Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

The negation operator

Another way to exclude a subset of traffic from being translated is by using the negation operator (exclamation mark [!]). The following example shows how to provide the same functionality as in the previous example but use the negation operator instead of the exclude option.

Note: You can use the negation operator with IP addresses but not with port addresses.
Table 1. Configuring masquerade NAT to exclude a subset of traffic by using the negation operator

Step

Command

Create SNAT rule 10.

vyatta@vyatta# set service nat source rule 10

Apply this rule to packets coming from any host on the 192.168.0.0/24 network, not going to the 192.168.50.0/24 network, and egressing through the dp0p1p1 interface.

vyatta@vyatta# set service nat source rule 10 source address 192.168.0.0/24 
vyatta@vyatta# set service nat source rule 10 destination address !192.168.50.0/24 
vyatta@vyatta# set service nat source rule 10 outbound-interface dp0p1p1

Use the primary IP address of the outbound interface as the translation address.

vyatta@vyatta# set service nat source rule 10 translation address masquerade

Commit the change.

vyatta@vyatta# commit

Show the configuration.

vyatta@vyatta# show nat source
 rule 10 { 
     destination {
         address !192.168.50.0/24
     }
     outbound-interface dp0p1p1
     source {
         address 192.168.0.0/24
     }
     translation {
         address masquerade
     }
 }

Note that you should take extreme care using when combining more than one negation operator rule. NAT rules are evaluated sequentially, and a sequence of rules that use the negation operator may result in unexpected behavior.

Consider the set of two NAT rules shown in the following example.

Multiple source NAT rules that use the negation operator: unexpected behavior

rule 10 { 
    destination {
        address !192.168.50.0/24
    }
    outbound-interface dp0p1p1
    source {
        address 192.168.0.0/24
    }
    translation {
    address masquerade
    }
}
rule 20 { 
    destination {
        address !172.16.50.0/24
    }
    outbound-interface dp0p1p1
    source {
        address 192.168.0.0/24
    }
    translation {
        address masquerade
    }
}

This combination of rules does not exclude the 192.168.50.0/24 and 172.16.50.0/24 networks. As previously explained, these NAT rules are evaluated sequentially; when a packet arrives, it is tested against the first rule and if it does not match, it is tested against the second rule, and so on until it matches a rule.

In the example, a packet with a destination in 192.168.50.0/24 does not meet the match criteria in rule 10, which matches all packets with a destination not in 192.168.50.0/24. As a result, the packet “falls through” to rule 20. A packet with a destination in 192.168.50.0/24 does match rule 20 because it is not in 172.16.50.0/24; therefore, the packet has NAT applied, which is not the desired result.

Similarly, a packet with a destination in 172.16.50.0/24 is matched and has NAT applied by rule 10.