-rw-r--r-- | data/templates/nat/iptables-restore.tmpl | 38 | ||||
-rw-r--r-- | data/templates/nat/nat-destination.tmpl | 13 | ||||
-rw-r--r-- | data/templates/nat/nat-source.tmpl | 4 | ||||
-rwxr-xr-x | src/conf_mode/nat.py | 12 |
4 files changed, 45 insertions, 22 deletions
diff --git a/data/templates/nat/iptables-restore.tmpl b/data/templates/nat/iptables-restore.tmpl
new file mode 100644
index 000000000..f20a05719
--- /dev/null
+++ b/data/templates/nat/iptables-restore.tmpl
@@ -0,0 +1,38 @@
+### Autogenerated by nat.py ###
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:VYATTA_PRE_DNAT_HOOK - [0:0]
+:VYATTA_PRE_SNAT_HOOK - [0:0]
+-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
+{% for r in destination -%}
+{% if (',' in r.dest_port) or ('-' in r.dest_port) %}
+
+{% if r.protocol == 'tcp_udp' %}
+# protocol has been tcp_udp - create two distinct rules
+-A PREROUTING -i {{ r.interface_in }} -p tcp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+-A PREROUTING -i {{ r.interface_in }} -p udp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{% else %}
+-A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{%- endif %}
+
+{% else %}
+
+{% if r.protocol == 'tcp_udp' %}
+# protocol has been tcp_udp - create two distinct rules
+-A PREROUTING -i {{ r.interface_in }} -p tcp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+-A PREROUTING -i {{ r.interface_in }} -p udp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{% else %}
+-A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m {{ r.protocol }} --dport {{ r.dest_port }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
+{% endif %}
+
+{%- endif %}
+
+{% endfor %}
+-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
+-A VYATTA_PRE_DNAT_HOOK -j RETURN
+-A VYATTA_PRE_SNAT_HOOK -j RETURN
+COMMIT
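Review bot: The single-port tcp_udp branch (the two `-A PREROUTING` lines directly under the second `# protocol has been tcp_udp` comment) renders `-m tcp_udp --dports …`, which iptables-restore will reject: there is no `tcp_udp` match module, and `--dports` is an option of `-m multiport`, so every tcp_udp destination rule with a single port fails to load and the whole restore aborts at COMMIT. Those two lines should use the concrete protocol match and the singular option: `-A PREROUTING -i {{ r.interface_in }} -p tcp -m tcp --dport {{ r.dest_port }} …` and `-A PREROUTING -i {{ r.interface_in }} -p udp -m udp --dport {{ r.dest_port }} …`, with the rest of each line unchanged. Separately, the CLI values (`r.interface_in`, `r.dest_port`, `r.translation_address`, `r.translation_port`) are interpolated unescaped into iptables-restore input; if the validators outside this diff do not already restrict them to a safe character set, a value carrying a newline or a double quote would be read by iptables-restore as additional rule text, so that constraint is worth confirming and noting in the template header comment.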
diff --git a/data/templates/nat/nat-destination.tmpl b/data/templates/nat/nat-destination.tmpl
deleted file mode 100644
index ccd585264..000000000
--- a/data/templates/nat/nat-destination.tmpl
+++ /dev/null
@@ -1,13 +0,0 @@
-### Autogenerated by nat.py ###
-
-*nat
--A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-{% for r in destination -%}
-{% if (',' in r.dest_port) or ('-' in r.dest_port) %}
--A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} {{ r.protocol }}" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
-{% else %}
--A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m tcp --dport {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} {{ r.protocol }}" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }}
-{% endif %}
-{% endfor %}
--A VYATTA_PRE_DNAT_HOOK -j RETURN
-COMMIT
diff --git a/data/templates/nat/nat-source.tmpl b/data/templates/nat/nat-source.tmpl
deleted file mode 100644
index 41179ae9c..000000000
--- a/data/templates/nat/nat-source.tmpl
+++ /dev/null
@@ -1,4 +0,0 @@
-### Autogenerated by nat.py ###
-{% for r in source -%}
-# {{ r.description }}
-{% endfor %}
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 538999f9a..b4e8c2053 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -19,6 +19,7 @@ from sys import exit
 from netifaces import interfaces
 from vyos.config import Config
+from vyos.util import call
 from vyos.template import render
 from vyos import ConfigError
@@ -27,8 +28,7 @@ default_config_data = {
 'destination': []
 }
-nat_source_config = '/tmp/nat_source'
-nat_destination_config = '/tmp/nat_destination'
+iptables_nat_config = '/tmp/iptables_nat_config'
 def parse_source_destination(conf, source_dest):
 """ Common wrapper to read in both NAT source and destination CLI """
@@ -128,12 +128,14 @@ def generate(nat):
 if not nat:
 return None
- render(nat_source_config, 'nat/nat-source.tmpl', nat, trim_blocks=True)
- render(nat_destination_config, 'nat/nat-destination.tmpl', nat, trim_blocks=True)
-
+ render(iptables_nat_config, 'nat/iptables-restore.tmpl', nat, trim_blocks=True)
 return None
 def apply(nat):
+ if not nat:
+ return None
+
+ call(f'iptables-restore --test < {iptables_nat_config}')
 return None
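Review bot: In the last hunk, `apply()` discards the result of `call(f'iptables-restore --test < {iptables_nat_config}')`, so a ruleset that iptables rejects is still reported as a successful commit, and because only `--test` is run the generated rules are validated but never loaded. If `vyos.util.call` returns the process exit status (it is defined outside this diff, so this is inferred from the name), the line should become `if call(f'iptables-restore --test < {iptables_nat_config}') != 0:` / `    raise ConfigError('iptables-restore rejected the generated NAT rules')`, followed by the actual load, or a comment should state that the load step is intentionally deferred. The second hunk's `iptables_nat_config = '/tmp/iptables_nat_config'` is a fixed, predictable name in a world-writable directory that `generate()` writes and a privileged iptables-restore then reads; a per-run file from `tempfile` or a path under a root-owned runtime directory would prevent a pre-existing file or symlink at that name from being consumed.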