linux

mirror of https://github.com/torvalds/linux.git synced 2024-11-11 14:42:24 +00:00

History

Florian Westphal 9971a514ed netfilter: nf_nat: add nat type hooks to nat core Currently the packet rewrite and instantiation of nat NULL bindings happens from the protocol specific nat backend. Invocation occurs either via ip(6)table_nat or the nf_tables nat chain type. Invocation looks like this (simplified): NF_HOOK() \| `---iptable_nat \| `---> nf_nat_l3proto_ipv4 -> nf_nat_packet \| new packet? pass skb though iptables nat chain \| `---> iptable_nat: ipt_do_table In nft case, this looks the same (nft_chain_nat_ipv4 instead of iptable_nat). This is a problem for two reasons: 1. Can't use iptables nat and nf_tables nat at the same time, as the first user adds a nat binding (nf_nat_l3proto_ipv4 adds a NULL binding if do_table() did not find a matching nat rule so we can detect post-nat tuple collisions). 2. If you use e.g. nft_masq, snat, redir, etc. uses must also register an empty base chain so that the nat core gets called fro NF_HOOK() to do the reverse translation, which is neither obvious nor user friendly. After this change, the base hook gets registered not from iptable_nat or nftables nat hooks, but from the l3 nat core. iptables/nft nat base hooks get registered with the nat core instead: NF_HOOK() \| `---> nf_nat_l3proto_ipv4 -> nf_nat_packet \| new packet? pass skb through iptables/nftables nat chains \| +-> iptables_nat: ipt_do_table +-> nft nat chain x `-> nft nat chain y The nat core deals with null bindings and reverse translation. When no mapping exists, it calls the registered nat lookup hooks until one creates a new mapping. If both iptables and nftables nat hooks exist, the first matching one is used (i.e., higher priority wins). Also, nft users do not need to create empty nat hooks anymore, nat core always registers the base hooks that take care of reverse/reply translation. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>		2018-05-23 09:14:06 +02:00
..
ila	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
netfilter	netfilter: nf_nat: add nat type hooks to nat core	2018-05-23 09:14:06 +02:00
addrconf_core.c	net: ipv6: Make inet6addr_validator a blocking notifier	2017-10-20 13:15:07 +01:00
addrconf.c	ipv6: addrconf: don't evaluate keep_addr_on_down twice	2018-04-25 13:03:37 -04:00
addrlabel.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
af_inet6.c	tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive	2018-04-29 21:29:55 -04:00
ah6.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next	2017-11-15 11:56:19 -08:00
anycast.c	net/ipv6: Remove aca_idev	2018-04-19 15:40:13 -04:00
calipso.c	net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t	2017-07-04 22:35:16 +01:00
datagram.c	ipv6: add a wrapper for ip6_dst_store() with flowi6 checks	2018-04-04 11:31:57 -04:00
esp6_offload.c	esp: check the NETIF_F_HW_ESP_TX_CSUM bit before segmenting	2018-02-27 10:46:01 +01:00
esp6.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2018-01-17 00:10:42 -05:00
exthdrs_core.c	net: ipv6: Fix typo in ipv6_find_hdr() documentation	2018-05-07 23:50:27 -04:00
exthdrs_offload.c
exthdrs.c	ipv6: Count interface receive statistics on the ingress netdev	2018-04-17 13:39:51 -04:00
fib6_notifier.c	net: Add module reference to FIB notifiers	2017-09-01 20:33:42 -07:00
fib6_rules.c	net: fib_rules: add extack support	2018-04-23 10:21:24 -04:00
fou6.c	fou: make local function static	2017-05-21 13:42:36 -04:00
icmp.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
inet6_connection_sock.c
inet6_hashtables.c	inet: Add a 2nd listener hashtable (port+addr)	2017-12-03 10:18:28 -05:00
ip6_checksum.c	udplite: fix partial checksum initialization	2018-02-16 15:57:42 -05:00
ip6_fib.c	net/ipv6: rename rt6_next to fib6_next	2018-05-04 19:54:52 -04:00
