From 43554efc27fcea6703b3b31674a38252434a0f2f Mon Sep 17 00:00:00 2001
From: Ryan Zuwala
Date: Tue, 29 Apr 2025 00:53:53 -0400
Subject: nat66: T7051: add group config node

Add CLI config node for "group" when configuring NAT66 source
Ensure there is only one group in NAT66 source rule config
Add smoketest to cover new group usage in source NAT66 rules
---
 interface-definitions/nat66.xml.in | 1 +
 smoketest/scripts/cli/test_nat66.py | 29 +++++++++++++++++++++++++++++
 src/conf_mode/nat66.py | 4 ++++
 3 files changed, 34 insertions(+)

diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in
index c59725c53..2c1babd5a 100644
--- a/interface-definitions/nat66.xml.in
+++ b/interface-definitions/nat66.xml.in
@@ -53,6 +53,7 @@ #include + #include
diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py
index 52ad8e3ef..d4b5d6aa4 100755
--- a/smoketest/scripts/cli/test_nat66.py
+++ b/smoketest/scripts/cli/test_nat66.py
@@ -227,6 +227,35 @@ class TestNAT66(VyOSUnitTestSHIM.TestCase):
 self.verify_nftables(nftables_search, 'ip6 vyos_nat')
+ def test_source_nat66_network_group(self):
+ address_group = 'smoketest_addr'
+ address_group_member = 'fc00::1'
+ network_group = 'smoketest_net'
+ network_group_member = 'fc00::/64'
+ translation_prefix = 'fc01::/64'
+
+ self.cli_set(['firewall', 'group', 'ipv6-address-group', address_group, 'address', address_group_member])
+ self.cli_set(['firewall', 'group', 'ipv6-network-group', network_group, 'network', network_group_member])
+
+ self.cli_set(src_path + ['rule', '1', 'destination', 'group', 'address-group', address_group])
+ self.cli_set(src_path + ['rule', '1', 'translation', 'address', translation_prefix])
+
+ self.cli_set(src_path + ['rule', '2', 'destination', 'group', 'network-group', network_group])
+ self.cli_set(src_path + ['rule', '2', 'translation', 'address', translation_prefix])
+
+ self.cli_commit()
+
+ nftables_search = [
+ [f'set A6_{address_group}'],
+ [f'elements = {{ {address_group_member} }}'],
+ [f'set N6_{network_group}'],
+ [f'elements = {{ {network_group_member} }}'],
+ ['ip6 daddr', f'@A6_{address_group}', 'snat prefix to fc01::/64'],
+ ['ip6 daddr', f'@N6_{network_group}', 'snat prefix to fc01::/64']
+ ]
+
+ self.verify_nftables(nftables_search, 'ip6 vyos_nat')
+
 def test_nat66_no_rules(self):
 # T3206: deleting all rules but keep the direction 'destination' or
 # 'source' resulteds in KeyError: 'rule'.
diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py
index 95dfae3a5..c65950c9e 100755
--- a/src/conf_mode/nat66.py
+++ b/src/conf_mode/nat66.py
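Review bot: The new test exercises only accepted configurations; the single-group constraint this commit adds to verify() (one of address-group, network-group or domain-group per rule) has no negative case, so a regression that drops the check would still pass the smoketest. A rule that sets both `destination group address-group` and `destination group network-group` should be asserted to fail at commit, using the `with self.assertRaises(ConfigSessionError): self.cli_commit()` pattern if this file already imports it like the other smoketests, and then deleted before the happy-path commit. Separately, the two `'snat prefix to fc01::/64'` entries in nftables_search hard-code the value that `translation_prefix` already holds; `f'snat prefix to {translation_prefix}'` keeps the expectation tied to the input. The surrounding test class starts outside the hunk.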
@@ -92,6 +92,10 @@ def verify(nat):
 if prefix != None:
 if not is_ipv6(prefix):
 raise ConfigError(f'{err_msg} source-prefix not specified')
+
+ if 'destination' in config and 'group' in config['destination']:
+ if len({'address_group', 'network_group', 'domain_group'} & set(config['destination']['group'])) > 1:
+ raise ConfigError('Only one address-group, network-group or domain-group can be specified')
 if dict_search('destination.rule', nat):
 for rule, config in dict_search('destination.rule', nat).items():
--
cgit v1.2.3
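Review bot: The ConfigError raised on the last added line omits the rule identifier that the neighbouring messages prepend through `err_msg` (context line `f'{err_msg} source-prefix not specified'`), so with several source rules the operator cannot tell which one is rejected; `raise ConfigError(f'{err_msg} only one address-group, network-group or domain-group can be specified')` keeps the messages consistent. The guard looks only at `config['destination']`; if the interface definition in this commit also adds a `group` node under `source` (not visible here — the smoketest only sets `destination group`), the same mutual-exclusion check is needed for `config['source']`. Whether a reference to a group that is not defined under `firewall group` is caught before the ruleset is rendered is not visible in this hunk either; if nothing else validates it, the error would surface at nft load rather than at verify time. The enclosing rule loop and verify() itself begin before the hunk.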