7210e4e38f
This adds the missing validation code to avoid the use of nat/masq from non-nat chains. The validation assumes two possible configuration scenarios: 1) Use of nat from base chain that is not of nat type. Reject this configuration from the nft_*_init() path of the expression. 2) Use of nat from non-base chain. In this case, we have to wait until the non-base chain is referenced by at least one base chain via jump/goto. This is resolved from the nft_*_validate() path which is called from nf_tables_check_loops(). The user gets an -EOPNOTSUPP in both cases. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
#ifndef _NFT_MASQ_H_
#define _NFT_MASQ_H_
/*
 * Data carried by a masquerade expression: a single 32-bit flags word.
 *
 * NOTE(review): this header contains no #include lines, so u32 has to be
 * declared by whichever file includes it.
 */
struct nft_masq {
	/*
	 * NOTE(review): the meaning of the individual bits is not defined in
	 * this header; presumably they are the NAT range flags taken from the
	 * expression's netlink attributes. Confirm in nft_masq_init().
	 */
	u32	flags;
};
/*
 * Declared here, defined in another translation unit; the array bound is
 * not visible from this header.
 *
 * NOTE(review): presumably the netlink attribute policy used to check the
 * masquerade expression's attributes before nft_masq_init() reads them.
 * Confirm at the definition.
 */
extern const struct nla_policy nft_masq_policy[];
/*
 * Init hook of the masquerade expression.
 *
 * Per the commit description, the nft_*_init() path is where nat/masq used
 * directly from a base chain that is not of nat type gets rejected; the user
 * then receives -EOPNOTSUPP. Use from a non-base chain cannot be decided at
 * this point and is left to nft_masq_validate().
 *
 * ctx:  context of the rule being set up
 * expr: the expression being initialised
 * tb:   netlink attributes of the expression
 *       NOTE(review): presumably indexed by attribute type and already
 *       checked against nft_masq_policy; confirm in the caller.
 *
 * NOTE(review): the return convention is not visible here; presumably 0 on
 * success and a negative errno otherwise.
 */
int nft_masq_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
		  const struct nlattr * const tb[]);
/*
 * Dump hook of the masquerade expression.
 *
 * skb:  buffer the hook writes to
 * expr: the expression being dumped; not modified (const)
 *
 * NOTE(review): presumably serialises the expression's configuration into
 * skb as netlink attributes and returns 0 or a negative value when the
 * buffer is too small. Neither is visible from this header; confirm in the
 * definition.
 */
int nft_masq_dump(struct sk_buff *skb,
		  const struct nft_expr *expr);
/*
 * Validate hook of the masquerade expression: the chain-type check.
 *
 * Per the commit description, masq placed in a non-base chain cannot be
 * judged when the expression is initialised; the check has to wait until
 * that chain is referenced by at least one base chain via jump/goto. It is
 * resolved from the nft_*_validate() path, which is called from
 * nf_tables_check_loops(), and use from a non-nat chain is refused with
 * -EOPNOTSUPP.
 *
 * ctx:  context the expression is validated in
 * expr: the expression being validated
 * data: NOTE(review): purpose not visible from this header; confirm
 *       against the definition before relying on it.
 */
int nft_masq_validate(const struct nft_ctx *ctx,
		      const struct nft_expr *expr,
		      const struct nft_data **data);
#endif /* _NFT_MASQ_H_ */