[Xorp-hackers] XORP-NAT: Proposal for NAT interface XIF and a config file syntax

Pavlin Radoslavov pavlin@icir.org
Thu, 30 Mar 2006 18:14:00 -0800


[Note: a follow-up of an old email that was postponed for discussion
 after the 1.2 release].

> After a long time of consideration and working on specifying a
> configuration syntax and a XIF file for a NAT module, I am hereby
> sending this proposal to the list for comments.
> 
> (Re my mail from oct 16 2005 with subject: NAT support for XORP)
> 
> 
> 20060200-NAT-interface-descr.txt file contains the syntax and a few
> samples of use of the configuration format.
> 
> The nat.xif file has kdoc documentation documenting the various
> functions and parameters.
> 
> The idea is to provide a common interface for the NAT module, with a
> defined syntax, and then use either the native (FreeBSD natd/or the
> similar functionality in linux) daemon, or a click module, with a rule
> of thumb something like this:
> 
> If the nat configuration is possible to implement with the native module
> this can be used, else the user must switch to the click nat module to
> achieve the wanted functionality.

The caveat with the above rule is that the user must have Click.
Currently, kernel-mode Click works only on Linux and some versions
of FreeBSD, and those systems already have native NAT support.
FYI, I believe user-mode Click works on a larger variety of systems
(I have been able to compile and use it as-is on Mac OS X), but
obviously you will get some performance penalty if you perform NAT
in user space Click. The upside of user-space Click NAT of course
would be that you don't have to modify your kernel and the
performance hit may be acceptable in most cases (you may want to do
some measurements here to prove this of course).

> I have designed with the use of IP-realms (aka different ip domains)
> which I am aware is not possible to use in the standard ip stack of
> FreeBSD/Linux, but if one makes configurations with non-overlapping ip
> ranges it will actually be possible to implement these in the existing
> kernel / ip stacks. The realm stuff is kept entirely in the nat config
> area of the config file.
> 
> I would appreciate comments on this, as I would like to continue
> planning and coding soon.
> 
> I would also like to have ideas / comments about how to add more
> datatypes to the idl generator scripts (for the port type, and
> eventually an ipv4-range type, which I have made here with 2 ipv4 addresses).

Can you clarify what you mean by "idl generator scripts"?

If you need ipv4-range type support, there are rtrmgr template types
named "ipv4range" and "ipv6range" which have the syntax IPADDR..IPADDR.
E.g. see the policy section inside etc/templates/bgp.tp.

Comments continuing below.

> Sincerely
> Mr. Kristen Nielsen
> University of Copenhagen
> Copenhagen
> Denmark
> kristen@diku.dk / krn@krn.dk
> phone +4540466221 (gmt -1)
> 
> [Attachment: 20060220-NAT-interface-descr.txt]
> 
> * Short description of the config file format for the xorp NAT module.
> * Examples of configurations with alike FreeBSD natd commandline.
> * Syntax of the port statement.
> 
> protocols {
>      nat {
> 	disable {disabled:bool}
> 
>   	nat-realm <text:realm-name> <description: description:txt> {

Currently, the rtrmgr template syntax doesn't support multi-value
statements like the one above. You would have to break it into, say:

        nat-realm <text:realm-name> {
                description: <description:txt>
                ...
        }



> 		interface <ifname> vif <vif-name>  { 
> 			description <description:txt>
> 			default-vif-address: <vif-hw-name:txt>
> 			ip-address: <ip:ipv4>
> 			tag: <tagid:txt>
> 
> 			interface-alias {
> 			description: <description:txt>
> 				alias-address: <ip:ipv4list> /* alt to more interface-alias clauses */
> 				tag: <tagid:txt>
> 			}
> 		}

The interface/vif statements need to be specified separately:

        interface <ifname> {
                vif <vif-name> {
                        ...
                }
                ...
        }


Also, note that we don't support a list of addresses, hence you may
want to specify all addresses with multi-value nodes like:

        interface <ifname> {
                vif <vif-name> {
                        address <ip:ipv4> {
                                description: <description:txt>
                                tag: <tagid:txt>
                        }
                }
                ...
        }


> 		
> 		/* Address pool (maps to the create/delete/get_nat_realm4 functions) */
> 		address-pool {
> 			description: <description:txt>
> 			ip-address: <ip:ipv4>
> 			ip-range: <ipfrom:ipv4> - <ipto:ipv4>
> 			ipnet: <ipnet:ipv4net>
> 			tag:  <tag:txt>
> 		}
> 	}
> 
> 	static-nat {
> 		map {
> 			description: <description:txt>
> 			source { 
> 				realm: <srcrealm:txt>
> 				ip-address: <ip:ipv4>
> 				ip-range: <ipfrom:ipv4> - <ipto:ipv4>
> 				ipnet: <ipnet:ipv4net>
> 				tag:  <tag:txt>
> 				port: <ports:ipv4ports>
> 			}
> 			destination {
> 				realm: <destrealm:txt>
> 				ip-address: <ip:ipv4>
> 				ip-range: <ipfrom:ipv4> - <ipto:ipv4>
> 				ipnet: <ipnet:ipv4net>
> 				tag:  <tag:txt>
> 				port: <ports:ipv4ports>
> 			}
> 		}
> 	}
> 
> 	dynamic-nat {
> 		map {
> 			description: <description:txt>
> 			source { 
> 				realm: <srcrealm:txt>
> 				ip-address: <ip:ipv4>
> 				ip-range: <ipfrom:ipv4> - <ipto:ipv4>
> 				ipnet: <ipnet:ipv4net>
> 				tag:  <tag:txt>
> 				port: <ports:ipv4ports>
> 			}
> 			destination {
> 				realm: <destrealm:txt>
> 				ip-address: <ip:ipv4>
> 				ip-range: <ipfrom:ipv4> - <ipto:ipv4>
> 				ipnet: <ipnet:ipv4net>
> 				tag:  <tag:txt>
> 				port: <ports:ipv4ports>
> 				binding: <binding:txt>
> 
> 			}
> 		}
> 
> 	ls-nat {
> 		map {
> 			description: <description:txt>
> 			source { 
> 				realm: <srcrealm:txt>
> 				ip-address: <ip:ipv4>
> 				ip-range: <ipfrom:ipv4> - <ipto:ipv4>
> 				ipnet: <ipnet:ipv4net>
> 				tag:  <tag:txt>
> 				port: <ports:ipv4ports>
> 			}
> 			destination {
> 				realm: <destrealm:txt>
> 				ip-address: <ip:ipv4>
> 				ip-range: <ipfrom:ipv4> - <ipto:ipv4>
> 				ipnet: <ipnet:ipv4net>
> 				tag:  <tag:txt>
> 				port: <ports:ipv4ports>
> 			}
> 		}
> 	}
>      }
> }
> 
> 
> The "port:" parameter is used to set the ports in use for an actual translation.
> Syntax:
> 
> <ports-stmt> ::= ports: <port-def>
> <port-def> ::= <protocol> <port-list>
> <port-list> ::= <port-spec> [, <port-def>]...
> <port-spec> ::= <port-nr | service-name> | <port-range | service-name-range>
> <protocol> ::= tcp | udp
> <port-nr> ::= <digits>
> <service-name> ::= <letters><letters|digits>...
> <digits> ::= <digit>...
> <digit> ::= <0|1|2|3|4|5|6|7|8|9>
> <letters> ::= <letter>...
> <letter> ::= <a..z|A..Z>
> 
> Example:
> 
> ports: tcp 22,33,44-55, udp 22,33,66-77, 88


The above syntax seems to me tcp/udp-centric and assumes the
particular protocol has the concept of a port.
This is not true for protocols like ICMP and GRE.


> Sample configurations with similar FreeBSD natd mappings.
> 
> The FreeBSD 
> 
> "natd -redirect_port tcp 172.17.16.15/telnet 6666" 
> 
> command with the global ip address equal to 80.10.10.10 is expressed in XORP NAT configuration files as:
> 
> protocols {
> 	NAT {
> 		realm "global" {
> 			ip: 80.10.10.10
> 		}
> 		
> 		realm "local" {
> 			ip: 172.17.16.15	
> 		}
> 		static-map { <description>
> 			source {
> 				ip-address: 80.10.10.10
> 				ports: tcp 6666
> 			}
> 
> 			destination {
> 				ip-address: 172.17.16.15
> 				ports: tcp telnet
> 			}
> 		}
> 	}
> }        


I would recommend to generalize the source and destination syntax by
separating the concept of protocol and port. Of course, for
protocols like tcp and udp you must have ports, so your syntax must
incorporate that too :)


> The config line:
> "natd -interface em0"
> Creation of a dynamic mapping from 172.17.16.0/24 to the global address of the em0 interface (ip 80.10.10.10) is expressed as:
> 
> protocols {
> 	NAT{
> 		realm "global" {
> 			ip: 80.10.10.10
> 			tag: "globalip"
> 		}
> 		
> 		realm "local" {
> 			ipnet: 172.17.16.0/24
> 			tag: "localnet"
> 		}
> 
> 		dynamic-map { <description>
> 			source {
> 				tag: "localnet"
> 			}
> 			destination {
> 				tag: "globalip"
> 			}
> 		}
> 	}
> }        
> Written by 
> Kristen Nielsen
> Computer Science dept
> University of Copenhagen, Denmark
> kristen@diku.dk / KrN@KrN.dk
> 
> 
> 
> [Attachment: nat.xif]
> 
> /* xorp/xrl/interfaces/nat.xif file by KrN@KrN.DK 20060220 */
> /* Suggestion to a nat interface for xorp. */
> 
> 
> /* The following interfaces exists for the xorp nat module */
> 
> 	/**
> 	 * Network address translation (NAT) interface.
> 	 * The NAT module consists of the following configuration elements:
> 	 *
> 	 * set_nat_disable and get_nat_disable:
> 	 * 	sets and returns the status of the nat module
> 	 *
>  	 * nat_realm: 
> 	 *	Manages (creates/deletes/get) realms for use in nat mappings.
> 	 *	Before realms can be used in configurations, they must 
> 	 * 	be created.
> 	 *	
> 	 * nat_realm_vif4:
> 	 *	Manages (creates/delete/lists) vif addresses for nat use 
> 	 * 	in nat mappings.
> 	 *
> 	 * nat_realm_alias4:
> 	 *	Manages (creates/deletes/lists) alias ipv4 addresses for vif 
> 	 * 	interfaces for use in nat mappings.
> 	 *
> 	 * nat_realm4:
> 	 *	Defines ip4 addresses, ip4 networks and ip4 address ranges 
> 	 * 	for use in nat mappings. Addresses are not directly connected 
> 	 * 	to any vif on the xorp router. Addresses are reachable 
> 	 * 	via the realm / vif interface stated. (This will probably be
> 	 *	changed to be the interface pointed out by the next-hop entry
> 	 * 	in the rib.)
> 	 *
> 	 * nat_static_map4: 
> 	 *	Defines static NAT table mappings
> 	 *	From the realm and ip definitions in the nat_realm_* group
> 	 *	Tcp and/or udp port definitions can be defined here.
> 	 *
> 	 * nat_dynamic_map4: 
> 	 *	Defines dynamic NAT table mappings (triggers)
> 	 *	from the definitions in the nat_realm_* group.
> 	 *	Tcp and/or udp port definitions can be defined here.
> 	 *
> 	 * nat_lsnat_map4: 
> 	 *	Defines Load Sharing NAT mappings
> 	 *	from the definitions in the nat_realm_* group.
> 	 *	Tcp and/or udp port definitions can be defined here.
> 	 *
> 	 */
> interface nat/0.1 {
> 
> 	/** 
> 	 * set nat disable (and enable) function
> 	 *
> 	 * @param disabled sets the status of the nat module true = disabled, 
> 	 * false = enabled
> 	 * @param disabledstatus returns the status of the module, 
> 	 * true = disabled, false = enabled
> 	 */
> 	set_nat_disable		? disabled:bool -> disabledstatus:bool

What is the purpose of the returned disabledstatus?
If "set_nat_disable" returned success, then the status must be same
as the "disabled:bool" argument when the XRL was invoked.
BTW, stylistically, we prefer that longer names are separated
with, say, underscore: disabledstatus -> disabled_status :)

This is my last comment. Without going into details, the rest of the
XRLs seem reasonable. Though, if you change the NAT configuration
syntax quite likely you would have to change some of the XRLs as
well.

Pavlin
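
As an added example, not part of this email, the proposal or the XORP code base: a Python parser for the proposed "ports:" statement, generalised so the protocol is carried separately from the port list as suggested above (so port-less protocols such as ICMP and GRE can be named without ports and are rejected if ports are given), plus a renderer that turns a static map like the "natd -redirect_port" telnet sample into natd(8) arguments. Assumptions not in the proposal: a bare number after a protocol keeps that protocol ("udp 66-77, 88" is udp 88), service names come from a small constructed table standing in for /etc/services, and port-less protocols render as natd's -redirect_proto form.

```python
import re
from dataclasses import dataclass, field

# Added example, not XORP project code.  Assumptions (see lead-in): a bare
# number after a protocol keeps that protocol, icmp/gre carry no ports, and
# SERVICES is a constructed stand-in for /etc/services.
PORTED = {"tcp", "udp"}
PORTLESS = {"icmp", "gre"}          # no port concept: the caveat raised above
SERVICES = {"ssh": 22, "telnet": 23, "domain": 53, "http": 80}  # constructed
_NAME = re.compile(r"[A-Za-z][A-Za-z0-9]*")   # <service-name> per the grammar


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int

    def __len__(self):
        return self.hi - self.lo + 1


@dataclass
class ProtoSpec:
    proto: str
    ranges: list = field(default_factory=list)


def _port(tok):
    """Numeric port or service name -> port number, range-checked."""
    if tok.isdigit():
        p = int(tok)
    elif _NAME.fullmatch(tok) and tok.lower() in SERVICES:
        p = SERVICES[tok.lower()]
    else:
        raise ValueError(f"unknown port/service {tok!r}")
    if not 1 <= p <= 65535:
        raise ValueError(f"port {p} out of range")
    return p


def parse_ports(spec):
    """'tcp 22,33,44-55, udp 22,33,66-77, 88, gre' -> [ProtoSpec, ...]."""
    out, cur = [], None
    for item in (s.strip() for s in spec.split(",")):
        words = item.split()
        if not words:
            raise ValueError("empty element in port list")
        if words[0].lower() in PORTED | PORTLESS:
            cur = ProtoSpec(words.pop(0).lower())
            out.append(cur)
            if not words:
                continue                      # bare protocol, e.g. "gre"
        if cur is None or len(words) != 1:
            raise ValueError(f"malformed element {item!r}")
        if cur.proto in PORTLESS:
            raise ValueError(f"{cur.proto} has no ports: {item!r}")
        lo, _, hi = words[0].partition("-")
        lo_p = _port(lo)
        hi_p = _port(hi) if hi else lo_p
        if hi_p < lo_p:
            raise ValueError(f"inverted range {item!r}")
        cur.ranges.append(PortRange(lo_p, hi_p))
    for s in out:                             # tcp/udp must name a port
        if s.proto in PORTED and not s.ranges:
            raise ValueError(f"{s.proto} requires at least one port")
    return out


def rejects(spec):
    """True if parse_ports refuses spec (handy for checking the caveats)."""
    try:
        parse_ports(spec)
    except ValueError:
        return True
    return False


def static_map_to_natd(global_ip, global_ports, local_ip, local_ports):
    """Render a static map (global source -> local destination, as in the
    telnet sample) as natd(8) arguments.  Port ranges are paired in order
    and must be the same size: a static 1:1 map cannot overload ports."""
    src, dst = parse_ports(global_ports), parse_ports(local_ports)
    if [s.proto for s in src] != [d.proto for d in dst]:
        raise ValueError("source and destination protocol lists differ")
    args = []
    for s, d in zip(src, dst):
        if s.proto in PORTLESS:               # natd: -redirect_proto proto localIP publicIP
            args.append(f"-redirect_proto {s.proto} {local_ip} {global_ip}")
            continue
        if len(s.ranges) != len(d.ranges):
            raise ValueError(f"{s.proto}: different number of port ranges")
        for sr, dr in zip(s.ranges, d.ranges):
            if len(sr) != len(dr):
                raise ValueError(f"{s.proto}: {sr} and {dr} differ in size")
            target = f"{local_ip}:{dr.lo}" + (f"-{dr.hi}" if len(dr) > 1 else "")
            alias = f"{global_ip}:{sr.lo}" + (f"-{sr.hi}" if len(sr) > 1 else "")
            args.append(f"-redirect_port {s.proto} {target} {alias}")
    return args


if __name__ == "__main__":
    print(parse_ports("tcp 22,33,44-55, udp 22,33,66-77, 88"))
    print(" ".join(["natd"] + static_map_to_natd(
        "80.10.10.10", "tcp 6666", "172.17.16.15", "tcp telnet")))
```

The renderer refuses a source/destination pair whose port ranges differ in size instead of silently truncating one side, since a static map that quietly dropped ports would expose or hide services the operator did not intend.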


> 	/** 
> 	 * get nat status function
> 	 *
> 	 * @param disabledstatus returns the status of the module, (as the 
> 	 * set_nat_disable function)  true = disabled, false = enabled
> 	 */
> 	get_nat_disable		-> disabledstatus:bool
> 
> 
> 	/** 
> 	 * create_nat_realm - creates a nat realm.
> 	 *
> 	 * @param realm holds the name of the realm to be created. The name 
> 	 * must not exist when the call is made.
> 	 * @param descr is the textual description of the realm.
> 	 */
> 	create_nat_realm	? realm:txt & descr:txt
> 	
> 	/** 
> 	 * delete_nat_realm - deletes a nat realm.
> 	 *
> 	 * @param realm holds the name of the realm to be deleted. The name 
> 	 * must exist when the call is made.
> 	 */
>         delete_nat_realm 	? realm:txt
> 	
> 	/** 
> 	 * get_nat_realm - lists nat realms.
> 	 *
> 	 * @param realm holds the name of the realm to be listed. 
> 	 * If the parameter is NULL, all existing realms are returned.
> 	 */
>         get_nat_realm	 	? realm:txt -> realms:list 
> 
> 
> 	/** 
> 	 * create_nat_realm_vif4 - creates an entry for the base ipv4 address 
> 	 * of a virtual interface. 
> 	 * Any virtual interface can at most be a member of one realm. 
> 	 * Virtual interfaces must be in the same realm as the ip addresses
> 	 * passing the vif interface.
> 	 * 
> 	 * @param realm is an existing realm that the vif is mapped to.
> 	 * @param ifname is the name of the physical interface where the 
> 	 * vif is defined.
> 	 * @param vifname is the name of the virtual interface to be mapped.
> 	 * @param tag is a textlabel that the mapping is labeled with.
> 	 * @param description textual description of the mapping.
> 	 */
> 	create_nat_realm_vif4 	? realm:txt & ifname:txt & vifname:txt & \
> 				tag:txt & description:txt 
> 
> 	/** 
> 	 * delete_nat_realm_vif4 - removes an entry for a base ipv4 (vif) 
> 	 * address of a virtual interface from a nat realm.
> 	 * The definitions matching all the supplied parameters are deleted.
> 	 * Wild card parameters must be set to NULL.
> 	 *
> 	 * @param realm all vif4 definitions for this realm are deleted.
> 	 * @param ifname all definitions with this ifname are deleted. 
> 	 * @param vifname all mappings to this vifname are deleted.
> 	 * @param tag all mappings with this tag are deleted.
> 	 */
> 	delete_nat_realm_vif4	? realm:txt & ifname:txt & vifname:txt & \
> 				tag:txt
> 
> 	/**
> 	 * update_nat_realm_vif4 - updates an existing vif mapping with its
> 	 * new ipv4 address. 
> 	 * The vif4 mapping is updated when the vif gets a new ipv4 address.
> 	 */
> 	update_nat_realm_vif4 	? ifname:txt & vifname:txt & ip:ipv4
> 	 
> 	/** 
> 	 * get_nat_realm_vif4 - lists nat_realm_vif4 definitions.
> 	 *
> 	 * get_nat_realm_vif4 returns a list of all nat_realm_vif4 
> 	 * interfaces in the router matching the realm supplied. 
> 	 * @param realm specifies the realm to return interfaces for. 
> 	 * If NULL then all defined nat_realm_vif4 interfaces are returned.
> 	 */
> 	get_nat_realm_vif4 	? realm:txt -> nat_realm_vif4s:list
> 
> 	
> 	/** 
> 	 * create_nat_realm_alias4 - creates a mapping to the nat_realm 
> 	 * definitions. Manipulates ipv4 address aliases of an interface 
> 	 * (vif) for in/out going nat gateways. Aliases are not the base 
> 	 * ipv4 address of the virtual interface, but ipv4 addresses in 
> 	 * the same subnet as the vif. (see nat_realm_vif)
> 	 *
> 	 * Any aliases, aliased to a vif must be in the same realm as the 
> 	 * vif itself.
> 	 *
> 	 * @param realm specifies the realm that the IP address belongs to.
> 	 * @param ifname is the physical interfaces for this interface
> 	 * @param vifname is the virtual interface name to add this alias to.
> 	 * @param tag is a label for grouping definitions.
> 	 * @param description is a textual description of this alias.
> 	 * @param ipaddr is the ipv4 alias address added to the vif.
> 	 */
> 	create_nat_realm_alias4	? realm:txt & ifname:txt & vifname:txt & \
> 				tag:txt & description:txt & ipaddr:ipv4
> 
> 
> 	/** 
> 	 * delete_nat_realm_alias4 function
> 	 * Deletes an ipv4 realm_alias4 address from the virtual interface (vif). 
> 	 *
> 	 * The alias4 mappings matching the supplied parameters are deleted.
> 	 * Parameters that are not defined (=not matched against) must be NULL. 
> 	 *
> 	 * @param realm the alias4 mappings in this realm are deleted.
> 	 * @param ifname all alias4 mappings defined for this interface are
> 	 * deleted.
> 	 * @param vifname all alias4 mappings defined under this vif are 
> 	 * deleted.
> 	 * @param tag all alias4 mappings with this tag are deleted.
> 	 * @param ipaddr the alias4 mapping with this ipv4 address is deleted.
> 	 */
> 	delete_nat_realm_alias4	? realm:txt & ifname:txt & vifname:txt & \
> 				tag:txt & ipaddr:ipv4
> 
> 	/**
> 	 * get_nat_realm_alias4 returns a nat_realm_alias4 list with matching 
> 	 * alias4 elements. Wildcard parameters should be set to NULL.
> 	 *
> 	 * @param realm specifies the realm of the alias4 addresses to be 
> 	 * returned.
> 	 * @param ifname specifies the physical interfaces to match.
> 	 * @param vifname specifies the virtual interfaces to match.
> 	 * @param tag specifies the tag of the definitions to match.
> 	 * @param ipaddr specifies the ipv4 addr of the alias4 to match.
> 	 * @param nat_realm_alias4s is the list of the matching aliases 
> 	 * defined.
> 	 */
> 	get_nat_realm_alias4	? realm:txt & ifname:txt & vifname:txt & \
> 				tag:txt & ipaddr:ipv4 \
> 				-> nat_realm_alias4s:list
> 
> 	/** 
> 	 * create_nat_realm4 - creates definitions of ipv4 addresses/ipv4
> 	 * networks/ipv4 address ranges in the nat_realm list.
> 	 *
> 	 * The ipv4 addresses / ipv4 networks / ipv4 address ranges / tagged
> 	 * list of definitions, are all ip-addresses not directly attached
> 	 * to any physical/virtual interface on the xorp router.
> 	 * 
> 	 * The function has the following way of interpreting the address 
> 	 * arguments:
> 	 * All function calls must have these parameters defined: 
> 	 * <realm> <ifname> <vifname>, where realm specifies the actual realm,
> 	 * and ifname and vifname the interfaces to route these addresses through.
> 	 * (If the ifname and vifname can be acquired via the routing
> 	 * info, these parameters might disappear during implementation.) 
> 	 *
> 	 * To specify a tag for the definition, supply the <tag> parameter.
> 	 *
> 	 * To specify a single ipv4 address supply ONLY the <ip> parameter. 
> 	 *
> 	 * To specify an ipv4 network supply ONLY the <ipnet> parameter. 
> 	 *
> 	 * To specify an ipv4 range supply ONLY the <ip> and <ipto> parameters. 
> 	 * <ip> is the lowest ip address and ipto is the highest ip address
> 	 * in the range.
> 	 * 
> 	 * The 3 types of definitions above cannot be mixed in a single call
> 	 * to the function. Grouping is done by defining several of the 3
> 	 * forms above with the same tag.
> 	 * 
> 	 * create_nat_realm4 creates an ipv4 address/ipv4 network/ipv4 range/tag
> 	 * entry in the nat map list.
> 	 *
> 	 * @param realm specifies the realm to which the mapping belong.
> 	 * @param tag maps the definition with this tag.
> 	 * @param description a textual description of this alias.
> 	 * @param ip is the ip address or the lowest bound of an ip range.
> 	 * @param ipto is the highest bound of a range.
> 	 * @param ipnet specifies an ipv4 network (ip address + subnetmask)
> 	 */
> 	create_nat_realm4	 	? realm:txt & \
> 					tag:txt & description:txt & \
> 					ip:ipv4 & ipto:ipv4 & \
> 					ipnet:ipv4net
> 
> 	/**
> 	 * delete_nat_realm4 deletes all nat_realm4 mappings matching
> 	 * all supplied parameters. Wild card parameters must be set to NULL.
> 	 * (For further doc see create_nat_realm4)
> 	 *
> 	 * @param realm all nat_realm4 definitions with this realm are deleted.
> 	 * @param tag all nat_realm4 definitions with this tag are deleted.
> 	 * @param ip the ipv4 address mapping is deleted. (see ipto param too)
> 	 * @param ipto the range defined together with the ip parameter is 
> 	 * deleted.
> 	 * @param ipnet the ipv4 network defined is deleted.
> 	 * 
> 	 * If more parameters are defined, only the definitions that match 
> 	 * ALL the supplied parameters are deleted. 
> 	 */
> 	delete_nat_realm4 		? realm:txt & \
> 					tag:txt & \
> 					ip:ipv4 & ipto:ipv4 & \
> 					ipnet:ipv4net
> 
> 	/**
> 	 * get_nat_realm4 function - returns the list of defined elements 
> 	 * that match the supplied parameters.
> 	 * (For further doc on the use see create_nat_realm4.)
> 	 * Wildcard parameters must be set to NULL.
> 	 *
> 	 * @param realm returns the list of realm4 definitions for this realm.
> 	 * @param tag returns the list of definitions tagged with this tag.
> 	 * @param ip returns the list of definitions with this ipv4 address.
> 	 * @param ipto returns the list of definitions with this ipv4 range. 
> 	 * @param ipnet returns the list of ipv4 networks defined.
> 	 * @param nat_realm4s is a list of the matched definitions.
> 	 */
> 	get_nat_realm4 			? realm:txt & \
> 					tag:txt & description:txt & \
> 					ip:ipv4 & ipto:ipv4 & \
> 					ipnet:ipv4net -> nat_realm4s:list
> 
> 	/**
> 	 * create_nat_static_map4
> 	 *
> 	 * create_nat_static_map4 - defines static NAT table entries from the 
> 	 * ip definitions from the nat_realm* functions.
> 	 *
> 	 * The nat_static_map functions define static nat mappings between 
> 	 * ip addresses at the source side realm and the ip addresses of 
> 	 * the destination side realm.
> 	 * If the sizes of the ip ranges on either side of the mapping are not 
> 	 * equal, then the mappings must go from the source side realm 
> 	 * (aka local realm) to the destination side realm (aka global realm).
> 	 * ip addresses that are used for TCP/UDP port mapping 
> 	 * (port overloading) must always be defined at the destination side.
> 	 *
> 	 * The nat_static_map function has more sub functions dependent on 
> 	 * the supplied parameters. The parameters can define either a single
> 	 * ip address, a contiguous range of ip addresses or a sub net, or a
> 	 * tagged set of definitions. The ip addresses and realm used in a map 
> 	 * statement must be defined in a nat_realm* clause.
> 	 * The source and destination side of a mapping can take all 4 forms
> 	 * from the following definitions.
> 	 *  
> 	 * To specify a single ip address the ip parameter is used. The 
> 	 * ipto parameter must be NULL.
> 	 * 
> 	 * To specify a contiguous range of IP addresses, the ip and ipto 
> 	 * parameters are used. The ipnet parameter must be NULL.
> 	 * 
> 	 * To specify an ip network, the ipnet parameter must be specified. 
> 	 * The ipnet takes a subnet address and a subnet mask. The ip and ipto
> 	 * parameters must be NULL.
> 	 * 
> 	 * To use a tag from the nat_realm definitions, specify the tag at 
> 	 * the tag parameter. The ip, ipto and ipnet parameters must be NULL.
> 	 *
> 	 * @param srcrealm specifies the realm for the source side of the map.
> 	 *
> 	 * @param destrealm specifies the realm for the destination side 
> 	 * of the map.
> 	 *
> 	 * @param srcip is the ipv4 source ip address of a mapping.
> 	 *
> 	 * @param srcipto is the source ipv4 address that forms the upper 
> 	 * bound of an ip range.
> 	 *
> 	 * @param srcipnet is the ipv4 network which forms the source mapping.
> 	 *
> 	 * @param srctag maps all nat_realm definitions with the same tag as
> 	 * the source definition.
> 	 *
> 	 * @param srcport is the range of ports used to this mapping.
> 	 *
> 	 * @param destip is the ipv4 destination address of the mapping
> 	 *
> 	 * @param destipto is the ipv4 address that forms the upper bound of 
> 	 * the destination ip range. 
> 	 *
> 	 * @param destipnet is the ipv4 network that is the destination ip 
> 	 * addresses for the mapping.
> 	 *
> 	 * @param desttag maps all nat_realm definitions with the same tag as
> 	 * the destination definition.
>  	 *
> 	 * @param destport is a list of tcp and/or udp ports used at the
> 	 * destination addresses.
> 	 *
> 	 */
> 	create_nat_static_map4		? description:txt & \
> 					srcrealm:txt & \
> 					srcip:ipv4 & srcipto:ipv4 & \
> 					srcipnet:ipv4net & \
> 					srctag:txt & \
> 					srcport:ipv4ports & \
> 					destrealm:txt & \
> 					destip:ipv4 & destipto:ipv4 & \
> 					destipnet:ipv4net & \
> 					desttag:txt & \
> 					destport:ipv4ports
> 
> 	/**
> 	 * delete_nat_static_map4
> 	 *
> 	 * delete_nat_static_map4 - delete static nat table entries from the 
> 	 * ip definitions from the nat_static_map4 functions.
> 	 *
> 	 * The function deletes the nat_static_map4 entries that matches
> 	 * all the supplied parameters.  (for more information about the 
> 	 * interfaces see create_nat_static_map4 documentation)
> 	 *
> 	 * The selected ranges must be fully matching sets from the
> 	 * create_nat_static_map4 definition. No internal ranges can be deleted.
> 	 *
> 	 * @param srcrealm specifies the source realm to be deleted. All 
> 	 * nat_static_map4 definitions with the same realm is selected.
> 	 *
> 	 * @param destrealm specifies the realm for the destination side 
> 	 * to be deleted. All nat_static_map4 definitions with the same realm 
> 	 * is selected.
> 	 *
> 	 * @param srcip is the ipv4 source ip address to be deleted.
> 	 *
> 	 * @param srcipto together with the srcip parameter defines the
> 	 * source ip range to be deleted. 
> 	 *
> 	 * @param srcipnet is the ipv4 network source mapping to be deleted.
> 	 *
> 	 * @param srctag selects the source tags to be deleted.
> 	 * 
> 	 * @param srcport is the range of tcp and/or udp ports to be deleted.
> 	 *
> 	 * @param destip is the ipv4 destination address to be deleted.
> 	 *
> 	 * @param destipto together with the destip parameter defines 
> 	 * the destination ip range to be deleted.
> 	 *
> 	 * @param destipnet is the ipv4 network to be deleted.
> 	 *
> 	 * @param desttag selects the destination tags to be deleted.
> 	 *
> 	 * @param destport is a list of tcp and/or udp ports to be deleted.
> 	 */
> 	delete_nat_static_map4		? srcrealm:txt & \
> 					srcip:ipv4 & srcipto:ipv4 & \
> 					srcipnet:ipv4net & \
> 					srctag:txt & \
> 					srcport:ipv4ports & \
> 					destrealm:txt & \
> 					destip:ipv4 & destipto:ipv4 & \
> 					destipnet:ipv4net & \
> 					desttag:txt & \
> 					destport:ipv4ports
> 
> 	/**
> 	 * get_nat_static_map4 - lists nat_static_map4 entries.
> 	 *
> 	 * get_nat_static_map4 - lists static NAT table entries that match 
> 	 * the supplied parameters.
> 	 *
> 	 * The function returns the nat_static_map4 entries that match
> 	 * all the supplied parameters.
> 	 * (for more information about the interfaces see 
> 	 * create_nat_static_map4 documentation)
> 	 *
> 	 * @param srcrealm specifies the source realm to be listed.
> 	 *
> 	 * @param destrealm specifies the realm for the destination side 
> 	 * to be listed.
> 	 *
> 	 * @param srcip is the ipv4 source ip address to be listed.
> 	 *
> 	 * @param srcipto together with the srcip parameter defines the
> 	 * source ip range to be listed. 
> 	 *
> 	 * @param srcipnet is the ipv4 network source to be listed.
> 	 *
> 	 * @param srctag selects the source tags to be listed.
> 	 *
> 	 * @param srcport is the range of tcp and/or udp ports to be listed.
> 	 *
> 	 * @param destip is the ipv4 destination address to be listed.
> 	 *
> 	 * @param destipto together with the destip parameter defines 
> 	 * the destination ip range to be listed.
> 	 *
> 	 * @param destipnet is the ipv4 network to be listed.
> 	 *
> 	 * @param desttag selects the destination tags to be listed.
> 	 *
> 	 * @param nat_static_map4s contains the list of matched elements.
> 	 *
> 	 * @param destport is a list of tcp and/or udp ports to be matched.
> 	 */
> 	get_nat_static_map4	? description:txt & \
> 				srcrealm:txt & \
> 				srcip:ipv4 & srcipto:ipv4 & \
> 				srcipnet:ipv4net & \
> 				srctag:txt & \
> 				srcport:ipv4ports & \
> 				destrealm:txt & \
> 				destip:ipv4 & destipto:ipv4 & \
> 				destipnet:ipv4net & \
> 				destport:ipv4ports & \
> 				desttag:txt -> nat_static_map4s:list
> 
> 
> 	/** 
> 	 * create_nat_dynamic_map4 - creates dynamic map definitions.
> 	 *
> 	 * The nat_dynamic_map4 functions define dynamic mappings between 
> 	 * IP addresses at the source side realm and the IP addresses of 
> 	 * the destination side realm.
> 	 * If the sizes of the IP ranges on either side are not equal, 
> 	 * then the mappings must go from the source side realm 
> 	 * (aka local realm) to the destination side realm (aka global realm).
> 	 * IP addresses that are used for TCP/UDP port mapping 
> 	 * (port overloading) must be defined on the destination side.
> 	 *
> 	 * @param srcrealm specify the network realm for the source part
> 	 * of the mapping.
> 	 *
> 	 * @param srctag maps the nat_realm* definitions with this tag as
> 	 * the source side of the mapping. The tagged definitions must belong
> 	 * to the same realm as stated in srcrealm. If the special meaning
> 	 * tag "all" is given then all the definitions in the nat_realm 
> 	 * with the same realm as stated in srcrealm is matched.
> 	 *
> 	 * Src or dest definitions default to "all", which is all addresses 
> 	 * in the matching (src/dest) realm as defined in the nat_realm_* group.
> 	 *
> 	 * @param srcip is the ipv4 source ip address of a mapping, or the
> 	 * source ipv4 address that forms the lower bound of an ip range.
> 	 *
> 	 * @param srcipnet is the ipv4 network which forms the source mapping.
> 	 *
> 	 * @param srcipto is the source ipv4 address that forms the upper 
> 	 * bound of an ip range.
> 	 *
> 	 * @param srcport is the range of tcp and/or udp ports to be used in
> 	 * the mapping.
> 	 *
> 	 * @param destip is the ipv4 destination address of the mapping, or
> 	 * the ipv4 address that forms the lower bound of the destination
> 	 * ip range.
> 	 *
> 	 * @param destipnet is the ipv4 network that is the destination ip 
> 	 * addresses for the mapping.
> 	 *
> 	 * @param destipto is the ipv4 address that forms the upper bound of 
> 	 * the destination ip range. 
> 	 *
> 	 * @param desttag maps the nat_realm* definitions with this tag as
> 	 * the destination side of the mapping. The tagged definitions must 
> 	 * belong to the same realm as stated in destrealm. If the special 
> 	 * meaning tag "all" is given then all the definitions in the nat_realm 
> 	 * with the same realm as stated in destrealm are matched.
> 	 * 
> 	 * @param destport is a list of tcp and/or udp ports to use for the
> 	 * dynamic mapping.
> 	 *
> 	 * @param binding This argument can be "dynamic" (default) or "fixed"
> 	 * Dynamic can be a new mapping each time the mapping is used for a 
> 	 * new connection (from src side). "fixed" is using the same source 
> 	 * and destination mapping each time the src ip/port is connecting.
> 	 */
> 	create_nat_dynamic_map4	? description:txt & \
> 				srcrealm:txt & \
> 				srcip:ipv4 & srcipto:ipv4 & \
> 				srcipnet:ipv4net & \
> 				srctag:txt & \
> 				srcport:ipv4ports & \
> 				destrealm:txt & \
> 				destip:ipv4 & destipto:ipv4 & \
> 				destipnet:ipv4net & \
> 				desttag:txt & \
> 				destport:ipv4ports & \
> 				binding:txt
> 
> 	/** 
> 	 * delete_nat_dynamic_map4
> 	 * 
> 	 * The delete_nat_dynamic_map4 function deletes the elements from the
> 	 * nat_dynamic_map4 table that matches the supplied parameters.
> 	 *
> 	 * @param srcrealm matches source realm parameter of mappings.
> 	 *
> 	 * @param srctag matches the source tag parameter of the mappings to 
> 	 * be deleted.
> 	 * If the special meaning tag "all" is given then all the definitions 
> 	 * on the source side with the same realm as stated in srcrealm 
> 	 * are matched.
> 	 *
> 	 * @param srcip matches the ipv4 source ip, or the lower bound of an
> 	 * ipv4 ip-range to be deleted.
> 	 *
> 	 * @param srcipto matches the source ipv4 address that forms the upper 
> 	 * bound of an ip range to be deleted.
> 	 *
> 	 * @param srcipnet matches the source ipv4 network to be deleted.
> 	 * 
> 	 * @param srcport is the tcp and/or udp port range to be deleted.
> 	 *
> 	 * @param destip matches the ipv4 destination address of the mapping
> 	 * or the ipv4 address that forms the lower bound of the destination
> 	 * ip range.
> 	 *
> 	 * @param destipto matches the destination ipv4 address to be deleted.
> 	 *
> 	 * @param destipnet matches the destination ipv4 network.
> 	 *
> 	 * @param desttag maps the mappings with this tag as the destination 
> 	 * side of the mapping. The tagged definitions must belong to the
> 	 * same realm as stated in srcrealm. If the special 
> 	 * meaning tag "all" is given then all the definitions in the 
> 	 * nat_dynamic_realm with the same source realm as stated in srcrealm 
> 	 * is matched.
> 	 * 
> 	 * @param destport is a list of tcp and/or udp ports to be deleted.
> 	 *
> 	 * @param binding This argument can be "dynamic" (default) or "fixed"
> 	 * Dynamic can be a new mapping each time the mapping is used for a 
> 	 * new connection (from src side). "fixed" is using the same source 
> 	 * and destination mapping each time the src ip/port is connecting.
> 	 */
> 	delete_nat_dynamic_map4	? srcrealm:txt & \
> 				srcip:ipv4 & srcipto:ipv4 & \
> 				srcipnet:ipv4net & \
> 				srctag:txt & \
> 				srcport:ipv4ports & \
> 				destrealm:txt & \
> 				destip:ipv4 & destipto:ipv4 & \
> 				destipnet:ipv4net & \
> 				desttag:txt & \
> 				destport:ipv4ports & \
> 				binding:txt
> 
> 	/** 
> 	 * get_nat_dynamic_map4
> 	 * 
> 	 * The get_nat_dynamic_map4 function returns the elements from the
> 	 * nat_dynamic_map4 table that matches all the supplied parameters.
> 	 *
> 	 * @param srcrealm matches source realm parameter of the mappings.
> 	 *
> 	 * @param srctag matches the source tag parameter of the mappings.
> 	 * If the special meaning tag "all" is given then all the definitions 
> 	 * with this tag on the source side, with the same realm as stated in 
> 	 * srcrealm, are matched.
> 	 *
> 	 * @param srcip matches the ipv4 source ip, or the lower bound of an
> 	 * ipv4 ip-range.
> 	 *
> 	 * @param srcipto matches the source ipv4 address that forms the upper 
> 	 * bound of an ip range.
> 	 *
> 	 * @param srcipnet matches the source ipv4 network.
> 	 * 
> 	 * @param srcport is the tcp and/or udp range to be returned.
> 	 *
> 	 * @param destip matches the ipv4 destination address of the mapping
> 	 * or the ipv4 address that forms the lower bound of the destination
> 	 * ip range.
> 	 *
> 	 * @param destipto matches the destination ipv4 address.
> 	 *
> 	 * @param destipnet matches the destination ipv4 network.
> 	 *
> 	 * @param desttag maps the mappings with this tag as the destination 
> 	 * side of the mapping. The tagged definitions must belong to the
> 	 * same realm as stated in srcrealm. If the special 
> 	 * meaning tag "all" is given then all the definitions in the 
> 	 * nat_dynamic_realm with the same source realm as stated in srcrealm 
> 	 * are matched.
> 	 *
> 	 * @param destport is a list of tcp and/or udp ports to be returned.
> 	 *
> 	 * @param binding This argument can be "dynamic" (default) or "fixed"
> 	 * Dynamic can be a new mapping each time the mapping is used for a 
> 	 * new connection (from src side). "fixed" is using the same source 
> 	 * and destination mapping each time the src ip/port is connecting.
> 	 */
> 	get_nat_dynamic_map4	? description:txt & \
> 				srcrealm:txt & \
> 				srcip:ipv4 & srcipto:ipv4 & \
> 				srcipnet:ipv4net & \
> 				srctag:txt & \
> 				srcport:ipv4ports & \
> 				destrealm:txt & \
> 				destip:ipv4 & destipto:ipv4 & \
> 				destipnet:ipv4net & \
> 				desttag:txt & \
> 				destport:ipv4ports & \
> 				binding:txt -> nat_dynamic_map4s:list
> 
> 
> 
> 	/** 
> 	 * lsnat_map functions - define Load Sharing NAT (LSNAT) functionality.
> 	 *  
> 	 * lsnat_map defines hosts at the destination side which are to be
> 	 * load shared when accessed via a common global address and port, 
> 	 * defined at the source side.
> 	 *
> 	 * The lsnat_map function has a range of ways to define ipv4 addresses,
> 	 * ipv4 networks and ipv4 ip address ranges.
> 	 * The parameters can define either a single ip address, a contiguous 
> 	 * range of IP addresses or a subnet, or a tag.
> 	 * The source and destination side of a mapping can each take all 
> 	 * 4 forms.
> 	 *  
> 	 * To specify a single ip address the ip parameter is used. The 
> 	 * ipto parameter must be NULL.
> 	 * 
> 	 * To specify a contiguous range of IP addresses, the ip and ipto 
> 	 * parameters are used. The ipnet parameter must be NULL.
> 	 * 
> 	 * To specify an ipnetwork, the ipnet parameters must be specified. 
> 	 * The ipnet takes a sub net-address and a sub net-mask. The ip and ipto
> 	 * parameters must be NULL.
> 	 * 
> 	 * To use a named tag from the nat_realm definitions, specify the tag 
> 	 * at the tag parameter. The ip, ipto and ipnet parameters must be 
> 	 * NULL. Tags with the special value "all" matches all defined 
> 	 * addresses in the same realm as the tag.
> 	 *
> 	 * @param srcrealm defines which realm the source addresses belong 
> 	 * to. The common ip addresses used to access the load shared services
> 	 * must be connected to the source side of the map. 
> 	 *
> 	 * @param destrealm defines which realm the destination addresses  
> 	 * belong to (host network realm). The ip addresses of the hosts
> 	 * with the services to be load shared are on this realm.
> 	 *
> 	 * @param srcip is the ipv4 source ip address of a mapping.
> 	 *
> 	 * @param srcipto is the source ipv4 address that forms the upper 
> 	 * bound of an ip range.
> 	 *
> 	 * @param srcipnet is the ipv4 network which forms the source mapping.
> 	 *
> 	 * @param srctag maps all nat_realm definitions with the same tag as
> 	 * the source definition. The special tag value "all" matches all 
> 	 * definitions from the nat_realm with the same realm.
> 	 *
> 	 * @param srcport is the list of tcp and/or udp ports to be created.
> 	 *
> 	 * @param destip is the ipv4 destination address of the mapping
> 	 *
> 	 * @param destipto is the ipv4 address that forms the upper bound of 
> 	 * the destination ip range. 
> 	 *
> 	 * @param destipnet is the ipv4 network that is the destination ip 
> 	 * addresses for the mapping.
> 	 *
> 	 * @param desttag maps all nat_realm definitions with the same tag as
> 	 * the destination definition. The special tag value "all" matches all 
> 	 * definitions from the nat_realm with the same realm.
> 	 *
> 	 * @param destport is the tcp and/or udp port to load share.
> 	 *
> 	 * @param lsalgorithm defines the load sharing algorithm, and takes 
> 	 * the values: round-robin, random, (more ?), ...
> 	 *
> 	 */
> 
> 	/**
> 	 * create_lsnat_map4 function -
> 	 * Creates a lsnat_map4 table entry to the nat mappings.
> 	 */
> 	create_lsnat_map4	? description:txt & \
> 				srcrealm:txt & \
> 				srcip:ipv4 & srcipto:ipv4 & \
> 				srcipnet:ipv4net & \
> 				srctag:txt & \
> 				srcport:ipv4ports & \
> 				destrealm:txt & \
> 				destip:ipv4 & destipto:ipv4 & \
> 				destipnet:ipv4net & \
> 				desttag:txt & \
> 				destport:ipv4ports & \
> 				lsalgorithm:txt
> 
> 	/**
> 	 * delete_lsnat_map4 function -
> 	 * Deletes the lsnat_map4 table entries from the nat mappings that
> 	 * match all the defined parameters.
> 	 */
> 	delete_lsnat_map4	? srcrealm:txt & \
> 				srcip:ipv4 & srcipto:ipv4 & \
> 				srcipnet:ipv4net & \
> 				srctag:txt & \
> 				srcport:ipv4ports & \
> 				destrealm:txt & \
> 				destip:ipv4 & destipto:ipv4 & \
> 				destipnet:ipv4net & \
> 				desttag:txt & \
> 				destport:ipv4ports
> 
> 	/**
> 	 * get_lsnat_map4 function -
> 	 * Lists the lsnat_map4 table entries that match all the defined
> 	 * parameters. 
> 	 */
> 	get_lsnat_map4		? description:txt & \
> 				srcrealm:txt & \
> 				srcip:ipv4 & srcipto:ipv4 & \
> 				srcipnet:ipv4net & \
> 				srctag:txt & \
> 				srcport:ipv4ports & \
> 				destrealm:txt & \
> 				destip:ipv4 & destipto:ipv4 & \
> 				destipnet:ipv4net & \
> 				desttag:txt & \
> 				destport:ipv4ports & \
> 				lsalgorithm:txt -> lsnat_map4s:list
> }
> 
> _______________________________________________
> Xorp-hackers mailing list
> Xorp-hackers@icir.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/xorp-hackers
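As an added example (not part of the proposal or of XORP), a small Python model of the lsnat_map4 calls in the quoted XIF: `side_form` enforces the four address forms and their NULL rules from the kdoc text, and `LsnatMap4` implements create/get/delete as "match all supplied parameters", including the "all" tag. The class and function names and the in-memory table are my own assumptions; the realm/tag field names come from the XIF.

```python
import ipaddress

def side_form(ip=None, ipto=None, ipnet=None, tag=None):
    """Classify one side as ip, range, net or tag; unused parameters must be None."""
    if tag is not None:
        if ip or ipto or ipnet:
            raise ValueError("tag form: ip, ipto and ipnet must be NULL")
        return ("tag", tag)
    if ipnet is not None:
        if ip or ipto:
            raise ValueError("ipnet form: ip and ipto must be NULL")
        return ("net", ipaddress.IPv4Network(ipnet))
    if ip is None:
        raise ValueError("one of ip, ipnet or tag is required")
    lo = ipaddress.IPv4Address(ip)
    if ipto is None:
        return ("ip", lo)
    return ("range", (lo, ipaddress.IPv4Address(ipto)))
# Field names follow the create_lsnat_map4 signature in the XIF above.
KEYS = ("srcrealm", "srcip", "srcipto", "srcipnet", "srctag", "srcport",
        "destrealm", "destip", "destipto", "destipnet", "desttag", "destport",
        "lsalgorithm")

class LsnatMap4:
    """In-memory stand-in for the lsnat_map4 table (constructed model, not XORP)."""
    def __init__(self):
        self.rows = []

    def create(self, description, **p):
        for s in ("src", "dest"):  # each side must use exactly one address form
            side_form(*(p.get(s + f) for f in ("ip", "ipto", "ipnet", "tag")))
        self.rows.append({"description": description, **{k: p.get(k) for k in KEYS}})

    def _match(self, row, query):
        # Every supplied (non-None) parameter must agree; tag "all" matches any tagged row.
        for k, v in query.items():
            if v is None:
                continue
            if v == "all" and k in ("srctag", "desttag"):
                if row[k] is None:
                    return False
            elif row.get(k) != v:
                return False
        return True
    def get(self, **query):
        return [r for r in self.rows if self._match(r, query)]

    def delete(self, **query):
        kept = [r for r in self.rows if not self._match(r, query)]
        self.rows, removed = kept, len(self.rows) - len(kept)
        return removed
```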