Hi,
I'm using ip_tables and ip_queue modules to trap the packets from IP stack to a userspace
VPN product, using nothing but standard kernel modules (and my own VPN
proxy app). The packets flowing into or out of the machine get diverted to a
userspace application (actually a VPN client), where src/dest addresses are modified if needed, and then injected
back into the local IP stack.
For example, an outgoing packet (that has a foreign dest addr) is
overridden with a local dest address, hoping it would end up at the
local VPN listener.
Under kernel 2.4(checked on 2.4.20) this works fine.
In 2.6 it doesn't.
To me its seems that while traversing packets through Netfilter, changing dest address from
a foreign to a local address causes the packet to drop (and show up at
ip_rt_bug(), along a syslog entry in kernel 2.6..
* Details:
An outgoing packet (has a non-local dest addr) is queued and recognized
at the ip_queue userspace app. Its dest addr+port are set to that of
the local machine (to get to my userspace VPN app).
The modified packet is marked NF_ACCEPT and sent back into the kernel,
but ends up at the ip_rt_bug function (with a syslog entry).
* Assumed bug analysis:
Due to the destination address change, the packet needed to go through
routing once again, since it's no longer an outgoing packet.
I would have expected the routing function to realize it needs to
re-evaluate the route, and set the *okfn to dst->input instead of ip_rt_bug.
* Kernel version where problem found:
2.6.14 compiled locally with no modifications.
Please advise/suggest me what alternative I have now.
A similar problem has been reported a while back but never replied (http://groups-beta.google.com/group/linux.kernel/msg/455c04e17e354d04?dmode=source&hl=en
)
--
Regards,
Gaurav Aggarwal
