Commit e51efbc

vpp: T7972: Delete nat44 no-forwarding option from CLI
1 parent 155ddbd commit e51efbc

1 file changed

+8
-19
lines changed

docs/vpp/configuration/nat/nat44.rst

Lines changed: 8 additions & 19 deletions
@@ -1,4 +1,4 @@
1-
:lastproofread: 2025-09-04
1+
:lastproofread: 2025-09-04
22

33
.. _vpp_config_nat_nat44:
44

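Review bot: The removed and added `:lastproofread: 2025-09-04` lines at the top of the file read identically, so this hunk changes only whitespace or an invisible character on line 1. If that is an intended cleanup, mention it in the commit message; otherwise drop it so the diff carries only the no-forwarding removal.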
@@ -32,6 +32,13 @@ To configure dynamic NAT, you need to define a pool of public IP addresses that
3232

3333
Static rules are more suitable for scenarios where you need to provide consistent and predictable mappings between private and public IP addresses, also they are the only way to configure DNAT.
3434

35+
How NAT Rules are Applied
36+
-------------------------
37+
38+
1. **Dynamic Rules only**: The router will try to apply those rules to all incoming traffic, and everything else passes normally
39+
2. **Static + Dynamic Rules**: The router uses static rules first, and uses dynamic ones only when no static rule applies.
40+
3. **Static Rules only**: Only the traffic you explicitly define in a static rule gets translated. Everything else passes untouched.
41+
3542
Interfaces Configuration
3643
========================
3744

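Review bot: Item 2 of the new "How NAT Rules are Applied" list does not say what happens to traffic that matches neither a static nor a dynamic rule, while items 1 and 3 both end by stating that everything else passes. With the no-forwarding text removed from this page, this list is where a reader learns that unmatched traffic is forwarded rather than dropped, so state it for all three cases or once below the list. Item 1 is also missing its closing period, and "incoming traffic" would be clearer if it said which interface side the rules are evaluated on.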
@@ -554,24 +561,6 @@ This setting helps prevent memory exhaustion and ensures predictable performance
554561
# Increase session limit for high-capacity deployment
555562
set vpp settings nat44 session-limit 100000
556563
557-
Forwarding Behavior
558-
-------------------
559-
560-
By default, VyOS NAT44 forwards packets that don't match any NAT rules according to the routing table. This behavior can be controlled:
561-
562-
.. cfgcmd:: set vpp settings nat44 no-forwarding
563-
564-
Disable forwarding of packets that don't match existing NAT translations. When enabled, only packets that match static or dynamic NAT rules will be processed; all other traffic will be dropped.
565-
566-
.. important::
567-
568-
This is a significant difference from traditional NAT solutions. By default, VyOS NAT44 allows non-NAT traffic to be forwarded normally. Using ``no-forwarding`` creates a pure NAT-only device that drops any traffic not covered by NAT rules.
569-
570-
**Use cases for no-forwarding:**
571-
572-
* **Pure NAT gateway**: When the router should only handle NAT traffic and drop everything else
573-
* **Security isolation**: Preventing any non-NAT traffic from traversing the device
574-
575564
Worker Assignment
576565
-----------------
577566

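Review bot: Deleting the whole "Forwarding Behavior" section removes the "Pure NAT gateway" and "Security isolation" use cases without telling readers what replaces them, and leaves no note for anyone whose configuration still contains `set vpp settings nat44 no-forwarding`. Add a short note that the option was removed and point to the documented way to drop traffic that matches no NAT rule, since the remaining text describes unmatched traffic as passing normally.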