From: Kaarle Ritvanen
To: Paul Kilar
cc: alpine-devel@lists.alpinelinux.org
Date: Thu, 10 Jul 2014 23:26:19 +0300 (EEST)
Subject: Re: [alpine-devel] [PATCH] Patch to support custom port ("to-port") in filter --> dnat
In-Reply-To: <1404849841-26249-1-git-send-email-pkilar@gmail.com>
References: <1404849841-26249-1-git-send-email-pkilar@gmail.com>

Hello Paul,

We have actually been planning to introduce the possibility to specify the
port number in DNAT rules embedded in filters. We agreed on a syntax like
this to make it clear that "to-port" is related to DNAT:

    "dnat": { "to-addr": "", "to-port": }

Unfortunately, a valid implementation is a bit more complex than your patch.
Please check out the class named TranslatingRule to see how the IPv4
addresses are overridden by the DNAT target address, in order to make the
iptables filter rules match. A similar translation is needed for the port
number in the IPv4 (but not IPv6) rules.

Preferably, the implementation would also verify that the affected services
are not using any other protocol than TCP and UDP when port translation is
applied.

In case you still want to try to implement the feature, here are a couple
of hints:

You might need to add some hooks to the base class, i.e. awall.model.Rule.
In addition, it might make sense to move the functionality of
Rule:servoptfrags to a new class (Service) to make it available via the
awall.model.ConfigObject:create mechanism.

BR,
Kaarle
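The translation Kaarle describes, as an added illustration that is not awall's own code and not part of this thread: a filter rule carrying a "dnat" entry has to expand into a nat rule matching the original destination and a filter rule matching the translated address and port, since FORWARD sees the packet after PREROUTING has rewritten it. The rule dictionary layout, the function name and the sample values are assumptions made up for this example; awall's real Rule/TranslatingRule classes are written in Lua and look different.

```python
"""Expand a filter rule with an embedded "dnat" entry into iptables fragments.

Added example, not awall's code. The rule layout below is constructed for
illustration only; awall's real model differs.
"""

# Port translation only makes sense for protocols that carry a port number.
PORT_PROTOCOLS = {"tcp", "udp"}


def expand_dnat_filter(rule):
    """Return (nat_rule, filter_rule) for an IPv4 filter rule with a "dnat" key.

    The nat rule matches the pre-translation destination; the filter rule must
    match the post-translation destination (address and, if given, port).  A
    filter rule written against the original address would never match in
    FORWARD and the intended restriction would silently do nothing.
    """
    dnat = rule["dnat"]
    proto = rule["service"]["proto"]
    orig_port = rule["service"]["port"]
    to_addr = dnat["to-addr"]
    to_port = dnat.get("to-port")

    # The check the mail asks for: refuse port translation on non-TCP/UDP.
    if to_port is not None and proto not in PORT_PROTOCOLS:
        raise ValueError(f"to-port requires tcp or udp, got {proto!r}")

    target = f"--to-destination {to_addr}"
    if to_port is not None:
        target += f":{to_port}"
    nat_rule = (f"-t nat -A PREROUTING -i {rule['in']} -p {proto} "
                f"-d {rule['dest']} --dport {orig_port} -j DNAT {target}")

    # Translated port if one was given, otherwise the service's own port.
    filt_port = to_port if to_port is not None else orig_port
    filter_rule = (f"-A FORWARD -i {rule['in']} -o {rule['out']} -p {proto} "
                   f"-d {to_addr} --dport {filt_port} -j ACCEPT")
    return nat_rule, filter_rule


# Constructed sample: public HTTP forwarded to an internal host on 8080.
SAMPLE_RULE = {
    "in": "wan", "out": "dmz", "dest": "203.0.113.10",
    "service": {"proto": "tcp", "port": 80},
    "dnat": {"to-addr": "10.0.0.5", "to-port": 8080},
}

if __name__ == "__main__":
    for fragment in expand_dnat_filter(SAMPLE_RULE):
        print("iptables", fragment)
```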