Add CGNAT Carrier-Grade NAT based on nftables
Needs testing, NormalPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	Viacheslav
	Apr 19 2023, 11:36 AM

Description

Ability to configure CGNAT based on nftables
There is a discussion on the forum

set nat cgnat pool external ext-01 external-port-range '1024-65535'
set nat cgnat pool external ext-01 per-user-limit port '2000'
set nat cgnat pool external ext-01 range 192.168.122.222/32
set nat cgnat pool internal int-01 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int-01'
set nat cgnat rule 10 translation pool 'ext-01'

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Related Objects
Search...

Status	Subtype	Assigned	Task
Needs testing	FEATURE REQUEST	None	T5169 Add CGNAT Carrier-Grade NAT based on nftables
Open		None	T6247 Add CGN "full cone" EIF support per RFC6888 REQ-7
Resolved	BUG	Viacheslav	T6347 CGNAT external pools containing dashes cause Traceback error
Resolved	FEATURE REQUEST	Viacheslav	T6350 CGNAT add op-mode to get current port allocation mapping
Resolved	BUG	Viacheslav	T6351 CGNAT add check if external and internal pools exists
Open	FEATURE REQUEST	None	T6360 CGNAT add the ability to exclude (bypass) the translations for specific destinations
Open	FEATURE REQUEST	None	T6361 Integrate Port Control Protocol (PCP) RFC 6887
Open	FEATURE REQUEST	HollyGurza	T6362 Create a conntrack/translations logger daemon
Resolved	FEATURE REQUEST	Viacheslav	T6364 CGNAT drop hard limit that allowed only one translation rule
Resolved	FEATURE REQUEST	Viacheslav	T6366 CGNAT add the ability to show allocation per external or internal address
Resolved	BUG	Viacheslav	T6411 CGNAT does not rely on seq number
Resolved	BUG	Viacheslav	T6412 CGNAT allocation calculation may sometimes be incorrect
Resolved	FEATURE REQUEST	Viacheslav	T6442 CGNAT add address allocation logs to syslog during commit
Resolved	FEATURE REQUEST	Viacheslav	T6497 CGNAT conntrack connections should be deleted if address or port range is changed

Event Timeline

Viacheslav created this task.Apr 19 2023, 11:36 AM

pasik subscribed.Apr 19 2023, 12:27 PM

Viacheslav updated the task description. (Show Details)Apr 19 2023, 4:53 PM

Viacheslav updated the task description. (Show Details)

According to nft changelog, this feature is available in 1.0.7 in a much better way:

nft add table ip cgnat
nft add chain ip cgnat nat_chain { type nat hook postrouting priority srcnat \; policy accept \; }
nft add map ip cgnat nat_map { type ipv4_addr: ipv4_addr . inet_service \; flags interval \;}
nft add rule ip cgnat nat_chain ip protocol { tcp, udp } counter snat to ip saddr map @nat_map

nft add element ip cgnat nat_map { 100.64.0.0: 192.0.2.0 . 1024-9087, 100.64.0.1: 192.0.2.1 . 9088-17151 }

This improves performance significantly by reducing the count of rules to one. Therefore, if the feature needs to be implemented, it is better to check it with nftables 1.0.7 and use this version if it works.

Two cents from the fields. It will be nice to see vrf aware cg-nat solution, when subscribers from a number of "inside" vrfs NAT'ed into one outside vrf. Of course if that's possible.

aserkin added a comment.Apr 25 2023, 4:11 PM

This comment was removed by aserkin.

vfilatov subscribed.May 9 2023, 5:57 AM

Viacheslav mentioned this in T5229: CGN -- external ports limitting.May 19 2023, 4:32 PM

eronlloyd subscribed.Jul 11 2023, 1:03 AM

higebu subscribed.Jul 31 2023, 3:12 PM

scottkrzyzowski subscribed.Dec 20 2023, 10:46 PM

kevinrausch subscribed.Jan 16 2024, 2:15 PM

Viacheslav triaged this task as High priority.Jan 20 2024, 12:30 PM

tjjh89017 subscribed.Jan 23 2024, 10:00 AM

hsw0 subscribed.Mar 11 2024, 11:17 PM

Proposed CLI:

set nat cgnat pool external <external> range 192.0.2.0/30 seq 1
set nat cgnat pool external <external> range 192.0.2.128-192.0.2.132 seq 2
set nat cgnat pool external <external> per-user-limit port 1024
set nat cgnat pool external <external> global-port-range 1024-65535
set nat cgnat pool internal <internal> range 100.64.1.0/24

set nat cgnat rule 10 source pool internal
set nat cgnat rule 10 translation pool external

Any suggestions?

PoC PR https://github.com/vyos/vyos-1x/pull/3274

set nat cgnat pool external ext1 external-port-range '1024-65535'
set nat cgnat pool external ext1 per-user-limit port '1000'
set nat cgnat pool external ext1 range 192.0.2.222/32
set nat cgnat pool internal int1 range '100.64.0.0/28'
set nat cgnat rule 10 source pool 'int1'
set nat cgnat rule 10 translation pool 'ext1'

Viacheslav added a project: VyOS 1.5 Circinus.Apr 7 2024, 8:27 PM

Viacheslav changed the task status from Open to Needs testing.Apr 11 2024, 3:50 PM

Viacheslav removed a project: VyOS 1.4 Sagitta.

Viacheslav added a subtask: T6247: Add CGN "full cone" EIF support per RFC6888 REQ-7.Apr 17 2024, 5:47 PM

Viacheslav lowered the priority of this task from High to Normal.Apr 18 2024, 6:02 AM

Viacheslav added a subtask: T6347: CGNAT external pools containing dashes cause Traceback error.May 16 2024, 9:38 AM

Viacheslav changed the status of subtask T6347: CGNAT external pools containing dashes cause Traceback error from Open to In progress.May 16 2024, 11:52 AM

Viacheslav added a subtask: T6351: CGNAT add check if external and internal pools exists.May 16 2024, 12:27 PM

Viacheslav changed the status of subtask T6351: CGNAT add check if external and internal pools exists from Open to In progress.May 16 2024, 4:34 PM

Viacheslav changed the status of subtask T6350: CGNAT add op-mode to get current port allocation mapping from Open to In progress.May 17 2024, 6:41 AM

Viacheslav closed subtask T6350: CGNAT add op-mode to get current port allocation mapping as Resolved.May 17 2024, 9:13 AM

Viacheslav closed subtask T6351: CGNAT add check if external and internal pools exists as Resolved.

Viacheslav closed subtask T6347: CGNAT external pools containing dashes cause Traceback error as Resolved.

Viacheslav added a subtask: T6360: CGNAT add the ability to exclude (bypass) the translations for specific destinations.May 17 2024, 9:57 AM

Viacheslav added a subtask: T6361: Integrate Port Control Protocol (PCP) RFC 6887.May 17 2024, 10:17 AM

Viacheslav added a subtask: T6362: Create a conntrack/translations logger daemon.May 17 2024, 10:40 AM

Viacheslav added a subtask: T6364: CGNAT drop hard limit that allowed only one translation rule.May 18 2024, 1:44 PM

Viacheslav changed the status of subtask T6364: CGNAT drop hard limit that allowed only one translation rule from Open to In progress.

Viacheslav added a subtask: T6366: CGNAT add the ability to show allocation per external or internal address.May 18 2024, 3:40 PM

Viacheslav updated the task description. (Show Details)May 20 2024, 7:08 AM

Viacheslav closed subtask T6364: CGNAT drop hard limit that allowed only one translation rule as Resolved.May 20 2024, 7:24 AM

Viacheslav changed the status of subtask T6366: CGNAT add the ability to show allocation per external or internal address from Open to In progress.May 21 2024, 8:18 AM

Viacheslav closed subtask T6366: CGNAT add the ability to show allocation per external or internal address as Resolved.May 22 2024, 12:22 PM

Viacheslav added a subtask: T6411: CGNAT does not rely on seq number.May 28 2024, 9:32 AM

Viacheslav added a subtask: T6412: CGNAT allocation calculation may sometimes be incorrect.May 28 2024, 10:40 AM

Viacheslav changed the status of subtask T6411: CGNAT does not rely on seq number from Open to In progress.May 28 2024, 1:15 PM

Viacheslav closed subtask T6411: CGNAT does not rely on seq number as Resolved.May 29 2024, 8:23 AM

Viacheslav added a subtask: T6442: CGNAT add address allocation logs to syslog during commit.Jun 3 2024, 4:28 PM

Viacheslav changed the status of subtask T6412: CGNAT allocation calculation may sometimes be incorrect from Open to In progress.Jun 5 2024, 3:24 PM

Good afternoon I heard that the solution based on nftables is no longer new, but you took it as a basis.
At the same time, I heard that VyOS added support for VPP. Maybe it makes sense to use two implementations?
I don’t want to offend you in any way, I appreciate everything you do.
https://s3-docs.fd.io/vpp/22.06/cli-reference/clis/clicmd_src_plugins_nat_det44.html

Accel-ppp does not work with VPP

Viacheslav changed the status of subtask T6442: CGNAT add address allocation logs to syslog during commit from Open to In progress.Jun 10 2024, 11:29 AM

Viacheslav closed subtask T6442: CGNAT add address allocation logs to syslog during commit as Resolved.Jun 12 2024, 6:12 AM

Viacheslav added a subtask: T6497: CGNAT conntrack connections should be deleted if address or port range is changed.Jun 18 2024, 8:53 AM

Viacheslav changed the status of subtask T6497: CGNAT conntrack connections should be deleted if address or port range is changed from Open to In progress.Jun 19 2024, 9:42 AM

Viacheslav closed subtask T6497: CGNAT conntrack connections should be deleted if address or port range is changed as Resolved.Jun 19 2024, 11:33 AM

hsw0 unsubscribed.Jun 19 2024, 12:36 PM

Viacheslav closed subtask T6412: CGNAT allocation calculation may sometimes be incorrect as Resolved.Jun 26 2024, 2:30 PM

Add CGNAT Carrier-Grade NAT based on nftablesNeeds testing, NormalPublicFEATURE REQUESTActions

Description

Details

Related ObjectsSearch...

Event Timeline

Add CGNAT Carrier-Grade NAT based on nftables
Needs testing, NormalPublicFEATURE REQUEST
Actions

Related Objects
Search...