1 files changed, 47 insertions, 0 deletions

diff --git a/data/templates/firewall/nftables-cgnat.j2 b/data/templates/firewall/nftables-cgnat.j2
new file mode 100644
index 0000000..79a8e3d
--- /dev/null
+++ b/data/templates/firewall/nftables-cgnat.j2
@@ -0,0 +1,47 @@
+#!/usr/sbin/nft -f
+
+add table ip cgnat
+flush table ip cgnat
+
+add map ip cgnat tcp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat udp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat icmp_nat_map { type ipv4_addr: interval ipv4_addr . inet_service ; flags interval ;}
+add map ip cgnat other_nat_map { type ipv4_addr: interval ipv4_addr ; flags interval ;}
+flush map ip cgnat tcp_nat_map
+flush map ip cgnat udp_nat_map
+flush map ip cgnat icmp_nat_map
+flush map ip cgnat other_nat_map
+
+table ip cgnat {
+    map tcp_nat_map {
+        type ipv4_addr : interval ipv4_addr . inet_service
+        flags interval
+        elements = { {{ proto_map_elements }} }
+    }
+
+    map udp_nat_map {
+        type ipv4_addr : interval ipv4_addr . inet_service
+        flags interval
+        elements = { {{ proto_map_elements }} }
+    }
+
+    map icmp_nat_map {
+        type ipv4_addr : interval ipv4_addr . inet_service
+        flags interval
+        elements = { {{ proto_map_elements }} }
+    }
+
+    map other_nat_map {
+        type ipv4_addr : interval ipv4_addr
+        flags interval
+        elements = { {{ other_map_elements }} }
+    }
+
+    chain POSTROUTING {
+        type nat hook postrouting priority srcnat; policy accept;
+        ip protocol tcp counter snat ip to ip saddr map @tcp_nat_map
+        ip protocol udp counter snat ip to ip saddr map @udp_nat_map
+        ip protocol icmp counter snat ip to ip saddr map @icmp_nat_map
+        counter snat ip to ip saddr map @other_nat_map
+    }
+}