2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
20 #include <vnet/fib/fib_table.h>
22 #include <nat/lib/log.h>
23 #include <nat/lib/nat_inlines.h>
24 #include <nat/lib/ipfix_logging.h>
26 #include <nat/nat44-ed/nat44_ed.h>
27 #include <nat/nat44-ed/nat44_ed_inlines.h>
28 #include <nat/nat44-ed/nat44_ed_affinity.h>
31 nat44_enable_command_fn (vlib_main_t * vm,
32 unformat_input_t * input, vlib_cli_command_t * cmd)
34 snat_main_t *sm = &snat_main;
35 unformat_input_t _line_input, *line_input = &_line_input;
36 clib_error_t *error = 0;
38 nat44_config_t c = { 0 };
42 return clib_error_return (0, "nat44 already enabled");
44 /* Get a line of input. */
45 if (!unformat_user (input, unformat_line_input, line_input))
47 if (nat44_plugin_enable (c) != 0)
48 return clib_error_return (0, "nat44 enable failed");
52 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
54 if (!mode_set && unformat (line_input, "static-mapping-only"))
57 c.static_mapping_only = 1;
58 if (unformat (line_input, "connection-tracking"))
60 c.connection_tracking = 1;
63 else if (unformat (line_input, "inside-vrf %u", &c.inside_vrf));
64 else if (unformat (line_input, "outside-vrf %u", &c.outside_vrf));
65 else if (unformat (line_input, "sessions %u", &c.sessions));
68 error = clib_error_return (0, "unknown input '%U'",
69 format_unformat_error, line_input);
76 error = clib_error_return (0, "number of sessions is required");
80 if (nat44_plugin_enable (c) != 0)
81 error = clib_error_return (0, "nat44 enable failed");
83 unformat_free (line_input);
88 nat44_disable_command_fn (vlib_main_t * vm,
89 unformat_input_t * input, vlib_cli_command_t * cmd)
91 snat_main_t *sm = &snat_main;
92 clib_error_t *error = 0;
95 return clib_error_return (0, "nat44 already disabled");
97 if (nat44_plugin_disable () != 0)
98 error = clib_error_return (0, "nat44 disable failed");
103 static clib_error_t *
104 set_workers_command_fn (vlib_main_t * vm,
105 unformat_input_t * input, vlib_cli_command_t * cmd)
107 unformat_input_t _line_input, *line_input = &_line_input;
110 clib_error_t *error = 0;
112 /* Get a line of input. */
113 if (!unformat_user (input, unformat_line_input, line_input))
116 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
118 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
122 error = clib_error_return (0, "unknown input '%U'",
123 format_unformat_error, line_input);
130 error = clib_error_return (0, "List of workers must be specified.");
134 rv = snat_set_workers (bitmap);
136 clib_bitmap_free (bitmap);
140 case VNET_API_ERROR_INVALID_WORKER:
141 error = clib_error_return (0, "Invalid worker(s).");
143 case VNET_API_ERROR_FEATURE_DISABLED:
144 error = clib_error_return (0,
145 "Supported only if 2 or more workes available.");
152 unformat_free (line_input);
157 static clib_error_t *
158 nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
159 vlib_cli_command_t * cmd)
161 snat_main_t *sm = &snat_main;
164 if (sm->num_workers > 1)
166 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
167 vec_foreach (worker, sm->workers)
169 vlib_worker_thread_t *w =
170 vlib_worker_threads + *worker + sm->first_worker_index;
171 vlib_cli_output (vm, " %s", w->name);
178 static clib_error_t *
179 snat_set_log_level_command_fn (vlib_main_t * vm,
180 unformat_input_t * input,
181 vlib_cli_command_t * cmd)
183 unformat_input_t _line_input, *line_input = &_line_input;
184 snat_main_t *sm = &snat_main;
185 u8 log_level = NAT_LOG_NONE;
186 clib_error_t *error = 0;
188 /* Get a line of input. */
189 if (!unformat_user (input, unformat_line_input, line_input))
192 if (!unformat (line_input, "%d", &log_level))
194 error = clib_error_return (0, "unknown input '%U'",
195 format_unformat_error, line_input);
198 if (log_level > NAT_LOG_DEBUG)
200 error = clib_error_return (0, "unknown logging level '%d'", log_level);
203 sm->log_level = log_level;
206 unformat_free (line_input);
211 static clib_error_t *
212 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
213 unformat_input_t * input,
214 vlib_cli_command_t * cmd)
216 unformat_input_t _line_input, *line_input = &_line_input;
221 clib_error_t *error = 0;
223 /* Get a line of input. */
224 if (!unformat_user (input, unformat_line_input, line_input))
226 rv = nat_ipfix_logging_enable_disable (enable, domain_id,
229 return clib_error_return (0, "ipfix logging enable failed");
233 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
235 if (unformat (line_input, "domain %d", &domain_id))
237 else if (unformat (line_input, "src-port %d", &src_port))
239 else if (unformat (line_input, "disable"))
243 error = clib_error_return (0, "unknown input '%U'",
244 format_unformat_error, line_input);
249 rv = nat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
253 error = clib_error_return (0, "ipfix logging enable failed");
258 unformat_free (line_input);
263 static clib_error_t *
264 nat44_show_hash_command_fn (vlib_main_t * vm, unformat_input_t * input,
265 vlib_cli_command_t * cmd)
267 snat_main_t *sm = &snat_main;
268 nat_affinity_main_t *nam = &nat_affinity_main;
272 if (unformat (input, "detail"))
274 else if (unformat (input, "verbose"))
277 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->static_mapping_by_local,
279 vlib_cli_output (vm, "%U",
280 format_bihash_8_8, &sm->static_mapping_by_external,
282 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->flow_hash, verbose);
283 vec_foreach_index (i, sm->per_thread_data)
285 vlib_cli_output (vm, "-------- thread %d %s --------\n",
286 i, vlib_worker_threads[i].name);
287 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->flow_hash, verbose);
290 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash,
293 vlib_cli_output (vm, "-------- hash table parameters --------\n");
294 vlib_cli_output (vm, "translation buckets: %u", sm->translation_buckets);
298 static clib_error_t *
299 nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
300 vlib_cli_command_t * cmd)
302 unformat_input_t _line_input, *line_input = &_line_input;
303 snat_main_t *sm = &snat_main;
304 clib_error_t *error = 0;
307 /* Get a line of input. */
308 if (!unformat_user (input, unformat_line_input, line_input))
311 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
313 if (unformat (line_input, "disable"))
314 sm->mss_clamping = 0;
315 else if (unformat (line_input, "%d", &mss))
316 sm->mss_clamping = (u16) mss;
319 error = clib_error_return (0, "unknown input '%U'",
320 format_unformat_error, line_input);
326 unformat_free (line_input);
331 static clib_error_t *
332 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
333 vlib_cli_command_t * cmd)
335 snat_main_t *sm = &snat_main;
337 if (sm->mss_clamping)
338 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
340 vlib_cli_output (vm, "mss-clamping disabled");
345 static clib_error_t *
346 add_address_command_fn (vlib_main_t * vm,
347 unformat_input_t * input, vlib_cli_command_t * cmd)
349 unformat_input_t _line_input, *line_input = &_line_input;
350 snat_main_t *sm = &snat_main;
351 ip4_address_t start_addr, end_addr, this_addr;
352 u32 start_host_order, end_host_order;
357 clib_error_t *error = 0;
360 /* Get a line of input. */
361 if (!unformat_user (input, unformat_line_input, line_input))
364 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
366 if (unformat (line_input, "%U - %U",
367 unformat_ip4_address, &start_addr,
368 unformat_ip4_address, &end_addr))
370 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
372 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
373 end_addr = start_addr;
374 else if (unformat (line_input, "twice-nat"))
376 else if (unformat (line_input, "del"))
380 error = clib_error_return (0, "unknown input '%U'",
381 format_unformat_error, line_input);
386 if (sm->static_mapping_only)
388 error = clib_error_return (0, "static mapping only mode");
392 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
393 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
395 if (end_host_order < start_host_order)
397 error = clib_error_return (0, "end address less than start address");
401 count = (end_host_order - start_host_order) + 1;
404 nat_log_info ("%U - %U, %d addresses...",
405 format_ip4_address, &start_addr,
406 format_ip4_address, &end_addr, count);
408 this_addr = start_addr;
410 for (i = 0; i < count; i++)
413 rv = snat_add_address (sm, &this_addr, vrf_id, twice_nat);
415 rv = snat_del_address (sm, this_addr, 0, twice_nat);
419 case VNET_API_ERROR_VALUE_EXIST:
420 error = clib_error_return (0, "NAT address already in use.");
422 case VNET_API_ERROR_NO_SUCH_ENTRY:
423 error = clib_error_return (0, "NAT address not exist.");
425 case VNET_API_ERROR_UNSPECIFIED:
427 clib_error_return (0, "NAT address used in static mapping.");
433 increment_v4_address (&this_addr);
437 unformat_free (line_input);
443 nat44_show_lru_summary (vlib_main_t * vm, snat_main_per_thread_data_t * tsm,
444 u64 now, u64 sess_timeout_time)
446 snat_main_t *sm = &snat_main;
447 dlist_elt_t *oldest_elt;
453 clib_dlist_remove_head (tsm->lru_pool, tsm->n##_lru_head_index); \
454 if (~0 != oldest_index) \
456 oldest_elt = pool_elt_at_index (tsm->lru_pool, oldest_index); \
457 s = pool_elt_at_index (tsm->sessions, oldest_elt->value); \
458 sess_timeout_time = \
459 s->last_heard + (f64)nat44_session_get_timeout (sm, s); \
460 vlib_cli_output (vm, d " LRU min session timeout %llu (now %llu)", \
461 sess_timeout_time, now); \
462 clib_dlist_addhead (tsm->lru_pool, tsm->n##_lru_head_index, \
465 _(tcp_estab, "established tcp");
466 _(tcp_trans, "transitory tcp");
468 _(unk_proto, "unknown protocol");
473 static clib_error_t *
474 nat44_show_summary_command_fn (vlib_main_t * vm, unformat_input_t * input,
475 vlib_cli_command_t * cmd)
477 snat_main_per_thread_data_t *tsm;
478 snat_main_t *sm = &snat_main;
483 u64 now = vlib_time_now (vm);
484 u64 sess_timeout_time = 0;
486 u32 udp_sessions = 0;
487 u32 tcp_sessions = 0;
488 u32 icmp_sessions = 0;
492 u32 transitory_wait_closed = 0;
493 u32 transitory_closed = 0;
498 for (fib = 0; fib < vec_len (sm->max_translations_per_fib); fib++)
499 vlib_cli_output (vm, "max translations per thread: %u fib %u",
500 sm->max_translations_per_fib[fib], fib);
502 if (sm->num_workers > 1)
504 vec_foreach (tsm, sm->per_thread_data)
506 pool_foreach (s, tsm->sessions)
508 sess_timeout_time = s->last_heard +
509 (f64) nat44_session_get_timeout (sm, s);
510 if (now >= sess_timeout_time)
513 switch (s->nat_proto)
515 case NAT_PROTOCOL_ICMP:
518 case NAT_PROTOCOL_TCP:
522 if (s->tcp_closed_timestamp)
524 if (now >= s->tcp_closed_timestamp)
530 ++transitory_wait_closed;
538 case NAT_PROTOCOL_UDP:
544 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
545 count += pool_elts (tsm->sessions);
550 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
551 pool_foreach (s, tsm->sessions)
553 sess_timeout_time = s->last_heard +
554 (f64) nat44_session_get_timeout (sm, s);
555 if (now >= sess_timeout_time)
558 switch (s->nat_proto)
560 case NAT_PROTOCOL_ICMP:
563 case NAT_PROTOCOL_TCP:
567 if (s->tcp_closed_timestamp)
569 if (now >= s->tcp_closed_timestamp)
575 ++transitory_wait_closed;
583 case NAT_PROTOCOL_UDP:
589 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
590 count = pool_elts (tsm->sessions);
593 vlib_cli_output (vm, "total timed out sessions: %u", timed_out);
594 vlib_cli_output (vm, "total sessions: %u", count);
595 vlib_cli_output (vm, "total tcp sessions: %u", tcp_sessions);
596 vlib_cli_output (vm, "total tcp established sessions: %u", established);
597 vlib_cli_output (vm, "total tcp transitory sessions: %u", transitory);
598 vlib_cli_output (vm, "total tcp transitory (WAIT-CLOSED) sessions: %u",
