2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_dpo.h>
24 #include <nat/nat_ipfix_logging.h>
25 #include <nat/nat_det.h>
26 #include <nat/nat64.h>
27 #include <nat/dslite.h>
28 #include <nat/nat_reass.h>
29 #include <vnet/fib/fib_table.h>
30 #include <vnet/fib/ip4_fib.h>
32 #include <vpp/app/version.h>
34 snat_main_t snat_main;
37 /* Hook up input features */
38 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
39 .arc_name = "ip4-unicast",
40 .node_name = "nat44-in2out",
41 .runs_before = VNET_FEATURES ("nat44-out2in"),
43 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
44 .arc_name = "ip4-unicast",
45 .node_name = "nat44-out2in",
46 .runs_before = VNET_FEATURES ("ip4-lookup"),
48 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
49 .arc_name = "ip4-unicast",
50 .node_name = "nat44-classify",
51 .runs_before = VNET_FEATURES ("ip4-lookup"),
53 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
54 .arc_name = "ip4-unicast",
55 .node_name = "nat44-det-in2out",
56 .runs_before = VNET_FEATURES ("nat44-det-out2in"),
58 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
59 .arc_name = "ip4-unicast",
60 .node_name = "nat44-det-out2in",
61 .runs_before = VNET_FEATURES ("ip4-lookup"),
63 VNET_FEATURE_INIT (ip4_nat_det_classify, static) = {
64 .arc_name = "ip4-unicast",
65 .node_name = "nat44-det-classify",
66 .runs_before = VNET_FEATURES ("ip4-lookup"),
68 VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = {
69 .arc_name = "ip4-unicast",
70 .node_name = "nat44-in2out-worker-handoff",
71 .runs_before = VNET_FEATURES ("nat44-out2in-worker-handoff"),
73 VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = {
74 .arc_name = "ip4-unicast",
75 .node_name = "nat44-out2in-worker-handoff",
76 .runs_before = VNET_FEATURES ("ip4-lookup"),
78 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
79 .arc_name = "ip4-unicast",
80 .node_name = "nat44-handoff-classify",
81 .runs_before = VNET_FEATURES ("ip4-lookup"),
83 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
84 .arc_name = "ip4-unicast",
85 .node_name = "nat44-in2out-fast",
86 .runs_before = VNET_FEATURES ("nat44-out2in-fast"),
88 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
89 .arc_name = "ip4-unicast",
90 .node_name = "nat44-out2in-fast",
91 .runs_before = VNET_FEATURES ("ip4-lookup"),
93 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
94 .arc_name = "ip4-unicast",
95 .node_name = "nat44-hairpin-dst",
96 .runs_before = VNET_FEATURES ("ip4-lookup"),
99 /* Hook up output features */
100 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
101 .arc_name = "ip4-output",
102 .node_name = "nat44-in2out-output",
103 .runs_before = VNET_FEATURES ("interface-output"),
105 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
106 .arc_name = "ip4-output",
107 .node_name = "nat44-in2out-output-worker-handoff",
108 .runs_before = VNET_FEATURES ("interface-output"),
110 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
111 .arc_name = "ip4-output",
112 .node_name = "nat44-hairpin-src",
113 .runs_before = VNET_FEATURES ("interface-output"),
116 /* Hook up ip4-local features */
117 VNET_FEATURE_INIT (ip4_nat_hairpinning, static) =
119 .arc_name = "ip4-local",
120 .node_name = "nat44-hairpinning",
121 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
126 VLIB_PLUGIN_REGISTER () = {
127 .version = VPP_BUILD_VER,
128 .description = "Network Address Translation",
132 vlib_node_registration_t nat44_classify_node;
133 vlib_node_registration_t nat44_det_classify_node;
134 vlib_node_registration_t nat44_handoff_classify_node;
137 NAT44_CLASSIFY_NEXT_IN2OUT,
138 NAT44_CLASSIFY_NEXT_OUT2IN,
139 NAT44_CLASSIFY_N_NEXT,
140 } nat44_classify_next_t;
143 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index)
145 snat_session_key_t key;
146 clib_bihash_kv_8_8_t kv;
147 nat_ed_ses_key_t ed_key;
148 clib_bihash_kv_16_8_t ed_kv;
151 snat_main_per_thread_data_t *tsm =
152 vec_elt_at_index (sm->per_thread_data, thread_index);
154 /* Endpoint dependent session lookup tables */
155 if (is_ed_session (s))
157 ed_key.l_addr = s->out2in.addr;
158 ed_key.r_addr = s->ext_host_addr;
159 ed_key.fib_index = s->out2in.fib_index;
160 if (snat_is_unk_proto_session (s))
162 ed_key.proto = s->in2out.port;
168 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
169 ed_key.l_port = s->out2in.port;
170 ed_key.r_port = s->ext_host_port;
172 ed_kv.key[0] = ed_key.as_u64[0];
173 ed_kv.key[1] = ed_key.as_u64[1];
174 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0))
175 clib_warning ("out2in_ed key del failed");
177 ed_key.l_addr = s->in2out.addr;
178 ed_key.fib_index = s->in2out.fib_index;
179 if (!snat_is_unk_proto_session (s))
180 ed_key.l_port = s->in2out.port;
181 if (is_twice_nat_session (s))
183 ed_key.r_addr = s->ext_host_nat_addr;
184 ed_key.r_port = s->ext_host_nat_port;
186 ed_kv.key[0] = ed_key.as_u64[0];
187 ed_kv.key[1] = ed_key.as_u64[1];
188 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &ed_kv, 0))
189 clib_warning ("in2out_ed key del failed");
192 if (snat_is_unk_proto_session (s))
196 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
197 s->out2in.addr.as_u32,
201 s->in2out.fib_index);
203 /* Twice NAT address and port for external host */
204 if (is_twice_nat_session (s))
206 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
208 key.protocol = s->in2out.protocol;
209 key.port = s->ext_host_nat_port;
210 a = sm->twice_nat_addresses + i;
211 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
213 snat_free_outside_address_and_port (sm->twice_nat_addresses,
214 thread_index, &key, i);
220 if (is_ed_session (s))
223 /* Session lookup tables */
224 kv.key = s->in2out.as_u64;
225 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0))
226 clib_warning ("in2out key del failed");
227 kv.key = s->out2in.as_u64;
228 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0))
229 clib_warning ("out2in key del failed");
231 if (snat_is_session_static (s))
234 if (s->outside_address_index != ~0)
235 snat_free_outside_address_and_port (sm->addresses, thread_index,
236 &s->out2in, s->outside_address_index);
240 nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index,
244 snat_user_key_t user_key;
245 clib_bihash_kv_8_8_t kv, value;
246 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
247 dlist_elt_t * per_user_list_head_elt;
249 user_key.addr.as_u32 = addr->as_u32;
250 user_key.fib_index = fib_index;
251 kv.key = user_key.as_u64;
253 /* Ever heard of the "user" = src ip4 address before? */
254 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
256 /* no, make a new one */
257 pool_get (tsm->users, u);
258 memset (u, 0, sizeof (*u));
259 u->addr.as_u32 = addr->as_u32;
260 u->fib_index = fib_index;
262 pool_get (tsm->list_pool, per_user_list_head_elt);
264 u->sessions_per_user_list_head_index = per_user_list_head_elt -
267 clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index);
269 kv.value = u - tsm->users;
272 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
273 clib_warning ("user_hash keay add failed");
277 u = pool_elt_at_index (tsm->users, value.value);
284 nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index)
287 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
288 u32 oldest_per_user_translation_list_index, session_index;
289 dlist_elt_t * oldest_per_user_translation_list_elt;
290 dlist_elt_t * per_user_translation_list_elt;
292 /* Over quota? Recycle the least recently used translation */
293 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
295 oldest_per_user_translation_list_index =
296 clib_dlist_remove_head (tsm->list_pool,
297 u->sessions_per_user_list_head_index);
299 ASSERT (oldest_per_user_translation_list_index != ~0);
301 /* Add it back to the end of the LRU list */
302 clib_dlist_addtail (tsm->list_pool,
303 u->sessions_per_user_list_head_index,
304 oldest_per_user_translation_list_index);
305 /* Get the list element */
306 oldest_per_user_translation_list_elt =
307 pool_elt_at_index (tsm->list_pool,
308 oldest_per_user_translation_list_index);
310 /* Get the session index from the list element */
311 session_index = oldest_per_user_translation_list_elt->value;
313 /* Get the session */
314 s = pool_elt_at_index (tsm->sessions, session_index);
315 nat_free_session_data (sm, s, thread_index);
316 s->outside_address_index = ~0;
323 pool_get (tsm->sessions, s);
324 memset (s, 0, sizeof (*s));
325 s->outside_address_index = ~0;
327 /* Create list elts */
328 pool_get (tsm->list_pool, per_user_translation_list_elt);
329 clib_dlist_init (tsm->list_pool,
330 per_user_translation_list_elt - tsm->list_pool);
332 per_user_translation_list_elt->value = s - tsm->sessions;
333 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
334 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
336 clib_dlist_addtail (tsm->list_pool,
337 s->per_user_list_head_index,
338 per_user_translation_list_elt - tsm->list_pool);
345 nat44_classify_node_fn_inline (vlib_main_t * vm,
346 vlib_node_runtime_t * node,
347 vlib_frame_t * frame)
349 u32 n_left_from, * from, * to_next;
350 nat44_classify_next_t next_index;
351 snat_main_t *sm = &snat_main;
353 from = vlib_frame_vector_args (frame);
354 n_left_from = frame->n_vectors;
355 next_index = node->cached_next_index;
357 while (n_left_from > 0)
361 vlib_get_next_frame (vm, node, next_index,
362 to_next, n_left_to_next);
364 while (n_left_from > 0 && n_left_to_next > 0)
368 u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
371 snat_session_key_t m_key0;
372 clib_bihash_kv_8_8_t kv0, value0;
374 /* speculatively enqueue b0 to the current next frame */
382 b0 = vlib_get_buffer (vm, bi0);
383 ip0 = vlib_buffer_get_current (b0);
385 vec_foreach (ap, sm->addresses)
387 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
389 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
394 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
396 m_key0.addr = ip0->dst_address;
399 m_key0.fib_index = sm->outside_fib_index;
400 kv0.key = m_key0.as_u64;
401 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv0, &value0))
403 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
406 /* verify speculative enqueue, maybe switch current next frame */
407 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
408 to_next, n_left_to_next,
412 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
415 return frame->n_vectors;
419 nat44_classify_node_fn (vlib_main_t * vm,
420 vlib_node_runtime_t * node,
421 vlib_frame_t * frame)
423 return nat44_classify_node_fn_inline (vm, node, frame);
426 VLIB_REGISTER_NODE (nat44_classify_node) = {
427 .function = nat44_classify_node_fn,
428 .name = "nat44-classify",
429 .vector_size = sizeof (u32),
430 .type = VLIB_NODE_TYPE_INTERNAL,
431 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
433 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out",
434 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in",
438 VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node,
439 nat44_classify_node_fn);
442 nat44_det_classify_node_fn (vlib_main_t * vm,
443 vlib_node_runtime_t * node,
444 vlib_frame_t * frame)
446 return nat44_classify_node_fn_inline (vm, node, frame);
449 VLIB_REGISTER_NODE (nat44_det_classify_node) = {
450 .function = nat44_det_classify_node_fn,
451 .name = "nat44-det-classify",
452 .vector_size = sizeof (u32),
453 .type = VLIB_NODE_TYPE_INTERNAL,
454 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
456 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out",
457 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in",
461 VLIB_NODE_FUNCTION_MULTIARCH (nat44_det_classify_node,
462 nat44_det_classify_node_fn);
465 nat44_handoff_classify_node_fn (vlib_main_t * vm,
466 vlib_node_runtime_t * node,
467 vlib_frame_t * frame)
469 return nat44_classify_node_fn_inline (vm, node, frame);
472 VLIB_REGISTER_NODE (nat44_handoff_classify_node) = {
473 .function = nat44_handoff_classify_node_fn,
474 .name = "nat44-handoff-classify",
475 .vector_size = sizeof (u32),
476 .type = VLIB_NODE_TYPE_INTERNAL,
477 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
479 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff",
480 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff",
484 VLIB_NODE_FUNCTION_MULTIARCH (nat44_handoff_classify_node,
485 nat44_handoff_classify_node_fn);
488 * @brief Add/del NAT address to FIB.
490 * Add the external NAT address to the FIB as receive entries. This ensures
491 * that VPP will reply to ARP for this address and we don't need to enable
492 * proxy ARP on the outside interface.
494 * @param addr IPv4 address.
495 * @param plen address prefix length
496 * @param sw_if_index Interface.
497 * @param is_add If 0 delete, otherwise add.
