nat: T4545: Rewrite show nat source rules script #1426

Merged
merged 1 commit into from Jul 25, 2022


@sever-sever sever-sever commented Jul 22, 2022

Change Summary

Rewrite 'show nat source rules' due to a large number of bugs
in NAT rules statistics. Use the new format ('vyos.opmode' module).
Ability to get raw and formatted data.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

nat

Proposed changes

How to test

VyOS configuration:

set nat source rule 10 description 'Masquerade to NAT'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 destination address '192.0.2.0/24'
set nat source rule 20 exclude
set nat source rule 20 outbound-interface 'any'
set nat source rule 20 protocol 'all'
set nat source rule 30 destination address '192.0.2.0/24'
set nat source rule 30 outbound-interface 'any'
set nat source rule 30 protocol 'tcp'
set nat source rule 30 source address '203.0.113.0/24'
set nat source rule 30 translation address '100.64.0.5'
set nat source rule 40 destination address '192.0.2.85/32'
set nat source rule 40 destination port '22001-22005'
set nat source rule 40 outbound-interface 'eth0'
set nat source rule 40 protocol 'tcp_udp'
set nat source rule 40 source port '65001-65005'
set nat source rule 40 translation address 'masquerade'
set nat source rule 50 destination port '8080'
set nat source rule 50 outbound-interface 'any'
set nat source rule 50 protocol 'tcp'
set nat source rule 50 source address '100.64.0.0/24'
set nat source rule 50 source port '9999'
set nat source rule 50 translation address 'masquerade'
set nat source rule 50 translation port '8888'
set nat source rule 60 destination port '2222-2225'
set nat source rule 60 outbound-interface 'any'
set nat source rule 60 protocol 'tcp'
set nat source rule 60 source address '100.64.0.0/24'
set nat source rule 60 source port '4442-4445'
set nat source rule 60 translation address 'masquerade'
set nat source rule 60 translation port '8882-8885'
set nat source rule 70 destination address '192.0.2.5'
set nat source rule 70 destination port '2222'
set nat source rule 70 outbound-interface 'eth1'
set nat source rule 70 protocol 'tcp'
set nat source rule 70 translation address 'masquerade'
set nat source rule 70 translation port '22'
set nat source rule 80 destination port '22,80,443'
set nat source rule 80 outbound-interface 'eth1'
set nat source rule 80 protocol 'tcp'
set nat source rule 80 translation address '192.0.2.99'

Current output (bugs described in T4545):

vyos@r14:~$ /usr/libexec/vyos/op_mode/show_nat_rules.py --source
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
10         any                                                masquerade                                         eth0      
20         any                                                                                                   any       
30         192.0.2.0/24                                       100.64.0.5                                         tcp       
40         port 65001-65005                                   masquerade                                         eth0      
           192.0.2.85 port 22001-22005                                                                                     
40         port 65001-65005                                   masquerade                                         eth0      
           192.0.2.85 port 22001-22005                                                                                     
50         port 9999 port 8080                                masquerade                                         any       
60         port 4442-4445 port 2222-2225                      masquerade                                         any       
70         192.0.2.5 port 2222                                masquerade                                         eth1      
80         port 22                                            192.0.2.99                                         eth1      
vyos@r14:~$


vyos@r14:~$ show nat source rules 
Traceback (most recent call last):
  File "/usr/libexec/vyos/op_mode/show_nat_rules.py", line 117, in <module>
    print(format_nat_rule.format(rule, srcdests[0], tran_addr, interface))
TypeError: unsupported format string passed to dict.__format__
Rule       Source                                             Translation                                        Outbound Interface
----       ------                                             -----------                                        ------------------
10         any                                                masquerade                                         eth0 

New output:

vyos@r14:~$ show nat source rules 
Rule    Source             Destination        Proto    Out-Int    Translation
------  -----------------  -----------------  -------  ---------  --------------
10      0.0.0.0/0          0.0.0.0/0          any      eth0       masquerade
        sport any          dport any
20      0.0.0.0/0          192.0.2.0/24       IP       any        exclude
        sport any          dport any
30      203.0.113.0/24     192.0.2.0/24       TCP      any        100.64.0.5
        sport any          dport any
40      0.0.0.0/0          192.0.2.85         TCP      eth0       masquerade
        sport 65001-65005  dport 22001-22005
40      0.0.0.0/0          192.0.2.85         UDP      eth0       masquerade
        sport 65001-65005  dport 22001-22005
50      100.64.0.0/24      192.0.2.85         TCP      any        masquerade
        sport 9999         dport 8080                             port 8888
60      100.64.0.0/24      192.0.2.85         TCP      any        masquerade
        sport 4442-4445    dport 2222-2225                        port 8882-8885
70      0.0.0.0/0          192.0.2.5          TCP      eth1       masquerade
        sport any          dport 2222                             port 22
80      0.0.0.0/0          0.0.0.0/0          TCP      eth1       192.0.2.99
        sport any          dport 22,80,443
vyos@r14:~$ 

Example raw format with only one rule:

vyos@r14:~$ /usr/libexec/vyos/op_mode/nat.py show_rules --direction source --raw
[
    {
        "rule": {
            "family": "ip",
            "table": "nat",
            "chain": "POSTROUTING",
            "handle": 114,
            "comment": "SRC-NAT-10",
            "expr": [
                {
                    "match": {
                        "op": "==",
                        "left": {
                            "meta": {
                                "key": "oifname"
                            }
                        },
                        "right": "eth0"
                    }
                },
                {
                    "counter": {
                        "packets": 0,
                        "bytes": 0
                    }
                },
                {
                    "masquerade": null
                }
            ]
        }
    }
]
vyos@r14:~$ 

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
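The split the description mentions, raw data on one side and formatted output on the other, is easy to show on the nft JSON that the `--raw` mode above returns. The following Python is an added example written for this page; it is not vyos-1x code and not the script this PR merges. The ruleset is constructed here in the same shape as the `--raw` output (one masquerade rule, one exclude rule, one port-range rule), and `parse_rule`, `get_raw_data`, `get_formatted_output` and `render_table` are names chosen for the example. As the two rows for rule 40 in the new output suggest, one configured rule can become more than one nft rule, so the parser keeps one row per nft rule and reads the rule number from the `SRC-NAT-<n>` comment.

```python
"""Raw vs. formatted view of nftables JSON NAT rules (added example, not vyos-1x code)."""
import json

# Constructed sample, shaped like the `nat.py show_rules --direction source --raw`
# output in the PR: a masquerade rule, an exclude (return) rule and a port-range rule.
SAMPLE_NFT_JSON = r'''
{"nftables": [
  {"metainfo": {"version": "1.0.2", "json_schema_version": 1}},
  {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 114,
            "comment": "SRC-NAT-10", "expr": [
              {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eth0"}},
              {"counter": {"packets": 0, "bytes": 0}},
              {"masquerade": null}]}},
  {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 115,
            "comment": "SRC-NAT-20", "expr": [
              {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                         "right": {"prefix": {"addr": "192.0.2.0", "len": 24}}}},
              {"counter": {"packets": 3, "bytes": 180}},
              {"return": null}]}},
  {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 116,
            "comment": "SRC-NAT-40", "expr": [
              {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eth0"}},
              {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "daddr"}},
                         "right": "192.0.2.85"}},
              {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "sport"}},
                         "right": {"range": [65001, 65005]}}},
              {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                         "right": {"range": [22001, 22005]}}},
              {"counter": {"packets": 12, "bytes": 960}},
              {"masquerade": null}]}}
]}
'''


def _fmt_right(right):
    """Render a match right-hand side (plain value, prefix, range or set) as text."""
    if isinstance(right, dict):
        if 'prefix' in right:
            return f"{right['prefix']['addr']}/{right['prefix']['len']}"
        if 'range' in right:
            lo, hi = right['range']
            return f"{lo}-{hi}"
        if 'set' in right:
            return ','.join(_fmt_right(x) for x in right['set'])
    return str(right)


def parse_rule(rule):
    """Reduce one nft JSON rule object to the columns of `show nat source rules`."""
    row = {'rule': None, 'handle': rule.get('handle'),
           'source': '0.0.0.0/0', 'destination': '0.0.0.0/0',
           'sport': 'any', 'dport': 'any', 'proto': 'any',
           'out_int': 'any', 'translation': None, 'packets': 0, 'bytes': 0}
    comment = rule.get('comment') or ''
    if comment.startswith('SRC-NAT-'):          # VyOS tags each rule with its number
        row['rule'] = int(comment[len('SRC-NAT-'):])
    for expr in rule.get('expr', []):
        if 'match' in expr:
            left, right = expr['match']['left'], expr['match']['right']
            if 'meta' in left and left['meta']['key'] == 'oifname':
                row['out_int'] = right
            elif 'payload' in left:
                proto, field = left['payload']['protocol'], left['payload']['field']
                if proto == 'ip' and field in ('saddr', 'daddr'):
                    row['source' if field == 'saddr' else 'destination'] = _fmt_right(right)
                elif field in ('sport', 'dport'):
                    row['proto'] = proto.upper()     # port match implies the L4 protocol
                    row[field] = _fmt_right(right)
        elif 'counter' in expr:                      # statistics ride along with the rule
            row['packets'], row['bytes'] = expr['counter']['packets'], expr['counter']['bytes']
        elif 'masquerade' in expr:
            port = (expr['masquerade'] or {}).get('port')
            row['translation'] = 'masquerade' + (f' port {_fmt_right(port)}' if port else '')
        elif 'snat' in expr:
            snat = expr['snat']
            row['translation'] = _fmt_right(snat['addr']) + (
                f" port {_fmt_right(snat['port'])}" if 'port' in snat else '')
        elif 'return' in expr:                       # `exclude` compiles to a plain return
            row['translation'] = 'exclude'
    return row


def get_raw_data(nft_json_text, chain='POSTROUTING'):
    """Raw mode: the chain's rule objects exactly as nft emitted them."""
    data = json.loads(nft_json_text)
    return [o for o in data['nftables'] if 'rule' in o and o['rule']['chain'] == chain]


def get_formatted_output(nft_json_text, chain='POSTROUTING'):
    """Formatted mode: one parsed row per nft rule, in ruleset order."""
    return [parse_rule(o['rule']) for o in get_raw_data(nft_json_text, chain)]


def render_table(rows):
    """Two lines per rule, in the column order of the new `show nat source rules`."""
    hdr = f"{'Rule':<6}{'Source':<19}{'Destination':<19}{'Proto':<8}{'Out-Int':<10}Translation"
    lines = [hdr, '-' * len(hdr)]
    for r in rows:
        lines.append(f"{r['rule'] or '':<6}{r['source']:<19}{r['destination']:<19}"
                     f"{r['proto']:<8}{r['out_int']:<10}{r['translation'] or ''}")
        lines.append(f"{'':<6}{'sport ' + r['sport']:<19}{'dport ' + r['dport']:<19}")
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render_table(get_formatted_output(SAMPLE_NFT_JSON)))
```

Keeping the raw path as the untouched nft objects is what makes the formatted path cheap to test: every column in the table is derived from a field you can point at in the JSON, and a formatting regression (like the `dict.__format__` traceback in the old script) can be caught by asserting on the parsed rows rather than on screen output.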

Rewrite 'show nat source rules' due to a large number of bugs
in NAT rules statistics. Use new format 'vyos.opmode module'
Ability to get raw_data and formatted_output for the future
op-mode rewriting functional
Ability to get raw and formatted data
@c-po c-po merged commit df7348d into vyos:current Jul 25, 2022
3 participants