Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nat: T4367: Move nat rules from /tmp to /run/nftables_nat.conf #1505

Merged
merged 1 commit into from Aug 30, 2022
Merged

nat: T4367: Move nat rules from /tmp to /run/nftables_nat.conf #1505

merged 1 commit into from Aug 30, 2022

Conversation

sever-sever
Copy link
Member

Change Summary

Move nftables nat configuration from /tmp to /run
As we have for other services like firewall, conntrack
Don't remove the config file '/run/nftables_nat.conf' after commit

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Component(s) name

nat

Proposed changes

How to test

set nat destination rule 100 destination port '2222'
set nat destination rule 100 inbound-interface 'eth0'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation address '192.0.2.2'
set nat destination rule 100 translation port '22'

Expect file /run/nftables_nat.conf

vyos@r14# cat /run/nftables_nat.conf 
#!/usr/sbin/nft -f


# Start with clean SNAT and DNAT chains
flush chain ip nat PREROUTING
flush chain ip nat POSTROUTING
add chain ip raw NAT_CONNTRACK
add rule ip raw NAT_CONNTRACK counter accept
add rule ip raw PREROUTING position 16    counter jump VYOS_CT_HELPER
add rule ip raw OUTPUT     position 21    counter jump VYOS_CT_HELPER
add rule ip raw PREROUTING position 18 counter jump NAT_CONNTRACK
add rule ip raw OUTPUT     position 23 counter jump NAT_CONNTRACK

#
# Destination NAT rules build up here
#
add rule ip nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK

add rule ip nat PREROUTING iifname "eth0" ip protocol tcp tcp dport { 2222 } counter dnat to 192.0.2.2:22 comment "DST-NAT-100"

#
# Source NAT rules build up here
#
add rule ip nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK
[edit]
vyos@r14#

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@sever-sever
nat: T4367: Move nat rules from /tmp to /run/nftables_nat.conf
aa9633b 
Move nftables nat configuration from /tmp to /run
As we have for other services like firewall, conntrack
Don't remove the config file '/run/nftables_nat.conf' after commit
@c-po c-po merged commit 74f73bc into vyos:current Aug 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@c-po c-po Awaiting requested review from c-po

@DmitriyEshenko DmitriyEshenko Awaiting requested review from DmitriyEshenko

@dmbaturin dmbaturin Awaiting requested review from dmbaturin

@jestabro jestabro Awaiting requested review from jestabro

@zdc zdc Awaiting requested review from zdc

Assignees

@sever-sever sever-sever

Labels
None yet
Milestone
No milestone
2 participants
@sever-sever @c-po