* Tproxy4, fwmark and netfilter route_me_harder
[not found] ` <478F724F.8010900@redtone.com>
@ 2008-01-17 2:28 ` Ming-Ching Tiew
2008-01-20 15:31 ` Patrick McHardy
0 siblings, 1 reply; 2+ messages in thread
From: Ming-Ching Tiew @ 2008-01-17 2:28 UTC (permalink / raw)
To: netfilter-devel, tproxy
KOVACS Krisztian wrote:
> Hi,
>
> On Sat, Jan 12, 2008 at 11:47:44 +0800, Ming-Ching Tiew wrote:
>
>> 2 ) IP FREEBIND packets spoofed with a foreign source address will not
>> leave the system when there is a FWMARK in the mangle table OUTPUT
>> chain. This patch was created by me based on the information given by
>> Kovacs; code quality is highly questionable as I barely understood
>> what it is all about, but it seems to work.
>>
>> --- linux-2.6.22-org/net/ipv4/netfilter.c 2007-12-13
>> 20:55:45.000000000 +0800
>> +++ linux-2.6.22-new/net/ipv4/netfilter.c 2007-12-13
>> 20:55:03.000000000 +0800
>> @@ -24,7 +24,7 @@
>> /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
>> * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
>> */
>> - if (addr_type == RTN_LOCAL) {
>> +// if (addr_type == RTN_LOCAL) {
>> fl.nl_u.ip4_u.daddr = iph->daddr;
>> if (type == RTN_LOCAL)
>> fl.nl_u.ip4_u.saddr = iph->saddr;
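Review bot: commenting out `if (addr_type == RTN_LOCAL) {` with `//` leaves the matching `}` dangling unless that brace is removed too, and it widens the change far beyond TPROXY: every packet now takes the output-route branch, and because the `if (type == RTN_LOCAL)` guard below is kept, a foreign source leaves `fl.nl_u.ip4_u.saddr` unset, so a spoofed source is never checked against the routing table at all. Extend the condition to the one case that needs the output route (a non-local source that TPROXY has flagged on the dst) instead of deleting it, and drop the `//`-style dead code rather than leaving it in the tree.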
>> @@ -37,10 +37,10 @@
>> /* Drop old route. */
>> dst_release((*pskb)->dst);
>> (*pskb)->dst = &rt->u.dst;
>> - } else {
>> +// } else {
>> /* non-local src, find valid iif to satisfy
>> * rp-filter when calling ip_route_input. */
>> - fl.nl_u.ip4_u.daddr = iph->saddr;
>> +/* fl.nl_u.ip4_u.daddr = iph->saddr;
>> if (ip_route_output_key(&rt, &fl) != 0)
>> return -1;
>>
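Review bot: the `/*` placed before `fl.nl_u.ip4_u.daddr = iph->saddr;` opens a block comment that is only closed in a later hunk, so the whole non-local-source path (the iif lookup through `ip_route_output_key` and everything after it) is compiled out; C block comments do not nest, so this also breaks the build as soon as anyone adds a comment inside that region. If the branch is really meant to go, delete it; if it is only being disabled for testing, use `#if 0` / `#endif`. The two-line comment kept just above, explaining that this path exists to satisfy rp-filter, now describes code that never runs.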
>> @@ -53,7 +53,7 @@
>> dst_release(&rt->u.dst);
>> dst_release(odst);
>> }
>> -
>> +*/
>> if ((*pskb)->dst->error)
>> return -1;
>>
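Review bot: with the closing `*/` here, the `dst_release(&rt->u.dst); dst_release(odst);` cleanup and the `}` of the removed else block sit inside the comment, so the function now always reaches `if ((*pskb)->dst->error)` with a plain output route installed; that check only catches a failed lookup, not one that was never validated. The packets this removes validation for include the `ipt_REJECT.c:send_reset()` case named in the function's own comment, which has nothing to do with TPROXY, so the patch should not go in in this form: the fix belongs in the condition at the top of the function, not in deleting the branch.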
>
> We should probably first ask on netfilter-devel@ why this whole route
> lookup thing is necessary...
>
>
I sort of just forwarded this to netfilter-devel.
For those who are in netfilter-devel but not in the tproxy mail list, a little
background here:
I discovered, after applying the tproxy4 patch (which allows one to spoof
originating traffic with a foreign IP address, for the purpose of doing
transparent proxying), that traffic with a foreign IP will
not leave the system if there is a FWMARK in the mangle table OUTPUT
chain. Any MARK will screw up the routing.
And the patch above seems to be able to get the packets out of the machine
again.
So the motivation here is that perhaps someone here could throw some light on
how this situation is best handled.
Regards.
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Tproxy4, fwmark and netfilter route_me_harder
2008-01-17 2:28 ` Tproxy4, fwmark and netfilter route_me_harder Ming-Ching Tiew
@ 2008-01-20 15:31 ` Patrick McHardy
0 siblings, 0 replies; 2+ messages in thread
From: Patrick McHardy @ 2008-01-20 15:31 UTC (permalink / raw)
To: Ming-Ching Tiew; +Cc: netfilter-devel, tproxy
Ming-Ching Tiew wrote:
> I sort of just forwarded this to netfilter-devel.
>
> For those who are in netfilter-devel but not in the tproxy mail list, a little
> background here:
>
> I discovered, after applying the tproxy4 patch (which allows one to spoof
> originating traffic with a foreign IP address, for the purpose of doing
> transparent proxying), that traffic with a foreign IP will
> not leave the system if there is a FWMARK in the mangle table OUTPUT
> chain. Any MARK will screw up the routing.
>
> And the patch above seems to be able to get the packets out of the machine
> again.
>
> So the motivation here is that perhaps someone here could throw some light on
> how this situation is best handled.
IIRC the current TPROXY patches use a flag in the dst_entry
to indicate that the source address is non-local. So
ip_route_me_harder should probably check that flag and
use routing for foreign addresses for that case.
^ permalink raw reply [flat|nested] 2+ messages in thread
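As an added example (not code from this thread, from the TPROXY patches or from the kernel), the following userspace C model shows which lookup ip_route_me_harder() uses for a re-routed packet under three policies: the unpatched 2.6.22 logic visible in the quoted hunks, the posted patch (RTN_LOCAL test commented out, so everything takes the output route), and the dst-flag approach suggested in the reply above. The routing table, the addresses and the dst_nonlocal_src field are constructed for the example; the real flag name in the TPROXY patches is not given on the page. The model does not reproduce why the input-path lookup fails for marked TPROXY traffic, which the thread leaves open. It only shows that the posted patch also routes unrelated foreign-source packets (the ipt_REJECT case named in the function's own comment) without the rp-filter style check, whereas the flag approach keeps that check for them.

```c
/* Added example: userspace model of ip_route_me_harder() branch selection.
 * Routing table, addresses and the dst_nonlocal_src field are constructed
 * assumptions, not the kernel's or TPROXY's real data structures. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum addr_type { RTN_UNICAST = 0, RTN_LOCAL = 1 };
enum policy { POLICY_ORIGINAL, POLICY_PATCHED, POLICY_DST_FLAG };
enum path { PATH_OUTPUT, PATH_INPUT, PATH_DROP };

struct route { uint32_t net; int plen; const char *dev; };

/* constructed table: 10.0.0.0/8 on eth0, default route via eth1 */
static const struct route routes[] = {
    { 0x0A000000, 8, "eth0" },
    { 0x00000000, 0, "eth1" },
};
/* constructed local addresses: 10.0.0.1 and 192.0.2.1 */
static const uint32_t local_addrs[] = { 0x0A000001, 0xC0000201 };

struct skb {
    uint32_t saddr, daddr;
    int dst_nonlocal_src;   /* stands in for the dst_entry flag TPROXY is said to set */
};

static uint32_t netmask(int plen) { return plen ? ~0u << (32 - plen) : 0; }

static enum addr_type inet_addr_type(uint32_t a)
{
    for (size_t i = 0; i < sizeof local_addrs / sizeof *local_addrs; i++)
        if (local_addrs[i] == a)
            return RTN_LOCAL;
    return RTN_UNICAST;
}

/* output route: longest-prefix match on the destination, NULL if none */
static const char *ip_route_output(uint32_t daddr)
{
    const char *best = NULL;
    int bestlen = -1;
    for (size_t i = 0; i < sizeof routes / sizeof *routes; i++)
        if ((daddr & netmask(routes[i].plen)) == routes[i].net &&
            routes[i].plen > bestlen) {
            best = routes[i].dev;
            bestlen = routes[i].plen;
        }
    return best;
}

/* input route: rp-filter style check that saddr is reachable back through
 * iif, then a route for daddr; -1 on either failure */
static int ip_route_input(uint32_t daddr, uint32_t saddr, const char *iif)
{
    const char *back = ip_route_output(saddr);
    if (!back || strcmp(back, iif) != 0)
        return -1;
    return ip_route_output(daddr) ? 0 : -1;
}

/* Which lookup the re-route uses under each policy; PATH_DROP if it fails. */
enum path route_me_harder(const struct skb *skb, enum policy p)
{
    enum addr_type type = inet_addr_type(skb->saddr);
    int output_path;

    switch (p) {
    case POLICY_PATCHED:      /* the RTN_LOCAL test is commented out */
        output_path = 1;
        break;
    case POLICY_DST_FLAG:     /* local source, or TPROXY-flagged foreign source */
        output_path = (type == RTN_LOCAL) || skb->dst_nonlocal_src;
        break;
    default:                  /* unpatched 2.6.22 */
        output_path = (type == RTN_LOCAL);
        break;
    }

    if (output_path)
        return ip_route_output(skb->daddr) ? PATH_OUTPUT : PATH_DROP;

    /* non-local src: pick the iif that reaches saddr, re-validate as input */
    const char *iif = ip_route_output(skb->saddr);
    if (!iif)
        return PATH_DROP;
    return ip_route_input(skb->daddr, skb->saddr, iif) == 0 ? PATH_INPUT : PATH_DROP;
}

int main(void)
{
    static const char *name[] = { "output", "input", "drop" };
    /* constructed packets: local source; TPROXY-spoofed 203.0.113.1 with the
     * dst flag; the same foreign source without it (the REJECT case) */
    const struct skb pkts[] = {
        { 0x0A000001, 0x0A000005, 0 },
        { 0xCB007101, 0x0A000005, 1 },
        { 0xCB007101, 0x0A000005, 0 },
    };
    for (size_t i = 0; i < 3; i++)
        printf("pkt %zu: original=%s patched=%s dst_flag=%s\n", i,
               name[route_me_harder(&pkts[i], POLICY_ORIGINAL)],
               name[route_me_harder(&pkts[i], POLICY_PATCHED)],
               name[route_me_harder(&pkts[i], POLICY_DST_FLAG)]);
    return 0;
}
```

Build with `cc -std=c99` and run; the three rows show that the flagged foreign source goes to the output route under both the posted patch and the flag approach, while the unflagged foreign source keeps the input-path validation only under the flag approach.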