DNATUTIL Tool

Dnatutil is an offline utility tool designed to retrieve mapping information for Deterministic NAT (DNAT) on the CNFs platform.

Purpose and Functionality

The DNAT utility tool enhances log storage efficiency for service providers by algorithmically mapping subscriber IP addresses to public translation addresses and ports. This method minimizes storage requirements for logs while maintaining complete traceability of network activity.

The dnatutil tool is critical for identifying subscribers by performing reverse mapping of source addresses and ports from the translation address and port within deterministic-mode Large-Scale NAT (LSN) pools. This process leverages states stored in log files or configured rules to accurately reconstruct the original subscriber information.
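As an added illustration (not code from this page or from the F5 dnat-util tool), the following Python models the forward and reverse mapping described above. The subscriber range, translation range and port range are the ones from the F5BigNatPolicy example later in this document; the sequential port-block assignment rule is an assumption for illustration only and is not F5's carp-hash/DAG algorithm. It shows why a deterministic mapping needs no per-session log entry, and how a reverse lookup must reject ports that were never handed out.

```python
"""Worked model of deterministic NAT forward and reverse mapping (illustrative)."""
import ipaddress
import json

# Constructed sample configuration, using the values from the F5BigNatPolicy
# example in this document. The sequential block-assignment rule below is an
# assumption for illustration only; it is not F5's carp-hash/DAG algorithm.
SUBSCRIBER_RANGE = "11.11.11.0/24"           # rule.source.addresses
TRANSLATION_RANGE = "22.22.22.1-22.22.22.8"  # sourceTranslation.addresses
TRANSLATION_PORTS = "1025-65535"             # sourceTranslation.port


def expand_addresses(spec):
    """Expand 'a.b.c.d/n' or 'a.b.c.d-e.f.g.h' into an ordered list of IPv4Address."""
    if "/" in spec:
        return list(ipaddress.ip_network(spec, strict=False))
    first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def parse_port_range(spec):
    """'lo-hi' -> (lo, hi) as integers."""
    lo, hi = (int(p) for p in spec.split("-"))
    return lo, hi


class DeterministicNat:
    """Maps each subscriber address to a fixed translation address and port block.

    Because the mapping is a pure function of the configuration, no per-session
    log entry is needed: the configuration (or one logged block per subscriber)
    is enough to recover the subscriber from any translated address:port.
    """

    def __init__(self, subscribers, translations, port_range):
        self.subscribers = expand_addresses(subscribers)
        self.translations = expand_addresses(translations)
        self.port_lo, self.port_hi = parse_port_range(port_range)
        # Spread subscribers evenly over translation addresses (ceiling division),
        # then carve each address's port range into equal-sized blocks.
        self.subs_per_addr = -(-len(self.subscribers) // len(self.translations))
        ports_per_addr = self.port_hi - self.port_lo + 1
        self.block_size = ports_per_addr // self.subs_per_addr
        if self.block_size < 1:
            raise ValueError("translation port range too small for the subscriber range")

    def forward(self, subscriber_ip):
        """Subscriber address -> (translation_ip, first_port, last_port)."""
        idx = self.subscribers.index(ipaddress.ip_address(subscriber_ip))
        addr_idx, slot = divmod(idx, self.subs_per_addr)
        first = self.port_lo + slot * self.block_size
        return str(self.translations[addr_idx]), first, first + self.block_size - 1

    def reverse(self, trans_addr_port):
        """'translation_ip:port' -> subscriber address, or None if that port is unassigned."""
        addr, port = trans_addr_port.rsplit(":", 1)
        port = int(port)
        addr_idx = self.translations.index(ipaddress.ip_address(addr))
        if not self.port_lo <= port <= self.port_hi:
            return None
        slot = (port - self.port_lo) // self.block_size
        if slot >= self.subs_per_addr:
            return None  # leftover ports after the last full block are never handed out
        idx = addr_idx * self.subs_per_addr + slot
        if idx >= len(self.subscribers):
            return None  # the last translation address may serve fewer subscribers
        return str(self.subscribers[idx])

    def verify_round_trip(self):
        """Check that both edges of every subscriber's block map back to that subscriber."""
        for sub in self.subscribers:
            trans_ip, first, last = self.forward(str(sub))
            for port in (first, last):
                if self.reverse(f"{trans_ip}:{port}") != str(sub):
                    return False
        return True


def build_sample():
    """Build the mapper from the constructed sample configuration above."""
    return DeterministicNat(SUBSCRIBER_RANGE, TRANSLATION_RANGE, TRANSLATION_PORTS)


if __name__ == "__main__":
    nat = build_sample()
    trans_ip, first, last = nat.forward("11.11.11.33")
    print(json.dumps({
        "forward": {"subscriber_ip": "11.11.11.33", "translation_ip": trans_ip,
                    "port_block": f"{first}-{last}"},
        "reverse": {"trans_address_port": f"{trans_ip}:{first}",
                    "subscriber_ip": nat.reverse(f"{trans_ip}:{first}")},
        "round_trip_ok": nat.verify_round_trip(),
    }, indent=2))
```

With 256 subscribers, 8 translation addresses and 64511 ports per address, each subscriber receives a 2015-port block and the 31 ports left at the top of each address's range are unassigned; a reverse query for one of those ports returns None rather than attributing the traffic to the wrong subscriber, which is the check an investigator relies on when the tool reports no match.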

Requirements

Ensure you have:

  • The BIG-IP Controller installed.
  • The CNF CRs shown in the CR Example section configured.
  • A Linux-based workstation with an x86_64 CPU.
  • Python version 3.8 or above installed.
  • glibc version 2.28 or above installed.

Configuration and Input

The current version of the dnatutil tool retrieves its configuration from the CR files (F5BigNatPolicy CR and F5BigNetVlan CR) located in the directory passed with --config_dir. These files define the parameters required for DNAT mapping operations.

Output Format

The tool generates output in JSON format. When an output file is specified in the input, the JSON data is saved to the file; otherwise, the output is displayed on the standard output (stdout). This structured format facilitates efficient mapping of subscriber traffic and seamless integration with other systems.

DNAT Utility - Tool Usage

This section provides examples that describe how to use the dnat-util tool with the supported options and commands.

dnat-util commands

usage: dnat-util [<options>]

DNAT Utility

options:
  -h, --help            show this help message and exit
  --action {summary,forward,forward_compact,reverse,reverse_addr}
                        Action to perform using DNAT states
  --subscriber_addr [SUBSCRIBER_ADDR]
                        Subscriber or Translation address
  --subscriber_port SUBSCRIBER_PORT
                        Subscriber or Translation port
  --output_file [OUTPUT_FILE]
                        Optional output filename for all the actions
  --trans_addr_port [TRANS_ADDR_PORT]
                        Translation IP with port in the form [trans_addr:trans_port]
  --config_dir CONFIG_DIR
                        Directory containing YAML CR file/files
  --all                 Display all matching entries
  --version             Display version information

Note: Currently, the forward_compact and reverse_addr actions are not supported.

Sample Outputs

  • Following is an example output for the forward action with a subscriber address.

    ./dnat-util --config_dir test_cr --subscriber_addr 17.17.17.0 --action forward
    {
      "queryParameters:": {
        "subscriber_address": "17.17.17.0",
        "subscriber_port": 1024,
        "action": "forward"
      },
      "subscribers": [
        {
          "translation": {
            "tmm_self_ip": "7.7.7.3",
            "subscriber_ip": "17.17.17.0",
            "translation_ip": "6.6.6.0",
            "port_block": "10000-37767"
          }
        }
      ]
    }
    
  • Following is an example output for the forward action with a subscriber address and port.

    ./dnat-util --config_dir test_cr --subscriber_addr 17.17.17.0 --subscriber_port 1024 --action forward
    {
      "queryParameters:": {
        "subscriber_address": "17.17.17.0",
        "subscriber_port": 1024,
        "action": "forward"
      },
      "subscribers": [
        {
          "translation": {
            "tmm_self_ip": "7.7.7.3",
            "subscriber_ip": "17.17.17.0",
            "translation_ip": "6.6.6.0",
            "port_block": "10000-37767"
          }
        }
      ]
    }
    
  • Following is an example output for the reverse action with a translation address and port.

    ./dnat-util --config_dir test_cr  --action reverse --trans_addr_port 6.6.6.0:10000
    {
      "queryParameters:": {
        "trans_address_port": "6.6.6.0:10000",
        "action": "reverse"
      },
      "subscriberInfo": {
        "tmm_self_ip": "7.7.7.3",
        "subscriber_ip": "17.17.17.0"
      }
    }
    
  • Following is an example of the forward action writing its output to a JSON file instead of the default stdout. The --output_file option works the same way with all other actions and with the --all argument.

    ./dnat-util --config_dir test_cr --subscriber_addr 17.17.17.0  --action forward --output out.json
    cat out.json
    {
      "queryParameters:": {
        "subscriber_address": "17.17.17.0",
        "subscriber_port": "N/A",
        "action": "forward"
      },
      "subscribers": [
        {
          "translation": {
            "tmm_self_ip": "7.7.7.3",
            "subscriber_ip": "17.17.17.0",
            "translation_ip": "6.6.6.0",
            "port_block": "10000-37767"
          }
        }
      ]
    }
    

CR Example

F5BigNatPolicy CR

Following is an example F5BigNatPolicy CR with patMode as dnat.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigNatPolicy
metadata:
  name: "dnat-policy-1"
spec:
  sourceTranslation:
    - name: "dnatsrctr"
      type: "dynamic-pat"
      patMode: "dnat"
      addresses:
        - "22.22.22.1-22.22.22.8"
      port: "1025-65535"
      deterministicNat:
        upstreamRouter: "f5-dag"
        f5Dag:
          f5DagAlgorithm: "carp-hash"
          subscriberVlan: "vlan1"
      routeAdvertisement: True
  rule:
    - name: dnatrule_1
      ipProtocol: tcp
      source:
        addresses:
          - "11.11.11.0/24"
      sourceTranslation: "dnatsrctr"

F5BigNatPolicy with addressLists

Following is an example F5BigNatPolicy CR with addressLists and portLists, along with excludeAddresses.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigNatPolicy
metadata:
  name: "natpolicy"
spec:
  sourceTranslation:
    - name: "src_tr1"
      type: "dynamic-pat"
      patMode: "dnat"
      addresses:
        - "22.22.22.1/28"
      port: "100-500"  #translation port
      excludeAddresses:
        - "23.23.23.100/32"
        - "33.33.33.1-33.33.33.8"
        - "22.22.22.4"
      deterministicNat:
        upstreamRouter: "f5-dag"
        f5Dag:
          f5DagAlgorithm: "carp-hash"
          subscriberVlan: "dagtmm-net1"
      routeAdvertisement: True
  rule:
    - name: "rule1"
      ipProtocol: tcp
      source:
        addressLists:
        - "addrlist1"
        ports:
        - "3301-3400"  # subscriber port
        portLists:
        - "portlist1"
      sourceTranslation: "src_tr1"

F5BigNetVlan CR

Following is an example F5BigNetVlan CR.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigNetVlan
metadata:
  name: "vlan-net1"
spec:
  name: dagtmm-net1
  interfaces:
  - "1.1"
  selfip_v4s:
  - "20.1.1.152"
  - "20.1.1.153"
  prefixlen_v4: 24
  selfip_v6s:
  - "2002::20:1:1:152"
  - "2002::20:1:1:153"
  prefixlen_v6: 112
  auto_lasthop: "AUTO_LASTHOP_DISABLED"

F5BigCneAddresslist CR

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: "addrlist1"
spec:
  addresses:
   - "100.100.100.0-100.100.100.30"

F5BigCnePortlist CR

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCnePortlist
metadata:
  name: "portlist1"
spec:
  ports:
   - "600-900"

Installation

The DNAT utility (dnatutil tool) is a Python-based tool designed for easy deployment and use. It can be executed directly after downloading the precompiled executable, without requiring additional dependencies or manual setup.

  1. Download the dnat-util-v0.5.4.tgz file from the CNFs tarball.

  2. Extract the downloaded dnat-util-v0.5.4.tgz file with the following command:

    tar -xvzf dnat-util-v0.5.4.tgz
    
  3. After extraction, you will find the dnat-util directory, which contains the dnat-util executable file.

  4. Follow the commands provided in the DNAT Utility - Tool Usage section to start using the tool.

Feedback

To provide feedback and help improve this document, please email us at cnfdocs@f5.com.