Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

T5804: nat: allow <any> interface for inbound and outbound #2579

Closed
wants to merge 3 commits into from
Closed

T5804: nat: allow <any> interface for inbound and outbound #2579

wants to merge 3 commits into from

Conversation

nicolas-fort
Copy link
Contributor

Change Summary

Allow interface for inbound and outbound interface name in vyos cli. When used, append nothing while generating the rule.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

nat

Proposed changes

How to test

vyos@nat-any:~$ show config comm | grep nat
set nat destination rule 10 destination address '2.2.2.2'
set nat destination rule 10 inbound-interface name 'eth2'
set nat destination rule 10 translation address '3.3.3.3'
set nat destination rule 20 destination address '8.8.8.8'
set nat destination rule 20 inbound-interface name 'any'
set nat destination rule 20 translation address '9.9.9.9'
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 translation address 'masquerade'
set nat source rule 20 outbound-interface name 'any'
set nat source rule 20 translation address '1.1.1.1'
vyos@nat-any:~$ sudo nft list table ip vyos_nat
table ip vyos_nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                counter packets 129 bytes 30933 jump VYOS_PRE_DNAT_HOOK
                iifname "eth2" ip daddr 2.2.2.2 counter packets 0 bytes 0 dnat to 3.3.3.3 comment "DST-NAT-10"
                ip daddr 8.8.8.8 counter packets 0 bytes 0 dnat to 9.9.9.9 comment "DST-NAT-20"
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 2 bytes 152 jump VYOS_PRE_SNAT_HOOK
                oifname "eth0" counter packets 2 bytes 152 masquerade comment "SRC-NAT-10"
                counter packets 0 bytes 0 snat to 1.1.1.1 comment "SRC-NAT-20"
        }

        chain VYOS_PRE_DNAT_HOOK {
                return
        }

        chain VYOS_PRE_SNAT_HOOK {
                return
        }
}
vyos@nat-any:~$

Smoketest result

root@nat-any:/usr/libexec/vyos/tests/smoke/cli# ./test_nat.py 
test_dnat (__main__.TestNAT.test_dnat) ... ok
test_dnat_negated_addresses (__main__.TestNAT.test_dnat_negated_addresses) ... ok
test_dnat_redirect (__main__.TestNAT.test_dnat_redirect) ... ok
test_dnat_without_translation_address (__main__.TestNAT.test_dnat_without_translation_address) ... ok
test_nat_balance (__main__.TestNAT.test_nat_balance) ... ok
test_nat_no_rules (__main__.TestNAT.test_nat_no_rules) ... ok
test_snat (__main__.TestNAT.test_snat) ... ok
test_snat_groups (__main__.TestNAT.test_snat_groups) ... ok
test_snat_required_translation_address (__main__.TestNAT.test_snat_required_translation_address) ... 
Source NAT configuration error in rule 5: translation requires address
and/or port

ok
test_static_nat (__main__.TestNAT.test_static_nat) ... ok

----------------------------------------------------------------------
Ran 10 tests in 20.896s

OK
root@nat-any:/usr/libexec/vyos/tests/smoke/cli#

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@nicolas-fort
T5804: nat: allow <any> interface for inbound and outbound interfaca …
a6926c7 
…name in vyos cli. When used, append nothing while generating the rule.
@vyosbot vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team December 6, 2023 14:37
dmbaturin
dmbaturin requested changes Dec 7, 2023
View reviewed changes
Copy link
Member

@dmbaturin dmbaturin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we should adjust the migration script to delete the interface option instead, now that any is the implicit default.

@nicolas-fort
T5804: nat: update migration script for NAT in order to remove interf…
034ff42 
…ace matcher when interface equals to <any>. Also add patch for op-mode command for NAT66.
@nicolas-fort
Merge branch 'T5807-nat66-show' into T5804
d61e1ad
@c-po
Copy link
Member

c-po commented Dec 8, 2023
edited
Loading

I believe we should adjust the migration script to delete the interface option instead, now that any is the implicit default.

Why not even make it an explicit default by using defaultValue any on the XML dedinition, users will then get notified this automatically when using tab completio

@nicolas-fort
Copy link
Contributor Author

I believe we should adjust the migration script to delete the interface option instead, now that any is the implicit default.

Why not even make it an explicit default by using defaultValue any on the XML dedinition, users will then get notified this automatically when using tab completio

I would just go for updating migration script and do not support as an option, not even defualt value. Otherwise, looks like we should allow any for any other matchers as default: any protocol, any source address, any pakcet size, etc...
Any == do not use matcher.

@nicolas-fort
Copy link
Contributor Author

I'll update PR on Monday. Moving to draft for now

@nicolas-fort nicolas-fort marked this pull request as draft December 9, 2023 16:03
@nicolas-fort nicolas-fort mentioned this pull request Dec 11, 2023
Merged
12 tasks
@nicolas-fort
Copy link
Contributor Author

I'm closing this one in favor of #2611, which just contains corrections to migration script

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dmbaturin dmbaturin dmbaturin requested changes

@sever-sever sever-sever sever-sever approved these changes

@c-po c-po c-po approved these changes

@sarthurdev sarthurdev Awaiting requested review from sarthurdev sarthurdev is a code owner automatically assigned from vyos/reviewers

@zdc zdc Awaiting requested review from zdc zdc is a code owner automatically assigned from vyos/reviewers

@jestabro jestabro Awaiting requested review from jestabro jestabro is a code owner automatically assigned from vyos/reviewers

Assignees

@nicolas-fort nicolas-fort

Labels
current
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@nicolas-fort @c-po @dmbaturin @sever-sever