Re: [PATCH v2 -next] netfilter: don't use per-destination incrementing ports in nat random mode

On 12/21/2013 01:27 PM, Pablo Neira Ayuso wrote:
On Sat, Dec 21, 2013 at 01:26:17PM +0100, Hannes Frederic Sowa wrote:
On Sat, Dec 21, 2013 at 01:17:59PM +0100, Pablo Neira Ayuso wrote:
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
index bf0cc37..1ad3659 100644
--- a/include/uapi/linux/netfilter/nf_nat.h
+++ b/include/uapi/linux/netfilter/nf_nat.h

This is exposed to userspace.

@@ -4,10 +4,14 @@
  #include <linux/netfilter.h>
  #include <linux/netfilter/nf_conntrack_tuple_common.h>

-#define NF_NAT_RANGE_MAP_IPS		1
-#define NF_NAT_RANGE_PROTO_SPECIFIED	2
-#define NF_NAT_RANGE_PROTO_RANDOM	4
-#define NF_NAT_RANGE_PERSISTENT		8
+#define NF_NAT_RANGE_MAP_IPS			(1 << 0)
+#define NF_NAT_RANGE_PROTO_SPECIFIED		(1 << 1)
+#define NF_NAT_RANGE_PROTO_RANDOM		(1 << 2)
+#define NF_NAT_RANGE_PERSISTENT			(1 << 3)
+#define NF_NAT_RANGE_PROTO_RANDOM_FULLY		(1 << 4)
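Review bot: the new NF_NAT_RANGE_PROTO_RANDOM_FULLY definition is added to a UAPI header without a comment explaining how it differs from NF_NAT_RANGE_PROTO_RANDOM; userspace authors will read this header directly, so a one-line comment next to `#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4)` stating that it selects ports fully at random rather than per-destination incrementing (as the subject line describes) would document the intended semantics. The existing four flags keep their numeric values (1, 2, 4, 8 become `1 << 0` through `1 << 3`), so the ABI seen by older iptables binaries is unchanged.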

So you cannot change it. It would break old iptables binaries.

There are no semantic changes besides the addition of
NF_NAT_RANGE_PROTO_RANDOM_FULLY. Otherwise just the notation is changed,
which looks sane to me.

My fault sorry. I overlooked that you were just converting from
numeric to flag notation.

Yes, this was just for readability.

This is fine.

BTW, please send me the userspace part.

Daniel has the patch ready, I think he will submit it later today.

I was travelling for most of the day today, but I'll see if I can finish
the user space part tonight and send it out.

Thanks,

Daniel