system: create forward rules for custom VPN users

Access to some networks is restricted and can only be assigned by admin. These networks don’t have the VPN AD group defined. So for these networks enable forwarding between VPN and physical network if there are any WireGuard IPs registered.
2025-01-17 10:35:43 +01:00 · 2025-01-17 10:35:43 +01:00 · 2e4547119f
parent 02534194d8
commit 2e4547119f
1 changed files with 2 additions and 1 deletions
--- a/web/system.py
+++ b/web/system.py
@ -92,6 +92,7 @@ def save_config():
                for group in user_groups.get(key.get('user', ''), ()):
                    key_networks |= set(group_networks.get(group, ()))
                for network in key_networks:
+                    sets[network]['has_vpn_users'] = True
                    sets[network]['ip'].append(f'{ip}/32')
                    if ip6 := key.get('ip6'):
                        sets[network]['ip6'].append(ip6)
@ -144,7 +145,7 @@ def save_config():
            # Print forwarding rules.
            with open(output / 'etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
                # Forwarding rules for VPN users.
-                if vpn_networks := sorted(name for name, data in sets.items() if data.get('vpn')):
+                if vpn_networks := sorted(name for name, data in sets.items() if data.get('vpn') or data.get('has_vpn_users')):
                    nft_forward = 'iif @inside oif @inside ip saddr @{name} ip daddr @{name} accept\n'
                    nft_forward6 = 'iif @inside oif @inside ip6 saddr @{name}/6 ip6 daddr @{name}/6 accept\n'
                    f.write('# forward from the VPN interface to physical networks and back\n')