On 4 November 2014 17:04, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Tue, Nov 04, 2014 at 04:04:11PM +0100, Arturo Borrero Gonzalez wrote:
>> On 4 November 2014 15:44, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> > On Tue, Nov 04, 2014 at 02:56:58PM +0100, Arturo Borrero Gonzalez wrote:
>> >> On 4 November 2014 14:37, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>> >> >
>> >> > I think this needs to be:
>> >> >
>> >> > % nft add rule nat prerouting redirect [port] [nat_flags]
>> >> >
>> >>
>> >> The port and nat_flags arguments are mutually exclusive. That's why I
>> >> used the [port|nat_flags] syntax.
>> >
>> > iptables allows this:
>> >
>> > -j REDIRECT --to-ports 8000-8010 --random
>>
>> Then, should I change the behaviour of the nft redirect parser?
>> The code in my patch doesn't allow that.
>
> Yes, you have to fix this.
>
>> I think it makes no sense: "redirect to this port; no sorry, redirect
>> to a random one."
>
> --to-ports reads as "redirect all traffic from ports 8000 to 8010"
> --random refers to --to-ports, it reads as "select the port from the
> 8000-8010 range at random"
>
> If --random is not specified, then the NAT engine selects the destination
> port in that range one after another (8000, 8001, 8002, ...) IIRC.

Understood, thanks.

-- 
Arturo Borrero González
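To make the distinction Pablo draws concrete, here is an added example that is not part of the thread and is not the code of nftables, iptables or the kernel's NAT engine. It models a REDIRECT target as a destination port range plus an optional `random` NAT flag, so that the two compose rather than exclude each other: the range bounds the choice, the flag decides how a port inside the range is picked. The class and function names, the keyed hash standing in for the kernel's randomised starting offset, and the sample flows are all constructed for this illustration.

```python
"""Simplified model of REDIRECT port selection: a port range with or without
the 'random' flag.  Illustrative only; not the kernel's nf_nat implementation."""
import hashlib

PORT_MIN, PORT_MAX = 8000, 8010   # the 8000-8010 range from the thread


class RedirectTarget:
    """A REDIRECT target: port range plus optional 'random' flag.

    Without 'random', ports are handed out one after another from a cursor
    that walks the range (8000, 8001, 8002, ...).  With 'random', the
    starting point is derived from the flow and the walk continues from
    there until a free port is found.  Both policies stay inside the range,
    which is why 'port range' and 'random' are not mutually exclusive.
    """

    def __init__(self, port_min, port_max, random=False):
        if not (0 < port_min <= port_max <= 65535):
            raise ValueError("invalid port range")
        self.port_min, self.port_max = port_min, port_max
        self.random = random
        self._next = port_min          # cursor for the sequential policy
        self.in_use = set()            # ports currently allocated to flows

    def _span(self):
        return self.port_max - self.port_min + 1

    def _advance(self, port):
        # Step to the next port in the range, wrapping at the top.
        return self.port_min + (port - self.port_min + 1) % self._span()

    def select_port(self, src_ip, src_port):
        """Return a free port in the range for this flow, or None if exhausted."""
        if len(self.in_use) >= self._span():
            return None
        if self.random:
            # Assumption for the model: a hash of the flow picks the starting
            # offset.  The real kernel uses its own hashing and secret.
            digest = hashlib.sha256(f"{src_ip}:{src_port}".encode()).digest()
            port = self.port_min + int.from_bytes(digest[:4], "big") % self._span()
        else:
            port = self._next
        for _ in range(self._span()):
            if port not in self.in_use:
                self.in_use.add(port)
                if not self.random:
                    self._next = self._advance(port)
                return port
            port = self._advance(port)
        return None

    def release(self, port):
        """Free a port when its flow expires."""
        self.in_use.discard(port)


def demo():
    """Allocate ports for three constructed flows under each policy."""
    sequential = RedirectTarget(PORT_MIN, PORT_MAX)
    randomised = RedirectTarget(PORT_MIN, PORT_MAX, random=True)
    flows = [("10.0.0.%d" % i, 40000 + i) for i in range(1, 4)]   # constructed sample flows
    return ([sequential.select_port(ip, sport) for ip, sport in flows],
            [randomised.select_port(ip, sport) for ip, sport in flows])


if __name__ == "__main__":
    seq_ports, rnd_ports = demo()
    print("sequential:", seq_ports)
    print("random:    ", rnd_ports)
```

Run it and the sequential target yields 8000, 8001, 8002 while the random target yields three ports that are also inside 8000-8010, only chosen in a flow-dependent order. Exhaustion is handled the same way for both: once all eleven ports are allocated, `select_port` returns `None`, which is the point at which a real NAT engine would have to drop the new connection.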