Skip to content

PussAzuki/natflow

3 Branches95 Tags
This branch is 1 commit ahead of, 265 commits behind ptpt52/natflow:master.

Folders and files

NameName
Last commit message
Last commit date

Latest commit

PussAzukiPussAzuki
build: compat with kernel >= 5.15.36
May 12, 2022
22bca4c · May 12, 2022

History

390 Commits
.gitignore
.gitignore
Jul 25, 2020
Makefile
Makefile
Oct 30, 2021
Makefile.dkms
Makefile.dkms
Nov 1, 2021
README.md
README.md
Apr 11, 2022
USER.md
USER.md
Mar 16, 2022
dkms.conf
dkms.conf
Nov 1, 2021
natflow.h
natflow.h
Apr 30, 2022
natflow_common.c
natflow_common.c
May 1, 2022
natflow_common.h
natflow_common.h
May 12, 2022
natflow_conntrack.c
natflow_conntrack.c
Apr 11, 2022
natflow_conntrack.h
natflow_conntrack.h
Oct 30, 2021
natflow_main.c
natflow_main.c
Apr 16, 2022
natflow_path.c
natflow_path.c
May 1, 2022
natflow_path.h
natflow_path.h
Apr 16, 2022
natflow_urllogger.c
natflow_urllogger.c
Apr 2, 2022
natflow_urllogger.h
natflow_urllogger.h
Jun 27, 2021
natflow_user.c
natflow_user.c
Apr 30, 2022
natflow_user.h
natflow_user.h
Apr 2, 2022
natflow_zone.c
natflow_zone.c
Apr 2, 2020
natflow_zone.h
natflow_zone.h
Aug 21, 2018

Repository files navigation

natflow

A fast forwarding stanalone kernel module with zero-patch to kernel. It could be a lite replacement of kmod-ipt-offload.

Notes

Only work for x-wrt(https://github.com/x-wrt/x-wrt)

hwnat support for mt7621/mt7622

port--port hwnat supported:
port---ppe---port

wifi--port hwnat supported:
wifi--cpu--ppe---port

the wifi pure hardware nat for mt7622 is not supported yet. for now it just works as mt7621

wifi--cpu--ppe--port

build

To build with path and urllogger module run:

make EXTRA_CFLAGS="-DCONFIG_NATFLOW_PATH -DCONFIG_NATFLOW_URLLOGGER"

CONFIG_HWNAT_EXTDEV_USE_VLAN_HASH option to make hwnat ext dev work via vlan hash mode, this mode would disable bridge vlan filter. this is required on MT7622 if hwnat ext dev is needed.

make EXTRA_CFLAGS="-DCONFIG_HWNAT_EXTDEV_USE_VLAN_HASH"

CONFIG_HWNAT_EXTDEV_DISABLED option to disable hwnat ext dev. if this is set, bridge vlan filter could be sure to work on MT7622.

make EXTRA_CFLAGS="-DCONFIG_HWNAT_EXTDEV_DISABLED"

Warnning

Since kernel < 4.10 cannot handle NF_STOLEN in ingress hook correctly, so kernel patch needed:

diff --git a/include/linux/netfilter_ingress.h b/include/linux/netfilter_ingress.h
index 5fcd375ef175..b407128a35c0 100644
--- a/include/linux/netfilter_ingress.h
+++ b/include/linux/netfilter_ingress.h
@@ -17,11 +17,15 @@ static inline bool nf_hook_ingress_active(const struct sk_buff *skb)
 static inline int nf_hook_ingress(struct sk_buff *skb)
 {
        struct nf_hook_state state;
+       int ret;
 
        nf_hook_state_init(&state, &skb->dev->nf_hooks_ingress,
                           NF_NETDEV_INGRESS, INT_MIN, NFPROTO_NETDEV,
                           skb->dev, NULL, NULL, dev_net(skb->dev), NULL);
-       return nf_hook_slow(skb, &state);
+       ret = nf_hook_slow(skb, &state);
+       if (ret == 0)
+               return -1;
+       return ret;
 }
 
 static inline void nf_hook_ingress_init(struct net_device *dev)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index f39276d1c2d7..905597547b08 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -320,6 +320,8 @@ next_hook:
                                goto next_hook;
                        kfree_skb(skb);
                }
+       } else if (verdict == NF_STOLEN) {
+               ret = 0;
        }
        rcu_read_unlock();
        return ret;

About

natflow hack kernel module

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

95 tags

Packages

No packages published

Languages

  • C 99.8%
  • Makefile 0.2%