On Mon, Sep 5, 2022 at 6:15 AM Lorenzo Bianconi <lorenzo@xxxxxxxxxx> wrote:
>
> Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> destination nat addresses/ports in a new allocated ct entry not inserted
> in the connection tracking table yet.
>
> Signed-off-by: Lorenzo Bianconi <lorenzo@xxxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_bpf.c | 49 +++++++++++++++++++++++++++++++-
> 1 file changed, 48 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c
> index 1cd87b28c9b0..85b8c7ee00af 100644
> --- a/net/netfilter/nf_conntrack_bpf.c
> +++ b/net/netfilter/nf_conntrack_bpf.c
> @@ -14,6 +14,7 @@
> #include <net/netfilter/nf_conntrack.h>
> #include <net/netfilter/nf_conntrack_bpf.h>
> #include <net/netfilter/nf_conntrack_core.h>
> +#include <net/netfilter/nf_nat.h>
>
> /* bpf_ct_opts - Options for CT lookup helpers
> *
> @@ -134,7 +135,6 @@ __bpf_nf_ct_alloc_entry(struct net *net, struct bpf_sock_tuple *bpf_tuple,
>
> memset(&ct->proto, 0, sizeof(ct->proto));
> __nf_ct_set_timeout(ct, timeout * HZ);
> - ct->status |= IPS_CONFIRMED;
>
> out:
> if (opts->netns_id >= 0)
> @@ -339,6 +339,7 @@ struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i)
> struct nf_conn *nfct = (struct nf_conn *)nfct_i;
> int err;
>
> + nfct->status |= IPS_CONFIRMED;
> err = nf_conntrack_hash_check_insert(nfct);
> if (err < 0) {
> nf_conntrack_free(nfct);
> @@ -424,6 +425,51 @@ int bpf_ct_change_status(struct nf_conn *nfct, u32 status)
> return nf_ct_change_status_common(nfct, status);
> }
Why do we need the above two changes in this patch?
Thanks,
Song
