summaryrefslogtreecommitdiff
path: root/data/templates/firewall/nftables-nat66.tmpl
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/firewall/nftables-nat66.tmpl')
-rw-r--r--data/templates/firewall/nftables-nat66.tmpl37
1 files changed, 27 insertions, 10 deletions
diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl
index b1a8f7a16..e5c1b1b8d 100644
--- a/data/templates/firewall/nftables-nat66.tmpl
+++ b/data/templates/firewall/nftables-nat66.tmpl
@@ -1,9 +1,13 @@
#!/usr/sbin/nft -f
{% macro nptv6_rule(rule,config, chain) %}
-{% set src_prefix = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none %}
-{% set dest_address = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %}
+{% set comment = '' %}
+{% set base_log = '' %}
+{% set src_prefix = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none %}
+{% set dest_address = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %}
{% if chain == "PREROUTING" %}
+{% set comment = "DST-NAT66-" + rule %}
+{% set base_log = '[NAT66-DST-' + rule %}
{% set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %}
{% if config.translation.address | is_ip_network %}
{# support 1:1 network translation #}
@@ -13,13 +17,29 @@
{% endif %}
{% set trns_address = dnat_type + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none %}
{% elif chain == "POSTROUTING" %}
+{% set comment = 'SRC-NAT66-' + rule %}
+{% set base_log = '[NAT66-SRC-' + rule %}
+{% if config.translation is defined and config.translation.address is defined and config.translation.address is not none %}
+{% if config.translation.address == 'masquerade' %}
+{% set trns_address = config.translation.address %}
+{% else %}
+{% if config.translation.address | is_ip_network %}
+{# support 1:1 network translation #}
+{% set snat_type = "snat prefix to " %}
+{% else %}
+{% set snat_type = "snat to " %}
+{% endif %}
+{% set trns_address = snat_type + config.translation.address %}
+{% endif %}
+{% endif %}
{% set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined else '' %}
-{% set trns_prefix = "snat prefix to " + config.translation.prefix if config.translation is defined and config.translation.prefix is defined and config.translation.prefix is not none %}
{% endif %}
-{% set comment = "NPT-NAT-" + rule %}
-{% if rule.log %}
-{% set base_log = "[NPT-DST-" + rule %}
-{% set log = base_log + "]" %}
+{% if config.log is defined %}
+{% if config.translation is defined and config.translation.address is defined and config.translation.address == 'masquerade' %}
+{% set log = base_log +'-MASQ]' %}
+{% else %}
+{% set log = base_log + "]" %}
+{% endif %}
{% endif %}
{% set output = "add rule ip6 nat " + chain + interface %}
{# Count packets #}
@@ -35,9 +55,6 @@
{% if dest_address %}
{% set output = output + " " + dest_address %}
{% endif %}
-{% if trns_prefix %}
-{% set output = output + " " + trns_prefix %}
-{% endif %}
{% if trns_address %}
{% set output = output + " " + trns_address %}
{% endif %}