RE: SNMP mangling anybody?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Robert,

Some progress on this - continuing with the "clientaddr" approach only - no SNAT - changing /proc/sys/net/ipv4/conf/bond0.2/rp_filter=2 (was 1) stopped the blocking of the SNMP response.  See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/ip-sysctl.txt?id=bb077d600689dbf9305758efed1e16775db1c84c#n961

I don't fully understand why rp thinks a default route in table main is better than a default route in my table, but - clearly - it's not a netfilter thing.

I'll try using SNAT and will report final results back.

ed

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Robert White
Sent: Thursday, November 30, 2017 6:03 AM
To: FAIR, ED <ef7193@xxxxxxx>; netfilter@xxxxxxxxxxxxxxx
Subject: Re: SNMP mangling anybody?

You need to bind the socket to the specific interface using your
application.

For snmpget, for example, you can use the snmp.conf file or just add the
clientaddr option on the command line.

so using:

snmpget --clientaddr=udp:192.168.168.3 (rest of stuff)

would bind the get to the local address, and so interface, you
specified. You seem to already know about this but want to avoid it for
some reason.

You are correct that policy routing does not rewrite packet addresses.
That's not what it's for. Rule based nat can do it, but that's not your
best option.

If you want to rewrite the addres, then SNAT the packet (that's what
snat is for, ha ha ha).

But really, unless you have some reason no to, you should use the most
native tool (the clientaddr option or similar) instead of getting "tricky".

As Scotty famously said "the more you over-think the plumbing, the
easier it is to stop up the pipes."

You can use the mark to limit the snat in postrouting, presuming you're
getting the packets marked properly.


iptables --append POSTROUTING \
  --match mark --mark 256 \
  --jump SNAT --to-source 192.168.168.7

But seriously, clientaddr is your best option.

--Rob

On 11/29/2017 04:27 PM, FAIR, ED wrote:
> Hi,
> 
> Are there any members here successfully mangling SNMP requests/replies (udp 161)?  I'm trying to policy-route my outbound SNMP requests, but my efforts have been unsuccessful to date.  I'd like to hear how you do it.
> 
> I have two interfaces in play; I do not have routing turned on; bond0.1 is used for the default route (main table); I would like to policy-route just the locally-generated SNMP requests via bond0.2 towards a NAT device.  So I use:
> 
> 	ip route add to unicast default table 7 via 192.168.168.7 dev bond0.2 src 192.168.168.3   #192.168.168.7 is a NAT server, 192.168.168.3 is the address assigned to bond0.2
> 	iptables -t mangle -A OUTPUT -p udp --dport 161 -j MARK --set-mark 256
> 	ip rule add priority 9999 type unicast fwmark 256 table 7
> 	ip route flush cache table 7
> 
> In the above configuration, the SNMP requests correctly egress via bond0.2 - the policy-routing is having some effect - but the requests retain the bond0.1 address in the IP SRC - the policy-routing doesn't update the IP SRC as I had hoped.  
> 
> For testing, I'm using net-snmp-utils "snmpget" command, with no "clientaddr" specified.
> 
> Thanks in Advance!
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  https://urldefense.proofpoint.com/v2/url?u=http-3A__vger.kernel.org_majordomo-2Dinfo.html&d=DwICaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=EcfiRiy5hyhMv-HmmFZ9UQ&m=ErY6jrDvV-IC87sFqWwJ3OC9zr-csqR8c-9DHMubxjE&s=tQJcdPEWjM68iFLr0luAH8uSL0Lw_XpnCKtepViM084&e= 
> 

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  https://urldefense.proofpoint.com/v2/url?u=http-3A__vger.kernel.org_majordomo-2Dinfo.html&d=DwICaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=EcfiRiy5hyhMv-HmmFZ9UQ&m=ErY6jrDvV-IC87sFqWwJ3OC9zr-csqR8c-9DHMubxjE&s=tQJcdPEWjM68iFLr0luAH8uSL0Lw_XpnCKtepViM084&e= 
��.n��������+%������w��{.n����z��׫�)��jg��������ݢj����G�������j:+v���w�m������w�������h�����٥




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux