| Message ID | 87588ad6631f7d60691fddb860e075ebebeaa5ec.1623248030.git.marcelo.leitner@gmail.com |
|---|---|
| State | New |
| Series | [net] net/sched: act_ct: handle DNAT tuple collision |
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Wed, 9 Jun 2021 11:23:56 -0300 you wrote:
> This is the counterpart of 8aa7b526dc0b ("openvswitch: handle DNAT
> tuple collision") for act_ct. From that commit changelog:
>
> """
> With multiple DNAT rules it's possible that after destination
> translation the resulting tuples collide.
>
> [...]

Here is the summary with links:
  - [net] net/sched: act_ct: handle DNAT tuple collision
    https://git.kernel.org/netdev/net/c/13c62f5371e3

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c index 18edd9ad1410947c0464341cf601b87bf7a7a6ff..a656baa321fe1686ac8f87f8a35819f067f65869 100644 --- a/net/sched/act_ct.c +++ b/net/sched/act_ct.c @@ -904,14 +904,19 @@ static int tcf_ct_act_nat(struct sk_buff *skb, } err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); - if (err == NF_ACCEPT && - ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) { - if (maniptype == NF_NAT_MANIP_SRC) - maniptype = NF_NAT_MANIP_DST; - else - maniptype = NF_NAT_MANIP_SRC; - - err = ct_nat_execute(skb, ct, ctinfo, range, maniptype); + if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) { + if (ct->status & IPS_SRC_NAT) { + if (maniptype == NF_NAT_MANIP_SRC) + maniptype = NF_NAT_MANIP_DST; + else + maniptype = NF_NAT_MANIP_SRC; + + err = ct_nat_execute(skb, ct, ctinfo, range, + maniptype); + } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) { + err = ct_nat_execute(skb, ct, ctinfo, NULL, + NF_NAT_MANIP_SRC); + } } return err; #else
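Review bot: the new `else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)` branch in this hunk calls `ct_nat_execute(skb, ct, ctinfo, NULL, NF_NAT_MANIP_SRC)` with a NULL range, and nothing in the code says that a NULL range here means "allocate a null SNAT binding"; that reasoning lives only in the changelog, so a one-line comment above the call (for example `/* DNAT without SNAT: allocate a null SNAT binding, as netfilter does at egress */`) would keep the intent readable in the file itself. A smaller style point on the outer condition: `err == NF_ACCEPT && ct->status & IPS_DST_NAT` relies on `&` binding tighter than `&&`; writing `(ct->status & IPS_DST_NAT)` makes the bitwise test explicit and matches the parenthesised form a reader expects in this kind of flag check. The restructuring otherwise reads correctly: the existing both-directions path is preserved unchanged under `if (ct->status & IPS_SRC_NAT)`, and the null binding is only attempted after the first `ct_nat_execute()` returned `NF_ACCEPT`, so a failed DNAT is still propagated via `err` rather than masked by the second call.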
This is the counterpart of 8aa7b526dc0b ("openvswitch: handle DNAT tuple collision") for act_ct. From that commit changelog:

"""
With multiple DNAT rules it's possible that after destination translation the resulting tuples collide.

...

Netfilter handles this case by allocating a null binding for SNAT at egress by default. Perform the same operation in openvswitch for DNAT if no explicit SNAT is requested by the user and allocate a null binding for SNAT for packets in the "original" direction.
"""

Fixes: 95219afbb980 ("act_ct: support asymmetric conntrack")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
---
I have a tdc test for this but I'll submit it to net-next once this one gets accepted. It requires some changes to tdc itself.

 net/sched/act_ct.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)