nat66: T4586: Add SNAT destination prefix and DNAT address #1457

Merged
merged 2 commits into from Aug 4, 2022

sever-sever
Member

Change Summary

Ability to configure SNAT destination prefix and
DNAT source address
Add option "!" - not address/prefix for NAT66

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

nat66

Proposed changes

How to test

NAT configuration:

set nat66 source rule 10 destination prefix '2001:db8::2/128'
set nat66 source rule 10 outbound-interface 'eth1'
set nat66 source rule 10 source prefix '2001:db8:1111::/64'
set nat66 source rule 10 translation address 'masquerade'

set nat66 source rule 20 destination prefix '!2001:db8::6/127'
set nat66 source rule 20 outbound-interface 'eth1'
set nat66 source rule 20 source prefix '2001:db8:1111::/64'
set nat66 source rule 20 translation address 'masquerade'

set nat66 destination rule 10 destination address '2001:db8:1111::/64'
set nat66 destination rule 10 inbound-interface 'eth1'
set nat66 destination rule 10 source address '!2001:db8::6/127'
set nat66 destination rule 10 translation address '2001:db8::444'

Nftables:

vyos@r14# sudo nft list table ip6 nat
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "eth1" counter packets 1 bytes 166 ip6 saddr != 2001:db8::6/127 ip6 daddr 2001:db8:1111::/64 dnat to 2001:db8::444 comment "DST-NAT66-10"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth1" counter packets 0 bytes 0 ip6 saddr 2001:db8:1111::/64 ip6 daddr 2001:db8::2 masquerade comment "SRC-NAT66-10"
		oifname "eth1" counter packets 0 bytes 0 ip6 saddr 2001:db8:1111::/64 ip6 daddr != 2001:db8::6/127 masquerade comment "SRC-NAT66-20"
	}
...
}

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

Add IPV6 exclude validators:
  - ipv6-address-exclude
  - ipv6-prefix-exclude
Will use in nat66 source/destination
Ability to configure SNAT destination prefix and
DNAT source address
Add option "!" - not address/prefix for NAT66
@c-po c-po merged commit 8af312e into vyos:current Aug 4, 2022
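
The mapping shown under "How to test", from a "!"-prefixed NAT66 value to an nft `!=` match, as an added example (not code from this PR or from VyOS). The function names `parse_match`, `nft_fragment` and `selects` are hypothetical, and rejecting prefixes with host bits set is an assumption of this sketch, not a statement about the VyOS validators.

```python
import ipaddress


def parse_match(value):
    """Split an optional leading '!' from an IPv6 address or prefix.

    Returns (negated, network). A prefix with host bits set is rejected
    (strict=True) so a typo cannot silently shift the matched range.
    """
    negated = value.startswith('!')
    body = value[1:] if negated else value
    if not body or body.startswith('!'):
        raise ValueError(f'invalid match value: {value!r}')
    return negated, ipaddress.IPv6Network(body, strict=True)


def nft_fragment(field, value):
    """Render an nft match such as 'ip6 daddr != 2001:db8::6/127'."""
    if field not in ('saddr', 'daddr'):
        raise ValueError(f'unknown field: {field!r}')
    negated, net = parse_match(value)
    # A /128 is printed as a bare address, as in the SRC-NAT66-10 rule above.
    target = str(net.network_address) if net.prefixlen == 128 else str(net)
    return f"ip6 {field} {'!= ' if negated else ''}{target}"


def selects(value, address):
    """True if a packet carrying `address` is selected by this match."""
    negated, net = parse_match(value)
    return (ipaddress.IPv6Address(address) in net) != negated


if __name__ == '__main__':
    # Values taken from the configuration in the PR description.
    print(nft_fragment('daddr', '2001:db8::2/128'))
    print(nft_fragment('daddr', '!2001:db8::6/127'))
    print(nft_fragment('saddr', '!2001:db8::6/127'))
    # A negated match selects every address outside the prefix, so
    # rule 20 masquerades traffic to any destination except ::6 and ::7.
    for dst in ('2001:db8::6', '2001:db8::7', '2001:db8::8'):
        print(dst, selects('!2001:db8::6/127', dst))
```
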