2 * snat.c - simple nat plugin
4 * Copyright (c) 2016 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/ip/ip.h>
20 #include <vnet/ip/ip4.h>
21 #include <vnet/plugin/plugin.h>
23 #include <nat/nat_ipfix_logging.h>
24 #include <nat/nat_det.h>
25 #include <nat/nat64.h>
26 #include <nat/dslite.h>
27 #include <nat/nat_reass.h>
28 #include <vnet/fib/fib_table.h>
29 #include <vnet/fib/ip4_fib.h>
31 #include <vpp/app/version.h>
33 snat_main_t snat_main;
36 /* Hook up input features */
37 VNET_FEATURE_INIT (ip4_snat_in2out, static) = {
38 .arc_name = "ip4-unicast",
39 .node_name = "nat44-in2out",
40 .runs_before = VNET_FEATURES ("nat44-out2in"),
42 VNET_FEATURE_INIT (ip4_snat_out2in, static) = {
43 .arc_name = "ip4-unicast",
44 .node_name = "nat44-out2in",
45 .runs_before = VNET_FEATURES ("ip4-lookup"),
47 VNET_FEATURE_INIT (ip4_nat_classify, static) = {
48 .arc_name = "ip4-unicast",
49 .node_name = "nat44-classify",
50 .runs_before = VNET_FEATURES ("ip4-lookup"),
52 VNET_FEATURE_INIT (ip4_snat_det_in2out, static) = {
53 .arc_name = "ip4-unicast",
54 .node_name = "nat44-det-in2out",
55 .runs_before = VNET_FEATURES ("nat44-det-out2in"),
57 VNET_FEATURE_INIT (ip4_snat_det_out2in, static) = {
58 .arc_name = "ip4-unicast",
59 .node_name = "nat44-det-out2in",
60 .runs_before = VNET_FEATURES ("ip4-lookup"),
62 VNET_FEATURE_INIT (ip4_nat_det_classify, static) = {
63 .arc_name = "ip4-unicast",
64 .node_name = "nat44-det-classify",
65 .runs_before = VNET_FEATURES ("ip4-lookup"),
67 VNET_FEATURE_INIT (ip4_snat_in2out_worker_handoff, static) = {
68 .arc_name = "ip4-unicast",
69 .node_name = "nat44-in2out-worker-handoff",
70 .runs_before = VNET_FEATURES ("nat44-out2in-worker-handoff"),
72 VNET_FEATURE_INIT (ip4_snat_out2in_worker_handoff, static) = {
73 .arc_name = "ip4-unicast",
74 .node_name = "nat44-out2in-worker-handoff",
75 .runs_before = VNET_FEATURES ("ip4-lookup"),
77 VNET_FEATURE_INIT (ip4_nat_handoff_classify, static) = {
78 .arc_name = "ip4-unicast",
79 .node_name = "nat44-handoff-classify",
80 .runs_before = VNET_FEATURES ("ip4-lookup"),
82 VNET_FEATURE_INIT (ip4_snat_in2out_fast, static) = {
83 .arc_name = "ip4-unicast",
84 .node_name = "nat44-in2out-fast",
85 .runs_before = VNET_FEATURES ("nat44-out2in-fast"),
87 VNET_FEATURE_INIT (ip4_snat_out2in_fast, static) = {
88 .arc_name = "ip4-unicast",
89 .node_name = "nat44-out2in-fast",
90 .runs_before = VNET_FEATURES ("ip4-lookup"),
92 VNET_FEATURE_INIT (ip4_snat_hairpin_dst, static) = {
93 .arc_name = "ip4-unicast",
94 .node_name = "nat44-hairpin-dst",
95 .runs_before = VNET_FEATURES ("ip4-lookup"),
98 /* Hook up output features */
99 VNET_FEATURE_INIT (ip4_snat_in2out_output, static) = {
100 .arc_name = "ip4-output",
101 .node_name = "nat44-in2out-output",
102 .runs_before = VNET_FEATURES ("interface-output"),
104 VNET_FEATURE_INIT (ip4_snat_in2out_output_worker_handoff, static) = {
105 .arc_name = "ip4-output",
106 .node_name = "nat44-in2out-output-worker-handoff",
107 .runs_before = VNET_FEATURES ("interface-output"),
109 VNET_FEATURE_INIT (ip4_snat_hairpin_src, static) = {
110 .arc_name = "ip4-output",
111 .node_name = "nat44-hairpin-src",
112 .runs_before = VNET_FEATURES ("interface-output"),
115 /* Hook up ip4-local features */
116 VNET_FEATURE_INIT (ip4_nat_hairpinning, static) =
118 .arc_name = "ip4-local",
119 .node_name = "nat44-hairpinning",
120 .runs_before = VNET_FEATURES("ip4-local-end-of-arc"),
125 VLIB_PLUGIN_REGISTER () = {
126 .version = VPP_BUILD_VER,
127 .description = "Network Address Translation",
131 vlib_node_registration_t nat44_classify_node;
132 vlib_node_registration_t nat44_det_classify_node;
133 vlib_node_registration_t nat44_handoff_classify_node;
136 NAT44_CLASSIFY_NEXT_IN2OUT,
137 NAT44_CLASSIFY_NEXT_OUT2IN,
138 NAT44_CLASSIFY_N_NEXT,
139 } nat44_classify_next_t;
142 nat_free_session_data (snat_main_t * sm, snat_session_t * s, u32 thread_index)
144 snat_session_key_t key;
145 clib_bihash_kv_8_8_t kv;
146 nat_ed_ses_key_t ed_key;
147 clib_bihash_kv_16_8_t ed_kv;
150 snat_main_per_thread_data_t *tsm =
151 vec_elt_at_index (sm->per_thread_data, thread_index);
153 /* Endpoint dependent session lookup tables */
154 if (is_ed_session (s))
156 ed_key.l_addr = s->out2in.addr;
157 ed_key.r_addr = s->ext_host_addr;
158 ed_key.fib_index = s->out2in.fib_index;
159 if (snat_is_unk_proto_session (s))
161 ed_key.proto = s->in2out.port;
167 ed_key.proto = snat_proto_to_ip_proto (s->in2out.protocol);
168 ed_key.l_port = s->out2in.port;
169 ed_key.r_port = s->ext_host_port;
171 ed_kv.key[0] = ed_key.as_u64[0];
172 ed_kv.key[1] = ed_key.as_u64[1];
173 if (clib_bihash_add_del_16_8 (&sm->out2in_ed, &ed_kv, 0))
174 clib_warning ("out2in_ed key del failed");
176 ed_key.l_addr = s->in2out.addr;
177 ed_key.fib_index = s->in2out.fib_index;
178 if (!snat_is_unk_proto_session (s))
179 ed_key.l_port = s->in2out.port;
180 if (is_twice_nat_session (s))
182 ed_key.r_addr = s->ext_host_nat_addr;
183 ed_key.r_port = s->ext_host_nat_port;
185 ed_kv.key[0] = ed_key.as_u64[0];
186 ed_kv.key[1] = ed_key.as_u64[1];
187 if (clib_bihash_add_del_16_8 (&sm->in2out_ed, &ed_kv, 0))
188 clib_warning ("in2out_ed key del failed");
191 if (snat_is_unk_proto_session (s))
195 snat_ipfix_logging_nat44_ses_delete(s->in2out.addr.as_u32,
196 s->out2in.addr.as_u32,
200 s->in2out.fib_index);
202 /* Twice NAT address and port for external host */
203 if (is_twice_nat_session (s))
205 for (i = 0; i < vec_len (sm->twice_nat_addresses); i++)
207 key.protocol = s->in2out.protocol;
208 key.port = s->ext_host_nat_port;
209 a = sm->twice_nat_addresses + i;
210 if (a->addr.as_u32 == s->ext_host_nat_addr.as_u32)
212 snat_free_outside_address_and_port (sm->twice_nat_addresses,
213 thread_index, &key, i);
219 if (is_ed_session (s))
222 /* Session lookup tables */
223 kv.key = s->in2out.as_u64;
224 if (clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0))
225 clib_warning ("in2out key del failed");
226 kv.key = s->out2in.as_u64;
227 if (clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0))
228 clib_warning ("out2in key del failed");
230 if (snat_is_session_static (s))
233 if (s->outside_address_index != ~0)
234 snat_free_outside_address_and_port (sm->addresses, thread_index,
235 &s->out2in, s->outside_address_index);
239 nat_user_get_or_create (snat_main_t *sm, ip4_address_t *addr, u32 fib_index,
243 snat_user_key_t user_key;
244 clib_bihash_kv_8_8_t kv, value;
245 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
246 dlist_elt_t * per_user_list_head_elt;
248 user_key.addr.as_u32 = addr->as_u32;
249 user_key.fib_index = fib_index;
250 kv.key = user_key.as_u64;
252 /* Ever heard of the "user" = src ip4 address before? */
253 if (clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
255 /* no, make a new one */
256 pool_get (tsm->users, u);
257 memset (u, 0, sizeof (*u));
258 u->addr.as_u32 = addr->as_u32;
259 u->fib_index = fib_index;
261 pool_get (tsm->list_pool, per_user_list_head_elt);
263 u->sessions_per_user_list_head_index = per_user_list_head_elt -
266 clib_dlist_init (tsm->list_pool, u->sessions_per_user_list_head_index);
268 kv.value = u - tsm->users;
271 if (clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 1))
272 clib_warning ("user_hash keay add failed");
276 u = pool_elt_at_index (tsm->users, value.value);
283 nat_session_alloc_or_recycle (snat_main_t *sm, snat_user_t *u, u32 thread_index)
286 snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
287 u32 oldest_per_user_translation_list_index, session_index;
288 dlist_elt_t * oldest_per_user_translation_list_elt;
289 dlist_elt_t * per_user_translation_list_elt;
291 /* Over quota? Recycle the least recently used translation */
292 if ((u->nsessions + u->nstaticsessions) >= sm->max_translations_per_user)
294 oldest_per_user_translation_list_index =
295 clib_dlist_remove_head (tsm->list_pool,
296 u->sessions_per_user_list_head_index);
298 ASSERT (oldest_per_user_translation_list_index != ~0);
300 /* Add it back to the end of the LRU list */
301 clib_dlist_addtail (tsm->list_pool,
302 u->sessions_per_user_list_head_index,
303 oldest_per_user_translation_list_index);
304 /* Get the list element */
305 oldest_per_user_translation_list_elt =
306 pool_elt_at_index (tsm->list_pool,
307 oldest_per_user_translation_list_index);
309 /* Get the session index from the list element */
310 session_index = oldest_per_user_translation_list_elt->value;
312 /* Get the session */
313 s = pool_elt_at_index (tsm->sessions, session_index);
314 nat_free_session_data (sm, s, thread_index);
315 s->outside_address_index = ~0;
322 pool_get (tsm->sessions, s);
323 memset (s, 0, sizeof (*s));
324 s->outside_address_index = ~0;
326 /* Create list elts */
327 pool_get (tsm->list_pool, per_user_translation_list_elt);
328 clib_dlist_init (tsm->list_pool,
329 per_user_translation_list_elt - tsm->list_pool);
331 per_user_translation_list_elt->value = s - tsm->sessions;
332 s->per_user_index = per_user_translation_list_elt - tsm->list_pool;
333 s->per_user_list_head_index = u->sessions_per_user_list_head_index;
335 clib_dlist_addtail (tsm->list_pool,
336 s->per_user_list_head_index,
337 per_user_translation_list_elt - tsm->list_pool);
344 nat44_classify_node_fn_inline (vlib_main_t * vm,
345 vlib_node_runtime_t * node,
346 vlib_frame_t * frame)
348 u32 n_left_from, * from, * to_next;
349 nat44_classify_next_t next_index;
350 snat_main_t *sm = &snat_main;
352 from = vlib_frame_vector_args (frame);
353 n_left_from = frame->n_vectors;
354 next_index = node->cached_next_index;
356 while (n_left_from > 0)
360 vlib_get_next_frame (vm, node, next_index,
361 to_next, n_left_to_next);
363 while (n_left_from > 0 && n_left_to_next > 0)
367 u32 next0 = NAT44_CLASSIFY_NEXT_IN2OUT;
370 snat_session_key_t m_key0;
371 clib_bihash_kv_8_8_t kv0, value0;
373 /* speculatively enqueue b0 to the current next frame */
381 b0 = vlib_get_buffer (vm, bi0);
382 ip0 = vlib_buffer_get_current (b0);
384 vec_foreach (ap, sm->addresses)
386 if (ip0->dst_address.as_u32 == ap->addr.as_u32)
388 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
393 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
395 m_key0.addr = ip0->dst_address;
398 m_key0.fib_index = sm->outside_fib_index;
399 kv0.key = m_key0.as_u64;
400 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv0, &value0))
402 next0 = NAT44_CLASSIFY_NEXT_OUT2IN;
405 /* verify speculative enqueue, maybe switch current next frame */
406 vlib_validate_buffer_enqueue_x1 (vm, node, next_index,
407 to_next, n_left_to_next,
411 vlib_put_next_frame (vm, node, next_index, n_left_to_next);
414 return frame->n_vectors;
418 nat44_classify_node_fn (vlib_main_t * vm,
419 vlib_node_runtime_t * node,
420 vlib_frame_t * frame)
422 return nat44_classify_node_fn_inline (vm, node, frame);
425 VLIB_REGISTER_NODE (nat44_classify_node) = {
426 .function = nat44_classify_node_fn,
427 .name = "nat44-classify",
428 .vector_size = sizeof (u32),
429 .type = VLIB_NODE_TYPE_INTERNAL,
430 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
432 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out",
433 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in",
437 VLIB_NODE_FUNCTION_MULTIARCH (nat44_classify_node,
438 nat44_classify_node_fn);
441 nat44_det_classify_node_fn (vlib_main_t * vm,
442 vlib_node_runtime_t * node,
443 vlib_frame_t * frame)
445 return nat44_classify_node_fn_inline (vm, node, frame);
448 VLIB_REGISTER_NODE (nat44_det_classify_node) = {
449 .function = nat44_det_classify_node_fn,
450 .name = "nat44-det-classify",
451 .vector_size = sizeof (u32),
452 .type = VLIB_NODE_TYPE_INTERNAL,
453 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
455 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-det-in2out",
456 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-det-out2in",
460 VLIB_NODE_FUNCTION_MULTIARCH (nat44_det_classify_node,
461 nat44_det_classify_node_fn);
464 nat44_handoff_classify_node_fn (vlib_main_t * vm,
465 vlib_node_runtime_t * node,
466 vlib_frame_t * frame)
468 return nat44_classify_node_fn_inline (vm, node, frame);
471 VLIB_REGISTER_NODE (nat44_handoff_classify_node) = {
472 .function = nat44_handoff_classify_node_fn,
473 .name = "nat44-handoff-classify",
474 .vector_size = sizeof (u32),
475 .type = VLIB_NODE_TYPE_INTERNAL,
476 .n_next_nodes = NAT44_CLASSIFY_N_NEXT,
478 [NAT44_CLASSIFY_NEXT_IN2OUT] = "nat44-in2out-worker-handoff",
479 [NAT44_CLASSIFY_NEXT_OUT2IN] = "nat44-out2in-worker-handoff",
483 VLIB_NODE_FUNCTION_MULTIARCH (nat44_handoff_classify_node,
484 nat44_handoff_classify_node_fn);
487 * @brief Add/del NAT address to FIB.
