On Thu, 29 Nov 2012, Pablo Neira Ayuso wrote:

> On Thu, Nov 29, 2012 at 10:26:40PM +0100, Florian Westphal wrote:
> > Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> >
> > > --- a/net/ipv6/netfilter/ip6table_nat.c > > > +++ b/net/ipv6/netfilter/ip6table_nat.c > > > @@ -19,6 +19,7 @@ > > > #include <net/netfilter/nf_nat.h> > > > #include <net/netfilter/nf_nat_core.h> > > > #include <net/netfilter/nf_nat_l3proto.h> > > [..] > > > static const struct xt_table nf_nat_ipv6_table = { > > > + if (hooknum == NF_INET_POST_ROUTING && > > > + CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL && > > > + nat->masq_index && nat->masq_index != out->ifindex) { > > > + /* Outgoing interface changed, kill ct. */ > > > + if (del_timer(&ct->timeout)) {
> >
> > perhaps this could be a helper in include/net/netfilter/nf_nat.h?
> >
> > It would avoid the code duplication and the needed #if IS_ENABLED() MASQ
> > check.
>
> I'd suggest a hook function that is set via rcu_pointer_assign in the
> init path of the masquerade target.

I have started to write it but it looks over-complicated compared to how
tiny the code is: both ipt_MASQUERADE and ip6t_MASQUERADE could set the
hook function, so either it requires a reference counter or there should
be two hooks. And the actual function defined in the nat core, that means
three exported objects. Also, the setting of the hook function must always
be checked in nf_nat_ipv[46]_fn which is pretty much the same as checking
masq_index first.

I'm going to send the new version of the patch for comments.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
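
Review bot: In the NF_INET_POST_ROUTING condition added to ip6table_nat.c, `nat->masq_index` is read with no test in the quoted lines that `nat` is non-NULL, and `nat->masq_index &&` silently treats 0 as "this connection was not masqueraded". If `nat` can be NULL at this point in the hook, guard it first, and extend the "Outgoing interface changed, kill ct." comment to state the zero sentinel and why a different `out->ifindex` invalidates the entry. The `if (del_timer(&ct->timeout)) {` branch is cut off in the quote; since `del_timer()` returns 0 when the timer was not pending, please make sure the handling of the current packet is explicit for that case as well as for the case where the timer was removed. On the duplication raised in the reply, a static inline in include/net/netfilter/nf_nat.h that takes `ct`, `ctinfo`, `nat` and `out` would keep the IPv4 and IPv6 copies from drifting without adding an exported hook pointer.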