Q: remapping IP addresses for inbound and outbound traffic

Q: remapping IP addresses for inbound and outbound traffic

[Innocenti Maresin]

Hello! 

Let one Linux box have two interfaces to IPv4 networks, 
and for some IP both networks have the host with this IP address, e.g. from RFC1918. 
Or even both use the same IPv4 address block. 
We can say that one IP from the first network 
and numerically the same IP from the second "means" different hosts. 

The software of this box needs to connect all hosts in both networks, 
and also to receive inbound TCP connections. 
The evident way is to "remap" overlapping IPv4 area of one network 
to some "place" not used neither in it nor in other. 
This means that, when we receive a packet from remapped area, 
the kernel should replace the source IP to an "internal representaion". 
Versa, sending something to "internally represented" IP 
the kernel should replace such IP by its external value. 
I clarify these terms so carefully because in news:comp.os.linux.networking 
some people state that I "use terms in strange ways" :) 

The question is: how to do it? 
Please, don't say quicky "iproute2" and "RTFM". 
Iproute2 can do such things when *forwarding* packets. 
I need no forwarding at all, no *connection* between 2 networks. 
I need only to *serve* both networks, 
such that some "external" IPs need to be replaced by internally used IP and versa. 
All this at one Linux box.
No forwarding traffic. Only inbound and outbound. 

So, suppose that I try to use FastNAT/iproute2 on Linux 2.4, 
a "dummy NAT address" is an "internally represented" in my terms, 
and "via" address (in iproute2 terms) is my "external". 
Then, by iproute2 idiots' design, I can't locally send packet 
to so named "dummy NAT address". 
I even can't use connect() on it, the kernel says "Invalid argument". 
So, I really can't use my "internal addresses". 

Ipfilter also cannot solve this problem. 
There is no means to translate inbound packets' source address 
(there is no INPUT chain in -t nat and PREROUTING can't do SNAT), 
but services need to see packets as coming from internally represented IP. 


There is some more or less trivial ideas:

* Use IPv6 (IMHO it's possible, but I seek yet for simpler solution);

* Use extra hardware - I am not willing to do so for many reasons;

* Read docs more carefully ;) - I read relevant ip-cref sections, 
 but FastNAT feature is poorly documented in this Kuznetsov's paper, 
 many anothers docs cite Kuznetsov and generally give even less details;

* Modify the kernel sources - Of course, I will, 
 but it's not evident for me that the trouble caused by some few errors, 
 I'm not sure that kernel may use a "dummy NAT address" 
 as destination of locally generated packets without major changes.


Maybe, somebody knows about "non-official" kernel patches?

P.S. please send me Cc when replying to this message.


-- 

qq~~~~\
/ /\   \
\  /_/ /
 \____/

R: remapping IP addresses for inbound and outbound traffic

[Giampaolo Tomassoni]

I guess you can't do this, since a believe there is a single linux arp table. It is not per-interface.

If you had hosts with unique IPs on both nets, that would be another story: you could use some sort of VPN or Bridge functionality. You could also be able to avoid packets passing through the bridged/VPNed interfaces thanks to iptables.

