Page MenuHomeVyOS Platform
Create Task
Maniphest T6247

Add CGN "full cone" EIF support per RFC6888 REQ-7
Open, LowPublic
Actions

Description

We see several feature requests to add port mapping and other CGN-friendly featuresets but fundamentally VyOS is missing one of the critical distinguishers of a true CGN verses just standard PAT and that's the ability to support full cone NAT or endpoint independent NAT.

Per RFC this is defined below:
RFC6888 REQ-7 implemented for it to be considered "complete" https://datatracker.ietf.org/doc/html/rfc6888

Ironically it looks like another contributor has attempted the same here:
https://github.com/DmitriyEshenko/vyos-cgnat

This should just be part of any native CGN featureset and is on par with other commercial products of the world such as Juniper/Cisco/A10 implementations.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 Needs testingFEATURE REQUESTNoneT5169 Add CGNAT Carrier-Grade NAT based on nftables
 OpenNoneT6247 Add CGN "full cone" EIF support per RFC6888 REQ-7

Event Timeline

jmoore created this task.Wed, Apr 17, 4:34 PM
jmoore created this object in space S1 VyOS Public.
Viacheslav removed a project: VyOS 1.4 Sagitta.Wed, Apr 17, 5:43 PM
Viacheslav added a subscriber: Viacheslav.

We do not use iptables and their modules for new features.
Feel free to add PR for nftables or if you know which commands should be for nftables

Viacheslav added a parent task: T5169: Add CGNAT Carrier-Grade NAT based on nftables.Wed, Apr 17, 5:47 PM
jmoore added a comment.Wed, Apr 17, 6:03 PM

Another example on nftables: https://github.com/fullcone-nat-nftables/nftables-1.0.5-with-fullcone

pasik added a subscriber: pasik.Wed, Apr 17, 6:23 PM
n.fort added a subscriber: n.fort.Wed, Apr 17, 7:01 PM

I saw such repository more than once, but it seems that it has been abandoned. Last commit is dated two years ago.

jmoore added a comment.Wed, Apr 17, 11:11 PM

It very may well have been. That's not really relevant to this request. The repository is an example. We need the feature regardless of the state of the repository.

Viacheslav added a comment.Thu, Apr 18, 4:11 AM
In T6247#184232, @jmoore wrote:

. We need the feature regardless of the state of the repository.

It doesn’t work this way. If you need it just integrate it.

Viacheslav added a comment.Thu, Apr 18, 9:05 AM

Related topic https://github.com/Chion82/netfilter-full-cone-nat/issues/42