-rw-r--r--data/templates/firewall/nftables-nat.tmpl23
-rw-r--r--interface-definitions/include/nat-translation-options.xml.i51
-rw-r--r--interface-definitions/nat.xml.in2
3 files changed, 76 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index b80fc1968..e2776e9c2 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -73,6 +73,26 @@
{% set trns_addr = 'return' %}
{% set trns_port = '' %}
{% endif %}
+{# T1083: NAT address and port translation options #}
+{% if config.translation.options is defined and config.translation.options is not none %}
+{% if config.translation.options.address_mapping is defined and config.translation.options.address_mapping == "persistent" %}
+{% set trns_opts_addr = 'persistent' %}
+{% endif %}
+{% if config.translation.options.port_mapping is defined %}
+{% if config.translation.options.port_mapping == "random" %}
+{% set trns_opts_port = 'random' %}
+{% elif config.translation.options.port_mapping == "fully-random" %}
+{% set trns_opts_port = 'fully-random' %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% if trns_opts_addr and trns_opts_port %}
+{% set trns_opts = trns_opts_addr + ',' + trns_opts_port %}
+{% elif trns_opts_addr %}
+{% set trns_opts = trns_opts_addr %}
+{% elif trns_opts_port %}
+{% set trns_opts = trns_opts_port %}
+{% endif %}
{% set output = 'add rule ip nat ' + chain + interface %}
{% if protocol != 'all' %}
{% set output = output + ' ip protocol ' + protocol %}
@@ -104,6 +124,9 @@
{# e.g. 192.0.2.10:3389 #}
{% set output = output + trns_port %}
{% endif %}
+{% if trns_opts %}
+{% set output = output + ' ' + trns_opts %}
+{% endif %}
{% if comment %}
{% set output = output + ' comment "' + comment + '"' %}
{% endif %}
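Review bot: The flags are appended on L45–L47 whenever any option was collected, with no check that the rule translates at all; the branch that closes at the top of the first hunk sets `trns_addr` to `return` and clears `trns_port`, so a rule in that state with `translation options` configured would presumably render `... return persistent`, which `nft` does not accept, and a rejected ruleset means the whole NAT change fails to load. Guard the append on a real translation, `{% if trns_opts and trns_addr != 'return' %}`, or clear `trns_opts` in the same branch that assigns `trns_addr = 'return'`. The condition selecting that `return` case lies outside the hunk, so this is inferred from L15–L17 alone and should be confirmed against the template head. The enclosing template block continues before and after this hunk.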
diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i
new file mode 100644
index 000000000..defc8c0d5
--- /dev/null
+++ b/interface-definitions/include/nat-translation-options.xml.i
@@ -0,0 +1,51 @@
+<!-- include start from nat-translation-options.xml.i -->
+<node name="options">
+ <properties>
+ <help>Translation options</help>
+ </properties>
+ <children>
+ <leafNode name="address-mapping">
+ <properties>
+ <help>Address mapping options</help>
+ <completionHelp>
+ <list>persistent random</list>
+ </completionHelp>
+ <valueHelp>
+ <format>persistent</format>
+ <description>Gives a client the same source or destination-address for each connection</description>
+ </valueHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Random source or destination address allocation for each connection (defaut)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(persistent|random)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="port-mapping">
+ <properties>
+ <help>Port mapping options</help>
+ <completionHelp>
+ <list>random fully-random none</list>
+ </completionHelp>
+ <valueHelp>
+ <format>random</format>
+ <description>Randomize source port mapping</description>
+ </valueHelp>
+ <valueHelp>
+ <format>fully-random</format>
+ <description>Full port randomization</description>
+ </valueHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Do not apply port randomization (default)</description>
+ </valueHelp>
+ <constraint>
+ <regex>^(random|fully-random|none)$</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+</node>
+<!-- include end -->
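Review bot: `(defaut)` on L75 is a typo for `(default)`, and the same entry presents `random` as an allocation mode even though the template emits nothing for it, so the description should say it merely selects no flag, e.g. `No address pinning; the kernel default mapping is used (default)`. The `port-mapping` help on L90 and L94 never says why an operator would turn it on; the usual rationale for these flags is to stop the NAT from giving translated flows predictable ports, which matters for DNS resolvers and other UDP clients behind it, so a sentence such as `Randomize the port chosen by the NAT so translated flows do not get predictable ports` would help. Because this include is also pulled into the destination NAT node (second nat.xml.in hunk), `Randomize source port mapping` on L90 is misleading there; `Randomize port mapping` covers both uses.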
diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index 6ed52fd29..0d6093347 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -50,6 +50,7 @@
</properties>
</leafNode>
#include <include/nat-translation-port.xml.i>
+ #include <include/nat-translation-options.xml.i>
</children>
</node>
</children>
@@ -168,6 +169,7 @@
</properties>
</leafNode>
#include <include/nat-translation-port.xml.i>
+ #include <include/nat-translation-options.xml.i>
</children>
</node>
</children>