* xt_RAWNAT target idea
@ 2008-01-13 16:08 Jan Engelhardt
From: Jan Engelhardt @ 2008-01-13 16:08 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
Hi,
the following series implements xt_RAWNAT, a target to do network
address translation not depending on conntrack. I still have an issue,
though; if you have an idea what could be wrong, please let me know.
Network scheme:
vmware--(eth0) -> (rtl0)--ichi--(sis0) -> internet and 85.214.
16:47 ichi:../Coding/linux-2.6_nosov # tcpdump -lni rtl0 port 22 -Xs0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rtl0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:47:29.767215 IP 192.168.222.24.38108 > 85.214.69.204.22: S 3962616798:3962616798(0) win 5840 <mss 1460,sackOK,timestamp 6565122 0,nop,wscale 2>
0x0000: 4510 003c 96dc 4000 4006 696c c0a8 de18 E..<..@.@.il....
0x0010: 55d6 45cc 94dc 0016 ec30 bbde 0000 0000 U.E......0......
0x0020: a002 16d0 94a3 0000 0204 05b4 0402 080a ................
0x0030: 0064 2d02 0000 0000 0103 0302 .d-.........
The odd part is that the packet is not recognized by connection tracking
on ichi. `conntrack -E` remains silent, and the packet does not hit the
nat table. Only in mangle it is visible:
# iptables -t mangle -A FORWARD -i rtl0 -j LOG --log-prefix "[fw/rtl0] "
[14168.102974] [fw/rtl0] IN=rtl0 OUT=sis0 SRC=192.168.222.24 DST=85.214.69.204
LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=64886 DF PROTO=TCP SPT=40337 DPT=22
WINDOW=5840 RES=0x00 SYN URGP=0
Is the packet constructed wrong? What I used inside the VMware host was:
# iptables -t raw -A POSTROUTING -o eth0 -d 1.3.3.7 -j RAWDNAT --to 85.214.69.204
thanks,
Jan
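Added here as an editor's example, not part of the thread: a check of the two checksums in the SYN captured above, and of what a destination rewrite must do to keep both valid. The packet bytes are copied from the tcpdump -X output; 1.3.3.7 is the destination the raw rule matched on, and the rewrite helper with fix_l4 == 0 mimics a target that patches only the IP header checksum.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 60-byte SYN from the tcpdump -X output above: 20-byte IP header, 40-byte TCP header. */
const uint8_t captured_syn[60] = {
    0x45,0x10,0x00,0x3c,0x96,0xdc,0x40,0x00,0x40,0x06,0x69,0x6c,0xc0,0xa8,0xde,0x18,
    0x55,0xd6,0x45,0xcc,0x94,0xdc,0x00,0x16,0xec,0x30,0xbb,0xde,0x00,0x00,0x00,0x00,
    0xa0,0x02,0x16,0xd0,0x94,0xa3,0x00,0x00,0x02,0x04,0x05,0xb4,0x04,0x02,0x08,0x0a,
    0x00,0x64,0x2d,0x02,0x00,0x00,0x00,0x00,0x01,0x03,0x03,0x02,
};

/* Big-endian field access; the checksums are defined over on-wire byte order. */
static uint16_t load16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t load32(const uint8_t *p) { return ((uint32_t)load16(p) << 16) | load16(p + 2); }
static void store16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void store32(uint8_t *p, uint32_t v) { store16(p, (uint16_t)(v >> 16)); store16(p + 2, (uint16_t)v); }
static size_t ihl_bytes(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }

/* Add the 16-bit words of buf to a running, not yet folded ones-complement sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *buf, size_t len)
{
    for (; len > 1; buf += 2, len -= 2)
        sum += load16(buf);
    if (len)
        sum += (uint32_t)buf[0] << 8;   /* odd trailing byte */
    return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* 1 if the IPv4 header checksum verifies: header summed with its checksum field folds to 0xffff. */
int ipv4_header_ok(const uint8_t *pkt) { return csum_fold(csum_add(0, pkt, ihl_bytes(pkt))) == 0xffff; }

/* Sum over the TCP pseudo-header (addresses, protocol, length) and the TCP segment. */
static uint32_t tcp_sum(const uint8_t *pkt)
{
    size_t ihl = ihl_bytes(pkt);
    size_t tcplen = load16(pkt + 2) - ihl;      /* IP total length minus header */
    uint32_t sum = csum_add(0, pkt + 12, 8);    /* source and destination address */
    sum += pkt[9] + (uint32_t)tcplen;           /* protocol, TCP length */
    return csum_add(sum, pkt + ihl, tcplen);
}

int tcp_checksum_ok(const uint8_t *pkt) { return csum_fold(tcp_sum(pkt)) == 0xffff; }

/* Recompute the TCP checksum from scratch, to obtain a known-good packet. */
void fix_tcp_checksum(uint8_t *pkt)
{
    uint8_t *field = pkt + ihl_bytes(pkt) + 16;
    store16(field, 0);
    store16(field, (uint16_t)~csum_fold(tcp_sum(pkt)));
}

/* Incremental update of a checksum field when a 32-bit value it covers changes from 'from'
 * to 'to' (RFC 1624 eq. 3): the arithmetic behind csum_replace4()/inet_proto_csum_replace4(). */
static uint16_t csum_update32(uint16_t check, uint32_t from, uint32_t to)
{
    uint32_t sum = (uint16_t)~check;
    sum += (uint16_t)~(from >> 16) + (uint16_t)~(from & 0xffff);
    sum += (to >> 16) + (to & 0xffff);
    return (uint16_t)~csum_fold(sum);
}

/* Rewrite the IPv4 destination as a DNAT-style target would. The IP header checksum is always
 * patched; the TCP checksum, which covers the destination via the pseudo-header, only if fix_l4. */
void rewrite_dst(uint8_t *pkt, uint32_t new_dst, int fix_l4)
{
    uint32_t old_dst = load32(pkt + 16);
    uint8_t *tcp_check = pkt + ihl_bytes(pkt) + 16;
    store16(pkt + 10, csum_update32(load16(pkt + 10), old_dst, new_dst));
    if (fix_l4)
        store16(tcp_check, csum_update32(load16(tcp_check), old_dst, new_dst));
    store32(pkt + 16, new_dst);
}

/* Start from the captured SYN with a valid TCP checksum, map the destination back to
 * 1.3.3.7 (the address the raw rule matched on) and report whether both checksums hold. */
int rewrite_keeps_packet_valid(int fix_l4)
{
    uint8_t pkt[sizeof captured_syn];
    memcpy(pkt, captured_syn, sizeof pkt);
    fix_tcp_checksum(pkt);
    rewrite_dst(pkt, 0x01030307u, fix_l4);
    return ipv4_header_ok(pkt) && tcp_checksum_ok(pkt);
}

int main(void)
{
    printf("captured SYN: IP header checksum %s, TCP checksum %s\n",
           ipv4_header_ok(captured_syn) ? "ok" : "bad", tcp_checksum_ok(captured_syn) ? "ok" : "bad");
    printf("rewrite, IP checksum only: %s\n", rewrite_keeps_packet_valid(0) ? "valid" : "invalid");
    printf("rewrite, IP and TCP checksum: %s\n", rewrite_keeps_packet_valid(1) ? "valid" : "invalid");
    return 0;
}
```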
* [xt_RAWNAT 1/3] Make room in the hook priority list
From: Jan Engelhardt @ 2008-01-13 16:09 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
origin git://computergmbh.de/linux patchomatic
commit 03e306db0e3a74d9bca91191afbd955be6b7c632
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Wed Jan 9 18:37:37 2008 +0100
[NETFILTER]: Make room in the hook priority list
A few hook priorities related to conntrack are currently assigned
values at the end of the priority list, making it impossible to add
priorities in-between or after these. Renumber NF_IP_PRI_* so that
this becomes possible.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 9a10092..7378d17 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -62,9 +62,9 @@ enum nf_ip_hook_priorities {
NF_IP_PRI_FILTER = 0,
NF_IP_PRI_NAT_SRC = 100,
NF_IP_PRI_SELINUX_LAST = 225,
- NF_IP_PRI_CONNTRACK_HELPER = INT_MAX - 2,
- NF_IP_PRI_NAT_SEQ_ADJUST = INT_MAX - 1,
- NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
+ NF_IP_PRI_CONNTRACK_HELPER = 500,
+ NF_IP_PRI_NAT_SEQ_ADJUST = 520,
+ NF_IP_PRI_CONNTRACK_CONFIRM = 540,
NF_IP_PRI_LAST = INT_MAX,
};
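Review bot: the commit message should state that NF_IP_PRI_CONNTRACK_CONFIRM is no longer the highest priority: after this hunk any hook registered above 540 runs after conntrack has confirmed the connection, which the later xt_RAWNAT patch relies on, but which also reorders any existing hook that registered with a value between 540 and INT_MAX expecting to run before confirmation. A comment on the enum saying that CONNTRACK_CONFIRM must remain the last conntrack-related priority would make that constraint visible.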
* [xt_RAWNAT 2/3] Extend iptable_raw by POSTROUTING hook
From: Jan Engelhardt @ 2008-01-13 16:10 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
origin git://computergmbh.de/linux patchomatic
commit b13cafd71d94ee3bd88aa2aa5755b27c390c2f97
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Thu Jan 10 23:49:04 2008 +0100
[NETFILTER]: Extend iptable_raw by POSTROUTING hook
iptable_raw and ip6table_raw will get a POSTROUTING hook for the
xt_RAWNAT targets, because it needs a hook _after_ conntrack has
applied address transformation.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h
index 7378d17..5ee8ce0 100644
--- a/include/linux/netfilter_ipv4.h
+++ b/include/linux/netfilter_ipv4.h
@@ -65,6 +65,7 @@ enum nf_ip_hook_priorities {
NF_IP_PRI_CONNTRACK_HELPER = 500,
NF_IP_PRI_NAT_SEQ_ADJUST = 520,
NF_IP_PRI_CONNTRACK_CONFIRM = 540,
+ NF_IP_PRI_RAW_POST = 800,
NF_IP_PRI_LAST = INT_MAX,
};
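Review bot: NF_IP_PRI_RAW_POST = 800 is only meaningful relative to NF_IP_PRI_CONNTRACK_CONFIRM = 540 in the lines just above; add a comment stating that it must stay greater than CONNTRACK_CONFIRM, otherwise a later renumbering silently moves the raw POSTROUTING hook back in front of conntrack.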
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 3475a65..610ac89 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -66,6 +66,7 @@ enum nf_ip6_hook_priorities {
NF_IP6_PRI_FILTER = 0,
NF_IP6_PRI_NAT_SRC = 100,
NF_IP6_PRI_SELINUX_LAST = 225,
+ NF_IP6_PRI_RAW_POST = 800,
NF_IP6_PRI_LAST = INT_MAX,
};
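Review bot: unlike the IPv4 enum, this one has no CONNTRACK_CONFIRM entry between NF_IP6_PRI_SELINUX_LAST and NF_IP6_PRI_LAST, so the value 800 says nothing about where NF_IP6_PRI_RAW_POST runs relative to the IPv6 conntrack confirm hook; check the priority nf_conntrack_ipv6 registers with and either reference it in a comment here or add the matching enum entries so the IPv6 ordering mirrors the IPv4 one.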
diff --git a/net/ipv4/netfilter/iptable_raw.c b/net/ipv4/netfilter/iptable_raw.c
index dc34aa2..7ce4c4c 100644
--- a/net/ipv4/netfilter/iptable_raw.c
+++ b/net/ipv4/netfilter/iptable_raw.c
@@ -7,31 +7,34 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <net/ip.h>
-#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
+#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING))
static struct
{
struct ipt_replace repl;
- struct ipt_standard entries[2];
+ struct ipt_standard entries[3];
struct ipt_error term;
} initial_table __initdata = {
.repl = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
- .num_entries = 3,
- .size = sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
+ .num_entries = 4,
+ .size = sizeof(struct ipt_standard) * 3 + sizeof(struct ipt_error),
.hook_entry = {
[NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
+ [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard),
+ [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 2,
},
.underflow = {
[NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard)
+ [NF_INET_LOCAL_OUT] = sizeof(struct ipt_standard),
+ [NF_INET_POST_ROUTING] = sizeof(struct ipt_standard) * 2,
},
},
.entries = {
IPT_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
IPT_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
+ IPT_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IPT_ERROR_INIT, /* ERROR */
};
@@ -89,6 +92,13 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
.priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE,
},
+ {
+ .hook = ipt_hook,
+ .pf = PF_INET,
+ .hooknum = NF_INET_POST_ROUTING,
+ .priority = NF_IP_PRI_RAW_POST,
+ .owner = THIS_MODULE,
+ },
};
static int __init iptable_raw_init(void)
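Review bot: the new POST_ROUTING entry reuses ipt_hook; locally generated packets traverse POST_ROUTING as well as LOCAL_OUT, so if the LOCAL_OUT entry uses a separate handler with extra sanity checks for raw-socket packets, the same handler belongs here. Also worth a comment: because NF_IP_PRI_RAW_POST sorts after NF_IP_PRI_CONNTRACK_CONFIRM, anything this chain rewrites has already been confirmed with the pre-rewrite addresses, so the reverse direction has to be rewritten back in PREROUTING before conntrack sees it, as the libxt_RAWSNAT man page example does.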
diff --git a/net/ipv6/netfilter/ip6table_raw.c b/net/ipv6/netfilter/ip6table_raw.c
index eccbaaa..9f32c2a 100644
--- a/net/ipv6/netfilter/ip6table_raw.c
+++ b/net/ipv6/netfilter/ip6table_raw.c
@@ -6,31 +6,34 @@
#include <linux/module.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
-#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
+#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING))
static struct
{
struct ip6t_replace repl;
- struct ip6t_standard entries[2];
+ struct ip6t_standard entries[3];
struct ip6t_error term;
} initial_table __initdata = {
.repl = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
- .num_entries = 3,
- .size = sizeof(struct ip6t_standard) * 2 + sizeof(struct ip6t_error),
+ .num_entries = 4,
+ .size = sizeof(struct ip6t_standard) * 3 + sizeof(struct ip6t_error),
.hook_entry = {
[NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
+ [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard),
+ [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 2,
},
.underflow = {
[NF_INET_PRE_ROUTING] = 0,
- [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard)
+ [NF_INET_LOCAL_OUT] = sizeof(struct ip6t_standard),
+ [NF_INET_POST_ROUTING] = sizeof(struct ip6t_standard) * 2,
},
},
.entries = {
IP6T_STANDARD_INIT(NF_ACCEPT), /* PRE_ROUTING */
IP6T_STANDARD_INIT(NF_ACCEPT), /* LOCAL_OUT */
+ IP6T_STANDARD_INIT(NF_ACCEPT), /* POST_ROUTING */
},
.term = IP6T_ERROR_INIT, /* ERROR */
};
@@ -69,6 +72,13 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
.priority = NF_IP6_PRI_FIRST,
.owner = THIS_MODULE,
},
+ {
+ .hook = ip6t_hook,
+ .pf = PF_INET6,
+ .hooknum = NF_INET_POST_ROUTING,
+ .priority = NF_IP6_PRI_RAW_POST,
+ .owner = THIS_MODULE,
+ },
};
static int __init ip6table_raw_init(void)
* [xt_RAWNAT 3/3] xt_RAWNAT code
From: Jan Engelhardt @ 2008-01-13 16:10 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
origin git://computergmbh.de/linux patchomatic
commit df4f8a4974253e72ccf806c532c7d04daa514474
Author: Jan Engelhardt <jengelh@computergmbh.de>
Date: Sun Jan 13 17:03:25 2008 +0100
[NETFILTER]: xt_RAWNAT target
xt_RAWNAT can be used to do static network address translation
without depending on connection tracking. Together with the previous
patch to add a POSTROUTING chain to the "raw" table, it is possible
to use xt_RAWNAT even when conntrack is enabled.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
diff --git a/include/linux/netfilter/xt_RAWNAT.h b/include/linux/netfilter/xt_RAWNAT.h
new file mode 100644
index 0000000..f948166
--- /dev/null
+++ b/include/linux/netfilter/xt_RAWNAT.h
@@ -0,0 +1,9 @@
+#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
+#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
+
+struct xt_rawnat_tginfo {
+ union nf_inet_addr addr;
+ uint8_t mask;
+};
+
+#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */
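Review bot: the header uses union nf_inet_addr and uint8_t but includes nothing, so it compiles only when the includer has already pulled in <linux/netfilter.h>; since the libxt_RAWNAT patch copies this file verbatim into userspace, include <linux/netfilter.h> and <linux/types.h> here and use the exported __u8 instead of uint8_t so both builds see the same definition.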
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index eec3d24..7611e1b 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -385,6 +385,15 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_TARGET_RAWNAT
+ tristate '"RAWNAT" raw address translation w/o conntrack'
+ depends on NETFILTER_XTABLES
+ depends on IP_NF_RAW || IP_NF6_RAW
+ ---help---
+ This option adds the RAWSNAT and RAWDNAT targets which can do Network
+ Address Translation (no port translation) without requiring Netfilter
+ connection tracking.
+
config NETFILTER_XT_TARGET_REJECT
tristate '"REJECT" target support'
depends on NETFILTER_XTABLES
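Review bot: `depends on IP_NF_RAW || IP_NF6_RAW` names a symbol that does not exist; the IPv6 raw table option is IP6_NF_RAW, so as written the IPv6 half of the dependency is never satisfied and only IP_NF_RAW gates the option. The help text could also say that the targets are valid only in the raw table.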
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index b170ef1..e5132fd 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_RAWNAT) += xt_RAWNAT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_REJECT) += xt_REJECT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_STEAL) += xt_STEAL.o
diff --git a/net/netfilter/xt_RAWNAT.c b/net/netfilter/xt_RAWNAT.c
new file mode 100644
index 0000000..a5a68da
--- /dev/null
+++ b/net/netfilter/xt_RAWNAT.c
@@ -0,0 +1,195 @@
+/*
+ * xt_RAWNAT - Netfilter module to do untracked NAT
+ *
+ * Copyright © CC Computer Consultants GmbH, 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_RAWNAT.h>
+#include <net/netfilter/nf_conntrack.h>
+
+static inline u_int32_t
+remask(u_int32_t addr, u_int32_t repl, unsigned int shift)
+{
+ u_int32_t mask = (left == 32) ? 0 : (~(u_int32_t)0 >> shift);
+ return htonl((ntohl(addr) & ~mask) | ntohl(repl));
+}
+
+static void
+rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
+{
+ switch (mask) {
+ case 0:
+ break;
+ case 1 ... 31:
+ addr[0] = remask(addr[0], repl[0], mask);
+ break;
+ case 32:
+ addr[0] = repl[0];
+ break;
+ case 33 ... 63:
+ addr[0] = repl[0];
+ addr[1] = remask(addr[1], repl[1], mask - 64);
+ break;
+ case 64:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ break;
+ case 65 ... 95:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = remask(addr[2], repl[2], mask - 96);
+ case 96:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = repl[2];
+ break;
+ case 97 ... 127:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = repl[2];
+ addr[3] = remask(addr[3], repl[3], mask - 128);
+ break;
+ case 128:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = repl[2];
+ addr[3] = repl[3];
+ break;
+ }
+}
+
+static unsigned int
+rawsnat_tg4(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct iphdr *iph;
+ u_int32_t na;
+
+ if (!skb_make_writable(skb, sizeof(struct iphdr)))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+ na = remask(iph->saddr, info->addr.ip, info->mask);
+ csum_replace4(&iph->check, iph->saddr, na);
+ iph->saddr = na;
+ return XT_CONTINUE;
+}
+
+static unsigned int
+rawdnat_tg4(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct iphdr *iph;
+ u_int32_t na;
+
+ if (!skb_make_writable(skb, sizeof(struct iphdr)))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+ na = remask(iph->daddr, info->addr.ip, info->mask);
+ csum_replace4(&iph->check, iph->daddr, na);
+ iph->daddr = na;
+ return XT_CONTINUE;
+}
+
+static unsigned int
+rawsnat_tg6(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct ipv6hdr *iph;
+
+ if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
+ return NF_DROP;
+
+ iph = ipv6_hdr(skb);
+ rawnat_ipv6_mask(iph->saddr.s6_addr32, info->addr.ip6, info->mask);
+ return XT_CONTINUE;
+}
+
+static unsigned int
+rawdnat_tg6(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct ipv6hdr *iph;
+
+ if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
+ return NF_DROP;
+
+ iph = ipv6_hdr(skb);
+ rawnat_ipv6_mask(iph->daddr.s6_addr32, info->addr.ip6, info->mask);
+ return XT_CONTINUE;
+}
+
+static struct xt_target rawnat_tg_reg[] __read_mostly = {
+ {
+ .name = "RAWSNAT",
+ .revision = 0,
+ .family = AF_INET,
+ .table = "raw",
+ .target = rawsnat_tg4,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "RAWSNAT",
+ .revision = 0,
+ .family = AF_INET6,
+ .table = "raw",
+ .target = rawsnat_tg6,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "RAWDNAT",
+ .revision = 0,
+ .family = AF_INET,
+ .table = "raw",
+ .target = rawdnat_tg4,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "RAWDNAT",
+ .revision = 0,
+ .family = AF_INET6,
+ .table = "raw",
+ .target = rawdnat_tg6,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init rawnat_tg_init(void)
+{
+ return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
+}
+
+static void __exit rawnat_tg_exit(void)
+{
+ xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
+}
+
+module_init(rawnat_tg_init);
+module_exit(rawnat_tg_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_DESCRIPTION("Netfilter: conntrack-less raw NAT");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_RAWSNAT");
+MODULE_ALIAS("ipt_RAWDNAT");
+MODULE_ALIAS("ip6t_RAWSNAT");
+MODULE_ALIAS("ip6t_RAWDNAT");
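Review bot: rawsnat_tg4()/rawdnat_tg4() patch only iph->check with csum_replace4() and leave the TCP/UDP checksum untouched even though it covers both addresses through the pseudo-header, and rawsnat_tg6()/rawdnat_tg6() update no checksum at all. That matches the symptom in the first message: over the dumped bytes of the SYN the IPv4 header checksum verifies but the TCP checksum does not, and conntrack's TCP handler rejects segments with a bad checksum before creating an entry, so the packet shows up in mangle FORWARD but never in `conntrack -E` or the nat table. Use inet_proto_csum_replace4() on the transport checksum with pseudohdr set (it also handles CHECKSUM_PARTIAL) for TCP, UDP and ICMPv6 in all four targets. Separately, remask() references an undefined `left` (the 16:25 resend renames it to shift), and its masking is inverted relative to the libxt_RAWSNAT man page: with the default mask of 32 it computes mask = 0 and returns ntohl(addr) | ntohl(repl), the original address ORed with the replacement, and for other prefix lengths it keeps the original's network bits and ORs in the whole unmasked replacement. In rawnat_ipv6_mask() the 33 ... 63, 65 ... 95 and 97 ... 127 cases subtract 64, 96 and 128 where 32, 64 and 96 are meant (mask - 64 wraps to a shift far beyond 32), and 65 ... 95 has no break, so it falls into case 96 and overwrites addr[2] with repl[2]. The nf_conntrack includes are unused.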
* [xt_RAWNAT] iptables libxt_RAWNAT
From: Jan Engelhardt @ 2008-01-13 16:22 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
[IPTABLES]: xt_RAWNAT extensions
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
---
extensions/Makefile | 2
extensions/libxt_RAWDNAT.c | 176 ++++++++++++++++++++++++++++++++++++
extensions/libxt_RAWDNAT.man | 13 ++
extensions/libxt_RAWSNAT.c | 176 ++++++++++++++++++++++++++++++++++++
extensions/libxt_RAWSNAT.man | 15 +++
include/linux/netfilter/xt_RAWNAT.h | 9 +
6 files changed, 391 insertions(+)
Index: iptables-modules/extensions/Makefile
===================================================================
--- iptables-modules.orig/extensions/Makefile
+++ iptables-modules/extensions/Makefile
@@ -53,6 +53,8 @@ PFX_EXT_SLIB += MARK
PFX_EXT_SLIB += NFLOG
PFX_EXT_SLIB += NFQUEUE
PFX_EXT_SLIB += NOTRACK
+PFX_EXT_SLIB += RAWDNAT
+PFX_EXT_SLIB += RAWSNAT
PFX_EXT_SLIB += TCPMSS
PFX_EXT_SLIB += TCPOPTSTRIP
PFX_EXT_SLIB += TOS
Index: iptables-modules/extensions/libxt_RAWDNAT.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_RAWDNAT.c
@@ -0,0 +1,176 @@
+#include <netinet/in.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_RAWNAT.h>
+
+enum {
+ FLAGS_TO = 1 << 0,
+};
+
+static const struct option rawdnat_tg_opts[] = {
+ {.name = "to-destination", .has_arg = true, .val = 't'},
+ {},
+};
+
+static void rawdnat_tg_help(void)
+{
+ printf(
+"RAWDNAT target options:\n"
+" --to-destination addr[/mask] Address or network to map to\n"
+);
+}
+
+static int
+rawdnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+ struct in_addr *a;
+ unsigned int mask;
+ char *end;
+
+ switch (c) {
+ case 't':
+ info->mask = 32;
+ end = strchr(optarg, '/');
+ if (end != NULL) {
+ *end++ = '\0';
+ if (!strtonum(end, NULL, &mask, 0, 32))
+ param_act(P_BAD_VALUE, "RAWDNAT",
+ "--to-destination", optarg);
+ info->mask = mask;
+ }
+ a = numeric_to_ipaddr(optarg);
+ if (a == NULL)
+ param_act(P_BAD_VALUE, "RAWDNAT", "--to-destination",
+ optarg);
+ memcpy(&info->addr.in, a, sizeof(*a));
+ *flags |= FLAGS_TO;
+ return true;
+ }
+ return false;
+}
+
+static int
+rawdnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+ struct in6_addr *a;
+ unsigned int mask;
+ char *end;
+
+ switch (c) {
+ case 't':
+ info->mask = 128;
+ end = strchr(optarg, '/');
+ if (end != NULL) {
+ *end++ = '\0';
+ if (!strtonum(end, NULL, &mask, 0, 32))
+ param_act(P_BAD_VALUE, "RAWDNAT",
+ "--to-destination", optarg);
+ info->mask = mask;
+ }
+ a = numeric_to_ip6addr(optarg);
+ if (a == NULL)
+ param_act(P_BAD_VALUE, "RAWDNAT", "--to-destination",
+ optarg);
+ memcpy(&info->addr.in6, a, sizeof(*a));
+ *flags |= FLAGS_TO;
+ return true;
+ }
+ return false;
+}
+
+static void rawdnat_tg_check(unsigned int flags)
+{
+ if (!(flags & FLAGS_TO))
+ exit_error(PARAMETER_PROBLEM, "RAWDNAT: \"--to-destination\" "
+ "is required.");
+}
+
+static void
+rawdnat_tg4_print(const void *entry, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ if (!numeric && info->mask == 32)
+ printf("to-destination %s ",
+ ipaddr_to_anyname(&info->addr.in));
+ else
+ printf("to-destination %s/%u ",
+ ipaddr_to_numeric(&info->addr.in), info->mask);
+}
+
+static void
+rawdnat_tg6_print(const void *entry, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ if (!numeric && info->mask == 128)
+ printf("to-destination %s ",
+ ip6addr_to_anyname(&info->addr.in6));
+ else
+ printf("to-destination %s/%u ",
+ ip6addr_to_numeric(&info->addr.in6), info->mask);
+}
+
+static void
+rawdnat_tg4_save(const void *entry, const struct xt_entry_target *target)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ printf("--to-destination %s/%u ", ipaddr_to_numeric(&info->addr.in),
+ info->mask);
+}
+
+static void
+rawdnat_tg6_save(const void *entry, const struct xt_entry_target *target)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ printf("--to-destination %s/%u ", ip6addr_to_numeric(&info->addr.in6),
+ info->mask);
+}
+
+static struct xtables_target rawdnat_tg4_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "RAWDNAT",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .help = rawdnat_tg_help,
+ .parse = rawdnat_tg4_parse,
+ .final_check = rawdnat_tg_check,
+ .print = rawdnat_tg4_print,
+ .save = rawdnat_tg4_save,
+ .extra_opts = rawdnat_tg_opts,
+};
+
+static struct xtables_target rawdnat_tg6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "RAWDNAT",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .help = rawdnat_tg_help,
+ .parse = rawdnat_tg6_parse,
+ .final_check = rawdnat_tg_check,
+ .print = rawdnat_tg6_print,
+ .save = rawdnat_tg6_save,
+ .extra_opts = rawdnat_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&rawdnat_tg4_reg);
+ xtables_register_target(&rawdnat_tg6_reg);
+}
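Review bot: rawdnat_tg6_parse() bounds the prefix with strtonum(end, NULL, &mask, 0, 32), copied from the IPv4 parser; for AF_INET6 the upper bound must be 128, otherwise any IPv6 prefix longer than /32 is rejected while the default set just above is 128. Two smaller points: `*end++ = '\0'` truncates optarg before the error path prints it, so the user sees only the address part of a bad argument; and the IPv4 and IPv6 parse/print/save functions differ only in the address helpers, so one set of functions switching on the family would halve this file and the near-identical libxt_RAWSNAT.c.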
Index: iptables-modules/extensions/libxt_RAWDNAT.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_RAWDNAT.man
@@ -0,0 +1,13 @@
+The \fBRAWDNAT\fR target will rewrite the destination address in the IP header,
+much like the \fBNETMAP\fR target. \fBRAWDNAT\fR may only be used in the
+\fBraw\fR table, but can be used in all chains, which makes it possible to
+change the source address either when the packet enters the machine or when it
+leaves it.
+.TP
+\fB--to-destination\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+Network address to map to. The resulting address will be constructed the
+following way: All 'one' bits in the \fImask\fR are filled in from the new
+\fIaddress\fR. All bits that are zero in the mask are filled in from the
+original address.
+.PP
+See the \fBRAWSNAT\fR help entry for examples.
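Review bot: the first paragraph says RAWDNAT makes it possible to "change the source address", copied from the RAWSNAT page; this target rewrites the destination address. The option paragraph calls the argument \fIaddr\fR in the synopsis but \fIaddress\fR in the description; use one name.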
Index: iptables-modules/extensions/libxt_RAWSNAT.c
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_RAWSNAT.c
@@ -0,0 +1,176 @@
+#include <netinet/in.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <xtables.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_RAWNAT.h>
+
+enum {
+ FLAGS_TO = 1 << 0,
+};
+
+static const struct option rawsnat_tg_opts[] = {
+ {.name = "to-source", .has_arg = true, .val = 't'},
+ {},
+};
+
+static void rawsnat_tg_help(void)
+{
+ printf(
+"RAWSNAT target options:\n"
+" --to-source addr[/mask] Address or network to map to\n"
+);
+}
+
+static int
+rawsnat_tg4_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+ struct in_addr *a;
+ unsigned int mask;
+ char *end;
+
+ switch (c) {
+ case 't':
+ info->mask = 32;
+ end = strchr(optarg, '/');
+ if (end != NULL) {
+ *end++ = '\0';
+ if (!strtonum(end, NULL, &mask, 0, 32))
+ param_act(P_BAD_VALUE, "RAWSNAT",
+ "--to-source", optarg);
+ info->mask = mask;
+ }
+ a = numeric_to_ipaddr(optarg);
+ if (a == NULL)
+ param_act(P_BAD_VALUE, "RAWSNAT", "--to-source",
+ optarg);
+ memcpy(&info->addr.in, a, sizeof(*a));
+ *flags |= FLAGS_TO;
+ return true;
+ }
+ return false;
+}
+
+static int
+rawsnat_tg6_parse(int c, char **argv, int invert, unsigned int *flags,
+ const void *entry, struct xt_entry_target **target)
+{
+ struct xt_rawnat_tginfo *info = (void *)(*target)->data;
+ struct in6_addr *a;
+ unsigned int mask;
+ char *end;
+
+ switch (c) {
+ case 't':
+ info->mask = 128;
+ end = strchr(optarg, '/');
+ if (end != NULL) {
+ *end++ = '\0';
+ if (!strtonum(end, NULL, &mask, 0, 32))
+ param_act(P_BAD_VALUE, "RAWSNAT",
+ "--to-source", optarg);
+ info->mask = mask;
+ }
+ a = numeric_to_ip6addr(optarg);
+ if (a == NULL)
+ param_act(P_BAD_VALUE, "RAWSNAT", "--to-source",
+ optarg);
+ memcpy(&info->addr.in6, a, sizeof(*a));
+ *flags |= FLAGS_TO;
+ return true;
+ }
+ return false;
+}
+
+static void rawsnat_tg_check(unsigned int flags)
+{
+ if (!(flags & FLAGS_TO))
+ exit_error(PARAMETER_PROBLEM, "RAWSNAT: \"--to-source\" "
+ "is required.");
+}
+
+static void
+rawsnat_tg4_print(const void *entry, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ if (!numeric && info->mask == 32)
+ printf("to-source %s ",
+ ipaddr_to_anyname(&info->addr.in));
+ else
+ printf("to-source %s/%u ",
+ ipaddr_to_numeric(&info->addr.in), info->mask);
+}
+
+static void
+rawsnat_tg6_print(const void *entry, const struct xt_entry_target *target,
+ int numeric)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ if (!numeric && info->mask == 128)
+ printf("to-source %s ",
+ ip6addr_to_anyname(&info->addr.in6));
+ else
+ printf("to-source %s/%u ",
+ ip6addr_to_numeric(&info->addr.in6), info->mask);
+}
+
+static void
+rawsnat_tg4_save(const void *entry, const struct xt_entry_target *target)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ printf("--to-source %s/%u ", ipaddr_to_numeric(&info->addr.in),
+ info->mask);
+}
+
+static void
+rawsnat_tg6_save(const void *entry, const struct xt_entry_target *target)
+{
+ const struct xt_rawnat_tginfo *info = (const void *)target->data;
+
+ printf("--to-source %s/%u ", ip6addr_to_numeric(&info->addr.in6),
+ info->mask);
+}
+
+static struct xtables_target rawsnat_tg4_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "RAWSNAT",
+ .revision = 0,
+ .family = AF_INET,
+ .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .help = rawsnat_tg_help,
+ .parse = rawsnat_tg4_parse,
+ .final_check = rawsnat_tg_check,
+ .print = rawsnat_tg4_print,
+ .save = rawsnat_tg4_save,
+ .extra_opts = rawsnat_tg_opts,
+};
+
+static struct xtables_target rawsnat_tg6_reg = {
+ .version = IPTABLES_VERSION,
+ .name = "RAWSNAT",
+ .revision = 0,
+ .family = AF_INET6,
+ .size = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .userspacesize = XT_ALIGN(sizeof(struct xt_rawnat_tginfo)),
+ .help = rawsnat_tg_help,
+ .parse = rawsnat_tg6_parse,
+ .final_check = rawsnat_tg_check,
+ .print = rawsnat_tg6_print,
+ .save = rawsnat_tg6_save,
+ .extra_opts = rawsnat_tg_opts,
+};
+
+void _init(void)
+{
+ xtables_register_target(&rawsnat_tg4_reg);
+ xtables_register_target(&rawsnat_tg6_reg);
+}
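Review bot: same issue as in libxt_RAWDNAT.c: rawsnat_tg6_parse() limits the prefix to 0..32 for an IPv6 address; the upper bound should be 128.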
Index: iptables-modules/extensions/libxt_RAWSNAT.man
===================================================================
--- /dev/null
+++ iptables-modules/extensions/libxt_RAWSNAT.man
@@ -0,0 +1,15 @@
+The \fBRAWSNAT\fR target will rewrite the source address in the IP header, much
+like the \fBNETMAP\fR target. \fBRAWSNAT\fR may only be used in the \fBraw\fR
+table, but can be used in all chains, which makes it possible to change the
+source address either when the packet enters the machine or when it leaves it.
+.TP
+\fB--to-source\fR \fIaddr\fR[\fB/\fR\fImask\fR]
+Network address to map to. The resulting address will be constructed the
+following way: All 'one' bits in the \fImask\fR are filled in from the new
+\fIaddress\fR. All bits that are zero in the mask are filled in from the
+original address.
+.PP
+As an example, changing the destination for a connection:
+.IP
+-t raw -A POSTROUTING -d 12.34.56.78 -j RAWDNAT --to-destination 66.249.93.104
+-t raw -A PREROUTING -s 66.249.93.104 -j RAWSNAT --to-source 12.34.56.78
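Review bot: the two example commands under .IP are not protected from filling, so troff renders them as one run-on line; wrap them in .nf/.fi or separate them with .br. The example also deserves a sentence on why the pair is needed: with NF_IP_PRI_RAW_POST above NF_IP_PRI_CONNTRACK_CONFIRM, the RAWDNAT in POSTROUTING runs after conntrack has confirmed the flow with 12.34.56.78 as destination, so replies from 66.249.93.104 must be mapped back in PREROUTING, before conntrack, for the state lookup and any nat rules to match them.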
Index: iptables-modules/include/linux/netfilter/xt_RAWNAT.h
===================================================================
--- /dev/null
+++ iptables-modules/include/linux/netfilter/xt_RAWNAT.h
@@ -0,0 +1,9 @@
+#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
+#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
+
+struct xt_rawnat_tginfo {
+ union nf_inet_addr addr;
+ uint8_t mask;
+};
+
+#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */
* Re: [xt_RAWNAT 3/3] xt_RAWNAT code
From: Jan Engelhardt @ 2008-01-13 16:25 UTC (permalink / raw)
To: kaber; +Cc: Netfilter Developer Mailing List
fixes compile error (3/3 resend).
diff --git a/include/linux/netfilter/xt_RAWNAT.h b/include/linux/netfilter/xt_RAWNAT.h
new file mode 100644
index 0000000..f948166
--- /dev/null
+++ b/include/linux/netfilter/xt_RAWNAT.h
@@ -0,0 +1,9 @@
+#ifndef _LINUX_NETFILTER_XT_TARGET_RAWNAT
+#define _LINUX_NETFILTER_XT_TARGET_RAWNAT 1
+
+struct xt_rawnat_tginfo {
+ union nf_inet_addr addr;
+ uint8_t mask;
+};
+
+#endif /* _LINUX_NETFILTER_XT_TARGET_RAWNAT */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index eec3d24..7611e1b 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -385,6 +385,15 @@ config NETFILTER_XT_TARGET_RATEEST
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_TARGET_RAWNAT
+ tristate '"RAWNAT" raw address translation w/o conntrack'
+ depends on NETFILTER_XTABLES
+ depends on IP_NF_RAW || IP_NF6_RAW
+ ---help---
+ This option adds the RAWSNAT and RAWDNAT targets which can do Network
+ Address Translation (no port translation) without requiring Netfilter
+ connection tracking.
+
config NETFILTER_XT_TARGET_REJECT
tristate '"REJECT" target support'
depends on NETFILTER_XTABLES
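Review bot: IP_NF6_RAW is still the wrong symbol in this resend; the IPv6 raw table option is IP6_NF_RAW.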
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index b170ef1..e5132fd 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -47,6 +47,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_RATEEST) += xt_RATEEST.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_RAWNAT) += xt_RAWNAT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_REJECT) += xt_REJECT.o
obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
obj-$(CONFIG_NETFILTER_XT_TARGET_STEAL) += xt_STEAL.o
diff --git a/net/netfilter/xt_RAWNAT.c b/net/netfilter/xt_RAWNAT.c
new file mode 100644
index 0000000..42072d3
--- /dev/null
+++ b/net/netfilter/xt_RAWNAT.c
@@ -0,0 +1,195 @@
+/*
+ * xt_RAWNAT - Netfilter module to do untracked NAT
+ *
+ * Copyright © CC Computer Consultants GmbH, 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
+ */
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_RAWNAT.h>
+#include <net/netfilter/nf_conntrack.h>
+
+static inline u_int32_t
+remask(u_int32_t addr, u_int32_t repl, unsigned int shift)
+{
+ u_int32_t mask = (shift == 32) ? 0 : (~(u_int32_t)0 >> shift);
+ return htonl((ntohl(addr) & ~mask) | ntohl(repl));
+}
+
+static void
+rawnat_ipv6_mask(__be32 *addr, const __be32 *repl, unsigned int mask)
+{
+ switch (mask) {
+ case 0:
+ break;
+ case 1 ... 31:
+ addr[0] = remask(addr[0], repl[0], mask);
+ break;
+ case 32:
+ addr[0] = repl[0];
+ break;
+ case 33 ... 63:
+ addr[0] = repl[0];
+ addr[1] = remask(addr[1], repl[1], mask - 64);
+ break;
+ case 64:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ break;
+ case 65 ... 95:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = remask(addr[2], repl[2], mask - 96);
+ case 96:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = repl[2];
+ break;
+ case 97 ... 127:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = repl[2];
+ addr[3] = remask(addr[3], repl[3], mask - 128);
+ break;
+ case 128:
+ addr[0] = repl[0];
+ addr[1] = repl[1];
+ addr[2] = repl[2];
+ addr[3] = repl[3];
+ break;
+ }
+}
+
+static unsigned int
+rawsnat_tg4(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct iphdr *iph;
+ u_int32_t na;
+
+ if (!skb_make_writable(skb, sizeof(struct iphdr)))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+ na = remask(iph->saddr, info->addr.ip, info->mask);
+ csum_replace4(&iph->check, iph->saddr, na);
+ iph->saddr = na;
+ return XT_CONTINUE;
+}
+
+static unsigned int
+rawdnat_tg4(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct iphdr *iph;
+ u_int32_t na;
+
+ if (!skb_make_writable(skb, sizeof(struct iphdr)))
+ return NF_DROP;
+
+ iph = ip_hdr(skb);
+ na = remask(iph->daddr, info->addr.ip, info->mask);
+ csum_replace4(&iph->check, iph->daddr, na);
+ iph->daddr = na;
+ return XT_CONTINUE;
+}
+
+static unsigned int
+rawsnat_tg6(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct ipv6hdr *iph;
+
+ if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
+ return NF_DROP;
+
+ iph = ipv6_hdr(skb);
+ rawnat_ipv6_mask(iph->saddr.s6_addr32, info->addr.ip6, info->mask);
+ return XT_CONTINUE;
+}
+
+static unsigned int
+rawdnat_tg6(struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, unsigned int hooknum,
+ const struct xt_target *target, const void *targinfo)
+{
+ const struct xt_rawnat_tginfo *info = targinfo;
+ struct ipv6hdr *iph;
+
+ if (!skb_make_writable(skb, sizeof(struct ipv6hdr)))
+ return NF_DROP;
+
+ iph = ipv6_hdr(skb);
+ rawnat_ipv6_mask(iph->daddr.s6_addr32, info->addr.ip6, info->mask);
+ return XT_CONTINUE;
+}
+
+static struct xt_target rawnat_tg_reg[] __read_mostly = {
+ {
+ .name = "RAWSNAT",
+ .revision = 0,
+ .family = AF_INET,
+ .table = "raw",
+ .target = rawsnat_tg4,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "RAWSNAT",
+ .revision = 0,
+ .family = AF_INET6,
+ .table = "raw",
+ .target = rawsnat_tg6,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "RAWDNAT",
+ .revision = 0,
+ .family = AF_INET,
+ .table = "raw",
+ .target = rawdnat_tg4,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "RAWDNAT",
+ .revision = 0,
+ .family = AF_INET6,
+ .table = "raw",
+ .target = rawdnat_tg6,
+ .targetsize = sizeof(struct xt_rawnat_tginfo),
+ .me = THIS_MODULE,
+ },
+};
+
+static int __init rawnat_tg_init(void)
+{
+ return xt_register_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
+}
+
+static void __exit rawnat_tg_exit(void)
+{
+ xt_unregister_targets(rawnat_tg_reg, ARRAY_SIZE(rawnat_tg_reg));
+}
+
+module_init(rawnat_tg_init);
+module_exit(rawnat_tg_exit);
+MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_DESCRIPTION("Netfilter: conntrack-less raw NAT");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_RAWSNAT");
+MODULE_ALIAS("ipt_RAWDNAT");
+MODULE_ALIAS("ip6t_RAWSNAT");
+MODULE_ALIAS("ip6t_RAWDNAT");
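Review bot: remask() and rawnat_ipv6_mask() do not agree on what info->mask means, and the IPv6 side has arithmetic errors. In remask(), mask holds the low (32 - shift) host bits, so "(ntohl(addr) & ~mask) | ntohl(repl)" keeps the prefix bits of the original address and ORs in the whole replacement: with shift == 32 the result is addr | repl rather than repl, while shift == 0 yields a full replacement. For mask as a prefix length, which is what the IPv6 switch implements (case 32 copies exactly one word), it should read "(ntohl(addr) & mask) | (ntohl(repl) & ~mask)". In rawnat_ipv6_mask(), "case 33 ... 63" passes mask - 64, "case 65 ... 95" passes mask - 96 and "case 97 ... 127" passes mask - 128; all three underflow the unsigned parameter and become shifts by 32 or more, which is undefined; they should be mask - 32, mask - 64 and mask - 96. "case 65 ... 95" also lacks a break and falls into "case 96", which then overwrites addr[2] with repl[2] wholesale, and a mask above 128 is silently ignored. Nothing validates mask at rule insertion either: rawnat_tg_reg has no .checkentry, so an IPv4 rule with mask > 32 reaches "~(u_int32_t)0 >> shift" with an out-of-range shift; reject it there with the family-specific upper bound. Separately, csum_replace4() on iph->check is not enough: for TCP, UDP and UDP-Lite the transport checksum covers the pseudo-header, so every rewritten segment leaves with a bad L4 checksum unless the skb is CHECKSUM_PARTIAL; after skb_make_writable() over the transport header, apply the same old/new delta with inet_proto_csum_replace4(). The IPv6 handlers update no checksum at all, and IPv6 TCP/UDP/ICMPv6 checksums are mandatory. Finally, linux/netfilter/nf_conntrack_common.h and net/netfilter/nf_conntrack.h are included but unused, which reads oddly in a "conntrack-less" target.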
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
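What RAWSNAT/RAWDNAT do, namely overwrite a prefix of the source or destination address and repair the checksum, as an added user-space C example (this is not code from the patch, from xtables-addons or from anyone in the thread): it generalises the word-granular remask()/rawnat_ipv6_mask() pair into one byte-granular prefix_replace() that serves both families and rejects an over-long prefix, and it updates the IPv4 header checksum and the TCP pseudo-header checksum incrementally (RFC 1624) on a constructed SYN built from the addresses in the thread's trace (192.168.222.24 -> 1.3.3.7, rewritten to 85.214.69.204). The packet bytes and the IPv6 addresses in demo_ipv6() are constructed for this example.

```c
/* Added example (not code from the xt_RAWNAT patch): prefix-masked rewrite + RFC 1624 checksum fix-up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Replace the first `bits` bits of addr (len bytes) with those of repl and keep the rest.
 * Serves IPv4 (len 4) and IPv6 (len 16); an over-long prefix is rejected, not shifted. */
static int prefix_replace(uint8_t *addr, const uint8_t *repl, unsigned int bits, size_t len)
{
    if (bits > len * 8)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned int keep = bits >= (i + 1) * 8 ? 8 : bits > i * 8 ? bits - i * 8 : 0;
        uint8_t m = keep ? (uint8_t)(0xff << (8 - keep)) : 0;
        addr[i] = (addr[i] & ~m) | (repl[i] & m);
    }
    return 0;
}

/* End-around-carry fold of a 32-bit accumulator to a 16-bit one's-complement sum. */
static uint32_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return s; }

/* RFC 1071 one's-complement sum over n bytes, continuing from sum. */
static uint32_t csum_add(const uint8_t *p, size_t n, uint32_t sum)
{
    for (; n > 1; p += 2, n -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (n)
        sum += (uint32_t)p[0] << 8;               /* odd trailing byte is a high octet */
    return fold(sum);
}

/* IPv4 header checksum (l4 == 0) or pseudo-header + TCP checksum (l4 != 0), computed
 * over the packet as stored, so a result of 0 means the stored checksum verifies. */
static uint16_t checksum(const uint8_t *ip, int l4)
{
    size_t ihl = (ip[0] & 0x0f) * 4, tlen = ((size_t)ip[2] << 8 | ip[3]) - ihl;
    uint8_t ph[12] = { 0 };                       /* src, dst, 0, proto, TCP length */
    if (!l4)
        return (uint16_t)~csum_add(ip, ihl, 0);
    memcpy(ph, ip + 12, 8);
    ph[9] = ip[9], ph[10] = tlen >> 8, ph[11] = tlen & 0xff;
    return (uint16_t)~csum_add(ip + ihl, tlen, csum_add(ph, 12, 0));
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one replaced 32-bit field; csum points
 * at the big-endian checksum field, which is updated in place. */
static void csum_replace4(uint8_t *csum, const uint8_t *oldv, const uint8_t *newv)
{
    uint32_t sum = ~((uint32_t)csum[0] << 8 | csum[1]) & 0xffff;
    for (int i = 0; i < 4; i += 2)
        sum += (~((uint32_t)oldv[i] << 8 | oldv[i + 1]) & 0xffff) + ((uint32_t)newv[i] << 8 | newv[i + 1]);
    sum = fold(sum);
    csum[0] = (~sum >> 8) & 0xff, csum[1] = ~sum & 0xff;
}

/* DNAT the destination to the /bits prefix of repl. fix_l4 == 0 corrects only iph->check,
 * as the posted rawdnat_tg4() does; for TCP the checksum at tcph + 16 covers the addresses too. */
static int rewrite_dst(uint8_t *ip, const uint8_t repl[4], unsigned int bits, int fix_l4)
{
    uint8_t oldv[4], newv[4];
    memcpy(oldv, ip + 16, 4), memcpy(newv, oldv, 4);
    if (prefix_replace(newv, repl, bits, 4))
        return -1;
    csum_replace4(ip + 10, oldv, newv);
    if (fix_l4 && ip[9] == 6)
        csum_replace4(ip + (ip[0] & 0x0f) * 4 + 16, oldv, newv);
    memcpy(ip + 16, newv, 4);
    return 0;
}

/* Constructed 40-byte SYN 192.168.222.24:38108 -> 1.3.3.7:22 (no options, no payload),
 * rewritten to 85.214.69.204/32. Bit 0 of the result: IP checksum verifies; bit 1: TCP does. */
static int demo_ipv4(int fix_l4)
{
    static const uint8_t to[4] = { 85, 214, 69, 204 };
    uint8_t p[40] = { 0x45, 0x10, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0, 192, 168, 222, 24,
                      1, 3, 3, 7, 0x94, 0xdc, 0, 22, [32] = 0x50, 0x02, 0x16, 0xd0 };
    uint16_t c = checksum(p, 0);
    p[10] = c >> 8, p[11] = c & 0xff;
    c = checksum(p, 1), p[36] = c >> 8, p[37] = c & 0xff;
    if (rewrite_dst(p, to, 32, fix_l4) || memcmp(p + 16, to, 4))
        return -1;
    return (checksum(p, 0) == 0) | (checksum(p, 1) == 0) << 1;
}

/* IPv6: renumber 2001:db8:1:2::5 into 2001:db8:ffff::/48, keeping the host part;
 * returns 1 when that holds and a /129 is rejected. */
static int demo_ipv6(void)
{
    uint8_t a[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 1, 0, 2, [15] = 5 };
    static const uint8_t r[16] = { 0x20, 0x01, 0x0d, 0xb8, 0xff, 0xff };
    static const uint8_t want[16] = { 0x20, 0x01, 0x0d, 0xb8, 0xff, 0xff, 0, 2, [15] = 5 };
    if (prefix_replace(a, r, 129, 16) != -1 || prefix_replace(a, r, 48, 16))
        return 0;
    return memcmp(a, want, 16) == 0;
}

int main(void) { printf("%d %d %d\n", demo_ipv4(1), demo_ipv4(0), demo_ipv6()); return 0; }
```

Build with cc -Wall and run: demo_ipv4(1) returns 3 (both checksums still verify after the rewrite), while demo_ipv4(0), which touches only the IP header checksum the way the posted target does, returns 1, because the TCP checksum covers the pseudo-header and is now stale. In the kernel the same old/new delta is what inet_proto_csum_replace4() applies to the transport checksum; for UDP a fix-up that yields 0 has to be stored as 0xffff, which this TCP-only example does not handle.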
* Re: xt_RAWNAT target idea
2008-01-13 16:08 xt_RAWNAT target idea Jan Engelhardt
` (3 preceding siblings ...)
2008-01-13 16:22 ` [xt_RAWNAT] iptables libxt_RAWNAT Jan Engelhardt
@ 2008-01-14 6:04 ` Patrick McHardy
2008-01-14 9:45 ` Jan Engelhardt
4 siblings, 1 reply; 14+ messages in thread
From: Patrick McHardy @ 2008-01-14 6:04 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> the following series implements xt_RAWNAT, a target to do network
> address translation not depending on conntrack. I still have an issue
> though, if you have an idea what could be wrong, please let me know.
What's the advantage over using the TC NAT action?
* Re: xt_RAWNAT target idea
2008-01-14 6:04 ` xt_RAWNAT target idea Patrick McHardy
@ 2008-01-14 9:45 ` Jan Engelhardt
2008-01-14 9:53 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Jan Engelhardt @ 2008-01-14 9:45 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 14 2008 07:04, Patrick McHardy wrote:
> Jan Engelhardt wrote:
>> the following series implements xt_RAWNAT, a target to do network
>> address translation not depending on conntrack. I still have an issue
>> though, if you have an idea what could be wrong, please let me know.
>
> What's the advantage over using the TC NAT action?
Let me put it this way... “what is tc?”
- tc is a real black-box to most users;
lack of documentation (despite lartc.org efforts)
- act_nat only works like NETMAP, i.e.
on outgoing packets, you can only change the source addr
At which point I would be asking: why is tc trying to do the same
as netfilter mangling targets?
* Re: xt_RAWNAT target idea
2008-01-14 9:45 ` Jan Engelhardt
@ 2008-01-14 9:53 ` Patrick McHardy
2008-01-14 14:28 ` Jan Engelhardt
2008-01-14 15:20 ` Jan Engelhardt
0 siblings, 2 replies; 14+ messages in thread
From: Patrick McHardy @ 2008-01-14 9:53 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 14 2008 07:04, Patrick McHardy wrote:
>> Jan Engelhardt wrote:
>>> the following series implements xt_RAWNAT, a target to do network
>>> address translation not depending on conntrack. I still have an issue
>>> though, if you have an idea what could be wrong, please let me know.
>> What's the advantage over using the TC NAT action?
>
> Let me put it this way... “what is tc?”
>
> - tc is a real black-box to most users;
> lack of documentation (despite lartc.org efforts)
That should be fixed by writing documentation, not code :)
> - act_nat only works like NETMAP, i.e.
> on outgoing packets, you can only change the source addr
I guess it could be changed to support DNAT on outgoing packets
quite easily.
> At which point I would be asking: why is tc trying to do the same
> as netfilter mangling targets?
Well, true, it would be nice to be able to do this within
netfilter without TC actions. But adding a new chain to the
raw table is a high price, every new netfilter hook costs
quite a bit of performance. Why not simply do this in the
mangle table? That will also make rerouting in OUTPUT work
as a side effect.
Another issue is IPv6 support. Everyone agrees that we don't
want to support IPv6 NAT. So this would have to be removed.
* Re: xt_RAWNAT target idea
2008-01-14 9:53 ` Patrick McHardy
@ 2008-01-14 14:28 ` Jan Engelhardt
2008-01-14 14:39 ` Jozsef Kadlecsik
2008-01-14 22:43 ` Amos Jeffries
2008-01-14 15:20 ` Jan Engelhardt
1 sibling, 2 replies; 14+ messages in thread
From: Jan Engelhardt @ 2008-01-14 14:28 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 14 2008 10:53, Patrick McHardy wrote:
>>
>> - tc is a real black-box to most users;
>> lack of documentation (despite lartc.org efforts)
>
> That should be fixed by writing documentation, not code :)
I would rather try obsoleting it.
>> At which point I would be asking: why is tc trying to do the same
>> as netfilter mangling targets?
>
> Well, true, it would be nice to be able to do this within
> netfilter without TC actions. But adding a new chain to the
> raw table is a high price, every new netfilter hook costs
> quite a bit of performance. Why not simply do this in the
> mangle table? That will also make rerouting in OUTPUT work
> as a side effect.
That may just work.
> Another issue is IPv6 support. Everyone agrees that we don't
> want to support IPv6 NAT. So this would have to be removed.
There is a need for IPv6 (conntrackful) NAT actually, just like there is
for DHCPv6. Hiding hosts (you want websites to know how many devices you
have?) or when your ISP runs a pay-per-address model.
* Re: xt_RAWNAT target idea
2008-01-14 14:28 ` Jan Engelhardt
@ 2008-01-14 14:39 ` Jozsef Kadlecsik
2008-01-14 22:43 ` Amos Jeffries
1 sibling, 0 replies; 14+ messages in thread
From: Jozsef Kadlecsik @ 2008-01-14 14:39 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List
Hi Jan,
On Mon, 14 Jan 2008, Jan Engelhardt wrote:
> > Another issue is IPv6 support. Everyone agrees that we don't
> > want to support IPv6 NAT. So this would have to be removed.
>
> There is a need for IPv6 (conntrackful) NAT actually, just like there is
> for DHCPv6. Hiding hosts (you want websites to know how many devices you
> have?) or when your ISP runs a pay-per-address model.
DHCPv6 is a useful thing but IPv6 NAT is evil. (IPv4) NAT was introduced
to address (i.e. slow down) the depletion of the IPv4 address space.
There is simply no need for such a hack for IPv6.
If someone wants to hide hosts then run a proxy.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: xt_RAWNAT target idea
2008-01-14 9:53 ` Patrick McHardy
2008-01-14 14:28 ` Jan Engelhardt
@ 2008-01-14 15:20 ` Jan Engelhardt
2008-01-15 6:34 ` Patrick McHardy
1 sibling, 1 reply; 14+ messages in thread
From: Jan Engelhardt @ 2008-01-14 15:20 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Developer Mailing List
On Jan 14 2008 10:53, Patrick McHardy wrote:
> But adding a new chain to the raw table is a high price, every new
> netfilter hook costs quite a bit of performance. Why not simply do
> this in the mangle table? That will also make rerouting in OUTPUT
> work as a side effect.
I think the issue that I tried to outrun was that if I mangle the
address in NF_IP_PRI_MANGLE, then IP_NF_PRI_CONNTRACK_HELPER and
IP_NF_PRI_CONNTRACK_CONFIRM get confused because I change the
address after NF_IP_PRI_CONNTRACK.
IOW: conntrack sees the packet, I mangle it in mangle,
and then the other conntrack hooks get confused.
That is why I thought I need some hook after
NF_IP_PRI_CONNTRACK_CONFIRM.
* Re: xt_RAWNAT target idea
2008-01-14 14:28 ` Jan Engelhardt
2008-01-14 14:39 ` Jozsef Kadlecsik
@ 2008-01-14 22:43 ` Amos Jeffries
1 sibling, 0 replies; 14+ messages in thread
From: Amos Jeffries @ 2008-01-14 22:43 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Patrick McHardy, Netfilter Developer Mailing List
>
> On Jan 14 2008 10:53, Patrick McHardy wrote:
>>>
>>> - tc is a real black-box to most users;
>>> lack of documentation (despite lartc.org efforts)
>>
>> That should be fixed by writing documentation, not code :)
>
> I would rather try obsoleting it.
>
>>> At which point I would be asking: why is tc trying to do the same
>>> as netfilter mangling targets?
>>
>> Well, true, it would be nice to be able to do this within
>> netfilter without TC actions. But adding a new chain to the
>> raw table is a high price, every new netfilter hook costs
>> quite a bit of performance. Why not simply do this in the
>> mangle table? That will also make rerouting in OUTPUT work
>> as a side effect.
>
> That may just work.
>
>> Another issue is IPv6 support. Everyone agrees that we don't
>> want to support IPv6 NAT. So this would have to be removed.
>
> There is a need for IPv6 (conntrackful) NAT actually, just like there is
> for DHCPv6. Hiding hosts (you want websites to know how many devices you
> have?) or when your ISP runs a pay-per-address model.
I'll second that with transparent service proxying.
We all agree it's not nice and should be avoided, but there are real-world
situations that need it in some form.
Amos Jeffries
Squid Development Team
* Re: xt_RAWNAT target idea
2008-01-14 15:20 ` Jan Engelhardt
@ 2008-01-15 6:34 ` Patrick McHardy
0 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2008-01-15 6:34 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List
Jan Engelhardt wrote:
> On Jan 14 2008 10:53, Patrick McHardy wrote:
>
>> But adding a new chain to the raw table is a high price, every new
>> netfilter hook costs quite a bit of performance. Why not simply do
>> this in the mangle table? That will also make rerouting in OUTPUT
>> work as a side effect.
>
> I think the issue that I tried to outrun was that if I mangle the
> address in NF_IP_PRI_MANGLE, then IP_NF_PRI_CONNTRACK_HELPER and
> IP_NF_PRI_CONNTRACK_CONFIRM get confused because I change the
> address after NF_IP_PRI_CONNTRACK.
>
> IOW: conntrack sees the packet, I mangle it in mangle,
> and then the other conntrack hooks get confused.
> That is why I thought I need some hook after
> NF_IP_PRI_CONNTRACK_CONFIRM.
They probably put the wrong address in the hash tables. The main
use for this seems to be avoiding the use of conntrack anyways,
but to make them play nicely together I guess you'd have to
mangle the conntrack tuple in case conntrack is used.
Thread overview: 14+ messages
2008-01-13 16:08 xt_RAWNAT target idea Jan Engelhardt
2008-01-13 16:09 ` [xt_RAWNAT 1/3] Make room in the hook priority list Jan Engelhardt
2008-01-13 16:10 ` [xt_RAWNAT 2/3] Extend iptable_raw by POSTROUTING hook Jan Engelhardt
2008-01-13 16:10 ` [xt_RAWNAT 3/3] xt_RAWNAT code Jan Engelhardt
2008-01-13 16:25 ` Jan Engelhardt
2008-01-13 16:22 ` [xt_RAWNAT] iptables libxt_RAWNAT Jan Engelhardt
2008-01-14 6:04 ` xt_RAWNAT target idea Patrick McHardy
2008-01-14 9:45 ` Jan Engelhardt
2008-01-14 9:53 ` Patrick McHardy
2008-01-14 14:28 ` Jan Engelhardt
2008-01-14 14:39 ` Jozsef Kadlecsik
2008-01-14 22:43 ` Amos Jeffries
2008-01-14 15:20 ` Jan Engelhardt
2008-01-15 6:34 ` Patrick McHardy