enabled: [ "bool", "1" ],
name: [ "string", this.section_id(data[".name"]) ],
- family: [ "family", "4" ],
+ family: [ "family" ],
src: [ "zone_ref" ],
device: [ "string" ],
return;
}
- if (snat.src && snat.src.zone)
- snat.src.zone.dflags.snat = true;
-
let add_rule = (family, proto, saddrs, daddrs, raddrs, sport, dport, rport, snat) => {
let n = {
...snat,
if (length(rip[0]) > 1 || length(rip[1]) > 1)
this.warn_section(data, "specifies multiple rewrite addresses, using only first one");
- /* inherit family restrictions from related zones */
- if (family === 0 || family === null) {
- let f = (rule.src && rule.src.zone) ? rule.src.zone.family : 0;
-
- if (f) {
- this.warn_section(r,
- sprintf("inheriting %s restriction from src %s",
- this.nfproto(f1, true), rule.src.zone.name));
+ family = infer_family(family, [
+ sip, "source IP",
+ dip, "destination IP",
+ rip, "rewrite IP",
+ snat.src?.zone, "source zone"
+ ]);
- family = f;
- }
+ if (type(family) == "string") {
+ this.warn_section(data, family + ", skipping");
+ continue;
}
+ if (snat.src?.zone)
+ snat.src.zone.dflags.snat = true;
+
/* if no family was configured, infer target family from IP addresses */
if (family === null) {
if ((length(sip[0]) || length(dip[0]) || length(rip[0])) && !length(sip[1]) && !length(dip[1]) && !length(rip[1]))
else if ((length(sip[1]) || length(dip[1]) || length(rip[1])) && !length(sip[0]) && !length(dip[0]) && !length(rip[0]))
family = 6;
else
- family = 0;
+ family = 4; /* default to IPv4 only for backwards compatibility, unless an explict family any was configured */
}
/* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
],
"redirect": [
{
- ".description": "Redirects rhose family conflicts with the referenced zone family should be skipped",
+ ".description": "Redirects whose family conflicts with the referenced zone family should be skipped",
"src": "ipv4only",
"proto": "tcp",
"src_dport": "22",
"name": "Redirect #1",
"target": "dnat"
},
+ ],
+ "nat": [
+ {
+ ".description": "NAT rules whose family conflicts with the referenced zone family should be skipped",
+ "name": "NAT #1",
+ "family": "ipv6",
+ "src": "ipv4only",
+ "target": "masquerade"
+ },
+
+ {
+ ".description": "NAT rules whose family conflicts with their addresses should be skipped",
+ "name": "NAT #2",
+ "family": "ipv4",
+ "src": "*",
+ "src_ip": "fc00::/7",
+ "target": "masquerade"
+ },
+
+ {
+ ".description": "NAT rules without any AF specific bits and unspecified family should default to IPv4 for backwards compatibility",
+ "name": "NAT #3",
+ "src": "*",
+ "target": "masquerade"
+ },
+
+ {
+ ".description": "NAT rules without explicit family but IPv6 specific bits should be IPv6",
+ "name": "NAT #4",
+ "src": "*",
+ "src_ip": "fc00::/7",
+ "target": "masquerade"
+ },
+
+
+ {
+ ".description": "NAT rules with explicit family any should inherit zone restrictions",
+ "name": "NAT #5",
+ "src": "ipv4only",
+ "target": "masquerade"
+ },
+
+ {
+ ".description": "NAT rules without any AF specific bits but explicit family any should be IPv4/IPv6",
+ "name": "NAT #6",
+ "family": "any",
+ "src": "*",
+ "target": "masquerade"
+ }
]
}
-- End --
[!] Section @rule[2] (Rule #3) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
[!] Section @rule[3] (Rule #4) is restricted to IPv6 but referenced set match is IPv4 only, skipping
[!] Section @redirect[0] (Redirect #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
+[!] Section @nat[0] (NAT #1) is restricted to IPv6 but referenced source zone is IPv4 only, skipping
+[!] Section @nat[1] (NAT #2) is restricted to IPv4 but referenced source IP is IPv6 only, skipping
-- End --
-- Expect stdout --
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
+ meta nfproto ipv4 masquerade comment "!fw4: NAT #3"
+ ip6 saddr fc00::/7 masquerade comment "!fw4: NAT #4"
+ masquerade comment "!fw4: NAT #6"
+ meta nfproto ipv4 ip daddr 192.168.1.0/24 jump srcnat_ipv4only comment "!fw4: Handle ipv4only IPv4 srcnat traffic"
}
chain dstnat_ipv4only {
}
+ chain srcnat_ipv4only {
+ meta nfproto ipv4 masquerade comment "!fw4: NAT #5"
+ }
+
#
# Raw rules (notrack & helper)