diff options
| -rw-r--r-- | data/templates/firewall/nftables-nat66.j2 | 158 | ||||
| -rw-r--r-- | data/vyos-firewall-init.conf | 20 | ||||
| -rw-r--r-- | python/vyos/nat.py | 27 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_nat66.py | 63 | ||||
| -rwxr-xr-x | src/conf_mode/nat66.py | 11 | ||||
| -rwxr-xr-x | src/op_mode/show_nat66_statistics.py | 2 | 
6 files changed, 85 insertions, 196 deletions
| diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2 index 28714c7a7..27b3eec88 100644 --- a/data/templates/firewall/nftables-nat66.j2 +++ b/data/templates/firewall/nftables-nat66.j2 @@ -1,125 +1,5 @@  #!/usr/sbin/nft -f -{% macro nptv6_rule(rule,config, chain) %} -{% set comment  = '' %} -{% set base_log = '' %} -{% set dst_prefix  = 'ip6 daddr ' ~ config.destination.prefix.replace('!','!= ') if config.destination.prefix is vyos_defined %} -{% set src_prefix  = 'ip6 saddr ' ~ config.source.prefix.replace('!','!= ') if config.source.prefix is vyos_defined %} -{% set source_address  = 'ip6 saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %} -{% set dest_address  = 'ip6 daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %} -{# Port #} -{% if config.source.port is vyos_defined and config.source.port.startswith('!') %} -{%     set src_port  = 'sport != { ' ~ config.source.port.replace('!','') ~ ' }' %} -{% else %} -{%     set src_port  = 'sport { ' ~ config.source.port ~ ' }' if config.source.port is vyos_defined %} -{% endif %} -{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %} -{%     set dst_port  = 'dport != { ' ~ config.destination.port.replace('!','') ~ ' }' %} -{% else %} -{%     set dst_port  = 'dport { ' ~ config.destination.port ~ ' }' if config.destination.port is vyos_defined %} -{% endif %} -{% if chain is vyos_defined('PREROUTING') %} -{%     set comment   = 'DST-NAT66-' ~ rule %} -{%     set base_log  = '[NAT66-DST-' ~ rule %} -{%     set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} -{%     if config.translation.address | is_ip_network %} -{#         support 1:1 network translation #} -{%         set dnat_type = 'dnat prefix to ' %} -{%     else   %} -{%         set dnat_type = 'dnat to ' %} -{%     endif %} -{%     set trns_address = dnat_type ~ config.translation.address if config.translation.address is vyos_defined %} -{% elif chain is vyos_defined('POSTROUTING') %} -{%     set comment   = 'SRC-NAT66-' ~ rule %} -{%     set base_log  = '[NAT66-SRC-' ~ rule %} -{%     if config.translation.address is vyos_defined %} -{%         if config.translation.address is vyos_defined('masquerade') %} -{%             set trns_address = config.translation.address %} -{%         else %} -{%             if config.translation.address | is_ip_network %} -{#                 support 1:1 network translation #} -{%                 set snat_type = 'snat prefix to ' %} -{%             else   %} -{%                 set snat_type = 'snat to ' %} -{%             endif %} -{%             set trns_address = snat_type ~ config.translation.address %} -{%         endif %} -{%     endif   %} -{%     set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined else '' %} -{% endif %} -{% set trns_port = ':' ~ config.translation.port if config.translation.port is vyos_defined %} -{# protocol has a default value thus it is always present #} -{% if config.protocol is vyos_defined('tcp_udp') %} -{%     set protocol  = 'tcp' %} -{%     set comment   = comment ~ ' tcp_udp' %} -{% else %} -{%     set protocol  = config.protocol %} -{% endif %} -{% if config.log is vyos_defined %} -{%     if config.translation.address is vyos_defined('masquerade') %} -{%         set log = base_log ~ '-MASQ]' %} -{%     else %} -{%         set log = base_log ~ ']' %} -{%     endif %} -{% endif %} -{% if config.exclude is vyos_defined %} -{#     rule has been marked as 'exclude' thus we simply return here #} -{%     set trns_addr = 'return' %} -{%     set trns_port = '' %} -{% endif %} -{% set output = 'add rule ip6 nat ' ~ chain ~ interface %} -{# Count packets #} -{% set output = output ~ ' counter' %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential                      #} -{% if log is vyos_defined %} -{%     set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} -{% endif %} -{% if src_prefix is vyos_defined %} -{%     set output = output ~ ' ' ~ src_prefix %} -{% endif %} -{% if dst_port is vyos_defined %} -{%     set output = output ~ ' ' ~ protocol ~ ' ' ~ dst_port %} -{% endif %} -{% if dst_prefix is vyos_defined %} -{%     set output = output ~ ' ' ~ dst_prefix %} -{% endif %} -{% if source_address is vyos_defined %} -{%     set output = output ~ ' ' ~ source_address %} -{% endif %} -{% if src_port is vyos_defined %} -{%     set output = output ~ ' ' ~ protocol ~ ' ' ~ src_port %} -{% endif %} -{% if dest_address is vyos_defined %} -{%     set output = output ~ ' ' ~ dest_address %} -{% endif %} -{% if config.exclude is vyos_defined %} -{#     rule has been marked as 'exclude' thus we simply return here #} -{%     set trns_address = 'return' %} -{% endif %} -{% if trns_address is vyos_defined %} -{%     set output = output ~ ' ' ~ trns_address %} -{% endif %} -{% if trns_port is vyos_defined %} -{#     Do not add a whitespace here, translation port must be directly added after IP address #} -{#     e.g. 2001:db8::1:3389                                                                   #} -{%     set output = output ~ trns_port %} -{% endif %} -{% if comment is vyos_defined %} -{%     set output = output ~ ' comment "' ~ comment ~ '"' %} -{% endif %} -{{ log_output if log_output is vyos_defined }} -{{ output }} -{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #} -{% if config.protocol is vyos_defined('tcp_udp') %} -{#     Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #} -{{ log_output | replace('tcp ', 'udp ') if log_output is vyos_defined }} -{{ output | replace('tcp ', 'udp ') }} -{% endif %} -{% endmacro %} - -# Start with clean NAT table -flush table ip6 nat  {% if helper_functions is vyos_defined('remove') %}  {# NAT if going to be disabled - remove rules and targets from nftables #}  {%     set base_command = 'delete rule ip6 raw' %} @@ -137,19 +17,41 @@ add rule ip6 raw NAT_CONNTRACK counter accept  {{ base_command }} OUTPUT     position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK  {% endif %} -# -# Destination NAT66 rules build up here -# +{% if first_install is not vyos_defined %} +delete table ip6 vyos_nat +{% endif %} +table ip6 vyos_nat { +    # +    # Destination NAT66 rules build up here +    # +    chain PREROUTING { +        type nat hook prerouting priority -100; policy accept; +        counter jump VYOS_DNPT_HOOK  {% if destination.rule is vyos_defined %}  {%     for rule, config in destination.rule.items() if config.disable is not vyos_defined %} -{{ nptv6_rule(rule, config, 'PREROUTING') }} +        {{ config | nat_rule(rule, 'destination', ipv6=True) }}  {%     endfor %}  {% endif %} -# -# Source NAT66 rules build up here -# +    } + +    # +    # Source NAT66 rules build up here +    # +    chain POSTROUTING { +        type nat hook postrouting priority 100; policy accept; +        counter jump VYOS_SNPT_HOOK  {% if source.rule is vyos_defined %}  {%     for rule, config in source.rule.items() if config.disable is not vyos_defined %} -{{ nptv6_rule(rule, config, 'POSTROUTING') }} +        {{ config | nat_rule(rule, 'source', ipv6=True) }}  {%     endfor %}  {% endif %} +    } + +    chain VYOS_DNPT_HOOK { +        return +    } + +    chain VYOS_SNPT_HOOK { +        return +    } +} diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index 348299462..3a0e1ee48 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -28,26 +28,6 @@ table ip nat {      }  } -table ip6 nat { -    chain PREROUTING { -        type nat hook prerouting priority -100; policy accept; -        counter jump VYOS_DNPT_HOOK -    } - -    chain POSTROUTING { -        type nat hook postrouting priority 100; policy accept; -        counter jump VYOS_SNPT_HOOK -    } - -    chain VYOS_DNPT_HOOK { -        return -    } - -    chain VYOS_SNPT_HOOK { -        return -    } -} -  table inet mangle {      chain FORWARD {          type filter hook forward priority -150; policy accept; diff --git a/python/vyos/nat.py b/python/vyos/nat.py index 654afa424..44dd65372 100644 --- a/python/vyos/nat.py +++ b/python/vyos/nat.py @@ -17,11 +17,15 @@  from vyos.template import is_ip_network  from vyos.util import dict_search_args -def parse_nat_rule(rule_conf, rule_id, nat_type): +def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):      output = [] +    ip_prefix = 'ip6' if ipv6 else 'ip'      log_prefix = ('DST' if nat_type == 'destination' else 'SRC') + f'-NAT-{rule_id}'      log_suffix = '' +    if ipv6: +        log_prefix = log_prefix.replace("NAT-", "NAT66-") +      ignore_type_addr = False      translation_str = '' @@ -39,7 +43,7 @@ def parse_nat_rule(rule_conf, rule_id, nat_type):          protocol = rule_conf['protocol']          if protocol == 'tcp_udp':              