[HELP] why the string match does not work in nat tables?

[HELP] why the string match does not work in nat tables?

[JeHo Park]

hi there

i have been trying to apply the string match or external wurlmatch to
my NAT environment.
but the matches was not valid in NAT or tproxy
so i tried to verify TCP payload with debugging code in the string
match during runtime, and then i found there is no TCP data in skbuff

the string match works well in filter table, but it does not work in NAT.
i want to know why the string match does not work in NAT.
if you know that reason, please let me know


i used following iptables rules
#  iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
"goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80

10.10.10.125 is IP address of my linux router and there is HTTP proxy server

Re: [HELP] why the string match does not work in nat tables?

[Jan Engelhardt]

On Monday 2011-01-31 02:53, JeHo Park wrote:
>
>the string match works well in filter table, but it does not work in NAT.

Oh it _does_ work in nat.

But given that the nat table is an abstract configuration database
rather than a filter, not all packets do a lookup.

>i used following iptables rules
>#  iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
>"goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80

Re: [HELP] why the string match does not work in nat tables?

[JeHo Park]

hello jan
i see, i took mistake. Ccs.. :-)
anyway, i wonder why there is no TCP payload in the skb of the string
or wurl match.


On Mon, Jan 31, 2011 at 11:38 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> *sigh* don't strip the Ccs
>
> On Monday 2011-01-31 03:24, JeHo Park wrote:
>>On Mon, Jan 31, 2011 at 11:09 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
>>> On Monday 2011-01-31 02:53, JeHo Park wrote:
>>>>
>>>>the string match works well in filter table, but it does not work in NAT.
>>>
>>> Oh it _does_ work in nat.
>>>
>>> But given that the nat table is an abstract configuration database
>>> rather than a filter, not all packets do a lookup.
>>
>>but i found in runtime with debugging code, there is no TCP data but
>>only TCP header in the skbuff of string match.
>
> Good, then this issue is resolved.
>
>
>>>>i used following iptables rules
>>>>#  iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
>>>>"goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [HELP] why the string match does not work in nat tables?

[Jan Engelhardt]

On Monday 2011-01-31 03:47, JeHo Park wrote:

(Might as well avoid top posting?)

>hello jan
>i see, i took mistake. Ccs.. :-)
>anyway, i wonder why there is no TCP payload in the skb of the string
>or wurl match.

Because TCP packets are allowed to have no payload.


>On Mon, Jan 31, 2011 at 11:38 AM, Jan Engelhardt  wrote:
>> *sigh* don't strip the Ccs
>>
>> On Monday 2011-01-31 03:24, JeHo Park wrote:
>>>On Mon, Jan 31, 2011 at 11:09 AM, Jan Engelhardt  wrote:
>>>> On Monday 2011-01-31 02:53, JeHo Park wrote:
>>>>>
>>>>>the string match works well in filter table, but it does not work in NAT.
>>>>
>>>> Oh it _does_ work in nat.
>>>>
>>>> But given that the nat table is an abstract configuration database
>>>> rather than a filter, not all packets do a lookup.
>>>
>>>but i found in runtime with debugging code, there is no TCP data but
>>>only TCP header in the skbuff of string match.
>>
>> Good, then this issue is resolved.
>>
>>
>>>>>i used following iptables rules
>>>>>#  iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
>>>>>"goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80
>>
>>
>

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [HELP] why the string match does not work in nat tables?

[JeHo Park]

hello jan ~

On Mon, Jan 31, 2011 at 11:51 AM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Monday 2011-01-31 03:47, JeHo Park wrote:
>
> (Might as well avoid top posting?)
>
>>hello jan
>>i see, i took mistake. Ccs.. :-)
>>anyway, i wonder why there is no TCP payload in the skb of the string
>>or wurl match.
>
> Because TCP packets are allowed to have no payload.
>

is there any way to make TCP packets have payload ?
does it possible with only configuration ? or need some modification
of the source code ?

>
>>On Mon, Jan 31, 2011 at 11:38 AM, Jan Engelhardt  wrote:
>>> *sigh* don't strip the Ccs
>>>
>>> On Monday 2011-01-31 03:24, JeHo Park wrote:
>>>>On Mon, Jan 31, 2011 at 11:09 AM, Jan Engelhardt  wrote:
>>>>> On Monday 2011-01-31 02:53, JeHo Park wrote:
>>>>>>
>>>>>>the string match works well in filter table, but it does not work in NAT.
>>>>>
>>>>> Oh it _does_ work in nat.
>>>>>
>>>>> But given that the nat table is an abstract configuration database
>>>>> rather than a filter, not all packets do a lookup.
>>>>
>>>>but i found in runtime with debugging code, there is no TCP data but
>>>>only TCP header in the skbuff of string match.
>>>
>>> Good, then this issue is resolved.
>>>
>>>
>>>>>>i used following iptables rules
>>>>>>#  iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
>>>>>>"goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80
>>>
>>>
>>
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

netfilter - u32 module

[Sridhar Kumar]

Hi,

I am building a kernel, version 2.6.27 for a MIPS processor.
I need module U32 included in netfilter.