Cheers,

Giampaolo

> -----Messaggio originale-----
> Da: linux-kernel-owner@vger.kernel.org
> [mailto:linux-kernel-owner@vger.kernel.org]Per conto di Innocenti
> Maresin
> Inviato: sabato 12 agosto 2006 17.09
> A: LKML
> Oggetto: Q: remapping IP addresses for inbound and outbound traffic
> 
> 
> Hello! 
> 
> Let one Linux box have two interfaces to IPv4 networks, 
> and for some IP both networks have the host with this IP address, 
> e.g. from RFC1918. 
> Or even both use the same IPv4 address block. 
> We can say that one IP from the first network 
> and numerically the same IP from the second "means" different hosts. 
> 
> The software of this box needs to connect all hosts in both networks, 
> and also to receive inbound TCP connections. 
> The evident way is to "remap" overlapping IPv4 area of one network 
> to some "place" not used neither in it nor in other. 
> This means that, when we receive a packet from remapped area, 
> the kernel should replace the source IP to an "internal representaion". 
> Versa, sending something to "internally represented" IP 
> the kernel should replace such IP by its external value. 
> I clarify these terms so carefully because in 
> news:comp.os.linux.networking 
> some people state that I "use terms in strange ways" :) 
> 
> The question is: how to do it? 
> Please, don't say quicky "iproute2" and "RTFM". 
> Iproute2 can do such things when *forwarding* packets. 
> I need no forwarding at all, no *connection* between 2 networks. 
> I need only to *serve* both networks, 
> such that some "external" IPs need to be replaced by internally 
> used IP and versa. 
> All this at one Linux box.
> No forwarding traffic. Only inbound and outbound. 
> 
> So, suppose that I try to use FastNAT/iproute2 on Linux 2.4, 
> a "dummy NAT address" is an "internally represented" in my terms, 
> and "via" address (in iproute2 terms) is my "external". 
> Then, by iproute2 idiots' design, I can't locally send packet 
> to so named "dummy NAT address". 
> I even can't use connect() on it, the kernel says "Invalid argument". 
> So, I really can't use my "internal addresses". 
> 
> Ipfilter also cannot solve this problem. 
> There is no means to translate inbound packets' source address 
> (there is no INPUT chain in -t nat and PREROUTING can't do SNAT), 
> but services need to see packets as coming from internally 
> represented IP. 
> 
> 
> There is some more or less trivial ideas:
> 
> * Use IPv6 (IMHO it's possible, but I seek yet for simpler solution);
> 
> * Use extra hardware - I am not willing to do so for many reasons;
> 
> * Read docs more carefully ;) - I read relevant ip-cref sections, 
>  but FastNAT feature is poorly documented in this Kuznetsov's paper, 
>  many anothers docs cite Kuznetsov and generally give even less details;
> 
> * Modify the kernel sources - Of course, I will, 
>  but it's not evident for me that the trouble caused by some few errors, 
>  I'm not sure that kernel may use a "dummy NAT address" 
>  as destination of locally generated packets without major changes.
> 
> 
> Maybe, somebody knows about "non-official" kernel patches?
> 
> P.S. please send me Cc when replying to this message.
> 
> 
> -- 
> 
> qq~~~~\
> / /\   \
> \  /_/ /
>  \____/
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

Re: Q: remapping IP addresses for inbound and outbound traffic

[Jan Engelhardt]

>Let one Linux box have two interfaces to IPv4 networks, 
>and for some IP both networks have the host with this IP address, e.g. from RFC1918. 
>Or even both use the same IPv4 address block. 
>We can say that one IP from the first network 
>and numerically the same IP from the second "means" different hosts. 
>
>I clarify these terms so carefully because in news:comp.os.linux.networking 
>some people state that I "use terms in strange ways" :) 

But we are not in comp.os.linux.networking here, and getting a concrete 
example like "my eth0 has 134.76.13.21/24 and my eth1 has 10.foo.bar/xyz" 
is a little easier to understand.

>The software of this box needs to connect all hosts in both networks, 
>and also to receive inbound TCP connections. 
>The evident way is to "remap" overlapping IPv4 area of one network 
>to some "place" not used neither in it nor in other. 

If they do not use the same address block, they don't overlap and there is 
no need to remap them.

>This means that, when we receive a packet from remapped area, 
>the kernel should replace the source IP to an "internal representaion". 
>Versa, sending something to "internally represented" IP 
>the kernel should replace such IP by its external value. 


Jan Engelhardt
-- 

Re: remapping IP addresses for inbound and outbound traffic

[Innocenti Maresin]

Giampaolo Tomassoni:
 
> I guess you can't do this, since a believe there is a single linux arp table.
> It is not per-interface.

It is a problem generally, but happily not in my case 
because at least one of my networks has this overlapping IP area behind a router. 
More precisely, one network almost entirely stands behind a router. 
I do not need any ARP for IPs those I want to remap. 

