bundles/wireguard: add option 'snat_to' for connections
This commit is contained in:
parent
902840ee7f
commit
5f1f4fd654
1 changed files with 26 additions and 0 deletions
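--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -218,3 +218,29 @@ def interface_ips(metadata):
     return {
         'interfaces': interfaces,
     }
+
+
+@metadata_reactor.provides(
+    'nftables/rules/nat_postrouting',
+)
+def snat(metadata):
+    if not node.has_bundle('nftables'):
+        raise DoNotRunAgain
+
+    rules = set()
+
+    for config in metadata.get('wireguard/peers', {}).values():
+        if 'snat_to' in config:
+            rules.add('ip saddr {} ip daddr != {} snat to {}'.format(
+                config['my_ip'],
+                config['their_ip'],
+                config['snat_to'],
+            ))
+
+    return {
+        'nftables': {
+            'rules': {
+                'nat_postrouting': rules,
+            },
+        },
+    }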
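Review bot: The three peer values are formatted straight into the nftables rule text in `snat` (the `rules.add(...)` call) with no validation, so a typo, a hostname, or a value carrying a `/prefix` suffix either breaks loading of the whole `nat_postrouting` chain or silently widens what `ip saddr` matches. These values come from node metadata rather than from an external source, but failing early in the reactor gives a far clearer error than an nft parse failure at apply time; normalising each one with `str(ipaddress.ip_address(config['snat_to']))` (and likewise for `my_ip` and `their_ip`) before formatting would do that, assuming `ipaddress` is, or can be, imported in this file. Note also that `config['my_ip']` and `config['their_ip']` are indexed directly, so a peer that sets `snat_to` but lacks either key raises `KeyError` inside the reactor; if those keys are guaranteed by another reactor in this file (not visible here), a comment saying so would help. A short docstring such as `"""Emit a postrouting SNAT rule for every wireguard peer that sets 'snat_to'; traffic from my_ip to anything other than their_ip is rewritten to snat_to."""` would also document the intent of the `ip daddr !=` clause.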