Age | Commit message (Collapse) | Author |
|
|
|
tested using:
set nat destination rule 399 description 'Redirect DNS iot VLAN'
set nat destination rule 399 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 399 destination port '53'
set nat destination rule 399 inbound-interface bond10.204
set nat destination rule 399 log
set nat destination rule 399 protocol 'tcp_udp'
set nat destination rule 399 translation address '192.168.67.243'
set nat destination rule 399 translation port '53'
set nat destination rule 400 description 'Redirect DNS lan VLAN'
set nat destination rule 400 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 400 destination port '53'
set nat destination rule 400 inbound-interface bond10.204
set nat destination rule 400 log
set nat destination rule 400 protocol 'tcp_udp'
set nat destination rule 400 translation address '192.168.67.243'
set nat destination rule 400 translation port '53'
set nat destination rule 401 description 'Redirect DNS guest VLAN'
set nat destination rule 401 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 401 destination port '53'
set nat destination rule 401 inbound-interface bond10.204
set nat destination rule 401 log
set nat destination rule 401 protocol 'tcp_udp'
set nat destination rule 401 translation address '192.168.67.243'
set nat destination rule 401 translation port '53'
|
|
airbag must now be explicitly installed.
the patch also allow to fully disables the installation of the logging
code at setup (and not just installing and doing nothing)
|
|
That warning made no sense as the destination address where we forward a port
to is by design not locally connected.
|
|
- define XML CLI interface
- read CLI into Python dict
|
|
CLI commands used for ruleset generation:
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
|
|
|
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3 this was done by converting the 1.2 iptables ruleset to
nftables and then do the diff. To convert from iptables to nftables use the
following command:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat destination rule 10 description 'foo-10'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '1111'
set nat destination rule 10 exclude
set nat destination rule 10 inbound-interface 'eth0.202'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.10'
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 exclude
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 log
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 log
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
|
|
|
|
Destination NAT configuration: destination ports can only be specified when
protocol is tcp, udp or tcp_udp.
|
|
|
|
|
|
|
|
When instantiating NAT it is required to isntall some nftable jump targets.
The targets need to be added after a specific other target thus we need to
dynamically query the handler number. This is done by get_handler() which could
be moved to vyos.util at a later point in time so it can be reused for a
firewall rewrite.
|
|
|
|
|
|
|
|
|