author | Christian Pointner <equinox@spreadspace.org> | 2022-01-30 16:05:53 +0100 |
committer | Christian Pointner <equinox@spreadspace.org> | 2022-01-30 16:05:53 +0100 |
commit | bff77c7fb34e9ba0ae1f42ba920ff09f9faca30d (patch) | |
tree | 863169455284f182f955278035e1ea5ad72f7430 /roles/network/wireguard/gateway/templates/nftables.rules.j2 | |
parent | cleanup wireguard/p2p role (diff) |
wireguard/gateway: switch to nftables
Diffstat (limited to 'roles/network/wireguard/gateway/templates/nftables.rules.j2')
-rw-r--r-- | roles/network/wireguard/gateway/templates/nftables.rules.j2 | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/roles/network/wireguard/gateway/templates/nftables.rules.j2 b/roles/network/wireguard/gateway/templates/nftables.rules.j2
new file mode 100644
index 00000000..fcf4a21b
--- /dev/null
+++ b/roles/network/wireguard/gateway/templates/nftables.rules.j2
@@ -0,0 +1,26 @@
+# {{ ansible_managed }}
+{% if 'ip_snat' in item.value %}
+
+table ip nat {
+ chain wireguard-gateway-{{ item.key }}-snat {
+ type nat hook postrouting priority 100; policy accept;
+ ip saddr { {{ item.value.addresses | map('ipaddr', 'network/prefix') | join(', ') }} } oifname {{ item.value.ip_snat.interface }} snat to {{ item.value.ip_snat.to }}
+ }
+}
+{% endif %}
+{% if 'port_forwardings' in item.value %}
+
+table ip nat {
+ chain wireguard-gateway-{{ item.key }}-port-forwardings {
+ type nat hook prerouting priority -100; policy accept;
+{% for forward in item.value.port_forwardings %}
+{% for port in forward.tcp_ports | default([]) %}
+ ip daddr {{ forward.dest }} tcp dport {{ port }} dnat to {{ forward.tcp_ports[port] }}
+{% endfor %}
+{% for port in forward.udp_ports | default([]) %}
+ ip daddr {{ forward.dest }} udp dport {{ port }} dnat to {{ forward.udp_ports[port] }}
+{% endfor %}
+{% endfor %}
+ }
+}
+{% endif %} |
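Review bot: The DNAT rules in the port-forwardings chain match only `ip daddr` and the port, with no ingress-interface qualifier, so each forwarding is honoured for packets arriving on any interface of the gateway, presumably including the WireGuard side; if the forwards are meant for traffic from one uplink only, an `iifname <uplink-interface>` match (a new per-forward variable) would narrow the exposed surface. The SNAT set `ip saddr { ... }` is built from every entry in `item.value.addresses`; if that list can contain IPv6 addresses the rendered `table ip nat` will likely fail to load, so filtering with `| ipaddr('ipv4')` before `map('ipaddr', 'network/prefix')` would be safer, and an empty list would render an empty set that nft is also likely to reject. The numeric hook priorities could be written as the named `priority srcnat` and `priority dstnat`, which reads more clearly than `100` and `-100`. A Jinja `{# ... #}` comment at the top of the template describing the expected shape of `item.value` (`addresses`, `ip_snat.interface` and `ip_snat.to`, `port_forwardings` entries with `dest` plus `tcp_ports`/`udp_ports` maps) would make the template self-explanatory without appearing in the rendered ruleset.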