[PATCH iptables] tests added for shifted portmap range with DNAT

I added and verified these tests after applying Florian's fixed wrt. nf_nat_range2 size for rev2. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> ---  extensions/libip6t_DNAT.t | 5 +  extensions/libipt_DNAT.t  | 5 +  2 files changed, 10 insertions(+) diff --git a/exte

Re: [PATCH iptables] extensions: libipt_DNAT: use size of nf_nat_range2 for rev2

On 03-05-18 21:40, Florian Westphal wrote: > DNAT tests fail on nf-next.git, kernel complains about target size > mismatch (40 vs 48), this fixes this for me. > > Fixes: 36976c4b5406 ("extensions: libipt_DNAT: support shifted portmap > ranges") > Signed-off-by: Florian Westphal >

[PATCH v6] netfilter : add NAT support for shifted portmap ranges

lso be proposed which makes this functionality immediately available. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- Changes in v6: - fix compile issue for openvswitch module Changes in v5: - reverted to v2 for struct nf_nat_range names - rebased to nf-next Chan

[PATCH v3] extensions: libipt_DNAT: support shifted portmap ranges

parsing logic with extra lines of code and thus increased risk for regression. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- Changes in v3: - adapted to struct naming in kernel patch v5 - change destination port separator ';' -> '/' (use slash instead of

[PATCH v5] netfilter : add NAT support for shifted portmap ranges

lso be proposed which makes this functionality immediately available. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- Changes in v5: - reverted to v2 for struct nf_nat_range names - rebased to nf-next Changes in v4: - renamed nf_nat_range1 to nf_nat_range_v1 Chan

Re: [PATCH v4] netfilter : add NAT support for shifted portmap ranges

On 06-03-18 00:41, Pablo Neira Ayuso wrote: > Hi Thierry, > > On Fri, Feb 16, 2018 at 12:31:26PM +0100, Thierry Du Tre wrote: >> Op 30/01/2018 om 14:02 schreef Thierry Du Tre: >>> This is a patch proposal to support shifted ranges in portmaps. >>> (i.e. tcp/u

Re: [PATCH v4] netfilter : add NAT support for shifted portmap ranges

Op 30/01/2018 om 14:02 schreef Thierry Du Tre: > This is a patch proposal to support shifted ranges in portmaps. > (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN > 192.168.1.5:2000-2100) > > Currently DNAT only works for single port or identical port ranges. >

[PATCH v4] netfilter : add NAT support for shifted portmap ranges

lso be proposed which makes this functionality immediately available. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- Changes in v4: - renamed nf_nat_range1 to nf_nat_range_v1 Changes in v3: - use nf_nat_range as name for updated struct, renamed existing nf_nat_range to nf_n

Re: [PATCH v3] netfilter : add NAT support for shifted portmap ranges

Op 16/01/2018 om 15:32 schreef Pablo Neira Ayuso: > Hi Thierry, > > On Mon, Jan 15, 2018 at 01:56:09PM +0100, Thierry Du Tre wrote: >> Hi Pablo, >> >> I prepared this third version to get aligned about the way forward for the >> extension for struct nf_

Re: [PATCH v3] netfilter : add NAT support for shifted portmap ranges

Op 16/01/2018 om 15:32 schreef Pablo Neira Ayuso: > Hi Thierry, > > On Mon, Jan 15, 2018 at 01:56:09PM +0100, Thierry Du Tre wrote: >> Hi Pablo, >> >> I prepared this third version to get aligned about the way forward for the >> extension for struct nf_

Re: [PATCH] extensions : multiple to-dst/to-src arguments for ip6t_DNAT/SNAT not reported

Op 16/01/2018 om 16:24 schreef Pablo Neira Ayuso: > On Tue, Jan 16, 2018 at 04:23:20PM +0100, Pablo Neira Ayuso wrote: >> On Tue, Jan 16, 2018 at 04:20:40PM +0100, Thierry Du Tre wrote: >>> Op 16/01/2018 om 16:06 schreef Thierry Du Tre: >>>> Op 16/01/2018 om 1

Re: [PATCH] extensions : multiple to-dst/to-src arguments for ip6t_DNAT/SNAT not reported

Op 16/01/2018 om 16:06 schreef Thierry Du Tre: > Op 16/01/2018 om 14:06 schreef Pablo Neira Ayuso: >> Hi Thierry, >> >> On Tue, Jan 16, 2018 at 01:44:37PM +0100, Thierry Du Tre wrote: >>> This patch is fixing the detection of multiple '--to-destination' in a D

Re: [PATCH] extensions : multiple to-dst/to-src arguments for ip6t_DNAT/SNAT not reported

Op 16/01/2018 om 14:06 schreef Pablo Neira Ayuso: > Hi Thierry, > > On Tue, Jan 16, 2018 at 01:44:37PM +0100, Thierry Du Tre wrote: >> This patch is fixing the detection of multiple '--to-destination' in a DNAT >> rule and '--to-source' in SNAT rule for IPv6. >> Curren

[PATCH] extensions : multiple to-dst/to-src arguments for ip6t_DNAT/SNAT not reported

ms only added since kernel version 3.7-rc1 and therefore the check for > v2.6.10 will always return true. The check is probably also coming from the IPv4 copy-paste. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- extensions/libip6t_DNAT.c | 12 +--- extensions/lib

Re: [PATCH v3] netfilter : add NAT support for shifted portmap ranges

other applications might also be impacted ? Somehow this doesn't seem right to me, so I might have misinterpreted your earlier response. On 12-01-18 15:01, Thierry Du Tre wrote: > This is a patch proposal to support shifted ranges in portmaps. > (i.e. tcp/udp incoming port 5000-5100

[PATCH v3] netfilter : add NAT support for shifted portmap ranges

ich makes this functionality immediately available. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- Changes in v3: - use nf_nat_range as name for updated struct, renamed existing nf_nat_range to nf_nat_range1 - reverted all nf_nat_range2 occurences Changes in v2: -

Re: [PATCH v2] netfilter : add NAT support for shifted portmap ranges

Hi Pablo, thanks for you quick response. Op 12/01/2018 om 1:21 schreef Pablo Neira Ayuso: > Hi Thierry, > > On Thu, Jan 11, 2018 at 07:42:27PM +0100, Thierry Du Tre wrote: >> This is a patch proposal to support shifted ranges in portmaps. > > I think you can get a much

[PATCH v2] netfilter : add NAT support for shifted portmap ranges

ust be selected via the specific flag when intended to use. A patch for iptables (libipt_DNAT.c) will also be proposed which makes this functionality immediately available. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- Changes in v2: - added new revision

Re: [PATCH] netfilter : add NAT support for shifted portmap ranges

Op 20/12/2017 om 23:16 schreef Pablo Neira Ayuso: On Wed, Dec 20, 2017 at 01:28:09PM +0100, Thierry Du Tre wrote: This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100) Currently DNAT only works

[PATCH] extensions: libipt_DNAT: support shifted portmap ranges

. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- extensions/libipt_DNAT.c | 18 +- include/linux/netfilter/nf_nat.h | 3 +++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c index a14d16f..f

[PATCH] netfilter : add NAT support for shifted portmap ranges

sed which makes this functionality immediately available. Signed-off-by: Thierry Du Tre <thie...@dtsystems.be> --- include/uapi/linux/netfilter/nf_nat.h | 5 - net/netfilter/nf_nat_core.c | 7 --- net/netfilter/nf_nat_proto_common.c | 5 - net/netfilter