* Problem setting up nftables dnat : dport set to 0 instead of requested value (22)
From: leroy christophe @ 2014-12-10 14:39 UTC
To: Pablo Neira Ayuso, netfilter; +Cc: GUITTON Alex
Hi,
I'm trying to redirect incoming tcp connections for port 222 to local
port 22 (because I will dnat incoming connections for port 22 to another
destination).
I've set the following ruleset, and the logs show that the port gets value 0
instead of 22.
What am I doing wrong?
Thanks
Christophe
[ 7621.325382] IN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18010 DF PROTO=TCP
SPT=54872 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
[ 7621.325785] IN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18010 DF PROTO=TCP
SPT=54872 DPT=0 WINDOW=14600 RES=0x00 SYN URGP=0
# nft list ruleset -nn
table ip filter {
chain input {
type filter hook input priority 0;
oifname "lo" accept
ct state established,related accept
ct state new tcp dport 22 log accept
ip protocol icmp accept
udp dport { 138, 1534, 137, 17500, 67, 631, 68} drop
log reject with icmp type host-prohibited
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
tcp dport 222 counter packets 1 bytes 60 log dnat :22
}
chain postrouting {
type nat hook postrouting priority 0;
ip saddr 192.168.0.3 oif eth1 masquerade
}
}
* Re: Problem setting up nftables dnat : dport set to 0 instead of requested value (22)
From: Pablo Neira Ayuso @ 2014-12-10 18:22 UTC
To: leroy christophe; +Cc: netfilter, GUITTON Alex, arturo.borrero.glez
On Wed, Dec 10, 2014 at 03:39:04PM +0100, leroy christophe wrote:
> Hi,
>
> I'm trying to redirect incoming tcp connections for port 222 to
> local port 22 (because I will dnat incoming connections for port 22
> to another destination).
Then you have to use "redirect" instead of "dnat". "redirect" will be
available since the upcoming 3.19-rc.
Cc'ing Arturo, he has worked on the redirect support.
@Arturo: Could you add documentation for your 'redirect' support to ?
http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
Thanks.
* Re: Problem setting up nftables dnat : dport set to 0 instead of requested value (22)
From: Arturo Borrero Gonzalez @ 2014-12-10 20:29 UTC
To: Pablo Neira Ayuso
Cc: leroy christophe, Netfilter Users Mailing list, GUITTON Alex
On 10 December 2014 at 19:22, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> @Arturo: Could you add documentation for your 'redirect' support to ?
>
Done:
http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect
regards.
--
Arturo Borrero González
* Re: Problem setting up nftables dnat : dport set to 0 instead of requested value (22)
From: leroy christophe @ 2014-12-11 13:12 UTC
To: Pablo Neira Ayuso, arturo.borrero.glez; +Cc: netfilter, GUITTON Alex
On 10/12/2014 19:22, Pablo Neira Ayuso wrote:
> On Wed, Dec 10, 2014 at 03:39:04PM +0100, leroy christophe wrote:
>> Hi,
>>
>> I'm trying to redirect incoming tcp connections for port 222 to
>> local port 22 (because I will dnat incoming connections for port 22
>> to another destination).
> Then you have to use "redirect" instead of "dnat". "redirect" will be
> available since the upcoming 3.19-rc.
>
> Cc'ing Arturo, he has worked on the redirect support.
>
> @Arturo: Could you add documentation for your 'redirect' support to ?
>
> http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
>
> Thanks.
>
Thanks for the information.
I have now applied patches 8d13edd, 9de920e and e9105f1 on my 3.18
kernel, so now the redirect rule is accepted, but I still get the same
issue: dport gets value 0 instead of 22 after the redirect, see below.
Is there any other patch to apply?
Christophe
[ 932.304106] redir IN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22863 DF PROTO=TCP
SPT=55116 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
[ 932.304523] rejected IN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22863 DF PROTO=TCP
SPT=55116 DPT=0 WINDOW=14600 RES=0x00 SYN URGP=0
# nft list ruleset -nn
table ip filter {
chain input {
type filter hook input priority 0;
oifname "lo" accept
ct state established,related accept
ct state new tcp dport 22 log prefix "ssh " accept
ip protocol icmp accept
udp dport { 631, 137, 68, 67, 1534, 17500, 138} drop
log prefix "rejected " reject with icmp type host-prohibited
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
tcp dport 222 counter packets 1 bytes 60 log prefix "redir " redirect :22
}
chain postrouting {
type nat hook postrouting priority 0;
ip saddr 192.168.0.3 oif eth1 masquerade
}
}
* Re: Problem setting up nftables dnat : dport set to 0 instead of requested value (22)
From: leroy christophe @ 2014-12-12 10:08 UTC
To: Pablo Neira Ayuso, arturo.borrero.glez; +Cc: netfilter, GUITTON Alex
On 11/12/2014 14:12, leroy christophe wrote:
>
> On 10/12/2014 19:22, Pablo Neira Ayuso wrote:
>> On Wed, Dec 10, 2014 at 03:39:04PM +0100, leroy christophe wrote:
>>> Hi,
>>>
>>> I'm trying to redirect incoming tcp connections for port 222 to
>>> local port 22 (because I will dnat incoming connections for port 22
>>> to another destination).
>> Then you have to use "redirect" instead of "dnat". "redirect" will be
>> available since the upcoming 3.19-rc.
>>
>> Cc'ing Arturo, he has worked on the redirect support.
>>
>> @Arturo: Could you add documentation for your 'redirect' support to ?
>>
>> http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
>>
>>
>> Thanks.
>>
> Thanks for the information.
>
> I have now applied patches 8d13edd, 9de920e and e9105f1 on my 3.18
> kernel, so now the redirect rule is accepted, but I still get the same
> issue: dport gets value 0 instead of 22 after the redirect, see below.
>
> Is there any other patch to apply?
>
> Christophe
>
Issue identified. I'll write another mail to explain it.
Christophe
>
> [ 932.304106] redir IN=eth0 OUT=
> MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
> DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22863 DF
> PROTO=TCP SPT=55116 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
> [ 932.304523] rejected IN=eth0 OUT=
> MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
> DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22863 DF
> PROTO=TCP SPT=55116 DPT=0 WINDOW=14600 RES=0x00 SYN URGP=0
>
* bug : nft_redirect port byteorder issue
From: leroy christophe @ 2014-12-12 10:16 UTC
To: Pablo Neira Ayuso, arturo.borrero.glez
Cc: netfilter, GUITTON Alex, netfilter-devel
Hi,
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
tcp dport 222 redirect :22
}
chain postrouting {
type nat hook postrouting priority 0;
}
}
With the above rules, data[priv->sreg_proto_min].data[0] has value
0x160000 instead of 0x16 on powerpc (big-endian byte order).
Due to this, mr.range[0].min.all gets assigned value 0 instead of 22.
The patch below fixes it, but it is maybe not the proper way to fix it, so I
leave it up to you.
Christophe
diff --git a/net/ipv4/netfilter/nft_redir_ipv4.c
b/net/ipv4/netfilter/nft_redir_ipv4.c
index 643c596..554bb32 100644
--- a/net/ipv4/netfilter/nft_redir_ipv4.c
+++ b/net/ipv4/netfilter/nft_redir_ipv4.c
@@ -28,9 +28,9 @@ static void nft_redir_ipv4_eval(const struct nft_expr
*expr,
memset(&mr, 0, sizeof(mr));
if (priv->sreg_proto_min) {
mr.range[0].min.all = (__force __be16)
- data[priv->sreg_proto_min].data[0];
+ *(__be16*)&data[priv->sreg_proto_min].data[0];
mr.range[0].max.all = (__force __be16)
- data[priv->sreg_proto_max].data[0];
+ *(__be16*)&data[priv->sreg_proto_max].data[0];
mr.range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
}
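Review bot: The new `*(__be16*)&data[priv->sreg_proto_min].data[0]` read does fix the truncation (on a big-endian host the u32 register holds 0x00160000, so casting it to __be16 keeps the zero low half), but since the dereference already yields a __be16, the `(__force __be16)` cast kept on the two preceding lines is now redundant and should be dropped; kernel style also wants the pointer cast written as `*(__be16 *)&...`. The same two assignments exist in nft_nat.c and nft_redir_ipv6.c (as the later replies note), so the change belongs in all three call sites as one series, and the patch needs a commit message and a Signed-off-by line before it can be applied with git am.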
* Re: bug : nft_redirect port byteorder issue
From: Arturo Borrero Gonzalez @ 2014-12-12 10:49 UTC
To: leroy christophe
Cc: Pablo Neira Ayuso, GUITTON Alex,
Netfilter Development Mailing list
On 12 December 2014 at 11:16, leroy christophe <christophe.leroy@c-s.fr> wrote:
> Hi,
>
> table ip nat {
> chain prerouting {
> type nat hook prerouting priority 0;
> tcp dport 222 redirect :22
> }
> chain postrouting {
> type nat hook postrouting priority 0;
> }
> }
>
> With the above rules, data[priv->sreg_proto_min].data[0] has value 0x160000
> instead of 0x16 on powerpc (big-endian byte order).
>
> Due to this, mr.range[0].min.all gets assigned value 0 instead of 22.
>
> The patch below fixes it, but it is maybe not the proper way to fix it, so I leave
> it up to you.
>
> Christophe
>
> diff --git a/net/ipv4/netfilter/nft_redir_ipv4.c
> b/net/ipv4/netfilter/nft_redir_ipv4.c
> index 643c596..554bb32 100644
> --- a/net/ipv4/netfilter/nft_redir_ipv4.c
> +++ b/net/ipv4/netfilter/nft_redir_ipv4.c
> @@ -28,9 +28,9 @@ static void nft_redir_ipv4_eval(const struct nft_expr
> *expr,
> memset(&mr, 0, sizeof(mr));
> if (priv->sreg_proto_min) {
> mr.range[0].min.all = (__force __be16)
> - data[priv->sreg_proto_min].data[0];
> +
> *(__be16*)&data[priv->sreg_proto_min].data[0];
> mr.range[0].max.all = (__force __be16)
> - data[priv->sreg_proto_max].data[0];
> +
> *(__be16*)&data[priv->sreg_proto_max].data[0];
> mr.range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
> }
>
With nft_nat and nft_redir_ipv6, the three pieces of code are almost the same:
http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nft_nat.c
http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/ipv6/netfilter/nft_redir_ipv6.c
Since it seems the same issue may appear, would you like to patch all of them?
regards.
--
Arturo Borrero González
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: bug : nft_redirect port byteorder issue
From: leroy christophe @ 2014-12-12 11:07 UTC
To: Arturo Borrero Gonzalez
Cc: Pablo Neira Ayuso, GUITTON Alex,
Netfilter Development Mailing list
On 12/12/2014 11:49, Arturo Borrero Gonzalez wrote:
> With nft_nat and nft_redir_ipv6, the three pieces of code are almost the same:
>
> http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nft_nat.c
> http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/ipv6/netfilter/nft_redir_ipv6.c
>
> Since it seems the same issue may appear, would you like to patch all of them?
>
> regards.
Hi,
Yes the issue is most likely the same, so I believe it should also be
fixed there.
Christophe
* Re: bug : nft_redirect port byteorder issue
From: Arturo Borrero Gonzalez @ 2014-12-12 11:55 UTC
To: leroy christophe
Cc: Pablo Neira Ayuso, GUITTON Alex,
Netfilter Development Mailing list
On 12 December 2014 at 12:07, leroy christophe <christophe.leroy@c-s.fr> wrote:
>
> On 12/12/2014 11:49, Arturo Borrero Gonzalez wrote:
>>
>> With nft_nat and nft_redir_ipv6, the three pieces of code are almost the same:
>>
>>
>> http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nft_nat.c
>>
>> http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/ipv6/netfilter/nft_redir_ipv6.c
>>
>> Since it seems the same issue may appear, would you like to patch all of
>> them?
>>
>> regards.
>
> Hi,
>
> Yes the issue is most likely the same, so I believe it should also be fixed
> there.
>
BTW, please send your patches to netfilter-devel. No need to CC
netfilter@vger.kernel.org.
Patches should include the Signed-off-by line (please be sure they
apply with git am).
Thanks, regards.
--
Arturo Borrero González
* Re: bug : nft_redirect port byteorder issue
From: leroy christophe @ 2014-12-12 12:55 UTC
To: Arturo Borrero Gonzalez, Pablo Neira Ayuso
Cc: GUITTON Alex, Netfilter Development Mailing list
On 12/12/2014 12:55, Arturo Borrero Gonzalez wrote:
> On 12 December 2014 at 12:07, leroy christophe <christophe.leroy@c-s.fr> wrote:
>> On 12/12/2014 11:49, Arturo Borrero Gonzalez wrote:
>>> With nft_nat and nft_redir_ipv6, the three pieces of code are almost the same:
>>>
>>>
>>> http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nft_nat.c
>>>
>>> http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/ipv6/netfilter/nft_redir_ipv6.c
>>>
>>> Since it seems the same issue may appear, would you like to patch all of
>>> them?
>>>
>>> regards.
>> Hi,
>>
>> Yes the issue is most likely the same, so I believe it should also be fixed
>> there.
>>
> BTW, please send your patches to netfilter-devel. No need to CC
> netfilter@vger.kernel.org.
> Patches should include the Signed-off-by line (please be sure they
> apply with git am).
>
> Thanks, regards.
>
I'm not sure whether what I proposed is the correct patch; maybe it should be
fixed earlier in the chain, I don't know.
So I prefer that you or Pablo look at it and do what's best.
Regards
Christophe
* Re: bug : nft_redirect port byteorder issue
From: Patrick McHardy @ 2014-12-12 15:25 UTC
To: leroy christophe
Cc: Arturo Borrero Gonzalez, Pablo Neira Ayuso, GUITTON Alex,
Netfilter Development Mailing list
On 12.12, leroy christophe wrote:
> On 12/12/2014 12:55, Arturo Borrero Gonzalez wrote:
> >On 12 December 2014 at 12:07, leroy christophe <christophe.leroy@c-s.fr> wrote:
> I'm not sure whether what I proposed is the correct patch; maybe it should be fixed
> earlier in the chain, I don't know.
Yeah, I'm not so sure myself.
Could you please try what happens if you do:
... tcp dport 222 redir :tcp dport
Which should redirect to the same port, but I'm interested if it
actually does that.
* Re: bug : nft_redirect port byteorder issue
From: leroy christophe @ 2014-12-12 16:20 UTC
To: Patrick McHardy
Cc: Arturo Borrero Gonzalez, Pablo Neira Ayuso, GUITTON Alex,
Netfilter Development Mailing list
On 12/12/2014 16:25, Patrick McHardy wrote:
> On 12.12, leroy christophe wrote:
>> On 12/12/2014 12:55, Arturo Borrero Gonzalez wrote:
>>> On 12 December 2014 at 12:07, leroy christophe <christophe.leroy@c-s.fr> wrote:
>> I'm not sure whether what I proposed is the correct patch; maybe it should be fixed
>> earlier in the chain, I don't know.
> Yeah, I'm not so sure myself.
>
> Could you please try what happens if you do:
>
> ... tcp dport 222 redir :tcp dport
>
> Which should redirect to the same port, but I'm interested if it
> actually does that.
>
Without my patch, I get the following. Note the strange value in the DPT
on the second line.
[ 61.377273] redirIN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29122 DF PROTO=TCP
SPT=55626 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
[ 61.377816] rejected IN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29122 DF PROTO=TCP
SPT=55626 DPT=20 WINDOW=14600 RES=0x00 SYN URGP=0
With my patch, I get the correct port.
[ 511.994597] redirIN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21300 DF PROTO=TCP
SPT=55622 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
[ 511.994999] rejected IN=eth0 OUT=
MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21300 DF PROTO=TCP
SPT=55622 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
* Re: bug : nft_redirect port byteorder issue
From: Patrick McHardy @ 2014-12-12 16:40 UTC
To: leroy christophe
Cc: Arturo Borrero Gonzalez, Pablo Neira Ayuso, GUITTON Alex,
Netfilter Development Mailing list
On 12.12, leroy christophe wrote:
> On 12/12/2014 16:25, Patrick McHardy wrote:
> >On 12.12, leroy christophe wrote:
> >>On 12/12/2014 12:55, Arturo Borrero Gonzalez wrote:
> >>>On 12 December 2014 at 12:07, leroy christophe <christophe.leroy@c-s.fr> wrote:
> >>I'm not sure whether what I proposed is the correct patch; maybe it should be fixed
> >>earlier in the chain, I don't know.
> >Yeah, I'm not so sure myself.
> >
> >Could you please try what happens if you do:
> >
> >... tcp dport 222 redir :tcp dport
> >
> >Which should redirect to the same port, but I'm interested if it
> >actually does that.
> >
> Without my patch, I get the following. Note the strange value in the DPT on
> the second line.
>
> [ 61.377273] redirIN=eth0 OUT=
> MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
> DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29122 DF PROTO=TCP
> SPT=55626 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
> [ 61.377816] rejected IN=eth0 OUT=
> MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
> DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=29122 DF PROTO=TCP
> SPT=55626 DPT=20 WINDOW=14600 RES=0x00 SYN URGP=0
Strange, not sure why it is 20.
> With my patch, I get the correct port.
>
> [ 511.994597] redirIN=eth0 OUT=
> MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
> DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21300 DF PROTO=TCP
> SPT=55622 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
> [ 511.994999] rejected IN=eth0 OUT=
> MAC=08:00:51:20:44:5b:08:00:27:fe:42:1e:08:00 SRC=172.25.231.37
> DST=172.25.231.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21300 DF PROTO=TCP
> SPT=55622 DPT=222 WINDOW=14600 RES=0x00 SYN URGP=0
Thanks! I'll have another look later, but it seems your patch is fine.
* Re: bug : nft_redirect port byteorder issue
From: Pablo Neira Ayuso @ 2014-12-22 11:54 UTC
To: leroy christophe
Cc: arturo.borrero.glez, GUITTON Alex, netfilter-devel, kaber
On Fri, Dec 12, 2014 at 11:16:29AM +0100, leroy christophe wrote:
> Hi,
>
> table ip nat {
> chain prerouting {
> type nat hook prerouting priority 0;
> tcp dport 222 redirect :22
> }
> chain postrouting {
> type nat hook postrouting priority 0;
> }
> }
>
> With the above rules, data[priv->sreg_proto_min].data[0] has value
> 0x160000 instead of 0x16 on powerpc (big-endian byte order).
>
> Due to this, mr.range[0].min.all gets assigned value 0 instead of 22.
>
> The patch below fixes it, but it is maybe not the proper way to fix it,
> so I leave it up to you.
>
> Christophe
>
> diff --git a/net/ipv4/netfilter/nft_redir_ipv4.c
> b/net/ipv4/netfilter/nft_redir_ipv4.c
> index 643c596..554bb32 100644
> --- a/net/ipv4/netfilter/nft_redir_ipv4.c
> +++ b/net/ipv4/netfilter/nft_redir_ipv4.c
> @@ -28,9 +28,9 @@ static void nft_redir_ipv4_eval(const struct
> nft_expr *expr,
> memset(&mr, 0, sizeof(mr));
> if (priv->sreg_proto_min) {
> mr.range[0].min.all = (__force __be16)
> - data[priv->sreg_proto_min].data[0];
> + *(__be16*)&data[priv->sreg_proto_min].data[0];
> mr.range[0].max.all = (__force __be16)
> - data[priv->sreg_proto_max].data[0];
> + *(__be16*)&data[priv->sreg_proto_max].data[0];
> mr.range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
> }
It seems userspace was generating the wrong bytecode, so your
workaround was reversing the port values again.
Please, test the userspace fix I sent you and get back to us.
Thanks for diagnosing!
* Re: bug : nft_redirect port byteorder issue
From: Patrick McHardy @ 2014-12-22 12:44 UTC
To: Pablo Neira Ayuso, leroy christophe
Cc: arturo.borrero.glez, GUITTON Alex, netfilter-devel
On 22 December 2014 12:54:48 CET, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>On Fri, Dec 12, 2014 at 11:16:29AM +0100, leroy christophe wrote:
>> Hi,
>>
>> table ip nat {
>> chain prerouting {
>> type nat hook prerouting priority 0;
>> tcp dport 222 redirect :22
>> }
>> chain postrouting {
>> type nat hook postrouting priority 0;
>> }
>> }
>>
>> With the above rules, data[priv->sreg_proto_min].data[0] has value
>> 0x160000 instead of 0x16 on powerpc (big-endian byte order).
>>
>> Due to this, mr.range[0].min.all gets assigned value 0 instead of 22.
>>
>> The patch below fixes it, but it is maybe not the proper way to fix it,
>> so I leave it up to you.
>>
>> Christophe
>>
>> diff --git a/net/ipv4/netfilter/nft_redir_ipv4.c
>> b/net/ipv4/netfilter/nft_redir_ipv4.c
>> index 643c596..554bb32 100644
>> --- a/net/ipv4/netfilter/nft_redir_ipv4.c
>> +++ b/net/ipv4/netfilter/nft_redir_ipv4.c
>> @@ -28,9 +28,9 @@ static void nft_redir_ipv4_eval(const struct
>> nft_expr *expr,
>> memset(&mr, 0, sizeof(mr));
>> if (priv->sreg_proto_min) {
>> mr.range[0].min.all = (__force __be16)
>> - data[priv->sreg_proto_min].data[0];
>> + *(__be16*)&data[priv->sreg_proto_min].data[0];
>> mr.range[0].max.all = (__force __be16)
>> - data[priv->sreg_proto_max].data[0];
>> + *(__be16*)&data[priv->sreg_proto_max].data[0];
>> mr.range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
>> }
>
>It seems userspace was generating the wrong bytecode, so your
>workaround was reversing the port values again.
>
>Please, test the userspace fix I sent you and get back to us.
I actually think this is exactly what needs to be done since it also matches what we're doing for runtime gathered data.
>
>Thanks for diagnosing!
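Why the truncating cast yields 0 on powerpc but 22 on x86, as an added illustration that is not code from this thread or from the kernel: it models the 32-bit register as four bytes holding the port in network byte order at the start, as Christophe's report describes, and evaluates the original read and the patched read under each host byte order. The struct, the helper names and the HOST_BE/HOST_LE flag are this illustration's assumptions, not kernel identifiers.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one nf_tables data register: the u32 the thread
 * calls data[i].data[0]. Userspace (and a two-byte payload load such as
 * "tcp dport" at runtime) writes the port into the first two bytes of the
 * register in network byte order and leaves the other bytes zero. */
struct nft_reg {
    uint8_t b[4];
};

enum { HOST_LE = 0, HOST_BE = 1 };

/* Fill a register the way "redirect :22" does: port 22 is 0x0016, so the
 * bytes are 00 16 00 00 whatever the host byte order. */
static struct nft_reg reg_with_port(uint16_t port)
{
    struct nft_reg r = { { (uint8_t)(port >> 8), (uint8_t)port, 0, 0 } };
    return r;
}

/* The u32 a host of the given byte order sees when it reads the register
 * as a whole, i.e. what data[...].data[0] evaluates to in C. */
static uint32_t reg_as_u32(struct nft_reg r, int big_endian)
{
    if (big_endian)
        return ((uint32_t)r.b[0] << 24) | ((uint32_t)r.b[1] << 16) |
               ((uint32_t)r.b[2] << 8)  |  (uint32_t)r.b[3];
    return ((uint32_t)r.b[3] << 24) | ((uint32_t)r.b[2] << 16) |
           ((uint32_t)r.b[1] << 8)  |  (uint32_t)r.b[0];
}

/* ntohs() as it behaves on that host: identity on big-endian, byte swap
 * on little-endian. */
static uint16_t ntohs_on(uint16_t v, int big_endian)
{
    return big_endian ? v : (uint16_t)((v << 8) | (v >> 8));
}

/* Original nft_redir_ipv4_eval():
 *     mr.range[0].min.all = (__force __be16)data[...].data[0];
 * The u32 is truncated to its low 16 bits, which are then treated as a
 * __be16. The port only survives where the low half happens to hold it. */
static uint16_t port_by_truncation(struct nft_reg r, int big_endian)
{
    uint16_t be16 = (uint16_t)reg_as_u32(r, big_endian);
    return ntohs_on(be16, big_endian);
}

/* Patched line from the thread:
 *     mr.range[0].min.all = *(__be16 *)&data[...].data[0];
 * Only the first two bytes are read, as one network-order 16-bit value. */
static uint16_t port_by_16bit_load(struct nft_reg r, int big_endian)
{
    uint16_t be16 = big_endian ? (uint16_t)((r.b[0] << 8) | r.b[1])
                               : (uint16_t)((r.b[1] << 8) | r.b[0]);
    return ntohs_on(be16, big_endian);
}

int main(void)
{
    struct nft_reg r = reg_with_port(22);

    /* Matches the thread: 0x00160000 on powerpc, 0x00001600 on x86. */
    printf("register as u32: big-endian 0x%08lx, little-endian 0x%08lx\n",
           (unsigned long)reg_as_u32(r, HOST_BE),
           (unsigned long)reg_as_u32(r, HOST_LE));
    printf("big-endian:    truncation -> %u, 16-bit load -> %u\n",
           (unsigned)port_by_truncation(r, HOST_BE),
           (unsigned)port_by_16bit_load(r, HOST_BE));
    printf("little-endian: truncation -> %u, 16-bit load -> %u\n",
           (unsigned)port_by_truncation(r, HOST_LE),
           (unsigned)port_by_16bit_load(r, HOST_LE));
    return 0;
}
```

The little-endian truncation only works because the low 16 bits of the u32 happen to be the two bytes the port was written into, which is why the bug stayed invisible on x86.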
* Re: bug : nft_redirect port byteorder issue
From: Pablo Neira Ayuso @ 2014-12-22 13:00 UTC
To: Patrick McHardy
Cc: leroy christophe, arturo.borrero.glez, GUITTON Alex,
netfilter-devel
On Mon, Dec 22, 2014 at 01:44:12PM +0100, Patrick McHardy wrote:
> On 22 December 2014 12:54:48 CET, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >On Fri, Dec 12, 2014 at 11:16:29AM +0100, leroy christophe wrote:
> >> Hi,
> >>
> >> table ip nat {
> >> chain prerouting {
> >> type nat hook prerouting priority 0;
> >> tcp dport 222 redirect :22
> >> }
> >> chain postrouting {
> >> type nat hook postrouting priority 0;
> >> }
> >> }
> >>
> >> With the above rules, data[priv->sreg_proto_min].data[0] has value
> >> 0x160000 instead of 0x16 on powerpc (big-endian byte order).
> >>
> >> Due to this, mr.range[0].min.all gets assigned value 0 instead of 22.
> >>
> >> The patch below fixes it, but it is maybe not the proper way to fix it,
> >> so I leave it up to you.
> >>
> >> Christophe
> >>
> >> diff --git a/net/ipv4/netfilter/nft_redir_ipv4.c
> >> b/net/ipv4/netfilter/nft_redir_ipv4.c
> >> index 643c596..554bb32 100644
> >> --- a/net/ipv4/netfilter/nft_redir_ipv4.c
> >> +++ b/net/ipv4/netfilter/nft_redir_ipv4.c
> >> @@ -28,9 +28,9 @@ static void nft_redir_ipv4_eval(const struct
> >> nft_expr *expr,
> >> memset(&mr, 0, sizeof(mr));
> >> if (priv->sreg_proto_min) {
> >> mr.range[0].min.all = (__force __be16)
> >> - data[priv->sreg_proto_min].data[0];
> >> + *(__be16*)&data[priv->sreg_proto_min].data[0];
> >> mr.range[0].max.all = (__force __be16)
> >> - data[priv->sreg_proto_max].data[0];
> >> + *(__be16*)&data[priv->sreg_proto_max].data[0];
> >> mr.range[0].flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
> >> }
> >
> >It seems userspace was generating the wrong bytecode, so your
> >workaround was reversing the port values again.
> >
> >Please, test the userspace fix I sent you and get back to us.
>
> I actually think this is exactly what needs to be done since it also
> matches what we're doing for runtime gathered data.
Sure, I just sent a new kernel patch to rectify.