New target 'ROUTE' and new table 'rsip'

New target 'ROUTE' and new table 'rsip'

[Cédric de Launois]

Hi,

Here is an extension to directly reroute packets without modifying
them, even and especially if those packets are destined to the router
itself. Those packets are locally delivered and cannot be forwarded to
another computer using the standard routing mechanisms.
Sometimes, this is useful to redirect them to another computer, without
modification, e.g. when using the new RSIP protocol (RFC3102, RFC3103,
see http://openresources.info.ucl.ac.be/rsip for more info).

This extension includes a new target, called 'ROUTE', and a new table,
called 'rsip'. It provides a way to reroute those packets to an
interface selected by the user. 

Source files are available at
  http://openresources.info.ucl.ac.be/rsip/netfilter/

These files are not yet packaged in any way. Sorry.


Example
-------

With RSIP, we can lease some ports (8000-8200 here) to one of
our private host. The host has the same IP as its router, so that
packets may remain unmodified when going through the router.
We want to reroute tcp packets coming from eth0 with dst port
8000-8200 towards iface tunl1 (in order to forward them to the
host) :

          eth0  +------+ 192.168.0.1        192.168.0.2 +----+
----------------|router|--------------------------------|host|
IP: 150.150.0.1 +------+                                +----+
                    | | tunl1      tunnel IP: 150.150.0.1 | |
                    | +-----------------------------------+ |
                    +---------------------------------------+

We do :

 iptables -A PREROUTING -i eth0 -p tcp --dport 8000:8200 -j ROUTE
--iface tunl1



The new files
-------------

a) The new 'ROUTE' target :

*  ipt_ROUTE.c        in /usr/src/linux/net/ipv4/netfilter
*  ipt_ROUTE.h        in /usr/src/linux/include/linux/netfilter_ipv4

b) A new 'rsip' table, with only PREROUTING hook, and priority -170 
   == after Conntrack but before Mangle, NAT,... (since we do not
   want those packet being altered in any way)

*  iptable_rsip.c     in /usr/src/linux/net/ipv4/netfilter

c) Extension to make iptables support the new 'ROUTE' target :

*  libipt_ROUTE.c     in iptables-x.x.X/extensions

Any comment ?

Thanks,

Cédric

Re: New target 'ROUTE' and new table 'rsip'

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 810 bytes --]

On Mon, Jun 10, 2002 at 11:23:12AM +0200, Cédric de Launois wrote:
> Source files are available at
>   http://openresources.info.ucl.ac.be/rsip/netfilter/
> 
> These files are not yet packaged in any way. Sorry.

sounds interesting.  For being included with the iptables package, 
I need a patch against the current CVS tree.  You need to package your
kernel changes in patch-o-matic form, see the other available patches
as examples how to do that.

> Cédric

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]