Add nft fullcone support

2025-03-09 15:40:20 +00:00 · 2023-07-29 16:16:52 +02:00 · 2023-07-29 16:16:52 +02:00 · 3feeae5315
commit 3feeae5315
parent d9b6c05d1e
6 changed files with 921 additions and 0 deletions
--- a/6.1/package/network/config/firewall4/patches/990-unconditionally-allow-ct-status-dnat.patch
+++ b/6.1/package/network/config/firewall4/patches/990-unconditionally-allow-ct-status-dnat.patch
@ -0,0 +1,22 @@
+--- a/root/usr/share/firewall4/templates/ruleset.uc	2023-07-28 18:55:05.492297782 +0200
+++ b/root/usr/share/firewall4/templates/ruleset.uc	2023-07-28 18:58:52.300598623 +0200
+@@ -218,9 +218,7 @@
+ {%  for (let rule in fw4.rules(`input_${zone.name}`)): %}
+ 		{%+ include("rule.uc", { fw4, rule }) %}
+ {%  endfor %}
+-{%  if (zone.dflags.dnat): %}
+ 		ct status dnat accept comment "!fw4: Accept port redirections"
+-{%  endif %}
+ {%  fw4.includes('chain-append', `input_${zone.name}`) %}
+ 		jump {{ zone.input }}_from_{{ zone.name }}
+ 	}
+@@ -239,9 +237,7 @@
+ {%  for (let rule in fw4.rules(`forward_${zone.name}`)): %}
+ 		{%+ include("rule.uc", { fw4, rule }) %}
+ {%  endfor %}
+-{%  if (zone.dflags.dnat): %}
+ 		ct status dnat accept comment "!fw4: Accept port forwards"
+-{%  endif %}
+ {%  fw4.includes('chain-append', `forward_${zone.name}`) %}
+ 		jump {{ zone.forward }}_to_{{ zone.name }}
+ {%  if (fw4.forward_policy() != "accept" && (zone.log & 1)): %}
--- a/6.1/package/network/config/firewall4/patches/999-01-firewall4-add-fullcone-support.patch
+++ b/6.1/package/network/config/firewall4/patches/999-01-firewall4-add-fullcone-support.patch
@ -0,0 +1,248 @@
+From d4081c498ddca184578903fe5199d390bbc0707b Mon Sep 17 00:00:00 2001
+From: Syrone Wong <wong.syrone@gmail.com>
+Date: Sat, 9 Apr 2022 13:24:19 +0800
+Subject: [PATCH] firewall4: add fullcone support
+
+fullcone is drop-in replacement of masq for non-udp traffic
+
+add runtime fullcone rule check, disable it globally if fullcone expr is
+invalid
+
+defaults.fullcone is the global switch, while zone.fullcone4 and
+zone.fullcone6 are switches for IPv4 and IPv6 respectively, most
+IPv6 traffic do NOT need this FullCone NAT functionality.
+---
+ root/etc/config/firewall                      |  3 +
+ root/usr/share/firewall4/templates/ruleset.uc | 16 +++-
+ .../firewall4/templates/zone-fullcone.uc      |  4 +
+ root/usr/share/ucode/fw4.uc                   | 76 ++++++++++++++++++-
+ 4 files changed, 96 insertions(+), 3 deletions(-)
+ create mode 100644 root/usr/share/firewall4/templates/zone-fullcone.uc
+
+diff --git a/root/etc/config/firewall b/root/etc/config/firewall
+index b9a4647..7187723 100644
+--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
+@@ -5,6 +5,7 @@ config defaults
+ 	option forward		REJECT
+ # Uncomment this line to disable ipv6 rules
+ #	option disable_ipv6	1
+	option fullcone '1'
+ 
+ config zone
+ 	option name		lan
+@@ -20,6 +21,8 @@ config zone
+ 	option input		REJECT
+ 	option output		ACCEPT
+ 	option forward		REJECT
+	option fullcone4 '1'
+	option fullcone6 '1'
+ 	option masq		1
+ 	option mtu_fix		1
+ 
+diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
+index eaa1f04..e29eae6 100644
+--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
+@@ -310,6 +310,12 @@ table inet fw4 {
+ {%   for (let redirect in fw4.redirects(`dstnat_${zone.name}`)): %}
+ 		{%+ include("redirect.uc", { fw4, redirect }) %}
+ {%   endfor %}
+{%   if (zone.fullcone4): %}
+		{%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "dstnat" }) %}
+{%   endif %}
+{%   if (zone.fullcone6): %}
+		{%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "dstnat" }) %}
+{%   endif %}
+ {%   fw4.includes('chain-append', `dstnat_${zone.name}`) %}
+ 	}
+ 
+@@ -320,20 +326,26 @@ table inet fw4 {
+ {%   for (let redirect in fw4.redirects(`srcnat_${zone.name}`)): %}
+ 		{%+ include("redirect.uc", { fw4, redirect }) %}
+ {%   endfor %}
+-{%   if (zone.masq): %}
+{%   if (zone.masq && !zone.fullcone4): %}
+ {%    for (let saddrs in zone.masq4_src_subnets): %}
+ {%     for (let daddrs in zone.masq4_dest_subnets): %}
+ 		{%+ include("zone-masq.uc", { fw4, zone, family: 4, saddrs, daddrs }) %}
+ {%     endfor %}
+ {%    endfor %}
+ {%   endif %}
+-{%   if (zone.masq6): %}
+{%   if (zone.masq6 && !zone.fullcone6): %}
+ {%    for (let saddrs in zone.masq6_src_subnets): %}
+ {%     for (let daddrs in zone.masq6_dest_subnets): %}
+ 		{%+ include("zone-masq.uc", { fw4, zone, family: 6, saddrs, daddrs }) %}
+ {%     endfor %}
+ {%    endfor %}
+ {%   endif %}
+{%   if (zone.fullcone4): %}
+		{%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "srcnat" }) %}
+{%   endif %}
+{%   if (zone.fullcone6): %}
+		{%+ include("zone-fullcone.uc", { fw4, zone, family: 6, direction: "srcnat" }) %}
+{%   endif %}
+ {%   fw4.includes('chain-append', `srcnat_${zone.name}`) %}
+ 	}
+ 
+diff --git a/root/usr/share/firewall4/templates/zone-fullcone.uc b/root/usr/share/firewall4/templates/zone-fullcone.uc
+new file mode 100644
+index 0000000..77d9806
+--- /dev/null
+++ b/root/usr/share/firewall4/templates/zone-fullcone.uc
+@@ -0,0 +1,4 @@
+{# /usr/share/firewall4/templates/zone-fullcone.uc #}
+		meta nfproto {{ fw4.nfproto(family) }} fullcone comment "!fw4: Handle {{
+		zone.name
+}} {{ fw4.nfproto(family, true) }} fullcone NAT {{ direction }} traffic"
+diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
+index 1b4764c..c5716da 100644
+--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
+@@ -1,3 +1,5 @@
+// /usr/share/ucode/fw4.uc
+
+ const fs = require("fs");
+ const uci = require("uci");
+ const ubus = require("ubus");
+@@ -428,6 +430,25 @@ function nft_try_hw_offload(devices) {
+ 	return (rc == 0);
+ }
+ 
+function nft_try_fullcone() {
+	let nft_test =
+		'add table inet fw4-fullcone-test; ' +
+		'add chain inet fw4-fullcone-test dstnat { ' +
+			'type nat hook prerouting priority -100; policy accept; ' +
+			'fullcone; ' +
+		'}; ' +
+		'add chain inet fw4-fullcone-test srcnat { ' +
+			'type nat hook postrouting priority -100; policy accept; ' +
+			'fullcone; ' +
+		'}; ';
+	let cmd = sprintf("/usr/sbin/nft -c '%s' 2>/dev/null", replace(nft_test, "'", "'\\''"));
+	let ok = system(cmd) == 0;
+	if (!ok) {
+		warn("nft_try_fullcone: cmd "+ cmd + "\n");
+	}
+	return ok;
+}
+
+ 
+ return {
+ 	read_kernel_version: function() {
+@@ -765,6 +786,18 @@ return {
+ 			warn(`[!] ${msg}\n`);
+ 	},
+ 
+	myinfo: function(fmt, ...args) {
+		if (getenv("QUIET"))
+			return;
+
+		let msg = sprintf(fmt, ...args);
+
+		if (getenv("TTY"))
+			warn(`\033[32m${msg}\033[m\n`);
+		else
+			warn(`[I] ${msg}\n`);
+	},
+
+ 	get: function(sid, opt) {
+ 		return this.cursor.get("firewall", sid, opt);
+ 	},
+@@ -946,6 +979,21 @@ return {
+ 		}
+ 	},
+ 
+	myinfo_section: function(s, msg) {
+		if (s[".name"]) {
+			if (s.name)
+				this.myinfo("Section %s (%s) %s", this.section_id(s[".name"]), s.name, msg);
+			else
+				this.myinfo("Section %s %s", this.section_id(s[".name"]), msg);
+		}
+		else {
+			if (s.name)
+				this.myinfo("ubus %s (%s) %s", s.type || "rule", s.name, msg);
+			else
+				this.myinfo("ubus %s %s", s.type || "rule", msg);
+		}
+	},
+
+ 	parse_policy: function(val) {
+ 		return this.parse_enum(val, [
+ 			"accept",
+@@ -1385,6 +1433,7 @@ return {
+ 			"dnat",
+ 			"snat",
+ 			"masquerade",
+			"fullcone",
+ 			"accept",
+ 			"reject",
+ 			"drop"
+@@ -1852,6 +1901,7 @@ return {
+ 		}
+ 
+ 		let defs = this.parse_options(data, {
+			fullcone: [ "bool", "0" ],
+ 			input: [ "policy", "drop" ],
+ 			output: [ "policy", "drop" ],
+ 			forward: [ "policy", "drop" ],
+@@ -1884,6 +1934,11 @@ return {
+ 
+ 		delete defs.syn_flood;
+ 
+		if (!nft_try_fullcone()) {
+			delete defs.fullcone;
+			warn("nft_try_fullcone failed, disable fullcone globally\n");
+		}
+
+ 		this.state.defaults = defs;
+ 	},
+ 
+@@ -1908,6 +1963,8 @@ return {
+ 			masq_dest: [ "network", null, PARSE_LIST ],
+ 
+ 			masq6: [ "bool" ],
+			fullcone4: [ "bool", "0" ],
+			fullcone6: [ "bool", "0" ],
+ 
+ 			extra: [ "string", null, UNSUPPORTED ],
+ 			extra_src: [ "string", null, UNSUPPORTED ],
+@@ -1940,6 +1997,18 @@ return {
+ 			}
+ 		}
+ 
+		if (this.state.defaults && !this.state.defaults.fullcone) {
+			this.warn_section(data, "fullcone in defaults not enabled, ignore zone fullcone settings");
+			zone.fullcone4 = false;
+			zone.fullcone6 = false;
+		}
+		if (zone.fullcone4) {
+			this.myinfo_section(data, "IPv4 fullcone enabled for zone '" + zone.name + "'");
+		}
+		if (zone.fullcone6) {
+			this.myinfo_section(data, "IPv6 fullcone enabled for zone '" + zone.name + "'");
+		}
+
+ 		if (zone.mtu_fix && this.kernel < 0x040a0000) {
+ 			this.warn_section(data, "option 'mtu_fix' requires kernel 4.10 or later");
+ 			return;
+@@ -2110,10 +2179,15 @@ return {
+ 		zone.related_subnets = related_subnets;
+ 		zone.related_physdevs = related_physdevs;
+ 
+		if (zone.fullcone4 || zone.fullcone6) {
+			zone.dflags.snat = true;
+			zone.dflags.dnat = true;
+		}
+
+ 		if (zone.masq || zone.masq6)
+ 			zone.dflags.snat = true;
+ 
+-		if ((zone.auto_helper && !(zone.masq || zone.masq6)) || length(zone.helper)) {
+		if ((zone.auto_helper && !(zone.masq || zone.masq6 || zone.fullcone4 || zone.fullcone6)) || length(zone.helper)) {
+ 			zone.dflags.helper = true;
+ 
+ 			for (let helper in (length(zone.helper) ? zone.helper : this.state.helpers)) {
--- a/6.1/package/network/utils/nftables/Makefile
+++ b/6.1/package/network/utils/nftables/Makefile
@ -0,0 +1,85 @@
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright (C) 2015 OpenWrt.org
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=nftables
+PKG_VERSION:=1.0.7
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://netfilter.org/projects/$(PKG_NAME)/files
+PKG_HASH:=c12ac941fff9adaedf17367d5ce213789b98a0d314277bc22b3d71e10891f412
+
+PKG_MAINTAINER:=
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYING
+
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+
+PKG_BUILD_FLAGS:=lto
+
+include $(INCLUDE_DIR)/package.mk
+
+DISABLE_NLS:=
+
+CONFIGURE_ARGS += \
+        --disable-debug \
+        --disable-man-doc \
+        --with-mini-gmp \
+        --without-cli \
+        --disable-python
+
+define Package/nftables/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Firewall
+  TITLE:=nftables userspace utility
+  DEPENDS:=+kmod-nft-core +libnftnl
+  URL:=http://netfilter.org/projects/nftables/
+  PROVIDES:=nftables
+endef
+
+define Package/nftables-nojson
+  $(Package/nftables/Default)
+  TITLE+= no JSON support
+  VARIANT:=nojson
+  DEFAULT_VARIANT:=1
+  CONFLICTS:=nftables-json
+endef
+
+define Package/nftables-json
+  $(Package/nftables/Default)
+  TITLE+= with JSON support
+  VARIANT:=json
+  DEPENDS+=+jansson
+endef
+
+ifeq ($(BUILD_VARIANT),json)
+  CONFIGURE_ARGS += --with-json
+endif
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/lib $(1)/usr/include
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib/
+	$(CP) $(PKG_INSTALL_DIR)/usr/include/nftables $(1)/usr/include/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnftables.pc \
+		$(1)/usr/lib/pkgconfig/
+endef
+
+define Package/nftables/install/Default
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/nft $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so* $(1)/usr/lib/
+endef
+
+Package/nftables-nojson/install = $(Package/nftables/install/Default)
+Package/nftables-json/install = $(Package/nftables/install/Default)
+
+$(eval $(call BuildPackage,nftables-nojson))
+$(eval $(call BuildPackage,nftables-json))
--- a/6.1/package/network/utils/nftables/patches/002-nftables-add-fullcone-expression-support.patch
+++ b/6.1/package/network/utils/nftables/patches/002-nftables-add-fullcone-expression-support.patch
@ -0,0 +1,223 @@
+From 58c89e8768711a959fdc6e953df3ea2254ff93c1 Mon Sep 17 00:00:00 2001
+From: Syrone Wong <wong.syrone@gmail.com>
+Date: Sat, 9 Apr 2022 00:38:51 +0800
+Subject: [PATCH] nftables: add fullcone expression support
+
+Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
+---
+ include/linux/netfilter/nf_tables.h | 16 ++++++++++
+ include/statement.h                 |  1 +
+ src/netlink_delinearize.c           | 48 +++++++++++++++++++++++++++++
+ src/netlink_linearize.c             |  7 +++++
+ src/parser_bison.y                  | 28 +++++++++++++++--
+ src/scanner.l                       |  1 +
+ src/statement.c                     |  1 +
+ 7 files changed, 100 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
+index 75df968..beab9d8 100644
+--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
+@@ -1409,6 +1409,22 @@ enum nft_masq_attributes {
+ };
+ #define NFTA_MASQ_MAX		(__NFTA_MASQ_MAX - 1)
+ 
+/**
+ * enum nft_fullcone_attributes - nf_tables fullcone expression attributes
+ *
+ * @NFTA_FULLCONE_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
+ * @NFTA_FULLCONE_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
+ * @NFTA_FULLCONE_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
+ */
+enum nft_fullcone_attributes {
+	NFTA_FULLCONE_UNSPEC,
+	NFTA_FULLCONE_FLAGS,
+	NFTA_FULLCONE_REG_PROTO_MIN,
+	NFTA_FULLCONE_REG_PROTO_MAX,
+	__NFTA_FULLCONE_MAX
+};
+#define NFTA_FULLCONE_MAX		(__NFTA_FULLCONE_MAX - 1)
+
+ /**
+  * enum nft_redir_attributes - nf_tables redirect expression netlink attributes
+  *
+diff --git a/include/statement.h b/include/statement.h
+index 2a2d300..cbd48dd 100644
+--- a/include/statement.h
+++ b/include/statement.h
+@@ -122,6 +122,7 @@ enum nft_nat_etypes {
+ 	__NFT_NAT_SNAT = NFT_NAT_SNAT,
+ 	__NFT_NAT_DNAT = NFT_NAT_DNAT,
+ 	NFT_NAT_MASQ,
+	NFT_NAT_FULLCONE,
+ 	NFT_NAT_REDIR,
+ };
+ 
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 068c3bb..8513113 100644
+--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
+@@ -1369,6 +1369,53 @@ static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
+ 	stmt_free(stmt);
+ }
+ 
+static void netlink_parse_fullcone(struct netlink_parse_ctx *ctx,
+			       const struct location *loc,
+			       const struct nftnl_expr *nle)
+{
+	enum nft_registers reg1, reg2;
+	struct expr *proto;
+	struct stmt *stmt;
+	uint32_t flags = 0;
+
+	if (nftnl_expr_is_set(nle, NFTNL_EXPR_FULLCONE_FLAGS))
+		flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_FULLCONE_FLAGS);
+
+	stmt = nat_stmt_alloc(loc, NFT_NAT_FULLCONE);
+	stmt->nat.flags = flags;
+
+	reg1 = netlink_parse_register(nle, NFTNL_EXPR_FULLCONE_REG_PROTO_MIN);
+	if (reg1) {
+		proto = netlink_get_register(ctx, loc, reg1);
+		if (proto == NULL) {
+			netlink_error(ctx, loc,
+				      "fullcone statement has no proto expression");
+			goto out_err;
+		}
+		expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+		stmt->nat.proto = proto;
+	}
+
+	reg2 = netlink_parse_register(nle, NFTNL_EXPR_FULLCONE_REG_PROTO_MAX);
+	if (reg2 && reg2 != reg1) {
+		proto = netlink_get_register(ctx, loc, reg2);
+		if (proto == NULL) {
+			netlink_error(ctx, loc,
+				      "fullcone statement has no proto expression");
+			goto out_err;
+		}
+		expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+		if (stmt->nat.proto != NULL)
+			proto = range_expr_alloc(loc, stmt->nat.proto, proto);
+		stmt->nat.proto = proto;
+	}
+
+	ctx->stmt = stmt;
+	return;
+out_err:
+	stmt_free(stmt);
+}
+
+ static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
+ 				const struct location *loc,
+ 				const struct nftnl_expr *nle)
+@@ -1787,6 +1834,7 @@ static const struct expr_handler netlink_parsers[] = {
+ 	{ .name = "tproxy",	.parse = netlink_parse_tproxy },
+ 	{ .name = "notrack",	.parse = netlink_parse_notrack },
+ 	{ .name = "masq",	.parse = netlink_parse_masq },
+	{ .name = "fullcone",	.parse = netlink_parse_fullcone },
+ 	{ .name = "redir",	.parse = netlink_parse_redir },
+ 	{ .name = "dup",	.parse = netlink_parse_dup },
+ 	{ .name = "queue",	.parse = netlink_parse_queue },
+diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
+index c8bbcb7..505eafa 100644
+--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
+@@ -1140,6 +1140,13 @@ static void netlink_gen_nat_stmt(struct netlink_linearize_ctx *ctx,
+ 		nftnl_reg_pmin = NFTNL_EXPR_MASQ_REG_PROTO_MIN;
+ 		nftnl_reg_pmax = NFTNL_EXPR_MASQ_REG_PROTO_MAX;
+ 		break;
+	case NFT_NAT_FULLCONE:
+		nle = alloc_nft_expr("fullcone");
+
+		nftnl_flag_attr = NFTNL_EXPR_FULLCONE_FLAGS;
+		nftnl_reg_pmin = NFTNL_EXPR_FULLCONE_REG_PROTO_MIN;
+		nftnl_reg_pmax = NFTNL_EXPR_FULLCONE_REG_PROTO_MAX;
+		break;
+ 	case NFT_NAT_REDIR:
+ 		nle = alloc_nft_expr("redir");
+ 
+diff --git a/src/parser_bison.y b/src/parser_bison.y
+index ca5c488..ec9fc9b 100644
+--- a/src/parser_bison.y
+++ b/src/parser_bison.y
+@@ -571,6 +571,7 @@ int nft_lex(void *, void *, void *);
+ %token SNAT			"snat"
+ %token DNAT			"dnat"
+ %token MASQUERADE		"masquerade"
+%token FULLCONE		"fullcone"
+ %token REDIRECT			"redirect"
+ %token RANDOM			"random"
+ %token FULLY_RANDOM		"fully-random"
+@@ -703,8 +704,8 @@ int nft_lex(void *, void *, void *);
+ %type <val>			limit_burst_pkts limit_burst_bytes limit_mode limit_bytes time_unit quota_mode
+ %type <stmt>			reject_stmt reject_stmt_alloc
+ %destructor { stmt_free($$); }	reject_stmt reject_stmt_alloc
+-%type <stmt>			nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
+-%destructor { stmt_free($$); }	nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc redir_stmt redir_stmt_alloc
+%type <stmt>			nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc fullcone_stmt fullcone_stmt_alloc redir_stmt redir_stmt_alloc
+%destructor { stmt_free($$); }	nat_stmt nat_stmt_alloc masq_stmt masq_stmt_alloc fullcone_stmt fullcone_stmt_alloc redir_stmt redir_stmt_alloc
+ %type <val>			nf_nat_flags nf_nat_flag offset_opt
+ %type <stmt>			tproxy_stmt
+ %destructor { stmt_free($$); }	tproxy_stmt
+@@ -2853,6 +2854,7 @@ stmt			:	verdict_stmt
+ 			|	queue_stmt
+ 			|	ct_stmt
+ 			|	masq_stmt	close_scope_nat
+			|	fullcone_stmt	close_scope_nat
+ 			|	redir_stmt	close_scope_nat
+ 			|	dup_stmt	close_scope_dup
+ 			|	fwd_stmt	close_scope_fwd
+@@ -3753,6 +3755,28 @@ masq_stmt_args		:	TO 	COLON	stmt_expr
+ 			}
+ 			;
+ 
+fullcone_stmt		:	fullcone_stmt_alloc		fullcone_stmt_args
+			|	fullcone_stmt_alloc
+			;
+
+fullcone_stmt_alloc		:	FULLCONE	{ $$ = nat_stmt_alloc(&@$, NFT_NAT_FULLCONE); }
+			;
+
+fullcone_stmt_args		:	TO 	COLON	stmt_expr
+			{
+				$<stmt>0->nat.proto = $3;
+			}
+			|	TO 	COLON	stmt_expr	nf_nat_flags
+			{
+				$<stmt>0->nat.proto = $3;
+				$<stmt>0->nat.flags = $4;
+			}
+			|	nf_nat_flags
+			{
+				$<stmt>0->nat.flags = $1;
+			}
+			;
+
+ redir_stmt		:	redir_stmt_alloc	redir_stmt_arg
+ 			|	redir_stmt_alloc
+ 			;
+diff --git a/src/scanner.l b/src/scanner.l
+index 2154281..c389860 100644
+--- a/src/scanner.l
+++ b/src/scanner.l
+@@ -453,6 +453,7 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
+ "snat"			{ scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return SNAT; }
+ "dnat"			{ scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return DNAT; }
+ "masquerade"		{ scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return MASQUERADE; }
+"fullcone"		{ scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return FULLCONE; }
+ "redirect"		{ scanner_push_start_cond(yyscanner, SCANSTATE_STMT_NAT); return REDIRECT; }
+ "random"		{ return RANDOM; }
+ <SCANSTATE_STMT_NAT>{
+diff --git a/src/statement.c b/src/statement.c
+index 30caf9c..f4866c2 100644
+--- a/src/statement.c
+++ b/src/statement.c
+@@ -650,6 +650,7 @@ const char *nat_etype2str(enum nft_nat_etypes type)
+ 		[NFT_NAT_SNAT]	= "snat",
+ 		[NFT_NAT_DNAT]	= "dnat",
+ 		[NFT_NAT_MASQ]	= "masquerade",
+		[NFT_NAT_FULLCONE] = "fullcone",
+ 		[NFT_NAT_REDIR]	= "redirect",
+ 	};
+