From b047855b80754d78cab4d3161ad0e97c21f479bc Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Mon, 30 Nov 2020 20:03:00 +0800 Subject: nptv6: T2518: Initial support for nat66 (NPT)
---
 src/migration-scripts/nat66/0-to-1 | 76 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100755 src/migration-scripts/nat66/0-to-1 (limited to 'src/migration-scripts')
diff --git a/src/migration-scripts/nat66/0-to-1 b/src/migration-scripts/nat66/0-to-1
new file mode 100755
index 000000000..2bc22061d
--- /dev/null
+++ b/src/migration-scripts/nat66/0-to-1
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from sys import argv,exit
+from vyos.configtree import ConfigTree
+
+if (len(argv) < 1):
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+config = ConfigTree(config_file)
+
+def merge_npt(config,base,rule):
+ merge_base = ['nat66','source','rule',rule]
+ # Configure migration functions
+ if config.exists(base + ['description']):
+ tmp = config.return_value(base + ['description'])
+ config.set(merge_base + ['description'],value=tmp)
+
+ if config.exists(base + ['disable']):
+ tmp = config.return_value(base + ['disable'])
+ config.set(merge_base + ['disable'],value=tmp)
+
+ if config.exists(base + ['outbound-interface']):
+ tmp = config.return_value(base + ['outbound-interface'])
+ config.set(merge_base + ['outbound-interface'],value=tmp)
+
+ if config.exists(base + ['source','prefix']):
+ tmp = config.return_value(base + ['source','prefix'])
+ config.set(merge_base + ['source','prefix'],value=tmp)
+
+ if config.exists(base + ['translation','prefix']):
+ tmp = config.return_value(base + ['translation','prefix'])
+ config.set(merge_base + ['translation','prefix'],value=tmp)
+
+
+if not config.exists(['nat']):
+ # Nothing to do
+ exit(0)
+else:
+ if not config.exists(['nat', 'nptv6']):
+ exit(0)
+
+ for rule in config.list_nodes(['nat', 
'nptv6', 'rule']):
+ base = ['nat', 'nptv6', 'rule', rule]
+ # Merge 'nat nptv6' to 'nat66 source'
+ merge_npt(config,base,rule)
+
+ # Delete the original NPT configuration
+ config.delete(['nat','nptv6']);
+
+ try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+ except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
+
-- cgit v1.2.3 From 9d2ce9c1d0078a16c698c7c5ce503044c780b04d Mon Sep 17 00:00:00 2001 From: JACK Date: Sat, 23 Jan 2021 03:58:48 +0800 Subject: nptv6: T2518: Remove redundant paths for migration scripts
---
 src/migration-scripts/nat66/0-to-1 | 35 ++++++++++++++++------------------- 1 file changed, 16 insertions(+), 19 deletions(-) (limited to 'src/migration-scripts')
diff --git a/src/migration-scripts/nat66/0-to-1 b/src/migration-scripts/nat66/0-to-1
index 2bc22061d..67024cf77 100755
--- a/src/migration-scripts/nat66/0-to-1
+++ b/src/migration-scripts/nat66/0-to-1
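Review bot: The argument guard `if (len(argv) < 1):` can never fire, because argv[0] is always the script's own name, so running the script without a file name skips the "Must specify file name!" message and instead fails a few lines later on `argv[1]` with an IndexError; it should read `if len(argv) < 2:`. The trailing semicolon on `config.delete(['nat','nptv6']);` is a leftover that Python tolerates but linters flag; drop it. This hunk is the entire new file, so nothing is cut off at its edges.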
@@ -52,25 +52,22 @@ def merge_npt(config,base,rule):
 config.set(merge_base + ['translation','prefix'],value=tmp)
-if not config.exists(['nat']):
+if not config.exists(['nat', 'nptv6']):
 # Nothing to do
 exit(0)
-else:
- if not config.exists(['nat', 'nptv6']):
- exit(0)
-
- for rule in config.list_nodes(['nat', 'nptv6', 'rule']):
- base = ['nat', 'nptv6', 'rule', rule]
- # Merge 'nat nptv6' to 'nat66 source'
- merge_npt(config,base,rule)
-
- # Delete the original NPT configuration
- config.delete(['nat','nptv6']);
-
- try:
- with open(file_name, 'w') as f:
- f.write(config.to_string())
- except OSError as e:
- print("Failed to save the modified config: {}".format(e))
- exit(1)
+
+for rule in config.list_nodes(['nat', 'nptv6', 'rule']):
+ base = ['nat', 'nptv6', 'rule', rule]
+ # Merge 'nat nptv6' to 'nat66 source'
+ merge_npt(config,base,rule)
+
+# Delete the original NPT configuration
+config.delete(['nat','nptv6']);
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print("Failed to save the modified config: {}".format(e))
+ exit(1)
-- cgit v1.2.3 From c7a967b2d9c83fe4825d1ca672a9aa15615c5a99 Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Sat, 23 Jan 2021 17:19:53 +0800 Subject: nptv6: T2518: Remove trailing spaces
---
 data/templates/firewall/nftables-nat66.tmpl | 1 - data/templates/proxy-ndp/ndppd.conf.tmpl | 1 - src/migration-scripts/nat66/0-to-1 | 1 - 3 files changed, 3 deletions(-) (limited to 'src/migration-scripts')
diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl
index 80150c7a4..45506ca09 100644
--- a/data/templates/firewall/nftables-nat66.tmpl
+++ b/data/templates/firewall/nftables-nat66.tmpl
@@ -104,4 +104,3 @@ add rule ip6 raw NAT_CONNTRACK counter accept {{ nptv6_rule(rule, config, 'POSTROUTING') }} {% endfor %} {% endif %} -
diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/proxy-ndp/ndppd.conf.tmpl
index 6ef9f3f8b..844b644b7 100644
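Review bot: The new top-level loop calls `config.list_nodes(['nat', 'nptv6', 'rule'])` after the early exit has only verified that `nat nptv6` exists; if that node is present without any `rule` child, list_nodes presumably raises on the missing path instead of returning an empty list, and the migration would then abort on such a config. Wrapping the loop in `if config.exists(['nat', 'nptv6', 'rule']):`, or widening the early-exit check to that path, keeps the script from crashing on the edge case. The re-added `config.delete(['nat','nptv6']);` still carries the stray semicolon from the original; drop it while the line is being rewritten. The hunk's first context line sits at the end of merge_npt, whose body starts outside the hunk.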
--- a/data/templates/proxy-ndp/ndppd.conf.tmpl +++ b/data/templates/proxy-ndp/ndppd.conf.tmpl @@ -45,5 +45,4 @@ proxy {{ i }} { {% endif %} {% endfor %} } - {% endfor %} diff --git a/src/migration-scripts/nat66/0-to-1 b/src/migration-scripts/nat66/0-to-1 index 67024cf77..602c5f5c1 100755 --- a/src/migration-scripts/nat66/0-to-1 +++ b/src/migration-scripts/nat66/0-to-1 @@ -70,4 +70,3 @@ try: except OSError as e: print("Failed to save the modified config: {}".format(e)) exit(1) - -- cgit v1.2.3 From 41b4f00972917ea950842d53eaede0a4308bc663 Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Sun, 24 Jan 2021 13:18:24 +0800 Subject: nptv6: T2518: Delete redundant blank lines --- data/templates/firewall/nftables-nat66.tmpl | 21 --------------------- data/templates/proxy-ndp/ndppd.conf.tmpl | 3 --- smoketest/scripts/cli/test_nat66.py | 1 - src/conf_mode/nat66.py | 9 ++------- src/migration-scripts/nat66/0-to-1 | 1 - 5 files changed, 2 insertions(+), 33 deletions(-) (limited to 'src/migration-scripts') diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl index 45506ca09..b1a8f7a16 100644 --- a/data/templates/firewall/nftables-nat66.tmpl +++ b/data/templates/firewall/nftables-nat66.tmpl @@ -1,10 +1,8 @@ #!/usr/sbin/nft -f {% macro nptv6_rule(rule,config, chain) %} - {% set src_prefix = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none %} {% set dest_address = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %} - {% if chain == "PREROUTING" %} {% set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %} {% if config.translation.address | is_ip_network %} 
@@ -26,49 +24,35 @@ {% set output = "add rule ip6 nat " + chain + interface %} {# Count packets #} {% set output = output + " counter" %} - {# Special handling of log option, we must repeat the entire rule before the #} {# NAT translation options are added, this is essential #} {% if log %} {% set log_output = output + " log prefix \"" + log + "\" comment \"" + comment + "\"" %} {% endif %} - {% if src_prefix %} {% set output = output + " " + src_prefix %} {% endif %} - - {% if dest_address %} {% set output = output + " " + dest_address %} {% endif %} - {% if trns_prefix %} {% set output = output + " " + trns_prefix %} {% endif %} - {% if trns_address %} {% set output = output + " " + trns_address %} {% endif %} - - {% if comment %} {% set output = output + " comment \"" + comment + "\"" %} {% endif %} - {{ log_output if log_output }} {{ output }} {% endmacro %} # Start with clean NAT table flush table ip6 nat - {% if helper_functions == 'remove' %} {# NAT if going to be disabled - remove rules and targets from nftables #} - - - {% set base_command = "delete rule ip6 raw" %} - {{base_command}} PREROUTING handle {{ pre_ct_conntrack }} {{base_command}} OUTPUT handle {{ out_ct_conntrack }} @@ -78,13 +62,9 @@ delete chain ip6 raw NAT_CONNTRACK {# NAT if enabled - add targets to nftables #} add chain ip6 raw NAT_CONNTRACK add rule ip6 raw NAT_CONNTRACK counter accept - {% set base_command = "add rule ip6 raw" %} - - {{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK {{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK - {% endif %} # @@ -95,7 +75,6 @@ add rule ip6 raw NAT_CONNTRACK counter accept {{ nptv6_rule(rule, config, 'PREROUTING') }} {% endfor %} {% endif %} - # # Source NAT66 rules build up here # diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/proxy-ndp/ndppd.conf.tmpl index 4393be169..0137d8135 100644 --- a/data/templates/proxy-ndp/ndppd.conf.tmpl 
+++ b/data/templates/proxy-ndp/ndppd.conf.tmpl @@ -15,8 +15,6 @@ ######################################################## {% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %} - - {% if source is defined and source.rule is defined and source.rule is not none %} {% for rule, config in source.rule.items() if config.disable is not defined %} {% if config.outbound_interface is defined %} @@ -31,7 +29,6 @@ {% endif %} {% for interface in global.ndppd_interfaces %} - proxy {{ interface }} { router yes timeout 500 diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py index 042c61ace..ccc4196e0 100755 --- a/smoketest/scripts/cli/test_nat66.py +++ b/smoketest/scripts/cli/test_nat66.py @@ -68,7 +68,6 @@ class TestNAT66(unittest.TestCase): self.assertEqual(iface, 'eth1') # check for translation address self.assertEqual(f'{translation_address}/{translation_mask}', translation_prefix) - self.assertEqual(f'{address}/{mask}', source_prefix) def test_destination_nat66(self): diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py index f58db04e0..b90939a2f 100755 --- a/src/conf_mode/nat66.py +++ b/src/conf_mode/nat66.py @@ -80,19 +80,16 @@ def get_config(config=None): if not conf.exists(base): nat['helper_functions'] = 'remove' - nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK') nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT','NAT_CONNTRACK') - nat['deleted'] = '' - return nat # check if NAT66 connection tracking helpers need to be set up - this has to # be done only once if not get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK'): nat['helper_functions'] = 'add' - + # Retrieve current table handler positions nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'VYATTA_CT_PREROUTING_HOOK') nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT','VYATTA_CT_OUTPUT_HOOK') 
@@ -120,18 +117,16 @@ def verify(nat): if config['outbound_interface'] not in interfaces(): print(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') - prefix = dict_search('translation.prefix', config) if prefix != None: if not is_ipv6(prefix): raise ConfigError(f'Warning: IPv6 prefix {prefix} is not a valid address prefix') - + prefix = dict_search('source.prefix', config) if prefix != None: if not is_ipv6(prefix): raise ConfigError(f'{err_msg} source-prefix not specified') - if dict_search('destination.rule', nat): for rule, config in dict_search('destination.rule', nat).items(): err_msg = f'Destination NAT66 configuration error in rule {rule}:' diff --git a/src/migration-scripts/nat66/0-to-1 b/src/migration-scripts/nat66/0-to-1 index 602c5f5c1..74d64c07b 100755 --- a/src/migration-scripts/nat66/0-to-1 +++ b/src/migration-scripts/nat66/0-to-1 @@ -51,7 +51,6 @@ def merge_npt(config,base,rule): tmp = config.return_value(base + ['translation','prefix']) config.set(merge_base + ['translation','prefix'],value=tmp) - if not config.exists(['nat', 'nptv6']): # Nothing to do exit(0) -- cgit v1.2.3