- if (vec_len (sm->auto_add_sw_if_indices_twice_nat))
- {
- vlib_cli_output (vm, "NAT44 twice-nat pool addresses interfaces:");
- vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
- {
- vlib_cli_output (vm, "%U", format_vnet_sw_interface_name, vnm,
- vnet_get_sw_interface (vnm, *sw_if_index));
- }
- }
-
- vlib_cli_output (vm, "NAT44 pool addresses:");
- vec_foreach (ap, sm->addresses)
- {
- vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
- if (ap->fib_index != ~0)
- vlib_cli_output (vm, " tenant VRF: %u",
- ip4_fib_get(ap->fib_index)->table_id);
- else
- vlib_cli_output (vm, " tenant VRF independent");
-#define _(N, i, n, s) \
- vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
- foreach_snat_protocol
-#undef _
- }
-
- vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
- vec_foreach (ap, sm->twice_nat_addresses)
- {
- vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
- if (ap->fib_index != ~0)
- vlib_cli_output (vm, " tenant VRF: %u",
- ip4_fib_get(ap->fib_index)->table_id);
- else
- vlib_cli_output (vm, " tenant VRF independent");
-#define _(N, i, n, s) \
- vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
- foreach_snat_protocol
-#undef _
- }
- }
-
- if (sm->num_workers > 1)
- {
- vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
- if (verbose > 0)
- {
- vec_foreach (worker, sm->workers)
- {
- vlib_worker_thread_t *w =
- vlib_worker_threads + *worker + sm->first_worker_index;
- vlib_cli_output (vm, " %s", w->name);
- }
- }
- }
-
- if (sm->deterministic)
- {
- vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
- vlib_cli_output (vm, "tcp-established timeout: %dsec",
- sm->tcp_established_timeout);
- vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
- sm->tcp_transitory_timeout);
- vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
- vlib_cli_output (vm, "%d deterministic mappings",
- pool_elts (sm->det_maps));
- if (verbose > 0)
- {
- pool_foreach (dm, sm->det_maps,
- ({
- vlib_cli_output (vm, "in %U/%d out %U/%d\n",
- format_ip4_address, &dm->in_addr, dm->in_plen,
- format_ip4_address, &dm->out_addr, dm->out_plen);
- vlib_cli_output (vm, " outside address sharing ratio: %d\n",
- dm->sharing_ratio);
- vlib_cli_output (vm, " number of ports per inside host: %d\n",
- dm->ports_per_host);
- vlib_cli_output (vm, " sessions number: %d\n", dm->ses_num);
- if (verbose > 1)
- {
- vec_foreach_index (j, dm->sessions)
- {
- ses = vec_elt_at_index (dm->sessions, j);
- if (ses->in_port)
- vlib_cli_output (vm, " %U", format_det_map_ses, dm, ses,
- &j);
- }
- }
- }));
- }
- }
- else
- {
- if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
- {
- vlib_cli_output (vm, "%d static mappings",
- pool_elts (sm->static_mappings));
-
- if (verbose > 0)
- {
- pool_foreach (m, sm->static_mappings,
- ({
- vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
- }));
- }
- }
- else
- {
- vec_foreach (tsm, sm->per_thread_data)
- {
- users_num += pool_elts (tsm->users);
- sessions_num += pool_elts (tsm->sessions);
- }
-
- vlib_cli_output (vm, "%d users, %d outside addresses, %d active sessions,"
- " %d static mappings, %d twice-nat addresses",
- users_num,
- vec_len (sm->addresses),
- sessions_num,
- pool_elts (sm->static_mappings),
- vec_len (sm->twice_nat_addresses));
-
- if (verbose > 0)
- {
- vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->in2out_ed,
- verbose - 1);
- vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->out2in_ed,
- verbose - 1);
- vec_foreach_index (j, sm->per_thread_data)
- {
- tsm = vec_elt_at_index (sm->per_thread_data, j);
-
- if (pool_elts (tsm->users) == 0)
- continue;
-
- vlib_worker_thread_t *w = vlib_worker_threads + j;
- vlib_cli_output (vm, "Thread %d (%s at lcore %u):", j, w->name,
- w->lcore_id);
- vlib_cli_output (vm, " %U", format_bihash_8_8, &tsm->in2out,
- verbose - 1);
- vlib_cli_output (vm, " %U", format_bihash_8_8, &tsm->out2in,
- verbose - 1);
- vlib_cli_output (vm, " %d list pool elements",
- pool_elts (tsm->list_pool));
-
- pool_foreach (u, tsm->users,
- ({
- vlib_cli_output (vm, " %U", format_snat_user, tsm, u,
- verbose - 1);
- }));
- }
-
- if (pool_elts (sm->static_mappings))
- {
- vlib_cli_output (vm, "static mappings:");
- pool_foreach (m, sm->static_mappings,
- ({
- vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
- }));
- for (j = 0; j < vec_len (sm->to_resolve); j++)
- {
- rp = sm->to_resolve + j;
- vlib_cli_output (vm, "%U",
- format_snat_static_map_to_resolve, rp);
- }
- }
- }
- }
- }
-
- return 0;
-}
-
-VLIB_CLI_COMMAND (show_snat_command, static) = {
- .path = "show nat44",
- .short_help = "show nat44",
- .function = show_snat_command_fn,
-};
-
-
-static void
-snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
- uword opaque,
- u32 sw_if_index,
- ip4_address_t * address,
- u32 address_length,
- u32 if_address_index,
- u32 is_delete)
-{
- snat_main_t *sm = &snat_main;
- snat_static_map_resolve_t *rp;
- u32 *indices_to_delete = 0;
- ip4_address_t l_addr;
- int i, j;
- int rv;
- u8 twice_nat = 0;
- snat_address_t *addresses = sm->addresses;
-
- for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++)
- {
- if (sw_if_index == sm->auto_add_sw_if_indices[i])
- goto match;
- }
-
- for (i = 0; i < vec_len(sm->auto_add_sw_if_indices_twice_nat); i++)
- {
- twice_nat = 1;
- addresses = sm->twice_nat_addresses;
- if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
- goto match;
- }
-
- return;
-
-match:
- if (!is_delete)
- {
- /* Don't trip over lease renewal, static config */
- for (j = 0; j < vec_len(addresses); j++)
- if (addresses[j].addr.as_u32 == address->as_u32)
- return;
-
- snat_add_address (sm, address, ~0, twice_nat);
- /* Scan static map resolution vector */
- for (j = 0; j < vec_len (sm->to_resolve); j++)
- {
- rp = sm->to_resolve + j;
- /* On this interface? */
- if (rp->sw_if_index == sw_if_index)
- {
- /* Indetity mapping? */
- if (rp->l_addr.as_u32 == 0)
- l_addr.as_u32 = address[0].as_u32;
- else
- l_addr.as_u32 = rp->l_addr.as_u32;
- /* Add the static mapping */
- rv = snat_add_static_mapping (l_addr,
- address[0],
- rp->l_port,
- rp->e_port,
- rp->vrf_id,
- rp->addr_only,
- ~0 /* sw_if_index */,
- rp->proto,
- rp->is_add,
- 0);
- if (rv)
- clib_warning ("snat_add_static_mapping returned %d",
- rv);
- vec_add1 (indices_to_delete, j);
- }
- }
- /* If we resolved any of the outstanding static mappings */
- if (vec_len(indices_to_delete))
- {
- /* Delete them */
- for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
- vec_delete(sm->to_resolve, 1, j);
- vec_free(indices_to_delete);
- }
- return;
- }
- else
- {
- (void) snat_del_address(sm, address[0], 1, twice_nat);
- return;
- }
-}
-
-
-int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del,
- u8 twice_nat)
-{
- ip4_main_t * ip4_main = sm->ip4_main;
- ip4_address_t * first_int_addr;
- snat_static_map_resolve_t *rp;
- u32 *indices_to_delete = 0;
- int i, j;
- u32 *auto_add_sw_if_indices =
- twice_nat ? sm->auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
-
- first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index,
- 0 /* just want the address*/);
-
- for (i = 0; i < vec_len(auto_add_sw_if_indices); i++)
- {
- if (auto_add_sw_if_indices[i] == sw_if_index)
- {
- if (is_del)
- {
- /* if have address remove it */
- if (first_int_addr)
- (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
- else
- {
- for (j = 0; j < vec_len (sm->to_resolve); j++)
- {
- rp = sm->to_resolve + j;
- if (rp->sw_if_index == sw_if_index)
- vec_add1 (indices_to_delete, j);
- }
- if (vec_len(indices_to_delete))
- {
- for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
- vec_del1(sm->to_resolve, j);
- vec_free(indices_to_delete);
- }
- }
- if (twice_nat)
- vec_del1(sm->auto_add_sw_if_indices_twice_nat, i);
- else
- vec_del1(sm->auto_add_sw_if_indices, i);
- }
- else
- return VNET_API_ERROR_VALUE_EXIST;
-
- return 0;
- }
- }
-
- if (is_del)
- return VNET_API_ERROR_NO_SUCH_ENTRY;
-
- /* add to the auto-address list */
- if (twice_nat)
- vec_add1(sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
- else
- vec_add1(sm->auto_add_sw_if_indices, sw_if_index);
-
- /* If the address is already bound - or static - add it now */
- if (first_int_addr)
- snat_add_address (sm, first_int_addr, ~0, twice_nat);
-
- return 0;
-}
-
-static clib_error_t *
-snat_add_interface_address_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- snat_main_t *sm = &snat_main;
- unformat_input_t _line_input, *line_input = &_line_input;
- u32 sw_if_index;
- int rv;
- int is_del = 0;
- clib_error_t *error = 0;
- u8 twice_nat = 0;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (line_input, "%U", unformat_vnet_sw_interface,
- sm->vnet_main, &sw_if_index))
- ;
- else if (unformat (line_input, "twice-nat"))
- twice_nat = 1;
- else if (unformat (line_input, "del"))
- is_del = 1;
- else
- {
- error = clib_error_return (0, "unknown input '%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
-
- switch (rv)
- {
- case 0:
- break;
-
- default:
- error = clib_error_return (0, "snat_add_interface_address returned %d",
- rv);
- goto done;
- }
-
-done:
- unformat_free (line_input);
-
- return error;
-}
-
-VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
- .path = "nat44 add interface address",
- .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