599 transitory_wait_closed);
600 vlib_cli_output (vm, "total tcp transitory (CLOSED) sessions: %u",
602 vlib_cli_output (vm, "total udp sessions: %u", udp_sessions);
603 vlib_cli_output (vm, "total icmp sessions: %u", icmp_sessions);
607 static clib_error_t *
608 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
609 vlib_cli_command_t * cmd)
611 snat_main_t *sm = &snat_main;
614 vlib_cli_output (vm, "NAT44 pool addresses:");
615 vec_foreach (ap, sm->addresses)
617 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
618 if (ap->fib_index != ~0)
619 vlib_cli_output (vm, " tenant VRF: %u",
620 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
622 vlib_cli_output (vm, " tenant VRF independent");
623 #define _(N, i, n, s) \
624 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
628 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
629 vec_foreach (ap, sm->twice_nat_addresses)
631 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
632 if (ap->fib_index != ~0)
633 vlib_cli_output (vm, " tenant VRF: %u",
634 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
636 vlib_cli_output (vm, " tenant VRF independent");
637 #define _(N, i, n, s) \
638 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
645 static clib_error_t *
646 snat_feature_command_fn (vlib_main_t * vm,
647 unformat_input_t * input, vlib_cli_command_t * cmd)
649 unformat_input_t _line_input, *line_input = &_line_input;
650 vnet_main_t *vnm = vnet_get_main ();
651 clib_error_t *error = 0;
653 u32 *inside_sw_if_indices = 0;
654 u32 *outside_sw_if_indices = 0;
655 u8 is_output_feature = 0;
661 /* Get a line of input. */
662 if (!unformat_user (input, unformat_line_input, line_input))
665 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
667 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
669 vec_add1 (inside_sw_if_indices, sw_if_index);
670 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
672 vec_add1 (outside_sw_if_indices, sw_if_index);
673 else if (unformat (line_input, "output-feature"))
674 is_output_feature = 1;
675 else if (unformat (line_input, "del"))
679 error = clib_error_return (0, "unknown input '%U'",
680 format_unformat_error, line_input);
685 if (vec_len (inside_sw_if_indices))
687 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
689 sw_if_index = inside_sw_if_indices[i];
690 if (is_output_feature)
692 if (snat_interface_add_del_output_feature
693 (sw_if_index, 1, is_del))
695 error = clib_error_return (0, "%s %U failed",
696 is_del ? "del" : "add",
697 format_vnet_sw_if_index_name,
704 if (snat_interface_add_del (sw_if_index, 1, is_del))
706 error = clib_error_return (0, "%s %U failed",
707 is_del ? "del" : "add",
708 format_vnet_sw_if_index_name,
716 if (vec_len (outside_sw_if_indices))
718 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
720 sw_if_index = outside_sw_if_indices[i];
721 if (is_output_feature)
723 if (snat_interface_add_del_output_feature
724 (sw_if_index, 0, is_del))
726 error = clib_error_return (0, "%s %U failed",
727 is_del ? "del" : "add",
728 format_vnet_sw_if_index_name,
735 if (snat_interface_add_del (sw_if_index, 0, is_del))
737 error = clib_error_return (0, "%s %U failed",
738 is_del ? "del" : "add",
739 format_vnet_sw_if_index_name,
748 unformat_free (line_input);
749 vec_free (inside_sw_if_indices);
750 vec_free (outside_sw_if_indices);
755 static clib_error_t *
756 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
757 vlib_cli_command_t * cmd)
759 snat_main_t *sm = &snat_main;
761 vnet_main_t *vnm = vnet_get_main ();
763 vlib_cli_output (vm, "NAT44 interfaces:");
764 pool_foreach (i, sm->interfaces)
766 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
768 (nat_interface_is_inside(i) &&
769 nat_interface_is_outside(i)) ? "in out" :
770 (nat_interface_is_inside(i) ? "in" : "out"));
773 pool_foreach (i, sm->output_feature_interfaces)
775 vlib_cli_output (vm, " %U output-feature %s",
776 format_vnet_sw_if_index_name, vnm,
778 (nat_interface_is_inside(i) &&
779 nat_interface_is_outside(i)) ? "in out" :
780 (nat_interface_is_inside(i) ? "in" : "out"));
786 static clib_error_t *
787 add_static_mapping_command_fn (vlib_main_t * vm,
788 unformat_input_t * input,
789 vlib_cli_command_t * cmd)
791 unformat_input_t _line_input, *line_input = &_line_input;
792 clib_error_t *error = 0;
793 ip4_address_t l_addr, e_addr, exact_addr;
794 u32 l_port = 0, e_port = 0, vrf_id = ~0;
795 int is_add = 1, addr_only = 1, rv, exact = 0;
796 u32 sw_if_index = ~0;
797 vnet_main_t *vnm = vnet_get_main ();
798 nat_protocol_t proto = NAT_PROTOCOL_OTHER;
800 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
803 /* Get a line of input. */
804 if (!unformat_user (input, unformat_line_input, line_input))
807 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
809 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
813 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
815 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
818 else if (unformat (line_input, "external %U", unformat_ip4_address,
821 else if (unformat (line_input, "external %U %u",
822 unformat_vnet_sw_interface, vnm, &sw_if_index,
825 else if (unformat (line_input, "external %U",
826 unformat_vnet_sw_interface, vnm, &sw_if_index))
828 else if (unformat (line_input, "exact %U", unformat_ip4_address,
831 else if (unformat (line_input, "vrf %u", &vrf_id))
833 else if (unformat (line_input, "%U", unformat_nat_protocol, &proto))
835 else if (unformat (line_input, "twice-nat"))
836 twice_nat = TWICE_NAT;
837 else if (unformat (line_input, "self-twice-nat"))
838 twice_nat = TWICE_NAT_SELF;
839 else if (unformat (line_input, "out2in-only"))
841 else if (unformat (line_input, "del"))
845 error = clib_error_return (0, "unknown input: '%U'",
846 format_unformat_error, line_input);
