Re: Modifications to netmap target

[Pablo Neira <pablo@eurodev.net>]

Gary W. Smith wrote:
> After talking to Jason over on the netfilter users list about netmap target I found that it doesn't support the output chain of nat. 
>  
> I was looking through the code and found that it only registers itself with the pre and post route chains.  I was wondering if adding support for the output chain was as simple as adding the hook for the local_out and then ensuring that the correct modifications are made.  The following looks logically correct from looking into some of the source code for other modules.  Would more be required to make the ouput nat work with netmap?
>  
> Example.
>         if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING))) {
>                 DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
>                 return 0;
>         }
> to:
>         if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_LOCAL_OUT) )) {
>                 DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
>                 return 0;
>         }
>  
> and 
>    if (hooknum == NF_IP_PRE_ROUTING)
>                 new_ip = (*pskb)->nh.iph->daddr & ~netmask;
>         else
> to:
>    if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
>                 new_ip = (*pskb)->nh.iph->daddr & ~netmask;
>         else
>  
> I put the above changes in and compiled and I was able load the table but I'm not sure what the other imacts might be.  Comments would be greatly appreciated.
>  
> /sbin/iptables -t nat -A PREROUTING -d 10.0.0.56/29  -j NETMAP --to 10.0.0.80/29
> /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.80/29 -j NETMAP --to 10.0.0.56/29
> /sbin/iptables -t nat -A OUTPUT -d 10.0.0.56/29  -j NETMAP --to 10.0.0.80/29

There's something that I don't understand yet, why you want to use 
NETMAP in the OUTPUT chain ?

--
Pablo