LibIPQ issue

LibIPQ issue

[Sérgio Bernardino]

Greetings to all.
I have a small problem in regards to libipq and the effects of
altering packets in userspace. I was wondering if anyone could help me
clear the issue. Here's the situation:
Consider three machines: A, B and C. They are located in a LAN. Now, i
sent a packet from A to B. On the machine B i have the following
iptables rule:

iptables -t mangle -A PREROUTING -p ip -j QUEUE

Inside the program i created to deal with the packets i queue into
userspace i change the destination address on the IP header to point
to the machine C and ACCEPT the packet with all the changes. Now, as
far as i can tell and for what i've gathered from reading this,

http://iptables-tutorial.frozentux.net/chunkyhtml/traversingoftables.html 

I'm changing the packet before the routing decision, hence, it should
continue to traverse the network and reach machine C instead of
"staying" on machine B. The thing is, nothing happens. I'm sure the
packet is valid, and that i recalculate the checksum correctly and
such since i've tested it several times. In fact, in the case where i
have the following iptables rule:

iptables -t filter -A OUTPUT -p ip -j QUEUE

I can alter the destination address of the outgoing packet (for
example, a packet that goes from A to B becomes a packet that goes
from A to A, a localhost packet), and it all works fine.
I seems like i'm doing something wrong but i can't quite figure out
what. Any ideas?
Thank you.
-- 
Sérgio Bernardino

============================================
"The Dragon awakens in the darkness
with a frozen heart he roars.
If you are close, the dragon sleeps
And when the wings appear before him
people's dreams will fill the sky..."

Re: LibIPQ issue

[Patrick McHardy]

Sérgio Bernardino wrote:
> 
> iptables -t filter -A OUTPUT -p ip -j QUEUE
> 
> I can alter the destination address of the outgoing packet (for
> example, a packet that goes from A to B becomes a packet that goes
> from A to A, a localhost packet), and it all works fine.
> I seems like i'm doing something wrong but i can't quite figure out
> what. Any ideas?

Packets in LOCAL_OUT are manually rerouted by ip_queue. Packets
mangled in PRE_ROUTING should be routed correctly according to
the data contained in the new packet. Could it be that you are
testing on loopback ?

Regards
Patrick

Re: LibIPQ issue

[Sérgio Bernardino]

On Mon, 07 Mar 2005 14:10:03 +0100, Patrick McHardy <kaber@trash.net> wrote:
> Sérgio Bernardino wrote:
> >
> > iptables -t filter -A OUTPUT -p ip -j QUEUE
> >
> > I can alter the destination address of the outgoing packet (for
> > example, a packet that goes from A to B becomes a packet that goes
> > from A to A, a localhost packet), and it all works fine.
> > I seems like i'm doing something wrong but i can't quite figure out
> > what. Any ideas?
> 
> Packets in LOCAL_OUT are manually rerouted by ip_queue. Packets
> mangled in PRE_ROUTING should be routed correctly according to
> the data contained in the new packet. Could it be that you are
> testing on loopback ?
> 
> Regards
> Patrick
> 

I've always tested it with two or three different machines and the
only rerouting that always worked was the one that occurred when i
changed packet caught in LOCAL_OUT. Curiously enough the packet that i
mangle in PRE_ROUTING seems to disappear. It doesn't "show" on the
current machine (machine B, according to my previous example), on the
intended machine (machine C) and i can't seem to track it with tcpdump
after i committed the changes and ACCEPTed the packet.
The example i gave with LOCAL_OUT rerouting a packet to make it seem
like it's a localhost packet is just that, an example. In fact, i can
reroute packets intended to a machine so that they show up on another
one by changing them in LOCAL_OUT. It works fine. But since you say
that that ip_queue manually reroutes the packets, the situation is
clearly different from what occurs in PRE_ROUTING. I pretty certain
that the information is modified correctly. In fact, the code i use to
change packets caught in PRE_ROUTING is virtually identical to the
code i use to change packets caught in LOCAL_OUT. So, basically, i'm
quite unsure of what's exactly wrong. Specially since you've confirmed
that it should work.
Thank you for your time.

-- 
Sérgio Bernardino

============================================
"The Dragon awakens in the darkness
with a frozen heart he roars.
If you are close, the dragon sleeps
And when the wings appear before him
people's dreams will fill the sky..."

Re: LibIPQ issue

[Patrick McHardy]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 1376 bytes --]

On Mon, 7 Mar 2005, [x-unknown] Sérgio Bernardino wrote:

> I've always tested it with two or three different machines and the
> only rerouting that always worked was the one that occurred when i
> changed packet caught in LOCAL_OUT. Curiously enough the packet that i
> mangle in PRE_ROUTING seems to disappear. It doesn't "show" on the
> current machine (machine B, according to my previous example), on the
> intended machine (machine C) and i can't seem to track it with tcpdump
> after i committed the changes and ACCEPTed the packet.
> The example i gave with LOCAL_OUT rerouting a packet to make it seem
> like it's a localhost packet is just that, an example. In fact, i can
> reroute packets intended to a machine so that they show up on another
> one by changing them in LOCAL_OUT. It works fine. But since you say
> that that ip_queue manually reroutes the packets, the situation is
> clearly different from what occurs in PRE_ROUTING. I pretty certain
> that the information is modified correctly. In fact, the code i use to
> change packets caught in PRE_ROUTING is virtually identical to the
> code i use to change packets caught in LOCAL_OUT. So, basically, i'm
> quite unsure of what's exactly wrong. Specially since you've confirmed
> that it should work.

Please send the code you use for testing so I can try myself.

Regards
Patrick

Re: LibIPQ issue

[Sérgio Bernardino]

After a bit more time working with this i realized something "interesting":
When i send a packet from a machine A to a machine B and capture it in
PRE_ROUTING, if i change the destination address so that it points to
machine C, the packet disappears and i can't track it anywhere. On the
other hand, if i instead change the source address of the packet so
that it points to machine C everything works fine. I can "see" the
packet traversing into machine B, which receives the packet and
promptly replies sending a packet to machine C. Machine A never
receives a reply to the packet it sent and machine C receives a reply
from a packet it never sent. Exactly the behaviour expected when
changing the source address field. Now, if this works in this case,
merely changing it to alter the destination address (my original
intention) should work also, but it doesn't.
My code can't be incorrect in a situation like this, so what exactly
is wrong? And is there a away to solve such situation?
Ideas anyone?


On Mon, 7 Mar 2005 20:30:03 +0100 (CET), Patrick McHardy
<kaber@trash.net> wrote:
> On Mon, 7 Mar 2005, [x-unknown] Sérgio Bernardino wrote:
> 
> > I've always tested it with two or three different machines and the
> > only rerouting that always worked was the one that occurred when i
> > changed packet caught in LOCAL_OUT. Curiously enough the packet that i
> > mangle in PRE_ROUTING seems to disappear. It doesn't "show" on the
> > current machine (machine B, according to my previous example), on the
> > intended machine (machine C) and i can't seem to track it with tcpdump
> > after i committed the changes and ACCEPTed the packet.
> > The example i gave with LOCAL_OUT rerouting a packet to make it seem
> > like it's a localhost packet is just that, an example. In fact, i can
> > reroute packets intended to a machine so that they show up on another
> > one by changing them in LOCAL_OUT. It works fine. But since you say
> > that that ip_queue manually reroutes the packets, the situation is
> > clearly different from what occurs in PRE_ROUTING. I pretty certain
> > that the information is modified correctly. In fact, the code i use to
> > change packets caught in PRE_ROUTING is virtually identical to the
> > code i use to change packets caught in LOCAL_OUT. So, basically, i'm
> > quite unsure of what's exactly wrong. Specially since you've confirmed
> > that it should work.
> 
> Please send the code you use for testing so I can try myself.
> 
> Regards
> Patrick
> 


-- 
Sérgio Bernardino

============================================
"The Dragon awakens in the darkness
with a frozen heart he roars.
If you are close, the dragon sleeps
And when the wings appear before him
people's dreams will fill the sky..."

Re: LibIPQ issue

[Patrick McHardy]

Sérgio Bernardino wrote:
> After a bit more time working with this i realized something "interesting":
> When i send a packet from a machine A to a machine B and capture it in
> PRE_ROUTING, if i change the destination address so that it points to
> machine C, the packet disappears and i can't track it anywhere. On the
> other hand, if i instead change the source address of the packet so
> that it points to machine C everything works fine. I can "see" the
> packet traversing into machine B, which receives the packet and
> promptly replies sending a packet to machine C. Machine A never
> receives a reply to the packet it sent and machine C receives a reply
> from a packet it never sent. Exactly the behaviour expected when
> changing the source address field. Now, if this works in this case,
> merely changing it to alter the destination address (my original
> intention) should work also, but it doesn't.
> My code can't be incorrect in a situation like this, so what exactly
> is wrong? And is there a away to solve such situation?
> Ideas anyone?

Have you got IP forwarding enabled ?

echo 1 >/proc/sys/net/ipv4/ip_forward

Regards
Patrick

Re: LibIPQ issue

[Sven Schuster]

[-- Attachment #1: Type: text/plain, Size: 1376 bytes --]


Hi Sérgio,

On Tue, Mar 08, 2005 at 11:08:17PM +0000, Sérgio Bernardino told us:
> After a bit more time working with this i realized something "interesting":
> When i send a packet from a machine A to a machine B and capture it in
> PRE_ROUTING, if i change the destination address so that it points to
> machine C, the packet disappears and i can't track it anywhere. On the
> other hand, if i instead change the source address of the packet so
> that it points to machine C everything works fine. I can "see" the
> packet traversing into machine B, which receives the packet and
> promptly replies sending a packet to machine C. Machine A never
> receives a reply to the packet it sent and machine C receives a reply
> from a packet it never sent. Exactly the behaviour expected when
> changing the source address field. Now, if this works in this case,
> merely changing it to alter the destination address (my original
> intention) should work also, but it doesn't.
> My code can't be incorrect in a situation like this, so what exactly
> is wrong? And is there a away to solve such situation?
> Ideas anyone?

Stupid question, but do you have ip_forward set to 1 on machine B??


Sven

-- 
Linux zion 2.6.11-mm1 #1 Sat Mar 5 13:54:40 CET 2005 i686 athlon i386 GNU/Linux
 00:28:53 up 3 days,  3:34,  2 users,  load average: 0.12, 0.07, 0.06

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: LibIPQ issue

[Sérgio Bernardino]

It was hardly a stupid question. That was precisely the problem!
Such a simple thing and i completely failed to consider that possibility.
Thank you all for your help, it was priceless.

> On Tue, Mar 08, 2005 at 11:08:17PM +0000, Sérgio Bernardino told us:
> > After a bit more time working with this i realized something "interesting":
> > When i send a packet from a machine A to a machine B and capture it in
> > PRE_ROUTING, if i change the destination address so that it points to
> > machine C, the packet disappears and i can't track it anywhere. On the
> > other hand, if i instead change the source address of the packet so
> > that it points to machine C everything works fine. I can "see" the
> > packet traversing into machine B, which receives the packet and
> > promptly replies sending a packet to machine C. Machine A never
> > receives a reply to the packet it sent and machine C receives a reply
> > from a packet it never sent. Exactly the behaviour expected when
> > changing the source address field. Now, if this works in this case,
> > merely changing it to alter the destination address (my original
> > intention) should work also, but it doesn't.
> > My code can't be incorrect in a situation like this, so what exactly
> > is wrong? And is there a away to solve such situation?
> > Ideas anyone?
On Wed, 09 Mar 2005 00:29:28 +0100, Patrick McHardy <kaber@trash.net> wrote:
> 
> Have you got IP forwarding enabled ?
> 
> echo 1 >/proc/sys/net/ipv4/ip_forward
> 
> Regards
> Patrick
> 
> 
On Wed, 9 Mar 2005 00:30:28 +0100, Sven Schuster <schuster.sven@gmx.de> wrote:
> 
> Hi Sérgio,
> 
> Stupid question, but do you have ip_forward set to 1 on machine B??
> 
> Sven
> 
> --
> Linux zion 2.6.11-mm1 #1 Sat Mar 5 13:54:40 CET 2005 i686 athlon i386 GNU/Linux
>  00:28:53 up 3 days,  3:34,  2 users,  load average: 0.12, 0.07, 0.06
> 
> 
> 
-- 
Sérgio Bernardino

============================================
"The Dragon awakens in the darkness
with a frozen heart he roars.
If you are close, the dragon sleeps
And when the wings appear before him
people's dreams will fill the sky..."