From: Patrick McHardy <kaber@trash.net>
To: Harald Welte <laforge@netfilter.org>
Cc: Henrik Nordstrom <hno@marasystems.com>,
Willy Tarreau <willy@w.ods.org>,
Tom Eastep <teastep@shorewall.net>,
Michal Ludvig <mludvig@suse.cz>,
netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH]Re: NAT before IPsec with 2.6
Date: Wed, 28 Jan 2004 14:22:19 +0100 [thread overview]
Message-ID: <4017B78B.3050201@trash.net> (raw)
In-Reply-To: <20040128103000.GP11761@sunbeam.de.gnumonks.org>
Harald Welte wrote:
> On Wed, Jan 28, 2004 at 09:49:56AM +0100, Patrick McHardy wrote:
>
>>I see two problems with this approach. The dummy devices don't have
>>any ip config, so f.e. REDIRECT will fail.
>
>
> Ok, let's ignore that for now. dunno if the dummydev idea was so good
> at all.
I believe we pass the real device and provide a new match.
The real device might be interesting for filtering, too.
But as you say, let's ignore it for now.
>>The bigger problem is hooking in output routines that return
>>NET_XMIT_BYPASS. dst_output loops until the return code of
>>skb->dst->output != NET_XMIT_BYPASS. These output routines replace
>>skb->dst when finished by calling dst_pop.
>>
>>If we pass the packet through netfilter in between, the dst_entry
>>might get replaced in ip_route_me_harder or elsewhere and not all
>>transformations will be applied.
>
>
> I see. So we would have to modify all code that changes skb->dst to
> check if there is a dst stack. If yes, it would have to iterate over
> all of them and just change the last one. Shouldn't be too hard to
> intergrate that change.
> However, it is hard to tell what is the correct behaviour in that case.
>
> In POST_ROUTING of the original, unencapsulated packet, I would say it
> is correct to not apply those transformations, in case rerouting of the
> packet occurs. If somebody reroutes here, he wants to affect the
> original packet, not the encapsulated one.
Agreed. The problem is outfn is already set to {ah,esp}_output when
POST_ROUTING of the original packet is called, we need to handle this
somehow.
We also should handle the opposite case, after a (normal) packet is
SNATed ip_route_me_harder will replace the dst_entry, the new one might
include ipsec transformations if a policy for the now-different packet
exists, but the packet is always passed to ip_finish_output2. If we
would call dst_output instead strange hook orders can occur:
PRE_ROUTING FORWARD POST_ROUTING <SNAT, encapsulate>
POST_ROUTING LOCAL_OUT <SNAT again ;)> ..
I can't imagine a good solution right now.
> However, once we did do the first encapsulation, it doesn't make sense
> to encapsulate further layers until we've reached the real dst. At this
> point, LOCAL_OUT would be called with the heading-for-the-wire packet
> and rerouting will and should affect the final device.
I'm not sure if you understand you correctly. Do you mean to say that it
doesn't make sense to pass packets to netfilter hooks until all
transformations have been applied ? If so, I agree, I don't think there
is much use in doing stuff to half-done packets. We can easily detect
the final dst_entry, it should have dst->xfrm = NULL (at least I would
think so). But I don't know how to skip intermediate ones, I guess
they look similar to the first one.
>
> However, exposing all those intermediate steps to the
> netfilter-hook-attached code is not so bad. It enables people to do
> whatever they want... they just need to be careful with their rules.
> If there's too much interference with normal OUTPUT/POSTROUTING rules,
> we could still go for new hooks+new chains.
This makes me think I misunderstood your statement above. I recall there
was some confusion between hook functions and hooks before, it seems
I got me, too ;) Do you propose to make these steps visible to iptables
chains or just to the registered hook functions, which would hide them
from the user by immediately returning in the iptables case ?
>
>
>>If NAT is used, ip_route_{input,output} might even return a different
>>policy bundle.
>
>
> The question is, again: What ist the desired behaviour? Should the
> policy be determined on the un-NAT'ed packet or on the NAT'ed one?
The NATed one. When the policy says encrypt 10.0.0.1<->10.0.0.2, NAT
should bypass that. IIRC Herbert Xu mentioned some things about when
policy checks need to be done in the "2.6 IPSEC + SNAT" thread. I'm
going to read it again later.
>>Regards,
>>Patrick
>
>
next prev parent reply other threads:[~2004-01-28 13:22 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-01-21 12:29 NAT before IPsec with 2.6 Michal Ludvig
2004-01-23 6:57 ` Willy Tarreau
2004-01-23 12:31 ` Henrik Nordstrom
2004-01-23 13:31 ` Michal Ludvig
2004-01-23 14:24 ` Henrik Nordstrom
2004-01-23 14:40 ` Michal Ludvig
2004-01-23 15:56 ` Henrik Nordstrom
2004-01-23 15:51 ` Tom Eastep
2004-01-24 8:22 ` Willy Tarreau
2004-01-24 9:21 ` Henrik Nordstrom
2004-01-24 9:27 ` Willy Tarreau
2004-01-27 10:39 ` Harald Welte
2004-01-27 11:57 ` Henrik Nordstrom
2004-01-27 13:07 ` Harald Welte
2004-01-27 13:22 ` Henrik Nordstrom
2004-01-27 14:12 ` Henrik Nordstrom
2004-01-27 20:51 ` Harald Welte
2004-01-27 22:35 ` Henrik Nordstrom
2004-01-28 13:48 ` Harald Welte
2004-01-27 22:41 ` Willy Tarreau
2004-01-27 23:55 ` Harald Welte
2004-01-28 0:14 ` Willy Tarreau
2004-01-28 0:09 ` [PATCH]Re: " Harald Welte
2004-01-28 8:49 ` Patrick McHardy
2004-01-28 9:37 ` Patrick McHardy
2004-01-28 10:30 ` Harald Welte
2004-01-28 11:24 ` Willy Tarreau
2004-01-28 13:39 ` Harald Welte
2004-01-28 15:58 ` Tom Eastep
2004-01-28 13:22 ` Patrick McHardy [this message]
2004-01-28 14:23 ` Henrik Nordstrom
2004-02-01 14:52 ` Patrick McHardy
2004-02-16 1:19 ` Patrick McHardy
2004-02-18 14:57 ` Patrick McHardy
[not found] ` <20040218220337.GA3193@alpha.home.local>
2004-02-20 1:43 ` Patrick McHardy
2004-03-04 22:30 ` [PATCH]: latest netfilter+ipsec patches Patrick McHardy
2004-03-04 23:11 ` Willy Tarreau
2004-03-04 23:42 ` Alexander Samad
2004-03-05 2:00 ` Patrick McHardy
2004-03-05 2:13 ` Alexander Samad
2004-03-10 2:45 ` Alexander Samad
2004-03-11 22:10 ` Patrick McHardy
2004-03-12 0:15 ` Alexander Samad
2004-03-05 1:47 ` Patrick McHardy
2004-03-05 11:10 ` Willy Tarreau
2004-03-04 23:44 ` Patrick McHardy
2004-03-05 11:39 ` Harald Welte
2004-01-28 10:30 ` [PATCH]Re: NAT before IPsec with 2.6 Andreas Jellinghaus
2004-01-29 19:05 ` Harald Welte
2004-01-27 19:54 ` Michael Richardson
2004-01-27 13:27 ` Valentijn Sessink
2004-01-27 13:57 ` Henrik Nordstrom
2004-01-27 21:13 ` Andreas Jellinghaus
2004-01-28 8:58 ` Harald Welte
2004-01-28 10:21 ` Andreas Jellinghaus
2004-01-28 13:00 ` Harald Welte
2004-01-28 13:43 ` Andreas Jellinghaus
2004-01-28 14:24 ` 2.6.2-rc2 and nf-log Wojciech 'Sas' Cieciwa
2004-01-28 19:38 ` NAT before IPsec with 2.6 David S. Miller
2004-01-27 16:11 ` Tom Eastep
2004-01-27 20:45 ` Harald Welte
2004-01-28 15:36 ` Tom Eastep
2004-01-27 19:51 ` Michael Richardson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4017B78B.3050201@trash.net \
--to=kaber@trash.net \
--cc=hno@marasystems.com \
--cc=laforge@netfilter.org \
--cc=mludvig@suse.cz \
--cc=netfilter-devel@lists.netfilter.org \
--cc=teastep@shorewall.net \
--cc=willy@w.ods.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.