rc/network
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

firewall: configure NAT from NetBox data

Browse source 
This is dynamic NAT for (mostly) physical networks. NAT for custom
prefixes can still be defined in the app.
This commit is contained in:
Timotej Lazar 2024-04-28 12:15:39 +02:00
parent 457ab7d3b7
commit 8a9d47f176
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
roles/firewall/templates/nftables.nft.j2
View file

@ -108,12 +108,25 @@ table ip nat {
map netmap-in { type ipv4_addr : interval ipv4_addr; flags interval; } map netmap-in { type ipv4_addr : interval ipv4_addr; flags interval; }
map netmap-out { type ipv4_addr : interval ipv4_addr; flags interval; } map netmap-out { type ipv4_addr : interval ipv4_addr; flags interval; }
map nat {
type ipv4_addr : interval ipv4_addr; flags interval
elements = {
{% for prefix in vrf_prefixes | selectattr('family.value', '==', 4) | selectattr('custom_fields.nat') %}
{{ prefix.prefix }} : {{ prefix.custom_fields.nat.address | ipmath(0) }}
{{- '' if loop.last else ',' }} # {{ prefix.vlan.name }}
{% endfor %}
}
}
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat type nat hook postrouting priority srcnat
iif @inside oif @outside snat ip prefix to ip saddr map @netmap-out \ iif @inside oif @outside snat ip prefix to ip saddr map @netmap-out \
comment "Static source NAT for 1:1 mapped addresses" comment "Static source NAT for 1:1 mapped addresses"
iif @inside oif @outside snat to ip saddr map @nat \
comment "Dynamic NAT for private IPv4 networks"
include "/etc/nftables.d/nat.nft*" include "/etc/nftables.d/nat.nft*"
} }