Enable optional NAT for tunnels
This commit is contained in:
parent
b71fb7003d
commit
25e8b65394
|
@ -9,6 +9,9 @@ tunnel = [
|
||||||
|
|
||||||
[network]
|
[network]
|
||||||
shared-internal = true
|
shared-internal = true
|
||||||
|
nats = [
|
||||||
|
"wg2"
|
||||||
|
]
|
||||||
|
|
||||||
[server]
|
[server]
|
||||||
debug = true
|
debug = true
|
||||||
|
|
58
src/rules.rs
58
src/rules.rs
|
@ -121,15 +121,26 @@ pub(crate) async fn unset(interfaces: &Interfaces, rule: Rule) -> Result<(), any
|
||||||
.await?;
|
.await?;
|
||||||
}
|
}
|
||||||
for iface in &interfaces.tunnel {
|
for iface in &interfaces.tunnel {
|
||||||
iptables::delete_forward_postrouting(
|
if interfaces
|
||||||
rule.proto,
|
.nats
|
||||||
iface.ip,
|
.iter()
|
||||||
iface.mask,
|
.any(|nat_iface| *nat_iface == iface.interface)
|
||||||
interfaces.external.ip,
|
{
|
||||||
rule.port,
|
iptables::delete_forward_prerouting(
|
||||||
dest_ip,
|
rule.proto, iface.ip, iface.mask, rule.port, dest_ip, dest_port,
|
||||||
)
|
)
|
||||||
.await?;
|
.await?;
|
||||||
|
} else {
|
||||||
|
iptables::delete_forward_postrouting(
|
||||||
|
rule.proto,
|
||||||
|
iface.ip,
|
||||||
|
iface.mask,
|
||||||
|
interfaces.external.ip,
|
||||||
|
rule.port,
|
||||||
|
dest_ip,
|
||||||
|
)
|
||||||
|
.await?;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -193,15 +204,26 @@ pub(crate) async fn apply(interfaces: &Interfaces, rule: Rule) -> Result<(), any
|
||||||
.await?;
|
.await?;
|
||||||
}
|
}
|
||||||
for iface in &interfaces.tunnel {
|
for iface in &interfaces.tunnel {
|
||||||
iptables::forward_postrouting(
|
if interfaces
|
||||||
rule.proto,
|
.nats
|
||||||
iface.ip,
|
.iter()
|
||||||
iface.mask,
|
.any(|nat_iface| *nat_iface == iface.interface)
|
||||||
interfaces.external.ip,
|
{
|
||||||
rule.port,
|
iptables::forward_prerouting(
|
||||||
dest_ip,
|
rule.proto, iface.ip, iface.mask, rule.port, dest_ip, dest_port,
|
||||||
)
|
)
|
||||||
.await?;
|
.await?;
|
||||||
|
} else {
|
||||||
|
iptables::forward_postrouting(
|
||||||
|
rule.proto,
|
||||||
|
iface.ip,
|
||||||
|
iface.mask,
|
||||||
|
interfaces.external.ip,
|
||||||
|
rule.port,
|
||||||
|
dest_ip,
|
||||||
|
)
|
||||||
|
.await?;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
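Review bot: In `unset`, the choice between `delete_forward_prerouting` and `delete_forward_postrouting` is made from the current `interfaces.nats`, exactly as `apply` picks between `forward_prerouting` and `forward_postrouting`; if the `nats` list can differ between the two calls (for example after a configuration change), `unset` will delete a rule variant that was never installed and leave the originally applied forward in place. Recording which variant was applied with the rule, or deleting both variants in `unset`, would make removal independent of the configuration in effect at that moment. The membership test is also duplicated verbatim in both hunks; a helper on `Interfaces` such as `fn is_nat(&self, name: &str) -> bool { self.nats.iter().any(|n| n == name) }` would keep the two call sites in step and give the scan one documented home. Both `unset` and `apply` begin before their hunks, so the surrounding loop over internal interfaces is not visible here.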
|
|
@ -26,6 +26,8 @@ struct InterfaceConfig {
|
||||||
#[serde(rename_all = "kebab-case")]
|
#[serde(rename_all = "kebab-case")]
|
||||||
struct NetworkConfig {
|
struct NetworkConfig {
|
||||||
shared_internal: bool,
|
shared_internal: bool,
|
||||||
|
#[serde(default)]
|
||||||
|
nats: Vec<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
#[derive(serde::Deserialize)]
|
#[derive(serde::Deserialize)]
|
||||||
|
@ -39,6 +41,7 @@ pub struct Interfaces {
|
||||||
pub(crate) internal: Vec<InterfaceInfo>,
|
pub(crate) internal: Vec<InterfaceInfo>,
|
||||||
pub(crate) tunnel: Vec<InterfaceInfo>,
|
pub(crate) tunnel: Vec<InterfaceInfo>,
|
||||||
pub(crate) shared_internal: bool,
|
pub(crate) shared_internal: bool,
|
||||||
|
pub(crate) nats: Vec<String>,
|
||||||
}
|
}
|
||||||
|
|
||||||
pub(crate) struct InterfaceInfo {
|
pub(crate) struct InterfaceInfo {
|
||||||
|
@ -95,11 +98,17 @@ impl Interfaces {
|
||||||
},
|
},
|
||||||
InterfaceInfo {
|
InterfaceInfo {
|
||||||
interface: String::from("wg1"),
|
interface: String::from("wg1"),
|
||||||
ip: "192.168.4.0".parse()?,
|
ip: "10.42.6.0".parse()?,
|
||||||
|
mask: 24,
|
||||||
|
},
|
||||||
|
InterfaceInfo {
|
||||||
|
interface: String::from("wg2"),
|
||||||
|
ip: "10.42.6.0".parse()?,
|
||||||
mask: 24,
|
mask: 24,
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
shared_internal: false,
|
shared_internal: false,
|
||||||
|
nats: Vec::new(),
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -137,6 +146,7 @@ impl Interfaces {
|
||||||
internal,
|
internal,
|
||||||
tunnel,
|
tunnel,
|
||||||
shared_internal: config.network.shared_internal,
|
shared_internal: config.network.shared_internal,
|
||||||
|
nats: config.network.nats.clone(),
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
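Review bot: `nats: config.network.nats.clone()` accepts any strings, and nothing checks that each entry names one of the `tunnel` interfaces, so a misspelled entry silently leaves that tunnel on the non-NAT path in `rules.rs` while `nat()` still emits a MASQUERADE rule for an interface that does not exist. The constructor already has `tunnel` built at that point, so it could reject the configuration unless `config.network.nats.iter().all(|n| tunnel.iter().any(|t| t.interface == *n))` holds, returning an error that names the offending entry. The new field would also benefit from a doc comment such as `/// Tunnel interface names treated as NAT egress: internal networks are masqueraded when leaving through them.` on `pub(crate) nats`. Separately, as rendered the debug fixture now gives both `wg1` and `wg2` the address `10.42.6.0` with mask 24; if that reading is right, the two tunnels overlap and one of them presumably needs a distinct subnet.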
||||||
|
|
|
@ -272,6 +272,17 @@ fn nat(interfaces: &Interfaces) -> String {
|
||||||
extif = interfaces.external.interface
|
extif = interfaces.external.interface
|
||||||
);
|
);
|
||||||
|
|
||||||
|
for nat_iface in &interfaces.nats {
|
||||||
|
for internal in &interfaces.internal {
|
||||||
|
nat += &format!(
|
||||||
|
"-A POSTROUTING -s {intip}/{intmask} -o {natiface} -j MASQUERADE\n",
|
||||||
|
intip = internal.ip,
|
||||||
|
intmask = internal.mask,
|
||||||
|
natiface = nat_iface,
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
nat += "COMMIT\n";
|
nat += "COMMIT\n";
|
||||||
|
|
||||||
nat
|
nat
|
||||||
|
|
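Review bot: The MASQUERADE lines added to `nat()` interpolate `nat_iface` straight from the `nats` configuration list into iptables-restore input; because that input is line- and token-oriented, a name containing whitespace or a newline would be read as extra tokens rather than as one interface name. Restricting `nats` entries at configuration load to names that match a configured tunnel interface (and therefore to plain interface-name characters) would guarantee the generated ruleset only ever references known interfaces. As a point of style, `writeln!(nat, "-A POSTROUTING -s {intip}/{intmask} -o {natiface} -j MASQUERADE", ...)` via `std::fmt::Write` avoids the temporary allocated by `nat += &format!(...)` on each iteration, although the preceding lines in this function use the same pattern. The `nat` function starts before the hunk, so the earlier rules and the `nat` string's initialisation are not visible here.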