Diffstat (limited to 'data/templates/firewall/nftables-nat66.tmpl')
-rw-r--r--data/templates/firewall/nftables-nat66.tmpl86
1 files changed, 43 insertions, 43 deletions
diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl
index e5c1b1b8d..ed98b888a 100644
--- a/data/templates/firewall/nftables-nat66.tmpl
+++ b/data/templates/firewall/nftables-nat66.tmpl
@@ -3,83 +3,83 @@
{% macro nptv6_rule(rule,config, chain) %}
{% set comment = '' %}
{% set base_log = '' %}
-{% set src_prefix = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none %}
-{% set dest_address = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %}
-{% if chain == "PREROUTING" %}
-{% set comment = "DST-NAT66-" + rule %}
-{% set base_log = '[NAT66-DST-' + rule %}
-{% set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %}
+{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix if config.source.prefix is vyos_defined %}
+{% set dest_address = 'ip6 daddr ' ~ config.destination.address if config.destination.address is vyos_defined %}
+{% if chain is vyos_defined('PREROUTING') %}
+{% set comment = 'DST-NAT66-' ~ rule %}
+{% set base_log = '[NAT66-DST-' ~ rule %}
+{% set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %}
{% if config.translation.address | is_ip_network %}
{# support 1:1 network translation #}
-{% set dnat_type = "dnat prefix to " %}
+{% set dnat_type = 'dnat prefix to ' %}
{% else %}
-{% set dnat_type = "dnat to " %}
+{% set dnat_type = 'dnat to ' %}
{% endif %}
-{% set trns_address = dnat_type + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none %}
-{% elif chain == "POSTROUTING" %}
-{% set comment = 'SRC-NAT66-' + rule %}
-{% set base_log = '[NAT66-SRC-' + rule %}
-{% if config.translation is defined and config.translation.address is defined and config.translation.address is not none %}
-{% if config.translation.address == 'masquerade' %}
+{% set trns_address = dnat_type ~ config.translation.address if config.translation.address is vyos_defined %}
+{% elif chain is vyos_defined('POSTROUTING') %}
+{% set comment = 'SRC-NAT66-' ~ rule %}
+{% set base_log = '[NAT66-SRC-' ~ rule %}
+{% if config.translation.address is vyos_defined %}
+{% if config.translation.address is vyos_defined('masquerade') %}
{% set trns_address = config.translation.address %}
-{% else %}
+{% else %}
{% if config.translation.address | is_ip_network %}
{# support 1:1 network translation #}
-{% set snat_type = "snat prefix to " %}
+{% set snat_type = 'snat prefix to ' %}
{% else %}
-{% set snat_type = "snat to " %}
+{% set snat_type = 'snat to ' %}
{% endif %}
-{% set trns_address = snat_type + config.translation.address %}
+{% set trns_address = snat_type ~ config.translation.address %}
{% endif %}
{% endif %}
-{% set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined else '' %}
+{% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined else '' %}
{% endif %}
-{% if config.log is defined %}
-{% if config.translation is defined and config.translation.address is defined and config.translation.address == 'masquerade' %}
+{% if config.log is vyos_defined %}
+{% if config.translation.address is vyos_defined('masquerade') %}
{% set log = base_log +'-MASQ]' %}
{% else %}
-{% set log = base_log + "]" %}
+{% set log = base_log ~ ']' %}
{% endif %}
{% endif %}
-{% set output = "add rule ip6 nat " + chain + interface %}
+{% set output = 'add rule ip6 nat ' ~ chain ~ interface %}
{# Count packets #}
-{% set output = output + " counter" %}
+{% set output = output ~ ' counter' %}
{# Special handling of log option, we must repeat the entire rule before the #}
{# NAT translation options are added, this is essential #}
-{% if log %}
-{% set log_output = output + " log prefix \"" + log + "\" comment \"" + comment + "\"" %}
+{% if log is vyos_defined %}
+{% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %}
{% endif %}
-{% if src_prefix %}
-{% set output = output + " " + src_prefix %}
+{% if src_prefix is vyos_defined %}
+{% set output = output ~ ' ' ~ src_prefix %}
{% endif %}
-{% if dest_address %}
-{% set output = output + " " + dest_address %}
+{% if dest_address is vyos_defined %}
+{% set output = output ~ ' ' ~ dest_address %}
{% endif %}
-{% if trns_address %}
-{% set output = output + " " + trns_address %}
+{% if trns_address is vyos_defined %}
+{% set output = output ~ ' ' ~ trns_address %}
{% endif %}
-{% if comment %}
-{% set output = output + " comment \"" + comment + "\"" %}
+{% if comment is vyos_defined %}
+{% set output = output ~ ' comment "' ~ comment ~ '"' %}
{% endif %}
-{{ log_output if log_output }}
+{{ log_output if log_output is vyos_defined }}
{{ output }}
{% endmacro %}
# Start with clean NAT table
flush table ip6 nat
-{% if helper_functions == 'remove' %}
+{% if helper_functions is vyos_defined('remove') %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
-{% set base_command = "delete rule ip6 raw" %}
+{% set base_command = 'delete rule ip6 raw' %}
{{base_command}} PREROUTING handle {{ pre_ct_conntrack }}
{{base_command}} OUTPUT handle {{ out_ct_conntrack }}
delete chain ip6 raw NAT_CONNTRACK
-{% elif helper_functions == 'add' %}
+{% elif helper_functions is vyos_defined('add') %}
{# NAT if enabled - add targets to nftables #}
add chain ip6 raw NAT_CONNTRACK
add rule ip6 raw NAT_CONNTRACK counter accept
-{% set base_command = "add rule ip6 raw" %}
+{% set base_command = 'add rule ip6 raw' %}
{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
{% endif %}
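Review bot: Replacing `is defined` with `is vyos_defined` is not a pure rename for valueless nodes: at `{% if config.log is vyos_defined %}` the old test was true whenever the key existed, while the rest of this commit uses `vyos_defined` in place of `is defined and … is not none`, so a `log` key carrying None would presumably no longer produce the log rule. The same applies in the second hunk to `config.disable is not vyos_defined` in both `for` loops, where the effect would be the opposite and more serious: a rule marked disabled would be rendered into the ip6 nat table. Neither the test's definition nor the shape of the config dict is visible here, so this should be confirmed against how valueless nodes are delivered (for example as an empty dict); a template comment such as `{# disable/log are valueless nodes; they must arrive as a non-None value for vyos_defined to see them #}` or a render test with a disabled rule would pin it. Separately, `{% set log = base_log +'-MASQ]' %}` still uses `+` while every other concatenation moved to `~`; `{% set log = base_log ~ '-MASQ]' %}` would match.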
@@ -87,16 +87,16 @@ add rule ip6 raw NAT_CONNTRACK counter accept
#
# Destination NAT66 rules build up here
#
-{% if destination is defined and destination.rule is defined and destination.rule is not none %}
-{% for rule, config in destination.rule.items() if config.disable is not defined %}
+{% if destination.rule is vyos_defined %}
+{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
{{ nptv6_rule(rule, config, 'PREROUTING') }}
{% endfor %}
{% endif %}
#
# Source NAT66 rules build up here
#
-{% if source is defined and source.rule is defined and source.rule is not none %}
-{% for rule, config in source.rule.items() if config.disable is not defined %}
+{% if source.rule is vyos_defined %}
+{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
{{ nptv6_rule(rule, config, 'POSTROUTING') }}
{% endfor %}
{% endif %}