From 3b8c45989e8fee5ec445ac8c8335a4de43ec9e81 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 12 Jun 2020 00:52:52 +0200
Subject: nat: T2571: add special handling for negated source/destination port(s)

We specify NFT source/destination ports within a { } group, but if the port range in question is negated, we need to move the != fraction out of { } and infront of that group, else NFT loading will fail big time.
---
 data/templates/firewall/nftables-nat.tmpl | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
(limited to 'data')

diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index abb32ddc6..35b2c1232 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -29,9 +29,22 @@ add rule ip raw NAT_CONNTRACK counter accept
 {% macro nat_rule(rule, chain) %}
 {% set src_addr = "ip saddr " + rule.source_address if rule.source_address %}
-{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %}
 {% set dst_addr = "ip daddr " + rule.dest_address if rule.dest_address %}
-{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.source_port.startswith('!=') %}
+{% set src_port = "sport != { " + rule.source_port.replace('!=','') +" }" if rule.source_port %}
+{% else %}
+{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %}
+{% endif %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.dest_port.startswith('!=') %}
+{% set dst_port = "dport != { " + rule.dest_port.replace('!=','') +" }" if rule.dest_port %}
+{% else %}
+{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %}
+{% endif %}
+
 {% set comment = "DST-NAT-" + rule.number %}
 {% if chain == "PREROUTING" %}
-- 
cgit v1.2.3
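Review bot: The new `{% if rule.source_port.startswith('!=') %}` and `{% if rule.dest_port.startswith('!=') %}` guards call a string method before checking that the port is set at all, whereas the removed lines only touched `rule.source_port` / `rule.dest_port` behind an inline `if rule.source_port` / `if rule.dest_port`; a NAT rule that matches on address only would now fail at render time (`AttributeError` on `None`, or Jinja's `UndefinedError` for a missing attribute) instead of leaving `src_port` / `dst_port` unset. Test the attribute first, `{% if rule.source_port and rule.source_port.startswith('!=') %}` and `{% if rule.dest_port and rule.dest_port.startswith('!=') %}`, after which the trailing `if rule.source_port` / `if rule.dest_port` on the inner `set` lines is redundant. Whether a port-less rule actually reaches this macro depends on the Python code that builds `rule`, which is not visible here. Separately, `replace('!=','')` strips every occurrence rather than only the leading one, so a value such as `!= 80,!= 443` would silently become `80, 443` inside the group; if the config validator guarantees a single leading `!=`, a one-line comment saying so would spare the next reader the question. The `nat_rule` macro continues past the end of the hunk.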