summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorjack9603301 <jack9603301@163.com>2020-11-30 20:03:00 +0800
committerjack9603301 <jack9603301@163.com>2021-01-23 21:45:30 +0800
commitb047855b80754d78cab4d3161ad0e97c21f479bc (patch)
treebde7384faa2f64a5fa3b6ce1e239f21bdaa424ee /data
parent6baf79a72cac9e6624d56b140511c32fad2cfbaa (diff)
downloadvyos-1x-b047855b80754d78cab4d3161ad0e97c21f479bc.tar.gz
vyos-1x-b047855b80754d78cab4d3161ad0e97c21f479bc.zip
nptv6: T2518: Initial support for nat66 (NPT)
Diffstat (limited to 'data')
-rw-r--r--data/configd-include.json1
-rw-r--r--data/templates/firewall/nftables-nat.tmpl2
-rw-r--r--data/templates/firewall/nftables-nat66.tmpl101
-rw-r--r--data/templates/proxy-ndp/ndppd.conf.tmpl41
4 files changed, 144 insertions, 1 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index 318ab0e14..345460700 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -28,6 +28,7 @@
"ipsec-settings.py",
"lldp.py",
"nat.py",
+"nat66.py",
"ntp.py",
"policy-local-route.py",
"protocols_bgp.py",
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 5480447f2..499733225 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -118,7 +118,7 @@
{% endmacro %}
# Start with clean NAT table
-flush table nat
+flush table ip nat
{% if helper_functions == 'remove' %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{% set base_command = 'delete rule ip raw' %}
diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl
new file mode 100644
index 000000000..af533812e
--- /dev/null
+++ b/data/templates/firewall/nftables-nat66.tmpl
@@ -0,0 +1,101 @@
+#!/usr/sbin/nft -f
+
+{% macro nptv6_rule(rule,config, chain) %}
+
+{% set src_prefix = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none %}
+{% set dest_address = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %}
+
+{% if chain == "PREROUTING" %}
+{% set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %}
+{% set trns_address = "dnat to " + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none %}
+{% elif chain == "POSTROUTING" %}
+{% set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined and config.outbound_interface != 'any' else '' %}
+{% set trns_prefix = "snat prefix to " + config.translation.prefix if config.translation is defined and config.translation.prefix is defined and config.translation.prefix is not none %}
+{% endif %}
+{% set comment = "NPT-NAT-" + rule %}
+{% if rule.log %}
+{% set base_log = "[NPT-DST-" + rule %}
+{% set log = base_log + "]" %}
+{% endif %}
+{% set output = "add rule ip6 nat " + chain + interface %}
+{# Count packets #}
+{% set output = output + " counter" %}
+
+{# Special handling of log option, we must repeat the entire rule before the #}
+{# NAT translation options are added, this is essential #}
+{% if log %}
+{% set log_output = output + " log prefix \"" + log + "\" comment \"" + comment + "\"" %}
+{% endif %}
+
+{% if src_prefix %}
+{% set output = output + " " + src_prefix %}
+{% endif %}
+
+
+{% if dest_address %}
+{% set output = output + " " + dest_address %}
+{% endif %}
+
+{% if trns_prefix %}
+{% set output = output + " " + trns_prefix %}
+{% endif %}
+
+{% if trns_address %}
+{% set output = output + " " + trns_address %}
+{% endif %}
+
+
+{% if comment %}
+{% set output = output + " comment \"" + comment + "\"" %}
+{% endif %}
+
+{{ log_output if log_output }}
+{{ output }}
+{% endmacro %}
+
+# Start with clean NAT table
+flush table ip6 nat
+
+{% if helper_functions == 'remove' %}
+{# NAT if going to be disabled - remove rules and targets from nftables #}
+
+
+
+{% set base_command = "delete rule ip6 raw" %}
+
+{{base_command}} PREROUTING handle {{ pre_ct_conntrack }}
+{{base_command}} OUTPUT handle {{ out_ct_conntrack }}
+
+delete chain ip6 raw NAT_CONNTRACK
+
+{% elif helper_functions == 'add' %}
+{# NAT if enabled - add targets to nftables #}
+add chain ip6 raw NAT_CONNTRACK
+add rule ip6 raw NAT_CONNTRACK counter accept
+
+{% set base_command = "add rule ip6 raw" %}
+
+
+{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
+{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
+
+{% endif %}
+
+#
+# Destination NAT66 rules build up here
+#
+{% if destination is defined and destination.rule is defined and destination.rule is not none %}
+{% for rule, config in destination.rule.items() if config.disable is not defined %}
+{{ nptv6_rule(rule, config, 'PREROUTING') }}
+{% endfor %}
+{% endif %}
+
+#
+# Source NAT66 rules build up here
+#
+{% if source is defined and source.rule is defined and source.rule is not none %}
+{% for rule, config in source.rule.items() if config.disable is not defined %}
+{{ nptv6_rule(rule, config, 'POSTROUTING') }}
+{% endfor %}
+{% endif %}
+
diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/proxy-ndp/ndppd.conf.tmpl
new file mode 100644
index 000000000..9bf120b3a
--- /dev/null
+++ b/data/templates/proxy-ndp/ndppd.conf.tmpl
@@ -0,0 +1,41 @@
+########################################################
+#
+# autogenerated by nat66.py
+#
+# The configuration file must define one upstream
+# interface.
+#
+# For some services, such as nat66, because it runs
+# stateless, it needs to rely on NDP Proxy to respond
+# to NDP requests.
+#
+# When using nat66 source rules, NDP Proxy needs
+# to be enabled
+#
+########################################################
+
+
+{% for i in interface %}
+
+{%- if not interface[i].disable %}
+
+proxy {{ i }} {
+ router {{ interface[i].router }}
+ timeout {{ interface[i].timeout }}
+ ttl {{ interface[i].ttl }}
+{% for p in interface[i].prefix %}
+ rule {{ p }} {
+{% if interface[i].prefix[p].mode == 'auto' %}
+ auto
+{% elif interface[i].prefix[p].mode == 'static' %}
+ static
+{% elif interface[i].prefix[p].mode == 'iface' and interface[i].prefix[p].iface %}
+ iface {{ interface[i].prefix[p].iface }}
+{% endif %}
+ }
+{%- endfor %}
+}
+
+{%- endif %}
+
+{% endfor %}