Skip to content

Add support for port forwarding with masquerading (stateful NAT) #1262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Fredi-raspall wants to merge 5 commits into
base: pr/fredi/nat_use_cases
Choose a base branch
from
Draft

Add support for port forwarding with masquerading (stateful NAT) #1262

Fredi-raspall wants to merge 5 commits into from
+101 −20

Conversation

@Fredi-raspall
Copy link
Contributor

@Fredi-raspall Fredi-raspall commented Feb 4, 2026

This goes on top of #1257

@Fredi-raspall
feat(net): add port-forwarding metadata flag
6ff3ee9 
... and extend the metadata flags from u16 to u32.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
@Fredi-raspall
feat(nat): scaffold port-forwarding nat NF
2bc259b 
The port forwarding has some commonalities with both stateful and
stateless NAT. For clarity, we make it a first-class citizen so as
to differentiate them (and not overload) the existing flavors, and
it has its own tracing target "port-forwarding".

This NF will only process packets marked as requiring port-forw-
arding.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
@Fredi-raspall
feat(dataplane): add port-forwarder to pipeline
e423069 
Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
@Fredi-raspall
feat(flow-filter): extend NatRequirement
5af1f46 
Extend the enum with PortForwarding. The expectation is that from
the API, we'll be explicitly told about port forwarding. As a
result, the contents of the flow-filter will include that infor-
mation which will allow us to annotate the packet accordingly
to steer the packet through the PortForwarder.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
@Fredi-raspall Fredi-raspall requested a review from qmonnet February 4, 2026 12:44
@Fredi-raspall
feat(stateful-nat): simplify nat_packet() args
064fb68 
Do not unnecessarily propagate src/dst vpc discriminants.
The stateful NAT NF requires packets to have been annotated with
both of them, but it only needs them if there is no session.
Instead of always retrieving them and passing them along, keep
the check that they are present, but just retrieve them from the
packet given that we need to pass a reference to it to modify it.

Also, given that the flow-filter is the one responsible for
determining src & dst vpcd, and annotating that nat is needed,
the stateful nat function should never get a packet without those
annotations. Therefore, add a debug assert to the existing check.

Signed-off-by: Fredi Raspall <fredi@githedgehog.com>
@qmonnet qmonnet changed the title Pr/fredi/port forwarding Add support for port forwarding with masquerading (stateful NAT) Feb 4, 2026
@qmonnet qmonnet added the area/nat Related to Network Address Translation (NAT) label Feb 4, 2026
@qmonnet qmonnet linked an issue Feb 4, 2026 that may be closed by this pull request
Support port forwarding for masquerading (stateful NAT) #1259
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qmonnet qmonnet Awaiting requested review from qmonnet

Assignees

@Fredi-raspall Fredi-raspall

@qmonnet qmonnet

Labels

area/nat Related to Network Address Translation (NAT)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support port forwarding for masquerading (stateful NAT)

3 participants

@Fredi-raspall @qmonnet