VyOS command definitions, scripts, and utilities (mirror of https://github.com/vyos/vyos-1x.git) https://git.amelek.net/vyos/vyos-1x.git/atom?h=vyos%2F1.4dev1 2023-09-10T18:46:42+00:00 2023-09-10T18:46:42+00:00 Yuxiang Zhu vfreex@gmail.com 2023-09-10T16:22:02+00:00 urn:sha1:ded55a82a00dbfd3425cec63ed08114957241683 Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/ adds direction support for conntrack zones, which makes it possible to do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host. According to the description of the kernel patch: > ... overlapping tuples can be made unique with the zone identifier in original direction, where the NAT engine will then allocate a unique tuple in the commonly shared default zone for the reply direction. I did some basic tests in my lab and it worked fine to forward packets from eth0 to pppoe0. - eth0 192.168.1.1/24 in VRF red - pppoe0 dynamic public IP from ISP VRF default - set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default' - set protocols static route 192.168.1.0/24 interface eth0 vrf 'red' `conntrack -L` shows something like: ``` tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1 ``` It would be much appreciated if someone could test this with more complex VRF setup. 2023-08-26T21:20:22+00:00 sarthurdev 965089+sarthurdev@users.noreply.github.com 2023-08-26T21:02:10+00:00 urn:sha1:6b5d3568b88fad9cda694c0cd8b82c1f16773b15 2023-08-25T14:51:49+00:00 sarthurdev 965089+sarthurdev@users.noreply.github.com 2023-08-25T11:59:31+00:00 urn:sha1:2509a1ab84cdb6d9389b547f93b0904cf329e78a 2023-08-25T14:51:49+00:00 sarthurdev 965089+sarthurdev@users.noreply.github.com 2023-08-25T11:54:47+00:00 urn:sha1:b6f742716da5f89c7f3f3501220e0f3ae1df45d8 2023-08-25T13:53:30+00:00 sarthurdev 965089+sarthurdev@users.noreply.github.com 2022-09-29T11:59:10+00:00 urn:sha1:d62f8ed1e3608d82e3e4fb7566817839023aa39c 2023-08-11T14:50:00+00:00 Nicolas Fort nicolasfort1988@gmail.com 2023-07-03T19:32:37+00:00 urn:sha1:0300bf433d9aaff81fdecf9eeaabba8d06c1999f 2023-08-11T14:50:00+00:00 Nicolas Fort nicolasfort1988@gmail.com 2023-06-02T14:35:26+00:00 urn:sha1:dbb069151f372ea521fad2edcd83f2d33631e6c7 2023-08-11T14:49:54+00:00 Nicolas Fort nicolasfort1988@gmail.com 2023-05-31T15:07:42+00:00 urn:sha1:68d14fe80145542ffd08a5f7d5cde6c090a0de07 2023-08-11T14:40:55+00:00 Nicolas Fort nicolasfort1988@gmail.com 2023-05-23T17:53:57+00:00 urn:sha1:a8244928af84e65dcc9833e14e2de3324b484977 2023-07-03T11:34:10+00:00 Viacheslav Hletenko v.gletenko@vyos.io 2023-07-03T11:34:10+00:00 urn:sha1:5cf503955377d138c626b2c8157eab71b1fa8fad We cannot use some specific names like POSTROUTING/PREROUTING as for PBR they overlaps with VyOS defined chains Chains aftoconfigured by VyOS itself: chain VYOS_PBR_PREROUTING chain VYOS_PBR_POSTROUTING If we try to use chain name "POSTROUTING" it generates 2 chains with the same name "chain VYOS_PBR_POSTROUTING" one is autoconfigured and the second defined by user set policy route POSTROUTING rule 100 Add the user-defined (UD) prefix to separate user defined names That allows to use any user-defined names