2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
21 #include <nat/nat_ipfix_logging.h>
22 #include <nat/nat64.h>
23 #include <nat/nat_inlines.h>
24 #include <nat/nat44/inlines.h>
25 #include <nat/nat_affinity.h>
26 #include <vnet/fib/fib_table.h>
27 #include <nat/nat_ha.h>
29 #define UNSUPPORTED_IN_ED_MODE_STR \
30 "This command is unsupported in endpoint dependent mode"
31 #define SUPPORTED_ONLY_IN_ED_MODE_STR \
32 "This command is supported only in endpoint dependent mode"
35 set_workers_command_fn (vlib_main_t * vm,
36 unformat_input_t * input, vlib_cli_command_t * cmd)
38 unformat_input_t _line_input, *line_input = &_line_input;
41 clib_error_t *error = 0;
43 /* Get a line of input. */
44 if (!unformat_user (input, unformat_line_input, line_input))
47 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
49 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
53 error = clib_error_return (0, "unknown input '%U'",
54 format_unformat_error, line_input);
61 error = clib_error_return (0, "List of workers must be specified.");
65 rv = snat_set_workers (bitmap);
67 clib_bitmap_free (bitmap);
71 case VNET_API_ERROR_INVALID_WORKER:
72 error = clib_error_return (0, "Invalid worker(s).");
74 case VNET_API_ERROR_FEATURE_DISABLED:
75 error = clib_error_return (0,
76 "Supported only if 2 or more workes available.");
83 unformat_free (line_input);
89 nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
90 vlib_cli_command_t * cmd)
92 snat_main_t *sm = &snat_main;
95 if (sm->num_workers > 1)
97 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
99 vec_foreach (worker, sm->workers)
101 vlib_worker_thread_t *w =
102 vlib_worker_threads + *worker + sm->first_worker_index;
103 vlib_cli_output (vm, " %s", w->name);
111 static clib_error_t *
112 snat_set_log_level_command_fn (vlib_main_t * vm,
113 unformat_input_t * input,
114 vlib_cli_command_t * cmd)
116 unformat_input_t _line_input, *line_input = &_line_input;
117 snat_main_t *sm = &snat_main;
118 u8 log_level = SNAT_LOG_NONE;
119 clib_error_t *error = 0;
121 /* Get a line of input. */
122 if (!unformat_user (input, unformat_line_input, line_input))
125 if (!unformat (line_input, "%d", &log_level))
127 error = clib_error_return (0, "unknown input '%U'",
128 format_unformat_error, line_input);
131 if (log_level > SNAT_LOG_DEBUG)
133 error = clib_error_return (0, "unknown logging level '%d'", log_level);
136 sm->log_level = log_level;
139 unformat_free (line_input);
144 static clib_error_t *
145 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
146 unformat_input_t * input,
147 vlib_cli_command_t * cmd)
149 unformat_input_t _line_input, *line_input = &_line_input;
154 clib_error_t *error = 0;
156 /* Get a line of input. */
157 if (!unformat_user (input, unformat_line_input, line_input))
159 rv = snat_ipfix_logging_enable_disable (enable, domain_id,
162 return clib_error_return (0, "ipfix logging enable failed");
166 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
168 if (unformat (line_input, "domain %d", &domain_id))
170 else if (unformat (line_input, "src-port %d", &src_port))
172 else if (unformat (line_input, "disable"))
176 error = clib_error_return (0, "unknown input '%U'",
177 format_unformat_error, line_input);
182 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
186 error = clib_error_return (0, "ipfix logging enable failed");
191 unformat_free (line_input);
196 static clib_error_t *
197 nat44_show_hash_command_fn (vlib_main_t * vm, unformat_input_t * input,
198 vlib_cli_command_t * cmd)
200 snat_main_t *sm = &snat_main;
201 snat_main_per_thread_data_t *tsm;
202 nat_affinity_main_t *nam = &nat_affinity_main;
206 if (unformat (input, "detail"))
208 else if (unformat (input, "verbose"))
211 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->static_mapping_by_local,
213 vlib_cli_output (vm, "%U",
214 format_bihash_8_8, &sm->static_mapping_by_external,
216 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->out2in_ed, verbose);
217 vec_foreach_index (i, sm->per_thread_data)
219 tsm = vec_elt_at_index (sm->per_thread_data, i);
220 vlib_cli_output (vm, "-------- thread %d %s --------\n",
221 i, vlib_worker_threads[i].name);
222 if (sm->endpoint_dependent)
224 vlib_cli_output (vm, "%U", format_bihash_16_8, &tsm->in2out_ed,
229 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->in2out, verbose);
230 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->out2in, verbose);
232 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->user_hash, verbose);
235 if (sm->endpoint_dependent)
237 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash,
241 vlib_cli_output (vm, "-------- hash table parameters --------\n");
242 vlib_cli_output (vm, "translation buckets: %u", sm->translation_buckets);
243 vlib_cli_output (vm, "translation memory size: %U",
244 format_memory_size, sm->translation_memory_size);
245 if (!sm->endpoint_dependent)
247 vlib_cli_output (vm, "user buckets: %u", sm->user_buckets);
248 vlib_cli_output (vm, "user memory size: %U",
249 format_memory_size, sm->user_memory_size);
254 static clib_error_t *
255 nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
256 unformat_input_t * input,
257 vlib_cli_command_t * cmd)
259 unformat_input_t _line_input, *line_input = &_line_input;
260 clib_error_t *error = 0;
261 u32 psid, psid_offset, psid_length, port_start, port_end;
263 /* Get a line of input. */
264 if (!unformat_user (input, unformat_line_input, line_input))
267 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
269 if (unformat (line_input, "default"))
270 nat_set_alloc_addr_and_port_default ();
273 (line_input, "map-e psid %d psid-offset %d psid-len %d", &psid,
274 &psid_offset, &psid_length))
275 nat_set_alloc_addr_and_port_mape ((u16) psid, (u16) psid_offset,
279 (line_input, "port-range %d - %d", &port_start, &port_end))
281 if (port_end <= port_start)
284 clib_error_return (0,
285 "The end-port must be greater than start-port");
288 nat_set_alloc_addr_and_port_range ((u16) port_start,
293 error = clib_error_return (0, "unknown input '%U'",
294 format_unformat_error, line_input);
300 unformat_free (line_input);
305 static clib_error_t *
306 nat44_show_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
307 unformat_input_t * input,
308 vlib_cli_command_t * cmd)
310 snat_main_t *sm = &snat_main;
312 vlib_cli_output (vm, "NAT address and port: %U",
313 format_nat_addr_and_port_alloc_alg,
314 sm->addr_and_port_alloc_alg);
315 switch (sm->addr_and_port_alloc_alg)
317 case NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE:
318 vlib_cli_output (vm, " psid %d psid-offset %d psid-len %d", sm->psid,
319 sm->psid_offset, sm->psid_length);
321 case NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE:
322 vlib_cli_output (vm, " start-port %d end-port %d", sm->start_port,
332 static clib_error_t *
333 nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
334 vlib_cli_command_t * cmd)
336 unformat_input_t _line_input, *line_input = &_line_input;
337 snat_main_t *sm = &snat_main;
338 clib_error_t *error = 0;
341 /* Get a line of input. */
342 if (!unformat_user (input, unformat_line_input, line_input))
345 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
347 if (unformat (line_input, "disable"))
348 sm->mss_clamping = 0;
349 else if (unformat (line_input, "%d", &mss))
350 sm->mss_clamping = (u16) mss;
353 error = clib_error_return (0, "unknown input '%U'",
354 format_unformat_error, line_input);
360 unformat_free (line_input);
365 static clib_error_t *
366 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
367 vlib_cli_command_t * cmd)
369 snat_main_t *sm = &snat_main;
371 if (sm->mss_clamping)
372 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
374 vlib_cli_output (vm, "mss-clamping disabled");
379 static clib_error_t *
380 nat_ha_failover_command_fn (vlib_main_t * vm, unformat_input_t * input,
381 vlib_cli_command_t * cmd)
383 unformat_input_t _line_input, *line_input = &_line_input;
385 u32 port, session_refresh_interval = 10;
387 clib_error_t *error = 0;
389 /* Get a line of input. */
390 if (!unformat_user (input, unformat_line_input, line_input))
393 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
395 if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
399 (line_input, "refresh-interval %u", &session_refresh_interval))
403 error = clib_error_return (0, "unknown input '%U'",
404 format_unformat_error, line_input);
409 rv = nat_ha_set_failover (&addr, (u16) port, session_refresh_interval);
411 error = clib_error_return (0, "set HA failover failed");
414 unformat_free (line_input);
419 static clib_error_t *
420 nat_ha_listener_command_fn (vlib_main_t * vm, unformat_input_t * input,
421 vlib_cli_command_t * cmd)
423 unformat_input_t _line_input, *line_input = &_line_input;
425 u32 port, path_mtu = 512;
427 clib_error_t *error = 0;
429 /* Get a line of input. */
430 if (!unformat_user (input, unformat_line_input, line_input))
433 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
435 if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
437 else if (unformat (line_input, "path-mtu %u", &path_mtu))
441 error = clib_error_return (0, "unknown input '%U'",
442 format_unformat_error, line_input);
447 rv = nat_ha_set_listener (&addr, (u16) port, path_mtu);
449 error = clib_error_return (0, "set HA listener failed");
452 unformat_free (line_input);
457 static clib_error_t *
458 nat_show_ha_command_fn (vlib_main_t * vm, unformat_input_t * input,
459 vlib_cli_command_t * cmd)
463 u32 path_mtu, session_refresh_interval, resync_ack_missed;
466 nat_ha_get_listener (&addr, &port, &path_mtu);
469 vlib_cli_output (vm, "NAT HA disabled\n");
473 vlib_cli_output (vm, "LISTENER:\n");
474 vlib_cli_output (vm, " %U:%u path-mtu %u\n",
475 format_ip4_address, &addr, port, path_mtu);
477 nat_ha_get_failover (&addr, &port, &session_refresh_interval);
478 vlib_cli_output (vm, "FAILOVER:\n");
480 vlib_cli_output (vm, " %U:%u refresh-interval %usec\n",
481 format_ip4_address, &addr, port,
482 session_refresh_interval);
484 vlib_cli_output (vm, " NA\n");
486 nat_ha_get_resync_status (&in_resync, &resync_ack_missed);
487 vlib_cli_output (vm, "RESYNC:\n");
489 vlib_cli_output (vm, " in progress\n");
491 vlib_cli_output (vm, " completed (%d ACK missed)\n", resync_ack_missed);
496 static clib_error_t *
497 nat_ha_flush_command_fn (vlib_main_t * vm, unformat_input_t * input,
498 vlib_cli_command_t * cmd)
504 static clib_error_t *
505 nat_ha_resync_command_fn (vlib_main_t * vm, unformat_input_t * input,
506 vlib_cli_command_t * cmd)
508 clib_error_t *error = 0;
510 if (nat_ha_resync (0, 0, 0))
511 error = clib_error_return (0, "NAT HA resync already running");
516 static clib_error_t *
517 add_address_command_fn (vlib_main_t * vm,
518 unformat_input_t * input, vlib_cli_command_t * cmd)
520 unformat_input_t _line_input, *line_input = &_line_input;
521 snat_main_t *sm = &snat_main;
522 ip4_address_t start_addr, end_addr, this_addr;
523 u32 start_host_order, end_host_order;
528 clib_error_t *error = 0;
531 /* Get a line of input. */
532 if (!unformat_user (input, unformat_line_input, line_input))
535 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
537 if (unformat (line_input, "%U - %U",
538 unformat_ip4_address, &start_addr,
539 unformat_ip4_address, &end_addr))
541 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
543 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
544 end_addr = start_addr;
545 else if (unformat (line_input, "twice-nat"))
547 else if (unformat (line_input, "del"))
551 error = clib_error_return (0, "unknown input '%U'",
552 format_unformat_error, line_input);
557 if (sm->static_mapping_only)
559 error = clib_error_return (0, "static mapping only mode");
563 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
564 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
566 if (end_host_order < start_host_order)
568 error = clib_error_return (0, "end address less than start address");
572 count = (end_host_order - start_host_order) + 1;
575 nat_log_info ("%U - %U, %d addresses...",
576 format_ip4_address, &start_addr,
577 format_ip4_address, &end_addr, count);
579 this_addr = start_addr;
581 for (i = 0; i < count; i++)
584 rv = snat_add_address (sm, &this_addr, vrf_id, twice_nat);
586 rv = snat_del_address (sm, this_addr, 0, twice_nat);
590 case VNET_API_ERROR_VALUE_EXIST:
591 error = clib_error_return (0, "NAT address already in use.");
593 case VNET_API_ERROR_NO_SUCH_ENTRY:
594 error = clib_error_return (0, "NAT address not exist.");
596 case VNET_API_ERROR_UNSPECIFIED:
598 clib_error_return (0, "NAT address used in static mapping.");
600 case VNET_API_ERROR_FEATURE_DISABLED:
602 clib_error_return (0,
603 "twice NAT available only for endpoint-dependent mode.");
610 nat44_add_del_address_dpo (this_addr, is_add);
612 increment_v4_address (&this_addr);
616 unformat_free (line_input);
622 nat44_show_lru_summary (vlib_main_t * vm, snat_main_per_thread_data_t * tsm,
623 u64 now, u64 sess_timeout_time)
625 snat_main_t *sm = &snat_main;
626 dlist_elt_t *oldest_elt;
632 clib_dlist_remove_head (tsm->lru_pool, tsm->n##_lru_head_index); \
633 if (~0 != oldest_index) \
635 oldest_elt = pool_elt_at_index (tsm->lru_pool, oldest_index); \
636 s = pool_elt_at_index (tsm->sessions, oldest_elt->value); \
637 sess_timeout_time = \
638 s->last_heard + (f64)nat44_session_get_timeout (sm, s); \
639 vlib_cli_output (vm, d " LRU min session timeout %llu (now %llu)", \
640 sess_timeout_time, now); \
641 clib_dlist_addhead (tsm->lru_pool, tsm->n##_lru_head_index, \
644 _(tcp_estab, "established tcp");
645 _(tcp_trans, "transitory tcp");
647 _(unk_proto, "unknown protocol");
652 static clib_error_t *
653 nat44_show_summary_command_fn (vlib_main_t * vm, unformat_input_t * input,
654 vlib_cli_command_t * cmd)
656 snat_main_per_thread_data_t *tsm;
