mangle source address (to me) -> mistaken martian packet

Hi,
I am reviving a netfilter module, ipt_RELAY, which relays UDP packets between a dynamic set of endpoint pairs, with the pair assignment determined from the destination port. (I will submit updated source for the module, but would like to resolve the issue below first.)

The RELAY module, in the end, will be swapping the source and destination UDP/IP addresses, with the destination becoming the other endpoint and the source becoming this relay host (which was originally the destination of the packets).

This all works now and worked before, but it currently requires that the kernel be patched to allow spoofing/martian packets.

The RELAY module is added at PREROUTING with something like the following:
iptables -t mangle -A PREROUTING -p udp --dport 3000:4000 -j RELAY
and a running RELAY will be changing the source address to itself as part of this process.

'__mkroute_input' calls 'fib_validate_source' after the source of the packet has been modified by such a mangle rule, and without an 'allow-spoof' patch this code will report it as a martian packet and toss it.

But this is not a spoofed/martian packet. The packet was mangled intentionally to have the source address of 'this' host.

The options that I can think of for fixing/avoiding this problem are:
1. Do the address check before netfilter rules, not after, where the author of the rules should be responsible.
2. Add some flag, checked by the validate process, that the packet source was modified by netfilter, such that the validation should be skipped.
3. Use an 'allow-spoof' patch. This is a hack.
4. Split the iptables/nat rule into two: one PREROUTING rule that changes the destination and sets some marker, and one POSTROUTING rule that looks for the marker and changes the source to 'this' host. This is inefficient, more cumbersome, and requires host IP address information.

Are there other ways for my packets not to be mistaken for Martians?

Could the address verification happen before netfilter modifications?

Is there some flag that I am missing that allows me to mark the packet as altered, such that the validation would not report martian?

-Don Mahurin

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
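To make the ordering problem in the post concrete, here is an added Python model (not the ipt_RELAY module and not the kernel's fib code) of the path PREROUTING -> routing source validation -> POSTROUTING. It keeps only the local-source part of the kernel's check, and the relay address, endpoint pair and port are constructed for the example; it contrasts the single-rule swap with the split rewrite from option 4.

```python
from dataclasses import dataclass

RELAY_ADDR = "192.0.2.10"                        # constructed: this relay host
LOCAL_ADDRS = {RELAY_ADDR, "127.0.0.1"}          # addresses the host owns
PAIRS = {3000: ("198.51.100.1", "203.0.113.7")}  # constructed pair per dport

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0

def fib_validate_source(pkt):
    # Simplified model of the kernel check: a packet arriving from the network
    # whose source is one of this host's own addresses is a martian source.
    return pkt.src not in LOCAL_ADDRS

def other_endpoint(pkt):
    # Pair assignment is keyed by destination port, as in the post.
    a, b = PAIRS[pkt.dport]
    return b if pkt.src == a else a

def relay_prerouting_swap(pkt):
    # Single RELAY rule: rewrite destination and source together at PREROUTING.
    pkt.dst = other_endpoint(pkt)
    pkt.src = RELAY_ADDR
    return pkt

def relay_split_prerouting(pkt):
    # Option 4, first half: rewrite only the destination and set a marker.
    pkt.dst = other_endpoint(pkt)
    pkt.mark = 1
    return pkt

def relay_split_postrouting(pkt):
    # Option 4, second half: rewrite the source only after routing is done.
    if pkt.mark == 1:
        pkt.src = RELAY_ADDR
    return pkt

def forward(pkt, prerouting, postrouting):
    """PREROUTING -> routing (source validation) -> POSTROUTING.
    Returns the outgoing packet, or None if routing dropped it as martian."""
    pkt = prerouting(pkt)
    if not fib_validate_source(pkt):
        return None
    return postrouting(pkt)
```

Running both variants on the same inbound packet shows the single-rule swap being dropped at the validation step while the split rewrite reaches POSTROUTING with the expected addresses.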
