.. _dev_cnat:

.. toctree::

Cloud NAT
=========

Overview
________

This plugin covers specific NAT use-cases that come mostly
from the container networking world. Unlike the NAT concepts
used for e.g. a home gateway, there is no notion of 'outside'
and 'inside'. We handle Virtual (or Real) IPs and the
translation of the packets destined to them.

Terminology & Usage
___________________

Setting up the NAT consists in creating a translation that has
several backends. A translation is a 3-tuple containing: a fully
qualified IP address, a port and a protocol. All packets destined
to it (ip, port) will then choose one of the backends and follow
its rewrite rules.

A backend consists of four rewrites components (source & destination
address, source & destination port) that shall be applied to packets
on the way in, and reverted on the way back.

Backends are equally load-balanced with a flow hash. The choice
of a backend for a flow will trigger the creation of a NAT session,
which stores the packet rewrite to do and the one to undo
until the flow is reset or a timeout is reached.

Translating Addresses
---------------------

In this example, all packets destined to 30.0.0.2:80 will be
rewritten so that their destination IP is 20.0.0.1 and destination
port 8080. Here 30.0.0.2 has to be a virtual IP; it cannot be
assigned to an interface.

.. code-block:: console

  cnat translation add proto TCP vip 30.0.0.2 80 to ->20.0.0.1 8080


If 30.0.0.2 is the address of an interface, we can use the following
to do the same translation and additionally change the source
address to 1.2.3.4.

.. code-block:: console

  cnat translation add proto TCP real 30.0.0.2 80 to 1.2.3.4->20.0.0.1 8080

To show existing translations and sessions, you can use

.. code-block:: console

  cnat show session verbose
  cnat show translation

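The following is an added illustration (not the VPP plugin's code) of the
translation, backend and session model described above: a translation keyed
by (protocol, VIP, port), backends carrying the four rewrite components, a
session created on the first packet and the reverse rewrite applied to
replies. A SHA-256 of the 5-tuple stands in for VPP's flow hash, and the
``Flow``, ``Backend`` and ``Cnat`` names are assumptions of this example.

```python
# Toy model of a cnat translation, its backends and NAT sessions.
# Added illustration only: this is not the VPP plugin's code.
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    def reverse(self):
        # 5-tuple of the reply packet (source and destination swapped)
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)

@dataclass(frozen=True)
class Backend:
    """Four rewrite components; None leaves that field unchanged."""
    dst_ip: str
    dst_port: int
    src_ip: str = None
    src_port: int = None

class Cnat:
    def __init__(self):
        self.translations = {}  # (proto, vip, port) -> [Backend, ...]
        self.fwd_sessions = {}  # original 5-tuple -> rewritten 5-tuple
        self.rev_sessions = {}  # rewritten reply 5-tuple -> restored reply
    def add_translation(self, proto, vip, port, backends):
        self.translations.setdefault((proto, vip, port), []).extend(backends)
    @staticmethod
    def flow_hash(flow):
        # stand-in for the flow hash used to spread flows across backends
        return int.from_bytes(hashlib.sha256(repr(flow).encode()).digest()[:4], "big")
    def translate_in(self, flow):
        """Packet towards a VIP: pick a backend by flow hash, record the session."""
        if flow in self.fwd_sessions:  # existing flow sticks to its backend
            return self.fwd_sessions[flow]
        backends = self.translations.get((flow.proto, flow.dst_ip, flow.dst_port))
        if not backends:
            return flow  # not a translated VIP: forward untouched
        b = backends[self.flow_hash(flow) % len(backends)]
        out = Flow(flow.proto, b.src_ip or flow.src_ip, b.src_port or flow.src_port, b.dst_ip, b.dst_port)
        self.fwd_sessions[flow] = out
        self.rev_sessions[out.reverse()] = flow.reverse()  # the rewrite to undo
        return out
    def translate_back(self, flow):
        """Reply from the backend: undo the rewrite stored in the session."""
        return self.rev_sessions.get(flow, flow)
```

Running it with the page's first translation (vip 30.0.0.2 80 to 20.0.0.1 8080) shows the destination rewritten on the way in and the reply restored to 30.0.0.2:80 on the way back; adding ``src_ip="1.2.3.4"`` to the backend models the second, source-rewriting form.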

SourceNATing outgoing traffic
-----------------------------

An independent part of the plugin allows changing the source address
of outgoing traffic on a per-interface basis.

.. code-block:: console

  cnat snat with 30::1
  cnat snat exclude 20::/100
  ex_ctl _calico_master cnat snat exclude 10::/100
  ex_ctl _calico_master set interface feature tap0 ip6-cnat-snat arc ip6-unicast



Extending the NAT
_________________