nat: twice-nat static mapping pool address

Let twice-nat static mapping pick specific
address from the twice-nat pool.

Type: improvement

Change-Id: Iadaa036af2fa3b0e6e9a68ff6e68b4bbe1650eb1
Signed-off-by: Filip Varga <fivarga@cisco.com>
diff --git a/src/plugins/nat/in2out.c b/src/plugins/nat/in2out.c
index 39957259..8e2c5fe 100644
--- a/src/plugins/nat/in2out.c
+++ b/src/plugins/nat/in2out.c
@@ -135,7 +135,7 @@
       if (!snat_static_mapping_match
 	  (sm, ip0->dst_address, udp0->dst_port, sm->outside_fib_index,
 	   proto0, &placeholder_addr, &placeholder_port,
-	   &placeholder_fib_index, 1, 0, 0, 0, 0, 0))
+	   &placeholder_fib_index, 1, 0, 0, 0, 0, 0, 0))
 	return 0;
     }
   else
@@ -274,7 +274,7 @@
   /* First try to match static mapping by local address and port */
   if (snat_static_mapping_match
       (sm, i2o_addr, i2o_port, rx_fib_index0, nat_proto, &sm_addr,
-       &sm_port, &sm_fib_index, 0, 0, 0, 0, 0, &identity_nat))
+       &sm_port, &sm_fib_index, 0, 0, 0, 0, 0, &identity_nat, 0))
     {
       /* Try to create dynamic translation */
       if (snat_alloc_outside_address_and_port (sm->addresses, rx_fib_index0,
@@ -599,7 +599,7 @@
 
   if (snat_static_mapping_match
       (sm, *addr, *port, *fib_index, *proto, &sm_addr, &sm_port,
-       &sm_fib_index, 0, &is_addr_only, 0, 0, 0, 0))
+       &sm_fib_index, 0, &is_addr_only, 0, 0, 0, 0, 0))
     {
       if (PREDICT_FALSE (snat_not_translate_fast (sm, node, sw_if_index0, ip0,
 						  IP_PROTOCOL_ICMP,
@@ -1842,7 +1842,7 @@
 
 	  if (snat_static_mapping_match
 	      (sm, ip0->src_address, udp0->src_port, rx_fib_index0, proto0,
-	       &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0, 0, 0, 0))
+	       &sm0_addr, &sm0_port, &sm0_fib_index, 0, 0, 0, 0, 0, 0, 0))
 	    {
 	      b0->error = node->errors[SNAT_IN2OUT_ERROR_NO_TRANSLATION];
 	      next0 = SNAT_IN2OUT_NEXT_DROP;
diff --git a/src/plugins/nat/in2out_ed.c b/src/plugins/nat/in2out_ed.c
index a1f5e5b..448e967 100644
--- a/src/plugins/nat/in2out_ed.c
+++ b/src/plugins/nat/in2out_ed.c
@@ -370,7 +370,7 @@
   /* First try to match static mapping by local address and port */
   if (snat_static_mapping_match
       (sm, l_addr, l_port, rx_fib_index, nat_proto, &sm_addr, &sm_port,
-       &sm_fib_index, 0, 0, 0, &lb, 0, &identity_nat))
+       &sm_fib_index, 0, 0, 0, &lb, 0, &identity_nat, 0))
     {
       s = nat_ed_session_alloc (sm, thread_index, now, proto);
       ASSERT (s);
@@ -514,7 +514,7 @@
       if (!snat_static_mapping_match
 	  (sm, ip->dst_address, udp->dst_port, sm->outside_fib_index, proto,
 	   &placeholder_addr, &placeholder_port, &placeholder_fib_index, 1, 0,
-	   0, 0, 0, 0))
+	   0, 0, 0, 0, 0))
 	return 0;
     }
   else
diff --git a/src/plugins/nat/nat.api b/src/plugins/nat/nat.api
index 8b263d4..00e9e71 100644
--- a/src/plugins/nat/nat.api
+++ b/src/plugins/nat/nat.api
@@ -684,6 +684,47 @@
   string tag[64];
 };
 
