2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
20 #include <vnet/fib/fib_table.h>
22 #include <nat/lib/log.h>
23 #include <nat/lib/nat_inlines.h>
24 #include <nat/lib/ipfix_logging.h>
26 #include <nat/nat44-ed/nat44_ed.h>
27 #include <nat/nat44-ed/nat44_ed_inlines.h>
28 #include <nat/nat44-ed/nat44_ed_affinity.h>
30 #define NAT44_ED_EXPECTED_ARGUMENT "expected required argument(s)"
33 nat44_ed_enable_disable_command_fn (vlib_main_t *vm, unformat_input_t *input,
34 vlib_cli_command_t *cmd)
36 snat_main_t *sm = &snat_main;
37 unformat_input_t _line_input, *line_input = &_line_input;
38 clib_error_t *error = 0;
40 nat44_config_t c = { 0 };
41 u8 enable_set = 0, enable = 0;
43 if (!unformat_user (input, unformat_line_input, line_input))
44 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
46 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
48 if (unformat (line_input, "inside-vrf %u", &c.inside_vrf))
50 else if (unformat (line_input, "outside-vrf %u", &c.outside_vrf));
51 else if (unformat (line_input, "sessions %u", &c.sessions));
55 if (unformat (line_input, "disable"))
57 else if (unformat (line_input, "enable"))
62 error = clib_error_return (0, "unknown input '%U'",
63 format_unformat_error, line_input);
70 error = clib_error_return (0, "expected enable | disable");
78 error = clib_error_return (0, "already enabled");
82 if (nat44_plugin_enable (c) != 0)
83 error = clib_error_return (0, "enable failed");
89 error = clib_error_return (0, "already disabled");
93 if (nat44_plugin_disable () != 0)
94 error = clib_error_return (0, "disable failed");
98 unformat_free (line_input);
102 static clib_error_t *
103 set_workers_command_fn (vlib_main_t * vm,
104 unformat_input_t * input, vlib_cli_command_t * cmd)
106 unformat_input_t _line_input, *line_input = &_line_input;
109 clib_error_t *error = 0;
111 /* Get a line of input. */
112 if (!unformat_user (input, unformat_line_input, line_input))
113 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
115 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
117 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
121 error = clib_error_return (0, "unknown input '%U'",
122 format_unformat_error, line_input);
129 error = clib_error_return (0, "List of workers must be specified.");
133 rv = snat_set_workers (bitmap);
135 clib_bitmap_free (bitmap);
139 case VNET_API_ERROR_INVALID_WORKER:
140 error = clib_error_return (0, "Invalid worker(s).");
142 case VNET_API_ERROR_FEATURE_DISABLED:
143 error = clib_error_return (0,
144 "Supported only if 2 or more workes available.");
151 unformat_free (line_input);
156 static clib_error_t *
157 nat_show_workers_command_fn (vlib_main_t *vm, unformat_input_t *input,
158 vlib_cli_command_t *cmd)
160 snat_main_t *sm = &snat_main;
163 if (sm->num_workers > 1)
165 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
166 vec_foreach (worker, sm->workers)
168 vlib_worker_thread_t *w =
169 vlib_worker_threads + *worker + sm->first_worker_index;
170 vlib_cli_output (vm, " %s", w->name);
177 static clib_error_t *
178 snat_set_log_level_command_fn (vlib_main_t * vm,
179 unformat_input_t * input,
180 vlib_cli_command_t * cmd)
182 unformat_input_t _line_input, *line_input = &_line_input;
183 snat_main_t *sm = &snat_main;
184 u8 log_level = NAT_LOG_NONE;
185 clib_error_t *error = 0;
187 /* Get a line of input. */
188 if (!unformat_user (input, unformat_line_input, line_input))
189 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
191 if (!unformat (line_input, "%d", &log_level))
193 error = clib_error_return (0, "unknown input '%U'",
194 format_unformat_error, line_input);
197 if (log_level > NAT_LOG_DEBUG)
199 error = clib_error_return (0, "unknown logging level '%d'", log_level);
202 sm->log_level = log_level;
205 unformat_free (line_input);
210 static clib_error_t *
211 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
212 unformat_input_t * input,
213 vlib_cli_command_t * cmd)
215 unformat_input_t _line_input, *line_input = &_line_input;
216 clib_error_t *error = 0;
218 u32 domain_id = 0, src_port = 0;
219 u8 enable_set = 0, enable = 0;
221 if (!unformat_user (input, unformat_line_input, line_input))
222 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
224 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
226 if (unformat (line_input, "domain %d", &domain_id))
228 else if (unformat (line_input, "src-port %d", &src_port))
230 else if (!enable_set)
233 if (unformat (line_input, "disable"))
235 else if (unformat (line_input, "enable"))
240 error = clib_error_return (0, "unknown input '%U'",
241 format_unformat_error, line_input);
248 error = clib_error_return (0, "expected enable | disable");
252 if (nat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port))
254 error = clib_error_return (0, "ipfix logging enable failed");
259 unformat_free (line_input);
264 static clib_error_t *
265 nat44_show_hash_command_fn (vlib_main_t * vm, unformat_input_t * input,
266 vlib_cli_command_t * cmd)
268 snat_main_t *sm = &snat_main;
269 nat_affinity_main_t *nam = &nat_affinity_main;
273 if (unformat (input, "detail"))
275 else if (unformat (input, "verbose"))
278 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->flow_hash, verbose);
279 vec_foreach_index (i, sm->per_thread_data)
281 vlib_cli_output (vm, "-------- thread %d %s --------\n",
282 i, vlib_worker_threads[i].name);
283 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->flow_hash, verbose);
286 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash, verbose);
288 vlib_cli_output (vm, "-------- hash table parameters --------\n");
289 vlib_cli_output (vm, "translation buckets: %u", sm->translation_buckets);
293 static clib_error_t *
294 nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
295 vlib_cli_command_t * cmd)
297 unformat_input_t _line_input, *line_input = &_line_input;
298 snat_main_t *sm = &snat_main;
299 clib_error_t *error = 0;
302 /* Get a line of input. */
303 if (!unformat_user (input, unformat_line_input, line_input))
304 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
306 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
308 if (unformat (line_input, "disable"))
