2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
20 #include <vnet/fib/fib_table.h>
22 #include <nat/lib/log.h>
23 #include <nat/lib/nat_inlines.h>
24 #include <nat/lib/ipfix_logging.h>
26 #include <nat/nat44-ed/nat44_ed.h>
27 #include <nat/nat44-ed/nat44_ed_inlines.h>
28 #include <nat/nat44-ed/nat44_ed_affinity.h>
30 #define NAT44_ED_EXPECTED_ARGUMENT "expected required argument(s)"
33 nat44_ed_enable_disable_command_fn (vlib_main_t *vm, unformat_input_t *input,
34 vlib_cli_command_t *cmd)
36 snat_main_t *sm = &snat_main;
37 unformat_input_t _line_input, *line_input = &_line_input;
38 clib_error_t *error = 0;
40 nat44_config_t c = { 0 };
41 u8 enable_set = 0, enable = 0, mode_set = 0;
43 if (!unformat_user (input, unformat_line_input, line_input))
44 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
46 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
48 if (!mode_set && unformat (line_input, "static-mapping-only"))
51 c.static_mapping_only = 1;
52 if (unformat (line_input, "connection-tracking"))
54 c.connection_tracking = 1;
57 else if (unformat (line_input, "inside-vrf %u", &c.inside_vrf));
58 else if (unformat (line_input, "outside-vrf %u", &c.outside_vrf));
59 else if (unformat (line_input, "sessions %u", &c.sessions));
63 if (unformat (line_input, "disable"))
65 else if (unformat (line_input, "enable"))
70 error = clib_error_return (0, "unknown input '%U'",
71 format_unformat_error, line_input);
78 error = clib_error_return (0, "expected enable | disable");
86 error = clib_error_return (0, "already enabled");
90 if (nat44_plugin_enable (c) != 0)
91 error = clib_error_return (0, "enable failed");
97 error = clib_error_return (0, "already disabled");
101 if (nat44_plugin_disable () != 0)
102 error = clib_error_return (0, "disable failed");
106 unformat_free (line_input);
110 static clib_error_t *
111 set_workers_command_fn (vlib_main_t * vm,
112 unformat_input_t * input, vlib_cli_command_t * cmd)
114 unformat_input_t _line_input, *line_input = &_line_input;
117 clib_error_t *error = 0;
119 /* Get a line of input. */
120 if (!unformat_user (input, unformat_line_input, line_input))
121 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
123 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
125 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
129 error = clib_error_return (0, "unknown input '%U'",
130 format_unformat_error, line_input);
137 error = clib_error_return (0, "List of workers must be specified.");
141 rv = snat_set_workers (bitmap);
143 clib_bitmap_free (bitmap);
147 case VNET_API_ERROR_INVALID_WORKER:
148 error = clib_error_return (0, "Invalid worker(s).");
150 case VNET_API_ERROR_FEATURE_DISABLED:
151 error = clib_error_return (0,
152 "Supported only if 2 or more workes available.");
159 unformat_free (line_input);
164 static clib_error_t *
165 nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
166 vlib_cli_command_t * cmd)
168 snat_main_t *sm = &snat_main;
171 if (sm->num_workers > 1)
173 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
174 vec_foreach (worker, sm->workers)
176 vlib_worker_thread_t *w =
177 vlib_worker_threads + *worker + sm->first_worker_index;
178 vlib_cli_output (vm, " %s", w->name);
185 static clib_error_t *
186 snat_set_log_level_command_fn (vlib_main_t * vm,
187 unformat_input_t * input,
188 vlib_cli_command_t * cmd)
190 unformat_input_t _line_input, *line_input = &_line_input;
191 snat_main_t *sm = &snat_main;
192 u8 log_level = NAT_LOG_NONE;
193 clib_error_t *error = 0;
195 /* Get a line of input. */
196 if (!unformat_user (input, unformat_line_input, line_input))
197 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
199 if (!unformat (line_input, "%d", &log_level))
201 error = clib_error_return (0, "unknown input '%U'",
202 format_unformat_error, line_input);
205 if (log_level > NAT_LOG_DEBUG)
207 error = clib_error_return (0, "unknown logging level '%d'", log_level);
210 sm->log_level = log_level;
213 unformat_free (line_input);
218 static clib_error_t *
219 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
220 unformat_input_t * input,
221 vlib_cli_command_t * cmd)
223 unformat_input_t _line_input, *line_input = &_line_input;
224 clib_error_t *error = 0;
226 u32 domain_id = 0, src_port = 0;
227 u8 enable_set = 0, enable = 0;
229 if (!unformat_user (input, unformat_line_input, line_input))
230 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
232 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
234 if (unformat (line_input, "domain %d", &domain_id))
236 else if (unformat (line_input, "src-port %d", &src_port))
238 else if (!enable_set)
241 if (unformat (line_input, "disable"))
243 else if (unformat (line_input, "enable"))
248 error = clib_error_return (0, "unknown input '%U'",
249 format_unformat_error, line_input);
256 error = clib_error_return (0, "expected enable | disable");
260 if (nat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port))
262 error = clib_error_return (0, "ipfix logging enable failed");
267 unformat_free (line_input);
272 static clib_error_t *
273 nat44_show_hash_command_fn (vlib_main_t * vm, unformat_input_t * input,
274 vlib_cli_command_t * cmd)
276 snat_main_t *sm = &snat_main;
277 nat_affinity_main_t *nam = &nat_affinity_main;
281 if (unformat (input, "detail"))
283 else if (unformat (input, "verbose"))
286 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->static_mapping_by_local,
288 vlib_cli_output (vm, "%U",
289 format_bihash_8_8, &sm->static_mapping_by_external,
291 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->flow_hash, verbose);
292 vec_foreach_index (i, sm->per_thread_data)
294 vlib_cli_output (vm, "-------- thread %d %s --------\n",
295 i, vlib_worker_threads[i].name);
296 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->flow_hash, verbose);
299 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash,
302 vlib_cli_output (vm, "-------- hash table parameters --------\n");
303 vlib_cli_output (vm, "translation buckets: %u", sm->translation_buckets);
307 static clib_error_t *
308 nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
309 vlib_cli_command_t * cmd)
311 unformat_input_t _line_input, *line_input = &_line_input;
312 snat_main_t *sm = &snat_main;
313 clib_error_t *error = 0;
316 /* Get a line of input. */
317 if (!unformat_user (input, unformat_line_input, line_input))
318 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
320 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
322 if (unformat (line_input, "disable"))
323 sm->mss_clamping = 0;
324 else if (unformat (line_input, "%d", &mss))
325 sm->mss_clamping = (u16) mss;
328 error = clib_error_return (0, "unknown input '%U'",
329 format_unformat_error, line_input);
335 unformat_free (line_input);
340 static clib_error_t *
341 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
342 vlib_cli_command_t * cmd)
344 snat_main_t *sm = &snat_main;
346 if (sm->mss_clamping)
347 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
349 vlib_cli_output (vm, "mss-clamping disabled");
354 static clib_error_t *
355 add_address_command_fn (vlib_main_t * vm,
356 unformat_input_t * input, vlib_cli_command_t * cmd)
358 unformat_input_t _line_input, *line_input = &_line_input;
359 snat_main_t *sm = &snat_main;
360 ip4_address_t start_addr, end_addr, this_addr;
361 u32 start_host_order, end_host_order;
366 clib_error_t *error = 0;
369 /* Get a line of input. */
370 if (!unformat_user (input, unformat_line_input, line_input))
371 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
373 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
375 if (unformat (line_input, "%U - %U",
376 unformat_ip4_address, &start_addr,
377 unformat_ip4_address, &end_addr))
379 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
381 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
382 end_addr = start_addr;
383 else if (unformat (line_input, "twice-nat"))
385 else if (unformat (line_input, "del"))
389 error = clib_error_return (0, "unknown input '%U'",
390 format_unformat_error, line_input);
395 if (sm->static_mapping_only)
397 error = clib_error_return (0, "static mapping only mode");
401 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
402 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
404 if (end_host_order < start_host_order)
406 error = clib_error_return (0, "end address less than start address");
410 count = (end_host_order - start_host_order) + 1;
413 nat_log_info ("%U - %U, %d addresses...",
414 format_ip4_address, &start_addr,
415 format_ip4_address, &end_addr, count);
417 this_addr = start_addr;
419 for (i = 0; i < count; i++)
422 rv = snat_add_address (sm, &this_addr, vrf_id, twice_nat);
424 rv = snat_del_address (sm, this_addr, 0, twice_nat);
428 case VNET_API_ERROR_VALUE_EXIST:
429 error = clib_error_return (0, "NAT address already in use.");
431 case VNET_API_ERROR_NO_SUCH_ENTRY:
432 error = clib_error_return (0, "NAT address not exist.");
434 case VNET_API_ERROR_UNSPECIFIED:
436 clib_error_return (0, "NAT address used in static mapping.");
442 increment_v4_address (&this_addr);
446 unformat_free (line_input);
452 nat44_show_lru_summary (vlib_main_t * vm, snat_main_per_thread_data_t * tsm,
453 u64 now, u64 sess_timeout_time)
455 snat_main_t *sm = &snat_main;
456 dlist_elt_t *oldest_elt;
464 clib_dlist_remove_head (tsm->lru_pool, tsm->n##_lru_head_index); \
465 if (~0 != oldest_index) \
467 oldest_elt = pool_elt_at_index (tsm->lru_pool, oldest_index); \
468 s = pool_elt_at_index (tsm->sessions, oldest_elt->value); \
469 sess_timeout_time = \
470 s->last_heard + (f64) nat44_session_get_timeout (sm, s); \
471 vlib_cli_output (vm, d " LRU min session timeout %llu (now %llu)", \
472 sess_timeout_time, now); \
473 clib_dlist_addhead (tsm->lru_pool, tsm->n##_lru_head_index, \
476 _ (tcp_estab, "established tcp");
477 _ (tcp_trans, "transitory tcp");
479 _ (unk_proto, "unknown protocol");
485 static clib_error_t *
486 nat44_show_summary_command_fn (vlib_main_t * vm, unformat_input_t * input,
487 vlib_cli_command_t * cmd)
489 snat_main_per_thread_data_t *tsm;
490 snat_main_t *sm = &snat_main;
495 u64 now = vlib_time_now (vm);
496 u64 sess_timeout_time = 0;
498 u32 udp_sessions = 0;
499 u32 tcp_sessions = 0;
500 u32 icmp_sessions = 0;
504 u32 transitory_wait_closed = 0;
505 u32 transitory_closed = 0;
510 for (fib = 0; fib < vec_len (sm->max_translations_per_fib); fib++)
511 vlib_cli_output (vm, "max translations per thread: %u fib %u",
512 sm->max_translations_per_fib[fib], fib);
514 if (sm->num_workers > 1)
516 vec_foreach (tsm, sm->per_thread_data)
518 pool_foreach (s, tsm->sessions)
520 sess_timeout_time = s->last_heard +
521 (f64) nat44_session_get_timeout (sm, s);
522 if (now >= sess_timeout_time)
525 switch (s->nat_proto)
527 case NAT_PROTOCOL_ICMP:
530 case NAT_PROTOCOL_TCP:
534 if (s->tcp_closed_timestamp)
536 if (now >= s->tcp_closed_timestamp)
542 ++transitory_wait_closed;
550 case NAT_PROTOCOL_UDP:
556 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
557 count += pool_elts (tsm->sessions);
562 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
563 pool_foreach (s, tsm->sessions)
565 sess_timeout_time = s->last_heard +
566 (f64) nat44_session_get_timeout (sm, s);
567 if (now >= sess_timeout_time)
570 switch (s->nat_proto)
572 case NAT_PROTOCOL_ICMP:
575 case NAT_PROTOCOL_TCP:
579 if (s->tcp_closed_timestamp)
581 if (now >= s->tcp_closed_timestamp)
587 ++transitory_wait_closed;
595 case NAT_PROTOCOL_UDP:
601 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
602 count = pool_elts (tsm->sessions);
605 vlib_cli_output (vm, "total timed out sessions: %u", timed_out);
606 vlib_cli_output (vm, "total sessions: %u", count);
607 vlib_cli_output (vm, "total tcp sessions: %u", tcp_sessions);
608 vlib_cli_output (vm, "total tcp established sessions: %u", established);
609 vlib_cli_output (vm, "total tcp transitory sessions: %u", transitory);
610 vlib_cli_output (vm, "total tcp transitory (WAIT-CLOSED) sessions: %u",
611 transitory_wait_closed);
612 vlib_cli_output (vm, "total tcp transitory (CLOSED) sessions: %u",
614 vlib_cli_output (vm, "total udp sessions: %u", udp_sessions);
615 vlib_cli_output (vm, "total icmp sessions: %u", icmp_sessions);
619 static clib_error_t *
620 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
621 vlib_cli_command_t * cmd)
623 snat_main_t *sm = &snat_main;
626 vlib_cli_output (vm, "NAT44 pool addresses:");
627 vec_foreach (ap, sm->addresses)
629 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
630 if (ap->fib_index != ~0)
631 vlib_cli_output (vm, " tenant VRF: %u",
632 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
634 vlib_cli_output (vm, " tenant VRF independent");
635 #define _(N, i, n, s) \
636 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
640 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
641 vec_foreach (ap, sm->twice_nat_addresses)
643 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
644 if (ap->fib_index != ~0)
645 vlib_cli_output (vm, " tenant VRF: %u",
646 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
648 vlib_cli_output (vm, " tenant VRF independent");
649 #define _(N, i, n, s) \
650 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
657 static clib_error_t *
658 snat_feature_command_fn (vlib_main_t * vm,
659 unformat_input_t * input, vlib_cli_command_t * cmd)
661 unformat_input_t _line_input, *line_input = &_line_input;
662 vnet_main_t *vnm = vnet_get_main ();
663 clib_error_t *error = 0;
665 u32 *inside_sw_if_indices = 0;
666 u32 *outside_sw_if_indices = 0;
667 u8 is_output_feature = 0;
668 int i, rv, is_del = 0;
672 /* Get a line of input. */
673 if (!unformat_user (input, unformat_line_input, line_input))
674 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
676 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
678 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
680 vec_add1 (inside_sw_if_indices, sw_if_index);
681 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
683 vec_add1 (outside_sw_if_indices, sw_if_index);
684 else if (unformat (line_input, "output-feature"))
685 is_output_feature = 1;
686 else if (unformat (line_input, "del"))
690 error = clib_error_return (0, "unknown input '%U'",
691 format_unformat_error, line_input);
696 if (vec_len (inside_sw_if_indices))
698 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
700 sw_if_index = inside_sw_if_indices[i];
701 if (is_output_feature)
705 rv = nat44_ed_del_output_interface (sw_if_index);
709 rv = nat44_ed_add_output_interface (sw_if_index);
713 error = clib_error_return (0, "%s %U failed",
714 is_del ? "del" : "add",
715 format_vnet_sw_if_index_name,
724 rv = nat44_ed_del_interface (sw_if_index, 1);
728 rv = nat44_ed_add_interface (sw_if_index, 1);
732 error = clib_error_return (0, "%s %U failed",
733 is_del ? "del" : "add",
734 format_vnet_sw_if_index_name,
742 if (vec_len (outside_sw_if_indices))
744 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
746 sw_if_index = outside_sw_if_indices[i];
747 if (is_output_feature)
751 rv = nat44_ed_del_output_interface (sw_if_index);
755 rv = nat44_ed_add_output_interface (sw_if_index);
759 error = clib_error_return (0, "%s %U failed",
760 is_del ? "del" : "add",
761 format_vnet_sw_if_index_name,
770 rv = nat44_ed_del_interface (sw_if_index, 0);
774 rv = nat44_ed_add_interface (sw_if_index, 0);
778 error = clib_error_return (0, "%s %U failed",
779 is_del ? "del" : "add",
780 format_vnet_sw_if_index_name,
789 unformat_free (line_input);
790 vec_free (inside_sw_if_indices);
791 vec_free (outside_sw_if_indices);
796 static clib_error_t *
797 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
798 vlib_cli_command_t * cmd)
800 snat_main_t *sm = &snat_main;
802 vnet_main_t *vnm = vnet_get_main ();
804 vlib_cli_output (vm, "NAT44 interfaces:");
805 pool_foreach (i, sm->interfaces)
807 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
809 (nat_interface_is_inside(i) &&
810 nat_interface_is_outside(i)) ? "in out" :
811 (nat_interface_is_inside(i) ? "in" : "out"));
814 pool_foreach (i, sm->output_feature_interfaces)
816 vlib_cli_output (vm, " %U output-feature %s",
817 format_vnet_sw_if_index_name, vnm,
819 (nat_interface_is_inside(i) &&
820 nat_interface_is_outside(i)) ? "in out" :
821 (nat_interface_is_inside(i) ? "in" : "out"));
827 static clib_error_t *
828 add_static_mapping_command_fn (vlib_main_t * vm,
829 unformat_input_t * input,
830 vlib_cli_command_t * cmd)
832 unformat_input_t _line_input, *line_input = &_line_input;
833 vnet_main_t *vnm = vnet_get_main ();
834 clib_error_t *error = 0;
837 nat_protocol_t proto = NAT_PROTOCOL_OTHER;
838 ip4_address_t l_addr, e_addr, pool_addr;
839 u32 l_port = 0, e_port = 0, vrf_id = ~0;
840 u8 l_port_set = 0, e_port_set = 0;
841 u32 sw_if_index, flags = 0;
844 if (!unformat_user (input, unformat_line_input, line_input))
845 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
847 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
849 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
855 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
857 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
862 else if (unformat (line_input, "external %U", unformat_ip4_address,
865 else if (unformat (line_input, "external %U %u",
866 unformat_vnet_sw_interface, vnm, &sw_if_index,
869 flags |= NAT_SM_FLAG_SWITCH_ADDRESS;
872 else if (unformat (line_input, "external %U",
873 unformat_vnet_sw_interface, vnm, &sw_if_index))
875 flags |= NAT_SM_FLAG_SWITCH_ADDRESS;
877 else if (unformat (line_input, "exact %U", unformat_ip4_address,
880 flags |= NAT_SM_FLAG_EXACT_ADDRESS;
882 else if (unformat (line_input, "vrf %u", &vrf_id))
884 else if (unformat (line_input, "%U", unformat_nat_protocol, &proto))
886 else if (unformat (line_input, "self-twice-nat"))
888 flags |= NAT_SM_FLAG_SELF_TWICE_NAT;
890 else if (unformat (line_input, "twice-nat"))
892 flags |= NAT_SM_FLAG_TWICE_NAT;
894 else if (unformat (line_input, "out2in-only"))
896 flags |= NAT_SM_FLAG_OUT2IN_ONLY;
898 else if (unformat (line_input, "del"))
904 error = clib_error_return (0, "unknown input: '%U'",
905 format_unformat_error, line_input);
910 if (l_port_set != e_port_set)
912 error = clib_error_return (0, "Either both ports are set or none.");
918 flags |= NAT_SM_FLAG_ADDR_ONLY;
922 l_port = clib_host_to_net_u16 (l_port);
923 e_port = clib_host_to_net_u16 (e_port);
926 // TODO: specific pool_addr for both pool & twice nat pool ?
931 nat44_ed_add_static_mapping (l_addr, e_addr, l_port, e_port, proto,
932 vrf_id, sw_if_index, flags, pool_addr, 0);
936 rv = nat44_ed_del_static_mapping (l_addr, e_addr, l_port, e_port, proto,
937 vrf_id, sw_if_index, flags);
944 case VNET_API_ERROR_INVALID_VALUE:
945 error = clib_error_return (0, "External port already in use.");
947 case VNET_API_ERROR_NO_SUCH_ENTRY:
949 error = clib_error_return (0, "External address must be allocated.");
951 error = clib_error_return (0, "Mapping not exist.");
953 case VNET_API_ERROR_NO_SUCH_FIB:
954 error = clib_error_return (0, "No such VRF id.");
956 case VNET_API_ERROR_VALUE_EXIST:
957 error = clib_error_return (0, "Mapping already exist.");
964 unformat_free (line_input);
969 // TODO: either delete this bullshit or update it
970 static clib_error_t *
971 add_identity_mapping_command_fn (vlib_main_t * vm,
972 unformat_input_t * input,
973 vlib_cli_command_t * cmd)
975 unformat_input_t _line_input, *line_input = &_line_input;
976 vnet_main_t *vnm = vnet_get_main ();
977 clib_error_t *error = 0;
979 int rv, is_add = 1, port_set = 0;
980 u32 sw_if_index, port, flags, vrf_id = ~0;
981 nat_protocol_t proto;
984 flags = NAT_SM_FLAG_IDENTITY_NAT;
986 /* Get a line of input. */
987 if (!unformat_user (input, unformat_line_input, line_input))
988 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
990 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
992 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
994 else if (unformat (line_input, "external %U",
995 unformat_vnet_sw_interface, vnm, &sw_if_index))
997 flags |= NAT_SM_FLAG_SWITCH_ADDRESS;
999 else if (unformat (line_input, "vrf %u", &vrf_id))
1001 else if (unformat (line_input, "%U %u", unformat_nat_protocol, &proto,
1006 else if (unformat (line_input, "del"))
1012 error = clib_error_return (0, "unknown input: '%U'",
1013 format_unformat_error, line_input);
1020 flags |= NAT_SM_FLAG_ADDR_ONLY;
1024 port = clib_host_to_net_u16 (port);
1030 rv = nat44_ed_add_static_mapping (addr, addr, port, port, proto, vrf_id,
1031 sw_if_index, flags, addr, 0);
1035 rv = nat44_ed_del_static_mapping (addr, addr, port, port, proto, vrf_id,
1036 sw_if_index, flags);
1039 // TODO: fix returns
1043 case VNET_API_ERROR_INVALID_VALUE:
1044 error = clib_error_return (0, "External port already in use.");
1046 case VNET_API_ERROR_NO_SUCH_ENTRY:
1048 error = clib_error_return (0, "External address must be allocated.");
1050 error = clib_error_return (0, "Mapping not exist.");
1052 case VNET_API_ERROR_NO_SUCH_FIB:
1053 error = clib_error_return (0, "No such VRF id.");
1055 case VNET_API_ERROR_VALUE_EXIST:
1056 error = clib_error_return (0, "Mapping already exist.");
1063 unformat_free (line_input);
1068 static clib_error_t *
1069 add_lb_static_mapping_command_fn (vlib_main_t * vm,
1070 unformat_input_t * input,
1071 vlib_cli_command_t * cmd)
1073 unformat_input_t _line_input, *line_input = &_line_input;
1074 clib_error_t *error = 0;
1075 ip4_address_t l_addr, e_addr;
1076 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
1078 nat_protocol_t proto;
1079 nat44_lb_addr_port_t *locals = 0, local;
1083 /* Get a line of input. */
1084 if (!unformat_user (input, unformat_line_input, line_input))
1085 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1087 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1089 if (unformat (line_input, "local %U:%u probability %u",
1090 unformat_ip4_address, &l_addr, &l_port, &probability))
1092 clib_memset (&local, 0, sizeof (local));
1093 local.addr = l_addr;
1094 local.port = (u16) l_port;
1095 local.probability = (u8) probability;
1096 vec_add1 (locals, local);
1098 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1099 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1102 clib_memset (&local, 0, sizeof (local));
1103 local.addr = l_addr;
1104 local.port = (u16) l_port;
1105 local.probability = (u8) probability;
1106 local.vrf_id = vrf_id;
1107 vec_add1 (locals, local);
1109 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1112 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1117 else if (unformat (line_input, "twice-nat"))
1119 flags |= NAT_SM_FLAG_TWICE_NAT;
1121 else if (unformat (line_input, "self-twice-nat"))
1123 flags |= NAT_SM_FLAG_SELF_TWICE_NAT;
1125 else if (unformat (line_input, "out2in-only"))
1127 flags |= NAT_SM_FLAG_OUT2IN_ONLY;
1129 else if (unformat (line_input, "del"))
1133 else if (unformat (line_input, "affinity %u", &affinity))
1137 error = clib_error_return (0, "unknown input: '%U'",
1138 format_unformat_error, line_input);
1143 if (vec_len (locals) < 2)
1145 error = clib_error_return (0, "at least two local must be set");
1151 error = clib_error_return (0, "missing protocol");
1157 rv = nat44_ed_add_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
1158 flags, 0, affinity);
1162 rv = nat44_ed_del_lb_static_mapping (e_addr, (u16) e_port, proto, flags);
1167 case VNET_API_ERROR_INVALID_VALUE:
1168 error = clib_error_return (0, "External port already in use.");
1170 case VNET_API_ERROR_NO_SUCH_ENTRY:
1172 error = clib_error_return (0, "External address must be allocated.");
1174 error = clib_error_return (0, "Mapping not exist.");
1176 case VNET_API_ERROR_VALUE_EXIST:
1177 error = clib_error_return (0, "Mapping already exist.");
1184 unformat_free (line_input);
1190 static clib_error_t *
1191 add_lb_backend_command_fn (vlib_main_t * vm,
1192 unformat_input_t * input, vlib_cli_command_t * cmd)
1194 unformat_input_t _line_input, *line_input = &_line_input;
1195 clib_error_t *error = 0;
1196 ip4_address_t l_addr, e_addr;
1197 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
1200 nat_protocol_t proto;
1203 /* Get a line of input. */
1204 if (!unformat_user (input, unformat_line_input, line_input))
