From: KOVACS Krisztian <hidden@sch.bme.hu>
To: David Miller <davem@davemloft.net>
Cc: Patrick McHardy <kaber@trash.net>, netdev@vger.kernel.org
Subject: [PATCH 06/14] Port redirection support for TCP
Date: Sat, 13 Oct 2007 19:32:04 +0200 [thread overview]
Message-ID: <20071013173204.22517.35523.stgit@nessa.odu> (raw)
In-Reply-To: <20071013172857.22517.84760.stgit@nessa.odu>
Current TCP code relies on the local port of the listening socket
being the same as the destination address of the incoming
connection. Port redirection used by many transparent proxying
techniques obviously breaks this, so we have to store the original
destination port address.
This patch extends struct inet_request_sock and stores the incoming
destination port value there. It also modifies the handshake code to
use that value as the source port when sending reply packets.
Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
---
include/net/inet_sock.h | 2 +-
include/net/tcp.h | 1 +
net/ipv4/inet_connection_sock.c | 2 ++
net/ipv4/syncookies.c | 1 +
net/ipv4/tcp_output.c | 2 +-
5 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
index 517efe7..d7e2a52 100644
--- a/include/net/inet_sock.h
+++ b/include/net/inet_sock.h
@@ -61,8 +61,8 @@ struct inet_request_sock {
struct request_sock req;
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
u16 inet6_rsk_offset;
- /* 2 bytes hole, try to pack */
#endif
+ __be16 loc_port;
__be32 loc_addr;
__be32 rmt_addr;
__be16 rmt_port;
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 92049e6..13bd06f 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1006,6 +1006,7 @@ static inline void tcp_openreq_init(struct request_sock *req,
ireq->acked = 0;
ireq->ecn_ok = 0;
ireq->rmt_port = tcp_hdr(skb)->source;
+ ireq->loc_port = tcp_hdr(skb)->dest;
}
extern void tcp_enter_memory_pressure(void);
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 1667cd8..eda765f 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -515,6 +515,8 @@ struct sock *inet_csk_clone(struct sock *sk, const struct request_sock *req,
newicsk->icsk_bind_hash = NULL;
inet_sk(newsk)->dport = inet_rsk(req)->rmt_port;
+ inet_sk(newsk)->num = ntohs(inet_rsk(req)->loc_port);
+ inet_sk(newsk)->sport = inet_rsk(req)->loc_port;
newsk->sk_write_space = sk_stream_write_space;
newicsk->icsk_retransmits = 0;
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index a0f6fdb..6e84243 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -223,6 +223,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
treq->rcv_isn = ntohl(th->seq) - 1;
treq->snt_isn = cookie;
req->mss = mss;
+ ireq->loc_port = th->dest;
ireq->rmt_port = th->source;
ireq->loc_addr = ip_hdr(skb)->daddr;
ireq->rmt_addr = ip_hdr(skb)->saddr;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 324b420..b27535f 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2218,7 +2218,7 @@ struct sk_buff * tcp_make_synack(struct sock *sk, struct dst_entry *dst,
th->syn = 1;
th->ack = 1;
TCP_ECN_make_synack(req, th);
- th->source = inet_sk(sk)->sport;
+ th->source = ireq->loc_port;
th->dest = ireq->rmt_port;
TCP_SKB_CB(skb)->seq = tcp_rsk(req)->snt_isn;
TCP_SKB_CB(skb)->end_seq = TCP_SKB_CB(skb)->seq + 1;
next prev parent reply other threads:[~2007-10-13 18:39 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-10-13 17:28 [PATCH 00/14] Transparent Proxying Patches, Take 5 KOVACS Krisztian
2007-10-13 17:29 ` [PATCH 01/14] Loosen source address check on IPv4 output KOVACS Krisztian
2007-10-13 17:29 ` [PATCH 02/14] Implement IP_TRANSPARENT socket option KOVACS Krisztian
2007-10-13 17:30 ` [PATCH 03/14] Allow binding to non-local addresses if IP_TRANSPARENT is set KOVACS Krisztian
2007-10-13 17:31 ` [PATCH 04/14] Conditionally enable transparent flow flag when connecting KOVACS Krisztian
2007-10-13 17:31 ` [PATCH 05/14] Handle TCP SYN+ACK/ACK/RST transparency KOVACS Krisztian
2007-10-13 17:32 ` KOVACS Krisztian [this message]
2007-10-13 17:32 ` [PATCH 07/14] Export UDP socket lookup function KOVACS Krisztian
2007-10-13 17:33 ` [PATCH 08/14] Split Netfilter IPv4 defragmentation into a separate module KOVACS Krisztian
2007-10-13 17:33 ` [PATCH 09/14] iptables tproxy core KOVACS Krisztian
2007-10-13 17:34 ` [PATCH 10/14] iptables socket match KOVACS Krisztian
2007-10-13 17:34 ` [PATCH 11/14] iptables TPROXY target KOVACS Krisztian
2007-10-13 17:35 ` [PATCH 12/14] Don't lookup the socket if there's a socket attached to the skb KOVACS Krisztian
2007-10-13 17:35 ` [PATCH 13/14] " KOVACS Krisztian
2007-10-13 17:36 ` [PATCH 14/14] Add documentation KOVACS Krisztian
2007-10-13 22:44 ` [PATCH 00/14] Transparent Proxying Patches, Take 5 David Miller
2007-10-14 9:05 ` KOVACS Krisztian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071013173204.22517.35523.stgit@nessa.odu \
--to=hidden@sch.bme.hu \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.