[PATCH] IPv4 NAT ported to nf_conntrack

[PATCH] IPv4 NAT ported to nf_conntrack

[Jozsef Kadlecsik]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 819 bytes --]

Hi,

Attached is a patch which implements IPv4 NAT over nf_conntrack by
straightforward porting of the original NAT code.

As you will notice, in order to avoid circular dependency a boolean choice 
between NF_CONNTRACK and IP_CONNTRACK is added to net/netfilter/Kconfig. 
Ugly it is, but unfortunately the kconfig language is not rich enough and 
an additional option is required to choose between modular/non-modular.

As we won't support IPv6 NAT, I did not bother to introduce nf_nat_ipv4_*
names.

Best regards,
Jozsef

[Resent compressend to get over mailing list post size limit.]
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

[-- Attachment #2: nat.patch.bz2 --]
[-- Type: APPLICATION/octet-stream, Size: 21721 bytes --]

Re: [PATCH] IPv4 NAT ported to nf_conntrack

[Patrick McHardy]

Jozsef Kadlecsik wrote:
> Attached is a patch which implements IPv4 NAT over nf_conntrack by
> straightforward porting of the original NAT code.

Very nice, I was working on that too, but still in the early stages.
I'll give it some closer review during the week.

Re: [PATCH] IPv4 NAT ported to nf_conntrack

[Yasuyuki KOZAKAI]

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Mon, 30 Oct 2006 13:25:37 +0100 (CET)

> Hi,
> 
> Attached is a patch which implements IPv4 NAT over nf_conntrack by
> straightforward porting of the original NAT code.

Wow great. I'll review that this weekend.

> As you will notice, in order to avoid circular dependency a boolean choice 
> between NF_CONNTRACK and IP_CONNTRACK is added to net/netfilter/Kconfig. 
> Ugly it is, but unfortunately the kconfig language is not rich enough and 
> an additional option is required to choose between modular/non-modular.

I've not read the patch yet, but I don't feel so ugly. A config to choose
NF_CONNTRACK or IP_CONNTRACK represents current our intension
straightforward.

BTW, Harald has works/ideas on this area IIRC. But I cannot find such codes
in his git tree.

-- Yasuyuki Kozakai

Re: [PATCH] IPv4 NAT ported to nf_conntrack

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 530 bytes --]

Jozsef Kadlecsik wrote:
> As you will notice, in order to avoid circular dependency a boolean choice 
> between NF_CONNTRACK and IP_CONNTRACK is added to net/netfilter/Kconfig. 
> Ugly it is, but unfortunately the kconfig language is not rich enough and 
> an additional option is required to choose between modular/non-modular.

How about this instead? We have a tristate for connection tracking
support, if it is enabled you get to choose which one you want ..
Its a bit nicer than having to select the same option twice IMO.



[-- Attachment #2: x --]
[-- Type: text/plain, Size: 2564 bytes --]

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index a96cdb7..1f2f6ef 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -25,8 +25,23 @@ config NETFILTER_NETLINK_LOG
 	  and is also scheduled to replace the old syslog-based ipt_LOG
 	  and ip6t_LOG modules.
 
+config NF_CONNTRACK_ENABLED
+	tristate "Netfilter connection tracking support"
+	help
+	  Connection tracking keeps a record of what packets have passed
+	  through your machine, in order to figure out how they are related
+	  into connections.
+
+	  This is required to do Masquerading or other kinds of Network
+	  Address Translation (except for Fast NAT).  It can also be used to
+	  enhance packet filtering (see `Connection state match support'
+	  below).
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 choice
 	prompt "Netfilter connection tracking support"
+	depends on NF_CONNTRACK_ENABLED
 
 config NF_CONNTRACK_SUPPORT
 	bool "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
@@ -53,34 +68,14 @@ config IP_NF_CONNTRACK_SUPPORT
 endchoice
 
 config NF_CONNTRACK
-	tristate "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
-	depends on EXPERIMENTAL && NF_CONNTRACK_SUPPORT
-	default m
-	---help---
-	  Connection tracking keeps a record of what packets have passed
-	  through your machine, in order to figure out how they are related
-	  into connections.
-
-	  Layer 3 independent connection tracking is experimental scheme
-	  which generalize ip_conntrack to support other layer 3 protocols.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
+	tristate
+	default m if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
+	default y if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
 
 config IP_NF_CONNTRACK
-	tristate "Layer-3 Dependent old connection tracking (IPv4-only, required for masq/NAT)"
-	depends on IP_NF_CONNTRACK_SELECTED
-	default m
-	---help---
-	  Connection tracking keeps a record of what packets have passed
-	  through your machine, in order to figure out how they are related
-	  into connections.
-
-	  This is required to do Masquerading or other kinds of Network
-	  Address Translation (except for Fast NAT).  It can also be used to
-	  enhance packet filtering (see `Connection state match support'
-	  below).
-
-	  To compile it as a module, choose M here.  If unsure, say N.
+	tristate
+	default m if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
+	default y if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y
 
 config NF_CT_ACCT
 	bool "Connection tracking flow accounting"

Re: [PATCH] IPv4 NAT ported to nf_conntrack

[Jozsef Kadlecsik]

On Sun, 5 Nov 2006, Patrick McHardy wrote:

> Jozsef Kadlecsik wrote:
> > As you will notice, in order to avoid circular dependency a boolean choice 
> > between NF_CONNTRACK and IP_CONNTRACK is added to net/netfilter/Kconfig. 
> > Ugly it is, but unfortunately the kconfig language is not rich enough and 
> > an additional option is required to choose between modular/non-modular.
> 
> How about this instead? We have a tristate for connection tracking
> support, if it is enabled you get to choose which one you want ..
> Its a bit nicer than having to select the same option twice IMO.

Yes, that's it! Much nicer!

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary