Merge pull request #26 from vpp-dev/nat

NAT bugfixes

Author: matfabia-cisco

src/plugins/nat/in2out.c

@@ -251,20 +251,41 @@ snat_not_translate (snat_main_t * sm, vlib_node_runtime_t *node,
 
 static inline int
 nat_not_translate_output_feature (snat_main_t * sm, ip4_header_t * ip0,
-                                  u32 proto0, u16 src_port, u32 thread_index)
+                                  u32 proto0, u16 src_port, u16 dst_port,
+                                  u32 thread_index, u32 sw_if_index)
 {
   snat_session_key_t key0;
   clib_bihash_kv_8_8_t kv0, value0;
+  snat_interface_t *i;
 
+  /* src NAT check */
   key0.addr = ip0->src_address;
   key0.port = src_port;
   key0.protocol = proto0;
   key0.fib_index = sm->outside_fib_index;
   kv0.key = key0.as_u64;
 
   if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].out2in, &kv0,
-                              &value0))
+                               &value0))
+    return 1;
+
+  /* dst NAT check */
+  key0.addr = ip0->dst_address;
+  key0.port = dst_port;
+  key0.protocol = proto0;
+  key0.fib_index = sm->inside_fib_index;
+  kv0.key = key0.as_u64;
+  if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv0,
+                               &value0))
+  {
+    /* hairpinning */
+    pool_foreach (i, sm->output_feature_interfaces,
+    ({
+      if ((nat_interface_is_inside(i)) && (sw_if_index == i->sw_if_index))
+        return 0;
+    }));
     return 1;
+  }
 
   return 0;
 }
@@ -286,6 +307,7 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
   u32 outside_fib_index;
   uword * p;
   udp_header_t * udp0 = ip4_next_header (ip0);
+  u8 is_sm = 0;
 
   if (PREDICT_FALSE (maximum_sessions_exceeded(sm, thread_index)))
     {
@@ -311,13 +333,6 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
       return SNAT_IN2OUT_NEXT_DROP;
     }
 
-  s = nat_session_alloc_or_recycle (sm, u, thread_index);
-  if (!s)
-    {
-      clib_warning ("create NAT session failed");
-      return SNAT_IN2OUT_NEXT_DROP;
-    }
-
   /* First try to match static mapping by local address and port */
   if (snat_static_mapping_match (sm, *key0, &key1, 0, 0, 0))
     {
@@ -331,14 +346,20 @@ static u32 slow_path (snat_main_t *sm, vlib_buffer_t *b0,
           b0->error = node->errors[SNAT_IN2OUT_ERROR_OUT_OF_PORTS];
           return SNAT_IN2OUT_NEXT_DROP;
         }
-      u->nsessions++;
     }
   else
+    is_sm = 1;
+
+  s = nat_session_alloc_or_recycle (sm, u, thread_index);
+  if (!s)
     {
-      u->nstaticsessions++;
-      s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
+      clib_warning ("create NAT session failed");
+      return SNAT_IN2OUT_NEXT_DROP;
     }
 
+  if (is_sm)
+    s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
+  user_session_increment (sm, u, is_sm);
   s->outside_address_index = address_index;
   s->in2out = *key0;
   s->out2in = key1;
@@ -556,7 +577,7 @@ u32 icmp_match_in2out_slow(snat_main_t *sm, vlib_node_runtime_t *node,
       if (vnet_buffer(b0)->sw_if_index[VLIB_TX] != ~0)
         {
           if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
-              ip0, SNAT_PROTOCOL_ICMP, key0.port, thread_index)))
+              ip0, SNAT_PROTOCOL_ICMP, key0.port, key0.port, thread_index, sw_if_index0)))
             {
               dont_translate = 1;
               goto out;
@@ -768,6 +789,9 @@ static inline u32 icmp_in2out (snat_main_t *sm,
                          src_address /* changed member */);
   ip0->checksum = ip_csum_fold (sum0);
 
+  if (icmp0->checksum == 0)
+    icmp0->checksum = 0xffff;
+
   if (!icmp_is_error_message (icmp0))
     {
       new_id0 = sm0.port;
@@ -1236,14 +1260,8 @@ snat_in2out_unknown_proto (snat_main_t *sm,
       s->in2out.fib_index = rx_fib_index;
       s->in2out.port = s->out2in.port = ip->protocol;
       if (is_sm)
-        {
-          u->nstaticsessions++;
-          s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
-        }
-      else
-        {
-          u->nsessions++;
-        }
+	s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
+      user_session_increment (sm, u, is_sm);
 
