1. dslite_ce_decap

DS-Lite customer edge decapsulation.

1.1. Introduction

There is 1 node: dslite_ce_decap_node.

2. dslite_ce_encap

DS-Lite customer edge encapsulation.

2.1. Introduction

There is 1 node: dslite_ce_encap_node.

3. dslite_cli

3.1. Introduction

This module is not a node, and it provide commands for dual-stack lite.

3.2. Command

dslite add pool address <ip4-range-start> [- <ip4-range-end>]
 [del]

show dslite pool

dslite set aftr-tunnel-endpoint-address <ip6>

show dslite aftr-tunnel-endpoint-address

dslite set b4-tunnel-endpoint-address <ip6>

show dslite b4-tunnel-endpoint-address

show dslite sessions

4. dslite_dpo

DS-Lite data path object.

4.1. Introduction

This module is not a node.

A Data-Path Object is an object that represents actions that are applied to packets as they are switched through VPP’s data-path.

5. dslist_in2out

5.1. Introduction

There are 2 nodes: dslite_in2out_node and dslite_in2out_slowpath_node.

6. dslite_out2in

6.1. Introduction

There is 1 node: dslite_out2in_node.

7. dslite

7.1. Introduction

This is not a node.

Dual-Stack Lite enables a broadband service provider to share IPv4 addresses among customers by combining two well-known technologies: IPv4-in-IPv6 and NAT.

8. in2out_ed

8.1. Introduction

NAT44 endpoint-dependent inside to outside network translation.

There are 6 nodes:

• nat44_ed_in2out_node
• nat44_ed_in2out_output_node
• nat44_ed_in2out_slowpath_node
• nat44_ed_in2out_output_slowpath_node
• nat44_ed_in2out_reass_node
• nat44_ed_in2out_reass_output_node

NAT44 endpoint dependent mode enables endpoint dependent filtering and mapping for all sessions needed by some features. Some existing functionality such as service load balancing, twice nat, out2in-only static mappings, unknown protocol dynamic translations and forwarding feature with dynamic translations are now available only in endpoint dependent mode. Endpoint dependent mode use 6-tuple (source IP address, source port, target IP address, target port, protocol, FIB table index) session hash table key instead of 4-tuple (source IP address, source port, protocol, FIB table index).

8.2. Detail

NAT44 supports multiple threads, the packets with the same 6-tuple only goes to the same thread, and tranlate port ranges are assigned to different threads.

8.2.1. snat_main_per_thread_data_t

This is per thread data.

typedef struct
{
  /* Main lookup tables */
  clib_bihash_8_8_t out2in;
  clib_bihash_8_8_t in2out;

  /* Endpoint dependent sessions lookup tables */
  clib_bihash_16_8_t out2in_ed;
  clib_bihash_16_8_t in2out_ed;

  /* Find-a-user => src address lookup */
  clib_bihash_8_8_t user_hash;

  /* User pool */
  snat_user_t *users;

  /* Session pool */
  snat_session_t *sessions;

  /* Pool of doubly-linked list elements */
  dlist_elt_t *list_pool;

  /* NAT thread index */
  u32 snat_thread_index;
} snat_main_per_thread_data_t;

8.2.1.1. in2out_ed

This is endpoint dependent sessions lookup tables, and it’s VPP classic Bounded-index extensible hash.

• Key is source address, destination address, protocol, fib index, source port and destination port.
• Value is session index.

8.2.1.2. user_hash

Find-a-user => src address lookup.

• Key is source address and fib index.
• Value is user index.

8.2.1.3. list_pool

This is LRU list for session.

It’s array, we can use index to locate array element.

And it contains multiple doubly-linked list, each user has one doubly-linked list, we can use head, next and prev pointer to locate list element.

• Value is session index.

8.2.1.4. users

user_hash table is used to manage users.

typedef struct
{
  ip4_address_t addr;
  u32 fib_index;
  u32 sessions_per_user_list_head_index;
  u32 nsessions;
  u32 nstaticsessions;
} snat_user_t;

• sessions_per_user_list_head_index is the head index of doubly-linked list for this user.
• nsessions is sesssion number for this user.
• nstaticsessions is static session number for this user.

8.2.1.5. sessions

in2out_ed table and doubly-linked list are used to manage sessions.

typedef CLIB_PACKED(struct
{
  /* Outside network key */
  snat_session_key_t out2in;

  /* Inside network key */
  snat_session_key_t in2out;

  /* Flags */
  u32 flags;

  /* Per-user translations */
  u32 per_user_index;
  u32 per_user_list_head_index;

  /* Last heard timer */
  f64 last_heard;

  /* Last HA refresh */
  f64 ha_last_refreshed;

  /* Counters */
  u64 total_bytes;
  u32 total_pkts;

  /* External host address and port */
  ip4_address_t ext_host_addr;
  u16 ext_host_port;

  /* External host address and port after translation */
  ip4_address_t ext_host_nat_addr;
  u16 ext_host_nat_port;

  /* TCP session state */
  u8 state;
  u32 i2o_fin_seq;
  u32 o2i_fin_seq;

  /* user index */
  u32 user_index;
}) snat_session_t;

• out2in is outside network key.
• in2out is inside network key.
• last_heard is the timestamp used to mark timeout session.

8.2.2. nat44_ed_in2out_node

This node is used before ip4-lookup.

This node is using nat44_ed_in2out_node_fn_inline(). is_slow_path is 0, and is_output_feature is 0.

• Default next node is NAT_IN2OUT_ED_NEXT_LOOKUP.
• Locate IP header, offset is 0.
• If IP ttl is 0, next node is NAT_IN2OUT_ED_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, next node is NAT_IN2OUT_ED_NEXT_SLOW_PATH.
• If it’s IP fragment, next node is NAT_IN2OUT_ED_NEXT_REASS.
• If IP protocol is ICMP, next node is NAT_IN2OUT_ED_NEXT_SLOW_PATH.
• Use source address, destination address, protocol, fib index, source port and destination port to search in2out_ed table.
• If this search has no result, next node is NAT_IN2OUT_ED_NEXT_SLOW_PATH.
• If this search has result, use result to get session.
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

8.2.3. nat44_ed_in2out_output_node

This node is used and after l2-fwd and l3-fwd, before interface-lookup.

This node is using nat44_ed_in2out_node_fn_inline(). is_slow_path is 0, and is_output_feature is 1.

• Default next node is NAT_IN2OUT_ED_NEXT_LOOKUP.
• Locate IP header, offset is save_rewrite_length.
• If IP ttl is 0, next node is NAT_IN2OUT_ED_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, next node is NAT_IN2OUT_ED_NEXT_SLOW_PATH.
• If it’s IP fragment, next node is NAT_IN2OUT_ED_NEXT_REASS.
• Call nat_not_translate_output_feature_fwd()
  • Search in2out_ed table for ICMP, TCP and UDP.
  • If this search has result, , use result to get session.
  • If this session is bypass, update session counter and timestamp, and update doubly-linked list.
• If IP protocol is ICMP, next node is NAT_IN2OUT_ED_NEXT_SLOW_PATH.
• Use source address, destination address, protocol, fib index, source port and destination port to search in2out_ed table.
• If this search has no result, next node is NAT_IN2OUT_ED_NEXT_SLOW_PATH.
• If this search has result, use result to get session.
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

8.2.4. nat44_ed_in2out_slowpath_node

This node is used after nat44-ed-in2out, before ip4-lookup.

This node is using nat44_ed_in2out_node_fn_inline(). is_slow_path is 1, and is_output_feature is 0.

• Default next node is NAT_IN2OUT_ED_NEXT_LOOKUP.
• Locate IP header, offset is 0.
• If IP ttl is 0, next node is NAT_IN2OUT_ED_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, call nat44_ed_in2out_unknown_proto().
  • Use source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port to search in2out_ed table.
  • If this search has result, use result to get session, and replace source address.
  • If this search has no result, need to search other table.
    • Call nat_user_get_or_create() to create NAT user.
      • Use source address and fib index to search user_hash table.
      • If this search has no result, create new user, add to user_hash table, and initialize doubly-linked list.
      • If this search has result, get user.
    • Use source address, 0 as IP protocol, fib index, 0 as source port to search static_mapping_by_local table.
    • If this search has result, use result to get static mapping, replace source address, and create session.
    • If this search has no result, iterate doubly-linked list to get session of this user.
    • If external host address is the same as destination address, check this session.
      • Replace source address with out2in address.
      • Use session out2in address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port to search out2in_ed table.
      • If this search has no result, create session.
    • Iterate static mapping addresses, use static mapping address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port to search out2in_ed table.
    • If this search has no result, replace source address with static mapping address, and create session.
    • Call nat_ed_session_alloc() to create session.
      • Find oldest session on the list.
      • If oldest session is timeout, replace this session.
        • Move to list tail.
        • Clear session.
        • Call nat_free_session_data().
          • If this session is forwarding bypass, remove this session from in2out_ed table.
          • If this session is endpoint dependent, remove this session from in2out_ed table and out2in_ed table.
          • If this session is not endpoint dependent, remove this session from in2out table and out2in table.
          • Call nat_ha_sdel().
          • If this session is twice NAT, call snat_free_outside_address_and_port().
          • Call snat_free_outside_address_and_port().
      • If oldest session is not timeout, add new session.
        • Create new session and add to list tail.
    • Insert in2out_ed table.
      • Key is in2out address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port.
      • Value is session index.
    • Insert out2in_ed table.
      • Key is out2in address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port.
      • Value is session index.
  • Update IP checksum.
  • Update session counter and timestamp. Timestamp is used to mark timeout session.
  • Update doubly-linked list, move session index to list tail.
  • Call nat44_ed_hairpinning_unknown_proto() for hairpinning.
    • Search out2in_ed table.
    • If this search has result, replace destination address.
    • If this search has no result, search static_mapping_by_external table.
    • If this search has result, replace destination address.
    • Update IP checksum.
• If IP protocol is ICMP, call icmp_in2out_ed_slow_path().
  • Call icmp_in2out().
    • Call icmp_match_in2out_ed() to find next node.
      • Call icmp_get_ed_key() to get key.
      • Search in2out_ed table.
      • If this search has result, get session.
      • If this search has no result, enter slow path.
        • Call nat44_ed_not_translate_output_feature().
          • Search in2out_ed table.
          • If this search has result, get session.
          • If this session is forwarding bypass, update session counter, update LRU list, do not translate.
          • If this session is not forwarding bypass, do translate.
        • Call nat44_ed_not_translate().
          • Search out2in_ed table, if this search has result, do translate.
          • Call snat_static_mapping_match(), if it has result, do translate.
          • If forwarding is enabled, do not translate.
          • Call snat_not_translate_fast() to decide.
        • Call slow_path_ed().
          • Call snat_static_mapping_match() to match static mapping by local address and port.
          • If no match, call snat_alloc_outside_address_and_port() to create dynamic translation.
            • port range is assigned to multiple threads.
          • If TCP flag is not SYNC, drop it. Only use single thread, first TCP is sync, create NAT session in slow path, and next TCP will not enter slow path.
          • Call nat_user_get_or_create() to get NAT user.
          • Call nat_ed_session_alloc() to create session.
          • Add to in2out_ed table.
          • Add to out2in_ed table.
          • Call nat_ha_sadd().
    • Verify IP checksum.
    • Replace source address and update IP checksum.
    • If this is not ICMP error message, replace ICMP identifier and update ICMP checksum.
    • If this is ICMP error message, process inner IP.
      • Verify inner IP checksum.
      • Update inner destination IP address.
      • Update inner IP header checksum.
      • If inner IP protocol is ICMP, replace ICMP identifier, update ICMP checksum.
      • If inner IP protocol is TCP or UDP, replace destination port, update ICMP checksum.
      • Call snat_icmp_hairpinning() for hairpinning.
  • Update session counter and timestamp. Timestamp is used to mark timeout session.
  • Update doubly-linked list, move session index to list tail.
• Use source address, destination address, protocol, fib index, source port and destination port to search in2out_ed table.
• If this search has result, use result to get session.
• If this search has no result, enter slow path.
  • Call nat44_ed_not_translate().
  • Call slow_path_ed().
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

8.2.5. nat44_ed_in2out_output_slowpath_node

This node is used after nat44-ed-in2out-output, before interface-output.

This node is using nat44_ed_in2out_node_fn_inline(). is_slow_path is 1, and is_output_feature is 1.

• Default next node is NAT_IN2OUT_ED_NEXT_LOOKUP.
• Locate IP header, offset is save_rewrite_length.
• If IP ttl is 0, next node is NAT_IN2OUT_ED_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, call nat44_ed_in2out_unknown_proto().
  • Use source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port to search in2out_ed table.
  • If this search has result, use result to get session, and replace source address.
  • If this search has no result, need to search other table.
    • Call nat_user_get_or_create() to create NAT user.
      • Use source address and fib index to search user_hash table.
      • If this search has no result, create new user, add to user_hash table, and initialize doubly-linked list.
      • If this search has result, get user.
    • Use source address, 0 as IP protocol, fib index, 0 as source port to search static_mapping_by_local table.
    • If this search has result, use result to get static mapping, replace source address, and create session.
    • If this search has no result, iterate doubly-linked list to get session of this user.
    • If external host address is the same as destination address, check this session.
      • Replace source address with out2in address.
      • Use session out2in address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port to search out2in_ed table.
      • If this search has no result, create session.
    • Iterate static mapping addresses, use static mapping address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port to search out2in_ed table.
    • If this search has no result, replace source address with static mapping address, and create session.
    • Call nat_ed_session_alloc() to create session.
      • Find oldest session on the list.
      • If oldest session is timeout, replace this session.
        • Move to list tail.
        • Clear session.
        • Call nat_free_session_data().
          • If this session is forwarding bypass, remove this session from in2out_ed table.
          • If this session is endpoint dependent, remove this session from in2out_ed table and out2in_ed table.
          • If this session is not endpoint dependent, remove this session from in2out table and out2in table.
          • Call nat_ha_sdel().
          • If this session is twice NAT, call snat_free_outside_address_and_port().
          • Call snat_free_outside_address_and_port().
      • If oldest session is not timeout, add new session.
        • Create new session and add to list tail.
    • Insert in2out_ed table.
      • Key is in2out address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port.
      • Value is session index.
    • Insert out2in_ed table.
      • Key is out2in address as source address, destination address, IP protocol, fib index, 0 as source port, 0 as destination port.
      • Value is session index.
  • Update IP checksum.
  • Update session counter and timestamp. Timestamp is used to mark timeout session.
  • Update doubly-linked list, move session index to list tail.
  • Call nat44_ed_hairpinning_unknown_proto() for hairpinning.
    • Search out2in_ed table.
    • If this search has result, replace destination address.
    • If this search has no result, search static_mapping_by_external table.
    • If this search has result, replace destination address.
    • Update IP checksum.
• If IP protocol is ICMP, call icmp_in2out_ed_slow_path().
  • Call icmp_in2out().
    • Call icmp_match_in2out_ed() to find next node.
      • Call icmp_get_ed_key() to get key.
      • Search in2out_ed table.
      • If this search has result, get session.
      • If this search has no result, enter slow path.
        • Call nat44_ed_not_translate_output_feature().
          • Search in2out_ed table.
          • If this search has result, get session.
          • If this session is forwarding bypass, update session counter, update LRU list, do not translate.
          • If this session is not forwarding bypass, do translate.
        • Call nat44_ed_not_translate().
          • Search out2in_ed table, if this search has result, do translate.
          • Call snat_static_mapping_match(), if it has result, do translate.
          • If forwarding is enabled, do not translate.
          • Call snat_not_translate_fast() to decide.
        • Call slow_path_ed().
          • Call snat_static_mapping_match() to match static mapping by local address and port.
          • If no match, call snat_alloc_outside_address_and_port() to create dynamic translation.
            • port range is assigned to multiple threads.
          • If TCP flag is not SYNC, drop it. Only use single thread, first TCP is sync, create NAT session in slow path, and next TCP will not enter slow path.
          • Call nat_user_get_or_create() to get NAT user.
          • Call nat_ed_session_alloc() to create session.
          • Add to in2out_ed table.
          • Add to out2in_ed table.
          • Call nat_ha_sadd().
    • Verify IP checksum.
    • Replace source address and update IP checksum.
    • If this is not ICMP error message, replace ICMP identifier and update ICMP checksum.
    • If this is ICMP error message, process inner IP.
      • Verify inner IP checksum.
      • Update inner destination IP address.
      • Update inner IP header checksum.
      • If inner IP protocol is ICMP, replace ICMP identifier, update ICMP checksum.
      • If inner IP protocol is TCP or UDP, replace destination port, update ICMP checksum.
      • Call snat_icmp_hairpinning() for hairpinning.
  • Update session counter and timestamp. Timestamp is used to mark timeout session.
  • Update doubly-linked list, move session index to list tail.
• Use source address, destination address, protocol, fib index, source port and destination port to search in2out_ed table.
• If this search has result, use result to get session.
• If this search has no result, enter slow path.
  • Call nat44_ed_not_translate_output_feature().
  • Call slow_path_ed().
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

8.2.6. nat44_ed_in2out_reass_node

This node is used after nat44-ed-in2out, before ip4-lookup.

This node is using nat44_ed_in2out_reass_node_fn_inline(). is_output_feature is 0.

• Call nat_reass_is_drop_frag(), drop IP fragment if configured.
• Locate IP header, offset is 0.
• Call nat_ip4_reass_find_or_create() to get reassemble.
• Call ip4_is_first_fragment(), if this is the first fragment.
  • If this is ICMP.
    • Call icmp_in2out_ed_slow_path().
    • Call nat_ip4_reass_get_frags().
  • Search in2out_ed table.
  • If this search has no result.
    • Call nat44_ed_not_translate().
    • Call slow_path_ed().
  • If this search has result, get session.
  • Call nat_ip4_reass_get_frags().
• If this is not the first fragment.
• Replace source address, and update IP checksum.
• Call ip4_is_first_fragment(), if this is the first fragment.
  • If this is TCP.
    • Replace source port, update TCP checksum.
  • If this is not TCP.
    • Replace source port, UDP checksum is 0.
• Call nat44_reass_hairpinning().
• Call nat44_session_update_counters() to update session counter and timestamp.
• Call nat44_session_update_counters() to update doubly-linked list.

8.2.7. nat44_ed_in2out_reass_output_node

This node is used after nat44-ed-in2out-output, before interface-output.

This node is using nat44_ed_in2out_reass_node_fn_inline(). and is_output_feature is 1.

• Call nat_reass_is_drop_frag(), drop IP fragment if configured.
• Locate IP header, offset is save_rewrite_length.
• Call nat_ip4_reass_find_or_create() to get reassemble.
• Call ip4_is_first_fragment(), if this is the first fragment.
  • If this is ICMP.
    • Call nat44_ed_not_translate_output_feature().
    • Call icmp_in2out_ed_slow_path().
    • Call nat_ip4_reass_get_frags().
  • Search in2out_ed table.
  • If this search has no result.
    • Call nat_not_translate_output_feature_fwd().
    • Call slow_path_ed().
  • If this search has result, get session.
  • Call nat_ip4_reass_get_frags().
• If this is not the first fragment.
• Replace source address, and update IP checksum.
• Call ip4_is_first_fragment(), if this is the first fragment.
  • If this is TCP.
    • Replace source port, update TCP checksum.
  • If this is not TCP.
    • Replace source port, UDP checksum is 0.
• Call nat44_reass_hairpinning().
• Call nat44_session_update_counters() to update session counter and timestamp.
• Call nat44_session_update_counters() to update doubly-linked list.

9. in2out

9.1. Introduction

NAT44 inside to outside network translation.

There are 6 nodes:

• snat_in2out_node
• snat_in2out_output_node
• snat_in2out_slowpath_node
• snat_in2out_output_slowpath_node
• nat44_in2out_reass_node
• snat_in2out_fast_node

9.2. Detail

9.2.1. snat_in2out_node

This node is used before ip4-lookup.

This node is using snat_in2out_node_fn_inline(). is_slow_path is 0, and is_output_feature is 0.

• Locate IP header, offset is 0.
• If IP ttl is 0, next node is NAT_IN2OUT_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, next node is NAT_IN2OUT_NEXT_SLOW_PATH.
• If it’s IP fragment, next node is NAT_IN2OUT_NEXT_REASS.
• If IP protocol is ICMP, next node is NAT_IN2OUT_NEXT_SLOW_PATH.
• Use source address, source port, protocol and fib index to search in2out table.
• If this search has no result, next node is NAT_IN2OUT_NEXT_SLOW_PATH.
• If this search has result, use result to get session.
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

9.2.2. snat_in2out_output_node

This node is used after ip4-lookup, before interface-output.

This node is using snat_in2out_node_fn_inline(). is_slow_path is 0, and is_output_feature is 1.

• Locate IP header, offset is save_rewrite_length.
• If IP ttl is 0, next node is NAT_IN2OUT_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, next node is NAT_IN2OUT_NEXT_SLOW_PATH.
• If it’s IP fragment, next node is NAT_IN2OUT_NEXT_REASS.
• If IP protocol is ICMP, next node is NAT_IN2OUT_NEXT_SLOW_PATH.
• Use source address, source port, protocol and fib index to search in2out table.
• If this search has no result, next node is NAT_IN2OUT_NEXT_SLOW_PATH.
• If this search has result, use result to get session.
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

9.2.3. snat_in2out_slowpath_node

This node is used after nat44-in2out, before ip4-lookup.

This node is using snat_in2out_node_fn_inline(). is_slow_path is 1, and is_output_feature is 0.

• Locate IP header, offset is 0.
• If IP ttl is 0, next node is NAT_IN2OUT_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, call nat_in2out_sm_unknown_proto().
  • Use source address and fib index to search static_mapping_by_local.
  • Replace source address and update IP checksum.
  • Call nat_hairpinning_sm_unknown_proto() for hairpinning.
• If IP protocol is ICMP, call icmp_in2out_slow_path().
  • Call icmp_in2out().
  • Update session counter and timestamp. Timestamp is used to mark timeout session.
  • Update doubly-linked list, move session index to list tail.
• Use source address, source port, protocol and fib index to search in2out table.
• If this search has no result, enter slow path.
  • Call snat_not_translate().
    • Use destination address and destination port to search out2in table, if this search has result, do translate.
    • Use destination address and destination port to search static mapping table, if this search has result, do translate.
    • Call snat_not_translate_fast().
  • Call slow_path().
    • Call snat_static_mapping_match().
      • Try to match static mapping by local address and port.
    • Call snat_alloc_outside_address_and_port().
    • Call nat_user_get_or_create().
      • Get user.
    • Call nat_session_alloc_or_recycle().
      • Did not check timestamp.
    • Add to in2out table.
      • Call nat44_i2o_is_idle_session_cb()
        • Find timeout session in in2out table.
        • in2out entry will be overwritten.
        • Remove timeout session from out2in table.
    • Add to out2in table.
      • Call nat44_o2i_is_idle_session_cb().
        • Find timeout session in out2in table.
        • out2in entry will be overwritten.
        • Remove timeout session from in2out table.
    • Call nat_ha_sadd().
• If this search has result, use result to get session.
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

9.2.4. snat_in2out_output_slowpath_node

This node is used after nat44-in2out-output, before interface-output.

This node is using snat_in2out_node_fn_inline(). is_slow_path is 1, and is_output_feature is 1.

• Locate IP header, offset is save_rewrite_length.
• If IP ttl is 0, next node is NAT_IN2OUT_NEXT_ICMP_ERROR.
• If IP protocol is not UDP, TCP and ICMP, call nat_in2out_sm_unknown_proto().
  • Use source address and fib index to search static_mapping_by_local.
  • Replace source address and update IP checksum.
  • Call nat_hairpinning_sm_unknown_proto() for hairpinning.
• If IP protocol is ICMP, call icmp_in2out_slow_path().
  • Call icmp_in2out().
  • Update session counter and timestamp. Timestamp is used to mark timeout session.
  • Update doubly-linked list, move session index to list tail.
• Use source address, source port, protocol and fib index to search in2out table.
• If this search has no result, enter slow path.
  • Call nat_not_translate_output_feature().
    • Use destination address and destination port to search out2in table, if this search has result, do not translate.
    • Use destination address and destination port to search in2out table.
    • If this search has not result, do translate.
    • If this search has result, do not translate.
  • Call slow_path().
    • Call snat_static_mapping_match().
      • Try to match static mapping by local address and port.
    • Call snat_alloc_outside_address_and_port().
    • Call nat_user_get_or_create().
      • Get user.
    • Call nat_session_alloc_or_recycle().
      • Did not check timestamp.
    • Add to in2out table.
      • Call nat44_i2o_is_idle_session_cb()
        • Find timeout session in in2out table.
        • in2out entry will be overwritten.
        • Remove timeout session from out2in table.
    • Add to out2in table.
      • Call nat44_o2i_is_idle_session_cb().
        • Find timeout session in out2in table.
        • out2in entry will be overwritten.
        • Remove timeout session from in2out table.
    • Call nat_ha_sadd().
• If this search has result, use result to get session.
• Replace src address, update IP checksum.
• If IP protocol is TCP, replace source port, update IP checksum, update TCP checksum.
• If IP protocol is UDP, replace source port, UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

9.2.5. nat44_in2out_reass_node

This node is used after nat44-in2out, before ip4-lookup.

