On 7 October 2016 at 11:59, Davide Caratti <dcaratti@xxxxxxxxxx> wrote:
> On Fri, 2016-10-07 at 09:35 +0200, Arturo Borrero Gonzalez wrote:
>> Since I can add the same rule in nftables, I wonder if the same problem
>> happens:
>>
>> chain postrouting {
>>     type nat hook postrouting priority 0; policy accept;
>>     ip protocol sctp snat 10.0.0.1:61000
>> }
>>
>
> hello Arturo,
>
> thank you for looking at this. I just did a test following your suggestion:
>
> # iptables -F -t nat
> # rmmod nf_nat_proto_sctp
> # nft add table nat
> # nft add chain nat prerouting { type nat hook prerouting priority 1 \; }
> # nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
> # nft add rule nat postrouting oif eth1 ip protocol sctp snat 10.0.0.1:61000
> # IP 10.0.0.1.55836 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.55836: sctp
> IP 10.0.0.1.55836 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.55836: sctp
> IP 10.0.0.1.55836 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.55836: sctp
> IP 10.0.0.1.55836 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.55836: sctp
> IP 10.0.0.1.55836 > 10.0.0.2.2000: sctp
> # modprobe nf_nat_proto_sctp
> # IP 10.0.0.1.61000 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.61000: sctp
> IP 10.0.0.1.61000 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.61000: sctp
> IP 10.0.0.1.61000 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.61000: sctp
> IP 10.0.0.1.61000 > 10.0.0.2.2000: sctp
> IP 10.0.0.2.2000 > 10.0.0.1.61000: sctp
> IP 10.0.0.1.61000 > 10.0.0.2.2000: sctp
> #
>
> you are right, unless you manually modprobe nf_nat_proto_sctp.ko, you will
> see wrong port translation also with nftables, and this patch does not fix
> it. Then I will submit a v2 that also handles nftables.
>

Thanks Davide for your work and time.

Unlike in iptables, in nftables we don't know the expected l4 protocol at rule setup time.

In the iptables<->nftables compat layer, we have an expression attribute which is filled from userspace with the l4 protocol (NFTA_RULE_COMPAT_PROTO).

Not sure if it's worth adding a new netlink attribute for nft_nat to tell the expression about the expected l4 NAT protocol.

--
Arturo Borrero González
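The symptom in the thread is that the nft snat rule is accepted but SCTP source ports stay untranslated until nf_nat_proto_sctp is loaded. The following is an added verification check, not code from the thread or from netfilter: it parses tcpdump-style lines like those quoted above and a /proc/modules listing (both constructed samples here) so an operator can confirm the port rewrite actually took effect.

```python
import re

# Constructed samples modelled on the capture quoted in the thread:
# before the module is loaded the source port 55836 is untouched,
# afterwards it is rewritten to the configured SNAT port 61000.
CAPTURE_BEFORE = """\
IP 10.0.0.1.55836 > 10.0.0.2.2000: sctp
IP 10.0.0.2.2000 > 10.0.0.1.55836: sctp
"""
CAPTURE_AFTER = """\
IP 10.0.0.1.61000 > 10.0.0.2.2000: sctp
IP 10.0.0.2.2000 > 10.0.0.1.61000: sctp
"""
# Constructed /proc/modules excerpt; the module name is the first field.
PROC_MODULES = "nf_nat 32768 2 nft_nat,nf_nat_ipv4, Live 0x0000000000000000\n"

LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)$"
)


def parse_capture(text):
    """Return (src, sport, dst, dport, proto) tuples for tcpdump-style lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append((m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["proto"]))
    return flows


def snat_port_applied(text, snat_ip, snat_port, proto="sctp"):
    """True if every outbound `proto` packet from snat_ip carries the SNAT port.

    Returns None when the capture holds no matching outbound packet at all,
    so 'nothing observed' is not mistaken for 'translation works'.
    """
    outbound = [f for f in parse_capture(text) if f[0] == snat_ip and f[4] == proto]
    if not outbound:
        return None
    return all(f[1] == snat_port for f in outbound)


def sctp_nat_module_loaded(proc_modules_text):
    """Check a /proc/modules listing for the nf_nat_proto_sctp module."""
    return any(line.split()[0] == "nf_nat_proto_sctp"
               for line in proc_modules_text.splitlines() if line.strip())
```

On a live box the two inputs would come from `tcpdump -n` on the outgoing interface and from `/proc/modules`; a False from `snat_port_applied` together with False from `sctp_nat_module_loaded` is exactly the state the thread describes.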