switch from iptable to nftables

2022-07-14 15:59:52 +03:00
parent c7e838385f
commit 87700adb4c
1 changed files with 14 additions and 5 deletions
--- a/server/frontend/app/classes/network.py
+++ b/server/frontend/app/classes/network.py
@@ -298,13 +298,22 @@ class Network(object):
                     shell=True).wait()

            # Enable forwarding.
-            sp.Popen(["iptables", "-A", "POSTROUTING", "-t", "nat", "-o",
-                      self.iface_out, "-j", "MASQUERADE"]).wait()
+            
+            sp.Popen("nft add table nat",shell=True).wait()
+            sp.Popen("nft 'add chain nat prerouting { type nat hook prerouting priority 100; }'",shell=True).wait()
+            sp.Popen("nft 'add chain nat postrouting { type nat hook postrouting priority 100; }'",shell=True).wait()
+            sp.Popen("nft add table ip filter",shell=True).wait()
+            sp.Popen("nft 'add chain ip filter INPUT { type filter hook input priority 0; }'",shell=True).wait()
+            
+            
+            sp.Popen(["nft","add","rule","ip","nat","postrouting","oifname",
+                       self.iface_out,"counter","masquerade"]).wait()

            # Prevent the device to reach the 80 and 443 of TinyCheck.
-            sp.Popen(["iptables", "-A", "INPUT", "-i", self.iface_in, "-d",
-                      "192.168.100.1", "-p", "tcp", "--match", "multiport", "--dports", "80,443", "-j" "DROP"]).wait()
-
+            sp.Popen(["nft","add","rule","ip","filter","INPUT","iifname",self.iface_in,"ip",
+                      "protocol","tcp","ip","daddr","192.168.100.1","tcp","dport","{ 80,443}","counter","drop"]).wait()
+            
+            
            return True
        except:
            return False