2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
21 #include <nat/nat_ipfix_logging.h>
22 #include <nat/nat_det.h>
23 #include <nat/nat64.h>
24 #include <nat/nat_inlines.h>
25 #include <nat/nat_affinity.h>
26 #include <vnet/fib/fib_table.h>
/* Error strings returned by the CLI handlers below when a command is issued
 * in the wrong NAT mode; handlers pick one after testing sm->deterministic. */
28 #define UNSUPPORTED_IN_DET_MODE_STR \
29 "This command is unsupported in deterministic mode"
30 #define SUPPORTED_ONLY_IN_DET_MODE_STR \
31 "This command is supported only in deterministic mode"
/*
 * CLI handler: parse a bitmap list of worker indices and hand it to
 * snat_set_workers(). Rejected in deterministic mode.
 *
 * Returns 0 or a clib error built from the messages below.
 * NOTE: this listing omits some original lines (braces, short statements,
 * the declarations of `bitmap` and `rv`); comments describe only what is shown.
 */
34 set_workers_command_fn (vlib_main_t * vm,
35 unformat_input_t * input, vlib_cli_command_t * cmd)
37 unformat_input_t _line_input, *line_input = &_line_input;
38 snat_main_t *sm = &snat_main;
41 clib_error_t *error = 0;
/* Worker assignment is not available in deterministic mode. */
43 if (sm->deterministic)
44 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
46 /* Get a line of input. */
47 if (!unformat_user (input, unformat_line_input, line_input))
50 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
/* unformat_bitmap_list allocates/extends `bitmap` from the operator's list. */
52 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
56 error = clib_error_return (0, "unknown input '%U'",
57 format_unformat_error, line_input);
64 error = clib_error_return (0, "List of workers must be specified.");
/* The worker set is applied here; the result code is mapped to a message below. */
68 rv = snat_set_workers (bitmap);
/* NOTE(review): this is the only visible release of `bitmap`. Confirm the
 * error paths above (unknown input) cannot leave a partially parsed bitmap
 * allocated. */
70 clib_bitmap_free (bitmap);
74 case VNET_API_ERROR_INVALID_WORKER:
75 error = clib_error_return (0, "Invalid worker(s).");
77 case VNET_API_ERROR_FEATURE_DISABLED:
78 error = clib_error_return (0,
/* NOTE(review): "workes" is a typo for "workers" in this runtime message. */
79 "Supported only if 2 or more workes available.");
/* Release the line-input buffer obtained from unformat_user(). */
86 unformat_free (line_input);
/*
 * CLI handler: print the number of NAT workers and each worker thread's
 * name. Rejected in deterministic mode; the listing is produced only when
 * sm->num_workers > 1.
 */
92 nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
93 vlib_cli_command_t * cmd)
95 snat_main_t *sm = &snat_main;
98 if (sm->deterministic)
99 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
101 if (sm->num_workers > 1)
103 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
105 vec_foreach (worker, sm->workers)
/* Each stored worker index is offset by first_worker_index to address the
 * global vlib_worker_threads array.
 * NOTE(review): no bounds check is visible here; presumably the indices are
 * validated when sm->workers is populated -- confirm. */
107 vlib_worker_thread_t *w =
108 vlib_worker_threads + *worker + sm->first_worker_index;
109 vlib_cli_output (vm, " %s", w->name);
/*
 * CLI handler: enable or disable NAT IPFIX logging.
 *
 * Recognised tokens: "domain <id>", "src-port <port>", "disable".
 * The parsed values are passed to snat_ipfix_logging_enable_disable().
 */
117 static clib_error_t *
118 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
119 unformat_input_t * input,
120 vlib_cli_command_t * cmd)
122 unformat_input_t _line_input, *line_input = &_line_input;
127 clib_error_t *error = 0;
129 /* Get a line of input. */
130 if (!unformat_user (input, unformat_line_input, line_input))
133 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
135 if (unformat (line_input, "domain %d", &domain_id))
137 else if (unformat (line_input, "src-port %d", &src_port))
139 else if (unformat (line_input, "disable"))
143 error = clib_error_return (0, "unknown input '%U'",
144 format_unformat_error, line_input);
/* NOTE(review): src_port is narrowed with a (u16) cast and no range check is
 * visible in this listing, so a value above 65535 would be silently truncated
 * to a different port. Consider rejecting out-of-range values before the cast. */
149 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
153 error = clib_error_return (0, "ipfix logging enable failed");
158 unformat_free (line_input);
/*
 * CLI handler: dump the NAT44 bihash tables for debugging.
 *
 * Prints the two static-mapping tables, then for every entry of
 * sm->per_thread_data the session tables (16_8 "ed" tables when
 * sm->endpoint_dependent is set; the 8_8 in2out/out2in tables are presumably
 * the other branch) and user_hash, and finally the affinity table in
 * endpoint-dependent mode. "detail"/"verbose" select the verbosity passed to
 * the formatters (the assigned levels are not shown in this listing).
 */
163 static clib_error_t *
164 nat44_show_hash_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
165 vlib_cli_command_t * cmd)
167 snat_main_t *sm = &snat_main;
168 snat_main_per_thread_data_t *tsm;
169 nat_affinity_main_t *nam = &nat_affinity_main;
173 if (unformat (input, "detail"))
175 else if (unformat (input, "verbose"))
178 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->static_mapping_by_local,
180 vlib_cli_output (vm, "%U",
181 format_bihash_8_8, &sm->static_mapping_by_external,
183 vec_foreach_index (i, sm->per_thread_data)
185 tsm = vec_elt_at_index (sm->per_thread_data, i);
/* The same index i is used for per_thread_data and vlib_worker_threads. */
186 vlib_cli_output (vm, "-------- thread %d %s --------\n",
187 i, vlib_worker_threads[i].name);
188 if (sm->endpoint_dependent)
190 vlib_cli_output (vm, "%U", format_bihash_16_8, &tsm->in2out_ed,
192 vlib_cli_output (vm, "%U", format_bihash_16_8, &tsm->out2in_ed,
197 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->in2out, verbose);
198 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->out2in, verbose);
200 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->user_hash, verbose);
203 if (sm->endpoint_dependent)
204 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash,
/*
 * CLI handler: select the NAT address-and-port allocation algorithm.
 *
 * Recognised forms: "default", "map-e psid <n> psid-offset <n> psid-len <n>"
 * and "port-range <start> - <end>". Rejected in deterministic mode.
 */
209 static clib_error_t *
210 nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
211 unformat_input_t * input,
212 vlib_cli_command_t * cmd)
214 unformat_input_t _line_input, *line_input = &_line_input;
215 snat_main_t *sm = &snat_main;
216 clib_error_t *error = 0;
217 u32 psid, psid_offset, psid_length, port_start, port_end;
219 if (sm->deterministic)
220 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
222 /* Get a line of input. */
223 if (!unformat_user (input, unformat_line_input, line_input))
226 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
228 if (unformat (line_input, "default"))
229 nat_set_alloc_addr_and_port_default ();
232 (line_input, "map-e psid %d psid-offset %d psid-len %d", &psid,
233 &psid_offset, &psid_length))
/* NOTE(review): the u32 inputs are narrowed with (u16) casts; no range check
 * on psid/psid_offset/psid_length is visible, so oversized values would be
 * truncated rather than rejected. */
234 nat_set_alloc_addr_and_port_mape ((u16) psid, (u16) psid_offset,
238 (line_input, "port-range %d - %d", &port_start, &port_end))
/* Only the ordering of the two ports is checked here.
 * NOTE(review): values above 65535 are not rejected in the visible lines and
 * would wrap in the (u16) casts below; an upper-bound check belongs here. */
240 if (port_end <= port_start)
243 clib_error_return (0,
244 "The end-port must be greater than start-port");
247 nat_set_alloc_addr_and_port_range ((u16) port_start,
252 error = clib_error_return (0, "unknown input '%U'",
253 format_unformat_error, line_input);
259 unformat_free (line_input);
/*
 * CLI handler: print the active address-and-port allocation algorithm and,
 * for the MAP-E and port-range algorithms, their parameters from snat_main.
 * Rejected in deterministic mode.
 */
264 static clib_error_t *
265 nat44_show_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
266 unformat_input_t * input,
267 vlib_cli_command_t * cmd)
269 snat_main_t *sm = &snat_main;
271 if (sm->deterministic)
272 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
274 vlib_cli_output (vm, "NAT address and port: %U",
275 format_nat_addr_and_port_alloc_alg,
276 sm->addr_and_port_alloc_alg);
/* Algorithm-specific parameters follow the name. */
277 switch (sm->addr_and_port_alloc_alg)
279 case NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE:
280 vlib_cli_output (vm, " psid %d psid-offset %d psid-len %d", sm->psid,
281 sm->psid_offset, sm->psid_length);
283 case NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE:
284 vlib_cli_output (vm, " start-port %d end-port %d", sm->start_port,
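/**
 * CLI handler: enable TCP MSS clamping with a given value, or disable it.
 *
 * Recognised tokens: "disable" (sets sm->mss_clamping to 0) or a number.
 * The number is stored through a (u16) cast, so values that do not fit in
 * 16 bits are now rejected instead of being silently truncated to a
 * different MSS.
 *
 * @param vm    vlib main (unused here).
 * @param input CLI input; one line is consumed.
 * @param cmd   CLI command descriptor (unused here).
 * @return 0 on success, or a clib error for an unknown token or an
 *         out-of-range value.
 */
static clib_error_t *
nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
                                 vlib_cli_command_t * cmd)
{
  unformat_input_t _line_input, *line_input = &_line_input;
  snat_main_t *sm = &snat_main;
  clib_error_t *error = 0;
  u32 mss;

  /* Get a line of input. */
  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "disable"))
        sm->mss_clamping = 0;
      else if (unformat (line_input, "%d", &mss))
        {
          /* Validate before narrowing: a negative or oversized input shows
           * up here as a u32 above 0xffff. */
          if (mss > 0xffff)
            {
              error = clib_error_return (0, "wrong mss, must be <0-65535>");
              goto done;
            }
          sm->mss_clamping = (u16) mss;
          /* Keep the network-byte-order copy in sync with the host value. */
          sm->mss_value_net = clib_host_to_net_u16 (sm->mss_clamping);
        }
      else
        {
          error = clib_error_return (0, "unknown input '%U'",
                                     format_unformat_error, line_input);
          goto done;
        }
    }

done:
  unformat_free (line_input);

  return error;
}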
/*
 * CLI handler: print the configured MSS clamping value, or
 * "mss-clamping disabled" when sm->mss_clamping is 0.
 */
330 static clib_error_t *
331 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
332 vlib_cli_command_t * cmd)
334 snat_main_t *sm = &snat_main;
/* A zero value doubles as the "disabled" state. */
336 if (sm->mss_clamping)
337 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
339 vlib_cli_output (vm, "mss-clamping disabled");
/*
 * CLI handler: add or delete one NAT44 pool address or a contiguous range.
 *
 * Recognised tokens: "<start> - <end>", "<addr>", "tenant-vrf <id>",
 * "twice-nat", "del". Rejected in deterministic mode and in static-mapping-only
 * mode. Each address in the range is added or deleted individually.
 *
 * NOTE: this listing omits some original lines (braces, short statements and
 * several declarations); comments describe only what is shown.
 */
344 static clib_error_t *
345 add_address_command_fn (vlib_main_t * vm,
346 unformat_input_t * input, vlib_cli_command_t * cmd)
348 unformat_input_t _line_input, *line_input = &_line_input;
349 snat_main_t *sm = &snat_main;
/* NOTE(review): start_addr/end_addr have no initializer; confirm that a
 * command line carrying no address cannot reach the range computation below. */
350 ip4_address_t start_addr, end_addr, this_addr;
351 u32 start_host_order, end_host_order;
356 clib_error_t *error = 0;
359 if (sm->deterministic)
360 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
362 /* Get a line of input. */
363 if (!unformat_user (input, unformat_line_input, line_input))
366 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
368 if (unformat (line_input, "%U - %U",
369 unformat_ip4_address, &start_addr,
370 unformat_ip4_address, &end_addr))
372 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
/* A single address is treated as a one-element range. */
374 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
375 end_addr = start_addr;
376 else if (unformat (line_input, "twice-nat"))
378 else if (unformat (line_input, "del"))
382 error = clib_error_return (0, "unknown input '%U'",
383 format_unformat_error, line_input);
388 if (sm->static_mapping_only)
390 error = clib_error_return (0, "static mapping only mode");
/* The addresses are byte-swapped so they can be compared numerically. The
 * variables are named *_host_order although the call used is
 * clib_host_to_net_u32. */
394 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
395 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
397 if (end_host_order < start_host_order)
399 error = clib_error_return (0, "end address less than start address");
/* NOTE(review): the u32 difference plus one wraps to 0 for the full
 * 0.0.0.0 - 255.255.255.255 range, and no upper bound on the range size is
 * visible. The loop below performs one add/del call per address, so a very
 * large range keeps the handler busy for a long time -- consider capping it. */
403 count = (end_host_order - start_host_order) + 1;
406 nat_log_info ("%U - %U, %d addresses...",
407 format_ip4_address, &start_addr,
408 format_ip4_address, &end_addr, count);
410 this_addr = start_addr;
412 for (i = 0; i < count; i++)
/* Either the add or the delete call is made for each address (the selecting
 * lines are not shown in this listing). */
415 rv = snat_add_address (sm, &this_addr, vrf_id, twice_nat);
417 rv = snat_del_address (sm, this_addr, 0, twice_nat);
/* Map the result code to an operator-facing message. */
421 case VNET_API_ERROR_VALUE_EXIST:
422 error = clib_error_return (0, "NAT address already in use.");
424 case VNET_API_ERROR_NO_SUCH_ENTRY:
425 error = clib_error_return (0, "NAT address not exist.");
427 case VNET_API_ERROR_UNSPECIFIED:
429 clib_error_return (0, "NAT address used in static mapping.");
431 case VNET_API_ERROR_FEATURE_DISABLED:
433 clib_error_return (0,
434 "twice NAT available only for endpoint-dependent mode.");
441 nat44_add_del_address_dpo (this_addr, is_add);
443 increment_v4_address (&this_addr);
447 unformat_free (line_input);
/*
 * CLI handler: list the NAT44 pool addresses and the twice-nat pool
 * addresses, each with its tenant VRF (if any) and per-protocol busy-port
 * counters. Rejected in deterministic mode.
 */
452 static clib_error_t *
453 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
454 vlib_cli_command_t * cmd)
456 snat_main_t *sm = &snat_main;
459 if (sm->deterministic)
460 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
462 vlib_cli_output (vm, "NAT44 pool addresses:");
464 vec_foreach (ap, sm->addresses)
466 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
/* fib_index == ~0 marks an address that is not bound to a tenant VRF.
 * NOTE(review): the fib_table_get() result is dereferenced without a NULL
 * check; presumably fib_index is always valid when it is not ~0 -- confirm. */
467 if (ap->fib_index != ~0)
468 vlib_cli_output (vm, " tenant VRF: %u",
469 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
471 vlib_cli_output (vm, " tenant VRF independent");
/* X-macro: foreach_snat_protocol expands _() once per protocol, printing the
 * matching ap->busy_<proto>_ports counter. */
472 #define _(N, i, n, s) \
473 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
474 foreach_snat_protocol
/* Same report for the twice-nat address pool. */
477 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
478 vec_foreach (ap, sm->twice_nat_addresses)
480 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
481 if (ap->fib_index != ~0)
482 vlib_cli_output (vm, " tenant VRF: %u",
483 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
485 vlib_cli_output (vm, " tenant VRF independent");
486 #define _(N, i, n, s) \
487 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
488 foreach_snat_protocol
/*
 * CLI handler: enable or disable the NAT feature on interfaces.
 *
 * Recognised tokens: "in <interface>", "out <interface>", "output-feature",
 * "del". Interfaces are collected into two vectors first and then applied:
 * inside interfaces with second argument 1, outside interfaces with 0, via
 * snat_interface_add_del() or, with "output-feature",
 * snat_interface_add_del_output_feature().
 */
495 static clib_error_t *
496 snat_feature_command_fn (vlib_main_t * vm,
497 unformat_input_t * input, vlib_cli_command_t * cmd)
499 unformat_input_t _line_input, *line_input = &_line_input;
500 vnet_main_t *vnm = vnet_get_main ();
501 clib_error_t *error = 0;
503 u32 *inside_sw_if_indices = 0;
504 u32 *outside_sw_if_indices = 0;
505 u8 is_output_feature = 0;
511 /* Get a line of input. */
512 if (!unformat_user (input, unformat_line_input, line_input))
515 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
517 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
519 vec_add1 (inside_sw_if_indices, sw_if_index);
520 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
522 vec_add1 (outside_sw_if_indices, sw_if_index);
523 else if (unformat (line_input, "output-feature"))
524 is_output_feature = 1;
525 else if (unformat (line_input, "del"))
529 error = clib_error_return (0, "unknown input '%U'",
530 format_unformat_error, line_input);
/* Apply the request to every collected inside interface. */
535 if (vec_len (inside_sw_if_indices))
537 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
539 sw_if_index = inside_sw_if_indices[i];
540 if (is_output_feature)
542 if (snat_interface_add_del_output_feature
543 (sw_if_index, 1, is_del))
545 error = clib_error_return (0, "%s %U failed",
546 is_del ? "del" : "add",
547 format_vnet_sw_if_index_name,
554 if (snat_interface_add_del (sw_if_index, 1, is_del))
556 error = clib_error_return (0, "%s %U failed",
557 is_del ? "del" : "add",
558 format_vnet_sw_if_index_name,
/* Apply the request to every collected outside interface. */
566 if (vec_len (outside_sw_if_indices))
568 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
570 sw_if_index = outside_sw_if_indices[i];
571 if (is_output_feature)
573 if (snat_interface_add_del_output_feature
574 (sw_if_index, 0, is_del))
576 error = clib_error_return (0, "%s %U failed",
577 is_del ? "del" : "add",
578 format_vnet_sw_if_index_name,
585 if (snat_interface_add_del (sw_if_index, 0, is_del))
587 error = clib_error_return (0, "%s %U failed",
588 is_del ? "del" : "add",
589 format_vnet_sw_if_index_name,
/* Cleanup: the line buffer and both index vectors are released here. */
598 unformat_free (line_input);
599 vec_free (inside_sw_if_indices);
600 vec_free (outside_sw_if_indices);
/*
 * CLI handler: list NAT44 interfaces and output-feature interfaces, labelling
 * each as "in", "out" or "in out" according to nat_interface_is_inside() /
 * nat_interface_is_outside().
 */
605 static clib_error_t *
606 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
607 vlib_cli_command_t * cmd)
609 snat_main_t *sm = &snat_main;
611 vnet_main_t *vnm = vnet_get_main ();
613 vlib_cli_output (vm, "NAT44 interfaces:");
615 pool_foreach (i, sm->interfaces,
617 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
/* Both flags set -> "in out"; otherwise whichever single flag applies. */
619 (nat_interface_is_inside(i) &&
620 nat_interface_is_outside(i)) ? "in out" :
621 (nat_interface_is_inside(i) ? "in" : "out"));
624 pool_foreach (i, sm->output_feature_interfaces,
626 vlib_cli_output (vm, " %U output-feature %s",
627 format_vnet_sw_if_index_name, vnm,
629 (nat_interface_is_inside(i) &&
630 nat_interface_is_outside(i)) ? "in out" :
631 (nat_interface_is_inside(i) ? "in" : "out"));
/*
 * CLI handler: add or delete a NAT44 static mapping.
 *
 * Recognised tokens: "local <addr> [port]", "external <addr|interface> [port]",
 * "vrf <id>", a protocol name, "twice-nat", "self-twice-nat", "out2in-only",
 * "del". The parsed values are passed to snat_add_static_mapping() and its
 * result code is mapped to a message. Rejected in deterministic mode.
 *
 * NOTE: this listing omits some original lines; comments describe only what
 * is shown.
 */
638 static clib_error_t *
639 add_static_mapping_command_fn (vlib_main_t * vm,
640 unformat_input_t * input,
641 vlib_cli_command_t * cmd)
643 unformat_input_t _line_input, *line_input = &_line_input;
644 snat_main_t *sm = &snat_main;
645 clib_error_t *error = 0;
/* NOTE(review): l_addr/e_addr have no initializer; confirm both are always
 * set (or ignored by the callee) before the snat_add_static_mapping() call. */
646 ip4_address_t l_addr, e_addr;
647 u32 l_port = 0, e_port = 0, vrf_id = ~0;
650 u32 sw_if_index = ~0;
651 vnet_main_t *vnm = vnet_get_main ();
653 snat_protocol_t proto = ~0;
655 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
658 if (sm->deterministic)
659 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
661 /* Get a line of input. */
662 if (!unformat_user (input, unformat_line_input, line_input))
665 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
/* The address+port forms are tried before the address-only forms. */
667 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
671 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
673 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
676 else if (unformat (line_input, "external %U", unformat_ip4_address,
/* "external" may also name an interface instead of an address. */
679 else if (unformat (line_input, "external %U %u",
680 unformat_vnet_sw_interface, vnm, &sw_if_index,
684 else if (unformat (line_input, "external %U",
685 unformat_vnet_sw_interface, vnm, &sw_if_index))
687 else if (unformat (line_input, "vrf %u", &vrf_id))
689 else if (unformat (line_input, "%U", unformat_snat_protocol, &proto))
691 else if (unformat (line_input, "twice-nat"))
692 twice_nat = TWICE_NAT;
693 else if (unformat (line_input, "self-twice-nat"))
694 twice_nat = TWICE_NAT_SELF;
695 else if (unformat (line_input, "out2in-only"))
697 else if (unformat (line_input, "del"))
701 error = clib_error_return (0, "unknown input: '%U'",
702 format_unformat_error, line_input);
/* Consistency checks on the option combination before anything is applied. */
707 if (twice_nat && addr_only)
709 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
713 if (!addr_only && !proto_set)
715 error = clib_error_return (0, "missing protocol");
/* NOTE(review): l_port/e_port are u32 values narrowed with (u16) casts and no
 * range check is visible, so a port above 65535 would be truncated and the
 * mapping created for a different port than the operator typed. */
719 rv = snat_add_static_mapping (l_addr, e_addr, (u16) l_port, (u16) e_port,
720 vrf_id, addr_only, sw_if_index, proto, is_add,
721 twice_nat, out2in_only, 0);
725 case VNET_API_ERROR_INVALID_VALUE:
726 error = clib_error_return (0, "External port already in use.");
728 case VNET_API_ERROR_NO_SUCH_ENTRY:
/* NOTE(review): "addres" is a typo for "address" in this runtime message. */
730 error = clib_error_return (0, "External addres must be allocated.");
732 error = clib_error_return (0, "Mapping not exist.");
734 case VNET_API_ERROR_NO_SUCH_FIB:
735 error = clib_error_return (0, "No such VRF id.");
737 case VNET_API_ERROR_VALUE_EXIST:
738 error = clib_error_return (0, "Mapping already exist.");
740 case VNET_API_ERROR_FEATURE_DISABLED:
742 clib_error_return (0,
743 "twice-nat/out2in-only available only for endpoint-dependent mode.");
750 unformat_free (line_input);
/*
 * CLI handler: add or delete a NAT44 identity mapping, i.e. a static mapping
 * whose local and external address/port are the same (snat_add_static_mapping
 * is called with `addr` and `port` for both sides).
 *
 * Recognised tokens: "<addr>", "external <interface>", "vrf <id>",
 * "<protocol> <port>", "del". Rejected in deterministic mode.
 */
755 static clib_error_t *
756 add_identity_mapping_command_fn (vlib_main_t * vm,
757 unformat_input_t * input,
758 vlib_cli_command_t * cmd)
760 unformat_input_t _line_input, *line_input = &_line_input;
761 snat_main_t *sm = &snat_main;
762 clib_error_t *error = 0;
764 u32 port = 0, vrf_id = ~0;
767 u32 sw_if_index = ~0;
768 vnet_main_t *vnm = vnet_get_main ();
/* NOTE(review): proto has no initializer here (the static-mapping handler
 * initializes its proto to ~0). It is passed to snat_add_static_mapping()
 * below; confirm it is either always set or ignored when no protocol token
 * was given. */
770 snat_protocol_t proto;
772 if (sm->deterministic)
773 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
777 /* Get a line of input. */
778 if (!unformat_user (input, unformat_line_input, line_input))
781 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
783 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
785 else if (unformat (line_input, "external %U",
786 unformat_vnet_sw_interface, vnm, &sw_if_index))
788 else if (unformat (line_input, "vrf %u", &vrf_id))
790 else if (unformat (line_input, "%U %u", unformat_snat_protocol, &proto,
793 else if (unformat (line_input, "del"))
797 error = clib_error_return (0, "unknown input: '%U'",
798 format_unformat_error, line_input);
/* NOTE(review): port is a u32 narrowed with (u16) casts; no range check is
 * visible, so a value above 65535 would be truncated. */
803 rv = snat_add_static_mapping (addr, addr, (u16) port, (u16) port,
804 vrf_id, addr_only, sw_if_index, proto, is_add,
809 case VNET_API_ERROR_INVALID_VALUE:
810 error = clib_error_return (0, "External port already in use.");
812 case VNET_API_ERROR_NO_SUCH_ENTRY:
/* NOTE(review): "addres" is a typo for "address" in this runtime message. */
814 error = clib_error_return (0, "External addres must be allocated.");
816 error = clib_error_return (0, "Mapping not exist.");
818 case VNET_API_ERROR_NO_SUCH_FIB:
819 error = clib_error_return (0, "No such VRF id.");
821 case VNET_API_ERROR_VALUE_EXIST:
822 error = clib_error_return (0, "Mapping already exist.");
829 unformat_free (line_input);
/*
 * CLI handler: add or delete a NAT44 load-balancing static mapping.
 *
 * Recognised tokens: "local <addr>:<port> [vrf <id>] probability <n>"
 * (repeatable, at least two required), "external <addr>:<port>",
 * "protocol <proto>", "twice-nat", "self-twice-nat", "out2in-only", "del",
 * "affinity <n>". Each local entry is appended to the `locals` vector, which
 * is passed to nat44_add_del_lb_static_mapping(). Rejected in deterministic
 * mode.
 */
834 static clib_error_t *
835 add_lb_static_mapping_command_fn (vlib_main_t * vm,
836 unformat_input_t * input,
837 vlib_cli_command_t * cmd)
839 unformat_input_t _line_input, *line_input = &_line_input;
840 snat_main_t *sm = &snat_main;
841 clib_error_t *error = 0;
842 ip4_address_t l_addr, e_addr;
843 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
/* NOTE(review): proto has no initializer; the "missing protocol" error below
 * suggests a separate flag guards its use -- confirm. */
846 snat_protocol_t proto;
848 nat44_lb_addr_port_t *locals = 0, local;
849 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
852 if (sm->deterministic)
853 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
855 /* Get a line of input. */
856 if (!unformat_user (input, unformat_line_input, line_input))
859 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
861 if (unformat (line_input, "local %U:%u probability %u",
862 unformat_ip4_address, &l_addr, &l_port, &probability))
/* Start from a zeroed entry so fields not assigned here are 0. */
864 memset (&local, 0, sizeof (local));
/* NOTE(review): l_port and probability are u32 inputs narrowed to u16/u8
 * with no visible range check; e.g. a probability above 255 would wrap to a
 * different weight. The same applies to the "vrf" form below. */
866 local.port = (u16) l_port;
867 local.probability = (u8) probability;
868 vec_add1 (locals, local);
870 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
871 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
874 memset (&local, 0, sizeof (local));
876 local.port = (u16) l_port;
877 local.probability = (u8) probability;
878 local.vrf_id = vrf_id;
879 vec_add1 (locals, local);
881 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
884 else if (unformat (line_input, "protocol %U", unformat_snat_protocol,
887 else if (unformat (line_input, "twice-nat"))
888 twice_nat = TWICE_NAT;
889 else if (unformat (line_input, "self-twice-nat"))
890 twice_nat = TWICE_NAT_SELF;
891 else if (unformat (line_input, "out2in-only"))
893 else if (unformat (line_input, "del"))
895 else if (unformat (line_input, "affinity %u", &affinity))
899 error = clib_error_return (0, "unknown input: '%U'",
900 format_unformat_error, line_input);
/* Load balancing needs at least two back ends. */
905 if (vec_len (locals) < 2)
907 error = clib_error_return (0, "at least two local must be set");
913 error = clib_error_return (0, "missing protocol");
917 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
918 is_add, twice_nat, out2in_only, 0,
923 case VNET_API_ERROR_INVALID_VALUE:
924 error = clib_error_return (0, "External port already in use.");
926 case VNET_API_ERROR_NO_SUCH_ENTRY:
/* NOTE(review): "addres" is a typo for "address" in this runtime message. */
928 error = clib_error_return (0, "External addres must be allocated.");
930 error = clib_error_return (0, "Mapping not exist.");
932 case VNET_API_ERROR_VALUE_EXIST:
933 error = clib_error_return (0, "Mapping already exist.");
935 case VNET_API_ERROR_FEATURE_DISABLED:
937 clib_error_return (0, "Available only for endpoint-dependent mode.");
/* NOTE(review): only the line buffer is visibly released here; confirm the
 * `locals` vector is freed on every path (the line is not in this listing). */
944 unformat_free (line_input);
/*
 * CLI handler: list all NAT44 static mappings from sm->static_mappings,
 * followed by the entries of sm->to_resolve. Rejected in deterministic mode.
 */
950 static clib_error_t *
951 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
952 unformat_input_t * input,
953 vlib_cli_command_t * cmd)
955 snat_main_t *sm = &snat_main;
956 snat_static_mapping_t *m;
957 snat_static_map_resolve_t *rp;
959 if (sm->deterministic)
960 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
962 vlib_cli_output (vm, "NAT44 static mappings:");
964 pool_foreach (m, sm->static_mappings,
966 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
968 vec_foreach (rp, sm->to_resolve)
969 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
/*
 * CLI handler: add or remove an interface whose address is used as a NAT
 * pool address, via snat_add_interface_address().
 *
 * Recognised tokens: "<interface>", "twice-nat", "del". Rejected in
 * deterministic mode.
 */
975 static clib_error_t *
976 snat_add_interface_address_command_fn (vlib_main_t * vm,
977 unformat_input_t * input,
978 vlib_cli_command_t * cmd)
980 snat_main_t *sm = &snat_main;
981 unformat_input_t _line_input, *line_input = &_line_input;
985 clib_error_t *error = 0;
988 if (sm->deterministic)
989 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
991 /* Get a line of input. */
992 if (!unformat_user (input, unformat_line_input, line_input))
995 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
997 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
998 sm->vnet_main, &sw_if_index))
1000 else if (unformat (line_input, "twice-nat"))
1002 else if (unformat (line_input, "del"))
1006 error = clib_error_return (0, "unknown input '%U'",
1007 format_unformat_error, line_input);
/* NOTE(review): the declaration of sw_if_index is not in this listing;
 * confirm that a line without an interface token cannot reach this call with
 * an unset index. */
1012 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
/* The raw return code is reported to the operator. */
1020 error = clib_error_return (0, "snat_add_interface_address returned %d",
1026 unformat_free (line_input);
/*
 * CLI handler: list the interfaces registered as sources of NAT44 pool
 * addresses (sm->auto_add_sw_if_indices) and of twice-nat pool addresses
 * (sm->auto_add_sw_if_indices_twice_nat). Rejected in deterministic mode.
 */
1031 static clib_error_t *
1032 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1033 unformat_input_t * input,
1034 vlib_cli_command_t * cmd)
1036 snat_main_t *sm = &snat_main;
1037 vnet_main_t *vnm = vnet_get_main ();
1040 if (sm->deterministic)
1041 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1044 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1045 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1047 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1050 vlib_cli_output (vm, "NAT44 twice-nat pool address interfaces:");
1051 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
1053 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
/*
 * CLI handler: list NAT44 sessions per thread. For every entry of
 * sm->per_thread_data it prints the thread name and session count, then one
 * line per user via format_snat_user. The optional "detail" keyword affects
 * the `verbose` value passed to the formatter (the assignment is not shown in
 * this listing). Rejected in deterministic mode.
 */
1061 static clib_error_t *
1062 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1063 vlib_cli_command_t * cmd)
1066 snat_main_t *sm = &snat_main;
1067 snat_main_per_thread_data_t *tsm;
1071 if (sm->deterministic)
1072 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1074 if (unformat (input, "detail"))
1077 vlib_cli_output (vm, "NAT44 sessions:");
1080 vec_foreach_index (i, sm->per_thread_data)
1082 tsm = vec_elt_at_index (sm->per_thread_data, i);
/* The same index i is used for per_thread_data and vlib_worker_threads. */
1084 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1085 i, vlib_worker_threads[i].name,
1086 pool_elts (tsm->sessions));
1087 pool_foreach (u, tsm->users,
1089 vlib_cli_output (vm, " %U", format_snat_user, tsm, u, verbose);
/*
 * CLI handler: delete a single NAT44 session.
 *
 * Recognised tokens: "<addr>:<port> <protocol>", "in", "out", "vrf <id>",
 * "external-host <addr>:<port>". The session is removed with either
 * nat44_del_ed_session() or nat44_del_session() (the selecting lines are not
 * shown in this listing). Rejected in deterministic mode.
 */
1097 static clib_error_t *
1098 nat44_del_session_command_fn (vlib_main_t * vm,
1099 unformat_input_t * input,
1100 vlib_cli_command_t * cmd)
1102 snat_main_t *sm = &snat_main;
1103 unformat_input_t _line_input, *line_input = &_line_input;
1104 int is_in = 0, is_ed = 0;
1105 clib_error_t *error = 0;
/* NOTE(review): addr, eh_addr and proto have no initializers. Confirm that a
 * command line missing the "<addr>:<port> <protocol>" token cannot reach the
 * delete calls below with indeterminate values. */
1106 ip4_address_t addr, eh_addr;
/* The VRF defaults to the outside VRF; "in"/"out"/"vrf" override it. */
1107 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1108 snat_protocol_t proto;
1111 if (sm->deterministic)
1112 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1114 /* Get a line of input. */
1115 if (!unformat_user (input, unformat_line_input, line_input))
1118 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1121 (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1122 unformat_snat_protocol, &proto))
1124 else if (unformat (line_input, "in"))
1127 vrf_id = sm->inside_vrf_id;
1129 else if (unformat (line_input, "out"))
1132 vrf_id = sm->outside_vrf_id;
1134 else if (unformat (line_input, "vrf %u", &vrf_id))
1138 (line_input, "external-host %U:%u", unformat_ip4_address,
1139 &eh_addr, &eh_port))
1143 error = clib_error_return (0, "unknown input '%U'",
1144 format_unformat_error, line_input);
/* NOTE(review): port/eh_port are u32 values passed on without a visible
 * range check; how the callees narrow them is not shown here. */
1151 nat44_del_ed_session (sm, &addr, port, &eh_addr, eh_port,
1152 snat_proto_to_ip_proto (proto), vrf_id, is_in);
1154 rv = nat44_del_session (sm, &addr, port, proto, vrf_id, is_in);
1162 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1167 unformat_free (line_input);
/*
 * CLI handler: turn NAT forwarding on or off by setting
 * sm->forwarding_enabled. Exactly one of "enable" / "disable" is expected;
 * anything else, or a second keyword, is reported as an error. Rejected in
 * deterministic mode.
 */
1172 static clib_error_t *
1173 snat_forwarding_set_command_fn (vlib_main_t * vm,
1174 unformat_input_t * input,
1175 vlib_cli_command_t * cmd)
1177 snat_main_t *sm = &snat_main;
1178 unformat_input_t _line_input, *line_input = &_line_input;
/* forwarding_enable is left uninitialized on purpose: it is only read after
 * forwarding_enable_set has been checked below. */
1179 u8 forwarding_enable;
1180 u8 forwarding_enable_set = 0;
1181 clib_error_t *error = 0;
1183 if (sm->deterministic)
1184 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1186 /* Get a line of input. */
1187 if (!unformat_user (input, unformat_line_input, line_input))
1188 return clib_error_return (0, "'enable' or 'disable' expected");
1190 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
/* The !forwarding_enable_set guard makes a repeated keyword fall through to
 * the "unknown input" error. */
1192 if (!forwarding_enable_set && unformat (line_input, "enable"))
1194 forwarding_enable = 1;
1195 forwarding_enable_set = 1;
1197 else if (!forwarding_enable_set && unformat (line_input, "disable"))
1199 forwarding_enable = 0;
1200 forwarding_enable_set = 1;
1204 error = clib_error_return (0, "unknown input '%U'",
1205 format_unformat_error, line_input);
1210 if (!forwarding_enable_set)
1212 error = clib_error_return (0, "'enable' or 'disable' expected");
/* Commit the new state only after the input was fully validated. */
1216 sm->forwarding_enabled = forwarding_enable;
1219 unformat_free (line_input);
/*
 * CLI handler: add or delete a deterministic NAT mapping between an inside
 * prefix and an outside prefix, via snat_det_add_map().
 *
 * Recognised tokens: "in <addr>/<plen>", "out <addr>/<plen>", "del".
 * Available only in deterministic mode.
 */
1224 static clib_error_t *
1225 snat_det_map_command_fn (vlib_main_t * vm,
1226 unformat_input_t * input, vlib_cli_command_t * cmd)
1228 snat_main_t *sm = &snat_main;
1229 unformat_input_t _line_input, *line_input = &_line_input;
/* NOTE(review): none of these four have initializers; confirm a line that
 * omits "in" or "out" cannot reach snat_det_add_map() with indeterminate
 * values. */
1230 ip4_address_t in_addr, out_addr;
1231 u32 in_plen, out_plen;
1233 clib_error_t *error = 0;
1235 if (!sm->deterministic)
1236 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1238 /* Get a line of input. */
1239 if (!unformat_user (input, unformat_line_input, line_input))
1242 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1245 (line_input, "in %U/%u", unformat_ip4_address, &in_addr, &in_plen))
1249 (line_input, "out %U/%u", unformat_ip4_address, &out_addr,
1252 else if (unformat (line_input, "del"))
1256 error = clib_error_return (0, "unknown input '%U'",
1257 format_unformat_error, line_input);
/* NOTE(review): the prefix lengths are narrowed with (u8) casts and no check
 * that they are <= 32 is visible here; presumably snat_det_add_map()
 * validates them -- confirm, since a value such as 264 would wrap to 8. */
1262 rv = snat_det_add_map (sm, &in_addr, (u8) in_plen, &out_addr, (u8) out_plen,
1267 error = clib_error_return (0, "snat_det_add_map return %d", rv);
1272 unformat_free (line_input);
/*
 * CLI handler: list the deterministic NAT mappings in sm->det_maps with
 * their inside/outside prefixes, sharing ratio, ports per inside host and
 * session count. Available only in deterministic mode.
 */
1277 static clib_error_t *
1278 nat44_det_show_mappings_command_fn (vlib_main_t * vm,
1279 unformat_input_t * input,
1280 vlib_cli_command_t * cmd)
1282 snat_main_t *sm = &snat_main;
1285 if (!sm->deterministic)
1286 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1288 vlib_cli_output (vm, "NAT44 deterministic mappings:");
1290 pool_foreach (dm, sm->det_maps,
1292 vlib_cli_output (vm, " in %U/%d out %U/%d\n",
1293 format_ip4_address, &dm->in_addr, dm->in_plen,
1294 format_ip4_address, &dm->out_addr, dm->out_plen);
1295 vlib_cli_output (vm, " outside address sharing ratio: %d\n",
1297 vlib_cli_output (vm, " number of ports per inside host: %d\n",
1298 dm->ports_per_host);
1299 vlib_cli_output (vm, " sessions number: %d\n", dm->ses_num);
/*
 * CLI handler: for an inside address, look up its deterministic mapping and
 * print the outside address and port range computed by snat_det_forward().
 * Prints "no match" when no mapping is found. Available only in
 * deterministic mode.
 */
1306 static clib_error_t *
1307 snat_det_forward_command_fn (vlib_main_t * vm,
1308 unformat_input_t * input,
1309 vlib_cli_command_t * cmd)
1311 snat_main_t *sm = &snat_main;
1312 unformat_input_t _line_input, *line_input = &_line_input;
1313 ip4_address_t in_addr, out_addr;
1316 clib_error_t *error = 0;
1318 if (!sm->deterministic)
1319 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1321 /* Get a line of input. */
1322 if (!unformat_user (input, unformat_line_input, line_input))
1325 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1327 if (unformat (line_input, "%U", unformat_ip4_address, &in_addr))
1331 error = clib_error_return (0, "unknown input '%U'",
1332 format_unformat_error, line_input);
/* Find the mapping whose inside prefix covers in_addr. */
1337 dm = snat_det_map_by_user (sm, &in_addr);
1339 vlib_cli_output (vm, "no match");
/* The host's range is ports_per_host wide, starting at lo_port. */
1342 snat_det_forward (dm, &in_addr, &out_addr, &lo_port);
1343 vlib_cli_output (vm, "%U:<%d-%d>", format_ip4_address, &out_addr,
1344 lo_port, lo_port + dm->ports_per_host - 1);
1348 unformat_free (line_input);
/*
 * CLI handler: for an outside address and port, look up the deterministic
 * mapping and print the inside address computed by snat_det_reverse().
 * Prints "no match" when no mapping is found. Available only in
 * deterministic mode.
 */
1353 static clib_error_t *
1354 snat_det_reverse_command_fn (vlib_main_t * vm,
1355 unformat_input_t * input,
1356 vlib_cli_command_t * cmd)
1358 snat_main_t *sm = &snat_main;
1359 unformat_input_t _line_input, *line_input = &_line_input;
1360 ip4_address_t in_addr, out_addr;
1363 clib_error_t *error = 0;
1365 if (!sm->deterministic)
1366 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1368 /* Get a line of input. */
1369 if (!unformat_user (input, unformat_line_input, line_input))
1372 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1375 (line_input, "%U:%d", unformat_ip4_address, &out_addr, &out_port))
1379 error = clib_error_return (0, "unknown input '%U'",
1380 format_unformat_error, line_input);
/* The port is range-checked before the (u16) cast below, so the cast cannot
 * truncate. This is the pattern the other handlers in this file that narrow
 * parsed integers would benefit from. */
1385 if (out_port < 1024 || out_port > 65535)
1387 error = clib_error_return (0, "wrong port, must be <1024-65535>");
1391 dm = snat_det_map_by_out (sm, &out_addr);
1393 vlib_cli_output (vm, "no match");
1396 snat_det_reverse (dm, &out_addr, (u16) out_port, &in_addr);
1397 vlib_cli_output (vm, "%U", format_ip4_address, &in_addr);
1401 unformat_free (line_input);
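/**
 * CLI handler: set or reset the NAT session timeouts.
 *
 * Recognised tokens, in any order: "udp <sec>", "tcp-established <sec>",
 * "tcp-transitory <sec>", "icmp <sec>", "reset".
 *
 * Each value is parsed into a local and offered to the matching
 * nat64_set_*() call first; the snat_main field is written only when that
 * call accepts it. Previously the parser wrote straight into snat_main, so a
 * value that was then rejected stayed in the live configuration even though
 * the command reported an error.
 *
 * @param vm    vlib main (unused here).
 * @param input CLI input; one line is consumed.
 * @param cmd   CLI command descriptor (unused here).
 * @return 0 on success, or a clib error naming the rejected value or the
 *         unknown token.
 */
static clib_error_t *
set_timeout_command_fn (vlib_main_t * vm,
                        unformat_input_t * input, vlib_cli_command_t * cmd)
{
  snat_main_t *sm = &snat_main;
  unformat_input_t _line_input, *line_input = &_line_input;
  clib_error_t *error = 0;
  u32 timeout = 0;

  /* Get a line of input. */
  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "udp %u", &timeout))
        {
          if (nat64_set_udp_timeout (timeout))
            {
              error = clib_error_return (0, "Invalid UDP timeout value");
              goto done;
            }
          sm->udp_timeout = timeout;
        }
      else if (unformat (line_input, "tcp-established %u", &timeout))
        {
          /* The TCP setter takes both timeouts; pass the current transitory
           * value unchanged alongside the candidate. */
          if (nat64_set_tcp_timeouts (sm->tcp_transitory_timeout, timeout))
            {
              error =
                clib_error_return (0,
                                   "Invalid TCP established timeouts value");
              goto done;
            }
          sm->tcp_established_timeout = timeout;
        }
      else if (unformat (line_input, "tcp-transitory %u", &timeout))
        {
          if (nat64_set_tcp_timeouts (timeout, sm->tcp_established_timeout))
            {
              error =
                clib_error_return (0,
                                   "Invalid TCP transitory timeouts value");
              goto done;
            }
          sm->tcp_transitory_timeout = timeout;
        }
      else if (unformat (line_input, "icmp %u", &timeout))
        {
          if (nat64_set_icmp_timeout (timeout))
            {
              error = clib_error_return (0, "Invalid ICMP timeout value");
              goto done;
            }
          sm->icmp_timeout = timeout;
        }
      else if (unformat (line_input, "reset"))
        {
          /* Restore the compile-time defaults and reset the NAT64 side by
           * passing 0 to its setters. */
          sm->udp_timeout = SNAT_UDP_TIMEOUT;
          sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
          sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
          sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
          nat64_set_udp_timeout (0);
          nat64_set_icmp_timeout (0);
          nat64_set_tcp_timeouts (0, 0);
        }
      else
        {
          error = clib_error_return (0, "unknown input '%U'",
                                     format_unformat_error, line_input);
          goto done;
        }
    }

done:
  unformat_free (line_input);

  return error;
}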
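/*
 * CLI handler for "show nat timeouts": print the four session timeouts held
 * in snat_main, one per line.
 *
 * The values are printed with %u because the "set nat timeout" handler
 * parses them with %u; with %d a value of 2^31 or more would be shown as a
 * negative number.  input and cmd are unused.  Always returns 0.
 */
static clib_error_t *
nat_show_timeouts_command_fn (vlib_main_t * vm,
			      unformat_input_t * input,
			      vlib_cli_command_t * cmd)
{
  snat_main_t *sm = &snat_main;

  vlib_cli_output (vm, "udp timeout: %usec", sm->udp_timeout);
  vlib_cli_output (vm, "tcp-established timeout: %usec",
		   sm->tcp_established_timeout);
  vlib_cli_output (vm, "tcp-transitory timeout: %usec",
		   sm->tcp_transitory_timeout);
  vlib_cli_output (vm, "icmp timeout: %usec", sm->icmp_timeout);

  return 0;
}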
/*
 * CLI handler for "show nat44 deterministic sessions".
 *
 * Refuses to run unless the plugin is in deterministic mode, then walks
 * every deterministic map in sm->det_maps and every slot of its session
 * vector, printing each one through format_det_map_ses.  input and cmd are
 * unused.
 */
static clib_error_t *
nat44_det_show_sessions_command_fn (vlib_main_t * vm,
				    unformat_input_t * input,
				    vlib_cli_command_t * cmd)
{
  snat_main_t *sm = &snat_main;
  /* NOTE(review): the declarations of dm and i sit on lines the listing
     omits; the types below are assumed -- confirm against the repository. */
  snat_det_map_t *dm;
  snat_det_session_t *ses;
  u32 i;

  if (!sm->deterministic)
    return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);

  vlib_cli_output (vm, "NAT44 deterministic sessions:");

  /* *INDENT-OFF* */
  pool_foreach (dm, sm->det_maps,
  ({
    vec_foreach_index (i, dm->sessions)
      {
        ses = vec_elt_at_index (dm->sessions, i);
        /* NOTE(review): one source line (gutter 1521) is missing from the
           listing between these two statements; restore it from the
           repository before reusing this loop. */
        vlib_cli_output (vm, " %U", format_det_map_ses, dm, ses, &i);
      }
  }));
  /* *INDENT-ON* */

  return 0;
}
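/*
 * CLI handler for "nat44 deterministic close session out".
 *
 * Parses "<out_addr>:<out_port> <ext_addr>:<ext_port>", looks up the
 * deterministic map owning the outside address and closes the matching
 * session, printing "no match" when the map or the session is not found.
 *
 * Changes against the listed code:
 *  - ports are range-checked before being narrowed to u16, so a value
 *    above 65535 is rejected instead of being silently truncated to some
 *    other session's port; out_port gets the same 1024-65535 bound that
 *    the "nat44 deterministic reverse" handler applies before it calls
 *    snat_det_reverse();
 *  - the lookup is skipped when the loop consumed no address/port pair,
 *    so the address and port locals are never read uninitialised;
 *  - line_input is released once, at the done label, instead of once after
 *    the loop and again at the label.
 *
 * vm is used for output only; cmd is unused.  Returns 0 or a clib error.
 */
static clib_error_t *
snat_det_close_session_out_fn (vlib_main_t * vm,
			       unformat_input_t * input,
			       vlib_cli_command_t * cmd)
{
  snat_main_t *sm = &snat_main;
  unformat_input_t _line_input, *line_input = &_line_input;
  ip4_address_t out_addr, ext_addr, in_addr;
  u32 out_port, ext_port;
  snat_det_map_t *dm;
  snat_det_session_t *ses;
  snat_det_out_key_t key;
  clib_error_t *error = 0;
  int have_args = 0;

  if (!sm->deterministic)
    return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);

  /* Get a line of input. */
  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "%U:%d %U:%d",
		    unformat_ip4_address, &out_addr, &out_port,
		    unformat_ip4_address, &ext_addr, &ext_port))
	have_args = 1;
      else
	{
	  error = clib_error_return (0, "unknown input '%U'",
				     format_unformat_error, line_input);
	  goto done;
	}
    }

  if (!have_args)
    {
      error =
	clib_error_return (0,
			   "expected <out_addr>:<out_port> <ext_addr>:<ext_port>");
      goto done;
    }

  if (out_port < 1024 || out_port > 65535)
    {
      error = clib_error_return (0, "wrong port, must be <1024-65535>");
      goto done;
    }

  if (ext_port > 65535)
    {
      error = clib_error_return (0, "wrong external port, must be <0-65535>");
      goto done;
    }

  dm = snat_det_map_by_out (sm, &out_addr);
  if (!dm)
    {
      vlib_cli_output (vm, "no match");
      goto done;
    }

  /* NOTE(review): the three calls below are kept exactly as listed, but
     they look inconsistent: snat_det_reverse() is given ext_addr where the
     reverse handler passes the outside address, key.ext_host_addr is set
     to out_addr where the close-session-in handler stores ext_addr, and
     the in_addr computed here is not used afterwards.  Confirm against the
     contracts of snat_det_reverse() and snat_det_get_ses_by_out(). */
  snat_det_reverse (dm, &ext_addr, (u16) out_port, &in_addr);
  key.ext_host_addr = out_addr;
  key.ext_host_port = ntohs ((u16) ext_port);
  key.out_port = ntohs ((u16) out_port);
  ses = snat_det_get_ses_by_out (dm, &out_addr, key.as_u64);
  if (!ses)
    vlib_cli_output (vm, "no match");
  else
    snat_det_ses_close (dm, ses);

done:
  unformat_free (line_input);

  return error;
}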
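/*
 * CLI handler for "nat44 deterministic close session in".
 *
 * Parses "<in_addr>:<in_port> <ext_addr>:<ext_port>", looks up the
 * deterministic map owning the inside address and closes the matching
 * session, printing "no match" when the map or the session is not found.
 *
 * Changes against the listed code:
 *  - ports above 65535 are rejected instead of being silently truncated by
 *    the (u16) casts, which could otherwise select a different session;
 *  - the lookup is skipped when the loop consumed no address/port pair,
 *    so the address and port locals are never read uninitialised;
 *  - key is zeroed before use, because only two of its fields are assigned
 *    here and the whole struct is passed by value;
 *  - line_input is released once, at the done label, instead of once after
 *    the loop and again at the label.
 *
 * vm is used for output only; cmd is unused.  Returns 0 or a clib error.
 */
static clib_error_t *
snat_det_close_session_in_fn (vlib_main_t * vm,
			      unformat_input_t * input,
			      vlib_cli_command_t * cmd)
{
  snat_main_t *sm = &snat_main;
  unformat_input_t _line_input, *line_input = &_line_input;
  ip4_address_t in_addr, ext_addr;
  u32 in_port, ext_port;
  snat_det_map_t *dm;
  snat_det_session_t *ses;
  snat_det_out_key_t key;
  clib_error_t *error = 0;
  int have_args = 0;

  if (!sm->deterministic)
    return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);

  /* Get a line of input. */
  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "%U:%d %U:%d",
		    unformat_ip4_address, &in_addr, &in_port,
		    unformat_ip4_address, &ext_addr, &ext_port))
	have_args = 1;
      else
	{
	  error = clib_error_return (0, "unknown input '%U'",
				     format_unformat_error, line_input);
	  goto done;
	}
    }

  if (!have_args)
    {
      error =
	clib_error_return (0,
			   "expected <in_addr>:<in_port> <ext_addr>:<ext_port>");
      goto done;
    }

  if (in_port > 65535 || ext_port > 65535)
    {
      error = clib_error_return (0, "wrong port, must be <0-65535>");
      goto done;
    }

  dm = snat_det_map_by_user (sm, &in_addr);
  if (!dm)
    {
      vlib_cli_output (vm, "no match");
      goto done;
    }

  key.as_u64 = 0;
  key.ext_host_addr = ext_addr;
  key.ext_host_port = ntohs ((u16) ext_port);
  ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs ((u16) in_port), key);
  if (!ses)
    vlib_cli_output (vm, "no match");
  else
    snat_det_ses_close (dm, ses);

done:
  unformat_free (line_input);

  return error;
}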
1649 * @cliexstart{set nat workers}
1650 * Set NAT workers if 2 or more workers available, use:
1651 * vpp# set nat workers 0-2,5
VLIB_CLI_COMMAND (set_workers_command, static) = {
  /* "set nat workers" is dispatched to set_workers_command_fn. */
  .path = "set nat workers",
  .short_help = "set nat workers <workers-list>",
  .function = set_workers_command_fn,
};
1662 * @cliexstart{show nat workers}
1664 * vpp# show nat workers:
VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
  /* "show nat workers" is dispatched to nat_show_workers_commnad_fn
     (handler name spelled as defined elsewhere in the file). */
  .path = "show nat workers",
  .function = nat_show_workers_commnad_fn,
  .short_help = "show nat workers",
};
1678 * @cliexstart{set nat timeout}
1679 * Set values of timeouts for NAT sessions (in seconds), use:
1680 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
1681 * To reset default values use:
1682 * vpp# set nat timeout reset
VLIB_CLI_COMMAND (set_timeout_command, static) = {
  /* "set nat timeout" is dispatched to set_timeout_command_fn. */
  .path = "set nat timeout",
  .short_help =
    "set nat timeout [udp <sec> | tcp-established <sec> "
    "tcp-transitory <sec> | icmp <sec> | reset]",
  .function = set_timeout_command_fn,
};
1695 * @cliexstart{show nat timeouts}
1696 * Show values of timeouts for NAT sessions.
1697 * vpp# show nat timeouts
1698 * udp timeout: 300sec
1699 * tcp-established timeout: 7440sec
1700 * tcp-transitory timeout: 240sec
1701 * icmp timeout: 60sec
VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
  /* "show nat timeouts" is dispatched to nat_show_timeouts_command_fn. */
  .path = "show nat timeouts",
  .function = nat_show_timeouts_command_fn,
  .short_help = "show nat timeouts",
};
1712 * @cliexstart{nat ipfix logging}
1713 * To enable NAT IPFIX logging use:
1714 * vpp# nat ipfix logging
1715 * To set IPFIX exporter use:
1716 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
  /* "nat ipfix logging" is dispatched to
     snat_ipfix_logging_enable_disable_command_fn. */
  .path = "nat ipfix logging",
  .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
  .function = snat_ipfix_logging_enable_disable_command_fn,
};
1727 * @cliexstart{nat addr-port-assignment-alg}
1728 * Set address and port assignment algorithm
1729 * For the MAP-E CE limit port choice based on PSID use:
1730 * vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
1731 * For port range use:
1732 * vpp# nat addr-port-assignment-alg port-range <start-port> - <end-port>
1733 * To set standard (default) address and port assignment algorithm use:
1734 * vpp# nat addr-port-assignment-alg default
VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
  /* "nat addr-port-assignment-alg" is dispatched to
     nat44_set_alloc_addr_and_port_alg_command_fn. */
  .path = "nat addr-port-assignment-alg",
  .function = nat44_set_alloc_addr_and_port_alg_command_fn,
  .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
};
1745 * @cliexstart{show nat addr-port-assignment-alg}
1746 * Show address and port assignment algorithm
VLIB_CLI_COMMAND (nat44_show_alloc_addr_and_port_alg_command, static) = {
  /* "show nat addr-port-assignment-alg" is dispatched to
     nat44_show_alloc_addr_and_port_alg_command_fn. */
  .path = "show nat addr-port-assignment-alg",
  .function = nat44_show_alloc_addr_and_port_alg_command_fn,
  .short_help = "show nat addr-port-assignment-alg",
};
1757 * @cliexstart{nat mss-clamping}
1758 * Set TCP MSS rewriting configuration
1759 * To enable TCP MSS rewriting use:
1760 * vpp# nat mss-clamping 1452
1761 * To disable TCP MSS rewriting use:
1762 * vpp# nat mss-clamping disable
VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
  /* "nat mss-clamping" is dispatched to nat_set_mss_clamping_command_fn. */
  .path = "nat mss-clamping",
  .function = nat_set_mss_clamping_command_fn,
  .short_help = "nat mss-clamping <mss-value>|disable",
};
1772 * @cliexstart{show nat mss-clamping}
1773 * Show TCP MSS rewriting configuration
VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
  /* "show nat mss-clamping" is dispatched to
     nat_show_mss_clamping_command_fn. */
  .path = "show nat mss-clamping",
  .function = nat_show_mss_clamping_command_fn,
  .short_help = "show nat mss-clamping",
};
1783 * @cliexstart{show nat44 hash tables}
1784 * Show NAT44 hash tables
VLIB_CLI_COMMAND (nat44_show_hash, static) = {
  /* "show nat44 hash tables" is dispatched to nat44_show_hash_commnad_fn
     (handler name spelled as defined elsewhere in the file). */
  .path = "show nat44 hash tables",
  .function = nat44_show_hash_commnad_fn,
  .short_help = "show nat44 hash tables [detail|verbose]",
};
1795 * @cliexstart{nat44 add address}
1796 * Add/delete NAT44 pool address.
1797 * To add NAT44 pool address use:
1798 * vpp# nat44 add address 172.16.1.3
1799 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
1800 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
1801 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
VLIB_CLI_COMMAND (add_address_command, static) = {
  /* "nat44 add address" is dispatched to add_address_command_fn. */
  .path = "nat44 add address",
  .function = add_address_command_fn,
  .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
                "[tenant-vrf <vrf-id>] [twice-nat] [del]",
};
1813 * @cliexstart{show nat44 addresses}
1814 * Show NAT44 pool addresses.
1815 * vpp# show nat44 addresses
1816 * NAT44 pool addresses:
1818 * tenant VRF independent
1827 * NAT44 twice-nat pool addresses:
1829 * tenant VRF independent
VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
  /* "show nat44 addresses" is dispatched to
     nat44_show_addresses_command_fn. */
  .path = "show nat44 addresses",
  .function = nat44_show_addresses_command_fn,
  .short_help = "show nat44 addresses",
};
1843 * @cliexstart{set interface nat44}
1844 * Enable/disable NAT44 feature on the interface.
1845 * To enable NAT44 feature with local network interface use:
1846 * vpp# set interface nat44 in GigabitEthernet0/8/0
1847 * To enable NAT44 feature with external network interface use:
1848 * vpp# set interface nat44 out GigabitEthernet0/a/0
1851 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
1852 .path = "set interface nat44",
1853 .function = snat_feature_command_fn,
1854 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
1860 * @cliexstart{show nat44 interfaces}
1861 * Show interfaces with NAT44 feature.
1862 * vpp# show nat44 interfaces
1864 * GigabitEthernet0/8/0 in
1865 * GigabitEthernet0/a/0 out
VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
  /* "show nat44 interfaces" is dispatched to
     nat44_show_interfaces_command_fn. */
  .path = "show nat44 interfaces",
  .function = nat44_show_interfaces_command_fn,
  .short_help = "show nat44 interfaces",
};
1876 * @cliexstart{nat44 add static mapping}
1877 * Static mapping allows hosts on the external network to initiate connection
1878 * to the local network host.
1879 * To create static mapping between local host address 10.0.0.3 port 6303 and
1880 * external address 4.4.4.4 port 3606 for TCP protocol use:
1881 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
1882 * If not running in "static mapping only" NAT plugin mode, first use:
1883 * vpp# nat44 add address 4.4.4.4
1884 * To create static mapping between local and external address use:
1885 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
  /* "nat44 add static mapping" is dispatched to
     add_static_mapping_command_fn. */
  .path = "nat44 add static mapping",
  .short_help =
    "nat44 add static mapping tcp|udp|icmp local <addr> [<port>] "
    "external <addr> [<port>] [vrf <table-id>] [twice-nat|self-twice-nat] "
    "[out2in-only] [del]",
  .function = add_static_mapping_command_fn,
};
1899 * @cliexstart{nat44 add identity mapping}
1900 * Identity mapping translates an IP address to itself.
1901 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
1903 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
1904 * To create identity mapping for address 10.0.0.3 use:
1905 * vpp# nat44 add identity mapping 10.0.0.3
1906 * To create identity mapping for DHCP addressed interface use:
1907 * vpp# nat44 add identity mapping GigabitEthernet0/a/0 tcp 3606
VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
  /* "nat44 add identity mapping" is dispatched to
     add_identity_mapping_command_fn. */
  .path = "nat44 add identity mapping",
  .short_help = "nat44 add identity mapping <interface>|<ip4-addr> "
                "[<protocol> <port>] [vrf <table-id>] [del]",
  .function = add_identity_mapping_command_fn,
};
1919 * @cliexstart{nat44 add load-balancing static mapping}
1920 * Service load balancing using NAT44
1921 * To add static mapping with load balancing for service with external IP
1922 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
1923 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
1924 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
  /* "nat44 add load-balancing static mapping" is dispatched to
     add_lb_static_mapping_command_fn. */
  .path = "nat44 add load-balancing static mapping",
  .short_help =
    "nat44 add load-balancing static mapping protocol tcp|udp "
    "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
    "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
    "[affinity <timeout-seconds>] [del]",
  .function = add_lb_static_mapping_command_fn,
};
1939 * @cliexstart{show nat44 static mappings}
1940 * Show NAT44 static mappings.
1941 * vpp# show nat44 static mappings
1942 * NAT44 static mappings:
1943 * local 10.0.0.3 external 4.4.4.4 vrf 0
1944 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
1945 * tcp vrf 0 external 1.2.3.4:80 out2in-only
1946 * local 10.100.10.10:8080 probability 80
1947 * local 10.100.10.20:8080 probability 20
1948 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
1949 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
  /* "show nat44 static mappings" is dispatched to
     nat44_show_static_mappings_command_fn. */
  .path = "show nat44 static mappings",
  .function = nat44_show_static_mappings_command_fn,
  .short_help = "show nat44 static mappings",
};
1960 * @cliexstart{nat44 add interface address}
1961 * Use NAT44 pool address from specific interface
1962 * To add NAT44 pool address from specific interface use:
1963 * vpp# nat44 add interface address GigabitEthernet0/8/0
VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
  /* "nat44 add interface address" is dispatched to
     snat_add_interface_address_command_fn. */
  .path = "nat44 add interface address",
  .function = snat_add_interface_address_command_fn,
  .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
};
1974 * @cliexstart{show nat44 interface address}
1975 * Show NAT44 pool address interfaces
1976 * vpp# show nat44 interface address
1977 * NAT44 pool address interfaces:
1978 * GigabitEthernet0/a/0
1979 * NAT44 twice-nat pool address interfaces:
1980 * GigabitEthernet0/8/0
VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
  /* "show nat44 interface address" is dispatched to
     nat44_show_interface_address_command_fn. */
  .path = "show nat44 interface address",
  .function = nat44_show_interface_address_command_fn,
  .short_help = "show nat44 interface address",
};
1991 * @cliexstart{show nat44 sessions}
1992 * Show NAT44 sessions.
VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
  /* "show nat44 sessions" is dispatched to nat44_show_sessions_command_fn. */
  .path = "show nat44 sessions",
  .function = nat44_show_sessions_command_fn,
  .short_help = "show nat44 sessions [detail]",
};
2003 * @cliexstart{nat44 del session}
2004 * To administratively delete NAT44 session by inside address and port use:
2005 * vpp# nat44 del session in 10.0.0.3:6303 tcp
2006 * To administratively delete NAT44 session by outside address and port use:
2007 * vpp# nat44 del session out 1.0.0.3:6033 udp
VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
  /* "nat44 del session" is dispatched to nat44_del_session_command_fn. */
  .path = "nat44 del session",
  .function = nat44_del_session_command_fn,
  .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
};
2018 * @cliexstart{nat44 forwarding}
2019 * Enable or disable forwarding
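2020 * Forward packets which don't match existing translation
2021 * or static mapping instead of dropping them.
 * With forwarding enabled, traffic that matches no translation is passed on
 * rather than dropped, so any filtering that relied on that drop has to be
 * provided separately.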
2022 * To enable forwarding, use:
2023 * vpp# nat44 forwarding enable
2024 * To disable forwarding, use:
2025 * vpp# nat44 forwarding disable
VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
  /* "nat44 forwarding" is dispatched to snat_forwarding_set_command_fn. */
  .path = "nat44 forwarding",
  .function = snat_forwarding_set_command_fn,
  .short_help = "nat44 forwarding enable|disable",
};
2036 * @cliexstart{nat44 deterministic add}
2037 * Create bijective mapping of inside address to outside address and port range
2038 * pairs, with the purpose of enabling deterministic NAT to reduce logging in
2040 * To create deterministic mapping between inside network 10.0.0.0/18 and
2041 * outside network 1.1.1.0/30 use:
2042 * vpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.0/30
VLIB_CLI_COMMAND (snat_det_map_command, static) = {
  /* "nat44 deterministic add" is dispatched to snat_det_map_command_fn. */
  .path = "nat44 deterministic add",
  .function = snat_det_map_command_fn,
  .short_help = "nat44 deterministic add in <addr>/<plen> out <addr>/<plen> [del]",
};
2053 * @cliexstart{show nat44 deterministic mappings}
2054 * Show NAT44 deterministic mappings
2055 * vpp# show nat44 deterministic mappings
2056 * NAT44 deterministic mappings:
2057 * in 10.0.0.0/24 out 1.1.1.1/32
2058 * outside address sharing ratio: 256
2059 * number of ports per inside host: 252
2060 * sessions number: 0
VLIB_CLI_COMMAND (nat44_det_show_mappings_command, static) = {
  /* "show nat44 deterministic mappings" is dispatched to
     nat44_det_show_mappings_command_fn. */
  .path = "show nat44 deterministic mappings",
  .function = nat44_det_show_mappings_command_fn,
  .short_help = "show nat44 deterministic mappings",
};
2071 * @cliexstart{nat44 deterministic forward}
2072 * Return outside address and port range from inside address for deterministic
2074 * To obtain outside address and port of inside host use:
2075 * vpp# nat44 deterministic forward 10.0.0.2
2076 * 1.1.1.0:<1054-1068>
VLIB_CLI_COMMAND (snat_det_forward_command, static) = {
  /* "nat44 deterministic forward" is dispatched to
     snat_det_forward_command_fn. */
  .path = "nat44 deterministic forward",
  .function = snat_det_forward_command_fn,
  .short_help = "nat44 deterministic forward <addr>",
};
2087 * @cliexstart{nat44 deterministic reverse}
2088 * Return inside address from outside address and port for deterministic NAT.
2089 * To obtain inside host address from outside address and port use:
2090 * vpp# nat44 deterministic reverse 1.1.1.1:1276
VLIB_CLI_COMMAND (snat_det_reverse_command, static) = {
  /* "nat44 deterministic reverse" is dispatched to
     snat_det_reverse_command_fn. */
  .path = "nat44 deterministic reverse",
  .function = snat_det_reverse_command_fn,
  .short_help = "nat44 deterministic reverse <addr>:<port>",
};
2102 * @cliexstart{show nat44 deterministic sessions}
2103 * Show NAT44 deterministic sessions.
2104 * vpp# show nat44 deterministic sessions
2105 * NAT44 deterministic sessions:
2106 * in 10.0.0.3:3005 out 1.1.1.2:1146 external host 172.16.1.2:3006 state: udp-active expire: 306
2107 * in 10.0.0.3:3000 out 1.1.1.2:1141 external host 172.16.1.2:3001 state: udp-active expire: 306
2108 * in 10.0.0.4:3005 out 1.1.1.2:1177 external host 172.16.1.2:3006 state: udp-active expire: 306
VLIB_CLI_COMMAND (nat44_det_show_sessions_command, static) = {
  /* "show nat44 deterministic sessions" is dispatched to
     nat44_det_show_sessions_command_fn. */
  .path = "show nat44 deterministic sessions",
  .function = nat44_det_show_sessions_command_fn,
  .short_help = "show nat44 deterministic sessions",
};
2119 * @cliexstart{nat44 deterministic close session out}
2120 * Close session using outside ip address and port
2121 * and external ip address and port, use:
2122 * vpp# nat44 deterministic close session out 1.1.1.1:1276 2.2.2.2:2387
VLIB_CLI_COMMAND (snat_det_close_sesion_out_command, static) = {
  /* "nat44 deterministic close session out" is dispatched to
     snat_det_close_session_out_fn. */
  .path = "nat44 deterministic close session out",
  .function = snat_det_close_session_out_fn,
  .short_help = "nat44 deterministic close session out "
                "<out_addr>:<out_port> <ext_addr>:<ext_port>",
};
2134 * @cliexstart{nat44 deterministic close session in}
2135 * Close session using inside ip address and port
2136 * and external ip address and port, use:
2137 * vpp# nat44 deterministic close session in 3.3.3.3:3487 2.2.2.2:2387
VLIB_CLI_COMMAND (snat_det_close_session_in_command, static) = {
  /* "nat44 deterministic close session in" is dispatched to
     snat_det_close_session_in_fn. */
  .path = "nat44 deterministic close session in",
  .function = snat_det_close_session_in_fn,
  .short_help = "nat44 deterministic close session in "
                "<in_addr>:<in_port> <ext_addr>:<ext_port>",
};
2150 * fd.io coding-style-patch-verification: ON
2153 * eval: (c-set-style "gnu")