[Devel] [PATCH rh7] net/netfilter: make nft NAT working in different netns simultaneously

Konstantin Khorenko khorenko at virtuozzo.com
Tue Apr 28 12:53:57 MSK 2020


On 04/28/2020 07:22 AM, Vasily Averin wrote:
> On 4/27/20 5:57 PM, Konstantin Khorenko wrote:
>> --- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
>> +++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
>> @@ -251,6 +252,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
>>  	/* maniptype == SRC for postrouting. */
>>  	enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);
>>
>> +	const struct nft_chain *chain = ops->priv, *basechain = chain;
>
> why do you need to define "basechain" here?
> can you just use "chain" instead?

Vasya, you are fully right,
it's a leftover of debugging. :)

>
>> +	const struct net *chain_net =
>> +		read_pnet(&nft_base_chain(basechain)->pnet);
>> +	const struct net *net;
>> +
>>  	/* We never see fragments: conntrack defrags on pre-routing
>>  	 * and local-out, and nf_nat_out protects post-routing.
>>  	 */
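Review bot: `ops->priv` is cast to an nft chain and dereferenced through `nft_base_chain(basechain)->pnet` unconditionally at the very top of nf_nat_ipv4_fn, before the function has even looked up the conntrack, so the read happens for every packet that reaches this hook. If nf_nat_ipv4_fn in this tree is also the entry point for the legacy iptable_nat hooks (where ops->priv is not an nft_chain), every packet on that path would read through an unrelated or NULL pointer; that needs to be confirmed against the callers, which are outside the hunk. If it is the case, the namespace comparison belongs in the nft-specific caller in nft_chain_nat_ipv4.c where the chain pointer is known to be valid, or the chain's netns should be passed in explicitly rather than recovered from ops->priv, and the `chain_net` initialisation should at least move below the early NF_ACCEPT returns so it is not computed for packets that are dropped anyway. The nf_nat_ipv6_fn hunk below has the same pattern. The body of nf_nat_ipv4_fn continues outside this hunk.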
>> @@ -265,6 +271,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
>>  	if (!ct)
>>  		return NF_ACCEPT;
>>
>> +	/* Ignore chains that are not for the current network namespace */
>> +	net = nf_ct_net(ct);
>> +	if (!net_eq(net, chain_net))
>> +		return NF_ACCEPT;
>> +
>>  	/* Don't try to NAT if this packet is not conntracked */
>>  	if (nf_ct_is_untracked(ct))
>>  		return NF_ACCEPT;
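Review bot: The added comment `/* Ignore chains that are not for the current network namespace */` states what the check does but not why a chain of another namespace can be reached at all, which is the non-obvious part for a later reader; presumably the nft base-chain hook ops are registered once and fire for packets of every namespace, so the chain owned by the packet's own namespace still gets its turn and NF_ACCEPT here only skips foreign chains — if that is the reason, say so: `/* nft hooks fire for every netns; only the chain owned by this conntrack's netns may NAT the packet, any other chain just passes it on */`. Since `net` is used exactly once, `if (!net_eq(nf_ct_net(ct), chain_net))` would also let the `net` local and its separate declaration go. The same applies to the matching nf_nat_ipv6_fn hunk below.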
>> diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
>> index 540dc0fdaf102..545ba56fbd3c3 100644
>> --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
>> +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
>> @@ -24,6 +24,7 @@
>>  #include <net/netfilter/nf_nat_core.h>
>>  #include <net/netfilter/nf_nat_l3proto.h>
>>  #include <net/netfilter/nf_nat_l4proto.h>
>> +#include <net/netfilter/nf_tables.h>
>>
>>  static const struct nf_nat_l3proto nf_nat_l3proto_ipv6;
>>
>> @@ -264,6 +265,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
>>  	int hdrlen;
>>  	u8 nexthdr;
>>
>> +	const struct nft_chain *chain = ops->priv, *basechain = chain;
>
> and here too: it seems you can use "chain" instead of "basechain", can't you?
>
>> +	const struct net *chain_net =
>> +		read_pnet(&nft_base_chain(basechain)->pnet);
>> +	const struct net *net;
>> +
>>  	ct = nf_ct_get(skb, &ctinfo);
>>  	/* Can't track?  It's not due to stress, or conntrack would
>>  	 * have dropped it.  Hence it's the user's responsibilty to
>> @@ -273,6 +279,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct sk_buff *skb,
>>  	if (!ct)
>>  		return NF_ACCEPT;
>>
>> +	/* Ignore chains that are not for the current network namespace */
>> +	net = nf_ct_net(ct);
>> +	if (!net_eq(net, chain_net))
>> +		return NF_ACCEPT;
>> +
>>  	/* Don't try to NAT if this packet is not conntracked */
>>  	if (nf_ct_is_untracked(ct))
>>  		return NF_ACCEPT;
>>
> .
>

