From: Patrick McHardy <kaber@trash.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>,
Linke <linkerpro@mail.ru>,
Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>
Subject: Re: BUG: Kernel panic at masquerade
Date: Wed, 14 Jan 2015 19:37:51 +0000 [thread overview]
Message-ID: <20150114193745.GL5710@acer.localdomain> (raw)
In-Reply-To: <20150114191847.GA22670@salvia>
On 14.01, Pablo Neira Ayuso wrote:
> On Wed, Jan 14, 2015 at 06:49:10PM +0000, Patrick McHardy wrote:
> > On 14.01, Pablo Neira Ayuso wrote:
> > > I think that if we control the NAT hook registration from a module,
> > > then NAT chains will have to become built-in again, since we need to
> > > tie the NAT chain and its rules from the hook to perform the NAT
> > > handling.
> >
> > No, I think the NAT runtime should be standalone and the NAT tables
> > should simply be there to set up mappings. Its quite easy, they
> > only receive packets in state NEW and we remove the chain invocation
> > from the NAT core.
>
> OK, so the NAT standalone module performs the NAT for state
> ESTABLISHED packets. The mapping will be still controlled by the
> chain. This will also work for dynamic NAT set via ctnetlink, so users
> will not need to even have NAT chains to run this.
Exactly.
> I think we'll need two hooks though. And we would still have the
> incompatibility that we have with iptable_nat and nf_tables, only the
> first one in place will be considered. We'll also have to
> inconditionally register the input and output NAT hooks.
Yes, it requires an extra hook. Its not really a difference to the
current situation though, for any working setup where you have both
NAT and the ability to set up NAT mappings, you have to callbacks,
even though once of them is within NAT and not the hooks.
Regarding the input/output hooks, as a small optimization we could
only register those pairs of hooks that are actually needed, meaning
once iptable_nat is loaded we register all of them, same for ctnetlink,
for nftables we only register the pairs we have chains for. Once
registered they have to stay registered though, unless we want to
tracking the active mappings, which we most likely don't.
Regarding having both iptable_nat and nftables, I'd propose to not
only check for state NEW but also configured mappings. That way
both can set up mappings, but only if a mapping is not set up
already. That seems to be the best we can do and doesn't seem to
unreasonable.
prev parent reply other threads:[~2015-01-14 19:38 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-09 21:32 BUG: Kernel panic at masquerade Linke
2015-01-09 22:02 ` Arturo Borrero Gonzalez
2015-01-13 19:41 ` Patrick McHardy
2015-01-14 17:27 ` Pablo Neira Ayuso
2015-01-14 17:34 ` Patrick McHardy
2015-01-14 18:40 ` Pablo Neira Ayuso
2015-01-14 18:49 ` Patrick McHardy
2015-01-14 19:18 ` Pablo Neira Ayuso
2015-01-14 19:37 ` Patrick McHardy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150114193745.GL5710@acer.localdomain \
--to=kaber@trash.net \
--cc=arturo.borrero.glez@gmail.com \
--cc=linkerpro@mail.ru \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).