Commit 7c39fd9a authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

NATRule: support IPv6

fixes #9642
parent c699eca7
......@@ -505,12 +505,25 @@ rules*. These are contained in two top-level lists named **snat** and
**dnat**, respectively.
Each NAT rule may have an attribute named **to-addr** that specifies
the IPv4 address range to which the original source or destination
address is mapped. The value can be a single IPv4 address or a range
specified by two addresses, separated with the **-** character. If not
defined, it defaults to the primary address of the ingress interface
in case of destination NAT, or that of the egress interface in case of
source NAT.
the IP address ranges to which the original source or destination
address is mapped. It is a list that can contain
* an IPv4 address or range
* an IPv6 address or range
* DNS name which resolves to an IPv4 and/or IPv6 address
Only one address or range per protocol version may be defined. Ranges
are specified by two addresses, separated with the **-** character. If
not defined, **to-addr** defaults to the primary address of the
ingress interface in case of destination NAT, or that of the egress
interface in case of source NAT.
When **to-addr** is defined, the NAT rule applies to those protocol
versions for which an address is given. The protocol version scope can
be explicitly defined using the **family** attribute. It is a list
where the allowed values are **inet** and **inet6**, corresponding to
IPv4 and IPv6. When both **to-addr** and **family** are undefined, the
rule applies to IPv4 packets only.
Optionally, a NAT rule can specify the TCP and UDP port range to which
the original source or destination port is mapped. The attribute is
......
......@@ -5,17 +5,24 @@ See LICENSE file for license details
]]--
local identify = require('awall.family').identify
local resolveunique = require('awall.host').resolveunique
local model = require('awall.model')
local class = model.class
local contains = require('awall.util').contains
local expandfamilies = require('awall.optfrag').expandfamilies
local util = require('awall.util')
local setdefault = util.setdefault
local NATRule = class(model.Rule)
function NATRule:init(...)
NATRule.super(self):init(...)
-- alpine v2.4 compatibility
local attrs = {['ip-range']='to-addr', ['port-range']='to-port'}
for old, new in pairs(attrs) do
if not self[new] and self[old] then
......@@ -23,38 +30,60 @@ function NATRule:init(...)
self[new] = self[old]
end
end
if not self.family then
for _, addr in util.listpairs(self['to-addr']) do
local family = identify(addr)
if family ~= 'domain' then
table.insert(setdefault(self, 'family', {}), family)
end
end
setdefault(self, 'family', 'inet')
end
end
function NATRule:porttrans() return self['to-port'] end
function NATRule:trulefilter(rule)
if not contains(self.params.chains, rule.chain) then
self:error(
'Inappropriate zone definitions for a '..self.params.target..' rule'
)
end
return rule.family == 'inet'
end
function NATRule:mangleoptfrags(ofrags)
ofrags = expandfamilies(ofrags, self.family)
if self:customtarget() or self:target() then return ofrags end
function NATRule:table() return 'nat' end
local addrs = self['to-addr'] and resolveunique(
self['to-addr'], self.family, self
) or {}
for _, ofrag in ipairs(ofrags) do
if not ofrag.target then
local addr = addrs[ofrag.family]
local target
function NATRule:target()
local target = NATRule.super(self):target()
if addr then
if self['to-port'] and addr:find(':') then addr = '['..addr..']' end
target = self.params.target..' --to-'..self.params.subject..' '..addr
else target = self.params.deftarget end
if not target then
local addr = self['to-addr']
if addr then
target = self.params.target..' --to-'..self.params.subject..' '..addr
else target = self.params.deftarget end
if self['to-port'] then
target = target..(addr and ':' or ' --to-ports ')..self['to-port']
end
if self['to-port'] then
target = target..(addr and ':' or ' --to-ports ')..self['to-port']
ofrag.target = target
end
end
return target
return ofrags
end
function NATRule:trulefilter(rule)
if not util.contains(self.params.chains, rule.chain) then
self:error(
'Inappropriate zone definitions for a '..self.params.target..' rule'
)
end
return true
end
function NATRule:table() return 'nat' end
local DNATRule = class(NATRule)
......
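Review bot: In `NATRule:init`, a **to-addr** list consisting only of DNS names leaves `self.family` unset, because the loop skips every entry whose `identify(addr)` is `'domain'`, and the following `setdefault(self, 'family', 'inet')` then pins the rule to IPv4; a name that resolves only to an IPv6 address would presumably be rejected or ignored by `resolveunique` in `mangleoptfrags` instead of yielding an IPv6 rule, which does not match the "IPv4 and/or IPv6" wording in the documentation hunk unless the user also sets **family**. If that is the intended behaviour, a comment on the fallback such as `-- DNS names carry no family; without explicit 'family' the rule stays IPv4-only` would spare the next reader the same question, and the documentation should state it. Separately, in `mangleoptfrags` the bracketing test `addr:find(':')` inspects the resolved string although the protocol family is already known from the fragment; `if self['to-port'] and ofrag.family == 'inet6' then addr = '['..addr..']' end` expresses the intent directly and cannot be confused by future changes to what `resolveunique` returns. The `init` body is split across the two hunks of this file.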
......@@ -17,6 +17,10 @@ for _, mode in ipairs{{'dnat', {['in']='A'}}, {'snat', {out='B'}}} do
table.insert(res[mode[1]], util.update(util.copy(mode[2]), params))
end
local function add_exclude(family)
add{family=family, service='ssh', action='exclude'}
end
local function add_include(params)
for _, port in ipairs{false, 7890, '1234-5678'} do
params.service = 'http'
......@@ -25,11 +29,18 @@ for _, mode in ipairs{{'dnat', {['in']='A'}}, {'snat', {out='B'}}} do
end
end
add{service='ssh', action='exclude'}
add_exclude()
add_include{}
for _, addr in ipairs{'10.1.2.3', '10.2.3.100-10.2.3.200'} do
add_include{['to-addr']=addr}
for _, addr in ipairs{
{'inet', '10.2.3.100-10.2.3.200'},
{'inet6', 'fc00:600d::cafe'},
{{'inet', 'inet6'}, {'10.1.2.3', 'fc00:dead::beef-fc00:dead::ca1f'}}
} do
add_exclude(addr[1])
add_include{family=addr[1]}
add_include{['to-addr']=addr[2]}
add_include{family=addr[1], ['to-addr']=addr[2]}
end
end
......
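Review bot: None of the new `add_include`/`add_exclude` cases passes a DNS name in **to-addr**, although the documentation hunk in this commit lists that as a supported value, so the `'domain'` branch in `NATRule:init` and the resolution path through `resolveunique` get no coverage from this fixture. If deterministic name resolution is not available to the test harness, a one-line comment here such as `-- DNS names in to-addr are not exercised: resolution is environment-dependent` would record the gap rather than leave it implicit.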
......@@ -201,12 +201,26 @@ COMMIT
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE --to-ports 7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE --to-ports 1234-5678
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3:7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3:1234-5678
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 22 -j ACCEPT
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE --to-ports 7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE --to-ports 1234-5678
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.2.3.100-10.2.3.200
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.2.3.100-10.2.3.200:7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.2.3.100-10.2.3.200:1234-5678
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.2.3.100-10.2.3.200
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.2.3.100-10.2.3.200:7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.2.3.100-10.2.3.200:1234-5678
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 22 -j ACCEPT
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE --to-ports 7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j MASQUERADE --to-ports 1234-5678
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3:7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3:1234-5678
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3:7890
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -p tcp --dport 80 -j SNAT --to-source 10.1.2.3:1234-5678
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -d 10.0.0.0/12 -j SNAT --to-source 10.1.2.3
-A POSTROUTING -m set --match-set awall-masquerade src -j masquerade
......@@ -214,12 +228,26 @@ COMMIT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.2.3.100-10.2.3.200
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.2.3.100-10.2.3.200:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.2.3.100-10.2.3.200:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.2.3.100-10.2.3.200
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.2.3.100-10.2.3.200:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.2.3.100-10.2.3.200:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:1234-5678
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
......
......@@ -153,6 +153,50 @@ COMMIT
-A POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3
-A PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 22 -j ACCEPT
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j MASQUERADE --to-ports 7890
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j MASQUERADE --to-ports 1234-5678
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source fc00:600d::cafe
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:600d::cafe]:7890
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:600d::cafe]:1234-5678
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source fc00:600d::cafe
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:600d::cafe]:7890
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:600d::cafe]:1234-5678
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 22 -j ACCEPT
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j MASQUERADE
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j MASQUERADE --to-ports 7890
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j MASQUERADE --to-ports 1234-5678
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source fc00:dead::beef-fc00:dead::ca1f
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:dead::beef-fc00:dead::ca1f]:7890
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:dead::beef-fc00:dead::ca1f]:1234-5678
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source fc00:dead::beef-fc00:dead::ca1f
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:dead::beef-fc00:dead::ca1f]:7890
-A POSTROUTING -o eth1 -d fc00::/7 -p tcp --dport 80 -j SNAT --to-source [fc00:dead::beef-fc00:dead::ca1f]:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination fc00:600d::cafe
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:600d::cafe]:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:600d::cafe]:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination fc00:600d::cafe
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:600d::cafe]:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:600d::cafe]:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 22 -j ACCEPT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination fc00:dead::beef-fc00:dead::ca1f
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:dead::beef-fc00:dead::ca1f]:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:dead::beef-fc00:dead::ca1f]:1234-5678
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination fc00:dead::beef-fc00:dead::ca1f
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:dead::beef-fc00:dead::ca1f]:7890
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination [fc00:dead::beef-fc00:dead::ca1f]:1234-5678
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
......