Add port and protocol to nat66
Closed, ResolvedPublicFEATURE REQUEST
Actions

Assigned To

Authored By

	RyVolodya
	Aug 20 2022, 12:45 PM

Description

To expand the functionality of nat66, you need to add the port and protocol commands.
Proposal commands to Source NAT66:

vyos@vyos# set nat66 source rule 100 
Possible completions:
   description  Rule description
   disable      Disable NAT66 rule
   log          NAT66 rule logging
   outbound-interface
                Outbound interface of NAT66 traffic
   protocol     Protocol to NAT66                      ---> add command
 > source       IPv6 source prefix options
 > translation  Translated IPv6 address options

vyos@vyos# set nat66 source rule 100 source 
Possible completions:
   prefix       IPv6 prefix to be translated
   port         Port number                            ---> add command

vyos@vyos# set nat66 source rule 100 destination 
Possible completions:
   prefix       IPv6 prefix to be translated
   port         Port number                            ---> add command

Proposal commands to Destination NAT66:

vyos@vyos# set nat66 destination rule 100 
Possible completions:
   description          Rule description
 > destination          IPv6 destination prefix options
   disable              Disable NAT66 rule
   exclude              Exclude packets matching this rule from NAT
   inbound-interface    Inbound interface of NAT66 traffic
   log                  NAT66 rule logging
   protocol             Protocol to NAT66                             ---> add command
 > source               IPv6 source prefix options
 > translation          Translated IPv6 address options

vyos@vyos# set nat66 destination rule 100 destination 
Possible completions:
   address              IPv6 address or prefix to be translated
   port                 Port number                                   ---> add command

vyos@vyos# set nat66 destination rule 100 source 
Possible completions:
   address              IPv6 address or prefix to be translated
   port                 Port number                                   ---> add command

An example of using the dport rule in nftables for source and destination:

table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		counter jump VYOS_DNPT_HOOK
		iifname "eth0" tcp dport { 80 } counter dnat to fd00:1111:1111:1111::10
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		counter jump VYOS_SNPT_HOOK
		oifname "eth0" tcp dport { 80 } counter snat to 2001:1111:1111:1111::10
	}

	chain VYOS_DNPT_HOOK {
		return
	}

	chain VYOS_SNPT_HOOK {
		return
	}
}

Details

Version: -
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Related Objects

Mentioned In: rVYOSONEXb752c8779712: nat66: T4631: Add port and protocol to nat66
rVYOSONEX829c67c4da17: smoketest: T4631: Extend smoketes fot nat66 protocol
rVYOSONEX4eb4a823ffca: Merge pull request #1482 from sever-sever/T4631

Event Timeline

RyVolodya created this task.Aug 20 2022, 12:45 PM

PR https://github.com/vyos/vyos-1x/pull/1482

set nat66 destination rule 120 description 'foo'
set nat66 destination rule 120 destination port '4545'
set nat66 destination rule 120 inbound-interface 'eth0'
set nat66 destination rule 120 protocol 'tcp'
set nat66 destination rule 120 source address '2001:db8:2222::/64'
set nat66 destination rule 120 source port '8080'
set nat66 destination rule 120 translation address '2001:db8:1111::1'
set nat66 destination rule 120 translation port '5555'

set nat66 source rule 10 description 'foo'
set nat66 source rule 10 destination port '9999'
set nat66 source rule 10 outbound-interface 'eth0'
set nat66 source rule 10 protocol 'tcp'
set nat66 source rule 10 source port '8080'
set nat66 source rule 10 source prefix '2001:db8:2222::/64'
set nat66 source rule 10 translation address '2001:db8:1111::1'
set nat66 source rule 10 translation port '80'

Nftables

vyos@r14# sudo nft -s list table ip6 nat
table ip6 nat {
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		iifname "eth0" counter tcp dport { 4545 } ip6 saddr 2001:db8:2222::/64 tcp sport { 8080 } dnat to 2001:db8:1111::1:5555 comment "DST-NAT66-120"
	}

	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" counter ip6 saddr 2001:db8:2222::/64 tcp dport { 9999 } tcp sport { 8080 } snat to 2001:db8:1111::1:80 comment "SRC-NAT66-10"
	}

	chain VYOS_DNPT_HOOK {
	}

	chain VYOS_SNPT_HOOK {
	}
}
[edit]
vyos@r14#

pasik subscribed.Aug 20 2022, 6:51 PM

Viacheslav changed the task status from Open to In progress.Aug 24 2022, 11:46 AM

Viacheslav claimed this task.

Restricted Repository Identity mentioned this in rVYOSONEX4eb4a823ffca: Merge pull request #1482 from sever-sever/T4631.Aug 26 2022, 5:31 PM

Viacheslav mentioned this in rVYOSONEX829c67c4da17: smoketest: T4631: Extend smoketes fot nat66 protocol.Aug 26 2022, 5:31 PM

Viacheslav mentioned this in rVYOSONEXb752c8779712: nat66: T4631: Add port and protocol to nat66.

Viacheslav changed the task status from In progress to Needs testing.Aug 26 2022, 5:58 PM

Viacheslav closed this task as Resolved.Aug 29 2022, 8:58 AM

Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.

Add port and protocol to nat66Closed, ResolvedPublicFEATURE REQUESTActions

Description

Details

Related Objects

Event Timeline

Add port and protocol to nat66
Closed, ResolvedPublicFEATURE REQUEST
Actions