From a7469ab47400bf4add8269a2908965e82ceefc48 Mon Sep 17 00:00:00 2001 From: Arturo Borrero Date: Mon, 3 Nov 2014 21:20:11 +0100 Subject: src: add redirect support This patch adds redirect support for nft. The syntax is: % nft add rule nat prerouting redirect [port] [nat_flags] Signed-off-by: Arturo Borrero Gonzalez Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) (limited to 'src/evaluate.c') diff --git a/src/evaluate.c b/src/evaluate.c index b722567c..3eeb614c 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -1546,6 +1546,44 @@ out: return 0; } +static int stmt_evaluate_redir(struct eval_ctx *ctx, struct stmt *stmt) +{ + int err; + struct proto_ctx *pctx = &ctx->pctx; + + if (!pctx) + goto out; + + switch (pctx->family) { + case AF_INET: + expr_set_context(&ctx->ectx, &ipaddr_type, + 4 * BITS_PER_BYTE); + break; + case AF_INET6: + expr_set_context(&ctx->ectx, &ip6addr_type, + 16 * BITS_PER_BYTE); + break; + default: + return stmt_error(ctx, stmt, "ip and ip6 support only"); + } + + if (stmt->redir.proto != NULL) { + if (pctx->protocol[PROTO_BASE_TRANSPORT_HDR].desc == NULL) + return stmt_binary_error(ctx, stmt->redir.proto, stmt, + "missing transport protocol match"); + + expr_set_context(&ctx->ectx, &inet_service_type, + 2 * BITS_PER_BYTE); + err = expr_evaluate(ctx, &stmt->redir.proto); + if (err < 0) + return err; + } + +out: + stmt->flags |= STMT_F_TERMINAL; + return 0; +} + static int stmt_evaluate_ct(struct eval_ctx *ctx, struct stmt *stmt) { expr_set_context(&ctx->ectx, stmt->ct.tmpl->dtype, @@ -1608,6 +1646,8 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt) return stmt_evaluate_nat(ctx, stmt); case STMT_MASQ: return stmt_evaluate_masq(ctx, stmt); + case STMT_REDIR: + return stmt_evaluate_redir(ctx, stmt); case STMT_QUEUE: return stmt_evaluate_queue(ctx, stmt); case STMT_CT: -- cgit v1.2.3