linux_dsm_epyc7002/include
Patrick McHardy c68cd6cc21 netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN
2.6.34 introduced 'conntrack zones' to deal with cases where packets
from multiple identical networks are handled by conntrack/NAT. Packets
are looped through veth devices, during which they are NATed to private
addresses, after which they can continue normally through the stack
and possibly have NAT rules applied a second time.

This works well, but is needlessly complicated for cases where only
a single SNAT/DNAT mapping needs to be applied to these packets. In that
case, all that needs to be done is to assign each network to a seperate
zone and perform NAT as usual. However this doesn't work for packets
destined for the machine performing NAT itself since its corrently not
possible to configure SNAT mappings for the LOCAL_IN chain.

This patch adds a new INPUT chain to the NAT table and changes the
targets performing SNAT to be usable in that chain.

Example usage with two identical networks (192.168.0.0/24) on eth0/eth1:

iptables -t raw -A PREROUTING -i eth0 -j CT --zone 1
iptables -t raw -A PREROUTING -i eth0 -j MARK --set-mark 1
iptables -t raw -A PREROUTING -i eth1 -j CT --zone 2
iptabels -t raw -A PREROUTING -i eth1 -j MARK --set-mark 2

iptables -t nat -A INPUT       -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
iptables -t nat -A POSTROUTING -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
iptables -t nat -A INPUT       -m mark --mark 2 -j NETMAP --to 10.0.1.0/24
iptables -t nat -A POSTROUTING -m mark --mark 2 -j NETMAP --to 10.0.1.0/24

iptables -t raw -A PREROUTING -d 10.0.0.0/24 -j CT --zone 1
iptables -t raw -A OUTPUT     -d 10.0.0.0/24 -j CT --zone 1
iptables -t raw -A PREROUTING -d 10.0.1.0/24 -j CT --zone 2
iptables -t raw -A OUTPUT     -d 10.0.1.0/24 -j CT --zone 2

iptables -t nat -A PREROUTING -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A OUTPUT     -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A PREROUTING -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A OUTPUT     -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24

Signed-off-by: Patrick McHardy <kaber@trash.net>
2010-06-17 06:12:26 +02:00
..
acpi Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6 2010-05-28 14:42:18 -07:00
asm-generic numa: introduce numa_mem_id()- effective local memory node id 2010-05-27 09:12:57 -07:00
crypto crypto: skcipher - Add ablkcipher_walk interfaces 2010-05-19 14:13:07 +10:00
drm Merge branch 'drm-for-2.6.35' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 2010-05-21 11:14:52 -07:00
keys
linux Merge branch 'master' of /repos/git/net-next-2.6 2010-06-15 17:31:06 +02:00
math-emu
media V4L/DVB: v4l2-subdev.h: Add support for enum_dv_preset 2010-05-19 12:59:01 -03:00
mtd
net netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN 2010-06-17 06:12:26 +02:00
pcmcia pcmcia: remove unused mem_op.h 2010-05-10 10:23:20 +02:00
rdma IB/core: Allow device-specific per-port sysfs files 2010-05-21 10:34:44 -07:00
rxrpc net: use __packed annotation 2010-06-03 03:21:52 -07:00
scsi [SCSI] libfc: Move the port_id into lport 2010-05-16 22:22:34 -04:00
sound Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 2010-05-20 09:41:44 -07:00
trace drop unused dentry argument to ->fsync 2010-05-27 22:05:02 -04:00
video fbdev: move FBIO_WAITFORVSYNC to linux/fb.h 2010-05-25 08:07:09 -07:00
xen
Kbuild