--[[
NAT module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
module(..., package.seeall)
require 'awall.model'
require 'awall.util'
local model = awall.model
local util = awall.util
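-- Base class for NAT rules. Holds the validation and iptables target
-- construction shared by the DNAT/SNAT subclasses, which supply
-- self.params = {forbidif=, subject=, chain=, target=}.
local NATRule = model.class(model.Rule)

--- Run the generic Rule initialisation, then reject rules bound to the
-- firewall zone on either side.
-- Raises an error when 'in' or 'out' refers to the firewall zone.
function NATRule:init()
   model.Rule.init(self)
   -- NOTE(review): 'fwzone' is not declared in this file; under
   -- module(..., package.seeall) it resolves through the module
   -- environment. Confirm it is the firewall-zone marker provided by
   -- awall.model — if it resolves to nil this check likely never fires.
   if util.contains({self['in'], self.out}, fwzone) then
      error('NAT rules not allowed for firewall zone')
   end
end

--- NAT rules carry no default zone.
-- Returns a table whose single entry is nil (empty to ipairs and #);
-- presumably the Rule base class treats this as "no zone" — confirm.
function NATRule:defaultzones() return {nil} end

--- Reject the interface option that has no meaning for this rule's chain.
-- The subclass names the forbidden side in params.forbidif ('out' for
-- DNAT in PREROUTING, 'in' for SNAT in POSTROUTING).
-- @param ofrag table of zone option fragments keyed by direction
-- Raises an error when the forbidden direction is present.
function NATRule:checkzoneoptfrag(ofrag)
   local forbidden = self.params.forbidif
   if ofrag[forbidden] then
      -- 'in'/'out' .. 'bound' reads as "inbound"/"outbound". The rule
      -- name is taken from params: the previous bare 'target' was an
      -- undeclared global (nil), so the concatenation itself raised a
      -- Lua error and hid this message.
      error('Cannot specify '..forbidden..'bound interface for '..
            self.params.target..' rule')
   end
end

--- Translate the rule, keeping only the IPv4 fragments.
-- Fragments of any other family produced by the generic translation are
-- dropped, so NAT is emitted for ip4 only.
-- @treturn table list of ip4 rule fragments
function NATRule:trules()
   local res = {}
   for _, ofrags in ipairs(model.Rule.trules(self)) do
      if ofrags.family == 'ip4' then res[#res + 1] = ofrags end
   end
   return res
end

--- @treturn string the iptables table these rules belong to
function NATRule:table() return 'nat' end

--- @treturn string the chain chosen by the subclass (PREROUTING/POSTROUTING)
function NATRule:chain() return self.params.chain end

--- Build the iptables target specification.
-- Raises an error when no 'ip-range' is configured.
-- @treturn string e.g. "DNAT --to-destination <range>[:<port-range>]"
function NATRule:target()
   local range = self['ip-range']
   if not range then error('IP range not defined for NAT rule') end
   -- 'ip-range' and 'port-range' are interpolated verbatim into the
   -- generated rule text; assumes they were validated upstream
   -- (model.Rule) — confirm.
   local target = self.params.target..' --to-'..self.params.subject..' '..range
   local ports = self['port-range']
   if ports then target = target..':'..ports end
   return target
end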
-- Destination NAT: rewritten in PREROUTING, where no outbound interface
-- is known yet, so the 'out' option is forbidden for these rules.
local DNATRule = model.class(NATRule)

--- Initialise as a NAT rule and fix the DNAT-specific parameters.
-- NATRule.init runs first, matching the base class contract; params are
-- consulted later by chain(), target() and checkzoneoptfrag().
function DNATRule:init()
   NATRule.init(self)
   self.params = {
      chain = 'PREROUTING',     -- hook point for DNAT
      target = 'DNAT',          -- iptables target name
      subject = 'destination',  -- yields "--to-destination"
      forbidif = 'out',         -- no out-interface in PREROUTING
   }
end
-- Source NAT: rewritten in POSTROUTING, where the inbound interface is no
-- longer available, so the 'in' option is forbidden. Without an explicit
-- 'ip-range' the rule degrades to MASQUERADE.
local SNATRule = model.class(NATRule)

--- Initialise as a NAT rule and fix the SNAT-specific parameters.
-- NATRule.init runs first, matching the base class contract.
function SNATRule:init()
   NATRule.init(self)
   self.params = {
      chain = 'POSTROUTING',    -- hook point for SNAT
      target = 'SNAT',          -- iptables target name
      subject = 'source',       -- yields "--to-source"
      forbidif = 'in',          -- no in-interface in POSTROUTING
   }
end

--- Build the target: explicit SNAT when an 'ip-range' is configured,
-- otherwise MASQUERADE, optionally restricted to 'port-range'.
-- @treturn string
function SNATRule:target()
   if self['ip-range'] then return NATRule.target(self) end
   local ports = self['port-range']
   if ports then
      return 'MASQUERADE --to-ports '..ports
   end
   return 'MASQUERADE'
end
-- Module export (bare assignment is intentional under module()):
-- maps the JSON rule type to its implementing class.
classmap = {
   dnat = DNATRule,
   snat = SNATRule,
}

-- Module export: rules installed regardless of policy. IPv4 traffic whose
-- source is in the 'awall-masquerade' ipset is diverted to a chain of the
-- same name and masqueraded there unless its destination is also in the
-- set.
-- TODO configuration of the ipset via JSON config
defrules = {
   {
      family = 'ip4',
      table = 'nat',
      chain = 'POSTROUTING',
      opts = '-m set --match-set awall-masquerade src -j awall-masquerade',
   },
   {
      family = 'ip4',
      table = 'nat',
      chain = 'awall-masquerade',
      opts = '-m set ! --match-set awall-masquerade dst -j MASQUERADE',
   },
}