From f0ae034faa74a90ee3c98d31bfd8df2ae0513c7f Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 23 Aug 2023 13:00:27 +0000 Subject: T5472: nat redirect: allow redirection without defining redirected port --- python/vyos/nat.py | 9 ++++++--- smoketest/scripts/cli/test_nat.py | 9 ++++++++- src/conf_mode/nat.py | 2 +- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/python/vyos/nat.py b/python/vyos/nat.py index b6702f7e2..9cbc2b96e 100644 --- a/python/vyos/nat.py +++ b/python/vyos/nat.py @@ -56,10 +56,13 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False): elif 'translation' in rule_conf: addr = dict_search_args(rule_conf, 'translation', 'address') port = dict_search_args(rule_conf, 'translation', 'port') - redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port') - if redirect_port: - translation_output = [f'redirect to {redirect_port}'] + if 'redirect' in rule_conf['translation']: + translation_output = [f'redirect'] + redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port') + if redirect_port: + translation_output.append(f'to {redirect_port}') else: + translation_prefix = nat_type[:1] translation_output = [f'{translation_prefix}nat'] diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py index e6eaedeff..31dfcef87 100755 --- a/smoketest/scripts/cli/test_nat.py +++ b/smoketest/scripts/cli/test_nat.py @@ -244,10 +244,17 @@ class TestNAT(VyOSUnitTestSHIM.TestCase): self.cli_set(dst_path + ['rule', '10', 'inbound-interface', ifname]) self.cli_set(dst_path + ['rule', '10', 'translation', 'redirect', 'port', redirected_port]) + self.cli_set(dst_path + ['rule', '20', 'destination', 'address', dst_addr_1]) + self.cli_set(dst_path + ['rule', '20', 'destination', 'port', dest_port]) + self.cli_set(dst_path + ['rule', '20', 'protocol', protocol]) + self.cli_set(dst_path + ['rule', '20', 'inbound-interface', ifname]) + self.cli_set(dst_path + ['rule', '20', 'translation', 'redirect']) + self.cli_commit() nftables_search = [ - [f'iifname "{ifname}"', f'ip daddr {dst_addr_1}', f'{protocol} dport {dest_port}', f'redirect to :{redirected_port}'] + [f'iifname "{ifname}"', f'ip daddr {dst_addr_1}', f'{protocol} dport {dest_port}', f'redirect to :{redirected_port}'], + [f'iifname "{ifname}"', f'ip daddr {dst_addr_1}', f'{protocol} dport {dest_port}', f'redirect'] ] self.verify_nftables(nftables_search, 'ip vyos_nat') diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index f9d711b36..9da7fbe80 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -224,7 +224,7 @@ def verify(nat): elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces(): Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') - if not dict_search('translation.address', config) and not dict_search('translation.port', config) and not dict_search('translation.redirect.port', config): + if not dict_search('translation.address', config) and not dict_search('translation.port', config) and 'redirect' not in config['translation']: if 'exclude' not in config and 'backend' not in config['load_balance']: raise ConfigError(f'{err_msg} translation requires address and/or port') -- cgit v1.2.3