56 "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
68 s =
format (s,
"NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
73 #define foreach_snat_out2in_error \ 74 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \ 75 _(OUT2IN_PACKETS, "good out2in packets processed") \ 76 _(OUT_OF_PORTS, "out of ports") \ 77 _(BAD_ICMP_TYPE, "unsupported ICMP type") \ 78 _(NO_TRANSLATION, "no translation") \ 79 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \ 80 _(DROP_FRAGMENT, "drop fragment") \ 81 _(MAX_REASS, "maximum reassemblies exceeded") \ 82 _(MAX_FRAG, "maximum fragments per reassembly exceeded")\ 83 _(TCP_PACKETS, "TCP packets") \ 84 _(UDP_PACKETS, "UDP packets") \ 85 _(ICMP_PACKETS, "ICMP packets") \ 86 _(OTHER_PACKETS, "other protocol packets") \ 87 _(FRAGMENTS, "fragments") \ 88 _(CACHED_FRAGMENTS, "cached fragments") \ 89 _(PROCESSED_FRAGMENTS, "processed fragments") 93 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym, 100 #define _(sym,string) string, 113 #ifndef CLIB_MARCH_VARIANT 120 u64 sess_timeout_time;
127 if (ctx->
now >= sess_timeout_time)
129 s_kv.
key = s->in2out.as_u64;
130 if (clib_bihash_add_del_8_8 (&tsm->
in2out, &s_kv, 0))
134 s->in2out.addr.as_u32,
135 s->out2in.addr.as_u32,
139 s->in2out.fib_index);
142 &s->in2out.addr, s->in2out.port,
143 &s->out2in.addr, s->out2in.port,
146 nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
147 s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
176 static inline snat_session_t *
182 u32 thread_index,
f64 now)
196 b0->
error = node->
errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
231 kv0.
key = s->in2out.as_u64;
233 if (clib_bihash_add_or_overwrite_stale_8_8
238 kv0.
key = s->out2in.as_u64;
240 if (clib_bihash_add_or_overwrite_stale_8_8
247 s->in2out.addr.as_u32,
248 s->out2in.addr.as_u32,
251 s->out2in.port, s->in2out.fib_index);
254 &s->in2out.addr, s->in2out.port, &s->out2in.addr,
255 s->out2in.port, s->in2out.protocol);
257 nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
258 s->out2in.port, &s->ext_host_addr, s->ext_host_port,
259 &s->ext_host_nat_addr, s->ext_host_nat_port,
260 s->in2out.protocol, s->in2out.fib_index, s->flags,
266 #ifndef CLIB_MARCH_VARIANT 271 icmp46_header_t *icmp0;
276 icmp46_header_t *inner_icmp0;
282 (
vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
296 case SNAT_PROTOCOL_ICMP:
297 inner_icmp0 = (icmp46_header_t *) l4_header;
301 case SNAT_PROTOCOL_UDP:
302 case SNAT_PROTOCOL_TCP:
306 return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
332 u8 * p_dont_translate,
void *d,
void *e)
338 snat_session_t *s0 = 0;
339 u8 dont_translate = 0;
354 b0->
error = node->
errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
368 (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0, &identity_nat))
379 b0->
error = node->
errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
394 ICMP4_echo_request || !is_addr_only)))
396 b0->
error = node->
errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
425 reass.icmp_type_or_tcp_flags)))
427 b0->
error = node->
errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
439 *p_value = s0->in2out;
440 *p_dont_translate = dont_translate;
442 *(snat_session_t **) d = s0;
447 #ifndef CLIB_MARCH_VARIANT 466 u8 * p_dont_translate,
void *d,
void *e)
472 u8 dont_translate = 0;
490 (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0, 0))
498 b0->
error = node->
errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
504 (
vnet_buffer (b0)->
ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_reply
506 ICMP4_echo_request || !is_addr_only)
508 reass.icmp_type_or_tcp_flags)))
510 b0->
error = node->
errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
519 *p_dont_translate = dont_translate;
524 #ifndef CLIB_MARCH_VARIANT 529 icmp46_header_t * icmp0,
533 u32 next0,
u32 thread_index,
void *d,
void *e)
540 icmp46_header_t *inner_icmp0;
542 u32 new_addr0, old_addr0;
543 u16 old_id0, new_id0;
551 &protocol, &sm0, &dont_translate, d,
566 if (checksum0 != 0 && checksum0 != 0xffff)
585 if (icmp0->checksum == 0)
586 icmp0->checksum = 0xffff;
597 sum0 = icmp0->checksum;
619 sum0 = icmp0->checksum;
626 case SNAT_PROTOCOL_ICMP:
627 inner_icmp0 = (icmp46_header_t *) l4_header;
634 sum0 = icmp0->checksum;
640 case SNAT_PROTOCOL_UDP:
641 case SNAT_PROTOCOL_TCP:
646 sum0 = icmp0->checksum;
666 icmp46_header_t * icmp0,
671 u32 thread_index, snat_session_t ** p_s0)
673 next0 =
icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
674 next0, thread_index, p_s0, 0);
675 snat_session_t *s0 = *p_s0;
696 u32 old_addr, new_addr;
723 u32 n_left_from, *from, *to_next;
725 u32 pkts_processed = 0;
729 u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
733 n_left_from =
frame->n_vectors;
734 next_index =
node->cached_next_index;
736 while (n_left_from > 0)
742 while (n_left_from >= 4 && n_left_to_next >= 2)
748 u32 sw_if_index0, sw_if_index1;
751 u32 new_addr0, old_addr0;
752 u16 new_port0, old_port0;
753 u32 new_addr1, old_addr1;
754 u16 new_port1, old_port1;
757 icmp46_header_t *icmp0, *icmp1;
759 u32 rx_fib_index0, rx_fib_index1;
761 snat_session_t *s0 = 0, *s1 = 0;
763 u8 identity_nat0, identity_nat1;
780 to_next[0] = bi0 = from[0];
781 to_next[1] = bi1 = from[1];
796 icmp0 = (icmp46_header_t *) udp0;
806 ICMP4_time_exceeded_ttl_exceeded_in_transit,
821 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
832 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
node,
833 next0, now, thread_index, &s0);
845 if (clib_bihash_search_8_8
851 (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
858 (proto0 == SNAT_PROTOCOL_UDP
861 (UDP_DST_PORT_dhcp_to_client))))
870 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
908 old_port0 =
vnet_buffer (b0)->ip.reass.l4_dst_port;
909 new_port0 = udp0->
dst_port = s0->in2out.port;
910 sum0 = tcp0->checksum;
926 old_port0 =
vnet_buffer (b0)->ip.reass.l4_dst_port;
927 new_port0 = udp0->
dst_port = s0->in2out.port;
952 && (b0->
flags & VLIB_BUFFER_IS_TRACED)))
970 icmp1 = (icmp46_header_t *) udp1;
980 ICMP4_time_exceeded_ttl_exceeded_in_transit,
995 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1006 (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1,
node,
1007 next1, now, thread_index, &s1);
1019 if (clib_bihash_search_8_8
1025 (sm, key1, &sm1, 1, 0, 0, 0, 0, &identity_nat1))
1032 (proto1 == SNAT_PROTOCOL_UDP
1034 clib_host_to_net_u16
1035 (UDP_DST_PORT_dhcp_to_client))))
1044 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1082 old_port1 =
vnet_buffer (b1)->ip.reass.l4_dst_port;
1083 new_port1 = udp1->
dst_port = s1->in2out.port;
1085 sum1 = tcp1->checksum;
1101 old_port1 =
vnet_buffer (b1)->ip.reass.l4_dst_port;
1102 new_port1 = udp1->
dst_port = s1->in2out.port;
1130 && (b1->
flags & VLIB_BUFFER_IS_TRACED)))
1146 to_next, n_left_to_next,
1147 bi0, bi1, next0, next1);
1150 while (n_left_from > 0 && n_left_to_next > 0)
1158 u32 new_addr0, old_addr0;
1159 u16 new_port0, old_port0;
1162 icmp46_header_t *icmp0;
1166 snat_session_t *s0 = 0;
1176 n_left_to_next -= 1;
1185 icmp0 = (icmp46_header_t *) udp0;
1200 node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1212 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1221 (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0,
node,
1222 next0, now, thread_index, &s0);
1234 if (clib_bihash_search_8_8
1240 (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
1247 (proto0 == SNAT_PROTOCOL_UDP
1249 clib_host_to_net_u16
1250 (UDP_DST_PORT_dhcp_to_client))))
1259 node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1297 old_port0 =
vnet_buffer (b0)->ip.reass.l4_dst_port;
1298 new_port0 = udp0->
dst_port = s0->in2out.port;
1300 sum0 = tcp0->checksum;
1316 old_port0 =
vnet_buffer (b0)->ip.reass.l4_dst_port;
1317 new_port0 = udp0->
dst_port = s0->in2out.port;
1342 && (b0->
flags & VLIB_BUFFER_IS_TRACED)))
1358 to_next, n_left_to_next,
1366 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1369 SNAT_OUT2IN_ERROR_TCP_PACKETS, tcp_packets);
1371 SNAT_OUT2IN_ERROR_UDP_PACKETS, udp_packets);
1373 SNAT_OUT2IN_ERROR_ICMP_PACKETS, icmp_packets);
1375 SNAT_OUT2IN_ERROR_OTHER_PACKETS,
1378 SNAT_OUT2IN_ERROR_FRAGMENTS, fragments);
1380 return frame->n_vectors;
1385 .name =
"nat44-out2in",
1386 .vector_size =
sizeof (
u32),
1410 u32 n_left_from, *from, *to_next;
1412 u32 pkts_processed = 0;
1416 n_left_from =
frame->n_vectors;
1417 next_index =
node->cached_next_index;
1419 while (n_left_from > 0)
1425 while (n_left_from > 0 && n_left_to_next > 0)
1433 u32 new_addr0, old_addr0;
1434 u16 new_port0, old_port0;
1437 icmp46_header_t *icmp0;
1448 n_left_to_next -= 1;
1455 icmp0 = (icmp46_header_t *) udp0;
1467 ICMP4_time_exceeded_ttl_exceeded_in_transit,
1480 next0 =
icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0,
1481 rx_fib_index0,
node, next0, ~0, 0, 0);
1491 b0->
error =
node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1496 new_port0 = sm0.
port;
1514 sum0 = tcp0->checksum;
1539 sum0 = tcp0->checksum;
1558 && (b0->
flags & VLIB_BUFFER_IS_TRACED)))
1570 to_next, n_left_to_next,
1578 SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1580 return frame->n_vectors;
1585 .name =
"nat44-out2in-fast",
1586 .vector_size =
sizeof (
u32),
vlib_node_registration_t snat_out2in_fast_node
(constructor) VLIB_REGISTER_NODE (snat_out2in_fast_node)
u32 flags
Buffer flags: VLIB_BUFFER_FREE_LIST_INDEX_MASK — bits used to store the free list index; VLIB_BUFFER_IS_TRACED — trace this buffer.
static ip_csum_t ip_incremental_checksum_buffer(vlib_main_t *vm, vlib_buffer_t *first_buffer, u32 first_buffer_offset, u32 n_bytes_to_checksum, ip_csum_t sum)
#define snat_is_session_static(s)
Check if SNAT session is created from static mapping.
u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, u32 thread_index, vlib_buffer_t *b0, ip4_header_t *ip0, u8 *p_proto, snat_session_key_t *p_value, u8 *p_dont_translate, void *d, void *e)
Get address and port values to be used for ICMP packet translation and create session if needed...
static u8 * format_snat_out2in_fast_trace(u8 *s, va_list *args)
static u32 nat44_session_get_timeout(snat_main_t *sm, snat_session_t *s)
#define nat_elog_notice(nat_elog_str)
static u32 icmp_out2in_slow_path(snat_main_t *sm, vlib_buffer_t *b0, ip4_header_t *ip0, icmp46_header_t *icmp0, u32 sw_if_index0, u32 rx_fib_index0, vlib_node_runtime_t *node, u32 next0, f64 now, u32 thread_index, snat_session_t **p_s0)
static f64 vlib_time_now(vlib_main_t *vm)
#define nat_elog_warn(nat_elog_str)
void nat_ha_sadd(ip4_address_t *in_addr, u16 in_port, ip4_address_t *out_addr, u16 out_port, ip4_address_t *eh_addr, u16 eh_port, ip4_address_t *ehn_addr, u16 ehn_port, u8 proto, u32 fib_index, u16 flags, u32 thread_index, u8 is_resync)
Create session add HA event.
u32 * fib_index_by_sw_if_index
Table index indexed by software interface.
#define VLIB_NODE_FN(node)
vlib_error_t * errors
Vector of errors for this node.
int nat44_o2i_is_idle_session_cb(clib_bihash_kv_8_8_t *kv, void *arg)
static uword vlib_buffer_length_in_chain(vlib_main_t *vm, vlib_buffer_t *b)
Get length in bytes of the buffer chain.
struct _tcp_header tcp_header_t
static int ip4_is_fragment(const ip4_header_t *i)
snat_session_t * nat_session_alloc_or_recycle(snat_main_t *sm, snat_user_t *u, u32 thread_index, f64 now)
Allocate new NAT session or recycle last used.
vl_api_ip_proto_t protocol
u32 ip4_fib_table_get_index_for_sw_if_index(u32 sw_if_index)
#define static_always_inline
static uword ip4_header_checksum_is_valid(ip4_header_t *i)
#define vlib_prefetch_buffer_header(b, type)
Prefetch buffer metadata.
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
static void * ip4_next_header(ip4_header_t *i)
#define foreach_snat_out2in_error
static u8 maximum_sessions_exceeded(snat_main_t *sm, u32 thread_index)
int snat_static_mapping_match(snat_main_t *sm, snat_session_key_t match, snat_session_key_t *mapping, u8 by_external, u8 *is_addr_only, twice_nat_type_t *twice_nat, lb_nat_type_t *lb, ip4_address_t *ext_host_addr, u8 *is_identity_nat)
Match NAT44 static mapping.
void snat_free_outside_address_and_port(snat_address_t *addresses, u32 thread_index, snat_session_key_t *k)
Free outside address and port pair.
static void nat44_delete_session(snat_main_t *sm, snat_session_t *ses, u32 thread_index)
vl_api_fib_path_type_t type
vlib_error_t error
Error code for buffers to be enqueued to error handler.
snat_user_t * nat_user_get_or_create(snat_main_t *sm, ip4_address_t *addr, u32 fib_index, u32 thread_index)
Find or create NAT user.
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static_always_inline u8 icmp_type_is_error_message(u8 icmp_type)
snat_static_mapping_t * static_mappings
static void * vlib_buffer_get_current(vlib_buffer_t *b)
Get pointer to current data to process.
void nat_syslog_nat44_apmadd(u32 ssubix, u32 sfibix, ip4_address_t *isaddr, u16 isport, ip4_address_t *xsaddr, u16 xsport, snat_protocol_t proto)
clib_bihash_8_8_t static_mapping_by_external
vl_api_address_union_t src_address
#define vlib_validate_buffer_enqueue_x2(vm, node, next_index, to_next, n_left_to_next, bi0, bi1, next0, next1)
Finish enqueueing two buffers forward in the graph.
vlib_node_registration_t snat_out2in_node
(constructor) VLIB_REGISTER_NODE (snat_out2in_node)
#define vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, bi0, next0)
Finish enqueueing one buffer forward in the graph.
#define vlib_get_next_frame(vm, node, next_index, vectors, n_vectors_left)
Get pointer to next frame vector data by (vlib_node_runtime_t, next_index).
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
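Event logger: the fine-grained event logger allows lightweight, thread-safe event logging at minimum cost... (This entry describes the event-log facility, not the counter function listed above.)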
void snat_ipfix_logging_nat44_ses_delete(u32 thread_index, u32 src_ip, u32 nat_src_ip, snat_protocol_t snat_proto, u16 src_port, u16 nat_src_port, u32 vrf_id)
Generate NAT44 session delete event.
static void nat44_delete_user_with_no_session(snat_main_t *sm, snat_user_t *u, u32 thread_index)
#define VLIB_REGISTER_NODE(x,...)
#define CLIB_PREFETCH(addr, size, type)
static_always_inline void vnet_feature_next(u32 *next0, vlib_buffer_t *b0)
static void nat44_session_update_counters(snat_session_t *s, f64 now, uword bytes, u32 thread_index)
clib_bihash_kv_8_8_t: key/value pair with an 8-octet key and an 8-octet value.
void vlib_put_next_frame(vlib_main_t *vm, vlib_node_runtime_t *r, u32 next_index, u32 n_vectors_left)
Release pointer to next frame vector data.
vlib_main_t vlib_node_runtime_t * node
snat_icmp_match_function_t * icmp_match_out2in_cb
static void nat44_session_update_lru(snat_main_t *sm, snat_session_t *s, u32 thread_index)
Per-user LRU list maintenance.
void nat_syslog_nat44_apmdel(u32 ssubix, u32 sfibix, ip4_address_t *isaddr, u16 isport, ip4_address_t *xsaddr, u16 xsport, snat_protocol_t proto)
void nat_ha_sdel(ip4_address_t *out_addr, u16 out_port, ip4_address_t *eh_addr, u16 eh_port, u8 proto, u32 fib_index, u32 thread_index)
Create session delete HA event.
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
#define vec_elt(v, i)
Get vector value at index i.
static u32 ip_proto_to_snat_proto(u8 ip_proto)
static void user_session_increment(snat_main_t *sm, snat_user_t *u, u8 is_static)
static snat_session_t * create_session_for_static_mapping(snat_main_t *sm, vlib_buffer_t *b0, snat_session_key_t in2out, snat_session_key_t out2in, vlib_node_runtime_t *node, u32 thread_index, f64 now)
Create session for static mapping.
static char * snat_out2in_error_strings[]
static int nat_out2in_sm_unknown_proto(snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip, u32 rx_fib_index)
vlib_buffer_t: VLIB buffer representation.
snat_main_per_thread_data_t * per_thread_data
static_always_inline void nat44_session_try_cleanup(ip4_address_t *addr, u32 fib_index, u32 thread_index, f64 now)
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
#define ip_csum_update(sum, old, new, type, field)
static u8 is_interface_addr(snat_main_t *sm, vlib_node_runtime_t *node, u32 sw_if_index0, u32 ip4_addr)
static u8 * format_snat_out2in_trace(u8 *s, va_list *args)
snat_address_t * addresses
u32 out2in_fast_node_index
#define SNAT_SESSION_FLAG_STATIC_MAPPING
vlib_main_t vlib_node_runtime_t vlib_frame_t * frame
static int ip4_header_bytes(const ip4_header_t *i)
#define VLIB_NODE_FLAG_TRACE
#define CLIB_CACHE_LINE_BYTES
static_always_inline snat_out2in_error_t icmp_get_key(vlib_buffer_t *b, ip4_header_t *ip0, snat_session_key_t *p_key0)
u32 icmp_out2in(snat_main_t *sm, vlib_buffer_t *b0, ip4_header_t *ip0, icmp46_header_t *icmp0, u32 sw_if_index0, u32 rx_fib_index0, vlib_node_runtime_t *node, u32 next0, u32 thread_index, void *d, void *e)
int nat44_i2o_is_idle_session_cb(clib_bihash_kv_8_8_t *kv, void *arg)
snat_session_t * sessions
static_always_inline void icmp4_error_set_vnet_buffer(vlib_buffer_t *b, u8 type, u8 code, u32 data)
static vlib_buffer_t * vlib_get_buffer(vlib_main_t *vm, u32 buffer_index)
Translate buffer index into buffer pointer.
static u16 ip_csum_fold(ip_csum_t c)
u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node, u32 thread_index, vlib_buffer_t *b0, ip4_header_t *ip0, u8 *p_proto, snat_session_key_t *p_value, u8 *p_dont_translate, void *d, void *e)
Get address and port values to be used for ICMP packet translation.
void snat_ipfix_logging_nat44_ses_create(u32 thread_index, u32 src_ip, u32 nat_src_ip, snat_protocol_t snat_proto, u16 src_port, u16 nat_src_port, u32 vrf_id)
Generate NAT44 session create event.