net/nat: replace net_lock with nat_lock(mutex)

add a new API to protect access and operations on the NAT table Signed-off-by: zhanghongyu <zhanghongyu@xiaomi.com>
2026-05-12 01:42:49 +08:00 · 2025-07-29 20:00:31 +08:00
parent eb60667561
commit eb2bd58640
4 changed files with 80 additions and 15 deletions
@@ -739,6 +739,8 @@ ipv4_nat_outbound_internal(FAR struct net_driver_s *dev,
 void ipv4_nat_inbound(FAR struct net_driver_s *dev,
                      FAR struct ipv4_hdr_s *ipv4)
 {
+  nat_lock();
+
  /* We only process packets from NAT device and targeting at the address
   * assigned to the device.
   */
@@ -748,6 +750,8 @@ void ipv4_nat_inbound(FAR struct net_driver_s *dev,
    {
      ipv4_nat_inbound_internal(ipv4, NAT_MANIP_DST);
    }
+
+  nat_unlock();
 }

 /****************************************************************************
@@ -773,6 +777,8 @@ int ipv4_nat_outbound(FAR struct net_driver_s *dev,
                      FAR struct ipv4_hdr_s *ipv4,
                      enum nat_manip_type_e manip_type)
 {
+  nat_lock();
+
  /* We only process packets targeting at NAT device but not targeting at the
   * address assigned to the device.
   */
@@ -793,6 +799,7 @@ int ipv4_nat_outbound(FAR struct net_driver_s *dev,
        }
    }

+  nat_unlock();
  return OK;
 }

@@ -629,6 +629,8 @@ ipv6_nat_outbound_internal(FAR struct net_driver_s *dev,
 void ipv6_nat_inbound(FAR struct net_driver_s *dev,
                      FAR struct ipv6_hdr_s *ipv6)
 {
+  nat_lock();
+
  /* We only process packets from NAT device and targeting at the address
   * assigned to the device.
   */
@@ -638,6 +640,8 @@ void ipv6_nat_inbound(FAR struct net_driver_s *dev,
    {
      ipv6_nat_inbound_internal(ipv6, NAT_MANIP_DST);
    }
+
+  nat_unlock();
 }

 /****************************************************************************
@@ -663,6 +667,8 @@ int ipv6_nat_outbound(FAR struct net_driver_s *dev,
                      FAR struct ipv6_hdr_s *ipv6,
                      enum nat_manip_type_e manip_type)
 {
+  nat_lock();
+
  /* We only process packets targeting at NAT device but not targeting at the
   * address assigned to the device.
   */
@@ -681,6 +687,7 @@ int ipv6_nat_outbound(FAR struct net_driver_s *dev,
        }
    }

+  nat_unlock();
  return OK;
 }

@@ -38,6 +38,12 @@

 #ifdef CONFIG_NET_NAT

+/****************************************************************************
+ * Private Data
+ ****************************************************************************/
+
+static mutex_t g_nat_lock = NXMUTEX_INITIALIZER;
+
 /****************************************************************************
 * Private Functions
 ****************************************************************************/
@@ -108,18 +114,15 @@ static uint16_t nat_port_select_without_stack(

 int nat_enable(FAR struct net_driver_s *dev)
 {
-  net_lock();
-
+  nat_lock();
  if (IFF_IS_NAT(dev->d_flags))
    {
      nwarn("WARNING: NAT was already enabled for %s!\n", dev->d_ifname);
-      net_unlock();
      return -EEXIST;
    }

  IFF_SET_NAT(dev->d_flags);
-
-  net_unlock();
+  nat_unlock();
  return OK;
 }

@@ -140,12 +143,11 @@ int nat_enable(FAR struct net_driver_s *dev)

 int nat_disable(FAR struct net_driver_s *dev)
 {
-  net_lock();
-
+  nat_lock();
  if (!IFF_IS_NAT(dev->d_flags))
    {
      nwarn("WARNING: NAT was not enabled for %s!\n", dev->d_ifname);
-      net_unlock();
+      nat_unlock();
      return -ENODEV;
    }

@@ -159,8 +161,7 @@ int nat_disable(FAR struct net_driver_s *dev)
 #endif

  IFF_CLR_NAT(dev->d_flags);
-
-  net_unlock();
+  nat_unlock();
  return OK;
 }

@@ -184,23 +185,27 @@ int nat_disable(FAR struct net_driver_s *dev)
 bool nat_port_inuse(uint8_t domain, uint8_t protocol,
                    FAR const union ip_addr_u *ip, uint16_t port)
 {
+  bool ret = false;
+
+  nat_lock();
 #ifdef CONFIG_NET_NAT44
  if (domain == PF_INET)
    {
-      return !!ipv4_nat_inbound_entry_find(protocol, ip->ipv4, port,
-                                           INADDR_ANY, 0, false);
+      ret = !!ipv4_nat_inbound_entry_find(protocol, ip->ipv4, port,
+                                          INADDR_ANY, 0, false);
    }
 #endif

 #ifdef CONFIG_NET_NAT66
  if (domain == PF_INET6)
    {
-      return !!ipv6_nat_inbound_entry_find(protocol, ip->ipv6, port,
-                                           g_ipv6_unspecaddr, 0, false);
+      ret = !!ipv6_nat_inbound_entry_find(protocol, ip->ipv6, port,
+                                          g_ipv6_unspecaddr, 0, false);
    }
 #endif

-  return false;
+  nat_unlock();
+  return ret;
 }

 /****************************************************************************
@@ -403,4 +408,30 @@ uint32_t nat_expire_time(uint8_t protocol)
  }
 }

+/****************************************************************************
+ * Name: nat_lock
+ *
+ * Description:
+ *   Lock the NAT lock.
+ *
+ ****************************************************************************/
+
+void nat_lock(void)
+{
+  nxmutex_lock(&g_nat_lock);
+}
+
+/****************************************************************************
+ * Name: nat_unlock
+ *
+ * Description:
+ *   Unlock the NAT lock.
+ *
+ ****************************************************************************/
+
+void nat_unlock(void)
+{
+  nxmutex_unlock(&g_nat_lock);
+}
+
 #endif /* CONFIG_NET_NAT */
@@ -400,5 +400,25 @@ ipv6_nat_outbound_entry_find(FAR struct net_driver_s *dev, uint8_t protocol,
                             uint16_t peer_port, bool try_create);
 #endif

+/****************************************************************************
+ * Name: nat_lock
+ *
+ * Description:
+ *   Lock the NAT lock.
+ *
+ ****************************************************************************/
+
+void nat_lock(void);
+
+/****************************************************************************
+ * Name: nat_unlock
+ *
+ * Description:
+ *   Unlock the NAT lock.
+ *
+ ****************************************************************************/
+
+void nat_unlock(void);
+
 #endif /* CONFIG_NET_NAT */
 #endif /* __NET_NAT_NAT_H */