author | Daniil Baturin <daniil@vyos.io> | 2024-04-11 17:36:49 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-11 17:36:49 +0200 |
commit | fbf400fe8e5b890ee22498ca05e2efb7873ca033 (patch) | |
tree | 7e1fa3c7ea2799a76f8c86735e8996e43c9543d4 /data | |
parent | a17539f4ff5ab7181d10e85f6aefbf51b53309cd (diff) | |
parent | 6f9e6159be265ca91f873576d15ccbbc061fed8d (diff) | |
download | vyos-1x-fbf400fe8e5b890ee22498ca05e2efb7873ca033.tar.gz vyos-1x-fbf400fe8e5b890ee22498ca05e2efb7873ca033.zip |
Merge pull request #3274 from sever-sever/T5169
T5169: Add PoC for generating CGNAT rules rfc6888
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/firewall/nftables-cgnat.j2 | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-cgnat.j2 b/data/templates/firewall/nftables-cgnat.j2
new file mode 100644
index 000000000..79a8e3d5a
--- /dev/null
+++ b/data/templates/firewall/nftables-cgnat.j2
@@ -0,0 +1,47 @@
+#!/usr/sbin/nft -f
+
+add table ip cgnat
+flush table ip cgnat
+
+add map ip cgnat tcp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat udp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat icmp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat other_nat_map { type ipv4_addr: interval ipv4_addr ; flags interval ;}
+flush map ip cgnat tcp_nat_map
+flush map ip cgnat udp_nat_map
+flush map ip cgnat icmp_nat_map
+flush map ip cgnat other_nat_map
+
+table ip cgnat {
+ map tcp_nat_map {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { {{ proto_map_elements }} }
+ }
+
+ map udp_nat_map {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { {{ proto_map_elements }} }
+ }
+
+ map icmp_nat_map {
+ type ipv4_addr : interval ipv4_addr . inet_service
+ flags interval
+ elements = { {{ proto_map_elements }} }
+ }
+
+ map other_nat_map {
+ type ipv4_addr : interval ipv4_addr
+ flags interval
+ elements = { {{ other_map_elements }} }
+ }
+
+ chain POSTROUTING {
+ type nat hook postrouting priority srcnat; policy accept;
+ ip protocol tcp counter snat ip to ip saddr map @tcp_nat_map
+ ip protocol udp counter snat ip to ip saddr map @udp_nat_map
+ ip protocol icmp counter snat ip to ip saddr map @icmp_nat_map
+ counter snat ip to ip saddr map @other_nat_map
+ }
+} |
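Review bot: The three `snat ip to ip saddr map @…` rules in chain POSTROUTING carry no `random`/`fully-random` flag, so port selection inside each subscriber's block is left to nftables' default allocation rather than the RFC 6056-style randomization a CGN deployment usually wants; consider `ip protocol tcp counter snat ip to ip saddr map @tcp_nat_map random` (and likewise for udp/icmp), choosing `fully-random` if preserving the original source port where possible is not required. The tcp, udp and icmp maps are all rendered from the same `{{ proto_map_elements }}` and therefore hold identical elements; one map selected by `meta l4proto { tcp, udp, icmp } counter snat ip to ip saddr map @proto_nat_map` would avoid loading what may be a large interval set three times and keeps the three from drifting apart if the generator later emits per-protocol blocks. The final `counter snat ip to ip saddr map @other_nat_map` has no protocol guard, so a TCP/UDP/ICMP source that is missing from its protocol map but present in `@other_nat_map` would be SNATed to an address with no port-block restriction, silently weakening the per-subscriber port limit; if the two element sets can ever differ, prefix it with `meta l4proto != { tcp, udp, icmp }`. The `add map … ; flush map …` lines at the top appear redundant with the declarative `table ip cgnat { … }` block that recreates the maps after `flush table`, and a short header comment stating that the file is fully regenerated and atomically loaded by `nft -f` would help the next reader.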