       /* Add to lookup tables */
       key.l_addr.as_u32 = old_addr;
@@ -1365,7 +1383,7 @@ snat_in2out_lb (snat_main_t *sm,
       s->in2out = l_key;
       s->out2in = e_key;
       s->out2in.protocol = l_key.protocol;
-      u->nstaticsessions++;
+      user_session_increment (sm, u, 1 /* static */);
 
       /* Add to lookup tables */
       s_kv.value = s - tsm->sessions;
@@ -1594,7 +1612,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
                   if (is_output_feature)
                     {
                       if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
-                          ip0, proto0, udp0->src_port, thread_index)))
+                          ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
                         goto trace00;
                     }
                   else
@@ -1786,7 +1804,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
                   if (is_output_feature)
                     {
                       if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
-                          ip1, proto1, udp1->src_port, thread_index)))
+                          ip1, proto1, udp1->src_port, udp1->dst_port, thread_index, sw_if_index1)))
                         goto trace01;
                     }
                   else
@@ -2014,7 +2032,7 @@ snat_in2out_node_fn_inline (vlib_main_t * vm,
                   if (is_output_feature)
                     {
                       if (PREDICT_FALSE(nat_not_translate_output_feature(sm,
-                          ip0, proto0, udp0->src_port, thread_index)))
+                          ip0, proto0, udp0->src_port, udp0->dst_port, thread_index, sw_if_index0)))
                         goto trace0;
                     }
                   else

src/plugins/nat/nat.c

@@ -1447,11 +1447,22 @@ int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
                   i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
 
                 if (sm->num_workers > 1 && !sm->deterministic)
-                  del_feature_name = "nat44-handoff-classify";
+                  {
+                    del_feature_name = "nat44-handoff-classify";
+                    feature_name = !is_inside ?  "nat44-in2out-worker-handoff" :
+                                                 "nat44-out2in-worker-handoff";
+                  }
                 else if (sm->deterministic)
-                  del_feature_name = "nat44-det-classify";
+                  {
+                    del_feature_name = "nat44-det-classify";
+                    feature_name = !is_inside ?  "nat44-det-in2out" :
+                                                 "nat44-det-out2in";
+                  }
                 else
-                  del_feature_name = "nat44-classify";
+                  {
+                    del_feature_name = "nat44-classify";
+                    feature_name = !is_inside ?  "nat44-in2out" : "nat44-out2in";
+                  }
 
                 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
                                              sw_if_index, 0, 0, 0);

src/plugins/nat/nat.h

@@ -650,4 +650,16 @@ nat_send_all_to_node(vlib_main_t *vm, u32 *bi_vector,
   }
 }
 
+always_inline void
+user_session_increment(snat_main_t *sm, snat_user_t *u, u8 is_static)
+{
+  if (u->nsessions + u->nstaticsessions < sm->max_translations_per_user)
+    {
+      if (is_static)
+	u->nstaticsessions++;
+      else
+	u->nsessions++;
+    }
+}
+
 #endif /* __included_snat_h__ */

src/plugins/nat/out2in.c

@@ -133,6 +133,7 @@ typedef enum {
   SNAT_OUT2IN_NEXT_LOOKUP,
   SNAT_OUT2IN_NEXT_ICMP_ERROR,
   SNAT_OUT2IN_NEXT_REASS,
+  SNAT_OUT2IN_NEXT_IN2OUT,
   SNAT_OUT2IN_N_NEXT,
 } snat_out2in_next_t;
 
@@ -191,7 +192,7 @@ create_session_for_static_mapping (snat_main_t *sm,
   s->flags |= SNAT_SESSION_FLAG_STATIC_MAPPING;
   s->ext_host_addr.as_u32 = ip0->src_address.as_u32;
   s->ext_host_port = udp0->src_port;
-  u->nstaticsessions++;
+  user_session_increment (sm, u, 1 /* static */);
   s->in2out = in2out;
   s->out2in = out2in;
   s->in2out.protocol = out2in.protocol;
@@ -311,6 +312,26 @@ icmp_get_ed_key(ip4_header_t *ip0, nat_ed_ses_key_t *p_key0)
   return 0;
 }
 