489 * Add the external NAT address to the FIB as receive entries. This ensures
490 * that VPP will reply to ARP for this address and we don't need to enable
491 * proxy ARP on the outside interface.
493 * @param addr IPv4 address.
494 * @param plen address prefix length
495 * @param sw_if_index Interface.
496 * @param is_add If 0 delete, otherwise add.
499 snat_add_del_addr_to_fib (ip4_address_t * addr, u8 p_len, u32 sw_if_index,
502 fib_prefix_t prefix = {
504 .fp_proto = FIB_PROTOCOL_IP4,
506 .ip4.as_u32 = addr->as_u32,
509 u32 fib_index = ip4_fib_table_get_index_for_sw_if_index(sw_if_index);
512 fib_table_entry_update_one_path(fib_index,
514 FIB_SOURCE_PLUGIN_HI,
515 (FIB_ENTRY_FLAG_CONNECTED |
516 FIB_ENTRY_FLAG_LOCAL |
517 FIB_ENTRY_FLAG_EXCLUSIVE),
524 FIB_ROUTE_PATH_FLAG_NONE);
526 fib_table_entry_delete(fib_index,
528 FIB_SOURCE_PLUGIN_HI);
531 void snat_add_address (snat_main_t *sm, ip4_address_t *addr, u32 vrf_id,
536 vlib_thread_main_t *tm = vlib_get_thread_main ();
538 /* Check if address already exists */
539 vec_foreach (ap, twice_nat ? sm->twice_nat_addresses : sm->addresses)
541 if (ap->addr.as_u32 == addr->as_u32)
546 vec_add2 (sm->twice_nat_addresses, ap, 1);
548 vec_add2 (sm->addresses, ap, 1);
553 fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4, vrf_id,
554 FIB_SOURCE_PLUGIN_HI);
557 #define _(N, i, n, s) \
558 clib_bitmap_alloc (ap->busy_##n##_port_bitmap, 65535); \
559 ap->busy_##n##_ports = 0; \
560 vec_validate_init_empty (ap->busy_##n##_ports_per_thread, tm->n_vlib_mains - 1, 0);
561 foreach_snat_protocol
567 /* Add external address to FIB */
568 pool_foreach (i, sm->interfaces,
570 if (nat_interface_is_inside(i))
573 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
576 pool_foreach (i, sm->output_feature_interfaces,
578 if (nat_interface_is_inside(i))
581 snat_add_del_addr_to_fib(addr, 32, i->sw_if_index, 1);
586 static int is_snat_address_used_in_static_mapping (snat_main_t *sm,
589 snat_static_mapping_t *m;
590 pool_foreach (m, sm->static_mappings,
592 if (m->external_addr.as_u32 == addr.as_u32)
599 void increment_v4_address (ip4_address_t * a)
603 v = clib_net_to_host_u32(a->as_u32) + 1;
604 a->as_u32 = clib_host_to_net_u32(v);
608 snat_add_static_mapping_when_resolved (snat_main_t * sm,
609 ip4_address_t l_addr,
614 snat_protocol_t proto,
618 snat_static_map_resolve_t *rp;
620 vec_add2 (sm->to_resolve, rp, 1);
621 rp->l_addr.as_u32 = l_addr.as_u32;
623 rp->sw_if_index = sw_if_index;
627 rp->addr_only = addr_only;
632 * @brief Add static mapping.
634 * Create static mapping between local addr+port and external addr+port.
636 * @param l_addr Local IPv4 address.
637 * @param e_addr External IPv4 address.
638 * @param l_port Local port number.
639 * @param e_port External port number.
640 * @param vrf_id VRF ID.
641 * @param addr_only If 0 address port and pair mapping, otherwise address only.
642 * @param sw_if_index External port instead of specific IP address.
643 * @param is_add If 0 delete static mapping, otherwise add.
644 * @param twice_nat If 1 translate external host address and port.
648 int snat_add_static_mapping(ip4_address_t l_addr, ip4_address_t e_addr,
649 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
650 u32 sw_if_index, snat_protocol_t proto, int is_add,
653 snat_main_t * sm = &snat_main;
654 snat_static_mapping_t *m;
655 snat_session_key_t m_key;
656 clib_bihash_kv_8_8_t kv, value;
657 snat_address_t *a = 0;
660 snat_interface_t *interface;
662 snat_main_per_thread_data_t *tsm;
664 /* If the external address is a specific interface address */
665 if (sw_if_index != ~0)
667 ip4_address_t * first_int_addr;
669 /* Might be already set... */
670 first_int_addr = ip4_interface_first_address
671 (sm->ip4_main, sw_if_index, 0 /* just want the address*/);
673 /* DHCP resolution required? */
674 if (first_int_addr == 0)
676 snat_add_static_mapping_when_resolved
677 (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
683 e_addr.as_u32 = first_int_addr->as_u32;
684 /* Identity mapping? */
685 if (l_addr.as_u32 == 0)
686 l_addr.as_u32 = e_addr.as_u32;
691 m_key.port = addr_only ? 0 : e_port;
692 m_key.protocol = addr_only ? 0 : proto;
693 m_key.fib_index = sm->outside_fib_index;
694 kv.key = m_key.as_u64;
695 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
698 m = pool_elt_at_index (sm->static_mappings, value.value);
703 return VNET_API_ERROR_VALUE_EXIST;
705 if (twice_nat && addr_only)
706 return VNET_API_ERROR_UNSUPPORTED;
708 /* Convert VRF id to FIB index */
711 p = hash_get (sm->ip4_main->fib_index_by_table_id, vrf_id);
713 return VNET_API_ERROR_NO_SUCH_FIB;
716 /* If not specified use inside VRF id from SNAT plugin startup config */
719 fib_index = sm->inside_fib_index;
720 vrf_id = sm->inside_vrf_id;
723 /* Find external address in allocated addresses and reserve port for
724 address and port pair mapping when dynamic translations enabled */
725 if (!addr_only && !(sm->static_mapping_only))
727 for (i = 0; i < vec_len (sm->addresses); i++)
729 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
731 a = sm->addresses + i;
732 /* External port must be unused */
735 #define _(N, j, n, s) \
736 case SNAT_PROTOCOL_##N: \
737 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
738 return VNET_API_ERROR_INVALID_VALUE; \
739 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
742 a->busy_##n##_ports++; \
743 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]++; \
746 foreach_snat_protocol
749 clib_warning("unknown_protocol");
750 return VNET_API_ERROR_INVALID_VALUE_2;
755 /* External address must be allocated */
757 return VNET_API_ERROR_NO_SUCH_ENTRY;
760 pool_get (sm->static_mappings, m);
761 memset (m, 0, sizeof (*m));
762 m->local_addr = l_addr;
763 m->external_addr = e_addr;
764 m->addr_only = addr_only;
766 m->fib_index = fib_index;
767 m->twice_nat = twice_nat;
770 m->local_port = l_port;
771 m->external_port = e_port;
778 .src_address = m->local_addr,
780 m->worker_index = sm->worker_in2out_cb (&ip, m->fib_index);
781 tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index);
784 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
786 m_key.addr = m->local_addr;
787 m_key.port = m->local_port;
788 m_key.protocol = m->proto;
789 m_key.fib_index = m->fib_index;
790 kv.key = m_key.as_u64;
791 kv.value = m - sm->static_mappings;
792 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
795 m_key.port = clib_host_to_net_u16 (l_port);
796 kv.key = m_key.as_u64;
798 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1))
799 clib_warning ("in2out key add failed");
802 m_key.addr = m->external_addr;
803 m_key.port = m->external_port;
804 m_key.fib_index = sm->outside_fib_index;
805 kv.key = m_key.as_u64;
806 kv.value = m - sm->static_mappings;
807 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1);
810 m_key.port = clib_host_to_net_u16 (e_port);
811 kv.key = m_key.as_u64;
813 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1))
814 clib_warning ("out2in key add failed");
821 return VNET_API_ERROR_NO_SUCH_ENTRY;
823 /* Free external address port */
824 if (!addr_only && !(sm->static_mapping_only))
826 for (i = 0; i < vec_len (sm->addresses); i++)
828 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
830 a = sm->addresses + i;
833 #define _(N, j, n, s) \
834 case SNAT_PROTOCOL_##N: \
835 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
838 a->busy_##n##_ports--; \
839 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]--; \
842 foreach_snat_protocol
845 clib_warning("unknown_protocol");
846 return VNET_API_ERROR_INVALID_VALUE_2;
853 if (sm->num_workers > 1)
854 tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index);
856 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
858 m_key.addr = m->local_addr;
859 m_key.port = m->local_port;
860 m_key.protocol = m->proto;
861 m_key.fib_index = m->fib_index;
862 kv.key = m_key.as_u64;
863 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0);
866 m_key.port = clib_host_to_net_u16 (m->local_port);
867 kv.key = m_key.as_u64;
869 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0))
870 clib_warning ("in2out key del failed");
873 m_key.addr = m->external_addr;
874 m_key.port = m->external_port;
875 m_key.fib_index = sm->outside_fib_index;
876 kv.key = m_key.as_u64;
877 clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0);
880 m_key.port = clib_host_to_net_u16 (m->external_port);
881 kv.key = m_key.as_u64;
883 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0))
884 clib_warning ("in2out key del failed");
887 /* Delete session(s) for static mapping if exist */
888 if (!(sm->static_mapping_only) ||
889 (sm->static_mapping_only && sm->static_mapping_connection_tracking))
891 snat_user_key_t u_key;
893 dlist_elt_t * head, * elt;
894 u32 elt_index, head_index;
899 u_key.addr = m->local_addr;
900 u_key.fib_index = m->fib_index;
901 kv.key = u_key.as_u64;
902 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
904 user_index = value.value;
905 u = pool_elt_at_index (tsm->users, user_index);
906 if (u->nstaticsessions)
908 head_index = u->sessions_per_user_list_head_index;
909 head = pool_elt_at_index (tsm->list_pool, head_index);
910 elt_index = head->next;
911 elt = pool_elt_at_index (tsm->list_pool, elt_index);
912 ses_index = elt->value;
913 while (ses_index != ~0)
915 s = pool_elt_at_index (tsm->sessions, ses_index);
916 elt = pool_elt_at_index (tsm->list_pool, elt->next);
917 ses_index = elt->value;
921 if ((s->out2in.addr.as_u32 != e_addr.as_u32) &&
922 (clib_net_to_host_u16 (s->out2in.port) != e_port))
926 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
927 clib_dlist_remove (tsm->list_pool, s->per_user_index);
928 pool_put_index (tsm->list_pool, s->per_user_index);
929 pool_put (tsm->sessions, s);
930 u->nstaticsessions--;
937 pool_put (tsm->users, u);
938 clib_bihash_add_del_8_8 (&tsm->user_hash, &kv, 0);
944 /* Delete static mapping from pool */
945 pool_put (sm->static_mappings, m);
948 if (!addr_only || (l_addr.as_u32 == e_addr.as_u32))
951 /* Add/delete external address to FIB */
952 pool_foreach (interface, sm->interfaces,
954 if (nat_interface_is_inside(interface))
957 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
960 pool_foreach (interface, sm->output_feature_interfaces,
962 if (nat_interface_is_inside(interface))
965 snat_add_del_addr_to_fib(&e_addr, 32, interface->sw_if_index, is_add);
972 int nat44_add_del_lb_static_mapping (ip4_address_t e_addr, u16 e_port,
973 snat_protocol_t proto, u32 vrf_id,
974 nat44_lb_addr_port_t *locals, u8 is_add,
977 snat_main_t * sm = &snat_main;
978 snat_static_mapping_t *m;
979 snat_session_key_t m_key;
980 clib_bihash_kv_8_8_t kv, value;
982 snat_address_t *a = 0;
984 nat44_lb_addr_port_t *local;
985 u32 worker_index = 0, elt_index, head_index, ses_index;
986 snat_main_per_thread_data_t *tsm;
987 snat_user_key_t u_key;
990 dlist_elt_t * head, * elt;
994 m_key.protocol = proto;
995 m_key.fib_index = sm->outside_fib_index;
996 kv.key = m_key.as_u64;
997 if (clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
1000 m = pool_elt_at_index (sm->static_mappings, value.value);
1005 return VNET_API_ERROR_VALUE_EXIST;
1007 if (vec_len (locals) < 2)
1008 return VNET_API_ERROR_INVALID_VALUE;
1010 fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
1012 FIB_SOURCE_PLUGIN_HI);
1014 /* Find external address in allocated addresses and reserve port for
1015 address and port pair mapping when dynamic translations enabled */
1016 if (!sm->static_mapping_only)
1018 for (i = 0; i < vec_len (sm->addresses); i++)
1020 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1022 a = sm->addresses + i;
1023 /* External port must be unused */
1026 #define _(N, j, n, s) \
1027 case SNAT_PROTOCOL_##N: \
1028 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, e_port)) \
1029 return VNET_API_ERROR_INVALID_VALUE; \
1030 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 1); \
1031 if (e_port > 1024) \
1033 a->busy_##n##_ports++; \
1034 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]++; \
1037 foreach_snat_protocol
1040 clib_warning("unknown_protocol");
1041 return VNET_API_ERROR_INVALID_VALUE_2;
1046 /* External address must be allocated */
1048 return VNET_API_ERROR_NO_SUCH_ENTRY;
1051 pool_get (sm->static_mappings, m);
1052 memset (m, 0, sizeof (*m));
1053 m->external_addr = e_addr;
1056 m->fib_index = fib_index;
1057 m->external_port = e_port;
1059 m->twice_nat = twice_nat;
1061 m_key.addr = m->external_addr;
1062 m_key.port = m->external_port;
1063 m_key.protocol = m->proto;
1064 m_key.fib_index = sm->outside_fib_index;