In the downloaded kernel source I did not see the files "xt_u32.c" etc.
Pls let me know where can I find the source code for netfilter modules.


 

Re: [HELP] why the string match does not work in nat tables?

[Pablo Neira Ayuso]

On 31/01/11 03:47, JeHo Park wrote:
> hello jan
> i see, i took mistake. Ccs.. :-)
> anyway, i wonder why there is no TCP payload in the skb of the string
> or wurl match.

Because you only see the first packet of the flow in the NAT table.

You should use the string match in the filter or raw tables.

Re: netfilter - u32 module

[Pablo Neira Ayuso]

On 31/01/11 04:34, Sridhar Kumar wrote:
> 
> Hi,
> 
> I am building a kernel, version 2.6.27 for a MIPS processor.
> I need module U32 included in netfilter.
> 
> In the downloaded kernel source I did not see the files "xt_u32.c" etc.
> Pls let me know where can I find the source code for netfilter modules.

Update your Linux kernel.

Please, don't cross post. This question is user related, it should go to
netfilter@vger.kernel.org, not to netfilter-devel since it's not a
bugfix, bug report or contribution.

Re: [HELP] why the string match does not work in nat tables?

[Pascal Hambourg]

Hello,

Pablo Neira Ayuso a écrit :
> On 31/01/11 03:47, JeHo Park wrote:
>> anyway, i wonder why there is no TCP payload in the skb of the string
>> or wurl match.
> 
> Because you only see the first packet of the flow in the NAT table.

And the first packet of a TCP connection usually carries no data.
If you what you want to achieve is NAT a TCP connection based on the
payload, I am afraid this is not possible because the definitive NAT
mapping is defined from the first packet only.

Re: [HELP] why the string match does not work in nat tables?

[JeHo Park]

thanks pablo, pascal

i just want the client who try to connect any specified site  to
redirect my HTTP proxy server.
but judging from your answers, it seems impossible to filter that
client packets in the NAT table.
anyway thanks


On Mon, Jan 31, 2011 at 7:33 PM, Pascal Hambourg
<pascal.mail@plouf.fr.eu.org> wrote:
> Hello,
>
> Pablo Neira Ayuso a écrit :
>> On 31/01/11 03:47, JeHo Park wrote:
>>> anyway, i wonder why there is no TCP payload in the skb of the string
>>> or wurl match.
>>
>> Because you only see the first packet of the flow in the NAT table.
>
> And the first packet of a TCP connection usually carries no data.
> If you what you want to achieve is NAT a TCP connection based on the
> payload, I am afraid this is not possible because the definitive NAT
> mapping is defined from the first packet only.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [HELP] why the string match does not work in nat tables?

[JeHo Park]

hello Pablo

i have two more questions

On Mon, Jan 31, 2011 at 6:35 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On 31/01/11 03:47, JeHo Park wrote:
>> hello jan
>> i see, i took mistake. Ccs.. :-)
>> anyway, i wonder why there is no TCP payload in the skb of the string
>> or wurl match.
>
> Because you only see the first packet of the flow in the NAT table.
>
first, i thought or assumed what you said like above is from the
reason that NAT mapping is first started from L3 IP connection mapping
[origin and expect tuples..] and from TCP helper [for TCP port
infomation ..etc] but it is not based on TCP contents.
so you said it is not possible to rediect such connection.
is it right?

> You should use the string match in the filter or raw tables.
>

and second,
i think some people might also want such a functionality like what i
want to do,
redirection some connection to other server judging from its TCP
contents infomation.
[in this case, the URI  infomation of the HTTP transaction]
i want to know how you think about ..

previously thanks ~

Re: [HELP] why the string match does not work in nat tables?

[Jan Engelhardt]

On Tuesday 2011-02-01 02:50, JeHo Park wrote:
>>> anyway, i wonder why there is no TCP payload in the skb of the string
>>> or wurl match.
>>
>> Because you only see the first packet of the flow in the NAT table.
>>
>first, i thought or assumed what you said like above is from the
>reason that NAT mapping is first started from L3 IP connection mapping
>[...] but it is not based on TCP contents.
>so you said it is not possible to rediect such connection.
>is it right?

The simple fact is that there is usually no content in the
TCP SYN packet that you could possibly match on.

>> You should use the string match in the filter or raw tables.
>>
>
>and second, i think some people might also want such a functionality
>like what i want to do, redirection some connection to other server
>judging from its TCP contents infomation. [in this case, the URI
>infomation of the HTTP transaction]

That is what proxies like squid are for.

See http://l7-filter.sourceforge.net/FAQ#usage for an elaborate
answer.