From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 21/25] netfilter: nft_nat: include a flag attribute
Date: Wed, 10 Sep 2014 17:10:38 +0200 [thread overview]
Message-ID: <1410361842-4656-22-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1410361842-4656-1-git-send-email-pablo@netfilter.org>
From: Arturo Borrero <arturo.borrero.glez@gmail.com>
Both SNAT and DNAT (and the upcoming masquerade) can have additional
configuration parameters, such as port randomization and NAT addressing
persistence. We can cover these scenarios by simply adding a flag
attribute for userspace to fill when needed.
The flags to use are defined in include/uapi/linux/netfilter/nf_nat.h:
NF_NAT_RANGE_MAP_IPS
NF_NAT_RANGE_PROTO_SPECIFIED
NF_NAT_RANGE_PROTO_RANDOM
NF_NAT_RANGE_PERSISTENT
NF_NAT_RANGE_PROTO_RANDOM_FULLY
NF_NAT_RANGE_PROTO_RANDOM_ALL
The caller must take care not to pass conflicting or unsupported flags, since whatever it supplies is OR'ed unconditionally into the resulting nf_nat_range.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nf_nat.h | 5 +++++
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_nat.c | 16 ++++++++++++++++
3 files changed, 23 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
index 1ad3659..0880781 100644
--- a/include/uapi/linux/netfilter/nf_nat.h
+++ b/include/uapi/linux/netfilter/nf_nat.h
@@ -13,6 +13,11 @@
#define NF_NAT_RANGE_PROTO_RANDOM_ALL \
(NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+#define NF_NAT_RANGE_MASK \
+ (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \
+ NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \
+ NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+
struct nf_nat_ipv4_range {
unsigned int flags;
__be32 min_ip;
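Review bot: NF_NAT_RANGE_MASK is written as a hand-maintained list rather than being derived from the flag definitions, and the nft_nat.c hunk in this patch turns it into the allow-list that NFTA_NAT_FLAGS is validated against, so a future NF_NAT_RANGE_* bit that is not also added here will be rejected by nft_nat with -EINVAL. A short comment above the define would make that contract visible to whoever adds the next flag: `/* All NF_NAT_RANGE_* flags userspace may pass (e.g. via NFTA_NAT_FLAGS); extend this when adding a flag. */`.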
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index c000947..6022c6e 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -785,6 +785,7 @@ enum nft_nat_types {
* @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
* @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
* @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
*/
enum nft_nat_attributes {
NFTA_NAT_UNSPEC,
@@ -794,6 +795,7 @@ enum nft_nat_attributes {
NFTA_NAT_REG_ADDR_MAX,
NFTA_NAT_REG_PROTO_MIN,
NFTA_NAT_REG_PROTO_MAX,
+ NFTA_NAT_FLAGS,
__NFTA_NAT_MAX
};
#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 79ff58c..799550b 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -33,6 +33,7 @@ struct nft_nat {
enum nft_registers sreg_proto_max:8;
enum nf_nat_manip_type type:8;
u8 family;
+ u16 flags;
};
static void nft_nat_eval(const struct nft_expr *expr,
@@ -71,6 +72,8 @@ static void nft_nat_eval(const struct nft_expr *expr,
range.flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
}
+ range.flags |= priv->flags;
+
data[NFT_REG_VERDICT].verdict =
nf_nat_setup_info(ct, &range, priv->type);
}
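Review bot: `range.flags |= priv->flags;` lets a userspace-supplied NF_NAT_RANGE_MAP_IPS or NF_NAT_RANGE_PROTO_SPECIFIED reach nf_nat_setup_info() even when no address or proto registers were configured, because both bits are part of NF_NAT_RANGE_MASK in the nf_nat.h hunk and nothing in nft_nat_init ties them to the presence of the registers. The range's min/max fields would then carry whatever the function initialised them to (presumably zero; the start of nft_nat_eval is outside the hunk), which is not a range the caller meant. Either drop those two bits from the accepted set in nft_nat_init, or strip them here so only the behavioural flags are honoured: `range.flags |= priv->flags & ~(NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED);`. nft_nat_eval's body begins before this hunk.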
@@ -82,6 +85,7 @@ static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
[NFTA_NAT_REG_ADDR_MAX] = { .type = NLA_U32 },
[NFTA_NAT_REG_PROTO_MIN] = { .type = NLA_U32 },
[NFTA_NAT_REG_PROTO_MAX] = { .type = NLA_U32 },
+ [NFTA_NAT_FLAGS] = { .type = NLA_U32 },
};
static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
@@ -149,6 +153,12 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
} else
priv->sreg_proto_max = priv->sreg_proto_min;
+ if (tb[NFTA_NAT_FLAGS]) {
+ priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
+ if (priv->flags & ~NF_NAT_RANGE_MASK)
+ return -EINVAL;
+ }
+
return 0;
}
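Review bot: The `priv->flags & ~NF_NAT_RANGE_MASK` check runs after the attribute has already been narrowed into the `u16 flags` member added in the struct hunk, so bits 16–31 of the NLA_U32 value are silently discarded instead of being rejected with -EINVAL. Validate the full 32-bit value before storing it: `u32 flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS])); if (flags & ~NF_NAT_RANGE_MASK) return -EINVAL; priv->flags = flags;`. The NF_NAT_RANGE_* values in use are presumably all below bit 16, so today this only affects malformed or future flags, but rejecting them is exactly what the check is there for. nft_nat_init begins before this hunk.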
@@ -183,6 +193,12 @@ static int nft_nat_dump(struct sk_buff *skb, const struct nft_expr *expr)
htonl(priv->sreg_proto_max)))
goto nla_put_failure;
}
+
+ if (priv->flags != 0) {
+ if (nla_put_be32(skb, NFTA_NAT_FLAGS, htonl(priv->flags)))
+ goto nla_put_failure;
+ }
+
return 0;
nla_put_failure:
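Review bot: The nested `if (priv->flags != 0) { if (nla_put_be32(...)) goto nla_put_failure; }` can be folded into one guarded put, which is easier to scan alongside the other attributes in this dump function: `if (priv->flags && nla_put_be32(skb, NFTA_NAT_FLAGS, htonl(priv->flags))) goto nla_put_failure;`. Skipping the attribute when flags are zero is fine since nft_nat_init treats an absent NFTA_NAT_FLAGS as zero, so the dump round-trips. nft_nat_dump begins before this hunk.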
--
1.7.10.4