500 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
503 fib_prefix_t prefix = {
505 .fp_proto = FIB_PROTOCOL_IP4,
507 .ip4.as_u32 = addr->as_u32,
510 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index(sw_if_index);
513 fib_table_entry_update_one_path(fib_index,
515 FIB_SOURCE_PLUGIN_HI,
516 (FIB_ENTRY_FLAG_CONNECTED |
517 FIB_ENTRY_FLAG_LOCAL |
518 FIB_ENTRY_FLAG_EXCLUSIVE),
525 FIB_ROUTE_PATH_FLAG_NONE);
527 fib_table_entry_delete(fib_index,
529 FIB_SOURCE_PLUGIN_HI);
532 void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id,
537 vlib_thread_main_t *tm = vlib_get_thread_main ();
539 /* Check if address already exists */
540 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
542 if (ap->addr.as_u32 == addr->as_u32)
547 vec_add2 (sm->twice_nat_addresses, ap, 1);
549 vec_add2 (sm->addresses, ap, 1);
554 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
555 FIB_SOURCE_PLUGIN_HI);
558 #define _(N, i, n, s) \
559 clib_bitmap_alloc (ap->busy_##n##_port_bitmap, 65535); \
560 ap->busy_##n##_ports = 0; \
561 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
562 foreach_snat_protocol
568 /* Add external address to FIB */
569 pool_foreach (i, sm->interfaces,
571 if (nat_interface_is_inside(i) || sm->out2in_dpo)
574 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
577 pool_foreach (i, sm->output_feature_interfaces,
579 if (nat_interface_is_inside(i) || sm->out2in_dpo)
582 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
587 static int is_snat_address_used_in_static_mapping (snat_main_t *sm,
590 snat_static_mapping_t *m;
591 pool_foreach (m, sm->static_mappings,
593 if (m->external_addr.as_u32 == addr.as_u32)
600 void increment_v4_address (ip4_address_t * a)
604 v = clib_net_to_host_u32(a->as_u32) + 1;
605 a->as_u32 = clib_host_to_net_u32(v);
609 snat_add_static_mapping_when_resolved (snat_main_t * sm,
610 ip4_address_t l_addr,
615 snat_protocol_t proto,
619 snat_static_map_resolve_t *rp;
621 vec_add2 (sm->to_resolve, rp, 1);
622 rp->l_addr.as_u32 = l_addr.as_u32;
624 rp->sw_if_index = sw_if_index;
628 rp->addr_only = addr_only;
633 * @brief Add static mapping.
635 * Create static mapping between local addr+port and external addr+port.
637 * @param l_addr Local IPv4 address.
638 * @param e_addr External IPv4 address.
639 * @param l_port Local port number.
640 * @param e_port External port number.
641 * @param vrf_id VRF ID.
642 * @param addr_only If 0 address port and pair mapping, otherwise address only.
643 * @param sw_if_index External port instead of specific IP address.
644 * @param is_add If 0 delete static mapping, otherwise add.
645 * @param twice_nat If 1 translate external host address and port.
646 * @param out2in_only If 1 rule match only out2in direction
650 int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr,
651 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
652 u32 sw_if_index, snat_protocol_t proto, int is_add,
653 u8 twice_nat, u8 out2in_only)
655 snat_main_t * sm = &snat_main;
656 snat_static_mapping_t *m;
657 snat_session_key_t m_key;
658 clib_bihash_kv_8_8_t kv, value;
659 snat_address_t *a = 0;
662 snat_interface_t *interface;
664 snat_main_per_thread_data_t *tsm;
666 /* If the external address is a specific interface address */
667 if (sw_if_index != ~0)
669 ip4_address_t * first_int_addr;
671 /* Might be already set... */
672 first_int_addr = ip4_interface_first_address
673 (sm->ip4_main, sw_if_index, 0 /* just want the address*/);
675 /* DHCP resolution required? */
676 if (first_int_addr == 0)
678 snat_add_static_mapping_when_resolved
679 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
685 e_addr.as_u32 = first_int_addr->as_u32;
686 /* Identity mapping? */
687 if (l_addr.as_u32 == 0)
688 l_addr.as_u32 = e_addr.as_u32;
693 m_key.port = addr_only ? 0 : e_port;
694 m_key.protocol = addr_only ? 0 : proto;
695 m_key.fib_index = sm->outside_fib_index;
696 kv.key = m_key.as_u64;
697 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
700 m = pool_elt_at_index (sm->static_mappings, value.value);
705 return VNET_API_ERROR_VALUE_EXIST;
707 if (twice_nat && addr_only)
708 return VNET_API_ERROR_UNSUPPORTED;
710 /* Convert VRF id to FIB index */
713 p = hash_get (sm->ip4_main->fib_index_by_table_id, vrf_id);
715 return VNET_API_ERROR_NO_SUCH_FIB;
718 /* If not specified use inside VRF id from SNAT plugin startup config */
721 fib_index = sm->inside_fib_index;
722 vrf_id = sm->inside_vrf_id;
725 /* Find external address in allocated addresses and reserve port for
726 address and port pair mapping when dynamic translations enabled */
727 if (!(addr_only || sm->static_mapping_only || out2in_only))
729 for (i = 0; i < vec_len (sm->addresses); i++)
731 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
733 a = sm->addresses + i;
734 /* External port must be unused */
737 #define _(N, j, n, s) \
738 case SNAT_PROTOCOL_##N: \
739 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
740 return VNET_API_ERROR_INVALID_VALUE; \
741 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
744 a->busy_##n##_ports++; \
745 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]++; \
748 foreach_snat_protocol
751 clib_warning("unknown_protocol");
752 return VNET_API_ERROR_INVALID_VALUE_2;
757 /* External address must be allocated */
759 return VNET_API_ERROR_NO_SUCH_ENTRY;
762 pool_get (sm->static_mappings, m);
763 memset (m, 0, sizeof (*m));
764 m->local_addr = l_addr;
765 m->external_addr = e_addr;
766 m->addr_only = addr_only;
768 m->fib_index = fib_index;
769 m->twice_nat = twice_nat;
770 m->out2in_only = out2in_only;
773 m->local_port = l_port;
774 m->external_port = e_port;
781 .src_address = m->local_addr,
783 m->worker_index = sm->worker_in2out_cb (&ip, m->fib_index);
784 tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index);
787 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
789 m_key.addr = m->local_addr;
790 m_key.port = m->local_port;
791 m_key.protocol = m->proto;
792 m_key.fib_index = m->fib_index;
793 kv.key = m_key.as_u64;
794 kv.value = m - sm->static_mappings;
796 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
797 if (twice_nat || out2in_only)
799 m_key.port = clib_host_to_net_u16 (l_port);
800 kv.key = m_key.as_u64;
802 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1))
803 clib_warning ("in2out key add failed");
806 m_key.addr = m->external_addr;
807 m_key.port = m->external_port;
808 m_key.fib_index = sm->outside_fib_index;
809 kv.key = m_key.as_u64;
810 kv.value = m - sm->static_mappings;
811 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1);
812 if (twice_nat || out2in_only)
814 m_key.port = clib_host_to_net_u16 (e_port);
815 kv.key = m_key.as_u64;
817 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1))
818 clib_warning ("out2in key add failed");
825 return VNET_API_ERROR_NO_SUCH_ENTRY;
827 /* Free external address port */
828 if (!(addr_only || sm->static_mapping_only || out2in_only))
830 for (i = 0; i < vec_len (sm->addresses); i++)
832 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
834 a = sm->addresses + i;
837 #define _(N, j, n, s) \
838 case SNAT_PROTOCOL_##N: \
839 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
842 a->busy_##n##_ports--; \
843 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]--; \
846 foreach_snat_protocol
849 clib_warning("unknown_protocol");
850 return VNET_API_ERROR_INVALID_VALUE_2;
857 if (sm->num_workers > 1)
858 tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index);
860 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
862 m_key.addr = m->local_addr;
863 m_key.port = m->local_port;
864 m_key.protocol = m->proto;
865 m_key.fib_index = m->fib_index;
866 kv.key = m_key.as_u64;
868 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0);
869 if (twice_nat || out2in_only)
871 m_key.port = clib_host_to_net_u16 (m->local_port);
872 kv.key = m_key.as_u64;
874 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0))
875 clib_warning ("in2out key del failed");
878 m_key.addr = m->external_addr;
879 m_key.port = m->external_port;
880 m_key.fib_index = sm->outside_fib_index;
881 kv.key = m_key.as_u64;
882 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0);
883 if (twice_nat || out2in_only)
885 m_key.port = clib_host_to_net_u16 (m->external_port);
886 kv.key = m_key.as_u64;
888 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0))
889 clib_warning ("in2out key del failed");
892 /* Delete session(s) for static mapping if exist */
893 if (!(sm->static_mapping_only) ||
894 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
896 snat_user_key_t u_key;
898 dlist_elt_t * head, * elt;
899 u32 elt_index, head_index;
904 u_key.addr = m->local_addr;
905 u_key.fib_index = m->fib_index;
906 kv.key = u_key.as_u64;
907 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
909 user_index = value.value;
910 u = pool_elt_at_index (tsm->users, user_index);
911 if (u->nstaticsessions)
913 head_index = u->sessions_per_user_list_head_index;
914 head = pool_elt_at_index (tsm->list_pool, head_index);
915 elt_index = head->next;
916 elt = pool_elt_at_index (tsm->list_pool, elt_index);
917 ses_index = elt->value;
918 while (ses_index != ~0)
920 s = pool_elt_at_index (tsm->sessions, ses_index);
921 elt = pool_elt_at_index (tsm->list_pool, elt->next);
922 ses_index = elt->value;
926 if ((s->out2in.addr.as_u32 != e_addr.as_u32) &&
927 (clib_net_to_host_u16 (s->out2in.port) != e_port))
931 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
932 clib_dlist_remove (tsm->list_pool, s->per_user_index);
933 pool_put_index (tsm->list_pool, s->per_user_index);
934 pool_put (tsm->sessions, s);
935 u->nstaticsessions--;
942 pool_put (tsm->users, u);
943 clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 0);
949 /* Delete static mapping from pool */
950 pool_put (sm->static_mappings, m);
953 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
956 /* Add/delete external address to FIB */
957 pool_foreach (interface, sm->interfaces,
959 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
962 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
965 pool_foreach (interface, sm->output_feature_interfaces,
967 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
970 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
977 int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
978 snat_protocol_t proto, u32 vrf_id,
979 nat44_lb_addr_port_t *locals, u8 is_add,
980 u8 twice_nat, u8 out2in_only)
982 snat_main_t * sm = &snat_main;
983 snat_static_mapping_t *m;
984 snat_session_key_t m_key;
985 clib_bihash_kv_8_8_t kv, value;
987 snat_address_t *a = 0;
989 nat44_lb_addr_port_t *local;
990 u32 worker_index = 0, elt_index, head_index, ses_index;
991 snat_main_per_thread_data_t *tsm;
992 snat_user_key_t u_key;
995 dlist_elt_t * head, * elt;
999 m_key.protocol = proto;
1000 m_key.fib_index = sm->outside_fib_index;
1001 kv.key = m_key.as_u64;
1002 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1005 m = pool_elt_at_index (sm->static_mappings, value.value);
1010 return VNET_API_ERROR_VALUE_EXIST;
1012 if (vec_len (locals) < 2)
1013 return VNET_API_ERROR_INVALID_VALUE;
1015 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1017 FIB_SOURCE_PLUGIN_HI);
1019 /* Find external address in allocated addresses and reserve port for
1020 address and port pair mapping when dynamic translations enabled */
1021 if (!(sm->static_mapping_only || out2in_only))
1023 for (i = 0; i < vec_len (sm->addresses); i++)
1025 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1027 a = sm->addresses + i;
1028 /* External port must be unused */
1031 #define _(N, j, n, s) \
1032 case SNAT_PROTOCOL_##N: \
1033 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
1034 return VNET_API_ERROR_INVALID_VALUE; \
1035 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
1036 if (e_port > 1024) \
1038 a->busy_##n##_ports++; \
1039 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]++; \
1042 foreach_snat_protocol
1045 clib_warning("unknown_protocol");
1046 return VNET_API_ERROR_INVALID_VALUE_2;
1051 /* External address must be allocated */
1053 return VNET_API_ERROR_NO_SUCH_ENTRY;
1056 pool_get (sm->static_mappings, m);
1057 memset (m, 0, sizeof (*m));
1058 m->external_addr = e_addr;
1061 m->fib_index = fib_index;
1062 m->external_port = e_port;
1064 m->twice_nat = twice_nat;
1065 m->out2in_only = out2in_only;
1067 m_key.addr = m->external_addr;
1068 m_key.port = m->external_port;
1069 m_key.protocol = m->proto;
1070 m_key.fib_index = sm->outside_fib_index;
1071 kv.key = m_key.as_u64;
1072 kv.value = m - sm->static_mappings;
1073 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1))
1075 clib_warning ("static_mapping_by_external key add failed");
1076 return VNET_API_ERROR_UNSPECIFIED;
1082 worker_index = sm->first_worker_index +
1083 sm->workers[sm->next_worker++ % vec_len (sm->workers)];
1084 tsm = vec_elt_at_index (sm->per_thread_data, worker_index);
1085 m->worker_index = worker_index;
1088 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1090 m_key.port = clib_host_to_net_u16 (m->external_port);
1091 kv.key = m_key.as_u64;
1093 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1))
1095 clib_warning ("out2in key add failed");
1096 return VNET_API_ERROR_UNSPECIFIED;
1099 m_key.fib_index = m->fib_index;
1100 for (i = 0; i < vec_len (locals); i++)
1102 m_key.addr = locals[i].addr;
1105 m_key.port = locals[i].port;
1106 kv.key = m_key.as_u64;
1107 kv.value = m - sm->static_mappings;
1108 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
1110 locals[i].prefix = (i == 0) ? locals[i].probability :\
1111 (locals[i - 1].prefix + locals[i].probability);
1112 vec_add1 (m->locals, locals[i]);
1114 m_key.port = clib_host_to_net_u16 (locals[i].port);
1115 kv.key = m_key.as_u64;
1117 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1))
1119 clib_warning ("in2out key add failed");
1120 return VNET_API_ERROR_UNSPECIFIED;
1127 return VNET_API_ERROR_NO_SUCH_ENTRY;
1129 fib_table_unlock (m->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_HI);
1131 /* Free external address port */
1132 if (!(sm->static_mapping_only || out2in_only))
1134 for (i = 0; i < vec_len (sm->addresses); i++)
