Kernel generated packets and ipsec policies

Hi,

I am writing a netfilter module which is supposed to run on a firewall,
and protect some servers behind it.

The module is manipulating TCP connections that are routed through the
box, i.e. passing through the FORWARD chain. Occasionally it needs to
generate and send packets itself, pretending to come from the other
end of the connection.

To send a packet itself, it allocates an skb, puts together the IP and TCP
headers and a fake MAC header, and then calls netif_rx(skb).
It does not use ip_local_out like the other places in the kernel
(e.g. send_reset in ipt_REJECT.c) that send out kernel-generated
packets, because to the rest of the firewall the packet should appear
as much as possible to be part of the original connection.

Now the actual question:

Normally this works well, except if the connection passes through an
ipsec tunnel, which ends on the firewall. In this case, the following
code in net/ipv4/ip_forward.c

        if (!xfrm4_policy_check(NULL, XFRM_POLICY_FWD, skb))
                goto drop;

will drop the packet.

Is there some way to prevent the xfrm4_policy_check from rejecting
the packet? The only way I could think of was to somehow mark the
skb and then check the marker in ip_forward:

        /* skip the xfrm check only for packets carrying the module's marker */
        if (!marker_present(skb) && !xfrm4_policy_check(NULL, XFRM_POLICY_FWD, skb))
                goto drop;

but that seems too ad hoc, and besides I want to keep the number of
changes to the kernel at a minimum.


-- 

Mit freundlichen Grüßen / with kind regards

Nils Rennebarth, Software Developer

--
Funkwerk IP-Appliances GmbH
Mönchhaldenstraße 28
D-70191 Stuttgart

Tel: +49 711 900300 - 0
Fax: +49 711 900300 - 90

E-Mail: Nils.Rennebarth@xxxxxxxxxxxxxxx

Location: GmbH Nuernberg, Local Court Nuernberg, HRB 25481
Managing Directors: Torsten Urban