author | Phil Sutter <phil@nwl.cc> | 2022-11-02 21:54:41 +0100 |
---|---|---|
committer | Phil Sutter <phil@nwl.cc> | 2022-11-11 19:13:10 +0100 |
commit | 7dbd1b1dd95449b1ab8c35cd35fe904eb35db374 (patch) | |
tree | 313c8e4c25e596d9a7e5150e4be5ecf56e3d8e4c /extensions/libip6t_SNAT.c | |
parent | c3432977d9a5e6c5d8e835094dc8c466a5d64f03 (diff) |
extensions: *NAT: Drop NF_NAT_RANGE_PROTO_RANDOM* flag checks
SNAT, DNAT and REDIRECT extensions tried to prevent
NF_NAT_RANGE_PROTO_RANDOM flag from being set if no port or address was
also given.
With SNAT and DNAT, that case cannot occur as the respective
--to-destination or --to-source parameters are mandatory anyway.
Looking at the kernel code, doing so with REDIRECT seems harmless.
Moreover, nftables supports 'redirect random' without specifying a
port-range.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'extensions/libip6t_SNAT.c')
-rw-r--r-- | extensions/libip6t_SNAT.c | 20 |
1 files changed, 5 insertions, 15 deletions
diff --git a/extensions/libip6t_SNAT.c b/extensions/libip6t_SNAT.c
index 4fe272b2..8bf7b035 100644
--- a/extensions/libip6t_SNAT.c
+++ b/extensions/libip6t_SNAT.c
@@ -20,9 +20,6 @@ enum {
 	O_RANDOM,
 	O_RANDOM_FULLY,
 	O_PERSISTENT,
-	F_TO_SRC = 1 << O_TO_SRC,
-	F_RANDOM = 1 << O_RANDOM,
-	F_RANDOM_FULLY = 1 << O_RANDOM_FULLY,
 };
 
 static void SNAT_help(void)
@@ -166,19 +163,13 @@ static void SNAT_parse(struct xt_option_call *cb)
 	case O_PERSISTENT:
 		range->flags |= NF_NAT_RANGE_PERSISTENT;
 		break;
-	}
-}
-
-static void SNAT_fcheck(struct xt_fcheck_call *cb)
-{
-	static const unsigned int f = F_TO_SRC | F_RANDOM;
-	static const unsigned int r = F_TO_SRC | F_RANDOM_FULLY;
-	struct nf_nat_range *range = cb->data;
-
-	if ((cb->xflags & f) == f)
+	case O_RANDOM:
 		range->flags |= NF_NAT_RANGE_PROTO_RANDOM;
-	if ((cb->xflags & r) == r)
+		break;
+	case O_RANDOM_FULLY:
 		range->flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
+		break;
+	}
 }
 
 static void print_range(const struct nf_nat_range *range)
@@ -295,7 +286,6 @@ static struct xtables_target snat_tg_reg = {
 	.userspacesize = XT_ALIGN(sizeof(struct nf_nat_range)),
 	.help = SNAT_help,
 	.x6_parse = SNAT_parse,
-	.x6_fcheck = SNAT_fcheck,
 	.print = SNAT_print,
 	.save = SNAT_save,
 	.x6_options = SNAT_opts,
|
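Review bot: The new `case O_RANDOM:` and `case O_RANDOM_FULLY:` branches in SNAT_parse set NF_NAT_RANGE_PROTO_RANDOM and NF_NAT_RANGE_PROTO_RANDOM_FULLY unconditionally, and nothing in the hunk records why the address-present check that SNAT_fcheck used to enforce is no longer needed. That justification exists only in the commit message (--to-source is mandatory, so a range is always present); the option table that makes it mandatory is outside the hunk, so a reader of SNAT_parse alone cannot see the invariant. A one-line comment above `case O_RANDOM:` would keep it visible, e.g. `/* --to-source is mandatory, so a range always exists; no fcheck needed (see 7dbd1b1d). */`. Should the option table's mandatory marking ever be relaxed, these flags would be accepted without a range, so the comment also points at where that coupling sits. SNAT_parse begins before this hunk.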