- .function = snat_add_interface_address_command_fn,
-};
-
-int
-nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port,
- snat_protocol_t proto, u32 vrf_id, int is_in)
-{
- snat_main_per_thread_data_t *tsm;
- clib_bihash_kv_8_8_t kv, value;
- ip4_header_t ip;
- u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
- snat_session_key_t key;
- snat_session_t *s;
- clib_bihash_8_8_t *t;
- snat_user_key_t u_key;
- snat_user_t *u;
-
- ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
- if (sm->num_workers)
- tsm =
- vec_elt_at_index (sm->per_thread_data,
- sm->worker_in2out_cb (&ip, fib_index));
- else
- tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
-
- key.addr.as_u32 = addr->as_u32;
- key.port = clib_host_to_net_u16 (port);
- key.protocol = proto;
- key.fib_index = fib_index;
- kv.key = key.as_u64;
- t = is_in ? &tsm->in2out : &tsm->out2in;
- if (!clib_bihash_search_8_8 (t, &kv, &value))
- {
- s = pool_elt_at_index (tsm->sessions, value.value);
- kv.key = s->in2out.as_u64;
- clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0);
- kv.key = s->out2in.as_u64;
- clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0);
- u_key.addr = s->in2out.addr;
- u_key.fib_index = s->in2out.fib_index;
- kv.key = u_key.as_u64;
- if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
- {
- u = pool_elt_at_index (tsm->users, value.value);
- u->nsessions--;
- }
- clib_dlist_remove (tsm->list_pool, s->per_user_index);
- pool_put (tsm->sessions, s);
- return 0;
- }
-
- return VNET_API_ERROR_NO_SUCH_ENTRY;
-}
-
-static clib_error_t *
-nat44_del_session_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- snat_main_t *sm = &snat_main;
- unformat_input_t _line_input, *line_input = &_line_input;
- int is_in = 0;
- clib_error_t *error = 0;
- ip4_address_t addr;
- u32 port = 0, vrf_id = sm->outside_vrf_id;
- snat_protocol_t proto;
- int rv;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
- unformat_snat_protocol, &proto))
- ;
- else if (unformat (line_input, "in"))
- {
- is_in = 1;
- vrf_id = sm->inside_vrf_id;
- }
- else if (unformat (line_input, "vrf %u", &vrf_id))
- ;
- else
- {
- error = clib_error_return (0, "unknown input '%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- rv = nat44_del_session(sm, &addr, port, proto, vrf_id, is_in);
-
- switch (rv)
- {
- case 0:
- break;
-
- default:
- error = clib_error_return (0, "nat44_del_session returned %d", rv);
- goto done;
- }
-
-done:
- unformat_free (line_input);
-
- return error;
-}
-
-VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
- .path = "nat44 del session",
- .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>]",
- .function = nat44_del_session_command_fn,
-};
-
-static clib_error_t *
-nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- snat_main_t *sm = &snat_main;
- unformat_input_t _line_input, *line_input = &_line_input;
- clib_error_t *error = 0;
- u32 psid, psid_offset, psid_length;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (line_input, "default"))
- sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
- else if (unformat (line_input, "map-e psid %d psid-offset %d psid-len %d",
- &psid, &psid_offset, &psid_length))
- {
- sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
- sm->psid = (u16) psid;
- sm->psid_offset = (u16) psid_offset;
- sm->psid_length = (u16) psid_length;
- }
- else
- {
- error = clib_error_return (0, "unknown input '%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
-done:
- unformat_free (line_input);
-
- return error;
-};
-
-VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
- .path = "nat addr-port-assignment-alg",
- .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
- .function = nat44_set_alloc_addr_and_port_alg_command_fn,
-};
-
-static clib_error_t *
-snat_det_map_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- snat_main_t *sm = &snat_main;
- unformat_input_t _line_input, *line_input = &_line_input;
- ip4_address_t in_addr, out_addr;
- u32 in_plen, out_plen;
- int is_add = 1, rv;
- clib_error_t *error = 0;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (line_input, "in %U/%u", unformat_ip4_address, &in_addr, &in_plen))
- ;
- else if (unformat (line_input, "out %U/%u", unformat_ip4_address, &out_addr, &out_plen))
- ;
- else if (unformat (line_input, "del"))
- is_add = 0;
- else
- {
- error = clib_error_return (0, "unknown input '%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- rv = snat_det_add_map(sm, &in_addr, (u8) in_plen, &out_addr, (u8)out_plen,
- is_add);
-
- if (rv)
- {
- error = clib_error_return (0, "snat_det_add_map return %d", rv);
- goto done;
- }
-
-done:
- unformat_free (line_input);
-
- return error;