309 sm->mss_clamping = 0;
310 else if (unformat (line_input, "%d", &mss))
311 sm->mss_clamping = (u16) mss;
314 error = clib_error_return (0, "unknown input '%U'",
315 format_unformat_error, line_input);
321 unformat_free (line_input);
326 static clib_error_t *
327 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
328 vlib_cli_command_t * cmd)
330 snat_main_t *sm = &snat_main;
332 if (sm->mss_clamping)
333 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
335 vlib_cli_output (vm, "mss-clamping disabled");
340 static clib_error_t *
341 add_address_command_fn (vlib_main_t * vm,
342 unformat_input_t * input, vlib_cli_command_t * cmd)
344 unformat_input_t _line_input, *line_input = &_line_input;
345 ip4_address_t start_addr, end_addr, this_addr;
346 u32 start_host_order, end_host_order;
351 clib_error_t *error = 0;
354 /* Get a line of input. */
355 if (!unformat_user (input, unformat_line_input, line_input))
356 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
358 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
360 if (unformat (line_input, "%U - %U",
361 unformat_ip4_address, &start_addr,
362 unformat_ip4_address, &end_addr))
364 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
366 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
367 end_addr = start_addr;
368 else if (unformat (line_input, "twice-nat"))
370 else if (unformat (line_input, "del"))
374 error = clib_error_return (0, "unknown input '%U'",
375 format_unformat_error, line_input);
380 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
381 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
383 if (end_host_order < start_host_order)
385 error = clib_error_return (0, "end address less than start address");
389 count = (end_host_order - start_host_order) + 1;
392 nat_log_info ("%U - %U, %d addresses...",
393 format_ip4_address, &start_addr,
394 format_ip4_address, &end_addr, count);
396 this_addr = start_addr;
398 for (i = 0; i < count; i++)
402 rv = nat44_ed_add_address (&this_addr, vrf_id, twice_nat);
406 rv = nat44_ed_del_address (this_addr, twice_nat);
411 case VNET_API_ERROR_VALUE_EXIST:
412 error = clib_error_return (0, "NAT address already in use.");
414 case VNET_API_ERROR_NO_SUCH_ENTRY:
415 error = clib_error_return (0, "NAT address not exist.");
417 case VNET_API_ERROR_UNSPECIFIED:
419 clib_error_return (0, "NAT address used in static mapping.");
425 increment_v4_address (&this_addr);
429 unformat_free (line_input);
435 nat44_show_lru_summary (vlib_main_t * vm, snat_main_per_thread_data_t * tsm,
436 u64 now, u64 sess_timeout_time)
438 snat_main_t *sm = &snat_main;
439 dlist_elt_t *oldest_elt;
447 clib_dlist_remove_head (tsm->lru_pool, tsm->n##_lru_head_index); \
448 if (~0 != oldest_index) \
450 oldest_elt = pool_elt_at_index (tsm->lru_pool, oldest_index); \
451 s = pool_elt_at_index (tsm->sessions, oldest_elt->value); \
452 sess_timeout_time = \
453 s->last_heard + (f64) nat44_session_get_timeout (sm, s); \
454 vlib_cli_output (vm, d " LRU min session timeout %llu (now %llu)", \
455 sess_timeout_time, now); \
456 clib_dlist_addhead (tsm->lru_pool, tsm->n##_lru_head_index, \
459 _ (tcp_estab, "established tcp");
460 _ (tcp_trans, "transitory tcp");
462 _ (unk_proto, "unknown protocol");
468 static clib_error_t *
469 nat44_show_summary_command_fn (vlib_main_t * vm, unformat_input_t * input,
470 vlib_cli_command_t * cmd)
472 snat_main_per_thread_data_t *tsm;
473 snat_main_t *sm = &snat_main;
478 u64 now = vlib_time_now (vm);
479 u64 sess_timeout_time = 0;
485 } udp = { 0 }, tcp = { 0 }, tcp_established = { 0 }, tcp_transitory = { 0 },
486 icmp = { 0 }, other = { 0 };
490 for (fib = 0; fib < vec_len (sm->max_translations_per_fib); fib++)
491 vlib_cli_output (vm, "max translations per thread: %u fib %u",
492 sm->max_translations_per_fib[fib], fib);
494 if (sm->num_workers > 1)
496 vec_foreach (tsm, sm->per_thread_data)
498 pool_foreach (s, tsm->sessions)
501 s->last_heard + (f64) nat44_session_get_timeout (sm, s);
505 case IP_PROTOCOL_ICMP:
507 if (now >= sess_timeout_time)
510 case IP_PROTOCOL_TCP:
512 if (now >= sess_timeout_time)
514 if (nat44_ed_tcp_is_established (s->tcp_state))
516 ++tcp_established.total;
517 if (now >= sess_timeout_time)
518 ++tcp_established.timed_out;
522 ++tcp_transitory.total;
523 if (now >= sess_timeout_time)
524 ++tcp_transitory.timed_out;
527 case IP_PROTOCOL_UDP:
529 if (now >= sess_timeout_time)
534 if (now >= sess_timeout_time)
539 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
540 count += pool_elts (tsm->sessions);
545 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
546 pool_foreach (s, tsm->sessions)
548 sess_timeout_time = s->last_heard +
549 (f64) nat44_session_get_timeout (sm, s);
553 case IP_PROTOCOL_ICMP:
555 if (now >= sess_timeout_time)
558 case IP_PROTOCOL_TCP:
560 if (now >= sess_timeout_time)
562 if (nat44_ed_tcp_is_established (s->tcp_state))
564 ++tcp_established.total;
565 if (now >= sess_timeout_time)
566 ++tcp_established.timed_out;
570 ++tcp_transitory.total;
571 if (now >= sess_timeout_time)
572 ++tcp_transitory.timed_out;
575 case IP_PROTOCOL_UDP:
577 if (now >= sess_timeout_time)
582 if (now >= sess_timeout_time)
587 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
588 count = pool_elts (tsm->sessions);
592 tcp.timed_out + icmp.timed_out + udp.timed_out + other.timed_out;
593 vlib_cli_output (vm, "total sessions: %u (timed out: %u)", count, timed_out);
594 vlib_cli_output (vm, "tcp sessions:");
595 vlib_cli_output (vm, " total: %u (timed out: %u)", tcp.total,
597 vlib_cli_output (vm, " established: %u (timed out: %u)",
598 tcp_established.total, tcp_established.timed_out);
599 vlib_cli_output (vm, " transitory: %u (timed out: %u)",
600 tcp_transitory.total, tcp_transitory.timed_out);
601 vlib_cli_output (vm, "udp sessions:");
602 vlib_cli_output (vm, " total: %u (timed out: %u)", udp.total,
604 vlib_cli_output (vm, "icmp sessions:");
605 vlib_cli_output (vm, " total: %u (timed out: %u)", icmp.total,
607 vlib_cli_output (vm, "other sessions:");
608 vlib_cli_output (vm, " total: %u (timed out: %u)", other.total,
613 static clib_error_t *
614 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
