#include <nat/nat_det.h>
#include <nat/nat64.h>
#include <nat/nat_inlines.h>
+#include <nat/nat44/inlines.h>
#include <nat/nat_affinity.h>
#include <vnet/fib/fib_table.h>
+#include <nat/nat_ha.h>
#define UNSUPPORTED_IN_DET_MODE_STR \
"This command is unsupported in deterministic mode"
return 0;
}
+static clib_error_t *
+nat44_session_cleanup_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ clib_error_t *error = 0;
+ nat44_force_users_cleanup ();
+ return error;
+}
+
+static clib_error_t *
+snat_set_log_level_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ snat_main_t *sm = &snat_main;
+ u8 log_level = SNAT_LOG_NONE;
+ clib_error_t *error = 0;
+
+ /* Get a line of input. */
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ if (!unformat (line_input, "%d", &log_level))
+ {
+ error = clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input);
+ goto done;
+ }
+ if (log_level > SNAT_LOG_DEBUG)
+ {
+ error = clib_error_return (0, "unknown logging level '%d'", log_level);
+ goto done;
+ }
+ sm->log_level = log_level;
+
+done:
+ unformat_free (line_input);
+
+ return error;
+}
+
static clib_error_t *
snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
unformat_input_t * input,
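Review bot: `log_level` is declared as a one-byte `u8` at line 29 but is filled through `unformat (line_input, "%d", &log_level)` at line 36, and as far as I can tell from vppinfra's unformat the plain `%d` conversion stores an `int`-sized value through the pointer (the `l`/`L` modifiers select wider sizes), so the write spills past the variable into neighbouring stack slots and the range check at line 42 only ever sees the low byte. Declare it at the width the conversion writes and let the existing check reject out-of-range and negative values: `u32 log_level = SNAT_LOG_NONE;`. The assignment at line 47 then narrows to whatever width `sm->log_level` has, which the check has already bounded to `SNAT_LOG_DEBUG`.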
/* Get a line of input. */
if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
+ {
+ rv = snat_ipfix_logging_enable_disable (enable, domain_id,
+ (u16) src_port);
+ if (rv)
+ return clib_error_return (0, "ipfix logging enable failed");
+ return 0;
+ }
while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
{
return 0;
}
+static clib_error_t *
+nat_ha_failover_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ ip4_address_t addr;
+ u32 port, session_refresh_interval = 10;
+ int rv;
+ clib_error_t *error = 0;
+
+ /* Get a line of input. */
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
+ ;
+ else
+ if (unformat
+ (line_input, "refresh-interval %u", &session_refresh_interval))
+ ;
+ else
+ {
+ error = clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input);
+ goto done;
+ }
+ }
+
+ rv = nat_ha_set_failover (&addr, (u16) port, session_refresh_interval);
+ if (rv)
+ error = clib_error_return (0, "set HA failover failed");
+
+done:
+ unformat_free (line_input);
+
+ return error;
+}
+
+static clib_error_t *
+nat_ha_listener_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ ip4_address_t addr;
+ u32 port, path_mtu = 512;
+ int rv;
+ clib_error_t *error = 0;
+
+ /* Get a line of input. */
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
+ ;
+ else if (unformat (line_input, "path-mtu %u", &path_mtu))
+ ;
+ else
+ {
+ error = clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input);
+ goto done;
+ }
+ }
+
+ rv = nat_ha_set_listener (&addr, (u16) port, path_mtu);
+ if (rv)
+ error = clib_error_return (0, "set HA listener failed");
+
+done:
+ unformat_free (line_input);
+
+ return error;
+}
+
+static clib_error_t *
+nat_show_ha_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ ip4_address_t addr;
+ u16 port;
+ u32 path_mtu, session_refresh_interval, resync_ack_missed;
+ u8 in_resync;
+
+ nat_ha_get_listener (&addr, &port, &path_mtu);
+ if (!port)
+ {
+ vlib_cli_output (vm, "NAT HA disabled\n");
+ return 0;
+ }
+
+ vlib_cli_output (vm, "LISTENER:\n");
+ vlib_cli_output (vm, " %U:%u path-mtu %u\n",
+ format_ip4_address, &addr, port, path_mtu);
+
+ nat_ha_get_failover (&addr, &port, &session_refresh_interval);
+ vlib_cli_output (vm, "FAILOVER:\n");
+ if (port)
+ vlib_cli_output (vm, " %U:%u refresh-interval %usec\n",
+ format_ip4_address, &addr, port,
+ session_refresh_interval);
+ else
+ vlib_cli_output (vm, " NA\n");
+
+ nat_ha_get_resync_status (&in_resync, &resync_ack_missed);
+ vlib_cli_output (vm, "RESYNC:\n");
+ if (in_resync)
+ vlib_cli_output (vm, " in progress\n");
+ else
+ vlib_cli_output (vm, " completed (%d ACK missed)\n", resync_ack_missed);
+
+ return 0;
+}
+
+static clib_error_t *
+nat_ha_flush_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ nat_ha_flush (0);
+ return 0;
+}
+
+static clib_error_t *
+nat_ha_resync_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ clib_error_t *error = 0;
+
+ if (nat_ha_resync (0, 0, 0))
+ error = clib_error_return (0, "NAT HA resync already running");
+
+ return error;
+}
+
static clib_error_t *
add_address_command_fn (vlib_main_t * vm,
unformat_input_t * input, vlib_cli_command_t * cmd)
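Review bot: `addr` and `port` in nat_ha_failover_command_fn (lines 77-78) are never initialised and the parse loop accepts a line that contains only `refresh-interval N`, so `nat_ha_set_failover` at line 102 can be called with an address and port taken from indeterminate stack contents; nat_ha_listener_command_fn has the same gap (lines 117-118 and 140). Because both values come from the single `%U:%u` conversion, initialising `port` to 0 and requiring it to be non-zero before the call also guarantees `addr` was parsed, and since `port` is read as a u32 and truncated to u16 at the call, the same check can bound it. Port 0 is already the "not configured" value in nat_show_ha_command_fn (line 160), so the convention is consistent with the rest of the hunk; the listener command needs the mirror-image change.
```c
  u32 port = 0, session_refresh_interval = 10;	/* 0 = no endpoint given */
  /* … unchanged: rv, error, line-input setup and parse loop … */

  if (!port || port > 65535)
    {
      error = clib_error_return (0, "<ip4-address>:<port> (port 1-65535) is required");
      goto done;
    }

  rv = nat_ha_set_failover (&addr, (u16) port, session_refresh_interval);
  /* … unchanged: rv error, done: label, unformat_free, return … */
```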
return error;
}
+static clib_error_t *
+nat44_show_summary_command_fn (vlib_main_t * vm, unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ snat_main_per_thread_data_t *tsm;
+ snat_main_t *sm = &snat_main;
+ snat_session_t *s;
+
+ if (sm->deterministic || !sm->endpoint_dependent)
+ return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
+
+ // print session configuration values
+ vlib_cli_output (vm, "max translations: %u", sm->max_translations);
+ vlib_cli_output (vm, "max translations per user: %u",
+ sm->max_translations_per_user);
+
+ u32 count = 0;
+
+ u64 now = vlib_time_now (sm->vlib_main);
+ u64 sess_timeout_time;
+
+ u32 udp_sessions = 0;
+ u32 tcp_sessions = 0;
+ u32 icmp_sessions = 0;
+
+ u32 timed_out = 0;
+ u32 transitory = 0;
+ u32 established = 0;
+
+ if (sm->num_workers > 1)
+ {
+ /* *INDENT-OFF* */
+ vec_foreach (tsm, sm->per_thread_data)
+ {
+ pool_foreach (s, tsm->sessions,
+ ({
+ sess_timeout_time = s->last_heard +
+ (f64) nat44_session_get_timeout (sm, s);
+ if (now >= sess_timeout_time)
+ timed_out++;
+
+ switch (s->in2out.protocol)
+ {
+ case SNAT_PROTOCOL_ICMP:
+ icmp_sessions++;
+ break;
+ case SNAT_PROTOCOL_TCP:
+ tcp_sessions++;
+ if (s->state)
+ transitory++;
+ else
+ established++;
+ break;
+ case SNAT_PROTOCOL_UDP:
+ default:
+ udp_sessions++;
+ break;
+ }
+ }));
+ count += pool_elts (tsm->sessions);
+
+ vlib_cli_output (vm, "tid[%u] session scavenging cleared: %u",
+ tsm->thread_index, tsm->cleared);
+ vlib_cli_output (vm, "tid[%u] session scavenging cleanup runs: %u",
+ tsm->thread_index, tsm->cleanup_runs);
+
+ if (now < tsm->cleanup_timeout)
+ vlib_cli_output (vm, "tid[%u] session scavenging next run in: %f",
+ tsm->thread_index, tsm->cleanup_timeout - now);
+ else
+ vlib_cli_output (vm, "tid[%u] session scavenging next run in: 0",
+ tsm->thread_index);
+ }
+ /* *INDENT-ON* */
+ }
+ else
+ {
+ tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
+ /* *INDENT-OFF* */
+ pool_foreach (s, tsm->sessions,
+ ({
+ sess_timeout_time = s->last_heard +
+ (f64) nat44_session_get_timeout (sm, s);
+ if (now >= sess_timeout_time)
+ timed_out++;
+
+ switch (s->in2out.protocol)
+ {
+ case SNAT_PROTOCOL_ICMP:
+ icmp_sessions++;
+ break;
+ case SNAT_PROTOCOL_TCP:
+ tcp_sessions++;
+ if (s->state)
+ transitory++;
+ else
+ established++;
+ break;
+ case SNAT_PROTOCOL_UDP:
+ default:
+ udp_sessions++;
+ break;
+ }
+ }));
+ /* *INDENT-ON* */
+ count = pool_elts (tsm->sessions);
+
+ vlib_cli_output (vm, "tid[0] session scavenging cleared: %u",
+ tsm->cleared);
+ vlib_cli_output (vm, "tid[0] session scavenging cleanup runs: %u",
+ tsm->cleanup_runs);
+
+ if (now < tsm->cleanup_timeout)
+ vlib_cli_output (vm, "tid[0] session scavenging next run in: %f",
+ tsm->cleanup_timeout - now);
+ else
+ vlib_cli_output (vm, "tid[0] session scavenging next run in: 0");
+ }
+
+ vlib_cli_output (vm, "total timed out sessions: %u", timed_out);
+ vlib_cli_output (vm, "total sessions: %u", count);
+ vlib_cli_output (vm, "total tcp sessions: %u", tcp_sessions);
+ vlib_cli_output (vm, "total tcp established sessions: %u", established);
+ vlib_cli_output (vm, "total tcp transitory sessions: %u", transitory);
+ vlib_cli_output (vm, "total udp sessions: %u", udp_sessions);
+ vlib_cli_output (vm, "total icmp sessions: %u", icmp_sessions);
+ return 0;
+}
+
static clib_error_t *
nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
vlib_cli_command_t * cmd)
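Review bot: `now` at line 232 is declared `u64` while `vlib_time_now ()` returns a floating-point timestamp in VPP as far as I know (the `(f64)` cast on the timeout at line 251 shows the arithmetic is meant to be floating), so both `now` and `sess_timeout_time` are truncated to whole seconds and a session can be counted as timed out up to a second before it is; `f64 now = vlib_time_now (sm->vlib_main);` and `f64 sess_timeout_time;` keep the comparison exact, and the same `u64 now` declaration appears at line 393 of the show-sessions hunk. The timeout test and the protocol switch are duplicated verbatim between the multi-worker branch (lines 248-272) and the single-worker branch (lines 293-317), so any later change has to be made twice; a static helper that walks one `tsm->sessions` pool, bumps the six counters and returns `pool_elts (tsm->sessions)` would leave a single copy to keep correct. The multi-worker branch also prints `%f` for `tsm->cleanup_timeout - now` at line 282, which is only well-defined if `cleanup_timeout` is itself floating — worth confirming against the struct definition once `now` becomes f64.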
nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
vlib_cli_command_t * cmd)
{
- int verbose = 0;
+ unformat_input_t _line_input, *line_input = &_line_input;
+ clib_error_t *error = 0;
snat_main_t *sm = &snat_main;
snat_main_per_thread_data_t *tsm;
+
+ int detail = 0, metrics = 0;
snat_user_t *u;
int i = 0;
if (sm->deterministic)
return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
- if (unformat (input, "detail"))
- verbose = 1;
+ if (!unformat_user (input, unformat_line_input, line_input))
+ goto print;
- vlib_cli_output (vm, "NAT44 sessions:");
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "detail"))
+ detail = 1;
+ else if (unformat (line_input, "metrics"))
+ metrics = 1;
+ else
+ {
+ error = clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input);
+ break;
+ }
+ }
+ unformat_free (line_input);
+print:
+ vlib_cli_output (vm, "NAT44 sessions:");
/* *INDENT-OFF* */
vec_foreach_index (i, sm->per_thread_data)
{
vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
i, vlib_worker_threads[i].name,
pool_elts (tsm->sessions));
- pool_foreach (u, tsm->users,
- ({
- vlib_cli_output (vm, " %U", format_snat_user, tsm, u, verbose);
- }));
+ if (metrics)
+ {
+ u64 now = vlib_time_now (sm->vlib_main);
+ pool_foreach (u, tsm->users,
+ ({
+ vlib_cli_output (vm, " %U", format_snat_user_v2, tsm, u, now);
+ }));
+ }
+ else
+ {
+ pool_foreach (u, tsm->users,
+ ({
+ vlib_cli_output (vm, " %U", format_snat_user, tsm, u, detail);
+ }));
+ }
}
/* *INDENT-ON* */
+ return error;
+}
- return 0;
+static clib_error_t *
+nat44_del_user_command_fn (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ snat_main_t *sm = &snat_main;
+ unformat_input_t _line_input, *line_input = &_line_input;
+ clib_error_t *error = 0;
+ ip4_address_t addr;
+ u32 fib_index = 0;
+ int rv;
+
+ if (sm->deterministic)
+ return clib_error_return (0, UNSUPPORTED_IN_DET_MODE_STR);
+
+ /* Get a line of input. */
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "%U", unformat_ip4_address, &addr))
+ ;
+ else if (unformat (line_input, "fib %u", &fib_index))
+ ;
+ else
+ {
+ error = clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input);
+ goto done;
+ }
+ }
+
+ rv = nat44_user_del (&addr, fib_index);
+
+ if (!rv)
+ {
+ error = clib_error_return (0, "nat44_user_del returned %d", rv);
+ }
+
+done:
+ unformat_free (line_input);
+
+ return error;
}
static clib_error_t *
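Review bot: The result check after `nat44_user_del` at lines 445-448 looks inverted: `if (!rv)` raises the error exactly when rv is 0, which every other rv check in this diff treats as success (`if (rv)` at lines 103 and 141), so a successful deletion reports `nat44_user_del returned 0` while a failure is silent; change it to `if (rv)`. `addr` at line 418 is also never initialised and the parse loop accepts a line without an address, so `nat44 del user fib 0` passes indeterminate stack contents to `nat44_user_del`; a `u8 addr_set = 0;` flag set in the address branch and checked before the call (`if (!addr_set) { error = clib_error_return (0, "ip4 address required"); goto done; }`) closes that. In nat44_show_sessions_command_fn the unknown-input branch at line 375 only `break`s, so the complete session listing is still printed before the error is returned; the other commands in this diff `goto done` and return without acting, which would be the consistent behaviour here too.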
goto done;
}
}
-
done:
unformat_free (line_input);
-
+ sm->min_timeout = nat44_minimal_timeout (sm);
return error;
}
{
snat_main_t *sm = &snat_main;
+ // fix text
+ vlib_cli_output (vm, "min session cleanup timeout: %dsec", sm->min_timeout);
vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
vlib_cli_output (vm, "tcp-established timeout: %dsec",
sm->tcp_established_timeout);
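Review bot: The `// fix text` comment added at line 468 reads as a reminder left in the code rather than documentation of the new output line, and the surrounding file uses `/* */` comments; either drop it or say what the value is, e.g. `/* derived by nat44_minimal_timeout () from the configured session timeouts */` if that is what the helper computes (line 463 in the previous hunk is the only assignment visible here). The enclosing show-timeouts function starts outside the hunk.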
.function = nat_show_timeouts_command_fn,
};
+/*?
+ * @cliexpar
+ * @cliexstart{nat set logging level}
+ * To force garbage collection of nat sessions
+ * vpp# nat44 session cleanup
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat44_session_cleanup_command, static) = {
+ .path = "nat44 session cleanup",
+ .function = nat44_session_cleanup_command_fn,
+ .short_help = "nat44 session cleanup",
+};
+
+/*?
+ * @cliexpar
+ * @cliexstart{nat set logging level}
+ * To set NAT logging level use:
+ * Set nat logging level
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (snat_set_log_level_command, static) = {
+ .path = "nat set logging level",
+ .function = snat_set_log_level_command_fn,
+ .short_help = "nat set logging level <level>",
+};
+
/*?
* @cliexpar
* @cliexstart{snat ipfix logging}
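Review bot: The `@cliexstart{nat set logging level}` tag at line 477 sits on the `nat44 session cleanup` registration, evidently copied from the logging-level block that follows, so the generated CLI reference will file that example under the wrong command; it should read `@cliexstart{nat44 session cleanup}`. The logging-level block at lines 488-494 has the opposite problem: line 492 `Set nat logging level` is a second description where the example invocation should be, e.g. `vpp# nat set logging level <level>` to match the short_help at line 498.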
* vpp# nat mss-clamping 1452
* To disbale TCP MSS rewriting use:
* vpp# nat mss-clamping disable
+ * @cliexend
?*/
VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
.path = "nat mss-clamping",
/*?
* @cliexpar
- * @cliexstart{nat mss-clamping}
+ * @cliexstart{show nat mss-clamping}
* Show TCP MSS rewriting configuration
+ * @cliexend
?*/
VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
.path = "show nat mss-clamping",
.function = nat_show_mss_clamping_command_fn,
};
+/*?
+ * @cliexpar
+ * @cliexstart{nat ha failover}
+ * Set HA failover (remote settings)
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat_ha_failover_command, static) = {
+ .path = "nat ha failover",
+ .short_help = "nat ha failover <ip4-address>:<port> [refresh-interval <sec>]",
+ .function = nat_ha_failover_command_fn,
+};
+
+/*?
+ * @cliexpar
+ * @cliexstart{nat ha listener}
+ * Set HA listener (local settings)
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat_ha_listener_command, static) = {
+ .path = "nat ha listener",
+ .short_help = "nat ha listener <ip4-address>:<port> [path-mtu <path-mtu>]",
+ .function = nat_ha_listener_command_fn,
+};
+
+/*?
+ * @cliexpar
+ * @cliexstart{show nat ha}
+ * Show HA configuration/status
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat_show_ha_command, static) = {
+ .path = "show nat ha",
+ .short_help = "show nat ha",
+ .function = nat_show_ha_command_fn,
+};
+
+/*?
+ * @cliexpar
+ * @cliexstart{nat ha flush}
+ * Flush the current HA data (for testing)
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat_ha_flush_command, static) = {
+ .path = "nat ha flush",
+ .short_help = "nat ha flush",
+ .function = nat_ha_flush_command_fn,
+};
+
+/*?
+ * @cliexpar
+ * @cliexstart{nat ha resync}
+ * Resync HA (resend existing sessions to new failover)
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat_ha_resync_command, static) = {
+ .path = "nat ha resync",
+ .short_help = "nat ha resync",
+ .function = nat_ha_resync_command_fn,
+};
+
/*?
* @cliexpar
* @cliexstart{show nat44 hash tables}
.function = add_address_command_fn,
};
+/*?
+ * @cliexpar
+ * @cliexstart{show nat44 summary}
+ * Show NAT44 summary
+ * vpp# show nat44 summary
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat44_show_summary_command, static) = {
+ .path = "show nat44 summary",
+ .short_help = "show nat44 summary",
+ .function = nat44_show_summary_command_fn,
+};
+
/*?
* @cliexpar
* @cliexstart{show nat44 addresses}
* To create identity mapping for address 10.0.0.3 use:
* vpp# nat44 add identity mapping 10.0.0.3
* To create identity mapping for DHCP addressed interface use:
- * vpp# nat44 add identity mapping GigabitEthernet0/a/0 tcp 3606
+ * vpp# nat44 add identity mapping external GigabitEthernet0/a/0 tcp 3606
* @cliexend
?*/
VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
.path = "nat44 add identity mapping",
.function = add_identity_mapping_command_fn,
- .short_help = "nat44 add identity mapping <interface>|<ip4-addr> "
+ .short_help = "nat44 add identity mapping <ip4-addr>|external <interface> "
"[<protocol> <port>] [vrf <table-id>] [del]",
};
?*/
VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
.path = "show nat44 sessions",
- .short_help = "show nat44 sessions [detail]",
+ .short_help = "show nat44 sessions [detail|metrics]",
.function = nat44_show_sessions_command_fn,
};
+/*?
+ * @cliexpar
+ * @cliexstart{nat44 del user}
+ * To delete all NAT44 user sessions:
+ * vpp# nat44 del user 10.0.0.3
+ * @cliexend
+?*/
+VLIB_CLI_COMMAND (nat44_del_user_command, static) = {
+ .path = "nat44 del user",
+ .short_help = "nat44 del user <addr> [fib <index>]",
+ .function = nat44_del_user_command_fn,
+};
+
/*?
* @cliexpar
* @cliexstart{nat44 del session}