From 8062afa8a5beb73464e911cf7c5ca66f58585d0b Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 15 May 2020 23:22:22 +0200
Subject: nat: T2198: sync generated SNAT rules with VyOS 1.2

The NAT rules generated by VyOS 1.2 were compared against the nftables ruleset generated by VyOS 1.3. This was done by converting the 1.2 iptables ruleset to nftables and then diffing the two. To convert from iptables to nftables use the following commands:

$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables

The following CLI options have been used for testing:

set nat source rule 10 description 'foo-10'
set nat source rule 10 destination address '1.1.1.1'
set nat source rule 10 destination port '1111'
set nat source rule 10 exclude
set nat source rule 10 log 'enable'
set nat source rule 10 outbound-interface 'eth0.202'
set nat source rule 10 protocol 'tcp_udp'
set nat source rule 10 translation address '192.0.2.10'
set nat source rule 15 description 'foo-10'
set nat source rule 15 destination address '1.1.1.1'
set nat source rule 15 exclude
set nat source rule 15 log 'enable'
set nat source rule 15 outbound-interface 'eth0.202'
set nat source rule 15 protocol 'tcp_udp'
set nat source rule 15 translation address '192.0.2.10'
set nat source rule 20 description 'foo-20'
set nat source rule 20 destination address '2.2.2.2'
set nat source rule 20 log 'enable'
set nat source rule 20 outbound-interface 'eth0.201'
set nat source rule 20 protocol 'tcp'
set nat source rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
---
 data/templates/firewall/nftables-nat.tmpl | 49 ++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 10 deletions(-)
(limited to 'data')
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 929cae563..928f4ecfe 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -74,23 +74,52 @@ add rule ip nat {{ chain }} iifname "{{ iface }}" {{ proto_dst_port }} {{ dst_ad
 {% endfor %}
-{% for r in source -%}
+{% for r in source if not r.disabled -%}
+{% set chain = "POSTROUTING" %}
+{% set dst_addr = "ip daddr " + r.dest_address if r.dest_address %}
+{% set dst_port = "dport { " + r.dest_port +" }" if r.dest_port %}
+{% set trns_addr = "snat to " + r.translation_address %}
+{% set trns_port = ":" + r.translation_port if r.translation_port %}
+{% set comment = "SRC-NAT-" + r.number %}
+{% set iface = r.interface_out %}
+
 {% if r.log %}
 {% if r.exclude %}
-{% set value = 'EXCL' %}
+{% set log = "[" + comment + "-EXCL]" %}
 {% elif r.translation_address == 'masquerade' %}
-{% set value = 'MASQ' %}
+{% set log = "[" + comment + "-MASQ]" %}
+{% else %}
+{% set log = "[" + comment + "]" %}
 {% endif %}
- add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}"
 {% endif %}
 {% if r.exclude %}
-{% set value = 'return' %}
-{% elif r.translation_address == 'masquerade' %}
-{% set value = 'masquerade' %}
+{# rule has been marked as "exclude" thus we simply return here #}
+{% set trns_addr = "return" %}
+{% set trns_port = "" %}
+{% endif %}
+
+{% if r.protocol == 'tcp_udp' %}
+{# Special handling for protocol tcp_udp which is represented as two individual rules #}
+{% set comment = comment + " tcp_udp" %}
+{% if log %}
+
+{% set tcp_dst_port = "tcp " + dst_port if dst_port else "ip protocol tcp" %}
+{% set udp_dst_port = "udp " + dst_port if dst_port else "ip protocol udp" %}
+
+add rule ip nat {{ chain }} oifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
+{% endif %}
+add rule ip nat {{ chain }} oifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
+{% if log %}
+add rule ip nat {{ chain }} oifname 
"{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}" +{% endif %} +add rule ip nat {{ chain }} oifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}" + {% else %} -{% set value = 'snat to ' + r.translation_address %} +{% set proto_dst_port = dst_port if dst_port else "ip protocol " + r.protocol %} +{% if log %} +add rule ip nat {{ chain }} oifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}" +{% endif %} +add rule ip nat {{ chain }} oifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}" {% endif %} - add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}" {% endfor %} - -- cgit v1.2.3