2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_ipfix_logging.h>
24 #include <nat/nat_det.h>
25 #include <nat/nat64.h>
26 #include <vnet/fib/fib_table.h>
27 #include <vnet/fib/ip4_fib.h>
29 #include <vpp/app/version.h>
31 snat_main_t snat_main;
34 /* Hook up input features */
35 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
36 .arc_name = "ip4-unicast",
37 .node_name = "nat44-in2out",
38 .runs_before = VNET_FEATURES ("nat44-out2in"),
40 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
41 .arc_name = "ip4-unicast",
42 .node_name = "nat44-out2in",
43 .runs_before = VNET_FEATURES ("ip4-lookup"),
45 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
46 .arc_name = "ip4-unicast",
47 .node_name = "nat44-det-in2out",
48 .runs_before = VNET_FEATURES ("nat44-det-out2in"),
50 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
51 .arc_name = "ip4-unicast",
52 .node_name = "nat44-det-out2in",
53 .runs_before = VNET_FEATURES ("ip4-lookup"),
55 VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = {
56 .arc_name = "ip4-unicast",
57 .node_name = "nat44-in2out-worker-handoff",
58 .runs_before = VNET_FEATURES ("nat44-out2in-worker-handoff"),
60 VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = {
61 .arc_name = "ip4-unicast",
62 .node_name = "nat44-out2in-worker-handoff",
63 .runs_before = VNET_FEATURES ("ip4-lookup"),
65 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
66 .arc_name = "ip4-unicast",
67 .node_name = "nat44-in2out-fast",
68 .runs_before = VNET_FEATURES ("nat44-out2in-fast"),
70 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
71 .arc_name = "ip4-unicast",
72 .node_name = "nat44-out2in-fast",
73 .runs_before = VNET_FEATURES ("ip4-lookup"),
75 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
76 .arc_name = "ip4-unicast",
77 .node_name = "nat44-hairpin-dst",
78 .runs_before = VNET_FEATURES ("ip4-lookup"),
81 /* Hook up output features */
82 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
83 .arc_name = "ip4-output",
84 .node_name = "nat44-in2out-output",
85 .runs_before = VNET_FEATURES ("interface-output"),
87 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
88 .arc_name = "ip4-output",
89 .node_name = "nat44-in2out-output-worker-handoff",
90 .runs_before = VNET_FEATURES ("interface-output"),
92 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
93 .arc_name = "ip4-output",
94 .node_name = "nat44-hairpin-src",
95 .runs_before = VNET_FEATURES ("interface-output"),
100 VLIB_PLUGIN_REGISTER () = {
101 .version = VPP_BUILD_VER,
102 .description = "Network Address Translation",
107 * @brief Add/del NAT address to FIB.
109 * Add the external NAT address to the FIB as receive entries. This ensures
110 * that VPP will reply to ARP for this address and we don't need to enable
111 * proxy ARP on the outside interface.
113 * @param addr IPv4 address.
114 * @param plen address prefix length
115 * @param sw_if_index Interface.
116 * @param is_add If 0 delete, otherwise add.
119 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
122 fib_prefix_t prefix = {
124 .fp_proto = FIB_PROTOCOL_IP4,
126 .ip4.as_u32 = addr->as_u32,
129 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index(sw_if_index);
132 fib_table_entry_update_one_path(fib_index,
134 FIB_SOURCE_PLUGIN_HI,
135 (FIB_ENTRY_FLAG_CONNECTED |
136 FIB_ENTRY_FLAG_LOCAL |
137 FIB_ENTRY_FLAG_EXCLUSIVE),
144 FIB_ROUTE_PATH_FLAG_NONE);
146 fib_table_entry_delete(fib_index,
148 FIB_SOURCE_PLUGIN_HI);
151 void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id)
159 /* Check if address already exists */
160 vec_foreach (ap, sm->addresses)
162 if (ap->addr.as_u32 == addr->as_u32)
166 vec_add2 (sm->addresses, ap, 1);
170 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
171 FIB_SOURCE_PLUGIN_HI);
174 #define _(N, i, n, s) \
175 clib_bitmap_alloc (ap->busy_##n##_port_bitmap, 65535);
176 foreach_snat_protocol
179 /* Add external address to FIB */
180 pool_foreach (i, sm->interfaces,
185 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
188 pool_foreach (i, sm->output_feature_interfaces,
193 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
198 static int is_snat_address_used_in_static_mapping (snat_main_t *sm,
201 snat_static_mapping_t *m;
202 pool_foreach (m, sm->static_mappings,
204 if (m->external_addr.as_u32 == addr.as_u32)
211 void increment_v4_address (ip4_address_t * a)
215 v = clib_net_to_host_u32(a->as_u32) + 1;
216 a->as_u32 = clib_host_to_net_u32(v);
220 snat_add_static_mapping_when_resolved (snat_main_t * sm,
221 ip4_address_t l_addr,
226 snat_protocol_t proto,
230 snat_static_map_resolve_t *rp;
232 vec_add2 (sm->to_resolve, rp, 1);
233 rp->l_addr.as_u32 = l_addr.as_u32;
235 rp->sw_if_index = sw_if_index;
239 rp->addr_only = addr_only;
244 * @brief Add static mapping.
246 * Create static mapping between local addr+port and external addr+port.
248 * @param l_addr Local IPv4 address.
249 * @param e_addr External IPv4 address.
250 * @param l_port Local port number.
251 * @param e_port External port number.
252 * @param vrf_id VRF ID.
253 * @param addr_only If 0 address port and pair mapping, otherwise address only.
254 * @param sw_if_index External port instead of specific IP address.
255 * @param is_add If 0 delete static mapping, otherwise add.
259 int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr,
260 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
261 u32 sw_if_index, snat_protocol_t proto, int is_add)
263 snat_main_t * sm = &snat_main;
264 snat_static_mapping_t *m;
265 snat_session_key_t m_key;
266 clib_bihash_kv_8_8_t kv, value;
267 snat_address_t *a = 0;
270 snat_interface_t *interface;
273 /* If the external address is a specific interface address */
274 if (sw_if_index != ~0)
276 ip4_address_t * first_int_addr;
278 /* Might be already set... */
279 first_int_addr = ip4_interface_first_address
280 (sm->ip4_main, sw_if_index, 0 /* just want the address*/);
282 /* DHCP resolution required? */
283 if (first_int_addr == 0)
285 snat_add_static_mapping_when_resolved
286 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
291 e_addr.as_u32 = first_int_addr->as_u32;
295 m_key.port = addr_only ? 0 : e_port;
296 m_key.protocol = addr_only ? 0 : proto;
297 m_key.fib_index = sm->outside_fib_index;
298 kv.key = m_key.as_u64;
299 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
302 m = pool_elt_at_index (sm->static_mappings, value.value);
307 return VNET_API_ERROR_VALUE_EXIST;
309 /* Convert VRF id to FIB index */
312 p = hash_get (sm->ip4_main->fib_index_by_table_id, vrf_id);
314 return VNET_API_ERROR_NO_SUCH_FIB;
317 /* If not specified use inside VRF id from SNAT plugin startup config */
320 fib_index = sm->inside_fib_index;
321 vrf_id = sm->inside_vrf_id;
324 /* Find external address in allocated addresses and reserve port for
325 address and port pair mapping when dynamic translations enabled */
326 if (!addr_only && !(sm->static_mapping_only))
328 for (i = 0; i < vec_len (sm->addresses); i++)
330 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
332 a = sm->addresses + i;
333 /* External port must be unused */
336 #define _(N, j, n, s) \
337 case SNAT_PROTOCOL_##N: \
338 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
339 return VNET_API_ERROR_INVALID_VALUE; \
340 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
342 a->busy_##n##_ports++; \
344 foreach_snat_protocol
347 clib_warning("unknown_protocol");
348 return VNET_API_ERROR_INVALID_VALUE_2;
353 /* External address must be allocated */
355 return VNET_API_ERROR_NO_SUCH_ENTRY;
358 pool_get (sm->static_mappings, m);
359 memset (m, 0, sizeof (*m));
360 m->local_addr = l_addr;
361 m->external_addr = e_addr;
362 m->addr_only = addr_only;
364 m->fib_index = fib_index;
367 m->local_port = l_port;
368 m->external_port = e_port;
372 m_key.addr = m->local_addr;
373 m_key.port = m->local_port;
374 m_key.protocol = m->proto;
375 m_key.fib_index = m->fib_index;
376 kv.key = m_key.as_u64;
377 kv.value = m - sm->static_mappings;
378 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
380 m_key.addr = m->external_addr;
381 m_key.port = m->external_port;
382 m_key.fib_index = sm->outside_fib_index;
383 kv.key = m_key.as_u64;
384 kv.value = m - sm->static_mappings;
385 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1);
390 snat_user_key_t w_key0;
391 snat_worker_key_t w_key1;
393 w_key0.addr = m->local_addr;
394 w_key0.fib_index = m->fib_index;
395 kv.key = w_key0.as_u64;
397 if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value))
399 kv.value = sm->first_worker_index +
400 sm->workers[sm->next_worker++ % vec_len (sm->workers)];
402 clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv, 1);
406 kv.value = value.value;
409 w_key1.addr = m->external_addr;
410 w_key1.port = clib_host_to_net_u16 (m->external_port);
411 w_key1.fib_index = sm->outside_fib_index;
412 kv.key = w_key1.as_u64;
413 clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv, 1);
419 return VNET_API_ERROR_NO_SUCH_ENTRY;
421 /* Free external address port */
422 if (!addr_only && !(sm->static_mapping_only))
424 for (i = 0; i < vec_len (sm->addresses); i++)
426 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
428 a = sm->addresses + i;
431 #define _(N, j, n, s) \
432 case SNAT_PROTOCOL_##N: \
433 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
435 a->busy_##n##_ports--; \
437 foreach_snat_protocol
440 clib_warning("unknown_protocol");
441 return VNET_API_ERROR_INVALID_VALUE_2;
448 m_key.addr = m->local_addr;
449 m_key.port = m->local_port;
450 m_key.protocol = m->proto;
451 m_key.fib_index = m->fib_index;
452 kv.key = m_key.as_u64;
453 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0);
455 m_key.addr = m->external_addr;
456 m_key.port = m->external_port;
457 m_key.fib_index = sm->outside_fib_index;
458 kv.key = m_key.as_u64;
459 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0);
461 /* Delete session(s) for static mapping if exist */
462 if (!(sm->static_mapping_only) ||
463 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
465 snat_user_key_t u_key;
467 dlist_elt_t * head, * elt;
468 u32 elt_index, head_index, del_elt_index;
472 snat_main_per_thread_data_t *tsm;
474 u_key.addr = m->local_addr;
475 u_key.fib_index = m->fib_index;
476 kv.key = u_key.as_u64;
477 if (!clib_bihash_search_8_8 (&sm->user_hash, &kv, &value))
479 user_index = value.value;
480 if (!clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value))
481 tsm = vec_elt_at_index (sm->per_thread_data, value.value);
483 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
484 u = pool_elt_at_index (tsm->users, user_index);
485 if (u->nstaticsessions)
487 head_index = u->sessions_per_user_list_head_index;
488 head = pool_elt_at_index (tsm->list_pool, head_index);
489 elt_index = head->next;
490 elt = pool_elt_at_index (tsm->list_pool, elt_index);
491 ses_index = elt->value;
492 while (ses_index != ~0)
494 s = pool_elt_at_index (tsm->sessions, ses_index);
495 del_elt_index = elt_index;
496 elt_index = elt->next;
497 elt = pool_elt_at_index (tsm->list_pool, elt_index);
498 ses_index = elt->value;
502 if ((s->out2in.addr.as_u32 != e_addr.as_u32) &&
503 (clib_net_to_host_u16 (s->out2in.port) != e_port))
507 if (snat_is_unk_proto_session (s))
509 clib_bihash_kv_16_8_t up_kv;
510 nat_ed_ses_key_t up_key;
511 up_key.l_addr = s->in2out.addr;
512 up_key.r_addr = s->ext_host_addr;
513 up_key.fib_index = s->in2out.fib_index;
514 up_key.proto = s->in2out.port;
517 up_kv.key[0] = up_key.as_u64[0];
518 up_kv.key[1] = up_key.as_u64[1];
519 if (clib_bihash_add_del_16_8 (&sm->in2out_ed,
521 clib_warning ("in2out key del failed");
523 up_key.l_addr = s->out2in.addr;
524 up_key.fib_index = s->out2in.fib_index;
525 up_kv.key[0] = up_key.as_u64[0];
526 up_kv.key[1] = up_key.as_u64[1];
527 if (clib_bihash_add_del_16_8 (&sm->out2in_ed,
529 clib_warning ("out2in key del failed");
534 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
535 s->out2in.addr.as_u32,
539 s->in2out.fib_index);
541 value.key = s->in2out.as_u64;
542 if (clib_bihash_add_del_8_8 (&sm->in2out, &value, 0))
543 clib_warning ("in2out key del failed");
544 value.key = s->out2in.as_u64;
545 if (clib_bihash_add_del_8_8 (&sm->out2in, &value, 0))
546 clib_warning ("out2in key del failed");
548 pool_put (tsm->sessions, s);
550 clib_dlist_remove (tsm->list_pool, del_elt_index);
551 pool_put_index (tsm->list_pool, del_elt_index);
552 u->nstaticsessions--;
559 pool_put (tsm->users, u);
560 clib_bihash_add_del_8_8 (&sm->user_hash, &kv, 0);
566 /* Delete static mapping from pool */
567 pool_put (sm->static_mappings, m);
573 /* Add/delete external address to FIB */
574 pool_foreach (interface, sm->interfaces,
576 if (interface->is_inside)
579 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
582 pool_foreach (interface, sm->output_feature_interfaces,
584 if (interface->is_inside)
587 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
594 int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
595 snat_protocol_t proto, u32 vrf_id,
596 nat44_lb_addr_port_t *locals, u8 is_add)
598 snat_main_t * sm = &snat_main;
599 snat_static_mapping_t *m;
600 snat_session_key_t m_key;
601 clib_bihash_kv_8_8_t kv, value;
603 snat_address_t *a = 0;
605 nat44_lb_addr_port_t *local;
606 snat_user_key_t w_key0;
607 snat_worker_key_t w_key1;
608 u32 worker_index = 0;
612 m_key.protocol = proto;
613 m_key.fib_index = sm->outside_fib_index;
614 kv.key = m_key.as_u64;
615 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
618 m = pool_elt_at_index (sm->static_mappings, value.value);
623 return VNET_API_ERROR_VALUE_EXIST;
625 if (vec_len (locals) < 2)
626 return VNET_API_ERROR_INVALID_VALUE;
628 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
630 FIB_SOURCE_PLUGIN_HI);
632 /* Find external address in allocated addresses and reserve port for
633 address and port pair mapping when dynamic translations enabled */
634 if (!sm->static_mapping_only)
636 for (i = 0; i < vec_len (sm->addresses); i++)
638 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
640 a = sm->addresses + i;
641 /* External port must be unused */
644 #define _(N, j, n, s) \
645 case SNAT_PROTOCOL_##N: \
646 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
647 return VNET_API_ERROR_INVALID_VALUE; \
648 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
650 a->busy_##n##_ports++; \
652 foreach_snat_protocol
655 clib_warning("unknown_protocol");
656 return VNET_API_ERROR_INVALID_VALUE_2;
661 /* External address must be allocated */
663 return VNET_API_ERROR_NO_SUCH_ENTRY;
666 pool_get (sm->static_mappings, m);
667 memset (m, 0, sizeof (*m));
668 m->external_addr = e_addr;
671 m->fib_index = fib_index;
672 m->external_port = e_port;
675 m_key.addr = m->external_addr;
676 m_key.port = m->external_port;
677 m_key.protocol = m->proto;
678 m_key.fib_index = sm->outside_fib_index;
679 kv.key = m_key.as_u64;
680 kv.value = m - sm->static_mappings;
681 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1))
683 clib_warning ("static_mapping_by_external key add failed");
684 return VNET_API_ERROR_UNSPECIFIED;
686 m_key.port = clib_host_to_net_u16 (m->external_port);
687 kv.key = m_key.as_u64;
689 if (clib_bihash_add_del_8_8(&sm->out2in, &kv, 1))
691 clib_warning ("static_mapping_by_local key add failed");
692 return VNET_API_ERROR_UNSPECIFIED;
695 m_key.fib_index = m->fib_index;
700 w_key0.addr = locals[0].addr;
701 w_key0.fib_index = fib_index;
702 kv.key = w_key0.as_u64;
704 if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv, &value))
705 worker_index = sm->first_worker_index +
706 sm->workers[sm->next_worker++ % vec_len (sm->workers)];
708 worker_index = value.value;
710 w_key1.addr = m->external_addr;
711 w_key1.port = clib_host_to_net_u16 (m->external_port);
712 w_key1.fib_index = sm->outside_fib_index;
713 kv.key = w_key1.as_u64;
714 kv.value = worker_index;
715 if (clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv, 1))
717 clib_warning ("worker-by-out add key failed");
718 return VNET_API_ERROR_UNSPECIFIED;
722 for (i = 0; i < vec_len (locals); i++)
724 m_key.addr = locals[i].addr;
725 m_key.port = locals[i].port;
726 kv.key = m_key.as_u64;
727 kv.value = m - sm->static_mappings;
728 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
729 locals[i].prefix = locals[i - 1].prefix + locals[i].probability;
730 vec_add1 (m->locals, locals[i]);
731 m_key.port = clib_host_to_net_u16 (locals[i].port);
732 kv.key = m_key.as_u64;
734 if (clib_bihash_add_del_8_8(&sm->in2out, &kv, 1))
736 clib_warning ("in2out key add failed");
737 return VNET_API_ERROR_UNSPECIFIED;
742 w_key0.addr = locals[i].addr;
743 w_key0.fib_index = fib_index;
744 kv.key = w_key0.as_u64;
745 kv.value = worker_index;
746 if (clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv, 1))
748 clib_warning ("worker-by-in key add failed");
749 return VNET_API_ERROR_UNSPECIFIED;
757 return VNET_API_ERROR_NO_SUCH_ENTRY;
759 fib_table_unlock (m->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_HI);
761 /* Free external address port */
762 if (!sm->static_mapping_only)
764 for (i = 0; i < vec_len (sm->addresses); i++)
766 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
768 a = sm->addresses + i;
771 #define _(N, j, n, s) \
772 case SNAT_PROTOCOL_##N: \
773 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
775 a->busy_##n##_ports--; \
777 foreach_snat_protocol
780 clib_warning("unknown_protocol");
781 return VNET_API_ERROR_INVALID_VALUE_2;
788 m_key.addr = m->external_addr;
789 m_key.port = m->external_port;
790 m_key.protocol = m->proto;
791 m_key.fib_index = sm->outside_fib_index;
792 kv.key = m_key.as_u64;
793 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0))
795 clib_warning ("static_mapping_by_external key del failed");
796 return VNET_API_ERROR_UNSPECIFIED;
798 m_key.port = clib_host_to_net_u16 (m->external_port);
799 kv.key = m_key.as_u64;
800 if (clib_bihash_add_del_8_8(&sm->out2in, &kv, 0))
802 clib_warning ("outi2in key del failed");
803 return VNET_API_ERROR_UNSPECIFIED;
806 vec_foreach (local, m->locals)
808 m_key.addr = local->addr;
809 m_key.port = local->port;
810 m_key.fib_index = m->fib_index;
811 kv.key = m_key.as_u64;
812 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
814 clib_warning ("static_mapping_by_local key del failed");
815 return VNET_API_ERROR_UNSPECIFIED;
817 m_key.port = clib_host_to_net_u16 (local->port);
818 kv.key = m_key.as_u64;
819 if (clib_bihash_add_del_8_8(&sm->in2out, &kv, 0))
821 clib_warning ("in2out key del failed");
822 return VNET_API_ERROR_UNSPECIFIED;
826 pool_put (sm->static_mappings, m);
832 int snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm)
834 snat_address_t *a = 0;
836 u32 *ses_to_be_removed = 0, *ses_index;
837 clib_bihash_kv_8_8_t kv, value;
838 snat_user_key_t user_key;
840 snat_main_per_thread_data_t *tsm;
841 snat_static_mapping_t *m;
842 snat_interface_t *interface;
845 /* Find SNAT address */
846 for (i=0; i < vec_len (sm->addresses); i++)
848 if (sm->addresses[i].addr.as_u32 == addr.as_u32)
850 a = sm->addresses + i;
855 return VNET_API_ERROR_NO_SUCH_ENTRY;
859 pool_foreach (m, sm->static_mappings,
861 if (m->external_addr.as_u32 == addr.as_u32)
862 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
863 m->local_port, m->external_port,
864 m->vrf_id, m->addr_only, ~0,
870 /* Check if address is used in some static mapping */
871 if (is_snat_address_used_in_static_mapping(sm, addr))
873 clib_warning ("address used in static mapping");
874 return VNET_API_ERROR_UNSPECIFIED;
878 if (a->fib_index != ~0)
879 fib_table_unlock(a->fib_index, FIB_PROTOCOL_IP4,
880 FIB_SOURCE_PLUGIN_HI);
882 /* Delete sessions using address */
883 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
885 vec_foreach (tsm, sm->per_thread_data)
887 pool_foreach (ses, tsm->sessions, ({
888 if (ses->out2in.addr.as_u32 == addr.as_u32)
890 if (snat_is_unk_proto_session (ses))
892 clib_bihash_kv_16_8_t up_kv;
893 nat_ed_ses_key_t up_key;
894 up_key.l_addr = ses->in2out.addr;
895 up_key.r_addr = ses->ext_host_addr;
896 up_key.fib_index = ses->in2out.fib_index;
897 up_key.proto = ses->in2out.port;
900 up_kv.key[0] = up_key.as_u64[0];
901 up_kv.key[1] = up_key.as_u64[1];
902 if (clib_bihash_add_del_16_8 (&sm->in2out_ed,
904 clib_warning ("in2out key del failed");
906 up_key.l_addr = ses->out2in.addr;
907 up_key.fib_index = ses->out2in.fib_index;
908 up_kv.key[0] = up_key.as_u64[0];
909 up_kv.key[1] = up_key.as_u64[1];
910 if (clib_bihash_add_del_16_8 (&sm->out2in_ed,
912 clib_warning ("out2in key del failed");
917 snat_ipfix_logging_nat44_ses_delete(ses->in2out.addr.as_u32,
918 ses->out2in.addr.as_u32,
919 ses->in2out.protocol,
922 ses->in2out.fib_index);
923 kv.key = ses->in2out.as_u64;
924 clib_bihash_add_del_8_8 (&sm->in2out, &kv, 0);
925 kv.key = ses->out2in.as_u64;
926 clib_bihash_add_del_8_8 (&sm->out2in, &kv, 0);
928 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
929 clib_dlist_remove (tsm->list_pool, ses->per_user_index);
930 user_key.addr = ses->in2out.addr;
931 user_key.fib_index = ses->in2out.fib_index;
932 kv.key = user_key.as_u64;
933 if (!clib_bihash_search_8_8 (&sm->user_hash, &kv, &value))
935 u = pool_elt_at_index (tsm->users, value.value);
941 vec_foreach (ses_index, ses_to_be_removed)
942 pool_put_index (tsm->sessions, ses_index[0]);
944 vec_free (ses_to_be_removed);
948 vec_del1 (sm->addresses, i);
950 /* Delete external address from FIB */
951 pool_foreach (interface, sm->interfaces,
953 if (interface->is_inside)
956 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
959 pool_foreach (interface, sm->output_feature_interfaces,
961 if (interface->is_inside)
964 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
971 int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
973 snat_main_t *sm = &snat_main;
975 const char * feature_name;
977 snat_static_mapping_t * m;
980 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
981 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
984 if (sm->num_workers > 1 && !sm->deterministic)
985 feature_name = is_inside ? "nat44-in2out-worker-handoff" : "nat44-out2in-worker-handoff";
986 else if (sm->deterministic)
987 feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in";
989 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
992 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index,
995 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
996 sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, 0);
998 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
999 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0);
1001 pool_foreach (i, sm->interfaces,
1003 if (i->sw_if_index == sw_if_index)
1006 pool_put (sm->interfaces, i);
1008 return VNET_API_ERROR_VALUE_EXIST;
1015 return VNET_API_ERROR_NO_SUCH_ENTRY;
1017 pool_get (sm->interfaces, i);
1018 i->sw_if_index = sw_if_index;
1019 i->is_inside = is_inside;
1021 /* Add/delete external addresses to FIB */
1026 vec_foreach (ap, sm->addresses)
1027 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1029 pool_foreach (m, sm->static_mappings,
1031 if (!(m->addr_only))
1034 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1037 pool_foreach (dm, sm->det_maps,
1039 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
1045 int snat_interface_add_del_output_feature (u32 sw_if_index,
1049 snat_main_t *sm = &snat_main;
1050 snat_interface_t *i;
1051 snat_address_t * ap;
1052 snat_static_mapping_t * m;
1054 if (sm->deterministic ||
1055 (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)))
1056 return VNET_API_ERROR_UNSUPPORTED;
1060 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
1061 sw_if_index, !is_del, 0, 0);
1062 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
1063 sw_if_index, !is_del, 0, 0);
1067 if (sm->num_workers > 1)
1069 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in-worker-handoff",
1070 sw_if_index, !is_del, 0, 0);
1071 vnet_feature_enable_disable ("ip4-output",
1072 "nat44-in2out-output-worker-handoff",
1073 sw_if_index, !is_del, 0, 0);
1077 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", sw_if_index,
1079 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
1080 sw_if_index, !is_del, 0, 0);
1084 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
1085 sm->fq_in2out_output_index =
1086 vlib_frame_queue_main_init (sm->in2out_output_node_index, 0);
1088 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
1089 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0);
1091 pool_foreach (i, sm->output_feature_interfaces,
1093 if (i->sw_if_index == sw_if_index)
1096 pool_put (sm->output_feature_interfaces, i);
1098 return VNET_API_ERROR_VALUE_EXIST;
1105 return VNET_API_ERROR_NO_SUCH_ENTRY;
1107 pool_get (sm->output_feature_interfaces, i);
1108 i->sw_if_index = sw_if_index;
1109 i->is_inside = is_inside;
1111 /* Add/delete external addresses to FIB */
1116 vec_foreach (ap, sm->addresses)
1117 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1119 pool_foreach (m, sm->static_mappings,
1121 if (!(m->addr_only))
1124 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1130 int snat_set_workers (uword * bitmap)
1132 snat_main_t *sm = &snat_main;
1135 if (sm->num_workers < 2)
1136 return VNET_API_ERROR_FEATURE_DISABLED;
1138 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
1139 return VNET_API_ERROR_INVALID_WORKER;
1141 vec_free (sm->workers);
1142 clib_bitmap_foreach (i, bitmap,
1144 vec_add1(sm->workers, i);
1145 sm->per_thread_data[i].snat_thread_index = j;
1149 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
1150 sm->num_snat_thread = _vec_len (sm->workers);
1157 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
1160 ip4_address_t * address,
1162 u32 if_address_index,
1165 static clib_error_t * snat_init (vlib_main_t * vm)
1167 snat_main_t * sm = &snat_main;
1168 clib_error_t * error = 0;
1169 ip4_main_t * im = &ip4_main;
1170 ip_lookup_main_t * lm = &im->lookup_main;
1172 vlib_thread_registration_t *tr;
1173 vlib_thread_main_t *tm = vlib_get_thread_main ();
1176 ip4_add_del_interface_address_callback_t cb4;
1179 sm->vnet_main = vnet_get_main();
1181 sm->ip4_lookup_main = lm;
1182 sm->api_main = &api_main;
1183 sm->first_worker_index = 0;
1184 sm->next_worker = 0;
1185 sm->num_workers = 0;
1186 sm->num_snat_thread = 1;
1188 sm->port_per_thread = 0xffff - 1024;
1189 sm->fq_in2out_index = ~0;
1190 sm->fq_out2in_index = ~0;
1191 sm->udp_timeout = SNAT_UDP_TIMEOUT;
1192 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
1193 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
1194 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
1196 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
1199 tr = (vlib_thread_registration_t *) p[0];
1202 sm->num_workers = tr->count;
1203 sm->first_worker_index = tr->first_index;
1207 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
1209 /* Use all available workers by default */
1210 if (sm->num_workers > 1)
1212 for (i=0; i < sm->num_workers; i++)
1213 bitmap = clib_bitmap_set (bitmap, i, 1);
1214 snat_set_workers(bitmap);
1215 clib_bitmap_free (bitmap);
1219 sm->per_thread_data[0].snat_thread_index = 0;
1222 error = snat_api_init(vm, sm);
1226 /* Set up the interface address add/del callback */
1227 cb4.function = snat_ip4_add_del_interface_address_cb;
1228 cb4.function_opaque = 0;
1230 vec_add1 (im->add_del_interface_address_callbacks, cb4);
1232 /* Init IPFIX logging */
1233 snat_ipfix_logging_init(vm);
1235 error = nat64_init(vm);
1240 VLIB_INIT_FUNCTION (snat_init);
1242 void snat_free_outside_address_and_port (snat_main_t * sm,
1243 snat_session_key_t * k,
1247 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
1249 ASSERT (address_index < vec_len (sm->addresses));
1251 a = sm->addresses + address_index;
1253 switch (k->protocol)
1255 #define _(N, i, n, s) \
1256 case SNAT_PROTOCOL_##N: \
1257 ASSERT (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
1258 port_host_byte_order) == 1); \
1259 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
1260 port_host_byte_order, 0); \
1261 a->busy_##n##_ports--; \
1263 foreach_snat_protocol
1266 clib_warning("unknown_protocol");
1272 * @brief Match NAT44 static mapping.
1274 * @param sm NAT main.
1275 * @param match Address and port to match.
1276 * @param mapping External or local address and port of the matched mapping.
1277 * @param by_external If 0 match by local address otherwise match by external
1279 * @param is_addr_only If matched mapping is address only
1281 * @returns 0 if match found otherwise 1.
1283 int snat_static_mapping_match (snat_main_t * sm,
1284 snat_session_key_t match,
1285 snat_session_key_t * mapping,
1289 clib_bihash_kv_8_8_t kv, value;
1290 snat_static_mapping_t *m;
1291 snat_session_key_t m_key;
1292 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
1293 u32 rand, lo = 0, hi, mid;
1296 mapping_hash = &sm->static_mapping_by_external;
1298 m_key.addr = match.addr;
1299 m_key.port = clib_net_to_host_u16 (match.port);
1300 m_key.protocol = match.protocol;
1301 m_key.fib_index = match.fib_index;
1303 kv.key = m_key.as_u64;
1305 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
1307 /* Try address only mapping */
1310 kv.key = m_key.as_u64;
1311 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
1315 m = pool_elt_at_index (sm->static_mappings, value.value);
1319 if (vec_len (m->locals))
1321 hi = vec_len (m->locals) - 1;
1322 rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix);
1325 mid = ((hi - 1) >> 1) + lo;
1326 (rand > m->locals[mid].prefix) ? (lo = mid + 1) : (hi = mid);
1328 if (!(m->locals[lo].prefix >= rand))
1330 mapping->addr = m->locals[lo].addr;
1331 mapping->port = clib_host_to_net_u16 (m->locals[lo].port);
1335 mapping->addr = m->local_addr;
1336 /* Address only mapping doesn't change port */
1337 mapping->port = m->addr_only ? match.port
1338 : clib_host_to_net_u16 (m->local_port);
1340 mapping->fib_index = m->fib_index;
1341 mapping->protocol = m->proto;
1345 mapping->addr = m->external_addr;
1346 /* Address only mapping doesn't change port */
1347 mapping->port = m->addr_only ? match.port
1348 : clib_host_to_net_u16 (m->external_port);
1349 mapping->fib_index = sm->outside_fib_index;
1352 if (PREDICT_FALSE(is_addr_only != 0))
1353 *is_addr_only = m->addr_only;
1358 static_always_inline u16
1359 snat_random_port (snat_main_t * sm, u16 min, u16 max)
1361 return min + random_u32 (&sm->random_seed) /
1362 (random_u32_max() / (max - min + 1) + 1);
1365 int snat_alloc_outside_address_and_port (snat_main_t * sm,
1368 snat_session_key_t * k,
1369 u32 * address_indexp)
1375 for (i = 0; i < vec_len (sm->addresses); i++)
1377 a = sm->addresses + i;
1378 if (sm->vrf_mode && a->fib_index != ~0 && a->fib_index != fib_index)
1380 switch (k->protocol)
1382 #define _(N, j, n, s) \
1383 case SNAT_PROTOCOL_##N: \
1384 if (a->busy_##n##_ports < (sm->port_per_thread * sm->num_snat_thread)) \
1388 portnum = (sm->port_per_thread * \
1389 sm->per_thread_data[thread_index].snat_thread_index) + \
1390 snat_random_port(sm, 0, sm->port_per_thread) + 1024; \
1391 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
1393 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
1394 a->busy_##n##_ports++; \
1395 k->addr = a->addr; \
1396 k->port = clib_host_to_net_u16(portnum); \
1397 *address_indexp = i; \
1402 foreach_snat_protocol
1405 clib_warning("unknown protocol");
1410 /* Totally out of translations to use... */
1411 snat_ipfix_logging_addresses_exhausted(0);
1416 static clib_error_t *
1417 add_address_command_fn (vlib_main_t * vm,
1418 unformat_input_t * input,
1419 vlib_cli_command_t * cmd)
1421 unformat_input_t _line_input, *line_input = &_line_input;
1422 snat_main_t * sm = &snat_main;
1423 ip4_address_t start_addr, end_addr, this_addr;
1424 u32 start_host_order, end_host_order;
1429 clib_error_t *error = 0;
1431 /* Get a line of input. */
1432 if (!unformat_user (input, unformat_line_input, line_input))
1435 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1437 if (unformat (line_input, "%U - %U",
1438 unformat_ip4_address, &start_addr,
1439 unformat_ip4_address, &end_addr))
1441 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
1443 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
1444 end_addr = start_addr;
1445 else if (unformat (line_input, "del"))
1449 error = clib_error_return (0, "unknown input '%U'",
1450 format_unformat_error, line_input);
1455 if (sm->static_mapping_only)
1457 error = clib_error_return (0, "static mapping only mode");
1461 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
1462 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
1464 if (end_host_order < start_host_order)
1466 error = clib_error_return (0, "end address less than start address");
1470 count = (end_host_order - start_host_order) + 1;
1473 clib_warning ("%U - %U, %d addresses...",
1474 format_ip4_address, &start_addr,
1475 format_ip4_address, &end_addr,
1478 this_addr = start_addr;
1480 for (i = 0; i < count; i++)
1483 snat_add_address (sm, &this_addr, vrf_id);
1485 rv = snat_del_address (sm, this_addr, 0);
1489 case VNET_API_ERROR_NO_SUCH_ENTRY:
1490 error = clib_error_return (0, "S-NAT address not exist.");
1492 case VNET_API_ERROR_UNSPECIFIED:
1493 error = clib_error_return (0, "S-NAT address used in static mapping.");
1499 increment_v4_address (&this_addr);
1503 unformat_free (line_input);
1508 VLIB_CLI_COMMAND (add_address_command, static) = {
1509 .path = "nat44 add address",
1510 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
1511 "[tenant-vrf <vrf-id>] [del]",
1512 .function = add_address_command_fn,
1515 static clib_error_t *
1516 snat_feature_command_fn (vlib_main_t * vm,
1517 unformat_input_t * input,
1518 vlib_cli_command_t * cmd)
1520 unformat_input_t _line_input, *line_input = &_line_input;
1521 vnet_main_t * vnm = vnet_get_main();
1522 clib_error_t * error = 0;
1524 u32 * inside_sw_if_indices = 0;
1525 u32 * outside_sw_if_indices = 0;
1526 u8 is_output_feature = 0;
1532 /* Get a line of input. */
1533 if (!unformat_user (input, unformat_line_input, line_input))
1536 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1538 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
1540 vec_add1 (inside_sw_if_indices, sw_if_index);
1541 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
1543 vec_add1 (outside_sw_if_indices, sw_if_index);
1544 else if (unformat (line_input, "output-feature"))
1545 is_output_feature = 1;
1546 else if (unformat (line_input, "del"))
1550 error = clib_error_return (0, "unknown input '%U'",
1551 format_unformat_error, line_input);
1556 if (vec_len (inside_sw_if_indices))
1558 for (i = 0; i < vec_len(inside_sw_if_indices); i++)
1560 sw_if_index = inside_sw_if_indices[i];
1561 if (is_output_feature)
1563 if (snat_interface_add_del_output_feature (sw_if_index, 1, is_del))
1565 error = clib_error_return (0, "%s %U failed",
1566 is_del ? "del" : "add",
1567 format_vnet_sw_interface_name, vnm,
1568 vnet_get_sw_interface (vnm,
1575 if (snat_interface_add_del (sw_if_index, 1, is_del))
1577 error = clib_error_return (0, "%s %U failed",
1578 is_del ? "del" : "add",
1579 format_vnet_sw_interface_name, vnm,
1580 vnet_get_sw_interface (vnm,
1588 if (vec_len (outside_sw_if_indices))
1590 for (i = 0; i < vec_len(outside_sw_if_indices); i++)
1592 sw_if_index = outside_sw_if_indices[i];
1593 if (is_output_feature)
1595 if (snat_interface_add_del_output_feature (sw_if_index, 0, is_del))
1597 error = clib_error_return (0, "%s %U failed",
1598 is_del ? "del" : "add",
1599 format_vnet_sw_interface_name, vnm,
1600 vnet_get_sw_interface (vnm,
1607 if (snat_interface_add_del (sw_if_index, 0, is_del))
1609 error = clib_error_return (0, "%s %U failed",
1610 is_del ? "del" : "add",
1611 format_vnet_sw_interface_name, vnm,
1612 vnet_get_sw_interface (vnm,
1621 unformat_free (line_input);
1622 vec_free (inside_sw_if_indices);
1623 vec_free (outside_sw_if_indices);
1628 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
1629 .path = "set interface nat44",
1630 .function = snat_feature_command_fn,
1631 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
1636 unformat_snat_protocol (unformat_input_t * input, va_list * args)
1638 u32 *r = va_arg (*args, u32 *);
1641 #define _(N, i, n, s) else if (unformat (input, s)) *r = SNAT_PROTOCOL_##N;
1642 foreach_snat_protocol
1650 format_snat_protocol (u8 * s, va_list * args)
1652 u32 i = va_arg (*args, u32);
1657 #define _(N, j, n, str) case SNAT_PROTOCOL_##N: t = (u8 *) str; break;
1658 foreach_snat_protocol
1661 s = format (s, "unknown");
1664 s = format (s, "%s", t);
1668 static clib_error_t *
1669 add_static_mapping_command_fn (vlib_main_t * vm,
1670 unformat_input_t * input,
1671 vlib_cli_command_t * cmd)
1673 unformat_input_t _line_input, *line_input = &_line_input;
1674 clib_error_t * error = 0;
1675 ip4_address_t l_addr, e_addr;
1676 u32 l_port = 0, e_port = 0, vrf_id = ~0;
1679 u32 sw_if_index = ~0;
1680 vnet_main_t * vnm = vnet_get_main();
1682 snat_protocol_t proto;
1685 /* Get a line of input. */
1686 if (!unformat_user (input, unformat_line_input, line_input))
1689 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1691 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
1694 else if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
1696 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
1699 else if (unformat (line_input, "external %U", unformat_ip4_address,
1702 else if (unformat (line_input, "external %U %u",
1703 unformat_vnet_sw_interface, vnm, &sw_if_index,
1707 else if (unformat (line_input, "external %U",
1708 unformat_vnet_sw_interface, vnm, &sw_if_index))
1710 else if (unformat (line_input, "vrf %u", &vrf_id))
1712 else if (unformat (line_input, "%U", unformat_snat_protocol, &proto))
1714 else if (unformat (line_input, "del"))
1718 error = clib_error_return (0, "unknown input: '%U'",
1719 format_unformat_error, line_input);
1724 if (!addr_only && !proto_set)
1726 error = clib_error_return (0, "missing protocol");
1730 rv = snat_add_static_mapping(l_addr, e_addr, (u16) l_port, (u16) e_port,
1731 vrf_id, addr_only, sw_if_index, proto, is_add);
1735 case VNET_API_ERROR_INVALID_VALUE:
1736 error = clib_error_return (0, "External port already in use.");
1738 case VNET_API_ERROR_NO_SUCH_ENTRY:
1740 error = clib_error_return (0, "External addres must be allocated.");
1742 error = clib_error_return (0, "Mapping not exist.");
1744 case VNET_API_ERROR_NO_SUCH_FIB:
1745 error = clib_error_return (0, "No such VRF id.");
1747 case VNET_API_ERROR_VALUE_EXIST:
1748 error = clib_error_return (0, "Mapping already exist.");
1755 unformat_free (line_input);
1762 * @cliexstart{snat add static mapping}
1763 * Static mapping allows hosts on the external network to initiate connection
1764 * to to the local network host.
1765 * To create static mapping between local host address 10.0.0.3 port 6303 and
1766 * external address 4.4.4.4 port 3606 for TCP protocol use:
1767 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
1768 * If not runnig "static mapping only" NAT plugin mode use before:
1769 * vpp# nat44 add address 4.4.4.4
1770 * To create static mapping between local and external address use:
1771 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
1774 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
1775 .path = "nat44 add static mapping",
1776 .function = add_static_mapping_command_fn,
1778 "nat44 add static mapping tcp|udp|icmp local <addr> [<port>] external <addr> [<port>] [vrf <table-id>] [del]",
1781 static clib_error_t *
1782 add_lb_static_mapping_command_fn (vlib_main_t * vm,
1783 unformat_input_t * input,
1784 vlib_cli_command_t * cmd)
1786 unformat_input_t _line_input, *line_input = &_line_input;
1787 clib_error_t * error = 0;
1788 ip4_address_t l_addr, e_addr;
1789 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
1792 snat_protocol_t proto;
1794 nat44_lb_addr_port_t *locals = 0, local;
1796 /* Get a line of input. */
1797 if (!unformat_user (input, unformat_line_input, line_input))
1800 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1802 if (unformat (line_input, "local %U:%u probability %u",
1803 unformat_ip4_address, &l_addr, &l_port, &probability))
1805 memset (&local, 0, sizeof (local));
1806 local.addr = l_addr;
1807 local.port = (u16) l_port;
1808 local.probability = (u8) probability;
1809 vec_add1 (locals, local);
1811 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1814 else if (unformat (line_input, "vrf %u", &vrf_id))
1816 else if (unformat (line_input, "protocol %U", unformat_snat_protocol,
1819 else if (unformat (line_input, "del"))
1823 error = clib_error_return (0, "unknown input: '%U'",
1824 format_unformat_error, line_input);
1829 if (vec_len (locals) < 2)
1831 error = clib_error_return (0, "at least two local must be set");
1837 error = clib_error_return (0, "missing protocol");
1841 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, vrf_id,
1846 case VNET_API_ERROR_INVALID_VALUE:
1847 error = clib_error_return (0, "External port already in use.");
1849 case VNET_API_ERROR_NO_SUCH_ENTRY:
1851 error = clib_error_return (0, "External addres must be allocated.");
1853 error = clib_error_return (0, "Mapping not exist.");
1855 case VNET_API_ERROR_VALUE_EXIST:
1856 error = clib_error_return (0, "Mapping already exist.");
1863 unformat_free (line_input);
1869 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
1870 .path = "nat44 add load-balancing static mapping",
1871 .function = add_lb_static_mapping_command_fn,
1873 "nat44 add load-balancing static mapping protocol tcp|udp external <addr>:<port> local <addr>:<port> probability <n> [vrf <table-id>] [del]",
1876 static clib_error_t *
1877 set_workers_command_fn (vlib_main_t * vm,
1878 unformat_input_t * input,
1879 vlib_cli_command_t * cmd)
1881 unformat_input_t _line_input, *line_input = &_line_input;
1884 clib_error_t *error = 0;
1886 /* Get a line of input. */
1887 if (!unformat_user (input, unformat_line_input, line_input))
1890 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1892 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
1896 error = clib_error_return (0, "unknown input '%U'",
1897 format_unformat_error, line_input);
1904 error = clib_error_return (0, "List of workers must be specified.");
1908 rv = snat_set_workers(bitmap);
1910 clib_bitmap_free (bitmap);
1914 case VNET_API_ERROR_INVALID_WORKER:
1915 error = clib_error_return (0, "Invalid worker(s).");
1917 case VNET_API_ERROR_FEATURE_DISABLED:
1918 error = clib_error_return (0,
1919 "Supported only if 2 or more workes available.");
1926 unformat_free (line_input);
1933 * @cliexstart{set snat workers}
1934 * Set NAT workers if 2 or more workers available, use:
1935 * vpp# set snat workers 0-2,5
1938 VLIB_CLI_COMMAND (set_workers_command, static) = {
1939 .path = "set nat workers",
1940 .function = set_workers_command_fn,
1942 "set nat workers <workers-list>",
1945 static clib_error_t *
1946 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
1947 unformat_input_t * input,
1948 vlib_cli_command_t * cmd)
1950 unformat_input_t _line_input, *line_input = &_line_input;
1955 clib_error_t *error = 0;
1957 /* Get a line of input. */
1958 if (!unformat_user (input, unformat_line_input, line_input))
1961 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1963 if (unformat (line_input, "domain %d", &domain_id))
1965 else if (unformat (line_input, "src-port %d", &src_port))
1967 else if (unformat (line_input, "disable"))
1971 error = clib_error_return (0, "unknown input '%U'",
1972 format_unformat_error, line_input);
1977 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
1981 error = clib_error_return (0, "ipfix logging enable failed");
1986 unformat_free (line_input);
1993 * @cliexstart{snat ipfix logging}
1994 * To enable NAT IPFIX logging use:
1995 * vpp# nat ipfix logging
1996 * To set IPFIX exporter use:
1997 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
2000 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
2001 .path = "nat ipfix logging",
2002 .function = snat_ipfix_logging_enable_disable_command_fn,
2003 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
2007 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2009 snat_main_t *sm = &snat_main;
2010 snat_user_key_t key0;
2011 clib_bihash_kv_8_8_t kv0, value0;
2012 u32 next_worker_index = 0;
2014 key0.addr = ip0->src_address;
2015 key0.fib_index = rx_fib_index0;
2017 kv0.key = key0.as_u64;
2019 /* Ever heard of of the "user" before? */
2020 if (clib_bihash_search_8_8 (&sm->worker_by_in, &kv0, &value0))
2022 /* No, assign next available worker (RR) */
2023 next_worker_index = sm->first_worker_index;
2024 if (vec_len (sm->workers))
2026 next_worker_index +=
2027 sm->workers[sm->next_worker++ % _vec_len (sm->workers)];
2030 /* add non-traslated packets worker lookup */
2031 kv0.value = next_worker_index;
2032 clib_bihash_add_del_8_8 (&sm->worker_by_in, &kv0, 1);
2035 next_worker_index = value0.value;
2037 return next_worker_index;
2041 snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2043 snat_main_t *sm = &snat_main;
2044 snat_worker_key_t key0;
2045 clib_bihash_kv_8_8_t kv0, value0;
2046 udp_header_t * udp0;
2047 u32 next_worker_index = 0;
2049 udp0 = ip4_next_header (ip0);
2051 key0.addr = ip0->dst_address;
2052 key0.port = udp0->dst_port;
2053 key0.fib_index = rx_fib_index0;
2055 if (PREDICT_FALSE(ip0->protocol == IP_PROTOCOL_ICMP))
2057 icmp46_header_t * icmp0 = (icmp46_header_t *) udp0;
2058 icmp_echo_header_t *echo0 = (icmp_echo_header_t *)(icmp0+1);
2059 key0.port = echo0->identifier;
2062 kv0.key = key0.as_u64;
2064 /* Ever heard of of the "user" before? */
2065 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
2068 kv0.key = key0.as_u64;
2070 if (clib_bihash_search_8_8 (&sm->worker_by_out, &kv0, &value0))
2072 /* No, assign next available worker (RR) */
2073 next_worker_index = sm->first_worker_index;
2074 if (vec_len (sm->workers))
2076 next_worker_index +=
2077 sm->workers[sm->next_worker++ % _vec_len (sm->workers)];
2082 /* Static mapping without port */
2083 next_worker_index = value0.value;
2086 /* Add to translated packets worker lookup */
2087 key0.port = udp0->dst_port;
2088 kv0.key = key0.as_u64;
2089 kv0.value = next_worker_index;
2090 clib_bihash_add_del_8_8 (&sm->worker_by_out, &kv0, 1);
2093 next_worker_index = value0.value;
2095 return next_worker_index;
2098 static clib_error_t *
2099 snat_config (vlib_main_t * vm, unformat_input_t * input)
2101 snat_main_t * sm = &snat_main;
2102 u32 translation_buckets = 1024;
2103 u32 translation_memory_size = 128<<20;
2104 u32 user_buckets = 128;
2105 u32 user_memory_size = 64<<20;
2106 u32 max_translations_per_user = 100;
2107 u32 outside_vrf_id = 0;
2108 u32 inside_vrf_id = 0;
2109 u32 static_mapping_buckets = 1024;
2110 u32 static_mapping_memory_size = 64<<20;
2111 u8 static_mapping_only = 0;
2112 u8 static_mapping_connection_tracking = 0;
2114 sm->deterministic = 0;
2116 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
2118 if (unformat (input, "translation hash buckets %d", &translation_buckets))
2120 else if (unformat (input, "translation hash memory %d",
2121 &translation_memory_size));
2122 else if (unformat (input, "user hash buckets %d", &user_buckets))
2124 else if (unformat (input, "user hash memory %d",
2127 else if (unformat (input, "max translations per user %d",
2128 &max_translations_per_user))
2130 else if (unformat (input, "outside VRF id %d",
2133 else if (unformat (input, "inside VRF id %d",
2136 else if (unformat (input, "static mapping only"))
2138 static_mapping_only = 1;
2139 if (unformat (input, "connection tracking"))
2140 static_mapping_connection_tracking = 1;
2142 else if (unformat (input, "deterministic"))
2143 sm->deterministic = 1;
2145 return clib_error_return (0, "unknown input '%U'",
2146 format_unformat_error, input);
2149 /* for show commands, etc. */
2150 sm->translation_buckets = translation_buckets;
2151 sm->translation_memory_size = translation_memory_size;
2152 sm->user_buckets = user_buckets;
2153 sm->user_memory_size = user_memory_size;
2154 sm->max_translations_per_user = max_translations_per_user;
2155 sm->outside_vrf_id = outside_vrf_id;
2156 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
2158 FIB_SOURCE_PLUGIN_HI);
2159 sm->inside_vrf_id = inside_vrf_id;
2160 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
2162 FIB_SOURCE_PLUGIN_HI);
2163 sm->static_mapping_only = static_mapping_only;
2164 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
2166 if (sm->deterministic)
2168 sm->in2out_node_index = snat_det_in2out_node.index;
2169 sm->in2out_output_node_index = ~0;
2170 sm->out2in_node_index = snat_det_out2in_node.index;
2171 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
2172 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
2176 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
2177 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
2178 sm->in2out_node_index = snat_in2out_node.index;
2179 sm->in2out_output_node_index = snat_in2out_output_node.index;
2180 sm->out2in_node_index = snat_out2in_node.index;
2181 if (!static_mapping_only ||
2182 (static_mapping_only && static_mapping_connection_tracking))
2184 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
2185 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
2187 clib_bihash_init_8_8 (&sm->worker_by_in, "worker-by-in", user_buckets,
2190 clib_bihash_init_8_8 (&sm->worker_by_out, "worker-by-out", user_buckets,
2193 clib_bihash_init_8_8 (&sm->in2out, "in2out", translation_buckets,
2194 translation_memory_size);
2196 clib_bihash_init_8_8 (&sm->out2in, "out2in", translation_buckets,
2197 translation_memory_size);
2199 clib_bihash_init_8_8 (&sm->user_hash, "users", user_buckets,
2202 clib_bihash_init_16_8 (&sm->in2out_ed, "in2out-ed",
2203 translation_buckets, translation_memory_size);
2205 clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed",
2206 translation_buckets, translation_memory_size);
2210 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
2211 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
2213 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
2214 "static_mapping_by_local", static_mapping_buckets,
2215 static_mapping_memory_size);
2217 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
2218 "static_mapping_by_external", static_mapping_buckets,
2219 static_mapping_memory_size);
2225 VLIB_CONFIG_FUNCTION (snat_config, "nat");
2227 u8 * format_snat_session_state (u8 * s, va_list * args)
2229 u32 i = va_arg (*args, u32);
2234 #define _(v, N, str) case SNAT_SESSION_##N: t = (u8 *) str; break;
2235 foreach_snat_session_state
2238 t = format (t, "unknown");
2240 s = format (s, "%s", t);
2244 u8 * format_snat_key (u8 * s, va_list * args)
2246 snat_session_key_t * key = va_arg (*args, snat_session_key_t *);
2248 s = format (s, "%U proto %U port %d fib %d",
2249 format_ip4_address, &key->addr,
2250 format_snat_protocol, key->protocol,
2251 clib_net_to_host_u16 (key->port), key->fib_index);
2255 u8 * format_snat_session (u8 * s, va_list * args)
2257 snat_main_t * sm __attribute__((unused)) = va_arg (*args, snat_main_t *);
2258 snat_session_t * sess = va_arg (*args, snat_session_t *);
2260 if (snat_is_unk_proto_session (sess))
2262 s = format (s, " i2o %U proto %u fib %u\n",
2263 format_ip4_address, &sess->in2out.addr, sess->in2out.port,
2264 sess->in2out.fib_index);
2265 s = format (s, " o2i %U proto %u fib %u\n",
2266 format_ip4_address, &sess->out2in.addr, sess->out2in.port,
2267 sess->out2in.fib_index);
2271 s = format (s, " i2o %U\n", format_snat_key, &sess->in2out);
2272 s = format (s, " o2i %U\n", format_snat_key, &sess->out2in);
2274 if (sess->ext_host_addr.as_u32)
2275 s = format (s, " external host %U\n",
2276 format_ip4_address, &sess->ext_host_addr);
2277 s = format (s, " last heard %.2f\n", sess->last_heard);
2278 s = format (s, " total pkts %d, total bytes %lld\n",
2279 sess->total_pkts, sess->total_bytes);
2280 if (snat_is_session_static (sess))
2281 s = format (s, " static translation\n");
2283 s = format (s, " dynamic translation\n");
2284 if (sess->flags & SNAT_SESSION_FLAG_LOAD_BALANCING)
2285 s = format (s, " load-balancing\n");
2290 u8 * format_snat_user (u8 * s, va_list * args)
2292 snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *);
2293 snat_user_t * u = va_arg (*args, snat_user_t *);
2294 int verbose = va_arg (*args, int);
2295 dlist_elt_t * head, * elt;
2296 u32 elt_index, head_index;
2298 snat_session_t * sess;
2300 s = format (s, "%U: %d dynamic translations, %d static translations\n",
2301 format_ip4_address, &u->addr, u->nsessions, u->nstaticsessions);
2306 if (u->nsessions || u->nstaticsessions)
2308 head_index = u->sessions_per_user_list_head_index;
2309 head = pool_elt_at_index (sm->list_pool, head_index);
2311 elt_index = head->next;
2312 elt = pool_elt_at_index (sm->list_pool, elt_index);
2313 session_index = elt->value;
2315 while (session_index != ~0)
2317 sess = pool_elt_at_index (sm->sessions, session_index);
2319 s = format (s, " %U\n", format_snat_session, sm, sess);
2321 elt_index = elt->next;
2322 elt = pool_elt_at_index (sm->list_pool, elt_index);
2323 session_index = elt->value;
2330 u8 * format_snat_static_mapping (u8 * s, va_list * args)
2332 snat_static_mapping_t *m = va_arg (*args, snat_static_mapping_t *);
2333 nat44_lb_addr_port_t *local;
2336 s = format (s, "local %U external %U vrf %d",
2337 format_ip4_address, &m->local_addr,
2338 format_ip4_address, &m->external_addr,
2342 if (vec_len (m->locals))
2344 s = format (s, "%U vrf %d external %U:%d",
2345 format_snat_protocol, m->proto,
2347 format_ip4_address, &m->external_addr, m->external_port);
2348 vec_foreach (local, m->locals)
2349 s = format (s, "\n local %U:%d probability %d\%",
2350 format_ip4_address, &local->addr, local->port,
2351 local->probability);
2354 s = format (s, "%U local %U:%d external %U:%d vrf %d",
2355 format_snat_protocol, m->proto,
2356 format_ip4_address, &m->local_addr, m->local_port,
2357 format_ip4_address, &m->external_addr, m->external_port,
2363 u8 * format_snat_static_map_to_resolve (u8 * s, va_list * args)
2365 snat_static_map_resolve_t *m = va_arg (*args, snat_static_map_resolve_t *);
2366 vnet_main_t *vnm = vnet_get_main();
2369 s = format (s, "local %U external %U vrf %d",
2370 format_ip4_address, &m->l_addr,
2371 format_vnet_sw_interface_name, vnm,
2372 vnet_get_sw_interface (vnm, m->sw_if_index),
2375 s = format (s, "%U local %U:%d external %U:%d vrf %d",
2376 format_snat_protocol, m->proto,
2377 format_ip4_address, &m->l_addr, m->l_port,
2378 format_vnet_sw_interface_name, vnm,
2379 vnet_get_sw_interface (vnm, m->sw_if_index), m->e_port,
2385 u8 * format_det_map_ses (u8 * s, va_list * args)
2387 snat_det_map_t * det_map = va_arg (*args, snat_det_map_t *);
2388 ip4_address_t in_addr, out_addr;
2389 u32 in_offset, out_offset;
2390 snat_det_session_t * ses = va_arg (*args, snat_det_session_t *);
2391 u32 * i = va_arg (*args, u32 *);
2393 u32 user_index = *i / SNAT_DET_SES_PER_USER;
2394 in_addr.as_u32 = clib_host_to_net_u32 (
2395 clib_net_to_host_u32(det_map->in_addr.as_u32) + user_index);
2396 in_offset = clib_net_to_host_u32(in_addr.as_u32) -
2397 clib_net_to_host_u32(det_map->in_addr.as_u32);
2398 out_offset = in_offset / det_map->sharing_ratio;
2399 out_addr.as_u32 = clib_host_to_net_u32(
2400 clib_net_to_host_u32(det_map->out_addr.as_u32) + out_offset);
2401 s = format (s, "in %U:%d out %U:%d external host %U:%d state: %U expire: %d\n",
2402 format_ip4_address, &in_addr,
2403 clib_net_to_host_u16 (ses->in_port),
2404 format_ip4_address, &out_addr,
2405 clib_net_to_host_u16 (ses->out.out_port),
2406 format_ip4_address, &ses->out.ext_host_addr,
2407 clib_net_to_host_u16 (ses->out.ext_host_port),
2408 format_snat_session_state, ses->state,
2414 static clib_error_t *
2415 show_snat_command_fn (vlib_main_t * vm,
2416 unformat_input_t * input,
2417 vlib_cli_command_t * cmd)
2420 snat_main_t * sm = &snat_main;
2422 snat_static_mapping_t *m;
2423 snat_interface_t *i;
2424 snat_address_t * ap;
2425 vnet_main_t *vnm = vnet_get_main();
2426 snat_main_per_thread_data_t *tsm;
2427 u32 users_num = 0, sessions_num = 0, *worker, *sw_if_index;
2429 snat_static_map_resolve_t *rp;
2430 snat_det_map_t * dm;
2431 snat_det_session_t * ses;
2433 if (unformat (input, "detail"))
2435 else if (unformat (input, "verbose"))
2438 if (sm->static_mapping_only)
2440 if (sm->static_mapping_connection_tracking)
2441 vlib_cli_output (vm, "NAT plugin mode: static mapping only connection "
2444 vlib_cli_output (vm, "NAT plugin mode: static mapping only");
2446 else if (sm->deterministic)
2448 vlib_cli_output (vm, "NAT plugin mode: deterministic mapping");
2452 vlib_cli_output (vm, "NAT plugin mode: dynamic translations enabled");
2457 pool_foreach (i, sm->interfaces,
2459 vlib_cli_output (vm, "%U %s", format_vnet_sw_interface_name, vnm,
2460 vnet_get_sw_interface (vnm, i->sw_if_index),
2461 i->is_inside ? "in" : "out");
2464 pool_foreach (i, sm->output_feature_interfaces,
2466 vlib_cli_output (vm, "%U output-feature %s",
2467 format_vnet_sw_interface_name, vnm,
2468 vnet_get_sw_interface (vnm, i->sw_if_index),
2469 i->is_inside ? "in" : "out");
2472 if (vec_len (sm->auto_add_sw_if_indices))
2474 vlib_cli_output (vm, "NAT44 pool addresses interfaces:");
2475 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
2477 vlib_cli_output (vm, "%U", format_vnet_sw_interface_name, vnm,
2478 vnet_get_sw_interface (vnm, *sw_if_index));
2482 vec_foreach (ap, sm->addresses)
2484 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
2485 if (ap->fib_index != ~0)
2486 vlib_cli_output (vm, " tenant VRF: %u",
2487 ip4_fib_get(ap->fib_index)->table_id);
2489 vlib_cli_output (vm, " tenant VRF independent");
2490 #define _(N, i, n, s) \
2491 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
2492 foreach_snat_protocol
2497 if (sm->num_workers > 1)
2499 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
2502 vec_foreach (worker, sm->workers)
2504 vlib_worker_thread_t *w =
2505 vlib_worker_threads + *worker + sm->first_worker_index;
2506 vlib_cli_output (vm, " %s", w->name);
2511 if (sm->deterministic)
2513 vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
2514 vlib_cli_output (vm, "tcp-established timeout: %dsec",
2515 sm->tcp_established_timeout);
2516 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
2517 sm->tcp_transitory_timeout);
2518 vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
2519 vlib_cli_output (vm, "%d deterministic mappings",
2520 pool_elts (sm->det_maps));
2523 pool_foreach (dm, sm->det_maps,
2525 vlib_cli_output (vm, "in %U/%d out %U/%d\n",
2526 format_ip4_address, &dm->in_addr, dm->in_plen,
2527 format_ip4_address, &dm->out_addr, dm->out_plen);
2528 vlib_cli_output (vm, " outside address sharing ratio: %d\n",
2530 vlib_cli_output (vm, " number of ports per inside host: %d\n",
2531 dm->ports_per_host);
2532 vlib_cli_output (vm, " sessions number: %d\n", dm->ses_num);
2535 vec_foreach_index (j, dm->sessions)
2537 ses = vec_elt_at_index (dm->sessions, j);
2539 vlib_cli_output (vm, " %U", format_det_map_ses, dm, ses,
2548 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
2550 vlib_cli_output (vm, "%d static mappings",
2551 pool_elts (sm->static_mappings));
2555 pool_foreach (m, sm->static_mappings,
2557 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
2563 vec_foreach (tsm, sm->per_thread_data)
2565 users_num += pool_elts (tsm->users);
2566 sessions_num += pool_elts (tsm->sessions);
2569 vlib_cli_output (vm, "%d users, %d outside addresses, %d active sessions,"
2570 " %d static mappings",
2572 vec_len (sm->addresses),
2574 pool_elts (sm->static_mappings));
2578 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->in2out,
2580 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->out2in,
2582 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->in2out_ed,
2584 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->out2in_ed,
2586 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->worker_by_in,
2588 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->worker_by_out,
2590 vec_foreach_index (j, sm->per_thread_data)
2592 tsm = vec_elt_at_index (sm->per_thread_data, j);
2594 if (pool_elts (tsm->users) == 0)
2597 vlib_worker_thread_t *w = vlib_worker_threads + j;
2598 vlib_cli_output (vm, "Thread %d (%s at lcore %u):", j, w->name,
2600 vlib_cli_output (vm, " %d list pool elements",
2601 pool_elts (tsm->list_pool));
2603 pool_foreach (u, tsm->users,
2605 vlib_cli_output (vm, " %U", format_snat_user, tsm, u,
2610 if (pool_elts (sm->static_mappings))
2612 vlib_cli_output (vm, "static mappings:");
2613 pool_foreach (m, sm->static_mappings,
2615 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
2617 for (j = 0; j < vec_len (sm->to_resolve); j++)
2619 rp = sm->to_resolve + j;
2620 vlib_cli_output (vm, "%U",
2621 format_snat_static_map_to_resolve, rp);
2630 VLIB_CLI_COMMAND (show_snat_command, static) = {
2631 .path = "show nat44",
2632 .short_help = "show nat44",
2633 .function = show_snat_command_fn,
2638 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
2641 ip4_address_t * address,
2643 u32 if_address_index,
2646 snat_main_t *sm = &snat_main;
2647 snat_static_map_resolve_t *rp;
2648 u32 *indices_to_delete = 0;
2652 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++)
2654 if (sw_if_index == sm->auto_add_sw_if_indices[i])
2658 /* Don't trip over lease renewal, static config */
2659 for (j = 0; j < vec_len(sm->addresses); j++)
2660 if (sm->addresses[j].addr.as_u32 == address->as_u32)
2663 snat_add_address (sm, address, ~0);
2664 /* Scan static map resolution vector */
2665 for (j = 0; j < vec_len (sm->to_resolve); j++)
2667 rp = sm->to_resolve + j;
2668 /* On this interface? */
2669 if (rp->sw_if_index == sw_if_index)
2671 /* Add the static mapping */
2672 rv = snat_add_static_mapping (rp->l_addr,
2678 ~0 /* sw_if_index */,
2682 clib_warning ("snat_add_static_mapping returned %d",
2684 vec_add1 (indices_to_delete, j);
2687 /* If we resolved any of the outstanding static mappings */
2688 if (vec_len(indices_to_delete))
2691 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
2692 vec_delete(sm->to_resolve, 1, j);
2693 vec_free(indices_to_delete);
2699 (void) snat_del_address(sm, address[0], 1);
2707 int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del)
2709 ip4_main_t * ip4_main = sm->ip4_main;
2710 ip4_address_t * first_int_addr;
2711 snat_static_map_resolve_t *rp;
2712 u32 *indices_to_delete = 0;
2715 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index,
2716 0 /* just want the address*/);
2718 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++)
2720 if (sm->auto_add_sw_if_indices[i] == sw_if_index)
2724 /* if have address remove it */
2726 (void) snat_del_address (sm, first_int_addr[0], 1);
2729 for (j = 0; j < vec_len (sm->to_resolve); j++)
2731 rp = sm->to_resolve + j;
2732 if (rp->sw_if_index == sw_if_index)
2733 vec_add1 (indices_to_delete, j);
2735 if (vec_len(indices_to_delete))
2737 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
2738 vec_del1(sm->to_resolve, j);
2739 vec_free(indices_to_delete);
2742 vec_del1(sm->auto_add_sw_if_indices, i);
2745 return VNET_API_ERROR_VALUE_EXIST;
2752 return VNET_API_ERROR_NO_SUCH_ENTRY;
2754 /* add to the auto-address list */
2755 vec_add1(sm->auto_add_sw_if_indices, sw_if_index);
2757 /* If the address is already bound - or static - add it now */
2759 snat_add_address (sm, first_int_addr, ~0);
2764 static clib_error_t *
2765 snat_add_interface_address_command_fn (vlib_main_t * vm,
2766 unformat_input_t * input,
2767 vlib_cli_command_t * cmd)
2769 snat_main_t *sm = &snat_main;
2770 unformat_input_t _line_input, *line_input = &_line_input;
2774 clib_error_t *error = 0;
2776 /* Get a line of input. */
2777 if (!unformat_user (input, unformat_line_input, line_input))
2780 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2782 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
2783 sm->vnet_main, &sw_if_index))
2785 else if (unformat (line_input, "del"))
2789 error = clib_error_return (0, "unknown input '%U'",
2790 format_unformat_error, line_input);
2795 rv = snat_add_interface_address (sm, sw_if_index, is_del);
2803 error = clib_error_return (0, "snat_add_interface_address returned %d",
2809 unformat_free (line_input);
2814 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2815 .path = "nat44 add interface address",
2816 .short_help = "nat44 add interface address <interface> [del]",
2817 .function = snat_add_interface_address_command_fn,
2820 static clib_error_t *
2821 snat_det_map_command_fn (vlib_main_t * vm,
2822 unformat_input_t * input,
2823 vlib_cli_command_t * cmd)
2825 snat_main_t *sm = &snat_main;
2826 unformat_input_t _line_input, *line_input = &_line_input;
2827 ip4_address_t in_addr, out_addr;
2828 u32 in_plen, out_plen;
2830 clib_error_t *error = 0;
2832 /* Get a line of input. */
2833 if (!unformat_user (input, unformat_line_input, line_input))
2836 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2838 if (unformat (line_input, "in %U/%u", unformat_ip4_address, &in_addr, &in_plen))
2840 else if (unformat (line_input, "out %U/%u", unformat_ip4_address, &out_addr, &out_plen))
2842 else if (unformat (line_input, "del"))
2846 error = clib_error_return (0, "unknown input '%U'",
2847 format_unformat_error, line_input);
2852 unformat_free (line_input);
2854 rv = snat_det_add_map(sm, &in_addr, (u8) in_plen, &out_addr, (u8)out_plen,
2859 error = clib_error_return (0, "snat_det_add_map return %d", rv);
2864 unformat_free (line_input);
2871 * @cliexstart{snat deterministic add}
2872 * Create bijective mapping of inside address to outside address and port range
2873 * pairs, with the purpose of enabling deterministic NAT to reduce logging in
2875 * To create deterministic mapping between inside network 10.0.0.0/18 and
2876 * outside network 1.1.1.0/30 use:
2877 * # vpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.0/30
2880 VLIB_CLI_COMMAND (snat_det_map_command, static) = {
2881 .path = "nat44 deterministic add",
2882 .short_help = "nat44 deterministic add in <addr>/<plen> out <addr>/<plen> [del]",
2883 .function = snat_det_map_command_fn,
2886 static clib_error_t *
2887 snat_det_forward_command_fn (vlib_main_t * vm,
2888 unformat_input_t * input,
2889 vlib_cli_command_t * cmd)
2891 snat_main_t *sm = &snat_main;
2892 unformat_input_t _line_input, *line_input = &_line_input;
2893 ip4_address_t in_addr, out_addr;
2895 snat_det_map_t * dm;
2896 clib_error_t *error = 0;
2898 /* Get a line of input. */
2899 if (!unformat_user (input, unformat_line_input, line_input))
2902 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2904 if (unformat (line_input, "%U", unformat_ip4_address, &in_addr))
2908 error = clib_error_return (0, "unknown input '%U'",
2909 format_unformat_error, line_input);
2914 unformat_free (line_input);
2916 dm = snat_det_map_by_user(sm, &in_addr);
2918 vlib_cli_output (vm, "no match");
2921 snat_det_forward (dm, &in_addr, &out_addr, &lo_port);
2922 vlib_cli_output (vm, "%U:<%d-%d>", format_ip4_address, &out_addr,
2923 lo_port, lo_port + dm->ports_per_host - 1);
2927 unformat_free (line_input);
2934 * @cliexstart{snat deterministic forward}
2935 * Return outside address and port range from inside address for deterministic
2937 * To obtain outside address and port of inside host use:
2938 * vpp# nat44 deterministic forward 10.0.0.2
2939 * 1.1.1.0:<1054-1068>
2942 VLIB_CLI_COMMAND (snat_det_forward_command, static) = {
2943 .path = "nat44 deterministic forward",
2944 .short_help = "nat44 deterministic forward <addr>",
2945 .function = snat_det_forward_command_fn,
2948 static clib_error_t *
2949 snat_det_reverse_command_fn (vlib_main_t * vm,
2950 unformat_input_t * input,
2951 vlib_cli_command_t * cmd)
2953 snat_main_t *sm = &snat_main;
2954 unformat_input_t _line_input, *line_input = &_line_input;
2955 ip4_address_t in_addr, out_addr;
2957 snat_det_map_t * dm;
2958 clib_error_t *error = 0;
2960 /* Get a line of input. */
2961 if (!unformat_user (input, unformat_line_input, line_input))
2964 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2966 if (unformat (line_input, "%U:%d", unformat_ip4_address, &out_addr, &out_port))
2970 error = clib_error_return (0, "unknown input '%U'",
2971 format_unformat_error, line_input);
2975 unformat_free (line_input);
2977 if (out_port < 1024 || out_port > 65535)
2979 error = clib_error_return (0, "wrong port, must be <1024-65535>");
2983 dm = snat_det_map_by_out(sm, &out_addr);
2985 vlib_cli_output (vm, "no match");
2988 snat_det_reverse (dm, &out_addr, (u16) out_port, &in_addr);
2989 vlib_cli_output (vm, "%U", format_ip4_address, &in_addr);
2993 unformat_free (line_input);
3000 * @cliexstart{snat deterministic reverse}
3001 * Return inside address from outside address and port for deterministic NAT.
3002 * To obtain inside host address from outside address and port use:
3003 * #vpp nat44 deterministic reverse 1.1.1.1:1276
3007 VLIB_CLI_COMMAND (snat_det_reverse_command, static) = {
3008 .path = "nat44 deterministic reverse",
3009 .short_help = "nat44 deterministic reverse <addr>:<port>",
3010 .function = snat_det_reverse_command_fn,
3013 static clib_error_t *
3014 set_timeout_command_fn (vlib_main_t * vm,
3015 unformat_input_t * input,
3016 vlib_cli_command_t * cmd)
3018 snat_main_t *sm = &snat_main;
3019 unformat_input_t _line_input, *line_input = &_line_input;
3020 clib_error_t *error = 0;
3022 /* Get a line of input. */
3023 if (!unformat_user (input, unformat_line_input, line_input))
3026 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3028 if (unformat (line_input, "udp %u", &sm->udp_timeout))
3030 else if (unformat (line_input, "tcp-established %u",
3031 &sm->tcp_established_timeout))
3033 else if (unformat (line_input, "tcp-transitory %u",
3034 &sm->tcp_transitory_timeout))
3036 else if (unformat (line_input, "icmp %u", &sm->icmp_timeout))
3038 else if (unformat (line_input, "reset"))
3040 sm->udp_timeout = SNAT_UDP_TIMEOUT;
3041 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
3042 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
3043 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
3047 error = clib_error_return (0, "unknown input '%U'",
3048 format_unformat_error, line_input);
3053 unformat_free (line_input);
3056 unformat_free (line_input);
3063 * @cliexstart{set snat deterministic timeout}
3064 * Set values of timeouts for deterministic NAT (in seconds), use:
3065 * vpp# set nat44 deterministic timeout udp 120 tcp-established 7500
3066 * tcp-transitory 250 icmp 90
3067 * To reset default values use:
3068 * vpp# set nat44 deterministic timeout reset
3071 VLIB_CLI_COMMAND (set_timeout_command, static) = {
3072 .path = "set nat44 deterministic timeout",
3073 .function = set_timeout_command_fn,
3075 "set nat44 deterministic timeout [udp <sec> | tcp-established <sec> "
3076 "tcp-transitory <sec> | icmp <sec> | reset]",
3079 static clib_error_t *
3080 snat_det_close_session_out_fn (vlib_main_t *vm,
3081 unformat_input_t * input,
3082 vlib_cli_command_t * cmd)
3084 snat_main_t *sm = &snat_main;
3085 unformat_input_t _line_input, *line_input = &_line_input;
3086 ip4_address_t out_addr, ext_addr, in_addr;
3087 u16 out_port, ext_port;
3088 snat_det_map_t * dm;
3089 snat_det_session_t * ses;
3090 snat_det_out_key_t key;
3091 clib_error_t *error = 0;
3093 /* Get a line of input. */
3094 if (!unformat_user (input, unformat_line_input, line_input))
3097 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3099 if (unformat (line_input, "%U:%d %U:%d",
3100 unformat_ip4_address, &out_addr, &out_port,
3101 unformat_ip4_address, &ext_addr, &ext_port))
3105 error = clib_error_return (0, "unknown input '%U'",
3106 format_unformat_error, line_input);
3111 unformat_free (line_input);
3113 dm = snat_det_map_by_out(sm, &out_addr);
3115 vlib_cli_output (vm, "no match");
3118 snat_det_reverse(dm, &ext_addr, out_port, &in_addr);
3119 key.ext_host_addr = out_addr;
3120 key.ext_host_port = ntohs(ext_port);
3121 key.out_port = ntohs(out_port);
3122 ses = snat_det_get_ses_by_out(dm, &out_addr, key.as_u64);
3124 vlib_cli_output (vm, "no match");
3126 snat_det_ses_close(dm, ses);
3130 unformat_free (line_input);
3137 * @cliexstart{snat deterministic close session out}
3138 * Close session using outside ip address and port
3139 * and external ip address and port, use:
3140 * vpp# nat44 deterministic close session out 1.1.1.1:1276 2.2.2.2:2387
3143 VLIB_CLI_COMMAND (snat_det_close_sesion_out_command, static) = {
3144 .path = "nat44 deterministic close session out",
3145 .short_help = "nat44 deterministic close session out "
3146 "<out_addr>:<out_port> <ext_addr>:<ext_port>",
3147 .function = snat_det_close_session_out_fn,
3150 static clib_error_t *
3151 snat_det_close_session_in_fn (vlib_main_t *vm,
3152 unformat_input_t * input,
3153 vlib_cli_command_t * cmd)
3155 snat_main_t *sm = &snat_main;
3156 unformat_input_t _line_input, *line_input = &_line_input;
3157 ip4_address_t in_addr, ext_addr;
3158 u16 in_port, ext_port;
3159 snat_det_map_t * dm;
3160 snat_det_session_t * ses;
3161 snat_det_out_key_t key;
3162 clib_error_t *error = 0;
3164 /* Get a line of input. */
3165 if (!unformat_user (input, unformat_line_input, line_input))
3168 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3170 if (unformat (line_input, "%U:%d %U:%d",
3171 unformat_ip4_address, &in_addr, &in_port,
3172 unformat_ip4_address, &ext_addr, &ext_port))
3176 error = clib_error_return (0, "unknown input '%U'",
3177 format_unformat_error, line_input);
3182 unformat_free (line_input);
3184 dm = snat_det_map_by_user (sm, &in_addr);
3186 vlib_cli_output (vm, "no match");
3189 key.ext_host_addr = ext_addr;
3190 key.ext_host_port = ntohs (ext_port);
3191 ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs(in_port), key);
3193 vlib_cli_output (vm, "no match");
3195 snat_det_ses_close(dm, ses);
3199 unformat_free(line_input);
3206 * @cliexstart{snat deterministic close_session_in}
3207 * Close session using inside ip address and port
3208 * and external ip address and port, use:
3209 * vpp# nat44 deterministic close session in 3.3.3.3:3487 2.2.2.2:2387
3212 VLIB_CLI_COMMAND (snat_det_close_session_in_command, static) = {
3213 .path = "nat44 deterministic close session in",
3214 .short_help = "nat44 deterministic close session in "
3215 "<in_addr>:<in_port> <ext_addr>:<ext_port>",
3216 .function = snat_det_close_session_in_fn,
Code Review / vpp.git / blob