diff options
author | Christian Poessinger <christian@poessinger.com> | 2022-09-01 19:35:15 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-09-01 19:35:15 +0200 |
commit | 735767f09f891c438e43565f935b927e6f1b317d (patch) | |
tree | 81daee7b244db6fea41f76bd70a45e02fce0334b /src/conf_mode | |
parent | 5c20eac6cd62f9145bc27041db9145b8ba231fa0 (diff) | |
parent | 3489089000a43a533fcd89282b0ced2434851c03 (diff) | |
download | vyos-1x-735767f09f891c438e43565f935b927e6f1b317d.tar.gz vyos-1x-735767f09f891c438e43565f935b927e6f1b317d.zip |
Merge pull request #1466 from sever-sever/T538
nat: T538: Add static NAT one-to-one
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/nat.py | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index a72e82a83..e75418ba5 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -45,6 +45,7 @@ else: k_mod = ['nft_nat', 'nft_chain_nat_ipv4'] nftables_nat_config = '/run/nftables_nat.conf' +nftables_static_nat_conf = '/run/nftables_static-nat-rules.nft' def get_handler(json, chain, target): """ Get nftable rule handler number of given chain/target combination. @@ -88,7 +89,7 @@ def get_config(config=None): # T2665: we must add the tagNode defaults individually until this is # moved to the base class - for direction in ['source', 'destination']: + for direction in ['source', 'destination', 'static']: if direction in nat: default_values = defaults(base + [direction, 'rule']) for rule in dict_search(f'{direction}.rule', nat) or []: @@ -178,20 +179,35 @@ def verify(nat): # common rule verification verify_rule(config, err_msg) + if dict_search('static.rule', nat): + for rule, config in dict_search('static.rule', nat).items(): + err_msg = f'Static NAT configuration error in rule {rule}:' + + if 'inbound_interface' not in config: + raise ConfigError(f'{err_msg}\n' \ + 'inbound-interface not specified') + + # common rule verification + verify_rule(config, err_msg) + return None def generate(nat): render(nftables_nat_config, 'firewall/nftables-nat.j2', nat) + render(nftables_static_nat_conf, 'firewall/nftables-static-nat.j2', nat) # dry-run newly generated configuration tmp = run(f'nft -c -f {nftables_nat_config}') if tmp > 0: raise ConfigError('Configuration file errors encountered!') + tmp = run(f'nft -c -f {nftables_nat_config}') + return None def apply(nat): cmd(f'nft -f {nftables_nat_config}') + cmd(f'nft -f {nftables_static_nat_conf}') return None |