extern struct stmt *reject_stmt_alloc(const struct location *loc);
-struct nat_stmt {
- enum nft_nat_types type;
- struct expr *addr;
- struct expr *proto;
- uint32_t flags;
-};
-
-extern struct stmt *nat_stmt_alloc(const struct location *loc);
-
-struct masq_stmt {
- uint32_t flags;
- struct expr *proto;
+enum nft_nat_etypes {
+ __NFT_NAT_SNAT = NFT_NAT_SNAT,
+ __NFT_NAT_DNAT = NFT_NAT_DNAT,
+ NFT_NAT_MASQ,
+ NFT_NAT_REDIR,
};
-extern struct stmt *masq_stmt_alloc(const struct location *loc);
-
-struct redir_stmt {
+struct nat_stmt {
+ enum nft_nat_etypes type;
+ struct expr *addr;
struct expr *proto;
uint32_t flags;
};
-extern struct stmt *redir_stmt_alloc(const struct location *loc);
+extern struct stmt *nat_stmt_alloc(const struct location *loc,
+ enum nft_nat_etypes type);
struct queue_stmt {
struct expr *queue;
* @STMT_LOG: log statement
* @STMT_REJECT: REJECT statement
* @STMT_NAT: NAT statement
- * @STMT_MASQ: masquerade statement
- * @STMT_REDIR: redirect statement
* @STMT_QUEUE: QUEUE statement
* @STMT_CT: conntrack statement
* @STMT_SET: set statement
STMT_LOG,
STMT_REJECT,
STMT_NAT,
- STMT_MASQ,
- STMT_REDIR,
STMT_QUEUE,
STMT_CT,
STMT_SET,
struct limit_stmt limit;
struct reject_stmt reject;
struct nat_stmt nat;
- struct masq_stmt masq;
- struct redir_stmt redir;
struct queue_stmt queue;
struct quota_stmt quota;
struct ct_stmt ct;
return 0;
}
-static int stmt_evaluate_masq(struct eval_ctx *ctx, struct stmt *stmt)
-{
- int err;
-
- err = nat_evaluate_family(ctx, stmt);
- if (err < 0)
- return err;
-
- if (stmt->masq.proto != NULL) {
- err = nat_evaluate_transport(ctx, stmt, &stmt->masq.proto);
- if (err < 0)
- return err;
- }
-
- stmt->flags |= STMT_F_TERMINAL;
- return 0;
-}
-
-static int stmt_evaluate_redir(struct eval_ctx *ctx, struct stmt *stmt)
-{
- int err;
-
- err = nat_evaluate_family(ctx, stmt);
- if (err < 0)
- return err;
-
- if (stmt->redir.proto != NULL) {
- err = nat_evaluate_transport(ctx, stmt, &stmt->redir.proto);
- if (err < 0)
- return err;
- }
-
- stmt->flags |= STMT_F_TERMINAL;
- return 0;
-}
-
static int stmt_evaluate_dup(struct eval_ctx *ctx, struct stmt *stmt)
{
int err;
return stmt_evaluate_reject(ctx, stmt);
case STMT_NAT:
return stmt_evaluate_nat(ctx, stmt);
- case STMT_MASQ:
- return stmt_evaluate_masq(ctx, stmt);
- case STMT_REDIR:
- return stmt_evaluate_redir(ctx, stmt);
case STMT_QUEUE:
return stmt_evaluate_queue(ctx, stmt);
case STMT_DUP:
enum nft_registers reg1, reg2;
int family;
- stmt = nat_stmt_alloc(loc);
- stmt->nat.type = nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_TYPE);
+ stmt = nat_stmt_alloc(loc,
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_TYPE));
family = nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_FAMILY);
if (nftnl_expr_is_set(nle, NFTNL_EXPR_MASQ_FLAGS))
flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_MASQ_FLAGS);
- stmt = masq_stmt_alloc(loc);
- stmt->masq.flags = flags;
+ stmt = nat_stmt_alloc(loc, NFT_NAT_MASQ);
+ stmt->nat.flags = flags;
reg1 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN);
if (reg1) {
goto out_err;
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- stmt->masq.proto = proto;
+ stmt->nat.proto = proto;
}
reg2 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX);
