* Modifications to netmap target
@ 2005-04-15 18:42 Gary W. Smith
2005-04-15 20:27 ` Pablo Neira
2005-04-17 22:09 ` Patrick McHardy
0 siblings, 2 replies; 5+ messages in thread
From: Gary W. Smith @ 2005-04-15 18:42 UTC (permalink / raw)
To: netfilter-devel
After talking to Jason over on the netfilter users list about netmap target I found that it doesn't support the output chain of nat.
I was looking through the code and found that it only registers itself with the pre- and post-routing chains. I was wondering if adding support for the output chain was as simple as adding the hook for the local_out and then ensuring that the correct modifications are made. The following looks logically correct from looking into some of the source code for other modules. Would more be required to make the output nat work with netmap?
Example.
if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING))) {
DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
return 0;
}
to:
if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_LOCAL_OUT) )) {
DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
return 0;
}
and
if (hooknum == NF_IP_PRE_ROUTING)
new_ip = (*pskb)->nh.iph->daddr & ~netmask;
else
to:
if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
new_ip = (*pskb)->nh.iph->daddr & ~netmask;
else
I put the above changes in and compiled, and I was able to load the table, but I'm not sure what the other impacts might be. Comments would be greatly appreciated.
/sbin/iptables -t nat -A PREROUTING -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.80/29 -j NETMAP --to 10.0.0.56/29
/sbin/iptables -t nat -A OUTPUT -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NETMAP     all  --  anywhere             10.0.0.56/29        10.0.0.80/29

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
NETMAP     all  --  10.0.0.80/29         anywhere            10.0.0.56/29

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETMAP     all  --  anywhere             10.0.0.56/29        10.0.0.80/29
Gary Smith
^ permalink raw reply [flat|nested] 5+ messages in thread
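An added example, not code from the netfilter tree or from the message above: a small user-space C model of what the NETMAP target does to an address, with the proposed NF_IP_LOCAL_OUT case included, run over the three rules from the message. The rule layout (a match network plus a --to network, each with a prefix length), the use of host-order 32-bit integers and the derivation of the mask from the prefix length are assumptions made for the model; the real target works on a min_ip/max_ip range in network byte order and the -d/-s match is done by iptables before the target runs.

```c
/*
 * Added example (not the netfilter module's code): user-space model of the
 * NETMAP rewrite for PREROUTING, POSTROUTING and the proposed LOCAL_OUT hook.
 * Assumptions: rule = match net/prefix + --to net/prefix; addresses are
 * host-order uint32_t; mask derived from prefix length.
 */
#include <stdint.h>
#include <stdio.h>

/* Hook numbers as in linux/netfilter_ipv4.h of that era. */
enum {
    NF_IP_PRE_ROUTING  = 0,
    NF_IP_LOCAL_IN     = 1,
    NF_IP_FORWARD      = 2,
    NF_IP_LOCAL_OUT    = 3,
    NF_IP_POST_ROUTING = 4
};

/* One "-t nat ... -j NETMAP --to net/prefix" rule (hypothetical layout). */
struct netmap_rule {
    uint32_t match_net; unsigned match_prefix; /* -d (PRE/OUTPUT) or -s (POST) */
    uint32_t to_net;    unsigned to_prefix;    /* --to */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* /29 -> 0xfffffff8, /0 -> 0. */
uint32_t prefix_mask(unsigned prefix)
{
    return prefix == 0 ? 0u : 0xffffffffu << (32 - prefix);
}

/* The checkentry test from the message with NF_IP_LOCAL_OUT allowed:
 * returns 0 (reject) if any bit outside the three allowed hooks is set. */
int netmap_check_hooks(unsigned hook_mask)
{
    unsigned allowed = (1u << NF_IP_PRE_ROUTING) | (1u << NF_IP_POST_ROUTING) |
                       (1u << NF_IP_LOCAL_OUT);
    return (hook_mask & ~allowed) ? 0 : 1;
}

/* Which field a hook rewrites: 1 = daddr, 0 = saddr, -1 = hook not handled. */
int netmap_rewrites_daddr(unsigned hooknum)
{
    if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
        return 1;
    if (hooknum == NF_IP_POST_ROUTING)
        return 0;
    return -1;
}

/* Core of the target: keep the host bits of the original address and replace
 * the network bits with those of the --to network. */
uint32_t netmap_new_ip(uint32_t orig, uint32_t to_net, unsigned to_prefix)
{
    uint32_t netmask = prefix_mask(to_prefix);
    return (orig & ~netmask) | (to_net & netmask);
}

/* iptables match (-d for PRE/OUTPUT, -s for POST) followed by the target.
 * Returns the rewritten address, or 0 when the rule does not apply. */
uint32_t netmap_run(const struct netmap_rule *r, unsigned hooknum,
                    uint32_t saddr, uint32_t daddr)
{
    int on_daddr = netmap_rewrites_daddr(hooknum);
    uint32_t mmask = prefix_mask(r->match_prefix);
    uint32_t field;

    if (on_daddr < 0)
        return 0;
    field = on_daddr ? daddr : saddr;
    if ((field & mmask) != (r->match_net & mmask))
        return 0;                       /* no match, packet left untouched */
    return netmap_new_ip(field, r->to_net, r->to_prefix);
}

static void show(const char *label, uint32_t a)
{
    printf("%s -> %u.%u.%u.%u\n", label, (unsigned)(a >> 24),
           (unsigned)(a >> 16) & 255u, (unsigned)(a >> 8) & 255u, (unsigned)a & 255u);
}

/* Stand-alone demo over the three rules from the message (constructed packets). */
int main(void)
{
    struct netmap_rule pre  = { ip4(10,0,0,56), 29, ip4(10,0,0,80), 29 };
    struct netmap_rule post = { ip4(10,0,0,80), 29, ip4(10,0,0,56), 29 };
    uint32_t fw = ip4(10,0,0,1);

    /* forwarded packet from outside to the external /29 */
    show("PREROUTING  daddr 10.0.0.58", netmap_run(&pre, NF_IP_PRE_ROUTING, ip4(192,168,1,10), ip4(10,0,0,58)));
    /* reply from the inside host leaving the box */
    show("POSTROUTING saddr 10.0.0.82", netmap_run(&post, NF_IP_POST_ROUTING, ip4(10,0,0,82), ip4(192,168,1,10)));
    /* the case from the thread: the firewall itself talks to the external address */
    show("OUTPUT      daddr 10.0.0.59", netmap_run(&pre, NF_IP_LOCAL_OUT, fw, ip4(10,0,0,59)));
    /* address outside the matched /29: rule does not fire, result 0.0.0.0 */
    show("OUTPUT      daddr 10.0.0.70", netmap_run(&pre, NF_IP_LOCAL_OUT, fw, ip4(10,0,0,70)));
    return 0;
}
```

Build with `cc -std=c99 -Wall netmap_model.c` and run it; it prints the mapped address for each hook. The OUTPUT line is the case the thread is about: a packet the firewall generates itself towards 10.0.0.59 has its destination rewritten to 10.0.0.83 exactly as a forwarded packet would in PREROUTING, while a destination outside the matched /29 (10.0.0.70) is left alone, which is why only the one extra hook bit and the extra `hooknum` comparison are needed in the target.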
* RE: Modifications to netmap target
@ 2005-04-15 19:55 Gary W. Smith
0 siblings, 0 replies; 5+ messages in thread
From: Gary W. Smith @ 2005-04-15 19:55 UTC (permalink / raw)
To: netfilter-devel
My dev environment seems to be okay with the patching of the two lines for the output nat of netmap. If it looks rational to the maintainers I'd like to submit the patch for their formal review. If they like it they can keep it :).
Chain PREROUTING (policy ACCEPT 30 packets, 2135 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    48 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.8/29         10.3.0.8/29
   29  2292 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.16/28        10.3.0.16/28
  144 12104 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.32/27        10.3.0.32/27
   15  1412 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.64/26        10.3.0.64/26

Chain POSTROUTING (policy ACCEPT 195 packets, 17029 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETMAP     all  --  *      *       10.3.0.8/29          0.0.0.0/0           10.2.0.8/29
    0     0 NETMAP     all  --  *      *       10.3.0.16/28         0.0.0.0/0           10.2.0.16/28
    1    60 NETMAP     all  --  *      *       10.3.0.32/27         0.0.0.0/0           10.2.0.32/27
    0     0 NETMAP     all  --  *      *       10.3.0.64/26         0.0.0.0/0           10.2.0.64/26
    3   229 SNAT       !esp --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:10.2.0.2

Chain OUTPUT (policy ACCEPT 2 packets, 129 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.8/29         10.3.0.8/29
    4   336 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.16/28        10.3.0.16/28
    5   420 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.32/27        10.3.0.32/27
    0     0 NETMAP     all  --  *      *       0.0.0.0/0            10.2.0.64/26        10.3.0.64/26
Gary Smith
________________________________
From: netfilter-devel-bounces@lists.netfilter.org on behalf of Gary W. Smith
Sent: Fri 4/15/2005 11:42 AM
To: netfilter-devel@lists.netfilter.org
Subject: Modifications to netmap target
After talking to Jason over on the netfilter users list about netmap target I found that it doesn't support the output chain of nat.
I was looking through the code and found that it only registers itself with the pre- and post-routing chains. I was wondering if adding support for the output chain was as simple as adding the hook for the local_out and then ensuring that the correct modifications are made. The following looks logically correct from looking into some of the source code for other modules. Would more be required to make the output nat work with netmap?
Example.
if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING))) {
DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
return 0;
}
to:
if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_LOCAL_OUT) )) {
DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
return 0;
}
and
if (hooknum == NF_IP_PRE_ROUTING)
new_ip = (*pskb)->nh.iph->daddr & ~netmask;
else
to:
if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
new_ip = (*pskb)->nh.iph->daddr & ~netmask;
else
I put the above changes in and compiled, and I was able to load the table, but I'm not sure what the other impacts might be. Comments would be greatly appreciated.
/sbin/iptables -t nat -A PREROUTING -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.80/29 -j NETMAP --to 10.0.0.56/29
/sbin/iptables -t nat -A OUTPUT -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NETMAP     all  --  anywhere             10.0.0.56/29        10.0.0.80/29

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
NETMAP     all  --  10.0.0.80/29         anywhere            10.0.0.56/29

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NETMAP     all  --  anywhere             10.0.0.56/29        10.0.0.80/29
Gary Smith
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Modifications to netmap target
2005-04-15 18:42 Modifications to netmap target Gary W. Smith
@ 2005-04-15 20:27 ` Pablo Neira
2005-04-17 22:09 ` Patrick McHardy
1 sibling, 0 replies; 5+ messages in thread
From: Pablo Neira @ 2005-04-15 20:27 UTC (permalink / raw)
To: Gary W. Smith; +Cc: netfilter-devel
Gary W. Smith wrote:
> After talking to Jason over on the netfilter users list about netmap target I found that it doesn't support the output chain of nat.
>
> I was looking through the code and found that it only registers itself with the pre- and post-routing chains. I was wondering if adding support for the output chain was as simple as adding the hook for the local_out and then ensuring that the correct modifications are made. The following looks logically correct from looking into some of the source code for other modules. Would more be required to make the output nat work with netmap?
>
> Example.
> if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING))) {
> DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
> return 0;
> }
> to:
> if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_LOCAL_OUT) )) {
> DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
> return 0;
> }
>
> and
> if (hooknum == NF_IP_PRE_ROUTING)
> new_ip = (*pskb)->nh.iph->daddr & ~netmask;
> else
> to:
> if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
> new_ip = (*pskb)->nh.iph->daddr & ~netmask;
> else
>
> I put the above changes in and compiled, and I was able to load the table, but I'm not sure what the other impacts might be. Comments would be greatly appreciated.
>
> /sbin/iptables -t nat -A PREROUTING -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
> /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.80/29 -j NETMAP --to 10.0.0.56/29
> /sbin/iptables -t nat -A OUTPUT -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
There's something that I don't understand yet: why do you want to use
NETMAP in the OUTPUT chain?
--
Pablo
^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: Modifications to netmap target
@ 2005-04-15 20:28 Gary W. Smith
0 siblings, 0 replies; 5+ messages in thread
From: Gary W. Smith @ 2005-04-15 20:28 UTC (permalink / raw)
To: Pablo Neira; +Cc: netfilter-devel
Well, if for some reason I need to access a server using the external IP from the firewall itself, it would respond to itself and not map it to the NAT'd server.
What happens for me is that our DNS resolves to the external IP, and then when the firewall does things like send out alerts via email, etc., it would bounce to itself. There were a few other issues that I had a couple of years ago but I can't remember them off the top of my head. But anyway, putting the rules in the output nat for DNAT always solved those problems, letting the firewall/gateway know that these addresses weren't local to itself.
Try doing a pre/post SNAT/DNAT on the firewall and then try to make a connection (such as ssh) to the NAT'd IP and you'll see what I mean. You'll still be on the firewall.
We accomplish this with 128 lines of NATing in the output chain. By using NETMAP we drop it to 4 (because I have some subnetting going on).
Gary
________________________________
From: Pablo Neira [mailto:pablo@eurodev.net]
Sent: Fri 4/15/2005 1:27 PM
To: Gary W. Smith
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: Modifications to netmap target
Gary W. Smith wrote:
> After talking to Jason over on the netfilter users list about netmap target I found that it doesn't support the output chain of nat.
>
> I was looking through the code and found that it only registers itself with the pre- and post-routing chains. I was wondering if adding support for the output chain was as simple as adding the hook for the local_out and then ensuring that the correct modifications are made. The following looks logically correct from looking into some of the source code for other modules. Would more be required to make the output nat work with netmap?
>
> Example.
> if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING))) {
> DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
> return 0;
> }
> to:
> if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_LOCAL_OUT) )) {
> DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
> return 0;
> }
>
> and
> if (hooknum == NF_IP_PRE_ROUTING)
> new_ip = (*pskb)->nh.iph->daddr & ~netmask;
> else
> to:
> if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
> new_ip = (*pskb)->nh.iph->daddr & ~netmask;
> else
>
> I put the above changes in and compiled, and I was able to load the table, but I'm not sure what the other impacts might be. Comments would be greatly appreciated.
>
> /sbin/iptables -t nat -A PREROUTING -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
> /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.80/29 -j NETMAP --to 10.0.0.56/29
> /sbin/iptables -t nat -A OUTPUT -d 10.0.0.56/29 -j NETMAP --to 10.0.0.80/29
There's something that I don't understand yet: why do you want to use
NETMAP in the OUTPUT chain?
--
Pablo
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Modifications to netmap target
2005-04-15 18:42 Modifications to netmap target Gary W. Smith
2005-04-15 20:27 ` Pablo Neira
@ 2005-04-17 22:09 ` Patrick McHardy
1 sibling, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2005-04-17 22:09 UTC (permalink / raw)
To: Gary W. Smith; +Cc: netfilter-devel
Gary W. Smith wrote:
> After talking to Jason over on the netfilter users list about netmap target I found that it doesn't support the output chain of nat.
>
> I was looking through the code and found that it only registers itself with the pre- and post-routing chains. I was wondering if adding support for the output chain was as simple as adding the hook for the local_out and then ensuring that the correct modifications are made. The following looks logically correct from looking into some of the source code for other modules. Would more be required to make the output nat work with netmap?
>
> Example.
> if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING))) {
> DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
> return 0;
> }
> to:
> if (hook_mask & ~((1 << NF_IP_PRE_ROUTING) | (1 << NF_IP_POST_ROUTING) | (1 << NF_IP_LOCAL_OUT) )) {
> DEBUGP(MODULENAME":check: bad hooks %x.\n", hook_mask);
> return 0;
> }
>
> and
> if (hooknum == NF_IP_PRE_ROUTING)
> new_ip = (*pskb)->nh.iph->daddr & ~netmask;
> else
> to:
> if (hooknum == NF_IP_PRE_ROUTING || hooknum == NF_IP_LOCAL_OUT)
> new_ip = (*pskb)->nh.iph->daddr & ~netmask;
> else
>
> I put the above changes in and compiled, and I was able to load the table, but I'm not sure what the other impacts might be. Comments would be greatly appreciated.
Should work fine. Can you submit a patch? But please break
the hook_mask & ... line at 80 characters.
Regards
Patrick
^ permalink raw reply [flat|nested] 5+ messages in thread
Thread overview: 5+ messages
2005-04-15 18:42 Modifications to netmap target Gary W. Smith
2005-04-15 20:27 ` Pablo Neira
2005-04-17 22:09 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2005-04-15 19:55 Gary W. Smith
2005-04-15 20:28 Gary W. Smith