From 40e8938667b06615e0a1a26271a30e00f8cff2c6 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 1 May 2020 13:23:20 +0200 Subject: nat: T2198: initial XML and Python representation --- debian/control | 3 +++ 1 file changed, 3 insertions(+) (limited to 'debian/control') diff --git a/debian/control b/debian/control index ab0fc0b29..c8fa8ca63 100644 --- a/debian/control +++ b/debian/control @@ -92,6 +92,9 @@ Depends: python3, pppoe, salt-minion, vyos-utils, + iptables, + nftables, + conntrack, ${shlibs:Depends}, ${misc:Depends} Description: VyOS configuration scripts and data -- cgit v1.2.3 From a927192af24079e6d392e5cae0340441490c0091 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 1 May 2020 19:25:36 +0200 Subject: nat: T2198: move from iptables to nftables --- data/templates/firewall/nftables-nat.tmpl | 43 +++++++++++++++++++++++++++++++ data/templates/nat/iptables-restore.tmpl | 38 --------------------------- debian/control | 1 - src/conf_mode/nat.py | 17 +++++++++--- 4 files changed, 56 insertions(+), 43 deletions(-) create mode 100644 data/templates/firewall/nftables-nat.tmpl delete mode 100644 data/templates/nat/iptables-restore.tmpl (limited to 'debian/control') diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl new file mode 100644 index 000000000..340ab3678 --- /dev/null +++ b/data/templates/firewall/nftables-nat.tmpl @@ -0,0 +1,43 @@ +#!/usr/sbin/nft -f + +# Start with a "clean" NAT table +flush table nat + +add chain ip raw NAT_CONNTRACK +add rule ip raw PREROUTING position 25 counter jump VYATTA_CT_HELPER +add rule ip raw PREROUTING position 17 counter jump NAT_CONNTRACK +add rule ip raw OUTPUT position 26 counter jump VYATTA_CT_HELPER +add rule ip raw OUTPUT position 21 counter jump NAT_CONNTRACK +add rule ip raw NAT_CONNTRACK counter accept + + +{% for r in destination -%} +{% if r.protocol == 'tcp_udp' %} +{# Special handling for protocol tcp_udp which is represented as two individual rules #} +add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp" +add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp" +{% else %} +add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}" +{% endif %} +{% endfor %} + + +{% for r in source -%} +{% if r.log %} +{% if r.exclude %} +{% set value = 'EXCL' %} +{% elif r.translation_address == 'masquerade' %} +{% set value = 'MASQ' %} +{% endif %} +add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}" +{% endif %} + +{% if r.exclude %} +{% set value = 'return' %} +{% elif r.translation_address == 'masquerade' %} +{% set value = 'masquerade' %} +{% else %} +{% set value = 'snat to ' + r.translation_address %} +{% endif %} +add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}" +{% endfor %} diff --git a/data/templates/nat/iptables-restore.tmpl b/data/templates/nat/iptables-restore.tmpl deleted file mode 100644 index f20a05719..000000000 --- a/data/templates/nat/iptables-restore.tmpl +++ /dev/null @@ -1,38 +0,0 @@ -### Autogenerated by nat.py ### - -*nat -:PREROUTING ACCEPT [0:0] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -:POSTROUTING ACCEPT [0:0] -:VYATTA_PRE_DNAT_HOOK - [0:0] -:VYATTA_PRE_SNAT_HOOK - [0:0] --A PREROUTING -j VYATTA_PRE_DNAT_HOOK -{% for r in destination -%} -{% if (',' in r.dest_port) or ('-' in r.dest_port) %} - -{% if r.protocol == 'tcp_udp' %} -# protocol has been tcp_udp - create two distinct rules --A PREROUTING -i {{ r.interface_in }} -p tcp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} --A PREROUTING -i {{ r.interface_in }} -p udp -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} -{% else %} --A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m multiport --dports {{ r.dest_port | replace('-', ':') }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} -{%- endif %} - -{% else %} - -{% if r.protocol == 'tcp_udp' %} -# protocol has been tcp_udp - create two distinct rules --A PREROUTING -i {{ r.interface_in }} -p tcp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} --A PREROUTING -i {{ r.interface_in }} -p udp -m {{ r.protocol }} --dports {{ r.dest_port }} -m comment --comment "DST-NAT-{{ r.number }} tcp_udp" -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} -{% else %} --A PREROUTING -i {{ r.interface_in }} -p {{ r.protocol }} -m {{ r.protocol }} --dport {{ r.dest_port }} -m comment --comment DST-NAT-{{ r.number }} -j DNAT --to-destination {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} -{% endif %} - -{%- endif %} - -{% endfor %} --A POSTROUTING -j VYATTA_PRE_SNAT_HOOK --A VYATTA_PRE_DNAT_HOOK -j RETURN --A VYATTA_PRE_SNAT_HOOK -j RETURN -COMMIT diff --git a/debian/control b/debian/control index c8fa8ca63..2aaca13ba 100644 --- a/debian/control +++ b/debian/control @@ -92,7 +92,6 @@ Depends: python3, pppoe, salt-minion, vyos-utils, - iptables, nftables, conntrack, ${shlibs:Depends}, diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index b4e8c2053..2e866fdf4 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -14,6 +14,8 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import os + from copy import deepcopy from sys import exit from netifaces import interfaces @@ -28,7 +30,14 @@ default_config_data = { 'destination': [] } -iptables_nat_config = '/tmp/iptables_nat_config' +iptables_nat_config = '/tmp/vyos-nat-rules.nft' + +def _check_kmod(): + modules = ['nft_nat', 'nft_chain_nat_ipv4'] + for module in modules: + if not os.path.exists(f'/sys/module/{module}'): + if call(f'modprobe {module}') != 0: + raise ConfigError(f'Loading Kernel module {module} failed') def parse_source_destination(conf, source_dest): """ Common wrapper to read in both NAT source and destination CLI """ @@ -128,19 +137,19 @@ def generate(nat): if not nat: return None - render(iptables_nat_config, 'nat/iptables-restore.tmpl', nat, trim_blocks=True) + render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755) return None def apply(nat): if not nat: return None - call(f'iptables-restore --test < {iptables_nat_config}') - + call(f'{iptables_nat_config}') return None if __name__ == '__main__': try: + _check_kmod() c = get_config() verify(c) generate(c) -- cgit v1.2.3 From 1c6ae6f7e7cf30d9598d2886bb3d2c34685a2c8c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 11 May 2020 18:58:05 +0200 Subject: nat: T2198: automatically determine handler numbers When instantiating NAT it is required to isntall some nftable jump targets. The targets need to be added after a specific other target thus we need to dynamically query the handler number. This is done by get_handler() which could be moved to vyos.util at a later point in time so it can be reused for a firewall rewrite. --- data/templates/firewall/nftables-nat.tmpl | 19 ++++++++++--- debian/control | 2 +- src/conf_mode/nat.py | 45 ++++++++++++++++++++++++++++--- 3 files changed, 58 insertions(+), 8 deletions(-) (limited to 'debian/control') diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 340ab3678..343807e79 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -3,11 +3,22 @@ # Start with a "clean" NAT table flush table nat +{% for rule in init_deinit -%} +# Add or remove conntrack helper rules for NAT operation- +{{ rule }} +{% endfor %} + add chain ip raw NAT_CONNTRACK -add rule ip raw PREROUTING position 25 counter jump VYATTA_CT_HELPER -add rule ip raw PREROUTING position 17 counter jump NAT_CONNTRACK -add rule ip raw OUTPUT position 26 counter jump VYATTA_CT_HELPER -add rule ip raw OUTPUT position 21 counter jump NAT_CONNTRACK + +# insert rule after VYATTA_CT_IGNORE +add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER +# insert rule after VYATTA_CT_PREROUTING_HOOK +add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK +# insert rule after VYATTA_CT_IGNORE +add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER +# insert rule after VYATTA_CT_PREROUTING_HOOK +add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK + add rule ip raw NAT_CONNTRACK counter accept diff --git a/debian/control b/debian/control index 2aaca13ba..609f46e4d 100644 --- a/debian/control +++ b/debian/control @@ -92,7 +92,7 @@ Depends: python3, pppoe, salt-minion, vyos-utils, - nftables, + nftables (>= 0.9.3), conntrack, ${shlibs:Depends}, ${misc:Depends} diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index 2e866fdf4..128e2469c 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -14,6 +14,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import json import os from copy import deepcopy @@ -21,24 +22,53 @@ from sys import exit from netifaces import interfaces from vyos.config import Config -from vyos.util import call from vyos.template import render +from vyos.util import call, cmd from vyos import ConfigError default_config_data = { - 'source': [], - 'destination': [] + 'prerouting_ct_helper': '', + 'prerouting_ct_conntrack': '', + 'output_ct_helper': '', + 'output_ct_conntrack': '', + 'destination': [], + 'source': [] } iptables_nat_config = '/tmp/vyos-nat-rules.nft' def _check_kmod(): + """ load required Kernel modules """ modules = ['nft_nat', 'nft_chain_nat_ipv4'] for module in modules: if not os.path.exists(f'/sys/module/{module}'): if call(f'modprobe {module}') != 0: raise ConfigError(f'Loading Kernel module {module} failed') + +def get_handler(chain, target): + """ Get handler number of given chain/target combination. Handler is + required when adding NAT/Conntrack helper targets """ + tmp = json.loads(cmd('nft -j list table raw')) + for rule in tmp.get('nftables'): + # We're only interested in rules - not chains + if not 'rule' in rule.keys(): + continue + + # Search for chain of interest + if rule['rule']['chain'] == chain: + for expr in rule['rule']['expr']: + # We're only interested in jump targets + if not 'jump' in expr.keys(): + continue + + # Search for target of interest + if expr['jump']['target'] == target: + return rule['rule']['handle'] + + return None + + def parse_source_destination(conf, source_dest): """ Common wrapper to read in both NAT source and destination CLI """ tmp = [] @@ -114,6 +144,11 @@ def get_config(): else: conf.set_level(['nat']) + nat['pre_ct_ignore'] = get_handler('PREROUTING', 'VYATTA_CT_IGNORE') + nat['pre_ct_conntrack'] = get_handler('PREROUTING', 'VYATTA_CT_PREROUTING_HOOK') + nat['out_ct_ignore'] = get_handler('OUTPUT', 'VYATTA_CT_IGNORE') + nat['out_ct_conntrack'] = get_handler('OUTPUT', 'VYATTA_CT_OUTPUT_HOOK') + # use a common wrapper function to read in the source / destination # tree from the config - thus we do not need to replicate almost the # same code :-) @@ -126,6 +161,9 @@ def verify(nat): if not nat: return None + if not (nat['pre_ct_ignore'] or nat['pre_ct_conntrack'] or nat['out_ct_ignore'] or nat['out_ct_conntrack']): + raise Exception('could not determine nftable ruleset handlers') + for rule in nat['source']: interface = rule['interface_out'] if interface and interface not in interfaces(): @@ -138,6 +176,7 @@ def generate(nat): return None render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755) + return None def apply(nat): -- cgit v1.2.3 From cc2ad34ce61e205454c4676a5bde77629d463964 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Tue, 12 May 2020 17:43:03 +0200 Subject: nat: T2198: make use of jmespath when walking nftables JSON output --- data/templates/firewall/nftables-nat.tmpl | 91 ++++++++++++++----------------- debian/control | 1 + src/conf_mode/nat.py | 71 +++++++++++++----------- 3 files changed, 83 insertions(+), 80 deletions(-) (limited to 'debian/control') diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl index 671cd0920..161ef27fb 100644 --- a/data/templates/firewall/nftables-nat.tmpl +++ b/data/templates/firewall/nftables-nat.tmpl @@ -1,62 +1,55 @@ #!/usr/sbin/nft -f -# Start with a "clean" NAT table +# Start with clean NAT table flush table nat -{% for rule in init_deinit -%} -# Add or remove conntrack helper rules for NAT operation- -{{ rule }} -{% endfor %} - - -{% if deleted %} -# NAT if going to be disabled - remove rules and targets from nftables -delete rule ip raw PREROUTING handle {{ pre_ct_ignore }} -delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }} -delete rule ip raw OUTPUT handle {{ out_ct_ignore }} -delete rule ip raw OUTPUT handle {{ out_ct_conntrack }} - -delete chain ip raw NAT_CONNTRACK - -{% else %} -# NAT if enabled - add targets to nftables -add chain ip raw NAT_CONNTRACK -add rule ip raw NAT_CONNTRACK counter accept - -add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER -add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK -add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER -add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK +{% if helper_functions == 'remove' %} + # NAT if going to be disabled - remove rules and targets from nftables + delete rule ip raw PREROUTING handle {{ pre_ct_ignore }} + delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }} + delete rule ip raw OUTPUT handle {{ out_ct_ignore }} + delete rule ip raw OUTPUT handle {{ out_ct_conntrack }} + + delete chain ip raw NAT_CONNTRACK +{% elif helper_functions == 'add' %} + # NAT if enabled - add targets to nftables + add chain ip raw NAT_CONNTRACK + add rule ip raw NAT_CONNTRACK counter accept + + add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER + add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK + add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER + add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK {% endif %} {% for r in destination -%} -{% if r.protocol == 'tcp_udp' %} -{# Special handling for protocol tcp_udp which is represented as two individual rules #} -add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp" -add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp" -{% else %} -add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}" -{% endif %} +{% if r.protocol == 'tcp_udp' %} + {# Special handling for protocol tcp_udp which is represented as two individual rules #} + add rule ip nat PREROUTING iifname "{{ r.interface_in }}" tcp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp" + add rule ip nat PREROUTING iifname "{{ r.interface_in }}" udp dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }} tcp_udp" +{% else %} + add rule ip nat PREROUTING iifname "{{ r.interface_in }}" {{ r.protocol }} dport { {{ r.dest_port }} } counter dnat to {{ r.translation_address }}{{ ":" + r.translation_port if r.translation_port }} comment "DST-NAT-{{ r.number }}" +{% endif %} {% endfor %} {% for r in source -%} -{% if r.log %} -{% if r.exclude %} -{% set value = 'EXCL' %} -{% elif r.translation_address == 'masquerade' %} -{% set value = 'MASQ' %} -{% endif %} -add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}" -{% endif %} - -{% if r.exclude %} -{% set value = 'return' %} -{% elif r.translation_address == 'masquerade' %} -{% set value = 'masquerade' %} -{% else %} -{% set value = 'snat to ' + r.translation_address %} -{% endif %} -add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}" +{% if r.log %} +{% if r.exclude %} +{% set value = 'EXCL' %} +{% elif r.translation_address == 'masquerade' %} +{% set value = 'MASQ' %} +{% endif %} + add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}" +{% endif %} + +{% if r.exclude %} +{% set value = 'return' %} +{% elif r.translation_address == 'masquerade' %} +{% set value = 'masquerade' %} +{% else %} +{% set value = 'snat to ' + r.translation_address %} +{% endif %} + add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}" {% endfor %} diff --git a/debian/control b/debian/control index 609f46e4d..323b8130f 100644 --- a/debian/control +++ b/debian/control @@ -32,6 +32,7 @@ Depends: python3, python3-waitress, python3-netaddr, python3-zmq, + python3-jmespath, cron, easy-rsa, ipaddrcheck, diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index 916f63f09..580a06136 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -14,6 +14,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import jmespath import json import os @@ -29,6 +30,7 @@ from vyos import ConfigError default_config_data = { 'deleted': False, 'destination': [], + 'helper_functions': None, 'pre_ct_helper': '', 'pre_ct_conntrack': '', 'out_ct_helper': '', @@ -47,25 +49,15 @@ def _check_kmod(): raise ConfigError(f'Loading Kernel module {module} failed') -def get_handler(chain, target): - """ Get handler number of given chain/target combination. Handler is - required when adding NAT/Conntrack helper targets """ - tmp = json.loads(cmd('nft -j list table raw')) - for rule in tmp.get('nftables'): - # We're only interested in rules - not chains - if not 'rule' in rule.keys(): +def get_handler(json, chain, target): + """ Get nftable rule handler number of given chain/target combination. + Handler is required when adding NAT/Conntrack helper targets """ + for x in json: + if x['chain'] != chain: continue - - # Search for chain of interest - if rule['rule']['chain'] == chain: - for expr in rule['rule']['expr']: - # We're only interested in jump targets - if not 'jump' in expr.keys(): - continue - - # Search for target of interest - if expr['jump']['target'] == target: - return rule['rule']['handle'] + if x['target'] != target: + continue + return x['handle'] return None @@ -141,24 +133,40 @@ def get_config(): nat = deepcopy(default_config_data) conf = Config() + # read in current nftable (once) for further processing + tmp = cmd('nft -j list table raw') + nftable_json = json.loads(tmp) + + # condense the full JSON table into a list with only relevand informations + pattern = 'nftables[?rule].rule[?expr[].jump].{chain: chain, handle: handle, target: expr[].jump.target | [0]}' + condensed_json = jmespath.search(pattern, nftable_json) + if not conf.exists(['nat']): + nat['helper_functions'] = 'remove' + # Retrieve current table handler positions - nat['pre_ct_ignore'] = get_handler('PREROUTING', 'VYATTA_CT_HELPER') - nat['pre_ct_conntrack'] = get_handler('PREROUTING', 'NAT_CONNTRACK') - nat['out_ct_ignore'] = get_handler('OUTPUT', 'VYATTA_CT_HELPER') - nat['out_ct_conntrack'] = get_handler('OUTPUT', 'NAT_CONNTRACK') + nat['pre_ct_ignore'] = get_handler(condensed_json, 'PREROUTING', 'VYATTA_CT_HELPER') + nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK') + nat['out_ct_ignore'] = get_handler(condensed_json, 'OUTPUT', 'VYATTA_CT_HELPER') + nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT', 'NAT_CONNTRACK') nat['deleted'] = True return nat - else: - conf.set_level(['nat']) - # Retrieve current table handler positions - nat['pre_ct_ignore'] = get_handler('PREROUTING', 'VYATTA_CT_IGNORE') - nat['pre_ct_conntrack'] = get_handler('PREROUTING', 'VYATTA_CT_PREROUTING_HOOK') - nat['out_ct_ignore'] = get_handler('OUTPUT', 'VYATTA_CT_IGNORE') - nat['out_ct_conntrack'] = get_handler('OUTPUT', 'VYATTA_CT_OUTPUT_HOOK') + # check if NAT connection tracking helpers need to be set up - this has to + # be done only once + if not get_handler(condensed_json, 'PREROUTING', 'NAT_CONNTRACK'): + nat['helper_functions'] = 'add' + + # Retrieve current table handler positions + nat['pre_ct_ignore'] = get_handler(condensed_json, 'PREROUTING', 'VYATTA_CT_IGNORE') + nat['pre_ct_conntrack'] = get_handler(condensed_json, 'PREROUTING', 'VYATTA_CT_PREROUTING_HOOK') + nat['out_ct_ignore'] = get_handler(condensed_json, 'OUTPUT', 'VYATTA_CT_IGNORE') + nat['out_ct_conntrack'] = get_handler(condensed_json, 'OUTPUT', 'VYATTA_CT_OUTPUT_HOOK') + + # set config level for parsing in NAT configuration + conf.set_level(['nat']) # use a common wrapper function to read in the source / destination # tree from the config - thus we do not need to replicate almost the @@ -173,8 +181,9 @@ def verify(nat): # no need to verify the CLI as NAT is going to be deactivated return None - if not (nat['pre_ct_ignore'] or nat['pre_ct_conntrack'] or nat['out_ct_ignore'] or nat['out_ct_conntrack']): - raise Exception('could not determine nftable ruleset handlers') + if nat['helper_functions']: + if not (nat['pre_ct_ignore'] or nat['pre_ct_conntrack'] or nat['out_ct_ignore'] or nat['out_ct_conntrack']): + raise Exception('could not determine nftable ruleset handlers') for rule in nat['source']: interface = rule['interface_out'] -- cgit v1.2.3 From f233a9e4073f3c5257923962a96af5833734e41e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 14 May 2020 18:37:39 +0200 Subject: nat: T2198: migrate "show nat" commands to XML and Python - "show nat source|destination statistics" is now implemented in Python - "show nat source|destination rules" needs a new implementation, see T2459 - "show nat source|destination translations" has been copied over from the old repo and is here until it is rewritten, this was not possible for "rules" as there would have been too much dependencies. This one only requires libxml-simple-perl --- debian/control | 1 + op-mode-definitions/nat.xml | 98 ++++++++ src/op_mode/show_nat_statistics.py | 63 +++++ .../to_be_migrated/vyatta-nat-translations.pl | 267 +++++++++++++++++++++ 4 files changed, 429 insertions(+) create mode 100644 op-mode-definitions/nat.xml create mode 100755 src/op_mode/show_nat_statistics.py create mode 100755 src/op_mode/to_be_migrated/vyatta-nat-translations.pl (limited to 'debian/control') diff --git a/debian/control b/debian/control index 323b8130f..f7285941a 100644 --- a/debian/control +++ b/debian/control @@ -91,6 +91,7 @@ Depends: python3, pmacct (>= 1.6.0), python3-certbot-nginx, pppoe, + libxml-simple-perl, salt-minion, vyos-utils, nftables (>= 0.9.3), diff --git a/op-mode-definitions/nat.xml b/op-mode-definitions/nat.xml new file mode 100644 index 000000000..ffaa2cba3 --- /dev/null +++ b/op-mode-definitions/nat.xml @@ -0,0 +1,98 @@ + + + + + + + Show Network Address Translation (NAT) information + + + + + Show source Network Address Translation (NAT) information + + + + + Show configured source NAT rules + + echo To be migrated to Python - https://phabricator.vyos.net/T2459 + + + + Show statistics for configured source NAT rules + + ${vyos_op_scripts_dir}/show_nat_statistics.py --source + + + + Show active source NAT translations + + + + + Show active source NAT translations for an IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/to_be_migrated/vyatta-nat-translations.pl --type=source --verbose --ipaddr="$6" + + + + Show active source NAT translations detail + + ${vyos_op_scripts_dir}/to_be_migrated/vyatta-nat-translations.pl --type=source --verbose + + + ${vyos_op_scripts_dir}/to_be_migrated/vyatta-nat-translations.pl --type=source + + + + + + Show destination Network Address Translation (NAT) information + + + + + Show configured destination NAT rules + + echo To be migrated to Python - https://phabricator.vyos.net/T2459 + + + + Show statistics for configured destination NAT rules + + ${vyos_op_scripts_dir}/show_nat_statistics.py --destination + + + + Show active destination NAT translations + + + + + Show active NAT destination translations for an IP address + + <x.x.x.x> + + + ${vyos_op_scripts_dir}/to_be_migrated/vyatta-nat-translations.pl --type=destination --verbose --ipaddr="$6" + + + + Show active destination NAT translations detail + + ${vyos_op_scripts_dir}/to_be_migrated/vyatta-nat-translations.pl --type=destination --verbose + + + ${vyos_op_scripts_dir}/to_be_migrated/vyatta-nat-translations.pl --type=destination + + + + + + + + diff --git a/src/op_mode/show_nat_statistics.py b/src/op_mode/show_nat_statistics.py new file mode 100755 index 000000000..b77693e19 --- /dev/null +++ b/src/op_mode/show_nat_statistics.py @@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import jmespath +import json + +from argparse import ArgumentParser +from jinja2 import Template +from sys import exit +from vyos.util import cmd + +OUT_TMPL_SRC=""" +rule pkts bytes interface +---- ---- ----- --------- +{% for r in output %} +{%- if r.comment -%} +{%- set packets = r.counter.packets -%} +{%- set bytes = r.counter.bytes -%} +{%- set interface = r.interface -%} +{# remove rule comment prefix #} +{%- set comment = r.comment | replace('SRC-NAT-', '') | replace('DST-NAT-', '') -%} +{{ "%-4s" | format(comment) }} {{ "%9s" | format(packets) }} {{ "%12s" | format(bytes) }} {{ interface }} +{%- endif %} +{% endfor %} +""" + +parser = ArgumentParser() +group = parser.add_mutually_exclusive_group() +group.add_argument("--source", help="Show statistics for configured source NAT rules", action="store_true") +group.add_argument("--destination", help="Show statistics for configured destination NAT rules", action="store_true") +args = parser.parse_args() + +if args.source or args.destination: + tmp = cmd('sudo nft -j list table nat') + tmp = json.loads(tmp) + + source = r"nftables[?rule.chain=='POSTROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }" + destination = r"nftables[?rule.chain=='PREROUTING'].rule.{chain: chain, handle: handle, comment: comment, counter: expr[].counter | [0], interface: expr[].match.right | [0] }" + data = { + 'output' : jmespath.search(source if args.source else destination, tmp), + 'direction' : 'source' if args.source else 'destination' + } + + tmpl = Template(OUT_TMPL_SRC, lstrip_blocks=True) + print(tmpl.render(data)) + exit(0) +else: + parser.print_help() + exit(1) + diff --git a/src/op_mode/to_be_migrated/vyatta-nat-translations.pl b/src/op_mode/to_be_migrated/vyatta-nat-translations.pl new file mode 100755 index 000000000..94ed74bad --- /dev/null +++ b/src/op_mode/to_be_migrated/vyatta-nat-translations.pl @@ -0,0 +1,267 @@ +#!/usr/bin/perl +# +# Module: vyatta-nat-translate.pl +# +# **** License **** +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# This code was originally developed by Vyatta, Inc. +# Portions created by Vyatta are Copyright (C) 2007 Vyatta, Inc. +# All Rights Reserved. +# +# Author: Stig Thormodsrud +# Date: July 2008 +# Description: Script to display nat translations +# +# **** End License **** +# + +use Getopt::Long; +use XML::Simple; +use Data::Dumper; +use POSIX; + +use warnings; +use strict; + +my $dump = 0; +my ($xml_file, $verbose, $proto, $stats, $ipaddr, $pipe); +my $type; +my $verbose_format = "%-20s %-18s %-20s %-18s\n"; +my $format = "%-20s %-20s %-4s %-8s"; + +sub add_xml_root { + my $xml = shift; + + $xml = '' . $xml . ''; + return $xml; +} + + +sub read_xml_file { + my $file = shift; + + local($/, *FD); # slurp mode + open FD, "<", $file or die "Couldn't open $file\n"; + my $xml = ; + close FD; + return $xml; +} + +sub print_xml { + my $data = shift; + print Dumper($data); +} + +sub guess_snat_dnat { + my ($src, $dst) = @_; + + if ($src->{original} eq $dst->{reply}) { + return "dnat"; + } + if ($dst->{original} eq $src->{reply}) { + return "snat"; + } + return "unkn"; +} + +sub nat_print_xml { + my ($data, $type) = @_; + + my $flow = 0; + + my %flowh; + while (1) { + my $meta = 0; + last if ! defined $data->{flow}[$flow]; + my $flow_ref = $data->{flow}[$flow]; + my $flow_type = $flow_ref->{type}; + my (%src, %dst, %sport, %dport, %proto); + my (%packets, %bytes); + my $timeout = undef; + my $uses = undef; + while (1) { + my $meta_ref = $flow_ref->{meta}[$meta]; + last if ! defined $meta_ref; + my $dir = $meta_ref->{direction}; + if ($dir eq 'original' or $dir eq 'reply') { + my $l3_ref = $meta_ref->{layer3}[0]; + my $l4_ref = $meta_ref->{layer4}[0]; + my $count_ref = $meta_ref->{counters}[0]; + if (defined $l3_ref) { + $src{$dir} = $l3_ref->{src}[0]; + $dst{$dir} = $l3_ref->{dst}[0]; + if (defined $l4_ref) { + $sport{$dir} = $l4_ref->{sport}[0]; + $dport{$dir} = $l4_ref->{dport}[0]; + $proto{$dir} = $l4_ref->{protoname}; + } + } + if (defined $stats and defined $count_ref) { + $packets{$dir} = $count_ref->{packets}[0]; + $bytes{$dir} = $count_ref->{bytes}[0]; + } + } elsif ($dir eq 'independent') { + $timeout = $meta_ref->{timeout}[0]; + $uses = $meta_ref->{'use'}[0]; + } + $meta++; + } + my ($proto, $in_src, $in_dst, $out_src, $out_dst); + $proto = $proto{original}; + $in_src = "$src{original}"; + $in_src .= ":$sport{original}" if defined $sport{original}; + $in_dst = "$dst{original}"; + $in_dst .