 
> If you had hosts with unique IPs on both nets, that would be another story:
> you could use some sort of VPN or Bridge functionality.
> You could also be able to avoid packets passing through the bridged/VPNed interfaces
> thanks to iptables.

May be I do not understand what means "some sort of VPN or Bridge functionality", 
but any solution requiring an extra soft on the client side would be inadequate 
and I will not take such proposals into account. 
My server must accept pure IP from both sides. 
I am not willing to set up packet forwarding, GRE, nor any another "advanced technique". 
Only one simple thing is required: to shift a block of IPs at one interface. 




-- 
qq~~~~\	
/ /\   \
\  /_/ /
 \____/

2.4 - net/ipv4/route.c/ip_route_output_slow()

[Innocenti Maresin]

Ok, my dear kernel coding gurus. 
You have almost nothing to say about "internal IP addresses" and "connect() failures". 
Let me swicth the question's language :) 
Please, help with the function ip_route_output_slow() in net/ipv4/route.c. 
There is such code as:
        if (res.type == RTN_NAT)
                goto e_inval;

In late 2.4 it is line 1922 (2.6 is irrelevant because of elimination of RTN_NAT). 
I realize that this condition means, at least, an explicit ban 
on all attempts to use RTN_NATted destination addresses in connect(), 
so the kernel fails before the process (or the transport level) attempts to send any packet. 
Please, tell me, what value should return this function by design 
and what is the difference between it and a similar situation in ip_route_input_slow() 
where fib_rules_map_destination() is called instead of just failing. 
For what reasons (religious, I think) locally generated packets 
may not be RTN_NATted in a manner similar to the routing of forwarding traffic? 

Thank you for your attention.


-- 
qq~~~~\	
/ /\   \
\  /_/ /
 \____/

Re: 2.4 - net/ipv4/route.c/ip_route_output_slow()

[David Miller]

From: Innocenti Maresin <qq@inCTV.ru>
Date: Sun, 13 Aug 2006 15:17:09 +0000

> Ok, my dear kernel coding gurus.  You have almost nothing to say
> about "internal IP addresses" and "connect() failures".

Probably because you are asking this question on the wrong
list.  The kernel networking developers subscribe to
netdev@vger.kernel.org rather than linux-kernel

Re: Q: remapping IP addresses for inbound and outbound traffic

[Jan Engelhardt]

Hi,

>The software of this box needs to connect all hosts in both networks, and
>also to receive inbound TCP connections.  The evident way is to "remap"
>overlapping IPv4 area of one network to some "place" not used neither in it
>nor in other.  This means that, when we receive a packet from remapped area,
>the kernel should replace the source IP to an "internal representaion". 
>Versa, sending something to "internally represented" IP the kernel should
>replace such IP by its external value.  I clarify these terms so carefully
>because in news:comp.os.linux.networking some people state that I "use terms
>in strange ways" :)
>
>The question is: how to do it? Please, don't say quicky "iproute2" and
>"RTFM".  Iproute2 can do such things when *forwarding* packets.  I need no
>forwarding at all, no *connection* between 2 networks.  I need only to
>*serve* both networks, such that some "external" IPs need to be replaced by
>internally used IP and versa.  All this at one Linux box. No forwarding
>traffic. Only inbound and outbound.

I am working on a small module doing something like that, changing IP 
addresses before the NAT code sees them, in mangle.

  http://jengelh.hopto.org/f/xt_MAP-v0.tar.bz2

I still cannot get outgoing mangled packets (see command below) to reach 
their destination:

  iptables -t mangle -A POSTROUTING -d 134.76.13.21 -j MAP \
    --map-dest 134.76.13.28

ping and TCP packets seem to leave the box (tcpdump), but there are no 
responses (neither negative responses). The destination box's tcpdump also 
shows nothing.
netfilter list, am I missing something like recalculating IP checksums?



Jan Engelhardt
--