
nat66: T4598: Add exclude options in nat66 #1461

Merged (2 commits), Aug 8, 2022

Conversation

nicolas-fort (Contributor)

Change Summary

Add exclude options in nat66 rules.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

nat66

Proposed changes

Add exclude option in nat66. Useful in many scenarios, and already supported in nat.

How to test

Configuration:

set nat66 destination rule 10 inbound-interface 'eth1'
set nat66 destination rule 10 destination address '2001:db8::1'
set nat66 destination rule 10 source address 'fc00::01'
set nat66 destination rule 10 exclude
set nat66 destination rule 20 inbound-interface 'eth1'
set nat66 destination rule 20 destination address '2001:db8::1'
set nat66 destination rule 20 translation address 'fc01::1'

set nat66 source rule 10 outbound-interface 'eth1'
set nat66 source rule 10 source prefix 'fc00::/64'
set nat66 source rule 10 destination prefix 'fc99::/64'
set nat66 source rule 10 exclude
set nat66 source rule 20 outbound-interface 'eth1'
set nat66 source rule 20 source prefix 'fc00::/64'
set nat66 source rule 20 translation address 'masquerade'

nftables:

vyos@vyos# sudo nft list table ip6 nat
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "eth1" counter packets 0 bytes 0 ip6 saddr fc00::1 ip6 daddr 2001:db8::1 return comment "DST-NAT66-10"
		iifname "eth1" counter packets 0 bytes 0 ip6 daddr 2001:db8::1 dnat to fc01::1 comment "DST-NAT66-20"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth1" counter packets 0 bytes 0 ip6 saddr fc00::/64 ip6 daddr fc99::/64 return comment "SRC-NAT66-10"
		oifname "eth1" counter packets 0 bytes 0 ip6 saddr fc00::/64 masquerade comment "SRC-NAT66-20"
	}

	chain VYOS_DNPT_HOOK {
	}

	chain VYOS_SNPT_HOOK {
	}
}

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
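The configuration above and the nft listing it produces can be reproduced with a small renderer that turns each nat66 rule into one nftables statement, emitting `return` for an exclude rule instead of `dnat to` / `snat to` / `masquerade`. This is an added example, not code from vyos-1x or from this PR; it assumes a rule dictionary keyed like the CLI paths (`inbound-interface`, `outbound-interface`, `source`/`destination` with `address` or `prefix`, `translation address`, `exclude`), and it assumes that an `exclude` flag takes precedence over any translation address set on the same rule. The sample rule set is constructed here to match the two chains shown in the nft output (counters omitted).

```python
"""Render VyOS-style nat66 rules into nftables statements, including the
'exclude' option. Added example, not code from vyos-1x; the rule dict
layout is an assumption that mirrors the CLI paths of the PR's test config."""
import ipaddress
from typing import Dict, List, Optional


def _canon(value: str, is_prefix: bool) -> str:
    """Canonicalise an address or prefix the way nft prints it (fc00::01 -> fc00::1)."""
    if is_prefix:
        return str(ipaddress.IPv6Network(value, strict=False))
    return str(ipaddress.IPv6Address(value))


def _match(side: str, spec: Optional[Dict[str, str]]) -> List[str]:
    """Emit 'ip6 saddr X' / 'ip6 daddr X' for an address or prefix selector."""
    if not spec:
        return []
    key = 'saddr' if side == 'source' else 'daddr'
    if 'prefix' in spec:
        return [f"ip6 {key} {_canon(spec['prefix'], True)}"]
    if 'address' in spec:
        return [f"ip6 {key} {_canon(spec['address'], False)}"]
    return []


def render_nat66_rule(kind: str, number: int, rule: Dict) -> str:
    """Render one nat66 rule; kind is 'destination' (PREROUTING) or 'source' (POSTROUTING).

    An exclude rule ends in 'return', so a matching packet leaves the nat chain
    untranslated. Because both 'return' and the translation verbs terminate
    evaluation, an exclude rule only works if it sorts before the translating
    rule it is meant to carve out (rule 10 before rule 20 in the PR's config).
    """
    if kind not in ('destination', 'source'):
        raise ValueError(f'unknown nat66 direction: {kind}')
    parts: List[str] = []
    if kind == 'destination':
        if 'inbound-interface' in rule:
            parts.append(f'iifname "{rule["inbound-interface"]}"')
        tag = 'DST'
    else:
        if 'outbound-interface' in rule:
            parts.append(f'oifname "{rule["outbound-interface"]}"')
        tag = 'SRC'
    parts += _match('source', rule.get('source'))
    parts += _match('destination', rule.get('destination'))

    if rule.get('exclude'):
        # Assumption: exclude wins over any translation address on the same rule.
        parts.append('return')
    else:
        translation = rule.get('translation', {})
        if 'address' not in translation:
            raise ValueError(f'{tag}-NAT66-{number}: translation address or exclude required')
        addr = translation['address']
        if kind == 'source' and addr == 'masquerade':
            parts.append('masquerade')
        else:
            verb = 'dnat' if kind == 'destination' else 'snat'
            parts.append(f'{verb} to {_canon(addr, False)}')
    parts.append(f'comment "{tag}-NAT66-{number}"')
    return ' '.join(parts)


def render_chain(kind: str, rules: Dict[int, Dict]) -> List[str]:
    """Render every rule of one direction in ascending rule-number order (nft evaluates top-down)."""
    return [render_nat66_rule(kind, n, rules[n]) for n in sorted(rules)]


# Constructed sample matching the 'How to test' configuration of the PR.
EXAMPLE_RULES = {
    'destination': {
        10: {'inbound-interface': 'eth1', 'destination': {'address': '2001:db8::1'},
             'source': {'address': 'fc00::01'}, 'exclude': True},
        20: {'inbound-interface': 'eth1', 'destination': {'address': '2001:db8::1'},
             'translation': {'address': 'fc01::1'}},
    },
    'source': {
        10: {'outbound-interface': 'eth1', 'source': {'prefix': 'fc00::/64'},
             'destination': {'prefix': 'fc99::/64'}, 'exclude': True},
        20: {'outbound-interface': 'eth1', 'source': {'prefix': 'fc00::/64'},
             'translation': {'address': 'masquerade'}},
    },
}

if __name__ == '__main__':
    for kind, chain in (('destination', 'PREROUTING'), ('source', 'POSTROUTING')):
        print(f'chain {chain} {{')
        for line in render_chain(kind, EXAMPLE_RULES[kind]):
            print(f'    {line}')
        print('}')
```

Running the block prints the two chains with the same rule bodies as the `nft list table ip6 nat` output above; `fc00::01` from the CLI comes out as `fc00::1` because the renderer canonicalises addresses the way nft does. The ordering caveat in the docstring is the practical check to make when using `exclude`: since nft stops at the first terminal statement, an exclude rule numbered higher than the masquerade or dnat rule it should exempt is never reached.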

@c-po c-po (Member) left a comment
Can we please have a nat-exclude.xml.i so the definition is written only once and then included where needed?

@nicolas-fort (Contributor Author)

Done!

@nicolas-fort nicolas-fort requested a review from c-po August 8, 2022 17:59
@c-po c-po merged commit 7ae34b6 into vyos:current Aug 8, 2022
@nicolas-fort nicolas-fort deleted the nat66-exclude branch March 21, 2024 15:39