2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
21 #include <nat/nat_ipfix_logging.h>
22 #include <nat/nat_det.h>
23 #include <nat/nat64.h>
24 #include <nat/nat_inlines.h>
25 #include <nat/nat_affinity.h>
26 #include <vnet/fib/fib_table.h>
/* CLI error text returned by commands that refuse to run in deterministic NAT mode. */
28 #define UNSUPPORTED_IN_DET_MODE_STR \
29 "This command is unsupported in deterministic mode"
/* CLI error text returned by commands that run only in deterministic NAT mode. */
30 #define SUPPORTED_ONLY_IN_DET_MODE_STR \
31 "This command is supported only in deterministic mode"
/*
 * CLI handler that sets the NAT worker threads from a bitmap list.
 *
 * Refuses to run in deterministic mode. The bitmap parsed from the command
 * line is passed to snat_set_workers() and freed afterwards; the
 * VNET_API_ERROR_INVALID_WORKER and VNET_API_ERROR_FEATURE_DISABLED results
 * are reported as CLI errors.
 *
 * NOTE(review): several lines of this function (return type, braces, some
 * declarations and branches) are not part of this listing; confirm the exact
 * control flow against the complete file.
 */
34 set_workers_command_fn (vlib_main_t * vm,
35 unformat_input_t * input, vlib_cli_command_t * cmd)
37 unformat_input_t _line_input, *line_input = &_line_input;
38 snat_main_t *sm = &snat_main;
41 clib_error_t *error = 0;
/* Worker assignment is not offered in deterministic mode. */
43 if (sm->deterministic)
44 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
46 /* Get a line of input. */
47 if (!unformat_user (input, unformat_line_input, line_input))
50 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
52 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
/* Input that does not parse as a bitmap list is echoed back in the error. */
56 error = clib_error_return (0, "unknown input '%U'",
57 format_unformat_error, line_input);
64 error = clib_error_return (0, "List of workers must be specified.");
68 rv = snat_set_workers (bitmap);
/* The bitmap is released once snat_set_workers() has returned. */
70 clib_bitmap_free (bitmap);
74 case VNET_API_ERROR_INVALID_WORKER:
75 error = clib_error_return (0, "Invalid worker(s).");
77 case VNET_API_ERROR_FEATURE_DISABLED:
78 error = clib_error_return (0,
79 "Supported only if 2 or more workes available.");
86 unformat_free (line_input);
/*
 * CLI handler that lists the NAT worker threads.
 *
 * Refuses to run in deterministic mode. Tests sm->num_workers > 1, then
 * prints the length of sm->workers and the name of each worker thread.
 */
92 nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
93 vlib_cli_command_t * cmd)
95 snat_main_t *sm = &snat_main;
98 if (sm->deterministic)
99 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
101 if (sm->num_workers > 1)
103 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
105 vec_foreach (worker, sm->workers)
/* Each entry of sm->workers is added to sm->first_worker_index to index vlib_worker_threads. */
107 vlib_worker_thread_t *w =
108 vlib_worker_threads + *worker + sm->first_worker_index;
109 vlib_cli_output (vm, " %s", w->name);
/*
 * CLI handler that enables or disables NAT IPFIX logging.
 *
 * Accepts "domain <n>", "src-port <n>" and "disable" and forwards the result
 * to snat_ipfix_logging_enable_disable(); a failure is reported as
 * "ipfix logging enable failed".
 *
 * NOTE(review): src_port is parsed with "%d" and narrowed with a (u16) cast;
 * no range check is visible in this listing, so a value outside 0..65535
 * would be truncated silently. Confirm, and reject out-of-range values before
 * the cast if the full file does not already do so.
 */
117 static clib_error_t *
118 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
119 unformat_input_t * input,
120 vlib_cli_command_t * cmd)
122 unformat_input_t _line_input, *line_input = &_line_input;
127 clib_error_t *error = 0;
129 /* Get a line of input. */
130 if (!unformat_user (input, unformat_line_input, line_input))
133 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
135 if (unformat (line_input, "domain %d", &domain_id))
137 else if (unformat (line_input, "src-port %d", &src_port))
139 else if (unformat (line_input, "disable"))
143 error = clib_error_return (0, "unknown input '%U'",
144 format_unformat_error, line_input);
/* The parsed source port is narrowed to 16 bits at the call. */
149 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
153 error = clib_error_return (0, "ipfix logging enable failed");
158 unformat_free (line_input);
/*
 * CLI handler that dumps the NAT44 bihash tables.
 *
 * Recognises the keywords "detail" and "verbose". Prints the two static
 * mapping tables, then for every entry of sm->per_thread_data the per-thread
 * session tables (the 16_8 endpoint-dependent tables when
 * sm->endpoint_dependent is tested true, the 8_8 in2out/out2in tables
 * otherwise - presumably an else branch whose keyword is not in this listing)
 * and the user hash, and finally the affinity hash in endpoint-dependent mode.
 */
163 static clib_error_t *
164 nat44_show_hash_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
165 vlib_cli_command_t * cmd)
167 snat_main_t *sm = &snat_main;
168 snat_main_per_thread_data_t *tsm;
169 nat_affinity_main_t *nam = &nat_affinity_main;
173 if (unformat (input, "detail"))
175 else if (unformat (input, "verbose"))
/* Static mapping tables are global, not per thread. */
178 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->static_mapping_by_local,
180 vlib_cli_output (vm, "%U",
181 format_bihash_8_8, &sm->static_mapping_by_external,
183 vec_foreach_index (i, sm->per_thread_data)
185 tsm = vec_elt_at_index (sm->per_thread_data, i);
/* The same index i selects both the per-thread data and the thread name. */
186 vlib_cli_output (vm, "-------- thread %d %s --------\n",
187 i, vlib_worker_threads[i].name);
188 if (sm->endpoint_dependent)
190 vlib_cli_output (vm, "%U", format_bihash_16_8, &tsm->in2out_ed,
192 vlib_cli_output (vm, "%U", format_bihash_16_8, &tsm->out2in_ed,
197 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->in2out, verbose);
198 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->out2in, verbose);
200 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->user_hash, verbose);
203 if (sm->endpoint_dependent)
204 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash,
/*
 * CLI handler that selects the NAT address and port allocation algorithm.
 *
 * Refuses to run in deterministic mode. Accepts "default",
 * "map-e psid <n> psid-offset <n> psid-len <n>" or "port-range <a> - <b>"
 * and calls the matching nat_set_alloc_addr_and_port_*() setter. A port range
 * whose end is not greater than its start is rejected.
 *
 * NOTE(review): psid, psid_offset, psid_length, port_start and port_end are
 * u32 values parsed with "%d" and narrowed with (u16) casts. The only range
 * check visible in this listing is port_end <= port_start, so values above
 * 65535 would be truncated rather than rejected. Confirm against the full
 * file.
 */
209 static clib_error_t *
210 nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
211 unformat_input_t * input,
212 vlib_cli_command_t * cmd)
214 unformat_input_t _line_input, *line_input = &_line_input;
215 snat_main_t *sm = &snat_main;
216 clib_error_t *error = 0;
217 u32 psid, psid_offset, psid_length, port_start, port_end;
219 if (sm->deterministic)
220 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
222 /* Get a line of input. */
223 if (!unformat_user (input, unformat_line_input, line_input))
226 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
228 if (unformat (line_input, "default"))
229 nat_set_alloc_addr_and_port_default ();
232 (line_input, "map-e psid %d psid-offset %d psid-len %d", &psid,
233 &psid_offset, &psid_length))
234 nat_set_alloc_addr_and_port_mape ((u16) psid, (u16) psid_offset,
238 (line_input, "port-range %d - %d", &port_start, &port_end))
/* An empty or inverted range is refused before the setter is called. */
240 if (port_end <= port_start)
243 clib_error_return (0,
244 "The end-port must be greater than start-port");
247 nat_set_alloc_addr_and_port_range ((u16) port_start,
252 error = clib_error_return (0, "unknown input '%U'",
253 format_unformat_error, line_input);
259 unformat_free (line_input);
/*
 * CLI handler that prints the active NAT address and port allocation
 * algorithm.
 *
 * Refuses to run in deterministic mode. After the algorithm name it prints
 * the PSID parameters for NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE and the port
 * bounds for NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE.
 */
264 static clib_error_t *
265 nat44_show_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
266 unformat_input_t * input,
267 vlib_cli_command_t * cmd)
269 snat_main_t *sm = &snat_main;
271 if (sm->deterministic)
272 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
274 vlib_cli_output (vm, "NAT address and port: %U",
275 format_nat_addr_and_port_alloc_alg,
276 sm->addr_and_port_alloc_alg);
/* Only the two parameterised algorithms have extra fields to print. */
277 switch (sm->addr_and_port_alloc_alg)
279 case NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE:
280 vlib_cli_output (vm, " psid %d psid-offset %d psid-len %d", sm->psid,
281 sm->psid_offset, sm->psid_length);
283 case NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE:
284 vlib_cli_output (vm, " start-port %d end-port %d", sm->start_port,
/*
 * CLI handler that configures TCP MSS clamping.
 *
 * "disable" stores 0 in sm->mss_clamping; a number stores that value in
 * sm->mss_clamping and its network-byte-order form in sm->mss_value_net.
 *
 * NOTE(review): the number is parsed with "%d" and narrowed with a (u16)
 * cast; neither the declaration of mss nor any range check is visible in this
 * listing, so a value above 65535 would be truncated, and one that truncates
 * to 0 would read as "disabled" in the show command. Confirm against the
 * full file.
 */
294 static clib_error_t *
295 nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
296 vlib_cli_command_t * cmd)
298 unformat_input_t _line_input, *line_input = &_line_input;
299 snat_main_t *sm = &snat_main;
300 clib_error_t *error = 0;
303 /* Get a line of input. */
304 if (!unformat_user (input, unformat_line_input, line_input))
307 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
309 if (unformat (line_input, "disable"))
310 sm->mss_clamping = 0;
311 else if (unformat (line_input, "%d", &mss))
/* The live configuration is updated as soon as the token parses. */
313 sm->mss_clamping = (u16) mss;
314 sm->mss_value_net = clib_host_to_net_u16 (sm->mss_clamping);
318 error = clib_error_return (0, "unknown input '%U'",
319 format_unformat_error, line_input);
325 unformat_free (line_input);
/*
 * CLI handler that prints the MSS clamping setting: the configured value when
 * sm->mss_clamping is non-zero, and "mss-clamping disabled" in the other
 * branch (its else keyword is not part of this listing).
 */
330 static clib_error_t *
331 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
332 vlib_cli_command_t * cmd)
334 snat_main_t *sm = &snat_main;
336 if (sm->mss_clamping)
337 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
339 vlib_cli_output (vm, "mss-clamping disabled");
/*
 * CLI handler that adds or deletes a NAT44 pool address or address range.
 *
 * Refuses to run in deterministic mode and in static-mapping-only mode.
 * Accepts "<start> - <end>" or a single address, plus "tenant-vrf <id>",
 * "twice-nat" and "del". Every address of the range is passed in turn to
 * snat_add_address() or snat_del_address(), and the API error codes are
 * translated into CLI messages.
 *
 * NOTE(review): count is computed as end - start + 1 and its declaration is
 * not visible in this listing. A range covering the whole 32-bit space would
 * wrap that sum to 0, and no upper bound on the range size is visible, so a
 * very wide range means one add/del call per address on the CLI thread.
 * Confirm whether the full file limits the range.
 */
344 static clib_error_t *
345 add_address_command_fn (vlib_main_t * vm,
346 unformat_input_t * input, vlib_cli_command_t * cmd)
348 unformat_input_t _line_input, *line_input = &_line_input;
349 snat_main_t *sm = &snat_main;
350 ip4_address_t start_addr, end_addr, this_addr;
351 u32 start_host_order, end_host_order;
356 clib_error_t *error = 0;
359 if (sm->deterministic)
360 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
362 /* Get a line of input. */
363 if (!unformat_user (input, unformat_line_input, line_input))
366 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
368 if (unformat (line_input, "%U - %U",
369 unformat_ip4_address, &start_addr,
370 unformat_ip4_address, &end_addr))
372 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
374 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
/* A single address is handled as a one-element range. */
375 end_addr = start_addr;
376 else if (unformat (line_input, "twice-nat"))
378 else if (unformat (line_input, "del"))
382 error = clib_error_return (0, "unknown input '%U'",
383 format_unformat_error, line_input);
388 if (sm->static_mapping_only)
390 error = clib_error_return (0, "static mapping only mode");
/*
 * NOTE(review): the variables are named *_host_order but are filled by
 * clib_host_to_net_u32(); presumably the byte swap is what makes the two
 * addresses comparable as integers - confirm.
 */
394 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
395 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
397 if (end_host_order < start_host_order)
399 error = clib_error_return (0, "end address less than start address");
403 count = (end_host_order - start_host_order) + 1;
406 nat_log_info ("%U - %U, %d addresses...",
407 format_ip4_address, &start_addr,
408 format_ip4_address, &end_addr, count);
410 this_addr = start_addr;
412 for (i = 0; i < count; i++)
/* Add passes the parsed vrf_id; delete passes 0 as its third argument. */
415 rv = snat_add_address (sm, &this_addr, vrf_id, twice_nat);
417 rv = snat_del_address (sm, this_addr, 0, twice_nat);
421 case VNET_API_ERROR_VALUE_EXIST:
422 error = clib_error_return (0, "NAT address already in use.");
424 case VNET_API_ERROR_NO_SUCH_ENTRY:
425 error = clib_error_return (0, "NAT address not exist.");
427 case VNET_API_ERROR_UNSPECIFIED:
429 clib_error_return (0, "NAT address used in static mapping.");
431 case VNET_API_ERROR_FEATURE_DISABLED:
433 clib_error_return (0,
434 "twice NAT available only for endpoint-dependent mode.");
441 nat44_add_del_address_dpo (this_addr, is_add);
443 increment_v4_address (&this_addr);
447 unformat_free (line_input);
/*
 * CLI handler that lists the NAT44 pool addresses and the twice-nat pool
 * addresses.
 *
 * Refuses to run in deterministic mode. For each address it prints the
 * address, the tenant VRF table id when ap->fib_index differs from ~0
 * (the other branch prints "tenant VRF independent"), and one busy-port
 * counter per protocol.
 */
452 static clib_error_t *
453 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
454 vlib_cli_command_t * cmd)
456 snat_main_t *sm = &snat_main;
459 if (sm->deterministic)
460 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
462 vlib_cli_output (vm, "NAT44 pool addresses:");
464 vec_foreach (ap, sm->addresses)
466 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
467 if (ap->fib_index != ~0)
468 vlib_cli_output (vm, " tenant VRF: %u",
469 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
471 vlib_cli_output (vm, " tenant VRF independent");
/* foreach_snat_protocol expands _() once per protocol to print its busy-port field. */
472 #define _(N, i, n, s) \
473 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
474 foreach_snat_protocol
477 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
478 vec_foreach (ap, sm->twice_nat_addresses)
480 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
481 if (ap->fib_index != ~0)
482 vlib_cli_output (vm, " tenant VRF: %u",
483 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
485 vlib_cli_output (vm, " tenant VRF independent");
/* Same per-protocol expansion as for the regular pool. */
486 #define _(N, i, n, s) \
487 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
488 foreach_snat_protocol
/*
 * CLI handler that enables or disables the NAT feature on interfaces.
 *
 * Collects every "in <interface>" and "out <interface>" token into two
 * vectors, records "output-feature" and "del", then applies the change to
 * each collected interface: snat_interface_add_del_output_feature() when
 * output-feature was given, snat_interface_add_del() in the other branch.
 * The second argument of both calls is 1 for inside interfaces and 0 for
 * outside interfaces. Both vectors are freed before returning.
 */
495 static clib_error_t *
496 snat_feature_command_fn (vlib_main_t * vm,
497 unformat_input_t * input, vlib_cli_command_t * cmd)
499 unformat_input_t _line_input, *line_input = &_line_input;
500 vnet_main_t *vnm = vnet_get_main ();
501 clib_error_t *error = 0;
503 u32 *inside_sw_if_indices = 0;
504 u32 *outside_sw_if_indices = 0;
505 u8 is_output_feature = 0;
511 /* Get a line of input. */
512 if (!unformat_user (input, unformat_line_input, line_input))
515 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
517 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
519 vec_add1 (inside_sw_if_indices, sw_if_index);
520 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
522 vec_add1 (outside_sw_if_indices, sw_if_index);
523 else if (unformat (line_input, "output-feature"))
524 is_output_feature = 1;
525 else if (unformat (line_input, "del"))
529 error = clib_error_return (0, "unknown input '%U'",
530 format_unformat_error, line_input);
/* Inside interfaces: second argument of the add/del calls is 1. */
535 if (vec_len (inside_sw_if_indices))
537 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
539 sw_if_index = inside_sw_if_indices[i];
540 if (is_output_feature)
542 if (snat_interface_add_del_output_feature
543 (sw_if_index, 1, is_del))
545 error = clib_error_return (0, "%s %U failed",
546 is_del ? "del" : "add",
547 format_vnet_sw_if_index_name,
554 if (snat_interface_add_del (sw_if_index, 1, is_del))
556 error = clib_error_return (0, "%s %U failed",
557 is_del ? "del" : "add",
558 format_vnet_sw_if_index_name,
/* Outside interfaces: second argument of the add/del calls is 0. */
566 if (vec_len (outside_sw_if_indices))
568 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
570 sw_if_index = outside_sw_if_indices[i];
571 if (is_output_feature)
573 if (snat_interface_add_del_output_feature
574 (sw_if_index, 0, is_del))
576 error = clib_error_return (0, "%s %U failed",
577 is_del ? "del" : "add",
578 format_vnet_sw_if_index_name,
585 if (snat_interface_add_del (sw_if_index, 0, is_del))
587 error = clib_error_return (0, "%s %U failed",
588 is_del ? "del" : "add",
589 format_vnet_sw_if_index_name,
/* Release the parsed line and both interface vectors. */
598 unformat_free (line_input);
599 vec_free (inside_sw_if_indices);
600 vec_free (outside_sw_if_indices);
/*
 * CLI handler that lists the NAT44 interfaces.
 *
 * Walks sm->interfaces and then sm->output_feature_interfaces and prints each
 * interface name followed by "in out", "in" or "out", chosen from
 * nat_interface_is_inside() and nat_interface_is_outside().
 */
605 static clib_error_t *
606 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
607 vlib_cli_command_t * cmd)
609 snat_main_t *sm = &snat_main;
611 vnet_main_t *vnm = vnet_get_main ();
613 vlib_cli_output (vm, "NAT44 interfaces:");
/* An interface flagged both inside and outside is shown as "in out". */
615 pool_foreach (i, sm->interfaces,
617 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
619 (nat_interface_is_inside(i) &&
620 nat_interface_is_outside(i)) ? "in out" :
621 (nat_interface_is_inside(i) ? "in" : "out"));
/* Output-feature interfaces use the same labels with an "output-feature" tag. */
624 pool_foreach (i, sm->output_feature_interfaces,
626 vlib_cli_output (vm, " %U output-feature %s",
627 format_vnet_sw_if_index_name, vnm,
629 (nat_interface_is_inside(i) &&
630 nat_interface_is_outside(i)) ? "in out" :
631 (nat_interface_is_inside(i) ? "in" : "out"));
/*
 * CLI handler that adds or deletes a NAT44 static mapping.
 *
 * Refuses to run in deterministic mode. Accepts a local address with an
 * optional port, an external address or interface with an optional port,
 * "vrf <id>", a protocol, "twice-nat", "self-twice-nat", "out2in-only" and
 * "del". Twice NAT combined with an address-only mapping is rejected, and a
 * mapping with ports requires a protocol. The request is passed to
 * snat_add_static_mapping() and its error codes are translated.
 *
 * NOTE(review): l_port and e_port are u32 values parsed with "%u" and
 * narrowed with (u16) casts; no range check is visible in this listing, so a
 * port above 65535 would map to a different port than the one typed. l_addr
 * and e_addr have no initializer, and no check that a "local" token was
 * given is visible. Confirm against the full file.
 */
638 static clib_error_t *
639 add_static_mapping_command_fn (vlib_main_t * vm,
640 unformat_input_t * input,
641 vlib_cli_command_t * cmd)
643 unformat_input_t _line_input, *line_input = &_line_input;
644 snat_main_t *sm = &snat_main;
645 clib_error_t *error = 0;
646 ip4_address_t l_addr, e_addr;
647 u32 l_port = 0, e_port = 0, vrf_id = ~0;
650 u32 sw_if_index = ~0;
651 vnet_main_t *vnm = vnet_get_main ();
653 snat_protocol_t proto = ~0;
655 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
658 if (sm->deterministic)
659 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
661 /* Get a line of input. */
662 if (!unformat_user (input, unformat_line_input, line_input))
665 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
/* The address-plus-port forms are tried before the address-only forms. */
667 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
671 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
673 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
676 else if (unformat (line_input, "external %U", unformat_ip4_address,
679 else if (unformat (line_input, "external %U %u",
680 unformat_vnet_sw_interface, vnm, &sw_if_index,
684 else if (unformat (line_input, "external %U",
685 unformat_vnet_sw_interface, vnm, &sw_if_index))
687 else if (unformat (line_input, "vrf %u", &vrf_id))
689 else if (unformat (line_input, "%U", unformat_snat_protocol, &proto))
691 else if (unformat (line_input, "twice-nat"))
692 twice_nat = TWICE_NAT;
693 else if (unformat (line_input, "self-twice-nat"))
694 twice_nat = TWICE_NAT_SELF;
695 else if (unformat (line_input, "out2in-only"))
697 else if (unformat (line_input, "del"))
701 error = clib_error_return (0, "unknown input: '%U'",
702 format_unformat_error, line_input);
/* Consistency checks on the parsed options before the mapping is touched. */
707 if (twice_nat && addr_only)
709 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
713 if (!addr_only && !proto_set)
715 error = clib_error_return (0, "missing protocol");
719 rv = snat_add_static_mapping (l_addr, e_addr, (u16) l_port, (u16) e_port,
720 vrf_id, addr_only, sw_if_index, proto, is_add,
721 twice_nat, out2in_only, 0, 0);
725 case VNET_API_ERROR_INVALID_VALUE:
726 error = clib_error_return (0, "External port already in use.");
/* NO_SUCH_ENTRY has two messages; the condition choosing between them is not in this listing. */
728 case VNET_API_ERROR_NO_SUCH_ENTRY:
730 error = clib_error_return (0, "External address must be allocated.");
732 error = clib_error_return (0, "Mapping not exist.");
734 case VNET_API_ERROR_NO_SUCH_FIB:
735 error = clib_error_return (0, "No such VRF id.");
737 case VNET_API_ERROR_VALUE_EXIST:
738 error = clib_error_return (0, "Mapping already exist.");
740 case VNET_API_ERROR_FEATURE_DISABLED:
742 clib_error_return (0,
743 "twice-nat/out2in-only available only for endpoint-dependent mode.");
750 unformat_free (line_input);
/*
 * CLI handler that adds or deletes a NAT44 identity mapping, i.e. a static
 * mapping whose local and external address and port are the same.
 *
 * Refuses to run in deterministic mode. Accepts an address or
 * "external <interface>", "vrf <id>", "<protocol> <port>" and "del", then
 * calls snat_add_static_mapping() with the same address and port on both
 * sides and translates its error codes.
 *
 * NOTE(review): proto is declared without an initializer here, whereas
 * add_static_mapping_command_fn starts it at ~0. If no "<protocol> <port>"
 * token is given, an indeterminate value is passed to
 * snat_add_static_mapping(); confirm whether the callee ignores it for
 * address-only mappings. port is a u32 parsed with "%u" and narrowed with a
 * (u16) cast, with no range check visible in this listing.
 */
755 static clib_error_t *
756 add_identity_mapping_command_fn (vlib_main_t * vm,
757 unformat_input_t * input,
758 vlib_cli_command_t * cmd)
760 unformat_input_t _line_input, *line_input = &_line_input;
761 snat_main_t *sm = &snat_main;
762 clib_error_t *error = 0;
764 u32 port = 0, vrf_id = ~0;
767 u32 sw_if_index = ~0;
768 vnet_main_t *vnm = vnet_get_main ();
770 snat_protocol_t proto;
772 if (sm->deterministic)
773 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
777 /* Get a line of input. */
778 if (!unformat_user (input, unformat_line_input, line_input))
781 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
783 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
785 else if (unformat (line_input, "external %U",
786 unformat_vnet_sw_interface, vnm, &sw_if_index))
788 else if (unformat (line_input, "vrf %u", &vrf_id))
790 else if (unformat (line_input, "%U %u", unformat_snat_protocol, &proto,
793 else if (unformat (line_input, "del"))
797 error = clib_error_return (0, "unknown input: '%U'",
798 format_unformat_error, line_input);
/* Identity mapping: addr and port are used for both the local and the external side. */
803 rv = snat_add_static_mapping (addr, addr, (u16) port, (u16) port,
804 vrf_id, addr_only, sw_if_index, proto, is_add,
809 case VNET_API_ERROR_INVALID_VALUE:
810 error = clib_error_return (0, "External port already in use.");
812 case VNET_API_ERROR_NO_SUCH_ENTRY:
814 error = clib_error_return (0, "External address must be allocated.");
816 error = clib_error_return (0, "Mapping not exist.");
818 case VNET_API_ERROR_NO_SUCH_FIB:
819 error = clib_error_return (0, "No such VRF id.");
821 case VNET_API_ERROR_VALUE_EXIST:
822 error = clib_error_return (0, "Mapping already exist.");
829 unformat_free (line_input);
/*
 * CLI handler that adds or deletes a NAT44 load-balancing static mapping.
 *
 * Refuses to run in deterministic mode. Each "local <addr>:<port>
 * [vrf <id>] probability <n>" token appends one back-end to the locals
 * vector; "external <addr>:<port>", "protocol <p>", "twice-nat",
 * "self-twice-nat", "out2in-only", "del" and "affinity <n>" are also
 * accepted. At least two back-ends are required. The request goes to
 * nat44_add_del_lb_static_mapping() and its error codes are translated.
 *
 * NOTE(review): l_port and e_port are narrowed with (u16) casts and
 * probability with a (u8) cast, all parsed with "%u" and with no range check
 * visible in this listing, so a probability above 255 or a port above 65535
 * would be truncated. The release of the locals vector is also not visible
 * here. Confirm both against the full file.
 */
834 static clib_error_t *
835 add_lb_static_mapping_command_fn (vlib_main_t * vm,
836 unformat_input_t * input,
837 vlib_cli_command_t * cmd)
839 unformat_input_t _line_input, *line_input = &_line_input;
840 snat_main_t *sm = &snat_main;
841 clib_error_t *error = 0;
842 ip4_address_t l_addr, e_addr;
843 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
846 snat_protocol_t proto;
848 nat44_lb_addr_port_t *locals = 0, local;
849 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
852 if (sm->deterministic)
853 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
855 /* Get a line of input. */
856 if (!unformat_user (input, unformat_line_input, line_input))
859 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
861 if (unformat (line_input, "local %U:%u probability %u",
862 unformat_ip4_address, &l_addr, &l_port, &probability))
/* Start from a zeroed back-end so fields not set below stay 0. */
864 clib_memset (&local, 0, sizeof (local));
866 local.port = (u16) l_port;
867 local.probability = (u8) probability;
868 vec_add1 (locals, local);
870 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
871 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
874 clib_memset (&local, 0, sizeof (local));
876 local.port = (u16) l_port;
877 local.probability = (u8) probability;
878 local.vrf_id = vrf_id;
879 vec_add1 (locals, local);
881 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
884 else if (unformat (line_input, "protocol %U", unformat_snat_protocol,
887 else if (unformat (line_input, "twice-nat"))
888 twice_nat = TWICE_NAT;
889 else if (unformat (line_input, "self-twice-nat"))
890 twice_nat = TWICE_NAT_SELF;
891 else if (unformat (line_input, "out2in-only"))
893 else if (unformat (line_input, "del"))
895 else if (unformat (line_input, "affinity %u", &affinity))
899 error = clib_error_return (0, "unknown input: '%U'",
900 format_unformat_error, line_input);
/* A load-balancing mapping with fewer than two back-ends is refused. */
905 if (vec_len (locals) < 2)
907 error = clib_error_return (0, "at least two local must be set");
913 error = clib_error_return (0, "missing protocol");
917 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
918 is_add, twice_nat, out2in_only, 0,
923 case VNET_API_ERROR_INVALID_VALUE:
924 error = clib_error_return (0, "External port already in use.");
926 case VNET_API_ERROR_NO_SUCH_ENTRY:
928 error = clib_error_return (0, "External address must be allocated.");
930 error = clib_error_return (0, "Mapping not exist.");
932 case VNET_API_ERROR_VALUE_EXIST:
933 error = clib_error_return (0, "Mapping already exist.");
935 case VNET_API_ERROR_FEATURE_DISABLED:
937 clib_error_return (0, "Available only for endpoint-dependent mode.");
944 unformat_free (line_input);
/*
 * CLI handler that adds or deletes one back-end of an existing NAT44
 * load-balancing static mapping.
 *
 * Refuses to run in deterministic mode. Requires a non-zero local and
 * external port, then calls nat44_lb_static_mapping_add_del_local() and
 * translates its error codes.
 *
 * NOTE(review): e_port is narrowed with a (u16) cast while l_port and
 * probability are passed as parsed u32 values; the callee's parameter types
 * are not visible here, so any narrowing happens implicitly at the call. No
 * range check on either port or on probability is visible in this listing.
 * proto, l_addr and e_addr have no initializer. Confirm against the full
 * file.
 */
950 static clib_error_t *
951 add_lb_backend_command_fn (vlib_main_t * vm,
952 unformat_input_t * input, vlib_cli_command_t * cmd)
954 unformat_input_t _line_input, *line_input = &_line_input;
955 snat_main_t *sm = &snat_main;
956 clib_error_t *error = 0;
957 ip4_address_t l_addr, e_addr;
958 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
961 snat_protocol_t proto;
964 if (sm->deterministic)
965 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
967 /* Get a line of input. */
968 if (!unformat_user (input, unformat_line_input, line_input))
971 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
973 if (unformat (line_input, "local %U:%u probability %u",
974 unformat_ip4_address, &l_addr, &l_port, &probability))
976 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
977 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
980 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
983 else if (unformat (line_input, "protocol %U", unformat_snat_protocol,
986 else if (unformat (line_input, "del"))
990 error = clib_error_return (0, "unknown input: '%U'",
991 format_unformat_error, line_input);
/* Both ports start at 0, so a zero port means the token was missing (or 0 was typed). */
996 if (!l_port || !e_port)
998 error = clib_error_return (0, "local or external must be set");
1004 error = clib_error_return (0, "missing protocol");
1009 nat44_lb_static_mapping_add_del_local (e_addr, (u16) e_port, l_addr,
1010 l_port, proto, vrf_id, probability,
1015 case VNET_API_ERROR_INVALID_VALUE:
1016 error = clib_error_return (0, "External is not load-balancing static "
1019 case VNET_API_ERROR_NO_SUCH_ENTRY:
1020 error = clib_error_return (0, "Mapping or back-end not exist.");
1022 case VNET_API_ERROR_VALUE_EXIST:
1023 error = clib_error_return (0, "Back-end already exist.");
1025 case VNET_API_ERROR_FEATURE_DISABLED:
1027 clib_error_return (0, "Available only for endpoint-dependent mode.");
1029 case VNET_API_ERROR_UNSPECIFIED:
1030 error = clib_error_return (0, "At least two back-ends must remain");
1037 unformat_free (line_input);
/*
 * CLI handler that lists the NAT44 static mappings.
 *
 * Refuses to run in deterministic mode. Prints every entry of
 * sm->static_mappings and then every entry of sm->to_resolve.
 */
1042 static clib_error_t *
1043 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
1044 unformat_input_t * input,
1045 vlib_cli_command_t * cmd)
1047 snat_main_t *sm = &snat_main;
1048 snat_static_mapping_t *m;
1049 snat_static_map_resolve_t *rp;
1051 if (sm->deterministic)
1052 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1054 vlib_cli_output (vm, "NAT44 static mappings:");
1056 pool_foreach (m, sm->static_mappings,
1058 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
/* Entries of sm->to_resolve are printed with their own formatter. */
1060 vec_foreach (rp, sm->to_resolve)
1061 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
/*
 * CLI handler that adds or removes an interface whose address is used as a
 * NAT44 pool address.
 *
 * Refuses to run in deterministic mode. Accepts an interface name,
 * "twice-nat" and "del", calls snat_add_interface_address() and reports a
 * failing return value in the error text.
 *
 * NOTE(review): the declaration and initial value of sw_if_index are not
 * visible in this listing, and no check that an interface token was parsed
 * is visible before the call; confirm against the full file.
 */
1067 static clib_error_t *
1068 snat_add_interface_address_command_fn (vlib_main_t * vm,
1069 unformat_input_t * input,
1070 vlib_cli_command_t * cmd)
1072 snat_main_t *sm = &snat_main;
1073 unformat_input_t _line_input, *line_input = &_line_input;
1077 clib_error_t *error = 0;
1080 if (sm->deterministic)
1081 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1083 /* Get a line of input. */
1084 if (!unformat_user (input, unformat_line_input, line_input))
1087 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1089 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
1090 sm->vnet_main, &sw_if_index))
1092 else if (unformat (line_input, "twice-nat"))
1094 else if (unformat (line_input, "del"))
1098 error = clib_error_return (0, "unknown input '%U'",
1099 format_unformat_error, line_input);
1104 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
/* The raw return code is shown to the operator. */
1112 error = clib_error_return (0, "snat_add_interface_address returned %d",
1118 unformat_free (line_input);
/*
 * CLI handler that lists the interfaces whose addresses feed the NAT44 pool
 * and the twice-nat pool.
 *
 * Refuses to run in deterministic mode. Prints the interface name for each
 * entry of sm->auto_add_sw_if_indices and then of
 * sm->auto_add_sw_if_indices_twice_nat.
 */
1123 static clib_error_t *
1124 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1125 unformat_input_t * input,
1126 vlib_cli_command_t * cmd)
1128 snat_main_t *sm = &snat_main;
1129 vnet_main_t *vnm = vnet_get_main ();
1132 if (sm->deterministic)
1133 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1136 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1137 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1139 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1142 vlib_cli_output (vm, "NAT44 twice-nat pool address interfaces:");
1143 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
1145 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
/*
 * CLI handler that lists the NAT44 sessions.
 *
 * Refuses to run in deterministic mode. Recognises the keyword "detail".
 * For every entry of sm->per_thread_data it prints the thread name and the
 * number of elements in tsm->sessions, then one line per user of that
 * thread using format_snat_user.
 */
1153 static clib_error_t *
1154 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1155 vlib_cli_command_t * cmd)
1158 snat_main_t *sm = &snat_main;
1159 snat_main_per_thread_data_t *tsm;
1163 if (sm->deterministic)
1164 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1166 if (unformat (input, "detail"))
1169 vlib_cli_output (vm, "NAT44 sessions:");
1172 vec_foreach_index (i, sm->per_thread_data)
1174 tsm = vec_elt_at_index (sm->per_thread_data, i);
/* The same index i selects both the per-thread data and the thread name. */
1176 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1177 i, vlib_worker_threads[i].name,
1178 pool_elts (tsm->sessions));
1179 pool_foreach (u, tsm->users,
1181 vlib_cli_output (vm, " %U", format_snat_user, tsm, u, verbose);
/*
 * CLI handler that deletes one NAT44 session.
 *
 * Refuses to run in deterministic mode. Accepts "<addr>:<port> <protocol>",
 * "in" or "out" (which also select sm->inside_vrf_id or sm->outside_vrf_id),
 * "vrf <id>" and "external-host <addr>:<port>". The request goes to
 * nat44_del_ed_session() or nat44_del_session(); the condition choosing
 * between them is not part of this listing. A failing return value is
 * reported in the error text.
 *
 * NOTE(review): addr, eh_addr and proto have no initializer, and no check
 * that the "<addr>:<port> <protocol>" token was given is visible in this
 * listing, so a command without it would pass indeterminate values to the
 * delete call. port and eh_port are u32 values parsed with "%u" and passed
 * on without a visible range check. Confirm against the full file.
 */
1189 static clib_error_t *
1190 nat44_del_session_command_fn (vlib_main_t * vm,
1191 unformat_input_t * input,
1192 vlib_cli_command_t * cmd)
1194 snat_main_t *sm = &snat_main;
1195 unformat_input_t _line_input, *line_input = &_line_input;
1196 int is_in = 0, is_ed = 0;
1197 clib_error_t *error = 0;
1198 ip4_address_t addr, eh_addr;
/* The VRF defaults to the outside VRF until "in", "out" or "vrf" says otherwise. */
1199 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1200 snat_protocol_t proto;
1203 if (sm->deterministic)
1204 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1206 /* Get a line of input. */
1207 if (!unformat_user (input, unformat_line_input, line_input))
1210 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1213 (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1214 unformat_snat_protocol, &proto))
1216 else if (unformat (line_input, "in"))
1219 vrf_id = sm->inside_vrf_id;
1221 else if (unformat (line_input, "out"))
1224 vrf_id = sm->outside_vrf_id;
1226 else if (unformat (line_input, "vrf %u", &vrf_id))
1230 (line_input, "external-host %U:%u", unformat_ip4_address,
1231 &eh_addr, &eh_port))
1235 error = clib_error_return (0, "unknown input '%U'",
1236 format_unformat_error, line_input);
1243 nat44_del_ed_session (sm, &addr, port, &eh_addr, eh_port,
1244 snat_proto_to_ip_proto (proto), vrf_id, is_in);
1246 rv = nat44_del_session (sm, &addr, port, proto, vrf_id, is_in);
1254 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1259 unformat_free (line_input);
/*
 * CLI handler that turns NAT44 forwarding on or off.
 *
 * Refuses to run in deterministic mode. Exactly one "enable" or "disable"
 * keyword is expected: once one has been accepted, a second keyword no
 * longer matches and is reported as unknown input. The parsed value is
 * stored in sm->forwarding_enabled.
 */
1264 static clib_error_t *
1265 snat_forwarding_set_command_fn (vlib_main_t * vm,
1266 unformat_input_t * input,
1267 vlib_cli_command_t * cmd)
1269 snat_main_t *sm = &snat_main;
1270 unformat_input_t _line_input, *line_input = &_line_input;
/* forwarding_enable has no initializer; forwarding_enable_set records that it was written. */
1271 u8 forwarding_enable;
1272 u8 forwarding_enable_set = 0;
1273 clib_error_t *error = 0;
1275 if (sm->deterministic)
1276 return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
1278 /* Get a line of input. */
1279 if (!unformat_user (input, unformat_line_input, line_input))
1280 return clib_error_return (0, "'enable' or 'disable' expected");
1282 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1284 if (!forwarding_enable_set && unformat (line_input, "enable"))
1286 forwarding_enable = 1;
1287 forwarding_enable_set = 1;
1289 else if (!forwarding_enable_set && unformat (line_input, "disable"))
1291 forwarding_enable = 0;
1292 forwarding_enable_set = 1;
1296 error = clib_error_return (0, "unknown input '%U'",
1297 format_unformat_error, line_input);
/* Without a keyword there is no value to store. */
1302 if (!forwarding_enable_set)
1304 error = clib_error_return (0, "'enable' or 'disable' expected");
1308 sm->forwarding_enabled = forwarding_enable;
1311 unformat_free (line_input);
/*
 * CLI handler that adds or deletes a deterministic NAT mapping between an
 * inside prefix and an outside prefix.
 *
 * Runs only in deterministic mode. Accepts "in <addr>/<plen>",
 * "out <addr>/<plen>" and "del", calls snat_det_add_map() and reports a
 * failing return value in the error text.
 *
 * NOTE(review): in_plen and out_plen are u32 values parsed with "%u" and
 * narrowed with (u8) casts; no check that they are at most 32 is visible in
 * this listing. in_addr, out_addr and both prefix lengths have no
 * initializer, and no check that both the "in" and the "out" token were
 * given is visible. Confirm against the full file and against the checks
 * inside snat_det_add_map().
 */
1316 static clib_error_t *
1317 snat_det_map_command_fn (vlib_main_t * vm,
1318 unformat_input_t * input, vlib_cli_command_t * cmd)
1320 snat_main_t *sm = &snat_main;
1321 unformat_input_t _line_input, *line_input = &_line_input;
1322 ip4_address_t in_addr, out_addr;
1323 u32 in_plen, out_plen;
1325 clib_error_t *error = 0;
1327 if (!sm->deterministic)
1328 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1330 /* Get a line of input. */
1331 if (!unformat_user (input, unformat_line_input, line_input))
1334 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1337 (line_input, "in %U/%u", unformat_ip4_address, &in_addr, &in_plen))
1341 (line_input, "out %U/%u", unformat_ip4_address, &out_addr,
1344 else if (unformat (line_input, "del"))
1348 error = clib_error_return (0, "unknown input '%U'",
1349 format_unformat_error, line_input);
1354 rv = snat_det_add_map (sm, &in_addr, (u8) in_plen, &out_addr, (u8) out_plen,
1359 error = clib_error_return (0, "snat_det_add_map return %d", rv);
1364 unformat_free (line_input);
/*
 * CLI handler that lists the deterministic NAT mappings.
 *
 * Runs only in deterministic mode. For every entry of sm->det_maps it prints
 * the inside and outside prefixes, the outside address sharing ratio, the
 * number of ports per inside host and the session count.
 */
1369 static clib_error_t *
1370 nat44_det_show_mappings_command_fn (vlib_main_t * vm,
1371 unformat_input_t * input,
1372 vlib_cli_command_t * cmd)
1374 snat_main_t *sm = &snat_main;
1377 if (!sm->deterministic)
1378 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1380 vlib_cli_output (vm, "NAT44 deterministic mappings:");
1382 pool_foreach (dm, sm->det_maps,
1384 vlib_cli_output (vm, " in %U/%d out %U/%d\n",
1385 format_ip4_address, &dm->in_addr, dm->in_plen,
1386 format_ip4_address, &dm->out_addr, dm->out_plen);
1387 vlib_cli_output (vm, " outside address sharing ratio: %d\n",
1389 vlib_cli_output (vm, " number of ports per inside host: %d\n",
1390 dm->ports_per_host);
1391 vlib_cli_output (vm, " sessions number: %d\n", dm->ses_num);
/*
 * CLI handler that shows which outside address and port range a given inside
 * address is translated to in deterministic mode.
 *
 * Runs only in deterministic mode. Looks the inside address up with
 * snat_det_map_by_user(); prints "no match" on one path, and on the other
 * calls snat_det_forward() and prints the outside address with the port
 * range lo_port .. lo_port + ports_per_host - 1.
 *
 * NOTE(review): in_addr has no initializer and no check that an address
 * token was parsed is visible in this listing, so the lookup may run on an
 * indeterminate address if the line holds no address; confirm against the
 * full file.
 */
1398 static clib_error_t *
1399 snat_det_forward_command_fn (vlib_main_t * vm,
1400 unformat_input_t * input,
1401 vlib_cli_command_t * cmd)
1403 snat_main_t *sm = &snat_main;
1404 unformat_input_t _line_input, *line_input = &_line_input;
1405 ip4_address_t in_addr, out_addr;
1408 clib_error_t *error = 0;
1410 if (!sm->deterministic)
1411 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1413 /* Get a line of input. */
1414 if (!unformat_user (input, unformat_line_input, line_input))
1417 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1419 if (unformat (line_input, "%U", unformat_ip4_address, &in_addr))
1423 error = clib_error_return (0, "unknown input '%U'",
1424 format_unformat_error, line_input);
1429 dm = snat_det_map_by_user (sm, &in_addr);
1431 vlib_cli_output (vm, "no match");
/* snat_det_forward() fills out_addr and lo_port for this inside address. */
1434 snat_det_forward (dm, &in_addr, &out_addr, &lo_port);
1435 vlib_cli_output (vm, "%U:<%d-%d>", format_ip4_address, &out_addr,
1436 lo_port, lo_port + dm->ports_per_host - 1);
1440 unformat_free (line_input);
/*
 * CLI handler that shows which inside address an outside address and port
 * belong to in deterministic mode.
 *
 * Runs only in deterministic mode. The outside port must lie in 1024..65535;
 * this check is made before the value is narrowed to u16. Looks the outside
 * address up with snat_det_map_by_out(); prints "no match" on one path, and
 * on the other calls snat_det_reverse() and prints the inside address.
 *
 * NOTE(review): the declaration and initial value of out_port are not
 * visible in this listing, and out_addr has no initializer; confirm what the
 * range check sees when the line holds no "<addr>:<port>" token.
 */
1445 static clib_error_t *
1446 snat_det_reverse_command_fn (vlib_main_t * vm,
1447 unformat_input_t * input,
1448 vlib_cli_command_t * cmd)
1450 snat_main_t *sm = &snat_main;
1451 unformat_input_t _line_input, *line_input = &_line_input;
1452 ip4_address_t in_addr, out_addr;
1455 clib_error_t *error = 0;
1457 if (!sm->deterministic)
1458 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1460 /* Get a line of input. */
1461 if (!unformat_user (input, unformat_line_input, line_input))
1464 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1467 (line_input, "%U:%d", unformat_ip4_address, &out_addr, &out_port))
1471 error = clib_error_return (0, "unknown input '%U'",
1472 format_unformat_error, line_input);
/* Range check first, so the (u16) cast below cannot truncate. */
1477 if (out_port < 1024 || out_port > 65535)
1479 error = clib_error_return (0, "wrong port, must be <1024-65535>");
1483 dm = snat_det_map_by_out (sm, &out_addr);
1485 vlib_cli_output (vm, "no match");
1488 snat_det_reverse (dm, &out_addr, (u16) out_port, &in_addr);
1489 vlib_cli_output (vm, "%U", format_ip4_address, &in_addr);
1493 unformat_free (line_input);
/*
 * CLI handler registered for "set nat timeout": accepts any sequence of
 * "udp <n>", "tcp-established <n>", "tcp-transitory <n>", "icmp <n>" and
 * "reset".  Each value is parsed into the matching snat_main field and then
 * passed to the corresponding nat64_set_* function; a non-zero return from
 * that function is reported as an invalid value.  No deterministic-mode
 * check is visible in this handler.
 *
 * NOTE(review): this listing skips some source lines (the gutter numbers
 * jump), so the braces and the error exits are not shown here.
 */
1498 static clib_error_t *
1499 set_timeout_command_fn (vlib_main_t * vm,
1500 unformat_input_t * input, vlib_cli_command_t * cmd)
1502 snat_main_t *sm = &snat_main;
1503 unformat_input_t _line_input, *line_input = &_line_input;
1504 clib_error_t *error = 0;
1506 /* Get a line of input. */
1507 if (!unformat_user (input, unformat_line_input, line_input))
1510 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
/*
 * NOTE(review): unformat() stores the new value directly in the live
 * sm->..._timeout field before the nat64_set_* call gets to reject it.  No
 * visible line restores the previous value on the error path, so a rejected
 * value may stay in effect for NAT44 -- confirm, or parse into a local and
 * commit only after validation.
 */
1512 if (unformat (line_input, "udp %u", &sm->udp_timeout))
1514 if (nat64_set_udp_timeout (sm->udp_timeout))
1516 error = clib_error_return (0, "Invalid UDP timeout value");
/* Both TCP keywords push the transitory/established pair together. */
1520 else if (unformat (line_input, "tcp-established %u",
1521 &sm->tcp_established_timeout))
1523 if (nat64_set_tcp_timeouts
1524 (sm->tcp_transitory_timeout, sm->tcp_established_timeout))
1527 clib_error_return (0,
1528 "Invalid TCP established timeouts value");
1532 else if (unformat (line_input, "tcp-transitory %u",
1533 &sm->tcp_transitory_timeout))
1535 if (nat64_set_tcp_timeouts
1536 (sm->tcp_transitory_timeout, sm->tcp_established_timeout))
1539 clib_error_return (0,
1540 "Invalid TCP transitory timeouts value");
1544 else if (unformat (line_input, "icmp %u", &sm->icmp_timeout))
1546 if (nat64_set_icmp_timeout (sm->icmp_timeout))
1548 error = clib_error_return (0, "Invalid ICMP timeout value");
/*
 * "reset" restores the SNAT_* default constants and calls the NAT64 setters
 * with 0; their return values are not checked here.
 * NOTE(review): presumably 0 selects the NAT64 defaults -- confirm against
 * the nat64_set_* implementations.
 */
1552 else if (unformat (line_input, "reset"))
1554 sm->udp_timeout = SNAT_UDP_TIMEOUT;
1555 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
1556 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
1557 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
1558 nat64_set_udp_timeout (0);
1559 nat64_set_icmp_timeout (0);
1560 nat64_set_tcp_timeouts (0, 0);
1564 error = clib_error_return (0, "unknown input '%U'",
1565 format_unformat_error, line_input);
1571 unformat_free (line_input);
/*
 * CLI handler registered for "show nat timeouts": prints the four session
 * timeouts currently stored in snat_main (udp, tcp-established,
 * tcp-transitory, icmp), one per line with a "sec" suffix.  It reads no
 * arguments from the input.
 */
1576 static clib_error_t *
1577 nat_show_timeouts_command_fn (vlib_main_t * vm,
1578 unformat_input_t * input,
1579 vlib_cli_command_t * cmd)
1581 snat_main_t *sm = &snat_main;
1583 vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
1584 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1585 sm->tcp_established_timeout);
1586 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1587 sm->tcp_transitory_timeout);
1588 vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
/*
 * CLI handler registered for "show nat44 deterministic sessions": walks
 * every deterministic mapping in sm->det_maps and every index of its
 * sessions vector, printing each entry through format_det_map_ses.
 * Returns an error carrying SUPPORTED_ONLY_IN_DET_MODE_STR unless
 * sm->deterministic is set.
 *
 * NOTE(review): this listing skips some source lines (the gutter numbers
 * jump), so the braces and the declarations of dm and i are not shown, and
 * any per-session filter between the lookup and the print is not visible.
 */
1593 static clib_error_t *
1594 nat44_det_show_sessions_command_fn (vlib_main_t * vm,
1595 unformat_input_t * input,
1596 vlib_cli_command_t * cmd)
1598 snat_main_t *sm = &snat_main;
1600 snat_det_session_t *ses;
/* Command is meaningful only in deterministic mode. */
1603 if (!sm->deterministic)
1604 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1606 vlib_cli_output (vm, "NAT44 deterministic sessions:");
/* Outer loop: mappings in the pool; inner loop: session slots by index. */
1608 pool_foreach (dm, sm->det_maps,
1610 vec_foreach_index (i, dm->sessions)
1612 ses = vec_elt_at_index (dm->sessions, i);
/* The formatter receives the mapping, the session and a pointer to its index. */
1614 vlib_cli_output (vm, " %U", format_det_map_ses, dm, ses, &i);
/*
 * CLI handler registered for "nat44 deterministic close session out":
 * reads "<out_addr>:<out_port> <ext_addr>:<ext_port>", finds the
 * deterministic mapping with snat_det_map_by_out(), looks the session up
 * with snat_det_get_ses_by_out() and closes it with snat_det_ses_close().
 * Prints "no match" when the mapping or the session is not found.  Returns
 * an error carrying SUPPORTED_ONLY_IN_DET_MODE_STR unless sm->deterministic
 * is set.
 *
 * NOTE(review): this listing skips some source lines (the gutter numbers
 * jump), so the braces, the declaration of dm and the error exits are not
 * shown here.
 */
1621 static clib_error_t *
1622 snat_det_close_session_out_fn (vlib_main_t * vm,
1623 unformat_input_t * input,
1624 vlib_cli_command_t * cmd)
1626 snat_main_t *sm = &snat_main;
1627 unformat_input_t _line_input, *line_input = &_line_input;
1628 ip4_address_t out_addr, ext_addr, in_addr;
1629 u32 out_port, ext_port;
1631 snat_det_session_t *ses;
1632 snat_det_out_key_t key;
1633 clib_error_t *error = 0;
/* Command is meaningful only in deterministic mode. */
1635 if (!sm->deterministic)
1636 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1638 /* Get a line of input. */
1639 if (!unformat_user (input, unformat_line_input, line_input))
1642 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1644 if (unformat (line_input, "%U:%d %U:%d",
1645 unformat_ip4_address, &out_addr, &out_port,
1646 unformat_ip4_address, &ext_addr, &ext_port))
1650 error = clib_error_return (0, "unknown input '%U'",
1651 format_unformat_error, line_input);
/*
 * NOTE(review): line_input is freed here and again at the end of the
 * function, so the non-error path calls unformat_free() twice on the same
 * object -- confirm the second call is harmless, or drop this one.
 */
1656 unformat_free (line_input);
/*
 * NOTE(review): the addresses and ports are declared without initializers;
 * if the line holds no tokens they are used below without having been
 * parsed -- confirm an empty line cannot reach this point.
 */
1658 dm = snat_det_map_by_out (sm, &out_addr);
1660 vlib_cli_output (vm, "no match");
/*
 * NOTE(review): snat_det_reverse() is given &ext_addr although the mapping
 * was selected by out_addr, its in_addr result is not used in the visible
 * lines, and key.ext_host_addr is filled from out_addr where
 * snat_det_close_session_in_fn uses ext_addr.  This looks like out_addr and
 * ext_addr are swapped -- confirm against the session key layout.
 */
1663 snat_det_reverse (dm, &ext_addr, (u16) out_port, &in_addr);
1664 key.ext_host_addr = out_addr;
/*
 * NOTE(review): both ports are u32 values narrowed to u16 with no range
 * check, so input above 65535 is silently truncated and may select a
 * different session; snat_det_reverse_command_fn rejects ports outside
 * 1024-65535 before its cast.
 */
1665 key.ext_host_port = ntohs ((u16) ext_port);
1666 key.out_port = ntohs ((u16) out_port);
1667 ses = snat_det_get_ses_by_out (dm, &out_addr, key.as_u64);
1669 vlib_cli_output (vm, "no match");
1671 snat_det_ses_close (dm, ses);
1675 unformat_free (line_input);
/*
 * CLI handler registered for "nat44 deterministic close session in":
 * reads "<in_addr>:<in_port> <ext_addr>:<ext_port>", finds the
 * deterministic mapping with snat_det_map_by_user(), looks the session up
 * with snat_det_find_ses_by_in() and closes it with snat_det_ses_close().
 * Prints "no match" when the mapping or the session is not found.  Returns
 * an error carrying SUPPORTED_ONLY_IN_DET_MODE_STR unless sm->deterministic
 * is set.
 *
 * NOTE(review): this listing skips some source lines (the gutter numbers
 * jump), so the braces, the declaration of dm, the assignment of ses and
 * the error exits are not shown here.
 */
1680 static clib_error_t *
1681 snat_det_close_session_in_fn (vlib_main_t * vm,
1682 unformat_input_t * input,
1683 vlib_cli_command_t * cmd)
1685 snat_main_t *sm = &snat_main;
1686 unformat_input_t _line_input, *line_input = &_line_input;
1687 ip4_address_t in_addr, ext_addr;
1688 u32 in_port, ext_port;
1690 snat_det_session_t *ses;
1691 snat_det_out_key_t key;
1692 clib_error_t *error = 0;
/* Command is meaningful only in deterministic mode. */
1694 if (!sm->deterministic)
1695 return clib_error_return (0, SUPPORTED_ONLY_IN_DET_MODE_STR);
1697 /* Get a line of input. */
1698 if (!unformat_user (input, unformat_line_input, line_input))
1701 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1703 if (unformat (line_input, "%U:%d %U:%d",
1704 unformat_ip4_address, &in_addr, &in_port,
1705 unformat_ip4_address, &ext_addr, &ext_port))
1709 error = clib_error_return (0, "unknown input '%U'",
1710 format_unformat_error, line_input);
/*
 * NOTE(review): line_input is freed here and again at the end of the
 * function, so the non-error path calls unformat_free() twice on the same
 * object -- confirm the second call is harmless, or drop this one.
 */
1715 unformat_free (line_input);
/*
 * NOTE(review): the addresses and ports are declared without initializers;
 * if the line holds no tokens they are used below without having been
 * parsed -- confirm an empty line cannot reach this point.
 */
1717 dm = snat_det_map_by_user (sm, &in_addr);
1719 vlib_cli_output (vm, "no match");
1722 key.ext_host_addr = ext_addr;
/*
 * NOTE(review): both ports are u32 values narrowed to u16 with no range
 * check, so input above 65535 is silently truncated and may select a
 * different session.  Only ext_host_addr and ext_host_port of key are set
 * in the visible lines before key is passed by value.
 */
1723 key.ext_host_port = ntohs ((u16) ext_port);
1725 snat_det_find_ses_by_in (dm, &in_addr, ntohs ((u16) in_port), key);
1727 vlib_cli_output (vm, "no match");
1729 snat_det_ses_close (dm, ses);
1733 unformat_free (line_input);
1741 * @cliexstart{set nat workers}
1742 * Set NAT workers if 2 or more workers are available, use:
1743 * vpp# set nat workers 0-2,5
1746 VLIB_CLI_COMMAND (set_workers_command, static) = {
1747 .path = "set nat workers",
1748 .function = set_workers_command_fn,
1749 .short_help = "set nat workers <workers-list>",
1754 * @cliexstart{show nat workers}
1756 * vpp# show nat workers:
1762 VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
1763 .path = "show nat workers",
1764 .short_help = "show nat workers",
1765 .function = nat_show_workers_commnad_fn,
1770 * @cliexstart{set nat timeout}
1771 * Set values of timeouts for NAT sessions (in seconds), use:
1772 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
1773 * To reset default values use:
1774 * vpp# set nat timeout reset
1777 VLIB_CLI_COMMAND (set_timeout_command, static) = {
1778 .path = "set nat timeout",
1779 .function = set_timeout_command_fn,
1781 "set nat timeout [udp <sec> | tcp-established <sec> "
1782 "tcp-transitory <sec> | icmp <sec> | reset]",
1787 * @cliexstart{show nat timeouts}
1788 * Show values of timeouts for NAT sessions.
1789 * vpp# show nat timeouts
1790 * udp timeout: 300sec
1791 * tcp-established timeout: 7440sec
1792 * tcp-transitory timeout: 240sec
1793 * icmp timeout: 60sec
1796 VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
1797 .path = "show nat timeouts",
1798 .short_help = "show nat timeouts",
1799 .function = nat_show_timeouts_command_fn,
1804 * @cliexstart{nat ipfix logging}
1805 * To enable NAT IPFIX logging use:
1806 * vpp# nat ipfix logging
1807 * To set IPFIX exporter use:
1808 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
1811 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
1812 .path = "nat ipfix logging",
1813 .function = snat_ipfix_logging_enable_disable_command_fn,
1814 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
1819 * @cliexstart{nat addr-port-assignment-alg}
1820 * Set address and port assignment algorithm
1821 * For the MAP-E CE limit port choice based on PSID use:
1822 * vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
1823 * For port range use:
1824 * vpp# nat addr-port-assignment-alg port-range <start-port> - <end-port>
1825 * To set standard (default) address and port assignment algorithm use:
1826 * vpp# nat addr-port-assignment-alg default
1829 VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
1830 .path = "nat addr-port-assignment-alg",
1831 .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
1832 .function = nat44_set_alloc_addr_and_port_alg_command_fn,
1837 * @cliexstart{show nat addr-port-assignment-alg}
1838 * Show address and port assignment algorithm
1841 VLIB_CLI_COMMAND (nat44_show_alloc_addr_and_port_alg_command, static) = {
1842 .path = "show nat addr-port-assignment-alg",
1843 .short_help = "show nat addr-port-assignment-alg",
1844 .function = nat44_show_alloc_addr_and_port_alg_command_fn,
1849 * @cliexstart{nat mss-clamping}
1850 * Set TCP MSS rewriting configuration
1851 * To enable TCP MSS rewriting use:
1852 * vpp# nat mss-clamping 1452
1853 * To disable TCP MSS rewriting use:
1854 * vpp# nat mss-clamping disable
1856 VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
1857 .path = "nat mss-clamping",
1858 .short_help = "nat mss-clamping <mss-value>|disable",
1859 .function = nat_set_mss_clamping_command_fn,
1864 * @cliexstart{show nat mss-clamping}
1865 * Show TCP MSS rewriting configuration
1867 VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
1868 .path = "show nat mss-clamping",
1869 .short_help = "show nat mss-clamping",
1870 .function = nat_show_mss_clamping_command_fn,
1875 * @cliexstart{show nat44 hash tables}
1876 * Show NAT44 hash tables
1879 VLIB_CLI_COMMAND (nat44_show_hash, static) = {
1880 .path = "show nat44 hash tables",
1881 .short_help = "show nat44 hash tables [detail|verbose]",
1882 .function = nat44_show_hash_commnad_fn,
1887 * @cliexstart{nat44 add address}
1888 * Add/delete NAT44 pool address.
1889 * To add NAT44 pool address use:
1890 * vpp# nat44 add address 172.16.1.3
1891 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
1892 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
1893 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
1896 VLIB_CLI_COMMAND (add_address_command, static) = {
1897 .path = "nat44 add address",
1898 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
1899 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
1900 .function = add_address_command_fn,
1905 * @cliexstart{show nat44 addresses}
1906 * Show NAT44 pool addresses.
1907 * vpp# show nat44 addresses
1908 * NAT44 pool addresses:
1910 * tenant VRF independent
1919 * NAT44 twice-nat pool addresses:
1921 * tenant VRF independent
1927 VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
1928 .path = "show nat44 addresses",
1929 .short_help = "show nat44 addresses",
1930 .function = nat44_show_addresses_command_fn,
1935 * @cliexstart{set interface nat44}
1936 * Enable/disable NAT44 feature on the interface.
1937 * To enable NAT44 feature with local network interface use:
1938 * vpp# set interface nat44 in GigabitEthernet0/8/0
1939 * To enable NAT44 feature with external network interface use:
1940 * vpp# set interface nat44 out GigabitEthernet0/a/0
1943 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
1944 .path = "set interface nat44",
1945 .function = snat_feature_command_fn,
1946 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
1952 * @cliexstart{show nat44 interfaces}
1953 * Show interfaces with NAT44 feature.
1954 * vpp# show nat44 interfaces
1956 * GigabitEthernet0/8/0 in
1957 * GigabitEthernet0/a/0 out
1960 VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
1961 .path = "show nat44 interfaces",
1962 .short_help = "show nat44 interfaces",
1963 .function = nat44_show_interfaces_command_fn,
1968 * @cliexstart{nat44 add static mapping}
1969 * Static mapping allows hosts on the external network to initiate connection
1970 * to the local network host.
1971 * To create static mapping between local host address 10.0.0.3 port 6303 and
1972 * external address 4.4.4.4 port 3606 for TCP protocol use:
1973 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
1974 * If not running in "static mapping only" NAT plugin mode, first use:
1975 * vpp# nat44 add address 4.4.4.4
1976 * To create static mapping between local and external address use:
1977 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
1980 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
1981 .path = "nat44 add static mapping",
1982 .function = add_static_mapping_command_fn,
1984 "nat44 add static mapping tcp|udp|icmp local <addr> [<port>] "
1985 "external <addr> [<port>] [vrf <table-id>] [twice-nat|self-twice-nat] "
1986 "[out2in-only] [del]",
1991 * @cliexstart{nat44 add identity mapping}
1992 * Identity mapping translates an IP address to itself.
1993 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
1995 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
1996 * To create identity mapping for address 10.0.0.3 use:
1997 * vpp# nat44 add identity mapping 10.0.0.3
1998 * To create identity mapping for DHCP addressed interface use:
1999 * vpp# nat44 add identity mapping GigabitEthernet0/a/0 tcp 3606
2002 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
2003 .path = "nat44 add identity mapping",
2004 .function = add_identity_mapping_command_fn,
2005 .short_help = "nat44 add identity mapping <interface>|<ip4-addr> "
2006 "[<protocol> <port>] [vrf <table-id>] [del]",
2011 * @cliexstart{nat44 add load-balancing static mapping}
2012 * Service load balancing using NAT44
2013 * To add static mapping with load balancing for service with external IP
2014 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
2015 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
2016 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
2019 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
2020 .path = "nat44 add load-balancing static mapping",
2021 .function = add_lb_static_mapping_command_fn,
2023 "nat44 add load-balancing static mapping protocol tcp|udp "
2024 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2025 "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
2026 "[affinity <timeout-seconds>] [del]",
2031 * @cliexstart{nat44 add load-balancing back-end}
2032 * Modify service load balancing using NAT44
2033 * To add new back-end server 10.100.10.30:8080 for service load balancing
2034 * static mapping with external IP address 1.2.3.4 and TCP port 80 use:
2035 * vpp# nat44 add load-balancing back-end protocol tcp external 1.2.3.4:80 local 10.100.10.30:8080 probability 25
2038 VLIB_CLI_COMMAND (add_lb_backend_command, static) = {
2039 .path = "nat44 add load-balancing back-end",
2040 .function = add_lb_backend_command_fn,
2042 "nat44 add load-balancing back-end protocol tcp|udp "
2043 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2044 "probability <n> [del]",
2049 * @cliexstart{show nat44 static mappings}
2050 * Show NAT44 static mappings.
2051 * vpp# show nat44 static mappings
2052 * NAT44 static mappings:
2053 * local 10.0.0.3 external 4.4.4.4 vrf 0
2054 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
2055 * tcp vrf 0 external 1.2.3.4:80 out2in-only
2056 * local 10.100.10.10:8080 probability 80
2057 * local 10.100.10.20:8080 probability 20
2058 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
2059 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
2062 VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
2063 .path = "show nat44 static mappings",
2064 .short_help = "show nat44 static mappings",
2065 .function = nat44_show_static_mappings_command_fn,
2070 * @cliexstart{nat44 add interface address}
2071 * Use NAT44 pool address from specific interface
2072 * To add NAT44 pool address from specific interface use:
2073 * vpp# nat44 add interface address GigabitEthernet0/8/0
2076 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2077 .path = "nat44 add interface address",
2078 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
2079 .function = snat_add_interface_address_command_fn,
2084 * @cliexstart{show nat44 interface address}
2085 * Show NAT44 pool address interfaces
2086 * vpp# show nat44 interface address
2087 * NAT44 pool address interfaces:
2088 * GigabitEthernet0/a/0
2089 * NAT44 twice-nat pool address interfaces:
2090 * GigabitEthernet0/8/0
2093 VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
2094 .path = "show nat44 interface address",
2095 .short_help = "show nat44 interface address",
2096 .function = nat44_show_interface_address_command_fn,
2101 * @cliexstart{show nat44 sessions}
2102 * Show NAT44 sessions.
2105 VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
2106 .path = "show nat44 sessions",
2107 .short_help = "show nat44 sessions [detail]",
2108 .function = nat44_show_sessions_command_fn,
2113 * @cliexstart{nat44 del session}
2114 * To administratively delete NAT44 session by inside address and port use:
2115 * vpp# nat44 del session in 10.0.0.3:6303 tcp
2116 * To administratively delete NAT44 session by outside address and port use:
2117 * vpp# nat44 del session out 1.0.0.3:6033 udp
2120 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
2121 .path = "nat44 del session",
2122 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
2123 .function = nat44_del_session_command_fn,
2128 * @cliexstart{nat44 forwarding}
2129 * Enable or disable forwarding
2130 * Forward packets which don't match existing translation
2131 * or static mapping instead of dropping them.
2132 * To enable forwarding, use:
2133 * vpp# nat44 forwarding enable
2134 * To disable forwarding, use:
2135 * vpp# nat44 forwarding disable
2138 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
2139 .path = "nat44 forwarding",
2140 .short_help = "nat44 forwarding enable|disable",
2141 .function = snat_forwarding_set_command_fn,
2146 * @cliexstart{nat44 deterministic add}
2147 * Create bijective mapping of inside address to outside address and port range
2148 * pairs, with the purpose of enabling deterministic NAT to reduce logging in
2150 * To create deterministic mapping between inside network 10.0.0.0/18 and
2151 * outside network 1.1.1.0/30 use:
2152 * vpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.0/30
2155 VLIB_CLI_COMMAND (snat_det_map_command, static) = {
2156 .path = "nat44 deterministic add",
2157 .short_help = "nat44 deterministic add in <addr>/<plen> out <addr>/<plen> [del]",
2158 .function = snat_det_map_command_fn,
2163 * @cliexstart{show nat44 deterministic mappings}
2164 * Show NAT44 deterministic mappings
2165 * vpp# show nat44 deterministic mappings
2166 * NAT44 deterministic mappings:
2167 * in 10.0.0.0/24 out 1.1.1.1/32
2168 * outside address sharing ratio: 256
2169 * number of ports per inside host: 252
2170 * sessions number: 0
2173 VLIB_CLI_COMMAND (nat44_det_show_mappings_command, static) = {
2174 .path = "show nat44 deterministic mappings",
2175 .short_help = "show nat44 deterministic mappings",
2176 .function = nat44_det_show_mappings_command_fn,
2181 * @cliexstart{nat44 deterministic forward}
2182 * Return outside address and port range from inside address for deterministic
2184 * To obtain outside address and port of inside host use:
2185 * vpp# nat44 deterministic forward 10.0.0.2
2186 * 1.1.1.0:<1054-1068>
2189 VLIB_CLI_COMMAND (snat_det_forward_command, static) = {
2190 .path = "nat44 deterministic forward",
2191 .short_help = "nat44 deterministic forward <addr>",
2192 .function = snat_det_forward_command_fn,
2197 * @cliexstart{nat44 deterministic reverse}
2198 * Return inside address from outside address and port for deterministic NAT.
2199 * To obtain inside host address from outside address and port use:
2200 * vpp# nat44 deterministic reverse 1.1.1.1:1276
2204 VLIB_CLI_COMMAND (snat_det_reverse_command, static) = {
2205 .path = "nat44 deterministic reverse",
2206 .short_help = "nat44 deterministic reverse <addr>:<port>",
2207 .function = snat_det_reverse_command_fn,
2212 * @cliexstart{show nat44 deterministic sessions}
2213 * Show NAT44 deterministic sessions.
2214 * vpp# show nat44 deterministic sessions
2215 * NAT44 deterministic sessions:
2216 * in 10.0.0.3:3005 out 1.1.1.2:1146 external host 172.16.1.2:3006 state: udp-active expire: 306
2217 * in 10.0.0.3:3000 out 1.1.1.2:1141 external host 172.16.1.2:3001 state: udp-active expire: 306
2218 * in 10.0.0.4:3005 out 1.1.1.2:1177 external host 172.16.1.2:3006 state: udp-active expire: 306
2221 VLIB_CLI_COMMAND (nat44_det_show_sessions_command, static) = {
2222 .path = "show nat44 deterministic sessions",
2223 .short_help = "show nat44 deterministic sessions",
2224 .function = nat44_det_show_sessions_command_fn,
2229 * @cliexstart{nat44 deterministic close session out}
2230 * Close session using outside ip address and port
2231 * and external ip address and port, use:
2232 * vpp# nat44 deterministic close session out 1.1.1.1:1276 2.2.2.2:2387
2235 VLIB_CLI_COMMAND (snat_det_close_sesion_out_command, static) = {
2236 .path = "nat44 deterministic close session out",
2237 .short_help = "nat44 deterministic close session out "
2238 "<out_addr>:<out_port> <ext_addr>:<ext_port>",
2239 .function = snat_det_close_session_out_fn,
2244 * @cliexstart{nat44 deterministic close session in}
2245 * Close session using inside ip address and port
2246 * and external ip address and port, use:
2247 * vpp# nat44 deterministic close session in 3.3.3.3:3487 2.2.2.2:2387
2250 VLIB_CLI_COMMAND (snat_det_close_session_in_command, static) = {
2251 .path = "nat44 deterministic close session in",
2252 .short_help = "nat44 deterministic close session in "
2253 "<in_addr>:<in_port> <ext_addr>:<ext_port>",
2254 .function = snat_det_close_session_in_fn,
2260 * fd.io coding-style-patch-verification: ON
2263 * eval: (c-set-style "gnu")