diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-06-12 00:52:52 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-06-12 00:52:52 +0200 |
commit | 3b8c45989e8fee5ec445ac8c8335a4de43ec9e81 (patch) | |
tree | 57124799da69ad7e486e0b86ff420798bdf1d440 /data/templates/firewall/nftables-nat.tmpl | |
parent | d41903ff8082164719296cbef46d07d036241c2c (diff) | |
download | vyos-1x-3b8c45989e8fee5ec445ac8c8335a4de43ec9e81.tar.gz vyos-1x-3b8c45989e8fee5ec445ac8c8335a4de43ec9e81.zip |
nat: T2571: add special handling for negated source/destination port(s)
We specify NFT source/destination ports within a { } group, but if the port
range in question is negated, we need to move the != fraction out of { } and
infront of that group, else NFT loading will fail big time.
Diffstat (limited to 'data/templates/firewall/nftables-nat.tmpl')
-rw-r--r-- | data/templates/firewall/nftables-nat.tmpl | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index abb32ddc6..35b2c1232 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -29,9 +29,22 @@ add rule ip raw NAT_CONNTRACK counter accept {% macro nat_rule(rule, chain) %} {% set src_addr = "ip saddr " + rule.source_address if rule.source_address %} -{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %} {% set dst_addr = "ip daddr " + rule.dest_address if rule.dest_address %} -{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %} + +{# negated port groups need special treatment, move != in front of { } group #} +{% if rule.source_port.startswith('!=') %} +{% set src_port = "sport != { " + rule.source_port.replace('!=','') +" }" if rule.source_port %} +{% else %} +{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %} +{% endif %} + +{# negated port groups need special treatment, move != in front of { } group #} +{% if rule.dest_port.startswith('!=') %} +{% set dst_port = "dport != { " + rule.dest_port.replace('!=','') +" }" if rule.dest_port %} +{% else %} +{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %} +{% endif %} + {% set comment = "DST-NAT-" + rule.number %} {% if chain == "PREROUTING" %} |