Support for shifted port-ranges in DNAT was added to iptables in 2018.
This allows one to redirect packets intended for one port to another in
a range in such a way that the new port chosen has the same offset in
the range as the original port had from a specified base value.

For example, by using the base value 2000, one could redirect packets
intended for 10.0.0.1:2000-3000 to 10.10.0.1:12000-13000 so that the old
and new ports were at the same offset in their respective ranges, i.e.:

  10.0.0.1:2345 -> 10.10.0.1:12345

This patch-set makes support in the nft kernel modules for doing
likewise available to user space. In contrast to iptables, this works
for `snat`, `redirect` and `masquerade` statements as well as `dnat`.

Jeremy Sowden (3):
  nat: add support for shifted port-ranges
  masq: add support for shifted port-ranges
  redir: add support for shifted port-ranges

 include/libnftnl/expr.h             |  3 +++
 include/linux/netfilter/nf_tables.h |  6 ++++++
 src/expr/masq.c                     | 25 +++++++++++++++++++++++--
 src/expr/nat.c                      | 22 ++++++++++++++++++++++
 src/expr/redir.c                    | 29 ++++++++++++++++++++++++-----
 tests/nft-expr_masq-test.c          |  4 ++++
 tests/nft-expr_nat-test.c           |  4 ++++
 tests/nft-expr_redir-test.c         |  4 ++++
 8 files changed, 90 insertions(+), 7 deletions(-)

--
2.39.2