
[nf-next,0/7] netfilter: remove one-nat-hook-only restriction

Message ID 20180514214659.1757-1-fw@strlen.de

Florian Westphal May 14, 2018, 9:46 p.m. UTC
Right now, only a single nat hook is permitted at each hook point.

The reason for this is that lookup of the nat transformation
(e.g. "nft add rule nat postrouting tcp dport 2222 dnat to 10.1.1.1:22")
that should be attached to a conntrack and the packet rewrite occurs from
the protocol specific nat backend on behalf of the lookup hook itself, i.e.
nft nat hook or ip(6)table_nat.
Furthermore, the protocol specific nat backend always creates a nat null
binding in case no NAT-rule exists and performs skb rewrite.

IOW, if we'd just allow multiple hooks then subsequent hooks have
no effect anymore due to the null binding, and nf_nat_packet is
(needlessly) called again.

After this change, the base NAT hooks get registered not from iptable_nat
or nftables nat hooks, but from the l3 nat core via the ipv4/ipv6 nat
backend.

The nat core deals with null bindings and reverse translation.
When no mapping exists, it calls the registered nat lookup hooks until
one creates a new mapping, i.e. the iptable/nftables nat hooks then only
deal with setting up a nat mapping, nothing else.

If both iptables and nftables nat hooks exist, the first matching one is
used (i.e., higher priority wins).

nft users do not need to create empty nat hooks anymore: nat core
always registers the base hooks that take care of reverse/reply
translation.

First patch is a small re-factoring patch to reduce copy&paste.

Second patch is a preparation patch to allow the xtables core to register a
table not backed by base hooks ops.

Third patch is the same, but for nf_tables -- it allows the nat hook types
to avoid registration of the base hook.

Fourth patch is also a preparation patch -- it reworks, then exports two
helpers to add/delete hook callbacks from hook array.

The fifth patch contains main functionality:
The nat core exports functions to register and unregister a nat lookup hook.

Nat lookup hooks are not called for every packet -- they are only called
when a new conntrack was created and it doesn't have a nat binding
attached to it.

The nat core calls the registered lookup functions until one creates a nat
mapping.
It will also set up a null binding and do the packet rewrite if needed.

The sixth patch makes iptables and nftables use these functions.

The last patch then removes the no-longer-needed restriction and allows
userspace to create as many nat hooks as desired.

Florian Westphal (7):
      netfilter: nf_nat: move common nat code to nat core
      netfilter: xtables: allow table definitions not backed by hook_ops
      netfilter: nf_tables: allow chain type to override hook register
      netfilter: core: export raw versions of add/delete hook functions
      netfilter: nf_nat: add nat hook register functions to nf_nat
      netfilter: nf_nat: add nat type hooks to nat core
      netfilter: lift one-nat-hook-only restriction

 include/linux/netfilter.h                |    1 
 include/net/netfilter/nf_nat.h           |    4 
 include/net/netfilter/nf_nat_core.h      |    4 
 include/net/netfilter/nf_nat_l3proto.h   |   52 ------
 include/net/netfilter/nf_tables.h        |    8 -
 net/ipv4/netfilter/ip_tables.c           |    5 
 net/ipv4/netfilter/iptable_nat.c         |   85 +++++------
 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c |  135 +++++++-----------
 net/ipv4/netfilter/nft_chain_nat_ipv4.c  |   52 +-----
 net/ipv6/netfilter/ip6_tables.c          |    5 
 net/ipv6/netfilter/ip6table_nat.c        |   84 +++++------
 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c |  129 +++++++----------
 net/ipv6/netfilter/nft_chain_nat_ipv6.c  |   48 +-----
 net/netfilter/core.c                     |   80 +++++++---
 net/netfilter/nf_internals.h             |    5 
 net/netfilter/nf_nat_core.c              |  232 +++++++++++++++++++++++++++++++
 net/netfilter/nf_tables_api.c            |   87 ++---------
 17 files changed, 551 insertions(+), 465 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
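The dispatch the cover letter describes (a base hook owned by the nat core that runs for every packet, lookup hooks consulted only for a new conntrack without a binding, the first match in priority order winning, and a null binding installed when none matches) modelled in user space as an added example. This is not code from the series or from the kernel; all names (nat_register_hook, nat_core_hook, the two sample rule functions, the conntrack and mapping structs) are hypothetical, and the addresses and ports are constructed, using the "dport 2222 dnat to 10.1.1.1:22" rule from the cover letter as one of the sample rules.

```c
/* Added example: user-space model of the nat core dispatch. Not kernel code;
 * every identifier here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAT_HOOKS 8

struct mapping { uint32_t ip; uint16_t port; };

/* Minimal stand-in for a conntrack entry of a new flow. */
struct ct {
    uint32_t dst_ip;
    uint16_t dst_port;
    bool has_nat_binding;   /* set once any binding (real or null) exists */
    bool null_binding;      /* true when no lookup hook created a mapping */
    struct mapping map;     /* translated destination */
};

/* A nat lookup hook: returns true if it attached a mapping to ct. */
typedef bool (*nat_lookup_fn)(struct ct *ct);

struct nat_hook {
    int priority;           /* netfilter convention: lower value runs first */
    nat_lookup_fn lookup;
    const char *name;
};

static struct nat_hook hooks[MAX_NAT_HOOKS];
static size_t nhooks;

/* Insert a lookup hook keeping the array sorted by ascending priority,
 * so registration order does not decide which hook is consulted first. */
int nat_register_hook(int prio, nat_lookup_fn fn, const char *name)
{
    if (nhooks == MAX_NAT_HOOKS)
        return -1;
    size_t i = nhooks;
    while (i > 0 && hooks[i - 1].priority > prio) {
        hooks[i] = hooks[i - 1];
        i--;
    }
    hooks[i] = (struct nat_hook){ prio, fn, name };
    nhooks++;
    return 0;
}

void nat_unregister_all(void) { nhooks = 0; }

/* The base hook the nat core itself would register. Returns the name of the
 * lookup hook that created the mapping, "none" for a fresh null binding, or
 * "existing" when the conntrack already carried a binding (reply/reverse
 * translation only). *lookups counts how many lookup hooks were consulted. */
const char *nat_core_hook(struct ct *ct, unsigned int *lookups)
{
    const char *winner = "none";

    if (ct->has_nat_binding)
        return "existing";          /* lookups are never re-run */

    for (size_t i = 0; i < nhooks; i++) {
        (*lookups)++;
        if (hooks[i].lookup(ct)) {  /* first hook to create a mapping wins */
            winner = hooks[i].name;
            break;
        }
    }

    if (!ct->has_nat_binding) {
        /* No rule matched: install a null binding (identity mapping) so
         * later packets of this flow skip the lookup hooks entirely. */
        ct->null_binding = true;
        ct->has_nat_binding = true;
        ct->map.ip = ct->dst_ip;
        ct->map.port = ct->dst_port;
    }
    return winner;
}

/* Sample rule from the cover letter: tcp dport 2222 dnat to 10.1.1.1:22 */
static bool nft_rule_dport_2222(struct ct *ct)
{
    if (ct->dst_port != 2222)
        return false;
    ct->map.ip = 0x0A010101u;       /* 10.1.1.1 */
    ct->map.port = 22;
    ct->has_nat_binding = true;
    return true;
}

/* Constructed competing rule with a different target, to show that only the
 * higher-priority (lower value) hook gets to create the mapping. */
static bool iptables_rule_dport_2222(struct ct *ct)
{
    if (ct->dst_port != 2222)
        return false;
    ct->map.ip = 0x0A010102u;       /* 10.1.1.2, constructed */
    ct->map.port = 22;
    ct->has_nat_binding = true;
    return true;
}

/* Build a fresh conntrack for a new flow to 192.168.0.1:dport (constructed). */
struct ct new_ct(uint16_t dport)
{
    struct ct ct;
    memset(&ct, 0, sizeof ct);
    ct.dst_ip = 0xC0A80001u;
    ct.dst_port = dport;
    return ct;
}

int main(void)
{
    unsigned int n = 0;
    nat_register_hook(100, iptables_rule_dport_2222, "iptables");
    nat_register_hook(-100, nft_rule_dport_2222, "nft");
    struct ct ssh = new_ct(2222), web = new_ct(80);
    printf("dport 2222 -> %s\n", nat_core_hook(&ssh, &n));
    printf("dport 80   -> %s (null binding)\n", nat_core_hook(&web, &n));
    printf("dport 2222 again -> %s\n", nat_core_hook(&ssh, &n));
    return 0;
}
```

Two points the model makes visible: a conntrack that already has a binding (real or null) never triggers the lookup hooks again, which is why an iptables hook and an nftables hook can coexist without the second one being skipped for every packet; and because the array is sorted by priority, the hook registered last can still be the one consulted first.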

Comments

Pablo Neira Ayuso May 23, 2018, 7:24 a.m. UTC | #1
On Mon, May 14, 2018 at 11:46:52PM +0200, Florian Westphal wrote:
[...]
> After this change, the base NAT hooks get registered not from iptable_nat
> or nftables nat hooks, but from the l3 nat core via the ipv4/ipv6 nat
> backend.

Series applied, thanks Florian.