| <!-- |
| Documentation/_templates/layout.html |
| |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. The |
| ASF licenses this file to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance with the |
| License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| License for the specific language governing permissions and limitations |
| under the License. |
| --> |
| |
| |
| |
| <!DOCTYPE html> |
| <html class="writer-html5" lang="en"> |
| <head> |
| <meta charset="utf-8" /><meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" /> |
| |
| <meta name="viewport" content="width=device-width, initial-scale=1.0" /> |
| <title>Network Address Translation (NAT) — NuttX latest documentation</title> |
| <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" /> |
| <link rel="stylesheet" type="text/css" href="../../_static/css/theme.css" /> |
| <link rel="stylesheet" type="text/css" href="../../_static/copybutton.css" /> |
| <link rel="stylesheet" type="text/css" href="../../_static/custom.css" /> |
| |
| |
| <link rel="shortcut icon" href="../../_static/favicon.ico"/> |
| <script src="../../_static/jquery.js"></script> |
| <script src="../../_static/_sphinx_javascript_frameworks_compat.js"></script> |
| <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script> |
| <script src="../../_static/doctools.js"></script> |
| <script src="../../_static/sphinx_highlight.js"></script> |
| <script src="../../_static/clipboard.min.js"></script> |
| <script src="../../_static/copybutton.js"></script> |
| <script src="../../_static/js/theme.js"></script> |
| <link rel="index" title="Index" href="../../genindex.html" /> |
| <link rel="search" title="Search" href="../../search.html" /> |
| <link rel="next" title="Network Devices" href="netdev.html" /> |
| <link rel="prev" title="IP Packet Filter" href="ipfilter.html" /> |
| </head> |
| |
| <body class="wy-body-for-nav"> |
| <div class="wy-grid-for-nav"> |
| |
| <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"><nav class="wy-nav-top" aria-label="Mobile navigation menu" > |
| <i data-toggle="wy-nav-top" class="fa fa-bars"></i> |
| <a href="../../index.html">NuttX</a> |
| </nav> |
| |
| <div class="wy-nav-content"> |
| <div class="rst-content"> |
| <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> |
| <div itemprop="articleBody"> |
| |
| <section id="network-address-translation-nat"> |
| <h1>Network Address Translation (NAT)<a class="headerlink" href="#network-address-translation-nat" title="Permalink to this heading"></a></h1> |
| <p>NuttX supports full cone or symmetric NAT logic, which currently handles the following protocols:</p> |
| <ul class="simple"> |
| <li><p>TCP</p></li> |
| <li><p>UDP</p></li> |
| <li><p>ICMP</p> |
| <ul> |
| <li><p>ECHO (REQUEST & REPLY)</p></li> |
| <li><p>Error Messages (DEST_UNREACHABLE & TIME_EXCEEDED & PARAMETER_PROBLEM)</p></li> |
| </ul> |
| </li> |
| </ul> |
| <section id="workflow"> |
| <h2>Workflow<a class="headerlink" href="#workflow" title="Permalink to this heading"></a></h2> |
| <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>  Local Network (LAN)                          External Network (WAN) |
|                     |----------------| |
|        &lt;local IP,   |                | &lt;external IP,             &lt;peer IP, |
|          -----------|                |----------------------------- |
|        local port&gt;  |                |   external port&gt;         peer port&gt; |
|                     |----------------| |
| </pre></div> |
| </div> |
| <ul class="simple"> |
| <li><p>Outbound</p> |
| <ul> |
| <li><p><strong>LAN</strong> -> <strong>Forward</strong> -> <strong>NAT</strong> (only if targeting at WAN) -> <strong>WAN</strong></p></li> |
| <li><p>All packets from <strong>LAN</strong> and targeting at <strong>WAN</strong> will be masqueraded |
| with <code class="docutils literal notranslate"><span class="pre">local</span> <span class="pre">ip:port</span></code> changed to <code class="docutils literal notranslate"><span class="pre">external</span> <span class="pre">ip:port</span></code>.</p></li> |
| </ul> |
| </li> |
| <li><p>Inbound</p> |
| <ul> |
| <li><p><strong>WAN</strong> -> <strong>NAT</strong> (only from WAN, change destination) -> <strong>Forward</strong> -> <strong>LAN</strong></p></li> |
| <li><p>Packets from <strong>WAN</strong> will try to be changed back from |
| <code class="docutils literal notranslate"><span class="pre">external</span> <span class="pre">ip:port</span></code> to <code class="docutils literal notranslate"><span class="pre">local</span> <span class="pre">ip:port</span></code> and send to <strong>LAN</strong>.</p></li> |
| </ul> |
| </li> |
| </ul> |
| </section> |
| <section id="configuration-options"> |
| <h2>Configuration Options<a class="headerlink" href="#configuration-options" title="Permalink to this heading"></a></h2> |
| <dl class="simple"> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT</span></code></dt><dd><p>Enable or disable Network Address Translation (NAT) function. |
| Depends on <code class="docutils literal notranslate"><span class="pre">CONFIG_NET_IPFORWARD</span></code>.</p> |
| </dd> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT44</span></code> & <code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT66</span></code></dt><dd><p>Enable or disable NAT on IPv4 / IPv6. |
| Depends on <code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT</span></code>.</p> |
| </dd> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT44_FULL_CONE</span></code> & <code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT66_FULL_CONE</span></code></dt><dd><p>Enable Full Cone NAT logic. Full Cone NAT is easier to traverse than |
| Symmetric NAT, and uses fewer resources than Symmetric NAT.</p> |
| </dd> |
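| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT44_SYMMETRIC</span></code> & <code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT66_SYMMETRIC</span></code></dt><dd><p>Enable Symmetric NAT logic. Symmetric NAT is safer than Full Cone NAT, |
| but it is more difficult to traverse and keeps more entries, which may lead to heavier load. |
| By the usual definitions, a Full Cone mapping accepts inbound packets from any external peer |
| that sends to the mapped <code class="docutils literal notranslate"><span class="pre">external</span> <span class="pre">ip:port</span></code>, while a Symmetric mapping is tied to the |
| peer it was created for.</p> |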
| </dd> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT_HASH_BITS</span></code></dt><dd><p>The bits of the hashtable of NAT entries, hashtable has (1 << bits) buckets.</p> |
| </dd> |
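| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT_TCP_EXPIRE_SEC</span></code></dt><dd><p>The expiration time for an idle TCP entry in NAT. |
| The default value 86400 is suggested by RFC2663, Section 2.6, |
| Page 5, but it may be set to a shorter time, such as 240s, for better |
| performance. An idle entry stays in the NAT table until it expires, so a shorter |
| value frees unused mappings sooner, while a connection that stays idle for longer |
| than this value loses its mapping.</p> |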
| </dd> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT_UDP_EXPIRE_SEC</span></code></dt><dd><p>The expiration time for idle UDP entry in NAT.</p> |
| </dd> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT_ICMP_EXPIRE_SEC</span></code></dt><dd><p>The expiration time for idle ICMP entry in NAT.</p> |
| </dd> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT_ICMPv6_EXPIRE_SEC</span></code></dt><dd><p>The expiration time for idle ICMPv6 entry in NAT.</p> |
| </dd> |
| <dt><code class="docutils literal notranslate"><span class="pre">CONFIG_NET_NAT_ENTRY_RECLAIM_SEC</span></code></dt><dd><p>The time to auto reclaim all expired NAT entries. A value of zero will |
| disable auto reclaiming. |
| Expired entries will be automatically reclaimed when matching |
| inbound/outbound entries, so this config does not have significant |
| impact when NAT is normally used, but very useful when the hashtable |
| is big and there are only a few connections using NAT (which will |
| only trigger reclaiming on a few chains in hashtable).</p> |
| </dd> |
| </dl> |
| </section> |
| <section id="usage"> |
| <h2>Usage<a class="headerlink" href="#usage" title="Permalink to this heading"></a></h2> |
| <blockquote> |
| <div><ul class="simple"> |
| <li><p><a class="reference internal" href="#c.nat_enable" title="nat_enable"><code class="xref c c-func docutils literal notranslate"><span class="pre">nat_enable()</span></code></a></p></li> |
| <li><p><a class="reference internal" href="#c.nat_disable" title="nat_disable"><code class="xref c c-func docutils literal notranslate"><span class="pre">nat_disable()</span></code></a></p></li> |
| </ul> |
| </div></blockquote> |
| <dl class="c function"> |
| <dt class="sig sig-object c" id="c.nat_enable"> |
| <span class="kt"><span class="pre">int</span></span><span class="w"> </span><span class="sig-name descname"><span class="n"><span class="pre">nat_enable</span></span></span><span class="sig-paren">(</span><span class="pre">FAR</span><span class="w"> </span><span class="k"><span class="pre">struct</span></span><span class="w"> </span><a class="reference internal" href="netdev.html#c.net_driver_s" title="net_driver_s"><span class="n"><span class="pre">net_driver_s</span></span></a><span class="w"> </span><span class="p"><span class="pre">*</span></span><span class="n"><span class="pre">dev</span></span><span class="sig-paren">)</span><span class="p"><span class="pre">;</span></span><a class="headerlink" href="#c.nat_enable" title="Permalink to this definition"></a><br /></dt> |
| <dd><p>Enable NAT function on a network device, on which the outbound packets |
| will be masqueraded.</p> |
| <dl class="field-list simple"> |
| <dt class="field-odd">Returns<span class="colon">:</span></dt> |
| <dd class="field-odd"><p>Zero is returned if NAT function is successfully enabled on |
| the device; A negated errno value is returned if failed.</p> |
| </dd> |
| </dl> |
| </dd></dl> |
| |
| <dl class="c function"> |
| <dt class="sig sig-object c" id="c.nat_disable"> |
| <span class="kt"><span class="pre">int</span></span><span class="w"> </span><span class="sig-name descname"><span class="n"><span class="pre">nat_disable</span></span></span><span class="sig-paren">(</span><span class="pre">FAR</span><span class="w"> </span><span class="k"><span class="pre">struct</span></span><span class="w"> </span><a class="reference internal" href="netdev.html#c.net_driver_s" title="net_driver_s"><span class="n"><span class="pre">net_driver_s</span></span></a><span class="w"> </span><span class="p"><span class="pre">*</span></span><span class="n"><span class="pre">dev</span></span><span class="sig-paren">)</span><span class="p"><span class="pre">;</span></span><a class="headerlink" href="#c.nat_disable" title="Permalink to this definition"></a><br /></dt> |
| <dd><p>Disable NAT function on a network device.</p> |
| <dl class="field-list simple"> |
| <dt class="field-odd">Returns<span class="colon">:</span></dt> |
| <dd class="field-odd"><p>Zero is returned if NAT function is successfully disabled on |
| the device; A negated errno value is returned if failed.</p> |
| </dd> |
| </dl> |
| </dd></dl> |
| |
| </section> |
| <section id="validation"> |
| <h2>Validation<a class="headerlink" href="#validation" title="Permalink to this heading"></a></h2> |
| <p>Validated on Ubuntu 22.04 x86_64 with NuttX SIM by the following steps:</p> |
| <ol class="arabic simple"> |
| <li><p>Configure NuttX with >=2 TAP devices (host route mode) and NAT enabled:</p></li> |
| </ol> |
| <blockquote> |
| <div><div class="highlight-Kconfig notranslate"><div class="highlight"><pre><span></span><span class="c1"># CONFIG_NET_NAT depends on CONFIG_NET_IPFORWARD, so both are enabled</span> |
| CONFIG_NET_IPFORWARD=y |
| CONFIG_NET_NAT=y |
| <span class="c1"># CONFIG_SIM_NET_BRIDGE is not set</span> |
| <span class="c1"># Two simulated network devices, matching the "at least 2 TAP devices" of this step</span> |
| CONFIG_SIM_NETDEV_NUMBER=2 |
| </pre></div> |
| </div> |
| </div></blockquote> |
| <ol class="arabic simple" start="2"> |
| <li><p>Call <code class="docutils literal notranslate"><span class="pre">nat_enable</span></code> on one dev on startup, or manually enable NAT |
| with <code class="docutils literal notranslate"><span class="pre">iptables</span></code> command (either may work).</p></li> |
| </ol> |
| <blockquote> |
| <div><div class="highlight-c notranslate"><div class="highlight"><pre><span></span><span class="cm">/* arch/sim/src/sim/up_netdriver.c */</span> |
| <span class="kt">int</span><span class="w"> </span><span class="nf">netdriver_init</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> |
| <span class="p">{</span> |
| <span class="w"> </span><span class="p">...</span> |
| <span class="w"> </span><span class="cm">/* Enable NAT on g_sim_dev[0]; outbound packets on this device are masqueraded. */</span> |
| <span class="w"> </span><span class="cm">/* nat_enable() returns zero on success or a negated errno value; this example does not check it. */</span> |
| <span class="w"> </span><span class="n">nat_enable</span><span class="p">(</span><span class="o">&</span><span class="n">g_sim_dev</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span> |
| <span class="w"> </span><span class="p">...</span> |
| <span class="p">}</span> |
| </pre></div> |
| </div> |
| <div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># Alternative to calling nat_enable() in code: masquerade packets going out through eth0</span> |
| iptables<span class="w"> </span>-t<span class="w"> </span>nat<span class="w"> </span>-A<span class="w"> </span>POSTROUTING<span class="w"> </span>-o<span class="w"> </span>eth0<span class="w"> </span>-j<span class="w"> </span>MASQUERADE |
| </pre></div> |
| </div> |
| </div></blockquote> |
| <ol class="arabic simple" start="3"> |
| <li><p>Set IP Address for NuttX on startup</p></li> |
| </ol> |
| <blockquote> |
| <div><div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># eth0: same subnet as the host address 10.0.1.1 configured in step 4</span> |
| ifconfig<span class="w"> </span>eth0<span class="w"> </span><span class="m">10</span>.0.1.2 |
| ifup<span class="w"> </span>eth0 |
| <span class="c1"># eth1: same subnet as 10.0.10.1 in the LAN namespace; step 4 uses 10.0.10.2 as the LAN default gateway</span> |
| ifconfig<span class="w"> </span>eth1<span class="w"> </span><span class="m">10</span>.0.10.2 |
| ifup<span class="w"> </span>eth1 |
| |
| <span class="c1"># IPv6, if needed; eth0 uses the host address fc00:1::1 as its gateway</span> |
| ifconfig<span class="w"> </span>eth0<span class="w"> </span>inet6<span class="w"> </span>add<span class="w"> </span>fc00:1::2/64<span class="w"> </span>gw<span class="w"> </span>fc00:1::1 |
| ifconfig<span class="w"> </span>eth1<span class="w"> </span>inet6<span class="w"> </span>add<span class="w"> </span>fc00:10::2/64 |
| </pre></div> |
| </div> |
| </div></blockquote> |
| <ol class="arabic simple" start="4"> |
| <li><p>Configure IP, namespace and route on the host side (root may be required; if so, try <code class="docutils literal notranslate"><span class="pre">sudo</span> <span class="pre">-i</span></code>)</p></li> |
| </ol> |
| <blockquote> |
| <div><div class="highlight-bash notranslate"><div class="highlight"><pre><span></span><span class="c1"># IF_HOST is the host interface used below as the masquerade output; adjust it to the local interface name</span> |
| <span class="nv">IF_HOST</span><span class="o">=</span><span class="s2">"enp1s0"</span> |
| <span class="c1"># IF_0 stays in the host's default namespace; IF_1 is moved into the LAN namespace below</span> |
| <span class="nv">IF_0</span><span class="o">=</span><span class="s2">"tap0"</span> |
| <span class="nv">IP_HOST_0</span><span class="o">=</span><span class="s2">"10.0.1.1"</span> |
| <span class="nv">IF_1</span><span class="o">=</span><span class="s2">"tap1"</span> |
| <span class="nv">IP_HOST_1</span><span class="o">=</span><span class="s2">"10.0.10.1"</span> |
| <span class="nv">IP_NUTTX_1</span><span class="o">=</span><span class="s2">"10.0.10.2"</span> |
| |
| <span class="c1"># add net namespace LAN for $IF_1 (forwarding is enabled inside the namespace only)</span> |
| ip<span class="w"> </span>netns<span class="w"> </span>add<span class="w"> </span>LAN |
| ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>sysctl<span class="w"> </span>-w<span class="w"> </span>net.ipv4.ip_forward<span class="o">=</span><span class="m">1</span> |
| ip<span class="w"> </span>link<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="nv">$IF_1</span><span class="w"> </span>netns<span class="w"> </span>LAN |
| ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ip<span class="w"> </span>link<span class="w"> </span><span class="nb">set</span><span class="w"> </span><span class="nv">$IF_1</span><span class="w"> </span>up |
| ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ip<span class="w"> </span>link<span class="w"> </span><span class="nb">set</span><span class="w"> </span>lo<span class="w"> </span>up |
| |
| <span class="c1"># add address and set default route: everything leaving the LAN namespace goes via NuttX ($IP_NUTTX_1)</span> |
| ip<span class="w"> </span>addr<span class="w"> </span>add<span class="w"> </span><span class="nv">$IP_HOST_0</span>/24<span class="w"> </span>dev<span class="w"> </span><span class="nv">$IF_0</span> |
| ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ip<span class="w"> </span>addr<span class="w"> </span>add<span class="w"> </span><span class="nv">$IP_HOST_1</span>/24<span class="w"> </span>dev<span class="w"> </span><span class="nv">$IF_1</span> |
| ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ip<span class="w"> </span>route<span class="w"> </span>add<span class="w"> </span>default<span class="w"> </span>dev<span class="w"> </span><span class="nv">$IF_1</span><span class="w"> </span>via<span class="w"> </span><span class="nv">$IP_NUTTX_1</span> |
| |
| <span class="c1"># nat to allow NuttX to access the internet</span> |
| <span class="c1"># NOTE(review): the two FORWARD rules accept all traffic between $IF_HOST and $IF_0 in both directions,</span> |
| <span class="c1"># with no connection-state match. They are appended with -A and, like the sysctl below, change the whole</span> |
| <span class="c1"># host until they are removed (iptables -D with the same arguments) or the previous value is restored.</span> |
| iptables<span class="w"> </span>-t<span class="w"> </span>nat<span class="w"> </span>-A<span class="w"> </span>POSTROUTING<span class="w"> </span>-o<span class="w"> </span><span class="nv">$IF_HOST</span><span class="w"> </span>-j<span class="w"> </span>MASQUERADE |
| iptables<span class="w"> </span>-A<span class="w"> </span>FORWARD<span class="w"> </span>-i<span class="w"> </span><span class="nv">$IF_HOST</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">$IF_0</span><span class="w"> </span>-j<span class="w"> </span>ACCEPT |
| iptables<span class="w"> </span>-A<span class="w"> </span>FORWARD<span class="w"> </span>-i<span class="w"> </span><span class="nv">$IF_0</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">$IF_HOST</span><span class="w"> </span>-j<span class="w"> </span>ACCEPT |
| sysctl<span class="w"> </span>-w<span class="w"> </span>net.ipv4.ip_forward<span class="o">=</span><span class="m">1</span> |
| |
| <span class="c1"># IPv6, if needed</span> |
| <span class="nv">IP6_HOST_0</span><span class="o">=</span><span class="s2">"fc00:1::1"</span> |
| <span class="nv">IP6_HOST_1</span><span class="o">=</span><span class="s2">"fc00:10::1"</span> |
| <span class="nv">IP6_NUTTX_1</span><span class="o">=</span><span class="s2">"fc00:10::2"</span> |
| |
| <span class="c1"># add address and set default route (IPv6 counterpart of the IPv4 commands above)</span> |
| ip<span class="w"> </span>-6<span class="w"> </span>addr<span class="w"> </span>add<span class="w"> </span><span class="nv">$IP6_HOST_0</span>/64<span class="w"> </span>dev<span class="w"> </span><span class="nv">$IF_0</span> |
| ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ip<span class="w"> </span>-6<span class="w"> </span>addr<span class="w"> </span>add<span class="w"> </span><span class="nv">$IP6_HOST_1</span>/64<span class="w"> </span>dev<span class="w"> </span><span class="nv">$IF_1</span> |
| ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ip<span class="w"> </span>-6<span class="w"> </span>route<span class="w"> </span>add<span class="w"> </span>default<span class="w"> </span>dev<span class="w"> </span><span class="nv">$IF_1</span><span class="w"> </span>via<span class="w"> </span><span class="nv">$IP6_NUTTX_1</span> |
| |
| <span class="c1"># nat to allow NuttX to access the internet (same scope note as for the IPv4 rules: host-wide, kept until removed)</span> |
| ip6tables<span class="w"> </span>-t<span class="w"> </span>nat<span class="w"> </span>-A<span class="w"> </span>POSTROUTING<span class="w"> </span>-o<span class="w"> </span><span class="nv">$IF_HOST</span><span class="w"> </span>-j<span class="w"> </span>MASQUERADE |
| ip6tables<span class="w"> </span>-A<span class="w"> </span>FORWARD<span class="w"> </span>-i<span class="w"> </span><span class="nv">$IF_HOST</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">$IF_0</span><span class="w"> </span>-j<span class="w"> </span>ACCEPT |
| ip6tables<span class="w"> </span>-A<span class="w"> </span>FORWARD<span class="w"> </span>-i<span class="w"> </span><span class="nv">$IF_0</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">$IF_HOST</span><span class="w"> </span>-j<span class="w"> </span>ACCEPT |
| sysctl<span class="w"> </span>-w<span class="w"> </span>net.ipv6.conf.all.forwarding<span class="o">=</span><span class="m">1</span> |
| </pre></div> |
| </div> |
| </div></blockquote> |
| <ol class="arabic simple" start="5"> |
| <li><p>Anything done in the LAN namespace will go through NAT</p></li> |
| </ol> |
| <blockquote> |
| <div><div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># Host side: iperf server (-s) bound to the host address 10.0.1.1, reporting every second</span> |
| iperf<span class="w"> </span>-B<span class="w"> </span><span class="m">10</span>.0.1.1<span class="w"> </span>-s<span class="w"> </span>-i<span class="w"> </span><span class="m">1</span> |
| <span class="c1"># LAN side: iperf client run inside the LAN namespace, bound to 10.0.10.1 and connecting to the host server</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>iperf<span class="w"> </span>-B<span class="w"> </span><span class="m">10</span>.0.10.1<span class="w"> </span>-c<span class="w"> </span><span class="m">10</span>.0.1.1<span class="w"> </span>-i<span class="w"> </span><span class="m">1</span> |
| </pre></div> |
| </div> |
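| <div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># Host side: HTTP server for the LAN-side requests. -b :: binds to every address of the host and</span> |
| <span class="c1"># http.server serves the current directory, so start it from a directory that holds nothing private.</span> |
| python3<span class="w"> </span>-m<span class="w"> </span>http.server<span class="w"> </span>-b<span class="w"> </span>:: |
| <span class="c1"># LAN side: 20000 requests over IPv4, then 20000 over IPv6, each one a new connection through NAT.</span> |
| <span class="c1"># stdout goes to /dev/null and stderr follows it with 2>&1 (a bare 2>1 would write stderr to a file named "1").</span> |
| <span class="k">for</span><span class="w"> </span>i<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="o">{</span><span class="m">1</span>..20000<span class="o">}</span><span class="p">;</span><span class="w"> </span><span class="k">do</span><span class="w"> </span>sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>curl<span class="w"> </span><span class="s1">'http://10.0.1.1:8000/'</span><span class="w"> </span>><span class="w"> </span>/dev/null<span class="w"> </span><span class="m">2</span>>&1<span class="p">;</span><span class="w"> </span><span class="k">done</span> |
| <span class="k">for</span><span class="w"> </span>i<span class="w"> </span><span class="k">in</span><span class="w"> </span><span class="o">{</span><span class="m">1</span>..20000<span class="o">}</span><span class="p">;</span><span class="w"> </span><span class="k">do</span><span class="w"> </span>sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>curl<span class="w"> </span><span class="s1">'http://[fc00:1::1]:8000/'</span><span class="w"> </span>><span class="w"> </span>/dev/null<span class="w"> </span><span class="m">2</span>>&1<span class="p">;</span><span class="w"> </span><span class="k">done</span> |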
| </pre></div> |
| </div> |
| <div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># LAN side</span> |
| <span class="c1"># Both targets are public addresses (Google Public DNS), so these echo requests leave the test network</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ping<span class="w"> </span><span class="m">8</span>.8.8.8 |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>ping<span class="w"> </span><span class="m">2001</span>:4860:4860::8888 |
| </pre></div> |
| </div> |
| <div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># LAN side</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>traceroute<span class="w"> </span>-n<span class="w"> </span><span class="m">8</span>.8.8.8<span class="w"> </span><span class="c1"># UDP probes: ICMP error messages raised for UDP packets</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>traceroute<span class="w"> </span>-n<span class="w"> </span>-T<span class="w"> </span><span class="m">8</span>.8.8.8<span class="w"> </span><span class="c1"># TCP probes: ICMP error messages raised for TCP packets</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>traceroute<span class="w"> </span>-n<span class="w"> </span>-I<span class="w"> </span><span class="m">8</span>.8.8.8<span class="w"> </span><span class="c1"># ICMP echo probes: ICMP error messages raised for ICMP packets</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>traceroute<span class="w"> </span>-n<span class="w"> </span><span class="m">2001</span>:4860:4860::8888<span class="w"> </span><span class="c1"># IPv6, UDP probes</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>traceroute<span class="w"> </span>-n<span class="w"> </span>-T<span class="w"> </span><span class="m">2001</span>:4860:4860::8888<span class="w"> </span><span class="c1"># IPv6, TCP probes</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>traceroute<span class="w"> </span>-n<span class="w"> </span>-I<span class="w"> </span><span class="m">2001</span>:4860:4860::8888<span class="w"> </span><span class="c1"># IPv6, ICMP echo probes</span> |
| </pre></div> |
| </div> |
| <div class="highlight-shell notranslate"><div class="highlight"><pre><span></span><span class="c1"># Host side (packet capture normally needs root privileges; -nn prints addresses and ports numerically)</span> |
| tcpdump<span class="w"> </span>-nn<span class="w"> </span>-i<span class="w"> </span>tap0 |
| <span class="c1"># LAN side (same capture on tap1, inside the LAN namespace)</span> |
| sudo<span class="w"> </span>ip<span class="w"> </span>netns<span class="w"> </span><span class="nb">exec</span><span class="w"> </span>LAN<span class="w"> </span>tcpdump<span class="w"> </span>-nn<span class="w"> </span>-i<span class="w"> </span>tap1 |
| </pre></div> |
| </div> |
| </div></blockquote> |
| </section> |
| </section> |
| |
| |
| </div> |
| </div> |
| <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer"> |
| </div> |
| |
| <hr/> |
| |
| <div role="contentinfo"> |
| <p>© Copyright 2023, The Apache Software Foundation.</p> |
| </div> |
| |
| |
| |
| </footer> |
| </div> |
| </div> |
| </section> |
| </div> |
| <script> |
| // Runs once the DOM is ready and turns on the theme's navigation. |
| // NOTE(review): the `true` argument presumably selects sticky navigation; confirm against the theme's JS. |
| jQuery(function () { |
| SphinxRtdTheme.Navigation.enable(true); |
| }); |
| </script> |
| |
| </body> |
| </html> |