@@ -243,6 +243,7 @@ enum {
NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE,
NFTNL_EXPR_MASQ_REG_PROTO_MIN,
NFTNL_EXPR_MASQ_REG_PROTO_MAX,
+ NFTNL_EXPR_MASQ_REG_PROTO_BASE,
};
enum {
@@ -1453,12 +1453,14 @@ enum nft_tproxy_attributes {
* @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
* @NFTA_MASQ_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
* @NFTA_MASQ_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ * @NFTA_MASQ_REG_PROTO_BASE: source register of proto range base offset (NLA_U32: nft_registers)
*/
enum nft_masq_attributes {
NFTA_MASQ_UNSPEC,
NFTA_MASQ_FLAGS,
NFTA_MASQ_REG_PROTO_MIN,
NFTA_MASQ_REG_PROTO_MAX,
+ NFTA_MASQ_REG_PROTO_BASE,
__NFTA_MASQ_MAX
};
#define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1)
@@ -24,11 +24,12 @@ struct nftnl_expr_masq {
uint32_t flags;
enum nft_registers sreg_proto_min;
enum nft_registers sreg_proto_max;
+ enum nft_registers sreg_proto_base;
};
static int
nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
- const void *data, uint32_t data_len)
+ const void *data, uint32_t data_len)
{
struct nftnl_expr_masq *masq = nftnl_expr_data(e);
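Review bot: The re-indentation of the `const void *data, uint32_t data_len)` continuation line is a whitespace-only change unrelated to the new register, and the same applies to the `uint32_t *data_len)` line in the nftnl_expr_masq_get hunk below. Keeping such alignment fixes in a separate cleanup commit would leave this feature diff with only its functional lines (the new `sreg_proto_base` member and the cases that use it), which makes it easier to audit and to bisect. nftnl_expr_masq_set's body continues outside the hunk.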
@@ -42,6 +43,9 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max));
break;
+ case NFTNL_EXPR_MASQ_REG_PROTO_BASE:
+ memcpy(&masq->sreg_proto_base, data, sizeof(masq->sreg_proto_base));
+ break;
default:
return -1;
}
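Review bot: The new NFTNL_EXPR_MASQ_REG_PROTO_BASE case copies `sizeof(masq->sreg_proto_base)` bytes out of `data` without consulting `data_len`, so a caller that passes a shorter buffer than the register type would be over-read. The neighbouring PROTO_MIN/PROTO_MAX cases share the pattern, so the length check presumably lives in the generic nftnl_expr_set path that nftnl_expr_set_u32 goes through — worth confirming that path enforces it before relying on it here. Making the assumption explicit with a comment on the switch, such as `/* data_len is trusted; callers are expected to use nftnl_expr_set_u32() */`, would help the next reader. The enclosing switch and function start outside the hunk.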
@@ -50,7 +54,7 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
static const void *
nftnl_expr_masq_get(const struct nftnl_expr *e, uint16_t type,
- uint32_t *data_len)
+ uint32_t *data_len)
{
struct nftnl_expr_masq *masq = nftnl_expr_data(e);
@@ -64,6 +68,9 @@ nftnl_expr_masq_get(const struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
*data_len = sizeof(masq->sreg_proto_max);
return &masq->sreg_proto_max;
+ case NFTNL_EXPR_MASQ_REG_PROTO_BASE:
+ *data_len = sizeof(masq->sreg_proto_base);
+ return &masq->sreg_proto_base;
}
return NULL;
}
@@ -79,6 +86,7 @@ static int nftnl_expr_masq_cb(const struct nlattr *attr, void *data)
switch (type) {
case NFTA_MASQ_REG_PROTO_MIN:
case NFTA_MASQ_REG_PROTO_MAX:
+ case NFTA_MASQ_REG_PROTO_BASE:
case NFTA_MASQ_FLAGS:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
@@ -102,6 +110,9 @@ nftnl_expr_masq_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX))
mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MAX,
htobe32(masq->sreg_proto_max));
+ if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_BASE))
+ mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_BASE,
+ htobe32(masq->sreg_proto_base));
}
static int
@@ -127,6 +138,11 @@ nftnl_expr_masq_parse(struct nftnl_expr *e, struct nlattr *attr)
be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MAX]));
e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX);
}
+ if (tb[NFTA_MASQ_REG_PROTO_BASE]) {
+ masq->sreg_proto_base =
+ be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_BASE]));
+ e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_BASE);
+ }
return 0;
}
@@ -147,6 +163,11 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain,
masq->sreg_proto_max);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
+ if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_BASE)) {
+ ret = snprintf(buf + offset, remain, "proto_base reg %u ",
+ masq->sreg_proto_base);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
if (e->flags & (1 << NFTNL_EXPR_MASQ_FLAGS)) {
ret = snprintf(buf + offset, remain, "flags 0x%x ", masq->flags);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
@@ -37,6 +37,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_MASQ_REG_PROTO_MAX) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_MASQ_REG_PROTO_MAX))
print_err("Expr NFTNL_EXPR_MASQ_REG_PROTO_MAX mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_MASQ_REG_PROTO_BASE) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_MASQ_REG_PROTO_BASE))
+ print_err("Expr NFTNL_EXPR_MASQ_REG_PROTO_BASE mismatches");
}
int main(int argc, char *argv[])
@@ -59,6 +62,7 @@ int main(int argc, char *argv[])
nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_FLAGS, 0x1234568);
nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_REG_PROTO_MIN, 0x5432178);
nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_REG_PROTO_MAX, 0x8765421);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_REG_PROTO_BASE, 0x0f1facdb);
nftnl_rule_add_expr(a, ex);
Support for using shift port-ranges when masquerading has now been added to the nft_masq kernel module, so make it available in user space. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> --- include/libnftnl/expr.h | 1 + include/linux/netfilter/nf_tables.h | 2 ++ src/expr/masq.c | 25 +++++++++++++++++++++++-- tests/nft-expr_masq-test.c | 4 ++++ 4 files changed, 30 insertions(+), 2 deletions(-)