[PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Bas van Sisseren]

Hello,

When redirecting, the destination address is replaced by the first
ip-address on the receiving interface.

If the packet originally was sent to the second ip-address (or third,
fourth, etc..), this patch doesn't change the destination ip.

============
--- linux.orig/net/ipv4/netfilter/ipt_REDIRECT.c
+++ linux/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -78,7 +78,21 @@
        rcu_read_lock();
        indev = __in_dev_get_rcu((*pskb)->dev);
        if (indev && (ifa = indev->ifa_list))
+       {
+           struct in_ifaddr *ifa_cur; // interface ip-list cursor
+
+           // set current destination ip
+           newdst = ((struct iphdr*)skb_network_header(*pskb))->daddr;
+
+           // iterate through interface ip list
+           for (ifa_cur = ifa; ifa_cur; ifa_cur = ifa_cur->ifa_next)
+               if (newdst == ifa_cur->ifa_local)
+                   goto newdst_is_local;
+
+           // set new destination to first ip of this interface
            newdst = ifa->ifa_local;
+       }
+   newdst_is_local:
        rcu_read_unlock();

        if (!newdst)
============

Kind regards,

Bas van Sisseren

-- 
Bas van Sisseren <bas@quarantainenet.nl>
Quarantainenet

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Patrick McHardy]

Am 16.07.2010 12:00, schrieb Bas van Sisseren:
> Hello,
> 
> When redirecting, the destination address is replaced by the first
> ip-address on the receiving interface.
> 
> If the packet originally was sent to the second ip-address (or third,
> fourth, etc..), this patch doesn't change the destination ip.

So I guess you use statically configured address that are known
in advance. So why don't you simply set up your ruleset to only
redirect packets sent to the first address? That avoids iterating
through the entire address list for each new connection, which
can be quite large.

> 
> ============
> --- linux.orig/net/ipv4/netfilter/ipt_REDIRECT.c
> +++ linux/net/ipv4/netfilter/ipt_REDIRECT.c
> @@ -78,7 +78,21 @@
>         rcu_read_lock();
>         indev = __in_dev_get_rcu((*pskb)->dev);
>         if (indev && (ifa = indev->ifa_list))
> +       {
> +           struct in_ifaddr *ifa_cur; // interface ip-list cursor
> +
> +           // set current destination ip
> +           newdst = ((struct iphdr*)skb_network_header(*pskb))->daddr;
> +
> +           // iterate through interface ip list
> +           for (ifa_cur = ifa; ifa_cur; ifa_cur = ifa_cur->ifa_next)
> +               if (newdst == ifa_cur->ifa_local)
> +                   goto newdst_is_local;
> +
> +           // set new destination to first ip of this interface
>             newdst = ifa->ifa_local;
> +       }
> +   newdst_is_local:
>         rcu_read_unlock();
> 
>         if (!newdst)
> ============
> 
> Kind regards,
> 
> Bas van Sisseren
> 

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Bas van Sisseren]

Hello Patrick,

In most situations, all addresses are known in advance (although we have
some situations where we both have a static address and a dhcp'ed address on
the same interface).

The problem is that we can't tell the other end to use the first address on
the interface. Some systems use the first address, others use the second
address. When a connection is set up from the remote system to the second
address, the original REDIRECT redirects the connection to the configured
port-number on the first address.

It seems way more logical to me to keep the destination address the same and
only change the port number if the destination address is locally configured
on that interface.


Assume:
  eth0 has these addresses:
    10.1.0.1, netmask 255.255.255.0  (primary address)
    10.2.0.1, netmask 255.255.255.0
    10.3.0.1, netmask 255.255.255.0
    10.4.0.1, netmask 255.255.255.0

  and redirects from.. say.. port 80 to 8080

  Connections to 10.1.0.1:80 will be redirected to 10.1.0.1:8080
  But also all connections to 10.2.0.1:80, 10.3.0.1:80 and
  10.4.0.1:80 will be redirected to 10.1.0.1:8080


With the patch, the connection to 10.2.0.1:80 will be redirected to
10.2.0.1:8080, 10.3.0.1:80 to 10.3.0.1:8080, etc..



On 16/07/10 14:21, Patrick McHardy wrote:
> Am 16.07.2010 12:00, schrieb Bas van Sisseren:
>> Hello,
>>
>> When redirecting, the destination address is replaced by the first
>> ip-address on the receiving interface.
>>
>> If the packet originally was sent to the second ip-address (or third,
>> fourth, etc..), this patch doesn't change the destination ip.
> 
> So I guess you use statically configured address that are known
> in advance. So why don't you simply set up your ruleset to only
> redirect packets sent to the first address? That avoids iterating
> through the entire address list for each new connection, which
> can be quite large.
> 
>>
>> ============
>> --- linux.orig/net/ipv4/netfilter/ipt_REDIRECT.c
>> +++ linux/net/ipv4/netfilter/ipt_REDIRECT.c
>> @@ -78,7 +78,21 @@
>>         rcu_read_lock();
>>         indev = __in_dev_get_rcu((*pskb)->dev);
>>         if (indev && (ifa = indev->ifa_list))
>> +       {
>> +           struct in_ifaddr *ifa_cur; // interface ip-list cursor
>> +
>> +           // set current destination ip
>> +           newdst = ((struct iphdr*)skb_network_header(*pskb))->daddr;
>> +
>> +           // iterate through interface ip list
>> +           for (ifa_cur = ifa; ifa_cur; ifa_cur = ifa_cur->ifa_next)
>> +               if (newdst == ifa_cur->ifa_local)
>> +                   goto newdst_is_local;
>> +
>> +           // set new destination to first ip of this interface
>>             newdst = ifa->ifa_local;
>> +       }
>> +   newdst_is_local:
>>         rcu_read_unlock();
>>
>>         if (!newdst)
>> ============
>>
>> Kind regards,
>>
>> Bas van Sisseren

-- 
Bas van Sisseren <bas@quarantainenet.nl>
Quarantainenet

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Patrick McHardy]

Am 16.07.2010 14:42, schrieb Bas van Sisseren:
> Hello Patrick,
> 
> In most situations, all addresses are known in advance (although we have
> some situations where we both have a static address and a dhcp'ed address on
> the same interface).

At least in the cases where the addresses are known in advance, you can
handle this through the ruleset.

> The problem is that we can't tell the other end to use the first address on
> the interface. Some systems use the first address, others use the second
> address. When a connection is set up from the remote system to the second
> address, the original REDIRECT redirects the connection to the configured
> port-number on the first address.
> 
> It seems way more logical to me to keep the destination address the same and
> only change the port number if the destination address is locally configured
> on that interface.
> 
> 
> Assume:
>   eth0 has these addresses:
>     10.1.0.1, netmask 255.255.255.0  (primary address)
>     10.2.0.1, netmask 255.255.255.0
>     10.3.0.1, netmask 255.255.255.0
>     10.4.0.1, netmask 255.255.255.0
> 
>   and redirects from.. say.. port 80 to 8080
> 
>   Connections to 10.1.0.1:80 will be redirected to 10.1.0.1:8080
>   But also all connections to 10.2.0.1:80, 10.3.0.1:80 and
>   10.4.0.1:80 will be redirected to 10.1.0.1:8080
> 
> 
> With the patch, the connection to 10.2.0.1:80 will be redirected to
> 10.2.0.1:8080, 10.3.0.1:80 to 10.3.0.1:8080, etc..

OK, so basically you just want to rewrite the port number. An easier
way to do this without iterating through all addresses would be to
change userspace and the kernel so you can create REDIRECT rules
without the IP_NAT_RANGE_MAP_IPS flag. That won't work for forwarded
packets, but its the simplest solution for the case you describe.

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Jan Engelhardt]

On Friday 2010-07-16 14:49, Patrick McHardy wrote:
>> Assume:
>>   eth0 has these addresses:
>>     10.1.0.1, netmask 255.255.255.0  (primary address)
>>     10.2.0.1, netmask 255.255.255.0
>>     10.3.0.1, netmask 255.255.255.0
>>     10.4.0.1, netmask 255.255.255.0
>> 
>>   and redirects from.. say.. port 80 to 8080
>> 
>>   Connections to 10.1.0.1:80 will be redirected to 10.1.0.1:8080
>>   But also all connections to 10.2.0.1:80, 10.3.0.1:80 and
>>   10.4.0.1:80 will be redirected to 10.1.0.1:8080
>> 
>> 
>> With the patch, the connection to 10.2.0.1:80 will be redirected to
>> 10.2.0.1:8080, 10.3.0.1:80 to 10.3.0.1:8080, etc..
>
>OK, so basically you just want to rewrite the port number. An easier
>way to do this without iterating through all addresses would be to
>change userspace and the kernel so you can create REDIRECT rules
>without the IP_NAT_RANGE_MAP_IPS flag. That won't work for forwarded
>packets, but its the simplest solution for the case you describe.

