summaryrefslogtreecommitdiff
path: root/src/conf_mode/nat.py
AgeCommit message (Collapse)Author
2024-09-16T6687: add fqdn support to nat rules.Nicolas Fort
2024-08-02T6629: call check_kmod within a standard config functionJohn Estabrook
Move the remaining calls to check_kmod within a standard function, with placement determined by the needs of the config script.
2024-05-22nat: T6365: use interface_exists() over netifaces.interfaces()Christian Breunig
2024-05-22nat: T6365: use string startswith() over [0] index accessChristian Breunig
2024-05-22nat: T6365: remove warnings for negated interface selections by nameRyazanov Alexander Mihailovich
2024-04-03T6199: drop unused Python importsChristian Breunig
found using "git ls-files *.py | xargs pylint | grep W0611"
2024-04-01nat: T2199: always use full nft command name (e.g. --file over -f)Christian Breunig
2024-03-05T6075: firewall and NAT: check if interface-group exists when using them in ↵Nicolas Fort
firewall|nat rules.
2024-02-01Merge pull request #2756 from nicolas-fort/T4839Christian Breunig
T4839: firewall: Add dynamic address group in firewall configuration
2024-01-25T4839: firewall: Add dynamic address group in firewall configuration, and ↵Nicolas Fort
appropiate commands to populate such groups using source and destination address of the packet.
2024-01-04T5159: nat: add option to map network and ports. Feature used for large ↵Nicolás Fort
deployments in cgnat. (#2694)
2023-12-29nat: T5681: relax wording on non existing interface Warning messageChristian Breunig
Remove the word "error" from a Warning only message to not irritate the user.
2023-10-25T5681: Firewall,Nat and Nat66: simplified and standarize interface matcher ↵Nicolas Fort
(valid for interfaces and groups) in firewal, nat and nat66.
2023-10-11T5643: nat: add interface-groups to nat. Use same cli structure for ↵Nicolas Fort
interface-name|interface-group as in firewall.
2023-09-16nat: Remove deprecated kernel checksarthurdev
/usr/libexec/vyos/conf_mode/nat.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives from distutils.version import LooseVersion
2023-09-16conntrack: T5571: Refactor conntrack to be independent conf script from ↵sarthurdev
firewall, nat, nat66
2023-09-13T5561: nat: defining inbound|outbound interface should not be mandatory ↵Nicolas Fort
while configuring dNAT|sNAT rule
2023-09-04nat: T1877: Fix typo in nat ConfigErrorsarthurdev
2023-08-23T5472: nat redirect: allow redirection without defining redirected portNicolas Fort
2023-08-09Merge pull request #2136 from jestabro/with-defaultsChristian Breunig
T5319: remove workarounds for incorrect defaults in config-mode scripts
2023-08-08Merge pull request #2119 from nicolas-fort/T5014-dnatChristian Breunig
T5014: nat: add source and destination nat options for configuring lo…
2023-08-07T5319: remove workarounds for defaults in nat.pyJohn Estabrook
2023-08-06T5195: move helpers from vyos.validate to vyos.utils packageChristian Breunig
2023-07-31Merge branch 'current' into T5014-dnatNicolás Fort
2023-07-31T5014: fix conflicts. Add code for redirection, which is causing conflicts. ↵Nicolas Fort
Change code for new syntax
2023-07-31T5014: nat: add source and destination nat options for configuring load ↵Nicolas Fort
balance within a single rule.
2023-07-19T4899: NAT Redirect: adddestination nat redirection (to local host) feature.Nicolas Fort
2023-07-15T5195: vyos.util -> vyos.utils package refactoring part #2Christian Breunig
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2022-11-03nat: T1877: T970: Add firewall groups to NATsarthurdev
2022-10-25nat: T4706: Verify translation address or port existssarthurdev
2022-10-25nat: T4764: Remove tables on NAT deletionsarthurdev
2022-09-21nat: T4605: Refactor static NAT to use python module for parsing rulessarthurdev
* Rename table to vyos_nat * Add static NAT smoketest
2022-09-21nat: T4605: Refactor NAT to use python module for parsing rulessarthurdev
* Rename table to vyos_nat * Refactor tests to use `verify_nftables` format
2022-08-31nat: T538: Move nat configs to /run directoryViacheslav Hletenko
2022-08-29nat: T4367: Move nat rules from /tmp to /run/nftables_nat.confViacheslav Hletenko
Move nftables nat configuration from /tmp to /run As we have for other services like firewall, conntrack Don't remove the config file '/run/nftables_nat.conf' after commit
2022-08-17nat: T538: Add static NAT one-to-oneViacheslav Hletenko
Ability to set static NAT (one-to-one) in one rule set nat static rule 10 destination address '203.0.113.0/24' set nat static rule 10 inbound-interface 'eth0' set nat static rule 10 translation address '192.0.2.0/24' It will be enough for PREROUTING and POSTROUTING rules Use a separate table 'vyos_static_nat' as SRC/DST rules and STATIC rules can have the same rule number
2022-05-01firewall: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-04-16vyos.base: use Warning() helper where applicableChristian Poessinger
2022-04-10nat: T2199: bugfix dry-run newly generated config before installChristian Poessinger
Commit bb76e8d7f1635 ("nat: T2199: dry-run newly generated config before install") added support to verify the generated nftables ruleset. Unfortunately if the verify failed - a Python exception was triggered: NameError: name 'nftables_ct_file' is not defined This was due to bad copy/pasting.
2022-01-10nat: T2199: dry-run newly generated config before installChristian Poessinger
Before installing a new conntrack policy into the OS Kernel, the new policy should be verified by nftables if it can be loaded at all or if it will fail to load. There is no need to load a "bad" configuration if we can pre-test it.
2022-01-01nat: T2199: rename iptables -> nftables variable prefixChristian Poessinger
2021-12-06firewall: T2199: Migrate firewall to XML/Pythonsarthurdev
2021-08-18nat: T2198: remove superfluous else clause on missing outbound-interfaceChristian Poessinger
2021-01-19nat: T2947: add many-many translationChristian Poessinger
Support a 1:1 or 1:n prefix translation. The following configuration will NAT source addresses from the 10.2.0.0/16 range to an address from 192.0.2.0/29. For this feature to work a Linux Kernel 5.8 or higher is required! vyos@vyos# show nat source { rule 100 { outbound-interface eth1 source { address 10.2.0.0/16 } translation { address 192.0.2.0/29 } } } This results in the nftables configuration: chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname "eth1" counter packets 0 bytes 0 snat ip prefix to ip saddr map { 10.2.0.0/16 : 192.0.2.0/29 } comment "SRC-NAT-100" }
2021-01-11nat: T3206: unable to delete only rules but keep destination nodeChristian Poessinger
2020-12-01nat: T3102: Check key in dictionaryDmitriyEshenko
2020-11-28nat: T3092: migrate to get_config_dict()Christian Poessinger
The NAT system consists out of nested tag nodes which makes manual parsing very hard. This is a perfect candidate for migrating this to get_config_dict() as there is already a smoketest in place. In addition this should make it easier to add features like static nat/hairpin.
2020-11-27vyos.template: T2720: always enable Jinja2 trim_blocks featureChristian Poessinger
2020-10-01nat: T2948: fix validation of IP address rangeChristian Poessinger