summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-07-12 11:54:16 +0200
committerChristian Poessinger <christian@poessinger.com>2020-07-12 11:54:16 +0200
commit6f44b47d8f2bf04984684a0752ab224960260b0d (patch)
tree4b9d702cae8533193e5a2f2bae29077da62616d0
parent149ea57f54e06a5158bd7108d7a017a98676d251 (diff)
downloadvyos-1x-6f44b47d8f2bf04984684a0752ab224960260b0d.tar.gz
vyos-1x-6f44b47d8f2bf04984684a0752ab224960260b0d.zip
nat: T2699: fix exclusion rules for noNAT destinations
-rw-r--r--data/templates/firewall/nftables-nat.tmpl9
-rwxr-xr-xsrc/conf_mode/nat.py15
2 files changed, 12 insertions, 12 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 8108d5e0f..0c29f536b 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -6,7 +6,7 @@ flush table nat
{% if helper_functions == 'remove' %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
-{% set base_command = "delete rule ip raw" %}
+{% set base_command = "delete rule ip raw" %}
{{ base_command }} PREROUTING handle {{ pre_ct_ignore }}
{{ base_command }} OUTPUT handle {{ out_ct_ignore }}
{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
@@ -19,7 +19,7 @@ delete chain ip raw NAT_CONNTRACK
add chain ip raw NAT_CONNTRACK
add rule ip raw NAT_CONNTRACK counter accept
-{% set base_command = "add rule ip raw" %}
+{% set base_command = "add rule ip raw" %}
{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
@@ -48,10 +48,11 @@ add rule ip raw NAT_CONNTRACK counter accept
{% set comment = "DST-NAT-" + rule.number %}
{% if chain == "PREROUTING" %}
-{% set interface = " iifname \"" + rule.interface_in + "\"" %}
+{% set interface = " iifname \"" + rule.interface_in + "\"" if rule.interface_in is defined and rule.interface_in != 'any' else '' %}
{% set trns_addr = "dnat to " + rule.translation_address %}
+
{% elif chain == "POSTROUTING" %}
-{% set interface = " oifname \"" + rule.interface_out + "\"" %}
+{% set interface = " oifname \"" + rule.interface_out + "\"" if rule.interface_out is defined and rule.interface_out != 'any' else '' %}
{% if rule.translation_address == 'masquerade' %}
{% set trns_addr = rule.translation_address %}
{% if rule.translation_port %}
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index b0a029f2b..3dd20938a 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -79,7 +79,7 @@ def verify_rule(rule, err_msg):
'statically maps a whole network of addresses onto another\n' \
'network of addresses')
- if not rule['translation_address']:
+ if not rule['exclude'] and not rule['translation_address']:
raise ConfigError(f'{err_msg} translation address not specified')
@@ -228,10 +228,10 @@ def verify(nat):
for rule in nat['source']:
interface = rule['interface_out']
- err_msg = f"Source NAT configuration error in rule {rule['number']}:"
+ err_msg = f'Source NAT configuration error in rule "{rule["number"]}":'
- if interface and interface not in interfaces():
- print(f'NAT configuration warning: interface {interface} does not exist on this system')
+ if interface and interface not in 'any' and interface not in interfaces():
+ print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system')
if not rule['interface_out']:
raise ConfigError(f'{err_msg} outbound-interface not specified')
@@ -246,10 +246,10 @@ def verify(nat):
for rule in nat['destination']:
interface = rule['interface_in']
- err_msg = f"Destination NAT configuration error in rule {rule['number']}:"
+ err_msg = f'Destination NAT configuration error in rule "{rule["number"]}":'
- if interface and interface not in interfaces():
- print(f'NAT configuration warning: interface {interface} does not exist on this system')
+ if interface and interface not in 'any' and interface not in interfaces():
+ print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system')
if not rule['interface_in']:
raise ConfigError(f'{err_msg} inbound-interface not specified')
@@ -261,7 +261,6 @@ def verify(nat):
def generate(nat):
render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755)
-
return None
def apply(nat):