#!/usr/sbin/nft -f
{# Jinja2 template rendered into an nft script. Inputs consumed here:
   helper_functions ('remove' | 'add' | anything else = leave untouched),
   pre_ct_ignore / pre_ct_conntrack / out_ct_ignore / out_ct_conntrack,
   and the destination / source rule lists handled further down. #}
# Start with clean NAT table
{# No family is given, so nft applies its default family for "table nat" - TODO confirm this matches the table the rules below are added to (ip nat) #}
flush table nat
{% if helper_functions == 'remove' %}
{# NAT if going to be disabled - remove rules and targets from nftables #}
{# The four values are rule handles supplied by the caller. The jump rules are
   deleted before the chain because nft will not delete a chain that is still
   referenced by a jump. #}
delete rule ip raw PREROUTING handle {{ pre_ct_ignore }}
delete rule ip raw PREROUTING handle {{ pre_ct_conntrack }}
delete rule ip raw OUTPUT handle {{ out_ct_ignore }}
delete rule ip raw OUTPUT handle {{ out_ct_conntrack }}
delete chain ip raw NAT_CONNTRACK
{% elif helper_functions == 'add' %}
{# NAT if enabled - add targets to nftables #}
{# Here the same four values are used as "position" arguments (the handle after
   which each jump is inserted), not as handles of the rules themselves.
   VYATTA_CT_HELPER is expected to exist already; it is not created by this file. #}
add chain ip raw NAT_CONNTRACK
add rule ip raw NAT_CONNTRACK counter accept
add rule ip raw PREROUTING position {{ pre_ct_ignore }} counter jump VYATTA_CT_HELPER
add rule ip raw PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
add rule ip raw OUTPUT position {{ out_ct_ignore }} counter jump VYATTA_CT_HELPER
add rule ip raw OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
{% endif %}
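{% for r in destination if not r.disabled -%}
{# One DNAT rule per enabled destination rule (two for tcp_udp), matched on the
   inbound interface, optionally preceded by a logging rule with the same match. #}
{% set chain = "PREROUTING" %}
{% set dst_addr = "ip daddr " + r.dest_address if r.dest_address %}
{# "~" stringifies its operands, so a numeric dest_port or rule number cannot raise a TypeError #}
{% set dst_port = "dport { " ~ r.dest_port ~ " }" if r.dest_port %}
{% set trns_addr = "dnat to " + r.translation_address %}
{% set trns_port = ":" + r.translation_port if r.translation_port %}
{% set comment = "DST-NAT-" ~ r.number %}
{% set iface = r.interface_in %}
{# Reset per rule: a variable assigned inside a Jinja for-body keeps its value into
   the next iteration, so without this a non-logged rule following a logged one
   would inherit the previous rule's log prefix and emit a log rule. #}
{% set log = "" %}
{% if r.log %}
{% if r.exclude %}
{% set log = "[" + comment + "-EXCL]" %}
{% elif r.translation_address == 'masquerade' %}
{% set log = "[" + comment + "-MASQ]" %}
{% else %}
{% set log = "[" + comment + "]" %}
{% endif %}
{% endif %}
{% if r.exclude %}
{# rule has been marked as "exclude" thus we simply return here #}
{% set trns_addr = "return" %}
{% set trns_port = "" %}
{% endif %}
{% if r.protocol == 'tcp_udp' %}
{# Special handling for protocol tcp_udp which is represented as two individual rules #}
{% set comment = comment + " tcp_udp" %}
{# The match expressions are needed by the dnat/return rules as well, not only by
   the log rules, so they are built unconditionally rather than inside "if log". #}
{% set tcp_dst_port = "tcp " + dst_port if dst_port else "ip protocol tcp" %}
{% set udp_dst_port = "udp " + dst_port if dst_port else "ip protocol udp" %}
{% if log %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% if log %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% else %}
{# nft has no bare "dport" match; the transport protocol has to precede it, as in
   the tcp_udp branch above. Without a port, match on the protocol number instead. #}
{% set proto_dst_port = r.protocol + " " + dst_port if dst_port else "ip protocol " + r.protocol %}
{% if log %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
add rule ip nat {{ chain }} iifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% endif %}
{% endfor %}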
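{% for r in source if not r.disabled -%}
{# One SNAT rule per enabled source rule (two for tcp_udp), matched on the
   outbound interface, optionally preceded by a logging rule with the same match. #}
{% set chain = "POSTROUTING" %}
{% set dst_addr = "ip daddr " + r.dest_address if r.dest_address %}
{# "~" stringifies its operands, so a numeric dest_port or rule number cannot raise a TypeError #}
{% set dst_port = "dport { " ~ r.dest_port ~ " }" if r.dest_port %}
{% set trns_addr = "snat to " + r.translation_address %}
{% set trns_port = ":" + r.translation_port if r.translation_port %}
{% set comment = "SRC-NAT-" ~ r.number %}
{% set iface = r.interface_out %}
{# Reset per rule: a variable assigned inside a Jinja for-body keeps its value into
   the next iteration, so without this a non-logged rule following a logged one
   would inherit the previous rule's log prefix and emit a log rule. #}
{% set log = "" %}
{% if r.log %}
{% if r.exclude %}
{% set log = "[" + comment + "-EXCL]" %}
{% elif r.translation_address == 'masquerade' %}
{% set log = "[" + comment + "-MASQ]" %}
{% else %}
{% set log = "[" + comment + "]" %}
{% endif %}
{% endif %}
{% if r.exclude %}
{# rule has been marked as "exclude" thus we simply return here #}
{% set trns_addr = "return" %}
{% set trns_port = "" %}
{% endif %}
{% if r.protocol == 'tcp_udp' %}
{# Special handling for protocol tcp_udp which is represented as two individual rules #}
{% set comment = comment + " tcp_udp" %}
{# The match expressions are needed by the snat/return rules as well, not only by
   the log rules, so they are built unconditionally rather than inside "if log". #}
{% set tcp_dst_port = "tcp " + dst_port if dst_port else "ip protocol tcp" %}
{% set udp_dst_port = "udp " + dst_port if dst_port else "ip protocol udp" %}
{% if log %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ tcp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% if log %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ udp_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% else %}
{# nft has no bare "dport" match; the transport protocol has to precede it, as in
   the tcp_udp branch above. Without a port, match on the protocol number instead. #}
{% set proto_dst_port = r.protocol + " " + dst_port if dst_port else "ip protocol " + r.protocol %}
{% if log %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter log prefix "{{ log }}" comment "{{ comment }}"
{% endif %}
add rule ip nat {{ chain }} oifname "{{ iface }}" {{ proto_dst_port }} {{ dst_addr }} counter {{ trns_addr }}{{ trns_port }} comment "{{ comment }}"
{% endif %}
{% endfor %}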