protocol = '{ tcp, udp }' -        output.append(f'ip protocol {protocol}') +        output.append(f'meta l4proto {protocol}')      if 'exclude' in rule_conf:          translation_str = 'return' @@ -51,9 +55,12 @@ def parse_nat_rule(rule_conf, rule_id, nat_type):          port = dict_search_args(rule_conf, 'translation', 'port')          if addr and is_ip_network(addr): -            map_addr =  dict_search_args(rule_conf, nat_type, 'address') -            translation_output.append(f'ip prefix to ip {translation_prefix}addr map {{ {map_addr} : {addr} }}') -            ignore_type_addr = True +            if not ipv6: +                map_addr =  dict_search_args(rule_conf, nat_type, 'address') +                translation_output.append(f'{ip_prefix} prefix to {ip_prefix} {translation_prefix}addr map {{ {map_addr} : {addr} }}') +                ignore_type_addr = True +            else: +                translation_output.append(f'prefix to {addr}')          elif addr == 'masquerade':              if port:                  addr = f'{addr} to ' @@ -85,7 +92,15 @@ def parse_nat_rule(rule_conf, rule_id, nat_type):              if addr[:1] == '!':                  operator = '!='                  addr = addr[1:] -            output.append(f'ip {prefix}addr {operator} {addr}') +            output.append(f'{ip_prefix} {prefix}addr {operator} {addr}') + +        addr_prefix = dict_search_args(rule_conf, target, 'prefix') +        if addr_prefix and ipv6: +            operator = '' +            if addr_prefix[:1] == '!': +                operator = '!=' +                addr_prefix = addr[1:] +            output.append(f'ip6 {prefix}addr {operator} {addr_prefix}')          port = dict_search_args(rule_conf, target, 'port')          if port: diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py index 537b094a4..6cf7ca0a1 100755 --- a/smoketest/scripts/cli/test_nat66.py +++ b/smoketest/scripts/cli/test_nat66.py @@ -71,12 +71,12 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):          self.cli_commit()          nftables_search = [ -            ['oifname "eth1"', 'ip6 saddr fc00::/64', 'snat prefix to fc01::/64'], -            ['oifname "eth1"', 'ip6 saddr fc00::/64', 'masquerade'], -            ['oifname "eth1"', 'ip6 saddr fc00::/64', 'return'] +            ['oifname "eth1"', f'ip6 saddr {source_prefix}', f'snat prefix to {translation_prefix}'], +            ['oifname "eth1"', f'ip6 saddr {source_prefix}', 'masquerade'], +            ['oifname "eth1"', f'ip6 saddr {source_prefix}', 'return']          ] -        self.verify_nftables(nftables_search, 'ip6 nat') +        self.verify_nftables(nftables_search, 'ip6 vyos_nat')      def test_source_nat66_address(self):          source_prefix = 'fc00::/64' @@ -88,25 +88,11 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):          # check validate() - outbound-interface must be defined          self.cli_commit() -        tmp = cmd('sudo nft -j list table ip6 nat') -        data_json = jmespath.search('nftables[?rule].rule[?chain]', json.loads(tmp)) - -        for idx in range(0, len(data_json)): -            data = data_json[idx] - -            self.assertEqual(data['chain'], 'POSTROUTING') -            self.assertEqual(data['family'], 'ip6') -            self.assertEqual(data['table'], 'nat') - -            iface = dict_search('match.right', data['expr'][0]) -            address = dict_search('match.right.prefix.addr', data['expr'][2]) -            mask = dict_search('match.right.prefix.len', data['expr'][2]) -            snat_address = dict_search('snat.addr', data['expr'][3]) +        nftables_search = [ +            ['oifname "eth1"', f'ip6 saddr {source_prefix}', f'snat to {translation_address}'] +        ] -            self.assertEqual(iface, 'eth1') -            # check for translation address -            self.assertEqual(snat_address, translation_address) -            self.assertEqual(f'{address}/{mask}', source_prefix) +        self.verify_nftables(nftables_search, 'ip6 vyos_nat')      def test_destination_nat66(self):          destination_address = 'fc00::1' @@ -129,7 +115,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):              ['iifname "eth1"', 'ip6 saddr fc02::1', 'ip6 daddr fc00::1', 'return']          ] -        self.verify_nftables(nftables_search, 'ip6 nat') +        self.verify_nftables(nftables_search, 'ip6 vyos_nat')      def test_destination_nat66_protocol(self):          translation_address = '2001:db8:1111::1' @@ -153,7 +139,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):              ['iifname "eth1"', 'tcp dport 4545', 'ip6 saddr 2001:db8:2222::/64', 'tcp sport 8080', 'dnat to 2001:db8:1111::1:5555']          ] -        self.verify_nftables(nftables_search, 'ip6 nat') +        self.verify_nftables(nftables_search, 'ip6 vyos_nat')      def test_destination_nat66_prefix(self):          destination_prefix = 'fc00::/64' @@ -165,22 +151,25 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):          # check validate() - outbound-interface must be defined          self.cli_commit() -        tmp = cmd('sudo nft -j list table ip6 nat') -        data_json = jmespath.search('nftables[?rule].rule[?chain]', json.loads(tmp)) +        nftables_search = [ +            ['iifname "eth1"', f'ip6 daddr {destination_prefix}', f'dnat prefix to {translation_prefix}'] +        ] + +        self.verify_nftables(nftables_search, 'ip6 vyos_nat') -        for idx in range(0, len(data_json)): -            data = data_json[idx] +    def test_destination_nat66_without_translation_address(self): +        self.cli_set(dst_path + ['rule', '1', 'inbound-interface', 'eth1']) +        self.cli_set(dst_path + ['rule', '1', 'destination', 'port', '443']) +        self.cli_set(dst_path + ['rule', '1', 'protocol', 'tcp']) +        self.cli_set(dst_path + ['rule', '1', 'translation', 'port', '443']) -            self.assertEqual(data['chain'], 'PREROUTING') -            self.assertEqual(data['family'], 'ip6') -            self.assertEqual(data['table'], 'nat') +        self.cli_commit() -            iface = dict_search('match.right', data['expr'][0]) -            translation_address = dict_search('dnat.addr.prefix.addr', data['expr'][3]) -            translation_mask = dict_search('dnat.addr.prefix.len', data['expr'][3]) +        nftables_search = [ +            ['iifname "eth1"', 'tcp dport 443', 'dnat to :443'] +        ] -            self.assertEqual(f'{translation_address}/{translation_mask}', translation_prefix) -            self.assertEqual(iface, 'eth1') +        self.verify_nftables(nftables_search, 'ip6 vyos_nat')      def test_source_nat66_required_translation_prefix(self):          # T2813: Ensure translation address is specified @@ -222,7 +211,7 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):              ['oifname "eth1"', 'ip6 saddr 2001:db8:2222::/64', 'tcp dport 9999', 'tcp sport 8080', 'snat to 2001:db8:1111::1:80']          ] -        self.verify_nftables(nftables_search, 'ip6 nat') +        self.verify_nftables(nftables_search, 'ip6 vyos_nat')      def test_nat66_no_rules(self):          # T3206: deleting all rules but keep the direction 'destination' or diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py index f64102d88..d8f913b0c 100755 --- a/src/conf_mode/nat66.py +++ b/src/conf_mode/nat66.py @@ -36,7 +36,7 @@ airbag.enable()  k_mod = ['nft_nat', 'nft_chain_nat'] -nftables_nat66_config = '/tmp/vyos-nat66-rules.nft' +nftables_nat66_config = '/run/nftables_nat66.nft'  ndppd_config = '/run/ndppd/ndppd.conf'  def get_handler(json, chain, target): @@ -147,6 +147,9 @@ def verify(nat):      return None  def generate(nat): +    if not os.path.exists(nftables_nat66_config): +        nat['first_install'] = True +      render(nftables_nat66_config, 'firewall/nftables-nat66.j2', nat, permission=0o755)      render(ndppd_config, 'ndppd/ndppd.conf.j2', nat, permission=0o755)      return None @@ -154,15 +157,15 @@ def generate(nat):  def apply(nat):      if not nat:          return None -    cmd(f'{nftables_nat66_config}') + +    cmd(f'nft -f {nftables_nat66_config}') +      if 'deleted' in nat or not dict_search('source.rule', nat):          cmd('systemctl stop ndppd')          if os.path.isfile(ndppd_config):              os.unlink(ndppd_config)      else:          cmd('systemctl restart ndppd') -    if os.path.isfile(nftables_nat66_config): -        os.unlink(nftables_nat66_config)      return None diff --git a/src/op_mode/show_nat66_statistics.py b/src/op_mode/show_nat66_statistics.py index bc81692ae..cb10aed9f 100755 --- a/src/op_mode/show_nat66_statistics.py +++ b/src/op_mode/show_nat66_statistics.py @@ -44,7 +44,7 @@ group.add_argument("--destination", help="Show statistics for configured destina  args = parser.parse_args()  if args.source or args.destination: -    tmp = cmd('sudo nft -j list table ip6 nat') +    tmp = cmd('sudo nft -j list table ip6 vyos_nat')      tmp = json.loads(tmp)      source = r"nftables[?rule.chain=='POSTROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }" | 