1136 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1138 a = sm->addresses + i;
1141 #define _(N, j, n, s) \
1142 case SNAT_PROTOCOL_##N: \
1143 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
1144 if (e_port > 1024) \
1146 a->busy_##n##_ports--; \
1147 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]--; \
1150 foreach_snat_protocol
1153 clib_warning("unknown_protocol");
1154 return VNET_API_ERROR_INVALID_VALUE_2;
1161 tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index);
1162 m_key.addr = m->external_addr;
1163 m_key.port = m->external_port;
1164 m_key.protocol = m->proto;
1165 m_key.fib_index = sm->outside_fib_index;
1166 kv.key = m_key.as_u64;
1167 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0))
1169 clib_warning ("static_mapping_by_external key del failed");
1170 return VNET_API_ERROR_UNSPECIFIED;
1173 m_key.port = clib_host_to_net_u16 (m->external_port);
1174 kv.key = m_key.as_u64;
1175 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0))
1177 clib_warning ("outi2in key del failed");
1178 return VNET_API_ERROR_UNSPECIFIED;
1181 vec_foreach (local, m->locals)
1183 m_key.addr = local->addr;
1186 m_key.port = local->port;
1187 m_key.fib_index = m->fib_index;
1188 kv.key = m_key.as_u64;
1189 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
1191 clib_warning ("static_mapping_by_local key del failed");
1192 return VNET_API_ERROR_UNSPECIFIED;
1196 m_key.port = clib_host_to_net_u16 (local->port);
1197 kv.key = m_key.as_u64;
1198 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0))
1200 clib_warning ("in2out key del failed");
1201 return VNET_API_ERROR_UNSPECIFIED;
1203 /* Delete sessions */
1204 u_key.addr = local->addr;
1205 u_key.fib_index = m->fib_index;
1206 kv.key = u_key.as_u64;
1207 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1209 u = pool_elt_at_index (tsm->users, value.value);
1210 if (u->nstaticsessions)
1212 head_index = u->sessions_per_user_list_head_index;
1213 head = pool_elt_at_index (tsm->list_pool, head_index);
1214 elt_index = head->next;
1215 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1216 ses_index = elt->value;
1217 while (ses_index != ~0)
1219 s = pool_elt_at_index (tsm->sessions, ses_index);
1220 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1221 ses_index = elt->value;
1223 if ((s->in2out.addr.as_u32 != local->addr.as_u32) &&
1224 (clib_net_to_host_u16 (s->in2out.port) != local->port))
1227 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
1228 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1229 pool_put_index (tsm->list_pool, s->per_user_index);
1230 pool_put (tsm->sessions, s);
1231 u->nstaticsessions--;
1236 vec_free(m->locals);
1238 pool_put (sm->static_mappings, m);
1245 snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm,
1248 snat_address_t *a = 0;
1249 snat_session_t *ses;
1250 u32 *ses_to_be_removed = 0, *ses_index;
1251 clib_bihash_kv_8_8_t kv, value;
1252 snat_user_key_t user_key;
1254 snat_main_per_thread_data_t *tsm;
1255 snat_static_mapping_t *m;
1256 snat_interface_t *interface;
1258 snat_address_t *addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses;
1260 /* Find SNAT address */
1261 for (i=0; i < vec_len (addresses); i++)
1263 if (addresses[i].addr.as_u32 == addr.as_u32)
1270 return VNET_API_ERROR_NO_SUCH_ENTRY;
1274 pool_foreach (m, sm->static_mappings,
1276 if (m->external_addr.as_u32 == addr.as_u32)
1277 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1278 m->local_port, m->external_port,
1279 m->vrf_id, m->addr_only, ~0,
1280 m->proto, 0, m->twice_nat,
1286 /* Check if address is used in some static mapping */
1287 if (is_snat_address_used_in_static_mapping(sm, addr))
1289 clib_warning ("address used in static mapping");
1290 return VNET_API_ERROR_UNSPECIFIED;
1294 if (a->fib_index != ~0)
1295 fib_table_unlock(a->fib_index, FIB_PROTOCOL_IP4,
1296 FIB_SOURCE_PLUGIN_HI);
1298 /* Delete sessions using address */
1299 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1301 vec_foreach (tsm, sm->per_thread_data)
1303 pool_foreach (ses, tsm->sessions, ({
1304 if (ses->out2in.addr.as_u32 == addr.as_u32)
1306 ses->outside_address_index = ~0;
1307 nat_free_session_data (sm, ses, tsm - sm->per_thread_data);
1308 clib_dlist_remove (tsm->list_pool, ses->per_user_index);
1309 pool_put_index (tsm->list_pool, ses->per_user_index);
1310 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1311 user_key.addr = ses->in2out.addr;
1312 user_key.fib_index = ses->in2out.fib_index;
1313 kv.key = user_key.as_u64;
1314 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1316 u = pool_elt_at_index (tsm->users, value.value);
1322 vec_foreach (ses_index, ses_to_be_removed)
1323 pool_put_index (tsm->sessions, ses_index[0]);
1325 vec_free (ses_to_be_removed);
1331 vec_del1 (sm->twice_nat_addresses, i);
1335 vec_del1 (sm->addresses, i);
1337 /* Delete external address from FIB */
1338 pool_foreach (interface, sm->interfaces,
1340 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1343 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1346 pool_foreach (interface, sm->output_feature_interfaces,
1348 if (nat_interface_is_inside(interface) || sm->out2in_dpo)
1351 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1358 int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
1360 snat_main_t *sm = &snat_main;
1361 snat_interface_t *i;
1362 const char * feature_name, *del_feature_name;
1363 snat_address_t * ap;
1364 snat_static_mapping_t * m;
1365 snat_det_map_t * dm;
1367 if (sm->out2in_dpo && !is_inside)
1368 return VNET_API_ERROR_UNSUPPORTED;
1370 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1371 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
1374 if (sm->num_workers > 1 && !sm->deterministic)
1375 feature_name = is_inside ? "nat44-in2out-worker-handoff" : "nat44-out2in-worker-handoff";
1376 else if (sm->deterministic)
1377 feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in";
1379 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
1382 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1383 sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, 0);
1385 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1386 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0);
1388 pool_foreach (i, sm->interfaces,
1390 if (i->sw_if_index == sw_if_index)
1394 if (nat_interface_is_inside(i) && nat_interface_is_outside(i))
1397 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1399 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1401 if (sm->num_workers > 1 && !sm->deterministic)
1403 del_feature_name = "nat44-handoff-classify";
1404 feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1405 "nat44-out2in-worker-handoff";
1407 else if (sm->deterministic)
1409 del_feature_name = "nat44-det-classify";
1410 feature_name = !is_inside ? "nat44-det-in2out" :
1415 del_feature_name = "nat44-classify";
1416 feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1419 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1420 sw_if_index, 0, 0, 0);
1421 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1422 sw_if_index, 1, 0, 0);
1426 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1427 sw_if_index, 0, 0, 0);
1428 pool_put (sm->interfaces, i);
1433 if ((nat_interface_is_inside(i) && is_inside) ||
1434 (nat_interface_is_outside(i) && !is_inside))
1437 if (sm->num_workers > 1 && !sm->deterministic)
1439 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1440 "nat44-out2in-worker-handoff";
1441 feature_name = "nat44-handoff-classify";
1443 else if (sm->deterministic)
1445 del_feature_name = !is_inside ? "nat44-det-in2out" :
1447 feature_name = "nat44-det-classify";
1451 del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1452 feature_name = "nat44-classify";
1455 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1456 sw_if_index, 0, 0, 0);
1457 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1458 sw_if_index, 1, 0, 0);
1467 return VNET_API_ERROR_NO_SUCH_ENTRY;
1469 pool_get (sm->interfaces, i);
1470 i->sw_if_index = sw_if_index;
1472 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0);
1476 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1478 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1480 /* Add/delete external addresses to FIB */
1482 if (is_inside && !sm->out2in_dpo)
1484 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
1485 sw_if_index, !is_del, 0, 0);
1489 vec_foreach (ap, sm->addresses)
1490 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1492 pool_foreach (m, sm->static_mappings,
1494 if (!(m->addr_only) || (m->local_addr.as_u32 == m->external_addr.as_u32))
1497 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1500 pool_foreach (dm, sm->det_maps,
1502 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
1508 int snat_interface_add_del_output_feature (u32 sw_if_index,
1512 snat_main_t *sm = &snat_main;
1513 snat_interface_t *i;
1514 snat_address_t * ap;
1515 snat_static_mapping_t * m;
1517 if (sm->deterministic ||
1518 (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)))
1519 return VNET_API_ERROR_UNSUPPORTED;
1523 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
1524 sw_if_index, !is_del, 0, 0);
1525 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
1526 sw_if_index, !is_del, 0, 0);
1530 if (sm->num_workers > 1)
1532 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in-worker-handoff",
1533 sw_if_index, !is_del, 0, 0);
1534 vnet_feature_enable_disable ("ip4-output",
1535 "nat44-in2out-output-worker-handoff",
1536 sw_if_index, !is_del, 0, 0);
1540 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", sw_if_index,
1542 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
1543 sw_if_index, !is_del, 0, 0);
1547 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
1548 sm->fq_in2out_output_index =
1549 vlib_frame_queue_main_init (sm->in2out_output_node_index, 0);
1551 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
1552 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0);
1554 pool_foreach (i, sm->output_feature_interfaces,
1556 if (i->sw_if_index == sw_if_index)
1559 pool_put (sm->output_feature_interfaces, i);
1561 return VNET_API_ERROR_VALUE_EXIST;
1568 return VNET_API_ERROR_NO_SUCH_ENTRY;
1570 pool_get (sm->output_feature_interfaces, i);
1571 i->sw_if_index = sw_if_index;
1574 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1576 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1578 /* Add/delete external addresses to FIB */
1583 vec_foreach (ap, sm->addresses)
1584 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1586 pool_foreach (m, sm->static_mappings,
1588 if (!(m->addr_only))
1591 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1597 int snat_set_workers (uword * bitmap)
1599 snat_main_t *sm = &snat_main;
1602 if (sm->num_workers < 2)
1603 return VNET_API_ERROR_FEATURE_DISABLED;
1605 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
1606 return VNET_API_ERROR_INVALID_WORKER;
1608 vec_free (sm->workers);
1609 clib_bitmap_foreach (i, bitmap,
1611 vec_add1(sm->workers, i);
1612 sm->per_thread_data[sm->first_worker_index + i].snat_thread_index = j;
1616 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
1617 sm->num_snat_thread = _vec_len (sm->workers);
1624 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
1627 ip4_address_t * address,
1629 u32 if_address_index,
1633 nat_alloc_addr_and_port_default (snat_address_t * addresses,
1636 snat_session_key_t * k,
1637 u32 * address_indexp,
1638 u16 port_per_thread,
1639 u32 snat_thread_index);
1641 static clib_error_t * snat_init (vlib_main_t * vm)
1643 snat_main_t * sm = &snat_main;
1644 clib_error_t * error = 0;
1645 ip4_main_t * im = &ip4_main;
1646 ip_lookup_main_t * lm = &im->lookup_main;
1648 vlib_thread_registration_t *tr;
1649 vlib_thread_main_t *tm = vlib_get_thread_main ();
1652 ip4_add_del_interface_address_callback_t cb4;
1655 sm->vnet_main = vnet_get_main();
1657 sm->ip4_lookup_main = lm;
1658 sm->api_main = &api_main;
1659 sm->first_worker_index = 0;
1660 sm->next_worker = 0;
1661 sm->num_workers = 0;
1662 sm->num_snat_thread = 1;
1664 sm->port_per_thread = 0xffff - 1024;
1665 sm->fq_in2out_index = ~0;
1666 sm->fq_out2in_index = ~0;
1667 sm->udp_timeout = SNAT_UDP_TIMEOUT;
1668 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
1669 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
1670 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
1671 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
1672 sm->forwarding_enabled = 0;
1674 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
1677 tr = (vlib_thread_registration_t *) p[0];
1680 sm->num_workers = tr->count;
1681 sm->first_worker_index = tr->first_index;
1685 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
1687 /* Use all available workers by default */
1688 if (sm->num_workers > 1)
1690 for (i=0; i < sm->num_workers; i++)
1691 bitmap = clib_bitmap_set (bitmap, i, 1);
1692 snat_set_workers(bitmap);
1693 clib_bitmap_free (bitmap);
1697 sm->per_thread_data[0].snat_thread_index = 0;
1700 error = snat_api_init(vm, sm);
1704 /* Set up the interface address add/del callback */
1705 cb4.function = snat_ip4_add_del_interface_address_cb;
1706 cb4.function_opaque = 0;
1708 vec_add1 (im->add_del_interface_address_callbacks, cb4);
1710 nat_dpo_module_init ();
1712 /* Init IPFIX logging */
1713 snat_ipfix_logging_init(vm);
1716 error = nat64_init(vm);
1722 /* Init virtual fragmenentation reassembly */
1723 return nat_reass_init(vm);
1726 VLIB_INIT_FUNCTION (snat_init);
1728 void snat_free_outside_address_and_port (snat_address_t * addresses,
1730 snat_session_key_t * k,
1734 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
1736 ASSERT (address_index < vec_len (addresses));
1738 a = addresses + address_index;
1740 switch (k->protocol)
1742 #define _(N, i, n, s) \
1743 case SNAT_PROTOCOL_##N: \
1744 ASSERT (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
1745 port_host_byte_order) == 1); \
1746 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
1747 port_host_byte_order, 0); \
1748 a->busy_##n##_ports--; \
1749 a->busy_##n##_ports_per_thread[thread_index]--; \
1751 foreach_snat_protocol
1754 clib_warning("unknown_protocol");
1760 * @brief Match NAT44 static mapping.
1762 * @param sm NAT main.
1763 * @param match Address and port to match.
1764 * @param mapping External or local address and port of the matched mapping.
1765 * @param by_external If 0 match by local address otherwise match by external
1767 * @param is_addr_only If matched mapping is address only
1768 * @param twice_nat If matched mapping is twice NAT.
1770 * @returns 0 if match found otherwise 1.
1772 int snat_static_mapping_match (snat_main_t * sm,
1773 snat_session_key_t match,
1774 snat_session_key_t * mapping,
1779 clib_bihash_kv_8_8_t kv, value;
1780 snat_static_mapping_t *m;
1781 snat_session_key_t m_key;
1782 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
1783 u32 rand, lo = 0, hi, mid;
1786 mapping_hash = &sm->static_mapping_by_external;
1788 m_key.addr = match.addr;
1789 m_key.port = clib_net_to_host_u16 (match.port);
1790 m_key.protocol = match.protocol;
1791 m_key.fib_index = match.fib_index;
1793 kv.key = m_key.as_u64;
1795 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
1797 /* Try address only mapping */
1800 kv.key = m_key.as_u64;
1801 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
1805 m = pool_elt_at_index (sm->static_mappings, value.value);
1809 if (vec_len (m->locals))
1811 hi = vec_len (m->locals) - 1;
1812 rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix);
1815 mid = ((hi - lo) >> 1) + lo;
1816 (rand > m->locals[mid].prefix) ? (lo = mid + 1) : (hi = mid);
1818 if (!(m->locals[lo].prefix >= rand))
1820 mapping->addr = m->locals[lo].addr;
1821 mapping->port = clib_host_to_net_u16 (m->locals[lo].port);
1825 mapping->addr = m->local_addr;
1826 /* Address only mapping doesn't change port */
1827 mapping->port = m->addr_only ? match.port
1828 : clib_host_to_net_u16 (m->local_port);
1830 mapping->fib_index = m->fib_index;
1831 mapping->protocol = m->proto;
1835 mapping->addr = m->external_addr;
1836 /* Address only mapping doesn't change port */
1837 mapping->port = m->addr_only ? match.port
1838 : clib_host_to_net_u16 (m->external_port);
1839 mapping->fib_index = sm->outside_fib_index;
1842 if (PREDICT_FALSE(is_addr_only != 0))
1843 *is_addr_only = m->addr_only;
1845 if (PREDICT_FALSE(twice_nat != 0))
1846 *twice_nat = m->twice_nat;
1851 static_always_inline u16
1852 snat_random_port (u16 min, u16 max)
1854 snat_main_t *sm = &snat_main;
1855 return min + random_u32 (&sm->random_seed) /
1856 (random_u32_max() / (max - min + 1) + 1);
1860 snat_alloc_outside_address_and_port (snat_address_t * addresses,
1863 snat_session_key_t * k,
1864 u32 * address_indexp,
1865 u16 port_per_thread,
1866 u32 snat_thread_index)
1868 snat_main_t *sm = &snat_main;
1870 return sm->alloc_addr_and_port(addresses, fib_index, thread_index, k,
1871 address_indexp, port_per_thread,
1876 nat_alloc_addr_and_port_default (snat_address_t * addresses,
1879 snat_session_key_t * k,
1880 u32 * address_indexp,
1881 u16 port_per_thread,
1882 u32 snat_thread_index)
1885 snat_address_t *a, *ga = 0;
1888 for (i = 0; i < vec_len (addresses); i++)
1891 switch (k->protocol)
1893 #define _(N, j, n, s) \
1894 case SNAT_PROTOCOL_##N: \
1895 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
1897 if (a->fib_index == fib_index) \
1901 portnum = (port_per_thread * \
1902 snat_thread_index) + \
1903 snat_random_port(1, port_per_thread) + 1024; \
1904 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
1906 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
1907 a->busy_##n##_ports_per_thread[thread_index]++; \
1908 a->busy_##n##_ports++; \
1909 k->addr = a->addr; \
1910 k->port = clib_host_to_net_u16(portnum); \
1911 *address_indexp = i; \
1915 else if (a->fib_index == ~0) \
1922 foreach_snat_protocol
1925 clib_warning("unknown protocol");
1934 switch (k->protocol)
1936 #define _(N, j, n, s) \
1937 case SNAT_PROTOCOL_##N: \
1940 portnum = (port_per_thread * \
1941 snat_thread_index) + \
1942 snat_random_port(1, port_per_thread) + 1024; \
1943 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
1945 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
1946 a->busy_##n##_ports_per_thread[thread_index]++; \
1947 a->busy_##n##_ports++; \
1948 k->addr = a->addr; \
1949 k->port = clib_host_to_net_u16(portnum); \
1950 *address_indexp = gi; \
1954 foreach_snat_protocol
1957 clib_warning ("unknown protocol");
1962 /* Totally out of translations to use... */
1963 snat_ipfix_logging_addresses_exhausted(0);
1968 nat_alloc_addr_and_port_mape (snat_address_t * addresses,
1971 snat_session_key_t * k,
1972 u32 * address_indexp,
1973 u16 port_per_thread,
1974 u32 snat_thread_index)
1976 snat_main_t *sm = &snat_main;
1977 snat_address_t *a = addresses;
1978 u16 m, ports, portnum, A, j;
1979 m = 16 - (sm->psid_offset + sm->psid_length);
1980 ports = (1 << (16 - sm->psid_length)) - (1 << m);
1982 if (!vec_len (addresses))
1985 switch (k->protocol)
1987 #define _(N, i, n, s) \
1988 case SNAT_PROTOCOL_##N: \
1989 if (a->busy_##n##_ports < ports) \
1993 A = snat_random_port(1, pow2_mask(sm->psid_offset)); \
1994 j = snat_random_port(0, pow2_mask(m)); \
1995 portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \
1996 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
1998 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
1999 a->busy_##n##_ports++; \
2000 k->addr = a->addr; \
2001 k->port = clib_host_to_net_u16 (portnum); \
2002 *address_indexp = i; \
2007 foreach_snat_protocol
2010 clib_warning("unknown protocol");
2015 /* Totally out of translations to use... */
2016 snat_ipfix_logging_addresses_exhausted(0);
2021 nat44_add_del_address_dpo (ip4_address_t addr, u8 is_add)
2023 dpo_id_t dpo_v4 = DPO_INVALID;
2024 fib_prefix_t pfx = {
2025 .fp_proto = FIB_PROTOCOL_IP4,
2027 .fp_addr.ip4.as_u32 = addr.as_u32,
2032 nat_dpo_create (DPO_PROTO_IP4, 0, &dpo_v4);
2033 fib_table_entry_special_dpo_add (0, &pfx, FIB_SOURCE_PLUGIN_HI,
2034 FIB_ENTRY_FLAG_EXCLUSIVE, &dpo_v4);
2035 dpo_reset (&dpo_v4);
2039 fib_table_entry_special_remove (0, &pfx, FIB_SOURCE_PLUGIN_HI);
2043 static clib_error_t *
2044 add_address_command_fn (vlib_main_t * vm,
2045 unformat_input_t * input,
2046 vlib_cli_command_t * cmd)
2048 unformat_input_t _line_input, *line_input = &_line_input;
2049 snat_main_t * sm = &snat_main;
2050 ip4_address_t start_addr, end_addr, this_addr;
2051 u32 start_host_order, end_host_order;
2056 clib_error_t *error = 0;
2059 /* Get a line of input. */
2060 if (!unformat_user (input, unformat_line_input, line_input))
2063 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2065 if (unformat (line_input, "%U - %U",
2066 unformat_ip4_address, &start_addr,
2067 unformat_ip4_address, &end_addr))
2069 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
2071 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
2072 end_addr = start_addr;
2073 else if (unformat (line_input, "twice-nat"))
2075 else if (unformat (line_input, "del"))
2079 error = clib_error_return (0, "unknown input '%U'",
2080 format_unformat_error, line_input);
2085 if (sm->static_mapping_only)
2087 error = clib_error_return (0, "static mapping only mode");
2091 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
2092 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
2094 if (end_host_order < start_host_order)
2096 error = clib_error_return (0, "end address less than start address");
2100 count = (end_host_order - start_host_order) + 1;
2103 clib_warning ("%U - %U, %d addresses...",
2104 format_ip4_address, &start_addr,
2105 format_ip4_address, &end_addr,
2108 this_addr = start_addr;
2110 for (i = 0; i < count; i++)
2113 snat_add_address (sm, &this_addr, vrf_id, twice_nat);
2115 rv = snat_del_address (sm, this_addr, 0, twice_nat);
2119 case VNET_API_ERROR_NO_SUCH_ENTRY:
2120 error = clib_error_return (0, "S-NAT address not exist.");
2122 case VNET_API_ERROR_UNSPECIFIED:
2123 error = clib_error_return (0, "S-NAT address used in static mapping.");
2130 nat44_add_del_address_dpo (this_addr, is_add);
2132 increment_v4_address (&this_addr);
2136 unformat_free (line_input);
2141 VLIB_CLI_COMMAND (add_address_command, static) = {
2142 .path = "nat44 add address",
2143 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
2144 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
2145 .function = add_address_command_fn,
2148 static clib_error_t *
2149 snat_feature_command_fn (vlib_main_t * vm,
2150 unformat_input_t * input,
2151 vlib_cli_command_t * cmd)
2153 unformat_input_t _line_input, *line_input = &_line_input;
2154 vnet_main_t * vnm = vnet_get_main();
2155 clib_error_t * error = 0;
2157 u32 * inside_sw_if_indices = 0;
2158 u32 * outside_sw_if_indices = 0;
2159 u8 is_output_feature = 0;
2165 /* Get a line of input. */
2166 if (!unformat_user (input, unformat_line_input, line_input))
2169 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2171 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
2173 vec_add1 (inside_sw_if_indices, sw_if_index);
2174 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
2176 vec_add1 (outside_sw_if_indices, sw_if_index);
2177 else if (unformat (line_input, "output-feature"))
2178 is_output_feature = 1;
2179 else if (unformat (line_input, "del"))
2183 error = clib_error_return (0, "unknown input '%U'",
2184 format_unformat_error, line_input);
2189 if (vec_len (inside_sw_if_indices))
2191 for (i = 0; i < vec_len(inside_sw_if_indices); i++)
2193 sw_if_index = inside_sw_if_indices[i];
2194 if (is_output_feature)
2196 if (snat_interface_add_del_output_feature (sw_if_index, 1, is_del))
2198 error = clib_error_return (0, "%s %U failed",
2199 is_del ? "del" : "add",
2200 format_vnet_sw_interface_name, vnm,
2201 vnet_get_sw_interface (vnm,
2208 if (snat_interface_add_del (sw_if_index, 1, is_del))
2210 error = clib_error_return (0, "%s %U failed",
2211 is_del ? "del" : "add",
2212 format_vnet_sw_interface_name, vnm,
2213 vnet_get_sw_interface (vnm,
2221 if (vec_len (outside_sw_if_indices))
2223 for (i = 0; i < vec_len(outside_sw_if_indices); i++)
2225 sw_if_index = outside_sw_if_indices[i];
2226 if (is_output_feature)
2228 if (snat_interface_add_del_output_feature (sw_if_index, 0, is_del))
2230 error = clib_error_return (0, "%s %U failed",
2231 is_del ? "del" : "add",
2232 format_vnet_sw_interface_name, vnm,
2233 vnet_get_sw_interface (vnm,
2240 if (snat_interface_add_del (sw_if_index, 0, is_del))
2242 error = clib_error_return (0, "%s %U failed",
2243 is_del ? "del" : "add",
2244 format_vnet_sw_interface_name, vnm,
2245 vnet_get_sw_interface (vnm,
2254 unformat_free (line_input);
2255 vec_free (inside_sw_if_indices);
2256 vec_free (outside_sw_if_indices);
2261 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
2262 .path = "set interface nat44",
2263 .function = snat_feature_command_fn,
2264 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
2269 unformat_snat_protocol (unformat_input_t * input, va_list * args)
2271 u32 *r = va_arg (*args, u32 *);
2274 #define _(N, i, n, s) else if (unformat (input, s)) *r = SNAT_PROTOCOL_##N;
2275 foreach_snat_protocol
2283 format_snat_protocol (u8 * s, va_list * args)
2285 u32 i = va_arg (*args, u32);
2290 #define _(N, j, n, str) case SNAT_PROTOCOL_##N: t = (u8 *) str; break;
2291 foreach_snat_protocol
2294 s = format (s, "unknown");
2297 s = format (s, "%s", t);
2301 static clib_error_t *
2302 add_static_mapping_command_fn (vlib_main_t * vm,
2303 unformat_input_t * input,
2304 vlib_cli_command_t * cmd)
2306 unformat_input_t _line_input, *line_input = &_line_input;
2307 clib_error_t * error = 0;
2308 ip4_address_t l_addr, e_addr;
2309 u32 l_port = 0, e_port = 0, vrf_id = ~0;
2312 u32 sw_if_index = ~0;
2313 vnet_main_t * vnm = vnet_get_main();
2315 snat_protocol_t proto = ~0;
2320 /* Get a line of input. */
2321 if (!unformat_user (input, unformat_line_input, line_input))
2324 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2326 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
2329 else if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
2331 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
2334 else if (unformat (line_input, "external %U", unformat_ip4_address,
2337 else if (unformat (line_input, "external %U %u",
2338 unformat_vnet_sw_interface, vnm, &sw_if_index,
2342 else if (unformat (line_input, "external %U",
2343 unformat_vnet_sw_interface, vnm, &sw_if_index))
2345 else if (unformat (line_input, "vrf %u", &vrf_id))
2347 else if (unformat (line_input, "%U", unformat_snat_protocol, &proto))
2349 else if (unformat (line_input, "twice-nat"))
2351 else if (unformat (line_input, "out2in-only"))
2353 else if (unformat (line_input, "del"))
2357 error = clib_error_return (0, "unknown input: '%U'",
2358 format_unformat_error, line_input);
2363 if (twice_nat && addr_only)
2365 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
2369 if (!addr_only && !proto_set)
2371 error = clib_error_return (0, "missing protocol");
2375 rv = snat_add_static_mapping(l_addr, e_addr, (u16) l_port, (u16) e_port,
2376 vrf_id, addr_only, sw_if_index, proto, is_add,
2377 twice_nat, out2in_only);
2381 case VNET_API_ERROR_INVALID_VALUE:
2382 error = clib_error_return (0, "External port already in use.");
2384 case VNET_API_ERROR_NO_SUCH_ENTRY:
2386 error = clib_error_return (0, "External addres must be allocated.");
2388 error = clib_error_return (0, "Mapping not exist.");
2390 case VNET_API_ERROR_NO_SUCH_FIB:
2391 error = clib_error_return (0, "No such VRF id.");
2393 case VNET_API_ERROR_VALUE_EXIST:
2394 error = clib_error_return (0, "Mapping already exist.");
2401 unformat_free (line_input);
2408 * @cliexstart{snat add static mapping}
2409 * Static mapping allows hosts on the external network to initiate connection
2410 * to to the local network host.
