Sorting NAT Statements... producing useless diffs...
Roderick B. Greening
Roderick.Greening at gt.ca
Sat Jun 11 17:12:29 UTC 2005
Here's how my router sees NAT:
ubr900(config)#ip nat ?
Stateful Stateful NAT configuration commands
inside Inside address translation
log NAT Logging
outside Outside address translation
pool Define pool of addresses
service Special translation for application using non-standard port
translation NAT translation entry configuration
ubr900(config)#ip nat inside ?
destination Destination address translation
source Source address translation
ubr900(config)#ip nat inside source ?
list Specify access list describing local addresses
route-map Specify route-map
static Specify static local->global mapping
ubr900(config)#ip nat inside source static ?
A.B.C.D Inside local IP address
esp IPSec-ESP (Tunnel mode) support
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol
ubr900(config)#ip nat inside source static tcp ?
A.B.C.D Inside local IP address
ubr900(config)#ip nat inside source static tcp 1.1.1.1 ?
<1-65535> Local UDP/TCP port
ubr900(config)#ip nat inside source static tcp 1.1.1.1 9999 ?
A.B.C.D Inside global IP address
interface Specify interface for global address
The 3rd field can be (inside|outside)
The 4th field can be (source|destination) *note: for outside translation, only source is available
The 5th field can be (list|route-map|static)
At this point, we probably need to be able to split list|route-map|static off.
List and route-map are basically the same, and have all the same options:
ip nat (inside|outside) (source|destination) (list|route-map) (\S+) pool (\S+)
For static translations, we have the following:
ip nat (inside|outside) (source|destination) static (tcp|udp|esp|network|\d+\.\d+\.\d+\.\d+)
If it's (tcp|udp|esp) then you have an IP address and port number followed
by either another IP address and port number or the keyword interface
replaces the second IP address.
Is this enough detail?
Thanks.
-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net]
Sent: Friday, June 10, 2005 9:20 PM
To: Roderick B. Greening
Cc: 'rancid-discuss at shrubbery.net'
Subject: Re: Sorting NAT Statements... producing useless diffs...
sigh, I don't have a pix, but from the manual, I think rancid's match is deficient.
/^ip nat (\S+) source static (\S+)/ &&
doesn't handle a protocol field (udp|tcp) as the 6th field.
/^ip nat (\S+) source static ((udp|tcp) )?(\S+)/ &&
ProcessHistory("IP NAT $1","ipsort","$4","$_") && next;
the IP match probably ought to be more specific too,
/^ip nat (\S+) source static ((udp|tcp) )?(\d+\.\d+\.\d+\.\d+)/ &&
What options are available for the 6th field?
Fri, Jun 10, 2005 at 07:26:53AM -0700, Roderick B. Greening:
> Hi,
>
> I keep getting uninteresting diffs like the following:
>
> retrieving revision 1.10
> diff -U4 -r1.10 <FILENAME REMOVED>
> @@ -101,11 +101,11 @@
> no keepalive
> !
> ip default-gateway <IP REMOVED>
> + ip nat inside source route-map nonat interface cable-modem0 overload
> ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0
> 5632
> ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0
> 5631
> - ip nat inside source route-map nonat interface cable-modem0 overload
> ip classless
> no ip http server
> no ip http secure-server
> no ip http cable-monitor
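Review bot: nothing in this hunk changes the configuration; the `route-map nonat ... overload` line only moves from below the two static entries to above them. That line contains no `source static`, so the `/^ip nat (\S+) source static (\S+)/` match quoted above never sees it and it is not ordered together with the static block. Giving the `list`/`route-map` entries a fixed key that sorts ahead of every static entry (or behind all of them) would make this diff disappear.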
>
> It appears that the sort routine for NAT needs some augmentation to order
> non-static entries as well to try and force these to appear either before
> or after the static ones. Any thoughts?
>
> There are two main types of entry I use for overloading:
>
> ip nat inside source list 1 interface cable-modem0 overload
>
> and
>
> ip nat inside source route-map nonat interface cable-modem0 overload
>
> The important (non-changing) bits are the "overload" and the "list" vs
> "route-map".
>
> I'd like to augment the NAT/sort/ProcessHistory to force overloaded
> statements to appear at the top of the NAT history.
>
> Also, I've noticed that I receive the following diffs regularly:
>
> retrieving revision 1.3
> diff -U4 -r1.3 <FILENAME REMOVED>
> @@ -76,12 +76,12 @@
> no cable-modem compliant bridge
> !
> ip default-gateway <IP REMOVED>
> ip nat inside source list 1 interface cable-modem0 overload
> - ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> 5632
> ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0
> 5631
> - ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> 5631
> + ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0
> 5632
> ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0
> 5632
> + ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0
> 5631
> ip classless
> no ip http server
> !
> logging trap notifications
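Review bot: all four static entries in this hunk share the inside address 192.168.1.20, so a sort keyed on that address alone has no tie-breaker and the relative order of the udp/tcp 5631/5632 lines is free to change between runs, which is exactly what the `-`/`+` pairs show. Adding the protocol and the local port as secondary keys, and comparing the port numerically rather than as a string (so 80 sorts before 5631), makes the order deterministic.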
>
> Notice that no actual config changes have occurred. The NAT sort routine only
> sorts on IP with no consideration to the same IP having multiple ports being
> translated. It should also sort on port (at least in my case I'd like this).
>
> Has anyone provided (or can provide) a way to augment the NAT sorting rules?
> I'd like to reduce the amount of diff mails I receive, as I currently have a
> few hundred of these out in the field and I constantly get diffs with no
> real changes.
>
> Thanks in advance,
>
> Rod.
>
>
> Roderick B. Greening, B.Sc.
> Manager, Provisioning & Technical Support
> Atlantic Region
> group telecom, a Bell Canada Company
> 541 Kenmount Rd.
> St. John's, NF
> (709) 757-1328 (Office)
> (709) 685-3681 (Mobile)
> (709) 757-1201 (Fax)
> rgreening at gt.ca
>
>
>
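Added example (not rancid code and not from either poster) showing the sort key both messages ask for: `list`/`route-map` overload entries first, then static entries ordered by inside address (numerically, octet by octet), then protocol, then local port, with the whole line as the final tie-breaker. It parses the `ip nat` grammar Roderick lays out above, and its sample input is the two orderings from each diff quoted in the original message plus two constructed lines (an address-only static for 192.168.1.5 and a 192.168.1.100 entry) to show address-only mappings and numeric address ordering. It is written in Python rather than Perl purely for readability; the class numbers and the handling of the `network` keyword are this example's own choices.

```python
import re
from typing import List, Tuple

# Line shapes this example understands, following the grammar described in the thread:
#   ip nat (inside|outside) (source|destination) (list|route-map) NAME ... [overload]
#   ip nat (inside|outside) (source|destination) static [tcp|udp|esp] LOCAL-IP [PORT] (GLOBAL-IP|interface IF) [PORT]
#   ip nat (inside|outside) (source|destination) static network ...
NAT_RE = re.compile(
    r"^ip nat (?P<dir>inside|outside) (?P<kind>source|destination) "
    r"(?P<how>list|route-map|static) (?P<rest>.+)$"
)


def ip_key(addr: str) -> Tuple[int, ...]:
    """Numeric dotted-quad key: a plain string sort would put 192.168.1.100
    before 192.168.1.20, which is not what an operator expects."""
    try:
        return tuple(int(octet) for octet in addr.split("."))
    except ValueError:
        return (256,)  # not a dotted quad: sort after every real address


def nat_sort_key(line: str) -> tuple:
    """Sort key for one 'ip nat' line.

    class 0: list / route-map entries (the overload lines), always first
    class 1: static address/protocol entries, by inside IP, protocol, local port
    class 2: static network entries
    class 9: anything the parser does not recognise, kept after the rest
    The remainder of the line is the last element, so equal keys cannot occur
    for different lines and the order is fully deterministic.
    """
    m = NAT_RE.match(line.strip())
    if not m:
        return (9, "", "", line)
    d = m.groupdict()
    if d["how"] != "static":
        return (0, d["dir"], d["kind"], d["how"], d["rest"])
    fields = d["rest"].split()
    if fields[0] == "network":
        return (2, d["dir"], d["kind"], d["rest"])
    proto = ""
    if fields[0] in ("tcp", "udp", "esp"):
        proto = fields.pop(0)  # esp carries no port; tcp/udp do
    local_ip = fields.pop(0) if fields else "0.0.0.0"
    # Compare the port as an integer, not a string, so 80 sorts before 5631.
    port = int(fields[0]) if fields and fields[0].isdigit() else -1
    return (1, d["dir"], d["kind"], ip_key(local_ip), proto, port, d["rest"])


def sort_nat(lines: List[str]) -> List[str]:
    """Return the NAT lines in canonical order; the input order is irrelevant."""
    return sorted(lines, key=nat_sort_key)


# Sample input: the 'before' and 'after' orderings of the two diffs quoted in the
# thread, plus two constructed lines (192.168.1.100 and the address-only 192.168.1.5).
DIFF1_BEFORE = [
    "ip nat inside source static udp 192.168.1.11 5632 interface cable-modem0 5632",
    "ip nat inside source static tcp 192.168.1.11 5631 interface cable-modem0 5631",
    "ip nat inside source route-map nonat interface cable-modem0 overload",
]
DIFF1_AFTER = [DIFF1_BEFORE[2], DIFF1_BEFORE[0], DIFF1_BEFORE[1]]

DIFF2_BEFORE = [
    "ip nat inside source list 1 interface cable-modem0 overload",
    "ip nat inside source static udp 192.168.1.20 5632 interface cable-modem0 5632",
    "ip nat inside source static udp 192.168.1.20 5631 interface cable-modem0 5631",
    "ip nat inside source static tcp 192.168.1.20 5631 interface cable-modem0 5631",
    "ip nat inside source static tcp 192.168.1.20 5632 interface cable-modem0 5632",
]
DIFF2_AFTER = [DIFF2_BEFORE[0], DIFF2_BEFORE[2], DIFF2_BEFORE[1], DIFF2_BEFORE[4], DIFF2_BEFORE[3]]

EXTRA = [
    "ip nat inside source static tcp 192.168.1.100 80 interface cable-modem0 80",  # constructed
    "ip nat inside source static 192.168.1.5 203.0.113.5",  # constructed, address-only
]

if __name__ == "__main__":
    # Both orderings of each hunk collapse to the same output, so no diff is produced.
    for before, after in ((DIFF1_BEFORE, DIFF1_AFTER), (DIFF2_BEFORE, DIFF2_AFTER)):
        print("stable:", sort_nat(before) == sort_nat(after))
    for line in sort_nat(DIFF2_BEFORE + EXTRA):
        print(line)
```

The key deliberately puts the protocol before the port, so a host's tcp mappings stay together ahead of its udp ones; swapping those two elements would group by port instead. Either choice is fine as long as it is fixed, which is the whole point of the exercise.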