RDKB-64200, RDKB-64413: MAPT KP fix - hashlimit approach / split MAP-T postrouting chains by protocol #327
Open
sivaraj-comcast wants to merge 5 commits into
Reason for change: Reduced the rate of new connections by modifying the existing SNAT rules to prevent an internal kernel race condition, thereby eliminating the primary trigger for system crashes.
Test Procedure: Deploy on repeat offenders and monitor for SYS_ERROR_NfConnTuple
Risks: Medium
Priority: P1
Signed-off-by: Harnish_Patel@comcast.com
Change-Id: I621e8fdf51c00ff24315a52452d4ea8f50b62075
Reason for change: Separate MAPT NAT postrouting rules into TCP, UDP, and ICMP chains to apply protocol-specific SNAT and hashlimit rules. This improves NAT46/MAPT handling and ensures proper rate limiting per protocol.
Test Procedure:
1. Verify creation of postrouting_towan_tcp, postrouting_towan_udp, and postrouting_towan_icmp chains in iptables.
2. Confirm SNAT rules are applied correctly for TCP, UDP, and ICMP with expected port ranges and hashlimit behavior.
3. Validate connectivity for IPv4 clients behind MAPT/NAT46 setup.
Change-Id: If42a964aa73e89e95928c0193e032c26f265dc4d
Risks: low
Signed-off-by: Santosh Nayak SantoshRamesh_Nayak@cable.comcast.com
Add an explicit check for `offset` when emitting MAPT SNAT rules and reorganize the per-index conditional branches. Under _XB6_PRODUCT_REQ_, the loop that builds port ranges and SNAT rules is now executed only when `offset != 0`, and ICMP connlimit printing was moved inside that loop. In the alternative branch the code now checks `if (offset == 0)` to print simple connlimit rules, otherwise it uses the previous i/a-based branching (a-1, >a-4, else) to emit hashlimit+connlimit or connlimit-only rules consistently. These changes prevent incorrect/duplicate rule emission when offset is zero and clean up branch structure and formatting.
snayak002c (Contributor) approved these changes on Jun 2, 2026
Pull request overview
This PR adjusts MAP-T/NAT46 IPv4 NAT POSTROUTING behavior to reduce the rate of new connections (mitigating a kernel race) by applying protocol-specific handling and rate limiting.
Changes:
- Split MAP-T POSTROUTING processing into separate TCP/UDP/ICMP chains (postrouting_towan_tcp|udp|icmp).
- Route NEW TCP/UDP flows to protocol-specific chains to enable per-protocol SNAT + hashlimit behavior; ICMP is routed to its own chain.
- Add chain declarations for the new protocol-specific chains in the primary NAT table generation path.
SanthoshGujulvajagadeesh added a commit that referenced this pull request on Jun 3, 2026:
…T postrouting chains by protocol (#327)
Reason for change: Reduced the rate of new connections by adjusting existing SNAT rules to mitigate an internal kernel race condition. Additionally, MAP-T NAT postrouting rules were separated into distinct TCP, UDP, and ICMP chains, enabling protocol-specific SNAT and hashlimit application. This enhances NAT46/MAP-T processing and ensures accurate, per-protocol rate limiting.
Test Procedure:
1. Verify creation of postrouting_towan_tcp, postrouting_towan_udp, and postrouting_towan_icmp chains in iptables.
2. Confirm SNAT rules are applied correctly for TCP, UDP, and ICMP with expected port ranges and hashlimit behavior.
3. Validate connectivity for IPv4 clients behind MAPT/NAT46 setup.
Risks: Low
Priority: P1
Signed-off-by: Sivaraj_Sivalingam@comcast.com
Reason for change:
Reduced the rate of new connections by adjusting existing SNAT rules to mitigate an internal kernel race condition. Additionally, MAP-T NAT postrouting rules were separated into distinct TCP, UDP, and ICMP chains, enabling protocol-specific SNAT and hashlimit application. This enhances NAT46/MAP-T processing and ensures accurate, per-protocol rate limiting.
Test Procedure:
1. Verify creation of postrouting_towan_tcp, postrouting_towan_udp, and postrouting_towan_icmp chains in iptables.
2. Confirm SNAT rules are applied correctly for TCP, UDP, and ICMP with expected port ranges and hashlimit behavior.
3. Validate connectivity for IPv4 clients behind MAPT/NAT46 setup.
Risks: Low
Priority: P1
Gerrit Change-Ids: If42a964aa73e89e95928c0193e032c26f265dc4d, I621e8fdf51c00ff24315a52452d4ea8f50b62075
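The rule layout this PR describes (per-protocol postrouting_towan chains, SNAT into the MAP-T port-set ranges, hashlimit on NEW flows, connlimit for ICMP, and the offset == 0 single-range case) as an added, stand-alone generator; this is example code, not the project's firewall.c. The interface name erouter0, the rate and burst defaults, the ICMP cap, the RFC 7597 port-set arithmetic and the round-robin spread across port sets are all assumptions, not taken from the PR.

```shell
#!/bin/sh
# Added example, not the project's own firewall code. Emits iptables-restore
# style nat rules for a MAP-T CE: RFC 7597 port-set ranges from (PSID, PSID
# length, offset), one POSTROUTING chain per protocol, SNAT into those ranges
# gated by a per-source hashlimit on NEW TCP/UDP flows, and a connlimit-gated
# ICMP rule. Interface, rate, burst and the ICMP cap are constructed values.

# mapt_port_ranges PSID PSID_LEN OFFSET  -> one "lo-hi" range per line
mapt_port_ranges() {
    psid=$1; k=$2; a_bits=$3
    m=$((16 - a_bits - k))                 # contiguous port bits per range
    if [ "$a_bits" -eq 0 ]; then           # offset 0: a single contiguous range
        lo=$((psid << m)); echo "$lo-$((lo + (1 << m) - 1))"; return
    fi
    a=1                                    # A=0 is excluded (system ports)
    while [ "$a" -lt $((1 << a_bits)) ]; do
        lo=$(( (a << (16 - a_bits)) | (psid << m) ))
        echo "$lo-$((lo + (1 << m) - 1))"
        a=$((a + 1))
    done
}

# gen_mapt_nat WAN_IP PSID PSID_LEN OFFSET [RATE] [BURST]
gen_mapt_nat() {
    ip=$1; rate=${5:-30/sec}; burst=${6:-60}; wan=erouter0
    ranges=$(mapt_port_ranges "$2" "$3" "$4")
    n=$(printf '%s\n' "$ranges" | wc -l | tr -d ' ')
    echo '*nat'
    for p in tcp udp icmp; do echo ":postrouting_towan_$p - [0:0]"; done
    # only NEW TCP/UDP flows enter the protocol chains; ICMP always does
    echo "-A POSTROUTING -o $wan -p tcp -m conntrack --ctstate NEW -j postrouting_towan_tcp"
    echo "-A POSTROUTING -o $wan -p udp -m conntrack --ctstate NEW -j postrouting_towan_udp"
    echo "-A POSTROUTING -o $wan -p icmp -j postrouting_towan_icmp"
    for p in tcp udp; do
        i=0
        for r in $ranges; do     # spread NEW flows round-robin across port sets
            # hashlimit is evaluated first: a source above RATE new flows/s
            # matches no SNAT rule in this chain, so its excess flows are not admitted
            echo "-A postrouting_towan_$p -m hashlimit --hashlimit-name mapt_$p" \
                 "--hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst" \
                 "-m statistic --mode nth --every $((n - i)) --packet 0 -j SNAT --to-source $ip:$r"
            i=$((i + 1))
        done
    done
    echo "-A postrouting_towan_icmp -m connlimit --connlimit-upto 16 --connlimit-mask 32" \
         "-j SNAT --to-source $ip"
    echo 'COMMIT'
}
```

Source the file and pipe `gen_mapt_nat 192.0.2.1 1 8 6` into `iptables-restore --test` to syntax-check the generated ruleset without applying it.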