Isn't TPROXY the right thing here if all you want is changing the port 
of delivery? :-)

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Patrick McHardy]

Am 16.07.2010 16:56, schrieb Jan Engelhardt:
> On Friday 2010-07-16 14:49, Patrick McHardy wrote:
>>> Assume:
>>>   eth0 has these addresses:
>>>     10.1.0.1, netmask 255.255.255.0  (primary address)
>>>     10.2.0.1, netmask 255.255.255.0
>>>     10.3.0.1, netmask 255.255.255.0
>>>     10.4.0.1, netmask 255.255.255.0
>>>
>>>   and redirects from.. say.. port 80 to 8080
>>>
>>>   Connections to 10.1.0.1:80 will be redirected to 10.1.0.1:8080
>>>   But also all connections to 10.2.0.1:80, 10.3.0.1:80 and
>>>   10.4.0.1:80 will be redirected to 10.1.0.1:8080
>>>
>>>
>>> With the patch, the connection to 10.2.0.1:80 will be redirected to
>>> 10.2.0.1:8080, 10.3.0.1:80 to 10.3.0.1:8080, etc..
>>
>> OK, so basically you just want to rewrite the port number. An easier
>> way to do this without iterating through all addresses would be to
>> change userspace and the kernel so you can create REDIRECT rules
>> without the IP_NAT_RANGE_MAP_IPS flag. That won't work for forwarded
>> packets, but its the simplest solution for the case you describe.
> 
> Isn't TPROXY the right thing here if all you want is changing the port 
> of delivery? :-)

TPROXY does more than changing the port number. Being able to
specify port-only redirect rules sounds useful to me in any
case.

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Bas van Sisseren]

On 16/07/10 16:56, Jan Engelhardt wrote:
> On Friday 2010-07-16 14:49, Patrick McHardy wrote:
>>> Assume:
>>>   eth0 has these addresses:
>>>     10.1.0.1, netmask 255.255.255.0  (primary address)
>>>     10.2.0.1, netmask 255.255.255.0
>>>     10.3.0.1, netmask 255.255.255.0
>>>     10.4.0.1, netmask 255.255.255.0
>>>
>>>   and redirects from.. say.. port 80 to 8080
>>>
>>>   Connections to 10.1.0.1:80 will be redirected to 10.1.0.1:8080
>>>   But also all connections to 10.2.0.1:80, 10.3.0.1:80 and
>>>   10.4.0.1:80 will be redirected to 10.1.0.1:8080
>>>
>>>
>>> With the patch, the connection to 10.2.0.1:80 will be redirected to
>>> 10.2.0.1:8080, 10.3.0.1:80 to 10.3.0.1:8080, etc..
>>
>> OK, so basically you just want to rewrite the port number. An easier
>> way to do this without iterating through all addresses would be to
>> change userspace and the kernel so you can create REDIRECT rules
>> without the IP_NAT_RANGE_MAP_IPS flag. That won't work for forwarded
>> packets, but its the simplest solution for the case you describe.
> 
> Isn't TPROXY the right thing here if all you want is changing the port 
> of delivery? :-)

I could use TPROXY.. But then I still need to patch the kernel. Even Debian
unstable kernels do not yet have the ipt_TPROXY module. Besides that,
TPROXY looks promising.


On 16/07/10 16:58, Patrick McHardy wrote:
> TPROXY does more than changing the port number. Being able to
> specify port-only redirect rules sounds useful to me in any
> case.

A port-only redirect would be very nice and would solve the problems I'm having.

-- 
Bas van Sisseren <bas@quarantainenet.nl>
Quarantainenet

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Jan Engelhardt]

On Friday 2010-07-16 17:14, Bas van Sisseren wrote:
>>>
>>> OK, so basically you just want to rewrite the port number. An easier
>>> way to do this without iterating through all addresses would be to
>>> change userspace and the kernel so you can create REDIRECT rules
>>> without the IP_NAT_RANGE_MAP_IPS flag. That won't work for forwarded
>>> packets, but its the simplest solution for the case you describe.
>> 
>> Isn't TPROXY the right thing here if all you want is changing the port 
>> of delivery? :-)
>
>I could use TPROXY.. But then I still need to patch the kernel. Even Debian
>unstable kernels do not yet have the ipt_TPROXY module. Besides that,
>TPROXY looks promising.

Squeeze should have xt_TPROXY.ko, which was added for 2.6.28.

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Bas van Sisseren]

On 16/07/10 21:18, Jan Engelhardt wrote:
> On Friday 2010-07-16 17:14, Bas van Sisseren wrote:
>>>>
>>>> OK, so basically you just want to rewrite the port number. An easier
>>>> way to do this without iterating through all addresses would be to
>>>> change userspace and the kernel so you can create REDIRECT rules
>>>> without the IP_NAT_RANGE_MAP_IPS flag. That won't work for forwarded
>>>> packets, but its the simplest solution for the case you describe.
>>>
>>> Isn't TPROXY the right thing here if all you want is changing the port 
>>> of delivery? :-)
>>
>> I could use TPROXY.. But then I still need to patch the kernel. Even Debian
>> unstable kernels do not yet have the ipt_TPROXY module. Besides that,
>> TPROXY looks promising.
> 
> Squeeze should have xt_TPROXY.ko, which was added for 2.6.28.

Hmm, my mistake. Even the backports kernels have TPROXY. I guess I made a
typo when checking the /boot/config-* files.

I will have a look at it, thx! :-)

-- 
Bas van Sisseren <bas@quarantainenet.nl>
Quarantainenet

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Pascal Hambourg]

Bas van Sisseren a écrit :
> 
> The problem is that we can't tell the other end to use the first address on
> the interface. Some systems use the first address, others use the second
> address. When a connection is set up from the remote system to the second
> address, the original REDIRECT redirects the connection to the configured
> port-number on the first address.
> 
> It seems way more logical to me to keep the destination address the same and
> only change the port number if the destination address is locally configured
> on that interface.

Ok, but again, is this really a problem ?

> Assume:
>   eth0 has these addresses:
>     10.1.0.1, netmask 255.255.255.0  (primary address)
>     10.2.0.1, netmask 255.255.255.0
>     10.3.0.1, netmask 255.255.255.0
>     10.4.0.1, netmask 255.255.255.0
> 
>   and redirects from.. say.. port 80 to 8080
> 
>   Connections to 10.1.0.1:80 will be redirected to 10.1.0.1:8080
>   But also all connections to 10.2.0.1:80, 10.3.0.1:80 and
>   10.4.0.1:80 will be redirected to 10.1.0.1:8080
> 
> With the patch, the connection to 10.2.0.1:80 will be redirected to
> 10.2.0.1:8080, 10.3.0.1:80 to 10.3.0.1:8080, etc..

If all you want is to change only the destination port number, you can
use "-j DNAT --to :<newport>" so the destination address won't be
altered. If the box acts as a router and you also want to REDIRECT
packets with a non local address, you can use the addrtype match and
DNAT packets with a local destination address and REDIRECT packets with
a non local destination address.

>>> When redirecting, the destination address is replaced by the first
>>> ip-address on the receiving interface.

By the way, I wonder what happens if the interface has no IP address
(unnumbered).
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Pascal Hambourg]

Hello,

Bas van Sisseren a écrit :
> 
> When redirecting, the destination address is replaced by the first
> ip-address on the receiving interface.

As described in the iptables manpage.

> If the packet originally was sent to the second ip-address (or third,
> fourth, etc..), this patch doesn't change the destination ip.

Is this patch in reaction to the recent thread "iptables not forwarding
port 443" in the netfilter user list from someone who stumbled into this
issue ?

My thoughts :
1) The iptables manpage would need to be updated accordingly.

2) I wonder whether it is really useful. The purpose of REDIRECT is to
make sure a packet is redirected to the local machine itself without the
need to care about the machine's address (just as MASQUERADE). If you
don't want to change the destination address or need finer control over
it, I believe DNAT can be used instead. Can you provide a use case ?

3) Why restrict only to the addresses attached to the receiving
interface ? Why not extend to any address attached to a host's
interface, or even any local address (such as the whole 127.0.0.0/8
prefix) ?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Bas van Sisseren]

Hello Pascal,

On 16/07/10 14:42, Pascal Hambourg wrote:
> Bas van Sisseren a écrit :
>>
>> When redirecting, the destination address is replaced by the first
>> ip-address on the receiving interface.
> 
> As described in the iptables manpage.
> 
>> If the packet originally was sent to the second ip-address (or third,
>> fourth, etc..), this patch doesn't change the destination ip.
> 
> Is this patch in reaction to the recent thread "iptables not forwarding
> port 443" in the netfilter user list from someone who stumbled into this
> issue ?

I didn't read that thread. Although this patch would probably solve that issue.


> My thoughts :
> 1) The iptables manpage would need to be updated accordingly.
> 
> 2) I wonder whether it is really useful. The purpose of REDIRECT is to
> make sure a packet is redirected to the local machine itself without the
> need to care about the machine's address (just as MASQUERADE). If you
> don't want to change the destination address or need finer control over
> it, I believe DNAT can be used instead. Can you provide a use case ?

It's a honeypot system with advanced routing and a lot of ip-addresses. The
honeypot is running as non-root, which complicates usage of ports < 1024.
The REDIRECT rule helps us to redirect the connection to higher
port-numbers. With REDIRECT, we can request the original dst ip:port with
the SO_ORIG_DST sockopt. With DNAT the SO_ORIG_DST is not available.

Besides that, we have to run some services on multiple port-numbers
(sometimes even varying per ip-address). Using only one listening socket
instead of 1000 sockets really helps then.

We can redirect all those connections to the interface's first address. In
fact, this is what we do now. But now and then it is confusing (e.g when
building ip-range check rules in the filter INPUT chain), and we also seem
to trigger routing problems (might be in combination with advanced routing).



> 3) Why restrict only to the addresses attached to the receiving
> interface ? Why not extend to any address attached to a host's
> interface, or even any local address (such as the whole 127.0.0.0/8
> prefix) ?

I don't see any use for that. :-)


-- 
Bas van Sisseren <bas@quarantainenet.nl>
Quarantainenet
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Pascal Hambourg]

Bas van Sisseren a écrit :
> 
> On 16/07/10 14:42, Pascal Hambourg wrote:
>>
>> 2) I wonder whether it is really useful. The purpose of REDIRECT is to
>> make sure a packet is redirected to the local machine itself without the
>> need to care about the machine's address (just as MASQUERADE). If you
>> don't want to change the destination address or need finer control over
>> it, I believe DNAT can be used instead. Can you provide a use case ?
> 
> It's a honeypot system with advanced routing and a lot of ip-addresses. The
> honeypot is running as non-root, which complicates usage of ports < 1024.
> The REDIRECT rule helps us to redirect the connection to higher
> port-numbers. With REDIRECT, we can request the original dst ip:port with
> the SO_ORIG_DST sockopt. With DNAT the SO_ORIG_DST is not available.

Do you mean SO_ORIGINAL_DST ? I'm surprised it does not work with DNAT.
AFAICS, it uses data from the connection tracking, and it does not
matter how the NAT mapping was created.

>> 3) Why restrict only to the addresses attached to the receiving
>> interface ? Why not extend to any address attached to a host's
>> interface, or even any local address (such as the whole 127.0.0.0/8
>> prefix) ?
> 
> I don't see any use for that. :-)

Well, I think it would be more consistent with the Linux "weak" host
model (all local addresses belong globally to the host instead of a
single interface) ; we want to redirect a packet to the local host, so
if the original destination address is already a local address, we don't
need to change it.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] ipt_REDIRECT: only change dest-ip if not local ip

[Bas van Sisseren]

On 16/07/10 17:04, Pascal Hambourg wrote:
> Bas van Sisseren a écrit :
>>
>> On 16/07/10 14:42, Pascal Hambourg wrote:
>>>
>>> 2) I wonder whether it is really useful. The purpose of REDIRECT is to
>>> make sure a packet is redirected to the local machine itself without the
>>> need to care about the machine's address (just as MASQUERADE). If you
>>> don't want to change the destination address or need finer control over
>>> it, I believe DNAT can be used instead. Can you provide a use case ?
>>
>> It's a honeypot system with advanced routing and a lot of ip-addresses. The
>> honeypot is running as non-root, which complicates usage of ports < 1024.
>> The REDIRECT rule helps us to redirect the connection to higher
>> port-numbers. With REDIRECT, we can request the original dst ip:port with
>> the SO_ORIG_DST sockopt. With DNAT the SO_ORIG_DST is not available.
> 
> Do you mean SO_ORIGINAL_DST ? I'm surprised it does not work with DNAT.
> AFAICS, it uses data from the connection tracking, and it does not
> matter how the NAT mapping was created.

Yes, that's the one. I have to admit I did these experiments before the
netfilter module shuffle (somewhere around the 2.6.18 kernel). I'll have
another look at it.


>>> 3) Why restrict only to the addresses attached to the receiving
>>> interface ? Why not extend to any address attached to a host's
>>> interface, or even any local address (such as the whole 127.0.0.0/8
>>> prefix) ?
>>
>> I don't see any use for that. :-)
> 
> Well, I think it would be more consistent with the Linux "weak" host
> model (all local addresses belong globally to the host instead of a
> single interface) ; we want to redirect a packet to the local host, so
> if the original destination address is already a local address, we don't
> need to change it.

Ah, you've got a point there.


-- 
Bas van Sisseren <bas@quarantainenet.nl>
Quarantainenet
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html