Hi Date,

OK, now I understand where you are trying to get to. At this point this kind of 
matching is not supported. At this point you can only get a match on the combination 
of external-host external-host-port && external external-port in the out2in-only 
twice-nat scenario. I will try to look into it and do some testing of the 
configuration. At the moment, though, we are in a situation of simplifying NAT 
because of its complexity. That means separating features into sub-plugins. We 
were, though, working on policy-based matching for NAT; this is on hold right now.

Best regards,
Filip Varga

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Date Huang
Sent: Wednesday, September 30, 2020 1:29 PM
To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) <fiva...@cisco.com>; 
Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High

Continued from previous mail

For example, this rule:
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 
external-host X.X.X.X 1234

  1.  check if the source IP and port in the packet match the rule's "external-host 
X.X.X.X 1234"
  2.  check if the dst IP and port in the packet match "external Y.Y.Y.Y 8080"
  3.  If 1 & 2 both match, NAT-translate the dst IP and port to "local 
Z.Z.Z.Z 5566"
  4.  If there is no match, do nothing.

Regards,
Date

________________________________
From: 黃 宇強 <tjjh89...@hotmail.com>
Sent: September 30, 2020 7:17 PM
To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
<fiva...@cisco.com>; Nathan Skrzypczak 
<nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port

Hi Filip


(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

  *   outside host address should be uniquely matched to the NAT rule for the 
(NAT ADDRESS) to (INSIDE HOST) translation ?

Yes.
Other OUTSIDE HOSTs will not match this NAT rule, and no NAT translation will be 
performed for them.

If it is as below:

Rules: (schematic, VPP debug CLI-like command; it does not exist)
and we can specify that only external-host (outside host) = X.X.X.X will match this 
rule.
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 
external-host X.X.X.X

Action:

(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

(OUTSIDE HOST) X2.X2.X2.X2 :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 (DO NOTHING)


Rules:
or we can specify the external-host IP and port
vpp# nat44 add static mapping tcp local Z.Z.Z.Z 5566 external Y.Y.Y.Y 8080 
external-host X.X.X.X 1234

Action:

(OUTSIDE HOST) X.X.X.X :1234 -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to 
(OUTSIDE HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

(OUTSIDE HOST) X.X.X.X :(other port) -> (NAT ADDRESS)Y.Y.Y.Y:8080 (DO NOTHING)

(OUTSIDE HOST) X2.X2.X2.X2 :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 (DO NOTHING)

It will be a little bit like this:
nat44 add static mapping tcp|udp|icmp local <ip4-addr> [<port>] external 
(<ip4-addr>|<intfc>) [<port>] [external-host (<ip4-addr>|all) [<port>]] [vrf 
<table-id>] [twice-nat] [out2in-only] [del]
to assign the source IP and port (or "external-host", as used in the session tables) to 
the static NAT rule directly.


Have you also tried twice-nat out2in-only ? I think there should be this 
feature if, ofc, I correctly understand what you are trying to accomplish.
twice-nat didn't meet my requirement.
I want to keep the source IP and port,
but I want to add more match entries to the NAT rule: source IP, source port, dst 
IP, dst port match this rule, and then perform this rule. (Source IP and source 
port can be "don't care" attributes.)
For now, I only saw match "dst IP and port" and then perform the NAT rule to 
translate.


Thanks and appreciate
Regards,
Date



________________________________
From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
<fiva...@cisco.com>
Sent: September 30, 2020 6:52 PM
To: 黃 宇強 <tjjh89...@hotmail.com>; Nathan 
Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port


Hi Date,

Just to verify, you want something like this ?

(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

  *   outside host address should be uniquely matched to the NAT rule for the 
(NAT ADDRESS) to (INSIDE HOST) translation ?

Have you also tried twice-nat out2in-only ? I think there should be this 
feature if, ofc, I correctly understand what you are trying to accomplish.

Best regards,
Filip Varga



From: 黃 宇強 <tjjh89...@hotmail.com>
Sent: Wednesday, September 30, 2020 12:48 PM
To: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
<fiva...@cisco.com>; Nathan Skrzypczak 
<nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High



Hi Filip

We already used ED mode to re-use the 8080 port.

But we still cannot limit this rule to only a specific source IP.
Do you have any idea or advice for this?

Thanks and appreciate
Regards,
Date



________________________________

From: Filip Varga -X (fivarga - PANTHEON TECH SRO at Cisco) 
<fiva...@cisco.com>
Sent: September 30, 2020 6:41 PM
To: Date Huang <tjjh89...@hotmail.com>; Nathan 
Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: RE: [vpp-dev] Static NAT rule only match specific source ip or port



Hi Date,

I would suggest looking into ED NAT out2in only translations.

Just to point out

(OUTSIDE HOST) X.X.X.X :* -> (NAT ADDRESS)Y.Y.Y.Y:8080 translated to (OUTSIDE 
HOST)X.X.X.X:* -> (INSIDE HOST)Z.Z.Z.Z:5566

Let’s go with NAT in VPP

set interface nat44 in LAN out WAN
nat44 add address (NAT ADDRESS)
nat44 add static mapping tcp local (INSIDE HOST) (INSIDE PORT) external (NAT 
ADDRESS) 8080 out2in-only

ED – endpoint dependent NAT will let you reuse 8080 port for other connections.

Best regards,
Filip Varga





From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> On Behalf Of Date Huang
Sent: Wednesday, September 30, 2020 9:55 AM
To: Nathan Skrzypczak <nathan.skrzypc...@gmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port
Importance: High



Hi Nathan

[sorry, sending this mail again, I found that I didn't cc the vpp-dev mailing list]

So glad to see your reply.

My English is poor, so if there is some confusing term, please tell me.
I will try my best to describe it with some diagrams.

Just to be sure to understand your use case, you want to have the following 
translations happening :

*      X.X.X.X :* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566

* (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234

Do you also need other NATing to happen (e.g. deterministic / sourceNATing ?)

Also are you in a home-gateway scenario a.k.a do you have inside & outside 
interfaces respectively

for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W or should those be reachable from all 
interfaces ?

If I used netfilter/iptables to explain, it would be more like this:

iptables -t nat -A PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT 
--to-destination Z.Z.Z.Z:5566

When a (not X.X.X.X) source IP comes in, don't do any DNAT for it.
Only do DNAT for src_IP=X.X.X.X.
I also need this for LAN devices to get out:
"iptables -t nat -A POSTROUTING -o WAN_INTERFACE -j MASQUERADE"

I only have two interfaces (named LAN, WAN).
X.X.X.X, X2.X2.X2.X2 will be device IPs outside the WAN.

Y.Y.Y.Y will be the WAN's IP.
Z.Z.Z.Z and W.W.W.W will be devices inside the LAN.

And I want to re-use "--dport 8080"

Detail:
1. First I want to translate Y.Y.Y.Y:8080, mapping to Z.Z.Z.Z:5566, if the source IP 
is X.X.X.X
setup static NAT rule "match source ip=X.X.X.X and translate dst ip and port 
from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`"
*      X.X.X.X :* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 (same 
as your description)
*      (not X.X.X.X):* -> Y.Y.Y.Y:8080 NAT will not do anything.

2. X.X.X.X establishes a connection to Z.Z.Z.Z:5566 with TCP; VPP will keep the 
session in the session tables
and record the translation rule "Y.Y.Y.Y:8080 -> Z.Z.Z.Z:5566" and "source IP needs 
to be X.X.X.X:port_xx".
So even if there is no rule, VPP will use the session to determine the translation rule 
first before searching the static NAT rules.
The TCP connection will not be closed or denied by the NAT function.

3. Remove the static NAT rule after establishing the connection.
remove static NAT rule "match source ip=X.X.X.X and translate dst ip and port 
from `Y.Y.Y.Y:8080` to `Z.Z.Z.Z:5566`"
The TCP connection still needs to be kept.
X.X.X.X:port_xx can still connect to Z.Z.Z.Z:5566 (same established connection).

4. I want to translate Y.Y.Y.Y:8080, mapping to W.W.W.W:1234, if the source IP is 
X2.X2.X2.X2
setup static NAT rule "match source ip=X2.X2.X2.X2 and translate dst ip and 
port from `Y.Y.Y.Y:8080` to `W.W.W.W:1234`"
*      X2.X2.X2.X2 :* -> Y.Y.Y.Y:8080 translated to X2.X2.X2.X2:* -> 
W.W.W.W:1234 (port overloading via conntrack, if netfilter)
*      X.X.X.X :* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566 
(X can still connect to Z, even if there is no static NAT rule, if the session is 
kept. This translation rule will be stored in the session, not in a static NAT rule, until 
the TCP connection times out.)

*      (neither X.X.X.X nor X2.X2.X2.X2):* -> Y.Y.Y.Y:8080, NAT will not do anything.

5. X2.X2.X2.X2 establishes a connection to W.W.W.W:1234 with TCP; VPP will keep the 
session in the session tables
and record the translation rule "Y.Y.Y.Y:8080 -> W.W.W.W:1234" and "source IP needs 
to be X2.X2.X2.X2:port_xx2".
So even if there is no rule, VPP will use the session to determine the translation rule 
first before searching the static NAT rules.
The TCP connection will not be closed or denied by the NAT function.

6. and so on.

---

For now, we can only do this in NAT ED mode:
(any ip):* -> Y.Y.Y.Y:8080 translated to (any ip):* -> W.W.W.W:1234 (we cannot 
limit the NAT translation to a specific source IP and deny other source IPs, which is a 
security issue)

Thanks and appreciate your reply.
Regards,
Date
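The matching order Date lays out earlier in the thread (check the source IP/port if given, check the destination IP/port, translate, otherwise do nothing) and the six-step add/connect/delete procedure in the message above, modelled as an added example. This is not part of the original thread and not VPP code; it uses no VPP API. NatRule, NatTable, Packet, run_scenario and the RFC 5737 / RFC 1918 addresses are invented for the illustration, and the "session lookup before static rules" order is the behaviour Date describes, not a claim about VPP internals.

```python
# Added example: a model of source-restricted static DNAT with a session table.
# Not VPP code; all names and addresses are invented for this illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None  # "don't care" for the optional external-host match fields

Endpoint = Tuple[str, int]                 # (address, port)
FlowKey = Tuple[str, Endpoint, Endpoint]   # (proto, src, dst) as seen out2in


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint


@dataclass(frozen=True)
class NatRule:
    """One static mapping: external (dst) -> local, optionally limited to one outside host."""
    proto: str
    local: Endpoint
    external: Endpoint
    external_host: Optional[str] = ANY       # outside source address, or ANY
    external_host_port: Optional[int] = ANY  # outside source port, or ANY

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dst != self.external:
            return False  # dst IP/port must match "external"
        if self.external_host is not ANY and pkt.src[0] != self.external_host:
            return False  # src IP must match "external-host" when it is given
        if self.external_host_port is not ANY and pkt.src[1] != self.external_host_port:
            return False  # src port must match when it is given
        return True


class NatTable:
    def __init__(self) -> None:
        self.rules: List[NatRule] = []
        # Established flows keyed on the full outside 5-tuple; they outlive the rule.
        self.sessions: Dict[FlowKey, Endpoint] = {}

    def add_rule(self, rule: NatRule) -> None:
        self.rules.append(rule)

    def del_rule(self, rule: NatRule) -> None:
        self.rules.remove(rule)  # sessions the rule created are deliberately kept

    def out2in(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet, or return None to leave it untouched."""
        key = (pkt.proto, pkt.src, pkt.dst)
        if key in self.sessions:                 # session lookup comes first
            return Packet(pkt.proto, pkt.src, self.sessions[key])
        for rule in self.rules:                  # then the static rules, first match wins
            if rule.matches(pkt):
                self.sessions[key] = rule.local
                return Packet(pkt.proto, pkt.src, rule.local)
        return None                              # no match: do nothing


def run_scenario() -> Dict[str, Optional[Endpoint]]:
    """Walk the add/connect/delete procedure; returns the translated dst per case."""
    X, X2, X3 = "192.0.2.10", "192.0.2.20", "192.0.2.30"  # outside hosts (constructed)
    Y = "198.51.100.1"                                    # NAT / WAN address
    Z, W = "10.0.0.5", "10.0.0.6"                         # inside hosts
    nat = NatTable()

    def dst(p: Optional[Packet]) -> Optional[Endpoint]:
        return None if p is None else p.dst

    out: Dict[str, Optional[Endpoint]] = {}
    rule_a = NatRule("tcp", (Z, 5566), (Y, 8080), external_host=X)
    nat.add_rule(rule_a)
    out["x_opens_flow"] = dst(nat.out2in(Packet("tcp", (X, 40000), (Y, 8080))))
    out["x3_while_a_present"] = dst(nat.out2in(Packet("tcp", (X3, 40001), (Y, 8080))))
    nat.del_rule(rule_a)
    out["x_same_flow_after_del"] = dst(nat.out2in(Packet("tcp", (X, 40000), (Y, 8080))))
    out["x_new_flow_after_del"] = dst(nat.out2in(Packet("tcp", (X, 40002), (Y, 8080))))

    # Rule B re-uses Y:8080 for a different outside host and a different inside host.
    rule_b = NatRule("tcp", (W, 1234), (Y, 8080), external_host=X2)
    nat.add_rule(rule_b)
    out["x2_opens_flow"] = dst(nat.out2in(Packet("tcp", (X2, 50000), (Y, 8080))))
    out["x_flow_still_alive"] = dst(nat.out2in(Packet("tcp", (X, 40000), (Y, 8080))))
    nat.del_rule(rule_b)
    out["x2_same_flow_after_del"] = dst(nat.out2in(Packet("tcp", (X2, 50000), (Y, 8080))))
    out["x3_no_rules"] = dst(nat.out2in(Packet("tcp", (X3, 40003), (Y, 8080))))

    # A port-specific restriction ("external-host X.X.X.X 1234") admits only that src port.
    rule_c = NatRule("tcp", (Z, 5566), (Y, 8080), external_host=X, external_host_port=1234)
    nat.add_rule(rule_c)
    out["x_port_1234"] = dst(nat.out2in(Packet("tcp", (X, 1234), (Y, 8080))))
    out["x_other_port"] = dst(nat.out2in(Packet("tcp", (X, 4321), (Y, 8080))))
    return out
```

Two points worth noticing in the model. Because sessions are keyed on the full 5-tuple, deleting a rule closes the door to new flows immediately, but the exact established flow keeps translating until it is removed or times out, which is the behaviour the procedure relies on. And a rule with external_host left at ANY (the only form the thread says the ED static mapping offers today) admits every outside source, so if source restriction is required it has to come from the rule as modelled here or from a filter placed ahead of the translation.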



________________________________

From: Nathan Skrzypczak 
<nathan.skrzypc...@gmail.com>
Sent: September 30, 2020 3:17 PM
To: Date Huang <tjjh89...@hotmail.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] Static NAT rule only match specific source ip or port



Hi Date,

Sorry for the late reply,
I'm not sure this will be supported by the existing NAT plugin but it might be 
doable with few additions.

Just to be sure to understand your use case, you want to have the following 
translations happening :

*      X.X.X.X :* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> Z.Z.Z.Z:5566
* (not X.X.X.X):* -> Y.Y.Y.Y:8080 translated to X.X.X.X:* -> W.W.W.W:1234

Do you also need other NATing to happen (e.g. deterministic / sourceNATing ?)
Also are you in a home-gateway scenario a.k.a do you have inside & outside 
interfaces respectively
for Y.Y.Y.Y and Z.Z.Z.Z / W.W.W.W or should those be reachable from all 
interfaces ?

Best,
-Nathan



On Mon, Sep 28, 2020 at 08:36, Date Huang 
<tjjh89...@hotmail.com> wrote:

Hi all

Is it possible to create a static NAT rule that matches source IP or source port, 
like the iptables command below?

iptables -t nat -A PREROUTING -p tcp -s X.X.X.X -d Y.Y.Y.Y --dport 8080 -j DNAT 
--to-destination Z.Z.Z.Z:5566

For security reasons, we want to allow only X.X.X.X to access port 8080.
But we still need to re-use port 8080 in ED mode.
1. create rule A for port 8080 mapping to Z.Z.Z.Z:5566 and establish a connection
2. after it is established, delete rule A; the connection needs to be kept.
3. and only allow X.X.X.X to access rule A
4. create rule B for port 8080 mapping to W.W.W.W:1234 and establish a connection
5. after it is established, delete rule B; both connections need to be kept.

Thanks a lot
Regards,
Date


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#17614): https://lists.fd.io/g/vpp-dev/message/17614
Mute This Topic: https://lists.fd.io/mt/77214772/21656
Group Owner: vpp-dev+ow...@lists.fd.io
Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
