Re: [PATCH v3 1/1] nft_ct: Added nfct_seqadj_ext_add() for NAT'ed conntrack.

From: Florian Westphal
Date: Fri Oct 24 2025 - 09:01:12 EST


Andrii Melnychenko <a.melnychenko@xxxxxxx> wrote:
> Client has to connect to the router (192.168.100.2 -> 192.168.100.2),
> while the FTP server would receive the connection from the client
> (192.168.100.2 -> 192.168.33.2).
> So the connection hits SNAT when it's already established and confirmed.
>
> > This sets up snat which calls nf_nat_setup_info which adds the
> > seqadj extension.
>
> So, we still need to add seqadj allocation for DNAT.
> I will propose a new patch v4 with `regs->verdict.code = NF_DROP;`.

Yes, just resend your previous patch with the DROP added to force
rexmit rather than ending up with a non-working/stuck connection.

> And later, I can provide a new ruleset for tests in `nft_ftp` for `nftables`.

Thank you.

> Any suggestions?

You can send the bug fix now and follow up with a different config later;
you can just extend the existing test case or, if you think your scenario
differs too much, add a new one.