diff options
| author | Arturo Borrero <arturo.borrero.glez@gmail.com> | 2014-09-04 08:06:14 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-09-09 10:31:27 -0400 |
| commit | e42eff8a32f8b7bde88ea3c5a56391407cbe84f3 (patch) | |
| tree | 39ca3eca0d99acea8c49fc73e79244c63e191af5 /include/uapi/linux | |
| parent | b9ac12ef099707f405d7478009564302d7ed8393 (diff) | |
netfilter: nft_nat: include a flag attribute
Both SNAT and DNAT (and the upcoming masquerade) can have additional
configuration parameters, such as port randomization and NAT addressing
persistence. We can cover these scenarios by simply adding a flag
attribute for userspace to fill when needed.
The flags to use are defined in include/uapi/linux/netfilter/nf_nat.h:
NF_NAT_RANGE_MAP_IPS
NF_NAT_RANGE_PROTO_SPECIFIED
NF_NAT_RANGE_PROTO_RANDOM
NF_NAT_RANGE_PERSISTENT
NF_NAT_RANGE_PROTO_RANDOM_FULLY
NF_NAT_RANGE_PROTO_RANDOM_ALL
The caller must take care of not messing up with the flags, as they are
added unconditionally to the final resulting nf_nat_range.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/nf_nat.h | 5 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 2 |
2 files changed, 7 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h index 1ad3659102b6..0880781ad7b6 100644 --- a/include/uapi/linux/netfilter/nf_nat.h +++ b/include/uapi/linux/netfilter/nf_nat.h | |||
| @@ -13,6 +13,11 @@ | |||
| 13 | #define NF_NAT_RANGE_PROTO_RANDOM_ALL \ | 13 | #define NF_NAT_RANGE_PROTO_RANDOM_ALL \ |
| 14 | (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) | 14 | (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) |
| 15 | 15 | ||
| 16 | #define NF_NAT_RANGE_MASK \ | ||
| 17 | (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \ | ||
| 18 | NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \ | ||
| 19 | NF_NAT_RANGE_PROTO_RANDOM_FULLY) | ||
| 20 | |||
| 16 | struct nf_nat_ipv4_range { | 21 | struct nf_nat_ipv4_range { |
| 17 | unsigned int flags; | 22 | unsigned int flags; |
| 18 | __be32 min_ip; | 23 | __be32 min_ip; |
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index c000947d3f38..6022c6e6be18 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h | |||
| @@ -785,6 +785,7 @@ enum nft_nat_types { | |||
| 785 | * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) | 785 | * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) |
| 786 | * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) | 786 | * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) |
| 787 | * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) | 787 | * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) |
| 788 | * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) | ||
| 788 | */ | 789 | */ |
| 789 | enum nft_nat_attributes { | 790 | enum nft_nat_attributes { |
| 790 | NFTA_NAT_UNSPEC, | 791 | NFTA_NAT_UNSPEC, |
| @@ -794,6 +795,7 @@ enum nft_nat_attributes { | |||
| 794 | NFTA_NAT_REG_ADDR_MAX, | 795 | NFTA_NAT_REG_ADDR_MAX, |
| 795 | NFTA_NAT_REG_PROTO_MIN, | 796 | NFTA_NAT_REG_PROTO_MIN, |
| 796 | NFTA_NAT_REG_PROTO_MAX, | 797 | NFTA_NAT_REG_PROTO_MAX, |
| 798 | NFTA_NAT_FLAGS, | ||
| 797 | __NFTA_NAT_MAX | 799 | __NFTA_NAT_MAX |
| 798 | }; | 800 | }; |
| 799 | #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) | 801 | #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) |