lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 21 May 2022 08:50:25 +0200
From:   Daniel Haid <d.haid@...i.tv>
To:     netdev@...r.kernel.org
Subject: Stateless NAT rule and packets disappearing after postrouting hook

Hello,

on my host, I have an interface eth0 where my ISP is routing packets
with destination 192.0.2.1 to me and the default gateway of the ISP is
198.51.100.1.

For certain reasons I do not wish to add the address 192.0.2.1 to any
interface, but instead add a private address 10.0.0.1 and use
stateless nat rules.

(I can explain the exact use case if you wish, but I think for now it
is not necessary. I deliberately removed all configuration except the
part with the problem.)

The configuration is as follows:

1) ip addr add 10.0.0.1/32 dev eth0
2) ip route add default via 198.51.100.1 onlink dev eth0

table ip filter {
	chain dnat {
		type filter hook prerouting priority -250;
		ip daddr 192.0.2.1 ip daddr set 10.0.0.1 counter;
	}
	chain snat {
		type filter hook postrouting priority 900;
		ip saddr 10.0.0.1 ip saddr set 192.0.2.1 counter;
	}
}

I expect to be able to connect to 192.0.2.1 from outside (for example
via ssh) and reach my host, but it does not work. The host does not
send any response packets. Indeed, the counter in the snat chain goes
up, but tcpdump does not show any corresponding output packets. How
can it happen that a packet passes the postrouting hook, but does not
reach the output interface?

Now the funny thing is: if I do not add any address at all, replace
10.0.0.1 with 127.0.0.1 everywhere, and set
net.ipv4.conf.all.route_localnet=1, then it works.

If I leave 127.0.0.1 in the rules, but still add the address 10.0.0.1
to eth0, then it sometimes works and sometimes not, depending on the
order of the commands 1) and 2).

This looks all very mysterious to me. How can I find out what is going
on?

Tested with kernel 5.16.12. I am not subscribed to the list, so please
Cc me.

D.H.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