On Wed, Nov 23, 2022 at 06:21:15PM -0300, Marcelo Ricardo Leitner wrote:
> On Wed, Nov 23, 2022 at 02:55:05PM -0500, Xin Long wrote:
> > On Wed, Nov 23, 2022 at 2:17 PM Marcelo Ricardo Leitner
> > <[email protected]> wrote:
[...]
> > > > "table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+new
> > > > actions=ct(nat(dst=7.7.16.3)),ct(commit, nat(src=7.7.16.1),
> > > > alg=ftp),veth2"
> > > >
> > > > as long as it allows the 1st one doesn't commit, which is a simple
> > > > check in parse_nat().
> > > > I tested it, TC already supports it. I'm not sure about drivers, but I
> > >
> > > There's an outstanding issue with act_ct that it may reuse an old
> > > CT cache. Fixing it could (I'm not sure) impact this use case:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2099220
> > > same issue in ovs was fixed in
> > > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2061ecfdf2350994e5b61c43e50e98a7a70e95ee
> > >
> > > (please don't ask me who would NAT and then overwrite IP addresses and
> > > then NAT it again :D)
> > I thought only traditional NAT would change IP, I'm too naive.
> >
> > nftables names this as "stateless NAT."
> > With two CTs in the same zone for full nat is more close to the
> > netfilter's NAT processing (the same CT goes from prerouting to
> > postrouting).
> > Now I'm wondering how nftables handles the stateful NAT and stateless
> > NAT at the same time.
>
> Me too.

There is a 'notrack' action to skip connection tracking for the flows where the user needs stateless NAT.

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
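The "1st one doesn't commit" rule discussed above, as an added illustration that is not code from the thread or from OVS/TC: a small parser for the nested ct(...) action syntax and a hypothetical parse_nat()-style validator that rejects a flow where any ct(nat(...)) before the last one also commits. The generalization to more than two ct() actions is mine; the sample flow is the one quoted in the thread.

```python
# Constructed sample: the double-ct flow quoted in the thread.
FLOW = ("table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+new "
        "actions=ct(nat(dst=7.7.16.3)),ct(commit, nat(src=7.7.16.1), alg=ftp),veth2")


def split_top_level(s):
    """Split on commas that are not enclosed in parentheses."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        if ch == ',' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def parse_ct_actions(flow):
    """Return one dict per ct(...) action: whether it commits and its nat() argument
    (None when the action has no nat, '' for a bare 'nat')."""
    actions = flow.split('actions=', 1)[1]
    result = []
    for act in split_top_level(actions):
        if not (act.startswith('ct(') and act.endswith(')')):
            continue
        args = split_top_level(act[3:-1])
        entry = {'commit': 'commit' in args, 'nat': None}
        for a in args:
            if a == 'nat':
                entry['nat'] = ''
            elif a.startswith('nat(') and a.endswith(')'):
                entry['nat'] = a[4:-1]
        result.append(entry)
    return result


def check_nat_chain(flow):
    """Hypothetical parse_nat()-style check: only the final ct(nat(...)) may commit.
    Earlier ones rewrite the packet but must not create a conntrack entry, so the
    connection is entered into conntrack once, with both translations applied."""
    nat_cts = [c for c in parse_ct_actions(flow) if c['nat'] is not None]
    return all(not c['commit'] for c in nat_cts[:-1])
```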
