From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Patrick McHardy <kaber@trash.net>
Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>,
Linke <linkerpro@mail.ru>,
Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>
Subject: Re: BUG: Kernel panic at masquerade
Date: Wed, 14 Jan 2015 20:18:47 +0100 [thread overview]
Message-ID: <20150114191847.GA22670@salvia> (raw)
In-Reply-To: <20150114184910.GK5710@acer.localdomain>
On Wed, Jan 14, 2015 at 06:49:10PM +0000, Patrick McHardy wrote:
> On 14.01, Pablo Neira Ayuso wrote:
> > I think that if we control the NAT hook registration from a module,
> > then NAT chains will have to become built-in again, since we need to
> > tie the NAT chain and its rules from the hook to perform the NAT
> > handling.
>
> No, I think the NAT runtime should be standalone and the NAT tables
> should simply be there to set up mappings. Its quite easy, they
> only receive packets in state NEW and we remove the chain invocation
> from the NAT core.
OK, so the NAT standalone module performs the NAT for state
ESTABLISHED packets. The mapping will be still controlled by the
chain. This will also work for dynamic NAT set via ctnetlink, so users
will not need to even have NAT chains to run this.
I think we'll need two hooks though. And we would still have the
incompatibility that we have with iptable_nat and nf_tables, only the
first one in place will be considered. We'll also have to
inconditionally register the input and output NAT hooks.
next prev parent reply other threads:[~2015-01-14 19:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-09 21:32 BUG: Kernel panic at masquerade Linke
2015-01-09 22:02 ` Arturo Borrero Gonzalez
2015-01-13 19:41 ` Patrick McHardy
2015-01-14 17:27 ` Pablo Neira Ayuso
2015-01-14 17:34 ` Patrick McHardy
2015-01-14 18:40 ` Pablo Neira Ayuso
2015-01-14 18:49 ` Patrick McHardy
2015-01-14 19:18 ` Pablo Neira Ayuso [this message]
2015-01-14 19:37 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150114191847.GA22670@salvia \
--to=pablo@netfilter.org \
--cc=arturo.borrero.glez@gmail.com \
--cc=kaber@trash.net \
--cc=linkerpro@mail.ru \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).