1205 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1207 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1209 if (unformat (line_input, "local %U:%u probability %u",
1210 unformat_ip4_address, &l_addr, &l_port, &probability))
1212 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1213 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1216 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1219 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1222 else if (unformat (line_input, "del"))
1226 error = clib_error_return (0, "unknown input: '%U'",
1227 format_unformat_error, line_input);
1232 if (!l_port || !e_port)
1234 error = clib_error_return (0, "local or external must be set");
1240 error = clib_error_return (0, "missing protocol");
1244 rv = nat44_ed_add_del_lb_static_mapping_local (
1245 e_addr, (u16) e_port, l_addr, l_port, proto, vrf_id, probability, is_add);
1249 case VNET_API_ERROR_INVALID_VALUE:
1250 error = clib_error_return (0, "External is not load-balancing static "
1253 case VNET_API_ERROR_NO_SUCH_ENTRY:
1254 error = clib_error_return (0, "Mapping or back-end not exist.");
1256 case VNET_API_ERROR_VALUE_EXIST:
1257 error = clib_error_return (0, "Back-end already exist.");
1259 case VNET_API_ERROR_UNSPECIFIED:
1260 error = clib_error_return (0, "At least two back-ends must remain");
1267 unformat_free (line_input);
1272 static clib_error_t *
1273 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
1274 unformat_input_t * input,
1275 vlib_cli_command_t * cmd)
1277 snat_main_t *sm = &snat_main;
1278 snat_static_mapping_t *m;
1279 snat_static_map_resolve_t *rp;
1281 vlib_cli_output (vm, "NAT44 static mappings:");
1282 pool_foreach (m, sm->static_mappings)
1284 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
1286 vec_foreach (rp, sm->to_resolve)
1287 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
1292 static clib_error_t *
1293 snat_add_interface_address_command_fn (vlib_main_t * vm,
1294 unformat_input_t * input,
1295 vlib_cli_command_t * cmd)
1297 snat_main_t *sm = &snat_main;
1298 unformat_input_t _line_input, *line_input = &_line_input;
1302 clib_error_t *error = 0;
1305 /* Get a line of input. */
1306 if (!unformat_user (input, unformat_line_input, line_input))
1307 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1309 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1311 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
1312 sm->vnet_main, &sw_if_index))
1314 else if (unformat (line_input, "twice-nat"))
1316 else if (unformat (line_input, "del"))
1320 error = clib_error_return (0, "unknown input '%U'",
1321 format_unformat_error, line_input);
1326 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
1334 error = clib_error_return (0, "snat_add_interface_address returned %d",
1340 unformat_free (line_input);
1345 static clib_error_t *
1346 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1347 unformat_input_t * input,
1348 vlib_cli_command_t * cmd)
1350 snat_main_t *sm = &snat_main;
1351 vnet_main_t *vnm = vnet_get_main ();
1354 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1355 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1357 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1360 vlib_cli_output (vm, "NAT44 twice-nat pool address interfaces:");
1361 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
1363 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1370 static clib_error_t *
1371 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1372 vlib_cli_command_t * cmd)
1374 unformat_input_t _line_input, *line_input = &_line_input;
1375 clib_error_t *error = 0;
1376 snat_main_per_thread_data_t *tsm;
1377 snat_main_t *sm = &snat_main;
1381 if (!unformat_user (input, unformat_line_input, line_input))
1384 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1386 error = clib_error_return (0, "unknown input '%U'",
1387 format_unformat_error, line_input);
1390 unformat_free (line_input);
1393 vlib_cli_output (vm, "NAT44 ED sessions:");
1395 vec_foreach_index (i, sm->per_thread_data)
1397 tsm = vec_elt_at_index (sm->per_thread_data, i);
1399 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1400 i, vlib_worker_threads[i].name,
1401 pool_elts (tsm->sessions));
1404 pool_foreach (s, tsm->sessions)
1406 vlib_cli_output (vm, " %U\n", format_snat_session, tsm, s);
1412 static clib_error_t *
1413 nat44_set_session_limit_command_fn (vlib_main_t * vm,
1414 unformat_input_t * input,
1415 vlib_cli_command_t * cmd)
1417 unformat_input_t _line_input, *line_input = &_line_input;
1418 clib_error_t *error = 0;
1420 u32 session_limit = 0, vrf_id = 0;
1422 if (!unformat_user (input, unformat_line_input, line_input))
1423 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1425 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1427 if (unformat (line_input, "%u", &session_limit))
1429 else if (unformat (line_input, "vrf %u", &vrf_id))
1433 error = clib_error_return (0, "unknown input '%U'",
1434 format_unformat_error, line_input);
1440 error = clib_error_return (0, "missing value of session limit");
1441 else if (nat44_update_session_limit (session_limit, vrf_id))
1442 error = clib_error_return (0, "nat44_set_session_limit failed");
1445 unformat_free (line_input);
1450 static clib_error_t *
1451 nat44_del_session_command_fn (vlib_main_t * vm,
1452 unformat_input_t * input,
1453 vlib_cli_command_t * cmd)
1455 snat_main_t *sm = &snat_main;
1456 unformat_input_t _line_input, *line_input = &_line_input;
1457 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1458 clib_error_t *error = 0;
1459 ip4_address_t addr, eh_addr;
1460 nat_protocol_t proto;
1464 if (!unformat_user (input, unformat_line_input, line_input))
