author | Christian Poessinger <christian@poessinger.com> | 2020-07-12 11:54:16 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-07-12 11:54:16 +0200 |
commit | 6f44b47d8f2bf04984684a0752ab224960260b0d (patch) | |
tree | 4b9d702cae8533193e5a2f2bae29077da62616d0 | |
parent | 149ea57f54e06a5158bd7108d7a017a98676d251 (diff) | |
download | vyos-1x-6f44b47d8f2bf04984684a0752ab224960260b0d.tar.gz vyos-1x-6f44b47d8f2bf04984684a0752ab224960260b0d.zip |
nat: T2699: fix exclusion rules for noNAT destinations
-rw-r--r-- | data/templates/firewall/nftables-nat.tmpl | 9 | ||||
-rwxr-xr-x | src/conf_mode/nat.py | 15 |
2 files changed, 12 insertions, 12 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 8108d5e0f..0c29f536b 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -6,7 +6,7 @@ flush table nat {% if helper_functions == 'remove' %} {# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = "delete rule ip raw" %} +{% set base_command = "delete rule ip raw" %} {{ base_command }} PREROUTING handle {{ pre_ct_ignore }} {{ base_command }} OUTPUT handle {{ out_ct_ignore }} {{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} @@ -19,7 +19,7 @@ delete chain ip raw NAT_CONNTRACK add chain ip raw NAT_CONNTRACK add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = "add rule ip raw" %} +{% set base_command = "add rule ip raw" %} {{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER {{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER @@ -48,10 +48,11 @@ add rule ip raw NAT_CONNTRACK counter accept {% set comment = "DST-NAT-" + rule.number %} {% if chain == "PREROUTING" %} -{% set interface = " iifname \"" + rule.interface_in + "\"" %} +{% set interface = " iifname \"" + rule.interface_in + "\"" if rule.interface_in is defined and rule.interface_in != 'any' else '' %} {% set trns_addr = "dnat to " + rule.translation_address %} + {% elif chain == "POSTROUTING" %} -{% set interface = " oifname \"" + rule.interface_out + "\"" %} +{% set interface = " oifname \"" + rule.interface_out + "\"" if rule.interface_out is defined and rule.interface_out != 'any' else '' %} {% if rule.translation_address == 'masquerade' %} {% set trns_addr = rule.translation_address %} {% if rule.translation_port %} diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index b0a029f2b..3dd20938a 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py 
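Review bot: The new inline conditionals on the two `interface` assignments in the `@@ -48,10 +48,11 @@` hunk encode a rule that is easy to misread and is not commented: when `rule.interface_in`/`rule.interface_out` is undefined or equal to the literal `any`, the `iifname`/`oifname` qualifier is dropped entirely, so the generated nft rule then matches on every interface rather than on none. A one-line Jinja comment above each branch would make that explicit, e.g. `{# 'any' or no interface: omit the iifname/oifname qualifier so the rule applies on all interfaces #}`. Note that the template compares with `!= 'any'` (exact match), which is the correct form; the companion check in src/conf_mode/nat.py should use the same comparison. The first two hunks of this file look like whitespace-only changes to the `base_command` lines, and the loop that binds `rule` and the `{% endif %}` closing the chain branch presumably lie outside the hunk.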
@@ -79,7 +79,7 @@ def verify_rule(rule, err_msg): 'statically maps a whole network of addresses onto another\n' \ 'network of addresses') - if not rule['translation_address']: + if not rule['exclude'] and not rule['translation_address']: raise ConfigError(f'{err_msg} translation address not specified') @@ -228,10 +228,10 @@ def verify(nat): for rule in nat['source']: interface = rule['interface_out'] - err_msg = f"Source NAT configuration error in rule {rule['number']}:" + err_msg = f'Source NAT configuration error in rule "{rule["number"]}":' - if interface and interface not in interfaces(): - print(f'NAT configuration warning: interface {interface} does not exist on this system') + if interface and interface not in 'any' and interface not in interfaces(): + print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system') if not rule['interface_out']: raise ConfigError(f'{err_msg} outbound-interface not specified') @@ -246,10 +246,10 @@ def verify(nat): for rule in nat['destination']: interface = rule['interface_in'] - err_msg = f"Destination NAT configuration error in rule {rule['number']}:" + err_msg = f'Destination NAT configuration error in rule "{rule["number"]}":' - if interface and interface not in interfaces(): - print(f'NAT configuration warning: interface {interface} does not exist on this system') + if interface and interface not in 'any' and interface not in interfaces(): + print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system') if not rule['interface_in']: raise ConfigError(f'{err_msg} inbound-interface not specified') @@ -261,7 +261,6 @@ def verify(nat): def generate(nat): render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755) - return None def apply(nat): |
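Review bot: `interface not in 'any'` on the new warning guards in both the source-rule loop (`@@ -228,10 +228,10 @@`) and the destination-rule loop (`@@ -246,10 +246,10 @@`) is a substring test on the string `'any'`, not a comparison with the keyword: an interface named `a`, `n`, `y`, `an` or `ny` would also silently skip the existence check, and nothing else in the hunk limits the value to real interface names. The intent is clearly to exempt only the literal keyword, so both lines should read `if interface and interface != 'any' and interface not in interfaces():`. As a minor style point, `interfaces()` is still re-evaluated once per rule inside each loop; binding it once before the loops would avoid the repeated system lookup, though that is pre-existing behaviour. The `verify()` loops enclosing these lines start and end outside the shown hunks.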