2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
21 #include <nat/nat_ipfix_logging.h>
22 #include <nat/nat64.h>
23 #include <nat/nat_inlines.h>
24 #include <nat/nat44/inlines.h>
25 #include <nat/nat_affinity.h>
26 #include <vnet/fib/fib_table.h>
27 #include <nat/nat_ha.h>
29 #define UNSUPPORTED_IN_ED_MODE_STR \
30 "This command is unsupported in endpoint dependent mode"
31 #define SUPPORTED_ONLY_IN_ED_MODE_STR \
32 "This command is supported only in endpoint dependent mode"
35 set_workers_command_fn (vlib_main_t * vm,
36 unformat_input_t * input, vlib_cli_command_t * cmd)
38 unformat_input_t _line_input, *line_input = &_line_input;
41 clib_error_t *error = 0;
43 /* Get a line of input. */
44 if (!unformat_user (input, unformat_line_input, line_input))
47 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
49 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
53 error = clib_error_return (0, "unknown input '%U'",
54 format_unformat_error, line_input);
61 error = clib_error_return (0, "List of workers must be specified.");
65 rv = snat_set_workers (bitmap);
67 clib_bitmap_free (bitmap);
71 case VNET_API_ERROR_INVALID_WORKER:
72 error = clib_error_return (0, "Invalid worker(s).");
74 case VNET_API_ERROR_FEATURE_DISABLED:
75 error = clib_error_return (0,
76 "Supported only if 2 or more workes available.");
83 unformat_free (line_input);
89 nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
90 vlib_cli_command_t * cmd)
92 snat_main_t *sm = &snat_main;
95 if (sm->num_workers > 1)
97 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
99 vec_foreach (worker, sm->workers)
101 vlib_worker_thread_t *w =
102 vlib_worker_threads + *worker + sm->first_worker_index;
103 vlib_cli_output (vm, " %s", w->name);
111 static clib_error_t *
112 snat_set_log_level_command_fn (vlib_main_t * vm,
113 unformat_input_t * input,
114 vlib_cli_command_t * cmd)
116 unformat_input_t _line_input, *line_input = &_line_input;
117 snat_main_t *sm = &snat_main;
118 u8 log_level = SNAT_LOG_NONE;
119 clib_error_t *error = 0;
121 /* Get a line of input. */
122 if (!unformat_user (input, unformat_line_input, line_input))
125 if (!unformat (line_input, "%d", &log_level))
127 error = clib_error_return (0, "unknown input '%U'",
128 format_unformat_error, line_input);
131 if (log_level > SNAT_LOG_DEBUG)
133 error = clib_error_return (0, "unknown logging level '%d'", log_level);
136 sm->log_level = log_level;
139 unformat_free (line_input);
144 static clib_error_t *
145 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
146 unformat_input_t * input,
147 vlib_cli_command_t * cmd)
149 unformat_input_t _line_input, *line_input = &_line_input;
154 clib_error_t *error = 0;
156 /* Get a line of input. */
157 if (!unformat_user (input, unformat_line_input, line_input))
159 rv = snat_ipfix_logging_enable_disable (enable, domain_id,
162 return clib_error_return (0, "ipfix logging enable failed");
166 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
168 if (unformat (line_input, "domain %d", &domain_id))
170 else if (unformat (line_input, "src-port %d", &src_port))
172 else if (unformat (line_input, "disable"))
176 error = clib_error_return (0, "unknown input '%U'",
177 format_unformat_error, line_input);
182 rv = snat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
186 error = clib_error_return (0, "ipfix logging enable failed");
191 unformat_free (line_input);
196 static clib_error_t *
197 nat44_show_hash_command_fn (vlib_main_t * vm, unformat_input_t * input,
198 vlib_cli_command_t * cmd)
200 snat_main_t *sm = &snat_main;
201 snat_main_per_thread_data_t *tsm;
202 nat_affinity_main_t *nam = &nat_affinity_main;
206 if (unformat (input, "detail"))
208 else if (unformat (input, "verbose"))
211 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->static_mapping_by_local,
213 vlib_cli_output (vm, "%U",
214 format_bihash_8_8, &sm->static_mapping_by_external,
216 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->out2in_ed, verbose);
217 vec_foreach_index (i, sm->per_thread_data)
219 tsm = vec_elt_at_index (sm->per_thread_data, i);
220 vlib_cli_output (vm, "-------- thread %d %s --------\n",
221 i, vlib_worker_threads[i].name);
222 if (sm->endpoint_dependent)
224 vlib_cli_output (vm, "%U", format_bihash_16_8, &tsm->in2out_ed,
229 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->in2out, verbose);
230 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->out2in, verbose);
232 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->user_hash, verbose);
235 if (sm->endpoint_dependent)
237 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash,
241 vlib_cli_output (vm, "-------- hash table parameters --------\n");
242 vlib_cli_output (vm, "translation buckets: %u", sm->translation_buckets);
243 vlib_cli_output (vm, "translation memory size: %U",
244 format_memory_size, sm->translation_memory_size);
245 if (!sm->endpoint_dependent)
247 vlib_cli_output (vm, "user buckets: %u", sm->user_buckets);
248 vlib_cli_output (vm, "user memory size: %U",
249 format_memory_size, sm->user_memory_size);
254 static clib_error_t *
255 nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
256 unformat_input_t * input,
257 vlib_cli_command_t * cmd)
259 unformat_input_t _line_input, *line_input = &_line_input;
260 clib_error_t *error = 0;
261 u32 psid, psid_offset, psid_length, port_start, port_end;
263 /* Get a line of input. */
264 if (!unformat_user (input, unformat_line_input, line_input))
267 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
269 if (unformat (line_input, "default"))
270 nat_set_alloc_addr_and_port_default ();
273 (line_input, "map-e psid %d psid-offset %d psid-len %d", &psid,
274 &psid_offset, &psid_length))
275 nat_set_alloc_addr_and_port_mape ((u16) psid, (u16) psid_offset,
279 (line_input, "port-range %d - %d", &port_start, &port_end))
281 if (port_end <= port_start)
284 clib_error_return (0,
285 "The end-port must be greater than start-port");
288 nat_set_alloc_addr_and_port_range ((u16) port_start,
293 error = clib_error_return (0, "unknown input '%U'",
294 format_unformat_error, line_input);
300 unformat_free (line_input);
305 static clib_error_t *
306 nat44_show_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
307 unformat_input_t * input,
308 vlib_cli_command_t * cmd)
310 snat_main_t *sm = &snat_main;
312 vlib_cli_output (vm, "NAT address and port: %U",
313 format_nat_addr_and_port_alloc_alg,
314 sm->addr_and_port_alloc_alg);
315 switch (sm->addr_and_port_alloc_alg)
317 case NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE:
318 vlib_cli_output (vm, " psid %d psid-offset %d psid-len %d", sm->psid,
319 sm->psid_offset, sm->psid_length);
321 case NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE:
322 vlib_cli_output (vm, " start-port %d end-port %d", sm->start_port,
332 static clib_error_t *
333 nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
334 vlib_cli_command_t * cmd)
336 unformat_input_t _line_input, *line_input = &_line_input;
337 snat_main_t *sm = &snat_main;
338 clib_error_t *error = 0;
341 /* Get a line of input. */
342 if (!unformat_user (input, unformat_line_input, line_input))
345 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
347 if (unformat (line_input, "disable"))
348 sm->mss_clamping = 0;
349 else if (unformat (line_input, "%d", &mss))
350 sm->mss_clamping = (u16) mss;
353 error = clib_error_return (0, "unknown input '%U'",
354 format_unformat_error, line_input);
360 unformat_free (line_input);
365 static clib_error_t *
366 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
367 vlib_cli_command_t * cmd)
369 snat_main_t *sm = &snat_main;
371 if (sm->mss_clamping)
372 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
374 vlib_cli_output (vm, "mss-clamping disabled");
379 static clib_error_t *
380 nat_ha_failover_command_fn (vlib_main_t * vm, unformat_input_t * input,
381 vlib_cli_command_t * cmd)
383 unformat_input_t _line_input, *line_input = &_line_input;
385 u32 port, session_refresh_interval = 10;
387 clib_error_t *error = 0;
389 /* Get a line of input. */
390 if (!unformat_user (input, unformat_line_input, line_input))
393 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
395 if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
399 (line_input, "refresh-interval %u", &session_refresh_interval))
403 error = clib_error_return (0, "unknown input '%U'",
404 format_unformat_error, line_input);
409 rv = nat_ha_set_failover (&addr, (u16) port, session_refresh_interval);
411 error = clib_error_return (0, "set HA failover failed");
414 unformat_free (line_input);
419 static clib_error_t *
420 nat_ha_listener_command_fn (vlib_main_t * vm, unformat_input_t * input,
421 vlib_cli_command_t * cmd)
423 unformat_input_t _line_input, *line_input = &_line_input;
425 u32 port, path_mtu = 512;
427 clib_error_t *error = 0;
429 /* Get a line of input. */
430 if (!unformat_user (input, unformat_line_input, line_input))
433 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
435 if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
437 else if (unformat (line_input, "path-mtu %u", &path_mtu))
441 error = clib_error_return (0, "unknown input '%U'",
442 format_unformat_error, line_input);
447 rv = nat_ha_set_listener (&addr, (u16) port, path_mtu);
449 error = clib_error_return (0, "set HA listener failed");
452 unformat_free (line_input);
457 static clib_error_t *
458 nat_show_ha_command_fn (vlib_main_t * vm, unformat_input_t * input,
459 vlib_cli_command_t * cmd)
463 u32 path_mtu, session_refresh_interval, resync_ack_missed;
466 nat_ha_get_listener (&addr, &port, &path_mtu);
469 vlib_cli_output (vm, "NAT HA disabled\n");
473 vlib_cli_output (vm, "LISTENER:\n");
474 vlib_cli_output (vm, " %U:%u path-mtu %u\n",
475 format_ip4_address, &addr, port, path_mtu);
477 nat_ha_get_failover (&addr, &port, &session_refresh_interval);
478 vlib_cli_output (vm, "FAILOVER:\n");
480 vlib_cli_output (vm, " %U:%u refresh-interval %usec\n",
481 format_ip4_address, &addr, port,
482 session_refresh_interval);
484 vlib_cli_output (vm, " NA\n");
486 nat_ha_get_resync_status (&in_resync, &resync_ack_missed);
487 vlib_cli_output (vm, "RESYNC:\n");
489 vlib_cli_output (vm, " in progress\n");
491 vlib_cli_output (vm, " completed (%d ACK missed)\n", resync_ack_missed);
496 static clib_error_t *
497 nat_ha_flush_command_fn (vlib_main_t * vm, unformat_input_t * input,
498 vlib_cli_command_t * cmd)
504 static clib_error_t *
505 nat_ha_resync_command_fn (vlib_main_t * vm, unformat_input_t * input,
506 vlib_cli_command_t * cmd)
508 clib_error_t *error = 0;
510 if (nat_ha_resync (0, 0, 0))
511 error = clib_error_return (0, "NAT HA resync already running");
516 static clib_error_t *
517 add_address_command_fn (vlib_main_t * vm,
518 unformat_input_t * input, vlib_cli_command_t * cmd)
520 unformat_input_t _line_input, *line_input = &_line_input;
521 snat_main_t *sm = &snat_main;
522 ip4_address_t start_addr, end_addr, this_addr;
523 u32 start_host_order, end_host_order;
528 clib_error_t *error = 0;
531 /* Get a line of input. */
532 if (!unformat_user (input, unformat_line_input, line_input))
535 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
537 if (unformat (line_input, "%U - %U",
538 unformat_ip4_address, &start_addr,
539 unformat_ip4_address, &end_addr))
541 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
543 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
544 end_addr = start_addr;
545 else if (unformat (line_input, "twice-nat"))
547 else if (unformat (line_input, "del"))
551 error = clib_error_return (0, "unknown input '%U'",
552 format_unformat_error, line_input);
557 if (sm->static_mapping_only)
559 error = clib_error_return (0, "static mapping only mode");
563 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
564 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
566 if (end_host_order < start_host_order)
568 error = clib_error_return (0, "end address less than start address");
572 count = (end_host_order - start_host_order) + 1;
575 nat_log_info ("%U - %U, %d addresses...",
576 format_ip4_address, &start_addr,
577 format_ip4_address, &end_addr, count);
579 this_addr = start_addr;
581 for (i = 0; i < count; i++)
584 rv = snat_add_address (sm, &this_addr, vrf_id, twice_nat);
586 rv = snat_del_address (sm, this_addr, 0, twice_nat);
590 case VNET_API_ERROR_VALUE_EXIST:
591 error = clib_error_return (0, "NAT address already in use.");
593 case VNET_API_ERROR_NO_SUCH_ENTRY:
594 error = clib_error_return (0, "NAT address not exist.");
596 case VNET_API_ERROR_UNSPECIFIED:
598 clib_error_return (0, "NAT address used in static mapping.");
600 case VNET_API_ERROR_FEATURE_DISABLED:
602 clib_error_return (0,
603 "twice NAT available only for endpoint-dependent mode.");
610 nat44_add_del_address_dpo (this_addr, is_add);
612 increment_v4_address (&this_addr);
616 unformat_free (line_input);
621 static clib_error_t *
622 nat44_show_summary_command_fn (vlib_main_t * vm, unformat_input_t * input,
623 vlib_cli_command_t * cmd)
625 snat_main_per_thread_data_t *tsm;
626 snat_main_t *sm = &snat_main;
629 if (!sm->endpoint_dependent)
630 return clib_error_return (0, SUPPORTED_ONLY_IN_ED_MODE_STR);
