+ {
+ continue;
+ }
+ if (out)
+ {
+ *out = i;
+ }
+ return 0;
+ }
+ }
+ return 1;
+}
+
+int
+nat44_ed_del_resolve_record (ip4_address_t l_addr, u16 l_port, u16 e_port,
+ ip_protocol_t proto, u32 vrf_id, u32 sw_if_index,
+ u32 flags)
+{
+ snat_main_t *sm = &snat_main;
+ int i;
+ if (!nat44_ed_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
+ sw_if_index, flags, &i))
+ {
+ vec_del1 (sm->to_resolve, i);
+ return 0;
+ }
+ return 1;
+}
+
+static_always_inline int
+nat44_ed_validate_sm_input (u32 flags)
+{
+ // identity nat can be initiated only from inside interface
+ if (is_sm_identity_nat (flags) && is_sm_out2in_only (flags))
+ {
+ return VNET_API_ERROR_UNSUPPORTED;
+ }
+
+ if (is_sm_twice_nat (flags) || is_sm_self_twice_nat (flags))
+ {
+ if (is_sm_addr_only (flags) || is_sm_identity_nat (flags))
+ {
+ return VNET_API_ERROR_UNSUPPORTED;
+ }
+ }
+ return 0;
+}
+
+snat_address_t *
+nat44_ed_addr_lookup (snat_main_t *sm, u32 addr)
+{
+ for (int i = 0; i < vec_len (sm->addresses); ++i)
+ {
+ if (sm->addresses[i].addr.as_u32 == addr)
+ return &sm->addresses[i];
+ }
+ return NULL;
+}
+
+int
+nat44_ed_add_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
+ u16 l_port, u16 e_port, ip_protocol_t proto,
+ u32 vrf_id, u32 sw_if_index, u32 flags,
+ ip4_address_t pool_addr, u8 *tag)
+{
+ snat_main_t *sm = &snat_main;
+
+ // interface bound mapping
+ if (is_sm_switch_address (flags))
+ {
+ if (!nat44_ed_get_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
+ sw_if_index, flags, 0))
+ {
+ return VNET_API_ERROR_VALUE_EXIST;
+ }
+
+ nat44_ed_add_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
+ sw_if_index, flags, pool_addr, tag);
+ ip4_address_t *first_int_addr =
+ ip4_interface_first_address (sm->ip4_main, sw_if_index, 0);
+ if (!first_int_addr)
+ {
+ // dhcp resolution required
+ return 0;
+ }
+
+ e_addr.as_u32 = first_int_addr->as_u32;
+ }
+
+ return nat44_ed_add_static_mapping_internal (l_addr, e_addr, l_port, e_port,
+ proto, vrf_id, sw_if_index,
+ flags, pool_addr, tag);
+}
+
+int
+nat44_ed_del_static_mapping (ip4_address_t l_addr, ip4_address_t e_addr,
+ u16 l_port, u16 e_port, ip_protocol_t proto,
+ u32 vrf_id, u32 sw_if_index, u32 flags)
+{
+
+ snat_main_t *sm = &snat_main;
+
+ // interface bound mapping
+ if (is_sm_switch_address (flags))
+ {
+ if (nat44_ed_del_resolve_record (l_addr, l_port, e_port, proto, vrf_id,
+ sw_if_index, flags))
+ {
+ return VNET_API_ERROR_NO_SUCH_ENTRY;
+ }
+
+ ip4_address_t *first_int_addr =
+ ip4_interface_first_address (sm->ip4_main, sw_if_index, 0);
+ if (!first_int_addr)
+ {
+ // dhcp resolution required
+ return 0;
+ }
+
+ e_addr.as_u32 = first_int_addr->as_u32;
+ }
+
+ return nat44_ed_del_static_mapping_internal (
+ l_addr, e_addr, l_port, e_port, proto, vrf_id, sw_if_index, flags);
+}
+
+static int
+nat44_ed_add_static_mapping_internal (ip4_address_t l_addr,
+ ip4_address_t e_addr, u16 l_port,
+ u16 e_port, ip_protocol_t proto,
+ u32 vrf_id, u32 sw_if_index, u32 flags,
+ ip4_address_t pool_addr, u8 *tag)
+{
+ snat_main_t *sm = &snat_main;
+ nat44_lb_addr_port_t *local;
+ snat_static_mapping_t *m;
+ u32 fib_index = ~0;
+ int rv;
+
+ if (!sm->enabled)
+ {
+ return VNET_API_ERROR_UNSUPPORTED;
+ }
+
+ rv = nat44_ed_validate_sm_input (flags);
+ if (rv != 0)
+ {
+ return rv;
+ }
+
+ if (is_sm_addr_only (flags))
+ {
+ e_port = l_port = proto = 0;
+ }
+
+ if (is_sm_identity_nat (flags))
+ {
+ l_port = e_port;
+ l_addr.as_u32 = e_addr.as_u32;
+ }
+
+ m = nat44_ed_sm_o2i_lookup (sm, e_addr, e_port, 0, proto);
+ if (m)
+ {
+ if (!is_sm_identity_nat (m->flags))
+ {
+ return VNET_API_ERROR_VALUE_EXIST;
+ }
+
+ // case:
+ // adding local identity nat record for different vrf table
+ pool_foreach (local, m->locals)
+ {
+ if (local->vrf_id == vrf_id)
+ {
+ return VNET_API_ERROR_VALUE_EXIST;
+ }
+ }
+
+ pool_get (m->locals, local);
+
+ local->vrf_id = vrf_id;
+ local->fib_index = fib_table_find_or_create_and_lock (
+ FIB_PROTOCOL_IP4, vrf_id, sm->fib_src_low);
+
+ nat44_ed_sm_i2o_add (sm, m, m->local_addr, m->local_port,
+ local->fib_index, m->proto);
+
+ return 0;
+ }
+
+ if (vrf_id != ~0)
+ {
+ fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
+ sm->fib_src_low);
+ }
+ else
+ {
+ // fallback to default vrf
+ vrf_id = sm->inside_vrf_id;
+ fib_index = sm->inside_fib_index;
+ fib_table_lock (fib_index, FIB_PROTOCOL_IP4, sm->fib_src_low);
+ }
+
+ // test if local mapping record doesn't exist
+ // identity nat supports multiple records in local mapping
+ if (!(is_sm_out2in_only (flags) || is_sm_identity_nat (flags)))
+ {
+ if (nat44_ed_sm_i2o_lookup (sm, l_addr, l_port, fib_index, proto))
+ {
+ return VNET_API_ERROR_VALUE_EXIST;