From b047855b80754d78cab4d3161ad0e97c21f479bc Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Mon, 30 Nov 2020 20:03:00 +0800 Subject: nptv6: T2518: Initial support for nat66 (NPT) --- interface-definitions/nat.xml.in | 67 -------------- interface-definitions/nat66.xml.in | 181 +++++++++++++++++++++++++++++++++++++ 2 files changed, 181 insertions(+), 67 deletions(-) create mode 100644 interface-definitions/nat66.xml.in (limited to 'interface-definitions') diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in index d6bed5b27..3cff8abc9 100644 --- a/interface-definitions/nat.xml.in +++ b/interface-definitions/nat.xml.in @@ -56,73 +56,6 @@ - - - IPv6-to-IPv6 Network Prefix Translation Settings - - - - - NPTv6 rule number - - 1-999999 - Number for this rule - - - - - NAT rule number must be between 1 and 999999 - - - - - Rule description - - - #include - #include - - - IPv6 source prefix options - - - - - IPv6 prefix to be translated - - ipv6net - IPv6 prefix - - - - - - - - - - - Translated IPv6 prefix options - - - - - IPv6 prefix to translate to - - ipv6net - IPv6 prefix - - - - - - - - - - - - Source NAT settings diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in new file mode 100644 index 000000000..b8e8a8859 --- /dev/null +++ b/interface-definitions/nat66.xml.in 
@@ -0,0 +1,181 @@ + + + + + IPv6-to-IPv6 Network Prefix Translation (NAT66/NPT) Settings + 220 + + + + + Prefix mapping of IPv6 source address translation + + + + + SNPTv6 rule number + + 1-999999 + Number for this rule + + + + + NAT66 rule number must be between 1 and 999999 + + + + + Rule description + + + + + Disable NAT66 rule + + + + + + NAT66 rule logging + + + + + + Outbound interface of NAT traffic + + + + + + + + IPv6 source prefix options + + + + + IPv6 prefix to be translated + + ipv6net + IPv6 prefix + + + + + + + + + + + Translated IPv6 prefix options + + + + + IPv6 prefix to translate to + + ipv6net + IPv6 prefix + + + + + + + + + + + + + + + Prefix mapping for IPv6 destination address translation + + + + + DNPTv6 rule number + + 1-999999 + Number for this rule + + + + + NAT66 rule number must be between 1 and 999999 + + + + + Rule description + + + + + Disable DNPT rule + + + + + + NAT66 rule logging + + + + + + Inbound interface of NAT traffic + + + + + + + + IPv6 destination prefix options + + + + + IPv6 address to be translated + + ipv6 + IPv6 address + + + + + + + + + + + Translated IPv6 address options + + + + + IPv6 address to translate to + + ipv6 + IPv6 address + + + + + + + + + + + + + + + -- cgit v1.2.3 From 35e89dcc0311514c0388b7ccab51b379113bf104 Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Wed, 20 Jan 2021 16:38:36 +0800 Subject: nptv6: T2518: Support many to many DNPT(DNAT66) --- data/templates/firewall/nftables-nat66.tmpl | 8 ++++++- interface-definitions/nat66.xml.in | 14 ++++++++++-- smoketest/scripts/cli/test_nat66.py | 33 ++++++++++++++++++++++++++--- 3 files changed, 49 insertions(+), 6 deletions(-) (limited to 'interface-definitions') diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl index af533812e..1a739cbe2 100644 --- a/data/templates/firewall/nftables-nat66.tmpl +++ b/data/templates/firewall/nftables-nat66.tmpl 
@@ -7,7 +7,13 @@ {% if chain == "PREROUTING" %} {% set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %} -{% set trns_address = "dnat to " + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none %} +{% if config.translation.address | is_ip_network %} +{# support 1:1 network translation #} +{% set dnat_type = "dnat prefix to " %} +{% else %} +{% set dnat_type = "dnat to " %} +{% endif %} +{% set trns_address = dnat_type + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none %} {% elif chain == "POSTROUTING" %} {% set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined and config.outbound_interface != 'any' else '' %} {% set trns_prefix = "snat prefix to " + config.translation.prefix if config.translation is defined and config.translation.prefix is defined and config.translation.prefix is not none %} diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in index b8e8a8859..36b55f658 100644 --- a/interface-definitions/nat66.xml.in +++ b/interface-definitions/nat66.xml.in @@ -141,13 +141,18 @@ - IPv6 address to be translated + IPv6 address or prefix to be translated ipv6 IPv6 address + + ipv6net + IPv6 prefix + + @@ -160,13 +165,18 @@ - IPv6 address to translate to + IPv6 address or prefix to translate to ipv6 IPv6 address + + ipv6net + IPv6 prefix + + diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py index f94f77b60..042c61ace 100755 --- a/smoketest/scripts/cli/test_nat66.py +++ b/smoketest/scripts/cli/test_nat66.py 
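Review bot: The new `{% if config.translation.address | is_ip_network %}` dereferences `config.translation.address` before the `is defined` guards that the following `trns_address` line still carries, so a PREROUTING rule with no translation address now fails at render time with an undefined-attribute error instead of yielding a rule with no dnat action. If verify() in src/conf_mode/nat66.py already rejects that case (the SNAT side has such a check per T2813; the DNAT side is not visible here) the guards on the next line are dead and should go for consistency, otherwise the check should read `{% if config.translation is defined and config.translation.address is defined and config.translation.address | is_ip_network %}`. Nothing in this commit checks that `destination.address` and `translation.address` are of the same kind (both host addresses or both prefixes) and, for prefixes, of the same length; a mismatched pair is handed to nft as-is, so verify() should reject it with a ConfigError rather than leaving the failure mode to nft. The surrounding `{% if chain ... %}` block continues past the hunk.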
@@ -72,10 +72,10 @@ class TestNAT66(unittest.TestCase): self.assertEqual(f'{address}/{mask}', source_prefix) def test_destination_nat66(self): - source_address = 'fc00::1' + destination_address = 'fc00::1' translation_address = 'fc01::1' self.session.set(dst_path + ['rule', '1', 'inbound-interface', 'eth1']) - self.session.set(dst_path + ['rule', '1', 'destination', 'address', source_address]) + self.session.set(dst_path + ['rule', '1', 'destination', 'address', destination_address]) self.session.set(dst_path + ['rule', '1', 'translation', 'address', translation_address]) # check validate() - outbound-interface must be defined 
@@ -96,8 +96,35 @@ class TestNAT66(unittest.TestCase): self.assertEqual(dnat_addr, translation_address) self.assertEqual(iface, 'eth1') + + def test_destination_nat66_prefix(self): + destination_prefix = 'fc00::/64' + translation_prefix = 'fc01::/64' + self.session.set(dst_path + ['rule', '1', 'inbound-interface', 'eth1']) + self.session.set(dst_path + ['rule', '1', 'destination', 'address', destination_prefix]) + self.session.set(dst_path + ['rule', '1', 'translation', 'address', translation_prefix]) + + # check validate() - outbound-interface must be defined + self.session.commit() + + tmp = cmd('sudo nft -j list table ip6 nat') + data_json = jmespath.search('nftables[?rule].rule[?chain]', json.loads(tmp)) + + for idx in range(0, len(data_json)): + data = data_json[idx] + + self.assertEqual(data['chain'], 'PREROUTING') + self.assertEqual(data['family'], 'ip6') + self.assertEqual(data['table'], 'nat') + + iface = dict_search('match.right', data['expr'][0]) + translation_address = dict_search('dnat.addr.prefix.addr', data['expr'][3]) + translation_mask = dict_search('dnat.addr.prefix.len', data['expr'][3]) + + self.assertEqual(f'{translation_address}/{translation_mask}', translation_prefix) + self.assertEqual(iface, 'eth1') - def test_snat_required_translation_prefix(self): + def test_source_nat66_required_translation_prefix(self): # T2813: Ensure translation address is specified rule = '5' source_prefix = 'fc00::/64' -- cgit v1.2.3 From 01e1759d16afbc9f95b64da76eee97fc06729dc8 Mon Sep 17 00:00:00 2001 From: jack9603301 Date: Thu, 21 Jan 2021 01:25:43 +0800 Subject: nptv6: T2518: outbound_interface cannot be any, inbound_interface can be any --- data/templates/firewall/nftables-nat66.tmpl | 2 +- interface-definitions/nat66.xml.in | 1 + src/conf_mode/nat66.py | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) (limited to 'interface-definitions') 
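Review bot: The comment `# check validate() - outbound-interface must be defined` in `test_destination_nat66_prefix` is copied from the SNAT test: this test sets `inbound-interface` and then commits straight away, so no validate() failure is being checked there; replace it with `# commit the rule; inbound-interface and translation are already set` (the same stale comment sits in `test_destination_nat66` above). More importantly the assertions cover only the interface (`expr[0]`) and the dnat prefix (`expr[3]`); the `ip6 daddr` match that limits which packets are rewritten is never asserted, so a template regression that dropped the destination match, rewriting the destination of every packet arriving on eth1, would still pass. Add an assertion on the daddr match, for example `self.assertEqual(dict_search('match.right.prefix.addr', data['expr'][1]), 'fc00::')` with the expr index and key adjusted to the actual nft JSON. The hard-coded `expr[0]`/`expr[3]` indices are brittle for the same reason; the enclosing TestNAT66 class starts and ends outside the hunk.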
diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl index 1a739cbe2..80150c7a4 100644 --- a/data/templates/firewall/nftables-nat66.tmpl +++ b/data/templates/firewall/nftables-nat66.tmpl @@ -15,7 +15,7 @@ {% endif %} {% set trns_address = dnat_type + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none %} {% elif chain == "POSTROUTING" %} -{% set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined and config.outbound_interface != 'any' else '' %} +{% set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined else '' %} {% set trns_prefix = "snat prefix to " + config.translation.prefix if config.translation is defined and config.translation.prefix is defined and config.translation.prefix is not none %} {% endif %} {% set comment = "NPT-NAT-" + rule %} diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in index 36b55f658..b56a76b4c 100644 --- a/interface-definitions/nat66.xml.in +++ b/interface-definitions/nat66.xml.in @@ -130,6 +130,7 @@ Inbound interface of NAT traffic + any diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py index 69373c054..a5c74259f 100755 --- a/src/conf_mode/nat66.py +++ b/src/conf_mode/nat66.py @@ -117,7 +117,7 @@ def verify(nat): raise ConfigError(f'{err_msg}\n' \ 'outbound-interface not specified') else: - if config['outbound_interface'] not in 'any' and config['outbound_interface'] not in interfaces(): + if config['outbound_interface'] not in interfaces(): print(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') -- cgit v1.2.3 From 88a6a034b1cb6a1a43c689281df92831d82c996c Mon Sep 17 00:00:00 2001 
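Review bot: After this change verify() no longer special-cases `any` for `outbound_interface`, and the template hunk in the same commit stops filtering it too, so a rule configured with `outbound-interface any` (a value the previous code accepted) now renders `oifname "any"`: a rule that never matches, which means the internal source prefix silently leaves untranslated instead of the configuration being rejected. Unless an XML validator rejects the literal `any` for the SNAT side (this commit only adds `any` to the inbound-interface completion), verify() should raise: `if config['outbound_interface'] == 'any': raise ConfigError(f'{err_msg}\noutbound-interface cannot be "any"')`. The non-existent-interface case stays a printed warning, presumably so an interface can be created later, but a one-line comment saying so would help, since the resulting `oifname` rule matches nothing until the interface exists. verify() starts and ends outside the hunk.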
From: jack9603301 Date: Thu, 21 Jan 2021 22:26:40 +0800 Subject: nptv6: T2518: Maintain the consistency of terms in the CLI configuration file, and use nat66 terms completely --- interface-definitions/nat66.xml.in | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'interface-definitions') diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in index b56a76b4c..b45ebc0a8 100644 --- a/interface-definitions/nat66.xml.in +++ b/interface-definitions/nat66.xml.in @@ -13,7 +13,7 @@ - SNPTv6 rule number + Source NAT66 rule number 1-999999 Number for this rule @@ -43,7 +43,7 @@ - Outbound interface of NAT traffic + Outbound interface of NAT66 traffic @@ -98,7 +98,7 @@ - DNPTv6 rule number + Destination NAT66 rule number 1-999999 Number for this rule @@ -116,7 +116,7 @@ - Disable DNPT rule + Disable NAT66 rule @@ -128,7 +128,7 @@ - Inbound interface of NAT traffic + Inbound interface of NAT66 traffic any -- cgit v1.2.3