netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
Cc: The netfilter developer mailinglist <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH lnfct 2/2] conntrack: revert getobjopt_is_nat condition
Date: Tue, 28 Feb 2017 12:48:09 +0100
Message-ID: <20170228114809.GA19880@salvia>
In-Reply-To: <20170228114453.GA22524@gmail.com>

On Tue, Feb 28, 2017 at 08:44:53PM +0900, Ken-ichirou MATSUZAWA wrote:
>  Hi, Pablo
> 
> On Tue, Feb 28, 2017 at 11:47:25AM +0100, Pablo Neira Ayuso wrote:
> > > diff --git a/src/conntrack/objopt.c b/src/conntrack/objopt.c
> > > index fb43d6c..1581480 100644
> > > --- a/src/conntrack/objopt.c
> > > +++ b/src/conntrack/objopt.c
> > > @@ -144,10 +144,8 @@ int __setobjopt(struct nf_conntrack *ct, unsigned int option)
> > >  
> > >  static int getobjopt_is_snat(const struct nf_conntrack *ct)
> > >  {
> > > -	if (!(test_bit(ATTR_STATUS, ct->head.set)))
> > > -		return 0;
> > > -
> > > -	if (!(ct->status & IPS_SRC_NAT_DONE))
> > > +	if (test_bit(ATTR_STATUS, ct->head.set) &&
> > > +	    !(ct->status & IPS_SRC_NAT_DONE))
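
Review bot: In getobjopt_is_snat(), merging the two checks into `test_bit(ATTR_STATUS, ct->head.set) && !(ct->status & IPS_SRC_NAT_DONE)` changes the result when ATTR_STATUS is not set: the removed lines returned 0 in that case, while the merged condition is false and execution continues past the check. That is a behaviour change, not a cleanup, so the commit message or a comment above the condition should state that a missing status attribute is deliberately left to the later checks, and say which kind of conntrack object arrives without ATTR_STATUS.
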
> > 
> > However, if ATTR_STATUS is not set, we keep checking ahead. What are
> > you trying to fix?
> 
> It was:
> 
> -       return ((test_bit(ATTR_STATUS, ct->head.set) ?
> -               ct->status & IPS_SRC_NAT_DONE : 1) &&
> -               ct->repl.dst.v4 !=
> -               ct->head.orig.src.v4);
> 
> I thought it keeps checking even if ATTR_STATUS is not set.
> But it's ok not to apply, returning false in case
> ATTR_STATUS is not set.

Ah, I see.

static int getobjopt_is_snat(const struct nf_conntrack *ct)
{
        if (!(test_bit(ATTR_STATUS, ct->head.set)))
                return 0;

        if (!(ct->status & IPS_SRC_NAT_DONE))
                return 0;

        switch (ct->head.orig.l3protonum) {
        case AF_INET:
                return ct->repl.dst.v4 != ct->head.orig.src.v4;
        case AF_INET6:
                if (memcmp(&ct->repl.dst.v6, &ct->head.orig.src.v6,
                           sizeof(struct in6_addr)) != 0)
                        return 1;
                else
                        return 0;
        default:
                return 0;
        }
}

So you want to check if the addresses mismatch, so we infer from there
if there is NAT or not when status bits are not available.

Are you trying to catch some case in netlink events specifically?

Thanks for explaining.
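
An added example, not code from libnetfilter_conntrack or from either poster: it models the three forms of the SNAT check discussed in this thread on a simplified stand-in struct and counts the inputs on which they disagree. `mock_ct`, `MOCK_SRC_NAT_DONE` and the sample addresses are constructed (IPv4 only), and it assumes the `return 0;` that followed the removed checks stays in place under the merged condition.

```c
#include <stdint.h>
#include <stdio.h>

#define MOCK_SRC_NAT_DONE (1u << 7)	/* stand-in for IPS_SRC_NAT_DONE */
#define ADDR_MISMATCH(ct) ((ct)->repl_dst_v4 != (ct)->orig_src_v4)
struct mock_ct {		/* simplified stand-in for struct nf_conntrack */
	int status_set;		/* models test_bit(ATTR_STATUS, ct->head.set) */
	uint32_t status, orig_src_v4, repl_dst_v4;
};
typedef int (*snat_fn)(const struct mock_ct *);
/* Early-return form quoted in the message: no status attribute means "not SNAT". */
static int is_snat_strict(const struct mock_ct *ct)
{
	if (!ct->status_set)
		return 0;
	if (!(ct->status & MOCK_SRC_NAT_DONE))
		return 0;
	return ADDR_MISMATCH(ct);
}
/* Merged condition from the patch: no status attribute falls through to the addresses. */
static int is_snat_merged(const struct mock_ct *ct)
{
	if (ct->status_set && !(ct->status & MOCK_SRC_NAT_DONE))
		return 0;
	return ADDR_MISMATCH(ct);
}
/* Ternary form quoted after "It was:". */
static int is_snat_ternary(const struct mock_ct *ct)
{
	return (ct->status_set ? !!(ct->status & MOCK_SRC_NAT_DONE) : 1) &&
	       ADDR_MISMATCH(ct);
}
/* Count the inputs, out of all 8 combinations, on which two forms disagree. */
static int count_disagreements(snat_fn a, snat_fn b)
{
	int n = 0;
	for (int i = 0; i < 8; i++) {	/* bit0: status present, bit1: NAT done, bit2: rewritten */
		struct mock_ct ct = { i & 1, (i & 2) ? MOCK_SRC_NAT_DONE : 0,
				      0x0a000001, (i & 4) ? 0xc0000201 : 0x0a000001 };
		n += a(&ct) != b(&ct);
	}
	return n;
}
int main(void)
{
	printf("%d %d\n", count_disagreements(is_snat_strict, is_snat_merged),
	       count_disagreements(is_snat_merged, is_snat_ternary));
	return 0;
}
```

The strict and merged forms differ only when the status attribute is absent and the reply destination differs from the original source; the merged and ternary forms agree on every input.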
