diff options
author | Christian Poessinger <christian@poessinger.com> | 2020-05-12 17:43:03 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-05-16 15:30:26 +0200 |
commit | cc2ad34ce61e205454c4676a5bde77629d463964 (patch) | |
tree | 8c40fbd4e28d8e2ceb2c44ff989e36f58ad61e3c /data | |
parent | fda762065c03d55c05682bf9834354c0edca3e97 (diff) | |
download | vyos-1x-cc2ad34ce61e205454c4676a5bde77629d463964.tar.gz vyos-1x-cc2ad34ce61e205454c4676a5bde77629d463964.zip |
nat: T2198: make use of jmespath when walking nftables JSON output
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/firewall/nftables-nat.tmpl | 91 |
1 files changed, 42 insertions, 49 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 671cd0920..161ef27fb 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -1,62 +1,55 @@ #!/usr/sbin/nft -f
-# Start with a "clean" NAT table
+# Start with clean NAT table
flush table nat
-{% for rule in init_deinit -%}
-# Add or remove conntrack helper rules for NAT operation-
-{{ rule }}
-{% endfor %}
-
-
-{% if deleted %}
-# NAT if going to be disabled - remove rules and targets from nftables
-delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
-delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
-delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
-delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
-
-delete chain ip raw NAT_CONNTRACK
-
-{% else %}
-# NAT if enabled - add targets to nftables
-add chain ip raw NAT_CONNTRACK
-add rule ip raw NAT_CONNTRACK counter accept
-
-add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
+{% if helper_functions == 'remove' %}
+ # NAT if going to be disabled - remove rules and targets from nftables
+ delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
+ delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
+ delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
+ delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+ delete chain ip raw NAT_CONNTRACK
+{% elif helper_functions == 'add' %}
+ # NAT if enabled - add targets to nftables
+ add chain ip raw NAT_CONNTRACK
+ add rule ip raw NAT_CONNTRACK counter accept
+
+ add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
+ add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
+ add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
+ add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
{% endif %}
{% for r in destination -%}
-{% if r.protocol == 'tcp_udp' %}
-{# Special handling for protocol tcp_udp which is represented as two individual rules #}
-add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
-add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
-{% else %}
-add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}"
-{% endif %}
+{% if r.protocol == 'tcp_udp' %}
+ {# Special handling for protocol tcp_udp which is represented as two individual rules #}
+ add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
+ add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
+{% else %}
+ add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}"
+{% endif %}
{% endfor %}
{% for r in source -%}
-{% if r.log %}
-{% if r.exclude %}
-{% set value = 'EXCL' %}
-{% elif r.translation_address == 'masquerade' %}
-{% set value = 'MASQ' %}
-{% endif %}
-add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}"
-{% endif %}
-
-{% if r.exclude %}
-{% set value = 'return' %}
-{% elif r.translation_address == 'masquerade' %}
-{% set value = 'masquerade' %}
-{% else %}
-{% set value = 'snat to ' + r.translation_address %}
-{% endif %}
-add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}"
+{% if r.log %}
+{% if r.exclude %}
+{% set value = 'EXCL' %}
+{% elif r.translation_address == 'masquerade' %}
+{% set value = 'MASQ' %}
+{% endif %}
+ add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}"
+{% endif %}
+
+{% if r.exclude %}
+{% set value = 'return' %}
+{% elif r.translation_address == 'masquerade' %}
+{% set value = 'masquerade' %}
+{% else %}
+{% set value = 'snat to ' + r.translation_address %}
+{% endif %}
+ add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}"
{% endfor %}
|