Skip to content

vr_sdnat4

Ruben S. Montero edited this page Jan 9, 2024 · 6 revisions

SDNAT4

Parameter Default Description
ONEAPP_VNF_SDNAT4_ENABLED NO Enable/Disable SNAT/DNAT feature (YES/NO)
ONEAPP_VNF_SDNAT4_INTERFACES none Mandatory: List of NICs among which to detect mappings (<[!]ethX> ...)
ONEAPP_VNF_SDNAT4_REFRESH_RATE 30 Refresh rate between updates of the mapping rules (seconds)

This feature maps (1:1) public IP addresses to private IP addresses, defining both SNAT and DNAT rules in iptables.

For example, when three NICs (eth0, eth1, eth2) are attached to a VR:

CONTEXT = [
  ...
  ONEAPP_VNF_SDNAT4_ENABLED    = "YES",
  ONEAPP_VNF_SDNAT4_INTERFACES = "eth0 eth1", # same as "!eth2"
  ...
]

And a special NIC_ALIAS section is added to the backend VM's template:

$ onevm nic-attach backend_VM_name_or_ID <<'EOF'
NIC_ALIAS = [
  NETWORK_ID = "0", # ID of the 10.2.11.0/24 VNET.
  PARENT     = "NIC0",
  EXTERNAL   = "YES" ] # Must be set to "YES" to enable SDNAT4 mapping.
EOF

Gives:

$ iptables -t nat -vnL DNAT4
Chain DNAT4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    12 DNAT       0    --  *      *       0.0.0.0/0            10.2.11.201          to:172.20.0.128
$ iptables -t nat -vnL SNAT4
Chain SNAT4 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    34 SNAT       0    --  *      *       172.20.0.128         0.0.0.0/0            to:10.2.11.201

Where 10.2.11.201 is considered public and is defined on the lo NIC inside the master VR instance:

$ ip addr show lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.2.11.201/32 scope global SDNAT4
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

Connecting to 10.2.11.201 should forward all packets for all protocols, both ways:

$ ssh root@10.2.11.201 ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 02:00:ac:14:00:80 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.128/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::acff:fe14:80/64 scope link
       valid_lft forever preferred_lft forever
Clone this wiki locally