Age | Commit message | Author |
|
* 'nat-nftables' of github.com:c-po/vyos-1x: (27 commits)
nat: T2198: remove "tcp_udp" from "show nat dest stat"
Debian: add required dependency on systemd
nat: T2198: add common ip-protocol validator
nat: T2198: use Jinja2 macro for common ruleset for SNAT and DNAT
nat: T2198: restructure DNAT template part for less duplicated code
nat: T2198: add support for SNAT based on source addresses
nat: T2198: set default protocol to all to be backwards compatible
nat: T2198: sync generated SNAT rules with VyOS 1.2
nat: T2198: sync generated DNAT rules with VyOS 1.2
nat: T2198: do not run DNAT rule if rule is disabled
nat: T2198: restructure DNAT template
nat: T2198: verify translation address for SNAT and DNAT
nat: T2198: extend verify() for destination ports
nat: T2198: migrate "log enable" node to only "log"
nat: T2198: add protocol completion helper and regex constraint
nat: T2198: migrate "show nat" commands to XML and Python
nat: T2198: add some basic verify() rules
nat: T2198: split nat-address-port include into individual files
nat: T2198: add ipv4-{address,prefix,range}-exclude validators
nat: T2198: add new ipv4-range validator
...
|
It allows IP protocol numbers 0-255, protocol names e.g. tcp, ip, ipv6 and the
negated form with a leading "!".
|
By using a Jinja2 macro the same template code can be used to create both
source and destination NAT rules with only minor changes introduced by
e.g. the used chain (POSTROUTING vs PREROUTING).
Used the following configuration for testing on two systems with VyOS 1.2
and the old implementation vs the new one here.
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 15 translation port '3389'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
set nat source rule 120 outbound-interface 'eth0.202'
set nat source rule 120 protocol 'tcp_udp'
set nat source rule 120 source address '192.0.3.0/26'
set nat source rule 120 translation address '2.2.2.2'
|
Build up only one output rule string by appending the configuration part by
part.
|
CLI commands used for ruleset generation:
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
set nat source rule 110 outbound-interface 'eth0.202'
set nat source rule 110 protocol 'tcp'
set nat source rule 110 source address '192.0.2.0/26'
set nat source rule 110 source port '5556'
set nat source rule 110 translation address 'masquerade'
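The two commits above (the shared Jinja2 macro for SNAT and DNAT, and building one rule string part by part) describe the same idea: one renderer, parameterised only by the chain-specific pieces. The following is an added example of that approach, not VyOS code. It parses the `set nat ...` lines of the kind shown above and emits one nftables rule body per rule; the nft match syntax chosen here and the `SRC-NAT-<n>` / `DST-NAT-<n>` comment strings are assumptions for illustration, not a claim about what VyOS 1.3 emits.

```python
"""Render a VyOS NAT rule into one nftables rule string, built part by part.
Added example, not VyOS code; nft syntax and comment names are assumptions."""
import shlex
from typing import Dict, Optional, Tuple


def parse_nat_cli(lines) -> Dict[Tuple[str, int], dict]:
    """Parse 'set nat <source|destination> rule N ...' lines into rule dicts."""
    rules: Dict[Tuple[str, int], dict] = {}
    for line in lines:
        tokens = shlex.split(line)
        if len(tokens) < 6 or tokens[:2] != ["set", "nat"] or tokens[3] != "rule":
            continue
        kind, number, rest = tokens[2], int(tokens[4]), tokens[5:]
        rule = rules.setdefault((kind, number), {})
        if rest[0] in ("source", "destination", "translation") and len(rest) == 3:
            rule.setdefault(rest[0], {})[rest[1]] = rest[2]   # e.g. 'source address X'
        elif len(rest) == 1:
            rule[rest[0]] = True                              # flags: exclude, log, disable
        else:
            rule[rest[0]] = rest[1]                           # e.g. 'protocol tcp'
    return rules


def _match(keyword: str, value: str) -> str:
    """'keyword value'; a leading '!' on the value becomes nft's '!=' operator."""
    if value.startswith("!"):
        return f"{keyword} != {value[1:]}"
    return f"{keyword} {value}"


def render_nat_rule(kind: str, number: int, rule: dict) -> Optional[str]:
    """nft rule body for one NAT rule, or None when the rule is disabled."""
    if kind == "source":
        iface_key, iface_match, tag = "outbound-interface", "oifname", "SRC"
    elif kind == "destination":
        iface_key, iface_match, tag = "inbound-interface", "iifname", "DST"
    else:
        raise ValueError(f"unknown NAT kind {kind!r}")
    if "disable" in rule:
        return None

    parts = []
    if rule.get(iface_key):
        parts.append(f'{iface_match} "{rule[iface_key]}"')

    proto = rule.get("protocol", "all")          # default 'all' keeps 1.2 behaviour
    if proto == "tcp_udp":
        parts.append("meta l4proto { tcp, udp }")
    elif proto != "all":
        parts.append(_match("ip protocol", proto))

    for side, keyword in (("source", "ip saddr"), ("destination", "ip daddr")):
        if rule.get(side, {}).get("address"):
            parts.append(_match(keyword, rule[side]["address"]))

    for side, keyword in (("source", "sport"), ("destination", "dport")):
        port = rule.get(side, {}).get("port")
        if not port:
            continue
        if proto in ("tcp", "udp"):
            parts.append(_match(f"{proto} {keyword}", port))
        elif proto == "tcp_udp":
            parts.append(_match(f"th {keyword}", port))     # after meta l4proto above
        else:
            raise ValueError(f"{side} port requires protocol tcp, udp or tcp_udp")

    if "log" in rule:
        parts.append(f'log prefix "[{tag}-NAT-{number}]"')
    parts.append("counter")

    if "exclude" in rule:
        parts.append("return")                   # excluded traffic is never translated
    else:
        trans = rule.get("translation", {})
        addr, port = trans.get("address"), trans.get("port")
        if not addr:
            raise ValueError("translation address is required")
        if addr == "masquerade":
            if kind != "source":
                raise ValueError("masquerade is only valid for source NAT")
            parts.append("masquerade" + (f" to :{port}" if port else ""))
        else:
            verb = "snat" if kind == "source" else "dnat"
            parts.append(f"{verb} to {addr}" + (f":{port}" if port else ""))
    parts.append(f'comment "{tag}-NAT-{number}"')
    return " ".join(parts)


# Constructed sample: the two source rules from the commit message above.
SAMPLE_CLI = [
    "set nat source rule 100 outbound-interface 'eth0.202'",
    "set nat source rule 100 protocol 'all'",
    "set nat source rule 100 source address '192.0.2.0/26'",
    "set nat source rule 100 translation address 'masquerade'",
    "set nat source rule 110 outbound-interface 'eth0.202'",
    "set nat source rule 110 protocol 'tcp'",
    "set nat source rule 110 source address '192.0.2.0/26'",
    "set nat source rule 110 source port '5556'",
    "set nat source rule 110 translation address 'masquerade'",
]

if __name__ == "__main__":
    for (kind, number), rule in sorted(parse_nat_cli(SAMPLE_CLI).items()):
        print(kind, number, "->", render_nat_rule(kind, number, rule))
```

Only the interface keyword, the translation verb and the comment tag depend on `kind`; everything else (protocol, address, port, log, counter, exclude) is the shared path, which is exactly what the macro buys in the template. Disabled rules return `None` so the caller emits nothing for them.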
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3. This was done by converting the 1.2 iptables ruleset to
nftables and then doing the diff. To convert from iptables to nftables use the
following commands:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat source rule 10 description 'foo-10'
set nat source rule 10 destination address '1.1.1.1'
set nat source rule 10 destination port '1111'
set nat source rule 10 exclude
set nat source rule 10 log 'enable'
set nat source rule 10 outbound-interface 'eth0.202'
set nat source rule 10 protocol 'tcp_udp'
set nat source rule 10 translation address '192.0.2.10'
set nat source rule 15 description 'foo-10'
set nat source rule 15 destination address '1.1.1.1'
set nat source rule 15 exclude
set nat source rule 15 log 'enable'
set nat source rule 15 outbound-interface 'eth0.202'
set nat source rule 15 protocol 'tcp_udp'
set nat source rule 15 translation address '192.0.2.10'
set nat source rule 20 description 'foo-20'
set nat source rule 20 destination address '2.2.2.2'
set nat source rule 20 log 'enable'
set nat source rule 20 outbound-interface 'eth0.201'
set nat source rule 20 protocol 'tcp'
set nat source rule 20 translation address '192.0.2.10'
set nat source rule 100 outbound-interface 'eth0.202'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.0.2.0/26'
set nat source rule 100 translation address 'masquerade'
|
The generated NAT rules in VyOS 1.2 are compared to the generated nftables
ruleset in VyOS 1.3. This was done by converting the 1.2 iptables ruleset to
nftables and then doing the diff. To convert from iptables to nftables use the
following commands:
$ iptables-save -t nat > /tmp/tmp.iptables
$ iptables-restore-translate -f /tmp/tmp.iptables
The following CLI options have been used for testing:
set nat destination rule 10 description 'foo-10'
set nat destination rule 10 destination address '1.1.1.1'
set nat destination rule 10 destination port '1111'
set nat destination rule 10 exclude
set nat destination rule 10 inbound-interface 'eth0.202'
set nat destination rule 10 log
set nat destination rule 10 protocol 'tcp_udp'
set nat destination rule 10 translation address '192.0.2.10'
set nat destination rule 15 description 'foo-10'
set nat destination rule 15 destination address '1.1.1.1'
set nat destination rule 15 exclude
set nat destination rule 15 inbound-interface 'eth0.202'
set nat destination rule 15 log
set nat destination rule 15 protocol 'tcp_udp'
set nat destination rule 15 translation address '192.0.2.10'
set nat destination rule 20 description 'foo-20'
set nat destination rule 20 destination address '2.2.2.2'
set nat destination rule 20 inbound-interface 'eth0.201'
set nat destination rule 20 log
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '192.0.2.10'
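The comparison procedure in this commit and in the SNAT commit above (translate the 1.2 iptables ruleset with `iptables-restore-translate`, then diff it against the 1.3 nftables ruleset) does not diff cleanly as-is: `nft list table ip nat` prints block syntax with live counters, while the translator prints flat `add rule` lines. The following added example (not part of the commit) normalises both into the same line form and reports what is only in one side. The two listings embedded in it are constructed samples in the shape of the tools' output; the `comment "SRC-NAT-..."` strings on the 1.3 side are an assumption about the new template.

```python
"""Diff a translated VyOS 1.2 NAT ruleset against a 1.3 'nft list table' listing.
Added example; the sample listings are constructed, not captured output."""
import re
from typing import List, Tuple


def rules_from_translate(text: str) -> List[str]:
    """iptables-restore-translate output: keep the 'add rule ...' lines only."""
    return [l.strip() for l in text.splitlines() if l.strip().startswith("add rule ")]


def rules_from_nft_list(text: str) -> List[str]:
    """nft list table output: flatten block syntax into 'add rule <family> <table> <chain> <expr>'."""
    rules: List[str] = []
    family = table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"table (\S+) (\S+) \{", line)
        if m:
            family, table = m.groups()
            continue
        m = re.match(r"chain (\S+) \{", line)
        if m:
            chain = m.group(1)
            continue
        if line == "}":
            chain = None                       # end of a chain (or of the table)
            continue
        if not line or chain is None or line.startswith("type "):
            continue                           # blank, outside a chain, or the hook/policy line
        rules.append(f"add rule {family} {table} {chain} {line}")
    return rules


def normalise(rule: str) -> str:
    """Strip what legitimately differs between the two listings."""
    rule = re.sub(r"\s*# handle \d+$", "", rule)                    # 'nft -a' handles
    rule = re.sub(r"counter packets \d+ bytes \d+", "counter", rule)  # live counters
    rule = re.sub(r' comment "[^"]*"', "", rule)                     # assumed 1.3 rule comments
    return re.sub(r"\s+", " ", rule).strip()


def diff_rulesets(translated_12: str, listed_13: str) -> Tuple[List[str], List[str]]:
    """(rules only in 1.2, rules only in 1.3) after normalisation."""
    old = {normalise(r) for r in rules_from_translate(translated_12)}
    new = {normalise(r) for r in rules_from_nft_list(listed_13)}
    return sorted(old - new), sorted(new - old)


# Constructed sample: what 'iptables-restore-translate -f /tmp/tmp.iptables' prints on 1.2.
OLD_TRANSLATED = """\
# Translated by iptables-restore-translate (constructed sample)
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add rule ip nat POSTROUTING oifname "eth0.202" ip saddr 192.0.2.0/26 counter masquerade
add rule ip nat POSTROUTING oifname "eth0.202" ip saddr 192.0.2.0/26 tcp sport 5556 counter masquerade
"""

# Constructed sample: 'nft list table ip nat' on 1.3, with one extra rule (120) not present on 1.2.
NEW_LISTED = """\
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0.202" ip saddr 192.0.2.0/26 counter packets 12 bytes 960 masquerade comment "SRC-NAT-100"
        oifname "eth0.202" ip saddr 192.0.2.0/26 tcp sport 5556 counter packets 0 bytes 0 masquerade comment "SRC-NAT-110"
        oifname "eth0.202" ip saddr 192.0.3.0/26 counter packets 0 bytes 0 snat to 2.2.2.2 comment "SRC-NAT-120"
    }
}
"""

if __name__ == "__main__":
    only_old, only_new = diff_rulesets(OLD_TRANSLATED, NEW_LISTED)
    for r in only_old:
        print("- (1.2 only)", r)
    for r in only_new:
        print("+ (1.3 only)", r)
```

On real systems feed `diff_rulesets()` the output of the two commands quoted in the commit on the 1.2 box and of `nft list table ip nat` on the 1.3 box. An empty pair means the rule semantics match; anything left over is a genuine difference (a missing match, a changed translation), not counter noise.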
|
Make the entire template more maintainable
|
Destination NAT configuration: destination ports can only be specified when
protocol is tcp, udp or tcp_udp.
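The check stated above (a destination port is only meaningful when the protocol is tcp, udp or tcp_udp) is the kind of rule a `verify()` stage rejects at commit time rather than letting nft fail later with a less helpful error. The following is an added example of such a verify step, not the project's own `verify()`. Beyond the stated rule it applies the same constraint to source ports and translation ports and checks the translation address (as the "verify translation address" commit in this series does); the accepted translation forms (`masquerade`, an IPv4 address, a prefix, or a `first-last` range) are an assumption about the CLI.

```python
"""Commit-time checks for one VyOS NAT rule; added example, not the project's verify()."""
import ipaddress


class ConfigError(Exception):
    """Raised for an invalid rule; the caller aborts the commit with the message."""


PORT_PROTOCOLS = ("tcp", "udp", "tcp_udp")


def _valid_translation_target(value: str) -> bool:
    """IPv4 address, prefix, or 'first-last' range (assumed CLI forms)."""
    try:
        if "-" in value:
            low, high = (ipaddress.IPv4Address(p) for p in value.split("-", 1))
            return low <= high
        ipaddress.IPv4Network(value, strict=False)   # a plain address is a /32
        return True
    except ValueError:
        return False


def verify_nat_rule(kind: str, number: int, rule: dict) -> None:
    """Raise ConfigError on the first problem found in the rule."""
    where = f"{kind} NAT rule {number}"
    proto = rule.get("protocol", "all")
    for side in ("source", "destination"):
        if rule.get(side, {}).get("port") and proto not in PORT_PROTOCOLS:
            raise ConfigError(f"{where}: {side} port requires protocol tcp, udp or tcp_udp")
    if "exclude" in rule:
        return                                       # excluded traffic is not translated
    trans = rule.get("translation", {})
    addr = trans.get("address")
    if not addr:
        raise ConfigError(f"{where}: translation address is required")
    if addr == "masquerade":
        if kind != "source":
            raise ConfigError(f"{where}: masquerade is only valid for source NAT")
    elif not _valid_translation_target(addr):
        raise ConfigError(f"{where}: invalid translation address {addr!r}")
    if trans.get("port") and proto not in PORT_PROTOCOLS:
        raise ConfigError(f"{where}: translation port requires protocol tcp, udp or tcp_udp")


def verify_all(rules: dict) -> list:
    """Verify {(kind, number): rule}; collect messages instead of stopping at the first."""
    errors = []
    for (kind, number), rule in sorted(rules.items()):
        try:
            verify_nat_rule(kind, number, rule)
        except ConfigError as err:
            errors.append(str(err))
    return errors


if __name__ == "__main__":
    # Constructed sample: rule 20 from the commit message, with the 'protocol tcp' line left out.
    sample = {("destination", 20): {"inbound-interface": "eth0.201",
                                    "destination": {"address": "2.2.2.2", "port": "22"},
                                    "translation": {"address": "192.0.2.10"}}}
    for msg in verify_all(sample):
        print(msg)
```

The port checks run before the `exclude` short-cut on purpose: an exclude rule still matches on ports, so a port without a matching protocol is just as wrong there.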
|
- "show nat source|destination statistics" is now implemented in Python
- "show nat source|destination rules" needs a new implementation, see T2459
- "show nat source|destination translations" has been copied over from the old
repo and is here until it is rewritten; this was not possible for "rules",
as there would have been too many dependencies. This one only requires
libxml-simple-perl.
|
Exclude validators are required to support the ! (not) operator on the CLI to
exclude addresses from NAT.
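The `!` prefix handled by the exclude validators above, the ip-protocol validator earlier in this series (numbers 0-255, protocol names, negated form) and the new ipv4-range validator all fit one pattern: a plain validator plus a wrapper that strips exactly one leading `!`. The following added example (not the project's validators) shows that pattern across all three value types. Protocol names are read from `/etc/protocols` when that file exists, falling back to a built-in subset; where the real name list lives is an assumption.

```python
"""CLI value validators with the '!' (exclude) prefix; added example, not VyOS code."""
import ipaddress
import os
from typing import Callable, Set

FALLBACK_PROTOCOLS = {"ip", "icmp", "igmp", "tcp", "udp", "gre", "esp", "ah",
                      "ipv6", "ipv6-icmp", "sctp"}


def load_protocol_names(path: str = "/etc/protocols") -> Set[str]:
    """Names and aliases from /etc/protocols (assumed source), merged with the fallback set."""
    names = set(FALLBACK_PROTOCOLS)
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                fields = line.split("#", 1)[0].split()
                if len(fields) >= 2 and fields[1].isdecimal():
                    names.add(fields[0].lower())
                    names.update(f.lower() for f in fields[2:])
    return names


PROTOCOL_NAMES = load_protocol_names()


def validate_ip_protocol(value: str) -> bool:
    """0-255 or a known protocol name (case-insensitive)."""
    if value.isdecimal():
        return int(value) <= 255
    return value.lower() in PROTOCOL_NAMES


def validate_ipv4_address(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def validate_ipv4_prefix(value: str) -> bool:
    """Requires an explicit '/len'; host bits may be set (strict=False)."""
    if "/" not in value:
        return False
    try:
        ipaddress.IPv4Network(value, strict=False)
        return True
    except ValueError:
        return False


def validate_ipv4_range(value: str) -> bool:
    """'first-last' with first strictly below last."""
    try:
        first, last = value.split("-")            # exactly one dash
        low, high = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    except ValueError:
        return False
    return low < high


def negatable(validator: Callable[[str], bool]) -> Callable[[str], bool]:
    """Exclude variant: accept one leading '!' and validate the rest.
    '!!x' deliberately fails, because the inner validator sees '!x'."""
    def exclude_validator(value: str) -> bool:
        if value.startswith("!"):
            value = value[1:]
        return validator(value)
    return exclude_validator


validate_ip_protocol_exclude = negatable(validate_ip_protocol)
validate_ipv4_address_exclude = negatable(validate_ipv4_address)
validate_ipv4_prefix_exclude = negatable(validate_ipv4_prefix)
validate_ipv4_range_exclude = negatable(validate_ipv4_range)

if __name__ == "__main__":
    for v in ("tcp", "!tcp", "255", "256", "!!tcp"):
        print(f"{v:>6}: {validate_ip_protocol_exclude(v)}")
    for v in ("192.0.2.10-192.0.2.20", "!192.0.2.10-192.0.2.20", "192.0.2.20-192.0.2.10"):
        print(f"{v}: {validate_ipv4_range_exclude(v)}")
```

Keeping negation in the wrapper rather than in each validator means the exclude variants cannot drift from the plain ones, and the template that renders `!` as nft's `!=` can trust that at most one `!` ever reaches it.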
|
When instantiating NAT it is required to install some nftables jump targets.
The targets need to be added after a specific other target, thus we need to
dynamically query the handler number. This is done by get_handler() which could
be moved to vyos.util at a later point in time so it can be reused for a
firewall rewrite.
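Rule handles are only printed by `nft -a`, so "add the jump after a specific other rule" means: list the chain with handles, find the anchor rule's handle, then add the new rule with `position <handle>`, which nft documents as placing the rule after the one carrying that handle. The following is an added example of that lookup (it is not the commit's `get_handler()`), including the idempotency check a config script needs so a re-commit does not install the jump twice. The listing embedded below is a constructed sample of `nft -a list chain` output and its chain names are hypothetical.

```python
"""Locate a rule's nft handle and build the 'add rule ... position' command
that installs a jump target right after it. Added example, not VyOS code."""
import re
import subprocess
from typing import Callable, List, Optional

# A rule line in 'nft -a' output ends with '# handle N'; chain/table headers do too.
HANDLE_RE = re.compile(r"^\s*(?P<body>.*?\S)\s+# handle (?P<handle>\d+)\s*$")


def list_chain(family: str, table: str, chain: str) -> str:
    """Run 'nft -a list chain' (needs root); tests substitute a fixture string instead."""
    return subprocess.run(["nft", "-a", "list", "chain", family, table, chain],
                          check=True, capture_output=True, text=True).stdout


def find_rule_handle(listing: str, matches: Callable[[str], bool]) -> Optional[int]:
    """Handle of the first rule whose text satisfies matches(); headers ('... {') are skipped."""
    for line in listing.splitlines():
        m = HANDLE_RE.match(line)
        if not m or m.group("body").endswith("{"):
            continue
        if matches(m.group("body")):
            return int(m.group("handle"))
    return None


def jump_after(listing: str, family: str, table: str, chain: str,
               anchor: str, target: str) -> Optional[List[str]]:
    """Command that adds 'jump <target>' after the rule containing <anchor>,
    or None when a jump to <target> is already present in the chain."""
    has_jump = re.compile(rf"\bjump {re.escape(target)}(\s|$)")
    if find_rule_handle(listing, lambda body: bool(has_jump.search(body))) is not None:
        return None
    handle = find_rule_handle(listing, lambda body: anchor in body)
    if handle is None:
        raise LookupError(f"no rule matching {anchor!r} in {family} {table} {chain}")
    return ["nft", "add", "rule", family, table, chain,
            "position", str(handle), "counter", "jump", target]


# Constructed sample of 'nft -a list chain ip nat PREROUTING'; chain names are hypothetical.
SAMPLE_LISTING = """\
table ip nat { # handle 3
    chain PREROUTING { # handle 1
        type nat hook prerouting priority dstnat; policy accept;
        counter packets 4 bytes 240 jump PRE_DNAT_HOOK # handle 5
        counter packets 4 bytes 240 jump DNAT # handle 6
    }
}
"""

if __name__ == "__main__":
    cmd = jump_after(SAMPLE_LISTING, "ip", "nat", "PREROUTING", "jump PRE_DNAT_HOOK", "DNAT_LOG")
    print(" ".join(cmd) if cmd else "jump already installed")
```

Two details matter in practice: the header lines (`table ... {`, `chain ... {`) also carry handles and must be skipped, and a bare substring test for `jump DNAT` would also match `jump DNAT_HOOK`, so the presence check uses a word-bounded pattern. Handles change when rules are deleted and re-added, so always list immediately before adding rather than caching them.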
|
T2467: Restarting of service needs a sudo
|
T2267: Versioning: Update version tag from GIT repo
|
flow-accounting: T2456: Replace old function
|
T2449: Fixing key to appropriate one
|
Commit 9e5c6a935e2f55 ("tunnel: T2449: set accept_ra=2 if ipv6 address autoconf
or dhcpv6 is set") referenced wrong key in dict.
|
T2449: set 'accept_ra=2' if 'address dhcpv6' or 'ipv6 address autoconf' is set
|
Currently accept_ra was set to 0 if 'address dhcpv6' was set on an
interface. This is wrong, as without RA, the system will get no routes
to the DHCPv6-obtained prefix.
Since the logic for accept_ra was moved to the interface scripts,
it can be removed from the dhclient code.
|
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2
(default for accept_ra is 1).
|
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2
(default for accept_ra is 1).
|
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2
(default for accept_ra is 1).
|
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2
(default for accept_ra is 1).
|
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2
(default for accept_ra is 1).
|
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2
(default for accept_ra is 1).
|