| .TH "NAT action in tc" 8 "12 Jan 2015" "iproute2" "Linux" |
| |
| .SH NAME |
| nat - stateless native address translation action |
| .SH SYNOPSIS |
| .in +8 |
| .ti -8 |
| .BR tc " ... " "action nat" |
| .I DIRECTION OLD NEW |
| |
| .ti -8 |
| .IR DIRECTION " := { " |
| .BR ingress " | " egress " }" |
| |
| .ti -8 |
| .IR OLD " := " IPV4_ADDR_SPEC |
| |
| .ti -8 |
| .IR NEW " := " IPV4_ADDR_SPEC |
| |
| .ti -8 |
| .IR IPV4_ADDR_SPEC " := { " |
| .BR default " | " any " | " all " | " |
| \fIin_addr\fR[\fB/\fR{\fIprefix\fR|\fInetmask\fR}] |
| .SH DESCRIPTION |
| The |
| .B nat |
| action allows to perform NAT without the overhead of conntrack, which is |
| desirable if the number of flows or addresses to perform NAT on is large. This |
| action is best used in combination with the |
| .B u32 |
| filter to allow for efficient lookups of a large number of stateless NAT rules |
| in constant time. |
| .SH OPTIONS |
| .TP |
| .B ingress |
| Translate destination addresses, i.e. perform DNAT. |
| .TP |
| .B egress |
| Translate source addresses, i.e. perform SNAT. |
| .TP |
| .I OLD |
| Specifies addresses which should be translated. |
| .TP |
| .I NEW |
| Specifies addresses which |
| .I OLD |
| should be translated into. |
| .SH NOTES |
| The accepted address format in |
| .IR OLD " and " NEW |
| is quite flexible. It may either consist of one of the keywords |
| .BR default ", " any " or " all , |
| representing the all-zero IP address or a combination of IP address and netmask |
| or prefix length separated by a slash |
| .RB ( / ) |
| sign. In any case, the mask (or prefix length) value of |
| .I OLD |
| is used for |
| .I NEW |
| as well so that a one-to-one mapping of addresses is assured. |
| |
| Address translation is done using a combination of binary operations. First, the |
| original (source or destination) address is matched against the value of |
| .IR OLD . |
| If the original address fits, the new address is created by taking the leading |
| bits from |
| .I NEW |
| (defined by the netmask of |
| .IR OLD ) |
| and taking the remaining bits from the original address. |
| |
| There is rudimental support for upper layer protocols, namely TCP, UDP and ICMP. |
| While for the first two only checksum recalculation is performed, the action |
| also takes care of embedded IP headers in ICMP packets by translating the |
| respective address therein, too. |
| .SH SEE ALSO |
| .BR tc (8) |