modify + redirect xtables addon using the same skb

modify + redirect xtables addon using the same skb

[Pratik M.]

Hi,
I am a iptables newbie so pardon if I am missing something basic.

I am trying to write an xtables addon that re-writes certain fields in an
application header and sends the packet to a newer IP. Essentially an
application proxy. The application protocol is UDP based. The packets are
destined a local IP. I need to also change the outbound source IP, when
talking to the new address. I do not need connection tracking. There are
ids in the application header that allow me to determine the eventual
destination.

If I copy the skb, call skb_dst_set and dst_output on the new skb and
return NF_DROP for the old skb, the proxy works.

However If I just change the saddr/daddr of the same skb and call
NF_ACCEPT, the packet does not go out and Udp.NoPorts increments.

I looked at xt_REDIRECT/NETMAP for inspiration to see what other skb fields
need to be set. E.g. dst. However they seem to be using some specific
functionality (nf_nat_setup_info) to do the final processing before the
NF_ACCEPT. I am not sure if I need the connection tracking overhead just to
use that.

This code works:
new_skb = skb_copy(orig_skb...);
<change application fields (fixed offsets)>
<set the src ip to a different interface. set dst ip to a new server>
ip_route_output_key()
skb_dst_set()

This does NOT work:
skb_make_writable()
iph->saddr and daddr modified
return NF_ACCEPT

I am using PREROUTING chain in mangle. I tried using INPUT too, to no avail.

Thanks in advance
Pratik