1065 kv.key = m_key.as_u64;
1066 kv.value = m - sm->static_mappings;
1067 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 1))
1069 clib_warning ("static_mapping_by_external key add failed");
1070 return VNET_API_ERROR_UNSPECIFIED;
1076 worker_index = sm->first_worker_index +
1077 sm->workers[sm->next_worker++ % vec_len (sm->workers)];
1078 tsm = vec_elt_at_index (sm->per_thread_data, worker_index);
1079 m->worker_index = worker_index;
1082 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
1084 m_key.port = clib_host_to_net_u16 (m->external_port);
1085 kv.key = m_key.as_u64;
1087 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 1))
1089 clib_warning ("out2in key add failed");
1090 return VNET_API_ERROR_UNSPECIFIED;
1093 m_key.fib_index = m->fib_index;
1094 for (i = 0; i < vec_len (locals); i++)
1096 m_key.addr = locals[i].addr;
1097 m_key.port = locals[i].port;
1098 kv.key = m_key.as_u64;
1099 kv.value = m - sm->static_mappings;
1100 clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 1);
1101 locals[i].prefix = (i == 0) ? locals[i].probability :\
1102 (locals[i - 1].prefix + locals[i].probability);
1103 vec_add1 (m->locals, locals[i]);
1105 m_key.port = clib_host_to_net_u16 (locals[i].port);
1106 kv.key = m_key.as_u64;
1108 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 1))
1110 clib_warning ("in2out key add failed");
1111 return VNET_API_ERROR_UNSPECIFIED;
1118 return VNET_API_ERROR_NO_SUCH_ENTRY;
1120 fib_table_unlock (m->fib_index, FIB_PROTOCOL_IP4, FIB_SOURCE_PLUGIN_HI);
1122 /* Free external address port */
1123 if (!sm->static_mapping_only)
1125 for (i = 0; i < vec_len (sm->addresses); i++)
1127 if (sm->addresses[i].addr.as_u32 == e_addr.as_u32)
1129 a = sm->addresses + i;
1132 #define _(N, j, n, s) \
1133 case SNAT_PROTOCOL_##N: \
1134 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, e_port, 0); \
1135 if (e_port > 1024) \
1137 a->busy_##n##_ports--; \
1138 a->busy_##n##_ports_per_thread[(e_port - 1024) / sm->port_per_thread]--; \
1141 foreach_snat_protocol
1144 clib_warning("unknown_protocol");
1145 return VNET_API_ERROR_INVALID_VALUE_2;
1152 tsm = vec_elt_at_index (sm->per_thread_data, m->worker_index);
1153 m_key.addr = m->external_addr;
1154 m_key.port = m->external_port;
1155 m_key.protocol = m->proto;
1156 m_key.fib_index = sm->outside_fib_index;
1157 kv.key = m_key.as_u64;
1158 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_external, &kv, 0))
1160 clib_warning ("static_mapping_by_external key del failed");
1161 return VNET_API_ERROR_UNSPECIFIED;
1164 m_key.port = clib_host_to_net_u16 (m->external_port);
1165 kv.key = m_key.as_u64;
1166 if (clib_bihash_add_del_8_8(&tsm->out2in, &kv, 0))
1168 clib_warning ("outi2in key del failed");
1169 return VNET_API_ERROR_UNSPECIFIED;
1172 vec_foreach (local, m->locals)
1174 m_key.addr = local->addr;
1175 m_key.port = local->port;
1176 m_key.fib_index = m->fib_index;
1177 kv.key = m_key.as_u64;
1178 if (clib_bihash_add_del_8_8(&sm->static_mapping_by_local, &kv, 0))
1180 clib_warning ("static_mapping_by_local key del failed");
1181 return VNET_API_ERROR_UNSPECIFIED;
1184 m_key.port = clib_host_to_net_u16 (local->port);
1185 kv.key = m_key.as_u64;
1186 if (clib_bihash_add_del_8_8(&tsm->in2out, &kv, 0))
1188 clib_warning ("in2out key del failed");
1189 return VNET_API_ERROR_UNSPECIFIED;
1191 /* Delete sessions */
1192 u_key.addr = local->addr;
1193 u_key.fib_index = m->fib_index;
1194 kv.key = u_key.as_u64;
1195 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1197 u = pool_elt_at_index (tsm->users, value.value);
1198 if (u->nstaticsessions)
1200 head_index = u->sessions_per_user_list_head_index;
1201 head = pool_elt_at_index (tsm->list_pool, head_index);
1202 elt_index = head->next;
1203 elt = pool_elt_at_index (tsm->list_pool, elt_index);
1204 ses_index = elt->value;
1205 while (ses_index != ~0)
1207 s = pool_elt_at_index (tsm->sessions, ses_index);
1208 elt = pool_elt_at_index (tsm->list_pool, elt->next);
1209 ses_index = elt->value;
1211 if ((s->in2out.addr.as_u32 != local->addr.as_u32) &&
1212 (clib_net_to_host_u16 (s->in2out.port) != local->port))
1215 nat_free_session_data (sm, s, tsm - sm->per_thread_data);
1216 clib_dlist_remove (tsm->list_pool, s->per_user_index);
1217 pool_put_index (tsm->list_pool, s->per_user_index);
1218 pool_put (tsm->sessions, s);
1219 u->nstaticsessions--;
1224 vec_free(m->locals);
1226 pool_put (sm->static_mappings, m);
1233 snat_del_address (snat_main_t *sm, ip4_address_t addr, u8 delete_sm,
1236 snat_address_t *a = 0;
1237 snat_session_t *ses;
1238 u32 *ses_to_be_removed = 0, *ses_index;
1239 clib_bihash_kv_8_8_t kv, value;
1240 snat_user_key_t user_key;
1242 snat_main_per_thread_data_t *tsm;
1243 snat_static_mapping_t *m;
1244 snat_interface_t *interface;
1246 snat_address_t *addresses = twice_nat ? sm->twice_nat_addresses : sm->addresses;
1248 /* Find SNAT address */
1249 for (i=0; i < vec_len (addresses); i++)
1251 if (addresses[i].addr.as_u32 == addr.as_u32)
1258 return VNET_API_ERROR_NO_SUCH_ENTRY;
1262 pool_foreach (m, sm->static_mappings,
1264 if (m->external_addr.as_u32 == addr.as_u32)
1265 (void) snat_add_static_mapping (m->local_addr, m->external_addr,
1266 m->local_port, m->external_port,
1267 m->vrf_id, m->addr_only, ~0,
1268 m->proto, 0, m->twice_nat);
1273 /* Check if address is used in some static mapping */
1274 if (is_snat_address_used_in_static_mapping(sm, addr))
1276 clib_warning ("address used in static mapping");
1277 return VNET_API_ERROR_UNSPECIFIED;
1281 if (a->fib_index != ~0)
1282 fib_table_unlock(a->fib_index, FIB_PROTOCOL_IP4,
1283 FIB_SOURCE_PLUGIN_HI);
1285 /* Delete sessions using address */
1286 if (a->busy_tcp_ports || a->busy_udp_ports || a->busy_icmp_ports)
1288 vec_foreach (tsm, sm->per_thread_data)
1290 pool_foreach (ses, tsm->sessions, ({
1291 if (ses->out2in.addr.as_u32 == addr.as_u32)
1293 ses->outside_address_index = ~0;
1294 nat_free_session_data (sm, ses, tsm - sm->per_thread_data);
1295 clib_dlist_remove (tsm->list_pool, ses->per_user_index);
1296 pool_put_index (tsm->list_pool, ses->per_user_index);
1297 vec_add1 (ses_to_be_removed, ses - tsm->sessions);
1298 user_key.addr = ses->in2out.addr;
1299 user_key.fib_index = ses->in2out.fib_index;
1300 kv.key = user_key.as_u64;
1301 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
1303 u = pool_elt_at_index (tsm->users, value.value);
1309 vec_foreach (ses_index, ses_to_be_removed)
1310 pool_put_index (tsm->sessions, ses_index[0]);
1312 vec_free (ses_to_be_removed);
1318 vec_del1 (sm->twice_nat_addresses, i);
1322 vec_del1 (sm->addresses, i);
1324 /* Delete external address from FIB */
1325 pool_foreach (interface, sm->interfaces,
1327 if (nat_interface_is_inside(interface))
1330 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1333 pool_foreach (interface, sm->output_feature_interfaces,
1335 if (nat_interface_is_inside(interface))
1338 snat_add_del_addr_to_fib(&addr, 32, interface->sw_if_index, 0);
1345 int snat_interface_add_del (u32 sw_if_index, u8 is_inside, int is_del)
1347 snat_main_t *sm = &snat_main;
1348 snat_interface_t *i;
1349 const char * feature_name, *del_feature_name;
1350 snat_address_t * ap;
1351 snat_static_mapping_t * m;
1352 snat_det_map_t * dm;
1354 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
1355 feature_name = is_inside ? "nat44-in2out-fast" : "nat44-out2in-fast";
1358 if (sm->num_workers > 1 && !sm->deterministic)
1359 feature_name = is_inside ? "nat44-in2out-worker-handoff" : "nat44-out2in-worker-handoff";
1360 else if (sm->deterministic)
1361 feature_name = is_inside ? "nat44-det-in2out" : "nat44-det-out2in";
1363 feature_name = is_inside ? "nat44-in2out" : "nat44-out2in";
1366 if (sm->fq_in2out_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1367 sm->fq_in2out_index = vlib_frame_queue_main_init (sm->in2out_node_index, 0);
1369 if (sm->fq_out2in_index == ~0 && !sm->deterministic && sm->num_workers > 1)
1370 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0);
1372 pool_foreach (i, sm->interfaces,
1374 if (i->sw_if_index == sw_if_index)
1378 if (nat_interface_is_inside(i) && nat_interface_is_outside(i))
1381 i->flags &= ~NAT_INTERFACE_FLAG_IS_INSIDE;
1383 i->flags &= ~NAT_INTERFACE_FLAG_IS_OUTSIDE;
1385 if (sm->num_workers > 1 && !sm->deterministic)
1386 del_feature_name = "nat44-handoff-classify";
1387 else if (sm->deterministic)
1388 del_feature_name = "nat44-det-classify";
1390 del_feature_name = "nat44-classify";
1392 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1393 sw_if_index, 0, 0, 0);
1394 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1395 sw_if_index, 1, 0, 0);
1399 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1400 sw_if_index, 0, 0, 0);
1401 pool_put (sm->interfaces, i);
1406 if ((nat_interface_is_inside(i) && is_inside) ||
1407 (nat_interface_is_outside(i) && !is_inside))
1410 if (sm->num_workers > 1 && !sm->deterministic)
1412 del_feature_name = !is_inside ? "nat44-in2out-worker-handoff" :
1413 "nat44-out2in-worker-handoff";
1414 feature_name = "nat44-handoff-classify";
1416 else if (sm->deterministic)
1418 del_feature_name = !is_inside ? "nat44-det-in2out" :
1420 feature_name = "nat44-det-classify";
1424 del_feature_name = !is_inside ? "nat44-in2out" : "nat44-out2in";
1425 feature_name = "nat44-classify";
1428 vnet_feature_enable_disable ("ip4-unicast", del_feature_name,
1429 sw_if_index, 0, 0, 0);
1430 vnet_feature_enable_disable ("ip4-unicast", feature_name,
1431 sw_if_index, 1, 0, 0);
1440 return VNET_API_ERROR_NO_SUCH_ENTRY;
1442 pool_get (sm->interfaces, i);
1443 i->sw_if_index = sw_if_index;
1445 vnet_feature_enable_disable ("ip4-unicast", feature_name, sw_if_index, 1, 0, 0);
1449 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1451 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1453 /* Add/delete external addresses to FIB */
1457 vnet_feature_enable_disable ("ip4-local", "nat44-hairpinning",
1458 sw_if_index, !is_del, 0, 0);
1462 vec_foreach (ap, sm->addresses)
1463 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1465 pool_foreach (m, sm->static_mappings,
1467 if (!(m->addr_only) || (m->local_addr.as_u32 == m->external_addr.as_u32))
1470 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1473 pool_foreach (dm, sm->det_maps,
1475 snat_add_del_addr_to_fib(&dm->out_addr, dm->out_plen, sw_if_index, !is_del);
1481 int snat_interface_add_del_output_feature (u32 sw_if_index,
1485 snat_main_t *sm = &snat_main;
1486 snat_interface_t *i;
1487 snat_address_t * ap;
1488 snat_static_mapping_t * m;
1490 if (sm->deterministic ||
1491 (sm->static_mapping_only && !(sm->static_mapping_connection_tracking)))
1492 return VNET_API_ERROR_UNSUPPORTED;
1496 vnet_feature_enable_disable ("ip4-unicast", "nat44-hairpin-dst",
1497 sw_if_index, !is_del, 0, 0);
1498 vnet_feature_enable_disable ("ip4-output", "nat44-hairpin-src",
1499 sw_if_index, !is_del, 0, 0);
1503 if (sm->num_workers > 1)
1505 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in-worker-handoff",
1506 sw_if_index, !is_del, 0, 0);
1507 vnet_feature_enable_disable ("ip4-output",
1508 "nat44-in2out-output-worker-handoff",
1509 sw_if_index, !is_del, 0, 0);
1513 vnet_feature_enable_disable ("ip4-unicast", "nat44-out2in", sw_if_index,
1515 vnet_feature_enable_disable ("ip4-output", "nat44-in2out-output",
1516 sw_if_index, !is_del, 0, 0);
1520 if (sm->fq_in2out_output_index == ~0 && sm->num_workers > 1)
1521 sm->fq_in2out_output_index =
1522 vlib_frame_queue_main_init (sm->in2out_output_node_index, 0);
1524 if (sm->fq_out2in_index == ~0 && sm->num_workers > 1)
1525 sm->fq_out2in_index = vlib_frame_queue_main_init (sm->out2in_node_index, 0);
1527 pool_foreach (i, sm->output_feature_interfaces,
1529 if (i->sw_if_index == sw_if_index)
1532 pool_put (sm->output_feature_interfaces, i);
1534 return VNET_API_ERROR_VALUE_EXIST;
1541 return VNET_API_ERROR_NO_SUCH_ENTRY;
1543 pool_get (sm->output_feature_interfaces, i);
1544 i->sw_if_index = sw_if_index;
1547 i->flags |= NAT_INTERFACE_FLAG_IS_INSIDE;
1549 i->flags |= NAT_INTERFACE_FLAG_IS_OUTSIDE;
1551 /* Add/delete external addresses to FIB */
1556 vec_foreach (ap, sm->addresses)
1557 snat_add_del_addr_to_fib(&ap->addr, 32, sw_if_index, !is_del);
1559 pool_foreach (m, sm->static_mappings,
1561 if (!(m->addr_only))
1564 snat_add_del_addr_to_fib(&m->external_addr, 32, sw_if_index, !is_del);
1570 int snat_set_workers (uword * bitmap)
1572 snat_main_t *sm = &snat_main;
1575 if (sm->num_workers < 2)
1576 return VNET_API_ERROR_FEATURE_DISABLED;
1578 if (clib_bitmap_last_set (bitmap) >= sm->num_workers)
1579 return VNET_API_ERROR_INVALID_WORKER;
1581 vec_free (sm->workers);
1582 clib_bitmap_foreach (i, bitmap,
1584 vec_add1(sm->workers, i);
1585 sm->per_thread_data[i].snat_thread_index = j;
1589 sm->port_per_thread = (0xffff - 1024) / _vec_len (sm->workers);
1590 sm->num_snat_thread = _vec_len (sm->workers);
1597 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
1600 ip4_address_t * address,
1602 u32 if_address_index,
1606 nat_alloc_addr_and_port_default (snat_address_t * addresses,
1609 snat_session_key_t * k,
1610 u32 * address_indexp,
1611 u16 port_per_thread,
1612 u32 snat_thread_index);
1614 static clib_error_t * snat_init (vlib_main_t * vm)
1616 snat_main_t * sm = &snat_main;
1617 clib_error_t * error = 0;
1618 ip4_main_t * im = &ip4_main;
1619 ip_lookup_main_t * lm = &im->lookup_main;
1621 vlib_thread_registration_t *tr;
1622 vlib_thread_main_t *tm = vlib_get_thread_main ();
1625 ip4_add_del_interface_address_callback_t cb4;
1628 sm->vnet_main = vnet_get_main();
1630 sm->ip4_lookup_main = lm;
1631 sm->api_main = &api_main;
1632 sm->first_worker_index = 0;
1633 sm->next_worker = 0;
1634 sm->num_workers = 0;
1635 sm->num_snat_thread = 1;
1637 sm->port_per_thread = 0xffff - 1024;
1638 sm->fq_in2out_index = ~0;
1639 sm->fq_out2in_index = ~0;
1640 sm->udp_timeout = SNAT_UDP_TIMEOUT;
1641 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
1642 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
1643 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
1644 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
1646 p = hash_get_mem (tm->thread_registrations_by_name, "workers");
1649 tr = (vlib_thread_registration_t *) p[0];
1652 sm->num_workers = tr->count;
1653 sm->first_worker_index = tr->first_index;
1657 vec_validate (sm->per_thread_data, tm->n_vlib_mains - 1);
1659 /* Use all available workers by default */
1660 if (sm->num_workers > 1)
1662 for (i=0; i < sm->num_workers; i++)
1663 bitmap = clib_bitmap_set (bitmap, i, 1);
1664 snat_set_workers(bitmap);
1665 clib_bitmap_free (bitmap);
1669 sm->per_thread_data[0].snat_thread_index = 0;
1672 error = snat_api_init(vm, sm);
1676 /* Set up the interface address add/del callback */
1677 cb4.function = snat_ip4_add_del_interface_address_cb;
1678 cb4.function_opaque = 0;
1680 vec_add1 (im->add_del_interface_address_callbacks, cb4);
1682 /* Init IPFIX logging */
1683 snat_ipfix_logging_init(vm);
1686 error = nat64_init(vm);
1692 /* Init virtual fragmenentation reassembly */
1693 return nat_reass_init(vm);
1696 VLIB_INIT_FUNCTION (snat_init);
1698 void snat_free_outside_address_and_port (snat_address_t * addresses,
1700 snat_session_key_t * k,
1704 u16 port_host_byte_order = clib_net_to_host_u16 (k->port);
1706 ASSERT (address_index < vec_len (addresses));
1708 a = addresses + address_index;
1710 switch (k->protocol)
1712 #define _(N, i, n, s) \
1713 case SNAT_PROTOCOL_##N: \
1714 ASSERT (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, \
1715 port_host_byte_order) == 1); \
1716 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, \
1717 port_host_byte_order, 0); \
1718 a->busy_##n##_ports--; \
1719 a->busy_##n##_ports_per_thread[thread_index]--; \
1721 foreach_snat_protocol
1724 clib_warning("unknown_protocol");
1730 * @brief Match NAT44 static mapping.
1732 * @param sm NAT main.
1733 * @param match Address and port to match.
1734 * @param mapping External or local address and port of the matched mapping.
1735 * @param by_external If 0 match by local address otherwise match by external
1737 * @param is_addr_only If matched mapping is address only
1738 * @param twice_nat If matched mapping is twice NAT.
1740 * @returns 0 if match found otherwise 1.
1742 int snat_static_mapping_match (snat_main_t * sm,
1743 snat_session_key_t match,
1744 snat_session_key_t * mapping,
1749 clib_bihash_kv_8_8_t kv, value;
1750 snat_static_mapping_t *m;
1751 snat_session_key_t m_key;
1752 clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
1753 u32 rand, lo = 0, hi, mid;
1756 mapping_hash = &sm->static_mapping_by_external;
1758 m_key.addr = match.addr;
1759 m_key.port = clib_net_to_host_u16 (match.port);
1760 m_key.protocol = match.protocol;
1761 m_key.fib_index = match.fib_index;
1763 kv.key = m_key.as_u64;
1765 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
1767 /* Try address only mapping */
1770 kv.key = m_key.as_u64;
1771 if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
1775 m = pool_elt_at_index (sm->static_mappings, value.value);
1779 if (vec_len (m->locals))
1781 hi = vec_len (m->locals) - 1;
1782 rand = 1 + (random_u32 (&sm->random_seed) % m->locals[hi].prefix);
1785 mid = ((hi - lo) >> 1) + lo;
1786 (rand > m->locals[mid].prefix) ? (lo = mid + 1) : (hi = mid);
1788 if (!(m->locals[lo].prefix >= rand))
1790 mapping->addr = m->locals[lo].addr;
1791 mapping->port = clib_host_to_net_u16 (m->locals[lo].port);
1795 mapping->addr = m->local_addr;
1796 /* Address only mapping doesn't change port */
1797 mapping->port = m->addr_only ? match.port
1798 : clib_host_to_net_u16 (m->local_port);
1800 mapping->fib_index = m->fib_index;
1801 mapping->protocol = m->proto;
1805 mapping->addr = m->external_addr;
1806 /* Address only mapping doesn't change port */
1807 mapping->port = m->addr_only ? match.port
1808 : clib_host_to_net_u16 (m->external_port);
1809 mapping->fib_index = sm->outside_fib_index;
1812 if (PREDICT_FALSE(is_addr_only != 0))
1813 *is_addr_only = m->addr_only;
1815 if (PREDICT_FALSE(twice_nat != 0))
1816 *twice_nat = m->twice_nat;
1821 static_always_inline u16
1822 snat_random_port (u16 min, u16 max)
1824 snat_main_t *sm = &snat_main;
1825 return min + random_u32 (&sm->random_seed) /
1826 (random_u32_max() / (max - min + 1) + 1);
1830 snat_alloc_outside_address_and_port (snat_address_t * addresses,
1833 snat_session_key_t * k,
1834 u32 * address_indexp,
1835 u16 port_per_thread,
1836 u32 snat_thread_index)
1838 snat_main_t *sm = &snat_main;
1840 return sm->alloc_addr_and_port(addresses, fib_index, thread_index, k,
1841 address_indexp, port_per_thread,
1846 nat_alloc_addr_and_port_default (snat_address_t * addresses,
1849 snat_session_key_t * k,
1850 u32 * address_indexp,
1851 u16 port_per_thread,
1852 u32 snat_thread_index)
1855 snat_address_t *a, *ga = 0;
1858 for (i = 0; i < vec_len (addresses); i++)
1861 switch (k->protocol)
1863 #define _(N, j, n, s) \
1864 case SNAT_PROTOCOL_##N: \
1865 if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
1867 if (a->fib_index == fib_index) \
1871 portnum = (port_per_thread * \
1872 snat_thread_index) + \
1873 snat_random_port(1, port_per_thread) + 1024; \
1874 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
1876 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
1877 a->busy_##n##_ports_per_thread[thread_index]++; \
1878 a->busy_##n##_ports++; \
1879 k->addr = a->addr; \
1880 k->port = clib_host_to_net_u16(portnum); \
1881 *address_indexp = i; \
1885 else if (a->fib_index == ~0) \
1892 foreach_snat_protocol
1895 clib_warning("unknown protocol");
1904 switch (k->protocol)
1906 #define _(N, j, n, s) \
1907 case SNAT_PROTOCOL_##N: \
1910 portnum = (port_per_thread * \
1911 snat_thread_index) + \
1912 snat_random_port(1, port_per_thread) + 1024; \
1913 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
1915 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
1916 a->busy_##n##_ports_per_thread[thread_index]++; \
1917 a->busy_##n##_ports++; \
1918 k->addr = a->addr; \
1919 k->port = clib_host_to_net_u16(portnum); \
1920 *address_indexp = gi; \
1924 foreach_snat_protocol
1927 clib_warning ("unknown protocol");
1932 /* Totally out of translations to use... */
1933 snat_ipfix_logging_addresses_exhausted(0);
1938 nat_alloc_addr_and_port_mape (snat_address_t * addresses,
1941 snat_session_key_t * k,
1942 u32 * address_indexp,
1943 u16 port_per_thread,
1944 u32 snat_thread_index)
1946 snat_main_t *sm = &snat_main;
1947 snat_address_t *a = addresses;
1948 u16 m, ports, portnum, A, j;
1949 m = 16 - (sm->psid_offset + sm->psid_length);
1950 ports = (1 << (16 - sm->psid_length)) - (1 << m);
1952 if (!vec_len (addresses))
1955 switch (k->protocol)
1957 #define _(N, i, n, s) \
1958 case SNAT_PROTOCOL_##N: \
1959 if (a->busy_##n##_ports < ports) \
1963 A = snat_random_port(1, pow2_mask(sm->psid_offset)); \
1964 j = snat_random_port(0, pow2_mask(m)); \
1965 portnum = A | (sm->psid << sm->psid_offset) | (j << (16 - m)); \
1966 if (clib_bitmap_get_no_check (a->busy_##n##_port_bitmap, portnum)) \
1968 clib_bitmap_set_no_check (a->busy_##n##_port_bitmap, portnum, 1); \
1969 a->busy_##n##_ports++; \
1970 k->addr = a->addr; \
1971 k->port = clib_host_to_net_u16 (portnum); \
1972 *address_indexp = i; \
1977 foreach_snat_protocol
1980 clib_warning("unknown protocol");
1985 /* Totally out of translations to use... */
1986 snat_ipfix_logging_addresses_exhausted(0);
1990 static clib_error_t *
1991 add_address_command_fn (vlib_main_t * vm,
1992 unformat_input_t * input,
1993 vlib_cli_command_t * cmd)
1995 unformat_input_t _line_input, *line_input = &_line_input;
1996 snat_main_t * sm = &snat_main;
1997 ip4_address_t start_addr, end_addr, this_addr;
1998 u32 start_host_order, end_host_order;
2003 clib_error_t *error = 0;
2006 /* Get a line of input. */
2007 if (!unformat_user (input, unformat_line_input, line_input))
2010 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2012 if (unformat (line_input, "%U - %U",
2013 unformat_ip4_address, &start_addr,
2014 unformat_ip4_address, &end_addr))
2016 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
2018 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
2019 end_addr = start_addr;
2020 else if (unformat (line_input, "twice-nat"))
2022 else if (unformat (line_input, "del"))
2026 error = clib_error_return (0, "unknown input '%U'",
2027 format_unformat_error, line_input);
2032 if (sm->static_mapping_only)
2034 error = clib_error_return (0, "static mapping only mode");
2038 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
2039 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
2041 if (end_host_order < start_host_order)
2043 error = clib_error_return (0, "end address less than start address");
2047 count = (end_host_order - start_host_order) + 1;
2050 clib_warning ("%U - %U, %d addresses...",
2051 format_ip4_address, &start_addr,
2052 format_ip4_address, &end_addr,
2055 this_addr = start_addr;
2057 for (i = 0; i < count; i++)
2060 snat_add_address (sm, &this_addr, vrf_id, twice_nat);
2062 rv = snat_del_address (sm, this_addr, 0, twice_nat);
2066 case VNET_API_ERROR_NO_SUCH_ENTRY:
2067 error = clib_error_return (0, "S-NAT address not exist.");
2069 case VNET_API_ERROR_UNSPECIFIED:
2070 error = clib_error_return (0, "S-NAT address used in static mapping.");
2076 increment_v4_address (&this_addr);
2080 unformat_free (line_input);
2085 VLIB_CLI_COMMAND (add_address_command, static) = {
2086 .path = "nat44 add address",
2087 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
2088 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
2089 .function = add_address_command_fn,
2092 static clib_error_t *
2093 snat_feature_command_fn (vlib_main_t * vm,
2094 unformat_input_t * input,
2095 vlib_cli_command_t * cmd)
2097 unformat_input_t _line_input, *line_input = &_line_input;
2098 vnet_main_t * vnm = vnet_get_main();
2099 clib_error_t * error = 0;
2101 u32 * inside_sw_if_indices = 0;
2102 u32 * outside_sw_if_indices = 0;
2103 u8 is_output_feature = 0;
2109 /* Get a line of input. */
2110 if (!unformat_user (input, unformat_line_input, line_input))
2113 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2115 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
2117 vec_add1 (inside_sw_if_indices, sw_if_index);
2118 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
2120 vec_add1 (outside_sw_if_indices, sw_if_index);
2121 else if (unformat (line_input, "output-feature"))
2122 is_output_feature = 1;
2123 else if (unformat (line_input, "del"))
2127 error = clib_error_return (0, "unknown input '%U'",
2128 format_unformat_error, line_input);
2133 if (vec_len (inside_sw_if_indices))
2135 for (i = 0; i < vec_len(inside_sw_if_indices); i++)
2137 sw_if_index = inside_sw_if_indices[i];
2138 if (is_output_feature)
2140 if (snat_interface_add_del_output_feature (sw_if_index, 1, is_del))
2142 error = clib_error_return (0, "%s %U failed",
2143 is_del ? "del" : "add",
2144 format_vnet_sw_interface_name, vnm,
2145 vnet_get_sw_interface (vnm,
2152 if (snat_interface_add_del (sw_if_index, 1, is_del))
2154 error = clib_error_return (0, "%s %U failed",
2155 is_del ? "del" : "add",
2156 format_vnet_sw_interface_name, vnm,
