From a927192af24079e6d392e5cae0340441490c0091 Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Fri, 1 May 2020 19:25:36 +0200
Subject: nat: T2198: move from iptables to nftables
---
 data/templates/firewall/nftables-nat.tmpl | 43 +++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 data/templates/firewall/nftables-nat.tmpl
(limited to 'data/templates/firewall')
diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl
new file mode 100644
index 000000000..340ab3678
--- /dev/null
+++ b/data/templates/firewall/nftables-nat.tmpl
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft -f
+
+# Start with a "clean" NAT table
+flush table nat
+
+add chain ip raw NAT_CONNTRACK
+add rule ip raw PREROUTING position 25 counter jump VYATTA_CT_HELPER
+add rule ip raw PREROUTING position 17 counter jump NAT_CONNTRACK
+add rule ip raw OUTPUT position 26 counter jump VYATTA_CT_HELPER
+add rule ip raw OUTPUT position 21 counter jump NAT_CONNTRACK
+add rule ip raw NAT_CONNTRACK counter accept
+
+
+{% for r in destination -%}
+{% if r.protocol == 'tcp_udp' %}
+{# Special handling for protocol tcp_udp which is represented as two individual rules #}
+add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
+add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp"
+{% else %}
+add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}"
+{% endif %}
+{% endfor %}
+
+
+{% for r in source -%}
+{% if r.log %}
+{% if r.exclude %}
+{% set value = 'EXCL' %}
+{% elif r.translation_address == 'masquerade' %}
+{% set value = 'MASQ' %}
+{% endif %}
+add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}"
+{% endif %}
+
+{% if r.exclude %}
+{% set value = 'return' %}
+{% elif r.translation_address == 'masquerade' %}
+{% set value = 'masquerade' %}
+{% else %}
+{% set value = 'snat to ' + r.translation_address %}
+{% endif %}
+add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}"
+{% endfor %}
-- 
cgit v1.2.3
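Review bot: Only `flush table nat` resets state, while the `add rule ip raw PREROUTING ... jump NAT_CONNTRACK` / `VYATTA_CT_HELPER` lines near the top of the hunk are appended unconditionally, so every re-render of this template after a configuration change appears to accumulate duplicate jump rules in the `raw` table (and the `position 25`/`17`/`26`/`21` arguments depend on rule handles this file does not create, so their stability is worth confirming). The raw-table setup should be made idempotent, for example by flushing or recreating `NAT_CONNTRACK` and guarding the jump rules, or by moving it to a one-time bootstrap outside this per-commit template. Separately, inside `{% if r.log %}` a plain SNAT rule (neither `exclude` nor `masquerade`) leaves `value` unset, so the log prefix renders as `[NAT-SRC-N-]` with an empty tag; an `{% else %}` branch that assigns `value` for that case is needed. The interpolated fields (`interface_in`, `dest_port`, `translation_address`, `source_address`, ...) are placed into nft syntax unquoted, so a header comment stating that this template relies on the CLI layer having validated those values would help the next reader judge where input checking lives.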