VyOS Full Cone CGN / EIF

Hi folks,

Opening this topic to discuss the feature request we just posted:
https://vyos.dev/T6247

There have been several posts historically and I am surprised this hasn’t already been implemented. Having EIF as a baseline is fundamental to distinguishing any “CGN” solution from a standard PAT running on a router.

Happy to discuss.

We don’t use iptables
If you know how to implement it on nftables let us know

We have basic CGNAT features with several requirements of the RFC. Examples you can find here: T5169 Add CGNAT Carrier-Grade NAT based on nftables
Did you test it?

Yes we tested this extensively in July of 2023. We had an open email thread with Santiago Blanquet where we defined these requirements and the outcome of testing is that the translation was not being created as EIF and inbound traffic from different Internet destinations to the same translated port were dropped.

It is not supported in nftables by default and hence why the below exists:

We even offered to pay for VyOS development of this feature but were turned away. Happy to revisit though.

What are you talking about? PoC for CGNAT was merged a week ago :wink:
And this project that you mentioned looks completely dead, the issue was opened without any answer for 2 years

I don’t see anything there testing EIF or full cone. Only port address mapping? What are we talking about? Do you have the PR you are referencing?

Regardless of the particular examples being missing, it’s an industry standard feature of CGN that is missing. The links are for reference. Vendor specific links are below to show how this exists in existing products that claim CGN featureset:

I reference these articles as by definition if you claim to support CGN then you really should be supporting EIF as that is one of the main distinguishers of classic NAT/PAT from CGN.

If the feature already exists please point it out and the testing. I would love for that to be the case.

Further, not seeing RFC6888 REQ-7 in: T5169: Add PoC for generating CGNAT rules rfc6888 by sever-sever · Pull Request #3274 · vyos/vyos-1x · GitHub which is what we are talking about.

Feel free to create a PR or implement it.
I mentioned which requirements are already integrated from the RFC and merged. That's why I asked: did you test it?
It will be good if you can test what already exists.
It is ok if you won’t test it.

We shouldn’t be testing code after it’s been implemented to see if it covers a certain intended use case or functionality. That’s what unit tests are supposed to be for. REQ-7 is either implemented by intention or it isn’t. I looked through the PR and Maniphest and can’t find any reference to REQ-7.

The RFC6888 implementation sadly looks incomplete without REQ-7. We are working to throw some developers at this as we speak.

There is NO implementation for REQ-7
It is RECOMMENDED but not MUST

7. It is RECOMMENDED that a CGN use an "endpoint-independent
   filtering" behavior (as defined in Section 5 of [RFC4787]).
   Minimize application breakage.

And nftables does not support it natively (as far as I know)
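As an added illustration, not code from this thread, from VyOS or from nftables: a small Python model of a CGN with the three RFC 4787 Section 5 filtering behaviours behind REQ-7, reproducing the test described earlier in the thread (a second Internet host sending to the same translated port). All addresses are constructed values from the RFC 5737 documentation and RFC 6598 shared address ranges.

```python
from dataclasses import dataclass, field
from enum import Enum


class Filtering(Enum):
    """Filtering behaviours from RFC 4787 Section 5."""
    ENDPOINT_INDEPENDENT = "EIF"
    ADDRESS_DEPENDENT = "ADF"
    ADDRESS_PORT_DEPENDENT = "APDF"


@dataclass
class Mapping:
    internal: tuple   # (private ip, port) that opened the mapping
    external: tuple   # (public ip, port) allocated by the NAT
    peers: set = field(default_factory=set)  # (remote ip, port) contacted


class Nat:
    """Toy CGN model (constructed): endpoint-independent mapping plus a configurable filter."""
    def __init__(self, public_ip, filtering, first_port=40000):
        self.public_ip, self.filtering = public_ip, filtering
        self.next_port = first_port
        self.by_internal, self.by_external = {}, {}

    def outbound(self, src, dst):
        """Subscriber packet src -> dst: create or reuse the mapping, record the peer."""
        m = self.by_internal.get(src)
        if m is None:
            m = Mapping(src, (self.public_ip, self.next_port))
            self.next_port += 1
            self.by_internal[src] = self.by_external[m.external] = m
        m.peers.add(dst)
        return m.external

    def inbound(self, src, dst):
        """Internet packet src -> translated dst: internal endpoint, or None if dropped."""
        m = self.by_external.get(dst)
        if m is None:
            return None
        if self.filtering is Filtering.ENDPOINT_INDEPENDENT:
            return m.internal
        if self.filtering is Filtering.ADDRESS_DEPENDENT:
            return m.internal if any(p[0] == src[0] for p in m.peers) else None
        return m.internal if src in m.peers else None


def hole_punch_test(filtering):
    """The thread's test: after one outbound flow, does a packet from a
    different Internet host to the same translated port get through?"""
    nat = Nat("203.0.113.1", filtering)  # constructed public IP (RFC 5737)
    ext = nat.outbound(("100.64.0.10", 5000), ("198.51.100.5", 3478))
    return nat.inbound(("192.0.2.77", 27015), ext) == ("100.64.0.10", 5000)
```

Only the EIF mode delivers the second host's packet; the other two modes drop it, which is the behaviour the thread reports observing.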

Correct on both accounts.

Again, I can’t iterate enough that all commercially available CGN products support EIF/REQ-7. It is a fundamental distinguisher of “CGN” vs. traditional NAT. All mainstream “CGN” products support this feature as it’s needed for poking holes through NAT and allowing P2P connectivity from other hosts, i.e. for gaming and real-time communications.

We are investigating developer support to add this functionality but I encourage you to look in to this through the eyes of a consumer of CGN.