REDIRECT changes DST address of the packet

REDIRECT changes DST address of the packet

[Venkata Narayana]

Hello,
 
My question is if I use REDIRECT action in
NAT PREROUTING table  is it going to change the tcp
packet DST address.
 
If I lose original DST address, how can I persist
that value in that packet.

Can you give information how the packet is getting
converted in this scenario.



Thanks in advance.
 
Nari.



		
____________________________________________________ 
Yahoo! Sports 
Rekindle the Rivalries. Sign up for Fantasy Football 
http://football.fantasysports.yahoo.com

Re: REDIRECT changes DST address of the packet

[Krzysztof Oledzki]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 370 bytes --]



On Thu, 30 Jun 2005, Venkata Narayana wrote:

>
> Hello,
>
> My question is if I use REDIRECT action in
> NAT PREROUTING table  is it going to change the tcp
> packet DST address.
>
> If I lose original DST address, how can I persist
> that value in that packet.

Please use getsockopt() with SO_ORIGINAL_DST.

Best regards,


 				Krzysztof Olędzki

Re: REDIRECT changes DST address of the packet

[Peter Surda]

On Thu, 30 Jun 2005 10:08:55 +0200 (CEST) Krzysztof Oledzki <olenf@ans.pl>
wrote:

>> If I lose original DST address, how can I persist
>> that value in that packet.
>Please use getsockopt() with SO_ORIGINAL_DST.
Hehe you were faster than me :-).

Nari, if you don't understand how to do this, check out the source of some
transparent proxies (squid, p3scan) for examples (as Krzysztof said, grep for
SO_ORIGINAL_DST). I think it's straightforward, I even managed to reproduce this
in perl without using any C.

>Best regards,
> 				Krzysztof Olędzki
Yours sincerely,
Peter

Re: REDIRECT changes DST address of the packet

[Venkata Narayana]

Thanks Peter, Krzysztof and All,

I am able to get the original Destination address and
able to solve the problem.
Thanks once again.
Nari.

--- Peter Surda <shurdeek@routehat.org> wrote:

> On Thu, 30 Jun 2005 10:08:55 +0200 (CEST) Krzysztof
> Oledzki <olenf@ans.pl>
> wrote:
> 
> >> If I lose original DST address, how can I persist
> >> that value in that packet.
> >Please use getsockopt() with SO_ORIGINAL_DST.
> Hehe you were faster than me :-).
> 
> Nari, if you don't understand how to do this, check
> out the source of some
> transparent proxies (squid, p3scan) for examples (as
> Krzysztof said, grep for
> SO_ORIGINAL_DST). I think it's straightforward, I
> even managed to reproduce this
> in perl without using any C.
> 
> >Best regards,
> > 				Krzysztof Olędzki
> Yours sincerely,
> Peter
> 
> 



		
____________________________________________________ 
Yahoo! Sports 
Rekindle the Rivalries. Sign up for Fantasy Football 
http://football.fantasysports.yahoo.com

Re: REDIRECT changes DST address of the packet

[Jan Engelhardt]

>Hello,
> 
>My question is if I use REDIRECT action in
>NAT PREROUTING table  is it going to change the tcp
>packet DST address.
> 
>If I lose original DST address, how can I persist
>that value in that packet.

You can't really with PREROUTING (except of course, said getsockopt() call)
If you want to transparently redirect packets, you might want to use ROUTE or 
TPROXY, depending on what you really want.



Jan Engelhardt                                                               
--                                                                            
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de

Re: REDIRECT changes DST address of the packet

[Venkata Narayana]

Hi,

Thanks,
I am able to get the original dst address when I am
using tcp connection.
How can I get with UDP???
I my case of UDP we bind to single
fd and all packets irrespective of original
destination get delivered to same fd.

Thanks,
Venkat.


--- Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:

> >Hello,
> > 
> >My question is if I use REDIRECT action in
> >NAT PREROUTING table  is it going to change the tcp
> >packet DST address.
> > 
> >If I lose original DST address, how can I persist
> >that value in that packet.
> 
> You can't really with PREROUTING (except of course,
> said getsockopt() call)
> If you want to transparently redirect packets, you
> might want to use ROUTE or 
> TPROXY, depending on what you really want.
> 
> 
> 
> Jan Engelhardt                                      
>                         
> --                                                  
>                          
> | Gesellschaft fuer Wissenschaftliche
> Datenverarbeitung Goettingen,
> | Am Fassberg, 37077 Goettingen, www.gwdg.de
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: REDIRECT changes DST address of the packet

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 228 bytes --]

Venkata Narayana wrote:
> Hi,
> 
> Thanks,
> I am able to get the original dst address when I am
> using tcp connection.
> How can I get with UDP???

Does this patch help? It should make SO_ORIGINAL_DST usable
with UDP as well.

[-- Attachment #2: SO_ORIGINAL_DST-udp.diff --]
[-- Type: text/x-patch, Size: 1133 bytes --]

[NETFILTER]: Make SO_ORIGINAL_DST usable for UDP

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit f65e246c7c05b208494de20f38973393d6b30155
tree 6437e0491ba99ec326c59ca0ac65300c2f01a804
parent eb82d02518ac3a400663163995097749d91c7c4c
author Patrick McHardy <kaber@trash.net> Tue, 26 Jul 2005 01:58:27 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 26 Jul 2005 01:58:27 +0200

 net/ipv4/netfilter/ip_conntrack_core.c |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1310,9 +1310,8 @@ getorigdst(struct sock *sk, int optval, 
 	tuple.dst.u.tcp.port = inet->dport;
 	tuple.dst.protonum = IPPROTO_TCP;
 
-	/* We only do TCP at the moment: is there a better way? */
-	if (strcmp(sk->sk_prot->name, "TCP")) {
-		DEBUGP("SO_ORIGINAL_DST: Not a TCP socket\n");
+	if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_UDP) {
+		DEBUGP("SO_ORIGINAL_DST: Not a TCP/UDP socket\n");
 		return -ENOPROTOOPT;
 	}
 

Re: REDIRECT changes DST address of the packet

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 638 bytes --]

Patrick McHardy wrote:
> Venkata Narayana wrote:
> 
>> I am able to get the original dst address when I am
>> using tcp connection.
>> How can I get with UDP???
> 
> Does this patch help? It should make SO_ORIGINAL_DST usable
> with UDP as well.
> 
> diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
> --- a/net/ipv4/netfilter/ip_conntrack_core.c
> +++ b/net/ipv4/netfilter/ip_conntrack_core.c
> @@ -1310,9 +1310,8 @@ getorigdst(struct sock *sk, int optval, 
>  	tuple.dst.u.tcp.port = inet->dport;
>  	tuple.dst.protonum = IPPROTO_TCP;

Please try this patch instead, I missed the above line.

[-- Attachment #2: SO_ORIGINAL_DST-udp.diff --]
[-- Type: text/x-patch, Size: 1245 bytes --]

[NETFILTER]: Make SO_ORIGINAL_DST usable for UDP

Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 59740eead041f1e9c22555a5107bf9ca98a780da
tree a4d80f970e9fa526bff6c173cfe6d5a0610279a4
parent eb82d02518ac3a400663163995097749d91c7c4c
author Patrick McHardy <kaber@trash.net> Tue, 26 Jul 2005 02:19:09 +0200
committer Patrick McHardy <kaber@trash.net> Tue, 26 Jul 2005 02:19:09 +0200

 net/ipv4/netfilter/ip_conntrack_core.c |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1308,11 +1308,10 @@ getorigdst(struct sock *sk, int optval, 
 	tuple.src.u.tcp.port = inet->sport;
 	tuple.dst.ip = inet->daddr;
 	tuple.dst.u.tcp.port = inet->dport;
-	tuple.dst.protonum = IPPROTO_TCP;
+	tuple.dst.protonum = sk->sk_protocol;
 
-	/* We only do TCP at the moment: is there a better way? */
-	if (strcmp(sk->sk_prot->name, "TCP")) {
-		DEBUGP("SO_ORIGINAL_DST: Not a TCP socket\n");
+	if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_UDP) {
+		DEBUGP("SO_ORIGINAL_DST: Not a TCP/UDP socket\n");
 		return -ENOPROTOOPT;
 	}
 

Re: REDIRECT changes DST address of the packet

[Venkata Narayana]

Thank you Patrick. 

Here I'm using single fd wor multiple addresses. so
theoritically speaking it won't work with this... In
udp recvmsg function if we can get the address then 
it  sounds good.

If I am wrong sorry for that.

Thanks,
Venkat


--- Patrick McHardy <kaber@trash.net> wrote:

> Patrick McHardy wrote:
> > Venkata Narayana wrote:
> > 
> >> I am able to get the original dst address when I
> am
> >> using tcp connection.
> >> How can I get with UDP???
> > 
> > Does this patch help? It should make
> SO_ORIGINAL_DST usable
> > with UDP as well.
> > 
> > diff --git
> a/net/ipv4/netfilter/ip_conntrack_core.c
> b/net/ipv4/netfilter/ip_conntrack_core.c
> > --- a/net/ipv4/netfilter/ip_conntrack_core.c
> > +++ b/net/ipv4/netfilter/ip_conntrack_core.c
> > @@ -1310,9 +1310,8 @@ getorigdst(struct sock *sk,
> int optval, 
> >  	tuple.dst.u.tcp.port = inet->dport;
> >  	tuple.dst.protonum = IPPROTO_TCP;
> 
> Please try this patch instead, I missed the above
> line.
> > [NETFILTER]: Make SO_ORIGINAL_DST usable for UDP
> 
> Signed-off-by: Patrick McHardy <kaber@trash.net>
> 
> ---
> commit 59740eead041f1e9c22555a5107bf9ca98a780da
> tree a4d80f970e9fa526bff6c173cfe6d5a0610279a4
> parent eb82d02518ac3a400663163995097749d91c7c4c
> author Patrick McHardy <kaber@trash.net> Tue, 26 Jul
> 2005 02:19:09 +0200
> committer Patrick McHardy <kaber@trash.net> Tue, 26
> Jul 2005 02:19:09 +0200
> 
>  net/ipv4/netfilter/ip_conntrack_core.c |    7
> +++----
>  1 files changed, 3 insertions(+), 4 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/ip_conntrack_core.c
> b/net/ipv4/netfilter/ip_conntrack_core.c
> --- a/net/ipv4/netfilter/ip_conntrack_core.c
> +++ b/net/ipv4/netfilter/ip_conntrack_core.c
> @@ -1308,11 +1308,10 @@ getorigdst(struct sock *sk,
> int optval, 
>  	tuple.src.u.tcp.port = inet->sport;
>  	tuple.dst.ip = inet->daddr;
>  	tuple.dst.u.tcp.port = inet->dport;
> -	tuple.dst.protonum = IPPROTO_TCP;
> +	tuple.dst.protonum = sk->sk_protocol;
>  
> -	/* We only do TCP at the moment: is there a better
> way? */
> -	if (strcmp(sk->sk_prot->name, "TCP")) {
> -		DEBUGP("SO_ORIGINAL_DST: Not a TCP socket\n");
> +	if (sk->sk_protocol != IPPROTO_TCP &&
> sk->sk_protocol != IPPROTO_UDP) {
> +		DEBUGP("SO_ORIGINAL_DST: Not a TCP/UDP
> socket\n");
>  		return -ENOPROTOOPT;
>  	}
>  
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: REDIRECT changes DST address of the packet

[KOVACS Krisztian]

  Hi,

2005-07-26, k keltezéssel 02.20-kor Patrick McHardy ezt írta:
> >> I am able to get the original dst address when I am
> >> using tcp connection.
> >> How can I get with UDP???
> > 
> > Does this patch help? It should make SO_ORIGINAL_DST usable
> > with UDP as well.
> > 
> > diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
> > --- a/net/ipv4/netfilter/ip_conntrack_core.c
> > +++ b/net/ipv4/netfilter/ip_conntrack_core.c
> > @@ -1310,9 +1310,8 @@ getorigdst(struct sock *sk, int optval, 
> >  	tuple.dst.u.tcp.port = inet->dport;
> >  	tuple.dst.protonum = IPPROTO_TCP;

  Patrick, I'm afraid this is not enough for a full-featured UDP
solution. If you're using a single socket to receive UDP packets sent to
multiple original addresses this approach simply fails. A better
solution would require receiving the original destination address in a
per-packet manner.

  We're using something similar as part of the transparent proxying
patchset, but unfortunately this requires enlarging the skb and is a
little hackish. The patch introduces an IP_RECVORIGADDRS socket option.
If you enable this sockopt on a UDP socket, then recvmsg() will return
the original addresses as a control message.

-- 
 Regards,
  Krisztian Kovacs

Re: REDIRECT changes DST address of the packet

[Patrick McHardy]

KOVACS Krisztian wrote:

>   Patrick, I'm afraid this is not enough for a full-featured UDP
> solution. If you're using a single socket to receive UDP packets sent to
> multiple original addresses this approach simply fails. A better
> solution would require receiving the original destination address in a
> per-packet manner.

You're right, it doesn't work for unconnected sockets. I'm looking into
other possibilities now. I'm thinking of something similar to
SIOCGSTAMP - altough this would require increasing the size of struct
sock.

>   We're using something similar as part of the transparent proxying
> patchset, but unfortunately this requires enlarging the skb and is a
> little hackish. The patch introduces an IP_RECVORIGADDRS socket option.
> If you enable this sockopt on a UDP socket, then recvmsg() will return
> the original addresses as a control message.

Why does the skb need to be enlarged?

Regards
Patrick

Re: REDIRECT changes DST address of the packet

[KOVACS Krisztian]

  Hi,

2005-07-26, k keltezéssel 11.51-kor Patrick McHardy ezt írta:
> >   We're using something similar as part of the transparent proxying
> > patchset, but unfortunately this requires enlarging the skb and is a
> > little hackish. The patch introduces an IP_RECVORIGADDRS socket option.
> > If you enable this sockopt on a UDP socket, then recvmsg() will return
> > the original addresses as a control message.
> 
> Why does the skb need to be enlarged?

  To store the original address (it's stored in IPCB(skb)). Hmm, now
that you say, actually I'm not sure you have to enlarge it. At the
moment struct inet_skb_parm is small enough, so we might be able to put
the original address information into skb->cb. I'm not sure what would
be the right location for such information, however.

-- 
 Regards,
  Krisztian Kovacs

Re: REDIRECT changes DST address of the packet

[Venkata Narayana]

Hello Patric/Krisztian,

As Mr Krisztian suggested I was able to patch the
2.6.11 kernel with tproxy but trying to use
IP_RECVORIGADDRS socket option on udp socket. If it is
natted traffic I am unable to receive the message.
Can you suggest the alternative mechanism to get the
original DSt address in UDP transaction.

Thanks,
Venkat.



--- Patrick McHardy <kaber@trash.net> wrote:

> KOVACS Krisztian wrote:
> 
> >   Patrick, I'm afraid this is not enough for a
> full-featured UDP
> > solution. If you're using a single socket to
> receive UDP packets sent to
> > multiple original addresses this approach simply
> fails. A better
> > solution would require receiving the original
> destination address in a
> > per-packet manner.
> 
> You're right, it doesn't work for unconnected
> sockets. I'm looking into
> other possibilities now. I'm thinking of something
> similar to
> SIOCGSTAMP - altough this would require increasing
> the size of struct
> sock.
> 
> >   We're using something similar as part of the
> transparent proxying
> > patchset, but unfortunately this requires
> enlarging the skb and is a
> > little hackish. The patch introduces an
> IP_RECVORIGADDRS socket option.
> > If you enable this sockopt on a UDP socket, then
> recvmsg() will return
> > the original addresses as a control message.
> 
> Why does the skb need to be enlarged?
> 
> Regards
> Patrick
> 



		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 
 

Rate limit

[Venkata Narayana]

Hi All,

Can i get any  developer documentation on rate limit
module.
I would like to work on rate limit stuff.

Please provide me the details releated to that.

Thanks,
Venkat.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Netfilter Hook

[Venkata Narayana]

Hi All,

Can you please guide me to write a hook for
netfilter...
How we can write like NF_ACCEPT/NF_DROP/NF_STOLEN/ ...


Thanks,
Venkat.



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: Rate limit

[Jan Engelhardt]

>Hi All,
>
>Can i get any  developer documentation on rate limit
>module.

It is documented. See `man iptables`. If it does not show up there under the
section "limit", "dstlimit" or "hashlimit", check the POM-ng tree which
definitely does have the help texts.


Jan Engelhardt
-- 

UDP Transparent Proxy

[Venkata Narayana]

Hi,

I am developing a transparent proxy feature for my UDP
based server. I am using iptables to redirect message
to my server but I am not able to persist the original
dst address.
I am able implement similar feature for TCP server
using getoption. 

Can you plese guide me in this.

Thanks,
Venkat.



		
____________________________________________________
Start your day with Yahoo! - make it your home page 
http://www.yahoo.com/r/hs 
 

REDIRECT changes DST address of the packet

[Venkata Narayana]

Hello,
 
 I am new to this mailing list sorry If I ask any
 thing wrong.

 My question is if I use REDIRECT action in
 PREROUTINg
 rule is it going to change the tcp packet DST
 address.
 
 If I lose original DST address, how can I persist
 that
 value in that packet.
 
 Help me !!!
 
 Thanks in advance.
 
 Nari.
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> http://mail.yahoo.com 
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: REDIRECT changes DST address of the packet

[George Alexandru Dragoi]

Yes, it is changed to a local address i think (or loopback one). The
original address is restored after routing by NAT system to packets
which comes back (as source address).


>  If I lose original DST address, how can I persist
>  that
>  value in that packet.

Well, i didn't quite get this last worry of you.

Re: REDIRECT changes DST address of the packet

[Jason Lunz]

mesg2nari@yahoo.com said:
>  I am new to this mailing list sorry If I ask any thing wrong.
>
>  My question is if I use REDIRECT action in PREROUTINg rule is it
>  going to change the tcp packet DST address.
>  
>  If I lose original DST address, how can I persist that value in that
>  packet.

I think you're looking for the SO_ORIGINAL_DST sockopt.

Jason

REDIRECT changes DST address of the packet

[Venkata Narayana]

Hello,

I am new to this mailing list sorry If I ask any thing
wrong.

My question is if I use REDIRECT action in PREROUTINg
rule is it going to change the tcp packet DST address.

If I lose original DST address, how can I persist that
value in that packet.

Help me !!!

Thanks in advance.

Nari.


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com