Skip to content

Commit

Permalink
patch/Support-for-fullcone-nat: Add commit message body
Browse files Browse the repository at this point in the history
Copy the description (including Signed-off-by line) of merge/pull
request sonic-net#100 (Added support in the kernel for fullcone 3-tuple unique
nat.) [1].

[1]: sonic-net#100
  • Loading branch information
paulmenzel authored and Kalimuthu-Velappan committed Dec 5, 2020
1 parent 8dc0841 commit 55c3ec0
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions patch/Support-for-fullcone-nat.patch
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,33 @@ From: Kiran Kella <kiran.kella@broadcom.com>
Date: Fri, 6 Sep 2019 20:54:19 -0700
Subject: [PATCH] netfilter: nf_nat: Support fullcone NAT

Changes done in the kernel to ensure 3-tuple uniqueness of the conntrack
entries for the fullcone nat functionality.

* Hashlist is maintained for the 3-tuple unique keys (Protocol/Source
IP/Port) for all the conntrack entries.

* When NAT table rules are created with the fullcone option, the
SNAT/POSTROUTING stage ensures the ports from the pool are picked up in
such a way that the 3-tuple is uniquely assigned.

* In the DNAT/POSTROUTING stage, the fullcone behavior is ensured by checking
and reusing the 3-tuple for the Source IP/Port in the original direction.

* When the pool is exhausted of the 3-tuple assignments, the packets are
dropped, else, they will be going out of the router they being 5-tuple
unique (which is not intended).

* Passing fullcone option using iptables is part of another PR (in
sonic-buildimage repo).

The kernel changes mentioned above are done to counter the challenges
explained in the section *3.4.2.1 Handling NAT model mismatch between
the ASIC and the Kernel* in the NAT HLD [1].

[1]: https://github.com/kirankella/SONiC/blob/nat_doc_changes/doc/nat/nat_design_spec.md

Signed-off-by: Kiran Kella <kiran.kella@broadcom.com>
---
include/net/netfilter/nf_conntrack.h | 3 +
include/net/netfilter/nf_nat.h | 6 +
Expand Down

0 comments on commit 55c3ec0

Please sign in to comment.