[Devel] [PATCH rh7 v4 0/1] net/netfilter: make nft NAT working in different netns in parallel
Konstantin Khorenko
khorenko at virtuozzo.com
Thu May 7 13:10:50 MSK 2020
Previous attempt failed because there are many places where
nft_do_chain() can be called (directly and indirectly via
do_chain()==nft_nat_do_chain()), so it's ugly to check the return code
of do_chain() hook functions which can't return it, and we can miss new
calls of nft_do_chain() during future rebases.

Thus I've decided to go another way:
we have problem cases in nf_nat_ipv{4,6}_fn() only for now,
so let's not call do_chain() in case it is nft_nat_do_chain()
if we process a chain with an inappropriate netns.

We cannot just check the "do_chain" argument in nf_nat_ipv{4,6}_fn() because
in that case we have to export the nft_nat_do_chain() functions and this
introduces a cycle in the symbols' dependencies.

So I had to add extra arguments to nf_nat_ipv{4,6}_fn() and the functions
which call them, to pass info on whether we need to check the netns for correctness.

The underlying idea of the patch is very simple: perform the check for
netns correctness only in case do_chain()==nft_nat_do_chain().
Konstantin Khorenko (1):
net/netfilter: make nft NAT working in different netns simultaneously
include/net/netfilter/nf_nat_l3proto.h | 8 ++++++++
net/ipv4/netfilter/iptable_nat.c | 9 +++++----
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 28 +++++++++++++++++++++++++---
net/ipv4/netfilter/nft_chain_nat_ipv4.c | 8 ++++----
net/ipv6/netfilter/ip6table_nat.c | 9 +++++----
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 28 +++++++++++++++++++++++++---
net/ipv6/netfilter/nft_chain_nat_ipv6.c | 8 ++++----
7 files changed, 76 insertions(+), 22 deletions(-)
--
2.15.1