Diffstat (limited to 'src')
| -rwxr-xr-x | src/conf_mode/nat.py | 29 | ||||
| -rwxr-xr-x | src/conf_mode/nat66.py | 11 | ||||
| -rwxr-xr-x | src/op_mode/show_nat66_statistics.py | 2 | ||||
| -rwxr-xr-x | src/op_mode/show_nat_statistics.py | 2 | 
4 files changed, 21 insertions, 23 deletions
| diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index e75418ba5..8b1a5a720 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -147,14 +147,10 @@ def verify(nat):
                     Warning(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system')
             addr = dict_search('translation.address', config)
-            if addr != None:
-                if addr != 'masquerade' and not is_ip_network(addr):
-                    for ip in addr.split('-'):
-                        if not is_addr_assigned(ip):
-                            Warning(f'IP address {ip} does not exist on the system!')
-            elif 'exclude' not in config:
-                raise ConfigError(f'{err_msg}\n' \
-                                  'translation address not specified')
+            if addr != None and addr != 'masquerade' and not is_ip_network(addr):
+                for ip in addr.split('-'):
+                    if not is_addr_assigned(ip):
+                        Warning(f'IP address {ip} does not exist on the system!')
             # common rule verification
             verify_rule(config, err_msg)
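Review bot: The merged condition on the first `+` line silently drops the check the old `elif` branch made: a source rule with neither a translation address nor `exclude` no longer raises `translation address not specified` at verify time. Unless the nftables-nat.j2 template handles that case (not visible here), such a rule is rendered as-is and the problem surfaces only as the generic 'Configuration file errors encountered!' from the `nft -c` check in generate(), or not at all if the rendered rule happens to be valid nft syntax with no translation. If dropping the check is intentional, say so in a comment; otherwise keep it after the new `if`: `elif addr is None and 'exclude' not in config: raise ConfigError(f'{err_msg}\ntranslation address not specified')`. Minor: `addr != None` should be `addr is not None`. verify() begins before and continues after this hunk.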
@@ -167,14 +163,8 @@ def verify(nat):
             if 'inbound_interface' not in config:
                 raise ConfigError(f'{err_msg}\n' \
                                   'inbound-interface not specified')
-            else:
-                if config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces():
-                    Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system')
-
-
-            if dict_search('translation.address', config) == None and 'exclude' not in config:
-                raise ConfigError(f'{err_msg}\n' \
-                                  'translation address not specified')
+            elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces():
+                Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system')
             # common rule verification
             verify_rule(config, err_msg)
@@ -193,6 +183,9 @@ def verify(nat):
     return None
 def generate(nat):
+    if not os.path.exists(nftables_nat_config):
+        nat['first_install'] = True
+
     render(nftables_nat_config, 'firewall/nftables-nat.j2', nat)
     render(nftables_static_nat_conf, 'firewall/nftables-static-nat.j2', nat)
@@ -201,7 +194,9 @@ def generate(nat):
     if tmp > 0:
         raise ConfigError('Configuration file errors encountered!')
-    tmp = run(f'nft -c -f {nftables_nat_config}')
+    tmp = run(f'nft -c -f {nftables_static_nat_conf}')
+    if tmp > 0:
+        raise ConfigError('Configuration file errors encountered!')
     return None
diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py
index f64102d88..d8f913b0c 100755
--- a/src/conf_mode/nat66.py
+++ b/src/conf_mode/nat66.py
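Review bot: The new `elif` line keeps the substring test `config['inbound_interface'] not in 'any'`, which is only false when the interface name is a substring of 'any' — an interface named `a`, `an` or `ny` would be treated as the wildcard and skip the existence warning, while everything else behaves as intended; since this is a freshly written line, make it `config['inbound_interface'] != 'any'`. The same hunk also removes the `translation address not specified` ConfigError for destination rules without `exclude`; unless the template handles that case (not visible here), the error now surfaces only as the generic nft syntax failure in generate(), which is harder for the operator to act on. verify() begins before and continues after this hunk.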
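Review bot: `nat['first_install']` in the generate() hunk is derived from whether the rendered file exists on disk, not from whether the nftables table is actually loaded, and the two can diverge: a file left in `/run` after a manual `nft flush ruleset`, or a deleted file while the table is still present, makes the template take the wrong branch, assuming first_install switches between creating and flushing the table (the template is not visible here). A more robust signal is the kernel state, e.g. `nat['first_install'] = run('nft list table ip vyos_nat') != 0` (table name taken from the op_mode change in this commit), or at least a comment stating the assumption that the file's presence tracks the table's existence. generate() continues past this hunk.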
@@ -36,7 +36,7 @@ airbag.enable()
 k_mod = ['nft_nat', 'nft_chain_nat']
-nftables_nat66_config = '/tmp/vyos-nat66-rules.nft'
+nftables_nat66_config = '/run/nftables_nat66.nft'
 ndppd_config = '/run/ndppd/ndppd.conf'
 def get_handler(json, chain, target):
@@ -147,6 +147,9 @@ def verify(nat):
     return None
 def generate(nat):
+    if not os.path.exists(nftables_nat66_config):
+        nat['first_install'] = True
+
     render(nftables_nat66_config, 'firewall/nftables-nat66.j2', nat, permission=0o755)
     render(ndppd_config, 'ndppd/ndppd.conf.j2', nat, permission=0o755)
     return None
@@ -154,15 +157,15 @@ def generate(nat):
 def apply(nat):
     if not nat:
         return None
-    cmd(f'{nftables_nat66_config}')
+
+    cmd(f'nft -f {nftables_nat66_config}')
+
     if 'deleted' in nat or not dict_search('source.rule', nat):
         cmd('systemctl stop ndppd')
         if os.path.isfile(ndppd_config):
             os.unlink(ndppd_config)
     else:
         cmd('systemctl restart ndppd')
-    if os.path.isfile(nftables_nat66_config):
-        os.unlink(nftables_nat66_config)
     return None
diff --git a/src/op_mode/show_nat66_statistics.py b/src/op_mode/show_nat66_statistics.py
index bc81692ae..cb10aed9f 100755
--- a/src/op_mode/show_nat66_statistics.py
+++ b/src/op_mode/show_nat66_statistics.py
@@ -44,7 +44,7 @@ group.add_argument("--destination", help="Show statistics for configured destina
 args = parser.parse_args()
 if args.source or args.destination:
-    tmp = cmd('sudo nft -j list table ip6 nat')
+    tmp = cmd('sudo nft -j list table ip6 vyos_nat')
     tmp = json.loads(tmp)
     source = r"nftables[?rule.chain=='POSTROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }"
diff --git a/src/op_mode/show_nat_statistics.py b/src/op_mode/show_nat_statistics.py
index c568c8305..be41e083b 100755
--- a/src/op_mode/show_nat_statistics.py
+++ b/src/op_mode/show_nat_statistics.py
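Review bot: Unlike nat.py, nat66's generate() still does not validate the rendered rules before apply() loads them, so a template error in `/run/nftables_nat66.nft` is only discovered by the `nft -f` call at apply time, with no ConfigError naming the file that failed. Add the same syntax check after the render calls: `if run(f'nft -c -f {nftables_nat66_config}') > 0: raise ConfigError('Configuration file errors encountered!')` (assuming `run` is importable here as it is in nat.py). The new `first_install` flag is also derived from file presence rather than from whether the `ip6 vyos_nat` table is actually loaded, so a stale or missing file after a manual `nft flush ruleset` makes the flag wrong; a comment stating that assumption, or a check against `nft list table ip6 vyos_nat`, would help. generate() continues past this hunk.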
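Review bot: With apply() now loading the rules through `nft -f` instead of executing the rendered file, the `permission=0o755` passed to render() for the nat66 config in generate() (a context line in the hunk above) is dead weight: the file never needs an executable bit, and since NAT rules reveal internal addressing, `0o644` or `0o600` is the safer mode to leave in `/run`. Removing the `os.unlink` at the end of apply() also means the file now persists between commits, which is presumably what makes `first_install` work; a one-line comment above `cmd(f'nft -f {nftables_nat66_config}')` such as `# rendered file is kept: its presence drives first_install in generate()` would stop someone from reinstating the cleanup later.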
@@ -44,7 +44,7 @@ group.add_argument("--destination", help="Show statistics for configured destina
 args = parser.parse_args()
 if args.source or args.destination:
-    tmp = cmd('sudo nft -j list table ip nat')
+    tmp = cmd('sudo nft -j list table ip vyos_nat')
     tmp = json.loads(tmp)
     source = r"nftables[?rule.chain=='POSTROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }" | 
