* Problem sending skb built from scratch with IPv6
From: Pierre Rondou @ 2011-03-22 23:45 UTC (permalink / raw)
To: netfilter-devel
Hi all,

I'm a student at the University of Liege (Belgium) and for my master
thesis, I have to develop a netfilter module implementing NatIvI and Nat64.
Basically, those modules ask to "translate" an IPv4 packet to an IPv6
one (and in the other direction as well); you can find more detailed
information on the IETF website.
For my modules, I use xtables-addons.

I have been able to do every step correctly, but one:
Sending the newly created IPv6 packet to the network.
The modules, as stated by the protocols, need to be able to send packets
with IPs that don't belong to them (i.e., sort of spoofing).
Everything works fine for the newly created IPv4 skb (I can see the
packets in wireshark), you can see the source code at the end.
But for IPv6, the only thing I see is neighbour solicitation messages
(ICMPv6) for both the source IP and the dest IP.
There is only one case when the program works: when the source IP of the
packet is the same as the interface's one.
Even more curious, the two functions I call for my IPv6 sending return 0
(ip6_route_output and ip6_local_out), meaning that they were successful.

So, my question is simple:
"How can I send an IPv6 packet, built from scratch (new skb), to the
network?"

Thanks in advance for your help,
Pierre Rondou

Finally, here is some info you might find useful:

The source code used for the new IPv4 packets (working 100%), it's
copied from the NAT64 module available in GPL:
    newskb->protocol = htons(ETH_P_IP);
    newip = ip_hdr(newskb);
    memset(&fl, 0, sizeof(fl));
    fl.fl4_dst = newip->daddr;
    fl.fl4_tos = RT_TOS(newip->tos);
    fl.proto = newskb->protocol;
    if (ip_route_output_key(&init_net, &rt, &fl))
    {
        printk("error: ip_route_output_key failed\n");
        return NF_DROP;
    }
    if (!rt)
    {
        printk("error: rt null\n");
        return NF_DROP;
    }
    newskb->dev = rt->u.dst.dev;
    skb_dst_set(newskb, (struct dst_entry *)rt);
    if(ip_local_out(newskb)) {
        printk("error: ip_local_out failed\n");
        return NF_DROP;
    }

Here the IPv6 code, NOT WORKING:
    newskb->protocol = htons(ETH_P_IPV6);
    newip = ipv6_hdr(newskb);
    memset(&fl, 0, sizeof(fl));
    fl.fl6_src = newip->saddr;
    fl.fl6_dst = newip->daddr;
    fl.fl6_flowlabel = 0;
    fl.proto = newskb->protocol;
    dst = ip6_route_output(&init_net, NULL, &fl);
    if (!dst)
    {
        printk("error: ip_route_output_key failed\n");
        return NF_DROP;
    }
    skb_dst_set(newskb, dst);
    newskb->dev = dst->dev;
    skb_dst_set(newskb, dst);
    if(ip6_local_out(newskb)) {
        printk("error: ip_local_out failed\n");
        return NF_DROP;
    }
    pr_info("Packet sent \n");
    return NF_DROP;

My network configuration:

    # The primary network interface
    allow-hotplug eth1
    iface eth1 inet static
        address 192.168.1.40
        netmask 255.255.255.0
        gateway 192.168.1.1
    #IPV6 static configuration
    iface eth1 inet6 static
        address 2001:6a8:2d80:128::0001
        netmask 64
        gateway 2001:6a8:2d80:128::0002
    # END IPV6 configuration

route result:

    # route --inet
    Table de routage IP du noyau
    Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
    default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

    # route --inet6
    Table de routage IPv6 du noyau
    Destination                      Next Hop              Flag Met Ref Use If
    2001:6a8:2d80:128::/64           ::                    U    256 0     1 eth1
    fe80::/64                        ::                    U    256 0     0 eth1
    ::/0                             2001:6a8:2d80:128::2  UG   1   0    35 eth1
    ::/0                             ::                    !n   -1  1    61 lo
    ::1/128                          ::                    Un   0   1    80 lo
    2001:6a8:2d80:128::/128          ::                    Un   0   1     0 lo
    2001:6a8:2d80:128::1/128         ::                    Un   0   1    20 lo
    fe80::/128                       ::                    Un   0   1     0 lo
    fe80::20e:a6ff:feb0:e1a2/128     ::                    Un   0   1    14 lo
    ff00::/8                         ::                    U    256 0     0 eth1
    ::/0                             ::                    !n   -1  1    61 lo
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Problem sending skb built from scratch with IPv6
From: Jan Engelhardt @ 2011-03-24 21:16 UTC (permalink / raw)
To: Pierre Rondou; +Cc: netfilter-devel
On Wednesday 2011-03-23 00:45, Pierre Rondou wrote:
> Hi all,
>
>
> I'm a student at the University of Liege (Belgium) and for my master thesis, I
> have to develop a netfilter module implementing NatIvI and Nat64.

Let me just make you aware of preexisting software, such as Ecdysis nat64,
because too often have I encountered students who just reimplemented
everything and then felt like it was for nothing.

>The modules, as stated by the protocols, need to be able to send packets
>with IPs that don't belong to them (i.e., sort of spoofing). Everything
>works fine for the newly created IPv4 skb (I can see the packets in
>wireshark), you can see the source code at the end.
>
>But for IPv6, the only thing I see is neighbour solicitation messages
>(ICMPv6) for both the source IP and the dest IP. There is only one case
>when the program works: when the source IP of the packet is the same as
>the interface's one.

Of course a connected router will do NDISC if the address is directly
reachable according to its routing table.
> The source code used for the new IPv4 packets (working 100%), it's copied from
> the NAT64 module available in GPL:
"The NAT64 module", but which?
> skb_dst_set(newskb, dst);
> newskb->dev = dst->dev;
> skb_dst_set(newskb, dst);
Why set dst twice?
> # route --inet
> Table de routage IP du noyau
> Destination Passerelle Genmask Indic Metric Ref Use Iface
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
For future reference, stick to iproute2.
> # route --inet6
> Table de routage IPv6 du noyau
> Destination Next Hop Flag Met Ref Use If
> 2001:6a8:2d80:128::/64 :: U 256 0 1 eth1
> fe80::/64 :: U 256 0 0 eth1
> ::/0 2001:6a8:2d80:128::2 UG 1 0 35 eth1
> ::/0 :: !n -1 1 61 lo
> ::1/128 :: Un 0 1 80 lo
> 2001:6a8:2d80:128::/128 :: Un 0 1 0 lo
> 2001:6a8:2d80:128::1/128 :: Un 0 1 20 lo
> fe80::/128 :: Un 0 1 0 lo
> fe80::20e:a6ff:feb0:e1a2/128 :: Un 0 1 14 lo
> ff00::/8 :: U 256 0 0 eth1
> ::/0 :: !n -1 1 61 lo
^ permalink raw reply [flat|nested] 3+ messages in thread
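
Added example (not part of either message, and not code from the module under discussion): a simplified userspace model of the NDISC remark above, running a longest-prefix match over the three eth1 unicast routes from the posted "route --inet6" output to show which address the sender has to resolve. The function name ndisc_target and the test destinations are constructed for illustration; metrics, the lo entries and multicast are ignored.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* eth1 unicast routes copied from the "route --inet6" output in the thread. */
struct route6 { const char *prefix; int plen; const char *gw; };
static const struct route6 table[] = {
    { "2001:6a8:2d80:128::", 64, "::" },                   /* connected /64 */
    { "fe80::",              64, "::" },                   /* link-local    */
    { "::",                   0, "2001:6a8:2d80:128::2" }, /* default route */
};

/* Return 1 if the first plen bits of a and b are equal. */
static int prefix_match(const struct in6_addr *a, const struct in6_addr *b, int plen)
{
    int full = plen / 8, rest = plen % 8;
    unsigned char mask = (unsigned char)(0xff << (8 - rest));
    if (memcmp(a->s6_addr, b->s6_addr, full) != 0)
        return 0;
    return rest == 0 || (a->s6_addr[full] & mask) == (b->s6_addr[full] & mask);
}

/* Longest-prefix match for dst; writes the address that must be resolved with
 * NDISC into out. Returns 1 if dst is on-link, 0 if routed via a gateway,
 * -1 if dst does not parse. ::/0 matches everything, so a route always exists. */
int ndisc_target(const char *dst, char *out, size_t outlen)
{
    struct in6_addr d, p;
    const struct route6 *best = NULL;
    if (inet_pton(AF_INET6, dst, &d) != 1)
        return -1;
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
        inet_pton(AF_INET6, table[i].prefix, &p);
        if (prefix_match(&d, &p, table[i].plen) &&
            (!best || table[i].plen > best->plen))
            best = &table[i];
    }
    int onlink = strcmp(best->gw, "::") == 0;  /* no gateway: resolve dst itself */
    snprintf(out, outlen, "%s", onlink ? dst : best->gw);
    return onlink;
}

int main(void)
{
    /* Constructed destinations: one inside the connected /64, one outside. */
    const char *dsts[] = { "2001:6a8:2d80:128::99", "2001:db8::1" };
    char t[INET6_ADDRSTRLEN];
    for (int i = 0; i < 2; i++) {
        int onlink = ndisc_target(dsts[i], t, sizeof(t));
        printf("%s: on-link=%d, NDISC for %s\n", dsts[i], onlink, t);
    }
    return 0;
}
```

A destination inside 2001:6a8:2d80:128::/64 is solicited directly on eth1; anything else resolves the gateway 2001:6a8:2d80:128::2 instead.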
* Re: Problem sending skb built from scratch with IPv6
From: Pierre Rondou @ 2011-04-18 15:05 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: netfilter-devel
Long time since my previous mail; I've been looking into other issues.
The problem solved itself by upgrading to debian squeeze (I previously
was on a testing version between Lenny and squeeze).
Thanks anyway :-)
On 24/03/11 22:16, Jan Engelhardt wrote:
> On Wednesday 2011-03-23 00:45, Pierre Rondou wrote:
>
>
>> Hi all,
>>
>>
>> I'm a student at the University of Liege (Belgium) and for my master thesis, I
>> have to develop a netfilter module implementing NatIvI and Nat64.
>>
> Let me just make you aware of preexisting software, such as Ecdysis nat64,
> because too often have I encountered students who just reimplemented
> everything and then felt like it was for nothing.
>
>
>> The modules, as stated by the protocols, need to be able to send packets
>> with IPs that don't belong to them (i.e., sort of spoofing). Everything
>> works fine for the newly created IPv4 skb (I can see the packets in
>> wireshark), you can see the source code at the end.
>>
>> But for IPv6, the only thing I see is neighbour solicitation messages
>> (ICMPv6) for both the source IP and the dest IP. There is only one case
>> when the program works: when the source IP of the packet is the same as
>> the interface's one.
>>
> Of course a connected router will do NDISC if the address is directly
> reachable according to its routing table.
>
>
>
>> The source code used for the new IPv4 packets (working 100%), it's copied from
>> the NAT64 module available in GPL:
>>
> "The NAT64 module", but which?
>
>
>> skb_dst_set(newskb, dst);
>> newskb->dev = dst->dev;
>> skb_dst_set(newskb, dst);
>>
> Why set dst twice?
>
>
>> # route --inet
>> Table de routage IP du noyau
>> Destination Passerelle Genmask Indic Metric Ref Use Iface
>> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
>> default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
>>
> For future reference, stick to iproute2.
>
>
>> # route --inet6
>> Table de routage IPv6 du noyau
>> Destination Next Hop Flag Met Ref Use If
>> 2001:6a8:2d80:128::/64 :: U 256 0 1 eth1
>> fe80::/64 :: U 256 0 0 eth1
>> ::/0 2001:6a8:2d80:128::2 UG 1 0 35 eth1
>> ::/0 :: !n -1 1 61 lo
>> ::1/128 :: Un 0 1 80 lo
>> 2001:6a8:2d80:128::/128 :: Un 0 1 0 lo
>> 2001:6a8:2d80:128::1/128 :: Un 0 1 20 lo
>> fe80::/128 :: Un 0 1 0 lo
>> fe80::20e:a6ff:feb0:e1a2/128 :: Un 0 1 14 lo
>> ff00::/8 :: U 256 0 0 eth1
>> ::/0 :: !n -1 1 61 lo
>>