3 | 3 | Date: Fri, 6 Sep 2019 20:54:19 -0700 |
4 | 4 | Subject: [PATCH] netfilter: nf_nat: Support fullcone NAT |
5 | 5 |
| 6 | +Changes done in the kernel to ensure 3-tuple uniqueness of the conntrack |
| 7 | +entries for the fullcone nat functionality. |
| 8 | + |
| 9 | +* Hashlist is maintained for the 3-tuple unique keys (Protocol/Source |
| 10 | + IP/Port) for all the conntrack entries. |
| 11 | + |
| 12 | +* When NAT table rules are created with the fullcone option, the |
| 13 | + SNAT/POSTROUTING stage ensures the ports from the pool are picked up in |
| 14 | + such a way that the 3-tuple is uniquely assigned. |
| 15 | + |
| 16 | +* In the DNAT/POSTROUTING stage, the fullcone behavior is ensured by checking |
| 17 | + and reusing the 3-tuple for the Source IP/Port in the original direction. |
| 18 | + |
| 19 | +* When the pool is exhausted of the 3-tuple assignments, the packets are |
| 20 | + dropped, else, they will be going out of the router they being 5-tuple |
| 21 | + unique (which is not intended). |
| 22 | + |
| 23 | +* Passing fullcone option using iptables is part of another PR (in |
| 24 | + sonic-buildimage repo). |
| 25 | + |
| 26 | +The kernel changes mentioned above are done to counter the challenges |
| 27 | +explained in the section *3.4.2.1 Handling NAT model mismatch between |
| 28 | +the ASIC and the Kernel* in the NAT HLD [1]. |
| 29 | + |
| 30 | +[1]: https://github.com/kirankella/SONiC/blob/nat_doc_changes/doc/nat/nat_design_spec.md |
| 31 | + |
| 32 | +Signed-off-by: Kiran Kella < [email protected]> |
6 | 33 | --- |
7 | 34 | include/net/netfilter/nf_conntrack.h | 3 + |
8 | 35 | include/net/netfilter/nf_nat.h | 6 + |
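Review bot: the third bullet says "DNAT/POSTROUTING stage", which does not line up with the "SNAT/POSTROUTING stage" in the bullet before it; in netfilter, destination NAT for inbound packets is applied in the PREROUTING hook, so this should probably read "DNAT/PREROUTING" (or the text should name the hook in which the inbound 3-tuple lookup and reuse actually happens). Two smaller points: the Signed-off-by line has a stray space inside the angle brackets and a placeholder address, so it will not pass a checkpatch-style sign-off check and should carry the real author address; and the fourth bullet says packets are dropped once the 3-tuple pool is exhausted, which is the right failure mode for a fullcone mapping, but a dropped-packet counter (or a rate-limited log message) on that path would let an operator see pool exhaustion, whether caused by a busy host or a misbehaving one, instead of only observing silent connection failures. Consider also pointing [1] at the merged design document rather than a personal branch, since that URL may not survive.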