nat: T1083: add translation options for persistent/random mapping of address and port

Tested using: set destination rule 100 inbound-interface 'eth0' set destination rule 100 translation address '19.13.23.42' set destination rule 100 translation options address-mapping 'random' set destination rule 100 translation options port-mapping 'none' set source rule 1000 outbound-interface 'eth0' set source rule 1000 translation address '122.233.231.12' set source rule 1000 translation options address-mapping 'persistent' set source rule 1000 translation options port-mapping 'fully-random'
author: Igor Melnyk <igor_melnyk@ukr.net> 2021-06-26 10:48:54 +0300
committer: GitHub <noreply@github.com> 2021-06-26 09:48:54 +0200
commit: 166d44b32813c9dd64c3857beaf5eac8382b2d6d (patch)
tree: 3e4b7bd63ada6ff76c40d12e576d8b163e1017d0
parent: 3ffe114e8e8916d142b82657bd982122e57d17ed (diff)
download: vyos-1x-166d44b32813c9dd64c3857beaf5eac8382b2d6d.tar.gz
vyos-1x-166d44b32813c9dd64c3857beaf5eac8382b2d6d.zip
3 files changed, 76 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index b80fc1968..e2776e9c2 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -73,6 +73,26 @@
 {%     set trns_addr = 'return' %}
 {%     set trns_port = '' %}
 {%   endif %}
+{#  T1083: NAT address and port translation options #}
+{%   if config.translation.options is defined and config.translation.options is not none %}
+{%     if config.translation.options.address_mapping is defined and config.translation.options.address_mapping == "persistent" %}
+{%         set trns_opts_addr  = 'persistent' %}
+{%     endif %}
+{%     if config.translation.options.port_mapping is defined %}
+{%       if config.translation.options.port_mapping == "random" %}
+{%         set trns_opts_port  = 'random' %}
+{%       elif config.translation.options.port_mapping == "fully-random" %}
+{%         set trns_opts_port  = 'fully-random' %}
+{%       endif %}
+{%     endif %}
+{%   endif %}
+{%   if trns_opts_addr and trns_opts_port %}
+{%     set trns_opts  = trns_opts_addr + ',' + trns_opts_port %}
+{%   elif trns_opts_addr %}
+{%     set trns_opts  = trns_opts_addr %}
+{%   elif trns_opts_port %}
+{%     set trns_opts  = trns_opts_port %}
+{%   endif %}
 {%   set output = 'add rule ip nat ' + chain + interface %}
 {%   if protocol != 'all' %}
 {%     set output = output + ' ip protocol ' + protocol %}
@@ -104,6 +124,9 @@
 {#     e.g. 192.0.2.10:3389                                                                   #}
 {%     set output = output + trns_port %}
 {%   endif %}
+{%   if trns_opts %}
+{%     set output = output + ' ' + trns_opts %}
+{%   endif %}
 {%   if comment %}
 {%     set output = output + ' comment "' + comment + '"' %}
 {%   endif %}
diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i
new file mode 100644
index 000000000..defc8c0d5
--- /dev/null
+++ b/interface-definitions/include/nat-translation-options.xml.i
@@ -0,0 +1,51 @@
+<!-- include start from nat-translation-options.xml.i -->
+<node name="options">
+  <properties>
+    <help>Translation options</help>
+  </properties>
+  <children>
+    <leafNode name="address-mapping">
+      <properties>
+        <help>Address mapping options</help>
+        <completionHelp>
+          <list>persistent random</list>
+        </completionHelp>
+        <valueHelp>
+          <format>persistent</format>
+          <description>Gives a client the same source or destination-address for each connection</description>
+        </valueHelp>
+        <valueHelp>
+          <format>random</format>
+          <description>Random source or destination address allocation for each connection (defaut)</description>
+        </valueHelp>
+        <constraint>
+          <regex>^(persistent|random)$</regex>
+        </constraint>
+      </properties>
+    </leafNode> 
+    <leafNode name="port-mapping">
+      <properties>
+        <help>Port mapping options</help>
+        <completionHelp>
+          <list>random fully-random none</list>
+        </completionHelp>
+        <valueHelp>
+          <format>random</format>
+          <description>Randomize source port mapping</description>
+        </valueHelp>
+        <valueHelp>
+          <format>fully-random</format>
+          <description>Full port randomization</description>
+        </valueHelp>
+        <valueHelp>
+          <format>none</format>
+          <description>Do not apply port randomization (default)</description>
+        </valueHelp>
+        <constraint>
+          <regex>^(random|fully-random|none)$</regex>
+        </constraint>
+      </properties>
+    </leafNode> 
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in
index 9862f49b2..3cf3ba6aa 100644
--- a/interface-definitions/nat.xml.in
+++ b/interface-definitions/nat.xml.in
@@ -50,6 +50,7 @@
                     </properties>
                   </leafNode>
                   #include <include/nat-translation-port.xml.i>
+                  #include <include/nat-translation-options.xml.i>
                 </children>
               </node>
             </children>
@@ -101,6 +102,7 @@
                     </properties>
                   </leafNode>
                   #include <include/nat-translation-port.xml.i>
+                  #include <include/nat-translation-options.xml.i>
                 </children>
               </node>
             </children>
author	Igor Melnyk <igor_melnyk@ukr.net>	2021-06-26 10:48:54 +0300
committer	GitHub <noreply@github.com>	2021-06-26 09:48:54 +0200
commit	166d44b32813c9dd64c3857beaf5eac8382b2d6d (patch)
tree	3e4b7bd63ada6ff76c40d12e576d8b163e1017d0
parent	3ffe114e8e8916d142b82657bd982122e57d17ed (diff)
download	vyos-1x-166d44b32813c9dd64c3857beaf5eac8382b2d6d.tar.gz vyos-1x-166d44b32813c9dd64c3857beaf5eac8382b2d6d.zip