Add setting to disable NAT for a given destination IP set

2024-09-16 16:24:09 +02:00 · 2024-09-16 16:24:09 +02:00 · 0fa06ecbba
commit 0fa06ecbba
parent 5f1e1ae3e7
2 changed files with 14 additions and 8 deletions
--- a/web/system.py
+++ b/web/system.py
@ -131,10 +131,15 @@ def save_config():

            # Print dynamic NAT rules.
            with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
-                nft_nat = 'iif @inside oif @outside ip saddr @{name} snat to {nat}\n'
+                no_nat_set = settings.get('no_nat_set')
+                nft_nat = 'iif @inside oif @outside ip saddr @{name}'
+                if no_nat_set:
+                    # don’t NAT for these destination addresses
+                    nft_nat += ' ip daddr != @{no_nat_set}'
+                nft_nat += ' snat to {nat}\n'
                for name, data in sets.items():
                    if nat := data.get('nat'):
-                        f.write(nft_nat.format(name=name, nat=nat))
+                        f.write(nft_nat.format(name=name, nat=nat, no_nat_set=no_nat_set))

            # Print forwarding rules.
            with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f: