#!/usr/sbin/nft -f
{#
  Jinja2 template that renders the IPv4 NAT ruleset (table "ip nat") and
  wires the conntrack hooks NAT depends on into "ip raw".

  Expected context:
    helper_functions   'add' | 'remove' | anything else (hook block skipped)
    pre_ct_ignore, pre_ct_conntrack, out_ct_ignore, out_ct_conntrack
                       rule handles in ip raw (see the two branches below for
                       what each branch does with them)
    destination, source  lists of NAT rule dicts rendered further down

  Every variable is interpolated unescaped into nft syntax; nothing in this
  file quotes or validates. The CLI validators upstream are the only guard
  against a value that breaks out of a rule or smuggles in a second one.
#}

# Start with clean NAT table
{# Empties every chain of the ip nat table (family defaults to ip when
   omitted); the table is expected to exist already. Anything added to the
   table by hand is discarded on purpose: the rendered config is the single
   source of truth for NAT. #}
flush table nat

{% if helper_functions == 'remove' %}
{# NAT is about to be disabled - remove the hook rules and chain from nftables #}
{# The four variables are the *handles* of the jump rules being deleted. They
   must go first: a chain still referenced by a jump cannot be deleted, so
   NAT_CONNTRACK is dropped last. An empty/undefined handle renders as a bare
   "handle" and fails nft's parser, which is better than deleting the wrong
   rule. #}
delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}

delete chain ip raw NAT_CONNTRACK

{% elif helper_functions == 'add' %}
{# NAT is being enabled - add the hook rules and chain to nftables #}
{# Here the same four variables are nft *positions*: "position N" appends the
   new rule after the existing rule with handle N. The caller supplies
   whichever meaning applies to the branch it selects. NAT_CONNTRACK must be
   created before anything jumps to it; VYATTA_CT_HELPER is only referenced,
   never created here, so it has to exist already.
   NOTE(review): presumably the "counter accept" in a raw-table chain exists
   so that matching packets stay conntracked (no notrack) and therefore reach
   the nat table -- confirm against the conntrack helper configuration. #}
add chain ip raw NAT_CONNTRACK
add rule ip raw NAT_CONNTRACK counter accept

add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
{% endif %}


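{#
  Destination NAT: one rule per enabled entry, appended to ip nat PREROUTING
  in iteration order. Order is significant: the first matching "dnat" or
  "return" ends NAT processing for that packet, which is what the "exclude"
  entries rely on.

  Every r.* value is interpolated unescaped into nft syntax; the CLI
  validators are the only thing keeping a quote or newline out of r.number,
  r.dest_port and friends. The log prefixes "[DST-NAT-<n>]" and
  "[DST-NAT-<n>-EXCL]" are consumed by whatever parses the kernel log, so
  their format is kept exactly as before.

  Fixes relative to the previous version of this block:
    - the tcp/udp match was only built when logging was enabled, so unlogged
      tcp_udp rules lost their protocol/port match and applied to all traffic;
    - `set proto_dst_port = "" if r.protocol == "all"` (no else) reset the
      match to undefined for every protocol other than "all";
    - "sport {...}"/"dport {...}" were emitted without a transport protocol,
      which nft does not accept.
#}
{% for r in destination if not r.disabled -%}
{%   set chain    = "PREROUTING" %}
{%   set src_addr = "ip saddr " + r.source_address if r.source_address else "" %}
{%   set dst_addr = "ip daddr " + r.dest_address if r.dest_address else "" %}
{#   A port match is only valid after a transport protocol ("tcp dport ..."),
     so the protocol is prefixed where the match is assembled below. #}
{%   set src_port = "sport { " + r.source_port + " }" if r.source_port else "" %}
{%   set dst_port = "dport { " + r.dest_port + " }" if r.dest_port else "" %}
{%   set comment  = "DST-NAT-" ~ r.number %}
{#   NOTE(review): an unset interface renders as iifname "" -- confirm that the
     CLI makes inbound-interface mandatory for destination rules. #}
{%   set iface    = r.interface_in %}

{#   Log prefix keyed by rule number so a log line maps back to its rule #}
{%   set log = "" %}
{%   if r.log %}
{%     if r.exclude %}
{%       set log = "[" + comment + "-EXCL]" %}
{%     elif r.translation_address == 'masquerade' %}
{%       set log = "[" + comment + "-MASQ]" %}
{%     else %}
{%       set log = "[" + comment + "]" %}
{%     endif %}
{%   endif %}

{#   Translation statement. An "exclude" entry translates nothing: "return"
     stops NAT processing for the match. The translation address is only read
     for real rules, so an exclude entry without one no longer aborts the
     render. #}
{%   if r.exclude %}
{%     set translate = "return" %}
{%   elif r.translation_port %}
{%     set translate = "dnat to " + r.translation_address + ":" + r.translation_port %}
{%   else %}
{%     set translate = "dnat to " + r.translation_address %}
{%   endif %}

{%   if r.protocol == 'tcp_udp' %}
{#     tcp_udp is expressed as two rules, one per transport protocol. #}
{%     set comment = comment + " tcp_udp" %}
{%     for proto in ['tcp', 'udp'] %}
{%       if src_port or dst_port %}
{%         set l4 = (proto ~ " " ~ src_port if src_port else "") ~ " " ~ (proto ~ " " ~ dst_port if dst_port else "") %}
{%       else %}
{%         set l4 = "ip protocol " ~ proto %}
{%       endif %}
{%       if log %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{%       endif %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter {{ translate }} comment "{{ comment }}"
{%     endfor %}
{%   else %}
{%     if r.protocol == "all" %}
{#       No protocol to qualify a port with. Any configured port is emitted
         unqualified on purpose: nft rejects the rule, which is safer than
         silently matching every protocol. The CLI is expected to refuse a
         port together with protocol "all" -- confirm in the verify step. #}
{%       set l4 = src_port ~ " " ~ dst_port %}
{%     elif src_port or dst_port %}
{%       set l4 = (r.protocol ~ " " ~ src_port if src_port else "") ~ " " ~ (r.protocol ~ " " ~ dst_port if dst_port else "") %}
{%     else %}
{%       set l4 = "ip protocol " ~ r.protocol %}
{%     endif %}
{%     if log %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{%     endif %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter {{ translate }} comment "{{ comment }}"
{%   endif %}
{% endfor %}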


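{#
  Source NAT: one rule per enabled entry, appended to ip nat POSTROUTING in
  iteration order; the first matching "snat", "masquerade" or "return" ends
  NAT processing for that packet, which the "exclude" entries rely on.

  Every r.* value is interpolated unescaped into nft syntax; the CLI
  validators are the only guard against a value that breaks out of a rule.
  The log prefixes "[SRC-NAT-<n>]", "[SRC-NAT-<n>-EXCL]" and
  "[SRC-NAT-<n>-MASQ]" are consumed by whatever parses the kernel log, so
  their format is kept exactly as before.

  Fixes relative to the previous version of this block:
    - tcp_udp rules dropped the "ip saddr" match entirely and emitted the
      source port twice (once unqualified), so they matched far more than
      configured;
    - the tcp/udp match was only built when logging was enabled;
    - `r.protocol + " " + src_port` with no source port configured raised an
      undefined-variable error for every tcp/udp rule, aborting the render;
    - "masquerade:<ports>" is not nft syntax; the port range belongs after
      "masquerade to :".
#}
{% for r in source if not r.disabled -%}
{%   set chain    = "POSTROUTING" %}
{%   set src_addr = "ip saddr " + r.source_address if r.source_address else "" %}
{%   set dst_addr = "ip daddr " + r.dest_address if r.dest_address else "" %}
{#   A port match is only valid after a transport protocol ("tcp sport ..."),
     so the protocol is prefixed where the match is assembled below. #}
{%   set src_port = "sport { " + r.source_port + " }" if r.source_port else "" %}
{%   set dst_port = "dport { " + r.dest_port + " }" if r.dest_port else "" %}
{%   set comment  = "SRC-NAT-" ~ r.number %}
{#   NOTE(review): an unset interface renders as oifname "" -- confirm that the
     CLI makes outbound-interface mandatory for source rules. #}
{%   set iface    = r.interface_out %}

{#   Log prefix keyed by rule number so a log line maps back to its rule #}
{%   set log = "" %}
{%   if r.log %}
{%     if r.exclude %}
{%       set log = "[" + comment + "-EXCL]" %}
{%     elif r.translation_address == 'masquerade' %}
{%       set log = "[" + comment + "-MASQ]" %}
{%     else %}
{%       set log = "[" + comment + "]" %}
{%     endif %}
{%   endif %}

{#   Translation statement. "exclude" translates nothing ("return" stops NAT
     processing for the match); masquerade takes its optional port range as
     "masquerade to :<ports>"; everything else is a plain snat. #}
{%   if r.exclude %}
{%     set translate = "return" %}
{%   elif r.translation_address == 'masquerade' %}
{%     set translate = "masquerade to :" + r.translation_port if r.translation_port else "masquerade" %}
{%   elif r.translation_port %}
{%     set translate = "snat to " + r.translation_address + ":" + r.translation_port %}
{%   else %}
{%     set translate = "snat to " + r.translation_address %}
{%   endif %}

{%   if r.protocol == 'tcp_udp' %}
{#     tcp_udp is expressed as two rules, one per transport protocol. #}
{%     set comment = comment + " tcp_udp" %}
{%     for proto in ['tcp', 'udp'] %}
{%       if src_port or dst_port %}
{%         set l4 = (proto ~ " " ~ src_port if src_port else "") ~ " " ~ (proto ~ " " ~ dst_port if dst_port else "") %}
{%       else %}
{%         set l4 = "ip protocol " ~ proto %}
{%       endif %}
{%       if log %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{%       endif %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter {{ translate }} comment "{{ comment }}"
{%     endfor %}
{%   else %}
{%     if r.protocol == "all" %}
{#       No protocol to qualify a port with. Any configured port is emitted
         unqualified on purpose: nft rejects the rule, which is safer than
         silently matching every protocol. The CLI is expected to refuse a
         port together with protocol "all" -- confirm in the verify step. #}
{%       set l4 = src_port ~ " " ~ dst_port %}
{%     elif src_port or dst_port %}
{%       set l4 = (r.protocol ~ " " ~ src_port if src_port else "") ~ " " ~ (r.protocol ~ " " ~ dst_port if dst_port else "") %}
{%     else %}
{%       set l4 = "ip protocol " ~ r.protocol %}
{%     endif %}
{%     if log %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{%     endif %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ src_addr }} {{ l4 }} {{ dst_addr }} counter {{ translate }} comment "{{ comment }}"
{%   endif %}
{% endfor %}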