Next: , Up: IPv4 Network Address Translation   [Contents][Index]


1.8.3.1 Auto NAT

Linux/NFTABLES NAT Configuration

NAT support is now integrated directly into TME via the NFTables API. TME writes a table into the NFTables Netfilter kernel module using the same native instructions that the nft tool compiles, via libnftnl. At a minimum, libnftnl and its headers (the development package) must be installed on the host system for this to work. In addition, nftables support must be configured into the kernel; the nft tool itself is not required unless further manual configuration is needed. Without these, TME reverts to the behaviour of version 0.9, where configuration must be done manually. Further manual configuration may still be necessary depending on your host system; for example, if NAT forwarding from the tap interface still does not work, you may have to flush the iptables forward chain (iptables -F FORWARD) or something similar. Further information about NFTables is available here.

To see the table written out to NFTables, run "nft list table tme". The output should be similar to the following:

table ip tme {
	chain prerouting {
		type nat hook prerouting priority 0;
	}
	chain postrouting {
		type nat hook postrouting priority 0;
		ip saddr $int_net oifname $ext_if snat $host
	}
}

where $int_net is the internal network number in CIDR format, $ext_if is the external interface to NAT to, and $host is the host name or address.
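As an added example (not TME's own code), the following POSIX shell function generates the same table for hosts where TME falls back to manual configuration because libnftnl is missing; the internal network, external interface and host address it takes are placeholders to be replaced with your own values, and the rule is written with the nft "snat to" keyword form.

```shell
#!/bin/sh
# Added example, not part of TME: emit the nftables table that TME's auto NAT
# would otherwise write, so it can be loaded by hand with the nft tool.
# Usage:  tme_nat_ruleset 10.0.2.0/24 eth0 192.0.2.10 | nft -f -
# Afterwards, 'nft list table tme' should show the table, and if forwarding
# from the tap interface still fails, 'iptables -F FORWARD' may be needed
# as described above.

tme_nat_ruleset() {
    int_net="$1"   # internal network in CIDR form, e.g. 10.0.2.0/24 (placeholder)
    ext_if="$2"    # external interface to NAT out of, e.g. eth0 (placeholder)
    host="$3"      # address the internal sources are rewritten to (placeholder)

    # Refuse a bare address: without a prefix length the rule would only
    # match one source host instead of the whole internal network.
    case "$int_net" in
        */[0-9]|*/[0-9][0-9]) ;;
        *) echo "tme_nat_ruleset: '$int_net' is not a CIDR prefix" >&2; return 1 ;;
    esac
    if [ -z "$ext_if" ] || [ -z "$host" ]; then
        echo "tme_nat_ruleset: usage: tme_nat_ruleset INT_NET EXT_IF HOST" >&2
        return 1
    fi

    # The source match and the outgoing-interface match together limit the
    # translation to traffic from the emulated network leaving via $ext_if.
    cat <<EOF
table ip tme {
	chain prerouting {
		type nat hook prerouting priority 0;
	}
	chain postrouting {
		type nat hook postrouting priority 0;
		ip saddr $int_net oifname "$ext_if" snat to $host
	}
}
EOF
}
```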

Arch Linux Users: TME should install right out of the box using the AUR source package builder. However, if the Arch libnftnl package is installed, TME will not compile correctly, because this version of TME does not work with the libnftnl version packaged for Arch. You will have to install the latest version of libnftnl manually as documented on the NFTables Wiki. Either the Git version or a snapshot should work.

NetBSD/NPF

NAT support is now integrated directly into TME via the NPF API. TME writes a ruleset configuration into the NPF kernel module using the same native instructions that the npfctl tool compiles, via libnpf. At a minimum, libnpf and its headers (the development package) must be installed on the host system for this to work. In addition, npf kernel module support must be configured into the kernel with the same version; the npfctl tool itself is not required unless further manual configuration is needed. Without these, NAT will not be set up. Further manual configuration may still be necessary depending on your host system. NPF is included with NetBSD 6.0 or later. Further information is available at www.netbsd.org or in the NetBSD man pages.

To see the ruleset written out to NPF, run "npfctl show". The output should be similar to the following:

map $ext_if dynamic any -> $host pass from { $int_net }

group (name "external", interface $ext_if) {
	pass stateful out final all
}

group (default) {
	pass final all
}

where $int_net is the internal network number in CIDR format, $ext_if is the external interface to NAT to, and $host is the host name or address.

BSD/PF

The fallback for most other BSD platforms is PF, which is supported on all the major BSD platforms. TME writes the rules directly using pfctl as documented in the next section.

