After receiving the key for processing the packets, the ECS framework creates flows with 5-tuple:
- Source IP
- Source port
- Protocol
- Destination IP
- Destination port
If it is the first packet with a given 5-tuple, a NAT/FW rule match is applied to decide whether the packet is acceptable.
If the packet is acceptable, a flow is created.
Configuration of the NAT realm (NAT IP) is part of the rules. The NAT realm applicable to a flow is taken from the rule definition
that matches the packet.
Rules are configured based on well-known server addresses/port numbers; for example, the FTP service on port 21 and the
SIP service on port 5060.
So, any FTP control session or SIP control session to well-known servers/port numbers finds a matching firewall rule. However,
it may not be possible to configure rules for media flows (child flows), whose addresses and ports are negotiated dynamically in the control signaling.
For FTP data or SIP media packets, the NAT/FW rule match therefore fails and the packets are dropped.
Another requirement is that the control signaling and the corresponding media connection use the same NAT realm, so that the same NAT IP
address applies to both control and media.
Even if the child flow (media connection) does find a matching NAT/FW rule, it would use the NAT realm configured for
that rule, which is not correct: the media flows should use the same NAT realm that applies to the control connection.
So the child flows, even when there is no matching rule, must use the NAT realm of the control connection. To
achieve this, pinholes are created based on the signaling messages. A pinhole contains a subset of the 5-tuple information.
Pinholes allow the traffic without doing any rule match (they bypass the rule match). The NAT realm is associated with the pinhole:
any traffic matching the pinhole is allowed, and the NAT realm specified in the pinhole is applied when NATing the packets.
In the case of many-to-one NAT, the NAT allows downlink packets only if there is an active NAT binding. There are many services
(SIP, for example) where the remote end wants to initiate connections (an incoming call). Under such conditions, to allow downlink
packets the ALG needs to create the required NAT bindings and associate them with the pinholes by parsing the signaling messages.
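The behaviour described above (first-packet rule match, pinholes that bypass the rule match and carry the control connection's NAT realm, and ALG-created NAT bindings for downlink traffic) can be modelled in a few dozen lines. The following is an added illustration written for this page, not the ECS framework's own code; the class and function names, the rule set, the addresses and ports, and the minimal SDP text are all constructed for the example.

```python
"""Toy model of 5-tuple flows, NAT/FW rule match, ALG pinholes and NAT
bindings. Added illustration, not the ECS framework's code; every address,
port and the SDP text below is a constructed sample value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, int, str, str, int]   # (src_ip, src_port, proto, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    proto: str
    dst_port: int
    nat_realm: str           # NAT IP applied to flows that match this rule


@dataclass(frozen=True)
class Pinhole:
    """Subset of the 5-tuple; a None field is a wildcard."""
    proto: str
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    nat_realm: str = ""      # inherited from the control connection, not from a rule

    def matches(self, t: FiveTuple) -> bool:
        src_ip, src_port, proto, dst_ip, dst_port = t
        pairs = [(self.proto, proto), (self.src_ip, src_ip), (self.src_port, src_port),
                 (self.dst_ip, dst_ip), (self.dst_port, dst_port)]
        return all(want is None or want == got for want, got in pairs)


class NatFw:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.flows: Dict[FiveTuple, str] = {}            # 5-tuple -> NAT realm
        self.pinholes: List[Pinhole] = []
        # many-to-one NAT: (nat_ip, nat_port) -> (inside_ip, inside_port)
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self._next_port = 40000

    def _bind(self, inside_ip: str, inside_port: int, realm: str) -> int:
        for (nat_ip, nat_port), inside in self.bindings.items():
            if nat_ip == realm and inside == (inside_ip, inside_port):
                return nat_port                      # reuse the active binding
        nat_port, self._next_port = self._next_port, self._next_port + 1
        self.bindings[(realm, nat_port)] = (inside_ip, inside_port)
        return nat_port

    def uplink(self, t: FiveTuple) -> Tuple[bool, Optional[str]]:
        """First packet of a 5-tuple: pinholes bypass the rule match; otherwise
        the first matching rule decides. Returns (allowed, nat_realm)."""
        if t in self.flows:                          # existing flow, no lookup needed
            return True, self.flows[t]
        realm = next((ph.nat_realm for ph in self.pinholes if ph.matches(t)), None)
        if realm is None:
            rule = next((r for r in self.rules if r.proto == t[2] and r.dst_port == t[4]), None)
            if rule is None:
                return False, None                   # no pinhole, no rule: dropped
            realm = rule.nat_realm
        self.flows[t] = realm
        self._bind(t[0], t[1], realm)
        return True, realm

    def downlink(self, nat_ip: str, nat_port: int) -> Optional[Tuple[str, int]]:
        """Downlink is allowed only when an active NAT binding exists."""
        return self.bindings.get((nat_ip, nat_port))

    def sip_alg(self, control: FiveTuple, sdp: str) -> Tuple[Pinhole, int]:
        """Parse the c=/m= lines of SDP seen on the control flow, open a media
        pinhole carrying the control flow's realm, and pre-create the NAT binding
        so an incoming call's media can reach the inside host."""
        realm = self.flows[control]
        ip, port = None, None
        for line in sdp.splitlines():
            if line.startswith("c=IN IP4 "):
                ip = line.split()[-1]
            elif line.startswith("m=audio "):
                port = int(line.split()[1])
        if ip is None or port is None:
            raise ValueError("SDP without c=/m= lines")
        ph = Pinhole(proto="udp", src_ip=ip, src_port=port, nat_realm=realm)
        self.pinholes.append(ph)
        return ph, self._bind(ip, port, realm)


def demo() -> dict:
    fw = NatFw([Rule("tcp", 21, "203.0.113.10"), Rule("udp", 5060, "203.0.113.20"),
                Rule("udp", 4000, "203.0.113.30")])  # constructed rule set
    sip = ("10.0.0.5", 5060, "udp", "198.51.100.7", 5060)
    media = ("10.0.0.5", 49170, "udp", "198.51.100.9", 30000)
    media_rule_hit = ("10.0.0.5", 49170, "udp", "198.51.100.9", 4000)
    out = {"control": fw.uplink(sip), "media_before_alg": fw.uplink(media)}
    _, nat_port = fw.sip_alg(sip, "v=0\nc=IN IP4 10.0.0.5\nm=audio 49170 RTP/AVP 0\n")
    out["media_after_alg"] = fw.uplink(media)        # pinhole: control realm, no rule needed
    out["media_rule_hit"] = fw.uplink(media_rule_hit) # pinhole realm wins over the rule's realm
    out["inbound"] = fw.downlink("203.0.113.20", nat_port)
    out["stray"] = fw.downlink("203.0.113.20", 65000)
    return out
```

`demo()` walks the scenario from the text: the SIP control packet matches the port-5060 rule and gets that rule's realm; the media packet is dropped until the ALG has parsed the SDP; afterwards the pinhole admits it with the control connection's realm, even for a media 5-tuple that would have matched a rule with a different realm; and downlink packets to the NAT IP are accepted only at a port that has an active binding.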
The following explains the uplink and downlink packet processing: