[PATCH] ROUTE target

[PATCH] ROUTE target

[Cedric de Launois]

[-- Attachment #1: Type: text/plain, Size: 758 bytes --]

Hi !

Here is a new version of the ROUTE target. Following discussions,
it seems that there is a need to make the ROUTE target also a
non-final target. So I added a new option --force. When not using
this option, the behaviour is to set the route and continue traversal.
When using this option, the behaviour is as before, i.e. the packet
is sent and the packet is stolen. This remains useful when we have
to force the use of an interface (rather unfrequent).

Changes :
- ipt_ROUTE.c : 
     added --force option
     cosmetic changes
- ipt_ROUTE.h : added --force option
- libipt_ROUTE.c : added --force option
- ROUTE.patch.config.in : target kernel option now depends on
     CONFIG_IP_NF_MANGLE kernel option

The patch is against current cvs.

Cedric


[-- Attachment #2: ROUTE.cvs.patch --]
[-- Type: text/x-patch, Size: 14268 bytes --]

diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch netfilter/patch-o-matic/extra/ROUTE.patch
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch	2003-06-24 15:22:19.000000000 +0200
@@ -1,7 +1,7 @@
 diff -Nru linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h linux/include/linux/netfilter_ipv4/ipt_ROUTE.h
---- linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h	Thu Jan  1 01:00:00 1970
-+++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h	Tue Dec 17 16:49:04 2002
-@@ -0,0 +1,18 @@
+--- linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h	1970-01-01 01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h	2003-06-24 10:40:54.000000000 +0200
+@@ -0,0 +1,22 @@
 +/* Header file for iptables ipt_ROUTE target
 + *
 + * (C) 2002 by Cédric de Launois <delaunois@info.ucl.ac.be>
@@ -14,23 +14,27 @@
 +#define IPT_ROUTE_IFNAMSIZ 16
 +
 +struct ipt_route_target_info {
-+	char oif[IPT_ROUTE_IFNAMSIZ];
-+	char iif[IPT_ROUTE_IFNAMSIZ];
-+	unsigned int gw;
++	char      oif[IPT_ROUTE_IFNAMSIZ];      /* Output Interface Name */
++	char      iif[IPT_ROUTE_IFNAMSIZ];      /* Input Interface Name  */
++	u_int32_t gw;                           /* IP address of gateway */
++	u_int8_t  flags;
 +};
 +
++/* Values for "flags" field */
++#define IPT_ROUTE_FORCE        0x01
++
 +#endif /*_IPT_ROUTE_H_target*/
 diff -Nru linux.orig/net/ipv4/netfilter/ipt_ROUTE.c linux/net/ipv4/netfilter/ipt_ROUTE.c
---- linux.orig/net/ipv4/netfilter/ipt_ROUTE.c	Thu Jan  1 01:00:00 1970
-+++ linux/net/ipv4/netfilter/ipt_ROUTE.c	Wed Feb 26 17:25:39 2003
-@@ -0,0 +1,359 @@
+--- linux.orig/net/ipv4/netfilter/ipt_ROUTE.c	1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ipt_ROUTE.c	2003-06-24 15:19:15.000000000 +0200
+@@ -0,0 +1,370 @@
 +/*
 + * This implements the ROUTE target, which enables you to setup unusual
 + * routes not supported by the standard kernel routing table.
 + *
 + * Copyright (C) 2002 Cedric de Launois <delaunois@info.ucl.ac.be>
 + *
-+ * v 1.6 2003/02/26
++ * v 1.8 2003/06/24
 + *
 + * This software is distributed under GNU GPL v2, 1991
 + */
@@ -56,7 +60,7 @@
 +/* Try to route the packet according to the routing keys specified in
 + * route_info. Keys are :
 + *  - ifindex : 
-+ *      0 if no oif prefered, 
++ *      0 if no oif preferred, 
 + *      otherwise set to the index of the desired oif
 + *  - route_info->gw :
 + *      0 if no gateway specified,
@@ -88,9 +92,10 @@
 +	if (route_info->gw)
 +		key.dst = route_info->gw;
 +	
-+	/* Trying to route the packet with the standard routing table. */
++	/* Trying to route the packet using the standard routing table. */
 +	if ((err = ip_route_output_key(&rt, &key))) {
-+		DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
 +		return -1;
 +	}
 +	
@@ -101,7 +106,6 @@
 +	/* Success if no oif specified or if the oif correspond to the 
 +	 * one desired */
 +	if (!ifindex || rt->u.dst.dev->ifindex == ifindex) {
-+		/* Drop old route. */
 +		skb->dst = &rt->u.dst;
 +		skb->dev = skb->dst->dev;
 +		return 1;
@@ -111,8 +115,9 @@
 +	 * specified by the user. This may happen because the dst address
 +	 * is one of our own addresses.
 +	 */
-+	DEBUGP("ipt_ROUTE: failed to route as desired (oif: %i)", 
-+	       rt->u.dst.dev->ifindex);
++	if (net_ratelimit()) 
++		DEBUGP("ipt_ROUTE: failed to route as desired gw=%u.%u.%u.%u oif=%i (got oif=%i)\n", 
++		       NIPQUAD(route_info->gw), ifindex, rt->u.dst.dev->ifindex);
 +	
 +	return 0;
 +}
@@ -159,64 +164,70 @@
 +static unsigned int route_oif(const struct ipt_route_target_info *route_info,
 +			      struct sk_buff *skb) 
 +{
-+	int err;
 +	unsigned int ifindex = 0;
 +	struct net_device *dev_out = NULL;
 +
 +	/* The user set the interface name to use.
 +	 * Getting the current interface index.
 +	 */
-+	if ((dev_out = dev_get_by_name(route_info->oif)))
++	if ((dev_out = dev_get_by_name(route_info->oif))) {
 +		ifindex = dev_out->ifindex;
-+	else 
++	} else {
 +		/* Unknown interface name : packet dropped */
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: oif interface %s not found\n", route_info->oif);
 +		return NF_DROP;
-+	
-+	DEBUGP(KERN_DEBUG "oif index of %s is %i\n", route_info->oif, ifindex);
-+
-+
-+	/* Trying the standard way of routing packets */
-+	err = route(skb, ifindex, route_info);
-+	if (err==1) {
-+		DEBUGP(KERN_DEBUG "ROUTE oif ok, skb->dev->index=%i\n",
-+		       skb->dev->ifindex);
-+
-+		dev_put(dev_out);
-+		ip_direct_send(skb);
-+		return NF_STOLEN;
 +	}
 +
-+	if (err) {
++	/* Trying the standard way of routing packets */
++	switch (route(skb, ifindex, route_info)) {
++	case 1:
 +		dev_put(dev_out);
-+		return NF_DROP;
-+	}
++		if (route_info->flags & IPT_ROUTE_FORCE) {
++			ip_direct_send(skb);
++			return NF_STOLEN;
++		}
 +
-+	/* Failed to send to oif. Trying the hard way */
++		return IPT_CONTINUE;
 +
-+	DEBUGP(KERN_DEBUG "HARD ROUTING\n");
++	case 0:
++		/* Failed to send to oif. Trying the hard way */
++		if (!(route_info->flags & IPT_ROUTE_FORCE))
++			return NF_DROP;
 +
-+	/* We have to force the use of an interface.
-+	 * This interface must be a tunnel interface since
-+	 * otherwise we can't guess the hw address for
-+	 * the packet. For a tunnel interface, no hw address
-+	 * is needed.
-+	 */
-+	if ((dev_out->type != ARPHRD_TUNNEL)
-+	    && (dev_out->type != ARPHRD_IPGRE)) {
-+		DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: forcing the use of %i\n",
++			       ifindex);
++
++		/* We have to force the use of an interface.
++		 * This interface must be a tunnel interface since
++		 * otherwise we can't guess the hw address for
++		 * the packet. For a tunnel interface, no hw address
++		 * is needed.
++		 */
++		if ((dev_out->type != ARPHRD_TUNNEL)
++		    && (dev_out->type != ARPHRD_IPGRE)) {
++			if (net_ratelimit()) 
++				DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
++			dev_put(dev_out);
++			return NF_DROP;
++		}
++	
++		/* Send the packet. This will also free skb
++		 * Do not go through the POST_ROUTING hook because 
++		 * skb->dst is not set and because it will probably
++		 * get confused by the destination IP address.
++		 */
++		skb->dev = dev_out;
++		dev_direct_send(skb);
++		dev_put(dev_out);
++		return NF_STOLEN;
++		
++	default:
++		/* Unexpected error */
 +		dev_put(dev_out);
 +		return NF_DROP;
 +	}
-+	
-+	/* Send the packet. This will also free skb
-+	 * Do not go through the POST_ROUTING hook because 
-+	 * skb->dst is not set and because it will probably
-+	 * get confused by the destination IP address.
-+	 */
-+	skb->dev = dev_out;
-+	dev_direct_send(skb);
-+	dev_put(dev_out);
-+	return NF_STOLEN;
 +}
 +
 +
@@ -229,11 +240,12 @@
 +	/* Getting the current interface index. */
 +	if ((dev_out = dev_get_by_name(route_info->iif)))
 +		ifindex = dev_out->ifindex;
-+	else 
++	else {
 +		/* Unknown interface name : packet dropped */
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: iif interface %s not found\n", route_info->oif);
 +		return NF_DROP;
-+
-+	DEBUGP(KERN_DEBUG "iif index of %s is %i\n", route_info->iif, ifindex);
++	}
 +
 +	skb->dev = dev_out;
 +	dst_release(skb->dst);
@@ -251,12 +263,11 @@
 +	if (route(skb, 0, route_info)!=1)
 +		return NF_DROP;
 +
-+	DEBUGP(KERN_DEBUG "ROUTE gw ok, skb->dev->index=%i\n",
-+	       skb->dev->ifindex);
-+
-+	ip_direct_send(skb);
-+
-+	return NF_STOLEN;
++	if (route_info->flags & IPT_ROUTE_FORCE) {
++		ip_direct_send(skb);
++		return NF_STOLEN;
++	} else
++		return IPT_CONTINUE;
 +}
 +
 +
@@ -308,12 +319,14 @@
 +	 * when a packet is leaving with dst address == our address.
 +	 * Good idea ? Dunno. Need advice.
 +	 */
-+	nf_conntrack_put(skb->nfct);
-+	skb->nfct = NULL;
-+	skb->nfcache = 0;
++	if (route_info->flags & IPT_ROUTE_FORCE) {
++		nf_conntrack_put(skb->nfct);
++		skb->nfct = NULL;
++		skb->nfcache = 0;
 +#ifdef CONFIG_NETFILTER_DEBUG
-+	skb->nf_debug = 0;
++		skb->nf_debug = 0;
 +#endif
++	}
 +
 +	if (route_info->oif[0]) 
 +		return route_oif(route_info, *pskb);
@@ -324,8 +337,10 @@
 +	if (route_info->gw) 
 +		return route_gw(route_info, *pskb);
 +
-+	DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
-+	return NF_ACCEPT;
++	if (net_ratelimit()) 
++		DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
++
++	return IPT_CONTINUE;
 +}
 +
 +
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.config.in netfilter/patch-o-matic/extra/ROUTE.patch.config.in
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.config.in	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.config.in	2003-06-24 12:46:28.000000000 +0200
@@ -1,2 +1,2 @@
-  dep_tristate '  LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
-  dep_tristate '  ROUTE target support' CONFIG_IP_NF_TARGET_ROUTE $CONFIG_IP_NF_IPTABLES
+    dep_tristate '    MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
+    dep_tristate '    ROUTE target support' CONFIG_IP_NF_TARGET_ROUTE $CONFIG_IP_NF_MANGLE
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.configure.help netfilter/patch-o-matic/extra/ROUTE.patch.configure.help
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.configure.help	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.configure.help	2003-06-24 11:33:25.000000000 +0200
@@ -8,8 +8,8 @@
   packet is the router itself. The ROUTE target is also able to change the 
   incoming interface of a packet.
 
-  This target does never modify the packet and is a final target.
-  It has to be used inside the mangle table.
+  The target can be or not a final target and has to be used inside the 
+  mangle table.
 
   
   If you want to compile it as a module, say M here and read
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.help netfilter/patch-o-matic/extra/ROUTE.patch.help
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.help	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.help	2003-06-24 12:35:59.000000000 +0200
@@ -8,24 +8,29 @@
   packet is the router itself. The ROUTE target is also able to change the 
   incoming interface of a packet.
 
-  This target does never modify the packet and is a final target.
-  It has to be used inside the mangle table.
+  The target has to be used inside the mangle table.
 
   ROUTE target options:
-    --oif   ifname    Send the packet out using `ifname' network interface.
+    --oif   ifname    Route the packet through `ifname' network interface
     --iif   ifname    Change the packet's incoming interface to `ifname'.
     --gw    ip        Route the packet via this gateway.
+    --force           Force the use of the interface and send the packet.
+
+  The --force option can be used together with --oif or --gw. When using
+  this option, the target becomes a final target. Otherwise, the route
+  is simply set for the packet.
 
   Examples :
 
-  To redirect all outgoing icmp packet to the eth1 interface :
-  # iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1
+  To force all outgoing icmp packet to go through the eth1 interface 
+  (final target) :
+  # iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1 --force
 
   To tunnel all incoming http packets :
   # iptables -A PREROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1
 
-  To force the next-hop used for ssh packets :
-  # iptables -A PREROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z
+  To change the the next-hop used for ssh packets :
+  # iptables -A POSTROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z
 
   To change the incoming network interface from eth0 to eth1 for icmp packets :
   # iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1
diff -Nru netfilter.orig/userspace/extensions/libipt_ROUTE.c netfilter/userspace/extensions/libipt_ROUTE.c
--- netfilter.orig/userspace/extensions/libipt_ROUTE.c	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/userspace/extensions/libipt_ROUTE.c	2003-06-24 15:19:48.000000000 +0200
@@ -1,5 +1,6 @@
 /* Shared library add-on to iptables to add ROUTE target support.
- * Author : Cédric de Launois, <delaunois@info.ucl.ac.be>
+ * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
+ * v 1.8 2003/06/24
  */
 
 #include <stdio.h>
@@ -20,17 +21,19 @@
 {
 	printf(
 "ROUTE target v%s options:\n"
-"  --oif   \tifname \t\tSend the packet out using `ifname' network interface\n"
+"  --oif   \tifname \t\tRoute the packet through `ifname' network interface\n"
 "  --iif   \tifname \t\tChange the packet's incoming interface to `ifname'\n"
 "  --gw    \tip     \t\tRoute the packet via this gateway\n"
+"  --force \t       \t\tForce the use of the interface and send the packet\n"
 "\n",
-IPTABLES_VERSION);
+"1.8");
 }
 
 static struct option opts[] = {
 	{ "oif", 1, 0, '1' },
 	{ "iif", 1, 0, '2' },
 	{ "gw", 1, 0, '3' },
+	{ "force", 0, 0, '4' },
 	{ 0 }
 };
 
@@ -44,6 +47,7 @@
 	route_info->oif[0] = '\0';
 	route_info->iif[0] = '\0';
 	route_info->gw = 0;
+	route_info->flags = 0;
 }
 
 
@@ -111,6 +115,10 @@
 		*flags |= IPT_ROUTE_OPT_GW;
 		break;
 
+	case '4':
+		route_info->flags |= IPT_ROUTE_FORCE;
+		break;
+
 	default:
 		return 0;
 	}
@@ -124,7 +132,7 @@
 {
 	if (!flags)
 		exit_error(PARAMETER_PROBLEM,
-		           "ROUTE target: one parameter is required");
+		           "ROUTE target: a oif, iif or gw parameter is required");
 }
 
 
@@ -149,6 +157,10 @@
 		struct in_addr ip = { route_info->gw };
 		printf("gw %s ", inet_ntoa(ip));
 	}
+
+	if (route_info->flags & IPT_ROUTE_FORCE)
+		printf("force");
+
 }
 
 
@@ -168,6 +180,9 @@
 		struct in_addr ip = { route_info->gw };
 		printf("--gw %s ", inet_ntoa(ip));
 	}
+
+	if (route_info->flags & IPT_ROUTE_FORCE)
+		printf("--force ");
 }
 
 

[PATCH] [RESEND] ROUTE target

[Cedric de Launois]

[-- Attachment #1: Type: text/plain, Size: 996 bytes --]

This is a resend of the ROUTE patch I sent nearly one month ago.
Please apply or give me comments.

Cedric

Le mar 24/06/2003 à 16:42, Cedric de Launois a écrit :
> Hi !
> 
> Here is a new version of the ROUTE target. Following discussions,
> it seems that there is a need to make the ROUTE target also a
> non-final target. So I added a new option --force. When not using
> this option, the behaviour is to set the route and continue traversal.
> When using this option, the behaviour is as before, i.e. the packet
> is sent and the packet is stolen. This remains useful when we have
> to force the use of an interface (rather unfrequent).
> 
> Changes :
> - ipt_ROUTE.c : 
>      added --force option
>      cosmetic changes
> - ipt_ROUTE.h : added --force option
> - libipt_ROUTE.c : added --force option
> - ROUTE.patch.config.in : target kernel option now depends on
>      CONFIG_IP_NF_MANGLE kernel option
> 
> The patch is against current cvs.
> 
> Cedric
> 

[-- Attachment #2: ROUTE.cvs.patch --]
[-- Type: text/x-patch, Size: 14268 bytes --]

diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch netfilter/patch-o-matic/extra/ROUTE.patch
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch	2003-06-24 15:22:19.000000000 +0200
@@ -1,7 +1,7 @@
 diff -Nru linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h linux/include/linux/netfilter_ipv4/ipt_ROUTE.h
---- linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h	Thu Jan  1 01:00:00 1970
-+++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h	Tue Dec 17 16:49:04 2002
-@@ -0,0 +1,18 @@
+--- linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h	1970-01-01 01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h	2003-06-24 10:40:54.000000000 +0200
+@@ -0,0 +1,22 @@
 +/* Header file for iptables ipt_ROUTE target
 + *
 + * (C) 2002 by Cédric de Launois <delaunois@info.ucl.ac.be>
@@ -14,23 +14,27 @@
 +#define IPT_ROUTE_IFNAMSIZ 16
 +
 +struct ipt_route_target_info {
-+	char oif[IPT_ROUTE_IFNAMSIZ];
-+	char iif[IPT_ROUTE_IFNAMSIZ];
-+	unsigned int gw;
++	char      oif[IPT_ROUTE_IFNAMSIZ];      /* Output Interface Name */
++	char      iif[IPT_ROUTE_IFNAMSIZ];      /* Input Interface Name  */
++	u_int32_t gw;                           /* IP address of gateway */
++	u_int8_t  flags;
 +};
 +
++/* Values for "flags" field */
++#define IPT_ROUTE_FORCE        0x01
++
 +#endif /*_IPT_ROUTE_H_target*/
 diff -Nru linux.orig/net/ipv4/netfilter/ipt_ROUTE.c linux/net/ipv4/netfilter/ipt_ROUTE.c
---- linux.orig/net/ipv4/netfilter/ipt_ROUTE.c	Thu Jan  1 01:00:00 1970
-+++ linux/net/ipv4/netfilter/ipt_ROUTE.c	Wed Feb 26 17:25:39 2003
-@@ -0,0 +1,359 @@
+--- linux.orig/net/ipv4/netfilter/ipt_ROUTE.c	1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ipt_ROUTE.c	2003-06-24 15:19:15.000000000 +0200
+@@ -0,0 +1,370 @@
 +/*
 + * This implements the ROUTE target, which enables you to setup unusual
 + * routes not supported by the standard kernel routing table.
 + *
 + * Copyright (C) 2002 Cedric de Launois <delaunois@info.ucl.ac.be>
 + *
-+ * v 1.6 2003/02/26
++ * v 1.8 2003/06/24
 + *
 + * This software is distributed under GNU GPL v2, 1991
 + */
@@ -56,7 +60,7 @@
 +/* Try to route the packet according to the routing keys specified in
 + * route_info. Keys are :
 + *  - ifindex : 
-+ *      0 if no oif prefered, 
++ *      0 if no oif preferred, 
 + *      otherwise set to the index of the desired oif
 + *  - route_info->gw :
 + *      0 if no gateway specified,
@@ -88,9 +92,10 @@
 +	if (route_info->gw)
 +		key.dst = route_info->gw;
 +	
-+	/* Trying to route the packet with the standard routing table. */
++	/* Trying to route the packet using the standard routing table. */
 +	if ((err = ip_route_output_key(&rt, &key))) {
-+		DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
 +		return -1;
 +	}
 +	
@@ -101,7 +106,6 @@
 +	/* Success if no oif specified or if the oif correspond to the 
 +	 * one desired */
 +	if (!ifindex || rt->u.dst.dev->ifindex == ifindex) {
-+		/* Drop old route. */
 +		skb->dst = &rt->u.dst;
 +		skb->dev = skb->dst->dev;
 +		return 1;
@@ -111,8 +115,9 @@
 +	 * specified by the user. This may happen because the dst address
 +	 * is one of our own addresses.
 +	 */
-+	DEBUGP("ipt_ROUTE: failed to route as desired (oif: %i)", 
-+	       rt->u.dst.dev->ifindex);
++	if (net_ratelimit()) 
++		DEBUGP("ipt_ROUTE: failed to route as desired gw=%u.%u.%u.%u oif=%i (got oif=%i)\n", 
++		       NIPQUAD(route_info->gw), ifindex, rt->u.dst.dev->ifindex);
 +	
 +	return 0;
 +}
@@ -159,64 +164,70 @@
 +static unsigned int route_oif(const struct ipt_route_target_info *route_info,
 +			      struct sk_buff *skb) 
 +{
-+	int err;
 +	unsigned int ifindex = 0;
 +	struct net_device *dev_out = NULL;
 +
 +	/* The user set the interface name to use.
 +	 * Getting the current interface index.
 +	 */
-+	if ((dev_out = dev_get_by_name(route_info->oif)))
++	if ((dev_out = dev_get_by_name(route_info->oif))) {
 +		ifindex = dev_out->ifindex;
-+	else 
++	} else {
 +		/* Unknown interface name : packet dropped */
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: oif interface %s not found\n", route_info->oif);
 +		return NF_DROP;
-+	
-+	DEBUGP(KERN_DEBUG "oif index of %s is %i\n", route_info->oif, ifindex);
-+
-+
-+	/* Trying the standard way of routing packets */
-+	err = route(skb, ifindex, route_info);
-+	if (err==1) {
-+		DEBUGP(KERN_DEBUG "ROUTE oif ok, skb->dev->index=%i\n",
-+		       skb->dev->ifindex);
-+
-+		dev_put(dev_out);
-+		ip_direct_send(skb);
-+		return NF_STOLEN;
 +	}
 +
-+	if (err) {
++	/* Trying the standard way of routing packets */
++	switch (route(skb, ifindex, route_info)) {
++	case 1:
 +		dev_put(dev_out);
-+		return NF_DROP;
-+	}
++		if (route_info->flags & IPT_ROUTE_FORCE) {
++			ip_direct_send(skb);
++			return NF_STOLEN;
++		}
 +
-+	/* Failed to send to oif. Trying the hard way */
++		return IPT_CONTINUE;
 +
-+	DEBUGP(KERN_DEBUG "HARD ROUTING\n");
++	case 0:
++		/* Failed to send to oif. Trying the hard way */
++		if (!(route_info->flags & IPT_ROUTE_FORCE))
++			return NF_DROP;
 +
-+	/* We have to force the use of an interface.
-+	 * This interface must be a tunnel interface since
-+	 * otherwise we can't guess the hw address for
-+	 * the packet. For a tunnel interface, no hw address
-+	 * is needed.
-+	 */
-+	if ((dev_out->type != ARPHRD_TUNNEL)
-+	    && (dev_out->type != ARPHRD_IPGRE)) {
-+		DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: forcing the use of %i\n",
++			       ifindex);
++
++		/* We have to force the use of an interface.
++		 * This interface must be a tunnel interface since
++		 * otherwise we can't guess the hw address for
++		 * the packet. For a tunnel interface, no hw address
++		 * is needed.
++		 */
++		if ((dev_out->type != ARPHRD_TUNNEL)
++		    && (dev_out->type != ARPHRD_IPGRE)) {
++			if (net_ratelimit()) 
++				DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
++			dev_put(dev_out);
++			return NF_DROP;
++		}
++	
++		/* Send the packet. This will also free skb
++		 * Do not go through the POST_ROUTING hook because 
++		 * skb->dst is not set and because it will probably
++		 * get confused by the destination IP address.
++		 */
++		skb->dev = dev_out;
++		dev_direct_send(skb);
++		dev_put(dev_out);
++		return NF_STOLEN;
++		
++	default:
++		/* Unexpected error */
 +		dev_put(dev_out);
 +		return NF_DROP;
 +	}
-+	
-+	/* Send the packet. This will also free skb
-+	 * Do not go through the POST_ROUTING hook because 
-+	 * skb->dst is not set and because it will probably
-+	 * get confused by the destination IP address.
-+	 */
-+	skb->dev = dev_out;
-+	dev_direct_send(skb);
-+	dev_put(dev_out);
-+	return NF_STOLEN;
 +}
 +
 +
@@ -229,11 +240,12 @@
 +	/* Getting the current interface index. */
 +	if ((dev_out = dev_get_by_name(route_info->iif)))
 +		ifindex = dev_out->ifindex;
-+	else 
++	else {
 +		/* Unknown interface name : packet dropped */
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: iif interface %s not found\n", route_info->oif);
 +		return NF_DROP;
-+
-+	DEBUGP(KERN_DEBUG "iif index of %s is %i\n", route_info->iif, ifindex);
++	}
 +
 +	skb->dev = dev_out;
 +	dst_release(skb->dst);
@@ -251,12 +263,11 @@
 +	if (route(skb, 0, route_info)!=1)
 +		return NF_DROP;
 +
-+	DEBUGP(KERN_DEBUG "ROUTE gw ok, skb->dev->index=%i\n",
-+	       skb->dev->ifindex);
-+
-+	ip_direct_send(skb);
-+
-+	return NF_STOLEN;
++	if (route_info->flags & IPT_ROUTE_FORCE) {
++		ip_direct_send(skb);
++		return NF_STOLEN;
++	} else
++		return IPT_CONTINUE;
 +}
 +
 +
@@ -308,12 +319,14 @@
 +	 * when a packet is leaving with dst address == our address.
 +	 * Good idea ? Dunno. Need advice.
 +	 */
-+	nf_conntrack_put(skb->nfct);
-+	skb->nfct = NULL;
-+	skb->nfcache = 0;
++	if (route_info->flags & IPT_ROUTE_FORCE) {
++		nf_conntrack_put(skb->nfct);
++		skb->nfct = NULL;
++		skb->nfcache = 0;
 +#ifdef CONFIG_NETFILTER_DEBUG
-+	skb->nf_debug = 0;
++		skb->nf_debug = 0;
 +#endif
++	}
 +
 +	if (route_info->oif[0]) 
 +		return route_oif(route_info, *pskb);
@@ -324,8 +337,10 @@
 +	if (route_info->gw) 
 +		return route_gw(route_info, *pskb);
 +
-+	DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
-+	return NF_ACCEPT;
++	if (net_ratelimit()) 
++		DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
++
++	return IPT_CONTINUE;
 +}
 +
 +
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.config.in netfilter/patch-o-matic/extra/ROUTE.patch.config.in
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.config.in	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.config.in	2003-06-24 12:46:28.000000000 +0200
@@ -1,2 +1,2 @@
-  dep_tristate '  LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
-  dep_tristate '  ROUTE target support' CONFIG_IP_NF_TARGET_ROUTE $CONFIG_IP_NF_IPTABLES
+    dep_tristate '    MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
+    dep_tristate '    ROUTE target support' CONFIG_IP_NF_TARGET_ROUTE $CONFIG_IP_NF_MANGLE
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.configure.help netfilter/patch-o-matic/extra/ROUTE.patch.configure.help
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.configure.help	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.configure.help	2003-06-24 11:33:25.000000000 +0200
@@ -8,8 +8,8 @@
   packet is the router itself. The ROUTE target is also able to change the 
   incoming interface of a packet.
 
-  This target does never modify the packet and is a final target.
-  It has to be used inside the mangle table.
+  The target can be or not a final target and has to be used inside the 
+  mangle table.
 
   
   If you want to compile it as a module, say M here and read
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.help netfilter/patch-o-matic/extra/ROUTE.patch.help
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.help	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.help	2003-06-24 12:35:59.000000000 +0200
@@ -8,24 +8,29 @@
   packet is the router itself. The ROUTE target is also able to change the 
   incoming interface of a packet.
 
-  This target does never modify the packet and is a final target.
-  It has to be used inside the mangle table.
+  The target has to be used inside the mangle table.
 
   ROUTE target options:
-    --oif   ifname    Send the packet out using `ifname' network interface.
+    --oif   ifname    Route the packet through `ifname' network interface
     --iif   ifname    Change the packet's incoming interface to `ifname'.
     --gw    ip        Route the packet via this gateway.
+    --force           Force the use of the interface and send the packet.
+
+  The --force option can be used together with --oif or --gw. When using
+  this option, the target becomes a final target. Otherwise, the route
+  is simply set for the packet.
 
   Examples :
 
-  To redirect all outgoing icmp packet to the eth1 interface :
-  # iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1
+  To force all outgoing icmp packet to go through the eth1 interface 
+  (final target) :
+  # iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1 --force
 
   To tunnel all incoming http packets :
   # iptables -A PREROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1
 
-  To force the next-hop used for ssh packets :
-  # iptables -A PREROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z
+  To change the the next-hop used for ssh packets :
+  # iptables -A POSTROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z
 
   To change the incoming network interface from eth0 to eth1 for icmp packets :
   # iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1
diff -Nru netfilter.orig/userspace/extensions/libipt_ROUTE.c netfilter/userspace/extensions/libipt_ROUTE.c
--- netfilter.orig/userspace/extensions/libipt_ROUTE.c	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/userspace/extensions/libipt_ROUTE.c	2003-06-24 15:19:48.000000000 +0200
@@ -1,5 +1,6 @@
 /* Shared library add-on to iptables to add ROUTE target support.
- * Author : Cédric de Launois, <delaunois@info.ucl.ac.be>
+ * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
+ * v 1.8 2003/06/24
  */
 
 #include <stdio.h>
@@ -20,17 +21,19 @@
 {
 	printf(
 "ROUTE target v%s options:\n"
-"  --oif   \tifname \t\tSend the packet out using `ifname' network interface\n"
+"  --oif   \tifname \t\tRoute the packet through `ifname' network interface\n"
 "  --iif   \tifname \t\tChange the packet's incoming interface to `ifname'\n"
 "  --gw    \tip     \t\tRoute the packet via this gateway\n"
+"  --force \t       \t\tForce the use of the interface and send the packet\n"
 "\n",
-IPTABLES_VERSION);
+"1.8");
 }
 
 static struct option opts[] = {
 	{ "oif", 1, 0, '1' },
 	{ "iif", 1, 0, '2' },
 	{ "gw", 1, 0, '3' },
+	{ "force", 0, 0, '4' },
 	{ 0 }
 };
 
@@ -44,6 +47,7 @@
 	route_info->oif[0] = '\0';
 	route_info->iif[0] = '\0';
 	route_info->gw = 0;
+	route_info->flags = 0;
 }
 
 
@@ -111,6 +115,10 @@
 		*flags |= IPT_ROUTE_OPT_GW;
 		break;
 
+	case '4':
+		route_info->flags |= IPT_ROUTE_FORCE;
+		break;
+
 	default:
 		return 0;
 	}
@@ -124,7 +132,7 @@
 {
 	if (!flags)
 		exit_error(PARAMETER_PROBLEM,
-		           "ROUTE target: one parameter is required");
+		           "ROUTE target: a oif, iif or gw parameter is required");
 }
 
 
@@ -149,6 +157,10 @@
 		struct in_addr ip = { route_info->gw };
 		printf("gw %s ", inet_ntoa(ip));
 	}
+
+	if (route_info->flags & IPT_ROUTE_FORCE)
+		printf("force");
+
 }
 
 
@@ -168,6 +180,9 @@
 		struct in_addr ip = { route_info->gw };
 		printf("--gw %s ", inet_ntoa(ip));
 	}
+
+	if (route_info->flags & IPT_ROUTE_FORCE)
+		printf("--force ");
 }
 
 

Re: [PATCH] [RESEND] ROUTE target

[Martin Josefsson]

On Fri, 2003-07-18 at 10:37, Cedric de Launois wrote:
> This is a resend of the ROUTE patch I sent nearly one month ago.
> Please apply or give me comments.
> 
> Cedric
> 
> Le mar 24/06/2003 à 16:42, Cedric de Launois a écrit :
> > Hi !
> > 
> > Here is a new version of the ROUTE target. Following discussions,
> > it seems that there is a need to make the ROUTE target also a
> > non-final target. So I added a new option --force. When not using
> > this option, the behaviour is to set the route and continue traversal.
> > When using this option, the behaviour is as before, i.e. the packet
> > is sent and the packet is stolen. This remains useful when we have
> > to force the use of an interface (rather unfrequent).

My concern is that even though this target isn't included in the kernel
it's a bad idea to change the current behaviour if it can be avoidable.
I mean this target has existed in pom for quite some time (just over 1
year) and if the behaviour changes it might make for some surprises for
its users. Sure the options has changed names over time but that's the
sort of change that users notice quite easily. A subtle change that
suddenly continues traversing rules might lead to weird things.

It's your target but I'd like you to think about this and maybe rename
the new option and leave the default as is.

-- 
/Martin

Re: [PATCH] [RESEND] ROUTE target

[Cedric de Launois]

Le dim 20/07/2003 à 20:15, Martin Josefsson a écrit :
> On Fri, 2003-07-18 at 10:37, Cedric de Launois wrote:
> > This is a resend of the ROUTE patch I sent nearly one month ago.
> > Please apply or give me comments.
> > 
> > Cedric
> > 
> > Le mar 24/06/2003 à 16:42, Cedric de Launois a écrit :
> > > Hi !
> > > 
> > > Here is a new version of the ROUTE target. Following discussions,
> > > it seems that there is a need to make the ROUTE target also a
> > > non-final target. So I added a new option --force. When not using
> > > this option, the behaviour is to set the route and continue traversal.
> > > When using this option, the behaviour is as before, i.e. the packet
> > > is sent and the packet is stolen. This remains useful when we have
> > > to force the use of an interface (rather unfrequent).
> 
> My concern is that even though this target isn't included in the kernel
> it's a bad idea to change the current behaviour if it can be avoidable.
> I mean this target has existed in pom for quite some time (just over 1
> year) and if the behaviour changes it might make for some surprises for
> its users. Sure the options has changed names over time but that's the
> sort of change that users notice quite easily. A subtle change that
> suddenly continues traversing rules might lead to weird things.
> 
> It's your target but I'd like you to think about this and maybe rename
> the new option and leave the default as is.

My concern is that the current behaviour is perhaps not the most logical
one. But you're certainly right. I'll submit a modified patch later.

Thanks for your comment.

Cedric

[PATCH] corrected ROUTE target

[Cedric de Launois]

[-- Attachment #1: Type: text/plain, Size: 1592 bytes --]

Le dim 20/07/2003 à 20:15, Martin Josefsson a écrit :
> > Le mar 24/06/2003 à 16:42, Cedric de Launois a écrit :
> > > Hi !
> > > 
> > > Here is a new version of the ROUTE target. Following discussions,
> > > it seems that there is a need to make the ROUTE target also a
> > > non-final target. So I added a new option --force. When not using
> > > this option, the behaviour is to set the route and continue traversal.
> > > When using this option, the behaviour is as before, i.e. the packet
> > > is sent and the packet is stolen. This remains useful when we have
> > > to force the use of an interface (rather unfrequent).
> 
> My concern is that even though this target isn't included in the kernel
> it's a bad idea to change the current behaviour if it can be avoidable.
> I mean this target has existed in pom for quite some time (just over 1
> year) and if the behaviour changes it might make for some surprises for
> its users. Sure the options has changed names over time but that's the
> sort of change that users notice quite easily. A subtle change that
> suddenly continues traversing rules might lead to weird things.
> 
> It's your target but I'd like you to think about this and maybe rename
> the new option and leave the default as is.

Ok. So here is the ROUTE patch that preserves the old behaviour.
The new option is called --continue. When using it, the packet is routed
and then continues travering the rules. If the option is not used, the
behaviour is as before (i.e. the packet is sent).

The patch is against current cvs.

