On Tue, Sep 09, 2014 at 12:14:25PM +0200, Arturo Borrero Gonzalez wrote:
> On 9 September 2014 11:50, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > On Thu, Sep 04, 2014 at 02:06:14PM +0200, Arturo Borrero Gonzalez wrote:
> >> Both SNAT and DNAT (and the upcoming masquerade) can have additional
> >> configuration parameters, such as port randomization or NAT addressing
> >> persistence.
> >> We can cover these scenarios by simply adding a flag attribute for
> >> userspace to fill when needed.
> >>
> >> The flags to use are defined in include/uapi/linux/netfilter/nf_nat.h,
> >> NF_NAT_RANGE_MAP_IPS
> >> NF_NAT_RANGE_PROTO_SPECIFIED
> >> NF_NAT_RANGE_PROTO_RANDOM
> >> NF_NAT_RANGE_PERSISTENT
> >> NF_NAT_RANGE_PROTO_RANDOM_FULLY
> >> NF_NAT_RANGE_PROTO_RANDOM_ALL
> >>
> >> The caller must take care of not messing up with the flags, as they are
> >> added unconditionally to the final resulting nf_nat_range.
> >
> > Not sure this comment is relevant. Of course, userspace should select
> > the flags accordingly :-). Let me know if the intention was other than
> > insisting on the fact that the flags alter the way the NAT is done.
> >
>
> Yes, I meant that no additional check is done to know if the flags
> combination makes sense.

I see. iptables does exactly the same thing at this moment.

At quick glance I think random flag combinations should not puzzle
nf_nat_setup_info(), but it would be good to give it a closer look.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
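As an added illustration that is not part of this thread or of the nftables/kernel code, here is a userspace-side sanity check of the kind Arturo says the patch does not perform: it flags bits outside the listed set and reports range fields that would be ignored because their governing flag (MAP_IPS for addresses, PROTO_SPECIFIED for ports) is unset. The flag values are assumed to match nf_nat.h; struct nat_req is a constructed stand-in for nf_nat_range, not the kernel struct.

```c
#include <stdint.h>
/* Flag bits, assumed to match include/uapi/linux/netfilter/nf_nat.h. */
#define NF_NAT_RANGE_MAP_IPS            (1 << 0)
#define NF_NAT_RANGE_PROTO_SPECIFIED    (1 << 1)
#define NF_NAT_RANGE_PROTO_RANDOM       (1 << 2)
#define NF_NAT_RANGE_PERSISTENT         (1 << 3)
#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4)
#define NF_NAT_RANGE_PROTO_RANDOM_ALL \
	(NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)

/* Every defined bit; anything outside this mask is unknown to the kernel. */
#define NF_NAT_RANGE_KNOWN_MASK \
	(NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \
	 NF_NAT_RANGE_PERSISTENT | NF_NAT_RANGE_PROTO_RANDOM_ALL)

/* Constructed stand-in for the fields of nf_nat_range this check inspects. */
struct nat_req {
	uint32_t flags;
	uint32_t min_ip, max_ip;     /* honoured only when MAP_IPS is set */
	uint16_t min_port, max_port; /* honoured only when PROTO_SPECIFIED is set */
};

/* Problems are returned OR-ed together so several can be reported at once. */
enum {
	NAT_OK = 0, NAT_UNKNOWN_FLAG = 1, NAT_IGNORED_ADDR = 2,
	NAT_IGNORED_PORT = 4, NAT_BAD_ORDER = 8
};

int nat_req_check(const struct nat_req *r)
{
	int problems = NAT_OK;
	if (r->flags & ~NF_NAT_RANGE_KNOWN_MASK)
		problems |= NAT_UNKNOWN_FLAG;
	/* An address range without MAP_IPS is never used for mapping. */
	if (!(r->flags & NF_NAT_RANGE_MAP_IPS) && (r->min_ip || r->max_ip))
		problems |= NAT_IGNORED_ADDR;
	/* Likewise a port range without PROTO_SPECIFIED is ignored. */
	if (!(r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) && (r->min_port || r->max_port))
		problems |= NAT_IGNORED_PORT;
	if ((r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) && r->min_port > r->max_port)
		problems |= NAT_BAD_ORDER;
	return problems;
}

/* Wrapper so a request can be checked from plain values. */
int nat_check(uint32_t flags, uint32_t min_ip, uint32_t max_ip, uint16_t min_port, uint16_t max_port)
{
	struct nat_req r = { flags, min_ip, max_ip, min_port, max_port };
	return nat_req_check(&r);
}
```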