
RDKB-64200, RDKB-64413: MAPT KP fix - hashlimit approach / split MAP-T postrouting chains by protocol#327

Merged: snayak002c merged 6 commits into develop from fix/rdkb-64200 on Jun 29, 2026

Conversation

@sivaraj-comcast


Reason for change:
Reduced the rate of new connections by adjusting existing SNAT rules to mitigate an internal kernel race condition. Additionally, MAP-T NAT postrouting rules were separated into distinct TCP, UDP, and ICMP chains, enabling protocol-specific SNAT and hashlimit application. This enhances NAT46/MAP-T processing and ensures accurate, per-protocol rate limiting.

Test Procedure:

  1. Verify creation of postrouting_towan_tcp, postrouting_towan_udp,
    and postrouting_towan_icmp chains in iptables.
  2. Confirm SNAT rules are applied correctly for TCP, UDP, and ICMP
    with expected port ranges and hashlimit behavior.
  3. Validate connectivity for IPv4 clients behind MAPT/NAT46 setup.

Risks: Low
Priority: P1
Gerrit Change-Ids: If42a964aa73e89e95928c0193e032c26f265dc4d, I621e8fdf51c00ff24315a52452d4ea8f50b62075
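The port ranges the description's per-protocol SNAT rules are built from, as an added example (not the firewall.c code from this PR): it derives the MAP-T port ranges for one PSID per RFC 7597 section 5.1, including the offset == 0 single-range case, and emits the three per-protocol SNAT rules for each range. Chain names, the connlimit sizing and the mapt_udp_<k%5> hashlimit naming follow the PR; the PSID parameters and the 192.0.2.10 address are constructed.

```c
#include <stdio.h>
#include <stdint.h>

/* Number of contiguous port ranges one PSID owns under RFC 7597 5.1:
 * 2^offset - 1 when offset > 0 (A = 0 is excluded so the system ports
 * 0-1023 are never handed out), or a single range when offset == 0. */
int mapt_range_count(int offset)
{
    return offset == 0 ? 1 : (1 << offset) - 1;
}

/* Compute range k (0-based) for a PSID of psid_len bits with the given
 * offset ('a' bits). Returns 0 and fills start/end, or -1 on bad input. */
int mapt_port_range(int psid, int psid_len, int offset, int k,
                    uint16_t *start, uint16_t *end)
{
    int m = 16 - offset - psid_len;          /* contiguous bits per range */
    if (offset < 0 || psid_len < 0 || m < 0 || psid < 0 ||
        psid >= (1 << psid_len) || k < 0 || k >= mapt_range_count(offset))
        return -1;
    int a = offset == 0 ? 0 : k + 1;         /* A field, skips A = 0 */
    *start = (uint16_t)((a << (16 - offset)) | (psid << m));
    *end = (uint16_t)(*start + (1 << m) - 1);
    return 0;
}

/* Emit the split per-protocol SNAT rules for one range in iptables-restore
 * syntax; connlimit-upto is sized to the range as in the PR, and the UDP
 * rule carries the hashlimit gate under the mapt_udp_<k%5> name. */
void emit_range_rules(FILE *fp, const char *ip, int k, uint16_t s, uint16_t e)
{
    int n = e - s + 1;
    fprintf(fp, "-A postrouting_towan_tcp -p tcp -m connlimit --connlimit-upto %d"
            " --connlimit-daddr -j SNAT --to-source %s:%u-%u\n", n, ip, s, e);
    fprintf(fp, "-A postrouting_towan_udp -p udp -m hashlimit --hashlimit-name mapt_udp_%d"
            " --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second"
            " --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr"
            " -j SNAT --to-source %s:%u-%u\n", k % 5, n, ip, s, e);
    fprintf(fp, "-A postrouting_towan_icmp -p icmp -m connlimit --connlimit-upto %d"
            " --connlimit-daddr -j SNAT --to-source %s:%u-%u\n", n, ip, s, e);
}

int main(void)
{
    /* Constructed inputs: RFC 7597 Appendix B parameters, TEST-NET address. */
    uint16_t s, e;
    for (int k = 0; k < mapt_range_count(4); k++)
        if (mapt_port_range(0x34, 8, 4, k, &s, &e) == 0)
            emit_range_rules(stdout, "192.0.2.10", k, s, e);
    return 0;
}
```

With offset 4, PSID length 8 and PSID 0x34 the program prints 15 rule triplets covering 4928-4943 through 62272-62287, each with --connlimit-upto 16.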

hpatel006c and others added 3 commits May 22, 2026 17:17
Reason for change: Reduced the rate of new connections by modifying the existing SNAT rules to prevent internal kernel race condition, thereby eliminating the primary trigger for system crashes.
Test Procedure: Deploy on repeat offenders and monitor for SYS_ERROR_NfConnTuple
Risks: Medium
Priority: P1
Signed-off-by: [email protected]

Change-Id: I621e8fdf51c00ff24315a52452d4ea8f50b62075
Reason for change:
Separate MAPT NAT postrouting rules into TCP, UDP, and ICMP
chains to apply protocol-specific SNAT and hashlimit rules.
This improves NAT46/MAPT handling and ensures proper
rate limiting per protocol.

Test Procedure:
1. Verify creation of postrouting_towan_tcp, postrouting_towan_udp,
   and postrouting_towan_icmp chains in iptables.
2. Confirm SNAT rules are applied correctly for TCP, UDP, and ICMP
   with expected port ranges and hashlimit behavior.
3. Validate connectivity for IPv4 clients behind MAPT/NAT46 setup.

Change-Id: If42a964aa73e89e95928c0193e032c26f265dc4d
Risks: low
Signed-off-by: Santosh Nayak [email protected]
Add an explicit check for `offset` when emitting MAPT SNAT rules and reorganize the per-index conditional branches. Under _XB6_PRODUCT_REQ_, the loop that builds port ranges and SNAT rules is now executed only when `offset != 0`, and ICMP connlimit printing was moved inside that loop. In the alternative branch the code now checks `if (offset == 0)` to print simple connlimit rules, otherwise it uses the previous i/a-based branching (a-1, >a-4, else) to emit hashlimit+connlimit or connlimit-only rules consistently. These changes prevent incorrect/duplicate rule emission when offset is zero and clean up branch structure and formatting.
@sivaraj-comcast sivaraj-comcast requested review from a team as code owners May 25, 2026 17:00
@sivaraj-comcast sivaraj-comcast changed the title RDKB-64200, RDKB-64413: MAPT KP fix - hashlimit approach / split MAP-T postrouting chains by protocol RDKB-64200, RDKB-64413, RDKB-65217: MAPT KP fix - hashlimit approach / split MAP-T postrouting chains by protocol May 27, 2026
@sivaraj-comcast sivaraj-comcast changed the title RDKB-64200, RDKB-64413, RDKB-65217: MAPT KP fix - hashlimit approach / split MAP-T postrouting chains by protocol RDKB-64200, RDKB-64413: MAPT KP fix - hashlimit approach / split MAP-T postrouting chains by protocol May 29, 2026
Copilot AI review requested due to automatic review settings June 2, 2026 22:53

Copilot AI left a comment


Pull request overview

This PR adjusts MAP-T/NAT46 IPv4 NAT POSTROUTING behavior to reduce the rate of new connections (mitigating a kernel race) by applying protocol-specific handling and rate limiting.

Changes:

  • Split MAP-T POSTROUTING processing into separate TCP/UDP/ICMP chains (postrouting_towan_tcp|udp|icmp).
  • Route NEW TCP/UDP flows to protocol-specific chains to enable per-protocol SNAT + hashlimit behavior; ICMP is routed to its own chain.
  • Add chain declarations for the new protocol-specific chains in the primary NAT table generation path.


SanthoshGujulvajagadeesh added a commit that referenced this pull request Jun 3, 2026
…T postrouting chains by protocol (#327)

Reason for change:
Reduced the rate of new connections by adjusting existing SNAT rules to mitigate an internal kernel race condition. Additionally, MAP-T NAT postrouting rules were separated into distinct TCP, UDP, and ICMP chains, enabling protocol-specific SNAT and hashlimit application. This enhances NAT46/MAP-T processing and ensures accurate, per-protocol rate limiting.

Test Procedure:

1. Verify creation of postrouting_towan_tcp, postrouting_towan_udp,
   and postrouting_towan_icmp chains in iptables.
2. Confirm SNAT rules are applied correctly for TCP, UDP, and ICMP
   with expected port ranges and hashlimit behavior.
3. Validate connectivity for IPv4 clients behind MAPT/NAT46 setup.

Risks: Low
Priority: P1

Signed-off-by: [email protected]
Copilot AI review requested due to automatic review settings June 29, 2026 18:01

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Comment on lines 1356 to 1359
#if defined(_HUB4_PRODUCT_REQ_NO_DPORT_)
fprintf(nat_fp, "-A %s -p tcp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
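Review bot: under _HUB4_PRODUCT_REQ_NO_DPORT_ all three protocols are still appended to the single MAPT_NAT_IPV4_POST_ROUTING_TABLE with connlimit only, so this build variant gets neither the per-protocol chains nor the UDP hashlimit gating the PR description promises; if that is intended, say so in a comment, otherwise route these rules to the _TCP/_UDP/_ICMP tables as the other branch does. The three lines differ only in the `-p` argument, so a short loop over the protocol names would remove the triplicated format string.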
Comment on lines 12202 to +12205
fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan");
fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan_tcp");
fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan_udp");
fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan_icmp");
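Review bot: the new chain declarations use bare string literals ("postrouting_towan_tcp", "postrouting_towan_udp", "postrouting_towan_icmp") while the rules that populate them use the MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP/_ICMP macros; declare the chains with the same macros so the names cannot drift, since a mismatch would leave rules appended to a chain that iptables-restore never created and the whole table load would fail.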
fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
}

fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
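Review bot: --hashlimit-upto only matches while the srcip,dstip,dstport tuple is under 60/second, so UDP packets above that rate fall through this SNAT rule; make sure postrouting_towan_udp ends with an explicit terminal rule (DROP, or a connlimit-only SNAT fallback) so over-limit packets are not forwarded to the WAN carrying the client's private source address. Also, `--hashlimit-name mapt_udp_%d` with `i%5` means every fifth port-range rule shares one hashlimit table, so the rate budget is pooled across those ranges rather than per rule; confirm that sharing is intended. The ICMP rule after the loop is connlimit only, which matches the description.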
@snayak002c snayak002c merged commit c68b145 into develop Jun 29, 2026
10 of 11 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 29, 2026