615 vlib_cli_command_t * cmd)
617 snat_main_t *sm = &snat_main;
620 vlib_cli_output (vm, "NAT44 pool addresses:");
621 vec_foreach (ap, sm->addresses)
623 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
624 if (ap->fib_index != ~0)
626 vm, " tenant VRF: %u",
627 fib_table_get (ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
629 vlib_cli_output (vm, " tenant VRF independent");
631 if (ap->addr_len != ~0)
632 vlib_cli_output (vm, " synced with interface address");
634 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
635 vec_foreach (ap, sm->twice_nat_addresses)
637 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
638 if (ap->fib_index != ~0)
639 vlib_cli_output (vm, " tenant VRF: %u",
640 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
642 vlib_cli_output (vm, " tenant VRF independent");
644 if (ap->addr_len != ~0)
645 vlib_cli_output (vm, " synced with interface address");
650 static clib_error_t *
651 snat_feature_command_fn (vlib_main_t * vm,
652 unformat_input_t * input, vlib_cli_command_t * cmd)
654 unformat_input_t _line_input, *line_input = &_line_input;
655 vnet_main_t *vnm = vnet_get_main ();
656 clib_error_t *error = 0;
658 u32 *inside_sw_if_indices = 0;
659 u32 *outside_sw_if_indices = 0;
660 u8 is_output_feature = 0;
661 int i, rv, is_del = 0;
665 /* Get a line of input. */
666 if (!unformat_user (input, unformat_line_input, line_input))
667 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
669 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
671 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
673 vec_add1 (inside_sw_if_indices, sw_if_index);
674 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
676 vec_add1 (outside_sw_if_indices, sw_if_index);
677 else if (unformat (line_input, "output-feature"))
678 is_output_feature = 1;
679 else if (unformat (line_input, "del"))
683 error = clib_error_return (0, "unknown input '%U'",
684 format_unformat_error, line_input);
689 if (vec_len (inside_sw_if_indices))
691 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
693 sw_if_index = inside_sw_if_indices[i];
694 if (is_output_feature)
698 rv = nat44_ed_del_output_interface (sw_if_index);
702 rv = nat44_ed_add_output_interface (sw_if_index);
706 error = clib_error_return (0, "%s %U failed",
707 is_del ? "del" : "add",
708 format_vnet_sw_if_index_name,
717 rv = nat44_ed_del_interface (sw_if_index, 1);
721 rv = nat44_ed_add_interface (sw_if_index, 1);
725 error = clib_error_return (0, "%s %U failed",
726 is_del ? "del" : "add",
727 format_vnet_sw_if_index_name,
735 if (vec_len (outside_sw_if_indices))
737 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
739 sw_if_index = outside_sw_if_indices[i];
740 if (is_output_feature)
744 rv = nat44_ed_del_output_interface (sw_if_index);
748 rv = nat44_ed_add_output_interface (sw_if_index);
752 error = clib_error_return (0, "%s %U failed",
753 is_del ? "del" : "add",
754 format_vnet_sw_if_index_name,
763 rv = nat44_ed_del_interface (sw_if_index, 0);
767 rv = nat44_ed_add_interface (sw_if_index, 0);
771 error = clib_error_return (0, "%s %U failed",
772 is_del ? "del" : "add",
773 format_vnet_sw_if_index_name,
782 unformat_free (line_input);
783 vec_free (inside_sw_if_indices);
784 vec_free (outside_sw_if_indices);
789 static clib_error_t *
790 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
791 vlib_cli_command_t * cmd)
793 snat_main_t *sm = &snat_main;
795 vnet_main_t *vnm = vnet_get_main ();
797 vlib_cli_output (vm, "NAT44 interfaces:");
798 pool_foreach (i, sm->interfaces)
800 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
802 (nat44_ed_is_interface_inside (i) &&
803 nat44_ed_is_interface_outside (i)) ?
805 (nat44_ed_is_interface_inside (i) ? "in" : "out"));
808 pool_foreach (i, sm->output_feature_interfaces)
810 vlib_cli_output (vm, " %U output-feature %s",
811 format_vnet_sw_if_index_name, vnm, i->sw_if_index,
812 (nat44_ed_is_interface_inside (i) &&
813 nat44_ed_is_interface_outside (i)) ?
815 (nat44_ed_is_interface_inside (i) ? "in" : "out"));
821 static clib_error_t *
822 add_static_mapping_command_fn (vlib_main_t * vm,
823 unformat_input_t * input,
824 vlib_cli_command_t * cmd)
826 unformat_input_t _line_input, *line_input = &_line_input;
827 vnet_main_t *vnm = vnet_get_main ();
828 clib_error_t *error = 0;
829 ip4_address_t l_addr, e_addr, pool_addr;
830 u32 l_port = 0, e_port = 0, vrf_id = ~0;
831 u8 l_port_set = 0, e_port_set = 0;
834 u32 sw_if_index = ~0;
835 ip_protocol_t proto = 0;
837 if (!unformat_user (input, unformat_line_input, line_input))
838 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
840 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
842 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
848 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
850 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
855 else if (unformat (line_input, "external %U", unformat_ip4_address,
858 else if (unformat (line_input, "external %U %u",
859 unformat_vnet_sw_interface, vnm, &sw_if_index,
862 flags |= NAT_SM_FLAG_SWITCH_ADDRESS;
865 else if (unformat (line_input, "external %U",
866 unformat_vnet_sw_interface, vnm, &sw_if_index))
868 flags |= NAT_SM_FLAG_SWITCH_ADDRESS;
870 else if (unformat (line_input, "exact %U", unformat_ip4_address,
873 flags |= NAT_SM_FLAG_EXACT_ADDRESS;
875 else if (unformat (line_input, "vrf %u", &vrf_id))
877 else if (unformat (line_input, "%U", unformat_ip_protocol, &proto))
879 else if (unformat (line_input, "self-twice-nat"))
881 flags |= NAT_SM_FLAG_SELF_TWICE_NAT;
883 else if (unformat (line_input, "twice-nat"))
885 flags |= NAT_SM_FLAG_TWICE_NAT;
887 else if (unformat (line_input, "out2in-only"))
889 flags |= NAT_SM_FLAG_OUT2IN_ONLY;
891 else if (unformat (line_input, "del"))
897 error = clib_error_return (0, "unknown input: '%U'",
898 format_unformat_error, line_input);
903 if (l_port_set != e_port_set)
905 error = clib_error_return (0, "Either both ports are set or none.");
911 flags |= NAT_SM_FLAG_ADDR_ONLY;
915 l_port = clib_host_to_net_u16 (l_port);
916 e_port = clib_host_to_net_u16 (e_port);
919 // TODO: specific pool_addr for both pool & twice nat pool ?
