From 55c3ec0ae91565160c346f5df03397f5b8885c2b Mon Sep 17 00:00:00 2001 From: Paul Menzel Date: Fri, 6 Nov 2020 22:42:14 +0100 Subject: [PATCH] patch/Support-for-fullcone-nat: Add commit message body Copy the description (including Signed-off-by line) of merge/pull request #100 (Added support in the kernel for fullcone 3-tuple unique nat.) [1]. [1]: https://github.com/Azure/sonic-linux-kernel/pull/100 --- patch/Support-for-fullcone-nat.patch | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/patch/Support-for-fullcone-nat.patch b/patch/Support-for-fullcone-nat.patch index 0f827710d..5d8715072 100644 --- a/patch/Support-for-fullcone-nat.patch +++ b/patch/Support-for-fullcone-nat.patch @@ -3,6 +3,33 @@ 
From: Kiran Kella Date: Fri, 6 Sep 2019 20:54:19 -0700 Subject: [PATCH] netfilter: nf_nat: Support fullcone NAT +Changes done in the kernel to ensure 3-tuple uniqueness of the conntrack +entries for the fullcone nat functionality. + +* Hashlist is maintained for the 3-tuple unique keys (Protocol/Source + IP/Port) for all the conntrack entries. + +* When NAT table rules are created with the fullcone option, the + SNAT/POSTROUTING stage ensures the ports from the pool are picked up in + such a way that the 3-tuple is uniquely assigned. + +* In the DNAT/POSTROUTING stage, the fullcone behavior is ensured by checking + and reusing the 3-tuple for the Source IP/Port in the original direction. + +* When the pool is exhausted of the 3-tuple assignments, the packets are + dropped, else, they will be going out of the router they being 5-tuple + unique (which is not intended). + +* Passing fullcone option using iptables is part of another PR (in + sonic-buildimage repo). + +The kernel changes mentioned above are done to counter the challenges +explained in the section *3.4.2.1 Handling NAT model mismatch between +the ASIC and the Kernel* in the NAT HLD [1]. + +[1]: https://github.com/kirankella/SONiC/blob/nat_doc_changes/doc/nat/nat_design_spec.md + +Signed-off-by: Kiran Kella --- include/net/netfilter/nf_conntrack.h | 3 + include/net/netfilter/nf_nat.h | 6 +
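Review bot: The added body text says "In the DNAT/POSTROUTING stage", which is almost certainly a typo carried over from the PR description, since DNAT is applied in the PREROUTING hook in netfilter (the preceding bullet correctly pairs SNAT with POSTROUTING); if the embedded patch is meant to be readable on its own, consider correcting it to "DNAT/PREROUTING" here rather than copying the wording verbatim. Also check that the hunk keeps a blank line between the "Subject: [PATCH] netfilter: nf_nat: Support fullcone NAT" header and the first body line "+Changes done in the kernel ...": in the context shown the body appears to start directly after the Subject line, and mailbox-format patch tooling needs that separator to tell headers from the message body. Finally, the "[1]:" reference in the new body points at a branch in a personal fork (kirankella/SONiC, nat_doc_changes), which may disappear; a link to the merged design document in the upstream SONiC repository would be a more durable reference.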