From a927192af24079e6d392e5cae0340441490c0091 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Fri, 1 May 2020 19:25:36 +0200
Subject: nat: T2198: move from iptables to nftables

---
 data/templates/firewall/nftables-nat.tmpl | 43 +++++++++++++++++++++++++++++++
 data/templates/nat/iptables-restore.tmpl  | 38 ---------------------------
 debian/control                            |  1 -
 src/conf_mode/nat.py                      | 17 +++++++++---
 4 files changed, 56 insertions(+), 43 deletions(-)
 create mode 100644 data/templates/firewall/nftables-nat.tmpl
 delete mode 100644 data/templates/nat/iptables-restore.tmpl

diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
new file mode 100644
index 000000000..340ab3678
--- /dev/null
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+# Start with a "clean" NAT table
+flush table nat
+
+add chain ip raw NAT_CONNTRACK
+add rule ip raw PREROUTING position 25 counter jump VYATTA_CT_HELPER
+add rule ip raw PREROUTING position 17 counter jump NAT_CONNTRACK
+add rule ip raw OUTPUT position 26 counter jump VYATTA_CT_HELPER
+add rule ip raw OUTPUT position 21 counter jump NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
+
+
+{% for r in destination -%}
+{% if r.protocol == 'tcp_udp' %}
+{# Special handling for protocol tcp_udp which is represented as two individual rules #}
+add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
+add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
+{% else %}
+add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}"
+{% endif %}
+{% endfor %}
+
+
+{% for r in source -%}
+{% if r.log %}
+{% if r.exclude %}
+{% set value = 'EXCL' %}
+{% elif r.translation_address == 'masquerade' %}
+{% set value = 'MASQ' %}
+{% endif %}
+add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}"
+{% endif %}
+
+{% if r.exclude %}
+{% set value = 'return' %}
+{% elif r.translation_address == 'masquerade' %}
+{% set value = 'masquerade' %}
+{% else %}
+{% set value = 'snat to ' + r.translation_address %}
+{% endif %}
+add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}"
+{% endfor %}
diff --git a/data/templates/nat/iptables-restore.tmpl b/data/templates/nat/iptables-restore.tmpl
deleted file mode 100644
index f20a05719..000000000
--- a/data/templates/nat/iptables-restore.tmpl
+++ /dev/null
@@ -1,38 +0,0 @@
-### Autogenerated by nat.py ###
-
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-:VYATTA_PRE_DNAT_HOOK - [0:0]
-:VYATTA_PRE_SNAT_HOOK - [0:0]
--A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-{% for r in destination -%}
-{% if (',' in r.dest_port) or ('-' in r.dest_port) %}
-
-{% if r.protocol == 'tcp_udp' %}
-# protocol has been tcp_udp - create two distinct rules
--A PREROUTING -i {{ r.interface_in }} -p tcp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
--A PREROUTING -i {{ r.interface_in }} -p udp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
-{% else %}
--A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
-{%- endif %}
-
-{% else %}
-
-{% if r.protocol == 'tcp_udp' %}
-# protocol has been tcp_udp - create two distinct rules
--A PREROUTING -i {{ r.interface_in }} -p tcp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
--A PREROUTING -i {{ r.interface_in }} -p udp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
-{% else %}
--A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m {{ r.protocol }} --dport {{ r.dest_port }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
-{% endif %}
-
-{%- endif %}
-
-{% endfor %}
--A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
--A VYATTA_PRE_DNAT_HOOK -j RETURN
--A VYATTA_PRE_SNAT_HOOK -j RETURN
-COMMIT
diff --git a/debian/control b/debian/control
index c8fa8ca63..2aaca13ba 100644
--- a/debian/control
+++ b/debian/control
@@ -92,7 +92,6 @@ Depends: python3,
   pppoe,
   salt-minion,
   vyos-utils,
-  iptables,
   nftables,
   conntrack,
   ${shlibs:Depends},
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index b4e8c2053..2e866fdf4 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -14,6 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import os
+
 from copy import deepcopy
 from sys import exit
 from netifaces import interfaces
@@ -28,7 +30,14 @@ default_config_data = {
     'destination': []
 }
 
-iptables_nat_config = '/tmp/iptables_nat_config'
+iptables_nat_config = '/tmp/vyos-nat-rules.nft'
+
+def _check_kmod():
+    modules = ['nft_nat', 'nft_chain_nat_ipv4']
+    for module in modules:
+        if not os.path.exists(f'/sys/module/{module}'):
+            if call(f'modprobe {module}') != 0:
+                raise ConfigError(f'Loading Kernel module {module} failed')
 
 def parse_source_destination(conf, source_dest):
     """ Common wrapper to read in both NAT source and destination CLI """
@@ -128,19 +137,19 @@ def generate(nat):
     if not nat:
         return None
 
-    render(iptables_nat_config, 'nat/iptables-restore.tmpl', nat, trim_blocks=True)
+    render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755)
     return None
 
 def apply(nat):
     if not nat:
         return None
 
-    call(f'iptables-restore --test < {iptables_nat_config}')
-
+    call(f'{iptables_nat_config}')
     return None
 
 if __name__ == '__main__':
     try:
+        _check_kmod()
         c = get_config()
         verify(c)
         generate(c)
-- 
cgit v1.2.3