Message ID | 20191203213414.24109-2-aconole@redhat.com |
---|---|
State | Accepted |
Delegated to: | David Miller |
Series | [1/2] openvswitch: support asymmetric conntrack |
From: Aaron Conole <aconole@redhat.com>
Date: Tue, 3 Dec 2019 16:34:14 -0500

> The act_ct TC module shares a common conntrack and NAT infrastructure
> exposed via netfilter. It's possible that a packet needs both SNAT and
> DNAT manipulation, due to e.g. tuple collision. Netfilter can support
> this because it runs through the NAT table twice - once on ingress and
> again after egress. The act_ct action doesn't have such capability.
>
> Like netfilter hook infrastructure, we should run through NAT twice to
> keep the symmetry.
>
> Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
> NOTE: this is a repost to see if the email client issues go away.

Applied and queued up for -stable.

Next time, please:

1) Provide an introductory posting ala "[PATCH net 0/N] ..." describing
   what the patch series does on a high level, how it is doing it, and
   why it is doing it that way. This allows people to understand what
   they are about to read, and it gives me a single mail to respond to
   when I apply your entire series.

2) Always clearly indicate the target GIT tree in your Subject line, in
   these cases it should have been "[PATCH net N/M]"

Thank you.
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index ae0de372b1c8..bf2d69335d4b 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -329,6 +329,7 @@ static int tcf_ct_act_nat(struct sk_buff *skb, bool commit) { #if IS_ENABLED(CONFIG_NF_NAT) + int err; enum nf_nat_manip_type maniptype; if (!(ct_action & TCA_CT_ACT_NAT)) @@ -359,7 +360,17 @@ static int tcf_ct_act_nat(struct sk_buff *skb, return NF_ACCEPT; } - return ct_nat_execute(skb, ct, ctinfo, range, maniptype); + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); + if (err == NF_ACCEPT && + ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); + } + return err; #else return NF_ACCEPT; #endif
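Review bot: in the first hunk (`@@ -329,6 +329,7 @@`) the new `int err;` is placed above `enum nf_nat_manip_type maniptype;`, which breaks the reverse christmas tree ordering (longest declaration first) expected in net/ code; move `int err;` below the `maniptype` declaration.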
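Review bot: in the second hunk (`@@ -359,7 +360,17 @@`) the retry `err = ct_nat_execute(skb, ct, ctinfo, range, maniptype);` reuses the `range` that was chosen for the original manipulation type, and nothing at the call site says why that is correct for the opposite direction; since the retry is only taken when both `IPS_SRC_NAT` and `IPS_DST_NAT` are already set, presumably the second pass only applies an existing binding rather than setting one up from `range`, and a comment stating that, and that this mirrors netfilter running NAT on both ingress and egress as the commit message explains, would make the intent clear to the next reader. The guard `ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT` would also read more easily with parentheses around each bitwise test.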