From: Pablo Neira Ayuso
To: Marcelo Ricardo Leitner
Cc: Xin Long, dev@openvswitch.org, ovs-dev@openvswitch.org, Davide Caratti, Jiri Pirko, network dev, Paul Blakey, Florian Westphal, Jamal Hadi Salim, Ilya Maximets, Eric Dumazet, Cong Wang, kuba@kernel.org, Paolo Abeni, davem@davemloft.net
Subject: Re: [ovs-dev] [PATCHv2 net-next 5/5] net: move the nat function to nf_nat_ovs for ovs and tc
Date: Thu, 24 Nov 2022 11:00:45 +0100
References: <20221123151335.ssrnv7jfrdugmcgg@t14s.localdomain>
X-Mailing-List: netdev@vger.kernel.org

On Wed, Nov 23, 2022 at 06:21:15PM -0300, Marcelo Ricardo Leitner wrote:
> On Wed, Nov 23, 2022 at 02:55:05PM -0500, Xin Long wrote:
> > On Wed, Nov 23, 2022 at 2:17 PM Marcelo Ricardo Leitner
> > wrote:
[...]
> > > > "table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+new
> > > > actions=ct(nat(dst=7.7.16.3)),ct(commit, nat(src=7.7.16.1),
> > > > alg=ftp),veth2"
> > > >
> > > > as long as it allows the 1st one doesn't commit, which is a simple
> > > > check in parse_nat().
> > > > I tested it, TC already supports it. I'm not sure about drivers, but I
> > >
> > > There's an outstanding issue with act_ct that it may reuse an old
> > > CT cache. Fixing it could (I'm not sure) impact this use case:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2099220
> > > same issue in ovs was fixed in
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2061ecfdf2350994e5b61c43e50e98a7a70e95ee
> > >
> > > (please don't ask me who would NAT and then overwrite IP addresses and
> > > then NAT it again :D)
> > I thought only traditional NAT would change IP, I'm too naive.
> >
> > nftables names this as "stateless NAT."
> > With two CTs in the same zone for full nat is more close to the
> > netfilter's NAT processing (the same CT goes from prerouting to
> > postrouting).
> > Now I'm wondering how nftables handles the stateful NAT and stateless
> > NAT at the same time.
>
> Me too.

There is a 'notrack' action to skip connection tracking for the flows
where the user needs stateless NAT.
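To illustrate the 'notrack' point, here is an added nftables ruleset (not from this thread or the patch series) that runs stateful NAT for the port from the quoted OVS rule next to stateless NAT for a second flow; the interface names, port 8080 and the 7.7.16.2 service address are assumptions.

```nft
# Added example, not from the thread. Addresses 7.7.16.3 / 7.7.16.1 and
# port 2121 come from the quoted OVS rule; veth1/veth2 as interfaces,
# port 8080 and the service address 7.7.16.2 are assumed for illustration.
table ip example {
    # 1) Stateful NAT: conntrack records the mapping and reverses it for
    #    reply packets on its own.
    chain dnat {
        type nat hook prerouting priority dstnat; policy accept;
        iif "veth1" tcp dport 2121 dnat to 7.7.16.3
    }
    chain snat {
        type nat hook postrouting priority srcnat; policy accept;
        oif "veth2" ip daddr 7.7.16.3 snat to 7.7.16.1
    }

    # 2) Stateless NAT for another flow: 'notrack' in the raw hook keeps
    #    these packets out of conntrack, so no CT entry is created, the
    #    nat-type chains above never see them, and both directions of the
    #    rewrite have to be spelled out by hand.
    chain raw {
        type filter hook prerouting priority raw; policy accept;
        iif "veth1" ip daddr 7.7.16.2 tcp dport 8080 notrack
        iif "veth2" ip saddr 7.7.16.3 tcp sport 8080 notrack
    }
    chain stateless_in {
        type filter hook prerouting priority mangle; policy accept;
        # request: service address -> real backend (assumed addresses)
        iif "veth1" ip daddr 7.7.16.2 tcp dport 8080 ip daddr set 7.7.16.3
    }
    chain stateless_out {
        type filter hook prerouting priority mangle; policy accept;
        # reply: backend -> service address, the mirror of the rule above
        iif "veth2" ip saddr 7.7.16.3 tcp sport 8080 ip saddr set 7.7.16.2
    }
}
```

Packets hit by notrack carry the untracked ct state for the rest of the path, which is how the stateless flow coexists with the stateful rules without ever committing a conntrack entry.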