From: Pablo Neira Ayuso <pablo@netfilter.org>
To: kaber@trash.net
Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>,
	netfilter-devel@vger.kernel.org
Subject: Re: [linux PATCH v3 0/5] NAT updates for nf_tables
Date: Fri, 25 Jul 2014 18:48:06 +0200	[thread overview]
Message-ID: <20140725164806.GA22375@salvia> (raw)
In-Reply-To: <20140701162801.2847.14389.stgit@nfdev.cica.es>

Hi Patrick,

Would you be OK if we push this patchset into mainstream? I think we
can investigate the fetch interface address and store in register
approach that you proposed to implement masquerading later on. The
missing bits are the conntrack cleanup routine, I think that needs
some "scratchpad" area to store the last address/interface that has
been used. We can probably revisit this later once that generic state
infrastructure for nf_tables (to support stateful expressions in some
generic way) is in place?

If you don't like the idea, please let me know, and I'll defer this
masquerading patchset.

Thanks!

On Tue, Jul 01, 2014 at 06:29:13PM +0200, Arturo Borrero Gonzalez wrote:
> The following series implements some updates for NAT in nf_tables.
> 
> First of all, I add a new flag attribute to allow clients of nft_nat to
> specify additional config flags. This enables implementing port randomization
> and persistence to be set from nft.
> 
> Two patches split the masquerade code from ip[6]t_MASQUERADE.c to generic
> modules, so we can use this NAT type from nft_nat.
> 
> Then, the nft_nat code is split in AF specific parts, so we avoid potential
> dependencies regarding AF specific symbols in the last patch.
> 
> The last patch finally implements masquerade for nft_nat.
> 
> The v2 series included some fixes and additional checks, as requested
> by Florian Westphal.
> 
> This v3 series includes changes requested by Pablo Neira.
> 
> Comments are welcome.
> 
> ---
> 
> Arturo Borrero Gonzalez (5):
>       netfilter: nft_nat: include a flag attribute
>       netfilter: nf_nat_masquerade_ipv4: code factorization
>       netfilter: nf_nat_masquerade_ipv6: code factorization
>       netfilter: nft_nat: split code in AF parts
>       netfilter: nft_nat: add masquerade support
> 
> 
>  .../net/netfilter/ipv4/nf_nat_masquerade_ipv4.h    |   14 ++
>  .../net/netfilter/ipv6/nf_nat_masquerade_ipv6.h    |   10 +
>  include/net/netfilter/nft_nat.h                    |   22 +++
>  include/uapi/linux/netfilter/nf_nat.h              |    5 +
>  include/uapi/linux/netfilter/nf_tables.h           |   10 +
>  net/ipv4/netfilter/Kconfig                         |   14 ++
>  net/ipv4/netfilter/Makefile                        |    2 
>  net/ipv4/netfilter/ipt_MASQUERADE.c                |  108 +-------------
>  net/ipv4/netfilter/nf_nat_masquerade_ipv4.c        |  155 ++++++++++++++++++++
>  net/ipv4/netfilter/nft_nat_ipv4.c                  |  133 +++++++++++++++++
>  net/ipv6/netfilter/Kconfig                         |   14 ++
>  net/ipv6/netfilter/Makefile                        |    2 
>  net/ipv6/netfilter/ip6t_MASQUERADE.c               |   76 +---------
>  net/ipv6/netfilter/nf_nat_masquerade_ipv6.c        |  121 ++++++++++++++++
>  net/ipv6/netfilter/nft_nat_ipv6.c                  |  132 +++++++++++++++++
>  net/netfilter/nft_nat.c                            |  156 ++++++--------------
>  16 files changed, 688 insertions(+), 286 deletions(-)
>  create mode 100644 include/net/netfilter/ipv4/nf_nat_masquerade_ipv4.h
>  create mode 100644 include/net/netfilter/ipv6/nf_nat_masquerade_ipv6.h
>  create mode 100644 include/net/netfilter/nft_nat.h
>  create mode 100644 net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
>  create mode 100644 net/ipv4/netfilter/nft_nat_ipv4.c
>  create mode 100644 net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
>  create mode 100644 net/ipv6/netfilter/nft_nat_ipv6.c
> 
> -- 
> Arturo Borrero Gonzalez

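Added example, not part of the patch series or of either message above: an nft ruleset showing what the cover letter's "masquerade for nft_nat" and the NAT flag attribute (port randomization, persistence) look like from the nft side. The syntax is that of current nft, not the 2014 tooling the thread targets; interface names and the 203.0.113.0/24 address are placeholders.

```nft
# Added example (not the series' own code). Interface names and the
# 203.0.113.5 address are assumed placeholders.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;

		# masquerade: the source address is taken from the outgoing
		# interface at NAT time, so it follows address changes on eth0.
		# This is why an interface going away needs conntrack cleanup,
		# the "missing bit" discussed in the thread.
		#
		# random:     pick the source port unpredictably instead of
		#             trying to keep the original one (harder to guess
		#             NAT mappings from outside)
		# persistent: map the same internal client to the same external
		#             address across connections
		oifname "eth0" masquerade random,persistent

		# Fixed-address SNAT with the same flags, for comparison:
		# no interface lookup, no cleanup on interface removal.
		oifname "eth1" snat to 203.0.113.5 random,persistent
	}
}

# The series splits nft_nat into IPv4 and IPv6 parts; the IPv6 side is
# configured the same way in a separate family.
table ip6 nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname "eth0" masquerade random
	}
}
```

Load with `nft -f <file>` and inspect the resulting mappings with `conntrack -L` to confirm that source ports are being randomized and that a given client keeps one external address.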
Thread overview:
2014-07-01 16:29 [linux PATCH v3 0/5] NAT updates for nf_tables Arturo Borrero Gonzalez
2014-07-01 16:30 ` [linux PATCH v3 1/5] netfilter: nft_nat: include a flag attribute Arturo Borrero Gonzalez
2014-07-01 16:30 ` [linux PATCH v3 2/5] netfilter: nf_nat_masquerade_ipv4: code factorization Arturo Borrero Gonzalez
2014-07-03 12:23   ` Patrick McHardy
2014-07-04 10:41     ` Pablo Neira Ayuso
2014-07-01 16:31 ` [linux PATCH v3 3/5] netfilter: nf_nat_masquerade_ipv6: " Arturo Borrero Gonzalez
2014-07-01 16:32 ` [linux PATCH v3 4/5] netfilter: nft_nat: split code in AF parts Arturo Borrero Gonzalez
2014-07-01 16:33 ` [linux PATCH v3 5/5] netfilter: nft_nat: add masquerade support Arturo Borrero Gonzalez
2014-07-25 16:48 ` Pablo Neira Ayuso [this message]
2014-07-25 16:54   ` [linux PATCH v3 0/5] NAT updates for nf_tables Patrick McHardy
