* SNAT using the same internal address multiple times
@ 2013-02-05  8:05 Alex Bligh
  2013-02-06 10:52 ` Jimmy Thrasibule
  0 siblings, 1 reply; 7+ messages in thread
From: Alex Bligh @ 2013-02-05  8:05 UTC (permalink / raw)
  To: netfilter; +Cc: Alex Bligh

Is it possible to use SNAT like this? (what I'm really asking is whether one can use the ingress interface as part of the NAT tuple):

                  LINUX
   eth0 <-------- ROUTER ----------- 10.0.1.0/24
                  \\\\\\\------------ 10.0.1.0/24
                   \\\\\\------------ 10.0.1.0/24
                    \\\\\------------ 10.0.1.0/24
                     \\\\------------ 10.0.1.0/24
                      \\\------------ 10.0.1.0/24
                       \\------------ 10.0.1.0/24
                        \------------ 10.0.1.0/24

Each private / internal address is the same on every interface. I plan to use
unnumbered interfaces and proxy ARP at the linux level.

-- 
Alex Bligh






* Re: SNAT using the same internal address multiple times
  2013-02-05  8:05 SNAT using the same internal address multiple times Alex Bligh
@ 2013-02-06 10:52 ` Jimmy Thrasibule
  2013-02-06 11:47   ` Lazuardi Nasution
  2013-02-07  9:21   ` Alex Bligh
  0 siblings, 2 replies; 7+ messages in thread
From: Jimmy Thrasibule @ 2013-02-06 10:52 UTC (permalink / raw)
  To: Alex Bligh; +Cc: netfilter

> Is it possible to use SNAT like this? (what I'm really asking is whether one can use the ingress interface as part of the NAT tuple):
> 
>                   LINUX
>    eth0 <-------- ROUTER ----------- 10.0.1.0/24
>                   \\\\\\\------------ 10.0.1.0/24
>                    \\\\\\------------ 10.0.1.0/24
>                     \\\\\------------ 10.0.1.0/24
>                      \\\\------------ 10.0.1.0/24
>                       \\\------------ 10.0.1.0/24
>                        \\------------ 10.0.1.0/24
>                         \------------ 10.0.1.0/24
> 
> Each private / internal address is the same on every interface. I plan to use
> unnumbered interfaces and proxy ARP at the linux level.
> 

Hi Alex,

I don't really get what you are trying to achieve. Can you detail a
little bit more?


Jimmy




* Re: SNAT using the same internal address multiple times
  2013-02-06 10:52 ` Jimmy Thrasibule
@ 2013-02-06 11:47   ` Lazuardi Nasution
  2013-02-07  9:21   ` Alex Bligh
  1 sibling, 0 replies; 7+ messages in thread
From: Lazuardi Nasution @ 2013-02-06 11:47 UTC (permalink / raw)
  To: Jimmy Thrasibule; +Cc: Alex Bligh, netfilter

Hi Jimmy,

Why don't you use interface bonding/teaming for having multiple
interfaces with a single IP address?

Best regards,

On Wed, Feb 6, 2013 at 5:52 PM, Jimmy Thrasibule
<thrasibule.jimmy@gmail.com> wrote:
>> Is it possible to use SNAT like this? (what I'm really asking is whether one can use the ingress interface as part of the NAT tuple):
>>
>>                   LINUX
>>    eth0 <-------- ROUTER ----------- 10.0.1.0/24
>>                   \\\\\\\------------ 10.0.1.0/24
>>                    \\\\\\------------ 10.0.1.0/24
>>                     \\\\\------------ 10.0.1.0/24
>>                      \\\\------------ 10.0.1.0/24
>>                       \\\------------ 10.0.1.0/24
>>                        \\------------ 10.0.1.0/24
>>                         \------------ 10.0.1.0/24
>>
>> Each private / internal address is the same on every interface. I plan to use
>> unnumbered interfaces and proxy ARP at the linux level.
>>
>
> Hi Alex,
>
> I don't really get what you are trying to achieve. Can you detail a
> little bit more?
>
>
> Jimmy
>
>


* Re: SNAT using the same internal address multiple times
  2013-02-06 10:52 ` Jimmy Thrasibule
  2013-02-06 11:47   ` Lazuardi Nasution
@ 2013-02-07  9:21   ` Alex Bligh
  2013-02-07 16:56     ` Jimmy Thrasibule
  1 sibling, 1 reply; 7+ messages in thread
From: Alex Bligh @ 2013-02-07  9:21 UTC (permalink / raw)
  To: Jimmy Thrasibule; +Cc: Alex Bligh, netfilter

Jimmy,

On 6 Feb 2013, at 10:52, Jimmy Thrasibule wrote:

>> Is it possible to use SNAT like this? (what I'm really asking is whether one can use the ingress interface as part of the NAT tuple):
>> 
>>                  LINUX
>>   eth0 <-------- ROUTER ----------- 10.0.1.0/24
>>                  \\\\\\\------------ 10.0.1.0/24
>>                   \\\\\\------------ 10.0.1.0/24
>>                    \\\\\------------ 10.0.1.0/24
>>                     \\\\------------ 10.0.1.0/24
>>                      \\\------------ 10.0.1.0/24
>>                       \\------------ 10.0.1.0/24
>>                        \------------ 10.0.1.0/24
>> 
>> Each private / internal address is the same on every interface. I plan to use
>> unnumbered interfaces and proxy ARP at the linux level.
>> 
> 
> Hi Alex,
> 
> I don't really get what you are trying to achieve. Can you detail a
> little bit more?

A typical use case: consider all the downstream interfaces are veth
interfaces into either a network container (separate namespaces) or
bridge interfaces into a VM. Let's assume you want to number the
ethernet interface in the container/VM with the same IP address (*)
(10.0.1.1/24 in the above example) and the router will act both
as default route and proxy ARP for things apparently on the same
subnet. Assume the only requirement is for outbound connectivity
through eth0.

There's no reason in theory (I think) why such a NAT should not
work. Outbound packets get NATted to the IP of eth0 saving
the inbound interface in the NAT table. Inbound packets are matched
against the NAT table, have their destination rewritten to the
original source address, and are routed directly out the interface
from which the relevant inbound connection came, rather like a
static interface route.

My question is: does iptables support this?


(*) = why on earth would I want to do this? Suppose you have a huge
number of VMs which can live migrate between physical machines. Without
this, IP addressing needs to be globally unique across all VMs
across all physical machines. This is somewhat tedious.

-- 
Alex Bligh
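To make the lookup Alex describes concrete, here is an added Python model (not netfilter code, and not from anyone in this thread) of a SNAT table that keys on the ingress interface in addition to the usual 5-tuple, beside the same table keyed on the 5-tuple alone. The interface names `veth_a`/`veth_b`, the eth0 address 192.0.2.10, the server 203.0.113.5 and the flows are constructed sample values.

```python
"""Model of a per-interface SNAT table (added illustration, not netfilter)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXT_IP = "192.0.2.10"  # assumed eth0 address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Flow:
    """One direction of a connection: the classic conntrack 5-tuple."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """SNAT / un-SNAT table.

    use_iface=True  : the ingress interface is part of the key, as the
                      scheme in the thread needs.
    use_iface=False : plain 5-tuple key, which cannot tell two VMs that
                      share 10.0.1.1 apart.
    """

    def __init__(self, ext_ip: str, use_iface: bool, first_port: int = 40000):
        self.ext_ip = ext_ip
        self.use_iface = use_iface
        self.next_port = first_port
        # outbound key -> external source port allocated for it
        self.out: Dict[Tuple, int] = {}
        # (proto, remote_ip, remote_port, ext_port) -> (ingress iface, original flow)
        self.back: Dict[Tuple, Tuple[str, Flow]] = {}

    def _key(self, iface: str, flow: Flow) -> Tuple:
        return (iface, flow) if self.use_iface else (flow,)

    def outbound(self, in_iface: str, flow: Flow) -> Flow:
        """Packet from a VM towards eth0: allocate (or reuse) an external port
        and remember which interface the connection arrived on."""
        key = self._key(in_iface, flow)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(flow.proto, flow.dst_ip, flow.dst_port, port)] = (in_iface, flow)
        return Flow(flow.proto, self.ext_ip, self.out[key], flow.dst_ip, flow.dst_port)

    def inbound(self, reply: Flow) -> Optional[Tuple[str, Flow]]:
        """Reply from outside: restore the VM address and return the interface
        the packet must leave on (the 'static interface route' of the thread)."""
        if reply.dst_ip != self.ext_ip:
            return None
        entry = self.back.get((reply.proto, reply.src_ip, reply.src_port, reply.dst_port))
        if entry is None:
            return None
        in_iface, orig = entry
        return in_iface, Flow(reply.proto, reply.src_ip, reply.src_port,
                              orig.src_ip, orig.src_port)


def simulate(use_iface: bool) -> dict:
    """Two VMs, both numbered 10.0.1.1, open a connection from the same source
    port to the same server (constructed worst case); report what happens."""
    nat = NatTable(EXT_IP, use_iface)
    vm_flow = Flow("tcp", "10.0.1.1", 51000, "203.0.113.5", 443)
    ext_a = nat.outbound("veth_a", vm_flow)
    ext_b = nat.outbound("veth_b", vm_flow)
    # the server answers whatever external port it saw for each connection
    reply_a = Flow("tcp", "203.0.113.5", 443, ext_a.src_ip, ext_a.src_port)
    reply_b = Flow("tcp", "203.0.113.5", 443, ext_b.src_ip, ext_b.src_port)
    return {
        "ext_ports": (ext_a.src_port, ext_b.src_port),
        "reply_a_iface": nat.inbound(reply_a)[0],
        "reply_b_iface": nat.inbound(reply_b)[0],
    }


if __name__ == "__main__":
    print("interface in key :", simulate(True))
    print("5-tuple only     :", simulate(False))
```

Keyed on the 5-tuple alone, the second VM's identical connection matches the first VM's entry, both share one external port, and the reply meant for `veth_b` is delivered out `veth_a`. With the interface in the key each VM gets its own external port and replies leave on the interface they came in on. In netfilter the conntrack tuple itself carries no ingress interface; conntrack zones (`iptables -t raw ... -i <iface> -j CT --zone N`) are the facility that plays the role of the `iface` component of the key in this model.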






* Re: SNAT using the same internal address multiple times
  2013-02-07  9:21   ` Alex Bligh
@ 2013-02-07 16:56     ` Jimmy Thrasibule
  2013-02-07 20:39       ` Alex Bligh
  0 siblings, 1 reply; 7+ messages in thread
From: Jimmy Thrasibule @ 2013-02-07 16:56 UTC (permalink / raw)
  To: Alex Bligh; +Cc: netfilter

> A typical use case: consider all the downstream interfaces are veth
> interfaces into either a network container (separate namespaces) or
> bridge interfaces into a VM. Let's assume you want to number the
> ethernet interface in the container/VM with the same IP address (*)
> (10.0.1.1/24 in the above example) and the router will act both
> as default route and proxy ARP for things apparently on the same
> subnet. Assume the only requirement is for outbound connectivity
> through eth0.

OK, the problem here is to keep your interface MAC address when sending
a packet. You have the `bonding` driver to group interfaces but I don't
think it permits such a thing as it is more for load-balancing.

Maybe the team [1] driver can help here as you can script it.

[1] https://fedorahosted.org/libteam/

> There's no reason in theory (I think) why such a NAT should not
> work. Outbound packets get NATted to the IP of eth0 saving
> the inbound interface in the NAT table. Inbound packets are matched
> against the NAT table, have their destination rewritten to the
> original source address, and are routed directly out the interface
> from which the relevant inbound connection came, rather like a
> static interface route.
> 
> My question is does iptables support this?

As long as you give iptables the interface or the IP address, the NAT
should be OK. Your problem is to group the interfaces and keep the MAC
addresses.

>(*) = why on earth would I want to do this? Suppose you have a huge
>number of VMs which can live migrate between physical machines. Without
>this, IP addressing needs to be globally unique across all VMs
>across all physical machines. This is somewhat tedious.

But in any case, how would you set up your virtual machines as they need
an IP address?


Jimmy




* Re: SNAT using the same internal address multiple times
  2013-02-07 16:56     ` Jimmy Thrasibule
@ 2013-02-07 20:39       ` Alex Bligh
  2013-02-08  1:51         ` Amos Jeffries
  0 siblings, 1 reply; 7+ messages in thread
From: Alex Bligh @ 2013-02-07 20:39 UTC (permalink / raw)
  To: Jimmy Thrasibule; +Cc: Alex Bligh, netfilter


On 7 Feb 2013, at 16:56, Jimmy Thrasibule wrote:

> OK, the problem here is to keep your interface MAC address when sending
> a packet. You have the `bonding` driver to group interface but I don't
> think it permits such a thing as it is more for load-balancing.

Towards the VM? It doesn't care about the originating MAC. The destination
MAC should be in the neighbor table in the normal way.

>> (*) = why on earth would I want to do this? Suppose you have a huge
>> number of VMs which can live migrate between physical machines. Without
>> this, IP addressing needs to be globally unique across all VMs
>> across all physical machines. This is somewhat tedious.
> 
> But in any case, how would you set up your virtual machines as they need
> an IP address?

I could configure them statically. Actually what I'd do is use an extremely
lightweight tiny DHCP server I have written that would simply answer with
the same IP address for any query. Given they all have the same IP address,
this seems satisfactory.

-- 
Alex Bligh






* Re: SNAT using the same internal address multiple times
  2013-02-07 20:39       ` Alex Bligh
@ 2013-02-08  1:51         ` Amos Jeffries
  0 siblings, 0 replies; 7+ messages in thread
From: Amos Jeffries @ 2013-02-08  1:51 UTC (permalink / raw)
  To: Alex Bligh; +Cc: Jimmy Thrasibule, netfilter

On 8/02/2013 9:39 a.m., Alex Bligh wrote:
> On 7 Feb 2013, at 16:56, Jimmy Thrasibule wrote:
>
>> OK, the problem here is to keep your interface MAC address when sending
>> a packet. You have the `bonding` driver to group interface but I don't
>> think it permits such a thing as it is more for load-balancing.
> Towards the VM? It doesn't care about the originating MAC. The destination
> MAC should be in the neighbor table in the normal way.
>
>>> (*) = why on earth would I want to do this? Suppose you have a huge
>>> number of VMs which can live migrate between physical machines. Without
>>> this, IP addressing needs to be globally unique across all VMs
>>> across all physical machines. This is somewhat tedious.
>> But in any case, how would you set up your virtual machines as they need
>> an IP address?
> I could configure them statically. Actually what I'd do is use an extremely
> lightweight tiny DHCP server I have written that would simply answer with
> the same IP address for any query. Given they all have the same IP address,
> this seems satisfactory.
>

What I'd do is access them all individually using their automatic fe80:: 
internal MAC-based IPv6 address.
This address often works regardless of what global access IPv4 or IPv6 
address screwups have been done, allowing easy administrative fixes of 
said problems.

AYJ
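As an added illustration of the address Amos refers to (my example, not part of his message): the fe80::/64 link-local address a guest derives from its MAC under the modified EUI-64 rule, computed in Python so an administrator can work out the address to reach a VM on its veth without knowing its IPv4 configuration. The sample MAC and the interface name are constructed.

```python
"""Derive the EUI-64 link-local address from a MAC (added example)."""
import ipaddress


def eui64_link_local(mac: str) -> str:
    """Return the fe80::/64 address a host derives from a 48-bit MAC:
    flip the universal/local bit (0x02) of the first octet and insert
    ff:fe between the OUI and the device part."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    addr = ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)
    return addr.compressed


def ssh_target(mac: str, scope_iface: str) -> str:
    """A link-local address is only meaningful per link, so the host-side
    interface (here an assumed veth name) must be given as the scope id."""
    return f"{eui64_link_local(mac)}%{scope_iface}"


# constructed sample: a locally administered MAC of the kind KVM guests use
SAMPLE_MAC = "52:54:00:12:34:56"

if __name__ == "__main__":
    print(eui64_link_local(SAMPLE_MAC))       # fe80::5054:ff:fe12:3456
    print(ssh_target(SAMPLE_MAC, "veth_a"))   # fe80::5054:ff:fe12:3456%veth_a
```

This only matches the guest's real address when it uses EUI-64 interface identifiers; a guest configured for stable-privacy (RFC 7217) or temporary (RFC 4941) identifiers derives its link-local address differently, so checking `ip -6 neigh` on the host side is the way to confirm it.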