632 vlib_cli_output (vm, "max translations per thread: %u",
633 sm->max_translations_per_thread);
634 vlib_cli_output (vm, "max translations per user: %u",
635 sm->max_translations_per_user);
639 u64 now = vlib_time_now (vm);
640 u64 sess_timeout_time;
642 u32 udp_sessions = 0;
643 u32 tcp_sessions = 0;
644 u32 icmp_sessions = 0;
648 u32 transitory_wait_closed = 0;
649 u32 transitory_closed = 0;
652 if (sm->num_workers > 1)
655 vec_foreach (tsm, sm->per_thread_data)
657 pool_foreach (s, tsm->sessions,
659 sess_timeout_time = s->last_heard +
660 (f64) nat44_session_get_timeout (sm, s);
661 if (now >= sess_timeout_time)
664 switch (s->nat_proto)
666 case NAT_PROTOCOL_ICMP:
669 case NAT_PROTOCOL_TCP:
673 if (s->tcp_closed_timestamp)
675 if (now >= s->tcp_closed_timestamp)
681 ++transitory_wait_closed;
689 case NAT_PROTOCOL_UDP:
695 count += pool_elts (tsm->sessions);
701 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
703 pool_foreach (s, tsm->sessions,
705 sess_timeout_time = s->last_heard +
706 (f64) nat44_session_get_timeout (sm, s);
707 if (now >= sess_timeout_time)
710 switch (s->nat_proto)
712 case NAT_PROTOCOL_ICMP:
715 case NAT_PROTOCOL_TCP:
719 if (s->tcp_closed_timestamp)
721 if (now >= s->tcp_closed_timestamp)
727 ++transitory_wait_closed;
735 case NAT_PROTOCOL_UDP:
742 count = pool_elts (tsm->sessions);
743 if (sm->endpoint_dependent)
745 dlist_elt_t *oldest_elt;
749 clib_dlist_remove_head (tsm->lru_pool, tsm->n##_lru_head_index); \
750 if (~0 != oldest_index) \
752 oldest_elt = pool_elt_at_index (tsm->lru_pool, oldest_index); \
753 s = pool_elt_at_index (tsm->sessions, oldest_elt->value); \
754 sess_timeout_time = \
755 s->last_heard + (f64)nat44_session_get_timeout (sm, s); \
756 vlib_cli_output (vm, d " LRU min session timeout %llu (now %llu)", \
757 sess_timeout_time, now); \
758 clib_dlist_addhead (tsm->lru_pool, tsm->n##_lru_head_index, \
761 _(tcp_estab, "established tcp");
762 _(tcp_trans, "transitory tcp");
764 _(unk_proto, "unknown protocol");
770 vlib_cli_output (vm, "total timed out sessions: %u", timed_out);
771 vlib_cli_output (vm, "total sessions: %u", count);
772 vlib_cli_output (vm, "total tcp sessions: %u", tcp_sessions);
773 vlib_cli_output (vm, "total tcp established sessions: %u", established);
774 vlib_cli_output (vm, "total tcp transitory sessions: %u", transitory);
775 vlib_cli_output (vm, "total tcp transitory (WAIT-CLOSED) sessions: %u",
776 transitory_wait_closed);
777 vlib_cli_output (vm, "total tcp transitory (CLOSED) sessions: %u",
779 vlib_cli_output (vm, "total udp sessions: %u", udp_sessions);
780 vlib_cli_output (vm, "total icmp sessions: %u", icmp_sessions);
784 static clib_error_t *
785 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
786 vlib_cli_command_t * cmd)
788 snat_main_t *sm = &snat_main;
791 vlib_cli_output (vm, "NAT44 pool addresses:");
793 vec_foreach (ap, sm->addresses)
795 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
796 if (ap->fib_index != ~0)
797 vlib_cli_output (vm, " tenant VRF: %u",
798 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
800 vlib_cli_output (vm, " tenant VRF independent");
801 #define _(N, i, n, s) \
802 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
806 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
807 vec_foreach (ap, sm->twice_nat_addresses)
809 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
810 if (ap->fib_index != ~0)
811 vlib_cli_output (vm, " tenant VRF: %u",
812 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
814 vlib_cli_output (vm, " tenant VRF independent");
815 #define _(N, i, n, s) \
816 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
824 static clib_error_t *
825 snat_feature_command_fn (vlib_main_t * vm,
826 unformat_input_t * input, vlib_cli_command_t * cmd)
828 unformat_input_t _line_input, *line_input = &_line_input;
829 vnet_main_t *vnm = vnet_get_main ();
830 clib_error_t *error = 0;
832 u32 *inside_sw_if_indices = 0;
833 u32 *outside_sw_if_indices = 0;
834 u8 is_output_feature = 0;
840 /* Get a line of input. */
841 if (!unformat_user (input, unformat_line_input, line_input))
844 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
846 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
848 vec_add1 (inside_sw_if_indices, sw_if_index);
849 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
851 vec_add1 (outside_sw_if_indices, sw_if_index);
852 else if (unformat (line_input, "output-feature"))
853 is_output_feature = 1;
854 else if (unformat (line_input, "del"))
858 error = clib_error_return (0, "unknown input '%U'",
859 format_unformat_error, line_input);
864 if (vec_len (inside_sw_if_indices))
866 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
868 sw_if_index = inside_sw_if_indices[i];
869 if (is_output_feature)
871 if (snat_interface_add_del_output_feature
872 (sw_if_index, 1, is_del))
874 error = clib_error_return (0, "%s %U failed",
875 is_del ? "del" : "add",
876 format_vnet_sw_if_index_name,
883 if (snat_interface_add_del (sw_if_index, 1, is_del))
885 error = clib_error_return (0, "%s %U failed",
886 is_del ? "del" : "add",
887 format_vnet_sw_if_index_name,
895 if (vec_len (outside_sw_if_indices))
897 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
899 sw_if_index = outside_sw_if_indices[i];
900 if (is_output_feature)
902 if (snat_interface_add_del_output_feature
903 (sw_if_index, 0, is_del))
905 error = clib_error_return (0, "%s %U failed",
906 is_del ? "del" : "add",
907 format_vnet_sw_if_index_name,
914 if (snat_interface_add_del (sw_if_index, 0, is_del))
916 error = clib_error_return (0, "%s %U failed",
917 is_del ? "del" : "add",
918 format_vnet_sw_if_index_name,
927 unformat_free (line_input);
928 vec_free (inside_sw_if_indices);
929 vec_free (outside_sw_if_indices);
934 static clib_error_t *
935 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
936 vlib_cli_command_t * cmd)
938 snat_main_t *sm = &snat_main;
940 vnet_main_t *vnm = vnet_get_main ();
942 vlib_cli_output (vm, "NAT44 interfaces:");
944 pool_foreach (i, sm->interfaces,
946 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
948 (nat_interface_is_inside(i) &&
949 nat_interface_is_outside(i)) ? "in out" :
950 (nat_interface_is_inside(i) ? "in" : "out"));
953 pool_foreach (i, sm->output_feature_interfaces,
955 vlib_cli_output (vm, " %U output-feature %s",
956 format_vnet_sw_if_index_name, vnm,
958 (nat_interface_is_inside(i) &&
959 nat_interface_is_outside(i)) ? "in out" :
960 (nat_interface_is_inside(i) ? "in" : "out"));
967 static clib_error_t *
968 add_static_mapping_command_fn (vlib_main_t * vm,
969 unformat_input_t * input,
970 vlib_cli_command_t * cmd)
972 unformat_input_t _line_input, *line_input = &_line_input;
973 clib_error_t *error = 0;
974 ip4_address_t l_addr, e_addr;
975 u32 l_port = 0, e_port = 0, vrf_id = ~0;
978 u32 sw_if_index = ~0;
979 vnet_main_t *vnm = vnet_get_main ();
981 nat_protocol_t proto = NAT_PROTOCOL_OTHER;
983 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
986 /* Get a line of input. */
987 if (!unformat_user (input, unformat_line_input, line_input))
990 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
992 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
996 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
998 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
1001 else if (unformat (line_input, "external %U", unformat_ip4_address,
1004 else if (unformat (line_input, "external %U %u",
1005 unformat_vnet_sw_interface, vnm, &sw_if_index,
1009 else if (unformat (line_input, "external %U",
1010 unformat_vnet_sw_interface, vnm, &sw_if_index))
1012 else if (unformat (line_input, "vrf %u", &vrf_id))
1014 else if (unformat (line_input, "%U", unformat_nat_protocol, &proto))
1016 else if (unformat (line_input, "twice-nat"))
1017 twice_nat = TWICE_NAT;
1018 else if (unformat (line_input, "self-twice-nat"))
1019 twice_nat = TWICE_NAT_SELF;
1020 else if (unformat (line_input, "out2in-only"))
1022 else if (unformat (line_input, "del"))
1026 error = clib_error_return (0, "unknown input: '%U'",
1027 format_unformat_error, line_input);
1032 if (twice_nat && addr_only)
1034 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
1043 clib_error_return (0,
1044 "address only mapping doesn't support protocol");
1048 else if (!proto_set)
1050 error = clib_error_return (0, "protocol is required");
1054 rv = snat_add_static_mapping (l_addr, e_addr, clib_host_to_net_u16 (l_port),
1055 clib_host_to_net_u16 (e_port),
1056 vrf_id, addr_only, sw_if_index, proto, is_add,
1057 twice_nat, out2in_only, 0, 0);
1061 case VNET_API_ERROR_INVALID_VALUE:
1062 error = clib_error_return (0, "External port already in use.");
1064 case VNET_API_ERROR_NO_SUCH_ENTRY:
1066 error = clib_error_return (0, "External address must be allocated.");
1068 error = clib_error_return (0, "Mapping not exist.");
1070 case VNET_API_ERROR_NO_SUCH_FIB:
1071 error = clib_error_return (0, "No such VRF id.");
1073 case VNET_API_ERROR_VALUE_EXIST:
1074 error = clib_error_return (0, "Mapping already exist.");
1076 case VNET_API_ERROR_FEATURE_DISABLED:
1078 clib_error_return (0,
1079 "twice-nat/out2in-only available only for endpoint-dependent mode.");
1086 unformat_free (line_input);
1091 static clib_error_t *
1092 add_identity_mapping_command_fn (vlib_main_t * vm,
1093 unformat_input_t * input,
1094 vlib_cli_command_t * cmd)
1096 unformat_input_t _line_input, *line_input = &_line_input;
1097 clib_error_t *error = 0;
1099 u32 port = 0, vrf_id = ~0;
1102 u32 sw_if_index = ~0;
1103 vnet_main_t *vnm = vnet_get_main ();
1105 nat_protocol_t proto;
1109 /* Get a line of input. */
1110 if (!unformat_user (input, unformat_line_input, line_input))
1113 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1115 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
1117 else if (unformat (line_input, "external %U",
1118 unformat_vnet_sw_interface, vnm, &sw_if_index))
1120 else if (unformat (line_input, "vrf %u", &vrf_id))
1122 else if (unformat (line_input, "%U %u", unformat_nat_protocol, &proto,
1125 else if (unformat (line_input, "del"))
1129 error = clib_error_return (0, "unknown input: '%U'",
1130 format_unformat_error, line_input);
1136 snat_add_static_mapping (addr, addr, clib_host_to_net_u16 (port),
1137 clib_host_to_net_u16 (port), vrf_id, addr_only,
1138 sw_if_index, proto, is_add, 0, 0, 0, 1);
1142 case VNET_API_ERROR_INVALID_VALUE:
1143 error = clib_error_return (0, "External port already in use.");
1145 case VNET_API_ERROR_NO_SUCH_ENTRY:
1147 error = clib_error_return (0, "External address must be allocated.");
1149 error = clib_error_return (0, "Mapping not exist.");
1151 case VNET_API_ERROR_NO_SUCH_FIB:
1152 error = clib_error_return (0, "No such VRF id.");
1154 case VNET_API_ERROR_VALUE_EXIST:
1155 error = clib_error_return (0, "Mapping already exist.");
1162 unformat_free (line_input);
1167 static clib_error_t *
1168 add_lb_static_mapping_command_fn (vlib_main_t * vm,
1169 unformat_input_t * input,
1170 vlib_cli_command_t * cmd)
1172 unformat_input_t _line_input, *line_input = &_line_input;
1173 clib_error_t *error = 0;
1174 ip4_address_t l_addr, e_addr;
1175 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
1178 nat_protocol_t proto;
1180 nat44_lb_addr_port_t *locals = 0, local;
1181 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
1184 /* Get a line of input. */
1185 if (!unformat_user (input, unformat_line_input, line_input))
1188 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1190 if (unformat (line_input, "local %U:%u probability %u",
1191 unformat_ip4_address, &l_addr, &l_port, &probability))
1193 clib_memset (&local, 0, sizeof (local));
1194 local.addr = l_addr;
1195 local.port = (u16) l_port;
1196 local.probability = (u8) probability;
1197 vec_add1 (locals, local);
1199 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1200 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1203 clib_memset (&local, 0, sizeof (local));
1204 local.addr = l_addr;
1205 local.port = (u16) l_port;
1206 local.probability = (u8) probability;
1207 local.vrf_id = vrf_id;
1208 vec_add1 (locals, local);
1210 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1213 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1216 else if (unformat (line_input, "twice-nat"))
1217 twice_nat = TWICE_NAT;
1218 else if (unformat (line_input, "self-twice-nat"))
1219 twice_nat = TWICE_NAT_SELF;
1220 else if (unformat (line_input, "out2in-only"))
1222 else if (unformat (line_input, "del"))
1224 else if (unformat (line_input, "affinity %u", &affinity))
1228 error = clib_error_return (0, "unknown input: '%U'",
1229 format_unformat_error, line_input);
1234 if (vec_len (locals) < 2)
1236 error = clib_error_return (0, "at least two local must be set");
1242 error = clib_error_return (0, "missing protocol");
1246 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
1247 is_add, twice_nat, out2in_only, 0,
1252 case VNET_API_ERROR_INVALID_VALUE:
1253 error = clib_error_return (0, "External port already in use.");
1255 case VNET_API_ERROR_NO_SUCH_ENTRY:
1257 error = clib_error_return (0, "External address must be allocated.");
1259 error = clib_error_return (0, "Mapping not exist.");
