blob: f1b3deff55e389aa1315e52ded2e89c38c28e166 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
.. _dev_cnat:
.. toctree::
Cloud NAT
=========
Overview
________
This plugin covers specific NAT use-cases that come mostly
from the container networking world. On the contraty of the
NAT concepts used for e.g. a home gateway, there is no notion
of 'outside' and 'inside'. We handle Virtual (or Real) IPs and
translations of the packets destined to them
Terminology & Usage
___________________
Setting up the NAT will consist in the creation of a translation
that has several backends. A translation is 3-tuple containing :
a fully qualified IP address a port and a protocol. All packets
destined to it (ip, port) will then choose one of the backends,
and follow its rewrite rules.
A backend consists of four rewrites components (source & destination
address, source & destination port) that shall be applied to packets
on the way in, and reverted on the way back.
Backends are equally load-balanced with a flow hash. The choice
of a backend for a flow will trigger the creation of a NAT session,
that will store the packet rewrite to do and the one to undo
until the flow is reset or a timeout is reached
Translating Addresses
---------------------
In this example, all packets destined to 30.0.0.2:80 will be
rewritten so that their destination IP is 20.0.0.1 and destination
port 8080. Here 30.0.0.2 has to be a virtual IP, it cannot be
assigned to an interface
.. code-block:: console
cnat translation add proto TCP vip 30.0.0.2 80 to ->20.0.0.1 8080
If 30.0.0.2 is the address of an interface, we can use the following
to do the same translation, and additionnaly change the source.
address with 1.2.3.4
.. code-block:: console
cnat translation add proto TCP real 30.0.0.2 80 to 1.2.3.4->20.0.0.1 8080
To show existing translations and sessions you can use
.. code-block:: console
cnat show session verbose
cant show translation
SourceNATing outgoing traffic
-----------------------------
A independant part of the plugin allows changing the source address
of outgoing traffic on a per-interface basis.
.. code-block:: console
cnat snat with 30::1
cnat snat exclude 20::/100
ex_ctl _calico_master cnat snat exclude 10::/100
ex_ctl _calico_master set interface feature tap0 ip6-cnat-snat arc ip6-unicast
Extending the NAT
_________________
|