2157 vnet_get_sw_interface (vnm,
2165 if (vec_len (outside_sw_if_indices))
2167 for (i = 0; i < vec_len(outside_sw_if_indices); i++)
2169 sw_if_index = outside_sw_if_indices[i];
2170 if (is_output_feature)
2172 if (snat_interface_add_del_output_feature (sw_if_index, 0, is_del))
2174 error = clib_error_return (0, "%s %U failed",
2175 is_del ? "del" : "add",
2176 format_vnet_sw_interface_name, vnm,
2177 vnet_get_sw_interface (vnm,
2184 if (snat_interface_add_del (sw_if_index, 0, is_del))
2186 error = clib_error_return (0, "%s %U failed",
2187 is_del ? "del" : "add",
2188 format_vnet_sw_interface_name, vnm,
2189 vnet_get_sw_interface (vnm,
2198 unformat_free (line_input);
2199 vec_free (inside_sw_if_indices);
2200 vec_free (outside_sw_if_indices);
2205 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
2206 .path = "set interface nat44",
2207 .function = snat_feature_command_fn,
2208 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
2213 unformat_snat_protocol (unformat_input_t * input, va_list * args)
2215 u32 *r = va_arg (*args, u32 *);
2218 #define _(N, i, n, s) else if (unformat (input, s)) *r = SNAT_PROTOCOL_##N;
2219 foreach_snat_protocol
2227 format_snat_protocol (u8 * s, va_list * args)
2229 u32 i = va_arg (*args, u32);
2234 #define _(N, j, n, str) case SNAT_PROTOCOL_##N: t = (u8 *) str; break;
2235 foreach_snat_protocol
2238 s = format (s, "unknown");
2241 s = format (s, "%s", t);
2245 static clib_error_t *
2246 add_static_mapping_command_fn (vlib_main_t * vm,
2247 unformat_input_t * input,
2248 vlib_cli_command_t * cmd)
2250 unformat_input_t _line_input, *line_input = &_line_input;
2251 clib_error_t * error = 0;
2252 ip4_address_t l_addr, e_addr;
2253 u32 l_port = 0, e_port = 0, vrf_id = ~0;
2256 u32 sw_if_index = ~0;
2257 vnet_main_t * vnm = vnet_get_main();
2259 snat_protocol_t proto = ~0;
2263 /* Get a line of input. */
2264 if (!unformat_user (input, unformat_line_input, line_input))
2267 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2269 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
2272 else if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
2274 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
2277 else if (unformat (line_input, "external %U", unformat_ip4_address,
2280 else if (unformat (line_input, "external %U %u",
2281 unformat_vnet_sw_interface, vnm, &sw_if_index,
2285 else if (unformat (line_input, "external %U",
2286 unformat_vnet_sw_interface, vnm, &sw_if_index))
2288 else if (unformat (line_input, "vrf %u", &vrf_id))
2290 else if (unformat (line_input, "%U", unformat_snat_protocol, &proto))
2292 else if (unformat (line_input, "twice-nat"))
2294 else if (unformat (line_input, "del"))
2298 error = clib_error_return (0, "unknown input: '%U'",
2299 format_unformat_error, line_input);
2304 if (twice_nat && addr_only)
2306 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
2310 if (!addr_only && !proto_set)
2312 error = clib_error_return (0, "missing protocol");
2316 rv = snat_add_static_mapping(l_addr, e_addr, (u16) l_port, (u16) e_port,
2317 vrf_id, addr_only, sw_if_index, proto, is_add,
2322 case VNET_API_ERROR_INVALID_VALUE:
2323 error = clib_error_return (0, "External port already in use.");
2325 case VNET_API_ERROR_NO_SUCH_ENTRY:
2327 error = clib_error_return (0, "External addres must be allocated.");
2329 error = clib_error_return (0, "Mapping not exist.");
2331 case VNET_API_ERROR_NO_SUCH_FIB:
2332 error = clib_error_return (0, "No such VRF id.");
2334 case VNET_API_ERROR_VALUE_EXIST:
2335 error = clib_error_return (0, "Mapping already exist.");
2342 unformat_free (line_input);
2349 * @cliexstart{snat add static mapping}
2350 * Static mapping allows hosts on the external network to initiate connection
2351 * to to the local network host.
2352 * To create static mapping between local host address 10.0.0.3 port 6303 and
2353 * external address 4.4.4.4 port 3606 for TCP protocol use:
2354 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
2355 * If not runnig "static mapping only" NAT plugin mode use before:
2356 * vpp# nat44 add address 4.4.4.4
2357 * To create static mapping between local and external address use:
2358 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
2361 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
2362 .path = "nat44 add static mapping",
2363 .function = add_static_mapping_command_fn,
2365 "nat44 add static mapping tcp|udp|icmp local <addr> [<port>] "
2366 "external <addr> [<port>] [vrf <table-id>] [twice-nat] [del]",
2369 static clib_error_t *
2370 add_identity_mapping_command_fn (vlib_main_t * vm,
2371 unformat_input_t * input,
2372 vlib_cli_command_t * cmd)
2374 unformat_input_t _line_input, *line_input = &_line_input;
2375 clib_error_t * error = 0;
2377 u32 port = 0, vrf_id = ~0;
2380 u32 sw_if_index = ~0;
2381 vnet_main_t * vnm = vnet_get_main();
2383 snat_protocol_t proto;
2387 /* Get a line of input. */
2388 if (!unformat_user (input, unformat_line_input, line_input))
2391 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2393 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
2395 else if (unformat (line_input, "external %U",
2396 unformat_vnet_sw_interface, vnm, &sw_if_index))
2398 else if (unformat (line_input, "vrf %u", &vrf_id))
2400 else if (unformat (line_input, "%U %u", unformat_snat_protocol, &proto,
2403 else if (unformat (line_input, "del"))
2407 error = clib_error_return (0, "unknown input: '%U'",
2408 format_unformat_error, line_input);
2413 rv = snat_add_static_mapping(addr, addr, (u16) port, (u16) port,
2414 vrf_id, addr_only, sw_if_index, proto, is_add,
2419 case VNET_API_ERROR_INVALID_VALUE:
2420 error = clib_error_return (0, "External port already in use.");
2422 case VNET_API_ERROR_NO_SUCH_ENTRY:
2424 error = clib_error_return (0, "External addres must be allocated.");
2426 error = clib_error_return (0, "Mapping not exist.");
2428 case VNET_API_ERROR_NO_SUCH_FIB:
2429 error = clib_error_return (0, "No such VRF id.");
2431 case VNET_API_ERROR_VALUE_EXIST:
2432 error = clib_error_return (0, "Mapping already exist.");
2439 unformat_free (line_input);
2446 * @cliexstart{snat add identity mapping}
2447 * Identity mapping translate an IP address to itself.
2448 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
2450 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
2451 * To create identity mapping for address 10.0.0.3 use:
2452 * vpp# nat44 add identity mapping 10.0.0.3
2453 * To create identity mapping for DHCP addressed interface use:
2454 * vpp# nat44 add identity mapping GigabitEthernet0/a/0 tcp 3606
2457 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
2458 .path = "nat44 add identity mapping",
2459 .function = add_identity_mapping_command_fn,
2460 .short_help = "nat44 add identity mapping <interface>|<ip4-addr> "
2461 "[<protocol> <port>] [vrf <table-id>] [del]",
2464 static clib_error_t *
2465 add_lb_static_mapping_command_fn (vlib_main_t * vm,
2466 unformat_input_t * input,
2467 vlib_cli_command_t * cmd)
2469 unformat_input_t _line_input, *line_input = &_line_input;
2470 clib_error_t * error = 0;
2471 ip4_address_t l_addr, e_addr;
2472 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
2475 snat_protocol_t proto;
2477 nat44_lb_addr_port_t *locals = 0, local;
2480 /* Get a line of input. */
2481 if (!unformat_user (input, unformat_line_input, line_input))
2484 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2486 if (unformat (line_input, "local %U:%u probability %u",
2487 unformat_ip4_address, &l_addr, &l_port, &probability))
2489 memset (&local, 0, sizeof (local));
2490 local.addr = l_addr;
2491 local.port = (u16) l_port;
2492 local.probability = (u8) probability;
2493 vec_add1 (locals, local);
2495 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
2498 else if (unformat (line_input, "vrf %u", &vrf_id))
2500 else if (unformat (line_input, "protocol %U", unformat_snat_protocol,
2503 else if (unformat (line_input, "twice-nat"))
2505 else if (unformat (line_input, "del"))
2509 error = clib_error_return (0, "unknown input: '%U'",
2510 format_unformat_error, line_input);
2515 if (vec_len (locals) < 2)
2517 error = clib_error_return (0, "at least two local must be set");
2523 error = clib_error_return (0, "missing protocol");
2527 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, vrf_id,
2528 locals, is_add, twice_nat);
2532 case VNET_API_ERROR_INVALID_VALUE:
2533 error = clib_error_return (0, "External port already in use.");
2535 case VNET_API_ERROR_NO_SUCH_ENTRY:
2537 error = clib_error_return (0, "External addres must be allocated.");
2539 error = clib_error_return (0, "Mapping not exist.");
2541 case VNET_API_ERROR_VALUE_EXIST:
2542 error = clib_error_return (0, "Mapping already exist.");
2549 unformat_free (line_input);
2555 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
2556 .path = "nat44 add load-balancing static mapping",
2557 .function = add_lb_static_mapping_command_fn,
2559 "nat44 add load-balancing static mapping protocol tcp|udp "
2560 "external <addr>:<port> local <addr>:<port> probability <n> [twice-nat] "
2561 "[vrf <table-id>] [del]",
2564 static clib_error_t *
2565 set_workers_command_fn (vlib_main_t * vm,
2566 unformat_input_t * input,
2567 vlib_cli_command_t * cmd)
2569 unformat_input_t _line_input, *line_input = &_line_input;
2572 clib_error_t *error = 0;
2574 /* Get a line of input. */
2575 if (!unformat_user (input, unformat_line_input, line_input))
2578 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2580 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
2584 error = clib_error_return (0, "unknown input '%U'",
2585 format_unformat_error, line_input);
2592 error = clib_error_return (0, "List of workers must be specified.");
2596 rv = snat_set_workers(bitmap);
2598 clib_bitmap_free (bitmap);
2602 case VNET_API_ERROR_INVALID_WORKER:
2603 error = clib_error_return (0, "Invalid worker(s).");
2605 case VNET_API_ERROR_FEATURE_DISABLED:
2606 error = clib_error_return (0,
2607 "Supported only if 2 or more workes available.");
2614 unformat_free (line_input);
2621 * @cliexstart{set snat workers}
2622 * Set NAT workers if 2 or more workers available, use:
2623 * vpp# set snat workers 0-2,5
2626 VLIB_CLI_COMMAND (set_workers_command, static) = {
2627 .path = "set nat workers",
2628 .function = set_workers_command_fn,
2630 "set nat workers <workers-list>",
2633 static clib_error_t *
2634 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
2635 unformat_input_t * input,
2636 vlib_cli_command_t * cmd)
2638 unformat_input_t _line_input, *line_input = &_line_input;
2643 clib_error_t *error = 0;
2645 /* Get a line of input. */
2646 if (!unformat_user (input, unformat_line_input, line_input))
2649 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
2651 if (unformat (line_input, "domain %d", &domain_id))
2653 else if (unformat (line_input, "src-port %d", &src_port))
2655 else if (unformat (line_input, "disable"))
2659 error = clib_error_return (0, "unknown input '%U'",
2660 format_unformat_error, line_input);
2665 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
2669 error = clib_error_return (0, "ipfix logging enable failed");
2674 unformat_free (line_input);
2681 * @cliexstart{snat ipfix logging}
2682 * To enable NAT IPFIX logging use:
2683 * vpp# nat ipfix logging
2684 * To set IPFIX exporter use:
2685 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
2688 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
2689 .path = "nat ipfix logging",
2690 .function = snat_ipfix_logging_enable_disable_command_fn,
2691 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
2695 snat_get_worker_in2out_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2697 snat_main_t *sm = &snat_main;
2698 u32 next_worker_index = 0;
2701 next_worker_index = sm->first_worker_index;
2702 hash = ip0->src_address.as_u32 + (ip0->src_address.as_u32 >> 8) +
2703 (ip0->src_address.as_u32 >> 16) + (ip0->src_address.as_u32 >>24);
2705 if (PREDICT_TRUE (is_pow2 (_vec_len (sm->workers))))
2706 next_worker_index += sm->workers[hash & (_vec_len (sm->workers) - 1)];
2708 next_worker_index += sm->workers[hash % _vec_len (sm->workers)];
2710 return next_worker_index;
2714 snat_get_worker_out2in_cb (ip4_header_t * ip0, u32 rx_fib_index0)
2716 snat_main_t *sm = &snat_main;
2719 snat_session_key_t m_key;
2720 clib_bihash_kv_8_8_t kv, value;
2721 snat_static_mapping_t *m;
2722 nat_ed_ses_key_t key;
2723 clib_bihash_kv_16_8_t s_kv, s_value;
2724 snat_main_per_thread_data_t *tsm;
2729 /* first try static mappings without port */
2730 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2732 m_key.addr = ip0->dst_address;
2735 m_key.fib_index = rx_fib_index0;
2736 kv.key = m_key.as_u64;
2737 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
2739 m = pool_elt_at_index (sm->static_mappings, value.value);
2740 return m->worker_index;
2744 proto = ip_proto_to_snat_proto (ip0->protocol);
2745 udp = ip4_next_header (ip0);
2746 port = udp->dst_port;
2748 if (PREDICT_FALSE (ip4_is_fragment (ip0)))
2750 if (PREDICT_FALSE (nat_reass_is_drop_frag (0)))
2751 return vlib_get_thread_index ();
2753 if (PREDICT_TRUE (!ip4_is_first_fragment (ip0)))
2755 nat_reass_ip4_t *reass;
2757 reass = nat_ip4_reass_find (ip0->src_address, ip0->dst_address,
2758 ip0->fragment_id, ip0->protocol);
2760 if (reass && (reass->thread_index != (u32) ~ 0))
2761 return reass->thread_index;
2763 return vlib_get_thread_index ();
2767 /* unknown protocol */
2768 if (PREDICT_FALSE (proto == ~0))
2770 key.l_addr = ip0->dst_address;
2771 key.r_addr = ip0->src_address;
2772 key.fib_index = rx_fib_index0;
2773 key.proto = ip0->protocol;
2776 s_kv.key[0] = key.as_u64[0];
2777 s_kv.key[1] = key.as_u64[1];
2779 if (!clib_bihash_search_16_8 (&sm->out2in_ed, &s_kv, &s_value))
2781 for (i = 0; i < _vec_len (sm->per_thread_data); i++)
2783 tsm = vec_elt_at_index (sm->per_thread_data, i);
2784 if (!pool_is_free_index(tsm->sessions, s_value.value))
2786 s = pool_elt_at_index (tsm->sessions, s_value.value);
2787 if (s->out2in.addr.as_u32 == ip0->dst_address.as_u32 &&
2788 s->out2in.port == ip0->protocol &&
2789 snat_is_unk_proto_session (s))
2795 /* if no session use current thread */
2796 return vlib_get_thread_index ();
2799 if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_ICMP))
2801 icmp46_header_t * icmp = (icmp46_header_t *) udp;
2802 icmp_echo_header_t *echo = (icmp_echo_header_t *)(icmp + 1);
2803 if (!icmp_is_error_message (icmp))
2804 port = echo->identifier;
2807 ip4_header_t *inner_ip = (ip4_header_t *)(echo + 1);
2808 proto = ip_proto_to_snat_proto (inner_ip->protocol);
2809 void *l4_header = ip4_next_header (inner_ip);
2812 case SNAT_PROTOCOL_ICMP:
2813 icmp = (icmp46_header_t*)l4_header;
2814 echo = (icmp_echo_header_t *)(icmp + 1);
2815 port = echo->identifier;
2817 case SNAT_PROTOCOL_UDP:
2818 case SNAT_PROTOCOL_TCP:
2819 port = ((tcp_udp_header_t*)l4_header)->src_port;
2822 return vlib_get_thread_index ();
2827 /* try static mappings with port */
2828 if (PREDICT_FALSE (pool_elts (sm->static_mappings)))
2830 m_key.addr = ip0->dst_address;
2831 m_key.port = clib_net_to_host_u16 (port);
2832 m_key.protocol = proto;
2833 m_key.fib_index = rx_fib_index0;
2834 kv.key = m_key.as_u64;
2835 if (!clib_bihash_search_8_8 (&sm->static_mapping_by_external, &kv, &value))
2837 m = pool_elt_at_index (sm->static_mappings, value.value);
2838 return m->worker_index;
2842 /* worker by outside port */
2843 return (u32) ((clib_net_to_host_u16 (port) - 1024) / sm->port_per_thread);
2846 static clib_error_t *
2847 snat_config (vlib_main_t * vm, unformat_input_t * input)
2849 snat_main_t * sm = &snat_main;
2850 u32 translation_buckets = 1024;
2851 u32 translation_memory_size = 128<<20;
2852 u32 user_buckets = 128;
2853 u32 user_memory_size = 64<<20;
2854 u32 max_translations_per_user = 100;
2855 u32 outside_vrf_id = 0;
2856 u32 inside_vrf_id = 0;
2857 u32 static_mapping_buckets = 1024;
2858 u32 static_mapping_memory_size = 64<<20;
2859 u32 nat64_bib_buckets = 1024;
2860 u32 nat64_bib_memory_size = 128 << 20;
2861 u32 nat64_st_buckets = 2048;
2862 u32 nat64_st_memory_size = 256 << 20;
2863 u8 static_mapping_only = 0;
2864 u8 static_mapping_connection_tracking = 0;
2865 snat_main_per_thread_data_t *tsm;
2867 sm->deterministic = 0;
2869 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
2871 if (unformat (input, "translation hash buckets %d", &translation_buckets))
2873 else if (unformat (input, "translation hash memory %d",
2874 &translation_memory_size));
2875 else if (unformat (input, "user hash buckets %d", &user_buckets))
2877 else if (unformat (input, "user hash memory %d",
2880 else if (unformat (input, "max translations per user %d",
2881 &max_translations_per_user))
2883 else if (unformat (input, "outside VRF id %d",
2886 else if (unformat (input, "inside VRF id %d",
2889 else if (unformat (input, "static mapping only"))
2891 static_mapping_only = 1;
2892 if (unformat (input, "connection tracking"))
2893 static_mapping_connection_tracking = 1;
2895 else if (unformat (input, "deterministic"))
2896 sm->deterministic = 1;
2897 else if (unformat (input, "nat64 bib hash buckets %d",
2898 &nat64_bib_buckets))
2900 else if (unformat (input, "nat64 bib hash memory %d",
2901 &nat64_bib_memory_size))
2903 else if (unformat (input, "nat64 st hash buckets %d", &nat64_st_buckets))
2905 else if (unformat (input, "nat64 st hash memory %d",
2906 &nat64_st_memory_size))
2909 return clib_error_return (0, "unknown input '%U'",
2910 format_unformat_error, input);
2913 /* for show commands, etc. */
2914 sm->translation_buckets = translation_buckets;
2915 sm->translation_memory_size = translation_memory_size;
2916 /* do not exceed load factor 10 */
2917 sm->max_translations = 10 * translation_buckets;
2918 sm->user_buckets = user_buckets;
2919 sm->user_memory_size = user_memory_size;
2920 sm->max_translations_per_user = max_translations_per_user;
2921 sm->outside_vrf_id = outside_vrf_id;
2922 sm->outside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
2924 FIB_SOURCE_PLUGIN_HI);
2925 sm->inside_vrf_id = inside_vrf_id;
2926 sm->inside_fib_index = fib_table_find_or_create_and_lock (FIB_PROTOCOL_IP4,
2928 FIB_SOURCE_PLUGIN_HI);
2929 sm->static_mapping_only = static_mapping_only;
2930 sm->static_mapping_connection_tracking = static_mapping_connection_tracking;
2932 nat64_set_hash(nat64_bib_buckets, nat64_bib_memory_size, nat64_st_buckets,
2933 nat64_st_memory_size);
2935 if (sm->deterministic)
2937 sm->in2out_node_index = snat_det_in2out_node.index;
2938 sm->in2out_output_node_index = ~0;
2939 sm->out2in_node_index = snat_det_out2in_node.index;
2940 sm->icmp_match_in2out_cb = icmp_match_in2out_det;
2941 sm->icmp_match_out2in_cb = icmp_match_out2in_det;
2945 sm->worker_in2out_cb = snat_get_worker_in2out_cb;
2946 sm->worker_out2in_cb = snat_get_worker_out2in_cb;
2947 sm->in2out_node_index = snat_in2out_node.index;
2948 sm->in2out_output_node_index = snat_in2out_output_node.index;
2949 sm->out2in_node_index = snat_out2in_node.index;
2950 if (!static_mapping_only ||
2951 (static_mapping_only && static_mapping_connection_tracking))
2953 sm->icmp_match_in2out_cb = icmp_match_in2out_slow;
2954 sm->icmp_match_out2in_cb = icmp_match_out2in_slow;
2956 vec_foreach (tsm, sm->per_thread_data)
2958 clib_bihash_init_8_8 (&tsm->in2out, "in2out", translation_buckets,
2959 translation_memory_size);
2961 clib_bihash_init_8_8 (&tsm->out2in, "out2in", translation_buckets,
2962 translation_memory_size);
2964 clib_bihash_init_8_8 (&tsm->user_hash, "users", user_buckets,
2968 clib_bihash_init_16_8 (&sm->in2out_ed, "in2out-ed",
2969 translation_buckets, translation_memory_size);
2971 clib_bihash_init_16_8 (&sm->out2in_ed, "out2in-ed",
2972 translation_buckets, translation_memory_size);
2976 sm->icmp_match_in2out_cb = icmp_match_in2out_fast;
2977 sm->icmp_match_out2in_cb = icmp_match_out2in_fast;
2979 clib_bihash_init_8_8 (&sm->static_mapping_by_local,
2980 "static_mapping_by_local", static_mapping_buckets,
2981 static_mapping_memory_size);
2983 clib_bihash_init_8_8 (&sm->static_mapping_by_external,
2984 "static_mapping_by_external", static_mapping_buckets,
2985 static_mapping_memory_size);
2991 VLIB_CONFIG_FUNCTION (snat_config, "nat");
2993 u8 * format_snat_session_state (u8 * s, va_list * args)
2995 u32 i = va_arg (*args, u32);
3000 #define _(v, N, str) case SNAT_SESSION_##N: t = (u8 *) str; break;
3001 foreach_snat_session_state
3004 t = format (t, "unknown");
3006 s = format (s, "%s", t);
3010 u8 * format_snat_key (u8 * s, va_list * args)
3012 snat_session_key_t * key = va_arg (*args, snat_session_key_t *);
3014 s = format (s, "%U proto %U port %d fib %d",
3015 format_ip4_address, &key->addr,
3016 format_snat_protocol, key->protocol,
3017 clib_net_to_host_u16 (key->port), key->fib_index);
3021 u8 * format_snat_session (u8 * s, va_list * args)
3023 snat_main_t * sm __attribute__((unused)) = va_arg (*args, snat_main_t *);
3024 snat_session_t * sess = va_arg (*args, snat_session_t *);
3026 if (snat_is_unk_proto_session (sess))
3028 s = format (s, " i2o %U proto %u fib %u\n",
3029 format_ip4_address, &sess->in2out.addr,
3030 clib_net_to_host_u16 (sess->in2out.port),
3031 sess->in2out.fib_index);
3032 s = format (s, " o2i %U proto %u fib %u\n",
3033 format_ip4_address, &sess->out2in.addr,
3034 clib_net_to_host_u16 (sess->out2in.port),
3035 sess->out2in.fib_index);
3039 s = format (s, " i2o %U\n", format_snat_key, &sess->in2out);
3040 s = format (s, " o2i %U\n", format_snat_key, &sess->out2in);
3042 if (is_twice_nat_session (sess))
3044 s = format (s, " external host o2i %U:%d i2o %U:%d\n",
3045 format_ip4_address, &sess->ext_host_addr,
3046 clib_net_to_host_u16 (sess->ext_host_port),
3047 format_ip4_address, &sess->ext_host_nat_addr,
3048 clib_net_to_host_u16 (sess->ext_host_nat_port));
3052 if (sess->ext_host_addr.as_u32)
3053 s = format (s, " external host %U\n",
3054 format_ip4_address, &sess->ext_host_addr);
3056 s = format (s, " last heard %.2f\n", sess->last_heard);
3057 s = format (s, " total pkts %d, total bytes %lld\n",
3058 sess->total_pkts, sess->total_bytes);
3059 if (snat_is_session_static (sess))
3060 s = format (s, " static translation\n");
3062 s = format (s, " dynamic translation\n");
3063 if (sess->flags & SNAT_SESSION_FLAG_LOAD_BALANCING)
3064 s = format (s, " load-balancing\n");
3065 if (is_twice_nat_session (sess))
3066 s = format (s, " twice-nat\n");
3071 u8 * format_snat_user (u8 * s, va_list * args)
3073 snat_main_per_thread_data_t * sm = va_arg (*args, snat_main_per_thread_data_t *);
3074 snat_user_t * u = va_arg (*args, snat_user_t *);
3075 int verbose = va_arg (*args, int);
3076 dlist_elt_t * head, * elt;
3077 u32 elt_index, head_index;
3079 snat_session_t * sess;
3081 s = format (s, "%U: %d dynamic translations, %d static translations\n",
3082 format_ip4_address, &u->addr, u->nsessions, u->nstaticsessions);
3087 if (u->nsessions || u->nstaticsessions)
3089 head_index = u->sessions_per_user_list_head_index;
3090 head = pool_elt_at_index (sm->list_pool, head_index);
3092 elt_index = head->next;
3093 elt = pool_elt_at_index (sm->list_pool, elt_index);
3094 session_index = elt->value;
3096 while (session_index != ~0)
3098 sess = pool_elt_at_index (sm->sessions, session_index);
3100 s = format (s, " %U\n", format_snat_session, sm, sess);
3102 elt_index = elt->next;
3103 elt = pool_elt_at_index (sm->list_pool, elt_index);
3104 session_index = elt->value;
3111 u8 * format_snat_static_mapping (u8 * s, va_list * args)
3113 snat_static_mapping_t *m = va_arg (*args, snat_static_mapping_t *);
3114 nat44_lb_addr_port_t *local;
3117 s = format (s, "local %U external %U vrf %d %s",
3118 format_ip4_address, &m->local_addr,
3119 format_ip4_address, &m->external_addr,
3120 m->vrf_id, m->twice_nat ? "twice-nat" : "");
3123 if (vec_len (m->locals))
3125 s = format (s, "%U vrf %d external %U:%d %s",
3126 format_snat_protocol, m->proto,
3128 format_ip4_address, &m->external_addr, m->external_port,
3129 m->twice_nat ? "twice-nat" : "");
3130 vec_foreach (local, m->locals)
3131 s = format (s, "\n local %U:%d probability %d\%",
3132 format_ip4_address, &local->addr, local->port,
3133 local->probability);
3136 s = format (s, "%U local %U:%d external %U:%d vrf %d %s",
3137 format_snat_protocol, m->proto,
3138 format_ip4_address, &m->local_addr, m->local_port,
3139 format_ip4_address, &m->external_addr, m->external_port,
3140 m->vrf_id, m->twice_nat ? "twice-nat" : "");
3145 u8 * format_snat_static_map_to_resolve (u8 * s, va_list * args)
3147 snat_static_map_resolve_t *m = va_arg (*args, snat_static_map_resolve_t *);
3148 vnet_main_t *vnm = vnet_get_main();
3151 s = format (s, "local %U external %U vrf %d",
3152 format_ip4_address, &m->l_addr,
3153 format_vnet_sw_interface_name, vnm,
3154 vnet_get_sw_interface (vnm, m->sw_if_index),
3157 s = format (s, "%U local %U:%d external %U:%d vrf %d",
3158 format_snat_protocol, m->proto,
3159 format_ip4_address, &m->l_addr, m->l_port,
3160 format_vnet_sw_interface_name, vnm,
3161 vnet_get_sw_interface (vnm, m->sw_if_index), m->e_port,
3167 u8 * format_det_map_ses (u8 * s, va_list * args)
3169 snat_det_map_t * det_map = va_arg (*args, snat_det_map_t *);
