authorChristian Poessinger <christian@poessinger.com>2020-05-15 23:01:27 +0200
committerChristian Poessinger <christian@poessinger.com>2020-05-16 18:25:58 +0200
commit9cec8471dae531072946daf5dcb74a0a9fe1e86c (patch)
tree52d041a00aea99e7b6789fd33a498ed468e3eadd /data/templates/firewall/nftables-nat.tmpl
parentf75db67c495c0e9e251bebba46b75e9d085dece0 (diff)
nat: T2198: sync generated DNAT rules with VyOS 1.2
The generated NAT rules in VyOS 1.2 were compared to the generated nftables ruleset in VyOS 1.3. This was done by converting the 1.2 iptables ruleset to nftables and then diffing the two. To convert from iptables to nftables use the following commands: $ iptables-save -t nat > /tmp/tmp.iptables $ iptables-restore-translate -f /tmp/tmp.iptables The following CLI options have been used for testing: set nat destination rule 10 description 'foo-10' set nat destination rule 10 destination address '1.1.1.1' set nat destination rule 10 destination port '1111' set nat destination rule 10 exclude set nat destination rule 10 inbound-interface 'eth0.202' set nat destination rule 10 log set nat destination rule 10 protocol 'tcp_udp' set nat destination rule 10 translation address '192.0.2.10' set nat destination rule 15 description 'foo-10' set nat destination rule 15 destination address '1.1.1.1' set nat destination rule 15 exclude set nat destination rule 15 inbound-interface 'eth0.202' set nat destination rule 15 log set nat destination rule 15 protocol 'tcp_udp' set nat destination rule 15 translation address '192.0.2.10' set nat destination rule 20 description 'foo-20' set nat destination rule 20 destination address '2.2.2.2' set nat destination rule 20 inbound-interface 'eth0.201' set nat destination rule 20 log set nat destination rule 20 protocol 'tcp' set nat destination rule 20 translation address '192.0.2.10'
Diffstat (limited to 'data/templates/firewall/nftables-nat.tmpl')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl60
1 files changed, 33 insertions, 27 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 528c4d82a..929cae563 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -4,34 +4,33 @@
flush table nat
{% if helper_functions == 'remove' %}
- # NAT if going to be disabled - remove rules and targets from nftables
- delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
- delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
- delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
- delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+{# NAT if going to be disabled - remove rules and targets from nftables #}
+delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip raw NAT_CONNTRACK
- delete chain ip raw NAT_CONNTRACK
{% elif helper_functions == 'add' %}
- # NAT if enabled - add targets to nftables
- add chain ip raw NAT_CONNTRACK
- add rule ip raw NAT_CONNTRACK counter accept
-
- add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
- add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
- add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
- add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-{% endif %}
+{# NAT if enabled - add targets to nftables #}
+add chain ip raw NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
+add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
+add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
+add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
+add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
+{% endif %}
{% for r in destination if not r.disabled -%}
{% set chain = "PREROUTING" %}
{% set dst_addr = "ip daddr " + r.dest_address if r.dest_address %}
-{% set dst_port = "dport { " + r.dest_port +" }" %}
-{% set trns_addr = r.translation_address %}
+{% set dst_port = "dport { " + r.dest_port +" }" if r.dest_port %}
+{% set trns_addr = "dnat to " + r.translation_address %}
{% set trns_port = ":" + r.translation_port if r.translation_port %}
-{% set trns = "dnat to " + trns_addr + trns_port if trns_port %}
{% set comment = "DST-NAT-" + r.number %}
-{% set iface = "iifname " + r.interface_in %}
+{% set iface = r.interface_in %}
{% if r.log %}
{% if r.exclude %}
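Review bot: `{% set trns_addr = "dnat to " + r.translation_address %}` is built unconditionally, unlike `dst_addr`, `dst_port` and `trns_port` on the neighbouring lines, so a destination rule whose translation address is unset fails at render time (string + None) instead of producing a rule; the `exclude` case, which the next hunk overrides with `return`, looks like the path where a translation address is most plausibly absent, but confirm that against the rule dict the config script builds. Suggest `{% set trns_addr = "dnat to " + r.translation_address if r.translation_address %}` so the value is Undefined and renders empty like the other optional fields. That alone turns a non-exclude rule with no translation address into an nft syntax error at load rather than a Jinja error, so a config-verification check that a translation address is present whenever `exclude` is not set would be the cleaner guard. The `{% for r in destination ... %}` loop body continues past the end of this hunk.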
@@ -45,25 +44,32 @@ flush table nat
{% if r.exclude %}
{# rule has been marked as "exclude" thus we simply return here #}
-{% set trns = "return" %}
+{% set trns_addr = "return" %}
+{% set trns_port = "" %}
{% endif %}
{% if r.protocol == 'tcp_udp' %}
{# Special handling for protocol tcp_udp which is represented as two individual rules #}
+{% set comment = comment + " tcp_udp" %}
{% if log %}
-add rule ip nat {{ chain }} {{ iface }} tcp {{ dst_port }} counter log prefix "{{ log }}" comment "{{ comment }} tcp_udp"
+
+{% set tcp_dst_port = "tcp " + dst_port if dst_port else "ip protocol tcp" %}
+{% set udp_dst_port = "udp " + dst_port if dst_port else "ip protocol udp" %}
+
+add rule ip nat {{ chain }} iifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
-add rule ip nat {{ chain }} {{ iface }} tcp {{ dst_port }} counter {{ trns }} comment {{ comment }}
+add rule ip nat {{ chain }} iifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% if log %}
-add rule ip nat {{ chain }} {{ iface }} udp {{ dst_port }} counter log prefix "{{ log }}" comment "{{ comment }} tcp_udp"
+add rule ip nat {{ chain }} iifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
-add rule ip nat {{ chain }} {{ iface }} udp {{ dst_port }} counter {{ trns }} comment {{ comment }}
-{% else %}
+add rule ip nat {{ chain }} iifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
+{% else %}
+{% set proto_dst_port = dst_port if dst_port else "ip protocol " + r.protocol %}
{% if log %}
-add rule ip nat {{ chain }} {{ iface }} {{ r.protocol }} counter log prefix "{{ log }}" comment {{ comment }}
+add rule ip nat {{ chain }} iifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
-add rule ip nat {{ chain }} {{ iface }} {{ dst_addr }} {{ r.protocol }} {{ dst_port }} counter {{ trns }} comment {{ comment }}
+add rule ip nat {{ chain }} iifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% endif %}
{% endfor %}
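Review bot: In the `{% else %}` branch, `{% set proto_dst_port = dst_port if dst_port else "ip protocol " + r.protocol %}` drops the protocol keyword whenever a destination port is configured: `dst_port` is `dport { ... }` with no prefix, so a rule with `protocol tcp` plus a destination port renders `iifname "..." dport { 1111 } ...`, which nft rejects (it needs `tcp dport`), whereas the removed line emitted `{{ r.protocol }} {{ dst_port }}`. The `tcp_udp` branch already prefixes the protocol (`"tcp " + dst_port`), so mirror it here: `{% set proto_dst_port = r.protocol + " " + dst_port if dst_port else "ip protocol " + r.protocol %}`. The commit's test set only exercises `protocol tcp` without a destination port (rule 20), which is why the ruleset loaded cleanly. I cannot tell from this hunk whether `r.protocol` can be unset or `all` for a destination rule; if it can, both arms of that line need a guard, since `"ip protocol " + None` fails at render time and `ip protocol all` is not valid nft syntax.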