Page MenuHomeVyOS Platform

Implement persistent/random address and port mapping options for NAT rules
Closed, ResolvedPublicFEATURE REQUEST


We need to add ability to set "--persistent" flag to NAT rules. Without it correct NAT to range of IP address often is not possible, because different connections from/to same client NATed to different IP addresses.

Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2.


Difficulty level
Unknown (require assessment)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

syncer triaged this task as Normal priority.Dec 6 2018, 12:02 AM
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

Almost done, also implemented 'random' flag, looks ok? or change name? for example - flag, or flags

random: randomize source port mapping.

description main
nat-flags {
outbound-interface bond1
source {
translation {

Can we add checks?

set nat source rule 10 translation address persistent

If string contain "persistent" or node set to persistent; then

$cmd = "$IPTABLES -t nat -I $chain_name $ipt_rulenum " ."$rule_str" --persistent;

I don't know how it do with perl, it their documentations it's function names "index, rindex"
index - find a substring within a string
rindex - right-to-left substring search

It would be great if someone writes this check.

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
dmbaturin changed the task status from Open to Needs testing.Aug 6 2021, 8:26 PM
dmbaturin added a subscriber: dmbaturin.

I've tested it on 1.3 with kernel 5.4.138, and for me the persistent option works as expected. I think it's a non-issue for equuleus already and the task can be closed, though I'd like other people to test that first.

I can confirm that this works fine on the latest 1.3 nightly.

erkin set Issue type to Feature (new functionality).Aug 31 2021, 7:12 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Feature (new functionality) to Improvement (missing useful functionality).

Since we had to revert to the old NAT implementation due to kernel issues, this had to be back-back-ported to the old Perl code as well.

Some implementation notes that the new version from current should account for:

  • The port-mapping option should only be in source NAT because it's not available for --to-destination target.
  • The port-mapping option is only valid for masquerade rules.
  • Since kernel 5.0, there's no distinction between --random and --random-fully, so there's no reason to provide --random.
  • The address-mapping option is only valid for non-masquerade rules but works for both SNAT and DNAT.

I also wonder if they should be boolean options since post-5.0 they both can have only two values. However, kernel authors may introduce new states, so maybe keep them as is for now.

dmbaturin renamed this task from Implement "--persistent" option to NAT rules to Implement persistent/random address and port mapping options for NAT rules.Nov 17 2021, 8:10 PM
erkin changed the task status from Needs testing to In progress.Nov 18 2021, 2:05 PM

Still works perfectly fine for 1.3 nightly. (1.3-beta-202111240443)