author | Christian Poessinger <christian@poessinger.com> | 2020-05-01 16:46:06 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-16 15:30:26 +0200 |
commit | a5650abb6d575de2f696a934d52468992ac9f1e9 (patch) | |
tree | dbff8b9439983072f8e16dd506d99fcae8a046fa /data/templates/nat/iptables-restore.tmpl | |
parent | 7caf1568bbb6be59e5f13693c31f23ade9349daa (diff) | |
download | vyos-1x-a5650abb6d575de2f696a934d52468992ac9f1e9.tar.gz vyos-1x-a5650abb6d575de2f696a934d52468992ac9f1e9.zip |
nat: T2198: migrate to common template for source/destination NAT
Diffstat (limited to 'data/templates/nat/iptables-restore.tmpl')
-rw-r--r-- | data/templates/nat/iptables-restore.tmpl | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/data/templates/nat/iptables-restore.tmpl b/data/templates/nat/iptables-restore.tmpl
new file mode 100644
index 000000000..f20a05719
--- /dev/null
+++ b/data/templates/nat/iptables-restore.tmpl
@@ -0,0 +1,38 @@
+### Autogenerated by nat.py ###
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:VYATTA_PRE_DNAT_HOOK - [0:0]
+:VYATTA_PRE_SNAT_HOOK - [0:0]
+-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
+{% for r in destination -%}
+{% if (',' in r.dest_port) or ('-' in r.dest_port) %}
+
+{% if r.protocol == 'tcp_udp' %}
+# protocol has been tcp_udp - create two distinct rules
+-A PREROUTING -i {{ r.interface_in }} -p tcp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+-A PREROUTING -i {{ r.interface_in }} -p udp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{% else %}
+-A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{%- endif %}
+
+{% else %}
+
+{% if r.protocol == 'tcp_udp' %}
+# protocol has been tcp_udp - create two distinct rules
+-A PREROUTING -i {{ r.interface_in }} -p tcp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+-A PREROUTING -i {{ r.interface_in }} -p udp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{% else %}
+-A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m {{ r.protocol }} --dport {{ r.dest_port }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{% endif %}
+
+{%- endif %}
+
+{% endfor %}
+-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
+-A VYATTA_PRE_DNAT_HOOK -j RETURN
+-A VYATTA_PRE_SNAT_HOOK -j RETURN
+COMMIT
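Review bot: In the single-port tcp_udp branch the two rules render as `-p tcp -m tcp_udp --dports …` and `-p udp -m tcp_udp --dports …`; there is no `tcp_udp` xtables match module and `--dports` belongs to multiport, so iptables-restore rejects the whole file and the commit fails for any single-port tcp_udp destination NAT rule. The match should name the concrete protocol and use the single-port option, i.e. `-A PREROUTING -i {{ r.interface_in }} -p tcp -m tcp --dport {{ r.dest_port }} …` and the same line with `-p udp -m udp --dport {{ r.dest_port }} …`. The generic branch below it relies on `-m {{ r.protocol }}` accepting `--dport`, which only holds for port-bearing protocols such as tcp and udp; if nat.py can hand this template a protocol like icmp together with a dest_port, that rule fails the same way, so either guard the branch or restrict dest_port to port-bearing protocols upstream. Separately, every field is interpolated unescaped into a line-oriented iptables-restore file, so correctness and rule isolation depend on the CLI validators guaranteeing that interface names, ports and addresses contain no whitespace or newlines — worth recording at the top of the template, `# values are rendered unescaped; nat.py must validate them before rendering`.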