Help needed on standalone nat for opening new ports inside the code

Help needed on standalone nat for opening new ports inside the code

[Nagaraj G]

Hello,

I am writing a new netfilter application module where-in I have to
mangle each and every packet. So, I have made the module as a standalone
NAT with NAT_ALWAYS flag defined.

I am using linux 2.4.10 kernel and the related files.

Masquerading is enabled.

My protocol behaves like this.

1. A packet destined to the well-known port comes to the netfilter from
an internal host. This packet gets mangled via the Nat_Help routine
registered via the register_nat_helper.

2. The reply for the above packet does not come on the same connection.
The reply comes in on the same well-known port from the remote
ip-address.

For the above case, I don't want to define a "iptables" rule hard-coded
as I don't know who is coming in and when.

So, I want to create the connection dynamically to open the well-known
port only for the remote ip-address.

I tried doing ip_conntrack_expect_related(). But it fails with -16
(EBUSY).

I don't get the reply back from the remote ip-address unless I create
the port-forwarding rule manually.

How do I achieve the functionality required in case of standalone-nat?

Thanks in advance for the great reply.

Best Regards,

GNRaj

Re: Help needed on standalone nat for opening new ports inside the code

[Patrick McHardy]

Nagaraj G wrote:
> Hello,
> 
> I am writing a new netfilter application module where-in I have to
> mangle each and every packet. So, I have made the module as a standalone
> NAT with NAT_ALWAYS flag defined.
> 
> ...
>
> I tried doing ip_conntrack_expect_related(). But it fails with -16
> (EBUSY).

EBUSY is returned when max_expected is not set and the expectation
clashes with existing ones. My guess is that you haven't initialized
the mask of the expectation properly. If that's not it, please post
the relevant sections of code, that makes it easier for people to help.

Regards,
Patrick

Re: Help needed on standalone nat for opening new ports inside the code

[Nagaraj G]

Thanks for the reply

I am not using the max_expected field as I am only registering NAT and
not CONN_TRACK module as mine is a standalone NAT and I don't have
connections to manage since each packet is a new one for me on a
different connection.

Here is the registration code for the NAT Helper module. It's not that
every time I get error. I get success sometimes from the expect_related
call; but still the packets from the remote host never come in unless a
port-forward rule is set-up.

One more thing. I use ip_conntrack_change_expect to allocate a new port
for my data mangling.

Please let me know what could be wrong in this code or in something else
I might be doing wrong.

Regards,
GNR


static 
unsigned int 
My_Nat_Help(
    struct ip_conntrack *ct,            /* Connection Tracking Data */
    struct ip_conntrack_expect *exp,    /* Connection Track Expect Data
*/
    struct ip_nat_info *info,           /* NAT Info */
    enum ip_conntrack_info ctinfo,      /* Connection Track Info */
    unsigned int hooknum,               /* Hook Number */
    struct sk_buff **pSkb               /* Packet */
    )
{
        struct ip_conntrack_expect newExpect, *newExp;

/* Mangle the packet here */
/* I use change_expect to allocate a new port */
.
.
.

/* Here I create the connection for my new incoming packet */
                DEBUGP("Setting up incoming connection\n");
                
                /* Clear Expect Structure */
                memset(&newExpect, 0, sizeof(newExpect));

                newExp = &newExpect;
                
                newExp->tuple.src.ip = htonl(pIpHdr->daddr);
                newExp->tuple.src.u.udp.port = 0;
                newExp->tuple.dst.ip = htonl(pIpHdr->saddr);
                newExp->tuple.dst.protonum = IPPROTO_UDP;
                newExp->tuple.dst.u.udp.port = MY_PORT;

                newExp->mask.src.ip = 0xFFFFFFFF;
                newExp->mask.src.u.udp.port = 0xFFFF;
                newExp->mask.dst.ip = 0xFFFFFFFF;
                newExp->mask.dst.protonum = 0xFFFF;
                newExp->mask.dst.u.udp.port = 0xFFFF;

                newExp->expectfn = NULL;

                ret = ip_conntrack_expect_related(ct, newExp);
                if(ret)
                {
                        DEBUGP("expect_related returned error for 5060
in %d\n", ret);
                }

}


static struct ip_nat_helper my_ip_nat_helper_reg = 
{ 
        { NULL, NULL },
        "myname",                               /* name */
        (IP_NAT_HELPER_F_STANDALONE | IP_NAT_HELPER_F_ALWAYS),   /*
flags */
        THIS_MODULE,                               /* module */
        { { 0, { .udp = { __constant_htons(MY_PORT) } } }, /* tuple */
          { 0, { 0 }, IPPROTO_UDP } },
        { { 0, { .udp = { 0xFFFF } } },         /* mask */
          { 0, { 0 }, 0xFFFF } },
        My_Nat_Help,                           /* helper */
        NULL /*My_Nat_Expected*/                        /* expectfn */
};


static 
void 
fini(
    void
    )
{
    ip_nat_helper_unregister(&my_ip_nat_helper_reg);
}

static 
int 
__init my_nat_init(
    void
    )
{
        int ret;

        ret = ip_nat_helper_register(&my_ip_nat_helper_reg);

    if (ret) 
    {
        printk("ip_nat_sip: ERROR registering\n");
        
        fini();
        
        return ret;
    }

}


On Sat, 2004-02-14 at 16:47, Patrick McHardy wrote:
> Nagaraj G wrote:
> > Hello,
> > 
> > I am writing a new netfilter application module where-in I have to
> > mangle each and every packet. So, I have made the module as a standalone
> > NAT with NAT_ALWAYS flag defined.
> > 
> > ...
> >
> > I tried doing ip_conntrack_expect_related(). But it fails with -16
> > (EBUSY).
> 
> EBUSY is returned when max_expected is not set and the expectation
> clashes with existing ones. My guess is that you haven't initialized
> the mask of the expectation properly. If that's not it, please post
> the relevant sections of code, that makes it easier for people to help.
> 
> Regards,
> Patrick