]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 950ae81)
parser: allow both nat_flags and port specification in redirect
authorArturo Borrero <arturo.borrero.glez@gmail.com>
Fri, 7 Nov 2014 11:39:35 +0000 (12:39 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Sun, 9 Nov 2014 15:52:34 +0000 (16:52 +0100)
This patch changes the parser to permit both nat_flags and port specification
in the redirect expression.

The resulting syntax is:
 % nft add rule nat prerouting redirect [port] [nat_flags]

The port specification requires a bit of context regardin the transport
protocol. Some examples:
 % nft add rule nat prerouting tcp dport 22 redirect :23
 % nft add rule add prerouting udp dport 53 redirect :5353

The nat_flags argument is the last argument:
 % nft add rule nat prerouting tdp dport 80 redirect :8080 random

The port specification can be a range:
 % nft add rule nat prerouting tcp dport 80 redirect :8080-8090 random

While at it, the regression tests files are updated.

Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/parser.y patch | blob | blame | history
tests/regression/ip/redirect.t patch | blob | blame | history
tests/regression/ip6/redirect.t patch | blob | blame | history

diff --git a/src/parser.y b/src/parser.y
index 6209e9eb526699af32fcb2e8c34c456c0f366a2f..3992c6a58f8c4335fb31f22c9bb6c03d138a119b 100644 (file)
--- a/src/parser.y
+++ b/src/parser.y
@@ -1437,6 +1437,11 @@ redir_stmt_arg           :       COLON   expr
                        {
                                $<stmt>0->redir.flags = $1;
                        }
+                       |       COLON   expr    nf_nat_flags
+                       {
+                               $<stmt>0->redir.proto = $2;
+                               $<stmt>0->redir.flags = $3;
+                       }
                        ;
 
 nf_nat_flags           :       nf_nat_flag
diff --git a/tests/regression/ip/redirect.t b/tests/regression/ip/redirect.t
index f69fd07ca50e95a69c74ae7ecfe5a6c1cddacc62..cb230e2b6128aa7b79a3ceb5f98f06e0be08208d 100644 (file)
--- a/tests/regression/ip/redirect.t
+++ b/tests/regression/ip/redirect.t
@@ -24,11 +24,15 @@ tcp dport 39128 redirect :993;ok
 redirect :1234;fail
 redirect :12341111;fail
 
-# invalid arguments
-tcp dport 9128 redirect :993 random;fail
-tcp dport 9128 redirect :993 random-fully;fail
-tcp dport 9128 redirect persistent :123;fail
-tcp dport 9128 redirect random,persistent :123;fail
+# both port and nf_nat flags
+tcp dport 9128 redirect :993 random;ok
+tcp dport 9128 redirect :993 random-fully;ok
+tcp dport 9128 redirect :123 persistent;ok
+tcp dport 9128 redirect :123 random,persistent;ok
+
+# nf_nat flags is the last argument
+udp dport 1234 redirect random :123;fail
+udp dport 21234 redirect persistent,random-fully :431;fail
 
 # redirect is a terminal statement
 tcp dport 22 redirect counter packets 0 bytes 0 accept;fail
diff --git a/tests/regression/ip6/redirect.t b/tests/regression/ip6/redirect.t
index d972871439b7fe54ffe4b7b8f1ac41447a34bf23..dce4794a683023c267ad288daf75c794d7db22c7 100644 (file)
--- a/tests/regression/ip6/redirect.t
+++ b/tests/regression/ip6/redirect.t
@@ -25,9 +25,11 @@ tcp dport 39128 redirect :993;ok
 redirect :1234;fail
 redirect :12341111;fail
 
-# invalid arguments
-tcp dport 9128 redirect :993 random;fail
-tcp dport 9128 redirect :993 random-fully;fail
+# both port and nf_nat flags
+tcp dport 9128 redirect :993 random;ok
+tcp dport 9128 redirect :993 random-fully,persistent;ok
+
+# nf_nat flags are the last argument
 tcp dport 9128 redirect persistent :123;fail
 tcp dport 9128 redirect random,persistent :123;fail
 
Mirror of git://git.netfilter.org/nftables