657 snat_main_t *sm = &snat_main;
660 if (!sm->endpoint_dependent)
661 return clib_error_return (0, SUPPORTED_ONLY_IN_ED_MODE_STR);
665 u64 now = vlib_time_now (vm);
666 u64 sess_timeout_time;
668 u32 udp_sessions = 0;
669 u32 tcp_sessions = 0;
670 u32 icmp_sessions = 0;
674 u32 transitory_wait_closed = 0;
675 u32 transitory_closed = 0;
680 for (fib = 0; fib < vec_len (sm->max_translations_per_fib); fib++)
681 vlib_cli_output (vm, "max translations per thread: %u fib %u",
682 sm->max_translations_per_fib[fib], fib);
684 if (sm->num_workers > 1)
687 vec_foreach (tsm, sm->per_thread_data)
689 pool_foreach (s, tsm->sessions,
691 sess_timeout_time = s->last_heard +
692 (f64) nat44_session_get_timeout (sm, s);
693 if (now >= sess_timeout_time)
696 switch (s->nat_proto)
698 case NAT_PROTOCOL_ICMP:
701 case NAT_PROTOCOL_TCP:
705 if (s->tcp_closed_timestamp)
707 if (now >= s->tcp_closed_timestamp)
713 ++transitory_wait_closed;
721 case NAT_PROTOCOL_UDP:
727 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
728 count += pool_elts (tsm->sessions);
734 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
736 pool_foreach (s, tsm->sessions,
738 sess_timeout_time = s->last_heard +
739 (f64) nat44_session_get_timeout (sm, s);
740 if (now >= sess_timeout_time)
743 switch (s->nat_proto)
745 case NAT_PROTOCOL_ICMP:
748 case NAT_PROTOCOL_TCP:
752 if (s->tcp_closed_timestamp)
754 if (now >= s->tcp_closed_timestamp)
760 ++transitory_wait_closed;
768 case NAT_PROTOCOL_UDP:
775 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
776 count = pool_elts (tsm->sessions);
779 vlib_cli_output (vm, "total timed out sessions: %u", timed_out);
780 vlib_cli_output (vm, "total sessions: %u", count);
781 vlib_cli_output (vm, "total tcp sessions: %u", tcp_sessions);
782 vlib_cli_output (vm, "total tcp established sessions: %u", established);
783 vlib_cli_output (vm, "total tcp transitory sessions: %u", transitory);
784 vlib_cli_output (vm, "total tcp transitory (WAIT-CLOSED) sessions: %u",
785 transitory_wait_closed);
786 vlib_cli_output (vm, "total tcp transitory (CLOSED) sessions: %u",
788 vlib_cli_output (vm, "total udp sessions: %u", udp_sessions);
789 vlib_cli_output (vm, "total icmp sessions: %u", icmp_sessions);
793 static clib_error_t *
794 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
795 vlib_cli_command_t * cmd)
797 snat_main_t *sm = &snat_main;
800 vlib_cli_output (vm, "NAT44 pool addresses:");
802 vec_foreach (ap, sm->addresses)
804 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
805 if (ap->fib_index != ~0)
806 vlib_cli_output (vm, " tenant VRF: %u",
807 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
809 vlib_cli_output (vm, " tenant VRF independent");
810 #define _(N, i, n, s) \
811 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
815 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
816 vec_foreach (ap, sm->twice_nat_addresses)
818 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
819 if (ap->fib_index != ~0)
820 vlib_cli_output (vm, " tenant VRF: %u",
821 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
823 vlib_cli_output (vm, " tenant VRF independent");
824 #define _(N, i, n, s) \
825 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
833 static clib_error_t *
834 snat_feature_command_fn (vlib_main_t * vm,
835 unformat_input_t * input, vlib_cli_command_t * cmd)
837 unformat_input_t _line_input, *line_input = &_line_input;
838 vnet_main_t *vnm = vnet_get_main ();
839 clib_error_t *error = 0;
841 u32 *inside_sw_if_indices = 0;
842 u32 *outside_sw_if_indices = 0;
843 u8 is_output_feature = 0;
849 /* Get a line of input. */
850 if (!unformat_user (input, unformat_line_input, line_input))
853 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
855 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
857 vec_add1 (inside_sw_if_indices, sw_if_index);
858 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
860 vec_add1 (outside_sw_if_indices, sw_if_index);
861 else if (unformat (line_input, "output-feature"))
862 is_output_feature = 1;
863 else if (unformat (line_input, "del"))
867 error = clib_error_return (0, "unknown input '%U'",
868 format_unformat_error, line_input);
873 if (vec_len (inside_sw_if_indices))
875 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
877 sw_if_index = inside_sw_if_indices[i];
878 if (is_output_feature)
880 if (snat_interface_add_del_output_feature
881 (sw_if_index, 1, is_del))
883 error = clib_error_return (0, "%s %U failed",
884 is_del ? "del" : "add",
885 format_vnet_sw_if_index_name,
892 if (snat_interface_add_del (sw_if_index, 1, is_del))
894 error = clib_error_return (0, "%s %U failed",
895 is_del ? "del" : "add",
896 format_vnet_sw_if_index_name,
904 if (vec_len (outside_sw_if_indices))
906 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
908 sw_if_index = outside_sw_if_indices[i];
909 if (is_output_feature)
911 if (snat_interface_add_del_output_feature
912 (sw_if_index, 0, is_del))
914 error = clib_error_return (0, "%s %U failed",
915 is_del ? "del" : "add",
916 format_vnet_sw_if_index_name,
923 if (snat_interface_add_del (sw_if_index, 0, is_del))
925 error = clib_error_return (0, "%s %U failed",
926 is_del ? "del" : "add",
927 format_vnet_sw_if_index_name,
936 unformat_free (line_input);
937 vec_free (inside_sw_if_indices);
938 vec_free (outside_sw_if_indices);
943 static clib_error_t *
944 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
945 vlib_cli_command_t * cmd)
947 snat_main_t *sm = &snat_main;
949 vnet_main_t *vnm = vnet_get_main ();
951 vlib_cli_output (vm, "NAT44 interfaces:");
953 pool_foreach (i, sm->interfaces,
955 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
957 (nat_interface_is_inside(i) &&
958 nat_interface_is_outside(i)) ? "in out" :
959 (nat_interface_is_inside(i) ? "in" : "out"));
962 pool_foreach (i, sm->output_feature_interfaces,
964 vlib_cli_output (vm, " %U output-feature %s",
965 format_vnet_sw_if_index_name, vnm,
967 (nat_interface_is_inside(i) &&
968 nat_interface_is_outside(i)) ? "in out" :
969 (nat_interface_is_inside(i) ? "in" : "out"));
976 static clib_error_t *
977 add_static_mapping_command_fn (vlib_main_t * vm,
978 unformat_input_t * input,
979 vlib_cli_command_t * cmd)
981 unformat_input_t _line_input, *line_input = &_line_input;
982 clib_error_t *error = 0;
983 ip4_address_t l_addr, e_addr;
984 u32 l_port = 0, e_port = 0, vrf_id = ~0;
987 u32 sw_if_index = ~0;
988 vnet_main_t *vnm = vnet_get_main ();
990 nat_protocol_t proto = NAT_PROTOCOL_OTHER;
992 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
995 /* Get a line of input. */
996 if (!unformat_user (input, unformat_line_input, line_input))
999 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1001 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
1005 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
1007 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
1010 else if (unformat (line_input, "external %U", unformat_ip4_address,
1013 else if (unformat (line_input, "external %U %u",
1014 unformat_vnet_sw_interface, vnm, &sw_if_index,
1018 else if (unformat (line_input, "external %U",
1019 unformat_vnet_sw_interface, vnm, &sw_if_index))
1021 else if (unformat (line_input, "vrf %u", &vrf_id))
1023 else if (unformat (line_input, "%U", unformat_nat_protocol, &proto))
1025 else if (unformat (line_input, "twice-nat"))
1026 twice_nat = TWICE_NAT;
1027 else if (unformat (line_input, "self-twice-nat"))
1028 twice_nat = TWICE_NAT_SELF;
1029 else if (unformat (line_input, "out2in-only"))
1031 else if (unformat (line_input, "del"))
1035 error = clib_error_return (0, "unknown input: '%U'",
1036 format_unformat_error, line_input);
1041 if (twice_nat && addr_only)
1043 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
1052 clib_error_return (0,
1053 "address only mapping doesn't support protocol");
1057 else if (!proto_set)
1059 error = clib_error_return (0, "protocol is required");
1063 rv = snat_add_static_mapping (l_addr, e_addr, clib_host_to_net_u16 (l_port),
1064 clib_host_to_net_u16 (e_port),
1065 vrf_id, addr_only, sw_if_index, proto, is_add,
1066 twice_nat, out2in_only, 0, 0);
1070 case VNET_API_ERROR_INVALID_VALUE:
1071 error = clib_error_return (0, "External port already in use.");
1073 case VNET_API_ERROR_NO_SUCH_ENTRY:
1075 error = clib_error_return (0, "External address must be allocated.");
1077 error = clib_error_return (0, "Mapping not exist.");
1079 case VNET_API_ERROR_NO_SUCH_FIB:
1080 error = clib_error_return (0, "No such VRF id.");
1082 case VNET_API_ERROR_VALUE_EXIST:
1083 error = clib_error_return (0, "Mapping already exist.");
1085 case VNET_API_ERROR_FEATURE_DISABLED:
1087 clib_error_return (0,
1088 "twice-nat/out2in-only available only for endpoint-dependent mode.");
1095 unformat_free (line_input);
1100 static clib_error_t *
1101 add_identity_mapping_command_fn (vlib_main_t * vm,
1102 unformat_input_t * input,
1103 vlib_cli_command_t * cmd)
1105 unformat_input_t _line_input, *line_input = &_line_input;
1106 clib_error_t *error = 0;
1108 u32 port = 0, vrf_id = ~0;
1111 u32 sw_if_index = ~0;
1112 vnet_main_t *vnm = vnet_get_main ();
1114 nat_protocol_t proto;
1118 /* Get a line of input. */
1119 if (!unformat_user (input, unformat_line_input, line_input))
1122 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1124 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
1126 else if (unformat (line_input, "external %U",
1127 unformat_vnet_sw_interface, vnm, &sw_if_index))
1129 else if (unformat (line_input, "vrf %u", &vrf_id))
1131 else if (unformat (line_input, "%U %u", unformat_nat_protocol, &proto,
1134 else if (unformat (line_input, "del"))
1138 error = clib_error_return (0, "unknown input: '%U'",
1139 format_unformat_error, line_input);
1145 snat_add_static_mapping (addr, addr, clib_host_to_net_u16 (port),
1146 clib_host_to_net_u16 (port), vrf_id, addr_only,
1147 sw_if_index, proto, is_add, 0, 0, 0, 1);
1151 case VNET_API_ERROR_INVALID_VALUE:
1152 error = clib_error_return (0, "External port already in use.");
1154 case VNET_API_ERROR_NO_SUCH_ENTRY:
1156 error = clib_error_return (0, "External address must be allocated.");
1158 error = clib_error_return (0, "Mapping not exist.");
1160 case VNET_API_ERROR_NO_SUCH_FIB:
1161 error = clib_error_return (0, "No such VRF id.");
1163 case VNET_API_ERROR_VALUE_EXIST:
1164 error = clib_error_return (0, "Mapping already exist.");
1171 unformat_free (line_input);
1176 static clib_error_t *
1177 add_lb_static_mapping_command_fn (vlib_main_t * vm,
1178 unformat_input_t * input,
1179 vlib_cli_command_t * cmd)
1181 unformat_input_t _line_input, *line_input = &_line_input;
1182 clib_error_t *error = 0;
1183 ip4_address_t l_addr, e_addr;
1184 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
1187 nat_protocol_t proto;
1189 nat44_lb_addr_port_t *locals = 0, local;
1190 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
1193 /* Get a line of input. */
1194 if (!unformat_user (input, unformat_line_input, line_input))
1197 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1199 if (unformat (line_input, "local %U:%u probability %u",
1200 unformat_ip4_address, &l_addr, &l_port, &probability))
1202 clib_memset (&local, 0, sizeof (local));
1203 local.addr = l_addr;
1204 local.port = (u16) l_port;
1205 local.probability = (u8) probability;
1206 vec_add1 (locals, local);
1208 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1209 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1212 clib_memset (&local, 0, sizeof (local));
1213 local.addr = l_addr;
1214 local.port = (u16) l_port;
1215 local.probability = (u8) probability;
1216 local.vrf_id = vrf_id;
1217 vec_add1 (locals, local);
1219 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1222 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1225 else if (unformat (line_input, "twice-nat"))
1226 twice_nat = TWICE_NAT;
1227 else if (unformat (line_input, "self-twice-nat"))
1228 twice_nat = TWICE_NAT_SELF;
1229 else if (unformat (line_input, "out2in-only"))
1231 else if (unformat (line_input, "del"))
1233 else if (unformat (line_input, "affinity %u", &affinity))
1237 error = clib_error_return (0, "unknown input: '%U'",
1238 format_unformat_error, line_input);
1243 if (vec_len (locals) < 2)
1245 error = clib_error_return (0, "at least two local must be set");
1251 error = clib_error_return (0, "missing protocol");
1255 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
1256 is_add, twice_nat, out2in_only, 0,
1261 case VNET_API_ERROR_INVALID_VALUE:
1262 error = clib_error_return (0, "External port already in use.");
1264 case VNET_API_ERROR_NO_SUCH_ENTRY:
1266 error = clib_error_return (0, "External address must be allocated.");
1268 error = clib_error_return (0, "Mapping not exist.");
1270 case VNET_API_ERROR_VALUE_EXIST:
1271 error = clib_error_return (0, "Mapping already exist.");
1273 case VNET_API_ERROR_FEATURE_DISABLED:
1275 clib_error_return (0, "Available only for endpoint-dependent mode.");
1282 unformat_free (line_input);
1288 static clib_error_t *
1289 add_lb_backend_command_fn (vlib_main_t * vm,
1290 unformat_input_t * input, vlib_cli_command_t * cmd)
1292 unformat_input_t _line_input, *line_input = &_line_input;
1293 clib_error_t *error = 0;
1294 ip4_address_t l_addr, e_addr;
1295 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
1298 nat_protocol_t proto;
1301 /* Get a line of input. */
1302 if (!unformat_user (input, unformat_line_input, line_input))
1305 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1307 if (unformat (line_input, "local %U:%u probability %u",
1308 unformat_ip4_address, &l_addr, &l_port, &probability))
1310 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1311 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1314 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1317 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1320 else if (unformat (line_input, "del"))
1324 error = clib_error_return (0, "unknown input: '%U'",
1325 format_unformat_error, line_input);
1330 if (!l_port || !e_port)
1332 error = clib_error_return (0, "local or external must be set");
1338 error = clib_error_return (0, "missing protocol");
1343 nat44_lb_static_mapping_add_del_local (e_addr, (u16) e_port, l_addr,
1344 l_port, proto, vrf_id, probability,
1349 case VNET_API_ERROR_INVALID_VALUE:
1350 error = clib_error_return (0, "External is not load-balancing static "
1353 case VNET_API_ERROR_NO_SUCH_ENTRY:
1354 error = clib_error_return (0, "Mapping or back-end not exist.");
1356 case VNET_API_ERROR_VALUE_EXIST:
1357 error = clib_error_return (0, "Back-end already exist.");
1359 case VNET_API_ERROR_FEATURE_DISABLED:
1361 clib_error_return (0, "Available only for endpoint-dependent mode.");
1363 case VNET_API_ERROR_UNSPECIFIED:
1364 error = clib_error_return (0, "At least two back-ends must remain");
1371 unformat_free (line_input);
1376 static clib_error_t *
1377 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
1378 unformat_input_t * input,
1379 vlib_cli_command_t * cmd)
1381 snat_main_t *sm = &snat_main;
1382 snat_static_mapping_t *m;
1383 snat_static_map_resolve_t *rp;
1385 vlib_cli_output (vm, "NAT44 static mappings:");
1387 pool_foreach (m, sm->static_mappings,
1389 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
1391 vec_foreach (rp, sm->to_resolve)
1392 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
1398 static clib_error_t *
1399 snat_add_interface_address_command_fn (vlib_main_t * vm,
1400 unformat_input_t * input,
1401 vlib_cli_command_t * cmd)
1403 snat_main_t *sm = &snat_main;
1404 unformat_input_t _line_input, *line_input = &_line_input;
1408 clib_error_t *error = 0;
1411 /* Get a line of input. */
1412 if (!unformat_user (input, unformat_line_input, line_input))
1415 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1417 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
1418 sm->vnet_main, &sw_if_index))
1420 else if (unformat (line_input, "twice-nat"))
1422 else if (unformat (line_input, "del"))
1426 error = clib_error_return (0, "unknown input '%U'",
1427 format_unformat_error, line_input);
1432 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
1440 error = clib_error_return (0, "snat_add_interface_address returned %d",
1446 unformat_free (line_input);
1451 static clib_error_t *
1452 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1453 unformat_input_t * input,
1454 vlib_cli_command_t * cmd)
1456 snat_main_t *sm = &snat_main;
1457 vnet_main_t *vnm = vnet_get_main ();
1461 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1462 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1464 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1467 vlib_cli_output (vm, "NAT44 twice-nat pool address interfaces:");
1468 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
1470 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1478 static clib_error_t *
1479 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1480 vlib_cli_command_t * cmd)
1482 unformat_input_t _line_input, *line_input = &_line_input;
1483 clib_error_t *error = 0;
1485 snat_main_per_thread_data_t *tsm;
1486 snat_main_t *sm = &snat_main;
1491 if (!unformat_user (input, unformat_line_input, line_input))
1494 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1496 if (unformat (line_input, "detail"))
1500 error = clib_error_return (0, "unknown input '%U'",
1501 format_unformat_error, line_input);
1505 unformat_free (line_input);
1508 if (!sm->endpoint_dependent)
1509 vlib_cli_output (vm, "NAT44 sessions:");
1511 vlib_cli_output (vm, "NAT44 ED sessions:");
1514 vec_foreach_index (i, sm->per_thread_data)
1516 tsm = vec_elt_at_index (sm->per_thread_data, i);
1518 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1519 i, vlib_worker_threads[i].name,
1520 pool_elts (tsm->sessions));
1522 if (!sm->endpoint_dependent)
1525 pool_foreach (u, tsm->users,
1527 vlib_cli_output (vm, " %U", format_snat_user, tsm, u, detail);
1533 pool_foreach (s, tsm->sessions,
1535 vlib_cli_output (vm, " %U\n", format_snat_session, tsm, s);
1543 static clib_error_t *
1544 nat44_set_session_limit_command_fn (vlib_main_t * vm,
1545 unformat_input_t * input,
1546 vlib_cli_command_t * cmd)
1548 unformat_input_t _line_input, *line_input = &_line_input;
1549 clib_error_t *error = 0;
1551 u32 session_limit = 0, vrf_id = 0;
1553 /* Get a line of input. */
1554 if (!unformat_user (input, unformat_line_input, line_input))
1557 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1559 if (unformat (line_input, "%u", &session_limit))
1561 else if (unformat (line_input, "vrf %u", &vrf_id))
1565 error = clib_error_return (0, "unknown input '%U'",
1566 format_unformat_error, line_input);
1572 error = clib_error_return (0, "missing value of session limit");
1573 else if (nat44_update_session_limit (session_limit, vrf_id))
1574 error = clib_error_return (0, "nat44_set_session_limit failed");
1577 unformat_free (line_input);
1582 static clib_error_t *
1583 nat44_del_user_command_fn (vlib_main_t * vm,
1584 unformat_input_t * input, vlib_cli_command_t * cmd)
1586 snat_main_t *sm = &snat_main;
1587 unformat_input_t _line_input, *line_input = &_line_input;
1588 clib_error_t *error = 0;
1593 if (sm->endpoint_dependent)
1594 return clib_error_return (0, UNSUPPORTED_IN_ED_MODE_STR);
1596 /* Get a line of input. */
1597 if (!unformat_user (input, unformat_line_input, line_input))
1600 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1602 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
1604 else if (unformat (line_input, "fib %u", &fib_index))
1608 error = clib_error_return (0, "unknown input '%U'",
1609 format_unformat_error, line_input);
1614 rv = nat44_user_del (&addr, fib_index);
1618 error = clib_error_return (0, "nat44_user_del returned %d", rv);
1622 unformat_free (line_input);
1627 static clib_error_t *
1628 nat44_clear_sessions_command_fn (vlib_main_t * vm,
1629 unformat_input_t * input,
1630 vlib_cli_command_t * cmd)
1632 clib_error_t *error = 0;
1633 nat44_sessions_clear ();
1637 static clib_error_t *
1638 nat44_del_session_command_fn (vlib_main_t * vm,
1639 unformat_input_t * input,
1640 vlib_cli_command_t * cmd)
1642 snat_main_t *sm = &snat_main;
1643 unformat_input_t _line_input, *line_input = &_line_input;
1644 int is_in = 0, is_ed = 0;
1645 clib_error_t *error = 0;
1646 ip4_address_t addr, eh_addr;
1647 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1648 nat_protocol_t proto;
1651 /* Get a line of input. */
1652 if (!unformat_user (input, unformat_line_input, line_input))
1655 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1658 (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1659 unformat_nat_protocol, &proto))
1661 else if (unformat (line_input, "in"))
1664 vrf_id = sm->inside_vrf_id;
