From 6f44b47d8f2bf04984684a0752ab224960260b0d Mon Sep 17 00:00:00 2001
From: Christian Poessinger
Date: Sun, 12 Jul 2020 11:54:16 +0200
Subject: nat: T2699: fix exclusion rules for noNAT destinations
---
 src/conf_mode/nat.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
(limited to 'src/conf_mode')
diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
index b0a029f2b..3dd20938a 100755
--- a/src/conf_mode/nat.py
+++ b/src/conf_mode/nat.py
@@ -79,7 +79,7 @@ def verify_rule(rule, err_msg):
 'statically maps a whole network of addresses onto another\n' \
 'network of addresses')
- if not rule['translation_address']:
+ if not rule['exclude'] and not rule['translation_address']:
 raise ConfigError(f'{err_msg} translation address not specified')
@@ -228,10 +228,10 @@ def verify(nat):
 for rule in nat['source']:
 interface = rule['interface_out']
- err_msg = f"Source NAT configuration error in rule {rule['number']}:"
+ err_msg = f'Source NAT configuration error in rule "{rule["number"]}":'
- if interface and interface not in interfaces():
- print(f'NAT configuration warning: interface {interface} does not exist on this system')
+ if interface and interface not in 'any' and interface not in interfaces():
+ print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system')
 if not rule['interface_out']:
 raise ConfigError(f'{err_msg} outbound-interface not specified')
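Review bot: The relaxed condition in verify_rule carries no comment saying why an exclusion rule may omit the translation address; a line such as `# exclude rules bypass NAT entirely, so no translation address is needed` above the `if` would record the intent. A rule that sets both `exclude` and a translation address now passes without any notice, so the address is presumably ignored; a printed warning for that combination would help an operator notice a rule that does not translate as written. verify_rule starts above this hunk, so whether an earlier check already covers that case cannot be seen here.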
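Review bot: `interface not in 'any'` in the source loop of verify() is a substring test against the string 'any', not an equality test, so an interface name that happens to be a substring of it (`a`, `an`, `ny`, ...) also skips the existence warning. The condition should read `if interface and interface != 'any' and interface not in interfaces():`. The same expression is added to the destination loop in the hunk at -246 and needs the same change. A missing interface is only printed, not raised as a ConfigError, so this warning is the one cue that a NAT rule is bound to a mistyped interface and it should not be suppressed by accident. The loop body continues outside the hunk.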
@@ -246,10 +246,10 @@ def verify(nat): for rule in nat['destination']: interface = rule['interface_in'] - err_msg = f"Destination NAT configuration error in rule {rule['number']}:" + err_msg = f'Destination NAT configuration error in rule "{rule["number"]}":' - if interface and interface not in interfaces(): - print(f'NAT configuration warning: interface {interface} does not exist on this system') + if interface and interface not in 'any' and interface not in interfaces(): + print(f'Warning: rule "{rule["number"]}" interface "{interface}" does not exist on this system') if not rule['interface_in']: raise ConfigError(f'{err_msg} inbound-interface not specified') @@ -261,7 +261,6 @@ def verify(nat): def generate(nat): render(iptables_nat_config, 'firewall/nftables-nat.tmpl', nat, trim_blocks=True, permission=0o755) - return None def apply(nat): -- cgit v1.2.3