[ovs-dev] [PATCH 3/4] datapath: NAT support for shifted portmap ranges
Gregory Rose
gvrose8192 at gmail.com
Tue Jul 17 20:50:02 UTC 2018
On 7/16/2018 5:56 PM, Yi-Hung Wei wrote:
> This patch backports the following upstream commit from net-next, and
> defines HAVE_NF_NAT_RANGE2 to determine whether to use
> 'struct nf_nat_range2'.
>
> Upstream commit:
> commit 2eb0f624b709e78ec8e2f4c3412947703db99301
> Author: Thierry Du Tre <thierry at dtsystems.be>
> Date: Wed Apr 4 15:38:22 2018 +0200
>
> netfilter: add NAT support for shifted portmap ranges
>
> This is a patch proposal to support shifted ranges in portmaps. (i.e. tcp/udp
> incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100)
>
> Currently DNAT only works for single port or identical port ranges. (i.e.
> ports 5000-5100 on WAN interface redirected to a LAN host while original
> destination port is not altered) When different port ranges are configured,
> either 'random' mode should be used, or else all incoming connections are
> mapped onto the first port in the redirect range. (in described example
> WAN:5000-5100 will all be mapped to 192.168.1.5:2000)
>
> This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET
> which uses a base port value to calculate an offset with the destination port
> present in the incoming stream. That offset is then applied as index within the
> redirect port range (index modulo rangewidth to handle range overflow).
>
> In described example the base port would be 5000. An incoming stream with
> destination port 5004 would result in an offset value 4 which means that the
> NAT'ed stream will be using destination port 2004.
>
> Other possibilities include deterministic mapping of larger or multiple ranges
> to a smaller range: WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port
> 51xx)
>
> This patch does not change any current behavior. It just adds new NAT proto
> range functionality which must be selected via the specific flag when intended
> to use.
>
> A patch for iptables (libipt_DNAT.c + libip6t_DNAT.c) will also be proposed
> which makes this functionality immediately available.
>
> Signed-off-by: Thierry Du Tre <thierry at dtsystems.be>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
>
> Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
LGTM but again, no chance to test.
Reviewed-by: Greg Rose <gvrose8192 at gmail.com>
> ---
> acinclude.m4 | 1 +
> datapath/conntrack.c | 8 ++++++--
> 2 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/acinclude.m4 b/acinclude.m4
> index ae8e66fc4967..c6d18611f596 100644
> --- a/acinclude.m4
> +++ b/acinclude.m4
> @@ -619,6 +619,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
> [nf_conn_labels], [words])
> OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_ct_nat_ext_add])
> OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_alloc_null_binding])
> + OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2])
> OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], [nf_ct_seq_adjust])
>
> OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32])
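Review bot: the added OVS_GREP_IFELSE line relies on the macro's default action of deriving HAVE_NF_NAT_RANGE2 from the grep token, which is what the `#ifndef HAVE_NF_NAT_RANGE2` in conntrack.c keys on; because it is a plain text match on nf_nat.h, it is worth confirming that `nf_nat_range2` cannot appear in that header (e.g. in a comment or forward declaration) on a kernel that still only provides the old `struct nf_nat_range`, since a false positive would select the new type without its `base_proto` member. A one-line comment referencing the upstream commit (2eb0f624b709) next to the check would help whoever later prunes these compat greps.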
> diff --git a/datapath/conntrack.c b/datapath/conntrack.c
> index e53b8e32b3f5..42c7929055f0 100644
> --- a/datapath/conntrack.c
> +++ b/datapath/conntrack.c
> @@ -41,6 +41,10 @@
> #include "flow_netlink.h"
> #include "gso.h"
>
> +#ifndef HAVE_NF_NAT_RANGE2
> +#define nf_nat_range2 nf_nat_range
> +#endif
> +
> struct ovs_ct_len_tbl {
> int maxlen;
> int minlen;
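Review bot: the `#define nf_nat_range2 nf_nat_range` shim only covers the type rename; on kernels without HAVE_NF_NAT_RANGE2 the aliased struct has no `base_proto` member, so any later code that reads or writes `range.base_proto` (required for the NF_NAT_RANGE_PROTO_OFFSET mode the commit message describes) would fail to build there. Suggest a short comment above the `#ifndef`, e.g. `/* Pre-nf_nat_range2 kernels: no base_proto, shifted portmap NAT unavailable. */`, so nobody extending the NAT path later assumes the alias also provides the new field.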
> @@ -79,7 +83,7 @@ struct ovs_conntrack_info {
> struct md_mark mark;
> struct md_labels labels;
> #ifdef CONFIG_NF_NAT_NEEDED
> - struct nf_nat_range range; /* Only present for SRC NAT and DST NAT. */
> + struct nf_nat_range2 range; /* Only present for SRC NAT and DST NAT. */
> #endif
> };
>
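Review bot: with HAVE_NF_NAT_RANGE2 the embedded `range` member gains `base_proto`, which nothing in this patch assigns; that is harmless only if `ovs_conntrack_info` is zero-initialised where it is built and NF_NAT_RANGE_PROTO_OFFSET is never set from the OVS side, otherwise a stale `base_proto` value would be handed to the kernel NAT code along with the rest of the range. Worth confirming and stating in the commit message, since "does not change any current behavior" now depends on that initialisation.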
> @@ -744,7 +748,7 @@ static bool skb_nfct_cached(struct net *net,
> */
> static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
> enum ip_conntrack_info ctinfo,
> - const struct nf_nat_range *range,
> + const struct nf_nat_range2 *range,
> enum nf_nat_manip_type maniptype)
> {
> int hooknum, nh_off, err = NF_ACCEPT;
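The shifted portmap arithmetic described in the quoted commit message (offset from a base port, index taken modulo the redirect range width, with the legacy "everything lands on the first port" behaviour as the contrast) as an added, stand-alone example; this is constructed illustration code, not the kernel's or OVS's implementation, and the function name `map_dnat_port`, the `struct port_map` result type and the choice to reject ports below `base` are assumptions of this example. It generalises the single 5004 -> 2004 case in the text to arbitrary ranges, including the wrap-around case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of applying a DNAT port rule to one packet (example type). */
struct port_map {
    bool ok;        /* false when the packet's port is not covered by the rule */
    uint16_t port;  /* translated destination port when ok is true */
};

/*
 * Translate a destination port, host byte order throughout.
 *
 *   in_min..in_max   incoming (WAN) port range matched by the rule
 *   out_min..out_max redirect (LAN) port range
 *   base             base port for the offset mode; offset = dport - base
 *   offset_mode      false: legacy behaviour, every match maps to out_min
 *                    true:  NF_NAT_RANGE_PROTO_OFFSET-style mapping,
 *                           out_min + (offset modulo range width)
 *
 * Example assumption: a port below base is treated as "not mapped" rather
 * than being wrapped through unsigned arithmetic.
 */
static struct port_map map_dnat_port(uint16_t dport,
                                     uint16_t in_min, uint16_t in_max,
                                     uint16_t out_min, uint16_t out_max,
                                     uint16_t base, bool offset_mode)
{
    struct port_map r = { .ok = false, .port = 0 };
    /* width is at least 1; computed in 32 bits so 0..65535 cannot overflow */
    uint32_t width = (uint32_t)out_max - (uint32_t)out_min + 1u;

    if (dport < in_min || dport > in_max)
        return r;                       /* rule does not match this packet */

    if (!offset_mode) {
        r.ok = true;
        r.port = out_min;               /* legacy: first port of the range */
        return r;
    }

    if (dport < base)
        return r;                       /* example choice: refuse negative offsets */

    /* offset into the redirect range, wrapped when it exceeds the width */
    uint32_t off = (uint32_t)dport - (uint32_t)base;
    r.ok = true;
    r.port = (uint16_t)((uint32_t)out_min + off % width);
    return r;
}

int main(void)
{
    /* Case from the commit message: WAN 5000-5100 -> LAN 2000-2100, base 5000 */
    struct port_map m = map_dnat_port(5004, 5000, 5100, 2000, 2100, 5000, true);
    printf("offset mode : 5004 -> %u (ok=%d)\n", m.port, m.ok);

    m = map_dnat_port(5004, 5000, 5100, 2000, 2100, 5000, false);
    printf("legacy mode : 5004 -> %u (ok=%d)\n", m.port, m.ok);

    /* Larger range onto a smaller one: WAN 5000-5999 -> LAN 5000-5099 */
    m = map_dnat_port(5234, 5000, 5999, 5000, 5099, 5000, true);
    printf("wrap-around : 5234 -> %u (ok=%d)\n", m.port, m.ok);
    return 0;
}
```

With the ranges from the message, 5004 maps to 2004 in offset mode and to 2000 in legacy mode; for the 5000-5999 onto 5000-5099 case the modulo step folds 5234 onto 5034, and 5999 onto 5099.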