From 717a13334da31fc6c20f7e9bf9de5ea0fcc79378 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Wed, 25 Sep 2024 20:57:47 +0200
Subject: [PATCH] updated nftables state

---
 states/nftables/templates/rules.nft.j2 | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/states/nftables/templates/rules.nft.j2 b/states/nftables/templates/rules.nft.j2
index eccb175..d5a5939 100644
--- a/states/nftables/templates/rules.nft.j2
+++ b/states/nftables/templates/rules.nft.j2
@@ -39,8 +39,8 @@ add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
 add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }
 add chain ip nat DOCKER
 
-### Main NAT rules
-{%- for network in net.nats %}
+### IPv4 NAT rules
+{%- for network in net.nat4 %}
 add rule ip nat POSTROUTING ip saddr {{ network }} counter masquerade
 {%- endfor %}
 
@@ -77,4 +77,16 @@ add rule ip6 filter6 INPUT counter log
 {%- endif %}
 #add rule ip6 filter6 INPUT counter log reject
 
+## IPv6 NAT
+add table ip6 nat6
+add chain ip6 nat6 PREROUTING { type nat hook prerouting priority dstnat; policy accept; }
+add chain ip6 nat6 INPUT { type nat hook input priority 1; policy accept; }
+add chain ip6 nat6 OUTPUT { type nat hook output priority -100; policy accept; }
+add chain ip6 nat6 POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }
+
+### IPv6 NAT rules
+{%- for network in net.nat6 %}
+add rule ip6 nat6 POSTROUTING ip6 saddr {{ network }} counter masquerade
+{%- endfor %}
+
 ## Endline is mandatory
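Review bot: The new `add rule ip6 nat6 POSTROUTING ip6 saddr {{ network }} counter masquerade` line inserts each `net.nat6` value verbatim into nftables syntax with no validation and no outgoing-interface match, so one malformed pillar entry makes `nft -f` reject the whole file (the load is atomic), and a valid prefix is source-rewritten on every egress interface rather than only the uplink; the same applies to the existing IPv4 rule now keyed on `net.nat4`. If the state already carries an uplink interface variable, restricting the rule to `oifname "<UPLINK_IF>"` (placeholder) would limit the rewrite to the intended path; otherwise a comment above the loop such as `# net.nat6: list of IPv6 prefixes in CIDR form; each value is inserted verbatim into nft syntax, so validate it in pillar` would at least document the contract. Note also that the PREROUTING, INPUT and OUTPUT chains of `nat6` are created but carry no rules in this hunk, which mirrors the IPv4 table; presumably that is intentional scaffolding, but a one-line comment saying so would save the next reader from wondering. With Salt's default Jinja undefined handling, a host whose pillar lacks `net.nat6` (or `net.nat4` after the rename) will most likely render the loop empty rather than fail, so the missing key goes unnoticed — worth confirming, since a silently empty NAT section is easy to miss.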