<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.82">
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
 <TITLE>Linux netfilter Hacking HOWTO: Netfilter Hooks for Tunnel Writers</TITLE>
 <LINK HREF="netfilter-hacking-HOWTO-7.html" REL=next>
 <LINK HREF="netfilter-hacking-HOWTO-5.html" REL=previous>
 <LINK HREF="netfilter-hacking-HOWTO.html#toc6" REL=contents>
</HEAD>
<BODY>
<A HREF="netfilter-hacking-HOWTO-7.html">Next</A>
<A HREF="netfilter-hacking-HOWTO-5.html">Previous</A>
<A HREF="netfilter-hacking-HOWTO.html#toc6">Contents</A>
<HR>
<H2><A NAME="s6">6.</A> <A HREF="netfilter-hacking-HOWTO.html#toc6">Netfilter Hooks for Tunnel Writers</A></H2>

<P>Authors of tunnel (or encapsulation) drivers should follow two
simple rules for the 2.4 kernel (as do the drivers inside the kernel,
like net/ipv4/ipip.c):</P>
<P>
<UL>
<LI>Release skb->nfct if you're going to make the packet
unrecognisable (ie. decapsulating/encapsulating). You don't need
to do this if you unwrap it into a *new* skb, but if you're going
to do it in place, you must do this.
<P>Otherwise: the NAT code will use the old connection tracking
information to mangle the packet, with bad consequences.</P>
</LI>
<LI>Make sure the encapsulated packets go through the LOCAL_OUT
hook, and decapsulated packets go through the PRE_ROUTING hook
(most tunnels use ip_rcv(), which does this for you).
<P>Otherwise: the user will not be able to filter as they expect
to with tunnels.</P>
</LI>
</UL>
</P>
<P>The canonical way to do the first is to insert code like the
following before you wrap or unwrap the packet:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
        /* Tell the netfilter framework that this packet is not the
           same as the one before! */
#ifdef CONFIG_NETFILTER
        nf_conntrack_put(skb->nfct);
        skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
        skb->nf_debug = 0;
#endif
#endif
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Usually, all you need to do for the second, is to find where the
newly encapsulated packet goes into "ip_send()", and replace it with
something like:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
        /* Send "new" packet from local host */
        NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev, ip_send);
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P> Following these rules means that the person setting up the packet
filtering rules on the tunnel box will see something like the
following sequence for a packet being tunnelled:</P>
<P>
<OL>
<LI> FORWARD hook: normal packet (from eth0 -> tunl0)</LI>
<LI> LOCAL_OUT hook: encapsulated packet (to eth1).</LI>
</OL>
</P>
<P>And for the reply packet:
<OL>
<LI> LOCAL_IN hook: encapsulated reply packet (from eth1)</LI>
<LI> FORWARD hook: reply packet (from eth1 -> eth0).</LI>
</OL>
</P>
<HR>
<A HREF="netfilter-hacking-HOWTO-7.html">Next</A>
<A HREF="netfilter-hacking-HOWTO-5.html">Previous</A>
<A HREF="netfilter-hacking-HOWTO.html#toc6">Contents</A>
</BODY>
</HTML>
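Added example, not part of the HOWTO or the kernel source: a userspace C model of the first rule, showing what "the NAT code will use the old connection tracking information" means for a skb that is encapsulated in place. The struct layouts, `nat_mangle`, `encap_in_place`, `tunnel_xmit` and all addresses are simplified, hypothetical stand-ins; only `nf_conntrack_put` and `skb->nfct` take their names from the page.

```c
/* Userspace model, added for illustration: simplified stand-ins for the
 * kernel structures, not the 2.4 kernel's real definitions. */
#include <stdint.h>
#include <stdio.h>

struct conntrack { int refs; uint32_t nat_src; };  /* flow + its SNAT mapping */
struct sk_buff { uint32_t saddr, daddr; uint8_t proto; struct conntrack *nfct; };
enum { PROTO_IPIP = 4, PROTO_TCP = 6 };

static void nf_conntrack_put(struct conntrack *ct) { if (ct) ct->refs--; }

/* Model of NAT at a hook: conntrack state already attached to the skb is
 * trusted and its mapping applied; with none attached the packet counts as
 * a new flow, which has no mapping in this model. */
static void nat_mangle(struct sk_buff *skb)
{
    if (skb->nfct)
        skb->saddr = skb->nfct->nat_src;
}

/* In-place IPIP encapsulation: the same skb now describes the outer packet. */
static void encap_in_place(struct sk_buff *skb, uint32_t tun_src,
                           uint32_t tun_dst, int release_nfct)
{
    if (release_nfct) {                 /* rule 1 from the HOWTO */
        nf_conntrack_put(skb->nfct);
        skb->nfct = NULL;
    }
    skb->saddr = tun_src;
    skb->daddr = tun_dst;
    skb->proto = PROTO_IPIP;
}

/* Returns the outer source address after the LOCAL_OUT NAT step. */
static uint32_t tunnel_xmit(struct conntrack *inner_ct, int release_nfct)
{
    struct sk_buff skb = { 0x0a000002, 0x0a000109, PROTO_TCP, inner_ct };
    inner_ct->refs++;                   /* the skb holds a reference */
    encap_in_place(&skb, 0xc0000201, 0xc0000202, release_nfct);
    nat_mangle(&skb);                   /* LOCAL_OUT sees the "new" packet */
    return skb.saddr;
}

int main(void)
{
    struct conntrack a = { 0, 0xcb007105 }, b = { 0, 0xcb007105 };
    printf("nfct kept:     outer src %08x\n", (unsigned)tunnel_xmit(&a, 0));
    printf("nfct released: outer src %08x\n", (unsigned)tunnel_xmit(&b, 1));
    return 0;
}
```

With the reference kept, the inner flow's mapping overwrites the tunnel endpoint address on the outer header and the conntrack reference is never dropped; with it released, the outer packet leaves with the tunnel's own source address.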