• Call nat_reass_is_drop_frag().
  • Drop IP fragment if configured.
• Call nat_ip4_reass_find_or_create().
  • Get reassemble.
• Call ip4_is_first_fragment().
• If this is the first fragment.
  • If IP protocol is ICMP.
    • Call icmp_in2out_slow_path().
  • Use source address, source port, IP protocol, fib index to search in2out table.
  • If this search has result, get session.
  • If this search has no result.
    • Call snat_not_translate().
    • Call slow_path().
• If this is not the first fragment, call nat_ip4_reass_add_fragment().
  • Add fragment to list.
• Replace source address and update IP checksum.
• If this is the first fragment.
  • If IP protocol is TCP.
    • Replace source port and update TCP checksum.
  • If IP protocol is UDP.
    • Replace source port and UDP checksum is 0.
• Call nat44_reass_hairpinning() for hairpinning.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

9.2.6. snat_in2out_fast_node

This node is used before ip4-lookup.

When only support static mapping, and don’t need connection tracking, this node is used.

• Default next node is SNAT_IN2OUT_NEXT_LOOKUP.
• If IP ttl is 0, next node is NAT_IN2OUT_NEXT_ICMP_ERROR.
• If IP protocol is not TCP, UDP and ICMP, skip it.
• If IP protocol is ICMP, call icmp_in2out().
• Call snat_static_mapping_match().
  • Search for static mapping.
• Replace source address and update IP checksum.
• If new port is not the same as destination port.
  • If IP protocol is TCP, replace source port and update TCP checksum.
  • If IP protocol is UDP, replace source port and UDP checksum is 0.
• If new port is the same as destination port.
  • If IP protocol is TCP, update TCP checksum.
• Call snat_hairpinning() for hairpinning.

10. nat_affinity

10.1. Introduction

NAT plugin client-IP based session affinity for load-balancing.

This module is not a node.

11. nat_api

11.1. Introduction

NAT plugin API implementation.

This module is not a node, and it provides external API.

11.2. Interface

/* List of message types that this plugin understands */
#define foreach_snat_plugin_api_msg                                     \
_(NAT_CONTROL_PING, nat_control_ping)                                   \
_(NAT_SHOW_CONFIG, nat_show_config)                                     \
_(NAT_SET_WORKERS, nat_set_workers)                                     \
_(NAT_WORKER_DUMP, nat_worker_dump)                                     \
_(NAT_IPFIX_ENABLE_DISABLE, nat_ipfix_enable_disable)                   \
_(NAT_SET_REASS, nat_set_reass)                                         \
_(NAT_GET_REASS, nat_get_reass)                                         \
_(NAT_REASS_DUMP, nat_reass_dump)                                       \
_(NAT_SET_TIMEOUTS, nat_set_timeouts)                                   \
_(NAT_GET_TIMEOUTS, nat_get_timeouts)                                   \
_(NAT_SET_ADDR_AND_PORT_ALLOC_ALG, nat_set_addr_and_port_alloc_alg)     \
_(NAT_GET_ADDR_AND_PORT_ALLOC_ALG, nat_get_addr_and_port_alloc_alg)     \
_(NAT_SET_MSS_CLAMPING, nat_set_mss_clamping)                           \
_(NAT_GET_MSS_CLAMPING, nat_get_mss_clamping)                           \
_(NAT_HA_SET_LISTENER, nat_ha_set_listener)                             \
_(NAT_HA_SET_FAILOVER, nat_ha_set_failover)                             \
_(NAT_HA_GET_LISTENER, nat_ha_get_listener)                             \
_(NAT_HA_GET_FAILOVER, nat_ha_get_failover)                             \
_(NAT_HA_FLUSH, nat_ha_flush)                                           \
_(NAT_HA_RESYNC, nat_ha_resync)                                         \
_(NAT44_ADD_DEL_ADDRESS_RANGE, nat44_add_del_address_range)             \
_(NAT44_INTERFACE_ADD_DEL_FEATURE, nat44_interface_add_del_feature)     \
_(NAT44_ADD_DEL_STATIC_MAPPING, nat44_add_del_static_mapping)           \
_(NAT44_ADD_DEL_IDENTITY_MAPPING, nat44_add_del_identity_mapping)       \
_(NAT44_STATIC_MAPPING_DUMP, nat44_static_mapping_dump)                 \
_(NAT44_IDENTITY_MAPPING_DUMP, nat44_identity_mapping_dump)             \
_(NAT44_ADDRESS_DUMP, nat44_address_dump)                               \
_(NAT44_INTERFACE_DUMP, nat44_interface_dump)                           \
_(NAT44_ADD_DEL_INTERFACE_ADDR, nat44_add_del_interface_addr)           \
_(NAT44_INTERFACE_ADDR_DUMP, nat44_interface_addr_dump)                 \
_(NAT44_USER_DUMP, nat44_user_dump)                                     \
_(NAT44_USER_SESSION_DUMP, nat44_user_session_dump)                     \
_(NAT44_INTERFACE_ADD_DEL_OUTPUT_FEATURE,                               \
  nat44_interface_add_del_output_feature)                               \
_(NAT44_INTERFACE_OUTPUT_FEATURE_DUMP,                                  \
  nat44_interface_output_feature_dump)                                  \
_(NAT44_ADD_DEL_LB_STATIC_MAPPING, nat44_add_del_lb_static_mapping)     \
_(NAT44_LB_STATIC_MAPPING_ADD_DEL_LOCAL,                                \
  nat44_lb_static_mapping_add_del_local)                                \
_(NAT44_LB_STATIC_MAPPING_DUMP, nat44_lb_static_mapping_dump)           \
_(NAT44_DEL_SESSION, nat44_del_session)                                 \
_(NAT44_FORWARDING_ENABLE_DISABLE, nat44_forwarding_enable_disable)     \
_(NAT44_FORWARDING_IS_ENABLED, nat44_forwarding_is_enabled)             \
_(NAT_DET_ADD_DEL_MAP, nat_det_add_del_map)                             \
_(NAT_DET_FORWARD, nat_det_forward)                                     \
_(NAT_DET_REVERSE, nat_det_reverse)                                     \
_(NAT_DET_MAP_DUMP, nat_det_map_dump)                                   \
_(NAT_DET_CLOSE_SESSION_OUT, nat_det_close_session_out)                 \
_(NAT_DET_CLOSE_SESSION_IN, nat_det_close_session_in)                   \
_(NAT_DET_SESSION_DUMP, nat_det_session_dump)                           \
_(NAT64_ADD_DEL_POOL_ADDR_RANGE, nat64_add_del_pool_addr_range)         \
_(NAT64_POOL_ADDR_DUMP, nat64_pool_addr_dump)                           \
_(NAT64_ADD_DEL_INTERFACE, nat64_add_del_interface)                     \
_(NAT64_INTERFACE_DUMP, nat64_interface_dump)                           \
_(NAT64_ADD_DEL_STATIC_BIB, nat64_add_del_static_bib)                   \
_(NAT64_BIB_DUMP, nat64_bib_dump)                                       \
_(NAT64_ST_DUMP, nat64_st_dump)                                         \
_(NAT64_ADD_DEL_PREFIX, nat64_add_del_prefix)                           \
_(NAT64_PREFIX_DUMP, nat64_prefix_dump)                                 \
_(NAT64_ADD_DEL_INTERFACE_ADDR, nat64_add_del_interface_addr)           \
_(DSLITE_ADD_DEL_POOL_ADDR_RANGE, dslite_add_del_pool_addr_range)       \
_(DSLITE_ADDRESS_DUMP, dslite_address_dump)				\
_(DSLITE_SET_AFTR_ADDR, dslite_set_aftr_addr)                           \
_(DSLITE_GET_AFTR_ADDR, dslite_get_aftr_addr)                           \
_(DSLITE_SET_B4_ADDR, dslite_set_b4_addr)                               \
_(DSLITE_GET_B4_ADDR, dslite_get_b4_addr)                               \
_(NAT66_ADD_DEL_INTERFACE, nat66_add_del_interface)                     \
_(NAT66_INTERFACE_DUMP, nat66_interface_dump)                           \
_(NAT66_ADD_DEL_STATIC_MAPPING, nat66_add_del_static_mapping)           \
_(NAT66_STATIC_MAPPING_DUMP, nat66_static_mapping_dump)

