rule: allow src/dstnat prios in input and output

Dan Winship says: The "dnat" command is usable from either "prerouting" or "output", but the "dstnat" priority is only usable from "prerouting". (Likewise, "snat" is usable from either "postrouting" or "input", but "srcnat" is only usable from "postrouting".) No need to restrict those priorities to pre/postrouting. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1694 Signed-off-by: Florian Westphal <fw@strlen.de>
author: Florian Westphal <fw@strlen.de> 2023-07-28 19:43:16 +0200
committer: Florian Westphal <fw@strlen.de> 2023-07-31 15:04:30 +0200
commit: 8beafab74c391130fbb9111bfccab8613644e3b9 (patch)
tree: c5363937819629b4b7d667126b697d4ed7eacf95 /src/rule.c
parent: b3def33efecb2f7be39fc9aefc9546907202056c (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/src/rule.c b/src/rule.c
index 533161d3..f4d00a8d 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -927,7 +927,8 @@ static bool std_prio_family_hook_compat(int prio, int family, int hook)
 		case NFPROTO_INET:
 		case NFPROTO_IPV4:
 		case NFPROTO_IPV6:
-			if (hook == NF_INET_PRE_ROUTING)
+			if (hook == NF_INET_PRE_ROUTING ||
+			    hook == NF_INET_LOCAL_OUT)
 				return true;
 		}
 		break;
@@ -936,7 +937,8 @@ static bool std_prio_family_hook_compat(int prio, int family, int hook)
 		case NFPROTO_INET:
 		case NFPROTO_IPV4:
 		case NFPROTO_IPV6:
-			if (hook == NF_INET_POST_ROUTING)
+			if (hook == NF_INET_LOCAL_IN ||
+			    hook == NF_INET_POST_ROUTING)
 				return true;
 		}
 	}
author	Florian Westphal <fw@strlen.de>	2023-07-28 19:43:16 +0200
committer	Florian Westphal <fw@strlen.de>	2023-07-31 15:04:30 +0200
commit	8beafab74c391130fbb9111bfccab8613644e3b9 (patch)
tree	c5363937819629b4b7d667126b697d4ed7eacf95 /src/rule.c
parent	b3def33efecb2f7be39fc9aefc9546907202056c (diff)