From: Patrick McHardy <kaber@trash.net>
To: Thomas Egerer <thomas.Egerer@secunet.com>
Cc: netfilter@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>
Subject: Re: libipq NAT causes RSTs
Date: Thu, 13 Dec 2007 18:26:48 +0100 [thread overview]
Message-ID: <47616B58.1000300@trash.net> (raw)
In-Reply-To: <47614E80.9050504@secunet.com>
Thomas Egerer wrote:
> I'm currently (trying) to write a transparent proxy application, using
> libipq to capture packets + iptables' redirect mechanism.
> The basic idea works as follows:
> +---+ +---+ +---+
> | S |<---->| P |<---->| D |
> +---+ (1) +---+ (2) +---+
>
> (1) uses iptables' REDIRECT target; the received data is then forwarded,
> using another socket connection (2)
> (2) uses libipq to do some kind of SNAT and change the local source
> address to S's address and vice versa for the incoming packets
> from D
>
> So far the theory. The application works fine, as long, as I do not
> remap the source port (destination port, respectively) from P to D (2). Once
> I enable the port remapping I get
> a) syslog messages like the following:
> [ 7742.939471] ip_rt_bug: [S' IP] -> [P's IP at (2)], ?
> b) RST packets from P towards D, using exactly all the correct TCP
> settings, except for the destination port, (being 1, sometimes 2, or 3,
> I couldn't figure out, why)
>
> The three-way-handshake works fine, the RSTs are generated
> for the _first_ packet to contain a _TCP-payload_. Also netstat tells me,
> there is an established connection between P and D, but somehow (I
> assume that this might be the trouble) looking for the corresponding
> socket connection on P fails.
> I'm totally puzzled why that happens. libipq reinjects the packets with
> properly changed checksums and whatnot, yet the RSTs are generated.
> I've also tried NF_REPEAT, instead of the NF_ACCEPT verdict. The
> behavior remains identically.
>
> Any ideas, anyone?
Most likely you're changing the source to a non-local address in
LOCAL_OUT, causing rerouting of the packet and resulting in an
input route instead of an output one. When dst_output is called
you hit ip_rt_bug, dropping the packet. When this is the first
packet of a connection, the connection tracking entry and
NAT mappings are destroyed. Not sure whats causing the RSTs
then, but its probably related to that.
Does changing:
return ip_route_me_harder(skb, RTN_UNSPEC);
to
return ip_route_me_harder(skb, RTN_LOCAL);
in net/ipv4/netfilter.c:nf_ip_reroute have any effect?
prev parent reply other threads:[~2007-12-13 17:26 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-13 15:23 libipq NAT causes RSTs Thomas Egerer
2007-12-13 17:26 ` Patrick McHardy [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47616B58.1000300@trash.net \
--to=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=thomas.Egerer@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.