vyos-1x.git/data/templates/firewall, branch vyos/1.4dev0

vyos-1x.git/data/templates/firewall, branch vyos/1.4dev0 VyOS command definitions, scripts, and utilities (mirror of https://github.com/marekm72/vyos-1x.git) https://git.amelek.net/marekm72/vyos-1x.git/atom?h=vyos%2F1.4dev0 2020-11-28T20:10:10+00:00 nat: T3092: migrate to get_config_dict() 2020-11-28T20:10:10+00:00 Christian Poessinger christian@poessinger.com 2020-11-28T20:10:10+00:00 urn:sha1:e4ea410b7587b0018055962c295ab491133f458c The NAT system consists out of nested tag nodes which makes manual parsing very hard. This is a perfect candidate for migrating this to get_config_dict() as there is already a smoketest in place. In addition this should make it easier to add features like static nat/hairpin. vyos.template: T2720: fix remaining in-line time_block syntax 2020-11-28T07:25:39+00:00 Christian Poessinger christian@poessinger.com 2020-11-28T07:25:39+00:00 urn:sha1:c87ad948999c28c3c9449f98d60b545481ea29d5 Commit a2ac9fac ("vyos.template: T2720: always enable Jinja2 trim_blocks feature") globally enabled the trim_blocks feature. Some templates still used in-line trim_blocks "{%"- or "-%}" which caused miss-placed line endings. This is fixed by removing all in-line trim_block statememnts of Jinja2 templates. nat: T2951: use proper comments for source/destination logging 2020-10-05T16:42:07+00:00 Christian Poessinger christian@poessinger.com 2020-10-05T16:42:07+00:00 urn:sha1:65acae4868363117697ccefff10d0ef12fae9da4 For both source and destination NAT always the LOG name contained DST - which is definately false. This has been corrected to use SRC and DST on the appropriate rules. nat: T2699: fix exclusion rules for noNAT destinations 2020-07-12T09:54:16+00:00 Christian Poessinger christian@poessinger.com 2020-07-12T09:54:16+00:00 urn:sha1:6f44b47d8f2bf04984684a0752ab224960260b0d nat: T2593: fix for SNAT translation port when using masquerade 2020-06-14T09:46:15+00:00 Christian Poessinger christian@poessinger.com 2020-06-14T09:46:15+00:00 urn:sha1:5f75ecc0e207ee5c04b956e12b65c5846bb7b9be The "to" qualifier did not get rendered when using source ports in masquerade targets. This case was totally missed out when porting. nat: T2571: add special handling for negated source/destination port(s) 2020-06-11T22:52:52+00:00 Christian Poessinger christian@poessinger.com 2020-06-11T22:52:52+00:00 urn:sha1:3b8c45989e8fee5ec445ac8c8335a4de43ec9e81 We specify NFT source/destination ports within a { } group, but if the port range in question is negated, we need to move the != fraction out of { } and infront of that group, else NFT loading will fail big time. Revert "nat: T2571: fix negated port definitions" 2020-06-11T22:22:58+00:00 Christian Poessinger christian@poessinger.com 2020-06-11T22:22:58+00:00 urn:sha1:d41903ff8082164719296cbef46d07d036241c2c This reverts commit 927c054d9236c2c34ca43c1cbfff10fcfd7f5077. nat: T2571: fix negated port definitions 2020-06-11T14:54:00+00:00 Christian Poessinger christian@poessinger.com 2020-06-11T14:54:00+00:00 urn:sha1:927c054d9236c2c34ca43c1cbfff10fcfd7f5077 nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNAT 2020-05-16T16:25:58+00:00 Christian Poessinger christian@poessinger.com 2020-05-16T14:16:09+00:00 urn:sha1:6f349ee3b4d3da731ca22a70db6650848a0c28d9 By using a Jinja2 macro the same template code can be used to create both source and destination NAT rules with only minor changes introduced by e.g. the used chain (POSTROUTING vs PREROUTING). Used the following configuration for testing on two systems with VyOS 1.2 and the old implementation vs the new one here. set nat destination rule 15 description 'foo-10' set nat destination rule 15 destination address '1.1.1.1' set nat destination rule 15 inbound-interface 'eth0.202' set nat destination rule 15 protocol 'tcp_udp' set nat destination rule 15 translation address '192.0.2.10' set nat destination rule 15 translation port '3389' set nat destination rule 20 description 'foo-20' set nat destination rule 20 destination address '2.2.2.2' set nat destination rule 20 destination port '22' set nat destination rule 20 inbound-interface 'eth0.201' set nat destination rule 20 protocol 'tcp' set nat destination rule 20 translation address '192.0.2.10' set nat source rule 100 outbound-interface 'eth0.202' set nat source rule 100 protocol 'all' set nat source rule 100 source address '192.0.2.0/26' set nat source rule 100 translation address 'masquerade' set nat source rule 110 outbound-interface 'eth0.202' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/26' set nat source rule 110 source port '5556' set nat source rule 110 translation address 'masquerade' set nat source rule 120 outbound-interface 'eth0.202' set nat source rule 120 protocol 'tcp_udp' set nat source rule 120 source address '192.0.3.0/26' set nat source rule 120 translation address '2.2.2.2' nat: T2198: restructure DNAT template part for less duplicated code 2020-05-16T16:25:58+00:00 Christian Poessinger christian@poessinger.com 2020-05-16T13:29:31+00:00 urn:sha1:d7662ecfff558192a5b5009679108ca58c8518fa Build up only one output rule string by appending the configuration part by part.