From: KOVACS Krisztian <hidden@sch.bme.hu>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org,
Balazs Scheidler <bazsi@balabit.hu>,
Toth Laszlo Attila <panther@balabit.hu>
Subject: Re: [PATCH 06/13] Port redirection support for TCP
Date: Mon, 1 Oct 2007 00:49:50 +0200
Message-ID: <200710010049.50756@nessa>
In-Reply-To: <47002299.9040400@trash.net>
Hi Patrick,
On Monday 01 October 2007, Patrick McHardy wrote:
> KOVACS Krisztian wrote:
> > Current TCP code relies on the local port of the listening socket
> > being the same as the destination address of the incoming
> > connection. Port redirection used by many transparent proxying
> > techniques obviously breaks this, so we have to store the original
> > destination port address.
> >
> > This patch extends struct inet_request_sock and stores the incoming
> > destination port value there. It also modifies the handshake code to
> > use that value as the source port when sending reply packets.
> >
> > Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
> > ---
> >
> > diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
> > index e86832d..5339089 100644
> > --- a/include/net/inet_sock.h
> > +++ b/include/net/inet_sock.h
> > @@ -65,6 +65,9 @@ struct inet_request_sock {
> > #endif
> > __be32 loc_addr;
> > __be32 rmt_addr;
> > +#if defined(CONFIG_NETFILTER_TPROXY) ||
> > defined(CONFIG_NETFILTER_TPROXY_MODULE) + __be16 loc_port;
> > +#endif
> > __be16 rmt_port;
> > u16 snd_wscale : 4,
> > rcv_wscale : 4,
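Review bot: the new loc_port field in a shared header deserves a one-line comment saying what it holds, namely the destination port of the incoming SYN in network byte order, which under port redirection differs from the listening socket's own port; without it, a reader of inet_request_sock cannot tell loc_port from the port already in the socket. Placing the __be16 directly before rmt_port keeps the two 16-bit ports adjacent, which is fine; just make sure every later user of the field repeats exactly this `defined(CONFIG_NETFILTER_TPROXY) || defined(CONFIG_NETFILTER_TPROXY_MODULE)` guard, since the field does not exist otherwise.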
> > diff --git a/include/net/tcp.h b/include/net/tcp.h
> > index 54053de..927d235 100644
> > --- a/include/net/tcp.h
> > +++ b/include/net/tcp.h
> > @@ -980,6 +980,9 @@ static inline void tcp_openreq_init(struct
> > request_sock *req, ireq->acked = 0;
> > ireq->ecn_ok = 0;
> > ireq->rmt_port = tcp_hdr(skb)->source;
> > +#if defined(CONFIG_NETFILTER_TPROXY) ||
> > defined(CONFIG_NETFILTER_TPROXY_MODULE) + ireq->loc_port =
> > tcp_hdr(skb)->dest;
> > +#endif
> > }
> >
> > extern void tcp_enter_memory_pressure(void);
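Review bot: this assignment in tcp_openreq_init is the only place in the visible hunks where loc_port is written, so any request sock that reaches tcp_make_synack (tcp_output.c hunk) without passing through tcp_openreq_init would copy an uninitialised value into th->source. Suggest stating in a comment on the field that tcp_openreq_init is its sole initialiser, or zeroing loc_port where the request sock is allocated so a missed path yields a recognisable zero port rather than a random one.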
> > diff --git a/net/ipv4/inet_connection_sock.c
> > b/net/ipv4/inet_connection_sock.c index 26b9dbe..f47d966 100644
> > --- a/net/ipv4/inet_connection_sock.c
> > +++ b/net/ipv4/inet_connection_sock.c
> > @@ -502,6 +502,10 @@ struct sock *inet_csk_clone(struct sock *sk,
> > const struct request_sock *req, newicsk->icsk_bind_hash = NULL;
> >
> > inet_sk(newsk)->dport = inet_rsk(req)->rmt_port;
> > +#if defined(CONFIG_IP_NF_TPROXY) ||
> > defined(CONFIG_IP_NF_TPROXY_MODULE) + inet_sk(newsk)->num =
> > ntohs(inet_rsk(req)->loc_port);
> >
> > + inet_sk(newsk)->sport = inet_rsk(req)->loc_port;
>
> Why do you store the port twice here?
Because ->num is in host byte order while sport is host byte order.
> > ipv4/tcp_output.c
> > index 666d8a5..69dd230 100644
> > --- a/net/ipv4/tcp_output.c
> > +++ b/net/ipv4/tcp_output.c
> > @@ -2153,7 +2153,11 @@ struct sk_buff * tcp_make_synack(struct sock
> > *sk, struct dst_entry *dst, th->syn = 1;
> > th->ack = 1;
> > TCP_ECN_make_synack(req, th);
> > +#if defined(CONFIG_IP_NF_TPROXY) ||
> > defined(CONFIG_IP_NF_TPROXY_MODULE) + th->source = ireq->loc_port;
> > +#else
> > th->source = inet_sk(sk)->sport;
> > +#endif
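Review bot: the #else fallback turns a guard mismatch into a silent failure: with CONFIG_NETFILTER_TPROXY set (so the field exists) but CONFIG_IP_NF_TPROXY unset, this still compiles and keeps sourcing the SYN+ACK from inet_sk(sk)->sport, which is exactly the listener-port behaviour the commit message says breaks redirected connections. If the field must stay conditional, tie this branch to the same symbol as the declaration in inet_sock.h; making loc_port unconditional would let the #else branch and the duplicated assignment go away entirely.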
>
> I think this should simply use loc_port unconditionally.
Unfortunately ireq->loc_port does not exist unless tproxy is enabled in
the config. (We could remove all these #ifdefs but that would mean
extending inet_request_sock with 2 bytes even if tproxy is not enabled.)
--
KOVACS Krisztian