authorPhil Sutter <phil@nwl.cc>2018-03-17 10:39:27 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2018-03-17 13:23:45 +0100
commitfde8ddfc31bbc4015e8a76b40cc7e27bcd7920ff (patch)
tree33c8e5ca8bdb473d772950359e57a326738c2e91 /src/netlink_delinearize.c
parent48632359f4dea5ee2484debba498ba069229e6d0 (diff)
Combine redir and masq statements into nat
All these statements are very similar, handling them with the same code is obvious. The only thing required here is a custom extension of enum nft_nat_types which is used in nat_stmt to distinguish between snat and dnat already. Though since enum nft_nat_types is part of kernel uAPI, create a local extended version containing the additional fields. Note that nat statement printing got a bit more complicated to get the number of spaces right for every possible combination of attributes. Note also that there wasn't a case for STMT_MASQ in rule_parse_postprocess(), which seems like a bug. Since STMT_MASQ became just a variant of STMT_NAT, postprocessing will take place for it now anyway. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_delinearize.c')
-rw-r--r--src/netlink_delinearize.c32
1 files changed, 14 insertions, 18 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index b20047f1..754a307e 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -861,8 +861,8 @@ static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
enum nft_registers reg1, reg2;
int family;
- stmt = nat_stmt_alloc(loc);
- stmt->nat.type = nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_TYPE);
+ stmt = nat_stmt_alloc(loc,
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_TYPE));
family = nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_FAMILY);
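Review bot: The NAT type read from the netlink expression in `nat_stmt_alloc(loc, nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_TYPE))` reaches the allocator without a range check. Per the commit message, the statement's type is now a local enum extended beyond the kernel's `enum nft_nat_types`. A dumped value other than `NFT_NAT_SNAT` or `NFT_NAT_DNAT` would therefore be taken as one of the local-only variants, or as an out-of-range value by whatever prints the statement; that code is not in this hunk, so this is inferred. Consider reading the value into a local first and rejecting anything but the two uAPI values before allocating, with a comment such as `/* kernel only reports snat/dnat here; masq/redir are local-only type values */`. The body of netlink_parse_nat continues outside the hunk, so the right error path cannot be seen from here.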
@@ -951,8 +951,8 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
if (nftnl_expr_is_set(nle, NFTNL_EXPR_MASQ_FLAGS))
flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_MASQ_FLAGS);
- stmt = masq_stmt_alloc(loc);
- stmt->masq.flags = flags;
+ stmt = nat_stmt_alloc(loc, NFT_NAT_MASQ);
+ stmt->nat.flags = flags;
reg1 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN);
if (reg1) {
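Review bot: With both parsers now filling `stmt->nat.flags` and `stmt->nat.proto`, netlink_parse_masq and netlink_parse_redir appear to differ only in the `NFT_NAT_MASQ` / `NFT_NAT_REDIR` argument and the `NFTNL_EXPR_MASQ_*` / `NFTNL_EXPR_REDIR_*` attribute ids. That is as far as this hunk and the ones at -963, -975, -995, -1012 and -1025 show. The `expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN)` and `range_expr_alloc(loc, stmt->nat.proto, proto)` sequence is repeated in each. A shared static helper taking the type and the flags, proto-min and proto-max attribute ids would keep the two register-handling paths from drifting apart. It would also settle the ordering difference: masq reads the flags before allocating, redir allocates first. Both function bodies extend outside the hunks, so any remaining differences need checking before merging them.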
@@ -963,7 +963,7 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
goto out_err;
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- stmt->masq.proto = proto;
+ stmt->nat.proto = proto;
}
reg2 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX);
@@ -975,9 +975,9 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
goto out_err;
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- if (stmt->masq.proto != NULL)
- proto = range_expr_alloc(loc, stmt->masq.proto, proto);
- stmt->masq.proto = proto;
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto, proto);
+ stmt->nat.proto = proto;
}
ctx->stmt = stmt;
@@ -995,11 +995,11 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
enum nft_registers reg1, reg2;
uint32_t flags;
- stmt = redir_stmt_alloc(loc);
+ stmt = nat_stmt_alloc(loc, NFT_NAT_REDIR);
if (nftnl_expr_is_set(nle, NFTNL_EXPR_REDIR_FLAGS)) {
flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_REDIR_FLAGS);
- stmt->redir.flags = flags;
+ stmt->nat.flags = flags;
}
reg1 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MIN);
@@ -1012,7 +1012,7 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- stmt->redir.proto = proto;
+ stmt->nat.proto = proto;
}
reg2 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MAX);
@@ -1025,10 +1025,10 @@ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
}
expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
- if (stmt->redir.proto != NULL)
- proto = range_expr_alloc(loc, stmt->redir.proto,
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto,
proto);
- stmt->redir.proto = proto;
+ stmt->nat.proto = proto;
}
ctx->stmt = stmt;
@@ -2366,10 +2366,6 @@ static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *r
if (stmt->nat.proto != NULL)
expr_postprocess(&rctx, &stmt->nat.proto);
break;
- case STMT_REDIR:
- if (stmt->redir.proto != NULL)
- expr_postprocess(&rctx, &stmt->redir.proto);
- break;
case STMT_REJECT:
stmt_reject_postprocess(&rctx);
break;