[tproxy] sctp module patch

KOVACS Krisztian hidden at balabit.hu
Sat Apr 23 12:31:08 CEST 2011


On Mon, 2011-04-18 at 13:47 +0530, maria isabel wrote:
>    I have attached the sctp patch with the steal socket
> implementation. But I have one problem and I need your help. With this
> change the packet gets redirected to the TPROXY port but when it
> reaches the sctp module it gets dropped and an ABORT chunk is
> issued. What could be the reason? This does not happen in tcp and
> udp. Normal sctp flow is proper on other ports apart from the TPROXY
> port. I am able to see this trace.
> redirecting: proto 132 0aff0d9a:1500 -> 00000000:3127, mark: 1
> My rule is
> iptables -t mangle -A PREROUTING -p sctp --dport 1500 -j TPROXY
> --on-port 3127.
> Inside the sctp module when the packet is redirected the association
> lookup is done with port 1500 and not 3127.
> I think the local address is initialised that way or something. Please
> help me!!

First of all: I don't really know SCTP, neither the protocol nor the
Linux implementation, so everything that follows is highly theoretical
and might be completely wrong.

The code in the patch you've attached does not really do anything (apart
from leaking a socket reference).

The point of the similar code in TCP/UDP is that when the TPROXY target
redirects a connection it stores a reference to the socket listening on
the redirected address in the skb.

Having had a quick look at your code in your previous mail, you store
the socket reference in asoc->base (i.e. the socket belonging to the
looked-up endpoint). However, in the SCTP code the lookup doesn't return
a socket reference but an SCTP endpoint (or association).

So you'd have to find a way to get the SCTP association belonging to
skb->sk and modify either the lookup routines in net/sctp/input.c or
sctp_rcv() to use that association/endpoint in case skb->sk is set.

KOVACS Krisztian