
nat: T538: Add static NAT one-to-one

Open sever-sever opened this issue 3 years ago • 3 comments

Change Summary

Ability to set static NAT (one-to-one) in one rule. Use a separate table 'vyos_static_nat', as SRC/DST rules and STATIC rules can have the same rule number.

Types of changes

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Code style update (formatting, renaming)
  • [ ] Refactoring (no functional changes)
  • [ ] Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • [ ] Other (please describe):

Related Task(s)

  • https://phabricator.vyos.net/T538

Component(s) name

nat

Proposed changes

How to test

VyOS configuration

set nat static rule 10 destination address '10.0.1.1'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.168.1.1'

set nat static rule 20 destination address '203.0.113.0/24'
set nat static rule 20 inbound-interface 'eth0'
set nat static rule 20 translation address '192.0.2.0/24'

nftables rules:

vyos@r14# sudo nft list table vyos_static_nat
table ip vyos_static_nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 3 bytes 252 jump VYOS_PRE_DNAT_HOOK
		iifname "eth0" ip daddr 10.0.1.1 counter packets 0 bytes 0 dnat to 192.168.1.1 comment "STATIC-NAT-10"
		iifname "eth0" counter packets 3 bytes 252 dnat ip prefix to ip daddr map { 203.0.113.0/24 : 192.0.2.0/24 } comment "STATIC-NAT-20"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 3 bytes 252 jump VYOS_PRE_SNAT_HOOK
		oifname "eth0" counter packets 0 bytes 0 snat to 10.0.1.1 comment "STATIC-NAT-10"
		oifname "eth0" counter packets 0 bytes 0 snat ip prefix to ip saddr map { 192.0.2.0/24 : 203.0.113.0/24 } comment "STATIC-NAT-20"
	}

	chain VYOS_PRE_DNAT_HOOK {
		return
	}

	chain VYOS_PRE_SNAT_HOOK {
		return
	}
}
[edit]
vyos@r14# 

Checklist:

  • [x] I have read the CONTRIBUTING document
  • [x] I have linked this PR to one or more Phabricator Task(s)
  • [ ] I have run the components SMOKETESTS if applicable
  • [x] My commit headlines contain a valid Task id
  • [ ] My change requires a change to the documentation
  • [ ] I have updated the documentation accordingly

sever-sever avatar Aug 13 '22 00:08 sever-sever

Something wrong with postrouting rule 10

sever-sever avatar Aug 13 '22 00:08 sever-sever

Something wrong with postrouting rule 10

Fixed

vyos@r14# sudo nft list table vyos_static_nat
table ip vyos_static_nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter packets 0 bytes 0 jump VYOS_PRE_DNAT_HOOK
		iifname "eth0" ip daddr 10.0.1.1 counter packets 0 bytes 0 dnat to 192.168.1.1 comment "STATIC-NAT-10"
		iifname "eth0" counter packets 0 bytes 0 dnat ip prefix to ip daddr map { 203.0.113.0/24 : 192.0.2.0/24 } comment "STATIC-NAT-20"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter packets 0 bytes 0 jump VYOS_PRE_SNAT_HOOK
		oifname "eth0" ip saddr 192.168.1.1 counter packets 0 bytes 0 snat to 10.0.1.1 comment "STATIC-NAT-10"
		oifname "eth0" counter packets 0 bytes 0 snat ip prefix to ip saddr map { 192.0.2.0/24 : 203.0.113.0/24 } comment "STATIC-NAT-20"
	}

	chain VYOS_PRE_DNAT_HOOK {
		return
	}

	chain VYOS_PRE_SNAT_HOOK {
		return
	}
}
[edit]
vyos@r14# 

sever-sever avatar Aug 13 '22 01:08 sever-sever
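The two `nft list table` outputs above (the PR description's first version and the "Fixed" version) differ in exactly one place: POSTROUTING rule 10 gains an `ip saddr 192.168.1.1` match. Without it, the SNAT half of the one-to-one rule matched on `oifname "eth0"` alone, so every packet leaving eth0 would have been rewritten to 10.0.1.1, not just traffic from the translated host. The following is an added example, not vyos-1x code: it parses the `set nat static rule ...` lines from the PR, renders the DNAT/SNAT pair per rule in the form the fixed output shows (host-to-host with explicit address matches, prefix-to-prefix as a netmap), and flags any plain `snat to` rule that lacks a source match. The parser, renderer and checker are this example's own; vyos-1x's real rule generation is not reproduced here, and runtime counters are omitted.

```python
"""Render and sanity-check nftables rules for one-to-one static NAT.

Added example for this PR thread, not code from vyos-1x. The CLI syntax,
the 'vyos_static_nat' table name and the chain layout come from the PR
text; the parser, renderer and checker below are this example's own.
"""
import ipaddress
import re
import shlex

# Constructed sample: the two rules from the PR's "How to test" section.
SAMPLE_CONFIG = """
set nat static rule 10 destination address '10.0.1.1'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.168.1.1'
set nat static rule 20 destination address '203.0.113.0/24'
set nat static rule 20 inbound-interface 'eth0'
set nat static rule 20 translation address '192.0.2.0/24'
"""

# Constructed: POSTROUTING rule 10 as it appeared in the PR's first output,
# minus the runtime counters. It matches on the output interface only.
BUGGY_SNAT_RULE = 'oifname "eth0" snat to 10.0.1.1 comment "STATIC-NAT-10"'

_RULE_RE = re.compile(r"^set nat static rule (\d+) (.+)$")


def parse_static_nat(config_text):
    """Parse 'set nat static rule N ...' lines into {N: {destination, interface, translation}}."""
    rules = {}
    for line in config_text.strip().splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        number = int(m.group(1))
        tokens = shlex.split(m.group(2))  # drops the quotes around values
        rule = rules.setdefault(number, {})
        if tokens[:2] == ["destination", "address"]:
            rule["destination"] = tokens[2]
        elif tokens[0] == "inbound-interface":
            rule["interface"] = tokens[1]
        elif tokens[:2] == ["translation", "address"]:
            rule["translation"] = tokens[2]
    return rules


def _network(addr):
    return ipaddress.ip_network(addr, strict=False)


def render_rule(number, rule):
    """Return the (PREROUTING dnat, POSTROUTING snat) pair for one static rule."""
    dst, iface, tr = rule["destination"], rule["interface"], rule["translation"]
    comment = f'comment "STATIC-NAT-{number}"'
    if _network(dst).num_addresses > 1:
        # Prefix-to-prefix: a 1:1 netmap in each direction. The map itself
        # bounds which addresses are rewritten, so no extra match is needed.
        if _network(dst).prefixlen != _network(tr).prefixlen:
            raise ValueError(f"rule {number}: prefix lengths differ ({dst} vs {tr})")
        dnat = f'iifname "{iface}" dnat ip prefix to ip daddr map {{ {dst} : {tr} }} {comment}'
        snat = f'oifname "{iface}" snat ip prefix to ip saddr map {{ {tr} : {dst} }} {comment}'
    else:
        dnat = f'iifname "{iface}" ip daddr {dst} dnat to {tr} {comment}'
        # The reverse direction must match the translated host's own source
        # address; without 'ip saddr' every packet leaving the interface
        # would be rewritten to the public address (the PR's first output).
        snat = f'oifname "{iface}" ip saddr {tr} snat to {dst} {comment}'
    return dnat, snat


def render_static_nat(rules):
    """Render all rules in rule-number order into the two NAT chains."""
    chains = {"prerouting": [], "postrouting": []}
    for number in sorted(rules):
        dnat, snat = render_rule(number, rules[number])
        chains["prerouting"].append(dnat)
        chains["postrouting"].append(snat)
    return chains


def snat_rules_without_source_match(snat_rules):
    """Return SNAT rules that would rewrite all traffic leaving the interface.

    A netmap rule is fine (its saddr map bounds it); a plain 'snat to' rule
    needs an explicit 'ip saddr' match ahead of the verdict.
    """
    flagged = []
    for rule in snat_rules:
        if " ip saddr map " in rule:
            continue
        match_part = rule.split(" snat ", 1)[0]
        if "ip saddr" not in match_part:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    chains = render_static_nat(parse_static_nat(SAMPLE_CONFIG))
    for chain, rules in chains.items():
        print(f"chain {chain.upper()}:")
        for r in rules:
            print("   ", r)
    print("flagged (rendered):", snat_rules_without_source_match(chains["postrouting"]))
    print("flagged (first PR output):", snat_rules_without_source_match([BUGGY_SNAT_RULE]))
```

Run stand-alone, the script prints the two chains in the fixed form and reports the first-output rule 10 as the only flagged entry. The checker is deliberately narrow: it only looks at `snat to` rules without a netmap, which is precisely the case the "Fixed" comment corrected.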

My only remaining question is if there is a reason to not have this in source/destination NAT. Is it because it would require two rules? Or is it to have a 1:1 NAT (not PAT) for entire subnets?

c-po avatar Aug 16 '22 17:08 c-po

My only remaining question is if there is a reason to not have this in source/destination NAT. Is it because it would require two rules? Or is it to have a 1:1 NAT (not PAT) for entire subnets?

As I understand, the goal of the task is to have DNAT/SNAT entries but in one rule. So SNAT/DNAT rules do it in the same way.

Maybe @zdc can add something else or I don't fully understand the task? :)

For example, in the same way, we can add NAT hairpin, which includes 1 rule instead of 3 rules (in the future).

sever-sever avatar Aug 17 '22 10:08 sever-sever

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Aug 31 '22 05:08 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions[bot] avatar Aug 31 '22 09:08 github-actions[bot]