1465 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1467 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1470 (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1471 unformat_nat_protocol, &proto))
1473 else if (unformat (line_input, "in"))
1476 vrf_id = sm->inside_vrf_id;
1478 else if (unformat (line_input, "out"))
1481 vrf_id = sm->outside_vrf_id;
1483 else if (unformat (line_input, "vrf %u", &vrf_id))
1485 else if (unformat (line_input, "external-host %U:%u",
1486 unformat_ip4_address, &eh_addr, &eh_port))
1490 error = clib_error_return (0, "unknown input '%U'",
1491 format_unformat_error, line_input);
1497 nat44_del_ed_session (sm, &addr, clib_host_to_net_u16 (port), &eh_addr,
1498 clib_host_to_net_u16 (eh_port),
1499 nat_proto_to_ip_proto (proto), vrf_id, is_in);
1507 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1512 unformat_free (line_input);
1517 static clib_error_t *
1518 snat_forwarding_set_command_fn (vlib_main_t * vm,
1519 unformat_input_t * input,
1520 vlib_cli_command_t * cmd)
1522 snat_main_t *sm = &snat_main;
1523 unformat_input_t _line_input, *line_input = &_line_input;
1524 clib_error_t *error = 0;
1526 u8 enable_set = 0, enable = 0;
1528 if (!unformat_user (input, unformat_line_input, line_input))
1529 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1531 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1536 if (unformat (line_input, "disable"))
1538 else if (unformat (line_input, "enable"))
1543 error = clib_error_return (0, "unknown input '%U'",
1544 format_unformat_error, line_input);
1550 error = clib_error_return (0, "expected enable | disable");
1552 sm->forwarding_enabled = enable;
1555 unformat_free (line_input);
1559 static clib_error_t *
1560 set_timeout_command_fn (vlib_main_t * vm,
1561 unformat_input_t * input, vlib_cli_command_t * cmd)
1563 snat_main_t *sm = &snat_main;
1564 unformat_input_t _line_input, *line_input = &_line_input;
1565 clib_error_t *error = 0;
1567 if (!unformat_user (input, unformat_line_input, line_input))
1568 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1570 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1572 if (unformat (line_input, "udp %u", &sm->timeouts.udp));
1573 else if (unformat (line_input, "tcp-established %u",
1574 &sm->timeouts.tcp.established));
1575 else if (unformat (line_input, "tcp-transitory %u",
1576 &sm->timeouts.tcp.transitory));
1577 else if (unformat (line_input, "icmp %u", &sm->timeouts.icmp));
1578 else if (unformat (line_input, "reset"))
1579 nat_reset_timeouts (&sm->timeouts);
1582 error = clib_error_return (0, "unknown input '%U'",
1583 format_unformat_error, line_input);
1588 unformat_free (line_input);
1592 static clib_error_t *
1593 nat_show_timeouts_command_fn (vlib_main_t * vm,
1594 unformat_input_t * input,
1595 vlib_cli_command_t * cmd)
1597 snat_main_t *sm = &snat_main;
1599 vlib_cli_output (vm, "udp timeout: %dsec", sm->timeouts.udp);
1600 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1601 sm->timeouts.tcp.established);
1602 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1603 sm->timeouts.tcp.transitory);
1604 vlib_cli_output (vm, "icmp timeout: %dsec", sm->timeouts.icmp);
1609 static clib_error_t *
1610 set_frame_queue_nelts_command_fn (vlib_main_t *vm, unformat_input_t *input,
1611 vlib_cli_command_t *cmd)
1613 unformat_input_t _line_input, *line_input = &_line_input;
1614 clib_error_t *error = 0;
1615 u32 frame_queue_nelts = 0;
1617 if (!unformat_user (input, unformat_line_input, line_input))
1618 return clib_error_return (0, NAT44_ED_EXPECTED_ARGUMENT);
1620 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1622 if (unformat (line_input, "%u", &frame_queue_nelts))
1626 error = clib_error_return (0, "unknown input '%U'",
1627 format_unformat_error, line_input);
1631 if (!frame_queue_nelts)
1633 error = clib_error_return (0, "frame_queue_nelts cannot be zero");
1636 if (nat44_ed_set_frame_queue_nelts (frame_queue_nelts) != 0)
1638 error = clib_error_return (0, "snat_set_frame_queue_nelts failed");
1642 unformat_free (line_input);
1648 * @cliexstart{nat44}
1649 * Enable nat44 plugin
1650 * To enable nat44-ed, use:
1652 * To disable nat44-ed, use:
1653 * vpp# nat44 disable
1654 * To enable nat44-ed static mapping with connection tracking, use:
1655 * vpp# nat44-ed enable static-mapping connection-tracking
1656 * To set inside-vrf outside-vrf, use:
1657 * vpp# nat44 enable inside-vrf <id> outside-vrf <id>
1660 VLIB_CLI_COMMAND (nat44_ed_enable_disable_command, static) = {
1662 .short_help = "nat44 <enable [sessions <max-number>] [static-mapping-only "
1663 "connection-tracking] [inside-vrf <vrf-id>] "
1664 "[outside-vrf <vrf-id>]>|disable",
1665 .function = nat44_ed_enable_disable_command_fn,
1670 * @cliexstart{set snat workers}
1671 * Set NAT workers if 2 or more workers available, use:
1672 * vpp# set snat workers 0-2,5
1675 VLIB_CLI_COMMAND (set_workers_command, static) = {
1676 .path = "set nat workers",
1677 .function = set_workers_command_fn,
1678 .short_help = "set nat workers <workers-list>",
1683 * @cliexstart{show nat workers}
1685 * vpp# show nat workers:
1691 VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
1692 .path = "show nat workers",
1693 .short_help = "show nat workers",
1694 .function = nat_show_workers_commnad_fn,
1699 * @cliexstart{set nat timeout}
1700 * Set values of timeouts for NAT sessions (in seconds), use:
1701 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
1702 * To reset default values use:
1703 * vpp# set nat timeout reset
1706 VLIB_CLI_COMMAND (set_timeout_command, static) = {
1707 .path = "set nat timeout",
1708 .function = set_timeout_command_fn,
1710 "set nat timeout [udp <sec> | tcp-established <sec> "
1711 "tcp-transitory <sec> | icmp <sec> | reset]",
1716 * @cliexstart{show nat timeouts}
1717 * Show values of timeouts for NAT sessions.
