FD.io VPP  v20.05.1-6-gf53edbc3b
Vector Packet Processing
out2in.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2016 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 /**
16  * @file
17  * @brief NAT44 endpoint-dependent outside to inside network translation
18  */
19 
20 #include <vlib/vlib.h>
21 #include <vnet/vnet.h>
22 #include <vnet/pg/pg.h>
23 
24 #include <vnet/ip/ip.h>
25 #include <vnet/udp/udp.h>
26 #include <vnet/ethernet/ethernet.h>
27 #include <vnet/fib/ip4_fib.h>
28 #include <nat/nat.h>
29 #include <nat/nat_ipfix_logging.h>
30 #include <nat/nat_inlines.h>
31 #include <nat/nat44/inlines.h>
32 #include <nat/nat_syslog.h>
33 #include <nat/nat_ha.h>
34 
35 #include <vppinfra/hash.h>
36 #include <vppinfra/error.h>
37 #include <vppinfra/elog.h>
38 
39 typedef struct
40 {
41  u32 sw_if_index;
42  u32 next_index;
43  u32 session_index;
44 } snat_out2in_trace_t;
45 
46 /* packet trace format function */
47 static u8 *
48 format_snat_out2in_trace (u8 * s, va_list * args)
49 {
50  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
51  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
52  snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *);
53 
54  s =
55  format (s,
56  "NAT44_OUT2IN: sw_if_index %d, next index %d, session index %d",
57  t->sw_if_index, t->next_index, t->session_index);
58  return s;
59 }
60 
61 static u8 *
62 format_snat_out2in_fast_trace (u8 * s, va_list * args)
63 {
64  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
65  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
66  snat_out2in_trace_t *t = va_arg (*args, snat_out2in_trace_t *);
67 
68  s = format (s, "NAT44_OUT2IN_FAST: sw_if_index %d, next index %d",
69  t->sw_if_index, t->next_index);
70  return s;
71 }
72 
73 #define foreach_snat_out2in_error \
74 _(UNSUPPORTED_PROTOCOL, "unsupported protocol") \
75 _(OUT2IN_PACKETS, "good out2in packets processed") \
76 _(OUT_OF_PORTS, "out of ports") \
77 _(BAD_ICMP_TYPE, "unsupported ICMP type") \
78 _(NO_TRANSLATION, "no translation") \
79 _(MAX_SESSIONS_EXCEEDED, "maximum sessions exceeded") \
80 _(DROP_FRAGMENT, "drop fragment") \
81 _(MAX_REASS, "maximum reassemblies exceeded") \
82 _(MAX_FRAG, "maximum fragments per reassembly exceeded")\
83 _(TCP_PACKETS, "TCP packets") \
84 _(UDP_PACKETS, "UDP packets") \
85 _(ICMP_PACKETS, "ICMP packets") \
86 _(OTHER_PACKETS, "other protocol packets") \
87 _(FRAGMENTS, "fragments") \
88 _(CACHED_FRAGMENTS, "cached fragments") \
89 _(PROCESSED_FRAGMENTS, "processed fragments")
90 
91 typedef enum
92 {
93 #define _(sym,str) SNAT_OUT2IN_ERROR_##sym,
94  foreach_snat_out2in_error
95 #undef _
96  SNAT_OUT2IN_N_ERROR,
97 } snat_out2in_error_t;
98 
99 static char *snat_out2in_error_strings[] = {
100 #define _(sym,string) string,
101  foreach_snat_out2in_error
102 #undef _
103 };
104 
105 typedef enum
106 {
107  SNAT_OUT2IN_NEXT_DROP,
108  SNAT_OUT2IN_NEXT_LOOKUP,
109  SNAT_OUT2IN_NEXT_ICMP_ERROR,
110  SNAT_OUT2IN_N_NEXT,
111 } snat_out2in_next_t;
112 
113 #ifndef CLIB_MARCH_VARIANT
114 int
115 nat44_o2i_is_idle_session_cb (clib_bihash_kv_8_8_t * kv, void *arg)
116 {
117  snat_main_t *sm = &snat_main;
118  nat44_is_idle_session_ctx_t *ctx = arg;
119  snat_session_t *s;
120  u64 sess_timeout_time;
121  snat_main_per_thread_data_t *tsm = vec_elt_at_index (sm->per_thread_data,
122  ctx->thread_index);
123  clib_bihash_kv_8_8_t s_kv;
124 
125  s = pool_elt_at_index (tsm->sessions, kv->value);
126  sess_timeout_time = s->last_heard + (f64) nat44_session_get_timeout (sm, s);
127  if (ctx->now >= sess_timeout_time)
128  {
129  s_kv.key = s->in2out.as_u64;
130  if (clib_bihash_add_del_8_8 (&tsm->in2out, &s_kv, 0))
131  nat_elog_warn ("out2in key del failed");
132 
133  snat_ipfix_logging_nat44_ses_delete (ctx->thread_index,
134  s->in2out.addr.as_u32,
135  s->out2in.addr.as_u32,
136  s->in2out.protocol,
137  s->in2out.port,
138  s->out2in.port,
139  s->in2out.fib_index);
140 
141  nat_syslog_nat44_apmdel (s->user_index, s->in2out.fib_index,
142  &s->in2out.addr, s->in2out.port,
143  &s->out2in.addr, s->out2in.port,
144  s->in2out.protocol);
145 
146  nat_ha_sdel (&s->out2in.addr, s->out2in.port, &s->ext_host_addr,
147  s->ext_host_port, s->out2in.protocol, s->out2in.fib_index,
148  ctx->thread_index);
149 
150  if (!snat_is_session_static (s))
151  snat_free_outside_address_and_port (sm->addresses, ctx->thread_index,
152  &s->out2in);
153 
154  nat44_delete_session (sm, s, ctx->thread_index);
155  return 1;
156  }
157 
158  return 0;
159 }
160 #endif
161 
162 /**
163  * @brief Create session for static mapping.
164  *
165  * Create NAT session initiated by host from external network with static
166  * mapping.
167  *
168  * @param sm NAT main.
169  * @param b0 Vlib buffer.
170  * @param in2out In2out NAT44 session key.
171  * @param out2in Out2in NAT44 session key.
172  * @param node Vlib node.
173  *
174  * @returns SNAT session if successfully created otherwise 0.
175  */
176 static inline snat_session_t *
177 create_session_for_static_mapping (snat_main_t * sm,
178  vlib_buffer_t * b0,
179  snat_session_key_t in2out,
180  snat_session_key_t out2in,
181  vlib_node_runtime_t * node,
182  u32 thread_index, f64 now)
183 {
184  snat_user_t *u;
185  snat_session_t *s;
186  clib_bihash_kv_8_8_t kv0;
187  ip4_header_t *ip0;
188  udp_header_t *udp0;
189  nat44_is_idle_session_ctx_t ctx0;
190 
191  if (PREDICT_FALSE (nat44_maximum_sessions_exceeded (sm, thread_index)))
192  {
193  b0->error = node->errors[SNAT_OUT2IN_ERROR_MAX_SESSIONS_EXCEEDED];
194  nat_elog_notice ("maximum sessions exceeded");
195  return 0;
196  }
197 
198  ip0 = vlib_buffer_get_current (b0);
199  udp0 = ip4_next_header (ip0);
200 
201  u =
202  nat_user_get_or_create (sm, &in2out.addr, in2out.fib_index, thread_index);
203  if (!u)
204  {
205  nat_elog_warn ("create NAT user failed");
206  return 0;
207  }
208 
209  s = nat_session_alloc_or_recycle (sm, u, thread_index, now);
210  if (!s)
211  {
212  nat44_delete_user_with_no_session (sm, u, thread_index);
213  nat_elog_warn ("create NAT session failed");
214  return 0;
215  }
216 
217  s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
218  s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
219  s->ext_host_port = udp0->src_port;
220  user_session_increment (sm, u, 1 /* static */ );
221  s->in2out = in2out;
222  s->out2in = out2in;
223  s->in2out.protocol = out2in.protocol;
224 
225  /* Add to translation hashes */
226  ctx0.now = now;
227  ctx0.thread_index = thread_index;
228  kv0.key = s->in2out.as_u64;
229  kv0.value = s - sm->per_thread_data[thread_index].sessions;
230  if (clib_bihash_add_or_overwrite_stale_8_8
231  (&sm->per_thread_data[thread_index].in2out, &kv0,
232  nat44_i2o_is_idle_session_cb, &ctx0))
233  nat_elog_notice ("in2out key add failed");
234 
235  kv0.key = s->out2in.as_u64;
236 
237  if (clib_bihash_add_or_overwrite_stale_8_8
238  (&sm->per_thread_data[thread_index].out2in, &kv0,
239  nat44_o2i_is_idle_session_cb, &ctx0))
240  nat_elog_notice ("out2in key add failed");
241 
242  /* log NAT event */
243  snat_ipfix_logging_nat44_ses_create (thread_index,
244  s->in2out.addr.as_u32,
245  s->out2in.addr.as_u32,
246  s->in2out.protocol,
247  s->in2out.port,
248  s->out2in.port, s->in2out.fib_index);
249 
250  nat_syslog_nat44_apmadd (s->user_index, s->in2out.fib_index,
251  &s->in2out.addr, s->in2out.port, &s->out2in.addr,
252  s->out2in.port, s->in2out.protocol);
253 
254  nat_ha_sadd (&s->in2out.addr, s->in2out.port, &s->out2in.addr,
255  s->out2in.port, &s->ext_host_addr, s->ext_host_port,
256  &s->ext_host_nat_addr, s->ext_host_nat_port,
257  s->in2out.protocol, s->in2out.fib_index, s->flags,
258  thread_index, 0);
259 
260  return s;
261 }
262 
263 #ifndef CLIB_MARCH_VARIANT
264 static_always_inline
265  snat_out2in_error_t icmp_get_key (vlib_buffer_t * b, ip4_header_t * ip0,
266  snat_session_key_t * p_key0)
267 {
268  icmp46_header_t *icmp0;
269  snat_session_key_t key0;
270  icmp_echo_header_t *echo0, *inner_echo0 = 0;
271  ip4_header_t *inner_ip0;
272  void *l4_header = 0;
273  icmp46_header_t *inner_icmp0;
274 
275  icmp0 = (icmp46_header_t *) ip4_next_header (ip0);
276  echo0 = (icmp_echo_header_t *) (icmp0 + 1);
277 
278  if (!icmp_type_is_error_message
279  (vnet_buffer (b)->ip.reass.icmp_type_or_tcp_flags))
280  {
281  key0.protocol = NAT_PROTOCOL_ICMP;
282  key0.addr = ip0->dst_address;
283  key0.port = vnet_buffer (b)->ip.reass.l4_src_port; // TODO should this be dst port?
284  }
285  else
286  {
287  inner_ip0 = (ip4_header_t *) (echo0 + 1);
288  l4_header = ip4_next_header (inner_ip0);
289  key0.protocol = ip_proto_to_nat_proto (inner_ip0->protocol);
290  key0.addr = inner_ip0->src_address;
291  switch (key0.protocol)
292  {
293  case NAT_PROTOCOL_ICMP:
294  inner_icmp0 = (icmp46_header_t *) l4_header;
295  inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
296  key0.port = inner_echo0->identifier;
297  break;
298  case NAT_PROTOCOL_UDP:
299  case NAT_PROTOCOL_TCP:
300  key0.port = ((tcp_udp_header_t *) l4_header)->src_port;
301  break;
302  default:
303  return SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL;
304  }
305  }
306  *p_key0 = key0;
307  return -1; /* success */
308 }
309 
310 /**
311  * Get address and port values to be used for ICMP packet translation
312  * and create session if needed
313  *
314  * @param[in,out] sm NAT main
315  * @param[in,out] node NAT node runtime
316  * @param[in] thread_index thread index
317  * @param[in,out] b0 buffer containing packet to be translated
318  * @param[in,out] ip0 ip header
319  * @param[out] p_proto protocol used for matching
320  * @param[out] p_value address and port after NAT translation
321  * @param[out] p_dont_translate if packet should not be translated
322  * @param d optional parameter
323  * @param e optional parameter
324  */
325 u32
326 icmp_match_out2in_slow (snat_main_t * sm, vlib_node_runtime_t * node,
327  u32 thread_index, vlib_buffer_t * b0,
328  ip4_header_t * ip0, u8 * p_proto,
329  snat_session_key_t * p_value,
330  u8 * p_dont_translate, void *d, void *e)
331 {
332  snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
333  u32 sw_if_index0;
334  u32 rx_fib_index0;
335  snat_session_key_t key0;
336  snat_session_key_t sm0;
337  snat_session_t *s0 = 0;
338  u8 dont_translate = 0;
339  clib_bihash_kv_8_8_t kv0, value0;
340  u8 is_addr_only;
341  u32 next0 = ~0;
342  int err;
343  u8 identity_nat;
344  vlib_main_t *vm = vlib_get_main ();
345 
346  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
347  rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
348 
349  key0.protocol = 0;
350 
351  err = icmp_get_key (b0, ip0, &key0);
352  if (err != -1)
353  {
354  b0->error = node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
355  next0 = SNAT_OUT2IN_NEXT_DROP;
356  goto out;
357  }
358  key0.fib_index = rx_fib_index0;
359 
360  kv0.key = key0.as_u64;
361 
362  if (clib_bihash_search_8_8 (&tsm->out2in, &kv0, &value0))
363  {
364  /* Try to match static mapping by external address and port,
365  destination address and port in packet */
366  if (snat_static_mapping_match
367  (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0, &identity_nat))
368  {
369  if (!sm->forwarding_enabled)
370  {
371  /* Don't NAT packet aimed at the intfc address */
372  if (PREDICT_FALSE (is_interface_addr (sm, node, sw_if_index0,
373  ip0->dst_address.as_u32)))
374  {
375  dont_translate = 1;
376  goto out;
377  }
378  b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
379  next0 = SNAT_OUT2IN_NEXT_DROP;
380  goto out;
381  }
382  else
383  {
384  dont_translate = 1;
385  goto out;
386  }
387  }
388 
389  if (PREDICT_FALSE
390  (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
391  ICMP4_echo_reply
392  && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
393  ICMP4_echo_request || !is_addr_only)))
394  {
395  b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
396  next0 = SNAT_OUT2IN_NEXT_DROP;
397  goto out;
398  }
399 
400  if (PREDICT_FALSE (identity_nat))
401  {
402  dont_translate = 1;
403  goto out;
404  }
405  /* Create session initiated by host from external network */
406  s0 = create_session_for_static_mapping (sm, b0, sm0, key0,
407  node, thread_index,
408  vlib_time_now (vm));
409 
410  if (!s0)
411  {
412  next0 = SNAT_OUT2IN_NEXT_DROP;
413  goto out;
414  }
415  }
416  else
417  {
418  if (PREDICT_FALSE
419  (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
420  ICMP4_echo_reply
421  && vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
422  ICMP4_echo_request
423  && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
424  reass.icmp_type_or_tcp_flags)))
425  {
426  b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
427  next0 = SNAT_OUT2IN_NEXT_DROP;
428  goto out;
429  }
430 
431  s0 = pool_elt_at_index (tsm->sessions, value0.value);
432  }
433 
434 out:
435  *p_proto = key0.protocol;
436  if (s0)
437  *p_value = s0->in2out;
438  *p_dont_translate = dont_translate;
439  if (d)
440  *(snat_session_t **) d = s0;
441  return next0;
442 }
443 #endif
444 
445 #ifndef CLIB_MARCH_VARIANT
446 /**
447  * Get address and port values to be used for ICMP packet translation
448  *
449  * @param[in] sm NAT main
450  * @param[in,out] node NAT node runtime
451  * @param[in] thread_index thread index
452  * @param[in,out] b0 buffer containing packet to be translated
453  * @param[in,out] ip0 ip header
454  * @param[out] p_proto protocol used for matching
455  * @param[out] p_value address and port after NAT translation
456  * @param[out] p_dont_translate if packet should not be translated
457  * @param d optional parameter
458  * @param e optional parameter
459  */
460 u32
461 icmp_match_out2in_fast (snat_main_t * sm, vlib_node_runtime_t * node,
462  u32 thread_index, vlib_buffer_t * b0,
463  ip4_header_t * ip0, u8 * p_proto,
464  snat_session_key_t * p_value,
465  u8 * p_dont_translate, void *d, void *e)
466 {
467  u32 sw_if_index0;
468  u32 rx_fib_index0;
469  snat_session_key_t key0;
470  snat_session_key_t sm0;
471  u8 dont_translate = 0;
472  u8 is_addr_only;
473  u32 next0 = ~0;
474  int err;
475 
476  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
477  rx_fib_index0 = ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
478 
479  err = icmp_get_key (b0, ip0, &key0);
480  if (err != -1)
481  {
482  b0->error = node->errors[err];
483  next0 = SNAT_OUT2IN_NEXT_DROP;
484  goto out2;
485  }
486  key0.fib_index = rx_fib_index0;
487 
488  if (snat_static_mapping_match
489  (sm, key0, &sm0, 1, &is_addr_only, 0, 0, 0, 0))
490  {
491  /* Don't NAT packet aimed at the intfc address */
492  if (is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32))
493  {
494  dont_translate = 1;
495  goto out;
496  }
497  b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
498  next0 = SNAT_OUT2IN_NEXT_DROP;
499  goto out;
500  }
501 
502  if (PREDICT_FALSE
503  (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags != ICMP4_echo_reply
504  && (vnet_buffer (b0)->ip.reass.icmp_type_or_tcp_flags !=
505  ICMP4_echo_request || !is_addr_only)
506  && !icmp_type_is_error_message (vnet_buffer (b0)->ip.