Cedric


[-- Attachment #2: ROUTE.cvs.patch --]
[-- Type: text/x-patch, Size: 13444 bytes --]

diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch netfilter/patch-o-matic/extra/ROUTE.patch
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch	2003-07-25 10:38:03.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch	2003-07-25 11:37:50.000000000 +0200
@@ -1,7 +1,7 @@
 diff -Nru linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h linux/include/linux/netfilter_ipv4/ipt_ROUTE.h
---- linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h	Thu Jan  1 01:00:00 1970
-+++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h	Tue Dec 17 16:49:04 2002
-@@ -0,0 +1,18 @@
+--- linux.orig/include/linux/netfilter_ipv4/ipt_ROUTE.h	1970-01-01 01:00:00.000000000 +0100
++++ linux/include/linux/netfilter_ipv4/ipt_ROUTE.h	2003-07-25 11:05:27.000000000 +0200
+@@ -0,0 +1,22 @@
 +/* Header file for iptables ipt_ROUTE target
 + *
 + * (C) 2002 by Cédric de Launois <delaunois@info.ucl.ac.be>
@@ -14,23 +14,27 @@
 +#define IPT_ROUTE_IFNAMSIZ 16
 +
 +struct ipt_route_target_info {
-+	char oif[IPT_ROUTE_IFNAMSIZ];
-+	char iif[IPT_ROUTE_IFNAMSIZ];
-+	unsigned int gw;
++	char      oif[IPT_ROUTE_IFNAMSIZ];      /* Output Interface Name */
++	char      iif[IPT_ROUTE_IFNAMSIZ];      /* Input Interface Name  */
++	u_int32_t gw;                           /* IP address of gateway */
++	u_int8_t  flags;
 +};
 +
++/* Values for "flags" field */
++#define IPT_ROUTE_CONTINUE        0x01
++
 +#endif /*_IPT_ROUTE_H_target*/
 diff -Nru linux.orig/net/ipv4/netfilter/ipt_ROUTE.c linux/net/ipv4/netfilter/ipt_ROUTE.c
---- linux.orig/net/ipv4/netfilter/ipt_ROUTE.c	Thu Jan  1 01:00:00 1970
-+++ linux/net/ipv4/netfilter/ipt_ROUTE.c	Wed Feb 26 17:25:39 2003
-@@ -0,0 +1,359 @@
+--- linux.orig/net/ipv4/netfilter/ipt_ROUTE.c	1970-01-01 01:00:00.000000000 +0100
++++ linux/net/ipv4/netfilter/ipt_ROUTE.c	2003-07-25 11:07:47.000000000 +0200
+@@ -0,0 +1,369 @@
 +/*
 + * This implements the ROUTE target, which enables you to setup unusual
 + * routes not supported by the standard kernel routing table.
 + *
 + * Copyright (C) 2002 Cedric de Launois <delaunois@info.ucl.ac.be>
 + *
-+ * v 1.6 2003/02/26
++ * v 1.8 2003/07/25
 + *
 + * This software is distributed under GNU GPL v2, 1991
 + */
@@ -56,7 +60,7 @@
 +/* Try to route the packet according to the routing keys specified in
 + * route_info. Keys are :
 + *  - ifindex : 
-+ *      0 if no oif prefered, 
++ *      0 if no oif preferred, 
 + *      otherwise set to the index of the desired oif
 + *  - route_info->gw :
 + *      0 if no gateway specified,
@@ -88,9 +92,10 @@
 +	if (route_info->gw)
 +		key.dst = route_info->gw;
 +	
-+	/* Trying to route the packet with the standard routing table. */
++	/* Trying to route the packet using the standard routing table. */
 +	if ((err = ip_route_output_key(&rt, &key))) {
-+		DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: couldn't route pkt (err: %i)",err);
 +		return -1;
 +	}
 +	
@@ -101,7 +106,6 @@
 +	/* Success if no oif specified or if the oif correspond to the 
 +	 * one desired */
 +	if (!ifindex || rt->u.dst.dev->ifindex == ifindex) {
-+		/* Drop old route. */
 +		skb->dst = &rt->u.dst;
 +		skb->dev = skb->dst->dev;
 +		return 1;
@@ -111,8 +115,9 @@
 +	 * specified by the user. This may happen because the dst address
 +	 * is one of our own addresses.
 +	 */
-+	DEBUGP("ipt_ROUTE: failed to route as desired (oif: %i)", 
-+	       rt->u.dst.dev->ifindex);
++	if (net_ratelimit()) 
++		DEBUGP("ipt_ROUTE: failed to route as desired gw=%u.%u.%u.%u oif=%i (got oif=%i)\n", 
++		       NIPQUAD(route_info->gw), ifindex, rt->u.dst.dev->ifindex);
 +	
 +	return 0;
 +}
@@ -159,64 +164,69 @@
 +static unsigned int route_oif(const struct ipt_route_target_info *route_info,
 +			      struct sk_buff *skb) 
 +{
-+	int err;
 +	unsigned int ifindex = 0;
 +	struct net_device *dev_out = NULL;
 +
 +	/* The user set the interface name to use.
 +	 * Getting the current interface index.
 +	 */
-+	if ((dev_out = dev_get_by_name(route_info->oif)))
++	if ((dev_out = dev_get_by_name(route_info->oif))) {
 +		ifindex = dev_out->ifindex;
-+	else 
++	} else {
 +		/* Unknown interface name : packet dropped */
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: oif interface %s not found\n", route_info->oif);
 +		return NF_DROP;
-+	
-+	DEBUGP(KERN_DEBUG "oif index of %s is %i\n", route_info->oif, ifindex);
-+
++	}
 +
 +	/* Trying the standard way of routing packets */
-+	err = route(skb, ifindex, route_info);
-+	if (err==1) {
-+		DEBUGP(KERN_DEBUG "ROUTE oif ok, skb->dev->index=%i\n",
-+		       skb->dev->ifindex);
-+
++	switch (route(skb, ifindex, route_info)) {
++	case 1:
 +		dev_put(dev_out);
++		if (route_info->flags & IPT_ROUTE_CONTINUE)
++			return IPT_CONTINUE;
++
 +		ip_direct_send(skb);
 +		return NF_STOLEN;
-+	}
 +
-+	if (err) {
-+		dev_put(dev_out);
-+		return NF_DROP;
-+	}
-+
-+	/* Failed to send to oif. Trying the hard way */
-+
-+	DEBUGP(KERN_DEBUG "HARD ROUTING\n");
++	case 0:
++		/* Failed to send to oif. Trying the hard way */
++		if (route_info->flags & IPT_ROUTE_CONTINUE)
++			return NF_DROP;
 +
-+	/* We have to force the use of an interface.
-+	 * This interface must be a tunnel interface since
-+	 * otherwise we can't guess the hw address for
-+	 * the packet. For a tunnel interface, no hw address
-+	 * is needed.
-+	 */
-+	if ((dev_out->type != ARPHRD_TUNNEL)
-+	    && (dev_out->type != ARPHRD_IPGRE)) {
-+		DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: forcing the use of %i\n",
++			       ifindex);
++
++		/* We have to force the use of an interface.
++		 * This interface must be a tunnel interface since
++		 * otherwise we can't guess the hw address for
++		 * the packet. For a tunnel interface, no hw address
++		 * is needed.
++		 */
++		if ((dev_out->type != ARPHRD_TUNNEL)
++		    && (dev_out->type != ARPHRD_IPGRE)) {
++			if (net_ratelimit()) 
++				DEBUGP("ipt_ROUTE: can't guess the hw addr !\n");
++			dev_put(dev_out);
++			return NF_DROP;
++		}
++	
++		/* Send the packet. This will also free skb
++		 * Do not go through the POST_ROUTING hook because 
++		 * skb->dst is not set and because it will probably
++		 * get confused by the destination IP address.
++		 */
++		skb->dev = dev_out;
++		dev_direct_send(skb);
++		dev_put(dev_out);
++		return NF_STOLEN;
++		
++	default:
++		/* Unexpected error */
 +		dev_put(dev_out);
 +		return NF_DROP;
 +	}
-+	
-+	/* Send the packet. This will also free skb
-+	 * Do not go through the POST_ROUTING hook because 
-+	 * skb->dst is not set and because it will probably
-+	 * get confused by the destination IP address.
-+	 */
-+	skb->dev = dev_out;
-+	dev_direct_send(skb);
-+	dev_put(dev_out);
-+	return NF_STOLEN;
 +}
 +
 +
@@ -229,11 +239,12 @@
 +	/* Getting the current interface index. */
 +	if ((dev_out = dev_get_by_name(route_info->iif)))
 +		ifindex = dev_out->ifindex;
-+	else 
++	else {
 +		/* Unknown interface name : packet dropped */
++		if (net_ratelimit()) 
++			DEBUGP("ipt_ROUTE: iif interface %s not found\n", route_info->oif);
 +		return NF_DROP;
-+
-+	DEBUGP(KERN_DEBUG "iif index of %s is %i\n", route_info->iif, ifindex);
++	}
 +
 +	skb->dev = dev_out;
 +	dst_release(skb->dst);
@@ -251,11 +262,10 @@
 +	if (route(skb, 0, route_info)!=1)
 +		return NF_DROP;
 +
-+	DEBUGP(KERN_DEBUG "ROUTE gw ok, skb->dev->index=%i\n",
-+	       skb->dev->ifindex);
++	if (route_info->flags & IPT_ROUTE_CONTINUE)
++		return IPT_CONTINUE;
 +
 +	ip_direct_send(skb);
-+
 +	return NF_STOLEN;
 +}
 +
@@ -308,12 +318,14 @@
 +	 * when a packet is leaving with dst address == our address.
 +	 * Good idea ? Dunno. Need advice.
 +	 */
-+	nf_conntrack_put(skb->nfct);
-+	skb->nfct = NULL;
-+	skb->nfcache = 0;
++	if (!(route_info->flags & IPT_ROUTE_CONTINUE)) {
++		nf_conntrack_put(skb->nfct);
++		skb->nfct = NULL;
++		skb->nfcache = 0;
 +#ifdef CONFIG_NETFILTER_DEBUG
-+	skb->nf_debug = 0;
++		skb->nf_debug = 0;
 +#endif
++	}
 +
 +	if (route_info->oif[0]) 
 +		return route_oif(route_info, *pskb);
@@ -324,8 +336,10 @@
 +	if (route_info->gw) 
 +		return route_gw(route_info, *pskb);
 +
-+	DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
-+	return NF_ACCEPT;
++	if (net_ratelimit()) 
++		DEBUGP(KERN_DEBUG "ipt_ROUTE: no parameter !\n");
++
++	return IPT_CONTINUE;
 +}
 +
 +
diff -Nru netfilter.orig/userspace/extensions/libipt_ROUTE.c netfilter/userspace/extensions/libipt_ROUTE.c
--- netfilter.orig/userspace/extensions/libipt_ROUTE.c	2003-06-24 15:10:12.000000000 +0200
+++ netfilter/userspace/extensions/libipt_ROUTE.c	2003-07-25 11:24:35.000000000 +0200
@@ -1,5 +1,6 @@
 /* Shared library add-on to iptables to add ROUTE target support.
- * Author : Cédric de Launois, <delaunois@info.ucl.ac.be>
+ * Author : Cedric de Launois, <delaunois@info.ucl.ac.be>
+ * v 1.8 2003/06/24
  */
 
