Re: [nftables v0.9.2 | kernel 4.19.93] does redirect accept daddr?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 06/02/2020 02:01, ѽ҉ᶬḳ℠ wrote:

The aim is to prevent DNS query hijacking (e.g. as Android tries)

table nat {
    chain prerouting    { oif br-lan ip daddr != 192.168.112.12 udp dport 53 redirect to ip daddr 192.168.112.12;  } 
}

hooks/prio is otherwise defined but it prints this ominous error:

Error: syntax error, unexpected semicolon
The "redirect" statement results in the packet being directed to the primary address of the interface on which it was received. That's non-negotiable. As such, "ip daddr" is not supported as an aspect of its grammar. Indeed, that's not even how it works for the "dnat" statement. 

For instance, these are valid:

   redirect
   redirect to :8080

This is invalid:

   redirect to 1.2.3.4:8080

However, these are valid:

   dnat to 1.2.3.4
   dnat to 1.2.3.4:8080

Once you address this, any remaining errors should begin to make more sense.



Removing the offending semicolon it then prints:

Error: syntax error, unexpected newline

It is a bit difficult to understand what the issue really is.


Granted, the initial error was not particularly helpful.



----

Alternatively, this

table nat {
    chain prerouting    {  oif br-lan ip daddr != 192.168.112.12 udp dport 53 ip daddr set 192.168.112.12; } 
}
As I understand it, "ip daddr set" is permitted but is effectively a form of stateless DNAT. So, unlike "dnat", the conntrack subsystem won't automatically handle the rewriting of the source address along the inverse path. If in any doubt, that's probably not what you want. 



or a bit shorter even

table nat {
    chain prerouting    {  oif br-lan ip daddr != 192.168.112.12 udp dport 53 ip daddr 192.168.112.12; } 
}
This is a rule that will never match anything because it has a logical conjunction of two matches which are at odds. 

    ip daddr != 192.168.112.12
    ip daddr 192.168.112.12
Both of these conditions cannot hold true simultaneously. Even if this were not the case, the rule would have no effect because there is no verdict, nor is any other course of action taken.
does not throw an error but I am not sure whether that achieves the in the context of the table? 
--
Kerin Millar
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux