Re: [tproxy] Problem with Tproxy more kernel2.6.22.9

12 Jan 2008

Laszlo Attila Toth wrote:
...
Applied, thanks. The kernel oops is avoided, but the laddr has an 
invalid address.
Current version is in git:
http://git.balabit.hu/?p=panther/tproxy4.git;a=summary
While at it, I have two other patches for your consideration :-

1 ) Sometimes in a multipath routing environment, after spoofing the 
original source IP, yet the packets have to do through a SNAT path, so 
this patch allows this to happen. This patch was provided by Kovacs.


Index: linux-2.6.22/include/linux/netfilter_ipv4.h
===================================================================

--- linux-2.6.22.orig/include/linux/netfilter_ipv4.h    2007-12-05 
11:40:16.000000000 +0100
+++ linux-2.6.22/include/linux/netfilter_ipv4.h 2007-12-05 
11:40:48.000000000 +0100
@@ -58,8 +58,8 @@
        NF_IP_PRI_SELINUX_FIRST = -225,
        NF_IP_PRI_CONNTRACK = -200,
        NF_IP_PRI_MANGLE = -150,
-       NF_IP_PRI_TPROXY = -125,
        NF_IP_PRI_NAT_DST = -100,
+       NF_IP_PRI_TPROXY = -75,
        NF_IP_PRI_FILTER = 0,
        NF_IP_PRI_NAT_SRC = 100,
        NF_IP_PRI_SELINUX_LAST = 225,

              

2 ) IP FREEBIND packets spoofed with foreign source address will not 
leave the system when there is a FWMARK in the mangle table OUTPUT 
chain. This patch is created by me based on the information given by 
Kovacs, code quality is highly questionable as I barely understood 
what's it is all about, but it seems to work.

--- linux-2.6.22-org/net/ipv4/netfilter.c       2007-12-13 
20:55:45.000000000 +0800
+++ linux-2.6.22-new/net/ipv4/netfilter.c       2007-12-13 
20:55:03.000000000 +0800
@@ -24,7 +24,7 @@
        /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
         * packets with foreign saddr to appear on the NF_IP_LOCAL_OUT hook.
         */
-       if (addr_type == RTN_LOCAL) {
+//     if (addr_type == RTN_LOCAL) {
                fl.nl_u.ip4_u.daddr = iph->daddr;
                if (type == RTN_LOCAL)
                        fl.nl_u.ip4_u.saddr = iph->saddr;
@@ -37,10 +37,10 @@
                /* Drop old route. */
                dst_release((*pskb)->dst);
                (*pskb)->dst = &rt->u.dst;
-       } else {
+//     } else {
                /* non-local src, find valid iif to satisfy
                 * rp-filter when calling ip_route_input. */
-               fl.nl_u.ip4_u.daddr = iph->saddr;
+/*             fl.nl_u.ip4_u.daddr = iph->saddr;
                if (ip_route_output_key(&rt, &fl) != 0)
                        return -1;

@@ -53,7 +53,7 @@
                dst_release(&rt->u.dst);
                dst_release(odst);
        }
-
+*/
        if ((*pskb)->dst->error)
                return -1;


Ming-Ching

    

Re: [tproxy] Problem with Tproxy more kernel2.6.22.9

Ming-Ching Tiew