Changing source/destination address for local packets

Tomas Mandys tomas.mandys at 2p.cz
Mon Jun 25 18:56:20 CEST 2007


On Monday 25 June 2007 18:09, Patrick McHardy wrote:
> Tomas Mandys wrote:
> > Hi,
> > I am playing in my RTPPROXY module (finally almost ready) with changing
> > source and destination addresses. It works, but there is a problem when the
> > address of a locally generated packet is changed to another local address.
> >
> >
> > IP: 192.168.1.1
> > UDP packet:  192.168.1.1:10000  -->  192.168.1.1:50000
> > OUTPUT hook changes destination address (like DNAT), or rather only the dest port:
> > 50000 --> 20000
> > POSTROUTING changes source port (like SNAT): 10000 --> 60000
> > Now PREROUTING is called, but the conntrack (ip_conntrack_get) is related to
> > session 192.168.1.1:10000  -->  192.168.1.1:50000
> > (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip/udp.port) instead of the
> > address from (*pskb)->nh.iph->daddr (192.168.1.1:60000) and pudph->dest
> > (192.168.1.1:20000).
>
> You need to change the conntrack tuples as well if you mangle
> a packet in case you're not using the standard NAT functions
> for this (which you probably should). If you change the destination
> address to a local one you additionally need to perform rerouting
> (you *should* do that whenever you change the destination in OUTPUT,
> but for this case it really is necessary).

I'm changing the destination address in OUTPUT, or rather only the destination
UDP port in this case; the source port will be changed in POSTROUTING. Session #1
is identified by source/dest address before rerouting is done to source2/dest2 -
this is a second session! But when the packet leaves POSTROUTING it enters
PREROUTING immediately, and the conntrack high-priority callback sees
(*pskb)->nfct != NULL, won't check the IP, and provides non-corresponding info.
I must drop such packets because it's confusing.

Note I cannot use NAT; it is a different task. There are 2 (conntrack) sessions
and RTPPROXY is responsible for routing.

I'm going to write a HOWTO.

-- 
--------------------------------------------------------
ing. Tomas Mandys              email: tomas.mandys at 2p.cz
2p plus, s.r.o.                mobil: +420-604690589
Na Skalce 23, 150 00 Praha 5   tel:   +420-234139232
Czech republic                 fax:   +420-251561418
http://www.2p.cz               ICQ:   14187044 
--------------------------------------------------------
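The mismatch described in this thread, replayed as a small user-space model written for this page (it is not netfilter code and not part of RTPPROXY). The model keeps a conntrack-style table keyed by the UDP 4-tuple, with an ORIGINAL and an inverted REPLY tuple per entry, and a `conntrack_hook()` that, like the real PREROUTING hook the post describes, trusts an already attached `nfct` and does not re-check the header. `replay()` walks the post's flow: session #1 is created in OUTPUT for 192.168.1.1:10000 -> :50000, then dport is rewritten to 20000 and sport to 60000 without touching the tuples, and the packet re-enters PREROUTING over loopback. With the stale `nfct` still attached, the entry no longer matches the header (the confusing case); if the entry is detached before loopback the hook classifies the mangled header afresh and a second session appears, which is the "two sessions" outcome. All function and struct names (`ct_lookup`, `ct_new`, `nfct_matches_header`, `replay`) are the model's own; detaching `nfct` stands in for whatever re-classification the real stack requires, which the example does not show.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* UDP 4-tuple, as a conntrack hash key. Host-order integers; user-space model only. */
struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* One conntrack entry: ORIGINAL direction plus the inverted REPLY direction. */
struct conn {
    struct tuple orig, reply;
    bool in_use;
};

#define CT_MAX 8
static struct conn ct_table[CT_MAX];

static uint32_t ip4(int a, int b, int c, int d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

static void ct_reset(void) { memset(ct_table, 0, sizeof ct_table); }

/* Number of live entries: 1 means a single confused session, 2 means both were tracked. */
static int ct_count(void)
{
    int n = 0;
    for (int i = 0; i < CT_MAX; i++)
        n += ct_table[i].in_use;
    return n;
}

/* Lookup by header tuple in either direction (the role of ip_conntrack_find_get). */
static struct conn *ct_lookup(const struct tuple *t)
{
    for (int i = 0; i < CT_MAX; i++)
        if (ct_table[i].in_use &&
            (tuple_eq(t, &ct_table[i].orig) || tuple_eq(t, &ct_table[i].reply)))
            return &ct_table[i];
    return NULL;
}

/* Allocate an entry for an unseen tuple; the reply tuple is the inverse. */
static struct conn *ct_new(const struct tuple *t)
{
    for (int i = 0; i < CT_MAX; i++) {
        struct conn *c = &ct_table[i];
        if (c->in_use)
            continue;
        c->in_use = true;
        c->orig = *t;
        c->reply.saddr = t->daddr; c->reply.daddr = t->saddr;
        c->reply.sport = t->dport; c->reply.dport = t->sport;
        return c;
    }
    return NULL;
}

/* A packet: its current header tuple and the attached conntrack (skb->nfct). */
struct pkt {
    struct tuple hdr;
    struct conn *nfct;
};

/* The conntrack hook as the post describes it: an attached nfct is trusted and
 * the header is not re-checked; only an unclassified packet is looked up. */
static struct conn *conntrack_hook(struct pkt *p)
{
    if (p->nfct)
        return p->nfct;
    struct conn *c = ct_lookup(&p->hdr);
    if (!c)
        c = ct_new(&p->hdr);
    p->nfct = c;
    return c;
}

/* The check a module author wants before trusting nfct after mangling. */
static bool nfct_matches_header(const struct pkt *p)
{
    return p->nfct && (tuple_eq(&p->hdr, &p->nfct->orig) ||
                       tuple_eq(&p->hdr, &p->nfct->reply));
}

/* Replay the post's flow on 192.168.1.1. Returns true if the nfct seen in
 * PREROUTING still describes the packet's header. */
static bool replay(bool detach_before_loopback)
{
    ct_reset();
    uint32_t host = ip4(192, 168, 1, 1);
    struct pkt p = { { host, host, 10000, 50000 }, NULL };

    conntrack_hook(&p);          /* OUTPUT conntrack: session #1 created */
    p.hdr.dport = 20000;         /* OUTPUT mangle: dport 50000 -> 20000 */
    p.hdr.sport = 60000;         /* POSTROUTING mangle: sport 10000 -> 60000 */
    if (detach_before_loopback)
        p.nfct = NULL;           /* model of forcing PREROUTING to re-classify */

    conntrack_hook(&p);          /* PREROUTING conntrack after loopback */
    return nfct_matches_header(&p);
}
```

`replay(false)` reproduces the situation in the post: one entry exists, it is attached to the packet, and its tuples match neither the current header nor its inverse, so a module relying on it gets the wrong session and dropping is the safe choice. `replay(true)` leaves two entries in the table, one per mangled flow, and the attached entry matches the header.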




More information about the netfilter-devel mailing list