| Age | Commit message (Collapse) | Author |
|---|
|
firewall|nat rules.
|
|
T4839: firewall: Add dynamic address group in firewall configuration
|
|
appropiate commands to populate such groups using source and destination address of the packet.
|
|
deployments in cgnat. (#2694)
|
|
Remove the word "error" from a Warning only message to not irritate the user.
|
|
(valid for interfaces and groups) in firewal, nat and nat66.
|
|
interface-name|interface-group as in firewall.
|
|
/usr/libexec/vyos/conf_mode/nat.py:21: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
from distutils.version import LooseVersion
|
|
firewall, nat, nat66
|
|
while configuring dNAT|sNAT rule
|
|
|
|
|
|
T5319: remove workarounds for incorrect defaults in config-mode scripts
|
|
T5014: nat: add source and destination nat options for configuring lo…
|
|
|
|
|
|
|
|
Change code for new syntax
|
|
balance within a single rule.
|
|
|
|
|
|
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process
* T5195: use read_file and write_file implementation from vyos.utils.file
Changed code automatically using:
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} +
find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} +
* T5195: move chmod* helpers to vyos.utils.permission
* T5195: use colon_separated_to_dict from vyos.utils.dict
* T5195: move is_systemd_service_* to vyos.utils.process
* T5195: fix boot issues with missing imports
* T5195: move dict_search_* helpers to vyos.utils.dict
* T5195: move network helpers to vyos.utils.network
* T5195: move commit_* helpers to vyos.utils.commit
* T5195: move user I/O helpers to vyos.utils.io
|
|
|
|
|
|
|
|
* Rename table to vyos_nat
* Add static NAT smoketest
|
|
* Rename table to vyos_nat
* Refactor tests to use `verify_nftables` format
|
|
|
|
Move nftables nat configuration from /tmp to /run
As we have for other services like firewall, conntrack
Don't remove the config file '/run/nftables_nat.conf' after commit
|
|
Ability to set static NAT (one-to-one) in one rule
set nat static rule 10 destination address '203.0.113.0/24'
set nat static rule 10 inbound-interface 'eth0'
set nat static rule 10 translation address '192.0.2.0/24'
It will be enough for PREROUTING and POSTROUTING rules
Use a separate table 'vyos_static_nat' as SRC/DST rules and
STATIC rules can have the same rule number
|
|
|
|
|
|
Commit bb76e8d7f1635 ("nat: T2199: dry-run newly generated config before
install") added support to verify the generated nftables ruleset. Unfortunately
if the verify failed - a Python exception was triggered:
NameError: name 'nftables_ct_file' is not defined
This was due to bad copy/pasting.
|
|
Before installing a new conntrack policy into the OS Kernel, the new policy
should be verified by nftables if it can be loaded at all or if it will fail
to load. There is no need to load a "bad" configuration if we can pre-test it.
|
|
|
|
|
|
|
|
Support a 1:1 or 1:n prefix translation. The following configuration will NAT
source addresses from the 10.2.0.0/16 range to an address from 192.0.2.0/29.
For this feature to work a Linux Kernel 5.8 or higher is required!
vyos@vyos# show nat
source {
rule 100 {
outbound-interface eth1
source {
address 10.2.0.0/16
}
translation {
address 192.0.2.0/29
}
}
}
This results in the nftables configuration:
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth1" counter packets 0 bytes 0 snat ip prefix to ip saddr map
{ 10.2.0.0/16 : 192.0.2.0/29 } comment "SRC-NAT-100"
}
|
|
|
|
|
|
The NAT system consists out of nested tag nodes which makes manual parsing very
hard. This is a perfect candidate for migrating this to get_config_dict() as
there is already a smoketest in place.
In addition this should make it easier to add features like static nat/hairpin.
|
|
|
|
|
|
|
|
Depending on the underlaying Kernel version load the corresponding Kernel
module.
|
|
|
|
l2tpv3, wireguard, wirelessmodem, nat all require additional Kernel modules
to be present on the system. Each and every interface implemented their own
way of loading a module - by copying code.
Use a generic function, vyos.util.check_kmod() to load any arbitrary kernel
module passed as string or list.
|
|
Rules without a translation address are also valid, they'll modify just
the port and leave the address intact.
This also used to be a valid syntax and it caused an error on upgrade.
|
|
|
|
tested using:
set nat destination rule 399 description 'Redirect DNS iot VLAN'
set nat destination rule 399 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 399 destination port '53'
set nat destination rule 399 inbound-interface bond10.204
set nat destination rule 399 log
set nat destination rule 399 protocol 'tcp_udp'
set nat destination rule 399 translation address '192.168.67.243'
set nat destination rule 399 translation port '53'
set nat destination rule 400 description 'Redirect DNS lan VLAN'
set nat destination rule 400 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 400 destination port '53'
set nat destination rule 400 inbound-interface bond10.204
set nat destination rule 400 log
set nat destination rule 400 protocol 'tcp_udp'
set nat destination rule 400 translation address '192.168.67.243'
set nat destination rule 400 translation port '53'
set nat destination rule 401 description 'Redirect DNS guest VLAN'
set nat destination rule 401 destination address '!192.168.67.243-192.168.67.244'
set nat destination rule 401 destination port '53'
set nat destination rule 401 inbound-interface bond10.204
set nat destination rule 401 log
set nat destination rule 401 protocol 'tcp_udp'
set nat destination rule 401 translation address '192.168.67.243'
set nat destination rule 401 translation port '53'
|
