[PATCH] netfilter: nft_masq: add range specified flag setting

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] netfilter: nft_masq: add range specified flag setting
@ 2020-03-16  5:51 Sergey Marinkevich
  0 siblings, 0 replies; only message in thread
From: Sergey Marinkevich @ 2020-03-16  5:51 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: Jozsef Kadlecsik, Florian Westphal, David S. Miller,
	Jakub Kicinski, netfilter-devel, coreteam, netdev, linux-kernel

With nf_tables it is not possible to use port range for masquerading.
Masquerade statement has option "to [:port-port]" which give no effect
to translation behavior. But it must change source port of packet to
one from ":port-port" range.

My network:

	+-----------------------------+
	|   ROUTER                    |
	|                             |
	|                   Masquerade|
	| 10.0.0.1            1.1.1.1 |
	| +------+           +------+ |
	| | eth1 |           | eth2 | |
	+-+--^---+-----------+---^--+-+
	     |                   |
	     |                   |
	+----v------+     +------v----+
	|           |     |           |
	| 10.0.0.2  |     |  1.1.1.2  |
	|           |     |           |
	|PC1        |     |PC2        |
	+-----------+     +-----------+

For testing i used rule like this:

	rule ip nat POSTROUTING oifname eth2 masquerade to :666

Run netcat for 1.1.1.2 667(UDP) and get dump from PC2:

	15:22:25.591567 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.34466 > 1.1.1.2.667: UDP, length 1

Address translation works fine, but source port are not belongs to
specified range.

I see in similar source code (i.e. nft_redir.c, nft_nat.c) that
there is setting NF_NAT_RANGE_PROTO_SPECIFIED flag. After adding this,
repeat test for kernel with this patch, and get dump:

	16:16:22.324710 a8:f9:4b:aa:08:44 > a8:f9:4b:ac:e7:8f, ethertype IPv4 (0x0800), length 60: 1.1.1.1.666 > 1.1.1.2.667: UDP, length 1

Now it is works fine.

Signed-off-by: Sergey Marinkevich <s@marinkevich.ru>
---
 net/netfilter/nft_masq.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index bc9fd98c5d6d..448376e59074 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -113,6 +113,7 @@ static void nft_masq_ipv4_eval(const struct nft_expr *expr,
 			&regs->data[priv->sreg_proto_min]);
 		range.max_proto.all = (__force __be16)nft_reg_load16(
 			&regs->data[priv->sreg_proto_max]);
+		range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
 	}
 	regs->verdict.code = nf_nat_masquerade_ipv4(pkt->skb, nft_hook(pkt),
 						    &range, nft_out(pkt));
@@ -159,6 +160,7 @@ static void nft_masq_ipv6_eval(const struct nft_expr *expr,
 			&regs->data[priv->sreg_proto_min]);
 		range.max_proto.all = (__force __be16)nft_reg_load16(
 			&regs->data[priv->sreg_proto_max]);
+		range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
 	}
 	regs->verdict.code = nf_nat_masquerade_ipv6(pkt->skb, &range,
 						    nft_out(pkt));
-- 
2.21.0


^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2020-03-16  6:33 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-16  5:51 [PATCH] netfilter: nft_masq: add range specified flag setting Sergey Marinkevich

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.