CGNAT - Deterministic port ranges RFC7422

CGNAT - Deterministic port ranges RFC7422

[Rafael Ganascim]

Hello guys,

Do you know if its possible to create in few rules the RFC7422
deterministic port ranges with netfilter?

I'm using with iptables generating a lot of rules, one for each
internal ipv4 address/port range/protocol (minimum 3 for each private
ip address).

I'm looking in DNETMAP implementation, but I don't know if it can be
configured to be deterministic based on the source-ip/port.


Regards,

Rafael

Re: CGNAT - Deterministic port ranges RFC7422

[Pablo Neira Ayuso]

Hi,

On Sat, Nov 25, 2017 at 02:41:50AM -0200, Rafael Ganascim wrote:
> Hello guys,
> 
> Do you know if its possible to create in few rules the RFC7422
> deterministic port ranges with netfilter?
> 
> I'm using with iptables generating a lot of rules, one for each
> internal ipv4 address/port range/protocol (minimum 3 for each private
> ip address).
> 
> I'm looking in DNETMAP implementation, but I don't know if it can be
> configured to be deterministic based on the source-ip/port.

I guess your goal is to map a range of source ports to an IP address,
so from outside you can identify what traffic belongs to what IP
address behind the NATs.

I made a quick hack long long time ago for a friend of mine that
needed this, I'm not finding the patchset here, that happened probably
more than 10 years ago.

But I remember this just needs a very small change to the code.
Probably adding a new revision any of the existing NAT targets should
be fine.

So just to clarify, I think this should be easy to support.