12. nat_det_in2out

12.1. Introduction

Deterministic/CGN NAT44 inside to outside network translation.

There is one node: snat_det_in2out_node.

12.2 Detail

This node is used before ip4-lookup.

• If IP ttl is 0, next node is NAT_DET_IN2OUT_NEXT_ICMP_ERROR.
• If IP protocol is ICMP, call icmp_in2out().
• Call snat_det_map_by_user().
  • Get match.
• Call snat_det_forward().
• Call snat_det_find_ses_by_in().
  • Find session.
• If no session, call snat_det_ses_create().
• Replace souce port, update IP checksum.
• If IP protocol is TCP.
  • Check TCP flag.
  • Replace TCP source port, and update TCP checksum.
• If IP protocol is UDP.
  • Replace UDP source port, and UDP checksum is 0.
• Update session expire time.

13. nat_det_out2in

13.1. Introduction

Deterministic/CGN NAT44 outside to inside network translation.

There is one node: snat_det_out2in_node.

13.2. Detail

This node is used before ip4-lookup.

• If IP ttl is 0, next node is NAT_DET_OUT2IN_NEXT_ICMP_ERROR.
• If IP protocol is ICMP, call icmp_out2in().
• Call snat_det_map_by_out().
  • Get match.
• Call snat_det_reverse().
• Call snat_det_get_ses_by_out().
• If no session, next node is NAT_DET_OUT2IN_NEXT_DROP.
• Replace destination address and update IP checksum.
• If IP protocol is TCP.
  • Replace destination port and update TCP checksum.
• If IP protocol is UDP.
  • Replace destination port and UDP checksum is 0.

14. nat_det

14.1. Introduction

deterministic NAT.

Inside user is statically mapped to a set of outside ports with the purpose of enabling deterministic NAT to reduce logging and to achieve high scale/high performance in CGN deployments. Support endpoint dependent mapping to deal with overloading of the outside ports. Prealocate 1000 session slots for each inside user. Use sequential port range assignment algorithm (the first block goes to address 1, the second block to address 2, etc.)

There is one node: snat_det_expire_walk_node.

14.2. Detail

14.2.1. snat_det_expire_walk_node

This node is used to iterate sessions and call snat_det_expire_walk_node() to close timeout session.

Atomic operation is used to support multiple thread.

15. nat_dpo

NAT data path object.

15.1. Introduction

This module is not a node.

16. nat_format

NAT formatting.

16.1. Introduction

This module is not a node, and is used for command.

17. nat_ha

17.1. Introduction

One NAT node actively manages traffic while the other is synchronized and ready to transition to the active state and takes over seamlessly and enforces the same NAT sessions when failure occur. Both nodes share the same configuration settings.

There are 4 nodes:

• nat_ha_worker_node
• nat_ha_process_node
• nat_ha_node
• nat_ha_handoff_node

18. nat_ipfix_logging

NAT Events IPFIX logging.

18.1. Introduction

There is one node: snat_ipfix_flush_node.

19. nat_reass

NAT plugin virtual fragmentation reassembly.

19.1. Introduction

This module is not a node.

19.2. Command

nat virtual-reassembly ip4|ip6 [max-reassemblies <n>] 
[max-fragments <n>] [timeout <sec>] [enable|disable]

show nat virtual-reassembly

20. nat_syslog

NAT syslog logging.

20.1. Introduction

This module is not a node.

21. nat_test

skeleton vpp-api-test plug-in

21.1 Introduction

This module is not a node.

22. nat

simple nat plugin.

22.1. Introduction

This module is not a node, and it registers NAT plugin.

22.2. Interface

Initial function is snat_init().

Configure function is snat_config().

23. nat44_classify

Classify for one armed NAT44 (in+out interface).

23.1. Introduction

There are 4 nodes:

• nat44_classify_node
• nat44_ed_classify_node
• nat44_det_classify_node
• nat44_handoff_classify_node

23.2. Detail

23.2.1. nat44_classify_node

This node is used before nat44-in2out and nat44-out2in.

This node is using nat44_classify_node_fn_inline(). is_ed is 0.

23.2.2. nat44_ed_classify_node

This node is used before nat44-ed-in2out and nat44-ed-out2in.

This node is using nat44_classify_node_fn_inline(). is_ed is 1.

23.2.3. nat44_det_classify_node

This node is used before nat44-det-in2out and nat44-det-out2in.

This node is using nat44_classify_node_fn_inline(). is_ed is 0.

23.2.4. nat44_handoff_classify_node

This node is used before nat44-in2out-worker-handoff and nat44-out2in-worker-handoff.

This node is using nat44_classify_node_fn_inline(). is_ed is 0.

24. nat44_cli

NAT44 CLI.

24.1. Introduction

This module is not a node. And it defines NAT44 commands.