924 nat44_ed_add_static_mapping (l_addr, e_addr, l_port, e_port, proto,
925 vrf_id, sw_if_index, flags, pool_addr, 0);
929 rv = nat44_ed_del_static_mapping (l_addr, e_addr, l_port, e_port, proto,
930 vrf_id, sw_if_index, flags);
937 case VNET_API_ERROR_INVALID_VALUE:
938 error = clib_error_return (0, "External port already in use.");
940 case VNET_API_ERROR_NO_SUCH_ENTRY:
942 error = clib_error_return (0, "External address must be allocated.");
944 error = clib_error_return (0, "Mapping not exist.");
946 case VNET_API_ERROR_NO_SUCH_FIB:
947 error = clib_error_return (0, "No such VRF id.");
949 case VNET_API_ERROR_VALUE_EXIST:
950 error = clib_error_return (0, "Mapping already exist.");
957 unformat_free (line_input);
962 // TODO: either delete this bullshit or update it
963 static clib_error_t *
964 add_identity_mapping_command_fn (vlib_main_t * vm,
965 unformat_input_t * input,
966 vlib_cli_command_t * cmd)
968 unformat_input_t _line_input, *line_input = &_line_input;
969 vnet_main_t *vnm = vnet_get_main ();
970 clib_error_t *error = 0;
972 int rv, is_add = 1, port_set = 0;
973 u32 sw_if_index, port, flags, vrf_id = ~0;
974 ip_protocol_t proto = 0;
977 flags = NAT_SM_FLAG_IDENTITY_NAT;
979 /* Get a line of input. */
980 if (!unformat_user (input, unformat_line_input, line_input))
981 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
983 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
985 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
987 else if (unformat (line_input, "external %U",
988 unformat_vnet_sw_interface, vnm, &sw_if_index))
990 flags |= NAT_SM_FLAG_SWITCH_ADDRESS;
992 else if (unformat (line_input, "vrf %u", &vrf_id))
994 else if (unformat (line_input, "%U %u", unformat_ip_protocol, &proto,
999 else if (unformat (line_input, "del"))
1005 error = clib_error_return (0, "unknown input: '%U'",
1006 format_unformat_error, line_input);
1013 flags |= NAT_SM_FLAG_ADDR_ONLY;
1017 port = clib_host_to_net_u16 (port);
1023 rv = nat44_ed_add_static_mapping (addr, addr, port, port, proto, vrf_id,
1024 sw_if_index, flags, addr, 0);
1028 rv = nat44_ed_del_static_mapping (addr, addr, port, port, proto, vrf_id,
1029 sw_if_index, flags);
1032 // TODO: fix returns
1036 case VNET_API_ERROR_INVALID_VALUE:
1037 error = clib_error_return (0, "External port already in use.");
1039 case VNET_API_ERROR_NO_SUCH_ENTRY:
1041 error = clib_error_return (0, "External address must be allocated.");
1043 error = clib_error_return (0, "Mapping not exist.");
1045 case VNET_API_ERROR_NO_SUCH_FIB:
1046 error = clib_error_return (0, "No such VRF id.");
1048 case VNET_API_ERROR_VALUE_EXIST:
1049 error = clib_error_return (0, "Mapping already exist.");
1056 unformat_free (line_input);
1061 static clib_error_t *
1062 add_lb_static_mapping_command_fn (vlib_main_t * vm,
1063 unformat_input_t * input,
1064 vlib_cli_command_t * cmd)
1066 unformat_input_t _line_input, *line_input = &_line_input;
1067 clib_error_t *error = 0;
1068 ip4_address_t l_addr, e_addr;
1069 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
1071 ip_protocol_t proto;
1072 nat44_lb_addr_port_t *locals = 0, local;
1076 /* Get a line of input. */
1077 if (!unformat_user (input, unformat_line_input, line_input))
1078 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1080 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1082 if (unformat (line_input, "local %U:%u probability %u",
1083 unformat_ip4_address, &l_addr, &l_port, &probability))
1085 clib_memset (&local, 0, sizeof (local));
1086 local.addr = l_addr;
1087 local.port = (u16) l_port;
1088 local.probability = (u8) probability;
1089 vec_add1 (locals, local);
1091 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1092 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1095 clib_memset (&local, 0, sizeof (local));
1096 local.addr = l_addr;
1097 local.port = (u16) l_port;
1098 local.probability = (u8) probability;
1099 local.vrf_id = vrf_id;
1100 vec_add1 (locals, local);
1102 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1105 else if (unformat (line_input, "protocol %U", unformat_ip_protocol,
1110 else if (unformat (line_input, "twice-nat"))
1112 flags |= NAT_SM_FLAG_TWICE_NAT;
1114 else if (unformat (line_input, "self-twice-nat"))
1116 flags |= NAT_SM_FLAG_SELF_TWICE_NAT;
1118 else if (unformat (line_input, "out2in-only"))
1120 flags |= NAT_SM_FLAG_OUT2IN_ONLY;
1122 else if (unformat (line_input, "del"))
1126 else if (unformat (line_input, "affinity %u", &affinity))
1130 error = clib_error_return (0, "unknown input: '%U'",
1131 format_unformat_error, line_input);
1136 if (vec_len (locals) < 2)
1138 error = clib_error_return (0, "at least two local must be set");
1144 error = clib_error_return (0, "missing protocol");
1150 rv = nat44_ed_add_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
1151 flags, 0, affinity);
1155 rv = nat44_ed_del_lb_static_mapping (e_addr, (u16) e_port, proto, flags);
1160 case VNET_API_ERROR_INVALID_VALUE:
1161 error = clib_error_return (0, "External port already in use.");
1163 case VNET_API_ERROR_NO_SUCH_ENTRY:
1165 error = clib_error_return (0, "External address must be allocated.");
1167 error = clib_error_return (0, "Mapping not exist.");
1169 case VNET_API_ERROR_VALUE_EXIST:
1170 error = clib_error_return (0, "Mapping already exist.");
1177 unformat_free (line_input);
1183 static clib_error_t *
1184 add_lb_backend_command_fn (vlib_main_t * vm,
1185 unformat_input_t * input, vlib_cli_command_t * cmd)
1187 unformat_input_t _line_input, *line_input = &_line_input;
1188 clib_error_t *error = 0;
1189 ip4_address_t l_addr, e_addr;
1190 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
1193 ip_protocol_t proto;
1196 /* Get a line of input. */
1197 if (!unformat_user (input, unformat_line_input, line_input))
1198 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1200 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1202 if (unformat (line_input, "local %U:%u probability %u",
1203 unformat_ip4_address, &l_addr, &l_port, &probability))
1205 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1206 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1209 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1212 else if (unformat (line_input, "protocol %U", unformat_ip_protocol,
1215 else if (unformat (line_input, "del"))
1219 error = clib_error_return (0, "unknown input: '%U'",
1220 format_unformat_error, line_input);
1225 if (!l_port || !e_port)
1227 error = clib_error_return (0, "local or external must be set");
1233 error = clib_error_return (0, "missing protocol");
1237 rv = nat44_ed_add_del_lb_static_mapping_local (
1238 e_addr, (u16) e_port, l_addr, l_port, proto, vrf_id, probability, is_add);
1242 case VNET_API_ERROR_INVALID_VALUE:
1243 error = clib_error_return (0, "External is not load-balancing static "
1246 case VNET_API_ERROR_NO_SUCH_ENTRY:
1247 error = clib_error_return (0, "Mapping or back-end not exist.");
1249 case VNET_API_ERROR_VALUE_EXIST:
1250 error = clib_error_return (0, "Back-end already exist.");
1252 case VNET_API_ERROR_UNSPECIFIED:
1253 error = clib_error_return (0, "At least two back-ends must remain");
1260 unformat_free (line_input);
1265 static clib_error_t *
1266 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
1267 unformat_input_t * input,
1268 vlib_cli_command_t * cmd)
1270 snat_main_t *sm = &snat_main;
1271 snat_static_mapping_t *m;
1272 snat_static_mapping_resolve_t *rp;
1274 vlib_cli_output (vm, "NAT44 static mappings:");
1275 pool_foreach (m, sm->static_mappings)
1277 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
1279 vec_foreach (rp, sm->sm_to_resolve)
1280 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
1285 static clib_error_t *
1286 snat_add_interface_address_command_fn (vlib_main_t * vm,
1287 unformat_input_t * input,
1288 vlib_cli_command_t * cmd)
1290 unformat_input_t _line_input, *line_input = &_line_input;
1291 snat_main_t *sm = &snat_main;
1292 clib_error_t *error = 0;
1297 if (!unformat_user (input, unformat_line_input, line_input))
1298 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1300 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1302 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
1303 sm->vnet_main, &sw_if_index))
1305 else if (unformat (line_input, "twice-nat"))
1309 else if (unformat (line_input, "del"))
1315 error = clib_error_return (0, "unknown input '%U'",
1316 format_unformat_error, line_input);
1323 rv = nat44_ed_add_interface_address (sw_if_index, twice_nat);
1326 error = clib_error_return (0, "add address returned %d", rv);
1331 rv = nat44_ed_del_interface_address (sw_if_index, twice_nat);
1334 error = clib_error_return (0, "del address returned %d", rv);
1339 unformat_free (line_input);
1344 static clib_error_t *
1345 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1346 unformat_input_t * input,
1347 vlib_cli_command_t * cmd)
1349 snat_main_t *sm = &snat_main;
1350 vnet_main_t *vnm = vnet_get_main ();
1351 snat_address_resolve_t *ap;
1353 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1354 vec_foreach (ap, sm->addr_to_resolve)
1356 vlib_cli_output (vm, " %U%s", format_vnet_sw_if_index_name, vnm,
1357 ap->sw_if_index, ap->is_twice_nat ? " twice-nat" : "");
1362 static clib_error_t *
1363 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1364 vlib_cli_command_t * cmd)
1366 unformat_input_t _line_input, *line_input = &_line_input;
1367 clib_error_t *error = 0;
1368 snat_main_per_thread_data_t *tsm;
1369 snat_main_t *sm = &snat_main;
1370 ip4_address_t i2o_sa, i2o_da, o2i_sa, o2i_da;
1371 u8 filter_i2o_sa = 0, filter_i2o_da = 0;
1372 u8 filter_o2i_sa = 0, filter_o2i_da = 0;
1373 u16 i2o_sp, i2o_dp, o2i_sp, o2i_dp;
1374 u8 filter_i2o_sp = 0, filter_i2o_dp = 0;
1375 u8 filter_o2i_sp = 0, filter_o2i_dp = 0;
1376 ip_protocol_t proto;
1377 u8 filter_proto = 0;
1378 u8 had_input = 1, filtering = 0;
1379 int i = 0, showed_sessions;
1381 if (!unformat_user (input, unformat_line_input, line_input))
1387 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1389 if (unformat (line_input, "filter i2o saddr %U", unformat_ip4_address,
1391 filter_i2o_sa = filtering = 1;
1392 else if (unformat (line_input, "filter i2o daddr %U",
1393 unformat_ip4_address, &i2o_da))
1394 filter_i2o_da = filtering = 1;
1395 else if (unformat (line_input, "filter o2i saddr %U",
1396 unformat_ip4_address, &o2i_sa))
1397 filter_o2i_sa = filtering = 1;
1398 else if (unformat (line_input, "filter o2i daddr %U",
1399 unformat_ip4_address, &o2i_da))
1400 filter_o2i_da = filtering = 1;
1401 else if (unformat (line_input, "filter i2o sport %u", &i2o_sp))
1402 filter_i2o_sp = filtering = 1;
1403 else if (unformat (line_input, "filter i2o dport %u", &i2o_dp))
1404 filter_i2o_dp = filtering = 1;
1405 else if (unformat (line_input, "filter o2i sport %u", &o2i_sp))
1406 filter_o2i_sp = filtering = 1;
1407 else if (unformat (line_input, "filter o2i dport %u", &o2i_dp))
1408 filter_o2i_dp = filtering = 1;
1409 else if (unformat (line_input, "filter i2o proto %U",
1410 unformat_ip_protocol, &proto))
1411 filter_proto = filtering = 1;
1412 else if (unformat (line_input, "filter o2i proto %U",
1413 unformat_ip_protocol, &proto))
1414 filter_proto = filtering = 1;
1417 error = clib_error_return (0, "unknown input '%U'",
1418 format_unformat_error, line_input);
1424 vlib_cli_output (vm, "NAT44 ED sessions:");
1426 vec_foreach_index (i, sm->per_thread_data)
1428 tsm = vec_elt_at_index (sm->per_thread_data, i);
1430 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1431 i, vlib_worker_threads[i].name,
1432 pool_elts (tsm->sessions));
1434 showed_sessions = 0;
1436 pool_foreach (s, tsm->sessions)
1440 if (filter_i2o_sa && i2o_sa.as_u32 != s->i2o.match.saddr.as_u32)
1442 if (filter_i2o_da && i2o_da.as_u32 != s->i2o.match.daddr.as_u32)
1444 if (filter_o2i_sa && o2i_sa.as_u32 != s->o2i.match.saddr.as_u32)
1446 if (filter_o2i_da && o2i_da.as_u32 != s->o2i.match.daddr.as_u32)
1448 if (filter_i2o_sp &&
1449 i2o_sp != clib_net_to_host_u16 (s->i2o.match.sport))
