path: root/data/templates/firewall/nftables-nat.tmpl
Diffstat (limited to 'data/templates/firewall/nftables-nat.tmpl')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl104
1 files changed, 72 insertions, 32 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 9bab8b363..5ce110d82 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -5,10 +5,12 @@ flush table nat
{% if helper_functions == 'remove' %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
-delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
-delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
-delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
-delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
+
+{% set base_command = "delete rule ip raw" %}
+{{ base_command }} PREROUTING handle {{ pre_ct_ignore }}
+{{ base_command }} OUTPUT handle {{ out_ct_ignore }}
+{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
+{{ base_command }} OUTPUT handle {{ out_ct_conntrack }}
delete chain ip raw NAT_CONNTRACK
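Review bot: The four `{{ base_command }} ... handle {{ ... }}` lines still render an unguarded `delete rule ip raw PREROUTING handle ` if any of `pre_ct_ignore`, `pre_ct_conntrack`, `out_ct_ignore` or `out_ct_conntrack` is empty, and because this file starts with `flush table nat` and is loaded as one `nft -f` transaction, a parse error there leaves the old NAT rules in place precisely when the operator asked for NAT to be disabled. How those handle variables are populated is not visible here, so if they can be unset, each delete should be wrapped, e.g. `{% if pre_ct_ignore %}{{ base_command }} PREROUTING handle {{ pre_ct_ignore }}{% endif %}`. The reordering of the deletes is otherwise safe, since nftables rule handles are stable and deleting one rule does not renumber the others; a one-line comment saying so, `{# handles are stable in nftables, so delete order does not matter #}`, would stop the next maintainer from "fixing" the order back.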
@@ -17,13 +19,17 @@ delete chain ip raw NAT_CONNTRACK
add chain ip raw NAT_CONNTRACK
add rule ip raw NAT_CONNTRACK counter accept
-add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
-add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
-add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-{% endif %}
+{% set base_command = "add rule ip raw" %}
+{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
+{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
+{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
+{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
+{% endif %}
+#
+# Destination NAT rules build up here
+#
{% for r in destination if not r.disabled -%}
{% set chain = "PREROUTING" %}
{% set src_addr = "ip saddr " + r.source_address if r.source_address %}
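Review bot: The four `add rule ip raw ... position {{ ... }}` lines rely on `position` semantics that the template does not document: as I read nft, `add rule ... position N` appends the new rule after the existing rule whose handle is N, so the relative order of the VYATTA_CT_HELPER and NAT_CONNTRACK jumps is decided by which anchor handles are passed in, not by the order of these lines, and the swap from grouping by chain to grouping by target changes nothing at runtime. That is worth stating next to the `base_command` assignment, e.g. `{# position refers to an existing rule handle; the jump is added after that rule, so ordering is fixed by the handles, not by line order #}`. If a referenced handle no longer exists (for instance after the `remove` branch above ran), the whole `nft -f` load fails, so the assumption that these handles are always present should be confirmed against the caller that computes them.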
@@ -32,16 +38,24 @@ add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRAC
{% set dst_port = "dport { " + r.dest_port +" }" if r.dest_port %}
{% set trns_addr = "dnat to " + r.translation_address %}
{% set trns_port = ":" + r.translation_port if r.translation_port %}
+{% set interface = " iifname \"" + r.interface_in + "\"" %}
{% set comment = "DST-NAT-" + r.number %}
-{% set iface = r.interface_in %}
+
+{% if r.protocol == "tcp_udp" %}
+{% set protocol = "tcp" %}
+{% set comment = comment + " tcp_udp" %}
+{% else %}
+{% set protocol = r.protocol %}
+{% endif %}
{% if r.log %}
+{% set base_log = "[NAT-DST-" + r.number %}
{% if r.exclude %}
-{% set log = "[" + comment + "-EXCL]" %}
+{% set log = base_log + "-EXCL]" %}
{% elif r.translation_address == 'masquerade' %}
-{% set log = "[" + comment + "-MASQ]" %}
+{% set log = base_log + "-MASQ]" %}
{% else %}
-{% set log = "[" + comment + "]" %}
+{% set log = base_log + "]" %}
{% endif %}
{% endif %}
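Review bot: The new `base_log = "[NAT-DST-" + r.number` changes the emitted log prefix from `[DST-NAT-<n>...]` (the old code built it from `comment`, which is `"DST-NAT-" + r.number`) to `[NAT-DST-<n>...]`, which will silently break any syslog parser, SIEM rule or documentation keyed on the old prefix. If the rename is unintentional, `{% set base_log = "[" + comment %}` restores the previous wording while keeping the refactor; if it is intentional, the commit message should call out the prefix change as user-visible. Note also that `log` is now derived before `comment` gets the ` tcp_udp` suffix only because the suffix is added at L58 before the log block, so the prefix for tcp_udp rules is `[NAT-DST-<n>]` without the suffix; a short comment, `{# log prefix deliberately omits the tcp_udp marker #}`, would make that explicit. The `for` loop body continues past this hunk.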
@@ -51,34 +65,60 @@ add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRAC
{% set trns_port = "" %}
{% endif %}
-{% if r.protocol == 'tcp_udp' %}
-{# Special handling for protocol tcp_udp which is represented as two individual rules #}
-{% set comment = comment + " tcp_udp" %}
-{% if log %}
+{% set output = "add rule ip nat " + chain + interface + " counter" %}
+{% set output = output + " comment \"" + comment + "\"" %}
-{% set tcp_dst_port = "tcp " + dst_port if dst_port else "ip protocol tcp" %}
-{% set udp_dst_port = "udp " + dst_port if dst_port else "ip protocol udp" %}
+{% if src_addr %}
+{% set output = output + " " + src_addr %}
+{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ tcp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
-{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ tcp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
-{% if log %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ udp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
-{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ udp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
+{% if src_port %}
+{% set output = output + " " + src_port %}
+{% endif %}
+{% if dst_addr %}
+{% set output = output + " " + dst_addr %}
+{% endif %}
+
+{% if dst_port %}
+{% set output = output + " " + protocol + " " + dst_port %}
{% else %}
-{% set proto_dst_port = dst_port if dst_port else "ip protocol " + r.protocol %}
-{% set proto_dst_port = "" if r.protocol == "all" %}
+{% set output = output + " ip protocol " + protocol %}
+{% endif %}
-{% if log %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ proto_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
-{% endif %}
-add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ src_port }} {{ proto_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
+{# Special handling of log option, we must repeat the entire rule before the #}
+{# NAT translation options are added, this is essential #}
+{% if log %}
+{% set log_output = output + " log prefix \"" + log + "\"" %}
+{% endif %}
+
+{% if trns_addr %}
+{% set output = output + " " + trns_addr %}
+{% endif %}
+
+{% if trns_port %}
+{# Do not add a whitespace here, translation port must be directly added after IP address #}
+{# e.g. 192.0.2.10:3389 #}
+{% set output = output + trns_port %}
+{% endif %}
+
+{{ log_output if log_output }}
+{{ output }}
+
+{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #}
+{% if r.protocol == "tcp_udp" %}
+{# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #}
+{{ log_output | replace("tcp ", "udp ") if log_output }}
+{{ output | replace("tcp ", "udp ") }}
{% endif %}
{% endfor %}
+
+
+#
+# Source NAT rules build up here
+#
{% for r in source if not r.disabled -%}
{% set chain = "POSTROUTING" %}
{% set src_addr = "ip saddr " + r.source_address if r.source_address %}