From patchwork Sun Mar 5 10:14:11 2023
X-Patchwork-Submitter: Jeremy Sowden
X-Patchwork-Id: 1751889
X-Patchwork-Delegate: pablo@netfilter.org
From: Jeremy Sowden
To: Netfilter Devel
Subject: [PATCH nftables 1/8] nat: add support for shifted port-ranges
Date: Sun, 5 Mar 2023 10:14:11 +0000
Message-Id: <20230305101418.2233910-2-jeremy@azazel.net>
In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net>
References: <20230305101418.2233910-1-jeremy@azazel.net>

Support for shifted port-ranges was added to iptables for DNAT in 2018. This allows one to redirect packets intended for one port to another in a range in such a way that the new port chosen has the same offset in the range as the original port had from a specified base value.

For example, by using the base value 2000, one could redirect packets intended for 10.0.0.1:2000-3000 to 10.10.0.1:12000-13000 so that the old and new ports were at the same offset in their respective ranges, i.e.:

  10.0.0.1:2345 -> 10.10.0.1:12345

Make this functionality available in nftables:

  add rule t c ip daddr 10.0.0.1 tcp dport 2000-3000 dnat to 10.10.0.1:12000-13000/2000 persistent

In contrast to iptables, where shifting is only available for DNAT, both DNAT and SNAT are supported.

Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970672
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1501
Signed-off-by: Jeremy Sowden --- include/statement.h | 1 + src/evaluate.c | 10 ++++++++++ src/netlink_delinearize.c | 16 +++++++++++++++- src/netlink_linearize.c | 19 +++++++++++++++---- src/parser_bison.y | 33 +++++++++++++++++++++++++++++++-- src/statement.c | 4 ++++ 6 files changed, 76 insertions(+), 7 deletions(-) diff --git a/include/statement.h b/include/statement.h index 720a6ac2c754..762ea45d4b89 100644 --- a/include/statement.h +++ b/include/statement.h @@ -144,6 +144,7 @@ struct nat_stmt { enum nft_nat_etypes type; struct expr *addr; struct expr *proto; + struct expr *proto_base; uint32_t flags; uint8_t family; uint32_t type_flags; diff --git a/src/evaluate.c b/src/evaluate.c index 47caf3b0d716..339c428e5aa9 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3772,6 +3772,16 @@ static int stmt_evaluate_nat(struct eval_ctx *ctx, struct stmt *stmt) return err; stmt->nat.flags |= NF_NAT_RANGE_PROTO_SPECIFIED; + + if (stmt->nat.proto_base != NULL) { + err = stmt_evaluate_arg(ctx, stmt, + &inet_service_type, + sizeof(uint16_t) * BITS_PER_BYTE, + BYTEORDER_BIG_ENDIAN, + &stmt->nat.proto_base); + if (err < 0) + return err; + } } stmt->flags |= STMT_F_TERMINAL; diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 60350cd6cd96..bdfd37870b50 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1257,7 +1257,7 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, { struct stmt *stmt; struct expr *addr, *proto; - enum nft_registers reg1, reg2; + enum nft_registers reg1, reg2, reg3; int family; stmt = nat_stmt_alloc(loc, 
@@ -1352,6 +1352,20 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx, if (stmt->nat.proto != NULL) proto = range_expr_alloc(loc, stmt->nat.proto, proto); stmt->nat.proto = proto; + + reg3 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_BASE); + if (reg3) { + proto = netlink_get_register(ctx, loc, reg3); + if (proto == NULL) { + netlink_error(ctx, loc, + "NAT statement has no proto offset expression"); + goto out_err; + } + + expr_set_type(proto, &inet_service_type, + BYTEORDER_BIG_ENDIAN); + stmt->nat.proto_base = proto; + } } ctx->stmt = stmt; diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 11cf48a3f9d0..72a38341e39e 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -1195,11 +1195,11 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx, { struct nftnl_expr *nle; enum nft_registers amin_reg, amax_reg; - enum nft_registers pmin_reg, pmax_reg; + enum nft_registers pmin_reg, pmax_reg, pbase_reg; uint8_t family = 0; int registers = 0; int nftnl_flag_attr; - int nftnl_reg_pmin, nftnl_reg_pmax; + int nftnl_reg_pmin, nftnl_reg_pmax, nftnl_reg_pbase; switch (stmt->nat.type) { case NFT_NAT_SNAT: @@ -1211,8 +1211,9 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx, nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_FAMILY, family); nftnl_flag_attr = NFTNL_EXPR_NAT_FLAGS; - nftnl_reg_pmin = NFTNL_EXPR_NAT_REG_PROTO_MIN; - nftnl_reg_pmax = NFTNL_EXPR_NAT_REG_PROTO_MAX; + nftnl_reg_pmin = NFTNL_EXPR_NAT_REG_PROTO_MIN; + nftnl_reg_pmax = NFTNL_EXPR_NAT_REG_PROTO_MAX; + nftnl_reg_pbase = NFTNL_EXPR_NAT_REG_PROTO_BASE; break; case NFT_NAT_MASQ: nle = alloc_nft_expr("masq"); 
@@ -1308,6 +1309,16 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx, netlink_gen_expr(ctx, stmt->nat.proto->right, pmax_reg); netlink_put_register(nle, nftnl_reg_pmin, pmin_reg); netlink_put_register(nle, nftnl_reg_pmax, pmax_reg); + + if (stmt->nat.proto_base) { + pbase_reg = get_register(ctx, NULL); + registers++; + + netlink_gen_expr(ctx, stmt->nat.proto_base, + pbase_reg); + netlink_put_register(nle, nftnl_reg_pbase, + pbase_reg); + } } else { netlink_gen_expr(ctx, stmt->nat.proto, pmin_reg); netlink_put_register(nle, nftnl_reg_pmin, pmin_reg); diff --git a/src/parser_bison.y b/src/parser_bison.y index b1b67623cf66..c4e274544355 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -3833,24 +3833,53 @@ nat_stmt_args : stmt_expr $0->nat.addr = $1; $0->nat.proto = $3; } + | stmt_expr COLON range_stmt_expr SLASH primary_stmt_expr + { + $0->nat.addr = $1; + $0->nat.proto = $3; + $0->nat.proto_base = $5; + } | TO stmt_expr COLON stmt_expr { $0->nat.addr = $2; $0->nat.proto = $4; } + | TO stmt_expr COLON range_stmt_expr SLASH primary_stmt_expr + { + $0->nat.addr = $2; + $0->nat.proto = $4; + $0->nat.proto_base = $6; + } | nf_key_proto TO stmt_expr COLON stmt_expr { $0->nat.family = $1; $0->nat.addr = $3; $0->nat.proto = $5; } - | COLON stmt_expr + | nf_key_proto TO stmt_expr COLON range_stmt_expr SLASH primary_stmt_expr + { + $0->nat.family = $1; + $0->nat.addr = $3; + $0->nat.proto = $5; + $0->nat.proto_base = $7; + } + | COLON stmt_expr + { + $0->nat.proto = $2; + } + | COLON range_stmt_expr SLASH primary_stmt_expr { $0->nat.proto = $2; + $0->nat.proto_base = $4; + } + | TO COLON stmt_expr + { + $0->nat.proto = $3; } - | TO COLON stmt_expr + | TO COLON range_stmt_expr SLASH primary_stmt_expr { $0->nat.proto = $3; + $0->nat.proto_base = $5; } | nat_stmt_args nf_nat_flags { diff --git a/src/statement.c b/src/statement.c index 72455522c2c9..23eee84eb4dc 100644 --- a/src/statement.c +++ b/src/statement.c 
@@ -733,6 +733,10 @@ static void nat_stmt_print(const struct stmt *stmt, struct output_ctx *octx) nft_print(octx, " "); nft_print(octx, ":"); expr_print(stmt->nat.proto, octx); + if (stmt->nat.proto_base) { + nft_print(octx, "/"); + expr_print(stmt->nat.proto_base, octx); + } } print_nf_nat_flags(stmt->nat.flags, octx);
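Review bot: the evaluate.c hunk validates proto_base as an inet_service but leaves stmt->nat.flags alone; only NF_NAT_RANGE_PROTO_SPECIFIED is OR-ed in just above the new block. Unless the kernel expression infers shifted mode from the mere presence of the base register, a corresponding range flag has to be set here next to NF_NAT_RANGE_PROTO_SPECIFIED, and the commit message should state which of the two conventions the kernel side follows, since `persistent` is the only flag it mentions.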
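Review bot: in the netlink_linearize.c hunks, `nftnl_reg_pbase` is declared without an initialiser at @@ -1195 and assigned only in the SNAT/DNAT case at @@ -1211, yet the `if (stmt->nat.proto_base)` block at @@ -1308 reads it for every nat type; within this patch the grammar cannot set proto_base for masq or redir, but a maybe-uninitialised warning is likely until patches 2 and 3 land, so either initialise it to -1 or assign all three NFTNL_EXPR_*_REG_PROTO_BASE attributes in one patch. NFTNL_EXPR_NAT_REG_PROTO_BASE is also a new libnftnl attribute: the cover letter or this message should name the libnftnl and kernel versions that provide it, and the build's minimum libnftnl version needs bumping so the tree does not fail to compile against released headers.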
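Review bot: the parser_bison.y hunk adds six alternatives that differ from their existing siblings only by a trailing `SLASH primary_stmt_expr`; because `stmt_expr` itself derives a range, bison must choose between reducing `range_stmt_expr` towards `stmt_expr` and shifting `SLASH` on one token of lookahead. Please confirm the build reports no new shift/reduce conflicts, and note in the message that a `/` after a port range is now reserved for the base port so it cannot be confused with the prefix-length `/` of address expressions.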
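Review bot: the statement.c hunk teaches listing to print the new `/base` suffix, but the diffstat touches no documentation; the `ADDR:MIN-MAX/BASE` form and its meaning (new port = first port of the range + original port - base) need an entry in the nat statement's man page section, and the rule from this commit message is a ready-made example for it.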
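The port mapping that the commit message above describes, as an added example in C that is not part of the patch or of nftables: it parses the `MIN-MAX/BASE` part of the new `dnat to ADDR:MIN-MAX/BASE` syntax, maps a packet's original port to the shifted one, and checks that a matched port range fits inside the NAT range. Treating a port whose offset falls outside the range as unmappable, instead of wrapping it, is this example's own assumption; the commit message does not define that case.

```c
/* Added example, not nftables code: models the shifted port-range mapping
 * described in the commit message ("dnat to ADDR:MIN-MAX/BASE").
 * Assumption: a port whose offset from BASE does not fit into MIN-MAX is
 * reported as unmappable rather than wrapped; the message leaves this open. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct shifted_range {
	uint16_t min;	/* first port of the NAT range, e.g. 12000 */
	uint16_t max;	/* last port of the NAT range, e.g. 13000 */
	uint16_t base;	/* original port that maps to min, e.g. 2000 */
};

/* Parse the text after the colon, e.g. "12000-13000/2000".
 * Returns 0 on success, -1 if the spec is malformed or out of 16-bit range. */
int parse_shifted_range(const char *spec, struct shifted_range *r)
{
	unsigned long min, max, base;
	char *end;

	min = strtoul(spec, &end, 10);
	if (end == spec || *end != '-' || min > UINT16_MAX)
		return -1;
	spec = end + 1;
	max = strtoul(spec, &end, 10);
	if (end == spec || *end != '/' || max > UINT16_MAX || max < min)
		return -1;
	spec = end + 1;
	base = strtoul(spec, &end, 10);
	if (end == spec || *end != '\0' || base > UINT16_MAX)
		return -1;

	r->min = (uint16_t)min;
	r->max = (uint16_t)max;
	r->base = (uint16_t)base;
	return 0;
}

/* Map an original port: new = min + (orig - base).
 * Returns 1 and stores the new port in *out, or 0 when orig lies below base
 * or its offset would land past max (the assumed error case). */
int shifted_port(const struct shifted_range *r, uint16_t orig, uint16_t *out)
{
	uint32_t off;

	if (orig < r->base)
		return 0;
	off = (uint32_t)orig - r->base;
	if ((uint32_t)r->min + off > r->max)
		return 0;
	*out = (uint16_t)(r->min + off);
	return 1;
}

/* Check that every port the rule matches (mmin-mmax, e.g. "tcp dport
 * 2000-3000") maps inside the NAT range. The mapping is monotonic, so the
 * two endpoints decide it. */
int range_covers(const struct shifted_range *r, uint16_t mmin, uint16_t mmax)
{
	uint16_t lo, hi;

	if (mmin > mmax)
		return 0;
	return shifted_port(r, mmin, &lo) && shifted_port(r, mmax, &hi);
}

int main(void)
{
	/* The commit message's rule: tcp dport 2000-3000 dnat to 12000-13000/2000 */
	const uint16_t probes[] = { 1999, 2000, 2345, 3000, 3001 };
	struct shifted_range r;
	size_t i;

	if (parse_shifted_range("12000-13000/2000", &r) < 0) {
		fprintf(stderr, "malformed range spec\n");
		return 1;
	}
	printf("match 2000-3000 fits 12000-13000/2000: %s\n",
	       range_covers(&r, 2000, 3000) ? "yes" : "no");
	printf("match 2000-3500 fits 12000-13000/2000: %s\n",
	       range_covers(&r, 2000, 3500) ? "yes" : "no");

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		uint16_t out;

		if (shifted_port(&r, probes[i], &out))
			printf("10.0.0.1:%u -> 10.10.0.1:%u\n",
			       (unsigned)probes[i], (unsigned)out);
		else
			printf("10.0.0.1:%u -> no port in 12000-13000\n",
			       (unsigned)probes[i]);
	}
	return 0;
}
```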
From patchwork Sun Mar 5 10:14:12 2023
X-Patchwork-Submitter: Jeremy Sowden
X-Patchwork-Id: 1751890
X-Patchwork-Delegate: pablo@netfilter.org
From: Jeremy Sowden
To: Netfilter Devel
Subject: [PATCH nftables 2/8] masq: add support for shifted port-ranges
Date: Sun, 5 Mar 2023 10:14:12 +0000
Message-Id: <20230305101418.2233910-3-jeremy@azazel.net>
In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net>
References: <20230305101418.2233910-1-jeremy@azazel.net>

Support for shifted port-ranges was recently added for nat statements. Extend this to masq statements.
Signed-off-by: Jeremy Sowden --- src/netlink_delinearize.c | 16 +++++++++++++++- src/netlink_linearize.c | 5 +++-- src/parser_bison.y | 11 +++++++++++ 3 files changed, 29 insertions(+), 3 deletions(-) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index bdfd37870b50..867ca914cf96 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1442,7 +1442,7 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, const struct location *loc, const struct nftnl_expr *nle) { - enum nft_registers reg1, reg2; + enum nft_registers reg1, reg2, reg3; struct expr *proto; struct stmt *stmt; uint32_t flags = 0; @@ -1477,6 +1477,20 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx, if (stmt->nat.proto != NULL) proto = range_expr_alloc(loc, stmt->nat.proto, proto); stmt->nat.proto = proto; + + reg3 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_BASE); + if (reg3) { + proto = netlink_get_register(ctx, loc, reg3); + if (proto == NULL) { + netlink_error(ctx, loc, + "MASQUERADE statement has no base proto expression"); + goto out_err; + } + + expr_set_type(proto, &inet_service_type, + BYTEORDER_BIG_ENDIAN); + stmt->nat.proto_base = proto; + } } ctx->stmt = stmt; diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 72a38341e39e..a018290a7f56 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -1219,8 +1219,9 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx, nle = alloc_nft_expr("masq"); nftnl_flag_attr = NFTNL_EXPR_MASQ_FLAGS; - nftnl_reg_pmin = NFTNL_EXPR_MASQ_REG_PROTO_MIN; - nftnl_reg_pmax = NFTNL_EXPR_MASQ_REG_PROTO_MAX; + nftnl_reg_pmin = NFTNL_EXPR_MASQ_REG_PROTO_MIN; + nftnl_reg_pmax = NFTNL_EXPR_MASQ_REG_PROTO_MAX; + nftnl_reg_pbase = NFTNL_EXPR_MASQ_REG_PROTO_BASE; break; case NFT_NAT_REDIR: nle = alloc_nft_expr("redir"); diff --git a/src/parser_bison.y b/src/parser_bison.y index c4e274544355..8a7c5f066daa 100644 --- a/src/parser_bison.y 
+++ b/src/parser_bison.y 
@@ -3928,11 +3928,22 @@ masq_stmt_args : TO COLON stmt_expr { $0->nat.proto = $3; } + | TO COLON range_stmt_expr SLASH primary_stmt_expr + { + $0->nat.proto = $3; + $0->nat.proto_base = $5; + } | TO COLON stmt_expr nf_nat_flags { $0->nat.proto = $3; $0->nat.flags = $4; } + | TO COLON range_stmt_expr SLASH primary_stmt_expr nf_nat_flags + { + $0->nat.proto = $3; + $0->nat.proto_base = $5; + $0->nat.flags = $6; + } | nf_nat_flags { $0->nat.flags = $1;
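Review bot: the error string in the netlink_delinearize.c hunk, "MASQUERADE statement has no base proto expression", describes the same register that patch 1 calls a "proto offset expression" in its nat hunk; pick one term (the struct member is proto_base) and use it in all three statements. The reg3 block itself is a line-for-line copy of the nat one, differing only in the NFTNL_EXPR_MASQ_REG_PROTO_BASE attribute and the statement name in the message, so a small helper taking those two values would keep the three parsers from drifting apart.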
From patchwork Sun Mar 5 10:14:13 2023
X-Patchwork-Submitter: Jeremy Sowden
X-Patchwork-Id: 1751893
X-Patchwork-Delegate: pablo@netfilter.org
From: Jeremy Sowden
To: Netfilter Devel
Subject: [PATCH nftables 3/8] redir: add support for shifted port-ranges
Date: Sun, 5 Mar 2023 10:14:13 +0000
Message-Id: <20230305101418.2233910-4-jeremy@azazel.net>
In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net>
References: <20230305101418.2233910-1-jeremy@azazel.net>

Support for shifted port-ranges was recently added to nat statements. Extend this to redir statements.

Signed-off-by: Jeremy Sowden --- src/netlink_delinearize.c | 16 +++++++++++++++- src/netlink_linearize.c | 5 +++-- src/parser_bison.y | 11 +++++++++++ 3 files changed, 29 insertions(+), 3 deletions(-) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 867ca914cf96..0c48cdd70428 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -1505,7 +1505,7 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, { struct stmt *stmt; struct expr *proto; - enum nft_registers reg1, reg2; + enum nft_registers reg1, reg2, reg3; uint32_t flags; stmt = nat_stmt_alloc(loc, NFT_NAT_REDIR);
@@ -1542,6 +1542,20 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx, proto = range_expr_alloc(loc, stmt->nat.proto, proto); stmt->nat.proto = proto; + + reg3 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_BASE); + if (reg3) { + proto = netlink_get_register(ctx, loc, reg3); + if (proto == NULL) { + netlink_error(ctx, loc, + "redirect statement has no base proto expression"); + goto out_err; + } + + expr_set_type(proto, &inet_service_type, + BYTEORDER_BIG_ENDIAN); + stmt->nat.proto_base = proto; + } } ctx->stmt = stmt; diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index a018290a7f56..684cfdcaf91c 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -1227,8 +1227,9 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx, nle = alloc_nft_expr("redir"); nftnl_flag_attr = NFTNL_EXPR_REDIR_FLAGS; - nftnl_reg_pmin = NFTNL_EXPR_REDIR_REG_PROTO_MIN; - nftnl_reg_pmax = NFTNL_EXPR_REDIR_REG_PROTO_MAX; + nftnl_reg_pmin = NFTNL_EXPR_REDIR_REG_PROTO_MIN; + nftnl_reg_pmax = NFTNL_EXPR_REDIR_REG_PROTO_MAX; + nftnl_reg_pbase = NFTNL_EXPR_REDIR_REG_PROTO_BASE; break; default: BUG("unknown nat type %d\n", stmt->nat.type); diff --git a/src/parser_bison.y b/src/parser_bison.y index 8a7c5f066daa..5b8e48363233 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -3965,6 +3965,11 @@ redir_stmt_arg : TO stmt_expr { $0->nat.proto = $3; } + | TO COLON range_stmt_expr SLASH primary_stmt_expr + { + $0->nat.proto = $3; + $0->nat.proto_base = $5; + } | nf_nat_flags { $0->nat.flags = $1; 
@@ -3979,6 +3984,12 @@ redir_stmt_arg : TO stmt_expr $0->nat.proto = $3; $0->nat.flags = $4; } + | TO COLON range_stmt_expr SLASH primary_stmt_expr nf_nat_flags + { + $0->nat.proto = $3; + $0->nat.proto_base = $5; + $0->nat.flags = $6; + } ; dup_stmt : DUP TO stmt_expr
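Review bot: the two parser_bison.y hunks add the range form to redir_stmt_arg twice, once bare and once with a trailing `nf_nat_flags`, exactly as patch 2 does for masq_stmt_args; nat_stmt_args instead has a single recursive `nat_stmt_args nf_nat_flags` alternative (visible in patch 1's hunk), and giving masq_stmt_args and redir_stmt_arg the same shape, in a preparatory patch, would mean each new argument form is written once rather than in duplicate. The netlink_delinearize.c hunk has the same wording question as patch 2: "redirect statement has no base proto expression" versus patch 1's "proto offset expression".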
From patchwork Sun Mar 5 10:14:14 2023
X-Patchwork-Submitter: Jeremy Sowden
X-Patchwork-Id: 1751896
X-Patchwork-Delegate: pablo@netfilter.org
From: Jeremy Sowden
To: Netfilter Devel
Subject: [PATCH nftables 4/8] json: formatting fixes
Date: Sun, 5 Mar 2023 10:14:14 +0000
Message-Id: <20230305101418.2233910-5-jeremy@azazel.net>
In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net>
References: <20230305101418.2233910-1-jeremy@azazel.net>

A few indentation tweaks for the JSON parser.
Signed-off-by: Jeremy Sowden --- src/parser_json.c | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/src/parser_json.c b/src/parser_json.c index ec0c02a044e2..d8d4f1b79e6e 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -610,7 +610,7 @@ static struct expr *json_parse_tcp_option_expr(struct json_ctx *ctx, struct expr *expr; if (!json_unpack(root, "{s:i, s:i, s:i}", - "base", &kind, "offset", &offset, "len", &len)) { + "base", &kind, "offset", &offset, "len", &len)) { uint32_t flag = 0; if (kind < 0 || kind > 255) @@ -681,7 +681,7 @@ static int json_parse_ip_option_field(int type, const char *name, int *val) } static struct expr *json_parse_ip_option_expr(struct json_ctx *ctx, - const char *type, json_t *root) + const char *type, json_t *root) { const char *desc, *field; int descval, fieldval; @@ -697,7 +697,7 @@ static struct expr *json_parse_ip_option_expr(struct json_ctx *ctx, if (json_unpack(root, "{s:s}", "field", &field)) { expr = ipopt_expr_alloc(int_loc, descval, - IPOPT_FIELD_TYPE); + IPOPT_FIELD_TYPE); expr->exthdr.flags = NFT_EXTHDR_F_PRESENT; return expr; @@ -1084,13 +1084,13 @@ static struct expr *json_parse_fib_expr(struct json_ctx *ctx, } if ((flagval & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) == - (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) { + (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) { json_error(ctx, "fib: saddr and daddr are mutually exclusive"); return NULL; } if ((flagval & (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) == - (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) { + (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) { json_error(ctx, "fib: iif and oif are mutually exclusive"); return NULL; } @@ -1686,7 +1686,7 @@ static struct stmt *json_parse_match_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_counter_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { uint64_t packets, bytes; struct stmt *stmt; 
@@ -1695,8 +1695,8 @@ static struct stmt *json_parse_counter_stmt(struct json_ctx *ctx, return counter_stmt_alloc(int_loc); if (!json_unpack(value, "{s:I, s:I}", - "packets", &packets, - "bytes", &bytes)) { + "packets", &packets, + "bytes", &bytes)) { stmt = counter_stmt_alloc(int_loc); stmt->counter.packets = packets; stmt->counter.bytes = bytes; @@ -1727,14 +1727,14 @@ static struct stmt *json_parse_verdict_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_mangle_stmt(struct json_ctx *ctx, - const char *type, json_t *root) + const char *type, json_t *root) { json_t *jkey, *jvalue; struct expr *key, *value; struct stmt *stmt; if (json_unpack_err(ctx, root, "{s:o, s:o}", - "key", &jkey, "value", &jvalue)) + "key", &jkey, "value", &jvalue)) return NULL; key = json_parse_mangle_lhs_expr(ctx, jkey); @@ -1787,7 +1787,7 @@ static uint64_t rate_to_bytes(uint64_t val, const char *unit) } static struct stmt *json_parse_quota_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { struct stmt *stmt; int inv = 0; @@ -1937,7 +1937,7 @@ static struct stmt *json_parse_flow_offload_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_notrack_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { return notrack_stmt_alloc(int_loc); } @@ -1975,7 +1975,7 @@ static struct stmt *json_parse_dup_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_secmark_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { struct stmt *stmt; @@ -2047,7 +2047,7 @@ static int json_parse_nat_flags(struct json_ctx *ctx, json_t *root) } static int json_parse_nat_type_flag(struct json_ctx *ctx, - json_t *root, int *flags) + json_t *root, int *flags) { const struct { const char *flag; 
@@ -2162,7 +2162,6 @@ static struct stmt *json_parse_nat_stmt(struct json_ctx *ctx, } stmt->nat.flags = flags; } - if (!json_unpack(value, "{s:o}", "type_flags", &tmp)) { int flags = json_parse_nat_type_flags(ctx, tmp); @@ -2177,7 +2176,7 @@ static struct stmt *json_parse_nat_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_tproxy_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { json_t *jaddr, *tmp; struct stmt *stmt; @@ -2213,7 +2212,7 @@ out_free: } static struct stmt *json_parse_reject_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { struct stmt *stmt = reject_stmt_alloc(int_loc); const struct datatype *dtype = NULL; @@ -2256,8 +2255,8 @@ static struct stmt *json_parse_reject_stmt(struct json_ctx *ctx, } static void json_parse_set_stmt_list(struct json_ctx *ctx, - struct list_head *stmt_list, - json_t *stmt_json) + struct list_head *stmt_list, + json_t *stmt_json) { struct list_head *head; struct stmt *tmp; @@ -2279,7 +2278,7 @@ static void json_parse_set_stmt_list(struct json_ctx *ctx, } static struct stmt *json_parse_set_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { const char *opstr, *set; struct expr *expr, *expr2; 
@@ -2562,7 +2561,7 @@ static struct stmt *json_parse_cthelper_stmt(struct json_ctx *ctx, } static struct stmt *json_parse_cttimeout_stmt(struct json_ctx *ctx, - const char *key, json_t *value) + const char *key, json_t *value) { struct stmt *stmt = objref_stmt_alloc(int_loc);
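Review bot: the hunk at @@ -2162 in json_parse_nat_stmt deletes a blank line rather than re-indenting anything, so the commit message ("A few indentation tweaks") does not quite describe it; every other hunk only realigns continuation lines with the opening parenthesis. It would help reviewers to say in the message that `git diff -w --ignore-blank-lines` against the parent is empty, which makes the whitespace-only nature of the patch verifiable at a glance.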
Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=IDH7mdRQXnt60IONd6+Tu7cSAGQgeBx9E/LMAK1zgF4=; b=GLOLS9DrFAmNH34wbau+CFIqos Q9gVAm694KGO8oEjWYSBDLA6kY3tdodMDbUZFTWwwqMhgSmRhi9RPfpM+Io8LdV+o5XKCHKTbeHxK n2z/CTW7wtH+iapFXEZRGiUKW7mNh7TvvhUNWUQ07SbIRQrNrqsnDdXsM0k1qFAxDjwH1JFZLogZk 98yMmU7xMLe41BlPSQT2FRqYTwBCSUC9dbzpNPuHbLvBKwXxXt5RMFsA0eB+wy86zHYz4TQ6crlh1 QH/x3e3dacUyvrFFKWeZy0Xh/UKTYHfXHES4BKUiedDBjdC68E0mUcKyjuclE4StLEHTAzxGiK010 DQYLWgBw==; Received: from ulthar.dreamlands.azazel.net ([2001:8b0:fb7d:d6d7:2e4d:54ff:fe4b:a9ae]) by kadath.azazel.net with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1pYlcv-00DzC0-BB for netfilter-devel@vger.kernel.org; Sun, 05 Mar 2023 10:30:01 +0000 From: Jeremy Sowden To: Netfilter Devel Subject: [PATCH nftables 5/8] json: add support for shifted nat port-ranges Date: Sun, 5 Mar 2023 10:14:15 +0000 Message-Id: <20230305101418.2233910-6-jeremy@azazel.net> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net> References: <20230305101418.2233910-1-jeremy@azazel.net> MIME-Version: 1.0 X-SA-Exim-Connect-IP: 2001:8b0:fb7d:d6d7:2e4d:54ff:fe4b:a9ae X-SA-Exim-Mail-From: jeremy@azazel.net X-SA-Exim-Scanned: No (on kadath.azazel.net); SAEximRunCond expanded to false X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RDNS_NONE,SPF_HELO_PASS, SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org Signed-off-by: Jeremy Sowden --- src/json.c | 4 ++++ src/parser_json.c | 8 ++++++++ 2 files changed, 12 insertions(+) 
diff --git a/src/json.c b/src/json.c index f15461d33894..f6874b94c7ec 100644 --- a/src/json.c +++ b/src/json.c @@ -1407,6 +1407,10 @@ json_t *nat_stmt_json(const struct stmt *stmt, struct output_ctx *octx) json_object_set_new(root, "port", expr_print_json(stmt->nat.proto, octx)); + if (stmt->nat.proto_base) + json_object_set_new(root, "base_port", + expr_print_json(stmt->nat.proto_base, octx)); + nat_stmt_add_array(root, "flags", array); if (stmt->nat.type_flags) { diff --git a/src/parser_json.c b/src/parser_json.c index d8d4f1b79e6e..fca9645c7e57 100644 --- a/src/parser_json.c +++ b/src/parser_json.c 
@@ -2153,6 +2153,14 @@ static struct stmt *json_parse_nat_stmt(struct json_ctx *ctx, return NULL; } } + if (!json_unpack(value, "{s:o}", "base_port", &tmp)) { + stmt->nat.proto_base = json_parse_stmt_expr(ctx, tmp); + if (!stmt->nat.proto) { + json_error(ctx, "Invalid nat base port."); + stmt_free(stmt); + return NULL; + } + } if (!json_unpack(value, "{s:o}", "flags", &tmp)) { int flags = json_parse_nat_flags(ctx, tmp);
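Review bot: the null check after parsing base_port tests the wrong field. The hunk assigns `stmt->nat.proto_base = json_parse_stmt_expr(ctx, tmp);` and then tests `if (!stmt->nat.proto) {`, so a base_port that fails to parse (json_parse_stmt_expr returning NULL) is accepted with proto_base left NULL whenever a "port" key was given, while a perfectly valid base_port is rejected with "Invalid nat base port." whenever no "port" key preceded it. The condition should be `if (!stmt->nat.proto_base) {`. Once that is fixed, consider also rejecting a base_port that arrives without a port, since the textual grammar only allows the base after a port range and the json.c side of this patch only emits base_port next to port; an explicit error here is clearer than whatever the kernel does with a proto_base and no proto range.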
From: Jeremy Sowden
To: Netfilter Devel
Subject: [PATCH nftables 6/8] doc: correct NAT statement description
Date: Sun, 5 Mar 2023 10:14:16 +0000
Message-Id: <20230305101418.2233910-7-jeremy@azazel.net>
In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net>

Specifying a port specifies that a port, not an address, should be modified.

Signed-off-by: Jeremy Sowden --- doc/statements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/statements.txt b/doc/statements.txt index 0532b2b16c7d..b2794bcd6821 100644 --- a/doc/statements.txt +++ b/doc/statements.txt
@@ -405,7 +405,7 @@ You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value. | ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping, e.g. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 } |port| -Specifies that the source/destination address of the packet should be modified. | +Specifies that the source/destination port of the packet should be modified. | port number (16 bit) |===============================
From: Jeremy Sowden
To: Netfilter Devel
Subject: [PATCH nftables 7/8] doc: add shifted port-ranges to nat statements
Date: Sun, 5 Mar 2023 10:14:17 +0000
Message-Id: <20230305101418.2233910-8-jeremy@azazel.net>
In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net>

Extend the description of ports to cover ranges and shifted ranges, and add an example of the latter.

Signed-off-by: Jeremy Sowden --- doc/statements.txt | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/statements.txt b/doc/statements.txt index b2794bcd6821..3dd3b98b6cb1 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -362,7 +362,7 @@ ____ *redirect* [*to :*'PORT_SPEC'] ['FLAGS'] 'ADDR_SPEC' := 'address' | 'address' *-* 'address' -'PORT_SPEC' := 'port' | 'port' *-* 'port' +'PORT_SPEC' := 'port' | 'port' *-* 'port' | 'port' *-* 'port' */* 'port' 'FLAGS' := 'FLAG' [*,* 'FLAGS'] 'FLAG' := *persistent* | *random* | *fully-random*
@@ -405,7 +405,10 @@ You may specify a mapping to relate a list of tuples composed of arbitrary expression key with address value. | ipv4_addr, ipv6_addr, e.g. abcd::1234, or you can use a mapping, e.g. meta mark map { 10 : 192.168.1.2, 20 : 192.168.1.3 } |port| -Specifies that the source/destination port of the packet should be modified. | +Specifies that the source/destination port of the packet should be modified. If +a range is given, the new port will be chosen from within that range. If a base +offset is also given, the offset of the new port in the range will match the +offset of the old port from the specified base.| port number (16 bit) |=============================== 
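Review bot: the type column of the |port| row still reads "port number (16 bit)" although the description now covers a range and a base, so a reader of the table alone will not learn that 'port' - 'port' and 'port' - 'port' / 'port' are accepted; update that cell to mirror the PORT_SPEC grammar from the first hunk. The new sentence "If a base offset is also given, the offset of the new port in the range will match the offset of the old port from the specified base" is correct, but the value after the slash is a plain port in the grammar, not an offset; calling it the "base port" in both places keeps the description and the grammar consistent.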
@@ -437,6 +440,10 @@ add rule nat postrouting oif eth0 snat to 1.2.3.4 # redirect all traffic entering via eth0 to destination address 192.168.1.120 add rule nat prerouting iif eth0 dnat to 192.168.1.120 +# redirect all traffic for address 10.0.0.1 and ports 2000-3000 to destination +# address 10.10.0.1 and the port at the matching offset in 12000-13000 +add rule nat prerouting ip daddr 10.0.0.1 tcp dport 2000-3000 dnat to 10.10.0.1:12000-13000/2000 + # translate source addresses of all packets leaving via eth0 to whatever # locally generated packets would use as source to reach the same destination add rule nat postrouting oif eth0 masquerade
From: Jeremy Sowden
To: Netfilter Devel
Subject: [PATCH nftables 8/8] test: py: add tests for shifted nat port-ranges
Date: Sun, 5 Mar 2023 10:14:18 +0000
Message-Id: <20230305101418.2233910-9-jeremy@azazel.net>
In-Reply-To: <20230305101418.2233910-1-jeremy@azazel.net>

Signed-off-by: Jeremy Sowden --- tests/py/inet/dnat.t | 3 + tests/py/inet/dnat.t.json | 91 +++++++++++++++++++++++++++ tests/py/inet/dnat.t.payload | 33 ++++++++++ tests/py/inet/snat.t | 3 + tests/py/inet/snat.t.json | 91 +++++++++++++++++++++++++++ tests/py/inet/snat.t.payload | 34 ++++++++++ tests/py/ip/masquerade.t | 1 + tests/py/ip/masquerade.t.json | 26 ++++++++ tests/py/ip/masquerade.t.payload | 8 +++ tests/py/ip/redirect.t | 1 + tests/py/ip/redirect.t.json | 26 ++++++++ tests/py/ip/redirect.t.payload | 8 +++ tests/py/ip6/masquerade.t | 1 + tests/py/ip6/masquerade.t.json | 25 ++++++++ tests/py/ip6/masquerade.t.payload.ip6 | 8 +++ tests/py/ip6/redirect.t | 1 + tests/py/ip6/redirect.t.json | 26 ++++++++ tests/py/ip6/redirect.t.payload.ip6 | 8 +++ 18 files changed, 394 insertions(+) diff --git a/tests/py/inet/dnat.t b/tests/py/inet/dnat.t index e4e169f2bc3e..9c47f51cfc71 100644 --- a/tests/py/inet/dnat.t +++ b/tests/py/inet/dnat.t
@@ -20,3 +20,6 @@ meta l4proto { tcp, udp } dnat ip to 1.1.1.1:80;ok;meta l4proto { 6, 17} dnat ip ip protocol { tcp, udp } dnat ip to 1.1.1.1:80;ok;ip protocol { 6, 17} dnat ip to 1.1.1.1:80 meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80;fail + +ip daddr 10.0.0.1 tcp dport 55900-55910 dnat ip to 192.168.127.1:5900-5910/55900;ok +ip6 daddr 10::1 tcp dport 55900-55910 dnat ip6 to [::c0:a8:7f:1]:5900-5910/55900;ok diff --git a/tests/py/inet/dnat.t.json b/tests/py/inet/dnat.t.json index c341a0455fea..58d0ed4b76da 100644 --- a/tests/py/inet/dnat.t.json +++ b/tests/py/inet/dnat.t.json @@ -239,3 +239,94 @@ } ] +# ip daddr 10.0.0.1 tcp dport 55900-55910 dnat ip to 192.168.127.1:5900-5910/55900 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "10.0.0.1" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 55900, + 55910 + ] + } + } + }, + { + "dnat": { + "addr": "192.168.127.1", + "family": "ip", + "port": { + "range": [ + 5900, + 5910 + ] + }, + "base_port": 55900 + } + } +] + +# ip6 daddr 10::1 tcp dport 55900-55910 dnat ip6 to [::c0:a8:7f:1]:5900-5910/55900 +[ + { + "match": { + "left": { + "payload": { + "field": "daddr", + "protocol": "ip6" + } + }, + "op": "==", + "right": "10::1" + } + }, + { + "match": { + "left": { + "payload": { + "field": "dport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 55900, + 55910 + ] + } + } + }, + { + "dnat": { + "addr": "::c0:a8:7f:1", + "family": "ip6", + "port": { + "range": [ + 5900, + 5910 + ] + }, + "base_port": 55900 + } + } +] diff --git a/tests/py/inet/dnat.t.payload b/tests/py/inet/dnat.t.payload index ce1601ab5c9e..9747018ae89c 100644 --- a/tests/py/inet/dnat.t.payload +++ b/tests/py/inet/dnat.t.payload 
@@ -84,3 +84,36 @@ inet [ immediate reg 1 0x00005000 ] [ nat dnat inet proto_min reg 1 flags 0x2 ] +# ip daddr 10.0.0.1 tcp dport 55900-55910 dnat ip to 192.168.127.1:5900-5910/55900 +inet test-inet prerouting + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 16 => reg 1 ] + [ cmp eq reg 1 0x0100000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005cda ] + [ cmp lte reg 1 0x000066da ] + [ immediate reg 1 0x017fa8c0 ] + [ immediate reg 2 0x00000c17 ] + [ immediate reg 3 0x00001617 ] + [ immediate reg 4 0x00005cda ] + [ nat dnat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 proto_base reg 4 flags 0x2 ] + +# ip6 daddr 10::1 tcp dport 55900-55910 dnat ip6 to [::c0:a8:7f:1]:5900-5910/55900 +inet test-inet prerouting + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 24 => reg 1 ] + [ cmp eq reg 1 0x00001000 0x00000000 0x00000000 0x01000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 2 => reg 1 ] + [ cmp gte reg 1 0x00005cda ] + [ cmp lte reg 1 0x000066da ] + [ immediate reg 1 0x00000000 0x00000000 0xa800c000 0x01007f00 ] + [ immediate reg 2 0x00000c17 ] + [ immediate reg 3 0x00001617 ] + [ immediate reg 4 0x00005cda ] + [ nat dnat ip6 addr_min reg 1 proto_min reg 2 proto_max reg 3 proto_base reg 4 flags 0x2 ] diff --git a/tests/py/inet/snat.t b/tests/py/inet/snat.t index cf23b5cff1bb..1276145918f5 100644 --- a/tests/py/inet/snat.t +++ b/tests/py/inet/snat.t @@ -19,3 +19,6 @@ snat ip to dead::beef;fail snat ip daddr 1.2.3.4 to dead::beef;fail snat ip daddr 1.2.3.4 ip6 to dead::beef;fail snat ip6 saddr dead::beef to 1.2.3.4;fail + +ip saddr 10.0.0.1 tcp sport 55900-55910 snat ip to 192.168.127.1:5900-5910/55900;ok +ip6 saddr 10::1 tcp sport 55900-55910 snat ip6 to [::c0:a8:7f:1]:5900-5910/55900;ok 
diff --git a/tests/py/inet/snat.t.json b/tests/py/inet/snat.t.json index 4671625dc06d..03e5823d4258 100644 --- a/tests/py/inet/snat.t.json +++ b/tests/py/inet/snat.t.json @@ -129,3 +129,94 @@ } ] +# ip saddr 10.0.0.1 tcp sport 55900-55910 snat ip to 192.168.127.1:5900-5910/55900 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip" + } + }, + "op": "==", + "right": "10.0.0.1" + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 55900, + 55910 + ] + } + } + }, + { + "snat": { + "addr": "192.168.127.1", + "family": "ip", + "port": { + "range": [ + 5900, + 5910 + ] + }, + "base_port": 55900 + } + } +] + +# ip6 saddr 10::1 tcp sport 55900-55910 snat ip6 to [::c0:a8:7f:1]:5900-5910/55900 +[ + { + "match": { + "left": { + "payload": { + "field": "saddr", + "protocol": "ip6" + } + }, + "op": "==", + "right": "10::1" + } + }, + { + "match": { + "left": { + "payload": { + "field": "sport", + "protocol": "tcp" + } + }, + "op": "==", + "right": { + "range": [ + 55900, + 55910 + ] + } + } + }, + { + "snat": { + "addr": "::c0:a8:7f:1", + "family": "ip6", + "port": { + "range": [ + 5900, + 5910 + ] + }, + "base_port": 55900 + } + } +] diff --git a/tests/py/inet/snat.t.payload b/tests/py/inet/snat.t.payload index 50519c6b6bb6..c2b5e5884b89 100644 --- a/tests/py/inet/snat.t.payload +++ b/tests/py/inet/snat.t.payload 
@@ -40,3 +40,37 @@ inet test-inet postrouting [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x006f6f66 0x00000000 0x00000000 0x00000000 ] [ masq flags 0x4 ] + +# ip saddr 10.0.0.1 tcp sport 55900-55910 snat ip to 192.168.127.1:5900-5910/55900 +inet test-inet postrouting + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x00000002 ] + [ payload load 4b @ network header + 12 => reg 1 ] + [ cmp eq reg 1 0x0100000a ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00005cda ] + [ cmp lte reg 1 0x000066da ] + [ immediate reg 1 0x017fa8c0 ] + [ immediate reg 2 0x00000c17 ] + [ immediate reg 3 0x00001617 ] + [ immediate reg 4 0x00005cda ] + [ nat snat ip addr_min reg 1 proto_min reg 2 proto_max reg 3 proto_base reg 4 flags 0x2 ] + +# ip6 saddr 10::1 tcp sport 55900-55910 snat ip6 to [::c0:a8:7f:1]:5900-5910/55900 +inet test-inet postrouting + [ meta load nfproto => reg 1 ] + [ cmp eq reg 1 0x0000000a ] + [ payload load 16b @ network header + 8 => reg 1 ] + [ cmp eq reg 1 0x00001000 0x00000000 0x00000000 0x01000000 ] + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ payload load 2b @ transport header + 0 => reg 1 ] + [ cmp gte reg 1 0x00005cda ] + [ cmp lte reg 1 0x000066da ] + [ immediate reg 1 0x00000000 0x00000000 0xa800c000 0x01007f00 ] + [ immediate reg 2 0x00000c17 ] + [ immediate reg 3 0x00001617 ] + [ immediate reg 4 0x00005cda ] + [ nat snat ip6 addr_min reg 1 proto_min reg 2 proto_max reg 3 proto_base reg 4 flags 0x2 ] diff --git a/tests/py/ip/masquerade.t b/tests/py/ip/masquerade.t index 384ac72a15f0..98858149dfed 100644 --- a/tests/py/ip/masquerade.t +++ b/tests/py/ip/masquerade.t 
@@ -18,6 +18,7 @@ udp dport 53 masquerade persistent,fully-random,random;ok;udp dport 53 masquerad # using ports ip protocol 6 masquerade to :1024;ok ip protocol 6 masquerade to :1024-2048;ok +ip protocol 6 masquerade to :1024-2048/4096;ok # masquerade is a terminal statement tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail diff --git a/tests/py/ip/masquerade.t.json b/tests/py/ip/masquerade.t.json index 4a90c7062d47..29d16dd75a02 100644 --- a/tests/py/ip/masquerade.t.json +++ b/tests/py/ip/masquerade.t.json @@ -427,3 +427,29 @@ } ] +# ip protocol 6 masquerade to :1024-2048/4096 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "masquerade": { + "base_port": 4096, + "port": { + "range": [ + 1024, + 2048 + ] + } + } + } +] diff --git a/tests/py/ip/masquerade.t.payload b/tests/py/ip/masquerade.t.payload index 79e52856a22d..804d35377f56 100644 --- a/tests/py/ip/masquerade.t.payload +++ b/tests/py/ip/masquerade.t.payload @@ -140,3 +140,11 @@ ip test-ip4 postrouting [ immediate reg 2 0x00000008 ] [ masq proto_min reg 1 proto_max reg 2 flags 0x2 ] +# ip protocol 6 masquerade to :1024-2048/4096 +ip test-ip4 postrouting + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00000004 ] + [ immediate reg 2 0x00000008 ] + [ immediate reg 3 0x00000010 ] + [ masq proto_min reg 1 proto_max reg 2 proto_base reg 3 flags 0x2 ] diff --git a/tests/py/ip/redirect.t b/tests/py/ip/redirect.t index d2991ce288b0..5321396fc079 100644 --- a/tests/py/ip/redirect.t +++ b/tests/py/ip/redirect.t @@ -23,6 +23,7 @@ udp dport 1234 redirect to :4321;ok ip daddr 172.16.0.1 udp dport 9998 redirect to :6515;ok tcp dport 39128 redirect to :993;ok ip protocol tcp redirect to :100-200;ok;ip protocol 6 redirect to :100-200 +ip protocol tcp redirect to :100-200/1000;ok;ip protocol 6 redirect to :100-200/1000 redirect to :1234;fail redirect to :12341111;fail 
diff --git a/tests/py/ip/redirect.t.json b/tests/py/ip/redirect.t.json index 3544e7f1b9c5..41a4be95a2ee 100644 --- a/tests/py/ip/redirect.t.json +++ b/tests/py/ip/redirect.t.json @@ -635,3 +635,29 @@ } ] +# ip protocol tcp redirect to :100-200/1000 +[ + { + "match": { + "left": { + "payload": { + "field": "protocol", + "protocol": "ip" + } + }, + "op": "==", + "right": 6 + } + }, + { + "redirect": { + "base_port": 1000, + "port": { + "range": [ + 100, + 200 + ] + } + } + } +] diff --git a/tests/py/ip/redirect.t.payload b/tests/py/ip/redirect.t.payload index 424ad7b4f7ec..d4935c695ff3 100644 --- a/tests/py/ip/redirect.t.payload +++ b/tests/py/ip/redirect.t.payload @@ -218,3 +218,11 @@ ip test-ip4 output [ lookup reg 1 set __map%d dreg 1 ] [ redir proto_min reg 1 flags 0x2 ] +# ip protocol tcp redirect to :100-200/1000 +ip test-ip4 output + [ payload load 1b @ network header + 9 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00006400 ] + [ immediate reg 2 0x0000c800 ] + [ immediate reg 3 0x0000e803 ] + [ redir proto_min reg 1 proto_max reg 2 proto_base reg 3 flags 0x2 ] diff --git a/tests/py/ip6/masquerade.t b/tests/py/ip6/masquerade.t index 4eb0467c362e..3d87fa1d71bb 100644 --- a/tests/py/ip6/masquerade.t +++ b/tests/py/ip6/masquerade.t @@ -18,6 +18,7 @@ udp dport 53 masquerade persistent,fully-random,random;ok;udp dport 53 masquerad # using ports meta l4proto 6 masquerade to :1024;ok meta l4proto 6 masquerade to :1024-2048;ok +meta l4proto 6 masquerade to :1024-2048/4096;ok # masquerade is a terminal statement tcp dport 22 masquerade counter packets 0 bytes 0 accept;fail diff --git a/tests/py/ip6/masquerade.t.json b/tests/py/ip6/masquerade.t.json index 824b44f8a5f5..a56c4372e101 100644 --- a/tests/py/ip6/masquerade.t.json +++ b/tests/py/ip6/masquerade.t.json 
@@ -421,3 +421,28 @@ } ] +# meta l4proto 6 masquerade to :1024-2048/4096 +[ + { + "match": { + "left": { + "meta": { + "key": "l4proto" + } + }, + "op": "==", + "right": 6 + } + }, + { + "masquerade": { + "base_port": 4096, + "port": { + "range": [ + 1024, + 2048 + ] + } + } + } +] diff --git a/tests/py/ip6/masquerade.t.payload.ip6 b/tests/py/ip6/masquerade.t.payload.ip6 index 43ae2ae48244..bf64313b6b60 100644 --- a/tests/py/ip6/masquerade.t.payload.ip6 +++ b/tests/py/ip6/masquerade.t.payload.ip6 @@ -140,3 +140,11 @@ ip6 test-ip6 postrouting [ immediate reg 2 0x00000008 ] [ masq proto_min reg 1 proto_max reg 2 flags 0x2 ] +# meta l4proto 6 masquerade to :1024-2048/4096 +ip6 test-ip6 postrouting + [ meta load l4proto => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00000004 ] + [ immediate reg 2 0x00000008 ] + [ immediate reg 3 0x00000010 ] + [ masq proto_min reg 1 proto_max reg 2 proto_base reg 3 flags 0x2 ] diff --git a/tests/py/ip6/redirect.t b/tests/py/ip6/redirect.t index 778d53f33ce6..9e8747f50185 100644 --- a/tests/py/ip6/redirect.t +++ b/tests/py/ip6/redirect.t @@ -23,6 +23,7 @@ udp dport 53 redirect persistent,fully-random,random;ok;udp dport 53 redirect ra udp dport 1234 redirect to :1234;ok ip6 daddr fe00::cafe udp dport 9998 redirect to :6515;ok ip6 nexthdr tcp redirect to :100-200;ok;ip6 nexthdr 6 redirect to :100-200 +ip6 nexthdr tcp redirect to :100-200/1000;ok;ip6 nexthdr 6 redirect to :100-200/1000 tcp dport 39128 redirect to :993;ok redirect to :1234;fail redirect to :12341111;fail diff --git a/tests/py/ip6/redirect.t.json b/tests/py/ip6/redirect.t.json index 0059c7accc06..4689b0c71c8b 100644 --- a/tests/py/ip6/redirect.t.json +++ b/tests/py/ip6/redirect.t.json 
@@ -599,3 +599,29 @@ } ] +# ip6 nexthdr tcp redirect to :100-200/1000 +[ + { + "match": { + "left": { + "payload": { + "field": "nexthdr", + "protocol": "ip6" + } + }, + "op": "==", + "right": 6 + } + }, + { + "redirect": { + "base_port": 1000, + "port": { + "range": [ + 100, + 200 + ] + } + } + } +] diff --git a/tests/py/ip6/redirect.t.payload.ip6 b/tests/py/ip6/redirect.t.payload.ip6 index e9a203161485..4a19df99a3cd 100644 --- a/tests/py/ip6/redirect.t.payload.ip6 +++ b/tests/py/ip6/redirect.t.payload.ip6 @@ -202,3 +202,11 @@ ip6 test-ip6 output [ lookup reg 1 set __map%d dreg 1 ] [ redir proto_min reg 1 flags 0x2 ] +# ip6 nexthdr tcp redirect to :100-200/1000 +ip6 test-ip6 output + [ payload load 1b @ network header + 6 => reg 1 ] + [ cmp eq reg 1 0x00000006 ] + [ immediate reg 1 0x00006400 ] + [ immediate reg 2 0x0000c800 ] + [ immediate reg 3 0x0000e803 ] + [ redir proto_min reg 1 proto_max reg 2 proto_base reg 3 flags 0x2 ]
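Review bot: every new case in this patch is an ;ok case, so nothing exercises the rejection paths of the new syntax. The existing files already use "redirect to :12341111;fail" for an out-of-range port; add the matching negatives for the base, e.g. "ip protocol tcp redirect to :100-200/70000;fail", and for a base attached to a single port, e.g. "ip protocol 6 masquerade to :1024/4096;fail", which the PORT_SPEC grammar in 7/8 ('port' | 'port' - 'port' | 'port' - 'port' / 'port') does not allow. Without those, the JSON parser in 5/8 (which unpacks base_port independently of port) and the textual parser can drift apart without any test noticing. The payload expectations themselves are consistent: 5900/5910/55900 appear as 0x00000c17/0x00001617/0x00005cda, 100/200/1000 as 0x00006400/0x0000c800/0x0000e803 and 1024/2048/4096 as 0x00000004/0x00000008/0x00000010, i.e. 16-bit network-order immediates, and the dport/sport range compares use the same 0x5cda..0x66da bounds as the dnat/snat base.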