From 29f3c7d2ecac2f9d80bb33e91bd5d1f9d434768a Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Tue, 19 May 2020 07:17:19 +0000 Subject: cnat: Destination based NAT Type: feature Signed-off-by: Neale Ranns Change-Id: I64a99a4fbc674212944247793fd5c1fb701408cb --- src/plugins/cnat/cnat.rst | 81 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 src/plugins/cnat/cnat.rst (limited to 'src/plugins/cnat/cnat.rst') diff --git a/src/plugins/cnat/cnat.rst b/src/plugins/cnat/cnat.rst new file mode 100644 index 00000000000..f1b3deff55e --- /dev/null +++ b/src/plugins/cnat/cnat.rst 
@@ -0,0 +1,81 @@ +.. _dev_cnat: + +.. toctree:: + +Cloud NAT +========= + +Overview +________ + +This plugin covers specific NAT use-cases that come mostly +from the container networking world. On the contraty of the +NAT concepts used for e.g. a home gateway, there is no notion +of 'outside' and 'inside'. We handle Virtual (or Real) IPs and +translations of the packets destined to them + +Terminology & Usage +___________________ + +Setting up the NAT will consist in the creation of a translation +that has several backends. A translation is 3-tuple containing : +a fully qualified IP address a port and a protocol. All packets +destined to it (ip, port) will then choose one of the backends, +and follow its rewrite rules. + +A backend consists of four rewrites components (source & destination +address, source & destination port) that shall be applied to packets +on the way in, and reverted on the way back. + +Backends are equally load-balanced with a flow hash. The choice +of a backend for a flow will trigger the creation of a NAT session, +that will store the packet rewrite to do and the one to undo +until the flow is reset or a timeout is reached + +Translating Addresses +--------------------- + +In this example, all packets destined to 30.0.0.2:80 will be +rewritten so that their destination IP is 20.0.0.1 and destination +port 8080. Here 30.0.0.2 has to be a virtual IP, it cannot be +assigned to an interface + +.. code-block:: console + + cnat translation add proto TCP vip 30.0.0.2 80 to ->20.0.0.1 8080 + + +If 30.0.0.2 is the address of an interface, we can use the following +to do the same translation, and additionnaly change the source. +address with 1.2.3.4 + +.. code-block:: console + + cnat translation add proto TCP real 30.0.0.2 80 to 1.2.3.4->20.0.0.1 8080 + +To show existing translations and sessions you can use + +.. 
code-block:: console + + cnat show session verbose + cant show translation + + +SourceNATing outgoing traffic +----------------------------- + +A independant part of the plugin allows changing the source address +of outgoing traffic on a per-interface basis. + +.. code-block:: console + + cnat snat with 30::1 + cnat snat exclude 20::/100 + ex_ctl _calico_master cnat snat exclude 10::/100 + ex_ctl _calico_master set interface feature tap0 ip6-cnat-snat arc ip6-unicast + + + +Extending the NAT +_________________ + -- cgit 1.2.3-korg
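Review bot: the "To show existing translations and sessions" console block has a typo in the second command, `cant show translation`, which should read `cnat show translation`; a reader copying the example gets an unknown-command error. In the same vein, the SourceNATing block carries an `ex_ctl _calico_master` prefix on its last two lines that looks like a wrapper from the author's test environment rather than part of the VPP CLI; the lines should be plain `cnat snat exclude 10::/100` and `set interface feature tap0 ip6-cnat-snat arc ip6-unicast`, matching the first two lines of the block. The closing "Extending the NAT" section is a heading with no body and the `.. toctree::` at the top is empty; either fill them in or drop them so Sphinx does not emit an empty section. Minor spelling in the prose: "contraty" -> "contrary", "additionnaly" -> "additionally", "A independant" -> "An independent", and the sentence "and additionnaly change the source. address with 1.2.3.4" has a stray period mid-sentence.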