This plugin covers specific NAT use-cases that come mostly
from the container networking world. Contrary to the
NAT concepts used for e.g. a home gateway, there is no notion
of 'outside' and 'inside'. We handle Virtual (or Real) IPs and
translations of the packets destined to them.

Setting up the NAT consists in creating a translation
that has several backends. A translation is a 3-tuple containing
a fully qualified IP address, a port and a protocol. All packets
destined to it (ip, port) will then choose one of the backends,
and follow its rewrite rules.

A backend consists of four rewrite components (source & destination
address, source & destination port) that shall be applied to packets
on the way in, and reverted on the way back.

Backends are equally load-balanced with a flow hash. The choice
of a backend for a flow will trigger the creation of a NAT session,
that will store the packet rewrite to do and the one to undo
until the flow is reset or a timeout is reached.
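
The translation, backend and session concepts above can be followed end to end in a small model. This is an added illustration, not code from the plugin: the class and method names and the SHA-256 flow hash are assumptions of the model, and it ignores timeouts other than through an explicit ``reset``.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self):
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class Backend:
    new_dst: str
    new_dport: int
    new_src: Optional[str] = None    # None: keep the client's source address
    new_sport: Optional[int] = None  # None: keep the client's source port

class CnatModel:
    def __init__(self):
        self.translations = {}  # (proto, ip, port) -> list of Backend
        self.sessions = {}      # packet as received -> packet as forwarded

    def add_translation(self, proto, ip, port, backends):
        self.translations[(proto, ip, port)] = list(backends)

    def process(self, pkt):
        if pkt in self.sessions:  # known flow, either direction
            return self.sessions[pkt]
        backends = self.translations.get((pkt.proto, pkt.dst, pkt.dport))
        if not backends:
            return pkt  # not destined to a translation: left untouched
        # Flow hash picks one backend (SHA-256 is this model's choice).
        h = hashlib.sha256(repr(pkt).encode()).digest()
        be = backends[int.from_bytes(h[:4], "big") % len(backends)]
        src = pkt.src if be.new_src is None else be.new_src
        sport = pkt.sport if be.new_sport is None else be.new_sport
        out = Packet(pkt.proto, src, sport, be.new_dst, be.new_dport)
        self.sessions[pkt] = out                        # rewrite to do
        self.sessions[out.reversed()] = pkt.reversed()  # rewrite to undo
        return out

    def reset(self, pkt):  # drop both directions, as a reset or timeout would
        out = self.sessions.pop(pkt, None)
        if out is not None:
            self.sessions.pop(out.reversed(), None)
```

With a destination-only backend the forwarded packet keeps the client's source address, so the backend sees and can log the real client; a backend that also rewrites the source hides it behind the rewritten address.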

In this example, all packets destined to 30.0.0.2:80 will be
rewritten so that their destination IP is 20.0.0.1 and destination
port 8080. Here 30.0.0.2 has to be a virtual IP, it cannot be
assigned to an interface.

.. code-block:: console

  cnat translation add proto TCP vip 30.0.0.2 80 to ->20.0.0.1 8080

If 30.0.0.2 is the address of an interface, we can use the following
to do the same translation, and additionally change the source.

.. code-block:: console

  cnat translation add proto TCP real 30.0.0.2 80 to 1.2.3.4->20.0.0.1 8080

To show existing translations and sessions you can use

.. code-block:: console

  cnat show session verbose

SourceNATing outgoing traffic
-----------------------------

An independent part of the plugin allows changing the source address
of outgoing traffic on a per-interface basis.

.. code-block:: console

  cnat snat exclude 20::/100
  ex_ctl _calico_master cnat snat exclude 10::/100
  ex_ctl _calico_master set interface feature tap0 ip6-cnat-snat arc ip6-unicast