[Devel] [PATCH rh7] net/netfilter: make nft NAT working in different netns simultaneously
Vasily Averin
vvs at virtuozzo.com
Tue Apr 28 07:22:03 MSK 2020
On 4/27/20 5:57 PM, Konstantin Khorenko wrote:
> --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
> +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
> @@ -251,6 +252,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
> /* maniptype == SRC for postrouting. */
> enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
>
> + const struct nft_chain *chain = ops->priv, *basechain = chain;
why you need to define "basechain" here?
can you just use chain instead?
> + const struct net *chain_net =
> + read_pnet(&nft_base_chain(basechain)->pnet);
> + const struct net *net;
> +
> /* We never see fragments: conntrack defrags on pre-routing
> * and local-out, and nf_nat_out protects post-routing.
> */
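Review bot: `read_pnet(&nft_base_chain(basechain)->pnet)` is evaluated unconditionally at the top of nf_nat_ipv4_fn, yet this function is the shared L3 NAT helper and `ops->priv` is only an nft chain when the caller is the nf_tables NAT chain type; if the iptables NAT hook ops in this tree carry no priv (as upstream iptable_nat's do), container_of on NULL yields a wild pointer and the read faults on the first packet through the hook. The namespace comparison belongs in the nft-specific do_chain caller, where the chain is known to be an nft base chain, or at minimum should be computed lazily after the ct lookup behind a guard such as `if (chain && !net_eq(nf_ct_net(ct), read_pnet(&nft_base_chain(chain)->pnet))) return NF_ACCEPT;`. Pulling nf_tables.h into the generic l3proto file is a further sign the check sits one layer too low. nf_nat_ipv4_fn starts before and ends after this hunk.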
> @@ -265,6 +271,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
> if (!ct)
> return NF_ACCEPT;
>
> + /* Ignore chains that are not for the current network namespace */
> + net = nf_ct_net(ct);
> + if (!net_eq(net, chain_net))
> + return NF_ACCEPT;
> +
> /* Don't try to NAT if this packet is not conntracked */
> if (nf_ct_is_untracked(ct))
> return NF_ACCEPT;
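Review bot: The new early `return NF_ACCEPT` needs a comment saying why accepting is safe, not only that the chain is foreign: presumably the NAT hooks in this tree are registered once per base chain in a global hook list, so a chain owned by another netns is walked for this packet and must step aside so the packet still reaches the chain owned by its own netns. Suggest replacing the comment with `/* nf hooks are global: a NAT base chain from another netns sees this packet; accept so it reaches the chain owned by the packet's own netns */`. It is also worth stating why the conntrack's netns is the right reference rather than dev_net() of the in/out device, if the two can ever differ here. The rest of nf_nat_ipv4_fn lies outside the hunk.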
> diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
> index 540dc0fdaf102..545ba56fbd3c3 100644
> --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
> +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
> @@ -24,6 +24,7 @@
> #include <net/netfilter/nf_nat_core.h>
> #include <net/netfilter/nf_nat_l3proto.h>
> #include <net/netfilter/nf_nat_l4proto.h>
> +#include <net/netfilter/nf_tables.h>
>
> static const struct nf_nat_l3proto nf_nat_l3proto_ipv6;
>
> @@ -264,6 +265,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
> int hdrlen;
> u8 nexthdr;
>
> + const struct nft_chain *chain = ops->priv, *basechain = chain;
and here too: it seems you can use chain instead of basechain, can't you?
> + const struct net *chain_net =
> + read_pnet(&nft_base_chain(basechain)->pnet);
> + const struct net *net;
> +
> ct = nf_ct_get(skb, &ctinfo);
> /* Can't track? It's not due to stress, or conntrack would
> * have dropped it. Hence it's the user's responsibilty to
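Review bot: Same concern as the IPv4 side: `read_pnet(&nft_base_chain(basechain)->pnet)` runs before anything establishes that `ops->priv` is an nft chain, but nf_nat_ipv6_fn is the L3 helper also reached from the ip6tables NAT hooks; if those hook ops register without a priv (as upstream ip6table_nat's do), this is a wild-pointer read on every packet, not just nft traffic. Keep the chain lookup out of this shared helper by doing the netns test in the nft-specific do_chain caller, or compute `chain_net` only after the caller is known to be nf_tables. The function starts before and ends after this hunk.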
> @@ -273,6 +279,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
> if (!ct)
> return NF_ACCEPT;
>
> + /* Ignore chains that are not for the current network namespace */
> + net = nf_ct_net(ct);
> + if (!net_eq(net, chain_net))
> + return NF_ACCEPT;
> +
> /* Don't try to NAT if this packet is not conntracked */
> if (nf_ct_is_untracked(ct))
> return NF_ACCEPT;
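Review bot: The netns test runs before `nf_ct_is_untracked(ct)`, so for untracked packets it compares against whatever netns the untracked template records rather than a real connection's; if that template is the global one in this tree the outcome is still NF_ACCEPT either way, but placing the `net_eq` check after the untracked bail-out confines the namespace logic to genuinely conntracked packets and keeps the guards in the same order as the existing ones. Suggest moving the added lines `net = nf_ct_net(ct); if (!net_eq(net, chain_net)) return NF_ACCEPT;` below the untracked check, keeping the comment with them. The function body continues outside the hunk.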
>