kernel-janitors@vger.kernel.org
bdschuym@pandora.be
...相关的收件人邮箱
Hi,everyone
As we know,the NAT netfilter-hook for IP hooking at OUTPUT is called after routing,so we must rerouting if the destinaton or source address is changed by NAT after the hook.It's all right as the kernel shown for us.But I don't see any logic for rerouting after the bridged-NAT.If bridge-NAT changes a destination or source MAC address,we should do bridge-rerouting as the IP-layer do.
I have only the kernel of version 2.6.8,so I patch on it.Thought the bridge-logic of kernel source of version 2.6.3X has not been changed,it's no matter to patch on kernel of version 2.6.8.
Best wishes
...邮件签名
--- kernel-source-2.6.8/net/bridge/netfilter/ebtable_nat.c 2004-08-14 01:38:09.000000000 -0400
+++ kernel-source-2.6.8/net/bridge/netfilter/ebtable_nat.c 2010-09-25 23:18:13.040825944 -0400
//以上不标准,正确的做法应该是在git源码树上修改...
@@ -10,6 +10,7 @@
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/module.h>
+#include "../br_private.h"
#define NAT_VALID_HOOKS ((1 << NF_BR_PRE_ROUTING) | (1 << NF_BR_LOCAL_OUT) | /
(1 << NF_BR_POST_ROUTING))
@@ -61,6 +62,30 @@
};
static unsigned int
+ebt_nat_dst_local(unsigned int hook, struct sk_buff **pskb, const struct net_device *in
+ , const struct net_device *out, int (*okfn)(struct sk_buff *))
+{
+ struct net_bridge *br = netdev_priv(out);
+ struct net_bridge_fdb_entry *dst;
+ char orig_mac[ETH_ALEN] = {0};
+ unsigned int ret = 0;
+ memcpy(orig_mac, ((**pskb).mac.ethernet)->h_dest, ETH_ALEN * sizeof(unsigned char));
+ ret = ebt_do_table(hook, pskb, in, out, &frame_nat);
+ if (strncmp(((**pskb).mac.ethernet)->h_dest, orig_mac, ETH_ALEN)) {
+ rcu_read_lock();
+ if ((((**pskb).mac.ethernet)->h_dest)[0] & 1)
+ br_flood_deliver(br, *pskb, 0);
+ else if ((dst = __br_fdb_get(br, ((**pskb).mac.ethernet)->h_dest)) != NULL)
+ br_deliver(dst->dst, *pskb);
+ else
+ br_flood_deliver(br, *pskb, 0);
+ rcu_read_unlock();
+ return NF_STOLEN;
+
+ }
+ return ret;
+}
+static unsigned int
ebt_nat_dst(unsigned int hook, struct sk_buff **pskb, const struct net_device *in
, const struct net_device *out, int (*okfn)(struct sk_buff *))
{
@@ -76,7 +101,7 @@
static struct nf_hook_ops ebt_ops_nat[] = {
{
- .hook = ebt_nat_dst,
+ .hook = ebt_nat_dst_local,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.hooknum = NF_BR_LOCAL_OUT,
一个实用并且确实的内核补丁--关于桥接nat的
原创
©著作权归作者所有:来自51CTO博客作者dog250的原创作品,请联系作者获取转载授权,否则将追究法律责任
提问和评论都可以,用心的回复会被更多人看到
评论
发布评论
相关文章
-
小谈设计模式(23)—桥接模式
对Java设计模式中的桥接模式进行了详细解读
桥接模式 插入图片 设计模式 -
NAT\桥接\hostonly的区别
NAT桥接hostonly
NAT brige 桥接 -
网络:仅主机/nat/桥接
网络:仅主机/nat/桥接
网络:仅主机/nat/桥接