Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> wrote: > Both SNAT and DNAT (and the upcoming masquerade) can have additional > configuration parameters, such as port randomization or NAT addressing > persistence. > We can cover these scenarios by simply adding a flag attribute for > userspace to fill when needed. > > The flags to use are defined in include/uapi/linux/netfilter/nf_nat.h, > NF_NAT_RANGE_MAP_IPS > NF_NAT_RANGE_PROTO_SPECIFIED > NF_NAT_RANGE_PROTO_RANDOM > NF_NAT_RANGE_PERSISTENT > NF_NAT_RANGE_PROTO_RANDOM_FULLY > NF_NAT_RANGE_PROTO_RANDOM_ALL > > The caller must take care of not messing up with the flags, as they are > added unconditionally to the final resulting nf_nat_range. I dont think that this is desirable. When userspace knows about NF_NAT_RANGE_FOO but the kernel does not userspace should be ablre to detect that kernel is too old. IOW, > static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, > @@ -149,6 +153,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, > } else > priv->sreg_proto_max = priv->sreg_proto_min; > > + if (tb[NFTA_NAT_FLAGS]) > + priv->flags = ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS])); > + > return 0; > } I think that NFTA_NAT_FLAGS desevers further validation that all flags/bits are known. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