 #include <stdio.h>
@@ -20,17 +21,20 @@
 {
 	printf(
 "ROUTE target v%s options:\n"
-"  --oif   \tifname \t\tSend the packet out using `ifname' network interface\n"
-"  --iif   \tifname \t\tChange the packet's incoming interface to `ifname'\n"
-"  --gw    \tip     \t\tRoute the packet via this gateway\n"
+"    --oif   \tifname \t\tRoute the packet through `ifname' network interface\n"
+"    --iif   \tifname \t\tChange the packet's incoming interface to `ifname'\n"
+"    --gw    \tip     \t\tRoute the packet via this gateway\n"
+"    --continue\t     \t\tRoute the packet and continue traversing the\n"
+"            \t       \t\trules. Not valid with --iif.\n"
 "\n",
-IPTABLES_VERSION);
+"1.8");
 }
 
 static struct option opts[] = {
 	{ "oif", 1, 0, '1' },
 	{ "iif", 1, 0, '2' },
 	{ "gw", 1, 0, '3' },
+	{ "continue", 0, 0, '4' },
 	{ 0 }
 };
 
@@ -44,11 +48,14 @@
 	route_info->oif[0] = '\0';
 	route_info->iif[0] = '\0';
 	route_info->gw = 0;
+	route_info->flags = 0;
 }
 
 
-#define IPT_ROUTE_OPT_IF       0x01
-#define IPT_ROUTE_OPT_GW       0x02
+#define IPT_ROUTE_OPT_OIF      0x01
+#define IPT_ROUTE_OPT_IIF      0x02
+#define IPT_ROUTE_OPT_GW       0x04
+#define IPT_ROUTE_OPT_CONTINUE 0x08
 
 /* Function which parses command options; returns true if it
    ate an option */
@@ -62,9 +69,13 @@
 
 	switch (c) {
 	case '1':
-		if (*flags & IPT_ROUTE_OPT_IF)
+		if (*flags & IPT_ROUTE_OPT_OIF)
 			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --oif twice or --oif with --iif");
+				   "Can't specify --oif twice");
+
+		if (*flags & IPT_ROUTE_OPT_IIF)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't use --oif and --iif together");
 
 		if (check_inverse(optarg, &invert, NULL, 0))
 			exit_error(PARAMETER_PROBLEM,
@@ -76,13 +87,17 @@
 				   sizeof(route_info->oif) - 1);
 
 		strcpy(route_info->oif, optarg);
-		*flags |= IPT_ROUTE_OPT_IF;
+		*flags |= IPT_ROUTE_OPT_OIF;
 		break;
 
 	case '2':
-		if (*flags & IPT_ROUTE_OPT_IF)
+		if (*flags & IPT_ROUTE_OPT_IIF)
 			exit_error(PARAMETER_PROBLEM,
-				   "Can't specify --iif twice or --iif with --oif");
+				   "Can't specify --iif twice");
+
+		if (*flags & IPT_ROUTE_OPT_OIF)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't use --iif and --oif together");
 
 		if (check_inverse(optarg, &invert, NULL, 0))
 			exit_error(PARAMETER_PROBLEM,
@@ -94,7 +109,7 @@
 				   sizeof(route_info->iif) - 1);
 
 		strcpy(route_info->iif, optarg);
-		*flags |= IPT_ROUTE_OPT_IF;
+		*flags |= IPT_ROUTE_OPT_IIF;
 		break;
 
 	case '3':
@@ -102,6 +117,10 @@
 			exit_error(PARAMETER_PROBLEM,
 				   "Can't specify --gw twice");
 
+		if (check_inverse(optarg, &invert, NULL, 0))
+			exit_error(PARAMETER_PROBLEM,
+				   "Unexpected `!' after --gw");
+
 		if (!inet_aton(optarg, (struct in_addr*)&route_info->gw)) {
 			exit_error(PARAMETER_PROBLEM,
 				   "Invalid IP address %s",
@@ -111,6 +130,16 @@
 		*flags |= IPT_ROUTE_OPT_GW;
 		break;
 
+	case '4':
+		if (*flags & IPT_ROUTE_OPT_CONTINUE)
+			exit_error(PARAMETER_PROBLEM,
+				   "Can't specify --continue twice");
+
+		route_info->flags |= IPT_ROUTE_CONTINUE;
+		*flags |= IPT_ROUTE_OPT_CONTINUE;
+
+		break;
+
 	default:
 		return 0;
 	}
@@ -124,7 +153,11 @@
 {
 	if (!flags)
 		exit_error(PARAMETER_PROBLEM,
-		           "ROUTE target: one parameter is required");
+		           "ROUTE target: oif, iif or gw option required");
+
+	if ((flags & IPT_ROUTE_OPT_CONTINUE) && (flags & IPT_ROUTE_OPT_IIF))
+		exit_error(PARAMETER_PROBLEM,
+			   "ROUTE target: can't continue traversing the rules with iif option");
 }
 
 
@@ -140,15 +173,19 @@
 	printf("ROUTE ");
 
 	if (route_info->oif[0])
-		printf("oif %s ", route_info->oif);
+		printf("oif:%s ", route_info->oif);
 
 	if (route_info->iif[0])
-		printf("iif %s ", route_info->iif);
+		printf("iif:%s ", route_info->iif);
 
 	if (route_info->gw) {
 		struct in_addr ip = { route_info->gw };
-		printf("gw %s ", inet_ntoa(ip));
+		printf("gw:%s ", inet_ntoa(ip));
 	}
+
+	if (route_info->flags & IPT_ROUTE_CONTINUE)
+		printf("continue");
+
 }
 
 
@@ -168,6 +205,9 @@
 		struct in_addr ip = { route_info->gw };
 		printf("--gw %s ", inet_ntoa(ip));
 	}
+
+	if (route_info->flags & IPT_ROUTE_CONTINUE)
+		printf("--continue ");
 }
 
 

Re: [PATCH] corrected ROUTE target

[Martin Josefsson]

On Fri, 25 Jul 2003, Cedric de Launois wrote:

> Ok. So here is the ROUTE patch that preserves the old behaviour.
> The new option is called --continue. When using it, the packet is routed
> and then continues travering the rules. If the option is not used, the
> behaviour is as before (i.e. the packet is sent).
>
> The patch is against current cvs.

Applied, thanks

/Martin

[PATCH] update to ROUTE target

[Cedric de Launois]

[-- Attachment #1: Type: text/plain, Size: 441 bytes --]

Hi again,

Oops, I forgot to also submit changes to the ROUTE.patch.configure.help
and ROUTE.patch.help files to update the descriptions of the target.

I also modified ROUTE.patch.configure.in in order to make the ROUTE
target dependent of the CONFIG_IP_NF_MANGLE kernel option (since the
ROUTE target must be used inside the mangle table).

The patch is still against the very current cvs.

Thanks for applying it.

Cédric


[-- Attachment #2: ROUTE.cvs.patch --]
[-- Type: text/x-patch, Size: 5022 bytes --]

diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.config.in netfilter/patch-o-matic/extra/ROUTE.patch.config.in
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.config.in	2003-07-25 14:30:09.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.config.in	2003-07-25 14:10:49.000000000 +0200
@@ -1,2 +1,3 @@
-  dep_tristate '  LOG target support' CONFIG_IP_NF_TARGET_LOG $CONFIG_IP_NF_IPTABLES
-  dep_tristate '  ROUTE target support' CONFIG_IP_NF_TARGET_ROUTE $CONFIG_IP_NF_IPTABLES
+    dep_tristate '    MARK target support' CONFIG_IP_NF_TARGET_MARK $CONFIG_IP_NF_MANGLE
+    dep_tristate '    ROUTE target support' CONFIG_IP_NF_TARGET_ROUTE $CONFIG_IP_NF_MANGLE
+ 
\ Pas de fin de ligne à la fin du fichier.
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.configure.help netfilter/patch-o-matic/extra/ROUTE.patch.configure.help
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.configure.help	2003-07-25 14:30:09.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.configure.help	2003-07-25 14:15:05.000000000 +0200
@@ -1,16 +1,14 @@
-CONFIG_IP_NF_TARGET_LOG
+CONFIG_IP_NF_TARGET_MARK
 ROUTE target support
 CONFIG_IP_NF_TARGET_ROUTE
   This option adds a `ROUTE' target, which enables you to setup unusual
-  routes not supported by the standard kernel routing table.
-  For example, the ROUTE lets you directly route a received packet through 
+  routes. For example, the ROUTE lets you route a received packet through 
   an interface or towards a host, even if the regular destination of the 
   packet is the router itself. The ROUTE target is also able to change the 
   incoming interface of a packet.
 
-  This target does never modify the packet and is a final target.
-  It has to be used inside the mangle table.
-
+  The target can be or not a final target. It has to be used inside the 
+  mangle table.
   
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  The module will be called ipt_ROUTE.o.
diff -Nru netfilter.orig/patch-o-matic/extra/ROUTE.patch.help netfilter/patch-o-matic/extra/ROUTE.patch.help
--- netfilter.orig/patch-o-matic/extra/ROUTE.patch.help	2003-07-25 14:30:09.000000000 +0200
+++ netfilter/patch-o-matic/extra/ROUTE.patch.help	2003-07-25 14:51:25.000000000 +0200
@@ -1,32 +1,37 @@
 Author: Cédric de Launois <delaunois@info.ucl.ac.be>
-Status: In Development/Works for me
+Status: Experimental
   
   This option adds a `ROUTE' target, which enables you to setup unusual
-  routes not supported by the standard kernel routing table.
-  For example, the ROUTE lets you directly route a received packet through 
+  routes. For example, the ROUTE lets you route a received packet through 
   an interface or towards a host, even if the regular destination of the 
   packet is the router itself. The ROUTE target is also able to change the 
   incoming interface of a packet.
 
-  This target does never modify the packet and is a final target.
-  It has to be used inside the mangle table.
+  The target can be or not a final target. It has to be used inside the 
+  mangle table.
 
   ROUTE target options:
-    --oif   ifname    Send the packet out using `ifname' network interface.
-    --iif   ifname    Change the packet's incoming interface to `ifname'.
-    --gw    ip        Route the packet via this gateway.
+  --oif   ifname    Send the packet out using `ifname' network interface.
+  --iif   ifname    Change the packet's incoming interface to `ifname'.
+  --gw    ip        Route the packet via this gateway.
+  --continue        Route the packet and continue traversing the rules.
 
-  Examples :
-
-  To redirect all outgoing icmp packet to the eth1 interface :
-  # iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1
+  Note that --iif and --continue can't be used together.
 
-  To tunnel all incoming http packets :
-  # iptables -A PREROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1
-
-  To force the next-hop used for ssh packets :
-  # iptables -A PREROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z
+  Examples :
 
-  To change the incoming network interface from eth0 to eth1 for icmp packets :
-  # iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1
+  # To force all outgoing icmp packet to go through the eth1 interface 
+  # (final target) :
+  iptables -A POSTROUTING -t mangle -p icmp -j ROUTE --oif eth1
  
+  # To tunnel outgoing http packets and continue traversing the rules :
+  iptables -A POSTROUTING -t mangle -p tcp --dport 80 -j ROUTE --oif tunl1 --continue
+ 
+  # To forward all ssh packets to gateway w.x.y.z, and continue traversing
+  # the rules :
+  iptables -A POSTROUTING -t mangle -p tcp --dport 22 -j ROUTE --gw w.x.y.z --continue
+ 
+  # To change the incoming network interface from eth0 to eth1 for all icmp
+  # packets (final target) :
+  iptables -A PREROUTING -t mangle -p icmp -i eth0 -j ROUTE --iif eth1
+

Re: [PATCH] update to ROUTE target

[Martin Josefsson]

On Fri, 2003-07-25 at 15:16, Cedric de Launois wrote:
> Hi again,
> 
> Oops, I forgot to also submit changes to the ROUTE.patch.configure.help
> and ROUTE.patch.help files to update the descriptions of the target.
> 
> I also modified ROUTE.patch.configure.in in order to make the ROUTE
> target dependent of the CONFIG_IP_NF_MANGLE kernel option (since the
> ROUTE target must be used inside the mangle table).
> 
> The patch is still against the very current cvs.
> 
> Thanks for applying it.

Applied

-- 
/Martin