[ovs-dev] [PATCH 3/4] datapath: NAT support for shifted portmap ranges

Gregory Rose gvrose8192 at gmail.com
Tue Jul 17 20:50:02 UTC 2018


On 7/16/2018 5:56 PM, Yi-Hung Wei wrote:
> This patch backports the following upstream commit from net-next, and
> defines HAVE_NF_NAT_RANGE2 to determine whether to use
> 'struct nf_nat_range2'.
>
> Upstream commit:
>      commit 2eb0f624b709e78ec8e2f4c3412947703db99301
>      Author: Thierry Du Tre <thierry at dtsystems.be>
>      Date:   Wed Apr 4 15:38:22 2018 +0200
>
>      netfilter: add NAT support for shifted portmap ranges
>
>      This is a patch proposal to support shifted ranges in portmaps.  (i.e. tcp/udp
>      incoming port 5000-5100 on WAN redirected to LAN 192.168.1.5:2000-2100)
>
>      Currently DNAT only works for single port or identical port ranges.  (i.e.
>      ports 5000-5100 on WAN interface redirected to a LAN host while original
>      destination port is not altered) When different port ranges are configured,
>      either 'random' mode should be used, or else all incoming connections are
>      mapped onto the first port in the redirect range. (in described example
>      WAN:5000-5100 will all be mapped to 192.168.1.5:2000)
>
>      This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET
>      which uses a base port value to calculate an offset with the destination port
>      present in the incoming stream. That offset is then applied as index within the
>      redirect port range (index modulo rangewidth to handle range overflow).
>
>      In described example the base port would be 5000. An incoming stream with
>      destination port 5004 would result in an offset value 4 which means that the
>      NAT'ed stream will be using destination port 2004.
>
>      Other possibilities include deterministic mapping of larger or multiple ranges
>      to a smaller range : WAN:5000-5999 -> LAN:5000-5099 (maps WAN port 5*xx to port
>      51xx)
>
>      This patch does not change any current behavior. It just adds new NAT proto
>      range functionality which must be selected via the specific flag when intended
>      to use.
>
>      A patch for iptables (libipt_DNAT.c + libip6t_DNAT.c) will also be proposed
>      which makes this functionality immediately available.
>
>      Signed-off-by: Thierry Du Tre <thierry at dtsystems.be>
>      Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
>
> Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>

LGTM but again, no chance to test.

Reviewed-by: Greg Rose <gvrose8192 at gmail.com>

> ---
>   acinclude.m4         | 1 +
>   datapath/conntrack.c | 8 ++++++--
>   2 files changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/acinclude.m4 b/acinclude.m4
> index ae8e66fc4967..c6d18611f596 100644
> --- a/acinclude.m4
> +++ b/acinclude.m4
> @@ -619,6 +619,7 @@ AC_DEFUN([OVS_CHECK_LINUX_COMPAT], [
>                           [nf_conn_labels], [words])
>     OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_ct_nat_ext_add])
>     OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_alloc_null_binding])
> +  OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_nat.h], [nf_nat_range2])
>     OVS_GREP_IFELSE([$KSRC/include/net/netfilter/nf_conntrack_seqadj.h], [nf_ct_seq_adjust])
>   
>     OVS_GREP_IFELSE([$KSRC/include/linux/random.h], [prandom_u32])
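Review bot: The new OVS_GREP_IFELSE line greps nf_nat.h for the bare token `nf_nat_range2`, which also matches a mention in a comment or as a substring of some other identifier; since the only thing this check feeds is the `#define nf_nat_range2 nf_nat_range` fallback, consider matching `struct nf_nat_range2` instead (if the macro's pattern allows it) so that HAVE_NF_NAT_RANGE2 is set only when the struct itself is declared. The neighbouring checks in this block (`nf_ct_nat_ext_add`, `nf_nat_alloc_null_binding`) are function names and much less prone to incidental matches.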
> diff --git a/datapath/conntrack.c b/datapath/conntrack.c
> index e53b8e32b3f5..42c7929055f0 100644
> --- a/datapath/conntrack.c
> +++ b/datapath/conntrack.c
> @@ -41,6 +41,10 @@
>   #include "flow_netlink.h"
>   #include "gso.h"
>   
> +#ifndef HAVE_NF_NAT_RANGE2
> +#define nf_nat_range2 nf_nat_range
> +#endif
> +
>   struct ovs_ct_len_tbl {
>   	int maxlen;
>   	int minlen;
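Review bot: The `#ifndef HAVE_NF_NAT_RANGE2` / `#define nf_nat_range2 nf_nat_range` block needs a comment: it silently retypes every `struct nf_nat_range2` in this file to the older `struct nf_nat_range` on kernels that predate upstream 2eb0f624b709, and a reader seeing `nf_nat_range2` further down in conntrack.c gets no hint that it may really be the old struct. It is worth stating there that on such kernels the base-port / NF_NAT_RANGE_PROTO_OFFSET semantics from the backported commit do not exist, so any later code that touches the new member or flag must still be wrapped in `#ifdef HAVE_NF_NAT_RANGE2`; the alias only makes the type name resolve, it does not provide the field.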
> @@ -79,7 +83,7 @@ struct ovs_conntrack_info {
>   	struct md_mark mark;
>   	struct md_labels labels;
>   #ifdef CONFIG_NF_NAT_NEEDED
> -	struct nf_nat_range range;  /* Only present for SRC NAT and DST NAT. */
> +	struct nf_nat_range2 range;  /* Only present for SRC NAT and DST NAT. */
>   #endif
>   };
>   
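Review bot: Switching the embedded member from `struct nf_nat_range` to `struct nf_nat_range2` grows `struct ovs_conntrack_info` on kernels that have the new struct, while the diffstat shows no change to the code that fills in `range`. Please confirm that the code initialising `info->range` zeroes the whole struct (e.g. via a memset or a zeroed allocation of the enclosing `ovs_conntrack_info`) rather than assigning fields one by one, so the extra trailing member added upstream does not carry uninitialised memory into the NAT setup; likewise anything that copies or compares `ovs_conntrack_info` as a whole should be checked against the new size.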
> @@ -744,7 +748,7 @@ static bool skb_nfct_cached(struct net *net,
>    */
>   static int ovs_ct_nat_execute(struct sk_buff *skb, struct nf_conn *ct,
>   			      enum ip_conntrack_info ctinfo,
> -			      const struct nf_nat_range *range,
> +			      const struct nf_nat_range2 *range,
>   			      enum nf_nat_manip_type maniptype)
>   {
>   	int hooknum, nh_off, err = NF_ACCEPT;
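Review bot: The prototype change is consistent with the member type change in the previous hunk, and since the diffstat lists only these two type changes in conntrack.c, the caller must already be passing `&info->range`; what is missing is documentation of how this was verified. The commit message above does not say which kernels the backport was built against, so please add one kernel with `nf_nat_range2` and one without, so that both the HAVE_NF_NAT_RANGE2 path and the alias path are known to compile.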