24.2. Command

set nat workers <workers-list>

show nat workers

set nat timeout [udp <sec> | tcp-established <sec> 
tcp-transitory <sec> | icmp <sec> | reset]

show nat timeouts

nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]

nat addr-port-assignment-alg <alg-name> [<alg-params>]

show nat addr-port-assignment-alg

nat mss-clamping <mss-value>|disable

show nat mss-clamping

nat ha failover <ip4-address>:<port> [refresh-intervval <sec>]

nat ha listener <ip4-address>:<port> [path-mtu <path-mtu>]

show nat ha

nat ha flush

nat ha resync

show nat44 hash tables [detail|verbose]

nat44 add address <ip4-range-start> [- <ip4-range-end>] 
[tenant-vrf <vrf-id>] [twice-nat] [del]

show nat44 addresses

set interface nat44 in <intfc> out <intfc> [output-feature] 
[del]

show nat44 interfaces

nat44 add static mapping tcp|udp|icmp local <addr> [<port>] 
external <addr> [<port>] [vrf <table-id>] [twice-nat|self-twice-nat] 
[out2in-only] [del]

nat44 add identity mapping <interface>|<ip4-addr> 
[<protocol> <port>] [vrf <table-id>] [del]

nat44 add load-balancing static mapping protocol tcp|udp 
external <addr>:<port> local <addr>:<port> [vrf <table-id>] 
probability <n> [twice-nat|self-twice-nat] [out2in-only] 
[affinity <timeout-seconds>] [del]

nat44 add load-balancing back-end protocol tcp|udp 
external <addr>:<port> local <addr>:<port> [vrf <table-id>] 
probability <n> [del]

show nat44 static mappings

nat44 add interface address <interface> [twice-nat] [del]

show nat44 interface address

show nat44 sessions [detail]

nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]

nat44 forwarding enable|disable

nat44 deterministic add in <addr>/<plen> out <addr>/<plen> [del]

show nat44 deterministic mappings

nat44 deterministic forward <addr>

nat44 deterministic reverse <addr>:<port>

show nat44 deterministic sessions

nat44 deterministic close session out 
<out_addr>:<out_port> <ext_addr>:<ext_port>

nat44 deterministic close session in 
<in_addr>:<in_port> <ext_addr>:<ext_port>

25. nat44_hairpinning

NAT44 hairpinning.

25.1. Introduction

There are 6 nodes:

• nat44_hairpinning_node
• nat44_ed_hairpinning_node
• snat_hairpin_dst_node
• nat44_ed_hairpin_dst_node
• snat_hairpin_src_node
• nat44_ed_hairpin_src_node

25.2. Detail

25.2.1. nat44_hairpinning_node

This node is used before ip4-lookup.

This node is using nat44_hairpinning_fn_inline(). is_ed is 0.

25.2.2. nat44_ed_hairpinning_node

This node is used before ip4-lookup.

This node is using nat44_hairpinning_fn_inline(). is_ed is 1.

25.2.3. snat_hairpin_dst_node

This node is used before ip4-lookup.

This node is using snat_hairpin_dst_fn_inline(). is_ed is 0.

25.2.4. nat44_ed_hairpin_dst_node

This node is used before ip4-lookup.

This node is using snat_hairpin_dst_fn_inline(). is_ed is 1.

25.2.5. snat_hairpin_src_node

This node is used before nat44-in2out-output.

This node is using snat_hairpin_src_fn_inline(). is_ed is 0.

25.2.6. nat44_ed_hairpin_src_node

This node is used before nat44-ed-in2out-output.

This node is using snat_hairpin_src_fn_inline(). is_ed is 1.

26. nat44_handoff

NAT44 worker handoff.

26.1. Introduction

There are 3 nodes:

• snat_in2out_worker_handoff_node
• snat_in2out_output_worker_handoff_node
• snat_out2in_worker_handoff_node

26.2. Detail

• For in2out traffic, packets with the same source address are processed in the same thread.
• For out2in traffic, packets with the same port are processed in the same thread.
• in2out traffic and out2in traffic corresponding to a specific session must be handled by the same CPU core.
  • At in2out direction, ports are allocated by worker.
  • At out2in direction, ports are used to find the worker.

26.2.1. snat_in2out_worker_handoff_node

This node is using nat44_worker_handoff_fn_inline(). is_output is 0, is_in2out is 1.

26.2.2. snat_in2out_output_worker_handoff_node

This node is using nat44_worker_handoff_fn_inline(). is_output is 1, is_in2out is 1.

26.2.3. snat_out2in_worker_handoff_node

This node is using nat44_worker_handoff_fn_inline(). is_output is 0, is_in2out is 0.

27. nat64_cli

NAT64 CLI.

27.1. Introduction

This is not a node, and it provides commands for NAT64.

27.2. Command

nat64 add pool address <ip4-range-start> [- <ip4-range-end>] 
[tenant-vrf <vrf-id>] [del]

show nat64 pool

set interface nat64 in|out <intfc> [del]

show nat64 interfaces

nat64 add static bib <ip6-addr> <port> <ip4-addr> <port> 
tcp|udp|icmp [vfr <table-id>] [del]

show nat64 bib all|tcp|udp|icmp|unknown

show nat64 session table all|tcp|udp|icmp|unknown

nat64 add prefix <ip6-prefix>/<plen> [tenant-vrf <vrf-id>] 
[del] [interface <interface]

show nat64 prefix

nat64 add interface address <interface> [del]

28. nat64_db

NAT64 DB

28.1. Introduction

This module is not a node.

29. nat64_in2out

NAT64 IPv6 to IPv4 translation (inside to outside network).

29.1. Introduction

There are 4 nodes:

• nat64_in2out_node
• nat64_in2out_slowpath_node
• nat64_in2out_reass_node
• nat64_in2out_handoff_node

30. nat64_out2in

NAT64 IPv4 to IPv6 translation (otside to inside network).

30.1. Introduction

There are 3 nodes:

• nat64_out2in_node
• nat64_out2in_reass_node
• nat64_out2in_handoff_node

31. nat64

NAT64 implementation.

31.1. Introduction

There are 3 nodes:

• nat64_static_bib_worker_node
• nat64_expire_worker_walk_node
• nat64_expire_walk_node

32. nat66_cli

NAT66 CLI.

32.1. Introduction

This module is not a node, and it provides command for NAT66.

32.2. Command

set interface nat66 in|out <intfc> [del]

show nat66 interfaces

nat66 add static mapping local <ip6-addr> external <ip6-addr>
 [vfr <table-id>] [del]

show nat66 static mappings

33. nat66_in2out

NAT66 inside to outside network translation.

33.1. Introduction

There is 1 node: nat66_in2out_node.

34. nat66_out2in

NAT66 outside to inside network translation.

34.1. Introduction

There is 1 node: nat66_out2in_node.

35. nat66

NAT66 implementation

35.1. Introduction

This is not a node.

36. out2in_ed

NAT44 endpoint-dependent outside to inside network translation.

36.1. Introduction

There are 3 nodes:

• nat44_ed_out2in_node
• nat44_ed_out2in_slowpath_node
• nat44_ed_out2in_reass_node

36.2. Detail

36.2.1. nat44_ed_out2in_node

This node is used before nat44-ed-out2in-slowpath.

This node is using nat44_ed_out2in_node_fn_inline(). is_slow_path is 0.

• Default next node is NAT44_ED_OUT2IN_NEXT_LOOKUP.
• If IP ttl is 0, next node is NAT44_ED_OUT2IN_NEXT_ICMP_ERROR.
• If IP protocol is not TCP, UDP and ICMP, next node is NAT44_ED_OUT2IN_NEXT_SLOW_PATH.
• If IP is fragment, next node is NAT44_ED_OUT2IN_NEXT_REASS.
• If IP protocol is ICMP, next node is NAT44_ED_OUT2IN_NEXT_SLOW_PATH.
• Search out2in_ed table.
• If this search has no result, next node is NAT44_ED_OUT2IN_NEXT_SLOW_PATH.
• If this search has result, get session.
• Replace destination address and update IP checksum.
• If IP protocol is TCP, replace destination port and update TCP checksum.
• If IP protocol is UDP, replace destination port and UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

36.2.2. nat44_ed_out2in_slowpath_node

This node is used before ip4-lookup.

This node is using nat44_ed_out2in_node_fn_inline(). is_slow_path is 1.

• Default next node is NAT44_ED_OUT2IN_NEXT_LOOKUP.
• If IP ttl is 0, next node is NAT44_ED_OUT2IN_NEXT_ICMP_ERROR.
• If IP protocol is not TCP, UDP and ICMP, call nat44_ed_out2in_unknown_proto().
• If IP protocol is ICMP, call icmp_out2in_ed_slow_path().
• Search out2in_ed table.
• If this search has no result.
  • Call snat_static_mapping_match().
    • Try to match static mapping by external address and port, destination address and port in packet.
  • Call create_session_for_static_mapping_ed().
    • Create session initiated by host from external network.
• If this search has result, get session.
• Replace destination address and update IP checksum.
• If IP protocol is TCP, replace destination port and update TCP checksum.
• If IP protocol is UDP, replace destination port and UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

36.2.3. nat44_ed_out2in_reass_node

This node is used before ip4-lookup.

• Call nat_reass_is_drop_frag(), drop IP fragment if configured.
• Call nat_ip4_reass_find_or_create() to get reassemble.
• If this is the first fragment.
  • If IP protocol is ICMP, call icmp_out2in_ed_slow_path().
  • Search out2in_ed table.
    • If this search has no result.
      • Call snat_static_mapping_match().
        • Try to match static mapping by external address and port, destination address and port in packet.
      • Call create_session_for_static_mapping_ed().
        • Create session initiated by host from external network.
    • If this search has result, get session.
  • Call nat_ip4_reass_get_frags() to get fragment.
• If this is not the first fragment.
  • Call nat_ip4_reass_add_fragment() to add fragment.
  • Get session.
• Replace destination address and update IP checksum.
• If this is the first fragment.
  • If IP protocol is TCP, replace destination port and update TCP checksum.
  • If IP protocol is UDP, replace destination port and UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

37. out2in

NAT44 endpoint-dependent outside to inside network translation.

37.1. Introduction

There are 3 nodes:

• snat_out2in_node
• nat44_out2in_reass_node
• snat_out2in_fast_node

37.2 Detail

37.2.1. snat_out2in_node

This node is used before ip4-lookup or nat44-out2in-reass.

• If IP ttl is 0, next node is SNAT_OUT2IN_NEXT_ICMP_ERROR.
• If IP protocol is not TCP, UDP and ICMP, call nat_out2in_sm_unknown_proto().
• If IP is fragment, next node is SNAT_OUT2IN_NEXT_REASS.
• If IP protocol is ICMP, call icmp_out2in_slow_path().
• Search out2in table.
• If this search has no result.
  • Call snat_static_mapping_match().
    • Try to match static mapping by external address and port, destination address and port in packet.
  • Call create_session_for_static_mapping().
    • Create session initiated by host from external network.
• If this search has result, get session.
• Replace destination address, and update IP checksum.
• If IP protocol is TCP, replace destination port and update TCP checksum.
• If IP protocol is UDP, replace destination port and UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

37.2.2. nat44_out2in_reass_node

This node is used before ip4-lookup.

• Default next node is SNAT_OUT2IN_NEXT_LOOKUP.
• If nat_reass_is_drop_frag(), next node is SNAT_OUT2IN_NEXT_DROP.
• Call nat_ip4_reass_find_or_create() to get reassemble.
• If this is the first fragment.
  • If IP protocol is ICMP, call icmp_out2in_slow_path().
  • Search out2in table.
  • If this search has no result.
    • Call snat_static_mapping_match().
    • Call create_session_for_static_mapping().
  • If this search has result, get session.
  • Call nat_ip4_reass_get_frags().
• If this is not the first fragment.
  • Call nat_ip4_reass_add_fragment().
  • Get session.
• Replace destination address and update IP checksum.
• If this is the first fragment.
  • If IP protocol is TCP, replace destination port and update TCP checksum.
  • If IP protocol is UDP, replace destination port and UDP checksum is 0.
• Update session counter and timestamp. Timestamp is used to mark timeout session.
• Update doubly-linked list, move session index to list tail.

37.2.3. snat_out2in_fast_node

This node is used before ip4-lookup or nat44-out2in-reass.

• If nat_reass_is_drop_frag(), next node is SNAT_OUT2IN_NEXT_ICMP_ERROR.
• If IP protocol is not TCP, UDP and ICMP, next node is SNAT_OUT2IN_NEXT_DROP.
• If IP protocol is ICMP, call icmp_out2in().
• Call snat_static_mapping_match() to get static mapping.
• Replace destination address and update IP checksum.
• If this is the first fragment.
  • If IP protocol is TCP, replace destination port and update TCP checksum.
  • If IP protocol is UDP, replace destination port and UDP checksum is 0.