From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Thomas Graf <tgraf@suug.ch>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
netfilter-devel@vger.kernel.org,
Madhu Challa <challa@noironetworks.com>
Subject: Re: [PATCH nf-next] netfilter: conntrack: add support for flextuples
Date: Wed, 6 May 2015 16:27:41 +0200 [thread overview]
Message-ID: <20150506142741.GA3547@salvia> (raw)
In-Reply-To: <20150504134733.GB1405@pox.localdomain>
On Mon, May 04, 2015 at 03:47:33PM +0200, Thomas Graf wrote:
[...]
> Given that the multiple source zones which talk to a common
> destination zone may have conflicting IPs, the SNAT must either
> occur in the source zone where the source address is still unique
> or the CT tuple must be made unique with a source zone identifier
> so that the SNAT can occur in the destination zone.
>
> Doing the SNAT in the source zone requires to use a unique IP pool
> to map to for each source zone as otherwise IP sources may clash again
> in the destination zone. We obviously can't do --SNAT -to 10.1.1.1 in
> two namespaces and then just route into a third namespace. This
> approach is not scalable in a container environment with 100s or even
> 1000s of containers each in its own network namespace.
>
> What we want to do instead is to do the SNAT in the destination zone
> where we can have a single SNAT rule which overs all source zones.
> This allows inter namespace communication in a /31 with minimal waste
> of addresses.
Thanks for explaining. So you need to allocate an unique tuple using
the mark to avoid the clashes for the first packet that goes original
using the same pool. Then, the NAT engine will allocate an unique
tuple in the reply direction.
But what is the use case for -j CT --flextuple reply ? By when you see
the reply packet the tuple was already created.
Another question is if it makes sense to have part of the flows using
your flextuple idea while some others not, ie.
-s x.y.z.w/24 -j CT --flextuple original
so shouldn't this be a global switch that includes the skb->mark
only for packets coming in the original direction?
I also wonder how you're going to deal with port redirections. This
only seem to be working SNAT/masquerade to me if the NAT happens from
VRF side.
next prev parent reply other threads:[~2015-05-06 14:23 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-04 10:23 [PATCH nf-next] netfilter: conntrack: add support for flextuples Daniel Borkmann
2015-05-04 10:34 ` Pablo Neira Ayuso
2015-05-04 11:59 ` Daniel Borkmann
2015-05-04 13:08 ` Pablo Neira Ayuso
2015-05-04 13:47 ` Thomas Graf
2015-05-06 14:27 ` Pablo Neira Ayuso [this message]
2015-05-06 18:00 ` Daniel Borkmann
2015-05-06 18:50 ` Pablo Neira Ayuso
2015-05-07 12:01 ` Daniel Borkmann
2015-05-07 18:10 ` Pablo Neira Ayuso
2015-05-08 9:45 ` Daniel Borkmann
2015-05-04 13:51 ` Daniel Borkmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150506142741.GA3547@salvia \
--to=pablo@netfilter.org \
--cc=challa@noironetworks.com \
--cc=daniel@iogearbox.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).