summaryrefslogtreecommitdiffstats
path: root/extensions/libipt_DNAT.c
Commit message (Collapse)AuthorAgeFilesLines
* extensions: libip[6]t_SNAT/DNAT: use the new nft syntax when do xlateLiping Zhang2016-08-301-1/+1
| | | | | | | | | | | | | | | | | | | | | | After commit "src: add 'to' for snat and dnat" in nftables tree, we should recommend the end user to use the new syntax. Before this patch: # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1 nft add rule ip nat POSTROUTING counter snat 1.1.1.1 # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1 nft add rule ip6 nat PREROUTING counter dnat 2001::1 Apply this patch: # iptables-translate -t nat -A POSTROUTING -j SNAT --to-source 1.1.1.1 nft add rule ip nat POSTROUTING counter snat to 1.1.1.1 # ip6tables-translate -t nat -A PREROUTING -j DNAT --to-destination 2001::1 nft add rule ip6 nat PREROUTING counter dnat to 2001::1 Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_DNAT/SNAT: fix "OOM" when do translation to nftLiping Zhang2016-08-301-1/+1
| | | | | | | | | | | | | | | | When I want to translate SNAT target to nft rule, an error message was printed out: # iptables-translate -A POSTROUTING -j SNAT --to-source 1.1.1.1 iptables-translate v1.6.0: OOM Because ipt_natinfo{} started with a xt_entry_target{}, so when we get the ipt_natinfo pointer, we should use the target itself, not its data pointer. Yes, it is a little tricky and it's different with other targets. Fixes: 7a0992da44cf ("src: introduce struct xt_xlate_{mt,tg}_params") Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: introduce struct xt_xlate_{mt,tg}_paramsPablo Neira Ayuso2016-07-251-3/+3
| | | | | | | | This structure is an extensible containers of parameters, so we don't need to propagate interface updates in every extension file in case we need to add new parameters in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-translate: pass ipt_entry and ip6t_entry to ->xlate()Pablo Neira Ayuso2016-03-091-1/+1
| | | | | | | The multiport match needs it, this basically leaves ->xlate() indirection with almost the same interface as ->print(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: rename xt_buf to xt_xlatePablo Neira Ayuso2016-02-161-10/+10
| | | | | | | Use a more generic name for this object to prepare the introduction of other translation specific fields. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* extensions: libipt_DNAT: Add translation to nftShivani Bhardwaj2016-02-161-0/+46
| | | | | | | | | | | | | | | | | | | | | | | | Add translation for target DNAT to nftables. Examples: $ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 $ sudo iptables-translate -t nat -A prerouting -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.1.1-192.168.1.10 nft add rule ip nat prerouting ip daddr 15.45.23.67 tcp dport 80 counter dnat 192.168.1.1-192.168.1.10 $ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4:1-1023 nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4:1-1023 $ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random $ sudo iptables-translate -t nat -A prerouting -p tcp -o eth0 -j DNAT --to-destination 1.2.3.4 --random --persistent nft add rule ip nat prerouting oifname eth0 ip protocol tcp counter dnat 1.2.3.4 random,persistent Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Convert the NAT targets to use the kernel supplied nf_nat.h headerPatrick McHardy2012-09-101-18/+18
| | | | | Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libipt_SAME: set PROTO_RANDOM on all rangesJan Engelhardt2011-11-301-7/+10
| | | | | | | | Resolve the (justified) WTF remark to a clearer version of when/why PROTO_RANDOM needs to be set. Especially when --random is used before --to in SAME, it would have not been appleid.
