* A general question about IP fragmented packets and netfilter
From: Giacomo @ 2009-07-23 6:40 UTC
To: netfilter-devel
Good morning to all.

I would like to ask you some points concerning IP fragmented packets arriving on an interface and the way they are handled by the netfilter modules, in particular what the situation is in the netfilter hooks.

Starting from NF_IP_PRE_ROUTING, where destination NAT and de-masquerading take place, do the packets arrive fragmented - and netfilter takes care of the fragments - or do they arrive already reassembled from the IP stack?

In the first case, what is, generally speaking, the technique adopted to track fragmented IP packets and assign each of them to the correct flow?

In the second case, if I register with the netfilter NF_IP_PRE_ROUTING hook, which is the correct "priority" to assign during registration to receive packets already reassembled?

Thanks in advance.
Giacomo
--
Giacomo S.
http://www.giacomos.it
- - - - - - - - - - - - - - - - - - - - - -
* April 2008: iqfire-wall, an open source project
that implements a network packet filter for Linux,
is available for download here:
http://sourceforge.net/projects/ipfire-wall
* Information and official web page:
http://www.giacomos.it/iqfire/index.html
- - - - - - - - - - - - - - - - - - - - - -
Debian GNU/Linux -- The power of freedom
http://www.debian.org
* Re: A general question about IP fragmented packets and netfilter
From: Jan Engelhardt @ 2009-07-23 9:01 UTC
To: Giacomo; +Cc: netfilter-devel
On Thursday 2009-07-23 08:40, Giacomo wrote:
>
>Starting from NF_IP_PRE_ROUTING, where destination NAT and
>de-masquerading takes place, do the packets arrive fragmented - and
>netfilter takes care of the fragments - or do they arrive already
>reassembled from the IP stack?
>
>In the first case, what is, generally speaking, the technique
>adopted to track fragmented IP packets and assign each of them to
>the correct flow?
Connection tracking does not care about packets or their fragment
bits per se.
Because it reads out the layer-4 header (TCP/etc.) however,
it defragments packets for simplicity.
>In the second case, if I register with netfilter NF_IP_PRE_ROUTING
>hook, which is the correct "priority"
>to assign during registration to receive packets already reassembled?
Before NF_IP_PRI_CONNTRACK_DEFRAG.
* Re: A general question about IP fragmented packets and netfilter
From: Jan Engelhardt @ 2009-07-23 9:49 UTC
To: Netfilter Developer Mailing List; +Cc: jengelh
Don't strip the ml
---------- Forwarded message ----------
> On Thursday 2009-07-23 08:40, Giacomo wrote:
>>
>>Starting from NF_IP_PRE_ROUTING, where destination NAT and
>>de-masquerading takes place, do the packets arrive fragmented - and
>>netfilter takes care of the fragments - or do they arrive already
>>reassembled from the IP stack?
>>
>>In the first case, what is, generally speaking, the technique
>>adopted to track fragmented IP packets and assign each of them to
>>the correct flow?
>
> Connection tracking does not care about packets or their fragment
> bits per se.
Yes, but suppose a fragmented IP packet hits the NF_IP_PRE_ROUTING hook and has to be destination NATed (for instance because it is part of a masqueraded stream). Such a packet, without a TCP header, must be recognized as part of the masqueraded stream, and it has only an IP header, with `More Fragments' set, and some data. How is it associated to the masqueraded flow if the packet is not reassembled? That is, how is it destination-NATed?
>
> Because it reads out the layer-4 header (TCP/etc.) however,
> it defragments packets for simplicity.
>
>>In the second case, if I register with netfilter NF_IP_PRE_ROUTING
>>hook, which is the correct "priority"
>>to assign during registration to receive packets already reassembled?
>
> Before NF_IP_PRI_CONNTRACK_DEFRAG.
Do you mean that before NF_IP_PRI_CONNTRACK_DEFRAG, i.e. NF_IP_PRI_FIRST, in the NF_IP_PRE_ROUTING hook, packets arrive reassembled, that is, there are no IP packets with 'More Fragments' set to true?
Thanks a lot, very kind of you.
Giacomo
* Re: A general question about IP fragmented packets and netfilter
From: Jan Engelhardt @ 2009-07-23 9:51 UTC
To: Giacomo; +Cc: Netfilter Developer Mailing List
>Don't strip the ml
>
>---------- Forwarded message ----------
>> On Thursday 2009-07-23 08:40, Giacomo wrote:
>>>
>>>Starting from NF_IP_PRE_ROUTING, where destination NAT and
>>>de-masquerading takes place, do the packets arrive fragmented - and
>>>netfilter takes care of the fragments - or do they arrive already
>>>reassembled from the IP stack?
>>>
>>>In the first case, what is, generally speaking, the technique
>>>adopted to track fragmented IP packets and assign each of them to
>>>the correct flow?
>>
>> Connection tracking does not care about packets or their fragment
>> bits per se.
>
>Yes but suppose a fragmented ip protocol hits the NF_IP_PRE_ROUTING hook and
>there has to be destination Natted (for instance because being part of
>a Masqueraded
>stream). Such a packet, without a TCP header, must be recognized as part of the
>masqueraded stream, and it has only an IP header, with `More
>Fragments' set and some
>data. How is it associated to the masqueraded flow if the packet is
>not reassembled?
It would not be. Hence the defragmenter is mandatory.
>That is, how is it destination-NATTED?
Once it is defragmented, NAT can take place.
>> Because it reads out the layer-4 header (TCP/etc.) however,
>> it defragments packets for simplicity.
>>
>>>In the second case, if I register with netfilter NF_IP_PRE_ROUTING
>>>hook, which is the correct "priority"
>>>to assign during registration to receive packets already reassembled?
>>
>> Before NF_IP_PRI_CONNTRACK_DEFRAG.
>
>Do you mean that before NF_IP_PRI_CONNTRACK_DEFRAG, i.e. NF_IP_PRI_FIRST,
Before NF_IP_PRI_CONNTRACK_DEFRAG, fragments will be visible.
>in the NF_IP_PRE_ROUTING hook, packets arrive reassembled, that is there are no
>IP packets with 'More Fragments' set to true?
>
>Thanks a lot, very kind of you.
>
>Giacomo
>
>
>
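An added example, not code from this thread or from netfilter, showing what Jan's "it would not be" rests on: only the offset-0 fragment carries the TCP/UDP header with the ports a 5-tuple flow lookup needs, so a later fragment (IP header plus data only) cannot be matched to the masqueraded stream until the defragmenter has reassembled the datagram. It is a userspace C parser over two constructed fragments of one UDP datagram; the struct and function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
/* What a flow (conntrack/NAT) lookup can read from a single IPv4 packet. */
struct frag_info {
    uint16_t id;              /* identification: shared by all fragments of a datagram */
    uint16_t offset;          /* fragment offset in bytes; 0 for the first fragment */
    int more_fragments;       /* the MF flag, the thread's `More Fragments' bit */
    int has_l4_ports;         /* 1 only when the TCP/UDP header is actually present */
    uint16_t sport, dport;
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Parse the IPv4 header and, for the offset-0 fragment of a TCP/UDP datagram,
 * the ports. Returns 0 on success, -1 on a truncated or non-IPv4 header. */
int parse_fragment(const uint8_t *pkt, size_t len, struct frag_info *fi) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return -1;
    uint16_t flags_off = be16(pkt + 6);
    fi->id = be16(pkt + 4);
    fi->more_fragments = (flags_off & 0x2000) != 0;
    fi->offset = (uint16_t)((flags_off & 0x1fff) * 8);
    fi->has_l4_ports = 0;
    fi->sport = fi->dport = 0;
    /* Ports sit in the L4 header, which only the offset-0 fragment carries;
     * a later fragment has just an IP header plus data, as the thread says. */
    if (fi->offset == 0 && (pkt[9] == 6 || pkt[9] == 17) && len >= ihl + 4) {
        fi->sport = be16(pkt + ihl);
        fi->dport = be16(pkt + ihl + 2);
        fi->has_l4_ports = 1;
    }
    return 0;
}
/* 1 if the packet can be matched to a 5-tuple flow as-is, 0 if it must be
 * reassembled first (which is why conntrack runs the defragmenter before NAT). */
int flow_lookup_possible(const uint8_t *pkt, size_t len) {
    struct frag_info fi;
    return parse_fragment(pkt, len, &fi) == 0 && fi.has_l4_ports;
}
/* Constructed sample: UDP 192.168.1.2:1234 -> 10.0.0.1:53, id 0x1234, split in
 * two fragments. Checksums are left as zero; nothing here verifies them. */
static const uint8_t FIRST_FRAG[] = {            /* MF=1, offset 0, UDP header only */
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x20,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0x0a,0x00,0x00,0x01, 0x04,0xd2,0x00,0x35, 0x00,0x0c,0x00,0x00 };
static const uint8_t SECOND_FRAG[] = {           /* MF=0, offset 8, data only */
    0x45,0x00,0x00,0x18, 0x12,0x34,0x00,0x01, 0x40,0x11,0x00,0x00,
    0xc0,0xa8,0x01,0x02, 0x0a,0x00,0x00,0x01, 0xde,0xad,0xbe,0xef };
```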
* Re: A general question about IP fragmented packets and netfilter
From: Giacomo @ 2009-07-23 10:15 UTC
To: Jan Engelhardt, netfilter-devel
2009/7/23 Jan Engelhardt <jengelh@medozas.de>:
>
>>Don't strip the ml
Sorry I did not realize!
>>
>>---------- Forwarded message ----------
>>> On Thursday 2009-07-23 08:40, Giacomo wrote:
>>>>
>>>>Starting from NF_IP_PRE_ROUTING, where destination NAT and
>>>>de-masquerading takes place, do the packets arrive fragmented - and
>>>>netfilter takes care of the fragments - or do they arrive already
>>>>reassembled from the IP stack?
>>>>
>>>>In the first case, what is, generally speaking, the technique
>>>>adopted to track fragmented IP packets and assign each of them to
>>>>the correct flow?
>>>
>>> Connection tracking does not care about packets or their fragment
>>> bits per se.
>>
>>Yes but suppose a fragmented ip protocol hits the NF_IP_PRE_ROUTING hook and
>>there has to be destination Natted (for instance because being part of
>>a Masqueraded
>>stream). Such a packet, without a TCP header, must be recognized as part of the
>>masqueraded stream, and it has only an IP header, with `More
>>Fragments' set and some
>>data. How is it associated to the masqueraded flow if the packet is
>>not reassembled?
>
> It would not be. Hence the defragmenter is mandatory.
>
>>That is, how is it destination-NATTED?
>
> Once it is defragmented, NAT can take place.
>
>>> Because it reads out the layer-4 header (TCP/etc.) however,
>>> it defragments packets for simplicity.
>>>
>>>>In the second case, if I register with netfilter NF_IP_PRE_ROUTING
>>>>hook, which is the correct "priority"
>>>>to assign during registration to receive packets already reassembled?
>>>
>>> Before NF_IP_PRI_CONNTRACK_DEFRAG.
>>
>>Do you mean that before NF_IP_PRI_CONNTRACK_DEFRAG, i.e. NF_IP_PRI_FIRST,
>
> Before NF_IP_PRI_CONNTRACK_DEFRAG, fragments will be visible.
Very well. Finally, if I have correctly understood the issue, if I have to de-masquerade a packet or, more generally, destination NAT it, I have two possibilities:
a. use the nf_defrag_ipv4 module and register AFTER NF_IP_PRI_CONNTRACK_DEFRAG, and then dest-NAT,
or
b. register with any priority in the NF_IP_PRE_ROUTING hook, call ip_defrag() and friends defined in linux/ip.h to reassemble packets, and then dest-NAT.
But lastly... is there any `priority' to register with inside NF_IP_PRE_ROUTING to `freely' obtain reassembled packets? Between which hooks/priorities does the IP stack normally reassemble packets? (and fragment them on output?)
Thanks again, and sorry if I have abused your patience.
Giacomo.
>
>>in the NF_IP_PRE_ROUTING hook, packets arrive reassembled, that is there are no
>>IP packets with 'More Fragments' set to true?
>>
>>Thanks a lot, very kind of you.
>>
>>Giacomo
>>
>>
>>
>
>