On 04/28/2020 07:22 AM, Vasily Averin wrote:
On 4/27/20 5:57 PM, Konstantin Khorenko wrote:
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -251,6 +252,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct 
sk_buff *skb,
        /* maniptype == SRC for postrouting. */
        enum nf_nat_manip_type maniptype = HOOK2MANIP(ops->hooknum);

+       const struct nft_chain *chain = ops->priv, *basechain = chain;

Why do you need to define "basechain" here?
Can you just use chain instead?

Vasya, you are completely right,
it's a leftover from debugging. :)


+       const struct net *chain_net =
+               read_pnet(&nft_base_chain(basechain)->pnet);
+       const struct net *net;
+
        /* We never see fragments: conntrack defrags on pre-routing
         * and local-out, and nf_nat_out protects post-routing.
         */
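Review bot: The new `chain_net` initializer calls `nft_base_chain(basechain)` unconditionally on entry and assumes `ops->priv` always points at an nf_tables base chain; if this tree, like upstream of that era, also dispatches iptable_nat's hook ops through nf_nat_ipv4_fn, `priv` is not set there and `read_pnet()` would dereference a bogus `container_of()` result on every iptables-NATed packet. The lookup should be guarded so both callers stay valid, e.g. `const struct net *chain_net = ops->priv ? read_pnet(&nft_base_chain(chain)->pnet) : NULL;` with the later check becoming `if (chain_net && !net_eq(net, chain_net))`. Computing it after the `if (!ct)` return would also avoid the work for packets that are dropped anyway. The same applies to the matching hunk in nf_nat_ipv6_fn. The body of nf_nat_ipv4_fn continues outside this hunk.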
@@ -265,6 +271,11 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops, struct 
sk_buff *skb,
        if (!ct)
                return NF_ACCEPT;

+       /* Ignore chains that are not for the current network namespace */
+       net = nf_ct_net(ct);
+       if (!net_eq(net, chain_net))
+               return NF_ACCEPT;
+
        /* Don't try to NAT if this packet is not conntracked */
        if (nf_ct_is_untracked(ct))
                return NF_ACCEPT;
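Review bot: The added `net` local is assigned once and read once, so `if (!net_eq(nf_ct_net(ct), chain_net))` reads more directly and lets the `const struct net *net;` declaration from the earlier hunk go; the same applies to the matching hunk in nf_nat_ipv6_fn. The added comment says what is skipped but not why a conntracked packet can reach a chain of a different namespace in this tree; a short reason there, e.g. `/* Ignore chains that are not for the current network namespace: <reason why the hook can see foreign-netns chains> */`, would help the next reader. nf_nat_ipv4_fn continues outside this hunk.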
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c 
b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index 540dc0fdaf102..545ba56fbd3c3 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -24,6 +24,7 @@
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_l3proto.h>
 #include <net/netfilter/nf_nat_l4proto.h>
+#include <net/netfilter/nf_tables.h>

 static const struct nf_nat_l3proto nf_nat_l3proto_ipv6;

@@ -264,6 +265,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct 
sk_buff *skb,
        int hdrlen;
        u8 nexthdr;

+       const struct nft_chain *chain = ops->priv, *basechain = chain;

And here too: it seems you can use chain instead of basechain, can't you?

+       const struct net *chain_net =
+               read_pnet(&nft_base_chain(basechain)->pnet);
+       const struct net *net;
+
        ct = nf_ct_get(skb, &ctinfo);
        /* Can't track?  It's not due to stress, or conntrack would
         * have dropped it.  Hence it's the user's responsibilty to
@@ -273,6 +279,11 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops, struct 
sk_buff *skb,
        if (!ct)
                return NF_ACCEPT;

+       /* Ignore chains that are not for the current network namespace */
+       net = nf_ct_net(ct);
+       if (!net_eq(net, chain_net))
+               return NF_ACCEPT;
+
        /* Don't try to NAT if this packet is not conntracked */
        if (nf_ct_is_untracked(ct))
                return NF_ACCEPT;

.
