Commit 2eb0f624b709 ("netfilter: add NAT support for shifted portmap
ranges") introduced support for shifting port-ranges in DNAT.  This
allows one to redirect packets intended for one port to another in a
range in such a way that the new port chosen has the same offset in the
range as the original port had from a specified base value.

For example, by using the base value 2000, one could redirect packets
intended for 10.0.0.1:2000-3000 to 10.10.0.1:12000-13000 so that the old
and new ports were at the same offset in their respective ranges, i.e.:

  10.0.0.1:2345 -> 10.10.0.1:12345

However, while support for this was added to the common DNAT
infrastructure, only the xt_nat module was updated to make use of it.
This patch-set extends the core support and updates all the nft NAT
modules to support it too.

Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970672
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1501

* Patch 1 extends the core NAT support for shifted port-ranges to SNAT.
* Patch 2 adds shifted port-range support to nft_nat.
* Patch 3 adds shifted port-range support to nft_masq.
* Patch 4 adds shifted port-range support to nft_redir.

Changes since v2.

* All the remaining patches not directly related to the new
  functionality have been submitted separately.

Changes since v1.

* Four patches containing bug-fixes have been removed.
* Missing `if (priv->sreg_proto_base)` checks have been added to patches
  4, 6, & 9.
* In patch 8, `range.flags` in `nft_redir_eval` is initialized by simple
  assignment.

Jeremy Sowden (4):
  netfilter: nat: extend core support for shifted port-ranges
  netfilter: nft_nat: add support for shifted port-ranges
  netfilter: nft_masq: add support for shifted port-ranges
  netfilter: nft_redir: add support for shifted port-ranges

 include/uapi/linux/netfilter/nf_tables.h |  6 ++++
 net/netfilter/nf_nat_core.c              |  3 ++
 net/netfilter/nf_nat_masquerade.c        |  2 ++
 net/netfilter/nf_nat_redirect.c          |  1 +
 net/netfilter/nft_masq.c                 | 25 ++++++++++++++-
 net/netfilter/nft_nat.c                  | 41 ++++++++++++++++++------
 net/netfilter/nft_redir.c                | 23 ++++++++++++-
 7 files changed, 89 insertions(+), 12 deletions(-)

-- 
2.39.2