一个实用且真实的内核补丁——关于桥接 NAT 的

简介:
kernel-janitors@vger.kernel.org
bdschuym@pandora.be
...相关的收件人邮箱

Hi, everyone

As we know, the NAT netfilter hook for IP at OUTPUT is called after routing, so the packet must be re-routed if NAT changes its destination or source address in that hook. The kernel already does this for the IP layer. But I don't see any equivalent logic for re-routing after bridge NAT: if bridge NAT changes the destination (or source) MAC address, the bridge forwarding decision should be redone, just as the IP layer does.
I only have the 2.6.8 kernel, so the patch is against it. Since the bridge logic in the 2.6.3x kernel sources has not changed, it should not matter that the patch is made against 2.6.8.

Best wishes 

...邮件签名

--- kernel-source-2.6.8/net/bridge/netfilter/ebtable_nat.c    2004-08-14 01:38:09.000000000 -0400
+++ kernel-source-2.6.8/net/bridge/netfilter/ebtable_nat.c    2010-09-25 23:18:13.040825944 -0400
//以上不标准,正确的做法应该是在git源码树上修改...
@@ -10,6 +10,7 @@
 
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/module.h>
+#include "../br_private.h"
 
 #define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | /
    (1 << NF_BR_POST_ROUTING))
@@ -61,6 +62,30 @@
 };
 
 static unsigned int
+ebt_nat_dst_local(unsigned int hook, struct sk_buff **pskb, const struct net_device *in
+   , const struct net_device *out, int (*okfn)(struct sk_buff *))
+{
+    struct net_bridge *br = netdev_priv(out);
+    struct net_bridge_fdb_entry *dst;
+    char orig_mac[ETH_ALEN] = {0};
+    unsigned int ret = 0;
+    memcpy(orig_mac, ((**pskb).mac.ethernet)->h_dest, ETH_ALEN * sizeof(unsigned char));
+    ret = ebt_do_table(hook, pskb, in, out, &frame_nat);
+    if (strncmp(((**pskb).mac.ethernet)->h_dest, orig_mac, ETH_ALEN)) {
+        rcu_read_lock();
+        if ((((**pskb).mac.ethernet)->h_dest)[0] & 1) 
+            br_flood_deliver(br, *pskb, 0);
+        else if ((dst = __br_fdb_get(br, ((**pskb).mac.ethernet)->h_dest)) != NULL)
+            br_deliver(dst->dst, *pskb);
+        else
+            br_flood_deliver(br, *pskb, 0);
+        rcu_read_unlock();
+        return NF_STOLEN; 
+                
+    }
+    return ret;
+}
+static unsigned int
 ebt_nat_dst(unsigned int hook, struct sk_buff **pskb, const struct net_device *in
    , const struct net_device *out, int (*okfn)(struct sk_buff *))
 {
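Review bot: The change detection at `strncmp(((**pskb).mac.ethernet)->h_dest, orig_mac, ETH_ALEN)` treats a raw MAC address as a C string, so it stops at the first 0x00 octet; any destination whose first octet is 00 (most 00:xx OUIs) compares equal no matter what the table rewrote, and the re-delivery path is silently skipped. Use `memcmp(((**pskb).mac.ethernet)->h_dest, orig_mac, ETH_ALEN)` instead. The verdict from ebt_do_table() is also discarded on the changed-MAC path: a rule that returned NF_DROP still gets its frame handed to br_deliver()/br_flood_deliver() and NF_STOLEN is reported to the caller, so the table's drop policy is bypassed; add `if (ret != NF_ACCEPT) return ret;` directly after the ebt_do_table() call. Finally, `netdev_priv(out)` is only a `struct net_bridge` if `out` is the bridge device itself; if at NF_BR_LOCAL_OUT `out` is the bridge port's device (as the ebtables `-o` semantics suggest), this reads the NIC driver's private area as a bridge and the fdb lookup walks garbage, so confirm which device the hook is invoked with before relying on it.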
@@ -76,7 +101,7 @@
 
 static struct nf_hook_ops ebt_ops_nat[] = {
     {
-        .hook        = ebt_nat_dst,
+        .hook        = ebt_nat_dst_local,
         .owner        = THIS_MODULE,
         .pf        = PF_BRIDGE,

         .hooknum    = NF_BR_LOCAL_OUT,
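Review bot: Wiring ebt_nat_dst_local into the NF_BR_LOCAL_OUT slot makes the hook itself call br_deliver()/br_flood_deliver(); if the bridge's delivery path raises NF_BR_LOCAL_OUT again for the chosen port (as the bridge code of this era appears to), the rewritten frame traverses the nat table a second time, and a target whose result depends on the current destination could bounce between hook and delivery indefinitely. A short comment on the entry would make that constraint visible, e.g. `/* re-runs bridge forwarding after a MAC rewrite; rules must be idempotent on re-entry */`. The ebt_ops_nat array continues outside the hunk.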



 本文转自 dog250 51CTO博客,原文链接:http://blog.51cto.com/dog250/1271200

