summaryrefslogtreecommitdiff
path: root/data/templates/firewall/nftables-nat.tmpl
blob: 01dcec19f54dc5c766138d8a1239bbd51abb0791 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#!/usr/sbin/nft -f

# Start with clean NAT table
flush table nat

{% if helper_functions == 'remove' %}
  # NAT if going to be disabled - remove rules and targets from nftables
  delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
  delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
  delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
  delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}

  delete chain ip raw NAT_CONNTRACK
{% elif helper_functions == 'add' %}
  # NAT if enabled - add targets to nftables
  add chain ip raw NAT_CONNTRACK
  add rule ip raw NAT_CONNTRACK counter accept

  add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
  add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
  add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
  add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
{% endif %}


{% for r in destination -%}
{%   set chain     = "PREROUTING" %}
{%   set dst_addr  = "ip daddr " + r.dest_address if r.dest_address %}
{%   set dst_port  = "dport { " + r.dest_port +" }" %}
{%   set trns_addr = r.translation_address %}
{%   set trns_port = ":" + r.translation_port if r.translation_port %}
{%   set trns      = "dnat to " + trns_addr + trns_port if trns_port %}
{%   set comment   = "DST-NAT-" + r.number %}
{%   set iface     = "iifname " + r.interface_in %}

{%   if r.log %}
{%     if r.exclude %}
{%       set log = "[" + comment + "-EXCL]" %}
{%     elif r.translation_address == 'masquerade' %}
{%       set log = "[" + comment + "-MASQ]" %}
{%     else %}
{%       set log = "[" + comment + "]" %}
{%     endif %}
{%   endif %}

{%   if r.exclude %}
{#     rule has been marked as "exclude" thus we simply return here #}
{%     set trns      = "return" %}
{%   endif %}


{%   if r.protocol == 'tcp_udp' %}
{#     Special handling for protocol tcp_udp which is represented as two individual rules #}
{%     if log %}
add rule ip nat {{ chain }} {{ iface }} tcp {{ dst_port }} counter log prefix "{{ log }}" comment "{{ comment }} tcp_udp"
{%     endif %}
add rule ip nat {{ chain }} {{ iface }} tcp {{ dst_port }} counter {{ trns }} comment {{ comment }}
{%     if log %}
add rule ip nat {{ chain }} {{ iface }} udp {{ dst_port }} counter log prefix "{{ log }}" comment "{{ comment }} tcp_udp"
{%     endif %}
add rule ip nat {{ chain }} {{ iface }} udp {{ dst_port }} counter {{ trns }} comment {{ comment }}
{%   else %}

{%     if log %}
add rule ip nat {{ chain }} {{ iface }} {{ r.protocol }} counter log prefix "{{ log }}" comment {{ comment }}
{%     endif %}
add rule ip nat {{ chain }} {{ iface }} {{ dst_addr }} {{ r.protocol }} {{ dst_port }} counter {{ trns }} comment {{ comment }}
{%   endif %}
{% endfor %}


{% for r in source -%}
{%   if r.log %}
{%     if r.exclude %}
{%       set value = 'EXCL' %}
{%     elif r.translation_address == 'masquerade' %}
{%       set value = 'MASQ' %}
{%     endif %}
  add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter log prefix "[NAT-SRC-{{ r.number }}-{{ value }}]" comment "SRC-NAT-{{ r.number }}"
{%   endif %}

{%   if r.exclude %}
{%     set value = 'return' %}
{%   elif r.translation_address == 'masquerade' %}
{%     set value = 'masquerade' %}
{%   else %}
{%     set value = 'snat to ' + r.translation_address %}
{%   endif %}
  add rule ip nat POSTROUTING oifname "{{ r.interface_out }}" ip saddr {{ r.source_address }} counter {{ value }} comment "SRC-NAT-{{ r.number }}"
{% endfor %}