Age | Commit message (Collapse) | Author |
|
zone-policy
|
|
Also fixes:
* Issue with multiple state-policy rules being created on firewall updates
* Prevents interface rules being inserted before state-policy
|
|
|
|
|
|
|
|
Currently, all VRFs share the same connection tracking table, which can
lead to problems:
- traffic leaks to a wrong VRF
- improper NAT rules handling when multiple VRFs contain the same IP
networks
- stateful firewall rules issues
The commit implements connection tracking zones support. Each VRF
utilizes its own zone, so connections will never mix up.
It also adds some restrictions to VRF names and assigned table numbers,
because of nftables and conntrack requirements:
- VRF name should always start from a letter (interfaces that start from
numbers are not supported in nftables rules)
- table number must be in the 100-65535 range because conntrack supports
only 65535 zones
|
|
Commit 166d44b3 ("nat: T1083: add translation options for persistent/random
mapping of address and port") added support for persistent IP address and port
mappings for NAT.
Unfortunately one if clause got lost in translation.
|
|
and port
Tested using:
set destination rule 100 inbound-interface 'eth0'
set destination rule 100 translation address '19.13.23.42'
set destination rule 100 translation options address-mapping 'random'
set destination rule 100 translation options port-mapping 'none'
set source rule 1000 outbound-interface 'eth0'
set source rule 1000 translation address '122.233.231.12'
set source rule 1000 translation options address-mapping 'persistent'
set source rule 1000 translation options port-mapping 'fully-random'
|
|
|
|
|
|
|
|
Fix destination NAT template trying to map source->translation
instead of destination->translation.
Fixes https://phabricator.vyos.net/T3307
|
|
|
|
|
|
|
|
|
|
|
|
Support a 1:1 or 1:n prefix translation. The following configuration will NAT
source addresses from the 10.2.0.0/16 range to an address from 192.0.2.0/29.
For this feature to work a Linux Kernel 5.8 or higher is required!
vyos@vyos# show nat
source {
rule 100 {
outbound-interface eth1
source {
address 10.2.0.0/16
}
translation {
address 192.0.2.0/29
}
}
}
This results in the nftables configuration:
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth1" counter packets 0 bytes 0 snat ip prefix to ip saddr map
{ 10.2.0.0/16 : 192.0.2.0/29 } comment "SRC-NAT-100"
}
|
|
|
|
The NAT system consists out of nested tag nodes which makes manual parsing very
hard. This is a perfect candidate for migrating this to get_config_dict() as
there is already a smoketest in place.
In addition this should make it easier to add features like static nat/hairpin.
|
|
Commit a2ac9fac ("vyos.template: T2720: always enable Jinja2 trim_blocks
feature") globally enabled the trim_blocks feature. Some templates still used
in-line trim_blocks "{%"- or "-%}" which caused miss-placed line endings.
This is fixed by removing all in-line trim_block statememnts of Jinja2 templates.
|
|
For both source and destination NAT always the LOG name contained DST - which
is definately false. This has been corrected to use SRC and DST on the
appropriate rules.
|
|
|
|
The "to" qualifier did not get rendered when using source ports in masquerade
targets. This case was totally missed out when porting.
|
|
We specify NFT source/destination ports within a { } group, but if the port
range in question is negated, we need to move the != fraction out of { } and
infront of that group, else NFT loading will fail big time.
|
|
This reverts commit 927c054d9236c2c34ca43c1cbfff10fcfd7f5077.
|
|
|
|
By using a Jinja2 macro the same template code can be used to create both
source and destination NAT rules with only minor changes introduced by
e.g. the used chain (POSTROUTING vs PREROUTING).
Used the following configuration for testing on two systems with VyOS 1.2
and the old implementation vs the new one here.
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 15 translation port '3389'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
set nat source rule 120 outbound-interface 'eth0.202'
set nat source rule 120 protocol 'tcp_udp'
set nat source rule 120 source address '192.0.3.0/26'
set nat source rule 120 translation address '2.2.2.2'
|
|
Build up only one output rule string by appending the configuration part by
part.
|
|
CLI commands used for ruleset generation:
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
|
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to
nftables and then do the diff. To convert from iptables to nftables use the
following command:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat source rule 10 description 'foo-10'
set nat source rule 10 destination address '1.1.1.1'
set nat source rule 10 destination port '1111'
set nat source rule 10 exclude
set nat source rule 10 log 'enable'
set nat source rule 10 outbound-interface 'eth0.202'
set nat source rule 10 protocol 'tcp_udp'
set nat source rule 10 translation address '192.0.2.10'
set nat source rule 15 description 'foo-10'
set nat source rule 15 destination address '1.1.1.1'
set nat source rule 15 exclude
set nat source rule 15 log 'enable'
set nat source rule 15 outbound-interface 'eth0.202'
set nat source rule 15 protocol 'tcp_udp'
set nat source rule 15 translation address '192.0.2.10'
set nat source rule 20 description 'foo-20'
set nat source rule 20 destination address '2.2.2.2'
set nat source rule 20 log 'enable'
set nat source rule 20 outbound-interface 'eth0.201'
set nat source rule 20 protocol 'tcp'
set nat source rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
|
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to
nftables and then do the diff. To convert from iptables to nftables use the
following command:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat destination rule 10 description 'foo-10'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '1111'
set nat destination rule 10 exclude
set nat destination rule 10 inbound-interface 'eth0.202'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.10'
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 exclude
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 log
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 log
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
|
|
|
|
Make the entire template more maintainable
|
|
|
|
|
|
When instantiating NAT it is required to isntall some nftable jump targets.
The targets need to be added after a specific other target thus we need to
dynamically query the handler number. This is done by get_handler() which could
be moved to vyos.util at a later point in time so it can be reused for a
firewall rewrite.
|
|
|