Add the ability to exclude (bypass) the translations for specific destinations.
Currently, the exclude option is not implemented.

set nat cgnat pool external ext-01 external-port-range '1024-65535'
set nat cgnat pool external ext-01 per-user-limit port '2000'
set nat cgnat pool external ext-01 range 192.168.122.222/32
set nat cgnat pool internal int-01 range '100.64.0.0/28'
set nat cgnat rule 90 description 'Exclude NAT rule to local network 203.0.113.0/24'
set nat cgnat rule 90 source pool 'int-01'
set nat cgnat rule 90 exclude
set nat cgnat rule 90 destination address '203.0.113.0/24'
set nat cgnat rule 100 source pool 'int-01'
set nat cgnat rule 100 translation pool 'ext-01'
Expected nft rules:
table ip cgnat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 100.64.0.0/28 ip daddr 203.0.113.0/24 counter return comment "CGNAT-90"
        ip protocol tcp counter snat ip to ip saddr map @tcp_nat_map
        ip protocol udp counter snat ip to ip saddr map @udp_nat_map
        ip protocol icmp counter snat ip to ip saddr map @icmp_nat_map
        counter snat ip to ip saddr map @other_nat_map
    }
}

Another idea would be adding an exclude pool (this needs more thought):

set nat cgnat pool exclude ex-01 range '203.0.113.0/24'
set nat cgnat rule 90 source pool 'int-01'
set nat cgnat rule 90 exclude pool 'ex-01'
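As an added illustration of the first design above (a per-rule `exclude`), and not code from VyOS, a small Python model that renders the POSTROUTING chain from the sample configuration; the pool and rule data structures are assumptions. It shows the property the expected output depends on: every exclude rule becomes a `return` placed before the snat map rules, and a rule may not carry both `exclude` and a `translation pool`.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring the configuration in the issue (data layout is assumed).
POOLS = {"internal": {"int-01": ["100.64.0.0/28"]},
         "external": {"ext-01": ["192.168.122.222/32"]}}

@dataclass
class CgnatRule:
    number: int
    source_pool: str
    exclude: bool = False
    destination: Optional[str] = None       # optional narrowing for exclude rules
    translation_pool: Optional[str] = None

RULES = [CgnatRule(90, "int-01", exclude=True, destination="203.0.113.0/24"),
         CgnatRule(100, "int-01", translation_pool="ext-01")]

def exclude_rules(rules, pools):
    """Render one 'return' rule per exclude rule, in rule-number order.
    An exclude rule that also names a translation pool is a configuration error."""
    out = []
    for r in sorted(rules, key=lambda r: r.number):
        if not r.exclude:
            continue
        if r.translation_pool is not None:
            raise ValueError(f"rule {r.number}: exclude and translation pool are mutually exclusive")
        for prefix in pools["internal"][r.source_pool]:
            match = f"ip saddr {prefix}"
            if r.destination:               # no destination: bypass all traffic from the pool
                match += f" ip daddr {r.destination}"
            out.append(f'{match} counter return comment "CGNAT-{r.number}"')
    return out

def render_postrouting(rules, pools):
    """Emit the POSTROUTING chain: return rules first, then the per-protocol snat maps.
    The returns must precede the snat rules or excluded flows would still be translated."""
    lines = ["table ip cgnat {", "    chain POSTROUTING {",
             "        type nat hook postrouting priority srcnat; policy accept;"]
    lines += ["        " + rule for rule in exclude_rules(rules, pools)]
    if any(r.translation_pool for r in rules):
        for proto in ("tcp", "udp", "icmp"):
            lines.append(f"        ip protocol {proto} counter snat ip to ip saddr map @{proto}_nat_map")
        lines.append("        counter snat ip to ip saddr map @other_nat_map")
    lines += ["    }", "}"]
    return "\n".join(lines)
```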