authorChristian Poessinger <christian@poessinger.com>2020-06-12 00:52:52 +0200
committerChristian Poessinger <christian@poessinger.com>2020-06-12 00:52:52 +0200
commit3b8c45989e8fee5ec445ac8c8335a4de43ec9e81 (patch)
tree57124799da69ad7e486e0b86ff420798bdf1d440 /data/templates/firewall/nftables-nat.tmpl
parentd41903ff8082164719296cbef46d07d036241c2c (diff)
nat: T2571: add special handling for negated source/destination port(s)
We specify NFT source/destination ports within a { } group, but if the port range in question is negated, we need to move the != fraction out of the { } group and in front of it, else NFT loading will fail big time.
Diffstat (limited to 'data/templates/firewall/nftables-nat.tmpl')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl17
1 files changed, 15 insertions, 2 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index abb32ddc6..35b2c1232 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -29,9 +29,22 @@ add rule ip raw NAT_CONNTRACK counter accept
{% macro nat_rule(rule, chain) %}
{% set src_addr = "ip saddr " + rule.source_address if rule.source_address %}
-{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %}
{% set dst_addr = "ip daddr " + rule.dest_address if rule.dest_address %}
-{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.source_port.startswith('!=') %}
+{% set src_port = "sport != { " + rule.source_port.replace('!=','') +" }" if rule.source_port %}
+{% else %}
+{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %}
+{% endif %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.dest_port.startswith('!=') %}
+{% set dst_port = "dport != { " + rule.dest_port.replace('!=','') +" }" if rule.dest_port %}
+{% else %}
+{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %}
+{% endif %}
+
{% set comment = "DST-NAT-" + rule.number %}
{% if chain == "PREROUTING" %}