[tproxy] UDP tproxy
Javier Govea
javier@magma.ca
Fri, 15 Oct 2004 16:25:23 -0400 (EDT)
Thank you very much for your comments.
I did all the modifications you mentioned and I checked redirect-udp-recv.c, and now my C
program works without any problem.
I have only one last question, it is just curiosity. redirect-udp-recv.c has the following
lines of code.
/* check tproxy version */
itp.op = TPROXY_VERSION;
itp.v.version = 0x02000000;
if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1)
{
perror("setsockopt(SOL_IP, IP_TPROXY, TPROXY_VERSION)");
return -1;
}
Is this part optional? What happens if I set the wrong version? Does it mean that my
program works only with a specific tproxy version?
Thanks a lot again
Xavier
On Oct 15, KOVACS Krisztian <hidden@balabit.hu> wrote:
>
>
> Hi,
>
> On 2004-10-14, Thursday, at 23:45, Javier Govea wrote:
> > I've been googling for some information about using tproxy for UDP traffic but I am still
> > a bit confused. I hope you guys can help me out.
> >
> > I want to intercept, at the application layer with a C written program, all UDP traffic,
> > and then obtain the final destination IP address and port.
> >
> > So, please correct me if I am wrong, I need two rules:
> >
> > iptables -t nat -A PREROUTING -j DNAT --to-dest 192.168.1.10
> > iptables -t tproxy -A PREROUTING -j TPROXY --on-port 1025
>
> You don't need the DNAT rule, only the TPROXY one. You can also
> specify a destination IP to TPROXY with --on-ip; if you omit that
> argument it will use the address of the interface the packet came in on.
>
> > /* QUESTION 1:
> > * Do I need to use getsockopt or setsockopt in here???
> > * If so, what exactly should I pass as parameters to getsockopt or setsockopt
> > * Krisztian Kovacs, in a message posted in this list on 07 Jul 2004, mentions
> > * that I need to use getsockopt, but I'm not sure about the
> > * parameters I need to pass, can somebody please clarify this point?
> > */
>
> Yes, you have to set the RECVORIGADDRS socket option with setsockopt()
> in order to receive the original address with recvmsg().
>
> > /* QUESTION 2:
> > * The same message posted by Krisztian Kovacs mentions that I need to use
> > * recvmsg and that the original destination IP address and port is the
> > * ancillary data. Is the following code correct??? Is that how I am supposed to
> > * extract the payload, original destination IP address and port
> > * from the ancillary data?
> > */
>
> You got the msg setup right, but do not process the received msg
> appropriately. Read below.
>
> > /* QUESTION 3:
> > * Is the payload supposed to be in cdata?
> > */
> > void *cdata = CMSG_DATA(cmsg);
>
> No, it's in msgh.msg_iov.iov_base (buffer in your case).
>
> >
> > /* QUESTION 4:
> > * The original destination IP address and port are in msgh.msg_name???
> > */
> > sockaddr_in *originalDst = (sockaddr_in *)(msgh.msg_name);
>
> No, it's in CMSG_DATA(cmsg).
>
> > /* Original destination IP address in originalDst->sin_addr.s_addr and
> > * original destination port in originalDst->sin_port
> > * Does any of this make any sense???
> > */
>
> Yes. But please take a look at the example code, redirect-udp-recv.c
> is _exactly_ what you're looking for.
>
> --
> Regards,
> Krisztian KOVACS
>
>
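The distinction the reply draws (payload in msg_iov[].iov_base, original destination in CMSG_DATA(cmsg), sender in msg_name) as an added example, not code from this list or from the tproxy project: it walks the ancillary data of a recvmsg()-style msghdr and pulls out the original destination. The tproxy headers are not available here, so the cmsg level/type constants ORIGDST_CMSG_LEVEL and ORIGDST_CMSG_TYPE are placeholders (assumptions), and the datagram is constructed in memory rather than received from a socket.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed cmsg level/type for the original destination: placeholders, the real
 * tproxy patch defines its own constants in its header. */
#define ORIGDST_CMSG_LEVEL IPPROTO_IP
#define ORIGDST_CMSG_TYPE  200

/* Walk the ancillary data of a received msghdr and copy the original destination
 * out of CMSG_DATA(). Returns 1 on success, 0 if no matching cmsg is present. */
int extract_orig_dst(struct msghdr *mh, struct sockaddr_in *orig) {
    for (struct cmsghdr *c = CMSG_FIRSTHDR(mh); c != NULL; c = CMSG_NXTHDR(mh, c))
        if (c->cmsg_level == ORIGDST_CMSG_LEVEL && c->cmsg_type == ORIGDST_CMSG_TYPE &&
            c->cmsg_len >= CMSG_LEN(sizeof(*orig))) {
            memcpy(orig, CMSG_DATA(c), sizeof(*orig));
            return 1;
        }
    return 0;
}

/* One constructed datagram (not a capture), laid out the way recvmsg() fills it in. */
static char payload[64];                 /* msg_iov[0].iov_base: the UDP payload */
static struct iovec iov = { .iov_base = payload, .iov_len = 0 };
static struct sockaddr_in sender;        /* msg_name: the sender, NOT the original dst */
static union { char buf[CMSG_SPACE(sizeof(struct sockaddr_in))]; struct cmsghdr align; } ctl;
static struct msghdr msgh = { .msg_name = &sender, .msg_namelen = sizeof(sender), .msg_iov = &iov,
                              .msg_iovlen = 1, .msg_control = ctl.buf, .msg_controllen = sizeof(ctl.buf) };
static struct sockaddr_in orig_dst;      /* filled in by extract_orig_dst() */

/* Put the payload in the iovec and the original destination in a control message. */
void build_sample(const char *text, const char *dst_ip, unsigned dst_port) {
    struct sockaddr_in orig = { .sin_family = AF_INET, .sin_port = htons(dst_port) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msgh);
    strncpy(payload, text, sizeof(payload) - 1);
    iov.iov_len = strlen(payload);
    sender.sin_family = AF_INET;
    inet_pton(AF_INET, dst_ip, &orig.sin_addr);
    c->cmsg_level = ORIGDST_CMSG_LEVEL;
    c->cmsg_type = ORIGDST_CMSG_TYPE;
    c->cmsg_len = CMSG_LEN(sizeof(orig));
    memcpy(CMSG_DATA(c), &orig, sizeof(orig));
}

int main(void) {
    build_sample("constructed payload", "10.1.2.3", 53);
    if (extract_orig_dst(&msgh, &orig_dst))
        printf("payload=\"%s\" orig dst=%s:%u\n", payload, inet_ntoa(orig_dst.sin_addr), (unsigned)ntohs(orig_dst.sin_port));
    return 0;
}
```

On a real tproxy socket the same loop runs over the msghdr that recvmsg() returns once the RECVORIGADDRS option has been set, with the level and type the patch's header defines.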