Merge pull request #2162 from nicolas-fort/T5472

T5472: nat redirect: allow redirection without defining redirected port
vyos · Aug 23, 2023 · 7659c45 · 7659c45
2 parents b1886e3 + f0ae034
commit 7659c45
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 5 deletions.
diff --git a/python/vyos/nat.py b/python/vyos/nat.py
@@ -56,10 +56,13 @@ def parse_nat_rule(rule_conf, rule_id, nat_type, ipv6=False):
     elif 'translation' in rule_conf:
         addr = dict_search_args(rule_conf, 'translation', 'address')
         port = dict_search_args(rule_conf, 'translation', 'port')
-        redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port')
-        if redirect_port:
-            translation_output = [f'redirect to {redirect_port}']
+        if 'redirect' in rule_conf['translation']:
+            translation_output = [f'redirect']
+            redirect_port = dict_search_args(rule_conf, 'translation', 'redirect', 'port')
+            if redirect_port:
+                translation_output.append(f'to {redirect_port}')
         else:
+
             translation_prefix = nat_type[:1]
             translation_output = [f'{translation_prefix}nat']
 

diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py
@@ -244,10 +244,17 @@ def test_dnat_redirect(self):
         self.cli_set(dst_path + ['rule', '10', 'inbound-interface', ifname])
         self.cli_set(dst_path + ['rule', '10', 'translation', 'redirect', 'port', redirected_port])
 
+        self.cli_set(dst_path + ['rule', '20', 'destination', 'address', dst_addr_1])
+        self.cli_set(dst_path + ['rule', '20', 'destination', 'port', dest_port])
+        self.cli_set(dst_path + ['rule', '20', 'protocol', protocol])
+        self.cli_set(dst_path + ['rule', '20', 'inbound-interface', ifname])
+        self.cli_set(dst_path + ['rule', '20', 'translation', 'redirect'])
+
         self.cli_commit()
 
         nftables_search = [
-            [f'iifname "{ifname}"', f'ip daddr {dst_addr_1}', f'{protocol} dport {dest_port}', f'redirect to :{redirected_port}']
+            [f'iifname "{ifname}"', f'ip daddr {dst_addr_1}', f'{protocol} dport {dest_port}', f'redirect to :{redirected_port}'],
+            [f'iifname "{ifname}"', f'ip daddr {dst_addr_1}', f'{protocol} dport {dest_port}', f'redirect']
         ]
 
         self.verify_nftables(nftables_search, 'ip vyos_nat')

diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py
@@ -224,7 +224,7 @@ def verify(nat):
             elif config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces():
                 Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system')
 
-            if not dict_search('translation.address', config) and not dict_search('translation.port', config) and not dict_search('translation.redirect.port', config):
+            if not dict_search('translation.address', config) and not dict_search('translation.port', config) and 'redirect' not in config['translation']:
                 if 'exclude' not in config and 'backend' not in config['load_balance']:
                     raise ConfigError(f'{err_msg} translation requires address and/or port')