2 * Copyright (c) 2018 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
21 #include <nat/lib/ipfix_logging.h>
22 #include <nat/lib/nat_inlines.h>
23 #include <nat/nat_inlines.h>
24 #include <nat/nat44/inlines.h>
25 #include <nat/nat_affinity.h>
26 #include <vnet/fib/fib_table.h>
28 #include <nat/nat44-ei/nat44_ei_ha.h>
29 #include <nat/nat44-ei/nat44_ei.h>
31 #define UNSUPPORTED_IN_ED_MODE_STR \
32 "This command is unsupported in endpoint dependent mode"
33 #define SUPPORTED_ONLY_IN_ED_MODE_STR \
34 "This command is supported only in endpoint dependent mode"
37 nat44_enable_command_fn (vlib_main_t * vm,
38 unformat_input_t * input, vlib_cli_command_t * cmd)
40 snat_main_t *sm = &snat_main;
41 unformat_input_t _line_input, *line_input = &_line_input;
42 clib_error_t *error = 0;
44 nat44_config_t c = { 0 };
48 return clib_error_return (0, "nat44 already enabled");
50 /* Get a line of input. */
51 if (!unformat_user (input, unformat_line_input, line_input))
53 if (nat44_plugin_enable (c) != 0)
54 return clib_error_return (0, "nat44 enable failed");
58 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
60 if (!mode_set && unformat (line_input, "static-mapping-only"))
63 c.static_mapping_only = 1;
64 if (unformat (line_input, "connection-tracking"))
66 c.connection_tracking = 1;
69 else if (!mode_set && unformat (line_input, "out2in-dpo"))
74 else if (!mode_set && unformat (line_input, "endpoint-dependent"))
77 c.endpoint_dependent = 1;
79 else if (unformat (line_input, "inside-vrf %u", &c.inside_vrf));
80 else if (unformat (line_input, "outside-vrf %u", &c.outside_vrf));
81 else if (unformat (line_input, "users %u", &c.users));
82 else if (unformat (line_input, "sessions %u", &c.sessions));
83 else if (unformat (line_input, "user-sessions %u", &c.user_sessions));
86 error = clib_error_return (0, "unknown input '%U'",
87 format_unformat_error, line_input);
94 error = clib_error_return (0, "number of sessions is required");
98 if (nat44_plugin_enable (c) != 0)
99 error = clib_error_return (0, "nat44 enable failed");
101 unformat_free (line_input);
105 static clib_error_t *
106 nat44_disable_command_fn (vlib_main_t * vm,
107 unformat_input_t * input, vlib_cli_command_t * cmd)
109 snat_main_t *sm = &snat_main;
110 clib_error_t *error = 0;
113 return clib_error_return (0, "nat44 already disabled");
115 if (nat44_plugin_disable () != 0)
116 error = clib_error_return (0, "nat44 disable failed");
121 static clib_error_t *
122 set_workers_command_fn (vlib_main_t * vm,
123 unformat_input_t * input, vlib_cli_command_t * cmd)
125 unformat_input_t _line_input, *line_input = &_line_input;
128 clib_error_t *error = 0;
130 /* Get a line of input. */
131 if (!unformat_user (input, unformat_line_input, line_input))
134 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
136 if (unformat (line_input, "%U", unformat_bitmap_list, &bitmap))
140 error = clib_error_return (0, "unknown input '%U'",
141 format_unformat_error, line_input);
148 error = clib_error_return (0, "List of workers must be specified.");
152 rv = snat_set_workers (bitmap);
154 clib_bitmap_free (bitmap);
158 case VNET_API_ERROR_INVALID_WORKER:
159 error = clib_error_return (0, "Invalid worker(s).");
161 case VNET_API_ERROR_FEATURE_DISABLED:
162 error = clib_error_return (0,
163 "Supported only if 2 or more workes available.");
170 unformat_free (line_input);
175 static clib_error_t *
176 nat_show_workers_commnad_fn (vlib_main_t * vm, unformat_input_t * input,
177 vlib_cli_command_t * cmd)
179 snat_main_t *sm = &snat_main;
182 if (sm->num_workers > 1)
184 vlib_cli_output (vm, "%d workers", vec_len (sm->workers));
186 vec_foreach (worker, sm->workers)
188 vlib_worker_thread_t *w =
189 vlib_worker_threads + *worker + sm->first_worker_index;
190 vlib_cli_output (vm, " %s", w->name);
198 static clib_error_t *
199 snat_set_log_level_command_fn (vlib_main_t * vm,
200 unformat_input_t * input,
201 vlib_cli_command_t * cmd)
203 unformat_input_t _line_input, *line_input = &_line_input;
204 snat_main_t *sm = &snat_main;
205 u8 log_level = SNAT_LOG_NONE;
206 clib_error_t *error = 0;
208 /* Get a line of input. */
209 if (!unformat_user (input, unformat_line_input, line_input))
212 if (!unformat (line_input, "%d", &log_level))
214 error = clib_error_return (0, "unknown input '%U'",
215 format_unformat_error, line_input);
218 if (log_level > SNAT_LOG_DEBUG)
220 error = clib_error_return (0, "unknown logging level '%d'", log_level);
223 sm->log_level = log_level;
226 unformat_free (line_input);
231 static clib_error_t *
232 snat_ipfix_logging_enable_disable_command_fn (vlib_main_t * vm,
233 unformat_input_t * input,
234 vlib_cli_command_t * cmd)
236 unformat_input_t _line_input, *line_input = &_line_input;
241 clib_error_t *error = 0;
243 /* Get a line of input. */
244 if (!unformat_user (input, unformat_line_input, line_input))
246 rv = nat_ipfix_logging_enable_disable (enable, domain_id,
249 return clib_error_return (0, "ipfix logging enable failed");
253 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
255 if (unformat (line_input, "domain %d", &domain_id))
257 else if (unformat (line_input, "src-port %d", &src_port))
259 else if (unformat (line_input, "disable"))
263 error = clib_error_return (0, "unknown input '%U'",
264 format_unformat_error, line_input);
269 rv = nat_ipfix_logging_enable_disable (enable, domain_id, (u16) src_port);
273 error = clib_error_return (0, "ipfix logging enable failed");
278 unformat_free (line_input);
283 static clib_error_t *
284 nat44_show_hash_command_fn (vlib_main_t * vm, unformat_input_t * input,
285 vlib_cli_command_t * cmd)
287 snat_main_t *sm = &snat_main;
288 snat_main_per_thread_data_t *tsm;
289 nat_affinity_main_t *nam = &nat_affinity_main;
293 if (unformat (input, "detail"))
295 else if (unformat (input, "verbose"))
298 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->static_mapping_by_local,
300 vlib_cli_output (vm, "%U",
301 format_bihash_8_8, &sm->static_mapping_by_external,
303 if (sm->endpoint_dependent)
305 vlib_cli_output (vm, "%U", format_bihash_16_8, &sm->flow_hash, verbose);
309 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->in2out, verbose);
310 vlib_cli_output (vm, "%U", format_bihash_8_8, &sm->out2in, verbose);
312 vec_foreach_index (i, sm->per_thread_data)
314 tsm = vec_elt_at_index (sm->per_thread_data, i);
315 vlib_cli_output (vm, "-------- thread %d %s --------\n",
316 i, vlib_worker_threads[i].name);
317 vlib_cli_output (vm, "%U", format_bihash_8_8, &tsm->user_hash, verbose);
320 if (sm->endpoint_dependent)
322 vlib_cli_output (vm, "%U", format_bihash_16_8, &nam->affinity_hash,
326 vlib_cli_output (vm, "-------- hash table parameters --------\n");
327 vlib_cli_output (vm, "translation buckets: %u", sm->translation_buckets);
328 if (!sm->endpoint_dependent)
330 vlib_cli_output (vm, "user buckets: %u", sm->user_buckets);
335 static clib_error_t *
336 nat44_set_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
337 unformat_input_t * input,
338 vlib_cli_command_t * cmd)
340 unformat_input_t _line_input, *line_input = &_line_input;
341 clib_error_t *error = 0;
342 u32 psid, psid_offset, psid_length, port_start, port_end;
343 snat_main_t *sm = &snat_main;
345 if (sm->endpoint_dependent)
346 return clib_error_return (0, UNSUPPORTED_IN_ED_MODE_STR);
348 /* Get a line of input. */
349 if (!unformat_user (input, unformat_line_input, line_input))
352 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
354 if (unformat (line_input, "default"))
355 nat44_ei_set_alloc_default ();
358 (line_input, "map-e psid %d psid-offset %d psid-len %d", &psid,
