* [nft PATCH 1/2] src: add nat persistent and random options
From: Arturo Borrero Gonzalez @ 2014-10-03 12:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber, pablo
This patch adds more configuration options to the nat expression.
The syntax is as follows:
% nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags]
Flags are: random, persistent, random-fully.
Example:
% nft add rule nat postrouting dnat 1.1.1.1 random,persistent
A requirement is to cache some [recent] copies of kernel headers.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
.../linux/netfilter/nf_conntrack_tuple_common.h | 32 ++++++++++++++-
include/linux/netfilter/nf_nat.h | 42 ++++++++++++++++++++
include/statement.h | 1
src/netlink_delinearize.c | 4 ++
src/netlink_linearize.c | 3 +
src/parser.y | 21 ++++++++++
src/scanner.l | 3 +
src/statement.c | 26 ++++++++++++
8 files changed, 130 insertions(+), 2 deletions(-)
create mode 100644 include/linux/netfilter/nf_nat.h
diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
index 8e145f0..8ab3118 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -1,13 +1,41 @@
#ifndef _NF_CONNTRACK_TUPLE_COMMON_H
#define _NF_CONNTRACK_TUPLE_COMMON_H
-enum ip_conntrack_dir
-{
+#include <linux/types.h>
+
+enum ip_conntrack_dir {
IP_CT_DIR_ORIGINAL,
IP_CT_DIR_REPLY,
IP_CT_DIR_MAX
};
+/* The protocol-specific manipulable parts of the tuple: always in
+ * network order
+ */
+union nf_conntrack_man_proto {
+ /* Add other protocols here. */
+ __be16 all;
+
+ struct {
+ __be16 port;
+ } tcp;
+ struct {
+ __be16 port;
+ } udp;
+ struct {
+ __be16 id;
+ } icmp;
+ struct {
+ __be16 port;
+ } dccp;
+ struct {
+ __be16 port;
+ } sctp;
+ struct {
+ __be16 key; /* GRE key is 32bit, PPtP only uses 16bit */
+ } gre;
+};
+
#define CTINFO2DIR(ctinfo) ((ctinfo) >= IP_CT_IS_REPLY ? IP_CT_DIR_REPLY : IP_CT_DIR_ORIGINAL)
#endif /* _NF_CONNTRACK_TUPLE_COMMON_H */
diff --git a/include/linux/netfilter/nf_nat.h b/include/linux/netfilter/nf_nat.h
new file mode 100644
index 0000000..0880781
--- /dev/null
+++ b/include/linux/netfilter/nf_nat.h
@@ -0,0 +1,42 @@
+#ifndef _NETFILTER_NF_NAT_H
+#define _NETFILTER_NF_NAT_H
+
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+
+#define NF_NAT_RANGE_MAP_IPS (1 << 0)
+#define NF_NAT_RANGE_PROTO_SPECIFIED (1 << 1)
+#define NF_NAT_RANGE_PROTO_RANDOM (1 << 2)
+#define NF_NAT_RANGE_PERSISTENT (1 << 3)
+#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4)
+
+#define NF_NAT_RANGE_PROTO_RANDOM_ALL \
+ (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+
+#define NF_NAT_RANGE_MASK \
+ (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \
+ NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \
+ NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+
+struct nf_nat_ipv4_range {
+ unsigned int flags;
+ __be32 min_ip;
+ __be32 max_ip;
+ union nf_conntrack_man_proto min;
+ union nf_conntrack_man_proto max;
+};
+
+struct nf_nat_ipv4_multi_range_compat {
+ unsigned int rangesize;
+ struct nf_nat_ipv4_range range[1];
+};
+
+struct nf_nat_range {
+ unsigned int flags;
+ union nf_inet_addr min_addr;
+ union nf_inet_addr max_addr;
+ union nf_conntrack_man_proto min_proto;
+ union nf_conntrack_man_proto max_proto;
+};
+
+#endif /* _NETFILTER_NF_NAT_H */
diff --git a/include/statement.h b/include/statement.h
index e2f02b8..e04ab7d 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -65,6 +65,7 @@ struct nat_stmt {
enum nft_nat_types type;
struct expr *addr;
struct expr *proto;
+ uint32_t flags;
};
extern struct stmt *nat_stmt_alloc(const struct location *loc);
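Review bot: The new `flags` member of struct nat_stmt is undocumented, while this header documents its enums with kernel-doc `@` entries. If struct nat_stmt carries such a block (its header at line 65 is outside the hunk), add `@flags: NF_NAT_RANGE_* flags (random, random-fully, persistent)` to it; otherwise a trailing `uint32_t flags; /* NF_NAT_RANGE_* */` comment would at least tell a reader which bit encoding the field uses.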
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 796b632..e2a13d3 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -491,6 +491,10 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
family = nft_rule_expr_get_u32(nle, NFT_EXPR_NAT_FAMILY);
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_NAT_FLAGS))
+ stmt->nat.flags = nft_rule_expr_get_u32(nle,
+ NFT_EXPR_NAT_FLAGS);
+
reg1 = nft_rule_expr_get_u32(nle, NFT_EXPR_NAT_REG_ADDR_MIN);
if (reg1) {
addr = netlink_get_register(ctx, loc, reg1);
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index c46b6d4..36b56ff 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -631,6 +631,9 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
family = nft_rule_attr_get_u32(ctx->nlr, NFT_RULE_ATTR_FAMILY);
nft_rule_expr_set_u32(nle, NFT_EXPR_NAT_FAMILY, family);
+ if (stmt->nat.flags != 0)
+ nft_rule_expr_set_u32(nle, NFT_EXPR_NAT_FLAGS, stmt->nat.flags);
+
if (stmt->nat.addr) {
amin_reg = get_register(ctx);
registers++;
diff --git a/src/parser.y b/src/parser.y
index 4a8df7b..9fda571 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -19,6 +19,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <linux/netfilter/nf_nat.h>
#include <libnftnl/common.h>
#include <libnftnl/set.h>
@@ -371,6 +372,9 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token SNAT "snat"
%token DNAT "dnat"
+%token RANDOM "random"
+%token RANDOM_FULLY "random-fully"
+%token PERSISTENT "persistent"
%token QUEUE "queue"
%token QUEUENUM "num"
@@ -435,6 +439,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%destructor { stmt_free($$); } reject_stmt
%type <stmt> nat_stmt nat_stmt_alloc
%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc
+%type <val> nf_nat_flags nf_nat_flag
%type <stmt> queue_stmt queue_stmt_alloc
%destructor { stmt_free($$); } queue_stmt queue_stmt_alloc
%type <val> queue_stmt_flags queue_stmt_flag
@@ -1408,6 +1413,22 @@ nat_stmt_args : expr
{
$<stmt>0->nat.proto = $2;
}
+ | nat_stmt_args nf_nat_flags
+ {
+ $<stmt>0->nat.flags = $2;
+ }
+ ;
+
+nf_nat_flags : nf_nat_flag
+ | nf_nat_flags COMMA nf_nat_flag
+ {
+ $$ = $1 | $3;
+ }
+ ;
+
+nf_nat_flag : RANDOM { $$ = NF_NAT_RANGE_PROTO_RANDOM; }
+ | RANDOM_FULLY { $$ = NF_NAT_RANGE_PROTO_RANDOM_FULLY; }
+ | PERSISTENT { $$ = NF_NAT_RANGE_PERSISTENT; }
;
queue_stmt : queue_stmt_alloc
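Review bot: The new `nat_stmt_args nf_nat_flags` alternative is left-recursive on nat_stmt_args, so a statement with two flag groups not joined by a comma (for example `dnat 1.1.1.1 random persistent`) parses, and the second reduction's `$<stmt>0->nat.flags = $2;` silently overwrites the first group. Either accumulate with `$<stmt>0->nat.flags |= $2;` or restructure the rule so that only one nf_nat_flags group is accepted after the address arguments. The nat_stmt_args rule starts before this hunk, so its other alternatives are not visible here.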
diff --git a/src/scanner.l b/src/scanner.l
index 35c9446..440b0ed 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -316,6 +316,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"snat" { return SNAT; }
"dnat" { return DNAT; }
+"random" { return RANDOM; }
+"random-fully" { return RANDOM_FULLY; }
+"persistent" { return PERSISTENT; }
"ll" { return LL_HDR; }
"nh" { return NETWORK_HDR; }
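Review bot: The three new literal rules turn `random`, `random-fully` and `persistent` into reserved keywords. If plain identifiers are matched only by a fallback pattern after these rules, as the ordering here suggests, a chain, set or map that was previously named `random` or `persistent` can no longer be referenced by name; worth confirming against the identifier rule and the grammar's identifier nonterminal, both outside this hunk, and either accepting these tokens there or noting the reservation in the commit message.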
diff --git a/src/statement.c b/src/statement.c
index 8e4b49e..1b2c31c 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -20,6 +20,9 @@
#include <utils.h>
#include <list.h>
+#include <netinet/in.h>
+#include <linux/netfilter/nf_nat.h>
+
struct stmt *stmt_alloc(const struct location *loc,
const struct stmt_ops *ops)
{
@@ -240,6 +243,27 @@ struct stmt *reject_stmt_alloc(const struct location *loc)
return stmt_alloc(loc, &reject_stmt_ops);
}
+static void print_nf_nat_flags(uint32_t flags)
+{
+ const char *delim = " ";
+
+ if (flags == 0)
+ return;
+
+ if (flags & NF_NAT_RANGE_PROTO_RANDOM) {
+ printf("%srandom", delim);
+ delim = ",";
+ }
+
+ if (flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
+ printf("%srandom-fully", delim);
+ delim = ",";
+ }
+
+ if (flags & NF_NAT_RANGE_PERSISTENT)
+ printf("%spersistent", delim);
+}
+
static void nat_stmt_print(const struct stmt *stmt)
{
static const char *nat_types[] = {
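Review bot: print_nf_nat_flags drops any NF_NAT_RANGE_* bit it does not name, so a flags word read back from the kernel (nf_nat.h in this series also defines NF_NAT_RANGE_MAP_IPS and NF_NAT_RANGE_PROTO_SPECIFIED) lists as if those bits were absent and the listing no longer round-trips. Set `delim = ",";` in the persistent branch as well and finish with `uint32_t rest = flags & ~(NF_NAT_RANGE_PROTO_RANDOM_ALL | NF_NAT_RANGE_PERSISTENT); if (rest) printf("%s0x%x", delim, (unsigned int)rest);` so unknown bits stay visible instead of vanishing. The `if (flags == 0) return;` on entry is then redundant, since every branch is already guarded by its own bit test. A one-line header such as `/* Print NF_NAT_RANGE_* flags, space-prefixed and comma-separated; prints nothing for 0. */` would also help, because the helper takes a raw flags word rather than a stmt and is reusable by other statements.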
@@ -254,6 +278,8 @@ static void nat_stmt_print(const struct stmt *stmt)
printf(":");
expr_print(stmt->nat.proto);
}
+
+ print_nf_nat_flags(stmt->nat.flags);
}
static void nat_stmt_destroy(struct stmt *stmt)
* [nft PATCH 2/2] src: add masquerade support
From: Arturo Borrero Gonzalez @ 2014-10-03 12:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: kaber, pablo
This patch adds masquerade support for nft.
The syntax is:
% nft add rule nat postrouting masquerade [flags]
Currently, flags are:
random, random-fully, persistent
Example:
% nft add rule nat postrouting masquerade random,persistent
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
include/statement.h | 9 +++++++++
src/evaluate.c | 17 +++++++++++++++++
src/netlink_delinearize.c | 16 ++++++++++++++++
src/netlink_linearize.c | 15 +++++++++++++++
src/parser.y | 18 ++++++++++++++++--
src/scanner.l | 1 +
src/statement.c | 18 ++++++++++++++++++
7 files changed, 92 insertions(+), 2 deletions(-)
diff --git a/include/statement.h b/include/statement.h
index e04ab7d..8728ab6 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -70,6 +70,12 @@ struct nat_stmt {
extern struct stmt *nat_stmt_alloc(const struct location *loc);
+struct masq_stmt {
+ uint32_t flags;
+};
+
+extern struct stmt *masq_stmt_alloc(const struct location *loc);
+
struct queue_stmt {
struct expr *queue;
uint16_t flags;
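Review bot: struct masq_stmt is added without a doc comment, whereas this header documents its other types with kernel-doc blocks (the enum stmt_types entries further down use that style). Add a short block above it, naming the struct as the masquerade statement and documenting `@flags` as NF_NAT_RANGE_* flags (random, random-fully, persistent), and state that it shares the encoding of nat_stmt.flags so that the two are kept in sync when new flags are added.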
@@ -100,6 +106,7 @@ extern struct stmt *ct_stmt_alloc(const struct location *loc,
* @STMT_LOG: log statement
* @STMT_REJECT: REJECT statement
* @STMT_NAT: NAT statement
+ * @STMT_NAT: masquerade statement
* @STMT_QUEUE: QUEUE statement
* @STMT_CT: conntrack statement
*/
@@ -113,6 +120,7 @@ enum stmt_types {
STMT_LOG,
STMT_REJECT,
STMT_NAT,
+ STMT_MASQ,
STMT_QUEUE,
STMT_CT,
};
@@ -160,6 +168,7 @@ struct stmt {
struct limit_stmt limit;
struct reject_stmt reject;
struct nat_stmt nat;
+ struct masq_stmt masq;
struct queue_stmt queue;
struct ct_stmt ct;
};
diff --git a/src/evaluate.c b/src/evaluate.c
index 284ee72..0afbe8d 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1171,6 +1171,21 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
return 0;
}
+static int stmt_evaluate_masq(struct eval_ctx *ctx, struct stmt *stmt)
+{
+ struct proto_ctx *pctx = &ctx->pctx;
+
+ if (pctx && (pctx->family == AF_INET))
+ expr_set_context(&ctx->ectx, &ipaddr_type,
+ 4 * BITS_PER_BYTE);
+ else
+ expr_set_context(&ctx->ectx, &ip6addr_type,
+ 16 * BITS_PER_BYTE);
+
+ stmt->flags |= STMT_F_TERMINAL;
+ return 0;
+}
+
static int stmt_evaluate_ct(struct eval_ctx *ctx, struct stmt *stmt)
{
expr_set_context(&ctx->ectx, stmt->ct.tmpl->dtype,
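Review bot: The `pctx &&` test on the if in stmt_evaluate_masq is dead: `pctx` is initialised two lines earlier as `&ctx->pctx`, the address of an embedded member, which can never be NULL (compilers flag this under -Waddress). Drop the guard and test the member directly, `if (pctx->family == AF_INET)`, or use `ctx->pctx.family` and remove the local altogether. As written the guard implies a NULL case that the else branch would then quietly treat as IPv6.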
@@ -1231,6 +1246,8 @@ static int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
return stmt_evaluate_reject(ctx, stmt);
case STMT_NAT:
return stmt_evaluate_nat(ctx, stmt);
+ case STMT_MASQ:
+ return stmt_evaluate_masq(ctx, stmt);
case STMT_QUEUE:
return stmt_evaluate_queue(ctx, stmt);
case STMT_CT:
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index e2a13d3..7785ce4 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -558,6 +558,21 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
list_add_tail(&stmt->list, &ctx->rule->stmts);
}
+static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nft_rule_expr *nle)
+{
+ struct stmt *stmt;
+
+ stmt = masq_stmt_alloc(loc);
+
+ if (nft_rule_expr_is_set(nle, NFT_EXPR_MASQ_FLAGS))
+ stmt->masq.flags = nft_rule_expr_get_u32(nle,
+ NFT_EXPR_MASQ_FLAGS);
+
+ list_add_tail(&stmt->list, &ctx->rule->stmts);
+}
+
static void netlink_parse_queue(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nft_rule_expr *nle)
@@ -604,6 +619,7 @@ static const struct {
{ .name = "limit", .parse = netlink_parse_limit },
{ .name = "reject", .parse = netlink_parse_reject },
{ .name = "nat", .parse = netlink_parse_nat },
+ { .name = "masq", .parse = netlink_parse_masq },
{ .name = "queue", .parse = netlink_parse_queue },
};
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 36b56ff..c5aa0b4 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -685,6 +685,19 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
nft_rule_add_expr(ctx->nlr, nle);
}
+static void netlink_gen_masq_stmt(struct netlink_linearize_ctx *ctx,
+ const struct stmt *stmt)
+{
+ struct nft_rule_expr *nle;
+
+ nle = alloc_nft_expr("masq");
+ if (stmt->masq.flags != 0)
+ nft_rule_expr_set_u32(nle, NFT_EXPR_MASQ_FLAGS,
+ stmt->masq.flags);
+
+ nft_rule_add_expr(ctx->nlr, nle);
+}
+
static void netlink_gen_queue_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
@@ -749,6 +762,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
return netlink_gen_reject_stmt(ctx, stmt);
case STMT_NAT:
return netlink_gen_nat_stmt(ctx, stmt);
+ case STMT_MASQ:
+ return netlink_gen_masq_stmt(ctx, stmt);
case STMT_QUEUE:
return netlink_gen_queue_stmt(ctx, stmt);
case STMT_CT:
diff --git a/src/parser.y b/src/parser.y
index 9fda571..0a698f0 100644
--- a/src/parser.y
+++ b/src/parser.y
@@ -372,6 +372,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token SNAT "snat"
%token DNAT "dnat"
+%token MASQUERADE "masquerade"
%token RANDOM "random"
%token RANDOM_FULLY "random-fully"
%token PERSISTENT "persistent"
@@ -437,9 +438,10 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <val> time_unit
%type <stmt> reject_stmt
%destructor { stmt_free($$); } reject_stmt
-%type <stmt> nat_stmt nat_stmt_alloc
-%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc
+%type <stmt> nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc
+%destructor { stmt_free($$); } nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc
%type <val> nf_nat_flags nf_nat_flag
+
%type <stmt> queue_stmt queue_stmt_alloc
%destructor { stmt_free($$); } queue_stmt queue_stmt_alloc
%type <val> queue_stmt_flags queue_stmt_flag
@@ -1239,6 +1241,7 @@ stmt : verdict_stmt
| nat_stmt
| queue_stmt
| ct_stmt
+ | masq_stmt
;
verdict_stmt : verdict_expr
@@ -1419,6 +1422,17 @@ nat_stmt_args : expr
}
;
+masq_stmt : masq_stmt_alloc
+ | masq_stmt_alloc nf_nat_flags
+ {
+ $$ = $1;
+ $$->masq.flags = $2;
+ }
+ ;
+
+masq_stmt_alloc : MASQUERADE { $$ = masq_stmt_alloc(&@$); }
+ ;
+
nf_nat_flags : nf_nat_flag
| nf_nat_flags COMMA nf_nat_flag
{
diff --git a/src/scanner.l b/src/scanner.l
index 440b0ed..9c957c0 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -316,6 +316,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"snat" { return SNAT; }
"dnat" { return DNAT; }
+"masquerade" { return MASQUERADE; }
"random" { return RANDOM; }
"random-fully" { return RANDOM_FULLY; }
"persistent" { return PERSISTENT; }
diff --git a/src/statement.c b/src/statement.c
index 1b2c31c..3fa6d66 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -299,3 +299,21 @@ struct stmt *nat_stmt_alloc(const struct location *loc)
{
return stmt_alloc(loc, &nat_stmt_ops);
}
+
+static void masq_stmt_print(const struct stmt *stmt)
+{
+ printf("masquerade");
+
+ print_nf_nat_flags(stmt->masq.flags);
+}
+
+static const struct stmt_ops masq_stmt_ops = {
+ .type = STMT_MASQ,
+ .name = "masq",
+ .print = masq_stmt_print,
+};
+
+struct stmt *masq_stmt_alloc(const struct location *loc)
+{
+ return stmt_alloc(loc, &masq_stmt_ops);
+}
* Re: [nft PATCH 2/2] src: add masquerade support
From: Pablo Neira Ayuso @ 2014-10-03 13:10 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel, kaber
On Fri, Oct 03, 2014 at 02:46:46PM +0200, Arturo Borrero Gonzalez wrote:
> +
> struct queue_stmt {
> struct expr *queue;
> uint16_t flags;
> @@ -100,6 +106,7 @@ extern struct stmt *ct_stmt_alloc(const struct location *loc,
> * @STMT_LOG: log statement
> * @STMT_REJECT: REJECT statement
> * @STMT_NAT: NAT statement
> + * @STMT_NAT: masquerade statement
^
typo
> * @STMT_QUEUE: QUEUE statement
> * @STMT_CT: conntrack statement
> */
> @@ -113,6 +120,7 @@ enum stmt_types {
> STMT_LOG,
> STMT_REJECT,
> STMT_NAT,
> + STMT_MASQ,
> STMT_QUEUE,
> STMT_CT,
> };
> @@ -160,6 +168,7 @@ struct stmt {
> struct limit_stmt limit;
> struct reject_stmt reject;
> struct nat_stmt nat;
> + struct masq_stmt masq;
> struct queue_stmt queue;
> struct ct_stmt ct;
> };
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 284ee72..0afbe8d 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1171,6 +1171,21 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt)
> return 0;
> }
>
> +static int stmt_evaluate_masq(struct eval_ctx *ctx, struct stmt *stmt)
> +{
> + struct proto_ctx *pctx = &ctx->pctx;
> +
> + if (pctx && (pctx->family == AF_INET))
> + expr_set_context(&ctx->ectx, &ipaddr_type,
> + 4 * BITS_PER_BYTE);
> + else
> + expr_set_context(&ctx->ectx, &ip6addr_type,
> + 16 * BITS_PER_BYTE);
Could you use a switch to check pctx->family?
Spot an error for unsupported family, so we don't crash badly if
someone tries to use this from a different context.
> + stmt->flags |= STMT_F_TERMINAL;
> + return 0;
> +}
> +
* Re: [nft PATCH 1/2] src: add nat persistent and random options
From: Pablo Neira Ayuso @ 2014-10-09 12:17 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: netfilter-devel, kaber
On Fri, Oct 03, 2014 at 02:46:41PM +0200, Arturo Borrero Gonzalez wrote:
> This patch adds more configuration options to the nat expression.
>
> The syntax is as follow:
> % nft add rule nat postrouting <snat|dnat> <nat_arguments> [flags]
>
> Flags are: random, persistent, random-fully.
> Example:
>
> % nft add rule nat postrouting dnat 1.1.1.1 random,persistent
>
> A requirement is to cache some [recent] copies of kernel headers.
Applied, thanks Arturo.
Please send me a follow-up patch that adds a test for the new regression
testing infrastructure and documents this in our wiki page.