-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnat.go
147 lines (117 loc) · 2.75 KB
/
nat.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
package yafw
import (
"fmt"
"net"
"github.com/google/nftables"
"github.com/google/nftables/expr"
)
type SNATTarget int
const (
// Masquerade to the egress IP
SNATEgress SNATTarget = iota
// SNAT to specific IP
SNATSpecific
)
// TODO: SNAT mode support
// type SNATMode int
// const (
// SNATStatic SNATMode = iota
// SNATDynamic
// SNATPort
// )
type SNATRule struct {
ID int `json:"id"`
Description string `json:"description"`
Enabled bool `json:"enabled"`
Source *Address `json:"source"`
Destination *Address `json:"destination"`
Egress string `json:"egress"`
Target SNATTarget `json:"target"`
TargetAddress *Address `json:"target_address"`
Log bool `json:"log"`
// Mode SNATMode
artifact *SNATRuleArtifact
}
type SNATRuleArtifact struct {
Source *nftables.Set
Destination *nftables.Set
Egress *net.Interface
}
type DNATRule struct {
Source *net.IPNet
Destination *net.IPNet
Egress *net.Interface
// Target DNATTarget
IP net.IPNet
}
func (r *Router) SNATRules() (ret []*SNATRule) {
ret = make([]*SNATRule, 0)
for _, entry := range r.snatEntries.All() {
ret = append(ret, entry.(*SNATRule))
}
return ret
}
// the following contents implement Entry in entry.go
func (snat *SNATRule) buildArtifact(router *Router) error {
artifact := &SNATRuleArtifact{}
if snat.Source != nil {
set, err := router.addressToSet(snat.Source)
if err != nil {
return err
}
artifact.Source = set
}
if snat.Destination != nil {
set, err := router.addressToSet(snat.Destination)
if err != nil {
return err
}
artifact.Destination = set
}
if snat.Egress != "" {
iface, err := net.InterfaceByName(snat.Egress)
if err != nil {
return err
}
artifact.Egress = iface
}
snat.artifact = artifact
return nil
}
func (snat *SNATRule) Index() int {
return snat.ID
}
func (snat *SNATRule) SetIndex(index int) {
snat.ID = index
}
func (snat *SNATRule) ToRules() []*nftables.Rule {
builder := &ExprBuilder{}
artifact := snat.artifact
if artifact != nil {
if snat.Egress != "" {
builder.MetaEgressInterface(1).CompareInterfaceName(1, artifact.Egress.Name)
}
if snat.Source != nil {
builder.PayloadIPSource(1).LookupSet(1, artifact.Source)
}
if snat.Destination != nil {
builder.PayloadIPSource(1).LookupSet(1, artifact.Destination)
}
}
builder.Append(&expr.Log{
Data: []byte("yafw-snat"),
Flags: expr.LogFlagsIPOpt | expr.LogFlagsTCPOpt,
})
switch snat.Target {
case SNATEgress:
builder.Masquerade()
// case SNATSpecific:
// builder.SourceNATIP(snat.TargetAddress)
}
fmt.Printf("nat builder: %v\n", len(builder.Exprs()))
return []*nftables.Rule{
{
Exprs: builder.Exprs(),
},
}
}