Page MenuHomeVyOS Platform
Create Task
Maniphest T7972

VPP: Improve `nat44 no-forwarding` feature name and description in CLI
In progress, NormalPublicFEATURE REQUEST
Actions

Description

We have a confusing feature:

set vpp settings nat44 no-forwarding

The CLI command toggles the nat44 forwarding (enable|disable) switch in VPP.

Its current name and behaviour are not intuitive for customers.

What it actually does

  1. Enabled (the default in VyOS when nat44 is active) Only traffic that matches an existing NAT session or a static rule will be subject to NAT; everything else is routed without translation.

    Example – inbound‑to‑outbound (in2out):
    • Inside → Outside packet with no matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, the packet is forwarded *without* translation—only a routing decision is made.
    • Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule.
  1. Disabled (when set vpp settings nat44 no-forwarding is configured) All traffic received on inbound (“in”) interfaces will be subject to NAT.

    Example – in2out:
    • Inside → Outside packet with no matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, it triggers the creation of a new NAT session and then forwards the packet through the routing node.
    • Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule.

Bottom line

  • If nat44 forwarding is enabled, a static NAT rule must exist for traffic to be translated; otherwise no translation occurs.
  • If nat44 forwarding is disabled, all inbound traffic will always be translated (either dynamically or statically), but you lose the ability to let packets pass through untranslated.

Options

With this in mind, we should consider one of the following options:

  1. Remove the option and enable/disable it automatically based on the list of configured NAT rules and interfaces.
  2. Rename it to something more obvious, e.g.: set vpp settings nat44 processing-mode <static+dynamic|static+bypass>
    • static+dynamic - Process traffic by both static rules and dynamic NAT
    • static+bypass - Process traffic by static NAT rules only, pass without NAT if not matched

Details

Version
-
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenFEATURE REQUESTNoneT7221 VPP related features the root task
 In progressFEATURE REQUESTnatali-rs1985T7972 VPP: Improve `nat44 no-forwarding` feature name and description in CLI

Event Timeline

zsdc created this task.Oct 29 2025, 10:21 PM
zsdc renamed this task from VPP: Im to VPP: Improve `nat44 no-forwarding` feature name and description in CLI.
pasik subscribed.Oct 30 2025, 7:21 AM
Viacheslav triaged this task as Normal priority.Oct 30 2025, 10:48 AM
Viacheslav added a parent task: T7221: VPP related features the root task.
zsdc updated the task description. (Show Details)Oct 30 2025, 1:22 PM
natali-rs1985 changed the task status from Open to In progress.Thu, Nov 27, 11:11 AM
natali-rs1985 claimed this task.
natali-rs1985 changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
natali-rs1985 added a comment.Wed, Dec 3, 11:24 AM

It was decided to configure forwarding automatically to simplify CLI for the user

natali-rs1985 added a comment.Wed, Dec 3, 1:06 PM

https://github.com/vyos/vyos-1x/pull/4880

natali-rs1985 mentioned this in rVYOSONEXe091fb8bd87d: vpp: T7972: Make `nat44 no-forwarding` feature automatically configurable.Thu, Dec 11, 9:26 AM
Restricted Repository Identity mentioned this in rVYOSONEXdb841de87054: Merge pull request #4880 from natali-rs1985/T7972.Thu, Dec 11, 9:26 AM