VPP源地址NAT

接口基本配置：

DBGvpp# set interface state port7 up
DBGvpp# set interface state port8 up
DBGvpp# set interface ip address port7 50.1.1.1/24
DBGvpp# set interface ip address port8 192.168.1.203/24
1
2
3
4

网络拓扑：

|-----------|         |------------|          |---------------|
| 50.1.1.2  |---------|    vpp     |----------| 192.168.1.103 |
|-----------|         |------------|          |---------------|
   Host-A           port7        port8             Host-B
1
2
3
4

启用NAT44配置：

DBGvpp# nat44 enable 
1

SNAT配置一

配置接口的in/out

DBGvpp# set interface nat44 in port7 out port8
DBGvpp# nat44 add interface address port8
DBGvpp#
DBGvpp# show nat44 interfaces
NAT44 interfaces:
 port7 in
 port8 out
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
  tenant VRF independent
1
2
3
4
5
6
7
8
9
10
11
12

在主机50.1.1.2上ping主机192.168.1.103进行测试，在103上抓包，可看到源地址转换为了192.168.1.203，即接口port8的地址。以下增加地址池：

DBGvpp# nat44 add address 192.168.1.204-192.168.1.205
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
  tenant VRF independent
192.168.1.204
  tenant VRF independent
192.168.1.205
  tenant VRF independent
NAT44 twice-nat pool addresses:
1
2
3
4
5
6
7
8
9
10
11

再次执行ping，在103上抓包，可看到源地址转换成了192.168.1.205。如果将主机A的地址修改为50.1.1.25，其源地址将转换为地址池中的192.168.1.204，参见以下会话列表，可见转换地址是根据不同的内部地址（主机A地址）而改变的。

DBGvpp# show nat44 sessions
NAT44 ED sessions:
-------- thread 0 vpp_main: 42 sessions --------
    i2o 50.1.1.2 proto ICMP port 1 fib 0
    o2i 192.168.1.205 proto ICMP port 28717 fib 0
       external host 192.168.1.103:1
       i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.205 daddr 192.168.1.103 icmp-id 28717 txfib 0
       o2i flow: match: saddr 192.168.1.103 sport 28717 daddr 192.168.1.205 dport 28717 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0
       index 31
       last heard 1175.08
       total pkts 6, total bytes 360
       dynamic translation

    i2o 50.1.1.25 proto ICMP port 1 fib 0
    o2i 192.168.1.204 proto ICMP port 49895 fib 0
       external host 192.168.1.103:1
       i2o flow: match: saddr 50.1.1.25 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.204 daddr 192.168.1.103 icmp-id 49895 txfib 0
       o2i flow: match: saddr 192.168.1.103 sport 49895 daddr 192.168.1.204 dport 49895 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.25 icmp-id 1 txfib 0
       index 8
       last heard 1323.26
       total pkts 6, total bytes 360
       dynamic translation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

SNAT配置二

如果我们需要在上一节，port7->port8的SNAT基础上，再实现port8->port7的SNAT.尝试以下配置：

DBGvpp# nat44 add address 192.168.1.204-192.168.1.205 del
DBGvpp# 
DBGvpp# set interface nat44 in port8 out port7
DBGvpp# nat44 add interface address port7
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
  tenant VRF independent
50.1.1.1
  tenant VRF independent
NAT44 twice-nat pool addresses:
DBGvpp# 
DBGvpp# show nat44 interfaces
NAT44 interfaces:
 port8 in out
 port7 in out
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

这时由主机B运行ping主机A，两者是通的。在主机A上抓包，源地址192.168.1.103转换为了50.1.1.1（port7接口地址），SNAT转换正常。反过来主机A->ping->主机B，在主机B抓包，看到源地址50.1.1.2转换成了50.1.1.1，按照SNAT应该是出接口IP：192.168.1.203。查看NAT会话，两个方向应该是走了同一个会话。

DBGvpp# show nat44 sessions

    i2o 50.1.1.2 proto ICMP port 1 fib 0
    o2i 50.1.1.1 proto ICMP port 3449 fib 0
       external host 192.168.1.103:1
       i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 50.1.1.1 daddr 192.168.1.103 icmp-id 3449 txfib 0
       o2i flow: match: saddr 192.168.1.103 sport 3449 daddr 50.1.1.1 dport 3449 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0
       index 29
       last heard 8132.79
       total pkts 168, total bytes 10080
       dynamic translation
1
2
3
4
5
6
7
8
9
10
11

如下地址池中再增加一个地址，这时由主机A到主机B不通，在主机B上查看，源地址50.1.1.2转换成了192.168.1.204，但是不知道什么原因，地址池地址192.168.1.204不在回应ARP请求，导致ping回复报文不能发送。

在增加192.168.1.204地址之前，两者能通，在于主机A发送ping请求时，NAT选择了地址50.1.1.1，而此地址与主机B的地址192.168.1.103不在同一网段，不发送请求50.1.1.1硬件地址的ARP。

DBGvpp# nat44 add address 192.168.1.204
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
  tenant VRF independent
50.1.1.1
  tenant VRF independent
192.168.1.204
  tenant VRF independent
NAT44 twice-nat pool addresses:
1
2
3
4
5
6
7
8
9
10

可见，NAT在地址池中选取地址有随机性，地址的选择没有关联出接口，另外，也没有优先选择与目的地址同网段的地址。两边同时做SNAT看起来是不行的。

SNAT配置三

如下开启output-feature选项。

DBGvpp# set interface nat44 in port7
DBGvpp# set interface nat44 out port8 output-feature
DBGvpp# nat44 add interface address port8
DBGvpp#
DBGvpp# show nat44 interfaces
NAT44 interfaces:
 port7 in
 port8 output-feature in out
DBGvpp#
DBGvpp# show nat44 addresses
NAT44 pool addresses:
192.168.1.203
  tenant VRF independent
NAT44 twice-nat pool addresses:
1
2
3
4
5
6
7
8
9
10
11
12
13
14

在开启output-feature选项之后，在位于ip4-output的节点nat-pre-in2out-output之中执行in2out地址转换，其在ACL插件acl-plugin-out-ip4-fa之前运行，这里ACL的out策略需要根据变换之后的地址配置才能生效。

 163 VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {
 164   .arc_name = "ip4-output",
 165   .node_name = "nat-pre-in2out-output",
 166   .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),
 167   .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),
 168 };
1
2
3
4
5
6

对于未开启output-feature的情况，NAT转换都是在ip-unicast的node节点nat-pre-in2out和nat-pre-out2in中实现的。两者都位于ACL插件acl-plugin-in-ip4-fa之后，可见acl规则执行之后才进行地址变换。

  82 VNET_FEATURE_INIT (nat_pre_in2out, static) = {
  83   .arc_name = "ip4-unicast",
  84   .node_name = "nat-pre-in2out",
  85   .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
  86                    "ip4-sv-reassembly-feature"),
  87 };
  88 VNET_FEATURE_INIT (nat_pre_out2in, static) = {
  89   .arc_name = "ip4-unicast",
  90   .node_name = "nat-pre-out2in",
  91   .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",
  92                                "ip4-dhcp-client-detect",
  93                    "ip4-sv-reassembly-feature"),
  94 };
1
2
3
4
5
6
7
8
9
10
11
12
13