Re: nat in linux kernel
From: Giacomo (jacum_at_libero.it)
Date: Mon, 04 Jul 2005 10:11:36 GMT
Yes, I sniff and see PREROUTING with the old IP and ports, then the packets go into
INPUT with the new values... but
then I can't see any response back.
I think I must recalculate the checksum, but I don't know what are the right
Thanks a lot!
"joy" <email@example.com> wrote in message
> Giacomo wrote:
>> Good morning, I'm Giacomo from Italy.
>> I am writing a simple firewall in Linux kernel space (2.6.11).
>> I'm trying to implement DNAT, and I take struct sk_buff* skb from
>> functions in the PREROUTING context.
>> I change the destination port on skb.
>> I printk the fields in PREROUTING and in INPUT: everything is as expected:
>> original port in PRE and changed port in INPUT.
>> The problem is that the packet seems to disappear: it does not enter the
>> OUTPUT hook.
>> For example,
>> I map port 100 to 22 and do SSH from IP2 to IP1. On IP1 I do DNAT from
>> port 100 to 22.
>> IP2: ssh IP1 -p 100
>> On IP1 I get printed:
>> PRE: dest port 100 OK
>> INPUT dest port 22 OK!
>> but ssh seems not to respond; it probably does not really receive the packet!
>> Perhaps I miss something... perhaps it is not enough to simply rewrite a
>> field of the sk_buff.
>> I thought it was automatic that, since a packet enters the INPUT functions
>> with a certain destination port, although different from the port that
>> was in PREROUTING,
>> it got directed the right way, in this case delivered to port 22 where
>> ssh is listening.
>> Do I have to recalculate the checksum?? How??
>> PS: of course, I have prepared de-DNAT on outgoing packets... but for now
>> they do not OUT-GO!
>> PPS: of course ssh is up and responds correctly if I don't mangle the
>> destination port in PREROUTING.
>> Thanks in advance for any idea.
>> Giacomo, Italy
> Hello Jacopo....
> Have you tried to sniff? What do you see?
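Added example, not code from this thread and not the kernel's own NAT code: a user-space C demonstration of the effect described above. The TCP checksum covers the destination port (and, through the pseudo-header, both addresses), so a segment whose port is rewritten without touching the checksum is a corrupt segment as far as the receiving host's TCP is concerned, and it is dropped silently after the INPUT hook; no reply is ever generated. The packet below (a SYN 10.0.0.2:40000 -> 10.0.0.1:100), the addresses, the ports and the 10.0.0.254:22 target are all constructed for the demonstration. The rewrite uses the RFC 1624 incremental update rather than re-summing the whole segment, which is also what a kernel NAT implementation does per changed 16-bit word.

```c
/* Added example (not from the thread): why a TCP segment whose destination
 * port is rewritten in PREROUTING "disappears", and what a DNAT hook must
 * do instead.  Constructed IPv4/TCP SYN; addresses and ports are made up. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HLEN 20
#define PKT_LEN 40                  /* 20-byte IP header + 20-byte TCP header */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* RFC 1071: one's-complement sum of big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *buf, size_t len, uint32_t acc)
{
    for (; len > 1; buf += 2, len -= 2) acc += rd16(buf);
    if (len) acc += (uint32_t)buf[0] << 8;
    return acc;
}
static uint16_t fold(uint32_t acc)
{
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* Sum over the TCP pseudo-header (saddr, daddr, zero, proto, length) plus the
 * segment, checksum field included: exactly what the receiver computes. */
static uint16_t tcp_sum(const uint8_t *pkt, size_t len)
{
    uint32_t acc = sum16(pkt + 12, 8, 0);        /* saddr, daddr */
    acc += 6;                                    /* zero byte + IPPROTO_TCP */
    acc += (uint32_t)(len - IP_HLEN);            /* TCP length */
    return fold(sum16(pkt + IP_HLEN, len - IP_HLEN, acc));
}

/* A receiver accepts the packet only if the total folds to all ones. */
int ip_csum_ok(const uint8_t *pkt)              { return fold(sum16(pkt, IP_HLEN, 0)) == 0xffff; }
int tcp_csum_ok(const uint8_t *pkt, size_t len) { return tcp_sum(pkt, len) == 0xffff; }

/* Full recompute: zero the field, sum the rest, store the complement. */
void fill_checksums(uint8_t *pkt, size_t len)
{
    wr16(pkt + 10, 0);
    wr16(pkt + 10, (uint16_t)~fold(sum16(pkt, IP_HLEN, 0)));
    wr16(pkt + IP_HLEN + 16, 0);
    wr16(pkt + IP_HLEN + 16, (uint16_t)~tcp_sum(pkt, len));
}

/* RFC 1624 incremental update for one rewritten 16-bit word:
 * HC' = ~(~HC + ~m + m').  Applied once per changed word, per checksum. */
static void csum_replace16(uint8_t *csum_field, uint16_t from, uint16_t to)
{
    uint32_t acc = (uint16_t)~rd16(csum_field);
    acc += (uint16_t)~from;
    acc += to;
    wr16(csum_field, (uint16_t)~fold(acc));
}

/* What the post describes: change the port field and nothing else.  The TCP
 * checksum now covers stale data, so the host's TCP drops the segment. */
void dnat_port_naive(uint8_t *pkt, uint16_t new_dport)
{
    wr16(pkt + IP_HLEN + 2, new_dport);
}

/* DNAT done properly: every rewritten word is folded into each checksum that
 * covers it.  The destination address is covered by the IP header checksum
 * and by the TCP pseudo-header; the port by the TCP checksum only. */
void dnat_rewrite(uint8_t *pkt, uint32_t new_daddr, uint16_t new_dport)
{
    uint8_t *ipcs = pkt + 10, *tcpcs = pkt + IP_HLEN + 16;
    uint16_t old_hi = rd16(pkt + 16), old_lo = rd16(pkt + 18);
    uint16_t new_hi = (uint16_t)(new_daddr >> 16), new_lo = (uint16_t)new_daddr;
    uint16_t old_dport = rd16(pkt + IP_HLEN + 2);

    wr16(pkt + 16, new_hi);
    wr16(pkt + 18, new_lo);
    csum_replace16(ipcs, old_hi, new_hi);
    csum_replace16(ipcs, old_lo, new_lo);
    csum_replace16(tcpcs, old_hi, new_hi);
    csum_replace16(tcpcs, old_lo, new_lo);

    wr16(pkt + IP_HLEN + 2, new_dport);
    csum_replace16(tcpcs, old_dport, new_dport);
}

/* Constructed sample: SYN 10.0.0.2:40000 -> 10.0.0.1:100, no options, no data. */
void build_syn(uint8_t *pkt)
{
    static const uint8_t tmpl[PKT_LEN] = {
        0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        10, 0, 0, 2, 10, 0, 0, 1,                       /* saddr, daddr */
        0x9c, 0x40, 0x00, 0x64,                         /* sport 40000, dport 100 */
        0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, /* seq 1, ack 0 */
        0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00  /* off 5, SYN, win, csum, urg */
    };
    memcpy(pkt, tmpl, PKT_LEN);
    fill_checksums(pkt, PKT_LEN);
}

int main(void)
{
    uint8_t pkt[PKT_LEN];
    build_syn(pkt);
    dnat_port_naive(pkt, 22);                 /* tcp_csum_ok() is now 0: dropped */
    build_syn(pkt);
    dnat_rewrite(pkt, 0x0a0000feu, 22);       /* 10.0.0.254:22, hypothetical target */
    return (ip_csum_ok(pkt) && tcp_csum_ok(pkt, PKT_LEN)) ? 0 : 1;
}
```

Inside a netfilter hook the same update is applied to the skb's IP and TCP headers; current kernels expose it as csum_replace2() for the IP header and inet_proto_csum_replace2() for the transport checksum (include/net/checksum.h), and the kernel's own NAT code is the reference for the 2.6.11-era helper names and for packets whose skb->ip_summed says hardware has already handled the checksum. The reverse mapping on the reply path needs the identical treatment of the source port and address, or the client drops the answer for the same reason.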