851 if (twice_nat && addr_only)
853 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
862 clib_error_return (0,
863 "address only mapping doesn't support protocol");
869 error = clib_error_return (0, "protocol is required");
873 rv = snat_add_static_mapping (
874 l_addr, e_addr, clib_host_to_net_u16 (l_port),
875 clib_host_to_net_u16 (e_port), vrf_id, addr_only, sw_if_index, proto,
876 is_add, twice_nat, out2in_only, 0, 0, exact_addr, exact);
880 case VNET_API_ERROR_INVALID_VALUE:
881 error = clib_error_return (0, "External port already in use.");
883 case VNET_API_ERROR_NO_SUCH_ENTRY:
885 error = clib_error_return (0, "External address must be allocated.");
887 error = clib_error_return (0, "Mapping not exist.");
889 case VNET_API_ERROR_NO_SUCH_FIB:
890 error = clib_error_return (0, "No such VRF id.");
892 case VNET_API_ERROR_VALUE_EXIST:
893 error = clib_error_return (0, "Mapping already exist.");
900 unformat_free (line_input);
905 static clib_error_t *
906 add_identity_mapping_command_fn (vlib_main_t * vm,
907 unformat_input_t * input,
908 vlib_cli_command_t * cmd)
910 unformat_input_t _line_input, *line_input = &_line_input;
911 clib_error_t *error = 0;
912 ip4_address_t addr, pool_addr = { 0 };
913 u32 port = 0, vrf_id = ~0;
916 u32 sw_if_index = ~0;
917 vnet_main_t *vnm = vnet_get_main ();
919 nat_protocol_t proto;
923 /* Get a line of input. */
924 if (!unformat_user (input, unformat_line_input, line_input))
927 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
929 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
931 else if (unformat (line_input, "external %U",
932 unformat_vnet_sw_interface, vnm, &sw_if_index))
934 else if (unformat (line_input, "vrf %u", &vrf_id))
936 else if (unformat (line_input, "%U %u", unformat_nat_protocol, &proto,
939 else if (unformat (line_input, "del"))
943 error = clib_error_return (0, "unknown input: '%U'",
944 format_unformat_error, line_input);
949 rv = snat_add_static_mapping (
950 addr, addr, clib_host_to_net_u16 (port), clib_host_to_net_u16 (port),
951 vrf_id, addr_only, sw_if_index, proto, is_add, 0, 0, 0, 1, pool_addr, 0);
955 case VNET_API_ERROR_INVALID_VALUE:
956 error = clib_error_return (0, "External port already in use.");
958 case VNET_API_ERROR_NO_SUCH_ENTRY:
960 error = clib_error_return (0, "External address must be allocated.");
962 error = clib_error_return (0, "Mapping not exist.");
964 case VNET_API_ERROR_NO_SUCH_FIB:
965 error = clib_error_return (0, "No such VRF id.");
967 case VNET_API_ERROR_VALUE_EXIST:
968 error = clib_error_return (0, "Mapping already exist.");
975 unformat_free (line_input);
980 static clib_error_t *
981 add_lb_static_mapping_command_fn (vlib_main_t * vm,
982 unformat_input_t * input,
983 vlib_cli_command_t * cmd)
985 unformat_input_t _line_input, *line_input = &_line_input;
986 clib_error_t *error = 0;
987 ip4_address_t l_addr, e_addr;
988 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
991 nat_protocol_t proto;
993 nat44_lb_addr_port_t *locals = 0, local;
994 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
997 /* Get a line of input. */
998 if (!unformat_user (input, unformat_line_input, line_input))
1001 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1003 if (unformat (line_input, "local %U:%u probability %u",
1004 unformat_ip4_address, &l_addr, &l_port, &probability))
1006 clib_memset (&local, 0, sizeof (local));
1007 local.addr = l_addr;
1008 local.port = (u16) l_port;
1009 local.probability = (u8) probability;
1010 vec_add1 (locals, local);
1012 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1013 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1016 clib_memset (&local, 0, sizeof (local));
1017 local.addr = l_addr;
1018 local.port = (u16) l_port;
1019 local.probability = (u8) probability;
1020 local.vrf_id = vrf_id;
1021 vec_add1 (locals, local);
1023 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1026 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1029 else if (unformat (line_input, "twice-nat"))
1030 twice_nat = TWICE_NAT;
1031 else if (unformat (line_input, "self-twice-nat"))
1032 twice_nat = TWICE_NAT_SELF;
1033 else if (unformat (line_input, "out2in-only"))
1035 else if (unformat (line_input, "del"))
1037 else if (unformat (line_input, "affinity %u", &affinity))
1041 error = clib_error_return (0, "unknown input: '%U'",
1042 format_unformat_error, line_input);
1047 if (vec_len (locals) < 2)
1049 error = clib_error_return (0, "at least two local must be set");
1055 error = clib_error_return (0, "missing protocol");
1059 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
1060 is_add, twice_nat, out2in_only, 0,
1065 case VNET_API_ERROR_INVALID_VALUE:
1066 error = clib_error_return (0, "External port already in use.");
1068 case VNET_API_ERROR_NO_SUCH_ENTRY:
1070 error = clib_error_return (0, "External address must be allocated.");
1072 error = clib_error_return (0, "Mapping not exist.");
1074 case VNET_API_ERROR_VALUE_EXIST:
1075 error = clib_error_return (0, "Mapping already exist.");
1082 unformat_free (line_input);
1088 static clib_error_t *
1089 add_lb_backend_command_fn (vlib_main_t * vm,
1090 unformat_input_t * input, vlib_cli_command_t * cmd)
1092 unformat_input_t _line_input, *line_input = &_line_input;
1093 clib_error_t *error = 0;
1094 ip4_address_t l_addr, e_addr;
1095 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
1098 nat_protocol_t proto;
1101 /* Get a line of input. */
1102 if (!unformat_user (input, unformat_line_input, line_input))
1105 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1107 if (unformat (line_input, "local %U:%u probability %u",
1108 unformat_ip4_address, &l_addr, &l_port, &probability))
1110 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1111 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1114 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1117 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1120 else if (unformat (line_input, "del"))
