Add missing "inet nat" table

With the masquerade rules, we need to get the "nat" table in the "inet" family so that we keep the overall consistency with all the other rules and the dedicated chains. This patch also correct an issue with the "daddr" and "saddr" parameter, since we need to set what ipversion is used (ip, or ip6). This allows to get the rules generated/used on the Undercloud when we toggle the "masquerade" subnet parameter. Change-Id: Ie998c4b892f59fe1909b9d0a53ee6b4059419260
2022-05-31 13:07:20 +02:00 · 2022-05-31 13:07:20 +02:00 · ce8820c8d0
parent ca90a73973
commit ce8820c8d0
4 changed files with 20 additions and 3 deletions
--- a/tripleo_ansible/roles/tripleo_nftables/files/iptables.nft
+++ b/tripleo_ansible/roles/tripleo_nftables/files/iptables.nft
@ -27,6 +27,20 @@ table inet raw {
                type filter hook output priority raw; policy accept;
        }
 }
+table inet nat {
+        chain PREROUTING {
+                type nat hook prerouting priority dstnat; policy accept;
+        }
+        chain INPUT {
+                type nat hook input priority 100; policy accept;
+        }
+        chain OUTPUT {
+                type nat hook output priority -100; policy accept;
+        }
+        chain POSTROUTING {
+                type nat hook postrouting priority srcnat; policy accept;
+        }
+}
 # Compatibility tables and chains for iptables-nft
 table ip filter {
        chain INPUT {
--- a/tripleo_ansible/roles/tripleo_nftables/templates/destination.j2
+++ b/tripleo_ansible/roles/tripleo_nftables/templates/destination.j2
@ -1,6 +1,8 @@
 {%- if 'destination' in rule %}
 {%-   if 'ipversion' in rule and rule['ipversion'] == 'ipv6' %}
 ip6
+{%- else %}
+ ip
 {%-   endif %}
 daddr {{ rule['destination'] }}
 {%- endif %}
--- a/tripleo_ansible/roles/tripleo_nftables/templates/ruleset.j2
+++ b/tripleo_ansible/roles/tripleo_nftables/templates/ruleset.j2
@ -2,7 +2,7 @@
 # Managed by tripleo-ansible/tripleo_nftables
 # Valid starting nft-0.9.8

-{%- for ruleset in tripleo_nftables_rules %}
+{% for ruleset in tripleo_nftables_rules %}
 {%    set rule=ruleset['rule'] %}
 {%    set name=ruleset['rule_name'] %}
 {%-   if 'extras' not in rule or rule['extras'].get('ensure', 'present') in ['enabled', 'present'] %}
@ -22,7 +22,6 @@ add rule
 counter
 {%-     include 'templates/jump.j2' %}
 comment "{{rule.get('rule_name', name) }}"
-
 {%   endif %}
 {% endfor %}

--- a/tripleo_ansible/roles/tripleo_nftables/templates/source.j2
+++ b/tripleo_ansible/roles/tripleo_nftables/templates/source.j2
@ -1,5 +1,7 @@
 {%- if 'source' in rule %}
-{%-   if 'ipversion' not in rule %}
+{%-   if 'ipversion' in rule and rule['ipversion'] == 'ipv6' %}
+ ip6
+{% else %}
 ip
 {%-   endif %}
 saddr {{ rule['source'] }}