1 files changed, 87 insertions, 33 deletions

diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index 978c043e9..08e96f10b 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2020-2022 VyOS maintainers and contributors
+# Copyright (C) 2020-2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -25,15 +25,14 @@ from netifaces import interfaces
 
 from vyos.base import Warning
 from vyos.config import Config
-from vyos.configdict import dict_merge
 from vyos.template import render
 from vyos.template import is_ip_network
-from vyos.util import cmd
-from vyos.util import run
-from vyos.util import check_kmod
-from vyos.util import dict_search
-from vyos.validate import is_addr_assigned
-from vyos.xml import defaults
+from vyos.utils.kernel import check_kmod
+from vyos.utils.dict import dict_search
+from vyos.utils.dict import dict_search_args
+from vyos.utils.process import cmd
+from vyos.utils.process import run
+from vyos.utils.network import is_addr_assigned
 from vyos import ConfigError
 
 from vyos import airbag
@@ -47,6 +46,13 @@ else:
 nftables_nat_config = '/run/nftables_nat.conf'
 nftables_static_nat_conf = '/run/nftables_static-nat-rules.nft'
 
+valid_groups = [
+    'address_group',
+    'domain_group',
+    'network_group',
+    'port_group'
+]
+
 def get_handler(json, chain, target):
     """ Get nftable rule handler number of given chain/target combination.
     Handler is required when adding NAT/Conntrack helper targets """
@@ -60,10 +66,11 @@ def get_handler(json, chain, target):
     return None
 
 
-def verify_rule(config, err_msg):
+def verify_rule(config, err_msg, groups_dict):
     """ Common verify steps used for both source and destination NAT """
 
     if (dict_search('translation.port', config) != None or
+        dict_search('translation.redirect.port', config) != None or
         dict_search('destination.port', config) != None or
         dict_search('source.port', config)):
 
@@ -78,6 +85,57 @@ def verify_rule(config, err_msg):
                              'statically maps a whole network of addresses onto another\n' \
                              'network of addresses')
 
+    for side in ['destination', 'source']:
+        if side in config:
+            side_conf = config[side]
+
+            if len({'address', 'fqdn'} & set(side_conf)) > 1:
+                raise ConfigError('Only one of address, fqdn or geoip can be specified')
+
+            if 'group' in side_conf:
+                if len({'address_group', 'network_group', 'domain_group'} & set(side_conf['group'])) > 1:
+                    raise ConfigError('Only one address-group, network-group or domain-group can be specified')
+
+                for group in valid_groups:
+                    if group in side_conf['group']:
+                        group_name = side_conf['group'][group]
+                        error_group = group.replace("_", "-")
+
+                        if group in ['address_group', 'network_group', 'domain_group']:
+                            types = [t for t in ['address', 'fqdn'] if t in side_conf]
+                            if types:
+                                raise ConfigError(f'{error_group} and {types[0]} cannot both be defined')
+
+                        if group_name and group_name[0] == '!':
+                            group_name = group_name[1:]
+
+                        group_obj = dict_search_args(groups_dict, group, group_name)
+
+                        if group_obj is None:
+                            raise ConfigError(f'Invalid {error_group} "{group_name}" on nat rule')
+
+                        if not group_obj:
+                            Warning(f'{error_group} "{group_name}" has no members!')
+
+            if dict_search_args(side_conf, 'group', 'port_group'):
+                if 'protocol' not in config:
+                    raise ConfigError('Protocol must be defined if specifying a port-group')
+
+                if config['protocol'] not in ['tcp', 'udp', 'tcp_udp']:
+                    raise ConfigError('Protocol must be tcp, udp, or tcp_udp when specifying a port-group')
+
+    if 'load_balance' in config:
+        for item in ['source-port', 'destination-port']:
+            if item in config['load_balance']['hash'] and config['protocol'] not in ['tcp', 'udp']:
+                raise ConfigError('Protocol must be tcp or udp when specifying hash ports')
+        count = 0
+        if 'backend' in config['load_balance']:
+            for member in config['load_balance']['backend']:
+                weight = config['load_balance']['backend'][member]['weight']
+                count = count +  int(weight)
+            if count != 100:
+                Warning(f'Sum of weight for nat load balance rule is not 100. You may get unexpected behaviour')
+
 def get_config(config=None):
     if config:
         conf = config
@@ -85,16 +143,9 @@ def get_config(config=None):
         conf = Config()
 
     base = ['nat']
-    nat = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
-
-    # T2665: we must add the tagNode defaults individually until this is
-    # moved to the base class
-    for direction in ['source', 'destination', 'static']:
-        if direction in nat:
-            default_values = defaults(base + [direction, 'rule'])
-            for rule in dict_search(f'{direction}.rule', nat) or []:
-                nat[direction]['rule'][rule] = dict_merge(default_values,
-                    nat[direction]['rule'][rule])
+    nat = conf.get_config_dict(base, key_mangling=('-', '_'),
+                               get_first_key=True,
+                               with_recursive_defaults=True)
 
     # read in current nftable (once) for further processing
     tmp = cmd('nft -j list table raw')
@@ -105,16 +156,20 @@ def get_config(config=None):
     condensed_json = jmespath.search(pattern, nftable_json)
 
     if not conf.exists(base):
-        nat['helper_functions'] = 'remove'
-
-        # Retrieve current table handler positions
-        nat['pre_ct_ignore'] = get_handler(condensed_json, 'PREROUTING', 'VYOS_CT_HELPER')
-        nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK')
-        nat['out_ct_ignore'] = get_handler(condensed_json, 'OUTPUT', 'VYOS_CT_HELPER')
-        nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT', 'NAT_CONNTRACK')
+        if get_handler(condensed_json, 'PREROUTING', 'VYOS_CT_HELPER'):
+            nat['helper_functions'] = 'remove'
+
+            # Retrieve current table handler positions
+            nat['pre_ct_ignore'] = get_handler(condensed_json, 'PREROUTING', 'VYOS_CT_HELPER')
+            nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK')
+            nat['out_ct_ignore'] = get_handler(condensed_json, 'OUTPUT', 'VYOS_CT_HELPER')
+            nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT', 'NAT_CONNTRACK')
         nat['deleted'] = ''
         return nat
 
+    nat['firewall_group'] = conf.get_config_dict(['firewall', 'group'], key_mangling=('-', '_'), get_first_key=True,
+                                    no_tag_node_value_mangle=True)
+
     # check if NAT connection tracking helpers need to be set up - this has to
     # be done only once
     if not get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK'):
@@ -147,7 +202,7 @@ def verify(nat):
                 Warning(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
 
             if not dict_search('translation.address', config) and not dict_search('translation.port', config):
-                if 'exclude' not in config:
+                if 'exclude' not in config and 'backend' not in config['load_balance']:
                     raise ConfigError(f'{err_msg} translation requires address and/or port')
 
             addr = dict_search('translation.address', config)
@@ -157,8 +212,7 @@ def verify(nat):
                         Warning(f'IP address {ip} does not exist on the system!')
 
             # common rule verification
-            verify_rule(config, err_msg)
-
+            verify_rule(config, err_msg, nat['firewall_group'])
 
     if dict_search('destination.rule', nat):
         for rule, config in dict_search('destination.rule', nat).items():
@@ -170,12 +224,12 @@ def verify(nat):
             elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces():
                 Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system')
 
-            if not dict_search('translation.address', config) and not dict_search('translation.port', config):
-                if 'exclude' not in config:
+            if not dict_search('translation.address', config) and not dict_search('translation.port', config) and 'redirect' not in config['translation']:
+                if 'exclude' not in config and 'backend' not in config['load_balance']:
                     raise ConfigError(f'{err_msg} translation requires address and/or port')
 
             # common rule verification
-            verify_rule(config, err_msg)
+            verify_rule(config, err_msg, nat['firewall_group'])
 
     if dict_search('static.rule', nat):
         for rule, config in dict_search('static.rule', nat).items():
@@ -186,7 +240,7 @@ def verify(nat):
                                   'inbound-interface not specified')
 
             # common rule verification
-            verify_rule(config, err_msg)
+            verify_rule(config, err_msg, nat['firewall_group'])
 
     return None