1451 if (filter_i2o_dp &&
1452 i2o_dp != clib_net_to_host_u16 (s->i2o.match.dport))
1454 if (filter_o2i_sp &&
1455 o2i_sp != clib_net_to_host_u16 (s->o2i.match.sport))
1457 if (filter_o2i_dp &&
1458 o2i_dp != clib_net_to_host_u16 (s->o2i.match.dport))
1460 if (filter_proto && proto != s->proto)
1464 vlib_cli_output (vm, " %U\n", format_snat_session, sm, tsm, s,
1465 vlib_time_now (vm));
1469 vlib_cli_output (vm,
1470 "Showed: %d, Filtered: %d of total %d "
1471 "sessions of thread %d\n\n",
1473 pool_elts (tsm->sessions) - showed_sessions,
1474 pool_elts (tsm->sessions), i);
1480 unformat_free (line_input);
1484 static clib_error_t *
1485 nat44_set_session_limit_command_fn (vlib_main_t * vm,
1486 unformat_input_t * input,
1487 vlib_cli_command_t * cmd)
1489 unformat_input_t _line_input, *line_input = &_line_input;
1490 clib_error_t *error = 0;
1492 u32 session_limit = 0, vrf_id = 0;
1494 if (!unformat_user (input, unformat_line_input, line_input))
1495 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1497 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1499 if (unformat (line_input, "%u", &session_limit))
1501 else if (unformat (line_input, "vrf %u", &vrf_id))
1505 error = clib_error_return (0, "unknown input '%U'",
1506 format_unformat_error, line_input);
1512 error = clib_error_return (0, "missing value of session limit");
1513 else if (nat44_update_session_limit (session_limit, vrf_id))
1514 error = clib_error_return (0, "nat44_set_session_limit failed");
1517 unformat_free (line_input);
1522 static clib_error_t *
1523 nat44_del_session_command_fn (vlib_main_t * vm,
1524 unformat_input_t * input,
1525 vlib_cli_command_t * cmd)
1527 snat_main_t *sm = &snat_main;
1528 unformat_input_t _line_input, *line_input = &_line_input;
1529 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1530 clib_error_t *error = 0;
1531 ip4_address_t addr, eh_addr;
1532 ip_protocol_t proto;
1536 if (!unformat_user (input, unformat_line_input, line_input))
1537 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1539 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1541 if (unformat (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1542 unformat_ip_protocol, &proto))
1544 else if (unformat (line_input, "in"))
1547 vrf_id = sm->inside_vrf_id;
1549 else if (unformat (line_input, "out"))
1552 vrf_id = sm->outside_vrf_id;
1554 else if (unformat (line_input, "vrf %u", &vrf_id))
1556 else if (unformat (line_input, "external-host %U:%u",
1557 unformat_ip4_address, &eh_addr, &eh_port))
1561 error = clib_error_return (0, "unknown input '%U'",
1562 format_unformat_error, line_input);
1567 rv = nat44_ed_del_session (sm, &addr, clib_host_to_net_u16 (port), &eh_addr,
1568 clib_host_to_net_u16 (eh_port), proto, vrf_id,
1577 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1582 unformat_free (line_input);
1587 static clib_error_t *
1588 snat_forwarding_set_command_fn (vlib_main_t * vm,
1589 unformat_input_t * input,
1590 vlib_cli_command_t * cmd)
1592 snat_main_t *sm = &snat_main;
1593 unformat_input_t _line_input, *line_input = &_line_input;
1594 clib_error_t *error = 0;
1596 u8 enable_set = 0, enable = 0;
1598 if (!unformat_user (input, unformat_line_input, line_input))
1599 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1601 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1606 if (unformat (line_input, "disable"))
1608 else if (unformat (line_input, "enable"))
1613 error = clib_error_return (0, "unknown input '%U'",
1614 format_unformat_error, line_input);
1620 error = clib_error_return (0, "expected enable | disable");
1622 sm->forwarding_enabled = enable;
1625 unformat_free (line_input);
1629 static clib_error_t *
1630 set_timeout_command_fn (vlib_main_t * vm,
1631 unformat_input_t * input, vlib_cli_command_t * cmd)
1633 snat_main_t *sm = &snat_main;
1634 unformat_input_t _line_input, *line_input = &_line_input;
1635 clib_error_t *error = 0;
1637 if (!unformat_user (input, unformat_line_input, line_input))
1638 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1640 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1642 if (unformat (line_input, "udp %u", &sm->timeouts.udp));
1643 else if (unformat (line_input, "tcp-established %u",
1644 &sm->timeouts.tcp.established));
1645 else if (unformat (line_input, "tcp-transitory %u",
1646 &sm->timeouts.tcp.transitory));
1647 else if (unformat (line_input, "icmp %u", &sm->timeouts.icmp));
1648 else if (unformat (line_input, "reset"))
1649 nat_reset_timeouts (&sm->timeouts);
1652 error = clib_error_return (0, "unknown input '%U'",
1653 format_unformat_error, line_input);
1658 unformat_free (line_input);
1662 static clib_error_t *
1663 nat_show_timeouts_command_fn (vlib_main_t * vm,
1664 unformat_input_t * input,
1665 vlib_cli_command_t * cmd)
1667 snat_main_t *sm = &snat_main;
1669 vlib_cli_output (vm, "udp timeout: %dsec", sm->timeouts.udp);
1670 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1671 sm->timeouts.tcp.established);
1672 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1673 sm->timeouts.tcp.transitory);
1674 vlib_cli_output (vm, "icmp timeout: %dsec", sm->timeouts.icmp);
1679 static clib_error_t *
1680 set_frame_queue_nelts_command_fn (vlib_main_t *vm, unformat_input_t *input,
1681 vlib_cli_command_t *cmd)
1683 unformat_input_t _line_input, *line_input = &_line_input;
1684 clib_error_t *error = 0;
1685 u32 frame_queue_nelts = 0;
1687 if (!unformat_user (input, unformat_line_input, line_input))
1688 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1690 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1692 if (unformat (line_input, "%u", &frame_queue_nelts))
1696 error = clib_error_return (0, "unknown input '%U'",
1697 format_unformat_error, line_input);
1701 if (!frame_queue_nelts)
1703 error = clib_error_return (0, "frame_queue_nelts cannot be zero");
1706 if (nat44_ed_set_frame_queue_nelts (frame_queue_nelts) != 0)
1708 error = clib_error_return (0, "snat_set_frame_queue_nelts failed");
