diff options
| author | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-09-20 14:19:23 +0200 |
|---|---|---|
| committer | sarthurdev <965089+sarthurdev@users.noreply.github.com> | 2022-09-21 20:53:49 +0200 |
| commit | 448d4f6db9cf6dfceffccf988301e5f4d04c9afa (patch) | |
| tree | 8cdb965b4cabfcdf02c53e7046833d0cd5610df0 /src | |
| parent | e9c233d65cfffccca131afb4cfb0bcaae0836c39 (diff) | |
| download | vyos-1x-448d4f6db9cf6dfceffccf988301e5f4d04c9afa.tar.gz vyos-1x-448d4f6db9cf6dfceffccf988301e5f4d04c9afa.zip | |
nat: T4605: Refactor NAT to use python module for parsing rules
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/nat.py | 25 | ||||
| -rwxr-xr-x | src/op_mode/show_nat_statistics.py | 2 |
2 files changed, 10 insertions, 17 deletions
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index e75418ba5..3f52d7c1f 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -147,14 +147,10 @@ def verify(nat): Warning(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') addr = dict_search('translation.address', config) - if addr != None: - if addr != 'masquerade' and not is_ip_network(addr): - for ip in addr.split('-'): - if not is_addr_assigned(ip): - Warning(f'IP address {ip} does not exist on the system!') - elif 'exclude' not in config: - raise ConfigError(f'{err_msg}\n' \ - 'translation address not specified') + if addr != None and addr != 'masquerade' and not is_ip_network(addr): + for ip in addr.split('-'): + if not is_addr_assigned(ip): + Warning(f'IP address {ip} does not exist on the system!') # common rule verification verify_rule(config, err_msg) @@ -167,14 +163,8 @@ def verify(nat): if 'inbound_interface' not in config: raise ConfigError(f'{err_msg}\n' \ 'inbound-interface not specified') - else: - if config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces(): - Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') - - - if dict_search('translation.address', config) == None and 'exclude' not in config: - raise ConfigError(f'{err_msg}\n' \ - 'translation address not specified') + elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces(): + Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') # common rule verification verify_rule(config, err_msg) @@ -193,6 +183,9 @@ def verify(nat): return None def generate(nat): + if not os.path.exists(nftables_nat_config): + nat['first_install'] = True + render(nftables_nat_config, 'firewall/nftables-nat.j2', nat) render(nftables_static_nat_conf, 'firewall/nftables-static-nat.j2', nat) diff --git a/src/op_mode/show_nat_statistics.py b/src/op_mode/show_nat_statistics.py index c568c8305..be41e083b 100755 --- a/src/op_mode/show_nat_statistics.py +++ b/src/op_mode/show_nat_statistics.py @@ -44,7 +44,7 @@ group.add_argument("--destination", help="Show statistics for configured destina args = parser.parse_args() if args.source or args.destination: - tmp = cmd('sudo nft -j list table ip nat') + tmp = cmd('sudo nft -j list table ip vyos_nat') tmp = json.loads(tmp) source = r"nftables[?rule.chain=='POSTROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }" |