On Thu, Sep 04, 2014 at 02:06:14PM +0200, Arturo Borrero Gonzalez wrote:
> Both SNAT and DNAT (and the upcoming masquerade) can have additional
> configuration parameters, such as port randomization or NAT addressing
> persistence.
> We can cover these scenarios by simply adding a flag attribute for
> userspace to fill when needed.
>
> The flags to use are defined in include/uapi/linux/netfilter/nf_nat.h,
> NF_NAT_RANGE_MAP_IPS
> NF_NAT_RANGE_PROTO_SPECIFIED
> NF_NAT_RANGE_PROTO_RANDOM
> NF_NAT_RANGE_PERSISTENT
> NF_NAT_RANGE_PROTO_RANDOM_FULLY
> NF_NAT_RANGE_PROTO_RANDOM_ALL
>
> The caller must take care of not messing up with the flags, as they are
> added unconditionally to the final resulting nf_nat_range.

Not sure this comment is relevant. Of course, userspace should select the
flags accordingly :-). Let me know if the intention was other than
insisting on the fact that the flags alter the way the NAT is done.

> Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx>
> ---
> v2: address Florian Westphal's comments: check all flag bits to be known.
> v3: style cleanup requested by Pablo Neira. Mask name shortened.
> v4: nf-next rebase.
>
>  include/uapi/linux/netfilter/nf_nat.h    |  5 +++++
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nft_nat.c                  | 16 ++++++++++++++++
>  3 files changed, 23 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
> index 1ad3659..898db2d 100644
> --- a/include/uapi/linux/netfilter/nf_nat.h
> +++ b/include/uapi/linux/netfilter/nf_nat.h
> @@ -13,6 +13,11 @@
>  #define NF_NAT_RANGE_PROTO_RANDOM_ALL \
>  	(NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)
>
> +#define NF_NAT_RANGE_MASK \
> +	(NF_NAT_RANGE_MAP_IPS|NF_NAT_RANGE_PROTO_SPECIFIED \
> +	|NF_NAT_RANGE_PROTO_RANDOM|NF_NAT_RANGE_PERSISTENT \
> +	|NF_NAT_RANGE_PROTO_RANDOM_FULLY)

I'm going to make the following cosmetic change:

#define NF_NAT_RANGE_MASK \
	(NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \
	 NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \
	 NF_NAT_RANGE_PROTO_RANDOM_FULLY)

Next time, place the '|', '&' and so on at the end of the line.

If no more comments, I'll push this to nf-next.

Thanks.
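Review bot: NF_NAT_RANGE_MASK is added to the uapi header, so it is exported to userspace next to the flags it summarises; a one-line comment above the define saying that every new NF_NAT_RANGE_* bit must also be added to the mask would help keep it from drifting out of sync, since a flag missing here will be rejected by the "check all flag bits to be known" test the changelog describes. NF_NAT_RANGE_PROTO_RANDOM_ALL is correctly left out of the mask, as it is only a composite of two bits that are already listed.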
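The "check all flag bits to be known" rule from the changelog, as an added example rather than code from this patch or from the kernel: the flag values are those of include/uapi/linux/netfilter/nf_nat.h, while struct nat_range_flags and the nat_* functions are hypothetical stand-ins for the real nft_nat code.

```c
#include <errno.h>
#include <stdint.h>

/* Flag values as in include/uapi/linux/netfilter/nf_nat.h. */
#define NF_NAT_RANGE_MAP_IPS            (1 << 0)
#define NF_NAT_RANGE_PROTO_SPECIFIED    (1 << 1)
#define NF_NAT_RANGE_PROTO_RANDOM       (1 << 2)
#define NF_NAT_RANGE_PERSISTENT         (1 << 3)
#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4)
#define NF_NAT_RANGE_PROTO_RANDOM_ALL \
	(NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)

/* Every individually defined flag; _ALL is a composite and needs no entry. */
#define NF_NAT_RANGE_MASK \
	(NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \
	 NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \
	 NF_NAT_RANGE_PROTO_RANDOM_FULLY)

/* Hypothetical stand-in for the kernel's struct nf_nat_range. */
struct nat_range_flags {
	uint32_t flags;
};

/* The rule from the changelog: reject a flag word with any unknown bit. */
int nat_check_flags(uint32_t user_flags)
{
	return (user_flags & ~NF_NAT_RANGE_MASK) ? -EINVAL : 0;
}

/* Validate first; only then OR the flags into the range unconditionally. */
int nat_apply_flags(struct nat_range_flags *range, uint32_t user_flags)
{
	int err = nat_check_flags(user_flags);

	if (err)
		return err;
	range->flags |= user_flags;
	return 0;
}

/* Flag word of a range after an apply attempt (unchanged if rejected). */
uint32_t nat_flags_after(uint32_t initial, uint32_t user_flags)
{
	struct nat_range_flags r = { .flags = initial };

	nat_apply_flags(&r, user_flags);
	return r.flags;
}
```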