1261 case VNET_API_ERROR_VALUE_EXIST:
1262 error = clib_error_return (0, "Mapping already exist.");
1264 case VNET_API_ERROR_FEATURE_DISABLED:
1266 clib_error_return (0, "Available only for endpoint-dependent mode.");
1273 unformat_free (line_input);
1279 static clib_error_t *
1280 add_lb_backend_command_fn (vlib_main_t * vm,
1281 unformat_input_t * input, vlib_cli_command_t * cmd)
1283 unformat_input_t _line_input, *line_input = &_line_input;
1284 clib_error_t *error = 0;
1285 ip4_address_t l_addr, e_addr;
1286 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
1289 nat_protocol_t proto;
1292 /* Get a line of input. */
1293 if (!unformat_user (input, unformat_line_input, line_input))
1296 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1298 if (unformat (line_input, "local %U:%u probability %u",
1299 unformat_ip4_address, &l_addr, &l_port, &probability))
1301 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1302 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1305 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1308 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1311 else if (unformat (line_input, "del"))
1315 error = clib_error_return (0, "unknown input: '%U'",
1316 format_unformat_error, line_input);
1321 if (!l_port || !e_port)
1323 error = clib_error_return (0, "local or external must be set");
1329 error = clib_error_return (0, "missing protocol");
1334 nat44_lb_static_mapping_add_del_local (e_addr, (u16) e_port, l_addr,
1335 l_port, proto, vrf_id, probability,
1340 case VNET_API_ERROR_INVALID_VALUE:
1341 error = clib_error_return (0, "External is not load-balancing static "
1344 case VNET_API_ERROR_NO_SUCH_ENTRY:
1345 error = clib_error_return (0, "Mapping or back-end not exist.");
1347 case VNET_API_ERROR_VALUE_EXIST:
1348 error = clib_error_return (0, "Back-end already exist.");
1350 case VNET_API_ERROR_FEATURE_DISABLED:
1352 clib_error_return (0, "Available only for endpoint-dependent mode.");
1354 case VNET_API_ERROR_UNSPECIFIED:
1355 error = clib_error_return (0, "At least two back-ends must remain");
1362 unformat_free (line_input);
1367 static clib_error_t *
1368 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
1369 unformat_input_t * input,
1370 vlib_cli_command_t * cmd)
1372 snat_main_t *sm = &snat_main;
1373 snat_static_mapping_t *m;
1374 snat_static_map_resolve_t *rp;
1376 vlib_cli_output (vm, "NAT44 static mappings:");
1378 pool_foreach (m, sm->static_mappings,
1380 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
1382 vec_foreach (rp, sm->to_resolve)
1383 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
1389 static clib_error_t *
1390 snat_add_interface_address_command_fn (vlib_main_t * vm,
1391 unformat_input_t * input,
1392 vlib_cli_command_t * cmd)
1394 snat_main_t *sm = &snat_main;
1395 unformat_input_t _line_input, *line_input = &_line_input;
1399 clib_error_t *error = 0;
1402 /* Get a line of input. */
1403 if (!unformat_user (input, unformat_line_input, line_input))
1406 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1408 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
1409 sm->vnet_main, &sw_if_index))
1411 else if (unformat (line_input, "twice-nat"))
1413 else if (unformat (line_input, "del"))
1417 error = clib_error_return (0, "unknown input '%U'",
1418 format_unformat_error, line_input);
1423 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
1431 error = clib_error_return (0, "snat_add_interface_address returned %d",
1437 unformat_free (line_input);
1442 static clib_error_t *
1443 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1444 unformat_input_t * input,
1445 vlib_cli_command_t * cmd)
1447 snat_main_t *sm = &snat_main;
1448 vnet_main_t *vnm = vnet_get_main ();
1452 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1453 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1455 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1458 vlib_cli_output (vm, "NAT44 twice-nat pool address interfaces:");
1459 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
1461 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1469 static clib_error_t *
1470 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1471 vlib_cli_command_t * cmd)
1473 unformat_input_t _line_input, *line_input = &_line_input;
1474 clib_error_t *error = 0;
1476 snat_main_per_thread_data_t *tsm;
1477 snat_main_t *sm = &snat_main;
1482 if (!unformat_user (input, unformat_line_input, line_input))
1485 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1487 if (unformat (line_input, "detail"))
1491 error = clib_error_return (0, "unknown input '%U'",
1492 format_unformat_error, line_input);
1496 unformat_free (line_input);
1499 if (!sm->endpoint_dependent)
1500 vlib_cli_output (vm, "NAT44 sessions:");
1502 vlib_cli_output (vm, "NAT44 ED sessions:");
1505 vec_foreach_index (i, sm->per_thread_data)
1507 tsm = vec_elt_at_index (sm->per_thread_data, i);
1509 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1510 i, vlib_worker_threads[i].name,
1511 pool_elts (tsm->sessions));
1513 if (!sm->endpoint_dependent)
1516 pool_foreach (u, tsm->users,
1518 vlib_cli_output (vm, " %U", format_snat_user, tsm, u, detail);
1524 pool_foreach (s, tsm->sessions,
1526 vlib_cli_output (vm, " %U\n", format_snat_session, tsm, s);
1534 static clib_error_t *
1535 nat44_set_session_limit_command_fn (vlib_main_t * vm,
1536 unformat_input_t * input,
1537 vlib_cli_command_t * cmd)
1539 unformat_input_t _line_input, *line_input = &_line_input;
1540 clib_error_t *error = 0;
1542 u32 session_limit = 0, vrf_id = 0;
1544 /* Get a line of input. */
1545 if (!unformat_user (input, unformat_line_input, line_input))
1548 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1550 if (unformat (line_input, "%u", &session_limit))
1552 else if (unformat (line_input, "vrf %u", &vrf_id))
1556 error = clib_error_return (0, "unknown input '%U'",
1557 format_unformat_error, line_input);
1563 error = clib_error_return (0, "missing value of session limit");
1564 else if (nat44_set_session_limit (session_limit, vrf_id))
1565 error = clib_error_return (0, "nat44_set_session_limit failed");
1568 unformat_free (line_input);
1573 static clib_error_t *
1574 nat44_del_user_command_fn (vlib_main_t * vm,
1575 unformat_input_t * input, vlib_cli_command_t * cmd)
1577 snat_main_t *sm = &snat_main;
1578 unformat_input_t _line_input, *line_input = &_line_input;
1579 clib_error_t *error = 0;
1584 if (sm->endpoint_dependent)
1585 return clib_error_return (0, UNSUPPORTED_IN_ED_MODE_STR);
1587 /* Get a line of input. */
1588 if (!unformat_user (input, unformat_line_input, line_input))
1591 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1593 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
1595 else if (unformat (line_input, "fib %u", &fib_index))
1599 error = clib_error_return (0, "unknown input '%U'",
1600 format_unformat_error, line_input);
1605 rv = nat44_user_del (&addr, fib_index);
1609 error = clib_error_return (0, "nat44_user_del returned %d", rv);
1613 unformat_free (line_input);
1618 static clib_error_t *
1619 nat44_clear_sessions_command_fn (vlib_main_t * vm,
1620 unformat_input_t * input,
1621 vlib_cli_command_t * cmd)
1623 clib_error_t *error = 0;
1624 nat44_sessions_clear ();
1628 static clib_error_t *
1629 nat44_del_session_command_fn (vlib_main_t * vm,
1630 unformat_input_t * input,
1631 vlib_cli_command_t * cmd)
1633 snat_main_t *sm = &snat_main;
1634 unformat_input_t _line_input, *line_input = &_line_input;
1635 int is_in = 0, is_ed = 0;
1636 clib_error_t *error = 0;
1637 ip4_address_t addr, eh_addr;
1638 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1639 nat_protocol_t proto;
1642 /* Get a line of input. */
1643 if (!unformat_user (input, unformat_line_input, line_input))
1646 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1649 (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1650 unformat_nat_protocol, &proto))
1652 else if (unformat (line_input, "in"))
1655 vrf_id = sm->inside_vrf_id;
1657 else if (unformat (line_input, "out"))
1660 vrf_id = sm->outside_vrf_id;
1662 else if (unformat (line_input, "vrf %u", &vrf_id))
1666 (line_input, "external-host %U:%u", unformat_ip4_address,
1667 &eh_addr, &eh_port))
1671 error = clib_error_return (0, "unknown input '%U'",
1672 format_unformat_error, line_input);
1679 nat44_del_ed_session (sm, &addr, clib_host_to_net_u16 (port), &eh_addr,
1680 clib_host_to_net_u16 (eh_port),
1681 nat_proto_to_ip_proto (proto), vrf_id, is_in);
1684 nat44_del_session (sm, &addr, clib_host_to_net_u16 (port), proto,
1693 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1698 unformat_free (line_input);
1703 static clib_error_t *
1704 snat_forwarding_set_command_fn (vlib_main_t * vm,
1705 unformat_input_t * input,
1706 vlib_cli_command_t * cmd)
1708 snat_main_t *sm = &snat_main;
1709 unformat_input_t _line_input, *line_input = &_line_input;
1710 u8 forwarding_enable;
1711 u8 forwarding_enable_set = 0;
1712 clib_error_t *error = 0;
1714 /* Get a line of input. */
1715 if (!unformat_user (input, unformat_line_input, line_input))
1716 return clib_error_return (0, "'enable' or 'disable' expected");
1718 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1720 if (!forwarding_enable_set && unformat (line_input, "enable"))
1722 forwarding_enable = 1;
1723 forwarding_enable_set = 1;
1725 else if (!forwarding_enable_set && unformat (line_input, "disable"))
1727 forwarding_enable = 0;
1728 forwarding_enable_set = 1;
1732 error = clib_error_return (0, "unknown input '%U'",
1733 format_unformat_error, line_input);
1738 if (!forwarding_enable_set)
1740 error = clib_error_return (0, "'enable' or 'disable' expected");
1744 sm->forwarding_enabled = forwarding_enable;
1747 unformat_free (line_input);
1752 static clib_error_t *
1753 set_timeout_command_fn (vlib_main_t * vm,
1754 unformat_input_t * input, vlib_cli_command_t * cmd)
1756 snat_main_t *sm = &snat_main;
1757 unformat_input_t _line_input, *line_input = &_line_input;
1758 clib_error_t *error = 0;
1760 /* Get a line of input. */
1761 if (!unformat_user (input, unformat_line_input, line_input))
1764 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1766 if (unformat (line_input, "udp %u", &sm->udp_timeout))
1768 if (nat64_set_udp_timeout (sm->udp_timeout))
1770 error = clib_error_return (0, "Invalid UDP timeout value");
1774 else if (unformat (line_input, "tcp-established %u",
1775 &sm->tcp_established_timeout))
1777 if (nat64_set_tcp_timeouts
1778 (sm->tcp_transitory_timeout, sm->tcp_established_timeout))
1781 clib_error_return (0,
1782 "Invalid TCP established timeouts value");
1786 else if (unformat (line_input, "tcp-transitory %u",
1787 &sm->tcp_transitory_timeout))
1789 if (nat64_set_tcp_timeouts
1790 (sm->tcp_transitory_timeout, sm->tcp_established_timeout))
1793 clib_error_return (0,
1794 "Invalid TCP transitory timeouts value");
1798 else if (unformat (line_input, "icmp %u", &sm->icmp_timeout))
1800 if (nat64_set_icmp_timeout (sm->icmp_timeout))
1802 error = clib_error_return (0, "Invalid ICMP timeout value");
1806 else if (unformat (line_input, "reset"))
1808 sm->udp_timeout = SNAT_UDP_TIMEOUT;
1809 sm->tcp_established_timeout = SNAT_TCP_ESTABLISHED_TIMEOUT;
1810 sm->tcp_transitory_timeout = SNAT_TCP_TRANSITORY_TIMEOUT;
1811 sm->icmp_timeout = SNAT_ICMP_TIMEOUT;
1812 nat64_set_udp_timeout (0);
1813 nat64_set_icmp_timeout (0);
1814 nat64_set_tcp_timeouts (0, 0);
1818 error = clib_error_return (0, "unknown input '%U'",
1819 format_unformat_error, line_input);
1824 unformat_free (line_input);
1828 static clib_error_t *
1829 nat_show_timeouts_command_fn (vlib_main_t * vm,
1830 unformat_input_t * input,
1831 vlib_cli_command_t * cmd)
1833 snat_main_t *sm = &snat_main;
1835 vlib_cli_output (vm, "udp timeout: %dsec", sm->udp_timeout);
1836 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1837 sm->tcp_established_timeout);
1838 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1839 sm->tcp_transitory_timeout);
1840 vlib_cli_output (vm, "icmp timeout: %dsec", sm->icmp_timeout);
1849 * @cliexstart{set snat workers}
1850 * Set NAT workers if 2 or more workers available, use:
1851 * vpp# set snat workers 0-2,5
1854 VLIB_CLI_COMMAND (set_workers_command, static) = {
1855 .path = "set nat workers",
1856 .function = set_workers_command_fn,
1857 .short_help = "set nat workers <workers-list>",
1862 * @cliexstart{show nat workers}
1864 * vpp# show nat workers:
1870 VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
1871 .path = "show nat workers",
1872 .short_help = "show nat workers",
1873 .function = nat_show_workers_commnad_fn,
1878 * @cliexstart{set nat timeout}
1879 * Set values of timeouts for NAT sessions (in seconds), use:
1880 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
1881 * To reset default values use:
1882 * vpp# set nat timeout reset
1885 VLIB_CLI_COMMAND (set_timeout_command, static) = {
1886 .path = "set nat timeout",
1887 .function = set_timeout_command_fn,
1889 "set nat timeout [udp <sec> | tcp-established <sec> "
1890 "tcp-transitory <sec> | icmp <sec> | reset]",
1895 * @cliexstart{show nat timeouts}
1896 * Show values of timeouts for NAT sessions.
1897 * vpp# show nat timeouts
1898 * udp timeout: 300sec
1899 * tcp-established timeout: 7440sec
1900 * tcp-transitory timeout: 240sec
1901 * icmp timeout: 60sec
1904 VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
1905 .path = "show nat timeouts",
1906 .short_help = "show nat timeouts",
1907 .function = nat_show_timeouts_command_fn,
1912 * @cliexstart{nat set logging level}
1913 * To set NAT logging level use:
1914 * Set nat logging level
1917 VLIB_CLI_COMMAND (snat_set_log_level_command, static) = {
1918 .path = "nat set logging level",
1919 .function = snat_set_log_level_command_fn,
1920 .short_help = "nat set logging level <level>",
1925 * @cliexstart{snat ipfix logging}
1926 * To enable NAT IPFIX logging use:
1927 * vpp# nat ipfix logging
1928 * To set IPFIX exporter use:
1929 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
1932 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
1933 .path = "nat ipfix logging",
1934 .function = snat_ipfix_logging_enable_disable_command_fn,
1935 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
1940 * @cliexstart{nat addr-port-assignment-alg}
1941 * Set address and port assignment algorithm
1942 * For the MAP-E CE limit port choice based on PSID use:
1943 * vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
1944 * For port range use:
1945 * vpp# nat addr-port-assignment-alg port-range <start-port> - <end-port>
1946 * To set standard (default) address and port assignment algorithm use:
1947 * vpp# nat addr-port-assignment-alg default
1950 VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
1951 .path = "nat addr-port-assignment-alg",
1952 .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
1953 .function = nat44_set_alloc_addr_and_port_alg_command_fn,
1958 * @cliexstart{show nat addr-port-assignment-alg}
1959 * Show address and port assignment algorithm
1962 VLIB_CLI_COMMAND (nat44_show_alloc_addr_and_port_alg_command, static) = {
1963 .path = "show nat addr-port-assignment-alg",
1964 .short_help = "show nat addr-port-assignment-alg",
1965 .function = nat44_show_alloc_addr_and_port_alg_command_fn,
1970 * @cliexstart{nat mss-clamping}
1971 * Set TCP MSS rewriting configuration
1972 * To enable TCP MSS rewriting use:
1973 * vpp# nat mss-clamping 1452
1974 * To disbale TCP MSS rewriting use:
1975 * vpp# nat mss-clamping disable
1978 VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
1979 .path = "nat mss-clamping",
1980 .short_help = "nat mss-clamping <mss-value>|disable",
1981 .function = nat_set_mss_clamping_command_fn,
1986 * @cliexstart{show nat mss-clamping}
1987 * Show TCP MSS rewriting configuration
1990 VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
1991 .path = "show nat mss-clamping",
1992 .short_help = "show nat mss-clamping",
1993 .function = nat_show_mss_clamping_command_fn,
1998 * @cliexstart{nat ha failover}
1999 * Set HA failover (remote settings)
2002 VLIB_CLI_COMMAND (nat_ha_failover_command, static) = {
2003 .path = "nat ha failover",
2004 .short_help = "nat ha failover <ip4-address>:<port> [refresh-interval <sec>]",
2005 .function = nat_ha_failover_command_fn,
2010 * @cliexstart{nat ha listener}
2011 * Set HA listener (local settings)
2014 VLIB_CLI_COMMAND (nat_ha_listener_command, static) = {
2015 .path = "nat ha listener",
2016 .short_help = "nat ha listener <ip4-address>:<port> [path-mtu <path-mtu>]",
2017 .function = nat_ha_listener_command_fn,
2022 * @cliexstart{show nat ha}
2023 * Show HA configuration/status
2026 VLIB_CLI_COMMAND (nat_show_ha_command, static) = {
2027 .path = "show nat ha",
2028 .short_help = "show nat ha",
2029 .function = nat_show_ha_command_fn,
2034 * @cliexstart{nat ha flush}
2035 * Flush the current HA data (for testing)
2038 VLIB_CLI_COMMAND (nat_ha_flush_command, static) = {
2039 .path = "nat ha flush",
2040 .short_help = "nat ha flush",
2041 .function = nat_ha_flush_command_fn,
2046 * @cliexstart{nat ha resync}
2047 * Resync HA (resend existing sessions to new failover)
2050 VLIB_CLI_COMMAND (nat_ha_resync_command, static) = {
2051 .path = "nat ha resync",
2052 .short_help = "nat ha resync",
2053 .function = nat_ha_resync_command_fn,
2058 * @cliexstart{show nat44 hash tables}
2059 * Show NAT44 hash tables
2062 VLIB_CLI_COMMAND (nat44_show_hash, static) = {
2063 .path = "show nat44 hash tables",
2064 .short_help = "show nat44 hash tables [detail|verbose]",
2065 .function = nat44_show_hash_command_fn,
2070 * @cliexstart{nat44 add address}
2071 * Add/delete NAT44 pool address.
2072 * To add NAT44 pool address use:
2073 * vpp# nat44 add address 172.16.1.3
2074 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
2075 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
2076 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
2079 VLIB_CLI_COMMAND (add_address_command, static) = {
2080 .path = "nat44 add address",
2081 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
2082 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
2083 .function = add_address_command_fn,
2088 * @cliexstart{show nat44 summary}
2089 * Show NAT44 summary
2090 * vpp# show nat44 summary
2093 VLIB_CLI_COMMAND (nat44_show_summary_command, static) = {
2094 .path = "show nat44 summary",
2095 .short_help = "show nat44 summary",
2096 .function = nat44_show_summary_command_fn,
2101 * @cliexstart{show nat44 addresses}
2102 * Show NAT44 pool addresses.
2103 * vpp# show nat44 addresses
2104 * NAT44 pool addresses:
2106 * tenant VRF independent
2115 * NAT44 twice-nat pool addresses:
2117 * tenant VRF independent
2123 VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
2124 .path = "show nat44 addresses",
2125 .short_help = "show nat44 addresses",
2126 .function = nat44_show_addresses_command_fn,
2131 * @cliexstart{set interface nat44}
2132 * Enable/disable NAT44 feature on the interface.
2133 * To enable NAT44 feature with local network interface use:
2134 * vpp# set interface nat44 in GigabitEthernet0/8/0
2135 * To enable NAT44 feature with external network interface use:
2136 * vpp# set interface nat44 out GigabitEthernet0/a/0
2139 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
2140 .path = "set interface nat44",
2141 .function = snat_feature_command_fn,
2142 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
2148 * @cliexstart{show nat44 interfaces}
2149 * Show interfaces with NAT44 feature.
2150 * vpp# show nat44 interfaces
2152 * GigabitEthernet0/8/0 in
2153 * GigabitEthernet0/a/0 out
2156 VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
2157 .path = "show nat44 interfaces",
2158 .short_help = "show nat44 interfaces",
2159 .function = nat44_show_interfaces_command_fn,
2164 * @cliexstart{nat44 add static mapping}
2165 * Static mapping allows hosts on the external network to initiate connection
2166 * to to the local network host.
2167 * To create static mapping between local host address 10.0.0.3 port 6303 and
2168 * external address 4.4.4.4 port 3606 for TCP protocol use:
2169 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
2170 * If not runnig "static mapping only" NAT plugin mode use before:
2171 * vpp# nat44 add address 4.4.4.4
2172 * To create address only static mapping between local and external address use:
2173 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
2174 * To create ICMP static mapping between local and external with ICMP echo
2175 * identifier 10 use:
2176 * vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
2179 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
2180 .path = "nat44 add static mapping",
2181 .function = add_static_mapping_command_fn,
2183 "nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
2184 "external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
2185 "[out2in-only] [del]",
2190 * @cliexstart{nat44 add identity mapping}
2191 * Identity mapping translate an IP address to itself.
2192 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
2194 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
2195 * To create identity mapping for address 10.0.0.3 use:
2196 * vpp# nat44 add identity mapping 10.0.0.3
2197 * To create identity mapping for DHCP addressed interface use:
2198 * vpp# nat44 add identity mapping external GigabitEthernet0/a/0 tcp 3606
2201 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
2202 .path = "nat44 add identity mapping",
2203 .function = add_identity_mapping_command_fn,
2204 .short_help = "nat44 add identity mapping <ip4-addr>|external <interface> "
2205 "[<protocol> <port>] [vrf <table-id>] [del]",
2210 * @cliexstart{nat44 add load-balancing static mapping}
2211 * Service load balancing using NAT44
2212 * To add static mapping with load balancing for service with external IP
2213 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
2214 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
2215 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
2218 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
2219 .path = "nat44 add load-balancing static mapping",
2220 .function = add_lb_static_mapping_command_fn,
2222 "nat44 add load-balancing static mapping protocol tcp|udp "
2223 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2224 "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
2225 "[affinity <timeout-seconds>] [del]",
2230 * @cliexstart{nat44 add load-balancing static mapping}
2231 * Modify service load balancing using NAT44
2232 * To add new back-end server 10.100.10.30:8080 for service load balancing
2233 * static mapping with external IP address 1.2.3.4 and TCP port 80 use:
2234 * vpp# nat44 add load-balancing back-end protocol tcp external 1.2.3.4:80 local 10.100.10.30:8080 probability 25
2237 VLIB_CLI_COMMAND (add_lb_backend_command, static) = {
2238 .path = "nat44 add load-balancing back-end",
2239 .function = add_lb_backend_command_fn,
2241 "nat44 add load-balancing back-end protocol tcp|udp "
2242 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2243 "probability <n> [del]",
2248 * @cliexstart{show nat44 static mappings}
2249 * Show NAT44 static mappings.
2250 * vpp# show nat44 static mappings
2251 * NAT44 static mappings:
2252 * local 10.0.0.3 external 4.4.4.4 vrf 0
2253 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
2254 * tcp vrf 0 external 1.2.3.4:80 out2in-only
2255 * local 10.100.10.10:8080 probability 80
2256 * local 10.100.10.20:8080 probability 20
2257 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
2258 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
2261 VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
2262 .path = "show nat44 static mappings",
2263 .short_help = "show nat44 static mappings",
2264 .function = nat44_show_static_mappings_command_fn,
2269 * @cliexstart{nat44 add interface address}
2270 * Use NAT44 pool address from specific interfce
2271 * To add NAT44 pool address from specific interface use:
2272 * vpp# nat44 add interface address GigabitEthernet0/8/0
2275 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2276 .path = "nat44 add interface address",
2277 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
2278 .function = snat_add_interface_address_command_fn,
2283 * @cliexstart{show nat44 interface address}
2284 * Show NAT44 pool address interfaces
2285 * vpp# show nat44 interface address
2286 * NAT44 pool address interfaces:
2287 * GigabitEthernet0/a/0
2288 * NAT44 twice-nat pool address interfaces:
2289 * GigabitEthernet0/8/0
2292 VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
2293 .path = "show nat44 interface address",
2294 .short_help = "show nat44 interface address",
2295 .function = nat44_show_interface_address_command_fn,
2300 * @cliexstart{show nat44 sessions}
2301 * Show NAT44 sessions.
2304 VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
2305 .path = "show nat44 sessions",
2306 .short_help = "show nat44 sessions [detail|metrics]",
2307 .function = nat44_show_sessions_command_fn,
2312 * @cliexstart{set nat44 session limit}
2313 * Set NAT44 session limit.
2316 VLIB_CLI_COMMAND (nat44_set_session_limit_command, static) = {
2317 .path = "set nat44 session limit",
2318 .short_help = "set nat44 session limit <limit> [vrf <table-id>]",
2319 .function = nat44_set_session_limit_command_fn,
2324 * @cliexstart{nat44 del user}
2325 * To delete all NAT44 user sessions:
2326 * vpp# nat44 del user 10.0.0.3
2329 VLIB_CLI_COMMAND (nat44_del_user_command, static) = {
2330 .path = "nat44 del user",
2331 .short_help = "nat44 del user <addr> [fib <index>]",
2332 .function = nat44_del_user_command_fn,
2337 * @cliexstart{clear nat44 sessions}
2338 * To clear all NAT44 sessions
2339 * vpp# clear nat44 sessions
2342 VLIB_CLI_COMMAND (nat44_clear_sessions_command, static) = {
2343 .path = "clear nat44 sessions",
2344 .short_help = "clear nat44 sessions",
2345 .function = nat44_clear_sessions_command_fn,
2350 * @cliexstart{nat44 del session}
2351 * To administratively delete NAT44 session by inside address and port use:
2352 * vpp# nat44 del session in 10.0.0.3:6303 tcp
2353 * To administratively delete NAT44 session by outside address and port use:
2354 * vpp# nat44 del session out 1.0.0.3:6033 udp
2357 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
2358 .path = "nat44 del session",
2359 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
2360 .function = nat44_del_session_command_fn,
2365 * @cliexstart{nat44 forwarding}
2366 * Enable or disable forwarding
2367 * Forward packets which don't match existing translation
2368 * or static mapping instead of dropping them.
2369 * To enable forwarding, use:
2370 * vpp# nat44 forwarding enable
2371 * To disable forwarding, use:
2372 * vpp# nat44 forwarding disable
2375 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
2376 .path = "nat44 forwarding",
2377 .short_help = "nat44 forwarding enable|disable",
2378 .function = snat_forwarding_set_command_fn,
2384 * fd.io coding-style-patch-verification: ON
2387 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob