) + { + if (is_slow_path) + { + if (is_output_feature) + { + if (PREDICT_FALSE + (nat44_ed_not_translate_output_feature + (sm, ip0, ip0->protocol, udp0->src_port, + udp0->dst_port, thread_index, sw_if_index0, + vnet_buffer (b0)->sw_if_index[VLIB_TX]))) + goto trace0; + 
} + else + { + if (PREDICT_FALSE (nat44_ed_not_translate (sm, node, + sw_if_index0, + ip0, proto0, + rx_fib_index0, + thread_index))) + goto trace0; + } + + next0 = + slow_path_ed (sm, b0, rx_fib_index0, &kv0, &s0, node, + next0, thread_index, now); + + if (PREDICT_FALSE (next0 == NAT_IN2OUT_ED_NEXT_DROP)) + goto trace0; + } + else + { + next0 = NAT_IN2OUT_ED_NEXT_SLOW_PATH; + goto trace0; + } + } + else + { + s0 = pool_elt_at_index (tsm->sessions, value0.value); + } + + b0->flags |= VNET_BUFFER_F_IS_NATED; + + if (!is_output_feature) + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; + + old_addr0 = ip0->src_address.as_u32; + new_addr0 = ip0->src_address.as_u32 = s0->out2in.addr.as_u32; + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + src_address); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, + s0->ext_host_addr.as_u32, ip4_header_t, + dst_address); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->src_port; + new_port0 = tcp0->src_port = s0->out2in.port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + dst_address); + sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t, + length); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + { + sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, + s0->ext_host_addr.as_u32, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, tcp0->dst_port, + s0->ext_host_port, ip4_header_t, + length); + tcp0->dst_port = s0->ext_host_port; + ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; + } + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + if (nat44_set_tcp_session_state_i2o + (sm, s0, tcp0, thread_index)) + goto trace0; + } + else + { + udp0->src_port = s0->out2in.port; + udp0->checksum = 0; + if (PREDICT_FALSE (is_twice_nat_session (s0))) + { + udp0->dst_port 
= s0->ext_host_port; + ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; + } + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_in2out_ed_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->is_slow_path = is_slow_path; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (s0) + t->session_index = s0 - tsm->sessions; + } + + pkts_processed += next0 != NAT_IN2OUT_ED_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, stats_node_index, + NAT_IN2OUT_ED_ERROR_IN2OUT_PACKETS, + pkts_processed); + return frame->n_vectors; +} + +static uword +nat44_ed_in2out_fast_path_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_in2out_node) = { + .function = nat44_ed_in2out_fast_path_fn, + .name = "nat44-ed-in2out", + .vector_size = sizeof (u32), + .format_trace = format_nat_in2out_ed_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings), + .error_strings = nat_in2out_ed_error_strings, + .runtime_data_bytes = sizeof (snat_runtime_t), + .n_next_nodes = NAT_IN2OUT_ED_N_NEXT, + .next_nodes = { + [NAT_IN2OUT_ED_NEXT_DROP] = "error-drop", + [NAT_IN2OUT_ED_NEXT_LOOKUP] = "ip4-lookup", + [NAT_IN2OUT_ED_NEXT_SLOW_PATH] = "nat44-ed-in2out-slowpath", + [NAT_IN2OUT_ED_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT_IN2OUT_ED_NEXT_REASS] = "nat44-ed-in2out-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_node, + 
nat44_ed_in2out_fast_path_fn); + +static uword +nat44_ed_in2out_output_fast_path_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_in2out_node_fn_inline (vm, node, frame, 0, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_in2out_output_node) = { + .function = nat44_ed_in2out_output_fast_path_fn, + .name = "nat44-ed-in2out-output", + .vector_size = sizeof (u32), + .format_trace = format_nat_in2out_ed_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings), + .error_strings = nat_in2out_ed_error_strings, + .runtime_data_bytes = sizeof (snat_runtime_t), + .n_next_nodes = NAT_IN2OUT_ED_N_NEXT, + .next_nodes = { + [NAT_IN2OUT_ED_NEXT_DROP] = "error-drop", + [NAT_IN2OUT_ED_NEXT_LOOKUP] = "interface-output", + [NAT_IN2OUT_ED_NEXT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath", + [NAT_IN2OUT_ED_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT_IN2OUT_ED_NEXT_REASS] = "nat44-ed-in2out-reass-output", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_output_node, + nat44_ed_in2out_output_fast_path_fn); + +static uword +nat44_ed_in2out_slow_path_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_in2out_slowpath_node) = { + .function = nat44_ed_in2out_slow_path_fn, + .name = "nat44-ed-in2out-slowpath", + .vector_size = sizeof (u32), + .format_trace = format_nat_in2out_ed_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings), + .error_strings = nat_in2out_ed_error_strings, + .runtime_data_bytes = sizeof (snat_runtime_t), + .n_next_nodes = NAT_IN2OUT_ED_N_NEXT, + .next_nodes = { + [NAT_IN2OUT_ED_NEXT_DROP] = "error-drop", + [NAT_IN2OUT_ED_NEXT_LOOKUP] = "ip4-lookup", + [NAT_IN2OUT_ED_NEXT_SLOW_PATH] = "nat44-ed-in2out-slowpath", + [NAT_IN2OUT_ED_NEXT_ICMP_ERROR] = 
"ip4-icmp-error", + [NAT_IN2OUT_ED_NEXT_REASS] = "nat44-ed-in2out-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_slowpath_node, + nat44_ed_in2out_slow_path_fn); + +static uword +nat44_ed_in2out_output_slow_path_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_in2out_node_fn_inline (vm, node, frame, 1, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_in2out_output_slowpath_node) = { + .function = nat44_ed_in2out_output_slow_path_fn, + .name = "nat44-ed-in2out-output-slowpath", + .vector_size = sizeof (u32), + .format_trace = format_nat_in2out_ed_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings), + .error_strings = nat_in2out_ed_error_strings, + .runtime_data_bytes = sizeof (snat_runtime_t), + .n_next_nodes = NAT_IN2OUT_ED_N_NEXT, + .next_nodes = { + [NAT_IN2OUT_ED_NEXT_DROP] = "error-drop", + [NAT_IN2OUT_ED_NEXT_LOOKUP] = "interface-output", + [NAT_IN2OUT_ED_NEXT_SLOW_PATH] = "nat44-ed-in2out-output-slowpath", + [NAT_IN2OUT_ED_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT_IN2OUT_ED_NEXT_REASS] = "nat44-ed-in2out-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_output_slowpath_node, + nat44_ed_in2out_output_slow_path_fn); + +static inline uword +nat44_ed_in2out_reass_node_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, + int is_output_feature) +{ + u32 n_left_from, *from, *to_next; + nat_in2out_ed_next_t next_index; + u32 pkts_processed = 0; + snat_main_t *sm = &snat_main; + f64 now = vlib_time_now (vm); + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *per_thread_data = + &sm->per_thread_data[thread_index]; + u32 *fragments_to_drop = 0; + u32 *fragments_to_loopback = 0; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + 
+ vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0; + u32 iph_offset0 = 0; + vlib_buffer_t *b0; + u32 next0; + u8 cached0 = 0; + ip4_header_t *ip0 = 0; + nat_reass_ip4_t *reass0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + clib_bihash_kv_16_8_t kv0, value0; + snat_session_t *s0 = 0; + u16 old_port0, new_port0; + ip_csum_t sum0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + + next0 = NAT_IN2OUT_ED_NEXT_LOOKUP; + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + + if (PREDICT_FALSE (nat_reass_is_drop_frag (0))) + { + next0 = NAT_IN2OUT_ED_NEXT_DROP; + b0->error = node->errors[NAT_IN2OUT_ED_ERROR_DROP_FRAGMENT]; + goto trace0; + } + + if (is_output_feature) + iph_offset0 = vnet_buffer (b0)->ip.save_rewrite_length; + + ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) + + iph_offset0); + + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, &fragments_to_drop); + + if (PREDICT_FALSE (!reass0)) + { + next0 = NAT_IN2OUT_ED_NEXT_DROP; + b0->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto trace0; + } + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + if (is_output_feature) + { + if (PREDICT_FALSE + (nat_not_translate_output_feature_fwd + (sm, ip0, thread_index, now, vm, b0))) + reass0->flags |= 
NAT_REASS_FLAG_ED_DONT_TRANSLATE; + goto trace0; + } + + next0 = icmp_in2out_ed_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + + if (PREDICT_TRUE (next0 != NAT_IN2OUT_ED_NEXT_DROP)) + { + if (s0) + reass0->sess_index = s0 - per_thread_data->sessions; + else + reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + } + + goto trace0; + } + + make_ed_kv (&kv0, &ip0->src_address, &ip0->dst_address, + ip0->protocol, rx_fib_index0, udp0->src_port, + udp0->dst_port); + + if (clib_bihash_search_16_8 + (&per_thread_data->in2out_ed, &kv0, &value0)) + { + if (is_output_feature) + { + if (PREDICT_FALSE + (nat44_ed_not_translate_output_feature + (sm, ip0, ip0->protocol, udp0->src_port, + udp0->dst_port, thread_index, sw_if_index0, + vnet_buffer (b0)->sw_if_index[VLIB_TX]))) + { + reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + goto trace0; + } + } + else + { + if (PREDICT_FALSE (nat44_ed_not_translate (sm, node, + sw_if_index0, + ip0, proto0, + rx_fib_index0, + thread_index))) + { + reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + goto trace0; + } + } + + next0 = slow_path_ed (sm, b0, rx_fib_index0, &kv0, + &s0, node, next0, thread_index, now); + + if (PREDICT_FALSE (next0 == NAT_IN2OUT_ED_NEXT_DROP)) + goto trace0; + + reass0->sess_index = s0 - per_thread_data->sessions; + } + else + { + s0 = pool_elt_at_index (per_thread_data->sessions, + value0.value); + reass0->sess_index = value0.value; + } + nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); + } + else + { + if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE) + goto trace0; + if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0)) + { + if (nat_ip4_reass_add_fragment + (reass0, bi0, &fragments_to_drop)) + { + b0->error = node->errors[NAT_IN2OUT_ED_ERROR_MAX_FRAG]; + 
nat_log_notice + ("maximum fragments per reassembly exceeded"); + next0 = NAT_IN2OUT_ED_NEXT_DROP; + goto trace0; + } + cached0 = 1; + goto trace0; + } + s0 = pool_elt_at_index (per_thread_data->sessions, + reass0->sess_index); + } + + old_addr0 = ip0->src_address.as_u32; + ip0->src_address = s0->out2in.addr; + new_addr0 = ip0->src_address.as_u32; + if (!is_output_feature) + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->out2in.fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + src_address /* changed member */ ); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, + s0->ext_host_addr.as_u32, ip4_header_t, + dst_address); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->src_port; + tcp0->src_port = s0->out2in.port; + new_port0 = tcp0->src_port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + { + sum0 = ip_csum_update (sum0, ip0->dst_address.as_u32, + s0->ext_host_addr.as_u32, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, tcp0->dst_port, + s0->ext_host_port, ip4_header_t, + length); + tcp0->dst_port = s0->ext_host_port; + ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; + } + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->src_port; + udp0->src_port = s0->out2in.port; + udp0->checksum = 0; + if (PREDICT_FALSE (is_twice_nat_session (s0))) + { + udp0->dst_port = s0->ext_host_port; + ip0->dst_address.as_u32 = s0->ext_host_addr.as_u32; + } + } + } + + /* Hairpinning */ + if (PREDICT_TRUE (proto0 != SNAT_PROTOCOL_ICMP)) + nat44_reass_hairpinning (sm, b0, 
ip0, s0->out2in.port, + s0->ext_host_port, proto0, 1); + else + snat_icmp_hairpinning (sm, b0, ip0, icmp0, 1); + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_reass_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->cached = cached0; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + } + + if (cached0) + { + n_left_to_next++; + to_next--; + } + else + { + pkts_processed += next0 != NAT_IN2OUT_ED_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + if (n_left_from == 0 && vec_len (fragments_to_loopback)) + { + from = vlib_frame_vector_args (frame); + u32 len = vec_len (fragments_to_loopback); + if (len <= VLIB_FRAME_SIZE) + { + clib_memcpy (from, fragments_to_loopback, + sizeof (u32) * len); + n_left_from = len; + vec_reset_length (fragments_to_loopback); + } + else + { + clib_memcpy (from, + fragments_to_loopback + (len - + VLIB_FRAME_SIZE), + sizeof (u32) * VLIB_FRAME_SIZE); + n_left_from = VLIB_FRAME_SIZE; + _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; + } + } + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, nat44_ed_in2out_reass_node.index, + NAT_IN2OUT_ED_ERROR_IN2OUT_PACKETS, + pkts_processed); + + nat_send_all_to_node (vm, fragments_to_drop, node, + &node->errors[NAT_IN2OUT_ED_ERROR_DROP_FRAGMENT], + NAT_IN2OUT_ED_NEXT_DROP); + + vec_free (fragments_to_drop); + vec_free (fragments_to_loopback); + return frame->n_vectors; +} + +static uword +nat44_ed_in2out_reass_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 0); +} + +/* *INDENT-OFF* */ 
+VLIB_REGISTER_NODE (nat44_ed_in2out_reass_node) = { + .function = nat44_ed_in2out_reass_node_fn, + .name = "nat44-ed-in2out-reass", + .vector_size = sizeof (u32), + .format_trace = format_nat44_reass_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings), + .error_strings = nat_in2out_ed_error_strings, + .n_next_nodes = NAT_IN2OUT_ED_N_NEXT, + .next_nodes = { + [NAT_IN2OUT_ED_NEXT_DROP] = "error-drop", + [NAT_IN2OUT_ED_NEXT_LOOKUP] = "ip4-lookup", + [NAT_IN2OUT_ED_NEXT_SLOW_PATH] = "nat44-in2out-slowpath", + [NAT_IN2OUT_ED_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT_IN2OUT_ED_NEXT_REASS] = "nat44-ed-in2out-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_reass_node, + nat44_ed_in2out_reass_node_fn); + +static uword +nat44_ed_in2out_reass_output_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_in2out_reass_node_fn_inline (vm, node, frame, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_in2out_reass_output_node) = { + .function = nat44_ed_in2out_reass_output_node_fn, + .name = "nat44-ed-in2out-reass-output", + .vector_size = sizeof (u32), + .format_trace = format_nat44_reass_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN (nat_in2out_ed_error_strings), + .error_strings = nat_in2out_ed_error_strings, + .n_next_nodes = NAT_IN2OUT_ED_N_NEXT, + .next_nodes = { + [NAT_IN2OUT_ED_NEXT_DROP] = "error-drop", + [NAT_IN2OUT_ED_NEXT_LOOKUP] = "interface-output", + [NAT_IN2OUT_ED_NEXT_SLOW_PATH] = "nat44-in2out-slowpath", + [NAT_IN2OUT_ED_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT_IN2OUT_ED_NEXT_REASS] = "nat44-ed-in2out-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_in2out_reass_output_node, + nat44_ed_in2out_reass_output_node_fn); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ 
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c index d4c266a2b16..efca4404ddd 100755 --- a/src/plugins/nat/nat.c +++ b/src/plugins/nat/nat.c @@ -36,6 +36,7 @@ snat_main_t snat_main; +/* *INDENT-OFF* */ /* Hook up input features */ VNET_FEATURE_INIT (ip4_snat_in2out, static) = { @@ -166,42 +167,12 @@ VNET_FEATURE_INIT (ip4_nat44_ed_hairpinning, static) = }; -/* *INDENT-OFF* */ VLIB_PLUGIN_REGISTER () = { .version = VPP_BUILD_VER, .description = "Network Address Translation", }; /* *INDENT-ON* */ -vlib_node_registration_t nat44_classify_node; -vlib_node_registration_t nat44_ed_classify_node; -vlib_node_registration_t nat44_det_classify_node; -vlib_node_registration_t nat44_handoff_classify_node; - -#define foreach_nat44_classify_error \ -_(MAX_REASS, "Maximum reassemblies exceeded") \ -_(MAX_FRAG, "Maximum fragments per reassembly exceeded") - -typedef enum { -#define _(sym,str) NAT44_CLASSIFY_ERROR_##sym, - foreach_nat44_classify_error -#undef _ - NAT44_CLASSIFY_N_ERROR, -} nat44_classify_error_t; - -static char * nat44_classify_error_strings[] = { -#define _(sym,string) string, - foreach_nat44_classify_error -#undef _ -}; - -typedef enum { - NAT44_CLASSIFY_NEXT_IN2OUT, - NAT44_CLASSIFY_NEXT_OUT2IN, - NAT44_CLASSIFY_NEXT_DROP, - NAT44_CLASSIFY_N_NEXT, -} nat44_classify_next_t; - void nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) { @@ -223,7 +194,7 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)) - nat_log_warn ("in2out_ed key del failed"); + nat_log_warn ("in2out_ed key del failed"); return; } 
@@ -231,61 +202,60 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) if (is_ed_session (s)) { if (is_affinity_sessions (s)) - nat_affinity_unlock (s->ext_host_addr, s->out2in.addr, - s->in2out.protocol, s->out2in.port); + nat_affinity_unlock (s->ext_host_addr, s->out2in.addr, + s->in2out.protocol, s->out2in.port); ed_key.l_addr = s->out2in.addr; ed_key.r_addr = s->ext_host_addr; ed_key.fib_index = s->out2in.fib_index; if (snat_is_unk_proto_session (s)) - { - ed_key.proto = s->in2out.port; - ed_key.r_port = 0; - ed_key.l_port = 0; - } + { + ed_key.proto = s->in2out.port; + ed_key.r_port = 0; + ed_key.l_port = 0; + } else - { - ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol); - ed_key.l_port = s->out2in.port; - ed_key.r_port = s->ext_host_port; - } + { + ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol); + ed_key.l_port = s->out2in.port; + ed_key.r_port = s->ext_host_port; + } ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &ed_kv, 0)) - nat_log_warn ("out2in_ed key del failed"); + nat_log_warn ("out2in_ed key del failed"); ed_key.l_addr = s->in2out.addr; ed_key.fib_index = s->in2out.fib_index; if (!snat_is_unk_proto_session (s)) - ed_key.l_port = s->in2out.port; + ed_key.l_port = s->in2out.port; if (is_twice_nat_session (s)) - { - ed_key.r_addr = s->ext_host_nat_addr; - ed_key.r_port = s->ext_host_nat_port; - } + { + ed_key.r_addr = s->ext_host_nat_addr; + ed_key.r_port = s->ext_host_nat_port; + } ed_kv.key[0] = ed_key.as_u64[0]; ed_kv.key[1] = ed_key.as_u64[1]; if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)) - nat_log_warn ("in2out_ed key del failed"); + nat_log_warn ("in2out_ed key del failed"); } else { kv.key = s->in2out.as_u64; if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0)) - nat_log_warn ("in2out key del failed"); + nat_log_warn ("in2out key del failed"); kv.key = s->out2in.as_u64; if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 
0)) - nat_log_warn ("out2in key del failed"); + nat_log_warn ("out2in key del failed"); } if (snat_is_unk_proto_session (s)) return; /* log NAT event */ - snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); + snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, s->in2out.fib_index); /* Twice NAT address and port for external host */ if (is_twice_nat_session (s)) @@ -294,26 +264,25 @@ nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index) key.port = s->ext_host_nat_port; key.addr.as_u32 = s->ext_host_nat_addr.as_u32; snat_free_outside_address_and_port (sm->twice_nat_addresses, - thread_index, &key); + thread_index, &key); } if (snat_is_session_static (s)) return; - if (s->outside_address_index != ~0) - snat_free_outside_address_and_port (sm->addresses, thread_index, - &s->out2in); + snat_free_outside_address_and_port (sm->addresses, thread_index, + &s->out2in); } snat_user_t * -nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index, - u32 thread_index) +nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, u32 fib_index, + u32 thread_index) { snat_user_t *u = 0; snat_user_key_t user_key; clib_bihash_kv_8_8_t kv, value; snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - dlist_elt_t * per_user_list_head_elt; + dlist_elt_t *per_user_list_head_elt; user_key.addr.as_u32 = addr->as_u32; user_key.fib_index = fib_index; @@ -331,7 +300,7 @@ nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index, pool_get (tsm->list_pool, per_user_list_head_elt); u->sessions_per_user_list_head_index = per_user_list_head_elt - - tsm->list_pool; + tsm->list_pool; clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index); 
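Review bot: Dropping the `if (s->outside_address_index != ~0)` guard in the `@@ -294,26 +264,25 @@` hunk makes the final `snat_free_outside_address_and_port (sm->addresses, thread_index, &s->out2in);` run for every session that survives the earlier `snat_is_unk_proto_session` and `snat_is_session_static` returns, where the old code skipped sessions that never recorded a pool allocation. If a dynamic session can reach this point with an out2in address that is not (or no longer) in `sm->addresses`, the callee now has to cope with that case where it was previously never invoked for it; I cannot see the callee here, so this needs confirming. Since the call now rests on an unwritten invariant, I would state it above the call, e.g. `/* every remaining session owns a port allocated from sm->addresses (static and unknown-proto sessions returned above) */`. `nat_free_session_data` begins outside this hunk.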
@@ -339,7 +308,7 @@ nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index, /* add user */ if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1)) - nat_log_warn ("user_hash keay add failed"); + nat_log_warn ("user_hash keay add failed"); } else { @@ -350,31 +319,32 @@ nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index, } snat_session_t * -nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index) +nat_session_alloc_or_recycle (snat_main_t * sm, snat_user_t * u, + u32 thread_index) { snat_session_t *s; snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; u32 oldest_per_user_translation_list_index, session_index; - dlist_elt_t * oldest_per_user_translation_list_elt; - dlist_elt_t * per_user_translation_list_elt; + dlist_elt_t *oldest_per_user_translation_list_elt; + dlist_elt_t *per_user_translation_list_elt; /* Over quota? Recycle the least recently used translation */ if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user) { oldest_per_user_translation_list_index = - clib_dlist_remove_head (tsm->list_pool, - u->sessions_per_user_list_head_index); + clib_dlist_remove_head (tsm->list_pool, + u->sessions_per_user_list_head_index); ASSERT (oldest_per_user_translation_list_index != ~0); /* Add it back to the end of the LRU list */ clib_dlist_addtail (tsm->list_pool, - u->sessions_per_user_list_head_index, - oldest_per_user_translation_list_index); + u->sessions_per_user_list_head_index, + oldest_per_user_translation_list_index); /* Get the list element */ oldest_per_user_translation_list_elt = - pool_elt_at_index (tsm->list_pool, - oldest_per_user_translation_list_index); + pool_elt_at_index (tsm->list_pool, + oldest_per_user_translation_list_index); /* Get the session index from the list element */ session_index = oldest_per_user_translation_list_elt->value; 
@@ -382,11 +352,10 @@ nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index) /* Get the session */ s = pool_elt_at_index (tsm->sessions, session_index); nat_free_session_data (sm, s, thread_index); - if (snat_is_session_static(s)) - u->nstaticsessions--; + if (snat_is_session_static (s)) + u->nstaticsessions--; else - u->nsessions--; - s->outside_address_index = ~0; + u->nsessions--; s->flags = 0; s->total_bytes = 0; s->total_pkts = 0; 
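Review bot: With `s->outside_address_index = ~0;` gone, the recycle branch of `nat_session_alloc_or_recycle` still resets the reused session one field at a time (`s->flags = 0; s->total_bytes = 0; s->total_pkts = 0;` and whatever follows below the hunk), whereas the fresh-allocation branch in the next hunk zeroes the whole struct with `memset`. Any field the previous owner set that is not in that explicit list carries over into the recycled session, so the two branches do not start from the same state; whether that matters depends on the lines after the hunk, which I cannot see. A wholesale `memset` is presumably not an option here because the list linkage must survive, so I would document the split instead: `/* recycled session: per_user_index / per_user_list_head_index stay valid, all other state is reset explicitly below */`. The function body continues outside this hunk.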
@@ -400,535 +369,92 @@ nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index) { pool_get (tsm->sessions, s); memset (s, 0, sizeof (*s)); - s->outside_address_index = ~0; /* Create list elts */ pool_get (tsm->list_pool, per_user_translation_list_elt); clib_dlist_init (tsm->list_pool, - per_user_translation_list_elt - tsm->list_pool); + per_user_translation_list_elt - tsm->list_pool); per_user_translation_list_elt->value = s - tsm->sessions; s->per_user_index = per_user_translation_list_elt - tsm->list_pool; s->per_user_list_head_index = u->sessions_per_user_list_head_index; clib_dlist_addtail (tsm->list_pool, - s->per_user_list_head_index, - per_user_translation_list_elt - tsm->list_pool); + s->per_user_list_head_index, + per_user_translation_list_elt - tsm->list_pool); } return s; } snat_session_t * -nat_ed_session_alloc (snat_main_t *sm, snat_user_t *u, u32 thread_index) +nat_ed_session_alloc (snat_main_t * sm, snat_user_t * u, u32 thread_index) { snat_session_t *s; snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - dlist_elt_t * per_user_translation_list_elt; + dlist_elt_t *per_user_translation_list_elt; if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user) { - nat_log_warn ("max translations per user %U", format_ip4_address, &u->addr); + nat_log_warn ("max translations per user %U", format_ip4_address, + &u->addr); snat_ipfix_logging_max_entries_per_user (sm->max_translations_per_user, - u->addr.as_u32); + u->addr.as_u32); return 0; } pool_get (tsm->sessions, s); memset (s, 0, sizeof (*s)); - s->outside_address_index = ~0; /* Create list elts */ pool_get (tsm->list_pool, per_user_translation_list_elt); clib_dlist_init (tsm->list_pool, - per_user_translation_list_elt - tsm->list_pool); + per_user_translation_list_elt - tsm->list_pool); per_user_translation_list_elt->value = s - tsm->sessions; s->per_user_index = per_user_translation_list_elt - tsm->list_pool; s->per_user_list_head_index = 
u->sessions_per_user_list_head_index; clib_dlist_addtail (tsm->list_pool, - s->per_user_list_head_index, - per_user_translation_list_elt - tsm->list_pool); - - return s; -} - -typedef struct { - u8 next_in2out; - u8 cached; -} nat44_classify_trace_t; - -static u8 * format_nat44_classify_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *); - char *next; - - if (t->cached) - s = format (s, "nat44-classify: fragment cached"); - else - { - next = t->next_in2out ? "nat44-in2out" : "nat44-out2in"; - s = format (s, "nat44-classify: next %s", next); - } + s->per_user_list_head_index, + per_user_translation_list_elt - tsm->list_pool); return s; } -static inline uword -nat44_classify_node_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, - int is_ed) -{ - u32 n_left_from, * from, * to_next; - nat44_classify_next_t next_index; - snat_main_t *sm = &snat_main; - snat_static_mapping_t *m; - u32 thread_index = vm->thread_index; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - u32 *fragments_to_drop = 0; - u32 *fragments_to_loopback = 0; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - vlib_buffer_t *b0; - u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT, sw_if_index0, rx_fib_index0; - ip4_header_t *ip0; - snat_address_t *ap; - snat_session_key_t m_key0; - clib_bihash_kv_8_8_t kv0, value0; - clib_bihash_kv_16_8_t ed_kv0, ed_value0; - udp_header_t *udp0; - nat_reass_ip4_t *reass0; - u8 cached0 = 0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = 
bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - - if (is_ed && ip0->protocol != IP_PROTOCOL_ICMP) - { - if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0)) - { - /* process leading fragment/whole packet (with L4 header) */ - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = - fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index0); - make_ed_kv (&ed_kv0, &ip0->src_address, &ip0->dst_address, - ip0->protocol, rx_fib_index0, udp0->src_port, - udp0->dst_port); - if (ip4_is_fragment (ip0)) - { - reass0 = nat_ip4_reass_find_or_create (ip0->src_address, - ip0->dst_address, - ip0->fragment_id, - ip0->protocol, - 1, - &fragments_to_drop); - if (PREDICT_FALSE (!reass0)) - { - next0 = NAT44_CLASSIFY_NEXT_DROP; - b0->error = node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; - nat_log_notice ("maximum reassemblies exceeded"); - goto enqueue0; - } - if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0, - &ed_value0)) - { - /* session exists so classify as IN2OUT, - * save this information for future fragments and set - * past fragments to be looped over and reprocessed */ - reass0->sess_index = ed_value0.value; - reass0->classify_next = NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT; - nat_ip4_reass_get_frags (reass0, - &fragments_to_loopback); - goto enqueue0; - } - else - { - /* session doesn't exist so continue in the code, - * save this information for future fragments and set - * past fragments to be looped over and reprocessed */ - reass0->flags |= NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE; - nat_ip4_reass_get_frags (reass0, - &fragments_to_loopback); - } - } - else - { - /* process whole packet */ - if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0, - &ed_value0)) - goto enqueue0; - /* session doesn't exist so continue in code */ - } - } - else - { - /* process non-first fragment */ - reass0 = 
nat_ip4_reass_find_or_create (ip0->src_address, - ip0->dst_address, - ip0->fragment_id, - ip0->protocol, - 1, - &fragments_to_drop); - if (PREDICT_FALSE (!reass0)) - { - next0 = NAT44_CLASSIFY_NEXT_DROP; - b0->error = node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; - nat_log_notice ("maximum reassemblies exceeded"); - goto enqueue0; - } - /* check if first fragment has arrived */ - if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE && - !(reass0->flags & NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE)) - { - /* first fragment still hasn't arrived, cache this fragment */ - if (nat_ip4_reass_add_fragment (reass0, bi0, - &fragments_to_drop)) - { - b0->error = node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG]; - nat_log_notice ("maximum fragments per reassembly exceeded"); - next0 = NAT44_CLASSIFY_NEXT_DROP; - goto enqueue0; - } - cached0 = 1; - goto enqueue0; - } - if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT) - goto enqueue0; - /* flag NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE is set - * so keep the default next0 and continue in code to - * potentially find other classification for this packet */ - } - } - - vec_foreach (ap, sm->addresses) - { - if (ip0->dst_address.as_u32 == ap->addr.as_u32) - { - next0 = NAT44_CLASSIFY_NEXT_OUT2IN; - goto enqueue0; - } - } - - if (PREDICT_FALSE (pool_elts (sm->static_mappings))) - { - m_key0.addr = ip0->dst_address; - m_key0.port = 0; - m_key0.protocol = 0; - m_key0.fib_index = 0; - kv0.key = m_key0.as_u64; - /* try to classify the fragment based on IP header alone */ - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, - &kv0, &value0)) - { - m = pool_elt_at_index (sm->static_mappings, value0.value); - if (m->local_addr.as_u32 != m->external_addr.as_u32) - next0 = NAT44_CLASSIFY_NEXT_OUT2IN; - goto enqueue0; - } - if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0)) - { - /* process leading fragment/whole packet (with L4 header) */ - m_key0.port = clib_net_to_host_u16 (udp0->dst_port); - m_key0.protocol = 
ip_proto_to_snat_proto (ip0->protocol); - kv0.key = m_key0.as_u64; - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, - &kv0, &value0)) - { - m = pool_elt_at_index (sm->static_mappings, value0.value); - if (m->local_addr.as_u32 != m->external_addr.as_u32) - next0 = NAT44_CLASSIFY_NEXT_OUT2IN; - } - if (ip4_is_fragment (ip0)) - { - reass0 = nat_ip4_reass_find_or_create (ip0->src_address, - ip0->dst_address, - ip0->fragment_id, - ip0->protocol, - 1, - &fragments_to_drop); - if (PREDICT_FALSE (!reass0)) - { - next0 = NAT44_CLASSIFY_NEXT_DROP; - b0->error = node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; - nat_log_notice ("maximum reassemblies exceeded"); - goto enqueue0; - } - /* save classification for future fragments and set past - * fragments to be looped over and reprocessed */ - if (next0 == NAT44_CLASSIFY_NEXT_OUT2IN) - reass0->classify_next = NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN; - else - reass0->classify_next = NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT; - nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); - } - } - else - { - /* process non-first fragment */ - reass0 = nat_ip4_reass_find_or_create (ip0->src_address, - ip0->dst_address, - ip0->fragment_id, - ip0->protocol, - 1, - &fragments_to_drop); - if (PREDICT_FALSE (!reass0)) - { - next0 = NAT44_CLASSIFY_NEXT_DROP; - b0->error = node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; - nat_log_notice ("maximum reassemblies exceeded"); - goto enqueue0; - } - if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE) - /* first fragment still hasn't arrived */ - { - if (nat_ip4_reass_add_fragment (reass0, bi0, - &fragments_to_drop)) - { - b0->error = node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG]; - nat_log_notice ("maximum fragments per reassembly exceeded"); - next0 = NAT44_CLASSIFY_NEXT_DROP; - goto enqueue0; - } - cached0 = 1; - goto enqueue0; - } - else if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN) - next0 = NAT44_CLASSIFY_NEXT_OUT2IN; - else if (reass0->classify_next == 
NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT) - next0 = NAT44_CLASSIFY_NEXT_IN2OUT; - } - } - - enqueue0: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat44_classify_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->cached = cached0; - if (!cached0) - t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 1 : 0; - } - - if (cached0) - { - n_left_to_next++; - to_next--; - } - else - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - - if (n_left_from == 0 && vec_len (fragments_to_loopback)) - { - from = vlib_frame_vector_args (frame); - u32 len = vec_len (fragments_to_loopback); - if (len <= VLIB_FRAME_SIZE) - { - clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len); - n_left_from = len; - vec_reset_length (fragments_to_loopback); - } - else - { - clib_memcpy (from, - fragments_to_loopback + (len - VLIB_FRAME_SIZE), - sizeof (u32) * VLIB_FRAME_SIZE); - n_left_from = VLIB_FRAME_SIZE; - _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; - } - } - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - nat_send_all_to_node (vm, fragments_to_drop, node, 0, NAT44_CLASSIFY_NEXT_DROP); - - vec_free (fragments_to_drop); - - return frame->n_vectors; -} - -static uword -nat44_classify_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return nat44_classify_node_fn_inline (vm, node, frame, 0); -}; - -VLIB_REGISTER_NODE (nat44_classify_node) = { - .function = nat44_classify_node_fn, - .name = "nat44-classify", - .vector_size = sizeof (u32), - .format_trace = format_nat44_classify_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(nat44_classify_error_strings), - .error_strings = nat44_classify_error_strings, - .n_next_nodes = NAT44_CLASSIFY_N_NEXT, - .next_nodes = { - [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out", - 
[NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in", - [NAT44_CLASSIFY_NEXT_DROP] = "error-drop", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node, - nat44_classify_node_fn); -static uword -nat44_ed_classify_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return nat44_classify_node_fn_inline (vm, node, frame, 1); -}; - -VLIB_REGISTER_NODE (nat44_ed_classify_node) = { - .function = nat44_ed_classify_node_fn, - .name = "nat44-ed-classify", - .vector_size = sizeof (u32), - .format_trace = format_nat44_classify_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - .n_next_nodes = NAT44_CLASSIFY_N_NEXT, - .next_nodes = { - [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-ed-in2out", - [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-ed-out2in", - [NAT44_CLASSIFY_NEXT_DROP] = "error-drop", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_classify_node, - nat44_ed_classify_node_fn); - -static uword -nat44_det_classify_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return nat44_classify_node_fn_inline (vm, node, frame, 0); -}; - -VLIB_REGISTER_NODE (nat44_det_classify_node) = { - .function = nat44_det_classify_node_fn, - .name = "nat44-det-classify", - .vector_size = sizeof (u32), - .format_trace = format_nat44_classify_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - .n_next_nodes = NAT44_CLASSIFY_N_NEXT, - .next_nodes = { - [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out", - [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in", - [NAT44_CLASSIFY_NEXT_DROP] = "error-drop", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_det_classify_node, - nat44_det_classify_node_fn); - -static uword -nat44_handoff_classify_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return nat44_classify_node_fn_inline (vm, node, frame, 0); -}; - -VLIB_REGISTER_NODE (nat44_handoff_classify_node) = { - .function = nat44_handoff_classify_node_fn, - .name = "nat44-handoff-classify", - .vector_size = sizeof (u32), - 
.format_trace = format_nat44_classify_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - .n_next_nodes = NAT44_CLASSIFY_N_NEXT, - .next_nodes = { - [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff", - [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff", - [NAT44_CLASSIFY_NEXT_DROP] = "error-drop", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_handoff_classify_node, - nat44_handoff_classify_node_fn); - -/** - * @brief Add/del NAT address to FIB. - * - * Add the external NAT address to the FIB as receive entries. This ensures - * that VPP will reply to ARP for this address and we don't need to enable - * proxy ARP on the outside interface. - * - * @param addr IPv4 address. - * @param plen address prefix length - * @param sw_if_index Interface. - * @param is_add If 0 delete, otherwise add. - */ void snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index, - int is_add) + int is_add) { fib_prefix_t prefix = { .fp_len = p_len, .fp_proto = FIB_PROTOCOL_IP4, .fp_addr = { - .ip4.as_u32 = addr->as_u32, - }, + .ip4.as_u32 = addr->as_u32, + }, }; - u32 fib_index = ip4_fib_table_get_index_for_sw_if_index(sw_if_index); + u32 fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index); if (is_add) - fib_table_entry_update_one_path(fib_index, - &prefix, - FIB_SOURCE_PLUGIN_LOW, - (FIB_ENTRY_FLAG_CONNECTED | - FIB_ENTRY_FLAG_LOCAL | - FIB_ENTRY_FLAG_EXCLUSIVE), - DPO_PROTO_IP4, - NULL, - sw_if_index, - ~0, - 1, - NULL, - FIB_ROUTE_PATH_FLAG_NONE); + fib_table_entry_update_one_path (fib_index, + &prefix, + FIB_SOURCE_PLUGIN_LOW, + (FIB_ENTRY_FLAG_CONNECTED | + FIB_ENTRY_FLAG_LOCAL | + FIB_ENTRY_FLAG_EXCLUSIVE), + DPO_PROTO_IP4, + NULL, + sw_if_index, + ~0, 1, NULL, FIB_ROUTE_PATH_FLAG_NONE); else - fib_table_entry_delete(fib_index, - &prefix, - FIB_SOURCE_PLUGIN_LOW); + fib_table_entry_delete (fib_index, &prefix, FIB_SOURCE_PLUGIN_LOW); } -int snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, - u8 twice_nat) +int 
+snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id, + u8 twice_nat) { - snat_address_t * ap; + snat_address_t *ap; snat_interface_t *i; vlib_thread_main_t *tm = vlib_get_thread_main (); @@ -936,11 +462,13 @@ int snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, return VNET_API_ERROR_FEATURE_DISABLED; /* Check if address already exists */ + /* *INDENT-OFF* */ vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses) { if (ap->addr.as_u32 == addr->as_u32) return VNET_API_ERROR_VALUE_EXIST; } + /* *INDENT-ON* */ if (twice_nat) vec_add2 (sm->twice_nat_addresses, ap, 1); @@ -951,7 +479,7 @@ int snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, if (vrf_id != ~0) ap->fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id, - FIB_SOURCE_PLUGIN_LOW); + FIB_SOURCE_PLUGIN_LOW); else ap->fib_index = ~0; #define _(N, i, n, s) \ @@ -961,11 +489,11 @@ int snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0); foreach_snat_protocol #undef _ - - if (twice_nat) + if (twice_nat) return 0; /* Add external address to FIB */ + /* *INDENT-OFF* */ pool_foreach (i, sm->interfaces, ({ if (nat_interface_is_inside(i) || sm->out2in_dpo) 
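Review bot: nat_ed_session_alloc has no contract comment although its NULL return is the per-user quota that every caller must honour; suggest `/** Allocate a zeroed ED session for user u on thread_index and link it at the tail of the user's list; returns NULL (after logging and IPFIX report) once the user holds max_translations_per_user sessions. */`. Unlike nat_session_alloc_or_recycle directly above, this allocator never evicts, so the quota is a hard cap in endpoint-dependent mode, and stating that explicitly keeps the two allocators from being confused. Separately, the Doxygen block that documented snat_add_del_addr_to_fib is dropped in this hunk with no replacement visible; if it was not moved to the header it should be kept. The body of snat_add_address continues past the end of the hunk.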
@@ -982,42 +510,44 @@ int snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1); break; })); + /* *INDENT-ON* */ return 0; } -static int is_snat_address_used_in_static_mapping (snat_main_t *sm, - ip4_address_t addr) +static int +is_snat_address_used_in_static_mapping (snat_main_t * sm, ip4_address_t addr) { snat_static_mapping_t *m; + /* *INDENT-OFF* */ pool_foreach (m, sm->static_mappings, ({ if (m->external_addr.as_u32 == addr.as_u32) return 1; })); + /* *INDENT-ON* */ return 0; } -void increment_v4_address (ip4_address_t * a) +void +increment_v4_address (ip4_address_t * a) { u32 v; - v = clib_net_to_host_u32(a->as_u32) + 1; - a->as_u32 = clib_host_to_net_u32(v); + v = clib_net_to_host_u32 (a->as_u32) + 1; + a->as_u32 = clib_host_to_net_u32 (v); } static void snat_add_static_mapping_when_resolved (snat_main_t * sm, - ip4_address_t l_addr, - u16 l_port, - u32 sw_if_index, - u16 e_port, - u32 vrf_id, - snat_protocol_t proto, - int addr_only, - int is_add, - u8 * tag) + ip4_address_t l_addr, + u16 l_port, + u32 sw_if_index, + u16 e_port, + u32 vrf_id, + snat_protocol_t proto, + int addr_only, int is_add, u8 * tag) { snat_static_map_resolve_t *rp; @@ -1032,16 +562,19 @@ snat_add_static_mapping_when_resolved (snat_main_t * sm, rp->is_add = is_add; rp->tag = vec_dup (tag); } - -static u32 get_thread_idx_by_port(u16 e_port) + +static u32 +get_thread_idx_by_port (u16 e_port) { - snat_main_t * sm = &snat_main; - u32 thread_idx = sm->num_workers; - if (sm->num_workers > 1) + snat_main_t *sm = &snat_main; + u32 thread_idx = sm->num_workers; + if (sm->num_workers > 1) { - thread_idx = sm->first_worker_index + sm->workers[(e_port - 1024) / sm->port_per_thread]; - } - return thread_idx; + thread_idx = + sm->first_worker_index + + sm->workers[(e_port - 1024) / sm->port_per_thread]; + } + return thread_idx; } /** 
@@ -1067,103 +600,104 @@ static u32 get_thread_idx_by_port(u16 e_port) * * @returns */ -int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, - u16 l_port, u16 e_port, u32 vrf_id, int addr_only, - u32 sw_if_index, snat_protocol_t proto, int is_add, - twice_nat_type_t twice_nat, u8 out2in_only, - u8 * tag) +int +snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr, + u16 l_port, u16 e_port, u32 vrf_id, int addr_only, + u32 sw_if_index, snat_protocol_t proto, int is_add, + twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag) { - snat_main_t * sm = &snat_main; + snat_main_t *sm = &snat_main; snat_static_mapping_t *m; snat_session_key_t m_key; clib_bihash_kv_8_8_t kv, value; snat_address_t *a = 0; u32 fib_index = ~0; - uword * p; + uword *p; snat_interface_t *interface; int i; snat_main_per_thread_data_t *tsm; snat_user_key_t u_key; snat_user_t *u; - dlist_elt_t * head, * elt; + dlist_elt_t *head, *elt; u32 elt_index, head_index; u32 ses_index; u64 user_index; - snat_session_t * s; + snat_session_t *s; snat_static_map_resolve_t *rp, *rp_match = 0; if (!sm->endpoint_dependent) { if (twice_nat || out2in_only) - return VNET_API_ERROR_FEATURE_DISABLED; + return VNET_API_ERROR_FEATURE_DISABLED; } /* If the external address is a specific interface address */ if (sw_if_index != ~0) { - ip4_address_t * first_int_addr; + ip4_address_t *first_int_addr; for (i = 0; i < vec_len (sm->to_resolve); i++) - { - rp = sm->to_resolve + i; - if (rp->sw_if_index != sw_if_index || - rp->l_addr.as_u32 != l_addr.as_u32 || - rp->vrf_id != vrf_id || rp->addr_only != addr_only) - continue; + { + rp = sm->to_resolve + i; + if (rp->sw_if_index != sw_if_index || + rp->l_addr.as_u32 != l_addr.as_u32 || + rp->vrf_id != vrf_id || rp->addr_only != addr_only) + continue; - if (!addr_only) - { - if (rp->l_port != l_port || rp->e_port != e_port || rp->proto != proto) - continue; - } + if (!addr_only) + { + if (rp->l_port != l_port || rp->e_port != e_port + || rp->proto != 
proto) + continue; + } - rp_match = rp; - break; - } + rp_match = rp; + break; + } /* Might be already set... */ first_int_addr = ip4_interface_first_address - (sm->ip4_main, sw_if_index, 0 /* just want the address*/); + (sm->ip4_main, sw_if_index, 0 /* just want the address */ ); if (is_add) - { - if (rp_match) - return VNET_API_ERROR_VALUE_EXIST; + { + if (rp_match) + return VNET_API_ERROR_VALUE_EXIST; - snat_add_static_mapping_when_resolved - (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto, - addr_only, is_add, tag); + snat_add_static_mapping_when_resolved + (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto, + addr_only, is_add, tag); - /* DHCP resolution required? */ - if (first_int_addr == 0) - { - return 0; - } - else - { - e_addr.as_u32 = first_int_addr->as_u32; - /* Identity mapping? */ - if (l_addr.as_u32 == 0) - l_addr.as_u32 = e_addr.as_u32; - } - } + /* DHCP resolution required? */ + if (first_int_addr == 0) + { + return 0; + } + else + { + e_addr.as_u32 = first_int_addr->as_u32; + /* Identity mapping? */ + if (l_addr.as_u32 == 0) + l_addr.as_u32 = e_addr.as_u32; + } + } else - { - if (!rp_match) - return VNET_API_ERROR_NO_SUCH_ENTRY; + { + if (!rp_match) + return VNET_API_ERROR_NO_SUCH_ENTRY; - vec_del1 (sm->to_resolve, i); + vec_del1 (sm->to_resolve, i); - if (first_int_addr) - { - e_addr.as_u32 = first_int_addr->as_u32; - /* Identity mapping? */ - if (l_addr.as_u32 == 0) - l_addr.as_u32 = e_addr.as_u32; - } - else - return 0; - } + if (first_int_addr) + { + e_addr.as_u32 = first_int_addr->as_u32; + /* Identity mapping? */ + if (l_addr.as_u32 == 0) + l_addr.as_u32 = e_addr.as_u32; + } + else + return 0; + } } m_key.addr = e_addr; 
@@ -1179,49 +713,50 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, if (is_add) { if (m) - return VNET_API_ERROR_VALUE_EXIST; + return VNET_API_ERROR_VALUE_EXIST; if (twice_nat && addr_only) - return VNET_API_ERROR_UNSUPPORTED; + return VNET_API_ERROR_UNSUPPORTED; /* Convert VRF id to FIB index */ if (vrf_id != ~0) - { - p = hash_get (sm->ip4_main->fib_index_by_table_id, vrf_id); - if (!p) - return VNET_API_ERROR_NO_SUCH_FIB; - fib_index = p[0]; - } + { + p = hash_get (sm->ip4_main->fib_index_by_table_id, vrf_id); + if (!p) + return VNET_API_ERROR_NO_SUCH_FIB; + fib_index = p[0]; + } /* If not specified use inside VRF id from SNAT plugin startup config */ else - { - fib_index = sm->inside_fib_index; - vrf_id = sm->inside_vrf_id; - } + { + fib_index = sm->inside_fib_index; + vrf_id = sm->inside_vrf_id; + } if (!out2in_only) - { - m_key.addr = l_addr; - m_key.port = addr_only ? 0 : l_port; - m_key.protocol = addr_only ? 0 : proto; - m_key.fib_index = fib_index; - kv.key = m_key.as_u64; - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_local, &kv, &value)) - return VNET_API_ERROR_VALUE_EXIST; - } + { + m_key.addr = l_addr; + m_key.port = addr_only ? 0 : l_port; + m_key.protocol = addr_only ? 
0 : proto; + m_key.fib_index = fib_index; + kv.key = m_key.as_u64; + if (!clib_bihash_search_8_8 + (&sm->static_mapping_by_local, &kv, &value)) + return VNET_API_ERROR_VALUE_EXIST; + } /* Find external address in allocated addresses and reserve port for address and port pair mapping when dynamic translations enabled */ if (!(addr_only || sm->static_mapping_only || out2in_only)) - { - for (i = 0; i < vec_len (sm->addresses); i++) - { - if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) - { - a = sm->addresses + i; - /* External port must be unused */ - switch (proto) - { + { + for (i = 0; i < vec_len (sm->addresses); i++) + { + if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) + { + a = sm->addresses + i; + /* External port must be unused */ + switch (proto) + { #define _(N, j, n, s) \ case SNAT_PROTOCOL_##N: \ if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \ 
@@ -1233,38 +768,38 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \ } \ break; - foreach_snat_protocol + foreach_snat_protocol #undef _ - default: - nat_log_info ("unknown protocol"); - return VNET_API_ERROR_INVALID_VALUE_2; - } - break; - } - } - /* External address must be allocated */ - if (!a && (l_addr.as_u32 != e_addr.as_u32)) - { - if (sw_if_index != ~0) - { - for (i = 0; i < vec_len (sm->to_resolve); i++) - { - rp = sm->to_resolve + i; - if (rp->addr_only) - continue; - if (rp->sw_if_index != sw_if_index && - rp->l_addr.as_u32 != l_addr.as_u32 && - rp->vrf_id != vrf_id && rp->l_port != l_port && - rp->e_port != e_port && rp->proto != proto) - continue; - - vec_del1 (sm->to_resolve, i); - break; - } - } - return VNET_API_ERROR_NO_SUCH_ENTRY; - } - } + default: + nat_log_info ("unknown protocol"); + return VNET_API_ERROR_INVALID_VALUE_2; + } + break; + } + } + /* External address must be allocated */ + if (!a && (l_addr.as_u32 != e_addr.as_u32)) + { + if (sw_if_index != ~0) + { + for (i = 0; i < vec_len (sm->to_resolve); i++) + { + rp = sm->to_resolve + i; + if (rp->addr_only) + continue; + if (rp->sw_if_index != sw_if_index && + rp->l_addr.as_u32 != l_addr.as_u32 && + rp->vrf_id != vrf_id && rp->l_port != l_port && + rp->e_port != e_port && rp->proto != proto) + continue; + + vec_del1 (sm->to_resolve, i); + break; + } + } + return VNET_API_ERROR_NO_SUCH_ENTRY; + } + } pool_get (sm->static_mappings, m); memset (m, 0, sizeof (*m)); 
@@ -1277,22 +812,22 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, m->twice_nat = twice_nat; m->out2in_only = out2in_only; if (!addr_only) - { - m->local_port = l_port; - m->external_port = e_port; - m->proto = proto; - } + { + m->local_port = l_port; + m->external_port = e_port; + m->proto = proto; + } if (sm->num_workers > 1) - { - ip4_header_t ip = { - .src_address = m->local_addr, - }; - vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index)); - tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); - } + { + ip4_header_t ip = { + .src_address = m->local_addr, + }; + vec_add1 (m->workers, sm->worker_in2out_cb (&ip, m->fib_index)); + tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); + } else - tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); + tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); m_key.addr = m->local_addr; m_key.port = m->local_port; 
@@ -1301,74 +836,77 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, kv.key = m_key.as_u64; kv.value = m - sm->static_mappings; if (!out2in_only) - clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1); + clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1); m_key.addr = m->external_addr; m_key.port = m->external_port; m_key.fib_index = 0; kv.key = m_key.as_u64; kv.value = m - sm->static_mappings; - clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1); + clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1); /* Delete dynamic sessions matching local address (+ local port) */ if (!(sm->static_mapping_only)) - { - u_key.addr = m->local_addr; - u_key.fib_index = m->fib_index; - kv.key = u_key.as_u64; - if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) - { - user_index = value.value; - u = pool_elt_at_index (tsm->users, user_index); - if (u->nsessions) - { - head_index = u->sessions_per_user_list_head_index; - head = pool_elt_at_index (tsm->list_pool, head_index); - elt_index = head->next; - elt = pool_elt_at_index (tsm->list_pool, elt_index); - ses_index = elt->value; - while (ses_index != ~0) - { - s = pool_elt_at_index (tsm->sessions, ses_index); - elt = pool_elt_at_index (tsm->list_pool, elt->next); - ses_index = elt->value; - - if (snat_is_session_static (s)) - continue; - - if (!addr_only && (clib_net_to_host_u16 (s->in2out.port) != m->local_port)) - continue; - - nat_free_session_data (sm, s, tsm - sm->per_thread_data); - nat44_delete_session (sm, s, tsm - sm->per_thread_data); - - if (!addr_only && !sm->endpoint_dependent) - break; - } - } - } - } + { + u_key.addr = m->local_addr; + u_key.fib_index = m->fib_index; + kv.key = u_key.as_u64; + if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) + { + user_index = value.value; + u = pool_elt_at_index (tsm->users, user_index); + if (u->nsessions) + { + head_index = u->sessions_per_user_list_head_index; + head = pool_elt_at_index 
(tsm->list_pool, head_index); + elt_index = head->next; + elt = pool_elt_at_index (tsm->list_pool, elt_index); + ses_index = elt->value; + while (ses_index != ~0) + { + s = pool_elt_at_index (tsm->sessions, ses_index); + elt = pool_elt_at_index (tsm->list_pool, elt->next); + ses_index = elt->value; + + if (snat_is_session_static (s)) + continue; + + if (!addr_only + && (clib_net_to_host_u16 (s->in2out.port) != + m->local_port)) + continue; + + nat_free_session_data (sm, s, + tsm - sm->per_thread_data); + nat44_delete_session (sm, s, tsm - sm->per_thread_data); + + if (!addr_only && !sm->endpoint_dependent) + break; + } + } + } + } } else { if (!m) - { - if (sw_if_index != ~0) - return 0; - else - return VNET_API_ERROR_NO_SUCH_ENTRY; - } + { + if (sw_if_index != ~0) + return 0; + else + return VNET_API_ERROR_NO_SUCH_ENTRY; + } /* Free external address port */ if (!(addr_only || sm->static_mapping_only || out2in_only)) - { - for (i = 0; i < vec_len (sm->addresses); i++) - { - if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) - { - a = sm->addresses + i; - switch (proto) - { + { + for (i = 0; i < vec_len (sm->addresses); i++) + { + if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) + { + a = sm->addresses + i; + switch (proto) + { #define _(N, j, n, s) \ case SNAT_PROTOCOL_##N: \ clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \ 
@@ -1378,21 +916,21 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \ } \ break; - foreach_snat_protocol + foreach_snat_protocol #undef _ - default: - nat_log_info ("unknown protocol"); - return VNET_API_ERROR_INVALID_VALUE_2; - } - break; - } - } - } + default: + nat_log_info ("unknown protocol"); + return VNET_API_ERROR_INVALID_VALUE_2; + } + break; + } + } + } if (sm->num_workers > 1) - tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); + tsm = vec_elt_at_index (sm->per_thread_data, m->workers[0]); else - tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); + tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers); m_key.addr = m->local_addr; m_key.port = m->local_port; 
@@ -1400,60 +938,62 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, m_key.fib_index = m->fib_index; kv.key = m_key.as_u64; if (!out2in_only) - clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0); + clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 0); m_key.addr = m->external_addr; m_key.port = m->external_port; m_key.fib_index = 0; kv.key = m_key.as_u64; - clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0); + clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0); /* Delete session(s) for static mapping if exist */ if (!(sm->static_mapping_only) || - (sm->static_mapping_only && sm->static_mapping_connection_tracking)) - { - u_key.addr = m->local_addr; - u_key.fib_index = m->fib_index; - kv.key = u_key.as_u64; - if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) - { - user_index = value.value; - u = pool_elt_at_index (tsm->users, user_index); - if (u->nstaticsessions) - { - head_index = u->sessions_per_user_list_head_index; - head = pool_elt_at_index (tsm->list_pool, head_index); - elt_index = head->next; - elt = pool_elt_at_index (tsm->list_pool, elt_index); - ses_index = elt->value; - while (ses_index != ~0) - { - s = pool_elt_at_index (tsm->sessions, ses_index); - elt = pool_elt_at_index (tsm->list_pool, elt->next); - ses_index = elt->value; - - if (!addr_only) - { - if ((s->out2in.addr.as_u32 != e_addr.as_u32) || - (clib_net_to_host_u16 (s->out2in.port) != e_port)) - continue; - } - - if (is_lb_session (s)) - continue; - - if (!snat_is_session_static (s)) - continue; - - nat_free_session_data (sm, s, tsm - sm->per_thread_data); - nat44_delete_session (sm, s, tsm - sm->per_thread_data); - - if (!addr_only && !sm->endpoint_dependent) - break; - } - } - } - } + (sm->static_mapping_only && sm->static_mapping_connection_tracking)) + { + u_key.addr = m->local_addr; + u_key.fib_index = m->fib_index; + kv.key = u_key.as_u64; + if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value)) + { 
+ user_index = value.value; + u = pool_elt_at_index (tsm->users, user_index); + if (u->nstaticsessions) + { + head_index = u->sessions_per_user_list_head_index; + head = pool_elt_at_index (tsm->list_pool, head_index); + elt_index = head->next; + elt = pool_elt_at_index (tsm->list_pool, elt_index); + ses_index = elt->value; + while (ses_index != ~0) + { + s = pool_elt_at_index (tsm->sessions, ses_index); + elt = pool_elt_at_index (tsm->list_pool, elt->next); + ses_index = elt->value; + + if (!addr_only) + { + if ((s->out2in.addr.as_u32 != e_addr.as_u32) || + (clib_net_to_host_u16 (s->out2in.port) != + e_port)) + continue; + } + + if (is_lb_session (s)) + continue; + + if (!snat_is_session_static (s)) + continue; + + nat_free_session_data (sm, s, + tsm - sm->per_thread_data); + nat44_delete_session (sm, s, tsm - sm->per_thread_data); + + if (!addr_only && !sm->endpoint_dependent) + break; + } + } + } + } vec_free (m->tag); vec_free (m->workers); @@ -1465,6 +1005,7 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, return 0; /* Add/delete external address to FIB */ + /* *INDENT-OFF* */ pool_foreach (interface, sm->interfaces, ({ if (nat_interface_is_inside(interface) || sm->out2in_dpo) 
@@ -1481,17 +1022,19 @@ int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add); break; })); + /* *INDENT-ON* */ return 0; } -int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, - snat_protocol_t proto, - nat44_lb_addr_port_t *locals, u8 is_add, - twice_nat_type_t twice_nat, u8 out2in_only, - u8 *tag, u32 affinity) +int +nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, + snat_protocol_t proto, + nat44_lb_addr_port_t * locals, u8 is_add, + twice_nat_type_t twice_nat, u8 out2in_only, + u8 * tag, u32 affinity) { - snat_main_t * sm = &snat_main; + snat_main_t *sm = &snat_main; snat_static_mapping_t *m; snat_session_key_t m_key; clib_bihash_kv_8_8_t kv, value; @@ -1502,8 +1045,8 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, snat_main_per_thread_data_t *tsm; snat_user_key_t u_key; snat_user_t *u; - snat_session_t * s; - dlist_elt_t * head, * elt; + snat_session_t *s; + dlist_elt_t *head, *elt; uword *bitmap = 0; if (!sm->endpoint_dependent) 
@@ -1522,23 +1065,23 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, if (is_add) { if (m) - return VNET_API_ERROR_VALUE_EXIST; + return VNET_API_ERROR_VALUE_EXIST; if (vec_len (locals) < 2) - return VNET_API_ERROR_INVALID_VALUE; + return VNET_API_ERROR_INVALID_VALUE; /* Find external address in allocated addresses and reserve port for address and port pair mapping when dynamic translations enabled */ if (!(sm->static_mapping_only || out2in_only)) - { - for (i = 0; i < vec_len (sm->addresses); i++) - { - if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) - { - a = sm->addresses + i; - /* External port must be unused */ - switch (proto) - { + { + for (i = 0; i < vec_len (sm->addresses); i++) + { + if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) + { + a = sm->addresses + i; + /* External port must be unused */ + switch (proto) + { #define _(N, j, n, s) \ case SNAT_PROTOCOL_##N: \ if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \ @@ -1550,19 +1093,19 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]++; \ } \ break; - foreach_snat_protocol + foreach_snat_protocol #undef _ - default: - nat_log_info ("unknown protocol"); - return VNET_API_ERROR_INVALID_VALUE_2; - } - break; - } - } - /* External address must be allocated */ - if (!a) - return VNET_API_ERROR_NO_SUCH_ENTRY; - } + default: + nat_log_info ("unknown protocol"); + return VNET_API_ERROR_INVALID_VALUE_2; + } + break; + } + } + /* External address must be allocated */ + if (!a) + return VNET_API_ERROR_NO_SUCH_ENTRY; + } pool_get (sm->static_mappings, m); memset (m, 0, sizeof (*m)); 
@@ -1576,10 +1119,10 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, m->affinity = affinity; if (affinity) - m->affinity_per_service_list_head_index = - nat_affinity_get_per_service_list_head_index(); + m->affinity_per_service_list_head_index = + nat_affinity_get_per_service_list_head_index (); else - m->affinity_per_service_list_head_index = ~0; + m->affinity_per_service_list_head_index = ~0; m_key.addr = m->external_addr; m_key.port = m->external_port; 
@@ -1587,63 +1130,68 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, m_key.fib_index = 0; kv.key = m_key.as_u64; kv.value = m - sm->static_mappings; - if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1)) - { - nat_log_err ("static_mapping_by_external key add failed"); - return VNET_API_ERROR_UNSPECIFIED; - } + if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 1)) + { + nat_log_err ("static_mapping_by_external key add failed"); + return VNET_API_ERROR_UNSPECIFIED; + } m_key.fib_index = m->fib_index; for (i = 0; i < vec_len (locals); i++) - { - locals[i].fib_index = fib_table_find_or_create_and_lock ( - FIB_PROTOCOL_IP4, locals[i].vrf_id, FIB_SOURCE_PLUGIN_LOW); - m_key.addr = locals[i].addr; - m_key.fib_index = locals[i].fib_index; - if (!out2in_only) - { - m_key.port = locals[i].port; - kv.key = m_key.as_u64; - kv.value = m - sm->static_mappings; - clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1); - } - locals[i].prefix = (i == 0) ? locals[i].probability :\ - (locals[i - 1].prefix + locals[i].probability); - vec_add1 (m->locals, locals[i]); - if (sm->num_workers > 1) - { - ip4_header_t ip = { - .src_address = locals[i].addr, - }; - bitmap = clib_bitmap_set ( - bitmap, sm->worker_in2out_cb (&ip, m->fib_index), 1); - } - } + { + locals[i].fib_index = + fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, + locals[i].vrf_id, + FIB_SOURCE_PLUGIN_LOW); + m_key.addr = locals[i].addr; + m_key.fib_index = locals[i].fib_index; + if (!out2in_only) + { + m_key.port = locals[i].port; + kv.key = m_key.as_u64; + kv.value = m - sm->static_mappings; + clib_bihash_add_del_8_8 (&sm->static_mapping_by_local, &kv, 1); + } + locals[i].prefix = (i == 0) ? 
locals[i].probability : + (locals[i - 1].prefix + locals[i].probability); + vec_add1 (m->locals, locals[i]); + if (sm->num_workers > 1) + { + ip4_header_t ip = { + .src_address = locals[i].addr, + }; + bitmap = + clib_bitmap_set (bitmap, + sm->worker_in2out_cb (&ip, m->fib_index), 1); + } + } /* Assign workers */ if (sm->num_workers > 1) - { + { + /* *INDENT-OFF* */ clib_bitmap_foreach (i, bitmap, ({ vec_add1(m->workers, i); })); - } + /* *INDENT-ON* */ + } } else { if (!m) - return VNET_API_ERROR_NO_SUCH_ENTRY; + return VNET_API_ERROR_NO_SUCH_ENTRY; /* Free external address port */ if (!(sm->static_mapping_only || out2in_only)) - { - for (i = 0; i < vec_len (sm->addresses); i++) - { - if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) - { - a = sm->addresses + i; - switch (proto) - { + { + for (i = 0; i < vec_len (sm->addresses); i++) + { + if (sm->addresses[i].addr.as_u32 == e_addr.as_u32) + { + a = sm->addresses + i; + switch (proto) + { #define _(N, j, n, s) \ case SNAT_PROTOCOL_##N: \ clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \ 
@@ -1653,28 +1201,29 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, a->busy_##n##_ports_per_thread[get_thread_idx_by_port(e_port)]--; \ } \ break; - foreach_snat_protocol + foreach_snat_protocol #undef _ - default: - nat_log_info ("unknown protocol"); - return VNET_API_ERROR_INVALID_VALUE_2; - } - break; - } - } - } + default: + nat_log_info ("unknown protocol"); + return VNET_API_ERROR_INVALID_VALUE_2; + } + break; + } + } + } m_key.addr = m->external_addr; m_key.port = m->external_port; m_key.protocol = m->proto; m_key.fib_index = 0; kv.key = m_key.as_u64; - if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0)) - { - nat_log_err ("static_mapping_by_external key del failed"); - return VNET_API_ERROR_UNSPECIFIED; - } + if (clib_bihash_add_del_8_8 (&sm->static_mapping_by_external, &kv, 0)) + { + nat_log_err ("static_mapping_by_external key del failed"); + return VNET_API_ERROR_UNSPECIFIED; + } + /* *INDENT-OFF* */ vec_foreach (local, m->locals) { fib_table_unlock (local->fib_index, FIB_PROTOCOL_IP4, @@ -1736,11 +1285,12 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, } } } + /* *INDENT-ON* */ if (m->affinity) - nat_affinity_flush_service (m->affinity_per_service_list_head_index); - vec_free(m->locals); - vec_free(m->tag); - vec_free(m->workers); + nat_affinity_flush_service (m->affinity_per_service_list_head_index); + vec_free (m->locals); + vec_free (m->tag); + vec_free (m->workers); pool_put (sm->static_mappings, m); } @@ -1749,8 +1299,8 @@ int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, } int -snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, - u8 twice_nat) +snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm, + u8 twice_nat) { snat_address_t *a = 0; snat_session_t *ses; 
@@ -1759,22 +1309,24 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, snat_static_mapping_t *m; snat_interface_t *interface; int i; - snat_address_t *addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses; + snat_address_t *addresses = + twice_nat ? sm->twice_nat_addresses : sm->addresses; /* Find SNAT address */ - for (i=0; i < vec_len (addresses); i++) + for (i = 0; i < vec_len (addresses); i++) { if (addresses[i].addr.as_u32 == addr.as_u32) - { - a = addresses + i; - break; - } + { + a = addresses + i; + break; + } } if (!a) return VNET_API_ERROR_NO_SUCH_ENTRY; if (delete_sm) { + /* *INDENT-OFF* */ pool_foreach (m, sm->static_mappings, ({ if (m->external_addr.as_u32 == addr.as_u32) @@ -1784,30 +1336,30 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, m->proto, 0, m->twice_nat, m->out2in_only, m->tag); })); + /* *INDENT-ON* */ } else { /* Check if address is used in some static mapping */ - if (is_snat_address_used_in_static_mapping(sm, addr)) - { - nat_log_notice ("address used in static mapping"); - return VNET_API_ERROR_UNSPECIFIED; - } + if (is_snat_address_used_in_static_mapping (sm, addr)) + { + nat_log_notice ("address used in static mapping"); + return VNET_API_ERROR_UNSPECIFIED; + } } if (a->fib_index != ~0) - fib_table_unlock(a->fib_index, FIB_PROTOCOL_IP4, - FIB_SOURCE_PLUGIN_LOW); + fib_table_unlock (a->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_LOW); /* Delete sessions using address */ if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports) { + /* *INDENT-OFF* */ vec_foreach (tsm, sm->per_thread_data) { pool_foreach (ses, tsm->sessions, ({ if (ses->out2in.addr.as_u32 == addr.as_u32) { - ses->outside_address_index = ~0; nat_free_session_data (sm, ses, tsm - sm->per_thread_data); vec_add1 (ses_to_be_removed, ses - tsm->sessions); } 
@@ -1820,7 +1372,8 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, } vec_free (ses_to_be_removed); - } + } + /* *INDENT-ON* */ } #define _(N, i, n, s) \ @@ -1828,8 +1381,7 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, vec_free (a->busy_##n##_ports_per_thread); foreach_snat_protocol #undef _ - - if (twice_nat) + if (twice_nat) { vec_del1 (sm->twice_nat_addresses, i); return 0; @@ -1838,6 +1390,7 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, vec_del1 (sm->addresses, i); /* Delete external address from FIB */ + /* *INDENT-OFF* */ pool_foreach (interface, sm->interfaces, ({ if (nat_interface_is_inside(interface) || sm->out2in_dpo) 
@@ -1854,55 +1407,62 @@ snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm, snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0); break; })); + /* *INDENT-ON* */ return 0; } -int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) +int +snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) { snat_main_t *sm = &snat_main; snat_interface_t *i; - const char * feature_name, *del_feature_name; - snat_address_t * ap; - snat_static_mapping_t * m; - snat_det_map_t * dm; + const char *feature_name, *del_feature_name; + snat_address_t *ap; + snat_static_mapping_t *m; + snat_det_map_t *dm; nat_outside_fib_t *outside_fib; u32 fib_index = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index); + sw_if_index); if (sm->out2in_dpo && !is_inside) return VNET_API_ERROR_UNSUPPORTED; + /* *INDENT-OFF* */ pool_foreach (i, sm->output_feature_interfaces, ({ if (i->sw_if_index == sw_if_index) return VNET_API_ERROR_VALUE_EXIST; })); + /* *INDENT-ON* */ if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)) - feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast"; + feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast"; else { if (sm->num_workers > 1 && !sm->deterministic) - feature_name = is_inside ? "nat44-in2out-worker-handoff" : "nat44-out2in-worker-handoff"; + feature_name = + is_inside ? "nat44-in2out-worker-handoff" : + "nat44-out2in-worker-handoff"; else if (sm->deterministic) - feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in"; + feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in"; else if (sm->endpoint_dependent) - feature_name = is_inside ? "nat44-ed-in2out" : "nat44-ed-out2in"; + feature_name = is_inside ? "nat44-ed-in2out" : "nat44-ed-out2in"; else - feature_name = is_inside ? "nat44-in2out" : "nat44-out2in"; + feature_name = is_inside ? 
"nat44-in2out" : "nat44-out2in"; } if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1) sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, - NAT_FQ_NELTS); + NAT_FQ_NELTS); if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1) sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, - NAT_FQ_NELTS); + NAT_FQ_NELTS); if (!is_inside) { + /* *INDENT-OFF* */ vec_foreach (outside_fib, sm->outside_fibs) { if (outside_fib->fib_index == fib_index) @@ -1918,14 +1478,16 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del) goto feature_set; } } + /* *INDENT-ON* */ if (!is_del) - { - vec_add2 (sm->outside_fibs, outside_fib, 1); - outside_fib->refcount = 1; - outside_fib->fib_index = fib_index; - } + { + vec_add2 (sm->outside_fibs, outside_fib, 1); + outside_fib->refcount = 1; + outside_fib->fib_index = fib_index; + } } feature_set: + /* *INDENT-OFF* */ pool_foreach (i, sm->interfaces, ({ if (i->sw_if_index == sw_if_index) @@ -2046,6 +1608,7 @@ feature_set: goto fib; } })); + /* *INDENT-ON* */ if (is_del) return VNET_API_ERROR_NO_SUCH_ENTRY; @@ -2053,16 +1616,17 @@ feature_set: pool_get (sm->interfaces, i); i->sw_if_index = sw_if_index; i->flags = 0; - vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0); + vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, + 0); if (is_inside && !sm->out2in_dpo) { if (sm->endpoint_dependent) - vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning", - sw_if_index, 1, 0, 0); + vnet_feature_enable_disable ("ip4-local", "nat44-ed-hairpinning", + sw_if_index, 1, 0, 0); else if (!sm->deterministic) - vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", - sw_if_index, 1, 0, 0); + vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning", + sw_if_index, 1, 0, 0); } set_flags: 
@@ -2076,6 +1640,7 @@ set_flags: /* Add/delete external addresses to FIB */ fib: + /* *INDENT-OFF* */ vec_foreach (ap, sm->addresses) snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del); 
@@ -2091,73 +1656,76 @@ fib: ({ snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del); })); + /* *INDENT-ON* */ return 0; } -int snat_interface_add_del_output_feature (u32 sw_if_index, - u8 is_inside, - int is_del) +int +snat_interface_add_del_output_feature (u32 sw_if_index, + u8 is_inside, int is_del) { snat_main_t *sm = &snat_main; snat_interface_t *i; - snat_address_t * ap; - snat_static_mapping_t * m; + snat_address_t *ap; + snat_static_mapping_t *m; if (sm->deterministic || (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))) return VNET_API_ERROR_UNSUPPORTED; + /* *INDENT-OFF* */ pool_foreach (i, sm->interfaces, ({ if (i->sw_if_index == sw_if_index) return VNET_API_ERROR_VALUE_EXIST; })); + /* *INDENT-ON* */ if (is_inside) { if (sm->endpoint_dependent) - { - vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst", - sw_if_index, !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src", - sw_if_index, !is_del, 0, 0); - } + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-hairpin-dst", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-ed-hairpin-src", + sw_if_index, !is_del, 0, 0); + } else - { - vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst", - sw_if_index, !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src", - sw_if_index, !is_del, 0, 0); - } + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src", + sw_if_index, !is_del, 0, 0); + } goto fq; } if (sm->num_workers > 1) { vnet_feature_enable_disable ("ip4-unicast", - "nat44-out2in-worker-handoff", - sw_if_index, !is_del, 0, 0); + "nat44-out2in-worker-handoff", + sw_if_index, !is_del, 0, 0); vnet_feature_enable_disable ("ip4-output", - "nat44-in2out-output-worker-handoff", - sw_if_index, !is_del, 0, 0); + 
"nat44-in2out-output-worker-handoff", + sw_if_index, !is_del, 0, 0); } else { if (sm->endpoint_dependent) - { - vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-out2in", - sw_if_index, !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output", - sw_if_index, !is_del, 0, 0); - } + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-ed-out2in", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-ed-in2out-output", + sw_if_index, !is_del, 0, 0); + } else - { - vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", - sw_if_index, !is_del, 0, 0); - vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output", - sw_if_index, !is_del, 0, 0); - } + { + vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", + sw_if_index, !is_del, 0, 0); + vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output", + sw_if_index, !is_del, 0, 0); + } } fq: @@ -2166,8 +1734,10 @@ fq: vlib_frame_queue_main_init (sm->in2out_output_node_index, 0); if (sm->fq_out2in_index == ~0 && sm->num_workers > 1) - sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0); + sm->fq_out2in_index = + vlib_frame_queue_main_init (sm->out2in_node_index, 0); + /* *INDENT-OFF* */ pool_foreach (i, sm->output_feature_interfaces, ({ if (i->sw_if_index == sw_if_index) @@ -2180,6 +1750,7 @@ fq: goto fib; } })); + /* *INDENT-ON* */ if (is_del) return VNET_API_ERROR_NO_SUCH_ENTRY; @@ -2197,6 +1768,7 @@ fib: if (is_inside) return 0; + /* *INDENT-OFF* */ vec_foreach (ap, sm->addresses) snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del); @@ -2207,11 +1779,13 @@ fib: snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del); })); + /* *INDENT-ON* */ return 0; } -int snat_set_workers (uword * bitmap) +int +snat_set_workers (uword * bitmap) { snat_main_t *sm = &snat_main; int i, j = 0; 
@@ -2223,12 +1797,14 @@ int snat_set_workers (uword * bitmap) return VNET_API_ERROR_INVALID_WORKER; vec_free (sm->workers); + /* *INDENT-OFF* */ clib_bitmap_foreach (i, bitmap, ({ vec_add1(sm->workers, i); sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j; j++; })); + /* *INDENT-ON* */ sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers); sm->num_snat_thread = _vec_len (sm->workers); 
@@ -2239,47 +1815,44 @@ int snat_set_workers (uword * bitmap) static void snat_ip4_add_del_interface_address_cb (ip4_main_t * im, - uword opaque, - u32 sw_if_index, - ip4_address_t * address, - u32 address_length, - u32 if_address_index, - u32 is_delete); + uword opaque, + u32 sw_if_index, + ip4_address_t * address, + u32 address_length, + u32 if_address_index, u32 is_delete); static void nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im, - uword opaque, - u32 sw_if_index, - ip4_address_t * address, - u32 address_length, - u32 if_address_index, - u32 is_delete); + uword opaque, + u32 sw_if_index, + ip4_address_t * address, + u32 address_length, + u32 if_address_index, u32 is_delete); static int nat_alloc_addr_and_port_default (snat_address_t * addresses, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp, - u16 port_per_thread, - u32 snat_thread_index); - -static clib_error_t * snat_init (vlib_main_t * vm) + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u16 port_per_thread, u32 snat_thread_index); + +static clib_error_t * +snat_init (vlib_main_t * vm) { - snat_main_t * sm = &snat_main; - clib_error_t * error = 0; - ip4_main_t * im = &ip4_main; - ip_lookup_main_t * lm = &im->lookup_main; + snat_main_t *sm = &snat_main; + clib_error_t *error = 0; + ip4_main_t *im = &ip4_main; + ip_lookup_main_t *lm = &im->lookup_main; uword *p; vlib_thread_registration_t *tr; vlib_thread_main_t *tm = vlib_get_thread_main (); uword *bitmap = 0; u32 i; ip4_add_del_interface_address_callback_t cb4; - vlib_node_t * error_drop_node; + vlib_node_t *error_drop_node; sm->vlib_main = vm; - sm->vnet_main = vnet_get_main(); + sm->vnet_main = vnet_get_main (); sm->ip4_main = im; sm->ip4_lookup_main = lm; sm->api_main = &api_main; 
@@ -2307,10 +1880,10 @@ static clib_error_t * snat_init (vlib_main_t * vm) { tr = (vlib_thread_registration_t *) p[0]; if (tr) - { - sm->num_workers = tr->count; - sm->first_worker_index = tr->first_index; - } + { + sm->num_workers = tr->count; + sm->first_worker_index = tr->first_index; + } } vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1); @@ -2318,9 +1891,9 @@ static clib_error_t * snat_init (vlib_main_t * vm) /* Use all available workers by default */ if (sm->num_workers > 1) { - for (i=0; i < sm->num_workers; i++) - bitmap = clib_bitmap_set (bitmap, i, 1); - snat_set_workers(bitmap); + for (i = 0; i < sm->num_workers; i++) + bitmap = clib_bitmap_set (bitmap, i, 1); + snat_set_workers (bitmap); clib_bitmap_free (bitmap); } else @@ -2328,7 +1901,7 @@ static clib_error_t * snat_init (vlib_main_t * vm) sm->per_thread_data[0].snat_thread_index = 0; } - error = snat_api_init(vm, sm); + error = snat_api_init (vm, sm); if (error) return error; 
@@ -2346,35 +1919,36 @@ static clib_error_t * snat_init (vlib_main_t * vm) nat_dpo_module_init (); /* Init IPFIX logging */ - snat_ipfix_logging_init(vm); + snat_ipfix_logging_init (vm); /* Init NAT64 */ - error = nat64_init(vm); + error = nat64_init (vm); if (error) return error; - dslite_init(vm); + dslite_init (vm); - nat66_init(); + nat66_init (); /* Init virtual fragmenentation reassembly */ - return nat_reass_init(vm); + return nat_reass_init (vm); } VLIB_INIT_FUNCTION (snat_init); -void snat_free_outside_address_and_port (snat_address_t * addresses, - u32 thread_index, - snat_session_key_t * k) +void +snat_free_outside_address_and_port (snat_address_t * addresses, + u32 thread_index, snat_session_key_t * k) { snat_address_t *a; u32 address_index; u16 port_host_byte_order = clib_net_to_host_u16 (k->port); - for (address_index = 0; address_index < vec_len (addresses); address_index++) + for (address_index = 0; address_index < vec_len (addresses); + address_index++) { if (addresses[address_index].addr.as_u32 == k->addr.as_u32) - break; + break; } ASSERT (address_index < vec_len (addresses)); 
@@ -2400,28 +1974,14 @@ void snat_free_outside_address_and_port (snat_address_t * addresses, } } -/** - * @brief Match NAT44 static mapping. - * - * @param sm NAT main. - * @param match Address and port to match. - * @param mapping External or local address and port of the matched mapping. - * @param by_external If 0 match by local address otherwise match by external - * address. - * @param is_addr_only If matched mapping is address only - * @param twice_nat If matched mapping is twice NAT. - * @param lb If matched mapping is load-balanced. - * - * @returns 0 if match found otherwise 1. - */ -int snat_static_mapping_match (snat_main_t * sm, - snat_session_key_t match, - snat_session_key_t * mapping, - u8 by_external, - u8 *is_addr_only, - twice_nat_type_t *twice_nat, - lb_nat_type_t *lb, - ip4_address_t * ext_host_addr) +int +snat_static_mapping_match (snat_main_t * sm, + snat_session_key_t match, + snat_session_key_t * mapping, + u8 by_external, + u8 * is_addr_only, + twice_nat_type_t * twice_nat, + lb_nat_type_t * lb, ip4_address_t * ext_host_addr) { clib_bihash_kv_8_8_t kv, value; snat_static_mapping_t *m; @@ -2450,7 +2010,7 @@ int snat_static_mapping_match (snat_main_t * sm, m_key.protocol = 0; kv.key = m_key.as_u64; if (clib_bihash_search_8_8 (mapping_hash, &kv, &value)) - return 1; + return 1; } m = pool_elt_at_index (sm->static_mappings, value.value); 
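Review bot: The Doxygen block for snat_static_mapping_match (purpose, by_external semantics, the 0/1 return) is deleted in this hunk and nothing in the chunk replaces it; unless it was moved onto the prototype in nat.h as part of this commit, it should be restored rather than dropped, as this is the lookup every data-path node relies on. While restoring it, document the parameter the old block already missed, e.g. `@param ext_host_addr External host address, used for the affinity load-balancing lookups when the matched mapping has affinity set.`, and keep `@returns 0 if match found otherwise 1.` since callers test the result as a boolean. The function body continues past this hunk.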
@@ -2458,59 +2018,63 @@ int snat_static_mapping_match (snat_main_t * sm, if (by_external) { if (vec_len (m->locals)) - { - if (PREDICT_FALSE(lb != 0)) - *lb = m->affinity ? AFFINITY_LB_NAT : LB_NAT; - if (m->affinity) - { - if (nat_affinity_find_and_lock (ext_host_addr[0], match.addr, - match.protocol, match.port, &backend_index)) - goto get_local; - - mapping->addr = m->locals[backend_index].addr; - mapping->port = clib_host_to_net_u16 (m->locals[backend_index].port); - mapping->fib_index = m->locals[backend_index].fib_index; - goto end; - } -get_local: - hi = vec_len (m->locals) - 1; - rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix); - while (lo < hi) - { - mid = ((hi - lo) >> 1) + lo; - (rand > m->locals[mid].prefix) ? (lo = mid + 1) : (hi = mid); - } - if (!(m->locals[lo].prefix >= rand)) - return 1; - if (PREDICT_FALSE (sm->num_workers > 1)) - { - ip4_header_t ip = { - .src_address = m->locals[lo].addr, - }; - if (sm->worker_in2out_cb (&ip, m->fib_index) != vlib_get_thread_index ()) - goto get_local; - } - mapping->addr = m->locals[lo].addr; - mapping->port = clib_host_to_net_u16 (m->locals[lo].port); - mapping->fib_index = m->locals[lo].fib_index; - if (m->affinity) - { - if (nat_affinity_create_and_lock (ext_host_addr[0], match.addr, - match.protocol, match.port, lo, m->affinity, - m->affinity_per_service_list_head_index)) - nat_log_info ("create affinity record failed"); - } - } + { + if (PREDICT_FALSE (lb != 0)) + *lb = m->affinity ? 
AFFINITY_LB_NAT : LB_NAT; + if (m->affinity) + { + if (nat_affinity_find_and_lock (ext_host_addr[0], match.addr, + match.protocol, match.port, + &backend_index)) + goto get_local; + + mapping->addr = m->locals[backend_index].addr; + mapping->port = + clib_host_to_net_u16 (m->locals[backend_index].port); + mapping->fib_index = m->locals[backend_index].fib_index; + goto end; + } + get_local: + hi = vec_len (m->locals) - 1; + rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix); + while (lo < hi) + { + mid = ((hi - lo) >> 1) + lo; + (rand > m->locals[mid].prefix) ? (lo = mid + 1) : (hi = mid); + } + if (!(m->locals[lo].prefix >= rand)) + return 1; + if (PREDICT_FALSE (sm->num_workers > 1)) + { + ip4_header_t ip = { + .src_address = m->locals[lo].addr, + }; + if (sm->worker_in2out_cb (&ip, m->fib_index) != + vlib_get_thread_index ()) + goto get_local; + } + mapping->addr = m->locals[lo].addr; + mapping->port = clib_host_to_net_u16 (m->locals[lo].port); + mapping->fib_index = m->locals[lo].fib_index; + if (m->affinity) + { + if (nat_affinity_create_and_lock (ext_host_addr[0], match.addr, + match.protocol, match.port, + lo, m->affinity, + m->affinity_per_service_list_head_index)) + nat_log_info ("create affinity record failed"); + } + } else - { - if (PREDICT_FALSE(lb != 0)) - *lb = NO_LB_NAT; - mapping->fib_index = m->fib_index; - mapping->addr = m->local_addr; - /* Address only mapping doesn't change port */ - mapping->port = m->addr_only ? match.port - : clib_host_to_net_u16 (m->local_port); - } + { + if (PREDICT_FALSE (lb != 0)) + *lb = NO_LB_NAT; + mapping->fib_index = m->fib_index; + mapping->addr = m->local_addr; + /* Address only mapping doesn't change port */ + mapping->port = m->addr_only ? match.port + : clib_host_to_net_u16 (m->local_port); + } mapping->protocol = m->proto; } else 
@@ -2518,15 +2082,15 @@ get_local: mapping->addr = m->external_addr; /* Address only mapping doesn't change port */ mapping->port = m->addr_only ? match.port - : clib_host_to_net_u16 (m->external_port); + : clib_host_to_net_u16 (m->external_port); mapping->fib_index = sm->outside_fib_index; } end: - if (PREDICT_FALSE(is_addr_only != 0)) + if (PREDICT_FALSE (is_addr_only != 0)) *is_addr_only = m->addr_only; - if (PREDICT_FALSE(twice_nat != 0)) + if (PREDICT_FALSE (twice_nat != 0)) *twice_nat = m->twice_nat; return 0; @@ -2537,35 +2101,31 @@ snat_random_port (u16 min, u16 max) { snat_main_t *sm = &snat_main; return min + random_u32 (&sm->random_seed) / - (random_u32_max() / (max - min + 1) + 1); + (random_u32_max () / (max - min + 1) + 1); } int snat_alloc_outside_address_and_port (snat_address_t * addresses, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp, - u16 port_per_thread, - u32 snat_thread_index) + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u16 port_per_thread, + u32 snat_thread_index) { snat_main_t *sm = &snat_main; - return sm->alloc_addr_and_port(addresses, fib_index, thread_index, k, - address_indexp, port_per_thread, - snat_thread_index); + return sm->alloc_addr_and_port (addresses, fib_index, thread_index, k, + port_per_thread, snat_thread_index); } static int nat_alloc_addr_and_port_default (snat_address_t * addresses, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp, - u16 port_per_thread, - u32 snat_thread_index) + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u16 port_per_thread, u32 snat_thread_index) { - int i, gi = 0; + int i; snat_address_t *a, *ga = 0; u32 portnum; @@ -2573,7 +2133,7 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, { a = addresses + i; switch (k->protocol) - { + { #define _(N, j, n, s) \ case SNAT_PROTOCOL_##N: \ if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \ 
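Review bot: Removing `u32 * address_indexp` from snat_alloc_outside_address_and_port and nat_alloc_addr_and_port_default changes the `sm->alloc_addr_and_port` callback contract, yet neither function states what the caller now gets back; with the index gone, `k->addr`/`k->port` are the only outputs, and a caller that needs the address entry has to search `addresses` by `k->addr` the way snat_free_outside_address_and_port does in the previous hunk. I would put above nat_alloc_addr_and_port_default: `/* Pick a free outside address/port for k: on success writes k->addr and k->port (network byte order) and returns 0; returns 1 when the protocol is unknown or all addresses/ports are exhausted (logged via IPFIX). */`. The same comment is missing on the mape and range variants in the following hunks, which undergo the identical signature change. Both function bodies continue outside this hunk.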
@@ -2592,23 +2152,21 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, a->busy_##n##_ports++; \ k->addr = a->addr; \ k->port = clib_host_to_net_u16(portnum); \ - *address_indexp = i; \ return 0; \ } \ } \ else if (a->fib_index == ~0) \ { \ ga = a; \ - gi = i; \ } \ } \ break; - foreach_snat_protocol + foreach_snat_protocol #undef _ - default: - nat_log_info ("unknown protocol"); - return 1; - } + default: + nat_log_info ("unknown protocol"); + return 1; + } } @@ -2631,7 +2189,6 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, a->busy_##n##_ports++; \ k->addr = a->addr; \ k->port = clib_host_to_net_u16(portnum); \ - *address_indexp = gi; \ return 0; \ } break; @@ -2644,18 +2201,16 @@ nat_alloc_addr_and_port_default (snat_address_t * addresses, } /* Totally out of translations to use... */ - snat_ipfix_logging_addresses_exhausted(0); + snat_ipfix_logging_addresses_exhausted (0); return 1; } static int nat_alloc_addr_and_port_mape (snat_address_t * addresses, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp, - u16 port_per_thread, - u32 snat_thread_index) + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u16 port_per_thread, u32 snat_thread_index) { snat_main_t *sm = &snat_main; snat_address_t *a = addresses; @@ -2683,7 +2238,6 @@ nat_alloc_addr_and_port_mape (snat_address_t * addresses, a->busy_##n##_ports++; \ k->addr = a->addr; \ k->port = clib_host_to_net_u16 (portnum); \ - *address_indexp = i; \ return 0; \ } \ } \ 
@@ -2697,18 +2251,16 @@ nat_alloc_addr_and_port_mape (snat_address_t * addresses, exhausted: /* Totally out of translations to use... */ - snat_ipfix_logging_addresses_exhausted(0); + snat_ipfix_logging_addresses_exhausted (0); return 1; } static int nat_alloc_addr_and_port_range (snat_address_t * addresses, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp, - u16 port_per_thread, - u32 snat_thread_index) + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u16 port_per_thread, u32 snat_thread_index) { snat_main_t *sm = &snat_main; snat_address_t *a = addresses; @@ -2734,7 +2286,6 @@ nat_alloc_addr_and_port_range (snat_address_t * addresses, a->busy_##n##_ports++; \ k->addr = a->addr; \ k->port = clib_host_to_net_u16 (portnum); \ - *address_indexp = i; \ return 0; \ } \ } \ @@ -2748,7 +2299,7 @@ nat_alloc_addr_and_port_range (snat_address_t * addresses, exhausted: /* Totally out of translations to use... */ - snat_ipfix_logging_addresses_exhausted(0); + snat_ipfix_logging_addresses_exhausted (0); return 1; } @@ -2766,7 +2317,7 @@ nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add) { nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4); fib_table_entry_special_dpo_add (0, &pfx, FIB_SOURCE_PLUGIN_HI, - FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4); + FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4); dpo_reset (&dpo_v4); } else 
@@ -2775,61 +2326,6 @@ nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add) } } -uword -unformat_snat_protocol (unformat_input_t * input, va_list * args) -{ - u32 *r = va_arg (*args, u32 *); - - if (0); -#define _(N, i, n, s) else if (unformat (input, s)) *r = SNAT_PROTOCOL_##N; - foreach_snat_protocol -#undef _ - else - return 0; - return 1; -} - -u8 * -format_snat_protocol (u8 * s, va_list * args) -{ - u32 i = va_arg (*args, u32); - u8 *t = 0; - - switch (i) - { -#define _(N, j, n, str) case SNAT_PROTOCOL_##N: t = (u8 *) str; break; - foreach_snat_protocol -#undef _ - default: - s = format (s, "unknown"); - return s; - } - s = format (s, "%s", t); - return s; -} - -u8 * -format_nat_addr_and_port_alloc_alg (u8 * s, va_list * args) -{ - u32 i = va_arg (*args, u32); - u8 *t = 0; - - switch (i) - { -#define _(v, N, s) case NAT_ADDR_AND_PORT_ALLOC_ALG_##N: t = (u8 *) s; break; - foreach_nat_addr_and_port_alloc_alg -#undef _ - default: - s = format (s, "unknown"); - return s; - } - s = format (s, "%s", t); - return s; -} - -u8 * format_snat_key (u8 * s, va_list * args); -u8 * format_static_mapping_key (u8 * s, va_list * args); - u8 * format_session_kvp (u8 * s, va_list * args) { @@ -2852,7 +2348,7 @@ format_static_mapping_kvp (u8 * s, va_list * args) k.as_u64 = v->key; s = format (s, "%U static-mapping-index %llu", - format_static_mapping_key, &k, v->value); + format_static_mapping_key, &k, v->value); return s; } @@ -2866,7 +2362,7 @@ format_user_kvp (u8 * s, va_list * args) k.as_u64 = v->key; s = format (s, "%U fib %d user-index %llu", format_ip4_address, &k.addr, - k.fib_index, v->value); + k.fib_index, v->value); return s; } 
@@ -2880,10 +2376,11 @@ format_ed_session_kvp (u8 * s, va_list * args) k.as_u64[0] = v->key[0]; k.as_u64[1] = v->key[1]; - s = format (s, "local %U:%d remote %U:%d proto %U fib %d session-index %llu", - format_ip4_address, &k.l_addr, clib_net_to_host_u16 (k.l_port), - format_ip4_address, &k.r_addr, clib_net_to_host_u16 (k.r_port), - format_ip_protocol, k.proto, k.fib_index, v->value); + s = + format (s, "local %U:%d remote %U:%d proto %U fib %d session-index %llu", + format_ip4_address, &k.l_addr, clib_net_to_host_u16 (k.l_port), + format_ip4_address, &k.r_addr, clib_net_to_host_u16 (k.r_port), + format_ip_protocol, k.proto, k.fib_index, v->value); return s; } @@ -2897,7 +2394,7 @@ snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0) next_worker_index = sm->first_worker_index; hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) + - (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >>24); + (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >> 24); if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers)))) next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)]; @@ -2927,11 +2424,12 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) m_key.protocol = 0; m_key.fib_index = rx_fib_index0; kv.key = m_key.as_u64; - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - { - m = pool_elt_at_index (sm->static_mappings, value.value); - return m->workers[0]; - } + if (!clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + return m->workers[0]; + } } proto = ip_proto_to_snat_proto (ip0->protocol); @@ -2951,7 +2449,7 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) ip0->fragment_id, ip0->protocol); if (reass && (reass->thread_index != (u32) ~ 0)) - return reass->thread_index; + return reass->thread_index; else return vlib_get_thread_index (); } 
@@ -2966,30 +2464,30 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP)) { - icmp46_header_t * icmp = (icmp46_header_t *) udp; - icmp_echo_header_t *echo = (icmp_echo_header_t *)(icmp + 1); + icmp46_header_t *icmp = (icmp46_header_t *) udp; + icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1); if (!icmp_is_error_message (icmp)) - port = echo->identifier; + port = echo->identifier; else - { - ip4_header_t *inner_ip = (ip4_header_t *)(echo + 1); - proto = ip_proto_to_snat_proto (inner_ip->protocol); - void *l4_header = ip4_next_header (inner_ip); - switch (proto) - { - case SNAT_PROTOCOL_ICMP: - icmp = (icmp46_header_t*)l4_header; - echo = (icmp_echo_header_t *)(icmp + 1); - port = echo->identifier; - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - port = ((tcp_udp_header_t*)l4_header)->src_port; - break; - default: - return vlib_get_thread_index (); - } - } + { + ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1); + proto = ip_proto_to_snat_proto (inner_ip->protocol); + void *l4_header = ip4_next_header (inner_ip); + switch (proto) + { + case SNAT_PROTOCOL_ICMP: + icmp = (icmp46_header_t *) l4_header; + echo = (icmp_echo_header_t *) (icmp + 1); + port = echo->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + port = ((tcp_udp_header_t *) l4_header)->src_port; + break; + default: + return vlib_get_thread_index (); + } + } } /* try static mappings with port */ 
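Review bot: The ICMP error path dereferences `inner_ip` and then `l4_header` without checking that the packet actually extends that far, so a truncated ICMP error reaches `inner_ip->protocol`, `ip4_next_header (inner_ip)` and the `src_port`/`identifier` reads past the real payload; the same pattern is re-indented in `nat44_ed_get_worker_out2in_cb` in the next hunk. Only the outer header is in scope here, so the bound has to come from it, e.g. `u8 *end = (u8 *) ip0 + clib_net_to_host_u16 (ip0->length);` followed by `if ((u8 *) (inner_ip + 1) > end) return vlib_get_thread_index ();` right after `inner_ip` is computed, and `if ((u8 *) l4_header + sizeof (tcp_udp_header_t) > end) return vlib_get_thread_index ();` before the switch. If the callers of the worker callback are guaranteed to have validated the length already, that guarantee should be written above the `if (!icmp_is_error_message (icmp))` line instead, since nothing in this function documents it. The enclosing function starts before and continues after this hunk.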
@@ -3000,11 +2498,12 @@ snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0) m_key.protocol = proto; m_key.fib_index = rx_fib_index0; kv.key = m_key.as_u64; - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - { - m = pool_elt_at_index (sm->static_mappings, value.value); - return m->workers[0]; - } + if (!clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + return m->workers[0]; + } } /* worker by outside port */ @@ -3029,11 +2528,12 @@ nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index) if (PREDICT_FALSE (pool_elts (sm->static_mappings))) { make_sm_kv (&kv, &ip->dst_address, 0, rx_fib_index, 0); - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - { - m = pool_elt_at_index (sm->static_mappings, value.value); - return m->workers[0]; - } + if (!clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, value.value); + return m->workers[0]; + } } proto = ip_proto_to_snat_proto (ip->protocol); 
@@ -3050,51 +2550,52 @@ nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index) if (PREDICT_FALSE (ip->protocol == IP_PROTOCOL_ICMP)) { - icmp46_header_t * icmp = (icmp46_header_t *) udp; - icmp_echo_header_t *echo = (icmp_echo_header_t *)(icmp + 1); + icmp46_header_t *icmp = (icmp46_header_t *) udp; + icmp_echo_header_t *echo = (icmp_echo_header_t *) (icmp + 1); if (!icmp_is_error_message (icmp)) - port = echo->identifier; + port = echo->identifier; else - { - ip4_header_t *inner_ip = (ip4_header_t *)(echo + 1); - proto = ip_proto_to_snat_proto (inner_ip->protocol); - void *l4_header = ip4_next_header (inner_ip); - switch (proto) - { - case SNAT_PROTOCOL_ICMP: - icmp = (icmp46_header_t*)l4_header; - echo = (icmp_echo_header_t *)(icmp + 1); - port = echo->identifier; - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - port = ((tcp_udp_header_t*)l4_header)->src_port; - break; - default: - return vlib_get_thread_index (); - } - } + { + ip4_header_t *inner_ip = (ip4_header_t *) (echo + 1); + proto = ip_proto_to_snat_proto (inner_ip->protocol); + void *l4_header = ip4_next_header (inner_ip); + switch (proto) + { + case SNAT_PROTOCOL_ICMP: + icmp = (icmp46_header_t *) l4_header; + echo = (icmp_echo_header_t *) (icmp + 1); + port = echo->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + port = ((tcp_udp_header_t *) l4_header)->src_port; + break; + default: + return vlib_get_thread_index (); + } + } } /* try static mappings with port */ if (PREDICT_FALSE (pool_elts (sm->static_mappings))) { make_sm_kv (&kv, &ip->dst_address, proto, rx_fib_index, - clib_net_to_host_u16 (port)); - if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - { - m = pool_elt_at_index (sm->static_mappings, value.value); - if (!vec_len(m->locals)) - return m->workers[0]; + clib_net_to_host_u16 (port)); + if (!clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv, &value)) + { + m = pool_elt_at_index (sm->static_mappings, 
value.value); + if (!vec_len (m->locals)) + return m->workers[0]; - hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) + - (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >>24); + hash = ip->src_address.as_u32 + (ip->src_address.as_u32 >> 8) + + (ip->src_address.as_u32 >> 16) + (ip->src_address.as_u32 >> 24); - if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers)))) - return m->workers[hash & (_vec_len (m->workers) - 1)]; - else - return m->workers[hash % _vec_len (m->workers)]; - } + if (PREDICT_TRUE (is_pow2 (_vec_len (m->workers)))) + return m->workers[hash & (_vec_len (m->workers) - 1)]; + else + return m->workers[hash % _vec_len (m->workers)]; + } } /* worker by outside port */ @@ -3108,18 +2609,18 @@ nat44_ed_get_worker_out2in_cb (ip4_header_t * ip, u32 rx_fib_index) static clib_error_t * snat_config (vlib_main_t * vm, unformat_input_t * input) { - snat_main_t * sm = &snat_main; - nat66_main_t * nm = &nat66_main; + snat_main_t *sm = &snat_main; + nat66_main_t *nm = &nat66_main; u32 translation_buckets = 1024; - u32 translation_memory_size = 128<<20; + u32 translation_memory_size = 128 << 20; u32 user_buckets = 128; - u32 user_memory_size = 64<<20; + u32 user_memory_size = 64 << 20; u32 max_translations_per_user = 100; u32 outside_vrf_id = 0; u32 outside_ip6_vrf_id = 0; u32 inside_vrf_id = 0; u32 static_mapping_buckets = 1024; - u32 static_mapping_memory_size = 64<<20; + u32 static_mapping_memory_size = 64 << 20; u32 nat64_bib_buckets = 1024; u32 nat64_bib_memory_size = 128 << 20; u32 nat64_st_buckets = 2048; @@ -3127,7 +2628,7 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) u8 static_mapping_only = 0; u8 static_mapping_connection_tracking = 0; snat_main_per_thread_data_t *tsm; - dslite_main_t * dm = &dslite_main; + dslite_main_t *dm = &dslite_main; sm->deterministic = 0; sm->out2in_dpo = 0; 
@@ -3135,68 +2636,66 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) { - if (unformat (input, "translation hash buckets %d", &translation_buckets)) - ; + if (unformat + (input, "translation hash buckets %d", &translation_buckets)) + ; else if (unformat (input, "translation hash memory %d", - &translation_memory_size)); + &translation_memory_size)); else if (unformat (input, "user hash buckets %d", &user_buckets)) - ; - else if (unformat (input, "user hash memory %d", - &user_memory_size)) - ; + ; + else if (unformat (input, "user hash memory %d", &user_memory_size)) + ; else if (unformat (input, "max translations per user %d", - &max_translations_per_user)) - ; - else if (unformat (input, "outside VRF id %d", - &outside_vrf_id)) - ; - else if (unformat (input, "outside ip6 VRF id %d", - &outside_ip6_vrf_id)) - ; - else if (unformat (input, "inside VRF id %d", - &inside_vrf_id)) - ; + &max_translations_per_user)) + ; + else if (unformat (input, "outside VRF id %d", &outside_vrf_id)) + ; + else if (unformat (input, "outside ip6 VRF id %d", &outside_ip6_vrf_id)) + ; + else if (unformat (input, "inside VRF id %d", &inside_vrf_id)) + ; else if (unformat (input, "static mapping only")) - { - static_mapping_only = 1; - if (unformat (input, "connection tracking")) - static_mapping_connection_tracking = 1; - } + { + static_mapping_only = 1; + if (unformat (input, "connection tracking")) + static_mapping_connection_tracking = 1; + } else if (unformat (input, "deterministic")) - sm->deterministic = 1; + sm->deterministic = 1; else if (unformat (input, "nat64 bib hash buckets %d", - &nat64_bib_buckets)) - ; + &nat64_bib_buckets)) + ; else if (unformat (input, "nat64 bib hash memory %d", - &nat64_bib_memory_size)) - ; - else if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets)) - ; + &nat64_bib_memory_size)) + ; + else + if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets)) + 
; else if (unformat (input, "nat64 st hash memory %d", - &nat64_st_memory_size)) - ; + &nat64_st_memory_size)) + ; else if (unformat (input, "out2in dpo")) - sm->out2in_dpo = 1; + sm->out2in_dpo = 1; else if (unformat (input, "dslite ce")) - dslite_set_ce(dm, 1); + dslite_set_ce (dm, 1); else if (unformat (input, "endpoint-dependent")) - sm->endpoint_dependent = 1; + sm->endpoint_dependent = 1; else return clib_error_return (0, "unknown input '%U'", format_unformat_error, input); } if (sm->deterministic && sm->endpoint_dependent) - return clib_error_return ( - 0, "deterministic and endpoint-dependent modes are mutually exclusive"); + return clib_error_return (0, + "deterministic and endpoint-dependent modes are mutually exclusive"); if (static_mapping_only && (sm->deterministic || sm->endpoint_dependent)) - return clib_error_return ( - 0, "static mapping only mode available only for simple nat"); + return clib_error_return (0, + "static mapping only mode available only for simple nat"); if (sm->out2in_dpo && (sm->deterministic || sm->endpoint_dependent)) - return clib_error_return ( - 0, "out2in dpo mode available only for simple nat"); + return clib_error_return (0, + "out2in dpo mode available only for simple nat"); /* for show commands, etc. */ sm->translation_buckets = translation_buckets; 
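Review bot: The `translation hash memory` branch keeps its empty statement on the same line as the condition (`&translation_memory_size));`) while every other no-op branch in this chain puts the `;` on its own line; since the hunk reflows exactly that line it should take the same shape, `&translation_memory_size))` followed by `;` on the next line, because a trailing `;` glued to an `if (...)` is the classic misread as a dropped body. The automatic reflow also split `else` and `if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets))` across two lines, which reads as a nested `if`; joining them back into a single `else if` keeps the chain uniform. `snat_config` starts before this hunk and continues after it.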
@@ -3208,21 +2707,21 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) sm->max_translations_per_user = max_translations_per_user; sm->outside_vrf_id = outside_vrf_id; sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, - outside_vrf_id, - FIB_SOURCE_PLUGIN_HI); + outside_vrf_id, + FIB_SOURCE_PLUGIN_HI); nm->outside_vrf_id = outside_ip6_vrf_id; nm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP6, - outside_ip6_vrf_id, - FIB_SOURCE_PLUGIN_HI); + outside_ip6_vrf_id, + FIB_SOURCE_PLUGIN_HI); sm->inside_vrf_id = inside_vrf_id; sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, - inside_vrf_id, - FIB_SOURCE_PLUGIN_HI); + inside_vrf_id, + FIB_SOURCE_PLUGIN_HI); sm->static_mapping_only = static_mapping_only; sm->static_mapping_connection_tracking = static_mapping_connection_tracking; - nat64_set_hash(nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets, - nat64_st_memory_size); + nat64_set_hash (nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets, + nat64_st_memory_size); if (sm->deterministic) { 
@@ -3235,29 +2734,30 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) else { if (sm->endpoint_dependent) - { - sm->worker_in2out_cb = snat_get_worker_in2out_cb; - sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb; - sm->in2out_node_index = nat44_ed_in2out_node.index; - sm->in2out_output_node_index = nat44_ed_in2out_output_node.index; - sm->out2in_node_index = nat44_ed_out2in_node.index; - sm->icmp_match_in2out_cb = icmp_match_in2out_ed; - sm->icmp_match_out2in_cb = icmp_match_out2in_ed; - nat_affinity_init (vm); - } + { + sm->worker_in2out_cb = snat_get_worker_in2out_cb; + sm->worker_out2in_cb = nat44_ed_get_worker_out2in_cb; + sm->in2out_node_index = nat44_ed_in2out_node.index; + sm->in2out_output_node_index = nat44_ed_in2out_output_node.index; + sm->out2in_node_index = nat44_ed_out2in_node.index; + sm->icmp_match_in2out_cb = icmp_match_in2out_ed; + sm->icmp_match_out2in_cb = icmp_match_out2in_ed; + nat_affinity_init (vm); + } else - { - sm->worker_in2out_cb = snat_get_worker_in2out_cb; - sm->worker_out2in_cb = snat_get_worker_out2in_cb; - sm->in2out_node_index = snat_in2out_node.index; - sm->in2out_output_node_index = snat_in2out_output_node.index; - sm->out2in_node_index = snat_out2in_node.index; - sm->icmp_match_in2out_cb = icmp_match_in2out_slow; - sm->icmp_match_out2in_cb = icmp_match_out2in_slow; - } + { + sm->worker_in2out_cb = snat_get_worker_in2out_cb; + sm->worker_out2in_cb = snat_get_worker_out2in_cb; + sm->in2out_node_index = snat_in2out_node.index; + sm->in2out_output_node_index = snat_in2out_output_node.index; + sm->out2in_node_index = snat_out2in_node.index; + sm->icmp_match_in2out_cb = icmp_match_in2out_slow; + sm->icmp_match_out2in_cb = icmp_match_out2in_slow; + } if (!static_mapping_only || - (static_mapping_only && static_mapping_connection_tracking)) - { + (static_mapping_only && static_mapping_connection_tracking)) + { + /* *INDENT-OFF* */ vec_foreach (tsm, sm->per_thread_data) { if (sm->endpoint_dependent) 
@@ -3294,24 +2794,26 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) clib_bihash_set_kvp_format_fn_8_8 (&tsm->user_hash, format_user_kvp); } + /* *INDENT-ON* */ - } + } else - { - sm->icmp_match_in2out_cb = icmp_match_in2out_fast; - sm->icmp_match_out2in_cb = icmp_match_out2in_fast; - } + { + sm->icmp_match_in2out_cb = icmp_match_in2out_fast; + sm->icmp_match_out2in_cb = icmp_match_out2in_fast; + } clib_bihash_init_8_8 (&sm->static_mapping_by_local, - "static_mapping_by_local", static_mapping_buckets, - static_mapping_memory_size); + "static_mapping_by_local", static_mapping_buckets, + static_mapping_memory_size); clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_local, - format_static_mapping_kvp); + format_static_mapping_kvp); clib_bihash_init_8_8 (&sm->static_mapping_by_external, - "static_mapping_by_external", static_mapping_buckets, - static_mapping_memory_size); + "static_mapping_by_external", + static_mapping_buckets, + static_mapping_memory_size); clib_bihash_set_kvp_format_fn_8_8 (&sm->static_mapping_by_external, - format_static_mapping_kvp); + format_static_mapping_kvp); } return 0; 
@@ -3319,240 +2821,13 @@ snat_config (vlib_main_t * vm, unformat_input_t * input) VLIB_CONFIG_FUNCTION (snat_config, "nat"); -u8 * format_snat_session_state (u8 * s, va_list * args) -{ - u32 i = va_arg (*args, u32); - u8 *t = 0; - - switch (i) - { -#define _(v, N, str) case SNAT_SESSION_##N: t = (u8 *) str; break; - foreach_snat_session_state -#undef _ - default: - t = format (t, "unknown"); - } - s = format (s, "%s", t); - return s; -} - -u8 * format_snat_key (u8 * s, va_list * args) -{ - snat_session_key_t * key = va_arg (*args, snat_session_key_t *); - - s = format (s, "%U proto %U port %d fib %d", - format_ip4_address, &key->addr, - format_snat_protocol, key->protocol, - clib_net_to_host_u16 (key->port), key->fib_index); - return s; -} - -u8 * format_static_mapping_key (u8 * s, va_list * args) -{ - snat_session_key_t * key = va_arg (*args, snat_session_key_t *); - - s = format (s, "%U proto %U port %d fib %d", - format_ip4_address, &key->addr, - format_snat_protocol, key->protocol, - key->port, key->fib_index); - return s; -} - -u8 * format_snat_session (u8 * s, va_list * args) -{ - snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *); - snat_session_t * sess = va_arg (*args, snat_session_t *); - - if (snat_is_unk_proto_session (sess)) - { - s = format (s, " i2o %U proto %u fib %u\n", - format_ip4_address, &sess->in2out.addr, - clib_net_to_host_u16 (sess->in2out.port), - sess->in2out.fib_index); - s = format (s, " o2i %U proto %u fib %u\n", - format_ip4_address, &sess->out2in.addr, - clib_net_to_host_u16 (sess->out2in.port), - sess->out2in.fib_index); - } - else - { - s = format (s, " i2o %U\n", format_snat_key, &sess->in2out); - s = format (s, " o2i %U\n", format_snat_key, &sess->out2in); - } - if (is_ed_session (sess) || is_fwd_bypass_session (sess)) - { - if (is_twice_nat_session (sess)) - { - s = format (s, " external host o2i %U:%d i2o %U:%d\n", - format_ip4_address, &sess->ext_host_addr, - clib_net_to_host_u16 
(sess->ext_host_port), - format_ip4_address, &sess->ext_host_nat_addr, - clib_net_to_host_u16 (sess->ext_host_nat_port)); - } - else - { - if (sess->ext_host_addr.as_u32) - s = format (s, " external host %U:%u\n", - format_ip4_address, &sess->ext_host_addr, - clib_net_to_host_u16 (sess->ext_host_port)); - } - } - s = format (s, " index %llu\n", sess - sm->sessions); - s = format (s, " last heard %.2f\n", sess->last_heard); - s = format (s, " total pkts %d, total bytes %lld\n", - sess->total_pkts, sess->total_bytes); - if (snat_is_session_static (sess)) - s = format (s, " static translation\n"); - else - s = format (s, " dynamic translation\n"); - if (is_fwd_bypass_session (sess)) - s = format (s, " forwarding-bypass\n"); - if (is_lb_session (sess)) - s = format (s, " load-balancing\n"); - if (is_twice_nat_session (sess)) - s = format (s, " twice-nat\n"); - - return s; -} - -u8 * format_snat_user (u8 * s, va_list * args) -{ - snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *); - snat_user_t * u = va_arg (*args, snat_user_t *); - int verbose = va_arg (*args, int); - dlist_elt_t * head, * elt; - u32 elt_index, head_index; - u32 session_index; - snat_session_t * sess; - - s = format (s, "%U: %d dynamic translations, %d static translations\n", - format_ip4_address, &u->addr, u->nsessions, u->nstaticsessions); - - if (verbose == 0) - return s; - - if (u->nsessions || u->nstaticsessions) - { - head_index = u->sessions_per_user_list_head_index; - head = pool_elt_at_index (sm->list_pool, head_index); - - elt_index = head->next; - elt = pool_elt_at_index (sm->list_pool, elt_index); - session_index = elt->value; - - while (session_index != ~0) - { - sess = pool_elt_at_index (sm->sessions, session_index); - - s = format (s, " %U\n", format_snat_session, sm, sess); - - elt_index = elt->next; - elt = pool_elt_at_index (sm->list_pool, elt_index); - session_index = elt->value; - } - } - - return s; -} - -u8 * format_snat_static_mapping (u8 * s, 
va_list * args) -{ - snat_static_mapping_t *m = va_arg (*args, snat_static_mapping_t *); - nat44_lb_addr_port_t *local; - - if (m->addr_only) - s = format (s, "local %U external %U vrf %d %s %s", - format_ip4_address, &m->local_addr, - format_ip4_address, &m->external_addr, - m->vrf_id, - m->twice_nat == TWICE_NAT ? "twice-nat" : - m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", - m->out2in_only ? "out2in-only" : ""); - else - { - if (vec_len (m->locals)) - { - s = format (s, "%U external %U:%d %s %s", - format_snat_protocol, m->proto, - format_ip4_address, &m->external_addr, m->external_port, - m->twice_nat == TWICE_NAT ? "twice-nat" : - m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", - m->out2in_only ? "out2in-only" : ""); - vec_foreach (local, m->locals) - s = format (s, "\n local %U:%d vrf %d probability %d\%", - format_ip4_address, &local->addr, local->port, - local->vrf_id, local->probability); - } - else - s = format (s, "%U local %U:%d external %U:%d vrf %d %s %s", - format_snat_protocol, m->proto, - format_ip4_address, &m->local_addr, m->local_port, - format_ip4_address, &m->external_addr, m->external_port, - m->vrf_id, - m->twice_nat == TWICE_NAT ? "twice-nat" : - m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", - m->out2in_only ? 
"out2in-only" : ""); - } - return s; -} - -u8 * format_snat_static_map_to_resolve (u8 * s, va_list * args) -{ - snat_static_map_resolve_t *m = va_arg (*args, snat_static_map_resolve_t *); - vnet_main_t *vnm = vnet_get_main(); - - if (m->addr_only) - s = format (s, "local %U external %U vrf %d", - format_ip4_address, &m->l_addr, - format_vnet_sw_if_index_name, vnm, m->sw_if_index, - m->vrf_id); - else - s = format (s, "%U local %U:%d external %U:%d vrf %d", - format_snat_protocol, m->proto, - format_ip4_address, &m->l_addr, m->l_port, - format_vnet_sw_if_index_name, vnm, m->sw_if_index, - m->e_port, m->vrf_id); - - return s; -} - -u8 * format_det_map_ses (u8 * s, va_list * args) -{ - snat_det_map_t * det_map = va_arg (*args, snat_det_map_t *); - ip4_address_t in_addr, out_addr; - u32 in_offset, out_offset; - snat_det_session_t * ses = va_arg (*args, snat_det_session_t *); - u32 * i = va_arg (*args, u32 *); - - u32 user_index = *i / SNAT_DET_SES_PER_USER; - in_addr.as_u32 = clib_host_to_net_u32 ( - clib_net_to_host_u32(det_map->in_addr.as_u32) + user_index); - in_offset = clib_net_to_host_u32(in_addr.as_u32) - - clib_net_to_host_u32(det_map->in_addr.as_u32); - out_offset = in_offset / det_map->sharing_ratio; - out_addr.as_u32 = clib_host_to_net_u32( - clib_net_to_host_u32(det_map->out_addr.as_u32) + out_offset); - s = format (s, "in %U:%d out %U:%d external host %U:%d state: %U expire: %d\n", - format_ip4_address, &in_addr, - clib_net_to_host_u16 (ses->in_port), - format_ip4_address, &out_addr, - clib_net_to_host_u16 (ses->out.out_port), - format_ip4_address, &ses->out.ext_host_addr, - clib_net_to_host_u16 (ses->out.ext_host_port), - format_snat_session_state, ses->state, - ses->expire); - - return s; -} - static void nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im, - uword opaque, - u32 sw_if_index, - ip4_address_t * address, - u32 address_length, - u32 if_address_index, - u32 is_delete) + uword opaque, + u32 sw_if_index, + ip4_address_t * address, + u32 
address_length, + u32 if_address_index, u32 is_delete) { snat_main_t *sm = &snat_main; snat_static_map_resolve_t *rp; @@ -3566,9 +2841,9 @@ nat_ip4_add_del_addr_only_sm_cb (ip4_main_t * im, { rp = sm->to_resolve + i; if (rp->addr_only == 0) - continue; + continue; if (rp->sw_if_index == sw_if_index) - goto match; + goto match; } return; @@ -3588,12 +2863,12 @@ match: { /* Don't trip over lease renewal, static config */ if (m) - return; + return; } else { if (!m) - return; + return; } /* Indetity mapping? */ @@ -3603,27 +2878,23 @@ match: l_addr.as_u32 = rp->l_addr.as_u32; /* Add the static mapping */ rv = snat_add_static_mapping (l_addr, - address[0], - rp->l_port, - rp->e_port, - rp->vrf_id, - rp->addr_only, - ~0 /* sw_if_index */, - rp->proto, - !is_delete, - 0, 0, rp->tag); + address[0], + rp->l_port, + rp->e_port, + rp->vrf_id, + rp->addr_only, ~0 /* sw_if_index */ , + rp->proto, !is_delete, 0, 0, rp->tag); if (rv) nat_log_notice ("snat_add_static_mapping returned %d", rv); } static void snat_ip4_add_del_interface_address_cb (ip4_main_t * im, - uword opaque, - u32 sw_if_index, - ip4_address_t * address, - u32 address_length, - u32 if_address_index, - u32 is_delete) + uword opaque, + u32 sw_if_index, + ip4_address_t * address, + u32 address_length, + u32 if_address_index, u32 is_delete) { snat_main_t *sm = &snat_main; snat_static_map_resolve_t *rp; 
@@ -3633,18 +2904,18 @@ snat_ip4_add_del_interface_address_cb (ip4_main_t * im, u8 twice_nat = 0; snat_address_t *addresses = sm->addresses; - for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++) + for (i = 0; i < vec_len (sm->auto_add_sw_if_indices); i++) { if (sw_if_index == sm->auto_add_sw_if_indices[i]) - goto match; + goto match; } - for (i = 0; i < vec_len(sm->auto_add_sw_if_indices_twice_nat); i++) + for (i = 0; i < vec_len (sm->auto_add_sw_if_indices_twice_nat); i++) { twice_nat = 1; addresses = sm->twice_nat_addresses; if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i]) - goto match; + goto match; } return; 
@@ -3653,98 +2924,99 @@ match: if (!is_delete) { /* Don't trip over lease renewal, static config */ - for (j = 0; j < vec_len(addresses); j++) - if (addresses[j].addr.as_u32 == address->as_u32) - return; + for (j = 0; j < vec_len (addresses); j++) + if (addresses[j].addr.as_u32 == address->as_u32) + return; (void) snat_add_address (sm, address, ~0, twice_nat); /* Scan static map resolution vector */ for (j = 0; j < vec_len (sm->to_resolve); j++) - { - rp = sm->to_resolve + j; - if (rp->addr_only) - continue; - /* On this interface? */ - if (rp->sw_if_index == sw_if_index) - { - /* Indetity mapping? */ - if (rp->l_addr.as_u32 == 0) - l_addr.as_u32 = address[0].as_u32; - else - l_addr.as_u32 = rp->l_addr.as_u32; - /* Add the static mapping */ - rv = snat_add_static_mapping (l_addr, - address[0], - rp->l_port, - rp->e_port, - rp->vrf_id, - rp->addr_only, - ~0 /* sw_if_index */, - rp->proto, - rp->is_add, - 0, 0, rp->tag); - if (rv) - nat_log_notice ("snat_add_static_mapping returned %d", rv); - } - } + { + rp = sm->to_resolve + j; + if (rp->addr_only) + continue; + /* On this interface? */ + if (rp->sw_if_index == sw_if_index) + { + /* Indetity mapping? 
*/ + if (rp->l_addr.as_u32 == 0) + l_addr.as_u32 = address[0].as_u32; + else + l_addr.as_u32 = rp->l_addr.as_u32; + /* Add the static mapping */ + rv = snat_add_static_mapping (l_addr, + address[0], + rp->l_port, + rp->e_port, + rp->vrf_id, + rp->addr_only, + ~0 /* sw_if_index */ , + rp->proto, + rp->is_add, 0, 0, rp->tag); + if (rv) + nat_log_notice ("snat_add_static_mapping returned %d", rv); + } + } return; } else { - (void) snat_del_address(sm, address[0], 1, twice_nat); + (void) snat_del_address (sm, address[0], 1, twice_nat); return; } } -int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del, - u8 twice_nat) +int +snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del, + u8 twice_nat) { - ip4_main_t * ip4_main = sm->ip4_main; - ip4_address_t * first_int_addr; + ip4_main_t *ip4_main = sm->ip4_main; + ip4_address_t *first_int_addr; snat_static_map_resolve_t *rp; u32 *indices_to_delete = 0; int i, j; u32 *auto_add_sw_if_indices = - twice_nat ? sm->auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices; + twice_nat ? 
sm-> + auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices; - first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, - 0 /* just want the address*/); + first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index, 0 /* just want the address */ + ); - for (i = 0; i < vec_len(auto_add_sw_if_indices); i++) + for (i = 0; i < vec_len (auto_add_sw_if_indices); i++) { if (auto_add_sw_if_indices[i] == sw_if_index) - { - if (is_del) - { - /* if have address remove it */ - if (first_int_addr) - (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat); - else - { - for (j = 0; j < vec_len (sm->to_resolve); j++) - { - rp = sm->to_resolve + j; - if (rp->sw_if_index == sw_if_index) - vec_add1 (indices_to_delete, j); - } - if (vec_len(indices_to_delete)) - { - for (j = vec_len(indices_to_delete)-1; j >= 0; j--) - vec_del1(sm->to_resolve, j); - vec_free(indices_to_delete); - } - } - if (twice_nat) - vec_del1(sm->auto_add_sw_if_indices_twice_nat, i); - else - vec_del1(sm->auto_add_sw_if_indices, i); - } - else - return VNET_API_ERROR_VALUE_EXIST; + { + if (is_del) + { + /* if have address remove it */ + if (first_int_addr) + (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat); + else + { + for (j = 0; j < vec_len (sm->to_resolve); j++) + { + rp = sm->to_resolve + j; + if (rp->sw_if_index == sw_if_index) + vec_add1 (indices_to_delete, j); + } + if (vec_len (indices_to_delete)) + { + for (j = vec_len (indices_to_delete) - 1; j >= 0; j--) + vec_del1 (sm->to_resolve, j); + vec_free (indices_to_delete); + } + } + if (twice_nat) + vec_del1 (sm->auto_add_sw_if_indices_twice_nat, i); + else + vec_del1 (sm->auto_add_sw_if_indices, i); + } + else + return VNET_API_ERROR_VALUE_EXIST; - return 0; - } + return 0; + } } if (is_del) 
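Review bot: In `snat_add_interface_address` the cleanup loop calls `vec_del1 (sm->to_resolve, j)` with the loop counter instead of the collected index, so on the delete path it removes the last `vec_len (indices_to_delete)` entries of `sm->to_resolve` whatever their `sw_if_index`, leaving the matching resolve entries in place and dropping unrelated ones; the line should read `vec_del1 (sm->to_resolve, indices_to_delete[j]);`. The descending iteration is what keeps index-based deletion safe, so only the argument needs to change. The re-indented comment `/* Indetity mapping? */` in the callback earlier in this hunk carries its typo into the new side (`/* Identity mapping? */`). The hunk starts inside `snat_ip4_add_del_interface_address_cb` and `snat_add_interface_address` continues past its end.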
@@ -3752,20 +3024,20 @@ int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del, /* add to the auto-address list */ if (twice_nat) - vec_add1(sm->auto_add_sw_if_indices_twice_nat, sw_if_index); + vec_add1 (sm->auto_add_sw_if_indices_twice_nat, sw_if_index); else - vec_add1(sm->auto_add_sw_if_indices, sw_if_index); + vec_add1 (sm->auto_add_sw_if_indices, sw_if_index); /* If the address is already bound - or static - add it now */ if (first_int_addr) - (void) snat_add_address (sm, first_int_addr, ~0, twice_nat); + (void) snat_add_address (sm, first_int_addr, ~0, twice_nat); return 0; } int -nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, - snat_protocol_t proto, u32 vrf_id, int is_in) +nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port, + snat_protocol_t proto, u32 vrf_id, int is_in) { snat_main_per_thread_data_t *tsm; clib_bihash_kv_8_8_t kv, value; @@ -3795,7 +3067,7 @@ nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, if (!clib_bihash_search_8_8 (t, &kv, &value)) { if (pool_is_free_index (tsm->sessions, value.value)) - return VNET_API_ERROR_UNSPECIFIED; + return VNET_API_ERROR_UNSPECIFIED; s = pool_elt_at_index (tsm->sessions, value.value); nat_free_session_data (sm, s, tsm - sm->per_thread_data); @@ -3807,9 +3079,9 @@ nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, } int -nat44_del_ed_session (snat_main_t *sm, ip4_address_t *addr, u16 port, - ip4_address_t *eh_addr, u16 eh_port, u8 proto, - u32 vrf_id, int is_in) +nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port, + ip4_address_t * eh_addr, u16 eh_port, u8 proto, + u32 vrf_id, int is_in) { ip4_header_t ip; clib_bihash_16_8_t *t; 
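Review bot: The tail of snat_add_interface_address still discards the result of `(void) snat_add_address (sm, first_int_addr, ~0, twice_nat);` after `sw_if_index` has already been appended to the auto-add vector, so if the pool add fails the interface stays registered for auto-add and the caller still gets `return 0;`. The static-mapping resolve path in this same file at least logs its failure with `nat_log_notice ("snat_add_static_mapping returned %d", rv);`; this branch should do the same rather than hide it: `int rv = snat_add_address (sm, first_int_addr, ~0, twice_nat);` followed by `if (rv) nat_log_notice ("snat_add_address returned %d", rv);`. Which failure modes snat_add_address actually has is not visible here, so whether to also undo the vec_add1 on error needs confirming against its definition. The function begins outside this hunk.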
@@ -3836,7 +3108,7 @@ nat44_del_ed_session (snat_main_t *sm, ip4_address_t *addr, u16 port, key.l_port = clib_host_to_net_u16 (port); key.r_port = clib_host_to_net_u16 (eh_port); key.proto = proto; - key.fib_index = clib_host_to_net_u32 (fib_index); + key.fib_index = fib_index; kv.key[0] = key.as_u64[0]; kv.key[1] = key.as_u64[1]; if (clib_bihash_search_16_8 (t, &kv, &value)) @@ -3882,3 +3154,10 @@ nat_set_alloc_addr_and_port_default (void) sm->alloc_addr_and_port = nat_alloc_addr_and_port_default; } +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h index 06a61626333..865d27efb5a 100644 --- a/src/plugins/nat/nat.h +++ b/src/plugins/nat/nat.h @@ -1,7 +1,4 @@ - /* - * nat.h - NAT plugin definitions - * * Copyright (c) 2016 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,6 +12,9 @@ * See the License for the specific language governing permissions and * limitations under the License. */ +/** + * @file NAT plugin global declarations + */ #ifndef __included_nat_h__ #define __included_nat_h__ 
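Review bot: The corrected `key.fib_index = fib_index;` in nat44_del_ed_session now matches the `u32 proto:8, fib_index:24` layout of nat_ed_ses_key_t, but the 16-byte key is still assembled field by field in this control-plane function while the data path builds the same key through `make_ed_kv (...)` (see its use in nat44_classify.c in this patch), so the next layout or byte-order change can silently diverge again and make session deletion miss. Consider replacing the hand-rolled fill with `make_ed_kv (&kv, addr, eh_addr, proto, fib_index, clib_host_to_net_u16 (port), clib_host_to_net_u16 (eh_port));`, which keeps this lookup and the forwarding lookup in lock-step by construction. This assumes the is_in handling above the hunk only selects the table and fib_index and does not swap the address pair; that part of the function is outside the hunk, so confirm before changing it.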
@@ -30,40 +30,43 @@ #include #include - +/* default session timeouts */ #define SNAT_UDP_TIMEOUT 300 #define SNAT_TCP_TRANSITORY_TIMEOUT 240 #define SNAT_TCP_ESTABLISHED_TIMEOUT 7440 #define SNAT_ICMP_TIMEOUT 60 +/* number of worker handoff frame queue elements */ #define NAT_FQ_NELTS 64 +/* NAT buffer flags */ #define SNAT_FLAG_HAIRPINNING (1 << 0) -/* Key */ -typedef struct { +/* session key (4-tuple) */ +typedef struct +{ union { struct { ip4_address_t addr; u16 port; - u16 protocol:3, - fib_index:13; + u16 protocol:3, fib_index:13; }; u64 as_u64; }; } snat_session_key_t; -typedef struct { +/* endpoint-dependent session key (6-tuple) */ +typedef struct +{ union { struct { ip4_address_t l_addr; ip4_address_t r_addr; - u32 proto:8, - fib_index:24; + u32 proto:8, fib_index:24; u16 l_port; u16 r_port; }; @@ -71,7 +74,9 @@ typedef struct { }; } nat_ed_ses_key_t; -typedef struct { +/* deterministic session outside key */ +typedef struct +{ union { struct @@ -84,7 +89,9 @@ typedef struct { }; } snat_det_out_key_t; -typedef struct { +/* user (internal host) key */ +typedef struct +{ union { struct @@ -96,29 +103,42 @@ typedef struct { }; } snat_user_key_t; +typedef struct +{ + u32 sw_if_index; + u32 next_index; + u8 cached; +} nat44_reass_trace_t; + +/* External address and port allocation modes */ #define foreach_nat_addr_and_port_alloc_alg \ _(0, DEFAULT, "default") \ _(1, MAPE, "map-e") \ _(2, RANGE, "port-range") -typedef enum { +typedef enum +{ #define _(v, N, s) NAT_ADDR_AND_PORT_ALLOC_ALG_##N = v, foreach_nat_addr_and_port_alloc_alg #undef _ } nat_addr_and_port_alloc_alg_t; + +/* Supported L4 protocols */ #define foreach_snat_protocol \ _(UDP, 0, udp, "udp") \ _(TCP, 1, tcp, "tcp") \ _(ICMP, 2, icmp, "icmp") -typedef enum { +typedef enum +{ #define _(N, i, n, s) SNAT_PROTOCOL_##N = i, foreach_snat_protocol #undef _ } snat_protocol_t; +/* Session state */ #define foreach_snat_session_state \ _(0, UNKNOWN, "unknown") \ _(1, UDP_ACTIVE, "udp-active") \ 
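Review bot: The new `/* session key (4-tuple) */` comment on snat_session_key_t should state that `fib_index:13` holds only 13 bits while every API in this patch passes the FIB index as a u32 and nat_ed_ses_key_t keeps 24 bits; assignment into a narrower unsigned bitfield truncates silently in C, so FIB indices above 8191 alias to lower ones in the 4-tuple tables without any error. Suggested wording: `/* session key (4-tuple); fib_index is truncated to 13 bits (tables above 8191 alias) and is narrower than the 24-bit field of nat_ed_ses_key_t */`. Whether any deployment reaches that many FIB tables is not visible here, but a range check or STATIC_ASSERT at the points that fill the key would make the limit explicit rather than implicit.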
@@ -131,12 +151,14 @@ typedef enum { _(8, TCP_CLOSED, "tcp-closed") \ _(9, ICMP_ACTIVE, "icmp-active") -typedef enum { +typedef enum +{ #define _(v, N, s) SNAT_SESSION_##N = v, foreach_snat_session_state #undef _ } snat_session_state_t; +/* Endpoint dependent TCP session state */ #define NAT44_SES_I2O_FIN 1 #define NAT44_SES_O2I_FIN 2 #define NAT44_SES_I2O_FIN_ACK 4 @@ -144,8 +166,7 @@ typedef enum { #define NAT44_SES_I2O_SYN 16 #define NAT44_SES_O2I_SYN 32 -#define nat44_is_ses_closed(s) s->state == 0xf - +/* Session flags */ #define SNAT_SESSION_FLAG_STATIC_MAPPING 1 #define SNAT_SESSION_FLAG_UNKNOWN_PROTO 2 #define SNAT_SESSION_FLAG_LOAD_BALANCING 4 
@@ -154,47 +175,51 @@ typedef enum { #define SNAT_SESSION_FLAG_FWD_BYPASS 32 #define SNAT_SESSION_FLAG_AFFINITY 64 +/* NAT interface flags */ #define NAT_INTERFACE_FLAG_IS_INSIDE 1 #define NAT_INTERFACE_FLAG_IS_OUTSIDE 2 -typedef CLIB_PACKED(struct { - snat_session_key_t out2in; /* 0-15 */ +/* *INDENT-OFF* */ +typedef CLIB_PACKED(struct +{ + /* Outside network key */ + snat_session_key_t out2in; - snat_session_key_t in2out; /* 16-31 */ + /* Inside network key */ + snat_session_key_t in2out; - u32 flags; /* 32-35 */ + /* Flags */ + u32 flags; - /* per-user translations */ - u32 per_user_index; /* 36-39 */ - - u32 per_user_list_head_index; /* 40-43 */ + /* Per-user translations */ + u32 per_user_index; + u32 per_user_list_head_index; /* Last heard timer */ - f64 last_heard; /* 44-51 */ - - u64 total_bytes; /* 52-59 */ - - u32 total_pkts; /* 60-63 */ + f64 last_heard; - /* Outside address */ - u32 outside_address_index; /* 64-67 */ + /* Counters */ + u64 total_bytes; + u32 total_pkts; /* External host address and port */ - ip4_address_t ext_host_addr; /* 68-71 */ - u16 ext_host_port; /* 72-73 */ + ip4_address_t ext_host_addr; + u16 ext_host_port; /* External host address and port after translation */ - ip4_address_t ext_host_nat_addr; /* 74-77 */ - u16 ext_host_nat_port; /* 78-79 */ + ip4_address_t ext_host_nat_addr; + u16 ext_host_nat_port; /* TCP session state */ u8 state; u32 i2o_fin_seq; u32 o2i_fin_seq; }) snat_session_t; +/* *INDENT-ON* */ -typedef struct { +typedef struct +{ ip4_address_t addr; u32 fib_index; u32 sessions_per_user_list_head_index; 
@@ -202,86 +227,131 @@ typedef struct { u32 nstaticsessions; } snat_user_t; -typedef struct { +typedef struct +{ ip4_address_t addr; u32 fib_index; +/* *INDENT-OFF* */ #define _(N, i, n, s) \ u16 busy_##n##_ports; \ u16 * busy_##n##_ports_per_thread; \ uword * busy_##n##_port_bitmap; foreach_snat_protocol #undef _ +/* *INDENT-ON* */ } snat_address_t; -typedef struct { +typedef struct +{ u32 fib_index; u32 refcount; } nat_outside_fib_t; -typedef struct { +typedef struct +{ + /* Inside network port */ u16 in_port; + /* Outside network address and port */ snat_det_out_key_t out; + /* Session state */ u8 state; + /* Expire timeout */ u32 expire; } snat_det_session_t; -typedef struct { +typedef struct +{ + /* inside IP address range */ ip4_address_t in_addr; u8 in_plen; + /* outside IP address range */ ip4_address_t out_addr; u8 out_plen; + /* inside IP addresses / outside IP addresses */ u32 sharing_ratio; + /* number of ports available to internal host */ u16 ports_per_host; + /* session counter */ u32 ses_num; /* vector of sessions */ - snat_det_session_t * sessions; + snat_det_session_t *sessions; } snat_det_map_t; -typedef struct { +typedef struct +{ + /* backend IP address */ ip4_address_t addr; + /* backend port number */ u16 port; + /* probability of the backend to be randomly matched */ u8 probability; u8 prefix; + /* backend FIB table */ u32 vrf_id; u32 fib_index; } nat44_lb_addr_port_t; -typedef enum { +typedef enum +{ + /* twice-nat disabled */ TWICE_NAT_DISABLED, + /* twice-nat enabled */ TWICE_NAT, + /* twice-nat only when src IP equals dst IP after translation */ TWICE_NAT_SELF, } twice_nat_type_t; -typedef enum { +typedef enum +{ + /* no load-balancing */ NO_LB_NAT, + /* load-balancing */ LB_NAT, + /* load-balancing with affinity */ AFFINITY_LB_NAT, } lb_nat_type_t; -typedef struct { +typedef struct +{ + /* local IP address */ ip4_address_t local_addr; + /* external IP address */ ip4_address_t external_addr; + /* local port */ u16 local_port; + /* 
external port */ u16 external_port; + /* 1 = 1:1NAT, 0 = 1:1NAPT */ u8 addr_only; + /* is twice-nat */ twice_nat_type_t twice_nat; + /* 1 = rule match only out2in direction */ u8 out2in_only; + /* local FIB table */ u32 vrf_id; u32 fib_index; + /* protocol */ snat_protocol_t proto; + /* 0 = disabled, otherwise client IP affinity sticky time in seconds */ u32 affinity; + /* worker threads used by backends/local host */ u32 *workers; + /* opaque string tag */ u8 *tag; + /* backends for load-balancing mode */ nat44_lb_addr_port_t *locals; + /* affinity per service lis */ u32 affinity_per_service_list_head_index; } snat_static_mapping_t; -typedef struct { +typedef struct +{ u32 sw_if_index; u8 flags; } snat_interface_t; -typedef struct { +typedef struct +{ ip4_address_t l_addr; u16 l_port; u16 e_port; @@ -294,7 +364,8 @@ typedef struct { u8 *tag; } snat_static_map_resolve_t; -typedef struct { +typedef struct +{ /* Main lookup tables */ clib_bihash_8_8_t out2in; clib_bihash_8_8_t in2out; 
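Review bot: The comment added on the last member of snat_static_mapping_t reads `/* affinity per service lis */` and should be `/* affinity per service list */`. In the same hunk the `prefix` member of nat44_lb_addr_port_t is the only field that did not receive a comment while its siblings did, which leaves its relationship to `probability` unexplained; something like `/* cumulative probability bound used when picking a backend — confirm against the selection code */` would do, hedged because the selection logic is not in this hunk. snat_static_map_resolve_t and snat_interface_t were also left undocumented in the new style.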
@@ -307,54 +378,60 @@ typedef struct { clib_bihash_8_8_t user_hash; /* User pool */ - snat_user_t * users; + snat_user_t *users; /* Session pool */ - snat_session_t * sessions; + snat_session_t *sessions; /* Pool of doubly-linked list elements */ - dlist_elt_t * list_pool; + dlist_elt_t *list_pool; + /* NAT thread index */ u32 snat_thread_index; } snat_main_per_thread_data_t; struct snat_main_s; -typedef u32 snat_icmp_match_function_t (struct snat_main_s *sm, - vlib_node_runtime_t *node, - u32 thread_index, - vlib_buffer_t *b0, - ip4_header_t *ip0, - u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, - void *d, - void *e); - -typedef u32 (snat_get_worker_function_t) (ip4_header_t * ip, u32 rx_fib_index); - -typedef int nat_alloc_out_addr_and_port_function_t (snat_address_t * addresses, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp, - u16 port_per_thread, - u32 snat_thread_index); - -typedef struct snat_main_s { - snat_icmp_match_function_t * icmp_match_in2out_cb; - snat_icmp_match_function_t * icmp_match_out2in_cb; - +/* ICMP session match function */ +typedef u32 (snat_icmp_match_function_t) (struct snat_main_s * sm, + vlib_node_runtime_t * node, + u32 thread_index, + vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, + void *e); + +/* Return worker thread index for given packet */ +typedef u32 (snat_get_worker_function_t) (ip4_header_t * ip, + u32 rx_fib_index); + +/* NAT address and port allacotaion function */ +typedef int (nat_alloc_out_addr_and_port_function_t) (snat_address_t * + addresses, + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u16 port_per_thread, + u32 snat_thread_index); + +typedef struct snat_main_s +{ + /* ICMP session match functions */ + snat_icmp_match_function_t *icmp_match_in2out_cb; + snat_icmp_match_function_t *icmp_match_out2in_cb; + + /* Thread settings */ u32 num_workers; u32 
first_worker_index; - u32 * workers; - snat_get_worker_function_t * worker_in2out_cb; - snat_get_worker_function_t * worker_out2in_cb; + u32 *workers; + snat_get_worker_function_t *worker_in2out_cb; + snat_get_worker_function_t *worker_out2in_cb; u16 port_per_thread; u32 num_snat_thread; /* Per thread data */ - snat_main_per_thread_data_t * per_thread_data; + snat_main_per_thread_data_t *per_thread_data; /* Find a static mapping by local */ clib_bihash_8_8_t static_mapping_by_local; @@ -363,14 +440,14 @@ typedef struct snat_main_s { clib_bihash_8_8_t static_mapping_by_external; /* Static mapping pool */ - snat_static_mapping_t * static_mappings; + snat_static_mapping_t *static_mappings; /* Interface pool */ - snat_interface_t * interfaces; - snat_interface_t * output_feature_interfaces; + snat_interface_t *interfaces; + snat_interface_t *output_feature_interfaces; /* Vector of outside addresses */ - snat_address_t * addresses; + snat_address_t *addresses; /* Address and port allocation function */ nat_alloc_out_addr_and_port_function_t *alloc_addr_and_port; /* Address and port allocation type */ @@ -384,14 +461,14 @@ typedef struct snat_main_s { u16 end_port; /* vector of outside fibs */ - nat_outside_fib_t * outside_fibs; + nat_outside_fib_t *outside_fibs; /* Vector of twice NAT addresses for extenal hosts */ - snat_address_t * twice_nat_addresses; + snat_address_t *twice_nat_addresses; /* sw_if_indices whose intfc addresses should be auto-added */ - u32 * auto_add_sw_if_indices; - u32 * auto_add_sw_if_indices_twice_nat; + u32 *auto_add_sw_if_indices; + u32 *auto_add_sw_if_indices_twice_nat; /* vector of interface address static mappings to resolve. */ snat_static_map_resolve_t *to_resolve; @@ -399,7 +476,7 @@ typedef struct snat_main_s { /* Randomize port allocation order */ u32 random_seed; - /* Worker handoff index */ + /* Worker handoff frame-queue index */ u32 fq_in2out_index; u32 fq_in2out_output_index; u32 fq_out2in_index; 
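Review bot: The comment on the allocator callback typedef reads `/* NAT address and port allacotaion function */` and should be `/* NAT address and port allocation function */`; more usefully, it should state what `k` carries in each direction, since the `u32 * address_indexp` output parameter was dropped and `k` is now the only result channel — presumably protocol and fib_index are inputs and addr/port are filled on success, but that is inferred from the call sites rather than shown here, so it should be confirmed against the default allocator. Removing the parameter is also an ABI change for any out-of-tree implementation of nat_alloc_out_addr_and_port_function_t, which the commit message does not mention.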
@@ -410,8 +487,8 @@ typedef struct snat_main_s { u32 out2in_node_index; u32 error_node_index; - /* Deterministic NAT */ - snat_det_map_t * det_maps; + /* Deterministic NAT mappings */ + snat_det_map_t *det_maps; /* If forwarding is enabled */ u8 forwarding_enabled; @@ -450,18 +527,25 @@ typedef struct snat_main_s { vlib_log_class_t log_class; /* convenience */ - vlib_main_t * vlib_main; - vnet_main_t * vnet_main; - ip4_main_t * ip4_main; - ip_lookup_main_t * ip4_lookup_main; - api_main_t * api_main; + vlib_main_t *vlib_main; + vnet_main_t *vnet_main; + ip4_main_t *ip4_main; + ip_lookup_main_t *ip4_lookup_main; + api_main_t *api_main; } snat_main_t; -typedef struct { +typedef struct +{ u32 thread_index; f64 now; } nat44_is_idle_session_ctx_t; +typedef struct +{ + u32 cached_sw_if_index; + u32 cached_ip4_address; +} snat_runtime_t; + extern snat_main_t snat_main; extern vlib_node_registration_t snat_in2out_node; extern vlib_node_registration_t snat_in2out_output_node; 
@@ -484,42 +568,19 @@ extern vlib_node_registration_t nat44_ed_in2out_worker_handoff_node; extern vlib_node_registration_t nat44_ed_in2out_output_worker_handoff_node; extern vlib_node_registration_t nat44_ed_out2in_worker_handoff_node; -void snat_free_outside_address_and_port (snat_address_t * addresses, - u32 thread_index, - snat_session_key_t * k); - -int snat_alloc_outside_address_and_port (snat_address_t * addresses, - u32 fib_index, - u32 thread_index, - snat_session_key_t * k, - u32 * address_indexp, - u16 port_per_thread, - u32 snat_thread_index); - -int snat_static_mapping_match (snat_main_t * sm, - snat_session_key_t match, - snat_session_key_t * mapping, - u8 by_external, - u8 *is_addr_only, - twice_nat_type_t *twice_nat, - lb_nat_type_t *lb, - ip4_address_t * ext_host_addr); - -void snat_add_del_addr_to_fib (ip4_address_t * addr, - u8 p_len, - u32 sw_if_index, - int is_add); - +/* format functions */ format_function_t format_snat_user; format_function_t format_snat_static_mapping; format_function_t format_snat_static_map_to_resolve; format_function_t format_snat_session; format_function_t format_det_map_ses; - -typedef struct { - u32 cached_sw_if_index; - u32 cached_ip4_address; -} snat_runtime_t; +format_function_t format_snat_key; +format_function_t format_static_mapping_key; +format_function_t format_snat_protocol; +format_function_t format_nat_addr_and_port_alloc_alg; +format_function_t format_nat44_reass_trace; +/* unformat functions */ +unformat_function_t unformat_snat_protocol; /** \brief Check if SNAT session is created from static mapping. @param s SNAT session 
@@ -563,9 +624,25 @@ typedef struct { */ #define is_affinity_sessions(s) (s->flags & SNAT_SESSION_FLAG_AFFINITY) +/** \brief Check if NAT interface is inside. + @param i NAT interfce + @return 1 if inside interface +*/ #define nat_interface_is_inside(i) i->flags & NAT_INTERFACE_FLAG_IS_INSIDE + +/** \brief Check if NAT interface is outside. + @param i NAT interfce + @return 1 if outside interface +*/ #define nat_interface_is_outside(i) i->flags & NAT_INTERFACE_FLAG_IS_OUTSIDE +/** \brief Check if NAT44 endpoint-dependent TCP session is closed. + @param s NAT session + @return 1 if session is closed +*/ +#define nat44_is_ses_closed(s) s->state == 0xf + +/* logging */ #define nat_log_err(...) \ vlib_log(VLIB_LOG_LEVEL_ERR, snat_main.log_class, __VA_ARGS__) #define nat_log_warn(...) \ 
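Review bot: The three function-like macros documented in this hunk expand without parentheses, so `!nat_interface_is_inside (i)` becomes `!i->flags & NAT_INTERFACE_FLAG_IS_INSIDE` (negating the flags word before the mask) and `x == nat44_is_ses_closed (s)` parses as `x == s->state == 0xf`; the newly added `nat44_is_ses_closed` has the same hazard as the two it sits beside. They should be `#define nat_interface_is_inside(i) ((i)->flags & NAT_INTERFACE_FLAG_IS_INSIDE)`, `#define nat_interface_is_outside(i) ((i)->flags & NAT_INTERFACE_FLAG_IS_OUTSIDE)` and `#define nat44_is_ses_closed(s) ((s)->state == 0xf)`, as is_affinity_sessions already is. The `@return 1 if ...` lines on the interface macros are also slightly off, since the expression yields the flag bit (2 for outside), so "non-zero" is the accurate wording; "interfce" is a typo in both.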
@@ -577,107 +654,402 @@ typedef struct { #define nat_log_debug(...)\ vlib_log(VLIB_LOG_LEVEL_DEBUG, snat_main.log_class, __VA_ARGS__) +/* ICMP session match functions */ +u32 icmp_match_in2out_fast (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); +u32 icmp_match_in2out_slow (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); +u32 icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); +u32 icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); + +/* ICMP deterministic NAT session match functions */ +u32 icmp_match_out2in_det (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); +u32 icmp_match_in2out_det (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); + +/* ICMP endpoint-dependent session match functions */ +u32 icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); +u32 icmp_match_in2out_ed (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * 
ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e); + +u32 icmp_in2out (snat_main_t * sm, vlib_buffer_t * b0, ip4_header_t * ip0, + icmp46_header_t * icmp0, u32 sw_if_index0, u32 rx_fib_index0, + vlib_node_runtime_t * node, u32 next0, u32 thread_index, + void *d, void *e); + +u32 icmp_out2in (snat_main_t * sm, vlib_buffer_t * b0, ip4_header_t * ip0, + icmp46_header_t * icmp0, u32 sw_if_index0, u32 rx_fib_index0, + vlib_node_runtime_t * node, u32 next0, u32 thread_index, + void *d, void *e); + +/* hairpinning functions */ +u32 snat_icmp_hairpinning (snat_main_t * sm, vlib_buffer_t * b0, + ip4_header_t * ip0, icmp46_header_t * icmp0, + int is_ed); +void nat_hairpinning_sm_unknown_proto (snat_main_t * sm, vlib_buffer_t * b, + ip4_header_t * ip); +void nat44_ed_hairpinning_unknown_proto (snat_main_t * sm, vlib_buffer_t * b, + ip4_header_t * ip); +int snat_hairpinning (snat_main_t * sm, vlib_buffer_t * b0, + ip4_header_t * ip0, udp_header_t * udp0, + tcp_header_t * tcp0, u32 proto0, int is_ed); +void nat44_reass_hairpinning (snat_main_t * sm, vlib_buffer_t * b0, + ip4_header_t * ip0, u16 sport, u16 dport, + u32 proto0, int is_ed); + +/* Call back functions for clib_bihash_add_or_overwrite_stale */ +int nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg); +int nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg); +int nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg); +int nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg); + +/** + * @brief Increment IPv4 address + */ +void increment_v4_address (ip4_address_t * a); + +/** + * @brief Add external address to NAT44 pool + * + * @param addr IPv4 address + * @param vrf_id VRF id of tenant, ~0 means independent of VRF + * @param twice_nat 1 if twice NAT address + * + * @return 0 on success, non-zero value otherwise + */ +int snat_add_address (snat_main_t * sm, ip4_address_t * addr, u32 vrf_id, + u8 twice_nat); 
+ +/** + * @brief Delete external address from NAT44 pool + * + * @param addr IPv4 address + * @param delete_sm 1 if delete static mapping using address + * @param twice_nat 1 if twice NAT address + * + * @return 0 on success, non-zero value otherwise + */ +int snat_del_address (snat_main_t * sm, ip4_address_t addr, u8 delete_sm, + u8 twice_nat); + +/** + * @brief Add/delete external address to FIB DPO (out2in DPO mode) + * + * @param addr IPv4 address + * @param is_add 1 = add, 0 = delete + * + * @return 0 on success, non-zero value otherwise + */ +void nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add); + +/** + * @brief Add/delete NAT44 static mapping + * + * @param l_addr local IPv4 address + * @param e_addr external IPv4 address + * @param l_port local port number + * @param e_port external port number + * @param vrf_id local VRF ID + * @param addr_only 1 = 1:1NAT, 0 = 1:1NAPT + * @param sw_if_index use interface address as external IPv4 address + * @param proto L4 protocol + * @param is_add 1 = add, 0 = delete + * @param twice_nat twice-nat mode + * @param out2in_only if 1 rule match only out2in direction + * @param tagi opaque string tag + * + * @return 0 on success, non-zero value otherwise + */ +int snat_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr, + u16 l_port, u16 e_port, u32 vrf_id, + int addr_only, u32 sw_if_index, + snat_protocol_t proto, int is_add, + twice_nat_type_t twice_nat, u8 out2in_only, + u8 * tag); + +/** + * @brief Add/delete static mapping with load-balancing (multiple backends) + * + * @param e_addr external IPv4 address + * @param e_port external port number + * @param proto L4 protocol + * @param locals list of local backends + * @param is_add 1 = add, 0 = delete + * @param twice_nat twice-nat mode + * @param out2in_only if 1 rule match only out2in direction + * @param tag opaque string tag + * @param affinity 0 = disabled, otherwise client IP affinity sticky time + * + * @return 0 on success, non-zero value 
otherwise + */ +int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, + snat_protocol_t proto, + nat44_lb_addr_port_t * locals, u8 is_add, + twice_nat_type_t twice_nat, + u8 out2in_only, u8 * tag, u32 affinity); + +clib_error_t *snat_api_init (vlib_main_t * vm, snat_main_t * sm); + +/** + * @brief Set NAT plugin workers + * + * @param bitmap NAT workers bitmap + * + * @return 0 on success, non-zero value otherwise + */ +int snat_set_workers (uword * bitmap); + +/** + * @brief Enable/disable NAT44 feature on the interface + * + * @param sw_if_index software index of the interface + * @param is_inside 1 = inside, 0 = outside + * @param is_del 1 = delete, 0 = add + * + * @return 0 on success, non-zero value otherwise + */ +int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del); + +/** + * @brief Enable/disable NAT44 output feature on the interface (postrouting NAT) + * + * @param sw_if_index software index of the interface + * @param is_inside 1 = inside, 0 = outside + * @param is_del 1 = delete, 0 = add + * + * @return 0 on success, non-zero value otherwise + */ +int snat_interface_add_del_output_feature (u32 sw_if_index, u8 is_inside, + int is_del); + +/** + * @brief Add/delete NAT44 pool address from specific interfce + * + * @param sw_if_index software index of the interface + * @param is_del 1 = delete, 0 = add + * @param twice_nat 1 = twice NAT address for extenal hosts + * + * @return 0 on success, non-zero value otherwise + */ +int snat_add_interface_address (snat_main_t * sm, u32 sw_if_index, int is_del, + u8 twice_nat); + +/** + * @brief Delete NAT44 session + * + * @param addr IPv4 address + * @param port L4 port number + * @param proto L4 protocol + * @param vrf_id VRF ID + * @param is_in 1 = inside network addres and por pair, 0 = outside + * + * @return 0 on success, non-zero value otherwise + */ +int nat44_del_session (snat_main_t * sm, ip4_address_t * addr, u16 port, + snat_protocol_t proto, u32 vrf_id, int is_in); + 
+/** + * @brief Delete NAT44 endpoint-dependent session + * + * @param addr IPv4 address + * @param port L4 port number + * @param proto L4 protocol + * @param vrf_id VRF ID + * @param is_in 1 = inside network addres and por pair, 0 = outside + * + * @return 0 on success, non-zero value otherwise + */ +int nat44_del_ed_session (snat_main_t * sm, ip4_address_t * addr, u16 port, + ip4_address_t * eh_addr, u16 eh_port, u8 proto, + u32 vrf_id, int is_in); + +/** + * @brief Free NAT44 session data (lookup keys, external addrres port) + * + * @param s NAT session + * @param thread_index thread index + */ +void nat_free_session_data (snat_main_t * sm, snat_session_t * s, + u32 thread_index); + +/** + * @brief Find or create NAT user + * + * @param addr IPv4 address + * @param fib_index FIB table index + * @param thread_index thread index + * + * @return NAT user data structure on success otherwise zero value + */ +snat_user_t *nat_user_get_or_create (snat_main_t * sm, ip4_address_t * addr, + u32 fib_index, u32 thread_index); + +/** + * @brief Allocate new NAT session or recycle last used + * + * @param u NAT user + * @param thread_index thread index + * + * @return session data structure on success otherwise zero value + */ +snat_session_t *nat_session_alloc_or_recycle (snat_main_t * sm, + snat_user_t * u, + u32 thread_index); + +/** + * @brief Allocate NAT endpoint-dependent session + * + * @param u NAT user + * @param thread_index thread index + * + * @return session data structure on success otherwise zero value + */ +snat_session_t *nat_ed_session_alloc (snat_main_t * sm, snat_user_t * u, + u32 thread_index); + +/** + * @brief Set address and port assignment algorithm for MAP-E CE + * + * @param psid Port Set Identifier value + * @param psid_offset number of offset bits + * @param psid_length length of PSID + */ +void nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, + u16 psid_length); + +/** + * @brief Set address and port assignment algorithm for port 
range + * + * @param start_port beginning of the port range + * @param end_port end of the port range + */ +void nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port); + +/** + * @brief Set address and port assignment algorithm to default/standard + */ +void nat_set_alloc_addr_and_port_default (void); + +/** + * @brief Free outside address and port pair + * + * @param addresses vector of outside addresses + * @param thread_index thread index + * @param k adddress, port and protocol + */ +void snat_free_outside_address_and_port (snat_address_t * addresses, + u32 thread_index, + snat_session_key_t * k); + +/** + * @brief Alloc outside address and port + * + * @param addresses vector of outside addresses + * @param fib_index FIB table index + * @param thread_index thread index + * @param k allocated address and port pair + * @param port_per_thread number of ports per threead + * @param snat_thread_index NAT thread index + * + * @return 0 on success, non-zero value otherwise + */ +int snat_alloc_outside_address_and_port (snat_address_t * addresses, + u32 fib_index, + u32 thread_index, + snat_session_key_t * k, + u16 port_per_thread, + u32 snat_thread_index); + +/** + * @brief Match NAT44 static mapping. + * + * @param match address and port to match + * @param mapping external/local address and port of the matched mapping + * @param by_external if 0 match by local address otherwise match by external + * address + * @param is_addr_only 1 if matched mapping is address only + * @param twice_nat matched mapping is twice NAT type + * @param lb 1 if matched mapping is load-balanced + * @param ext_host_addr external host address + * + * @returns 0 if match found otherwise 1. + */ +int snat_static_mapping_match (snat_main_t * sm, + snat_session_key_t match, + snat_session_key_t * mapping, + u8 by_external, + u8 * is_addr_only, + twice_nat_type_t * twice_nat, + lb_nat_type_t * lb, + ip4_address_t * ext_host_addr); + +/** + * @brief Add/del NAT address to FIB. 
+ * + * Add the external NAT address to the FIB as receive entries. This ensures + * that VPP will reply to ARP for this address and we don't need to enable + * proxy ARP on the outside interface. + * + * @param addr IPv4 address + * @param plen address prefix length + * @param sw_if_index software index of the outside interface + * @param is_add 0 = delete, 1 = add. + */ +void snat_add_del_addr_to_fib (ip4_address_t * addr, + u8 p_len, u32 sw_if_index, int is_add); + + /* * Why is this here? Because we don't need to touch this layer to * simply reply to an icmp. We need to change id to a unique * value to NAT an echo request/reply. */ -typedef struct { +typedef struct +{ u16 identifier; u16 sequence; } icmp_echo_header_t; -typedef struct { +typedef struct +{ u16 src_port, dst_port; } tcp_udp_header_t; -u32 icmp_match_in2out_fast(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -u32 icmp_match_in2out_det(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -u32 icmp_match_in2out_ed(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, 
vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -u32 icmp_match_out2in_ed(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e); -void increment_v4_address(ip4_address_t * a); -int snat_add_address(snat_main_t *sm, ip4_address_t *addr, u32 vrf_id, - u8 twice_nat); -int snat_del_address(snat_main_t *sm, ip4_address_t addr, u8 delete_sm, - u8 twice_nat); -void nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add); -int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr, - u16 l_port, u16 e_port, u32 vrf_id, int addr_only, - u32 sw_if_index, snat_protocol_t proto, int is_add, - twice_nat_type_t twice_nat, u8 out2in_only, - u8 *tag); -clib_error_t * snat_api_init(vlib_main_t * vm, snat_main_t * sm); -int snat_set_workers (uword * bitmap); -int snat_interface_add_del(u32 sw_if_index, u8 is_inside, int is_del); -int snat_interface_add_del_output_feature(u32 sw_if_index, u8 is_inside, - int is_del); -int snat_add_interface_address(snat_main_t *sm, u32 sw_if_index, int is_del, - u8 twice_nat); -uword unformat_snat_protocol(unformat_input_t * input, va_list * args); -u8 * format_snat_protocol(u8 * s, va_list * args); -u8 * format_nat_addr_and_port_alloc_alg(u8 * s, va_list * args); -int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port, - snat_protocol_t proto, - nat44_lb_addr_port_t *locals, u8 is_add, - twice_nat_type_t twice_nat, u8 out2in_only, - u8 *tag, u32 affinity); -int nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port, - snat_protocol_t proto, u32 vrf_id, int is_in); -int 
nat44_del_ed_session (snat_main_t *sm, ip4_address_t *addr, u16 port, - ip4_address_t *eh_addr, u16 eh_port, u8 proto, - u32 vrf_id, int is_in); -void nat_free_session_data (snat_main_t * sm, snat_session_t * s, - u32 thread_index); -snat_user_t * nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, - u32 fib_index, u32 thread_index); -snat_session_t * nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, - u32 thread_index); -snat_session_t * nat_ed_session_alloc (snat_main_t *sm, snat_user_t *u, - u32 thread_index); -void nat_set_alloc_addr_and_port_mape (u16 psid, u16 psid_offset, - u16 psid_length); -void nat_set_alloc_addr_and_port_range (u16 start_port, u16 end_port); -void nat_set_alloc_addr_and_port_default (void); -int nat44_i2o_ed_is_idle_session_cb (clib_bihash_kv_16_8_t *kv, void *arg); -int nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t *kv, void *arg); -int nat44_i2o_is_idle_session_cb (clib_bihash_kv_8_8_t *kv, void *arg); -int nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t *kv, void *arg); +#endif /* __included_nat_h__ */ -#endif /* __included_snat_h__ */ +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat44_classify.c b/src/plugins/nat/nat44_classify.c new file mode 100644 index 00000000000..0e9863c02ac --- /dev/null +++ b/src/plugins/nat/nat44_classify.c 
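Review bot: nat44_add_del_address_dpo is declared `void` yet its new doc comment carries `@return 0 on success, non-zero value otherwise`, which a reader will take as a promise of error reporting that does not exist; drop that line or, if failures are possible inside, change the signature to return them. In the same hunk, the nat44_del_ed_session comment copies nat44_del_session's parameter list and omits `eh_addr` and `eh_port`; add `@param eh_addr external host IPv4 address` and `@param eh_port external host port number`, and note that its `proto` is a `u8` rather than the `snat_protocol_t` taken by nat44_del_session — presumably the raw IP protocol number, which callers need to know and which should be confirmed against the implementation. Several typos remain in the new comments: "tagi", "threead", "adddress", "addrres", "addres and por pair", "interfce", "extenal".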
@@ -0,0 +1,516 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief Classify for one armed NAT44 (in+out interface) + */ + +#include +#include +#include +#include +#include +#include + +vlib_node_registration_t nat44_classify_node; +vlib_node_registration_t nat44_ed_classify_node; +vlib_node_registration_t nat44_det_classify_node; +vlib_node_registration_t nat44_handoff_classify_node; + +#define foreach_nat44_classify_error \ +_(MAX_REASS, "Maximum reassemblies exceeded") \ +_(MAX_FRAG, "Maximum fragments per reassembly exceeded") + +typedef enum +{ +#define _(sym,str) NAT44_CLASSIFY_ERROR_##sym, + foreach_nat44_classify_error +#undef _ + NAT44_CLASSIFY_N_ERROR, +} nat44_classify_error_t; + +static char *nat44_classify_error_strings[] = { +#define _(sym,string) string, + foreach_nat44_classify_error +#undef _ +}; + +typedef enum +{ + NAT44_CLASSIFY_NEXT_IN2OUT, + NAT44_CLASSIFY_NEXT_OUT2IN, + NAT44_CLASSIFY_NEXT_DROP, + NAT44_CLASSIFY_N_NEXT, +} nat44_classify_next_t; + +typedef struct +{ + u8 next_in2out; + u8 cached; +} nat44_classify_trace_t; + +static u8 * +format_nat44_classify_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat44_classify_trace_t *t = va_arg (*args, nat44_classify_trace_t *); + char *next; + + if (t->cached) + s = format (s, 
"nat44-classify: fragment cached"); + else + { + next = t->next_in2out ? "nat44-in2out" : "nat44-out2in"; + s = format (s, "nat44-classify: next %s", next); + } + + return s; +} + +static inline uword +nat44_classify_node_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, int is_ed) +{ + u32 n_left_from, *from, *to_next; + nat44_classify_next_t next_index; + snat_main_t *sm = &snat_main; + snat_static_mapping_t *m; + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + u32 *fragments_to_drop = 0; + u32 *fragments_to_loopback = 0; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT, sw_if_index0, rx_fib_index0; + ip4_header_t *ip0; + snat_address_t *ap; + snat_session_key_t m_key0; + clib_bihash_kv_8_8_t kv0, value0; + clib_bihash_kv_16_8_t ed_kv0, ed_value0; + udp_header_t *udp0; + nat_reass_ip4_t *reass0; + u8 cached0 = 0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + + if (is_ed && ip0->protocol != IP_PROTOCOL_ICMP) + { + if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0)) + { + /* process leading fragment/whole packet (with L4 header) */ + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + make_ed_kv (&ed_kv0, &ip0->src_address, &ip0->dst_address, + ip0->protocol, rx_fib_index0, udp0->src_port, + udp0->dst_port); + if 
(ip4_is_fragment (ip0)) + { + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, + &fragments_to_drop); + if (PREDICT_FALSE (!reass0)) + { + next0 = NAT44_CLASSIFY_NEXT_DROP; + b0->error = + node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto enqueue0; + } + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0, + &ed_value0)) + { + /* session exists so classify as IN2OUT, + * save this information for future fragments and set + * past fragments to be looped over and reprocessed */ + reass0->sess_index = ed_value0.value; + reass0->classify_next = + NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + goto enqueue0; + } + else + { + /* session doesn't exist so continue in the code, + * save this information for future fragments and set + * past fragments to be looped over and reprocessed */ + reass0->flags |= + NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + } + } + else + { + /* process whole packet */ + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &ed_kv0, + &ed_value0)) + goto enqueue0; + /* session doesn't exist so continue in code */ + } + } + else + { + /* process non-first fragment */ + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, + &fragments_to_drop); + if (PREDICT_FALSE (!reass0)) + { + next0 = NAT44_CLASSIFY_NEXT_DROP; + b0->error = + node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto enqueue0; + } + /* check if first fragment has arrived */ + if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE && + !(reass0->flags & NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE)) + { + /* first fragment still hasn't arrived, cache this fragment */ + if (nat_ip4_reass_add_fragment (reass0, bi0, + &fragments_to_drop)) + { + 
b0->error = + node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG]; + nat_log_notice + ("maximum fragments per reassembly exceeded"); + next0 = NAT44_CLASSIFY_NEXT_DROP; + goto enqueue0; + } + cached0 = 1; + goto enqueue0; + } + if (reass0->classify_next == + NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT) + goto enqueue0; + /* flag NAT_REASS_FLAG_CLASSIFY_ED_CONTINUE is set + * so keep the default next0 and continue in code to + * potentially find other classification for this packet */ + } + } + + /* *INDENT-OFF* */ + vec_foreach (ap, sm->addresses) + { + if (ip0->dst_address.as_u32 == ap->addr.as_u32) + { + next0 = NAT44_CLASSIFY_NEXT_OUT2IN; + goto enqueue0; + } + } + /* *INDENT-ON* */ + + if (PREDICT_FALSE (pool_elts (sm->static_mappings))) + { + m_key0.addr = ip0->dst_address; + m_key0.port = 0; + m_key0.protocol = 0; + m_key0.fib_index = 0; + kv0.key = m_key0.as_u64; + /* try to classify the fragment based on IP header alone */ + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, + &kv0, &value0)) + { + m = pool_elt_at_index (sm->static_mappings, value0.value); + if (m->local_addr.as_u32 != m->external_addr.as_u32) + next0 = NAT44_CLASSIFY_NEXT_OUT2IN; + goto enqueue0; + } + if (!ip4_is_fragment (ip0) || ip4_is_first_fragment (ip0)) + { + /* process leading fragment/whole packet (with L4 header) */ + m_key0.port = clib_net_to_host_u16 (udp0->dst_port); + m_key0.protocol = ip_proto_to_snat_proto (ip0->protocol); + kv0.key = m_key0.as_u64; + if (!clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv0, &value0)) + { + m = + pool_elt_at_index (sm->static_mappings, value0.value); + if (m->local_addr.as_u32 != m->external_addr.as_u32) + next0 = NAT44_CLASSIFY_NEXT_OUT2IN; + } + if (ip4_is_fragment (ip0)) + { + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, + &fragments_to_drop); + if (PREDICT_FALSE (!reass0)) + { + next0 = NAT44_CLASSIFY_NEXT_DROP; + b0->error = + 
node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto enqueue0; + } + /* save classification for future fragments and set past + * fragments to be looped over and reprocessed */ + if (next0 == NAT44_CLASSIFY_NEXT_OUT2IN) + reass0->classify_next = + NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN; + else + reass0->classify_next = + NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + } + } + else + { + /* process non-first fragment */ + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, + &fragments_to_drop); + if (PREDICT_FALSE (!reass0)) + { + next0 = NAT44_CLASSIFY_NEXT_DROP; + b0->error = + node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto enqueue0; + } + if (reass0->classify_next == NAT_REASS_IP4_CLASSIFY_NONE) + /* first fragment still hasn't arrived */ + { + if (nat_ip4_reass_add_fragment (reass0, bi0, + &fragments_to_drop)) + { + b0->error = + node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG]; + nat_log_notice + ("maximum fragments per reassembly exceeded"); + next0 = NAT44_CLASSIFY_NEXT_DROP; + goto enqueue0; + } + cached0 = 1; + goto enqueue0; + } + else if (reass0->classify_next == + NAT_REASS_IP4_CLASSIFY_NEXT_OUT2IN) + next0 = NAT44_CLASSIFY_NEXT_OUT2IN; + else if (reass0->classify_next == + NAT_REASS_IP4_CLASSIFY_NEXT_IN2OUT) + next0 = NAT44_CLASSIFY_NEXT_IN2OUT; + } + } + + enqueue0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_classify_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->cached = cached0; + if (!cached0) + t->next_in2out = next0 == NAT44_CLASSIFY_NEXT_IN2OUT ? 
1 : 0; + } + + if (cached0) + { + n_left_to_next++; + to_next--; + } + else + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + + if (n_left_from == 0 && vec_len (fragments_to_loopback)) + { + from = vlib_frame_vector_args (frame); + u32 len = vec_len (fragments_to_loopback); + if (len <= VLIB_FRAME_SIZE) + { + clib_memcpy (from, fragments_to_loopback, + sizeof (u32) * len); + n_left_from = len; + vec_reset_length (fragments_to_loopback); + } + else + { + clib_memcpy (from, + fragments_to_loopback + (len - + VLIB_FRAME_SIZE), + sizeof (u32) * VLIB_FRAME_SIZE); + n_left_from = VLIB_FRAME_SIZE; + _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; + } + } + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + nat_send_all_to_node (vm, fragments_to_drop, node, 0, + NAT44_CLASSIFY_NEXT_DROP); + + vec_free (fragments_to_drop); + + return frame->n_vectors; +} + +static uword +nat44_classify_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return nat44_classify_node_fn_inline (vm, node, frame, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_classify_node) = { + .function = nat44_classify_node_fn, + .name = "nat44-classify", + .vector_size = sizeof (u32), + .format_trace = format_nat44_classify_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_classify_error_strings), + .error_strings = nat44_classify_error_strings, + .n_next_nodes = NAT44_CLASSIFY_N_NEXT, + .next_nodes = { + [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out", + [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in", + [NAT44_CLASSIFY_NEXT_DROP] = "error-drop", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node, nat44_classify_node_fn); +static uword +nat44_ed_classify_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return 
nat44_classify_node_fn_inline (vm, node, frame, 1);
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (nat44_ed_classify_node) = {
+ .function = nat44_ed_classify_node_fn,
+ .name = "nat44-ed-classify",
+ .vector_size = sizeof (u32),
+ .format_trace = format_nat44_classify_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
+ .next_nodes = {
+ [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-ed-in2out",
+ [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-ed-out2in",
+ [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
+ },
+};
+/* *INDENT-ON* */
+
+VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_classify_node,
+ nat44_ed_classify_node_fn);
+
+static uword
+nat44_det_classify_node_fn (vlib_main_t * vm,
+ vlib_node_runtime_t * node, vlib_frame_t * frame)
+{
+ return nat44_classify_node_fn_inline (vm, node, frame, 0);
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (nat44_det_classify_node) = {
+ .function = nat44_det_classify_node_fn,
+ .name = "nat44-det-classify",
+ .vector_size = sizeof (u32),
+ .format_trace = format_nat44_classify_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
+ .next_nodes = {
+ [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out",
+ [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in",
+ [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
+ },
+};
+/* *INDENT-ON* */
+
+VLIB_NODE_FUNCTION_MULTIARCH (nat44_det_classify_node,
+ nat44_det_classify_node_fn);
+
+static uword
+nat44_handoff_classify_node_fn (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * frame)
+{
+ return nat44_classify_node_fn_inline (vm, node, frame, 0);
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (nat44_handoff_classify_node) = {
+ .function = nat44_handoff_classify_node_fn,
+ .name = "nat44-handoff-classify",
+ .vector_size = sizeof (u32),
+ .format_trace = format_nat44_classify_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
+ .next_nodes = {
+ [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff",
+ [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff",
+ [NAT44_CLASSIFY_NEXT_DROP] = "error-drop",
+ },
+};
+
+VLIB_NODE_FUNCTION_MULTIARCH (nat44_handoff_classify_node,
+ nat44_handoff_classify_node_fn);
+/* *INDENT-ON* */
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/plugins/nat/nat44_hairpinning.c b/src/plugins/nat/nat44_hairpinning.c
new file mode 100644
index 00000000000..9d49dc2300e
--- /dev/null
+++ b/src/plugins/nat/nat44_hairpinning.c
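Review bot: `fragments_to_loopback` is never released in nat44_classify_node_fn_inline — the function ends with `vec_free (fragments_to_drop);` only, while the loopback vector is just `vec_reset_length`'d or shrunk through `_vec_len`, so every frame in which `nat_ip4_reass_get_frags` (which presumably appends to it) allocated the vector leaks it, and because that path is driven by fragmented packets arriving from the wire it is a slow heap leak an untrusted peer can keep triggering. Add `vec_free (fragments_to_loopback);` next to the existing free before the return. Separately, the nat44-ed-classify, nat44-det-classify and nat44-handoff-classify registrations carry no `.n_errors`/`.error_strings`, yet the shared inline writes `node->errors[NAT44_CLASSIFY_ERROR_MAX_REASS]` and `node->errors[NAT44_CLASSIFY_ERROR_MAX_FRAG]` on the drop paths; unless some mechanism not visible here shares the table, those three should also set `.n_errors = ARRAY_LEN(nat44_classify_error_strings),` and `.error_strings = nat44_classify_error_strings,` as nat44_classify_node does.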
@@ -0,0 +1,934 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT44 hairpinning + */ + +#include +#include +#include +#include +#include +#include + +typedef enum +{ + SNAT_HAIRPIN_SRC_NEXT_DROP, + SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT, + SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH, + SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT, + SNAT_HAIRPIN_SRC_N_NEXT, +} snat_hairpin_src_next_t; + +typedef enum +{ + NAT_HAIRPIN_NEXT_LOOKUP, + NAT_HAIRPIN_NEXT_DROP, + NAT_HAIRPIN_N_NEXT, +} nat_hairpin_next_t; + +#define foreach_nat44_hairpin_error \ +_(PROCESSED, "NAT44 hairpinning packets processed") + +typedef enum +{ +#define _(sym,str) NAT44_HAIRPIN_ERROR_##sym, + foreach_nat44_hairpin_error +#undef _ + NAT44_HAIRPIN_N_ERROR, +} nat44_hairpin_error_t; + +static char *nat44_hairpin_error_strings[] = { +#define _(sym,string) string, + foreach_nat44_hairpin_error +#undef _ +}; + +vlib_node_registration_t snat_hairpin_dst_node; +vlib_node_registration_t snat_hairpin_src_node; +vlib_node_registration_t nat44_hairpinning_node; +vlib_node_registration_t nat44_ed_hairpin_dst_node; +vlib_node_registration_t nat44_ed_hairpin_src_node; +vlib_node_registration_t nat44_ed_hairpinning_node; + +extern vnet_feature_arc_registration_t vnet_feat_arc_ip4_local; + +static_always_inline int +is_hairpinning (snat_main_t * sm, ip4_address_t * dst_addr) +{ + snat_address_t *ap; + clib_bihash_kv_8_8_t kv, value; + 
snat_session_key_t m_key; + + /* *INDENT-OFF* */ + vec_foreach (ap, sm->addresses) + { + if (ap->addr.as_u32 == dst_addr->as_u32) + return 1; + } + /* *INDENT-ON* */ + + m_key.addr.as_u32 = dst_addr->as_u32; + m_key.fib_index = 0; + m_key.port = 0; + m_key.protocol = 0; + kv.key = m_key.as_u64; + if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) + return 1; + + return 0; +} + +int +snat_hairpinning (snat_main_t * sm, + vlib_buffer_t * b0, + ip4_header_t * ip0, + udp_header_t * udp0, + tcp_header_t * tcp0, u32 proto0, int is_ed) +{ + snat_session_key_t key0, sm0; + snat_session_t *s0; + clib_bihash_kv_8_8_t kv0, value0; + ip_csum_t sum0; + u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si; + u16 new_dst_port0, old_dst_port0; + int rv; + + key0.addr = ip0->dst_address; + key0.port = udp0->dst_port; + key0.protocol = proto0; + key0.fib_index = sm->outside_fib_index; + kv0.key = key0.as_u64; + + /* Check if destination is static mappings */ + if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0)) + { + new_dst_addr0 = sm0.addr.as_u32; + new_dst_port0 = sm0.port; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index; + } + /* or active session */ + else + { + if (sm->num_workers > 1) + ti = + (clib_net_to_host_u16 (udp0->dst_port) - + 1024) / sm->port_per_thread; + else + ti = sm->num_workers; + + if (is_ed) + { + clib_bihash_kv_16_8_t ed_kv, ed_value; + make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address, + ip0->protocol, sm->outside_fib_index, udp0->dst_port, + udp0->src_port); + rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed, + &ed_kv, &ed_value); + si = ed_value.value; + } + else + { + rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, + &value0); + si = value0.value; + } + if (rv) + return 0; + + s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); + new_dst_addr0 = s0->in2out.addr.as_u32; + new_dst_port0 = s0->in2out.port; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = 
s0->in2out.fib_index; + } + + /* Destination is behind the same NAT, use internal address and port */ + if (new_dst_addr0) + { + old_dst_addr0 = ip0->dst_address.as_u32; + ip0->dst_address.as_u32 = new_dst_addr0; + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + ip0->checksum = ip_csum_fold (sum0); + + old_dst_port0 = tcp0->dst; + if (PREDICT_TRUE (new_dst_port0 != old_dst_port0)) + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + tcp0->dst = new_dst_port0; + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0, + ip4_header_t /* cheat */ , length); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + udp0->dst_port = new_dst_port0; + udp0->checksum = 0; + } + } + else + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + tcp0->checksum = ip_csum_fold (sum0); + } + } + return 1; + } + return 0; +} + +u32 +snat_icmp_hairpinning (snat_main_t * sm, + vlib_buffer_t * b0, + ip4_header_t * ip0, icmp46_header_t * icmp0, int is_ed) +{ + snat_session_key_t key0; + clib_bihash_kv_8_8_t kv0, value0; + u32 old_dst_addr0, new_dst_addr0; + u32 old_addr0, new_addr0; + u16 old_port0, new_port0; + u16 old_checksum0, new_checksum0; + u32 si, ti = 0; + ip_csum_t sum0; + snat_session_t *s0; + snat_static_mapping_t *m0; + + if (icmp_is_error_message (icmp0)) + { + ip4_header_t *inner_ip0 = 0; + tcp_udp_header_t *l4_header = 0; + + inner_ip0 = (ip4_header_t *) ((icmp_echo_header_t *) (icmp0 + 1) + 1); + l4_header = ip4_next_header (inner_ip0); + u32 protocol = ip_proto_to_snat_proto (inner_ip0->protocol); + + if (protocol != SNAT_PROTOCOL_TCP && protocol != SNAT_PROTOCOL_UDP) + return 1; + + if (is_ed) + { + clib_bihash_kv_16_8_t ed_kv, ed_value; + make_ed_kv (&ed_kv, 
&ip0->dst_address, &ip0->src_address, + inner_ip0->protocol, sm->outside_fib_index, + l4_header->src_port, l4_header->dst_port); + if (clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed, + &ed_kv, &ed_value)) + return 1; + si = ed_value.value; + } + else + { + key0.addr = ip0->dst_address; + key0.port = l4_header->src_port; + key0.protocol = protocol; + key0.fib_index = sm->outside_fib_index; + kv0.key = key0.as_u64; + if (clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, + &value0)) + return 1; + si = value0.value; + } + s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); + new_dst_addr0 = s0->in2out.addr.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + + /* update inner source IP address */ + old_addr0 = inner_ip0->src_address.as_u32; + inner_ip0->src_address.as_u32 = new_dst_addr0; + new_addr0 = inner_ip0->src_address.as_u32; + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + src_address); + icmp0->checksum = ip_csum_fold (sum0); + + /* update inner IP header checksum */ + old_checksum0 = inner_ip0->checksum; + sum0 = inner_ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + src_address); + inner_ip0->checksum = ip_csum_fold (sum0); + new_checksum0 = inner_ip0->checksum; + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_checksum0, new_checksum0, ip4_header_t, + checksum); + icmp0->checksum = ip_csum_fold (sum0); + + /* update inner source port */ + old_port0 = l4_header->src_port; + l4_header->src_port = s0->in2out.port; + new_port0 = l4_header->src_port; + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_port0, new_port0, tcp_udp_header_t, + src_port); + icmp0->checksum = ip_csum_fold (sum0); + } + else + { + if (!is_ed) + { + icmp_echo_header_t *echo0 = (icmp_echo_header_t *) (icmp0 + 1); + u16 icmp_id0 = echo0->identifier; + key0.addr = ip0->dst_address; + key0.port = icmp_id0; + key0.protocol = 
SNAT_PROTOCOL_ICMP; + key0.fib_index = sm->outside_fib_index; + kv0.key = key0.as_u64; + if (sm->num_workers > 1) + ti = + (clib_net_to_host_u16 (icmp_id0) - 1024) / sm->port_per_thread; + else + ti = sm->num_workers; + int rv = + clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, + &value0); + if (!rv) + { + si = value0.value; + s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); + new_dst_addr0 = s0->in2out.addr.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + echo0->identifier = s0->in2out.port; + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, icmp_id0, s0->in2out.port, + icmp_echo_header_t, identifier); + icmp0->checksum = ip_csum_fold (sum0); + goto change_addr; + } + ti = 0; + } + + key0.addr = ip0->dst_address; + key0.port = 0; + key0.protocol = 0; + key0.fib_index = sm->outside_fib_index; + kv0.key = key0.as_u64; + + if (clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv0, &value0)) + return 1; + + m0 = pool_elt_at_index (sm->static_mappings, value0.value); + + new_dst_addr0 = m0->local_addr.as_u32; + if (vnet_buffer (b0)->sw_if_index[VLIB_TX] == ~0) + vnet_buffer (b0)->sw_if_index[VLIB_TX] = m0->fib_index; + } +change_addr: + /* Destination is behind the same NAT, use internal address and port */ + if (new_dst_addr0) + { + old_dst_addr0 = ip0->dst_address.as_u32; + ip0->dst_address.as_u32 = new_dst_addr0; + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + ip0->checksum = ip_csum_fold (sum0); + } + return 0; +} + +void +nat_hairpinning_sm_unknown_proto (snat_main_t * sm, + vlib_buffer_t * b, ip4_header_t * ip) +{ + clib_bihash_kv_8_8_t kv, value; + snat_static_mapping_t *m; + u32 old_addr, new_addr; + ip_csum_t sum; + + make_sm_kv (&kv, &ip->dst_address, 0, 0, 0); + if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) + return; + + m = pool_elt_at_index (sm->static_mappings, value.value); + + old_addr = 
ip->dst_address.as_u32; + new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32; + sum = ip->checksum; + sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address); + ip->checksum = ip_csum_fold (sum); + + if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0) + vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index; +} + +void +nat44_ed_hairpinning_unknown_proto (snat_main_t * sm, + vlib_buffer_t * b, ip4_header_t * ip) +{ + u32 old_addr, new_addr = 0, ti = 0; + clib_bihash_kv_8_8_t kv, value; + clib_bihash_kv_16_8_t s_kv, s_value; + snat_static_mapping_t *m; + ip_csum_t sum; + snat_session_t *s; + snat_main_per_thread_data_t *tsm; + + if (sm->num_workers > 1) + ti = sm->worker_out2in_cb (ip, sm->outside_fib_index); + else + ti = sm->num_workers; + tsm = &sm->per_thread_data[ti]; + + old_addr = ip->dst_address.as_u32; + make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol, + sm->outside_fib_index, 0, 0); + if (clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value)) + { + make_sm_kv (&kv, &ip->dst_address, 0, 0, 0); + if (clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv, &value)) + return; + + m = pool_elt_at_index (sm->static_mappings, value.value); + if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0) + vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index; + new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32; + } + else + { + s = pool_elt_at_index (sm->per_thread_data[ti].sessions, s_value.value); + if (vnet_buffer (b)->sw_if_index[VLIB_TX] == ~0) + vnet_buffer (b)->sw_if_index[VLIB_TX] = s->in2out.fib_index; + new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32; + } + sum = ip->checksum; + sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address); + ip->checksum = ip_csum_fold (sum); +} + +void +nat44_reass_hairpinning (snat_main_t * sm, + vlib_buffer_t * b0, + ip4_header_t * ip0, + u16 sport, u16 dport, u32 proto0, int is_ed) +{ + snat_session_key_t key0, sm0; + snat_session_t *s0; + 
clib_bihash_kv_8_8_t kv0, value0; + ip_csum_t sum0; + u32 new_dst_addr0 = 0, old_dst_addr0, ti = 0, si; + u16 new_dst_port0, old_dst_port0; + udp_header_t *udp0; + tcp_header_t *tcp0; + int rv; + + key0.addr = ip0->dst_address; + key0.port = dport; + key0.protocol = proto0; + key0.fib_index = sm->outside_fib_index; + kv0.key = key0.as_u64; + + udp0 = ip4_next_header (ip0); + + /* Check if destination is static mappings */ + if (!snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0)) + { + new_dst_addr0 = sm0.addr.as_u32; + new_dst_port0 = sm0.port; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index; + } + /* or active sessions */ + else + { + if (sm->num_workers > 1) + ti = + (clib_net_to_host_u16 (udp0->dst_port) - + 1024) / sm->port_per_thread; + else + ti = sm->num_workers; + + if (is_ed) + { + clib_bihash_kv_16_8_t ed_kv, ed_value; + make_ed_kv (&ed_kv, &ip0->dst_address, &ip0->src_address, + ip0->protocol, sm->outside_fib_index, udp0->dst_port, + udp0->src_port); + rv = clib_bihash_search_16_8 (&sm->per_thread_data[ti].out2in_ed, + &ed_kv, &ed_value); + si = ed_value.value; + } + else + { + rv = clib_bihash_search_8_8 (&sm->per_thread_data[ti].out2in, &kv0, + &value0); + si = value0.value; + } + if (!rv) + { + s0 = pool_elt_at_index (sm->per_thread_data[ti].sessions, si); + new_dst_addr0 = s0->in2out.addr.as_u32; + new_dst_port0 = s0->in2out.port; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + } + } + + /* Destination is behind the same NAT, use internal address and port */ + if (new_dst_addr0) + { + old_dst_addr0 = ip0->dst_address.as_u32; + ip0->dst_address.as_u32 = new_dst_addr0; + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + ip0->checksum = ip_csum_fold (sum0); + + old_dst_port0 = dport; + if (PREDICT_TRUE (new_dst_port0 != old_dst_port0 && + ip4_is_first_fragment (ip0))) + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + tcp0 = ip4_next_header 
(ip0); + tcp0->dst = new_dst_port0; + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, old_dst_port0, new_dst_port0, + ip4_header_t /* cheat */ , length); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + udp0->dst_port = new_dst_port0; + udp0->checksum = 0; + } + } + else + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + tcp0 = ip4_next_header (ip0); + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_dst_addr0, new_dst_addr0, + ip4_header_t, dst_address); + tcp0->checksum = ip_csum_fold (sum0); + } + } + } +} + +static inline uword +nat44_hairpinning_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, int is_ed) +{ + u32 n_left_from, *from, *to_next, stats_node_index; + nat_hairpin_next_t next_index; + u32 pkts_processed = 0; + snat_main_t *sm = &snat_main; + vnet_feature_main_t *fm = &feature_main; + u8 arc_index = vnet_feat_arc_ip4_local.feature_arc_index; + vnet_feature_config_main_t *cm = &fm->feature_config_mains[arc_index]; + + stats_node_index = is_ed ? 
nat44_ed_hairpinning_node.index : + nat44_hairpinning_node.index; + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0; + ip4_header_t *ip0; + u32 proto0; + udp_header_t *udp0; + tcp_header_t *tcp0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + vnet_get_config_data (&cm->config_main, &b0->current_config_index, + &next0, 0); + + if (snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, is_ed)) + next0 = NAT_HAIRPIN_NEXT_LOOKUP; + + pkts_processed += next0 != NAT_HAIRPIN_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, stats_node_index, + NAT44_HAIRPIN_ERROR_PROCESSED, pkts_processed); + return frame->n_vectors; +} + +static uword +nat44_hairpinning_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return nat44_hairpinning_fn_inline (vm, node, frame, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_hairpinning_node) = { + .function = nat44_hairpinning_fn, + .name = "nat44-hairpinning", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_hairpin_error_strings), + .error_strings = nat44_hairpin_error_strings, + .n_next_nodes = NAT_HAIRPIN_N_NEXT, + .next_nodes = { 
+ [NAT_HAIRPIN_NEXT_DROP] = "error-drop", + [NAT_HAIRPIN_NEXT_LOOKUP] = "ip4-lookup", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_hairpinning_node, nat44_hairpinning_fn); + +static uword +nat44_ed_hairpinning_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return nat44_hairpinning_fn_inline (vm, node, frame, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_hairpinning_node) = { + .function = nat44_ed_hairpinning_fn, + .name = "nat44-ed-hairpinning", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_hairpin_error_strings), + .error_strings = nat44_hairpin_error_strings, + .n_next_nodes = NAT_HAIRPIN_N_NEXT, + .next_nodes = { + [NAT_HAIRPIN_NEXT_DROP] = "error-drop", + [NAT_HAIRPIN_NEXT_LOOKUP] = "ip4-lookup", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpinning_node, + nat44_ed_hairpinning_fn); + +static inline uword +snat_hairpin_dst_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, int is_ed) +{ + u32 n_left_from, *from, *to_next, stats_node_index; + nat_hairpin_next_t next_index; + u32 pkts_processed = 0; + snat_main_t *sm = &snat_main; + + stats_node_index = is_ed ? 
nat44_ed_hairpin_dst_node.index : + snat_hairpin_dst_node.index; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0; + ip4_header_t *ip0; + u32 proto0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + next0 = NAT_HAIRPIN_NEXT_LOOKUP; + ip0 = vlib_buffer_get_current (b0); + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + vnet_buffer (b0)->snat.flags = 0; + if (PREDICT_FALSE (is_hairpinning (sm, &ip0->dst_address))) + { + if (proto0 == SNAT_PROTOCOL_TCP || proto0 == SNAT_PROTOCOL_UDP) + { + udp_header_t *udp0 = ip4_next_header (ip0); + tcp_header_t *tcp0 = (tcp_header_t *) udp0; + + snat_hairpinning (sm, b0, ip0, udp0, tcp0, proto0, is_ed); + } + else if (proto0 == SNAT_PROTOCOL_ICMP) + { + icmp46_header_t *icmp0 = ip4_next_header (ip0); + + snat_icmp_hairpinning (sm, b0, ip0, icmp0, is_ed); + } + else + { + if (is_ed) + nat44_ed_hairpinning_unknown_proto (sm, b0, ip0); + else + nat_hairpinning_sm_unknown_proto (sm, b0, ip0); + } + + vnet_buffer (b0)->snat.flags = SNAT_FLAG_HAIRPINNING; + } + + pkts_processed += next0 != NAT_HAIRPIN_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, stats_node_index, + NAT44_HAIRPIN_ERROR_PROCESSED, pkts_processed); + return frame->n_vectors; +} + +static uword +snat_hairpin_dst_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) 
+{ + return snat_hairpin_dst_fn_inline (vm, node, frame, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (snat_hairpin_dst_node) = { + .function = snat_hairpin_dst_fn, + .name = "nat44-hairpin-dst", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_hairpin_error_strings), + .error_strings = nat44_hairpin_error_strings, + .n_next_nodes = NAT_HAIRPIN_N_NEXT, + .next_nodes = { + [NAT_HAIRPIN_NEXT_DROP] = "error-drop", + [NAT_HAIRPIN_NEXT_LOOKUP] = "ip4-lookup", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_dst_node, snat_hairpin_dst_fn); + +static uword +nat44_ed_hairpin_dst_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return snat_hairpin_dst_fn_inline (vm, node, frame, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_hairpin_dst_node) = { + .function = nat44_ed_hairpin_dst_fn, + .name = "nat44-ed-hairpin-dst", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_hairpin_error_strings), + .error_strings = nat44_hairpin_error_strings, + .n_next_nodes = NAT_HAIRPIN_N_NEXT, + .next_nodes = { + [NAT_HAIRPIN_NEXT_DROP] = "error-drop", + [NAT_HAIRPIN_NEXT_LOOKUP] = "ip4-lookup", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpin_dst_node, + nat44_ed_hairpin_dst_fn); + +static inline uword +snat_hairpin_src_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, int is_ed) +{ + u32 n_left_from, *from, *to_next, stats_node_index; + snat_hairpin_src_next_t next_index; + u32 pkts_processed = 0; + snat_main_t *sm = &snat_main; + + stats_node_index = is_ed ? 
nat44_ed_hairpin_src_node.index : + snat_hairpin_src_node.index; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0; + snat_interface_t *i; + u32 sw_if_index0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + next0 = SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT; + + /* *INDENT-OFF* */ + pool_foreach (i, sm->output_feature_interfaces, + ({ + /* Only packets from NAT inside interface */ + if ((nat_interface_is_inside(i)) && (sw_if_index0 == i->sw_if_index)) + { + if (PREDICT_FALSE ((vnet_buffer (b0)->snat.flags) & + SNAT_FLAG_HAIRPINNING)) + { + if (PREDICT_TRUE (sm->num_workers > 1)) + next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH; + else + next0 = SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT; + } + break; + } + })); + /* *INDENT-ON* */ + + pkts_processed += next0 != SNAT_HAIRPIN_SRC_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, stats_node_index, + NAT44_HAIRPIN_ERROR_PROCESSED, pkts_processed); + return frame->n_vectors; +} + +static uword +snat_hairpin_src_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return snat_hairpin_src_fn_inline (vm, node, frame, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (snat_hairpin_src_node) = { + .function = snat_hairpin_src_fn, + .name = "nat44-hairpin-src", + .vector_size = 
sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_hairpin_error_strings), + .error_strings = nat44_hairpin_error_strings, + .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT, + .next_nodes = { + [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop", + [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-in2out-output", + [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output", + [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_hairpin_src_node, snat_hairpin_src_fn); + +static uword +nat44_ed_hairpin_src_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + return snat_hairpin_src_fn_inline (vm, node, frame, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_hairpin_src_node) = { + .function = nat44_ed_hairpin_src_fn, + .name = "nat44-ed-hairpin-src", + .vector_size = sizeof (u32), + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_hairpin_error_strings), + .error_strings = nat44_hairpin_error_strings, + .n_next_nodes = SNAT_HAIRPIN_SRC_N_NEXT, + .next_nodes = { + [SNAT_HAIRPIN_SRC_NEXT_DROP] = "error-drop", + [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT] = "nat44-ed-in2out-output", + [SNAT_HAIRPIN_SRC_NEXT_INTERFACE_OUTPUT] = "interface-output", + [SNAT_HAIRPIN_SRC_NEXT_SNAT_IN2OUT_WH] = "nat44-in2out-output-worker-handoff", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_hairpin_src_node, + nat44_ed_hairpin_src_fn); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat44_handoff.c b/src/plugins/nat/nat44_handoff.c new file mode 100644 index 00000000000..a49b8de658f --- /dev/null +++ b/src/plugins/nat/nat44_handoff.c 
@@ -0,0 +1,229 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT44 worker handoff + */ + +#include +#include +#include +#include +#include +#include + +typedef struct +{ + u32 next_worker_index; + u8 in2out; +} nat44_handoff_trace_t; + +#define foreach_nat44_handoff_error \ +_(CONGESTION_DROP, "congestion drop") + +typedef enum +{ +#define _(sym,str) NAT44_HANDOFF_ERROR_##sym, + foreach_nat44_handoff_error +#undef _ + NAT44_HANDOFF_N_ERROR, +} nat44_handoff_error_t; + +static char *nat44_handoff_error_strings[] = { +#define _(sym,string) string, + foreach_nat44_handoff_error +#undef _ +}; + + +vlib_node_registration_t snat_in2out_worker_handoff_node; +vlib_node_registration_t snat_in2out_output_worker_handoff_node; +vlib_node_registration_t snat_out2in_worker_handoff_node; + +static u8 * +format_nat44_handoff_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat44_handoff_trace_t *t = va_arg (*args, nat44_handoff_trace_t *); + char *tag; + + tag = t->in2out ? 
"IN2OUT" : "OUT2IN"; + s = + format (s, "NAT44_%s_WORKER_HANDOFF: next-worker %d", tag, + t->next_worker_index); + + return s; +} + +static inline uword +nat44_worker_handoff_fn_inline (vlib_main_t * vm, vlib_node_runtime_t * node, + vlib_frame_t * frame, u8 is_output, + u8 is_in2out) +{ + snat_main_t *sm = &snat_main; + vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b; + u32 n_enq, n_left_from, *from; + u16 thread_indices[VLIB_FRAME_SIZE], *ti; + u32 fq_index; + snat_get_worker_function_t *get_worker; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + vlib_get_buffers (vm, from, bufs, n_left_from); + + b = bufs; + ti = thread_indices; + + ASSERT (vec_len (sm->workers)); + + if (is_in2out) + { + get_worker = sm->worker_in2out_cb; + if (is_output) + fq_index = sm->fq_in2out_output_index; + else + fq_index = sm->fq_in2out_index; + } + else + { + fq_index = sm->fq_out2in_index; + get_worker = sm->worker_out2in_cb; + } + + while (n_left_from > 0) + { + u32 sw_if_index0; + u32 rx_fib_index0; + ip4_header_t *ip0; + + sw_if_index0 = vnet_buffer (b[0])->sw_if_index[VLIB_RX]; + rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); + ip0 = vlib_buffer_get_current (b[0]); + ti[0] = get_worker (ip0, rx_fib_index0); + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b[0]->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_handoff_trace_t *t = + vlib_add_trace (vm, node, b[0], sizeof (*t)); + t->next_worker_index = ti[0]; + t->in2out = is_in2out; + } + + n_left_from -= 1; + ti += 1; + b += 1; + } + + n_enq = + vlib_buffer_enqueue_to_thread (vm, fq_index, from, thread_indices, + frame->n_vectors, 1); + + if (n_enq < frame->n_vectors) + vlib_node_increment_counter (vm, node->node_index, + NAT44_HANDOFF_ERROR_CONGESTION_DROP, + frame->n_vectors - n_enq); + return frame->n_vectors; +} + +static uword +snat_in2out_worker_handoff_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return 
nat44_worker_handoff_fn_inline (vm, node, frame, 0, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (snat_in2out_worker_handoff_node) = { + .function = snat_in2out_worker_handoff_fn, + .name = "nat44-in2out-worker-handoff", + .vector_size = sizeof (u32), + .format_trace = format_nat44_handoff_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_handoff_error_strings), + .error_strings = nat44_handoff_error_strings, + .n_next_nodes = 1, + .next_nodes = { + [0] = "error-drop", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_worker_handoff_node, + snat_in2out_worker_handoff_fn); + +static uword +snat_in2out_output_worker_handoff_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_worker_handoff_fn_inline (vm, node, frame, 1, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (snat_in2out_output_worker_handoff_node) = { + .function = snat_in2out_output_worker_handoff_fn, + .name = "nat44-in2out-output-worker-handoff", + .vector_size = sizeof (u32), + .format_trace = format_nat44_handoff_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_handoff_error_strings), + .error_strings = nat44_handoff_error_strings, + .n_next_nodes = 1, + .next_nodes = { + [0] = "error-drop", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_in2out_output_worker_handoff_node, + snat_in2out_output_worker_handoff_fn); + +static uword +snat_out2in_worker_handoff_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_worker_handoff_fn_inline (vm, node, frame, 0, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = { + .function = snat_out2in_worker_handoff_fn, + .name = "nat44-out2in-worker-handoff", + .vector_size = sizeof (u32), + .format_trace = format_nat44_handoff_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat44_handoff_error_strings), + .error_strings = 
nat44_handoff_error_strings, + .n_next_nodes = 1, + .next_nodes = { + [0] = "error-drop", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, + snat_out2in_worker_handoff_fn); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat64.c b/src/plugins/nat/nat64.c index 04055af99bf..1954893ff8c 100644 --- a/src/plugins/nat/nat64.c +++ b/src/plugins/nat/nat64.c @@ -506,7 +506,6 @@ nat64_alloc_out_addr_and_port (u32 fib_index, snat_protocol_t proto, nat64_main_t *nm = &nat64_main; snat_main_t *sm = nm->sm; snat_session_key_t k; - u32 ai; u32 worker_index = 0; int rv; @@ -516,7 +515,7 @@ nat64_alloc_out_addr_and_port (u32 fib_index, snat_protocol_t proto, worker_index = thread_index - sm->first_worker_index; rv = - sm->alloc_addr_and_port (nm->addr_pool, fib_index, thread_index, &k, &ai, + sm->alloc_addr_and_port (nm->addr_pool, fib_index, thread_index, &k, sm->port_per_thread, worker_index); if (!rv) diff --git a/src/plugins/nat/nat64_in2out.c b/src/plugins/nat/nat64_in2out.c index e843fcf6730..dc5cc005fd7 100644 --- a/src/plugins/nat/nat64_in2out.c +++ b/src/plugins/nat/nat64_in2out.c @@ -1616,10 +1616,26 @@ VLIB_REGISTER_NODE (nat64_in2out_reass_node) = { VLIB_NODE_FUNCTION_MULTIARCH (nat64_in2out_reass_node, nat64_in2out_reass_node_fn); +#define foreach_nat64_in2out_handoff_error \ +_(CONGESTION_DROP, "congestion drop") + +typedef enum +{ +#define _(sym,str) NAT64_IN2OUT_HANDOFF_ERROR_##sym, + foreach_nat64_in2out_handoff_error +#undef _ + NAT64_IN2OUT_HANDOFF_N_ERROR, +} nat64_in2out_handoff_error_t; + +static char *nat64_in2out_handoff_error_strings[] = { +#define _(sym,string) string, + foreach_nat64_in2out_handoff_error +#undef _ +}; + typedef struct { u32 next_worker_index; - u8 do_handoff; } nat64_in2out_handoff_trace_t; static u8 * 
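Review bot: `nat44_worker_handoff_fn_inline` has no header comment, although it is the one place where the direction (is_in2out), the output-feature queue choice (is_output) and the congestion behaviour of all three handoff nodes are decided. A comment above the function would carry that: `/* Pick a worker for every buffer with the direction's callback and hand the whole frame to that worker's frame queue (is_output selects the in2out output-feature queue); buffers that could not be enqueued (n_enq < n_vectors) are counted as CONGESTION_DROP. */`. `ASSERT (vec_len (sm->workers))` is compiled out in release builds, so if the node could ever be reached with no workers configured, `get_worker` and `fq_index` would be used regardless; presumably the feature wiring prevents that, but the comment should say so. The three node registrations list `error-drop` as their only next node while the function never computes a next index, so the reader is left to guess that drops happen inside `vlib_buffer_enqueue_to_thread`; one line at the `n_enq =` assignment stating where dropped buffers go would settle it.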
@@ -1629,10 +1645,9 @@ format_nat64_in2out_handoff_trace (u8 * s, va_list * args)
 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
 nat64_in2out_handoff_trace_t *t =
 va_arg (*args, nat64_in2out_handoff_trace_t *);
- char *m;
- m = t->do_handoff ? "next worker" : "same worker";
- s = format (s, "NAT64-IN2OUT-HANDOFF: %s %d", m, t->next_worker_index);
+ s =
+ format (s, "NAT64-IN2OUT-HANDOFF: next-worker %d", t->next_worker_index);
 return s;
 }
@@ -1642,167 +1657,49 @@ nat64_in2out_handoff_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { nat64_main_t *nm = &nat64_main; - vlib_thread_main_t *tm = vlib_get_thread_main (); - u32 n_left_from, *from, *to_next = 0, *to_next_drop = 0; - static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index; - static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index - = 0; - vlib_frame_queue_elt_t *hf = 0; - vlib_frame_queue_t *fq; - vlib_frame_t *f = 0, *d = 0; - int i; - u32 n_left_to_next_worker = 0, *to_next_worker = 0; - u32 next_worker_index = 0; - u32 current_worker_index = ~0; - u32 thread_index = vm->thread_index; + vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b; + u32 n_enq, n_left_from, *from; + u16 thread_indices[VLIB_FRAME_SIZE], *ti; u32 fq_index; - u32 to_node_index; - - fq_index = nm->fq_in2out_index; - to_node_index = nat64_in2out_node.index; - - if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0)) - { - vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1); - - vec_validate_init_empty (congested_handoff_queue_by_worker_index, - tm->n_vlib_mains - 1, - (vlib_frame_queue_t *) (~0)); - } from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; + vlib_get_buffers (vm, from, bufs, n_left_from); + + b = bufs; + ti = thread_indices; + + fq_index = nm->fq_in2out_index; while (n_left_from > 0) { - u32 bi0; - vlib_buffer_t *b0; ip6_header_t *ip0; - u8 do_handoff; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - b0 = vlib_get_buffer (vm, bi0); - - ip0 = vlib_buffer_get_current (b0); - - next_worker_index = nat64_get_worker_in2out (&ip0->src_address); - - if (PREDICT_FALSE (next_worker_index != thread_index)) - { - do_handoff = 1; - - if (next_worker_index != current_worker_index) - { - fq = - is_vlib_frame_queue_congested (fq_index, next_worker_index, - 30, - congested_handoff_queue_by_worker_index); - - if (fq) - { - /* if this is 1st frame */ - if (!d) - { - d = 
vlib_get_frame_to_node (vm, nm->error_node_index); - to_next_drop = vlib_frame_vector_args (d); - } - - to_next_drop[0] = bi0; - to_next_drop += 1; - d->n_vectors++; - goto trace0; - } - - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; - - hf = - vlib_get_worker_handoff_queue_elt (fq_index, - next_worker_index, - handoff_queue_elt_by_worker_index); - n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors; - to_next_worker = &hf->buffer_index[hf->n_vectors]; - current_worker_index = next_worker_index; - } - - ASSERT (to_next_worker != 0); - - /* enqueue to correct worker thread */ - to_next_worker[0] = bi0; - to_next_worker++; - n_left_to_next_worker--; - - if (n_left_to_next_worker == 0) - { - hf->n_vectors = VLIB_FRAME_SIZE; - vlib_put_frame_queue_elt (hf); - current_worker_index = ~0; - handoff_queue_elt_by_worker_index[next_worker_index] = 0; - hf = 0; - } - } - else - { - do_handoff = 0; - /* if this is 1st frame */ - if (!f) - { - f = vlib_get_frame_to_node (vm, to_node_index); - to_next = vlib_frame_vector_args (f); - } - to_next[0] = bi0; - to_next += 1; - f->n_vectors++; - } + ip0 = vlib_buffer_get_current (b[0]); + ti[0] = nat64_get_worker_in2out (&ip0->src_address); - trace0: if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) + && (b[0]->flags & VLIB_BUFFER_IS_TRACED))) { nat64_in2out_handoff_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->next_worker_index = next_worker_index; - t->do_handoff = do_handoff; + vlib_add_trace (vm, node, b[0], sizeof (*t)); + t->next_worker_index = ti[0]; } - } - if (f) - vlib_put_frame_to_node (vm, to_node_index, f); - - if (d) - vlib_put_frame_to_node (vm, nm->error_node_index, d); + n_left_from -= 1; + ti += 1; + b += 1; + } - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; + n_enq = + vlib_buffer_enqueue_to_thread (vm, fq_index, from, thread_indices, + frame->n_vectors, 1); - /* Ship frames to the worker nodes */ - for 
(i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++) - { - if (handoff_queue_elt_by_worker_index[i]) - { - hf = handoff_queue_elt_by_worker_index[i]; - /* - * It works better to let the handoff node - * rate-adapt, always ship the handoff queue element. - */ - if (1 || hf->n_vectors == hf->last_n_vectors) - { - vlib_put_frame_queue_elt (hf); - handoff_queue_elt_by_worker_index[i] = 0; - } - else - hf->last_n_vectors = hf->n_vectors; - } - congested_handoff_queue_by_worker_index[i] = - (vlib_frame_queue_t *) (~0); - } - hf = 0; - current_worker_index = ~0; + if (n_enq < frame->n_vectors) + vlib_node_increment_counter (vm, node->node_index, + NAT64_IN2OUT_HANDOFF_ERROR_CONGESTION_DROP, + frame->n_vectors - n_enq); return frame->n_vectors; } @@ -1813,6 +1710,8 @@ VLIB_REGISTER_NODE (nat64_in2out_handoff_node) = { .vector_size = sizeof (u32), .format_trace = format_nat64_in2out_handoff_trace, .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat64_in2out_handoff_error_strings), + .error_strings = nat64_in2out_handoff_error_strings, .n_next_nodes = 1, diff --git a/src/plugins/nat/nat64_out2in.c b/src/plugins/nat/nat64_out2in.c index 54a7e82c7c1..89bb71c8960 100644 --- a/src/plugins/nat/nat64_out2in.c +++ b/src/plugins/nat/nat64_out2in.c @@ -898,10 +898,26 @@ VLIB_REGISTER_NODE (nat64_out2in_reass_node) = { VLIB_NODE_FUNCTION_MULTIARCH (nat64_out2in_reass_node, nat64_out2in_reass_node_fn); +#define foreach_nat64_out2in_handoff_error \ +_(CONGESTION_DROP, "congestion drop") + +typedef enum +{ +#define _(sym,str) NAT64_OUT2IN_HANDOFF_ERROR_##sym, + foreach_nat64_out2in_handoff_error +#undef _ + NAT64_OUT2IN_HANDOFF_N_ERROR, +} nat64_out2in_handoff_error_t; + +static char *nat64_out2in_handoff_error_strings[] = { +#define _(sym,string) string, + foreach_nat64_out2in_handoff_error +#undef _ +}; + typedef struct { u32 next_worker_index; - u8 do_handoff; } nat64_out2in_handoff_trace_t; static u8 * 
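Review bot: Packets whose worker is already the current thread are no longer sent straight to `nat64_in2out_node`; every buffer now goes through `vlib_buffer_enqueue_to_thread`, and whether that helper short-circuits the local-thread case is not visible in this hunk, so a comment at the `n_enq =` line is warranted, e.g. `/* every buffer goes through the frame queue, including those for this thread; the shortfall in n_enq is counted as congestion drop below */`. With the `do_handoff` flag gone from the trace, `NAT64-IN2OUT-HANDOFF: next-worker %d` is now printed for packets that stay local as well, which is fine but worth a word in the format_trace function's comment. `nat64_in2out_handoff_node_fn`'s signature sits just above the hunk. The same two points apply to the `nat64_out2in_handoff_node_fn` hunk in nat64_out2in.c.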
@@ -911,10 +927,9 @@ format_nat64_out2in_handoff_trace (u8 * s, va_list * args)
 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
 nat64_out2in_handoff_trace_t *t =
 va_arg (*args, nat64_out2in_handoff_trace_t *);
- char *m;
- m = t->do_handoff ? "next worker" : "same worker";
- s = format (s, "NAT64-OUT2IN-HANDOFF: %s %d", m, t->next_worker_index);
+ s =
+ format (s, "NAT64-OUT2IN-HANDOFF: next-worker %d", t->next_worker_index);
 return s;
 }
@@ -924,167 +939,49 @@ nat64_out2in_handoff_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * frame) { nat64_main_t *nm = &nat64_main; - vlib_thread_main_t *tm = vlib_get_thread_main (); - u32 n_left_from, *from, *to_next = 0, *to_next_drop = 0; - static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index; - static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index - = 0; - vlib_frame_queue_elt_t *hf = 0; - vlib_frame_queue_t *fq; - vlib_frame_t *f = 0, *d = 0; - int i; - u32 n_left_to_next_worker = 0, *to_next_worker = 0; - u32 next_worker_index = 0; - u32 current_worker_index = ~0; - u32 thread_index = vm->thread_index; + vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b; + u32 n_enq, n_left_from, *from; + u16 thread_indices[VLIB_FRAME_SIZE], *ti; u32 fq_index; - u32 to_node_index; - - fq_index = nm->fq_out2in_index; - to_node_index = nat64_out2in_node.index; - - if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0)) - { - vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1); - - vec_validate_init_empty (congested_handoff_queue_by_worker_index, - tm->n_vlib_mains - 1, - (vlib_frame_queue_t *) (~0)); - } from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; + vlib_get_buffers (vm, from, bufs, n_left_from); + + b = bufs; + ti = thread_indices; + + fq_index = nm->fq_out2in_index; while (n_left_from > 0) { - u32 bi0; - vlib_buffer_t *b0; ip4_header_t *ip0; - u8 do_handoff; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - b0 = vlib_get_buffer (vm, bi0); - - ip0 = vlib_buffer_get_current (b0); - next_worker_index = nat64_get_worker_out2in (ip0); - - if (PREDICT_FALSE (next_worker_index != thread_index)) - { - do_handoff = 1; - - if (next_worker_index != current_worker_index) - { - fq = - is_vlib_frame_queue_congested (fq_index, next_worker_index, - 30, - congested_handoff_queue_by_worker_index); - - if (fq) - { - /* if this is 1st frame */ - if (!d) - { - d = 
vlib_get_frame_to_node (vm, nm->error_node_index); - to_next_drop = vlib_frame_vector_args (d); - } + ip0 = vlib_buffer_get_current (b[0]); + ti[0] = nat64_get_worker_out2in (ip0); - to_next_drop[0] = bi0; - to_next_drop += 1; - d->n_vectors++; - goto trace0; - } - - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; - - hf = - vlib_get_worker_handoff_queue_elt (fq_index, - next_worker_index, - handoff_queue_elt_by_worker_index); - n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors; - to_next_worker = &hf->buffer_index[hf->n_vectors]; - current_worker_index = next_worker_index; - } - - ASSERT (to_next_worker != 0); - - /* enqueue to correct worker thread */ - to_next_worker[0] = bi0; - to_next_worker++; - n_left_to_next_worker--; - - if (n_left_to_next_worker == 0) - { - hf->n_vectors = VLIB_FRAME_SIZE; - vlib_put_frame_queue_elt (hf); - current_worker_index = ~0; - handoff_queue_elt_by_worker_index[next_worker_index] = 0; - hf = 0; - } - } - else - { - do_handoff = 0; - /* if this is 1st frame */ - if (!f) - { - f = vlib_get_frame_to_node (vm, to_node_index); - to_next = vlib_frame_vector_args (f); - } - - to_next[0] = bi0; - to_next += 1; - f->n_vectors++; - } - - trace0: if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) + && (b[0]->flags & VLIB_BUFFER_IS_TRACED))) { nat64_out2in_handoff_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->next_worker_index = next_worker_index; - t->do_handoff = do_handoff; + vlib_add_trace (vm, node, b[0], sizeof (*t)); + t->next_worker_index = ti[0]; } - } - - if (f) - vlib_put_frame_to_node (vm, to_node_index, f); - if (d) - vlib_put_frame_to_node (vm, nm->error_node_index, d); + n_left_from -= 1; + ti += 1; + b += 1; + } - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; + n_enq = + vlib_buffer_enqueue_to_thread (vm, fq_index, from, thread_indices, + frame->n_vectors, 1); - /* Ship frames to the worker nodes */ - for (i = 0; i < 
vec_len (handoff_queue_elt_by_worker_index); i++) - { - if (handoff_queue_elt_by_worker_index[i]) - { - hf = handoff_queue_elt_by_worker_index[i]; - /* - * It works better to let the handoff node - * rate-adapt, always ship the handoff queue element. - */ - if (1 || hf->n_vectors == hf->last_n_vectors) - { - vlib_put_frame_queue_elt (hf); - handoff_queue_elt_by_worker_index[i] = 0; - } - else - hf->last_n_vectors = hf->n_vectors; - } - congested_handoff_queue_by_worker_index[i] = - (vlib_frame_queue_t *) (~0); - } - hf = 0; - current_worker_index = ~0; + if (n_enq < frame->n_vectors) + vlib_node_increment_counter (vm, node->node_index, + NAT64_OUT2IN_HANDOFF_ERROR_CONGESTION_DROP, + frame->n_vectors - n_enq); return frame->n_vectors; } @@ -1095,6 +992,8 @@ VLIB_REGISTER_NODE (nat64_out2in_handoff_node) = { .vector_size = sizeof (u32), .format_trace = format_nat64_out2in_handoff_trace, .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat64_out2in_handoff_error_strings), + .error_strings = nat64_out2in_handoff_error_strings, .n_next_nodes = 1, diff --git a/src/plugins/nat/nat_det_in2out.c b/src/plugins/nat/nat_det_in2out.c new file mode 100644 index 00000000000..1366c2fce69 --- /dev/null +++ b/src/plugins/nat/nat_det_in2out.c 
@@ -0,0 +1,884 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief Deterministic/CGN NAT44 inside to outside network translation + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef struct +{ + u32 sw_if_index; + u32 next_index; + u32 session_index; +} nat_det_in2out_trace_t; + +typedef enum +{ + NAT_DET_IN2OUT_NEXT_LOOKUP, + NAT_DET_IN2OUT_NEXT_DROP, + NAT_DET_IN2OUT_NEXT_ICMP_ERROR, + NAT_DET_IN2OUT_N_NEXT, +} nat_det_in2out_next_t; + +#define foreach_nat_det_in2out_error \ +_(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \ +_(NO_TRANSLATION, "No translation") \ +_(BAD_ICMP_TYPE, "unsupported ICMP type") \ +_(OUT_OF_PORTS, "Out of ports") \ +_(IN2OUT_PACKETS, "Good in2out packets processed") + +typedef enum +{ +#define _(sym,str) NAT_DET_IN2OUT_ERROR_##sym, + foreach_nat_det_in2out_error +#undef _ + NAT_DET_IN2OUT_N_ERROR, +} nat_det_in2out_error_t; + +static char *nat_det_in2out_error_strings[] = { +#define _(sym,string) string, + foreach_nat_det_in2out_error +#undef _ +}; + +vlib_node_registration_t snat_det_in2out_node; + +static u8 * +format_nat_det_in2out_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat_det_in2out_trace_t *t = va_arg (*args, nat_det_in2out_trace_t *); + + s = format (s, 
"NAT_DET_IN2OUT: sw_if_index %d, next index %d, session %d", + t->sw_if_index, t->next_index, t->session_index); + + return s; +} + +/** + * Get address and port values to be used for ICMP packet translation + * and create session if needed + * + * @param[in,out] sm NAT main + * @param[in,out] node NAT node runtime + * @param[in] thread_index thread index + * @param[in,out] b0 buffer containing packet to be translated + * @param[out] p_proto protocol used for matching + * @param[out] p_value address and port after NAT translation + * @param[out] p_dont_translate if packet should not be translated + * @param d optional parameter + * @param e optional parameter + */ +u32 +icmp_match_in2out_det (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) +{ + icmp46_header_t *icmp0; + u32 sw_if_index0; + u32 rx_fib_index0; + u8 protocol; + snat_det_out_key_t key0; + u8 dont_translate = 0; + u32 next0 = ~0; + icmp_echo_header_t *echo0, *inner_echo0 = 0; + ip4_header_t *inner_ip0; + void *l4_header = 0; + icmp46_header_t *inner_icmp0; + snat_det_map_t *dm0 = 0; + ip4_address_t new_addr0; + u16 lo_port0, i0; + snat_det_session_t *ses0 = 0; + ip4_address_t in_addr; + u16 in_port; + + icmp0 = (icmp46_header_t *) ip4_next_header (ip0); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); + + if (!icmp_is_error_message (icmp0)) + { + protocol = SNAT_PROTOCOL_ICMP; + in_addr = ip0->src_address; + in_port = echo0->identifier; + } + else + { + inner_ip0 = (ip4_header_t *) (echo0 + 1); + l4_header = ip4_next_header (inner_ip0); + protocol = ip_proto_to_snat_proto (inner_ip0->protocol); + in_addr = inner_ip0->dst_address; + switch (protocol) + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + 
inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + in_port = inner_echo0->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + in_port = ((tcp_udp_header_t *) l4_header)->dst_port; + break; + default: + b0->error = node->errors[NAT_DET_IN2OUT_ERROR_UNSUPPORTED_PROTOCOL]; + next0 = NAT_DET_IN2OUT_NEXT_DROP; + goto out; + } + } + + dm0 = snat_det_map_by_user (sm, &in_addr); + if (PREDICT_FALSE (!dm0)) + { + nat_log_info ("no match for internal host %U", + format_ip4_address, &in_addr); + if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0, + IP_PROTOCOL_ICMP, + rx_fib_index0))) + { + dont_translate = 1; + goto out; + } + next0 = NAT_DET_IN2OUT_NEXT_DROP; + b0->error = node->errors[NAT_DET_IN2OUT_ERROR_NO_TRANSLATION]; + goto out; + } + + snat_det_forward (dm0, &in_addr, &new_addr0, &lo_port0); + + key0.ext_host_addr = ip0->dst_address; + key0.ext_host_port = 0; + + ses0 = snat_det_find_ses_by_in (dm0, &in_addr, in_port, key0); + if (PREDICT_FALSE (!ses0)) + { + if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0, + IP_PROTOCOL_ICMP, + rx_fib_index0))) + { + dont_translate = 1; + goto out; + } + if (icmp0->type != ICMP4_echo_request) + { + b0->error = node->errors[NAT_DET_IN2OUT_ERROR_BAD_ICMP_TYPE]; + next0 = NAT_DET_IN2OUT_NEXT_DROP; + goto out; + } + for (i0 = 0; i0 < dm0->ports_per_host; i0++) + { + key0.out_port = clib_host_to_net_u16 (lo_port0 + + ((i0 + + clib_net_to_host_u16 + (echo0->identifier)) % + dm0->ports_per_host)); + + if (snat_det_get_ses_by_out (dm0, &in_addr, key0.as_u64)) + continue; + + ses0 = + snat_det_ses_create (dm0, &in_addr, echo0->identifier, &key0); + break; + } + if (PREDICT_FALSE (!ses0)) + { + next0 = NAT_DET_IN2OUT_NEXT_DROP; + b0->error = node->errors[NAT_DET_IN2OUT_ERROR_OUT_OF_PORTS]; + goto out; + } + } + + if (PREDICT_FALSE (icmp0->type != ICMP4_echo_request && + !icmp_is_error_message (icmp0))) + { + b0->error = node->errors[NAT_DET_IN2OUT_ERROR_BAD_ICMP_TYPE]; 
+ next0 = NAT_DET_IN2OUT_NEXT_DROP; + goto out; + } + + u32 now = (u32) vlib_time_now (sm->vlib_main); + + ses0->state = SNAT_SESSION_ICMP_ACTIVE; + ses0->expire = now + sm->icmp_timeout; + +out: + *p_proto = protocol; + if (ses0) + { + p_value->addr = new_addr0; + p_value->fib_index = sm->outside_fib_index; + p_value->port = ses0->out.out_port; + } + *p_dont_translate = dont_translate; + if (d) + *(snat_det_session_t **) d = ses0; + if (e) + *(snat_det_map_t **) e = dm0; + return next0; +} + +static uword +snat_det_in2out_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + u32 n_left_from, *from, *to_next; + nat_det_in2out_next_t next_index; + u32 pkts_processed = 0; + snat_main_t *sm = &snat_main; + u32 now = (u32) vlib_time_now (vm); + u32 thread_index = vm->thread_index; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from >= 4 && n_left_to_next >= 2) + { + u32 bi0, bi1; + vlib_buffer_t *b0, *b1; + u32 next0, next1; + u32 sw_if_index0, sw_if_index1; + ip4_header_t *ip0, *ip1; + ip_csum_t sum0, sum1; + ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1; + u16 old_port0, new_port0, lo_port0, i0; + u16 old_port1, new_port1, lo_port1, i1; + udp_header_t *udp0, *udp1; + tcp_header_t *tcp0, *tcp1; + u32 proto0, proto1; + snat_det_out_key_t key0, key1; + snat_det_map_t *dm0, *dm1; + snat_det_session_t *ses0 = 0, *ses1 = 0; + u32 rx_fib_index0, rx_fib_index1; + icmp46_header_t *icmp0, *icmp1; + + /* Prefetch next iteration. 
*/ + { + vlib_buffer_t *p2, *p3; + + p2 = vlib_get_buffer (vm, from[2]); + p3 = vlib_get_buffer (vm, from[3]); + + vlib_prefetch_buffer_header (p2, LOAD); + vlib_prefetch_buffer_header (p3, LOAD); + + CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); + CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); + } + + /* speculatively enqueue b0 and b1 to the current next frame */ + to_next[0] = bi0 = from[0]; + to_next[1] = bi1 = from[1]; + from += 2; + to_next += 2; + n_left_from -= 2; + n_left_to_next -= 2; + + b0 = vlib_get_buffer (vm, bi0); + b1 = vlib_get_buffer (vm, bi1); + + next0 = NAT_DET_IN2OUT_NEXT_LOOKUP; + next1 = NAT_DET_IN2OUT_NEXT_LOOKUP; + + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT_DET_IN2OUT_NEXT_ICMP_ERROR; + goto trace0; + } + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + rx_fib_index0 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); + icmp0 = (icmp46_header_t *) udp0; + + next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, + rx_fib_index0, node, next0, thread_index, + &ses0, &dm0); + goto trace0; + } + + dm0 = snat_det_map_by_user (sm, &ip0->src_address); + if (PREDICT_FALSE (!dm0)) + { + nat_log_info ("no match for internal host %U", + format_ip4_address, &ip0->src_address); + next0 = NAT_DET_IN2OUT_NEXT_DROP; + b0->error = node->errors[NAT_DET_IN2OUT_ERROR_NO_TRANSLATION]; + goto trace0; + } + + snat_det_forward (dm0, &ip0->src_address, &new_addr0, &lo_port0); + + key0.ext_host_addr = ip0->dst_address; + key0.ext_host_port = tcp0->dst; + + ses0 = + snat_det_find_ses_by_in (dm0, &ip0->src_address, tcp0->src, key0); + if 
(PREDICT_FALSE (!ses0)) + { + for (i0 = 0; i0 < dm0->ports_per_host; i0++) + { + key0.out_port = clib_host_to_net_u16 (lo_port0 + + ((i0 + + clib_net_to_host_u16 + (tcp0->src)) % + dm0-> + ports_per_host)); + + if (snat_det_get_ses_by_out + (dm0, &ip0->src_address, key0.as_u64)) + continue; + + ses0 = + snat_det_ses_create (dm0, &ip0->src_address, tcp0->src, + &key0); + break; + } + if (PREDICT_FALSE (!ses0)) + { + /* too many sessions for user, send ICMP error packet */ + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, + ICMP4_destination_unreachable, + ICMP4_destination_unreachable_destination_unreachable_host, + 0); + next0 = NAT_DET_IN2OUT_NEXT_ICMP_ERROR; + goto trace0; + } + } + + new_port0 = ses0->out.out_port; + + old_addr0.as_u32 = ip0->src_address.as_u32; + ip0->src_address.as_u32 = new_addr0.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, + ip4_header_t, + src_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + if (tcp0->flags & TCP_FLAG_SYN) + ses0->state = SNAT_SESSION_TCP_SYN_SENT; + else if (tcp0->flags & TCP_FLAG_ACK + && ses0->state == SNAT_SESSION_TCP_SYN_SENT) + ses0->state = SNAT_SESSION_TCP_ESTABLISHED; + else if (tcp0->flags & TCP_FLAG_FIN + && ses0->state == SNAT_SESSION_TCP_ESTABLISHED) + ses0->state = SNAT_SESSION_TCP_FIN_WAIT; + else if (tcp0->flags & TCP_FLAG_ACK + && ses0->state == SNAT_SESSION_TCP_FIN_WAIT) + snat_det_ses_close (dm0, ses0); + else if (tcp0->flags & TCP_FLAG_FIN + && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT) + ses0->state = SNAT_SESSION_TCP_LAST_ACK; + else if (tcp0->flags == 0 + && ses0->state == SNAT_SESSION_UNKNOWN) + ses0->state = SNAT_SESSION_TCP_ESTABLISHED; + + old_port0 = tcp0->src; + tcp0->src = new_port0; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, 
old_addr0.as_u32, new_addr0.as_u32, + ip4_header_t, + dst_address /* changed member */ ); + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + ses0->state = SNAT_SESSION_UDP_ACTIVE; + old_port0 = udp0->src_port; + udp0->src_port = new_port0; + udp0->checksum = 0; + } + + switch (ses0->state) + { + case SNAT_SESSION_UDP_ACTIVE: + ses0->expire = now + sm->udp_timeout; + break; + case SNAT_SESSION_TCP_SYN_SENT: + case SNAT_SESSION_TCP_FIN_WAIT: + case SNAT_SESSION_TCP_CLOSE_WAIT: + case SNAT_SESSION_TCP_LAST_ACK: + ses0->expire = now + sm->tcp_transitory_timeout; + break; + case SNAT_SESSION_TCP_ESTABLISHED: + ses0->expire = now + sm->tcp_established_timeout; + break; + } + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_det_in2out_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (ses0) + t->session_index = ses0 - dm0->sessions; + } + + pkts_processed += next0 != NAT_DET_IN2OUT_NEXT_DROP; + + ip1 = vlib_buffer_get_current (b1); + udp1 = ip4_next_header (ip1); + tcp1 = (tcp_header_t *) udp1; + + sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX]; + + if (PREDICT_FALSE (ip1->ttl == 1)) + { + vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next1 = NAT_DET_IN2OUT_NEXT_ICMP_ERROR; + goto trace1; + } + + proto1 = ip_proto_to_snat_proto (ip1->protocol); + + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + rx_fib_index1 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index1); + icmp1 = (icmp46_header_t *) udp1; + + next1 = icmp_in2out (sm, b1, ip1, icmp1, sw_if_index1, + rx_fib_index1, node, next1, thread_index, + &ses1, &dm1); + 
goto trace1; + } + + dm1 = snat_det_map_by_user (sm, &ip1->src_address); + if (PREDICT_FALSE (!dm1)) + { + nat_log_info ("no match for internal host %U", + format_ip4_address, &ip0->src_address); + next1 = NAT_DET_IN2OUT_NEXT_DROP; + b1->error = node->errors[NAT_DET_IN2OUT_ERROR_NO_TRANSLATION]; + goto trace1; + } + + snat_det_forward (dm1, &ip1->src_address, &new_addr1, &lo_port1); + + key1.ext_host_addr = ip1->dst_address; + key1.ext_host_port = tcp1->dst; + + ses1 = + snat_det_find_ses_by_in (dm1, &ip1->src_address, tcp1->src, key1); + if (PREDICT_FALSE (!ses1)) + { + for (i1 = 0; i1 < dm1->ports_per_host; i1++) + { + key1.out_port = clib_host_to_net_u16 (lo_port1 + + ((i1 + + clib_net_to_host_u16 + (tcp1->src)) % + dm1-> + ports_per_host)); + + if (snat_det_get_ses_by_out + (dm1, &ip1->src_address, key1.as_u64)) + continue; + + ses1 = + snat_det_ses_create (dm1, &ip1->src_address, tcp1->src, + &key1); + break; + } + if (PREDICT_FALSE (!ses1)) + { + /* too many sessions for user, send ICMP error packet */ + vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b1, + ICMP4_destination_unreachable, + ICMP4_destination_unreachable_destination_unreachable_host, + 0); + next1 = NAT_DET_IN2OUT_NEXT_ICMP_ERROR; + goto trace1; + } + } + + new_port1 = ses1->out.out_port; + + old_addr1.as_u32 = ip1->src_address.as_u32; + ip1->src_address.as_u32 = new_addr1.as_u32; + vnet_buffer (b1)->sw_if_index[VLIB_TX] = sm->outside_fib_index; + + sum1 = ip1->checksum; + sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32, + ip4_header_t, + src_address /* changed member */ ); + ip1->checksum = ip_csum_fold (sum1); + + if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) + { + if (tcp1->flags & TCP_FLAG_SYN) + ses1->state = SNAT_SESSION_TCP_SYN_SENT; + else if (tcp1->flags & TCP_FLAG_ACK + && ses1->state == SNAT_SESSION_TCP_SYN_SENT) + ses1->state = SNAT_SESSION_TCP_ESTABLISHED; + else if (tcp1->flags & TCP_FLAG_FIN + && ses1->state == 
SNAT_SESSION_TCP_ESTABLISHED) + ses1->state = SNAT_SESSION_TCP_FIN_WAIT; + else if (tcp1->flags & TCP_FLAG_ACK + && ses1->state == SNAT_SESSION_TCP_FIN_WAIT) + snat_det_ses_close (dm1, ses1); + else if (tcp1->flags & TCP_FLAG_FIN + && ses1->state == SNAT_SESSION_TCP_CLOSE_WAIT) + ses1->state = SNAT_SESSION_TCP_LAST_ACK; + else if (tcp1->flags == 0 + && ses1->state == SNAT_SESSION_UNKNOWN) + ses1->state = SNAT_SESSION_TCP_ESTABLISHED; + + old_port1 = tcp1->src; + tcp1->src = new_port1; + + sum1 = tcp1->checksum; + sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32, + ip4_header_t, + dst_address /* changed member */ ); + sum1 = ip_csum_update (sum1, old_port1, new_port1, + ip4_header_t /* cheat */ , + length /* changed member */ ); + mss_clamping (sm, tcp1, &sum1); + tcp1->checksum = ip_csum_fold (sum1); + } + else + { + ses1->state = SNAT_SESSION_UDP_ACTIVE; + old_port1 = udp1->src_port; + udp1->src_port = new_port1; + udp1->checksum = 0; + } + + switch (ses1->state) + { + case SNAT_SESSION_UDP_ACTIVE: + ses1->expire = now + sm->udp_timeout; + break; + case SNAT_SESSION_TCP_SYN_SENT: + case SNAT_SESSION_TCP_FIN_WAIT: + case SNAT_SESSION_TCP_CLOSE_WAIT: + case SNAT_SESSION_TCP_LAST_ACK: + ses1->expire = now + sm->tcp_transitory_timeout; + break; + case SNAT_SESSION_TCP_ESTABLISHED: + ses1->expire = now + sm->tcp_established_timeout; + break; + } + + trace1: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b1->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_det_in2out_trace_t *t = + vlib_add_trace (vm, node, b1, sizeof (*t)); + t->sw_if_index = sw_if_index1; + t->next_index = next1; + t->session_index = ~0; + if (ses1) + t->session_index = ses1 - dm1->sessions; + } + + pkts_processed += next1 != NAT_DET_IN2OUT_NEXT_DROP; + + /* verify speculative enqueues, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x2 (vm, node, next_index, + to_next, n_left_to_next, + bi0, bi1, next0, next1); + } + + while (n_left_from > 0 && 
n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0; + u32 sw_if_index0; + ip4_header_t *ip0; + ip_csum_t sum0; + ip4_address_t new_addr0, old_addr0; + u16 old_port0, new_port0, lo_port0, i0; + udp_header_t *udp0; + tcp_header_t *tcp0; + u32 proto0; + snat_det_out_key_t key0; + snat_det_map_t *dm0; + snat_det_session_t *ses0 = 0; + u32 rx_fib_index0; + icmp46_header_t *icmp0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + next0 = NAT_DET_IN2OUT_NEXT_LOOKUP; + + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT_DET_IN2OUT_NEXT_ICMP_ERROR; + goto trace00; + } + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + rx_fib_index0 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); + icmp0 = (icmp46_header_t *) udp0; + + next0 = icmp_in2out (sm, b0, ip0, icmp0, sw_if_index0, + rx_fib_index0, node, next0, thread_index, + &ses0, &dm0); + goto trace00; + } + + dm0 = snat_det_map_by_user (sm, &ip0->src_address); + if (PREDICT_FALSE (!dm0)) + { + nat_log_info ("no match for internal host %U", + format_ip4_address, &ip0->src_address); + next0 = NAT_DET_IN2OUT_NEXT_DROP; + b0->error = node->errors[NAT_DET_IN2OUT_ERROR_NO_TRANSLATION]; + goto trace00; + } + + snat_det_forward (dm0, &ip0->src_address, &new_addr0, &lo_port0); + + key0.ext_host_addr = ip0->dst_address; + key0.ext_host_port = tcp0->dst; + + ses0 = + snat_det_find_ses_by_in (dm0, &ip0->src_address, tcp0->src, key0); + if (PREDICT_FALSE (!ses0)) + { + for 
(i0 = 0; i0 < dm0->ports_per_host; i0++) + { + key0.out_port = clib_host_to_net_u16 (lo_port0 + + ((i0 + + clib_net_to_host_u16 + (tcp0->src)) % + dm0-> + ports_per_host)); + + if (snat_det_get_ses_by_out + (dm0, &ip0->src_address, key0.as_u64)) + continue; + + ses0 = + snat_det_ses_create (dm0, &ip0->src_address, tcp0->src, + &key0); + break; + } + if (PREDICT_FALSE (!ses0)) + { + /* too many sessions for user, send ICMP error packet */ + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, + ICMP4_destination_unreachable, + ICMP4_destination_unreachable_destination_unreachable_host, + 0); + next0 = NAT_DET_IN2OUT_NEXT_ICMP_ERROR; + goto trace00; + } + } + + new_port0 = ses0->out.out_port; + + old_addr0.as_u32 = ip0->src_address.as_u32; + ip0->src_address.as_u32 = new_addr0.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm->outside_fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, + ip4_header_t, + src_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + if (tcp0->flags & TCP_FLAG_SYN) + ses0->state = SNAT_SESSION_TCP_SYN_SENT; + else if (tcp0->flags & TCP_FLAG_ACK + && ses0->state == SNAT_SESSION_TCP_SYN_SENT) + ses0->state = SNAT_SESSION_TCP_ESTABLISHED; + else if (tcp0->flags & TCP_FLAG_FIN + && ses0->state == SNAT_SESSION_TCP_ESTABLISHED) + ses0->state = SNAT_SESSION_TCP_FIN_WAIT; + else if (tcp0->flags & TCP_FLAG_ACK + && ses0->state == SNAT_SESSION_TCP_FIN_WAIT) + snat_det_ses_close (dm0, ses0); + else if (tcp0->flags & TCP_FLAG_FIN + && ses0->state == SNAT_SESSION_TCP_CLOSE_WAIT) + ses0->state = SNAT_SESSION_TCP_LAST_ACK; + else if (tcp0->flags == 0 + && ses0->state == SNAT_SESSION_UNKNOWN) + ses0->state = SNAT_SESSION_TCP_ESTABLISHED; + + old_port0 = tcp0->src; + tcp0->src = new_port0; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, + 
ip4_header_t, + dst_address /* changed member */ ); + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + mss_clamping (sm, tcp0, &sum0); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + ses0->state = SNAT_SESSION_UDP_ACTIVE; + old_port0 = udp0->src_port; + udp0->src_port = new_port0; + udp0->checksum = 0; + } + + switch (ses0->state) + { + case SNAT_SESSION_UDP_ACTIVE: + ses0->expire = now + sm->udp_timeout; + break; + case SNAT_SESSION_TCP_SYN_SENT: + case SNAT_SESSION_TCP_FIN_WAIT: + case SNAT_SESSION_TCP_CLOSE_WAIT: + case SNAT_SESSION_TCP_LAST_ACK: + ses0->expire = now + sm->tcp_transitory_timeout; + break; + case SNAT_SESSION_TCP_ESTABLISHED: + ses0->expire = now + sm->tcp_established_timeout; + break; + } + + trace00: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_det_in2out_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (ses0) + t->session_index = ses0 - dm0->sessions; + } + + pkts_processed += next0 != NAT_DET_IN2OUT_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, snat_det_in2out_node.index, + NAT_DET_IN2OUT_ERROR_IN2OUT_PACKETS, + pkts_processed); + return frame->n_vectors; +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (snat_det_in2out_node) = { + .function = snat_det_in2out_node_fn, + .name = "nat44-det-in2out", + .vector_size = sizeof (u32), + .format_trace = format_nat_det_in2out_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat_det_in2out_error_strings), + .error_strings = nat_det_in2out_error_strings, + .n_next_nodes = NAT_DET_IN2OUT_N_NEXT, + /* edit / add 
dispositions here */ + .next_nodes = { + [NAT_DET_IN2OUT_NEXT_DROP] = "error-drop", + [NAT_DET_IN2OUT_NEXT_LOOKUP] = "ip4-lookup", + [NAT_DET_IN2OUT_NEXT_ICMP_ERROR] = "ip4-icmp-error", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_det_in2out_node, snat_det_in2out_node_fn); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat_det_out2in.c b/src/plugins/nat/nat_det_out2in.c new file mode 100644 index 00000000000..9e8ba27285b --- /dev/null +++ b/src/plugins/nat/nat_det_out2in.c 
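Review bot: In snat_det_in2out_node_fn's second-packet path the no-match log under `if (PREDICT_FALSE (!dm1))` formats `&ip0->src_address` although the lookup that failed was for `ip1`, so the trace names the wrong inside host; the line should read `format_ip4_address, &ip1->src_address);`. The b0 half of the dual loop and the single-packet loop use the matching header, so only this one line is affected. Separately, the doc comment on icmp_match_in2out_det lists every parameter except `ip0`; a line `@param[in] ip0 IPv4 header of the packet in b0` would complete it. These `nat_log_info` calls fire once per unmatched packet from arbitrary inside sources; if nat_log_info is not rate-limited elsewhere, a single untranslatable flow can flood the log, which is worth confirming.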
@@ -0,0 +1,717 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief Deterministic/CGN NAT44 outside to inside network translation + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +typedef enum +{ + NAT_DET_OUT2IN_NEXT_DROP, + NAT_DET_OUT2IN_NEXT_LOOKUP, + NAT_DET_OUT2IN_NEXT_ICMP_ERROR, + NAT_DET_OUT2IN_N_NEXT, +} nat_det_out2in_next_t; + +typedef struct +{ + u32 sw_if_index; + u32 next_index; + u32 session_index; +} nat_det_out2in_trace_t; + +#define foreach_nat_det_out2in_error \ +_(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \ +_(NO_TRANSLATION, "No translation") \ +_(BAD_ICMP_TYPE, "unsupported ICMP type") \ +_(OUT2IN_PACKETS, "Good out2in packets processed") + +typedef enum +{ +#define _(sym,str) NAT_DET_OUT2IN_ERROR_##sym, + foreach_nat_det_out2in_error +#undef _ + SNAT_OUT2IN_N_ERROR, +} nat_det_out2in_error_t; + +static char *nat_det_out2in_error_strings[] = { +#define _(sym,string) string, + foreach_nat_det_out2in_error +#undef _ +}; + +vlib_node_registration_t snat_det_out2in_node; + +static u8 * +format_nat_det_out2in_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat_det_out2in_trace_t *t = va_arg (*args, nat_det_out2in_trace_t *); + + s = + format (s, + "NAT_DET_OUT2IN: sw_if_index %d, next 
index %d, session index %d", + t->sw_if_index, t->next_index, t->session_index); + return s; +} + +/** + * Get address and port values to be used for ICMP packet translation + * and create session if needed + * + * @param[in,out] sm NAT main + * @param[in,out] node NAT node runtime + * @param[in] thread_index thread index + * @param[in,out] b0 buffer containing packet to be translated + * @param[out] p_proto protocol used for matching + * @param[out] p_value address and port after NAT translation + * @param[out] p_dont_translate if packet should not be translated + * @param d optional parameter + * @param e optional parameter + */ +u32 +icmp_match_out2in_det (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) +{ + icmp46_header_t *icmp0; + u32 sw_if_index0; + u8 protocol; + snat_det_out_key_t key0; + u8 dont_translate = 0; + u32 next0 = ~0; + icmp_echo_header_t *echo0, *inner_echo0 = 0; + ip4_header_t *inner_ip0; + void *l4_header = 0; + icmp46_header_t *inner_icmp0; + snat_det_map_t *dm0 = 0; + ip4_address_t new_addr0 = { {0} }; + snat_det_session_t *ses0 = 0; + ip4_address_t out_addr; + + icmp0 = (icmp46_header_t *) ip4_next_header (ip0); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + + if (!icmp_is_error_message (icmp0)) + { + protocol = SNAT_PROTOCOL_ICMP; + key0.ext_host_addr = ip0->src_address; + key0.ext_host_port = 0; + key0.out_port = echo0->identifier; + out_addr = ip0->dst_address; + } + else + { + inner_ip0 = (ip4_header_t *) (echo0 + 1); + l4_header = ip4_next_header (inner_ip0); + protocol = ip_proto_to_snat_proto (inner_ip0->protocol); + key0.ext_host_addr = inner_ip0->dst_address; + out_addr = inner_ip0->src_address; + switch (protocol) + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t 
*) (inner_icmp0 + 1); + key0.ext_host_port = 0; + key0.out_port = inner_echo0->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + key0.ext_host_port = ((tcp_udp_header_t *) l4_header)->dst_port; + key0.out_port = ((tcp_udp_header_t *) l4_header)->src_port; + break; + default: + b0->error = node->errors[NAT_DET_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; + next0 = NAT_DET_OUT2IN_NEXT_DROP; + goto out; + } + } + + dm0 = snat_det_map_by_out (sm, &out_addr); + if (PREDICT_FALSE (!dm0)) + { + /* Don't NAT packet aimed at the intfc address */ + if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0, + ip0->dst_address.as_u32))) + { + dont_translate = 1; + goto out; + } + nat_log_info ("unknown dst address: %U", + format_ip4_address, &ip0->dst_address); + goto out; + } + + snat_det_reverse (dm0, &ip0->dst_address, + clib_net_to_host_u16 (key0.out_port), &new_addr0); + + ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64); + if (PREDICT_FALSE (!ses0)) + { + /* Don't NAT packet aimed at the intfc address */ + if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0, + ip0->dst_address.as_u32))) + { + dont_translate = 1; + goto out; + } + nat_log_info ("no match src %U:%d dst %U:%d for user %U", + format_ip4_address, &key0.ext_host_addr, + clib_net_to_host_u16 (key0.ext_host_port), + format_ip4_address, &out_addr, + clib_net_to_host_u16 (key0.out_port), + format_ip4_address, &new_addr0); + b0->error = node->errors[NAT_DET_OUT2IN_ERROR_NO_TRANSLATION]; + next0 = NAT_DET_OUT2IN_NEXT_DROP; + goto out; + } + + if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply && + !icmp_is_error_message (icmp0))) + { + b0->error = node->errors[NAT_DET_OUT2IN_ERROR_BAD_ICMP_TYPE]; + next0 = NAT_DET_OUT2IN_NEXT_DROP; + goto out; + } + + goto out; + +out: + *p_proto = protocol; + if (ses0) + { + p_value->addr = new_addr0; + p_value->fib_index = sm->inside_fib_index; + p_value->port = ses0->in_port; + } + *p_dont_translate = dont_translate; + if (d) + 
*(snat_det_session_t **) d = ses0; + if (e) + *(snat_det_map_t **) e = dm0; + return next0; +} + +static uword +snat_det_out2in_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) +{ + u32 n_left_from, *from, *to_next; + nat_det_out2in_next_t next_index; + u32 pkts_processed = 0; + snat_main_t *sm = &snat_main; + u32 thread_index = vm->thread_index; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from >= 4 && n_left_to_next >= 2) + { + u32 bi0, bi1; + vlib_buffer_t *b0, *b1; + u32 next0 = NAT_DET_OUT2IN_NEXT_LOOKUP; + u32 next1 = NAT_DET_OUT2IN_NEXT_LOOKUP; + u32 sw_if_index0, sw_if_index1; + ip4_header_t *ip0, *ip1; + ip_csum_t sum0, sum1; + ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1; + u16 new_port0, old_port0, old_port1, new_port1; + udp_header_t *udp0, *udp1; + tcp_header_t *tcp0, *tcp1; + u32 proto0, proto1; + snat_det_out_key_t key0, key1; + snat_det_map_t *dm0, *dm1; + snat_det_session_t *ses0 = 0, *ses1 = 0; + u32 rx_fib_index0, rx_fib_index1; + icmp46_header_t *icmp0, *icmp1; + + /* Prefetch next iteration. 
*/ + { + vlib_buffer_t *p2, *p3; + + p2 = vlib_get_buffer (vm, from[2]); + p3 = vlib_get_buffer (vm, from[3]); + + vlib_prefetch_buffer_header (p2, LOAD); + vlib_prefetch_buffer_header (p3, LOAD); + + CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); + CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); + } + + /* speculatively enqueue b0 and b1 to the current next frame */ + to_next[0] = bi0 = from[0]; + to_next[1] = bi1 = from[1]; + from += 2; + to_next += 2; + n_left_from -= 2; + n_left_to_next -= 2; + + b0 = vlib_get_buffer (vm, bi0); + b1 = vlib_get_buffer (vm, bi1); + + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT_DET_OUT2IN_NEXT_ICMP_ERROR; + goto trace0; + } + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + rx_fib_index0 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); + icmp0 = (icmp46_header_t *) udp0; + + next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, + rx_fib_index0, node, next0, thread_index, + &ses0, &dm0); + goto trace0; + } + + key0.ext_host_addr = ip0->src_address; + key0.ext_host_port = tcp0->src; + key0.out_port = tcp0->dst; + + dm0 = snat_det_map_by_out (sm, &ip0->dst_address); + if (PREDICT_FALSE (!dm0)) + { + nat_log_info ("unknown dst address: %U", + format_ip4_address, &ip0->dst_address); + next0 = NAT_DET_OUT2IN_NEXT_DROP; + b0->error = node->errors[NAT_DET_OUT2IN_ERROR_NO_TRANSLATION]; + goto trace0; + } + + snat_det_reverse (dm0, &ip0->dst_address, + clib_net_to_host_u16 (tcp0->dst), &new_addr0); + + ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64); + if (PREDICT_FALSE (!ses0)) + { + nat_log_info ("no match 
src %U:%d dst %U:%d for user %U", + format_ip4_address, &ip0->src_address, + clib_net_to_host_u16 (tcp0->src), + format_ip4_address, &ip0->dst_address, + clib_net_to_host_u16 (tcp0->dst), + format_ip4_address, &new_addr0); + next0 = NAT_DET_OUT2IN_NEXT_DROP; + b0->error = node->errors[NAT_DET_OUT2IN_ERROR_NO_TRANSLATION]; + goto trace0; + } + new_port0 = ses0->in_port; + + old_addr0 = ip0->dst_address; + ip0->dst_address = new_addr0; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, + ip4_header_t, + dst_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + if (tcp0->flags & TCP_FLAG_FIN + && ses0->state == SNAT_SESSION_TCP_ESTABLISHED) + ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT; + else if (tcp0->flags & TCP_FLAG_ACK + && ses0->state == SNAT_SESSION_TCP_LAST_ACK) + snat_det_ses_close (dm0, ses0); + + old_port0 = tcp0->dst; + tcp0->dst = new_port0; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, + ip4_header_t, + dst_address /* changed member */ ); + + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->dst_port; + udp0->dst_port = new_port0; + udp0->checksum = 0; + } + + trace0: + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_det_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (ses0) + t->session_index = ses0 - dm0->sessions; + } + + pkts_processed += next0 != NAT_DET_OUT2IN_NEXT_DROP; + + b1 = vlib_get_buffer (vm, bi1); + + ip1 = vlib_buffer_get_current (b1); + udp1 = ip4_next_header (ip1); + tcp1 = (tcp_header_t *) udp1; + + 
sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX]; + + if (PREDICT_FALSE (ip1->ttl == 1)) + { + vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next1 = NAT_DET_OUT2IN_NEXT_ICMP_ERROR; + goto trace1; + } + + proto1 = ip_proto_to_snat_proto (ip1->protocol); + + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + rx_fib_index1 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index1); + icmp1 = (icmp46_header_t *) udp1; + + next1 = icmp_out2in (sm, b1, ip1, icmp1, sw_if_index1, + rx_fib_index1, node, next1, thread_index, + &ses1, &dm1); + goto trace1; + } + + key1.ext_host_addr = ip1->src_address; + key1.ext_host_port = tcp1->src; + key1.out_port = tcp1->dst; + + dm1 = snat_det_map_by_out (sm, &ip1->dst_address); + if (PREDICT_FALSE (!dm1)) + { + nat_log_info ("unknown dst address: %U", + format_ip4_address, &ip1->dst_address); + next1 = NAT_DET_OUT2IN_NEXT_DROP; + b1->error = node->errors[NAT_DET_OUT2IN_ERROR_NO_TRANSLATION]; + goto trace1; + } + + snat_det_reverse (dm1, &ip1->dst_address, + clib_net_to_host_u16 (tcp1->dst), &new_addr1); + + ses1 = snat_det_get_ses_by_out (dm1, &new_addr1, key1.as_u64); + if (PREDICT_FALSE (!ses1)) + { + nat_log_info ("no match src %U:%d dst %U:%d for user %U", + format_ip4_address, &ip1->src_address, + clib_net_to_host_u16 (tcp1->src), + format_ip4_address, &ip1->dst_address, + clib_net_to_host_u16 (tcp1->dst), + format_ip4_address, &new_addr1); + next1 = NAT_DET_OUT2IN_NEXT_DROP; + b1->error = node->errors[NAT_DET_OUT2IN_ERROR_NO_TRANSLATION]; + goto trace1; + } + new_port1 = ses1->in_port; + + old_addr1 = ip1->dst_address; + ip1->dst_address = new_addr1; + vnet_buffer (b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index; + + sum1 = ip1->checksum; + sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32, + ip4_header_t, + dst_address /* changed member */ ); + ip1->checksum = ip_csum_fold (sum1); + + if 
(PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) + { + if (tcp1->flags & TCP_FLAG_FIN + && ses1->state == SNAT_SESSION_TCP_ESTABLISHED) + ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT; + else if (tcp1->flags & TCP_FLAG_ACK + && ses1->state == SNAT_SESSION_TCP_LAST_ACK) + snat_det_ses_close (dm1, ses1); + + old_port1 = tcp1->dst; + tcp1->dst = new_port1; + + sum1 = tcp1->checksum; + sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32, + ip4_header_t, + dst_address /* changed member */ ); + + sum1 = ip_csum_update (sum1, old_port1, new_port1, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp1->checksum = ip_csum_fold (sum1); + } + else + { + old_port1 = udp1->dst_port; + udp1->dst_port = new_port1; + udp1->checksum = 0; + } + + trace1: + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b1->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_det_out2in_trace_t *t = + vlib_add_trace (vm, node, b1, sizeof (*t)); + t->sw_if_index = sw_if_index1; + t->next_index = next1; + t->session_index = ~0; + if (ses1) + t->session_index = ses1 - dm1->sessions; + } + + pkts_processed += next1 != NAT_DET_OUT2IN_NEXT_DROP; + + /* verify speculative enqueues, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x2 (vm, node, next_index, + to_next, n_left_to_next, + bi0, bi1, next0, next1); + } + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = NAT_DET_OUT2IN_NEXT_LOOKUP; + u32 sw_if_index0; + ip4_header_t *ip0; + ip_csum_t sum0; + ip4_address_t new_addr0, old_addr0; + u16 new_port0, old_port0; + udp_header_t *udp0; + tcp_header_t *tcp0; + u32 proto0; + snat_det_out_key_t key0; + snat_det_map_t *dm0; + snat_det_session_t *ses0 = 0; + u32 rx_fib_index0; + icmp46_header_t *icmp0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + + ip0 = 
vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT_DET_OUT2IN_NEXT_ICMP_ERROR; + goto trace00; + } + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + rx_fib_index0 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); + icmp0 = (icmp46_header_t *) udp0; + + next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, + rx_fib_index0, node, next0, thread_index, + &ses0, &dm0); + goto trace00; + } + + key0.ext_host_addr = ip0->src_address; + key0.ext_host_port = tcp0->src; + key0.out_port = tcp0->dst; + + dm0 = snat_det_map_by_out (sm, &ip0->dst_address); + if (PREDICT_FALSE (!dm0)) + { + nat_log_info ("unknown dst address: %U", + format_ip4_address, &ip0->dst_address); + next0 = NAT_DET_OUT2IN_NEXT_DROP; + b0->error = node->errors[NAT_DET_OUT2IN_ERROR_NO_TRANSLATION]; + goto trace00; + } + + snat_det_reverse (dm0, &ip0->dst_address, + clib_net_to_host_u16 (tcp0->dst), &new_addr0); + + ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64); + if (PREDICT_FALSE (!ses0)) + { + nat_log_info ("no match src %U:%d dst %U:%d for user %U", + format_ip4_address, &ip0->src_address, + clib_net_to_host_u16 (tcp0->src), + format_ip4_address, &ip0->dst_address, + clib_net_to_host_u16 (tcp0->dst), + format_ip4_address, &new_addr0); + next0 = NAT_DET_OUT2IN_NEXT_DROP; + b0->error = node->errors[NAT_DET_OUT2IN_ERROR_NO_TRANSLATION]; + goto trace00; + } + new_port0 = ses0->in_port; + + old_addr0 = ip0->dst_address; + ip0->dst_address = new_addr0; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, 
+ ip4_header_t, + dst_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + if (tcp0->flags & TCP_FLAG_FIN + && ses0->state == SNAT_SESSION_TCP_ESTABLISHED) + ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT; + else if (tcp0->flags & TCP_FLAG_ACK + && ses0->state == SNAT_SESSION_TCP_LAST_ACK) + snat_det_ses_close (dm0, ses0); + + old_port0 = tcp0->dst; + tcp0->dst = new_port0; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, + ip4_header_t, + dst_address /* changed member */ ); + + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->dst_port; + udp0->dst_port = new_port0; + udp0->checksum = 0; + } + + trace00: + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat_det_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (ses0) + t->session_index = ses0 - dm0->sessions; + } + + pkts_processed += next0 != NAT_DET_OUT2IN_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, snat_det_out2in_node.index, + NAT_DET_OUT2IN_ERROR_OUT2IN_PACKETS, + pkts_processed); + return frame->n_vectors; +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (snat_det_out2in_node) = { + .function = snat_det_out2in_node_fn, + .name = "nat44-det-out2in", + .vector_size = sizeof (u32), + .format_trace = format_nat_det_out2in_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat_det_out2in_error_strings), + .error_strings = nat_det_out2in_error_strings, + 
.runtime_data_bytes = sizeof (snat_runtime_t), + .n_next_nodes = NAT_DET_OUT2IN_N_NEXT, + /* edit / add dispositions here */ + .next_nodes = { + [NAT_DET_OUT2IN_NEXT_DROP] = "error-drop", + [NAT_DET_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", + [NAT_DET_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat_format.c b/src/plugins/nat/nat_format.c new file mode 100644 index 00000000000..279d6664933 --- /dev/null +++ b/src/plugins/nat/nat_format.c 
@@ -0,0 +1,332 @@ +/* + * Copyright (c) 2018 Cisco and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +/** + * @file + * @brief NAT formatting + */ + +#include +#include + +uword +unformat_snat_protocol (unformat_input_t * input, va_list * args) +{ + u32 *r = va_arg (*args, u32 *); + + if (0); +#define _(N, i, n, s) else if (unformat (input, s)) *r = SNAT_PROTOCOL_##N; + foreach_snat_protocol +#undef _ + else + return 0; + return 1; +} + +u8 * +format_snat_protocol (u8 * s, va_list * args) +{ + u32 i = va_arg (*args, u32); + u8 *t = 0; + + switch (i) + { +#define _(N, j, n, str) case SNAT_PROTOCOL_##N: t = (u8 *) str; break; + foreach_snat_protocol +#undef _ + default: + s = format (s, "unknown"); + return s; + } + s = format (s, "%s", t); + return s; +} + +u8 * +format_nat_addr_and_port_alloc_alg (u8 * s, va_list * args) +{ + u32 i = va_arg (*args, u32); + u8 *t = 0; + + switch (i) + { +#define _(v, N, s) case NAT_ADDR_AND_PORT_ALLOC_ALG_##N: t = (u8 *) s; break; + foreach_nat_addr_and_port_alloc_alg +#undef _ + default: + s = format (s, "unknown"); + return s; + } + s = format (s, "%s", t); + return s; +} + +u8 * +format_snat_key (u8 * s, va_list * args) +{ + snat_session_key_t *key = va_arg (*args, snat_session_key_t *); + + s = format (s, "%U proto %U port %d fib %d", + format_ip4_address, &key->addr, + format_snat_protocol, key->protocol, + clib_net_to_host_u16 (key->port), key->fib_index); + return s; +} + +u8 * 
+format_static_mapping_key (u8 * s, va_list * args) +{ + snat_session_key_t *key = va_arg (*args, snat_session_key_t *); + + s = format (s, "%U proto %U port %d fib %d", + format_ip4_address, &key->addr, + format_snat_protocol, key->protocol, key->port, key->fib_index); + return s; +} + +u8 * +format_snat_session_state (u8 * s, va_list * args) +{ + u32 i = va_arg (*args, u32); + u8 *t = 0; + + switch (i) + { +#define _(v, N, str) case SNAT_SESSION_##N: t = (u8 *) str; break; + foreach_snat_session_state +#undef _ + default: + t = format (t, "unknown"); + } + s = format (s, "%s", t); + return s; +} + +u8 * +format_snat_session (u8 * s, va_list * args) +{ + snat_main_per_thread_data_t *sm = + va_arg (*args, snat_main_per_thread_data_t *); + snat_session_t *sess = va_arg (*args, snat_session_t *); + + if (snat_is_unk_proto_session (sess)) + { + s = format (s, " i2o %U proto %u fib %u\n", + format_ip4_address, &sess->in2out.addr, + clib_net_to_host_u16 (sess->in2out.port), + sess->in2out.fib_index); + s = format (s, " o2i %U proto %u fib %u\n", + format_ip4_address, &sess->out2in.addr, + clib_net_to_host_u16 (sess->out2in.port), + sess->out2in.fib_index); + } + else + { + s = format (s, " i2o %U\n", format_snat_key, &sess->in2out); + s = format (s, " o2i %U\n", format_snat_key, &sess->out2in); + } + if (is_ed_session (sess) || is_fwd_bypass_session (sess)) + { + if (is_twice_nat_session (sess)) + { + s = format (s, " external host o2i %U:%d i2o %U:%d\n", + format_ip4_address, &sess->ext_host_addr, + clib_net_to_host_u16 (sess->ext_host_port), + format_ip4_address, &sess->ext_host_nat_addr, + clib_net_to_host_u16 (sess->ext_host_nat_port)); + } + else + { + if (sess->ext_host_addr.as_u32) + s = format (s, " external host %U:%u\n", + format_ip4_address, &sess->ext_host_addr, + clib_net_to_host_u16 (sess->ext_host_port)); + } + } + s = format (s, " index %llu\n", sess - sm->sessions); + s = format (s, " last heard %.2f\n", sess->last_heard); + s = format (s, " total pkts 
%d, total bytes %lld\n", + sess->total_pkts, sess->total_bytes); + if (snat_is_session_static (sess)) + s = format (s, " static translation\n"); + else + s = format (s, " dynamic translation\n"); + if (is_fwd_bypass_session (sess)) + s = format (s, " forwarding-bypass\n"); + if (is_lb_session (sess)) + s = format (s, " load-balancing\n"); + if (is_twice_nat_session (sess)) + s = format (s, " twice-nat\n"); + + return s; +} + +u8 * +format_snat_user (u8 * s, va_list * args) +{ + snat_main_per_thread_data_t *sm = + va_arg (*args, snat_main_per_thread_data_t *); + snat_user_t *u = va_arg (*args, snat_user_t *); + int verbose = va_arg (*args, int); + dlist_elt_t *head, *elt; + u32 elt_index, head_index; + u32 session_index; + snat_session_t *sess; + + s = format (s, "%U: %d dynamic translations, %d static translations\n", + format_ip4_address, &u->addr, u->nsessions, u->nstaticsessions); + + if (verbose == 0) + return s; + + if (u->nsessions || u->nstaticsessions) + { + head_index = u->sessions_per_user_list_head_index; + head = pool_elt_at_index (sm->list_pool, head_index); + + elt_index = head->next; + elt = pool_elt_at_index (sm->list_pool, elt_index); + session_index = elt->value; + + while (session_index != ~0) + { + sess = pool_elt_at_index (sm->sessions, session_index); + + s = format (s, " %U\n", format_snat_session, sm, sess); + + elt_index = elt->next; + elt = pool_elt_at_index (sm->list_pool, elt_index); + session_index = elt->value; + } + } + + return s; +} + +u8 * +format_snat_static_mapping (u8 * s, va_list * args) +{ + snat_static_mapping_t *m = va_arg (*args, snat_static_mapping_t *); + nat44_lb_addr_port_t *local; + + if (m->addr_only) + s = format (s, "local %U external %U vrf %d %s %s", + format_ip4_address, &m->local_addr, + format_ip4_address, &m->external_addr, + m->vrf_id, + m->twice_nat == TWICE_NAT ? "twice-nat" : + m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", + m->out2in_only ? 
"out2in-only" : ""); + else + { + if (vec_len (m->locals)) + { + s = format (s, "%U external %U:%d %s %s", + format_snat_protocol, m->proto, + format_ip4_address, &m->external_addr, m->external_port, + m->twice_nat == TWICE_NAT ? "twice-nat" : + m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", + m->out2in_only ? "out2in-only" : ""); + vec_foreach (local, m->locals) + s = format (s, "\n local %U:%d vrf %d probability %d\%", + format_ip4_address, &local->addr, local->port, + local->vrf_id, local->probability); + } + else + s = format (s, "%U local %U:%d external %U:%d vrf %d %s %s", + format_snat_protocol, m->proto, + format_ip4_address, &m->local_addr, m->local_port, + format_ip4_address, &m->external_addr, m->external_port, + m->vrf_id, + m->twice_nat == TWICE_NAT ? "twice-nat" : + m->twice_nat == TWICE_NAT_SELF ? "self-twice-nat" : "", + m->out2in_only ? "out2in-only" : ""); + } + return s; +} + +u8 * +format_snat_static_map_to_resolve (u8 * s, va_list * args) +{ + snat_static_map_resolve_t *m = va_arg (*args, snat_static_map_resolve_t *); + vnet_main_t *vnm = vnet_get_main (); + + if (m->addr_only) + s = format (s, "local %U external %U vrf %d", + format_ip4_address, &m->l_addr, + format_vnet_sw_if_index_name, vnm, m->sw_if_index, m->vrf_id); + else + s = format (s, "%U local %U:%d external %U:%d vrf %d", + format_snat_protocol, m->proto, + format_ip4_address, &m->l_addr, m->l_port, + format_vnet_sw_if_index_name, vnm, m->sw_if_index, + m->e_port, m->vrf_id); + + return s; +} + +u8 * +format_det_map_ses (u8 * s, va_list * args) +{ + snat_det_map_t *det_map = va_arg (*args, snat_det_map_t *); + ip4_address_t in_addr, out_addr; + u32 in_offset, out_offset; + snat_det_session_t *ses = va_arg (*args, snat_det_session_t *); + u32 *i = va_arg (*args, u32 *); + + u32 user_index = *i / SNAT_DET_SES_PER_USER; + in_addr.as_u32 = + clib_host_to_net_u32 (clib_net_to_host_u32 (det_map->in_addr.as_u32) + + user_index); + in_offset = + clib_net_to_host_u32 
(in_addr.as_u32) - + clib_net_to_host_u32 (det_map->in_addr.as_u32); + out_offset = in_offset / det_map->sharing_ratio; + out_addr.as_u32 = + clib_host_to_net_u32 (clib_net_to_host_u32 (det_map->out_addr.as_u32) + + out_offset); + s = + format (s, + "in %U:%d out %U:%d external host %U:%d state: %U expire: %d\n", + format_ip4_address, &in_addr, clib_net_to_host_u16 (ses->in_port), + format_ip4_address, &out_addr, + clib_net_to_host_u16 (ses->out.out_port), format_ip4_address, + &ses->out.ext_host_addr, + clib_net_to_host_u16 (ses->out.ext_host_port), + format_snat_session_state, ses->state, ses->expire); + + return s; +} + +u8 * +format_nat44_reass_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat44_reass_trace_t *t = va_arg (*args, nat44_reass_trace_t *); + + s = format (s, "NAT44_REASS: sw_if_index %d, next index %d, status %s", + t->sw_if_index, t->next_index, + t->cached ? "cached" : "translated"); + + return s; +} + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/nat_inlines.h b/src/plugins/nat/nat_inlines.h index 4c79fd4124c..4bdb2cb66d9 100644 --- a/src/plugins/nat/nat_inlines.h +++ b/src/plugins/nat/nat_inlines.h @@ -19,6 +19,7 @@ #ifndef __included_nat_inlines_h__ #define __included_nat_inlines_h__ +#include #include always_inline u32 
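Review bot: `format_snat_session_state` handles an unrecognised state differently from its siblings: its `default:` branch does `t = format (t, "unknown");`, which allocates a fresh vector into `t` that is not guaranteed to be NUL-terminated and is never freed, and then prints it with `%s`. `format_snat_protocol` and `format_nat_addr_and_port_alloc_alg` in the same hunk write `s = format (s, "unknown"); return s;` directly, and the state formatter should do the same. Separately, the per-local line in `format_snat_static_mapping` ends with `probability %d\%`; `\%` is not a standard C escape sequence (compilers warn and typically emit a lone trailing `%`, which the format parser then sees as an incomplete conversion), so a literal percent should be spelled `probability %d%%`. Both are display-only paths, but the unterminated-vector read is the one worth fixing before this lands.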
@@ -377,6 +378,78 @@ mss_clamping (snat_main_t * sm, tcp_header_t * tcp, ip_csum_t * sum) } } +/** + * @brief Check if packet should be translated + * + * Packets aimed at outside interface and external address with active session + * should be translated. + * + * @param sm NAT main + * @param rt NAT runtime data + * @param sw_if_index0 index of the inside interface + * @param ip0 IPv4 header + * @param proto0 NAT protocol + * @param rx_fib_index0 RX FIB index + * + * @returns 0 if packet should be translated otherwise 1 + */ +static inline int +snat_not_translate_fast (snat_main_t * sm, vlib_node_runtime_t * node, + u32 sw_if_index0, ip4_header_t * ip0, u32 proto0, + u32 rx_fib_index0) +{ + if (sm->out2in_dpo) + return 0; + + fib_node_index_t fei = FIB_NODE_INDEX_INVALID; + nat_outside_fib_t *outside_fib; + fib_prefix_t pfx = { + .fp_proto = FIB_PROTOCOL_IP4, + .fp_len = 32, + .fp_addr = { + .ip4.as_u32 = ip0->dst_address.as_u32, + } + , + }; + + /* Don't NAT packet aimed at the intfc address */ + if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0, + ip0->dst_address.as_u32))) + return 1; + + fei = fib_table_lookup (rx_fib_index0, &pfx); + if (FIB_NODE_INDEX_INVALID != fei) + { + u32 sw_if_index = fib_entry_get_resolving_interface (fei); + if (sw_if_index == ~0) + { + vec_foreach (outside_fib, sm->outside_fibs) + { + fei = fib_table_lookup (outside_fib->fib_index, &pfx); + if (FIB_NODE_INDEX_INVALID != fei) + { + sw_if_index = fib_entry_get_resolving_interface (fei); + if (sw_if_index != ~0) + break; + } + } + } + if (sw_if_index == ~0) + return 1; + + snat_interface_t *i; + pool_foreach (i, sm->interfaces, ( + { + /* NAT packet aimed at outside interface */ + if ((nat_interface_is_outside (i)) + && (sw_if_index == + i->sw_if_index)) return 0;} + )); + } + + return 1; +} + #endif /* __included_nat_inlines_h__ */ /* diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c index ba343ad72a5..985333fc765 100755 --- a/src/plugins/nat/out2in.c 
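Review bot: The Doxygen block above `snat_not_translate_fast` documents `@param rt NAT runtime data`, but the second parameter is `vlib_node_runtime_t * node`, so the line should read `@param node vlib node runtime` (it is only passed on to `is_interface_addr`). The `@returns` text is correct, but the double negative in the function name makes it easy to misread; `@returns 1 when the packet must not be translated, 0 when it should be` would be clearer. The neighbouring helpers in this header use `always_inline` (see the `always_inline u32` context line above the first hunk) whereas this one is `static inline`; picking one keeps the header consistent. The `pool_foreach` walk over `sm->interfaces` runs per packet whenever the FIB lookup resolves to an interface; that is presumably fine for expected interface counts, but a short comment saying so would help the next reader.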
+++ b/src/plugins/nat/out2in.c @@ -12,11 +12,14 @@ * See the License for the specific language governing permissions and * limitations under the License. */ +/** + * @file + * @brief NAT44 endpoint-dependent outside to inside network translation + */ #include #include #include -#include #include #include @@ -24,7 +27,6 @@ #include #include #include -#include #include #include 
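Review bot: The new `@brief` describes out2in.c as "NAT44 endpoint-dependent outside to inside network translation", yet this same commit moves the endpoint-dependent path out of this file: the `nat44_ed_out2in_*` node registrations are deleted in the `@@ -32,81 +34,43 @@` hunk below and out2in_ed.c is created. What remains here is the classic (non-ED) out2in path plus reassembly, so the brief is misleading for the next reader. `@brief NAT44 outside to inside network translation` fits this file, with the endpoint-dependent wording belonging in out2in_ed.c.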
@@ -32,81 +34,43 @@ #include #include -typedef struct { +typedef struct +{ u32 sw_if_index; u32 next_index; u32 session_index; } snat_out2in_trace_t; -typedef struct { - u32 next_worker_index; - u8 do_handoff; -} snat_out2in_worker_handoff_trace_t; - /* packet trace format function */ -static u8 * format_snat_out2in_trace (u8 * s, va_list * args) +static u8 * +format_snat_out2in_trace (u8 * s, va_list * args) { CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *); + snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *); - s = format (s, "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d", - t->sw_if_index, t->next_index, t->session_index); + s = + format (s, + "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d", + t->sw_if_index, t->next_index, t->session_index); return s; } -static u8 * format_snat_out2in_fast_trace (u8 * s, va_list * args) +static u8 * +format_snat_out2in_fast_trace (u8 * s, va_list * args) { CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - snat_out2in_trace_t * t = va_arg (*args, snat_out2in_trace_t *); + snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *); s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d", - t->sw_if_index, t->next_index); - return s; -} - -static u8 * format_snat_out2in_worker_handoff_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - snat_out2in_worker_handoff_trace_t * t = - va_arg (*args, snat_out2in_worker_handoff_trace_t *); - char * m; - - m = t->do_handoff ? 
"next worker" : "same worker"; - s = format (s, "NAT44_OUT2IN_WORKER_HANDOFF: %s %d", m, t->next_worker_index); - - return s; -} - -typedef struct { - u32 sw_if_index; - u32 next_index; - u8 cached; -} nat44_out2in_reass_trace_t; - -static u8 * format_nat44_out2in_reass_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - nat44_out2in_reass_trace_t * t = va_arg (*args, nat44_out2in_reass_trace_t *); - - s = format (s, "NAT44_OUT2IN_REASS: sw_if_index %d, next index %d, status %s", - t->sw_if_index, t->next_index, - t->cached ? "cached" : "translated"); - + t->sw_if_index, t->next_index); return s; } vlib_node_registration_t snat_out2in_node; vlib_node_registration_t snat_out2in_fast_node; -vlib_node_registration_t snat_out2in_worker_handoff_node; -vlib_node_registration_t snat_det_out2in_node; vlib_node_registration_t nat44_out2in_reass_node; -vlib_node_registration_t nat44_ed_out2in_node; -vlib_node_registration_t nat44_ed_out2in_slowpath_node; -vlib_node_registration_t nat44_ed_out2in_reass_node; #define foreach_snat_out2in_error \ _(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \ 
@@ -117,23 +81,24 @@ _(NO_TRANSLATION, "No translation") \ _(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \ _(DROP_FRAGMENT, "Drop fragment") \ _(MAX_REASS, "Maximum reassemblies exceeded") \ -_(MAX_FRAG, "Maximum fragments per reassembly exceeded")\ -_(FQ_CONGESTED, "Handoff frame queue congested") +_(MAX_FRAG, "Maximum fragments per reassembly exceeded") -typedef enum { +typedef enum +{ #define _(sym,str) SNAT_OUT2IN_ERROR_##sym, foreach_snat_out2in_error #undef _ - SNAT_OUT2IN_N_ERROR, + SNAT_OUT2IN_N_ERROR, } snat_out2in_error_t; -static char * snat_out2in_error_strings[] = { +static char *snat_out2in_error_strings[] = { #define _(sym,string) string, foreach_snat_out2in_error #undef _ }; -typedef enum { +typedef enum +{ SNAT_OUT2IN_NEXT_DROP, SNAT_OUT2IN_NEXT_LOOKUP, SNAT_OUT2IN_NEXT_ICMP_ERROR, 
@@ -142,34 +107,34 @@ typedef enum { } snat_out2in_next_t; int -nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void * arg) +nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg) { snat_main_t *sm = &snat_main; nat44_is_idle_session_ctx_t *ctx = arg; snat_session_t *s; u64 sess_timeout_time; snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, - ctx->thread_index); + ctx->thread_index); clib_bihash_kv_8_8_t s_kv; s = pool_elt_at_index (tsm->sessions, kv->value); - sess_timeout_time = s->last_heard + (f64)nat44_session_get_timeout(sm, s); + sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s); if (ctx->now >= sess_timeout_time) { s_kv.key = s->in2out.as_u64; if (clib_bihash_add_del_8_8 (&tsm->in2out, &s_kv, 0)) - nat_log_warn ("out2in key del failed"); + nat_log_warn ("out2in key del failed"); - snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); + snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, + s->in2out.fib_index); if (!snat_is_session_static (s)) - snat_free_outside_address_and_port (sm->addresses, ctx->thread_index, - &s->out2in); + snat_free_outside_address_and_port (sm->addresses, ctx->thread_index, + &s->out2in); nat44_delete_session (sm, s, ctx->thread_index); return 1; 
@@ -193,13 +158,12 @@ nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void * arg) * @returns SNAT session if successfully created otherwise 0. */ static inline snat_session_t * -create_session_for_static_mapping (snat_main_t *sm, - vlib_buffer_t *b0, - snat_session_key_t in2out, - snat_session_key_t out2in, - vlib_node_runtime_t * node, - u32 thread_index, - f64 now) +create_session_for_static_mapping (snat_main_t * sm, + vlib_buffer_t * b0, + snat_session_key_t in2out, + snat_session_key_t out2in, + vlib_node_runtime_t * node, + u32 thread_index, f64 now) { snat_user_t *u; snat_session_t *s; @@ -208,7 +172,7 @@ create_session_for_static_mapping (snat_main_t *sm, udp_header_t *udp0; nat44_is_idle_session_ctx_t ctx0; - if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index))) + if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index))) { b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED]; nat_log_notice ("maximum sessions exceeded"); @@ -218,7 +182,8 @@ create_session_for_static_mapping (snat_main_t *sm, ip0 = vlib_buffer_get_current (b0); udp0 = ip4_next_header (ip0); - u = nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index); + u = + nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index); if (!u) { nat_log_warn ("create NAT user failed"); @@ -233,11 +198,10 @@ create_session_for_static_mapping (snat_main_t *sm, return 0; } - s->outside_address_index = ~0; s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; s->ext_host_addr.as_u32 = ip0->src_address.as_u32; s->ext_host_port = udp0->src_port; - user_session_increment (sm, u, 1 /* static */); + user_session_increment (sm, u, 1 /* static */ ); s->in2out = in2out; s->out2in = out2in; s->in2out.protocol = out2in.protocol; 
@@ -247,31 +211,30 @@ create_session_for_static_mapping (snat_main_t *sm, ctx0.thread_index = thread_index; kv0.key = s->in2out.as_u64; kv0.value = s - sm->per_thread_data[thread_index].sessions; - if (clib_bihash_add_or_overwrite_stale_8_8 ( - &sm->per_thread_data[thread_index].in2out, &kv0, + if (clib_bihash_add_or_overwrite_stale_8_8 + (&sm->per_thread_data[thread_index].in2out, &kv0, nat44_i2o_is_idle_session_cb, &ctx0)) - nat_log_notice ("in2out key add failed"); + nat_log_notice ("in2out key add failed"); kv0.key = s->out2in.as_u64; - if (clib_bihash_add_or_overwrite_stale_8_8 ( - &sm->per_thread_data[thread_index].out2in, &kv0, - nat44_o2i_is_idle_session_cb, &ctx0)) - nat_log_notice ("out2in key add failed"); + if (clib_bihash_add_or_overwrite_stale_8_8 + (&sm->per_thread_data[thread_index].out2in, &kv0, + nat44_o2i_is_idle_session_cb, &ctx0)) + nat_log_notice ("out2in key add failed"); /* log NAT event */ - snat_ipfix_logging_nat44_ses_create(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); + snat_ipfix_logging_nat44_ses_create (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, s->in2out.fib_index); return s; } static_always_inline -snat_out2in_error_t icmp_get_key(ip4_header_t *ip0, - snat_session_key_t *p_key0) + snat_out2in_error_t icmp_get_key (ip4_header_t * ip0, + snat_session_key_t * p_key0) { icmp46_header_t *icmp0; snat_session_key_t key0; @@ -281,7 +244,7 @@ snat_out2in_error_t icmp_get_key(ip4_header_t *ip0, icmp46_header_t *inner_icmp0; icmp0 = (icmp46_header_t *) ip4_next_header (ip0); - echo0 = (icmp_echo_header_t *)(icmp0+1); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); if (!icmp_is_error_message (icmp0)) { 
@@ -291,27 +254,27 @@ snat_out2in_error_t icmp_get_key(ip4_header_t *ip0, } else { - inner_ip0 = (ip4_header_t *)(echo0+1); + inner_ip0 = (ip4_header_t *) (echo0 + 1); l4_header = ip4_next_header (inner_ip0); key0.protocol = ip_proto_to_snat_proto (inner_ip0->protocol); key0.addr = inner_ip0->src_address; switch (key0.protocol) - { - case SNAT_PROTOCOL_ICMP: - inner_icmp0 = (icmp46_header_t*)l4_header; - inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1); - key0.port = inner_echo0->identifier; - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - key0.port = ((tcp_udp_header_t*)l4_header)->src_port; - break; - default: - return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL; - } + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + key0.port = inner_echo0->identifier; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + key0.port = ((tcp_udp_header_t *) l4_header)->src_port; + break; + default: + return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL; + } } *p_key0 = key0; - return -1; /* success */ + return -1; /* success */ } /** @@ -328,11 +291,12 @@ snat_out2in_error_t icmp_get_key(ip4_header_t *ip0, * @param d optional parameter * @param e optional parameter */ -u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e) +u32 +icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) { icmp46_header_t *icmp0; u32 sw_if_index0; 
@@ -347,7 +311,7 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
   int err;
 
   icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
-  sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX];
+  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
   rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
 
   key0.protocol = 0;
@@ -364,64 +328,66 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, kv0.key = key0.as_u64; if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0, - &value0)) + &value0)) { /* Try to match static mapping by external address and port, destination address and port in packet */ - if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0)) - { - if (!sm->forwarding_enabled) - { - /* Don't NAT packet aimed at the intfc address */ - if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0, - ip0->dst_address.as_u32))) - { - dont_translate = 1; - goto out; - } - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } - else - { - dont_translate = 1; - goto out; - } - } - - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply && - (icmp0->type != ICMP4_echo_request || !is_addr_only))) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } + if (snat_static_mapping_match + (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0)) + { + if (!sm->forwarding_enabled) + { + /* Don't NAT packet aimed at the intfc address */ + if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0, + ip0->dst_address.as_u32))) + { + dont_translate = 1; + goto out; + } + b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; + next0 = SNAT_OUT2IN_NEXT_DROP; + goto out; + } + else + { + dont_translate = 1; + goto out; + } + } + + if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply && + (icmp0->type != ICMP4_echo_request + || !is_addr_only))) + { + b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; + next0 = SNAT_OUT2IN_NEXT_DROP; + goto out; + } /* Create session initiated by host from external network */ - s0 = create_session_for_static_mapping(sm, b0, sm0, key0, - node, thread_index, - vlib_time_now (sm->vlib_main)); + s0 = create_session_for_static_mapping (sm, b0, sm0, key0, + node, thread_index, + vlib_time_now 
(sm->vlib_main)); if (!s0) - { - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } + { + next0 = SNAT_OUT2IN_NEXT_DROP; + goto out; + } } else { - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply && - icmp0->type != ICMP4_echo_request && - !icmp_is_error_message (icmp0))) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } + if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply && + icmp0->type != ICMP4_echo_request && + !icmp_is_error_message (icmp0))) + { + b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; + next0 = SNAT_OUT2IN_NEXT_DROP; + goto out; + } s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - value0.value); + value0.value); } out: @@ -430,7 +396,7 @@ out: *p_value = s0->in2out; *p_dont_translate = dont_translate; if (d) - *(snat_session_t**)d = s0; + *(snat_session_t **) d = s0; return next0; } @@ -447,11 +413,12 @@ out: * @param d optional parameter * @param e optional parameter */ -u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e) +u32 +icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b0, + ip4_header_t * ip0, u8 * p_proto, + snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) { icmp46_header_t *icmp0; u32 sw_if_index0; @@ -464,7 +431,7 @@ u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node, int err; icmp0 = (icmp46_header_t *) ip4_next_header (ip0); - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); err = icmp_get_key (ip0, &key0); 
@@ -476,22 +443,22 @@ u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node, } key0.fib_index = rx_fib_index0; - if (snat_static_mapping_match(sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0)) + if (snat_static_mapping_match (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0)) { /* Don't NAT packet aimed at the intfc address */ - if (is_interface_addr(sm, node, sw_if_index0, ip0->dst_address.as_u32)) - { - dont_translate = 1; - goto out; - } + if (is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32)) + { + dont_translate = 1; + goto out; + } b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; next0 = SNAT_OUT2IN_NEXT_DROP; goto out; } - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply && - (icmp0->type != ICMP4_echo_request || !is_addr_only) && - !icmp_is_error_message (icmp0))) + if (PREDICT_FALSE (icmp0->type != ICMP4_echo_reply && + (icmp0->type != ICMP4_echo_request || !is_addr_only) && + !icmp_is_error_message (icmp0))) { b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; next0 = SNAT_OUT2IN_NEXT_DROP; @@ -506,17 +473,15 @@ out2: return next0; } -static inline u32 icmp_out2in (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - icmp46_header_t * icmp0, - u32 sw_if_index0, - u32 rx_fib_index0, - vlib_node_runtime_t * node, - u32 next0, - u32 thread_index, - void *d, - void *e) +u32 +icmp_out2in (snat_main_t * sm, + vlib_buffer_t * b0, + ip4_header_t * ip0, + icmp46_header_t * icmp0, + u32 sw_if_index0, + u32 rx_fib_index0, + vlib_node_runtime_t * node, + u32 next0, u32 thread_index, void *d, void *e) { snat_session_key_t sm0; u8 protocol; 
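Review bot: `icmp_out2in` drops `static inline` in the second hunk here and becomes an external symbol, yet no prototype is visible; it is presumably declared in a header touched elsewhere in this commit, which is worth confirming because a declaration that drifts from this signature only shows up at link time. Now that it is a cross-file entry point it should carry a contract comment in the same Doxygen `@param` style used above `icmp_match_out2in_slow` and `icmp_match_out2in_fast` earlier in this file: it returns the next node index (`SNAT_OUT2IN_NEXT_DROP` when the outer ICMP checksum fails), and `d` and `e` are passed through untouched to `sm->icmp_match_out2in_cb`. The comment should also state what the caller must guarantee: the body (which continues in the following hunks) validates only the outer ICMP checksum over `ip0->length` and the embedded IP header's checksum, and I see no explicit check that the echo header, the embedded IP header and its first L4 bytes all lie within the buffer, so unless an earlier node already enforces that, the assumption belongs in the doc block rather than being implicit. `icmp_out2in_slow_path` in the next hunk keeps `static inline`, which is consistent as long as it remains file-local.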
@@ -531,10 +496,11 @@ static inline u32 icmp_out2in (snat_main_t *sm, u16 checksum0; u32 next0_tmp; - echo0 = (icmp_echo_header_t *)(icmp0+1); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); - next0_tmp = sm->icmp_match_out2in_cb(sm, node, thread_index, b0, ip0, - &protocol, &sm0, &dont_translate, d, e); + next0_tmp = sm->icmp_match_out2in_cb (sm, node, thread_index, b0, ip0, + &protocol, &sm0, &dont_translate, d, + e); if (next0_tmp != ~0) next0 = next0_tmp; if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate) @@ -543,22 +509,23 @@ static inline u32 icmp_out2in (snat_main_t *sm, if (PREDICT_TRUE (!ip4_is_fragment (ip0))) { sum0 = ip_incremental_checksum (0, icmp0, - ntohs(ip0->length) - ip4_header_bytes (ip0)); + ntohs (ip0->length) - + ip4_header_bytes (ip0)); checksum0 = ~ip_csum_fold (sum0); if (checksum0 != 0 && checksum0 != 0xffff) - { - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } + { + next0 = SNAT_OUT2IN_NEXT_DROP; + goto out; + } } old_addr0 = ip0->dst_address.as_u32; new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index; sum0 = ip0->checksum; sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address /* changed member */); + dst_address /* changed member */ ); ip0->checksum = ip_csum_fold (sum0); if (icmp0->checksum == 0) 
@@ -567,28 +534,28 @@ static inline u32 icmp_out2in (snat_main_t *sm, if (!icmp_is_error_message (icmp0)) { new_id0 = sm0.port; - if (PREDICT_FALSE(new_id0 != echo0->identifier)) - { - old_id0 = echo0->identifier; - new_id0 = sm0.port; - echo0->identifier = new_id0; - - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, - identifier /* changed member */); - icmp0->checksum = ip_csum_fold (sum0); - } + if (PREDICT_FALSE (new_id0 != echo0->identifier)) + { + old_id0 = echo0->identifier; + new_id0 = sm0.port; + echo0->identifier = new_id0; + + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, + identifier /* changed member */ ); + icmp0->checksum = ip_csum_fold (sum0); + } } else { - inner_ip0 = (ip4_header_t *)(echo0+1); + inner_ip0 = (ip4_header_t *) (echo0 + 1); l4_header = ip4_next_header (inner_ip0); if (!ip4_header_checksum_is_valid (inner_ip0)) - { - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } + { + next0 = SNAT_OUT2IN_NEXT_DROP; + goto out; + } old_addr0 = inner_ip0->src_address.as_u32; inner_ip0->src_address = sm0.addr; 
@@ -596,38 +563,38 @@ static inline u32 icmp_out2in (snat_main_t *sm, sum0 = icmp0->checksum; sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - src_address /* changed member */); + src_address /* changed member */ ); icmp0->checksum = ip_csum_fold (sum0); switch (protocol) - { - case SNAT_PROTOCOL_ICMP: - inner_icmp0 = (icmp46_header_t*)l4_header; - inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1); - - old_id0 = inner_echo0->identifier; - new_id0 = sm0.port; - inner_echo0->identifier = new_id0; - - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, - identifier); - icmp0->checksum = ip_csum_fold (sum0); - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - old_id0 = ((tcp_udp_header_t*)l4_header)->src_port; - new_id0 = sm0.port; - ((tcp_udp_header_t*)l4_header)->src_port = new_id0; - - sum0 = icmp0->checksum; - sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t, - src_port); - icmp0->checksum = ip_csum_fold (sum0); - break; - default: - ASSERT(0); - } + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + + old_id0 = inner_echo0->identifier; + new_id0 = sm0.port; + inner_echo0->identifier = new_id0; + + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t, + identifier); + icmp0->checksum = ip_csum_fold (sum0); + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + old_id0 = ((tcp_udp_header_t *) l4_header)->src_port; + new_id0 = sm0.port; + ((tcp_udp_header_t *) l4_header)->src_port = new_id0; + + sum0 = icmp0->checksum; + sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t, + src_port); + icmp0->checksum = ip_csum_fold (sum0); + break; + default: + ASSERT (0); + } } out: 
@@ -635,25 +602,26 @@ out: } -static inline u32 icmp_out2in_slow_path (snat_main_t *sm, - vlib_buffer_t * b0, - ip4_header_t * ip0, - icmp46_header_t * icmp0, - u32 sw_if_index0, - u32 rx_fib_index0, - vlib_node_runtime_t * node, - u32 next0, f64 now, - u32 thread_index, - snat_session_t ** p_s0) +static inline u32 +icmp_out2in_slow_path (snat_main_t * sm, + vlib_buffer_t * b0, + ip4_header_t * ip0, + icmp46_header_t * icmp0, + u32 sw_if_index0, + u32 rx_fib_index0, + vlib_node_runtime_t * node, + u32 next0, f64 now, + u32 thread_index, snat_session_t ** p_s0) { - next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, thread_index, p_s0, 0); - snat_session_t * s0 = *p_s0; - if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0)) + next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, thread_index, p_s0, 0); + snat_session_t *s0 = *p_s0; + if (PREDICT_TRUE (next0 != SNAT_OUT2IN_NEXT_DROP && s0)) { /* Accounting */ nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (sm->vlib_main, b0)); + vlib_buffer_length_in_chain + (sm->vlib_main, b0)); /* Per-user LRU list maintenance */ nat44_session_update_lru (sm, s0, thread_index); } @@ -661,10 +629,9 @@ static inline u32 icmp_out2in_slow_path (snat_main_t *sm, } static int -nat_out2in_sm_unknown_proto (snat_main_t *sm, - vlib_buffer_t * b, - ip4_header_t * ip, - u32 rx_fib_index) +nat_out2in_sm_unknown_proto (snat_main_t * sm, + vlib_buffer_t * b, + ip4_header_t * ip, u32 rx_fib_index) { clib_bihash_kv_8_8_t kv, value; snat_static_mapping_t *m; 
@@ -688,19 +655,18 @@ nat_out2in_sm_unknown_proto (snat_main_t *sm, sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address); ip->checksum = ip_csum_fold (sum); - vnet_buffer(b)->sw_if_index[VLIB_TX] = m->fib_index; + vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index; return 0; } static uword snat_out2in_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_node_runtime_t * node, vlib_frame_t * frame) { - u32 n_left_from, * from, * to_next; + u32 n_left_from, *from, *to_next; snat_out2in_next_t next_index; u32 pkts_processed = 0; - snat_main_t * sm = &snat_main; + snat_main_t *sm = &snat_main; f64 now = vlib_time_now (vm); u32 thread_index = vm->thread_index; 
@@ -712,34 +678,33 @@ snat_out2in_node_fn (vlib_main_t * vm, { u32 n_left_to_next; - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); while (n_left_from >= 4 && n_left_to_next >= 2) { - u32 bi0, bi1; - vlib_buffer_t * b0, * b1; - u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP; - u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP; - u32 sw_if_index0, sw_if_index1; - ip4_header_t * ip0, *ip1; - ip_csum_t sum0, sum1; - u32 new_addr0, old_addr0; - u16 new_port0, old_port0; - u32 new_addr1, old_addr1; - u16 new_port1, old_port1; - udp_header_t * udp0, * udp1; - tcp_header_t * tcp0, * tcp1; - icmp46_header_t * icmp0, * icmp1; - snat_session_key_t key0, key1, sm0, sm1; - u32 rx_fib_index0, rx_fib_index1; - u32 proto0, proto1; - snat_session_t * s0 = 0, * s1 = 0; - clib_bihash_kv_8_8_t kv0, kv1, value0, value1; + u32 bi0, bi1; + vlib_buffer_t *b0, *b1; + u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP; + u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP; + u32 sw_if_index0, sw_if_index1; + ip4_header_t *ip0, *ip1; + ip_csum_t sum0, sum1; + u32 new_addr0, old_addr0; + u16 new_port0, old_port0; + u32 new_addr1, old_addr1; + u16 new_port1, old_port1; + udp_header_t *udp0, *udp1; + tcp_header_t *tcp0, *tcp1; + icmp46_header_t *icmp0, *icmp1; + snat_session_key_t key0, key1, sm0, sm1; + u32 rx_fib_index0, rx_fib_index1; + u32 proto0, proto1; + snat_session_t *s0 = 0, *s1 = 0; + clib_bihash_kv_8_8_t kv0, kv1, value0, value1; /* Prefetch next iteration. */ { - vlib_buffer_t * p2, * p3; + vlib_buffer_t *p2, *p3; p2 = vlib_get_buffer (vm, from[2]); p3 = vlib_get_buffer (vm, from[3]); @@ -751,7 +716,7 @@ snat_out2in_node_fn (vlib_main_t * vm, CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); } - /* speculatively enqueue b0 and b1 to the current next frame */ + /* speculatively enqueue b0 and b1 to the current next frame */ to_next[0] = bi0 = from[0]; to_next[1] = bi1 = from[1]; from += 2; 
@@ -762,336 +727,348 @@ snat_out2in_node_fn (vlib_main_t * vm, b0 = vlib_get_buffer (vm, bi0); b1 = vlib_get_buffer (vm, bi1); - vnet_buffer (b0)->snat.flags = 0; - vnet_buffer (b1)->snat.flags = 0; + vnet_buffer (b0)->snat.flags = 0; + vnet_buffer (b1)->snat.flags = 0; - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index, - sw_if_index0); - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; - goto trace0; - } - - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (PREDICT_FALSE (proto0 == ~0)) - { - if (nat_out2in_sm_unknown_proto(sm, b0, ip0, rx_fib_index0)) - { - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; - next0 = SNAT_OUT2IN_NEXT_DROP; - } - } - goto trace0; - } - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_out2in_slow_path - (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, now, thread_index, &s0); - goto trace0; - } - - if (PREDICT_FALSE (ip4_is_fragment (ip0))) - { - next0 = SNAT_OUT2IN_NEXT_REASS; - goto trace0; - } - - key0.addr = ip0->dst_address; - key0.port = udp0->dst_port; - key0.protocol = proto0; - key0.fib_index = rx_fib_index0; - - kv0.key = key0.as_u64; - - if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, - &kv0, &value0)) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - if 
(snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0)) - { - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ + sw_if_index0); + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; + goto trace0; + } + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (PREDICT_FALSE (proto0 == ~0)) + { + if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0)) + { + if (!sm->forwarding_enabled) + { + b0->error = + node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; + next0 = SNAT_OUT2IN_NEXT_DROP; + } + } + goto trace0; + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_out2in_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + goto trace0; + } + + if (PREDICT_FALSE (ip4_is_fragment (ip0))) + { + next0 = SNAT_OUT2IN_NEXT_REASS; + goto trace0; + } + + key0.addr = ip0->dst_address; + key0.port = udp0->dst_port; + key0.protocol = proto0; + key0.fib_index = rx_fib_index0; + + kv0.key = key0.as_u64; + + if (clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].out2in, &kv0, &value0)) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + if (snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP - && (udp0->dst_port == - clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + && (udp0->dst_port == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) { vnet_feature_next (&next0, b0); goto trace0; } - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - 
next0 = SNAT_OUT2IN_NEXT_DROP; - } - goto trace0; - } - - /* Create session initiated by host from external network */ - s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node, - thread_index, now); - if (!s0) - { - next0 = SNAT_OUT2IN_NEXT_DROP; - goto trace0; - } - } - else - s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - value0.value); - - old_addr0 = ip0->dst_address.as_u32; - ip0->dst_address = s0->in2out.addr; - new_addr0 = ip0->dst_address.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->dst_port; - tcp0->dst_port = s0->in2out.port; - new_port0 = tcp0->dst_port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->dst_port; - udp0->dst_port = s0->in2out.port; - udp0->checksum = 0; - } - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s0, thread_index); - trace0: - - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (s0) - t->session_index = s0 - sm->per_thread_data[thread_index].sessions; - } - - pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; - - - ip1 = vlib_buffer_get_current (b1); - udp1 = ip4_next_header (ip1); - tcp1 = (tcp_header_t *) udp1; - icmp1 = 
(icmp46_header_t *) udp1; - - sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX]; + if (!sm->forwarding_enabled) + { + b0->error = + node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; + next0 = SNAT_OUT2IN_NEXT_DROP; + } + goto trace0; + } + + /* Create session initiated by host from external network */ + s0 = create_session_for_static_mapping (sm, b0, sm0, key0, node, + thread_index, now); + if (!s0) + { + next0 = SNAT_OUT2IN_NEXT_DROP; + goto trace0; + } + } + else + s0 = + pool_elt_at_index (sm->per_thread_data[thread_index].sessions, + value0.value); + + old_addr0 = ip0->dst_address.as_u32; + ip0->dst_address = s0->in2out.addr; + new_addr0 = ip0->dst_address.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->dst_port; + tcp0->dst_port = s0->in2out.port; + new_port0 = tcp0->dst_port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->dst_port; + udp0->dst_port = s0->in2out.port; + udp0->checksum = 0; + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + /* Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s0, thread_index); + trace0: + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (s0) + t->session_index = + s0 - 
sm->per_thread_data[thread_index].sessions; + } + + pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; + + + ip1 = vlib_buffer_get_current (b1); + udp1 = ip4_next_header (ip1); + tcp1 = (tcp_header_t *) udp1; + icmp1 = (icmp46_header_t *) udp1; + + sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX]; rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index, - sw_if_index1); - - if (PREDICT_FALSE(ip1->ttl == 1)) - { - vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR; - goto trace1; - } - - proto1 = ip_proto_to_snat_proto (ip1->protocol); - - if (PREDICT_FALSE (proto1 == ~0)) - { - if (nat_out2in_sm_unknown_proto(sm, b1, ip1, rx_fib_index1)) - { - if (!sm->forwarding_enabled) - { - b1->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; - next1 = SNAT_OUT2IN_NEXT_DROP; - } - } - goto trace1; - } - - if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) - { - next1 = icmp_out2in_slow_path - (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, - next1, now, thread_index, &s1); - goto trace1; - } - - if (PREDICT_FALSE (ip4_is_fragment (ip1))) - { - next1 = SNAT_OUT2IN_NEXT_REASS; - goto trace1; - } - - key1.addr = ip1->dst_address; - key1.port = udp1->dst_port; - key1.protocol = proto1; - key1.fib_index = rx_fib_index1; - - kv1.key = key1.as_u64; - - if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, - &kv1, &value1)) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - if (snat_static_mapping_match(sm, key1, &sm1, 1, 0, 0, 0, 0)) - { - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ + sw_if_index1); + + if (PREDICT_FALSE (ip1->ttl == 1)) + { + vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, + 
ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR; + goto trace1; + } + + proto1 = ip_proto_to_snat_proto (ip1->protocol); + + if (PREDICT_FALSE (proto1 == ~0)) + { + if (nat_out2in_sm_unknown_proto (sm, b1, ip1, rx_fib_index1)) + { + if (!sm->forwarding_enabled) + { + b1->error = + node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; + next1 = SNAT_OUT2IN_NEXT_DROP; + } + } + goto trace1; + } + + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + next1 = icmp_out2in_slow_path + (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, + next1, now, thread_index, &s1); + goto trace1; + } + + if (PREDICT_FALSE (ip4_is_fragment (ip1))) + { + next1 = SNAT_OUT2IN_NEXT_REASS; + goto trace1; + } + + key1.addr = ip1->dst_address; + key1.port = udp1->dst_port; + key1.protocol = proto1; + key1.fib_index = rx_fib_index1; + + kv1.key = key1.as_u64; + + if (clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].out2in, &kv1, &value1)) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + if (snat_static_mapping_match (sm, key1, &sm1, 1, 0, 0, 0, 0)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP - && (udp1->dst_port == - clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + && (udp1->dst_port == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) { vnet_feature_next (&next1, b1); goto trace1; } - if (!sm->forwarding_enabled) - { - b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next1 = SNAT_OUT2IN_NEXT_DROP; - } - goto trace1; - } - - /* Create session initiated by host from external network */ - s1 = create_session_for_static_mapping(sm, b1, sm1, key1, node, - thread_index, now); - if (!s1) - { - next1 = SNAT_OUT2IN_NEXT_DROP; - goto trace1; - } - } - else - s1 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - 
value1.value); - - old_addr1 = ip1->dst_address.as_u32; - ip1->dst_address = s1->in2out.addr; - new_addr1 = ip1->dst_address.as_u32; - vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index; - - sum1 = ip1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, - ip4_header_t, - dst_address /* changed member */); - ip1->checksum = ip_csum_fold (sum1); - - if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP)) - { - old_port1 = tcp1->dst_port; - tcp1->dst_port = s1->in2out.port; - new_port1 = tcp1->dst_port; - - sum1 = tcp1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, - ip4_header_t, - dst_address /* changed member */); - - sum1 = ip_csum_update (sum1, old_port1, new_port1, - ip4_header_t /* cheat */, - length /* changed member */); - tcp1->checksum = ip_csum_fold(sum1); - } - else - { - old_port1 = udp1->dst_port; - udp1->dst_port = s1->in2out.port; - udp1->checksum = 0; - } - - /* Accounting */ - nat44_session_update_counters (s1, now, - vlib_buffer_length_in_chain (vm, b1)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s1, thread_index); - trace1: - - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b1->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_trace_t *t = - vlib_add_trace (vm, node, b1, sizeof (*t)); - t->sw_if_index = sw_if_index1; - t->next_index = next1; - t->session_index = ~0; - if (s1) - t->session_index = s1 - sm->per_thread_data[thread_index].sessions; - } - - pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP; - - /* verify speculative enqueues, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x2 (vm, node, next_index, - to_next, n_left_to_next, - bi0, bi1, next0, next1); - } + if (!sm->forwarding_enabled) + { + b1->error = + node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; + next1 = SNAT_OUT2IN_NEXT_DROP; + } + goto trace1; + } + + /* Create session initiated by host from external network */ + s1 = create_session_for_static_mapping (sm, b1, sm1, key1, node, + 
thread_index, now); + if (!s1) + { + next1 = SNAT_OUT2IN_NEXT_DROP; + goto trace1; + } + } + else + s1 = + pool_elt_at_index (sm->per_thread_data[thread_index].sessions, + value1.value); + + old_addr1 = ip1->dst_address.as_u32; + ip1->dst_address = s1->in2out.addr; + new_addr1 = ip1->dst_address.as_u32; + vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index; + + sum1 = ip1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, + ip4_header_t, + dst_address /* changed member */ ); + ip1->checksum = ip_csum_fold (sum1); + + if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) + { + old_port1 = tcp1->dst_port; + tcp1->dst_port = s1->in2out.port; + new_port1 = tcp1->dst_port; + + sum1 = tcp1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, + ip4_header_t, + dst_address /* changed member */ ); + + sum1 = ip_csum_update (sum1, old_port1, new_port1, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp1->checksum = ip_csum_fold (sum1); + } + else + { + old_port1 = udp1->dst_port; + udp1->dst_port = s1->in2out.port; + udp1->checksum = 0; + } + + /* Accounting */ + nat44_session_update_counters (s1, now, + vlib_buffer_length_in_chain (vm, + b1)); + /* Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s1, thread_index); + trace1: + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b1->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_out2in_trace_t *t = + vlib_add_trace (vm, node, b1, sizeof (*t)); + t->sw_if_index = sw_if_index1; + t->next_index = next1; + t->session_index = ~0; + if (s1) + t->session_index = + s1 - sm->per_thread_data[thread_index].sessions; + } + + pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP; + + /* verify speculative enqueues, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x2 (vm, node, next_index, + to_next, n_left_to_next, + bi0, bi1, next0, next1); + } while (n_left_from > 0 && n_left_to_next > 0) { - u32 bi0; - vlib_buffer_t * b0; - u32 next0 = 
SNAT_OUT2IN_NEXT_LOOKUP; - u32 sw_if_index0; - ip4_header_t * ip0; - ip_csum_t sum0; - u32 new_addr0, old_addr0; - u16 new_port0, old_port0; - udp_header_t * udp0; - tcp_header_t * tcp0; - icmp46_header_t * icmp0; - snat_session_key_t key0, sm0; - u32 rx_fib_index0; - u32 proto0; - snat_session_t * s0 = 0; - clib_bihash_kv_8_8_t kv0, value0; - - /* speculatively enqueue b0 to the current next frame */ + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP; + u32 sw_if_index0; + ip4_header_t *ip0; + ip_csum_t sum0; + u32 new_addr0, old_addr0; + u16 new_port0, old_port0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + snat_session_key_t key0, sm0; + u32 rx_fib_index0; + u32 proto0; + snat_session_t *s0 = 0; + clib_bihash_kv_8_8_t kv0, value0; + + /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; to_next[0] = bi0; from += 1; 
@@ -1101,159 +1078,165 @@ snat_out2in_node_fn (vlib_main_t * vm, b0 = vlib_get_buffer (vm, bi0); - vnet_buffer (b0)->snat.flags = 0; + vnet_buffer (b0)->snat.flags = 0; - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index, - sw_if_index0); - - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (PREDICT_FALSE (proto0 == ~0)) - { - if (nat_out2in_sm_unknown_proto(sm, b0, ip0, rx_fib_index0)) - { - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; - next0 = SNAT_OUT2IN_NEXT_DROP; - } - } - goto trace00; - } - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; - goto trace00; - } - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_out2in_slow_path - (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, now, thread_index, &s0); - goto trace00; - } - - if (PREDICT_FALSE (ip4_is_fragment (ip0))) - { - next0 = SNAT_OUT2IN_NEXT_REASS; - goto trace00; - } - - key0.addr = ip0->dst_address; - key0.port = udp0->dst_port; - key0.protocol = proto0; - key0.fib_index = rx_fib_index0; - - kv0.key = key0.as_u64; - - if (clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, - &kv0, &value0)) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0)) - { - /* - * Send DHCP packets to the ipv4 
stack, or we won't - * be able to use dhcp client on the outside interface - */ + sw_if_index0); + + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (PREDICT_FALSE (proto0 == ~0)) + { + if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0)) + { + if (!sm->forwarding_enabled) + { + b0->error = + node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; + next0 = SNAT_OUT2IN_NEXT_DROP; + } + } + goto trace00; + } + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; + goto trace00; + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_out2in_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + goto trace00; + } + + if (PREDICT_FALSE (ip4_is_fragment (ip0))) + { + next0 = SNAT_OUT2IN_NEXT_REASS; + goto trace00; + } + + key0.addr = ip0->dst_address; + key0.port = udp0->dst_port; + key0.protocol = proto0; + key0.fib_index = rx_fib_index0; + + kv0.key = key0.as_u64; + + if (clib_bihash_search_8_8 + (&sm->per_thread_data[thread_index].out2in, &kv0, &value0)) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + if (snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP - && (udp0->dst_port == - clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + && (udp0->dst_port == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) { vnet_feature_next (&next0, b0); goto trace00; } - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = SNAT_OUT2IN_NEXT_DROP; - } - goto trace00; - } - - /* Create session initiated by host from 
external network */ - s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node, - thread_index, now); - if (!s0) - { - next0 = SNAT_OUT2IN_NEXT_DROP; - goto trace00; - } - } - else - s0 = pool_elt_at_index (sm->per_thread_data[thread_index].sessions, - value0.value); - - old_addr0 = ip0->dst_address.as_u32; - ip0->dst_address = s0->in2out.addr; - new_addr0 = ip0->dst_address.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->dst_port; - tcp0->dst_port = s0->in2out.port; - new_port0 = tcp0->dst_port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->dst_port; - udp0->dst_port = s0->in2out.port; - udp0->checksum = 0; - } - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s0, thread_index); - trace00: - - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (s0) - t->session_index = s0 - sm->per_thread_data[thread_index].sessions; - } - - pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ + if (!sm->forwarding_enabled) + { + b0->error = + node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; + next0 = SNAT_OUT2IN_NEXT_DROP; + } + goto trace00; + 
} + + /* Create session initiated by host from external network */ + s0 = create_session_for_static_mapping (sm, b0, sm0, key0, node, + thread_index, now); + if (!s0) + { + next0 = SNAT_OUT2IN_NEXT_DROP; + goto trace00; + } + } + else + s0 = + pool_elt_at_index (sm->per_thread_data[thread_index].sessions, + value0.value); + + old_addr0 = ip0->dst_address.as_u32; + ip0->dst_address = s0->in2out.addr; + new_addr0 = ip0->dst_address.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->dst_port; + tcp0->dst_port = s0->in2out.port; + new_port0 = tcp0->dst_port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->dst_port; + udp0->dst_port = s0->in2out.port; + udp0->checksum = 0; + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + /* Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s0, thread_index); + trace00: + + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (s0) + t->session_index = + s0 - sm->per_thread_data[thread_index].sessions; + } + + pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, 
next0); @@ -1263,11 +1246,12 @@ snat_out2in_node_fn (vlib_main_t * vm, } vlib_node_increment_counter (vm, snat_out2in_node.index, - SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, - pkts_processed); + SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, + pkts_processed); return frame->n_vectors; } +/* *INDENT-OFF* */ VLIB_REGISTER_NODE (snat_out2in_node) = { .function = snat_out2in_node_fn, .name = "nat44-out2in", @@ -1290,12 +1274,13 @@ VLIB_REGISTER_NODE (snat_out2in_node) = { [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", }, }; +/* *INDENT-ON* */ + VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn); static uword nat44_out2in_reass_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) + vlib_node_runtime_t * node, vlib_frame_t * frame) { u32 n_left_from, *from, *to_next; snat_out2in_next_t next_index; @@ -1319,22 +1304,22 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0; + { + u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0; vlib_buffer_t *b0; - u32 next0; - u8 cached0 = 0; - ip4_header_t *ip0; - nat_reass_ip4_t *reass0; - udp_header_t * udp0; - tcp_header_t * tcp0; - snat_session_key_t key0, sm0; - clib_bihash_kv_8_8_t kv0, value0; - snat_session_t * s0 = 0; - u16 old_port0, new_port0; - ip_csum_t sum0; - - /* speculatively enqueue b0 to the current next frame */ + u32 next0; + u8 cached0 = 0; + ip4_header_t *ip0; + nat_reass_ip4_t *reass0; + udp_header_t *udp0; + tcp_header_t *tcp0; + snat_session_key_t key0, sm0; + clib_bihash_kv_8_8_t kv0, value0; + snat_session_t *s0 = 0; + u16 old_port0, new_port0; + ip_csum_t sum0; + + /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; to_next[0] = bi0; from += 1; 
@@ -1343,179 +1328,190 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, n_left_to_next -= 1; b0 = vlib_get_buffer (vm, bi0); - next0 = SNAT_OUT2IN_NEXT_LOOKUP; - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index0); - - if (PREDICT_FALSE (nat_reass_is_drop_frag(0))) - { - next0 = SNAT_OUT2IN_NEXT_DROP; - b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT]; - goto trace0; - } - - ip0 = (ip4_header_t *) vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - reass0 = nat_ip4_reass_find_or_create (ip0->src_address, - ip0->dst_address, - ip0->fragment_id, - ip0->protocol, - 1, - &fragments_to_drop); - - if (PREDICT_FALSE (!reass0)) - { - next0 = SNAT_OUT2IN_NEXT_DROP; - b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS]; - nat_log_notice ("maximum reassemblies exceeded"); - goto trace0; - } - - if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) - { - key0.addr = ip0->dst_address; - key0.port = udp0->dst_port; - key0.protocol = proto0; - key0.fib_index = rx_fib_index0; - kv0.key = key0.as_u64; - - if (clib_bihash_search_8_8 (&per_thread_data->out2in, &kv0, &value0)) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0)) - { - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP - && (udp0->dst_port - == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) + next0 = SNAT_OUT2IN_NEXT_LOOKUP; + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + + if (PREDICT_FALSE (nat_reass_is_drop_frag (0))) + { + next0 = SNAT_OUT2IN_NEXT_DROP; + b0->error = 
node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT]; + goto trace0; + } + + ip0 = (ip4_header_t *) vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, &fragments_to_drop); + + if (PREDICT_FALSE (!reass0)) + { + next0 = SNAT_OUT2IN_NEXT_DROP; + b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto trace0; + } + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + key0.addr = ip0->dst_address; + key0.port = udp0->dst_port; + key0.protocol = proto0; + key0.fib_index = rx_fib_index0; + kv0.key = key0.as_u64; + + if (clib_bihash_search_8_8 + (&per_thread_data->out2in, &kv0, &value0)) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + if (snat_static_mapping_match + (sm, key0, &sm0, 1, 0, 0, 0, 0)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP + && (udp0->dst_port + == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next (&next0, b0); + goto trace0; + } + + if (!sm->forwarding_enabled) { - vnet_feature_next (&next0, b0); - goto trace0; - } - - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = SNAT_OUT2IN_NEXT_DROP; - } - goto trace0; - } - - /* Create session initiated by host from external network */ - s0 = create_session_for_static_mapping(sm, b0, sm0, key0, node, - thread_index, now); - if (!s0) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = SNAT_OUT2IN_NEXT_DROP; - goto trace0; - } - reass0->sess_index = s0 - per_thread_data->sessions; - reass0->thread_index = thread_index; - } - else - { - s0 = 
pool_elt_at_index (per_thread_data->sessions, - value0.value); - reass0->sess_index = value0.value; - } - nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); - } - else - { - if (PREDICT_FALSE (reass0->sess_index == (u32) ~0)) - { - if (nat_ip4_reass_add_fragment (reass0, bi0, &fragments_to_drop)) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG]; - nat_log_notice ("maximum fragments per reassembly exceeded"); - next0 = SNAT_OUT2IN_NEXT_DROP; - goto trace0; - } - cached0 = 1; - goto trace0; - } - s0 = pool_elt_at_index (per_thread_data->sessions, - reass0->sess_index); - } - - old_addr0 = ip0->dst_address.as_u32; - ip0->dst_address = s0->in2out.addr; - new_addr0 = ip0->dst_address.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->dst_port; - tcp0->dst_port = s0->in2out.port; - new_port0 = tcp0->dst_port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->dst_port; - udp0->dst_port = s0->in2out.port; - udp0->checksum = 0; - } - } - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s0, thread_index); - - trace0: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat44_out2in_reass_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->cached = cached0; - t->sw_if_index = sw_if_index0; - 
t->next_index = next0; - } - - if (cached0) - { - n_left_to_next++; - to_next--; - } - else - { - pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } + b0->error = + node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; + next0 = SNAT_OUT2IN_NEXT_DROP; + } + goto trace0; + } + + /* Create session initiated by host from external network */ + s0 = + create_session_for_static_mapping (sm, b0, sm0, key0, + node, thread_index, + now); + if (!s0) + { + b0->error = + node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; + next0 = SNAT_OUT2IN_NEXT_DROP; + goto trace0; + } + reass0->sess_index = s0 - per_thread_data->sessions; + reass0->thread_index = thread_index; + } + else + { + s0 = pool_elt_at_index (per_thread_data->sessions, + value0.value); + reass0->sess_index = value0.value; + } + nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); + } + else + { + if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0)) + { + if (nat_ip4_reass_add_fragment + (reass0, bi0, &fragments_to_drop)) + { + b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG]; + nat_log_notice + ("maximum fragments per reassembly exceeded"); + next0 = SNAT_OUT2IN_NEXT_DROP; + goto trace0; + } + cached0 = 1; + goto trace0; + } + s0 = pool_elt_at_index (per_thread_data->sessions, + reass0->sess_index); + } + + old_addr0 = ip0->dst_address.as_u32; + ip0->dst_address = s0->in2out.addr; + new_addr0 = ip0->dst_address.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->dst_port; + tcp0->dst_port = s0->in2out.port; + new_port0 = 
tcp0->dst_port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->dst_port; + udp0->dst_port = s0->in2out.port; + udp0->checksum = 0; + } + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + /* Per-user LRU list maintenance */ + nat44_session_update_lru (sm, s0, thread_index); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_reass_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->cached = cached0; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + } + + if (cached0) + { + n_left_to_next++; + to_next--; + } + else + { + pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } if (n_left_from == 0 && vec_len (fragments_to_loopback)) { 
@@ -1523,42 +1519,45 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm, u32 len = vec_len (fragments_to_loopback); if (len <= VLIB_FRAME_SIZE) { - clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len); + clib_memcpy (from, fragments_to_loopback, + sizeof (u32) * len); n_left_from = len; vec_reset_length (fragments_to_loopback); } else { clib_memcpy (from, - fragments_to_loopback + (len - VLIB_FRAME_SIZE), - sizeof (u32) * VLIB_FRAME_SIZE); + fragments_to_loopback + (len - + VLIB_FRAME_SIZE), + sizeof (u32) * VLIB_FRAME_SIZE); n_left_from = VLIB_FRAME_SIZE; _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; } } - } + } vlib_put_next_frame (vm, node, next_index, n_left_to_next); } vlib_node_increment_counter (vm, nat44_out2in_reass_node.index, - SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, - pkts_processed); + SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, + pkts_processed); nat_send_all_to_node (vm, fragments_to_drop, node, - &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT], - SNAT_OUT2IN_NEXT_DROP); + &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT], + SNAT_OUT2IN_NEXT_DROP); vec_free (fragments_to_drop); vec_free (fragments_to_loopback); return frame->n_vectors; } +/* *INDENT-OFF* */ VLIB_REGISTER_NODE (nat44_out2in_reass_node) = { .function = nat44_out2in_reass_node_fn, .name = "nat44-out2in-reass", .vector_size = sizeof (u32), - .format_trace = format_nat44_out2in_reass_trace, + .format_trace = format_nat44_reass_trace, .type = VLIB_NODE_TYPE_INTERNAL, .n_errors = ARRAY_LEN(snat_out2in_error_strings), 
@@ -1574,1794 +1573,19 @@ VLIB_REGISTER_NODE (nat44_out2in_reass_node) = { [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", }, }; +/* *INDENT-ON* */ + VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node, - nat44_out2in_reass_node_fn); - -/*******************************/ -/*** endpoint-dependent mode ***/ -/*******************************/ -typedef enum { - NAT44_ED_OUT2IN_NEXT_DROP, - NAT44_ED_OUT2IN_NEXT_LOOKUP, - NAT44_ED_OUT2IN_NEXT_ICMP_ERROR, - NAT44_ED_OUT2IN_NEXT_IN2OUT, - NAT44_ED_OUT2IN_NEXT_SLOW_PATH, - NAT44_ED_OUT2IN_NEXT_REASS, - NAT44_ED_OUT2IN_N_NEXT, -} nat44_ed_out2in_next_t; - -typedef struct { - u32 sw_if_index; - u32 next_index; - u32 session_index; - u32 is_slow_path; -} nat44_ed_out2in_trace_t; + nat44_out2in_reass_node_fn); -static u8 * -format_nat44_ed_out2in_trace (u8 * s, va_list * args) +static uword +snat_out2in_fast_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, vlib_frame_t * frame) { - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *); - char * tag; - - tag = t->is_slow_path ? 
"NAT44_OUT2IN_SLOW_PATH" : "NAT44_OUT2IN_FAST_PATH"; - - s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag, - t->sw_if_index, t->next_index, t->session_index); - - return s; -} - -static inline u32 -icmp_out2in_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0, - ip4_header_t * ip0, icmp46_header_t * icmp0, - u32 sw_if_index0, u32 rx_fib_index0, - vlib_node_runtime_t * node, u32 next0, f64 now, - u32 thread_index, snat_session_t ** p_s0) -{ - next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, thread_index, p_s0, 0); - snat_session_t * s0 = *p_s0; - if (PREDICT_TRUE(next0 != SNAT_OUT2IN_NEXT_DROP && s0)) - { - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (sm->vlib_main, b0)); - } - return next0; -} - -int -nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void * arg) -{ - snat_main_t *sm = &snat_main; - nat44_is_idle_session_ctx_t *ctx = arg; - snat_session_t *s; - u64 sess_timeout_time; - nat_ed_ses_key_t ed_key; - clib_bihash_kv_16_8_t ed_kv; - int i; - snat_address_t *a; - snat_session_key_t key; - snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, - ctx->thread_index); - - s = pool_elt_at_index (tsm->sessions, kv->value); - sess_timeout_time = s->last_heard + (f64)nat44_session_get_timeout(sm, s); - if (ctx->now >= sess_timeout_time) - { - ed_key.l_addr = s->in2out.addr; - ed_key.r_addr = s->ext_host_addr; - ed_key.fib_index = s->out2in.fib_index; - if (snat_is_unk_proto_session (s)) - { - ed_key.proto = s->in2out.port; - ed_key.r_port = 0; - ed_key.l_port = 0; - } - else - { - ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol); - ed_key.l_port = s->in2out.port; - ed_key.r_port = s->ext_host_port; - } - if (is_twice_nat_session (s)) - { - ed_key.r_addr = s->ext_host_nat_addr; - ed_key.r_port = s->ext_host_nat_port; - } - ed_kv.key[0] = ed_key.as_u64[0]; - ed_kv.key[1] = ed_key.as_u64[1]; - if (clib_bihash_add_del_16_8 
(&tsm->in2out_ed, &ed_kv, 0)) - nat_log_warn ("in2out_ed key del failed"); - - if (snat_is_unk_proto_session (s)) - goto delete; - - snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32, - s->out2in.addr.as_u32, - s->in2out.protocol, - s->in2out.port, - s->out2in.port, - s->in2out.fib_index); - - if (is_twice_nat_session (s)) - { - for (i = 0; i < vec_len (sm->twice_nat_addresses); i++) - { - key.protocol = s->in2out.protocol; - key.port = s->ext_host_nat_port; - a = sm->twice_nat_addresses + i; - if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32) - { - snat_free_outside_address_and_port (sm->twice_nat_addresses, - ctx->thread_index, &key); - break; - } - } - } - - if (snat_is_session_static (s)) - goto delete; - - if (s->outside_address_index != ~0) - snat_free_outside_address_and_port (sm->addresses, ctx->thread_index, - &s->out2in); - delete: - nat44_delete_session (sm, s, ctx->thread_index); - return 1; - } - - return 0; -} - -static snat_session_t * -create_session_for_static_mapping_ed (snat_main_t * sm, - vlib_buffer_t *b, - snat_session_key_t l_key, - snat_session_key_t e_key, - vlib_node_runtime_t * node, - u32 thread_index, - twice_nat_type_t twice_nat, - lb_nat_type_t lb_nat, - f64 now) -{ - snat_session_t *s; - snat_user_t *u; - ip4_header_t *ip; - udp_header_t *udp; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - clib_bihash_kv_16_8_t kv; - snat_session_key_t eh_key; - u32 address_index; - nat44_is_idle_session_ctx_t ctx; - - if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index))) - { - b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED]; - nat_log_notice ("maximum sessions exceeded"); - return 0; - } - - u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index, thread_index); - if (!u) - { - nat_log_warn ("create NAT user failed"); - return 0; - } - - s = nat_ed_session_alloc (sm, u, thread_index); - if (!s) - { - nat44_delete_user_with_no_session (sm, u, thread_index); - nat_log_warn ("create 
NAT session failed"); - return 0; - } - - ip = vlib_buffer_get_current (b); - udp = ip4_next_header (ip); - - s->ext_host_addr.as_u32 = ip->src_address.as_u32; - s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port; - s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; - if (lb_nat) - s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING; - if (lb_nat == AFFINITY_LB_NAT) - s->flags |= SNAT_SESSION_FLAG_AFFINITY; - s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; - s->outside_address_index = ~0; - s->out2in = e_key; - s->in2out = l_key; - s->in2out.protocol = s->out2in.protocol; - user_session_increment (sm, u, 1); - - /* Add to lookup tables */ - make_ed_kv (&kv, &e_key.addr, &s->ext_host_addr, ip->protocol, - e_key.fib_index, e_key.port, s->ext_host_port); - kv.value = s - tsm->sessions; - ctx.now = now; - ctx.thread_index = thread_index; - if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, &kv, - nat44_o2i_ed_is_idle_session_cb, - &ctx)) - nat_log_notice ("out2in-ed key add failed"); - - if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF && - ip->src_address.as_u32 == l_key.addr.as_u32)) - { - eh_key.protocol = e_key.protocol; - if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0, - thread_index, &eh_key, - &address_index, - sm->port_per_thread, - tsm->snat_thread_index)) - { - b->error = node->errors[SNAT_OUT2IN_ERROR_OUT_OF_PORTS]; - nat44_delete_session (sm, s, thread_index); - if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0)) - nat_log_notice ("out2in-ed key del failed"); - return 0; - } - s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32; - s->ext_host_nat_port = eh_key.port; - s->flags |= SNAT_SESSION_FLAG_TWICE_NAT; - make_ed_kv (&kv, &l_key.addr, &s->ext_host_nat_addr, ip->protocol, - l_key.fib_index, l_key.port, s->ext_host_nat_port); - } - else - { - make_ed_kv (&kv, &l_key.addr, &s->ext_host_addr, ip->protocol, - l_key.fib_index, l_key.port, s->ext_host_port); - } - kv.value = s - tsm->sessions; - if 
(clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &kv, - nat44_i2o_ed_is_idle_session_cb, - &ctx)) - nat_log_notice ("in2out-ed key add failed"); - - return s; -} - -static_always_inline int -icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0) -{ - icmp46_header_t *icmp0; - nat_ed_ses_key_t key0; - icmp_echo_header_t *echo0, *inner_echo0 = 0; - ip4_header_t *inner_ip0; - void *l4_header = 0; - icmp46_header_t *inner_icmp0; - - icmp0 = (icmp46_header_t *) ip4_next_header (ip0); - echo0 = (icmp_echo_header_t *)(icmp0+1); - - if (!icmp_is_error_message (icmp0)) - { - key0.proto = IP_PROTOCOL_ICMP; - key0.l_addr = ip0->dst_address; - key0.r_addr = ip0->src_address; - key0.l_port = echo0->identifier; - key0.r_port = 0; - } - else - { - inner_ip0 = (ip4_header_t *)(echo0+1); - l4_header = ip4_next_header (inner_ip0); - key0.proto = inner_ip0->protocol; - key0.l_addr = inner_ip0->src_address; - key0.r_addr = inner_ip0->dst_address; - switch (ip_proto_to_snat_proto (inner_ip0->protocol)) - { - case SNAT_PROTOCOL_ICMP: - inner_icmp0 = (icmp46_header_t*)l4_header; - inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1); - key0.l_port = inner_echo0->identifier; - key0.r_port = 0; - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - key0.l_port = ((tcp_udp_header_t*)l4_header)->src_port; - key0.r_port = ((tcp_udp_header_t*)l4_header)->dst_port; - break; - default: - return -1; - } - } - *p_key0 = key0; - return 0; -} - -static int -next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port, - u16 dst_port, u32 thread_index, u32 rx_fib_index) -{ - clib_bihash_kv_16_8_t kv, value; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - - make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, - rx_fib_index, src_port, dst_port); - if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) - return 1; - - return 0; -} - -static void -create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index, - u32 
thread_index) -{ - nat_ed_ses_key_t key; - clib_bihash_kv_16_8_t kv, value; - udp_header_t *udp; - snat_user_t *u; - snat_session_t *s = 0; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - f64 now = vlib_time_now (sm->vlib_main); - - if (ip->protocol == IP_PROTOCOL_ICMP) - { - if (icmp_get_ed_key (ip, &key)) - return; - } - else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) - { - udp = ip4_next_header(ip); - key.r_addr = ip->src_address; - key.l_addr = ip->dst_address; - key.proto = ip->protocol; - key.l_port = udp->dst_port; - key.r_port = udp->src_port; - } - else - { - key.r_addr = ip->src_address; - key.l_addr = ip->dst_address; - key.proto = ip->protocol; - key.l_port = key.r_port = 0; - } - key.fib_index = 0; - kv.key[0] = key.as_u64[0]; - kv.key[1] = key.as_u64[1]; - - if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) - { - s = pool_elt_at_index (tsm->sessions, value.value); - } - else - { - if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index))) - return; - - u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index, - thread_index); - if (!u) - { - nat_log_warn ("create NAT user failed"); - return; - } - - s = nat_ed_session_alloc (sm, u, thread_index); - if (!s) - { - nat44_delete_user_with_no_session (sm, u, thread_index); - nat_log_warn ("create NAT session failed"); - return; - } - - s->ext_host_addr = key.r_addr; - s->ext_host_port = key.r_port; - s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS; - s->outside_address_index = ~0; - s->out2in.addr = key.l_addr; - s->out2in.port = key.l_port; - s->out2in.protocol = ip_proto_to_snat_proto (key.proto); - s->out2in.fib_index = 0; - s->in2out = s->out2in; - user_session_increment (sm, u, 0); - - kv.value = s - tsm->sessions; - if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1)) - nat_log_notice ("in2out_ed key add failed"); - } - - if (ip->protocol == IP_PROTOCOL_TCP) - { - tcp_header_t *tcp = ip4_next_header(ip); - if 
(nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index)) - return; - } - - /* Accounting */ - nat44_session_update_counters (s, now, 0); -} - -u32 -icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, - u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip, - u8 * p_proto, snat_session_key_t * p_value, - u8 * p_dont_translate, void * d, void * e) -{ - u32 next = ~0, sw_if_index, rx_fib_index; - icmp46_header_t *icmp; - nat_ed_ses_key_t key; - clib_bihash_kv_16_8_t kv, value; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - snat_session_t *s = 0; - u8 dont_translate = 0, is_addr_only; - snat_session_key_t e_key, l_key; - - icmp = (icmp46_header_t *) ip4_next_header (ip); - sw_if_index = vnet_buffer(b)->sw_if_index[VLIB_RX]; - rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index); - - if (icmp_get_ed_key (ip, &key)) - { - b->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; - next = SNAT_OUT2IN_NEXT_DROP; - goto out; - } - key.fib_index = rx_fib_index; - kv.key[0] = key.as_u64[0]; - kv.key[1] = key.as_u64[1]; - - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value)) - { - /* Try to match static mapping */ - e_key.addr = ip->dst_address; - e_key.port = key.l_port; - e_key.protocol = ip_proto_to_snat_proto (key.proto); - e_key.fib_index = rx_fib_index; - if (snat_static_mapping_match(sm, e_key, &l_key, 1, &is_addr_only, 0, 0, 0)) - { - if (!sm->forwarding_enabled) - { - /* Don't NAT packet aimed at the intfc address */ - if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index, - ip->dst_address.as_u32))) - { - dont_translate = 1; - goto out; - } - b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next = NAT44_ED_OUT2IN_NEXT_DROP; - goto out; - } - else - { - dont_translate = 1; - if (next_src_nat(sm, ip, key.proto, key.l_port, key.r_port, - thread_index, rx_fib_index)) - { - next = NAT44_ED_OUT2IN_NEXT_IN2OUT; - goto out; - } - create_bypass_for_fwd(sm, ip, rx_fib_index, 
thread_index); - goto out; - } - } - - if (PREDICT_FALSE(icmp->type != ICMP4_echo_reply && - (icmp->type != ICMP4_echo_request || !is_addr_only))) - { - b->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; - next = NAT44_ED_OUT2IN_NEXT_DROP; - goto out; - } - - /* Create session initiated by host from external network */ - s = create_session_for_static_mapping_ed(sm, b, l_key, e_key, node, - thread_index, 0, 0, - vlib_time_now (sm->vlib_main)); - - if (!s) - { - next = NAT44_ED_OUT2IN_NEXT_DROP; - goto out; - } - } - else - { - if (PREDICT_FALSE(icmp->type != ICMP4_echo_reply && - icmp->type != ICMP4_echo_request && - !icmp_is_error_message (icmp))) - { - b->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; - next = SNAT_OUT2IN_NEXT_DROP; - goto out; - } - - s = pool_elt_at_index (tsm->sessions, value.value); - } - - *p_proto = ip_proto_to_snat_proto (key.proto); -out: - if (s) - *p_value = s->in2out; - *p_dont_translate = dont_translate; - if (d) - *(snat_session_t**)d = s; - return next; -} - -static snat_session_t * -nat44_ed_out2in_unknown_proto (snat_main_t *sm, - vlib_buffer_t * b, - ip4_header_t * ip, - u32 rx_fib_index, - u32 thread_index, - f64 now, - vlib_main_t * vm, - vlib_node_runtime_t * node) -{ - clib_bihash_kv_8_8_t kv, value; - clib_bihash_kv_16_8_t s_kv, s_value; - snat_static_mapping_t *m; - u32 old_addr, new_addr; - ip_csum_t sum; - snat_session_t * s; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - snat_user_t *u; - - old_addr = ip->dst_address.as_u32; - - make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol, - rx_fib_index, 0, 0); - - if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value)) - { - s = pool_elt_at_index (tsm->sessions, s_value.value); - new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32; - } - else - { - if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index))) - { - b->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED]; - nat_log_notice 
("maximum sessions exceeded"); - return 0; - } - - make_sm_kv (&kv, &ip->dst_address, 0, 0, 0); - if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value)) - { - b->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - return 0; - } - - m = pool_elt_at_index (sm->static_mappings, value.value); - - new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32; - - u = nat_user_get_or_create (sm, &m->local_addr, m->fib_index, - thread_index); - if (!u) - { - nat_log_warn ("create NAT user failed"); - return 0; - } - - /* Create a new session */ - s = nat_ed_session_alloc (sm, u, thread_index); - if (!s) - { - nat44_delete_user_with_no_session (sm, u, thread_index); - nat_log_warn ("create NAT session failed"); - return 0; - } - - s->ext_host_addr.as_u32 = ip->src_address.as_u32; - s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO; - s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; - s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; - s->outside_address_index = ~0; - s->out2in.addr.as_u32 = old_addr; - s->out2in.fib_index = rx_fib_index; - s->in2out.addr.as_u32 = new_addr; - s->in2out.fib_index = m->fib_index; - s->in2out.port = s->out2in.port = ip->protocol; - user_session_increment (sm, u, 1); - - /* Add to lookup tables */ - s_kv.value = s - tsm->sessions; - if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1)) - nat_log_notice ("out2in key add failed"); - - make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol, - m->fib_index, 0, 0); - s_kv.value = s - tsm->sessions; - if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1)) - nat_log_notice ("in2out key add failed"); - } - - /* Update IP checksum */ - sum = ip->checksum; - sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address); - ip->checksum = ip_csum_fold (sum); - - vnet_buffer(b)->sw_if_index[VLIB_TX] = s->in2out.fib_index; - - /* Accounting */ - nat44_session_update_counters (s, now, - vlib_buffer_length_in_chain (vm, b)); - - return s; -} - -static inline uword 
-nat44_ed_out2in_node_fn_inline (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame, int is_slow_path) -{ - u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index; - nat44_ed_out2in_next_t next_index; - snat_main_t *sm = &snat_main; - f64 now = vlib_time_now (vm); - u32 thread_index = vm->thread_index; - snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; - - stats_node_index = is_slow_path ? nat44_ed_out2in_slowpath_node.index : - nat44_ed_out2in_node.index; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from >= 4 && n_left_to_next >= 2) - { - u32 bi0, bi1; - vlib_buffer_t *b0, *b1; - u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, new_addr0; - u32 next1, sw_if_index1, rx_fib_index1, proto1, old_addr1, new_addr1; - u16 old_port0, new_port0, old_port1, new_port1; - ip4_header_t *ip0, *ip1; - udp_header_t *udp0, *udp1; - tcp_header_t *tcp0, *tcp1; - icmp46_header_t *icmp0, *icmp1; - snat_session_t *s0 = 0, *s1 = 0; - clib_bihash_kv_16_8_t kv0, value0, kv1, value1; - ip_csum_t sum0, sum1; - snat_session_key_t e_key0, l_key0, e_key1, l_key1; - lb_nat_type_t lb_nat0, lb_nat1; - twice_nat_type_t twice_nat0, twice_nat1; - - /* Prefetch next iteration. 
*/ - { - vlib_buffer_t * p2, * p3; - - p2 = vlib_get_buffer (vm, from[2]); - p3 = vlib_get_buffer (vm, from[3]); - - vlib_prefetch_buffer_header (p2, LOAD); - vlib_prefetch_buffer_header (p3, LOAD); - - CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); - CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); - } - - /* speculatively enqueue b0 and b1 to the current next frame */ - to_next[0] = bi0 = from[0]; - to_next[1] = bi1 = from[1]; - from += 2; - to_next += 2; - n_left_from -= 2; - n_left_to_next -= 2; - - b0 = vlib_get_buffer (vm, bi0); - b1 = vlib_get_buffer (vm, bi1); - - next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP; - vnet_buffer (b0)->snat.flags = 0; - ip0 = vlib_buffer_get_current (b0); - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index0); - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR; - goto trace00; - } - - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (is_slow_path) - { - if (PREDICT_FALSE (proto0 == ~0)) - { - s0 = nat44_ed_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0, - thread_index, now, vm, node); - if (!sm->forwarding_enabled) - { - if (!s0) - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace00; - } - } - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_out2in_ed_slow_path - (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, now, thread_index, &s0); - goto trace00; - } - } - else - { - if (PREDICT_FALSE (proto0 == ~0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace00; - } - - if (ip4_is_fragment (ip0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_REASS; - goto trace00; - } - - if (PREDICT_FALSE (proto0 == 
SNAT_PROTOCOL_ICMP)) - { - next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace00; - } - } - - make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, ip0->protocol, - rx_fib_index0, udp0->dst_port, udp0->src_port); - - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0)) - { - if (is_slow_path) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - e_key0.addr = ip0->dst_address; - e_key0.port = udp0->dst_port; - e_key0.protocol = proto0; - e_key0.fib_index = rx_fib_index0; - if (snat_static_mapping_match(sm, e_key0, &l_key0, 1, 0, - &twice_nat0, &lb_nat0, &ip0->src_address)) - { - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP - && (udp0->dst_port == - clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - { - vnet_feature_next (&next0, b0); - goto trace00; - } - - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - } - else - { - if (next_src_nat(sm, ip0, ip0->protocol, - udp0->src_port, udp0->dst_port, - thread_index, rx_fib_index0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT; - goto trace00; - } - create_bypass_for_fwd(sm, ip0, rx_fib_index0, - thread_index); - } - goto trace00; - } - - /* Create session initiated by host from external network */ - s0 = create_session_for_static_mapping_ed(sm, b0, l_key0, - e_key0, node, - thread_index, - twice_nat0, - lb_nat0, - now); - - if (!s0) - { - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace00; - } - } - else - { - next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace00; - } - } - else - { - s0 = pool_elt_at_index (tsm->sessions, value0.value); - } - - old_addr0 = ip0->dst_address.as_u32; - new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - - sum0 = ip0->checksum; - sum0 = 
ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address); - if (PREDICT_FALSE (is_twice_nat_session (s0))) - sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, - s0->ext_host_nat_addr.as_u32, ip4_header_t, - src_address); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->dst_port; - new_port0 = tcp0->dst_port = s0->in2out.port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address); - sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t, - length); - if (is_twice_nat_session (s0)) - { - sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, - s0->ext_host_nat_addr.as_u32, - ip4_header_t, dst_address); - sum0 = ip_csum_update (sum0, tcp0->src_port, - s0->ext_host_nat_port, ip4_header_t, - length); - tcp0->src_port = s0->ext_host_nat_port; - ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; - } - tcp0->checksum = ip_csum_fold(sum0); - if (nat44_set_tcp_session_state_o2i (sm, s0, tcp0, thread_index)) - goto trace00; - } - else - { - udp0->dst_port = s0->in2out.port; - if (is_twice_nat_session (s0)) - { - udp0->src_port = s0->ext_host_nat_port; - ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; - } - udp0->checksum = 0; - } - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - - trace00: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat44_ed_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->is_slow_path = is_slow_path; - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (s0) - t->session_index = s0 - tsm->sessions; - } - - pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP; - - next1 = NAT44_ED_OUT2IN_NEXT_LOOKUP; - vnet_buffer (b1)->snat.flags = 0; - ip1 = vlib_buffer_get_current (b1); - - sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX]; 
- rx_fib_index1 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index1); - - if (PREDICT_FALSE(ip1->ttl == 1)) - { - vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next1 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR; - goto trace01; - } - - udp1 = ip4_next_header (ip1); - tcp1 = (tcp_header_t *) udp1; - icmp1 = (icmp46_header_t *) udp1; - proto1 = ip_proto_to_snat_proto (ip1->protocol); - - if (is_slow_path) - { - if (PREDICT_FALSE (proto1 == ~0)) - { - s1 = nat44_ed_out2in_unknown_proto(sm, b1, ip1, rx_fib_index1, - thread_index, now, vm, node); - if (!sm->forwarding_enabled) - { - if (!s1) - next1 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace01; - } - } - - if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) - { - next1 = icmp_out2in_ed_slow_path - (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, - next1, now, thread_index, &s1); - goto trace01; - } - } - else - { - if (PREDICT_FALSE (proto1 == ~0)) - { - next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace01; - } - - if (ip4_is_fragment (ip1)) - { - next1 = NAT44_ED_OUT2IN_NEXT_REASS; - goto trace01; - } - - if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) - { - next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace01; - } - } - - make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address, ip1->protocol, - rx_fib_index1, udp1->dst_port, udp1->src_port); - - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1)) - { - if (is_slow_path) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - e_key1.addr = ip1->dst_address; - e_key1.port = udp1->dst_port; - e_key1.protocol = proto1; - e_key1.fib_index = rx_fib_index1; - if (snat_static_mapping_match(sm, e_key1, &l_key1, 1, 0, - &twice_nat1, &lb_nat1, &ip1->src_address)) - { - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - 
*/ - if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP - && (udp1->dst_port == - clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - { - vnet_feature_next (&next1, b1); - goto trace01; - } - - if (!sm->forwarding_enabled) - { - b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next1 = NAT44_ED_OUT2IN_NEXT_DROP; - } - else - { - if (next_src_nat(sm, ip1, ip1->protocol, - udp1->src_port, udp1->dst_port, - thread_index, rx_fib_index1)) - { - next1 = NAT44_ED_OUT2IN_NEXT_IN2OUT; - goto trace01; - } - create_bypass_for_fwd(sm, ip1, rx_fib_index1, - thread_index); - } - goto trace01; - } - - /* Create session initiated by host from external network */ - s1 = create_session_for_static_mapping_ed(sm, b1, l_key1, - e_key1, node, - thread_index, - twice_nat1, - lb_nat1, - now); - - if (!s1) - { - next1 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace01; - } - } - else - { - next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace01; - } - } - else - { - s1 = pool_elt_at_index (tsm->sessions, value1.value); - } - - old_addr1 = ip1->dst_address.as_u32; - new_addr1 = ip1->dst_address.as_u32 = s1->in2out.addr.as_u32; - vnet_buffer(b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index; - - sum1 = ip1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, - dst_address); - if (PREDICT_FALSE (is_twice_nat_session (s1))) - sum1 = ip_csum_update (sum1, ip1->src_address.as_u32, - s1->ext_host_nat_addr.as_u32, ip4_header_t, - src_address); - ip1->checksum = ip_csum_fold (sum1); - - if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) - { - old_port1 = tcp1->dst_port; - new_port1 = tcp1->dst_port = s1->in2out.port; - - sum1 = tcp1->checksum; - sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, - dst_address); - sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t, - length); - if (is_twice_nat_session (s1)) - { - sum1 = ip_csum_update (sum1, ip1->src_address.as_u32, - s1->ext_host_nat_addr.as_u32, - ip4_header_t, dst_address); - sum1 = 
ip_csum_update (sum1, tcp1->src_port, - s1->ext_host_nat_port, ip4_header_t, - length); - tcp1->src_port = s1->ext_host_nat_port; - ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32; - } - tcp1->checksum = ip_csum_fold(sum1); - if (nat44_set_tcp_session_state_o2i (sm, s1, tcp1, thread_index)) - goto trace01; - } - else - { - udp1->dst_port = s1->in2out.port; - if (is_twice_nat_session (s1)) - { - udp1->src_port = s1->ext_host_nat_port; - ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32; - } - udp1->checksum = 0; - } - - /* Accounting */ - nat44_session_update_counters (s1, now, - vlib_buffer_length_in_chain (vm, b1)); - - trace01: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b1->flags & VLIB_BUFFER_IS_TRACED))) - { - nat44_ed_out2in_trace_t *t = - vlib_add_trace (vm, node, b1, sizeof (*t)); - t->is_slow_path = is_slow_path; - t->sw_if_index = sw_if_index1; - t->next_index = next1; - t->session_index = ~0; - if (s1) - t->session_index = s1 - tsm->sessions; - } - - pkts_processed += next1 != NAT44_ED_OUT2IN_NEXT_DROP; - - /* verify speculative enqueues, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x2 (vm, node, next_index, - to_next, n_left_to_next, - bi0, bi1, next0, next1); - } - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - vlib_buffer_t *b0; - u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, new_addr0; - u16 old_port0, new_port0; - ip4_header_t *ip0; - udp_header_t *udp0; - tcp_header_t *tcp0; - icmp46_header_t * icmp0; - snat_session_t *s0 = 0; - clib_bihash_kv_16_8_t kv0, value0; - ip_csum_t sum0; - snat_session_key_t e_key0, l_key0; - lb_nat_type_t lb_nat0; - twice_nat_type_t twice_nat0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP; - vnet_buffer (b0)->snat.flags = 0; - ip0 = 
vlib_buffer_get_current (b0); - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index0); - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR; - goto trace0; - } - - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (is_slow_path) - { - if (PREDICT_FALSE (proto0 == ~0)) - { - s0 = nat44_ed_out2in_unknown_proto(sm, b0, ip0, rx_fib_index0, - thread_index, now, vm, node); - if (!sm->forwarding_enabled) - { - if (!s0) - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace0; - } - } - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_out2in_ed_slow_path - (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, now, thread_index, &s0); - goto trace0; - } - } - else - { - if (PREDICT_FALSE (proto0 == ~0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace0; - } - - if (ip4_is_fragment (ip0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_REASS; - goto trace0; - } - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace0; - } - } - - make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, ip0->protocol, - rx_fib_index0, udp0->dst_port, udp0->src_port); - - if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0)) - { - if (is_slow_path) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - e_key0.addr = ip0->dst_address; - e_key0.port = udp0->dst_port; - e_key0.protocol = proto0; - e_key0.fib_index = rx_fib_index0; - if (snat_static_mapping_match(sm, e_key0, &l_key0, 1, 0, - &twice_nat0, &lb_nat0, &ip0->src_address)) - { - /* - * Send DHCP packets to the 
ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP - && (udp0->dst_port == - clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - { - vnet_feature_next (&next0, b0); - goto trace0; - } - - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - } - else - { - if (next_src_nat(sm, ip0, ip0->protocol, - udp0->src_port, udp0->dst_port, - thread_index, rx_fib_index0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT; - goto trace0; - } - create_bypass_for_fwd(sm, ip0, rx_fib_index0, - thread_index); - } - goto trace0; - } - - /* Create session initiated by host from external network */ - s0 = create_session_for_static_mapping_ed(sm, b0, l_key0, - e_key0, node, - thread_index, - twice_nat0, - lb_nat0, - now); - - if (!s0) - { - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace0; - } - } - else - { - next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; - goto trace0; - } - } - else - { - s0 = pool_elt_at_index (tsm->sessions, value0.value); - } - - old_addr0 = ip0->dst_address.as_u32; - new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address); - if (PREDICT_FALSE (is_twice_nat_session (s0))) - sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, - s0->ext_host_nat_addr.as_u32, ip4_header_t, - src_address); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->dst_port; - new_port0 = tcp0->dst_port = s0->in2out.port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, - dst_address); - sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t, - length); - if (is_twice_nat_session (s0)) - { - sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, - 
s0->ext_host_nat_addr.as_u32, - ip4_header_t, dst_address); - sum0 = ip_csum_update (sum0, tcp0->src_port, - s0->ext_host_nat_port, ip4_header_t, - length); - tcp0->src_port = s0->ext_host_nat_port; - ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; - } - tcp0->checksum = ip_csum_fold(sum0); - if (nat44_set_tcp_session_state_o2i (sm, s0, tcp0, thread_index)) - goto trace0; - } - else - { - udp0->dst_port = s0->in2out.port; - if (is_twice_nat_session (s0)) - { - udp0->src_port = s0->ext_host_nat_port; - ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; - } - udp0->checksum = 0; - } - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - - trace0: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat44_ed_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->is_slow_path = is_slow_path; - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (s0) - t->session_index = s0 - tsm->sessions; - } - - pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP; - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, stats_node_index, - SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, - pkts_processed); - return frame->n_vectors; -} - -static uword -nat44_ed_out2in_fast_path_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return nat44_ed_out2in_node_fn_inline (vm, node, frame, 0); -} - -VLIB_REGISTER_NODE (nat44_ed_out2in_node) = { - .function = nat44_ed_out2in_fast_path_fn, - .name = "nat44-ed-out2in", - .vector_size = sizeof (u32), - .format_trace = format_nat44_ed_out2in_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(snat_out2in_error_strings), - 
.error_strings = snat_out2in_error_strings, - - .runtime_data_bytes = sizeof (snat_runtime_t), - - .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT, - - /* edit / add dispositions here */ - .next_nodes = { - [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop", - [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", - [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath", - [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", - [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out", - [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_node, nat44_ed_out2in_fast_path_fn); - -static uword -nat44_ed_out2in_slow_path_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - return nat44_ed_out2in_node_fn_inline (vm, node, frame, 1); -} - -VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = { - .function = nat44_ed_out2in_slow_path_fn, - .name = "nat44-ed-out2in-slowpath", - .vector_size = sizeof (u32), - .format_trace = format_nat44_ed_out2in_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(snat_out2in_error_strings), - .error_strings = snat_out2in_error_strings, - - .runtime_data_bytes = sizeof (snat_runtime_t), - - .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT, - - /* edit / add dispositions here */ - .next_nodes = { - [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop", - [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", - [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath", - [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", - [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out", - [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_slowpath_node, - nat44_ed_out2in_slow_path_fn); - -static uword -nat44_ed_out2in_reass_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - u32 n_left_from, *from, *to_next; - snat_out2in_next_t next_index; - u32 pkts_processed = 0; - snat_main_t *sm = &snat_main; - f64 
now = vlib_time_now (vm); - u32 thread_index = vm->thread_index; - snat_main_per_thread_data_t *per_thread_data = - &sm->per_thread_data[thread_index]; - u32 *fragments_to_drop = 0; - u32 *fragments_to_loopback = 0; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0; - vlib_buffer_t *b0; - u32 next0; - u8 cached0 = 0; - ip4_header_t *ip0; - nat_reass_ip4_t *reass0; - udp_header_t * udp0; - tcp_header_t * tcp0; - icmp46_header_t * icmp0; - clib_bihash_kv_16_8_t kv0, value0; - snat_session_t * s0 = 0; - u16 old_port0, new_port0; - ip_csum_t sum0; - snat_session_key_t e_key0, l_key0; - lb_nat_type_t lb0; - twice_nat_type_t twice_nat0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; - - b0 = vlib_get_buffer (vm, bi0); - next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP; - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, - sw_if_index0); - - if (PREDICT_FALSE (nat_reass_is_drop_frag(0))) - { - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - b0->error = node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT]; - goto trace0; - } - - ip0 = (ip4_header_t *) vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - reass0 = nat_ip4_reass_find_or_create (ip0->src_address, - ip0->dst_address, - ip0->fragment_id, - ip0->protocol, - 1, - &fragments_to_drop); - - if (PREDICT_FALSE (!reass0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - b0->error = 
node->errors[SNAT_OUT2IN_ERROR_MAX_REASS]; - nat_log_notice ("maximum reassemblies exceeded"); - goto trace0; - } - - if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) - { - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_out2in_slow_path - (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, - next0, now, thread_index, &s0); - - if (PREDICT_TRUE(next0 != NAT44_ED_OUT2IN_NEXT_DROP)) - { - if (s0) - reass0->sess_index = s0 - per_thread_data->sessions; - else - reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE; - reass0->thread_index = thread_index; - nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); - } - - goto trace0; - } - - make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, ip0->protocol, - rx_fib_index0, udp0->dst_port, udp0->src_port); - - if (clib_bihash_search_16_8 (&per_thread_data->out2in_ed, &kv0, &value0)) - { - /* Try to match static mapping by external address and port, - destination address and port in packet */ - e_key0.addr = ip0->dst_address; - e_key0.port = udp0->dst_port; - e_key0.protocol = proto0; - e_key0.fib_index = rx_fib_index0; - if (snat_static_mapping_match(sm, e_key0, &l_key0, 1, 0, - &twice_nat0, &lb0, 0)) - { - /* - * Send DHCP packets to the ipv4 stack, or we won't - * be able to use dhcp client on the outside interface - */ - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP - && (udp0->dst_port - == clib_host_to_net_u16(UDP_DST_PORT_dhcp_to_client)))) - { - vnet_feature_next(&next0, b0); - goto trace0; - } - - if (!sm->forwarding_enabled) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - } - else - { - if (next_src_nat(sm, ip0, ip0->protocol, - udp0->src_port, udp0->dst_port, - thread_index, rx_fib_index0)) - { - next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT; - goto trace0; - } - create_bypass_for_fwd(sm, ip0, rx_fib_index0, - thread_index); - reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE; - nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); - 
} - goto trace0; - } - - /* Create session initiated by host from external network */ - s0 = create_session_for_static_mapping_ed(sm, b0, l_key0, - e_key0, node, - thread_index, - twice_nat0, lb0, - now); - if (!s0) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace0; - } - reass0->sess_index = s0 - per_thread_data->sessions; - reass0->thread_index = thread_index; - } - else - { - s0 = pool_elt_at_index (per_thread_data->sessions, - value0.value); - reass0->sess_index = value0.value; - } - nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); - } - else - { - if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE) - goto trace0; - if (PREDICT_FALSE (reass0->sess_index == (u32) ~0)) - { - if (nat_ip4_reass_add_fragment (reass0, bi0, &fragments_to_drop)) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_FRAG]; - nat_log_notice ("maximum fragments per reassembly exceeded"); - next0 = NAT44_ED_OUT2IN_NEXT_DROP; - goto trace0; - } - cached0 = 1; - goto trace0; - } - s0 = pool_elt_at_index (per_thread_data->sessions, - reass0->sess_index); - } - - old_addr0 = ip0->dst_address.as_u32; - ip0->dst_address = s0->in2out.addr; - new_addr0 = ip0->dst_address.as_u32; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - if (PREDICT_FALSE (is_twice_nat_session (s0))) - sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, - s0->ext_host_nat_addr.as_u32, ip4_header_t, - src_address); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->dst_port; - tcp0->dst_port = s0->in2out.port; - new_port0 = tcp0->dst_port; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - - sum0 = 
ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - if (is_twice_nat_session (s0)) - { - sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, - s0->ext_host_nat_addr.as_u32, - ip4_header_t, dst_address); - sum0 = ip_csum_update (sum0, tcp0->src_port, - s0->ext_host_nat_port, ip4_header_t, - length); - tcp0->src_port = s0->ext_host_nat_port; - ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; - } - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->dst_port; - udp0->dst_port = s0->in2out.port; - if (is_twice_nat_session (s0)) - { - udp0->src_port = s0->ext_host_nat_port; - ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; - } - udp0->checksum = 0; - } - } - - /* Accounting */ - nat44_session_update_counters (s0, now, - vlib_buffer_length_in_chain (vm, b0)); - /* Per-user LRU list maintenance */ - nat44_session_update_lru (sm, s0, thread_index); - - trace0: - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - nat44_out2in_reass_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->cached = cached0; - t->sw_if_index = sw_if_index0; - t->next_index = next0; - } - - if (cached0) - { - n_left_to_next++; - to_next--; - } - else - { - pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } - - if (n_left_from == 0 && vec_len (fragments_to_loopback)) - { - from = vlib_frame_vector_args (frame); - u32 len = vec_len (fragments_to_loopback); - if (len <= VLIB_FRAME_SIZE) - { - clib_memcpy (from, fragments_to_loopback, sizeof (u32) * len); - n_left_from = len; - vec_reset_length (fragments_to_loopback); - } - else - { - clib_memcpy (from, - fragments_to_loopback + (len - VLIB_FRAME_SIZE), - sizeof (u32) * VLIB_FRAME_SIZE); - n_left_from = VLIB_FRAME_SIZE; - 
_vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; - } - } - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, nat44_out2in_reass_node.index, - SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, - pkts_processed); - - nat_send_all_to_node (vm, fragments_to_drop, node, - &node->errors[SNAT_OUT2IN_ERROR_DROP_FRAGMENT], - SNAT_OUT2IN_NEXT_DROP); - - vec_free (fragments_to_drop); - vec_free (fragments_to_loopback); - return frame->n_vectors; -} - -VLIB_REGISTER_NODE (nat44_ed_out2in_reass_node) = { - .function = nat44_ed_out2in_reass_node_fn, - .name = "nat44-ed-out2in-reass", - .vector_size = sizeof (u32), - .format_trace = format_nat44_out2in_reass_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(snat_out2in_error_strings), - .error_strings = snat_out2in_error_strings, - - .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT, - - /* edit / add dispositions here */ - .next_nodes = { - [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop", - [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", - [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath", - [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", - [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out", - [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_reass_node, - nat44_ed_out2in_reass_node_fn); - -/**************************/ -/*** deterministic mode ***/ -/**************************/ -static uword -snat_det_out2in_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - u32 n_left_from, * from, * to_next; + u32 n_left_from, *from, *to_next; snat_out2in_next_t next_index; u32 pkts_processed = 0; - snat_main_t * sm = &snat_main; - u32 thread_index = vm->thread_index; + snat_main_t *sm = &snat_main; from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; 
@@ -3371,310 +1595,26 @@ snat_det_out2in_node_fn (vlib_main_t * vm, { u32 n_left_to_next; - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); - - while (n_left_from >= 4 && n_left_to_next >= 2) - { - u32 bi0, bi1; - vlib_buffer_t * b0, * b1; - u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP; - u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP; - u32 sw_if_index0, sw_if_index1; - ip4_header_t * ip0, * ip1; - ip_csum_t sum0, sum1; - ip4_address_t new_addr0, old_addr0, new_addr1, old_addr1; - u16 new_port0, old_port0, old_port1, new_port1; - udp_header_t * udp0, * udp1; - tcp_header_t * tcp0, * tcp1; - u32 proto0, proto1; - snat_det_out_key_t key0, key1; - snat_det_map_t * dm0, * dm1; - snat_det_session_t * ses0 = 0, * ses1 = 0; - u32 rx_fib_index0, rx_fib_index1; - icmp46_header_t * icmp0, * icmp1; - - /* Prefetch next iteration. */ - { - vlib_buffer_t * p2, * p3; - - p2 = vlib_get_buffer (vm, from[2]); - p3 = vlib_get_buffer (vm, from[3]); - - vlib_prefetch_buffer_header (p2, LOAD); - vlib_prefetch_buffer_header (p3, LOAD); - - CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); - CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); - } - - /* speculatively enqueue b0 and b1 to the current next frame */ - to_next[0] = bi0 = from[0]; - to_next[1] = bi1 = from[1]; - from += 2; - to_next += 2; - n_left_from -= 2; - n_left_to_next -= 2; - - b0 = vlib_get_buffer (vm, bi0); - b1 = vlib_get_buffer (vm, bi1); - - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; - goto trace0; - } - - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP)) - { - rx_fib_index0 = 
ip4_fib_table_get_index_for_sw_if_index(sw_if_index0); - icmp0 = (icmp46_header_t *) udp0; - - next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, - rx_fib_index0, node, next0, thread_index, - &ses0, &dm0); - goto trace0; - } - - key0.ext_host_addr = ip0->src_address; - key0.ext_host_port = tcp0->src; - key0.out_port = tcp0->dst; - - dm0 = snat_det_map_by_out(sm, &ip0->dst_address); - if (PREDICT_FALSE(!dm0)) - { - nat_log_info ("unknown dst address: %U", - format_ip4_address, &ip0->dst_address); - next0 = SNAT_OUT2IN_NEXT_DROP; - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - goto trace0; - } - - snat_det_reverse(dm0, &ip0->dst_address, - clib_net_to_host_u16(tcp0->dst), &new_addr0); - - ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64); - if (PREDICT_FALSE(!ses0)) - { - nat_log_info ("no match src %U:%d dst %U:%d for user %U", - format_ip4_address, &ip0->src_address, - clib_net_to_host_u16 (tcp0->src), - format_ip4_address, &ip0->dst_address, - clib_net_to_host_u16 (tcp0->dst), - format_ip4_address, &new_addr0); - next0 = SNAT_OUT2IN_NEXT_DROP; - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - goto trace0; - } - new_port0 = ses0->in_port; - - old_addr0 = ip0->dst_address; - ip0->dst_address = new_addr0; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, - ip4_header_t, - dst_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED) - ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT; - else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK) - snat_det_ses_close(dm0, ses0); - - old_port0 = tcp0->dst; - tcp0->dst = new_port0; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, - ip4_header_t, - dst_address /* 
changed member */); - - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->dst_port; - udp0->dst_port = new_port0; - udp0->checksum = 0; - } - - trace0: - - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (ses0) - t->session_index = ses0 - dm0->sessions; - } - - pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; - - b1 = vlib_get_buffer (vm, bi1); - - ip1 = vlib_buffer_get_current (b1); - udp1 = ip4_next_header (ip1); - tcp1 = (tcp_header_t *) udp1; - - sw_if_index1 = vnet_buffer(b1)->sw_if_index[VLIB_RX]; - - if (PREDICT_FALSE(ip1->ttl == 1)) - { - vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR; - goto trace1; - } - - proto1 = ip_proto_to_snat_proto (ip1->protocol); - - if (PREDICT_FALSE(proto1 == SNAT_PROTOCOL_ICMP)) - { - rx_fib_index1 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index1); - icmp1 = (icmp46_header_t *) udp1; - - next1 = icmp_out2in(sm, b1, ip1, icmp1, sw_if_index1, - rx_fib_index1, node, next1, thread_index, - &ses1, &dm1); - goto trace1; - } - - key1.ext_host_addr = ip1->src_address; - key1.ext_host_port = tcp1->src; - key1.out_port = tcp1->dst; - - dm1 = snat_det_map_by_out(sm, &ip1->dst_address); - if (PREDICT_FALSE(!dm1)) - { - nat_log_info ("unknown dst address: %U", - format_ip4_address, &ip1->dst_address); - next1 = SNAT_OUT2IN_NEXT_DROP; - b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - goto trace1; - } - - snat_det_reverse(dm1, &ip1->dst_address, - clib_net_to_host_u16(tcp1->dst), &new_addr1); - - ses1 = snat_det_get_ses_by_out 
(dm1, &new_addr1, key1.as_u64); - if (PREDICT_FALSE(!ses1)) - { - nat_log_info ("no match src %U:%d dst %U:%d for user %U", - format_ip4_address, &ip1->src_address, - clib_net_to_host_u16 (tcp1->src), - format_ip4_address, &ip1->dst_address, - clib_net_to_host_u16 (tcp1->dst), - format_ip4_address, &new_addr1); - next1 = SNAT_OUT2IN_NEXT_DROP; - b1->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - goto trace1; - } - new_port1 = ses1->in_port; - - old_addr1 = ip1->dst_address; - ip1->dst_address = new_addr1; - vnet_buffer(b1)->sw_if_index[VLIB_TX] = sm->inside_fib_index; - - sum1 = ip1->checksum; - sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32, - ip4_header_t, - dst_address /* changed member */); - ip1->checksum = ip_csum_fold (sum1); - - if (PREDICT_TRUE(proto1 == SNAT_PROTOCOL_TCP)) - { - if (tcp1->flags & TCP_FLAG_FIN && ses1->state == SNAT_SESSION_TCP_ESTABLISHED) - ses1->state = SNAT_SESSION_TCP_CLOSE_WAIT; - else if (tcp1->flags & TCP_FLAG_ACK && ses1->state == SNAT_SESSION_TCP_LAST_ACK) - snat_det_ses_close(dm1, ses1); - - old_port1 = tcp1->dst; - tcp1->dst = new_port1; - - sum1 = tcp1->checksum; - sum1 = ip_csum_update (sum1, old_addr1.as_u32, new_addr1.as_u32, - ip4_header_t, - dst_address /* changed member */); - - sum1 = ip_csum_update (sum1, old_port1, new_port1, - ip4_header_t /* cheat */, - length /* changed member */); - tcp1->checksum = ip_csum_fold(sum1); - } - else - { - old_port1 = udp1->dst_port; - udp1->dst_port = new_port1; - udp1->checksum = 0; - } - - trace1: - - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b1->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_trace_t *t = - vlib_add_trace (vm, node, b1, sizeof (*t)); - t->sw_if_index = sw_if_index1; - t->next_index = next1; - t->session_index = ~0; - if (ses1) - t->session_index = ses1 - dm1->sessions; - } - - pkts_processed += next1 != SNAT_OUT2IN_NEXT_DROP; - - /* verify speculative enqueues, maybe switch current next frame */ - 
vlib_validate_buffer_enqueue_x2 (vm, node, next_index, - to_next, n_left_to_next, - bi0, bi1, next0, next1); - } + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); while (n_left_from > 0 && n_left_to_next > 0) { - u32 bi0; - vlib_buffer_t * b0; - u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP; - u32 sw_if_index0; - ip4_header_t * ip0; - ip_csum_t sum0; - ip4_address_t new_addr0, old_addr0; - u16 new_port0, old_port0; - udp_header_t * udp0; - tcp_header_t * tcp0; - u32 proto0; - snat_det_out_key_t key0; - snat_det_map_t * dm0; - snat_det_session_t * ses0 = 0; - u32 rx_fib_index0; - icmp46_header_t * icmp0; - - /* speculatively enqueue b0 to the current next frame */ + u32 bi0; + vlib_buffer_t *b0; + u32 next0 = SNAT_OUT2IN_NEXT_DROP; + u32 sw_if_index0; + ip4_header_t *ip0; + ip_csum_t sum0; + u32 new_addr0, old_addr0; + u16 new_port0, old_port0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + snat_session_key_t key0, sm0; + u32 proto0; + u32 rx_fib_index0; + + /* speculatively enqueue b0 to the current next frame */ bi0 = from[0]; to_next[0] = bi0; from += 1; 
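Review bot: `u32 next0 = SNAT_OUT2IN_NEXT_DROP;` in the new declaration block never acts as a default, because the loop body in the following hunk (`@@ -3684,643 +1624,112 @@`) immediately overwrites it with `vnet_feature_next (&next0, b0)`, so every `goto trace00` that does not assign `next0` — the `proto0 == ~0` case and the `snat_static_mapping_match` miss that only sets `b0->error` — forwards the packet untranslated to the next feature. If pass-through is the intended fallback for this static-mapping-only node, the initialiser should say so, e.g. `u32 next0 = SNAT_OUT2IN_NEXT_DROP; /* replaced by vnet_feature_next(); unmatched packets pass through untranslated */`, and the `b0->error` assignment on the miss path is then presumably never counted, since only error-drop consumes it. If a drop was meant, the miss path needs `next0 = SNAT_OUT2IN_NEXT_DROP;` right after `b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];`. The enclosing function starts outside the hunk; the `@@` label naming `snat_det_out2in_node_fn` looks like diff alignment only, as the counter in the later hunk is `snat_out2in_fast_node.index`.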
@@ -3684,643 +1624,112 @@ snat_det_out2in_node_fn (vlib_main_t * vm, b0 = vlib_get_buffer (vm, bi0); - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; - goto trace00; - } - - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (PREDICT_FALSE(proto0 == SNAT_PROTOCOL_ICMP)) - { - rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0); - icmp0 = (icmp46_header_t *) udp0; - - next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, - rx_fib_index0, node, next0, thread_index, - &ses0, &dm0); - goto trace00; - } - - key0.ext_host_addr = ip0->src_address; - key0.ext_host_port = tcp0->src; - key0.out_port = tcp0->dst; - - dm0 = snat_det_map_by_out(sm, &ip0->dst_address); - if (PREDICT_FALSE(!dm0)) - { - nat_log_info ("unknown dst address: %U", - format_ip4_address, &ip0->dst_address); - next0 = SNAT_OUT2IN_NEXT_DROP; - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - goto trace00; - } - - snat_det_reverse(dm0, &ip0->dst_address, - clib_net_to_host_u16(tcp0->dst), &new_addr0); - - ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64); - if (PREDICT_FALSE(!ses0)) - { - nat_log_info ("no match src %U:%d dst %U:%d for user %U", - format_ip4_address, &ip0->src_address, - clib_net_to_host_u16 (tcp0->src), - format_ip4_address, &ip0->dst_address, - clib_net_to_host_u16 (tcp0->dst), - format_ip4_address, &new_addr0); - next0 = SNAT_OUT2IN_NEXT_DROP; - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - goto trace00; - } - new_port0 = ses0->in_port; - - old_addr0 = ip0->dst_address; - ip0->dst_address = new_addr0; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm->inside_fib_index; - - sum0 = 
ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, - ip4_header_t, - dst_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - if (tcp0->flags & TCP_FLAG_FIN && ses0->state == SNAT_SESSION_TCP_ESTABLISHED) - ses0->state = SNAT_SESSION_TCP_CLOSE_WAIT; - else if (tcp0->flags & TCP_FLAG_ACK && ses0->state == SNAT_SESSION_TCP_LAST_ACK) - snat_det_ses_close(dm0, ses0); - - old_port0 = tcp0->dst; - tcp0->dst = new_port0; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0.as_u32, new_addr0.as_u32, - ip4_header_t, - dst_address /* changed member */); - - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->dst_port; - udp0->dst_port = new_port0; - udp0->checksum = 0; - } - - trace00: - - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = sw_if_index0; - t->next_index = next0; - t->session_index = ~0; - if (ses0) - t->session_index = ses0 - dm0->sessions; - } - - pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ - vlib_validate_buffer_enqueue_x1 (vm, node, next_index, - to_next, n_left_to_next, - bi0, next0); - } - - vlib_put_next_frame (vm, node, next_index, n_left_to_next); - } - - vlib_node_increment_counter (vm, snat_det_out2in_node.index, - SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, - pkts_processed); - return frame->n_vectors; -} - -VLIB_REGISTER_NODE (snat_det_out2in_node) = { - .function = snat_det_out2in_node_fn, - .name = "nat44-det-out2in", - .vector_size = sizeof (u32), - .format_trace = format_snat_out2in_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(snat_out2in_error_strings), - 
.error_strings = snat_out2in_error_strings, - - .runtime_data_bytes = sizeof (snat_runtime_t), - - .n_next_nodes = SNAT_OUT2IN_N_NEXT, - - /* edit / add dispositions here */ - .next_nodes = { - [SNAT_OUT2IN_NEXT_DROP] = "error-drop", - [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", - [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", - [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", - }, -}; -VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn); - -/** - * Get address and port values to be used for ICMP packet translation - * and create session if needed - * - * @param[in,out] sm NAT main - * @param[in,out] node NAT node runtime - * @param[in] thread_index thread index - * @param[in,out] b0 buffer containing packet to be translated - * @param[out] p_proto protocol used for matching - * @param[out] p_value address and port after NAT translation - * @param[out] p_dont_translate if packet should not be translated - * @param d optional parameter - * @param e optional parameter - */ -u32 icmp_match_out2in_det(snat_main_t *sm, vlib_node_runtime_t *node, - u32 thread_index, vlib_buffer_t *b0, - ip4_header_t *ip0, u8 *p_proto, - snat_session_key_t *p_value, - u8 *p_dont_translate, void *d, void *e) -{ - icmp46_header_t *icmp0; - u32 sw_if_index0; - u8 protocol; - snat_det_out_key_t key0; - u8 dont_translate = 0; - u32 next0 = ~0; - icmp_echo_header_t *echo0, *inner_echo0 = 0; - ip4_header_t *inner_ip0; - void *l4_header = 0; - icmp46_header_t *inner_icmp0; - snat_det_map_t * dm0 = 0; - ip4_address_t new_addr0 = {{0}}; - snat_det_session_t * ses0 = 0; - ip4_address_t out_addr; - - icmp0 = (icmp46_header_t *) ip4_next_header (ip0); - echo0 = (icmp_echo_header_t *)(icmp0+1); - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - - if (!icmp_is_error_message (icmp0)) - { - protocol = SNAT_PROTOCOL_ICMP; - key0.ext_host_addr = ip0->src_address; - key0.ext_host_port = 0; - key0.out_port = echo0->identifier; - out_addr = ip0->dst_address; - } - else - { - 
inner_ip0 = (ip4_header_t *)(echo0+1); - l4_header = ip4_next_header (inner_ip0); - protocol = ip_proto_to_snat_proto (inner_ip0->protocol); - key0.ext_host_addr = inner_ip0->dst_address; - out_addr = inner_ip0->src_address; - switch (protocol) - { - case SNAT_PROTOCOL_ICMP: - inner_icmp0 = (icmp46_header_t*)l4_header; - inner_echo0 = (icmp_echo_header_t *)(inner_icmp0+1); - key0.ext_host_port = 0; - key0.out_port = inner_echo0->identifier; - break; - case SNAT_PROTOCOL_UDP: - case SNAT_PROTOCOL_TCP: - key0.ext_host_port = ((tcp_udp_header_t*)l4_header)->dst_port; - key0.out_port = ((tcp_udp_header_t*)l4_header)->src_port; - break; - default: - b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL]; - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } - } - - dm0 = snat_det_map_by_out(sm, &out_addr); - if (PREDICT_FALSE(!dm0)) - { - /* Don't NAT packet aimed at the intfc address */ - if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0, - ip0->dst_address.as_u32))) - { - dont_translate = 1; - goto out; - } - nat_log_info ("unknown dst address: %U", - format_ip4_address, &ip0->dst_address); - goto out; - } - - snat_det_reverse(dm0, &ip0->dst_address, - clib_net_to_host_u16(key0.out_port), &new_addr0); - - ses0 = snat_det_get_ses_by_out (dm0, &new_addr0, key0.as_u64); - if (PREDICT_FALSE(!ses0)) - { - /* Don't NAT packet aimed at the intfc address */ - if (PREDICT_FALSE(is_interface_addr(sm, node, sw_if_index0, - ip0->dst_address.as_u32))) - { - dont_translate = 1; - goto out; - } - nat_log_info ("no match src %U:%d dst %U:%d for user %U", - format_ip4_address, &key0.ext_host_addr, - clib_net_to_host_u16 (key0.ext_host_port), - format_ip4_address, &out_addr, - clib_net_to_host_u16 (key0.out_port), - format_ip4_address, &new_addr0); - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } - - if (PREDICT_FALSE(icmp0->type != ICMP4_echo_reply && - !icmp_is_error_message (icmp0))) - { - b0->error = 
node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE]; - next0 = SNAT_OUT2IN_NEXT_DROP; - goto out; - } - - goto out; + ip0 = vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; -out: - *p_proto = protocol; - if (ses0) - { - p_value->addr = new_addr0; - p_value->fib_index = sm->inside_fib_index; - p_value->port = ses0->in_port; - } - *p_dont_translate = dont_translate; - if (d) - *(snat_det_session_t**)d = ses0; - if (e) - *(snat_det_map_t**)e = dm0; - return next0; -} + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + ip4_fib_table_get_index_for_sw_if_index (sw_if_index0); -/**********************/ -/*** worker handoff ***/ -/**********************/ -static uword -snat_out2in_worker_handoff_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - snat_main_t *sm = &snat_main; - vlib_thread_main_t *tm = vlib_get_thread_main (); - u32 n_left_from, *from, *to_next = 0, *to_next_drop = 0; - static __thread vlib_frame_queue_elt_t **handoff_queue_elt_by_worker_index; - static __thread vlib_frame_queue_t **congested_handoff_queue_by_worker_index - = 0; - vlib_frame_queue_elt_t *hf = 0; - vlib_frame_queue_t *fq; - vlib_frame_t *f = 0; - int i; - u32 n_left_to_next_worker = 0, *to_next_worker = 0; - u32 next_worker_index = 0; - u32 current_worker_index = ~0; - u32 thread_index = vm->thread_index; - vlib_frame_t *d = 0; + vnet_feature_next (&next0, b0); - ASSERT (vec_len (sm->workers)); + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; + goto trace00; + } - if (PREDICT_FALSE (handoff_queue_elt_by_worker_index == 0)) - { - vec_validate (handoff_queue_elt_by_worker_index, tm->n_vlib_mains - 1); + proto0 = ip_proto_to_snat_proto (ip0->protocol); - 
vec_validate_init_empty (congested_handoff_queue_by_worker_index, - tm->n_vlib_mains - 1, - (vlib_frame_queue_t *) (~0)); - } + if (PREDICT_FALSE (proto0 == ~0)) + goto trace00; - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, + rx_fib_index0, node, next0, ~0, 0, 0); + goto trace00; + } - while (n_left_from > 0) - { - u32 bi0; - vlib_buffer_t *b0; - u32 sw_if_index0; - u32 rx_fib_index0; - ip4_header_t * ip0; - u8 do_handoff; - - bi0 = from[0]; - from += 1; - n_left_from -= 1; - - b0 = vlib_get_buffer (vm, bi0); - - sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0); - - ip0 = vlib_buffer_get_current (b0); - - next_worker_index = sm->worker_out2in_cb(ip0, rx_fib_index0); - - if (PREDICT_FALSE (next_worker_index != thread_index)) - { - do_handoff = 1; - - if (next_worker_index != current_worker_index) - { - fq = is_vlib_frame_queue_congested ( - sm->fq_out2in_index, next_worker_index, NAT_FQ_NELTS - 2, - congested_handoff_queue_by_worker_index); - - if (fq) - { - /* if this is 1st frame */ - if (!d) - { - d = vlib_get_frame_to_node (vm, sm->error_node_index); - to_next_drop = vlib_frame_vector_args (d); - } - - to_next_drop[0] = bi0; - to_next_drop += 1; - d->n_vectors++; - b0->error = node->errors[SNAT_OUT2IN_ERROR_FQ_CONGESTED]; - goto trace0; - } - - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; - - hf = vlib_get_worker_handoff_queue_elt (sm->fq_out2in_index, - next_worker_index, - handoff_queue_elt_by_worker_index); - - n_left_to_next_worker = VLIB_FRAME_SIZE - hf->n_vectors; - to_next_worker = &hf->buffer_index[hf->n_vectors]; - current_worker_index = next_worker_index; - } - - /* enqueue to correct worker thread */ - to_next_worker[0] = bi0; - to_next_worker++; - n_left_to_next_worker--; - - if (n_left_to_next_worker == 0) - { - 
hf->n_vectors = VLIB_FRAME_SIZE; - vlib_put_frame_queue_elt (hf); - current_worker_index = ~0; - handoff_queue_elt_by_worker_index[next_worker_index] = 0; - hf = 0; - } - } - else - { - do_handoff = 0; - /* if this is 1st frame */ - if (!f) - { - f = vlib_get_frame_to_node (vm, sm->out2in_node_index); - to_next = vlib_frame_vector_args (f); - } - - to_next[0] = bi0; - to_next += 1; - f->n_vectors++; - } - -trace0: - if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_worker_handoff_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->next_worker_index = next_worker_index; - t->do_handoff = do_handoff; - } - } + key0.addr = ip0->dst_address; + key0.port = udp0->dst_port; + key0.fib_index = rx_fib_index0; - if (f) - vlib_put_frame_to_node (vm, sm->out2in_node_index, f); + if (snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0)) + { + b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; + goto trace00; + } - if (d) - vlib_put_frame_to_node (vm, sm->error_node_index, d); + new_addr0 = sm0.addr.as_u32; + new_port0 = sm0.port; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index; + old_addr0 = ip0->dst_address.as_u32; + ip0->dst_address.as_u32 = new_addr0; - if (hf) - hf->n_vectors = VLIB_FRAME_SIZE - n_left_to_next_worker; + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + ip0->checksum = ip_csum_fold (sum0); - /* Ship frames to the worker nodes */ - for (i = 0; i < vec_len (handoff_queue_elt_by_worker_index); i++) - { - if (handoff_queue_elt_by_worker_index[i]) - { - hf = handoff_queue_elt_by_worker_index[i]; - /* - * It works better to let the handoff node - * rate-adapt, always ship the handoff queue element. 
- */ - if (1 || hf->n_vectors == hf->last_n_vectors) + if (PREDICT_FALSE (new_port0 != udp0->dst_port)) { - vlib_put_frame_queue_elt (hf); - handoff_queue_elt_by_worker_index[i] = 0; + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->dst_port; + tcp0->dst_port = new_port0; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->dst_port; + udp0->dst_port = new_port0; + udp0->checksum = 0; + } } else - hf->last_n_vectors = hf->n_vectors; - } - congested_handoff_queue_by_worker_index[i] = - (vlib_frame_queue_t *) (~0); - } - hf = 0; - current_worker_index = ~0; - return frame->n_vectors; -} - -VLIB_REGISTER_NODE (snat_out2in_worker_handoff_node) = { - .function = snat_out2in_worker_handoff_fn, - .name = "nat44-out2in-worker-handoff", - .vector_size = sizeof (u32), - .format_trace = format_snat_out2in_worker_handoff_trace, - .type = VLIB_NODE_TYPE_INTERNAL, - - .n_errors = ARRAY_LEN(snat_out2in_error_strings), - .error_strings = snat_out2in_error_strings, - - .n_next_nodes = 1, - - .next_nodes = { - [0] = "error-drop", - }, -}; - -VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_worker_handoff_node, snat_out2in_worker_handoff_fn); - -static uword -snat_out2in_fast_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - u32 n_left_from, * from, * to_next; - snat_out2in_next_t next_index; - u32 pkts_processed = 0; - snat_main_t * sm = &snat_main; - - from = vlib_frame_vector_args (frame); - n_left_from = frame->n_vectors; - next_index = node->cached_next_index; - - while (n_left_from > 0) - { - u32 n_left_to_next; - - vlib_get_next_frame (vm, node, next_index, - to_next, n_left_to_next); - - while (n_left_from > 0 && n_left_to_next > 0) - { - u32 bi0; - 
vlib_buffer_t * b0; - u32 next0 = SNAT_OUT2IN_NEXT_DROP; - u32 sw_if_index0; - ip4_header_t * ip0; - ip_csum_t sum0; - u32 new_addr0, old_addr0; - u16 new_port0, old_port0; - udp_header_t * udp0; - tcp_header_t * tcp0; - icmp46_header_t * icmp0; - snat_session_key_t key0, sm0; - u32 proto0; - u32 rx_fib_index0; - - /* speculatively enqueue b0 to the current next frame */ - bi0 = from[0]; - to_next[0] = bi0; - from += 1; - to_next += 1; - n_left_from -= 1; - n_left_to_next -= 1; + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); - b0 = vlib_get_buffer (vm, bi0); + tcp0->checksum = ip_csum_fold (sum0); + } + } - ip0 = vlib_buffer_get_current (b0); - udp0 = ip4_next_header (ip0); - tcp0 = (tcp_header_t *) udp0; - icmp0 = (icmp46_header_t *) udp0; + trace00: - sw_if_index0 = vnet_buffer(b0)->sw_if_index[VLIB_RX]; - rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index(sw_if_index0); + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + snat_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->sw_if_index = sw_if_index0; + t->next_index = next0; + } - vnet_feature_next (&next0, b0); + pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; - if (PREDICT_FALSE(ip0->ttl == 1)) - { - vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; - icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, - ICMP4_time_exceeded_ttl_exceeded_in_transit, - 0); - next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR; - goto trace00; - } - - proto0 = ip_proto_to_snat_proto (ip0->protocol); - - if (PREDICT_FALSE (proto0 == ~0)) - goto trace00; - - if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) - { - next0 = icmp_out2in(sm, b0, ip0, icmp0, sw_if_index0, - rx_fib_index0, node, next0, ~0, 0, 0); - goto trace00; - } - - key0.addr = ip0->dst_address; - key0.port = udp0->dst_port; - key0.fib_index = 
rx_fib_index0; - - if (snat_static_mapping_match(sm, key0, &sm0, 1, 0, 0, 0, 0)) - { - b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION]; - goto trace00; - } - - new_addr0 = sm0.addr.as_u32; - new_port0 = sm0.port; - vnet_buffer(b0)->sw_if_index[VLIB_TX] = sm0.fib_index; - old_addr0 = ip0->dst_address.as_u32; - ip0->dst_address.as_u32 = new_addr0; - - sum0 = ip0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - ip0->checksum = ip_csum_fold (sum0); - - if (PREDICT_FALSE(new_port0 != udp0->dst_port)) - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - old_port0 = tcp0->dst_port; - tcp0->dst_port = new_port0; - - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - - sum0 = ip_csum_update (sum0, old_port0, new_port0, - ip4_header_t /* cheat */, - length /* changed member */); - tcp0->checksum = ip_csum_fold(sum0); - } - else - { - old_port0 = udp0->dst_port; - udp0->dst_port = new_port0; - udp0->checksum = 0; - } - } - else - { - if (PREDICT_TRUE(proto0 == SNAT_PROTOCOL_TCP)) - { - sum0 = tcp0->checksum; - sum0 = ip_csum_update (sum0, old_addr0, new_addr0, - ip4_header_t, - dst_address /* changed member */); - - tcp0->checksum = ip_csum_fold(sum0); - } - } - - trace00: - - if (PREDICT_FALSE((node->flags & VLIB_NODE_FLAG_TRACE) - && (b0->flags & VLIB_BUFFER_IS_TRACED))) - { - snat_out2in_trace_t *t = - vlib_add_trace (vm, node, b0, sizeof (*t)); - t->sw_if_index = sw_if_index0; - t->next_index = next0; - } - - pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP; - - /* verify speculative enqueue, maybe switch current next frame */ + /* verify speculative enqueue, maybe switch current next frame */ vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next, n_left_to_next, bi0, next0); 
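Review bot: In the final `else` branch of the port rewrite (static mapping keeps the port), only TCP gets its transport checksum updated for the new destination address; a UDP packet carrying a non-zero checksum leaves this node with a checksum that no longer matches the rewritten pseudo-header and is discarded by the receiver. The branch above it avoids the problem by zeroing the UDP checksum, which is legal on IPv4 but throws away the integrity check the sender supplied, so the incremental `ip_csum_update` already used for TCP is the better fix in both places, guarded by `if (udp0->checksum)` so that a sender-supplied zero stays zero and with a folded 0 sent as 0xffff per RFC 768. The rewritten `else` branch is below; the same `else if (udp0->checksum)` update, with the `old_port0`/`new_port0` term added, would replace `udp0->checksum = 0;` in the port-change branch. The enclosing `snat_out2in_fast_node_fn` loop opens in the previous hunk and the function closes in the next one.
```c
          else
            {
              /* … unchanged: TCP address-only checksum update … */
              else if (udp0->checksum)
                {
                  /* UDP checksum covers the pseudo-header, so the
                     destination rewrite must be folded in; a zero
                     (absent) checksum is left alone by the guard. */
                  sum0 = udp0->checksum;
                  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
                                         ip4_header_t,
                                         dst_address /* changed member */ );
                  udp0->checksum = ip_csum_fold (sum0);
                  if (!udp0->checksum)
                    udp0->checksum = 0xffff;    /* RFC 768: 0 means "none" */
                }
            }
```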
@@ -4330,11 +1739,12 @@ snat_out2in_fast_node_fn (vlib_main_t * vm, } vlib_node_increment_counter (vm, snat_out2in_fast_node.index, - SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, - pkts_processed); + SNAT_OUT2IN_ERROR_OUT2IN_PACKETS, + pkts_processed); return frame->n_vectors; } +/* *INDENT-OFF* */ VLIB_REGISTER_NODE (snat_out2in_fast_node) = { .function = snat_out2in_fast_node_fn, .name = "nat44-out2in-fast", @@ -4357,4 +1767,15 @@ VLIB_REGISTER_NODE (snat_out2in_fast_node) = { [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass", }, }; -VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn); +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, + snat_out2in_fast_node_fn); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c new file mode 100644 index 00000000000..4236285df8d --- /dev/null +++ b/src/plugins/nat/out2in_ed.c 
@@ -0,0 +1,1868 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * @file
+ * @brief NAT44 endpoint-dependent outside to inside network translation
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define foreach_nat_out2in_ed_error \
+_(UNSUPPORTED_PROTOCOL, "Unsupported protocol") \
+_(OUT2IN_PACKETS, "Good out2in packets processed") \
+_(OUT_OF_PORTS, "Out of ports") \
+_(BAD_ICMP_TYPE, "unsupported ICMP type") \
+_(NO_TRANSLATION, "No translation") \
+_(MAX_SESSIONS_EXCEEDED, "Maximum sessions exceeded") \
+_(DROP_FRAGMENT, "Drop fragment") \
+_(MAX_REASS, "Maximum reassemblies exceeded") \
+_(MAX_FRAG, "Maximum fragments per reassembly exceeded")
+
+typedef enum
+{
+#define _(sym,str) NAT_OUT2IN_ED_ERROR_##sym,
+ foreach_nat_out2in_ed_error
+#undef _
+ NAT_OUT2IN_ED_N_ERROR,
+} nat_out2in_ed_error_t;
+
+static char *nat_out2in_ed_error_strings[] = {
+#define _(sym,string) string,
+ foreach_nat_out2in_ed_error
+#undef _
+};
+
+typedef enum
+{
+ NAT44_ED_OUT2IN_NEXT_DROP,
+ NAT44_ED_OUT2IN_NEXT_LOOKUP,
+ NAT44_ED_OUT2IN_NEXT_ICMP_ERROR,
+ NAT44_ED_OUT2IN_NEXT_IN2OUT,
+ NAT44_ED_OUT2IN_NEXT_SLOW_PATH,
+ NAT44_ED_OUT2IN_NEXT_REASS,
+ NAT44_ED_OUT2IN_N_NEXT,
+} nat44_ed_out2in_next_t;
+
+typedef struct
+{
+ u32 sw_if_index;
+ u32 next_index;
+ u32 session_index;
+ u32 is_slow_path;
+} nat44_ed_out2in_trace_t;
+
+vlib_node_registration_t nat44_ed_out2in_node; +vlib_node_registration_t nat44_ed_out2in_slowpath_node; +vlib_node_registration_t nat44_ed_out2in_reass_node; + +static u8 * +format_nat44_ed_out2in_trace (u8 * s, va_list * args) +{ + CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); + CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); + nat44_ed_out2in_trace_t *t = va_arg (*args, nat44_ed_out2in_trace_t *); + char *tag; + + tag = + t->is_slow_path ? "NAT44_OUT2IN_ED_SLOW_PATH" : + "NAT44_OUT2IN_ED_FAST_PATH"; + + s = format (s, "%s: sw_if_index %d, next index %d, session %d", tag, + t->sw_if_index, t->next_index, t->session_index); + + return s; +} + +static inline u32 +icmp_out2in_ed_slow_path (snat_main_t * sm, vlib_buffer_t * b0, + ip4_header_t * ip0, icmp46_header_t * icmp0, + u32 sw_if_index0, u32 rx_fib_index0, + vlib_node_runtime_t * node, u32 next0, f64 now, + u32 thread_index, snat_session_t ** p_s0) +{ + next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, thread_index, p_s0, 0); + snat_session_t *s0 = *p_s0; + if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP && s0)) + { + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain + (sm->vlib_main, b0)); + } + return next0; +} + +int +nat44_o2i_ed_is_idle_session_cb (clib_bihash_kv_16_8_t * kv, void *arg) +{ + snat_main_t *sm = &snat_main; + nat44_is_idle_session_ctx_t *ctx = arg; + snat_session_t *s; + u64 sess_timeout_time; + nat_ed_ses_key_t ed_key; + clib_bihash_kv_16_8_t ed_kv; + int i; + snat_address_t *a; + snat_session_key_t key; + snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data, + ctx->thread_index); + + s = pool_elt_at_index (tsm->sessions, kv->value); + sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s); + if (ctx->now >= sess_timeout_time) + { + ed_key.l_addr = s->in2out.addr; + ed_key.r_addr = s->ext_host_addr; + ed_key.fib_index = 
s->out2in.fib_index; + if (snat_is_unk_proto_session (s)) + { + ed_key.proto = s->in2out.port; + ed_key.r_port = 0; + ed_key.l_port = 0; + } + else + { + ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol); + ed_key.l_port = s->in2out.port; + ed_key.r_port = s->ext_host_port; + } + if (is_twice_nat_session (s)) + { + ed_key.r_addr = s->ext_host_nat_addr; + ed_key.r_port = s->ext_host_nat_port; + } + ed_kv.key[0] = ed_key.as_u64[0]; + ed_kv.key[1] = ed_key.as_u64[1]; + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &ed_kv, 0)) + nat_log_warn ("in2out_ed key del failed"); + + if (snat_is_unk_proto_session (s)) + goto delete; + + snat_ipfix_logging_nat44_ses_delete (s->in2out.addr.as_u32, + s->out2in.addr.as_u32, + s->in2out.protocol, + s->in2out.port, + s->out2in.port, + s->in2out.fib_index); + + if (is_twice_nat_session (s)) + { + for (i = 0; i < vec_len (sm->twice_nat_addresses); i++) + { + key.protocol = s->in2out.protocol; + key.port = s->ext_host_nat_port; + a = sm->twice_nat_addresses + i; + if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32) + { + snat_free_outside_address_and_port (sm->twice_nat_addresses, + ctx->thread_index, + &key); + break; + } + } + } + + if (snat_is_session_static (s)) + goto delete; + + snat_free_outside_address_and_port (sm->addresses, ctx->thread_index, + &s->out2in); + delete: + nat44_delete_session (sm, s, ctx->thread_index); + return 1; + } + + return 0; +} + +static snat_session_t * +create_session_for_static_mapping_ed (snat_main_t * sm, + vlib_buffer_t * b, + snat_session_key_t l_key, + snat_session_key_t e_key, + vlib_node_runtime_t * node, + u32 thread_index, + twice_nat_type_t twice_nat, + lb_nat_type_t lb_nat, f64 now) +{ + snat_session_t *s; + snat_user_t *u; + ip4_header_t *ip; + udp_header_t *udp; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + clib_bihash_kv_16_8_t kv; + snat_session_key_t eh_key; + nat44_is_idle_session_ctx_t ctx; + + if (PREDICT_FALSE (maximum_sessions_exceeded (sm, 
thread_index))) + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED]; + nat_log_notice ("maximum sessions exceeded"); + return 0; + } + + u = nat_user_get_or_create (sm, &l_key.addr, l_key.fib_index, thread_index); + if (!u) + { + nat_log_warn ("create NAT user failed"); + return 0; + } + + s = nat_ed_session_alloc (sm, u, thread_index); + if (!s) + { + nat44_delete_user_with_no_session (sm, u, thread_index); + nat_log_warn ("create NAT session failed"); + return 0; + } + + ip = vlib_buffer_get_current (b); + udp = ip4_next_header (ip); + + s->ext_host_addr.as_u32 = ip->src_address.as_u32; + s->ext_host_port = e_key.protocol == SNAT_PROTOCOL_ICMP ? 0 : udp->src_port; + s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; + if (lb_nat) + s->flags |= SNAT_SESSION_FLAG_LOAD_BALANCING; + if (lb_nat == AFFINITY_LB_NAT) + s->flags |= SNAT_SESSION_FLAG_AFFINITY; + s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; + s->out2in = e_key; + s->in2out = l_key; + s->in2out.protocol = s->out2in.protocol; + user_session_increment (sm, u, 1); + + /* Add to lookup tables */ + make_ed_kv (&kv, &e_key.addr, &s->ext_host_addr, ip->protocol, + e_key.fib_index, e_key.port, s->ext_host_port); + kv.value = s - tsm->sessions; + ctx.now = now; + ctx.thread_index = thread_index; + if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->out2in_ed, &kv, + nat44_o2i_ed_is_idle_session_cb, + &ctx)) + nat_log_notice ("out2in-ed key add failed"); + + if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF && + ip->src_address.as_u32 == l_key.addr.as_u32)) + { + eh_key.protocol = e_key.protocol; + if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0, + thread_index, &eh_key, + sm->port_per_thread, + tsm->snat_thread_index)) + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS]; + nat44_delete_session (sm, s, thread_index); + if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &kv, 0)) + nat_log_notice ("out2in-ed key del failed"); + return 0; + } + 
s->ext_host_nat_addr.as_u32 = eh_key.addr.as_u32; + s->ext_host_nat_port = eh_key.port; + s->flags |= SNAT_SESSION_FLAG_TWICE_NAT; + make_ed_kv (&kv, &l_key.addr, &s->ext_host_nat_addr, ip->protocol, + l_key.fib_index, l_key.port, s->ext_host_nat_port); + } + else + { + make_ed_kv (&kv, &l_key.addr, &s->ext_host_addr, ip->protocol, + l_key.fib_index, l_key.port, s->ext_host_port); + } + kv.value = s - tsm->sessions; + if (clib_bihash_add_or_overwrite_stale_16_8 (&tsm->in2out_ed, &kv, + nat44_i2o_ed_is_idle_session_cb, + &ctx)) + nat_log_notice ("in2out-ed key add failed"); + + return s; +} + +static_always_inline int +icmp_get_ed_key (ip4_header_t * ip0, nat_ed_ses_key_t * p_key0) +{ + icmp46_header_t *icmp0; + nat_ed_ses_key_t key0; + icmp_echo_header_t *echo0, *inner_echo0 = 0; + ip4_header_t *inner_ip0; + void *l4_header = 0; + icmp46_header_t *inner_icmp0; + + icmp0 = (icmp46_header_t *) ip4_next_header (ip0); + echo0 = (icmp_echo_header_t *) (icmp0 + 1); + + if (!icmp_is_error_message (icmp0)) + { + key0.proto = IP_PROTOCOL_ICMP; + key0.l_addr = ip0->dst_address; + key0.r_addr = ip0->src_address; + key0.l_port = echo0->identifier; + key0.r_port = 0; + } + else + { + inner_ip0 = (ip4_header_t *) (echo0 + 1); + l4_header = ip4_next_header (inner_ip0); + key0.proto = inner_ip0->protocol; + key0.l_addr = inner_ip0->src_address; + key0.r_addr = inner_ip0->dst_address; + switch (ip_proto_to_snat_proto (inner_ip0->protocol)) + { + case SNAT_PROTOCOL_ICMP: + inner_icmp0 = (icmp46_header_t *) l4_header; + inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1); + key0.l_port = inner_echo0->identifier; + key0.r_port = 0; + break; + case SNAT_PROTOCOL_UDP: + case SNAT_PROTOCOL_TCP: + key0.l_port = ((tcp_udp_header_t *) l4_header)->src_port; + key0.r_port = ((tcp_udp_header_t *) l4_header)->dst_port; + break; + default: + return -1; + } + } + *p_key0 = key0; + return 0; +} + +static int +next_src_nat (snat_main_t * sm, ip4_header_t * ip, u8 proto, u16 src_port, + u16 
dst_port, u32 thread_index, u32 rx_fib_index) +{ + clib_bihash_kv_16_8_t kv, value; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + + make_ed_kv (&kv, &ip->src_address, &ip->dst_address, proto, + rx_fib_index, src_port, dst_port); + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) + return 1; + + return 0; +} + +static void +create_bypass_for_fwd (snat_main_t * sm, ip4_header_t * ip, u32 rx_fib_index, + u32 thread_index) +{ + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv, value; + udp_header_t *udp; + snat_user_t *u; + snat_session_t *s = 0; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + f64 now = vlib_time_now (sm->vlib_main); + + if (ip->protocol == IP_PROTOCOL_ICMP) + { + if (icmp_get_ed_key (ip, &key)) + return; + } + else if (ip->protocol == IP_PROTOCOL_UDP || ip->protocol == IP_PROTOCOL_TCP) + { + udp = ip4_next_header (ip); + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = udp->dst_port; + key.r_port = udp->src_port; + } + else + { + key.r_addr = ip->src_address; + key.l_addr = ip->dst_address; + key.proto = ip->protocol; + key.l_port = key.r_port = 0; + } + key.fib_index = 0; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + + if (!clib_bihash_search_16_8 (&tsm->in2out_ed, &kv, &value)) + { + s = pool_elt_at_index (tsm->sessions, value.value); + } + else + { + if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index))) + return; + + u = nat_user_get_or_create (sm, &ip->dst_address, sm->inside_fib_index, + thread_index); + if (!u) + { + nat_log_warn ("create NAT user failed"); + return; + } + + s = nat_ed_session_alloc (sm, u, thread_index); + if (!s) + { + nat44_delete_user_with_no_session (sm, u, thread_index); + nat_log_warn ("create NAT session failed"); + return; + } + + s->ext_host_addr = key.r_addr; + s->ext_host_port = key.r_port; + s->flags |= SNAT_SESSION_FLAG_FWD_BYPASS; + s->out2in.addr = key.l_addr; + 
s->out2in.port = key.l_port; + s->out2in.protocol = ip_proto_to_snat_proto (key.proto); + s->out2in.fib_index = 0; + s->in2out = s->out2in; + user_session_increment (sm, u, 0); + + kv.value = s - tsm->sessions; + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &kv, 1)) + nat_log_notice ("in2out_ed key add failed"); + } + + if (ip->protocol == IP_PROTOCOL_TCP) + { + tcp_header_t *tcp = ip4_next_header (ip); + if (nat44_set_tcp_session_state_o2i (sm, s, tcp, thread_index)) + return; + } + + /* Accounting */ + nat44_session_update_counters (s, now, 0); +} + +u32 +icmp_match_out2in_ed (snat_main_t * sm, vlib_node_runtime_t * node, + u32 thread_index, vlib_buffer_t * b, ip4_header_t * ip, + u8 * p_proto, snat_session_key_t * p_value, + u8 * p_dont_translate, void *d, void *e) +{ + u32 next = ~0, sw_if_index, rx_fib_index; + icmp46_header_t *icmp; + nat_ed_ses_key_t key; + clib_bihash_kv_16_8_t kv, value; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + snat_session_t *s = 0; + u8 dont_translate = 0, is_addr_only; + snat_session_key_t e_key, l_key; + + icmp = (icmp46_header_t *) ip4_next_header (ip); + sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX]; + rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index); + + if (icmp_get_ed_key (ip, &key)) + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_UNSUPPORTED_PROTOCOL]; + next = NAT44_ED_OUT2IN_NEXT_DROP; + goto out; + } + key.fib_index = rx_fib_index; + kv.key[0] = key.as_u64[0]; + kv.key[1] = key.as_u64[1]; + + if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv, &value)) + { + /* Try to match static mapping */ + e_key.addr = ip->dst_address; + e_key.port = key.l_port; + e_key.protocol = ip_proto_to_snat_proto (key.proto); + e_key.fib_index = rx_fib_index; + if (snat_static_mapping_match + (sm, e_key, &l_key, 1, &is_addr_only, 0, 0, 0)) + { + if (!sm->forwarding_enabled) + { + /* Don't NAT packet aimed at the intfc address */ + if (PREDICT_FALSE (is_interface_addr (sm, node, 
sw_if_index, + ip->dst_address.as_u32))) + { + dont_translate = 1; + goto out; + } + b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + next = NAT44_ED_OUT2IN_NEXT_DROP; + goto out; + } + else + { + dont_translate = 1; + if (next_src_nat (sm, ip, key.proto, key.l_port, key.r_port, + thread_index, rx_fib_index)) + { + next = NAT44_ED_OUT2IN_NEXT_IN2OUT; + goto out; + } + create_bypass_for_fwd (sm, ip, rx_fib_index, thread_index); + goto out; + } + } + + if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply && + (icmp->type != ICMP4_echo_request || !is_addr_only))) + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE]; + next = NAT44_ED_OUT2IN_NEXT_DROP; + goto out; + } + + /* Create session initiated by host from external network */ + s = create_session_for_static_mapping_ed (sm, b, l_key, e_key, node, + thread_index, 0, 0, + vlib_time_now + (sm->vlib_main)); + + if (!s) + { + next = NAT44_ED_OUT2IN_NEXT_DROP; + goto out; + } + } + else + { + if (PREDICT_FALSE (icmp->type != ICMP4_echo_reply && + icmp->type != ICMP4_echo_request && + !icmp_is_error_message (icmp))) + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_BAD_ICMP_TYPE]; + next = NAT44_ED_OUT2IN_NEXT_DROP; + goto out; + } + + s = pool_elt_at_index (tsm->sessions, value.value); + } + + *p_proto = ip_proto_to_snat_proto (key.proto); +out: + if (s) + *p_value = s->in2out; + *p_dont_translate = dont_translate; + if (d) + *(snat_session_t **) d = s; + return next; +} + +static snat_session_t * +nat44_ed_out2in_unknown_proto (snat_main_t * sm, + vlib_buffer_t * b, + ip4_header_t * ip, + u32 rx_fib_index, + u32 thread_index, + f64 now, + vlib_main_t * vm, vlib_node_runtime_t * node) +{ + clib_bihash_kv_8_8_t kv, value; + clib_bihash_kv_16_8_t s_kv, s_value; + snat_static_mapping_t *m; + u32 old_addr, new_addr; + ip_csum_t sum; + snat_session_t *s; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + snat_user_t *u; + + old_addr = ip->dst_address.as_u32; + + make_ed_kv 
(&s_kv, &ip->dst_address, &ip->src_address, ip->protocol, + rx_fib_index, 0, 0); + + if (!clib_bihash_search_16_8 (&tsm->out2in_ed, &s_kv, &s_value)) + { + s = pool_elt_at_index (tsm->sessions, s_value.value); + new_addr = ip->dst_address.as_u32 = s->in2out.addr.as_u32; + } + else + { + if (PREDICT_FALSE (maximum_sessions_exceeded (sm, thread_index))) + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_SESSIONS_EXCEEDED]; + nat_log_notice ("maximum sessions exceeded"); + return 0; + } + + make_sm_kv (&kv, &ip->dst_address, 0, 0, 0); + if (clib_bihash_search_8_8 + (&sm->static_mapping_by_external, &kv, &value)) + { + b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + return 0; + } + + m = pool_elt_at_index (sm->static_mappings, value.value); + + new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32; + + u = nat_user_get_or_create (sm, &m->local_addr, m->fib_index, + thread_index); + if (!u) + { + nat_log_warn ("create NAT user failed"); + return 0; + } + + /* Create a new session */ + s = nat_ed_session_alloc (sm, u, thread_index); + if (!s) + { + nat44_delete_user_with_no_session (sm, u, thread_index); + nat_log_warn ("create NAT session failed"); + return 0; + } + + s->ext_host_addr.as_u32 = ip->src_address.as_u32; + s->flags |= SNAT_SESSION_FLAG_UNKNOWN_PROTO; + s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING; + s->flags |= SNAT_SESSION_FLAG_ENDPOINT_DEPENDENT; + s->out2in.addr.as_u32 = old_addr; + s->out2in.fib_index = rx_fib_index; + s->in2out.addr.as_u32 = new_addr; + s->in2out.fib_index = m->fib_index; + s->in2out.port = s->out2in.port = ip->protocol; + user_session_increment (sm, u, 1); + + /* Add to lookup tables */ + s_kv.value = s - tsm->sessions; + if (clib_bihash_add_del_16_8 (&tsm->out2in_ed, &s_kv, 1)) + nat_log_notice ("out2in key add failed"); + + make_ed_kv (&s_kv, &ip->dst_address, &ip->src_address, ip->protocol, + m->fib_index, 0, 0); + s_kv.value = s - tsm->sessions; + if (clib_bihash_add_del_16_8 (&tsm->in2out_ed, &s_kv, 1)) + 
nat_log_notice ("in2out key add failed"); + } + + /* Update IP checksum */ + sum = ip->checksum; + sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address); + ip->checksum = ip_csum_fold (sum); + + vnet_buffer (b)->sw_if_index[VLIB_TX] = s->in2out.fib_index; + + /* Accounting */ + nat44_session_update_counters (s, now, vlib_buffer_length_in_chain (vm, b)); + + return s; +} + +static inline uword +nat44_ed_out2in_node_fn_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame, int is_slow_path) +{ + u32 n_left_from, *from, *to_next, pkts_processed = 0, stats_node_index; + nat44_ed_out2in_next_t next_index; + snat_main_t *sm = &snat_main; + f64 now = vlib_time_now (vm); + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index]; + + stats_node_index = is_slow_path ? nat44_ed_out2in_slowpath_node.index : + nat44_ed_out2in_node.index; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from >= 4 && n_left_to_next >= 2) + { + u32 bi0, bi1; + vlib_buffer_t *b0, *b1; + u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, + new_addr0; + u32 next1, sw_if_index1, rx_fib_index1, proto1, old_addr1, + new_addr1; + u16 old_port0, new_port0, old_port1, new_port1; + ip4_header_t *ip0, *ip1; + udp_header_t *udp0, *udp1; + tcp_header_t *tcp0, *tcp1; + icmp46_header_t *icmp0, *icmp1; + snat_session_t *s0 = 0, *s1 = 0; + clib_bihash_kv_16_8_t kv0, value0, kv1, value1; + ip_csum_t sum0, sum1; + snat_session_key_t e_key0, l_key0, e_key1, l_key1; + lb_nat_type_t lb_nat0, lb_nat1; + twice_nat_type_t twice_nat0, twice_nat1; + + /* Prefetch next iteration. 
*/ + { + vlib_buffer_t *p2, *p3; + + p2 = vlib_get_buffer (vm, from[2]); + p3 = vlib_get_buffer (vm, from[3]); + + vlib_prefetch_buffer_header (p2, LOAD); + vlib_prefetch_buffer_header (p3, LOAD); + + CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE); + CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE); + } + + /* speculatively enqueue b0 and b1 to the current next frame */ + to_next[0] = bi0 = from[0]; + to_next[1] = bi1 = from[1]; + from += 2; + to_next += 2; + n_left_from -= 2; + n_left_to_next -= 2; + + b0 = vlib_get_buffer (vm, bi0); + b1 = vlib_get_buffer (vm, bi1); + + next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP; + vnet_buffer (b0)->snat.flags = 0; + ip0 = vlib_buffer_get_current (b0); + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR; + goto trace00; + } + + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (is_slow_path) + { + if (PREDICT_FALSE (proto0 == ~0)) + { + s0 = + nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0, + thread_index, now, vm, + node); + if (!sm->forwarding_enabled) + { + if (!s0) + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace00; + } + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_out2in_ed_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + goto trace00; + } + } + else + { + if (PREDICT_FALSE (proto0 == ~0)) + { + next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace00; + } + + if (ip4_is_fragment (ip0)) + { + next0 = NAT44_ED_OUT2IN_NEXT_REASS; + goto trace00; + } + + if (PREDICT_FALSE (proto0 == 
SNAT_PROTOCOL_ICMP)) + { + next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace00; + } + } + + make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, + ip0->protocol, rx_fib_index0, udp0->dst_port, + udp0->src_port); + + if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0)) + { + if (is_slow_path) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + e_key0.addr = ip0->dst_address; + e_key0.port = udp0->dst_port; + e_key0.protocol = proto0; + e_key0.fib_index = rx_fib_index0; + if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0, + &twice_nat0, &lb_nat0, + &ip0->src_address)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP + && (udp0->dst_port == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next (&next0, b0); + goto trace00; + } + + if (!sm->forwarding_enabled) + { + b0->error = + node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + } + else + { + if (next_src_nat (sm, ip0, ip0->protocol, + udp0->src_port, udp0->dst_port, + thread_index, rx_fib_index0)) + { + next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT; + goto trace00; + } + create_bypass_for_fwd (sm, ip0, rx_fib_index0, + thread_index); + } + goto trace00; + } + + /* Create session initiated by host from external network */ + s0 = create_session_for_static_mapping_ed (sm, b0, l_key0, + e_key0, node, + thread_index, + twice_nat0, + lb_nat0, now); + + if (!s0) + { + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace00; + } + } + else + { + next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace00; + } + } + else + { + s0 = pool_elt_at_index (tsm->sessions, value0.value); + } + + old_addr0 = ip0->dst_address.as_u32; + new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + + sum0 = ip0->checksum; + 
sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + dst_address); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, + s0->ext_host_nat_addr.as_u32, ip4_header_t, + src_address); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->dst_port; + new_port0 = tcp0->dst_port = s0->in2out.port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + dst_address); + sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t, + length); + if (is_twice_nat_session (s0)) + { + sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, + s0->ext_host_nat_addr.as_u32, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, tcp0->src_port, + s0->ext_host_nat_port, ip4_header_t, + length); + tcp0->src_port = s0->ext_host_nat_port; + ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; + } + tcp0->checksum = ip_csum_fold (sum0); + if (nat44_set_tcp_session_state_o2i + (sm, s0, tcp0, thread_index)) + goto trace00; + } + else + { + udp0->dst_port = s0->in2out.port; + if (is_twice_nat_session (s0)) + { + udp0->src_port = s0->ext_host_nat_port; + ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; + } + udp0->checksum = 0; + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + + trace00: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_ed_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->is_slow_path = is_slow_path; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (s0) + t->session_index = s0 - tsm->sessions; + } + + pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP; + + next1 = NAT44_ED_OUT2IN_NEXT_LOOKUP; + vnet_buffer (b1)->snat.flags = 0; + ip1 = vlib_buffer_get_current (b1); + + sw_if_index1 = vnet_buffer 
(b1)->sw_if_index[VLIB_RX]; + rx_fib_index1 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index1); + + if (PREDICT_FALSE (ip1->ttl == 1)) + { + vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next1 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR; + goto trace01; + } + + udp1 = ip4_next_header (ip1); + tcp1 = (tcp_header_t *) udp1; + icmp1 = (icmp46_header_t *) udp1; + proto1 = ip_proto_to_snat_proto (ip1->protocol); + + if (is_slow_path) + { + if (PREDICT_FALSE (proto1 == ~0)) + { + s1 = + nat44_ed_out2in_unknown_proto (sm, b1, ip1, rx_fib_index1, + thread_index, now, vm, + node); + if (!sm->forwarding_enabled) + { + if (!s1) + next1 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace01; + } + } + + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + next1 = icmp_out2in_ed_slow_path + (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node, + next1, now, thread_index, &s1); + goto trace01; + } + } + else + { + if (PREDICT_FALSE (proto1 == ~0)) + { + next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace01; + } + + if (ip4_is_fragment (ip1)) + { + next1 = NAT44_ED_OUT2IN_NEXT_REASS; + goto trace01; + } + + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_ICMP)) + { + next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace01; + } + } + + make_ed_kv (&kv1, &ip1->dst_address, &ip1->src_address, + ip1->protocol, rx_fib_index1, udp1->dst_port, + udp1->src_port); + + if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv1, &value1)) + { + if (is_slow_path) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + e_key1.addr = ip1->dst_address; + e_key1.port = udp1->dst_port; + e_key1.protocol = proto1; + e_key1.fib_index = rx_fib_index1; + if (snat_static_mapping_match (sm, e_key1, &l_key1, 1, 0, + &twice_nat1, &lb_nat1, + &ip1->src_address)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to 
use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto1 == SNAT_PROTOCOL_UDP + && (udp1->dst_port == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next (&next1, b1); + goto trace01; + } + + if (!sm->forwarding_enabled) + { + b1->error = + node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + next1 = NAT44_ED_OUT2IN_NEXT_DROP; + } + else + { + if (next_src_nat (sm, ip1, ip1->protocol, + udp1->src_port, udp1->dst_port, + thread_index, rx_fib_index1)) + { + next1 = NAT44_ED_OUT2IN_NEXT_IN2OUT; + goto trace01; + } + create_bypass_for_fwd (sm, ip1, rx_fib_index1, + thread_index); + } + goto trace01; + } + + /* Create session initiated by host from external network */ + s1 = create_session_for_static_mapping_ed (sm, b1, l_key1, + e_key1, node, + thread_index, + twice_nat1, + lb_nat1, now); + + if (!s1) + { + next1 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace01; + } + } + else + { + next1 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace01; + } + } + else + { + s1 = pool_elt_at_index (tsm->sessions, value1.value); + } + + old_addr1 = ip1->dst_address.as_u32; + new_addr1 = ip1->dst_address.as_u32 = s1->in2out.addr.as_u32; + vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index; + + sum1 = ip1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, + dst_address); + if (PREDICT_FALSE (is_twice_nat_session (s1))) + sum1 = ip_csum_update (sum1, ip1->src_address.as_u32, + s1->ext_host_nat_addr.as_u32, ip4_header_t, + src_address); + ip1->checksum = ip_csum_fold (sum1); + + if (PREDICT_TRUE (proto1 == SNAT_PROTOCOL_TCP)) + { + old_port1 = tcp1->dst_port; + new_port1 = tcp1->dst_port = s1->in2out.port; + + sum1 = tcp1->checksum; + sum1 = ip_csum_update (sum1, old_addr1, new_addr1, ip4_header_t, + dst_address); + sum1 = ip_csum_update (sum1, old_port1, new_port1, ip4_header_t, + length); + if (is_twice_nat_session (s1)) + { + sum1 = ip_csum_update (sum1, ip1->src_address.as_u32, + s1->ext_host_nat_addr.as_u32, 
+ ip4_header_t, dst_address); + sum1 = ip_csum_update (sum1, tcp1->src_port, + s1->ext_host_nat_port, ip4_header_t, + length); + tcp1->src_port = s1->ext_host_nat_port; + ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32; + } + tcp1->checksum = ip_csum_fold (sum1); + if (nat44_set_tcp_session_state_o2i + (sm, s1, tcp1, thread_index)) + goto trace01; + } + else + { + udp1->dst_port = s1->in2out.port; + if (is_twice_nat_session (s1)) + { + udp1->src_port = s1->ext_host_nat_port; + ip1->src_address.as_u32 = s1->ext_host_nat_addr.as_u32; + } + udp1->checksum = 0; + } + + /* Accounting */ + nat44_session_update_counters (s1, now, + vlib_buffer_length_in_chain (vm, + b1)); + + trace01: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b1->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_ed_out2in_trace_t *t = + vlib_add_trace (vm, node, b1, sizeof (*t)); + t->is_slow_path = is_slow_path; + t->sw_if_index = sw_if_index1; + t->next_index = next1; + t->session_index = ~0; + if (s1) + t->session_index = s1 - tsm->sessions; + } + + pkts_processed += next1 != NAT44_ED_OUT2IN_NEXT_DROP; + + /* verify speculative enqueues, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x2 (vm, node, next_index, + to_next, n_left_to_next, + bi0, bi1, next0, next1); + } + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0; + vlib_buffer_t *b0; + u32 next0, sw_if_index0, rx_fib_index0, proto0, old_addr0, + new_addr0; + u16 old_port0, new_port0; + ip4_header_t *ip0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + snat_session_t *s0 = 0; + clib_bihash_kv_16_8_t kv0, value0; + ip_csum_t sum0; + snat_session_key_t e_key0, l_key0; + lb_nat_type_t lb_nat0; + twice_nat_type_t twice_nat0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP; + 
vnet_buffer (b0)->snat.flags = 0; + ip0 = vlib_buffer_get_current (b0); + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + + if (PREDICT_FALSE (ip0->ttl == 1)) + { + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded, + ICMP4_time_exceeded_ttl_exceeded_in_transit, + 0); + next0 = NAT44_ED_OUT2IN_NEXT_ICMP_ERROR; + goto trace0; + } + + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + if (is_slow_path) + { + if (PREDICT_FALSE (proto0 == ~0)) + { + s0 = + nat44_ed_out2in_unknown_proto (sm, b0, ip0, rx_fib_index0, + thread_index, now, vm, + node); + if (!sm->forwarding_enabled) + { + if (!s0) + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace0; + } + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_out2in_ed_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + goto trace0; + } + } + else + { + if (PREDICT_FALSE (proto0 == ~0)) + { + next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace0; + } + + if (ip4_is_fragment (ip0)) + { + next0 = NAT44_ED_OUT2IN_NEXT_REASS; + goto trace0; + } + + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace0; + } + } + + make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, + ip0->protocol, rx_fib_index0, udp0->dst_port, + udp0->src_port); + + if (clib_bihash_search_16_8 (&tsm->out2in_ed, &kv0, &value0)) + { + if (is_slow_path) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + e_key0.addr = ip0->dst_address; + e_key0.port = udp0->dst_port; + e_key0.protocol = proto0; + e_key0.fib_index = rx_fib_index0; + if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0, + &twice_nat0, &lb_nat0, + 
&ip0->src_address)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP + && (udp0->dst_port == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next (&next0, b0); + goto trace0; + } + + if (!sm->forwarding_enabled) + { + b0->error = + node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + } + else + { + if (next_src_nat (sm, ip0, ip0->protocol, + udp0->src_port, udp0->dst_port, + thread_index, rx_fib_index0)) + { + next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT; + goto trace0; + } + create_bypass_for_fwd (sm, ip0, rx_fib_index0, + thread_index); + } + goto trace0; + } + + /* Create session initiated by host from external network */ + s0 = create_session_for_static_mapping_ed (sm, b0, l_key0, + e_key0, node, + thread_index, + twice_nat0, + lb_nat0, now); + + if (!s0) + { + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace0; + } + } + else + { + next0 = NAT44_ED_OUT2IN_NEXT_SLOW_PATH; + goto trace0; + } + } + else + { + s0 = pool_elt_at_index (tsm->sessions, value0.value); + } + + old_addr0 = ip0->dst_address.as_u32; + new_addr0 = ip0->dst_address.as_u32 = s0->in2out.addr.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + dst_address); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, + s0->ext_host_nat_addr.as_u32, ip4_header_t, + src_address); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->dst_port; + new_port0 = tcp0->dst_port = s0->in2out.port; + + sum0 = tcp0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, + dst_address); + sum0 = ip_csum_update (sum0, old_port0, new_port0, ip4_header_t, + length); + if (is_twice_nat_session (s0)) 
+ { + sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, + s0->ext_host_nat_addr.as_u32, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, tcp0->src_port, + s0->ext_host_nat_port, ip4_header_t, + length); + tcp0->src_port = s0->ext_host_nat_port; + ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; + } + tcp0->checksum = ip_csum_fold (sum0); + if (nat44_set_tcp_session_state_o2i + (sm, s0, tcp0, thread_index)) + goto trace0; + } + else + { + udp0->dst_port = s0->in2out.port; + if (is_twice_nat_session (s0)) + { + udp0->src_port = s0->ext_host_nat_port; + ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; + } + udp0->checksum = 0; + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_ed_out2in_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->is_slow_path = is_slow_path; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + t->session_index = ~0; + if (s0) + t->session_index = s0 - tsm->sessions; + } + + pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP; + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, stats_node_index, + NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS, + pkts_processed); + return frame->n_vectors; +} + +static uword +nat44_ed_out2in_fast_path_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_out2in_node_fn_inline (vm, node, frame, 0); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_out2in_node) = { + .function = nat44_ed_out2in_fast_path_fn, + .name = "nat44-ed-out2in", + .vector_size = sizeof (u32), + .format_trace = format_nat44_ed_out2in_trace, + .type = 
VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings), + .error_strings = nat_out2in_ed_error_strings, + .runtime_data_bytes = sizeof (snat_runtime_t), + .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT, + .next_nodes = { + [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop", + [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", + [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath", + [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out", + [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_node, + nat44_ed_out2in_fast_path_fn); + +static uword +nat44_ed_out2in_slow_path_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + return nat44_ed_out2in_node_fn_inline (vm, node, frame, 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_out2in_slowpath_node) = { + .function = nat44_ed_out2in_slow_path_fn, + .name = "nat44-ed-out2in-slowpath", + .vector_size = sizeof (u32), + .format_trace = format_nat44_ed_out2in_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings), + .error_strings = nat_out2in_ed_error_strings, + .runtime_data_bytes = sizeof (snat_runtime_t), + .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT, + .next_nodes = { + [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop", + [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", + [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath", + [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out", + [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_slowpath_node, + nat44_ed_out2in_slow_path_fn); + +static uword +nat44_ed_out2in_reass_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * frame) +{ + u32 n_left_from, *from, *to_next; + nat44_ed_out2in_next_t next_index; + 
u32 pkts_processed = 0; + snat_main_t *sm = &snat_main; + f64 now = vlib_time_now (vm); + u32 thread_index = vm->thread_index; + snat_main_per_thread_data_t *per_thread_data = + &sm->per_thread_data[thread_index]; + u32 *fragments_to_drop = 0; + u32 *fragments_to_loopback = 0; + + from = vlib_frame_vector_args (frame); + n_left_from = frame->n_vectors; + next_index = node->cached_next_index; + + while (n_left_from > 0) + { + u32 n_left_to_next; + + vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next); + + while (n_left_from > 0 && n_left_to_next > 0) + { + u32 bi0, sw_if_index0, proto0, rx_fib_index0, new_addr0, old_addr0; + vlib_buffer_t *b0; + u32 next0; + u8 cached0 = 0; + ip4_header_t *ip0; + nat_reass_ip4_t *reass0; + udp_header_t *udp0; + tcp_header_t *tcp0; + icmp46_header_t *icmp0; + clib_bihash_kv_16_8_t kv0, value0; + snat_session_t *s0 = 0; + u16 old_port0, new_port0; + ip_csum_t sum0; + snat_session_key_t e_key0, l_key0; + lb_nat_type_t lb0; + twice_nat_type_t twice_nat0; + + /* speculatively enqueue b0 to the current next frame */ + bi0 = from[0]; + to_next[0] = bi0; + from += 1; + to_next += 1; + n_left_from -= 1; + n_left_to_next -= 1; + + b0 = vlib_get_buffer (vm, bi0); + next0 = NAT44_ED_OUT2IN_NEXT_LOOKUP; + + sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX]; + rx_fib_index0 = + fib_table_get_index_for_sw_if_index (FIB_PROTOCOL_IP4, + sw_if_index0); + + if (PREDICT_FALSE (nat_reass_is_drop_frag (0))) + { + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + b0->error = node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT]; + goto trace0; + } + + ip0 = (ip4_header_t *) vlib_buffer_get_current (b0); + udp0 = ip4_next_header (ip0); + tcp0 = (tcp_header_t *) udp0; + icmp0 = (icmp46_header_t *) udp0; + proto0 = ip_proto_to_snat_proto (ip0->protocol); + + reass0 = nat_ip4_reass_find_or_create (ip0->src_address, + ip0->dst_address, + ip0->fragment_id, + ip0->protocol, + 1, &fragments_to_drop); + + if (PREDICT_FALSE (!reass0)) + { + next0 = 
NAT44_ED_OUT2IN_NEXT_DROP; + b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_REASS]; + nat_log_notice ("maximum reassemblies exceeded"); + goto trace0; + } + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_ICMP)) + { + next0 = icmp_out2in_ed_slow_path + (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node, + next0, now, thread_index, &s0); + + if (PREDICT_TRUE (next0 != NAT44_ED_OUT2IN_NEXT_DROP)) + { + if (s0) + reass0->sess_index = s0 - per_thread_data->sessions; + else + reass0->flags |= NAT_REASS_FLAG_ED_DONT_TRANSLATE; + reass0->thread_index = thread_index; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + } + + goto trace0; + } + + make_ed_kv (&kv0, &ip0->dst_address, &ip0->src_address, + ip0->protocol, rx_fib_index0, udp0->dst_port, + udp0->src_port); + + if (clib_bihash_search_16_8 + (&per_thread_data->out2in_ed, &kv0, &value0)) + { + /* Try to match static mapping by external address and port, + destination address and port in packet */ + e_key0.addr = ip0->dst_address; + e_key0.port = udp0->dst_port; + e_key0.protocol = proto0; + e_key0.fib_index = rx_fib_index0; + if (snat_static_mapping_match (sm, e_key0, &l_key0, 1, 0, + &twice_nat0, &lb0, 0)) + { + /* + * Send DHCP packets to the ipv4 stack, or we won't + * be able to use dhcp client on the outside interface + */ + if (PREDICT_FALSE (proto0 == SNAT_PROTOCOL_UDP + && (udp0->dst_port + == + clib_host_to_net_u16 + (UDP_DST_PORT_dhcp_to_client)))) + { + vnet_feature_next (&next0, b0); + goto trace0; + } + + if (!sm->forwarding_enabled) + { + b0->error = + node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + } + else + { + if (next_src_nat (sm, ip0, ip0->protocol, + udp0->src_port, udp0->dst_port, + thread_index, rx_fib_index0)) + { + next0 = NAT44_ED_OUT2IN_NEXT_IN2OUT; + goto trace0; + } + create_bypass_for_fwd (sm, ip0, rx_fib_index0, + thread_index); + reass0->flags |= 
NAT_REASS_FLAG_ED_DONT_TRANSLATE; + nat_ip4_reass_get_frags (reass0, + &fragments_to_loopback); + } + goto trace0; + } + + /* Create session initiated by host from external network */ + s0 = create_session_for_static_mapping_ed (sm, b0, l_key0, + e_key0, node, + thread_index, + twice_nat0, lb0, + now); + if (!s0) + { + b0->error = + node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION]; + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace0; + } + reass0->sess_index = s0 - per_thread_data->sessions; + reass0->thread_index = thread_index; + } + else + { + s0 = pool_elt_at_index (per_thread_data->sessions, + value0.value); + reass0->sess_index = value0.value; + } + nat_ip4_reass_get_frags (reass0, &fragments_to_loopback); + } + else + { + if (reass0->flags & NAT_REASS_FLAG_ED_DONT_TRANSLATE) + goto trace0; + if (PREDICT_FALSE (reass0->sess_index == (u32) ~ 0)) + { + if (nat_ip4_reass_add_fragment + (reass0, bi0, &fragments_to_drop)) + { + b0->error = node->errors[NAT_OUT2IN_ED_ERROR_MAX_FRAG]; + nat_log_notice + ("maximum fragments per reassembly exceeded"); + next0 = NAT44_ED_OUT2IN_NEXT_DROP; + goto trace0; + } + cached0 = 1; + goto trace0; + } + s0 = pool_elt_at_index (per_thread_data->sessions, + reass0->sess_index); + } + + old_addr0 = ip0->dst_address.as_u32; + ip0->dst_address = s0->in2out.addr; + new_addr0 = ip0->dst_address.as_u32; + vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index; + + sum0 = ip0->checksum; + sum0 = ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + if (PREDICT_FALSE (is_twice_nat_session (s0))) + sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, + s0->ext_host_nat_addr.as_u32, ip4_header_t, + src_address); + ip0->checksum = ip_csum_fold (sum0); + + if (PREDICT_FALSE (ip4_is_first_fragment (ip0))) + { + if (PREDICT_TRUE (proto0 == SNAT_PROTOCOL_TCP)) + { + old_port0 = tcp0->dst_port; + tcp0->dst_port = s0->in2out.port; + new_port0 = tcp0->dst_port; + + sum0 = tcp0->checksum; + sum0 = 
ip_csum_update (sum0, old_addr0, new_addr0, + ip4_header_t, + dst_address /* changed member */ ); + + sum0 = ip_csum_update (sum0, old_port0, new_port0, + ip4_header_t /* cheat */ , + length /* changed member */ ); + if (is_twice_nat_session (s0)) + { + sum0 = ip_csum_update (sum0, ip0->src_address.as_u32, + s0->ext_host_nat_addr.as_u32, + ip4_header_t, dst_address); + sum0 = ip_csum_update (sum0, tcp0->src_port, + s0->ext_host_nat_port, + ip4_header_t, length); + tcp0->src_port = s0->ext_host_nat_port; + ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; + } + tcp0->checksum = ip_csum_fold (sum0); + } + else + { + old_port0 = udp0->dst_port; + udp0->dst_port = s0->in2out.port; + if (is_twice_nat_session (s0)) + { + udp0->src_port = s0->ext_host_nat_port; + ip0->src_address.as_u32 = s0->ext_host_nat_addr.as_u32; + } + udp0->checksum = 0; + } + } + + /* Accounting */ + nat44_session_update_counters (s0, now, + vlib_buffer_length_in_chain (vm, + b0)); + + trace0: + if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE) + && (b0->flags & VLIB_BUFFER_IS_TRACED))) + { + nat44_reass_trace_t *t = + vlib_add_trace (vm, node, b0, sizeof (*t)); + t->cached = cached0; + t->sw_if_index = sw_if_index0; + t->next_index = next0; + } + + if (cached0) + { + n_left_to_next++; + to_next--; + } + else + { + pkts_processed += next0 != NAT44_ED_OUT2IN_NEXT_DROP; + + /* verify speculative enqueue, maybe switch current next frame */ + vlib_validate_buffer_enqueue_x1 (vm, node, next_index, + to_next, n_left_to_next, + bi0, next0); + } + + if (n_left_from == 0 && vec_len (fragments_to_loopback)) + { + from = vlib_frame_vector_args (frame); + u32 len = vec_len (fragments_to_loopback); + if (len <= VLIB_FRAME_SIZE) + { + clib_memcpy (from, fragments_to_loopback, + sizeof (u32) * len); + n_left_from = len; + vec_reset_length (fragments_to_loopback); + } + else + { + clib_memcpy (from, + fragments_to_loopback + (len - + VLIB_FRAME_SIZE), + sizeof (u32) * VLIB_FRAME_SIZE); + n_left_from = 
VLIB_FRAME_SIZE; + _vec_len (fragments_to_loopback) = len - VLIB_FRAME_SIZE; + } + } + } + + vlib_put_next_frame (vm, node, next_index, n_left_to_next); + } + + vlib_node_increment_counter (vm, nat44_ed_out2in_reass_node.index, + NAT_OUT2IN_ED_ERROR_OUT2IN_PACKETS, + pkts_processed); + + nat_send_all_to_node (vm, fragments_to_drop, node, + &node->errors[NAT_OUT2IN_ED_ERROR_DROP_FRAGMENT], + NAT44_ED_OUT2IN_NEXT_DROP); + + vec_free (fragments_to_drop); + vec_free (fragments_to_loopback); + return frame->n_vectors; +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (nat44_ed_out2in_reass_node) = { + .function = nat44_ed_out2in_reass_node_fn, + .name = "nat44-ed-out2in-reass", + .vector_size = sizeof (u32), + .format_trace = format_nat44_reass_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .n_errors = ARRAY_LEN(nat_out2in_ed_error_strings), + .error_strings = nat_out2in_ed_error_strings, + .n_next_nodes = NAT44_ED_OUT2IN_N_NEXT, + .next_nodes = { + [NAT44_ED_OUT2IN_NEXT_DROP] = "error-drop", + [NAT44_ED_OUT2IN_NEXT_LOOKUP] = "ip4-lookup", + [NAT44_ED_OUT2IN_NEXT_SLOW_PATH] = "nat44-ed-out2in-slowpath", + [NAT44_ED_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error", + [NAT44_ED_OUT2IN_NEXT_IN2OUT] = "nat44-ed-in2out", + [NAT44_ED_OUT2IN_NEXT_REASS] = "nat44-ed-out2in-reass", + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (nat44_ed_out2in_reass_node, + nat44_ed_out2in_reass_node_fn); + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ -- cgit 1.2.3-korg