From 40e8938667b06615e0a1a26271a30e00f8cff2c6 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 1 May 2020 13:23:20 +0200
Subject: nat: T2198: initial XML and Python representation

---
 debian/control | 3 +
 .../include/nat-address-port.xml.i | 47 +++++++++
 interface-definitions/include/nat-rule.xml.i | 86 ++++++++++++++++
 .../include/nat-translation-port.xml.i | 13 +++
 interface-definitions/nat.xml.in | 110 +++++++++++++++++++++
 src/conf_mode/nat.py | 63 ++++++++++++
 6 files changed, 322 insertions(+)
 create mode 100644 interface-definitions/include/nat-address-port.xml.i
 create mode 100644 interface-definitions/include/nat-rule.xml.i
 create mode 100644 interface-definitions/include/nat-translation-port.xml.i
 create mode 100644 interface-definitions/nat.xml.in
 create mode 100755 src/conf_mode/nat.py

diff --git a/debian/control b/debian/control
index ab0fc0b29..c8fa8ca63 100644
--- a/debian/control
+++ b/debian/control
@@ -92,6 +92,9 @@ Depends: python3,
  pppoe,
  salt-minion,
  vyos-utils,
+ iptables,
+ nftables,
+ conntrack,
  ${shlibs:Depends},
  ${misc:Depends}
 Description: VyOS configuration scripts and data
diff --git a/interface-definitions/include/nat-address-port.xml.i b/interface-definitions/include/nat-address-port.xml.i
new file mode 100644
index 000000000..0848364ff
--- /dev/null
+++ b/interface-definitions/include/nat-address-port.xml.i
@@ -0,0 +1,47 @@ + + + IP address, subnet, or range + + ipv4 + IPv4 address to match + + + ipv4net + IPv4 prefix to match + + + ipv4range + IPv4 address range to match + + + !ipv4 + Match everything except the specified address + + + !ipv4net + Match everything except the specified prefix + + + !ipv4range + Match everything except the specified range + + + + + + + Port number + + 1-65535 + Numeric IP port + + + start-end + Numbered port range (e.g., 1001-1005) + + + + \n\nMultiple destination ports can be specified as a comma-separated list.\nThe whole list can also be negated using '!'.\nFor example: '!22,telnet,http,123,1001-1005' + + + diff --git a/interface-definitions/include/nat-rule.xml.i b/interface-definitions/include/nat-rule.xml.i new file mode 100644 index 000000000..fdba4b8bd --- /dev/null +++ b/interface-definitions/include/nat-rule.xml.i @@ -0,0 +1,86 @@ + + + Rule number for NAT + + 1-9999 + Number for this NAT rule + + + + + NAT rule number must be between 1 and 9999 + + + + + Rule description + + + + + NAT destination parameters + + + #include + + + + + Disable NAT rule + + + + + + Exclude packets matching this rule from NAT + + + + + + NAT rule logging + + + + + + Protocol to NAT + + tcp udp tcp_udp all + + + tcp + Transmission Control Protocol + + + udp + User Datagram Protocol + + + tcp_udp + Both TCP and UDP + + + all + All IP protocols + + + 0-255 + IP protocol number + + + !<protocol> + All IP protocols except for the specified name or number (negation) + + + + + + NAT source parameters + + + #include + + + + diff --git a/interface-definitions/include/nat-translation-port.xml.i b/interface-definitions/include/nat-translation-port.xml.i new file mode 100644 index 000000000..93de471e3 --- /dev/null +++ b/interface-definitions/include/nat-translation-port.xml.i @@ -0,0 +1,13 @@ + + + Port number + + 1-65535 + Numeric IP port + + + <start>-<end> + Numbered port range (e.g., 1001-1005) + + + 
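Review bot: The match address and port leaves accept negated forms (`!ipv4`, `!ipv4net`, `!ipv4range`, and a `!`-prefixed port list such as `'!22,telnet,http,123,1001-1005'`) as well as ranges, but no constraint or validator is visible for either value in this rendering (the tags appear stripped, so one may exist); without it a malformed value is stored in the configuration and only rejected, if at all, when the rule is later rendered, so a `<constraint>` with a validator for the address forms and a regex for the port list would fail early with a clear message. The `protocol` leaf in nat-rule.xml.i is in the same position, taking `0-255` and `!<protocol>` in addition to the fixed keywords, while only `rule-number` shows an error text (`NAT rule number must be between 1 and 9999`). The port range format is also spelled `start-end` here but `<start>-<end>` in nat-translation-port.xml.i; one spelling for both includes would be cleaner.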
diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in new file mode 100644 index 000000000..bcbdb37af --- /dev/null +++ b/interface-definitions/nat.xml.in @@ -0,0 +1,110 @@ + + + + + Network Address Translation (NAT) parameters + 220 + + + + + Destination NAT settings + + + #include + + + + + Inbound interface of NAT traffic + + + + + + + + Inside NAT IP (destination NAT only) + + + + + IP address, subnet, or range + + ipv4 + IPv4 address to match + + + ipv4net + IPv4 prefix to match + + + ipv4range + IPv4 address range to match + + + + + #include + + + + + + + + + Source NAT settings + + + #include + + + + + Outbound interface of NAT traffic + + + + + + + + Outside NAT IP (source NAT only) + + + + + IP address, subnet, or range + + masquerade + + + ipv4 + IPv4 address to match + + + ipv4net + IPv4 prefix to match + + + ipv4range + IPv4 address range to match + + + masquerade + NAT to the primary address of outbound-interface + + + + + #include + + + + + + + + + diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py new file mode 100755 index 000000000..188445214 --- /dev/null +++ b/src/conf_mode/nat.py 
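Review bot: The three value-help entries for the translation address (`ipv4`, `ipv4net`, `ipv4range`) are written out twice, once under the destination `translation` node ("Inside NAT IP (destination NAT only)") and once under the source one ("Outside NAT IP (source NAT only)"), with `masquerade` added only on the source side; the same three entries also appear in nat-address-port.xml.i. An include alongside the existing nat-translation-port.xml.i would keep the copies in step. The translation address should also be constrained to the literal `masquerade` plus the three plain address forms, not the `!`-negated forms the match address allows, since a negated translation target has no meaning; no constraint is visible in this rendering (tags appear stripped), so this may already be covered.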
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2020 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+from copy import deepcopy
+from sys import exit
+
+from vyos.config import Config
+from vyos import ConfigError
+
+default_config_data = {
+    'source': [],
+    'destination': []
+}
+
+def get_config():
+    nat = deepcopy(default_config_data)
+    conf = Config()
+    base = ['nat']
+    if not conf.exists(base):
+        return None
+    else:
+        conf.set_level(base)
+
+    return nat
+
+def verify(nat):
+    if not nat:
+        return None
+
+    return None
+
+def generate(nat):
+    if not nat:
+        return None
+
+    return None
+
+def apply(nat):
+
+    return None
+
+if __name__ == '__main__':
+    try:
+        c = get_config()
+        verify(c)
+        generate(c)
+        apply(c)
+    except ConfigError as e:
+        print(e)
+        exit(1)
-- 
cgit v1.2.3
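Review bot: `get_config()` returns `None` both when the `nat` tree has never existed and when it has just been deleted, and `verify`, `generate` and `apply` all treat `None` as "nothing to do"; once rule rendering is filled in, deleting the whole `nat` subtree would leave previously installed NAT rules in place. Either return the empty `default_config_data` copy in the not-exists branch so `apply` always reaches the teardown path, or make the contract explicit with a comment such as `# None: NAT tree absent -- apply() must still flush rules installed by an earlier run`. The `else:` after the early `return None` is redundant, and `from sys import exit` shadows the builtin; `import sys` with `sys.exit(1)` is the usual form.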