359 &psid_offset, &psid_length))
360 nat44_ei_set_alloc_mape ((u16) psid, (u16) psid_offset,
364 (line_input, "port-range %d - %d", &port_start, &port_end))
366 if (port_end <= port_start)
369 clib_error_return (0,
370 "The end-port must be greater than start-port");
373 nat44_ei_set_alloc_range ((u16) port_start, (u16) port_end);
377 error = clib_error_return (0, "unknown input '%U'",
378 format_unformat_error, line_input);
384 unformat_free (line_input);
389 static clib_error_t *
390 nat44_show_alloc_addr_and_port_alg_command_fn (vlib_main_t * vm,
391 unformat_input_t * input,
392 vlib_cli_command_t * cmd)
394 snat_main_t *sm = &snat_main;
396 vlib_cli_output (vm, "NAT address and port: %U",
397 format_nat_addr_and_port_alloc_alg,
398 sm->addr_and_port_alloc_alg);
399 switch (sm->addr_and_port_alloc_alg)
401 case NAT_ADDR_AND_PORT_ALLOC_ALG_MAPE:
402 vlib_cli_output (vm, " psid %d psid-offset %d psid-len %d", sm->psid,
403 sm->psid_offset, sm->psid_length);
405 case NAT_ADDR_AND_PORT_ALLOC_ALG_RANGE:
406 vlib_cli_output (vm, " start-port %d end-port %d", sm->start_port,
416 static clib_error_t *
417 nat_set_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
418 vlib_cli_command_t * cmd)
420 unformat_input_t _line_input, *line_input = &_line_input;
421 snat_main_t *sm = &snat_main;
422 clib_error_t *error = 0;
425 /* Get a line of input. */
426 if (!unformat_user (input, unformat_line_input, line_input))
429 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
431 if (unformat (line_input, "disable"))
432 sm->mss_clamping = 0;
433 else if (unformat (line_input, "%d", &mss))
434 sm->mss_clamping = (u16) mss;
437 error = clib_error_return (0, "unknown input '%U'",
438 format_unformat_error, line_input);
444 unformat_free (line_input);
449 static clib_error_t *
450 nat_show_mss_clamping_command_fn (vlib_main_t * vm, unformat_input_t * input,
451 vlib_cli_command_t * cmd)
453 snat_main_t *sm = &snat_main;
455 if (sm->mss_clamping)
456 vlib_cli_output (vm, "mss-clamping %d", sm->mss_clamping);
458 vlib_cli_output (vm, "mss-clamping disabled");
463 static clib_error_t *
464 nat_ha_failover_command_fn (vlib_main_t * vm, unformat_input_t * input,
465 vlib_cli_command_t * cmd)
467 unformat_input_t _line_input, *line_input = &_line_input;
469 u32 port, session_refresh_interval = 10;
471 clib_error_t *error = 0;
473 /* Get a line of input. */
474 if (!unformat_user (input, unformat_line_input, line_input))
477 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
479 if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
483 (line_input, "refresh-interval %u", &session_refresh_interval))
487 error = clib_error_return (0, "unknown input '%U'",
488 format_unformat_error, line_input);
493 rv = nat_ha_set_failover (&addr, (u16) port, session_refresh_interval);
495 error = clib_error_return (0, "set HA failover failed");
498 unformat_free (line_input);
503 static clib_error_t *
504 nat_ha_listener_command_fn (vlib_main_t * vm, unformat_input_t * input,
505 vlib_cli_command_t * cmd)
507 unformat_input_t _line_input, *line_input = &_line_input;
509 u32 port, path_mtu = 512;
511 clib_error_t *error = 0;
513 /* Get a line of input. */
514 if (!unformat_user (input, unformat_line_input, line_input))
517 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
519 if (unformat (line_input, "%U:%u", unformat_ip4_address, &addr, &port))
521 else if (unformat (line_input, "path-mtu %u", &path_mtu))
525 error = clib_error_return (0, "unknown input '%U'",
526 format_unformat_error, line_input);
531 rv = nat_ha_set_listener (&addr, (u16) port, path_mtu);
533 error = clib_error_return (0, "set HA listener failed");
536 unformat_free (line_input);
541 static clib_error_t *
542 nat_show_ha_command_fn (vlib_main_t * vm, unformat_input_t * input,
543 vlib_cli_command_t * cmd)
547 u32 path_mtu, session_refresh_interval, resync_ack_missed;
550 nat_ha_get_listener (&addr, &port, &path_mtu);
553 vlib_cli_output (vm, "NAT HA disabled\n");
557 vlib_cli_output (vm, "LISTENER:\n");
558 vlib_cli_output (vm, " %U:%u path-mtu %u\n",
559 format_ip4_address, &addr, port, path_mtu);
561 nat_ha_get_failover (&addr, &port, &session_refresh_interval);
562 vlib_cli_output (vm, "FAILOVER:\n");
564 vlib_cli_output (vm, " %U:%u refresh-interval %usec\n",
565 format_ip4_address, &addr, port,
566 session_refresh_interval);
568 vlib_cli_output (vm, " NA\n");
570 nat_ha_get_resync_status (&in_resync, &resync_ack_missed);
571 vlib_cli_output (vm, "RESYNC:\n");
573 vlib_cli_output (vm, " in progress\n");
575 vlib_cli_output (vm, " completed (%d ACK missed)\n", resync_ack_missed);
580 static clib_error_t *
581 nat_ha_flush_command_fn (vlib_main_t * vm, unformat_input_t * input,
582 vlib_cli_command_t * cmd)
588 static clib_error_t *
589 nat_ha_resync_command_fn (vlib_main_t * vm, unformat_input_t * input,
590 vlib_cli_command_t * cmd)
592 clib_error_t *error = 0;
594 if (nat_ha_resync (0, 0, 0))
595 error = clib_error_return (0, "NAT HA resync already running");
600 static clib_error_t *
601 add_address_command_fn (vlib_main_t * vm,
602 unformat_input_t * input, vlib_cli_command_t * cmd)
604 unformat_input_t _line_input, *line_input = &_line_input;
605 snat_main_t *sm = &snat_main;
606 ip4_address_t start_addr, end_addr, this_addr;
607 u32 start_host_order, end_host_order;
612 clib_error_t *error = 0;
615 /* Get a line of input. */
616 if (!unformat_user (input, unformat_line_input, line_input))
619 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
621 if (unformat (line_input, "%U - %U",
622 unformat_ip4_address, &start_addr,
623 unformat_ip4_address, &end_addr))
625 else if (unformat (line_input, "tenant-vrf %u", &vrf_id))
627 else if (unformat (line_input, "%U", unformat_ip4_address, &start_addr))
628 end_addr = start_addr;
629 else if (unformat (line_input, "twice-nat"))
631 else if (unformat (line_input, "del"))
635 error = clib_error_return (0, "unknown input '%U'",
636 format_unformat_error, line_input);
641 if (sm->static_mapping_only)
643 error = clib_error_return (0, "static mapping only mode");
647 start_host_order = clib_host_to_net_u32 (start_addr.as_u32);
648 end_host_order = clib_host_to_net_u32 (end_addr.as_u32);
650 if (end_host_order < start_host_order)
652 error = clib_error_return (0, "end address less than start address");
656 count = (end_host_order - start_host_order) + 1;
659 nat_log_info ("%U - %U, %d addresses...",
660 format_ip4_address, &start_addr,
661 format_ip4_address, &end_addr, count);
663 this_addr = start_addr;
665 for (i = 0; i < count; i++)
668 rv = snat_add_address (sm, &this_addr, vrf_id, twice_nat);
670 rv = snat_del_address (sm, this_addr, 0, twice_nat);
674 case VNET_API_ERROR_VALUE_EXIST:
675 error = clib_error_return (0, "NAT address already in use.");
677 case VNET_API_ERROR_NO_SUCH_ENTRY:
678 error = clib_error_return (0, "NAT address not exist.");
680 case VNET_API_ERROR_UNSPECIFIED:
682 clib_error_return (0, "NAT address used in static mapping.");
684 case VNET_API_ERROR_FEATURE_DISABLED:
686 clib_error_return (0,
687 "twice NAT available only for endpoint-dependent mode.");
694 nat44_add_del_address_dpo (this_addr, is_add);
696 increment_v4_address (&this_addr);
700 unformat_free (line_input);
706 nat44_show_lru_summary (vlib_main_t * vm, snat_main_per_thread_data_t * tsm,
707 u64 now, u64 sess_timeout_time)
709 snat_main_t *sm = &snat_main;
710 dlist_elt_t *oldest_elt;
716 clib_dlist_remove_head (tsm->lru_pool, tsm->n##_lru_head_index); \
717 if (~0 != oldest_index) \
719 oldest_elt = pool_elt_at_index (tsm->lru_pool, oldest_index); \
