Skip to content

T7929: VPP: nat44: validate that only self-twice-nat external address is in translation pool #4805

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 21, 2025
Merged

T7929: VPP: nat44: validate that only self-twice-nat external address is in translation pool #4805

merged 1 commit into from
Oct 21, 2025
+7 −4

Conversation

@natali-rs1985
Copy link
Contributor

@natali-rs1985 natali-rs1985 commented Oct 21, 2025
edited
Loading

Change summary

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

vyos/vyos-documentation#1695

How to test / Smoketest result

set vpp settings interface eth1 driver 'dpdk'
set vpp settings interface eth0 driver 'dpdk'
set vpp nat44 address-pool twice-nat address '203.0.113.6'
set vpp nat44 interface inside 'eth1'
set vpp nat44 interface outside 'eth0'
set vpp nat44 static rule 100 description 'RDP server - external access only'
set vpp nat44 static rule 100 external address '203.0.113.5'
set vpp nat44 static rule 100 external port '3389'
set vpp nat44 static rule 100 local address '10.10.10.30'
set vpp nat44 static rule 100 local port '3389'
set vpp nat44 static rule 100 options out-to-in-only
set vpp nat44 static rule 100 protocol 'tcp'
set vpp nat44 static rule 200 description 'Web server alt port with twice-NAT'
set vpp nat44 static rule 200 external address '203.0.113.3'
set vpp nat44 static rule 200 external port '8080'
set vpp nat44 static rule 200 local address '10.10.10.10'
set vpp nat44 static rule 200 local port '8080'
set vpp nat44 static rule 200 options self-twice-nat
set vpp nat44 static rule 200 protocol 'tcp'


vyos@vyos# commit
[ vpp ]

WARNING: NOTE: Current dataplane capacity (estimated): 2.1 M IPv4
routes. Exceeding these values will lead to a dataplane out-of-memory
condition and a crash. Extensive use of features like ACLs, NAT and
others may reduce the numbers above. Please read the documentation for
details: https://docs.vyos.io/


[ vpp nat44 ]
Configuration error in static rule 200: external address 203.0.113.3 is
not in "address-pool translation"
[[vpp nat44]] failed
Commit failed
[edit]
vyos@vyos# set vpp nat44 address-pool translation address 203.0.113.3
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# sudo vppctl show nat44 static mappings
NAT44 static mappings:
 TCP local 10.10.10.30:3389 external 203.0.113.5:3389 vrf 0  out2in-only
 TCP local 10.10.10.10:8080 external 203.0.113.3:8080 vrf 0 self-twice-nat
[edit]

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@natali-rs1985 natali-rs1985 marked this pull request as ready for review October 21, 2025 09:45
@github-actions
Copy link

github-actions bot commented Oct 21, 2025
edited
Loading

👍
No issues in PR Title / Commit Title

@natali-rs1985 natali-rs1985 mentioned this pull request Oct 21, 2025
Merged
1 task
@natali-rs1985 natali-rs1985 added the bp/circinus Create automatic backport for circinus label Oct 21, 2025
@github-actions
Copy link

github-actions bot commented Oct 21, 2025

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

zdc
zdc approved these changes Oct 21, 2025
View reviewed changes
Copy link
Contributor

@zdc zdc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have not tested this, but this looks very straightforward.

@dmbaturin dmbaturin merged commit ad0ad37 into vyos:current Oct 21, 2025
21 checks passed
@vyosbot vyosbot added mirror-initiated This PR initiated for mirror sync workflow mirror-completed and removed mirror-initiated This PR initiated for mirror sync workflow labels Oct 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zdc zdc zdc approved these changes

@sever-sever sever-sever Awaiting requested review from sever-sever

Assignees

@natali-rs1985 natali-rs1985

Labels

bp/circinus Create automatic backport for circinus current mirror-completed

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@natali-rs1985 @zdc @dmbaturin @vyosbot