Hi Patrick,

Would you be OK if we push this patchset into mainstream? I think we can investigate the "fetch interface address and store in register" approach that you proposed to implement masquerading later on. The missing bits are the conntrack cleanup routine, which I think needs some "scratchpad" area to store the last address/interface that has been used. We can probably revisit this later once that generic state infrastructure for nf_tables (to support stateful expressions in some generic way) is in place?

If you don't like the idea, please let me know, and I'll defer this masquerading patchset.

Thanks!

On Tue, Jul 01, 2014 at 06:29:13PM +0200, Arturo Borrero Gonzalez wrote:
> The following series implements some updates for NAT in nf_tables.
>
> First of all, I add a new flag attribute to allow clients of nft_nat to
> specify additional config flags. This enables implementing port randomization
> and persistence to be set from nft.
>
> Two patches split the masquerade code from ip[6]t_MASQUERADE.c to generic
> modules, so we can use this NAT type from nft_nat.
>
> Then, the nft_nat code is split in AF specific parts, so we avoid potential
> dependencies regarding AF specific symbols in the last patch.
>
> The last patch finally implements masquerade for nft_nat.
>
> The v2 series included some fixes and additional checks, as requested
> by Florian Westphal.
>
> This v3 series includes changes requested by Pablo Neira.
>
> Comments are welcomed.
>
> ---
>
> Arturo Borrero Gonzalez (5):
>       netfilter: nft_nat: include a flag attribute
>       netfilter: nf_nat_masquerade_ipv4: code factorization
>       netfilter: nf_nat_masquerade_ipv6: code factorization
>       netfilter: nft_nat: split code in AF parts
>       netfilter: nft_nat: add masquerade support
>
>
>  .../net/netfilter/ipv4/nf_nat_masquerade_ipv4.h |   14 ++
>  .../net/netfilter/ipv6/nf_nat_masquerade_ipv6.h |   10 +
>  include/net/netfilter/nft_nat.h                 |   22 +++
>  include/uapi/linux/netfilter/nf_nat.h           |    5 +
>  include/uapi/linux/netfilter/nf_tables.h        |   10 +
>  net/ipv4/netfilter/Kconfig                      |   14 ++
>  net/ipv4/netfilter/Makefile                     |    2
>  net/ipv4/netfilter/ipt_MASQUERADE.c             |  108 +-------------
>  net/ipv4/netfilter/nf_nat_masquerade_ipv4.c     |  155 ++++++++++++++++++++
>  net/ipv4/netfilter/nft_nat_ipv4.c               |  133 +++++++++++++++++
>  net/ipv6/netfilter/Kconfig                      |   14 ++
>  net/ipv6/netfilter/Makefile                     |    2
>  net/ipv6/netfilter/ip6t_MASQUERADE.c            |   76 +---------
>  net/ipv6/netfilter/nf_nat_masquerade_ipv6.c     |  121 ++++++++++++++++
>  net/ipv6/netfilter/nft_nat_ipv6.c               |  132 +++++++++++++++++
>  net/netfilter/nft_nat.c                         |  156 ++++++-------------
>  16 files changed, 688 insertions(+), 286 deletions(-)
>  create mode 100644 include/net/netfilter/ipv4/nf_nat_masquerade_ipv4.h
>  create mode 100644 include/net/netfilter/ipv6/nf_nat_masquerade_ipv6.h
>  create mode 100644 include/net/netfilter/nft_nat.h
>  create mode 100644 net/ipv4/netfilter/nf_nat_masquerade_ipv4.c
>  create mode 100644 net/ipv4/netfilter/nft_nat_ipv4.c
>  create mode 100644 net/ipv6/netfilter/nf_nat_masquerade_ipv6.c
>  create mode 100644 net/ipv6/netfilter/nft_nat_ipv6.c
>
> --
> Arturo Borrero Gonzalez