Finally solve the problem that Linux NAT takes effect immediately

Source: Internet
Author: User
Introduction: Linux NAT cannot take effect in a timely manner because it is built on ip_conntrack. If a packet of a flow was already bound to an ip_conntrack entry before the NAT iptables rule was added, the rule does not apply to that flow until the ip_conntrack entry expires; and if the flow keeps sending without pause, the entry never expires and the rule is effectively deadlocked.
Naming and ideas

I don't know how to name my module. My English is so bad, and my wife is so busy that she refuses to help me. I can't use a Chinese name, so I can only use a placeholder name like XXX. I will not use aaa or abc: that would make people feel that I am irresponsible, a little cynical, or too hasty to wait for everything to come together; in reality I am also arrogant in the face of criticism from leaders and ridicule from peers. Once I have learned the lesson, I will use XXX.

Part 1: iptables module file libxt_XXX.c
/** "XXX" target extension for iptables! One of them is a guise, just to use iptables! ** This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License; either * version 2 of the License, or any later version, as published by the * Free Software Foundation. */# include
 
  
# Include
  
   
# Include "compat_user.h" static void xxx_tg_help (void) {printf ("XXX takes no options \ n");} static int xxx_tg_parse (int c, char ** argv, int invert, unsigned int * flags, const void * entry, struct xt_entry_target ** target) {return 0;} static void xxx_tg_check (unsigned int flags) {} static struct xtables_target xxx_tg_reg = {. version = XTABLES_VERSION ,. name = "XXX ",. revision = 1 ,. family = NFPROTO_IPV4 ,. help = xxx_tg_help ,. parse = xxx_tg_parse,}; static _ attribute _ (constructor) void xxx_tg_ldr (void) {xtables_register_target (& xxx_tg_reg );}
  
 

iptables -t mangle -A PREROUTING ... -j XXX
Part 2: kernel module xt_XXX.c
/*
 * xt_XXX - kernel module to drop and re-create a conntrack entry so that
 * NAT can take effect.
 *
 * Original author: Wangran
 */
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_queue.h>
#include <net/netfilter/nf_conntrack.h>
#include "compat_xtables.h"

MODULE_AUTHOR("Wangran");
MODULE_DESCRIPTION("Xtables: xxx match module");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_xxx");

/*
 * The queue handler captures the packet and then re-injects it. The difference
 * from a plain re-injection is:
 * 1. if it is a NOTRACK packet, re-inject it directly;
 * 2. if it is not bound to any conntrack, re-inject it directly;
 * 3. if it is bound to a conntrack, kill the conntrack and then re-inject it,
 *    3.1 not at the original position, but at the very beginning of PREROUTING,
 *        so the packet runs through the NAT hooks again as a NEW packet.
 * Note: although the TARGET itself already filters out cases 1 and 2, they are
 * still checked here; the TARGET knows that, but resetct_queue does not.
 */
static int resetct_queue(struct nf_queue_entry *entry, unsigned queue_num)
{
	struct sk_buff *skb = entry->skb;
	struct nf_conn *ct = NULL;
	enum ip_conntrack_info ctinfo;

	if (nf_ct_is_untracked(skb))
		goto reinject;
	else if (!(ct = nf_ct_get(skb, &ctinfo)))
		goto reinject;
	else {
		/*
		 * Reinitialize the conntrack: drop the skb's binding and kill the
		 * entry, so the packet is NEW again and can be NATed; then point
		 * the re-injection at the head of the hook list for this hook.
		 */
		struct list_head *elem = &nf_hooks[entry->pf][entry->hook];

		nf_reset(skb);
		nf_ct_kill(ct);
		entry->elem = list_entry(elem, struct nf_hook_ops, list);
	}
reinject:
	nf_reinject(entry, NF_ACCEPT);
	return 0;
}

/*
 * The XXX TARGET queues the following kind of packet: its conntrack is in the
 * NEW state and has already been confirmed. Such a packet will never match any
 * NAT rule again until its conntrack entry expires!
 */
static unsigned int
xxx_tg4(struct sk_buff **skb, const struct xt_action_param *par)
{
	struct nf_conn *ct;
	enum ip_conntrack_info ctinfo;

	ct = nf_ct_get(*skb, &ctinfo);
	if (!ct || ct == &nf_conntrack_untracked)
		return XT_CONTINUE;
	/* Only process packets in the original direction; otherwise... */
	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY)
		return XT_CONTINUE;
	/* A NEW, not yet confirmed packet will still go through NAT normally. */
	if (ctinfo == IP_CT_NEW && !nf_ct_is_confirmed(ct))
		return XT_CONTINUE;
	return NF_QUEUE;
}

static struct nf_queue_handler xxxqh = {
	.name  = "resetct",
	.outfn = resetct_queue,
};

static struct xt_target xxx_tg_reg[] __read_mostly = {
	{
		.name     = "XXX",
		.revision = 1,
		.family   = NFPROTO_IPV4,
		.table    = "mangle",
		.hooks    = 1 << NF_INET_PRE_ROUTING,
		.target   = xxx_tg4,
		.me       = THIS_MODULE,
	},
};

static int __init xt_xxx_target_init(void)
{
	int status = 0;

	status = nf_register_queue_handler(NFPROTO_IPV4, &xxxqh);
	if (status < 0) {
		printk(KERN_ERR "XXX: register queue handler error\n");
		goto err;
	}
	status = xt_register_targets(xxx_tg_reg, ARRAY_SIZE(xxx_tg_reg));
	if (status < 0) {
		printk(KERN_ERR "XXX: register target error\n");
		/* Do not leave the queue handler registered on failure. */
		nf_unregister_queue_handler(NFPROTO_IPV4, &xxxqh);
		goto err;
	}
err:
	return status;
}

static void __exit xt_xxx_target_exit(void)
{
	nf_unregister_queue_handlers(&xxxqh);
	xt_unregister_targets(xxx_tg_reg, ARRAY_SIZE(xxx_tg_reg));
}

module_init(xt_xxx_target_init);
module_exit(xt_xxx_target_exit);
Part 3: usage

Generally, you can use the following command:

iptables -t mangle -A PREROUTING -j XXX

In this case, all incoming packets will execute the following logic:

 


This amounts to throwing away the whole optimization that ip_conntrack provides, since every packet of every established flow would be queued and its entry killed. Such a reckless approach is not my goal. I intend it to be used together with other matches such as mark and condition, so that unrelated packets are filtered out without ever being touched and the usual path is still taken; this is exactly why I have always insisted on using iptables rather than some other user-space/kernel-space communication mechanism. Just like the fast/slow matching scheme based on ip_conntrack that I described earlier, this timely NAT matching can use similar logic:

iptables -t mangle -A PREROUTING -m condition --condition slow ... -j XXX
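The same goal, removing a flow's conntrack entry so that its next packet re-enters NAT as NEW, can also be reached once from user space with the conntrack tool from conntrack-tools, without the kernel module. The script below is an added example and is not part of the original post or of the XXX module: it parses `conntrack -L` output (the line layout is assumed from conntrack-tools; the three table lines are constructed for this example), reports entries whose original tuple matches the destination of a newly added rule but whose reply tuple is the plain swap of the original, meaning no NAT mapping was ever applied to the flow, and builds the `conntrack -D` commands that would drop exactly those entries. The function names, the sample addresses and the helper `ct_delete_cmds` are this example's own.

```shell
#!/bin/sh
# Added example (not the original post's code): find conntrack entries that a
# freshly added NAT rule for DST:DPORT will never rewrite, and build the
# `conntrack -D` commands that drop them so the flow is re-created as NEW.
# Assumes the `conntrack -L` layout of conntrack-tools:
#   proto num timeout [STATE] src= dst= sport= dport= [flags] src= dst= sport= dport= ...
# where the first src/dst/sport/dport group is the original tuple and the
# second group is the reply tuple.

# Constructed sample table: flow 1 is already DNATed to 10.0.0.5 (its reply
# src differs from the original dst), flow 2 is a stale flow with no NAT
# mapping at all, flow 3 is an unrelated DNS flow.
SAMPLE_CT='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.1 sport=45678 dport=80 src=10.0.0.5 dst=192.168.1.10 sport=80 dport=45678 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.11 dst=203.0.113.1 sport=45679 dport=80 src=203.0.113.1 dst=192.168.1.11 sport=80 dport=45679 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.12 dst=203.0.113.1 sport=5353 dport=53 src=203.0.113.1 dst=192.168.1.12 sport=53 dport=5353 mark=0 use=1'

# stale_nat_entries DST DPORT
# Reads conntrack table lines on stdin and prints "proto src dst sport dport"
# (original tuple) for every entry whose original destination matches the new
# rule and whose reply tuple shows that no NAT mapping was applied.
stale_nat_entries() {
    awk -v want_dst="$1" -v want_dport="$2" '
    {
        n_src = n_dst = n_sport = n_dport = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")        { src[++n_src] = kv[2] }
            else if (kv[1] == "dst")   { dst[++n_dst] = kv[2] }
            else if (kv[1] == "sport") { sport[++n_sport] = kv[2] }
            else if (kv[1] == "dport") { dport[++n_dport] = kv[2] }
        }
        # Need both the original and the reply tuple to decide anything.
        if (n_src < 2 || n_dst < 2 || n_sport < 2 || n_dport < 2) next
        if (dst[1] != want_dst || dport[1] != want_dport) next
        # A NATed entry has a reply tuple that is not the plain swap of the
        # original tuple; only the plain swap means "NAT never touched it".
        if (src[2] == dst[1] && dst[2] == src[1] &&
            sport[2] == dport[1] && dport[2] == sport[1])
            print $1, src[1], dst[1], sport[1], dport[1]
    }'
}

# ct_delete_cmds
# Turns "proto src dst sport dport" lines into conntrack -D command lines.
# They are printed, not executed, so the operator can review them first.
ct_delete_cmds() {
    while read -r proto src dst sport dport; do
        [ -n "$proto" ] || continue
        printf 'conntrack -D -p %s -s %s -d %s --sport %s --dport %s\n' \
            "$proto" "$src" "$dst" "$sport" "$dport"
    done
}

# Run against the constructed sample: only flow 2 should be reported.
printf '%s\n' "$SAMPLE_CT" | stale_nat_entries 203.0.113.1 80 | ct_delete_cmds
```

Piping a live `conntrack -L` through `stale_nat_entries` instead of the sample shows, without deleting anything, which flows a newly added rule is not reaching. Unlike the XXX target this is a one-off repair after a rule change rather than a per-packet mechanism, so it does not replace the mark/condition filtering described above; it is the check to run before concluding that a NAT rule is broken.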