Mojtaba <mespio@xxxxxxxxx> wrote:
> Yes, for this reason I should add a conntrack entry before the kernel does in
> my userspace project. Because I have to forward the packet to another
> destination, I used --src-nat and --dst-nat options while adding the new
> conntrack entry, just as is obvious in the code below:
>
> nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
> nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("192.168.133.140"));
> nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("192.168.133.108"));
> nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_UDP);
> nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(6000));
> nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(5005));
> nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
> nfct_set_attr_u32(ct, ATTR_TIMEOUT, 60);
>
> nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("192.168.133.108"));
> nfct_set_attr_u32(ct, ATTR_DNAT_IPV4, inet_addr("192.168.133.150"));
> nfct_set_attr_u16(ct, ATTR_SNAT_PORT, htons(5070));
> nfct_set_attr_u16(ct, ATTR_DNAT_PORT, htons(6000));
>
> As far as I know, it is possible to delegate the verdict of packets to
> user-space. Here is the main point that is driving me confused. Suppose I
> used this rule in iptables:
>
> iptables -A INPUT -p udp --dport 5005 -j NFQUEUE --queue-num 0
>
> Then how could we make a verdict to forward the packet to another
> destination?

You can't, INPUT is too late and NFQUEUE can't tell the kernel to do NAT.

You could do what you want by placing NFQUEUE in raw PREROUTING, but in that
case all packets would get queued to userspace because no conntrack
information is available yet.

But if you create the conntrack entry, then after the accept verdict the
kernel would find the conntrack entry in place and perform NAT for it.

It would be possible to extend nfnetlink_queue to also allow changing NAT
properties of a conntrack entry provided the conntrack has not been
confirmed yet, but it would require kernel changes.
So, best option afaics is to use libnetfilter_conntrack to insert a new conntrack entry from the nfq callback.