proxmox-mirrors/mirror_iproute2
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_iproute2 synced 2025-10-31 18:42:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c2ecc82b9d
mirror_iproute2/man/man8/tc-nat.8
Phil Sutter ec0bab1e02 man: Add a man page for the nat action 
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Phil Sutter <phil@nwl.cc>
2016-03-04 15:27:51 -08:00

79 lines
2.1 KiB
Groff
Raw Blame History

.TH "NAT action in tc" 8 "12 Jan 2015" "iproute2" "Linux"
.SH NAME
nat - stateless native address translation action
.SH SYNOPSIS
.in +8
.ti -8
.BR tc " ... " "action nat"
.I DIRECTION OLD NEW
.ti -8
.IR DIRECTION " := { "
.BR ingress " | " egress " }"
.ti -8
.IR OLD " := " IPV4_ADDR_SPEC
.ti -8
.IR NEW " := " IPV4_ADDR_SPEC
.ti -8
.IR IPV4_ADDR_SPEC " := { "
.BR default " | " any " | " all " | "
\fIin_addr\fR[\fB/\fR{\fIprefix\fR|\fInetmask\fR}]
.SH DESCRIPTION
The
.B nat
action allows to perform NAT without the overhead of conntrack, which is
desirable if the number of flows or addresses to perform NAT on is large. This
action is best used in combination with the
.B u32
filter to allow for efficient lookups of a large number of stateless NAT rules
in constant time.
.SH OPTIONS
.TP
.B ingress
Translate destination addresses, i.e. perform DNAT.
.TP
.B egress
Translate source addresses, i.e. perform SNAT.
.TP
.I OLD
Specifies addresses which should be translated.
.TP
.I NEW
Specifies addresses which
.I OLD
should be translated into.
.SH NOTES
The accepted address format in
.IR OLD " and " NEW
is quite flexible. It may either consist of one of the keywords
.BR default ", " any " or " all ,
representing the all-zero IP address or a combination of IP address and netmask
or prefix length separated by a slash
.RB ( / )
sign. In any case, the mask (or prefix length) value of
.I OLD
is used for
.I NEW
as well so that a one-to-one mapping of addresses is assured.
Address translation is done using a combination of binary operations. First, the
original (source or destination) address is matched against the value of
.IR OLD .
If the original address fits, the new address is created by taking the leading
bits from
.I NEW
(defined by the netmask of
.IR OLD )
and taking the remaining bits from the original address.
There is rudimental support for upper layer protocols, namely TCP, UDP and ICMP.
While for the first two only checksum recalculation is performed, the action
also takes care of embedded IP headers in ICMP packets by translating the
respective address therein, too.
.SH SEE ALSO
.BR tc (8)
Reference in New Issue View Git Blame Copy Permalink