Stateless NAT ICMP Payload Mismatch

Is there a way to set up a stateless NAT that updates ICMP payloads,
i.e. destination-unreachable (type 3)?

With the current rules I have (shown below) I am able to receive ICMP
destination-unreachable packets, but the payload is wrong, causing them
to be dropped by clients. This pretty much breaks traceroute on both
sides.

Internal to external:
   IPv4 Header - Src: 192.0.2.2, Dst: 100.64.1.105
   ICMP Type 3 Payload - Src: 203.0.113.100, Dst: 192.0.2.2

External to internal:
   IPv4 Header - Src: 203.0.113.100, Dst: 203.0.113.200
   ICMP Type 3 Payload - Src: 203.0.113.200, Dst: 100.64.1.105

table ip NAT {
   chain prerouting {
      type filter hook prerouting priority raw; policy accept;
      iif "eth0" ip daddr 203.0.113.100 ip daddr set 100.64.1.105 notrack return
   }

   chain postrouting {
      type filter hook postrouting priority raw; policy accept;
      oif "eth0" ip saddr 100.64.1.105 ip saddr set 203.0.113.100 notrack return
   }
}

As a side note, tc performs ICMP modifications (but doesn't meet my
needs) which is why I'm thinking nftables should be able to do it as
well.
--
Thanks,
Echo Nar
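Added example, not part of the thread above: a Python model of what a stateless 1:1 translator has to do to a type 3 message so the quoted header matches. The quoted datagram inside the ICMP payload travelled in the opposite direction to the error itself, so rewriting the outer destination ext->int must be paired with rewriting the quoted source ext->int (and outer source int->ext with quoted destination int->ext), after which the outer header, quoted header and ICMP checksums all need recomputing. The addresses are the ones from the message; the packet builders and the function names are assumptions of this example.

```python
import struct

EXT = bytes([203, 0, 113, 100])   # public address (from the thread)
INT = bytes([100, 64, 1, 105])    # internal host it is mapped to

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum; the same algorithm covers IPv4 headers and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fix_csum(buf: bytearray, off: int) -> None:
    """Zero the checksum field at `off` and recompute it over the whole buffer, in place."""
    buf[off:off + 2] = b"\x00\x00"
    buf[off:off + 2] = struct.pack("!H", csum(bytes(buf)))

def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                                proto, 0, src, dst))   # constructed header, no options
    fix_csum(hdr, 10)
    return bytes(hdr) + payload

def icmp_unreach(original: bytes) -> bytes:
    """ICMP type 3 code 3 quoting the triggering datagram's header + 8 bytes (RFC 792)."""
    msg = bytearray(struct.pack("!BBHI", 3, 3, 0, 0) + original[:28])
    fix_csum(msg, 2)
    return bytes(msg)

def nat_icmp_error(pkt: bytes, inbound: bool) -> bytes:
    """Stateless 1:1 NAT of one packet (inbound: outer dst EXT->INT; outbound: outer src INT->EXT).
    An ICMP error quotes a datagram that went the other way, so its src/dst is mapped too."""
    ihl = (pkt[0] & 0x0F) * 4
    outer, rest = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    old, new = (EXT, INT) if inbound else (INT, EXT)
    o_off, q_off = (16, 12) if inbound else (12, 16)   # dst/src field offsets in the IPv4 header
    if outer[o_off:o_off + 4] == old:
        outer[o_off:o_off + 4] = new
        fix_csum(outer, 10)
    if outer[9] == 1 and rest[0] in (3, 11, 12):       # unreachable, time exceeded, param problem
        qihl = (rest[8] & 0x0F) * 4
        quoted = rest[8:8 + qihl]                      # quoted IPv4 header follows the 8-byte ICMP header
        if quoted[q_off:q_off + 4] == old:
            quoted[q_off:q_off + 4] = new
            fix_csum(quoted, 10)
            rest[8:8 + qihl] = quoted
            fix_csum(rest, 2)                          # ICMP checksum covers the quoted bytes
    return bytes(outer + rest)
```

This is a reference model for checking captured packets against, not an nftables ruleset; whether the quoted header can be rewritten from a stateless nft rule is exactly the open question of the thread.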