From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: Xin Long <lucien.xin@gmail.com>,
	dev@openvswitch.org, ovs-dev@openvswitch.org,
	Davide Caratti <dcaratti@redhat.com>,
	Jiri Pirko <jiri@resnulli.us>,
	network dev <netdev@vger.kernel.org>,
	Paul Blakey <paulb@nvidia.com>, Florian Westphal <fw@strlen.de>,
	Jamal Hadi Salim <jhs@mojatatu.com>,
	Ilya Maximets <i.maximets@ovn.org>,
	Eric Dumazet <edumazet@google.com>,
	Cong Wang <xiyou.wangcong@gmail.com>,
	kuba@kernel.org, Paolo Abeni <pabeni@redhat.com>,
	davem@davemloft.net
Subject: Re: [ovs-dev] [PATCHv2 net-next 5/5] net: move the nat function to nf_nat_ovs for ovs and tc
Date: Thu, 24 Nov 2022 11:00:45 +0100
Message-ID: <Y39AzcHNCbeTePjK@salvia>
In-Reply-To: <Y36Oy1gT2KwQH07Y@t14s.localdomain>

On Wed, Nov 23, 2022 at 06:21:15PM -0300, Marcelo Ricardo Leitner wrote:
> On Wed, Nov 23, 2022 at 02:55:05PM -0500, Xin Long wrote:
> > On Wed, Nov 23, 2022 at 2:17 PM Marcelo Ricardo Leitner
> > <marcelo.leitner@gmail.com> wrote:
[...]
> > > > "table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+new
> > > > actions=ct(nat(dst=7.7.16.3)),ct(commit, nat(src=7.7.16.1),
> > > > alg=ftp),veth2"
> > > >
> > > > as long as it allows the 1st one doesn't commit, which is a simple
> > > > check in parse_nat().
> > > > I tested it, TC already supports it. I'm not sure about drivers, but I
> > >
> > > There's an outstanding issue with act_ct that it may reuse an old
> > > CT cache. Fixing it could (I'm not sure) impact this use case:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2099220
> > > same issue in ovs was fixed in
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2061ecfdf2350994e5b61c43e50e98a7a70e95ee
> > >
> > > (please don't ask me who would NAT and then overwrite IP addresses and
> > > then NAT it again :D)
> > I thought only traditional NAT would change IP, I'm too naive.
> > 
> > nftables names this as "stateless NAT."
> > With two CTs in the same zone for full nat is more close to the
> > netfilter's NAT processing (the same CT goes from prerouting to
> > postrouting).
> > Now I'm wondering how nftables handles the stateful NAT and stateless
> > NAT at the same time.
> 
> Me too.

There is a 'notrack' action to skip connection tracking for the flows
where the user needs stateless NAT.
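The 'notrack' arrangement described above, written out as an nftables ruleset. This is an added example, not code from this thread or from the netfilter project: it keeps one port statelessly rewritten (no conntrack entry, so no ct state and no helper) next to an ordinary stateful DNAT rule that conntrack reverses on its own. The addresses 7.7.16.3 and 7.7.16.1 and port 2121 are taken from the OVS flow quoted above; treating 7.7.16.1 as the address clients originally connect to, and the port-21 stateful rule, are assumptions made for the example.

```nft
# Added example (not from the thread or the netfilter project).
# 7.7.16.3 / 7.7.16.1 / port 2121 come from the quoted OVS flow; the roles
# assigned to them here are assumptions.
table ip nat_mix {
    # raw priority (-300) runs before conntrack (-200): packets matched here
    # never get a conntrack entry and later show up as 'ct state untracked'.
    # Both directions must be excluded, otherwise the reply would be tracked
    # as a brand-new flow with no original-direction tuple to reverse.
    chain raw_pre {
        type filter hook prerouting priority raw; policy accept;
        tcp dport 2121 notrack
        tcp sport 2121 notrack
    }

    # Stateless NAT: rewrite the header in place. Nothing remembers the
    # mapping, so the reply direction needs its own mirror rule below.
    chain stateless_pre {
        type filter hook prerouting priority mangle; policy accept;
        ct state untracked tcp dport 2121 ip daddr 7.7.16.1 ip daddr set 7.7.16.3 counter
        ct state untracked tcp sport 2121 ip saddr 7.7.16.3 ip saddr set 7.7.16.1 counter
    }

    # Stateful NAT for everything still tracked (assumed: FTP control on 21).
    # conntrack stores the mapping and un-NATs replies; the ftp helper can
    # only attach to these tracked connections.
    chain stateful_pre {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 21 dnat to 7.7.16.3
    }
}
```

Load it with `nft -f` and watch the `counter` expressions to confirm which path a flow took. Two practical consequences follow from skipping conntrack: the reply direction has to be rewritten explicitly, as the second rule in stateless_pre does, and no helper or ALG can ever act on those packets, so something like the `alg=ftp` in the quoted OVS flow has no stateless equivalent and belongs on the tracked path only.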

Thread overview:
2022-11-22 17:32 [PATCHv2 net-next 0/5] net: eliminate the duplicate code in the ct nat functions of ovs and tc Xin Long
2022-11-22 17:32 ` [PATCHv2 net-next 1/5] openvswitch: delete the unncessary skb_pull_rcsum call in ovs_ct_nat_execute Xin Long
2022-11-22 17:32 ` [PATCHv2 net-next 2/5] openvswitch: return NF_ACCEPT when OVS_CT_NAT is net set in info nat Xin Long
2022-11-23 14:24   ` Marcelo Ricardo Leitner
2022-11-22 17:32 ` [PATCHv2 net-next 3/5] net: sched: return NF_ACCEPT when fails to add nat ext in tcf_ct_act_nat Xin Long
2022-11-23 14:23   ` Marcelo Ricardo Leitner
2022-12-01 16:53     ` Xin Long
2022-11-22 17:32 ` [PATCHv2 net-next 4/5] net: sched: update the nat flag for icmp error packets in ct_nat_execute Xin Long
2022-11-22 17:32 ` [PATCHv2 net-next 5/5] net: move the nat function to nf_nat_ovs for ovs and tc Xin Long
2022-11-23 15:09   ` Marcelo Ricardo Leitner
2022-11-23 15:13     ` [ovs-dev] " Marcelo Ricardo Leitner
2022-11-23 17:31       ` Xin Long
2022-11-23 18:48         ` Marcelo Ricardo Leitner
2022-11-23 18:54           ` Xin Long
2022-11-23 19:17             ` Marcelo Ricardo Leitner
2022-11-23 19:55               ` Xin Long
2022-11-23 21:21                 ` Marcelo Ricardo Leitner
2022-11-23 21:34                   ` Xin Long
2022-12-01 21:37                     ` Marcelo Ricardo Leitner
2022-11-24 10:00                   ` Pablo Neira Ayuso [this message]
2022-11-23 18:52   ` Marcelo Ricardo Leitner
2022-12-01 16:26     ` Xin Long
2022-11-23 12:39 ` [PATCHv2 net-next 0/5] net: eliminate the duplicate code in the ct nat functions of " Marcelo Ricardo Leitner