linux_dsm_epyc7002/net
Florian Westphal f92b40a8b2 netfilter: core: only allow one nat hook per hook point
The netfilter NAT core cannot deal with more than one NAT hook per hook
location (prerouting, input ...), because the NAT hooks install a NAT null
binding in case the iptables nat table (iptable_nat hooks) or the
corresponding nftables chain (nft nat hooks) doesn't specify a nat
transformation.

Null bindings are needed to detect port collsisions between NAT-ed and
non-NAT-ed connections.

This causes nftables NAT rules to not work when iptable_nat module is
loaded, and vice versa because nat binding has already been attached
when the second nat hook is consulted.

The netfilter core is not really the correct location to handle this
(hooks are just hooks, the core has no notion of what kinds of side
 effects a hook implements), but its the only place where we can check
for conflicts between both iptables hooks and nftables hooks without
adding dependencies.

So add nat annotation to hook_ops to describe those hooks that will
add NAT bindings and then make core reject if such a hook already exists.
The annotation fills a padding hole, in case further restrictions appar
we might change this to a 'u8 type' instead of bool.

iptables error if nft nat hook active:
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables v1.4.21: can't initialize iptables table `nat': File exists
Perhaps iptables or your kernel needs to be upgraded.

nftables error if iptables nat table present:
nft -f /etc/nftables/ipv4-nat
/usr/etc/nftables/ipv4-nat:3:1-2: Error: Could not process rule: File exists
table nat {
^^

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-01-08 18:01:13 +01:00
..
6lowpan
9p make sock_alloc_file() do sock_release() on failures 2017-12-05 18:39:29 -05:00
802 treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-12 09:17:05 +09:00
appletalk treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
atm atm: mpoa: remove 32-bit timekeeping 2017-11-30 09:26:32 -05:00
ax25
batman-adv batman-adv: Convert packet.h to uapi header 2017-12-21 15:35:53 -05:00
bluetooth Bluetooth: introduce DEFINE_SHOW_ATTRIBUTE() macro 2017-12-13 20:20:34 +01:00
bpf
bridge netfilter: don't allocate space for arp/bridge hooks unless needed 2018-01-08 18:01:11 +01:00
caif
can net: use rtnl_register_module where needed 2017-12-04 11:32:39 -05:00
ceph We have a set of file locking improvements from Zheng, rbd rw/ro 2017-11-21 05:38:32 -10:00
core bpf: finally expose xdp_rxq_info to XDP bpf-programs 2018-01-05 15:21:22 -08:00
dcb
dccp net: dccp: Remove dccpprobe module 2018-01-02 14:27:30 -05:00
decnet net: use rtnl_register_module where needed 2017-12-04 11:32:39 -05:00
dns_resolver
dsa net: dsa: Move padding into Broadcom tagger 2018-01-05 11:21:31 -05:00
ethernet
hsr
ieee802154
ife
ipv4 netfilter: core: only allow one nat hook per hook point 2018-01-08 18:01:13 +01:00
ipv6 netfilter: core: only allow one nat hook per hook point 2018-01-08 18:01:13 +01:00
ipx
iucv
kcm make sock_alloc_file() do sock_release() on failures 2017-12-05 18:39:29 -05:00
key af_key: replace BUG_ON on WARN_ON in net_exit hook 2017-11-14 15:45:52 +09:00
l2tp l2tp: remove configurable payload offset 2018-01-05 11:03:19 -05:00
l3mdev
lapb treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
llc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
mac80211 We have things all over the place, no point listing them. 2018-01-04 14:33:29 -05:00
mac802154
mpls net: use rtnl_register_module where needed 2017-12-04 11:32:39 -05:00
ncsi net/ncsi: Don't take any action on HNCDSC AEN 2017-12-18 14:50:11 -05:00
netfilter netfilter: core: only allow one nat hook per hook point 2018-01-08 18:01:13 +01:00
netlabel net/netlabel: Add list_next_rcu() in rcu_dereference(). 2017-11-18 10:32:41 +09:00
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-12-16 22:11:55 -05:00
netrom treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
nfc treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
nsh
openvswitch openvswitch: drop unneeded newline 2018-01-02 13:49:53 -05:00
packet net: Add asynchronous callbacks for xfrm on layer 2. 2017-12-20 10:41:36 +01:00
phonet net: use rtnl_register_module where needed 2017-12-04 11:32:39 -05:00
psample
qrtr net: use rtnl_register_module where needed 2017-12-04 11:32:39 -05:00
rds rds: use RCU to synchronize work-enqueue with connection teardown 2018-01-05 13:39:18 -05:00
rfkill
rose treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
rxrpc rxrpc: Use correct netns source in rxrpc_release_sock() 2017-12-03 10:05:20 -05:00
sched net: sched: fix skb leak in dev_requeue_skb() 2018-01-02 13:48:29 -05:00
sctp net: sctp: Remove debug SCTP probe module 2018-01-02 14:27:29 -05:00
smc smc: support variable CLC proposal messages 2017-12-07 15:03:12 -05:00
strparser strparser: Call sock_owned_by_user_nocheck 2017-12-28 14:28:22 -05:00
sunrpc NFS client fixes for Linux 4.15-rc4 2017-12-16 13:12:53 -08:00
switchdev net: bridge: Add/del switchdev object on host join/leave 2017-11-10 13:41:40 +09:00
tipc tipc: simplify small window members' sorting algorithm 2018-01-05 13:37:03 -05:00
tls tls: don't override sk_write_space if tls_set_sw_offload fails. 2017-11-14 16:26:35 +09:00
unix
vmw_vsock VSOCK: fix outdated sk_state value in hvs_release() 2017-12-05 15:07:37 -05:00
wimax
wireless We have things all over the place, no point listing them. 2018-01-04 14:33:29 -05:00
x25 treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts 2017-11-21 16:35:54 -08:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-12-29 15:42:26 -05:00
compat.c
Kconfig netfilter: don't allocate space for arp/bridge hooks unless needed 2018-01-08 18:01:11 +01:00
Makefile
socket.c sock: Move the socket inuse to namespace. 2017-12-19 09:58:14 -05:00
sysctl_net.c