+static int
+next_src_nat (snat_main_t * sm, ip4_header_t * ip, u32 proto, u16 src_port,
+              u32 thread_index)
+{
+  snat_session_key_t key;
+  clib_bihash_kv_8_8_t kv, value;
+
+  key.addr = ip->src_address;
+  key.port = src_port;
+  key.protocol = proto;
+  key.fib_index = sm->inside_fib_index;
+  kv.key = key.as_u64;
+
+  if (!clib_bihash_search_8_8 (&sm->per_thread_data[thread_index].in2out, &kv,
+                               &value))
+    return 1;
+
+  return 0;
+}
+
 static void
 create_bypass_for_fwd(snat_main_t * sm, ip4_header_t * ip)
 {
@@ -419,8 +440,13 @@ u32 icmp_match_out2in_slow(snat_main_t *sm, vlib_node_runtime_t *node,
             }
           else
             {
-              create_bypass_for_fwd(sm, ip0);
               dont_translate = 1;
+              if (next_src_nat(sm, ip0, key0.protocol, key0.port, thread_index))
+                {
+                  next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+                  goto out;
+                }
+              create_bypass_for_fwd(sm, ip0);
               goto out;
             }
         }
@@ -618,6 +644,9 @@ static inline u32 icmp_out2in (snat_main_t *sm,
                          dst_address /* changed member */);
   ip0->checksum = ip_csum_fold (sum0);
 
+  if (icmp0->checksum == 0)
+    icmp0->checksum = 0xffff;
+
   if (!icmp_is_error_message (icmp0))
     {
       new_id0 = sm0.port;
@@ -804,7 +833,7 @@ snat_out2in_unknown_proto (snat_main_t *sm,
       s->in2out.addr.as_u32 = new_addr;
       s->in2out.fib_index = m->fib_index;
       s->in2out.port = s->out2in.port = ip->protocol;
-      u->nstaticsessions++;
+      user_session_increment (sm, u, 1 /* static */);
 
       /* Add to lookup tables */
       s_kv.value = s - tsm->sessions;
@@ -916,7 +945,7 @@ snat_out2in_lb (snat_main_t *sm,
       s->outside_address_index = ~0;
       s->out2in = e_key;
       s->in2out = l_key;
-      u->nstaticsessions++;
+      user_session_increment (sm, u, 1 /* static */);
 
       /* Add to lookup tables */
       s_kv.value = s - tsm->sessions;
@@ -1152,6 +1181,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
                     }
                   else
                     {
+                      if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
+                        {
+                          next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+                          goto trace0;
+                        }
                       create_bypass_for_fwd(sm, ip0);
                       goto trace0;
                     }
@@ -1319,6 +1353,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
                     }
                   else
                     {
+                      if (next_src_nat(sm, ip1, proto1, udp1->src_port, thread_index))
+                        {
+                          next1 = SNAT_OUT2IN_NEXT_IN2OUT;
+                          goto trace1;
+                        }
                       create_bypass_for_fwd(sm, ip1);
                       goto trace1;
                     }
@@ -1522,6 +1561,11 @@ snat_out2in_node_fn (vlib_main_t * vm,
                     }
                   else
                     {
+                      if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
+                        {
+                          next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+                          goto trace00;
+                        }
                       create_bypass_for_fwd(sm, ip0);
                       goto trace00;
                     }
@@ -1649,6 +1693,7 @@ VLIB_REGISTER_NODE (snat_out2in_node) = {
     [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
     [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
     [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+    [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
   },
 };
 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_node, snat_out2in_node_fn);
@@ -1765,6 +1810,11 @@ nat44_out2in_reass_node_fn (vlib_main_t * vm,
                         }
                       else
                         {
+                          if (next_src_nat(sm, ip0, proto0, udp0->src_port, thread_index))
+                            {
+                              next0 = SNAT_OUT2IN_NEXT_IN2OUT;
+                              goto trace0;
+                            }
                           create_bypass_for_fwd(sm, ip0);
                           goto trace0;
                         }
@@ -1936,6 +1986,7 @@ VLIB_REGISTER_NODE (nat44_out2in_reass_node) = {
     [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
     [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
     [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+    [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
   },
 };
 VLIB_NODE_FUNCTION_MULTIARCH (nat44_out2in_reass_node,
@@ -2425,6 +2476,7 @@ VLIB_REGISTER_NODE (snat_det_out2in_node) = {
     [SNAT_OUT2IN_NEXT_LOOKUP] = "ip4-lookup",
     [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
     [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+    [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
   },
 };
 VLIB_NODE_FUNCTION_MULTIARCH (snat_det_out2in_node, snat_det_out2in_node_fn);
@@ -2918,6 +2970,7 @@ VLIB_REGISTER_NODE (snat_out2in_fast_node) = {
     [SNAT_OUT2IN_NEXT_DROP] = "error-drop",
     [SNAT_OUT2IN_NEXT_ICMP_ERROR] = "ip4-icmp-error",
     [SNAT_OUT2IN_NEXT_REASS] = "nat44-out2in-reass",
+    [SNAT_OUT2IN_NEXT_IN2OUT] = "nat44-in2out",
   },
 };
 VLIB_NODE_FUNCTION_MULTIARCH (snat_out2in_fast_node, snat_out2in_fast_node_fn);