fi/nix-infra
1
1
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Use a less generic nftables table name

Browse source
This commit is contained in:
yuri 2023-09-19 00:09:41 +02:00
parent cd938d5020
commit 74d5abdfe2
1 changed files with 8 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
pkgs/wireguard-nat-nftables/src/wireguard-nat-nftables.py
View file

@ -20,9 +20,9 @@ def main():
nft.set_handle_output(True) nft.set_handle_output(True)
# add nat table rules for dnat and snat masquerade # add nat table rules for dnat and snat masquerade
nft.cmd("add table nat") nft.cmd("add table wireguard-nat")
nft.cmd("add chain nat prerouting { type nat hook prerouting priority -100; }") nft.cmd("add chain wireguard-nat prerouting { type nat hook prerouting priority -100; }")
nft.cmd("add chain nat postrouting { type nat hook postrouting priority 100; }") nft.cmd("add chain wireguard-nat postrouting { type nat hook postrouting priority 100; }")
# load current nftables rules # load current nftables rules
rc, output, error = nft.cmd("list ruleset") rc, output, error = nft.cmd("list ruleset")
@ -34,14 +34,14 @@ def main():
for item in nftables_output["nftables"]: for item in nftables_output["nftables"]:
if ("rule" in item if ("rule" in item
and item["rule"]["family"] == "ip" and item["rule"]["family"] == "ip"
and item["rule"]["table"] == "nat" and item["rule"]["table"] == "wireguard-nat"
and item["rule"]["chain"] == "postrouting" and item["rule"]["chain"] == "postrouting"
and "masquerade" in item["rule"]["expr"][0] and "masquerade" in item["rule"]["expr"][0]
): ):
add_masquerade = False add_masquerade = False
break break
if add_masquerade: if add_masquerade:
nft.cmd("add rule nat postrouting masquerade") nft.cmd("add rule wireguard-nat postrouting masquerade")
while True: while True:
# list WireGuard peer endpoint addresses of WireGuard VPN connection # list WireGuard peer endpoint addresses of WireGuard VPN connection
@ -67,12 +67,12 @@ def main():
# update existing nftable dnat rules, if the remote IP mismatches # update existing nftable dnat rules, if the remote IP mismatches
for item in nftables_output["nftables"]: for item in nftables_output["nftables"]:
if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "nat" and item["rule"]["chain"] == "prerouting": if "rule" in item and item["rule"]["family"] == "ip" and item["rule"]["table"] == "wireguard-nat" and item["rule"]["chain"] == "prerouting":
handle = item["rule"]["handle"] handle = item["rule"]["handle"]
ip = item["rule"]["expr"][2]["dnat"]["addr"] ip = item["rule"]["expr"][2]["dnat"]["addr"]
port = item["rule"]["expr"][1]["match"]["right"] port = item["rule"]["expr"][1]["match"]["right"]
if not ip == port_ip_mapping[port]: if not ip == port_ip_mapping[port]:
rc, output, error = nft.cmd("replace rule nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port])) rc, output, error = nft.cmd("replace rule wireguard-nat prerouting handle {} iif {} udp dport {} dnat to {}".format(handle, interface, port, port_ip_mapping[port]))
if error: if error:
eprint(error) eprint(error)
else: else:
@ -81,7 +81,7 @@ def main():
# loop through all remaining ports and add needed dnat rules # loop through all remaining ports and add needed dnat rules
for port in port_ip_mapping: for port in port_ip_mapping:
rc, output, error = nft.cmd("add rule nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port])) rc, output, error = nft.cmd("add rule wireguard-nat prerouting iif {} udp dport {} dnat to {}".format(interface, port, port_ip_mapping[port]))
if error: if error:
print(error, file=sys.stderr) print(error, file=sys.stderr)
else: else: