On 9 September 2014 11:50, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Thu, Sep 04, 2014 at 02:06:14PM +0200, Arturo Borrero Gonzalez wrote:
>> Both SNAT and DNAT (and the upcoming masquerade) can have additional
>> configuration parameters, such as port randomization or NAT addressing
>> persistence.
>> We can cover these scenarios by simply adding a flag attribute for
>> userspace to fill when needed.
>>
>> The flags to use are defined in include/uapi/linux/netfilter/nf_nat.h:
>> NF_NAT_RANGE_MAP_IPS
>> NF_NAT_RANGE_PROTO_SPECIFIED
>> NF_NAT_RANGE_PROTO_RANDOM
>> NF_NAT_RANGE_PERSISTENT
>> NF_NAT_RANGE_PROTO_RANDOM_FULLY
>> NF_NAT_RANGE_PROTO_RANDOM_ALL
>>
>> The caller must take care of not messing up with the flags, as they are
>> added unconditionally to the final resulting nf_nat_range.
>
> Not sure this comment is relevant. Of course, userspace should select
> the flags accordingly :-). Let me know if the intention was other than
> insisting on the fact that the flags alter the way the NAT is done.
>

Yes, I meant that no additional check is done to know if the flags
combination makes sense.

> I'm going to make the following cosmetic change:
>
> #define NF_NAT_RANGE_MASK \
>         (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \
>          NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \
>          NF_NAT_RANGE_PROTO_RANDOM_FULLY)
>
> Next time, place the '|', '&' and so on at the end of the line.
>

Ok, thanks.

-- 
Arturo Borrero González