diff options
| author | Yuxiang Zhu <vfreex@gmail.com> | 2023-09-10 16:22:02 +0000 |
|---|---|---|
| committer | Yuxiang Zhu <vfreex@gmail.com> | 2023-09-11 01:26:08 +0800 |
| commit | aed71d4b7718d55982cf694617c04e28aa002c93 (patch) | |
| tree | 86142aa41a37e30152247801e608931d558363fe /data/templates/firewall/nftables-vrf-zones.j2 | |
| parent | 312370c9ef5c32a6a078d9deaeb5995276adbd48 (diff) | |
| download | vyos-1x-aed71d4b7718d55982cf694617c04e28aa002c93.tar.gz vyos-1x-aed71d4b7718d55982cf694617c04e28aa002c93.zip | |
T3655: Fix NAT problem with VRF
Linux netfilter patch https://patchwork.ozlabs.org/project/netfilter-devel/patch/d0f84a97f9c86bec4d537536a26d0150873e640d.1439559328.git.daniel@iogearbox.net/
adds direction support for conntrack zones, which makes it possible to
do NAT with conflicting IP address/port tuples from multiple, isolated tenants on a host.
According to the description of the kernel patch:
> ... overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
I did some basic tests in my lab and it worked fine to forward packets
from eth0 to pppoe0.
- eth0 192.168.1.1/24 in VRF red
- pppoe0 dynamic public IP from ISP VRF default
- set vrf name red protocols static route 0.0.0.0/0 interface pppoe0 vrf 'default'
- set protocols static route 192.168.1.0/24 interface eth0 vrf 'red'
`conntrack -L` shows something like:
```
tcp 6 113 ESTABLISHED src=192.168.1.2 dst=1.1.1.1 sport=58946 dport=80 zone-orig=250 packets=6 bytes=391 src=1.1.1.1 dst=<my-public-ip> sport=80 dport=58946 packets=4 bytes=602 [ASSURED] mark=0 helper=tns use=1
```
It would be much appreciated if someone could test this with more
complex VRF setup.
Diffstat (limited to 'data/templates/firewall/nftables-vrf-zones.j2')
| -rw-r--r-- | data/templates/firewall/nftables-vrf-zones.j2 | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2 index eecf47b78..3bce7312d 100644 --- a/data/templates/firewall/nftables-vrf-zones.j2 +++ b/data/templates/firewall/nftables-vrf-zones.j2 @@ -7,11 +7,11 @@ table inet vrf_zones { # Chain for inbound traffic chain vrf_zones_ct_in { type filter hook prerouting priority raw; policy accept; - counter ct zone set iifname map @ct_iface_map + counter ct original zone set iifname map @ct_iface_map } # Chain for locally-generated traffic chain vrf_zones_ct_out { type filter hook output priority raw; policy accept; - counter ct zone set oifname map @ct_iface_map + counter ct original zone set oifname map @ct_iface_map } } |