> On Mon, Sep 5, 2022 at 6:15 AM Lorenzo Bianconi <lorenzo@xxxxxxxxxx> wrote: > > > > Introduce bpf_ct_set_nat_info kfunc helper in order to set source and > > destination nat addresses/ports in a new allocated ct entry not inserted > > in the connection tracking table yet. > > > > Signed-off-by: Lorenzo Bianconi <lorenzo@xxxxxxxxxx> > > --- > > net/netfilter/nf_conntrack_bpf.c | 49 +++++++++++++++++++++++++++++++- > > 1 file changed, 48 insertions(+), 1 deletion(-) > > > > diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c > > index 1cd87b28c9b0..85b8c7ee00af 100644 > > --- a/net/netfilter/nf_conntrack_bpf.c > > +++ b/net/netfilter/nf_conntrack_bpf.c > > @@ -14,6 +14,7 @@ > > #include <net/netfilter/nf_conntrack.h> > > #include <net/netfilter/nf_conntrack_bpf.h> > > #include <net/netfilter/nf_conntrack_core.h> > > +#include <net/netfilter/nf_nat.h> > > > > /* bpf_ct_opts - Options for CT lookup helpers > > * > > @@ -134,7 +135,6 @@ __bpf_nf_ct_alloc_entry(struct net *net, struct bpf_sock_tuple *bpf_tuple, > > > > memset(&ct->proto, 0, sizeof(ct->proto)); > > __nf_ct_set_timeout(ct, timeout * HZ); > > - ct->status |= IPS_CONFIRMED; > > > > out: > > if (opts->netns_id >= 0) > > @@ -339,6 +339,7 @@ struct nf_conn *bpf_ct_insert_entry(struct nf_conn___init *nfct_i) > > struct nf_conn *nfct = (struct nf_conn *)nfct_i; > > int err; > > > > + nfct->status |= IPS_CONFIRMED; > > err = nf_conntrack_hash_check_insert(nfct); > > if (err < 0) { > > nf_conntrack_free(nfct); 
> > @@ -424,6 +425,51 @@ int bpf_ct_change_status(struct nf_conn *nfct, u32 status) > > return nf_ct_change_status_common(nfct, status); > > }
>
> Why do we need the above two changes in this patch?

nf_nat_setup_info() does not really add the nat info in the connection tracking entry if it is already confirmed (it just returns NF_ACCEPT). I moved IPS_CONFIRMED into bpf_ct_insert_entry() since we can run bpf_ct_set_nat_info() just if the entry has not been inserted in the table yet.

Regards,
Lorenzo

>
> Thanks,
> Song
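Review bot: The commit message does not explain why `ct->status |= IPS_CONFIRMED` leaves `__bpf_nf_ct_alloc_entry()` (the @@ -134 hunk) and reappears in `bpf_ct_insert_entry()` just before `nf_conntrack_hash_check_insert(nfct)` (the @@ -339 hunk); it only describes the new bpf_ct_set_nat_info kfunc. The reason given in the reply, that nf_nat_setup_info() returns NF_ACCEPT without adding the NAT info when the entry is already confirmed, belongs in the changelog and ideally in a short comment above the `nfct->status |= IPS_CONFIRMED;` line, so the ordering is not undone later. Since the move changes the state of every entry returned by the alloc path, not only those that get NAT info, consider splitting it into its own preparatory patch ahead of the one that adds the kfunc.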