+/** \brief Add/delete NAT44 static mapping
+    @param client_index - opaque cookie to identify the sender
+    @param context - sender context, to match reply w/ request
+    @param is_add - true if add, false if delete
+    @param match_pool - true if use specific pool_ip_address
+    @param flags - flag NAT_IS_ADDR_ONLY if address only mapping,
+                   flag nat_is_twice_nat if nat address range for external hosts,
+                   flag NAT_IS_SELF_TWICE_NAT if translate external host address
+                   and port whenever external host address equals local
+                   address of internal host,
+                   flag NAT_IS_OUT2IN_ONLY if rule match only out2in direction
+    @param pool_ip_address - pool IPv4 address to match with pool
+    @param local_ip_address - local IPv4 address
+    @param external_ip_address - external IPv4 address
+    @param protocol - IP protocol, used only if addr_only=0
+    @param local_port - local port number, used only if addr_only=0
+    @param external_port - external port number, used only if addr_only=0
+    @param external_sw_if_index - external interface (if set
+                                  external_ip_address is ignored, ~0 means not
+                                  used)
+    @param vfr_id - VRF ID
+    @param tag - opaque string tag
+*/
+autoreply define nat44_add_del_static_mapping_v2 {
+  option status="in_progress";
+  u32 client_index;
+  u32 context;
+  bool is_add;
+  bool match_pool;
+  vl_api_nat_config_flags_t flags;
+  vl_api_ip4_address_t pool_ip_address;
+  vl_api_ip4_address_t local_ip_address;
+  vl_api_ip4_address_t external_ip_address;
+  u8 protocol;
+  u16 local_port;
+  u16 external_port;
+  vl_api_interface_index_t external_sw_if_index;
+  u32 vrf_id;
+  string tag[64];
+};
+
 /** \brief Dump NAT44 static mappings
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
diff --git a/src/plugins/nat/nat.c b/src/plugins/nat/nat.c
index 796d9d0..61a36ec 100644
--- a/src/plugins/nat/nat.c
+++ b/src/plugins/nat/nat.c
@@ -692,7 +692,8 @@
 				       nat_protocol_t proto,
 				       int addr_only, int is_add, u8 * tag,
 				       int twice_nat, int out2in_only,
-				       int identity_nat)
+				       int identity_nat,
+				       ip4_address_t pool_addr, int exact)
 {
   snat_static_map_resolve_t *rp;
 
@@ -709,6 +710,8 @@
   rp->out2in_only = out2in_only;
   rp->identity_nat = identity_nat;
   rp->tag = vec_dup (tag);
+  rp->pool_addr = pool_addr;
+  rp->exact = exact;
 }
 
 static u32
@@ -829,7 +832,7 @@
 			 u16 l_port, u16 e_port, u32 vrf_id, int addr_only,
 			 u32 sw_if_index, nat_protocol_t proto, int is_add,
 			 twice_nat_type_t twice_nat, u8 out2in_only, u8 * tag,
-			 u8 identity_nat)
+			 u8 identity_nat, ip4_address_t pool_addr, int exact)
 {
   snat_main_t *sm = &snat_main;
   snat_static_mapping_t *m;
@@ -891,7 +894,8 @@
 
 	  snat_add_static_mapping_when_resolved
 	    (sm, l_addr, l_port, sw_if_index, e_port, vrf_id, proto,
-	     addr_only, is_add, tag, twice_nat, out2in_only, identity_nat);
+	     addr_only, is_add, tag, twice_nat, out2in_only,
+	     identity_nat, pool_addr, exact);
 
 	  /* DHCP resolution required? */
 	  if (first_int_addr == 0)
@@ -1046,6 +1050,13 @@
       m->local_addr = l_addr;
       m->external_addr = e_addr;
       m->twice_nat = twice_nat;
+
+      if (twice_nat == TWICE_NAT && exact)
+	{
+	  m->flags |= NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS;
+	  m->pool_addr = pool_addr;
+	}
+
       if (out2in_only)
 	m->flags |= NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY;
       if (addr_only)
@@ -1673,15 +1684,21 @@
 
   if (delete_sm)
     {
+      ip4_address_t pool_addr = { 0 };
       /* *INDENT-OFF* */
       pool_foreach (m, sm->static_mappings,
       ({
           if (m->external_addr.as_u32 == addr.as_u32)
             (void) snat_add_static_mapping (m->local_addr, m->external_addr,
                                             m->local_port, m->external_port,
-                                            m->vrf_id, is_addr_only_static_mapping(m), ~0,
-                                            m->proto, 0, m->twice_nat,
-                                            is_out2in_only_static_mapping(m), m->tag, is_identity_static_mapping(m));
+                                            m->vrf_id,
+                                            is_addr_only_static_mapping(m), ~0,
+                                            m->proto, 0 /* is_add */,
+                                            m->twice_nat,
+                                            is_out2in_only_static_mapping(m),
+                                            m->tag,
+                                            is_identity_static_mapping(m),
+                                            pool_addr, 0);
       }));
       /* *INDENT-ON* */
     }
@@ -2801,16 +2818,29 @@
 			   u8 * is_addr_only,
 			   twice_nat_type_t * twice_nat,
 			   lb_nat_type_t * lb, ip4_address_t * ext_host_addr,
-			   u8 * is_identity_nat)
+			   u8 * is_identity_nat, snat_static_mapping_t ** out)
 {
   clib_bihash_kv_8_8_t kv, value;
+  clib_bihash_8_8_t *mapping_hash;
   snat_static_mapping_t *m;
-  clib_bihash_8_8_t *mapping_hash = &sm->static_mapping_by_local;
   u32 rand, lo = 0, hi, mid, *tmp = 0, i;
-  u8 backend_index;
   nat44_lb_addr_port_t *local;
+  u8 backend_index;
 
