
nftables: First shot at NAT support

  This commit adds the first shot at generating NAT rules.

  NAT rules can be specified in the node's config context in Netbox like the
  following:

  "nftables": {
      "nat": {
          "postrouting": {
              "4": [
                  "oif vlan1012 masquerade"
              ]
          }
      }
  }

  Instead of "postrouting", "prerouting" and "output" would be accepted, as
  well as "6" for the AF.  If at least one NAT rule is defined that way the
  "nat" table will be generated for the given AF including all chains and
  rules.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm %!s(int64=2) %!d(string=hai) anos
pai
achega
585642a35f
Modificáronse 2 ficheiros con 40 adicións e 0 borrados
  1. 20 0
      _modules/ffho_netfilter.py
  2. 20 0
      nftables/nftables.conf.tmpl

+ 20 - 0
_modules/ffho_netfilter.py

@@ -122,3 +122,23 @@ def generate_forward_policy (policy, roles, config_context):
 		pass
 
 	return fp
+
+
+def generate_nat_policy (roles, config_context):
+	np = {
+		4 : {},
+		6 : {},
+	}
+
+	# Any custom rules?
+	cc_nat = config_context.get ('nat')
+	if cc_nat:
+		for chain in ['output', 'prerouting', 'postrouting']:
+			if chain not in cc_nat:
+				continue
+
+			for af in [ 4, 6 ]:
+				if str (af) in cc_nat[chain]:
+					np[4][chain] = cc_nat[chain][str (af)]
+
+	return np
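Review bot: The assignment `np[4][chain] = cc_nat[chain][str (af)]` indexes the result with the literal 4 inside the `for af in [ 4, 6 ]` loop, so IPv6 rules are stored under the IPv4 key, a v6 list overwrites the v4 list for the same chain, and `np[6]` is always empty; the template then emits v6 rules into `table ip nat` and never produces `table ip6 nat`. It should read `np[af][chain] = cc_nat[chain][str (af)]`. The `roles` parameter is accepted but never read, so either drop it from the signature and the template call or add a comment saying it is reserved for role-based defaults. The value taken from the config context is also forwarded without checking that it is a list of strings, and each string later lands in the ruleset verbatim; a type check here that rejects non-list values and rule strings containing `{`, `}`, `;` or a newline would keep a bad or hostile config-context edit confined to its own chain instead of breaking or rewriting the whole ruleset. The trailing `return fp` lines belong to `generate_forward_policy`, whose body starts outside the hunk.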

+ 20 - 0
nftables/nftables.conf.tmpl

@@ -16,6 +16,7 @@
 {%- set nms_list = salt['pillar.get']('globals:snmp:nms_list', []) %}
 
 {%- set forward = salt['ffho_netfilter.generate_forward_policy'](fw_policy, roles, nf_cc) %}
+{%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](roles, nf_cc) %}
 
 flush ruleset
 
@@ -205,3 +206,22 @@ table ip6 filter {
 		counter drop
 	}
 }
+
+{#-
+ # NAT
+ #}
+{%- for af in [ 4, 6 ] %}
+  {%- if nat_policy[af] %}
+    {%- set af_name = "ip" if af == 4 else "ip6" %}
+table {{ af_name }} nat {
+    {%- for chain in ['output', 'prerouting', 'postrouting'] if chain in nat_policy[af] %}
+	chain {{ chain }} {
+		type nat hook {{ chain }} priority 0; policy accept;
+      {%- for rule in nat_policy[af][chain] %}
+		{{ rule }}
+      {%- endfor %}
+	}
+    {%- endfor %}
+}
+  {%- endif %}
+{%- endfor %}
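Review bot: `{{ rule }}` inside the chain block is rendered with no escaping or validation, so a single malformed entry in the Netbox config context makes the generated file fail to load after `flush ruleset` has already run, and anyone able to edit that config context controls the literal text of the NAT table; validating the rule strings where they are collected (or with a Jinja test here) against the small grammar you actually intend to accept would bound that. The fixed `priority 0` is applied to output, prerouting and postrouting alike, whereas the nftables convention is `priority dstnat` for prerouting/output and `priority srcnat` for postrouting; confirm the intended ordering relative to the filter chains, otherwise `{%- set prio = "srcnat" if chain == "postrouting" else "dstnat" %}` followed by `type nat hook {{ chain }} priority {{ prio }}; policy accept;` expresses it. The rule line mixes a literal tab with the `{%-` whitespace-stripping style used elsewhere in the block, so the emitted indentation inside each chain will differ from the filter tables above.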