bundles/wireguard: add option 'snat_to' for connections

This commit is contained in:
Franzi 2021-09-29 19:43:29 +02:00
parent 902840ee7f
commit 5f1f4fd654
Signed by: kunsi
GPG Key ID: 12E3D2136B818350
1 changed files with 26 additions and 0 deletions


@ -218,3 +218,29 @@ def interface_ips(metadata):
return {
'interfaces': interfaces,
}
@metadata_reactor.provides(
'nftables/rules/nat_postrouting',
)
def snat(metadata):
if not node.has_bundle('nftables'):
raise DoNotRunAgain
rules = set()
for config in metadata.get('wireguard/peers', {}).values():
if 'snat_to' in config:
rules.add('ip saddr {} ip daddr != {} snat to {}'.format(
config['my_ip'],
config['their_ip'],
config['snat_to'],
))
return {
'nftables': {
'rules': {
'nat_postrouting': rules,
},
},
}
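Review bot: The rule built in `snat()` hard-codes the IPv4 `ip` family and interpolates `my_ip`, `their_ip` and `snat_to` straight from metadata, so a peer configured with IPv6 addresses (which nftables requires as `ip6 saddr` / `ip6 daddr`) or a typo in any of the three fields only surfaces when the generated ruleset fails to load on the node, not when metadata is built. Validating the three values with `ipaddress` in the reactor (`ip_interface` tolerates the `addr/prefix` form the interface config presumably uses — confirm), refusing mixed families, and deriving the family keyword from the parsed address would raise the error at metadata time with the peer name attached while leaving the rule text for valid IPv4 input unchanged. `ipaddress` would need an import at the top of the file, which is outside this hunk; the rest of `snat()` is visible in full.

```python
    rules = set()
    for peer, config in metadata.get('wireguard/peers', {}).items():
        if 'snat_to' not in config:
            continue
        # Validate here so a bad value fails the metadata build with the
        # peer name, instead of breaking the whole ruleset load on the node.
        my_ip = ipaddress.ip_interface(config['my_ip'])
        their_ip = ipaddress.ip_interface(config['their_ip'])
        snat_to = ipaddress.ip_interface(config['snat_to'])
        if not (my_ip.version == their_ip.version == snat_to.version):
            raise ValueError(
                'wireguard peer {}: my_ip, their_ip and snat_to must share an address family'.format(peer)
            )
        family = 'ip' if snat_to.version == 4 else 'ip6'
        rules.add('{0} saddr {1} {0} daddr != {2} snat to {3}'.format(
            family,
            config['my_ip'],
            config['their_ip'],
            config['snat_to'],
        ))
    # … unchanged: return of the nftables/rules/nat_postrouting dict …
```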