1718 * vpp# show nat timeouts
1719 * udp timeout: 300sec
1720 * tcp-established timeout: 7440sec
1721 * tcp-transitory timeout: 240sec
1722 * icmp timeout: 60sec
1725 VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
1726 .path = "show nat timeouts",
1727 .short_help = "show nat timeouts",
1728 .function = nat_show_timeouts_command_fn,
1733 * @cliexstart{set nat frame-queue-nelts}
1734 * Set number of worker handoff frame queue elements.
1737 VLIB_CLI_COMMAND (set_frame_queue_nelts_command, static) = {
1738 .path = "set nat frame-queue-nelts",
1739 .function = set_frame_queue_nelts_command_fn,
1740 .short_help = "set nat frame-queue-nelts <number>",
1745 * @cliexstart{nat set logging level}
1746 * To set NAT logging level use:
1747 * Set nat logging level
1750 VLIB_CLI_COMMAND (snat_set_log_level_command, static) = {
1751 .path = "nat set logging level",
1752 .function = snat_set_log_level_command_fn,
1753 .short_help = "nat set logging level <level>",
1758 * @cliexstart{snat ipfix logging}
1759 * To enable NAT IPFIX logging use:
1760 * vpp# nat ipfix logging
1761 * To set IPFIX exporter use:
1762 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
1765 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
1766 .path = "nat ipfix logging",
1767 .function = snat_ipfix_logging_enable_disable_command_fn,
1768 .short_help = "nat ipfix logging disable|<enable [domain <domain-id>] "
1769 "[src-port <port>]>",
1774 * @cliexstart{nat mss-clamping}
1775 * Set TCP MSS rewriting configuration
1776 * To enable TCP MSS rewriting use:
1777 * vpp# nat mss-clamping 1452
1778 * To disbale TCP MSS rewriting use:
1779 * vpp# nat mss-clamping disable
1782 VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
1783 .path = "nat mss-clamping",
1784 .short_help = "nat mss-clamping <mss-value>|disable",
1785 .function = nat_set_mss_clamping_command_fn,
1790 * @cliexstart{show nat mss-clamping}
1791 * Show TCP MSS rewriting configuration
1794 VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
1795 .path = "show nat mss-clamping",
1796 .short_help = "show nat mss-clamping",
1797 .function = nat_show_mss_clamping_command_fn,
1802 * @cliexstart{show nat44 hash tables}
1803 * Show NAT44 hash tables
1806 VLIB_CLI_COMMAND (nat44_show_hash, static) = {
1807 .path = "show nat44 hash tables",
1808 .short_help = "show nat44 hash tables [detail|verbose]",
1809 .function = nat44_show_hash_command_fn,
1814 * @cliexstart{nat44 add address}
1815 * Add/delete NAT44 pool address.
1816 * To add NAT44 pool address use:
1817 * vpp# nat44 add address 172.16.1.3
1818 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
1819 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
1820 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
1823 VLIB_CLI_COMMAND (add_address_command, static) = {
1824 .path = "nat44 add address",
1825 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
1826 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
1827 .function = add_address_command_fn,
1832 * @cliexstart{show nat44 summary}
1833 * Show NAT44 summary
1834 * vpp# show nat44 summary
1837 VLIB_CLI_COMMAND (nat44_show_summary_command, static) = {
1838 .path = "show nat44 summary",
1839 .short_help = "show nat44 summary",
1840 .function = nat44_show_summary_command_fn,
1845 * @cliexstart{show nat44 addresses}
1846 * Show NAT44 pool addresses.
1847 * vpp# show nat44 addresses
1848 * NAT44 pool addresses:
1850 * tenant VRF independent
1859 * NAT44 twice-nat pool addresses:
1861 * tenant VRF independent
1867 VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
1868 .path = "show nat44 addresses",
1869 .short_help = "show nat44 addresses",
1870 .function = nat44_show_addresses_command_fn,
1875 * @cliexstart{set interface nat44}
1876 * Enable/disable NAT44 feature on the interface.
1877 * To enable NAT44 feature with local network interface use:
1878 * vpp# set interface nat44 in GigabitEthernet0/8/0
1879 * To enable NAT44 feature with external network interface use:
1880 * vpp# set interface nat44 out GigabitEthernet0/a/0
1883 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
1884 .path = "set interface nat44",
1885 .function = snat_feature_command_fn,
1886 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
1892 * @cliexstart{show nat44 interfaces}
1893 * Show interfaces with NAT44 feature.
1894 * vpp# show nat44 interfaces
1896 * GigabitEthernet0/8/0 in
1897 * GigabitEthernet0/a/0 out
1900 VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
1901 .path = "show nat44 interfaces",
1902 .short_help = "show nat44 interfaces",
1903 .function = nat44_show_interfaces_command_fn,
1908 * @cliexstart{nat44 add static mapping}
1909 * Static mapping allows hosts on the external network to initiate connection
1910 * to to the local network host.
