Add setting to disable NAT for a given destination IP set
This commit is contained in:
parent
5f1e1ae3e7
commit
0fa06ecbba
|
@ -15,20 +15,21 @@ def create_app(test_config=None):
|
||||||
'ldap_host': '',
|
'ldap_host': '',
|
||||||
'ldap_user': '',
|
'ldap_user': '',
|
||||||
'ldap_pass': '',
|
'ldap_pass': '',
|
||||||
'ldap_base_dn': '',
|
'ldap_base_dn': '', # search for VPN users under this DN
|
||||||
'user_group': '',
|
'user_group': '', # limit VPN users to this LDAP group
|
||||||
'oidc_server': '',
|
'oidc_server': '',
|
||||||
'oidc_client_id': '',
|
'oidc_client_id': '',
|
||||||
'oidc_client_secret': '',
|
'oidc_client_secret': '',
|
||||||
'admin_group': '',
|
'admin_group': '', # OIDC group for admin access
|
||||||
'admin_mail': '',
|
'admin_mail': '', # where to report errors
|
||||||
|
'no_nat_set': '', # name of destination IP set for which no NAT should be done
|
||||||
'wg_endpoint': '',
|
'wg_endpoint': '',
|
||||||
'wg_port': '51820',
|
'wg_port': '51820',
|
||||||
'wg_allowed_nets': '',
|
'wg_allowed_nets': '',
|
||||||
'wg_dns': '',
|
'wg_dns': '',
|
||||||
'wg_key': '',
|
'wg_key': '',
|
||||||
'wg_net': '',
|
'wg_net': '', # allocate wireguard IPv4 addresses from this prefix
|
||||||
'wg_net6': '',
|
'wg_net6': '', # allocate wireguard IPv6 addresses from this prefix
|
||||||
'version': 0,
|
'version': 0,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -131,10 +131,15 @@ def save_config():
|
||||||
|
|
||||||
# Print dynamic NAT rules.
|
# Print dynamic NAT rules.
|
||||||
with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
|
with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
|
||||||
nft_nat = 'iif @inside oif @outside ip saddr @{name} snat to {nat}\n'
|
no_nat_set = settings.get('no_nat_set')
|
||||||
|
nft_nat = 'iif @inside oif @outside ip saddr @{name}'
|
||||||
|
if no_nat_set:
|
||||||
|
# don’t NAT for these destination addresses
|
||||||
|
nft_nat += ' ip daddr != @{no_nat_set}'
|
||||||
|
nft_nat += ' snat to {nat}\n'
|
||||||
for name, data in sets.items():
|
for name, data in sets.items():
|
||||||
if nat := data.get('nat'):
|
if nat := data.get('nat'):
|
||||||
f.write(nft_nat.format(name=name, nat=nat))
|
f.write(nft_nat.format(name=name, nat=nat, no_nat_set=no_nat_set))
|
||||||
|
|
||||||
# Print forwarding rules.
|
# Print forwarding rules.
|
||||||
with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
|
with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
|
||||||
|
|
Loading…
Reference in a new issue