/*
 * Mailing-list context (netfilter-devel), kept from the original message:
 *
 * > > BTW, srcnat only makes sense from postrouting, I think it would be
 * > > possible to reject things that make no sense from there, like srcnat
 * > > with prerouting as in the example above.
 * >
 * > I'll look after this.
 *
 * What do you think about this compatibility "matrix"?
 */

/*
 * std_prio_family_hook_compat - decide whether a standard priority value may
 * be used with the given address family and hook.
 *
 * @prio:   priority constant (NF_IP_PRI_*)
 * @family: address family (NFPROTO_*)
 * @hook:   hook number (NF_INET_*)
 *
 * Returns true only for the combinations listed below; every other priority,
 * family or hook is rejected. The point of the check is to refuse
 * combinations that make no sense (e.g. srcnat on prerouting) instead of
 * accepting them silently.
 *
 * NOTE(review): the bridge family has its own priority enum (NF_BR_PRI_* in
 * linux/netfilter_bridge.h) whose numeric values differ from NF_IP_PRI_*;
 * confirm that matching NFPROTO_BRIDGE against the NF_IP_PRI_* values here is
 * intended.
 */
static bool std_prio_family_hook_compat(int prio, int family, int hook)
{
	const bool ip_like = family == NFPROTO_INET ||
			     family == NFPROTO_IPV4 ||
			     family == NFPROTO_IPV6;
	const bool ip_or_bridge = ip_like || family == NFPROTO_BRIDGE;

	switch (prio) {
	case NF_IP_PRI_FILTER:
		/* Allowed for every listed family; the hook is not checked. */
		return ip_or_bridge ||
		       family == NFPROTO_ARP ||
		       family == NFPROTO_NETDEV;
	case NF_IP_PRI_RAW:
	case NF_IP_PRI_MANGLE:
	case NF_IP_PRI_SECURITY:
		/*
		 * The author found no information about which hooks these
		 * make sense in, so only the family is checked.
		 */
		return ip_like;
	case NF_IP_PRI_NAT_DST:
		/* Destination NAT: accepted on the prerouting hook only. */
		return ip_or_bridge && hook == NF_INET_PRE_ROUTING;
	case NF_IP_PRI_NAT_SRC:
		/* Source NAT: accepted on the postrouting hook only. */
		return ip_or_bridge && hook == NF_INET_POST_ROUTING;
	default:
		return false;
	}
}