1124 error = clib_error_return (0, "unknown input: '%U'",
1125 format_unformat_error, line_input);
1130 if (!l_port || !e_port)
1132 error = clib_error_return (0, "local or external must be set");
1138 error = clib_error_return (0, "missing protocol");
1143 nat44_lb_static_mapping_add_del_local (e_addr, (u16) e_port, l_addr,
1144 l_port, proto, vrf_id, probability,
1149 case VNET_API_ERROR_INVALID_VALUE:
1150 error = clib_error_return (0, "External is not load-balancing static "
1153 case VNET_API_ERROR_NO_SUCH_ENTRY:
1154 error = clib_error_return (0, "Mapping or back-end not exist.");
1156 case VNET_API_ERROR_VALUE_EXIST:
1157 error = clib_error_return (0, "Back-end already exist.");
1159 case VNET_API_ERROR_UNSPECIFIED:
1160 error = clib_error_return (0, "At least two back-ends must remain");
1167 unformat_free (line_input);
1172 static clib_error_t *
1173 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
1174 unformat_input_t * input,
1175 vlib_cli_command_t * cmd)
1177 snat_main_t *sm = &snat_main;
1178 snat_static_mapping_t *m;
1179 snat_static_map_resolve_t *rp;
1181 vlib_cli_output (vm, "NAT44 static mappings:");
1182 pool_foreach (m, sm->static_mappings)
1184 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
1186 vec_foreach (rp, sm->to_resolve)
1187 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
1192 static clib_error_t *
1193 snat_add_interface_address_command_fn (vlib_main_t * vm,
1194 unformat_input_t * input,
1195 vlib_cli_command_t * cmd)
1197 snat_main_t *sm = &snat_main;
1198 unformat_input_t _line_input, *line_input = &_line_input;
1202 clib_error_t *error = 0;
1205 /* Get a line of input. */
1206 if (!unformat_user (input, unformat_line_input, line_input))
1209 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1211 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
1212 sm->vnet_main, &sw_if_index))
1214 else if (unformat (line_input, "twice-nat"))
1216 else if (unformat (line_input, "del"))
1220 error = clib_error_return (0, "unknown input '%U'",
1221 format_unformat_error, line_input);
1226 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
1234 error = clib_error_return (0, "snat_add_interface_address returned %d",
1240 unformat_free (line_input);
1245 static clib_error_t *
1246 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1247 unformat_input_t * input,
1248 vlib_cli_command_t * cmd)
1250 snat_main_t *sm = &snat_main;
1251 vnet_main_t *vnm = vnet_get_main ();
1254 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1255 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1257 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1260 vlib_cli_output (vm, "NAT44 twice-nat pool address interfaces:");
1261 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
1263 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1270 static clib_error_t *
1271 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1272 vlib_cli_command_t * cmd)
1274 unformat_input_t _line_input, *line_input = &_line_input;
1275 clib_error_t *error = 0;
1276 snat_main_per_thread_data_t *tsm;
1277 snat_main_t *sm = &snat_main;
1281 if (!unformat_user (input, unformat_line_input, line_input))
1284 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1286 error = clib_error_return (0, "unknown input '%U'",
1287 format_unformat_error, line_input);
1290 unformat_free (line_input);
1293 vlib_cli_output (vm, "NAT44 ED sessions:");
1295 vec_foreach_index (i, sm->per_thread_data)
1297 tsm = vec_elt_at_index (sm->per_thread_data, i);
1299 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1300 i, vlib_worker_threads[i].name,
1301 pool_elts (tsm->sessions));
1304 pool_foreach (s, tsm->sessions)
1306 vlib_cli_output (vm, " %U\n", format_snat_session, tsm, s);
1312 static clib_error_t *
1313 nat44_set_session_limit_command_fn (vlib_main_t * vm,
1314 unformat_input_t * input,
1315 vlib_cli_command_t * cmd)
1317 unformat_input_t _line_input, *line_input = &_line_input;
1318 clib_error_t *error = 0;
1320 u32 session_limit = 0, vrf_id = 0;
1322 /* Get a line of input. */
1323 if (!unformat_user (input, unformat_line_input, line_input))
1326 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1328 if (unformat (line_input, "%u", &session_limit))
1330 else if (unformat (line_input, "vrf %u", &vrf_id))
1334 error = clib_error_return (0, "unknown input '%U'",
1335 format_unformat_error, line_input);
1341 error = clib_error_return (0, "missing value of session limit");
1342 else if (nat44_update_session_limit (session_limit, vrf_id))
1343 error = clib_error_return (0, "nat44_set_session_limit failed");
1346 unformat_free (line_input);
1351 static clib_error_t *
1352 nat44_del_session_command_fn (vlib_main_t * vm,
1353 unformat_input_t * input,
1354 vlib_cli_command_t * cmd)
1356 snat_main_t *sm = &snat_main;
1357 unformat_input_t _line_input, *line_input = &_line_input;
1358 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1359 clib_error_t *error = 0;
1360 ip4_address_t addr, eh_addr;
1361 nat_protocol_t proto;
1365 /* Get a line of input. */
1366 if (!unformat_user (input, unformat_line_input, line_input))
1369 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1372 (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1373 unformat_nat_protocol, &proto))
1375 else if (unformat (line_input, "in"))
1378 vrf_id = sm->inside_vrf_id;
1380 else if (unformat (line_input, "out"))
1383 vrf_id = sm->outside_vrf_id;
1385 else if (unformat (line_input, "vrf %u", &vrf_id))
1387 else if (unformat (line_input, "external-host %U:%u",
1388 unformat_ip4_address, &eh_addr, &eh_port))
1392 error = clib_error_return (0, "unknown input '%U'",
1393 format_unformat_error, line_input);
