Updated NAT kernel patch for 4.19 buster #147
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
lguohan
pushed a commit
to sonic-net/sonic-buildimage
that referenced
this pull request
Jul 1, 2020
Updated the NAT iptables patch for 4.19 buster Depends on PR : sonic-net/sonic-linux-kernel#147 1 Known issue: With both NAT patch files for 4.19 buster kernel, seeing 1 display issue in iptables like explained below On Docker NAT, iptables supported version is 1.6.0 and on base OS it’s 1.8.2. So seeing an display issue of which fullcone option is not showing in version 1.8.2 iptables output and no issues in functionality. Display issue – For example of comparsion: NAT Docker: root@sonic:/home/admin# docker exec -it nat bash root@sonic:/# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1 fullcone Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 30 packets, 2749 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 30 packets, 2749 bytes) pkts bytes target prot opt in out source destination root@sonic:/# Base OS: root@sonic:/home/admin# iptables-legacy -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 1 36 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1 Chain INPUT (policy ACCEPT 1 packets, 36 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 41 packets, 3572 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 41 packets, 3572 bytes) pkts bytes target prot opt in out source destination root@sonic:/home/admin# To fix this issue, iptables need to update from 1.6.0 to 1.8.2 version and have to update the NAT docker from stretch to buster. Will raise a new PR with this. Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
qiluo-msft
pushed a commit
to qiluo-msft/sonic-buildimage
that referenced
this pull request
Jul 12, 2020
…et#4843) Updated the NAT iptables patch for 4.19 buster Depends on PR : sonic-net/sonic-linux-kernel#147 1 Known issue: With both NAT patch files for 4.19 buster kernel, seeing 1 display issue in iptables like explained below On Docker NAT, iptables supported version is 1.6.0 and on base OS it’s 1.8.2. So seeing an display issue of which fullcone option is not showing in version 1.8.2 iptables output and no issues in functionality. Display issue – For example of comparsion: NAT Docker: root@sonic:/home/admin# docker exec -it nat bash root@sonic:/# iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1 fullcone Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 30 packets, 2749 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 30 packets, 2749 bytes) pkts bytes target prot opt in out source destination root@sonic:/# Base OS: root@sonic:/home/admin# iptables-legacy -t nat -nvL Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 1 36 DNAT all -- * * 0.0.0.0/0 0.0.0.0/0 to:1.1.1.1 Chain INPUT (policy ACCEPT 1 packets, 36 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 41 packets, 3572 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 41 packets, 3572 bytes) pkts bytes target prot opt in out source destination root@sonic:/home/admin# To fix this issue, iptables need to update from 1.6.0 to 1.8.2 version and have to update the NAT docker from stretch to buster. Will raise a new PR with this. Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
paulmenzel
added a commit
to paulmenzel/sonic-linux-kernel
that referenced
this pull request
Nov 6, 2020
Fixes: c6aeedd ("Updated NAT kernel patch for 4.19 buster (sonic-net#147)") Cc: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
paulmenzel
added a commit
to paulmenzel/sonic-linux-kernel
that referenced
this pull request
Nov 6, 2020
The format created by `git format-patch` allows to easily apply the patch to the Linux source with `git am`, simplying development and upstreaming. Note, the header was removed when forward porting the patch to a newer Linux kernel version. Fixes: c6aeedd ("Updated NAT kernel patch for 4.19 buster (sonic-net#147)") Cc: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
paulmenzel
added a commit
to paulmenzel/sonic-linux-kernel
that referenced
this pull request
Nov 6, 2020
Copy the Signed-off-by line from merge/pull request description [1]. [1]: sonic-net#147
Kalimuthu-Velappan
pushed a commit
to Kalimuthu-Velappan/sonic-linux-kernel
that referenced
this pull request
Dec 10, 2020
The format created by `git format-patch` allows to easily apply the patch to the Linux source with `git am`, simplying development and upstreaming. Note, the header was removed when forward porting the patch to a newer Linux kernel version. Fixes: c6aeedd ("Updated NAT kernel patch for 4.19 buster (sonic-net#147)") Cc: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
Kalimuthu-Velappan
pushed a commit
to Kalimuthu-Velappan/sonic-linux-kernel
that referenced
this pull request
Dec 10, 2020
Copy the Signed-off-by line from merge/pull request description [1]. [1]: sonic-net#147
paulmenzel
added a commit
to paulmenzel/sonic-linux-kernel
that referenced
this pull request
Jan 18, 2021
The format created by `git format-patch` allows to easily apply the patch to the Linux source with `git am`, simplying development and upstreaming. Note, the header was removed when forward porting the patch to a newer Linux kernel version. Fixes: c6aeedd ("Updated NAT kernel patch for 4.19 buster (sonic-net#147)") Cc: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
paulmenzel
added a commit
to paulmenzel/sonic-linux-kernel
that referenced
this pull request
Jan 18, 2021
Copy the Signed-off-by line from merge/pull request description [1]. [1]: sonic-net#147
keboliu
pushed a commit
to keboliu/sonic-linux-kernel-repo
that referenced
this pull request
Aug 5, 2021
Subject: [PATCH] netfilter: nf_nat: Support fullcone NAT
Changes done in the kernel to ensure 3-tuple uniqueness of the conntrack
entries for the fullcone nat functionality.
* Hashlist is maintained for the 3-tuple unique keys (Protocol/Source
IP/Port) for all the conntrack entries.
* When NAT table rules are created with the fullcone option, the
SNAT/POSTROUTING stage ensures the ports from the pool are picked up in
such a way that the 3-tuple is uniquely assigned.
* In the DNAT/POSTROUTING stage, the fullcone behavior is ensured by checking
and reusing the 3-tuple for the Source IP/Port in the original direction.
* When the pool is exhausted of the 3-tuple assignments, the packets are
dropped, else, they will be going out of the router they being 5-tuple
unique (which is not intended).
* Passing fullcone option using iptables is part of another PR (in
sonic-buildimage repo).
The kernel changes mentioned above are done to counter the challenges
explained in the section *3.4.2.1 Handling NAT model mismatch between
the ASIC and the Kernel* in the NAT HLD [1].
[1]: https://github.com/kirankella/SONiC/blob/nat_doc_changes/doc/nat/nat_design_spec.md
Signed-off-by: Kiran Kella <kiran.kella@broadcom.com>
[forward port to Linux v4.19, sonic-net/sonic-linux-kernel#147]
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
keboliu
pushed a commit
to keboliu/sonic-linux-kernel-repo
that referenced
this pull request
Aug 5, 2021
Subject: [PATCH] netfilter: nf_nat: Support fullcone NAT
Changes done in the kernel to ensure 3-tuple uniqueness of the conntrack
entries for the fullcone nat functionality.
* Hashlist is maintained for the 3-tuple unique keys (Protocol/Source
IP/Port) for all the conntrack entries.
* When NAT table rules are created with the fullcone option, the
SNAT/POSTROUTING stage ensures the ports from the pool are picked up in
such a way that the 3-tuple is uniquely assigned.
* In the DNAT/POSTROUTING stage, the fullcone behavior is ensured by checking
and reusing the 3-tuple for the Source IP/Port in the original direction.
* When the pool is exhausted of the 3-tuple assignments, the packets are
dropped, else, they will be going out of the router they being 5-tuple
unique (which is not intended).
* Passing fullcone option using iptables is part of another PR (in
sonic-buildimage repo).
The kernel changes mentioned above are done to counter the challenges
explained in the section *3.4.2.1 Handling NAT model mismatch between
the ASIC and the Kernel* in the NAT HLD [1].
[1]: https://github.com/kirankella/SONiC/blob/nat_doc_changes/doc/nat/nat_design_spec.md
Signed-off-by: Kiran Kella <kiran.kella@broadcom.com>
[forward port to Linux v4.19, sonic-net/sonic-linux-kernel#147]
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
keboliu
pushed a commit
to keboliu/sonic-linux-kernel-repo
that referenced
this pull request
Jun 20, 2022
Subject: [PATCH] netfilter: nf_nat: Support fullcone NAT
Changes done in the kernel to ensure 3-tuple uniqueness of the conntrack
entries for the fullcone nat functionality.
* Hashlist is maintained for the 3-tuple unique keys (Protocol/Source
IP/Port) for all the conntrack entries.
* When NAT table rules are created with the fullcone option, the
SNAT/POSTROUTING stage ensures the ports from the pool are picked up in
such a way that the 3-tuple is uniquely assigned.
* In the DNAT/POSTROUTING stage, the fullcone behavior is ensured by checking
and reusing the 3-tuple for the Source IP/Port in the original direction.
* When the pool is exhausted of the 3-tuple assignments, the packets are
dropped, else, they will be going out of the router they being 5-tuple
unique (which is not intended).
* Passing fullcone option using iptables is part of another PR (in
sonic-buildimage repo).
The kernel changes mentioned above are done to counter the challenges
explained in the section *3.4.2.1 Handling NAT model mismatch between
the ASIC and the Kernel* in the NAT HLD [1].
[1]: https://github.com/kirankella/SONiC/blob/nat_doc_changes/doc/nat/nat_design_spec.md
Signed-off-by: Kiran Kella <kiran.kella@broadcom.com>
[forward port to Linux v4.19, sonic-net/sonic-linux-kernel#147]
Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updated NAT kernel patch for 4.19 buster and enabled the "Support-for-fullcone-nat.patch" in series.
Depends on : sonic-net/sonic-buildimage#4843
Signed-off-by: Akhilesh Samineni akhilesh.samineni@broadcom.com