Subject: Kernel generated packets and ipsec policies
From: Nils Rennebarth @ 2010-01-11 16:49 UTC
To: Netfilter Devel List

Hi,

I am writing a netfilter module which is supposed to run on a firewall,
and protect some servers behind it.

The module is manipulating TCP connections that are routed through the
box, i.e. passing through the FORWARD chain. Occasionally it needs to
generate and send packets itself, pretending to come from the other
end of the connection.

To send a packet itself, it allocates an skb, puts together the IP and TCP
headers and a fake MAC header, and then calls netif_rx(skb).
It does not use ip_local_out like the other places in the kernel
(e.g. send_reset in ipt_REJECT.c) that send out kernel-generated
packets, because to the rest of the firewall the packet should appear
as much as possible to be part of the original connection.

Now the actual question:

Normally this works well, except if the connection passes through an
ipsec tunnel, which ends on the firewall. In this case, the following
code in net/ipv4/ip_forward.c

        if (!xfrm4_policy_check(NULL, XFRM_POLICY_FWD, skb))
                goto drop;

will drop the packet.

Is there some way to prevent the xfrm4_policy_check from rejecting
the packet? The only way I could think of was to somehow mark the
skb and then check the marker in ip_forward, so that the policy check
is skipped for marked packets:

        /* marked skbs were generated by the module and skip the policy check */
        if (!marker_present(skb) && !xfrm4_policy_check(NULL, XFRM_POLICY_FWD, skb))
                goto drop;

but that seems too ad hoc; besides, I want to keep the number of
changes to the kernel at a minimum.


-- 

With kind regards

Nils Rennebarth, Software Developer

--
Funkwerk IP-Appliances GmbH
Mönchhaldenstraße 28
D-70191 Stuttgart

Tel: +49 711 900300 - 0
Fax: +49 711 900300 - 90

E-Mail: Nils.Rennebarth@funkwerk-ec.com

Location: GmbH Nuernberg, Local Court Nuernberg, HRB 25481
Managing Directors: Torsten Urban