-rw-r--r-- | data/templates/firewall/nftables-nat66.tmpl | 21 | ||||
-rw-r--r-- | data/templates/proxy-ndp/ndppd.conf.tmpl | 3 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_nat66.py | 1 | ||||
-rwxr-xr-x | src/conf_mode/nat66.py | 9 | ||||
-rwxr-xr-x | src/migration-scripts/nat66/0-to-1 | 1 |
5 files changed, 2 insertions, 33 deletions
diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl index 45506ca09..b1a8f7a16 100644 --- a/data/templates/firewall/nftables-nat66.tmpl +++ b/data/templates/firewall/nftables-nat66.tmpl @@ -1,10 +1,8 @@ #!/usr/sbin/nft -f {% macro nptv6_rule(rule,config, chain) %} - {% set src_prefix = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none %} {% set dest_address = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %} - {% if chain == "PREROUTING" %} {% set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %} {% if config.translation.address | is_ip_network %} 
@@ -26,49 +24,35 @@ {% set output = "add rule ip6 nat " + chain + interface %} {# Count packets #} {% set output = output + " counter" %} - {# Special handling of log option, we must repeat the entire rule before the #} {# NAT translation options are added, this is essential #} {% if log %} {% set log_output = output + " log prefix \"" + log + "\" comment \"" + comment + "\"" %} {% endif %} - {% if src_prefix %} {% set output = output + " " + src_prefix %} {% endif %} - - {% if dest_address %} {% set output = output + " " + dest_address %} {% endif %} - {% if trns_prefix %} {% set output = output + " " + trns_prefix %} {% endif %} - {% if trns_address %} {% set output = output + " " + trns_address %} {% endif %} - - {% if comment %} {% set output = output + " comment \"" + comment + "\"" %} {% endif %} - {{ log_output if log_output }} {{ output }} {% endmacro %} # Start with clean NAT table flush table ip6 nat - {% if helper_functions == 'remove' %} {# NAT if going to be disabled - remove rules and targets from nftables #} - - - {% set base_command = "delete rule ip6 raw" %} - {{base_command}} PREROUTING handle {{ pre_ct_conntrack }} {{base_command}} OUTPUT handle {{ out_ct_conntrack }} @@ -78,13 +62,9 @@ delete chain ip6 raw NAT_CONNTRACK {# NAT if enabled - add targets to nftables #} add chain ip6 raw NAT_CONNTRACK add rule ip6 raw NAT_CONNTRACK counter accept - {% set base_command = "add rule ip6 raw" %} - - {{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK {{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK - {% endif %} # @@ -95,7 +75,6 @@ add rule ip6 raw NAT_CONNTRACK counter accept {{ nptv6_rule(rule, config, 'PREROUTING') }} {% endfor %} {% endif %} - # # Source NAT66 rules build up here # diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/proxy-ndp/ndppd.conf.tmpl index 4393be169..0137d8135 100644 --- a/data/templates/proxy-ndp/ndppd.conf.tmpl 
+++ b/data/templates/proxy-ndp/ndppd.conf.tmpl @@ -15,8 +15,6 @@ ######################################################## {% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %} - - {% if source is defined and source.rule is defined and source.rule is not none %} {% for rule, config in source.rule.items() if config.disable is not defined %} {% if config.outbound_interface is defined %} @@ -31,7 +29,6 @@ {% endif %} {% for interface in global.ndppd_interfaces %} - proxy {{ interface }} { router yes timeout 500 diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py index 042c61ace..ccc4196e0 100755 --- a/smoketest/scripts/cli/test_nat66.py +++ b/smoketest/scripts/cli/test_nat66.py @@ -68,7 +68,6 @@ class TestNAT66(unittest.TestCase): self.assertEqual(iface, 'eth1') # check for translation address self.assertEqual(f'{translation_address}/{translation_mask}', translation_prefix) - self.assertEqual(f'{address}/{mask}', source_prefix) def test_destination_nat66(self): diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py index f58db04e0..b90939a2f 100755 --- a/src/conf_mode/nat66.py +++ b/src/conf_mode/nat66.py @@ -80,19 +80,16 @@ def get_config(config=None): if not conf.exists(base): nat['helper_functions'] = 'remove' - nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK') nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT','NAT_CONNTRACK') - nat['deleted'] = '' - return nat # check if NAT66 connection tracking helpers need to be set up - this has to # be done only once if not get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK'): nat['helper_functions'] = 'add' - + # Retrieve current table handler positions nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'VYATTA_CT_PREROUTING_HOOK') nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT','VYATTA_CT_OUTPUT_HOOK') 
@@ -120,18 +117,16 @@ def verify(nat): if config['outbound_interface'] not in interfaces(): print(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') - prefix = dict_search('translation.prefix', config) if prefix != None: if not is_ipv6(prefix): raise ConfigError(f'Warning: IPv6 prefix {prefix} is not a valid address prefix') - + prefix = dict_search('source.prefix', config) if prefix != None: if not is_ipv6(prefix): raise ConfigError(f'{err_msg} source-prefix not specified') - if dict_search('destination.rule', nat): for rule, config in dict_search('destination.rule', nat).items(): err_msg = f'Destination NAT66 configuration error in rule {rule}:' diff --git a/src/migration-scripts/nat66/0-to-1 b/src/migration-scripts/nat66/0-to-1 index 602c5f5c1..74d64c07b 100755 --- a/src/migration-scripts/nat66/0-to-1 +++ b/src/migration-scripts/nat66/0-to-1 @@ -51,7 +51,6 @@ def merge_npt(config,base,rule): tmp = config.return_value(base + ['translation','prefix']) config.set(merge_base + ['translation','prefix'],value=tmp) - if not config.exists(['nat', 'nptv6']): # Nothing to do exit(0) |