Page MenuHomeVyOS Platform
Create Task
Maniphest T4586

Add to NAT66: SNAT destination address and DNAT source address.
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

For those who use NAT66, add the following commands:

Add destination and except prefix to Source NAT (for example):

vyos@vyos# set nat66 source rule 100 
Possible completions:
   description          Rule description
 > destination          IPv6 destination prefix options
   disable              Disable NAT66 rule
   log                  NAT66 rule logging
   outbound-interface   Outbound interface of NAT66 traffic
 > source               IPv6 source prefix options
 > translation          Translated IPv6 address options
   
vyos@vyos# set nat66 source rule 100 source prefix 
Possible completions:
   <h:h:h:h:h:h:h:h/x>   IPv6 prefix
   !<h:h:h:h:h:h:h:h/x>  Match everything except the specified IPv6 prefix
   
vyos@vyos# set nat66 source rule 100 destination prefix 
Possible completions:
   <h:h:h:h:h:h:h:h/x>   IPv6 prefix
   !<h:h:h:h:h:h:h:h/x>  Match everything except the specified IPv6 prefix

An example of a SNAT rule record in nftables:

oifname "eth0" counter packets 0 bytes 0 ip6 saddr fd00:1111:1111:1111::/64 ip6 daddr != fd01:1111:1111:1111::/64 masquerade comment "SRC-NAT66-100"

Add source and except prefix to Destination NAT (for example):

vyos@vyos# set nat66 destination rule 100 
Possible completions:
   description          Rule description
 > destination          IPv6 destination prefix options
   disable              Disable NAT66 rule
   inbound-interface    Inbound interface of NAT66 traffic
   log                  NAT66 rule logging
 > source               IPv6 source prefix options
 > translation          Translated IPv6 address options
   
vyos@vyos# set nat66 destination rule 100 source prefix
Possible completions:
   <h:h:h:h:h:h:h:h/x>   IPv6 prefix
   !<h:h:h:h:h:h:h:h/x>  Match everything except the specified IPv6 prefix

An example of a DNAT rule record in nftables:

iifname "eth0" counter packets 0 bytes 0 ip6 saddr 2002:1111:1111:1111::/64 ip6 daddr 2001:1111:1111:1111::100 dnat to fd00:1111:1111:1111::100 comment "DST-NAT66-100"

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

Event Timeline

RyVolodya created this task.Aug 2 2022, 1:59 PM
RyVolodya updated the task description. (Show Details)Aug 2 2022, 2:09 PM
RyVolodya updated the task description. (Show Details)
RyVolodya updated the task description. (Show Details)Aug 2 2022, 4:37 PM
RyVolodya updated the task description. (Show Details)Aug 2 2022, 4:43 PM
pasik added a subscriber: pasik.Aug 2 2022, 7:40 PM
Viacheslav added a subscriber: Viacheslav.Aug 3 2022, 1:07 PM

PR https://github.com/vyos/vyos-1x/pull/1457

set nat66 destination rule 10 destination address '2001:db8:1111::/64'
set nat66 destination rule 10 inbound-interface 'eth1'
set nat66 destination rule 10 source address '!2001:db8::6/127'
set nat66 destination rule 10 translation address '2001:db8::444'
set nat66 source rule 10 destination prefix '2001:db8::2/128'
set nat66 source rule 10 outbound-interface 'eth1'
set nat66 source rule 10 source prefix '2001:db8:1111::/64'
set nat66 source rule 10 translation address 'masquerade'
set nat66 source rule 20 destination prefix '!2001:db8::6/127'
set nat66 source rule 20 outbound-interface 'eth1'
set nat66 source rule 20 source prefix '2001:db8:1111::/64'
set nat66 source rule 20 translation address 'masquerade'

ntf:

vyos@r14# sudo nft list table ip6 nat
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "eth1" counter packets 1 bytes 166 ip6 saddr != 2001:db8::6/127 ip6 daddr 2001:db8:1111::/64 dnat to 2001:db8::444 comment "DST-NAT66-10"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth1" counter packets 0 bytes 0 ip6 saddr 2001:db8:1111::/64 ip6 daddr 2001:db8::2 masquerade comment "SRC-NAT66-10"
		oifname "eth1" counter packets 0 bytes 0 ip6 saddr 2001:db8:1111::/64 ip6 daddr != 2001:db8::6/127 masquerade comment "SRC-NAT66-20"
	}

	chain VYOS_DNPT_HOOK {
	}

	chain VYOS_SNPT_HOOK {
	}
}
Viacheslav changed the task status from Open to Needs testing.Aug 4 2022, 1:50 PM
RyVolodya mentioned this in T4598: nat66 - Add exclude options.Aug 7 2022, 11:12 AM
Viacheslav closed this task as Resolved.Aug 8 2022, 7:30 AM
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.