* Packet duplication
From: Tiaan Wessels @ 2007-10-19 6:19 UTC
To: netfilter

Hi,
Not sure there is any life on this list but in case someone picks me up
on netfilter user SETI here goes:
How do I go about duplicating a UDP packet arriving at a machine.
Essentially I want to have it go to its original recipient but to
another new one also.
-j ROUTE --tee seems not to be supported anymore.
Thanks

* Re: Packet duplication
From: Gáspár Lajos @ 2007-10-19 9:25 UTC
To: Netfilter list

Tiaan Wessels wrote:
> Hi,
> Not sure there is any life on this list but in case someone picks me
> up on netfilter user SETI here goes:

There is life !!! :D

> How do I go about duplicating a UDP packet arriving at a machine.
> Essentially I want to have it go to its original recipient but to
> another new one also.
> -j ROUTE --tee seems not to be supported anymore.

False... It is supported but you need the patch-o-matic(-ng) stuff...

    --tee  Make a copy of the packet, and route that copy to the given
           destination. For the original, uncopied packet, behave like a
           non-terminating target and continue traversing the rules. Not
           valid in combination with `--iif' or `--continue'

> Thanks

Swifty

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-19 9:42 UTC
To: Netfilter list

Gáspár Lajos wrote:
> Tiaan Wessels wrote:
>> Hi,
>> Not sure there is any life on this list but in case someone picks me
>> up on netfilter user SETI here goes:
> There is life !!! :D
>> How do I go about duplicating a UDP packet arriving at a machine.
>> Essentially I want to have it go to its original recipient but to
>> another new one also.
>> -j ROUTE --tee seems not to be supported anymore.
> False... It is supported but you need the patch-o-matic(-ng) stuff...
>
>     --tee  Make a copy of the packet, and route that copy to the
>            given destination. For the original, uncopied packet,
>            behave like a non-terminating target and continue
>            traversing the rules. Not valid in combination with
>            `--iif' or `--continue'
>

Getting this to work for a novice like me seems to be impossible.
Doing a man on my FC5 system shows --tee to be there under the ROUTE
extension and I quote from the man page
'iptables can use extended target modules: the following are included in
the standard distribution'
however using iptables results in

[root@nst2 ~]# /sbin/iptables -A PREROUTING -t mangle -p udp -d 192.168.3.77 --dport 9090 -j ROUTE --tee
iptables v1.3.5: Unknown arg `--tee'

locate libipt_ROUTE.so yields nothing which makes me believe the man page
was talking bollocks when claiming the extensions to be part of the
'standard distribution'

After further reading I also came to the conclusion patch-o-matic needed
to be used to install the ROUTE module. going to netfilter extensions
HOWTO I see I have to get the latest update from CVS like in so

cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login

but when I do this with password cvs I get

[root@nst2 ~]# cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
Logging in to :pserver:cvs@pserver.netfilter.org:2401/cvspublic
CVS password:
cvs [login aborted]: connect to pserver.netfilter.org(213.95.27.115):2401 failed: Connection refused

any ideas ?

* Re: Packet duplication
From: Gáspár Lajos @ 2007-10-19 10:11 UTC
To: Tiaan Wessels

Tiaan Wessels wrote:
> Gáspár Lajos wrote:
>> Tiaan Wessels wrote:
>>> Hi,
>>> Not sure there is any life on this list but in case someone picks me
>>> up on netfilter user SETI here goes:
>> There is life !!! :D
>>> How do I go about duplicating a UDP packet arriving at a machine.
>>> Essentially I want to have it go to its original recipient but to
>>> another new one also.
>>> -j ROUTE --tee seems not to be supported anymore.
>> False... It is supported but you need the patch-o-matic(-ng) stuff...
>>
>>     --tee  Make a copy of the packet, and route that copy to the
>>            given destination. For the original, uncopied packet,
>>            behave like a non-terminating target and continue
>>            traversing the rules. Not valid in combination with
>>            `--iif' or `--continue'
>>
>>> Thanks
>>
>> Swifty
>>
> Getting this to work for a novice like me seems to be impossible.

It is not so hard... :D

> Doing a man on my FC5 system shows --tee to be there under the ROUTE
> extension and I quote from the man page
> 'iptables can use extended target modules: the following are included
> in the standard distribution'
> however using iptables results in
>
> [root@nst2 ~]# /sbin/iptables -A PREROUTING -t mangle -p udp -d
> 192.168.3.77 --dport 9090 -j ROUTE --tee
> iptables v1.3.5: Unknown arg `--tee'

Note that you may need the --oif option too with tee...
(I would be glad if anyone could confirm!)

> locate libipt_ROUTE.so yields nothing which makes me believe the man
> page was talking bollocks when claiming the extensions to be part of
> the 'standard distribution'
>

Bad manpage... :D

> After further reading I also came to the conclusion patch-o-matic
> needed to be used to install the ROUTE module. going to netfilter
> extensions HOWTO I see I have to get the latest update from CVS like
> in so
>
> cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
>
> but when I do this with password cvs I get
>
> [root@nst2 ~]# cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
> Logging in to :pserver:cvs@pserver.netfilter.org:2401/cvspublic
> CVS password:
> cvs [login aborted]: connect to
> pserver.netfilter.org(213.95.27.115):2401 failed: Connection refused
>
> any ideas ?

Forget cvs... try svn...

Swifty

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-19 10:44 UTC
To: netfilter

Gáspár Lajos wrote:
> Tiaan Wessels wrote:
>> Gáspár Lajos wrote:
>>> Tiaan Wessels wrote:
>>>> Hi,
>>>> Not sure there is any life on this list but in case someone picks
>>>> me up on netfilter user SETI here goes:
>>> There is life !!! :D
>>>> How do I go about duplicating a UDP packet arriving at a machine.
>>>> Essentially I want to have it go to its original recipient but to
>>>> another new one also.
>>>> -j ROUTE --tee seems not to be supported anymore.
>>> False... It is supported but you need the patch-o-matic(-ng) stuff...
>>>
>>>     --tee  Make a copy of the packet, and route that copy to the
>>>            given destination. For the original, uncopied packet,
>>>            behave like a non-terminating target and continue
>>>            traversing the rules. Not valid in combination with
>>>            `--iif' or `--continue'
>>>
>>>> Thanks
>>>
>>> Swifty
>>>
>> Getting this to work for a novice like me seems to be impossible.
> It is not so hard... :D
>> Doing a man on my FC5 system shows --tee to be there under the ROUTE
>> extension and I quote from the man page
>> 'iptables can use extended target modules: the following are included
>> in the standard distribution'
>> however using iptables results in
>>
>> [root@nst2 ~]# /sbin/iptables -A PREROUTING -t mangle -p udp -d
>> 192.168.3.77 --dport 9090 -j ROUTE --tee
>> iptables v1.3.5: Unknown arg `--tee'
> Note that you may need the --oif option too with tee...
> (I would be glad if anyone could confirm!)
>> locate libipt_ROUTE.so yields nothing which makes me believe the man
>> page was talking bollocks when claiming the extensions to be part of
>> the 'standard distribution'
>>
> Bad manpage... :D
>> After further reading I also came to the conclusion patch-o-matic
>> needed to be used to install the ROUTE module. going to netfilter
>> extensions HOWTO I see I have to get the latest update from CVS like
>> in so
>>
>> cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic login
>>
>> but when I do this with password cvs I get
>>
>> [root@nst2 ~]# cvs -d :pserver:cvs@pserver.netfilter.org:/cvspublic
>> login
>> Logging in to :pserver:cvs@pserver.netfilter.org:2401/cvspublic
>> CVS password:
>> cvs [login aborted]: connect to
>> pserver.netfilter.org(213.95.27.115):2401 failed: Connection refused
>>
>> any ideas ?
> Forget cvs... try svn...
>

thanks,
i have located patch-o-matic snapshot for yesterday on netfilter ftp
server. so i did a runme extra but it never asks me to apply the
ROUTE/--tee patch. is this correct ? must I recompile my kernel in any
case ?

* RE: Packet duplication
From: Rob Sterenborg @ 2007-10-19 11:25 UTC
To: netfilter

Tiaan Wessels wrote:
> thanks,
> i have located patch-o-matic snapshot for yesterday on netfilter ftp
> server. so i did a runme extra but it never asks me to apply the
> ROUTE/--tee patch. is this correct ? must I recompile my
> kernel in any case ?

Yes you have to supply the kernel source-path and compile your own
kernel. While you're at it, also download the new iptables source and
let POM-ng also patch that source. Compiling the kernel isn't that hard,
iptables is easier, just supply the iptables source path and when the
kernel is done, compile and install iptables. Remember to remove the
existing iptables package from your distribution.

Perhaps you can find the kernel-config from the distro you're using to
import when running "make menuconfig", so you automatically have all
options selected that you currently have (unless you choose another
kernel version than what you are using now). That way you only have to
select the extras you want.

Grts,
Rob

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-24 8:20 UTC
To: netfilter

Rob Sterenborg wrote:
> Tiaan Wessels wrote:
>
>> thanks,
>> i have located patch-o-matic snapshot for yesterday on netfilter ftp
>> server. so i did a runme extra but it never asks me to apply the
>> ROUTE/--tee patch. is this correct ? must I recompile my
>> kernel in any case ?
>>
>
> Yes you have to supply the kernel source-path and compile your own
> kernel. While you're at it, also download the new iptables source and
> let POM-ng also patch that source. Compiling the kernel isn't that hard,
> iptables is easier, just supply the iptables source path and when the
> kernel is done, compile and install iptables. Remember to remove the
> existing iptables package from your distribution.
>
> Perhaps you can find the kernel-config from the distro you're using to
> import when running "make menuconfig", so you automatically have all
> options selected that you currently have (unless you choose another
> kernel version than what you are using now). That way you only have to
> select the extras you want.
>

i patched the kernel sources with pom and compiled and installed and
then compiled and installed iptables 1.3.7 but still i get

nst2:~ # /usr/local/sbin/iptables -A PREROUTE -t mangle -p udp --dport 9090 -j ROUTE
iptables v1.3.7: Couldn't load target `ROUTE':/usr/local/lib/iptables/libipt_ROUTE.so: cannot open shared object file: No such file or directory

* RE: Packet duplication
From: Rob Sterenborg @ 2007-10-24 9:31 UTC
To: netfilter

> i patched the kernel sources with pom and compiled and installed and
> then compiled and installed iptables 1.3.7 but still i get
>
> nst2:~ # /usr/local/sbin/iptables -A PREROUTE -t mangle -p
> udp --dport 9090 -j ROUTE
> iptables v1.3.7: Couldn't load target
> `ROUTE':/usr/local/lib/iptables/libipt_ROUTE.so: cannot open shared
> object file: No such file or directory

So, "locate libipt_ROUTE.so" doesn't return
"/usr/local/lib/iptables/libipt_ROUTE.so".

In that case I suppose there was an error when compiling iptables
(perhaps also when compiling the kernel?) that caused libipt_ROUTE.so
not to be compiled. When you ran "make", did you see any related errors?
Anyway, I don't think I can help you there; I'm not a developer, maybe
someone else can.

Grts,
Rob

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-24 10:00 UTC
To: netfilter

Rob Sterenborg wrote:
>> i patched the kernel sources with pom and compiled and installed and
>> then compiled and installed iptables 1.3.7 but still i get
>>
>> nst2:~ # /usr/local/sbin/iptables -A PREROUTE -t mangle -p
>> udp --dport 9090 -j ROUTE
>> iptables v1.3.7: Couldn't load target
>> `ROUTE':/usr/local/lib/iptables/libipt_ROUTE.so: cannot open shared
>> object file: No such file or directory
>>
>
> So, "locate libipt_ROUTE.so" doesn't return
> "/usr/local/lib/iptables/libipt_ROUTE.so".
>
> In that case I suppose there was an error when compiling iptables
> (perhaps also when compiling the kernel?) that caused libipt_ROUTE.so
> not to be compiled. When you ran "make", did you see any related errors?
> Anyway, I don't think I can help you there; I'm not a developer, maybe
> someone else can.
>

that's correct. locate finds nothing. in an attempt at hacking i added
ROUTE to the variable PF_EXT_SLIB in extensions/Makefile and tried to
make but then get

nst2:~/iptables-1.3.7 # make
Unable to resolve dependency on linux/netfilter_ipv4/ipt_ROUTE.h. Try 'make clean'.
Extensions found: IPv4:CLUSTERIP IPv4:connbytes IPv4:dccp IPv4:quota IPv4:recent IPv4:statistic IPv4:string IPv6:REJECT IPv6:ah IPv6:esp IPv6:frag IPv6:ipv6header IPv6:hbh IPv6:dst IPv6:rt IPv6:sctp

i could not see any problem in compiling either the kernel or iptables.
what did strike me as odd was when i ran the ./runme script in pom it
never asks me for the patch on routing so i answer N to all the
questions. this right ???

* RE: Packet duplication
From: Rob Sterenborg @ 2007-10-24 10:36 UTC
To: netfilter

> i could not see any problem in compiling either the kernel or
> iptables. what did strike me as odd was when i ran the ./runme script
> in pom it never asks me for the patch on routing so i answer N to all
> the questions. this right ???

I suspect you also couldn't select the ROUTE target when configuring the
kernel.

Try:
KERNEL_DIR=/path/to/kernel \
IPTABLES_DIR=/path/to/iptables \
./runme --download extra

Grts,
Rob

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-24 10:43 UTC
To: netfilter

Rob Sterenborg wrote:
>> i could not see any problem in compiling either the kernel or
>> iptables. what did strike me as odd was when i ran the ./runme script
>> in pom it never asks me for the patch on routing so i answer N to all
>> the questions. this right ???
>>
>
> I suspect you also couldn't select the ROUTE target when configuring the
> kernel.
>
> Try:
> KERNEL_DIR=/path/to/kernel \
> IPTABLES_DIR=/path/to/iptables \
> ./runme --download extra
>

looks promising thanks. it said it download ROUTE extra so patched
(never asked me to apply ROUTE patch though) and am now compiling kernel
again so will let you know in a day's time
thanks for your philanthropy

* RE: Packet duplication
From: Rob Sterenborg @ 2007-10-24 12:45 UTC
To: netfilter

> looks promising thanks. it said it download ROUTE extra so patched
> (never asked me to apply ROUTE patch though) and am now
> compiling kernel again so will let you know in a day's time
> thanks for your philanthropy

I tried to patch 2.6.23.1 using POM-ng but it didn't ask to patch for
ROUTE as you found out. Maybe it's not supported on this kernel so it
won't work on this kernel.

To see what happens, I patched the kernel manually (copied files, added
stuff to Kconfig and Makefile), configured it for ROUTE (ipv4) and it
seems to compile. I can't test if it will work, however.

Grts,
Rob

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-24 15:02 UTC
To: netfilter

Rob Sterenborg wrote:
>> looks promising thanks. it said it download ROUTE extra so patched
>> (never asked me to apply ROUTE patch though) and am now
>> compiling kernel again so will let you know in a day's time
>> thanks for your philanthropy
>>
>
> I tried to patch 2.6.23.1 using POM-ng but it didn't ask to patch for
> ROUTE as you found out. Maybe it's not supported on this kernel so it
> won't work on this kernel.
>
> To see what happens, I patched the kernel manually (copied files, added
> stuff to Kconfig and Makefile), configured it for ROUTE (ipv4) and it
> seems to compile. I can't test if it will work, however.
>

i know this is much asked but any chance you could explain to me what
you did ? (you can be brief)

* RE: Packet duplication
From: Rob Sterenborg @ 2007-10-24 15:43 UTC
To: netfilter

>> To see what happens, I patched the kernel manually (copied files,
>> added stuff to Kconfig and Makefile), configured it for ROUTE (ipv4)
>> and it seems to compile. I can't test if it will work, however.
>>
> i know this is much asked but any chance you could explain to me what
> you did ? (you can be brief)

The patch is not hard to include manually. If you look in POM-ng's
patchlets directory, you see all available patches including the ROUTE
patch. There, you go to the source you need (I guess linux-2.6).
You'll see 2 directories: include and net. Copy these into the kernel
source using: cp -R * /path/to/kernel.
Next, you go to the /path/to/kernel/net/ipv4/netfilter directory. You'll
find these files:
- Kconfig
- Kconfig.ladd
- Makefile
- Makefile.ladd
Checkout the .ladd files (there's not much in there) and add it
somewhere to Kconfig or Makefile (I think if you look into these files
you'll probably know where). You can delete the .ladd files afterwards.
Do the same in /path/to/kernel/net/ipv6/netfilter.

Now you can configure the kernel for ROUTE and compile it. According to
Kconfig.ladd, the ipv6 ROUTE does not work as a module so don't
configure it like that for ipv6; ipv4 seems fine as a module.

Again: I got it to compile but that's as much as I can do here. I do not
know if it works.

Grts,
Rob

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-25 6:14 UTC
To: netfilter

Rob Sterenborg wrote:
>>> To see what happens, I patched the kernel manually (copied files,
>>> added stuff to Kconfig and Makefile), configured it for ROUTE (ipv4)
>>> and it seems to compile. I can't test if it will work, however.
>>>
>> i know this is much asked but any chance you could explain to me what
>> you did ? (you can be brief)
>>
>
> The patch is not hard to include manually. If you look in POM-ng's
> patchlets directory, you see all available patches including the ROUTE
> patch. There, you go to the source you need (I guess linux-2.6).
> You'll see 2 directories: include and net. Copy these into the kernel
> source using: cp -R * /path/to/kernel.
> Next, you go to the /path/to/kernel/net/ipv4/netfilter directory. You'll
> find these files:
> - Kconfig
> - Kconfig.ladd
> - Makefile
> - Makefile.ladd
> Checkout the .ladd files (there's not much in there) and add it
> somewhere to Kconfig or Makefile (I think if you look into these files
> you'll probably know where). You can delete the .ladd files afterwards.
> Do the same in /path/to/kernel/net/ipv6/netfilter.
>
> Now you can configure the kernel for ROUTE and compile it. According to
> Kconfig.ladd, the ipv6 ROUTE does not work as a module so don't
> configure it like that for ipv6; ipv4 seems fine as a module.
>
> Again: I got it to compile but that's as much as I can do here. I do not
> know if it works.
>

thanks a million Rob,
I got it working at last using your instructions.
cheers

* RE: Packet duplication
From: Rob Sterenborg @ 2007-10-25 7:24 UTC
To: netfilter

> thanks a million Rob,

You're welcome..

> I got it working at last using your instructions.
> cheers

Does this mean that the ROUTE patch is actually working (I didn't get to
test that) and which kernel version did you use?

Grts,
Rob

* Re: Packet duplication
From: Tiaan Wessels @ 2007-10-25 7:35 UTC
To: netfilter

Rob Sterenborg wrote:
>> thanks a million Rob,
>>
>
> You're welcome..
>
>> I got it working at last using your instructions.
>> cheers
>>
>
> Does this mean that the ROUTE patch is actually working (I didn't get to
> test that) and which kernel version did you use?
>

not exactly, it only meant all error messages was gone printed to the
tty when i run the iptables command. i'm now trying to create what i
originally set out to do. if you're interested here's my scenario.

i have one machine with two interfaces eth0 192.168.51.151 and eth1
192.168.3.11. i have udp packets coming in on eth1 from 192.168.3.77
destined for 192.168.3.11:9090 . i want to duplicate these packets so
they go to their original destination but also go out on eth0 to
192.168.51.46:9090. that's in short what i'm trying. so i have the
following rules i'm trying now (hope this is not laughable as i'm a
novice)

/usr/local/sbin/iptables -F INPUT
/usr/local/sbin/iptables -F OUTPUT
/usr/local/sbin/iptables -F FORWARD
/usr/local/sbin/iptables -t nat -F POSTROUTING
/usr/local/sbin/iptables -t nat -F PREROUTING
/usr/local/sbin/iptables -t mangle -F POSTROUTING
/usr/local/sbin/iptables -t mangle -F PREROUTING
/usr/local/sbin/iptables -t mangle -A PREROUTING -p udp --dport 9090 -j ROUTE --tee
/usr/local/sbin/iptables -t nat -A PREROUTING -p udp --dport 9090 -j DNAT --to-destination 192.168.51.46:9090

but alas once i run these commands the packets just disappear. it
doesn't reach either of the two destinations then. any comments ?

* RE: Packet duplication
From: Rob Sterenborg @ 2007-10-25 8:34 UTC
To: netfilter

tiaan@netsys.co.za wrote:
> Rob Sterenborg wrote:
>> and which kernel version did you use?

[...]

> /usr/local/sbin/iptables -t mangle -A PREROUTING -p udp --dport 9090
> -j ROUTE --tee

Searching for how "-j ROUTE --tee" works, I stumbled on these pages:
http://www.gossamer-threads.com/lists/iptables/devel/68316
http://www.cl.cam.ac.uk/research/dtg/research/wiki/MulticastRouting

From what I read there, --tee is used like this:

iptables -t mangle -A INPUT [matches] \
  -j ROUTE --tee --gw <mirror_ip>
iptables -t mangle -A OUTPUT -d <dst_ip_net> -o <if_out> \
  -j ROUTE --tee --oif <mirror_if_out>

> /usr/local/sbin/iptables -t nat -A PREROUTING -p udp --dport 9090 -j
> DNAT --to-destination 192.168.51.46:9090
>
> but alas once i run these commands the packets just disappear. it
> doesn't reach either of the two destinations then. any comments ?

AFAICS you forgot to tell iptables where you want the packet copied.

I also found that there appears to be a TEE target in development.
http://www.gossamer-threads.com/lists/iptables/devel/68781

Grts,
Rob

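Added example, not part of the original thread and not code from any of its participants: the last message notes that the copy needs an explicit destination and that a TEE target was in development. The sketch below uses that later mainline TEE target (`-j TEE --gateway`) in place of the patch-o-matic ROUTE target, applied to the scenario from the thread; the /24 prefix length and the helper names ip_to_int, on_link and tee_rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build a TEE mirror rule for the
# scenario described in the thread and refuse gateways that are not on-link.
# eth1, port 9090, 192.168.51.151 and 192.168.51.46 come from the thread;
# the /24 prefix length is an assumption.
#
# TEE hands the clone to --gateway as next hop, so the gateway must sit on
# a directly attached segment. The clone keeps its original destination
# (192.168.3.11:9090 here): the mirror host has to capture it or rewrite
# the destination itself. The original packet continues unchanged, so no
# DNAT rule is needed on the mirroring box.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# on_link GATEWAY ADDR/PREFIX -> exit 0 if GATEWAY lies in ADDR's subnet
on_link() {
    gw=$(ip_to_int "$1")
    addr=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( gw & mask )) -eq $(( addr & mask )) ]
}

# tee_rule IN_IF UDP_PORT GATEWAY LOCAL_ADDR/PREFIX -> prints the command
tee_rule() {
    if ! on_link "$3" "$4"; then
        echo "refusing: $3 is not on the same segment as $4" >&2
        return 1
    fi
    echo "iptables -t mangle -A PREROUTING -i $1 -p udp --dport $2 -j TEE --gateway $3"
}

# Print (do not apply) the rule for the thread's scenario: UDP/9090
# arriving on eth1, mirrored via eth0 (192.168.51.151/24) to 192.168.51.46.
tee_rule eth1 9090 192.168.51.46 192.168.51.151/24
```

The script only prints the command; review it and run it as root on a kernel with the TEE target available.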