-  if (by_external)
+  if (!by_external)
+    {
+      mapping_hash = &sm->static_mapping_by_local;
+      init_nat_k (&kv, match_addr, match_port, match_fib_index,
+		  match_protocol);
+      if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
+	{
+	  /* Try address only mapping */
+	  init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
+	  if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
+	    return 1;
+	}
+    }
+  else
     {
       mapping_hash = &sm->static_mapping_by_external;
       init_nat_k (&kv, match_addr, match_port, 0, match_protocol);
@@ -2821,20 +2851,6 @@
 	  if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
 	    return 1;
 	}
-
-    }
-  else
-    {
-      init_nat_k (&kv, match_addr, match_port, match_fib_index,
-		  match_protocol);
-      if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
-	{
-	  /* Try address only mapping */
-	  init_nat_k (&kv, match_addr, 0, match_fib_index, 0);
-	  if (clib_bihash_search_8_8 (mapping_hash, &kv, &value))
-	    return 1;
-	}
-
     }
 
   m = pool_elt_at_index (sm->static_mappings, value.value);
@@ -2943,6 +2959,9 @@
   if (PREDICT_FALSE (is_identity_nat != 0))
     *is_identity_nat = is_identity_static_mapping (m);
 
+  if (out != 0)
+    *out = m;
+
   return 0;
 }
 
@@ -4358,7 +4377,8 @@
 				rp->vrf_id,
 				rp->addr_only, ~0 /* sw_if_index */ ,
 				rp->proto, !is_delete, rp->twice_nat,
-				rp->out2in_only, rp->tag, rp->identity_nat);
+				rp->out2in_only, rp->tag, rp->identity_nat,
+				rp->pool_addr, rp->exact);
   if (rv)
     nat_elog_notice_X1 ("snat_add_static_mapping returned %d", "i4", rv);
 }
@@ -4429,7 +4449,8 @@
 					    rp->proto,
 					    rp->is_add, rp->twice_nat,
 					    rp->out2in_only, rp->tag,
-					    rp->identity_nat);
+					    rp->identity_nat,
+					    rp->pool_addr, rp->exact);
 	      if (rv)
 		nat_elog_notice_X1 ("snat_add_static_mapping returned %d",
 				    "i4", rv);
diff --git a/src/plugins/nat/nat.h b/src/plugins/nat/nat.h
index 518f200..ab69922 100644
--- a/src/plugins/nat/nat.h
+++ b/src/plugins/nat/nat.h
@@ -187,16 +187,18 @@
 #define SNAT_SESSION_FLAG_FWD_BYPASS           32
 #define SNAT_SESSION_FLAG_AFFINITY             64
 #define SNAT_SESSION_FLAG_OUTPUT_FEATURE       128
+#define SNAT_SESSION_FLAG_EXACT_ADDRESS        256
 
 /* NAT interface flags */
 #define NAT_INTERFACE_FLAG_IS_INSIDE 1
 #define NAT_INTERFACE_FLAG_IS_OUTSIDE 2
 
 /* Static mapping flags */
-#define NAT_STATIC_MAPPING_FLAG_ADDR_ONLY    1
-#define NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY  2
-#define NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT 4
-#define NAT_STATIC_MAPPING_FLAG_LB           8
+#define NAT_STATIC_MAPPING_FLAG_ADDR_ONLY      1
+#define NAT_STATIC_MAPPING_FLAG_OUT2IN_ONLY    2
+#define NAT_STATIC_MAPPING_FLAG_IDENTITY_NAT   4
+#define NAT_STATIC_MAPPING_FLAG_LB             8
+#define NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS  16
 
 /* *INDENT-OFF* */
 typedef CLIB_PACKED(struct
@@ -350,6 +352,8 @@
 
 typedef struct
 {
+  /* prefered pool address */
+  ip4_address_t pool_addr;
   /* local IP address */
   ip4_address_t local_addr;
   /* external IP address */
@@ -388,6 +392,7 @@
 typedef struct
 {
   ip4_address_t l_addr;
+  ip4_address_t pool_addr;
   u16 l_port;
   u16 e_port;
   u32 sw_if_index;
@@ -399,6 +404,7 @@
   int is_add;
   int out2in_only;
   int identity_nat;
+  int exact;
   u8 *tag;
 } snat_static_map_resolve_t;
 
@@ -776,6 +782,12 @@
 */
 #define is_affinity_sessions(s) (s->flags & SNAT_SESSION_FLAG_AFFINITY)
 
+/** \brief Check if exact pool address should be used.
+    @param s SNAT session
+    @return 1 if exact pool address or 0
+*/
+#define is_exact_address_session(s) (s->flags & SNAT_SESSION_FLAG_EXACT_ADDRESS)
+
 /** \brief Check if NAT interface is inside.
     @param i NAT interface
     @return 1 if inside interface
@@ -818,6 +830,12 @@
 */
 #define is_lb_static_mapping(sm) (sm->flags & NAT_STATIC_MAPPING_FLAG_LB)
 
+/** \brief Check if exact pool address should be used.
+    @param s SNAT session
+    @return 1 if exact pool address or 0
+*/
+#define is_exact_address(s) (s->flags & NAT_STATIC_MAPPING_FLAG_EXACT_ADDRESS)
+
 /** \brief Check if client initiating TCP connection (received SYN from client)
     @param t TCP header
     @return 1 if client initiating TCP connection
@@ -1138,6 +1156,8 @@
  * @param out2in_only  if 1 rule match only out2in direction
  * @param tag          opaque string tag
  * @param identity_nat identity NAT
+ * @param pool_addr    pool IPv4 address
+ * @param exact        1 = exact pool address
  *
  * @return 0 on success, non-zero value otherwise
  */
@@ -1146,7 +1166,8 @@
 			     int addr_only, u32 sw_if_index,
 			     nat_protocol_t proto, int is_add,
 			     twice_nat_type_t twice_nat, u8 out2in_only,
-			     u8 * tag, u8 identity_nat);
+			     u8 * tag, u8 identity_nat,
+			     ip4_address_t pool_addr, int exact);
 
