Message ID | 1531788961-46115-4-git-send-email-yihung.wei@gmail.com |
---|---|
State | Accepted |
Series | Kernel backports from net-next | expand |
On 7/16/2018 5:56 PM, Yi-Hung Wei wrote: > This patch backports the following upstream commit from net-next, and > defines HAVE_NF_NAT_RANGE2 to determine whether to use > 'struct nf_nat_range2'. > > Upstream commit: > commit 2eb0f624b709e78ec8e2f4c3412947703db99301 > Author: Thierry Du Tre <thierry@dtsystems.be> > Date: Wed Apr 4 15:38:22 2018 +0200 > > netfilter: add NAT support for shifted portmap ranges > > This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp > incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100) > > Currently DNAT only works for single port or identical port ranges. (i.e. > ports 5000-5100 on WAN interface redirected to a LAN host while original > destination port is not altered) When different port ranges are configured, > either 'random' mode should be used, or else all incoming connections are > mapped onto the first port in the redirect range. (in described example > WAN:5000-5100 will all be mapped to 192.168.1.5:2000) > > This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET > which uses a base port value to calculate an offset with the destination port > present in the incoming stream. That offset is then applied as index within the > redirect port range (index modulo rangewidth to handle range overflow). > > In described example the base port would be 5000. An incoming stream with > destination port 5004 would result in an offset value 4 which means that the > NAT'ed stream will be using destination port 2004. > > Other possibilities include deterministic mapping of larger or multiple ranges > to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port > 51xx) > > This patch does not change any current behavior. It just adds new NAT proto > range functionality which must be selected via the specific flag when intended > to use. 
> > A patch for iptables (libipt_DNAT.c + libip6t_DNAT.c) will also be proposed > which makes this functionality immediately available. > > Signed-off-by: Thierry Du Tre <thierry@dtsystems.be> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > > Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com> LGTM but again, no chance to test. Reviewed-by: Greg Rose <gvrose8192@gmail.com> > --- > acinclude.m4 | 1 + > datapath/conntrack.c | 8 ++++++-- > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/acinclude.m4 b/acinclude.m4 > index ae8e66fc4967..c6d18611f596 100644 > --- a/acinclude.m4 > +++ b/acinclude.m4 > @@ -619,6 +619,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [ > [nf_conn_labels], [words]) > OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_ct_nat_ext_add]) > OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_alloc_null_binding]) > + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2]) > OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], [nf_ct_seq_adjust]) > > OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32]) > diff --git a/datapath/conntrack.c b/datapath/conntrack.c > index e53b8e32b3f5..42c7929055f0 100644 > --- a/datapath/conntrack.c > +++ b/datapath/conntrack.c > @@ -41,6 +41,10 @@ > #include "flow_netlink.h" > #include "gso.h" > > +#ifndef HAVE_NF_NAT_RANGE2 > +#define nf_nat_range2 nf_nat_range > +#endif > + > struct ovs_ct_len_tbl { > int maxlen; > int minlen; > @@ -79,7 +83,7 @@ struct ovs_conntrack_info { > struct md_mark mark; > struct md_labels labels; > #ifdef CONFIG_NF_NAT_NEEDED > - struct nf_nat_range range; /* Only present for SRC NAT and DST NAT. */ > + struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */ > #endif > }; 
> > @@ -744,7 +748,7 @@ static bool skb_nfct_cached(struct net *net, > */ > static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct, > enum ip_conntrack_info ctinfo, > - const struct nf_nat_range *range, > + const struct nf_nat_range2 *range, > enum nf_nat_manip_type maniptype) > { > int hooknum, nh_off, err = NF_ACCEPT;
diff --git a/acinclude.m4 b/acinclude.m4
index ae8e66fc4967..c6d18611f596 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -619,6 +619,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
 [nf_conn_labels], [words])
 OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_ct_nat_ext_add])
 OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_alloc_null_binding])
+ OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2])
 OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], [nf_ct_seq_adjust])
 
 OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32])
diff --git a/datapath/conntrack.c b/datapath/conntrack.c
index e53b8e32b3f5..42c7929055f0 100644
--- a/datapath/conntrack.c
+++ b/datapath/conntrack.c
@@ -41,6 +41,10 @@
 #include "flow_netlink.h"
 #include "gso.h"
 
+#ifndef HAVE_NF_NAT_RANGE2
+#define nf_nat_range2 nf_nat_range
+#endif
+
 struct ovs_ct_len_tbl {
 int maxlen;
 int minlen;
@@ -79,7 +83,7 @@ struct ovs_conntrack_info {
 struct md_mark mark;
 struct md_labels labels;
 #ifdef CONFIG_NF_NAT_NEEDED
- struct nf_nat_range range; /* Only present for SRC NAT and DST NAT. */
+ struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */
 #endif
 };
 
@@ -744,7 +748,7 @@ static bool skb_nfct_cached(struct net *net,
 */
 static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
 enum ip_conntrack_info ctinfo,
- const struct nf_nat_range *range,
+ const struct nf_nat_range2 *range,
 enum nf_nat_manip_type maniptype)
 {
 int hooknum, nh_off, err = NF_ACCEPT;
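Review bot: The `#define nf_nat_range2 nf_nat_range` shim in the first conntrack.c hunk carries no comment, and a macro that renames a struct tag is exactly the line a maintainer will trip over when a build on an older kernel reports a missing member; I would put above the `#ifndef` a comment such as `/* Kernels predating the upstream "shifted portmap ranges" change have no struct nf_nat_range2; alias it to the older struct nf_nat_range so this file builds either way. Under this alias only members common to both structs are available. */`. The alias is purely textual, so it would also rewrite the token inside any header included after this point in the file — presumably none, since the hunk sits after the last `#include` shown, but that is worth confirming. The HAVE_NF_NAT_RANGE2 symbol appears to come from the grep added in the acinclude.m4 hunk; naming that origin in the comment saves the next reader a search. The same shim is quoted in the reply above; this note covers both copies.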