[Devel] [PATCH rh7 v8 0/2] net/netfilter: make nft NAT working in different netns in parallel

[Konstantin Khorenko]

We have problem cases in nf_nat_ipv{4,6}_fn() only for now,
so let's don't call do_chain() in case it is nft_nat_do_chain()
if we process a chain with inappropriate netns.

We cannot just check "do_chain" argument in nf_nat_ipv{4,6}_fn() because
in that case we have to export nft_nat_do_chain() functions and this
introduces a cycle in symbols' dependence.

So we introduce a new flag in struct nf_hook_ops and use it to detect
nft chains.

Note: there are 2 functions where we need to perform checks for netns
correctness in nft chains, so we've put checking code under define:
is_valid_netns. That's way we do not introduce a new dependence between
nft_chain_nat_ipv{4,6} modules, but still have the code in one place.

Konstantin Khorenko (2):
  net/netfilter: add a mark to distinguish nft ops
  net/netfilter: make nft NAT working in different netns simultaneously

 include/linux/netfilter.h                |  2 +-
 include/net/netfilter/nf_nat.h           | 20 ++++++++++++++++++++
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c |  5 +++++
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c |  5 +++++
 net/netfilter/nf_tables_api.c            |  1 +
 net/netfilter/x_tables.c                 |  2 ++
 6 files changed, 34 insertions(+), 1 deletion(-)

-- 
2.15.1