config.sample.toml

# einat Configuration File

[defaults]
ipv4_local_rule_pref = 200
ipv6_local_rule_pref = 200
ipv4_hairpin_rule_pref = 100
ipv6_hairpin_rule_pref = 100
ipv4_hairpin_table_id = 4787
ipv6_hairpin_table_id = 4787

# For ports not in specified ranges, einat would passthourgh NAT if the traffic
# is on interface's external address. You should exclude ports of services (
# e.g. SSH, HTTP server) serving on NAT host's external address and expecting
# inbound initiaed traffic from NAT port ranges specified here.
tcp_ranges = ["20000-29999"]
udp_ranges = ["20000-29999"]
# Combined ICMP query ID ranges, must include `icmp_in_ranges` and `icmp_out_ranges`.
icmp_ranges = ["0-65535"]
# Inbound ICMP query ID ranges
icmp_in_ranges = ["0-9999"]
# Outbound ICMP query ID ranges
icmp_out_ranges = ["1000-65535"]

# Minimal NAT44 configuration with hairpin routing
[[interfaces]]
if_name = "eth0"
nat44 = true
ipv4_hairpin_route.internal_if_names = ["lo", "internal"]

[[interfaces]]
# External(outbound) interface on which NAT would be performed.
if_name = "eth2"

# Unlike NAT flags in CLI options, `nat44` and `nat66` are both disabled by default.
# Set either `nat44` or `nat66` to enable NAT.
# Enable NAPT44
nat44 = false
# Enable NAPT66, this requires that einat was built with "ipv6" feature flag.
nat66 = false

# Set max BPF log level
# 0: disable, 1: error, 2: warn, 3: info, 4: debug, 5: trace
# View logs with `cat /sys/kernel/debug/tracing/trace_pipe`
bpf_log_level = 0

# Enable external address(preferred source) lookup, recommended to enable.
# Only works on Linux kernel>=6.7, it's a no-op for kernel on lower version.
#
# If you enable this option, be careful to have external configs and SNAT
# internals properly setting up for all possible preferred sources configured
# in route table otherwise SNAT skipping or packet dropping could happen.
#
# Enabled by default on Linux kernel>=6.7.
bpf_fib_lookup_external = true

# Set this to `false` for early disabling inbound ICMP binding initiation,
# similar to set `icmp_in_ranges = []`.
allow_inbound_icmpx = true

# NAT records lifetimes, see <https://datatracker.ietf.org/doc/html/rfc6146#section-4> .
# See available time units in <https://github.com/fundu-rs/fundu/blob/fundu-v2.0.0/README.md#time-units> .
timeout_fragment = "2s"
timeout_pkt_min = "1m"
timeout_pkt_default = "5m"
timeout_tcp_trans = "4m"
timeout_tcp_est = "124m"

# Max fragment tracking records allowed.
frag_track_max_records = 65536

# Max NAT binding records allowed, defaults to 65536 * 3(TCP, UDP and ICMP).
#
# Note the default value is already the upper limit for a single external
# address. If your network is under high pressure that taken up all ports,
# try lowering timeout_pkt_* and/or timeout_tcp_* so unused port bindings can
# be cleaned quicker thus can be reused.
binding_max_records = 196608

# Max connection tracking records allowed, this should be at least the same as
# `binding_max_records`, defaults to `binding_max_records` * 2. Increase this
# if you have more connections than the default value.
ct_max_records = 393216

# BPF loading backend used, one of "aya", "libbpf" or "libbpf-skel".
# Requires respetive Cargo feature flag to be enabled on build, fallback to
# other enabled loading backend if not available.
bpf_loader = "aya"

# Use TCX interface if available, only supported by aya loader.
# Enabled by default on Linux kernel>=6.6
prefer_tcx = true

# Disable source NAT for specified destination networks.
no_snat_dests = [
    # "192.168.0.0/16"
]

# This appends external config(s) with `match_address = "0.0.0.0/0`
# and/or `match_address = "::/0` to match all IP addresses on interface.
default_externals = true

# Enable source NAT for internal source networks specified here only, all other
# addresses would be seen as external routable address. Note traffic with
# SNAT-able(no_snat=false) external source address(traffic from NAT host itself)
# would do SNAT regardless.
#
# This is useful only if you have external(public) addresses assigned to internal
# hosts and you want to have traffic from those external addresses going trough
# the interface that einat attaches without being SNATed.
#
# This prepends the following external configs if the internals is not empty for
# IPv4 or IPv6 respectively. Be careful to not include possible external
# addresses here otherwise traffic would be blocked. So if it's not required,
# don't set this option.
#
#
#   [[interfaces.externals]]
#   network = "0.0.0.0/0"  # "::/0" for IPv6
#   no_snat = true
#   no_hairpin = true
#
#   [[interfaces.externals]]
#   network = "<network in snat_internals>"
#   is_internal = true
#   #...
#
snat_internals = [
    # "192.168.1.0/24",
    # "fc00::1:0/64"
]

# Automatically configure hairpinning routes
[interfaces.ipv4_hairpin_route]
# Enable the hairpin routing configuration, defaults to true if
# `internal_if_names` is not empty, otherwise defaults to false.
enable = false
internal_if_names = [
    # "lo",
    # "internal"
]
# Hairpinning IP protocols. You can also add "icmp" here, however it would
# results ICMP query packet to be send back to the sender due to combinated
# effect of the "Endpoint-Independent Mapping" behavior and ICMP does not
# distinguish between source query ID and destination query ID, this is not
# very useful thus not including "icmp" by default.
ip_protocols = ["tcp", "udp"]
# Defaults to `defaults.ipv4_local_rule_pref`.
ip_rule_pref = 200
# Defaults to `defaults.ipv4_hairpin_table_id`.
table_id = 4787

[interfaces.ipv6_hairpin_route]
enable = false
internal_if_names = []
ip_protocols = ["tcp", "udp"]
# Defaults to `defaults.ipv6_local_rule_pref`.
ip_rule_pref = 200
# Defaults to `defaults.ipv6_hairpin_table_id`.
table_id = 4787

# Configure external source addresses that NAT or not NAT to it.
# External configs are saved in prefix trie, hence config with more specific
# address prefix would be used. In the case of configs with same evaluated
# address prefix, config item defined earilier has higher priority. The first
# static or matching address would be used as the default NAT external source.
[[interfaces.externals]]
# Specify a static external source for NAT
address = "192.168.4.2"
# Or specify a static network as NAT external source, the address part(e.g.
# 10.0.0.5) of this CIDR would be used as default NAT external source
# if this config item got selected.
network = "10.0.0.5/24"
# If true, the specified address/network is marked as internal source instead
# of NAT external source. And such internal source would do NAT explicitly.
is_internal = false
# If `true`, the address would not be used as target NAT source address,
# and packet flow from or to this source address would pass through NAT.
no_snat = false
# Disable hairpinning for the address.
no_hairpin = false
# Defaults to ranges in [defaults] if not specified.
#tcp_ranges = ["10000-65535"]
#udp_ranges = ["10000-65535"]
#icmp_ranges = ["0-65535"]
#icmp_in_ranges = ["0-9999"]
#icmp_out_ranges = ["1000-65535"]

# You can set ranges to empty `[]` to disable NAT for respective protocol.
# For example disable NAT for TCP, you can than combine with Netfilter
# masquerading for TCP to form a mixed NAT.
#tcp_ranges = []

# Use `match_address` to match addresses on external interface specified.
[[interfaces.externals]]
# Match a CIDR network, would evaluate to matched address(es) on the interface.
match_address = "192.168.4.0/24"
# This is equivalent to format above.
match_address = { network = "192.168.4.0/24" }
# Match an address range.
match_address = { start = "192.168.4.100", end = "192.168.4.200" }

# You might want to exclude some address from being selected as
# NAT external address.
# Example that exclude IPv6 link-local addresses.
[[interfaces.externals]]
match_address = "fe80::/10"
no_snat = true
no_hairpin = true