Merge pull request #2578 from sever-sever/nat64

T160: add NAT64
vyos · Dec 7, 2023 · 18ee242 · 18ee242
2 parents 99c674c + 336bb5a
commit 18ee242
Show file tree

Hide file tree

Showing 5 changed files with 438 additions and 0 deletions.
diff --git a/debian/control b/debian/control
@@ -249,6 +249,9 @@ Depends:
   libstrongswan-standard-plugins (>=5.9),
   python3-vici (>= 5.7.2),
 # End "vpn ipsec"
+# For "nat64"
+  jool,
+# End "nat64"
 # For nat66
   ndppd,
 # End nat66

diff --git a/interface-definitions/include/nat64/protocol.xml.i b/interface-definitions/include/nat64/protocol.xml.i
@@ -0,0 +1,27 @@
+<!-- include start from nat64/protocol.xml.i -->
+<node name="protocol">
+  <properties>
+    <help>Apply translation address to a specfic protocol</help>
+  </properties>
+  <children>
+    <leafNode name="tcp">
+      <properties>
+        <help>Transmission Control Protocol</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="udp">
+      <properties>
+        <help>User Datagram Protocol</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="icmp">
+      <properties>
+        <help>Internet Control Message Protocol</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/nat64.xml.in b/interface-definitions/nat64.xml.in
@@ -0,0 +1,97 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="nat64" owner="${vyos_conf_scripts_dir}/nat64.py">
+    <properties>
+      <help>IPv6-to-IPv4 Network Address Translation (NAT64) Settings</help>
+      <priority>501</priority>
+    </properties>
+    <children>
+      <node name="source">
+        <properties>
+          <help>IPv6 source to IPv4 destination address translation</help>
+        </properties>
+        <children>
+          <tagNode name="rule">
+            <properties>
+              <help>Source NAT64 rule number</help>
+              <valueHelp>
+                <format>u32:1-999999</format>
+                <description>Number for this rule</description>
+              </valueHelp>
+              <constraint>
+                <validator name="numeric" argument="--range 1-999999"/>
+              </constraint>
+              <constraintErrorMessage>NAT64 rule number must be between 1 and 999999</constraintErrorMessage>
+            </properties>
+            <children>
+              #include <include/generic-description.xml.i>
+              #include <include/generic-disable-node.xml.i>
+              <node name="source">
+                <properties>
+                  <help>IPv6 source prefix options</help>
+                </properties>
+                <children>
+                  <leafNode name="prefix">
+                    <properties>
+                      <help>IPv6 prefix to be translated</help>
+                      <valueHelp>
+                        <format>ipv6net</format>
+                        <description>IPv6 prefix</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="ipv6-prefix"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+              <node name="translation">
+                <properties>
+                  <help>Translated IPv4 address options</help>
+                </properties>
+                <children>
+                  <tagNode name="pool">
+                    <properties>
+                      <help>Translation IPv4 pool number</help>
+                      <valueHelp>
+                        <format>u32:1-999999</format>
+                        <description>Number for this rule</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 1-999999"/>
+                      </constraint>
+                      <constraintErrorMessage>NAT64 pool number must be between 1 and 999999</constraintErrorMessage>
+                    </properties>
+                    <children>
+                      #include <include/generic-description.xml.i>
+                      #include <include/generic-disable-node.xml.i>
+                      #include <include/nat-translation-port.xml.i>
+                      #include <include/nat64/protocol.xml.i>
+                      <leafNode name="address">
+                        <properties>
+                          <help>IPv4 address or prefix to translate to</help>
+                          <valueHelp>
+                            <format>ipv4</format>
+                            <description>IPv4 address</description>
+                          </valueHelp>
+                          <valueHelp>
+                            <format>ipv4net</format>
+                            <description>IPv4 prefix</description>
+                          </valueHelp>
+                          <constraint>
+                            <validator name="ipv4-address"/>
+                            <validator name="ipv4-prefix"/>
+                          </constraint>
+                        </properties>
+                      </leafNode>
+                    </children>
+                  </tagNode>
+                </children>
+              </node>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_nat64.py b/smoketest/scripts/cli/test_nat64.py
@@ -0,0 +1,102 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import json
+import os
+import unittest
+
+from base_vyostest_shim import VyOSUnitTestSHIM
+from vyos.configsession import ConfigSessionError
+from vyos.utils.process import cmd
+from vyos.utils.dict import dict_search
+
+base_path = ['nat64']
+src_path = base_path + ['source']
+
+jool_nat64_config = '/run/jool/instance-100.json'
+
+
+class TestNAT64(VyOSUnitTestSHIM.TestCase):
+    @classmethod
+    def setUpClass(cls):
+        super(TestNAT64, cls).setUpClass()
+
+        # ensure we can also run this test on a live system - so lets clean
+        # out the current configuration :)
+        cls.cli_delete(cls, base_path)
+
+    def tearDown(self):
+        self.cli_delete(base_path)
+        self.cli_commit()
+        self.assertFalse(os.path.exists(jool_nat64_config))
+
+    def test_snat64(self):
+        rule = '100'
+        translation_rule = '10'
+        prefix_v6 = '64:ff9b::/96'
+        pool = '192.0.2.10'
+        pool_port = '1-65535'
+
+        self.cli_set(src_path + ['rule', rule, 'source', 'prefix', prefix_v6])
+        self.cli_set(
+            src_path
+            + ['rule', rule, 'translation', 'pool', translation_rule, 'address', pool]
+        )
+        self.cli_set(
+            src_path
+            + ['rule', rule, 'translation', 'pool', translation_rule, 'port', pool_port]
+        )
+        self.cli_commit()
+
+        # Load the JSON file
+        with open(f'/run/jool/instance-{rule}.json', 'r') as json_file:
+            config_data = json.load(json_file)
+
+        # Assertions based on the content of the JSON file
+        self.assertEqual(config_data['instance'], f'instance-{rule}')
+        self.assertEqual(config_data['framework'], 'netfilter')
+        self.assertEqual(config_data['global']['pool6'], prefix_v6)
+        self.assertTrue(config_data['global']['manually-enabled'])
+
+        # Check the pool4 entries
+        pool4_entries = config_data.get('pool4', [])
+        self.assertIsInstance(pool4_entries, list)
+        self.assertGreater(len(pool4_entries), 0)
+
+        for entry in pool4_entries:
+            self.assertIn('protocol', entry)
+            self.assertIn('prefix', entry)
+            self.assertIn('port range', entry)
+
+            protocol = entry['protocol']
+            prefix = entry['prefix']
+            port_range = entry['port range']
+
+            if protocol == 'ICMP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            elif protocol == 'UDP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            elif protocol == 'TCP':
+                self.assertEqual(prefix, pool)
+                self.assertEqual(port_range, pool_port)
+            else:
+                self.fail(f'Unexpected protocol: {protocol}')
+
+
+if __name__ == '__main__':
+    unittest.main(verbosity=2)