diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-04-24 21:56:46 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-04-28 17:32:31 +0200 |
| commit | 9599d9d25a6b383b72b119c709af33f6f6031786 (patch) | |
| tree | 2ac2f19b9f5f55578ab6cebe25ebb35dea659492 /src/parser_bison.y | |
| parent | 2885cf2e65042b3dbc44fc232fd35840df255935 (diff) | |
src: NAT support for intervals in maps
This patch allows you to specify an interval of IP address in maps.
table ip x {
chain y {
type nat hook postrouting priority srcnat; policy accept;
snat ip interval to ip saddr map { 10.141.11.4 : 192.168.2.2-192.168.2.4 }
}
}
The example above performs SNAT to packets that comes from 10.141.11.4
to an interval of IP addresses from 192.168.2.2 to 192.168.2.4 (both
included).
You can also combine this with dynamic maps:
table ip x {
map y {
type ipv4_addr : interval ipv4_addr
flags interval
elements = { 10.141.10.0/24 : 192.168.2.2-192.168.2.4 }
}
chain y {
type nat hook postrouting priority srcnat; policy accept;
snat ip interval to ip saddr map @y
}
}
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/parser_bison.y')
| -rw-r--r-- | src/parser_bison.y | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index 0e04a0e4..731a5b3e 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1792,6 +1792,17 @@ map_block : /* empty */ { $$ = $<set>-1; } $1->flags |= NFT_SET_MAP; $$ = $1; } + | map_block TYPE + data_type_expr COLON INTERVAL data_type_expr + stmt_separator + { + $1->key = $3; + $1->data = $6; + $1->data->flags |= EXPR_F_INTERVAL; + + $1->flags |= NFT_SET_MAP; + $$ = $1; + } | map_block TYPEOF typeof_expr COLON typeof_expr stmt_separator @@ -1803,6 +1814,18 @@ map_block : /* empty */ { $$ = $<set>-1; } $1->flags |= NFT_SET_MAP; $$ = $1; } + | map_block TYPEOF + typeof_expr COLON INTERVAL typeof_expr + stmt_separator + { + $1->key = $3; + datatype_set($1->key, $3->dtype); + $1->data = $6; + $1->data->flags |= EXPR_F_INTERVAL; + + $1->flags |= NFT_SET_MAP; + $$ = $1; + } | map_block TYPE data_type_expr COLON COUNTER stmt_separator @@ -3171,6 +3194,17 @@ nat_stmt_args : stmt_expr $<stmt>0->nat.addr = $6; $<stmt>0->nat.ipportmap = true; } + | nf_key_proto INTERVAL TO stmt_expr + { + $<stmt>0->nat.family = $1; + $<stmt>0->nat.addr = $4; + $<stmt>0->nat.type_flags = STMT_NAT_F_INTERVAL; + } + | INTERVAL TO stmt_expr + { + $<stmt>0->nat.addr = $3; + $<stmt>0->nat.type_flags = STMT_NAT_F_INTERVAL; + } ; masq_stmt : masq_stmt_alloc masq_stmt_args |