
Implement persistent/random address and port mapping options for NAT rules
Closed, Resolved | Public | FEATURE REQUEST

Description

Hello!
We need to add the ability to set the "--persistent" flag on NAT rules. Without it, correct NAT to a range of IP addresses is often not possible, because different connections from/to the same client are NATed to different IP addresses.

--persistent
Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

syncer triaged this task as Normal priority. Dec 6 2018, 12:02 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

Almost done, also implemented the 'random' flag. Does it look ok, or should the name be changed? For example: flag, or flags.

random: randomize source port mapping.

description main
nat-flags {
    persistent
    random
}
outbound-interface bond1
source {
    address 0.0.0.0/0
}
translation {
    address 10.10.10.5-10.10.10.20
}

https://github.com/vyos/vyatta-nat/blob/current/scripts/vyatta-update-src-nat.pl#L159

Can we add checks?

set nat source rule 10 translation address 1.1.1.50-1.1.120 persistent

If the string contains "persistent" or the node is set to persistent, then:

$cmd = "$IPTABLES -t nat -I $chain_name $ipt_rulenum " . "$rule_str --persistent";

I don't know how to do it in Perl; in their documentation the function names are "index" and "rindex":
index - find a substring within a string
rindex - right-to-left substring search

It would be great if someone writes this check.

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin changed the task status from Open to Needs testing. Aug 6 2021, 8:26 PM
dmbaturin added a subscriber: dmbaturin.

I've tested it on 1.3 with kernel 5.4.138, and for me the persistent option works as expected. I think it's a non-issue for equuleus already and the task can be closed, though I'd like other people to test that first.

I can confirm that this works fine on the latest 1.3 nightly.

erkin set Issue type to Feature (new functionality). Aug 31 2021, 7:12 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Feature (new functionality) to Improvement (missing useful functionality).

Since we had to revert to the old NAT implementation due to kernel issues, this had to be back-back-ported to the old Perl code as well.

Some implementation notes that the new version from current should account for:

  • The port-mapping option should only be in source NAT because it's not available for --to-destination target.
  • The port-mapping option is only valid for masquerade rules.
  • Since kernel 5.0, there's no distinction between --random and --random-fully, so there's no reason to provide --random.
  • The address-mapping option is only valid for non-masquerade rules but works for both SNAT and DNAT.

I also wonder if they should be boolean options since post-5.0 they both can have only two values. However, kernel authors may introduce new states, so maybe keep them as is for now.
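As an added example (not VyOS's own code), the four implementation notes above can be encoded as a check that runs before the iptables command is built; the rule dict shape, the chain names and the mapping of address-mapping 'random' to --random are assumptions made for the example.

```python
IPTABLES = "iptables"  # assumed binary name; the Perl script uses $IPTABLES

def validate_nat_rule(rule: dict) -> list:
    """Return the list of constraint violations (an empty list means OK)."""
    errors = []
    masquerade = rule["translation"] == "masquerade"
    port_map = rule.get("port_mapping")
    addr_map = rule.get("address_mapping")
    # port-mapping: source NAT only, and only on masquerade rules
    if port_map is not None:
        if rule["type"] != "source":
            errors.append("port-mapping is not available for --to-destination")
        elif not masquerade:
            errors.append("port-mapping is only valid for masquerade rules")
        elif port_map != "random":
            errors.append(f"unknown port-mapping value: {port_map}")
    # address-mapping: non-masquerade rules only, but both SNAT and DNAT
    if addr_map is not None:
        if masquerade:
            errors.append("address-mapping is only valid for non-masquerade rules")
        elif addr_map not in ("persistent", "random"):
            errors.append(f"unknown address-mapping value: {addr_map}")
    return errors

def build_nat_rule(rule: dict) -> str:
    """Build the iptables command for a rule that passed validation."""
    errors = validate_nat_rule(rule)
    if errors:
        raise ValueError("; ".join(errors))
    source = rule["type"] == "source"
    # Assumed chains; the real scripts insert into their own per-rule chains.
    parts = [IPTABLES, "-t", "nat", "-A", "POSTROUTING" if source else "PREROUTING"]
    if rule.get("interface"):
        parts += ["-o" if source else "-i", rule["interface"]]
    if rule["translation"] == "masquerade":
        parts += ["-j", "MASQUERADE"]
        # Since kernel 5.0 --random and --random-fully behave the same,
        # so 'random' is emitted as --random-fully (see the notes above).
        if rule.get("port_mapping") == "random":
            parts.append("--random-fully")
    else:
        target = ["-j", "SNAT", "--to-source"] if source else ["-j", "DNAT", "--to-destination"]
        parts += target + [rule["translation"]]
        if rule.get("address_mapping") == "persistent":
            parts.append("--persistent")
        elif rule.get("address_mapping") == "random":
            parts.append("--random")  # assumed mapping for address ranges
    return " ".join(parts)
```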

dmbaturin renamed this task from Implement "--persistent" option to NAT rules to Implement persistent/random address and port mapping options for NAT rules. Nov 17 2021, 8:10 PM
erkin changed the task status from Needs testing to In progress. Nov 18 2021, 2:05 PM

Still works perfectly fine for 1.3 nightly. (1.3-beta-202111240443)