507  reass.icmp_type_or_tcp_flags)))
508  {
509  b0->error = node->errors[SNAT_OUT2IN_ERROR_BAD_ICMP_TYPE];
510  next0 = SNAT_OUT2IN_NEXT_DROP;
511  goto out;
512  }
513 
514 out:
515  *p_value = sm0;
516 out2:
517  *p_proto = key0.protocol;
518  *p_dont_translate = dont_translate;
519  return next0;
520 }
521 #endif
522 
523 #ifndef CLIB_MARCH_VARIANT
524 u32
525 icmp_out2in (snat_main_t * sm,
526  vlib_buffer_t * b0,
527  ip4_header_t * ip0,
528  icmp46_header_t * icmp0,
529  u32 sw_if_index0,
530  u32 rx_fib_index0,
531  vlib_node_runtime_t * node,
532  u32 next0, u32 thread_index, void *d, void *e)
533 {
534  snat_session_key_t sm0;
535  u8 protocol;
536  icmp_echo_header_t *echo0, *inner_echo0 = 0;
537  ip4_header_t *inner_ip0 = 0;
538  void *l4_header = 0;
539  icmp46_header_t *inner_icmp0;
540  u8 dont_translate;
541  u32 new_addr0, old_addr0;
542  u16 old_id0, new_id0;
543  ip_csum_t sum0;
544  u16 checksum0;
545  u32 next0_tmp;
546  vlib_main_t *vm = vlib_get_main ();
547 
548  echo0 = (icmp_echo_header_t *) (icmp0 + 1);
549 
550  next0_tmp = sm->icmp_match_out2in_cb (sm, node, thread_index, b0, ip0,
551  &protocol, &sm0, &dont_translate, d,
552  e);
553  if (next0_tmp != ~0)
554  next0 = next0_tmp;
555  if (next0 == SNAT_OUT2IN_NEXT_DROP || dont_translate)
556  goto out;
557 
558  if (PREDICT_TRUE (!ip4_is_fragment (ip0)))
559  {
560  sum0 =
561  ip_incremental_checksum_buffer (vm, b0,
562  (u8 *) icmp0 -
563  (u8 *) vlib_buffer_get_current (b0),
564  ntohs (ip0->length) -
565  ip4_header_bytes (ip0), 0);
566  checksum0 = ~ip_csum_fold (sum0);
567  if (checksum0 != 0 && checksum0 != 0xffff)
568  {
569  next0 = SNAT_OUT2IN_NEXT_DROP;
570  goto out;
571  }
572  }
573 
574  old_addr0 = ip0->dst_address.as_u32;
575  new_addr0 = ip0->dst_address.as_u32 = sm0.addr.as_u32;
576  vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
577 
578  sum0 = ip0->checksum;
579  sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
580  dst_address /* changed member */ );
581  ip0->checksum = ip_csum_fold (sum0);
582 
583 
584  if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
585  {
586  if (icmp0->checksum == 0)
587  icmp0->checksum = 0xffff;
588 
589  if (!icmp_type_is_error_message (icmp0->type))
590  {
591  new_id0 = sm0.port;
592  if (PREDICT_FALSE (new_id0 != echo0->identifier))
593  {
594  old_id0 = echo0->identifier;
595  new_id0 = sm0.port;
596  echo0->identifier = new_id0;
597 
598  sum0 = icmp0->checksum;
599  sum0 =
600  ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
601  identifier /* changed member */ );
602  icmp0->checksum = ip_csum_fold (sum0);
603  }
604  }
605  else
606  {
607  inner_ip0 = (ip4_header_t *) (echo0 + 1);
608  l4_header = ip4_next_header (inner_ip0);
609 
610  if (!ip4_header_checksum_is_valid (inner_ip0))
611  {
612  next0 = SNAT_OUT2IN_NEXT_DROP;
613  goto out;
614  }
615 
616  old_addr0 = inner_ip0->src_address.as_u32;
617  inner_ip0->src_address = sm0.addr;
618  new_addr0 = inner_ip0->src_address.as_u32;
619 
620  sum0 = icmp0->checksum;
621  sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t,
622  src_address /* changed member */ );
623  icmp0->checksum = ip_csum_fold (sum0);
624 
625  switch (protocol)
626  {
627  case NAT_PROTOCOL_ICMP:
628  inner_icmp0 = (icmp46_header_t *) l4_header;
629  inner_echo0 = (icmp_echo_header_t *) (inner_icmp0 + 1);
630 
631  old_id0 = inner_echo0->identifier;
632  new_id0 = sm0.port;
633  inner_echo0->identifier = new_id0;
634 
635  sum0 = icmp0->checksum;
636  sum0 =
637  ip_csum_update (sum0, old_id0, new_id0, icmp_echo_header_t,
638  identifier);
639  icmp0->checksum = ip_csum_fold (sum0);
640  break;
641  case NAT_PROTOCOL_UDP:
642  case NAT_PROTOCOL_TCP:
643  old_id0 = ((tcp_udp_header_t *) l4_header)->src_port;
644  new_id0 = sm0.port;
645  ((tcp_udp_header_t *) l4_header)->src_port = new_id0;
646 
647  sum0 = icmp0->checksum;
648  sum0 = ip_csum_update (sum0, old_id0, new_id0, tcp_udp_header_t,
649  src_port);
650  icmp0->checksum = ip_csum_fold (sum0);
651  break;
652  default:
653  ASSERT (0);
654  }
655  }
656  }
657 
658 out:
659  return next0;
660 }
661 #endif
662 
663 static inline u32
664 icmp_out2in_slow_path (snat_main_t * sm,
665  vlib_buffer_t * b0,
666  ip4_header_t * ip0,
667  icmp46_header_t * icmp0,
668  u32 sw_if_index0,
669  u32 rx_fib_index0,
670  vlib_node_runtime_t * node,
671  u32 next0, f64 now,
672  u32 thread_index, snat_session_t ** p_s0)
673 {
674  vlib_main_t *vm = vlib_get_main ();
675 
676  next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
677  next0, thread_index, p_s0, 0);
678  snat_session_t *s0 = *p_s0;
679  if (PREDICT_TRUE (next0 != SNAT_OUT2IN_NEXT_DROP && s0))
680  {
681  /* Accounting */
682  nat44_session_update_counters (s0, now,
683  vlib_buffer_length_in_chain
684  (vm, b0), thread_index);
685  /* Per-user LRU list maintenance */
686  nat44_session_update_lru (sm, s0, thread_index);
687  }
688  return next0;
689 }
690 
691 static int
692 nat_out2in_sm_unknown_proto (snat_main_t * sm,
693  vlib_buffer_t * b,
694  ip4_header_t * ip, u32 rx_fib_index)
695 {
696  clib_bihash_kv_8_8_t kv, value;
697  snat_static_mapping_t *m;
698  snat_session_key_t m_key;
699  u32 old_addr, new_addr;
700  ip_csum_t sum;
701 
702  m_key.addr = ip->dst_address;
703  m_key.port = 0;
704  m_key.protocol = 0;
705  m_key.fib_index = 0;
706  kv.key = m_key.as_u64;
707  if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
708  return 1;
709 
710  m = pool_elt_at_index (sm->static_mappings, value.value);
711 
712  old_addr = ip->dst_address.as_u32;
713  new_addr = ip->dst_address.as_u32 = m->local_addr.as_u32;
714  sum = ip->checksum;
715  sum = ip_csum_update (sum, old_addr, new_addr, ip4_header_t, dst_address);
716  ip->checksum = ip_csum_fold (sum);
717 
718  vnet_buffer (b)->sw_if_index[VLIB_TX] = m->fib_index;
719  return 0;
720 }
721 
722 VLIB_NODE_FN (snat_out2in_node) (vlib_main_t * vm,
723  vlib_node_runtime_t * node,
724  vlib_frame_t * frame)
725 {
726  u32 n_left_from, *from, *to_next;
727  snat_out2in_next_t next_index;
728  u32 pkts_processed = 0;
729  snat_main_t *sm = &snat_main;
730  f64 now = vlib_time_now (vm);
731  u32 thread_index = vm->thread_index;
732  snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
733  u32 tcp_packets = 0, udp_packets = 0, icmp_packets = 0, other_packets =
734  0, fragments = 0;
735 
736  from = vlib_frame_vector_args (frame);
737  n_left_from = frame->n_vectors;
738  next_index = node->cached_next_index;
739 
740  while (n_left_from > 0)
741  {
742  u32 n_left_to_next;
743 
744  vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
745 
746  while (n_left_from >= 4 && n_left_to_next >= 2)
747  {
748  u32 bi0, bi1;
749  vlib_buffer_t *b0, *b1;
750  u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
751  u32 next1 = SNAT_OUT2IN_NEXT_LOOKUP;
752  u32 sw_if_index0, sw_if_index1;
753  ip4_header_t *ip0, *ip1;
754  ip_csum_t sum0, sum1;
755  u32 new_addr0, old_addr0;
756  u16 new_port0, old_port0;
757  u32 new_addr1, old_addr1;
758  u16 new_port1, old_port1;
759  udp_header_t *udp0, *udp1;
760  tcp_header_t *tcp0, *tcp1;
761  icmp46_header_t *icmp0, *icmp1;
762  snat_session_key_t key0, key1, sm0, sm1;
763  u32 rx_fib_index0, rx_fib_index1;
764  u32 proto0, proto1;
765  snat_session_t *s0 = 0, *s1 = 0;
766  clib_bihash_kv_8_8_t kv0, kv1, value0, value1;
767  u8 identity_nat0, identity_nat1;
768 
769  /* Prefetch next iteration. */
770  {
771  vlib_buffer_t *p2, *p3;
772 
773  p2 = vlib_get_buffer (vm, from[2]);
774  p3 = vlib_get_buffer (vm, from[3]);
775 
776  vlib_prefetch_buffer_header (p2, LOAD);
777  vlib_prefetch_buffer_header (p3, LOAD);
778 
779  CLIB_PREFETCH (p2->data, CLIB_CACHE_LINE_BYTES, STORE);
780  CLIB_PREFETCH (p3->data, CLIB_CACHE_LINE_BYTES, STORE);
781  }
782 
783  /* speculatively enqueue b0 and b1 to the current next frame */
784  to_next[0] = bi0 = from[0];
785  to_next[1] = bi1 = from[1];
786  from += 2;
787  to_next += 2;
788  n_left_from -= 2;
789  n_left_to_next -= 2;
790 
791  b0 = vlib_get_buffer (vm, bi0);
792  b1 = vlib_get_buffer (vm, bi1);
793 
794  vnet_buffer (b0)->snat.flags = 0;
795  vnet_buffer (b1)->snat.flags = 0;
796 
797  ip0 = vlib_buffer_get_current (b0);
798  udp0 = ip4_next_header (ip0);
799  tcp0 = (tcp_header_t *) udp0;
800  icmp0 = (icmp46_header_t *) udp0;
801 
802  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
803  rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
804  sw_if_index0);
805 
806  if (PREDICT_FALSE (ip0->ttl == 1))
807  {
808  vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
809  icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
810  ICMP4_time_exceeded_ttl_exceeded_in_transit,
811  0);
812  next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
813  goto trace0;
814  }
815 
816  proto0 = ip_proto_to_nat_proto (ip0->protocol);
817 
818  if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
819  {
820  if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
821  {
822  if (!sm->forwarding_enabled)
823  {
824  b0->error =
825  node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
826  next0 = SNAT_OUT2IN_NEXT_DROP;
827  }
828  }
829  other_packets++;
830  goto trace0;
831  }
832 
833  if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
834  {
835  next0 = icmp_out2in_slow_path
836  (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
837  next0, now, thread_index, &s0);
838  icmp_packets++;
839  goto trace0;
840  }
841 
842  key0.addr = ip0->dst_address;
843  key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
844  key0.protocol = proto0;
845  key0.fib_index = rx_fib_index0;
846 
847  kv0.key = key0.as_u64;
848 
849  if (clib_bihash_search_8_8
850  (&sm->per_thread_data[thread_index].out2in, &kv0, &value0))
851  {
852  /* Try to match static mapping by external address and port,
853  destination address and port in packet */
854  if (snat_static_mapping_match
855  (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
856  {
857  /*
858  * Send DHCP packets to the ipv4 stack, or we won't
859  * be able to use dhcp client on the outside interface
860  */
861  if (PREDICT_FALSE
862  (proto0 == NAT_PROTOCOL_UDP
863  && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
864  clib_host_to_net_u16
865  (UDP_DST_PORT_dhcp_to_client))))
866  {
867  vnet_feature_next (&next0, b0);
868  goto trace0;
869  }
870 
871  if (!sm->forwarding_enabled)
872  {
873  b0->error =
874  node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
875  next0 = SNAT_OUT2IN_NEXT_DROP;
876  }
877  goto trace0;
878  }
879 
880  if (PREDICT_FALSE (identity_nat0))
881  goto trace0;
882 
883  /* Create session initiated by host from external network */
884  s0 = create_session_for_static_mapping (sm, b0, sm0, key0, node,
885  thread_index, now);
886  if (!s0)
887  {
888  next0 = SNAT_OUT2IN_NEXT_DROP;
889  goto trace0;
890  }
891  }
892  else
893  s0 = pool_elt_at_index (tsm->sessions, value0.value);
894 
895  old_addr0 = ip0->dst_address.as_u32;
896  ip0->dst_address = s0->in2out.addr;
897  new_addr0 = ip0->dst_address.as_u32;
898  vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
899 
900  sum0 = ip0->checksum;
901  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
902  ip4_header_t,
903  dst_address /* changed member */ );
904  ip0->checksum = ip_csum_fold (sum0);
905 
906  if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
907  {
908  if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
909  {
910  old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
911  new_port0 = udp0->dst_port = s0->in2out.port;
912  sum0 = tcp0->checksum;
913  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
914  ip4_header_t,
915  dst_address /* changed member */ );
916 
917  sum0 = ip_csum_update (sum0, old_port0, new_port0,
918  ip4_header_t /* cheat */ ,
919  length /* changed member */ );
920  tcp0->checksum = ip_csum_fold (sum0);
921  }
922  tcp_packets++;
923  }
924  else
925  {
926  if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
927  {
928  old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
929  new_port0 = udp0->dst_port = s0->in2out.port;
930  if (PREDICT_FALSE (udp0->checksum))
931  {
932  sum0 = udp0->checksum;
933  sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
934  );
935  sum0 =
936  ip_csum_update (sum0, old_port0, new_port0,
937  ip4_header_t /* cheat */ ,
938  length /* changed member */ );
939  udp0->checksum = ip_csum_fold (sum0);
940  }
941  }
942  udp_packets++;
943  }
944 
945  /* Accounting */
946  nat44_session_update_counters (s0, now,
947  vlib_buffer_length_in_chain (vm, b0),
948  thread_index);
949  /* Per-user LRU list maintenance */
950  nat44_session_update_lru (sm, s0, thread_index);
951  trace0:
952 
953  if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
954  && (b0->flags & VLIB_BUFFER_IS_TRACED)))
955  {
956  snat_out2in_trace_t *t =
957  vlib_add_trace (vm, node, b0, sizeof (*t));
958  t->sw_if_index = sw_if_index0;
959  t->next_index = next0;
960  t->session_index = ~0;
961  if (s0)
962  t->session_index =
963  s0 - sm->per_thread_data[thread_index].sessions;
964  }
965 
966  pkts_processed += next0 == SNAT_OUT2IN_NEXT_LOOKUP;
967 
968 
969  ip1 = vlib_buffer_get_current (b1);
970  udp1 = ip4_next_header (ip1);
971  tcp1 = (tcp_header_t *) udp1;
972  icmp1 = (icmp46_header_t *) udp1;
973 
974  sw_if_index1 = vnet_buffer (b1)->sw_if_index[VLIB_RX];
975  rx_fib_index1 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
976  sw_if_index1);
977 
978  if (PREDICT_FALSE (ip1->ttl == 1))
979  {
980  vnet_buffer (b1)->sw_if_index[VLIB_TX] = (u32) ~ 0;
981  icmp4_error_set_vnet_buffer (b1, ICMP4_time_exceeded,
982  ICMP4_time_exceeded_ttl_exceeded_in_transit,
983  0);
984  next1 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
985  goto trace1;
986  }
987 
988  proto1 = ip_proto_to_nat_proto (ip1->protocol);
989 
990  if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_OTHER))
991  {
992  if (nat_out2in_sm_unknown_proto (sm, b1, ip1, rx_fib_index1))
993  {
994  if (!sm->forwarding_enabled)
995  {
996  b1->error =
997  node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
998  next1 = SNAT_OUT2IN_NEXT_DROP;
999  }
1000  }
1001  other_packets++;
1002  goto trace1;
1003  }
1004 
1005  if (PREDICT_FALSE (proto1 == NAT_PROTOCOL_ICMP))
1006  {
1007  next1 = icmp_out2in_slow_path
1008  (sm, b1, ip1, icmp1, sw_if_index1, rx_fib_index1, node,
1009  next1, now, thread_index, &s1);
1010  icmp_packets++;
1011  goto trace1;
1012  }
1013 
1014  key1.addr = ip1->dst_address;
1015  key1.port = vnet_buffer (b1)->ip.reass.l4_dst_port;
1016  key1.protocol = proto1;
1017  key1.fib_index = rx_fib_index1;
1018 
1019  kv1.key = key1.as_u64;
1020 
1021  if (clib_bihash_search_8_8
1022  (&sm->per_thread_data[thread_index].out2in, &kv1, &value1))
1023  {
1024  /* Try to match static mapping by external address and port,
1025  destination address and port in packet */
1026  if (snat_static_mapping_match
1027  (sm, key1, &sm1, 1, 0, 0, 0, 0, &identity_nat1))
1028  {
1029  /*
1030  * Send DHCP packets to the ipv4 stack, or we won't
1031  * be able to use dhcp client on the outside interface
1032  */
1033  if (PREDICT_FALSE
1034  (proto1 == NAT_PROTOCOL_UDP
1035  && (vnet_buffer (b1)->ip.reass.l4_dst_port ==
1036  clib_host_to_net_u16
1037  (UDP_DST_PORT_dhcp_to_client))))
1038  {
1039  vnet_feature_next (&next1, b1);
1040  goto trace1;
1041  }
1042 
1043  if (!sm->forwarding_enabled)
1044  {
1045  b1->error =
1046  node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1047  next1 = SNAT_OUT2IN_NEXT_DROP;
1048  }
1049  goto trace1;
1050  }
1051 
1052  if (PREDICT_FALSE (identity_nat1))
1053  goto trace1;
1054 
1055  /* Create session initiated by host from external network */
1056  s1 = create_session_for_static_mapping (sm, b1, sm1, key1, node,
1057  thread_index, now);
1058  if (!s1)
1059  {
1060  next1 = SNAT_OUT2IN_NEXT_DROP;
1061  goto trace1;
1062  }
1063  }
1064  else
1065  s1 =
1066  pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1067  value1.value);
1068 
1069  old_addr1 = ip1->dst_address.as_u32;
1070  ip1->dst_address = s1->in2out.addr;
1071  new_addr1 = ip1->dst_address.as_u32;
1072  vnet_buffer (b1)->sw_if_index[VLIB_TX] = s1->in2out.fib_index;
1073 
1074  sum1 = ip1->checksum;
1075  sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1076  ip4_header_t,
1077  dst_address /* changed member */ );
1078  ip1->checksum = ip_csum_fold (sum1);
1079 
1080  if (PREDICT_TRUE (proto1 == NAT_PROTOCOL_TCP))
1081  {
1082  if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1083  {
1084  old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
1085  new_port1 = udp1->dst_port = s1->in2out.port;
1086 
1087  sum1 = tcp1->checksum;
1088  sum1 = ip_csum_update (sum1, old_addr1, new_addr1,
1089  ip4_header_t,
1090  dst_address /* changed member */ );
1091 
1092  sum1 = ip_csum_update (sum1, old_port1, new_port1,
1093  ip4_header_t /* cheat */ ,
1094  length /* changed member */ );
1095  tcp1->checksum = ip_csum_fold (sum1);
1096  }
1097  tcp_packets++;
1098  }
1099  else
1100  {
1101  if (!vnet_buffer (b1)->ip.reass.is_non_first_fragment)
1102  {
1103  old_port1 = vnet_buffer (b1)->ip.reass.l4_dst_port;
1104  new_port1 = udp1->dst_port = s1->in2out.port;
1105  if (PREDICT_FALSE (udp1->checksum))
1106  {
1107 
1108  sum1 = udp1->checksum;
1109  sum1 =
1110  ip_csum_update (sum1, old_addr1, new_addr1,
1111  ip4_header_t,
1112  dst_address /* changed member */ );
1113  sum1 =
1114  ip_csum_update (sum1, old_port1, new_port1,
1115  ip4_header_t /* cheat */ ,
1116  length /* changed member */ );
1117  udp1->checksum = ip_csum_fold (sum1);
1118  }
1119  }
1120  udp_packets++;
1121  }
1122 
1123  /* Accounting */
1124  nat44_session_update_counters (s1, now,
1125  vlib_buffer_length_in_chain (vm, b1),
1126  thread_index);
1127  /* Per-user LRU list maintenance */
1128  nat44_session_update_lru (sm, s1, thread_index);
1129  trace1:
1130 
1131  if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1132  && (b1->flags & VLIB_BUFFER_IS_TRACED)))
1133  {
1134  snat_out2in_trace_t *t =
1135  vlib_add_trace (vm, node, b1, sizeof (*t));
1136  t->sw_if_index = sw_if_index1;
1137  t->next_index = next1;
1138  t->session_index = ~0;
1139  if (s1)
1140  t->session_index =
1141  s1 - sm->per_thread_data[thread_index].sessions;
1142  }
1143 
1144  pkts_processed += next1 == SNAT_OUT2IN_NEXT_LOOKUP;
1145 
1146  /* verify speculative enqueues, maybe switch current next frame */
1147  vlib_validate_buffer_enqueue_x2 (vm, node, next_index,
1148  to_next, n_left_to_next,
1149  bi0, bi1, next0, next1);
1150  }
1151 
1152  while (n_left_from > 0 && n_left_to_next > 0)
1153  {
1154  u32 bi0;
1155  vlib_buffer_t *b0;
1156  u32 next0 = SNAT_OUT2IN_NEXT_LOOKUP;
1157  u32 sw_if_index0;
1158  ip4_header_t *ip0;
1159  ip_csum_t sum0;
1160  u32 new_addr0, old_addr0;
1161  u16 new_port0, old_port0;
1162  udp_header_t *udp0;
1163  tcp_header_t *tcp0;
1164  icmp46_header_t *icmp0;
1165  snat_session_key_t key0, sm0;
1166  u32 rx_fib_index0;
1167  u32 proto0;
1168  snat_session_t *s0 = 0;
1169  clib_bihash_kv_8_8_t kv0, value0;
1170  u8 identity_nat0;
1171 
1172  /* speculatively enqueue b0 to the current next frame */
1173  bi0 = from[0];
1174  to_next[0] = bi0;
1175  from += 1;
1176  to_next += 1;
1177  n_left_from -= 1;
1178  n_left_to_next -= 1;
1179 
1180  b0 = vlib_get_buffer (vm, bi0);
1181 
1182  vnet_buffer (b0)->snat.flags = 0;
1183 
1184  ip0 = vlib_buffer_get_current (b0);
1185  udp0 = ip4_next_header (ip0);
1186  tcp0 = (tcp_header_t *) udp0;
1187  icmp0 = (icmp46_header_t *) udp0;
1188 
1189  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1190  rx_fib_index0 = vec_elt (sm->ip4_main->fib_index_by_sw_if_index,
1191  sw_if_index0);
1192 
1193  proto0 = ip_proto_to_nat_proto (ip0->protocol);
1194 
1195  if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1196  {
1197  if (nat_out2in_sm_unknown_proto (sm, b0, ip0, rx_fib_index0))
1198  {
1199  if (!sm->forwarding_enabled)
1200  {
1201  b0->error =
1202  node->errors[SNAT_OUT2IN_ERROR_UNSUPPORTED_PROTOCOL];
1203  next0 = SNAT_OUT2IN_NEXT_DROP;
1204  }
1205  }
1206  other_packets++;
1207  goto trace00;
1208  }
1209 
1210  if (PREDICT_FALSE (ip0->ttl == 1))
1211  {
1212  vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1213  icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1214  ICMP4_time_exceeded_ttl_exceeded_in_transit,
1215  0);
1216  next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1217  goto trace00;
1218  }
1219 
1220  if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1221  {
1222  next0 = icmp_out2in_slow_path
1223  (sm, b0, ip0, icmp0, sw_if_index0, rx_fib_index0, node,
1224  next0, now, thread_index, &s0);
1225  icmp_packets++;
1226  goto trace00;
1227  }
1228 
1229  key0.addr = ip0->dst_address;
1230  key0.port = vnet_buffer (b0)->ip.reass.l4_dst_port;
1231  key0.protocol = proto0;
1232  key0.fib_index = rx_fib_index0;
1233 
1234  kv0.key = key0.as_u64;
1235 
1236  if (clib_bihash_search_8_8
1237  (&sm->per_thread_data[thread_index].out2in, &kv0, &value0))
1238  {
1239  /* Try to match static mapping by external address and port,
1240  destination address and port in packet */
1241  if (snat_static_mapping_match
1242  (sm, key0, &sm0, 1, 0, 0, 0, 0, &identity_nat0))
1243  {
1244  /*
1245  * Send DHCP packets to the ipv4 stack, or we won't
1246  * be able to use dhcp client on the outside interface
1247  */
1248  if (PREDICT_FALSE
1249  (proto0 == NAT_PROTOCOL_UDP
1250  && (vnet_buffer (b0)->ip.reass.l4_dst_port ==
1251  clib_host_to_net_u16
1252  (UDP_DST_PORT_dhcp_to_client))))
1253  {
1254  vnet_feature_next (&next0, b0);
1255  goto trace00;
1256  }
1257 
1258  if (!sm->forwarding_enabled)
1259  {
1260  b0->error =
1261  node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1262  next0 = SNAT_OUT2IN_NEXT_DROP;
1263  }
1264  goto trace00;
1265  }
1266 
1267  if (PREDICT_FALSE (identity_nat0))
1268  goto trace00;
1269 
1270  /* Create session initiated by host from external network */
1271  s0 = create_session_for_static_mapping (sm, b0, sm0, key0, node,
1272  thread_index, now);
1273  if (!s0)
1274  {
1275  next0 = SNAT_OUT2IN_NEXT_DROP;
1276  goto trace00;
1277  }
1278  }
1279  else
1280  s0 =
1281  pool_elt_at_index (sm->per_thread_data[thread_index].sessions,
1282  value0.value);
1283 
1284  old_addr0 = ip0->dst_address.as_u32;
1285  ip0->dst_address = s0->in2out.addr;
1286  new_addr0 = ip0->dst_address.as_u32;
1287  vnet_buffer (b0)->sw_if_index[VLIB_TX] = s0->in2out.fib_index;
1288 
1289  sum0 = ip0->checksum;
1290  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1291  ip4_header_t,
1292  dst_address /* changed member */ );
1293  ip0->checksum = ip_csum_fold (sum0);
1294 
1295  if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1296  {
1297  if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1298  {
1299  old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1300  new_port0 = udp0->dst_port = s0->in2out.port;
1301 
1302  sum0 = tcp0->checksum;
1303  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1304  ip4_header_t,
1305  dst_address /* changed member */ );
1306 
1307  sum0 = ip_csum_update (sum0, old_port0, new_port0,
1308  ip4_header_t /* cheat */ ,
1309  length /* changed member */ );
1310  tcp0->checksum = ip_csum_fold (sum0);
1311  }
1312  tcp_packets++;
1313  }
1314  else
1315  {
1316  if (!vnet_buffer (b0)->ip.reass.is_non_first_fragment)
1317  {
1318  old_port0 = vnet_buffer (b0)->ip.reass.l4_dst_port;
1319  new_port0 = udp0->dst_port = s0->in2out.port;
1320  if (PREDICT_FALSE (udp0->checksum))
1321  {
1322  sum0 = udp0->checksum;
1323  sum0 = ip_csum_update (sum0, old_addr0, new_addr0, ip4_header_t, dst_address /* changed member */
1324  );
1325  sum0 =
1326  ip_csum_update (sum0, old_port0, new_port0,
1327  ip4_header_t /* cheat */ ,
1328  length /* changed member */ );
1329  udp0->checksum = ip_csum_fold (sum0);
1330  }
1331  }
1332  udp_packets++;
1333  }
1334 
1335  /* Accounting */
1336  nat44_session_update_counters (s0, now,
1337  vlib_buffer_length_in_chain (vm, b0),
1338  thread_index);
1339  /* Per-user LRU list maintenance */
1340  nat44_session_update_lru (sm, s0, thread_index);
1341  trace00:
1342 
1343  if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1344  && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1345  {
1346  snat_out2in_trace_t *t =
1347  vlib_add_trace (vm, node, b0, sizeof (*t));
1348  t->sw_if_index = sw_if_index0;
1349  t->next_index = next0;
1350  t->session_index = ~0;
1351  if (s0)
1352  t->session_index =
1353  s0 - sm->per_thread_data[thread_index].sessions;
1354  }
1355 
1356  pkts_processed += next0 == SNAT_OUT2IN_NEXT_LOOKUP;
1357 
1358  /* verify speculative enqueue, maybe switch current next frame */
1359  vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1360  to_next, n_left_to_next,
1361  bi0, next0);
1362  }
1363 
1364  vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1365  }
1366 
1367  vlib_node_increment_counter (vm, sm->out2in_node_index,
1368  SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1369  pkts_processed);
1370  vlib_node_increment_counter (vm, sm->out2in_node_index,
1371  SNAT_OUT2IN_ERROR_TCP_PACKETS, tcp_packets);
1372  vlib_node_increment_counter (vm, sm->out2in_node_index,
1373  SNAT_OUT2IN_ERROR_UDP_PACKETS, udp_packets);
1374  vlib_node_increment_counter (vm, sm->out2in_node_index,
1375  SNAT_OUT2IN_ERROR_ICMP_PACKETS, icmp_packets);
1376  vlib_node_increment_counter (vm, sm->out2in_node_index,
1377  SNAT_OUT2IN_ERROR_OTHER_PACKETS,
1378  other_packets);
1379  vlib_node_increment_counter (vm, sm->out2in_node_index,
1380  SNAT_OUT2IN_ERROR_FRAGMENTS, fragments);
1381 
1382  return frame->n_vectors;
1383 }
1384 
1385 /* *INDENT-OFF* */
1386 VLIB_REGISTER_NODE (snat_out2in_node) = {
1387  .name = "nat44-out2in",
1388  .vector_size = sizeof (u32),
1389  .format_trace = format_snat_out2in_trace,
1390  .type = VLIB_NODE_TYPE_INTERNAL,
1391 
1392  .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1393  .error_strings = snat_out2in_error_strings,
1394 
1395  .runtime_data_bytes = sizeof (snat_runtime_t),
1396 
1397  .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1398 
1399  /* edit / add dispositions here */
1400  .next_nodes = {
1401  [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1402  [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1403  [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1404  },
1405 };
1406 /* *INDENT-ON* */
1407 
1408 VLIB_NODE_FN (snat_out2in_fast_node) (vlib_main_t * vm,
1409  vlib_node_runtime_t * node,
1410  vlib_frame_t * frame)
1411 {
1412  u32 n_left_from, *from, *to_next;
1413  snat_out2in_next_t next_index;
1414  u32 pkts_processed = 0;
1415  snat_main_t *sm = &snat_main;
1416 
1417  from = vlib_frame_vector_args (frame);
1418  n_left_from = frame->n_vectors;
1419  next_index = node->cached_next_index;
1420 
1421  while (n_left_from > 0)
1422  {
1423  u32 n_left_to_next;
1424 
1425  vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);
1426 
1427  while (n_left_from > 0 && n_left_to_next > 0)
1428  {
1429  u32 bi0;
1430  vlib_buffer_t *b0;
1431  u32 next0 = SNAT_OUT2IN_NEXT_DROP;
1432  u32 sw_if_index0;
1433  ip4_header_t *ip0;
1434  ip_csum_t sum0;
1435  u32 new_addr0, old_addr0;
1436  u16 new_port0, old_port0;
1437  udp_header_t *udp0;
1438  tcp_header_t *tcp0;
1439  icmp46_header_t *icmp0;
1440  snat_session_key_t key0, sm0;
1441  u32 proto0;
1442  u32 rx_fib_index0;
1443 
1444  /* speculatively enqueue b0 to the current next frame */
1445  bi0 = from[0];
1446  to_next[0] = bi0;
1447  from += 1;
1448  to_next += 1;
1449  n_left_from -= 1;
1450  n_left_to_next -= 1;
1451 
1452  b0 = vlib_get_buffer (vm, bi0);
1453 
1454  ip0 = vlib_buffer_get_current (b0);
1455  udp0 = ip4_next_header (ip0);
1456  tcp0 = (tcp_header_t *) udp0;
1457  icmp0 = (icmp46_header_t *) udp0;
1458 
1459  sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_RX];
1460  rx_fib_index0 =
1461  ip4_fib_table_get_index_for_sw_if_index (sw_if_index0);
1462 
1463  vnet_feature_next (&next0, b0);
1464 
1465  if (PREDICT_FALSE (ip0->ttl == 1))
1466  {
1467  vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
1468  icmp4_error_set_vnet_buffer (b0, ICMP4_time_exceeded,
1469  ICMP4_time_exceeded_ttl_exceeded_in_transit,
1470  0);
1471  next0 = SNAT_OUT2IN_NEXT_ICMP_ERROR;
1472  goto trace00;
1473  }
1474 
1475  proto0 = ip_proto_to_nat_proto (ip0->protocol);
1476 
1477  if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_OTHER))
1478  goto trace00;
1479 
1480  if (PREDICT_FALSE (proto0 == NAT_PROTOCOL_ICMP))
1481  {
1482  next0 = icmp_out2in (sm, b0, ip0, icmp0, sw_if_index0,
1483  rx_fib_index0, node, next0, ~0, 0, 0);
1484  goto trace00;
1485  }
1486 
1487  key0.addr = ip0->dst_address;
1488  key0.port = udp0->dst_port;
1489  key0.fib_index = rx_fib_index0;
1490 
1491  if (snat_static_mapping_match (sm, key0, &sm0, 1, 0, 0, 0, 0, 0))
1492  {
1493  b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
1494  goto trace00;
1495  }
1496 
1497  new_addr0 = sm0.addr.as_u32;
1498  new_port0 = sm0.port;
1499  vnet_buffer (b0)->sw_if_index[VLIB_TX] = sm0.fib_index;
1500  old_addr0 = ip0->dst_address.as_u32;
1501  ip0->dst_address.as_u32 = new_addr0;
1502 
1503  sum0 = ip0->checksum;
1504  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1505  ip4_header_t,
1506  dst_address /* changed member */ );
1507  ip0->checksum = ip_csum_fold (sum0);
1508 
1509  if (PREDICT_FALSE (new_port0 != udp0->dst_port))
1510  {
1511  old_port0 = udp0->dst_port;
1512  udp0->dst_port = new_port0;
1513 
1514  if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1515  {
1516  sum0 = tcp0->checksum;
1517  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1518  ip4_header_t,
1519  dst_address /* changed member */ );
1520  sum0 = ip_csum_update (sum0, old_port0, new_port0,
1521  ip4_header_t /* cheat */ ,
1522  length /* changed member */ );
1523  tcp0->checksum = ip_csum_fold (sum0);
1524  }
1525  else if (udp0->checksum)
1526  {
1527  sum0 = udp0->checksum;
1528  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1529  ip4_header_t,
1530  dst_address /* changed member */ );
1531  sum0 = ip_csum_update (sum0, old_port0, new_port0,
1532  ip4_header_t /* cheat */ ,
1533  length /* changed member */ );
1534  udp0->checksum = ip_csum_fold (sum0);
1535  }
1536  }
1537  else
1538  {
1539  if (PREDICT_TRUE (proto0 == NAT_PROTOCOL_TCP))
1540  {
1541  sum0 = tcp0->checksum;
1542  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1543  ip4_header_t,
1544  dst_address /* changed member */ );
1545  tcp0->checksum = ip_csum_fold (sum0);
1546  }
1547  else if (udp0->checksum)
1548  {
1549  sum0 = udp0->checksum;
1550  sum0 = ip_csum_update (sum0, old_addr0, new_addr0,
1551  ip4_header_t,
1552  dst_address /* changed member */ );
1553  udp0->checksum = ip_csum_fold (sum0);
1554  }
1555  }
1556 
1557  trace00:
1558 
1559  if (PREDICT_FALSE ((node->flags & VLIB_NODE_FLAG_TRACE)
1560  && (b0->flags & VLIB_BUFFER_IS_TRACED)))
1561  {
1562  snat_out2in_trace_t *t =
1563  vlib_add_trace (vm, node, b0, sizeof (*t));
1564  t->sw_if_index = sw_if_index0;
1565  t->next_index = next0;
1566  }
1567 
1568  pkts_processed += next0 != SNAT_OUT2IN_NEXT_DROP;
1569 
1570  /* verify speculative enqueue, maybe switch current next frame */
1571  vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
1572  to_next, n_left_to_next,
1573  bi0, next0);
1574  }
1575 
1576  vlib_put_next_frame (vm, node, next_index, n_left_to_next);
1577  }
1578 
1579  vlib_node_increment_counter (vm, sm->out2in_fast_node_index,
1580  SNAT_OUT2IN_ERROR_OUT2IN_PACKETS,
1581  pkts_processed);
1582  return frame->n_vectors;
1583 }
1584 
1585 /* *INDENT-OFF* */
1586 VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
1587  .name = "nat44-out2in-fast",
1588  .vector_size = sizeof (u32),
1589  .format_trace = format_snat_out2in_fast_trace,
1590  .type = VLIB_NODE_TYPE_INTERNAL,
1591 
1592  .n_errors = ARRAY_LEN(snat_out2in_error_strings),
1593  .error_strings = snat_out2in_error_strings,
1594 
1595  .runtime_data_bytes = sizeof (snat_runtime_t),
1596 
1597  .n_next_nodes = SNAT_OUT2IN_N_NEXT,
1598 
1599  /* edit / add dispositions here */
1600  .next_nodes = {
1601  [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
1602  [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
1603  [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
1604  },
1605 };
1606 /* *INDENT-ON* */
1607 
1608 /*
1609  * fd.io coding-style-patch-verification: ON
1610  *
1611  * Local Variables:
1612  * eval: (c-set-style "gnu")
1613  * End:
1614  */
snat_out2in_fast_node
vlib_node_registration_t snat_out2in_fast_node
(constructor) VLIB_REGISTER_NODE (snat_out2in_fast_node)
Definition: out2in.c:1586
vlib_buffer_t::flags
u32 flags
buffer flags: VLIB_BUFFER_FREE_LIST_INDEX_MASK: bits used to store free list index, VLIB_BUFFER_IS_TRACED: trace this buffer.
Definition: buffer.h:124
ip_incremental_checksum_buffer
static ip_csum_t ip_incremental_checksum_buffer(vlib_main_t *vm, vlib_buffer_t *first_buffer, u32 first_buffer_offset, u32 n_bytes_to_checksum, ip_csum_t sum)
Definition: ip.h:152
snat_is_session_static
#define snat_is_session_static(s)
Check if SNAT session is created from static mapping.
Definition: nat.h:728
snat_user_t
Definition: nat.h:303
CLIB_UNUSED
#define CLIB_UNUSED(x)
Definition: clib.h:86
icmp_match_out2in_slow
u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node, u32 thread_index, vlib_buffer_t *b0, ip4_header_t *ip0, u8 *p_proto, snat_session_key_t *p_value, u8 *p_dont_translate, void *d, void *e)
Get address and port values to be used for ICMP packet translation and create session if needed...
Definition: out2in.c:326
ip4_header_t::src_address
ip4_address_t src_address
Definition: ip4_packet.h:170
ip4_header_t::ttl
u8 ttl
Definition: ip4_packet.h:157
format_snat_out2in_fast_trace
static u8 * format_snat_out2in_fast_trace(u8 *s, va_list *args)
Definition: out2in.c:62
nat44_session_get_timeout
static u32 nat44_session_get_timeout(snat_main_t *sm, snat_session_t *s)
Definition: nat_inlines.h:385
nat_elog_notice
#define nat_elog_notice(nat_elog_str)
Definition: nat.h:986
icmp_out2in_slow_path
static u32 icmp_out2in_slow_path(snat_main_t *sm, vlib_buffer_t *b0, ip4_header_t *ip0, icmp46_header_t *icmp0, u32 sw_if_index0, u32 rx_fib_index0, vlib_node_runtime_t *node, u32 next0, f64 now, u32 thread_index, snat_session_t **p_s0)
Definition: out2in.c:664
PREDICT_TRUE
#define PREDICT_TRUE(x)
Definition: clib.h:119
u64
unsigned long u64
Definition: types.h:89
snat_out2in_trace_t::next_index
u32 next_index
Definition: out2in.c:42
vlib_time_now
static f64 vlib_time_now(vlib_main_t *vm)
Definition: main.h:291
vlib_main_t::thread_index
u32 thread_index
Definition: main.h:218
ip_csum_t
uword ip_csum_t
Definition: ip_packet.h:244
nat_elog_warn
#define nat_elog_warn(nat_elog_str)
Definition: nat.h:988
nat_ha_sadd
void nat_ha_sadd(ip4_address_t *in_addr, u16 in_port, ip4_address_t *out_addr, u16 out_port, ip4_address_t *eh_addr, u16 eh_port, ip4_address_t *ehn_addr, u16 ehn_port, u8 proto, u32 fib_index, u16 flags, u32 thread_index, u8 is_resync)
Create session add HA event.
Definition: nat_ha.c:689
ip4_main_t::fib_index_by_sw_if_index
u32 * fib_index_by_sw_if_index
Table index indexed by software interface.
Definition: ip4.h:122
format
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
ip4_fib.h
snat_static_mapping_t
Definition: nat.h:396
VLIB_NODE_FN
#define VLIB_NODE_FN(node)
Definition: node.h:202
tcp_udp_header_t
Definition: nat.h:1423
snat_out2in_trace_t::session_index
u32 session_index
Definition: out2in.c:43
vlib_node_runtime_t::errors
vlib_error_t * errors
Vector of errors for this node.
Definition: node.h:472
nat44_o2i_is_idle_session_cb
int nat44_o2i_is_idle_session_cb(clib_bihash_kv_8_8_t *kv, void *arg)
Definition: out2in.c:115
vlib_buffer_length_in_chain
static uword vlib_buffer_length_in_chain(vlib_main_t *vm, vlib_buffer_t *b)
Get length in bytes of the buffer chain.
Definition: buffer_funcs.h:402
udp_header_t
Definition: udp_packet.h:43
snat_ipfix_logging_nat44_ses_create
void snat_ipfix_logging_nat44_ses_create(u32 thread_index, u32 src_ip, u32 nat_src_ip, nat_protocol_t nat_proto, u16 src_port, u16 nat_src_port, u32 vrf_id)
Generate NAT44 session create event.
Definition: nat_ipfix_logging.c:1309
tcp_header_t
struct _tcp_header tcp_header_t
u8
unsigned char u8
Definition: types.h:56
vlib_frame_t
Definition: node.h:384
f64
double f64
Definition: types.h:142
ip4_is_fragment
static int ip4_is_fragment(const ip4_header_t *i)
Definition: ip4_packet.h:213
icmp_echo_header_t::identifier
u16 identifier
Definition: nat.h:1419
nat_session_alloc_or_recycle
snat_session_t * nat_session_alloc_or_recycle(snat_main_t *sm, snat_user_t *u, u32 thread_index, f64 now)
Allocate new NAT session or recycle last used.
Definition: nat.c:533
src_port
u16 src_port
Definition: udp.api:41
snat_main_per_thread_data_t::in2out
clib_bihash_8_8_t in2out
Definition: nat.h:454
protocol
vl_api_ip_proto_t protocol
Definition: lb_types.api:71
vlib_node_runtime_t
Definition: node.h:466
ip4_fib_table_get_index_for_sw_if_index
u32 ip4_fib_table_get_index_for_sw_if_index(u32 sw_if_index)
Definition: ip4_fib.c:230
udp_header_t::src_port
u16 src_port
Definition: udp_packet.h:46
static_always_inline
#define static_always_inline
Definition: clib.h:106
ip4_header_checksum_is_valid
static uword ip4_header_checksum_is_valid(ip4_header_t *i)
Definition: ip4_packet.h:332
ip_proto_to_nat_proto
static nat_protocol_t ip_proto_to_nat_proto(u8 ip_proto)
Common NAT inline functions.
Definition: inlines.h:22
nat_syslog_nat44_apmdel
void nat_syslog_nat44_apmdel(u32 ssubix, u32 sfibix, ip4_address_t *isaddr, u16 isport, ip4_address_t *xsaddr, u16 xsport, nat_protocol_t proto)
Definition: nat_syslog.c:116
icmp_echo_header_t
Definition: nat.h:1417
ip4_header_t::dst_address
ip4_address_t dst_address
Definition: ip4_packet.h:170
vlib_prefetch_buffer_header
#define vlib_prefetch_buffer_header(b, type)
Prefetch buffer metadata.
Definition: buffer.h:203
vec_elt_at_index
#define vec_elt_at_index(v, i)
Get vector value at index i checking that i is in bounds.
Definition: vec_bootstrap.h:201
icmp_type_is_error_message
static_always_inline u8 icmp_type_is_error_message(u8 icmp_type)
Definition: inlines.h:53
snat_out2in_trace_t
Definition: out2in.c:39
snat_main_s::ip4_main
ip4_main_t * ip4_main
Definition: nat.h:672
ip4_next_header
static void * ip4_next_header(ip4_header_t *i)
Definition: ip4_packet.h:241
u32
unsigned int u32
Definition: types.h:88
snat_session_key_t::as_u64
u64 as_u64
Definition: nat.h:82
foreach_snat_out2in_error
#define foreach_snat_out2in_error
Definition: out2in.c:73
snat_static_mapping_t::local_addr
ip4_address_t local_addr
Definition: nat.h:399
snat_static_mapping_match
int snat_static_mapping_match(snat_main_t *sm, snat_session_key_t match, snat_session_key_t *mapping, u8 by_external, u8 *is_addr_only, twice_nat_type_t *twice_nat, lb_nat_type_t *lb, ip4_address_t *ext_host_addr, u8 *is_identity_nat)
Match NAT44 static mapping.
Definition: nat.c:2741
snat_free_outside_address_and_port
void snat_free_outside_address_and_port(snat_address_t *addresses, u32 thread_index, snat_session_key_t *k)
Free outside address and port pair.
Definition: nat.c:2669
nat44_delete_session
static void nat44_delete_session(snat_main_t *sm, snat_session_t *ses, u32 thread_index)
Definition: nat_inlines.h:249
type
vl_api_fib_path_type_t type
Definition: fib_types.api:123
vlib_buffer_t::error
vlib_error_t error
Error code for buffers to be enqueued to error handler.
Definition: buffer.h:136
snat_out2in_next_t
snat_out2in_next_t
Definition: out2in.c:105
nat_user_get_or_create
snat_user_t * nat_user_get_or_create(snat_main_t *sm, ip4_address_t *addr, u32 fib_index, u32 thread_index)
Find or create NAT user.
Definition: nat.c:481
nat_syslog_nat44_apmadd
void nat_syslog_nat44_apmadd(u32 ssubix, u32 sfibix, ip4_address_t *isaddr, u16 isport, ip4_address_t *xsaddr, u16 xsport, nat_protocol_t proto)
Definition: nat_syslog.c:107
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:534
snat_session_key_t
Definition: nat.h:72
clib_bihash_kv_8_8_t::key
u64 key
the key
Definition: bihash_8_8.h:41
nat44_is_idle_session_ctx_t
Definition: nat.h:677
ctx
long ctx[MAX_CONNS]
Definition: main.c:144
u16
unsigned short u16
Definition: types.h:57
snat_session_key_t::protocol
u16 protocol
Definition: nat.h:80
snat_main_s::static_mappings
snat_static_mapping_t * static_mappings
Definition: nat.h:545
vlib_buffer_get_current
static void * vlib_buffer_get_current(vlib_buffer_t *b)
Get pointer to current data to process.
Definition: buffer.h:229
PREDICT_FALSE
#define PREDICT_FALSE(x)
Definition: clib.h:118
nat_inlines.h
nat44_is_idle_session_ctx_t::now
f64 now
Definition: nat.h:680
snat_main_s::static_mapping_by_external
clib_bihash_8_8_t static_mapping_by_external
Definition: nat.h:542
src_address
vl_api_address_union_t src_address
Definition: ip_types.api:99
vlib_validate_buffer_enqueue_x2
#define vlib_validate_buffer_enqueue_x2(vm, node, next_index, to_next, n_left_to_next, bi0, bi1, next0, next1)
Finish enqueueing two buffers forward in the graph.
Definition: buffer_node.h:70
snat_out2in_node
vlib_node_registration_t snat_out2in_node
(constructor) VLIB_REGISTER_NODE (snat_out2in_node)
Definition: out2in.c:1386
vlib_validate_buffer_enqueue_x1
#define vlib_validate_buffer_enqueue_x1(vm, node, next_index, to_next, n_left_to_next, bi0, next0)
Finish enqueueing one buffer forward in the graph.
Definition: buffer_node.h:224
vlib_get_next_frame
#define vlib_get_next_frame(vm, node, next_index, vectors, n_vectors_left)
Get pointer to next frame vector data by (vlib_node_runtime_t, next_index).
Definition: node_funcs.h:338
vm
vlib_main_t * vm
Definition: in2out_ed.c:1599
vlib_node_increment_counter
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
Definition: node_funcs.h:1150
snat_main
snat_main_t snat_main
Definition: nat.c:41
ip4_header_t::length
u16 length
Definition: ip4_packet.h:144
elog.h
The fine-grained event logger allows lightweight, thread-safe event logging at minimum cost...
clib_bihash_kv_8_8_t::value
u64 value
the value
Definition: bihash_8_8.h:42
nat44_delete_user_with_no_session
static void nat44_delete_user_with_no_session(snat_main_t *sm, snat_user_t *u, u32 thread_index)
Definition: nat_inlines.h:227
ip4_header_t::checksum
u16 checksum
Definition: ip4_packet.h:163
VLIB_REGISTER_NODE
#define VLIB_REGISTER_NODE(x,...)
Definition: node.h:169
snat_session_key_t::port
u16 port
Definition: nat.h:79
snat_main_per_thread_data_t::out2in
clib_bihash_8_8_t out2in
Definition: nat.h:453
nat_ipfix_logging.h
CLIB_PREFETCH
#define CLIB_PREFETCH(addr, size, type)
Definition: cache.h:80
udp_header_t::dst_port
u16 dst_port
Definition: udp_packet.h:46
vnet_feature_next
static_always_inline void vnet_feature_next(u32 *next0, vlib_buffer_t *b0)
Definition: feature.h:322
nat44_session_update_counters
static void nat44_session_update_counters(snat_session_t *s, f64 now, uword bytes, u32 thread_index)
Definition: nat_inlines.h:408
snat_main_s
Definition: nat.h:520
vlib_buffer_t::data
u8 data[]
Packet data.
Definition: buffer.h:181
snat_out2in_trace_t::sw_if_index
u32 sw_if_index
Definition: out2in.c:41
snat_runtime_t
Definition: nat.h:683
clib_bihash_kv_8_8_t
8 octet key, 8 octet key value pair
Definition: bihash_8_8.h:39
ARRAY_LEN
#define ARRAY_LEN(x)
Definition: clib.h:66
snat_session_key_t::addr
ip4_address_t addr
Definition: nat.h:78
vlib_put_next_frame
void vlib_put_next_frame(vlib_main_t *vm, vlib_node_runtime_t *r, u32 next_index, u32 n_vectors_left)
Release pointer to next frame vector data.
Definition: main.c:483
snat_static_mapping_t::fib_index
u32 fib_index
Definition: nat.h:410
node
vlib_main_t vlib_node_runtime_t * node
Definition: in2out_ed.c:1599
nat44_maximum_sessions_exceeded
static_always_inline u8 nat44_maximum_sessions_exceeded(snat_main_t *sm, u32 thread_index)
The NAT44 inline functions.
Definition: inlines.h:26
ip4_header_t::protocol
u8 protocol
Definition: ip4_packet.h:160
value
u8 value
Definition: qos.api:54
ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69
snat_main_s::icmp_match_out2in_cb
snat_icmp_match_function_t * icmp_match_out2in_cb
Definition: nat.h:524
nat44_session_update_lru
static void nat44_session_update_lru(snat_main_t *sm, snat_session_t *s, u32 thread_index)
Per-user LRU list maintenance.
Definition: nat_inlines.h:422
snat_main_s::out2in_node_index
u32 out2in_node_index
Definition: nat.h:605
snat_ipfix_logging_nat44_ses_delete
void snat_ipfix_logging_nat44_ses_delete(u32 thread_index, u32 src_ip, u32 nat_src_ip, nat_protocol_t nat_proto, u16 src_port, u16 nat_src_port, u32 vrf_id)
Generate NAT44 session delete event.
Definition: nat_ipfix_logging.c:1335
vlib_get_main
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
nat_ha_sdel
void nat_ha_sdel(ip4_address_t *out_addr, u16 out_port, ip4_address_t *eh_addr, u16 eh_port, u8 proto, u32 fib_index, u32 thread_index)
Create session delete HA event.
Definition: nat_ha.c:715
vlib_add_trace
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
Definition: trace_funcs.h:55
vec_elt
#define vec_elt(v, i)
Get vector value at index i.
Definition: vec_bootstrap.h:208
udp_header_t::checksum
u16 checksum
Definition: udp_packet.h:53
VLIB_TX
Definition: defs.h:47
ip
vl_api_address_t ip
Definition: l2.api:501
snat_out2in_error_t
snat_out2in_error_t
Definition: out2in.c:91
user_session_increment
static void user_session_increment(snat_main_t *sm, snat_user_t *u, u8 is_static)
Definition: nat_inlines.h:215
create_session_for_static_mapping
static snat_session_t * create_session_for_static_mapping(snat_main_t *sm, vlib_buffer_t *b0, snat_session_key_t in2out, snat_session_key_t out2in, vlib_node_runtime_t *node, u32 thread_index, f64 now)
Create session for static mapping.
Definition: out2in.c:177
snat_out2in_error_strings
static char * snat_out2in_error_strings[]
Definition: out2in.c:99
nat_out2in_sm_unknown_proto
static int nat_out2in_sm_unknown_proto(snat_main_t *sm, vlib_buffer_t *b, ip4_header_t *ip, u32 rx_fib_index)
Definition: out2in.c:692
snat_main_per_thread_data_t
Definition: nat.h:450
vlib_main_t
Definition: main.h:83
vlib_buffer_t
VLIB buffer representation.
Definition: buffer.h:102
snat_main_s::per_thread_data
snat_main_per_thread_data_t * per_thread_data
Definition: nat.h:536
vlib_node_t
Definition: node.h:260
vlib_frame_vector_args
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
Definition: node_funcs.h:244
ip_csum_update
#define ip_csum_update(sum, old, new, type, field)
Definition: ip_packet.h:294
nat_syslog.h
NAT syslog logging.
is_interface_addr
static u8 is_interface_addr(snat_main_t *sm, vlib_node_runtime_t *node, u32 sw_if_index0, u32 ip4_addr)
Definition: nat_inlines.h:150
format_snat_out2in_trace
static u8 * format_snat_out2in_trace(u8 *s, va_list *args)
Definition: out2in.c:48
snat_main_s::addresses
snat_address_t * addresses
Definition: nat.h:552
snat_main_s::out2in_fast_node_index
u32 out2in_fast_node_index
Definition: nat.h:606
vnet_buffer
#define vnet_buffer(b)
Definition: buffer.h:417
SNAT_SESSION_FLAG_STATIC_MAPPING
#define SNAT_SESSION_FLAG_STATIC_MAPPING
Definition: nat.h:232
snat_main_s::forwarding_enabled
u8 forwarding_enabled
Definition: nat.h:624
frame
vlib_main_t vlib_node_runtime_t vlib_frame_t * frame
Definition: in2out_ed.c:1600
ip4_header_bytes
static int ip4_header_bytes(const ip4_header_t *i)
Definition: ip4_packet.h:235
ip4_address_t::as_u32
u32 as_u32
Definition: ip4_packet.h:56
VLIB_NODE_FLAG_TRACE
#define VLIB_NODE_FLAG_TRACE
Definition: node.h:304
CLIB_CACHE_LINE_BYTES
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
icmp_get_key
static_always_inline snat_out2in_error_t icmp_get_key(vlib_buffer_t *b, ip4_header_t *ip0, snat_session_key_t *p_key0)
Definition: out2in.c:265
icmp_out2in
u32 icmp_out2in(snat_main_t *sm, vlib_buffer_t *b0, ip4_header_t *ip0, icmp46_header_t *icmp0, u32 sw_if_index0, u32 rx_fib_index0, vlib_node_runtime_t *node, u32 next0, u32 thread_index, void *d, void *e)
Definition: out2in.c:525
ip4_header_t
Definition: ip4_packet.h:132
nat44_i2o_is_idle_session_cb
int nat44_i2o_is_idle_session_cb(clib_bihash_kv_8_8_t *kv, void *arg)
Definition: in2out.c:195
snat_main_per_thread_data_t::sessions
snat_session_t * sessions
Definition: nat.h:467
nat44_is_idle_session_ctx_t::thread_index
u32 thread_index
Definition: nat.h:679
icmp4_error_set_vnet_buffer
static_always_inline void icmp4_error_set_vnet_buffer(vlib_buffer_t *b, u8 type, u8 code, u32 data)
Definition: icmp4.h:51
vlib_get_buffer
static vlib_buffer_t * vlib_get_buffer(vlib_main_t *vm, u32 buffer_index)
Translate buffer index into buffer pointer.
Definition: buffer_funcs.h:85
ip_csum_fold
static u16 ip_csum_fold(ip_csum_t c)
Definition: ip_packet.h:300
icmp_match_out2in_fast
u32 icmp_match_out2in_fast(snat_main_t *sm, vlib_node_runtime_t *node, u32 thread_index, vlib_buffer_t *b0, ip4_header_t *ip0, u8 *p_proto, snat_session_key_t *p_value, u8 *p_dont_translate, void *d, void *e)
Get address and port values to be used for ICMP packet translation.
Definition: out2in.c:461
VLIB_RX
Definition: defs.h:46
nat_ha.h
NAT active-passive HA.
snat_session_key_t::fib_index
u16 fib_index
Definition: nat.h:80