VPP源地址NAT

接口基本配置：

DBGvpp# set interface state port7 up DBGvpp# set interface state port8 up DBGvpp# set interface ip address port7 50.1.1.1/24 DBGvpp# set interface ip address port8 192.168.1.203/24

网络拓扑：

|-----------| |------------| |---------------| | 50.1.1.2 |---------| vpp |----------| 192.168.1.103 | |-----------| |------------| |---------------|Host-A port7 port8 Host-B

启用NAT44配置：

DBGvpp# nat44 enable

SNAT配置一

配置接口的in/out

DBGvpp# set interface nat44 in port7 out port8 DBGvpp# nat44 add interface address port8 DBGvpp# DBGvpp# show nat44 interfaces NAT44 interfaces:port7 inport8 out DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent

在主机50.1.1.2上ping主机192.168.1.103进行测试，在103上抓包，可看到源地址转换为了192.168.1.203，即接口port8的地址。以下增加地址池：

DBGvpp# nat44 add address 192.168.1.204-192.168.1.205 DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent 192.168.1.204tenant VRF independent 192.168.1.205tenant VRF independent NAT44 twice-nat pool addresses:

再次执行ping，在103上抓包，可看到源地址转换成了192.168.1.205。如果将主机A的地址修改为50.1.1.25，其源地址将转换为地址池中的192.168.1.204，参见以下会话列表，可见转换地址是根据不同的内部地址（主机A地址）而改变的。

DBGvpp# show nat44 sessions NAT44 ED sessions: -------- thread 0 vpp_main: 42 sessions --------i2o 50.1.1.2 proto ICMP port 1 fib 0o2i 192.168.1.205 proto ICMP port 28717 fib 0external host 192.168.1.103:1i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.205 daddr 192.168.1.103 icmp-id 28717 txfib 0o2i flow: match: saddr 192.168.1.103 sport 28717 daddr 192.168.1.205 dport 28717 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0index 31last heard 1175.08total pkts 6, total bytes 360dynamic translationi2o 50.1.1.25 proto ICMP port 1 fib 0o2i 192.168.1.204 proto ICMP port 49895 fib 0external host 192.168.1.103:1i2o flow: match: saddr 50.1.1.25 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 192.168.1.204 daddr 192.168.1.103 icmp-id 49895 txfib 0o2i flow: match: saddr 192.168.1.103 sport 49895 daddr 192.168.1.204 dport 49895 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.25 icmp-id 1 txfib 0index 8last heard 1323.26total pkts 6, total bytes 360dynamic translation

SNAT配置二

如果我们需要在上一节，port7->port8的SNAT基础上，再实现port8->port7的SNAT.尝试以下配置：

DBGvpp# nat44 add address 192.168.1.204-192.168.1.205 del DBGvpp# DBGvpp# set interface nat44 in port8 out port7 DBGvpp# nat44 add interface address port7 DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent 50.1.1.1tenant VRF independent NAT44 twice-nat pool addresses: DBGvpp# DBGvpp# show nat44 interfaces NAT44 interfaces:port8 in outport7 in out

这时由主机B运行ping主机A，两者是通的。在主机A上抓包，源地址192.168.1.103转换为了50.1.1.1（port7接口地址），SNAT转换正常。反过来主机A->ping->主机B，在主机B抓包，看到源地址50.1.1.2转换成了50.1.1.1，按照SNAT应该是出接口IP：192.168.1.203。查看NAT会话，两个方向应该是走了同一个会话。

DBGvpp# show nat44 sessionsi2o 50.1.1.2 proto ICMP port 1 fib 0o2i 50.1.1.1 proto ICMP port 3449 fib 0external host 192.168.1.103:1i2o flow: match: saddr 50.1.1.2 sport 1 daddr 192.168.1.103 dport 1 proto ICMP fib_idx 0 rewrite: saddr 50.1.1.1 daddr 192.168.1.103 icmp-id 3449 txfib 0o2i flow: match: saddr 192.168.1.103 sport 3449 daddr 50.1.1.1 dport 3449 proto ICMP fib_idx 0 rewrite: daddr 50.1.1.2 icmp-id 1 txfib 0index 29last heard 8132.79total pkts 168, total bytes 10080dynamic translation

如下地址池中再增加一个地址，这时由主机A到主机B不通，在主机B上查看，源地址50.1.1.2转换成了192.168.1.204，但是不知道什么原因，地址池地址192.168.1.204不在回应ARP请求，导致ping回复报文不能发送。

在增加192.168.1.204地址之前，两者能通，在于主机A发送ping请求时，NAT选择了地址50.1.1.1，而此地址与主机B的地址192.168.1.103不在同一网段，不发送请求50.1.1.1硬件地址的ARP。

DBGvpp# nat44 add address 192.168.1.204 DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent 50.1.1.1tenant VRF independent 192.168.1.204tenant VRF independent NAT44 twice-nat pool addresses:

可见，NAT在地址池中选取地址有随机性，地址的选择没有关联出接口，另外，也没有优先选择与目的地址同网段的地址。两边同时做SNAT看起来是不行的。

SNAT配置三

如下开启output-feature选项。

DBGvpp# set interface nat44 in port7 DBGvpp# set interface nat44 out port8 output-feature DBGvpp# nat44 add interface address port8 DBGvpp# DBGvpp# show nat44 interfaces NAT44 interfaces:port7 inport8 output-feature in out DBGvpp# DBGvpp# show nat44 addresses NAT44 pool addresses: 192.168.1.203tenant VRF independent NAT44 twice-nat pool addresses:

在开启output-feature选项之后，在位于ip4-output的节点nat-pre-in2out-output之中执行in2out地址转换，其在ACL插件acl-plugin-out-ip4-fa之前运行，这里ACL的out策略需要根据变换之后的地址配置才能生效。

163 VNET_FEATURE_INIT (nat_pre_in2out_output, static) = {164 .arc_name = "ip4-output",165 .node_name = "nat-pre-in2out-output",166 .runs_after = VNET_FEATURES ("ip4-sv-reassembly-output-feature"),167 .runs_before = VNET_FEATURES ("acl-plugin-out-ip4-fa"),168 };

对于未开启output-feature的情况，NAT转换都是在ip-unicast的node节点nat-pre-in2out和nat-pre-out2in中实现的。两者都位于ACL插件acl-plugin-in-ip4-fa之后，可见acl规则执行之后才进行地址变换。

82 VNET_FEATURE_INIT (nat_pre_in2out, static) = {83 .arc_name = "ip4-unicast",84 .node_name = "nat-pre-in2out",85 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",86 "ip4-sv-reassembly-feature"),87 };88 VNET_FEATURE_INIT (nat_pre_out2in, static) = {89 .arc_name = "ip4-unicast",90 .node_name = "nat-pre-out2in",91 .runs_after = VNET_FEATURES ("acl-plugin-in-ip4-fa",92 "ip4-dhcp-client-detect",93 "ip4-sv-reassembly-feature"),94 };

总结

以上是生活随笔为你收集整理的VPP源地址NAT的全部内容，希望文章能够帮你解决所遇到的问题。

如果觉得生活随笔网站内容还不错，欢迎将生活随笔推荐给好友。