_create_time |
Timestamp of resource creation |
EpochMsTimestamp |
Readonly Sortable |
_create_user |
ID of the user who created this resource |
string |
Readonly |
_last_modified_time |
Timestamp of last modification |
EpochMsTimestamp |
Readonly Sortable |
_last_modified_user |
ID of the user who last modified this resource |
string |
Readonly |
_links |
References related to this resource
The server will populate this field when returning the resource. Ignored on PUT and POST. |
array of ResourceLink |
Readonly |
_protection |
Indicates protection status of this resource
Protection status is one of the following:
PROTECTED - the client who retrieved the entity is not allowed
to modify it.
NOT_PROTECTED - the client who retrieved the entity is allowed
to modify it.
REQUIRE_OVERRIDE - the client who retrieved the entity is a super
user and can modify it, but only when providing
the request header X-Allow-Overwrite=true.
UNKNOWN - the _protection field could not be determined for this
entity.
|
string |
Readonly |
_revision |
Generation of this resource config
The _revision property describes the current revision of the resource. To prevent clients from overwriting each other's changes, PUT operations must include the current _revision of the resource, which clients should obtain by issuing a GET operation. If the _revision provided in a PUT request is missing or stale, the operation will be rejected. |
int |
|
_schema |
Schema for this resource |
string |
Readonly |
_self |
Link to this resource |
SelfResourceLink |
Readonly |
_system_owned |
Indicates system owned resource |
boolean |
Readonly |
action |
NAT rule action type
Valid actions: SNAT, DNAT, NO_SNAT, NO_DNAT, REFLEXIVE, NAT64. All
rules in a logical router are either stateless or stateful. Mixing is
not supported. SNAT and DNAT are stateful and are not supported when
the logical router is running in active-active HA mode; REFLEXIVE
is stateless. NO_SNAT and NO_DNAT have no translated_fields; only
match fields are supported.
|
NatActions |
Required |
applied_tos |
List of LogicalRouterPort resources as applied to
Holds the list of LogicalRouterPort IDs that a NAT rule can be applied to. The LogicalRouterPort used must belong to the same LogicalRouter for which the NAT rule is created. As of now a NAT rule can only have a single LogicalRouterPort as applied_tos. When applied_tos is not set, the NAT rule is applied to all LogicalRouterPorts belonging to the LogicalRouter. |
array of ResourceReference |
Maximum items: 1 |
description |
Description of this resource |
string |
Maximum length: 1024 Sortable |
display_name |
Identifier to use when displaying entity in logs or GUI
Defaults to ID if not set |
string |
Maximum length: 255 Sortable |
enabled |
enable/disable the rule
Indicator to enable/disable the rule.
|
boolean |
Default: "True" |
firewall_match |
How the firewall is applied
Indicates how the firewall is applied to a traffic packet. The firewall can be
bypassed, or be applied to the external/internal address of the NAT rule.
firewall_match takes priority over nat_pass. If firewall_match
is not provided, nat_pass is used.
|
NatFirewallMatch |
|
id |
Unique identifier of this resource |
string |
Sortable |
internal_rule_id |
Internal NAT rule UUID
Internal NAT rule UUID, used for debugging in the Controller and backend. |
string |
Readonly |
logging |
Enable/disable the logging of rule
Enable/disable the logging of rule.
|
boolean |
Default: "False" |
logical_router_id |
Logical router id
The ID of the logical router on which the NAT rule runs. |
string |
Readonly |
match_destination_network |
match destination network
IP Address | CIDR | (null implies Any)
|
string |
|
match_service |
match service
A NSServiceElement that specifies the matching services of source
ports, destination ports, ip protocol version and number, sub protocol
version and number, ICMP type and code, etc.
The match_service can be one of IPProtocolNSService, L4PortSetNSService
or ICMPTypeNSService. REFLEXIVE NAT does not support match_service.
|
NSServiceElement (Abstract type: pass one of the following concrete types) ALGTypeNSService EtherTypeNSService ICMPTypeNSService IGMPTypeNSService IPProtocolNSService L4PortSetNSService |
|
match_source_network |
match source network
IP Address | CIDR | (null implies Any)
|
string |
|
nat_pass |
Enable/disable bypassing the following firewall stage
Default is true. If nat_pass is set to true, the following firewall
stage will be skipped. Note that if action is NO_SNAT or NO_DNAT,
nat_pass must be set to true or omitted.
nat_pass is deprecated in favor of firewall_match. Stop using
nat_pass to specify whether the firewall stage is skipped. To skip it,
set firewall_match to BYPASS. To not skip it,
set firewall_match to MATCH_EXTERNAL_ADDRESS or
MATCH_INTERNAL_ADDRESS.
Note that firewall_match takes priority over nat_pass.
If both are provided, nat_pass is ignored. If firewall_match is not
provided while nat_pass is specified, nat_pass is still
used. In this case, if nat_pass is set to false, the firewall rule is
applied on the internal address of a packet, i.e. MATCH_INTERNAL_ADDRESS.
|
boolean |
Deprecated Default: "True" |
resource_type |
Must be set to the value NatRule |
string |
|
rule_priority |
NAT rule priority
Ascending, valid range [0-2147483647]. If multiple rules have the same
priority, evaluation sequence is undefined.
|
integer |
Default: "1024" |
tags |
Opaque identifiers meaningful to the API user |
array of Tag |
Maximum items: 30 |
translated_network |
IP Address | IP Range | CIDR
The translated address for the matched IP packet. For a SNAT, it can be
a single IP address, an IP range, or a CIDR block. For a DNAT and
a REFLEXIVE, it can be a single IP address or a CIDR block. Translated
network is not supported for NO_SNAT or NO_DNAT.
|
string |
|
translated_ports |
Port number or port range. DNAT only
The translated port(s) for the matched IP packet. It can be a single
port or a port range. Note that port translation is supported only
for DNAT.
|
string |
|
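
The following is an added example, not part of the original reference or the vendor's code. It audits NatRule payloads against the constraints stated in the action, applied_tos, match_service, nat_pass, firewall_match and translated_ports rows, and resolves which firewall stage each rule actually gets. The function names and the sample rules are constructed for illustration.

```python
# Added example, not vendor code; field names and enum values are from the table above.
ACTIONS = {"SNAT", "DNAT", "NO_SNAT", "NO_DNAT", "REFLEXIVE", "NAT64"}
NO_TRANSLATION = {"NO_SNAT", "NO_DNAT"}

def effective_firewall_match(rule):
    """Resolve which firewall stage applies, per the firewall_match / nat_pass rows."""
    if rule.get("firewall_match") is not None:
        return rule["firewall_match"]        # takes priority; nat_pass is ignored
    if rule.get("nat_pass", True):           # documented default for nat_pass is true
        return "BYPASS"
    return "MATCH_INTERNAL_ADDRESS"          # nat_pass=false without firewall_match

def check_rule(rule):
    """Return the documented constraints that one NatRule dict violates."""
    out, action = [], rule.get("action")
    if action not in ACTIONS:
        out.append("invalid action")
    if action in NO_TRANSLATION:
        if rule.get("translated_network") or rule.get("translated_ports"):
            out.append("translated fields not supported")
        if rule.get("nat_pass") is False:
            out.append("nat_pass must be true or omitted")
    elif rule.get("translated_ports") and action != "DNAT":
        out.append("translated_ports is DNAT only")
    if action == "REFLEXIVE" and rule.get("match_service"):
        out.append("REFLEXIVE does not support match_service")
    if len(rule.get("applied_tos") or []) > 1:
        out.append("applied_tos allows a single port")
    return out

def audit(rules):
    """Map rule id -> (effective firewall stage, violations); flag a stateful/stateless mix."""
    report = {r["id"]: (effective_firewall_match(r), check_rule(r)) for r in rules}
    actions = {r.get("action") for r in rules}
    mixed = bool(actions & {"SNAT", "DNAT"}) and "REFLEXIVE" in actions
    return report, mixed

# Constructed sample rules for one logical router (not real configuration).
SAMPLE = [
    {"id": "r1", "action": "DNAT", "translated_network": "10.0.0.5", "translated_ports": "8443"},
    {"id": "r2", "action": "SNAT", "translated_network": "203.0.113.10",
     "translated_ports": "1024-2048", "firewall_match": "MATCH_EXTERNAL_ADDRESS"},
    {"id": "r3", "action": "NO_SNAT", "nat_pass": False, "translated_network": "10.0.0.0/24"},
    {"id": "r4", "action": "REFLEXIVE", "nat_pass": False,
     "match_service": {"resource_type": "L4PortSetNSService"}},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rule r1 sets neither firewall_match nor nat_pass, so it resolves to BYPASS through the nat_pass default; rules of that kind are the ones to review when the firewall stage is expected to apply to translated traffic.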