* libipt_[SD]NAT: avoid false error about multiple destinations specifiedJan Engelhardt2011-05-131-3/+6
| | | | | | | | | | | iptables-restore v1.4.10: DNAT: Multiple --to-destination not supported xtables_option_parse sets cb->xflags already, so that it cannot be directly used to test whether an option is being used for the second time. Thus use a private option/flag (X_TO_DEST/SRC) that is not under the control of xtables_option_parse. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libipt_[SD]NAT: flag up module name on errorJan Engelhardt2011-05-131-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* Merge branch 'floating/opts' of git://dev.medozas.de/iptablesPatrick McHardy2011-05-121-49/+39
|\
| * libipt_DNAT: use guided option parserJan Engelhardt2011-05-091-49/+39
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | doc: S/DNAT allows to omit IP addressesJan Engelhardt2011-05-091-1/+1
|/ | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add missing checks for specific flagsJan Engelhardt2011-02-191-1/+1
| | | | | | | | | With "!flags", any option will be accepted. The extensions however want one very specific option to be used (or wrong help text). Commits: DNAT: v1.3.8~23, osf: v1.4.6~3 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: do not print trailing whitespacesJan Engelhardt2011-01-311-8/+6
| | | | | | | | | | | | | | | | | Due to the use of printf("foobar "), iptables emits spaces at the end-of-line, which looks odd to some users because it causes the terminal to wrap even if there is seemingly nothing to print. It may also have other points of annoyance, such as mailers interpreting a trailing space as an indicator that the paragraph continues when format=flowed is also on. And git highlights trailing spaces in red, so let's avoid :) Preexisting inconsistencies in outputting spaces in the right spot are also addressed right away. References: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=429579 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove no longer necessary default: casesJan Engelhardt2011-01-081-3/+1
| | | | | | | Match and target parse functions now only get option characters they have defined themselves. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* all: consistent syntax use in struct optionJan Engelhardt2010-07-231-4/+5
| | | | | | Try to inhibit copypasting old stuff. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* DNAT: fix incorrect check during parsingPatrick McHardy2009-11-061-1/+1
| | | | | | | | | | Specifying --random before --to-dest results in: Multiple --to-destination not supported Fix the flags check to only test the IPT_DNAT_OPT_DEST bit. Signed-off-by: Patrick McHardy <kaber@trash.net>
* libxtables: hand argv to xtables_check_inverseJan Engelhardt2009-11-031-1/+1
| | | | | | | | | In going to fix NF bug #611, "argv" is needed in xtables_check_inverse to set "optarg" to the right spot in case of an intrapositional negation. References: http://bugzilla.netfilter.org/show_bug.cgi?id=611 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: add const qualifiers in print/save functionsJan Engelhardt2009-05-261-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* SNAT/DNAT: add support for persistent multi-range NAT mappingsPatrick McHardy2009-04-171-1/+11
| | | | | | | Add support for persistent mappings (2.6.29-rc2+) as replacement for the removed SAME target. Signed-off-by: Patrick McHardy <kaber@trash.net>
* extensions: add missing limits.h includeJan Engelhardt2009-02-211-0/+1
| | | | | | Thanks to Stephen Hemminger for noticing. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* include: resynchronize headers with 2.6.29-rc5Jan Engelhardt2009-02-211-7/+7
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* extensions: remove unwanted/add needed includes for IPv4 extsJan Engelhardt2009-02-211-1/+1
| | | | | | | Most touched files do not use anything from ip_tables.h, so remove that #include. multiport instead, does need it (ipt_entry). Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix exit_error to xtables_errorJan Engelhardt2009-02-211-11/+11
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - move check_inverse to xtables.cJan Engelhardt2009-01-301-1/+1
| | | | | | | This also adds a warning that intrapositional negation support is deprecated. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - ascii to ipaddr/ipmask inputJan Engelhardt2009-01-301-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libxtables: prefix/order - ipaddr/ipmask to ascii outputJan Engelhardt2009-01-301-2/+2
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: remove inclusion of iptables.hJan Engelhardt2008-11-201-0/+1
