From 5f1f4fd654dc7a282eef1a97866d6255c0e1b514 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Wed, 29 Sep 2021 19:43:29 +0200
Subject: [PATCH] bundles/wireguard: add option 'snat_to' for connections

---
 bundles/wireguard/metadata.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/bundles/wireguard/metadata.py b/bundles/wireguard/metadata.py
index 885f91d..7374d83 100644
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@@ -218,3 +218,29 @@ def interface_ips(metadata):
     return {
         'interfaces': interfaces,
     }
+
+
+@metadata_reactor.provides(
+    'nftables/rules/nat_postrouting',
+)
+def snat(metadata):
+    if not node.has_bundle('nftables'):
+        raise DoNotRunAgain
+
+    rules = set()
+
+    for config in metadata.get('wireguard/peers', {}).values():
+        if 'snat_to' in config:
+            rules.add('ip saddr {} ip daddr != {} snat to {}'.format(
+                config['my_ip'],
+                config['their_ip'],
+                config['snat_to'],
+            ))
+
+    return {
+        'nftables': {
+            'rules': {
+                'nat_postrouting': rules,
+            },
+        },
+    }
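Review bot: The `rules.add('ip saddr {} ip daddr != {} snat to {}'.format(...))` line in `snat` splices `my_ip`, `their_ip` and `snat_to` straight from metadata into an nftables rule with no validation, so a typo or a value that is not an address produces a ruleset that fails to load (or a rule with a different meaning than intended) only at deploy time. Parsing each value first, e.g. `snat_to = ipaddress.ip_address(config['snat_to'])`, rejects malformed input early with a ValueError and documents the expected type; `ipaddress` is stdlib, though its import would land outside this hunk. The hard-coded `ip saddr`/`ip daddr` family also means an IPv6 value silently yields an invalid rule, which is worth either a comment such as `# IPv4 only: the rule uses the 'ip' family` or a family switch based on the parsed address version. A peer with `snat_to` but no `my_ip`/`their_ip` raises a bare KeyError here rather than a message naming the peer, which seems worth a guard given the rule is only emitted for that subset of peers.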