* [HELP] why the string match does not work in nat tables?
From: JeHo Park @ 2011-01-31 1:53 UTC
To: netfilter, netfilter-devel

Hi there,

I have been trying to apply the string match or the external wurlmatch to my NAT environment, but the matches were not valid in NAT or tproxy. So I tried to verify the TCP payload with debugging code in the string match during runtime, and then I found there is no TCP data in the skbuff. The string match works well in the filter table, but it does not work in NAT. I want to know why the string match does not work in NAT. If you know the reason, please let me know.

I used the following iptables rule:

# iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string "goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80

10.10.10.125 is the IP address of my Linux router, and there is an HTTP proxy server there.
* Re: [HELP] why the string match does not work in nat tables?
From: Jan Engelhardt @ 2011-01-31 2:09 UTC
To: JeHo Park; +Cc: netfilter, netfilter-devel

On Monday 2011-01-31 02:53, JeHo Park wrote:
>
> the string match works well in filter table, but it does not work in NAT.

Oh it _does_ work in nat. But given that the nat table is an abstract configuration database rather than a filter, not all packets do a lookup.

> i used following iptables rules
> # iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
> "goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80
* Re: [HELP] why the string match does not work in nat tables?
From: JeHo Park @ 2011-01-31 2:47 UTC
To: Jan Engelhardt; +Cc: netfilter, netfilter-devel

Hello Jan,

I see, I made a mistake. Ccs... :-)
Anyway, I wonder why there is no TCP payload in the skb of the string or wurl match.

On Mon, Jan 31, 2011 at 11:38 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> *sigh* don't strip the Ccs
>
> On Monday 2011-01-31 03:24, JeHo Park wrote:
>> On Mon, Jan 31, 2011 at 11:09 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>>> On Monday 2011-01-31 02:53, JeHo Park wrote:
>>>>
>>>> the string match works well in filter table, but it does not work in NAT.
>>>
>>> Oh it _does_ work in nat.
>>>
>>> But given that the nat table is an abstract configuration database
>>> rather than a filter, not all packets do a lookup.
>>
>> but i found in runtime with debugging code, there is no TCP data but
>> only TCP header in the skbuff of string match.
>
> Good, then this issue is resolved.
>
>
>>>> i used following iptables rules
>>>> # iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
>>>> "goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [HELP] why the string match does not work in nat tables?
From: Jan Engelhardt @ 2011-01-31 2:51 UTC
To: JeHo Park; +Cc: netfilter, netfilter-devel

On Monday 2011-01-31 03:47, JeHo Park wrote:

(Might as well avoid top posting?)

> hello jan
> i see, i took mistake. Ccs.. :-)
> anyway, i wonder why there is no TCP payload in the skb of the string
> or wurl match.

Because TCP packets are allowed to have no payload.

> On Mon, Jan 31, 2011 at 11:38 AM, Jan Engelhardt wrote:
>> *sigh* don't strip the Ccs
>> [...]
* Re: [HELP] why the string match does not work in nat tables?
From: JeHo Park @ 2011-01-31 2:59 UTC
To: netfilter, netfilter-devel

Hello Jan,

On Mon, Jan 31, 2011 at 11:51 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Monday 2011-01-31 03:47, JeHo Park wrote:
>
> (Might as well avoid top posting?)
>
>> hello jan
>> i see, i took mistake. Ccs.. :-)
>> anyway, i wonder why there is no TCP payload in the skb of the string
>> or wurl match.
>
> Because TCP packets are allowed to have no payload.
>

Is there any way to make the TCP packets have payload? Is it possible with only configuration, or does it need some modification of the source code?

> [...]
* netfilter - u32 module
From: Sridhar Kumar @ 2011-01-31 3:34 UTC
To: netfilter, netfilter-devel

Hi,

I am building a kernel, version 2.6.27, for a MIPS processor. I need the U32 module included in netfilter.

In the downloaded kernel source I did not see the files "xt_u32.c" etc. Please let me know where I can find the source code for the netfilter modules.
* Re: netfilter - u32 module
From: Pablo Neira Ayuso @ 2011-01-31 9:36 UTC
To: Sridhar Kumar; +Cc: netfilter, netfilter-devel

On 31/01/11 04:34, Sridhar Kumar wrote:
>
> Hi,
>
> I am building a kernel, version 2.6.27 for a MIPS processor.
> I need module U32 included in netfilter.
>
> In the downloaded kernel source I did not see the files "xt_u32.c" etc.
> Pls let me know where can I find the source code for netfilter modules.

Update your Linux kernel.

Please, don't cross post. This question is user related; it should go to netfilter@vger.kernel.org, not to netfilter-devel, since it's not a bugfix, bug report or contribution.
* Re: [HELP] why the string match does not work in nat tables?
From: Pablo Neira Ayuso @ 2011-01-31 9:35 UTC
To: JeHo Park; +Cc: Jan Engelhardt, netfilter, netfilter-devel

On 31/01/11 03:47, JeHo Park wrote:
> hello jan
> i see, i took mistake. Ccs.. :-)
> anyway, i wonder why there is no TCP payload in the skb of the string
> or wurl match.

Because you only see the first packet of the flow in the NAT table.

You should use the string match in the filter or raw tables.
* Re: [HELP] why the string match does not work in nat tables?
From: Pascal Hambourg @ 2011-01-31 10:33 UTC
To: netfilter, netfilter-devel

Hello,

Pablo Neira Ayuso wrote:
> On 31/01/11 03:47, JeHo Park wrote:
>> anyway, i wonder why there is no TCP payload in the skb of the string
>> or wurl match.
>
> Because you only see the first packet of the flow in the NAT table.

And the first packet of a TCP connection usually carries no data. If what you want to achieve is to NAT a TCP connection based on the payload, I am afraid this is not possible, because the definitive NAT mapping is defined from the first packet only.
* Re: [HELP] why the string match does not work in nat tables?
From: JeHo Park @ 2011-01-31 11:17 UTC
To: Pascal Hambourg; +Cc: netfilter, netfilter-devel, wp

Thanks Pablo, Pascal.

I just want the clients who try to connect to any specified site to be redirected to my HTTP proxy server. But judging from your answers, it seems impossible to filter those client packets in the NAT table. Anyway, thanks.

On Mon, Jan 31, 2011 at 7:33 PM, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Pablo Neira Ayuso wrote:
>> On 31/01/11 03:47, JeHo Park wrote:
>>> anyway, i wonder why there is no TCP payload in the skb of the string
>>> or wurl match.
>>
>> Because you only see the first packet of the flow in the NAT table.
>
> And the first packet of a TCP connection usually carries no data.
> If you what you want to achieve is NAT a TCP connection based on the
> payload, I am afraid this is not possible because the definitive NAT
> mapping is defined from the first packet only.
* Re: [HELP] why the string match does not work in nat tables?
From: JeHo Park @ 2011-02-01 1:50 UTC
To: Pablo Neira Ayuso; +Cc: Jan Engelhardt, netfilter, netfilter-devel, wp

Hello Pablo,

I have two more questions.

On Mon, Jan 31, 2011 at 6:35 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On 31/01/11 03:47, JeHo Park wrote:
>> hello jan
>> i see, i took mistake. Ccs.. :-)
>> anyway, i wonder why there is no TCP payload in the skb of the string
>> or wurl match.
>
> Because you only see the first packet of the flow in the NAT table.
>

First, I thought or assumed that what you said above is because the NAT mapping is first started from the L3 IP connection mapping [origin and expect tuples...] and from the TCP helper [for TCP port information, etc.], but it is not based on TCP contents. So you said it is not possible to redirect such a connection. Is that right?

> You should use the string match in the filter or raw tables.
>

And second, I think some people might also want such functionality, like what I want to do: redirecting some connections to another server judging from their TCP contents [in this case, the URI information of the HTTP transaction]. I want to know what you think about it.

Thanks in advance.
* Re: [HELP] why the string match does not work in nat tables?
From: Jan Engelhardt @ 2011-02-01 11:51 UTC
To: JeHo Park; +Cc: Pablo Neira Ayuso, netfilter, netfilter-devel, wp

On Tuesday 2011-02-01 02:50, JeHo Park wrote:
>>> anyway, i wonder why there is no TCP payload in the skb of the string
>>> or wurl match.
>>
>> Because you only see the first packet of the flow in the NAT table.
>>
> first, i thought or assumed what you said like above is from the
> reason that NAT mapping is first started from L3 IP connection mapping
> [...] but it is not based on TCP contents.
> so you said it is not possible to rediect such connection.
> is it right?

The simple fact is that there is usually no content in the TCP SYN packet that you could possibly match on.

>> You should use the string match in the filter or raw tables.
>>
>
> and second, i think some people might also want such a functionality
> like what i want to do, redirection some connection to other server
> judging from its TCP contents infomation. [in this case, the URI
> infomation of the HTTP transaction]

That is what proxies like squid are for. See http://l7-filter.sourceforge.net/FAQ#usage for an elaborate answer.
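The point Pablo, Pascal and Jan make above, modelled as an added Python example (not netfilter code and not from any poster in the thread): a toy flow table in which the nat table is consulted only for the first packet of a flow, while the filter table is consulted for every packet. The three-segment client flow and its addresses are constructed; the "goole.com" needle and the proxy address 10.10.10.125:80 are taken from the rule in the first message.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as the string match sees it (headers already parsed)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    payload: bytes = b""


def string_match(seg, needle):
    """Stand-in for '-m string --string <needle>': substring over TCP payload."""
    return needle in seg.payload


def flow_key(seg):
    return (seg.src, seg.sport, seg.dst, seg.dport)


def nat_prerouting(flows, seg, needle, target):
    """nat PREROUTING: the rule is evaluated once, on the first packet of a
    flow (the empty SYN); the mapping decided then is reused afterwards."""
    key = flow_key(seg)
    if key not in flows:                       # conntrack state NEW
        flows[key] = target if string_match(seg, needle) else None
    return flows[key]


def filter_table(seg, needle):
    """filter (or raw) table: every packet is looked up, so the payload is
    visible once the HTTP request segment arrives."""
    return string_match(seg, needle)


# Constructed client flow: SYN, bare ACK, then the HTTP request carrying data.
CLIENT = ("192.0.2.10", 40000, "198.51.100.5", 80)
FLOW = [
    Segment(*CLIENT, syn=True),
    Segment(*CLIENT, syn=False),
    Segment(*CLIENT, syn=False,
            payload=b"GET / HTTP/1.1\r\nHost: www.goole.com\r\n\r\n"),
]


def run(needle=b"goole.com", proxy="10.10.10.125:80"):
    """Return (nat decision, filter verdict) lists, one entry per segment."""
    flows = {}
    nat = [nat_prerouting(flows, s, needle, proxy) for s in FLOW]
    flt = [filter_table(s, needle) for s in FLOW]
    return nat, flt


if __name__ == "__main__":
    print(run())   # ([None, None, None], [False, False, True])
```

The nat decision is fixed at the SYN, which has no payload, so the DNAT never fires even though the later request segment would match in the filter table.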