goto out_err;
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- if (stmt->masq.proto != NULL)
- proto = range_expr_alloc(loc, stmt->masq.proto, proto);
- stmt->masq.proto = proto;
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto, proto);
+ stmt->nat.proto = proto;
}
ctx->stmt = stmt;
enum nft_registers reg1, reg2;
uint32_t flags;
- stmt = redir_stmt_alloc(loc);
+ stmt = nat_stmt_alloc(loc, NFT_NAT_REDIR);
if (nftnl_expr_is_set(nle, NFTNL_EXPR_REDIR_FLAGS)) {
flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_REDIR_FLAGS);
- stmt->redir.flags = flags;
+ stmt->nat.flags = flags;
}
reg1 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MIN);
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- stmt->redir.proto = proto;
+ stmt->nat.proto = proto;
}
reg2 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MAX);
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- if (stmt->redir.proto != NULL)
- proto = range_expr_alloc(loc, stmt->redir.proto,
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto,
proto);
- stmt->redir.proto = proto;
+ stmt->nat.proto = proto;
}
ctx->stmt = stmt;
if (stmt->nat.proto != NULL)
expr_postprocess(&rctx, &stmt->nat.proto);
break;
- case STMT_REDIR:
- if (stmt->redir.proto != NULL)
- expr_postprocess(&rctx, &stmt->redir.proto);
- break;
case STMT_REJECT:
stmt_reject_postprocess(&rctx);
break;
enum nft_registers pmin_reg, pmax_reg;
int registers = 0;
int family;
+ int nftnl_flag_attr;
+ int nftnl_reg_pmin, nftnl_reg_pmax;
- nle = alloc_nft_expr("nat");
- nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_TYPE, stmt->nat.type);
+ switch (stmt->nat.type) {
+ case NFT_NAT_SNAT:
+ case NFT_NAT_DNAT:
+ nle = alloc_nft_expr("nat");
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_TYPE, stmt->nat.type);
- family = nftnl_rule_get_u32(ctx->nlr, NFTNL_RULE_FAMILY);
- nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_FAMILY, family);
+ family = nftnl_rule_get_u32(ctx->nlr, NFTNL_RULE_FAMILY);
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_FAMILY, family);
+
+ nftnl_flag_attr = NFTNL_EXPR_NAT_FLAGS;
+ nftnl_reg_pmin = NFTNL_EXPR_NAT_REG_PROTO_MIN;
+ nftnl_reg_pmax = NFTNL_EXPR_NAT_REG_PROTO_MAX;
+ break;
+ case NFT_NAT_MASQ:
+ nle = alloc_nft_expr("masq");
+
+ nftnl_flag_attr = NFTNL_EXPR_MASQ_FLAGS;
+ nftnl_reg_pmin = NFTNL_EXPR_MASQ_REG_PROTO_MIN;
+ nftnl_reg_pmax = NFTNL_EXPR_MASQ_REG_PROTO_MAX;
+ break;
+ case NFT_NAT_REDIR:
+ nle = alloc_nft_expr("redir");
+
+ nftnl_flag_attr = NFTNL_EXPR_REDIR_FLAGS;
+ nftnl_reg_pmin = NFTNL_EXPR_REDIR_REG_PROTO_MIN;
+ nftnl_reg_pmax = NFTNL_EXPR_REDIR_REG_PROTO_MAX;
+ break;
+ default:
+ BUG("unknown nat type %d\n", stmt->nat.type);
+ break;
+ }
if (stmt->nat.flags != 0)
- nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_FLAGS, stmt->nat.flags);
+ nftnl_expr_set_u32(nle, nftnl_flag_attr, stmt->nat.flags);
if (stmt->nat.addr) {
amin_reg = get_register(ctx, NULL);
netlink_gen_expr(ctx, stmt->nat.proto->left, pmin_reg);
netlink_gen_expr(ctx, stmt->nat.proto->right, pmax_reg);
- netlink_put_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MIN,
- pmin_reg);
- netlink_put_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MAX,
- pmax_reg);
+ netlink_put_register(nle, nftnl_reg_pmin, pmin_reg);
