* [libnftnl PATCH 1/2] expr: nat: add support for the new flags attribute
@ 2014-06-26 12:22 Arturo Borrero Gonzalez
  2014-06-26 12:22 ` [libnftnl PATCH 2/2] expr: nat: add masquerade support Arturo Borrero Gonzalez
  0 siblings, 1 reply; 2+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-06-26 12:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo

This patch adds support for the new flags attribute in the nft_nat expression.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 0 files changed

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index cfa5c66..4200c4e 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -100,6 +100,7 @@ enum {
 	NFT_EXPR_NAT_REG_ADDR_MAX,
 	NFT_EXPR_NAT_REG_PROTO_MIN,
 	NFT_EXPR_NAT_REG_PROTO_MAX,
+	NFT_EXPR_NAT_FLAGS,
 };
 
 enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 2a88f64..92c211b 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -773,6 +773,7 @@ enum nft_nat_types {
  * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers)
  * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
  * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ * @NFTA_NAT_FLAGS: additional NAT configuration (NF_NAT_RANGE_*) (NLA_U32)
  */
 enum nft_nat_attributes {
 	NFTA_NAT_UNSPEC,
@@ -782,6 +783,7 @@ enum nft_nat_attributes {
 	NFTA_NAT_REG_ADDR_MAX,
 	NFTA_NAT_REG_PROTO_MIN,
 	NFTA_NAT_REG_PROTO_MAX,
+	NFTA_NAT_FLAGS,
 	__NFTA_NAT_MAX
 };
 #define NFTA_NAT_MAX		(__NFTA_NAT_MAX - 1)
diff --git a/src/expr/nat.c b/src/expr/nat.c
index c719b6c..51188c1 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -31,6 +31,7 @@ struct nft_expr_nat {
 	enum nft_registers sreg_proto_max;
 	int                family;
 	enum nft_nat_types type;
+	uint32_t	   flags;
 };
 
 static int
@@ -58,6 +59,9 @@ nft_rule_expr_nat_set(struct nft_rule_expr *e, uint16_t type,
 	case NFT_EXPR_NAT_REG_PROTO_MAX:
 		nat->sreg_proto_max = *((uint32_t *)data);
 		break;
+	case NFT_EXPR_NAT_FLAGS:
+		nat->flags = *((uint32_t *)data);
+		break;
 	default:
 		return -1;
 	}
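Review bot: The new `NFT_EXPR_NAT_FLAGS` case reads four bytes through `*((uint32_t *)data)` without checking how much the caller actually supplied, so a shorter or misaligned buffer is read out of bounds or at a bad alignment. It follows the existing cases above it, but this word selects NAT behaviour (the header comment in this patch describes it as NF_NAT_RANGE_*), so it is worth being strict here. Assuming the setter receives the caller's length (the signature is cut off in the hunk header and the function body starts outside the hunk), `if (data_len != sizeof(nat->flags)) return -1;` followed by `memcpy(&nat->flags, data, sizeof(nat->flags));` would cover both.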
@@ -90,6 +94,9 @@ nft_rule_expr_nat_get(const struct nft_rule_expr *e, uint16_t type,
 	case NFT_EXPR_NAT_REG_PROTO_MAX:
 		*data_len = sizeof(nat->sreg_proto_max);
 		return &nat->sreg_proto_max;
+	case NFT_EXPR_NAT_FLAGS:
+		*data_len = sizeof(nat->flags);
+		return &nat->flags;
 	}
 	return NULL;
 }
@@ -109,6 +116,7 @@ static int nft_rule_expr_nat_cb(const struct nlattr *attr, void *data)
 	case NFTA_NAT_REG_ADDR_MAX:
 	case NFTA_NAT_REG_PROTO_MIN:
 	case NFTA_NAT_REG_PROTO_MAX:
+	case NFTA_NAT_FLAGS:
 		if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0) {
 			perror("mnl_attr_validate");
 			return MNL_CB_ERROR;
@@ -157,6 +165,10 @@ nft_rule_expr_nat_parse(struct nft_rule_expr *e, struct nlattr *attr)
 			ntohl(mnl_attr_get_u32(tb[NFTA_NAT_REG_PROTO_MAX]));
 		e->flags |= (1 << NFT_EXPR_NAT_REG_PROTO_MAX);
 	}
+	if (tb[NFTA_NAT_FLAGS]) {
+		nat->flags = ntohl(mnl_attr_get_u32(tb[NFTA_NAT_FLAGS]));
+		e->flags |= (1 << NFT_EXPR_NAT_FLAGS);
+	}
 
 	return 0;
 }
@@ -182,6 +194,8 @@ nft_rule_expr_nat_build(struct nlmsghdr *nlh, struct nft_rule_expr *e)
 	if (e->flags & (1 << NFT_EXPR_NAT_REG_PROTO_MAX))
 		mnl_attr_put_u32(nlh, NFTA_NAT_REG_PROTO_MAX,
 				 htonl(nat->sreg_proto_max));
+	if (e->flags & (1 << NFT_EXPR_NAT_FLAGS))
+		mnl_attr_put_u32(nlh, NFTA_NAT_FLAGS, htonl(nat->flags));
 }
 
 static inline const char *nft_nat2str(uint16_t nat)
@@ -213,7 +227,7 @@ static int nft_rule_expr_nat_json_parse(struct nft_rule_expr *e, json_t *root,
 {
 #ifdef JSON_PARSING
 	const char *nat_type, *family_str;
-	uint32_t reg;
+	uint32_t reg, flags;
 	int val32;
 
 	nat_type = nft_jansson_parse_str(root, "nat_type", err);
@@ -252,6 +266,10 @@ static int nft_rule_expr_nat_json_parse(struct nft_rule_expr *e, json_t *root,
 				  &reg, err) == 0)
 		nft_rule_expr_set_u32(e, NFT_EXPR_NAT_REG_PROTO_MAX, reg);
 
+	if (nft_jansson_parse_val(root, "flags", NFT_TYPE_U32,
+				  &flags, err) == 0)
+		nft_rule_expr_set_u32(e, NFT_EXPR_NAT_FLAGS, flags);
+
 	return 0;
 #else
 	errno = EOPNOTSUPP;
@@ -264,7 +282,7 @@ static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre
 {
 #ifdef XML_PARSING
 	const char *nat_type;
-	uint32_t family, nat_type_value;
+	uint32_t family, nat_type_value, flags;
 	uint32_t reg_addr_min, reg_addr_max;
 	uint32_t reg_proto_min, reg_proto_max;
 
@@ -302,6 +320,10 @@ static int nft_rule_expr_nat_xml_parse(struct nft_rule_expr *e, mxml_node_t *tre
 			       MXML_DESCEND, NFT_XML_MAND, err) == 0)
 		nft_rule_expr_set_u32(e, NFT_EXPR_NAT_REG_PROTO_MAX, reg_proto_max);
 
+	if (nft_mxml_num_parse(tree, "flags", MXML_DESCEND, BASE_DEC, &flags,
+			       NFT_TYPE_U32, NFT_XML_MAND, err) == 0)
+		nft_rule_expr_set_u32(e, NFT_EXPR_NAT_FLAGS, flags);
+
 	return 0;
 #else
 	errno = EOPNOTSUPP;
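Review bot: `flags` is looked up with `NFT_XML_MAND`, yet the XML printer in this same patch emits `<flags>` only when the `NFT_EXPR_NAT_FLAGS` bit is set, so a document written without that element is treated as missing a mandatory node. The return value is only compared with 0, so parsing continues, but the helper may already have recorded a missing-node error in `err` or `errno`; its body is not shown here, so this is inferred. If the helper has an optional mode, use it for this lookup, e.g. `NFT_XML_OPT` in place of `NFT_XML_MAND`. The function body starts and ends outside the hunk.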
@@ -333,11 +355,20 @@ nft_rule_expr_nat_snprintf_json(char *buf, size_t size,
 
 	if (e->flags & (1 << NFT_EXPR_NAT_REG_PROTO_MIN)) {
 		ret = snprintf(buf+offset, len, "\"sreg_proto_min\":%u,"
-						"\"sreg_proto_max\":%u",
+						"\"sreg_proto_max\":%u,",
 		       nat->sreg_proto_min, nat->sreg_proto_max);
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}
 
+	if (e->flags & (1 << NFT_EXPR_NAT_FLAGS)) {
+		ret = snprintf(buf+offset, len, "\"flags\":%u,", nat->flags);
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}
+
+	/* Remove the last comma separator */
+	if (offset > 0)
+		offset--;
+
 	return offset;
 }
 
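Review bot: The unconditional `offset--` assumes the last byte emitted is a comma, which holds only if every fragment written earlier in this function ends with `,`; those fragments are above the hunk and not visible here. It also only shortens the returned length: the comma byte stays in `buf`, so the output is well-formed only when the caller writes its next fragment at the returned offset. I would state that contract in the comment, for example `/* Every fragment above ends in ','; drop it from the returned length. The byte stays in buf and is overwritten by the caller. */`. A check on `buf[offset - 1]` is not a safe substitute if `offset` can run past `size` after truncation, which depends on how `SNPRINTF_BUFFER_SIZE` accounts for it.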
@@ -372,6 +403,12 @@ nft_rule_expr_nat_snprintf_xml(char *buf, size_t size,
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}
 
+	if (e->flags & (1 << NFT_EXPR_NAT_FLAGS)) {
+		ret = snprintf(buf+offset, len, "<flags>%u</flags>",
+			       nat->flags);
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}
+
 	return offset;
 }
 
@@ -402,6 +439,11 @@ nft_rule_expr_nat_snprintf_default(char *buf, size_t size,
 		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
 	}
 
+	if (e->flags & (1 << NFT_EXPR_NAT_FLAGS)) {
+		ret = snprintf(buf+offset, len, "flags %u", nat->flags);
+		SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+	}
+
 	return offset;
 }
 



* [libnftnl PATCH 2/2] expr: nat: add masquerade support
  2014-06-26 12:22 [libnftnl PATCH 1/2] expr: nat: add support for the new flags attribute Arturo Borrero Gonzalez
@ 2014-06-26 12:22 ` Arturo Borrero Gonzalez
  0 siblings, 0 replies; 2+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-06-26 12:22 UTC (permalink / raw)
  To: netfilter-devel; +Cc: pablo

This patch adds masquerade support for the nat expression.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
 0 files changed

diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 92c211b..18c9365 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -758,10 +758,12 @@ enum nft_reject_attributes {
  *
  * @NFT_NAT_SNAT: source NAT
  * @NFT_NAT_DNAT: destination NAT
+ * @NFT_NAT_MASQUERADE: masquerade NAT
  */
 enum nft_nat_types {
 	NFT_NAT_SNAT,
 	NFT_NAT_DNAT,
+	NFT_NAT_MASQUERADE,
 };
 
 /**
diff --git a/src/expr/nat.c b/src/expr/nat.c
index 51188c1..092c871 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -205,6 +205,8 @@ static inline const char *nft_nat2str(uint16_t nat)
 		return "snat";
 	case NFT_NAT_DNAT:
 		return "dnat";
+	case NFT_NAT_MASQUERADE:
+		return "masquerade";
 	default:
 		return "unknown";
 	}
@@ -216,6 +218,8 @@ static inline int nft_str2nat(const char *nat)
 		return NFT_NAT_SNAT;
 	else if (strcmp(nat, "dnat") == 0)
 		return NFT_NAT_DNAT;
+	else if (strcmp(nat, "masquerade") == 0)
+		return NFT_NAT_MASQUERADE;
 	else {
 		errno = EINVAL;
 		return -1;


