-1

I am using the nfq and pnet library to modify packets and redirect them (to another ip and port).

Modifying Udp and tcp ports i have already figured out and packets arrive at their newly set port. However, when changing the ip address the packets just vanish as far as I can tell.

I have created a rule to queue some packets to my user-space program:

sudo nft add table inet mangle
sudo nft add chain inet mangle prerouting { type filter hook prerouting priority mangle \; }
sudo nft add set inet mangle managed_services { type ipv4_addr . inet_service \; }
sudo nft add rule inet mangle prerouting ip daddr @managed_services queue num 0 bypass
sudo nft add element inet mangle managed_services { THIS_COMPUTER_IP . THIS_COMPUTER_PORT }

This works as expected and packages arrive in my program:

pub fn listen() -> Result<(), Error> {
    let mut queue = Queue::open()?;
    queue.bind(0)?;
    queue.set_recv_conntrack(0, true)?;

    loop {
        let msg = queue.recv()?;
        
        let mut payload = msg.get_payload().to_vec();
        println!("V {:?}", payload);

        let mut ipv4 = MutableIpv4Packet::new(&mut payload).unwrap();
        let source_ip = ipv4.get_source();
        let dest_ip = ipv4.get_destination();
        
        ipv4 = match ipv4.get_next_level_protocol() {
            IpNextHeaderProtocols::Tcp => { rewrite_tcp(ipv4) },
            IpNextHeaderProtocols::Udp => { rewrite_udp(ipv4) }
            proto => { warn!("Found packet with unhandled protocol: {}", proto); ipv4 } // Unhandled Protocols pass
        };

        ipv4.set_source(dest_ip);
        ipv4.set_destination(source_ip);
        ipv4.set_checksum(0);

        let checksum_ipv4 = checksum(&ipv4.to_immutable());

        ipv4.set_checksum(checksum_ipv4);

        let mut new = Message::from(msg);
        new.set_verdict(Verdict::Accept);

        new.set_payload(ipv4.packet());
        queue.verdict(new)?;
    }
}

I left out the udp / tcp methods as that parts works. It swaps out the port with 60535. However, when also using the part swapping source ip and destination ip packages just vanish after they are edited. I assume it is the checksum, since packets do not vanish when changing the port

Using tcpdump I can only see the incoming packets but afterwards nothing.

Any help what about my setup might be incorrect is highly appreciated.

Improve this question
2
  • I've never used pnet, so it's not clear to me exactly what you mean by "redirect" them. I would cast a doubt on the checksum theory, though: the port is part of the checksum too. Instead, I would point to the fact that IPs are used to route a packet between a machine, whereas ports are only used locally on the machine (baring NAT), and thus a switch in destination IP (specifically) is quite likely to cause a packet to no longer be routed correctly. As an experiment, I encourage you to try and only change the source IP, then check if the packet is still routed correctly to its destination. Commented Feb 21 at 12:25
  • Hi @MatthieuM., thanks for your input. With redirect I mean change ip and port destination and forward to another host. In my setup Host A sends to Host B:8080, then source and destination should be swapped and Host A should receive the package at 60535. I have tried to only replace the source ip, the package also does not arrive at the destination port. When only updating the checksum everything works, so you are right it is not the checksum. Could it be that I use an incorrect chain, table or verdict? Commented Feb 21 at 13:02

1 Answer 1

Reset to default
0

I have figured it out. Since I have not found any tutorials on this I will leave some hints for people working on a similar problem.

In my case the problem was the rp_filter. Packages are dropped if the source ip is not from reachable from the interface the package arrives from. Since Host IP is not reachable by sending the package to a NIC the packages where dropped.

Another pitfall to consider is connection tracking. If you change the source and ip, the connection tracking entry might be invalid which can lead to dropped packets as well

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.