* Valid requirement for REDIRECT target on IPv6 where TPROXY won't do.
@ 2012-06-28  1:32 Steve (Telsat Broadband)
  2012-06-28  5:07 ` Amos Jeffries
  0 siblings, 1 reply; 4+ messages in thread
From: Steve (Telsat Broadband) @ 2012-06-28  1:32 UTC (permalink / raw)
  To: netfilter

Hi All,

I would like to see if there is some way we can get the 'REDIRECT' target
implemented in ip6tables; this isn't for NAT purposes but rather for the
process of creating a captive portal for network users' access requests.  We
currently use the REDIRECT target on our gateway for IPv4 and need the same
functionality for IPv6.

It has been suggested that 'TPROXY', which is available in the mangle table,
is a replacement, but it isn't.  I have tested TPROXY every which way but
still to no avail; the packets hit the TPROXY rule but simply do not get
sent to the captive portal process which is running on the gateway machine.

Given there is no NAT table in IPv6, can we please get the same
functionality as the REDIRECT added to the mangle table targets as well?
For our business case, this is a critical component of being able to
properly handle our customers' requests.

Thanks in advance.
Steve.




* Re: Valid requirement for REDIRECT target on IPv6 where TPROXY won't do.
  2012-06-28  1:32 Valid requirement for REDIRECT target on IPv6 where TPROXY won't do Steve (Telsat Broadband)
@ 2012-06-28  5:07 ` Amos Jeffries
  2012-06-28  8:52   ` Steve (Telsat Broadband)
  0 siblings, 1 reply; 4+ messages in thread
From: Amos Jeffries @ 2012-06-28  5:07 UTC (permalink / raw)
  To: netfilter

On 28/06/2012 1:32 p.m., Steve (Telsat Broadband) wrote:
> Hi All,
>
> I would like to see if there is some way we can get the 'REDIRECT' target
> implemented in ip6tables; this isn't for NAT purposes but rather for the
> process of creating a captive portal for network users' access requests.  We
> currently use the REDIRECT target on our gateway for IPv4 and need the same
> functionality for IPv6.
>
> It has been suggested that 'TPROXY', which is available in the mangle table,
> is a replacement, but it isn't.  I have tested TPROXY every which way but
> still to no avail; the packets hit the TPROXY rule but simply do not get
> sent to the captive portal process which is running on the gateway machine.

Strange. Quite a few people are happily using TPROXY to redirect IPv6
packets to a local Squid proxy portal.
The only instances where I've found problems are where NAT is also being
used on the box and changing the packets after TPROXY has set up the
routing rules.

AYJ



* RE: Valid requirement for REDIRECT target on IPv6 where TPROXY won't do.
  2012-06-28  5:07 ` Amos Jeffries
@ 2012-06-28  8:52   ` Steve (Telsat Broadband)
  2012-07-01 11:23     ` Amos Jeffries
  0 siblings, 1 reply; 4+ messages in thread
From: Steve (Telsat Broadband) @ 2012-06-28  8:52 UTC (permalink / raw)
  To: 'Amos Jeffries', netfilter

Hi AYJ,

Thanks for the reply.

In this particular instance it's not for redirecting packets to Squid; it's
to a custom service listening on a socket for both TCP and UDP data.  It's
capturing packets on all ports and forwarding them to their appropriate
handler.  In addition, for unauthenticated users, it's also 'redirecting'
their DNS queries to the built-in DNS server so as to properly handle the
authentication process.

This all works seamlessly (without NAT) on IPv4, but there are simply no
signs of life when using TPROXY; it's simply as if the packets disappear
into thin air.

In the setup of the TPROXY rules, I can see packets getting counted on the
rule and the appropriate TPROXY mark and ip rules are in place, but they
never appear on the service nor do any of the DNS queries arrive.

Thanks again for your comments.
Steve.


* Re: Valid requirement for REDIRECT target on IPv6 where TPROXY won't do.
  2012-06-28  8:52   ` Steve (Telsat Broadband)
@ 2012-07-01 11:23     ` Amos Jeffries
  0 siblings, 0 replies; 4+ messages in thread
From: Amos Jeffries @ 2012-07-01 11:23 UTC (permalink / raw)
  To: Steve (Telsat Broadband); +Cc: netfilter

On 28/06/2012 8:52 p.m., Steve (Telsat Broadband) wrote:
> Hi AYJ,
>
> Thanks for the reply.
>
> In this particular instance it's not for redirecting packets to Squid; it's
> to a custom service listening on a socket for both TCP and UDP data.

My point was that it *is* working, for at least one software 
implementation. I've heard of other software too, but not sure enough to 
name names.


> It's capturing packets on all ports and forwarding them to their
> appropriate handler.  In addition, for unauthenticated users, it's also
> 'redirecting' their DNS queries to the built-in DNS server so as to
> properly handle the authentication process.
>
> This all works seamlessly (without NAT) on IPv4, but there are simply no
> signs of life when using TPROXY; it's simply as if the packets disappear
> into thin air.
>
> In the setup of the TPROXY rules, I can see packets getting counted on the
> rule and the appropriate TPROXY mark and ip rules are in place, but they
> never appear on the service nor do any of the DNS queries arrive.

At the very minimum you should be receiving the packets. We see this 
missing behaviour in two circumstances:
  1) rpfilter in the system is configured to drop the packets.
  2) NAT is configured on the same box as TPROXY.

I'm not sure what is going on there in that second case. Just that NAT 
and TPROXY on the same packets does not mix well on any kernel up to 3.2.

AYJ


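As an added diagnostic (not part of the thread, nor anyone's posted configuration): a Python checker that reads the output of `ip6tables-save -c`, `ip -6 rule show` and the marked routing table, confirms the pieces an IPv6 TPROXY setup needs (TPROXY rule with hits, fwmark policy rule, loopback route in the marked table), and flags the two failure modes Amos names, an rpfilter drop and NAT on the same box. The sample output is constructed; the mark 0x1, listener port 3129 and table 100 are assumptions.

```python
import re

# Constructed sample output of `ip6tables-save -c`, `ip -6 rule show` and
# `ip -6 route show table 100` for a gateway set up as in the thread. Assumed
# values (not from the thread): mark 0x1, listener port 3129, routing table 100.
IP6TABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
[3:240] -A PREROUTING -m rpfilter --invert -j DROP
[57:4560] -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
[14:1120] -A PREROUTING -p udp -m udp --dport 53 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
[2:160] -A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination [2001:db8::10]:80
COMMIT
"""
IP6_RULES = "0:\tfrom all lookup local\n100:\tfrom all fwmark 0x1 lookup 100\n32766:\tfrom all lookup main\n"
IP6_ROUTE_100 = "local default dev lo metric 1024\n"

RULE_RE = re.compile(r"^\[(\d+):\d+\]\s+-A (\S+) (.*)$")

def table_rules(dump, table):
    """Return (packets, chain, rule_text) for every -A line of one table."""
    rules, current = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif current == table and (m := RULE_RE.match(line)):
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules

def audit_tproxy(dump, rules6, route_tbl, mark="0x1"):
    """Check what TPROXY delivery needs and flag the two failure modes Amos names."""
    findings = []
    pre = [r for r in table_rules(dump, "mangle") if r[1] == "PREROUTING"]
    tproxy = [r for r in pre if "-j TPROXY" in r[2]]
    if not tproxy:
        findings.append("no TPROXY rule in mangle PREROUTING")
    elif sum(r[0] for r in tproxy) == 0:
        findings.append("TPROXY rules never matched; packets are lost before diversion")
    if any("-m rpfilter" in r[2] and "-j DROP" in r[2] for r in pre):
        findings.append("rpfilter DROP in mangle PREROUTING (failure mode 1: retest without it)")
    if table_rules(dump, "nat"):
        findings.append("nat table has rules on the TPROXY box (failure mode 2)")
    if not re.search(rf"fwmark {re.escape(mark)}(?:/\S+)? lookup \d+", rules6):
        findings.append(f"no 'ip -6 rule' sending fwmark {mark} to a dedicated table")
    if not re.search(r"^local default dev lo\b", route_tbl, re.M):
        findings.append("marked table lacks the 'local default dev lo' route")
    return findings
```

Rule counters that climb while the listener sees nothing, as in Steve's report, point at the stage after the TPROXY rule (policy routing, rpfilter, NAT), which is what the remaining checks cover.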
