Rework NAT settings again
parent
968a2736d2
commit
aeae0f8a29
|
@ -56,17 +56,18 @@ def save_config():
|
||||||
# Populate IP sets and translation maps for NAT.
|
# Populate IP sets and translation maps for NAT.
|
||||||
ipsets = collections.defaultdict(set)
|
ipsets = collections.defaultdict(set)
|
||||||
networks = db.load('networks')
|
networks = db.load('networks')
|
||||||
nat = {}
|
|
||||||
netmap = {}
|
|
||||||
for name, network in networks.items():
|
for name, network in networks.items():
|
||||||
for ip in network.get('ip', ()):
|
for ip in network.get('ip', ()):
|
||||||
ipsets[name].add(ip)
|
ipsets[name].add(ip)
|
||||||
if 'nat' in network:
|
|
||||||
nat[ip] = network['nat']
|
|
||||||
for ip6 in network.get('ip6', ()):
|
for ip6 in network.get('ip6', ()):
|
||||||
ipsets[f'{name}6'].update(ip6)
|
ipsets[f'{name}6'].update(ip6)
|
||||||
netmap.update(network.get('netmap', {}))
|
|
||||||
|
|
||||||
|
# Load static and dynamic NAT translations.
|
||||||
|
nat = db.load('nat') # { network name: public range… }
|
||||||
|
netmap = db.load('netmap') # { private range: public range… }
|
||||||
|
|
||||||
|
# Add registered VPN addresses for each network based on
|
||||||
|
# LDAP group membership.
|
||||||
wireguard = db.load('wireguard')
|
wireguard = db.load('wireguard')
|
||||||
for ip, key in wireguard.items():
|
for ip, key in wireguard.items():
|
||||||
for network in user_networks.get(key.get('user', ''), ()):
|
for network in user_networks.get(key.get('user', ''), ()):
|
||||||
|
@ -80,8 +81,7 @@ def save_config():
|
||||||
os.makedirs(f'{output}/etc/nftables.d', exist_ok=True)
|
os.makedirs(f'{output}/etc/nftables.d', exist_ok=True)
|
||||||
os.makedirs(f'{output}/etc/wireguard', exist_ok=True)
|
os.makedirs(f'{output}/etc/wireguard', exist_ok=True)
|
||||||
|
|
||||||
# Add registered VPN addresses for each network based on
|
# Print nftables set for wireguard IPs.
|
||||||
# LDAP group membership.
|
|
||||||
with open(f'{output}/etc/nftables.d/sets.nft', 'w', encoding='utf-8') as f:
|
with open(f'{output}/etc/nftables.d/sets.nft', 'w', encoding='utf-8') as f:
|
||||||
def format_set(name, ips):
|
def format_set(name, ips):
|
||||||
return f'''\
|
return f'''\
|
||||||
|
@ -93,8 +93,8 @@ set {name} {{
|
||||||
if not name.endswith('6'):
|
if not name.endswith('6'):
|
||||||
print(format_set(name, ips), file=f)
|
print(format_set(name, ips), file=f)
|
||||||
|
|
||||||
# Print NAT (dynamic and 1:1) rules.
|
# Print static NAT (1:1) rules.
|
||||||
with open(f'{output}/etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
|
with open(f'{output}/etc/nftables.d/netmap.nft', 'w', encoding='utf-8') as f:
|
||||||
def format_map(name, elements):
|
def format_map(name, elements):
|
||||||
lines = ',\n'.join(f'{a}: {b}' for a, b in elements)
|
lines = ',\n'.join(f'{a}: {b}' for a, b in elements)
|
||||||
return f'''\
|
return f'''\
|
||||||
|
@ -105,12 +105,15 @@ map {name} {{
|
||||||
}}
|
}}
|
||||||
}}
|
}}
|
||||||
'''
|
'''
|
||||||
if nat:
|
|
||||||
print(format_map('nat', ((private, public) for private, public in nat.items())), file=f)
|
|
||||||
if netmap:
|
if netmap:
|
||||||
print(format_map('netmap-out', ((private, public) for private, public in netmap.items())), file=f)
|
print(format_map('netmap-out', ((private, public) for private, public in netmap.items())), file=f)
|
||||||
print(format_map('netmap-in', ((public, private) for private, public in netmap.items())), file=f)
|
print(format_map('netmap-in', ((public, private) for private, public in netmap.items())), file=f)
|
||||||
|
|
||||||
|
# Print dynamic NAT rules.
|
||||||
|
with open(f'{output}/etc/nftables.d/nat.nft', 'w', encoding='utf-8') as f:
|
||||||
|
for network, address in nat.items():
|
||||||
|
print(f'iifname @inside oifname @outside ip saddr @{network} snat to {address}', file=f)
|
||||||
|
|
||||||
# Print forwarding rules.
|
# Print forwarding rules.
|
||||||
with open(f'{output}/etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
|
with open(f'{output}/etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
|
||||||
for forward in db.load('forwards'):
|
for forward in db.load('forwards'):
|
||||||
|
|
|
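Review bot: The new dynamic NAT line `print(f'iifname @inside oifname @outside ip saddr @{network} snat to {address}', file=f)` interpolates both key and value from `db.load('nat')` straight into nftables rule text, and that table is now reachable from the admin menu without any check on its contents. A key that does not name a network in `ipsets` yields a reference to a set that sets.nft never defines, which will presumably make nft reject the ruleset on load, and a value that is not a plain address or range (for instance one containing a newline) is written into nat.nft as further rule text. I would reject unknown names before printing, `if network not in ipsets: raise ValueError(f'nat: unknown network {network!r}')`, and validate `address` against the address/range form the first hunk's comment `# { network name: public range… }` describes before emitting it. The `netmap` entries handed to `format_map` in this hunk come from `db.load('netmap')` with the same absence of validation. save_config() starts and ends outside the hunk.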
@ -5,6 +5,8 @@
|
||||||
{% if current_user.is_admin %}
|
{% if current_user.is_admin %}
|
||||||
<li><a href="{{ url_for('config.index') }}">Nastavitve
|
<li><a href="{{ url_for('config.index') }}">Nastavitve
|
||||||
<li><a href="{{ url_for('config.edit', name='networks') }}">Omrežja
|
<li><a href="{{ url_for('config.edit', name='networks') }}">Omrežja
|
||||||
|
<li><a href="{{ url_for('config.edit', name='nat') }}">NAT
|
||||||
|
<li><a href="{{ url_for('config.edit', name='netmap') }}">Netmap
|
||||||
<li><a href="{{ url_for('config.edit', name='groups') }}">Skupine
|
<li><a href="{{ url_for('config.edit', name='groups') }}">Skupine
|
||||||
<li><a href="{{ url_for('config.edit', name='forwards') }}">Luknje
|
<li><a href="{{ url_for('config.edit', name='forwards') }}">Luknje
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|