On 2019-11-08 11:07 PM, Aaron Conole wrote:
> The act_ct TC module shares a common conntrack and NAT infrastructure
> exposed via netfilter. It's possible that a packet needs both SNAT and
> DNAT manipulation, due to e.g. tuple collision. Netfilter can support
> this because it runs through the NAT table twice - once on ingress and
> again after egress. The act_ct action doesn't have such capability.
>
> Like netfilter hook infrastructure, we should run through NAT twice to
> keep the symmetry.
>
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
>
> Signed-off-by: Aaron Conole <acon...@redhat.com>
> ---
> net/sched/act_ct.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> index fcc46025e790..f3232a00970f 100644
> --- a/net/sched/act_ct.c
> +++ b/net/sched/act_ct.c
> @@ -329,6 +329,7 @@ static int tcf_ct_act_nat(struct sk_buff *skb,
> bool commit)
> {
> #if IS_ENABLED(CONFIG_NF_NAT)
> + int err;
> enum nf_nat_manip_type maniptype;
>
> if (!(ct_action & TCA_CT_ACT_NAT))
> @@ -359,7 +360,17 @@ static int tcf_ct_act_nat(struct sk_buff *skb,
> return NF_ACCEPT;
> }
>
> - return ct_nat_execute(skb, ct, ctinfo, range, maniptype);
> + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
> + if (err == NF_ACCEPT &&
> + ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
> + if (maniptype == NF_NAT_MANIP_SRC)
> + maniptype = NF_NAT_MANIP_DST;
> + else
> + maniptype = NF_NAT_MANIP_SRC;
> +
> + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);
> + }
> + return err;
> #else
> return NF_ACCEPT;
> #endif
>
+paul
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
