Diffstat (limited to 'data/templates/firewall')
-rw-r--r--data/templates/firewall/nftables-nat.tmpl23
-rw-r--r--data/templates/firewall/nftables-vrf-zones.tmpl17
2 files changed, 40 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
index b80fc1968..40ed1b916 100644
--- a/data/templates/firewall/nftables-nat.tmpl
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -73,6 +73,26 @@
{% set trns_addr = 'return' %}
{% set trns_port = '' %}
{% endif %}
+{# T1083: NAT address and port translation options #}
+{% if config.translation is defined and config.translation.options is defined and config.translation.options is not none %}
+{% if config.translation.options.address_mapping is defined and config.translation.options.address_mapping == "persistent" %}
+{% set trns_opts_addr = 'persistent' %}
+{% endif %}
+{% if config.translation.options.port_mapping is defined %}
+{% if config.translation.options.port_mapping == "random" %}
+{% set trns_opts_port = 'random' %}
+{% elif config.translation.options.port_mapping == "fully-random" %}
+{% set trns_opts_port = 'fully-random' %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% if trns_opts_addr and trns_opts_port %}
+{% set trns_opts = trns_opts_addr + ',' + trns_opts_port %}
+{% elif trns_opts_addr %}
+{% set trns_opts = trns_opts_addr %}
+{% elif trns_opts_port %}
+{% set trns_opts = trns_opts_port %}
+{% endif %}
{% set output = 'add rule ip nat ' + chain + interface %}
{% if protocol != 'all' %}
{% set output = output + ' ip protocol ' + protocol %}
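Review bot: `trns_opts_addr`, `trns_opts_port` and `trns_opts` are only ever assigned inside conditionals, so the tests at `{% if trns_opts_addr and trns_opts_port %}` and, in the second hunk, `{% if trns_opts %}` depend on an unassigned variable evaluating as false; with a strict-undefined environment that is a render error rather than an omitted option, and with a lenient one the intent is invisible to the next reader. The neighbouring `trns_addr`/`trns_port` variables are given explicit defaults in the context above, so the same convention fits here: add `{% set trns_opts_addr = '' %}`, `{% set trns_opts_port = '' %}` and `{% set trns_opts = '' %}` directly under the T1083 comment, before the `if config.translation ...` block. The `fully-random` / `random` / `persistent` keywords are emitted verbatim into the nft rule, which is fine because they are matched against fixed literals first; a one-line comment saying the comma-joined form is nft's flag-list syntax (`random,persistent`) would help whoever maintains this later. The enclosing template logic (the loop or branch that sets `trns_addr`) starts outside this hunk, so whether a stale `trns_opts` from a previous rule could survive into the next one cannot be judged from here; explicit defaults close that question too.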
@@ -104,6 +124,9 @@
{# e.g. 192.0.2.10:3389 #}
{% set output = output + trns_port %}
{% endif %}
+{% if trns_opts %}
+{% set output = output + ' ' + trns_opts %}
+{% endif %}
{% if comment %}
{% set output = output + ' comment "' + comment + '"' %}
{% endif %}
diff --git a/data/templates/firewall/nftables-vrf-zones.tmpl b/data/templates/firewall/nftables-vrf-zones.tmpl
new file mode 100644
index 000000000..eecf47b78
--- /dev/null
+++ b/data/templates/firewall/nftables-vrf-zones.tmpl
@@ -0,0 +1,17 @@
+table inet vrf_zones {
+ # Map of interfaces and connections tracking zones
+ map ct_iface_map {
+ typeof iifname : ct zone
+ }
+ # Assign unique zones for each VRF
+ # Chain for inbound traffic
+ chain vrf_zones_ct_in {
+ type filter hook prerouting priority raw; policy accept;
+ counter ct zone set iifname map @ct_iface_map
+ }
+ # Chain for locally-generated traffic
+ chain vrf_zones_ct_out {
+ type filter hook output priority raw; policy accept;
+ counter ct zone set oifname map @ct_iface_map
+ }
+}
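Review bot: The `ct_iface_map` map is declared with no elements and nothing in this file populates it, so the template is only useful together with whatever runtime code adds `iifname : zone` entries; the comment on the map should say so, e.g. `# Populated at runtime with <interface> : <zone>; interfaces with no entry keep ct zone 0 (no isolation)`, since a lookup miss in `ct zone set iifname map @ct_iface_map` leaves the packet in the default zone rather than failing closed (hedged: verify against the nft map-lookup semantics in use). The comment `# Assign unique zones for each VRF` on the line before `# Chain for inbound traffic` reads as a heading for the chain rather than for the map it describes; moving it above `map ct_iface_map` or merging it into the map comment would be clearer. Both chains hook at `priority raw` deliberately — the zone has to be set before conntrack performs its lookup — and a comment such as `# raw priority: zone must be assigned before conntrack sees the packet` on each `type filter hook ... priority raw` line would stop a future edit from "normalising" it to filter priority and silently breaking the isolation.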