summaryrefslogtreecommitdiff
path: root/data/templates/firewall/nftables-cgnat.j2
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@vyos.io>2024-04-11 17:36:49 +0200
committerGitHub <noreply@github.com>2024-04-11 17:36:49 +0200
commitfbf400fe8e5b890ee22498ca05e2efb7873ca033 (patch)
tree7e1fa3c7ea2799a76f8c86735e8996e43c9543d4 /data/templates/firewall/nftables-cgnat.j2
parenta17539f4ff5ab7181d10e85f6aefbf51b53309cd (diff)
parent6f9e6159be265ca91f873576d15ccbbc061fed8d (diff)
downloadvyos-1x-fbf400fe8e5b890ee22498ca05e2efb7873ca033.tar.gz
vyos-1x-fbf400fe8e5b890ee22498ca05e2efb7873ca033.zip
Merge pull request #3274 from sever-sever/T5169
T5169: Add PoC for generating CGNAT rules rfc6888
Diffstat (limited to 'data/templates/firewall/nftables-cgnat.j2')
-rw-r--r--data/templates/firewall/nftables-cgnat.j247
1 files changed, 47 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-cgnat.j2 b/data/templates/firewall/nftables-cgnat.j2
new file mode 100644
index 000000000..79a8e3d5a
--- /dev/null
+++ b/data/templates/firewall/nftables-cgnat.j2
@@ -0,0 +1,47 @@
+#!/usr/sbin/nft -f
+
+add table ip cgnat
+flush table ip cgnat
+
+add map ip cgnat tcp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat udp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat icmp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat other_nat_map { type ipv4_addr: interval ipv4_addr ; flags interval ;}
+flush map ip cgnat tcp_nat_map
+flush map ip cgnat udp_nat_map
+flush map ip cgnat icmp_nat_map
+flush map ip cgnat other_nat_map
+
+table ip cgnat {
+ map tcp_nat_map {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { {{ proto_map_elements }} }
+ }
+
+ map udp_nat_map {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { {{ proto_map_elements }} }
+ }
+
+ map icmp_nat_map {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { {{ proto_map_elements }} }
+ }
+
+ map other_nat_map {
+ type ipv4_addr : interval ipv4_addr
+ flags interval
+ elements = { {{ other_map_elements }} }
+ }
+
+ chain POSTROUTING {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip protocol tcp counter snat ip to ip saddr map @tcp_nat_map
+ ip protocol udp counter snat ip to ip saddr map @udp_nat_map
+ ip protocol icmp counter snat ip to ip saddr map @icmp_nat_map
+ counter snat ip to ip saddr map @other_nat_map
+ }
+}