From: luoqiang <luoqiang@ict.ac.cn>
To: laforge@gnumonks.org
Cc: netfilter-devel@lists.samba.org
Subject: conntrack/NAT module
Date: Wed, 5 Jun 2002 10:36:48 +0800
Message-ID: <02060510364800.10075@luoqiang>
Hi, Harald
Thanks for your answers.
I am afraid that the conntrack module for DNAT is not correct now. My
purpose with the two modules is to achieve the rule "iptables -A
PREROUTING -t nat -p udp -d 159.226.1.1 --dport 5001 -j DNAT --to
192.168.1.2:8888".
The code of conntrack module is as follows:
static int foo_help(const struct iphdr *iph, size_t len,
                    struct ip_conntrack *ct,
                    enum ip_conntrack_info ctinfo)
{
    struct ip_conntrack_tuple t, mask;

    // expected tuple: proto=17, dst=159.226.1.1, dport=5001
    t = ((struct ip_conntrack_tuple)
         { { 0, { 0 } },
           { 0x0101e29f, { htons(5001) }, IPPROTO_UDP } });
    mask = ((struct ip_conntrack_tuple)
            { { 0, { 0 } },
              { 0xFFFFFFFF, { 0xFFFF }, 0xFFFF } });
    ip_conntrack_expect_related(ct, &t, &mask, NULL);
    return NF_ACCEPT;
}

// helper tuple: proto=17, dst=159.226.1.1
static struct ip_conntrack_helper foo = { { NULL, NULL },
    { { 0, { 0 } },
      { 0x0101e29f, { 0 }, IPPROTO_UDP } },
    { { 0, { 0 } },
      { 0xFFFFFFFF, { 0 }, 0xFFFF } },
    foo_help };

int init_module(void)
{
    return ip_conntrack_helper_register(&foo);
}

void cleanup_module(void)
{
    ip_conntrack_helper_unregister(&foo);
}
After insmod of the conntrack module and receiving UDP packets sent to
159.226.1.1, I can see "EXPECTING: proto=17 src=0.0.0.0 dst=159.226.1.1
sport=0 dport=5001" in /proc/net/ip_conntrack. I don't know if my conntrack for
DNAT is correct.
The code of my nat module is as follows:
static int foo_nat_expected(struct sk_buff **pksb,
                            unsigned int hooknum,
                            struct ip_conntrack *ct,
                            struct ip_nat_info *info,
                            struct ip_conntrack *master,
                            struct ip_nat_info *masterinfo,
                            unsigned int *verdict)
{
    struct ip_nat_multi_range mr;
    u_int32_t newdstip;

    if (HOOK2MANIP(hooknum) == IP_NAT_MANIP_DST) {
        newdstip = 0x0201a8c0; // 192.168.1.2
        mr.rangesize = 1;
        mr.range[0].flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
        mr.range[0].min = mr.range[0].max = ((union ip_conntrack_manip_proto)
                                             { htons(8888) });
        // forward 159.226.1.1:5001 to 192.168.1.2:8888, correct?
        *verdict = ip_nat_setup_info(ct, &mr, hooknum);
        printk("########### foo_nat_expected finished #############\n");
        return 1;
    }
    return 0; // not the DST manip: nothing set up here
}

static unsigned int foo_help(struct ip_conntrack *ct,
                             struct ip_nat_info *info,
                             enum ip_conntrack_info ctinfo,
                             unsigned int hooknum,
                             struct sk_buff **pksb)
{
    return NF_ACCEPT; // I don't know what I can do here
}

static struct ip_nat_expect foo_expect = { { NULL, NULL }, foo_nat_expected };

static struct ip_nat_helper hlpr = { { NULL, NULL },
    { { 0, { 0 } },
      { 0x09050a0a, { 0 }, IPPROTO_UDP } },
    { { 0, { 0xFFFF } },
      { 0xFFFFFFFF, { 0 }, 0xFFFF } },
    foo_help, "test" };

int init_module(void)
{
    int ret;

    if ((ret = ip_nat_expect_register(&foo_expect)) == 0) {
        ret = ip_nat_helper_register(&hlpr);
        if (ret != 0)
            ip_nat_expect_unregister(&foo_expect);
    }
    return ret;
}

void cleanup_module(void)
{
    ip_nat_helper_unregister(&hlpr);
    ip_nat_expect_unregister(&foo_expect);
}
After 159.226.1.1 received a UDP packet on port 5001, I can see the
"########### foo_nat_expected finished #############" message for each
packet. But no DNAT happened. I copied the code from ip_conntrack_ftp.c
and ip_nat_ftp.c. Where did I make the mistake?
Thanks
luoqiang
____________________________________________________________________________
> Hi, all
>
> Sorry to resend this mail, the last mail could not be seen.
> I am writing a DNAT module to achieve the purpose which is identical to
> "iptables -A PREROUTING -t nat -p udp -d 159.226.1.1 --dport 5000 -j DNAT
> --to 192.168.1.2:5000".
> host A----------------------------->host B-------------------->host C
> 159.226.1.2--------------->159.226.1.1/192.168.1.1--------------->192.168.1.2
> I have read the hacking howto and have finished the conntrack module, which
> can be seen in the "proc/net/ip_conntrack"
> file of host B as "EXPECTING : proto=17 src=0 dst=159.226.1.1 sport=0
> dport=5000"
> But something is wrong in my nat module.
> After loading the module, no DNAT happened. :-(
> There are some questions I don't understand.
> 1. What's the function of foo_help in struct ip_nat_helper? I do nothing here.
to mangle (nat) the payload of the master connection (i.e. if it contains
an internal IP address sent by the client behind SNAT to the server).
> 2. What's the function of struct ip_nat_multi_range here? What's the function
> of struct ip_nat_range range[0] and struct ip_nat_range range[1]? (I don't
> know what's the meaning of "hangs off end.")
hangs off end == after the end of the structure
> 3. How to configure the struct ip_nat_multi_range when doing DNAT?
look at line 81... of ip_nat_ftp.c
> 4. If I want to close the port after opening it in a module, how can I do that?
how do you open a port in a module? everything you do is creating conntrack
entries and NAT bindings.
> my code is here:
> ......
> static int foo_nat_expected(struct sk_buff **pksb,
> if (HOOK2MANIP(hooknum)==IP_NAT_MANIP_DST){
>
> mr.rangesize=1;
> mr.range[0].flags = IP_NAT_RANGE_PROTO_SPECIFIED; // I don't know what's the meaning here
PROTO_SPECIFIED == NAT of port
IP == NAT of IP address
please look more detailed at the other available examples.
> luoqiang
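A userspace model, added here and not part of the mail or of the kernel's own code, of what the two range flags Harald names above do to the destination half of the tuple when the range is applied in foo_nat_expected (the "posted" range sets only the port flag; the "ftp" range is filled the way the mail says it was copied from ip_nat_ftp.c, with IP_NAT_RANGE_MAP_IPS and min_ip = max_ip = newdstip). The struct layouts and flag values are simplified stand-ins, not the kernel's; it also decodes the hand-written u32 address literals from both helper tuples the way a little-endian host reads them.

```c
#include <stdint.h>
#include <stdio.h>

/* Names are the kernel's; the values are stand-ins chosen for this model. */
#define IP_NAT_RANGE_MAP_IPS         1  /* "IP == NAT of IP address" */
#define IP_NAT_RANGE_PROTO_SPECIFIED 2  /* "PROTO_SPECIFIED == NAT of port" */

/* Dotted quad as a host-order u32, independent of the machine's byte order. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct dst   { uint32_t ip; uint16_t port; };   /* destination half of a tuple */
struct range { unsigned flags; uint32_t min_ip, max_ip; uint16_t min_port, max_port; };

/* Simplified model of the MANIP_DST half of ip_nat_setup_info(): a one-address,
 * one-port range is applied, but only to the fields its flags name. */
static struct dst apply_dnat(struct dst orig, const struct range *r)
{
    struct dst out = orig;
    if (r->flags & IP_NAT_RANGE_MAP_IPS)         out.ip   = r->min_ip;
    if (r->flags & IP_NAT_RANGE_PROTO_SPECIFIED) out.port = r->min_port;
    return out;
}

/* A hand-written literal such as 0x0101e29f sits in memory on a little-endian
 * host as the bytes 9f e2 01 01, i.e. 159.226.1.1 in wire order. */
static uint32_t le_literal_to_host(uint32_t lit)
{
    return ((lit & 0xff) << 24) | (((lit >> 8) & 0xff) << 16) |
           (((lit >> 16) & 0xff) << 8) | (lit >> 24);
}

static const char *fmt_ip(uint32_t ip)
{
    static char buf[16];
    snprintf(buf, sizeof buf, "%u.%u.%u.%u", (unsigned)((ip >> 24) & 0xff),
             (unsigned)((ip >> 16) & 0xff), (unsigned)((ip >> 8) & 0xff), (unsigned)(ip & 0xff));
    return buf;
}

/* Constructed sample: the packet from the mail, and two ways of filling the range. */
static const struct dst   ORIG      = { IP4(159, 226, 1, 1), 5001 };
static const struct range AS_POSTED = { IP_NAT_RANGE_PROTO_SPECIFIED, 0, 0, 8888, 8888 };
static const struct range AS_FTP    = { IP_NAT_RANGE_MAP_IPS | IP_NAT_RANGE_PROTO_SPECIFIED,
                                        IP4(192, 168, 1, 2), IP4(192, 168, 1, 2), 8888, 8888 };

int main(void)
{
    struct dst a = apply_dnat(ORIG, &AS_POSTED), b = apply_dnat(ORIG, &AS_FTP);
    printf("port-only range: %s:%u\n", fmt_ip(a.ip), (unsigned)a.port);  /* 159.226.1.1:8888 */
    printf("MAP_IPS range:   %s:%u\n", fmt_ip(b.ip), (unsigned)b.port);  /* 192.168.1.2:8888 */
    printf("nat helper tuple literal 0x09050a0a reads as %s\n", fmt_ip(le_literal_to_host(0x09050a0a)));
    return 0;
}
```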