diff options
| author | Christian Poessinger <christian@poessinger.com> | 2022-07-30 12:19:26 +0200 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-07-30 12:19:26 +0200 | 
| commit | 2f2e8125560a19b51e0034ec88cf69ce1fd1afb5 (patch) | |
| tree | 9573c835023421da71ec5fc9601c032bba301295 | |
| parent | 2a9a2cfa12e87ae1b300354aeb3bdf7b10059d26 (diff) | |
| parent | fa8a09089af3a9062ae4f4f0ebc8c8474d870783 (diff) | |
| download | vyos-1x-2f2e8125560a19b51e0034ec88cf69ce1fd1afb5.tar.gz vyos-1x-2f2e8125560a19b51e0034ec88cf69ce1fd1afb5.zip | |
Merge pull request #1445 from sever-sever/T4089
nat: T4089: Rewrite show nat destination rules
| -rw-r--r-- | op-mode-definitions/nat.xml.in | 2 | ||||
| -rwxr-xr-x | src/op_mode/nat.py | 10 | ||||
| -rwxr-xr-x | src/op_mode/show_nat_rules.py | 126 | 
3 files changed, 11 insertions, 127 deletions
| diff --git a/op-mode-definitions/nat.xml.in b/op-mode-definitions/nat.xml.in index b0ec8989f..7148c1128 100644 --- a/op-mode-definitions/nat.xml.in +++ b/op-mode-definitions/nat.xml.in @@ -58,7 +58,7 @@                  <properties>                    <help>Show configured destination NAT rules</help>                  </properties> -                <command>${vyos_op_scripts_dir}/show_nat_rules.py --destination</command> +                <command>${vyos_op_scripts_dir}/nat.py show_rules --direction destination</command>                </node>                <node name="statistics">                  <properties> diff --git a/src/op_mode/nat.py b/src/op_mode/nat.py index 4b54ecf31..a98fc4227 100755 --- a/src/op_mode/nat.py +++ b/src/op_mode/nat.py @@ -133,6 +133,16 @@ port {port}'''                          translation = f'''{translation}  port {port}''' +                elif 'dnat' in expr: +                    translation = dict_search('dnat.addr', expr) +                    if expr['dnat'] and 'port' in expr['dnat']: +                        if jmespath.search('dnat.port.range', expr): +                            port = dict_search('dnat.port.range', expr) +                            port = '-'.join(map(str, port)) +                        else: +                            port = expr['dnat']['port'] +                        translation = f'''{translation} +port {port}'''                  else:                      translation = 'exclude'          # Overwrite match loop 'proto' if specified filed 'protocol' exist diff --git a/src/op_mode/show_nat_rules.py b/src/op_mode/show_nat_rules.py deleted file mode 100755 index 60a4bdd13..000000000 --- a/src/op_mode/show_nat_rules.py +++ /dev/null @@ -1,126 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2021-2022 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program.  If not, see <http://www.gnu.org/licenses/>. - -import jmespath -import json - -from argparse import ArgumentParser -from jinja2 import Template -from sys import exit -from vyos.util import cmd -from vyos.util import dict_search - -parser = ArgumentParser() -group = parser.add_mutually_exclusive_group() -group.add_argument("--source", help="Show statistics for configured source NAT rules", action="store_true") -group.add_argument("--destination", help="Show statistics for configured destination NAT rules", action="store_true") -args = parser.parse_args() - -if args.source or args.destination: -    tmp = cmd('sudo nft -j list table ip nat') -    tmp = json.loads(tmp) - -    format_nat_rule = '{0: <10} {1: <50} {2: <50} {3: <10}' -    print(format_nat_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface")) -    print(format_nat_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------")) - -    data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp) -    for idx in range(0, len(data_json)): -        data = data_json[idx] - -        # The following key values must exist -        # When the rule JSON does not have some keys, this is not a rule we can work with -        continue_rule = False -        for key in ['comment', 'chain', 'expr']: -            if key not in data: -                continue_rule = True -                continue -        if continue_rule: -            continue - -        comment = data['comment'] - -        # Check the annotation to see if the annotation format is created by VYOS -        continue_rule = True -        for comment_prefix in ['SRC-NAT-', 'DST-NAT-']: -            if comment_prefix in comment: -                continue_rule = False -        if continue_rule: -            continue - -        rule = int(''.join(list(filter(str.isdigit, comment)))) -        chain = data['chain'] -        if not ((args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING')): -            continue -        interface = dict_search('match.right', data['expr'][0]) -        srcdest = '' -        srcdests = [] -        tran_addr = '' -        for i in range(1,len(data['expr']) ): -            srcdest_json = dict_search('match.right', data['expr'][i]) -            if srcdest_json: -                if isinstance(srcdest_json,str): -                    if srcdest != '': -                        srcdests.append(srcdest) -                        srcdest = '' -                    srcdest = srcdest_json + ' ' -                elif 'prefix' in srcdest_json: -                    addr_tmp = dict_search('match.right.prefix.addr', data['expr'][i]) -                    len_tmp = dict_search('match.right.prefix.len', data['expr'][i]) -                    if addr_tmp and len_tmp: -                        srcdest = addr_tmp + '/' + str(len_tmp) + ' ' -                elif 'set' in srcdest_json: -                    if isinstance(srcdest_json['set'][0],int): -                        srcdest += 'port ' + str(srcdest_json['set'][0]) + ' ' -                    else: -                        port_range = srcdest_json['set'][0]['range'] -                        srcdest += 'port ' + str(port_range[0]) + '-' + str(port_range[1]) + ' ' - -            tran_addr_json = dict_search('snat' if args.source else 'dnat', data['expr'][i]) -            if tran_addr_json: -                if isinstance(tran_addr_json['addr'],str): -                    tran_addr += tran_addr_json['addr'] + ' ' -                elif 'prefix' in tran_addr_json['addr']: -                    addr_tmp = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3]) -                    len_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3]) -                    if addr_tmp and len_tmp: -                        tran_addr += addr_tmp + '/' + str(len_tmp) + ' ' - -                if tran_addr_json.get('port'): -                    if isinstance(tran_addr_json['port'],int): -                        tran_addr += 'port ' + str(tran_addr_json['port']) - -            else: -                if 'masquerade' in data['expr'][i]: -                    tran_addr = 'masquerade' -                elif 'log' in data['expr'][i]: -                    continue - -        if srcdest != '': -            srcdests.append(srcdest) -            srcdest = '' -        else: -            srcdests.append('any') -        print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface)) - -        for i in range(1, len(srcdests)): -            print(format_nat_rule.format(' ', srcdests[i], ' ', ' ')) - -    exit(0) -else: -    parser.print_help() -    exit(1) - | 