1666 else if (unformat (line_input, "out"))
1669 vrf_id = sm->outside_vrf_id;
1671 else if (unformat (line_input, "vrf %u", &vrf_id))
1675 (line_input, "external-host %U:%u", unformat_ip4_address,
1676 &eh_addr, &eh_port))
1680 error = clib_error_return (0, "unknown input '%U'",
1681 format_unformat_error, line_input);
1688 nat44_del_ed_session (sm, &addr, clib_host_to_net_u16 (port), &eh_addr,
1689 clib_host_to_net_u16 (eh_port),
1690 nat_proto_to_ip_proto (proto), vrf_id, is_in);
1693 nat44_del_session (sm, &addr, clib_host_to_net_u16 (port), proto,
1702 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1707 unformat_free (line_input);
1712 static clib_error_t *
1713 snat_forwarding_set_command_fn (vlib_main_t * vm,
1714 unformat_input_t * input,
1715 vlib_cli_command_t * cmd)
1717 snat_main_t *sm = &snat_main;
1718 unformat_input_t _line_input, *line_input = &_line_input;
1719 u8 forwarding_enable;
1720 u8 forwarding_enable_set = 0;
1721 clib_error_t *error = 0;
1723 /* Get a line of input. */
1724 if (!unformat_user (input, unformat_line_input, line_input))
1725 return clib_error_return (0, "'enable' or 'disable' expected");
1727 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1729 if (!forwarding_enable_set && unformat (line_input, "enable"))
1731 forwarding_enable = 1;
1732 forwarding_enable_set = 1;
1734 else if (!forwarding_enable_set && unformat (line_input, "disable"))
1736 forwarding_enable = 0;
1737 forwarding_enable_set = 1;
1741 error = clib_error_return (0, "unknown input '%U'",
1742 format_unformat_error, line_input);
1747 if (!forwarding_enable_set)
1749 error = clib_error_return (0, "'enable' or 'disable' expected");
1753 sm->forwarding_enabled = forwarding_enable;
1756 unformat_free (line_input);
1761 static clib_error_t *
1762 set_timeout_command_fn (vlib_main_t * vm,
1763 unformat_input_t * input, vlib_cli_command_t * cmd)
1765 snat_main_t *sm = &snat_main;
1766 unformat_input_t _line_input, *line_input = &_line_input;
1767 clib_error_t *error = 0;
1769 /* Get a line of input. */
1770 if (!unformat_user (input, unformat_line_input, line_input))
1773 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1775 if (unformat (line_input, "udp %u", &sm->udp_timeout))
1777 if (nat64_set_udp_timeout (sm->udp_timeout))
1779 error = clib_error_return (0, "Invalid UDP timeout value");
1783 else if (unformat (line_input, "tcp-established %u",
1784 &sm->tcp_established_timeout))
1786 if (nat64_set_tcp_timeouts
1787 (sm->tcp_transitory_timeout, sm->tcp_established_timeout))
1790 clib_error_return (0,
1791 "Invalid TCP established timeouts value");
1795 else if (unformat (line_input, "tcp-transitory %u",
1796 &sm->tcp_transitory_timeout))
1798 if (nat64_set_tcp_timeouts
1799 (sm->tcp_transitory_timeout, sm->tcp_established_timeout))
1802 clib_error_return (0,
1803 "Invalid TCP transitory timeouts value");
1807 else if (unformat (line_input, "icmp %u", &sm->icmp_timeout))
1809 if (nat64_set_icmp_timeout (sm->icmp_timeout))
1811 error = clib_error_return (0, "Invalid ICMP timeout value");
1815 else if (unformat (line_input, "reset"))
1817 sm->udp_timeout = SNAT_UDP_TIMEOUT;
1818 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
1819 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
1820 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
1821 nat64_set_udp_timeout (0);
1822 nat64_set_icmp_timeout (0);
1823 nat64_set_tcp_timeouts (0, 0);
1827 error = clib_error_return (0, "unknown input '%U'",
1828 format_unformat_error, line_input);
1833 unformat_free (line_input);
1837 static clib_error_t *
1838 nat_show_timeouts_command_fn (vlib_main_t * vm,
1839 unformat_input_t * input,
1840 vlib_cli_command_t * cmd)
1842 snat_main_t *sm = &snat_main;
1844 vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
1845 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1846 sm->tcp_established_timeout);
1847 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1848 sm->tcp_transitory_timeout);
1849 vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
1854 static clib_error_t *
1855 nat44_debug_fib_expire_command_fn (vlib_main_t * vm,
1856 unformat_input_t * input,
1857 vlib_cli_command_t * cmd)
1859 unformat_input_t _line_input, *line_input = &_line_input;
1860 clib_error_t *error = 0;
1863 /* Get a line of input. */
1864 if (!unformat_user (input, unformat_line_input, line_input))
1867 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1869 if (unformat (line_input, "%u", &fib))
1873 error = clib_error_return (0, "unknown input '%U'",
1874 format_unformat_error, line_input);
1878 expire_per_vrf_sessions (fib);
1880 unformat_free (line_input);
1884 static clib_error_t *
1885 nat44_debug_fib_registration_command_fn (vlib_main_t * vm,
1886 unformat_input_t * input,
1887 vlib_cli_command_t * cmd)
1889 snat_main_t *sm = &snat_main;
1890 snat_main_per_thread_data_t *tsm;
1891 per_vrf_sessions_t *per_vrf_sessions;
1893 vlib_cli_output (vm, "VRF registration debug:");
1894 vec_foreach (tsm, sm->per_thread_data)
1896 vlib_cli_output (vm, "thread %u:", tsm->thread_index);
1897 vec_foreach (per_vrf_sessions, tsm->per_vrf_sessions_vec)
1899 vlib_cli_output (vm, "rx fib %u tx fib %u ses count %u %s",
1900 per_vrf_sessions->rx_fib_index,
1901 per_vrf_sessions->tx_fib_index,
1902 per_vrf_sessions->ses_count,
1903 per_vrf_sessions->expired ? "expired" : "");
1913 VLIB_CLI_COMMAND (nat44_debug_fib_expire_command, static) = {
1914 .path = "debug nat44 fib expire",
1915 .short_help = "debug nat44 fib expire <fib-index>",
1916 .function = nat44_debug_fib_expire_command_fn,
1921 VLIB_CLI_COMMAND (nat44_debug_fib_registration_command, static) = {
1922 .path = "debug nat44 fib registration",
1923 .short_help = "debug nat44 fib registration",
1924 .function = nat44_debug_fib_registration_command_fn,
1929 * @cliexstart{set snat workers}
1930 * Set NAT workers if 2 or more workers available, use:
1931 * vpp# set snat workers 0-2,5
1934 VLIB_CLI_COMMAND (set_workers_command, static) = {
1935 .path = "set nat workers",
1936 .function = set_workers_command_fn,
1937 .short_help = "set nat workers <workers-list>",
1942 * @cliexstart{show nat workers}
1944 * vpp# show nat workers:
1950 VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
1951 .path = "show nat workers",
1952 .short_help = "show nat workers",
1953 .function = nat_show_workers_commnad_fn,
1958 * @cliexstart{set nat timeout}
1959 * Set values of timeouts for NAT sessions (in seconds), use:
1960 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
1961 * To reset default values use:
1962 * vpp# set nat timeout reset
1965 VLIB_CLI_COMMAND (set_timeout_command, static) = {
1966 .path = "set nat timeout",
1967 .function = set_timeout_command_fn,
1969 "set nat timeout [udp <sec> | tcp-established <sec> "
1970 "tcp-transitory <sec> | icmp <sec> | reset]",
1975 * @cliexstart{show nat timeouts}
1976 * Show values of timeouts for NAT sessions.
1977 * vpp# show nat timeouts
1978 * udp timeout: 300sec
1979 * tcp-established timeout: 7440sec
1980 * tcp-transitory timeout: 240sec
1981 * icmp timeout: 60sec
1984 VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
1985 .path = "show nat timeouts",
1986 .short_help = "show nat timeouts",
1987 .function = nat_show_timeouts_command_fn,
1992 * @cliexstart{nat set logging level}
1993 * To set NAT logging level use:
1994 * Set nat logging level
1997 VLIB_CLI_COMMAND (snat_set_log_level_command, static) = {
1998 .path = "nat set logging level",
1999 .function = snat_set_log_level_command_fn,
2000 .short_help = "nat set logging level <level>",
2005 * @cliexstart{snat ipfix logging}
2006 * To enable NAT IPFIX logging use:
2007 * vpp# nat ipfix logging
2008 * To set IPFIX exporter use:
2009 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
2012 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
2013 .path = "nat ipfix logging",
2014 .function = snat_ipfix_logging_enable_disable_command_fn,
2015 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
2020 * @cliexstart{nat addr-port-assignment-alg}
2021 * Set address and port assignment algorithm
2022 * For the MAP-E CE limit port choice based on PSID use:
2023 * vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
2024 * For port range use:
2025 * vpp# nat addr-port-assignment-alg port-range <start-port> - <end-port>
2026 * To set standard (default) address and port assignment algorithm use:
2027 * vpp# nat addr-port-assignment-alg default
2030 VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
2031 .path = "nat addr-port-assignment-alg",
2032 .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
2033 .function = nat44_set_alloc_addr_and_port_alg_command_fn,
2038 * @cliexstart{show nat addr-port-assignment-alg}
2039 * Show address and port assignment algorithm
2042 VLIB_CLI_COMMAND (nat44_show_alloc_addr_and_port_alg_command, static) = {
2043 .path = "show nat addr-port-assignment-alg",
2044 .short_help = "show nat addr-port-assignment-alg",
2045 .function = nat44_show_alloc_addr_and_port_alg_command_fn,
2050 * @cliexstart{nat mss-clamping}
2051 * Set TCP MSS rewriting configuration
2052 * To enable TCP MSS rewriting use:
2053 * vpp# nat mss-clamping 1452
2054 * To disbale TCP MSS rewriting use:
2055 * vpp# nat mss-clamping disable
2058 VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
2059 .path = "nat mss-clamping",
2060 .short_help = "nat mss-clamping <mss-value>|disable",
2061 .function = nat_set_mss_clamping_command_fn,
2066 * @cliexstart{show nat mss-clamping}
2067 * Show TCP MSS rewriting configuration
2070 VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
2071 .path = "show nat mss-clamping",
2072 .short_help = "show nat mss-clamping",
2073 .function = nat_show_mss_clamping_command_fn,
2078 * @cliexstart{nat ha failover}
2079 * Set HA failover (remote settings)
2082 VLIB_CLI_COMMAND (nat_ha_failover_command, static) = {
2083 .path = "nat ha failover",
2084 .short_help = "nat ha failover <ip4-address>:<port> [refresh-interval <sec>]",
2085 .function = nat_ha_failover_command_fn,
2090 * @cliexstart{nat ha listener}
2091 * Set HA listener (local settings)
2094 VLIB_CLI_COMMAND (nat_ha_listener_command, static) = {
2095 .path = "nat ha listener",
2096 .short_help = "nat ha listener <ip4-address>:<port> [path-mtu <path-mtu>]",
2097 .function = nat_ha_listener_command_fn,
2102 * @cliexstart{show nat ha}
2103 * Show HA configuration/status
2106 VLIB_CLI_COMMAND (nat_show_ha_command, static) = {
2107 .path = "show nat ha",
2108 .short_help = "show nat ha",
2109 .function = nat_show_ha_command_fn,
2114 * @cliexstart{nat ha flush}
2115 * Flush the current HA data (for testing)
2118 VLIB_CLI_COMMAND (nat_ha_flush_command, static) = {
2119 .path = "nat ha flush",
2120 .short_help = "nat ha flush",
2121 .function = nat_ha_flush_command_fn,
2126 * @cliexstart{nat ha resync}
2127 * Resync HA (resend existing sessions to new failover)
2130 VLIB_CLI_COMMAND (nat_ha_resync_command, static) = {
2131 .path = "nat ha resync",
2132 .short_help = "nat ha resync",
2133 .function = nat_ha_resync_command_fn,
2138 * @cliexstart{show nat44 hash tables}
2139 * Show NAT44 hash tables
2142 VLIB_CLI_COMMAND (nat44_show_hash, static) = {
2143 .path = "show nat44 hash tables",
2144 .short_help = "show nat44 hash tables [detail|verbose]",
2145 .function = nat44_show_hash_command_fn,
2150 * @cliexstart{nat44 add address}
2151 * Add/delete NAT44 pool address.
2152 * To add NAT44 pool address use:
2153 * vpp# nat44 add address 172.16.1.3
2154 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
2155 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
2156 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
2159 VLIB_CLI_COMMAND (add_address_command, static) = {
2160 .path = "nat44 add address",
2161 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
2162 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
2163 .function = add_address_command_fn,
2168 * @cliexstart{show nat44 summary}
2169 * Show NAT44 summary
2170 * vpp# show nat44 summary
2173 VLIB_CLI_COMMAND (nat44_show_summary_command, static) = {
2174 .path = "show nat44 summary",
2175 .short_help = "show nat44 summary",
2176 .function = nat44_show_summary_command_fn,
2181 * @cliexstart{show nat44 addresses}
2182 * Show NAT44 pool addresses.
2183 * vpp# show nat44 addresses
2184 * NAT44 pool addresses:
2186 * tenant VRF independent
2195 * NAT44 twice-nat pool addresses:
2197 * tenant VRF independent
2203 VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
2204 .path = "show nat44 addresses",
2205 .short_help = "show nat44 addresses",
2206 .function = nat44_show_addresses_command_fn,
2211 * @cliexstart{set interface nat44}
2212 * Enable/disable NAT44 feature on the interface.
