Change Details

We have a confusing feature: ``` set vpp settings nat44 no-forwarding ``` The CLI command toggles the [nat44 forwarding (enable|disable)](https://s3-docs.fd.io/vpp/25.06/cli-reference/clis/clicmd_src_plugins_nat_nat44-ed.html#nat44-forwarding) switch in VPP. Its current name and behaviour are not intuitive for customers. ### What it actually does 1. **Enabled** (the default in VyOS when nat44 is active) Only traffic that **matches** an existing NAT session or a static rule will be subject to NAT; everything else is routed without translation. Example – inbound‑to‑outbound (in2out): - Inside → Outside packet with **no** matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, the packet is forwarded *without* translation—only a routing decision is made. - Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule. 2. **Disabled** (when `set vpp settings nat44 no-forwarding` is configured) All traffic received on inbound (“in”) interfaces will be subject to NAT. Example – in2out: - Inside → Outside packet with **no** matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, it triggers the creation of a new NAT session and then forwards the packet through the routing node. - Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule. ### Bottom line - If **nat44 forwarding** is **enabled**, a static NAT rule must exist for traffic to be translated; otherwise no translation occurs. - If **nat44 forwarding** is **disabled**, all inbound traffic will always be translated (either dynamically or statically), but you lose the ability to let packets pass through untranslated. ### Options With this in mind, we should consider one of the following options: 1. **Remove the option** and enable/disable it automatically based on the list of configured NAT rules and interfaces. 2. **Rename it** to something more obvious, e.g.: `set vpp settings nat44 processing-mode <dynamic+static|static>`

We have a confusing feature: ``` set vpp settings nat44 no-forwarding ``` The CLI command toggles the [nat44 forwarding (enable|disable)](https://s3-docs.fd.io/vpp/25.06/cli-reference/clis/clicmd_src_plugins_nat_nat44-ed.html#nat44-forwarding) switch in VPP. Its current name and behaviour are not intuitive for customers. ### What it actually does 1. **Enabled** (the default in VyOS when nat44 is active) Only traffic that **matches** an existing NAT session or a static rule will be subject to NAT; everything else is routed without translation. Example – inbound‑to‑outbound (in2out): - Inside → Outside packet with **no** matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, the packet is forwarded *without* translation—only a routing decision is made. - Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule. 2. **Disabled** (when `set vpp settings nat44 no-forwarding` is configured) All traffic received on inbound (“in”) interfaces will be subject to NAT. Example – in2out: - Inside → Outside packet with **no** matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, it triggers the creation of a new NAT session and then forwards the packet through the routing node. - Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule. ### Bottom line - If **nat44 forwarding** is **enabled**, a static NAT rule must exist for traffic to be translated; otherwise no translation occurs. - If **nat44 forwarding** is **disabled**, all inbound traffic will always be translated (either dynamically or statically), but you lose the ability to let packets pass through untranslated. ### Options With this in mind, we should consider one of the following options: 1. **Remove the option** and enable/disable it automatically based on the list of configured NAT rules and interfaces. 2. **Rename it** to something more obvious, e.g.: `set vpp settings nat44 processing-mode <static+dynamic|static+bypass>` - `static+dynamic` - Process traffic by both static rules and dynamic NAT - `static+bypass` - Process traffic by static NAT rules only, pass without NAT if not matched

We have a confusing feature: ``` set vpp settings nat44 no-forwarding ``` The CLI command toggles the [nat44 forwarding (enable|disable)](https://s3-docs.fd.io/vpp/25.06/cli-reference/clis/clicmd_src_plugins_nat_nat44-ed.html#nat44-forwarding) switch in VPP. Its current name and behaviour are not intuitive for customers. ### What it actually does 1. **Enabled** (the default in VyOS when nat44 is active) Only traffic that **matches** an existing NAT session or a static rule will be subject to NAT; everything else is routed without translation. Example – inbound‑to‑outbound (in2out): - Inside → Outside packet with **no** matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, the packet is forwarded *without* translation—only a routing decision is made. - Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule. 2. **Disabled** (when `set vpp settings nat44 no-forwarding` is configured) All traffic received on inbound (“in”) interfaces will be subject to NAT. Example – in2out: - Inside → Outside packet with **no** matching session or static rule: The nat44-ed plugin checks for a session/static mapping; if none is found, it triggers the creation of a new NAT session and then forwards the packet through the routing node. - Inside → Outside packet with a matching session or static rule: The nat44-ed plugin processes the packet according to that session/rule. ### Bottom line - If **nat44 forwarding** is **enabled**, a static NAT rule must exist for traffic to be translated; otherwise no translation occurs. - If **nat44 forwarding** is **disabled**, all inbound traffic will always be translated (either dynamically or statically), but you lose the ability to let packets pass through untranslated. ### Options With this in mind, we should consider one of the following options: 1. **Remove the option** and enable/disable it automatically based on the list of configured NAT rules and interfaces. 2. **Rename it** to something more obvious, e.g.: `set vpp settings nat44 processing-mode <dynamic+static|static>`static+dynamic|static+bypass>` - `static+dynamic` - Process traffic by both static rules and dynamic NAT - `static+bypass` - Process traffic by static NAT rules only, pass without NAT if not matched