Update nftable template to make acc snat rules
Change-Id: I9c4865f3372a10f546d7d884002dd707528715b2
diff --git a/templates/nftables.conf.j2 b/templates/nftables.conf.j2
index fda523a..c66cc9f 100644
--- a/templates/nftables.conf.j2
+++ b/templates/nftables.conf.j2
@@ -27,6 +27,9 @@
# Allow SSH on all interfaces
tcp dport ssh accept
+ # Allow IPsec ports on external interface
+ iif "{{ netprep_nftables["external_if"] }}" udp dport 500 accept
+ iif "{{ netprep_nftables["external_if"] }}" udp dport 4500 accept
{% if "interface_subnets" in netprep_nftables %}
# The ingress traffic restriction of internal networks
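Review bot: The two added rules match the external interface with `iif`, while the existing masquerade rule in this template uses `oifname`; `iif` resolves the name to an interface index when the ruleset is loaded, so `nft -f` fails if the external interface does not exist yet at that moment, whereas `iifname` matches by name at packet time and loads regardless. Switching to the name match also lets the two ports collapse into one rule with an anonymous set: `iifname "{{ netprep_nftables["external_if"] }}" udp dport { 500, 4500 } accept`. If IPsec peers are not guaranteed to use NAT-T, plain ESP is not covered by these UDP rules and would need `iifname "{{ netprep_nftables["external_if"] }}" ip protocol esp accept` as well; that depends on the deployment and is worth a comment either way. The enclosing chain starts outside the hunk.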
@@ -54,13 +57,21 @@
chain postrouting {
type nat hook postrouting priority 100;
oifname "{{ netprep_nftables["external_if"] }}" masquerade;
- {% if "ue_routing" in netprep_nftables %}
- {% for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] %}
- {% for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %}
+
+ {% if "ue_routing" in netprep_nftables -%}
+ {%- for src_subnet in netprep_nftables["ue_routing"]["src_subnets"] -%}
+ {%- for ue_subnet in netprep_nftables["ue_routing"]["ue_subnets"] %}
ip saddr {{ src_subnet }} ip daddr {{ ue_subnet }} counter snat to {{ netprep_nftables["ue_routing"]["snat_addr"] }};
{% endfor %}
{% endfor %}
+ {% endif %}
+ {% if "acc_routing" in netprep_nftables -%}
+ {%- for src_subnet in netprep_nftables["acc_routing"]["src_subnets"] -%}
+ {%- for acc_subnet in netprep_nftables["acc_routing"]["acc_subnets"] %}
+ ip saddr {{ src_subnet }} ip daddr {{ acc_subnet }} counter snat to {{ netprep_nftables["acc_routing"]["snat_addr"] }};
+ {% endfor %}
+ {% endfor %}
{% endif %}
}
}
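Review bot: The new `acc_routing` SNAT rules are placed after the `oifname ... masquerade` rule at the top of `postrouting`, and NAT statements are terminal within a nat chain, so any packet to an `acc_subnet` that leaves through the external interface is masqueraded by the first rule and never reaches `snat to {{ netprep_nftables["acc_routing"]["snat_addr"] }}`; if the acc subnets are reached via the external interface this needs the SNAT rules moved above the masquerade rule (the same applies to the existing `ue_routing` block). The `acc_routing` block is a line-for-line copy of the `ue_routing` block with the key names changed, which could be folded into one loop over the two section names if the subnet-list key were normalised, or at least carry a comment stating what the acc traffic is and why it must leave with a fixed source address. The `{% endif %}` on the first block and the `{% endfor %}` lines lack the `-%}` trimming used on the openers, so the rendered file gains stray blank lines; harmless, but inconsistent within the hunk.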