2411 * To create static mapping between local host address 10.0.0.3 port 6303 and
2412 * external address 4.4.4.4 port 3606 for TCP protocol use:
2413 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
2414 * If not runnig "static mapping only" NAT plugin mode use before:
2415 * vpp# nat44 add address 4.4.4.4
2416 * To create static mapping between local and external address use:
2417 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
2420 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
2421 .path = "nat44 add static mapping",
2422 .function = add_static_mapping_command_fn,
2424 "nat44 add static mapping tcp|udp|icmp local <addr> [<port>] "
2425 "external <addr> [<port>] [vrf <table-id>] [twice-nat] [out2in-only] [del]",
2428 static clib_error_t *
2429 add_identity_mapping_command_fn (vlib_main_t * vm,
2430 unformat_input_t * input,
2431 vlib_cli_command_t * cmd)
2433 unformat_input_t _line_input, *line_input = &_line_input;
2434 clib_error_t * error = 0;
2436 u32 port = 0, vrf_id = ~0;
2439 u32 sw_if_index = ~0;
2440 vnet_main_t * vnm = vnet_get_main();
2442 snat_protocol_t proto;
2446 /* Get a line of input. */
2447 if (!unformat_user (input, unformat_line_input, line_input))
2450 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2452 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
2454 else if (unformat (line_input, "external %U",
2455 unformat_vnet_sw_interface, vnm, &sw_if_index))
2457 else if (unformat (line_input, "vrf %u", &vrf_id))
2459 else if (unformat (line_input, "%U %u", unformat_snat_protocol, &proto,
2462 else if (unformat (line_input, "del"))
2466 error = clib_error_return (0, "unknown input: '%U'",
2467 format_unformat_error, line_input);
2472 rv = snat_add_static_mapping(addr, addr, (u16) port, (u16) port,
2473 vrf_id, addr_only, sw_if_index, proto, is_add,
2478 case VNET_API_ERROR_INVALID_VALUE:
2479 error = clib_error_return (0, "External port already in use.");
2481 case VNET_API_ERROR_NO_SUCH_ENTRY:
2483 error = clib_error_return (0, "External addres must be allocated.");
2485 error = clib_error_return (0, "Mapping not exist.");
2487 case VNET_API_ERROR_NO_SUCH_FIB:
2488 error = clib_error_return (0, "No such VRF id.");
2490 case VNET_API_ERROR_VALUE_EXIST:
2491 error = clib_error_return (0, "Mapping already exist.");
2498 unformat_free (line_input);
2505 * @cliexstart{snat add identity mapping}
2506 * Identity mapping translate an IP address to itself.
2507 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
2509 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
2510 * To create identity mapping for address 10.0.0.3 use:
2511 * vpp# nat44 add identity mapping 10.0.0.3
2512 * To create identity mapping for DHCP addressed interface use:
2513 * vpp# nat44 add identity mapping GigabitEthernet0/a/0 tcp 3606
2516 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
2517 .path = "nat44 add identity mapping",
2518 .function = add_identity_mapping_command_fn,
2519 .short_help = "nat44 add identity mapping <interface>|<ip4-addr> "
2520 "[<protocol> <port>] [vrf <table-id>] [del]",
2523 static clib_error_t *
2524 add_lb_static_mapping_command_fn (vlib_main_t * vm,
2525 unformat_input_t * input,
2526 vlib_cli_command_t * cmd)
2528 unformat_input_t _line_input, *line_input = &_line_input;
2529 clib_error_t * error = 0;
2530 ip4_address_t l_addr, e_addr;
2531 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
2534 snat_protocol_t proto;
2536 nat44_lb_addr_port_t *locals = 0, local;
2540 /* Get a line of input. */
2541 if (!unformat_user (input, unformat_line_input, line_input))
2544 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2546 if (unformat (line_input, "local %U:%u probability %u",
2547 unformat_ip4_address, &l_addr, &l_port, &probability))
2549 memset (&local, 0, sizeof (local));
2550 local.addr = l_addr;
2551 local.port = (u16) l_port;
2552 local.probability = (u8) probability;
2553 vec_add1 (locals, local);
2555 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
2558 else if (unformat (line_input, "vrf %u", &vrf_id))
2560 else if (unformat (line_input, "protocol %U", unformat_snat_protocol,
2563 else if (unformat (line_input, "twice-nat"))
2565 else if (unformat (line_input, "out2in-only"))
2567 else if (unformat (line_input, "del"))
2571 error = clib_error_return (0, "unknown input: '%U'",
2572 format_unformat_error, line_input);
2577 if (vec_len (locals) < 2)
2579 error = clib_error_return (0, "at least two local must be set");
2585 error = clib_error_return (0, "missing protocol");
2589 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, vrf_id,
2590 locals, is_add, twice_nat, out2in_only);
2594 case VNET_API_ERROR_INVALID_VALUE:
2595 error = clib_error_return (0, "External port already in use.");
2597 case VNET_API_ERROR_NO_SUCH_ENTRY:
2599 error = clib_error_return (0, "External addres must be allocated.");
2601 error = clib_error_return (0, "Mapping not exist.");
2603 case VNET_API_ERROR_VALUE_EXIST:
2604 error = clib_error_return (0, "Mapping already exist.");
2611 unformat_free (line_input);
2617 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
2618 .path = "nat44 add load-balancing static mapping",
2619 .function = add_lb_static_mapping_command_fn,
2621 "nat44 add load-balancing static mapping protocol tcp|udp "
2622 "external <addr>:<port> local <addr>:<port> probability <n> [twice-nat] "
2623 "[vrf <table-id>] [out2in-only] [del]",
2626 static clib_error_t *
2627 set_workers_command_fn (vlib_main_t * vm,
2628 unformat_input_t * input,
2629 vlib_cli_command_t * cmd)
2631 unformat_input_t _line_input, *line_input = &_line_input;
2634 clib_error_t *error = 0;
2636 /* Get a line of input. */
2637 if (!unformat_user (input, unformat_line_input, line_input))
2640 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2642 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
2646 error = clib_error_return (0, "unknown input '%U'",
2647 format_unformat_error, line_input);
2654 error = clib_error_return (0, "List of workers must be specified.");
2658 rv = snat_set_workers(bitmap);
2660 clib_bitmap_free (bitmap);
2664 case VNET_API_ERROR_INVALID_WORKER:
2665 error = clib_error_return (0, "Invalid worker(s).");
2667 case VNET_API_ERROR_FEATURE_DISABLED:
2668 error = clib_error_return (0,
2669 "Supported only if 2 or more workes available.");
2676 unformat_free (line_input);
2683 * @cliexstart{set snat workers}
2684 * Set NAT workers if 2 or more workers available, use:
2685 * vpp# set snat workers 0-2,5
2688 VLIB_CLI_COMMAND (set_workers_command, static) = {
2689 .path = "set nat workers",
2690 .function = set_workers_command_fn,
2692 "set nat workers <workers-list>",
2695 static clib_error_t *
2696 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
2697 unformat_input_t * input,
2698 vlib_cli_command_t * cmd)
2700 unformat_input_t _line_input, *line_input = &_line_input;
2705 clib_error_t *error = 0;
2707 /* Get a line of input. */
2708 if (!unformat_user (input, unformat_line_input, line_input))
2711 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2713 if (unformat (line_input, "domain %d", &domain_id))
2715 else if (unformat (line_input, "src-port %d", &src_port))
2717 else if (unformat (line_input, "disable"))
2721 error = clib_error_return (0, "unknown input '%U'",
2722 format_unformat_error, line_input);
2727 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
2731 error = clib_error_return (0, "ipfix logging enable failed");
2736 unformat_free (line_input);
2743 * @cliexstart{snat ipfix logging}
2744 * To enable NAT IPFIX logging use:
2745 * vpp# nat ipfix logging
2746 * To set IPFIX exporter use:
2747 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
2750 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
2751 .path = "nat ipfix logging",
2752 .function = snat_ipfix_logging_enable_disable_command_fn,
2753 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
2757 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2759 snat_main_t *sm = &snat_main;
2760 u32 next_worker_index = 0;
2763 next_worker_index = sm->first_worker_index;
2764 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
2765 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >>24);
2767 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
2768 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
2770 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
2772 return next_worker_index;
2776 snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2778 snat_main_t *sm = &snat_main;
2781 snat_session_key_t m_key;
2782 clib_bihash_kv_8_8_t kv, value;
2783 snat_static_mapping_t *m;
2784 nat_ed_ses_key_t key;
2785 clib_bihash_kv_16_8_t s_kv, s_value;
2786 snat_main_per_thread_data_t *tsm;
2790 u32 next_worker_index = 0;
2792 /* first try static mappings without port */
2793 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2795 m_key.addr = ip0->dst_address;
2798 m_key.fib_index = rx_fib_index0;
2799 kv.key = m_key.as_u64;
2800 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
2802 m = pool_elt_at_index (sm->static_mappings, value.value);
2803 return m->worker_index;
2807 proto = ip_proto_to_snat_proto (ip0->protocol);
2808 udp = ip4_next_header (ip0);
2809 port = udp->dst_port;
2811 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
2813 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
2814 return vlib_get_thread_index ();
2816 if (PREDICT_TRUE (!ip4_is_first_fragment (ip0)))
2818 nat_reass_ip4_t *reass;
2820 reass = nat_ip4_reass_find (ip0->src_address, ip0->dst_address,
2821 ip0->fragment_id, ip0->protocol);
2823 if (reass && (reass->thread_index != (u32) ~ 0))
2824 return reass->thread_index;
2826 return vlib_get_thread_index ();
2830 /* unknown protocol */
2831 if (PREDICT_FALSE (proto == ~0))
2833 key.l_addr = ip0->dst_address;
2834 key.r_addr = ip0->src_address;
2835 key.fib_index = rx_fib_index0;
2836 key.proto = ip0->protocol;
2839 s_kv.key[0] = key.as_u64[0];
2840 s_kv.key[1] = key.as_u64[1];
2842 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
2844 for (i = 0; i < _vec_len (sm->per_thread_data); i++)
2846 tsm = vec_elt_at_index (sm->per_thread_data, i);
2847 if (!pool_is_free_index(tsm->sessions, s_value.value))
2849 s = pool_elt_at_index (tsm->sessions, s_value.value);
2850 if (s->out2in.addr.as_u32 == ip0->dst_address.as_u32 &&
2851 s->out2in.port == ip0->protocol &&
2852 snat_is_unk_proto_session (s))
2858 /* if no session use current thread */
2859 return vlib_get_thread_index ();
2862 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
2864 icmp46_header_t * icmp = (icmp46_header_t *) udp;
2865 icmp_echo_header_t *echo = (icmp_echo_header_t *)(icmp + 1);
2866 if (!icmp_is_error_message (icmp))
2867 port = echo->identifier;
2870 ip4_header_t *inner_ip = (ip4_header_t *)(echo + 1);
2871 proto = ip_proto_to_snat_proto (inner_ip->protocol);
2872 void *l4_header = ip4_next_header (inner_ip);
2875 case SNAT_PROTOCOL_ICMP:
2876 icmp = (icmp46_header_t*)l4_header;
2877 echo = (icmp_echo_header_t *)(icmp + 1);
2878 port = echo->identifier;
2880 case SNAT_PROTOCOL_UDP:
2881 case SNAT_PROTOCOL_TCP:
2882 port = ((tcp_udp_header_t*)l4_header)->src_port;
2885 return vlib_get_thread_index ();
2890 /* try static mappings with port */
2891 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2893 m_key.addr = ip0->dst_address;
2894 m_key.port = clib_net_to_host_u16 (port);
2895 m_key.protocol = proto;
2896 m_key.fib_index = rx_fib_index0;
2897 kv.key = m_key.as_u64;
2898 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
2900 m = pool_elt_at_index (sm->static_mappings, value.value);
2901 return m->worker_index;
2905 /* worker by outside port */
2906 next_worker_index = sm->first_worker_index;
2907 next_worker_index +=
2908 sm->workers[(clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread];
2909 return next_worker_index;
2912 static clib_error_t *
2913 snat_config (vlib_main_t * vm, unformat_input_t * input)
2915 snat_main_t * sm = &snat_main;
2916 u32 translation_buckets = 1024;
2917 u32 translation_memory_size = 128<<20;
2918 u32 user_buckets = 128;
2919 u32 user_memory_size = 64<<20;
2920 u32 max_translations_per_user = 100;
2921 u32 outside_vrf_id = 0;
2922 u32 inside_vrf_id = 0;
2923 u32 static_mapping_buckets = 1024;
2924 u32 static_mapping_memory_size = 64<<20;
2925 u32 nat64_bib_buckets = 1024;
2926 u32 nat64_bib_memory_size = 128 << 20;
2927 u32 nat64_st_buckets = 2048;
2928 u32 nat64_st_memory_size = 256 << 20;
2929 u8 static_mapping_only = 0;
2930 u8 static_mapping_connection_tracking = 0;
2931 snat_main_per_thread_data_t *tsm;
2932 dslite_main_t * dm = &dslite_main;
2934 sm->deterministic = 0;
2937 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
2939 if (unformat (input, "translation hash buckets %d", &translation_buckets))
2941 else if (unformat (input, "translation hash memory %d",
2942 &translation_memory_size));
2943 else if (unformat (input, "user hash buckets %d", &user_buckets))
2945 else if (unformat (input, "user hash memory %d",
2948 else if (unformat (input, "max translations per user %d",
2949 &max_translations_per_user))
2951 else if (unformat (input, "outside VRF id %d",
2954 else if (unformat (input, "inside VRF id %d",
2957 else if (unformat (input, "static mapping only"))
2959 static_mapping_only = 1;
2960 if (unformat (input, "connection tracking"))
2961 static_mapping_connection_tracking = 1;
2963 else if (unformat (input, "deterministic"))
2964 sm->deterministic = 1;
2965 else if (unformat (input, "nat64 bib hash buckets %d",
2966 &nat64_bib_buckets))
2968 else if (unformat (input, "nat64 bib hash memory %d",
2969 &nat64_bib_memory_size))
2971 else if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets))
2973 else if (unformat (input, "nat64 st hash memory %d",
2974 &nat64_st_memory_size))
2976 else if (unformat (input, "out2in dpo"))
2978 else if (unformat (input, "dslite ce"))
2979 dslite_set_ce(dm, 1);
2981 return clib_error_return (0, "unknown input '%U'",
2982 format_unformat_error, input);
2985 /* for show commands, etc. */
2986 sm->translation_buckets = translation_buckets;
2987 sm->translation_memory_size = translation_memory_size;
2988 /* do not exceed load factor 10 */
2989 sm->max_translations = 10 * translation_buckets;
2990 sm->user_buckets = user_buckets;
2991 sm->user_memory_size = user_memory_size;
2992 sm->max_translations_per_user = max_translations_per_user;
2993 sm->outside_vrf_id = outside_vrf_id;
2994 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
2996 FIB_SOURCE_PLUGIN_HI);
2997 sm->inside_vrf_id = inside_vrf_id;
2998 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
3000 FIB_SOURCE_PLUGIN_HI);
3001 sm->static_mapping_only = static_mapping_only;
3002 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
3004 nat64_set_hash(nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets,
3005 nat64_st_memory_size);
3007 if (sm->deterministic)
3009 sm->in2out_node_index = snat_det_in2out_node.index;
3010 sm->in2out_output_node_index = ~0;
3011 sm->out2in_node_index = snat_det_out2in_node.index;
3012 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
3013 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
3017 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
3018 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
3019 sm->in2out_node_index = snat_in2out_node.index;
3020 sm->in2out_output_node_index = snat_in2out_output_node.index;
3021 sm->out2in_node_index = snat_out2in_node.index;
3022 if (!static_mapping_only ||
3023 (static_mapping_only && static_mapping_connection_tracking))
3025 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
3026 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
3028 vec_foreach (tsm, sm->per_thread_data)
3030 clib_bihash_init_8_8 (&tsm->in2out, "in2out", translation_buckets,
3031 translation_memory_size);
3033 clib_bihash_init_8_8 (&tsm->out2in, "out2in", translation_buckets,
3034 translation_memory_size);
3036 clib_bihash_init_8_8 (&tsm->user_hash, "users", user_buckets,
3040 clib_bihash_init_16_8 (&sm->in2out_ed, "in2out-ed",
3041 translation_buckets, translation_memory_size);
3043 clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed",
3044 translation_buckets, translation_memory_size);
3048 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
3049 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
3051 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
3052 "static_mapping_by_local", static_mapping_buckets,
3053 static_mapping_memory_size);
3055 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
3056 "static_mapping_by_external", static_mapping_buckets,
3057 static_mapping_memory_size);
3063 VLIB_CONFIG_FUNCTION (snat_config, "nat");
3065 u8 * format_snat_session_state (u8 * s, va_list * args)
3067 u32 i = va_arg (*args, u32);
3072 #define _(v, N, str) case SNAT_SESSION_##N: t = (u8 *) str; break;
3073 foreach_snat_session_state
3076 t = format (t, "unknown");
3078 s = format (s, "%s", t);
3082 u8 * format_snat_key (u8 * s, va_list * args)
3084 snat_session_key_t * key = va_arg (*args, snat_session_key_t *);
3086 s = format (s, "%U proto %U port %d fib %d",
3087 format_ip4_address, &key->addr,
3088 format_snat_protocol, key->protocol,
3089 clib_net_to_host_u16 (key->port), key->fib_index);
3093 u8 * format_snat_session (u8 * s, va_list * args)
3095 snat_main_t * sm __attribute__((unused)) = va_arg (*args, snat_main_t *);
3096 snat_session_t * sess = va_arg (*args, snat_session_t *);
3098 if (snat_is_unk_proto_session (sess))
3100 s = format (s, " i2o %U proto %u fib %u\n",
3101 format_ip4_address, &sess->in2out.addr,
3102 clib_net_to_host_u16 (sess->in2out.port),
3103 sess->in2out.fib_index);
3104 s = format (s, " o2i %U proto %u fib %u\n",
3105 format_ip4_address, &sess->out2in.addr,
3106 clib_net_to_host_u16 (sess->out2in.port),
3107 sess->out2in.fib_index);
3111 s = format (s, " i2o %U\n", format_snat_key, &sess->in2out);
3112 s = format (s, " o2i %U\n", format_snat_key, &sess->out2in);
3114 if (is_twice_nat_session (sess))
3116 s = format (s, " external host o2i %U:%d i2o %U:%d\n",
3117 format_ip4_address, &sess->ext_host_addr,
3118 clib_net_to_host_u16 (sess->ext_host_port),
3119 format_ip4_address, &sess->ext_host_nat_addr,
3120 clib_net_to_host_u16 (sess->ext_host_nat_port));
3124 if (sess->ext_host_addr.as_u32)
3125 s = format (s, " external host %U\n",
3126 format_ip4_address, &sess->ext_host_addr);
3128 s = format (s, " last heard %.2f\n", sess->last_heard);
3129 s = format (s, " total pkts %d, total bytes %lld\n",
3130 sess->total_pkts, sess->total_bytes);
3131 if (snat_is_session_static (sess))
3132 s = format (s, " static translation\n");
3134 s = format (s, " dynamic translation\n");
3135 if (sess->flags & SNAT_SESSION_FLAG_LOAD_BALANCING)
3136 s = format (s, " load-balancing\n");
3137 if (is_twice_nat_session (sess))
3138 s = format (s, " twice-nat\n");
3143 u8 * format_snat_user (u8 * s, va_list * args)
3145 snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *);
3146 snat_user_t * u = va_arg (*args, snat_user_t *);
3147 int verbose = va_arg (*args, int);
3148 dlist_elt_t * head, * elt;
3149 u32 elt_index, head_index;
3151 snat_session_t * sess;
3153 s = format (s, "%U: %d dynamic translations, %d static translations\n",
3154 format_ip4_address, &u->addr, u->nsessions, u->nstaticsessions);
3159 if (u->nsessions || u->nstaticsessions)
3161 head_index = u->sessions_per_user_list_head_index;
3162 head = pool_elt_at_index (sm->list_pool, head_index);
3164 elt_index = head->next;
3165 elt = pool_elt_at_index (sm->list_pool, elt_index);
3166 session_index = elt->value;
3168 while (session_index != ~0)
3170 sess = pool_elt_at_index (sm->sessions, session_index);
3172 s = format (s, " %U\n", format_snat_session, sm, sess);
3174 elt_index = elt->next;
3175 elt = pool_elt_at_index (sm->list_pool, elt_index);
3176 session_index = elt->value;
3183 u8 * format_snat_static_mapping (u8 * s, va_list * args)
3185 snat_static_mapping_t *m = va_arg (*args, snat_static_mapping_t *);
3186 nat44_lb_addr_port_t *local;
3189 s = format (s, "local %U external %U vrf %d %s",
3190 format_ip4_address, &m->local_addr,
3191 format_ip4_address, &m->external_addr,
3192 m->vrf_id, m->twice_nat ? "twice-nat" : "");
3195 if (vec_len (m->locals))
3197 s = format (s, "%U vrf %d external %U:%d %s %s",
3198 format_snat_protocol, m->proto,
3200 format_ip4_address, &m->external_addr, m->external_port,
3201 m->twice_nat ? "twice-nat" : "",
3202 m->out2in_only ? "out2in-only" : "");
3203 vec_foreach (local, m->locals)
3204 s = format (s, "\n local %U:%d probability %d\%",
3205 format_ip4_address, &local->addr, local->port,
3206 local->probability);
3209 s = format (s, "%U local %U:%d external %U:%d vrf %d %s %s",
3210 format_snat_protocol, m->proto,
3211 format_ip4_address, &m->local_addr, m->local_port,
3212 format_ip4_address, &m->external_addr, m->external_port,
3213 m->vrf_id, m->twice_nat ? "twice-nat" : "",
3214 m->out2in_only ? "out2in-only" : "");
3219 u8 * format_snat_static_map_to_resolve (u8 * s, va_list * args)
3221 snat_static_map_resolve_t *m = va_arg (*args, snat_static_map_resolve_t *);
3222 vnet_main_t *vnm = vnet_get_main();
3225 s = format (s, "local %U external %U vrf %d",
3226 format_ip4_address, &m->l_addr,
3227 format_vnet_sw_interface_name, vnm,
3228 vnet_get_sw_interface (vnm, m->sw_if_index),
3231 s = format (s, "%U local %U:%d external %U:%d vrf %d",
3232 format_snat_protocol, m->proto,
3233 format_ip4_address, &m->l_addr, m->l_port,
3234 format_vnet_sw_interface_name, vnm,
3235 vnet_get_sw_interface (vnm, m->sw_if_index), m->e_port,
3241 u8 * format_det_map_ses (u8 * s, va_list * args)
3243 snat_det_map_t * det_map = va_arg (*args, snat_det_map_t *);
3244 ip4_address_t in_addr, out_addr;
3245 u32 in_offset, out_offset;
3246 snat_det_session_t * ses = va_arg (*args, snat_det_session_t *);
3247 u32 * i = va_arg (*args, u32 *);
3249 u32 user_index = *i / SNAT_DET_SES_PER_USER;
3250 in_addr.as_u32 = clib_host_to_net_u32 (
3251 clib_net_to_host_u32(det_map->in_addr.as_u32) + user_index);
3252 in_offset = clib_net_to_host_u32(in_addr.as_u32) -
3253 clib_net_to_host_u32(det_map->in_addr.as_u32);
3254 out_offset = in_offset / det_map->sharing_ratio;
3255 out_addr.as_u32 = clib_host_to_net_u32(
3256 clib_net_to_host_u32(det_map->out_addr.as_u32) + out_offset);
3257 s = format (s, "in %U:%d out %U:%d external host %U:%d state: %U expire: %d\n",
3258 format_ip4_address, &in_addr,
3259 clib_net_to_host_u16 (ses->in_port),
3260 format_ip4_address, &out_addr,
3261 clib_net_to_host_u16 (ses->out.out_port),
3262 format_ip4_address, &ses->out.ext_host_addr,
3263 clib_net_to_host_u16 (ses->out.ext_host_port),
3264 format_snat_session_state, ses->state,
3270 static clib_error_t *
3271 show_snat_command_fn (vlib_main_t * vm,
3272 unformat_input_t * input,
3273 vlib_cli_command_t * cmd)
3276 snat_main_t * sm = &snat_main;
3278 snat_static_mapping_t *m;
3279 snat_interface_t *i;
3280 snat_address_t * ap;
3281 vnet_main_t *vnm = vnet_get_main();
3282 snat_main_per_thread_data_t *tsm;
3283 u32 users_num = 0, sessions_num = 0, *worker, *sw_if_index;
3285 snat_static_map_resolve_t *rp;
3286 snat_det_map_t * dm;
3287 snat_det_session_t * ses;
3289 if (unformat (input, "detail"))
3291 else if (unformat (input, "verbose"))
3294 if (sm->static_mapping_only)
3296 if (sm->static_mapping_connection_tracking)
3297 vlib_cli_output (vm, "NAT plugin mode: static mapping only connection "
3300 vlib_cli_output (vm, "NAT plugin mode: static mapping only");
3302 else if (sm->deterministic)
3304 vlib_cli_output (vm, "NAT plugin mode: deterministic mapping");
3308 vlib_cli_output (vm, "NAT plugin mode: dynamic translations enabled");
3313 pool_foreach (i, sm->interfaces,
3315 vlib_cli_output (vm, "%U %s", format_vnet_sw_interface_name, vnm,
3316 vnet_get_sw_interface (vnm, i->sw_if_index),
3317 (nat_interface_is_inside(i) &&
3318 nat_interface_is_outside(i)) ? "in out" :
3319 (nat_interface_is_inside(i) ? "in" : "out"));
3322 pool_foreach (i, sm->output_feature_interfaces,
3324 vlib_cli_output (vm, "%U output-feature %s",
3325 format_vnet_sw_interface_name, vnm,
3326 vnet_get_sw_interface (vnm, i->sw_if_index),
3327 (nat_interface_is_inside(i) &&
3328 nat_interface_is_outside(i)) ? "in out" :
3329 (nat_interface_is_inside(i) ? "in" : "out"));
3332 if (vec_len (sm->auto_add_sw_if_indices))
3334 vlib_cli_output (vm, "NAT44 pool addresses interfaces:");
3335 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
3337 vlib_cli_output (vm, "%U", format_vnet_sw_interface_name, vnm,
3338 vnet_get_sw_interface (vnm, *sw_if_index));
3342 if (vec_len (sm->auto_add_sw_if_indices_twice_nat))
3344 vlib_cli_output (vm, "NAT44 twice-nat pool addresses interfaces:");
3345 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
3347 vlib_cli_output (vm, "%U", format_vnet_sw_interface_name, vnm,
3348 vnet_get_sw_interface (vnm, *sw_if_index));
3352 vlib_cli_output (vm, "NAT44 pool addresses:");
3353 vec_foreach (ap, sm->addresses)
3355 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
3356 if (ap->fib_index != ~0)
3357 vlib_cli_output (vm, " tenant VRF: %u",
3358 ip4_fib_get(ap->fib_index)->table_id);
3360 vlib_cli_output (vm, " tenant VRF independent");
3361 #define _(N, i, n, s) \
3362 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
3363 foreach_snat_protocol
3367 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
3368 vec_foreach (ap, sm->twice_nat_addresses)
3370 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
3371 if (ap->fib_index != ~0)
3372 vlib_cli_output (vm, " tenant VRF: %u",
3373 ip4_fib_get(ap->fib_index)->table_id);
3375 vlib_cli_output (vm, " tenant VRF independent");
3376 #define _(N, i, n, s) \
3377 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
3378 foreach_snat_protocol
3383 if (sm->num_workers > 1)
3385 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
3388 vec_foreach (worker, sm->workers)
3390 vlib_worker_thread_t *w =
3391 vlib_worker_threads + *worker + sm->first_worker_index;
3392 vlib_cli_output (vm, " %s", w->name);
3397 if (sm->deterministic)
3399 vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
3400 vlib_cli_output (vm, "tcp-established timeout: %dsec",
3401 sm->tcp_established_timeout);
3402 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
3403 sm->tcp_transitory_timeout);
3404 vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
3405 vlib_cli_output (vm, "%d deterministic mappings",
3406 pool_elts (sm->det_maps));
3409 pool_foreach (dm, sm->det_maps,
3411 vlib_cli_output (vm, "in %U/%d out %U/%d\n",
3412 format_ip4_address, &dm->in_addr, dm->in_plen,
3413 format_ip4_address, &dm->out_addr, dm->out_plen);
3414 vlib_cli_output (vm, " outside address sharing ratio: %d\n",
3416 vlib_cli_output (vm, " number of ports per inside host: %d\n",
3417 dm->ports_per_host);
3418 vlib_cli_output (vm, " sessions number: %d\n", dm->ses_num);
3421 vec_foreach_index (j, dm->sessions)
3423 ses = vec_elt_at_index (dm->sessions, j);
3425 vlib_cli_output (vm, " %U", format_det_map_ses, dm, ses,
3434 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
3436 vlib_cli_output (vm, "%d static mappings",
3437 pool_elts (sm->static_mappings));
3441 pool_foreach (m, sm->static_mappings,
3443 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
3449 vec_foreach (tsm, sm->per_thread_data)
3451 users_num += pool_elts (tsm->users);
3452 sessions_num += pool_elts (tsm->sessions);
3455 vlib_cli_output (vm, "%d users, %d outside addresses, %d active sessions,"
3456 " %d static mappings, %d twice-nat addresses",
3458 vec_len (sm->addresses),
3460 pool_elts (sm->static_mappings),
3461 vec_len (sm->twice_nat_addresses));
3465 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->in2out_ed,
3467 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->out2in_ed,
3469 vec_foreach_index (j, sm->per_thread_data)
3471 tsm = vec_elt_at_index (sm->per_thread_data, j);
3473 if (pool_elts (tsm->users) == 0)
3476 vlib_worker_thread_t *w = vlib_worker_threads + j;
3477 vlib_cli_output (vm, "Thread %d (%s at lcore %u):", j, w->name,
3479 vlib_cli_output (vm, " %U", format_bihash_8_8, &tsm->in2out,
3481 vlib_cli_output (vm, " %U", format_bihash_8_8, &tsm->out2in,
3483 vlib_cli_output (vm, " %d list pool elements",
3484 pool_elts (tsm->list_pool));
3486 pool_foreach (u, tsm->users,
3488 vlib_cli_output (vm, " %U", format_snat_user, tsm, u,
3493 if (pool_elts (sm->static_mappings))
3495 vlib_cli_output (vm, "static mappings:");
3496 pool_foreach (m, sm->static_mappings,
3498 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
3500 for (j = 0; j < vec_len (sm->to_resolve); j++)
3502 rp = sm->to_resolve + j;
3503 vlib_cli_output (vm, "%U",
3504 format_snat_static_map_to_resolve, rp);
3514 VLIB_CLI_COMMAND (show_snat_command, static) = {
3515 .path = "show nat44",
3516 .short_help = "show nat44",
3517 .function = show_snat_command_fn,
3522 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
3525 ip4_address_t * address,
3527 u32 if_address_index,
3530 snat_main_t *sm = &snat_main;
3531 snat_static_map_resolve_t *rp;
3532 u32 *indices_to_delete = 0;
3533 ip4_address_t l_addr;
3537 snat_address_t *addresses = sm->addresses;
3539 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++)
3541 if (sw_if_index == sm->auto_add_sw_if_indices[i])
3545 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices_twice_nat); i++)
3548 addresses = sm->twice_nat_addresses;
3549 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
3558 /* Don't trip over lease renewal, static config */
3559 for (j = 0; j < vec_len(addresses); j++)
3560 if (addresses[j].addr.as_u32 == address->as_u32)
3563 snat_add_address (sm, address, ~0, twice_nat);
3564 /* Scan static map resolution vector */
3565 for (j = 0; j < vec_len (sm->to_resolve); j++)
3567 rp = sm->to_resolve + j;
3568 /* On this interface? */
3569 if (rp->sw_if_index == sw_if_index)
3571 /* Indetity mapping? */
3572 if (rp->l_addr.as_u32 == 0)
3573 l_addr.as_u32 = address[0].as_u32;
3575 l_addr.as_u32 = rp->l_addr.as_u32;
3576 /* Add the static mapping */
3577 rv = snat_add_static_mapping (l_addr,
3583 ~0 /* sw_if_index */,
3588 clib_warning ("snat_add_static_mapping returned %d",
3590 vec_add1 (indices_to_delete, j);
3593 /* If we resolved any of the outstanding static mappings */
3594 if (vec_len(indices_to_delete))
3597 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
3598 vec_delete(sm->to_resolve, 1, j);
3599 vec_free(indices_to_delete);
3605 (void) snat_del_address(sm, address[0], 1, twice_nat);
3611 int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del,
3614 ip4_main_t * ip4_main = sm->ip4_main;
3615 ip4_address_t * first_int_addr;
3616 snat_static_map_resolve_t *rp;
3617 u32 *indices_to_delete = 0;
3619 u32 *auto_add_sw_if_indices =
3620 twice_nat ? sm->auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
3622 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index,
3623 0 /* just want the address*/);
3625 for (i = 0; i < vec_len(auto_add_sw_if_indices); i++)
3627 if (auto_add_sw_if_indices[i] == sw_if_index)
3631 /* if have address remove it */
3633 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
3636 for (j = 0; j < vec_len (sm->to_resolve); j++)
3638 rp = sm->to_resolve + j;
3639 if (rp->sw_if_index == sw_if_index)
3640 vec_add1 (indices_to_delete, j);
3642 if (vec_len(indices_to_delete))
3644 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
3645 vec_del1(sm->to_resolve, j);
3646 vec_free(indices_to_delete);
3650 vec_del1(sm->auto_add_sw_if_indices_twice_nat, i);
3652 vec_del1(sm->auto_add_sw_if_indices, i);
3655 return VNET_API_ERROR_VALUE_EXIST;
3662 return VNET_API_ERROR_NO_SUCH_ENTRY;
3664 /* add to the auto-address list */
3666 vec_add1(sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
3668 vec_add1(sm->auto_add_sw_if_indices, sw_if_index);
3670 /* If the address is already bound - or static - add it now */
3672 snat_add_address (sm, first_int_addr, ~0, twice_nat);
3677 static clib_error_t *
3678 snat_add_interface_address_command_fn (vlib_main_t * vm,
3679 unformat_input_t * input,
3680 vlib_cli_command_t * cmd)
3682 snat_main_t *sm = &snat_main;
3683 unformat_input_t _line_input, *line_input = &_line_input;
3687 clib_error_t *error = 0;
3690 /* Get a line of input. */
3691 if (!unformat_user (input, unformat_line_input, line_input))
3694 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3696 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
3697 sm->vnet_main, &sw_if_index))
3699 else if (unformat (line_input, "twice-nat"))
3701 else if (unformat (line_input, "del"))
3705 error = clib_error_return (0, "unknown input '%U'",
3706 format_unformat_error, line_input);
3711 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
3719 error = clib_error_return (0, "snat_add_interface_address returned %d",
3725 unformat_free (line_input);
3730 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
3731 .path = "nat44 add interface address",
3732 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
3733 .function = snat_add_interface_address_command_fn,
3737 nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port,
3738 snat_protocol_t proto, u32 vrf_id, int is_in)
3740 snat_main_per_thread_data_t *tsm;
3741 clib_bihash_kv_8_8_t kv, value;
3743 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3744 snat_session_key_t key;
3746 clib_bihash_8_8_t *t;
3747 snat_user_key_t u_key;
3750 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3751 if (sm->num_workers)
3753 vec_elt_at_index (sm->per_thread_data,
3754 sm->worker_in2out_cb (&ip, fib_index));
3756 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3758 key.addr.as_u32 = addr->as_u32;
3759 key.port = clib_host_to_net_u16 (port);
3760 key.protocol = proto;
3761 key.fib_index = fib_index;
3762 kv.key = key.as_u64;
3763 t = is_in ? &tsm->in2out : &tsm->out2in;
3764 if (!clib_bihash_search_8_8 (t, &kv, &value))
3766 s = pool_elt_at_index (tsm->sessions, value.value);
3767 kv.key = s->in2out.as_u64;
3768 clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0);
3769 kv.key = s->out2in.as_u64;
3770 clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0);
3771 u_key.addr = s->in2out.addr;
3772 u_key.fib_index = s->in2out.fib_index;
3773 kv.key = u_key.as_u64;
3774 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
3776 u = pool_elt_at_index (tsm->users, value.value);
3779 clib_dlist_remove (tsm->list_pool, s->per_user_index);
3780 pool_put (tsm->sessions, s);
3784 return VNET_API_ERROR_NO_SUCH_ENTRY;
3787 static clib_error_t *
3788 nat44_del_session_command_fn (vlib_main_t * vm,
3789 unformat_input_t * input,
3790 vlib_cli_command_t * cmd)
3792 snat_main_t *sm = &snat_main;
3793 unformat_input_t _line_input, *line_input = &_line_input;
3795 clib_error_t *error = 0;
3797 u32 port = 0, vrf_id = sm->outside_vrf_id;
3798 snat_protocol_t proto;
3801 /* Get a line of input. */
3802 if (!unformat_user (input, unformat_line_input, line_input))
3805 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3807 if (unformat (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
3808 unformat_snat_protocol, &proto))
3810 else if (unformat (line_input, "in"))
3813 vrf_id = sm->inside_vrf_id;
3815 else if (unformat (line_input, "vrf %u", &vrf_id))
3819 error = clib_error_return (0, "unknown input '%U'",
3820 format_unformat_error, line_input);
3825 rv = nat44_del_session(sm, &addr, port, proto, vrf_id, is_in);
3833 error = clib_error_return (0, "nat44_del_session returned %d", rv);
3838 unformat_free (line_input);
3843 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
3844 .path = "nat44 del session",
3845 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>]",
3846 .function = nat44_del_session_command_fn,
3849 static clib_error_t *
3850 nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
3851 unformat_input_t * input,
3852 vlib_cli_command_t * cmd)
3854 snat_main_t *sm = &snat_main;
3855 unformat_input_t _line_input, *line_input = &_line_input;
3856 clib_error_t *error = 0;
3857 u32 psid, psid_offset, psid_length;
3859 /* Get a line of input. */
3860 if (!unformat_user (input, unformat_line_input, line_input))
3863 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3865 if (unformat (line_input, "default"))
3866 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
3867 else if (unformat (line_input, "map-e psid %d psid-offset %d psid-len %d",
3868 &psid, &psid_offset, &psid_length))
3870 sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
3871 sm->psid = (u16) psid;
3872 sm->psid_offset = (u16) psid_offset;
3873 sm->psid_length = (u16) psid_length;
3877 error = clib_error_return (0, "unknown input '%U'",
3878 format_unformat_error, line_input);
3884 unformat_free (line_input);
3889 VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
3890 .path = "nat addr-port-assignment-alg",
3891 .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
3892 .function = nat44_set_alloc_addr_and_port_alg_command_fn,
3895 static clib_error_t *
3896 snat_det_map_command_fn (vlib_main_t * vm,
3897 unformat_input_t * input,
3898 vlib_cli_command_t * cmd)
3900 snat_main_t *sm = &snat_main;
3901 unformat_input_t _line_input, *line_input = &_line_input;
3902 ip4_address_t in_addr, out_addr;
3903 u32 in_plen, out_plen;
3905 clib_error_t *error = 0;
3907 /* Get a line of input. */
3908 if (!unformat_user (input, unformat_line_input, line_input))
3911 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3913 if (unformat (line_input, "in %U/%u", unformat_ip4_address, &in_addr, &in_plen))
3915 else if (unformat (line_input, "out %U/%u", unformat_ip4_address, &out_addr, &out_plen))
3917 else if (unformat (line_input, "del"))
3921 error = clib_error_return (0, "unknown input '%U'",
3922 format_unformat_error, line_input);
3927 rv = snat_det_add_map(sm, &in_addr, (u8) in_plen, &out_addr, (u8)out_plen,
3932 error = clib_error_return (0, "snat_det_add_map return %d", rv);
3937 unformat_free (line_input);
3944 * @cliexstart{snat deterministic add}
3945 * Create bijective mapping of inside address to outside address and port range
3946 * pairs, with the purpose of enabling deterministic NAT to reduce logging in
3948 * To create deterministic mapping between inside network 10.0.0.0/18 and
3949 * outside network 1.1.1.0/30 use:
3950 * # vpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.0/30
3953 VLIB_CLI_COMMAND (snat_det_map_command, static) = {
3954 .path = "nat44 deterministic add",
3955 .short_help = "nat44 deterministic add in <addr>/<plen> out <addr>/<plen> [del]",
3956 .function = snat_det_map_command_fn,
3959 static clib_error_t *
3960 snat_det_forward_command_fn (vlib_main_t * vm,
3961 unformat_input_t * input,
3962 vlib_cli_command_t * cmd)
3964 snat_main_t *sm = &snat_main;
3965 unformat_input_t _line_input, *line_input = &_line_input;
3966 ip4_address_t in_addr, out_addr;
3968 snat_det_map_t * dm;
3969 clib_error_t *error = 0;
3971 /* Get a line of input. */
3972 if (!unformat_user (input, unformat_line_input, line_input))
3975 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3977 if (unformat (line_input, "%U", unformat_ip4_address, &in_addr))
3981 error = clib_error_return (0, "unknown input '%U'",
3982 format_unformat_error, line_input);
3987 dm = snat_det_map_by_user(sm, &in_addr);
3989 vlib_cli_output (vm, "no match");
3992 snat_det_forward (dm, &in_addr, &out_addr, &lo_port);
3993 vlib_cli_output (vm, "%U:<%d-%d>", format_ip4_address, &out_addr,
3994 lo_port, lo_port + dm->ports_per_host - 1);
3998 unformat_free (line_input);
4005 * @cliexstart{snat deterministic forward}
4006 * Return outside address and port range from inside address for deterministic
4008 * To obtain outside address and port of inside host use:
4009 * vpp# nat44 deterministic forward 10.0.0.2
4010 * 1.1.1.0:<1054-1068>
4013 VLIB_CLI_COMMAND (snat_det_forward_command, static) = {
4014 .path = "nat44 deterministic forward",
4015 .short_help = "nat44 deterministic forward <addr>",
4016 .function = snat_det_forward_command_fn,
4019 static clib_error_t *
4020 snat_det_reverse_command_fn (vlib_main_t * vm,
4021 unformat_input_t * input,
4022 vlib_cli_command_t * cmd)
4024 snat_main_t *sm = &snat_main;
4025 unformat_input_t _line_input, *line_input = &_line_input;
4026 ip4_address_t in_addr, out_addr;
4028 snat_det_map_t * dm;
4029 clib_error_t *error = 0;
4031 /* Get a line of input. */
4032 if (!unformat_user (input, unformat_line_input, line_input))
4035 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4037 if (unformat (line_input, "%U:%d", unformat_ip4_address, &out_addr, &out_port))
4041 error = clib_error_return (0, "unknown input '%U'",
4042 format_unformat_error, line_input);
4047 if (out_port < 1024 || out_port > 65535)
4049 error = clib_error_return (0, "wrong port, must be <1024-65535>");
4053 dm = snat_det_map_by_out(sm, &out_addr);
4055 vlib_cli_output (vm, "no match");
4058 snat_det_reverse (dm, &out_addr, (u16) out_port, &in_addr);
4059 vlib_cli_output (vm, "%U", format_ip4_address, &in_addr);
4063 unformat_free (line_input);
4070 * @cliexstart{snat deterministic reverse}
4071 * Return inside address from outside address and port for deterministic NAT.
4072 * To obtain inside host address from outside address and port use:
4073 * #vpp nat44 deterministic reverse 1.1.1.1:1276
4077 VLIB_CLI_COMMAND (snat_det_reverse_command, static) = {
4078 .path = "nat44 deterministic reverse",
4079 .short_help = "nat44 deterministic reverse <addr>:<port>",
4080 .function = snat_det_reverse_command_fn,
4083 static clib_error_t *
4084 set_timeout_command_fn (vlib_main_t * vm,
4085 unformat_input_t * input,
4086 vlib_cli_command_t * cmd)
4088 snat_main_t *sm = &snat_main;
4089 unformat_input_t _line_input, *line_input = &_line_input;
4090 clib_error_t *error = 0;
4092 /* Get a line of input. */
4093 if (!unformat_user (input, unformat_line_input, line_input))
4096 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4098 if (unformat (line_input, "udp %u", &sm->udp_timeout))
4100 else if (unformat (line_input, "tcp-established %u",
4101 &sm->tcp_established_timeout))
4103 else if (unformat (line_input, "tcp-transitory %u",
4104 &sm->tcp_transitory_timeout))
4106 else if (unformat (line_input, "icmp %u", &sm->icmp_timeout))
4108 else if (unformat (line_input, "reset"))
4110 sm->udp_timeout = SNAT_UDP_TIMEOUT;
4111 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
4112 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
4113 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
4117 error = clib_error_return (0, "unknown input '%U'",
4118 format_unformat_error, line_input);
4124 unformat_free (line_input);
4131 * @cliexstart{set snat deterministic timeout}
4132 * Set values of timeouts for deterministic NAT (in seconds), use:
4133 * vpp# set nat44 deterministic timeout udp 120 tcp-established 7500
4134 * tcp-transitory 250 icmp 90
4135 * To reset default values use:
4136 * vpp# set nat44 deterministic timeout reset
4139 VLIB_CLI_COMMAND (set_timeout_command, static) = {
4140 .path = "set nat44 deterministic timeout",
4141 .function = set_timeout_command_fn,
4143 "set nat44 deterministic timeout [udp <sec> | tcp-established <sec> "
4144 "tcp-transitory <sec> | icmp <sec> | reset]",
4147 static clib_error_t *
4148 snat_det_close_session_out_fn (vlib_main_t *vm,
4149 unformat_input_t * input,
4150 vlib_cli_command_t * cmd)
4152 snat_main_t *sm = &snat_main;
4153 unformat_input_t _line_input, *line_input = &_line_input;
4154 ip4_address_t out_addr, ext_addr, in_addr;
4155 u32 out_port, ext_port;
4156 snat_det_map_t * dm;
4157 snat_det_session_t * ses;
4158 snat_det_out_key_t key;
4159 clib_error_t *error = 0;
4161 /* Get a line of input. */
4162 if (!unformat_user (input, unformat_line_input, line_input))
4165 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4167 if (unformat (line_input, "%U:%d %U:%d",
4168 unformat_ip4_address, &out_addr, &out_port,
4169 unformat_ip4_address, &ext_addr, &ext_port))
4173 error = clib_error_return (0, "unknown input '%U'",
4174 format_unformat_error, line_input);
4179 unformat_free (line_input);
4181 dm = snat_det_map_by_out(sm, &out_addr);
4183 vlib_cli_output (vm, "no match");
4186 snat_det_reverse(dm, &ext_addr, (u16)out_port, &in_addr);
4187 key.ext_host_addr = out_addr;
4188 key.ext_host_port = ntohs((u16)ext_port);
4189 key.out_port = ntohs((u16)out_port);
4190 ses = snat_det_get_ses_by_out(dm, &out_addr, key.as_u64);
4192 vlib_cli_output (vm, "no match");
4194 snat_det_ses_close(dm, ses);
4198 unformat_free (line_input);
4205 * @cliexstart{snat deterministic close session out}
4206 * Close session using outside ip address and port
4207 * and external ip address and port, use:
4208 * vpp# nat44 deterministic close session out 1.1.1.1:1276 2.2.2.2:2387
4211 VLIB_CLI_COMMAND (snat_det_close_sesion_out_command, static) = {
4212 .path = "nat44 deterministic close session out",
4213 .short_help = "nat44 deterministic close session out "
4214 "<out_addr>:<out_port> <ext_addr>:<ext_port>",
4215 .function = snat_det_close_session_out_fn,
4218 static clib_error_t *
4219 snat_det_close_session_in_fn (vlib_main_t *vm,
4220 unformat_input_t * input,
4221 vlib_cli_command_t * cmd)
4223 snat_main_t *sm = &snat_main;
4224 unformat_input_t _line_input, *line_input = &_line_input;
4225 ip4_address_t in_addr, ext_addr;
4226 u32 in_port, ext_port;
4227 snat_det_map_t * dm;
4228 snat_det_session_t * ses;
4229 snat_det_out_key_t key;
4230 clib_error_t *error = 0;
4232 /* Get a line of input. */
4233 if (!unformat_user (input, unformat_line_input, line_input))
4236 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4238 if (unformat (line_input, "%U:%d %U:%d",
4239 unformat_ip4_address, &in_addr, &in_port,
4240 unformat_ip4_address, &ext_addr, &ext_port))
4244 error = clib_error_return (0, "unknown input '%U'",
4245 format_unformat_error, line_input);
4250 unformat_free (line_input);
4252 dm = snat_det_map_by_user (sm, &in_addr);
4254 vlib_cli_output (vm, "no match");
4257 key.ext_host_addr = ext_addr;
4258 key.ext_host_port = ntohs ((u16)ext_port);
4259 ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs((u16)in_port), key);
4261 vlib_cli_output (vm, "no match");
4263 snat_det_ses_close(dm, ses);
4267 unformat_free(line_input);
4274 * @cliexstart{snat deterministic close_session_in}
4275 * Close session using inside ip address and port
4276 * and external ip address and port, use:
4277 * vpp# nat44 deterministic close session in 3.3.3.3:3487 2.2.2.2:2387
4280 VLIB_CLI_COMMAND (snat_det_close_session_in_command, static) = {
4281 .path = "nat44 deterministic close session in",
4282 .short_help = "nat44 deterministic close session in "
4283 "<in_addr>:<in_port> <ext_addr>:<ext_port>",
4284 .function = snat_det_close_session_in_fn,
4287 static clib_error_t *
4288 snat_forwarding_set_command_fn (vlib_main_t *vm,
4289 unformat_input_t * input,
4290 vlib_cli_command_t * cmd)
4292 snat_main_t *sm = &snat_main;
4293 unformat_input_t _line_input, *line_input = &_line_input;
4294 u8 forwarding_enable;
4295 u8 forwarding_enable_set = 0;
4296 clib_error_t *error = 0;
4298 /* Get a line of input. */
4299 if (!unformat_user (input, unformat_line_input, line_input))
4300 return clib_error_return (0, "'enable' or 'disable' expected");
4302 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4304 if (!forwarding_enable_set && unformat (line_input, "enable"))
4306 forwarding_enable = 1;
4307 forwarding_enable_set = 1;
4309 else if (!forwarding_enable_set && unformat (line_input, "disable"))
4311 forwarding_enable = 0;
4312 forwarding_enable_set = 1;
4316 error = clib_error_return (0, "unknown input '%U'",
4317 format_unformat_error, line_input);
4322 if (!forwarding_enable_set)
4324 error = clib_error_return (0, "'enable' or 'disable' expected");
4328 sm->forwarding_enabled = forwarding_enable;
4331 unformat_free(line_input);
4338 * @cliexstart{nat44 forwarding}
4339 * Enable or disable forwarding
4340 * Forward packets which don't match existing translation
4341 * or static mapping instead of dropping them.
4342 * To enable forwarding, use:
4343 * vpp# nat44 forwarding enable
4344 * To disable forwarding, use:
4345 * vpp# nat44 forwarding disable
4348 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
4349 .path = "nat44 forwarding",
4350 .short_help = "nat44 forwarding enable|disable",
4351 .function = snat_forwarding_set_command_fn,
Code Review / vpp.git / blob