Diffstat (limited to 'data/templates/firewall/nftables-nat.tmpl')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl27
1 files changed, 22 insertions, 5 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index 0a3dfa369..8108d5e0f 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -29,9 +29,22 @@ add rule ip raw NAT_CONNTRACK counter accept
{% macro nat_rule(rule, chain) %}
{% set src_addr = "ip saddr " + rule.source_address if rule.source_address %}
-{% set src_port = "sport " + rule.source_port if rule.source_port %}
{% set dst_addr = "ip daddr " + rule.dest_address if rule.dest_address %}
-{% set dst_port = "dport " + rule.dest_port if rule.dest_port %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.source_port.startswith('!=') %}
+{% set src_port = "sport != { " + rule.source_port.replace('!=','') +" }" if rule.source_port %}
+{% else %}
+{% set src_port = "sport { " + rule.source_port +" }" if rule.source_port %}
+{% endif %}
+
+{# negated port groups need special treatment, move != in front of { } group #}
+{% if rule.dest_port.startswith('!=') %}
+{% set dst_port = "dport != { " + rule.dest_port.replace('!=','') +" }" if rule.dest_port %}
+{% else %}
+{% set dst_port = "dport { " + rule.dest_port +" }" if rule.dest_port %}
+{% endif %}
+
{% set comment = "DST-NAT-" + rule.number %}
{% if chain == "PREROUTING" %}
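Review bot: The new `{% if rule.source_port.startswith('!=') %}` and `{% if rule.dest_port.startswith('!=') %}` tests call `.startswith` before the `if rule.source_port` / `if rule.dest_port` guards that follow on the `set` lines, so a rule with no port set would, if the key is undefined or None, fail rendering instead of silently omitting the match as the removed code did; guard the attribute access first, e.g. `{% if rule.source_port and rule.source_port.startswith('!=') %}`. Note also that `replace('!=','')` strips every occurrence rather than the leading operator only, so a value such as `!=80,!=443` would render as `sport != { 80,443 }`; if the caller only ever prefixes once this is harmless, but `rule.source_port[2:]` would express the intent exactly. The two near-identical negation blocks could be one helper macro to keep the quirk in a single place. The macro `nat_rule` continues past the end of this hunk.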
@@ -39,9 +52,13 @@ add rule ip raw NAT_CONNTRACK counter accept
{% set trns_addr = "dnat to " + rule.translation_address %}
{% elif chain == "POSTROUTING" %}
{% set interface = " oifname \"" + rule.interface_out + "\"" %}
-{% set trns_addr = rule.translation_address %}
-{% if rule.translation_address != 'masquerade' %}
-{% set trns_addr = "snat to " + trns_addr %}
+{% if rule.translation_address == 'masquerade' %}
+{% set trns_addr = rule.translation_address %}
+{% if rule.translation_port %}
+{% set trns_addr = trns_addr + " to " %}
+{% endif %}
+{% else %}
+{% set trns_addr = "snat to " + rule.translation_address %}
{% endif %}
{% endif %}
{% set trns_port = ":" + rule.translation_port if rule.translation_port %}