* Netfilter and source address selection
@ 2003-11-04 11:24 Thomas Themel
  2003-11-04 23:39 ` Henrik Nordstrom
  0 siblings, 1 reply; 2+ messages in thread
From: Thomas Themel @ 2003-11-04 11:24 UTC (permalink / raw)
  To: netfilter-devel

Hi,

Currently, a local TCP socket that connect(2)s to the outside gets its
source address from the routing table entry that is used to send it out.

However, with iproute2, it is possible that this routing table entry is
selected based on the netfilter fwmark. This causes the packet to be
routed twice, but only the first time is considered for source address
selection. 

The process is something like this:

* SYN packet is generated
* SYN packet goes through routing, gets local source address
* SYN packet goes through netfilter OUTPUT chain and is mangled
* SYN packet is then routed again
* SYN packet already has a source address and thus doesn't get the
  source address of the route it is actually sent out on

This results in the packet being sent out via the route it matches after
being mangled, but with the source address of the route it matched
before being mangled.

I think that the behaviour would be more consistent if the last step was
something like 'SYN packet gets the source address of the new route'. 

I can see two ways to achieve a correct end result:

1. The source address selection code (that would be ip_route_connect in
   include/net/route.h?) does not only a routing table lookup, but the
   full code path (ie routing, OUTPUT chain, rerouting) including
   netfilter and thus gets the source address right immediately.

2. The socket/skb (I know very little about the networking code, so my
   terminology might be all wrong) is somehow flagged as 'locally
   originating' and its source address is replaced when it is routed
   again.

[3. Explicitly do a SNAT in POSTROUTING. However, this requires that
    the netfilter rules be kept in sync with the routing and strikes
    me as Not The Right Thing to do.]

Which of those two is the better idea? Is this the way it is by design
or do you consider that a bug?

ciao,
-- 
[*Thomas  Themel*] I just want an EDitor!! Not a "viitor". Not a "emacsitor".
[extended contact] Those aren't even WORDS!!!! ED! ED! ED IS THE STANDARD!!!
[info provided in] 
[*message header*] Paul J. LoPresti in <1991Jul11.031731.9260@athena.mit.edu>


* Re: Netfilter and source address selection
  2003-11-04 11:24 Netfilter and source address selection Thomas Themel
@ 2003-11-04 23:39 ` Henrik Nordstrom
  0 siblings, 0 replies; 2+ messages in thread
From: Henrik Nordstrom @ 2003-11-04 23:39 UTC (permalink / raw)
  To: Thomas Themel; +Cc: netfilter-devel

On Tue, 4 Nov 2003, Thomas Themel wrote:

> This results in the packet being sent out via the route it matches after
> being mangled, but with the source address of the route it matched
> before being mangled.

Yes, and there are two solutions to this

a) Teach the application to bind to the correct address before initiating 
the connection.

b) Use SNAT in the OUTPUT nat chain to assign the correct source address 
to the connection.


The reason why this happens is because the TCP/UDP kernel needs to know 
the source IP address when generating the SYN packet, and with netfilter 
running outside of the TCP/UDP kernel it has no influence over this 
process.

> 1. The source address selection code (that would be ip_route_connect in
>    include/net/route.h?) does not only a routing table lookup, but the
>    full code path (ie routing, OUTPUT chain, rerouting) including
>    netfilter and thus gets the source address right immediately.

Problem is that for the packet to be sent to netfilter it first needs to 
exist, and for the packet to exist the upper level protocol needs to 
know the source address..

> 2. The socket/skb (I know very little about the networking code, so my
>    terminology might be all wrong) is somehow flagged as 'locally
>    originating' and its source address is replaced when it is routed
>    again.

This might be doable.. add a flag to the skb indicating that the source 
address is dynamically assigned, hinting to the mangle table that it needs 
to SNAT the connection if the resulting route is using another source 
address..

> [3. Explicitly do a SNAT in POSTROUTING. However, this requires that
>     the netfilter rules be kept in sync with the routing and strikes
>     me as Not The Right Thing to do.]

But.. it would not be hard to write a SNAT target which takes the address 
from the route entry, and I think this is the best solution to the problem. 
To not break local socket binding the flag discussed above should also be 
added.

Regards
Henrik
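An added illustration of the two points above (the original question's packet path, where the SYN's source address is fixed before netfilter mangles it, and Henrik's solution a, binding before connecting); this is example code written for this thread, not code from either poster or from the kernel. It assumes a Linux host with a normal loopback configuration: the UDP connect() trick reads back the source address the kernel's route lookup picks without sending anything, and the TCP part shows that an unbound socket inherits that address while a socket bound by the application keeps the address the application chose. The 127.0.0.2 case in the demo relies on Linux treating all of 127.0.0.0/8 as local.

```python
import socket
from contextlib import closing


def kernel_selected_source(dst_ip, dst_port=9):
    """Return the source address the kernel's route lookup assigns for dst_ip.

    connect() on a UDP socket only records the peer and runs the routing
    lookup (no datagram is sent), so getsockname() afterwards reveals the
    address the matching route would stamp on a SYN.  This is the address
    selection step that happens before any OUTPUT-chain mangling.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_DGRAM)) as s:
        s.connect((dst_ip, dst_port))
        return s.getsockname()[0]


def tcp_connect(dst, src_ip=None):
    """Open a TCP connection to dst=(ip, port).

    With src_ip given, bind() first so the application, not the route
    chosen for the SYN, decides the source address (solution a in the
    reply above).  Without it the kernel fills in the route's source.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if src_ip is not None:
        s.bind((src_ip, 0))
    s.connect(dst)
    return s


def observe_sources(listen_ip, pinned_src):
    """Run a local listener and report which source address each kind of
    client socket actually used, as seen by both ends."""
    results = {}
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((listen_ip, 0))          # port 0: kernel picks a free port
        srv.listen(2)
        dst = srv.getsockname()

        # What the routing lookup alone would choose for this destination.
        results["route_default"] = kernel_selected_source(listen_ip)

        # Unbound client: source comes from the route used for the SYN.
        with closing(tcp_connect(dst)) as c:
            peer, _ = srv.accept()
            results["unbound"] = c.getsockname()[0]
            peer.close()

        # Bound client: source is whatever the application pinned.
        with closing(tcp_connect(dst, pinned_src)) as c:
            peer, _ = srv.accept()
            results["pinned"] = c.getsockname()[0]
            results["pinned_seen_by_server"] = peer.getpeername()[0]
            peer.close()
    return results


if __name__ == "__main__":
    # 127.0.0.2 is a constructed second local address; Linux accepts any
    # 127/8 address on lo, so the pinned connection leaves with it even
    # though the route lookup for 127.0.0.1 would have chosen 127.0.0.1.
    try:
        for key, value in observe_sources("127.0.0.1", "127.0.0.2").items():
            print(f"{key:>24}: {value}")
    except OSError as exc:
        print("127.0.0.2 not bindable on this host:", exc)
```

The practical reading for anyone writing egress filters or audit rules: if a policy-routing setup (fwmark rules, as in the original question) can send a connection out a different interface than the one whose address the SYN carries, the only way to be sure of the source address at the application layer is to bind it explicitly, which is what `tcp_connect(dst, src_ip)` does.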

