Re: BUG: Kernel panic at masquerade

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 14, 2015 at 06:49:10PM +0000, Patrick McHardy wrote:
> On 14.01, Pablo Neira Ayuso wrote:
> > I think that if we control the NAT hook registration from a module,
> > then NAT chains will have to become built-in again, since we need to
> > tie the NAT chain and its rules from the hook to perform the NAT
> > handling.
> 
> No, I think the NAT runtime should be standalone and the NAT tables
> should simply be there to set up mappings. Its quite easy, they
> only receive packets in state NEW and we remove the chain invocation
> from the NAT core.

OK, so the NAT standalone module performs the NAT for state
ESTABLISHED packets. The mapping will be still controlled by the
chain. This will also work for dynamic NAT set via ctnetlink, so users
will not need to even have NAT chains to run this.

I think we'll need two hooks though. And we would still have the
incompatibility that we have with iptable_nat and nf_tables, only the
first one in place will be considered. We'll also have to
inconditionally register the input and output NAT hooks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux