[PATCH] NAT and requests to unrouted targets

[PATCH] NAT and requests to unrouted targets

[Martin Schiller]

[-- Attachment #1: Type: text/plain, Size: 277 bytes --]


This patch changes the behaivor of the iptables nat module to the style
before release 2.6.16 so it is possible again to use the "ping -I <iface>
<target>" command to send icmp requests to a target for which no route
exists.

Signed-off-by: Martin Schiller <mschiller@tdt.de>

[-- Attachment #2: iptables_nat_unrouted_ping.patch --]
[-- Type: application/octet-stream, Size: 811 bytes --]

diff -uNpr linux-2.6.19.org/net/ipv4/netfilter/ip_nat_standalone.c linux-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c
--- linux-2.6.19.org/net/ipv4/netfilter/ip_nat_standalone.c	2006-11-29 22:57:37.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c	2007-03-15 08:25:11.000000000 +0100
@@ -191,11 +191,13 @@ ip_nat_in(unsigned int hooknum,
           int (*okfn)(struct sk_buff *))
 {
 	unsigned int ret;
+	__be32 saddr = (*pskb)->nh.iph->saddr;
 	__be32 daddr = (*pskb)->nh.iph->daddr;
 
 	ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
 	if (ret != NF_DROP && ret != NF_STOLEN
-	    && daddr != (*pskb)->nh.iph->daddr) {
+	    && ((*pskb)->nh.iph->saddr != saddr
+	        || (*pskb)->nh.iph->daddr != daddr)) {
 		dst_release((*pskb)->dst);
 		(*pskb)->dst = NULL;
 	}

Re: [PATCH] NAT and requests to unrouted targets

[Patrick McHardy]

Martin Schiller wrote:
> This patch changes the behaivor of the iptables nat module to the style
> before release 2.6.16 so it is possible again to use the "ping -I <iface>
> <target>" command to send icmp requests to a target for which no route
> exists.

Please attach patches inline and send netfilter related patches to
netfilter-devel@lists.netfilter.org.

Quoted for reference:

diff -uNpr linux-2.6.19.org/net/ipv4/netfilter/ip_nat_standalone.c
linux-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c
--- linux-2.6.19.org/net/ipv4/netfilter/ip_nat_standalone.c
2006-11-29 22:57:37.000000000 +0100
+++ linux-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c 2007-03-15
08:25:11.000000000 +0100
@@ -191,11 +191,13 @@ ip_nat_in(unsigned int hooknum,
           int (*okfn)(struct sk_buff *))
 {
        unsigned int ret;
+       __be32 saddr = (*pskb)->nh.iph->saddr;
        __be32 daddr = (*pskb)->nh.iph->daddr;

        ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
        if (ret != NF_DROP && ret != NF_STOLEN
-           && daddr != (*pskb)->nh.iph->daddr) {
+           && ((*pskb)->nh.iph->saddr != saddr
+               || (*pskb)->nh.iph->daddr != daddr)) {
                dst_release((*pskb)->dst);
                (*pskb)->dst = NULL;
        }

I don't see how this would change anything, the PRE_ROUTING hook
doesn't change the source address, so the comparison is unnecessary,
additionally the dst_release is only needed for loopback because
packets received from a real interface don't have a route attached
at this time.

RE: [PATCH] NAT and requests to unrouted targets

[Martin Schiller]

On Thursday, March 15, 2007 9:51 AM, Patrick McHardy wrote:

> diff -uNpr linux-2.6.19.org/net/ipv4/netfilter/ip_nat_standalone.c
> linux-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c
> --- linux-2.6.19.org/net/ipv4/netfilter/ip_nat_standalone.c
> 2006-11-29 22:57:37.000000000 +0100
> +++ linux-2.6.19/net/ipv4/netfilter/ip_nat_standalone.c 2007-03-15
> 08:25:11.000000000 +0100
> @@ -191,11 +191,13 @@ ip_nat_in(unsigned int hooknum,
>            int (*okfn)(struct sk_buff *))  {
>         unsigned int ret;
> +       __be32 saddr = (*pskb)->nh.iph->saddr;
>         __be32 daddr = (*pskb)->nh.iph->daddr;
> 
>         ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
>         if (ret != NF_DROP && ret != NF_STOLEN
> -           && daddr != (*pskb)->nh.iph->daddr) {
> +           && ((*pskb)->nh.iph->saddr != saddr
> +               || (*pskb)->nh.iph->daddr != daddr)) {
>                 dst_release((*pskb)->dst);
>                 (*pskb)->dst = NULL;
>         }
> 
> I don't see how this would change anything, the PRE_ROUTING hook
> doesn't change the source address, so the comparison is unnecessary,
> additionally the dst_release is only needed for loopback because
> packets received from a real interface don't have a route attached at
> this time.    

Sorry, you are right. This wouldn't change anything.
I've tested so much to find the responsible peace of code for my problem, so
i messed up some things here.

Well, the really responsible code is the following:

------------------------------------------------------------------------
static unsigned int
ip_nat_local_fn(unsigned int hooknum,
		struct sk_buff **pskb,
		const struct net_device *in,
		const struct net_device *out,
		int (*okfn)(struct sk_buff *))
{
	struct ip_conntrack *ct;
	enum ip_conntrack_info ctinfo;
	unsigned int ret;

	/* root is playing with raw sockets. */
	if ((*pskb)->len < sizeof(struct iphdr)
	    || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
		return NF_ACCEPT;

	ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
	if (ret != NF_DROP && ret != NF_STOLEN
	    && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

		if (ct->tuplehash[dir].tuple.dst.ip !=
		    ct->tuplehash[!dir].tuple.src.ip
#ifdef CONFIG_XFRM
		    || ct->tuplehash[dir].tuple.dst.u.all !=
		       ct->tuplehash[!dir].tuple.src.u.all
#endif
		    )
			if (ip_route_me_harder(pskb, RTN_UNSPEC))
				ret = NF_DROP;
	}
	return ret;
}
----------------------------------------------------------------------------

To be more exactly, it's the examination of
"ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all"
which is only be done if XFRM is configured. Since I don't need this anyway,
I deactivated XFRM now and my "ping -I" is working now. 

Regards, Martin

Re: [PATCH] NAT and requests to unrouted targets

[Patrick McHardy]

Martin Schiller wrote:
> Well, the really responsible code is the following:
> 
> ------------------------------------------------------------------------
> static unsigned int
> ip_nat_local_fn(unsigned int hooknum,
> 		struct sk_buff **pskb,
> 		const struct net_device *in,
> 		const struct net_device *out,
> 		int (*okfn)(struct sk_buff *))
> {
> 	struct ip_conntrack *ct;
> 	enum ip_conntrack_info ctinfo;
> 	unsigned int ret;
> 
> 	/* root is playing with raw sockets. */
> 	if ((*pskb)->len < sizeof(struct iphdr)
> 	    || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr))
> 		return NF_ACCEPT;
> 
> 	ret = ip_nat_fn(hooknum, pskb, in, out, okfn);
> 	if (ret != NF_DROP && ret != NF_STOLEN
> 	    && (ct = ip_conntrack_get(*pskb, &ctinfo)) != NULL) {
> 		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
> 
> 		if (ct->tuplehash[dir].tuple.dst.ip !=
> 		    ct->tuplehash[!dir].tuple.src.ip
> #ifdef CONFIG_XFRM
> 		    || ct->tuplehash[dir].tuple.dst.u.all !=
> 		       ct->tuplehash[!dir].tuple.src.u.all
> #endif
> 		    )
> 			if (ip_route_me_harder(pskb, RTN_UNSPEC))
> 				ret = NF_DROP;
> 	}
> 	return ret;
> }
> ----------------------------------------------------------------------------
> 
> To be more exactly, it's the examination of
> "ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all"
> which is only be done if XFRM is configured. Since I don't need this anyway,
> I deactivated XFRM now and my "ping -I" is working now. 


You're right, that doesn't really work for ICMP since the tuples are
asymetric even without NAT. I didn't expect the unnecessary call to
ip_route_me_harder to have any side-effects. I'll look into fixing
this properly.

Re: [PATCH] NAT and requests to unrouted targets

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 369 bytes --]

Martin Schiller wrote:
> To be more exactly, it's the examination of
> "ct->tuplehash[dir].tuple.dst.u.all != ct->tuplehash[!dir].tuple.src.u.all"
> which is only be done if XFRM is configured. Since I don't need this anyway,
> I deactivated XFRM now and my "ping -I" is working now. 


Could you try this patch (against current -git) with CONFIG_XFRM
enabled please?


[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1705 bytes --]

diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index adf25f9..6bcfdf6 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -253,14 +253,17 @@ ip_nat_local_fn(unsigned int hooknum,
 		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
 		if (ct->tuplehash[dir].tuple.dst.ip !=
-		    ct->tuplehash[!dir].tuple.src.ip
-#ifdef CONFIG_XFRM
-		    || ct->tuplehash[dir].tuple.dst.u.all !=
-		       ct->tuplehash[!dir].tuple.src.u.all
-#endif
-		    )
+		    ct->tuplehash[!dir].tuple.src.ip) {
 			if (ip_route_me_harder(pskb, RTN_UNSPEC))
 				ret = NF_DROP;
+		}
+#ifdef CONFIG_XFRM
+		else if (ct->tuplehash[dir].tuple.dst.u.all !=
+			 ct->tuplehash[!dir].tuple.src.u.all)
+			if (ip_xfrm_me_harder(pskb))
+				ret = NF_DROP;
+#endif
+
 	}
 	return ret;
 }
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index e4d3ef1..15aa3db 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -245,14 +245,16 @@ nf_nat_local_fn(unsigned int hooknum,
 		enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
 
 		if (ct->tuplehash[dir].tuple.dst.u3.ip !=
-		    ct->tuplehash[!dir].tuple.src.u3.ip
-#ifdef CONFIG_XFRM
-		    || ct->tuplehash[dir].tuple.dst.u.all !=
-		       ct->tuplehash[!dir].tuple.src.u.all
-#endif
-		    )
+		    ct->tuplehash[!dir].tuple.src.u3.ip) {
 			if (ip_route_me_harder(pskb, RTN_UNSPEC))
 				ret = NF_DROP;
+		}
+#ifdef CONFIG_XFRM
+		else if (ct->tuplehash[dir].tuple.dst.u.all !=
+			 ct->tuplehash[!dir].tuple.src.u.all)
+			if (ip_xfrm_me_harder(pskb))
+				ret = NF_DROP;
+#endif
 	}
 	return ret;
 }

RE: [PATCH] NAT and requests to unrouted targets

[Martin Schiller]

On Monday, March 19, 2007 5:02 PM, Patrick McHardy wrote:

> Martin Schiller wrote:
>> To be more exactly, it's the examination of
>> "ct->tuplehash[dir].tuple.dst.u.all !=
>> ct->tuplehash[!dir].tuple.src.u.all" which is only be done if XFRM
>> is configured. Since I don't need this anyway, I deactivated XFRM
>> now and my "ping -I" is working now. 
> 
> 
> Could you try this patch (against current -git) with CONFIG_XFRM
> enabled please? 

I've tried it and the ping is still working now with enabled CONFIG_XFRM.

Thanks for the patch.

Regards,
Martin

Re: [PATCH] NAT and requests to unrouted targets

[Patrick McHardy]

Martin Schiller wrote:
> On Monday, March 19, 2007 5:02 PM, Patrick McHardy wrote:
> 
>>Could you try this patch (against current -git) with CONFIG_XFRM
>>enabled please? 
> 
> 
> I've tried it and the ping is still working now with enabled CONFIG_XFRM.
> 
> Thanks for the patch.


Thanks for testing, I'll push it upstream soon.