* Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
@ 2005-03-10 15:44 Alexandre Chaves Fonseca
0 siblings, 0 replies; 14+ messages in thread
From: Alexandre Chaves Fonseca @ 2005-03-10 15:44 UTC (permalink / raw)
To: netfilter
Someone has a patch to CONFIG_IP_NF_NAT_LOCAL in kernel 2.6.11
(it was removed in this version) ?
Best regards,
Alexandre
---------------------------------------------------------------
This message was checked by the wstation secure e-mail service.
McAfee VirusScan / vaccine v4443 updated on 09/03/2005
powered by wstation (www.wstation.com.br)
^ permalink raw reply [flat|nested] 14+ messages in thread
* Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
@ 2005-03-10 17:02 Alexandre Chaves Fonseca
2005-03-10 17:04 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Alexandre Chaves Fonseca @ 2005-03-10 17:02 UTC (permalink / raw)
To: netfilter-devel
Someone has a patch to CONFIG_IP_NF_NAT_LOCAL in kernel 2.6.11
(it was removed in this version) ?
Best regards,
Alexandre
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 17:02 Alexandre Chaves Fonseca
@ 2005-03-10 17:04 ` Patrick McHardy
2005-03-10 17:23 ` Alexandre Chaves Fonseca
0 siblings, 1 reply; 14+ messages in thread
From: Patrick McHardy @ 2005-03-10 17:04 UTC (permalink / raw)
To: Alexandre Chaves Fonseca; +Cc: netfilter-devel
Alexandre Chaves Fonseca wrote:
> Someone has a patch to CONFIG_IP_NF_NAT_LOCAL in kernel 2.6.11
> (it was removed in this version) ?
It was enabled unconditionally.
Regards
Patrick
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 17:04 ` Patrick McHardy
@ 2005-03-10 17:23 ` Alexandre Chaves Fonseca
2005-03-10 17:34 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Alexandre Chaves Fonseca @ 2005-03-10 17:23 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
This means that I have this ?!
Before (with kernel <= 2.6.10), I had the rule:
iptables -t nat -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 25 -j DNAT --to 192.168.0.50:25
And now, with 2.6.11, the rule doesn't work... and syslog shows:
NAT: no longer support implicit source local NAT
NAT: packet src 192.168.0.50 -> dst 127.0.0.1
Alexandre
----- Original Message -----
From: "Patrick McHardy" <kaber@trash.net>
To: "Alexandre Chaves Fonseca" <alex.f-linux@specialist.com.br>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Thursday, 10 March, 2005 14:04
Subject: Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
>> Someone has a patch to CONFIG_IP_NF_NAT_LOCAL in kernel 2.6.11
>
> It was enabled unconditionally.
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 17:23 ` Alexandre Chaves Fonseca
@ 2005-03-10 17:34 ` Patrick McHardy
2005-03-10 17:56 ` Alexandre Chaves Fonseca
0 siblings, 1 reply; 14+ messages in thread
From: Patrick McHardy @ 2005-03-10 17:34 UTC (permalink / raw)
To: Alexandre Chaves Fonseca; +Cc: netfilter-devel
Alexandre Chaves Fonseca wrote:
> This means that I have this ?!
>
> Before (with kernel <= 2.6.10), I had the rule:
>
> iptables -t nat -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 25 -j DNAT --to 192.168.0.50:25
>
> And now, with 2.6.11, the rule doesn't work... and syslog shows:
>
> NAT: no longer support implicit source local NAT
> NAT: packet src 192.168.0.50 -> dst 127.0.0.1
This means that NAT no longer fixes up the source address when
doing DNAT in LOCAL_OUT, so the packet goes out with 127.0.0.1
as source. You need to SNAT it manually if you want to get
the old behaviour.
Regards
Patrick
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 17:34 ` Patrick McHardy
@ 2005-03-10 17:56 ` Alexandre Chaves Fonseca
2005-03-10 18:00 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Alexandre Chaves Fonseca @ 2005-03-10 17:56 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
You say that I have to do this:
iptables -t nat -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 25 -j DNAT --to 192.168.0.50:25
iptables -t nat -A POSTROUTING -p tcp -s 127.0.0.1 -d 192.168.0.50 --dport 25 -j SNAT --to 192.168.0.10
(192.168.0.10 is my IP)
Right?
But it doesn't work yet...
What am I doing wrong?
thanks so much,
alexandre
----- Original Message -----
From: "Patrick McHardy" <kaber@trash.net>
To: "Alexandre Chaves Fonseca" <alex.f-linux@specialist.com.br>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Thursday, 10 March, 2005 14:34
Subject: Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
>> NAT: no longer support implicit source local NAT
>> NAT: packet src 192.168.0.50 -> dst 127.0.0.1
>
> This means that NAT no longer fixes up the source address when
> doing DNAT in LOCAL_OUT, so the packet goes out with 127.0.0.1
> as source. You need to SNAT it manually if you want to get
> the old behaviour.
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 17:56 ` Alexandre Chaves Fonseca
@ 2005-03-10 18:00 ` Patrick McHardy
2005-03-10 19:31 ` Martin Josefsson
2005-03-10 19:39 ` Alexandre Chaves Fonseca
0 siblings, 2 replies; 14+ messages in thread
From: Patrick McHardy @ 2005-03-10 18:00 UTC (permalink / raw)
To: Alexandre Chaves Fonseca; +Cc: netfilter-devel
Alexandre Chaves Fonseca wrote:
> you say that I have to do this:
>
> iptables -t nat -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 25 -j DNAT --to 192.168.0.50:25
> iptables -t nat -A POSTROUTING -p tcp -s 127.0.0.1 -d 192.168.0.50 --dport 25 -j SNAT --to 192.168.0.10
>
> (192.168.0.10 is my IP)
>
> Right?
>
> But it doesn't work yet...
>
> What am I doing wrong?
Check if the rules are used and what happens on the network ..
Regards
Patrick
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 18:00 ` Patrick McHardy
@ 2005-03-10 19:31 ` Martin Josefsson
2005-03-11 5:14 ` Patrick McHardy
2005-03-10 19:39 ` Alexandre Chaves Fonseca
1 sibling, 1 reply; 14+ messages in thread
From: Martin Josefsson @ 2005-03-10 19:31 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter-devel
On Thu, 2005-03-10 at 19:00 +0100, Patrick McHardy wrote:
> > but it doesn't work yet...
> >
> > what I am doing wrong ?
>
> Check if the rules are used and what happens on the network ..
I believe the problem is in ip_route_output_slow() line 2070 in
ipv4/ip_output.c in 2.6.11.2
make_route:
        if (LOOPBACK(fl.fl4_src) && !(dev_out->flags&IFF_LOOPBACK))
                goto e_inval;
It simply does not route packets with loopback addresses out via non
loopback interfaces, and SNAT occurs at POSTROUTING...
Not sure what a good solution could be, we certainly don't want the
possibility to send out packets with 127.0.0.1 as source (like some
windows virus got the windows stack to do by synflooding a domain that
later got changed into 127.0.0.1)
--
/Martin
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 18:00 ` Patrick McHardy
2005-03-10 19:31 ` Martin Josefsson
@ 2005-03-10 19:39 ` Alexandre Chaves Fonseca
1 sibling, 0 replies; 14+ messages in thread
From: Alexandre Chaves Fonseca @ 2005-03-10 19:39 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
I put a "-j LOG" rule before each of the two rules:
iptables -t nat -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 25 -j LOG --log-prefix "OUT = "
iptables -t nat -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 25 -j DNAT --to 192.168.0.50:25
iptables -t nat -A POSTROUTING -p tcp -s 127.0.0.1 -d 192.168.0.50 --dport 25 -j LOG --log-prefix "POST = "
iptables -t nat -A POSTROUTING -p tcp -s 127.0.0.1 -d 192.168.0.50 --dport 25 -j SNAT --to 192.168.0.10
But syslog only shows the first rule (I tried "telnet 127.0.0.1 25")...
Mar 10 16:14:09 backup kernel: OUT = IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=27422 DF PROTO=TCP SPT=2107 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
Mar 10 16:14:12 backup kernel: OUT = IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=27424 DF PROTO=TCP SPT=2107 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
Mar 10 16:17:06 backup kernel: OUT = IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=13046 DF PROTO=TCP SPT=3133 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
Any idea?
----- Original Message -----
From: "Patrick McHardy" <kaber@trash.net>
To: "Alexandre Chaves Fonseca" <alex.f-linux@specialist.com.br>
Cc: <netfilter-devel@lists.netfilter.org>
Sent: Thursday, 10 March, 2005 15:00
Subject: Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
> Alexandre Chaves Fonseca wrote:
>> you say that I have to do this:
>> iptables -t nat -A OUTPUT -p tcp -s 127.0.0.1 -d 127.0.0.1 --dport 25 -j DNAT --to 192.168.0.50:25
>> iptables -t nat -A POSTROUTING -p tcp -s 127.0.0.1 -d 192.168.0.50 --dport 25 -j SNAT --to 192.168.0.10
>> but it doesn't work yet...
>
> Check if the rules are used and what happens on the network ..
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-10 19:31 ` Martin Josefsson
@ 2005-03-11 5:14 ` Patrick McHardy
2005-03-11 5:18 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Patrick McHardy @ 2005-03-11 5:14 UTC (permalink / raw)
To: Martin Josefsson; +Cc: Netfilter-devel
Martin Josefsson wrote:
> On Thu, 2005-03-10 at 19:00 +0100, Patrick McHardy wrote:
>
>
>>> but it doesn't work yet...
>>>
>>> what am I doing wrong?
>>
>> Check if the rules are used and what happens on the network ..
>
>
> I believe the problem is in ip_route_output_slow() line 2070 in
> ipv4/ip_output.c in 2.6.11.2
>
> make_route:
>         if (LOOPBACK(fl.fl4_src) && !(dev_out->flags&IFF_LOOPBACK))
>                 goto e_inval;
>
> It simply does not route packets with loopback addresses out via non
> loopback interfaces, and SNAT occurs at POSTROUTING...
> Not sure what a good solution could be, we certainly don't want the
> possibility to send out packets with 127.0.0.1 as source (like some
> windows virus got the windows stack to do by synflooding a domain that
> later got changed into 127.0.0.1)
Maybe we can use 0 as source if LOOPBACK(src). OTOH, I don't think we
want to route packets with loopback source, so we may instead declare
this as a bad testcase :)
Regards
Patrick
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-11 5:14 ` Patrick McHardy
@ 2005-03-11 5:18 ` Patrick McHardy
2005-03-11 12:48 ` KOVACS Krisztian
0 siblings, 1 reply; 14+ messages in thread
From: Patrick McHardy @ 2005-03-11 5:18 UTC (permalink / raw)
To: Martin Josefsson; +Cc: Netfilter-devel
Patrick McHardy wrote:
> Martin Josefsson wrote:
>
>> It simply does not route packets with loopback addresses out via non
>> loopback interfaces, and SNAT occurs at POSTROUTING...
>> Not sure what a good solution could be, we certainly don't want the
>> possibility to send out packets with 127.0.0.1 as source (like some
>> windows virus got the windows stack to do by synflooding a domain that
>> later got changed into 127.0.0.1)
>
>
> Maybe we can use 0 as source if LOOPBACK(src). OTOH, I don't think we
> want to route packet with loopback source, so we may instead declare
> this as a bad testcase :)
A different possibility would be retaining the old behaviour for
loopback addresses and doing implicit source NAT.
Regards
Patrick
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-11 5:18 ` Patrick McHardy
@ 2005-03-11 12:48 ` KOVACS Krisztian
2005-03-12 12:30 ` Harald Welte
0 siblings, 1 reply; 14+ messages in thread
From: KOVACS Krisztian @ 2005-03-11 12:48 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel, Martin Josefsson
Hi,
On Friday, 2005-03-11 at 06:18, Patrick McHardy wrote:
> >> It simply does not route packets with loopback addresses out via non
> >> loopback interfaces, and SNAT occurs at POSTROUTING...
> >> Not sure what a good solution could be, we certainly don't want the
> >> possibility to send out packets with 127.0.0.1 as source (like some
> >> windows virus got the windows stack to do by synflooding a domain that
> >> later got changed into 127.0.0.1)
> >
> >
> > Maybe we can use 0 as source if LOOPBACK(src). OTOH, I don't think we
> > want to route packet with loopback source, so we may instead declare
> > this as a bad testcase :)
>
> A different possibility would be retaining the old behaviour for
> loopback addresses and doing implicit source NAT.
You can't do that easily anymore. 2.6.11 does not have a list of
manipulations, so you cannot do multiple source NATs at all. To make it
even more limited, nat_packet() does only one manipulation per hook, so
doing SNAT+DNAT on LOCAL_OUT is impossible.
BTW, I think SNAT-ting pure local traffic so that it goes out on the
wire is a bad practice anyway.
--
Regards,
Krisztian Kovacs
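The two constraints discussed above, the make_route check Martin quotes (a loopback source may not leave through a non-loopback device, and routing happens before POSTROUTING) and the one-manipulation-per-hook limit Krisztian describes, as a small constructed model in C. This is an added example, not kernel code and not anything posted in the thread: the two devices, the 192.168.0.10 LAN address taken from Alexandre's rules, and the implicit_local_snat switch (standing in for the pre-2.6.11 source fix-up Patrick describes) are assumptions of the model. Addresses are kept in host byte order, so is_loopback() is the host-order counterpart of the kernel's LOOPBACK() macro.

```c
/* Constructed model of the path a locally generated packet takes in 2.6.11:
 *   LOCAL_OUT nat hook (one manipulation) -> re-route -> POSTROUTING nat hook.
 * Not kernel code; devices, addresses and the implicit_local_snat switch are
 * assumptions of this example. */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

#define IFF_LOOPBACK 0x8            /* same bit value as the kernel flag */

struct netdev { const char *name; unsigned flags; uint32_t addr; };

/* Two constructed devices: lo, and the LAN interface owning 192.168.0.10. */
static const struct netdev lo  = { "lo",   IFF_LOOPBACK, 0x7f000001u };
static const struct netdev eth = { "eth0", 0,            0xc0a8000au };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d;
}

/* Host-order equivalent of the kernel's LOOPBACK() test: 127.0.0.0/8 */
static int is_loopback(uint32_t addr) {
    return (addr & 0xff000000u) == 0x7f000000u;
}

static void print_ip(uint32_t a) {
    printf("%u.%u.%u.%u", (unsigned)(a >> 24), (unsigned)((a >> 16) & 255),
           (unsigned)((a >> 8) & 255), (unsigned)(a & 255));
}

/* Toy route lookup mirroring the make_route check quoted in the thread: a
 * packet with a loopback source may only leave through a loopback device,
 * anything else fails with -EINVAL (the "goto e_inval"). */
static int route_output(uint32_t src, uint32_t dst, const struct netdev **out) {
    const struct netdev *dev = is_loopback(dst) ? &lo : &eth;
    if (is_loopback(src) && !(dev->flags & IFF_LOOPBACK))
        return -EINVAL;
    *out = dev;
    return 0;
}

struct trace {
    int err;                 /* 0, or -EINVAL from the re-route after DNAT */
    int postrouting_reached; /* did the POSTROUTING SNAT rule ever run? */
    uint32_t src, dst;       /* addresses as they would appear on the wire */
    const char *dev;
};

/* Walk one SYN from 127.0.0.1 to 127.0.0.1:25 through the path.
 *   dnat_to: target of the OUTPUT DNAT rule (192.168.0.50 in the thread)
 *   snat_to: target of the POSTROUTING SNAT rule (192.168.0.10)
 *   implicit_local_snat: 1 models the <= 2.6.10 behaviour (NAT fixed up a
 *   loopback source when DNAT in LOCAL_OUT moved the packet off lo),
 *   0 models 2.6.11, where that fix-up was removed. */
static struct trace send_local(uint32_t dnat_to, uint32_t snat_to,
                               int implicit_local_snat) {
    struct trace t = { 0, 0, ip4(127, 0, 0, 1), ip4(127, 0, 0, 1), NULL };
    const struct netdev *dev = NULL;

    /* LOCAL_OUT: nat_packet() applies exactly one manipulation here, the DNAT.
     * A second (SNAT) manipulation in the same hook is not possible. */
    t.dst = dnat_to;

    /* Old kernels: implicit source fix-up, before the packet is re-routed. */
    if (implicit_local_snat && is_loopback(t.src) && !is_loopback(t.dst))
        t.src = eth.addr;

    /* Re-route, because DNAT changed the destination. */
    t.err = route_output(t.src, t.dst, &dev);
    if (t.err)
        return t;            /* dropped here; POSTROUTING never sees it */
    t.dev = dev->name;

    /* POSTROUTING: the explicit SNAT rule from the thread. */
    t.postrouting_reached = 1;
    if (t.src == ip4(127, 0, 0, 1))
        t.src = snat_to;
    return t;
}

int main(void) {
    struct trace old = send_local(ip4(192, 168, 0, 50), ip4(192, 168, 0, 10), 1);
    struct trace cur = send_local(ip4(192, 168, 0, 50), ip4(192, 168, 0, 10), 0);
    printf("<= 2.6.10: err=%d dev=%s src=", old.err, old.dev);
    print_ip(old.src); printf(" dst="); print_ip(old.dst);
    printf(" postrouting=%d\n", old.postrouting_reached);
    printf("2.6.11:    err=%d (EINVAL=%d) postrouting=%d\n",
           cur.err, -EINVAL, cur.postrouting_reached);
    return 0;
}
```

The model reproduces what Alexandre's LOG rules showed: with the 2.6.11 behaviour the OUTPUT rule fires, the re-route rejects the loopback source, and the POSTROUTING SNAT rule is never reached, so an SNAT placed there cannot rescue the packet.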
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-11 12:48 ` KOVACS Krisztian
@ 2005-03-12 12:30 ` Harald Welte
2005-03-15 19:07 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Harald Welte @ 2005-03-12 12:30 UTC (permalink / raw)
To: KOVACS Krisztian; +Cc: netfilter-devel, Martin Josefsson, Patrick McHardy
On Fri, Mar 11, 2005 at 01:48:16PM +0100, KOVACS Krisztian wrote:
> BTW, I think SNAT-ting pure local traffic so that it goes out on the
> wire is a bad practice anyway.
ack. even if you have broken applications, this should be fixable with
a LD_PRELOAD wrapper.
--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
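The LD_PRELOAD approach Harald mentions, as an added example in C that is not part of the thread and not netfilter project code: a preloaded library interposes connect() and sends an application that insists on 127.0.0.1:25 to the real mail host instead, so no loopback traffic has to be NATed onto the wire. The rule table (127.0.0.1:25 to 192.168.0.50:25, the addresses from Alexandre's rules) is constructed for the example; find_rule() is kept separate from the wrapper so the decision can be checked without opening a socket.

```c
/* Added example: LD_PRELOAD interposer for connect() that redirects a fixed
 * destination. Not from the thread. Build as a shared object:
 *   gcc -shared -fPIC -o redir.so redir.c   (add -ldl on older glibc)
 *   LD_PRELOAD=./redir.so telnet 127.0.0.1 25
 * The rule table below is constructed for the example. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Redirect rule: connections to from_ip:from_port go to to_ip:to_port.
 * Addresses are in host byte order. */
struct rule { uint32_t from_ip; uint16_t from_port; uint32_t to_ip; uint16_t to_port; };

/* 127.0.0.1:25 -> 192.168.0.50:25 (addresses taken from the thread) */
static const struct rule rules[] = {
    { 0x7f000001u, 25, 0xc0a80032u, 25 },
};

/* Pure lookup: the matching rule, or NULL when the destination is untouched. */
static const struct rule *find_rule(uint32_t ip, uint16_t port) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].from_ip == ip && rules[i].from_port == port)
            return &rules[i];
    return NULL;
}

/* Interposed connect(): only IPv4 sockaddrs are inspected; everything else
 * is passed straight to the real connect() found via RTLD_NEXT. */
int connect(int fd, const struct sockaddr *addr, socklen_t len) {
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (!real_connect)
        *(void **)&real_connect = dlsym(RTLD_NEXT, "connect");

    if (addr && addr->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        struct sockaddr_in sin;
        memcpy(&sin, addr, sizeof sin);
        const struct rule *r = find_rule(ntohl(sin.sin_addr.s_addr),
                                         ntohs(sin.sin_port));
        if (r) {
            sin.sin_addr.s_addr = htonl(r->to_ip);
            sin.sin_port = htons(r->to_port);
            return real_connect(fd, (const struct sockaddr *)&sin, sizeof sin);
        }
    }
    return real_connect(fd, addr, len);
}
```

Because the rewrite happens inside the process, the kernel only ever sees a packet from the host's own LAN address to 192.168.0.50, which is exactly the case the routing code is happy with; it also keeps the change scoped to the one broken application instead of to every local connection to port 25.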
* Re: Patch for CONFIG_IP_NF_NAT_LOCAL in 2.6.11 ?
2005-03-12 12:30 ` Harald Welte
@ 2005-03-15 19:07 ` Patrick McHardy
0 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2005-03-15 19:07 UTC (permalink / raw)
To: Harald Welte; +Cc: netfilter-devel, Martin Josefsson, KOVACS Krisztian
Harald Welte wrote:
> On Fri, Mar 11, 2005 at 01:48:16PM +0100, KOVACS Krisztian wrote:
>
>> BTW, I think SNAT-ting pure local traffic so that it goes out on the
>> wire is a bad practice anyway.
>
> ack. even if you have broken applications, this should be fixable with
> a LD_PRELOAD wrapper.
I agree, but I would still prefer if it would work as expected for
consistency. Haven't had time to look into fixing it yet.
Regards
Patrick