bundles/wireguard: add option 'snat_to' for connections

2021-09-29 19:43:29 +02:00 · 2021-09-29 19:43:29 +02:00 · 5f1f4fd654
commit 5f1f4fd654
parent 902840ee7f
1 changed files with 26 additions and 0 deletions
--- a/bundles/wireguard/metadata.py
+++ b/bundles/wireguard/metadata.py
@ -218,3 +218,29 @@ def interface_ips(metadata):
    return {
        'interfaces': interfaces,
    }
+
+
+@metadata_reactor.provides(
+    'nftables/rules/nat_postrouting',
+)
+def snat(metadata):
+    if not node.has_bundle('nftables'):
+        raise DoNotRunAgain
+
+    rules = set()
+
+    for config in metadata.get('wireguard/peers', {}).values():
+        if 'snat_to' in config:
+            rules.add('ip saddr {} ip daddr != {} snat to {}'.format(
+                config['my_ip'],
+                config['their_ip'],
+                config['snat_to'],
+            ))
+
+    return {
+        'nftables': {
+            'rules': {
+                'nat_postrouting': rules,
+            },
+        },
+    }