Phil Sutter | ec0bab1 | 2016-03-04 13:11:39 +0100
.TH "NAT action in tc" 8 "12 Jan 2015" "iproute2" "Linux"

.SH NAME
nat - stateless network address translation action
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " ... " "action nat"
.I DIRECTION OLD NEW

.ti -8
.IR DIRECTION " := { "
.BR ingress " | " egress " }"

.ti -8
.IR OLD " := " IPV4_ADDR_SPEC

.ti -8
.IR NEW " := " IPV4_ADDR_SPEC

.ti -8
.IR IPV4_ADDR_SPEC " := { "
.BR default " | " any " | " all " | "
\fIin_addr\fR[\fB/\fR{\fIprefix\fR|\fInetmask\fR}]
.SH DESCRIPTION
The
.B nat
action allows performing NAT without the overhead of conntrack, which is
desirable if the number of flows or addresses to perform NAT on is large. This
action is best used in combination with the
.B u32
filter to allow for efficient lookups of a large number of stateless NAT rules
in constant time.
.SH OPTIONS
.TP
.B ingress
Translate destination addresses, i.e. perform DNAT.
.TP
.B egress
Translate source addresses, i.e. perform SNAT.
.TP
.I OLD
Specifies addresses which should be translated.
.TP
.I NEW
Specifies addresses which
.I OLD
should be translated into.
.SH NOTES
The accepted address format in
.IR OLD " and " NEW
is quite flexible. It may either consist of one of the keywords
.BR default ", " any " or " all ,
representing the all-zero IP address or a combination of IP address and netmask
or prefix length separated by a slash
.RB ( / )
sign. In any case, the mask (or prefix length) value of
.I OLD
is used for
.I NEW
as well so that a one-to-one mapping of addresses is assured.

Address translation is done using a combination of binary operations. First, the
original (source or destination) address is matched against the value of
.IR OLD .
If the original address fits, the new address is created by taking the leading
bits from
.I NEW
(defined by the netmask of
.IR OLD )
and taking the remaining bits from the original address.

There is rudimentary support for upper layer protocols, namely TCP, UDP and ICMP.
While for the first two only checksum recalculation is performed, the action
also takes care of embedded IP headers in ICMP packets by translating the
respective address therein, too.
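The matching and bit-combining rule described above, as an added Python model that is not iproute2 or kernel code: it parses every IPV4_ADDR_SPEC form, discards the mask of NEW in favour of the mask of OLD, and applies one rule to a packet's source (egress) or destination (ingress) address. The NatRule class and the sample addresses are constructed for illustration; the keywords are assumed to behave like 0.0.0.0 with an empty mask, and the ICMP embedded-header handling is not modelled.

```python
import ipaddress
from typing import Tuple

ALL_ONES = 0xFFFFFFFF
KEYWORDS = ("default", "any", "all")


def parse_addr_spec(spec: str) -> Tuple[int, int]:
    """Parse an IPV4_ADDR_SPEC into (address, mask) as 32-bit integers.

    Accepts the keywords default/any/all (the all-zero address, assumed here
    to carry an empty mask so that it matches every address), a bare address
    (treated as /32), address/prefix and address/netmask."""
    if spec in KEYWORDS:
        return 0, 0
    addr_str, _, mask_str = spec.partition("/")
    addr = int(ipaddress.IPv4Address(addr_str))
    if not mask_str:
        return addr, ALL_ONES
    if "." in mask_str:  # dotted netmask, e.g. 255.255.255.0
        return addr, int(ipaddress.IPv4Address(mask_str))
    prefix = int(mask_str)  # prefix length, e.g. 24
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    return addr, (ALL_ONES << (32 - prefix)) & ALL_ONES


class NatRule:
    """One 'action nat DIRECTION OLD NEW' rule (hypothetical model class)."""

    def __init__(self, direction: str, old: str, new: str) -> None:
        if direction not in ("ingress", "egress"):
            raise ValueError(f"DIRECTION must be ingress or egress: {direction!r}")
        self.egress = direction == "egress"
        self.old_addr, self.mask = parse_addr_spec(old)
        # NEW's own mask is discarded: the mask of OLD applies to both,
        # which is what guarantees a one-to-one mapping of addresses.
        self.new_addr, _ = parse_addr_spec(new)

    def translate(self, src: str, dst: str) -> Tuple[str, str]:
        """Return (src, dst) after the rule: egress rewrites src (SNAT),
        ingress rewrites dst (DNAT); a non-matching packet is left alone."""
        orig = int(ipaddress.IPv4Address(src if self.egress else dst))
        if (orig ^ self.old_addr) & self.mask:  # masked bits differ: no match
            return src, dst
        host_bits = orig & (~self.mask & ALL_ONES)  # bits outside OLD's mask
        new = str(ipaddress.IPv4Address((self.new_addr & self.mask) | host_bits))
        return (new, dst) if self.egress else (src, new)
```

The SNAT rule below maps 192.168.1.77 to 10.0.0.77 even though NEW was written as 10.0.0.0/8, because only OLD's /24 mask counts.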
.SH SEE ALSO
.BR tc (8)