{"id":3583,"date":"2022-12-20T17:09:04","date_gmt":"2022-12-20T20:09:04","guid":{"rendered":"http:\/\/lode.uno\/linux-man\/index.php\/2022\/12\/20\/nat-action-in-tc-man8\/"},"modified":"2022-12-20T17:09:04","modified_gmt":"2022-12-20T20:09:04","slug":"nat-action-in-tc-man8","status":"publish","type":"post","link":"https:\/\/lode.uno\/linux-man\/2022\/12\/20\/nat-action-in-tc-man8\/","title":{"rendered":"NAT action in tc (man8)"},"content":{"rendered":"<h1 align=\"center\">NAT action in tc<\/h1>\n<p> <a href=\"#NAME\">NAME<\/a><br \/> <a href=\"#SYNOPSIS\">SYNOPSIS<\/a><br \/> <a href=\"#DESCRIPTION\">DESCRIPTION<\/a><br \/> <a href=\"#OPTIONS\">OPTIONS<\/a><br \/> <a href=\"#NOTES\">NOTES<\/a><br \/> <a href=\"#SEE ALSO\">SEE ALSO<\/a> <\/p>\n<hr>\n<h2>NAME <a name=\"NAME\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">nat &#8211; stateless native address translation action<\/p>\n<h2>SYNOPSIS <a name=\"SYNOPSIS\"><\/a> <\/h2>\n<p style=\"margin-left:23%; margin-top: 1em\"><b>tc<\/b> &#8230; <b>action nat<\/b> <i>DIRECTION OLD NEW<\/i><\/p>\n<p style=\"margin-left:23%; margin-top: 1em\"><i>DIRECTION<\/i> := { <b>ingress<\/b> | <b>egress<\/b> }<\/p>\n<p style=\"margin-left:23%; margin-top: 1em\"><i>OLD<\/i> := <i>IPV4_ADDR_SPEC<\/i><\/p>\n<p style=\"margin-left:23%; margin-top: 1em\"><i>NEW<\/i> := <i>IPV4_ADDR_SPEC<\/i><\/p>\n<p style=\"margin-left:23%; margin-top: 1em\"><i>IPV4_ADDR_SPEC<\/i> := { <b>default<\/b> | <b>any<\/b> | <b>all<\/b> | <i>in_addr<\/i>[<b>\/<\/b>{<i>prefix<\/i>|<i>netmask<\/i>}] }<\/p>\n<h2>DESCRIPTION <a name=\"DESCRIPTION\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">The <b>nat<\/b> action performs NAT without the overhead of conntrack, which is desirable if the number of flows or addresses to perform NAT on is large. 
This action is best used in combination with the <b>u32<\/b> filter to allow for efficient lookups of a large number of stateless NAT rules in constant time.<\/p>\n<h2>OPTIONS <a name=\"OPTIONS\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>ingress<\/b><\/p>\n<p style=\"margin-left:22%;\">Translate destination addresses, i.e. perform DNAT.<\/p>\n<table width=\"100%\" border=\"0\" rules=\"none\" frame=\"void\" cellspacing=\"0\" cellpadding=\"0\">\n<tr valign=\"top\" align=\"left\">\n<td width=\"11%\"><\/td>\n<td width=\"9%\">\n<p><b>egress<\/b><\/p>\n<\/td>\n<td width=\"2%\"><\/td>\n<td width=\"78%\">\n<p>Translate source addresses, i.e. perform SNAT.<\/p>\n<\/td>\n<\/tr>\n<tr valign=\"top\" align=\"left\">\n<td width=\"11%\"><\/td>\n<td width=\"9%\">\n<p><i>OLD<\/i><\/p>\n<\/td>\n<td width=\"2%\"><\/td>\n<td width=\"78%\">\n<p>Specifies addresses which should be translated.<\/p>\n<\/td>\n<\/tr>\n<tr valign=\"top\" align=\"left\">\n<td width=\"11%\"><\/td>\n<td width=\"9%\">\n<p><i>NEW<\/i><\/p>\n<\/td>\n<td width=\"2%\"><\/td>\n<td width=\"78%\">\n<p>Specifies addresses which <i>OLD<\/i> should be translated into.<\/p>\n<\/td>\n<\/tr>\n<\/table>\n<h2>NOTES <a name=\"NOTES\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\">The accepted address format in <i>OLD<\/i> and <i>NEW<\/i> is quite flexible. It may consist either of one of the keywords <b>default<\/b>, <b>any<\/b> or <b>all<\/b>, representing the all-zero IP address, or of a combination of IP address and netmask or prefix length separated by a slash (<b>\/<\/b>) sign. In any case, the mask (or prefix length) value of <i>OLD<\/i> is used for <i>NEW<\/i> as well so that a one-to-one mapping of addresses is assured.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">Address translation is done using a combination of binary operations. First, the original (source or destination) address is matched against the value of <i>OLD<\/i>. 
If the original address fits, the new address is created by taking the leading bits from <i>NEW<\/i> (defined by the netmask of <i>OLD<\/i>) and taking the remaining bits from the original address.<\/p>\n<p style=\"margin-left:11%; margin-top: 1em\">There is rudimentary support for upper layer protocols, namely TCP, UDP and ICMP. While for the first two only checksum recalculation is performed, the action also takes care of embedded IP headers in ICMP packets by translating the respective address therein, too.<\/p>\n<h2>SEE ALSO <a name=\"SEE ALSO\"><\/a> <\/h2>\n<p style=\"margin-left:11%; margin-top: 1em\"><b>tc<\/b>(8)<\/p>\n<hr>\n","protected":false},"excerpt":{"rendered":"<p>  nat &#8211; stateless native address translation action <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[5,52,4,700],"class_list":["post-3583","post","type-post","status-publish","format-standard","hentry","category-8-administracion-del-sistema","tag-5","tag-administracion","tag-man8","tag-tc-nat"],"gutentor_comment":0,"_links":{"self":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3583","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/comments?post=3583"}],"version-history":[{"count":0,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/posts\/3583\/revisions"}],"wp:attachment":[{"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/media?parent=3583"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/categories?post=3583"},{"taxonomy"
:"post_tag","embeddable":true,"href":"https:\/\/lode.uno\/linux-man\/wp-json\/wp\/v2\/tags?post=3583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}