| Age | Commit message (Collapse) | Author |
|---|
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to
nftables and then do the diff. To convert from iptables to nftables use the
following command:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat destination rule 10 description 'foo-10'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '1111'
set nat destination rule 10 exclude
set nat destination rule 10 inbound-interface 'eth0.202'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.10'
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 exclude
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 log
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 log
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
|
|
|
|
Destination NAT configuration: destination ports can only be specified when
protocol is tcp, udp or tcp_udp.
|
|
|
|
|
|
|
|
When instantiating NAT it is required to isntall some nftable jump targets.
The targets need to be added after a specific other target thus we need to
dynamically query the handler number. This is done by get_handler() which could
be moved to vyos.util at a later point in time so it can be reused for a
firewall rewrite.
|
|
|
|
|
|
|
|
|