ip6_flowlabel.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
ip6_gre.c	erspan: auto detect truncated ipv6 packets.	2018-05-11 16:03:49 -04:00
ip6_icmp.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
ip6_input.c	ipv6: Count interface receive statistics on the ingress netdev	2018-04-17 13:39:51 -04:00
ip6_offload.c	udp: add udp gso	2018-04-26 15:07:42 -04:00
ip6_offload.h
ip6_output.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next	2018-05-06 21:51:37 -04:00
ip6_tunnel.c	ip6_tunnel: better validate user provided tunnel names	2018-04-05 15:16:15 -04:00
ip6_udp_tunnel.c
ip6_vti.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2018-05-11 20:53:22 -04:00
ip6mr.c	net: fib_rules: add extack support	2018-04-23 10:21:24 -04:00
ipcomp6.c
ipv6_sockglue.c	inet: whitespace cleanup	2018-02-28 11:43:28 -05:00
Kconfig	trivial: fix inconsistent help texts	2018-05-08 00:05:11 -04:00
Makefile	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
mcast_snoop.c
mcast.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
mip6.c
ndisc.c	net/ipv6: Rename fib6_info struct elements	2018-04-19 15:40:12 -04:00
netfilter.c	netfilter: use skb_to_full_sk in ip6_route_me_harder	2018-02-25 20:51:13 +01:00
output_core.c	net: accept UFO datagrams from tuntap and packet	2017-11-24 01:37:35 +09:00
ping.c	ipv6: allow to cache dst for a connected sk in ip6_sk_dst_lookup_flow()	2018-04-04 11:31:57 -04:00
proc.c	inet: frags: break the 2GB limit for frags storage	2018-03-31 23:25:39 -04:00
protocol.c	net: Add sysctl to toggle early demux for tcp and udp	2017-03-24 13:17:07 -07:00
raw.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
reassembly.c	ipv6: frags: fix a lockdep false positive	2018-04-18 23:19:39 -04:00
route.c	net/ipv6: fix lock imbalance in ip6_route_del()	2018-05-10 17:29:36 -04:00
seg6_hmac.c	ipv6: sr: Use ARRAY_SIZE macro	2017-09-01 18:35:23 -07:00
seg6_iptunnel.c	ipv6: sr: extract the right key values for "seg6_make_flowlabel"	2018-04-30 12:13:43 -04:00
seg6_local.c	net/ipv6: Pass skb to route lookup	2018-03-04 13:04:22 -05:00
seg6.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
sit.c	ipv6: sit: better validate user provided tunnel names	2018-04-05 15:16:15 -04:00
syncookies.c	net/ipv4: disable SMC TCP option with SYN Cookies	2018-03-25 20:53:54 -04:00
sysctl_net_ipv6.c	ipv6: sr: Compute flowlabel for outer IPv6 header of seg6 encap mode	2018-04-25 13:02:15 -04:00
tcp_ipv6.c	tcp: Add mark for TIMEWAIT sockets	2018-05-10 17:44:52 -04:00
tcpv6_offload.c	gso: validate gso_type in GSO handlers	2018-01-22 16:01:30 -05:00
tunnel6.c
udp_impl.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
udp_offload.c	udp: Add support for software checksum and GSO_PARTIAL with GSO offload	2018-05-08 22:30:06 -04:00
udp.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2018-05-11 20:53:22 -04:00
udplite.c	net: Drop pernet_operations::async	2018-03-27 13:18:09 -04:00
xfrm6_input.c	xfrm: Reinject transport-mode packets through tasklet	2017-12-19 08:23:21 +01:00
xfrm6_mode_beet.c	networking: make skb_pull & friends return void pointers	2017-06-16 11:48:39 -04:00
xfrm6_mode_ro.c	ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()	2017-06-02 13:57:27 -04:00
xfrm6_mode_transport.c	ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()	2017-06-02 13:57:27 -04:00
xfrm6_mode_tunnel.c	xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto	2018-03-07 10:54:29 +01:00
xfrm6_output.c	net: xfrm: use skb_gso_validate_network_len() to check gso sizes	2018-03-04 17:49:17 -05:00
xfrm6_policy.c	net/ipv6: Remove unused code and variables for rt6_info	2018-04-17 23:41:18 -04:00
xfrm6_protocol.c
xfrm6_state.c	xfrm: remove VLA usage in __xfrm6_sort()	2018-04-26 07:51:48 +02:00
xfrm6_tunnel.c	xfrm: Fix warning in xfrm6_tunnel_net_exit.	2018-04-16 07:50:09 +02:00