I am working on a proxy agent that will be running on the client’s local machine. All connections to internet servers will first be sent to the local proxy, then the local proxy will make connections to the internet server and send data back to the local client application.

    Client machine                           internet server
    Web browser <-> proxy <----------------> server

The proxy is running as localhost:proxy_port.

I use netfilter_queue to act as the proxy. I have these rules to direct traffic to user space:

    iptables -t raw -A OUTPUT -p tcp -j NFQUEUE --queue-num 0
    iptables -t raw -A PREROUTING -p tcp -j NFQUEUE --queue-num 0

(I also tried the filter table with the INPUT and OUTPUT chains; it has the same problem described below.)

Then the user space program will NAT traffic:

If out-going packet client:client_port->server:server_port
    DNAT the packet client:client_port->localhost:proxy_port
    Use raw socket to send the NATed packet to the local proxy (I also tried set_verdict NF_ACCEPT, but it did not work)

If incoming packet from proxy localhost:proxy_port->client:client_port
    SNAT the packet server:server_port->client:client_port
    Set verdict NF_STOP to pass on the packet to the stack (also tried NF_ACCEPT, but it did not work)

Things are basically working until the server closes the connection. The server sends a FIN to the local proxy, and the local proxy passes the FIN on to the client application, localhost:proxy_port->client:client_port (FIN). This FIN is then SNATed to the local client to look like a FIN from the server, server:server_port->client:client_port. After setting verdict NF_STOP and releasing the FIN to the stack, I expect to get back an ACK for the FIN which looks like client:client_port->server:server_port. HOWEVER, the stack is sending an ACK like client:client_port->localhost:server_port.

I don’t know what I am missing here!! Basically, after I NATed the packet in the netfilter_queue user space program, I don’t know how to pass/reinject it to the stack.

Any help will be highly appreciated!!!
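An added example, not code from the original post: the per-packet step the message describes (rewriting one address and port of a queued IPv4/TCP packet), including the IPv4 header and TCP checksum recomputation that any user-space NAT has to perform before handing the packet back. The names nat_rewrite and checksums_ok are hypothetical, the sample packet and its addresses are constructed, and no libnetfilter_queue calls are shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: FIN/ACK from the proxy 127.0.0.1:8080 to a client
 * 10.0.0.5:40000, both checksum fields zeroed. */
const uint8_t sample_fin[40] = {
    0x45,0,0,40, 0,1,0x40,0, 64,6,0,0, 127,0,0,1, 10,0,0,5,
    0x1f,0x90, 0x9c,0x40, 0,0,0,1, 0,0,0,1, 0x50,0x11, 0xff,0xff, 0,0, 0,0 };

/* RFC 1071 one's-complement sum of big-endian 16-bit words. */
static uint32_t csum_add(const uint8_t *p, size_t n, uint32_t sum) {
    for (; n > 1; p += 2, n -= 2) sum += (uint32_t)p[0] << 8 | p[1];
    return n ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* TCP checksum: pseudo-header (src, dst, protocol 6, TCP length) + segment. */
static uint16_t tcp_csum(const uint8_t *ip, size_t ihl, size_t tcp_len) {
    uint32_t sum = csum_add(ip + 12, 8, 6 + (uint32_t)tcp_len);
    return csum_fold(csum_add(ip + ihl, tcp_len, sum));
}
/* Returns 1 when the IPv4 header and TCP checksums both verify. */
int checksums_ok(const uint8_t *pkt) {
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = (size_t)pkt[2] << 8 | pkt[3];
    return csum_fold(csum_add(pkt, ihl, 0)) == 0 &&
           tcp_csum(pkt, ihl, tot - ihl) == 0;
}
/* Rewrite the destination (dnat != 0) or source (dnat == 0) address and port
 * in place, then recompute both checksums. Returns -1 for anything that is
 * not an unfragmented, complete IPv4/TCP packet. */
int nat_rewrite(uint8_t *pkt, size_t len, int dnat,
                const uint8_t addr[4], uint16_t port) {
    if (len < 20 || pkt[0] >> 4 != 4 || pkt[9] != 6) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, tot = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || tot > len || tot < ihl + 20) return -1;
    if ((pkt[6] & 0x3f) | pkt[7]) return -1;   /* MF set or offset != 0 */
    uint8_t *tcp = pkt + ihl;
    memcpy(pkt + (dnat ? 16 : 12), addr, 4);
    tcp[dnat ? 2 : 0] = (uint8_t)(port >> 8);
    tcp[dnat ? 3 : 1] = (uint8_t)port;
    pkt[10] = pkt[11] = 0;                      /* IPv4 header checksum */
    uint16_t c = csum_fold(csum_add(pkt, ihl, 0));
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
    tcp[16] = tcp[17] = 0;                      /* TCP checksum */
    c = tcp_csum(pkt, ihl, tot - ihl);
    tcp[16] = (uint8_t)(c >> 8); tcp[17] = (uint8_t)c;
    return 0;
}
```

The rewrite is stateless: a reply the stack generates (such as the ACK for a rewritten FIN) is addressed from the stack's own view of the connection, so the program has to apply the matching rewrite to packets in the opposite direction as well.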