1712 unformat_free (line_input);
1718 * @cliexstart{nat44}
1719 * Enable nat44 plugin
1720 * To enable nat44-ed, use:
1722 * To disable nat44-ed, use:
1723 * vpp# nat44 disable
1724 * To set inside-vrf outside-vrf, use:
1725 * vpp# nat44 enable inside-vrf <id> outside-vrf <id>
1728 VLIB_CLI_COMMAND (nat44_ed_enable_disable_command, static) = {
1730 .short_help = "nat44 <enable [sessions <max-number>] [inside-vrf <vrf-id>] "
1731 "[outside-vrf <vrf-id>]>|disable",
1732 .function = nat44_ed_enable_disable_command_fn,
1737 * @cliexstart{set snat workers}
1738 * Set NAT workers if 2 or more workers available, use:
1739 * vpp# set snat workers 0-2,5
1742 VLIB_CLI_COMMAND (set_workers_command, static) = {
1743 .path = "set nat workers",
1744 .function = set_workers_command_fn,
1745 .short_help = "set nat workers <workers-list>",
1750 * @cliexstart{show nat workers}
1752 * vpp# show nat workers:
1758 VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
1759 .path = "show nat workers",
1760 .short_help = "show nat workers",
1761 .function = nat_show_workers_command_fn,
1766 * @cliexstart{set nat timeout}
1767 * Set values of timeouts for NAT sessions (in seconds), use:
1768 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
1769 * To reset default values use:
1770 * vpp# set nat timeout reset
1773 VLIB_CLI_COMMAND (set_timeout_command, static) = {
1774 .path = "set nat timeout",
1775 .function = set_timeout_command_fn,
1777 "set nat timeout [udp <sec> | tcp-established <sec> "
1778 "tcp-transitory <sec> | icmp <sec> | reset]",
1783 * @cliexstart{show nat timeouts}
1784 * Show values of timeouts for NAT sessions.
1785 * vpp# show nat timeouts
1786 * udp timeout: 300sec
1787 * tcp-established timeout: 7440sec
1788 * tcp-transitory timeout: 240sec
1789 * icmp timeout: 60sec
1792 VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
1793 .path = "show nat timeouts",
1794 .short_help = "show nat timeouts",
1795 .function = nat_show_timeouts_command_fn,
1800 * @cliexstart{set nat frame-queue-nelts}
1801 * Set number of worker handoff frame queue elements.
1804 VLIB_CLI_COMMAND (set_frame_queue_nelts_command, static) = {
1805 .path = "set nat frame-queue-nelts",
1806 .function = set_frame_queue_nelts_command_fn,
1807 .short_help = "set nat frame-queue-nelts <number>",
1812 * @cliexstart{nat set logging level}
1813 * To set NAT logging level use:
1814 * Set nat logging level
1817 VLIB_CLI_COMMAND (snat_set_log_level_command, static) = {
1818 .path = "nat set logging level",
1819 .function = snat_set_log_level_command_fn,
1820 .short_help = "nat set logging level <level>",
1825 * @cliexstart{snat ipfix logging}
1826 * To enable NAT IPFIX logging use:
1827 * vpp# nat ipfix logging
1828 * To set IPFIX exporter use:
1829 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
1832 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
1833 .path = "nat ipfix logging",
1834 .function = snat_ipfix_logging_enable_disable_command_fn,
1835 .short_help = "nat ipfix logging disable|<enable [domain <domain-id>] "
1836 "[src-port <port>]>",
1841 * @cliexstart{nat mss-clamping}
1842 * Set TCP MSS rewriting configuration
1843 * To enable TCP MSS rewriting use:
1844 * vpp# nat mss-clamping 1452
1845 * To disbale TCP MSS rewriting use:
1846 * vpp# nat mss-clamping disable
1849 VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
1850 .path = "nat mss-clamping",
1851 .short_help = "nat mss-clamping <mss-value>|disable",
1852 .function = nat_set_mss_clamping_command_fn,
1857 * @cliexstart{show nat mss-clamping}
1858 * Show TCP MSS rewriting configuration
1861 VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
1862 .path = "show nat mss-clamping",
1863 .short_help = "show nat mss-clamping",
1864 .function = nat_show_mss_clamping_command_fn,
1869 * @cliexstart{show nat44 hash tables}
1870 * Show NAT44 hash tables
1873 VLIB_CLI_COMMAND (nat44_show_hash, static) = {
1874 .path = "show nat44 hash tables",
1875 .short_help = "show nat44 hash tables [detail|verbose]",
1876 .function = nat44_show_hash_command_fn,
1881 * @cliexstart{nat44 add address}
1882 * Add/delete NAT44 pool address.
1883 * To add NAT44 pool address use:
1884 * vpp# nat44 add address 172.16.1.3
1885 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
1886 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
1887 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
1890 VLIB_CLI_COMMAND (add_address_command, static) = {
1891 .path = "nat44 add address",
1892 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
1893 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
1894 .function = add_address_command_fn,
1899 * @cliexstart{show nat44 summary}
1900 * Show NAT44 summary
1901 * vpp# show nat44 summary
1904 VLIB_CLI_COMMAND (nat44_show_summary_command, static) = {
1905 .path = "show nat44 summary",
1906 .short_help = "show nat44 summary",
1907 .function = nat44_show_summary_command_fn,
1912 * @cliexstart{show nat44 addresses}
1913 * Show NAT44 pool addresses.
1914 * vpp# show nat44 addresses
1915 * NAT44 pool addresses:
1917 * tenant VRF independent
1926 * NAT44 twice-nat pool addresses:
1928 * tenant VRF independent
1934 VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
1935 .path = "show nat44 addresses",
1936 .short_help = "show nat44 addresses",
1937 .function = nat44_show_addresses_command_fn,
1942 * @cliexstart{set interface nat44}
1943 * Enable/disable NAT44 feature on the interface.
1944 * To enable NAT44 feature with local network interface use:
1945 * vpp# set interface nat44 in GigabitEthernet0/8/0
1946 * To enable NAT44 feature with external network interface use:
1947 * vpp# set interface nat44 out GigabitEthernet0/a/0
1950 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
1951 .path = "set interface nat44",
1952 .function = snat_feature_command_fn,
1953 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
1959 * @cliexstart{show nat44 interfaces}
1960 * Show interfaces with NAT44 feature.
1961 * vpp# show nat44 interfaces
1963 * GigabitEthernet0/8/0 in
1964 * GigabitEthernet0/a/0 out
1967 VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
1968 .path = "show nat44 interfaces",
1969 .short_help = "show nat44 interfaces",
1970 .function = nat44_show_interfaces_command_fn,
1975 * @cliexstart{nat44 add static mapping}
1976 * Static mapping allows hosts on the external network to initiate connection
1977 * to to the local network host.
1978 * To create static mapping between local host address 10.0.0.3 port 6303 and
1979 * external address 4.4.4.4 port 3606 for TCP protocol use:
1980 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
1981 * If not runnig "static mapping only" NAT plugin mode use before:
1982 * vpp# nat44 add address 4.4.4.4
1983 * To create address only static mapping between local and external address use:
1984 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
1985 * To create ICMP static mapping between local and external with ICMP echo
1986 * identifier 10 use:
1987 * vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
1988 * To force use of specific pool address, vrf independent
1989 * vpp# nat44 add static mapping local 10.0.0.2 1234 external 10.0.2.2 1234 twice-nat exact 10.0.1.2
1992 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
1993 .path = "nat44 add static mapping",
1994 .function = add_static_mapping_command_fn,
1996 "nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
1997 "external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
1998 "[out2in-only] [exact <pool-addr>] [del]",
2003 * @cliexstart{nat44 add identity mapping}
2004 * Identity mapping translate an IP address to itself.
2005 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
2007 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
2008 * To create identity mapping for address 10.0.0.3 use:
2009 * vpp# nat44 add identity mapping 10.0.0.3
2010 * To create identity mapping for DHCP addressed interface use:
2011 * vpp# nat44 add identity mapping external GigabitEthernet0/a/0 tcp 3606
2014 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
2015 .path = "nat44 add identity mapping",
2016 .function = add_identity_mapping_command_fn,
2017 .short_help = "nat44 add identity mapping <ip4-addr>|external <interface> "
2018 "[<protocol> <port>] [vrf <table-id>] [del]",
2023 * @cliexstart{nat44 add load-balancing static mapping}
2024 * Service load balancing using NAT44
2025 * To add static mapping with load balancing for service with external IP
2026 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
2027 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
2028 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
2031 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
2032 .path = "nat44 add load-balancing static mapping",
2033 .function = add_lb_static_mapping_command_fn,
2035 "nat44 add load-balancing static mapping protocol tcp|udp "
2036 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2037 "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
2038 "[affinity <timeout-seconds>] [del]",
2043 * @cliexstart{nat44 add load-balancing static mapping}
2044 * Modify service load balancing using NAT44
2045 * To add new back-end server 10.100.10.30:8080 for service load balancing
2046 * static mapping with external IP address 1.2.3.4 and TCP port 80 use:
2047 * vpp# nat44 add load-balancing back-end protocol tcp external 1.2.3.4:80 local 10.100.10.30:8080 probability 25
2050 VLIB_CLI_COMMAND (add_lb_backend_command, static) = {
2051 .path = "nat44 add load-balancing back-end",
2052 .function = add_lb_backend_command_fn,
2054 "nat44 add load-balancing back-end protocol tcp|udp "
2055 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2056 "probability <n> [del]",
2061 * @cliexstart{show nat44 static mappings}
2062 * Show NAT44 static mappings.
2063 * vpp# show nat44 static mappings
2064 * NAT44 static mappings:
2065 * local 10.0.0.3 external 4.4.4.4 vrf 0
2066 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
2067 * tcp vrf 0 external 1.2.3.4:80 out2in-only
2068 * local 10.100.10.10:8080 probability 80
2069 * local 10.100.10.20:8080 probability 20
2070 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
2071 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
2074 VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
2075 .path = "show nat44 static mappings",
2076 .short_help = "show nat44 static mappings",
2077 .function = nat44_show_static_mappings_command_fn,
2082 * @cliexstart{nat44 add interface address}
2083 * Use NAT44 pool address from specific interfce
2084 * To add NAT44 pool address from specific interface use:
2085 * vpp# nat44 add interface address GigabitEthernet0/8/0
2088 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2089 .path = "nat44 add interface address",
2090 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
2091 .function = snat_add_interface_address_command_fn,
2096 * @cliexstart{show nat44 interface address}
2097 * Show NAT44 pool address interfaces
2098 * vpp# show nat44 interface address
2099 * NAT44 pool address interfaces:
2100 * GigabitEthernet0/a/0
2101 * NAT44 twice-nat pool address interfaces:
2102 * GigabitEthernet0/8/0
2105 VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
2106 .path = "show nat44 interface address",
2107 .short_help = "show nat44 interface address",
2108 .function = nat44_show_interface_address_command_fn,
2113 * @cliexstart{show nat44 sessions}
2114 * Show NAT44 sessions.
2117 VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
2118 .path = "show nat44 sessions",
2119 .short_help = "show nat44 sessions [filter {i2o | o2i} {saddr <ip4-addr> "
2120 "| sport <n> | daddr <ip4-addr> | dport <n> | proto <proto>} "
2121 "[filter .. [..]]]",
2122 .function = nat44_show_sessions_command_fn,
2127 * @cliexstart{set nat44 session limit}
2128 * Set NAT44 session limit.
2131 VLIB_CLI_COMMAND (nat44_set_session_limit_command, static) = {
2132 .path = "set nat44 session limit",
2133 .short_help = "set nat44 session limit <limit> [vrf <table-id>]",
2134 .function = nat44_set_session_limit_command_fn,
2139 * @cliexstart{nat44 del session}
2140 * To administratively delete NAT44 session by inside address and port use:
2141 * vpp# nat44 del session in 10.0.0.3:6303 tcp
2142 * To administratively delete NAT44 session by outside address and port use:
2143 * vpp# nat44 del session out 1.0.0.3:6033 udp
2146 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
2147 .path = "nat44 del session",
2148 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
2149 .function = nat44_del_session_command_fn,
2154 * @cliexstart{nat44 forwarding}
2155 * Enable or disable forwarding
2156 * Forward packets which don't match existing translation
2157 * or static mapping instead of dropping them.
2158 * To enable forwarding, use:
2159 * vpp# nat44 forwarding enable
2160 * To disable forwarding, use:
2161 * vpp# nat44 forwarding disable
2164 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
2165 .path = "nat44 forwarding",
2166 .short_help = "nat44 forwarding enable|disable",
2167 .function = snat_forwarding_set_command_fn,
2171 * fd.io coding-style-patch-verification: ON
2174 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob