iptables: support postrouting hook and SNAT target

The current SNAT implementation has several limitations: - SNAT source port has to be specified. It is not optional. - SNAT source port range is not supported. - SNAT for UDP is a one-way translation. No response packets are handled (because conntrack doesn't support UDP currently). - SNAT and REDIRECT can't work on the same connection. Fixes #5489 PiperOrigin-RevId: 367750325
author: Toshi Kikuchi <toshik@google.com> 2021-04-09 21:09:47 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-04-09 21:11:26 -0700
commit: d1edabdca016b9d80295855a3ce6d2816486d65c (patch)
tree: 9e9827ed0ff58ada2beab7605366d5c881404861 /pkg/abi/linux
parent: ea7faa50579d3d76c6cbb1f7ffba4e16eebf1885 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/pkg/abi/linux/netfilter.go b/pkg/abi/linux/netfilter.go
index 378f1baf3..775bbc759 100644
--- a/pkg/abi/linux/netfilter.go
+++ b/pkg/abi/linux/netfilter.go
@@ -375,6 +375,17 @@ type XTRedirectTarget struct {
 // SizeOfXTRedirectTarget is the size of an XTRedirectTarget.
 const SizeOfXTRedirectTarget = 56
 
+// XTSNATTarget triggers Source NAT when reached.
+// Adding 4 bytes of padding to make the struct 8 byte aligned.
+type XTSNATTarget struct {
+	Target  XTEntryTarget
+	NfRange NfNATIPV4MultiRangeCompat
+	_       [4]byte
+}
+
+// SizeOfXTSNATTarget is the size of an XTSNATTarget.
+const SizeOfXTSNATTarget = 56
+
 // IPTGetinfo is the argument for the IPT_SO_GET_INFO sockopt. It corresponds
 // to struct ipt_getinfo in include/uapi/linux/netfilter_ipv4/ip_tables.h.
 //
author	Toshi Kikuchi <toshik@google.com>	2021-04-09 21:09:47 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-04-09 21:11:26 -0700
commit	d1edabdca016b9d80295855a3ce6d2816486d65c (patch)
tree	9e9827ed0ff58ada2beab7605366d5c881404861 /pkg/abi/linux
parent	ea7faa50579d3d76c6cbb1f7ffba4e16eebf1885 (diff)