720 s = pool_elt_at_index (tsm->sessions, oldest_elt->value); \
721 sess_timeout_time = \
722 s->last_heard + (f64)nat44_session_get_timeout (sm, s); \
723 vlib_cli_output (vm, d " LRU min session timeout %llu (now %llu)", \
724 sess_timeout_time, now); \
725 clib_dlist_addhead (tsm->lru_pool, tsm->n##_lru_head_index, \
728 _(tcp_estab, "established tcp");
729 _(tcp_trans, "transitory tcp");
731 _(unk_proto, "unknown protocol");
736 static clib_error_t *
737 nat44_show_summary_command_fn (vlib_main_t * vm, unformat_input_t * input,
738 vlib_cli_command_t * cmd)
740 snat_main_per_thread_data_t *tsm;
741 snat_main_t *sm = &snat_main;
744 if (!sm->endpoint_dependent)
745 return clib_error_return (0, SUPPORTED_ONLY_IN_ED_MODE_STR);
749 u64 now = vlib_time_now (vm);
750 u64 sess_timeout_time = 0;
752 u32 udp_sessions = 0;
753 u32 tcp_sessions = 0;
754 u32 icmp_sessions = 0;
758 u32 transitory_wait_closed = 0;
759 u32 transitory_closed = 0;
764 for (fib = 0; fib < vec_len (sm->max_translations_per_fib); fib++)
765 vlib_cli_output (vm, "max translations per thread: %u fib %u",
766 sm->max_translations_per_fib[fib], fib);
768 if (sm->num_workers > 1)
771 vec_foreach (tsm, sm->per_thread_data)
773 pool_foreach (s, tsm->sessions)
775 sess_timeout_time = s->last_heard +
776 (f64) nat44_session_get_timeout (sm, s);
777 if (now >= sess_timeout_time)
780 switch (s->nat_proto)
782 case NAT_PROTOCOL_ICMP:
785 case NAT_PROTOCOL_TCP:
789 if (s->tcp_closed_timestamp)
791 if (now >= s->tcp_closed_timestamp)
797 ++transitory_wait_closed;
805 case NAT_PROTOCOL_UDP:
811 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
812 count += pool_elts (tsm->sessions);
818 tsm = vec_elt_at_index (sm->per_thread_data, sm->num_workers);
820 pool_foreach (s, tsm->sessions)
822 sess_timeout_time = s->last_heard +
823 (f64) nat44_session_get_timeout (sm, s);
824 if (now >= sess_timeout_time)
827 switch (s->nat_proto)
829 case NAT_PROTOCOL_ICMP:
832 case NAT_PROTOCOL_TCP:
836 if (s->tcp_closed_timestamp)
838 if (now >= s->tcp_closed_timestamp)
844 ++transitory_wait_closed;
852 case NAT_PROTOCOL_UDP:
859 nat44_show_lru_summary (vm, tsm, now, sess_timeout_time);
860 count = pool_elts (tsm->sessions);
863 vlib_cli_output (vm, "total timed out sessions: %u", timed_out);
864 vlib_cli_output (vm, "total sessions: %u", count);
865 vlib_cli_output (vm, "total tcp sessions: %u", tcp_sessions);
866 vlib_cli_output (vm, "total tcp established sessions: %u", established);
867 vlib_cli_output (vm, "total tcp transitory sessions: %u", transitory);
868 vlib_cli_output (vm, "total tcp transitory (WAIT-CLOSED) sessions: %u",
869 transitory_wait_closed);
870 vlib_cli_output (vm, "total tcp transitory (CLOSED) sessions: %u",
872 vlib_cli_output (vm, "total udp sessions: %u", udp_sessions);
873 vlib_cli_output (vm, "total icmp sessions: %u", icmp_sessions);
877 static clib_error_t *
878 nat44_show_addresses_command_fn (vlib_main_t * vm, unformat_input_t * input,
879 vlib_cli_command_t * cmd)
881 snat_main_t *sm = &snat_main;
884 vlib_cli_output (vm, "NAT44 pool addresses:");
886 vec_foreach (ap, sm->addresses)
888 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
889 if (ap->fib_index != ~0)
890 vlib_cli_output (vm, " tenant VRF: %u",
891 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
893 vlib_cli_output (vm, " tenant VRF independent");
894 #define _(N, i, n, s) \
895 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
899 vlib_cli_output (vm, "NAT44 twice-nat pool addresses:");
900 vec_foreach (ap, sm->twice_nat_addresses)
902 vlib_cli_output (vm, "%U", format_ip4_address, &ap->addr);
903 if (ap->fib_index != ~0)
904 vlib_cli_output (vm, " tenant VRF: %u",
905 fib_table_get(ap->fib_index, FIB_PROTOCOL_IP4)->ft_table_id);
907 vlib_cli_output (vm, " tenant VRF independent");
908 #define _(N, i, n, s) \
909 vlib_cli_output (vm, " %d busy %s ports", ap->busy_##n##_ports, s);
917 static clib_error_t *
918 snat_feature_command_fn (vlib_main_t * vm,
919 unformat_input_t * input, vlib_cli_command_t * cmd)
921 unformat_input_t _line_input, *line_input = &_line_input;
922 vnet_main_t *vnm = vnet_get_main ();
923 clib_error_t *error = 0;
925 u32 *inside_sw_if_indices = 0;
926 u32 *outside_sw_if_indices = 0;
927 u8 is_output_feature = 0;
933 /* Get a line of input. */
934 if (!unformat_user (input, unformat_line_input, line_input))
937 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
939 if (unformat (line_input, "in %U", unformat_vnet_sw_interface,
941 vec_add1 (inside_sw_if_indices, sw_if_index);
942 else if (unformat (line_input, "out %U", unformat_vnet_sw_interface,
944 vec_add1 (outside_sw_if_indices, sw_if_index);
945 else if (unformat (line_input, "output-feature"))
946 is_output_feature = 1;
947 else if (unformat (line_input, "del"))
951 error = clib_error_return (0, "unknown input '%U'",
952 format_unformat_error, line_input);
957 if (vec_len (inside_sw_if_indices))
959 for (i = 0; i < vec_len (inside_sw_if_indices); i++)
961 sw_if_index = inside_sw_if_indices[i];
962 if (is_output_feature)
964 if (snat_interface_add_del_output_feature
965 (sw_if_index, 1, is_del))
967 error = clib_error_return (0, "%s %U failed",
968 is_del ? "del" : "add",
969 format_vnet_sw_if_index_name,
976 if (snat_interface_add_del (sw_if_index, 1, is_del))
978 error = clib_error_return (0, "%s %U failed",
979 is_del ? "del" : "add",
980 format_vnet_sw_if_index_name,
988 if (vec_len (outside_sw_if_indices))
990 for (i = 0; i < vec_len (outside_sw_if_indices); i++)
992 sw_if_index = outside_sw_if_indices[i];
993 if (is_output_feature)
995 if (snat_interface_add_del_output_feature
996 (sw_if_index, 0, is_del))
998 error = clib_error_return (0, "%s %U failed",
999 is_del ? "del" : "add",
1000 format_vnet_sw_if_index_name,
1007 if (snat_interface_add_del (sw_if_index, 0, is_del))
1009 error = clib_error_return (0, "%s %U failed",
1010 is_del ? "del" : "add",
1011 format_vnet_sw_if_index_name,
1020 unformat_free (line_input);
1021 vec_free (inside_sw_if_indices);
1022 vec_free (outside_sw_if_indices);
1027 static clib_error_t *
1028 nat44_show_interfaces_command_fn (vlib_main_t * vm, unformat_input_t * input,
1029 vlib_cli_command_t * cmd)
1031 snat_main_t *sm = &snat_main;
1032 snat_interface_t *i;
1033 vnet_main_t *vnm = vnet_get_main ();
1035 vlib_cli_output (vm, "NAT44 interfaces:");
1037 pool_foreach (i, sm->interfaces)
1039 vlib_cli_output (vm, " %U %s", format_vnet_sw_if_index_name, vnm,
1041 (nat_interface_is_inside(i) &&
1042 nat_interface_is_outside(i)) ? "in out" :
1043 (nat_interface_is_inside(i) ? "in" : "out"));
1046 pool_foreach (i, sm->output_feature_interfaces)
1048 vlib_cli_output (vm, " %U output-feature %s",
1049 format_vnet_sw_if_index_name, vnm,
1051 (nat_interface_is_inside(i) &&
1052 nat_interface_is_outside(i)) ? "in out" :
1053 (nat_interface_is_inside(i) ? "in" : "out"));
1060 static clib_error_t *
1061 add_static_mapping_command_fn (vlib_main_t * vm,
1062 unformat_input_t * input,
1063 vlib_cli_command_t * cmd)
1065 unformat_input_t _line_input, *line_input = &_line_input;
1066 clib_error_t *error = 0;
1067 ip4_address_t l_addr, e_addr, exact_addr;
1068 u32 l_port = 0, e_port = 0, vrf_id = ~0;
1069 int is_add = 1, addr_only = 1, rv, exact = 0;
1070 u32 sw_if_index = ~0;
1071 vnet_main_t *vnm = vnet_get_main ();
1072 nat_protocol_t proto = NAT_PROTOCOL_OTHER;
1074 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
1077 /* Get a line of input. */
1078 if (!unformat_user (input, unformat_line_input, line_input))
1081 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1083 if (unformat (line_input, "local %U %u", unformat_ip4_address, &l_addr,
1087 if (unformat (line_input, "local %U", unformat_ip4_address, &l_addr))
1089 else if (unformat (line_input, "external %U %u", unformat_ip4_address,
1092 else if (unformat (line_input, "external %U", unformat_ip4_address,
1095 else if (unformat (line_input, "external %U %u",
1096 unformat_vnet_sw_interface, vnm, &sw_if_index,
1099 else if (unformat (line_input, "external %U",
1100 unformat_vnet_sw_interface, vnm, &sw_if_index))
1102 else if (unformat (line_input, "exact %U", unformat_ip4_address,
1105 else if (unformat (line_input, "vrf %u", &vrf_id))
1107 else if (unformat (line_input, "%U", unformat_nat_protocol, &proto))
1109 else if (unformat (line_input, "twice-nat"))
1110 twice_nat = TWICE_NAT;
1111 else if (unformat (line_input, "self-twice-nat"))
1112 twice_nat = TWICE_NAT_SELF;
1113 else if (unformat (line_input, "out2in-only"))
1115 else if (unformat (line_input, "del"))
1119 error = clib_error_return (0, "unknown input: '%U'",
1120 format_unformat_error, line_input);
1125 if (twice_nat && addr_only)
1127 error = clib_error_return (0, "twice NAT only for 1:1 NAPT");
1136 clib_error_return (0,
1137 "address only mapping doesn't support protocol");
1141 else if (!proto_set)
1143 error = clib_error_return (0, "protocol is required");
1147 rv = snat_add_static_mapping (
1148 l_addr, e_addr, clib_host_to_net_u16 (l_port),
1149 clib_host_to_net_u16 (e_port), vrf_id, addr_only, sw_if_index, proto,
1150 is_add, twice_nat, out2in_only, 0, 0, exact_addr, exact);
1154 case VNET_API_ERROR_INVALID_VALUE:
1155 error = clib_error_return (0, "External port already in use.");
1157 case VNET_API_ERROR_NO_SUCH_ENTRY:
1159 error = clib_error_return (0, "External address must be allocated.");
1161 error = clib_error_return (0, "Mapping not exist.");
1163 case VNET_API_ERROR_NO_SUCH_FIB:
1164 error = clib_error_return (0, "No such VRF id.");
1166 case VNET_API_ERROR_VALUE_EXIST:
1167 error = clib_error_return (0, "Mapping already exist.");
1169 case VNET_API_ERROR_FEATURE_DISABLED:
1171 clib_error_return (0,
1172 "twice-nat/out2in-only available only for endpoint-dependent mode.");
1179 unformat_free (line_input);
1184 static clib_error_t *
1185 add_identity_mapping_command_fn (vlib_main_t * vm,
1186 unformat_input_t * input,
1187 vlib_cli_command_t * cmd)
1189 unformat_input_t _line_input, *line_input = &_line_input;
1190 clib_error_t *error = 0;
1191 ip4_address_t addr, pool_addr = { 0 };
1192 u32 port = 0, vrf_id = ~0;
1195 u32 sw_if_index = ~0;
1196 vnet_main_t *vnm = vnet_get_main ();
1198 nat_protocol_t proto;
1202 /* Get a line of input. */
1203 if (!unformat_user (input, unformat_line_input, line_input))
1206 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1208 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
1210 else if (unformat (line_input, "external %U",
1211 unformat_vnet_sw_interface, vnm, &sw_if_index))
1213 else if (unformat (line_input, "vrf %u", &vrf_id))
1215 else if (unformat (line_input, "%U %u", unformat_nat_protocol, &proto,
1218 else if (unformat (line_input, "del"))
1222 error = clib_error_return (0, "unknown input: '%U'",
1223 format_unformat_error, line_input);
1228 rv = snat_add_static_mapping (
1229 addr, addr, clib_host_to_net_u16 (port), clib_host_to_net_u16 (port),
1230 vrf_id, addr_only, sw_if_index, proto, is_add, 0, 0, 0, 1, pool_addr, 0);
1234 case VNET_API_ERROR_INVALID_VALUE:
1235 error = clib_error_return (0, "External port already in use.");
1237 case VNET_API_ERROR_NO_SUCH_ENTRY:
1239 error = clib_error_return (0, "External address must be allocated.");
1241 error = clib_error_return (0, "Mapping not exist.");
1243 case VNET_API_ERROR_NO_SUCH_FIB:
1244 error = clib_error_return (0, "No such VRF id.");
1246 case VNET_API_ERROR_VALUE_EXIST:
1247 error = clib_error_return (0, "Mapping already exist.");
1254 unformat_free (line_input);
1259 static clib_error_t *
1260 add_lb_static_mapping_command_fn (vlib_main_t * vm,
1261 unformat_input_t * input,
1262 vlib_cli_command_t * cmd)
1264 unformat_input_t _line_input, *line_input = &_line_input;
1265 clib_error_t *error = 0;
1266 ip4_address_t l_addr, e_addr;
1267 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0, affinity = 0;
1270 nat_protocol_t proto;
1272 nat44_lb_addr_port_t *locals = 0, local;
1273 twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
1276 /* Get a line of input. */
1277 if (!unformat_user (input, unformat_line_input, line_input))
1280 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1282 if (unformat (line_input, "local %U:%u probability %u",
1283 unformat_ip4_address, &l_addr, &l_port, &probability))
1285 clib_memset (&local, 0, sizeof (local));
1286 local.addr = l_addr;
1287 local.port = (u16) l_port;
1288 local.probability = (u8) probability;
1289 vec_add1 (locals, local);
1291 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1292 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1295 clib_memset (&local, 0, sizeof (local));
1296 local.addr = l_addr;
1297 local.port = (u16) l_port;
1298 local.probability = (u8) probability;
1299 local.vrf_id = vrf_id;
1300 vec_add1 (locals, local);
1302 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1305 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1308 else if (unformat (line_input, "twice-nat"))
1309 twice_nat = TWICE_NAT;
1310 else if (unformat (line_input, "self-twice-nat"))
1311 twice_nat = TWICE_NAT_SELF;
1312 else if (unformat (line_input, "out2in-only"))
1314 else if (unformat (line_input, "del"))
1316 else if (unformat (line_input, "affinity %u", &affinity))
1320 error = clib_error_return (0, "unknown input: '%U'",
1321 format_unformat_error, line_input);
1326 if (vec_len (locals) < 2)
1328 error = clib_error_return (0, "at least two local must be set");
1334 error = clib_error_return (0, "missing protocol");
1338 rv = nat44_add_del_lb_static_mapping (e_addr, (u16) e_port, proto, locals,
1339 is_add, twice_nat, out2in_only, 0,
1344 case VNET_API_ERROR_INVALID_VALUE:
1345 error = clib_error_return (0, "External port already in use.");
1347 case VNET_API_ERROR_NO_SUCH_ENTRY:
1349 error = clib_error_return (0, "External address must be allocated.");
1351 error = clib_error_return (0, "Mapping not exist.");
1353 case VNET_API_ERROR_VALUE_EXIST:
1354 error = clib_error_return (0, "Mapping already exist.");
1356 case VNET_API_ERROR_FEATURE_DISABLED:
1358 clib_error_return (0, "Available only for endpoint-dependent mode.");
1365 unformat_free (line_input);
1371 static clib_error_t *
1372 add_lb_backend_command_fn (vlib_main_t * vm,
1373 unformat_input_t * input, vlib_cli_command_t * cmd)
1375 unformat_input_t _line_input, *line_input = &_line_input;
1376 clib_error_t *error = 0;
1377 ip4_address_t l_addr, e_addr;
1378 u32 l_port = 0, e_port = 0, vrf_id = 0, probability = 0;
1381 nat_protocol_t proto;
1384 /* Get a line of input. */
1385 if (!unformat_user (input, unformat_line_input, line_input))
1388 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1390 if (unformat (line_input, "local %U:%u probability %u",
1391 unformat_ip4_address, &l_addr, &l_port, &probability))
1393 else if (unformat (line_input, "local %U:%u vrf %u probability %u",
1394 unformat_ip4_address, &l_addr, &l_port, &vrf_id,
1397 else if (unformat (line_input, "external %U:%u", unformat_ip4_address,
1400 else if (unformat (line_input, "protocol %U", unformat_nat_protocol,
1403 else if (unformat (line_input, "del"))
1407 error = clib_error_return (0, "unknown input: '%U'",
1408 format_unformat_error, line_input);
1413 if (!l_port || !e_port)
1415 error = clib_error_return (0, "local or external must be set");
1421 error = clib_error_return (0, "missing protocol");
1426 nat44_lb_static_mapping_add_del_local (e_addr, (u16) e_port, l_addr,
1427 l_port, proto, vrf_id, probability,
1432 case VNET_API_ERROR_INVALID_VALUE:
1433 error = clib_error_return (0, "External is not load-balancing static "
1436 case VNET_API_ERROR_NO_SUCH_ENTRY:
1437 error = clib_error_return (0, "Mapping or back-end not exist.");
1439 case VNET_API_ERROR_VALUE_EXIST:
1440 error = clib_error_return (0, "Back-end already exist.");
1442 case VNET_API_ERROR_FEATURE_DISABLED:
1444 clib_error_return (0, "Available only for endpoint-dependent mode.");
1446 case VNET_API_ERROR_UNSPECIFIED:
1447 error = clib_error_return (0, "At least two back-ends must remain");
1454 unformat_free (line_input);
1459 static clib_error_t *
1460 nat44_show_static_mappings_command_fn (vlib_main_t * vm,
1461 unformat_input_t * input,
1462 vlib_cli_command_t * cmd)
1464 snat_main_t *sm = &snat_main;
1465 snat_static_mapping_t *m;
1466 snat_static_map_resolve_t *rp;
1468 vlib_cli_output (vm, "NAT44 static mappings:");
1470 pool_foreach (m, sm->static_mappings)
1472 vlib_cli_output (vm, " %U", format_snat_static_mapping, m);
1474 vec_foreach (rp, sm->to_resolve)
1475 vlib_cli_output (vm, " %U", format_snat_static_map_to_resolve, rp);
1481 static clib_error_t *
1482 snat_add_interface_address_command_fn (vlib_main_t * vm,
1483 unformat_input_t * input,
1484 vlib_cli_command_t * cmd)
1486 snat_main_t *sm = &snat_main;
1487 unformat_input_t _line_input, *line_input = &_line_input;
1491 clib_error_t *error = 0;
1494 /* Get a line of input. */
1495 if (!unformat_user (input, unformat_line_input, line_input))
1498 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1500 if (unformat (line_input, "%U", unformat_vnet_sw_interface,
1501 sm->vnet_main, &sw_if_index))
1503 else if (unformat (line_input, "twice-nat"))
1505 else if (unformat (line_input, "del"))
1509 error = clib_error_return (0, "unknown input '%U'",
1510 format_unformat_error, line_input);
1515 rv = snat_add_interface_address (sm, sw_if_index, is_del, twice_nat);
1523 error = clib_error_return (0, "snat_add_interface_address returned %d",
1529 unformat_free (line_input);
1534 static clib_error_t *
1535 nat44_show_interface_address_command_fn (vlib_main_t * vm,
1536 unformat_input_t * input,
1537 vlib_cli_command_t * cmd)
1539 snat_main_t *sm = &snat_main;
1540 vnet_main_t *vnm = vnet_get_main ();
1544 vlib_cli_output (vm, "NAT44 pool address interfaces:");
1545 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices)
1547 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1550 vlib_cli_output (vm, "NAT44 twice-nat pool address interfaces:");
1551 vec_foreach (sw_if_index, sm->auto_add_sw_if_indices_twice_nat)
1553 vlib_cli_output (vm, " %U", format_vnet_sw_if_index_name, vnm,
1561 static clib_error_t *
1562 nat44_show_sessions_command_fn (vlib_main_t * vm, unformat_input_t * input,
1563 vlib_cli_command_t * cmd)
1565 unformat_input_t _line_input, *line_input = &_line_input;
1566 clib_error_t *error = 0;
1568 snat_main_per_thread_data_t *tsm;
1569 snat_main_t *sm = &snat_main;
1574 if (!unformat_user (input, unformat_line_input, line_input))
1577 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1579 if (unformat (line_input, "detail"))
1583 error = clib_error_return (0, "unknown input '%U'",
1584 format_unformat_error, line_input);
1588 unformat_free (line_input);
1591 if (!sm->endpoint_dependent)
1592 vlib_cli_output (vm, "NAT44 sessions:");
1594 vlib_cli_output (vm, "NAT44 ED sessions:");
1597 vec_foreach_index (i, sm->per_thread_data)
1599 tsm = vec_elt_at_index (sm->per_thread_data, i);
1601 vlib_cli_output (vm, "-------- thread %d %s: %d sessions --------\n",
1602 i, vlib_worker_threads[i].name,
1603 pool_elts (tsm->sessions));
1605 if (!sm->endpoint_dependent)
1608 pool_foreach (u, tsm->users)
1610 vlib_cli_output (vm, " %U", format_snat_user, tsm, u, detail);
1616 pool_foreach (s, tsm->sessions)
1618 vlib_cli_output (vm, " %U\n", format_snat_session, tsm, s);
1626 static clib_error_t *
1627 nat44_set_session_limit_command_fn (vlib_main_t * vm,
1628 unformat_input_t * input,
1629 vlib_cli_command_t * cmd)
1631 unformat_input_t _line_input, *line_input = &_line_input;
1632 clib_error_t *error = 0;
1634 u32 session_limit = 0, vrf_id = 0;
1636 /* Get a line of input. */
1637 if (!unformat_user (input, unformat_line_input, line_input))
1640 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1642 if (unformat (line_input, "%u", &session_limit))
1644 else if (unformat (line_input, "vrf %u", &vrf_id))
1648 error = clib_error_return (0, "unknown input '%U'",
1649 format_unformat_error, line_input);
1655 error = clib_error_return (0, "missing value of session limit");
1656 else if (nat44_update_session_limit (session_limit, vrf_id))
1657 error = clib_error_return (0, "nat44_set_session_limit failed");
1660 unformat_free (line_input);
1665 static clib_error_t *
1666 nat44_del_user_command_fn (vlib_main_t * vm,
1667 unformat_input_t * input, vlib_cli_command_t * cmd)
1669 snat_main_t *sm = &snat_main;
1670 unformat_input_t _line_input, *line_input = &_line_input;
1671 clib_error_t *error = 0;
1676 if (sm->endpoint_dependent)
1677 return clib_error_return (0, UNSUPPORTED_IN_ED_MODE_STR);
1679 /* Get a line of input. */
1680 if (!unformat_user (input, unformat_line_input, line_input))
1683 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1685 if (unformat (line_input, "%U", unformat_ip4_address, &addr))
1687 else if (unformat (line_input, "fib %u", &fib_index))
1691 error = clib_error_return (0, "unknown input '%U'",
1692 format_unformat_error, line_input);
1697 rv = nat44_ei_user_del (&addr, fib_index);
1701 error = clib_error_return (0, "nat44_ei_user_del returned %d", rv);
1705 unformat_free (line_input);
1710 static clib_error_t *
1711 nat44_clear_sessions_command_fn (vlib_main_t * vm,
1712 unformat_input_t * input,
1713 vlib_cli_command_t * cmd)
1715 clib_error_t *error = 0;
1716 nat44_sessions_clear ();
1720 static clib_error_t *
1721 nat44_del_session_command_fn (vlib_main_t * vm,
1722 unformat_input_t * input,
1723 vlib_cli_command_t * cmd)
1725 snat_main_t *sm = &snat_main;
1726 unformat_input_t _line_input, *line_input = &_line_input;
1727 int is_in = 0, is_ed = 0;
1728 clib_error_t *error = 0;
1729 ip4_address_t addr, eh_addr;
1730 u32 port = 0, eh_port = 0, vrf_id = sm->outside_vrf_id;
1731 nat_protocol_t proto;
1734 /* Get a line of input. */
1735 if (!unformat_user (input, unformat_line_input, line_input))
1738 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1741 (line_input, "%U:%u %U", unformat_ip4_address, &addr, &port,
1742 unformat_nat_protocol, &proto))
1744 else if (unformat (line_input, "in"))
1747 vrf_id = sm->inside_vrf_id;
1749 else if (unformat (line_input, "out"))
1752 vrf_id = sm->outside_vrf_id;
1754 else if (unformat (line_input, "vrf %u", &vrf_id))
1758 (line_input, "external-host %U:%u", unformat_ip4_address,
1759 &eh_addr, &eh_port))
1763 error = clib_error_return (0, "unknown input '%U'",
1764 format_unformat_error, line_input);
1771 nat44_del_ed_session (sm, &addr, clib_host_to_net_u16 (port), &eh_addr,
1772 clib_host_to_net_u16 (eh_port),
1773 nat_proto_to_ip_proto (proto), vrf_id, is_in);
1775 rv = nat44_ei_del_session (sm, &addr, clib_host_to_net_u16 (port), proto,
1784 error = clib_error_return (0, "nat44_del_session returned %d", rv);
1789 unformat_free (line_input);
1794 static clib_error_t *
1795 snat_forwarding_set_command_fn (vlib_main_t * vm,
1796 unformat_input_t * input,
1797 vlib_cli_command_t * cmd)
1799 snat_main_t *sm = &snat_main;
1800 unformat_input_t _line_input, *line_input = &_line_input;
1801 u8 forwarding_enable;
1802 u8 forwarding_enable_set = 0;
1803 clib_error_t *error = 0;
1805 /* Get a line of input. */
1806 if (!unformat_user (input, unformat_line_input, line_input))
1807 return clib_error_return (0, "'enable' or 'disable' expected");
1809 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1811 if (!forwarding_enable_set && unformat (line_input, "enable"))
1813 forwarding_enable = 1;
1814 forwarding_enable_set = 1;
1816 else if (!forwarding_enable_set && unformat (line_input, "disable"))
1818 forwarding_enable = 0;
1819 forwarding_enable_set = 1;
1823 error = clib_error_return (0, "unknown input '%U'",
1824 format_unformat_error, line_input);
1829 if (!forwarding_enable_set)
1831 error = clib_error_return (0, "'enable' or 'disable' expected");
1835 sm->forwarding_enabled = forwarding_enable;
1838 unformat_free (line_input);
1843 static clib_error_t *
1844 set_timeout_command_fn (vlib_main_t * vm,
1845 unformat_input_t * input, vlib_cli_command_t * cmd)
1847 snat_main_t *sm = &snat_main;
1848 unformat_input_t _line_input, *line_input = &_line_input;
1849 clib_error_t *error = 0;
1851 /* Get a line of input. */
1852 if (!unformat_user (input, unformat_line_input, line_input))
1855 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1857 if (unformat (line_input, "udp %u", &sm->timeouts.udp));
1858 else if (unformat (line_input, "tcp-established %u",
1859 &sm->timeouts.tcp.established));
1860 else if (unformat (line_input, "tcp-transitory %u",
1861 &sm->timeouts.tcp.transitory));
1862 else if (unformat (line_input, "icmp %u", &sm->timeouts.icmp));
1863 else if (unformat (line_input, "reset"))
1864 nat_reset_timeouts (&sm->timeouts);
1867 error = clib_error_return (0, "unknown input '%U'",
1868 format_unformat_error, line_input);
1873 unformat_free (line_input);
1877 static clib_error_t *
1878 nat_show_timeouts_command_fn (vlib_main_t * vm,
1879 unformat_input_t * input,
1880 vlib_cli_command_t * cmd)
1882 snat_main_t *sm = &snat_main;
1884 vlib_cli_output (vm, "udp timeout: %dsec", sm->timeouts.udp);
1885 vlib_cli_output (vm, "tcp-established timeout: %dsec",
1886 sm->timeouts.tcp.established);
1887 vlib_cli_output (vm, "tcp-transitory timeout: %dsec",
1888 sm->timeouts.tcp.transitory);
1889 vlib_cli_output (vm, "icmp timeout: %dsec", sm->timeouts.icmp);
1894 static clib_error_t *
1895 set_frame_queue_nelts_command_fn (vlib_main_t *vm, unformat_input_t *input,
1896 vlib_cli_command_t *cmd)
1898 unformat_input_t _line_input, *line_input = &_line_input;
1899 clib_error_t *error = 0;
1900 u32 frame_queue_nelts = 0;
1901 /* Get a line of input. */
1902 if (!unformat_user (input, unformat_line_input, line_input))
1904 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1906 if (unformat (line_input, "%u", &frame_queue_nelts))
1910 error = clib_error_return (0, "unknown input '%U'",
1911 format_unformat_error, line_input);
1915 if (!frame_queue_nelts)
1917 error = clib_error_return (0, "frame_queue_nelts cannot be zero");
1920 if (snat_set_frame_queue_nelts (frame_queue_nelts) != 0)
1922 error = clib_error_return (0, "snat_set_frame_queue_nelts failed");
1926 unformat_free (line_input);
1930 static clib_error_t *
1931 nat44_debug_fib_expire_command_fn (vlib_main_t * vm,
1932 unformat_input_t * input,
1933 vlib_cli_command_t * cmd)
1935 unformat_input_t _line_input, *line_input = &_line_input;
1936 clib_error_t *error = 0;
1939 /* Get a line of input. */
1940 if (!unformat_user (input, unformat_line_input, line_input))
1943 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1945 if (unformat (line_input, "%u", &fib))
1949 error = clib_error_return (0, "unknown input '%U'",
1950 format_unformat_error, line_input);
1954 expire_per_vrf_sessions (fib);
1956 unformat_free (line_input);
1960 static clib_error_t *
1961 nat44_debug_fib_registration_command_fn (vlib_main_t * vm,
1962 unformat_input_t * input,
1963 vlib_cli_command_t * cmd)
1965 snat_main_t *sm = &snat_main;
1966 snat_main_per_thread_data_t *tsm;
1967 per_vrf_sessions_t *per_vrf_sessions;
1969 vlib_cli_output (vm, "VRF registration debug:");
1970 vec_foreach (tsm, sm->per_thread_data)
1972 vlib_cli_output (vm, "thread %u:", tsm->thread_index);
1973 vec_foreach (per_vrf_sessions, tsm->per_vrf_sessions_vec)
1975 vlib_cli_output (vm, "rx fib %u tx fib %u ses count %u %s",
1976 per_vrf_sessions->rx_fib_index,
1977 per_vrf_sessions->tx_fib_index,
1978 per_vrf_sessions->ses_count,
1979 per_vrf_sessions->expired ? "expired" : "");
1989 VLIB_CLI_COMMAND (nat44_debug_fib_expire_command, static) = {
1990 .path = "debug nat44 fib expire",
1991 .short_help = "debug nat44 fib expire <fib-index>",
1992 .function = nat44_debug_fib_expire_command_fn,
1997 VLIB_CLI_COMMAND (nat44_debug_fib_registration_command, static) = {
1998 .path = "debug nat44 fib registration",
1999 .short_help = "debug nat44 fib registration",
2000 .function = nat44_debug_fib_registration_command_fn,
2005 * @cliexstart{nat44 enable}
2006 * Enable nat44 plugin
2007 * To enable nat44, use:
2008 * vpp# nat44 enable sessions <n>
2009 * To enable nat44 static mapping only, use:
2010 * vpp# nat44 enable sessions <n> static-mapping
2011 * To enable nat44 static mapping with connection tracking, use:
2012 * vpp# nat44 enable sessions <n> static-mapping connection-tracking
2013 * To enable nat44 out2in dpo, use:
2014 * vpp# nat44 enable sessions <n> out2in-dpo
2015 * To enable nat44 endpoint-dependent, use:
2016 * vpp# nat44 enable sessions <n> endpoint-dependent
2017 * To set inside-vrf outside-vrf, use:
2018 * vpp# nat44 enable sessions <n> inside-vrf <id> outside-vrf <id>
2021 VLIB_CLI_COMMAND (nat44_enable_command, static) = {
2022 .path = "nat44 enable",
2023 .short_help = "nat44 enable sessions <max-number> [users <max-number>] [static-mappig-only [connection-tracking]|out2in-dpo|endpoint-dependent] [inside-vrf <vrf-id>] [outside-vrf <vrf-id>] [user-sessions <max-number>]",
2024 .function = nat44_enable_command_fn,
2029 * @cliexstart{nat44 disable}
2030 * Disable nat44 plugin
2031 * To disable nat44, use:
2032 * vpp# nat44 disable
2035 VLIB_CLI_COMMAND (nat44_disable_command, static) = {
2036 .path = "nat44 disable",
2037 .short_help = "nat44 disable",
2038 .function = nat44_disable_command_fn,
2043 * @cliexstart{set snat workers}
2044 * Set NAT workers if 2 or more workers available, use:
2045 * vpp# set snat workers 0-2,5
2048 VLIB_CLI_COMMAND (set_workers_command, static) = {
2049 .path = "set nat workers",
2050 .function = set_workers_command_fn,
2051 .short_help = "set nat workers <workers-list>",
2056 * @cliexstart{show nat workers}
2058 * vpp# show nat workers:
2064 VLIB_CLI_COMMAND (nat_show_workers_command, static) = {
2065 .path = "show nat workers",
2066 .short_help = "show nat workers",
2067 .function = nat_show_workers_commnad_fn,
2072 * @cliexstart{set nat timeout}
2073 * Set values of timeouts for NAT sessions (in seconds), use:
2074 * vpp# set nat timeout udp 120 tcp-established 7500 tcp-transitory 250 icmp 90
2075 * To reset default values use:
2076 * vpp# set nat timeout reset
2079 VLIB_CLI_COMMAND (set_timeout_command, static) = {
2080 .path = "set nat timeout",
2081 .function = set_timeout_command_fn,
2083 "set nat timeout [udp <sec> | tcp-established <sec> "
2084 "tcp-transitory <sec> | icmp <sec> | reset]",
2089 * @cliexstart{show nat timeouts}
2090 * Show values of timeouts for NAT sessions.
2091 * vpp# show nat timeouts
2092 * udp timeout: 300sec
2093 * tcp-established timeout: 7440sec
2094 * tcp-transitory timeout: 240sec
2095 * icmp timeout: 60sec
2098 VLIB_CLI_COMMAND (nat_show_timeouts_command, static) = {
2099 .path = "show nat timeouts",
2100 .short_help = "show nat timeouts",
2101 .function = nat_show_timeouts_command_fn,
2106 * @cliexstart{set nat frame-queue-nelts}
2107 * Set number of worker handoff frame queue elements.
2110 VLIB_CLI_COMMAND (set_frame_queue_nelts_command, static) = {
2111 .path = "set nat frame-queue-nelts",
2112 .function = set_frame_queue_nelts_command_fn,
2113 .short_help = "set nat frame-queue-nelts <number>",
2118 * @cliexstart{nat set logging level}
2119 * To set NAT logging level use:
2120 * Set nat logging level
2123 VLIB_CLI_COMMAND (snat_set_log_level_command, static) = {
2124 .path = "nat set logging level",
2125 .function = snat_set_log_level_command_fn,
2126 .short_help = "nat set logging level <level>",
2131 * @cliexstart{snat ipfix logging}
2132 * To enable NAT IPFIX logging use:
2133 * vpp# nat ipfix logging
2134 * To set IPFIX exporter use:
2135 * vpp# set ipfix exporter collector 10.10.10.3 src 10.10.10.1
2138 VLIB_CLI_COMMAND (snat_ipfix_logging_enable_disable_command, static) = {
2139 .path = "nat ipfix logging",
2140 .function = snat_ipfix_logging_enable_disable_command_fn,
2141 .short_help = "nat ipfix logging [domain <domain-id>] [src-port <port>] [disable]",
2146 * @cliexstart{nat addr-port-assignment-alg}
2147 * Set address and port assignment algorithm
2148 * For the MAP-E CE limit port choice based on PSID use:
2149 * vpp# nat addr-port-assignment-alg map-e psid 10 psid-offset 6 psid-len 6
2150 * For port range use:
2151 * vpp# nat addr-port-assignment-alg port-range <start-port> - <end-port>
2152 * To set standard (default) address and port assignment algorithm use:
2153 * vpp# nat addr-port-assignment-alg default
2156 VLIB_CLI_COMMAND (nat44_set_alloc_addr_and_port_alg_command, static) = {
2157 .path = "nat addr-port-assignment-alg",
2158 .short_help = "nat addr-port-assignment-alg <alg-name> [<alg-params>]",
2159 .function = nat44_set_alloc_addr_and_port_alg_command_fn,
2164 * @cliexstart{show nat addr-port-assignment-alg}
2165 * Show address and port assignment algorithm
2168 VLIB_CLI_COMMAND (nat44_show_alloc_addr_and_port_alg_command, static) = {
2169 .path = "show nat addr-port-assignment-alg",
2170 .short_help = "show nat addr-port-assignment-alg",
2171 .function = nat44_show_alloc_addr_and_port_alg_command_fn,
2176 * @cliexstart{nat mss-clamping}
2177 * Set TCP MSS rewriting configuration
2178 * To enable TCP MSS rewriting use:
2179 * vpp# nat mss-clamping 1452
2180 * To disbale TCP MSS rewriting use:
2181 * vpp# nat mss-clamping disable
2184 VLIB_CLI_COMMAND (nat_set_mss_clamping_command, static) = {
2185 .path = "nat mss-clamping",
2186 .short_help = "nat mss-clamping <mss-value>|disable",
2187 .function = nat_set_mss_clamping_command_fn,
2192 * @cliexstart{show nat mss-clamping}
2193 * Show TCP MSS rewriting configuration
2196 VLIB_CLI_COMMAND (nat_show_mss_clamping_command, static) = {
2197 .path = "show nat mss-clamping",
2198 .short_help = "show nat mss-clamping",
2199 .function = nat_show_mss_clamping_command_fn,
2204 * @cliexstart{nat ha failover}
2205 * Set HA failover (remote settings)
2208 VLIB_CLI_COMMAND (nat_ha_failover_command, static) = {
2209 .path = "nat ha failover",
2210 .short_help = "nat ha failover <ip4-address>:<port> [refresh-interval <sec>]",
2211 .function = nat_ha_failover_command_fn,
2216 * @cliexstart{nat ha listener}
2217 * Set HA listener (local settings)
2220 VLIB_CLI_COMMAND (nat_ha_listener_command, static) = {
2221 .path = "nat ha listener",
2222 .short_help = "nat ha listener <ip4-address>:<port> [path-mtu <path-mtu>]",
2223 .function = nat_ha_listener_command_fn,
2228 * @cliexstart{show nat ha}
2229 * Show HA configuration/status
2232 VLIB_CLI_COMMAND (nat_show_ha_command, static) = {
2233 .path = "show nat ha",
2234 .short_help = "show nat ha",
2235 .function = nat_show_ha_command_fn,
2240 * @cliexstart{nat ha flush}
2241 * Flush the current HA data (for testing)
2244 VLIB_CLI_COMMAND (nat_ha_flush_command, static) = {
2245 .path = "nat ha flush",
2246 .short_help = "nat ha flush",
2247 .function = nat_ha_flush_command_fn,
2252 * @cliexstart{nat ha resync}
2253 * Resync HA (resend existing sessions to new failover)
2256 VLIB_CLI_COMMAND (nat_ha_resync_command, static) = {
2257 .path = "nat ha resync",
2258 .short_help = "nat ha resync",
2259 .function = nat_ha_resync_command_fn,
2264 * @cliexstart{show nat44 hash tables}
2265 * Show NAT44 hash tables
2268 VLIB_CLI_COMMAND (nat44_show_hash, static) = {
2269 .path = "show nat44 hash tables",
2270 .short_help = "show nat44 hash tables [detail|verbose]",
2271 .function = nat44_show_hash_command_fn,
2276 * @cliexstart{nat44 add address}
2277 * Add/delete NAT44 pool address.
2278 * To add NAT44 pool address use:
2279 * vpp# nat44 add address 172.16.1.3
2280 * vpp# nat44 add address 172.16.2.2 - 172.16.2.24
2281 * To add NAT44 pool address for specific tenant (identified by VRF id) use:
2282 * vpp# nat44 add address 172.16.1.3 tenant-vrf 10
2285 VLIB_CLI_COMMAND (add_address_command, static) = {
2286 .path = "nat44 add address",
2287 .short_help = "nat44 add address <ip4-range-start> [- <ip4-range-end>] "
2288 "[tenant-vrf <vrf-id>] [twice-nat] [del]",
2289 .function = add_address_command_fn,
2294 * @cliexstart{show nat44 summary}
2295 * Show NAT44 summary
2296 * vpp# show nat44 summary
2299 VLIB_CLI_COMMAND (nat44_show_summary_command, static) = {
2300 .path = "show nat44 summary",
2301 .short_help = "show nat44 summary",
2302 .function = nat44_show_summary_command_fn,
2307 * @cliexstart{show nat44 addresses}
2308 * Show NAT44 pool addresses.
2309 * vpp# show nat44 addresses
2310 * NAT44 pool addresses:
2312 * tenant VRF independent
2321 * NAT44 twice-nat pool addresses:
2323 * tenant VRF independent
2329 VLIB_CLI_COMMAND (nat44_show_addresses_command, static) = {
2330 .path = "show nat44 addresses",
2331 .short_help = "show nat44 addresses",
2332 .function = nat44_show_addresses_command_fn,
2337 * @cliexstart{set interface nat44}
2338 * Enable/disable NAT44 feature on the interface.
2339 * To enable NAT44 feature with local network interface use:
2340 * vpp# set interface nat44 in GigabitEthernet0/8/0
2341 * To enable NAT44 feature with external network interface use:
2342 * vpp# set interface nat44 out GigabitEthernet0/a/0
2345 VLIB_CLI_COMMAND (set_interface_snat_command, static) = {
2346 .path = "set interface nat44",
2347 .function = snat_feature_command_fn,
2348 .short_help = "set interface nat44 in <intfc> out <intfc> [output-feature] "
2354 * @cliexstart{show nat44 interfaces}
2355 * Show interfaces with NAT44 feature.
2356 * vpp# show nat44 interfaces
2358 * GigabitEthernet0/8/0 in
2359 * GigabitEthernet0/a/0 out
2362 VLIB_CLI_COMMAND (nat44_show_interfaces_command, static) = {
2363 .path = "show nat44 interfaces",
2364 .short_help = "show nat44 interfaces",
2365 .function = nat44_show_interfaces_command_fn,
2370 * @cliexstart{nat44 add static mapping}
2371 * Static mapping allows hosts on the external network to initiate connection
2372 * to to the local network host.
2373 * To create static mapping between local host address 10.0.0.3 port 6303 and
2374 * external address 4.4.4.4 port 3606 for TCP protocol use:
2375 * vpp# nat44 add static mapping tcp local 10.0.0.3 6303 external 4.4.4.4 3606
2376 * If not runnig "static mapping only" NAT plugin mode use before:
2377 * vpp# nat44 add address 4.4.4.4
2378 * To create address only static mapping between local and external address use:
2379 * vpp# nat44 add static mapping local 10.0.0.3 external 4.4.4.4
2380 * To create ICMP static mapping between local and external with ICMP echo
2381 * identifier 10 use:
2382 * vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
2383 * To force use of specific pool address, vrf independent
2384 * vpp# nat44 add static mapping local 10.0.0.2 1234 external 10.0.2.2 1234 twice-nat exact 10.0.1.2
2387 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
2388 .path = "nat44 add static mapping",
2389 .function = add_static_mapping_command_fn,
2391 "nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
2392 "external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
2393 "[out2in-only] [exact <pool-addr>] [del]",
2398 * @cliexstart{nat44 add identity mapping}
2399 * Identity mapping translate an IP address to itself.
2400 * To create identity mapping for address 10.0.0.3 port 6303 for TCP protocol
2402 * vpp# nat44 add identity mapping 10.0.0.3 tcp 6303
2403 * To create identity mapping for address 10.0.0.3 use:
2404 * vpp# nat44 add identity mapping 10.0.0.3
2405 * To create identity mapping for DHCP addressed interface use:
2406 * vpp# nat44 add identity mapping external GigabitEthernet0/a/0 tcp 3606
2409 VLIB_CLI_COMMAND (add_identity_mapping_command, static) = {
2410 .path = "nat44 add identity mapping",
2411 .function = add_identity_mapping_command_fn,
2412 .short_help = "nat44 add identity mapping <ip4-addr>|external <interface> "
2413 "[<protocol> <port>] [vrf <table-id>] [del]",
2418 * @cliexstart{nat44 add load-balancing static mapping}
2419 * Service load balancing using NAT44
2420 * To add static mapping with load balancing for service with external IP
2421 * address 1.2.3.4 and TCP port 80 and mapped to 2 local servers
2422 * 10.100.10.10:8080 and 10.100.10.20:8080 with probability 80% resp. 20% use:
2423 * vpp# nat44 add load-balancing static mapping protocol tcp external 1.2.3.4:80 local 10.100.10.10:8080 probability 80 local 10.100.10.20:8080 probability 20
2426 VLIB_CLI_COMMAND (add_lb_static_mapping_command, static) = {
2427 .path = "nat44 add load-balancing static mapping",
2428 .function = add_lb_static_mapping_command_fn,
2430 "nat44 add load-balancing static mapping protocol tcp|udp "
2431 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2432 "probability <n> [twice-nat|self-twice-nat] [out2in-only] "
2433 "[affinity <timeout-seconds>] [del]",
2438 * @cliexstart{nat44 add load-balancing static mapping}
2439 * Modify service load balancing using NAT44
2440 * To add new back-end server 10.100.10.30:8080 for service load balancing
2441 * static mapping with external IP address 1.2.3.4 and TCP port 80 use:
2442 * vpp# nat44 add load-balancing back-end protocol tcp external 1.2.3.4:80 local 10.100.10.30:8080 probability 25
2445 VLIB_CLI_COMMAND (add_lb_backend_command, static) = {
2446 .path = "nat44 add load-balancing back-end",
2447 .function = add_lb_backend_command_fn,
2449 "nat44 add load-balancing back-end protocol tcp|udp "
2450 "external <addr>:<port> local <addr>:<port> [vrf <table-id>] "
2451 "probability <n> [del]",
2456 * @cliexstart{show nat44 static mappings}
2457 * Show NAT44 static mappings.
2458 * vpp# show nat44 static mappings
2459 * NAT44 static mappings:
2460 * local 10.0.0.3 external 4.4.4.4 vrf 0
2461 * tcp local 192.168.0.4:6303 external 4.4.4.3:3606 vrf 0
2462 * tcp vrf 0 external 1.2.3.4:80 out2in-only
2463 * local 10.100.10.10:8080 probability 80
2464 * local 10.100.10.20:8080 probability 20
2465 * tcp local 10.100.3.8:8080 external 169.10.10.1:80 vrf 0 twice-nat
2466 * tcp local 10.0.0.10:3603 external GigabitEthernet0/a/0:6306 vrf 10
2469 VLIB_CLI_COMMAND (nat44_show_static_mappings_command, static) = {
2470 .path = "show nat44 static mappings",
2471 .short_help = "show nat44 static mappings",
2472 .function = nat44_show_static_mappings_command_fn,
2477 * @cliexstart{nat44 add interface address}
2478 * Use NAT44 pool address from specific interfce
2479 * To add NAT44 pool address from specific interface use:
2480 * vpp# nat44 add interface address GigabitEthernet0/8/0
2483 VLIB_CLI_COMMAND (snat_add_interface_address_command, static) = {
2484 .path = "nat44 add interface address",
2485 .short_help = "nat44 add interface address <interface> [twice-nat] [del]",
2486 .function = snat_add_interface_address_command_fn,
2491 * @cliexstart{show nat44 interface address}
2492 * Show NAT44 pool address interfaces
2493 * vpp# show nat44 interface address
2494 * NAT44 pool address interfaces:
2495 * GigabitEthernet0/a/0
2496 * NAT44 twice-nat pool address interfaces:
2497 * GigabitEthernet0/8/0
2500 VLIB_CLI_COMMAND (nat44_show_interface_address_command, static) = {
2501 .path = "show nat44 interface address",
2502 .short_help = "show nat44 interface address",
2503 .function = nat44_show_interface_address_command_fn,
2508 * @cliexstart{show nat44 sessions}
2509 * Show NAT44 sessions.
2512 VLIB_CLI_COMMAND (nat44_show_sessions_command, static) = {
2513 .path = "show nat44 sessions",
2514 .short_help = "show nat44 sessions [detail|metrics]",
2515 .function = nat44_show_sessions_command_fn,
2520 * @cliexstart{set nat44 session limit}
2521 * Set NAT44 session limit.
2524 VLIB_CLI_COMMAND (nat44_set_session_limit_command, static) = {
2525 .path = "set nat44 session limit",
2526 .short_help = "set nat44 session limit <limit> [vrf <table-id>]",
2527 .function = nat44_set_session_limit_command_fn,
2532 * @cliexstart{nat44 del user}
2533 * To delete all NAT44 user sessions:
2534 * vpp# nat44 del user 10.0.0.3
2537 VLIB_CLI_COMMAND (nat44_del_user_command, static) = {
2538 .path = "nat44 del user",
2539 .short_help = "nat44 del user <addr> [fib <index>]",
2540 .function = nat44_del_user_command_fn,
2545 * @cliexstart{clear nat44 sessions}
2546 * To clear all NAT44 sessions
2547 * vpp# clear nat44 sessions
2550 VLIB_CLI_COMMAND (nat44_clear_sessions_command, static) = {
2551 .path = "clear nat44 sessions",
2552 .short_help = "clear nat44 sessions",
2553 .function = nat44_clear_sessions_command_fn,
2558 * @cliexstart{nat44 del session}
2559 * To administratively delete NAT44 session by inside address and port use:
2560 * vpp# nat44 del session in 10.0.0.3:6303 tcp
2561 * To administratively delete NAT44 session by outside address and port use:
2562 * vpp# nat44 del session out 1.0.0.3:6033 udp
2565 VLIB_CLI_COMMAND (nat44_del_session_command, static) = {
2566 .path = "nat44 del session",
2567 .short_help = "nat44 del session in|out <addr>:<port> tcp|udp|icmp [vrf <id>] [external-host <addr>:<port>]",
2568 .function = nat44_del_session_command_fn,
2573 * @cliexstart{nat44 forwarding}
2574 * Enable or disable forwarding
2575 * Forward packets which don't match existing translation
2576 * or static mapping instead of dropping them.
2577 * To enable forwarding, use:
2578 * vpp# nat44 forwarding enable
2579 * To disable forwarding, use:
2580 * vpp# nat44 forwarding disable
2583 VLIB_CLI_COMMAND (snat_forwarding_set_command, static) = {
2584 .path = "nat44 forwarding",
2585 .short_help = "nat44 forwarding enable|disable",
2586 .function = snat_forwarding_set_command_fn,
2592 * fd.io coding-style-patch-verification: ON
2595 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob