Re: [PATCH net 2/2] act_ct: support asymmetric conntrack
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Date: 2019-11-14 16:29:55
Also in:
lkml
On Fri, Nov 08, 2019 at 04:07:14PM -0500, Aaron Conole wrote:
quoted hunk ↗ jump to hunk
The act_ct TC module shares a common conntrack and NAT infrastructure exposed via netfilter. It's possible that a packet needs both SNAT and DNAT manipulation, due to e.g. tuple collision. Netfilter can support this because it runs through the NAT table twice - once on ingress and again after egress. The act_ct action doesn't have such capability. Like netfilter hook infrastructure, we should run through NAT twice to keep the symmetry. Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") Signed-off-by: Aaron Conole <aconole@redhat.com> --- net/sched/act_ct.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index fcc46025e790..f3232a00970f 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c@@ -329,6 +329,7 @@ static int tcf_ct_act_nat(struct sk_buff *skb, bool commit) { #if IS_ENABLED(CONFIG_NF_NAT) + int err; enum nf_nat_manip_type maniptype; if (!(ct_action & TCA_CT_ACT_NAT))@@ -359,7 +360,17 @@ static int tcf_ct_act_nat(struct sk_buff *skb, return NF_ACCEPT; } - return ct_nat_execute(skb, ct, ctinfo, range, maniptype); + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); + if (err == NF_ACCEPT && + ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); + }
I keep thinking about this and I'm not entirely convinced that this shouldn't be simpler. More like: if (DNAT) DNAT if (SNAT) SNAT So it always does DNAT before SNAT, similarly to what iptables would do on PRE/POSTROUTING chains.
+ return err; #else return NF_ACCEPT; #endif -- 2.21.0