2213 * To enable NAT44 feature with local network interface use:
2214 * vpp# set interface nat44 in GigabitEthernet0/8/0
2215 * To enable NAT44 feature with external network interface use:
2216 * vpp# set interface nat44 out GigabitEthernet0/a/0
2219 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
2220 .path = "set interface nat44",
2221 .function = snat_feature_command_fn,
2222 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
2228 * @cliexstart{show nat44 interfaces}
2229 * Show interfaces with NAT44 feature.
2230 * vpp# show nat44 interfaces
2232 * GigabitEthernet0/8/0 in
2233 * GigabitEthernet0/a/0 out
2236 VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
2237 .path = "show nat44 interfaces",
2238 .short_help = "show nat44 interfaces",
2239 .function = nat44_show_interfaces_command_fn,
2244 * @cliexstart{nat44 add static mapping}
2245 * Static mapping allows hosts on the external network to initiate connection
2246 * to to the local network host.
2247 * To create static mapping between local host address 10.0.0.3 port 6303 and
2248 * external address 4.4.4.4 port 3606 for TCP protocol use:
2249 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
2250 * If not runnig "static mapping only" NAT plugin mode use before:
2251 * vpp# nat44 add address 4.4.4.4
2252 * To create address only static mapping between local and external address use:
2253 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
2254 * To create ICMP static mapping between local and external with ICMP echo
2255 * identifier 10 use:
2256 * vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
2259 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
2260 .path = "nat44 add static mapping",
2261 .function = add_static_mapping_command_fn,
2263 "nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
2264 "external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
2265 "[out2in-only] [del]",
2270 * @cliexstart{nat44 add identity mapping}
2271 * Identity mapping translate an IP address to itself.
2272 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
2274 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
2275 * To create identity mapping for address 10.0.0.3 use:
2276 * vpp# nat44 add identity mapping 10.0.0.3
2277 * To create identity mapping for DHCP addressed interface use:
2278 * vpp# nat44 add identity mapping external GigabitEthernet0/a/0 tcp 3606
2281 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
2282 .path = "nat44 add identity mapping",
2283 .function = add_identity_mapping_command_fn,
2284 .short_help = "nat44 add identity mapping <ip4-addr>|external <interface> "
2285 "[<protocol> <port>] [vrf <table-id>] [del]",
2290 * @cliexstart{nat44 add load-balancing static mapping}
2291 * Service load balancing using NAT44
2292 * To add static mapping with load balancing for service with external IP
2293 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
2294 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
2295 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
2298 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
2299 .path = "nat44 add load-balancing static mapping",
2300 .function = add_lb_static_mapping_command_fn,
2302 "nat44 add load-balancing static mapping protocol tcp|udp "
2303 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2304 "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
2305 "[affinity <timeout-seconds>] [del]",
2310 * @cliexstart{nat44 add load-balancing static mapping}
2311 * Modify service load balancing using NAT44
2312 * To add new back-end server 10.100.10.30:8080 for service load balancing
2313 * static mapping with external IP address 1.2.3.4 and TCP port 80 use:
2314 * vpp# nat44 add load-balancing back-end protocol tcp external 1.2.3.4:80 local 10.100.10.30:8080 probability 25
2317 VLIB_CLI_COMMAND (add_lb_backend_command, static) = {
2318 .path = "nat44 add load-balancing back-end",
2319 .function = add_lb_backend_command_fn,
2321 "nat44 add load-balancing back-end protocol tcp|udp "
2322 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2323 "probability <n> [del]",
2328 * @cliexstart{show nat44 static mappings}
2329 * Show NAT44 static mappings.
2330 * vpp# show nat44 static mappings
2331 * NAT44 static mappings:
2332 * local 10.0.0.3 external 4.4.4.4 vrf 0
2333 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
2334 * tcp vrf 0 external 1.2.3.4:80 out2in-only
2335 * local 10.100.10.10:8080 probability 80
2336 * local 10.100.10.20:8080 probability 20
2337 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
2338 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
2341 VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
2342 .path = "show nat44 static mappings",
2343 .short_help = "show nat44 static mappings",
2344 .function = nat44_show_static_mappings_command_fn,
2349 * @cliexstart{nat44 add interface address}
2350 * Use NAT44 pool address from specific interfce
2351 * To add NAT44 pool address from specific interface use:
2352 * vpp# nat44 add interface address GigabitEthernet0/8/0
2355 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2356 .path = "nat44 add interface address",
2357 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
2358 .function = snat_add_interface_address_command_fn,
2363 * @cliexstart{show nat44 interface address}
2364 * Show NAT44 pool address interfaces
2365 * vpp# show nat44 interface address
2366 * NAT44 pool address interfaces:
2367 * GigabitEthernet0/a/0
2368 * NAT44 twice-nat pool address interfaces:
2369 * GigabitEthernet0/8/0
2372 VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
2373 .path = "show nat44 interface address",
2374 .short_help = "show nat44 interface address",
2375 .function = nat44_show_interface_address_command_fn,
2380 * @cliexstart{show nat44 sessions}
2381 * Show NAT44 sessions.
2384 VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
2385 .path = "show nat44 sessions",
2386 .short_help = "show nat44 sessions [detail|metrics]",
2387 .function = nat44_show_sessions_command_fn,
2392 * @cliexstart{set nat44 session limit}
2393 * Set NAT44 session limit.
2396 VLIB_CLI_COMMAND (nat44_set_session_limit_command, static) = {
2397 .path = "set nat44 session limit",
2398 .short_help = "set nat44 session limit <limit> [vrf <table-id>]",
2399 .function = nat44_set_session_limit_command_fn,
2404 * @cliexstart{nat44 del user}
2405 * To delete all NAT44 user sessions:
2406 * vpp# nat44 del user 10.0.0.3
2409 VLIB_CLI_COMMAND (nat44_del_user_command, static) = {
2410 .path = "nat44 del user",
2411 .short_help = "nat44 del user <addr> [fib <index>]",
2412 .function = nat44_del_user_command_fn,
2417 * @cliexstart{clear nat44 sessions}
2418 * To clear all NAT44 sessions
2419 * vpp# clear nat44 sessions
2422 VLIB_CLI_COMMAND (nat44_clear_sessions_command, static) = {
2423 .path = "clear nat44 sessions",
2424 .short_help = "clear nat44 sessions",
2425 .function = nat44_clear_sessions_command_fn,
2430 * @cliexstart{nat44 del session}
2431 * To administratively delete NAT44 session by inside address and port use:
2432 * vpp# nat44 del session in 10.0.0.3:6303 tcp
2433 * To administratively delete NAT44 session by outside address and port use:
2434 * vpp# nat44 del session out 1.0.0.3:6033 udp
2437 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
2438 .path = "nat44 del session",
2439 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
2440 .function = nat44_del_session_command_fn,
2445 * @cliexstart{nat44 forwarding}
2446 * Enable or disable forwarding
2447 * Forward packets which don't match existing translation
2448 * or static mapping instead of dropping them.
2449 * To enable forwarding, use:
2450 * vpp# nat44 forwarding enable
2451 * To disable forwarding, use:
2452 * vpp# nat44 forwarding disable
2455 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
2456 .path = "nat44 forwarding",
2457 .short_help = "nat44 forwarding enable|disable",
2458 .function = snat_forwarding_set_command_fn,
2464 * fd.io coding-style-patch-verification: ON
2467 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob