Merge pull request #520 from jack9603301/nptv6

nptv6: T2518: Initial support for nat66 (NPT)

3 files changed, 130 insertions, 1 deletions

diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 5480447f2..499733225 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -118,7 +118,7 @@
 {% endmacro %}
 
 # Start with clean NAT table
-flush table nat
+flush table ip nat
 {% if helper_functions == 'remove' %}
 {# NAT if going to be disabled - remove rules and targets from nftables #}
 {%   set base_command = 'delete rule ip raw' %}
diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl
new file mode 100644
index 000000000..b1a8f7a16
--- /dev/null
+++ b/data/templates/firewall/nftables-nat66.tmpl
@@ -0,0 +1,85 @@
+#!/usr/sbin/nft -f
+
+{% macro nptv6_rule(rule,config, chain) %}
+{%     set src_prefix  = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none  %}
+{%     set dest_address  = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %}
+{%   if chain == "PREROUTING" %}
+{%     set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %}
+{%     if config.translation.address | is_ip_network %}
+{#       support 1:1 network translation #}
+{%       set dnat_type = "dnat prefix to " %}
+{%     else   %}
+{%       set dnat_type = "dnat to " %}
+{%     endif %}
+{%     set trns_address = dnat_type + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none  %}
+{%   elif chain == "POSTROUTING" %}
+{%     set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined else '' %}
+{%     set trns_prefix = "snat prefix to " + config.translation.prefix if config.translation is defined and config.translation.prefix is defined and config.translation.prefix is not none %}
+{%   endif %}
+{%   set comment   = "NPT-NAT-" + rule %}
+{%   if rule.log %}
+{%     set base_log = "[NPT-DST-" + rule %}
+{%     set log = base_log + "]" %}
+{%   endif %}
+{%   set output = "add rule ip6 nat " + chain + interface %}
+{#   Count packets #}
+{%     set output = output + " counter" %}
+{#   Special handling of log option, we must repeat the entire rule before the #}
+{#   NAT translation options are added, this is essential                      #}
+{%   if log %}
+{%     set log_output = output + " log prefix \"" + log + "\" comment \"" + comment + "\"" %}
+{%   endif %}
+{%   if src_prefix %}
+{%     set output = output + " " + src_prefix %}
+{%   endif %}
+{%   if dest_address %}
+{%     set output = output + " " + dest_address %}
+{%   endif %}
+{%   if trns_prefix %}
+{%     set output = output + " " + trns_prefix %}
+{%   endif %}
+{%   if trns_address %}
+{%     set output = output + " " + trns_address %}
+{%   endif %}
+{%   if comment %}
+{%     set output = output + " comment \"" + comment + "\"" %}
+{%   endif %}
+{{ log_output if log_output }}
+{{ output }}
+{% endmacro %}
+
+# Start with clean NAT table
+flush table ip6 nat
+{% if helper_functions == 'remove' %}
+{# NAT if going to be disabled - remove rules and targets from nftables #}
+{%   set base_command = "delete rule ip6 raw" %}
+{{base_command}} PREROUTING handle {{ pre_ct_conntrack }}
+{{base_command}} OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip6 raw NAT_CONNTRACK
+
+{% elif helper_functions == 'add' %}
+{# NAT if enabled - add targets to nftables #}
+add chain ip6 raw NAT_CONNTRACK
+add rule ip6 raw NAT_CONNTRACK counter accept
+{%   set base_command = "add rule ip6 raw" %}
+{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
+{{ base_command }} OUTPUT     position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
+{% endif %}
+
+#
+# Destination NAT66 rules build up here
+#
+{% if destination is defined and destination.rule is defined and destination.rule is not none %}
+{%   for rule, config in destination.rule.items() if config.disable is not defined %}
+{{ nptv6_rule(rule, config, 'PREROUTING') }}
+{%   endfor %}
+{% endif %}
+#
+# Source NAT66 rules build up here
+#
+{% if source is defined and source.rule is defined and source.rule is not none %}
+{%   for rule, config in source.rule.items() if config.disable is not defined %}
+{{ nptv6_rule(rule, config, 'POSTROUTING') }}
+{%   endfor %}
+{% endif %}
diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/proxy-ndp/ndppd.conf.tmpl
new file mode 100644
index 000000000..0137d8135
--- /dev/null
+++ b/data/templates/proxy-ndp/ndppd.conf.tmpl
@@ -0,0 +1,44 @@
+########################################################
+#
+# autogenerated by nat66.py
+#
+#   The configuration file must define one upstream
+#   interface.
+#
+#   For some services, such as nat66, because it runs
+#    stateless, it needs to rely on NDP Proxy to respond 
+#   to NDP requests.
+#
+#   When using nat66 source rules, NDP Proxy needs 
+#   to be enabled
+#
+########################################################
+
+{% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %}
+{% if source is defined and source.rule is defined and source.rule is not none %}
+{%   for rule, config in source.rule.items() if config.disable is not defined %}
+{%     if config.outbound_interface is defined %}
+{%         if config.outbound_interface not in global.ndppd_interfaces %}
+{%             set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %}
+{%         endif   %}
+{%         if config.translation.prefix is defined  %}
+{%             set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.prefix}] %}
+{%         endif    %}
+{%     endif    %}
+{%   endfor %}
+{% endif %}
+
+{% for interface in global.ndppd_interfaces %}
+proxy {{ interface }} {
+    router yes
+    timeout 500
+    ttl 30000
+{%  for map in global.ndppd_prefixs %}
+{%     if map.interface == interface %}
+    rule {{ map.rule }} {
+        static
+    }
+{%     endif  %}
+{%  endfor   %}
+}
+{% endfor %}