On Fri, Jul 13, 2018 at 12:22:51PM +0200, Máté Eckl wrote:
> > > BTW, srcnat only makes sense from postrouting, I think it would be
> > > possible to reject things that make no sense from there, like srcnat
> > > with prerouting as in the example above.
> >
> > I'll look after this.
>
> What do you think about this compatibility "matrix"?

Looks fine, one comment though regarding bridge:

include/linux/netfilter_bridge.h:       NF_BR_PRI_NAT_DST_OTHER = 100,
include/linux/netfilter_bridge.h:       NF_BR_PRI_NAT_SRC = 300,
include/linux/netfilter_bridge.h:       NF_BR_PRI_NAT_DST_BRIDGED = -300,

Unfortunately I think we'll need these too, i.e. we cannot reuse
NF_IP_PRI_NAT_SRC.

> static bool std_prio_family_hook_compat(int prio, int family, int hook)
> {
> 	switch(prio) {
> 	case NF_IP_PRI_FILTER:
> 		switch(family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 		case NFPROTO_ARP:
> 		case NFPROTO_BRIDGE:
> 		case NFPROTO_NETDEV:
> 			return true;
> 		default:
> 			return false;
> 		}
> 	case NF_IP_PRI_RAW:
> 	case NF_IP_PRI_MANGLE:
> 	case NF_IP_PRI_SECURITY:
> 		// For these I didn't find any info about which hook
> 		// they can make sense in
> 		switch(family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 			return true;
> 		default:
> 			return false;
> 		}
> 	case NF_IP_PRI_NAT_DST:
> 		switch(family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 		case NFPROTO_BRIDGE:
> 			switch(hook) {
> 			case NF_INET_PRE_ROUTING:
> 				return true;
> 			default:
> 				return false;
> 			}
> 		default:
> 			return false;
> 		}
> 	case NF_IP_PRI_NAT_SRC:
> 		switch(family) {
> 		case NFPROTO_INET:
> 		case NFPROTO_IPV4:
> 		case NFPROTO_IPV6:
> 		case NFPROTO_BRIDGE:
> 			switch(hook) {
> 			case NF_INET_POST_ROUTING:
> 				return true;
> 			default:
> 				return false;
> 			}
> 		default:
> 			return false;
> 		}
> 	default:
> 		return false;
> 	}
> }
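
The bridge point raised in this reply, as an added example that is not code from the thread or from nftables: a table-driven resolver that maps a NAT priority name to a family-specific number and rejects hook combinations that make no sense. The function `resolve_nat_prio`, the local `FAM_*`/`HOOK_*` enums, the name "dstnat" and the pairing of `NF_BR_PRI_NAT_DST_BRIDGED` with prerouting are assumptions of the example; the `NF_IP_PRI_NAT_*` values are those in linux/netfilter_ipv4.h.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins (hypothetical names) so the example builds without kernel headers. */
enum family { FAM_INET, FAM_IPV4, FAM_IPV6, FAM_ARP, FAM_BRIDGE, FAM_NETDEV };
enum hook { HOOK_PREROUTING, HOOK_INPUT, HOOK_FORWARD, HOOK_OUTPUT, HOOK_POSTROUTING };

/* NF_BR_PRI_* values as quoted in the mail; note 100 means srcnat for IP but not for bridge. */
enum {
	NF_IP_PRI_NAT_DST = -100,
	NF_IP_PRI_NAT_SRC = 100,
	NF_BR_PRI_NAT_DST_BRIDGED = -300,
	NF_BR_PRI_NAT_DST_OTHER = 100,
	NF_BR_PRI_NAT_SRC = 300,
};

struct std_prio { const char *name; int is_bridge; enum hook hook; int prio; };

/* One row per valid (name, family class, hook): srcnat only in postrouting, dstnat only in prerouting. */
static const struct std_prio nat_prios[] = {
	{ "dstnat", 0, HOOK_PREROUTING,  NF_IP_PRI_NAT_DST },
	{ "srcnat", 0, HOOK_POSTROUTING, NF_IP_PRI_NAT_SRC },
	{ "dstnat", 1, HOOK_PREROUTING,  NF_BR_PRI_NAT_DST_BRIDGED },
	{ "srcnat", 1, HOOK_POSTROUTING, NF_BR_PRI_NAT_SRC },
};

/* Returns 0 and stores the numeric priority, or -1 if the combination is rejected. */
int resolve_nat_prio(const char *name, enum family family, enum hook hook, int *prio)
{
	int is_bridge = (family == FAM_BRIDGE);
	if (family == FAM_ARP || family == FAM_NETDEV)
		return -1;	/* the quoted matrix accepts no NAT priority for these */
	for (size_t i = 0; i < sizeof(nat_prios) / sizeof(nat_prios[0]); i++) {
		const struct std_prio *p = &nat_prios[i];
		if (p->is_bridge == is_bridge && p->hook == hook && !strcmp(p->name, name)) {
			*prio = p->prio;
			return 0;
		}
	}
	return -1;
}

int main(void)
{
	int prio = 0;
	if (resolve_nat_prio("srcnat", FAM_BRIDGE, HOOK_POSTROUTING, &prio) == 0)
		printf("bridge srcnat -> %d\n", prio);
	return resolve_nat_prio("srcnat", FAM_IPV4, HOOK_PREROUTING, &prio) == -1 ? 0 : 1;
}
```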