Add setting to disable NAT for a given destination IP set

This commit is contained in:
Timotej Lazar 2024-09-16 16:24:09 +02:00
parent 5f1e1ae3e7
commit 0fa06ecbba
2 changed files with 14 additions and 8 deletions

View file

@ -15,20 +15,21 @@ def create_app(test_config=None):
'ldap_host': '',
'ldap_user': '',
'ldap_pass': '',
'ldap_base_dn': '',
'user_group': '',
'ldap_base_dn': '', # search for VPN users under this DN
'user_group': '', # limit VPN users to this LDAP group
'oidc_server': '',
'oidc_client_id': '',
'oidc_client_secret': '',
'admin_group': '',
'admin_mail': '',
'admin_group': '', # OIDC group for admin access
'admin_mail': '', # where to report errors
'no_nat_set': '', # name of destination IP set for which no NAT should be done
'wg_endpoint': '',
'wg_port': '51820',
'wg_allowed_nets': '',
'wg_dns': '',
'wg_key': '',
'wg_net': '',
'wg_net6': '',
'wg_net': '', # allocate wireguard IPv4 addresses from this prefix
'wg_net6': '', # allocate wireguard IPv6 addresses from this prefix
'version': 0,
}

View file

@ -131,10 +131,15 @@ def save_config():
# Print dynamic NAT rules.
with open(output / 'etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
nft_nat = 'iif @inside oif @outside ip saddr @{name} snat to {nat}\n'
no_nat_set = settings.get('no_nat_set')
nft_nat = 'iif @inside oif @outside ip saddr @{name}'
if no_nat_set:
# don’t NAT for these destination addresses
nft_nat += ' ip daddr != @{no_nat_set}'
nft_nat += ' snat to {nat}\n'
for name, data in sets.items():
if nat := data.get('nat'):
f.write(nft_nat.format(name=name, nat=nat))
f.write(nft_nat.format(name=name, nat=nat, no_nat_set=no_nat_set))
# Print forwarding rules.
with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f: