From 40e8938667b06615e0a1a26271a30e00f8cff2c6 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 1 May 2020 13:23:20 +0200 Subject: nat: T2198: initial XML and Python representation --- .../include/nat-address-port.xml.i | 47 ++++++++++++ interface-definitions/include/nat-rule.xml.i | 86 ++++++++++++++++++++++ .../include/nat-translation-port.xml.i | 13 ++++ 3 files changed, 146 insertions(+) create mode 100644 interface-definitions/include/nat-address-port.xml.i create mode 100644 interface-definitions/include/nat-rule.xml.i create mode 100644 interface-definitions/include/nat-translation-port.xml.i (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/nat-address-port.xml.i b/interface-definitions/include/nat-address-port.xml.i new file mode 100644 index 000000000..0848364ff --- /dev/null +++ b/interface-definitions/include/nat-address-port.xml.i @@ -0,0 +1,47 @@ + + + IP address, subnet, or range + + ipv4 + IPv4 address to match + + + ipv4net + IPv4 prefix to match + + + ipv4range + IPv4 address range to match + + + !ipv4 + Match everything except the specified address + + + !ipv4net + Match everything except the specified prefix + + + !ipv4range + Match everything except the specified range + + + + + + + Port number + + 1-65535 + Numeric IP port + + + start-end + Numbered port range (e.g., 1001-1005) + + + + \n\nMultiple destination ports can be specified as a comma-separated list.\nThe whole list can also be negated using '!'.\nFor example: '!22,telnet,http,123,1001-1005' + + + diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i new file mode 100644 index 000000000..fdba4b8bd --- /dev/null +++ b/interface-definitions/include/nat-rule.xml.i 
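Review bot: The port help in nat-address-port.xml.i says `Multiple destination ports can be specified as a comma-separated list`, yet nat-rule.xml.i in this same commit includes the file under both the destination and the source node, so the sentence is wrong for source matches; `Multiple ports can be specified as a comma-separated list` fits both uses. The same sentence is carried into nat-port.xml.i later in this series, so the fix applies there too. The help also promises a `!`-negated list while the visible value entries only describe a single port and a `start-end` range; the element markup is not shown on this page, so which constraint enforces the list form could not be checked here.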
@@ -0,0 +1,86 @@ + + + Rule number for NAT + + 1-9999 + Number for this NAT rule + + + + + NAT rule number must be between 1 and 9999 + + + + + Rule description + + + + + NAT destination parameters + + + #include + + + + + Disable NAT rule + + + + + + Exclude packets matching this rule from NAT + + + + + + NAT rule logging + + + + + + Protocol to NAT + + tcp udp tcp_udp all + + + tcp + Transmission Control Protocol + + + udp + User Datagram Protocol + + + tcp_udp + Both TCP and UDP + + + all + All IP protocols + + + 0-255 + IP protocol number + + + !<protocol> + All IP protocols except for the specified name or number (negation) + + + + + + NAT source parameters + + + #include + + + + diff --git a/interface-definitions/include/nat-translation-port.xml.i b/interface-definitions/include/nat-translation-port.xml.i new file mode 100644 index 000000000..93de471e3 --- /dev/null +++ b/interface-definitions/include/nat-translation-port.xml.i @@ -0,0 +1,13 @@ + + + Port number + + 1-65535 + Numeric IP port + + + <start>-<end> + Numbered port range (e.g., 1001-1005) + + + -- cgit v1.2.3 From 1330898ed095b42b6aba7ba00f9a6932b241a230 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 12 May 2020 19:23:15 +0200 Subject: nat: T2198: add ipv4-{address,prefix,rage}-exclude validators Exclude validators are required to support the ! (not) operator on the CLI to exclude addresses from NAT. --- .../include/nat-address-port.xml.i | 9 +++++- src/validators/ipv4-address-exclude | 7 +++++ src/validators/ipv4-prefix-exclude | 7 +++++ src/validators/ipv4-range | 33 ++++++++++++---------- src/validators/ipv4-range-exclude | 7 +++++ 5 files changed, 47 insertions(+), 16 deletions(-) create mode 100755 src/validators/ipv4-address-exclude create mode 100755 src/validators/ipv4-prefix-exclude create mode 100755 src/validators/ipv4-range-exclude (limited to 'interface-definitions/include') 
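Review bot: nat-translation-port.xml.i describes the range format as `<start>-<end>` while nat-address-port.xml.i in this commit uses `start-end` for the same syntax; pick one spelling for both, e.g. `start-end`, so the two port helps read alike. Both files are new and fully contained in their hunks.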
diff --git a/interface-definitions/include/nat-address-port.xml.i b/interface-definitions/include/nat-address-port.xml.i index 0848364ff..8705d31cb 100644 --- a/interface-definitions/include/nat-address-port.xml.i +++ b/interface-definitions/include/nat-address-port.xml.i @@ -25,7 +25,14 @@ !ipv4range Match everything except the specified range - + + + + + + + + diff --git a/src/validators/ipv4-address-exclude b/src/validators/ipv4-address-exclude new file mode 100755 index 000000000..80ad17d45 --- /dev/null +++ b/src/validators/ipv4-address-exclude @@ -0,0 +1,7 @@ +#!/bin/sh +arg="$1" +if [ "${arg:0:1}" != "!" ]; then + exit 1 +fi +path=$(dirname "$0") +${path}/ipv4-address "${arg:1}" diff --git a/src/validators/ipv4-prefix-exclude b/src/validators/ipv4-prefix-exclude new file mode 100755 index 000000000..4f7de400a --- /dev/null +++ b/src/validators/ipv4-prefix-exclude @@ -0,0 +1,7 @@ +#!/bin/sh +arg="$1" +if [ "${arg:0:1}" != "!" ]; then + exit 1 +fi +path=$(dirname "$0") +${path}/ipv4-prefix "${arg:1}" diff --git a/src/validators/ipv4-range b/src/validators/ipv4-range index 0d707d6c5..ae3f3f163 100755 --- a/src/validators/ipv4-range +++ b/src/validators/ipv4-range 
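Review bot: The new exclude validators (ipv4-address-exclude and ipv4-prefix-exclude here, ipv4-range-exclude in the next hunk) use `${arg:0:1}` and `${arg:1}` under `#!/bin/sh`; those substring expansions are bash extensions, and a POSIX sh such as dash (the Debian /bin/sh) reports a bad substitution and exits non-zero, so the validators would reject every value, valid ones included. Either switch the shebang to `#!/bin/bash`, which ipv4-range already requires per its own comment, or stay POSIX with `case "$arg" in "!"*) ;; *) exit 1 ;; esac` and `exec "${path}/ipv4-address" "${arg#!}"` (and the matching ipv4-prefix / ipv4-range calls). Quoting `"${path}"` in the delegation line also keeps a directory name containing whitespace from being word-split.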
@@ -7,24 +7,27 @@ ip2dec () { printf '%d\n' "$((a * 256 ** 3 + b * 256 ** 2 + c * 256 + d))" } -# This only works with real bash (<<<) - split IP addresses into array with -# hyphen as delimiter -readarray -d - -t strarr <<< $1 +# Only run this if there is a hypen present in $1 +if [[ "$1" =~ "-" ]]; then + # This only works with real bash (<<<) - split IP addresses into array with + # hyphen as delimiter + readarray -d - -t strarr <<< $1 -ipaddrcheck --is-ipv4-single ${strarr[0]} -if [ $? -gt 0 ]; then - exit 1 -fi + ipaddrcheck --is-ipv4-single ${strarr[0]} + if [ $? -gt 0 ]; then + exit 1 + fi -ipaddrcheck --is-ipv4-single ${strarr[1]} -if [ $? -gt 0 ]; then - exit 1 -fi + ipaddrcheck --is-ipv4-single ${strarr[1]} + if [ $? -gt 0 ]; then + exit 1 + fi -start=$(ip2dec ${strarr[0]}) -stop=$(ip2dec ${strarr[1]}) -if [ $start -ge $stop ]; then - exit 1 + start=$(ip2dec ${strarr[0]}) + stop=$(ip2dec ${strarr[1]}) + if [ $start -ge $stop ]; then + exit 1 + fi fi exit 0 diff --git a/src/validators/ipv4-range-exclude b/src/validators/ipv4-range-exclude new file mode 100755 index 000000000..3787b4dec --- /dev/null +++ b/src/validators/ipv4-range-exclude @@ -0,0 +1,7 @@ +#!/bin/sh +arg="$1" +if [ "${arg:0:1}" != "!" ]; then + exit 1 +fi +path=$(dirname "$0") +${path}/ipv4-range "${arg:1}" -- cgit v1.2.3 From ac4f99ac3b176f1804b17b32e6615e8b3701dfe8 Mon Sep 17 00:00:00 2001 
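Review bot: With the new `if [[ "$1" =~ "-" ]]` guard, any argument without a hyphen skips every check and reaches `exit 0`, so a single address or an arbitrary word now passes ipv4-range (and, through ipv4-range-exclude, `!` followed by such a word), whereas before the change such input at least went through the ipaddrcheck calls; the validator should fail closed with `else` / `  exit 1` before the final `fi`. The guard also only tests that some hyphen exists, and `readarray -d -` splits on every hyphen, so a value with more than one hyphen is judged on its first two fields alone; checking `[ "${#strarr[@]}" -eq 2 ]` would close that. The head of the script, including its shebang and the body of ip2dec, lies outside the hunk.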
From: Christian Poessinger Date: Tue, 12 May 2020 19:28:06 +0200 Subject: nat: T2198: split nat-address-port include into individual files --- .../include/nat-address-port.xml.i | 54 ---------------------- interface-definitions/include/nat-address.xml.i | 37 +++++++++++++++ interface-definitions/include/nat-port.xml.i | 17 +++++++ interface-definitions/include/nat-rule.xml.i | 6 ++- 4 files changed, 58 insertions(+), 56 deletions(-) delete mode 100644 interface-definitions/include/nat-address-port.xml.i create mode 100644 interface-definitions/include/nat-address.xml.i create mode 100644 interface-definitions/include/nat-port.xml.i (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/nat-address-port.xml.i b/interface-definitions/include/nat-address-port.xml.i deleted file mode 100644 index 8705d31cb..000000000 --- a/interface-definitions/include/nat-address-port.xml.i +++ /dev/null @@ -1,54 +0,0 @@ - - - IP address, subnet, or range - - ipv4 - IPv4 address to match - - - ipv4net - IPv4 prefix to match - - - ipv4range - IPv4 address range to match - - - !ipv4 - Match everything except the specified address - - - !ipv4net - Match everything except the specified prefix - - - !ipv4range - Match everything except the specified range - - - - - - - - - - - - - - Port number - - 1-65535 - Numeric IP port - - - start-end - Numbered port range (e.g., 1001-1005) - - - - \n\nMultiple destination ports can be specified as a comma-separated list.\nThe whole list can also be negated using '!'.\nFor example: '!22,telnet,http,123,1001-1005' - - - diff --git a/interface-definitions/include/nat-address.xml.i b/interface-definitions/include/nat-address.xml.i new file mode 100644 index 000000000..933dae07b --- /dev/null +++ b/interface-definitions/include/nat-address.xml.i 
@@ -0,0 +1,37 @@ + + + IP address, subnet, or range + + ipv4 + IPv4 address to match + + + ipv4net + IPv4 prefix to match + + + ipv4range + IPv4 address range to match + + + !ipv4 + Match everything except the specified address + + + !ipv4net + Match everything except the specified prefix + + + !ipv4range + Match everything except the specified range + + + + + + + + + + + diff --git a/interface-definitions/include/nat-port.xml.i b/interface-definitions/include/nat-port.xml.i new file mode 100644 index 000000000..24803ae05 --- /dev/null +++ b/interface-definitions/include/nat-port.xml.i @@ -0,0 +1,17 @@ + + + Port number + + 1-65535 + Numeric IP port + + + start-end + Numbered port range (e.g., 1001-1005) + + + + \n\nMultiple destination ports can be specified as a comma-separated list.\nThe whole list can also be negated using '!'.\nFor example: '!22,telnet,http,123,1001-1005' + + + diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i index fdba4b8bd..183692664 100644 --- a/interface-definitions/include/nat-rule.xml.i +++ b/interface-definitions/include/nat-rule.xml.i @@ -21,7 +21,8 @@ NAT destination parameters - #include + #include + #include @@ -79,7 +80,8 @@ NAT source parameters - #include + #include + #include -- cgit v1.2.3 From 756e36da2cf41694981a43f6fed0d558d80eaac2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 15 May 2020 18:28:04 +0200 Subject: nat: T2198: add protocol completion helper and regex constraint --- interface-definitions/include/nat-rule.xml.i | 233 +++++++++++++++++++++++++-- 1 file changed, 224 insertions(+), 9 deletions(-) (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i index 183692664..b52eb86c3 100644 --- a/interface-definitions/include/nat-rule.xml.i +++ b/interface-definitions/include/nat-rule.xml.i 
@@ -47,32 +47,247 @@ Protocol to NAT - tcp udp tcp_udp all + all ip hopopt icmp igmp ggp ipencap st tcp egp igp pup udp tcp_udp hmp xns-idp rdp iso-tp4 dccp xtp ddp idpr-cmtp ipv6 ipv6-route ipv6-frag idrp rsvp gre esp ah skip ipv6-icmp ipv6-nonxt ipv6-opts rspf vmtp eigrp ospf ax.25 ipip etherip encap 99 pim ipcomp vrrp l2tp isis sctp fc mobility-header udplite mpls-in-ip manet hip shim6 wesp rohc + + all + All IP protocols + + + ip + Internet Protocol, pseudo protocol number + + + hopopt + IPv6 Hop-by-Hop Option [RFC1883] + + + icmp + internet control message protocol + + + igmp + Internet Group Management + + + ggp + gateway-gateway protocol + + + ipencap + IP encapsulated in IP (officially IP) + + + st + ST datagram mode + tcp - Transmission Control Protocol + transmission control protocol + + + egp + exterior gateway protocol + + + igp + any private interior gateway (Cisco) + + + pup + PARC universal packet protocol udp - User Datagram Protocol + user datagram protocol tcp_udp Both TCP and UDP - all - All IP protocols + hmp + host monitoring protocol - 0-255 - IP protocol number + xns-idp + Xerox NS IDP + + + rdp + "reliable datagram" protocol + + + iso-tp4 + ISO Transport Protocol class 4 [RFC905] + + + dccp + Datagram Congestion Control Prot. 
[RFC4340] + + + xtp + Xpress Transfer Protocol + + + ddp + Datagram Delivery Protocol + + + idpr-cmtp + IDPR Control Message Transport + + + Ipv6 + Internet Protocol, version 6 + + + ipv6-route + Routing Header for IPv6 + + + ipv6-frag + Fragment Header for IPv6 + + + idrp + Inter-Domain Routing Protocol + + + rsvp + Reservation Protocol + + + gre + General Routing Encapsulation + + + esp + Encap Security Payload [RFC2406] + + + ah + Authentication Header [RFC2402] + + + skip + SKIP + + + ipv6-icmp + ICMP for IPv6 + + + ipv6-nonxt + No Next Header for IPv6 + + + ipv6-opts + Destination Options for IPv6 + + + rspf + Radio Shortest Path First (officially CPHB) + + + vmtp + Versatile Message Transport + + + eigrp + Enhanced Interior Routing Protocol (Cisco) + + + ospf + Open Shortest Path First IGP + + + ax.25 + AX.25 frames + + + ipip + IP-within-IP Encapsulation Protocol + + + etherip + Ethernet-within-IP Encapsulation [RFC3378] + + + encap + Yet Another IP encapsulation [RFC1241] + + + 99 + Any private encryption scheme + + + pim + Protocol Independent Multicast + + + ipcomp + IP Payload Compression Protocol - !<protocol> - All IP protocols except for the specified name or number (negation) + vrrp + Virtual Router Redundancy Protocol [RFC5798] + + + l2tp + Layer Two Tunneling Protocol [RFC2661] + + + isis + IS-IS over IPv4 + + + sctp + Stream Control Transmission Protocol + + + fc + Fibre Channel + + + mobility-header + Mobility Support for IPv6 [RFC3775] + + + udplite + UDP-Lite [RFC3828] + + + mpls-in-ip + MPLS-in-IP [RFC4023] + + + manet + MANET Protocols [RFC5498] + + + hip + Host Identity Protocol + + + shim6 + Shim6 Protocol + + + wesp + Wrapped Encapsulating Security Payload + + + rohc + Robust Header Compression + + + 0-255 + IP protocol number + + 
!?(all|ip|hopopt|icmp|igmp|ggp|ipencap|st|tcp|egp|igp|pup|udp|tcp_udp|hmp|xns-idp|rdp|iso-tp4|dccp|xtp|ddp|idpr-cmtp|ipv6|ipv6-route|ipv6-frag|idrp|rsvp|gre|esp|ah|skip|ipv6-icmp|ipv6-nonxt|ipv6-opts|rspf|vmtp|eigrp|ospf|ax.25|ipip|etherip|encap|99|pim|ipcomp|vrrp|l2tp|isis|sctp|fc|mobility-header|udplite|mpls-in-ip|manet|hip|shim6|wesp|rohc|[01]?[0-9][0-9]?) + -- cgit v1.2.3 From 2a0d1e77e650bd3e8cdff29ac62a3b23c41c85af Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 16 May 2020 17:21:21 +0200 Subject: nat: T2198: add common ip-protocol validator It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the negated form with a leading "!". --- interface-definitions/include/nat-rule.xml.i | 2 +- src/validators/ip-protocol | 41 ++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100755 src/validators/ip-protocol (limited to 'interface-definitions/include') diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i index b52eb86c3..f62a08987 100644 --- a/interface-definitions/include/nat-rule.xml.i +++ b/interface-definitions/include/nat-rule.xml.i @@ -286,7 +286,7 @@ IP protocol number - !?(all|ip|hopopt|icmp|igmp|ggp|ipencap|st|tcp|egp|igp|pup|udp|tcp_udp|hmp|xns-idp|rdp|iso-tp4|dccp|xtp|ddp|idpr-cmtp|ipv6|ipv6-route|ipv6-frag|idrp|rsvp|gre|esp|ah|skip|ipv6-icmp|ipv6-nonxt|ipv6-opts|rspf|vmtp|eigrp|ospf|ax.25|ipip|etherip|encap|99|pim|ipcomp|vrrp|l2tp|isis|sctp|fc|mobility-header|udplite|mpls-in-ip|manet|hip|shim6|wesp|rohc|[01]?[0-9][0-9]?) + diff --git a/src/validators/ip-protocol b/src/validators/ip-protocol new file mode 100755 index 000000000..078f8e319 --- /dev/null +++ b/src/validators/ip-protocol 
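Review bot: The completion help entry `Ipv6` is capitalised while the completion list and the regex both carry `ipv6`; the constraint matches case-sensitively, so the help should read `ipv6`. The numeric alternative `[01]?[0-9][0-9]?` only reaches 199, while the help line above it promises `0-255`; if the constraint is applied as a full match, 200-255 are rejected. The `dccp` description is also cut off at `Datagram Congestion Control Prot. [RFC4340]` and could be spelled out.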
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import re
+from sys import argv,exit
+
+if __name__ == '__main__':
+ if len(argv) != 2:
+ exit(1)
+
+ input = argv[1]
+ try:
+ # IP protocol can be in the range 0 - 255, thus the range must end with 256
+ if int(input) in range(0, 256):
+ exit(0)
+ except ValueError:
+ pass
+
+ pattern = "!?\\b(all|ip|hopopt|icmp|igmp|ggp|ipencap|st|tcp|egp|igp|pup|udp|" \
+ "tcp_udp|hmp|xns-idp|rdp|iso-tp4|dccp|xtp|ddp|idpr-cmtp|ipv6|" \
+ "ipv6-route|ipv6-frag|idrp|rsvp|gre|esp|ah|skip|ipv6-icmp|" \
+ "ipv6-nonxt|ipv6-opts|rspf|vmtp|eigrp|ospf|ax.25|ipip|etherip|" \
+ "encap|99|pim|ipcomp|vrrp|l2tp|isis|sctp|fc|mobility-header|" \
+ "udplite|mpls-in-ip|manet|hip|shim6|wesp|rohc)\\b"
+ if re.match(pattern, input):
+ exit(0)
+
+ exit(1)
-- cgit v1.2.3
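Review bot: `re.match(pattern, input)` is anchored only at the start, and the trailing `\b` is satisfied by any following non-word character, so values like `tcp foo` or `udp,1` pass the validator with the extra text left for whatever consumes the value downstream; `re.fullmatch(pattern, input)` with the two `\\b` assertions removed from the literal rejects them. The `ax.25` alternative has an unescaped dot and should be written `ax\\.25` in the string. A negated number such as `!17` is rejected because `int()` sees the leading `!` and the name list only carries `99`; if the "negated form" in the commit message is meant to cover numbers too, strip a leading `!` before the `int()` check. `input` also shadows the builtin; a name like `value` avoids that.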