nat66: T4586: Add SNAT destination prefix and DNAT address

Ability to configure SNAT destination prefix and DNAT source address Add option "!" - not address/prefix for NAT66
author: Viacheslav Hletenko <v.gletenko@vyos.io> 2022-08-03 12:58:24 +0000
committer: Viacheslav Hletenko <v.gletenko@vyos.io> 2022-08-03 12:58:24 +0000
commit: ecc03bd6e499bfa071218aa70d325fcfcc191dec (patch)
tree: 5c12722c49f1a3d9914e1364f79315107631c3fb
parent: 08699a10ccea1ea428b856d7b3dd7644d66ea699 (diff)
download: vyos-1x-ecc03bd6e499bfa071218aa70d325fcfcc191dec.tar.gz
vyos-1x-ecc03bd6e499bfa071218aa70d325fcfcc191dec.zip
2 files changed, 83 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2
index 003b138b2..ca19506f2 100644
--- a/data/templates/firewall/nftables-nat66.j2
+++ b/data/templates/firewall/nftables-nat66.j2
@@ -3,8 +3,10 @@
 {% macro nptv6_rule(rule,config, chain) %}
 {% set comment  = '' %}
 {% set base_log = '' %}
-{% set src_prefix  = 'ip6 saddr ' ~ config.source.prefix if config.source.prefix is vyos_defined %}
-{% set dest_address  = 'ip6 daddr ' ~ config.destination.address if config.destination.address is vyos_defined %}
+{% set dst_prefix  = 'ip6 daddr ' ~ config.destination.prefix.replace('!','!= ') if config.destination.prefix is vyos_defined %}
+{% set src_prefix  = 'ip6 saddr ' ~ config.source.prefix.replace('!','!= ') if config.source.prefix is vyos_defined %}
+{% set source_address  = 'ip6 saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %}
+{% set dest_address  = 'ip6 daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %}
 {% if chain is vyos_defined('PREROUTING') %}
 {%     set comment   = 'DST-NAT66-' ~ rule %}
 {%     set base_log  = '[NAT66-DST-' ~ rule %}
@@ -52,6 +54,12 @@
 {% if src_prefix is vyos_defined %}
 {%     set output = output ~ ' ' ~ src_prefix %}
 {% endif %}
+{% if dst_prefix is vyos_defined %}
+{%     set output = output ~ ' ' ~ dst_prefix %}
+{% endif %}
+{% if source_address is vyos_defined %}
+{%     set output = output ~ ' ' ~ source_address %}
+{% endif %}
 {% if dest_address is vyos_defined %}
 {%     set output = output ~ ' ' ~ dest_address %}
 {% endif %}
diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in
index b47f653c6..ac3198f45 100644
--- a/interface-definitions/nat66.xml.in
+++ b/interface-definitions/nat66.xml.in
@@ -49,6 +49,30 @@
                   </completionHelp>
                 </properties>
               </leafNode>
+              <node name="destination">
+                <properties>
+                  <help>IPv6 destination prefix options</help>
+                </properties>
+                <children>
+                  <leafNode name="prefix">
+                    <properties>
+                      <help>IPv6 prefix to be translated</help>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>IPv6 prefix</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-prefix-exclude"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
               <node name="source">
                 <properties>
                   <help>IPv6 source prefix options</help>
@@ -61,8 +85,13 @@
                         <format>ipv6net</format>
                         <description>IPv6 prefix</description>
                       </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
                       <constraint>
                         <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-prefix-exclude"/>
                       </constraint>
                     </properties>
                   </leafNode>
@@ -164,9 +193,53 @@
                         <format>ipv6net</format>
                         <description>IPv6 prefix</description>
                       </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6</format>
+                        <description>Match everything except the specified IPv6 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-address"/>
+                        <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-address-exclude"/>
+                        <validator name="ipv6-prefix-exclude"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="source">
+                <properties>
+                  <help>IPv6 source prefix options</help>
+                </properties>
+                <children>
+                  <leafNode name="address">
+                    <properties>
+                      <help>IPv6 address or prefix to be translated</help>
+                      <valueHelp>
+                        <format>ipv6</format>
+                        <description>IPv6 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>IPv6 prefix</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6</format>
+                        <description>Match everything except the specified IPv6 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
                       <constraint>
                         <validator name="ipv6-address"/>
                         <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-address-exclude"/>
+                        <validator name="ipv6-prefix-exclude"/>
                       </constraint>
                     </properties>
                   </leafNode>
author	Viacheslav Hletenko <v.gletenko@vyos.io>	2022-08-03 12:58:24 +0000
committer	Viacheslav Hletenko <v.gletenko@vyos.io>	2022-08-03 12:58:24 +0000
commit	ecc03bd6e499bfa071218aa70d325fcfcc191dec (patch)
tree	5c12722c49f1a3d9914e1364f79315107631c3fb
parent	08699a10ccea1ea428b856d7b3dd7644d66ea699 (diff)
download	vyos-1x-ecc03bd6e499bfa071218aa70d325fcfcc191dec.tar.gz vyos-1x-ecc03bd6e499bfa071218aa70d325fcfcc191dec.zip