summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-09-01 19:35:15 +0200
committerGitHub <noreply@github.com>2022-09-01 19:35:15 +0200
commit735767f09f891c438e43565f935b927e6f1b317d (patch)
tree81daee7b244db6fea41f76bd70a45e02fce0334b /src/conf_mode
parent5c20eac6cd62f9145bc27041db9145b8ba231fa0 (diff)
parent3489089000a43a533fcd89282b0ced2434851c03 (diff)
downloadvyos-1x-735767f09f891c438e43565f935b927e6f1b317d.tar.gz
vyos-1x-735767f09f891c438e43565f935b927e6f1b317d.zip
Merge pull request #1466 from sever-sever/T538
nat: T538: Add static NAT one-to-one
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/nat.py18
1 files changed, 17 insertions, 1 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index a72e82a83..e75418ba5 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -45,6 +45,7 @@ else:
k_mod = ['nft_nat', 'nft_chain_nat_ipv4']
nftables_nat_config = '/run/nftables_nat.conf'
+nftables_static_nat_conf = '/run/nftables_static-nat-rules.nft'
def get_handler(json, chain, target):
""" Get nftable rule handler number of given chain/target combination.
@@ -88,7 +89,7 @@ def get_config(config=None):
# T2665: we must add the tagNode defaults individually until this is
# moved to the base class
- for direction in ['source', 'destination']:
+ for direction in ['source', 'destination', 'static']:
if direction in nat:
default_values = defaults(base + [direction, 'rule'])
for rule in dict_search(f'{direction}.rule', nat) or []:
@@ -178,20 +179,35 @@ def verify(nat):
# common rule verification
verify_rule(config, err_msg)
+ if dict_search('static.rule', nat):
+ for rule, config in dict_search('static.rule', nat).items():
+ err_msg = f'Static NAT configuration error in rule {rule}:'
+
+ if 'inbound_interface' not in config:
+ raise ConfigError(f'{err_msg}\n' \
+ 'inbound-interface not specified')
+
+ # common rule verification
+ verify_rule(config, err_msg)
+
return None
def generate(nat):
render(nftables_nat_config, 'firewall/nftables-nat.j2', nat)
+ render(nftables_static_nat_conf, 'firewall/nftables-static-nat.j2', nat)
# dry-run newly generated configuration
tmp = run(f'nft -c -f {nftables_nat_config}')
if tmp > 0:
raise ConfigError('Configuration file errors encountered!')
+ tmp = run(f'nft -c -f {nftables_nat_config}')
+
return None
def apply(nat):
cmd(f'nft -f {nftables_nat_config}')
+ cmd(f'nft -f {nftables_static_nat_conf}')
return None