Diffstat (limited to 'data/templates/firewall/nftables-nat.j2')
-rw-r--r--data/templates/firewall/nftables-nat.j246
1 files changed, 46 insertions, 0 deletions
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
new file mode 100644
index 0000000..4254f6a
--- /dev/null
+++ b/data/templates/firewall/nftables-nat.j2
@@ -0,0 +1,46 @@
+#!/usr/sbin/nft -f
+
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
+{% if first_install is not vyos_defined %}
+delete table ip vyos_nat
+{% endif %}
+{% if deleted is not vyos_defined %}
+table ip vyos_nat {
+ #
+ # Destination NAT rules build up here
+ #
+ chain PREROUTING {
+ type nat hook prerouting priority -100; policy accept;
+ counter jump VYOS_PRE_DNAT_HOOK
+{% if destination.rule is vyos_defined %}
+{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %}
+ {{ config | nat_rule(rule, 'destination') }}
+{% endfor %}
+{% endif %}
+ }
+
+ #
+ # Source NAT rules build up here
+ #
+ chain POSTROUTING {
+ type nat hook postrouting priority 100; policy accept;
+ counter jump VYOS_PRE_SNAT_HOOK
+{% if source.rule is vyos_defined %}
+{% for rule, config in source.rule.items() if config.disable is not vyos_defined %}
+ {{ config | nat_rule(rule, 'source') }}
+{% endfor %}
+{% endif %}
+ }
+
+ chain VYOS_PRE_DNAT_HOOK {
+ return
+ }
+
+ chain VYOS_PRE_SNAT_HOOK {
+ return
+ }
+
+{{ group_tmpl.groups(firewall_group, False, True) }}
+}
+{% endif %}
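Review bot: The unconditional `delete table ip vyos_nat` guarded only by `first_install` will make `nft -f` abort the whole transaction if the table is absent, which appears possible after a run that took the `deleted` branch (the table is removed and nothing recreates it), unless the caller sets `first_install` again in that case — worth confirming. Since `nft -f` applies the file atomically, a failed delete leaves the old NAT ruleset in place silently from the template's point of view. The idempotent nft idiom is to declare the table before deleting it, so the delete always has a target: `table ip vyos_nat` followed by `delete table ip vyos_nat`, which then no longer needs the `first_install` guard at all. Separately, `VYOS_PRE_DNAT_HOOK` and `VYOS_PRE_SNAT_HOOK` are bare `return` chains with no explanation; a one-line comment above each such as `# Empty hook chain: jumped to before the configured rules so other components can insert rules without editing this template` would tell the next maintainer why they exist and why they must run before the generated rules.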