| author | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-12-23 13:21:43 +0000 | 
|---|---|---|
| committer | Viacheslav Hletenko <v.gletenko@vyos.io> | 2023-12-24 09:26:37 +0000 | 
| commit | 8e1e79cfa24c155c8d504822fbbd3c20f890fb70 (patch) | |
| tree | 5621b54f317486306339dee76b0a2ceff555ddb4 | |
| parent | 4393a2fb056574f5079270554d30751d11bf5a9a (diff) | |
T160: NAT64 add match firewall mark feature
Match mark allows the firewall mark carried by a packet to be used to select
a specific pool
Example of instance config /run/jool/instance-100.json
```
  ...
  "pool4": [
    {
      "protocol": "TCP",
      "prefix": "192.0.2.10",
      "port range": "1-65535",
      "mark": 23
    },
   ...
```
| -rw-r--r-- | interface-definitions/nat64.xml.in | 19 | ||||
| -rwxr-xr-x | src/conf_mode/nat64.py | 7 | 
2 files changed, 26 insertions, 0 deletions
|
diff --git a/interface-definitions/nat64.xml.in b/interface-definitions/nat64.xml.in
index baf13e6cb..dfdd295d2 100644
--- a/interface-definitions/nat64.xml.in
+++ b/interface-definitions/nat64.xml.in
@@ -26,6 +26,25 @@
             <children>
               #include <include/generic-description.xml.i>
               #include <include/generic-disable-node.xml.i>
+              <node name="match">
+                <properties>
+                  <help>Match</help>
+                </properties>
+                <children>
+                  <leafNode name="mark">
+                    <properties>
+                      <help>Match fwmark value</help>
+                      <valueHelp>
+                        <format>u32:1-2147483647</format>
+                        <description>Fwmark value to match against</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-2147483647"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
               <node name="source">
                 <properties>
                   <help>IPv6 source prefix options</help>
diff --git a/src/conf_mode/nat64.py b/src/conf_mode/nat64.py
index a8b90fb11..6026c61d0 100755
--- a/src/conf_mode/nat64.py
+++ b/src/conf_mode/nat64.py
@@ -148,6 +148,11 @@ def generate(nat64) -> None:
             if dict_search("translation.pool", instance):
                 pool4 = []
+                # mark
+                mark = ''
+                if dict_search("match.mark", instance):
+                    mark = instance["match"]["mark"]
+
                 for pool in instance["translation"]["pool"].values():
                     if "disable" in pool:
                         continue
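Review bot: The `<format>u32:1-2147483647</format>` label and the `--range 1-2147483647` validator contradict each other: 2147483647 is the signed 32-bit maximum, not a u32 bound, so any mark in the upper half of the 32-bit fwmark space is rejected here while the help text claims u32. If Jool accepts full 32-bit marks (not visible from this hunk), extend both strings to `1-4294967295`; otherwise keep the narrower range and drop the `u32:` prefix so the help text does not promise more than the validator allows. Excluding 0 is sensible because an unmarked packet carries mark 0, but stating that in the description, e.g. `<description>Fwmark value to match against (0, the unmarked value, cannot be selected)</description>`, saves the operator a guess.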
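Review bot: The four added lines `mark = ''` / `if dict_search("match.mark", instance): mark = instance["match"]["mark"]` collapse to a single `mark = dict_search("match.mark", instance)`, since dict_search presumably returns None for a missing path (verify in vyos.utils.dict) and the later `if mark:` check treats None and '' the same; this also drops the second lookup of the same key. The placeholder `# mark` says nothing; a comment such as `# Optional fwmark: every pool4 entry of this instance is tagged with it, so only packets carrying that mark select these pools` documents the intent and makes clear that the match is per instance, not per pool as the commit message wording suggests. generate() starts and ends outside this hunk.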
@@ -159,6 +164,8 @@ def generate(nat64) -> None:
                             "prefix": pool["address"],
                             "port range": pool["port"],
                         }
+                        if mark:
+                            obj["mark"] = int(mark)
                         if "description" in pool:
                             obj["comment"] = pool["description"]
|
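Review bot: `int(mark)` is re-evaluated for every pool in the loop although mark is constant per instance; converting once where mark is assigned (outside this hunk) and writing `obj["mark"] = mark` here would be cleaner, even though the validator's `--range` already guarantees int() cannot raise on configured values. The operator-relevant consequence is not documented anywhere in the change: a pool4 entry tagged with a mark is presumably used by Jool only for packets carrying that exact mark (Jool semantics, not visible here — confirm), so setting `match mark` on an instance whose pools all carry it leaves unmarked traffic with nothing to translate into. A comment such as `# Jool selects this pool4 entry only for packets whose fwmark equals mark` above the check would warn the next reader. generate() continues past the end of this hunk.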
