Diffstat (limited to 'python')
| -rwxr-xr-x | python/vyos/firewall.py | 47 | ||||
| -rw-r--r-- | python/vyos/nat.py | 7 | 
2 files changed, 33 insertions, 21 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index f0cf3c924..b9439d42b 100755
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -53,25 +53,32 @@ def conntrack_required(conf):
 # Domain Resolver
-def fqdn_config_parse(firewall):
-    firewall['ip_fqdn'] = {}
-    firewall['ip6_fqdn'] = {}
-
-    for domain, path in dict_search_recursive(firewall, 'fqdn'):
-        hook_name = path[1]
-        priority = path[2]
-
-        fw_name = path[2]
-        rule = path[4]
-        suffix = path[5][0]
-        set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
-
-        if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
-            firewall['ip_fqdn'][set_name] = domain
-        elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
-            if path[1] == 'name':
-                set_name = f'name6_{priority}_{rule}_{suffix}'
-            firewall['ip6_fqdn'][set_name] = domain
+def fqdn_config_parse(config, node):
+    config['ip_fqdn'] = {}
+    config['ip6_fqdn'] = {}
+
+    for domain, path in dict_search_recursive(config, 'fqdn'):
+        if node != 'nat':
+            hook_name = path[1]
+            priority = path[2]
+
+            rule = path[4]
+            suffix = path[5][0]
+            set_name = f'{hook_name}_{priority}_{rule}_{suffix}'
+
+            if (path[0] == 'ipv4') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+                config['ip_fqdn'][set_name] = domain
+            elif (path[0] == 'ipv6') and (path[1] == 'forward' or path[1] == 'input' or path[1] == 'output' or path[1] == 'name'):
+                if path[1] == 'name':
+                    set_name = f'name6_{priority}_{rule}_{suffix}'
+                config['ip6_fqdn'][set_name] = domain
+        else:
+            # Parse FQDN for NAT
+            nat_direction = path[0]
+            nat_rule = path[2]
+            suffix = path[3][0]
+            set_name = f'{nat_direction}_{nat_rule}_{suffix}'
+            config['ip_fqdn'][set_name] = domain
 def fqdn_resolve(fqdn, ipv6=False):
     try:
@@ -80,8 +87,6 @@ def fqdn_resolve(fqdn, ipv6=False):
     except:
         return None
-# End Domain Resolver
-
 def find_nftables_rule(table, chain, rule_matches=[]):
     # Find rule in table/chain that matches all criteria and return the handle
     results = cmd(f'sudo nft --handle list chain {table} {chain}').split("\n")
diff --git a/python/vyos/nat.py b/python/vyos/nat.py
index e54548788..4fe21ef13 100644
--- a/python/vyos/nat.py
+++ b/python/vyos/nat.py
@@ -236,6 +236,13 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
                 output.append(f'{proto} {prefix}port {operator} @P_{group_name}')
+        if 'fqdn' in side_conf:
+            fqdn = side_conf['fqdn']
+            operator = ''
+            if fqdn[0] == '!':
+                operator = '!='
+            output.append(f' ip {prefix}addr {operator} @FQDN_nat_{nat_type}_{rule_id}_{prefix}')
+
     output.append('counter')
     if 'log' in rule_conf:
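Review bot: The new NAT branch (`else:` block at the end of `fqdn_config_parse`) writes every NAT fqdn into `config['ip_fqdn']` and never into `ip6_fqdn`, so unlike the firewall branch above it does not distinguish address family by `path[0]`; if an fqdn can be configured under an IPv6 NAT tree, that entry would be resolved as an IPv4 set, which I cannot confirm or rule out from this hunk. The set name built here, `{nat_direction}_{nat_rule}_{suffix}`, must also line up with the `@FQDN_nat_{nat_type}_{rule_id}_{prefix}` reference that nat.py now emits; the `nat_` segment is visible only on the consumer side, so confirm the template that renders these sets prepends it. The positional unpacking `path[0]`, `path[2]`, `path[3][0]` encodes an assumed tree shape and deserves a comment such as `# path: [<direction>, 'rule', <id>, 'source'|'destination'] (assumed — verify against the NAT CLI tree)`. Note too that `domain` is stored with any leading `!` intact (nat.py keys negation off that character), so whatever strips it before `fqdn_resolve` for firewall sets has to cover the NAT entries as well, or the NAT set never resolves.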
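Review bot: The added `output.append(f' ip {prefix}addr ...')` hard-codes the IPv4 `ip` selector and ignores the function's `ipv6` parameter, so if an fqdn is ever accepted for an IPv6 NAT rule the rendered rule would use the wrong family and nft would reject it; emitting `ip6` when `ipv6` is true (or rejecting the combination in validation) would close that gap, though this hunk alone does not show whether the CLI permits fqdn there. For a negated fqdn the `!=` match runs against a set that is empty until the resolver fills it and stays empty if the name never resolves, at which point the negated rule matches all traffic — a fail-open that deserves at least a comment like `# empty set + '!=' matches everything; resolver must have populated the set` or a check in the resolver path. `fqdn[0]` raises IndexError on an empty string; `fqdn.startswith('!')` avoids that if the CLI does not already guarantee a non-empty value. `parse_nat_rule` starts and ends outside this hunk.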