| | | | | | | | | iptables.h and ip6tables.h only include declarations internal to iptables (specifically iptables.c and ip6tables.c), as most of the public API has been moved to xtables.h a few months ago. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use NFPROTO_ constantsJan Engelhardt2008-11-181-1/+1
| | | | | | | | Resync netfilter.h from the latest kernel and make use of the new NFPROTO_ constants that have been introduced. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Add SCTP/DCCP support to NAT targetsPatrick McHardy2008-11-041-1/+3
| | | | Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: Update commentsJan Engelhardt2008-09-011-6/+0
| | | | | | | | A number of comments are redundant, some outdated and others outright wrong in their own way. Remove and fixup. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
* Remove old functions, constantsJan Engelhardt2008-04-151-10/+9
|
* fix gcc warningsMax Kellermann2008-01-291-1/+1
| | | | Max Kellermann <max@duempel.org>
* rename overlapping function namesJan Engelhardt2008-01-201-3/+3
| | | | | | Rename overlapping function names. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* bunch o' renamesJan Engelhardt2008-01-201-2/+2
| | | | | | | | Move a few functions from iptables.c/ip6tables.c to xtables.c so they are available for combined (both AF_INET and AF_INET6) libxt modules. Rename overlapping function names. Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
* PATCH - Fix for --random option in DNAT and REDIRECTTom Eastep2007-11-151-0/+1
| | | | | | | The --random option produces "Unknown arg `--random'" errors with both the DNAT and REDIRECT targets. Corrected by the attached patch. Tom Eastep <teastep@shorewall.net>
* Unique names 4/6Jan Engelhardt2007-10-041-22/+16
| | | | | | | | | | | Give symbols of libxt targets unique names (2/3). Adds unique prefixes to all functions (most of them - especially the hook functions) so that debugging programs can unambiguously map a symbol to an address. Also unifies the names of the xtables_match/xtables_target structs, (based upon libxt_connmark.c/libip6t_*.c). Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fix sparse warnings: non-ANSI function declarations, 0 used as pointerPatrick McHardy2007-09-081-3/+3
|
* Make the option structures const.Jan Engelhardt2007-07-301-1/+1
| | | | Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Remove the .next=NULL field. This is automatically initialized to zero.Jan Engelhardt2007-07-301-1/+0
| | | | | | | I've kept .print=NULL and .save=NULL so it stands out (since iptables will do the print/save then). Signed-off-by: Jan Engelhardt <jengelh@gmx.de>
* Fixes warning on compilation, part 2Yasuyuki KOZAKAI2007-07-241-3/+4
| | | | | | | | | | This changes the type of arguments as follows in multiport, DNAT, SNAT, MASQUERADE, and REDIRECT - ip[6]t_ip[6] * -> void * - ip[6]t_entry * -> void * and adds lines to cast these pointer with intended type.
* Replaces ipt_entry_* with xt_entry_* in matches/targetsYasuyuki KOZAKAI2007-07-241-5/+5
|
* Add --random option to DNAT and REDIRECT targets and fix the manpage mess ↵Patrick McHardy2007-05-291-2/+20
| | | | this option left behind.
* Use nf_conntrack headers instead of ip_conntrack ones and add sanitized ↵Patrick McHardy2007-04-181-1/+1
| | | | versions.
* Kernels higher than 2.6.10 don't support multiple --to arguments inPhil Oester2005-09-191-0/+7
| | | | | | | | | | | | | | | | | | | | | DNAT and SNAT targets. At present, the error is somewhat vague: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables: Invalid argument But if we want current iptables to work with kernels <= 2.6.10, we cannot simply disallow this in all cases. So the below patch adds kernel version checking to iptables, and utilizes it in [DS]NAT. Now, users will see a more informative error: # iptables -t nat -A foo -j SNAT --to 1.2.3.4 --to 2.3.4.5 iptables v1.3.3: Multiple --to-source not supported This generic infrastructure (shamelessly lifted from procps btw) may come in handy in the future for other changes. This fixes bugzilla #367. (Phil Oester)
* Fix NAT of ICMP ID ranges (Patrick McHardy)Patrick McHardy2005-07-221-1/+2
|
* This patch prevents user to set negative port value of SNAT/DNAT.Yasuyuki KOZAKAI2005-06-221-2/+2
| | | | (Yasuyuki Kozakai)
* Kill NFC_* stuff in iptables (Pablo Neira <pablo@eurodev.net>)Pablo Neira2005-02-141-9/+0
| | | | Fixes build with conntrack event patch for 2.6
* John McCann points out via bugzilla that iptables happily accepts thisPhil Oester2005-02-011-1/+6
| | | | | | | | | | | | | syntax on DNAT/SNAT: --to x.x.x.x:y:z but doesn't actually make use of the second port. Clear up the confusion by only accepting a dash between the ports. This closes bugzilla #265. Signed-off-by: Phil Oester <kernel@linuxace.com>