+ netlink_put_register(nle, nftnl_reg_pmax, pmax_reg);
} else {
netlink_gen_expr(ctx, stmt->nat.proto, pmin_reg);
- netlink_put_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MIN,
- pmin_reg);
- }
- }
-
- while (registers > 0) {
- release_register(ctx, NULL);
- registers--;
- }
-
- nftnl_rule_add_expr(ctx->nlr, nle);
-}
-
-static void netlink_gen_masq_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
-{
- enum nft_registers pmin_reg, pmax_reg;
- struct nftnl_expr *nle;
- int registers = 0;
-
- nle = alloc_nft_expr("masq");
- if (stmt->masq.flags != 0)
- nftnl_expr_set_u32(nle, NFTNL_EXPR_MASQ_FLAGS,
- stmt->masq.flags);
- if (stmt->masq.proto) {
- pmin_reg = get_register(ctx, NULL);
- registers++;
-
- if (stmt->masq.proto->ops->type == EXPR_RANGE) {
- pmax_reg = get_register(ctx, NULL);
- registers++;
-
- netlink_gen_expr(ctx, stmt->masq.proto->left, pmin_reg);
- netlink_gen_expr(ctx, stmt->masq.proto->right, pmax_reg);
- netlink_put_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN, pmin_reg);
- netlink_put_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX, pmax_reg);
- } else {
- netlink_gen_expr(ctx, stmt->masq.proto, pmin_reg);
- netlink_put_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN, pmin_reg);
- }
- }
-
- while (registers > 0) {
- release_register(ctx, NULL);
- registers--;
- }
-
- nftnl_rule_add_expr(ctx->nlr, nle);
-}
-
-static void netlink_gen_redir_stmt(struct netlink_linearize_ctx *ctx,
- const struct stmt *stmt)
-{
- struct nftnl_expr *nle;
- enum nft_registers pmin_reg, pmax_reg;
- int registers = 0;
-
- nle = alloc_nft_expr("redir");
-
- if (stmt->redir.flags != 0)
- nftnl_expr_set_u32(nle, NFTNL_EXPR_REDIR_FLAGS,
- stmt->redir.flags);
-
- if (stmt->redir.proto) {
- pmin_reg = get_register(ctx, NULL);
- registers++;
-
- if (stmt->redir.proto->ops->type == EXPR_RANGE) {
- pmax_reg = get_register(ctx, NULL);
- registers++;
-
- netlink_gen_expr(ctx, stmt->redir.proto->left,
- pmin_reg);
- netlink_gen_expr(ctx, stmt->redir.proto->right,
- pmax_reg);
- netlink_put_register(nle,
- NFTNL_EXPR_REDIR_REG_PROTO_MIN,
- pmin_reg);
- netlink_put_register(nle,
- NFTNL_EXPR_REDIR_REG_PROTO_MAX,
- pmax_reg);
- } else {
- netlink_gen_expr(ctx, stmt->redir.proto, pmin_reg);
- netlink_put_register(nle,
- NFTNL_EXPR_REDIR_REG_PROTO_MIN,
- pmin_reg);
+ netlink_put_register(nle, nftnl_reg_pmin, pmin_reg);
}
}
return netlink_gen_reject_stmt(ctx, stmt);
case STMT_NAT:
return netlink_gen_nat_stmt(ctx, stmt);
- case STMT_MASQ:
- return netlink_gen_masq_stmt(ctx, stmt);
- case STMT_REDIR:
- return netlink_gen_redir_stmt(ctx, stmt);
case STMT_DUP:
return netlink_gen_dup_stmt(ctx, stmt);
case STMT_QUEUE:
nat_stmt : nat_stmt_alloc nat_stmt_args
;
-nat_stmt_alloc : SNAT
- {
- $$ = nat_stmt_alloc(&@$);
- $$->nat.type = NFT_NAT_SNAT;
- }
- | DNAT
- {
- $$ = nat_stmt_alloc(&@$);
- $$->nat.type = NFT_NAT_DNAT;
- }
+nat_stmt_alloc : SNAT { $$ = nat_stmt_alloc(&@$, NFT_NAT_SNAT); }
+ | DNAT { $$ = nat_stmt_alloc(&@$, NFT_NAT_DNAT); }
;
primary_stmt_expr : symbol_expr { $$ = $1; }
| masq_stmt_alloc
;
-masq_stmt_alloc : MASQUERADE { $$ = masq_stmt_alloc(&@$); }
+masq_stmt_alloc : MASQUERADE { $$ = nat_stmt_alloc(&@$, NFT_NAT_MASQ); }
;
masq_stmt_args : TO COLON stmt_expr
{
- $<stmt>0->masq.proto = $3;
+ $<stmt>0->nat.proto = $3;
}
| TO COLON stmt_expr nf_nat_flags
{
- $<stmt>0->masq.proto = $3;
- $<stmt>0->masq.flags = $4;
+ $<stmt>0->nat.proto = $3;
+ $<stmt>0->nat.flags = $4;
}
| nf_nat_flags
{
- $<stmt>0->masq.flags = $1;
+ $<stmt>0->nat.flags = $1;
}
;
| redir_stmt_alloc
;
-redir_stmt_alloc : REDIRECT { $$ = redir_stmt_alloc(&@$); }
+redir_stmt_alloc : REDIRECT { $$ = nat_stmt_alloc(&@$, NFT_NAT_REDIR); }
;
redir_stmt_arg : TO stmt_expr
{
- $<stmt>0->redir.proto = $2;
+ $<stmt>0->nat.proto = $2;
}
| TO COLON stmt_expr
{
- $<stmt>0->redir.proto = $3;
+ $<stmt>0->nat.proto = $3;
}
| nf_nat_flags
{
- $<stmt>0->redir.flags = $1;
+ $<stmt>0->nat.flags = $1;
}
| TO stmt_expr nf_nat_flags
{
- $<stmt>0->redir.proto = $2;
- $<stmt>0->redir.flags = $3;
+ $<stmt>0->nat.proto = $2;
+ $<stmt>0->nat.flags = $3;
}
| TO COLON stmt_expr nf_nat_flags
{
- $<stmt>0->redir.proto = $3;
- $<stmt>0->redir.flags = $4;
+ $<stmt>0->nat.proto = $3;
+ $<stmt>0->nat.flags = $4;
}
;
static const char * const nat_types[] = {
[NFT_NAT_SNAT] = "snat",
[NFT_NAT_DNAT] = "dnat",
+ [NFT_NAT_MASQ] = "masquerade",
+ [NFT_NAT_REDIR] = "redirect",
};
- nft_print(octx, "%s to ", nat_types[stmt->nat.type]);
+ nft_print(octx, "%s", nat_types[stmt->nat.type]);
+ if (stmt->nat.addr || stmt->nat.proto)
+ nft_print(octx, " to");
+
if (stmt->nat.addr) {
+ nft_print(octx, " ");
if (stmt->nat.proto) {
if (stmt->nat.addr->ops->type == EXPR_VALUE &&
stmt->nat.addr->dtype->type == TYPE_IP6ADDR) {
}
if (stmt->nat.proto) {
+ if (!stmt->nat.addr)
+ nft_print(octx, " ");
nft_print(octx, ":");
expr_print(stmt->nat.proto, octx);
}
.destroy = nat_stmt_destroy,
};
-struct stmt *nat_stmt_alloc(const struct location *loc)
-{
- return stmt_alloc(loc, &nat_stmt_ops);
-}
-
-static void masq_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
-{
- nft_print(octx, "masquerade");
-
- if (stmt->masq.proto) {
- nft_print(octx, " to :");
- expr_print(stmt->masq.proto, octx);
- }
-
- print_nf_nat_flags(stmt->masq.flags, octx);
-}
-
-static void masq_stmt_destroy(struct stmt *stmt)
-{
- expr_free(stmt->masq.proto);
-}
-
-static const struct stmt_ops masq_stmt_ops = {
- .type = STMT_MASQ,
- .name = "masq",
- .print = masq_stmt_print,
- .destroy = masq_stmt_destroy,
-};
-
-struct stmt *masq_stmt_alloc(const struct location *loc)
-{
- return stmt_alloc(loc, &masq_stmt_ops);
-}
-
-static void redir_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
+struct stmt *nat_stmt_alloc(const struct location *loc,
+ enum nft_nat_etypes type)
{
- nft_print(octx, "redirect");
-
- if (stmt->redir.proto) {
- nft_print(octx, " to :");
- expr_print(stmt->redir.proto, octx);
- }
-
- print_nf_nat_flags(stmt->redir.flags, octx);
-}
+ struct stmt *stmt = stmt_alloc(loc, &nat_stmt_ops);
-static void redir_stmt_destroy(struct stmt *stmt)
-{
- expr_free(stmt->redir.proto);
-}
-
-static const struct stmt_ops redir_stmt_ops = {
- .type = STMT_REDIR,
- .name = "redir",
- .print = redir_stmt_print,
- .destroy = redir_stmt_destroy,
-};
-
-struct stmt *redir_stmt_alloc(const struct location *loc)
-{
- return stmt_alloc(loc, &redir_stmt_ops);
+ stmt->nat.type = type;
+ return stmt;
}
static const char * const set_stmt_op_names[] = {
projects / thirdparty / nftables.git / commitdiff
