* [PATCH libnftnl 0/3] Support for shifted port-ranges in NAT
@ 2023-03-05 10:24 Jeremy Sowden
2023-03-05 10:24 ` [PATCH libnftnl 1/3] nat: add support for shifted port-ranges Jeremy Sowden
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Jeremy Sowden @ 2023-03-05 10:24 UTC (permalink / raw)
To: Netfilter Devel
Support for shifted port-ranges in DNAT was added to iptables in 2018.
This allows one to redirect packets intended for one port to another in
a range in such a way that the new port chosen has the same offset in
the range as the original port had from a specified base value.
For example, by using the base value 2000, one could redirect packets
intended for 10.0.0.1:2000-3000 to 10.10.0.1:12000-13000 so that the old
and new ports were at the same offset in their respective ranges, i.e.:
10.0.0.1:2345 -> 10.10.0.1:12345
This patch-set makes support in the nft kernel modules for doing
likewise available to user space. In contrast to iptables, this works
for `snat`, `redirect` and `masquerade` statements as well as
`dnat`.
Jeremy Sowden (3):
nat: add support for shifted port-ranges
masq: add support for shifted port-ranges
redir: add support for shifted port-ranges
include/libnftnl/expr.h | 3 +++
include/linux/netfilter/nf_tables.h | 6 ++++++
src/expr/masq.c | 25 +++++++++++++++++++++++--
src/expr/nat.c | 22 ++++++++++++++++++++++
src/expr/redir.c | 29 ++++++++++++++++++++++++-----
tests/nft-expr_masq-test.c | 4 ++++
tests/nft-expr_nat-test.c | 4 ++++
tests/nft-expr_redir-test.c | 4 ++++
8 files changed, 90 insertions(+), 7 deletions(-)
--
2.39.2
* [PATCH libnftnl 1/3] nat: add support for shifted port-ranges
2023-03-05 10:24 [PATCH libnftnl 0/3] Support for shifted port-ranges in NAT Jeremy Sowden
@ 2023-03-05 10:24 ` Jeremy Sowden
2023-03-05 10:24 ` [PATCH libnftnl 2/3] masq: " Jeremy Sowden
2023-03-05 10:24 ` [PATCH libnftnl 3/3] redir: " Jeremy Sowden
2 siblings, 0 replies; 4+ messages in thread
From: Jeremy Sowden @ 2023-03-05 10:24 UTC (permalink / raw)
To: Netfilter Devel
Support for shifted port-ranges in DNAT was added to iptables in 2018.
This allows one to redirect packets intended for one port to another in
a range in such a way that the new port chosen has the same offset in
the range as the original port had from a specified base value.
For example, by using the base value 2000, one could redirect packets
intended for 10.0.0.1:2000-3000 to 10.10.0.1:12000-13000 so that the old
and new ports were at the same offset in their respective ranges, i.e.:
10.0.0.1:2345 -> 10.10.0.1:12345
However, while support for this was added to the common NAT infra-
structure in the kernel, only the xt_nat module was updated to make use
of it. This support has now also been added to the nft_nat module, so
make it available in user space.
In contrast to iptables, where shifting is only available for DNAT, both
DNAT and SNAT are supported.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/nat.c | 22 ++++++++++++++++++++++
tests/nft-expr_nat-test.c | 4 ++++
4 files changed, 29 insertions(+)
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 9873228dd794..e118a57d4769 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -150,6 +150,7 @@ enum {
NFTNL_EXPR_NAT_REG_PROTO_MIN,
NFTNL_EXPR_NAT_REG_PROTO_MAX,
NFTNL_EXPR_NAT_FLAGS,
+ NFTNL_EXPR_NAT_REG_PROTO_BASE,
};
enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 4608646f2103..5c7a47ac8746 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1415,6 +1415,7 @@ enum nft_nat_types {
* @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
* @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
* @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
+ * @NFTA_NAT_REG_PROTO_BASE: source register of proto range base offset (NLA_U32: nft_registers)
*/
enum nft_nat_attributes {
NFTA_NAT_UNSPEC,
@@ -1425,6 +1426,7 @@ enum nft_nat_attributes {
NFTA_NAT_REG_PROTO_MIN,
NFTA_NAT_REG_PROTO_MAX,
NFTA_NAT_FLAGS,
+ NFTA_NAT_REG_PROTO_BASE,
__NFTA_NAT_MAX
};
#define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
diff --git a/src/expr/nat.c b/src/expr/nat.c
index ca727be0cda6..6d304870d419 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -29,6 +29,7 @@ struct nftnl_expr_nat {
enum nft_registers sreg_addr_max;
enum nft_registers sreg_proto_min;
enum nft_registers sreg_proto_max;
+ enum nft_registers sreg_proto_base;
int family;
enum nft_nat_types type;
uint32_t flags;
@@ -59,6 +60,9 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_NAT_REG_PROTO_MAX:
memcpy(&nat->sreg_proto_max, data, sizeof(nat->sreg_proto_max));
break;
+ case NFTNL_EXPR_NAT_REG_PROTO_BASE:
+ memcpy(&nat->sreg_proto_base, data, sizeof(nat->sreg_proto_base));
+ break;
case NFTNL_EXPR_NAT_FLAGS:
memcpy(&nat->flags, data, sizeof(nat->flags));
break;
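Review bot: The new `NFTNL_EXPR_NAT_REG_PROTO_BASE` case copies `sizeof(nat->sreg_proto_base)` bytes from `data` without consulting `data_len`, so a caller that hands in a shorter buffer makes the `memcpy` read past it. The same pattern is added in the `nftnl_expr_masq_set` and `nftnl_expr_redir_set` hunks, whose signatures show the `data_len` parameter. Unless the generic setter that dispatches here already validates the length (not visible in this hunk), the case could start with a guard such as `if (data_len != sizeof(nat->sreg_proto_base)) return -1;`. The neighbouring cases follow the same unchecked pattern, and the function body starts and ends outside the hunk.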
@@ -94,6 +98,9 @@ nftnl_expr_nat_get(const struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_NAT_REG_PROTO_MAX:
*data_len = sizeof(nat->sreg_proto_max);
return &nat->sreg_proto_max;
+ case NFTNL_EXPR_NAT_REG_PROTO_BASE:
+ *data_len = sizeof(nat->sreg_proto_base);
+ return &nat->sreg_proto_base;
case NFTNL_EXPR_NAT_FLAGS:
*data_len = sizeof(nat->flags);
return &nat->flags;
@@ -116,6 +123,7 @@ static int nftnl_expr_nat_cb(const struct nlattr *attr, void *data)
case NFTA_NAT_REG_ADDR_MAX:
case NFTA_NAT_REG_PROTO_MIN:
case NFTA_NAT_REG_PROTO_MAX:
+ case NFTA_NAT_REG_PROTO_BASE:
case NFTA_NAT_FLAGS:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
@@ -163,6 +171,11 @@ nftnl_expr_nat_parse(struct nftnl_expr *e, struct nlattr *attr)
ntohl(mnl_attr_get_u32(tb[NFTA_NAT_REG_PROTO_MAX]));
e->flags |= (1 << NFTNL_EXPR_NAT_REG_PROTO_MAX);
}
+ if (tb[NFTA_NAT_REG_PROTO_BASE]) {
+ nat->sreg_proto_base =
+ ntohl(mnl_attr_get_u32(tb[NFTA_NAT_REG_PROTO_BASE]));
+ e->flags |= (1 << NFTNL_EXPR_NAT_REG_PROTO_BASE);
+ }
if (tb[NFTA_NAT_FLAGS]) {
nat->flags = ntohl(mnl_attr_get_u32(tb[NFTA_NAT_FLAGS]));
e->flags |= (1 << NFTNL_EXPR_NAT_FLAGS);
@@ -192,6 +205,9 @@ nftnl_expr_nat_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
if (e->flags & (1 << NFTNL_EXPR_NAT_REG_PROTO_MAX))
mnl_attr_put_u32(nlh, NFTA_NAT_REG_PROTO_MAX,
htonl(nat->sreg_proto_max));
+ if (e->flags & (1 << NFTNL_EXPR_NAT_REG_PROTO_BASE))
+ mnl_attr_put_u32(nlh, NFTA_NAT_REG_PROTO_BASE,
+ htonl(nat->sreg_proto_base));
if (e->flags & (1 << NFTNL_EXPR_NAT_FLAGS))
mnl_attr_put_u32(nlh, NFTA_NAT_FLAGS, htonl(nat->flags));
}
@@ -258,6 +274,12 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain,
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
+ if (e->flags & (1 << NFTNL_EXPR_NAT_REG_PROTO_BASE)) {
+ ret = snprintf(buf + offset, remain,
+ "proto_base reg %u ", nat->sreg_proto_base);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+
if (e->flags & (1 << NFTNL_EXPR_NAT_FLAGS)) {
ret = snprintf(buf + offset, remain, "flags 0x%x ", nat->flags);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
diff --git a/tests/nft-expr_nat-test.c b/tests/nft-expr_nat-test.c
index 3a365dd307c2..1204c4b7be62 100644
--- a/tests/nft-expr_nat-test.c
+++ b/tests/nft-expr_nat-test.c
@@ -49,6 +49,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_NAT_REG_PROTO_MAX) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_NAT_REG_PROTO_MAX))
print_err("Expr NFTNL_EXPR_NAT_REG_PROTO_MAX mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_NAT_REG_PROTO_BASE) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_NAT_REG_PROTO_BASE))
+ print_err("Expr NFTNL_EXPR_NAT_REG_PROTO_BASE mismatches");
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_NAT_FLAGS) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_NAT_FLAGS))
print_err("Expr NFTNL_EXPR_NAT_FLAGS mismatches");
@@ -77,6 +80,7 @@ int main(int argc, char *argv[])
nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_ADDR_MAX, 0x5134682);
nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MIN, 0x6124385);
nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MAX, 0x2153846);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_BASE, 0xbf3c0fbf);
nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_FLAGS, 0x4213683);
nftnl_rule_add_expr(a, ex);
--
2.39.2
* [PATCH libnftnl 2/3] masq: add support for shifted port-ranges
2023-03-05 10:24 [PATCH libnftnl 0/3] Support for shifted port-ranges in NAT Jeremy Sowden
2023-03-05 10:24 ` [PATCH libnftnl 1/3] nat: add support for shifted port-ranges Jeremy Sowden
@ 2023-03-05 10:24 ` Jeremy Sowden
2023-03-05 10:24 ` [PATCH libnftnl 3/3] redir: " Jeremy Sowden
2 siblings, 0 replies; 4+ messages in thread
From: Jeremy Sowden @ 2023-03-05 10:24 UTC (permalink / raw)
To: Netfilter Devel
Support for using shifted port-ranges when masquerading has now been added
to the nft_masq kernel module, so make it available in user space.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/masq.c | 25 +++++++++++++++++++++++--
tests/nft-expr_masq-test.c | 4 ++++
4 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index e118a57d4769..18d17d6368a8 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -243,6 +243,7 @@ enum {
NFTNL_EXPR_MASQ_FLAGS = NFTNL_EXPR_BASE,
NFTNL_EXPR_MASQ_REG_PROTO_MIN,
NFTNL_EXPR_MASQ_REG_PROTO_MAX,
+ NFTNL_EXPR_MASQ_REG_PROTO_BASE,
};
enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 5c7a47ac8746..3b86bddac67c 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1453,12 +1453,14 @@ enum nft_tproxy_attributes {
* @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
* @NFTA_MASQ_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
* @NFTA_MASQ_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ * @NFTA_MASQ_REG_PROTO_BASE: source register of proto range base offset (NLA_U32: nft_registers)
*/
enum nft_masq_attributes {
NFTA_MASQ_UNSPEC,
NFTA_MASQ_FLAGS,
NFTA_MASQ_REG_PROTO_MIN,
NFTA_MASQ_REG_PROTO_MAX,
+ NFTA_MASQ_REG_PROTO_BASE,
__NFTA_MASQ_MAX
};
#define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1)
diff --git a/src/expr/masq.c b/src/expr/masq.c
index e6e528d9acca..be6f523ab20c 100644
--- a/src/expr/masq.c
+++ b/src/expr/masq.c
@@ -24,11 +24,12 @@ struct nftnl_expr_masq {
uint32_t flags;
enum nft_registers sreg_proto_min;
enum nft_registers sreg_proto_max;
+ enum nft_registers sreg_proto_base;
};
static int
nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
- const void *data, uint32_t data_len)
+ const void *data, uint32_t data_len)
{
struct nftnl_expr_masq *masq = nftnl_expr_data(e);
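Review bot: The `-`/`+` pair on the continuation line of the `nftnl_expr_masq_set` signature appears to change only indentation, which is unrelated to adding `sreg_proto_base`. The same kind of change shows up in the `nftnl_expr_masq_get` hunk, in the `nftnl_expr_redir_set` and `nftnl_expr_redir_get` signatures, in the `flags` member of `struct nftnl_expr_redir`, and as removed blank lines in `nftnl_expr_redir_snprintf`. Moving these into a separate cleanup patch would leave this one as a pure attribute addition that is easier to audit and to backport. The function body continues outside the hunk.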
@@ -42,6 +43,9 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
memcpy(&masq->sreg_proto_max, data, sizeof(masq->sreg_proto_max));
break;
+ case NFTNL_EXPR_MASQ_REG_PROTO_BASE:
+ memcpy(&masq->sreg_proto_base, data, sizeof(masq->sreg_proto_base));
+ break;
default:
return -1;
}
@@ -50,7 +54,7 @@ nftnl_expr_masq_set(struct nftnl_expr *e, uint16_t type,
static const void *
nftnl_expr_masq_get(const struct nftnl_expr *e, uint16_t type,
- uint32_t *data_len)
+ uint32_t *data_len)
{
struct nftnl_expr_masq *masq = nftnl_expr_data(e);
@@ -64,6 +68,9 @@ nftnl_expr_masq_get(const struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_MASQ_REG_PROTO_MAX:
*data_len = sizeof(masq->sreg_proto_max);
return &masq->sreg_proto_max;
+ case NFTNL_EXPR_MASQ_REG_PROTO_BASE:
+ *data_len = sizeof(masq->sreg_proto_base);
+ return &masq->sreg_proto_base;
}
return NULL;
}
@@ -79,6 +86,7 @@ static int nftnl_expr_masq_cb(const struct nlattr *attr, void *data)
switch (type) {
case NFTA_MASQ_REG_PROTO_MIN:
case NFTA_MASQ_REG_PROTO_MAX:
+ case NFTA_MASQ_REG_PROTO_BASE:
case NFTA_MASQ_FLAGS:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
@@ -102,6 +110,9 @@ nftnl_expr_masq_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX))
mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_MAX,
htobe32(masq->sreg_proto_max));
+ if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_BASE))
+ mnl_attr_put_u32(nlh, NFTA_MASQ_REG_PROTO_BASE,
+ htobe32(masq->sreg_proto_base));
}
static int
@@ -127,6 +138,11 @@ nftnl_expr_masq_parse(struct nftnl_expr *e, struct nlattr *attr)
be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_MAX]));
e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_MAX);
}
+ if (tb[NFTA_MASQ_REG_PROTO_BASE]) {
+ masq->sreg_proto_base =
+ be32toh(mnl_attr_get_u32(tb[NFTA_MASQ_REG_PROTO_BASE]));
+ e->flags |= (1 << NFTNL_EXPR_MASQ_REG_PROTO_BASE);
+ }
return 0;
}
@@ -147,6 +163,11 @@ static int nftnl_expr_masq_snprintf(char *buf, size_t remain,
masq->sreg_proto_max);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
+ if (e->flags & (1 << NFTNL_EXPR_MASQ_REG_PROTO_BASE)) {
+ ret = snprintf(buf + offset, remain, "proto_base reg %u ",
+ masq->sreg_proto_base);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
if (e->flags & (1 << NFTNL_EXPR_MASQ_FLAGS)) {
ret = snprintf(buf + offset, remain, "flags 0x%x ", masq->flags);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
diff --git a/tests/nft-expr_masq-test.c b/tests/nft-expr_masq-test.c
index 09179149421e..2bb93c47da54 100644
--- a/tests/nft-expr_masq-test.c
+++ b/tests/nft-expr_masq-test.c
@@ -37,6 +37,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_MASQ_REG_PROTO_MAX) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_MASQ_REG_PROTO_MAX))
print_err("Expr NFTNL_EXPR_MASQ_REG_PROTO_MAX mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_MASQ_REG_PROTO_BASE) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_MASQ_REG_PROTO_BASE))
+ print_err("Expr NFTNL_EXPR_MASQ_REG_PROTO_BASE mismatches");
}
int main(int argc, char *argv[])
@@ -59,6 +62,7 @@ int main(int argc, char *argv[])
nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_FLAGS, 0x1234568);
nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_REG_PROTO_MIN, 0x5432178);
nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_REG_PROTO_MAX, 0x8765421);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_MASQ_REG_PROTO_BASE, 0x0f1facdb);
nftnl_rule_add_expr(a, ex);
--
2.39.2
* [PATCH libnftnl 3/3] redir: add support for shifted port-ranges
2023-03-05 10:24 [PATCH libnftnl 0/3] Support for shifted port-ranges in NAT Jeremy Sowden
2023-03-05 10:24 ` [PATCH libnftnl 1/3] nat: add support for shifted port-ranges Jeremy Sowden
2023-03-05 10:24 ` [PATCH libnftnl 2/3] masq: " Jeremy Sowden
@ 2023-03-05 10:24 ` Jeremy Sowden
2 siblings, 0 replies; 4+ messages in thread
From: Jeremy Sowden @ 2023-03-05 10:24 UTC (permalink / raw)
To: Netfilter Devel
Support for using shifted port-ranges when masquerading has now been added
to the nft_redir kernel module, so make it available in user space.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
---
include/libnftnl/expr.h | 1 +
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/redir.c | 29 ++++++++++++++++++++++++-----
tests/nft-expr_redir-test.c | 4 ++++
4 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 18d17d6368a8..f3ff4fde046c 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -250,6 +250,7 @@ enum {
NFTNL_EXPR_REDIR_REG_PROTO_MIN = NFTNL_EXPR_BASE,
NFTNL_EXPR_REDIR_REG_PROTO_MAX,
NFTNL_EXPR_REDIR_FLAGS,
+ NFTNL_EXPR_REDIR_REG_PROTO_BASE,
};
enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 3b86bddac67c..5a6814fcf191 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1471,12 +1471,14 @@ enum nft_masq_attributes {
* @NFTA_REDIR_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
* @NFTA_REDIR_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
* @NFTA_REDIR_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
+ * @NFTA_REDIR_REG_PROTO_BASE: source register of proto range base offset (NLA_U32: nft_registers)
*/
enum nft_redir_attributes {
NFTA_REDIR_UNSPEC,
NFTA_REDIR_REG_PROTO_MIN,
NFTA_REDIR_REG_PROTO_MAX,
NFTA_REDIR_FLAGS,
+ NFTA_REDIR_REG_PROTO_BASE,
__NFTA_REDIR_MAX
};
#define NFTA_REDIR_MAX (__NFTA_REDIR_MAX - 1)
diff --git a/src/expr/redir.c b/src/expr/redir.c
index 87c2accb923f..595397da3d4c 100644
--- a/src/expr/redir.c
+++ b/src/expr/redir.c
@@ -23,12 +23,13 @@
struct nftnl_expr_redir {
enum nft_registers sreg_proto_min;
enum nft_registers sreg_proto_max;
- uint32_t flags;
+ enum nft_registers sreg_proto_base;
+ uint32_t flags;
};
static int
nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
- const void *data, uint32_t data_len)
+ const void *data, uint32_t data_len)
{
struct nftnl_expr_redir *redir = nftnl_expr_data(e);
@@ -39,6 +40,9 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_REDIR_REG_PROTO_MAX:
memcpy(&redir->sreg_proto_max, data, sizeof(redir->sreg_proto_max));
break;
+ case NFTNL_EXPR_REDIR_REG_PROTO_BASE:
+ memcpy(&redir->sreg_proto_base, data, sizeof(redir->sreg_proto_base));
+ break;
case NFTNL_EXPR_REDIR_FLAGS:
memcpy(&redir->flags, data, sizeof(redir->flags));
break;
@@ -50,7 +54,7 @@ nftnl_expr_redir_set(struct nftnl_expr *e, uint16_t type,
static const void *
nftnl_expr_redir_get(const struct nftnl_expr *e, uint16_t type,
- uint32_t *data_len)
+ uint32_t *data_len)
{
struct nftnl_expr_redir *redir = nftnl_expr_data(e);
@@ -61,6 +65,9 @@ nftnl_expr_redir_get(const struct nftnl_expr *e, uint16_t type,
case NFTNL_EXPR_REDIR_REG_PROTO_MAX:
*data_len = sizeof(redir->sreg_proto_max);
return &redir->sreg_proto_max;
+ case NFTNL_EXPR_REDIR_REG_PROTO_BASE:
+ *data_len = sizeof(redir->sreg_proto_base);
+ return &redir->sreg_proto_base;
case NFTNL_EXPR_REDIR_FLAGS:
*data_len = sizeof(redir->flags);
return &redir->flags;
@@ -79,6 +86,7 @@ static int nftnl_expr_redir_cb(const struct nlattr *attr, void *data)
switch (type) {
case NFTA_REDIR_REG_PROTO_MIN:
case NFTA_REDIR_REG_PROTO_MAX:
+ case NFTA_REDIR_REG_PROTO_BASE:
case NFTA_REDIR_FLAGS:
if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
abi_breakage();
@@ -100,6 +108,9 @@ nftnl_expr_redir_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
if (e->flags & (1 << NFTNL_EXPR_REDIR_REG_PROTO_MAX))
mnl_attr_put_u32(nlh, NFTA_REDIR_REG_PROTO_MAX,
htobe32(redir->sreg_proto_max));
+ if (e->flags & (1 << NFTNL_EXPR_REDIR_REG_PROTO_BASE))
+ mnl_attr_put_u32(nlh, NFTA_REDIR_REG_PROTO_BASE,
+ htobe32(redir->sreg_proto_base));
if (e->flags & (1 << NFTNL_EXPR_REDIR_FLAGS))
mnl_attr_put_u32(nlh, NFTA_REDIR_FLAGS, htobe32(redir->flags));
}
@@ -123,6 +134,11 @@ nftnl_expr_redir_parse(struct nftnl_expr *e, struct nlattr *attr)
ntohl(mnl_attr_get_u32(tb[NFTA_REDIR_REG_PROTO_MAX]));
e->flags |= (1 << NFTNL_EXPR_REDIR_REG_PROTO_MAX);
}
+ if (tb[NFTA_REDIR_REG_PROTO_BASE]) {
+ redir->sreg_proto_base =
+ ntohl(mnl_attr_get_u32(tb[NFTA_REDIR_REG_PROTO_BASE]));
+ e->flags |= (1 << NFTNL_EXPR_REDIR_REG_PROTO_BASE);
+ }
if (tb[NFTA_REDIR_FLAGS]) {
redir->flags = be32toh(mnl_attr_get_u32(tb[NFTA_REDIR_FLAGS]));
e->flags |= (1 << NFTNL_EXPR_REDIR_FLAGS);
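Review bot: The added `NFTA_REDIR_REG_PROTO_BASE` branch converts with `ntohl`, while the `NFTA_REDIR_FLAGS` branch directly below it uses `be32toh` and the build side of this file writes the same attribute with `htobe32`. The two calls are equivalent for a 32-bit value, so this is a style point only, but using one family keeps the parse and build paths visibly symmetric: `be32toh(mnl_attr_get_u32(tb[NFTA_REDIR_REG_PROTO_BASE]));`. `nftnl_expr_redir_parse` starts and ends outside the hunk.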
@@ -143,13 +159,16 @@ nftnl_expr_redir_snprintf(char *buf, size_t remain,
redir->sreg_proto_min);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
-
if (nftnl_expr_is_set(e, NFTNL_EXPR_REDIR_REG_PROTO_MAX)) {
ret = snprintf(buf + offset, remain, "proto_max reg %u ",
redir->sreg_proto_max);
SNPRINTF_BUFFER_SIZE(ret, remain, offset);
}
-
+ if (nftnl_expr_is_set(e, NFTNL_EXPR_REDIR_REG_PROTO_BASE)) {
+ ret = snprintf(buf + offset, remain, "proto_base reg %u ",
+ redir->sreg_proto_base);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
if (nftnl_expr_is_set(e, NFTNL_EXPR_REDIR_FLAGS)) {
ret = snprintf(buf + offset, remain, "flags 0x%x ",
redir->flags);
diff --git a/tests/nft-expr_redir-test.c b/tests/nft-expr_redir-test.c
index 8e1f30c43332..fc20e74e0196 100644
--- a/tests/nft-expr_redir-test.c
+++ b/tests/nft-expr_redir-test.c
@@ -34,6 +34,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_REDIR_REG_PROTO_MAX) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_REDIR_REG_PROTO_MAX))
print_err("Expr NFTNL_EXPR_REDIR_REG_PROTO_MAX mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_REDIR_REG_PROTO_BASE) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_REDIR_REG_PROTO_BASE))
+ print_err("Expr NFTNL_EXPR_REDIR_REG_PROTO_BASE mismatches");
if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_REDIR_FLAGS) !=
nftnl_expr_get_u32(rule_b, NFTNL_EXPR_REDIR_FLAGS))
print_err("Expr NFTNL_EXPR_REDIR_FLAGS mismatches");
@@ -58,6 +61,7 @@ int main(int argc, char *argv[])
nftnl_expr_set_u32(ex, NFTNL_EXPR_REDIR_REG_PROTO_MIN, 0x12345678);
nftnl_expr_set_u32(ex, NFTNL_EXPR_REDIR_REG_PROTO_MAX, 0x56781234);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_REDIR_REG_PROTO_BASE, 0x14e4cd3c);
nftnl_expr_set_u32(ex, NFTNL_EXPR_REDIR_FLAGS, 0x12003400);
nftnl_rule_add_expr(a, ex);
--
2.39.2