Commit e9c1572e authored by Leigh B Stoller's avatar Leigh B Stoller

Add PF NAT stuff.

parent f6d5cbd9
# This is the powder-fixed specific parts of target system setup
......@@ -241,6 +242,7 @@ sub Install($$$)
Phase "nat", "Updating NAT configuration", sub {
my $bossip = $configvars{"TARGETSYS_BOSSIP"};
my $opsip = $configvars{"TARGETSYS_OPSIP"};
my $mask = $configvars{"TARGETSYS_NETMASK"};
Phase "delete", "Deleting old configuration", sub {
......@@ -250,6 +252,10 @@ sub Install($$$)
"# Packet normalization",
"scrub in all",
"# Exclude the local networks.",
"no nat on xn0 from $opsip to ${opsip}/${mask}",
"no nat on xn0 from $opsip to ${bossip}/${mask}",
"# Allow outbound connections from the jail",
"nat on xn0 from $opsip to any -> $bossip");
......@@ -314,7 +320,9 @@ sub Install($$$)
"static_routes=\"\$static_routes outerboss outerboss\"");
# Nat config.
"pf_enable=\"YES\"", "pf_rules=\"/etc/pf.nat\"");
# Okay, we want to comment out a bunch of stuff.
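Review bot: The `no nat on xn0 from $opsip to ${opsip}/${mask}` and `... to ${bossip}/${mask}` rules in the second hunk write TARGETSYS_NETMASK straight into pf syntax, and as far as I know pf expects a prefix length after the slash, not a dotted netmask. If the variable holds something like a dotted quad (its name suggests it might), the ruleset would probably fail to parse, and with `pf_enable="YES"` and `pf_rules="/etc/pf.nat"` set in the third hunk the host would come up without the intended NAT rules. Nothing visible here checks that `$bossip`, `$opsip` and `$mask` are defined and well-formed before they are interpolated, so I would add a guard ahead of the rule list, e.g. `die "bad TARGETSYS_NETMASK\n" unless defined($mask) && $mask =~ /^\d{1,2}$/;`, using whatever failure call the surrounding phases use, or convert the mask to a prefix length first. The +/- markers are lost in this rendering and Install() starts and ends outside the hunks, so this validation may already happen elsewhere.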
