From bb1191d585867531546cbc43ee66e0cf3fb81c16 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 1 Aug 2019 19:17:30 +0200
Subject: [PATCH] iptables: more flexible NAT rules.

---
 library/roles/iptables/defaults/main.yml | 1 +
 .../roles/iptables/templates/iptables-rules.v4.j2 | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/library/roles/iptables/defaults/main.yml b/library/roles/iptables/defaults/main.yml
index 4726177..bc5707d 100644
--- a/library/roles/iptables/defaults/main.yml
+++ b/library/roles/iptables/defaults/main.yml
@@ -46,6 +46,7 @@ iptables_deb_pkgs:
 iptables_default_policy: ACCEPT
 iptables_nat_enabled: False
 iptables_nat_specify_interfaces: True
+iptables_post_nat_enabled: False
 iptables_nat_interfaces:
 - '{{ ansible_default_ipv4.interface }}'
 iptables_input_default_policy: '{{ iptables_default_policy }}'
diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
index 8071567..b115b60 100644
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
@@ -345,6 +345,7 @@
 {% endif %}
 COMMIT
 {% if iptables_nat_enabled %}
+# This should be obsoleted
 # NAT rules
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -360,3 +361,17 @@ COMMIT
 {% endif %}
 COMMIT
 {% endif %}
+
+{% if iptables_post_nat_enabled %}
+# NAT rules
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+{% for rule in iptables_nat_rules %}
+-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
+{% endfor %}
+COMMIT
+{% endif %}
+
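Review bot: The new `iptables_post_nat_enabled` flag sits next to `iptables_nat_enabled` with nothing saying whether the two are alternatives or what the new one switches on; a comment above the added line such as `# Newer NAT block: emits POSTROUTING rules from iptables_nat_rules (see iptables-rules.v4.j2)` would tell the operator which flag to pick. The template block introduced in this commit iterates `iptables_nat_rules`, which this hunk does not define; if no default exists elsewhere in the file (not visible here), rendering fails as soon as the flag is turned on, and `iptables_nat_rules: []` beside the flag would keep the feature inert by default. Style: the role writes `False`/`True` where YAML 1.2 and yamllint's `truthy` rule expect `false`/`true`.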
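Review bot: `# This should be obsoleted` is written into the generated rules file and tells the reader neither what supersedes this block nor when it will go away; `# Legacy NAT block, superseded by iptables_post_nat_enabled / iptables_nat_rules` carries the same intent usefully. The enclosing `{% if iptables_nat_enabled %}` block continues outside the hunk.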
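Review bot: The new block is guarded only by `iptables_post_nat_enabled`, so a host with both flags set renders two `*nat ... COMMIT` tables in one file; iptables-restore flushes a table each time it meets that table's header unless run with `--noflush`, so the legacy block's rules would be silently discarded without any error from the playbook. Guarding the new block with `{% if iptables_post_nat_enabled and not iptables_nat_enabled %}`, or stating the exclusion in the role documentation and asserting it in a task, would prevent that. The loop hard-codes the POSTROUTING chain although the variable is named `iptables_nat_rules`; `-A {{ rule.chain | default('POSTROUTING') }} {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}` would let the same list carry PREROUTING/DNAT entries without a third block. `rule.options` is copied verbatim into the rules file, so a template comment naming its expected form (for example a match string like `-o eth0 -s 10.0.0.0/8`) would help whoever reviews inventory changes spot a malformed entry before iptables-restore rejects the whole file.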