[Devel] [PATCH RHEL7 COMMIT] netfilter: Add warning on nft NAT init if "iptable_nat" already loaded

Vasily Averin vvs at virtuozzo.com
Thu Dec 3 11:51:57 MSK 2020


The commit is pushed to "branch-rh7-3.10.0-1160.6.1.vz7.171.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.6.1.vz7.171.1
------>
commit 754ff31c18a2bbb69ea49cbb83c36ace850904c8
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Thu Dec 3 11:51:57 2020 +0300

    netfilter: Add warning on nft NAT init if "iptable_nat" already loaded
    
    nft NAT cannot work along with iptables NAT.
    "iptable_nat" module is always loaded on the VZ Node (libvirt triggers
    the load), so warn on "nft_nat" module load.
    
    I've added an additional check - if "ip(6)table_nat" modules are really
    loaded - maybe some time later libvirt won't trigger their load.
    
    https://jira.sw.ru/browse/PSBM-102919
    https://jira.sw.ru/browse/PSBM-123111
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 net/netfilter/nft_nat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 3883504..d12d540 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -279,6 +279,12 @@ static struct nft_expr_type nft_nat_type __read_mostly = {
 
 static int __init nft_nat_module_init(void)
 {
+	/* nft NAT does not work if ip(6)table_nat module is loaded */
+	WARN_ONCE(init_net.ipv4.nat_table || init_net.ipv6.ip6table_nat,
+		  "WARNING: 'nft_nat' kernel module is being loaded "
+		  "while 'ip(6)table_nat' module already loaded. "
+		  "nft NAT will not work.\n");
+
 	return nft_register_expr(&nft_nat_type);
 }
 
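Review bot: WARN_ONCE() in nft_nat_module_init() produces a full "WARNING: ... at net/netfilter/nft_nat.c" splat with register dump and backtrace for what is a configuration conflict rather than a kernel bug; pr_warn_once() would convey the same message without the stack trace and without alarming log monitoring, and the explicit "WARNING:" prefix in the format string duplicates the prefix WARN_ONCE() already prints. Two smaller points on the same lines: the condition only inspects init_net, so the check is a one-shot at module load time and says nothing if ip(6)table_nat is loaded afterwards (the commit message already notes the load is triggered by libvirt, so the ordering is not guaranteed); and if `init_net.ipv4.nat_table` / `init_net.ipv6.ip6table_nat` are only declared under the corresponding NF_NAT config options, this will not build on configs without them, so either confirm the fields are unconditional or wrap the check in the matching #ifdef.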

