Hi Date,

Sorry for the late reply. I'm not sure this will be supported by the existing NAT plugin, but it might be doable with a few additions.

Just to be sure I understand your use case, you want to have the following translations happening:

* X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
* (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234

Do you also need other NATing to happen (e.g. deterministic / source NATing)?

Also, are you in a home-gateway scenario, a.k.a. do you have inside & outside interfaces respectively for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W, or should those be reachable from all interfaces?

Best,
-Nathan

On Mon, 28 Sept 2020 at 08:36, Date Huang <[email protected]> wrote:
> Hi all
>
> Is it possible to create a static NAT rule that matches on source IP or source
> port, like the iptables command below?
>
> iptables -t nat -D PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT --to-destination Z.Z.Z.Z:5566
>
> For security reasons, we want to allow only X.X.X.X to access port 8080.
> But we still need to re-use port 8080 in ED mode.
>
> 1. create rule A for port 8080 mapping to Z.Z.Z.Z:5566 and establish a connection
> 2. after it is established, delete rule A; the connection needs to be kept.
> 3. and only allow X.X.X.X to access rule A
> 4. create rule B for port 8080 mapping to W.W.W.W:1234 and establish a connection
> 5. after it is established, delete rule B; both connections need to be kept.
>
> Thanks a lot
> Regards,
> Date
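The behaviour Date asks for (a DNAT rule restricted to one source IP, with established connections outliving the rule that created them) as an added toy model in Python; this is not VPP NAT plugin or netfilter code, and the addresses are constructed stand-ins for the X/Y/Z/W placeholders above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed addresses standing in for the X/Y/Z/W placeholders in the thread.
X, OTHER, Y, Z, W = "10.0.0.5", "10.0.0.9", "192.0.2.10", "10.1.0.20", "10.1.0.30"

@dataclass(frozen=True)
class Rule:
    src: Optional[str]   # source IP the rule is restricted to; None means any source
    dst: str
    dport: int
    new_dst: str
    new_dport: int

@dataclass
class Nat:
    rules: List[Rule] = field(default_factory=list)
    # established sessions keyed by the untranslated (src, sport, dst, dport)
    sessions: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate(self, src: str, sport: int, dst: str, dport: int) -> Optional[Tuple[str, int]]:
        key = (src, sport, dst, dport)
        if key in self.sessions:          # established flow: rules are not consulted again
            return self.sessions[key]
        for r in self.rules:              # first matching rule wins, like a PREROUTING chain
            if (r.dst, r.dport) == (dst, dport) and r.src in (None, src):
                self.sessions[key] = (r.new_dst, r.new_dport)
                return self.sessions[key]
        return None                       # no rule and no session: packet left untranslated

def scenario() -> Dict[str, object]:
    """Walk the five steps from the original question and collect each outcome."""
    nat = Nat()
    rule_a = Rule(X, Y, 8080, Z, 5566)
    nat.rules.append(rule_a)                                         # step 1: add rule A
    out: Dict[str, object] = {
        "a_allowed": nat.translate(X, 40000, Y, 8080),               # X may use rule A
        "a_other_src": nat.translate(OTHER, 40000, Y, 8080),         # step 3: others may not
    }
    nat.rules.remove(rule_a)                                         # step 2: delete rule A
    out["a_after_delete"] = nat.translate(X, 40000, Y, 8080)         # existing flow survives
    out["a_new_flow_after_delete"] = nat.translate(X, 40001, Y, 8080)  # no new flows
    rule_b = Rule(X, Y, 8080, W, 1234)
    nat.rules.append(rule_b)                                         # step 4: add rule B
    out["b_allowed"] = nat.translate(X, 40002, Y, 8080)
    nat.rules.remove(rule_b)                                         # step 5: delete rule B
    out["both_kept"] = (nat.translate(X, 40000, Y, 8080), nat.translate(X, 40002, Y, 8080))
    return out
```

With iptables, the "session survives rule deletion" part is what conntrack provides for an established flow; a rule deleted before the flow is set up allows nothing.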
