path: root/src/netlink_linearize.c
diff options
authorFlorian Westphal <>2019-02-02 00:36:51 +0100
committerFlorian Westphal <>2019-04-09 10:36:16 +0200
commitfbe27464dee4588d90649274925145421c84b449 (patch)
tree15433842e30b980c784b867cae558b46e109c6aa /src/netlink_linearize.c
parent16ee51d84e0879b2bdc1135b75455f0cde3ed226 (diff)
src: add nat support for the inet family
consider a simple ip6 nat table: table ip6 nat { chain output { type nat hook output priority 0; policy accept; dnat to dead:2::99 } Now consider same ruleset, but using 'table inet nat': nft now lacks context to determine address family to parse 'to $address'. This adds code to make the following work: table inet nat { [ .. ] # detect af from network protocol context: ip6 daddr dead::2::1 dnat to dead:2::99 # use new dnat ip6 keyword: dnat ip6 to dead:2::99 } On list side, the keyword is only shown in the inet family, else the short version (dnat to ...) is used as the family is redundant when the table already mandates the ip protocol version supported. Address mismatches such as table ip6 { .. dnat ip to are detected/handled during the evaluation phase. Signed-off-by: Florian Westphal <> Acked-by: Pablo Neira Ayuso <>
Diffstat (limited to 'src/netlink_linearize.c')
1 files changed, 1 insertions, 1 deletions
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 8df82d5a..df763544 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1025,7 +1025,7 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
nle = alloc_nft_expr("nat");
nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_TYPE, stmt->nat.type);
- family = nftnl_rule_get_u32(ctx->nlr, NFTNL_RULE_FAMILY);
+ family = stmt->;
nftnl_expr_set_u32(nle, NFTNL_EXPR_NAT_FAMILY, family);
nftnl_flag_attr = NFTNL_EXPR_NAT_FLAGS;