1911 * To create static mapping between local host address 10.0.0.3 port 6303 and
1912 * external address 4.4.4.4 port 3606 for TCP protocol use:
1913 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
1914 * If not runnig "static mapping only" NAT plugin mode use before:
1915 * vpp# nat44 add address 4.4.4.4
1916 * To create address only static mapping between local and external address use:
1917 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
1918 * To create ICMP static mapping between local and external with ICMP echo
1919 * identifier 10 use:
1920 * vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
1921 * To force use of specific pool address, vrf independent
1922 * vpp# nat44 add static mapping local 10.0.0.2 1234 external 10.0.2.2 1234 twice-nat exact 10.0.1.2
1925 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
1926 .path = "nat44 add static mapping",
1927 .function = add_static_mapping_command_fn,
1929 "nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
1930 "external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
1931 "[out2in-only] [exact <pool-addr>] [del]",
1936 * @cliexstart{nat44 add identity mapping}
1937 * Identity mapping translate an IP address to itself.
1938 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
1940 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
1941 * To create identity mapping for address 10.0.0.3 use:
1942 * vpp# nat44 add identity mapping 10.0.0.3
1943 * To create identity mapping for DHCP addressed interface use:
1944 * vpp# nat44 add identity mapping external GigabitEthernet0/a/0 tcp 3606
1947 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
1948 .path = "nat44 add identity mapping",
1949 .function = add_identity_mapping_command_fn,
1950 .short_help = "nat44 add identity mapping <ip4-addr>|external <interface> "
1951 "[<protocol> <port>] [vrf <table-id>] [del]",
1956 * @cliexstart{nat44 add load-balancing static mapping}
1957 * Service load balancing using NAT44
1958 * To add static mapping with load balancing for service with external IP
1959 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
1960 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
1961 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
1964 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
1965 .path = "nat44 add load-balancing static mapping",
1966 .function = add_lb_static_mapping_command_fn,
1968 "nat44 add load-balancing static mapping protocol tcp|udp "
1969 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
1970 "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
1971 "[affinity <timeout-seconds>] [del]",
1976 * @cliexstart{nat44 add load-balancing static mapping}
1977 * Modify service load balancing using NAT44
1978 * To add new back-end server 10.100.10.30:8080 for service load balancing
1979 * static mapping with external IP address 1.2.3.4 and TCP port 80 use:
1980 * vpp# nat44 add load-balancing back-end protocol tcp external 1.2.3.4:80 local 10.100.10.30:8080 probability 25
1983 VLIB_CLI_COMMAND (add_lb_backend_command, static) = {
1984 .path = "nat44 add load-balancing back-end",
1985 .function = add_lb_backend_command_fn,
1987 "nat44 add load-balancing back-end protocol tcp|udp "
1988 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
1989 "probability <n> [del]",
1994 * @cliexstart{show nat44 static mappings}
1995 * Show NAT44 static mappings.
1996 * vpp# show nat44 static mappings
1997 * NAT44 static mappings:
1998 * local 10.0.0.3 external 4.4.4.4 vrf 0
1999 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
2000 * tcp vrf 0 external 1.2.3.4:80 out2in-only
2001 * local 10.100.10.10:8080 probability 80
2002 * local 10.100.10.20:8080 probability 20
2003 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
2004 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
2007 VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
2008 .path = "show nat44 static mappings",
2009 .short_help = "show nat44 static mappings",
2010 .function = nat44_show_static_mappings_command_fn,
2015 * @cliexstart{nat44 add interface address}
2016 * Use NAT44 pool address from specific interfce
2017 * To add NAT44 pool address from specific interface use:
2018 * vpp# nat44 add interface address GigabitEthernet0/8/0
2021 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2022 .path = "nat44 add interface address",
2023 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
2024 .function = snat_add_interface_address_command_fn,
2029 * @cliexstart{show nat44 interface address}
2030 * Show NAT44 pool address interfaces
2031 * vpp# show nat44 interface address
2032 * NAT44 pool address interfaces:
2033 * GigabitEthernet0/a/0
2034 * NAT44 twice-nat pool address interfaces:
2035 * GigabitEthernet0/8/0
2038 VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
2039 .path = "show nat44 interface address",
2040 .short_help = "show nat44 interface address",
2041 .function = nat44_show_interface_address_command_fn,
2046 * @cliexstart{show nat44 sessions}
2047 * Show NAT44 sessions.
2050 VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
2051 .path = "show nat44 sessions",
2052 .short_help = "show nat44 sessions",
2053 .function = nat44_show_sessions_command_fn,
2058 * @cliexstart{set nat44 session limit}
2059 * Set NAT44 session limit.
2062 VLIB_CLI_COMMAND (nat44_set_session_limit_command, static) = {
2063 .path = "set nat44 session limit",
2064 .short_help = "set nat44 session limit <limit> [vrf <table-id>]",
2065 .function = nat44_set_session_limit_command_fn,
2070 * @cliexstart{nat44 del session}
2071 * To administratively delete NAT44 session by inside address and port use:
2072 * vpp# nat44 del session in 10.0.0.3:6303 tcp
2073 * To administratively delete NAT44 session by outside address and port use:
2074 * vpp# nat44 del session out 1.0.0.3:6033 udp
2077 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
2078 .path = "nat44 del session",
2079 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
2080 .function = nat44_del_session_command_fn,
2085 * @cliexstart{nat44 forwarding}
2086 * Enable or disable forwarding
2087 * Forward packets which don't match existing translation
2088 * or static mapping instead of dropping them.
2089 * To enable forwarding, use:
2090 * vpp# nat44 forwarding enable
2091 * To disable forwarding, use:
2092 * vpp# nat44 forwarding disable
2095 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
2096 .path = "nat44 forwarding",
2097 .short_help = "nat44 forwarding enable|disable",
2098 .function = snat_forwarding_set_command_fn,
2102 * fd.io coding-style-patch-verification: ON
2105 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob