1NAT action in tc(8) Linux NAT action in tc(8)
2
6 nat - stateless native address translation action
7
9 tc ... action nat DIRECTION OLD NEW
10 DIRECTION := { ingress | egress }
12 OLD := IPV4_ADDR_SPEC
14 NEW := IPV4_ADDR_SPEC
16 IPV4_ADDR_SPEC := { default | any | all | in_addr[/{prefix|netmask}]
18
20 The nat action allows to perform NAT without the overhead of conntrack,
21 which is desirable if the number of flows or addresses to perform NAT
22 on is large. This action is best used in combination with the u32 fil‐
23 ter to allow for efficient lookups of a large number of stateless NAT
24 rules in constant time.
25
27 ingress
28 Translate destination addresses, i.e. perform DNAT.
29 egress Translate source addresses, i.e. perform SNAT.
31 OLD Specifies addresses which should be translated.
33 NEW Specifies addresses which OLD should be translated into.
35
37 The accepted address format in OLD and NEW is quite flexible. It may
38 either consist of one of the keywords default, any or all, representing
39 the all-zero IP address or a combination of IP address and netmask or
40 prefix length separated by a slash (/) sign. In any case, the mask (or
41 prefix length) value of OLD is used for NEW as well so that a one-to-
42 one mapping of addresses is assured.
43 Address translation is done using a combination of binary operations.
45 First, the original (source or destination) address is matched against
46 the value of OLD. If the original address fits, the new address is
47 created by taking the leading bits from NEW (defined by the netmask of
48 OLD) and taking the remaining bits from the original address.
49 There is rudimental support for upper layer protocols, namely TCP, UDP
51 and ICMP. While for the first two only checksum recalculation is per‐
52 formed, the action also takes care of embedded IP headers in ICMP pack‐
53 ets by translating the respective address therein, too.
54
56 tc(8)
57iproute2 12 Jan 2015 NAT action in tc(8)