* function for getting the source ip defined in the routing table
From: Andreas Herz @ 2014-05-20 12:46 UTC (permalink / raw)
To: netfilter-devel
Hi,
I was looking for a function to get the source IP that is defined in the
routing table. I looked into the MASQUERADE module, but the
"inet_select_addr" function returns the source IP from the interface
(the first one, in most use cases).
See the following routing table entry:
10.0.13.0/24 dev eth1 proto kernel scope link src 10.0.13.4
while the interface has multiple IPs:
inet 10.0.12.1/24 scope global eth0
inet 10.0.13.2/24 scope global eth0
inet 10.0.13.4/24 scope global secondary eth0
So what I want is the value of the src part in the routing table (for
connections to the related network).
Thanks.
--
Andreas Herz
* Re: function for getting the source ip defined in the routing table
From: Jan Engelhardt @ 2014-05-20 14:03 UTC (permalink / raw)
To: Andreas Herz; +Cc: netfilter-devel
On Tuesday 2014-05-20 14:46, Andreas Herz wrote:
>I was looking for a function to get the source IP that is defined in the
>routing table. I looked into the MASQUERADE module, but the
>"inet_select_addr" function returns the source IP from the interface
>(the first one, in most use cases).
>
>See the following routing table entry:
>
>10.0.13.0/24 dev eth1 proto kernel scope link src 10.0.13.4
>
>while the interface has multiple IPs:
>
> inet 10.0.12.1/24 scope global eth0
> inet 10.0.13.2/24 scope global eth0
> inet 10.0.13.4/24 scope global secondary eth0
>
>So what I want is the value of the src part in the routing table (for
>connections to the related network).
RTM_GETROUTE in netlink, `ip route get` on sh, and
ip6_route_output/ip_route_output_key in C.
* Re: function for getting the source ip defined in the routing table
From: Andreas Herz @ 2014-05-20 14:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Hi Jan,
On 20/05/14 at 16:03, Jan Engelhardt wrote:
> On Tuesday 2014-05-20 14:46, Andreas Herz wrote:
> >I was looking for a function to get the source IP that is defined in the
> >routing table. I looked into the MASQUERADE module, but the
> >"inet_select_addr" function returns the source IP from the interface
> >(the first one, in most use cases).
>
> RTM_GETROUTE in netlink, `ip route get` on sh, and
> ip6_route_output/ip_route_output_key in C.
Thanks for the hint to RTM_GETROUTE, but I'm wondering how I can receive
the src from ip_route_output_key, since with this commit the rt_src got
removed:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/net/ipv4/route.c?id=d6c0a4f609847d6e65658913f9ccbcb1c137cff3
Or did I miss the new variable for the src, or misunderstand the change?
Thanks so far!
--
Andreas Herz
* Re: function for getting the source ip defined in the routing table
From: Maciej Żenczykowski @ 2014-05-20 15:38 UTC (permalink / raw)
To: Andreas Herz; +Cc: Jan Engelhardt, Netfilter Development Mailinglist
Guessing that after ip_route_output_key(net, &fl4) fl4.saddr will have
what you want.
* Re: function for getting the source ip defined in the routing table
From: Andreas Herz @ 2014-05-21 8:36 UTC (permalink / raw)
To: Maciej Żenczykowski
Cc: Jan Engelhardt, Netfilter Development Mailinglist
On 20/05/14 at 08:38, Maciej Żenczykowski wrote:
> Guessing that after ip_route_output_key(net, &fl4) fl4.saddr will have
> what you want.
Only if the fl4.saddr wasn't set before:

    if (!fl4->saddr)
            fl4->saddr = FIB_RES_PREFSRC(net, res);

But I have (or need) a fl4->saddr, since I want "ip rules" to be
inspected as well, and with an ip rule with "from $SRC" I need to call
ip_route_output_key(dev_net(dev), &fl4) with an fl4->saddr set or the
rule won't match correctly.
In the past I could call "ip_route_output_key" and then use "rt->rt_src"
to get the source IP I needed.
--
Andreas Herz
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: function for getting the source ip defined in the routing table
From: Maciej Żenczykowski @ 2014-05-21 17:06 UTC (permalink / raw)
To: Andreas Herz; +Cc: Jan Engelhardt, Netfilter Development Mailinglist
That's not the way routing works.
If you don't specify a source IP, the routing table picks one for you;
if you already have a source IP specified, the routing table will
use that information to make decisions (ip rule from ...) but will not
change it.
Otherwise TCP wouldn't work.
So this is working as intended.
- Maciej
On Wed, May 21, 2014 at 1:36 AM, Andreas Herz <andi@geekosphere.org> wrote:
> On 20/05/14 at 08:38, Maciej Żenczykowski wrote:
>> Guessing that after ip_route_output_key(net, &fl4) fl4.saddr will have
>> what you want.
>
> Only if the fl4.saddr wasn't set before:
>
>     if (!fl4->saddr)
>             fl4->saddr = FIB_RES_PREFSRC(net, res);
>
> But I have (or need) a fl4->saddr, since I want "ip rules" to be
> inspected as well, and with an ip rule with "from $SRC" I need to call
> ip_route_output_key(dev_net(dev), &fl4) with an fl4->saddr set or the
> rule won't match correctly.
>
> In the past I could call "ip_route_output_key" and then use "rt->rt_src"
> to get the source IP I needed.
>
> --
> Andreas Herz
* Re: function for getting the source ip defined in the routing table
From: Maciej Żenczykowski @ 2014-05-21 17:07 UTC (permalink / raw)
To: Andreas Herz; +Cc: Jan Engelhardt, Netfilter Development Mailinglist
[Obviously you could call ip_route_output_key twice, once with
saddr=0, second time with whatever it returned or you wanted to use]
* Re: function for getting the source ip defined in the routing table
From: Andreas Herz @ 2014-05-22 9:11 UTC (permalink / raw)
To: Maciej Żenczykowski; +Cc: Netfilter Development Mailinglist
On 21/05/14 at 10:06, Maciej Żenczykowski wrote:
> That's not the way routing works.
Then there is some discrepancy in some special scenarios.
> If you don't specify a source ip, the routing table picks for you,
> if you do already have a source ip specified the routing table will
> use that information to make decisions (ip rule from ...) but will not
> change it.
The old ipt_MASQUERADE used "ip_route_output_key" (until 2.6.10 changed
it) without passing the $SRCIP. But as soon as you also have some "ip
rules" with "from $SRCIP", you have to pass the $SRCIP or the rule won't
match. But in this case the $SRCIP isn't changed, although in "ip route"
another $SRCIP is defined.
So I already have a source IP specified, and the routing table shall use
that information to make decisions (ip rule from ...), but based on that I
_want_ to change it.
> Otherwise TCP wouldn't work.
Well, it's SNAT, so changing the SRCIP should be valid.
> So this is working as intended.
Or my scenario is just not on the screen. The module shall do the same
as MASQUERADE but use the information from "ip rule" and "ip route".
1. Look into "ip rule", find a matching rule because of the "from
$SRCIP" and look into the table given via lookup.
2. Then check "ip route" for this table that was called via "ip rule".
3. Use the $SRCIP (and gateway) defined there, so override the $SRCIP.
I will try your hint to use ip_route_output_key twice.
Although I still wonder why my requirement is so special :)
> - Maciej
>
> On Wed, May 21, 2014 at 1:36 AM, Andreas Herz <andi@geekosphere.org> wrote:
> > On 20/05/14 at 08:38, Maciej Żenczykowski wrote:
> >> Guessing that after ip_route_output_key(net, &fl4) fl4.saddr will have
> >> what you want.
> >
> > Only if the fl4.saddr wasn't set before:
> >
> >     if (!fl4->saddr)
> >             fl4->saddr = FIB_RES_PREFSRC(net, res);
> >
> > But I have (or need) a fl4->saddr, since I want "ip rules" to be
> > inspected as well, and with an ip rule with "from $SRC" I need to call
> > ip_route_output_key(dev_net(dev), &fl4) with an fl4->saddr set or the
> > rule won't match correctly.
> >
> > In the past I could call "ip_route_output_key" and then use "rt->rt_src"
> > to get the source IP I needed.
> >
> > --
> > Andreas Herz
--
Andreas Herz
* Re: function for getting the source ip defined in the routing table
From: Andreas Herz @ 2014-05-22 10:31 UTC (permalink / raw)
To: Patrick Schaaf; +Cc: netfilter-devel, Maciej Żenczykowski
On 22/05/14 at 11:41, Patrick Schaaf wrote:
> Am 22.05.2014 11:15 schrieb "Andreas Herz" <andi@geekosphere.org>:
> >
> > I will try your hint to use ip_route_output_key twice.
>
> A second call with input src set to 0 will match a _different_ set of
> rules, so that will probably not work.
That's correct, the wrong rule will match again and the same issue with
calling it without src ip in the first place.
> > Although i still wonder why my requirement is so special :)
>
> Combining MASQUERADE with policy routing is probably a bit rare :)
Is it? We have several scenarios in which we have more IPs on one
interface and different routes and want to specify the source IP.
Especially in cluster scenarios.
> You could work around with a set of rules using SNAT while matching
> outgoing interface and source/destination IPs - basically duplicating your
> extra routing table in the nat POSTROUTING chains. But that is certainly a
> pain to maintain...
That's the reason why we ported MASQUERADE from 2.6.9 to the newer
kernels, to keep it to fewer rules.
Since rt->src got removed I wanted to find a way to update the module,
but for now it looks like I have to patch the kernel itself :/
Thanks so far.
--
Andreas Herz
* Re: function for getting the source ip defined in the routing table
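The two points argued above, that ip_route_output_key only fills in the route's src when saddr was 0, and (Patrick's remark) that a second call with src=0 selects a different rule set, can be shown with a small model of the rule/table lookup. This is an added example written for this page, not kernel code or anything from the thread; the rules, tables, addresses and function names are constructed, and the override function is Andreas's steps 1-3, not existing kernel behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:                        # one "ip route" entry
    dst: str                        # prefix, e.g. "10.0.13.0/24" or "0.0.0.0/0"
    dev: str
    prefsrc: Optional[str] = None   # the "src ..." part of the entry
    via: Optional[str] = None       # gateway

@dataclass
class Rule:                         # one "ip rule" entry
    prio: int
    table: str
    src: Optional[str] = None       # "from $SRC"; None matches every source

# Constructed topology: traffic from the eth1 net (10.0.20.0/24) is policy-routed
# through a table that picks the secondary address 10.0.13.4; everything else
# falls through to "main", which uses 10.0.12.1.
RULES = [Rule(100, "cluster", src="10.0.20.0/24"), Rule(32766, "main")]
TABLES = {
    "main":    [Route("10.0.12.0/24", "eth0", prefsrc="10.0.12.1"),
                Route("0.0.0.0/0", "eth0", prefsrc="10.0.12.1", via="10.0.12.254")],
    "cluster": [Route("10.0.13.0/24", "eth0", prefsrc="10.0.13.4"),
                Route("0.0.0.0/0", "eth0", prefsrc="10.0.13.4", via="10.0.13.1")],
}

def fib_lookup(daddr, saddr):
    """Policy lookup: the first rule whose 'from' matches saddr selects the
    table, then longest-prefix match on daddr inside that table."""
    dst = ipaddress.ip_address(daddr)
    for rule in sorted(RULES, key=lambda r: r.prio):
        if rule.src and not (saddr and ipaddress.ip_address(saddr)
                             in ipaddress.ip_network(rule.src)):
            continue                # a "from" rule never matches an unset saddr
        candidates = [r for r in TABLES[rule.table] if dst in ipaddress.ip_network(r.dst)]
        if candidates:
            return rule.table, max(candidates, key=lambda r: ipaddress.ip_network(r.dst).prefixlen)
    raise LookupError("no route to " + daddr)

def ip_route_output_key(daddr, saddr=None):
    """Semantics quoted in the thread: the route's src only replaces saddr
    when saddr was 0 (None here); a caller-supplied saddr is kept as-is."""
    table, route = fib_lookup(daddr, saddr)
    return table, route, (saddr or route.prefsrc)

def route_src_override(daddr, saddr):
    """Andreas's wish (steps 1-3): keep saddr so the 'from' rule matches,
    then take the selected table's src as the new source address."""
    table, route = fib_lookup(daddr, saddr)
    return table, (route.prefsrc or saddr)
```

With a forwarded packet from 10.0.20.2, the single call keeps 10.0.20.2, the saddr=0 call lands in "main" and returns 10.0.12.1 via a different gateway, and only the override variant yields the 10.0.13.4 that the cluster table defines.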
From: Andreas Herz @ 2014-06-03 7:55 UTC (permalink / raw)
To: netfilter-devel; +Cc: Jan Engelhardt
On 20/05/14 at 16:03, Jan Engelhardt wrote:
> On Tuesday 2014-05-20 14:46, Andreas Herz wrote:
>
> >I was looking for a function to get the source IP that is defined in the
> >routing table. I looked into the MASQUERADE module, but the
> >"inet_select_addr" function returns the source IP from the interface
> >(the first one, in most use cases).
> >
> >See the following routing table entry:
> >
> >10.0.13.0/24 dev eth1 proto kernel scope link src 10.0.13.4
> >
> >while the interface has multiple IPs:
> >
> > inet 10.0.12.1/24 scope global eth0
> > inet 10.0.13.2/24 scope global eth0
> > inet 10.0.13.4/24 scope global secondary eth0
> >
> >So what I want is the value of the src part in the routing table (for
> >connections to the related network).
>
> RTM_GETROUTE in netlink, `ip route get` on sh, and
> ip6_route_output/ip_route_output_key in C.
I had some time to test around with "ip_route_output_key", but now I'm
stuck. Kernel used is 2.6.32.62.
If I call it with flowi fl set with daddr _and_ with saddr, I come into
"ip_route_output_slow". Since I have a saddr set, I ran into the part
with "if (oldflp->fl4_src)", which results in the "dev_out =
ip_dev_find(net, oldflp->fl4_src);" call.
But there the table lookup always uses the local table "local_table =
fib_get_table(net, RT_TABLE_LOCAL);", but since I have some packets that
are forwarded, there is no suitable entry in the local table but in some
self-defined table.
In my described scenario I also have eth1 with the 10.0.20.0/24 net, and when
the packet comes from 10.0.20.2 there is no rule in the local table on
the forwarding Linux system, just in the $USERDEFINED table.
Is there a way to call "ip_route_output_key" with the daddr for this
packet and the saddr 10.0.20.2 to receive the information from the
$USERDEFINED table instead of parsing just the local table?
Or what is the reason that it's just looking into the local table?
Or did I miss some other way to parse other tables than the local one?
Thanks so far!
--
Andreas Herz