Thank you very much for your comments. I did all the modifications you mentioned and I checked redirect-udp-recv.c, and now my C program works without any problem. I have only one last question, it is just curiosity. redirect-udp-recv.c has the following lines of code.

/* check tproxy version */
itp.op = TPROXY_VERSION;
itp.v.version = 0x02000000;
if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        perror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_VERSION)");
        return -1;
}

Is this part optional? What happens if I set the wrong version? Does it mean that my program works only with a specific tproxy version?

Thanks a lot again
Xavier

On Oct 15, KOVACS Krisztian <hidden@balabit.hu> wrote:
Hi,
On 2004-10-14 (Thursday) at 23:45, Javier Govea wrote:
I've been googling for some information about using tproxy for UDP traffic but I am still a bit confused. I hope you guys can help me out.
I want to intercept, at the application layer with a program written in C, all UDP traffic, and then obtain the final destination IP address and port.
So, please correct me if I am wrong, I need two rules:
iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.1.10
iptables -t tproxy -A PREROUTING -j TPROXY --on-port 1025
You don't need the DNAT rule, only the TPROXY one. You can also specify a destination IP to TPROXY with --on-ip, if you omit that argument it will use the address of the interface the packet came in.
/* QUESTION 1:
 * Do I need to use getsockopt or setsockopt in here???
 * If so, what exactly should I pass as parameters to getsockopt or setsockopt?
 * Krisztian Kovacs, in a message posted in this list on 07 Jul 2004, mentions
 * that I need to use getsockopt, but I'm not sure about the
 * parameters I need to pass, can somebody please clarify this point?
 */
Yes, you have to set the RECVORIGADDRS socket option with setsockopt() in order to receive the original address with recvmsg().
/* QUESTION 2:
 * The same message posted by Krisztian Kovacs mentions that I need to use
 * recvmsg and that the original destination IP address and port is the
 * ancillary data. Is the following code correct??? Is that how I am supposed to
 * extract the payload, original destination IP address and port
 * from the ancillary data?
 */
You got the msg setup right, but do not process the received msg appropriately. Read below.
/* QUESTION 3:
 * Is the payload supposed to be in cdata?
 */
void *cdata = CMSG_DATA(cmsg);
No, it's in msgh.msg_iov.iov_base (buffer in your case).
/* QUESTION 4:
 * The original destination IP address and port are in msgh.msg_name???
 */
struct sockaddr_in *originalDst = (struct sockaddr_in *)(msgh.msg_name);
No, it's in CMSG_DATA(cmsg).
/* Original destination IP address in originalDst->sin_addr.s_addr and
 * original destination port in originalDst->sin_port
 * Does any of this make any sense???
 */
Yes. But please take a look at the example code, redirect-udp-recv.c is _exactly_ what you're looking for.
--
Regards,
Krisztian KOVACS
Hi,

Javier Govea wrote:
I have only one last question, it is just curiosity. redirect-udp-recv.c has the following lines of code.

/* check tproxy version */
itp.op = TPROXY_VERSION;
itp.v.version = 0x02000000;
if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        perror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_VERSION)");
        return -1;
}

Is this part optional? What happens if I set the wrong version? Does it mean that my program works only with a specific tproxy version?

Yes, it's optional. It is an illustration of how to detect whether the tproxy version in the kernel is compatible with this version of the interface. The user-space software requests interface version 2.0.0 (0x20000000) from the kernel, and the setsockopt fails if the tproxy implementation does not support this interface. Note that in spite of using setsockopt(), this operation does not set anything, it just barely returns if a compatible interface is supported. The same operation with getsockopt() simply returns the interface version number.
--
Regards,
Krisztian KOVACS
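The point made earlier in the thread about Questions 3 and 4 (payload in the iovec, original destination in CMSG_DATA, not in msg_name) as an added worked example; this is not code from the thread or from the tproxy distribution. It walks the control data the way a recvmsg() caller must, rejects a truncated record, and builds a constructed msghdr to run against offline; TPROXY_CMSG_ORIGDST is a placeholder for the cmsg_type the real tproxy headers define.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif
/* Placeholder cmsg_type for the original-destination record; the real
 * value comes from the tproxy headers (assumption, not from the thread). */
#define TPROXY_CMSG_ORIGDST 0x7f

/* Walk the control data filled in by recvmsg() and copy out the original
 * destination. Returns 1 on success, 0 if absent or truncated. The UDP
 * payload is NOT here: it stays in msgh->msg_iov[0].iov_base. */
int extract_origdst(struct msghdr *msgh, struct sockaddr_in *out)
{
    struct cmsghdr *c;
    for (c = CMSG_FIRSTHDR(msgh); c != NULL; c = CMSG_NXTHDR(msgh, c)) {
        if (c->cmsg_level != SOL_IP || c->cmsg_type != TPROXY_CMSG_ORIGDST)
            continue;
        if (c->cmsg_len < CMSG_LEN(sizeof(*out)))
            return 0;          /* short record: do not read past it */
        memcpy(out, CMSG_DATA(c), sizeof(*out));
        return 1;
    }
    return 0;
}

/* Constructed stand-in for a datagram as recvmsg() would deliver it:
 * payload in the iovec, original destination in the control buffer. */
static char payload[] = "constructed datagram";
static union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(struct sockaddr_in))]; } ctrl;
static struct iovec iov = { payload, sizeof(payload) - 1 };

struct msghdr build_sample_msg(const char *ip, unsigned short port)
{
    struct msghdr msgh = { 0 };
    struct sockaddr_in dst = { 0 };
    struct cmsghdr *c;
    msgh.msg_iov = &iov;          msgh.msg_iovlen = 1;
    msgh.msg_control = ctrl.buf;  msgh.msg_controllen = sizeof(ctrl.buf);
    dst.sin_family = AF_INET;     dst.sin_port = htons(port);
    inet_pton(AF_INET, ip, &dst.sin_addr);
    c = CMSG_FIRSTHDR(&msgh);
    c->cmsg_level = SOL_IP;       c->cmsg_type = TPROXY_CMSG_ORIGDST;
    c->cmsg_len = CMSG_LEN(sizeof(dst));
    memcpy(CMSG_DATA(c), &dst, sizeof(dst));
    return msgh;
}
```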