From: "Jeff Saremi" <jeffsaremi@yahoo.com>
To: netfilter@vger.kernel.org
Subject: SO_ORIGINAL_DST returning bogus port number
Date: Mon, 19 Apr 2010 15:36:07 -0400
Message-ID: <003f01cadff7$8ebeb720$ac3c2560$@com>
I'm not sure what I'm doing wrong or whether my expectations of netfilter
are correct or not.
But i basically had the NAT extension forward all incoming tcp traffic to a
local socket. I tested it and it worked fine.
However I still need the original destination IP and port number for my code
to function properly.
I get the original destination IP correctly but the port number is never
what I expect.
Below are the setup steps, my code and tracing that I did:
Setup:
iptables -A INPUT -p tcp -i eth0 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -j REDIRECT --to-port 9000
Code:
    /* SO_ORIGINAL_DST comes from <linux/netfilter_ipv4.h> */
    struct sockaddr_in cli_addr, dst_addr;
    socklen_t cli_len = sizeof(cli_addr), dst_len;

    cli_fd = accept(fd, (struct sockaddr *) &cli_addr, &cli_len);
    dst_len = sizeof(dst_addr);
    if (getsockopt(cli_fd, IPPROTO_IP, SO_ORIGINAL_DST, &dst_addr, &dst_len) != 0)
        printf("getsockopt() returned error");
    else
        /* sin_port is stored in network byte order; printed raw as %d it
           shows the byte-swapped value on a little-endian host */
        printf("original destination address: %s:%d\n",
               inet_ntoa(dst_addr.sin_addr), dst_addr.sin_port);
The above server is listening on port 9000 on ANY address. When hit by a
call from a telnet client (telnet 10.10.10.1 33000) it prints the following:
original destination address: 10.10.10.1:59520
I have tried changing the port in the telnet command but every time I do that
a completely different value is reported out.
While the listening socket was running and the telnet client was
communicating, I ran "tcpdump" and below are a few lines from that which
confirm the ports I expected.
There are no traces of port number 59520! (Note that 192.168.1.100 is the
telnet machine and 192.168.1.101 is the "intercepting" machine running
netfilter.)
Trace:
13:45:01.688156 IP 192.168.1.100.51961 > 10.10.10.1.33000: P 1:2(1) ack 1 win 256
13:45:01.688256 IP 10.10.10.1.33000 > 192.168.1.100.51961: . ack 2 win 183
13:45:01.688418 IP 10.10.10.1.33000 > 192.168.1.100.51961: P 1:19(18) ack 2 win 183
13:45:01.688585 IP 10.10.10.1.33000 > 192.168.1.100.51961: F 19:19(0) ack 2 win 183
13:45:01.688750 IP 192.168.1.100.51961 > 10.10.10.1.33000: . ack 20 win 256
13:45:01.693081 IP 192.168.1.100.51961 > 10.10.10.1.33000: F 2:2(0) ack 20 win 256
13:45:01.693130 IP 10.10.10.1.33000 > 192.168.1.100.51961: . ack 3 win 183
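The port number the post reports is sin_port read in network byte order: 33000 is 0x80E8, and on a little-endian host the two bytes printed as an integer read 0xE880 = 59520. The following is an added example, not the poster's code, that queries SO_ORIGINAL_DST and converts the port with ntohs(); the function names (get_original_dst, decode_raw_port and the helpers) are mine, and the fallback value 80 for SO_ORIGINAL_DST is the Linux constant for hosts without the header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST */
#endif
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80          /* Linux value; fallback where the header is absent */
#endif

/* 1 on little-endian hosts (x86, most ARM), where a raw sin_port looks byte-swapped. */
int is_little_endian(void) {
    uint16_t probe = 1;
    return *(const unsigned char *)&probe == 1;
}

/* Recover the real port from a value that was printed straight from sin_port:
 * 33000 = 0x80E8 stored in network order prints as 0xE880 = 59520 on x86. */
uint16_t decode_raw_port(uint16_t printed_raw) {
    return ntohs(printed_raw);
}

/* Query the pre-REDIRECT destination of an accepted TCP connection.
 * Returns 0 on success, -1 on failure; ip receives the dotted quad and
 * port the destination port in host byte order. */
int get_original_dst(int cli_fd, char *ip, size_t iplen, uint16_t *port) {
    struct sockaddr_in dst;
    socklen_t dst_len = sizeof dst;
    memset(&dst, 0, sizeof dst);
    if (getsockopt(cli_fd, IPPROTO_IP, SO_ORIGINAL_DST, &dst, &dst_len) != 0)
        return -1;   /* EBADF on a bad fd, or no conntrack entry for this flow */
    if (inet_ntop(AF_INET, &dst.sin_addr, ip, iplen) == NULL)
        return -1;
    *port = ntohs(dst.sin_port);   /* the fix: convert from network byte order */
    return 0;
}

/* Constructed failure case: an invalid descriptor must report an error, not garbage. */
int original_dst_on_bad_fd(void) {
    char ip[INET_ADDRSTRLEN];
    uint16_t port = 0;
    return get_original_dst(-1, ip, sizeof ip, &port);
}

int main(void) {
    printf("raw sin_port 59520 decodes to %u\n", decode_raw_port(59520));
    return 0;
}
```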