1399 nat44_del_ed_session (sm, &addr, clib_host_to_net_u16 (port), &eh_addr,
1400 clib_host_to_net_u16 (eh_port),
1401 nat_proto_to_ip_proto (proto), vrf_id, is_in);
1409 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1414 unformat_free (line_input);
1419 static clib_error_t *
1420 snat_forwarding_set_command_fn (vlib_main_t * vm,
1421 unformat_input_t * input,
1422 vlib_cli_command_t * cmd)
1424 snat_main_t *sm = &snat_main;
1425 unformat_input_t _line_input, *line_input = &_line_input;
1426 u8 forwarding_enable;
1427 u8 forwarding_enable_set = 0;
1428 clib_error_t *error = 0;
1430 /* Get a line of input. */
1431 if (!unformat_user (input, unformat_line_input, line_input))
1432 return clib_error_return (0, "'enable' or 'disable' expected");
1434 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1436 if (!forwarding_enable_set && unformat (line_input, "enable"))
1438 forwarding_enable = 1;
1439 forwarding_enable_set = 1;
1441 else if (!forwarding_enable_set && unformat (line_input, "disable"))
1443 forwarding_enable = 0;
1444 forwarding_enable_set = 1;
1448 error = clib_error_return (0, "unknown input '%U'",
1449 format_unformat_error, line_input);
1454 if (!forwarding_enable_set)
1456 error = clib_error_return (0, "'enable' or 'disable' expected");
1460 sm->forwarding_enabled = forwarding_enable;
1463 unformat_free (line_input);
1468 static clib_error_t *
1469 set_timeout_command_fn (vlib_main_t * vm,
1470 unformat_input_t * input, vlib_cli_command_t * cmd)
1472 snat_main_t *sm = &snat_main;
1473 unformat_input_t _line_input, *line_input = &_line_input;
1474 clib_error_t *error = 0;
1476 /* Get a line of input. */
1477 if (!unformat_user (input, unformat_line_input, line_input))
1480 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1482 if (unformat (line_input, "udp %u", &sm->timeouts.udp));
1483 else if (unformat (line_input, "tcp-established %u",
1484 &sm->timeouts.tcp.established));
1485 else if (unformat (line_input, "tcp-transitory %u",
1486 &sm->timeouts.tcp.transitory));
1487 else if (unformat (line_input, "icmp %u", &sm->timeouts.icmp));
1488 else if (unformat (line_input, "reset"))
1489 nat_reset_timeouts (&sm->timeouts);
1492 error = clib_error_return (0, "unknown input '%U'",
1493 format_unformat_error, line_input);
1498 unformat_free (line_input);
1502 static clib_error_t *
1503 nat_show_timeouts_command_fn (vlib_main_t * vm,
1504 unformat_input_t * input,
1505 vlib_cli_command_t * cmd)
1507 snat_main_t *sm = &snat_main;
1509 vlib_cli_output (vm, "udp timeout: %dsec", sm->timeouts.udp);
1510 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1511 sm->timeouts.tcp.established);
1512 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1513 sm->timeouts.tcp.transitory);
1514 vlib_cli_output (vm, "icmp timeout: %dsec", sm->timeouts.icmp);
1519 static clib_error_t *
1520 set_frame_queue_nelts_command_fn (vlib_main_t *vm, unformat_input_t *input,
1521 vlib_cli_command_t *cmd)
1523 unformat_input_t _line_input, *line_input = &_line_input;
1524 clib_error_t *error = 0;
1525 u32 frame_queue_nelts = 0;
1526 /* Get a line of input. */
1527 if (!unformat_user (input, unformat_line_input, line_input))
1529 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1531 if (unformat (line_input, "%u", &frame_queue_nelts))
1535 error = clib_error_return (0, "unknown input '%U'",
1536 format_unformat_error, line_input);
1540 if (!frame_queue_nelts)
1542 error = clib_error_return (0, "frame_queue_nelts cannot be zero");
1545 if (snat_set_frame_queue_nelts (frame_queue_nelts) != 0)
1547 error = clib_error_return (0, "snat_set_frame_queue_nelts failed");
1551 unformat_free (line_input);
1557 * @cliexstart{nat44 enable}
1558 * Enable nat44 plugin
1559 * To enable nat44, use:
1560 * vpp# nat44 enable sessions <n>
1561 * To enable nat44 static mapping only, use:
1562 * vpp# nat44 enable sessions <n> static-mapping
1563 * To enable nat44 static mapping with connection tracking, use:
1564 * vpp# nat44 enable sessions <n> static-mapping connection-tracking
1565 * To set inside-vrf outside-vrf, use:
1566 * vpp# nat44 enable sessions <n> inside-vrf <id> outside-vrf <id>
1569 VLIB_CLI_COMMAND (nat44_enable_command, static) = {
1570 .path = "nat44 enable",
1572 "nat44 enable sessions <max-number> [static-mappig-only "
1573 "[connection-tracking]] [inside-vrf <vrf-id>] [outside-vrf <vrf-id>]",
1574 .function = nat44_enable_command_fn,
1579 * @cliexstart{nat44 disable}
1580 * Disable nat44 plugin
1581 * To disable nat44, use:
1582 * vpp# nat44 disable
1585 VLIB_CLI_COMMAND (nat44_disable_command, static) = {
1586 .path = "nat44 disable",
1587 .short_help = "nat44 disable",
1588 .function = nat44_disable_command_fn,
1593 * @cliexstart{set snat workers}
1594 * Set NAT workers if 2 or more workers available, use:
1595 * vpp# set snat workers 0-2,5
1598 VLIB_CLI_COMMAND (set_workers_command, static) = {
1599 .path = "set nat workers",
1600 .function = set_workers_command_fn,
1601 .short_help = "set nat workers <workers-list>",
1606 * @cliexstart{show nat workers}
1608 * vpp# show nat workers:
1614 VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
1615 .path = "show nat workers",
1616 .short_help = "show nat workers",
1617 .function = nat_show_workers_commnad_fn,
1622 * @cliexstart{set nat timeout}
1623 * Set values of timeouts for NAT sessions (in seconds), use:
1624 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
1625 * To reset default values use:
1626 * vpp# set nat timeout reset
1629 VLIB_CLI_COMMAND (set_timeout_command, static) = {
1630 .path = "set nat timeout",
1631 .function = set_timeout_command_fn,
1633 "set nat timeout [udp <sec> | tcp-established <sec> "
1634 "tcp-transitory <sec> | icmp <sec> | reset]",
1639 * @cliexstart{show nat timeouts}
1640 * Show values of timeouts for NAT sessions.
1641 * vpp# show nat timeouts
1642 * udp timeout: 300sec
1643 * tcp-established timeout: 7440sec
1644 * tcp-transitory timeout: 240sec
1645 * icmp timeout: 60sec
1648 VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
1649 .path = "show nat timeouts",
1650 .short_help = "show nat timeouts",
1651 .function = nat_show_timeouts_command_fn,
1656 * @cliexstart{set nat frame-queue-nelts}
1657 * Set number of worker handoff frame queue elements.
1660 VLIB_CLI_COMMAND (set_frame_queue_nelts_command, static) = {
1661 .path = "set nat frame-queue-nelts",
1662 .function = set_frame_queue_nelts_command_fn,
1663 .short_help = "set nat frame-queue-nelts <number>",
1668 * @cliexstart{nat set logging level}
1669 * To set NAT logging level use:
1670 * Set nat logging level
1673 VLIB_CLI_COMMAND (snat_set_log_level_command, static) = {
1674 .path = "nat set logging level",
1675 .function = snat_set_log_level_command_fn,
1676 .short_help = "nat set logging level <level>",
1681 * @cliexstart{snat ipfix logging}
1682 * To enable NAT IPFIX logging use:
1683 * vpp# nat ipfix logging
1684 * To set IPFIX exporter use:
1685 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
1688 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
1689 .path = "nat ipfix logging",
1690 .function = snat_ipfix_logging_enable_disable_command_fn,
1691 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
1696 * @cliexstart{nat mss-clamping}
1697 * Set TCP MSS rewriting configuration
1698 * To enable TCP MSS rewriting use:
1699 * vpp# nat mss-clamping 1452
1700 * To disbale TCP MSS rewriting use:
1701 * vpp# nat mss-clamping disable
1704 VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
1705 .path = "nat mss-clamping",
1706 .short_help = "nat mss-clamping <mss-value>|disable",
1707 .function = nat_set_mss_clamping_command_fn,
1712 * @cliexstart{show nat mss-clamping}
1713 * Show TCP MSS rewriting configuration
1716 VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
1717 .path = "show nat mss-clamping",
1718 .short_help = "show nat mss-clamping",
1719 .function = nat_show_mss_clamping_command_fn,
1724 * @cliexstart{show nat44 hash tables}
1725 * Show NAT44 hash tables
1728 VLIB_CLI_COMMAND (nat44_show_hash, static) = {
1729 .path = "show nat44 hash tables",
1730 .short_help = "show nat44 hash tables [detail|verbose]",
1731 .function = nat44_show_hash_command_fn,
1736 * @cliexstart{nat44 add address}
1737 * Add/delete NAT44 pool address.
1738 * To add NAT44 pool address use:
1739 * vpp# nat44 add address 172.16.1.3
1740 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
1741 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
1742 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
1745 VLIB_CLI_COMMAND (add_address_command, static) = {
1746 .path = "nat44 add address",
1747 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
1748 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
1749 .function = add_address_command_fn,
1754 * @cliexstart{show nat44 summary}
1755 * Show NAT44 summary
1756 * vpp# show nat44 summary
1759 VLIB_CLI_COMMAND (nat44_show_summary_command, static) = {
1760 .path = "show nat44 summary",
1761 .short_help = "show nat44 summary",
1762 .function = nat44_show_summary_command_fn,
1767 * @cliexstart{show nat44 addresses}
1768 * Show NAT44 pool addresses.
1769 * vpp# show nat44 addresses
1770 * NAT44 pool addresses:
1772 * tenant VRF independent
1781 * NAT44 twice-nat pool addresses:
1783 * tenant VRF independent
1789 VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
1790 .path = "show nat44 addresses",
1791 .short_help = "show nat44 addresses",
1792 .function = nat44_show_addresses_command_fn,
1797 * @cliexstart{set interface nat44}
1798 * Enable/disable NAT44 feature on the interface.
1799 * To enable NAT44 feature with local network interface use:
1800 * vpp# set interface nat44 in GigabitEthernet0/8/0
1801 * To enable NAT44 feature with external network interface use:
1802 * vpp# set interface nat44 out GigabitEthernet0/a/0
1805 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
1806 .path = "set interface nat44",
1807 .function = snat_feature_command_fn,
1808 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
1814 * @cliexstart{show nat44 interfaces}
1815 * Show interfaces with NAT44 feature.
1816 * vpp# show nat44 interfaces
1818 * GigabitEthernet0/8/0 in
1819 * GigabitEthernet0/a/0 out
1822 VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
1823 .path = "show nat44 interfaces",
1824 .short_help = "show nat44 interfaces",
1825 .function = nat44_show_interfaces_command_fn,
1830 * @cliexstart{nat44 add static mapping}
1831 * Static mapping allows hosts on the external network to initiate connection
1832 * to to the local network host.