= ":$dport{original}" if defined $dport{original}; + $out_src = "$dst{reply}"; + $out_src .= ":$dport{reply}" if defined $dport{reply}; + $out_dst = "$src{reply}"; + $out_dst .= ":$sport{reply}" if defined $sport{reply}; + if (defined $verbose) { + printf($verbose_format, $in_src, $in_dst, $out_src, $out_dst); + } +# if (! defined $type) { +# $type = guess_snat_dnat(\%src, \%dst); +# } + if (defined $type) { + my ($from, $to); + if ($type eq 'source') { + $from = "$src{original}"; + $to = "$dst{reply}"; + if (defined $sport{original} and defined $dport{reply}) { + if ($sport{original} ne $dport{reply}) { + $from .= ":$sport{original}"; + $to .= ":$dport{reply}"; + } + } + } else { + $from = "$dst{original}"; + $to = "$src{reply}"; + if (defined $dport{original} and defined $sport{reply}) { + if ($dport{original} ne $sport{reply}) { + $from .= ":$dport{original}"; + $to .= ":$sport{reply}"; + } + } + } + if (defined $verbose) { + print " $proto: $from ==> $to"; + } else { + my $timeout2 = ""; + if (defined $timeout) { + $timeout2 = $timeout; + } + printf($format, $from, $to, $proto, $timeout2); + print " $flow_type" if defined $flow_type; + print "\n"; + } + } + if (defined $verbose) { + print " timeout: $timeout" if defined $timeout; + print " use: $uses " if defined $uses; + print " type: $flow_type" if defined $flow_type; + print "\n"; + } + if (defined $stats) { + foreach my $dir ('original', 'reply') { + if (defined $packets{$dir}) { + printf(" %-8s: packets %s, bytes %s\n", + $dir, $packets{$dir}, $bytes{$dir}); + } + } + } + $flow++; + } + return $flow; +} + + +# +# main +# +GetOptions("verbose" => \$verbose, + "proto=s" => \$proto, + "file=s" => \$xml_file, + "stats" => \$stats, + "type=s" => \$type, + "ipaddr=s" => \$ipaddr, + "pipe" => \$pipe, +); + +my $conntrack = '/usr/sbin/conntrack'; +if (! -f $conntrack) { + die "Package [conntrack] not installed"; +} + +die "Must specify NAT type!" if !defined($type); +die "Unknown NAT type!" if (($type ne 'source') && ($type ne 'destination')); + +my $xs = XML::Simple->new(ForceArray => 1, KeepRoot => 0); +my ($xml, $data); + +# flush stdout after every write for pipe mode +$| = 1 if defined $pipe; + +if (defined $verbose) { + printf($verbose_format, 'Pre-NAT src', 'Pre-NAT dst', + 'Post-NAT src', 'Post-NAT dst'); +} else { + printf($format, 'Pre-NAT', 'Post-NAT', 'Prot', 'Timeout'); + print " Type" if defined $pipe; + print "\n"; +} + +if (defined $xml_file) { + $xml = read_xml_file($xml_file); + $data = $xs->XMLin($xml); + if ($dump) { + print_xml($data); + exit; + } + nat_print_xml($data, 'snat'); + +} elsif (defined $pipe) { + while ($xml = ) { + $xml =~ s/\<\?xml version=\"1\.0\" encoding=\"utf-8\"\?\>//; + $xml =~ s/\//; + $xml = add_xml_root($xml); + $data = $xs->XMLin($xml); + nat_print_xml($data, $type); + } +} else { + if (defined $proto) { + $proto = "-p $proto" + } else { + $proto = ""; + } + if ($type eq 'source') { + my $ipopt = ""; + if (defined $ipaddr) { + $ipopt = "--orig-src $ipaddr"; + } + $xml = `sudo $conntrack -L -n $ipopt -o xml $proto 2>/dev/null`; + chomp $xml; + $data = undef; + $data = $xs->XMLin($xml) if ! $xml eq ''; + } + if ($type eq 'destination') { + my $ipopt = ""; + if (defined $ipaddr) { + $ipopt = "--orig-dst $ipaddr"; + } + $xml = `sudo $conntrack -L -g $ipopt -o xml $proto 2>/dev/null`; + chomp $xml; + $data = undef; + $data = $xs->XMLin($xml) if ! $xml eq ''; + } + nat_print_xml($data, $type) if defined $data; +} + +# end of file -- cgit v1.2.3 From d8891acde69ba17019b650656eaa6fa313a222b9 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 16 May 2020 17:52:07 +0200 Subject: Debian: add required dependency on systemd --- debian/control | 1 + 1 file changed, 1 insertion(+) (limited to 'debian/control') diff --git a/debian/control b/debian/control index f7285941a..bd6e445ee 100644 --- a/debian/control +++ b/debian/control @@ -34,6 +34,7 @@ Depends: python3, python3-zmq, python3-jmespath, cron, + systemd, easy-rsa, ipaddrcheck, tcpdump, -- cgit v1.2.3