[Devel] [PATCH rh7 v5 0/1] net/netfilter: make nft NAT working in different netns in parallel

Konstantin Khorenko khorenko at virtuozzo.com
Thu May 7 19:44:36 MSK 2020


We have problem cases in nf_nat_ipv{4,6}_fn() only for now,
so let's not call do_chain() in case it is nft_nat_do_chain()
if we process a chain with an inappropriate netns.

We cannot just check "do_chain" argument in nf_nat_ipv{4,6}_fn() because
in that case we have to export nft_nat_do_chain() functions and this
introduces a cycle in symbols' dependence.

So I had to add an extra argument (a callback to check netns validity) to
nf_nat_ipv{4,6}_fn() and to the functions which call them, to pass info on whether we
need to check the netns for correctness.

The callback performs the check for nft, and for iptables a dummy
callback is provided.

Konstantin Khorenko (1):
  net/netfilter: make nft NAT working in different netns simultaneously

 include/net/netfilter/nf_nat_l3proto.h   | 32 ++++++++++++++++++++++++--------
 include/net/netfilter/nf_tables.h        |  3 +++
 net/ipv4/netfilter/iptable_nat.c         | 19 +++++++++++++++----
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 27 ++++++++++++++++++++-------
 net/ipv4/netfilter/nft_chain_nat_ipv4.c  | 12 ++++++++----
 net/ipv6/netfilter/ip6table_nat.c        | 19 +++++++++++++++----
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 27 ++++++++++++++++++++-------
 net/ipv6/netfilter/nft_chain_nat_ipv6.c  | 12 ++++++++----
 net/netfilter/nf_tables_core.c           | 18 ++++++++++++++++++
 9 files changed, 131 insertions(+), 38 deletions(-)

-- 
2.15.1