summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--op-mode-definitions/nat.xml.in2
-rwxr-xr-xsrc/op_mode/nat.py10
-rwxr-xr-xsrc/op_mode/show_nat_rules.py126
3 files changed, 11 insertions, 127 deletions
diff --git a/op-mode-definitions/nat.xml.in b/op-mode-definitions/nat.xml.in
index b0ec8989f..7148c1128 100644
--- a/op-mode-definitions/nat.xml.in
+++ b/op-mode-definitions/nat.xml.in
@@ -58,7 +58,7 @@
<properties>
<help>Show configured destination NAT rules</help>
</properties>
- <command>${vyos_op_scripts_dir}/show_nat_rules.py --destination</command>
+ <command>${vyos_op_scripts_dir}/nat.py show_rules --direction destination</command>
</node>
<node name="statistics">
<properties>
diff --git a/src/op_mode/nat.py b/src/op_mode/nat.py
index 4b54ecf31..a98fc4227 100755
--- a/src/op_mode/nat.py
+++ b/src/op_mode/nat.py
@@ -133,6 +133,16 @@ port {port}'''
translation = f'''{translation}
port {port}'''
+ elif 'dnat' in expr:
+ translation = dict_search('dnat.addr', expr)
+ if expr['dnat'] and 'port' in expr['dnat']:
+ if jmespath.search('dnat.port.range', expr):
+ port = dict_search('dnat.port.range', expr)
+ port = '-'.join(map(str, port))
+ else:
+ port = expr['dnat']['port']
+ translation = f'''{translation}
+port {port}'''
else:
translation = 'exclude'
# Overwrite match loop 'proto' if specified filed 'protocol' exist
diff --git a/src/op_mode/show_nat_rules.py b/src/op_mode/show_nat_rules.py
deleted file mode 100755
index 60a4bdd13..000000000
--- a/src/op_mode/show_nat_rules.py
+++ /dev/null
@@ -1,126 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) 2021-2022 VyOS maintainers and contributors
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License version 2 or later as
-# published by the Free Software Foundation.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import jmespath
-import json
-
-from argparse import ArgumentParser
-from jinja2 import Template
-from sys import exit
-from vyos.util import cmd
-from vyos.util import dict_search
-
-parser = ArgumentParser()
-group = parser.add_mutually_exclusive_group()
-group.add_argument("--source", help="Show statistics for configured source NAT rules", action="store_true")
-group.add_argument("--destination", help="Show statistics for configured destination NAT rules", action="store_true")
-args = parser.parse_args()
-
-if args.source or args.destination:
- tmp = cmd('sudo nft -j list table ip nat')
- tmp = json.loads(tmp)
-
- format_nat_rule = '{0: <10} {1: <50} {2: <50} {3: <10}'
- print(format_nat_rule.format("Rule", "Source" if args.source else "Destination", "Translation", "Outbound Interface" if args.source else "Inbound Interface"))
- print(format_nat_rule.format("----", "------" if args.source else "-----------", "-----------", "------------------" if args.source else "-----------------"))
-
- data_json = jmespath.search('nftables[?rule].rule[?chain]', tmp)
- for idx in range(0, len(data_json)):
- data = data_json[idx]
-
- # The following key values must exist
- # When the rule JSON does not have some keys, this is not a rule we can work with
- continue_rule = False
- for key in ['comment', 'chain', 'expr']:
- if key not in data:
- continue_rule = True
- continue
- if continue_rule:
- continue
-
- comment = data['comment']
-
- # Check the annotation to see if the annotation format is created by VYOS
- continue_rule = True
- for comment_prefix in ['SRC-NAT-', 'DST-NAT-']:
- if comment_prefix in comment:
- continue_rule = False
- if continue_rule:
- continue
-
- rule = int(''.join(list(filter(str.isdigit, comment))))
- chain = data['chain']
- if not ((args.source and chain == 'POSTROUTING') or (not args.source and chain == 'PREROUTING')):
- continue
- interface = dict_search('match.right', data['expr'][0])
- srcdest = ''
- srcdests = []
- tran_addr = ''
- for i in range(1,len(data['expr']) ):
- srcdest_json = dict_search('match.right', data['expr'][i])
- if srcdest_json:
- if isinstance(srcdest_json,str):
- if srcdest != '':
- srcdests.append(srcdest)
- srcdest = ''
- srcdest = srcdest_json + ' '
- elif 'prefix' in srcdest_json:
- addr_tmp = dict_search('match.right.prefix.addr', data['expr'][i])
- len_tmp = dict_search('match.right.prefix.len', data['expr'][i])
- if addr_tmp and len_tmp:
- srcdest = addr_tmp + '/' + str(len_tmp) + ' '
- elif 'set' in srcdest_json:
- if isinstance(srcdest_json['set'][0],int):
- srcdest += 'port ' + str(srcdest_json['set'][0]) + ' '
- else:
- port_range = srcdest_json['set'][0]['range']
- srcdest += 'port ' + str(port_range[0]) + '-' + str(port_range[1]) + ' '
-
- tran_addr_json = dict_search('snat' if args.source else 'dnat', data['expr'][i])
- if tran_addr_json:
- if isinstance(tran_addr_json['addr'],str):
- tran_addr += tran_addr_json['addr'] + ' '
- elif 'prefix' in tran_addr_json['addr']:
- addr_tmp = dict_search('snat.addr.prefix.addr' if args.source else 'dnat.addr.prefix.addr', data['expr'][3])
- len_tmp = dict_search('snat.addr.prefix.len' if args.source else 'dnat.addr.prefix.len', data['expr'][3])
- if addr_tmp and len_tmp:
- tran_addr += addr_tmp + '/' + str(len_tmp) + ' '
-
- if tran_addr_json.get('port'):
- if isinstance(tran_addr_json['port'],int):
- tran_addr += 'port ' + str(tran_addr_json['port'])
-
- else:
- if 'masquerade' in data['expr'][i]:
- tran_addr = 'masquerade'
- elif 'log' in data['expr'][i]:
- continue
-
- if srcdest != '':
- srcdests.append(srcdest)
- srcdest = ''
- else:
- srcdests.append('any')
- print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
-
- for i in range(1, len(srcdests)):
- print(format_nat_rule.format(' ', srcdests[i], ' ', ' '))
-
- exit(0)
-else:
- parser.print_help()
- exit(1)
-