Add missing "inet nat" table
With the masquerade rules, we need to get the "nat" table in the "inet" family so that we keep the overall consistency with all the other rules and the dedicated chains. This patch also correct an issue with the "daddr" and "saddr" parameter, since we need to set what ipversion is used (ip, or ip6). This allows to get the rules generated/used on the Undercloud when we toggle the "masquerade" subnet parameter. Change-Id: Ie998c4b892f59fe1909b9d0a53ee6b4059419260
This commit is contained in:
Cédric Jeanneret
Cedric Jeanneret
parent
ca90a73973
commit
ce8820c8d0
|
|
@ -27,6 +27,20 @@ table inet raw {
|
||||||
type filter hook output priority raw; policy accept;
|
type filter hook output priority raw; policy accept;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
table inet nat {
|
||||||
|
chain PREROUTING {
|
||||||
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
|
}
|
||||||
|
chain INPUT {
|
||||||
|
type nat hook input priority 100; policy accept;
|
||||||
|
}
|
||||||
|
chain OUTPUT {
|
||||||
|
type nat hook output priority -100; policy accept;
|
||||||
|
}
|
||||||
|
chain POSTROUTING {
|
||||||
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
|
}
|
||||||
|
}
|
||||||
# Compatibility tables and chains for iptables-nft
|
# Compatibility tables and chains for iptables-nft
|
||||||
table ip filter {
|
table ip filter {
|
||||||
chain INPUT {
|
chain INPUT {
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,8 @@
|
||||||
{%- if 'destination' in rule %}
|
{%- if 'destination' in rule %}
|
||||||
{%- if 'ipversion' in rule and rule['ipversion'] == 'ipv6' %}
|
{%- if 'ipversion' in rule and rule['ipversion'] == 'ipv6' %}
|
||||||
ip6
|
ip6
|
||||||
|
{%- else %}
|
||||||
|
ip
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
daddr {{ rule['destination'] }}
|
daddr {{ rule['destination'] }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
# Managed by tripleo-ansible/tripleo_nftables
|
# Managed by tripleo-ansible/tripleo_nftables
|
||||||
# Valid starting nft-0.9.8
|
# Valid starting nft-0.9.8
|
||||||
|
|
||||||
{%- for ruleset in tripleo_nftables_rules %}
|
{% for ruleset in tripleo_nftables_rules %}
|
||||||
{% set rule=ruleset['rule'] %}
|
{% set rule=ruleset['rule'] %}
|
||||||
{% set name=ruleset['rule_name'] %}
|
{% set name=ruleset['rule_name'] %}
|
||||||
{%- if 'extras' not in rule or rule['extras'].get('ensure', 'present') in ['enabled', 'present'] %}
|
{%- if 'extras' not in rule or rule['extras'].get('ensure', 'present') in ['enabled', 'present'] %}
|
||||||
|
|
@ -22,7 +22,6 @@ add rule
|
||||||
counter
|
counter
|
||||||
{%- include 'templates/jump.j2' %}
|
{%- include 'templates/jump.j2' %}
|
||||||
comment "{{rule.get('rule_name', name) }}"
|
comment "{{rule.get('rule_name', name) }}"
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,7 @@
|
||||||
{%- if 'source' in rule %}
|
{%- if 'source' in rule %}
|
||||||
{%- if 'ipversion' not in rule %}
|
{%- if 'ipversion' in rule and rule['ipversion'] == 'ipv6' %}
|
||||||
|
ip6
|
||||||
|
{% else %}
|
||||||
ip
|
ip
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
saddr {{ rule['source'] }}
|
saddr {{ rule['source'] }}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue