Page MenuHomeVyOS Platform

Migrate vyatta-show-nat-rules.pl to Python
Resolved (N/A)Public

Description

The following Perl script needs a Python migration

https://github.com/vyos/vyatta-nat/blob/current/scripts/vyatta-show-nat-rules.pl
and should be placed here: https://github.com/vyos/vyos-1x/tree/current/src/op_mode

The output is as follows:

vyos@vyos:~$ show nat source rules
Disabled rules are not shown
Codes: X - exclude rule, M - masquerade rule

rule    intf              translation
----    ----              -----------
M100    pppoe0            saddr 172.16.32.0/19 to xx.xx.192.111
        proto-all         sport ANY

M200    pppoe0            saddr 172.16.100.0/24 to xx.xx.192.111
        proto-all         sport ANY

M300    pppoe0            saddr 172.31.0.0/24 to xx.xx.192.111
        proto-all         sport ANY

M400    pppoe0            saddr 172.18.201.0/21 to xx.xx.192.111
        proto-all         sport ANY
vyos@vyos:~$ show nat destination rules
Disabled rules are not shown
Codes: X - exclude rule

rule    intf              translation
----    ----              -----------
100     pppoe0            daddr ANY to 172.16.36.10
        proto-tcp         dport 80,443
Desc: HTTP(S)

1000    pppoe0            daddr ANY to 172.16.33.40
        proto-tcp         dport 3389
Desc: RDP to fooo.vyos.net

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Internal change (not visible to end users)

Event Timeline

c-po renamed this task from Migrate to Migrate vyatta-show-nat-rules.pl to Python.May 14 2020, 4:27 PM
c-po reassigned this task from c-po to thomas-mangin.
c-po triaged this task as Normal priority.
c-po created this task.
c-po created this object in space S1 VyOS Public.

After a while, I may consider how to provide the operation mode command for nat66

Now, the last migration of this task should have completed the preliminary implementation (the operation mode can view NAT rules), but it does not support port rule display

Could you please try backporting this to 1.3 equuleus branch?

${vyos_op_scripts_dir}/show_nat_rules.py --source does not yield any result

running nftbinary standalone yields the following result:

$ sudo nft -j list table ip nat
XT target TCPMSS not found
XT target TCPMSS not found
XT target TCPMSS not found
{"nftables": [{"metainfo": {"version": "0.9.6", "release_name": "Capital Idea #2", "json_schema_version": 1}}, {"table": {"family": "ip", "name": "nat", "handle": 8}}, {"chain": {"family": "ip", "table": "nat", "name": "PREROUTING", "handle": 1, "type": "nat", "hook": "prerouting", "prio": -100, "policy": "accept"}}, {"rule": {"family": "ip", "table": "nat", "chain": "PREROUTING", "handle": 44, "comment": "DST-NAT-100", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [80, 443]}}}, {"counter": {"packets": 76, "bytes": 4220}}, {"log": {"prefix": "[NAT-DST-100]"}}]}}, {"rule": {"family": "ip", "table": "nat", "chain": "PREROUTING", "handle": 46, "comment": "DST-NAT-100", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [80, 443]}}}, {"counter": {"packets": 76, "bytes": 4220}}, {"dnat": {"addr": "172.16.36.10"}}]}}, {"rule": {"family": "ip", "table": "nat", "chain": "PREROUTING", "handle": 48, "comment": "DST-NAT-8000", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": {"set": [10000]}}}, {"counter": {"packets": 15, "bytes": 1812}}, {"log": {"prefix": "[NAT-DST-8000]"}}]}}, {"rule": {"family": "ip", "table": "nat", "chain": "PREROUTING", "handle": 50, "comment": "DST-NAT-8000", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}}, "right": {"set": [10000]}}}, {"counter": {"packets": 15, "bytes": 1812}}, {"dnat": {"addr": "172.31.0.200"}}]}}, {"chain": {"family": "ip", "table": "nat", "name": "INPUT", "handle": 2, "type": "nat", "hook": "input", "prio": 100, "policy": "accept"}}, {"chain": {"family": "ip", "table": "nat", "name": "POSTROUTING", "handle": 3, "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept"}}, {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 51, "comment": "SRC-NAT-100", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": {"prefix": {"addr": "172.16.32.0", "len": 19}}}}, {"counter": {"packets": 3216, "bytes": 223954}}, {"log": {"prefix": "[NAT-SRC-100-MASQ]"}}]}}, {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 52, "comment": "SRC-NAT-100", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": {"prefix": {"addr": "172.16.32.0", "len": 19}}}}, {"counter": {"packets": 3216, "bytes": 223954}}, {"masquerade": null}]}}, {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 53, "comment": "SRC-NAT-200", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": {"prefix": {"addr": "172.16.100.0", "len": 24}}}}, {"counter": {"packets": 1959, "bytes": 160627}}, {"masquerade": null}]}}, {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 54, "comment": "SRC-NAT-300", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": {"prefix": {"addr": "172.31.0.0", "len": 24}}}}, {"counter": {"packets": 333, "bytes": 23974}}, {"masquerade": null}]}}, {"rule": {"family": "ip", "table": "nat", "chain": "POSTROUTING", "handle": 55, "comment": "SRC-NAT-400", "expr": [{"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "pppoe0"}}, {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": {"prefix": {"addr": "172.18.200.0", "len": 21}}}}, {"counter": {"packets": 51, "bytes": 3876}}, {"masquerade": null}]}}, {"chain": {"family": "ip", "table": "nat", "name": "OUTPUT", "handle": 4, "type": "nat", "hook": "output", "prio": -100, "policy": "accept"}}, {"chain": {"family": "ip", "table": "nat", "name": "VYATTA_PRE_DNAT_HOOK", "handle": 5}}, {"chain": {"family": "ip", "table": "nat", "name": "VYATTA_PRE_SNAT_HOOK", "handle": 8}}]}

@c-po I have implemented a simple script in 1.4. It works normally, but I can't count the port and protocol information

https://github.com/vyos/vyos-1x/blob/current/src/op_mode/show_nat_rules.py

erkin set Issue type to Internal change (not visible to end users).Aug 30 2021, 6:13 AM
erkin removed a subscriber: Active contributors.

It won't be implemented for 1.3.x
Have this for 1.4/1.5