[Devel] [PATCH rh7 v7 0/1] net/netfilter: make nft NAT working in different netns in parallel

Konstantin Khorenko khorenko at virtuozzo.com
Fri May 8 15:54:16 MSK 2020


We have problem cases in nf_nat_ipv{4,6}_fn() only for now,
so let's not call do_chain() in case it is nft_nat_do_chain()
if we process a chain with an inappropriate netns.

We cannot just check the "do_chain" argument in nf_nat_ipv{4,6}_fn() because
in that case we would have to export the nft_nat_do_chain() functions, and this
introduces a cycle in the symbols' dependencies.

So I had to add an extra argument (a callback to check netns validity) to
nf_nat_ipv{4,6}_fn() and to the functions which call them, to pass info on whether
we need to check the netns for correctness.

The callback performs the check for nft, and for iptables a dummy
callback is provided.

Note: there are 2 different static callbacks for ipv4 and ipv6 under the
same name is_valid_netns(), but the real checking code is placed under a
single define: is_valid_netns_check(). That way we do not introduce a
new dependence between the nft_chain_nat_ipv{4,6} modules, but still have
the code in one place.

Konstantin Khorenko (1):
  net/netfilter: make nft NAT working in different netns simultaneously

 include/net/netfilter/nf_nat.h           | 11 +++++++++++
 include/net/netfilter/nf_nat_l3proto.h   | 32 ++++++++++++++++++++++++--------
 net/ipv4/netfilter/iptable_nat.c         |  9 +++++----
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 26 +++++++++++++++++++-------
 net/ipv4/netfilter/nft_chain_nat_ipv4.c  | 23 +++++++++++++++++++----
 net/ipv6/netfilter/ip6table_nat.c        |  9 +++++----
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 26 +++++++++++++++++++-------
 net/ipv6/netfilter/nft_chain_nat_ipv6.c  | 23 +++++++++++++++++++----
 8 files changed, 121 insertions(+), 38 deletions(-)

-- 
2.15.1
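The shape of the change described in this cover letter, as an added illustration that is not the patch itself or any kernel code: a shared NAT core takes a netns-check callback as an extra argument and skips do_chain() when the callback rejects the netns; the check body lives in one macro so the two nft chain "modules" need no symbol dependency on each other, while the iptables path passes a dummy callback. The struct layouts, function names, verdict values and the comparison inside the check are all assumptions made for this example; the two nft callbacks are suffixed _ipv4/_ipv6 here only because they sit in one file rather than in two modules.

```c
/* Added example modelling the cover letter's design; not kernel code.
 * Every type, name and the netns comparison below is an assumption. */
#include <stdbool.h>
#include <stdio.h>

struct net { int id; };                                   /* stand-in for struct net */
struct sk_buff { struct net *net; int nat_applied; };     /* nat_applied records that do_chain ran */
struct nf_hook_state { struct net *net; };                /* netns the chain belongs to (assumed) */

#define NF_ACCEPT 1
#define NF_DROP   0

typedef unsigned int (*nf_nat_do_chain_fn)(struct sk_buff *skb,
                                           const struct nf_hook_state *state);
typedef bool (*nf_nat_netns_check_fn)(const struct sk_buff *skb,
                                      const struct nf_hook_state *state);

/* Shared core, modelled on nf_nat_ipv{4,6}_fn() with the extra callback
 * argument: when the callback rejects the netns, do_chain() is not called
 * and the packet passes untouched. */
static unsigned int nf_nat_fn(struct sk_buff *skb, const struct nf_hook_state *state,
                              nf_nat_do_chain_fn do_chain,
                              nf_nat_netns_check_fn is_valid_netns)
{
    if (!is_valid_netns(skb, state))
        return NF_ACCEPT;
    return do_chain(skb, state);
}

/* The real check is written once as a macro (cf. is_valid_netns_check() in
 * the cover letter) so each module gets its own static copy without one
 * module exporting a symbol to the other. The comparison is an assumption. */
#define is_valid_netns_check(skb, state) ((skb)->net == (state)->net)

/* --- stand-in for nft_chain_nat_ipv4 --- */
static unsigned int nft_nat_do_chain_ipv4(struct sk_buff *skb, const struct nf_hook_state *state)
{
    (void)state;
    skb->nat_applied = 1;            /* stands in for running the nft NAT chain */
    return NF_ACCEPT;
}
static bool is_valid_netns_ipv4(const struct sk_buff *skb, const struct nf_hook_state *state)
{
    return is_valid_netns_check(skb, state);
}
unsigned int nft_nat_ipv4_hook(struct sk_buff *skb, const struct nf_hook_state *state)
{
    return nf_nat_fn(skb, state, nft_nat_do_chain_ipv4, is_valid_netns_ipv4);
}

/* --- stand-in for nft_chain_nat_ipv6: same macro, separate static copy --- */
static bool is_valid_netns_ipv6(const struct sk_buff *skb, const struct nf_hook_state *state)
{
    return is_valid_netns_check(skb, state);
}
unsigned int nft_nat_ipv6_hook(struct sk_buff *skb, const struct nf_hook_state *state)
{
    return nf_nat_fn(skb, state, nft_nat_do_chain_ipv4, is_valid_netns_ipv6);
}

/* --- stand-in for iptable_nat: dummy callback, netns is never rejected --- */
static bool iptable_nat_dummy_netns(const struct sk_buff *skb, const struct nf_hook_state *state)
{
    (void)skb; (void)state;
    return true;
}
unsigned int iptable_nat_hook(struct sk_buff *skb, const struct nf_hook_state *state)
{
    return nf_nat_fn(skb, state, nft_nat_do_chain_ipv4, iptable_nat_dummy_netns);
}

/* Constructed scenario: packet in nets[skb_idx], chain registered in
 * nets[hook_idx] (indexes 0 or 1). Returns 1 if NAT was applied. */
int nat_applied_for(unsigned int (*hook)(struct sk_buff *, const struct nf_hook_state *),
                    int skb_idx, int hook_idx)
{
    struct net nets[2] = { { 0 }, { 1 } };
    struct sk_buff skb = { &nets[skb_idx & 1], 0 };
    struct nf_hook_state state = { &nets[hook_idx & 1] };
    hook(&skb, &state);
    return skb.nat_applied;
}

int main(void)
{
    printf("nft same netns: %d\n",  nat_applied_for(nft_nat_ipv4_hook, 0, 0));
    printf("nft other netns: %d\n", nat_applied_for(nft_nat_ipv4_hook, 0, 1));
    printf("iptables other netns: %d\n", nat_applied_for(iptable_nat_hook, 0, 1));
    return 0;
}
```

The point to take from it is the isolation property: with the check in place an nft chain registered in one netns no longer touches packets belonging to another netns, while the iptables path keeps its previous behaviour because its callback accepts everything.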