 /**
  * @brief Add/delete static mapping with load-balancing (multiple backends)
@@ -1394,16 +1415,18 @@
 /**
  * @brief Match NAT44 static mapping.
  *
- * @param key           address and port to match
- * @param addr          external/local address of the matched mapping
- * @param port          port of the matched mapping
- * @param fib_index     fib index of the matched mapping
- * @param by_external   if 0 match by local address otherwise match by external
- *                      address
- * @param is_addr_only  1 if matched mapping is address only
- * @param twice_nat     matched mapping is twice NAT type
- * @param lb            1 if matched mapping is load-balanced
- * @param ext_host_addr external host address
+ * @param key             address and port to match
+ * @param addr            external/local address of the matched mapping
+ * @param port            port of the matched mapping
+ * @param fib_index       fib index of the matched mapping
+ * @param by_external     if 0 match by local address otherwise match by external
+ *                        address
+ * @param is_addr_only    1 if matched mapping is address only
+ * @param twice_nat       matched mapping is twice NAT type
+ * @param lb              1 if matched mapping is load-balanced
+ * @param ext_host_addr   external host address
+ * @param is_identity_nat 1 if indentity mapping
+ * @param out             if !=0 set to pointer of the mapping structure
  *
  * @returns 0 if match found otherwise 1.
  */
@@ -1420,7 +1443,8 @@
 			       twice_nat_type_t * twice_nat,
 			       lb_nat_type_t * lb,
 			       ip4_address_t * ext_host_addr,
-			       u8 * is_identity_nat);
+			       u8 * is_identity_nat,
+			       snat_static_mapping_t ** out);
 
 /**
  * @brief Add/del NAT address to FIB.
diff --git a/src/plugins/nat/nat44_cli.c b/src/plugins/nat/nat44_cli.c
index 65f4075..f61ce2c 100644
--- a/src/plugins/nat/nat44_cli.c
+++ b/src/plugins/nat/nat44_cli.c
@@ -980,13 +980,11 @@
 {
   unformat_input_t _line_input, *line_input = &_line_input;
   clib_error_t *error = 0;
-  ip4_address_t l_addr, e_addr;
+  ip4_address_t l_addr, e_addr, exact_addr;
   u32 l_port = 0, e_port = 0, vrf_id = ~0;
-  int is_add = 1;
-  int addr_only = 1;
+  int is_add = 1, addr_only = 1, rv, exact = 0;
   u32 sw_if_index = ~0;
   vnet_main_t *vnm = vnet_get_main ();
-  int rv;
   nat_protocol_t proto = NAT_PROTOCOL_OTHER;
   u8 proto_set = 0;
   twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
@@ -1014,10 +1012,12 @@
 			 unformat_vnet_sw_interface, vnm, &sw_if_index,
 			 &e_port))
 	addr_only = 0;
-
       else if (unformat (line_input, "external %U",
 			 unformat_vnet_sw_interface, vnm, &sw_if_index))
 	;
+      else if (unformat (line_input, "exact %U", unformat_ip4_address,
+			 &exact_addr))
+	exact = 1;
       else if (unformat (line_input, "vrf %u", &vrf_id))
 	;
       else if (unformat (line_input, "%U", unformat_nat_protocol, &proto))
@@ -1063,7 +1063,8 @@
   rv = snat_add_static_mapping (l_addr, e_addr, clib_host_to_net_u16 (l_port),
 				clib_host_to_net_u16 (e_port),
 				vrf_id, addr_only, sw_if_index, proto, is_add,
-				twice_nat, out2in_only, 0, 0);
+				twice_nat, out2in_only, 0, 0, exact_addr,
+				exact);
 
   switch (rv)
     {
@@ -1104,7 +1105,7 @@
 {
   unformat_input_t _line_input, *line_input = &_line_input;
   clib_error_t *error = 0;
-  ip4_address_t addr;
+  ip4_address_t addr, pool_addr = { 0 };
   u32 port = 0, vrf_id = ~0;
   int is_add = 1;
   int addr_only = 1;
@@ -1144,7 +1145,8 @@
   rv =
     snat_add_static_mapping (addr, addr, clib_host_to_net_u16 (port),
 			     clib_host_to_net_u16 (port), vrf_id, addr_only,
-			     sw_if_index, proto, is_add, 0, 0, 0, 1);
+			     sw_if_index, proto, is_add, 0, 0, 0, 1,
+			     pool_addr, 0);
 
   switch (rv)
     {
@@ -2254,6 +2256,8 @@
  * To create ICMP static mapping between local and external with ICMP echo
  * identifier 10 use:
  *  vpp# nat44 add static mapping icmp local 10.0.0.3 10 external 4.4.4.4 10
+ * To force use of specific pool address, vrf independent
+ *  vpp# nat44 add static mapping local 10.0.0.2 1234 external 10.0.2.2 1234 twice-nat exact 10.0.1.2
  * @cliexend
 ?*/
 VLIB_CLI_COMMAND (add_static_mapping_command, static) = {
@@ -2262,7 +2266,7 @@
   .short_help =
     "nat44 add static mapping tcp|udp|icmp local <addr> [<port|icmp-echo-id>] "
     "external <addr> [<port|icmp-echo-id>] [vrf <table-id>] [twice-nat|self-twice-nat] "
-    "[out2in-only] [del]",
+    "[out2in-only] [exact <pool-addr>] [del]",
 };
 
 /*?
diff --git a/src/plugins/nat/nat44_hairpinning.c b/src/plugins/nat/nat44_hairpinning.c
index 45444c5..9eadcf3 100644
--- a/src/plugins/nat/nat44_hairpinning.c
+++ b/src/plugins/nat/nat44_hairpinning.c
@@ -111,7 +111,7 @@
   /* Check if destination is static mappings */
   if (!snat_static_mapping_match
       (sm, ip0->dst_address, udp0->dst_port, sm->outside_fib_index, proto0,
-       &sm0_addr, &sm0_port, &sm0_fib_index, 1, 0, 0, 0, 0, 0))
+       &sm0_addr, &sm0_port, &sm0_fib_index, 1, 0, 0, 0, 0, 0, 0))
     {
       new_dst_addr0 = sm0_addr.as_u32;
       new_dst_port0 = sm0_port;
diff --git a/src/plugins/nat/nat_api.c b/src/plugins/nat/nat_api.c
index ad67375..bbb1645 100644
--- a/src/plugins/nat/nat_api.c
+++ b/src/plugins/nat/nat_api.c
@@ -1105,7 +1105,7 @@
 {
   snat_main_t *sm = &snat_main;
   vl_api_nat44_add_del_static_mapping_reply_t *rmp;
-  ip4_address_t local_addr, external_addr;
+  ip4_address_t local_addr, external_addr, pool_addr = { 0 };
   u16 local_port = 0, external_port = 0;
   u32 vrf_id, external_sw_if_index;
   twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
@@ -1139,12 +1139,61 @@
 				mp->flags & NAT_API_IS_ADDR_ONLY,
 				external_sw_if_index, proto,
 				mp->is_add, twice_nat,
-				mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0);
+				mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0,
+				pool_addr, 0);
   vec_free (tag);
 
   REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_REPLY);
 }
 
+static void
+  vl_api_nat44_add_del_static_mapping_v2_t_handler
+  (vl_api_nat44_add_del_static_mapping_v2_t * mp)
+{
+  snat_main_t *sm = &snat_main;
+  vl_api_nat44_add_del_static_mapping_v2_reply_t *rmp;
+  ip4_address_t local_addr, external_addr, pool_addr;
+  u16 local_port = 0, external_port = 0;
+  u32 vrf_id, external_sw_if_index;
+  twice_nat_type_t twice_nat = TWICE_NAT_DISABLED;
+  int rv = 0;
+  nat_protocol_t proto;
+  u8 *tag = 0;
+
+  memcpy (&pool_addr.as_u8, mp->pool_ip_address, 4);
+  memcpy (&local_addr.as_u8, mp->local_ip_address, 4);
+  memcpy (&external_addr.as_u8, mp->external_ip_address, 4);
+
+  if (!(mp->flags & NAT_API_IS_ADDR_ONLY))
+    {
+      local_port = mp->local_port;
+      external_port = mp->external_port;
+    }
+
+  vrf_id = clib_net_to_host_u32 (mp->vrf_id);
+  external_sw_if_index = clib_net_to_host_u32 (mp->external_sw_if_index);
+  proto = ip_proto_to_nat_proto (mp->protocol);
+
+  if (mp->flags & NAT_API_IS_TWICE_NAT)
+    twice_nat = TWICE_NAT;
+  else if (mp->flags & NAT_API_IS_SELF_TWICE_NAT)
+    twice_nat = TWICE_NAT_SELF;
+  mp->tag[sizeof (mp->tag) - 1] = 0;
+  tag = format (0, "%s", mp->tag);
+  vec_terminate_c_string (tag);
+
+  rv = snat_add_static_mapping (local_addr, external_addr, local_port,
+				external_port, vrf_id,
+				mp->flags & NAT_API_IS_ADDR_ONLY,
+				external_sw_if_index, proto,
+				mp->is_add, twice_nat,
+				mp->flags & NAT_API_IS_OUT2IN_ONLY, tag, 0,
+				pool_addr, mp->match_pool);
+  vec_free (tag);
+
+  REPLY_MACRO (VL_API_NAT44_ADD_DEL_STATIC_MAPPING_V2_REPLY);
+}
+
 static void *vl_api_nat44_add_del_static_mapping_t_print
   (vl_api_nat44_add_del_static_mapping_t * mp, void *handle)
 {
@@ -1174,6 +1223,39 @@
   FINISH;
 }
 
+static void *vl_api_nat44_add_del_static_mapping_v2_t_print
+  (vl_api_nat44_add_del_static_mapping_v2_t * mp, void *handle)
+{
+  u8 *s;
+
+  s = format (0, "SCRIPT: nat44_add_del_static_mapping_v2 ");
+  s = format (s, "protocol %d local_addr %U external_addr %U ",
+	      mp->protocol,
+	      format_ip4_address, mp->local_ip_address,
+	      format_ip4_address, mp->external_ip_address);
+
+  if (!(mp->flags & NAT_API_IS_ADDR_ONLY))
+    s = format (s, "local_port %d external_port %d ",
+		clib_net_to_host_u16 (mp->local_port),
+		clib_net_to_host_u16 (mp->external_port));
+
+  s = format (s, "twice_nat %d out2in_only %d ",
+	      mp->flags & NAT_API_IS_TWICE_NAT,
+	      mp->flags & NAT_API_IS_OUT2IN_ONLY);
+
+  if (mp->vrf_id != ~0)
+    s = format (s, "vrf %d", clib_net_to_host_u32 (mp->vrf_id));
+
+  if (mp->external_sw_if_index != ~0)
+    s = format (s, "external_sw_if_index %d",
+		clib_net_to_host_u32 (mp->external_sw_if_index));
+  if (mp->match_pool)
+    s = format (s, "match pool address %U",
+		format_ip4_address, mp->pool_ip_address);
+
+  FINISH;
+}
+
 static void
 send_nat44_static_mapping_details (snat_static_mapping_t * m,
 				   vl_api_registration_t * reg, u32 context)
@@ -1301,7 +1383,7 @@
 {
   snat_main_t *sm = &snat_main;
   vl_api_nat44_add_del_identity_mapping_reply_t *rmp;
-  ip4_address_t addr;
+  ip4_address_t addr, pool_addr = { 0 };
   u16 port = 0;
   u32 vrf_id, sw_if_index;
   int rv = 0;
@@ -1326,7 +1408,7 @@
   rv =
     snat_add_static_mapping (addr, addr, port, port, vrf_id,
 			     mp->flags & NAT_API_IS_ADDR_ONLY, sw_if_index,
-			     proto, mp->is_add, 0, 0, tag, 1);
+			     proto, mp->is_add, 0, 0, tag, 1, pool_addr, 0);
   vec_free (tag);
 
   REPLY_MACRO (VL_API_NAT44_ADD_DEL_IDENTITY_MAPPING_REPLY);
@@ -2047,7 +2129,7 @@
 {
   u8 *s;
 
-  s = format (0, "SCRIPT: nat44_add_del_static_mapping ");
+  s = format (0, "SCRIPT: nat44_add_del_session ");
   s = format (s, "addr %U port %d protocol %d vrf_id %d is_in %d",
 	      format_ip4_address, mp->address,
 	      clib_net_to_host_u16 (mp->port),
@@ -2663,6 +2745,7 @@
 _(NAT44_ADD_DEL_ADDRESS_RANGE, nat44_add_del_address_range)             \
 _(NAT44_INTERFACE_ADD_DEL_FEATURE, nat44_interface_add_del_feature)     \
 _(NAT44_ADD_DEL_STATIC_MAPPING, nat44_add_del_static_mapping)           \
+_(NAT44_ADD_DEL_STATIC_MAPPING_V2, nat44_add_del_static_mapping_v2)     \
 _(NAT44_ADD_DEL_IDENTITY_MAPPING, nat44_add_del_identity_mapping)       \
 _(NAT44_STATIC_MAPPING_DUMP, nat44_static_mapping_dump)                 \
 _(NAT44_IDENTITY_MAPPING_DUMP, nat44_identity_mapping_dump)             \
diff --git a/src/plugins/nat/out2in.c b/src/plugins/nat/out2in.c
index 5684a93..c17f0e2 100644
--- a/src/plugins/nat/out2in.c
+++ b/src/plugins/nat/out2in.c
@@ -359,7 +359,7 @@
       if (snat_static_mapping_match
 	  (sm, *addr, *port, *fib_index, *proto,
 	   &mapping_addr, &mapping_port, &mapping_fib_index, 1, &is_addr_only,
-	   0, 0, 0, &identity_nat))
+	   0, 0, 0, &identity_nat, 0))
 	{
 	  if (!sm->forwarding_enabled)
 	    {
@@ -485,7 +485,7 @@
     }
   if (snat_static_mapping_match
       (sm, addr, port, rx_fib_index0, *proto, mapping_addr, mapping_port,
-       mapping_fib_index, 1, &is_addr_only, 0, 0, 0, 0))
+       mapping_fib_index, 1, &is_addr_only, 0, 0, 0, 0, 0))
     {
       /* Don't NAT packet aimed at the intfc address */
       if (is_interface_addr (sm, node, sw_if_index0, ip0->dst_address.as_u32))
@@ -835,7 +835,7 @@
 	      (sm, ip0->dst_address,
 	       vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
 	       proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0,
-	       0, &identity_nat0))
+	       0, &identity_nat0, 0))
 	    {
 	      /*
 	       * Send DHCP packets to the ipv4 stack, or we won't
@@ -1017,7 +1017,7 @@
 	      (sm, ip1->dst_address,
 	       vnet_buffer (b1)->ip.reass.l4_dst_port, proto1,
 	       rx_fib_index1, &sm_addr1, &sm_port1, &sm_fib_index1, 1, 0,
-	       0, 0, 0, &identity_nat1))
+	       0, 0, 0, &identity_nat1, 0))
 	    {
 	      /*
 	       * Send DHCP packets to the ipv4 stack, or we won't
@@ -1236,7 +1236,7 @@
 	      (sm, ip0->dst_address,
 	       vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
 	       proto0, &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0,
-	       0, &identity_nat0))
+	       0, &identity_nat0, 0))
 	    {
 	      /*
 	       * Send DHCP packets to the ipv4 stack, or we won't
@@ -1462,7 +1462,7 @@
 
       if (snat_static_mapping_match
 	  (sm, ip0->dst_address, udp0->dst_port, rx_fib_index0, proto0,
-	   &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, 0, 0))
+	   &sm_addr0, &sm_port0, &sm_fib_index0, 1, 0, 0, 0, 0, 0, 0))
 	{
 	  b0->error = node->errors[SNAT_OUT2IN_ERROR_NO_TRANSLATION];
 	  goto trace00;
diff --git a/src/plugins/nat/out2in_ed.c b/src/plugins/nat/out2in_ed.c
index 9868fe7..8eef1e4 100644
--- a/src/plugins/nat/out2in_ed.c
+++ b/src/plugins/nat/out2in_ed.c
@@ -190,6 +190,52 @@
 }
 #endif
 
+// allocate exact address based on preference
+static_always_inline int
+nat_alloc_addr_and_port_exact (snat_address_t * a,
+			       u32 thread_index,
+			       nat_protocol_t proto,
+			       ip4_address_t * addr,
+			       u16 * port,
+			       u16 port_per_thread, u32 snat_thread_index)
+{
+  u32 portnum;
+
+  switch (proto)
+    {
+#define _(N, j, n, s) \
+    case NAT_PROTOCOL_##N: \
+      if (a->busy_##n##_ports_per_thread[thread_index] < port_per_thread) \
+        { \
+          while (1) \
+            { \
+              portnum = (port_per_thread * \
+                snat_thread_index) + \
+                snat_random_port(0, port_per_thread - 1) + 1024; \
+              if (a->busy_##n##_port_refcounts[portnum]) \
+                continue; \
+	      --a->busy_##n##_port_refcounts[portnum]; \
+              a->busy_##n##_ports_per_thread[thread_index]++; \
+              a->busy_##n##_ports++; \
+              *addr = a->addr; \
+              *port = clib_host_to_net_u16(portnum); \
+              return 0; \
+            } \
+        } \
+      break;
+      foreach_nat_protocol
+#undef _
+    default:
+      nat_elog_info ("unknown protocol");
+      return 1;
+    }
+
+  /* Totally out of translations to use... */
+  snat_ipfix_logging_addresses_exhausted (thread_index, 0);
+  return 1;
+}
+
+
 static snat_session_t *
 create_session_for_static_mapping_ed (snat_main_t * sm,
 				      vlib_buffer_t * b,
@@ -204,7 +250,8 @@
 				      u32 rx_fib_index,
 				      u32 thread_index,
 				      twice_nat_type_t twice_nat,
-				      lb_nat_type_t lb_nat, f64 now)
+				      lb_nat_type_t lb_nat, f64 now,
+				      snat_static_mapping_t * mapping)
 {
   snat_session_t *s;
   ip4_header_t *ip;
@@ -261,13 +308,46 @@
   if (twice_nat == TWICE_NAT || (twice_nat == TWICE_NAT_SELF &&
 				 ip->src_address.as_u32 == i2o_addr.as_u32))
     {
-      if (snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
-					       thread_index,
-					       nat_proto,
-					       &s->ext_host_nat_addr,
-					       &s->ext_host_nat_port,
-					       sm->port_per_thread,
-					       tsm->snat_thread_index))
+      int rc = 0;
+      snat_address_t *filter = 0;
+
+      // if exact address is specified use this address
+      if (is_exact_address (mapping))
+	{
+	  snat_address_t *ap;
+	  vec_foreach (ap, sm->twice_nat_addresses)
+	  {
+	    if (mapping->pool_addr.as_u32 == ap->addr.as_u32)
+	      {
+		filter = ap;
+		break;
+	      }
+	  }
+	}
+
+      if (filter)
+	{
+	  rc = nat_alloc_addr_and_port_exact (filter,
+					      thread_index,
+					      nat_proto,
+					      &s->ext_host_nat_addr,
+					      &s->ext_host_nat_port,
+					      sm->port_per_thread,
+					      tsm->snat_thread_index);
+	  s->flags |= SNAT_SESSION_FLAG_EXACT_ADDRESS;
+	}
+      else
+	{
+	  rc =
+	    snat_alloc_outside_address_and_port (sm->twice_nat_addresses, 0,
+						 thread_index, nat_proto,
+						 &s->ext_host_nat_addr,
+						 &s->ext_host_nat_port,
+						 sm->port_per_thread,
+						 tsm->snat_thread_index);
+	}
+
+      if (rc)
 	{
 	  b->error = node->errors[NAT_OUT2IN_ED_ERROR_OUT_OF_PORTS];
 	  nat_ed_session_delete (sm, s, thread_index, 1);
@@ -275,6 +355,7 @@
 	    nat_elog_notice ("out2in-ed key del failed");
 	  return 0;
 	}
+
       s->flags |= SNAT_SESSION_FLAG_TWICE_NAT;
       init_ed_kv (&kv, i2o_addr, i2o_port, s->ext_host_nat_addr,
 		  s->ext_host_nat_port, i2o_fib_index, ip->protocol,
@@ -459,6 +540,7 @@
   u16 sm_port;
   u32 sm_fib_index;
   *dont_translate = 0;
+  snat_static_mapping_t *m;
 
   sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
   rx_fib_index = ip4_fib_table_get_index_for_sw_if_index (sw_if_index);
@@ -473,12 +555,12 @@
 
   if (clib_bihash_search_16_8 (&sm->out2in_ed, &kv, &value))
     {
-      /* Try to match static mapping */
       if (snat_static_mapping_match
 	  (sm, ip->dst_address, l_port, rx_fib_index,
 	   ip_proto_to_nat_proto (ip->protocol), &sm_addr, &sm_port,
-	   &sm_fib_index, 1, &is_addr_only, 0, 0, 0, &identity_nat))
+	   &sm_fib_index, 1, &is_addr_only, 0, 0, 0, &identity_nat, &m))
 	{
+	  // static mapping not matched
 	  if (!sm->forwarding_enabled)
 	    {
 	      /* Don't NAT packet aimed at the intfc address */
@@ -486,11 +568,12 @@
 						    ip->dst_address.as_u32)))
 		{
 		  *dont_translate = 1;
-		  goto out;
 		}
-	      b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
-	      next = NAT_NEXT_DROP;
-	      goto out;
+	      else
+		{
+		  b->error = node->errors[NAT_OUT2IN_ED_ERROR_NO_TRANSLATION];
+		  next = NAT_NEXT_DROP;
+		}
 	    }
 	  else
 	    {
@@ -499,14 +582,17 @@
 				thread_index, rx_fib_index))
 		{
 		  next = NAT_NEXT_IN2OUT_ED_FAST_PATH;
-		  goto out;
 		}
-	      if (sm->num_workers > 1)
-		create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index);
 	      else
-		create_bypass_for_fwd (sm, b, ip, rx_fib_index, thread_index);
-	      goto out;
+		{
+		  if (sm->num_workers > 1)
+		    create_bypass_for_fwd_worker (sm, b, ip, rx_fib_index);
+		  else
+		    create_bypass_for_fwd (sm, b, ip, rx_fib_index,
+					   thread_index);
+		}
 	    }
+	  goto out;
 	}
 
       if (PREDICT_FALSE
@@ -533,13 +619,9 @@
 					      l_port, rx_fib_index, *proto,
 					      node, rx_fib_index,
 					      thread_index, 0, 0,
-					      vlib_time_now (vm));
-
+					      vlib_time_now (vm), m);
       if (!s)
-	{
-	  next = NAT_NEXT_DROP;
-	  goto out;
-	}
+	next = NAT_NEXT_DROP;
     }
   else
     {
@@ -978,6 +1060,7 @@
   f64 now = vlib_time_now (vm);
   u32 thread_index = vm->thread_index;
   snat_main_per_thread_data_t *tsm = &sm->per_thread_data[thread_index];
+  snat_static_mapping_t *m;
 
   from = vlib_frame_vector_args (frame);
   n_left_from = frame->n_vectors;
@@ -1087,7 +1170,7 @@
 	      (sm, ip0->dst_address,
 	       vnet_buffer (b0)->ip.reass.l4_dst_port, rx_fib_index0,
 	       proto0, &sm_addr, &sm_port, &sm_fib_index, 1, 0,
-	       &twice_nat0, &lb_nat0, &ip0->src_address, &identity_nat0))
+	       &twice_nat0, &lb_nat0, &ip0->src_address, &identity_nat0, &m))
 	    {
 	      /*
 	       * Send DHCP packets to the ipv4 stack, or we won't
@@ -1115,13 +1198,16 @@
 		       thread_index, rx_fib_index0))
 		    {
 		      next[0] = NAT_NEXT_IN2OUT_ED_FAST_PATH;
-		      goto trace0;
 		    }
-		  if (sm->num_workers > 1)
-		    create_bypass_for_fwd_worker (sm, b0, ip0, rx_fib_index0);
 		  else
-		    create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
-					   thread_index);
+		    {
+		      if (sm->num_workers > 1)
+			create_bypass_for_fwd_worker (sm, b0, ip0,
+						      rx_fib_index0);
+		      else
+			create_bypass_for_fwd (sm, b0, ip0, rx_fib_index0,
+					       thread_index);
+		    }
 		}
 	      goto trace0;
 	    }
@@ -1148,7 +1234,7 @@
 						     rx_fib_index0, proto0,
 						     node, rx_fib_index0,
 						     thread_index, twice_nat0,
-						     lb_nat0, now);
+						     lb_nat0, now, m);
 	  if (!s0)
 	    {
 	      next[0] = NAT_NEXT_DROP;