diff options
| author | Christian Poessinger <christian@poessinger.com> | 2020-10-05 18:42:07 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2020-10-05 18:42:07 +0200 |
| commit | 65acae4868363117697ccefff10d0ef12fae9da4 (patch) | |
| tree | e2b77f52b1ec6059905958fdd971790030870422 | |
| parent | 5fca68d821c549572b07f073635170359a9f82c8 (diff) | |
| download | vyos-1x-65acae4868363117697ccefff10d0ef12fae9da4.tar.gz vyos-1x-65acae4868363117697ccefff10d0ef12fae9da4.zip | |
nat: T2951: use proper comments for source/destination logging
For both source and destination NAT always the LOG name contained DST - which
is definately false. This has been corrected to use SRC and DST on the
appropriate rules.
| -rw-r--r-- | data/templates/firewall/nftables-nat.tmpl | 10 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_nat.py | 3 |
2 files changed, 8 insertions, 5 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 0c29f536b..286c21859 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -28,6 +28,9 @@ add rule ip raw NAT_CONNTRACK counter accept {% endif %} {% macro nat_rule(rule, chain) %} +{% set comment = "" %} +{% set base_log = "" %} + {% set src_addr = "ip saddr " + rule.source_address if rule.source_address %} {% set dst_addr = "ip daddr " + rule.dest_address if rule.dest_address %} @@ -45,13 +48,15 @@ add rule ip raw NAT_CONNTRACK counter accept {% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %} {% endif %} -{% set comment = "DST-NAT-" + rule.number %} - {% if chain == "PREROUTING" %} +{% set comment = "DST-NAT-" + rule.number %} +{% set base_log = "[NAT-DST-" + rule.number %} {% set interface = " iifname \"" + rule.interface_in + "\"" if rule.interface_in is defined and rule.interface_in != 'any' else '' %} {% set trns_addr = "dnat to " + rule.translation_address %} {% elif chain == "POSTROUTING" %} +{% set comment = "SRC-NAT-" + rule.number %} +{% set base_log = "[NAT-SRC-" + rule.number %} {% set interface = " oifname \"" + rule.interface_out + "\"" if rule.interface_out is defined and rule.interface_out != 'any' else '' %} {% if rule.translation_address == 'masquerade' %} {% set trns_addr = rule.translation_address %} @@ -72,7 +77,6 @@ add rule ip raw NAT_CONNTRACK counter accept {% endif %} {% if rule.log %} -{% set base_log = "[NAT-DST-" + rule.number %} {% if rule.exclude %} {% set log = base_log + "-EXCL]" %} {% elif rule.translation_address == 'masquerade' %} diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py index b06fa239d..5c7c66840 100755 --- a/smoketest/scripts/cli/test_nat.py +++ b/smoketest/scripts/cli/test_nat.py @@ -56,11 +56,10 @@ class TestNAT(unittest.TestCase): nftable_json = json.loads(tmp) condensed_json = jmespath.search(snat_pattern, nftable_json)[0] - self.assertEqual(condensed_json['comment'], 'DST-NAT-1') + self.assertEqual(condensed_json['comment'], 'SRC-NAT-1') self.assertEqual(condensed_json['address']['network'], network.split('/')[0]) self.assertEqual(str(condensed_json['address']['prefix']), network.split('/')[1]) - def test_validation(self): """ T2813: Ensure translation address is specified """ self.session.set(source_path + ['rule', '100', 'outbound-interface', 'eth0']) |