3170 ip4_address_t in_addr, out_addr;
3171 u32 in_offset, out_offset;
3172 snat_det_session_t * ses = va_arg (*args, snat_det_session_t *);
3173 u32 * i = va_arg (*args, u32 *);
3175 u32 user_index = *i / SNAT_DET_SES_PER_USER;
3176 in_addr.as_u32 = clib_host_to_net_u32 (
3177 clib_net_to_host_u32(det_map->in_addr.as_u32) + user_index);
3178 in_offset = clib_net_to_host_u32(in_addr.as_u32) -
3179 clib_net_to_host_u32(det_map->in_addr.as_u32);
3180 out_offset = in_offset / det_map->sharing_ratio;
3181 out_addr.as_u32 = clib_host_to_net_u32(
3182 clib_net_to_host_u32(det_map->out_addr.as_u32) + out_offset);
3183 s = format (s, "in %U:%d out %U:%d external host %U:%d state: %U expire: %d\n",
3184 format_ip4_address, &in_addr,
3185 clib_net_to_host_u16 (ses->in_port),
3186 format_ip4_address, &out_addr,
3187 clib_net_to_host_u16 (ses->out.out_port),
3188 format_ip4_address, &ses->out.ext_host_addr,
3189 clib_net_to_host_u16 (ses->out.ext_host_port),
3190 format_snat_session_state, ses->state,
3196 static clib_error_t *
3197 show_snat_command_fn (vlib_main_t * vm,
3198 unformat_input_t * input,
3199 vlib_cli_command_t * cmd)
3202 snat_main_t * sm = &snat_main;
3204 snat_static_mapping_t *m;
3205 snat_interface_t *i;
3206 snat_address_t * ap;
3207 vnet_main_t *vnm = vnet_get_main();
3208 snat_main_per_thread_data_t *tsm;
3209 u32 users_num = 0, sessions_num = 0, *worker, *sw_if_index;
3211 snat_static_map_resolve_t *rp;
3212 snat_det_map_t * dm;
3213 snat_det_session_t * ses;
3215 if (unformat (input, "detail"))
3217 else if (unformat (input, "verbose"))
3220 if (sm->static_mapping_only)
3222 if (sm->static_mapping_connection_tracking)
3223 vlib_cli_output (vm, "NAT plugin mode: static mapping only connection "
3226 vlib_cli_output (vm, "NAT plugin mode: static mapping only");
3228 else if (sm->deterministic)
3230 vlib_cli_output (vm, "NAT plugin mode: deterministic mapping");
3234 vlib_cli_output (vm, "NAT plugin mode: dynamic translations enabled");
3239 pool_foreach (i, sm->interfaces,
3241 vlib_cli_output (vm, "%U %s", format_vnet_sw_interface_name, vnm,
3242 vnet_get_sw_interface (vnm, i->sw_if_index),
3243 (nat_interface_is_inside(i) &&
3244 nat_interface_is_outside(i)) ? "in out" :
3245 (nat_interface_is_inside(i) ? "in" : "out"));
3248 pool_foreach (i, sm->output_feature_interfaces,
3250 vlib_cli_output (vm, "%U output-feature %s",
3251 format_vnet_sw_interface_name, vnm,
3252 vnet_get_sw_interface (vnm, i->sw_if_index),
3253 (nat_interface_is_inside(i) &&
3254 nat_interface_is_outside(i)) ? "in out" :
3255 (nat_interface_is_inside(i) ? "in" : "out"));
3258 if (vec_len (sm->auto_add_sw_if_indices))
3260 vlib_cli_output (vm, "NAT44 pool addresses interfaces:");
3261 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
3263 vlib_cli_output (vm, "%U", format_vnet_sw_interface_name, vnm,
3264 vnet_get_sw_interface (vnm, *sw_if_index));
3268 if (vec_len (sm->auto_add_sw_if_indices_twice_nat))
3270 vlib_cli_output (vm, "NAT44 twice-nat pool addresses interfaces:");
3271 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
3273 vlib_cli_output (vm, "%U", format_vnet_sw_interface_name, vnm,
3274 vnet_get_sw_interface (vnm, *sw_if_index));
3278 vlib_cli_output (vm, "NAT44 pool addresses:");
3279 vec_foreach (ap, sm->addresses)
3281 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
3282 if (ap->fib_index != ~0)
3283 vlib_cli_output (vm, " tenant VRF: %u",
3284 ip4_fib_get(ap->fib_index)->table_id);
3286 vlib_cli_output (vm, " tenant VRF independent");
3287 #define _(N, i, n, s) \
3288 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
3289 foreach_snat_protocol
3293 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
3294 vec_foreach (ap, sm->twice_nat_addresses)
3296 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
3297 if (ap->fib_index != ~0)
3298 vlib_cli_output (vm, " tenant VRF: %u",
3299 ip4_fib_get(ap->fib_index)->table_id);
3301 vlib_cli_output (vm, " tenant VRF independent");
3302 #define _(N, i, n, s) \
3303 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
3304 foreach_snat_protocol
3309 if (sm->num_workers > 1)
3311 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
3314 vec_foreach (worker, sm->workers)
3316 vlib_worker_thread_t *w =
3317 vlib_worker_threads + *worker + sm->first_worker_index;
3318 vlib_cli_output (vm, " %s", w->name);
3323 if (sm->deterministic)
3325 vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
3326 vlib_cli_output (vm, "tcp-established timeout: %dsec",
3327 sm->tcp_established_timeout);
3328 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
3329 sm->tcp_transitory_timeout);
3330 vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
3331 vlib_cli_output (vm, "%d deterministic mappings",
3332 pool_elts (sm->det_maps));
3335 pool_foreach (dm, sm->det_maps,
3337 vlib_cli_output (vm, "in %U/%d out %U/%d\n",
3338 format_ip4_address, &dm->in_addr, dm->in_plen,
3339 format_ip4_address, &dm->out_addr, dm->out_plen);
3340 vlib_cli_output (vm, " outside address sharing ratio: %d\n",
3342 vlib_cli_output (vm, " number of ports per inside host: %d\n",
3343 dm->ports_per_host);
3344 vlib_cli_output (vm, " sessions number: %d\n", dm->ses_num);
3347 vec_foreach_index (j, dm->sessions)
3349 ses = vec_elt_at_index (dm->sessions, j);
3351 vlib_cli_output (vm, " %U", format_det_map_ses, dm, ses,
3360 if (sm->static_mapping_only && !(sm->static_mapping_connection_tracking))
3362 vlib_cli_output (vm, "%d static mappings",
3363 pool_elts (sm->static_mappings));
3367 pool_foreach (m, sm->static_mappings,
3369 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
3375 vec_foreach (tsm, sm->per_thread_data)
3377 users_num += pool_elts (tsm->users);
3378 sessions_num += pool_elts (tsm->sessions);
3381 vlib_cli_output (vm, "%d users, %d outside addresses, %d active sessions,"
3382 " %d static mappings, %d twice-nat addresses",
3384 vec_len (sm->addresses),
3386 pool_elts (sm->static_mappings),
3387 vec_len (sm->twice_nat_addresses));
3391 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->in2out_ed,
3393 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->out2in_ed,
3395 vec_foreach_index (j, sm->per_thread_data)
3397 tsm = vec_elt_at_index (sm->per_thread_data, j);
3399 if (pool_elts (tsm->users) == 0)
3402 vlib_worker_thread_t *w = vlib_worker_threads + j;
3403 vlib_cli_output (vm, "Thread %d (%s at lcore %u):", j, w->name,
3405 vlib_cli_output (vm, " %U", format_bihash_8_8, &tsm->in2out,
3407 vlib_cli_output (vm, " %U", format_bihash_8_8, &tsm->out2in,
3409 vlib_cli_output (vm, " %d list pool elements",
3410 pool_elts (tsm->list_pool));
3412 pool_foreach (u, tsm->users,
3414 vlib_cli_output (vm, " %U", format_snat_user, tsm, u,
3419 if (pool_elts (sm->static_mappings))
3421 vlib_cli_output (vm, "static mappings:");
3422 pool_foreach (m, sm->static_mappings,
3424 vlib_cli_output (vm, "%U", format_snat_static_mapping, m);
3426 for (j = 0; j < vec_len (sm->to_resolve); j++)
3428 rp = sm->to_resolve + j;
3429 vlib_cli_output (vm, "%U",
3430 format_snat_static_map_to_resolve, rp);
3440 VLIB_CLI_COMMAND (show_snat_command, static) = {
3441 .path = "show nat44",
3442 .short_help = "show nat44",
3443 .function = show_snat_command_fn,
3448 snat_ip4_add_del_interface_address_cb (ip4_main_t * im,
3451 ip4_address_t * address,
3453 u32 if_address_index,
3456 snat_main_t *sm = &snat_main;
3457 snat_static_map_resolve_t *rp;
3458 u32 *indices_to_delete = 0;
3459 ip4_address_t l_addr;
3463 snat_address_t *addresses = sm->addresses;
3465 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices); i++)
3467 if (sw_if_index == sm->auto_add_sw_if_indices[i])
3471 for (i = 0; i < vec_len(sm->auto_add_sw_if_indices_twice_nat); i++)
3474 addresses = sm->twice_nat_addresses;
3475 if (sw_if_index == sm->auto_add_sw_if_indices_twice_nat[i])
3484 /* Don't trip over lease renewal, static config */
3485 for (j = 0; j < vec_len(addresses); j++)
3486 if (addresses[j].addr.as_u32 == address->as_u32)
3489 snat_add_address (sm, address, ~0, twice_nat);
3490 /* Scan static map resolution vector */
3491 for (j = 0; j < vec_len (sm->to_resolve); j++)
3493 rp = sm->to_resolve + j;
3494 /* On this interface? */
3495 if (rp->sw_if_index == sw_if_index)
3497 /* Indetity mapping? */
3498 if (rp->l_addr.as_u32 == 0)
3499 l_addr.as_u32 = address[0].as_u32;
3501 l_addr.as_u32 = rp->l_addr.as_u32;
3502 /* Add the static mapping */
3503 rv = snat_add_static_mapping (l_addr,
3509 ~0 /* sw_if_index */,
3514 clib_warning ("snat_add_static_mapping returned %d",
3516 vec_add1 (indices_to_delete, j);
3519 /* If we resolved any of the outstanding static mappings */
3520 if (vec_len(indices_to_delete))
3523 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
3524 vec_delete(sm->to_resolve, 1, j);
3525 vec_free(indices_to_delete);
3531 (void) snat_del_address(sm, address[0], 1, twice_nat);
3537 int snat_add_interface_address (snat_main_t *sm, u32 sw_if_index, int is_del,
3540 ip4_main_t * ip4_main = sm->ip4_main;
3541 ip4_address_t * first_int_addr;
3542 snat_static_map_resolve_t *rp;
3543 u32 *indices_to_delete = 0;
3545 u32 *auto_add_sw_if_indices =
3546 twice_nat ? sm->auto_add_sw_if_indices_twice_nat : sm->auto_add_sw_if_indices;
3548 first_int_addr = ip4_interface_first_address (ip4_main, sw_if_index,
3549 0 /* just want the address*/);
3551 for (i = 0; i < vec_len(auto_add_sw_if_indices); i++)
3553 if (auto_add_sw_if_indices[i] == sw_if_index)
3557 /* if have address remove it */
3559 (void) snat_del_address (sm, first_int_addr[0], 1, twice_nat);
3562 for (j = 0; j < vec_len (sm->to_resolve); j++)
3564 rp = sm->to_resolve + j;
3565 if (rp->sw_if_index == sw_if_index)
3566 vec_add1 (indices_to_delete, j);
3568 if (vec_len(indices_to_delete))
3570 for (j = vec_len(indices_to_delete)-1; j >= 0; j--)
3571 vec_del1(sm->to_resolve, j);
3572 vec_free(indices_to_delete);
3576 vec_del1(sm->auto_add_sw_if_indices_twice_nat, i);
3578 vec_del1(sm->auto_add_sw_if_indices, i);
3581 return VNET_API_ERROR_VALUE_EXIST;
3588 return VNET_API_ERROR_NO_SUCH_ENTRY;
3590 /* add to the auto-address list */
3592 vec_add1(sm->auto_add_sw_if_indices_twice_nat, sw_if_index);
3594 vec_add1(sm->auto_add_sw_if_indices, sw_if_index);
3596 /* If the address is already bound - or static - add it now */
3598 snat_add_address (sm, first_int_addr, ~0, twice_nat);
3603 static clib_error_t *
3604 snat_add_interface_address_command_fn (vlib_main_t * vm,
3605 unformat_input_t * input,
3606 vlib_cli_command_t * cmd)
3608 snat_main_t *sm = &snat_main;
3609 unformat_input_t _line_input, *line_input = &_line_input;
3613 clib_error_t *error = 0;
3616 /* Get a line of input. */
3617 if (!unformat_user (input, unformat_line_input, line_input))
3620 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3622 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
3623 sm->vnet_main, &sw_if_index))
3625 else if (unformat (line_input, "twice-nat"))
3627 else if (unformat (line_input, "del"))
3631 error = clib_error_return (0, "unknown input '%U'",
3632 format_unformat_error, line_input);
3637 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
3645 error = clib_error_return (0, "snat_add_interface_address returned %d",
3651 unformat_free (line_input);
3656 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
3657 .path = "nat44 add interface address",
3658 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
3659 .function = snat_add_interface_address_command_fn,
3663 nat44_del_session (snat_main_t *sm, ip4_address_t *addr, u16 port,
3664 snat_protocol_t proto, u32 vrf_id, int is_in)
3666 snat_main_per_thread_data_t *tsm;
3667 clib_bihash_kv_8_8_t kv, value;
3669 u32 fib_index = fib_table_find (FIB_PROTOCOL_IP4, vrf_id);
3670 snat_session_key_t key;
3672 clib_bihash_8_8_t *t;
3673 snat_user_key_t u_key;
3676 ip.dst_address.as_u32 = ip.src_address.as_u32 = addr->as_u32;
3677 if (sm->num_workers)
3679 vec_elt_at_index (sm->per_thread_data,
3680 sm->worker_in2out_cb (&ip, fib_index));
3682 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
3684 key.addr.as_u32 = addr->as_u32;
3685 key.port = clib_host_to_net_u16 (port);
3686 key.protocol = proto;
3687 key.fib_index = fib_index;
3688 kv.key = key.as_u64;
3689 t = is_in ? &tsm->in2out : &tsm->out2in;
3690 if (!clib_bihash_search_8_8 (t, &kv, &value))
3692 s = pool_elt_at_index (tsm->sessions, value.value);
3693 kv.key = s->in2out.as_u64;
3694 clib_bihash_add_del_8_8 (&tsm->in2out, &kv, 0);
3695 kv.key = s->out2in.as_u64;
3696 clib_bihash_add_del_8_8 (&tsm->out2in, &kv, 0);
3697 u_key.addr = s->in2out.addr;
3698 u_key.fib_index = s->in2out.fib_index;
