author | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-09-13 22:26:03 +0700 |
---|---|---|
committer | Daniil Baturin <daniil.baturin@vyatta.com> | 2011-09-13 22:26:03 +0700 |
commit | db4e4cfaca840240298811805d2a572f5663c7f9 (patch) | |
tree | adae701d04f3bad20a07fe0c1f583fff81e0af0d | |
parent | 807e14f5ce64f87b2858f003e8c597154c2c2dfa (diff) | |
Add templates for source NAT
17 files changed, 126 insertions, 0 deletions
diff --git a/templates-cfg/nat/source/node.def b/templates-cfg/nat/source/node.def
new file mode 100644
index 0000000..5548be4
--- /dev/null
+++ b/templates-cfg/nat/source/node.def
@@ -0,0 +1 @@
+help: Source NAT settings
\ No newline at end of file
diff --git a/templates-cfg/nat/source/rule/node.def b/templates-cfg/nat/source/rule/node.def
new file mode 100644
index 0000000..c666be9
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.def
@@ -0,0 +1,11 @@
+tag:
+
+type: u32
+
+help: Rule number for NAT
+
+syntax:expression: ($VAR(@) > 0 && $VAR(@) < 10000) ; \
+ "Rule number must be between 1 and 9999."
+
+val_help: u32:1-9999 ; Number for this NAT rule
+
diff --git a/templates-cfg/nat/source/rule/node.tag/description/node.def b/templates-cfg/nat/source/rule/node.tag/description/node.def
new file mode 100644
index 0000000..90bf88b
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/description/node.def
@@ -0,0 +1,3 @@
+type: txt
+
+help: Rule description
diff --git a/templates-cfg/nat/source/rule/node.tag/destination/address/node.def b/templates-cfg/nat/source/rule/node.tag/destination/address/node.def
new file mode 100644
index 0000000..e580b57
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/destination/address/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Destination IP address, subnet, or range
+
+val_help: ipv4 ; IP address to match
+val_help: ipv4net; Subnet to match
+val_help: ipv4range ; IP range to match
+val_help: !ipv4 ; Match everything except the specified address
+val_help: !ipv4net ; Match everything except the specified subnet
+val_help: !ipv4range ; Match everything except the specified range
diff --git a/templates-cfg/nat/source/rule/node.tag/destination/node.def b/templates-cfg/nat/source/rule/node.tag/destination/node.def
new file mode 100644
index 0000000..8fc8e75
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/destination/node.def
@@ -0,0 +1 @@
+help: NAT destination parameters
diff --git a/templates-cfg/nat/source/rule/node.tag/destination/port/node.def b/templates-cfg/nat/source/rule/node.tag/destination/port/node.def
new file mode 100644
index 0000000..7505487
--- /dev/null
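Review bot: templates-cfg/nat/source/rule/node.tag/destination/address/node.def declares `type: txt` and lists ipv4/ipv4net/ipv4range and their negated forms in val_help, but has no `syntax:expression`, so any string is accepted at set time and a malformed address is only caught, if at all, when the rule is rendered at commit. The protocol node in this same commit shows the pattern to follow: a `syntax:expression: exec "..."` that calls `/opt/vyatta/sbin/vyatta-validate-type.pl` and exits non-zero with a message when the value does not match one of the documented forms. The same gap is present in source/address, destination/port, source/port, outside-address/address and outside-address/port, all of which are `type: txt` with val_help but no check. Minor: `val_help: ipv4net; Subnet to match` lacks the space before `;` that the sibling lines (and the source/address copy) have.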
+++ b/templates-cfg/nat/source/rule/node.tag/destination/port/node.def
@@ -0,0 +1,11 @@
+type: txt
+
+help: Destination port
+
+val_help: <port name> ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535 ; Numbered port
+val_help: <start>-<end> ; Numbered port range (e.g., 1001-1005)
+
+comp_help: Multiple destination ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'.
+For example: '!22,telnet,http,123,1001-1005'
diff --git a/templates-cfg/nat/source/rule/node.tag/disable/node.def b/templates-cfg/nat/source/rule/node.tag/disable/node.def
new file mode 100644
index 0000000..c23fc5a
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/disable/node.def
@@ -0,0 +1 @@
+help: Disable NAT rule
diff --git a/templates-cfg/nat/source/rule/node.tag/exclude/node.def b/templates-cfg/nat/source/rule/node.tag/exclude/node.def
new file mode 100644
index 0000000..3fc118a
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/exclude/node.def
@@ -0,0 +1 @@
+help: Exclude packets matching this rule from NAT
diff --git a/templates-cfg/nat/source/rule/node.tag/log/node.def b/templates-cfg/nat/source/rule/node.tag/log/node.def
new file mode 100644
index 0000000..867b471
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/log/node.def
@@ -0,0 +1,6 @@
+type: txt
+
+help: NAT rule logging
+
+syntax:expression: $VAR(@) in "enable", "disable"; \
+ "NAT logging must be enable or disable."
diff --git a/templates-cfg/nat/source/rule/node.tag/outbound-interface/node.def b/templates-cfg/nat/source/rule/node.tag/outbound-interface/node.def
new file mode 100644
index 0000000..efbd9c3
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/outbound-interface/node.def
@@ -0,0 +1,30 @@
+type: txt
+
+help: Outbound interface for NAT traffic
+
+enumeration: existing-interfaces; echo "any"
+
+val_help: <interface> ; Interface name or "any"
+
+commit:expression: exec "
+ if [ \"any\" == \"$VAR(@)\" ] ; then
+ exit 0
+ fi
+ intf_array=($(awk '$1 ~ /:/ { print $1 }' /proc/net/dev))
+ intf_array_len=${#intf_array[*]}
+ i=0
+ while [ $i -lt $intf_array_len ]; do
+ temp=${intf_array[$i]%:*}
+ if [ \"$temp\" == \"$VAR(@)\" ] ; then
+ exit 0
+ fi
+ let i++
+ done
+ intf_group_name_array=\"eth+ bond+ br+ peth+ vtun+ tun+ wlm+ wlan+\"
+ i=0
+ for i in $intf_group_name_array; do
+ if [ \"$i\" == \"$VAR(@)\" ]; then
+ exit 0
+ fi
+ done
+ echo NAT configuration warning: interface $VAR(@) does not exist on this system "
diff --git a/templates-cfg/nat/source/rule/node.tag/outside-address/address/node.def b/templates-cfg/nat/source/rule/node.tag/outside-address/address/node.def
new file mode 100644
index 0000000..abd5d45
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/outside-address/address/node.def
@@ -0,0 +1,7 @@
+type: txt
+
+help: Outside IP address or range for NAT
+
+val_help: ipv4 ; NAT to the specified IP address
+val_help: ipv4range ; NAT to the specified IP range
+val_help: ipv4net ; NAT to the specified network address. Host part of the address will remain unchanged
diff --git a/templates-cfg/nat/source/rule/node.tag/outside-address/node.def b/templates-cfg/nat/source/rule/node.tag/outside-address/node.def
new file mode 100644
index 0000000..b8e1e19
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/outside-address/node.def
@@ -0,0 +1 @@
+help: Outside NAT IP (used by source NAT only)
diff --git a/templates-cfg/nat/source/rule/node.tag/outside-address/port/node.def b/templates-cfg/nat/source/rule/node.tag/outside-address/port/node.def
new file mode 100644
index 0000000..8e3b331
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/outside-address/port/node.def
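Review bot: In outbound-interface/node.def the value is `type: txt` with no `syntax:expression`, yet `$VAR(@)` is spliced textually into the `commit:expression: exec "..."` script, both inside the `\"...\"` test operands and in the unquoted final `echo`; if the template engine substitutes the raw value (as it appears to here), characters with shell meaning in the configured value are interpreted by that script rather than rejected. A set-time check limited to the characters an interface name or `any` can contain closes this before the value reaches any shell, e.g. `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9_.+-]+$" ; "Invalid interface name"`. The script also ends with the `echo NAT configuration warning: ...` line, whose zero exit status means an unknown interface never fails the commit — acceptable if a warning is intended, but a one-line comment saying so would help. The protocol node's `syntax:expression` has the same textual interpolation, with `'$VAR(@)'` single-quoted inside a backtick command.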
@@ -0,0 +1,6 @@
+type: txt
+
+help: Outside port
+
+val_help: u32:1-65535 ; Numbered port
+val_help: <start>-<end> ; Numbered port range (e.g., 1001-1005)
diff --git a/templates-cfg/nat/source/rule/node.tag/protocol/node.def b/templates-cfg/nat/source/rule/node.tag/protocol/node.def
new file mode 100644
index 0000000..882581d
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/protocol/node.def
@@ -0,0 +1,15 @@
+type: txt
+
+help: Protocol to NAT
+
+val_help: txt ; IP protocol name from /etc/protocols (e.g. "tcp" or "udp")
+val_help: u32:0-255 ; IP protocol number
+val_help: tcp_udp ; Both TCP and UDP
+val_help: all ; All IP protocols
+val_help: !<protocol> ; All IP protocols except for the specified name or number (negation)
+
+syntax:expression: exec "if [ -n \"`/opt/vyatta/sbin/vyatta-validate-type.pl protocol_negate '$VAR(@)'`\" ] \
+ && [ \"$VAR(@)\" != 'tcp_udp' ]; then \
+ echo invalid protocol \"$VAR(@)\" ; \
+ exit 1 ; \
+ fi ; "
diff --git a/templates-cfg/nat/source/rule/node.tag/source/address/node.def b/templates-cfg/nat/source/rule/node.tag/source/address/node.def
new file mode 100644
index 0000000..08c0b41
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/source/address/node.def
@@ -0,0 +1,10 @@
+type: txt
+
+help: Source IPv4 address, subnet, or range
+
+val_help: ipv4 ; IP address to match
+val_help: ipv4net ; Subnet to match
+val_help: ipv4range ; IP range to match
+val_help: !ipv4 ; Match everything except the specified address
+val_help: !ipv4net ; Match everything except the specified subnet
+val_help: !ipv4range ; Match everything except the specified range
diff --git a/templates-cfg/nat/source/rule/node.tag/source/node.def b/templates-cfg/nat/source/rule/node.tag/source/node.def
new file mode 100644
index 0000000..299f6e5
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: NAT source parameters
diff --git a/templates-cfg/nat/source/rule/node.tag/source/port/node.def b/templates-cfg/nat/source/rule/node.tag/source/port/node.def
new file mode 100644
index 0000000..d0e9de6
--- /dev/null
+++ b/templates-cfg/nat/source/rule/node.tag/source/port/node.def
@@ -0,0 +1,11 @@
+type: txt
+
+help: Source port
+
+val_help: <port name> ; Named port (any name in /etc/services, e.g., http)
+val_help: u32:1-65535 ; Numbered port
+val_help: <start>-<end> ; Numbered port range (e.g., 1001-1005)
+
+comp_help: Multiple source ports can be specified as a comma-separated list.
+The whole list can also be "negated" using '!'.
+For example: '!22,telnet,http,123,1001-1005' |