diff --git a/dist/images/install.sh b/dist/images/install.sh index 6124569e6b3..caf3c50b76c 100755 --- a/dist/images/install.sh +++ b/dist/images/install.sh @@ -642,6 +642,14 @@ spec: type: string redo: type: string + protocol: + type: string + internalIp: + type: string + internalPort: + type: string + externalPort: + type: string conditions: type: array items: diff --git a/pkg/apis/kubeovn/v1/types.go b/pkg/apis/kubeovn/v1/types.go index 8425eb4cc55..61fb1fb3a9a 100644 --- a/pkg/apis/kubeovn/v1/types.go +++ b/pkg/apis/kubeovn/v1/types.go @@ -717,6 +717,11 @@ type IptablesDnatRuleStatus struct { NatGwDp string `json:"natGwDp" patchStrategy:"merge"` Redo string `json:"redo" patchStrategy:"merge"` + Protocol string `json:"protocol" patchStrategy:"merge"` + InternalIp string `json:"internalIp" patchStrategy:"merge"` + InternalPort string `json:"internalPort" patchStrategy:"merge"` + ExternalPort string `json:"externalPort" patchStrategy:"merge"` + // Conditions represents the latest state of the object // +optional // +patchMergeKey=type diff --git a/pkg/controller/vpc_nat_gw_nat.go b/pkg/controller/vpc_nat_gw_nat.go index 5c28ea95c30..8edfbd84f2e 100644 --- a/pkg/controller/vpc_nat_gw_nat.go +++ b/pkg/controller/vpc_nat_gw_nat.go @@ -100,7 +100,11 @@ func (c *Controller) enqueueUpdateIptablesDnatRule(old, new interface{}) { if oldDnat.Status.V4ip != newDnat.Status.V4ip || oldDnat.Spec.EIP != newDnat.Spec.EIP || - oldDnat.Status.Redo != newDnat.Status.Redo { + oldDnat.Status.Redo != newDnat.Status.Redo || + oldDnat.Spec.Protocol != newDnat.Spec.Protocol || + oldDnat.Spec.InternalIp != newDnat.Spec.InternalIp || + oldDnat.Spec.InternalPort != newDnat.Spec.InternalPort || + oldDnat.Spec.ExternalPort != newDnat.Spec.ExternalPort { klog.V(3).Infof("enqueue update dnat %s", key) c.updateIptablesDnatRuleQueue.Add(key) return 
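Review bot: The four fields added to IptablesDnatRuleStatus in pkg/apis/kubeovn/v1/types.go have no comment saying that they record the parameters last applied on the gateway rather than the desired ones. The update handler in this same commit relies on that meaning when it passes them to deleteDnatInPod. I would add above them `// Protocol, InternalIp, InternalPort and ExternalPort hold the rule parameters last programmed on the NAT gateway; the controller uses them to remove the previous rule when the spec changes.` The struct starts and ends outside the hunk.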
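Review bot: With the four comparisons added to enqueueUpdateIptablesDnatRule, an edit to Spec.Protocol, Spec.InternalIp, Spec.InternalPort or Spec.ExternalPort now causes the gateway rule to be re-programmed, and nothing visible in this diff checks those strings before the handler passes them to createDnatInPod. The handler and helper bodies are mostly outside the diff, so this may already be covered elsewhere. If it is not, I would validate at the top of the update handler that the protocol is one of the supported values, that the internal IP parses with `net.ParseIP`, and that both ports are integers in 1-65535, returning an error otherwise. The function continues outside the hunk.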
@@ -781,24 +785,26 @@ func (c *Controller) handleUpdateIptablesDnatRule(key string) error { if vpcNatEnabled != "true" { return fmt.Errorf("iptables nat gw not enable") } + + if err = c.deleteDnatInPod(cachedDnat.Status.NatGwDp, cachedDnat.Status.Protocol, + cachedDnat.Status.V4ip, cachedDnat.Status.InternalIp, + cachedDnat.Status.ExternalPort, cachedDnat.Status.InternalPort); err != nil { + klog.Errorf("failed to delete old dnat, %v", err) + return err + } + if err = c.createDnatInPod(eip.Spec.NatGwDp, cachedDnat.Spec.Protocol, + eip.Status.IP, cachedDnat.Spec.InternalIp, + cachedDnat.Spec.ExternalPort, cachedDnat.Spec.InternalPort); err != nil { + klog.Errorf("failed to create new dnat %s, %v", key, err) + return err + } + if err = c.patchDnatStatus(key, eip.Status.IP, eip.Spec.V6ip, eip.Spec.NatGwDp, "", true); err != nil { + klog.Errorf("failed to patch status for dnat %s , %v", key, err) + return err + } + if c.dnatChangeEip(cachedDnat, eip) { klog.V(3).Infof("dnat change ip, old ip '%s', new ip %s", cachedDnat.Status.V4ip, eip.Status.IP) - if err = c.deleteDnatInPod(cachedDnat.Status.NatGwDp, cachedDnat.Spec.Protocol, - cachedDnat.Status.V4ip, cachedDnat.Spec.InternalIp, - cachedDnat.Spec.ExternalPort, cachedDnat.Spec.InternalPort); err != nil { - klog.Errorf("failed to delete old dnat, %v", err) - return err - } - if err = c.createDnatInPod(eip.Spec.NatGwDp, cachedDnat.Spec.Protocol, - eip.Status.IP, cachedDnat.Spec.InternalIp, - cachedDnat.Spec.ExternalPort, cachedDnat.Spec.InternalPort); err != nil { - klog.Errorf("failed to create new dnat %s, %v", key, err) - return err - } - if err = c.patchDnatStatus(key, eip.Status.IP, eip.Spec.V6ip, eip.Spec.NatGwDp, "", true); err != nil { - klog.Errorf("failed to patch status for dnat %s , %v", key, err) - return err - } if err = c.patchEipNat(eipName, util.DnatUsingEip); err != nil { klog.Errorf("failed to patch dnat use eip %s, %v", key, err) return err 
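Review bot: In handleUpdateIptablesDnatRule the delete/create/patch sequence has moved out of the `if c.dnatChangeEip(cachedDnat, eip)` branch, so it now runs on every update event, and deleteDnatInPod takes its rule from `cachedDnat.Status.Protocol`, `InternalIp`, `ExternalPort` and `InternalPort`. On objects created before this change those status fields are empty, so the delete is called with empty parameters and the rule that was actually installed may stay on the gateway, still forwarding the old port. I would guard the sequence so it only runs when Status differs from Spec or the EIP changed, and fall back to the Spec values for the delete when a Status field is empty, e.g. `if cachedDnat.Status.Protocol == "" { /* use cachedDnat.Spec.* for the delete */ }`. The two-step order also matters: if createDnatInPod or patchDnatStatus fails after the delete succeeded, the retry deletes again from the same stale Status, so this is only safe if deleteDnatInPod tolerates a rule that is already gone (its body is not in the diff). The function starts and ends outside the hunk.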
@@ -1381,6 +1387,22 @@ func (c *Controller) patchDnatStatus(key, v4ip, v6ip, natGwDp, redo string, read dnat.Status.NatGwDp = natGwDp changed = true } + if ready && dnat.Status.Protocol != "" && dnat.Status.Protocol != dnat.Spec.Protocol { + dnat.Status.Protocol = dnat.Spec.Protocol + changed = true + } + if ready && dnat.Status.InternalIp != "" && dnat.Status.InternalIp != dnat.Spec.InternalIp { + dnat.Status.InternalIp = dnat.Spec.InternalIp + changed = true + } + if ready && dnat.Status.InternalPort != "" && dnat.Status.InternalPort != dnat.Spec.InternalPort { + dnat.Status.InternalPort = dnat.Spec.InternalPort + changed = true + } + if ready && dnat.Status.ExternalPort != "" && dnat.Status.ExternalPort != dnat.Spec.ExternalPort { + dnat.Status.ExternalPort = dnat.Spec.ExternalPort + changed = true + } if changed { bytes, err := dnat.Status.Bytes() diff --git a/yamls/crd.yaml b/yamls/crd.yaml index 367b9294800..385c8b957e0 100644 --- a/yamls/crd.yaml +++ b/yamls/crd.yaml @@ -424,6 +424,14 @@ spec: type: string redo: type: string + protocol: + type: string + internalIp: + type: string + internalPort: + type: string + externalPort: + type: string conditions: type: array items:
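Review bot: Each of the four new blocks in patchDnatStatus copies Spec into Status only when the Status field is already non-empty (`dnat.Status.Protocol != "" && ...`), so a field that starts out empty is never recorded by this path. Unless the create handler seeds these fields outside this diff, the update handler will keep calling deleteDnatInPod with empty values; dropping the guard, `if ready && dnat.Status.Protocol != dnat.Spec.Protocol {` and likewise for the other three, would fix that. The blocks also copy from `dnat.Spec` as seen inside patchDnatStatus rather than from the values the caller just passed to createDnatInPod. If the two can differ (a spec edit between the calls), Status would describe a rule that was never installed and the installed one would not be removed on the next update. Passing the applied values in explicitly would avoid that. The function starts and ends outside the hunk.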