3699 kv.key = u_key.as_u64;
3700 if (!clib_bihash_search_8_8 (&tsm->user_hash, &kv, &value))
3702 u = pool_elt_at_index (tsm->users, value.value);
3705 clib_dlist_remove (tsm->list_pool, s->per_user_index);
3706 pool_put (tsm->sessions, s);
3710 return VNET_API_ERROR_NO_SUCH_ENTRY;
3713 static clib_error_t *
3714 nat44_del_session_command_fn (vlib_main_t * vm,
3715 unformat_input_t * input,
3716 vlib_cli_command_t * cmd)
3718 snat_main_t *sm = &snat_main;
3719 unformat_input_t _line_input, *line_input = &_line_input;
3721 clib_error_t *error = 0;
3723 u32 port = 0, vrf_id = sm->outside_vrf_id;
3724 snat_protocol_t proto;
3727 /* Get a line of input. */
3728 if (!unformat_user (input, unformat_line_input, line_input))
3731 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3733 if (unformat (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
3734 unformat_snat_protocol, &proto))
3736 else if (unformat (line_input, "in"))
3739 vrf_id = sm->inside_vrf_id;
3741 else if (unformat (line_input, "vrf %u", &vrf_id))
3745 error = clib_error_return (0, "unknown input '%U'",
3746 format_unformat_error, line_input);
3751 rv = nat44_del_session(sm, &addr, port, proto, vrf_id, is_in);
3759 error = clib_error_return (0, "nat44_del_session returned %d", rv);
3764 unformat_free (line_input);
3769 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
3770 .path = "nat44 del session",
3771 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>]",
3772 .function = nat44_del_session_command_fn,
3775 static clib_error_t *
3776 nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
3777 unformat_input_t * input,
3778 vlib_cli_command_t * cmd)
3780 snat_main_t *sm = &snat_main;
3781 unformat_input_t _line_input, *line_input = &_line_input;
3782 clib_error_t *error = 0;
3783 u32 psid, psid_offset, psid_length;
3785 /* Get a line of input. */
3786 if (!unformat_user (input, unformat_line_input, line_input))
3789 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3791 if (unformat (line_input, "default"))
3792 sm->alloc_addr_and_port = nat_alloc_addr_and_port_default;
3793 else if (unformat (line_input, "map-e psid %d psid-offset %d psid-len %d",
3794 &psid, &psid_offset, &psid_length))
3796 sm->alloc_addr_and_port = nat_alloc_addr_and_port_mape;
3797 sm->psid = (u16) psid;
3798 sm->psid_offset = (u16) psid_offset;
3799 sm->psid_length = (u16) psid_length;
3803 error = clib_error_return (0, "unknown input '%U'",
3804 format_unformat_error, line_input);
3810 unformat_free (line_input);
3815 VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
3816 .path = "nat addr-port-assignment-alg",
3817 .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
3818 .function = nat44_set_alloc_addr_and_port_alg_command_fn,
3821 static clib_error_t *
3822 snat_det_map_command_fn (vlib_main_t * vm,
3823 unformat_input_t * input,
3824 vlib_cli_command_t * cmd)
3826 snat_main_t *sm = &snat_main;
3827 unformat_input_t _line_input, *line_input = &_line_input;
3828 ip4_address_t in_addr, out_addr;
3829 u32 in_plen, out_plen;
3831 clib_error_t *error = 0;
3833 /* Get a line of input. */
3834 if (!unformat_user (input, unformat_line_input, line_input))
3837 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3839 if (unformat (line_input, "in %U/%u", unformat_ip4_address, &in_addr, &in_plen))
3841 else if (unformat (line_input, "out %U/%u", unformat_ip4_address, &out_addr, &out_plen))
3843 else if (unformat (line_input, "del"))
3847 error = clib_error_return (0, "unknown input '%U'",
3848 format_unformat_error, line_input);
3853 rv = snat_det_add_map(sm, &in_addr, (u8) in_plen, &out_addr, (u8)out_plen,
3858 error = clib_error_return (0, "snat_det_add_map return %d", rv);
3863 unformat_free (line_input);
3870 * @cliexstart{snat deterministic add}
3871 * Create bijective mapping of inside address to outside address and port range
3872 * pairs, with the purpose of enabling deterministic NAT to reduce logging in
3874 * To create deterministic mapping between inside network 10.0.0.0/18 and
3875 * outside network 1.1.1.0/30 use:
3876 * # vpp# nat44 deterministic add in 10.0.0.0/18 out 1.1.1.0/30
3879 VLIB_CLI_COMMAND (snat_det_map_command, static) = {
3880 .path = "nat44 deterministic add",
3881 .short_help = "nat44 deterministic add in <addr>/<plen> out <addr>/<plen> [del]",
3882 .function = snat_det_map_command_fn,
3885 static clib_error_t *
3886 snat_det_forward_command_fn (vlib_main_t * vm,
3887 unformat_input_t * input,
3888 vlib_cli_command_t * cmd)
3890 snat_main_t *sm = &snat_main;
3891 unformat_input_t _line_input, *line_input = &_line_input;
3892 ip4_address_t in_addr, out_addr;
3894 snat_det_map_t * dm;
3895 clib_error_t *error = 0;
3897 /* Get a line of input. */
3898 if (!unformat_user (input, unformat_line_input, line_input))
3901 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3903 if (unformat (line_input, "%U", unformat_ip4_address, &in_addr))
3907 error = clib_error_return (0, "unknown input '%U'",
3908 format_unformat_error, line_input);
3913 dm = snat_det_map_by_user(sm, &in_addr);
3915 vlib_cli_output (vm, "no match");
3918 snat_det_forward (dm, &in_addr, &out_addr, &lo_port);
3919 vlib_cli_output (vm, "%U:<%d-%d>", format_ip4_address, &out_addr,
3920 lo_port, lo_port + dm->ports_per_host - 1);
3924 unformat_free (line_input);
3931 * @cliexstart{snat deterministic forward}
3932 * Return outside address and port range from inside address for deterministic
3934 * To obtain outside address and port of inside host use:
3935 * vpp# nat44 deterministic forward 10.0.0.2
3936 * 1.1.1.0:<1054-1068>
3939 VLIB_CLI_COMMAND (snat_det_forward_command, static) = {
3940 .path = "nat44 deterministic forward",
3941 .short_help = "nat44 deterministic forward <addr>",
3942 .function = snat_det_forward_command_fn,
3945 static clib_error_t *
3946 snat_det_reverse_command_fn (vlib_main_t * vm,
3947 unformat_input_t * input,
3948 vlib_cli_command_t * cmd)
3950 snat_main_t *sm = &snat_main;
3951 unformat_input_t _line_input, *line_input = &_line_input;
3952 ip4_address_t in_addr, out_addr;
3954 snat_det_map_t * dm;
3955 clib_error_t *error = 0;
3957 /* Get a line of input. */
3958 if (!unformat_user (input, unformat_line_input, line_input))
3961 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
3963 if (unformat (line_input, "%U:%d", unformat_ip4_address, &out_addr, &out_port))
3967 error = clib_error_return (0, "unknown input '%U'",
3968 format_unformat_error, line_input);
3972 if (out_port < 1024 || out_port > 65535)
3974 error = clib_error_return (0, "wrong port, must be <1024-65535>");
3978 dm = snat_det_map_by_out(sm, &out_addr);
3980 vlib_cli_output (vm, "no match");
3983 snat_det_reverse (dm, &out_addr, (u16) out_port, &in_addr);
3984 vlib_cli_output (vm, "%U", format_ip4_address, &in_addr);
3988 unformat_free (line_input);
3995 * @cliexstart{snat deterministic reverse}
3996 * Return inside address from outside address and port for deterministic NAT.
3997 * To obtain inside host address from outside address and port use:
3998 * #vpp nat44 deterministic reverse 1.1.1.1:1276
4002 VLIB_CLI_COMMAND (snat_det_reverse_command, static) = {
4003 .path = "nat44 deterministic reverse",
4004 .short_help = "nat44 deterministic reverse <addr>:<port>",
4005 .function = snat_det_reverse_command_fn,
4008 static clib_error_t *
4009 set_timeout_command_fn (vlib_main_t * vm,
4010 unformat_input_t * input,
4011 vlib_cli_command_t * cmd)
4013 snat_main_t *sm = &snat_main;
4014 unformat_input_t _line_input, *line_input = &_line_input;
4015 clib_error_t *error = 0;
4017 /* Get a line of input. */
4018 if (!unformat_user (input, unformat_line_input, line_input))
4021 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4023 if (unformat (line_input, "udp %u", &sm->udp_timeout))
4025 else if (unformat (line_input, "tcp-established %u",
4026 &sm->tcp_established_timeout))
4028 else if (unformat (line_input, "tcp-transitory %u",
4029 &sm->tcp_transitory_timeout))
4031 else if (unformat (line_input, "icmp %u", &sm->icmp_timeout))
4033 else if (unformat (line_input, "reset"))
4035 sm->udp_timeout = SNAT_UDP_TIMEOUT;
4036 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
4037 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
4038 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
4042 error = clib_error_return (0, "unknown input '%U'",
4043 format_unformat_error, line_input);
4049 unformat_free (line_input);
4056 * @cliexstart{set snat deterministic timeout}
4057 * Set values of timeouts for deterministic NAT (in seconds), use:
4058 * vpp# set nat44 deterministic timeout udp 120 tcp-established 7500
4059 * tcp-transitory 250 icmp 90
4060 * To reset default values use:
4061 * vpp# set nat44 deterministic timeout reset
4064 VLIB_CLI_COMMAND (set_timeout_command, static) = {
4065 .path = "set nat44 deterministic timeout",
4066 .function = set_timeout_command_fn,
4068 "set nat44 deterministic timeout [udp <sec> | tcp-established <sec> "
4069 "tcp-transitory <sec> | icmp <sec> | reset]",
4072 static clib_error_t *
4073 snat_det_close_session_out_fn (vlib_main_t *vm,
4074 unformat_input_t * input,
4075 vlib_cli_command_t * cmd)
4077 snat_main_t *sm = &snat_main;
4078 unformat_input_t _line_input, *line_input = &_line_input;
4079 ip4_address_t out_addr, ext_addr, in_addr;
4080 u32 out_port, ext_port;
4081 snat_det_map_t * dm;
4082 snat_det_session_t * ses;
4083 snat_det_out_key_t key;
4084 clib_error_t *error = 0;
4086 /* Get a line of input. */
4087 if (!unformat_user (input, unformat_line_input, line_input))
4090 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4092 if (unformat (line_input, "%U:%d %U:%d",
4093 unformat_ip4_address, &out_addr, &out_port,
4094 unformat_ip4_address, &ext_addr, &ext_port))
4098 error = clib_error_return (0, "unknown input '%U'",
4099 format_unformat_error, line_input);
4104 unformat_free (line_input);
4106 dm = snat_det_map_by_out(sm, &out_addr);
4108 vlib_cli_output (vm, "no match");
4111 snat_det_reverse(dm, &ext_addr, (u16)out_port, &in_addr);
4112 key.ext_host_addr = out_addr;
4113 key.ext_host_port = ntohs((u16)ext_port);
4114 key.out_port = ntohs((u16)out_port);
4115 ses = snat_det_get_ses_by_out(dm, &out_addr, key.as_u64);
4117 vlib_cli_output (vm, "no match");
4119 snat_det_ses_close(dm, ses);
4123 unformat_free (line_input);
4130 * @cliexstart{snat deterministic close session out}
4131 * Close session using outside ip address and port
4132 * and external ip address and port, use:
4133 * vpp# nat44 deterministic close session out 1.1.1.1:1276 2.2.2.2:2387
4136 VLIB_CLI_COMMAND (snat_det_close_sesion_out_command, static) = {
4137 .path = "nat44 deterministic close session out",
4138 .short_help = "nat44 deterministic close session out "
4139 "<out_addr>:<out_port> <ext_addr>:<ext_port>",
4140 .function = snat_det_close_session_out_fn,
4143 static clib_error_t *
4144 snat_det_close_session_in_fn (vlib_main_t *vm,
4145 unformat_input_t * input,
4146 vlib_cli_command_t * cmd)
4148 snat_main_t *sm = &snat_main;
4149 unformat_input_t _line_input, *line_input = &_line_input;
4150 ip4_address_t in_addr, ext_addr;
4151 u32 in_port, ext_port;
4152 snat_det_map_t * dm;
4153 snat_det_session_t * ses;
4154 snat_det_out_key_t key;
4155 clib_error_t *error = 0;
4157 /* Get a line of input. */
4158 if (!unformat_user (input, unformat_line_input, line_input))
4161 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
4163 if (unformat (line_input, "%U:%d %U:%d",
4164 unformat_ip4_address, &in_addr, &in_port,
4165 unformat_ip4_address, &ext_addr, &ext_port))
4169 error = clib_error_return (0, "unknown input '%U'",
4170 format_unformat_error, line_input);
4175 unformat_free (line_input);
4177 dm = snat_det_map_by_user (sm, &in_addr);
4179 vlib_cli_output (vm, "no match");
4182 key.ext_host_addr = ext_addr;
4183 key.ext_host_port = ntohs ((u16)ext_port);
4184 ses = snat_det_find_ses_by_in (dm, &in_addr, ntohs((u16)in_port), key);
4186 vlib_cli_output (vm, "no match");
4188 snat_det_ses_close(dm, ses);
4192 unformat_free(line_input);
4199 * @cliexstart{snat deterministic close_session_in}
4200 * Close session using inside ip address and port
4201 * and external ip address and port, use:
4202 * vpp# nat44 deterministic close session in 3.3.3.3:3487 2.2.2.2:2387
4205 VLIB_CLI_COMMAND (snat_det_close_session_in_command, static) = {
4206 .path = "nat44 deterministic close session in",
4207 .short_help = "nat44 deterministic close session in "
4208 "<in_addr>:<in_port> <ext_addr>:<ext_port>",
4209 .function = snat_det_close_session_in_fn,
Code Review / vpp.git / blob