Hi Filip

> (OUTSIDE HOST) X.X.X.X:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566
> * outside host address should be uniquely matched to the NAT rule for the (NAT ADDRESS) to (INSIDE HOST) translation?

Yes. Other outside hosts will not be matched by this NAT rule, and no translation will be performed for them.

If the rules are like the ones below (using a VPP debug CLI-like schematic command, which does not exist) and we can specify only external-host (outside host) = X.X.X.X, that will match this function.

Rules:
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 external-host X.X.X.X

Action:
(OUTSIDE HOST) X.X.X.X:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566
(OUTSIDE HOST) X2.X2.X2.X2:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 (DO NOTHING)

Or we can specify the external-host IP and port:

Rules:
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 external-host X.X.X.X 1234

Action:
(OUTSIDE HOST) X.X.X.X:1234 -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566
(OUTSIDE HOST) X.X.X.X:(other port) -> (NAT ADDRESS) Y.Y.Y.Y:8080 (DO NOTHING)
(OUTSIDE HOST) X2.X2.X2.X2:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 (DO NOTHING)

It would be a little bit like this:
nat44 add static mapping tcp|udp|icmp local <ip4-addr> [<port>] external (<ip4-addr>|<intfc>) [<port>] [external-host (<ip4-addr>|all) [<port>]] [vrf <table-id>] [twice-nat] [out2in-only] [del]
to assign the source IP and port (or "external-host", as used in the session tables) to a static NAT rule directly.

> Have you also tried twice-nat out2in-only? I think there should be this feature if ofc. I correctly understand what you are trying to accomplish.

twice-nat didn't meet my requirement. I want to keep the source IP and port, but I want to add more match entries to the NAT rule: source IP, source port, dst IP and dst port match this rule, and then perform this rule. (Source IP and source port can be "don't care" attributes.) For now, I only see matching on "dst IP and port" and then performing the NAT rule to translate.

Thanks and appreciate,
Regards,
Date

________________________________
From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>
Sent: September 30, 2020 6:52 PM
To: Date Huang <tjjh89...@hotmail.com>; Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Date,

Just to verify, you want something like this?

(OUTSIDE HOST) X.X.X.X:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566
* outside host address should be uniquely matched to the NAT rule for the (NAT ADDRESS) to (INSIDE HOST) translation?

Have you also tried twice-nat out2in-only? I think there should be this feature if ofc. I correctly understand what you are trying to accomplish.

Best regards,
Filip Varga

From: Date Huang <tjjh89...@hotmail.com>
Sent: Wednesday, September 30, 2020 12:48 PM
To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>; Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High

Hi Filip

We already used ED mode to re-use the 8080 port, but we still cannot limit this rule to only a specific source IP. Do you have any idea or advice for this?

Thanks and appreciate,
Regards,
Date

________________________________
From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>
Sent: September 30, 2020 6:41 PM
To: Date Huang <tjjh89...@hotmail.com>; Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Date,

I would suggest looking into ED NAT out2in-only translations. Just to point out:

(OUTSIDE HOST) X.X.X.X:* -> (NAT ADDRESS) Y.Y.Y.Y:8080 translated to (OUTSIDE HOST) X.X.X.X:* -> (INSIDE HOST) Z.Z.Z.Z:5566

Let's go with NAT in VPP:

set interface nat44 in LAN out WAN
nat44 add address (NAT ADDRESS)
nat44 add static mapping tcp local (INSIDE HOST) (INSIDE PORT) external (NAT ADDRESS) 8080 out2in-only

ED - endpoint-dependent NAT - will let you reuse the 8080 port for other connections.

Best regards,
Filip Varga

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Date Huang
Sent: Wednesday, September 30, 2020 9:55 AM
To: Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High

Hi Nathan

[Sorry for sending this mail again; I found that I didn't cc the vpp-dev mailing list.]

So glad to see your reply. My English is poor, so if there is some confusing term, please tell me. I will try my best to describe it with some diagrams.

> Just to be sure to understand your use case, you want to have the following translations happening:
> * X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
> * (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234
> Do you also need other NATing to happen (e.g. deterministic / sourceNATing)?
> Also are you in a home-gateway scenario a.k.a do you have inside & outside interfaces respectively for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W or should those be reachable from all interfaces?

If I use netfilter/iptables to explain, it will be more like this:

iptables -t nat -D PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT --to-destination Z.Z.Z.Z:5566

When a (not X.X.X.X) source IP comes in, don't do any DNAT for it. Only do DNAT for src_IP=X.X.X.X.

I also need this so that LAN devices can get out:
"iptables -t nat -A POSTROUTING -o WAN_INTERFACE -j MASQUERADE"

I only have two interfaces (named LAN, WAN).
X.X.X.X, X2.X2.X2.X2 will be device IPs outside the WAN.
Y.Y.Y.Y will be the WAN's IP.
Z.Z.Z.Z and W.W.W.W will be devices inside the LAN.
And I want to re-use "--dport 8080".

Detail:

1. First I want to translate Y.Y.Y.Y:8080 to Z.Z.Z.Z:5566 if the source IP is X.X.X.X.
   Set up the static NAT rule "match source ip=X.X.X.X and translate dst ip and port from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`".
   * X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 (same as your description)
   * (not X.X.X.X):* -> Y.Y.Y.Y:8080: NAT will not do anything.

2. X.X.X.X establishes a TCP connection to Z.Z.Z.Z:5566. VPP will keep the session in the session tables and record the translation rule "Y.Y.Y.Y:8080 -> Z.Z.Z.Z:5566" and "source IP needs to be X.X.X.X:port_xx". So even if there is no rule, VPP will use the session to determine the translation first, before searching the static NAT rules. The TCP connection will not be closed or denied by the NAT function.

3. Remove the static NAT rule after the connection is established.
   Remove the static NAT rule "match source ip=X.X.X.X and translate dst ip and port from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`".
   The TCP connection still needs to be kept. X.X.X.X:port_xx can still reach Z.Z.Z.Z:5566 (same established connection).

4. I want to translate Y.Y.Y.Y:8080 to W.W.W.W:1234 if the source IP is X2.X2.X2.X2.
   Set up the static NAT rule "match source ip=X2.X2.X2.X2 and translate dst ip and port from `Y.Y.Y.Y:8080` to `W.W.W.W:1234`".
   * X2.X2.X2.X2:* -> Y.Y.Y.Y:8080 translated to X2.X2.X2.X2:* -> W.W.W.W:1234 (port overloading via conntrack if netfilter)
   * X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 (X can still reach Z even though there is no static NAT rule, if the session is kept; this translation is stored in the session, not in a static NAT rule, until the TCP connection times out)
   * (not X.X.X.X) and (not X2.X2.X2.X2):* -> Y.Y.Y.Y:8080: NAT will not do anything.

5. X2.X2.X2.X2 establishes a TCP connection to W.W.W.W:1234. VPP will keep the session in the session tables and record the translation rule "Y.Y.Y.Y:8080 -> W.W.W.W:1234" and "source IP needs to be X2.X2.X2.X2:port_xx2". So even if there is no rule, VPP will use the session to determine the translation first, before searching the static NAT rules. The TCP connection will not be closed or denied by the NAT function.

6. And so on.

---

For now, we can only do this in NAT ED mode:
(any ip):* -> Y.Y.Y.Y:8080 translated to (any ip):* -> W.W.W.W:1234
(we cannot limit the NAT translation to a specific source IP and deny other source IPs, which is a security issue).

Thanks and appreciate your reply.
Regards,
Date

________________________________
From: Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Sent: September 30, 2020 3:17 PM
To: Date Huang <tjjh89...@hotmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Date,

Sorry for the late reply. I'm not sure this will be supported by the existing NAT plugin, but it might be doable with a few additions.

Just to be sure to understand your use case, you want to have the following translations happening:
* X.X.X.X:* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
* (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234

Do you also need other NATing to happen (e.g. deterministic / sourceNATing)?
Also, are you in a home-gateway scenario, a.k.a. do you have inside & outside interfaces respectively for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W, or should those be reachable from all interfaces?

Best,
-Nathan

On Mon, Sep 28, 2020 at 08:36, Date Huang <tjjh89...@hotmail.com> wrote:

Hi all

Is it possible to create a static NAT rule that matches on source IP or source port, like the iptables command below?

iptables -t nat -D PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT --to-destination Z.Z.Z.Z:5566

For security reasons, we want to allow only X.X.X.X to access port 8080. But we still need to re-use port 8080 in ED mode.

1. Create rule A mapping port 8080 to Z.Z.Z.Z:5566 and establish a connection.
2. After it is established, delete rule A; the connection needs to be kept.
3. Only allow X.X.X.X to access rule A.
4. Create rule B mapping port 8080 to W.W.W.W:1234 and establish a connection.
5. After it is established, delete rule B; both connections need to be kept.

Thanks a lot
Regards,
Date
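The lookup order that the thread relies on (session table consulted before static mappings; a mapping deleted after the handshake leaves the established session translating; a source-restricted mapping that lets every other outside host fall through untranslated) as an added example written by the editor, not code from VPP or from anyone in the thread. It is a small Python model of NAT44 out2in lookup. The `external_host` / `external_host_port` fields model the schematic `external-host` CLI option proposed above, which does not exist in VPP; the session key `(src, dst)` and the "no match means no translation" behaviour are simplifying assumptions of the model, not a description of the NAT plugin's real data structures. The addresses are the thread's own placeholders, used here as constructed sample input.

```python
"""Model of NAT44 out2in lookup with a hypothetical external-host restriction.

Added example; not VPP code. Assumptions: a session is keyed by
(outside src, NAT dst), the session table is consulted before static
mappings, and a packet that hits neither is left untranslated.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class StaticMapping:
    external: Endpoint                        # (NAT ADDRESS, port) seen on WAN
    local: Endpoint                           # (INSIDE HOST, port) on LAN
    external_host: Optional[str] = None       # hypothetical: only this outside IP matches
    external_host_port: Optional[int] = None  # hypothetical: only this outside port matches

    def matches(self, src: Endpoint, dst: Endpoint) -> bool:
        """Destination must equal the external endpoint; source filters are optional."""
        if dst != self.external:
            return False
        if self.external_host is not None and src[0] != self.external_host:
            return False
        if self.external_host_port is not None and src[1] != self.external_host_port:
            return False
        return True


class Nat44Model:
    def __init__(self) -> None:
        self.mappings: List[StaticMapping] = []
        # (src, dst) -> translated dst, created on the first matching packet
        self.sessions: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    def add_static_mapping(self, m: StaticMapping) -> None:
        self.mappings.append(m)

    def del_static_mapping(self, m: StaticMapping) -> None:
        # Deleting a rule does not touch sessions already created from it.
        self.mappings.remove(m)

    def out2in(self, src: Endpoint, dst: Endpoint):
        """Return (translated dst or None, reason). Session table wins over rules."""
        key = (src, dst)
        if key in self.sessions:
            return self.sessions[key], "session"
        for m in self.mappings:
            if m.matches(src, dst):
                self.sessions[key] = m.local
                return m.local, "static-mapping"
        return None, "no-match"


def run_thread_scenario() -> dict:
    """Steps 1-5 from the thread, with rule A and rule B restricted by external-host."""
    nat = Nat44Model()
    nat_addr = ("Y.Y.Y.Y", 8080)
    out = {}

    rule_a = StaticMapping(nat_addr, ("Z.Z.Z.Z", 5566), external_host="X.X.X.X")
    nat.add_static_mapping(rule_a)
    out["step1_x"] = nat.out2in(("X.X.X.X", 40000), nat_addr)        # translated, session created
    out["step1_x2"] = nat.out2in(("X2.X2.X2.X2", 40001), nat_addr)   # other outside host: nothing

    nat.del_static_mapping(rule_a)
    out["step3_x_existing"] = nat.out2in(("X.X.X.X", 40000), nat_addr)  # still works via session
    out["step3_x_new"] = nat.out2in(("X.X.X.X", 40002), nat_addr)       # new flow, rule gone

    rule_b = StaticMapping(nat_addr, ("W.W.W.W", 1234), external_host="X2.X2.X2.X2")
    nat.add_static_mapping(rule_b)
    out["step4_x2"] = nat.out2in(("X2.X2.X2.X2", 40001), nat_addr)      # port 8080 re-used
    out["step4_x_existing"] = nat.out2in(("X.X.X.X", 40000), nat_addr)  # old session untouched
    out["step4_other"] = nat.out2in(("X3.X3.X3.X3", 40003), nat_addr)   # neither host: nothing

    nat.del_static_mapping(rule_b)
    out["step5_x2_existing"] = nat.out2in(("X2.X2.X2.X2", 40001), nat_addr)
    out["sessions"] = len(nat.sessions)
    return out


def current_ed_behaviour() -> tuple:
    """What the thread says is possible today: a mapping with no source filter."""
    nat = Nat44Model()
    nat.add_static_mapping(StaticMapping(("Y.Y.Y.Y", 8080), ("W.W.W.W", 1234)))
    return nat.out2in(("X3.X3.X3.X3", 40003), ("Y.Y.Y.Y", 8080))


if __name__ == "__main__":
    for step, result in run_thread_scenario().items():
        print(step, result)
    print("unrestricted mapping:", current_ed_behaviour())
```

The security point the thread keeps returning to falls out of the model directly: with `external_host` unset, any outside host that sends to Y.Y.Y.Y:8080 reaches the inside host; with it set, only the named host creates a session, and the window in which the rule exists can be as short as one handshake.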
View/Reply Online (#17611): https://lists.fd.io/g/vpp-dev/message/17611