| -rw-r--r-- | data/templates/firewall/nftables-nat66.j2 | 12 | ||||
| -rw-r--r-- | interface-definitions/nat66.xml.in | 73 | ||||
| -rwxr-xr-x | src/validators/ipv6-address-exclude | 7 | ||||
| -rwxr-xr-x | src/validators/ipv6-prefix-exclude | 7 | 
4 files changed, 97 insertions, 2 deletions
|
diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2
index 003b138b2..ca19506f2 100644
--- a/data/templates/firewall/nftables-nat66.j2
+++ b/data/templates/firewall/nftables-nat66.j2
@@ -3,8 +3,10 @@
 {% macro nptv6_rule(rule,config, chain) %}
 {% set comment  = '' %}
 {% set base_log = '' %}
-{% set src_prefix  = 'ip6 saddr ' ~ config.source.prefix if config.source.prefix is vyos_defined %}
-{% set dest_address  = 'ip6 daddr ' ~ config.destination.address if config.destination.address is vyos_defined %}
+{% set dst_prefix  = 'ip6 daddr ' ~ config.destination.prefix.replace('!','!= ') if config.destination.prefix is vyos_defined %}
+{% set src_prefix  = 'ip6 saddr ' ~ config.source.prefix.replace('!','!= ') if config.source.prefix is vyos_defined %}
+{% set source_address  = 'ip6 saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %}
+{% set dest_address  = 'ip6 daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %}
 {% if chain is vyos_defined('PREROUTING') %}
 {%     set comment   = 'DST-NAT66-' ~ rule %}
 {%     set base_log  = '[NAT66-DST-' ~ rule %}
@@ -52,6 +54,12 @@
 {% if src_prefix is vyos_defined %}
 {%     set output = output ~ ' ' ~ src_prefix %}
 {% endif %}
+{% if dst_prefix is vyos_defined %}
+{%     set output = output ~ ' ' ~ dst_prefix %}
+{% endif %}
+{% if source_address is vyos_defined %}
+{%     set output = output ~ ' ' ~ source_address %}
+{% endif %}
 {% if dest_address is vyos_defined %}
 {%     set output = output ~ ' ' ~ dest_address %}
 {% endif %}
diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in
index b47f653c6..ac3198f45 100644
--- a/interface-definitions/nat66.xml.in
+++ b/interface-definitions/nat66.xml.in
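Review bot: The four `.replace('!','!= ')` calls in the first hunk rewrite every `!` in the configured value, not only a leading one, and the result is concatenated straight into the nft rule text. The rendered expression is therefore well-formed only because the `ipv6-address-exclude` / `ipv6-prefix-exclude` validators accept nothing but a single leading `!`; that dependency is not stated anywhere in the template. I would record it next to the assignments, e.g. `{# negation: CLI validators guarantee at most one leading '!'; values are emitted into nft unescaped #}`, so a later change to the constraints does not silently produce a malformed or wider-than-intended match. The macro body starts before and continues after both hunks, so how these variables interact with the translation statement is not visible here.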
@@ -49,6 +49,30 @@
                   </completionHelp>
                 </properties>
               </leafNode>
+              <node name="destination">
+                <properties>
+                  <help>IPv6 destination prefix options</help>
+                </properties>
+                <children>
+                  <leafNode name="prefix">
+                    <properties>
+                      <help>IPv6 prefix to be translated</help>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>IPv6 prefix</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-prefix-exclude"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
               <node name="source">
                 <properties>
                   <help>IPv6 source prefix options</help>
@@ -61,8 +85,13 @@
                         <format>ipv6net</format>
                         <description>IPv6 prefix</description>
                       </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
                       <constraint>
                         <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-prefix-exclude"/>
                       </constraint>
                     </properties>
                   </leafNode>
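Review bot: The help string on the new `destination prefix` leaf in the first hunk, `IPv6 prefix to be translated`, does not match how the template uses the value: it is only appended as an `ip6 daddr` match, so an operator reading the CLI help could believe the destination is being rewritten. I would change it to `<help>IPv6 destination prefix to match</help>`. The same copy-paste shows in the third hunk, where the new `source` node keeps `IPv6 source prefix options` and `IPv6 address or prefix to be translated` for an `address` leaf that is likewise used as a match. None of the new leaves carries a `<constraintErrorMessage>`, so a rejected `!` value gives no hint about the expected form; the surrounding nodes start and end outside these hunks.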
@@ -164,9 +193,53 @@
                         <format>ipv6net</format>
                         <description>IPv6 prefix</description>
                       </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6</format>
+                        <description>Match everything except the specified IPv6 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-address"/>
+                        <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-address-exclude"/>
+                        <validator name="ipv6-prefix-exclude"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="source">
+                <properties>
+                  <help>IPv6 source prefix options</help>
+                </properties>
+                <children>
+                  <leafNode name="address">
+                    <properties>
+                      <help>IPv6 address or prefix to be translated</help>
+                      <valueHelp>
+                        <format>ipv6</format>
+                        <description>IPv6 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>IPv6 prefix</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6</format>
+                        <description>Match everything except the specified IPv6 address</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>!ipv6net</format>
+                        <description>Match everything except the specified IPv6 prefix</description>
+                      </valueHelp>
                       <constraint>
                         <validator name="ipv6-address"/>
                         <validator name="ipv6-prefix"/>
+                        <validator name="ipv6-address-exclude"/>
+                        <validator name="ipv6-prefix-exclude"/>
                       </constraint>
                     </properties>
                   </leafNode>
diff --git a/src/validators/ipv6-address-exclude b/src/validators/ipv6-address-exclude
new file mode 100755
index 000000000..be1d3db25
--- /dev/null
+++ b/src/validators/ipv6-address-exclude
@@ -0,0 +1,7 @@
+#!/bin/sh
+arg="$1"
+if [ "${arg:0:1}" != "!" ]; then
+  exit 1
+fi
+path=$(dirname "$0")
+${path}/ipv6-address "${arg:1}"
diff --git a/src/validators/ipv6-prefix-exclude b/src/validators/ipv6-prefix-exclude
new file mode 100755
index 000000000..6fa4f1d8d
--- /dev/null
+++ b/src/validators/ipv6-prefix-exclude
@@ -0,0 +1,7 @@
+#!/bin/sh
+arg="$1"
+if [ "${arg:0:1}" != "!" ]; then
+  exit 1
+fi
+path=$(dirname "$0")
+${path}/ipv6-prefix "${arg:1}"
|
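Review bot: `src/validators/ipv6-address-exclude` declares `#!/bin/sh` but relies on `${arg:0:1}` and `${arg:1}`, which are bash substring expansions rather than POSIX; a strict POSIX shell such as dash aborts on them with a substitution error, so every `!`-prefixed value would be rejected. That fails closed, but the negation feature would silently stop working wherever `/bin/sh` is not bash, and these scripts are the only thing constraining what the template later writes into the nft ruleset. The portable form is `[ "${arg#!}" != "$arg" ] || exit 1` followed by `"${path}/ipv6-address" "${arg#!}"`, which also quotes the helper path so an install directory containing spaces is not word-split. `src/validators/ipv6-prefix-exclude` has the identical pattern and needs the same change.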