1833 * To create static mapping between local host address 10.0.0.3 port 6303 and
1834 * external address 4.4.4.4 port 3606 for TCP protocol use:
1835 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
1836 * If not runnig "static mapping only" NAT plugin mode use before:
1837 * vpp# nat44 add address 4.4.4.4
1838 * To create address only static mapping between local and external address use:
1839 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
1840 * To create ICMP static mapping between local and external with ICMP echo
1841 * identifier 10 use:
1842 * vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
1843 * To force use of specific pool address, vrf independent
1844 * vpp# nat44 add static mapping local 10.0.0.2 1234 external 10.0.2.2 1234 twice-nat exact 10.0.1.2
1847 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
1848 .path = "nat44 add static mapping",
1849 .function = add_static_mapping_command_fn,
1851 "nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
1852 "external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
1853 "[out2in-only] [exact <pool-addr>] [del]",
1858 * @cliexstart{nat44 add identity mapping}
1859 * Identity mapping translate an IP address to itself.
1860 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
1862 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
1863 * To create identity mapping for address 10.0.0.3 use:
1864 * vpp# nat44 add identity mapping 10.0.0.3
1865 * To create identity mapping for DHCP addressed interface use:
1866 * vpp# nat44 add identity mapping external GigabitEthernet0/a/0 tcp 3606
1869 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
1870 .path = "nat44 add identity mapping",
1871 .function = add_identity_mapping_command_fn,
1872 .short_help = "nat44 add identity mapping <ip4-addr>|external <interface> "
1873 "[<protocol> <port>] [vrf <table-id>] [del]",
1878 * @cliexstart{nat44 add load-balancing static mapping}
1879 * Service load balancing using NAT44
1880 * To add static mapping with load balancing for service with external IP
1881 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
1882 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
1883 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
1886 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
1887 .path = "nat44 add load-balancing static mapping",
1888 .function = add_lb_static_mapping_command_fn,
1890 "nat44 add load-balancing static mapping protocol tcp|udp "
1891 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
1892 "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
1893 "[affinity <timeout-seconds>] [del]",
1898 * @cliexstart{nat44 add load-balancing static mapping}
1899 * Modify service load balancing using NAT44
1900 * To add new back-end server 10.100.10.30:8080 for service load balancing
1901 * static mapping with external IP address 1.2.3.4 and TCP port 80 use:
1902 * vpp# nat44 add load-balancing back-end protocol tcp external 1.2.3.4:80 local 10.100.10.30:8080 probability 25
1905 VLIB_CLI_COMMAND (add_lb_backend_command, static) = {
1906 .path = "nat44 add load-balancing back-end",
1907 .function = add_lb_backend_command_fn,
1909 "nat44 add load-balancing back-end protocol tcp|udp "
1910 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
1911 "probability <n> [del]",
1916 * @cliexstart{show nat44 static mappings}
1917 * Show NAT44 static mappings.
1918 * vpp# show nat44 static mappings
1919 * NAT44 static mappings:
1920 * local 10.0.0.3 external 4.4.4.4 vrf 0
1921 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
1922 * tcp vrf 0 external 1.2.3.4:80 out2in-only
1923 * local 10.100.10.10:8080 probability 80
1924 * local 10.100.10.20:8080 probability 20
1925 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
1926 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
1929 VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
1930 .path = "show nat44 static mappings",
1931 .short_help = "show nat44 static mappings",
1932 .function = nat44_show_static_mappings_command_fn,
1937 * @cliexstart{nat44 add interface address}
1938 * Use NAT44 pool address from specific interfce
1939 * To add NAT44 pool address from specific interface use:
1940 * vpp# nat44 add interface address GigabitEthernet0/8/0
1943 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
1944 .path = "nat44 add interface address",
1945 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
1946 .function = snat_add_interface_address_command_fn,
1951 * @cliexstart{show nat44 interface address}
1952 * Show NAT44 pool address interfaces
1953 * vpp# show nat44 interface address
1954 * NAT44 pool address interfaces:
1955 * GigabitEthernet0/a/0
1956 * NAT44 twice-nat pool address interfaces:
1957 * GigabitEthernet0/8/0
1960 VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
1961 .path = "show nat44 interface address",
1962 .short_help = "show nat44 interface address",
1963 .function = nat44_show_interface_address_command_fn,
1968 * @cliexstart{show nat44 sessions}
1969 * Show NAT44 sessions.
1972 VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
1973 .path = "show nat44 sessions",
1974 .short_help = "show nat44 sessions [detail|metrics]",
1975 .function = nat44_show_sessions_command_fn,
1980 * @cliexstart{set nat44 session limit}
1981 * Set NAT44 session limit.
1984 VLIB_CLI_COMMAND (nat44_set_session_limit_command, static) = {
1985 .path = "set nat44 session limit",
1986 .short_help = "set nat44 session limit <limit> [vrf <table-id>]",
1987 .function = nat44_set_session_limit_command_fn,
1992 * @cliexstart{nat44 del session}
1993 * To administratively delete NAT44 session by inside address and port use:
1994 * vpp# nat44 del session in 10.0.0.3:6303 tcp
1995 * To administratively delete NAT44 session by outside address and port use:
1996 * vpp# nat44 del session out 1.0.0.3:6033 udp
1999 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
2000 .path = "nat44 del session",
2001 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
2002 .function = nat44_del_session_command_fn,
2007 * @cliexstart{nat44 forwarding}
2008 * Enable or disable forwarding
2009 * Forward packets which don't match existing translation
2010 * or static mapping instead of dropping them.
2011 * To enable forwarding, use:
2012 * vpp# nat44 forwarding enable
2013 * To disable forwarding, use:
2014 * vpp# nat44 forwarding disable
2017 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
2018 .path = "nat44 forwarding",
2019 .short_help = "nat44 forwarding enable|disable",
2020 .function = snat_forwarding_set_command_fn,
2024 * fd.io coding-style-patch-verification: ON
2027 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob